Check Point NG VPN-1/FireWall-1 Advanced Configuration and Troubleshooting, part 2 (ppsx)

Document information
Pages: 64
Size: 0.94 MB

Content

Chapter 2 • Smart Clients

[...] feature is the support for multiple OPSEC servers. You may scale your OPSEC-based servers via chaining or load sharing. Chaining requires splitting the inspection tasks on multiple servers, but load sharing distributes the requests on identical servers with a round-robin algorithm. The server groups are also formed under the OPSEC Applications menu.

Servers
Though the basic server types remain unchanged, the submenus are more stable. It is easier to define directory servers under LDAP Account Unit. The UFP and CVP server definitions have been transferred to OPSEC Applications, and the Defender and Policy Server types are no longer valid. SecuRemote DNS Server may be defined through the Servers menu as well.

Users and Administrators
Managing administrator users through SmartClients was an eagerly awaited functionality. It is now possible to define administrator users and user groups through SmartDashboard (see Figure 2.6). Another important change in FP3 is the Generic* user. If you try to create this user, your request will be denied since it is predefined. To manage Generic* users, you should use the External User Profile object type. When you define directory services through servers, you will be able to modify the user settings through the Users and Administrators category under the Object Tree.

Time
Time objects and groups are accessible through the Time menu. The new Time object type is Scheduled Event. Scheduled Event objects are used to trigger processes, for example, in the Management High Availability page of the Global Properties window and in the Logging Policy page of the Workstation Properties window.

Virtual Links
The new virtual links are created in SmartDashboard. With virtual links, it is possible to monitor traffic and service-level agreements (SLAs) between two network entities. Monitoring virtual links is detailed in the "SmartView Monitor" section later in this chapter.

Figure 2.6 Users and Administrators

VPN Communities
The new VPN Communities, which allow VPN Communities as a matching factor in Security Rules, may be defined through this object type category. Site-to-Site, Extranet, and Remote Access are the available object types.

The Extended Object Properties Screen
The Global Properties window in the Check Point GUI client 4.1 release had 13 tabs layered in three lines. Check Point's GUI developers have addressed this problem by introducing "Windows-style" expandable left-pane navigation trees. The tabular GUI view in the overpopulated menus of the Global Properties, Check Points, Nodes, Interoperable Devices, Time, and VPN Communities windows has been replaced by an expandable tree pane on the left side of the window. You may manage all properties from this expandable GUI (see Figure 2.7).

Extended Administrator Access
Now it is possible to use your certificates to authenticate your GUI access. In the SmartDashboard login screen, you may choose to use your certificates or change your certificate password (see Figure 2.8). Another important improvement is the Demo Mode. Every SmartClient installation comes with a predefined demo network. When the Demo Mode check box is selected, the other options are grayed out and you make a local logon to the demo security rule base. This semifunctional rule base is very helpful for learning the features when lab facilities are limited.

Figure 2.7 The New Menu Style in Global Properties

The last new function on the logon screen is the Session Description. This free text area is very useful when combined with the security policy. The text is logged directly under the audit log type when logout is executed. In other words, it is possible to comment the SmartDashboard sessions in the log database. This text is visible when Session ID is checked in SmartView Tracker.

A GUI Overview of New FP3 Features
Besides the basic object and rule management properties of SmartDashboard, new tools and windows accelerate the daily life of an administrator. The new policy installation interface aims to remove the burden of policies on multiple firewalls by classifying the installation targets. The Sections feature simplifies the view of complex rule bases by organizing the rules under certain section headers. Furthermore, the database revision tool is Check Point's first attempt to control change management on the rule bases.

Figure 2.8 The GUI Client Login Window

Tools & Traps… Editing the Demo Database
The SmartClients installation folder contains the demo database in the following folder:
%Installation Path%\SMART Clients\NG FP3\PROGRAM\cpml_dir\conf
This folder contains an authentic objects_5_0.C and other files, so you can modify and change the actual demo files. For troubleshooting purposes, you may view other policies simply by changing the contents of this folder. Treat any real objects_5_0.C or rule base file you copy there with the same care as the SmartCenter's own database: it contains your complete object and policy definitions, and it now sits on an administrator workstation.

The New Policy Installation Interface
The new user interface offers detailed control of the installation process. The installation targets, live process indication, and organized error indication lists are the new extended features in policy installation. The new features make SmartDashboard installations cleaner. You'll see four main windows during the policy installation.

In the Install Policy window (see Figure 2.9), you can define the policy types to be installed. NAT policy and Security policy are installed together by default. It is possible to install Desktop Security and VPN-1 Net policies individually. Depending on your deployment's complexity, you have an option to choose Select All or Clear All. In the Installation Mode properties, you may choose to install the policy independently or dependently. This option enables you to specify what to do if the Security Policy installation is unsuccessful for one or more of the selected modules. When dependent installation is chosen, the policy will not be installed on any module if any of the installations fail. These rules do not apply to pre-NG gateways.

The Select Installation Target window (see Figure 2.10) is very useful if you install policy on specific servers. Once you set the installation targets, you don't have to deselect each host in your objects database. You may define the installation targets per policy. This feature is very helpful if you are managing multiple firewall networks from a single management server.

During the installation, you can view the stages and percentage of the operation in the Installation Process window (see Figure 2.11).

Figure 2.9 The Install Policy Window

When you click the Show Errors button, you can see the processes in real time from the Verification and Installation Errors screen (see Figure 2.12). If the installation completed successfully, this button disappears.

Figure 2.10 The Installation Target Window
Figure 2.11 The Installation Process Window
Figure 2.12 The Verification and Installation Errors Window

Using Sections in the Security Rule Base
Although search functions relieve the pain of navigating a Security Rule Base, navigating a complex Security Rule Base with more than 30 rules is a continuing problem. With FP3, Check Point addresses this issue by simply applying the same expand/collapse logic to its Security Rule Base. Now you can organize rules under sections. Applying a section is simple. Highlight the rule where you want to add a section. From either the Rules | Add Section Title menu or the right-click Add Section Title menu, you can choose to add a section above or below the highlighted rule. Enter the name of the section in the header pop-up, and that is all you need. Remember that all the rules below that section will be added to the new section. You do not have an option to choose the number of rules to add, so starting from the bottom is a good idea. Since rule base order must remain intact, you may not deploy logical sections and reorganize the rules in different sequences; you may only summarize the existing rules in their existing order. Collapsed rules organized under sections are shown in Figure 2.13.

Version Control with Database Revision Control
With FP3, Check Point improved the revisioning system. You may save an existing database on the SmartCenter Server. Once it is saved, you can go back to the previous states of the database. With revision control you can create, view, restore, and delete the previous database versions. If you want to deactivate this feature, you need to uncheck Revision Control in the Global Properties window. You then need to save the policy and unload the policy from the module. The last step is to push the policy to the module again. If you do not unload the policy first, all attempts to load a new policy will fail.

This tool requires a separate license, and it should not be considered a complete version control system. You should consider the following issues before deployment:

■ It is not possible to edit previous versions; they are accessible only in read-only mode.
■ Only FP2 backward compatibility is supported. Restoring FP2 databases on the remote module is possible only through the command line.
■ You may not compare the changes with the Database Revision Tool.
■ Key management is not versioned.

Figure 2.13 Sections of Rules on SmartDashboard

SmartView Status
Integration of the new application-monitoring standard AMON brought a solid base to the Check Point system status manager. The new modular architecture of the Check Point base and all certified products can now be monitored to a greater extent. It is easy to notice the effects in the new SmartView Status: pane-based tabular screen organization, adjustable window sizes for panes, search functions, collapsible menus, and all-new interface gizmos are used in the new GUI. A new Disconnect Client feature has also been added to the interface.

What's New in SmartView Status?
More status data is available in NG. You can access real status details such as virtual private network (VPN) statistics from the SmartView Status interface. The good news is that all information is accessible through the CLI, so system administrators can integrate in-house monitoring systems with Check Point status data. System alerts are more useful with NG since SVN Foundation monitors the critical resources of the systems beneath the VPN-1/FireWall-1 firewall.

The Panes
There are two main tabular screens in SmartView Status: System Status and System Alert. System Status, with its three panes, is very useful for gathering real-time availability data in a hierarchical view. On the other hand, System Alert helps administrators set predefined alert thresholds for various cases. Let's look at each screen in more detail.

System Status
System Status has three synchronized panes (see Figure 2.14). The heart of the status-monitoring system is the top-left Modules pane. This pane has the hierarchical brief information of all the products installed. On a tree-based view, it is possible to monitor the time-stamped status and IP addresses of all Check Point products. Each product is listed under its parent product. The hierarchy is as follows: Network Objects | Members | Products installed on the members.
When any of the products or subcomponents is highlighted, the Details pane displays all known status details. All problematic modules are relisted in the bottom Critical Notifications pane so that you can isolate the problems. All views are synchronized, so if you choose one product in the Critical Notifications pane, the contents of the other two panes change dynamically, and vice versa.

Figure 2.14 SmartView System Status

Tools & Traps… Status Information from the Command Line
Check Point NG applications are monitored through the AMON protocol (TCP 18192). This makes it easy to troubleshoot data-gathering problems in SmartView Status. The cpstat command returns the same information that you see in the Details pane. The syntax of the cpstat command is as follows:

# cpstat [-h host] [-p port] [-f flavour] [-d] entity

The entities and available flavors for FP3 are listed in Table 2.3.

Table 2.3 cpstat Command Options
Entity   Available Flavors
fw       default, all, policy, performance, hmem, kmem, inspect, cookies, chains, fragments, totals, ufp_caching, http_stat, ftp_stat, telnet_stat, rlogin_stat, ufp_stat, smtp_stat
vpn      product, general, IKE, ipsec, fwz, accelerator, all
ha       default, all
mg       default
os       default, routing
fg       all

System Alert
The second screen of SmartView Status (see Figure 2.15) allows administrators to define threshold values and possible counteractions. As of NG FP3, only FireWall-1, FloodGate-1, SmartCenter Server, and SVN Foundation support system alerts. The screen is divided into two panes: Modules and Alert Definition. There are three system alert definition options for each component. These options can be checked under the General tab of the Alert Definition pane:

■ Global  The Description pane is grayed out. The Global entries of the System Alert menu are valid.
■ Custom  The description can be defined through the Alert Definition pane.
■ None  No alerts are applied for the given network object.

The predefined alert triggers per product are listed in Table 2.4. Alert actions are the same as those for SmartDashboard.

Table 2.4 Alert Triggers
Product Name     Alert Triggers
SVN Foundation   No Connection, Max. CPU Usage, Min Free Disk Space
FireWall-1       No Policy Installed, Policy Name Change, Policy Installed
FloodGate-1      No Policy Installed, Policy Name Change, Policy Installed
SmartCenter      Not Synchronized (for ClusterXL)

Figure 2.15 The System Alert Tab

Changes in the Menu and the Toolbar
The four-item menu of 4.x is gone. The overpopulated View menu of the 4.x Status Manager is enhanced in FP3 by four new root-level menus: Modules, Products, System Alert, and Tools. The new locations of the previous View menu functions are:

■ Removed menu items  Show/Hide Objects, Icons View, Compression Details.
■ Transferred to toolbar  Automatic Update as Active Update, Alerts (pop-up).
■ Transferred to Products menu  VPN Details, FloodGate Details, HA Module Details.
■ Transferred to Modules  Update Status as Update Selected.
■ Transferred to System Alert  Options and Global.
■ Existing menu items  Toolbar and Status Bar of the View menu; the File, Window, and Help menus.

Highlights of SmartView Status
There are small but useful additions to the SmartView Status interface besides the basic status and alert functionality. These additions include displaying and disconnecting clients and auto reconnect.

Disconnecting a Client
No more "read only" messages for the mighty firewall administrators. The Disconnect Client tool (see Figure 2.16) displays all current GUI connections with the host as well as client name and database status information. In addition, if you have the proper permissions, you can choose the session and click the Disconnect button to guarantee your next read/write access session.

Figure 2.16 Disconnect Clients

[...]

[...] data direction. There is no difference in the Settings screen. When you complete the settings, you may monitor the activity based on your rules, as shown in Figure 2.24.

Figure 2.24 Monitoring Rules

Monitor Using Virtual Links
The trail between two Check Point VPN firewalls or FloodGate Modules is defined by a virtual [...]

[...] traffic. When all the services change dynamically in real-time monitoring, you can lock the services by clicking the Lock the Services button and continue monitoring in a more stable environment. Another useful feature is sorting on a data column.

Figure 2.21 SmartView Monitor

Traffic Monitoring
Real-time traffic is monitored [...]

[...] file and an Oracle client. For example: log_export [...]

SmartView Monitor
Seeing is believing. Check Point has an easy-to-use network-monitoring tool. SmartView Monitor, which is the FP3 marketing brand name of the previous RealTime Monitor, answers most enterprise monitoring needs of a mission-critical distributed Check [...]

[...] Services

■ The Settings tab  You can define the update interval and chart type (bar/line), measurement unit, and scale options from this tab.

Monitor Using Network Objects
When your traffic should be monitored on a network object basis, you can choose a Check Point FireWall or FloodGate product or just a single interface [...]
[...] to monitor traffic between two VPN-1/FireWall-1 gateways, monitor SLA violations, and log traffic data [...]

Q: How can I define a non-Check Point firewall in SmartDashboard?
A: Select Manage | Network Objects | New | Interoperable Device to create a third-party firewall.

Q: Why can't I see client VPN connections on User Monitor [...] NG FP3 SmartView Tracker?
A: This problem occurs on NT SP6a. You need a specific fix.

Q: I can't run Remote Files Management on the cluster. I get a "Check if the module is up" notification, even if the module is up.
A: Run the following command from the command line: fw fetchlogs -f *.log

[...] for filtering when the GUI-based query filter is selected. There are three log formats: Log, Audit, and Active.

SmartView Monitor
Besides real-time monitoring, historical reports are also available. All Check Point system counters can be monitored graphically. Virtual links enable SLA monitoring. QoS monitoring is also [...]

[...] Service: E2ECP, Action: Accept, Track: Log, Install On: Gateways. To monitor virtual links from SmartView Monitor, the Activate Virtual Link check box must be checked in the Virtual Link object properties. In SmartView Monitor, the monitoring setting can be defined from the following screens:

■ Virtual Link Monitoring  You must [...]

[...] servers, and you will be able to define queries and export your query results for reporting. This tool centralizes the monitoring for enterprises that have multiple policy servers. User Monitor allows you to define queries, refine results, and view the active policy servers in a single interface.

Tools & Traps… Fixing [...] Encryption pack [...]

Chapter 3 • Advanced Authentication

6. Allow modifications on schema
7. Modify AD schema for additional Check Point fields (optional)

Active Directory Installation and Basic Configuration
When Active Directory is chosen for a VPN-1/FireWall-1 user database, it is assumed that the target network has a working AD base. But due [...]
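The "Status Information from the Command Line" box (Table 2.3) and the alert triggers of Table 2.4 above describe what cpstat returns and what SmartView Status alerts on, but not how to turn the CLI output into the in-house monitoring the chapter says it enables. The following Python script is an added example written for this page, not code from the book or from Check Point: it builds a cpstat command line validated against Table 2.3, parses the output, and evaluates the FireWall-1 and SVN Foundation triggers of Table 2.4 over successive snapshots, reporting a failed AMON query as "No Connection" instead of a silent all-clear. It assumes cpstat prints "Key: value" lines; the key names ("Policy name", "Install time", "CPU usage", "Free disk space"), the "-" marker for a missing policy and the sample snapshots are constructed for the example and must be adjusted to the output of a real module.

```python
"""Added example (not from the Syngress chapter or from Check Point): feed
cpstat output (Table 2.3 entities/flavors) into an in-house check that
reproduces the FireWall-1 and SVN Foundation triggers of Table 2.4.

Assumptions not stated on the page: cpstat prints "Key: value" lines, the key
names used below are illustrative, "-" or an empty value means no policy, and
the sample snapshots are constructed rather than captured from a module."""
import re
import subprocess
from typing import Dict, List, Optional

# Table 2.3: entity -> flavors that cpstat accepts under NG FP3.
CPSTAT_FLAVORS = {
    "fw": {"default", "all", "policy", "performance", "hmem", "kmem", "inspect",
           "cookies", "chains", "fragments", "totals", "ufp_caching", "http_stat",
           "ftp_stat", "telnet_stat", "rlogin_stat", "ufp_stat", "smtp_stat"},
    "vpn": {"product", "general", "IKE", "ipsec", "fwz", "accelerator", "all"},
    "ha": {"default", "all"},
    "mg": {"default"},
    "os": {"default", "routing"},
    "fg": {"all"},
}
AMON_PORT = 18192          # AMON listens on TCP 18192 (per the chapter)
NO_POLICY = {"", "-"}      # assumed markers for "no policy installed"
KV_LINE = re.compile(r"^\s*([A-Za-z][\w ./()%-]*?)\s*:\s*(.*?)\s*$")
NUMBER = re.compile(r"-?\d+(?:\.\d+)?")


def cpstat_argv(entity: str, flavor: str = "default",
                host: Optional[str] = None, port: int = AMON_PORT) -> List[str]:
    """Build the cpstat command line; entity/flavor pairs missing from
    Table 2.3 are rejected locally instead of failing on the module."""
    if entity not in CPSTAT_FLAVORS:
        raise ValueError(f"unknown cpstat entity {entity!r}")
    if flavor not in CPSTAT_FLAVORS[entity]:
        raise ValueError(f"flavor {flavor!r} is not valid for entity {entity!r}")
    argv = ["cpstat"]
    if host is not None:
        argv += ["-h", host, "-p", str(port)]
    return argv + ["-f", flavor, entity]


def parse_cpstat(text: str) -> Dict[str, str]:
    """Collect 'Key: value' lines; table rows ('|...') and rules ('---') are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def fetch_snapshot(entity: str, flavor: str = "default",
                   host: Optional[str] = None) -> Optional[Dict[str, str]]:
    """Run cpstat for real (needs the Check Point CLI and SIC trust to the
    module); a failed run is returned as None so it becomes 'No Connection'."""
    try:
        out = subprocess.run(cpstat_argv(entity, flavor, host), capture_output=True,
                             text=True, timeout=30, check=True).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_cpstat(out)


def firewall_alerts(previous: Optional[Dict[str, str]],
                    current: Dict[str, str]) -> List[str]:
    """Table 2.4, FireWall-1 row: compare two successive 'cpstat fw' snapshots."""
    new_policy = current.get("Policy name", "")
    if new_policy in NO_POLICY:
        return ["No Policy Installed"]
    if previous is None or previous.get("Policy name", "") in NO_POLICY:
        return ["Policy Installed"]          # first policy seen on this module
    alerts = []
    if previous["Policy name"] != new_policy:
        alerts.append("Policy Name Change")
    if previous.get("Install time") != current.get("Install time"):
        alerts.append("Policy Installed")    # policy (re)pushed since last poll
    return alerts


def svn_alerts(current: Optional[Dict[str, str]], max_cpu_pct: float = 90.0,
               min_free_disk_mb: float = 500.0) -> List[str]:
    """Table 2.4, SVN Foundation row: thresholds over one 'cpstat os' snapshot."""
    if current is None:
        return ["No Connection"]             # AMON query failed or timed out
    alerts = []
    cpu = NUMBER.search(current.get("CPU usage", ""))
    disk = NUMBER.search(current.get("Free disk space", ""))
    if cpu and float(cpu.group()) > max_cpu_pct:
        alerts.append("Max. CPU Usage")
    if disk and float(disk.group()) < min_free_disk_mb:
        alerts.append("Min Free Disk Space")
    return alerts


# Constructed snapshots (not real cpstat output) so the script runs stand-alone.
FW_T0 = ("Product name:  VPN-1 & FireWall-1\nPolicy name:   Standard\n"
         "Install time:  Wed Apr  2 15:23:00 2003\nInterface table\n"
         "------------------------------\n|Name|Direction|Total|Accept|\n")
FW_T1 = FW_T0.replace("15:23:00", "16:05:41")                   # same policy re-pushed
FW_T2 = FW_T1.replace("Standard", "Standard_v2").replace("16:05:41", "17:00:02")
FW_T3 = "Product name:  VPN-1 & FireWall-1\nPolicy name:   -\nInstall time:  -\n"
OS_HOT = "OS Name:       SecurePlatform\nCPU usage:     97%\nFree disk space: 120 MB\n"

if __name__ == "__main__":
    snaps = [None] + [parse_cpstat(s) for s in (FW_T0, FW_T1, FW_T2, FW_T3)]
    for prev, cur in zip(snaps, snaps[1:]):
        print(cur.get("Policy name"), "->", firewall_alerts(prev, cur))
    print(svn_alerts(parse_cpstat(OS_HOT)), svn_alerts(None))
```

Only fetch_snapshot touches a real module, and it needs the Check Point CLI on the polling host plus SIC trust to the target; the __main__ section uses the constructed snapshots so the logic can be exercised anywhere. Keying "Policy Installed" on the install time rather than the name is what lets the check catch a policy that was re-pushed under the same name, which a name-only comparison would miss.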

Posted: 14/08/2014, 18:20
