SECURITY CHANGE MANAGER
WORKING WITH CHECK POINT
FIREWALL-1 AND NG
DEVICE PACK 4.5
MARCH 2010

Revision 17
Manual reference: udoc-sps-00533-en
Author(s): Documentation Team

The information contained in this document may be subject to modification without prior notice and LogLogic assumes no responsibility for any errors that may appear in it.

This documentation concerns LogLogic's software Security Change Manager 8.2.

Copyright © 2010 LogLogic. All rights reserved.

The product described in this document is protected by French patent number FR97/13254 and may be protected by other US patents, foreign patents or pending applications.

Solsoft™ and Exaprotect™ are trademarks of EPT Software Group.

All other products mentioned herein are trademarks or registered trademarks of their respective owners.
Working with Check Point FireWall-1 and NG
Table of Contents

1. Installation
  1.1. System Requirements
    1.1.1. Device OS Versions Supported
    1.1.2. Licenses
  1.2. Installation
  1.3. Limitations
    1.3.1. Case Sensitivity
2. Features supported on Check Point FireWall-1
  2.1. Global Features Support
  2.2. Firewall Features
  2.3. NAT Features
  2.4. VPN Features
  2.5. Management Server Features
3. Basic Concepts in Security Change Manager's Interaction with Check Point FireWall-1
  3.1. Overview of Check Point FireWall-1 and Security Change Manager Interaction
  3.2. Check Point FireWall-1 Management Server Object
    3.2.1. Management Server
    3.2.2. Management Station
    3.2.3. Two Kinds of PEPs
    3.2.4. Management Server/PEP Compatibility Matrix
  3.3. Generation Process
    3.3.1. Process
    3.3.2. Difference between a Translated Object and a Generated Object
  3.4. Naming Rules for Check Point FireWall-1 Objects
    3.4.1. Example
    3.4.2. Comments Generated for Traceability between Security Change Manager Objects and Check Point FireWall-1 Objects
    3.4.3. Object Colors
  3.5. Upload Preparation
  3.6. Upload Process
4. How Security Change Manager Objects Map to Check Point FireWall-1
  4.1. Translation of Network Objects
  4.2. Translation of Class Objects
  4.3. Translation of Management Server Objects
    4.3.1. Check Point Host Default Fields or Check Point Gateway
    4.3.2. Check Point FireWall-1 Interoperable Default Fields
  4.4. Translation of Nexus Objects
  4.5. Translation of PEP Objects
    4.5.1. A Translated Security Change Manager Check Point FireWall-1 PEP
    4.5.2. Specific Translated Fields
      Log
      Interface Netmask
      Anti-Spoofing
    4.5.3. Check Point Gateway or Externally Managed Gateway Default Fields
      Process
  4.6. Translation of Services
    4.6.1. Generation Process
      Principle
      Syntax of the Mapping Table
      Example
    4.6.2. A Translated Security Change Manager Service
      Naming Convention
      Security Change Manager IGMP Translated Fields
  4.7. Translation of Implicit Generated Objects
    4.7.1. Anti-spoofing
    4.7.2. Expand Internet: Objects Generated
  4.8. Translation of Permissions
  4.9. Translation of Time Definition Rules
    4.9.1. What cannot be translated
  4.10. Translation of NAT Rules
    4.10.1. Example
    4.10.2. Rules
    4.10.3. Security Change Manager NAT Rules Translated Fields
  4.11. Translation of Limited Path Zones
  4.12. Translation of Default Objects
    4.12.1. All Networks
    4.12.2. All PEPs
  4.13. Translation of User Authentication
5. How to Define and Deploy a Security Policy on Check Point FireWall-1
  5.1. First Use of Check Point FireWall-1
    5.1.1. SSL Certification and Encryption Procedure
    5.1.2. Clear OPSEC Connection Type Procedure
  5.2. Configure a Check Point GX Management Server
    5.2.1. First step: Creating custom services and defining the policy
    5.2.2. Second step: Defining precisely the custom services
  5.3. Define and Deploy a Policy
    5.3.1. Step 1: Defining the Secure Topology
    5.3.2. Step 2: Security Policy Definition
    5.3.3. Step 3: Audit
    5.3.4. Step 4: Define Rules
    5.3.5. Step 5: Compile the Security Policy
    5.3.6. Step 6: Prepare Upload on Each Directly-Managed PEP and Each Management Server
      Prerequisites
      Procedure
    5.3.7. Step 7: Deploy the Policy
  5.4. Define and Manage an Existing Policy
    5.4.1. Purpose
    5.4.2. Prerequisites
    5.4.3. Step 1: Perform a Check Point FireWall-1 Import
    5.4.4. Step 2: Secure Topology Definition, if You Do Not Perform an Import
    5.4.5. Other Steps
  5.5. Create an Authentication Rule
6. How to Perform an Import from Check Point FireWall-1
  6.1. What will be Imported/ not Imported
  6.2. Performing a Standard Import from Check Point FireWall-1
    6.2.1. Step 1: Create and Configure a Management Server
    6.2.2. Step 2: Perform the Import
    6.2.3. Step 3: Add the Missing Topology
    6.2.4. Step 4: Connect and Group Attached Objects
    6.2.5. Step 5: Various Checks to Perform
  6.3. Performing a Local Import of Check Point FireWall-1 Policy
  6.4. Cleaning the Database Before Upload
7. How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager
  7.1. First-Time: Define Non-supported Concepts on the Management Server
    7.1.1. Step 1: Upload Security Change Manager Security Policy on the Management Server
    7.1.2. Step 2: Add Specific Properties
    7.1.3. Step 3: Add Other Objects not Supported by Security Change Manager
    7.1.4. Step 4: Define the Include Rules/ Create a New Policy on the Real Management Server
    7.1.5. Step 5: Modify the Management Server Options
    7.1.6. Step 6: Upload
  7.2. How to Manage User Groups
8. Client-to-Gateway VPN on Check Point FireWall-1 NG
  8.1. Procedure
    8.1.1. On the Check Point FireWall-1
    8.1.2. On the Management Server
    8.1.3. PEPs Supporting Remote Access
    8.1.4. Specific Parameters
      On the device VPN node
    8.1.5. Implicit Permissions
  8.2. VPN Limitations
    8.2.1. Global Limitations
      VPN-1 Net
      DES-40 and CAST-40
      Multiple Entry Point VPNs (MEP)
    8.2.2. Remote Access Limitations
      User Groups
      Office Mode is disabled on the gateway
      IP pool is defined through a DHCP server
      Hybrid Mode
      Enable VPN routing
      Desktop security policy
      Visitor Mode
      Transparent mode
      Clientless VPN
      IPsec/L2TP tunnels
      Number of tunnels
    8.2.3. First-time Upload of a VPN Policy
9. Gateway-to-Gateway VPN on Check Point FireWall-1 NG and NG AI
  9.1. Procedure
    9.1.1. On the Security Change Manager
    9.1.2. On the Check Point FireWall-1 Management Server
      Procedure
    9.1.3. VPN Domains
  9.2. VPN Limitations
    9.2.1. Global Limitations
      VPN-1 Net
      DES-40 and CAST-40
      Multiple Entry Point VPNs (MEP)
    9.2.2. Site-to-site limitation
      Usage of the Simplified Mode
10. Check Point FireWall-1 Cluster Management
  10.1. Procedure
    10.1.1. On the Check Point FireWall-1 Management Server
    10.1.2. On the Security Change Manager Designer
  10.2. Limitations
11. Provider-1 Management Server Installation
  11.1. Adding a Provider-1 Management Server
12. Check Point FireWall-1 Properties Windows
  12.1. Description
  12.2. General Options
    12.2.1. Security Profile
      Common Security Parameters
      Replace Address
      Replace Service
    12.2.2. Virtual System
    12.2.3. Authentication
      Enabled Authentication Schemes
      Authentication Settings
      HTTP Security Server
  12.3. Policy Learning Mode
  12.4. Common Interface Options
  12.5. Interface Options
    12.5.1. Security Profile
      Common Security Parameters
      Replace Address
      Replace Service
    12.5.2. IP Addresses
      Static IP Addresses
      Dynamic Addresses Pool
      IP Addresses
  12.6. VPN Options
    12.6.1. IKE Capabilities
    12.6.2. IPSec Capabilities
    12.6.3. Remote Access VPN
  12.7. Upload Configuration
  12.8. Tunnel Peer Options
    12.8.1. Interface
  12.9. Authentication User Definition
    12.9.1. flowListIn
    12.9.2. flowListOut
    12.9.3. flowListExternal
13. Check Point FireWall-1 Cluster Properties Windows
  13.1. Description
  13.2. General Options
    13.2.1. Security Profile
      Common Security Parameters
      Replace Address
      Replace Service
    13.2.2. Authentication
      Enabled Authentication Schemes
      Authentication Settings
      HTTP Security Server
  13.3. Cluster Options
    13.3.1. Availability Parameters
    13.3.2. Synchronization
      Synchronization Networks
  13.4. Policy Learning Mode
  13.5. Common Interface Options
  13.6. Interface Options
    13.6.1. Security Profile
      Common Security Parameters
      Replace Address
      Replace Service
    13.6.2. IP Addresses
      Static IP Addresses
      Dynamic Addresses Pool
      IP Addresses
  13.7. VPN Options
    13.7.1. IKE Capabilities
    13.7.2. IPSec Capabilities
    13.7.3. Remote Access VPN
  13.8. Tunnel Peer Options
    13.8.1. Interface
  13.9. Authentication User Definition
    13.9.1. flowListIn
    13.9.2. flowListOut
    13.9.3. flowListExternal
14. FireWall-1 Management Server Properties Windows
  14.1. Description
  14.2. General Options
    14.2.1. Include Policy
    14.2.2. Security Server
      HTTP Servers
        HTTP Server
    14.2.3. Authentication
      Failed Authentication Attempts
      Authentication of Users with Certificates
      Early Versions Compatibility
    14.2.4. Local Security Policy
    14.2.5. VPN
      CRL Grace Period
      IKE Denial of Service protection
      Remote Access
        Certificates
        Secure Configuration Verification
    14.2.6. GTP Services
      GTP Service
    14.2.7. Import
  14.3. Upload Configuration
    14.3.1. Connection Options
    14.3.2. Paths
    14.3.3. Authentication
    14.3.4. Prompts
    14.3.5. FireWall-1 Options
15. Provider-1 Management Server Properties Windows
  15.1. Description
  15.2. General Options
    15.2.1. Managed CMAs
Index
List of Figures

3.1. Overview of the Security Change Manager and Check Point FireWall-1 Concepts
3.2. Compilation, Preparation Upload, and Upload
4.1. An Example of a NAT Rule
5.1. Creation of new OPSEC Application in SmartDashboard
5.2. CPMI option enabled
5.3. SSL Certification and Encryption Option
5.4. Getting Certificate Dialog Box
5.5. Clear Option
5.6. Creation of a custom gtpv1 service cloning the existing gtpv1
5.7. Defining security policy using custom service
5.8. Activation of Check Point GX options in Management Server Properties
5.9. GTP Service options
5.10. Implicit Rules: Local Security Policy
5.11. Security Server
5.12. Authentication: Failed Authentication Attempts
5.13. Authentication: Users with certificates
5.14. Authentication: Early Versions Compatibility
5.15. Upload Configuration: Connection Options
5.16. Add Managed PEPs
6.1. Management Server Properties: Identification
6.2. Management Server Properties: Upload Configuration: Connection Options
6.3. Management Server Properties: Upload Configuration: Authentication (NG)
6.4. Management Server Properties: Upload Address
6.5. CheckPoint Import Dialog Box: Choose Elements to be Imported
6.6. CheckPoint Import Report
6.7. Synchronization Network on Cluster
6.8. Policy Audit Through Report interface selection
6.9. CheckPoint Import Dialog Box: Import of objects_5_0.C file
6.10. CheckPoint Import Dialog Box: Import of rulebase.fws file
6.11. CheckPoint Import Dialog Box: Choose Elements to be Imported
6.12. CheckPoint Import Dialog Box: Choose Policy to be Imported
6.13. CheckPoint Import Report
6.14. CheckPoint Import Terminated
6.15. Options: Clean Database Before Upload
7.1. Upload Configuration Set to Copy Only
9.1. VPN Domain Deduction
10.1. SIC Authentication Key Activated
10.2. Management Server Referenced on the Cluster
10.3. Cluster XL Enabled Option
10.4. Selection of Cluster Members
10.5. Selection of Availability Operation Mode
10.6. Selection of Synchronization Network
10.7. Example of Cluster
List of Tables

2.1. Global Features Support
2.2. Firewall Features
2.3. Description of Features listed in Table 2.2, "Firewall Features"
2.4. NAT Features
2.5. Description of Features listed in Table 2.4, "NAT Features"
2.6. VPN Features
2.7. Management Server Features
3.1. Management Server/PEP Compatibility Matrix
3.2. Prefixes of All Generated Objects
3.3. Example of the Translation of a Class into a Check Point FireWall-1 Group
3.4. Comments Generated for Check Point FireWall-1 Objects
4.1. Security Change Manager Network Object Rules
4.2. Security Change Manager Class Object Rules
4.3. Translation of Specific Fields
4.4. SCM Log Numbers
4.5. Translated Security Change Manager Service
4.6. Security Change Manager Permission Fields
4.7. Security Change Manager NAT Fields
5.1. Define a Rule on the Management Server
6.1. What will be imported/ not imported from Check Point FireWall-1 NG and NG AI
8.1. VPN: Specific Parameters
Chapter 1. Installation

1.1. System Requirements (page 1)
1.1.1. Device OS Versions Supported (page 1)
1.1.2. Licenses (page 1)
1.2. Installation (page 1)
1.3. Limitations (page 1)
1.3.1. Case Sensitivity (page 1)
The synergy between Check Point FireWall-1 and Security Change Manager means increased productivity for the network administrator who must develop rational security policies for complex networks.
1.1. System Requirements
1.1.1. Device OS Versions Supported
For the Check Point FireWall-1 PEPs: NG FP3, NG AI R55, NGX (R60, R62, R65), VSX NGX (R65), R70.
For the Check Point FireWall-1 Cluster: NG FP3, NG AI, NGX (R60, R62, R65), VSX NGX (R65), R70.
For the Firewall-1 Management Server: NG FP3, NG AI, NGX (R60, R62, R65), R70.
For the Provider-1: NGX R65 is supported.
The following devices are also supported:
• Nortel Networks Alteon Switched Firewall: NG FP3, NG AI R55, NGX (R60, R62, R65), VSX NGX (R65), R70
• Nortel Networks ASF Cluster: NG FP3, NG AI R55, NGX (R60, R62, R65), VSX NGX (R65), R70
1.1.2. Licenses
You must have purchased and installed the special Security Change Manager option for use with Check Point FireWall-1. If you do not have this license, you will not be able to create a FireWall-1 PEP or a management server.
1.2. Installation
Follow the directions in the Security Change Manager Installation Guide.
1.3. Limitations
1.3.1. Case Sensitivity
Check Point FireWall-1 NG is case sensitive. Therefore, two objects can be created with the same name in different cases, but Security Change Manager will not manage them as two devices.
Chapter 2. Features supported on Check Point FireWall-1

2.1. Global Features Support (page 3)
2.2. Firewall Features (page 3)
2.3. NAT Features (page 5)
2.4. VPN Features (page 6)
2.5. Management Server Features (page 7)
This chapter presents the various Check Point FireWall-1 NG SmartCenter Server features and indicates whether each is supported by Security Change Manager.
Legend for all the following tables:
• Yes: Supported by Security Change Manager
• No: Not supported by Security Change Manager
• N/A: Not Applicable
2.1. Global Features Support
Table 2.1. Global Features Support
Feature            SCM Support
Firewall           Yes
NAT                Yes
VPN                Yes
Management         Yes
Import             Yes
2.2. Firewall Features
Table 2.2. Firewall Features
Feature                          SCM Support
ICMP Error                       Yes
Thorough Logging                 Yes
Central Filtering                Yes
TCP Established                  Yes
ICMP Filtering                   Yes
Extended IP Filtering            Yes
Stateful Filtering               Yes
Time Control Filtering           Yes
Flow Authentication
  Internal User DB               Yes
  External User DB               Yes
Clustering Support
  Failover                       Yes
  Load Balancing                 Yes
  IPsec cluster                  Yes
Table 2.3. Description of Features listed in Table 2.2, "Firewall Features" (page 3)

ICMP Error: The PEP is able, by default, to generate an ICMP error message (destination net unreachable) on denied access, and Security Change Manager is able to configure the device accordingly.
Thorough Logging: The PEP is able to log accepted and refused flows, and Security Change Manager is able to configure the device accordingly.
Central Filtering: The PEP is able to perform filtering in its routing table rather than on its interfaces, and Security Change Manager is able to configure the device accordingly.
TCP Established: The PEP is able to distinguish between a TCP packet used to request establishment of a connection and a standard TCP packet, and Security Change Manager is able to configure the device accordingly. This makes it possible to specify the direction of the TCP flow.
ICMP Filtering: The PEP is able to filter the ICMP protocol, and Security Change Manager is able to configure the device accordingly.
Extended IP Filtering: The PEP is able to filter an arbitrary IP protocol other than ICMP, UDP, or TCP, and Security Change Manager is able to configure the device accordingly.
Stateful Filtering: The PEP is able to perform dynamic filtering, and Security Change Manager is able to configure the device accordingly.
Time-controlled Filtering: The PEP is able to use time filtering, and Security Change Manager is able to configure the device accordingly.
Flow Authentication: The PEP is able to use an external User DB for flow authentication. Security Change Manager is able to configure the device to use this DB.
2.3. NAT Features
Table 2.4. NAT Features
Feature                          SCM Support
Source NAT
  Static                         Yes
  Unistatic                      Yes
  Pool                           N/A
  PAT                            Yes
  Masquerading                   Yes
Destination NAT
  Static                         Yes
  Unistatic                      Yes
  Pool                           N/A
Service NAT                      Yes
Restrict Application Point       No
Table 2.5. Description of Features listed in Table 2.4, "NAT Features" (page 5)

Static: Capacity to support bi-directional static translation. An address that is translated in this manner will be statically transformed for both outgoing connections and incoming connections.
Unistatic support: Capacity to support uni-directional static translation. A typical example is when one server is to be made available from outside with static translation for incoming communication, while the server performing outgoing communication will be masqueraded.
Pool: Capacity to support address translation through an address pool.
PAT: Capacity to support Port Address Translation.
Masquerading: Capacity to support the Masquerading type of translation (use of the outgoing firewall interface as the source address).
Service NAT: Ability to define NAT transformations restricted to selected IP services.
Restrict Application Point: Ability to apply a NAT rule on a specific interface of the Policy Enforcement Point, thus not affecting traffic not going through this interface.
2.4. VPN Features
Table 2.6. VPN Features
Feature                                  SCM Support
Gateway - Gateway IPsec VPN
  PSK Auth Method                        PSK set manually on SmartCenter (CPMI limitation)
  RSA-Sig Auth Method (PKI)              Yes
  NAT Traversal                          Yes
  IPsec Keepalive                        N/A
  Dynamic Peer Address                   No
Client - Gateway IPsec VPN
  PSK Auth Method                        Yes (PSK set manually on SmartCenter (CPMI limitation))
  RSA-Sig Auth Method (PKI)              Yes
  Internal User Database                 Yes
  External User Database                 Yes
  Split Tunnelling Management            Yes
  NAT Traversal                          Yes
Encryption Support
  DES                                    Yes
  3DES                                   Yes
  AES (multiple types)                   Yes
2.5. Management Server Features
Table 2.7. Management Server Features
Feature                                  SCM Support
Communication Method
  SNMP Refresh                           No
  Encrypted Upload                       Yes, with SSL Certificate & Encryption (OPSEC)
  Upload Clear (less secure)             Yes, with definition of the OPSEC Application Distinguished Name (in the Management Server properties)
Management Authentication
  Internal User database                 Yes
  External Authentication Methods list   N/A
Failsafe                                 Yes
Rollback                                 No
Log
  Logging Server Configuration           No
Policy
  Learning Mode                          Yes
Import                                   Yes
Clustering Support
  Failover                               Yes
  Load Balancing                         Yes
  IPsec cluster                          Yes
Chapter 3. Basic Concepts in Security Change Manager's Interaction with Check Point FireWall-1

3.1. Overview of Check Point FireWall-1 and Security Change Manager Interaction (page 9)
3.2. Check Point FireWall-1 Management Server Object (page 10)
3.2.1. Management Server (page 11)
3.2.2. Management Station (page 11)
3.2.3. Two Kinds of PEPs (page 11)
3.2.4. Management Server/PEP Compatibility Matrix (page 11)
3.3. Generation Process (page 11)
3.3.1. Process (page 11)
3.3.2. Difference between a Translated Object and a Generated Object (page 12)
3.4. Naming Rules for Check Point FireWall-1 Objects (page 12)
3.4.1. Example (page 12)
3.4.2. Comments Generated for Traceability between Security Change Manager Objects and Check Point FireWall-1 Objects (page 14)
3.4.3. Object Colors (page 14)
3.5. Upload Preparation (page 14)
3.6. Upload Process (page 14)
This section describes a number of concepts with which you should be familiar before you learn to upload and compile your policies to a Check Point FireWall-1 PEP.
3.1. Overview of Check Point FireWall-1 and Security Change Manager Interaction
Figure 3.1. Overview of the Security Change Manager and Check Point FireWall-1 Concepts
With Security Change Manager Designer you can define a global security policy for all PEPs that Security Change Manager manages.
To manage a Check Point FireWall-1, Security Change Manager updates and enforces the Security Policy on the Check Point FireWall-1 Management Server using the OPSEC CPMI API on NG.
With Security Change Manager you can therefore define all the permissions; as for other PEPs, it automatically determines the enforcement points and the anti-spoofing rules attached to each interface. Check Point FireWall-1 concepts not supported by Security Change Manager can still be used through a specific generation process. Please see Chapter 7, How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager (page 63) for further information.
Figure 3.2. Compilation, Preparation Upload, and Upload
3.2. Check Point FireWall-1 Management Server Object
3.2.1. Management Server
Security policy is enforced directly on all other PEPs managed by Security Change Manager. However, on a Check Point FireWall-1 PEP, the security policy is uploaded to the Check Point FireWall-1 management server, then Security Change Manager sends the commands to the Check Point FireWall-1 management server to compile and install the security policy on the PEP that it manages. Therefore, a new object in the Security Change Manager map represents the management server object.
3.2.2. Management Station
In this document, when the term "management station" is used, it refers to the station where the management server is installed.
3.2.3. Two Kinds of PEPs
There are two kinds of PEPs:
• Directly Managed PEP: A PEP that can be managed directly from Security Change Manager. Security Change Manager can upload directly on this PEP.
• Indirectly Managed PEP: A PEP that can be managed only through a Management Server object. Security Change Manager can only upload on the management server. It is the management server that will upload on the PEPs.
3.2.4. Management Server/PEP Compatibility Matrix
The following table shows the PEPs that can be managed by each type and version of a management server.
Note that Check Point FireWall-1 NGX R63 is not supported by Security Change Manager.
Table 3.1. Management Server/PEP Compatibility Matrix

Management Server Type & Version     Indirectly Managed PEP Type & Version
Check Point FireWall-1 NG FP3        Check Point FireWall-1 4.1, NG FP1 to FP3
Check Point FireWall-1 NG AI R55     Check Point FireWall-1 4.1, NG FP1 to NG AI
Check Point FireWall-1 NGX R62       Check Point FireWall-1 NGX R60 to R62, NG FP3, NG AI to FP3
Check Point FireWall-1 NGX R65       Check Point FireWall-1 NGX R60 to R65, NG FP3, NG AI to FP3
Provider-1 NGX R65                   Check Point FireWall-1 NGX R60 to R65, NG FP3, NG AI to FP3
3.3. Generation Process
3.3.1. Process
When a SCM object is translated into a Check Point FireWall-1 object, Security Change Manager generates the Check Point FireWall-1 object from the properties set on the SCM network object, and then patches the Check Point FireWall-1 object properties that are not managed in Security Change Manager.
The Check Point FireWall-1 specific object properties are either supplied by Security Change Manager with default values, or taken from an object whose properties not managed by Security Change Manager have been set on the management server.
3.3.2. Difference between a Translated Object and a Generated Object
A translated object is a SCM object that corresponds to one Check Point FireWall-1 object. This object can be used in security policy rules because it will not change its name, even if its contents (for instance, addresses) change. In other words, the object existed as an object in Security Change Manager and this object can be used in Check Point FireWall-1.
A generated object is a SCM object that needed to be created to match the Security Change Manager set of IP addresses or to enforce an option such as anti-spoofing. In other words, the object did not exist as an object in Security Change Manager and this object had to be invented in order for it to be used in Check Point FireWall-1. Refer to Table 3.3, "Example of the Translation of a Class into Check Point FireWall-1 group" (page 13).
3.4. Naming Rules for Check Point FireWall-1 Objects
The following rules are applied for the translated Security Change Manager name:
1. Each character that is not allowed by Check Point FireWall-1 is replaced by a '_', except for the first character (where '_' is not allowed), which is replaced by a 'Z'. The character set allowed by Check Point FireWall-1 is: [A-z] [A-z 0-9_-.]*
2. The name is truncated to 90 characters.
Note
When you look at a class or management server assigned inside a network, nexus, or a PEP, it will be translated as in the following example: Network/class becomes network_class.
Recommendation: Create names that begin with a letter and have a length of less than 90 characters in order to locate them easily in the Check Point FireWall-1 Policy Editor.
The following rules are applied for the name of a generated object:
1. Generated objects are prefixed by NP_<Letter>. Please see the table below.
2. The name has a <4 digit> suffix to differentiate each name of the generated Check Point FireWall-1 objects.
3.4.1. Example
When generating two Check Point FireWall-1 objects whose corresponding Security Change Manager network object is @loglogic.fr (domain), the first one is NP_N_Zloglogic_fr__domain__0000 and the second one is NP_N_Zloglogic_fr__domain__0001.
Table 3.2. Prefixes of All Generated Objects

Prefix           Comments
NP_A             All generated Check Point FireWall-1 group objects from the Security Change Manager anti-spoofing option.
NP_C             All generated Check Point FireWall-1 objects from a Security Change Manager Class.
NP_E             All generated Check Point FireWall-1 group objects from the Security Change Manager expand internet option.
NP_I             The interface name of the Check Point FireWall-1 Interoperable Device generated from the nexus.
NP_N             All generated Check Point FireWall-1 objects from a Security Change Manager Network.
NP_O_..VFP_..    All generated objects for NAT and limited path zones.
NP_R             All generated Check Point FireWall-1 range objects from the Security Change Manager NAT rule (in this case the name has the form NP_R<address range>).
NP_S             All generated and translated Check Point FireWall-1 services.
NP_T             All generated Check Point FireWall-1 time objects from the Security Change Manager Time definition.
Warning
The Security Change Manager objects that become generated objects will be erased, while translated Security Change Manager objects will be patched. That is, all names will be prefixed by NP_<Letter>_.
Table 3.3. Example of the Translation of a Class into Check Point FireWall-1 group

Security Change Manager     Check Point FireWall-1
@example(ex)                Equivalent group will be: Zexample_ex_
                            Generated network: NP_C_Zexample_ex__001
                            Generated network: NP_C_Zexample_ex__002

In this example, a Security Change Manager class is translated into a Check Point FireWall-1 group that contains two generated networks from the Security Change Manager class contents.
3.4.2. Comments Generated for Traceability between Security Change Manager Objects and Check Point FireWall-1 Objects
The following table shows the comments generated for traceability between Security Change Manager objects and Check Point FireWall-1 objects.
Table 3.4. Comments Generated by Check Point FireWall-1 Objects
Check Point FireWall-1 object type     Comments generated
Translated object                      Translated from LogLogic <object type> '<object name>' at <Date> {<object comments content>}
Generated object                       Generated from LogLogic <object type> '<object name>' at <Date>
3.4.3. Object Colors
To easily differentiate translated objects from generated objects, the translated objects are blue and generated objects are cyan. These colors can be customized in the management server properties window (in Upload Configuration → Firewall-1 Options). Please refer to the Security Change Manager Reference Guide for more information.
3.5. Upload Preparation
The Check Point FireWall-1 PEP requires an upload preparation step before upload is carried out. Upload preparation has one or both of the following functions:
• Merges a Security Change Manager policy with pre-existing filters loaded in the PEP's memory
• Creates filters combining a Security Change Manager policy definition with a Check Point FireWall-1 object definition that contains concepts not supported by Security Change Manager.
Upload preparation on Check Point FireWall-1 takes many management server parameters into account.
3.6. Upload Process
The upload between Security Change Manager and the Check Point FireWall-1 Management Server uses secure communication through OPSEC CPMI.
Upload on the management server allows you to stop the process at different steps by setting the policy parameter in the upload window.
• Copy Only: Stops immediately after copying.
• Upload on PEPs: Stops after copying, compiling, and uploading the security policy on the PEPs that it manages.
Chapter 4. How Security Change Manager Objects Map to Check Point FireWall-1

4.1. Translation of Network Objects (page 15)
4.2. Translation of Class Objects (page 16)
4.3. Translation of Management Server Objects (page 16)
4.3.1. Check Point Host Default Fields or Check Point Gateway (page 17)
4.3.2. Check Point FireWall-1 Interoperable Default Fields (page 18)
4.4. Translation of Nexus Objects (page 18)
4.5. Translation of PEP Objects (page 18)
4.5.1. A Translated Security Change Manager Check Point FireWall-1 PEP (page 18)
4.5.2. Specific Translated Fields (page 18)
Log (page 18)
Interface Netmask (page 19)
Anti-Spoofing (page 19)
4.5.3. Check Point Gateway or Externally Managed Gateway Default Fields (page 19)
Process (page 19)
4.6. Translation of Services (page 19)
4.6.1. Generation Process (page 19)
Principle (page 19)
Syntax of the Mapping Table (page 20)
Example (page 20)
4.6.2. A Translated Security Change Manager Service (page 20)
Naming Convention (page 21)
Security Change Manager IGMP Translated Fields (page 21)
4.7. Translation of Implicit Generated Objects (page 21)
4.7.1. Anti-spoofing (page 22)
4.7.2. Expand Internet: Objects Generated (page 22)
4.8. Translation of Permissions (page 22)
4.9. Translation of Time Definition Rules (page 22)
4.9.1. What cannot be translated (page 22)
4.10. Translation of NAT Rules (page 22)
4.10.1. Example (page 22)
4.10.2. Rules (page 23)
4.10.3. Security Change Manager NAT Rules Translated Fields (page 23)
4.11. Translation of Limited Path Zones (page 24)
4.12. Translation of Default Objects (page 24)
4.12.1. All Networks (page 24)
4.12.2. All PEPs (page 24)
4.13. Translation of User Authentication (page 24)
This chapter explains how each Security Change Manager object is translated into a Check Point FireWall-1 object.
4.1. Translation of Network Objects
Since a Check Point FireWall-1 Network object can be defined with only one IP address and a netmask, and since a SCM network may be linked to more than one Check Point FireWall-1 object, a SCM network will be translated into a group that will contain the Check Point FireWall-1 address ranges.

Table 4.1. Security Change Manager Network Object Rules

Case 1
  Security Change Manager Network: The Security Change Manager network is defined with more than one IP address and a netmask, or with an IP address range that is not netmaskable.
  Check Point FireWall-1 Objects: A group that contains either a set of networks or ranges (only if the management server manages NG PEP versions), each defined with only one IP address and a netmask, such that the set of networks matches the Security Change Manager network.
  Note: The name of the network created is prefixed by NP_N to remind you that it came from a Security Change Manager network.
Case 2
  Security Change Manager Network: A Security Change Manager network containing a * address (internet).
  Check Point FireWall-1 Objects: Check Point FireWall-1 Any object.
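The naming rules of section 3.4 (with the @loglogic.fr (domain) example of section 3.4.1) and the range splitting of Table 4.1, case 1, worked through in Python. This is an added example, not LogLogic's code; the sample range values are constructed, and because the page's own example turns loglogic.fr into loglogic_fr, the implementation assumes '.' is not an allowed character and keeps only letters, digits, '_' and '-'.

```python
"""Added example (not LogLogic's code): SCM name -> Check Point FireWall-1 name
under the rules of section 3.4, and an SCM network that is not expressible as
one address/netmask -> a set of NP_N_ networks as described in Table 4.1."""
import ipaddress
import re
from typing import List, Tuple

MAX_NAME_LEN = 90      # rule 2 of section 3.4: translated names are cut to 90 chars
SUFFIX_DIGITS = 4      # "<4 digit> suffix" of generated objects

# Assumption: the page's example maps "loglogic.fr" to "loglogic_fr", so '.' is
# treated as not allowed here although the stated character set lists it.
_ALLOWED = re.compile(r"[A-Za-z0-9_-]")
_FIRST_ALLOWED = re.compile(r"[A-Za-z]")   # first character must be a letter


def translate_name(scm_name: str) -> str:
    """Section 3.4 rules for a translated object name."""
    if not scm_name:
        raise ValueError("empty SCM name")
    out = []
    for i, ch in enumerate(scm_name):
        if i == 0:
            # '_' is not allowed as first character, so 'Z' is used instead
            out.append(ch if _FIRST_ALLOWED.match(ch) else "Z")
        else:
            out.append(ch if _ALLOWED.match(ch) else "_")
    return "".join(out)[:MAX_NAME_LEN]


def generated_name(prefix_letter: str, scm_name: str, index: int) -> str:
    """NP_<Letter>_<translated name>_<4 digits> (Table 3.2 and section 3.4.1).
    Assumption: the 90-character cut applies to the translated part only."""
    if index < 0 or index >= 10 ** SUFFIX_DIGITS:
        raise ValueError("generated-object counter out of range")
    return f"NP_{prefix_letter}_{translate_name(scm_name)}_{index:0{SUFFIX_DIGITS}d}"


def fw1_networks_for_scm_network(
        scm_name: str, ranges: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Table 4.1, case 1: split each SCM address range into the fewest
    address/netmask networks that cover it exactly, and give each one a
    generated NP_N_ name. Returns (FireWall-1 object name, CIDR) pairs; SCM
    would then put these objects into the group named after the SCM network."""
    result = []
    counter = 0
    for first, last in ranges:
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last)
        # summarize_address_range yields the minimal CIDR blocks covering lo..hi
        for net in ipaddress.summarize_address_range(lo, hi):
            result.append((generated_name("N", scm_name, counter), str(net)))
            counter += 1
    return result


if __name__ == "__main__":
    print(translate_name("@loglogic.fr (domain)"))
    # constructed sample: a /24 plus a 4-address range that is not netmaskable
    for name, cidr in fw1_networks_for_scm_network(
            "dmz-range", [("10.0.0.0", "10.0.0.255"), ("192.168.1.10", "192.168.1.13")]):
        print(name, cidr)
```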
4.2. Translation of Class Objects
The Security Change Manager Class objects are translated into Check Point FireWall-1 objects using the following rules:

Table 4.2. Security Change Manager Class Object Rules

Case 1
  Security Change Manager Class: A set of objects and/or a set of addresses and/or a set of single IP addresses.
  Check Point FireWall-1 Objects: A group that contains all the objects specified in a Security Change Manager Class plus either all created networks or ranges.
Case 2
  Security Change Manager Class: A Security Change Manager class containing a * or an object containing a * at any level.
  Check Point FireWall-1 Objects: Check Point FireWall-1 Any object.
4.3. Translation of Management Server Objects
A management server is represented where each IP address of the Security Change Manager is translated into an interface.
Note
The interface name will be automatically generated with the prefix NP_I.
Table 4.3. Translation of Specific Fields

Each pair below gives the SCM Management Server field first, then the Check Point FireWall-1 Mgt Server property (NG FP3 and NG AI R55) it is translated to.

SCM: Upload Configuration → FireWall-1 Options → Upload Only if Successful on ALL Managed PEPs
FW-1: This parameter will be used during the installation of the security policy on the PEPs

SCM: General Options → Local Security Policy → Log Implied Rules
FW-1: Global Properties → FireWall → Log Implied Rules

SCM: General Options → Local Security Policy → Accept VPN-1 & Check Point FireWall-1 Control Connections
FW-1: Global Properties → FireWall → Accept VPN-1 & FW-1 Control Connections

SCM: General Options → Local Security Policy → Accept Remote Access Control Connections
FW-1: Global Properties → FireWall → Accept Remote Access Control Connections

SCM: General Options → Local Security Policy → Accept RIP
FW-1: Global Properties → FireWall → Accept RIP

SCM: General Options → Local Security Policy → Accept Domain Name Over UDP (Queries)
FW-1: Global Properties → FireWall → Accept Domain Name Over UDP (Queries)

SCM: General Options → Local Security Policy → Accept Domain Name Over TCP (Zone Transfer)
FW-1: Global Properties → FireWall → Accept Domain Name Over TCP (Zone Transfer)

SCM: General Options → Local Security Policy → Accept ICMP
FW-1: Global Properties → FireWall → Accept ICMP requests

SCM: General Options → Local Security Policy → Accept Outgoing Packets Originating From Gateway
FW-1: Global Properties → FireWall → Accept Outgoing Packets Originating From Gateway

SCM: General Options → Local Security Policy → Accept CPRID Connections (SmartUpdate)
FW-1: Global Properties → FireWall → Accept control connections

SCM: General Options → Local Security Policy → Accept Dynamic Address Modules' DHCP traffic
FW-1: Global Properties → FireWall → Accept dynamic address modules' DHCP traffic
4.3.1. Check Point Host Default Fields or Check Point Gateway
The following Check Point Host options will not be modified by Security Change Manager.
• General → Modules Installed
• General → Color
• General → Web Server
• NAT
• Smart Directory
• Smart View Monitor
• User Authority Server
• User Authority Web Access
• FireWall-1 GX
• logs and masters
• Capacity Optimization
• Advanced
4.3.2. Check Point FireWall-1 Interoperable Default Fields
These fields in the interoperable device can be changed by the network administrator.
They will not change during the generation process:
• General → Colors
• FireWall-1 GX tab
4.4. Translation of Nexus Objects
This object is translated into a gateway node, where each IP address of the Security Change Manager will be translated into an interface.
Note
The interface name will be automatically generated with the prefix NP_I.
4.5. Translation of PEP Objects
4.5.1. A Translated Security Change Manager Check Point FireWall-1 PEP
A Firewall-1 NG PEP is represented by a Check Point Gateway on the Management Server that manages it, and by an externally managed Check Point gateway on a Management Server that does not manage it.
4.5.2. Specific Translated Fields
Log
Note
The anti-spoofing log is enforced when the Log Level for the Default Rule is set in Interfaces → Interface Name → Options, or when the log is set in the permission. Note that when an Account is set on a deny flow, it will be automatically transformed into a log, because Accounting is not allowed for deny or drop rules on Check Point FireWall-1.
Table 4.4. SCM Log Numbers

Case #          Security Change Manager     Check Point FireWall-1
1               Log                         Log
2               Account                     Log
3               Alert                       Alert
4               Mail                        Log
5               SnmpTrap                    Log
6               User Defined                Log
7               User Defined2               Log
8               User Defined3               Log
Other numbers   Log                         Log
Interface Netmask
In order to specify the interface netmask, you can type the interface IP address with the netmask. If not, the netmask of the object it is connected to will be used.
Anti-Spoofing
If the generated anti-spoofing rule is set on the Check Point FireWall-1 PEP, a group will be automatically generated and attached to the interface of the Check Point Gateway.
4.5.3. Check Point Gateway or Externally Managed Gateway Default Fields
In NG, the following fields will be changed during generation.
Process
• General → Color
• General → Additional Products
• Remote Access → Clientless VPN
• Smart Directory (LDAP)
• Log and Masters
• Capacity Organization
• Advanced
4.6. Translation of Services
4.6.1. Generation Process
Principle
The service mapping table is stored in the fw1MgtServer.xml file and defines the relation between Security Change Manager and Check Point FireWall-1 services. The table takes into account the differences between the 4.0, 4.1, NG FP3, NG AI R55, NGX (R60, R62, R65) and R70 versions.
When the security policy is generated, for each service:
• If the service is in the mapping table, the entry will be used to find the corresponding Check Point FireWall-1 service name for the generation.
• If the service is not in the mapping table, a Check Point FireWall-1 custom service will be generated if possible.
Syntax of the Mapping Table
<SingleCapability name="service_<scm service>" type="string" value="<FW-1 service>" hidden="yes" const="yes"/>
indicates that <scm service> is mapped to <FW-1 service> for any version of Check Point FireWall-1.
To specify for which versions that mapping is available, insert one of the following lines after the line above (do not forget to remove the "/" character at the end of the preceding line, i.e. in const="yes"/>):
• <Condition type="version" dependency="version" min="4.0.0" max="4.0.99"/>
  to indicate the version range in which the mapping is right.
• <Condition type="version" dependency="version" min="4.0.0"/>
  to indicate from which version the mapping is right.
• <Condition type="version" dependency="version" max="4.1.0"/>
  to indicate the version up to which the mapping is right.
Then add the </SingleCapability> tag at the end to close the <SingleCapability> definition.
Note
Check Point FireWall-1 services are case sensitive, while Security Change Manager services are case insensitive.
Example
<SingleCapability name="service_ike" type="string" value="IKE" hidden="yes" const="yes">
  <Condition type="version" dependency="version" min="4.1.0"/>
</SingleCapability>
<SingleCapability name="service_ike" type="string" value="ISAKMP" hidden="yes" const="yes">
  <Condition type="version" dependency="version" min="4.0.0" max="4.0.99"/>
</SingleCapability>
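An added example, not LogLogic's code, that reads a mapping table written in the syntax above and resolves the Check Point FireWall-1 service name for a given SCM service and FireWall-1 version, including the case-insensitive SCM lookup and the "no mapping, generate a custom service" fall-through. The <Capabilities> wrapper element and the service_http entry are constructed assumptions so that the fragment parses stand-alone.

```python
"""Added example (not LogLogic's code): resolve an SCM service through a
fw1MgtServer.xml-style mapping table using the <SingleCapability> and
<Condition type="version"> syntax described in section 4.6.1."""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample: the page's IKE example plus one unconditional entry.
# The <Capabilities> root is an assumption; the real file's root is not shown.
MAPPING_XML = """<Capabilities>
  <SingleCapability name="service_ike" type="string" value="IKE" hidden="yes" const="yes">
    <Condition type="version" dependency="version" min="4.1.0"/>
  </SingleCapability>
  <SingleCapability name="service_ike" type="string" value="ISAKMP" hidden="yes" const="yes">
    <Condition type="version" dependency="version" min="4.0.0" max="4.0.99"/>
  </SingleCapability>
  <SingleCapability name="service_http" type="string" value="http" hidden="yes" const="yes"/>
</Capabilities>"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.0.99' -> (4, 0, 99); tuples compare so that 4.0.99 < 4.1.0."""
    return tuple(int(part) for part in text.split("."))


def condition_matches(cond: ET.Element, version: Tuple[int, ...]) -> bool:
    """A version Condition holds when min <= version <= max; either bound may be absent."""
    if cond.get("type") != "version":
        return False      # only version conditions are described on the page
    lo = cond.get("min")
    hi = cond.get("max")
    if lo is not None and version < parse_version(lo):
        return False
    if hi is not None and version > parse_version(hi):
        return False
    return True


def fw1_service_name(mapping_xml: str, scm_service: str, fw1_version: str) -> Optional[str]:
    """Return the FireWall-1 service mapped to scm_service for fw1_version.

    SCM service names are case insensitive (note in section 4.6.1), so the
    lookup lower-cases both sides. An entry with no Condition applies to every
    version. None means there is no mapping, the case in which Security Change
    Manager would try to generate a custom service instead."""
    root = ET.fromstring(mapping_xml)
    wanted = f"service_{scm_service.lower()}"
    version = parse_version(fw1_version)
    for cap in root.iter("SingleCapability"):
        if cap.get("name", "").lower() != wanted:
            continue
        conditions = cap.findall("Condition")
        if not conditions or all(condition_matches(c, version) for c in conditions):
            return cap.get("value")
    return None


if __name__ == "__main__":
    for svc, ver in (("ike", "4.0.3"), ("IKE", "4.1.0"), ("http", "4.0.0"), ("smtp", "4.1.0")):
        print(svc, ver, "->", fw1_service_name(MAPPING_XML, svc, ver))
```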
4.6.2. A Translated Security Change Manager Service
Table 4.5. Translated Security Change Manager Service

Case 1
  Security Change Manager Service: The service contains one protocol permission.
  Check Point FireWall-1 objects: The corresponding Check Point FireWall-1 service that maps to the Security Change Manager service type.
Case 2
  Security Change Manager Service: The service contains more than one protocol permission or service.
  Check Point FireWall-1 objects: A group of services.
Case 3
  Security Change Manager Service: The service contains a service not translatable into Check Point FireWall-1 (flow server->client).
  Check Point FireWall-1 objects: Error.
Naming Convention
Note
All generated and translated Check Point FireWall-1 services will be prefixed by NP_S_ because they will be generated at each compilation.
Check Point FireWall-1 does not allow the permission from server to client to be easily defined, so when a Security Change Manager service contains only such a permission, the following error message will occur:
Error: The Security Change Manager service <service name> couldn't be described in the Check Point FireWall-1 <PEP name> database. Associate it with an existing Check Point FireWall-1 service in the mapping table (refer to the documentation for more information).
When the service contains a permission from server to client, but also another type of permission, the following message will occur:
Warning: The return flow of scm service <service name> couldn't be well described in the Check Point FireWall-1 <PEP name> database. It is recommended to associate it with an existing Check Point FireWall-1 service in the mapping table (refer to the documentation for more information).
Security Change Manager IGMP Translated Fields
The IGMP message name/number will be ignored, so the filter will be less accurate than in Security Change Manager. Therefore, a warning message will occur:
Warning: IGMP message name is not supported by Check Point FireWall-1. It is recommended to associate it with an existing Check Point FireWall-1 service in the mapping table (refer to the documentation for more information).
4.7. Translation of Implicit Generated Objects
4.7.1. Anti-spoofing
To manage anti-spoofing, Security Change Manager must generate a group that will contain all network objects allowed to pass through that interface. All networks (that are allowed) already exist in Check Point FireWall-1 objects created by Security Change Manager. It is only necessary to define the group that will contain them. The generated name is NP_A_<PEP FW-1>_<interface name>_<4 digits>.
4.7.2. Expand Internet: Objects Generated
To implement the Expand Internet PEP option, objects that match all networks except the internal network are generated. To do that, a group of networks that matches "all networks possible - internal network" is created with the name NP_E__INTERNET. These generated objects will be prefixed with NP_E__INTERNET.
4.8. Translation of Permissions
Security Change Manager permission objects are translated into Check Point FireWall-1 security rules.
Note
Some Security Change Manager permissions could be merged into a single FireWall-1 security rule after the reduction compilation phase.
Table 4.6. Security Change Manager Permission Fields
Security Change Manager Permission fields | Check Point FireWall-1 rule fields
Options -> Allow/Deny | Allow -> accept
 | Deny + Generate ICMP Error Message option on PEP or on flow -> reject
 | Deny -> drop
Options -> Log | Track (See Table 4.4, “SCM Log Numbers” (page 18).)
4.9. Translation of Time Definition Rules
Security Change Manager Time Definitions are translated into a group of time definitions.
4.9.1. What cannot be translated
• Year: Year is ignored.
• Day of the week in a specific month (all Mondays of March for example). The month is ignored in this case.
4.10. Translation of NAT Rules
4.10.1. Example
Figure 4.1. An Example of a NAT Rule
The NAT rule on Check Point FireWall-1 indicates that the class P of network N1 will be translated into 124.2.*.
The rule between N1 and N2 must be enforced on:
• FW1: allow N1 -> N2 (because on Check Point FireWall-1 NAT is enforced after IP filtering).
• FW2 and CISCO: N1 can be viewed as {121.* except 121.2.* + 124.2.*}. Therefore, the allowed rule is N1' {121.1.* + 121.3.0.0/121.255.255.255 + 124.2.*} -> N2
4.10.2. Rules
• An object corresponding to this will be created on FW2 as NP_O_N1_VFP_FW2_<service name>_N2.
• In each rule enforced on a Check Point FireWall-1 PEP where a source or destination is used in a NAT rule, a new object must be created to represent the source or the destination from the point of view of that PEP.
• The name used to describe these new objects will be: NP_O_<object name>_VFP_<PEP name>_<service name>_<destination object> where "object name" can be any kind of Security Change Manager object (a network, a class, a nexus, a PEP or a management server).
Note
VFP is an abbreviation for "View from PEP".
• The object that will be generated will be a group that will contain networks even if the SCM object is a PEP or a management server.
• For each NAT Rule a destination object and a source object will be created.
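The address arithmetic behind the "View from PEP" objects of Section 4.10 and the "all networks possible - internal network" group of Section 4.7.2 is the same operation: subtract a prefix from a set of prefixes and add the translated prefix back. The Python below, an added example that is not LogLogic's code and not part of this manual, carries it through for the N1 / class P -> 124.2.* illustration above (sample addresses constructed as 121.0.0.0/8 and 121.2.0.0/16 -> 124.2.0.0/16) and for an Expand Internet group; the function names and the use of a list of CIDR blocks to represent a group are this example's own choices.

```python
"""Build the network views Security Change Manager generates for a
Check Point FireWall-1 PEP: the NP_O_..._VFP_... object of a NAT-translated
network as seen from another PEP, and the NP_E__INTERNET group of the
Expand Internet option ("all networks possible - internal network").

Added example, not LogLogic's code. Sample addresses are constructed after
the manual's N1 = 121.*, class P -> 124.2.* illustration; the helper and
function names are this example's own."""
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network


def subtract(blocks: List[Net], removed: Net) -> List[Net]:
    """Remove `removed` from a list of disjoint blocks, splitting as needed."""
    result: List[Net] = []
    for block in blocks:
        if removed.subnet_of(block):
            # address_exclude yields the CIDR blocks of block minus removed
            # (nothing at all when the two are equal).
            result.extend(block.address_exclude(removed))
        elif block.subnet_of(removed):
            continue  # block lies entirely inside the removed range
        else:
            result.append(block)  # disjoint: keep as is
    return result


def view_from_pep(network: str, nat_rules: Iterable[Tuple[str, str]]) -> List[Net]:
    """Addresses of `network` as another PEP sees them once the NAT gateway
    has applied `nat_rules` (original prefix -> translated prefix): the
    untranslated remainder plus every translated prefix."""
    remaining = [ipaddress.ip_network(network)]
    translated: List[Net] = []
    for original, new in nat_rules:
        remaining = subtract(remaining, ipaddress.ip_network(original))
        translated.append(ipaddress.ip_network(new))
    return sorted(remaining + translated)


def expand_internet(internal_networks: Iterable[str]) -> List[Net]:
    """Blocks matching 'all networks possible - internal network', i.e. the
    membership of the generated NP_E__INTERNET group."""
    blocks = [ipaddress.ip_network("0.0.0.0/0")]
    for internal in internal_networks:
        blocks = subtract(blocks, ipaddress.ip_network(internal))
    return sorted(blocks)


def vfp_object_name(obj: str, pep: str, service: str, destination: str) -> str:
    """Name of the generated 'View from PEP' object, per the manual's pattern."""
    return f"NP_O_{obj}_VFP_{pep}_{service}_{destination}"


def contains(blocks: Iterable[Net], address: str) -> bool:
    """True when `address` falls inside one of the blocks."""
    ip = ipaddress.ip_address(address)
    return any(ip in block for block in blocks)


if __name__ == "__main__":
    # N1 = 121.0.0.0/8 with its class P = 121.2.0.0/16 hidden behind 124.2.0.0/16
    n1_from_fw2 = view_from_pep("121.0.0.0/8", [("121.2.0.0/16", "124.2.0.0/16")])
    print(vfp_object_name("N1", "FW2", "http", "N2"), [str(b) for b in n1_from_fw2])
    print([str(b) for b in expand_internet(["10.0.0.0/8"])])
```

The view of N1 from FW2 ends up as eight untranslated CIDR blocks plus 124.2.0.0/16, and its address count still equals that of 121.0.0.0/8: nothing is lost, the translated class merely moves. The same check on the Expand Internet group (2^32 minus the internal addresses) is a cheap way to catch a mis-typed internal prefix before a group with a hole in it is uploaded.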
4.10.3. Security Change Manager NAT Rules Translated Fields
Table 4.7. Security Change Manager NAT Fields
Security Change Manager NAT fields | Check Point FireWall-1 rule fields
Static on Source or Destination | Static on Source or Destination
Pool on Source or Destination | Not supported
PAT | Hide (there is an error if the PAT range contains more than one address.)
Masquerading | Hide with the interface address
4.11. Translation of Limited Path Zones
When you have a permission between an object source and a destination class that contains two objects (A and B), and different limited path zones on the object source and on object A do not allow traffic between them, the permission will be enforced only from the source to B.
To reflect this in the Check Point FireWall-1 database, a Check Point FireWall-1 group named NP_O_<object name>_VFP_<PEP name> is generated, where the <object name> represents the PEP where this rule is enforced. In the previous example, the generated object will contain only object A.
4.12. Translation of Default Objects
4.12.1. All Networks
The class "all networks" is translated into a Check Point FireWall-1 group object that contains all networks defined in Security Change Manager except the networks that contain '*' as an IP address.
The name of the generated object is Zall_internal_domains.
4.12.2. All PEPs
The class "all PEPs" is translated into a Check Point FireWall-1 group object that contains all PEPs defined in Security Change Manager.
The name of the generated object is Zall_routers.
4.13. Translation of User Authentication
To define a user authentication permission, please refer to "Authenticate Users on a Permission" in the Security Change Manager User Guide or on-line help.
Security Change Manager supports the authentication implementation of Check Point FireWall-1 NG.
On both Check Point FireWall-1 and Security Change Manager there are actually 3 types of authentication:
• User Authentication
• Client Authentication
• Session Authentication
An authentication rule is defined by a source where the user group is appended to the network location of the user, a destination and one of the 3 authentication methods (User Authentication, Client Authentication, or Session Authentication).
In Security Change Manager Designer, define the authentication on the permission in the Permission Properties window by selecting Actions → Authentication → Application Point and adding the required PEPs.
Note
The user authentication method appears only for http, ftp, rlogin and telnet.
For each method, implicit permissions are created.
Authentication parameters on the management server and Check Point FireWall-1 can be defined on the corresponding Security Change Manager objects.
Chapter 5. How to Define and Deploy a Security Policy on Check Point FireWall-1
5.1. First Use of Check Point FireWall-1
5.1.1. SSL Certification and Encryption Procedure
5.1.2. Clear OPSEC Connection Type Procedure
5.2. Configure a Check Point GX Management Server
5.2.1. First step: Creating custom services and defining the policy
5.2.2. Second step: Defining precisely the custom services
5.3. Define and Deploy a Policy
5.3.1. Step 1: Defining the Secure Topology
5.3.2. Step 2: Security Policy Definition
5.3.3. Step 3: Audit
5.3.4. Step 4: Define Rules
5.3.5. Step 5: Compile the Security Policy
5.3.6. Step 6: Prepare Upload on Each Directly-Managed PEP and Each Management Server
Prerequisites
Procedure
5.3.7. Step 7: Deploy the Policy
5.4. Define and Manage an Existing Policy
5.4.1. Purpose
5.4.2. Prerequisites
5.4.3. Step 1: Perform a Check Point FireWall-1 Import
5.4.4. Step 2: Secure Topology Definition, if You Do Not Perform an Import
5.4.5. Other Steps
5.5. Create an Authentication Rule
This section lists the steps required to define a security policy in Security Change Manager Designer, and to deploy that policy on a Check Point FireWall-1 PEP.
5.1. First Use of Check Point FireWall-1
You will need to establish communication between Security Change Manager and Check Point FireWall-1 either via SSL Certification and Encryption (recommended) or in Clear (not recommended).
This can be set in the SCM Management Server Properties window by defining the OPSEC Connection Type option in Upload Configuration → Connection Options.
5.1.1. SSL Certification and Encryption Procedure
Procedure 5.1. Using SSL Certification and Encryption
1. Log onto the SmartCenter with the SmartDashboard.
2. Select the Servers and OPSEC Applications → OPSEC Applications node in the Objects Tree list, right-click it and select New → OPSEC Application to create a new OPSEC Application.
Figure 5.1. Creation of new OPSEC Application in SmartDashboard
3. In the OPSEC Application Properties window:
a. Give a name to the OPSEC Application and remember it.
b. Select a host using the Host pull-down menu.
c. Tick the CPMI checkbox in the Client Entities panel to enable the CPMI.
Note
Select no other options. For instance, no Server Entities and no other Client Entities than CPMI.
Figure 5.2. CPMI option enabled
d. Click the Communication button.
e. In the Communication dialog box, enter a password ("activation key" in this GUI) and remember it.
f. Click the Initialize button and click Close to close the Communication dialog box.
g. Click OK to close the OPSEC Application Properties window.
4. Save your settings by using File → Save and close the SmartDashboard.
5. Connect to the Security Change Manager Designer.
6. Create your map, open the Management Server Properties window and select the Upload Configuration → Connection Options view.
a. Set the OPSEC Connection Type option to SSL Certification and Encryption.
Figure 5.3. SSL Certification and Encryption Option
b. For the OPSEC Application name option, type in the same name as the one you set in the SmartDashboard.
c. Click OK to validate your settings and close the Management Server Properties window.
7. Right-click on the Management Server object and select Import → FW1-Import... from the contextual menu.
The Import in Progress window opens.
8. Several dialog boxes shall then prompt you for information:
a. When prompted for username/password, enter those you previously used to connect to the SmartCenter with the SmartDashboard, and click OK.
b. When prompted for a new certificate in the Getting Certificate dialog box, select Yes from the pull-down menu and click OK.
Figure 5.4. Getting Certificate Dialog Box
c. When prompted for the certificate's password, enter the one you provided during the OPSEC Application's creation and click OK.
The import will begin with the last opened policy.
Note
During the first preparation upload, Security Change Manager will request the password that you wrote down in step 3 to get the certificate for the Check Point FireWall-1 Management Server.
In the case where the certificate is changed on the Check Point FireWall-1 Management Server, Security Change Manager will detect this and request the new certificate.
If for some reason this method fails, you may receive an error beginning with "SIC error...": the certificate has already been given to Security Change Manager. You will need to reset the certificate by deleting the certificate in Security Change Manager and following the steps described above again.
To delete the certificate in Security Change Manager:
1. Go to the Manager8.2\data\authentication\certificate directory.
2. Delete the <Management Server name>_<OPSEC Application name>.p12 file and the corresponding .sicname file.
For more information on this topic, please see the LogLogic Knowledge Base available at: http://www.loglogic.com/services/support/index.php (for registered customers only).
5.1.2. Clear OPSEC Connection Type Procedure
Procedure 5.2. Using Clear
It is not recommended to use the Clear option since it is neither authenticated nor encrypted.
1. Create an OPSEC application on the Management Server through the Check Point FireWall-1 SmartDashboard with the CPMI option enabled (in the Client Entities panel of the OPSEC Application Properties window).
2. Create the associated certificates by clicking the Communicate button. Write down and remember the Application Distinguished Name.
3. Modify the SIC file (sic_policy.conf) to allow the communication between the Check Point FireWall-1 Management Server and Security Change Manager to accept clear. Please refer to the Check Point FireWall-1 OPSEC connection configuration guideline at: http://www.opsec.com/developer/gw_comm_mode.html
4. In Security Change Manager Designer, open the Management Server object Properties window and:
a. Select the Upload Configuration → Connection Options view.
b. Set the OPSEC Connection Type option to Clear.
c. For the OPSEC Application Distinguished Name option, type in the same name as the one you set in the SmartDashboard.
Figure 5.5. Clear Option
d. Click OK to validate your settings and close the Management Server Properties window.
5.2. Configure a Check Point GX Management Server
This section describes how to define a Check Point GX Management Server in Security Change Manager.
The main feature of GX for telcos is the protocol inspection of GTP tunnels. The way of configuring GTP traffic inspection recommended by Check Point is to create new services inheriting one of the 4 predefined GTP services and then fine-tune them with some specific settings (only gtp_v0_default and gtp_v1_default have meaningful options). These services are:
• gtp_mm_v0_default
• gtp_mm_v1_default
• gtp_v0_default
• gtp_v1_default
The feature is activated by creating permissions having:
• a GTP service as service,
• and either hosts as source or destination (hosts representing SGSN and GGSN in GTP terminology) or a handover group as source or destination.
Handover groups represent a new kind of object introduced in GX. They are groups of hosts with a special flag identifying them as handover groups. In Security Change Manager, they are represented as meta-classes on which the "Handover Group" optional flag is added.
5.2.1. First step: Creating custom services and defining the policy
1. You must first create custom services in the Security Change Manager Designer Service Editor using existing GTP services.
2. You can then define your security policy as usual using the newly created service.
Figure 5.7. Defining security policy using custom service
5.2.2. Second step: Defining precisely the custom services
The Management Server properties in SCM display a group of GTP Services options allowing you to add/create new Check Point-specific GTP-inspecting services.
After having selected an SCM service and Check Point-specific GTP inspection options, custom services will then be created when the upload is made on the Check Point management server. See the implementation example displayed in Figure 5.9, “GTP Service options” (page 34). Through this group of options you can:
• add a new custom GTP service,
• choose which existing service to customize,
• and select the appropriate options, that is to say the options which have been selected in the SmartDashboard.
1. Open the Management Server Properties window (by double-clicking the Management Server object).
2. In the General Options view, set the Is the management server a Check Point GX? option to Yes.
Figure 5.8. Activation of Check Point GX options in Management Server Properties
A GTP Services sub-node appears under the General Options node.
3. In the GTP Services view, click the AddGTPServiceTemplate icon.
A list of options appears allowing you to define a custom GTP Service. See Section 14.2.6, “GTP Services” (page 153) for further information about these options.
Figure 5.9. GTP Service options
5.3. Define and Deploy a Policy
This is the procedure to define and deploy a security policy.
5.3.1. Step 1: Defining the Secure Topology
Note
Some of the screens that follow may appear slightly different on your computer depending on the version of Check Point FireWall-1 devices you are using.
Recommendation: Create names that begin with a letter and have a length of less than 90 characters in order to locate them easily in the Check Point FireWall-1 Policy Editor.
Please refer to the Security Change Manager User Guide and perform the following tasks:
1. Create the "physical" level: Network, Nexus, PEPs etc.
2. Create the "Conceptual" Level.
a. Create the Management Server on the map. Select the icon in the toolbar or select Mode → Add Management Server.
After the object has been created, you must define its IP address and attach it to a network or a PEP.
b. Select the General Options → Local Security Policy view and define implicit rules. Implicit rules must be used with caution:
• They are not represented on the map.
• They are enforced only on PEPs managed by the Management Server, not on the PEP directly managed by Security Change Manager. So when a PEP controlled by SCM is between the source and the destination of an implicit rule, you must create the corresponding permission between that source and that destination.
• They are not considered in the Security Change Manager audit.
Figure 5.10. Implicit Rules: Local Security Policy
3. Select the General Options → Security Server view and define the Security Server options.
Figure 5.11. Security Server
4. Select the General Options → Authentication view to define authentication Properties on the Management Server. On NG, you can define 3 screens of authentication properties:
• Failed Authentication Attempts
• Users with Certificates
• Early Versions Compatibility
Figure 5.12. Authentication: Failed Authentication Attempts
Figure 5.13. Authentication: Users with certificates
Figure 5.14. Authentication: Early Versions Compatibility
User Authentication Session Time Out: If this number of minutes elapses between a Security Change Manager request and the management server's response, the session is dropped. (default: 1 minute)
5. Select the Upload Configuration → Connection Options view and define the upload parameters.
Figure 5.15. Upload Configuration: Connection Options
6. Select the Managed PEPs view and add all FireWall-1s or Nokia PEPs that shall be managed by the Management Server (this association can also be done in the Properties window of each PEP).
Figure 5.16. Add Managed PEPs
7. Create the appropriate Class you need. See "Representing a Set of IP Addresses via a Class" in the Security Change Manager User Guide.
5.3.2. Step 2: Security Policy Definition
Please see the Security Change Manager User Guide to perform the following actions.
1. Create the time definitions needed.
2. Create the NAT rules needed, then attach them to each PEP.
3. Create all limited path zones needed and attach them to each object.
4. Create all the new services needed.
5. Create the security policy: Draw all security permissions between the objects with their properties.
Note
An implicit permission between the Management Server and the managed PEP is automatically added for the FW-1 service.
5.3.3. Step 3: Audit
Use Audit (Action → Policy Audit view) to analyze security permissions object by object.
5.3.4. Step 4: Define Rules
Define a rule on the Management Server that allows the CPMI and ica_pull_cert services. Then, install it on the managed PEP.
5.3.5. Step 5: Compile the Security Policy
1. Make a compilation of the policies. Select Action → Generate Global Policy from the menu bar. The Expecting Compilation message box appears.
2. The Compilation Result dialog box appears. It will state whether the compilation has been successful or not. Read the Errors and Messages.
5.3.6. Step 6: Prepare Upload on Each Directly-Managed PEP and Each Management Server
Warning
If the FW-1 management server manages PEPs that are on the path between Security Change Manager and the Management Server or are on the Management Server itself, we recommend that a policy is installed on these PEPs before upload. If not, the communication between the Management Server and Security Change Manager will be interrupted.
Warning
If Security Change Manager contains an address defined as '*', the upload may fail. Avoid using '*' as the address.
Prerequisites
• The filters for the current workspace map have been successfully compiled.
Procedure
1. Prepare upload.
The purpose of the upload preparation is to generate a Check Point FireWall-1 security policy that comes from:
• SCM Server object definition
• Check Point FireWall-1 object definition that contains concepts not supported by Security Change Manager.
2. Select Action → Upload Preparation for selection from the menu bar.
The Upload Preparation in Progress window opens and the upload preparation starts automatically.
Once the preparation is terminated, a message appears displaying whether it has been successful.
3. Click the Close button to close the Upload Preparation in Progress window.
The Upload Preview window opens displaying the .confpatch file that will be applied when uploading the configuration.
5.3.7. Step 7: Deploy the Policy
1. Select Action → Device Manager from the menu bar.
The Device Manager window appears.
2. In the Deployment tab, select the PEPs that should be uploaded in the top panel.
3. Click the Upload icon.
An Upload Message dialog box opens, asking if you wish to continue.
4. Click Continue to proceed with the upload process.
When the upload has completed successfully, the Upload in Progress window displays a message saying "Upload terminated (successful)".
5.4. Define and Manage an Existing Policy
This section discusses tasks for managing a security policy that is already in production on a Check Point FireWall-1 PEP, and which you want to manage with Security Change Manager.
5.4.1. Purpose
This section describes a situation where you have just bought Security Change Manager and want to configure your security policy with Security Change Manager. In this case, you will want to:
• Read your security policy.
• Adapt it in Security Change Manager to define a global security policy.
• Check that the security policy is what you want to do.
• Then, implement that policy.
The following steps are explained in detail in the Security Change Manager User Guide and in the previous sections of this chapter.
5.4.2. Prerequisites
The first upload of the SCM-generated security policy on the Check Point FireWall-1 Management Server will change the existing security policy files. It is therefore recommended to back up the directory containing the security policy definition ($FW1\conf) before installing the new one.
1. Duplicate this directory under the name BeforeInstallation (for example).
2. Define a rule on the management server that allows the services CPMI and ica_pull_cert and install it on the managed PEP.
source = Security Change Manager Designer
destination = Check Point FireWall-1 Management Server
Table 5.1. Define a rule on the Management Server
No. | Source | Destination | Service | Action | Track | Install on | Comments
1 | LogLogic | Management Server | CPMI, ica_pull_cert | accept | | Gateways |
5.4.3. Step 1: Perform a Check Point FireWall-1 Import
Warning
Do not perform an import on an untitled map. Always name the .npl file first.
5.4.4. Step 2: Secure Topology Definition, if You Do Not Perform an Import
1. Create objects on the map.
Edit the current policy on each management server.
For each object involved in a rule, you will create an object (if it does not exist) in Security Change Manager:
Objects involved in Source, Destination:
• Case of a Group: Create a SCM network or a SCM Class with all objects inside.
• Case of a network or range: Create a SCM network.
• Case of a Check Point Gateway or Check Point Host: If it is a Check Point Gateway or Check Point Host, create a SCM Check Point FireWall-1 PEP. If not, create a Nexus. Note that anti-spoofing will be generated automatically by Security Change Manager.
• Case of an embedded device or OSE device: Create a SCM PEP for the corresponding type. In the case where the type does not exist in SCM, create an "Unknown" PEP (its Managed option must be set to Yes).
• Case of Check Point Gateway Cluster: Create a Check Point FireWall-1 Cluster.
• Case of a domain: Create the corresponding network in SCM. The concept of domain is not supported in SCM.
• Case of other network object: Create a class with the IP addresses or objects contained in this object.
Objects involved in Time:
• Case of a time definition: Create a time definition in Security Change Manager
Objects involved in Service:
• Case of a service: If that service does not exist in Security Change Manager, create it.
2. Create connections between objects.
After all objects have been created, connect them:
• Connect the network with PEPs or nexus.
• Connect the class with the network.
3. Create the NAT rules and associate them to each FW-1 PEP involved.
Create the security policy.
For each rule in the management server, create a permission in Security Change Manager Designer with the right properties:
• Log
• Time definition
• Deny or allow
• Generate ICMP Error Message: flag in the case of a deny rule
Note
For all the rules that couldn't be created because they are not supported by Security Change Manager, see Chapter 7, How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager (page 63).
5.4.5. Other Steps
1. Audit.
2. Compile the Security Policy.
3. Prepare Upload on Each directly-managed PEP and Each Management Server.
4. Deploy the Security Policy.
5.5. Create an Authentication Rule
When making a user authentication on a Check Point FireWall-1 through Security Change Manager, the user will have to perform the following procedure:
Procedure 5.3. Creating an Authentication Rule
1. Define a User Group and reference the Management Server as the "authentication server".
2. If an authentication server needs to be created on the Check Point FireWall-1 Management Server, create a Nexus or a PEP that contains the IP address of the RADIUS server. This object will be used on the Check Point FireWall-1 Management Server to be referenced by the Check Point FireWall-1 radius server object.
3. Create a permission to authenticate.
4. Edit the permission properties and reference the FW-1 PEP(s) on which the authentication must be applied.
5. Fill the authentication parameters associated with this PEP as it is made on the Check Point FireWall-1 Management Server.
6. Compile.
7. Upload the policy.
8. On the Check Point FireWall-1 Management Server, check if a warning appears during the upload. This would mean that a User Group is empty.
9. Define the External User Profiles, LDAP Groups and/or the Users that will be referenced by the User Group created by Security Change Manager.
10. Define the related authentication servers needed (RADIUS, TACACS...) and reference a Security Change Manager object as host of these servers.
11. Save and install the policy.
This task has to be done only to get the user group definition and the authentication server associated. The next upload will not need these tasks except if a new user group has to be managed.
Chapter 6. How to Perform an Import from Check Point FireWall-1
6.1. What will be Imported/ not Imported
6.2. Performing a Standard Import from Check Point FireWall-1
6.2.1. Step 1: Create and Configure a Management Server
6.2.2. Step 2: Perform the Import
6.2.3. Step 3: Add the Missing Topology
6.2.4. Step 4: Connect and Group Attached Objects
6.2.5. Step 5: Various Checks to Perform
6.3. Performing a Local Import of Check Point FireWall-1 Policy
6.4. Cleaning the Database Before Upload
An import can be performed on either an empty security policy or an already-existing security policy. This chapter explains the entire concept beginning with an empty security policy. An import can be done using one or multiple Management Servers. We have used only one Management Server in this example for ease of understanding.
If you use an already-existing security policy, the attachment of classes and connections is done automatically.
Warning
Security Change Manager cannot manage all the concepts supported in Check Point Fire-Wall-1. Therefore, when importing a Check Point FireWall-1 security policy, some objectsand rules will not be imported. All objects that are not supported will be kept in the ob-jects.C file and all rules not supported will be kept in a specific policy file in therulebases.fws file.
When generating a policy:
• The objects that have the same name are updated by Security Change Manager and the others do not change.
• The "include" rules are added before and after the generated security policy.
If you change an object name in Security Change Manager, the objects.C file will contain two objects when a new policy is generated:
• The old one (it is not removed because it may be referred to by objects in the security policy).
• The new one.
If this happens, you must replace the old object with the new one to maintain the synchronization between the Security Change Manager definition and the Check Point FireWall-1 definition.
6.1. What will be Imported/ not Imported
The objects and rules that will or will not be imported from Check Point FireWall-1 are listed below:
Table 6.1. What will be imported/ not imported from Check Point FireWall-1 NG and NG AI

Networks Objects
  Detail: Check Point FireWall-1 Gateway, Check Point FireWall-1 Host, Check Point FireWall-1 Gateway cluster, Check Point FireWall-1 Embedded Device, Check Point FireWall-1 Externally Managed Gateway, Gateway Node, Host Node, Interoperable Device, Network, Domain, OSE Devices, Group, Logical server, Address range, Dynamic Object, VoIP domains, VPN-1 Edge/Embedded Gateway, VPN-1 Edge/Embedded Profile
  Imported: Partially
  Comment: N/A

Services objects
  Detail: TCP, Compound TCP, UDP, RPC, ICMP, Other, Group, DCE-RPC
  Imported: Partially
  Comment: Note that some flows will need a specific declaration in the mapping table if they couldn't be imported. Negate service will not be supported. Services of type 'Other' will not be imported if they reference an Inspection macro.

Resources
  Detail: URI, URI for QoS, SMTP, FTP, TCP
  Imported: No

OPSEC Applications
  Detail: OPSEC Application, CVP Group, UFP Group, CPMI Group
  Imported: No

Server
  Detail: RADIUS, RADIUS Group, TACACS, DEFENDER, LDAP Account Unit, Certificate Authority, SecuRemote DNS
  Imported: No
  Comment: This implies that all implicit flows between these servers and Check Point FireWall-1 hosts will not be imported.

Users objects
  Detail: Administrator, External group, Group, User, LDAP Account Unit
  Imported: Partially

Time objects
  Detail: Time definition, Time group, Scheduled Event
  Imported: Partially

Virtual Links
  Detail: Virtual Links
  Imported: No

VPN Communities
  Detail: Intranet Meshed, Intranet Star, Extranet, Partner
  Imported: No

Check Point FireWall-1 Implied Rules
  Detail: All those defined in the General Options → Local Security Policy view.
  Imported: Yes

Security Rules
  Detail: Allow, Drop, Reject, User Auth, Client Auth, Session Auth
  Imported: Yes
  Comment: All security rules associating "allow" permissions with negate objects (on source and/or destination) will be imported as two distinct rules, i.e. the first rule will be a "deny" permission and the second rule an "allow" permission. For example, if an "allow" permission is set between A and B, where B is a negate object, the generated rules will be:
    • deny A -> B
    • allow A -> any
  A security rule, e.g. (src_1,...,src_X); (srv_1,...,srv_Y); (dst_1,...,dst_Z), is imported as only one optimized rule with:
    • One metaclass for SRC
    • One metaclass for DST
    • One service group for SRV
  The naming convention for the metaclasses and the service group is the following: SRC_n, SRV_n, DST_n, where n is the security rule ID number.
  The IF VIA property is ignored.

Address Translation Rules
  Detail: Static, Hide
  Imported: Yes

Desktop Security Rules
  Detail: Inbound Rules, Outbound Rules
  Imported: No

Web Access
  Detail: Web Sites, Security Requirements, Authorization Requirements, Application Settings
  Imported: No

Floodgate Rules
  Imported: No
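The following is an added illustration (not LogLogic's or Check Point's code) of the Security Rules conventions in Table 6.1: one rule becomes one optimized permission over SRC_n/DST_n/SRV_n groups, and an "allow" rule with a negated source or destination is split into a deny followed by an allow. The rule layout, the `Permission` type and the handling of negated services and both-sided negation are assumptions of this example, not product behaviour.

```python
# Added illustration, not LogLogic's or Check Point's code: re-expresses one
# Check Point FireWall-1 security rule the way Table 6.1 says the import does.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class CheckPointRule:
    """Simplified view of one security rule (only fields relevant to the import)."""
    rule_id: int
    sources: List[str]
    destinations: List[str]
    services: List[str]
    action: str                  # "allow" or "deny" (Drop/Reject both map to deny)
    negate_src: bool = False     # negate cell on the source column
    negate_dst: bool = False     # negate cell on the destination column
    negate_srv: bool = False     # negated service: not supported by the import


@dataclass(frozen=True)
class Group:
    """A metaclass (SRC_n, DST_n) or service group (SRV_n) created on import."""
    name: str
    members: Tuple[str, ...]


@dataclass(frozen=True)
class Permission:
    """One optimized Security Change Manager permission (hypothetical type)."""
    action: str
    src: str
    dst: str
    srv: str

    def __str__(self):
        return f"{self.action} {self.src} -> {self.dst} [{self.srv}]"


def import_rule(rule: CheckPointRule):
    """Return (groups, permissions) for one Check Point rule.

    Rules the import cannot represent raise ValueError; in the product they
    would stay in rulebases.fws and be carried by the include policy.
    """
    if rule.negate_srv:
        raise ValueError(f"rule {rule.rule_id}: negated services are not supported")
    if rule.negate_src and rule.negate_dst:
        # Assumption of this example: the manual describes negation on one
        # column at a time, so both-sided negation is left to the include policy.
        raise ValueError(f"rule {rule.rule_id}: negation on both columns not handled")
    if rule.action not in ("allow", "deny"):
        raise ValueError(f"rule {rule.rule_id}: unknown action {rule.action!r}")
    if rule.action == "deny" and (rule.negate_src or rule.negate_dst):
        # Assumption: the manual only specifies the split for "allow" rules.
        raise ValueError(f"rule {rule.rule_id}: negated deny rule not handled")

    # One metaclass per column and one service group, all named after the rule ID.
    n = rule.rule_id
    src = Group(f"SRC_{n}", tuple(rule.sources))
    dst = Group(f"DST_{n}", tuple(rule.destinations))
    srv = Group(f"SRV_{n}", tuple(rule.services))
    groups = [src, dst, srv]

    if rule.action == "allow" and (rule.negate_src or rule.negate_dst):
        # allow A -> not(B) is split into: deny A -> B, then allow A -> any.
        first = Permission("deny", src.name, dst.name, srv.name)
        second = Permission(
            "allow",
            "any" if rule.negate_src else src.name,
            "any" if rule.negate_dst else dst.name,
            srv.name,
        )
        return groups, [first, second]

    return groups, [Permission(rule.action, src.name, dst.name, srv.name)]


if __name__ == "__main__":
    # Constructed sample: rule 12 allows A -> B where B is a negate object.
    sample = CheckPointRule(12, ["A"], ["B"], ["http", "https"], "allow", negate_dst=True)
    groups, perms = import_rule(sample)
    for g in groups:
        print(f"{g.name} = {{{', '.join(g.members)}}}")
    for p in perms:
        print(p)
```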
6.2. Performing a Standard Import from Check Point FireWall-1
This section describes a situation where you want to configure a Check Point FireWall-1 without taking into account the existing security policy on it because:
• You have just installed Check Point FireWall-1 and want to configure it with Security Change Manager.
• You want to configure Check Point FireWall-1 again so as to build all your security policies with Security Change Manager and optimize them.
In this case, consider that there is no security policy on the Check Point FireWall-1 to take into account.
If Security Change Manager is installed on the same workstation as the Check Point FireWall-1 Management Server, the Localhost Upload Method requires no prerequisites.
Warning
In order to keep track of your firewalls and see their names clearly in both the Security Change Manager and Check Point FireWall-1 displays, choose a short name (less than 10 characters) in Security Change Manager, because a longer name will not be completely displayed in the Check Point FireWall-1 Policy Editor.
6.2.1. Step 1: Create and Configure a Management Server
To be able to make an import, you must give Security Change Manager all the information necessary for the connection (IP address, login, password) for retrieving Check Point FireWall-1 information (installation path, etc.).
To do so, you need to create a Management Server that contains at least the following information:
• Version number in the Identification view.
• Upload IP address in the Upload Configuration → Upload Addresses view.
• Login/Password (optional) in the Upload Configuration → Authentication view.
• OPSEC Application Name or OPSEC Application Distinguished Name, depending on whether you selected SSL Certificate & Encryption or Clear for the OPSEC Connection Type option in the Upload Configuration → Connection Options view.
Security Change Manager will import only objects involved in a rule, a NAT rule or an implicit NAT rule. Objects that cannot be imported remain in the objects.C file. Rules that Security Change Manager cannot manage stay in rulebases.fws and are referred to by the include policy in Security Change Manager.
Warning
Do not perform an import on an untitled map. Always name the project first in the Project Manager window.
1. Create a Management Server by selecting the Add Management Server icon in the toolbar and clicking once on the map.
2. Open the Management Server Properties window, click the Identification view and select a Management Server Version from the pull-down menu.
Figure 6.1. Management Server Properties: Identification
3. In the Addresses view, click the Add button to add the IP address(es) of the Management Server.
4. In the Upload Configuration → Connection Options view, set the Upload Method option to OPSEC and the OPSEC Connection Type option to SSL Certificate & Encryption.
Figure 6.2. Management Server Properties: Upload Configuration: Connection Options
Type in the OPSEC Application Name.
Note
The OPSEC Application Name must have been created and saved, but never used, on the SmartDashboard before being connected from Security Change Manager.
5. Select the Upload Configuration → Authentication view and specify a Login/ Password for authentication.
Figure 6.3. Management Server Properties: Upload Configuration: Authentication (NG)
6. Select the Upload Configuration → Firewall-1 Options view and specify the Check Point FireWall-1 options.
7. Select the Upload Configuration → Upload Addresses view and specify the upload addresses, i.e. the address(es) used by Security Change Manager to connect to Check Point FireWall-1.
Figure 6.4. Management Server Properties: Upload Address
6.2.2. Step 2: Perform the Import
Now, you are ready to perform the actual import.
1. Make sure you have already saved the project.
2. Select the Management Server on which you want to import. Then, select Tools → Import → FW-1 Import... or right-click on the Management Server and select Import → FW1-import from the contextual menu.
A Checkpoint Import dialog box opens with the Import in Progress window in the background.
3. The Checkpoint Import dialog box displays the name of the ACL that will be imported. This is the one used by default on the Management Server. Click the Yes button.
4. Choose the elements to be imported from the pull-down menu:
• All Objects: To import all the objects excluding rules.
• Used Objects: To import only the objects used in rules, excluding the rules themselves.
• Rules & All Objects: To import all the objects and rules.
• Rules & Used Objects: To import only the objects used in rules and the rules themselves.
Figure 6.5. CheckPoint Import Dialog Box: Choose Elements to be Imported
Click OK.
The Import process is launched and, once completed, an Import Report is generated in the Import Report window. Read this import report carefully to see what the import accomplished.
Figure 6.6. CheckPoint Import Report
5. Check the report and click the Close button.
Once the Import process is finished, the bottom panel of the Import in Progress window displays Configuration Import Terminated.
6.2.3. Step 3: Add the Missing Topology
Add the missing topology, particularly networks and connections; add/change icons and addresses to agree with your configuration.
To handle objects and rules that it does not manage, Security Change Manager creates a new rulebases.fws and a new Objects.C file. These files contain the definition of all objects and rules that were not imported and are located in the following directory: work/pre-upload/<npl file name>/<mgtServer name>. This directory is already used to store the files objects_5_0.C and rulebases.fws.
You can transform one object into another, for instance a class into a network.
1. Select the object.
2. Perform a right-click and select Transform Into in the pop-up menu.
3. Select one option. The object will change.
You can also merge networks via Action → Merge Selected Networks.
6.2.4. Step 4: Connect and Group Attached Objects
1. Use the contextual menu on the map or on the selected objects to connect the following objects:
• PEPs to Networks
• Nexus to Networks
• Additionally, on an NG cluster, you should synchronize the networks (refer to the Security Change Manager User Guide for further information).
Note
If there is a network Internet '*', all classes not connected to a network become attached to this network, so you must check which class may be attached to the Internet network. A warning message appears at the end of the automatic attachment of classes to a network to indicate that a class has been attached to the Internet network. You must check that this is really the action you wanted.
2. Right-click on a PEP or a network and select the Connect to ... → Objects functionality in the contextual menu to group all attached objects around a network or a PEP inside the same network.
6.2.5. Step 5: Various Checks to Perform
1. If the security policy contains a Cluster, open its Properties window and reference the synchronization network.
Figure 6.7. Synchronization Network on Cluster
2. Check the Deny Permissions that have been imported.
Optimization of rules will automatically be done by Security Change Manager. You must put a priority > 5000 on deny permissions used for logging purposes to be sure that they are placed at the end of the generated rules.
3. Also check the meaning of "Any" and the permissions attached to it, where it has been imported.
4. Select Action → Policy Audit → Through to launch a "Policy Audit Through" operation on the Check Point FireWall-1 PEP and select which interface you want to audit.
Figure 6.8. Policy Audit Through Report interface selection
Check the information displayed in the Audit Results window.
5. Check whether Security Change Manager imported OSE Devices from the Check Point FireWall-1 Management Server as PEP devices (3Com, Nortel or Cisco). If they have been imported, remove them from the Check Point FireWall-1 Management Server to avoid conflicts of this type when uploading.
6.3. Performing a Local Import of Check Point FireWall-1 Policy
It is possible to import a Check Point FireWall-1 policy without a CPMI connection (local import method). This feature allows you to select which policy needs to be imported and define precisely what needs to be imported from this policy.
To perform a FW1 local import, follow the procedure below:
1. Copy the FW1 objects_5_0.c and rulebase_5_0.fws files to your local file system.
2. In the Security Change Manager Designer, select the Management Server object from which you want to make the import and open its Properties window.
3. In the Upload Configuration → Connection Options view, set the Upload Method property to None.
4. Select the Management Server on which you want to import. Then, select Tools → Import → FW-1 Import... or right-click on the Management Server and select Import → FW1-import from the contextual menu.
A Checkpoint Import dialog box opens with the Import in Progress window in the background.
5. Type in the location of the objects_5_0.C file (i.e. path including the file name) and click OK.
Figure 6.9. CheckPoint Import Dialog Box: Import of objects_5_0.C file
6. Type in the location of the rulebase.fws file (i.e. path including the file name) and click OK.
Figure 6.10. CheckPoint Import Dialog Box: Import of rulebase.fws file
7. Choose the elements to be imported from the pull-down menu:
• All Objects: To import all the objects excluding rules.
• Used Objects: To import only the objects used in rules, excluding the rules themselves.
• Rules & All Objects: To import all the objects and rules.
• Rules & Used Objects: To import only the objects used in rules and the rules themselves.
Figure 6.11. CheckPoint Import Dialog Box: Choose Elements to be Imported
Click OK.
Note
Whatever option is selected, only the objects supported by Security Change Manager will be imported.
8. Choose the policy to be imported from the pull-down menu. The ACL names are those that have been defined on the Management Server (e.g. Standard or Custom Policy in the figure below). Click the corresponding button.
Figure 6.12. CheckPoint Import Dialog Box: Choose Policy to be Imported
The Import process is launched and, once completed, an Import Report is generated in the Import Report window. Read this import report carefully to see what the import accomplished.
Figure 6.13. CheckPoint Import Report
9. Check the report and click the Close button.
Once the Import process is finished, the bottom panel of the Import in Progress window displays Configuration Import Terminated.
Figure 6.14. CheckPoint Import Terminated
6.4. Cleaning the Database Before Upload
If the database is corrupted for any reason, you might need to clean it to get back to a reliable Security Change Manager security policy. To do so:
1. Open the Management Server Properties window and select the Upload Configuration → FireWall-1 Options view.
2. Set the Clean Database Before Next Upload option to Yes.
Figure 6.15. Options: Clean Database Before Upload
Note
The database will be cleaned at the beginning of the next upload and the option will then be set back to No (the default). Therefore, you have to reset it to Yes each time you want to clean it.
The generated rules will not be the same as those imported because:
• Anti-spoofing has been lost and is automatically found by Security Change Manager.
• Enforcement points have been lost and are automatically found by Security Change Manager.
• Rule order has been lost.
• The include policy (set of rules that have not been imported) is positioned at the head of all other rules.
Chapter 7. How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager
7.1. First-Time: Define Non-supported Concepts on the Management Server ... 63
  7.1.1. Step 1: Upload Security Change Manager Security Policy on the Management Server ... 63
  7.1.2. Step 2: Add Specific Properties ... 64
  7.1.3. Step 3: Add Other Objects not Supported by Security Change Manager ... 64
  7.1.4. Step 4: Define the Include Rules/ Create a New Policy on the Real Management Server ... 64
  7.1.5. Step 5: Modify the Management Server Options ... 64
  7.1.6. Step 6: Upload ... 65
7.2. How to Manage User Groups ... 65
This chapter describes how you should configure your Check Point FireWall-1 device to account for concepts that Security Change Manager does not manage.
Warning
This chapter gives a manual solution for managing Check Point FireWall-1 concepts not supported by Security Change Manager. The directions in this chapter can be used on a Security Policy that has already been built with Security Change Manager. It is recommended that the first time you want to incorporate Check Point FireWall-1 concepts, you use the Import Function. See Chapter 6, How to Perform an Import from Check Point FireWall-1 (page 45). Thereafter, use the directions in this chapter to modify your already-existing Security Policy.
7.1. First-Time: Define Non-supported Concepts on the Management Server
The Check Point FireWall-1 objects that are not supported in Security Change Manager are:
• domain
• user
• servers
• key
• resources
The Patch Process and Security Include allow you to manage these concepts on the Check Point FireWall-1 Management Server.
7.1.1. Step 1: Upload Security Change Manager Security Policy on the Management Server
Upload the Security Change Manager Security Policy on the Management Server in order to have the translated objects on the Check Point FireWall-1 Management Server.
7.1.2. Step 2: Add Specific Properties
Edit each Check Point Gateway or Check Point Host and add the specific parameters that will not be managed by Security Change Manager on the Check Point FireWall-1 Management Server:
• Certificates' list
• SNMP parameters
• Account unit parameters
7.1.3. Step 3: Add Other Objects not Supported by Security Change Manager
Add other objects not supported by Security Change Manager:
• Users
• Servers
• Resources
• Keys for IPsec
7.1.4. Step 4: Define the Include Rules/ Create a New Policy on the Real Management Server
1. On the real Management Server, through the Policy Editor, create a new policy for the First and/or Last include security policy that will manage all the concepts that can't be managed through Security Change Manager.
2. Save the policy with a new name (for instance "My Policy").
Warning
The security policy name is case-sensitive.
This policy is the one you will include in the Include Rules window, shown in Section 7.1.4, "Step 4: Define the Include Rules/ Create a New Policy on the Real Management Server" (page 64), either as the First include Policy or the Last include Policy.
You must take into account the implications of these includes on the global security policy:
• A rule in the include will not be considered in the Security Change Manager audit: therefore, you are not able to check the global validity of your model with the audit.
• A rule in the include will not be enforced on PEPs other than those managed by the Management Server. If there is equipment managed by Security Change Manager between the source and the destination of the rule, the permission may be filtered. To avoid this situation, you must define a rule that allows the permission on PEPs directly controlled by Security Change Manager.
• NAT rules that may have an impact on equipment directly managed by Security Change Manager are prohibited.
7.1.5. Step 5: Modify the Management Server Options
1. In Security Change Manager Designer, open the Management Server Properties window.
2. Select the General Options → Include Policy view and type in the names of the include policy.
Warning
The include policy names must correspond to an existing security policy name on the Management Server and must be different from the Security Change Manager generated policy name. Please refer to the Security Change Manager Reference Guide.
7.1.6. Step 6: Upload
1. Select the Upload Configuration → FireWall-1 Options view, set the FireWall-1 Upload Policy to Copy Only and click OK.
Figure 7.1. Upload Configuration Set to Copy Only
2. Right-click the Management Server icon and, from the contextual menu, select the Device Manager menu item.
3. In the Deployment tab of the Device Manager window, check that the Management Server is selected and click the Upload icon to start the upload.
After this step, the final security policy (objects and rules) will be generated and copied onto the Management Server. You can then upload it on the managed PEPs via the SmartDashboard using the Policy → Install menu.
Note
If you want to use the previous security policy, you can manually copy the back-up files. Please see (page 41).
7.2. How to Manage User Groups
User Groups are used through User Authentication and the remote VPN feature in Security Change Manager. Only the name of the group is known in Security Change Manager; all other properties must be defined on the Management Server.
During the import, User Groups are imported into Security Change Manager.
During an upload, an empty User Group is created when no User Group or LDAP group with the same name exists.
The content of a User Group, that is to say the users referenced by this group, must be defined through the SmartDashBoard.
Server objects, and specifically authentication servers (RADIUS, TACACS) and LDAP servers, must be defined via the SmartDashBoard.
But before creating a server object, it is recommended that you create a Nexus in Security Change Manager Designer that represents the location of the server object, so that permissions from or to it, and IP modifications, can also be managed through Security Change Manager.
This nexus will be translated into a node that you will reference on the SmartDashBoard as the host on which the server is defined.
On Security Change Manager Designer:
1. Create the nexus that has the IP address of the server (RADIUS, TACACS or LDAP servers).
2. Add the necessary permissions between the Check Point FireWall-1 PEP and the nexus.
3. Select the Copy Only option (see Figure 7.1, "Upload Configuration Set to Copy Only" (page 65)) and upload the configuration.
4. On the Check Point FireWall-1 SmartDashBoard, edit the policy on the Management Server and add a server that references the Check Point FireWall-1 interoperable device that represents the nexus.
Chapter 8. Client-to-Gateway VPN on Check Point FireWall-1 NG
8.1. Procedure ... 67
  8.1.1. On the Check Point FireWall-1 ... 67
  8.1.2. On the Management Server ... 68
  8.1.3. PEPs Supporting Remote Access ... 68
  8.1.4. Specific Parameters ... 68
    On the device VPN node ... 68
  8.1.5. Implicit Permissions ... 69
8.2. VPN Limitations ... 70
  8.2.1. Global Limitations ... 70
    VPN-1 Net ... 70
    DES-40 and CAST-40 ... 70
    Multiple Entry Point VPNs (MEP) ... 70
  8.2.2. Remote Access Limitations ... 70
    User Groups ... 70
    Office Mode is disabled on the gateway ... 70
    IP pool is defined through a DHCP server ... 70
    Hybrid Mode ... 70
    Enable VPN routing ... 70
    Desktop security policy ... 70
    Visitor Mode ... 70
    Transparent mode ... 70
    Clientless VPN ... 71
    IPsec/L2TP tunnels ... 71
    Number of tunnels ... 71
  8.2.3. First-time Upload of a VPN Policy ... 71
This chapter discusses how to use Security Change Manager to manage client-to-gateway VPNs for Check Point FireWall-1 PEPs.
8.1. Procedure
When setting up remote access on a Check Point FireWall-1 through Security Change Manager, the user will do the following tasks:
8.1.1. On the Check Point FireWall-1
1. Define a User Group and reference the Management Server as the "authentication server".
2. Create a Mapped User Group, add the User Group and locate it on a network or metaclass.
3. Create a tunnel between this Mapped User Group and the Check Point FireWall-1 gateway.
4. Edit the Check Point FireWall-1 PEP and define the IP Pool and other VPN parameters.
5. Associate the Mapped User Group, the gateway and all networks the User Group will reach to the same Trust Zone.
6. If NAT Traversal is enabled, add a permission for that service between the Mapped User Group and the Check Point FireWall-1 PEP.
7. Compile.
8. Perform Upload Preparation on the policy.
9. Upload the policy.
8.1.2. On the Management Server
If a warning appears during the upload stating that a User Group is empty, for each empty User Group:
1. Define the External User Profiles, LDAP Groups and/or Users that will be referenced by the User Group created by Security Change Manager.
2. Define the related authentication servers needed (RADIUS, TACACS...) and reference a Security Change Manager object as host of these servers.
3. Save and install the policy.
Note
This task only needs to be done once, to create the user group definition and the associated authentication server. Subsequent uploads will not need these steps unless a new user group has to be managed.
4. Set the certificates and/or pre-shared key on the users concerned, if this is not the case.
• The certificates and/or pre-shared key parameters must be set on users' and/or external users' profiles the first time they are to be used.
• Install the database on the Check Point FireWall-1 gateway that makes a remote VPN.
If a warning appears during the compilation stating that some IPsec parameters must be set on the user, set the IPsec proposals on the users of the concerned User Group(s). You can customize the following global parameters:
• Remote Access
• Remote Access -> VPN-Basic except:
  • Pre-shared secret
  • IP compression
8.1.3. PEPs Supporting Remote Access
Security Change Manager supports only Remote Access on a PEP that has the VPN-1 Pro feature enabled.
8.1.4. Specific Parameters
On the device VPN node
1. Add the node Remote Access VPN.
Table 8.1. VPN: Specific Parameters

Set Optional Office Mode Parameters
  Type: Boolean (Yes*/No)
  Comment: Help: allow the user to specify the DNS and WINS addresses by selecting the appropriate Network Objects. In addition, specify the backup DNS and WINS servers and supply the Domain name. All the following parameters in italics depend on this value.
Primary DNS
  Type: Switched IP address
First Backup DNS
  Type: Switched IP address
  Comment: Appears when the Primary DNS is set.
Second Backup DNS
  Type: Switched IP address
  Comment: Appears when the first backup DNS is set.
Primary WINS
  Type: Switched IP address
First Backup WINS
  Type: Switched IP address
Second Backup WINS
  Type: Switched IP address
  Comment: Appears when the first backup WINS is set.
Domain Name
  Type: String
User Group Global Pool Lease Duration (in minutes)
  Type: Integer (min: 2, max: 32767)
Support NAT-Traversal
  Type: (Yes/No*)
NAT-Traversal Service
  Type: VPN1_IPsec_encapsulation; all services listed
  Comment: Appears if Yes is selected for Support NAT-Traversal.
Tunnel Only
  Type: Trust Zone; Everything
Hub Mode Configuration
  Comment: When enabled, the Gateway agrees to act as a VPN router for the client.
2. Other parameters will be set by Security Change Manager:
• Allow office mode for all users.
• Office Mode Method - Manual (using IP pool): always set.
• Allocate IP from network: (defined by the pool on the PEP).
8.1.5. Implicit Permissions
The IKE and ESP implicit permissions are created.
8.2. VPN Limitations
VPN limitations and their workarounds (if they exist) are listed below:
8.2.1. Global Limitations
VPN-1 Net
The VPN-1 Net module is not supported in Security Change Manager.
DES-40 and CAST-40
Security Change Manager does not manage the DES-40 and CAST-40 encryption algorithms.
Multiple Entry Point VPNs (MEP)
Multiple Entry Point VPNs (MEP) are not supported.
8.2.2. Remote Access Limitations
User Groups
Security Change Manager defines only the names of user groups on the Check Point FireWall-1, but does not define the content of the groups.
See Section 7.2, “How to Manage User Groups” (page 65) for further information.
Office Mode is disabled on the gateway
The case where the remote user keeps its IP address (Office Mode is disabled on the gateway) is notmanaged.
IP pool is defined through a DHCP server
The case where the IP pool is defined through a DHCP server is not managed.
Hybrid Mode
Security Change Manager does not manage hybrid mode.
You can enable hybrid mode through the option on the Smart Dashboard, in Global Properties → Remote Access → VPN Basic.
Enable VPN routing
Enable VPN routing will not work since Security Change Manager does not distinguish between the hub-and-spoke and star models.
Desktop security policy
Desktop security policy is not generated by the Security Change Manager implementation.
Visitor Mode
Security Change Manager does not support visitor mode.
Transparent mode
Security Change Manager does not support transparent mode since this mode is not possible with Office Mode.
Clientless VPN
We do not support Clientless VPN.
IPsec/L2TP tunnels
Security Change Manager does not support IPsec/L2TP tunnels.
Number of tunnels
Only one tunnel can be created to a Check Point FireWall-1 PEP.
8.2.3. First-time Upload of a VPN Policy
The first time you upload a VPN policy, the installation of the policy on the Check Point FireWall-1 devices may fail with the following message: Can't install policy. Reason: The SR Community member <Check Point Gateway name> must have a signed certificate..: Failed - Unspecified error.
In this case, you must open the policy with the SmartDashBoard, open the property box of the <Check Point Gateway name> and validate it (click the OK button). This creates the internal certificate needed. Then you can install the policy with Security Change Manager.
Chapter 9. Gateway-to-Gateway VPN on Check Point FireWall-1 NG and NG AI
9.1. Procedure .....................................................................................................739.1.1. On the Security Change Manager ............................................................739.1.2. On the Check Point FireWall-1 Management Server ...................................73
Procedure ...........................................................................................739.1.3. VPN Domains .....................................................................................74
9.2. VPN Limitations ............................................................................................749.2.1. Global Limitations ...............................................................................75
VPN-1 Net ..........................................................................................75DES-40 and CAST-40 ..........................................................................75Multiple Entry Point VPNs (MEP) ..........................................................75
9.2.2. Site-to-site limitation ............................................................................75Usage of the Simplified Mode ................................................................75
This chapter discusses how to use Security Change Manager to manage gateway-to-gateway VPNsfor Check Point FireWall-1 PEPs.
9.1. ProcedureWhen making a gateway-to-gateway VPN on a Check Point FireWall-1 through Security ChangeManager, the user will do the following tasks:
9.1.1. On the Security Change Manager
1. Define a gateway-to-gateway tunnel as described in the Security Change Manager User Guide.2. Compile.3. Perform Upload Preparation on the policy.4. Upload the policy.
9.1.2. On the Check Point FireWall-1 Management Server
On the management server, if it is the first time you upload this VPN, you must set the pre-shared secret and/or certificates.
Procedure
1. Set the Authentication parameters:
a. In the case of a pre-shared secret, open the community named NP_V__<PEP1>-<PEP2>. In the shared secret field, copy the pre-shared key written in the 0.
b. In the case of certificates, there is nothing to do except to use a Certificate Authority. When the Certificate Authority of the device is different from that of its Check Point Management Server, you must create this Certificate Authority object in the Management Server and then enrol the Check Point FireWall-1 gateway in this Certificate Authority.
For more information, refer to the Check Point FireWall-1 documentation.
2. Save and install the policy.
Note
This task must be done after the VPN community is created. The next upload will not need these tasks to be done again, except in the cases where the pre-shared key changed, the certificate authorities changed, or the policy on the tunnel changed from PSK to RSA-Sig or from RSA-Sig to PSK.
9.1.3. VPN Domains
The VPN domain is deduced in the following manner:
Figure 9.1. VPN Domain Deduction
The source (respectively destination) of all permissions that enter (respectively leave) one side of a tunnel will be part of the VPN domain of that side.
Since each gateway has only one VPN domain, it will be a group that contains all the networks that need to be reached via IPsec, possibly from different tunnels.
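The deduction rule above, written out as an added example in Python (this is not Security Change Manager code; the gateway names, networks, tunnels and permissions are a constructed sample). It also adds the check a practitioner wants before uploading: two Check Point gateways whose VPN domains overlap leave the peer unable to choose the right tunnel, so overlaps are reported.

```python
import ipaddress
from collections import defaultdict

# Constructed sample topology; gateway names and networks are hypothetical,
# not taken from the manual. Each PEP protects the networks listed for it.
BEHIND = {
    "gw-paris": ["10.1.0.0/16", "10.2.0.0/24"],
    "gw-lyon": ["10.3.0.0/16"],
    "gw-nice": ["10.3.128.0/17"],   # an enclave carved out of gw-lyon's range
}
TUNNELS = [("gw-paris", "gw-lyon"), ("gw-paris", "gw-nice")]
# Permissions drawn on the map, as (source network, destination network).
PERMISSIONS = [
    ("10.1.0.0/16", "10.3.0.0/16"),     # paris -> lyon through the tunnel
    ("10.3.0.0/16", "10.2.0.0/24"),     # lyon -> paris through the tunnel
    ("10.1.0.0/16", "10.3.128.0/17"),   # paris -> nice through the tunnel
    ("10.1.0.0/16", "10.1.5.0/24"),     # stays behind gw-paris: no tunnel
]


def gateway_for(net, behind):
    """PEP protecting `net`, by longest-prefix match over the topology."""
    net = ipaddress.ip_network(net)
    best, best_len = None, -1
    for gw, nets in behind.items():
        for candidate in map(ipaddress.ip_network, nets):
            if net.subnet_of(candidate) and candidate.prefixlen > best_len:
                best, best_len = gw, candidate.prefixlen
    return best


def deduce_vpn_domains(permissions, tunnels, behind):
    """Apply the rule of Section 9.1.3: for a permission that crosses a tunnel,
    its source joins the VPN domain of the entry side and its destination joins
    the VPN domain of the exit side. Each PEP ends up with one group holding
    every network it must reach over IPsec, whichever tunnel is used."""
    tunnel_pairs = {frozenset(pair) for pair in tunnels}
    domains = defaultdict(set)
    for src, dst in permissions:
        entry, exit_ = gateway_for(src, behind), gateway_for(dst, behind)
        if entry is None or exit_ is None or entry == exit_:
            continue   # local traffic or unknown topology: no tunnel involved
        if frozenset((entry, exit_)) not in tunnel_pairs:
            continue   # no tunnel between these PEPs: the flow is not encrypted
        domains[entry].add(ipaddress.ip_network(src))
        domains[exit_].add(ipaddress.ip_network(dst))
    return {gw: [str(n) for n in sorted(nets)] for gw, nets in domains.items()}


def overlapping_domains(domains):
    """Pre-upload check: report pairs of gateways whose VPN domains overlap."""
    found = []
    gws = sorted(domains)
    for i, g1 in enumerate(gws):
        for g2 in gws[i + 1:]:
            for n1 in map(ipaddress.ip_network, domains[g1]):
                for n2 in map(ipaddress.ip_network, domains[g2]):
                    if n1.overlaps(n2):
                        found.append((g1, str(n1), g2, str(n2)))
    return found


if __name__ == "__main__":
    result = deduce_vpn_domains(PERMISSIONS, TUNNELS, BEHIND)
    for gw, nets in sorted(result.items()):
        print(f"{gw}: VPN domain = {nets}")
    for g1, n1, g2, n2 in overlapping_domains(result):
        print(f"WARNING: {g1} ({n1}) overlaps {g2} ({n2})")
```

In the sample, gw-lyon's domain (10.3.0.0/16) ends up overlapping gw-nice's (10.3.128.0/17) because a permission targets the enclave through a different tunnel; the local 10.1.0.0/16 to 10.1.5.0/24 permission never enters a tunnel and contributes nothing.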
9.2. VPN Limitations
VPN Limitations and their workarounds (if they exist) are listed below:
9.2.1. Global Limitations
VPN-1 Net
The VPN-1 Net module is not supported in Security Change Manager.
DES-40 and CAST-40
Security Change Manager does not manage the DES-40 and CAST-40 encryption algorithms.
Multiple Entry Point VPNs (MEP)
Multiple Entry Point VPNs (MEP) are not supported.
9.2.2. Site-to-site limitation
Usage of the Simplified Mode
Using simplified mode prevents having, for a given service, both a permission that passes through a tunnel and a permission outside the tunnel.
Chapter 10. Check Point FireWall-1 Cluster Management
10.1. Procedure (page 77)
10.1.1. On the Check Point FireWall-1 Management Server (page 77)
10.1.2. On the Security Change Manager Designer (page 77)
10.2. Limitations (page 81)
This chapter discusses how to use Security Change Manager to manage clusters of Check Point FireWall-1 PEPs.
10.1. Procedure
10.1.1. On the Check Point FireWall-1 Management Server
If the cluster object does not already exist, you must create it on the Check Point Management Server. The cluster members do not need to be created; they will be created by the Security Change Manager.
10.1.2. On the Security Change Manager Designer
1. Create the map with the cluster members defined as PEPs.
a. Reference the Management Server from each PEP.
b. Define each PEP's interfaces (other parameters will be hidden when the PEP is referenced as cluster member).
c. Select the Upload configuration view and tick the SIC Authentication Key checkbox to initiate communication between the Management Server and the module if you have not yet initiated it via the Check Point FireWall-1 SmartDashboard.
Figure 10.1. SIC Authentication Key Activated
2. Create the cluster via the menu Mode → Add Cluster. Make sure it is named with the same name that is used in the Check Point FireWall-1 Management Server.
a. Open the Cluster Properties window, and in the Identification view, reference the Management Server from the cluster using the Managed By pull-down menu.
Figure 10.2. Management Server Referenced on the Cluster
b. Select the Cluster Options view and set Cluster XL Enabled to Yes if you are not using a 3rd-party application to handle clustering.
Figure 10.3. Cluster XL Enabled Option
c. Select the Cluster Options → Cluster Members view, add the cluster members and sort them according to the priority in which you want them to be available (the top one in the list is the master).
Figure 10.4. Selection of Cluster Members
d. Select the Cluster Options → Availability Parameters view, and set the Operating Mode option as needed. Set other availability parameters depending on whether you have chosen the Cluster XL feature or not.
Figure 10.5. Selection of Availability Operation Mode
e. Select the Cluster Options → Synchronization → Synchronization Networks view and reference a network to synchronize the cluster members. This network must have the following characteristics:
• It is recommended that you reference a dedicated network that is not connected to any of the cluster's virtual interfaces. You can define more than one synchronization network for backup purposes.
• Since synchronization networks are used to pass sensitive data such as encryption keys, it is important that these networks are secured.
• The network must be linked to one interface of each cluster member.
Figure 10.6. Selection of Synchronization Network
f. Add the virtual interfaces and connect them to the same network as the cluster members' interfaces. The virtual interfaces will make the cluster members' interfaces redundant.
Your workspace should look like this:
Figure 10.7. Example of Cluster
Note
Implicit Permissions will be automatically activated between the cluster members (this is also the case for Nokia IP clusters).
3. Add an NTP permission between the cluster members and the NTP server to ensure the cluster members have the same date.
4. Upload the configuration.
10.2. Limitations
High Availability Legacy Mode is not supported; High Availability New Mode of Check Point FireWall-1 is supported.
Chapter 11. Provider-1 Management Server Installation
11.1. Adding a Provider-1 Management Server (page 83)
11.1. Adding a Provider-1 Management Server
1. Click on the Mgt server icon in the toolbar.
2. Click on the background of the Security Change Manager Designer map to add a Management Server and enter its IP address in the pop-up menu.
3. Double-click the Management Server icon on the map to open its Properties window and select the type Provider-1 in the Identification view.
4. Select the General Options → Managed CMAs view and click the Add Managed CMA icon to add the CMA servers that should be managed by the Provider-1 Management Server.
Chapter 12. Check Point FireWall-1 Properties Windows
12.1. Description (page 85)
12.2. General Options (page 85)
12.2.1. Security Profile (page 87)
Common Security Parameters (page 88)
Replace Address (page 90)
Replace Service (page 92)
12.2.2. Virtual System (page 93)
12.2.3. Authentication (page 93)
Enabled Authentication Schemes (page 93)
Authentication Settings (page 93)
HTTP Security Server (page 94)
12.3. Policy Learning Mode (page 95)
12.4. Common Interface Options (page 95)
12.5. Interface Options (page 96)
12.5.1. Security Profile (page 98)
Common Security Parameters (page 98)
Replace Address (page 100)
Replace Service (page 101)
12.5.2. IP Addresses (page 102)
Static IP Addresses (page 102)
Dynamic Addresses Pool (page 102)
IP Addresses (page 102)
12.6. VPN Options (page 104)
12.6.1. IKE Capabilities (page 104)
12.6.2. IPSec Capabilities (page 105)
12.6.3. Remote Access VPN (page 105)
12.7. Upload Configuration (page 106)
12.8. Tunnel Peer Options (page 107)
12.8.1. Interface (page 108)
12.9. Authentication User Definition (page 108)
12.9.1. flowListIn (page 111)
12.9.2. flowListOut (page 111)
12.9.3. flowListExternal (page 111)
12.1. Description
Option Description
Note
Allows you to enter a description of the current PEP.
12.2. General Options
Use this view to examine and modify general PEP options.
Option Description
Managed
* Choice "Yes *"
Indicates that SCM Server will produce filters for this PEP.
* Choice "No"
Set to "No" if you do not want SCM Server to manage this PEP.
Apply Flow To/From PEP on Relevant Interfaces Only
Enables you to choose how the PEP applies flows to its various interfaces.
* Choice "Yes *"
Limits an authorized flow, having the PEP as its destination, so that incoming packets through an interface cannot reach any other interface.
* Choice "No"
Enables an authorized flow, having the PEP as its destination, to reach all interfaces of the PEP.
This setting is a general default which can be overridden for a specific instance using the Permission Properties window: Global Properties View.
Has IPSec Module
* Choice "Yes"
Indicates that the device supports the IPSec module for VPNs.
* Choice "No"
Indicates that the device does not support IPSec.
supportsEncapsulatedTunnel
Enforce Time Filtering
Specifies whether the PEP is to perform time filtering. For further information on Time Filtering, see the SCM Server User Guide.
Generate NAT Rules
* Choice "Yes *"
NAT rules are generated by the compiler and included in the filters. A warning message is displayed if the PEP cannot implement the rules.
* Choice "Comment"
NAT rules are written to the filters file as comments and ignored by the upload module.
* Choice "No"
NAT rules are not generated.
At upload time, when the No or Comment option is selected, the rule modifications are uploaded to the device without changing the existing NAT rules (if these exist). This is important because NAT rules are changed much less often than other filtering rules, and rewriting them interrupts communication. However, the compiler will take into account the NAT rules to generate the filters for the PEPs beyond the NAT application point.
Check Point Suite Type
The suite type that matches the one you installed with your Check Point software.
VSX Type
Lets you choose the type of VSX device.
* Choice "Gateway *"
The VSX device will be a VSX gateway.
* Choice "Virtual System"
The VSX device will be a virtual system.
12.2.1. Security Profile
Use this view to select the PEP's level of security. By default, the PEP's profile is set to maximum security.
Option Description
Security Level
Lets you choose the default level of security that SCM Server will generate for this PEP.
You can choose to generate faster configurations on certain PEPs at the expense of reduced security.
* Choice "Custom Filtering *"
Lets you choose a custom level of filtering by setting options in the Replace Address or Replace Service views.
* Choice "Deny few, Permit all"
Same as "Custom Filtering" but with the default policy set to "Permit".
* Choice "Full Filtering"
This level configures the PEP parameters to offer maximum security. The parameters contained in the Common Security Parameters view will be set in order to ensure maximum security and will be locked to prevent changes. This option also:
- prevents you from choosing the Broad Filtering option (see the Replace Address and Replace Service nodes)
* Choice "PEP Access Security Only"
Disables filtering on this PEP, except for the rules that protect the PEP itself. Therefore, the PEP will allow all traffic to pass through it, but it will not allow unauthorized access to itself.
* Choice "No Filtering"
Disables filtering, and reduces security on this PEP to zero.
Broad Filtering
Lets you choose to enable faster configurations at the expense of reduced security.
You must set Security Level to "Custom Filtering" to use this option.
* Choice "Disabled *"
Indicates that filtering is not broadened, and security is at its highest level.
* Choice "By Address"
Reveals the Replace Address view, which lets you configure broad filtering by address.
* Choice "By Service"
Reveals the Replace Service view, which lets you configure broad filtering by service.
Common Security Parameters
Use this view to configure common security parameters for the PEP.
Option Description
Suppress Filtering on TCP Direction
Sets up the flow rules so that returning traffic is handled appropriately, based on the "ack" (acknowledged) bit.
* Choice "Yes *"
Only the packets belonging to an established connection will be permitted to flow back through the PEP.
* Choice "No"
The filtering rules will not verify the ack bit status. These filters will be more compact but more permissive for the return traffic, which may lead to degraded security.
Attention: This option should be modified by an expert user only.
Suppress Filtering on ICMP Message Type
* Choice "Yes *"
Indicates that the PEP will do filtering by ICMP message type.
* Choice "No"
Indicates that the PEP will not do filtering by ICMP message type.
'Securing PEP' rules
* Choice "Yes *"
Denies access to the PEP's interface addresses, except for the default administration flows, thereby securing the PEP.
* Choice "No"
Permits access to the PEP's interface addresses.
Suppress 'Internet Restriction'
Indicates if SCM Server will add extra deny filters when the Internet object is defined as "Any". This option is activated by selecting "No" for the Expand Internet option on the PEP window: General Options View.
* Choice "Yes *"
Any permission you draw to/from Internet causes the compiler to implicitly generate all necessary denies to prevent permissions to/from all other internal addresses.
* Choice "No"
Any permission you draw to/from Internet will also implicitly allow permissions to/from all other internal addresses, which may lead to lower security.
Attention: This option should be modified by an expert user only.
Expand Internet
This option is an optimization that controls how SCM Server defines the Internet object. It can create very finely-tuned filters, but at the price of increased size.
* Choice "Yes"
SCM Server will use a more precise, "expanded" definition of Internet: it defines the Internet as "all addresses outside the internal networks". This creates very fine, but slower, filters.
* Choice "No *"
SCM Server will define Internet as "Any". The generated filters are thus faster, but less secure.
Default Rule
Lets you change the default rule on this device. By default SCM Server will write a "deny all" rule at the end of a device's configuration. With this option, you can change this behavior: SCM Server will not write a default "deny all" rule, and, on this device, all access that is not explicitly denied will be allowed.
* Choice "Policy Default *"
Uses the value defined in the Tools > Properties for the Current Policy window.
* Choice "Deny"
Keeps the standard behavior. Every access that is not defined is not allowed on this device.
* Choice "Allow"
Lets you easily define policies where the goal is to prohibit a set of given protocols in the network.
If you choose the "Allow" option, make sure that you explicitly deny every access point that you want to close, or make sure that you have another device in series that denies everything by default.
Generate Anti-Spoofing
Lets you choose if the PEP or SCM Server should generate anti-spoofing rules.
* Choice "Yes *"
The PEP will generate anti-spoofing rules.
* Choice "No"
The PEP will not generate anti-spoofing rules.
* Choice "Unmanaged"
Takes the computed anti-spoofing into account, but does not generate the related configuration, so that the anti-spoofing defined on the SmartCenter is not changed by the upload.
Spoof Tracking
Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated and how information about spoofed connections should be logged.
* Choice "None *"
* Choice "Log"
* Choice "Alert"
* Choice "Disabled"
Disables the anti-spoofing option.
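The interaction between Expand Internet and Suppress 'Internet Restriction' described above, as an added example in Python (not Security Change Manager code; the internal networks, the host address and the rule tuple layout are a constructed sample, and `expand_internet`, `internet_rules` and `decide` are hypothetical names). It shows what "all addresses outside the internal networks" expands to, and why the "Any" form needs explicit denies in front of it.

```python
import ipaddress

# Constructed sample: the policy's internal networks (not from the manual).
INTERNAL = ["10.0.0.0/8", "192.168.0.0/16"]


def expand_internet(internal):
    """Expand Internet = Yes: the Internet object becomes every IPv4 address
    outside the internal networks, as a list of CIDR blocks."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in map(ipaddress.ip_network, internal):
        carved = []
        for block in remaining:
            if net.subnet_of(block):
                carved.extend(block.address_exclude(net))   # split around net
            elif not block.subnet_of(net):
                carved.append(block)                         # untouched block
            # else: block lies entirely inside an internal network and is dropped
        remaining = carved
    return [str(b) for b in ipaddress.collapse_addresses(remaining)]


def internet_rules(src, service, internal, expand, restriction=True):
    """Filter lines for the permission 'src -> Internet : service'.
    expand=True : one permit per expanded block (precise, but long).
    expand=False: Internet is 'any'; with the Internet Restriction active, denies
                  for the internal networks come first so the broad permit cannot
                  be used to reach inside. restriction=False models Suppress
                  'Internet Restriction' = No."""
    if expand:
        return [("permit", src, block, service) for block in expand_internet(internal)]
    rules = [("deny", src, net, service) for net in internal] if restriction else []
    rules.append(("permit", src, "any", service))
    return rules


def decide(rules, src, dst, service):
    """First-match evaluation, with the default 'deny all' rule at the end."""
    dst_ip = ipaddress.ip_address(dst)
    for action, s, d, svc in rules:
        if s == src and svc == service and (d == "any" or dst_ip in ipaddress.ip_network(d)):
            return action
    return "deny"


if __name__ == "__main__":
    blocks = expand_internet(INTERNAL)
    print(f"expanded Internet: {len(blocks)} blocks, e.g. {blocks[:4]}")
    for expand, restriction in ((True, True), (False, True), (False, False)):
        rules = internet_rules("10.1.1.5", "tcp/80", INTERNAL, expand, restriction)
        verdict = decide(rules, "10.1.1.5", "10.2.3.4", "tcp/80")
        print(f"expand={expand} restriction={restriction}: {len(rules)} rules, "
              f"internal host 10.2.3.4 -> {verdict}")
```

With the two sample networks the expanded Internet is 22 blocks; the "Any" form is three lines, and dropping its two denies is exactly what lets the Internet permission reach 10.2.3.4.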
Replace Address
Use this view to set a limit on the optimizations SCM Server makes on addresses.
SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "By Address" in the Security Profile view, you can use the current view to put constraints on this optimization.
Option Description
Replace Source
This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.
Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
* Choice "by Netmaskable Network"
Indicates that SCM Server will attempt to replace the source IP addresses of the permissions managed by this PEP such that the IP addresses can be represented by a netmask. You can enter this netmask in the Source Network Netmask field, below.
* Choice "by Any"
Indicates that SCM Server will replace the source IP addresses of the permissions that this PEP manages by Any.
In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.
Source Network Netmask
Allows you to enter the netmask to apply to source permissions.
Restrict Source Replacement to Topology
When used with the above option, this option will restrict the enlargement to the address of the network from which each permission originates, in your policy map.
Replace Destination
This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.
Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
* Choice "by Netmaskable Network"
Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this PEP such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.
* Choice "by Any"
Indicates that SCM Server will replace the destination IP addresses of the permissions that this PEP manages by Any.
In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.
Destination Network Netmask
Allows you to enter the netmask to apply to destination permissions.
Restrict Destination Replacement to Topology
When used with the "by Netmaskable Network" choice of Replace Destination, this option will restrict the enlargement to the address of the network where each permission terminates, in your policy map.
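The source-side broadening described in this view, as an added Python example that is not Security Change Manager code (the permissions, the map networks and the function names `broaden_source` and `permitted_sources` are constructed for illustration). It applies the netmask, honours the rule that logged permissions are left alone, shows what Restrict Source Replacement to Topology clips, and counts how many source addresses each variant actually lets through compared with the three the policy names.

```python
import ipaddress

# Constructed sample permissions (hypothetical addresses, not from the manual).
# "log" stands for the logging/time/authorization actions that, per the text,
# exclude a permission from the optimization.
PERMISSIONS = [
    {"src": "10.10.1.1", "dst": "172.16.0.10", "service": "tcp/443", "log": False},
    {"src": "10.10.2.2", "dst": "172.16.0.10", "service": "tcp/443", "log": False},
    {"src": "10.10.3.3", "dst": "172.16.0.10", "service": "tcp/443", "log": True},
]
# Networks drawn on the policy map (the "topology").
TOPOLOGY = ["10.10.0.0/22", "10.20.0.0/16"]


def broaden_source(perms, netmask_len, restrict_to_topology=False, topology=()):
    """Replace Source 'by Netmaskable Network': rewrite each eligible source to
    the /netmask_len network containing it, then drop rules that became
    identical. With Restrict Source Replacement to Topology the enlargement
    stops at the map network the source belongs to whenever that network is
    smaller than the one the netmask would give."""
    rules = []
    for p in perms:
        if p["log"]:
            src = p["src"]                          # logged flow: left as is
        else:
            net = ipaddress.ip_network(f"{p['src']}/{netmask_len}", strict=False)
            if restrict_to_topology:
                for t in map(ipaddress.ip_network, topology):
                    if ipaddress.ip_address(p["src"]) in t and t.prefixlen > net.prefixlen:
                        net = t
            src = str(net)
        rule = (src, p["dst"], p["service"])
        if rule not in rules:
            rules.append(rule)
    return rules


def permitted_sources(rules):
    """Number of distinct source addresses the generated rules accept; compare
    it with the number of sources the policy actually named."""
    allowed = set()
    for src, _, _ in rules:
        net = ipaddress.ip_network(src)
        allowed.update(range(int(net.network_address), int(net.broadcast_address) + 1))
    return len(allowed)


if __name__ == "__main__":
    policy_sources = len({p["src"] for p in PERMISSIONS})
    for restrict in (False, True):
        rules = broaden_source(PERMISSIONS, 16, restrict, TOPOLOGY)
        print(f"restrict_to_topology={restrict}: {len(rules)} rules, "
              f"{permitted_sources(rules)} sources permitted for {policy_sources} in the policy")
```

A /16 netmask turns three host permissions into two rules but admits 65,536 sources; restricting to topology keeps the same rule count and cuts that to the 1,024 addresses of the map's /22, which is the kind of figure to weigh before enabling the option on a PEP that is not backed by a tighter one on the same path.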
Replace Service
Use this view to set a limit on the optimizations SCM Server makes on services.
SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for the services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "By Service" in the Security Profile view, you can use the current view to put constraints on this optimization.
Option Description
Replace Service
This is an optimization that enlarges the service of a permission. For example, an HTTP and an FTP permission may be enlarged to TCP. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.
* Choice "No *"
Will not enlarge services. This option maintains the highest level of security.
* Choice "by TCP"
Replaces TCP-based permissions by a single TCP permission.
* Choice "by UDP"
Replaces UDP-based permissions by a single UDP permission.
* Choice "by TCP and UDP"
Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions.
A TCP-based permission will be replaced by two permissions: a permit TCP and a permit UDP. A UDP-based permission will also be replaced by two permissions: a permit TCP and a permit UDP.
* Choice "by IP"
Replaces permissions by IP.
* Choice "by Any"
Replaces all permissions by Any.
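The Replace Service choices above, as an added Python example (not Security Change Manager code; the service catalogue, the permissions and the names `replace_service`, `is_allowed` and `exposure` are constructed for illustration). It applies each choice to a small policy and then counts how many ports the resulting rules open, which is the number to weigh against the rule-count saving.

```python
# Constructed service catalogue (hypothetical, not from the manual):
# service name -> (protocol, destination port or None).
SERVICES = {
    "http": ("tcp", 80),
    "ftp": ("tcp", 21),
    "dns": ("udp", 53),
    "icmp-echo": ("icmp", None),
}
PERMISSIONS = [   # (source, destination, service) as drawn on the map
    ("10.1.1.1", "10.2.2.2", "http"),
    ("10.1.1.1", "10.2.2.2", "ftp"),
    ("10.1.1.1", "10.2.2.2", "dns"),
    ("10.1.1.1", "10.2.2.2", "icmp-echo"),
]


def replace_service(perms, mode):
    """Apply the Replace Service choice to each permission and return the
    de-duplicated rule list. Mode names are the manual's choices."""
    rules = []
    for src, dst, svc in perms:
        proto, _ = SERVICES[svc]
        if mode == "No":
            widened = [svc]
        elif mode == "by TCP":
            widened = ["tcp"] if proto == "tcp" else [svc]
        elif mode == "by UDP":
            widened = ["udp"] if proto == "udp" else [svc]
        elif mode == "by TCP and UDP":
            widened = ["tcp", "udp"] if proto in ("tcp", "udp") else [svc]
        elif mode == "by IP":
            widened = ["ip"]
        elif mode == "by Any":
            widened = ["any"]
        else:
            raise ValueError(f"unknown Replace Service mode: {mode}")
        for w in widened:
            rule = (src, dst, w)
            if rule not in rules:          # identical rules collapse into one
                rules.append(rule)
    return rules


def is_allowed(rules, src, dst, proto, port):
    """Does the generated rule set let proto/port pass from src to dst?"""
    for s, d, svc in rules:
        if (s, d) != (src, dst):
            continue
        if svc in ("ip", "any"):
            return True
        if svc in ("tcp", "udp"):
            if svc == proto:
                return True
            continue
        p, prt = SERVICES[svc]
        if p == proto and (prt is None or prt == port):
            return True
    return False


def exposure(rules, src, dst, probe_ports=range(1, 1025)):
    """Count the tcp/udp well-known ports on src->dst that the rules open, to
    quantify what a broadening choice gives away beyond the policy."""
    return sum(is_allowed(rules, src, dst, proto, port)
               for proto in ("tcp", "udp") for port in probe_ports)


if __name__ == "__main__":
    for mode in ("No", "by TCP", "by UDP", "by TCP and UDP", "by IP", "by Any"):
        rules = replace_service(PERMISSIONS, mode)
        print(f"{mode:15}: {len(rules)} rules, "
              f"{exposure(rules, '10.1.1.1', '10.2.2.2')} well-known ports open")
```

On this policy "No" opens exactly the three ports it names; "by TCP" saves one rule and opens every TCP port, and "by TCP and UDP" or "by Any" opens all of both, so the saving should only be taken where another PEP on the path still filters by service.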
12.2.2. Virtual System
Option Description
Container Name
Specifies the name of the container/VirtualSystemBox that contains this virtual system.
You must have configured the container device with virtual systems for SCM Server to be able to communicate with it.
12.2.3. Authentication
This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.
Enabled Authentication Schemes
Use this view to enable the different types of authentication servers with which the PEP may communicate.
Option Description
S/Key
Indicates if the PEP will prompt the user to enter his/her S/Key during authentication (not on NG AI).
VPN-1 and FireWall-1 Password
Indicates if the PEP will prompt the user to enter his/her internal Check Point(TM) FireWall-1(R) password during authentication.
SecurID
Indicates if the PEP will prompt the user to enter the number shown on the SecurID card during authentication.
RADIUS
Indicates if the PEP will prompt the user to answer the RADIUS question during authentication. The question is defined on a RADIUS server.
TACACS
Indicates if the PEP will prompt the user to answer the TACACS question during authentication. The question is defined on a TACACS or TACACS+ server.
OS Password
Indicates if the PEP will prompt the user to enter his/her operating system password during authentication.
Authentication Settings
Use this view to configure how the PEP behaves during authentication sessions.
Option Description
User Authentication Session Timeout (min)
Indicates the number of minutes after which the PEP closes the authentication session.
Enable wait mode for Client Authentication
If the user opens an authentication session over telnet on port 259, this option indicates if the PEP will keep the telnet session open during the time the authentication session is open.
If you select this option, the PEP will close the authentication session when the telnet session closes.
If you do not select this option, the PEP will close the telnet session once the user signs on, and the user will have to reopen the telnet session to sign off.
Authentication Failure Track
Indicates how the PEP will react to errors during authentication.
* Choice "None"
The PEP will not inform the user of errors.
* Choice "Log"
The PEP will log errors.
* Choice "Popup Alert"
The PEP will open a popup window; you can define the popup alert once in the Check Point(TM) FireWall-1(R) software Global Properties window, and afterwards reference it from SCM Server.
* Choice "Mail Alert"
The PEP will send an email of the error.
* Choice "SNMP Trap Alert"
The PEP will send an SNMP alert.
* Choice "User defined alert no."
The PEP will send a user-defined alert; you can define alerts once using the Check Point(TM) FireWall-1(R) software, and afterwards reference them from SCM Server.
HTTP Security Server
Use this view to configure how the PEP communicates with its associated HTTP security server.
Option Description
Use Next Proxy
Indicates whether there is an HTTP proxy server behind the Check Point(TM) FireWall-1(R) HTTP Security Server.
HTTP Next Proxy
The host name and port number of the HTTP proxy server.
12.3. Policy Learning Mode
Use this view to change the policy of a device and open it sufficiently to guarantee that the flows will pass until complete policy discovery has been made by the security team.
Option Description
Enable Policy Learning Mode
* Choice "Yes"
Indicates that Policy Learning Mode is enabled.
* Choice "No *"
Indicates that Policy Learning Mode is disabled.
Log Level for Allow Rule
* Choice "None *"
Disables logging.
* Choice "Default"
Triggers the logging of any IP packet matching the default policy, to the default log level of the current PEP type.
Note: Some PEPs allow selection of different log levels.
12.4. Common Interface Options
Use this view to manage options that are common to all the PEP's interfaces.
Option Description
Generate ICMP Error Message
* Choice "Yes"
Sets the error option for all interfaces on the PEP. This option triggers the transmission of the error message ICMP unreachable for any IP packet that is not authorized by the filters. This action is carried out for both incoming and outgoing interface traffic.
* Choice "No *"
The error option is not set.
Log Level for the Default Rule
Sets the log level for the default rule for all interfaces on the PEP. This option will not show packets transiting in violation of a specific denial. To see that information, you must set the Log option on the Permission Properties window: Log view, or on the concerned interface.
* Choice "None *"
Disables logging.
* Choice "Default"
Triggers the logging of any IP packet matching the default policy, to the default log level of the current PEP type.
Note: Some PEPs allow selection of different log levels.
Application Point
* Choice "Incoming *"
The filters will be generated for the packets entering the interface.
* Choice "Outgoing"
The filters will be generated for the packets leaving the interface.
* Choice "Both Directions if Possible"
SCM Server will choose the application point with respect to the PEP capabilities and the PEP options settings.
Allow Forwarding
Indicates if this device will perform forwarding.
Enable this option to allow the device to forward packets.
12.5. Interface Options
Use this view to manage the options for a single interface.
Option Description
Upload Target
* Choice "Yes *"
Specifies that the selected interface will be used for uploading filter files.
* Choice "No"
Specifies that the selected interface is not to be used for uploading filter files.
Interface Type
Indicates if the interface's purpose is to filter or to sniff the packets.
* Choice "Filtering Interface"
The interface only does packet filtering.
* Choice "Sensor"
The interface only does packet sniffing.
* Choice "Sensor + Filtering Interface"
The interface can do both.
Is Loopback Interface
Specifies if this interface is a "loopback" interface.
A loopback is a special type of interface used to represent a virtual range of IP addresses. This may be useful, for example, when your device is connected to the Internet through two redundant ISPs. The loopback interface can be used to accept outside connections, which it then routes to one of the real interfaces.
Note: SCM Server will not allow you to connect a loopback interface to any object.
Policy Learning Mode
* Choice "Yes"
Indicates that Policy Learning Mode is enabled on this interface.
* Choice "No *"
Indicates that Policy Learning Mode is disabled on this interface.
Log Level for Deny Rules
* Choice "None *"
Disables logging.
* Choice "Default"
Triggers the logging of any IP packet matching a deny rule, to the default log level of the current PEP type.
Some PEPs allow selection of different log levels.
Managed
* Choice "Yes *"
Specifies that filters will be produced for this interface and the configuration of the interface will be managed by SCM Server.
* Choice "No"
Specifies that no filters will be produced for this interface and the configuration of the interface will not be managed by SCM Server.
Allow Forwarding
Indicates if this interface will perform forwarding.
Enable this option to allow the interface to forward packets.
Use as Tunnel Peer
Indicates if this interface can be used to mount a tunnel.
Interface Options
97
Option Description
* Choice "Always"
Indicates that the PEP will always try to use this inter-face when mounting a tunnel.
* Choice "Never"
The PEP will never try to use this interface whenmounting a tunnel.
* Choice "Automatic *"
SCM Server will choose either "always" or "never"depending on whether the interface forms part of apossible path for the tunnel.
Note: You should only need this option if you useTunnel Groups.
Application Point* Choice "Incoming *"
Only incoming filters will be applied.
* Choice "Outgoing"
Only outgoing filters will be applied.
* Choice "Device Default"
Incoming/outgoing filters are applied according to thevalue as specified in the Interfaces: Options View.
* Choice "Both Directions if Possible"
SCM Server will choose the application point accord-ing to the PEP capabilities and the PEP options set-tings.
Interface is external (leads out to the Inter-net) Specifies that the interface leads to the Internet. This
means that IP addresses behind this interface will notbe counted in the license enforcement.
12.5.1. Security Profile

Use this view to select the level of security on this interface. By default, the interface's profile is set to maximum security.

Common Security Parameters

Use this view to configure common security parameters for this interface.

Option / Description

Disable Filtering
* Choice "Device Default *"
  This option uses the value set in the General Options: Security Profile: Common Security Parameters view.
* Choice "No"
  SCM Server will generate filters for this interface.
* Choice "Yes"
  SCM Server will generate a permit any any rule on this interface.
  By disabling the filtering on one (or several) interface(s), you create a rule that permits all flows, which can reduce the level of security, but improves performance.
Note: This option will not disable the "Securing PEP" and "Anti-Spoofing" filters. To disable those filters as well:
- choose "No" in the "Generate Anti-Spoofing" option
- in the General Options: Security Profile: Common Security Parameters view, enable the option "Suppress Securing PEP".

Generate Anti-Spoofing
Lets you choose if the PEP or SCM Server should generate anti-spoofing rules.
* Choice "Yes *"
  The PEP will generate anti-spoofing rules.
* Choice "No"
  The PEP will not generate anti-spoofing rules.
* Choice "Unmanaged"
  Takes the computed anti-spoofing into account, but does not generate the related configuration, so that in the end the anti-spoofing defined on the SmartCenter will not be changed by the upload.

Spoof Tracking
Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated and how information about spoofed connections should be logged.
* Choice "Device Default *"
* Choice "None"
* Choice "Log"
* Choice "Alert"
* Choice "Disabled"
  Disables the anti-spoofing option.
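The anti-spoofing rules that the "Generate Anti-Spoofing" option produces are topology-based: a packet is spoofed when its source address could not legitimately have arrived on the interface it came in on. The following is an added example, not SCM Server or Check Point code, that models that check on a constructed two-LAN topology (interfaces eth1/eth2 with their networks, eth0 marked external). For the external interface the valid source set is computed as every address outside the internal networks; the sample packets and the tracking record format are constructed for the example.

```python
"""Topology-based anti-spoofing check (added example, not SCM Server code)."""
import ipaddress
from typing import Dict, List, Tuple

IPv4Network = ipaddress.IPv4Network

# Constructed topology: interface -> networks connected behind it on the map.
INTERNAL_TOPOLOGY: Dict[str, List[IPv4Network]] = {
    "eth1": [IPv4Network("10.10.0.0/16")],
    "eth2": [IPv4Network("192.168.1.0/24")],
}
EXTERNAL_INTERFACE = "eth0"   # the "Interface is external" one, assumed name


def complement(networks: List[IPv4Network]) -> List[IPv4Network]:
    """CIDR blocks covering every IPv4 address NOT inside `networks`,
    i.e. "all addresses outside the internal networks"."""
    remaining = [IPv4Network("0.0.0.0/0")]
    for net in networks:
        carved = []
        for block in remaining:
            if net.subnet_of(block):
                carved.extend(block.address_exclude(net))   # split block around net
            elif block.subnet_of(net):
                continue                                    # block lies inside net: drop
            else:
                carved.append(block)                        # disjoint: keep as is
        remaining = carved
    return sorted(remaining)


def valid_sources(interface: str) -> List[IPv4Network]:
    """Source prefixes that may legitimately enter `interface`."""
    if interface == EXTERNAL_INTERFACE:
        internal = [n for nets in INTERNAL_TOPOLOGY.values() for n in nets]
        return complement(internal)
    return list(INTERNAL_TOPOLOGY[interface])


def is_spoofed(interface: str, src_ip: str) -> bool:
    """True when `src_ip` cannot legitimately arrive on `interface`."""
    ip = ipaddress.IPv4Address(src_ip)
    return not any(ip in net for net in valid_sources(interface))


# Constructed sample packets: (arriving interface, source address).
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("eth0", "203.0.113.7"),    # genuine Internet source
    ("eth0", "10.10.5.5"),      # internal address coming from outside: spoofed
    ("eth1", "10.10.5.5"),      # internal host on its own interface: fine
    ("eth1", "192.168.1.20"),   # the other LAN's address on eth1: spoofed
    ("eth2", "198.51.100.9"),   # Internet address on a LAN port: spoofed
]


def audit(packets, tracking: str = "Log"):
    """Drop spoofed packets and emit tracking records according to the
    Spoof Tracking choice ("None", "Log" or "Alert"). Returns (dropped, records)."""
    dropped, records = [], []
    for iface, src in packets:
        if is_spoofed(iface, src):
            dropped.append((iface, src))
            if tracking in ("Log", "Alert"):
                records.append(f"{tracking.upper()}: anti-spoofing drop iface={iface} src={src}")
    return dropped, records


if __name__ == "__main__":
    for iface, src in SAMPLE_PACKETS:
        print(f"{iface:5} {src:15} {'SPOOFED' if is_spoofed(iface, src) else 'ok'}")
    for line in audit(SAMPLE_PACKETS, "Alert")[1]:
        print(line)
```

Note how many prefixes the external interface's valid source list needs once two internal networks are carved out of 0.0.0.0/0: this is the same cost that an "expanded" definition of the Internet object carries when SCM Server writes it into filters.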
Replace Address

Use this view to set a limit on the optimizations SCM Server makes on addresses, on a single interface only.

SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "On Address" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.

Option / Description

Replace Source
This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.
To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view.
Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
* Choice "by Netmaskable Network"
  Indicates that SCM Server will attempt to replace the source IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Source Network Netmask field, below.
* Choice "by Any"
  Indicates that SCM Server will replace the source IP addresses of the permissions that this interface manages by Any.
In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Source Network Netmask
Allows you to enter the netmask to apply to source permissions.

Restrict Source Replacement to Topology
When used with the above option, this option will restrict the enlargement to the address of the network from which each permission originates, in your policy map.

Replace Destination
This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.
To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view.
Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
* Choice "by Netmaskable Network"
  Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.
* Choice "by Any"
  Indicates that SCM Server will replace the destination IP addresses of the permissions that this interface manages by Any.
In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Destination Network Netmask
Allows you to enter the netmask to apply to destination permissions.

Restrict Destination Replacement to Topology
When used with the "Enlarge Destination to Netmaskable Address" option, this option will restrict the enlargement to the address of the network where each permission terminates, in your policy map.
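To make the cost of this optimization concrete, here is an added example (not SCM Server code) that applies the Replace Source choices to a constructed permission list and counts how many addresses the broadened rules permit beyond what the policy names. The permissions, the /16 netmask (the 10.10.* of the text) and each permission's originating network are constructed; modelling "Restrict Source Replacement to Topology" as never enlarging past the originating network is this example's reading of the option, and the exclusion of permissions with logging, time or authorization actions follows the note above.

```python
"""Address broadening ("Replace Source") worked example; not SCM Server code."""
import ipaddress
from typing import Dict, List, Optional

IPv4Network = ipaddress.IPv4Network

# Constructed permissions: source, the map network it originates from, and actions.
PERMISSIONS: List[Dict] = [
    {"id": "p1", "src": "10.10.1.1", "origin": "10.10.0.0/22", "log": False, "time": False, "auth": False},
    {"id": "p2", "src": "10.10.2.2", "origin": "10.10.0.0/22", "log": False, "time": False, "auth": False},
    {"id": "p3", "src": "10.10.3.3", "origin": "10.10.0.0/22", "log": True,  "time": False, "auth": False},
    {"id": "p4", "src": "10.20.0.0/24", "origin": "10.20.0.0/24", "log": False, "time": False, "auth": False},
]


def eligible(perm: Dict) -> bool:
    """The view's note: permissions carrying logging, time or authorization
    actions are never broadened."""
    return not (perm["log"] or perm["time"] or perm["auth"])


def mask_address(address: str, prefixlen: int, origin: Optional[IPv4Network]) -> IPv4Network:
    """Replace one address by the netmaskable network the Source Network
    Netmask puts it in, optionally clamped to the originating network."""
    own = IPv4Network(address)
    prefix = min(prefixlen, own.prefixlen)      # never narrow a wider network
    net = IPv4Network((own.network_address, prefix), strict=False)
    # Topology restriction (assumed semantics): if the masked block is wider
    # than the network the permission originates from, stop at that network.
    if origin is not None and own.subnet_of(origin) and origin.subnet_of(net):
        net = origin
    return net


def broaden(perms: List[Dict], mode: str, prefixlen: Optional[int] = None,
            restrict_to_topology: bool = False) -> List[IPv4Network]:
    """Source networks the interface's rules permit after replacement.
    `mode` is a Replace Source choice ("by Netmaskable Network" or "by Any");
    `prefixlen` is the Source Network Netmask given as a prefix length."""
    result: List[IPv4Network] = []
    for perm in perms:
        if not eligible(perm):
            result.append(IPv4Network(perm["src"]))          # kept exactly as written
        elif mode == "by Any":
            result.append(IPv4Network("0.0.0.0/0"))
        elif mode == "by Netmaskable Network":
            if prefixlen is None:
                raise ValueError("Source Network Netmask is required for this choice")
            origin = IPv4Network(perm["origin"]) if restrict_to_topology else None
            result.append(mask_address(perm["src"], prefixlen, origin))
        else:
            raise ValueError(f"unknown Replace Source choice {mode!r}")
    return list(ipaddress.collapse_addresses(result))   # merge overlapping blocks


def over_permission(perms: List[Dict], replaced: List[IPv4Network]) -> int:
    """Addresses the broadened rules permit beyond those the policy names."""
    specified = sum(IPv4Network(p["src"]).num_addresses for p in perms)
    return sum(n.num_addresses for n in replaced) - specified


if __name__ == "__main__":
    for mode, pl, topo in [("by Netmaskable Network", 16, False),
                           ("by Netmaskable Network", 16, True),
                           ("by Any", None, False)]:
        nets = broaden(PERMISSIONS, mode, pl, topo)
        label = f"{mode}{' + topology' if topo else ''}"
        print(f"{label:40} {[str(n) for n in nets]} extra={over_permission(PERMISSIONS, nets)}")
```

The second run shows why the topology restriction matters: with it, the /16 that would have absorbed the whole 10.10.0.0/16 stops at the originating /22, so the over-permission falls from tens of thousands of addresses to about a thousand.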
Replace Service

Use this view to set a limit on the optimizations SCM Server makes on services, on a single interface only.

SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "On Service" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.

Option / Description

Replace Service
This is an optimization that enlarges the service of a permission on one interface. For example, an HTTP and an FTP permission may be enlarged to TCP. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.
* Choice "No *"
  Will not enlarge services. This option maintains the highest level of security.
* Choice "by TCP"
  Replaces TCP permissions by TCP.
* Choice "by UDP"
  Replaces UDP permissions by UDP.
* Choice "by TCP and UDP"
  Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions.
  A TCP-based permission will be replaced by two permissions: a permit TCP and a permit UDP. A UDP-based permission will also be replaced by two permissions: a permit TCP and a permit UDP.
* Choice "by IP"
  Replaces permissions by IP.
* Choice "by Any"
  Replaces all permissions by Any.
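The following added example (not SCM Server code) applies each Replace Service choice to a constructed four-permission policy and then probes which concrete flows the broadened rules admit that the original policy did not. The service table, the permissions and the probe flows are constructed; the protocol-level replacement names (TCP, UDP, IP, Any) follow the choices listed above.

```python
"""Service broadening ("Replace Service") worked example; not SCM Server code."""
from typing import Dict, List, Tuple

# Constructed service definitions: name -> (protocol, destination port / ICMP type).
SERVICES: Dict[str, Tuple[str, int]] = {
    "HTTP": ("tcp", 80),
    "FTP": ("tcp", 21),
    "DNS": ("udp", 53),
    "NTP": ("udp", 123),
    "ICMP-echo": ("icmp", 8),
}

Permission = Tuple[str, str, str]   # (source, destination, service name)

# Constructed policy on one interface.
POLICY: List[Permission] = [
    ("10.10.1.1", "192.0.2.10", "HTTP"),
    ("10.10.1.1", "192.0.2.10", "FTP"),
    ("10.10.1.1", "192.0.2.53", "DNS"),
    ("10.10.1.1", "192.0.2.53", "ICMP-echo"),
]


def replace_service(perm: Permission, mode: str) -> List[Permission]:
    """Permissions that replace `perm` under one Replace Service choice."""
    src, dst, svc = perm
    proto = SERVICES[svc][0]
    if mode == "No":
        return [perm]
    if mode == "by TCP":
        return [(src, dst, "TCP")] if proto == "tcp" else [perm]
    if mode == "by UDP":
        return [(src, dst, "UDP")] if proto == "udp" else [perm]
    if mode == "by TCP and UDP":
        # a TCP-based or UDP-based permission becomes permit TCP + permit UDP
        return [(src, dst, "TCP"), (src, dst, "UDP")] if proto in ("tcp", "udp") else [perm]
    if mode == "by IP":
        return [(src, dst, "IP")]
    if mode == "by Any":
        return [(src, dst, "Any")]
    raise ValueError(f"unknown Replace Service choice {mode!r}")


def broaden_policy(policy: List[Permission], mode: str) -> List[Permission]:
    """Whole policy after replacement, duplicates removed, order kept."""
    seen, out = set(), []
    for perm in policy:
        for repl in replace_service(perm, mode):
            if repl not in seen:
                seen.add(repl)
                out.append(repl)
    return out


def admits(rules: List[Permission], src: str, dst: str, proto: str, port: int) -> bool:
    """Does any rule match this concrete flow?"""
    for rsrc, rdst, svc in rules:
        if (rsrc, rdst) != (src, dst):
            continue
        if svc in ("Any", "IP"):
            return True
        if svc in ("TCP", "UDP"):
            if svc.lower() == proto:
                return True
        elif SERVICES[svc] == (proto, port):
            return True
    return False


def newly_exposed(policy: List[Permission], mode: str, probes):
    """Probe flows admitted after broadening but not by the original policy."""
    before, after = broaden_policy(policy, "No"), broaden_policy(policy, mode)
    return [p for p in probes if admits(after, *p) and not admits(before, *p)]


# Constructed probe flows a reviewer would want to know about.
PROBES = [
    ("10.10.1.1", "192.0.2.10", "tcp", 22),     # SSH to the web host
    ("10.10.1.1", "192.0.2.10", "udp", 161),    # SNMP to the web host
    ("10.10.1.1", "192.0.2.53", "tcp", 3389),   # RDP to the DNS host
    ("10.10.1.1", "192.0.2.99", "tcp", 80),     # host the policy never mentions
]

if __name__ == "__main__":
    for mode in ("No", "by TCP", "by UDP", "by TCP and UDP", "by IP", "by Any"):
        rules = broaden_policy(POLICY, mode)
        print(f"{mode:16} rules={len(rules)} newly exposed={newly_exposed(POLICY, mode, PROBES)}")
```

The rule count drops as the choices get broader, which is the optimization the view is after; the "newly exposed" column is what the warning in the option text refers to, and the last probe shows that broadening never adds hosts, only services between the hosts already in the policy.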
12.5.2. IP Addresses

Use this view to set the interface's IP addresses.

Static IP Addresses

Use this section to configure the interface's static IP addresses.

Option / Description

Interface IP Addresses
Specifies the static IP address of the interface.

Dynamic Addresses Pool

Use this section to configure the interface's dynamic IP addresses.

Option / Description

Dynamic Addresses Pool
Specifies the pool of IP addresses from which the interface will get its IP address.

IP Addresses

Use this view to configure the interface's IP addresses.

Option / Description

Use Dynamic Addresses
Specifies whether this interface will have static or dynamic IP addresses.

Dynamic Addresses from
Indicates the range from which the PEP can pick an IP address to assign to the interface.
* Choice "Network"
  The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.
* Choice "Any"
  The PEP can assign any IP address to the interface.
* Choice "User defined pool"
  The PEP can assign any address from the pool that you define in the Interface View.

DHCP Server
Indicates the range from which the PEP can pick an IP address to assign to the interface.
* Choice "Network"
  The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.
* Choice "Any"
  The PEP can assign any IP address to the interface.
* Choice "User defined pool"
  The PEP can assign any address from the pool that you define in the Interface View.

Resolve IP Address Using
When you use dynamic interface addresses, this option indicates how SCM Server will resolve the interface's address when it is uploading the PEP's configuration.
* Choice "PEP FQDN"
  To resolve the address, SCM Server will contact the DNS server that you specified in the FQDN field of the "PEP Properties > General" Options View.
* Choice "Interface Specific FQDN"
  To resolve the address, SCM Server will contact the DNS server that you specify in the "Specify Interface FQDN" option below.
* Choice "Prompt IP Address"
  SCM Server will prompt the user for the interface's IP address at the moment of upload.

Interface FQDN
Enter the fully qualified domain name of the DNS server that SCM Server will contact to resolve this interface's IP address.
12.6. VPN Options

Use this view to configure the main cryptographic characteristics of a VPN tunnel.

Option / Description

NULL Encryption Enabled
Indicates if the NULL algorithm is enabled.

DES Encryption Enabled
Indicates if this algorithm is enabled.

3DES Encryption Enabled
Indicates if this algorithm is enabled.

CAST Encryption Enabled
Indicates if this algorithm is enabled.

AES-128 Encryption Enabled
Indicates if this algorithm is enabled.

AES-256 Encryption Enabled
Indicates if this algorithm is enabled.

12.6.1. IKE Capabilities

Use this view to consult a VPN's IKE capabilities.

Option / Description

Maximum Proposals Allowed
Indicates the maximum number of IKE proposals before the device considers the key exchange failed.

Minimum Lifetime (seconds)
Indicates the minimum lifetime of the exchanged keys.

Maximum Lifetime (seconds)
Indicates the maximum lifetime of the exchanged keys.

Pre-Shared Key Method Enabled
Indicates that the pre-shared key method is enabled when the device performs key exchange.

RSA Sig Key Method Enabled
Indicates that the RSA-Signature method is enabled when the device performs key exchange.

SHA-1 Hash Enabled
Indicates that the SHA-1 algorithm is enabled when the device performs key exchange.

MD5 Hash Enabled
Indicates that the MD5 algorithm is enabled when the device performs key exchange.

DH Group 1 Enabled
Indicates that the Diffie-Hellman group 1 is enabled when the device performs key exchange.

DH Group 2 Enabled
Indicates that the Diffie-Hellman group 2 is enabled when the device performs key exchange.

DH Group 5 Enabled
Indicates that the Diffie-Hellman group 5 is enabled when the device performs key exchange.
12.6.2. IPSec Capabilities

Use this view to consult a VPN's IPSec capabilities.

Option / Description

Maximum Proposals Allowed
Indicates the maximum number of IPSec proposals before the device considers the authentication failed.

Minimum Lifetime (seconds)
Indicates the minimum lifetime of the IPSec session.

Maximum Lifetime (seconds)
Indicates the maximum lifetime of the IPSec session.

HMAC-SHA-1 Authentication Enabled
Indicates that the HMAC-SHA-1 algorithm is enabled when the device performs IPSec authentication.

HMAC-MD5 Authentication Enabled
Indicates that the HMAC-MD5 algorithm is enabled when the device performs IPSec authentication.

AH Protocol Enabled
Indicates that the AH protocol is enabled when the device performs IPSec authentication.

ESP Protocol Enabled
Indicates that the ESP protocol is enabled when the device performs IPSec authentication.

Deflate Compression Enabled
Indicates that the Deflate compression algorithm is enabled when the device performs IPSec authentication.
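The "... Enabled" flags, the lifetime bounds and "Maximum Proposals Allowed" in the IKE Capabilities and IPSec Capabilities views above describe the envelope within which a peer's proposals can be accepted. The following is an added example, not SCM Server or Check Point code, that models that envelope for both views with one proposal-selection routine: a peer's proposals are examined in order and the exchange is treated as failed once the maximum number has been tried without a match. The capability sets, the peer proposals and the list of algorithms it reports as weak are all constructed for the example.

```python
"""Proposal selection against IKE / IPSec capability flags; added example."""
from typing import Dict, List, Set, Tuple

Proposal = Dict[str, object]

# Constructed IKE capabilities, one entry per "... Enabled" option of 12.6.1.
IKE_CAPS: Dict[str, Set[str]] = {
    "encryption": {"3DES", "AES-128", "AES-256"},   # NULL, DES and CAST disabled
    "hash": {"SHA-1"},                               # MD5 disabled
    "dh_group": {"2", "5"},                          # group 1 disabled
}
IKE_LIFETIME = (120, 86400)      # Minimum / Maximum Lifetime (seconds)
IKE_MAX_PROPOSALS = 3            # Maximum Proposals Allowed

# Constructed IPSec capabilities matching the options of 12.6.2.
IPSEC_CAPS: Dict[str, Set[str]] = {
    "protocol": {"ESP"},                 # AH disabled
    "auth": {"HMAC-SHA-1"},              # HMAC-MD5 disabled
    "compression": {"none", "Deflate"},
}
IPSEC_LIFETIME = (300, 28800)
IPSEC_MAX_PROPOSALS = 2

# Choices this example flags as weak even where a device still enables them.
WEAK: Set[Tuple[str, str]] = {("encryption", "NULL"), ("encryption", "DES"),
                              ("hash", "MD5"), ("auth", "HMAC-MD5"), ("dh_group", "1")}


def acceptable(caps: Dict[str, Set[str]], lifetime: Tuple[int, int], proposal: Proposal) -> bool:
    """Every negotiated attribute must be enabled and the lifetime in range."""
    lo, hi = lifetime
    if not lo <= int(proposal["lifetime"]) <= hi:
        return False
    return all(proposal.get(attr) in enabled for attr, enabled in caps.items())


def negotiate(caps, lifetime, max_proposals: int, proposals: List[Proposal]):
    """Index and content of the first acceptable proposal, or (None, None)
    once `max_proposals` have been examined without success."""
    for i, prop in enumerate(proposals[:max_proposals]):
        if acceptable(caps, lifetime, prop):
            return i, prop
    return None, None


def weak_choices(proposal: Proposal) -> List[str]:
    """Attributes of a proposal that fall in this example's weak list."""
    return sorted(f"{attr}={val}" for attr, val in proposal.items()
                  if (attr, str(val)) in WEAK)


# Constructed peer proposals, weakest first (the order a lax peer might send).
PEER_IKE_PROPOSALS: List[Proposal] = [
    {"encryption": "DES", "hash": "MD5", "dh_group": "1", "lifetime": 28800},
    {"encryption": "3DES", "hash": "SHA-1", "dh_group": "1", "lifetime": 28800},
    {"encryption": "AES-256", "hash": "SHA-1", "dh_group": "5", "lifetime": 28800},
    {"encryption": "AES-128", "hash": "SHA-1", "dh_group": "2", "lifetime": 3600},
]
PEER_IPSEC_PROPOSALS: List[Proposal] = [
    {"protocol": "AH", "auth": "HMAC-SHA-1", "compression": "none", "lifetime": 3600},
    {"protocol": "ESP", "auth": "HMAC-MD5", "compression": "none", "lifetime": 3600},
    {"protocol": "ESP", "auth": "HMAC-SHA-1", "compression": "Deflate", "lifetime": 3600},
]

if __name__ == "__main__":
    idx, chosen = negotiate(IKE_CAPS, IKE_LIFETIME, IKE_MAX_PROPOSALS, PEER_IKE_PROPOSALS)
    print("IKE:", "failed" if chosen is None else f"proposal #{idx} {chosen}")
    for i, p in enumerate(PEER_IKE_PROPOSALS):
        print(f"  proposal #{i} weak choices: {weak_choices(p) or 'none'}")
    idx, chosen = negotiate(IPSEC_CAPS, IPSEC_LIFETIME, IPSEC_MAX_PROPOSALS, PEER_IPSEC_PROPOSALS)
    print("IPSec:", "failed" if chosen is None else f"proposal #{idx} {chosen}")
```

With these values the IKE exchange succeeds on the third proposal, but the IPSec exchange fails because only two proposals may be examined and the acceptable one is third: a low "Maximum Proposals Allowed" protects against a peer that offers long lists of weak choices, at the price of failing against a peer whose acceptable proposal sits further down its list.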
12.6.3. Remote Access VPN

Use this view to configure the PEP's Remote Access VPN options.

Option / Description

User Group Global Pool
The PEP will use the address pool in this field to assign addresses to users who connect from a remote location. Enter this address pool as a netmask, for example 10.1.1.0/24.

User Group Global Pool Lease Time (minutes)
Enter the time, in seconds, that the Remote Access client will use its assigned IP address. When this time elapses, the client will request a new address from the PEP. The default value 600 equals 10 minutes.

Set Optional Office Mode Parameters
Allows you to set additional options for the user group pool, such as DNS and WINS addresses.

Primary DNS
Enter the address of the primary DNS server for the remote users.

First Backup DNS
Enter the address of the first backup DNS server for the remote users.

Second Backup DNS
Enter the address of the secondary backup DNS server for the remote users.

Primary WINS
Enter the address of the primary WINS server for the remote users.

First Backup WINS
Enter the address of the first backup WINS server for the remote users.

Second Backup WINS
Enter the address of the secondary backup WINS server for the remote users.

Domain Name
Enter the domain name of the remote users. This should match your internal network's domain.

Perform an organized shutdown of tunnels upon gateway restart
Allows the PEP to keep an authentication session open with a remote access VPN client even if the PEP restarts.

Perform anti-spoofing on pool addresses
Indicates that the PEP will perform anti-spoofing on all pool addresses.

Support connectivity enhancement for gateways with multiple external interfaces
Allows the PEP to resolve traffic from one Remote Access client to another. If your PEP has only one external interface, you should disable this option to get better performance. If your PEP has multiple interfaces, you should enable this option to allow different remote users to communicate.
12.7. Upload Configuration

Use this view to configure how SCM Server uploads your work to the device.

Option / Description

SIC Authentication Key
Represents the password that will also be used when defining the module in the module configuration using the cpconfig utility. This is a one-time password that is used to set up or re-establish a trust relationship between the Module and the SmartCenter Server. It is the SAME Activation Key as you entered when configuring the Module.
This key will be enforced on the management server when the trust state of the communication with the module is "Uninitialized" or "Initialized but trust not established".
12.8. Tunnel Peer Options

This view lets you configure one of the tunnel endpoints.

On client-to-gateway tunnels, this view lets you configure the mapped user group's IP address pool.

On GRE tunnels, you can use this view to configure how the PEP sets up the tunnel IP addresses.

Option / Description

Generate Static Routing
* Choice "Yes"
  Indicates that SCM Server will generate the routing for the tunnel. This may conflict with pre-existing routing that you entered on the device.
* Choice "No *"
  Does not generate routing for the tunnel. Use this option if you have pre-existing routing on the device.
* Choice "Comment"
  SCM Server generates the routing in the .app file, but the rules are commented out. Use this option if you want to verify the rules before uploading them.

Auto Generate Tunnel IP Address
Indicates if SCM Server will automatically choose an IP address for the tunnel interfaces.
You can choose the range SCM Server will use for these addresses in the Properties for the Current Policy > GRE Parameters for Automation > Tunnel interfaces IP address ranges view.

IP Address
Lets you manually enter an IP address for the tunnel.

Netmask
For information: this is the netmask SCM Server uses to construct the networks for the interfaces on GRE tunnels.

Support NAT-Traversal
Lets the VPN client connect to the server PEP via UDP through a firewall or router using NAT.

NAT-Traversal Service
Defines the service to use if you allow the use of IPSec over UDP.

Tunnel
Lets you choose to use split-tunneling.
* Choice "Only Trust Zone *"
  If you choose this option, the remote user will not go through the tunnel when he/she accesses an address outside the tunnel's trust zone. You can define this trust zone; see the documentation on the Zone Editor in the Security Change Manager Designer User Guide for more information.
* Choice "Everything"
  Choose this option to force all traffic through the tunnel. For example, the remote users will have to go through the tunnel to surf the internet.
* Choice "Everything except local addresses"
  Choose this option to allow addresses on the remote user's local network to pass outside the tunnel. For example, this option lets the remote user access his or her local printer without passing through the VPN.
12.8.1. Interface

Use this view to select the interfaces to which the tunnel can connect.

Option / Description

Interface
Use this view to select the interfaces to which the tunnel can connect.
12.9. Authentication User Definition

Use this view to manage the list of PEPs that will authenticate users of this permission. Add an item to the tree list to see the configurable views.

Option / Description

Type
* Choice "Client Auth *"
  Indicates that the PEP will authenticate each user with a specific IP address who attempts to make this connection. If two users connect from the same IP address, the PEP will only authenticate once.
* Choice "Session Auth"
  Indicates that the PEP will authenticate each service over which a user attempts to make this connection. The PEP intercepts each connection and activates a session authentication agent to get the user's password. The agent may run on the source, the destination, or another host.
* Choice "User Auth"
  Works for FTP, HTTP, RLOGIN and TELNET. This option indicates that the PEP will authenticate each user who attempts to make this connection, regardless of the user's IP address. The authentication method is built in to these protocols.

HTTP Servers
If you choose User Auth, you can restrict users to a set of HTTP servers.
* Choice "All *"
  Indicates that the PEP will not restrict user access to any HTTP servers.
* Choice "Predefined"
  Indicates that the PEP will restrict user access to those servers that you defined in the Check Point(TM) FireWall-1(R) Management Server properties > General options > Security server > HTTP servers view.

Contact Agent At
Indicates where the authentication agent is located. The authentication agent is usually a piece of software that checks the user's login and password. The agent may reside either on the user's machine, or at a remote location. This option tells the PEP where to contact the authentication agent when validating a user's attempt to connect.
* Choice "Src *"
  The PEP will contact the authentication agent at the permission's source.
* Choice "Dst"
  The PEP will contact the authentication agent at the permission's destination.
* Choice "Host"
  This option lets you choose a different PEP, which the authenticating PEP will contact when validating a user's connection.
This option applies to Session Authentication only.
See the Check Point(TM) FireWall-1(R) documentation on "Session Authentication" for more information.

PEP
Lets you choose the PEP on which the authentication agent is running.
This option applies to Session Authentication only.

Query User Identity from UserAuthority
Indicates that the PEP will contact UserAuthority to authenticate the user. To use this feature, you must have configured UserAuthority in your Check Point(TM) product.
See the Check Point(TM) documentation on UserAuthority for more information.
This option applies to Session Authentication only.

Apply Rule Only if Desktop Configuration Options are Verified
The PEP will verify that the SmartDashboard desktop is properly configured before applying the rule.
For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.

Required Sign On
Applies to Client Authentication only.
* Choice "Standard *"
  When the user signs on, the PEP permits all services to all destination hosts.
* Choice "Specific"
  The PEP forces the user to specify each service and destination host to which he or she wants to connect.

Sign On Method
* Choice "Manual *"
  The PEP will require the user to initiate the Client Authentication session over TELNET on port 259 or over HTTP on port 900.
* Choice "Partially automatic"
  The PEP will require the user to initiate the Client Authentication session as above, unless the user requests an RLOGIN, TELNET, HTTP or FTP service.
* Choice "Fully automatic"
  If the user connects over RLOGIN, TELNET, HTTP or FTP, the PEP will sign on the user through User Authentication. For other services, the PEP will sign on the user through Session Authentication.
* Choice "Agent automatic sign-on"
  If the Session Authentication Agent is installed on the client, the PEP will sign on the user through the Session Authentication Agent.
* Choice "Single sign-on"
  The PEP will verify the user name with the UAM server, before deciding whether to allow the connection to continue.

Successful Authentication Tracking
* Choice "None *"
  The PEP will not track the sign-on session.
* Choice "Log"
  The PEP creates a log of the authentication session.
* Choice "Alert"
  The PEP will launch the Authentication Alert command that you specify in the Check Point(TM) FireWall-1(R) SmartCenter Global Properties window.

Authorization Timeout
Indicates the amount of time that a user's connection will be available after he/she performs client authentication.
* Choice "Indefinite *"
  The user's connection will be available until he/she explicitly signs off, or the administrator resets the firewall.
* Choice "Specific"
  Lets you enter a specific timeout.

Hours
Lets you enter the number of hours that a client-authenticated connection will be available.

Minutes
Lets you enter the number of minutes that a client-authenticated connection will be available.

Refreshable Timeout
Indicates if the timeout countdown restarts upon each new connection.
For example, if connection #1 has already been up for 1 hour, and the user makes connection #2, the timeout will restart counting at zero.

Number of Sessions Allowed
Indicates the number of connections the user can make in a single client authentication session.

Number of Sessions
Lets you enter the number of sessions.
12.9.1. flowListIn

Option / Description

mugpep1_flow
mugpep2_flow

12.9.2. flowListOut

Option / Description

pepmug1_flow
pepmug2_flow

12.9.3. flowListExternal

Option / Description

sessionAuth_flow
Chapter 13. Check Point FireWall-1 Cluster Properties Windows

13.1. Description ... 113
13.2. General Options ... 113
  13.2.1. Security Profile ... 115
    Common Security Parameters ... 116
    Replace Address ... 119
    Replace Service ... 120
  13.2.2. Authentication ... 121
    Enabled Authentication Schemes ... 121
    Authentication Settings ... 122
    HTTP Security Server ... 123
13.3. Cluster Options ... 123
  13.3.1. Availability Parameters ... 123
  13.3.2. Synchronization ... 126
    Synchronization Networks ... 126
13.4. Policy Learning Mode ... 126
13.5. Common Interface Options ... 127
13.6. Interface Options ... 128
  13.6.1. Security Profile ... 130
    Common Security Parameters ... 130
    Replace Address ... 131
    Replace Service ... 132
  13.6.2. IP Addresses ... 133
    Static IP Addresses ... 133
    Dynamic Addresses Pool ... 133
    IP Addresses ... 134
13.7. VPN Options ... 135
  13.7.1. IKE Capabilities ... 135
  13.7.2. IPSec Capabilities ... 136
  13.7.3. Remote Access VPN ... 136
13.8. Tunnel Peer Options ... 137
  13.8.1. Interface ... 139
13.9. Authentication User Definition ... 139
  13.9.1. flowListIn ... 142
  13.9.2. flowListOut ... 142
  13.9.3. flowListExternal ... 142
13.1. Description

Option / Description

Note
Allows you to enter a description of the current PEP.

13.2. General Options

Use this view to examine and modify general PEP options.

Option / Description

Managed
Indicates that no filters will be produced for this Cluster.
The Cluster icon will be displayed with a red slash to identify it as unmanaged.

Apply Flow To/From PEP on Relevant Interfaces Only
Enables you to choose how the PEPs in the Cluster apply flows to their various interfaces.
* Choice "Yes *"
  Limits an authorized flow, having the PEP as its destination, so that incoming packets through an interface cannot reach any other interface.
* Choice "No"
  Enables an authorized flow, having the PEP as its destination, to reach all interfaces of the PEP.
This setting is a general default which can be overridden for a specific instance using the Permission Properties window: Global Properties View.

Has IPSec Module
* Choice "Yes"
  Indicates that the device supports the IPSec module for VPNs.
* Choice "No"
  Indicates that the device does not support IPSec.

Enforce Time Filtering
Specifies whether the PEPs in the Cluster are to perform time filtering. This option is only available on PEPs that are capable of performing time filtering. For further information on Time Filtering, see the SCM User Guide.

Generate NAT Rules
* Choice "Yes *"
  NAT rules are generated by the compiler and included in the filters. A warning message is displayed if any of the PEPs in the cluster cannot implement the rules.
* Choice "Comment"
  NAT rules are written to the filters file as comments and ignored by the upload module.
* Choice "No"
  NAT rules are not generated.
At upload time, when the No or Comment option is selected, the rule modifications are uploaded to the devices without changing the existing NAT rules (if these exist). This is important because NAT rules are changed much less often than other filtering rules, and rewriting them interrupts communication. However, the compiler will take the NAT rules into account to generate the filters for the PEPs beyond the NAT application point.

Check Point Suite Type
Indicates which Check Point(TM) product you use. This should match the version you installed.

VSX Type
Lets you choose the type of VSX device.
* Choice "Cluster *"
  The VSX device will be a VSX cluster.
* Choice "Virtual System"
  The VSX device will be a virtual system.
13.2.1. Security Profile

Use this view to select the PEP's level of security. By default, the PEP's profile is set to maximum security.

Option / Description

Security Level
Lets you choose the default level of security that SCM Server will generate for this PEP.
You can choose to generate faster configurations on certain PEPs at the expense of reduced security.
* Choice "Custom Filtering *"
  Lets you choose a custom level of filtering by setting options in the Replace Address or Replace Service views.
* Choice "Deny few, Permit all"
  Same as "Custom Filtering" but with the default policy set to "Permit".
* Choice "Full Filtering"
  This level configures the PEP parameters to offer maximum security. The parameters contained in the Common Security Parameters view will be set in order to ensure maximum security and locked to prevent changes. This option also:
  - prevents you from choosing the Broad Filtering option (see the Replace Address and Replace Service nodes)
* Choice "PEP Access Security Only"
  Disables filtering on this PEP, except for the rules that protect the PEP itself. Therefore, the PEP will allow all traffic to pass through it, but it will not allow unauthorized access to itself.
* Choice "No Filtering"
  Disables filtering, and reduces security on this PEP to zero.

Broad Filtering
Lets you choose to enable faster configurations at the expense of reduced security.
You must set Security Level to "Custom Filtering" to use this option.
* Choice "Disabled *"
  Indicates that filtering is not broadened, and security is at its highest level.
* Choice "By Address"
  Reveals the Replace Address view, which lets you configure broad filtering by address.
* Choice "By Service"
  Reveals the Replace Service view, which lets you configure broad filtering by service.
Common Security Parameters
Use this view to configure common security parameters for the PEP.
Option Description
Suppress Filtering on TCP Direction
Sets up the flow rules for traffic returning appropriately with the "ack" (acknowledged) bit set.
* Choice "Yes *"
Only the packets belonging to an established connection will be permitted to flow back through the PEP.
* Choice "No"
The filtering rules will not verify the ack bit status. These filters will be more compact but more permissive for the return traffic, which may lead to degraded security.
Attention: This option should be modified by an expert user only.
Suppress Filtering on ICMP Message Type
* Choice "Yes *"
Indicates that the PEP will do filtering by ICMP message type.
* Choice "No"
Indicates that the PEP will not do filtering by ICMP message type.
'Securing PEP' rules
* Choice "Yes *"
Denies access to the PEP's interface addresses, except for the default administration flows, thereby securing the PEP.
* Choice "No"
Permits access to the PEP's interface addresses.
Suppress 'Internet Restriction'
Indicates if SCM Server will add extra deny filters when the Internet object is defined as "Any". This option is activated by selecting "No" for the Expand Internet option on the PEP window: General Options View.
* Choice "Yes *"
Any permission you draw to/from Internet causes the compiler to implicitly generate all necessary denies to prevent permissions to/from all other internal addresses.
* Choice "No"
Any permission you draw to/from Internet will also implicitly allow permissions to/from all other internal addresses, which may lead to lower security.
Attention: This option should be modified by an expert user only.
Expand Internet
This option is an optimization that controls how SCM Server defines the Internet object. This option can create very finely-tuned filters, but at the price of increased size.
* Choice "Yes"
SCM Server will use a more precise, "expanded" definition of Internet. It defines the Internet as "all addresses outside the internal networks". This creates very fine, but slower, filters.
* Choice "No *"
SCM Server will define Internet as "Any". The generated filters are thus faster, but less secure.
Default Rule
Lets you change the default rule on this device. By default SCM Server will write a "deny all" rule at the end of a device's configuration. With this option, you have the possibility to change this behavior: SCM Server will not write a default "deny all" rule, and, on this device, all access that is not explicitly denied will be allowed.
* Choice "Policy Default *"
Uses the value defined in the Tools > Properties for the Current Policy window.
* Choice "Deny"
Keeps the standard behavior. Every access that is not defined is not allowed on this device.
* Choice "Allow"
Lets you easily define policies where the goal is to prohibit a set of given protocols in the network.
If you choose the "Allow" option, make sure that you explicitly deny every access point that you want to close, or make sure that you have another device in series that denies everything by default.
Generate Anti-Spoofing
Lets you choose if the PEP or SCM Server should generate anti-spoofing rules.
* Choice "Yes *"
The PEP will generate anti-spoofing rules.
* Choice "No"
The PEP will not generate anti-spoofing rules.
* Choice "Unmanaged"
Takes the computed anti-spoofing into account, but does not generate the related configuration, so that the anti-spoofing defined on the SmartCenter will not be changed by the upload.
Spoof Tracking
Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated and how information about spoofed connections should be logged.
* Choice "None *"
* Choice "Log"
* Choice "Alert"
* Choice "Disabled"
Disables the anti-spoofing option.
Enable Extended Cluster Anti-Spoofing
When a cluster member communicates with another cluster member, the packets may pass from the source member's external interface, through the external (virtual) cluster interface, to the external interface of the destination cluster member.
This could allow an address spoofing attack.
Extended cluster anti-spoofing prevents this attack by allowing the cluster member to accept packets that actually originate on a cluster member, and rejecting spoofed packets that originate in the Internet.
The cluster member does this by giving packets that it sends to another member a TTL (Time to Live) of 255 (the highest possible value).
* Choice "Yes *"
Enables extended cluster anti-spoofing.
* Choice "No"
Disables extended cluster anti-spoofing.
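The two settings in this table that change what a packet filter actually lets through are "Suppress Filtering on TCP Direction" and the anti-spoofing options (including the extended cluster variant). The Python below is an added example, not code from this manual or from SCM Server: it models both checks on a constructed topology (interface names, networks, cluster member addresses and packets are all made up for the demo), and its rule format is a simplification of what SCM Server generates.

```python
"""Added example, not part of the LogLogic manual or SCM Server: a packet-level
model of "Suppress Filtering on TCP Direction" and of anti-spoofing (plain and
extended cluster), showing what each setting admits.  Every address, interface
name and packet below is constructed for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag: set on every segment of an established connection
    ttl: int = 64


# -- Suppress Filtering on TCP Direction --------------------------------------
# A permission "10.10.1.0/24 -> Internet, tcp/80" also needs a rule for the replies.
def return_rule(client_net: str, dport: int, check_ack: bool) -> dict:
    """Reply rule for a client permission.  "Yes" (the default) keeps the ACK
    test, so only segments of an established connection match; "No" drops it."""
    return {"src": "0.0.0.0/0", "dst": client_net, "proto": "tcp",
            "sport": dport, "require_ack": check_ack}


def return_rule_matches(rule: dict, pkt: Packet) -> bool:
    """True if the reply rule admits the packet."""
    if pkt.proto != rule["proto"] or pkt.sport != rule["sport"]:
        return False
    if ip_address(pkt.src) not in ip_network(rule["src"]):
        return False
    if ip_address(pkt.dst) not in ip_network(rule["dst"]):
        return False
    # Without the ACK test a bare SYN with source port 80 matches too.
    return pkt.ack or not rule["require_ack"]


# -- Generate Anti-Spoofing / Enable Extended Cluster Anti-Spoofing ------------
# Which source networks are legitimate on each interface.  "external" means
# "any address that is not one of the internal networks" (constructed topology).
TOPOLOGY: Dict[str, List[str]] = {"eth0": ["10.10.0.0/16"], "eth1": ["external"]}
INTERNAL = [ip_network(n) for nets in TOPOLOGY.values() for n in nets if n != "external"]
CLUSTER_MEMBERS = {ip_address("203.0.113.11"), ip_address("203.0.113.12")}  # constructed


def antispoof_verdict(pkt: Packet, extended_cluster: bool) -> str:
    """Return "accept" or "drop-spoofed" for a packet arriving on pkt.iface."""
    src = ip_address(pkt.src)
    if "external" not in TOPOLOGY[pkt.iface]:
        # Internal interface: the source must belong to a network behind it.
        ok = any(src in ip_network(n) for n in TOPOLOGY[pkt.iface])
        return "accept" if ok else "drop-spoofed"
    if src in CLUSTER_MEMBERS:
        # A member sends to its peers with TTL 255; a packet forged on the
        # Internet has crossed at least one router, so its TTL is lower.
        if extended_cluster and pkt.ttl != 255:
            return "drop-spoofed"
        return "accept"
    # External interface: an internal address arriving from outside is spoofed.
    return "drop-spoofed" if any(src in n for n in INTERNAL) else "accept"


if __name__ == "__main__":
    syn = Packet("eth1", "198.51.100.7", "10.10.1.5", "tcp", 80, 4444)
    for check_ack in (True, False):
        rule = return_rule("10.10.1.0/24", 80, check_ack)
        print("ack check", check_ack, "-> inbound SYN admitted:", return_rule_matches(rule, syn))
    peer = Packet("eth1", "203.0.113.12", "203.0.113.11", "udp", 5000, 5000, ttl=57)
    print("forged peer packet, extended:", antispoof_verdict(peer, True))
```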
Replace Address
Use this view to set a limit on the optimizations SCM Server makes on addresses.
SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "On Address" in the Security Profile view, you can use the current view to put constraints on this optimization.
Option Description
Replace Source
This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.
Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
* Choice "by Netmaskable Network"
Indicates that SCM Server will attempt to replace the source IP addresses of the permissions managed by this PEP such that the IP addresses can be represented by a netmask. You can enter this netmask in the Source Network Netmask field, below.
* Choice "by Any"
Indicates that SCM Server will replace the source IP addresses of the permissions that this PEP manages by Any.
In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.
Source Network Netmask
Allows you to enter the netmask to apply to source permissions.
Restrict Source Replacement to Topology
When used with the above option, this option will restrict the enlargement to the address of the network from which each permission originates, in your policy map.
Replace Destination
This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.
Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
* Choice "by Netmaskable Network"
Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this PEP such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.
* Choice "by Any"
Indicates that SCM Server will replace the destination IP addresses of the permissions that this PEP manages by Any.
In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.
Destination Network Netmask
Allows you to enter the netmask to apply to destination permissions.
Restrict Destination Replacement to Topology
When used with the "Enlarge Destination to Netmaskable Address" option, this option will restrict the enlargement to the address of the network where each permission terminates, in your policy map.
Replace Service
Use this view to set a limit on the optimizations SCM Server makes on services.
SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "On Service" in the Security Profile view, you can use the current view to put constraints on this optimization.
Option Description
Replace Service
This is an optimization that enlarges the service of a permission. For example, an http and an ftp permission may be enlarged to tcp. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.
* Choice "No *"
Will not enlarge services. This option maintains the highest level of security.
* Choice "by TCP"
Replaces TCP permissions by TCP.
* Choice "by UDP"
Replaces UDP permissions by UDP.
* Choice "by TCP and UDP"
Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions.
A TCP-based permission will be replaced by two permissions: a permit TCP and a permit UDP. A UDP-based permission will also be replaced by two permissions: a permit TCP and a permit UDP.
* Choice "by IP"
Replaces permissions by IP.
* Choice "by Any"
Replaces all permissions by Any.
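The Replace Address and Replace Service views (here and again per interface in 13.6.1), together with the "Expand Internet" setting above, trade rule count for the size of the address or service space a rule admits. The Python below is an added example, not the manual's or SCM Server's code: it models the three optimizations on constructed permissions so the trade-off can be measured; the permission format, service table, netmasks and the rule tuple are assumptions made for the demo.

```python
"""Added example, not part of the LogLogic manual or SCM Server: a model of the
Replace Address / Replace Service broadening and of the "Expand Internet"
definition of the Internet object.  Permissions, networks, netmasks and the
rule format are all constructed for the demo."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Service names as drawn on the policy map -> (protocol, destination port).
SERVICES = {"http": ("tcp", 80), "ftp": ("tcp", 21), "dns": ("udp", 53)}
Rule = Tuple[str, str, str, Optional[int]]  # (src network, dst host, proto, port or None = any)


@dataclass(frozen=True)
class Permission:
    src: str              # source host as drawn on the map
    dst: str              # destination host
    service: str          # key of SERVICES
    logged: bool = False  # logging/time/authorization actions switch the optimization off


def replace_by_netmask(addr: str, netmask: str, topology_net: Optional[str] = None) -> IPv4Network:
    """'by Netmaskable Network': widen addr to the network given by netmask.
    'Restrict ... Replacement to Topology' clips the result to the network the
    permission originates from (or terminates in) on the policy map."""
    widened = ip_network(f"{addr}/{netmask}", strict=False)
    if topology_net is not None:
        topo = ip_network(topology_net)
        if ip_address(addr) in topo and topo.prefixlen > widened.prefixlen:
            return topo  # never widen past the mapped network
    return widened


def replace_service(name: str, mode: str) -> List[Tuple[str, Optional[int]]]:
    """Replace Service choices: "No", "by TCP", "by UDP", "by TCP and UDP",
    "by IP", "by Any".  Returns the (proto, port) pairs the permission becomes."""
    proto, port = SERVICES[name]
    if mode == "by TCP" and proto == "tcp":
        return [("tcp", None)]
    if mode == "by UDP" and proto == "udp":
        return [("udp", None)]
    if mode == "by TCP and UDP":
        return [("tcp", None), ("udp", None)]  # two permissions, as the table states
    if mode == "by IP":
        return [("ip", None)]
    if mode == "by Any":
        return [("any", None)]
    return [(proto, port)]  # "No", or a mode that does not apply to this protocol


def compile_rules(perms: List[Permission], addr_mode: str = "No", netmask: Optional[str] = None,
                  svc_mode: str = "No", topology: Optional[Dict[str, str]] = None) -> List[Rule]:
    """Deduplicated rule set for the chosen Replace Source / Replace Service modes."""
    rules = set()
    for p in perms:
        if p.logged:  # the table's note: such permissions are left untouched
            src_net, services = ip_network(p.src + "/32"), [SERVICES[p.service]]
        elif addr_mode == "by Netmaskable Network":
            src_net = replace_by_netmask(p.src, netmask, topology.get(p.src) if topology else None)
            services = replace_service(p.service, svc_mode)
        elif addr_mode == "by Any":
            src_net, services = ip_network("0.0.0.0/0"), replace_service(p.service, svc_mode)
        else:
            src_net, services = ip_network(p.src + "/32"), replace_service(p.service, svc_mode)
        for proto, port in services:
            rules.add((str(src_net), p.dst, proto, port))
    return sorted(rules, key=str)


def admitted_sources(rules: List[Rule]) -> int:
    """Number of distinct source addresses the rule set admits: the security cost."""
    return sum(n.num_addresses for n in {ip_network(r[0]) for r in rules})


def internet_object(internal: List[str], expand: bool) -> List[IPv4Network]:
    """Expand Internet = "Yes": every address outside the (disjoint) internal
    networks, at the price of many finer objects; "No": the single object Any."""
    nets = [ip_network("0.0.0.0/0")]
    if not expand:
        return nets
    for inner in map(ip_network, internal):
        nets = [piece for n in nets
                for piece in (n.address_exclude(inner) if inner.subnet_of(n) else [n])]
    return sorted(nets)


# Constructed permissions: two internal hosts reaching one server.
PERMS = [Permission("10.10.1.1", "192.0.2.10", "http"),
         Permission("10.10.2.2", "192.0.2.10", "ftp")]

if __name__ == "__main__":
    exact = compile_rules(PERMS)
    broad = compile_rules(PERMS, "by Netmaskable Network", "255.255.0.0", "by TCP")
    print(len(exact), "rules admitting", admitted_sources(exact), "sources")
    print(len(broad), "rule admitting", admitted_sources(broad), "sources")
    print(len(internet_object(["10.10.0.0/16"], True)), "objects for the expanded Internet")
```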
13.2.2. Authentication
This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.
Enabled Authentication Schemes
Use this view to enable the different types of authentication servers with which the PEP may communicate.
Option Description
S/Key
Indicates if the PEP will prompt the user to enter his/her S/Key during authentication (not on NG AI).
VPN-1 and FireWall-1 Password
Indicates if the PEP will prompt the user to enter his/her internal Check Point(TM) FireWall-1(R) password during authentication.
SecurID
Indicates if the PEP will prompt the user to enter the number shown on the SecurID card during authentication.
RADIUS
Indicates if the PEP will prompt the user to answer the RADIUS question during authentication. The question is defined on a RADIUS server.
TACACS
Indicates if the PEP will prompt the user to answer the TACACS question during authentication. The question is defined on a TACACS or TACACS+ server.
OS Password
Indicates if the PEP will prompt the user to enter his/her operating system password during authentication.
For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.
Authentication Settings
Use this view to configure how the PEP behaves during authentication sessions.
Check Point(TM) FireWall-1(R) NG Cluster properties: General options: Authentication: Authentication settings view.
Option Description
User Authentication Session Timeout (min)
Indicates the number of minutes after which the PEP closes the authentication session.
Enable wait mode for Client Authentication
If the user opens an authentication session over telnet on port 259, this option indicates if the PEP will keep the telnet session open during the time the authentication session is open.
If you select this option, the PEP will close the authentication session when the telnet session closes.
If you do not select this option, the PEP will close the telnet session once the user signs on, and the user will have to reopen the telnet session to sign off.
Authentication Failure Track
Indicates how the PEP will react to errors during authentication.
* Choice "None *"
The PEP will not inform the user of errors.
* Choice "Log"
The PEP will log errors.
* Choice "Popup Alert"
The PEP will open a popup window; you can define the popup alert once in the Check Point(TM) FireWall-1(R) software Global properties window, and afterwards reference it from SCM Server.
* Choice "Mail Alert"
The PEP will send an email of the error.
* Choice "SNMP Trap Alert"
The PEP will send an SNMP alert.
* Choice "User defined alert no. n"
The PEP will send a user-defined alert; you can define alerts once using the Check Point(TM) FireWall-1(R) software, and afterwards reference them from SCM Server.
For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.
HTTP Security Server
Use this view to configure how the PEP communicates with its associated HTTP security server.
Option Description
Use Next Proxy
Indicates whether there is an HTTP proxy server behind the Check Point(TM) FireWall-1(R) HTTP Security Server.
HTTP Next Proxy
The host name and port number of the HTTP proxy server.
For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.
13.3. Cluster Options
Use this view to configure the capabilities of a cluster.
Option Description
Cluster XL Enabled
Select the ClusterXL feature if you are not using a 3rd-party application to handle clustering.
13.3.1. Availability Parameters
Use this view to configure the way in which the cluster members will assure availability.
Option Description
Operating Mode
* Choice "High Availability *"
Used as a back-up at all times.
* Choice "Load Sharing"
Expands the performance capability of VPN deployments by distributing traffic between multiple gateways. Up to five gateways may be added to a cluster.
3rd Party Solution
Use this option to select the 3rd-party solution that will perform the clustering.
Support non-sticky connections
Use this option to indicate which mechanism will identify non-sticky connections. Non-sticky connections are those where packets do not pass through the same cluster member on their way in and out of the cluster. You should activate this option when your 3rd-party clustering solution does not support non-sticky connections.
* Choice "No *"
Indicates that the cluster's synchronization mechanism will not recognize non-sticky connections. Use this option if your 3rd-party clustering solution supports non-sticky connections.
* Choice "Yes"
Indicates that the cluster's synchronization mechanism will recognize non-sticky connections. Use this option if your 3rd-party clustering solution does not support non-sticky connections.
Hide Cluster Member's outgoing traffic behind the Cluster's IP Address
Use this option to indicate whether the source IP address of outgoing packets will be the external virtual IP address of the cluster instead of the physical IP address of the cluster member.
Forward Cluster's incoming traffic to Cluster Member's IP Addresses
Use this option to indicate whether the destination IP address of incoming connections to the external virtual address of the cluster will be replaced with the physical external address of one of the cluster members.
High Availability Mode
Indicates the cluster's High Availability mode. See the Check Point documentation about ClusterXL High Availability for a description of the High Availability modes.
Upon Gateway Recovery
Indicates what the cluster will do when its active PEP recovers after a secondary PEP has already taken its place.
* Choice "Maintain Active *"
Indicates that the secondary PEP will remain active, even though the primary PEP has recovered.
* Choice "Switch to Higher Priority"
Indicates that the cluster will give the active role back to the primary PEP.
Load Sharing
Indicates how the cluster will distribute traffic among the cluster members.
* Choice "Multicast Mode"
The cluster will distribute traffic using multicast.
* Choice "Unicast Mode"
The cluster will distribute traffic to each cluster member individually. This mode is useful if some cluster member PEPs don't support multicast.
Base Shared Method
Indicates how the cluster will decide how to share packets among the cluster members.
* Choice "IPs, Ports, SPIs *"
The cluster will distribute packets based on IPs, ports and IPSec SPIs.
* Choice "IPs, Ports"
The cluster will distribute packets based on IPs and ports only. This increases the chance that inbound and outbound connections will use the same cluster member.
* Choice "IPs"
The cluster distributes packets based on IPs only. This yields the highest chance that inbound and outbound connections will use the same cluster member.
See the Check Point(TM) documentation on Advanced Load Sharing Configuration for more information.
Fail Over Tracking
Lets you select how the cluster will track failover events.
* Choice "None"
The cluster will not track failover events.
* Choice "Log *"
The cluster will enter failover events in its SmartView Tracker log.
* Choice "Alert"
The cluster will open a popup window upon failover.
* Choice "Mail"
The cluster will send an email upon failover. You can specify the recipient's address on the Check Point SmartDashboard in the Policy > Global Properties > Log and Alert > Alert Commands view.
* Choice "SNMP Trap"
The cluster will send an SNMP trap upon failover.
* Choice "User Alert"
The cluster will execute a user-defined script upon failover. You can define this script on the Check Point SmartDashboard in the Policy > Global Properties > Log and Alert > Alert Commands view.
* Choice "User Alert 2"
The cluster will execute a user-defined script upon failover.
* Choice "User Alert 3"
The cluster will execute a user-defined script upon failover.
13.3.2. Synchronization
Use this view to manage how the cluster keeps its PEPs synchronized.
Option Description
Use State Synchronization
Indicates if the cluster will use state synchronization. State synchronization coordinates state information about packets travelling through different PEPs in the cluster. You cannot change this option if you have set the Cluster Options > Availability Parameters > Operation Mode to "Load Sharing".
If you have set the Cluster Options > Availability Parameters > Operation Mode to "High Availability", you can choose to turn off state synchronization; in this case connections will be lost upon failover.
Synchronization Networks
Use this view to manage the networks the cluster uses to keep its member PEPs synchronized.
13.4. Policy Learning Mode
Use this view to change the policy of a device and open it sufficiently to guarantee that the flows will pass until complete policy discovery has been made by the security team.
Option Description
Enable Policy Learning Mode
* Choice "Yes"
Indicates that Policy Learning Mode is enabled.
* Choice "No *"
Indicates that Policy Learning Mode is disabled.
Log Level for Allow Rule
* Choice "None *"
Disables logging.
* Choice "Default"
Triggers the logging of any IP packet matching the default policy, to the default log level of the current PEP type.
Note: Some PEPs allow selection of different log levels.
13.5. Common Interface Options
Use this view to manage options that are common to all the PEP's interfaces.
Option Description
Generate ICMP Error Message
* Choice "Yes"
Sets the error option for all interfaces on the PEP. This option triggers the transmission of the error message ICMP unreachable, for any IP packet that is not authorized by the filters. This action is carried out for both incoming and outgoing interface traffic.
* Choice "No *"
The error option is not set.
Log Level for the Default Rule
Sets the log level for the default rule for all interfaces on the PEP. This option will not show packets transiting in violation of a specific denial. To see that information, you must set the Log option on the Permission Properties window: Log view, or on the concerned interface.
* Choice "None *"
Disables logging.
* Choice "Default"
Triggers the logging of any IP packet matching the default policy, to the default log level of the current PEP type.
Note: Some PEPs allow selection of different log levels.
Application Point
* Choice "Incoming *"
The filters will be generated for the packets entering the interface.
* Choice "Outgoing"
The filters will be generated for the packets leaving the interface.
* Choice "Both Directions if Possible"
SCM Server will choose the application point with respect to the PEP capabilities and the PEP options settings.
Allow Forwarding
Indicates if this device will perform forwarding.
Enable this option to allow the device to forward packets.
13.6. Interface Options
Use this view to manage the options for a single interface.
Option Description
Upload Target
* Choice "Yes *"
Specifies that the selected interface will be used for uploading filter files.
* Choice "No"
Specifies that the selected interface is not to be used for uploading filter files.
Interface Type
Indicates if the interface's purpose is to filter or to sniff the packets.
* Choice "Filtering Interface"
The interface only does packet filtering.
* Choice "Sensor"
The interface only does packet sniffing.
* Choice "Sensor + Filtering Interface"
The interface can do both.
Is Loopback Interface
Specifies if this interface is a "loopback" interface.
A loopback is a special type of interface used to represent a virtual range of IP addresses. This may be useful, for example, when your device is connected to the internet through two redundant ISPs. The loopback interface can be used to accept outside connections, which it then routes to one of the real interfaces.
Note: SCM Server will not allow you to connect a loopback interface to any object.
Policy Learning Mode
* Choice "Yes"
Indicates that Policy Learning Mode is enabled on this interface.
* Choice "No *"
Indicates that Policy Learning Mode is disabled on this interface.
Log Level for Deny Rules
* Choice "None *"
Disables logging.
* Choice "Default"
Triggers the logging of any IP packet matching a deny rule, to the default log level of each PEP type.
Managed
* Choice "Yes *"
Specifies that filters will be produced for this interface and the configuration of the interface will be managed by SCM Server.
* Choice "No"
Specifies that no filters will be produced for this interface and the configuration of the interface will not be managed by SCM Server.
Allow Forwarding
Indicates if this interface will perform forwarding.
Enable this option to allow the interface to forward packets.
Application Point
* Choice "Incoming *"
Only incoming filters will be applied.
* Choice "Outgoing"
Only outgoing filters will be applied.
* Choice "Device Default"
Incoming/outgoing filters are applied according to the value specified in the Interfaces: Options View.
* Choice "Both Directions if Possible"
SCM Server will choose the application point according to the PEP capabilities and the PEP options settings.
Interface is external (leads out to the Internet)
Specifies that the interface leads to the Internet. This means that IP addresses behind this interface will not be counted in the license enforcement.
13.6.1. Security Profile
Use this view to select the level of security on this interface. By default, the interface's profile is set to maximum security.
Common Security Parameters
Use this view to configure common security parameters for this interface.
Option Description
Disable Filtering
* Choice "Device Default *"
This option uses the value set in the General Options: Security Profile: Common Security Parameters view.
* Choice "No"
SCM Server will generate filters for this interface.
* Choice "Yes"
SCM Server will generate a permit any any rule on this interface.
By disabling the filtering on one (or several) interface(s), you create a rule that permits all flows, which can reduce the level of security, but improves performance.
Note: This option will not disable the "Securing PEP" and "Anti-Spoofing" filters. To disable those filters as well:
- choose "No" in the "Generate Anti-Spoofing" option
- in the General Options: Security Profile: Common Security Parameters view, enable the option "Suppress Securing PEP".
Generate Anti-Spoofing
Lets you choose if the PEP or SCM Server should generate anti-spoofing rules.
* Choice "Yes *"
The PEP will generate anti-spoofing rules.
* Choice "No"
The PEP will not generate anti-spoofing rules.
* Choice "Unmanaged"
Takes the computed anti-spoofing into account, but does not generate the related configuration, so that the anti-spoofing defined on the SmartCenter will not be changed by the upload.
Spoof Tracking
Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated and how information about spoofed connections should be logged.
* Choice "None *"
* Choice "Log"
* Choice "Alert"
* Choice "Disabled"
Disables the anti-spoofing option.
Replace Address
Use this view to set a limit on the optimizations SCM Server makes on addresses, on a single interface only.
SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "On Address" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.
Option Description
Replace Source
This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.
To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view.
Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
* Choice "by Netmaskable Network"
Indicates that SCM Server will attempt to replace the source IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Source Network Netmask field, below.
* Choice "by Any"
Indicates that SCM Server will replace the source IP addresses of the permissions that this interface manages by Any.
In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.
Source Network Netmask
Allows you to enter the netmask to apply to source permissions.
Restrict Source Replacement to Topology
When used with the above option, this option will restrict the enlargement to the address of the network from which each permission originates, in your policy map.
Replace Destination
This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.
To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view.
Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
* Choice "by Netmaskable Network"
Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.
* Choice "by Any"
Indicates that SCM Server will replace the destination IP addresses of the permissions that this interface manages by Any.
In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.
Destination Network Netmask
Allows you to enter the netmask to apply to destination permissions.
Restrict Destination Replacement to Topology
When used with the "Enlarge Destination to Netmaskable Address" option, this option will restrict the enlargement to the address of the network where each permission terminates, in your policy map.
Replace Service
Use this view to set a limit on the optimizations SCM Server makes on services, on a single interface only.
SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "On Service" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.
Option Description
Replace Service
This is an optimization that enlarges the service of a permission on one interface. For example, an http and an ftp permission may be enlarged to tcp. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.
* Choice "No *"
Will not enlarge services. This option maintains the highest level of security.
* Choice "by TCP"
Replaces TCP permissions by TCP.
* Choice "by UDP"
Replaces UDP permissions by UDP.
* Choice "by TCP and UDP"
Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions.
A TCP-based permission will be replaced by two permissions: a permit TCP and a permit UDP. A UDP-based permission will also be replaced by two permissions: a permit TCP and a permit UDP.
* Choice "by IP"
Replaces permissions by IP.
* Choice "by Any"
Replaces all permissions by Any.
13.6.2. IP Addresses
Use this view to set the interface's IP addresses.
Static IP Addresses
Use this section to configure the interface's static IP addresses.
Option Description
Interface IP Addresses
Specifies the static IP address of the interface.
Dynamic Addresses Pool
Use this section to configure the interface's dynamic IP addresses.
Option Description
Dynamic Addresses Pool
Specifies the pool of IP addresses from which the interface will get its IP address.
IP Addresses
Use this view to configure the interface's IP addresses.
Option Description
Use Dynamic Addresses
Specifies whether this interface will have static or dynamic IP addresses.
Dynamic Addresses from
Indicates the range from which the PEP can pick an IP address to assign to the interface.
* Choice "Network"
The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.
* Choice "Any"
The PEP can assign any IP address to the interface.
* Choice "User defined pool"
The PEP can assign any address from the pool that you define in the Interface View.
DHCP Server
Indicates the range from which the PEP can pick an IP address to assign to the interface.
* Choice "Network"
The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.
* Choice "Any"
The PEP can assign any IP address to the interface.
* Choice "User defined pool"
The PEP can assign any address from the pool that you define in the Interface View.
Resolve IP Address Using
When you use dynamic interface addresses, this option indicates how SCM Server will resolve the interface's address when it is uploading the PEP's configuration.
* Choice "PEP FQDN"
To resolve the address, SCM Server will contact the DNS server that you specified in the FQDN field of the "PEP Properties > General" Options View.
* Choice "Interface Specific FQDN"
To resolve the address, SCM Server will contact the DNS server that you specify in the "Specify Interface FQDN" option below.
* Choice "Prompt IP Address"
SCM Server will prompt the user for the interface's IP address at the moment of upload.
Interface FQDN
Enter the fully qualified domain name of the DNS server that SCM Server will contact to resolve this interface's IP address.
13.7. VPN Options
Use this view to configure the main cryptographic characteristics of a VPN tunnel.
Option Description
NULL Encryption Enabled: Indicates if the NULL algorithm is enabled.
DES Encryption Enabled: Indicates if this algorithm is enabled.
3DES Encryption Enabled: Indicates if this algorithm is enabled.
CAST Encryption Enabled: Indicates if this algorithm is enabled.
AES-128 Encryption Enabled: Indicates if this algorithm is enabled.
AES-256 Encryption Enabled: Indicates if this algorithm is enabled.
13.7.1. IKE Capabilities
Use this view to consult a VPN's IKE capabilities.
Option Description
Maximum Proposals Allowed: Indicates the maximum number of IKE proposals before the device considers the key exchange failed.
Minimum Lifetime (seconds): Indicates the minimum lifetime of the exchanged keys.
Maximum Lifetime (seconds): Indicates the maximum lifetime of the exchanged keys.
Pre-Shared Key Method Enabled: Indicates that the pre-shared key method is enabled when the device performs key exchange.
RSA Sig Key Method Enabled: Indicates that the RSA-Signature method is enabled when the device performs key exchange.
SHA-1 Hash Enabled: Indicates that the SHA-1 algorithm is enabled when the device performs key exchange.
MD5 Hash Enabled: Indicates that the MD5 algorithm is enabled when the device performs key exchange.
DH Group 1 Enabled: Indicates that the Diffie-Hellman group 1 is enabled when the device performs key exchange.
DH Group 2 Enabled: Indicates that the Diffie-Hellman group 2 is enabled when the device performs key exchange.
DH Group 5 Enabled: Indicates that the Diffie-Hellman group 5 is enabled when the device performs key exchange.
13.7.2. IPSec Capabilities
Use this view to consult a VPN's IPSec capabilities.
Option Description
Maximum Proposals Allowed: Indicates the maximum number of IPSec proposals before the device considers the authentication failed.
Minimum Lifetime (seconds): Indicates the minimum lifetime of the IPSec session.
Maximum Lifetime (seconds): Indicates the maximum lifetime of the IPSec session.
HMAC-SHA-1 Authentication Enabled: Indicates that the HMAC-SHA-1 algorithm is enabled when the device performs IPSec authentication.
HMAC-MD5 Authentication Enabled: Indicates that the HMAC-MD5 algorithm is enabled when the device performs IPSec authentication.
AH Protocol Enabled: Indicates that the AH protocol is enabled when the device performs IPSec authentication.
ESP Protocol Enabled: Indicates that the ESP protocol is enabled when the device performs IPSec authentication.
Deflate Compression Enabled: Indicates that the Deflate compression algorithm is enabled when the device performs IPSec authentication.
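The VPN Options, IKE Capabilities and IPSec Capabilities views are normally reviewed together, because a tunnel is only as strong as the weakest proposal the PEP will still accept. The script below is an added example written for this edit; it is not part of the Device Pack or of SCM Server. The dictionary layout and the `audit_vpn` function mirror the option labels of the three views, and the choice of which flags to report (NULL and DES encryption, MD5, DH group 1, HMAC-MD5, AH without ESP, inverted lifetimes) is the editor's classification rather than a product setting.

```python
"""Audit the VPN Options / IKE / IPSec capability flags of one PEP.

Added example, not Device Pack code. The flag names follow the option
labels in the views; the weakness classification is the editor's.
"""
from typing import Dict, List

# Editor's classification of the algorithms the views can enable.
WEAK_ENCRYPTION = {"NULL", "DES"}        # no confidentiality / 56-bit key
LEGACY_ENCRYPTION = {"3DES", "CAST"}     # keep only for interoperability
WEAK_IKE_HASH = {"MD5"}
WEAK_DH_GROUPS = {1}                     # 768-bit MODP
WEAK_IPSEC_AUTH = {"HMAC-MD5"}


def _enabled(flags: Dict) -> set:
    """Return the keys whose 'Enabled' flag is set."""
    return {name for name, on in flags.items() if on}


def audit_vpn(cfg: Dict) -> List[str]:
    """Return a list of findings for one PEP's VPN capability flags.

    cfg mirrors the three views: 'encryption', 'ike' and 'ipsec'.
    An empty list means nothing in the views needs attention.
    """
    findings = []

    enc = _enabled(cfg["encryption"])
    for alg in sorted(enc & WEAK_ENCRYPTION):
        findings.append(f"VPN Options: {alg} encryption is enabled")
    if not enc - WEAK_ENCRYPTION - LEGACY_ENCRYPTION:
        findings.append("VPN Options: no AES cipher is enabled")

    ike = cfg["ike"]
    for h in sorted(_enabled(ike["hash"]) & WEAK_IKE_HASH):
        findings.append(f"IKE: {h} hash is enabled")
    for g in sorted(_enabled(ike["dh_group"]) & WEAK_DH_GROUPS):
        findings.append(f"IKE: DH group {g} is enabled")
    if not _enabled(ike["dh_group"]) - WEAK_DH_GROUPS:
        findings.append("IKE: no DH group stronger than group 1 is enabled")
    if not (ike["psk"] or ike["rsa_sig"]):
        findings.append("IKE: no key exchange authentication method is enabled")
    if ike["min_lifetime"] > ike["max_lifetime"]:
        findings.append("IKE: minimum lifetime exceeds maximum lifetime")

    ipsec = cfg["ipsec"]
    for a in sorted(_enabled(ipsec["auth"]) & WEAK_IPSEC_AUTH):
        findings.append(f"IPSec: {a} authentication is enabled")
    protos = _enabled(ipsec["protocol"])
    if not protos:
        findings.append("IPSec: neither AH nor ESP is enabled")
    elif protos == {"AH"}:
        findings.append("IPSec: AH only, traffic is authenticated but not encrypted")
    if ipsec["min_lifetime"] > ipsec["max_lifetime"]:
        findings.append("IPSec: minimum lifetime exceeds maximum lifetime")
    return findings


# Constructed sample: every flag in the views switched on, beside a
# hardened set of the same flags.
PERMISSIVE = {
    "encryption": {"NULL": True, "DES": True, "3DES": True, "CAST": True,
                   "AES-128": True, "AES-256": True},
    "ike": {"hash": {"SHA-1": True, "MD5": True},
            "dh_group": {1: True, 2: True, 5: True},
            "psk": True, "rsa_sig": True,
            "min_lifetime": 120, "max_lifetime": 86400},
    "ipsec": {"auth": {"HMAC-SHA-1": True, "HMAC-MD5": True},
              "protocol": {"AH": True, "ESP": True},
              "min_lifetime": 120, "max_lifetime": 3600},
}

HARDENED = {
    "encryption": {"NULL": False, "DES": False, "3DES": False, "CAST": False,
                   "AES-128": True, "AES-256": True},
    "ike": {"hash": {"SHA-1": True, "MD5": False},
            "dh_group": {1: False, 2: False, 5: True},
            "psk": False, "rsa_sig": True,
            "min_lifetime": 120, "max_lifetime": 86400},
    "ipsec": {"auth": {"HMAC-SHA-1": True, "HMAC-MD5": False},
              "protocol": {"AH": False, "ESP": True},
              "min_lifetime": 120, "max_lifetime": 3600},
}

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, audit_vpn(cfg) or ["no findings"])
```

Run it against the capability flags read from each PEP before upload; the permissive sample yields five findings, the hardened one none. Disabling a flag in these views only limits what the PEP proposes or accepts, so both ends of the tunnel have to be checked.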
13.7.3. Remote Access VPN
Use this view to configure the PEP's Remote Access VPN options.
Option Description
User Group Global Pool Lease Time (minutes): Enter the time, in seconds, that the Remote Access client will use its assigned IP address. When this time elapses, the client will request a new address from the PEP. The default value 600 equals 15 minutes.
Set Optional Office Mode Parameters: Allows you to set additional options for the user group pool, such as DNS and WINS addresses.
Primary DNS: Enter the address of the primary DNS server for the remote users.
First Backup DNS: Enter the address of the first backup DNS server for the remote users.
Second Backup DNS: Enter the address of the secondary backup DNS server for the remote users.
Primary WINS: Enter the address of the primary WINS server for the remote users.
First Backup WINS: Enter the address of the first backup WINS server for the remote users.
Second Backup WINS: Enter the address of the secondary backup WINS server for the remote users.
Domain Name: Enter the domain name of the remote users. This should match your internal network's domain.
Perform an organized shutdown of tunnels upon gateway restart: Allows the PEP to keep an authentication session open with a remote access VPN client even if the PEP restarts.
Perform anti-spoofing on pool addresses: Indicates that the PEP will perform anti-spoofing on all pool addresses.
Support connectivity enhancement for gateways with multiple external interfaces: Allows the PEP to resolve traffic from one Remote Access client to another. If your PEP has only one external interface, you should disable this option to get better performance. If your PEP has multiple interfaces, you should enable this option to allow different remote users to communicate.
13.8. Tunnel Peer Options
This view lets you configure one of the tunnel endpoints.
On client-to-gateway tunnels, this view lets you configure the mapped user group's IP address pool.
On GRE tunnels, you can use this view to configure how the PEP sets up the tunnel IP addresses.
Option Description
Generate Static Routing:
* Choice "Yes"
Indicates that SCM Server will generate the routing for the tunnel. This may conflict with pre-existing routing that you entered on the device.
* Choice "No *"
Does not generate routing for the tunnel. Use this option if you have pre-existing routing on the device.
* Choice "Comment"
SCM Server generates the routing in the .app file, but the rules are commented out. Use this option if you want to verify the rules before uploading them.
Auto Generate Tunnel IP Address: Indicates if SCM Server will automatically choose an IP address for the tunnel interfaces.
You can choose the range SCM Server will use for these addresses in the Properties for the Current Policy > GRE Parameters for Automation > Tunnel interfaces IP address ranges view.
IP Address: Lets you manually enter an IP address for the tunnel.
Netmask: For information: this is the netmask SCM Server uses to construct the networks for the interfaces on GRE tunnels.
Support NAT-Traversal: Lets the VPN client connect to the server PEP via UDP through a firewall or router using NAT.
NAT-Traversal Service: Defines the service to use if you allow IPSec over UDP.
Tunnel: Lets you choose to use split-tunneling.
* Choice "Only Trust Zone *"
If you choose this option, the remote user will not go through the tunnel when he/she accesses an address outside the tunnel's trust zone. You can define this trust zone; see the documentation on the Zone Editor in the Security Change Manager Designer User Guide for more information.
* Choice "Everything"
Choose this option to force all traffic through the tunnel. For example, the remote users will have to go through the tunnel to surf the internet.
* Choice "Everything except local addresses"
Choose this option to allow addresses on the remote user's local network to pass outside the tunnel. For example, this option lets the remote user access his or her local printer without passing through the VPN.
13.8.1. Interface
Use this view to select the interfaces to which the tunnel can connect.
Option Description
Interface: Use this view to select the interfaces to which the tunnel can connect.
13.9. Authentication User Definition
Use this view to manage the list of PEPs that will authenticate users of this permission. Add an item to the tree list to see the configurable views.
Option Description
Type:
* Choice "Client Auth *"
Indicates that the PEP will authenticate each user with a specific IP address who attempts to make this connection. If two users connect from the same IP address, the PEP will only authenticate once.
* Choice "Session Auth"
Indicates that the PEP will authenticate each service over which a user attempts to make this connection. The PEP intercepts each connection and activates a session authentication agent to get the user's password. The agent may run on the source, the destination, or another host.
* Choice "User Auth"
Works for FTP, HTTP, RLOGIN and TELNET. This option indicates that the PEP will authenticate each user who attempts to make this connection, regardless of the user's IP address. The authentication method is built into these protocols.
HTTP Servers: If you choose User Auth, you can restrict users to a set of HTTP servers.
* Choice "All *"
Indicates that the PEP will not restrict user access to any HTTP servers.
* Choice "Predefined"
Indicates that the PEP will restrict user access to those servers that you defined in the Check Point(TM) FireWall-1(R) Management Server properties > General options > Security server > HTTP servers view.
Contact Agent At: Indicates where the authentication agent is located. The authentication agent is usually a piece of software that checks the user's login and password. The agent may reside either on the user's machine, or at a remote location. This option tells the PEP where to contact the authentication agent when validating a user's attempt to connect.
* Choice "Src *"
The PEP will contact the authentication agent at the permission's source.
* Choice "Dst"
The PEP will contact the authentication agent at the permission's destination.
* Choice "Host"
This option lets you choose a different PEP, which the authenticating PEP will contact when validating a user's connection.
This option applies to Session Authentication only.
See the Check Point(TM) FireWall-1(R) documentation on "Session Authentication" for more information.
PEP: Lets you choose the PEP on which the authentication agent is running.
This option applies to Session Authentication only.
Query User Identity from UserAuthority: Indicates that the PEP will contact UserAuthority to authenticate the user. To use this feature, you must have configured UserAuthority in your Check Point(TM) product.
See the Check Point(TM) documentation on UserAuthority for more information.
This option applies to Session Authentication only.
Apply Rule Only if Desktop Configuration Options are Verified: The PEP will verify that the SmartDashboard desktop is properly configured before applying the rule.
For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.
Required Sign On: Applies to Client Authentication only.
* Choice "Standard *"
When the user signs on, the PEP permits all services to all destination hosts.
* Choice "Specific"
The PEP forces the user to specify each service and destination host to which he or she wants to connect.
Sign On Method:
* Choice "Manual *"
The PEP will require the user to initiate the Client Authentication session over TELNET on port 259 or over HTTP on port 900.
* Choice "Partially automatic"
The PEP will require the user to initiate the Client Authentication session as above, unless the user requests an RLOGIN, TELNET, HTTP or FTP service.
* Choice "Fully automatic"
If the user connects over RLOGIN, TELNET, HTTP or FTP, the PEP will sign on the user through User Authentication. For other services, the PEP will sign on the user through Session Authentication.
* Choice "Agent automatic sign-on"
If the Session Authentication Agent is installed on the client, the PEP will sign on the user through the Session Authentication Agent.
* Choice "Single sign-on"
The PEP will verify the user name with the UAM server, before deciding whether to allow the connection to continue.
Successful Authentication Tracking:
* Choice "None *"
The PEP will not track the sign-on session.
* Choice "Log"
The PEP creates a log of the authentication session.
* Choice "Alert"
The PEP will launch the Authentication Alert command that you specify in the Check Point(TM) FireWall-1(R) SmartCenter Global Properties window.
Authorization Timeout: Indicates the amount of time that a user's connection will be available after he/she performs client authentication.
* Choice "Indefinite *"
The user's connection will be available until he/she explicitly signs off, or the administrator resets the firewall.
* Choice "Specific"
Lets you enter a specific timeout.
Hours: Lets you enter the number of hours that a client-authenticated connection will be available.
Minutes: Lets you enter the number of minutes that a client-authenticated connection will be available.
Refreshable Timeout: Indicates if the timeout countdown restarts upon each new connection.
For example, if connection #1 has already been up for 1 hour, and the user makes connection #2, the timeout will restart counting at zero.
Number of Sessions Allowed: Indicates the number of connections the user can make before his/her in a single client authentication session.
Number of Sessions: Lets you enter the number of sessions.
13.9.1. flowListIn
Option Description
mugpep1_flow
mugpep2_flow
13.9.2. flowListOut
Option Description
pepmug1_flow
pepmug2_flow
13.9.3. flowListExternal
Option Description
sessionAuth_flow
Chapter 14. FireWall-1 Management Server Properties Windows
14.1. Description ........ 143
14.2. General Options ........ 143
  14.2.1. Include Policy ........ 144
  14.2.2. Security Server ........ 144
    HTTP Servers ........ 145
      HTTP Server ........ 145
  14.2.3. Authentication ........ 145
    Failed Authentication Attempts ........ 145
    Authentication of Users with Certificates ........ 146
    Early Versions Compatibility ........ 146
  14.2.4. Local Security Policy ........ 147
  14.2.5. VPN ........ 149
    CRL Grace Period ........ 149
    IKE Denial of Service protection ........ 150
    Remote Access ........ 150
      Certificates ........ 151
      Secure Configuration Verification ........ 152
  14.2.6. GTP Services ........ 153
    GTP Service ........ 153
  14.2.7. Import ........ 154
14.3. Upload Configuration ........ 155
  14.3.1. Connection Options ........ 155
  14.3.2. Paths ........ 156
  14.3.3. Authentication ........ 156
  14.3.4. Prompts ........ 157
  14.3.5. FireWall-1 Options ........ 157
14.1. Description
Option Description
Note
14.2. General Options
Use this view to examine and modify general management server options.
Option Description
Generate Comments in Filters:
* Choice "Yes *"
Indicates to the compiler that it should include comments in the generated filtering files. This option makes it easier to read the generated filter files.
* Choice "No"
Comments are not included. This allows a reduction in the size of the filters.
Result in Case Hidden Rules are Detected: Indicates the type of message that SCM Server will generate if it encounters hidden rules.
Is the management server a Check Point GX?: Specifies whether the Management Server is a Check Point GX or not. Ticking the "Yes" radio button adds a "GTP Services" sub-node to the "General Options" node.
14.2.1. Include Policy
Use this view to specify the names of the FireWall-1(R) security policies to be included before and after generated rules.
Option Description
First Policy: Specifies the name of a security policy to be included before the generated rules.
Last Policy: Specifies the name of a security policy to be included after the generated rules.
14.2.2. Security Server
Use this view to enable the different types of authentication servers with which the PEP may communicate.
Option Description
Telnet Welcome Message File: The name of the file from which the PEP will get the welcome message for users connecting over telnet.
FTP Welcome Message File: The name of the file from which the PEP will get the welcome message for users connecting over FTP.
Rlogin Welcome Message File: The name of the file from which the PEP will get the welcome message for users connecting over rlogin.
Client Welcome Message File: The name of the file from which the PEP will get the welcome message for users who perform a manual sign-on to the authentication session.
SMTP Welcome Message File: The name of the file from which the PEP will get the welcome message for users connecting over SMTP.
HTTP Next Proxy: If there is an HTTP proxy server behind the Check Point(TM) FireWall-1(R) Security Server, this option lets you pick one.
* Choice "Select"
Lets you choose the HTTP proxy server from those defined in your policy map.
HTTP Servers
Use this view to configure how the PEP redirects connections to an HTTP security server.
HTTP Server
Option Description
Reauthentication:
* Choice "Standard *"
The PEP will not ask the user to reenter his/her password as long as the User Authentication Session Timeout has not expired. This value is specified in the PEP Properties > General Options > Authentication > Authentication Settings View.
* Choice "POST request"
The PEP will ask the user to reenter his/her password each time the user sends a request that may change the server's configuration. This option only has an effect on S/Key or SecurID passwords, which change continually.
* Choice "Every request"
The PEP will ask the user to reenter his/her password each time the user sends any request. This option only has an effect on S/Key or SecurID passwords, which change continually.
Host: The host name of the HTTP server.
Port: The HTTP server's port number.
Server For Null Request: Indicates if the PEP will convert addresses given as "http://<PEP-name>" to "/" before sending them to the HTTP server.
14.2.3. Authentication
This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.
Failed Authentication Attempts
Use this view to configure how the PEP behaves when users fail to authenticate.
Option Description
Terminate rlogin Connection After (attempts): Indicates the number of times the user can fail to identify him/herself before the PEP will terminate an rlogin connection.
Terminate telnet Connection After (attempts): Indicates the number of times the user can fail to identify him/herself before the PEP will terminate a telnet connection.
Terminate Client Connection After (attempts): Indicates the number of times the user can fail to identify him/herself before the PEP will terminate the client authentication connection.
Terminate Session Connection After (attempts): Indicates the number of times the user can fail to identify him/herself before the PEP will terminate the session connection.
Authentication of Users with Certificates
Use this view to configure how the PEP will react to users who authenticate with certificates.
Option Description
Authenticates Internal Users With Suffix Only: Indicates if the PEP will only authenticate users who have a certain suffix in their certificate's qualified name.
Enter the suffix in the Suffix option on this view.
Users' certificates which were initiated but not pulled will expire after: All certificates not used in this number of days will expire.
Early Versions Compatibility
Use this view to configure the PEP's compatibility with earlier versions.
Option Description
User Authentication Session Timeout (min): This option has a different effect depending on the type of connection.
For rlogin, telnet and FTP, this option indicates the number of minutes of inactivity after which the PEP will close the connection. This is different from the option with the same name in the PEP properties > General options > Authentication > Authentication Settings View.
For HTTP, this option indicates the number of minutes after which the PEP closes the authentication session. This is equivalent to the option with the same name in the PEP properties > General options > Authentication > Authentication Settings View.
Enable wait mode for Client Authentication: If the user opens an authentication session over telnet on port 259, this option indicates if the PEP will keep the telnet session open during the time the authentication session is open.
If you select this option, the PEP will close the authentication session when the telnet session closes.
If you do not select this option, the PEP will close the telnet session once the user signs on, and the user will have to reopen the telnet session to sign off.
Authentication Failure Track: Indicates how the PEP will react to errors during authentication.
* Choice "None"
The PEP will not inform the user of errors.
* Choice "Log"
The PEP will log errors.
* Choice "Alert"
The PEP will open a popup window; you can define the popup alert once in the Check Point(TM) FireWall-1(R) software Global properties window, and afterwards use it in SCM Server.
14.2.4. Local Security Policy
Use this view to examine and modify the Local Security Policy. These properties link to the implicit rules that you can define through the properties menu of the FireWall-1(R) management server as described in the section "Create the Conceptual Level" in the Working with FireWall-1 Device Pack document.
Option Description
Log Implied Rules: Indicates whether implied rules are included in the log.
Accept VPN-1 & FireWall-1 Control Connections:
* Choice "First"
Enables FireWall-1(R) GUI Clients to communicate with the Management Server and specifies the position in the Rule Base for the implied rule.
* Choice "No"
Prevents FireWall-1(R) GUI Clients from communicating with the Management Server.
Accept Remote Access Control Connections:
* Choice "First *"
Accepts remote access control connections.
* Choice "No"
Disables accepting remote access control connections.
Accept RIP:
* Choice "No"
Specifies that Routing Information Protocol used by the routed daemon is not accepted.
* Choice "First/Last/Before Last"
Specifies that Routing Information Protocol used by the routed daemon is accepted and specifies the position in the Rule Base for the implied rule.
Accept Domain Name Over UDP (Queries):
* Choice "No"
Specifies that Domain Name queries over UDP are not accepted.
* Choice "First/Last/Before Last"
Specifies that Domain Name queries over UDP are accepted and specifies the position in the Rule Base for the implied rule.
Accept Domain Name Over TCP (Zone Transfer):
* Choice "No"
Specifies that Domain Name queries over TCP are not accepted.
* Choice "First/Last/Before Last"
Specifies that Domain Name queries over TCP are accepted and specifies the position in the Rule Base for the implied rule.
Accept ICMP:
* Choice "No"
Specifies that Internet Control Messages are not accepted.
* Choice "First/Last/Before Last"
Specifies that Internet Control Messages are accepted and specifies the position in the Rule Base for the implied rule.
Accept Outgoing Packets Originating From Gateway:
* Choice "No"
Specifies that outgoing packets (from the firewall, not from the internal network) are not accepted.
* Choice "First/Last/Before Last"
Specifies that all outgoing packets (from the firewall, not from the internal network) are accepted and specifies the position in the Rule Base for the implied rule.
Accept CPRID Connections (SmartUpdate):
* Choice "No"
Specifies that CPRID Connections are not accepted.
* Choice "First"
Specifies that they are accepted.
Accept Dynamic Address Modules' DHCP Traffic:
* Choice "No"
Specifies that Dynamic Address Module DHCP traffic is not accepted.
* Choice "First"
Specifies that it is accepted.
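The First, Last and Before Last choices in this view decide where each implied rule lands relative to the explicit Rule Base, and that position decides whether the rule can be reached at all. The script below is an added example written for this edit, not code from the Device Pack or from Check Point: it builds the evaluation order from a constructed explicit rule list and the implied-rule choices named above, and then lists the implied rules that sit below a final explicit rule which already drops everything. Reading "Before Last" as "above the final explicit rule" and "Last" as "below it" is this example's assumption; the document itself does not define the positions.

```python
"""Place implied rules at First / Before Last / Last and find the ones
that can never match. Added example, not Device Pack code.
"""
from typing import List, Tuple

POSITIONS = ("First", "Before Last", "Last", "No")


def place_implied(explicit: List[str], implied: List[Tuple[str, str]]) -> List[str]:
    """Return the Rule Base in evaluation order (top to bottom).

    explicit: the policy's own rules, in order; the final one is usually
              the cleanup rule.
    implied:  (implied rule name, choice) pairs; "No" omits the rule.
    Assumption: "Before Last" goes above the final explicit rule and
    "Last" below it.
    """
    for name, pos in implied:
        if pos not in POSITIONS:
            raise ValueError(f"{name}: unknown position {pos!r}")
    first = [name for name, pos in implied if pos == "First"]
    before_last = [name for name, pos in implied if pos == "Before Last"]
    last = [name for name, pos in implied if pos == "Last"]
    body, final = explicit[:-1], explicit[-1:]
    return first + body + before_last + final + last


def unreachable_implied(explicit: List[str], implied: List[Tuple[str, str]],
                        final_rule_drops_all: bool = True) -> List[str]:
    """Implied rules that can never match because they sit below a final
    explicit rule that already drops every packet (a cleanup rule)."""
    if not explicit or not final_rule_drops_all:
        return []
    order = place_implied(explicit, implied)
    return order[order.index(explicit[-1]) + 1:]


# Constructed sample policy: two explicit accept rules and a cleanup rule,
# plus the implied rules configured with the choices from this view.
EXPLICIT = ["allow_web_to_dmz", "allow_admin_ssh", "cleanup_drop_any"]
IMPLIED = [
    ("Accept VPN-1 & FireWall-1 Control Connections", "First"),
    ("Accept RIP", "No"),
    ("Accept Domain Name Over UDP (Queries)", "Before Last"),
    ("Accept ICMP", "Last"),
    ("Accept Outgoing Packets Originating From Gateway", "Last"),
]

if __name__ == "__main__":
    for i, rule in enumerate(place_implied(EXPLICIT, IMPLIED), 1):
        print(i, rule)
    print("never reached:", unreachable_implied(EXPLICIT, IMPLIED))
```

Two consequences follow from the ordering. An implied rule placed "First" is evaluated before any explicit rule, so nothing in the Rule Base can narrow it; and an implied rule placed "Last" behind a drop-all cleanup rule is dead, which is why "Before Last" exists. Enabling "Log Implied Rules" is the way to see which of these rules actually fire.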
14.2.5. VPN
Use this view to examine and modify the Management Server VPN options.
Option Description
Resolving Mechanism: VPN peers must select a particular interface if a PEP has more than one interface through which a VPN tunnel can be created. Use this option to choose the method the PEP will use to select this interface.
* Choice "Calculate Statically *"
According to the Gateway topology settings.
* Choice "Dynamic Interface Resolving"
By sending RDP packets to both interfaces and choosing the first to respond.
CRL Grace Period
Use this view to examine and modify the Management Server CRL Grace Period. This view allows you to set a buffer zone in case the Management Server's clock is not synchronized with the Certificate Authority server's clock.
Option Description
Grace period before the CRL is valid (seconds): Indicates how long before the validity time the Management Server will extend the expiration of the CRLs. Enter the grace period in seconds.
Grace period after the CRL is no longer valid (seconds): Indicates how long the Management Server will extend the expiration of the CRLs that it receives from the Certification Authority server. Enter the grace period in seconds.
Grace period extension for SecuRemote/SecureClient (seconds): Indicates the additional time that the Management Server will add to the CRL Grace Period when authenticating remote clients.
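The three grace periods in the CRL Grace Period view exist to absorb clock skew between the Management Server and the CA, but every second of grace after nextUpdate is also time during which a certificate revoked in the next CRL is still honoured. The following script is an added example written for this edit, not code from the Device Pack or from Check Point: it computes the acceptance window that the three settings produce for a constructed CRL. Adding the SecuRemote/SecureClient extension to both ends of the window is this example's assumption; the view only says the extension is added when remote clients authenticate.

```python
"""Effective CRL acceptance window under the CRL Grace Period settings.

Added example, not Device Pack code. Grace values are in seconds, as in
the view; timestamps are constructed.
"""
from datetime import datetime, timedelta
from typing import Tuple


def crl_window(this_update: datetime, next_update: datetime,
               grace_before: int, grace_after: int,
               remote_client_extension: int = 0,
               remote_client: bool = False) -> Tuple[datetime, datetime]:
    """Return (start, end) of the interval in which the CRL is accepted.

    The extension is only applied when the peer being authenticated is a
    SecuRemote/SecureClient user (assumption: it widens both ends).
    """
    if min(grace_before, grace_after, remote_client_extension) < 0:
        raise ValueError("grace periods must be non-negative")
    extra = remote_client_extension if remote_client else 0
    start = this_update - timedelta(seconds=grace_before + extra)
    end = next_update + timedelta(seconds=grace_after + extra)
    return start, end


def crl_accepted(now: datetime, this_update: datetime, next_update: datetime,
                 grace_before: int, grace_after: int,
                 remote_client_extension: int = 0,
                 remote_client: bool = False) -> Tuple[bool, str]:
    """Decide whether the CRL is usable at 'now' and say why, for logging."""
    start, end = crl_window(this_update, next_update, grace_before,
                            grace_after, remote_client_extension, remote_client)
    if now < start:
        return False, f"CRL not yet valid: {start - now} before the grace window"
    if now > end:
        return False, f"CRL expired: {now - end} after the grace window"
    if now < this_update:
        return True, "accepted within the 'before' grace period (clock skew)"
    if now > next_update:
        return True, "accepted within the 'after' grace period (stale CRL)"
    return True, "CRL within its own validity period"


def max_staleness(grace_after: int, remote_client_extension: int) -> int:
    """Longest time, in seconds, a CRL past its nextUpdate is still trusted
    for a remote client; a revoked certificate may be honoured this long."""
    return grace_after + remote_client_extension


# Constructed sample CRL and settings.
THIS_UPDATE = datetime(2010, 3, 1, 12, 0, 0)
NEXT_UPDATE = datetime(2010, 3, 2, 12, 0, 0)
GRACE_BEFORE = 300          # 5 minutes of tolerated clock skew
GRACE_AFTER = 3600          # accept a CRL up to 1 hour past nextUpdate
REMOTE_EXTENSION = 600      # 10 extra minutes for SecuRemote/SecureClient

if __name__ == "__main__":
    for now in (datetime(2010, 3, 1, 11, 57), datetime(2010, 3, 2, 13, 5)):
        for remote in (False, True):
            ok, why = crl_accepted(now, THIS_UPDATE, NEXT_UPDATE, GRACE_BEFORE,
                                   GRACE_AFTER, REMOTE_EXTENSION, remote)
            print(now, "remote" if remote else "gateway", ok, why)
    print("max staleness (s):", max_staleness(GRACE_AFTER, REMOTE_EXTENSION))
```

When sizing these values, compare `max_staleness` with the CA's CRL publication interval: the grace should cover the skew and the fetch delay, not a whole publication cycle, otherwise the "buffer zone" quietly becomes a revocation delay for remote users.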
IKE Denial of Service protection
Use this view to examine and modify IKE Denial of Service Protection.
See the "IKE DoS Protection" section in your Check Point(TM) documentation for more information.
Option Description
Support IKE DoS protection from identified source: Indicates how the PEP will respond to denial of service (DoS) attacks from valid IP addresses.
* Choice "None"
The PEP will not defend against denial of service attacks.
* Choice "Stateless *"
When the PEP thinks it is under a DoS attack, it sends a unique number to each IP that tried to initiate an IKE session. This choice is appropriate for DoS attacks from valid IP addresses.
* Choice "Puzzles"
The PEP will send a computationally-intensive puzzle to each IP that tries to initiate an IKE session.
Support IKE DoS protection from unidentified source: Indicates how the PEP will respond to denial of service (DoS) attacks from unknown IP addresses.
* Choice "None"
The PEP will not defend against denial of service attacks.
* Choice "Stateless"
When the PEP thinks it is under a DoS attack, it sends a unique number to each IP that tried to initiate an IKE session.
* Choice "Puzzles *"
The PEP will send a computationally-intensive puzzle to each IP that tries to initiate an IKE session. This choice is appropriate for DoS attacks from unknown IP addresses.
Remote Access
Use this view to examine and modify Management Server remote access.
Option Description
Support remote access VPN using Nokia clients: Indicates that the PEP will allow Nokia clients to participate in remote VPN connections.
When disconnected, traffic to the encryption domain will be: Indicates how traffic will be treated when the SecuRemote/SecureClient is not connected to the PEP.
* Choice "Dropped *"
The traffic will be dropped.
* Choice "Sent in clear"
The traffic will be sent in the clear.
Resolving Mechanism: Indicates how the remote client should choose the PEP interface over which to mount the tunnel.
* Choice "Calculate Statically *"
The client will use the interface defined in the PEP's topology.
* Choice "Dynamic Interface Resolving"
The client will send RDP packets to the available interfaces and mount the tunnel with the interface that responds first.
Update Topology: Indicates if the PEP will send the remote client updates of the topology behind the PEP. This allows the client to be aware of changes.
Authentication Timeout (min): Indicates the amount of time that the remote client's password is valid.
Enter a value in minutes.
Allow Caching of static passwords on client: Indicates if the remote client stores its password in cache after authenticating with the PEP. This is useful when the remote client uses the same password for multiple PEPs. If you set this option, the PEP will read the remote client's password directly from the client's cache rather than asking the user to enter it.
Enable tunnel refresh: Set this option to enable the PEP to re-initiate a tunnel that has already been authenticated, if the tunnel times out. This requires the remote client's details to be stored on all the devices between the PEP and the remote client.
Encrypt DNS traffic: Indicates if the remote client's DNS queries are sent through the tunnel.
Enable Hybrid Mode Authentication: Indicates if the PEP will allow other authentication schemes than those specified in this view.
Certificates
Use this view to configure how the Management Server handles user certificates.
Option Description
Client check gateway cert against CRL: Indicates if the remote client checks the Certificate Revocation List (CRL) upon validation.
Renew users internal CA certificates: Indicates if the Management Server's Internal Certificate Authority (ICA) will automatically re-issue certificates before they expire.
The ICA's user certificates are valid for two years.
Renewal starting process delay: Enter the time before the certificate expiration date before which the ICA will re-issue a user's certificate.
Enter a value in days.
Secure Configuration Verification
This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.
Secure Configuration Options
Use this view to configure Secure Configuration Verification (SCV). SCV is a series of tests that the PEP performs on the remote client upon connection.
Option Description
Apply Secure Configuration Verifications on Simplified mode Security Policies: Indicates if the PEP will apply Secure Configuration Verification (SCV) on the remote client during connection time.
Upon verification failure: Indicates how the PEP will react if the remote client fails the Secure Configuration Verification test.
* Choice "Accept and log client's connection *"
The PEP will accept the client's connection and log the failure. You can set how the failure will be logged in the Configuration Violation Notification view.
* Choice "Block client's connection"
The PEP will deny the client's connection.
Policy is installed on all interfaces: Indicates if the PEP will check that the Desktop Security Policy is installed on all the interfaces of the remote client.
See your Check Point(TM) product's documentation on Secure Configuration Verification (SCV) for more information.
Only TCP/IP protocols are used: Indicates if the PEP will check that the remote client only uses TCP/IP protocols.
Configuration Violation Notification
Use this view to set how the PEP will log the failure when a remote client fails the Secure Configuration Verification test.
Option Description
Generate log on client: Indicates if the failure will be logged on the remote client.
Notify the user: Indicates if the user will receive a notification.
14.2.6. GTP Services

Use this view to add GTP services that will allow you to configure GTP traffic inspection.

GTP Service

Option Description

GTP Service
    Type in the name of the GTP Service.

GTP Service Name
    Select an existing service to customize in a list displaying all customized GTP services.

GTP Version
    Select the GTP version.
    * Choice "GTP version 0"
    * Choice "GTP version 1"

Match IMSI Prefix Name
    * Choice "Any *"
    * Choice "Custom"
      Tick this radio button to define a custom IMSI prefix (an "Allowed IMSI Prefix" free-form field will appear to let you do so).

Allowed IMSI Prefix
    Type in your custom IMSI Prefix.

Match Access Point Name
    * Choice "Any *"
    * Choice "Custom"
      Tick this radio button to define a custom Access Point Name (an "Allowed Access Point Name" free-form field will appear to let you do so).

Allowed Access Point Name
    Type in your custom Access Point Name.

Allowed Selection Mode Name
    * Choice "Any *"
    * Choice "Custom"
      Tick this radio button to specify the Selection Mode.

Selection Mode
    Use the pull-down menu to choose the Selection Mode.
    * Choice "0 - verified *"
    * Choice "1 - MS - not verified"
    * Choice "2 - Network - not verified"

Match MS-ISDN Prefix Name
    * Choice "Any"
    * Choice "Custom"
      Tick this radio button to define a custom MS-ISDN Prefix Name (an "MS-ISDN Prefix Name" free-form field will appear to let you do so).

MS-ISDN Prefix Name
    Type in your custom MS-ISDN Prefix Name.

Match LDAP Group Name
    * Choice "Any"
    * Choice "Custom"
      Tick this radio button to define the User Group name and the matching criteria, i.e. IMSI* or MS-ISDN.

Allowed LDAP Group Name
    Type in the LDAP Group Name.

according to
    Choose the matching criteria of the LDAP Group Name, i.e. IMSI* or MS-ISDN.

Allow Usage of Static IP Addresses
    Choose whether the PEP's interfaces should use static IP addresses or not.
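As an added example (not code from this manual or from the product), the following Python models how the match criteria of a GTP Service combine when a Create PDP Context request is inspected: every "Custom" criterion must accept the request, and "Any" criteria impose nothing. The LDAP group criterion is left out because it needs a directory lookup; the class names, field values and sample services are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of one SCM "GTP Service" as the view above describes it
# (example code added here, not the LogLogic product's own). Each "Match ..."
# option is either "Any" (None here) or "Custom" (a concrete value).
@dataclass
class GtpService:
    name: str
    gtp_version: int                      # GTP version 0 or 1
    imsi_prefix: Optional[str] = None     # Allowed IMSI Prefix
    apn: Optional[str] = None             # Allowed Access Point Name
    selection_mode: Optional[int] = None  # 0 verified, 1 MS not verified, 2 Network not verified
    msisdn_prefix: Optional[str] = None   # MS-ISDN Prefix Name
# Constructed summary of a GTP Create PDP Context request (the message inspected).
@dataclass
class PdpContextRequest:
    gtp_version: int
    imsi: str
    apn: str
    selection_mode: int
    msisdn: str
def matches(service: GtpService, req: PdpContextRequest) -> bool:
    """True when every criterion the service sets accepts the request: "Any" fields
    impose no constraint, IMSI and MS-ISDN prefixes match the leading digits, the APN
    must match exactly (case-insensitive) and the selection mode must be equal."""
    if req.gtp_version != service.gtp_version:
        return False
    if service.imsi_prefix is not None and not req.imsi.startswith(service.imsi_prefix):
        return False
    if service.apn is not None and req.apn.lower() != service.apn.lower():
        return False
    if service.selection_mode is not None and req.selection_mode != service.selection_mode:
        return False
    if service.msisdn_prefix is not None and not req.msisdn.startswith(service.msisdn_prefix):
        return False
    return True

def first_matching_service(services, req: PdpContextRequest) -> Optional[str]:
    """Name of the first service that accepts the request, or None when none does."""
    for svc in services:
        if matches(svc, req):
            return svc.name
    return None

# Constructed sample: a roaming partner's IMSI range on a verified APN, plus a GTP v0 catch-all.
SERVICES = [GtpService("partner_verified", 1, imsi_prefix="26201", apn="internet.example",
                       selection_mode=0, msisdn_prefix="4917"), GtpService("legacy_v0_any", 0)]
```

A request that no service accepts returns None, which is the case the inspection would drop.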
14.2.7. Import

Option Description

Import Host as
    Indicates how to import a Check Point host, i.e. as a nexus, a class or an unknown device.
    * Choice "Class"
      The Check Point host will be imported as a Class (that is to say as an IP address container).

Auto-Connect Objects
    Indicates if the auto-connect must be performed at the end of the import process.

Import Disabled Rules
    Indicates if disabled rules are imported.

Import Section Titles in Notes
    Indicates that rule section titles are imported into the permission note.

Import Rule Details in Notes (verbose)
    Indicates that verbose details are imported into the permission note (index, action, service, source, destination, policy target). The local import completes the rule detail with the rule UID.
14.3. Upload Configuration

Use this view to configure how SCM Server uploads your work to the device.

Option Description

Which PEPs should be uploaded?
    Lets you choose the PEPs on which the Management Server will upload the configuration.
    * Choice "All on map *"
      All the PEPs present on the map will be uploaded.
    * Choice "Only selected"
      Only the selected PEPs will be uploaded. If you choose this value, the "Uploaded PEPs" sub-node will appear in the tree list to let you select the PEPs that should be uploaded.
14.3.1. Connection Options

Use this view to specify the protocols to be used for uploading filters.

Option Description

Upload Method
    Specifies the protocol to be used for uploading filters.

CPMI+Certificate Flow
    Creates an implicit CPMI+certificate flow.

OPSEC Connection Type
    Specifies whether the connection will be SSL with certificates or "clear".

Reset certificate
    Specifies whether your OPSEC application certificate has been reset.

OPSEC Application Distinguished Name
    The distinguished name of the OPSEC application, if the OPSEC connection type is clear.

OPSEC Application Name
    The name of the OPSEC application, if the OPSEC connection type is SSL+certificates.

OPSEC Port
    Specifies the OPSEC port number.

OPSEC SIC Entity Common Name (CN)
    Indicates the Common Name (CN) part of the OPSEC SIC Entity.

OPSEC Debug Level
    Specifies the OPSEC debug level. This value is not saved in any project version.

Session Time Out (ms)
    If this number of milliseconds elapses between an SCM Server request and the management server's response, the session is dropped.

Full Path to SmartDashboard directory
    Lets you enter the path to the SmartDashboard directory.
14.3.2. Paths
Use this view to set the Check Point(TM) FireWall-1(R) installation directory.
14.3.3. Authentication

Use this view to record the username and password for management servers that need to be connected prior to giving access to the configuration account. This username and password must correspond to an account that can be used through the SSH connection.

The Root Password is never used on the management server. To log in as root, set User Name to "root" and set User Password to root's password.

Option Description

Use session credentials for user (login, password)
    Activates the user authentication on the PEP from the credentials (login, password) of the user currently logged in to SCM Server. Note that both the "User Login" and "User Password" options will be ignored although they are still displayed in the view.

Use session credentials for root (login, password)
    Activates the super-user authentication (for privileged mode) on the PEP from the credentials (login, password) of the user currently logged in to SCM Server. Note that both the "Enable Login" and "Enable Password" options will be ignored although they are still displayed in the view.

User Login
    Allows you to record the username that will be used on the management server to copy, compile and upload the security policy. The user must have the privilege to copy files into $FWDIR/conf and to execute the command $FWDIR/bin/fw.
    This user name is used to make the SSH connection to the management server and may differ from the name used to connect to the management server from the Check Point(TM) FireWall-1(R) Policy Editor.
    The root password is needed when you want to be connected as root but the SSH server installation prevents you from connecting directly as root. Using the root password, SCM Server will first connect to the Management Server using the user login and password and then run the command "su -", supplying the root password.

User Password
    Allows you to record the user password.
14.3.4. Prompts

Use this view to indicate what the management server's prompts look like, which allows SCM Server to interpret them during communication.
14.3.5. FireWall-1 Options

Use this view to configure FireWall-1 translation options.

Option Description

Generated Policy Name
    Specifies the name of the generated policy. The default name is "Custom_Policy". If you change it, you must use a policy name different from the names used for the included policies in the Include Policy view.

Suffix Objects Names For This Policy?
    Indicates whether a suffix should be appended to the object names. This makes it possible to identify the same objects in different security policies.

Object Name Suffix
    Lets you type in the suffix that should be appended to the object names.

Translated Object Color
    Selects an alternative display color to more easily differentiate between translated and generated objects.

Generated Object Color
    Selects an alternative display color to more easily differentiate between translated and generated objects.

Upload if Only Successful on ALL Managed PEPs
    Indicates that the Management Server will not upload any PEPs if one PEP upload fails.

Clean Database Before Next Upload
    Indicates if the Management Server should empty its database before starting upload preparation. This option resets to "No" after every upload.

FireWall-1 Upload Policy
    Lets you choose how to perform the upload.
    * Choice "Upload on PEPs *"
      SCM will copy objects and rules to the Management Server, and the configuration will then be uploaded from the Management Server to its managed PEP(s).
Chapter 15. Provider-1 Management Server Properties Windows

15.1. Description ............................................................................ 159
15.2. General Options ..................................................................... 159
15.2.1. Managed CMAs ..................................................................... 159

15.1. Description

Option Description

Note

15.2. General Options

Use this view to examine and modify general management server options.

15.2.1. Managed CMAs

References the CMA servers managed by the Provider-1.
Index

A
all networks PEP, 24
Anti-Spoofing, 19
Anti-spoofing, 22
Any, 56
Audit Through Report, 56
Authentication, 24
    Client authentication, 24
    Session authentication, 24
    User authentication, 24
Authentication parameters, 43
Authentication Rule
    Create, 43

B
Back-up files, 65

C
CAST-40, 70, 75
Check Point Gateway, 19
Class all PEPs, 24
Clear, 27, 32, 32
    procedure, 31
Client-to-Gateway VPN, 67
Clientless VPN, 71
Communicate, 32
Compilation of the security policy, 39
Connections
    PEPs to networks, 55
connections
    Nexus to networks, 55

D
DES-40, 70, 75
Desktop security policy, 70
DHCP server, 70
domain, 63

E
Enable VPN routing, 70

F
Filters
    Upload Preparation, 14
Firewall Features, 3

G
Gateway-to-Gateway VPN, 71
Generation Process, 11, 27
Global Features, 3

H
Hybrid Mode, 70

I
ICMP, 4
Implicit permissions, 69
Import
    perform, 52
Imported/not imported (NG), 46
Include Rules, 64
Installation, 1
Interoperable Default Fields, 18
IP Address
    range, 16
IPSec/L2TP tunnels, 71

L
LDAP, 66, 66, 66
Licenses, 1
Limitations, 1
    Case Sensitivity, 1
Log, 18

M
Management Server Features, 7
Mapping, 15
    table syntax, 20
Multiple Entry Point VPNs (MEP), 70, 75

N
Naming convention, 21
NAT Features, 5
Non-supported concepts, 63
NP_A, 13
NP_C, 13
NP_E, 13
NP_I, 13
NP_N, 13, 16
NP_O, 23
NP_O_..VFP_.., 13
NP_R, 13
NP_S, 13
NP_T, 13

O
Object
    generated, 12
    nexus, 18
    translated, 12
Object Colors, 14
Office Mode, 70
OPSEC, 27

P
Patch Process, 63
PEP, 18
    Indirectly Managed, 11
Permissions
    deny, 55

R
RADIUS, 66, 66
Remote Access, 68

S
Security Include, 63
Service type, 21
Session Time Out, 38
SIC file, 32
sic_policy.conf, 32
Site-to-site VPN, 73
SmartDashBoard, 66
Specific translated fields, 18
SSL Certification and Encryption, 27, 29
    Procedure, 27
Supported Versions, 1

T
TACACS, 66, 66
Topology
    missing, 54
Translated PEP, 18
Translated service, 20
Transparent mode, 70

U
Upload addresses, 51
User Groups, 65

V
VIA property, 48
Visitor Mode, 70
VPN
    Specifics parameters, 68
VPN Features, 6
VPN node, 68
VPN-1 Net, 70