Security Management Server R75
Administration Guide
15 December 2010

© 2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11667
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date             Description
15 December 2010 First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Security Management Server R75 Administration Guide).
Contents

Important Information  3

Security Management Overview  9
  Introduction  9
  Deployments  9
  Some Basic Concepts and Terminology  10
  Management Software Blades  11
  Login Process  13
  Overview  13
  Authenticating the Administrator  13
  Authenticating the Security Management Server Using its Fingerprint  13
  Tour of SmartDashboard  14
  SmartDashboard and Objects  14
  Managing Objects  16
  Configuring Objects  16
  Changing the View in the Objects Tree  16
  Groups in the Network Objects Tree  18
  Securing Channels of Communication (SIC)  21
  The SIC Solution  22
  The Internal Certificate Authority (ICA)  22
  Initializing the Trust Establishment Process  22
  Understanding SIC Trust States  23
  Testing the SIC Status  23
  Resetting the Trust State  23
  Troubleshooting SIC  23
  Network Topology  24
  Managing Users in SmartDashboard  25
  User Management Requirements  25
  The Check Point User Management Solution  25
  Users Database  25
  User and Administrator Types  26
  Configuring User Objects  26
  Working with Policies  28
  Overview  28
  To Install a Policy Package  29
  To Uninstall a Policy Package  29
  Installing the User Database  29

Policy Management  31
  The Need for an Effective Policy Management Tool  31
  The Check Point Solution for Managing Policies  31
  Policy Management Overview  31
  Policy Packages  32
  Dividing the Rule Base into Sections using Section Titles  34
  Querying and Sorting Rules and Objects  34
  Policy Management Considerations  35
  Conventions  35
  Policy Management Configuration  35
  Policy Package  35
  Rule Sections  36
  Querying the Rule Base  36
  Querying and Sorting Objects  37

SmartMap  39
  Overview of SmartMap  39
  The SmartMap Solution  39
  Working with SmartMap  39
  Enabling and Viewing SmartMap  39
  Adjusting and Customizing SmartMap  40
  Working with Network Objects and Groups in SmartMap  41
  Working with SmartMap Objects  42
  Working with Folders in SmartMap  44
  Integrating SmartMap and the Rule Base  45
  Troubleshooting with SmartMap  46
  Working with SmartMap Output  48

The Internal Certificate Authority  49
  The Need for the ICA  49
  The ICA Solution  49
  Introduction to the ICA  49
  ICA Clients  49
  Certificate Longevity and Statuses  50
  SIC Certificate Management  51
  Gateway VPN Certificate Management  51
  User Certificate Management  51
  CRL Management  52
  ICA Advanced Options  53
  The ICA Management Tool  53
  ICA Configuration  54
  Retrieving the ICA Certificate  54
  Management of SIC Certificates  54
  Management of Gateway VPN Certificates  55
  Management of User Certificates via SmartDashboard  55
  Invoking the ICA Management Tool  55
  Search for a Certificate  56
  Certificate Operations Using the ICA Management Tool  57
  Initializing Multiple Certificates Simultaneously  58
  CRL Operations  59
  CA Cleanup  59
  Configuring the CA  60

SmartView Tracker  64
  The Need for Tracking  64
  The Check Point Solution for Tracking  65
  Tracking Overview  65
  SmartView Tracker  66
  Filtering  71
  Queries  71
  Matching Rule  72
  Log File Maintenance via Log Switch  73
  Disk Space Management via Cyclic Logging  73
  Log Export Capabilities  74
  Local Logging  74
  Check Point Advisory  75
  Advanced Tracking Operations  75
  Tracking Considerations  75
  Choosing which Rules to Track  75
  Choosing the Appropriate Tracking Option  76
  Forwarding Online or Forwarding on Schedule  76
  Tracking Configuration  77
  Basic Tracking Configuration  77
  SmartView Tracker View Options  77
  Configuring a Filter  78
  Configuring the Current Rule Number Filter  79
  Follow Source, Destination, User Data, Rule and Rule Number  79
  Viewing the Logs of a Rule from the Rule Base  79
  Configuring Queries  79
  Hiding and Showing the Query Tree Pane  81
  Working with the Query Properties Pane  81
  Modifying a Column's Properties  81
  Copying Log Record Data  82
  Viewing a Record's Details  82
  Viewing a Rule  82
  Find by Interface  83
  Maintenance  83
  Local Logging  84
  Working with Log Servers  84
  Custom Commands  85
  Block Intruder  86
  Configuring Alert Commands  86
  Enable Warning Dialogs  86

Policy Backup and Version Control  87
  The Need for Security Management  87
  The Security Management Solution  87
  General  87
  Managing Policy Versions  88
  Version Operations  88
  Version Configuration  89
  Version Upgrade  90
  Version Diagnostics  90
  Manual versus Automatic Version Creation  90
  Backup and Restore the Security Management server  90

Management Portal  91
  Overview of Management Portal  92
  Deploying the Management Portal on a Dedicated Server  92
  Deploying the Management Portal on the Security Management server  92
  Management Portal Configuration and Commands  93
  Management Portal Commands  93
  Limiting Access to Specific IP Addresses  93
  Management Portal Configuration  93
  Client Side Requirements  93
  Connecting to the Management Portal  94
  Using the Management Portal  94
  Troubleshooting Tools  94

SmartUpdate  95
  The Need for Software Upgrade and License Management  95
  The SmartUpdate Solution  95
  Introducing SmartUpdate  95
  Understanding SmartUpdate  96
  SmartUpdate - Seeing it for the First Time  97
  Common Operations  97
  Upgrading Packages  98
  Overview of Upgrading Packages  98
  The Upgrade Package Process  99
  Other Upgrade Operations  101
  Managing Licenses  102
  Overview of Managing Licenses  102
  Licensing Terminology  102
  License Upgrade  104
  The License Attachment Process  104
  Other License Operations  105
  Service Contracts  106
  Generating CPInfo  106
  The SmartUpdate Command Line  107

SmartDirectory (LDAP) and User Management  108
  Integrating LDAP Servers with Check Point Software  108
  The Check Point Solution for Using LDAP Servers  108
  SmartDirectory (LDAP) Deployment  109
  Account Units  109
  The SmartDirectory (LDAP) Schema  110
  Managing Users on a SmartDirectory (LDAP) Server  111
  Retrieving Information from a SmartDirectory (LDAP) Server  112
  Working with Multiple SmartDirectory (LDAP) Servers  112
  Check Point Schema  112
  SmartDirectory (LDAP) Profiles  113
  SmartDirectory (LDAP) Considerations  114
  Configuring SmartDirectory (LDAP) Entities  114
  Define an LDAP Account Unit  114
  Working with SmartDirectory (LDAP) for User Management  116
  Working with SmartDirectory (LDAP) for CRL Retrieval  117
  Managing Users  118
  Using SmartDirectory (LDAP) Queries  119
  SmartDirectory (LDAP) Reference Information  121
  Integration with Various SmartDirectory (LDAP) Vendors  121
  SmartDirectory (LDAP) Schema  124
  Modifying SmartDirectory (LDAP) Profiles  131

Management High Availability  140
  The Need for Management High Availability  140
  The Management High Availability Solution  140
  Backing Up the Security Management server  140
  Management High Availability Deployment  141
  Active versus Standby  141
  What Data is Backed Up by the Standby Security Management servers?  142
  Synchronization Modes  142
  Synchronization Status  142
  Changing the Status of the Security Management server  143
  Synchronization Diagnostics  144
  Management High Availability Considerations  144
  Remote versus Local Installation of the Secondary SMS  144
  Different Methods of Synchronization  144
  Data Overload During Synchronization  144
  Management High Availability Configuration  145
  Secondary Management Creation and Synchronization - the First Time  145
  Changing the Active SMS to the Standby SMS  146
  Changing the Standby SMS to the Active SMS  146
  Refreshing the Synchronization Status of the SMS  147
  Selecting the Synchronization Method  148
  Tracking Management High Availability Throughout the System  148

Working with SNMP Management Tools  149
  The Need to Support SNMP Management Tools  149
  The Check Point Solution for SNMP  149
  Understanding the SNMP MIB  150
  Handling SNMP Requests on Windows  150
  Handling SNMP Requests on Unix  150
  Handling SNMP Requests on SecurePlatform  151
  SNMP Traps  151
  Special Consideration for the Unix SNMP Daemon  151
  Configuring Security Gateways for SNMP  151
  Configuring Security Gateways for SNMP Requests  151
  Configuring Security Gateways for SNMP Traps  152

Security Management Servers on DHCP Interfaces  154
  Requirements  154
  Enabling and Disabling  154
  Using a Dynamic IP Address  154
  Licensing a Dynamic Security Management Server  155
  Limitations for a Dynamic Security Management Server  155

Network Objects  156
  Introduction to Objects  156
  The Objects Creation Workflow  156
  Viewing and Managing Objects  156
  Network Objects  157
  Check Point Objects  157
  Nodes  158
  Interoperable Device  158
  Networks  158
  Domains  158
  Open Security Extension (OSE) Devices  159
  Groups  161
  Logical Servers  161
  Address Ranges  162
  Dynamic Objects  162
  VoIP Domains  162

CLI Appendix  163

Index  173

Page 9

Chapter 1 Security Management Overview

In This Chapter
  Introduction  9
  Management Software Blades  11
  Login Process  13
  Tour of SmartDashboard  14
  Securing Channels of Communication (SIC)  21
  Network Topology  24
  Managing Users in SmartDashboard  25
  Working with Policies  28

Introduction

To make the most of Check Point products and all their capabilities and features, you must be familiar with some basic concepts and components. This chapter includes an overview of usage, and describes the terminology and procedures that will help you administer your Check Point Security Gateways.

Deployments

There are two basic deployments:
- Standalone deployment - where the gateway and the Security Management server are installed on the same machine.
- Distributed deployment - where the gateway and the Security Management server are installed on different machines (see the figure).

[Figure: A typical deployment]

In the figure, there are two gateways. Each gateway connects to the Internet on one side, and to a LAN on the other. It is possible to create a Virtual Private Network (VPN) between the two gateways, to secure all communication between them. The Security Management server is installed in the LAN, so that it is protected by a Security Gateway. The Security Management server manages the gateways and allows remote users to connect securely to the corporate network. SmartDashboard may be installed on the Security Management server or on any other machine.
In addition to Check Point gateways, other OPSEC-partner modules (for example, an AntiVirus Server) can be deployed in order to complete the network security in collaboration with the Security Management server and its gateways.

Some Basic Concepts and Terminology

Administrators are the designated managers of SmartConsole. They are assigned different levels of access permissions, which define their ability to view and/or modify data using the SmartConsole. At least one administrator must have full Read/Write permissions so that he or she can manage the Security Policy.

Configuration is the process by which Check Point Security Gateways and Security Management servers are configured using the Check Point Configuration Tool. This tool runs immediately after the initial stages of installation are complete. However, it can be run and modified at any time. During the configuration process, the major attributes of the installed product are defined, such as the definition of Administrators, Fingerprint (for first time Security Management server identity verification), as well as features such as Management High Availability.

Installation is the process by which the Check Point product components are installed on a computer. Check Point products are based on a 3-tier technology architecture where a typical Check Point deployment is composed of a gateway, the Security Management server and a SmartConsole (usually SmartDashboard). There are several different ways to deploy these components:
- A standalone deployment is the simplest deployment, where the components that are responsible for the management of the Security Policy (the Security Management server, and the gateway) are installed on the same machine.
- A distributed deployment is a more complex deployment where the gateway and the Security Management server are deployed on different machines.
In all deployments, SmartConsole can be installed on any machine, unless stated otherwise.
Licenses are required in order to use certain Check Point software blades and features. It is recommended to use SmartUpdate for license management.

[...]

Management Software Blades

Software Blades are independent and flexible security modules that enable you to select the functions you want in order to build a custom Check Point Security Gateway. Software Blades can be purchased independently or as pre-defined bundles. The following Security Management Software Blades are available:

Security Management Software Blades | Description
Network Policy Management | Gives you control over configuring and managing even the most complex security deployments. Based on the Check Point unified security architecture, the Network Policy Management Software Blade provides comprehensive security policy management using SmartDashboard - a single, unified console for all security features and functionality.
Endpoint Policy Management | [...]
Logging & [...] | [...]

[...] how many Software Blades are currently installed on the Security Management Server, look at the SmartDashboard representation of the Security Management server. In the General Properties page of the Security Management server, the Management tab of the Software Blades section shows all enabled management Software Blades. In a High Availability environment [...]

Login Process

Overview

[...] a bidirectional operation, in which the administrator and the Security Management server authenticate each other and create a secure channel of communication between them using Secure Internal Communication (SIC). Once both the administrator and the Security Management server have been successfully authenticated, the Security Management server launches the selected SmartConsole.

Authenticating the Administrator

[...] of the target Security Management server and clicks OK to perform the authentication. If the administrator is authenticated successfully by the Security Management server, one of the following operations takes place:
- If this is the first time this SmartConsole has been used to connect to the Security Management server, the administrator must manually authenticate the Security Management server using [...]
- [...] has already been used to connect to the Security Management server, and an administrator has already authenticated the Security Management server, Fingerprint authentication is performed automatically.

Authenticating the Security Management Server Using its Fingerprint

The administrator authenticates the Security Management server using the Security Management server's Fingerprint. This Fingerprint, shown in the Fingerprint tab of the Check Point Configuration Tool, is obtained by the administrator before attempting to connect to the Security Management server. The first time the administrator connects to the Security Management server, the Security Management server displays a Fingerprint verification window. The administrator, who has the original Fingerprint on hand, compares it to the displayed [...]

Securing Channels of Communication (SIC)

Understanding SIC Trust States

[...] whether or not the Security Management server is able to communicate securely with the gateway. The most typical status is Communicating. Any other status indicates that the SIC communication is problematic. For example, if the SIC status is Unknown then there is no connection between the Gateway and the Security Management server. If the SIC status is Not Communicating, the Security Management server is able [...]

Resetting the Trust State

[...] the Security Policy on all gateways. This deploys the updated CRL to all gateways.

Troubleshooting SIC

If SIC fails to Initialize:
1. Ensure connectivity between the gateway and the Security Management server.
2. Verify that the server and the gateway use the same SIC activation key.
3. If the Security Management server is behind another gateway, make sure there are rules that allow connections between the Security Management server and the remote gateway, including anti-spoofing settings.
4. Ensure the Security Management server's IP address and name are in the /etc/hosts file on the gateway. If the IP address of the Security Management server undergoes static NAT by its local Security Gateway, add the public IP address of the Security Management server to the /etc/hosts file on the remote Security Gateway, [...]
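The Fingerprint check in the login process is a trust-on-first-use pattern: on the first connection from a SmartConsole the value is compared by hand against the one obtained out of band from the Configuration Tool, the client then pins it, and on later connections the comparison is automatic. The following Python is an added example written for this page, not Check Point's code and not the actual R75 Fingerprint format; it assumes the fingerprint is a SHA-256 digest of the server's DER-encoded certificate and uses constructed byte strings as stand-ins for that certificate. The point it makes is that a mismatch on a later connection must be refused and must not overwrite the pin.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, rendered as colon-separated hex.

    Assumed format for this example; the real product shows its own rendering
    in the Fingerprint tab of the Configuration Tool.
    """
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class ManagementTrustStore:
    """Per-client store of pinned management-server fingerprints (hypothetical)."""
    pins: Dict[str, str] = field(default_factory=dict)

    def verify(self, server: str, cert_der: bytes,
               out_of_band: Optional[str] = None) -> str:
        """Return the outcome of a connection attempt to `server`.

        VERIFY_REQUIRED    first connection, administrator must supply the
                           out-of-band value to compare against
        REJECTED           first connection, out-of-band value did not match
        TRUSTED_AND_PINNED first connection verified, fingerprint pinned
        TRUSTED            later connection, matches the pin (automatic)
        MISMATCH           later connection, certificate changed; pin untouched
        """
        seen = fingerprint(cert_der)
        pinned = self.pins.get(server)
        if pinned is None:
            # First connection from this client: nothing is pinned yet, so the
            # administrator has to compare against the value obtained beforehand.
            if out_of_band is None:
                return "VERIFY_REQUIRED"
            if not hmac.compare_digest(seen, out_of_band.upper()):
                return "REJECTED"
            self.pins[server] = seen
            return "TRUSTED_AND_PINNED"
        # Later connections: compare automatically against the pinned value.
        if hmac.compare_digest(seen, pinned):
            return "TRUSTED"
        # Either the server was re-initialized or something is interposed on the
        # path; refuse and leave the pin alone so the operator must decide.
        return "MISMATCH"


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; not real certificates.
    mgmt_cert = b"constructed-DER-of-the-management-server"
    other_cert = b"constructed-DER-of-some-other-server"
    store = ManagementTrustStore()
    expected = fingerprint(mgmt_cert)  # value the admin obtained out of band
    print(store.verify("mgmt", mgmt_cert))              # VERIFY_REQUIRED
    print(store.verify("mgmt", mgmt_cert, expected))    # TRUSTED_AND_PINNED
    print(store.verify("mgmt", mgmt_cert))              # TRUSTED
    print(store.verify("mgmt", other_cert))             # MISMATCH
```

`hmac.compare_digest` is used for both comparisons so the check does not leak how many leading characters matched; the pin store is in memory here, whereas a real client would persist it per server.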
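Step 4 of the SIC troubleshooting list, with its static NAT caveat, is worth scripting before re-initializing trust: a gateway whose /etc/hosts maps the Security Management server name to the private address behind the NAT will not reach it. The following Python is an added example, not part of the guide; the function names, the hosts-file text and the addresses are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional


def parse_hosts(hosts_text: str) -> Dict[str, List[str]]:
    """Map each hostname in /etc/hosts text to the addresses it is given.

    Comments and blank lines are ignored; names are compared case-insensitively.
    """
    names: Dict[str, List[str]] = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, hostnames = fields[0], fields[1:]
        for name in hostnames:
            names.setdefault(name.lower(), []).append(address)
    return names


def check_sms_hosts_entry(hosts_text: str, sms_name: str, sms_ip: str,
                          sms_public_ip: Optional[str] = None) -> List[str]:
    """Return findings for the /etc/hosts check in the SIC troubleshooting steps.

    sms_ip is the real address of the Security Management server. If the
    server undergoes static NAT on its local gateway, pass the public address
    as sms_public_ip: the remote gateway must then map the name to that
    address, not to the private one. An empty list means the entry is correct.
    """
    findings: List[str] = []
    expected = sms_public_ip or sms_ip
    entries = parse_hosts(hosts_text).get(sms_name.lower(), [])
    if not entries:
        findings.append(f"no /etc/hosts entry for {sms_name}; add '{expected} {sms_name}'")
        return findings
    for address in entries:
        try:
            ipaddress.ip_address(address)
        except ValueError:
            findings.append(f"malformed address {address!r} for {sms_name}")
            continue
        if address == expected:
            continue
        if sms_public_ip and address == sms_ip:
            findings.append(f"{sms_name} maps to the private address {address}; "
                            f"a remote gateway must use the static NAT address {expected}")
        else:
            findings.append(f"{sms_name} maps to {address}, expected {expected}")
    if len(entries) > 1:
        findings.append(f"{sms_name} has {len(entries)} entries; keep exactly one")
    return findings


if __name__ == "__main__":
    # Constructed hosts-file content from a remote gateway; not a real capture.
    remote_gateway_hosts = """\
127.0.0.1   localhost
10.1.1.10   mgmt          # private address, wrong for a gateway outside the NAT
"""
    for finding in check_sms_hosts_entry(remote_gateway_hosts, "mgmt",
                                         sms_ip="10.1.1.10",
                                         sms_public_ip="203.0.113.10"):
        print("FINDING:", finding)
```

Run it on the gateway with the name and addresses from the Security Management server object before pressing Initialize again; resetting SIC does not help while the name resolves to an address the gateway cannot reach.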