15 December 2010
Administration Guide
SmartView Monitor R75

© 2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11672
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
15 December 2010 - First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on SmartView Monitor R75 Administration Guide).
Contents
Important Information 3
Introducing SmartView Monitor 6
  SmartView Monitor Features 6
  SmartView Monitor Considerations 7
  Terminology 7
  Understanding the User Interface 8
  Gateways Status View 8
  Traffic View 9
  System Counters View 10
  Tunnels View 11
  Users View 12
  Cooperative Enforcement View 13
Monitoring Alerts 14
  Overview 14
  Alerts 14
  Interfering Actions 14
  Alerts Management 15
  Viewing Alerts 15
  System Alerts 15
  System Alert Monitoring Mechanism 15
Monitoring Gateway Status 17
  Gateway Status Solution 17
  How Does it Work? 18
  Gateway Status 18
  Displaying Gateway Information 19
  Views about a Specific Gateway 22
  Interfering Actions 23
  Thresholds 23
  Alert Dialog 23
  Configuring Gateway Views 24
  Defining the Frequency at which Status Information is Fetched 24
  Start/Stop Cluster Member 24
  Select and Run a Gateways View 24
  Refresh a Gateways Status View 24
  Run a Specific View at Startup 24
  View In-Depth Information about a Specific Gateway 24
  Create a Custom Gateways Status View 25
  Edit a Gateway View 25
  Defining a Threshold 25
  Define Global Threshold Settings 25
  Delete a Custom Gateway View 26
  Copy a Gateway View 26
  Rename a Custom Gateway Status View 26
  Export a Custom Gateway Status View 26
Monitoring Traffic or System Counters 27
  Traffic or System Counters Solution 27
  Traffic 27
  System Counters 28
  Traffic or System Counters Configuration 28
  Select and Run a Traffic or System Counters View 29
  Run a Specific View at Startup 29
  Create a New Traffic or System Counters Results View 29
  Create a Real-Time Custom Traffic or Counter View 30
  Create a History Traffic or Counter View 30
  Edit a System Counter or Traffic View 30
  Edit a Custom Traffic or System Counter View 31
  Copy a Traffic or System Counter View 31
  Rename a Custom Traffic or Counter View 31
  Delete a Custom Traffic or Counter View 31
  Export a Custom Traffic or Counter View 32
  Recording a Traffic or Counter View 32
Monitoring Suspicious Activity Rules 33
  The Need for Suspicious Activity Rules 33
  Suspicious Activity Rules Solution 33
  Configure Suspicious Activity Rules 33
  Create a Suspicious Activity Rule 33
  Manage Suspicious Activity Rules 35
Monitoring Tunnels 36
  Tunnels Solution 36
  Tunnel View Configuration 37
  Run a Tunnel View 37
  Refresh a Tunnel View 38
  Run a Specific View at Startup 38
  Create a Custom Tunnel View 38
  Edit a Custom Tunnel View 39
  Edit a Tunnel View 39
  Delete a Custom Tunnel View 39
  Copy a Tunnel View 39
  Rename a Custom Tunnel View 39
Monitoring Users 41
  Users Solution 41
  Users View Configuration 41
  Run a Users View 41
  Refresh a Users View 42
  Run a Specific View at Startup 42
  Create a Custom Users View 42
  Edit a Custom Users View 42
  Edit a Users View 43
  Delete a Custom Users View 43
  Copy a Users View 43
  Rename a Custom Users View 43
Cooperative Enforcement 44
  Cooperative Enforcement Solution 44
  Enforcement Mode 44
  Monitor Only Deployment Mode 45
  Non-Compliant Hosts by Gateway View 45
  Configuring a Cooperative Enforcement View 46
Index 47

Page 6
Chapter 1
Introducing SmartView Monitor

Corporate networks in today's dynamic business environment are often comprised of many networks and gateways that support a diverse set of products and user needs. The challenge of managing an increasing array of system traffic can put enormous pressure on IT staffing capacity and network resources.

With SmartView Monitor, Check Point offers you a cost effective solution to obtain a complete picture of network and security performance, and to respond quickly and efficiently to changes in gateways, tunnels, remote users and traffic flow patterns or security activities.

SmartView Monitor is a high-performance network and security analysis system that helps you easily administer your network by establishing work habits based on learned system resource patterns. Based on Check Point's Security Management Architecture, SmartView Monitor provides a single, central interface for monitoring network activity and performance of Check Point Software Blades.
In This Chapter
SmartView Monitor Features 6
SmartView Monitor Considerations 7
Terminology 7
Understanding the User Interface 8

SmartView Monitor Features

SmartView Monitor allows administrators to easily configure and monitor different aspects of network activities. Graphical views can easily be viewed from an integrated, intuitive interface. Pre-defined views include the most frequently used traffic, counter, tunnel, gateway, and remote user information. For example, Check Point System Counters collect information on the status and activities of Check Point products (for example, VPN or NAT).

Using custom or pre-defined views, administrators can drill down on the status of a specific gateway and/or a segment of traffic to identify top bandwidth hosts that may be affecting network performance. If suspicious activity is detected, administrators can immediately apply a Firewall rule to the appropriate Security Gateway to block that activity. These Firewall rules can be created dynamically via the graphical interface and be set to expire within a certain time period.

Real-time and historical reports (that is, flexible, graphical reporting) of monitored events can be generated to provide a comprehensive view of gateways, tunnels, remote users, network, security and gateway performance over time.

The following list describes the key features of SmartView Monitor and how it is employed.

Gateways Status
SmartView Monitor enables information about the status of all gateways in the system to be collected from these gateways. This information is gathered by the Security Management server and can be viewed in an easy-to-use SmartConsole. The views can be customized so that details about the gateway(s) can be shown in a manner that best meets the administrator's needs.

Traffic / System Counters
SmartView Monitor delivers a comprehensive solution for monitoring and analyzing network traffic and network usage.
You can generate fully detailed or summarized graphs and charts for all connections when monitoring traffic and for numerous rates and figures when counting usage throughout the network. The Traffic view also enables filtering according to categories (for example, services, IP addresses, interfaces or Firewall rules).

Tunnels
SmartView Monitor enables system administrators to monitor connectivity between gateways. With the information collected by SmartView Monitor, system administrators are able to sustain privacy, authentication and integrity. By showing real-time information about active tunnels (for example, information about their state and activities, volume of traffic or which hosts are most active), administrators can verify whether the tunnel(s) are working properly.

Users
The Remote User Monitor is an administrative feature allowing you to keep track of VPN remote users currently logged on (that is, SecuRemote, Endpoint Security Secure Client and SSL Network Extender, and in general any IPSec client connecting to the VPN gateway). It provides you with a comprehensive set of filters which enables you to navigate easily through the obtained results. With information regarding, for example, current open sessions, overlapping sessions, route traffic and connection time, the Remote User Monitor is able to provide detailed information about remote users' connectivity experience. This feature enables you to view real-time and historical statistics about open remote access sessions.

Cooperative Enforcement
Cooperative Enforcement is a feature that works in conjunction with the Endpoint Security client. This feature utilizes the Endpoint Security client compliance capability in order to verify connections arriving from the various hosts across the internal network. The firewall generates logs for unauthorized hosts.
The logs generated for both authorized and unauthorized hosts can be viewed in SmartView Monitor.

SmartView Monitor Considerations

In view of the fact that SmartView Monitor enables graphical views of different types of measurements such as bandwidth, round trip time, packet rate or CPU usage, the most efficient way to yield helpful information is to create a view based on your specific needs. With SmartView Monitor it is possible to create customized views for view types (for example, status, traffic, system statistics and tunnels). The customization allows control over filtering what to view, and over the values to display (for example, the columns in the Gateway Status view).

The following are just two examples of the numerous scenarios for which SmartView Monitor can offer information:

- If a company's Internet access is slow, a Traffic view and report can be created to ascertain what may be clogging up the company's gateway interface. The view can be based on a review of, for example, specific Services, Firewall rules or Network Objects that may be known to impede the flow of Internet traffic. If the SmartView Monitor Traffic view indicates that users are aggressively using such Services or Network Objects (for example, a Peer to Peer application or HTTP), the cause of the slow Internet access has been determined. If aggressive use is not the cause, the network administrator will have to look at other avenues (for instance, performance degradation may be the result of memory overload).

- If employees who are working away from the office cannot connect to the network, a Counter view and report can be created to determine what may be prohibiting network connections. The view can be based on, for example, CPU Usage %, Total Physical Memory or VPN Tunnels, to collect information about the status, activities, hardware and software usage of different Check Point products in real-time.
If the SmartView Monitor Counter view indicates that there are more failures than successes, it is possible that the company cannot accommodate the mass number of employees attempting to log on at once.

Terminology

These are terms that you should be familiar with, to understand the information that is presented throughout this guide.

Views - generate reports about the network according to network targets, filters and specific settings (for example, Monitor Rate).
Custom View - a view generated by the SmartView Monitor user. This type of view is created from scratch or is based on a modified version of an existing out of the box view for common network scenarios.
System Counters - generates reports about the status, activities, hardware and software usage of different Check Point products in real-time or history mode.
Traffic - provides transaction information about network sessions in a given time interval.
Tunnel - an encrypted connection between two gateways.
Gateways Status - provides information about the status of all Check Point supported hosts.
Users - provides information about remote access VPN clients (for example, Endpoint Connect, Mobile Access, and others that are interoperable with VPN clients).
Cooperative Enforcement - a feature that works in conjunction with the Endpoint Security client. This feature utilizes the Endpoint Security client compliance capability in order to verify connections arriving from the various hosts across the internal network. The firewall generates logs for unauthorized hosts. The logs generated for both authorized and unauthorized hosts can be viewed in SmartView Monitor.
History - provides information about previous Traffic or System Counters data.
Real-Time - provides information about Traffic or System Counters data as it is generated.
Suspicious Activity Rules - Firewall rules that are applied immediately.
These rules can instantly block suspicious connections that are not restricted by the currently enforced security policy.
Threshold - contains actions that are triggered when the status of a blade is changed or when an event has occurred.
Cluster - indicates a group of servers and resources that act like a single system. This group enables high availability and, in some cases, load balancing and parallel processing.
High Availability - a system or component that is continuously operational for a long length of time. Availability can be measured relative to "100% operational" or "never failing."

Understanding the User Interface

The SmartView Monitor is divided into a number of features. Refer to the following sections for a visual representation of each SmartView Monitor view. The type of view results that appear on the screen are directly related to whether a Traffic, Counter, Tunnel, Gateway or Remote User view is selected.

Gateways Status View

To understand the following Gateways Status view, refer to the numbers in the figure and the list that follows it.

Figure 1-1 Gateways Status View

1. Tree View lists all the views.
2. Toolbars include shortcuts of SmartView Monitor options. The same options can also be accessed from the SmartView Monitor menus. The lower of the two toolbars is view specific and the same options can be found in the Gateways menu.
3. Results View provides information about all the gateways in the organization as well as pertinent information about each gateway (such as its IP Addresses, the last time it was updated and its status). This information is directly linked to the view selected in the Tree View. Each row in the table represents a Gateway.
4. Gateway Details is an HTML view that behaves like a browser and allows the user to follow links associated with a variety of data about the selected gateway.
5. At the bottom of the screen there is a button for every view that is currently running in SmartView Monitor (that is, a minimized view). As the number of running views grows, the visibility of these buttons is aided by a tool tip. This tool tip displays the full name of the view on which the cursor is standing.

Traffic View

To understand the following Traffic view, refer to the numbers in the figure and the list that follows it.

Figure 1-2 Traffic View

1. Tree View lists all the Custom and pre-defined views.
2. Toolbars include shortcuts of SmartView Monitor options. The same options can also be accessed from the SmartView Monitor menus. The lower of the two toolbars is view specific and the same options can be found in the Traffic menu.
3. Results View (that is, bar, line or pie chart) provides information that is directly linked to the view selected and run from the Tree View.
4. Legend includes a textual view (that is, a report) of the Traffic view results.
5. Traffic Status Bar, displayed at the bottom of the SmartView Monitor, contains system information (for example, system uptime or traffic flow) about the gateway associated with the selected view.
6. At the bottom of the screen there is a button for every view that is currently running in SmartView Monitor (that is, a minimized view). As the number of running views grows, the visibility of these buttons is aided by a tool tip. This tool tip displays the full name of the view on which the cursor is standing.

System Counters View

To understand the following System Counters view, refer to the numbers in the figure and the list that follows it.

Figure 1-3 System Counters View

1. Tree View lists all the Custom and pre-defined views.
2. Toolbars include shortcuts of SmartView Monitor options. The same options can also be accessed from the SmartView Monitor menus. The lower of the two toolbars is view specific and the same options can be found in the Counters menu.
3. Results View (that is, bar, line or pie chart) provides information that is directly linked to the view selected and run from the Tree View.
4. Legend includes a textual view (that is, a report) of the System Counters view results.
5. Counter Status Bar, displayed at the bottom of the SmartView Monitor, contains system information (for example, system uptime or traffic flow) about the gateway associated with the selected view.
6. At the bottom of the screen there is a button for every view that is currently running in SmartView Monitor (that is, a minimized view). As the number of running views grows, the visibility of these buttons is aided by a tool tip. This tool tip displays the full name of the view on which the cursor is standing.

[...]

2. Toolbars include shortcuts of SmartView Monitor options. The same options can also be accessed from the SmartView Monitor menus. The lower of the two toolbars is view specific.
3. Results View provides information that is directly linked to the view selected in the Tree View.
4. At the bottom of the screen there is a button for every view that is currently running in SmartView Monitor (that is, a minimized [...]

[...] Tunnels, refer to the Monitoring Tunnels chapter on page 36.
Monitor Users - provides a list of Mobile Access users currently logged on to the specific Security Management servers. On the SmartView Monitor Gateways interface you will be able to view all the remote users currently logged on to specific Security Management servers.

Gateway Status Solution
Monitor Traffic [...]

[...] running Gateways Status view, right-click the specific gateway line and select Refresh.

Run a Specific View at Startup
With SmartView Monitor you can select the view that will first appear when you launch SmartView Monitor.
1. Right-click the view that should be run as soon as SmartView Monitor is launched.
2. Select Run at Startup.

View In-Depth Information about a Specific Gateway
1. Run the Gateways Status [...]
[...] 3. Click OK. The results of the selected view appear in the SmartView Monitor client.

Run a Specific View at Startup
With SmartView Monitor you can select the view that will first appear when you launch SmartView Monitor.
1. Right-click the view that should be run as soon as SmartView Monitor is launched.
2. Select Run at Startup.

Create a New Traffic or System Counters Results View
A View is the output that [...]

[...] passing through the VPN gateway. SmartView Monitor delivers a comprehensive solution for monitoring and analyzing network traffic and network usage. You can generate fully detailed or summarized graphs and charts for all connections intercepted and logged when monitoring traffic and for numerous rates and figures when counting usage throughout the network.

Traffic
Traffic Monitoring provides in-depth details [...]

[...] System Counters views.

Traffic or System Counters Configuration
To obtain an explicit understanding about the fields, text boxes, drop-down lists, etc., in each window, refer to SmartView Monitor Online Help.

Select and Run a Traffic or System Counters View
When a Traffic or System Counters view is run, the results appear in the SmartView Monitor client. A Traffic [...]

[...] same user-friendly window.

Configuring Gateway Views
The following pages contain a number of different sets of steps that will instruct you on how to work with SmartView Monitor Gateway Status views. To obtain an explicit understanding about the fields, text boxes, drop-down lists, etc., in each window, refer to SmartView Monitor Online Help.

Defining [...]
[...] Counter View
1. In the SmartView Monitor client, select the Custom branch of the Tree View.
2. Right-click the Traffic or System Counters view you would like to delete.
3. Select Delete.
4. Select Yes to delete the selected Custom view.

Export a Custom Traffic or Counter View
1. In the SmartView Monitor client, right-click [...]

[...] applied immediately without the need to perform an Install Policy operation (see the R75 Security Management Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11667) for additional information).

Configure Suspicious Activity Rules
To block traffic when a threat is imposed, SmartView Monitor offers the tools needed to create and manage suspicious activity rules. These [...]

[...] are associated with URLs and categories. In addition, SmartView Monitor can now run Anti-Virus and URL Filtering counters. For example:
- Top five attacks in the last hour
- Top 10 attacks since last reset
- Top 10 http attacks in the last hour
- HTTP attacks general info

Multi-Domain Security Management
SmartView Monitor can now be used to monitor Multi-Domain Servers. This information can be viewed in [...]