SECURITY CHANGE MANAGER

WORKING WITH CHECK POINT FIREWALL-1 AND NG

DEVICE PACK 4.5

MARCH 2010

Revision 17
Manual reference: udoc-sps-00533-en
Author(s): Documentation Team

The information contained in this document may be subject to modification without prior notice and LogLogic assumes no responsibility for any errors that may appear in it.

This documentation concerns LogLogic's software Security Change Manager 8.2.

Copyright © 2010 LogLogic. All rights reserved.

The product described in this document is protected by French patent number FR97/13254 and may be protected by other US patents, foreign patents or pending applications.

Solsoft™ and Exaprotect™ are trademarks of EPT Software Group.

All other products mentioned herein are trademarks or registered trademarks of their respective owners.

Working with Check Point FireWall-1 and NG


Table of Contents

1. Installation ..... 1
  1.1. System Requirements ..... 1
    1.1.1. Device OS Versions Supported ..... 1
    1.1.2. Licenses ..... 1
  1.2. Installation ..... 1
  1.3. Limitations ..... 1
    1.3.1. Case Sensitivity ..... 1
2. Features supported on Check Point FireWall-1 ..... 3
  2.1. Global Features Support ..... 3
  2.2. Firewall Features ..... 3
  2.3. NAT Features ..... 5
  2.4. VPN Features ..... 6
  2.5. Management Server Features ..... 7
3. Basic Concepts in Security Change Manager's Interaction with Check Point FireWall-1 ..... 9
  3.1. Overview of Check Point FireWall-1 and Security Change Manager Interaction ..... 9
  3.2. Check Point FireWall-1 Management Server Object ..... 10
    3.2.1. Management Server ..... 11
    3.2.2. Management Station ..... 11
    3.2.3. Two Kinds of PEPs ..... 11
    3.2.4. Management Server/PEP Compatibility Matrix ..... 11
  3.3. Generation Process ..... 11
    3.3.1. Process ..... 11
    3.3.2. Difference between a Translated Object and a Generated Object ..... 12
  3.4. Naming Rules for Check Point FireWall-1 Objects ..... 12
    3.4.1. Example ..... 12
    3.4.2. Comments Generated for Traceability between Security Change Manager Objects and Check Point FireWall-1 Objects ..... 14
    3.4.3. Object Colors ..... 14
  3.5. Upload Preparation ..... 14
  3.6. Upload Process ..... 14
4. How Security Change Manager Objects Map to Check Point FireWall-1 ..... 15
  4.1. Translation of Network Objects ..... 15
  4.2. Translation of Class Objects ..... 16
  4.3. Translation of Management Server Objects ..... 16
    4.3.1. Check Point Host Default Fields or Check Point Gateway ..... 17
    4.3.2. Check Point FireWall-1 Interoperable Default Fields ..... 18
  4.4. Translation of Nexus Objects ..... 18
  4.5. Translation of PEP Objects ..... 18
    4.5.1. A Translated Security Change Manager Check Point FireWall-1 PEP ..... 18
    4.5.2. Specific Translated Fields ..... 18
      Log ..... 18
      Interface Netmask ..... 19
      Anti-Spoofing ..... 19
    4.5.3. Check Point Gateway or Externally Managed Gateway Default Fields ..... 19
      Process ..... 19
  4.6. Translation of Services ..... 19
    4.6.1. Generation Process ..... 19
      Principle ..... 19
      Syntax of the Mapping Table ..... 20
      Example ..... 20
    4.6.2. A Translated Security Change Manager Service ..... 20
      Naming Convention ..... 21
      Security Change Manager IGMP Translated Fields ..... 21
  4.7. Translation of Implicit Generated Objects ..... 21
    4.7.1. Anti-spoofing ..... 22
    4.7.2. Expand Internet: Objects Generated ..... 22
  4.8. Translation of Permissions ..... 22


  4.9. Translation of Time Definition Rules ..... 22
    4.9.1. What cannot be translated ..... 22
  4.10. Translation of NAT Rules ..... 22
    4.10.1. Example ..... 22
    4.10.2. Rules ..... 23
    4.10.3. Security Change Manager NAT Rules Translated Fields ..... 23
  4.11. Translation of Limited Path Zones ..... 24
  4.12. Translation of Default Objects ..... 24
    4.12.1. All Networks ..... 24
    4.12.2. All PEPs ..... 24
  4.13. Translation of User Authentication ..... 24
5. How to Define and Deploy a Security Policy on Check Point FireWall-1 ..... 27
  5.1. First Use of Check Point FireWall-1 ..... 27
    5.1.1. SSL Certification and Encryption Procedure ..... 27
    5.1.2. Clear OPSEC Connection Type Procedure ..... 31
  5.2. Configure a Check Point GX Management Server ..... 32
    5.2.1. First step: Creating custom services and defining the policy ..... 33
    5.2.2. Second step: Defining precisely the custom services ..... 33
  5.3. Define and Deploy a Policy ..... 35
    5.3.1. Step 1: Defining the Secure Topology ..... 35
    5.3.2. Step 2: Security Policy Definition ..... 39
    5.3.3. Step 3: Audit ..... 39
    5.3.4. Step 4: Define Rules ..... 39
    5.3.5. Step 5: Compile the Security Policy ..... 39
    5.3.6. Step 6: Prepare Upload on Each Directly-Managed PEP and Each Management Server ..... 40
      Prerequisites ..... 40
      Procedure ..... 40
    5.3.7. Step 7: Deploy the Policy ..... 40
  5.4. Define and Manage an Existing Policy ..... 41
    5.4.1. Purpose ..... 41
    5.4.2. Prerequisites ..... 41
    5.4.3. Step 1: Perform a Check Point FireWall-1 Import ..... 41
    5.4.4. Step 2: Secure Topology Definition, if You Do Not Perform an Import ..... 42
    5.4.5. Other Steps ..... 43
  5.5. Create an Authentication Rule ..... 43
6. How to Perform an Import from Check Point FireWall-1 ..... 45
  6.1. What will be Imported/not Imported ..... 45
  6.2. Performing a Standard Import from Check Point FireWall-1 ..... 49
    6.2.1. Step 1: Create and Configure a Management Server ..... 49
    6.2.2. Step 2: Perform the Import ..... 52
    6.2.3. Step 3: Add the Missing Topology ..... 54
    6.2.4. Step 4: Connect and Group Attached Objects ..... 54
    6.2.5. Step 5: Various Checks to Perform ..... 55
  6.3. Performing a Local Import of Check Point FireWall-1 Policy ..... 56
  6.4. Cleaning the Database Before Upload ..... 60
7. How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager ..... 63
  7.1. First-Time: Define Non-supported Concepts on the Management Server ..... 63
    7.1.1. Step 1: Upload Security Change Manager Security Policy on the Management Server ..... 63
    7.1.2. Step 2: Add Specific Properties ..... 64
    7.1.3. Step 3: Add Other Objects not Supported by Security Change Manager ..... 64
    7.1.4. Step 4: Define the Include Rules/Create a New Policy on the Real Management Server ..... 64
    7.1.5. Step 5: Modify the Management Server Options ..... 64
    7.1.6. Step 6: Upload ..... 65
  7.2. How to Manage User Groups ..... 65
8. Client-to-Gateway VPN on Check Point FireWall-1 NG ..... 67
  8.1. Procedure ..... 67
    8.1.1. On the Check Point FireWall-1 ..... 67
    8.1.2. On the Management Server ..... 68
    8.1.3. PEPs Supporting Remote Access ..... 68


    8.1.4. Specific Parameters ..... 68
      On the device VPN node ..... 68
    8.1.5. Implicit Permissions ..... 69
  8.2. VPN Limitations ..... 70
    8.2.1. Global Limitations ..... 70
      VPN-1 Net ..... 70
      DES-40 and CAST-40 ..... 70
      Multiple Entry Point VPNs (MEP) ..... 70
    8.2.2. Remote Access Limitations ..... 70
      User Groups ..... 70
      Office Mode is disabled on the gateway ..... 70
      IP pool is defined through a DHCP server ..... 70
      Hybrid Mode ..... 70
      Enable VPN routing ..... 70
      Desktop security policy ..... 70
      Visitor Mode ..... 70
      Transparent mode ..... 70
      Clientless VPN ..... 71
      IPsec/L2TP tunnels ..... 71
      Number of tunnels ..... 71
    8.2.3. First-time Upload of a VPN Policy ..... 71
9. Gateway-to-Gateway VPN on Check Point FireWall-1 NG and NG AI ..... 73
  9.1. Procedure ..... 73
    9.1.1. On the Security Change Manager ..... 73
    9.1.2. On the Check Point FireWall-1 Management Server ..... 73
      Procedure ..... 73
    9.1.3. VPN Domains ..... 74
  9.2. VPN Limitations ..... 74
    9.2.1. Global Limitations ..... 75
      VPN-1 Net ..... 75
      DES-40 and CAST-40 ..... 75
      Multiple Entry Point VPNs (MEP) ..... 75
    9.2.2. Site-to-site limitation ..... 75
      Usage of the Simplified Mode ..... 75
10. Check Point FireWall-1 Cluster Management ..... 77
  10.1. Procedure ..... 77
    10.1.1. On the Check Point FireWall-1 Management Server ..... 77
    10.1.2. On the Security Change Manager Designer ..... 77
  10.2. Limitations ..... 81
11. Provider-1 Management Server Installation ..... 83
  11.1. Adding a Provider-1 Management Server ..... 83
12. Check Point FireWall-1 Properties Windows ..... 85
  12.1. Description ..... 85
  12.2. General Options ..... 85
    12.2.1. Security Profile ..... 87
      Common Security Parameters ..... 88
      Replace Address ..... 90
      Replace Service ..... 92
    12.2.2. Virtual System ..... 93
    12.2.3. Authentication ..... 93
      Enabled Authentication Schemes ..... 93
      Authentication Settings ..... 93
      HTTP Security Server ..... 94
  12.3. Policy Learning Mode ..... 95
  12.4. Common Interface Options ..... 95
  12.5. Interface Options ..... 96
    12.5.1. Security Profile ..... 98
      Common Security Parameters ..... 98
      Replace Address ..... 100
      Replace Service ..... 101
    12.5.2. IP Addresses ..... 102
      Static IP Addresses ..... 102
      Dynamic Addresses Pool ..... 102


      IP Addresses ..... 102
  12.6. VPN Options ..... 104
    12.6.1. IKE Capabilities ..... 104
    12.6.2. IPSec Capabilities ..... 105
    12.6.3. Remote Access VPN ..... 105
  12.7. Upload Configuration ..... 106
  12.8. Tunnel Peer Options ..... 107
    12.8.1. Interface ..... 108
  12.9. Authentication User Definition ..... 108
    12.9.1. flowListIn ..... 111
    12.9.2. flowListOut ..... 111
    12.9.3. flowListExternal ..... 111
13. Check Point FireWall-1 Cluster Properties Windows ..... 113
  13.1. Description ..... 113
  13.2. General Options ..... 113
    13.2.1. Security Profile ..... 115
      Common Security Parameters ..... 116
      Replace Address ..... 119
      Replace Service ..... 120
    13.2.2. Authentication ..... 121
      Enabled Authentication Schemes ..... 121
      Authentication Settings ..... 122
      HTTP Security Server ..... 123
  13.3. Cluster Options ..... 123
    13.3.1. Availability Parameters ..... 123
    13.3.2. Synchronization ..... 126
      Synchronization Networks ..... 126
  13.4. Policy Learning Mode ..... 126
  13.5. Common Interface Options ..... 127
  13.6. Interface Options ..... 128
    13.6.1. Security Profile ..... 130
      Common Security Parameters ..... 130
      Replace Address ..... 131
      Replace Service ..... 132
    13.6.2. IP Addresses ..... 133
      Static IP Addresses ..... 133
      Dynamic Addresses Pool ..... 133
      IP Addresses ..... 134
  13.7. VPN Options ..... 135
    13.7.1. IKE Capabilities ..... 135
    13.7.2. IPSec Capabilities ..... 136
    13.7.3. Remote Access VPN ..... 136
  13.8. Tunnel Peer Options ..... 137
    13.8.1. Interface ..... 139
  13.9. Authentication User Definition ..... 139
    13.9.1. flowListIn ..... 142
    13.9.2. flowListOut ..... 142
    13.9.3. flowListExternal ..... 142
14. FireWall-1 Management Server Properties Windows ..... 143
  14.1. Description ..... 143
  14.2. General Options ..... 143
    14.2.1. Include Policy ..... 144
    14.2.2. Security Server ..... 144
      HTTP Servers ..... 145
        HTTP Server ..... 145
    14.2.3. Authentication ..... 145
      Failed Authentication Attempts ..... 145
      Authentication of Users with Certificates ..... 146
      Early Versions Compatibility ..... 146
    14.2.4. Local Security Policy ..... 147
    14.2.5. VPN ..... 149
      CRL Grace Period ..... 149
      IKE Denial of Service protection ..... 150


      Remote Access ..... 150
        Certificates ..... 151
        Secure Configuration Verification ..... 152
    14.2.6. GTP Services ..... 153
      GTP Service ..... 153
    14.2.7. Import ..... 154
  14.3. Upload Configuration ..... 155
    14.3.1. Connection Options ..... 155
    14.3.2. Paths ..... 156
    14.3.3. Authentication ..... 156
    14.3.4. Prompts ..... 157
    14.3.5. FireWall-1 Options ..... 157
15. Provider-1 Management Server Properties Windows ..... 159
  15.1. Description ..... 159
  15.2. General Options ..... 159
    15.2.1. Managed CMAs ..... 159
Index ..... 161


List of Figures

3.1. Overview of the Security Change Manager and Check Point FireWall-1 Concepts ..... 9
3.2. Compilation, Preparation Upload, and Upload ..... 10
4.1. An Example of a NAT Rule ..... 23
5.1. Creation of new OPSEC Application in SmartDashboard ..... 28
5.2. CPMI option enabled ..... 28
5.3. SSL Certification and Encryption Option ..... 29
5.4. Getting Certificate Dialog Box ..... 30
5.5. Clear Option ..... 32
5.6. Creation of a custom gtpv1 service cloning the existing gtpv1 .....
5.7. Defining security policy using custom service ..... 33
5.8. Activation of Check Point GX options in Management Server Properties ..... 34
5.9. GTP Service options ..... 34
5.10. Implicit Rules: Local Security Policy ..... 36
5.11. Security Server ..... 36
5.12. Authentication: Failed Authentication Attempts ..... 37
5.13. Authentication: Users with certificates ..... 37
5.14. Authentication: Early Versions Compatibility ..... 37
5.15. Upload Configuration: Connection Options ..... 38
5.16. Add Managed PEPs ..... 38
6.1. Management Server Properties: Identification ..... 50
6.2. Management Server Properties: Upload Configuration: Connection Options ..... 50
6.3. Management Server Properties: Upload Configuration: Authentication (NG) ..... 51
6.4. Management Server Properties: Upload Address ..... 52
6.5. CheckPoint Import Dialog Box: Choose Elements to be Imported ..... 52
6.6. CheckPoint Import Report ..... 53
6.7. Synchronization Network on Cluster ..... 55
6.8. Policy Audit Through Report interface selection ..... 56
6.9. CheckPoint Import Dialog Box: Import of objects_5_0.C file ..... 56
6.10. CheckPoint Import Dialog Box: Import of rulebase.fws file ..... 57
6.11. CheckPoint Import Dialog Box: Choose Elements to be Imported ..... 58
6.12. CheckPoint Import Dialog Box: Choose Policy to be Imported ..... 58
6.13. CheckPoint Import Report ..... 59
6.14. CheckPoint Import Terminated ..... 60
6.15. Options: Clean Database Before Upload ..... 60
7.1. Upload Configuration Set to Copy Only ..... 65
9.1. VPN Domain Deduction ..... 74
10.1. SIC Authentication Key Activated ..... 77
10.2. Management Server Referenced on the Cluster ..... 78
10.3. Cluster XL Enabled Option ..... 78
10.4. Selection of Cluster Members ..... 79
10.5. Selection of Availability Operation Mode ..... 79
10.6. Selection of Synchronization Network ..... 80
10.7. Example of Cluster ..... 81


List of Tables

2.1. Global Features Support ..... 3
2.2. Firewall Features ..... 3
2.3. Description of Features listed in Table 2.2, "Firewall Features" ..... 4
2.4. NAT Features ..... 5
2.5. Description of Features listed in Table 2.4, "NAT Features" ..... 5
2.6. VPN Features ..... 6
2.7. Management Server Features ..... 7
3.1. Management Server/PEP Compatibility Matrix ..... 11
3.2. Prefixes of the All Generated Objects ..... 12
3.3. Example of the Translation of a Class into Check Point FireWall-1 group ..... 13
3.4. Comments Generated by Check Point FireWall-1 Objects ..... 14
4.1. Security Change Manager Network Object Rules ..... 15
4.2. Security Change Manager Class Object Rules ..... 16
4.3. Translation of Specific Fields ..... 16
4.4. SCM Log Numbers ..... 18
4.5. Translated Security Change Manager Service ..... 21
4.6. Security Change Manager Permission Fields ..... 22
4.7. Security Change Manager NAT Fields ..... 24
5.1. Define a rule on the Management Server ..... 41
6.1. What will be imported/not imported from Check Point FireWall-1 NG and NG AI ..... 46
8.1. VPN: Specific Parameters ..... 68


Chapter 1. Installation

1.1. System Requirements ... 1
1.1.1. Device OS Versions Supported ... 1
1.1.2. Licenses ... 1
1.2. Installation ... 1
1.3. Limitations ... 1
1.3.1. Case Sensitivity ... 1

The synergy between Check Point FireWall-1 and Security Change Manager means increased productivity for the network administrator who must develop rational security policies for complex networks.

1.1. System Requirements

1.1.1. Device OS Versions Supported

For the Check Point FireWall-1 PEPs: NG FP3, NG AI R55, NGX (R60, R62, R65), VSX NGX (R65), R70.

For the Check Point FireWall-1 Cluster: NG FP3, NG AI, NGX (R60, R62, R65), VSX NGX (R65), R70.

For the Firewall-1 Management Server: NG FP3, NG AI, NGX (R60, R62, R65), R70.

For the Provider-1: NGX R65 is supported.

The following devices are also supported:

• Nortel Networks Alteon Switched Firewall: NG FP3, NG AI R55, NGX (R60, R62, R65), VSX NGX (R65), R70

• Nortel Networks ASF Cluster: NG FP3, NG AI R55, NGX (R60, R62, R65), VSX NGX (R65), R70

1.1.2. Licenses

You must have purchased and installed the special Security Change Manager option for use with Check Point FireWall-1. If you do not have this license, you will not be able to create a FireWall-1 PEP or a management server.

1.2. Installation

Follow the directions in the Security Change Manager Installation Guide.

1.3. Limitations

1.3.1. Case Sensitivity

Check Point FireWall-1 NG is case sensitive, so two objects can exist whose names differ only in case. Security Change Manager, however, will not manage them as two distinct devices.


Chapter 2. Features supported on Check Point FireWall-1

2.1. Global Features Support ... 3
2.2. Firewall Features ... 3
2.3. NAT Features ... 5
2.4. VPN Features ... 6
2.5. Management Server Features ... 7

This chapter presents the various Check Point FireWall-1 NG SmartCenter Server features and indicates whether they are supported by Security Change Manager.

Legend for all the following tables:

• Yes: Supported by Security Change Manager
• No: Not supported by Security Change Manager
• N/A: Not Applicable

2.1. Global Features Support

Table 2.1. Global Features Support

Feature | SCM Support
Firewall | Yes
NAT | Yes
VPN | Yes
Management | Yes
Import | Yes

2.2. Firewall Features

Table 2.2. Firewall Features

Feature | SCM Support
ICMP Error | Yes
Thorough Logging | Yes
Central Filtering | Yes
TCP Established | Yes
ICMP Filtering | Yes
Extended IP Filtering | Yes
Stateful Filtering | Yes
Time Control Filtering | Yes
Flow Authentication: Internal User DB | Yes
Flow Authentication: External User DB | Yes
Clustering Support: Failover | Yes
Clustering Support: Load Balancing | Yes
Clustering Support: IPsec cluster | Yes

Table 2.3. Description of Features listed in Table 2.2, “Firewall Features” (page 3)

Function | Description
ICMP Error | The PEP is able to generate by default on denied access an ICMP error message (destination net unreachable) and Security Change Manager is able to configure the device accordingly.
Thorough Logging | The PEP is able to log accepted and refused flows and Security Change Manager is able to configure the device accordingly.
Central Filtering | The PEP is able to perform filtering in its routing table, rather than in its interfaces, and Security Change Manager is able to configure the device accordingly.
TCP Established | The PEP is able to distinguish between a TCP packet used to request establishment of a connection and a standard TCP packet, and Security Change Manager is able to configure the device accordingly. This makes it possible to specify the direction of the TCP flow.
ICMP Filtering | The PEP is able to filter the ICMP protocol and Security Change Manager is able to configure the device accordingly.
Extended IP Filtering | The PEP is able to filter an arbitrary IP protocol other than ICMP, UDP, or TCP and Security Change Manager is able to configure the device accordingly.
Stateful Filtering | The PEP is able to perform dynamic filtering and Security Change Manager is able to configure the device accordingly.
Time-controlled Filtering | The PEP is able to use time filtering and Security Change Manager is able to configure the device accordingly.
Flow Authentication | The PEP is able to use an external User DB for flow authentication. Security Change Manager is able to configure the device to use this DB.

2.3. NAT Features

Table 2.4. NAT Features

Feature | SCM Support
Source NAT: Static | Yes
Source NAT: Unistatic | Yes
Source NAT: Pool | N/A
Source NAT: PAT | Yes
Source NAT: Masquerading | Yes
Destination NAT: Static | Yes
Destination NAT: Unistatic | Yes
Destination NAT: Pool | N/A
Service NAT | Yes
Restrict Application Point | No

Table 2.5. Description of Features listed in Table 2.4, “NAT Features” (page 5)

Function | Description
Static | Capacity to support bi-directional static translation. An address that is translated in this manner will be statically transformed for both outgoing connections and incoming connections.
Unistatic support | Capacity to support uni-directional static translation. A typical example is when one server is to be made available from outside with static translation for incoming communication, while the same server performing outgoing communication will be masqueraded.
Pool | Capacity to support address translation through an address pool.
PAT | Capacity to support Port Address Translation.
Masquerading | Capacity to support Masquerading type of translation (use of the outgoing firewall interface as the source address).
Service NAT | Ability to define NAT transformations restricted to selected IP services.
Restrict Application Point | Ability to apply a NAT rule on a specific interface of the Policy Enforcement Point, thus not affecting traffic not going through this interface.

2.4. VPN Features

Table 2.6. VPN Features

Feature | SCM Support
Gateway - Gateway IPsec VPN: PSK Auth Method | PSK set manually on SmartCenter (CPMI limitation)
Gateway - Gateway IPsec VPN: RSA-Sig Auth Method (PKI) | Yes
Gateway - Gateway IPsec VPN: NAT Traversal | Yes
Gateway - Gateway IPsec VPN: IPsec Keepalive | N/A
Gateway - Gateway IPsec VPN: Dynamic Peer Address | No
Client - Gateway IPsec VPN: PSK Auth Method | Yes (PSK set manually on SmartCenter (CPMI limitation))
Client - Gateway IPsec VPN: RSA-Sig Auth Method (PKI) | Yes
Client - Gateway IPsec VPN: Internal User Database | Yes
Client - Gateway IPsec VPN: External User Database | Yes
Client - Gateway IPsec VPN: Split Tunnelling Management | Yes
Client - Gateway IPsec VPN: NAT Traversal | Yes
Encryption Support: DES | Yes
Encryption Support: 3DES | Yes
Encryption Support: AES (multiple types) | Yes

2.5. Management Server Features

Table 2.7. Management Server Features

Feature | SCM Support
Communication Method: SNMP Refresh | No
Communication Method: Encrypted Upload | Yes, with SSL Certificate & Encryption (OPSEC)
Communication Method: Upload Clear (less secure) | Yes, with definition of the OPSEC Application Distinguished Name (in the Management Server properties)
Management Authentication: Internal User database | Yes
Management Authentication: External Authentication Methods list | N/A
Failsafe | Yes
Rollback | No
Log: Logging Server Configuration | No
Policy: Learning Mode | Yes
Policy: Import | Yes
Clustering Support: Failover | Yes
Clustering Support: Load Balancing | Yes
Clustering Support: IPsec cluster | Yes


Chapter 3. Basic Concepts in Security Change Manager's Interaction with Check Point FireWall-1

3.1. Overview of Check Point FireWall-1 and Security Change Manager Interaction ... 9
3.2. Check Point FireWall-1 Management Server Object ... 10
3.2.1. Management Server ... 11
3.2.2. Management Station ... 11
3.2.3. Two Kinds of PEPs ... 11
3.2.4. Management Server/PEP Compatibility Matrix ... 11
3.3. Generation Process ... 11
3.3.1. Process ... 11
3.3.2. Difference between a Translated Object and a Generated Object ... 12
3.4. Naming Rules for Check Point FireWall-1 Objects ... 12
3.4.1. Example ... 12
3.4.2. Comments Generated for Traceability between Security Change Manager Objects and Check Point FireWall-1 Objects ... 14
3.4.3. Object Colors ... 14
3.5. Upload Preparation ... 14
3.6. Upload Process ... 14

This section describes a number of concepts with which you should be familiar before you learn to upload and compile your policies to a Check Point FireWall-1 PEP.

3.1. Overview of Check Point FireWall-1 and Security Change Manager Interaction

Figure 3.1. Overview of the Security Change Manager and Check Point FireWall-1 Concepts

With Security Change Manager Designer you can define a global security policy for all PEPs that Security Change Manager manages.

To manage a Check Point FireWall-1, Security Change Manager will update and enforce the Security Policy on the Check Point FireWall-1 Management Server using the OPSEC CPMI API on NG.

Therefore, with Security Change Manager you can define all the permissions. As for other PEPs, it will automatically figure out the enforcement points and the anti-spoofing rules attached to each interface. For all other Check Point FireWall-1 concepts not supported by Security Change Manager, a specific generation process has been implemented so that they can still be used. Please see Chapter 7, How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager (page 63) for further information.

Figure 3.2. Compilation, Preparation Upload, and Upload

3.2. Check Point FireWall-1 Management Server Object


3.2.1. Management Server

Security policy is enforced directly on all other PEPs managed by Security Change Manager. However, on a Check Point FireWall-1 PEP, the security policy is uploaded to the Check Point FireWall-1 management server, then Security Change Manager sends the commands to the Check Point FireWall-1 management server to compile and install the security policy on the PEP that it manages. Therefore, a new object in the Security Change Manager map represents the management server object.

3.2.2. Management Station

In this document, when the term "management station" is used, it refers to the station where the management server is installed.

3.2.3. Two Kinds of PEPs

There are two kinds of PEPs:

• Directly Managed PEP: A PEP that can be managed directly from Security Change Manager. Security Change Manager can upload directly on this PEP.

• Indirectly Managed PEP: A PEP that can be managed only through a Management Server object. Security Change Manager can only upload on the management server. It is the management server that will upload on the PEPs.

3.2.4. Management Server/PEP Compatibility Matrix

The following table shows the PEPs that can be managed by each type and version of a management server.

Note that Check Point FireWall-1 NGX R63 is not supported by Security Change Manager.

Table 3.1. Management Server/PEP Compatibility Matrix

Management Server Type & Version | Indirectly Managed PEP Type & Version
Check Point FireWall-1 NG FP3 | Check Point FireWall-1 4.1, NG FP1 to FP3
Check Point FireWall-1 NG AI R55 | Check Point FireWall-1 4.1, NG FP1 to NG AI
Check Point FireWall-1 NGX R62 | Check Point FireWall-1 NGX R60 to R62, NG FP3, NG AI to FP3
Check Point FireWall-1 NGX R65 | Check Point FireWall-1 NGX R60 to R65, NG FP3, NG AI to FP3
Provider-1 NGX R65 | Check Point FireWall-1 NGX R60 to R65, NG FP3, NG AI to FP3

3.3. Generation Process

3.3.1. Process


The process used when translating an SCM object to a Check Point FireWall-1 object is to generate Check Point FireWall-1 objects from the properties set on the SCM network object, and to use additional properties to patch those Check Point FireWall-1 object properties that are not managed in Security Change Manager.

The Check Point FireWall-1 specific object properties can be objects provided by Security Change Manager with default values, or an object whose properties not managed by Security Change Manager have been set on the management server.

3.3.2. Difference between a Translated Object and a Generated Object

A translated object is an SCM object that corresponds to one Check Point FireWall-1 object. This object can be used in security policy rules because its name will not change, even if its contents (for instance, addresses) change. In other words, the object existed as an object in Security Change Manager and can be used as such in Check Point FireWall-1.

A generated object is an SCM object that needed to be created to match the Security Change Manager set of IP addresses or to enforce an option such as anti-spoofing. In other words, the object did not exist as an object in Security Change Manager and had to be invented in order to be used in Check Point FireWall-1. Refer to Table 3.3, “Example of the Translation of a Class into Check Point FireWall-1 group” (page 13).

3.4. Naming Rules for Check Point FireWall-1 Objects

The following rules are applied for the translated Security Change Manager name:

1. Each character that is not allowed by Check Point FireWall-1 is replaced by a '_', except for the first character (where '_' is not allowed), for which a 'Z' is used instead. The character set allowed by Check Point FireWall-1 is: [A-z] [A-z 0-9_-.]*

2. The name is truncated to 90 characters.

Note

When you look at a class or management server assigned inside a network, nexus, or a PEP, it will be translated as in the following example: Network/class becomes network_class.

Recommendation: Create names that begin with a letter and are less than 90 characters long, in order to locate them easily in the Check Point FireWall-1 Policy Editor.

The following rules are applied for the name of a generated object.

1. Generated objects are prefixed by NP_<Letter>. Please see the table below.
2. The name has a <4 digit> suffix to differentiate each generated Check Point FireWall-1 object.

3.4.1. Example

When generating two Check Point FireWall-1 objects whose corresponding Security Change Manager network object is @loglogic.fr (domain), the first one is NP_N_Zloglogic_fr__domain__0000 and the second one is NP_N_Zloglogic_fr__domain__0001.

Table 3.2. Prefixes of All Generated Objects


Prefix | Comments
NP_A | For all generated Check Point FireWall-1 group objects from the Security Change Manager anti-spoofing option.
NP_C | For all generated Check Point FireWall-1 objects from a Security Change Manager Class.
NP_E | For all generated Check Point FireWall-1 group objects from the Security Change Manager expand internet option.
NP_I | For the interface name of the Check Point FireWall-1 Interoperable Device generated from the nexus.
NP_N | For all generated Check Point FireWall-1 objects from a Security Change Manager Network.
NP_O_..VFP_.. | For all generated objects for NAT and limited path zones.
NP_R | For all generated Check Point FireWall-1 range objects from the Security Change Manager NAT rule (in this case the name is built as NP_R<address range>).
NP_S | For all generated and translated Check Point FireWall-1 services.
NP_T | For all generated Check Point FireWall-1 time objects from the Security Change Manager Time definition.

Warning

The Security Change Manager objects that become generated objects will be erased, while translated Security Change Manager objects will be patched. That is, all names will be prefixed by NP_<Letter>_.

Table 3.3. Example of the Translation of a Class into Check Point FireWall-1 group

Security Change Manager | Check Point FireWall-1
@example(ex) | Equivalent group will be: Zexample_ex_
 | Generated network: NP_C_Zexample_ex__001
 | Generated network: NP_C_Zexample_ex__002


In this example, a Security Change Manager class is translated into a Check Point FireWall-1 group that contains two networks generated from the Security Change Manager class contents.
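The naming rules of section 3.4 (disallowed characters replaced by '_', 'Z' for a disallowed first character, truncation to 90 characters, the NP_<Letter>_ prefix and numeric suffix for generated objects) together with the case-sensitivity limitation of section 1.3.1, as an added Python illustration. This is not LogLogic code: the function names are my own, the allowed character set is assumed to be letters, digits, '_' and '-' (the manual's own example maps '.' to '_', and the character-set expression above is garbled in this copy), and the suffix is assumed to be four digits wide as the rules state (Table 3.3 shows three).

```python
"""Translate SCM object names into Check Point FireWall-1 names following the
rules of section 3.4, and flag existing FireWall-1 names that collide once
case is ignored (the limitation of section 1.3.1).

Added illustration, not LogLogic code. Assumptions: the allowed character set
is letters, digits, '_' and '-' (the manual's own example turns '.' into '_');
generated-object suffixes are four digits wide, as stated in the rules.
"""
import re
from typing import Dict, List

MAX_NAME_LEN = 90                        # rule 2: translated names are cut to 90 chars
_FIRST_OK = re.compile(r"[A-Za-z]")      # assumed: first character must be a letter
_REST_OK = re.compile(r"[A-Za-z0-9_-]")  # assumed: remaining characters


def translate_name(scm_name: str) -> str:
    """Rule 1: every disallowed character becomes '_', except a disallowed
    first character, which becomes 'Z' ('_' is not allowed in first position).
    Rule 2: the result is truncated to MAX_NAME_LEN characters."""
    if not scm_name:
        return "Z"  # assumption: an empty name still needs a legal first character
    first = scm_name[0] if _FIRST_OK.match(scm_name[0]) else "Z"
    rest = "".join(ch if _REST_OK.match(ch) else "_" for ch in scm_name[1:])
    return (first + rest)[:MAX_NAME_LEN]


def generated_name(letter: str, scm_name: str, index: int) -> str:
    """Generated objects carry the NP_<Letter>_ prefix and a 4-digit suffix,
    e.g. NP_N_... for a network or NP_C_... for a class (Table 3.2)."""
    return f"NP_{letter}_{translate_name(scm_name)}_{index:04d}"


def generated_names(letter: str, scm_name: str, count: int) -> List[str]:
    """Names of all `count` objects generated from one SCM object."""
    return [generated_name(letter, scm_name, i) for i in range(count)]


def case_collisions(fw1_names: List[str]) -> Dict[str, List[str]]:
    """FireWall-1 NG is case sensitive, SCM is not: names that differ only in
    case are two objects on the management server but one device in SCM.
    Return every group SCM would fold together, keyed by the folded name, so
    the inventory can be checked before a policy upload."""
    groups: Dict[str, List[str]] = {}
    for name in fw1_names:
        groups.setdefault(name.lower(), []).append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    # The manual's worked example: @loglogic.fr (domain) as an SCM network.
    for name in generated_names("N", "@loglogic.fr (domain)", 2):
        print(name)
    # Constructed object inventory with one case-only collision.
    print(case_collisions(["Web_Srv", "web_srv", "db_srv"]))
```

Running the module reproduces the two names quoted in the example above; case_collisions is the pre-upload check that makes the section 1.3.1 limitation visible instead of silent.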

3.4.2. Comments Generated for Traceability between Security Change Manager Objects and Check Point FireWall-1 Objects

The following table shows the comments generated for traceability between Security Change Manager objects and Check Point FireWall-1 objects.

Table 3.4. Comments Generated by Check Point FireWall-1 Objects

Check Point FireWall-1 object type | Comments generated
Translated object | Translated from LogLogic <object type> '<object name>' at <Date> {<object comments content>}
Generated object | Generated from LogLogic <object type> '<object name>' at <Date>

3.4.3. Object Colors

To differentiate translated objects easily from generated objects, translated objects are blue and generated objects are cyan. These colors can be customized in the management server properties window (in Upload Configuration → Firewall-1 Options). Please refer to the Security Change Manager Reference Guide for more information.

3.5. Upload Preparation

The Check Point FireWall-1 PEP requires an upload preparation step before upload is carried out. Upload preparation has one or both of the following functions:

• Merges a Security Change Manager policy with pre-existing filters loaded in the PEP's memory
• Creates filters combining a Security Change Manager policy definition with a Check Point FireWall-1 object definition that contains concepts not supported by Security Change Manager.

Upload preparation on Check Point FireWall-1 takes many management server parameters into account.

3.6. Upload Process

The upload between Security Change Manager and the Check Point FireWall-1 Management Server uses secure communication through OPSEC CPMI.

Upload on the management server allows you to stop the process at different steps by setting the policy parameter in the upload window.

• Copy Only: Stops immediately after copying.
• Upload on PEPs: Stops after copying, compiling, and uploading the security policy on the PEPs that it manages.


Chapter 4. How Security Change Manager Objects Map to Check Point FireWall-1

4.1. Translation of Network Objects ... 15
4.2. Translation of Class Objects ... 16
4.3. Translation of Management Server Objects ... 16
4.3.1. Check Point Host Default Fields or Check Point Gateway ... 17
4.3.2. Check Point FireWall-1 Interoperable Default Fields ... 18
4.4. Translation of Nexus Objects ... 18
4.5. Translation of PEP Objects ... 18
4.5.1. A Translated Security Change Manager Check Point FireWall-1 PEP ... 18
4.5.2. Specific Translated Fields ... 18
Log ... 18
Interface Netmask ... 19
Anti-Spoofing ... 19
4.5.3. Check Point Gateway or Externally Managed Gateway Default Fields ... 19
Process ... 19
4.6. Translation of Services ... 19
4.6.1. Generation Process ... 19
Principle ... 19
Syntax of the Mapping Table ... 20
Example ... 20
4.6.2. A Translated Security Change Manager Service ... 20
Naming Convention ... 21
Security Change Manager IGMP Translated Fields ... 21
4.7. Translation of Implicit Generated Objects ... 21
4.7.1. Anti-spoofing ... 22
4.7.2. Expand Internet: Objects Generated ... 22
4.8. Translation of Permissions ... 22
4.9. Translation of Time Definition Rules ... 22
4.9.1. What cannot be translated ... 22
4.10. Translation of NAT Rules ... 22
4.10.1. Example ... 22
4.10.2. Rules ... 23
4.10.3. Security Change Manager NAT Rules Translated Fields ... 23
4.11. Translation of Limited Path Zones ... 24
4.12. Translation of Default Objects ... 24
4.12.1. All Networks ... 24
4.12.2. All PEPs ... 24
4.13. Translation of User Authentication ... 24

This chapter explains how each Security Change Manager object is translated into a Check Point FireWall-1 object.

4.1. Translation of Network Objects

Since a Check Point FireWall-1 Network object can be defined with only one IP address and a netmask, and since an SCM network may be linked to more than one Check Point FireWall-1 object, an SCM network will be translated into a group that will contain the Check Point FireWall-1 address ranges.

Table 4.1. Security Change Manager Network Object Rules


Case # | Security Change Manager Network | Check Point FireWall-1 Objects
1 | The Security Change Manager network is defined with more than one IP address and a netmask, or with an IP address range that is not netmaskable | A group that contains either a set of networks or ranges (ranges only if the management server manages NG PEP versions), each defined with only one IP address and a netmask, so that the set of networks matches the Security Change Manager networks. Note: The name of the network created is prefixed by NP_N to remind you that it came from a Security Change Manager network.
2 | A Security Change Manager network containing a * address (internet) | Check Point FireWall-1 Any object.

4.2. Translation of Class Objects

The Security Change Manager Class objects are translated into Check Point FireWall-1 objects using the following rules:

Table 4.2. Security Change Manager Class Object Rules

Case # | Security Change Manager Class | Check Point FireWall-1 Objects
1 | A set of objects and/or a set of addresses and/or a set of single IP addresses | A group that contains all the objects specified in the Security Change Manager Class, plus either all created networks or ranges.
2 | A Security Change Manager class containing a * or an object containing a * at any level | Check Point FireWall-1 Any object.

4.3. Translation of Management Server Objects

A management server is represented where each IP address of the Security Change Manager is translated into an interface.

Note

The interface name will be automatically generated with the prefix NP_I.

Table 4.3. Translation of Specific Fields


SCM Management Server fields | Check Point FireWall-1 Mgt Server Properties NG FP3 and NG AI R55
Upload Configuration → FireWall-1 Options → Upload Only if Successful on ALL Managed PEPs | This parameter will be used during the installation of the security policy on the PEPs
General Options → Local Security Policy → Log Implied Rules | Global Properties → FireWall → Log Implied Rules
General Options → Local Security Policy → Accept VPN-1 & Check Point FireWall-1 Control Connections | Global Properties → FireWall → Accept VPN-1 & FW-1 Control Connections
General Options → Local Security Policy → Accept Remote Access Control Connections | Global Properties → FireWall → Accept Remote Access Control Connections
General Options → Local Security Policy → Accept RIP | Global Properties → FireWall → Accept RIP
General Options → Local Security Policy → Accept Domain Name Over UDP (Queries) | Global Properties → FireWall → Accept Domain Name Over UDP (Queries)
General Options → Local Security Policy → Accept Domain Name Over TCP (Zone Transfer) | Global Properties → FireWall → Accept Domain Name Over TCP (Zone Transfer)
General Options → Local Security Policy → Accept ICMP | Global Properties → FireWall → Accept ICMP requests
General Options → Local Security Policy → Accept Outgoing Packets Originating From Gateway | Global Properties → FireWall → Accept Outgoing Packets Originating From Gateway
General Options → Local Security Policy → Accept CPRID Connections (SmartUpdate) | Global Properties → FireWall → Accept control connections
General Options → Local Security Policy → Accept Dynamic Address Modules' DHCP traffic | Global Properties → FireWall → Accept dynamic address modules' DHCP traffic

4.3.1. Check Point Host Default Fields or Check Point Gateway

The following Check Point Host options will not be modified by Security Change Manager.

• General → Modules Installed
• General → Color
• General → Web Server
• NAT
• Smart Directory
• Smart View Monitor
• User Authority Server
• User Authority Web Access
• FireWall-1 GX
• Logs and Masters
• Capacity Optimization
• Advanced

4.3.2. Check Point FireWall-1 Interoperable Default Fields

These fields in the interoperable device can be changed by the network administrator.

They will not change during the generation process:

• General → Colors
• FireWall-1 GX tab

4.4. Translation of Nexus Objects

This object is translated into a gateway node, where each IP address of the Security Change Manager will be translated into an interface.

Note

The interface name will be automatically generated with the prefix NP_I.

4.5. Translation of PEP Objects

4.5.1. A Translated Security Change Manager Check Point FireWall-1 PEP

A FireWall-1 NG PEP is represented by a Check Point Gateway on the Management Server that manages it, and by an externally managed Check Point gateway on a Management Server that does not manage it.

4.5.2. Specific Translated Fields

Log

Note

The anti-spoofing log is enforced when the Log Level for the Default Rule is set in Interfaces → Interface Name → Options, or when the log is set in the permission. Note that when an Account is set on a deny flow, it will be automatically transformed into a log, because Accounting is not allowed for deny or drop rules on Check Point FireWall-1.

Table 4.4. SCM Log Numbers

Case # | Security Change Manager | Check Point FireWall-1
1 | Log | Log
2 | Account | Log
3 | Alert | Alert
4 | Mail | Log
5 | SnmpTrap | Log
6 | User Defined | Log
7 | User Defined2 | Log
8 | User Defined3 | Log
Other numbers | Log | Log

Interface Netmask

In order to specify the interface netmask, you can type the interface IP address with the netmask. If not, the netmask of the object it is connected to will be used.

Anti-Spoofing

If the generated anti-spoofing rule is set on the Check Point FireWall-1 PEP, a group will be automatically generated and attached to the interface of the Check Point Gateway.

4.5.3. Check Point Gateway or Externally Managed Gateway Default Fields

In NG, the following fields will be changed during generation.

Process

• General → Color
• General → Additional Products
• Remote Access → Clientless VPN
• Smart Directory (LDAP)
• Log and Masters
• Capacity Optimization
• Advanced

4.6. Translation of Services

4.6.1. Generation Process

Principle

The service mapping table is stored in the fw1MgtServer.xml file and defines the relation between Security Change Manager and Check Point FireWall-1 services. The table takes into account differences between the 4.0 version, the 4.1 version, NG FP3, NG AI R55, NGX (R60, R62, R65) and R70 versions.


When the security policy is generated, for each service:

• If the service is in the mapping table, the entry will be used to find the corresponding Check Point FireWall-1 service name for the generation.

• If the service is not in the mapping table, a Check Point FireWall-1 custom service will be generated if possible.

Syntax of the Mapping Table

<SingleCapability name="service_<scm Service>" type="string" value="<FW-1 service>" hidden="yes" const="yes"/>

... indicates that <scm service> is mapped with <FW-1 service> for any version of Check Point FireWall-1.

To specify for which versions that mapping is available, insert one of the following lines after the SingleCapability line (do not forget to remove the "/" character at the end of the preceding line, i.e. in const="yes"/>):

• <Condition type="version" dependency="version" min="4.0.0" max="4.0.99"/>
  to indicate the range in which the mapping is right.
• <Condition type="version" dependency="version" min="4.0.0"/>
  to indicate from which version the mapping is right.
• <Condition type="version" dependency="version" max="4.1.0"/>
  to indicate the version up to which the mapping is right.

Then add the </SingleCapability> tag at the end to close the <SingleCapability> definition.

Note

Check Point FireWall-1 service names are case sensitive, while Security Change Manager service names are case insensitive.

Example

<SingleCapability name="service_ike" type="string" value="IKE" hidden="yes" const="yes">
    <Condition type="version" dependency="version" min="4.1.0"/>
</SingleCapability>

<SingleCapability name="service_ike" type="string" value="ISAKMP" hidden="yes" const="yes">
    <Condition type="version" dependency="version" min="4.0.0" max="4.0.99"/>
</SingleCapability>
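As an added example, not part of this manual or of the Security Change Manager product, the following Python script reads a mapping table in the syntax described above and resolves the Check Point FireWall-1 service name for a given Security Change Manager service and Check Point version. It assumes a <Capabilities> root element around the SingleCapability entries (the page does not show the real root of fw1MgtServer.xml), treats version strings as dotted integers padded to three components, applies the case rule from the note above by lowercasing SCM service names before lookup, and, for an unmapped service, builds a custom name from the NP_S_ prefix plus the SCM service name (the suffix is an assumption; the page only specifies the prefix). The sample table is constructed for the example.

```python
"""Resolve SCM -> Check Point FireWall-1 service mappings from a
fw1MgtServer.xml-style table (added example, constructed sample data)."""
import xml.etree.ElementTree as ET

# Constructed sample in the syntax described in the manual. The
# <Capabilities> root element is an assumption: the page does not show
# the real root element of fw1MgtServer.xml.
SAMPLE_TABLE = """<Capabilities>
  <SingleCapability name="service_ike" type="string" value="IKE" hidden="yes" const="yes">
    <Condition type="version" dependency="version" min="4.1.0"/>
  </SingleCapability>
  <SingleCapability name="service_ike" type="string" value="ISAKMP" hidden="yes" const="yes">
    <Condition type="version" dependency="version" min="4.0.0" max="4.0.99"/>
  </SingleCapability>
  <SingleCapability name="service_http" type="string" value="http" hidden="yes" const="yes"/>
</Capabilities>
"""


def parse_version(text):
    """'4.0.99' -> (4, 0, 99); '4.1' -> (4, 1, 0). Tuples compare component-wise,
    and padding keeps '4.1' from sorting below '4.1.0'."""
    parts = [int(part) for part in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def version_allowed(condition, version):
    """Apply one <Condition type="version"> element. min and max are optional;
    when present they bound the versions the mapping covers."""
    lower, upper = condition.get("min"), condition.get("max")
    if lower is not None and version < parse_version(lower):
        return False
    if upper is not None and version > parse_version(upper):
        return False
    return True


def load_mapping(xml_text):
    """Return [(scm_service_lowercase, fw1_service, [version Condition elements])].
    File order is preserved: the first entry whose conditions hold wins."""
    entries = []
    for cap in ET.fromstring(xml_text).iter("SingleCapability"):
        name = cap.get("name", "")
        if not name.startswith("service_"):
            continue  # other capabilities in the file are not service mappings
        scm_service = name[len("service_"):].lower()  # SCM names are case insensitive
        conditions = [c for c in cap.findall("Condition") if c.get("type") == "version"]
        entries.append((scm_service, cap.get("value"), conditions))
    return entries


def resolve_service(entries, scm_service, fw1_version):
    """Check Point service name for scm_service on fw1_version, or None when no
    entry applies (the generator then falls back to a custom service)."""
    version = parse_version(fw1_version)
    wanted = scm_service.lower()
    for name, fw1_service, conditions in entries:
        if name == wanted and all(version_allowed(c, version) for c in conditions):
            return fw1_service  # FW-1 names are case sensitive: returned exactly as stored
    return None


def generated_service_name(entries, scm_service, fw1_version):
    """Mapped name if one exists, otherwise an NP_S_-prefixed custom service name.
    Assumption: the page specifies only the NP_S_ prefix, not the rest of the name."""
    mapped = resolve_service(entries, scm_service, fw1_version)
    return mapped if mapped is not None else "NP_S_" + scm_service


ENTRIES = load_mapping(SAMPLE_TABLE)

if __name__ == "__main__":
    for svc, ver in (("IKE", "4.1.0"), ("ike", "4.0.5"), ("ike", "3.9.0"), ("MyApp", "4.1.0")):
        print(f"{svc:6} on FW-1 {ver}: {generated_service_name(ENTRIES, svc, ver)}")
```

Running the script shows the same SCM service ("ike") resolving to IKE on 4.1.0 and to ISAKMP on 4.0.5, and an unmapped service falling back to a generated name, which is the behaviour the two bullets at the start of this section describe.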

4.6.2. A Translated Security Change Manager Service


Table 4.5. Translated Security Change Manager Service

Case | Security Change Manager service | Check Point FireWall-1 objects
1 | The service contains one protocol permission | The Check Point FireWall-1 service that maps to the Security Change Manager service type
2 | The service contains more than one protocol permission or service | A group of services
3 | The service contains a service that cannot be translated into Check Point FireWall-1 (a flow from server to client) | Error

Naming Convention

Note

All generated and translated Check Point FireWall-1 services are prefixed with NP_S_ because they are generated anew at each compilation.

Check Point FireWall-1 does not allow a permission from server to client to be defined easily, so when a Security Change Manager service contains only such a permission, the following error message occurs:

Error: The Security Change Manager service <service name> couldn't be described in the Check Point FireWall-1 <PEP name> database. Associate it with an existing Check Point FireWall-1 service in the mapping table (refer to the documentation for more information).

When the service contains a permission from server to client together with another type of permission, the following message occurs:

Warning: The return flow of scm service <service name> couldn't be well described in the Check Point FireWall-1 <PEP name> database. It is recommended to associate it with an existing Check Point FireWall-1 service in the mapping table (refer to the documentation for more information).

Security Change Manager IGMP Translated Fields

The IGMP message name/number is ignored, so the filter is less accurate than in Security Change Manager. Therefore, a warning message occurs:

Warning: IGMP message name is not supported by Check Point FireWall-1. It is recommended to associate it with an existing Check Point FireWall-1 service in the mapping table (refer to the documentation for more information).

4.7. Translation of Implicit Generated Objects


4.7.1. Anti-spoofing

To manage anti-spoofing, Security Change Manager must generate a group that contains all network objects allowed to pass through that interface. All the (allowed) networks already exist as Check Point FireWall-1 objects created by Security Change Manager, so only the group that contains them has to be defined. The generated name is NP_A_<PEP FW-1>_<interface name>_<4 digits>.

4.7.2. Expand Internet: Objects Generated

To implement the Expand Internet PEP option, objects that match all networks except the internal network are generated. To do that, a group of networks that matches "all possible networks - internal network" is created with the name NP_E__INTERNET. The generated objects are prefixed with NP_E__INTERNET.

4.8. Translation of Permissions

Security Change Manager permission objects are translated into Check Point FireWall-1 security rules.

Note

Several Security Change Manager permissions may be merged into a single FireWall-1 security rule after the reduction compilation phase.

Table 4.6. Security Change Manager Permission Fields

Security Change Manager permission field | Check Point FireWall-1 rule field
Options -> Allow/Deny | Allow -> accept
 | Deny, with the Generate ICMP Error Message option set on the PEP or on the flow -> reject
 | Deny -> drop
Options -> Log | Track (see Table 4.4, "SCM Log Numbers" (page 18))

4.9. Translation of Time Definition Rules

Security Change Manager Time Definitions are translated into a group of time definitions.

4.9.1. What cannot be translated

• Year: the year is ignored.
• Day of the week in a specific month (all Mondays of March, for example): the month is ignored in this case.

4.10. Translation of NAT Rules

4.10.1. Example


Figure 4.1. An Example of a NAT Rule

The NAT rule on Check Point FireWall-1 indicates that the class P of network N1 is translated into 124.2.*.

The rule between N1 and N2 must be enforced as follows:

• On FW1: allow N1 -> N2, with the original addresses, because on Check Point FireWall-1 NAT is applied after IP filtering.

• On FW2 and the Cisco: N1 is seen as {121.* except 121.2.*} + 124.2.*. Therefore the allowed rule is N1' = {121.1.* + 121.3.0.0-121.255.255.255 + 124.2.*} -> N2.

4.10.2. Rules

• An object corresponding to this view of N1 is created on FW2 as NP_O_N1_VFP_FW2_<service name>_N2.

• In each rule enforced on a Check Point FireWall-1 PEP where a source or destination is used in a NAT rule, a new object must be created to represent that source or destination from the point of view of that PEP.

• The name of these new objects is NP_O_<object name>_VFP_<PEP name>_<service name>_<destination object>, where "object name" can be any kind of Security Change Manager object (a network, a class, a nexus, a PEP or a management server).

Note
VFP is an abbreviation for "View from PEP".

• The generated object is a group that contains networks, even if the SCM object is a PEP or a management server.

• For each NAT rule, a destination object and a source object are created.
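The following Python script is an added example, not code from this manual or from the Security Change Manager product. It computes the two kinds of address sets the generator has to materialise as Check Point groups: the complement of the internal networks behind the NP_E__INTERNET object of Section 4.7.2, and the "view from PEP" object of this section for a network whose block is statically translated by an upstream firewall. The networks and the NAT rule are constructed here to approximate the example above (Figure 4.1 is not reproduced on this page), and the naming helper follows the NP_O_<object name>_VFP_<PEP name>_<service name>_<destination object> convention. A NAT rule that straddles a network boundary is rejected rather than silently truncated, because an exclusion that is quietly dropped widens what the generated rule allows.

```python
"""Address sets behind generated Check Point groups (added example):
NP_E__INTERNET complement (section 4.7.2) and "view from PEP" (section 4.10)."""
from ipaddress import ip_address, ip_network, collapse_addresses


def exclude_all(base_nets, holes):
    """Return base_nets with every network in holes carved out.

    Each hole must lie entirely inside one base network or be disjoint from
    all of them. A hole that only partly overlaps a base network raises,
    because truncating it silently would make the result too permissive.
    """
    remaining = [ip_network(str(n)) for n in base_nets]  # accepts strings or network objects
    for hole in (ip_network(str(h)) for h in holes):
        kept = []
        for net in remaining:
            if hole.subnet_of(net):
                kept.extend(net.address_exclude(hole))  # yields nothing when hole == net
            elif hole.overlaps(net):
                raise ValueError(f"{hole} straddles {net}")
            else:
                kept.append(net)
        remaining = kept
    return sorted(collapse_addresses(remaining))


def expand_internet(internal_nets):
    """Section 4.7.2: 'all possible networks - internal network', i.e. the
    members of the generated NP_E__INTERNET group."""
    return exclude_all(["0.0.0.0/0"], internal_nets)


def view_from_pep(network, static_nat_rules):
    """Section 4.10: how `network` is seen from a PEP downstream of the firewall
    applying `static_nat_rules`, a list of (real, translated) subnet pairs.
    Untranslated addresses stay; translated blocks are replaced by their
    NAT-ed counterparts."""
    net = ip_network(network)
    holes, translated = [], []
    for real, xlat in static_nat_rules:
        real, xlat = ip_network(real), ip_network(xlat)
        if real.prefixlen != xlat.prefixlen:
            raise ValueError(f"static NAT {real} -> {xlat}: subnet sizes differ")
        if real.subnet_of(net):  # rules for unrelated address space do not change this object
            holes.append(real)
            translated.append(xlat)
    return sorted(collapse_addresses(exclude_all([net], holes) + translated))


def vfp_object_name(obj, pep, service, dest):
    """Naming convention from section 4.10.2 for the generated VFP group."""
    return f"NP_O_{obj}_VFP_{pep}_{service}_{dest}"


def covers(nets, address):
    """True if `address` falls inside one of `nets`."""
    addr = ip_address(address)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    # Constructed topology: two internal networks and N1 = 121.0.0.0/8 whose
    # 121.2.0.0/16 block is statically translated to 124.2.0.0/16 on FW1.
    internet = expand_internet(["10.0.0.0/8", "192.168.1.0/24"])
    print("NP_E__INTERNET members:", [str(n) for n in internet])
    n1_from_fw2 = view_from_pep("121.0.0.0/8", [("121.2.0.0/16", "124.2.0.0/16")])
    print(vfp_object_name("N1", "FW2", "http", "N2"), [str(n) for n in n1_from_fw2])
```

The script prints the member networks of NP_E__INTERNET and of NP_O_N1_VFP_FW2_http_N2; the latter no longer contains any 121.2.* address but does contain 124.2.0.0/16, which is exactly the N1' set written out in the example above.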

4.10.3. Security Change Manager NAT Rules TranslatedFields


Table 4.7. Security Change Manager NAT Fields

Security Change Manager NAT field | Check Point FireWall-1 rule field
Static on Source or Destination | Static on Source or Destination
Pool on Source or Destination | Not supported
PAT | Hide (an error is raised if the PAT range contains more than one address)
Masquerading | Hide with the interface address

4.11. Translation of Limited Path Zones

Consider a permission between a source object and a destination class that contains two objects, A and B. If the source object and object A belong to different limited path zones that do not allow traffic between them, the permission is enforced only from the source to B.

To reflect this in the Check Point FireWall-1 database, a Check Point FireWall-1 group named NP_O_<object name>_VFP_<PEP name> is generated, where <object name> is the class and <PEP name> is the PEP on which the rule is enforced. In the example above, the generated group contains only object B, the member the source is actually allowed to reach.

4.12. Translation of Default Objects

4.12.1. All Networks

The class "all networks" is translated into a Check Point FireWall-1 group object that contains all networks defined in Security Change Manager, except the networks whose IP address contains '*'.

The name of the generated object is Zall_internal_domains.

4.12.2. All PEPs

The class "all PEPs" is translated into a Check Point FireWall-1 group object that contains all PEPsdefined in Security Change Manager.

The name of the generated object is Zall_routers.

4.13. Translation of User Authentication

To define a user authentication permission, refer to "Authenticate Users on a Permission" in the Security Change Manager User Guide or in the on-line help.

Security Change Manager supports the authentication implementation of Check Point FireWall-1 NG.

Both Check Point FireWall-1 and Security Change Manager offer three types of authentication:

• User Authentication
• Client Authentication
• Session Authentication


An authentication rule is defined by a source (the user group appended to the network location of the user), a destination and one of the three authentication methods (User Authentication, Client Authentication or Session Authentication).

In Security Change Manager Designer, define the authentication on the permission in the Permission Properties window by selecting Actions → Authentication → Application Point and adding the required PEPs.

Note

The User Authentication method is available only for http, ftp, rlogin and telnet.

For each method, implicit permissions are created.

Authentication parameters of the management server and of Check Point FireWall-1 can be defined on the corresponding Security Change Manager objects.


Chapter 5. How to Define and Deploy a Security Policy on Check Point FireWall-1

5.1. First Use of Check Point FireWall-1 (page 27)
  5.1.1. SSL Certification and Encryption Procedure (page 27)
  5.1.2. Clear OPSEC Connection Type Procedure (page 31)
5.2. Configure a Check Point GX Management Server (page 32)
  5.2.1. First step: Creating custom services and defining the policy (page 33)
  5.2.2. Second step: Defining precisely the custom services (page 33)
5.3. Define and Deploy a Policy (page 35)
  5.3.1. Step 1: Defining the Secure Topology (page 35)
  5.3.2. Step 2: Security Policy Definition (page 39)
  5.3.3. Step 3: Audit (page 39)
  5.3.4. Step 4: Define Rules (page 39)
  5.3.5. Step 5: Compile the Security Policy (page 39)
  5.3.6. Step 6: Prepare Upload on Each Directly-Managed PEP and Each Management Server (page 40)
    Prerequisites (page 40)
    Procedure (page 40)
  5.3.7. Step 7: Deploy the Policy (page 40)
5.4. Define and Manage an Existing Policy (page 41)
  5.4.1. Purpose (page 41)
  5.4.2. Prerequisites (page 41)
  5.4.3. Step 1: Perform a Check Point FireWall-1 Import (page 41)
  5.4.4. Step 2: Secure Topology Definition, if You Do Not Perform an Import (page 42)
  5.4.5. Other Steps (page 43)
5.5. Create an Authentication Rule (page 43)

This chapter lists the steps required to define a security policy in Security Change Manager Designer and to deploy that policy on a Check Point FireWall-1 PEP.

5.1. First Use of Check Point FireWall-1

You need to establish communication between Security Change Manager and Check Point FireWall-1, either via SSL Certification and Encryption (recommended) or in Clear (not recommended, since the connection is then neither authenticated nor encrypted).

This is set in the SCM Management Server Properties window by defining the OPSEC Connection Type option in Upload Configuration → Connection Options.

5.1.1. SSL Certification and Encryption Procedure

Procedure 5.1. Using SSL Certification and Encryption

1. Log onto the SmartCenter with the SmartDashboard.
2. In the Objects Tree list, select the Servers and OPSEC Applications → OPSEC Applications node, right-click it and select New → OPSEC Application to create a new OPSEC Application.


Figure 5.1. Creation of new OPSEC Application in SmartDashboard

3. In the OPSEC Application Properties window:

a. Give a name to the OPSEC Application and remember it.
b. Select a host using the Host pull-down menu.
c. Tick the CPMI checkbox in the Client Entities panel to enable CPMI.

Note

Select no other options: no Server Entities, and no Client Entities other than CPMI. The OPSEC application should carry only the capability Security Change Manager actually needs.

Figure 5.2. CPMI option enabled


d. Click the Communication button.
e. In the Communication dialog box, enter a password (called "activation key" in this GUI) and remember it.
f. Click the Initialize button, then click Close to close the Communication dialog box.
g. Click OK to close the OPSEC Application Properties window.

4. Save your settings with File → Save and close the SmartDashboard.
5. Connect to the Security Change Manager Designer.
6. Create your map, open the Management Server Properties window and select the Upload Configuration → Connection Options view.

a. Set the OPSEC Connection Type option to SSL Certification and Encryption.

Figure 5.3. SSL Certification and Encryption Option


b. For the OPSEC Application name option, type in the same name as the one you set in the SmartDashboard.

c. Click OK to validate your settings and close the Management Server Properties window.

7. Right-click the Management Server object and select Import → FW1-Import... from the contextual menu.

The Import in Progress window opens.

8. Several dialog boxes then prompt you for information:

a. When prompted for a username/password, enter those you previously used to connect to the SmartCenter with the SmartDashboard, and click OK.

b. When prompted for a new certificate in the Getting Certificate dialog box, select Yes from the pull-down menu and click OK.

Figure 5.4. Getting Certificate Dialog Box


c. When prompted for the certificate's password, enter the one you provided during the creation of the OPSEC Application and click OK.

The import begins with the last opened policy.

Note

During the first upload preparation, Security Change Manager requests the password that you wrote down in step 3 in order to obtain the certificate from the Check Point FireWall-1 Management Server.

If the certificate is changed on the Check Point FireWall-1 Management Server, Security Change Manager detects this and requests the new certificate.

If for some reason this method fails, you may receive an error beginning with "SIC error...". This means the certificate has already been issued to Security Change Manager: you need to reset it by deleting the certificate in Security Change Manager and following the steps above again.

To delete the certificate in Security Change Manager:

1. Go to the Manager8.2\data\authentication\certificate directory.
2. Delete the <Management Server name>_<OPSEC Application name>.p12 file and the corresponding .sicname file.

For more information on this topic, see the LogLogic Knowledge Base at http://www.loglogic.com/services/support/index.php (registered customers only).

5.1.2. Clear OPSEC Connection Type Procedure


Procedure 5.2. Using Clear

Using the Clear option is not recommended, since the connection is then neither authenticated nor encrypted: anyone on the path between Security Change Manager and the Management Server can read or alter the policy being uploaded.

1. Create an OPSEC application on the Management Server through the Check Point FireWall-1 SmartDashboard with the CPMI option enabled (in the Client Entities panel of the OPSEC Application Properties window).

2. Create the associated certificates by clicking the Communication button. Write down and remember the Application Distinguished Name.

3. Modify the SIC policy file (sic_policy.conf) so that the communication between the Check Point FireWall-1 Management Server and Security Change Manager accepts clear connections. Refer to the Check Point FireWall-1 OPSEC connection configuration guideline at:

http://www.opsec.com/developer/gw_comm_mode.html

4. In Security Change Manager Designer, open the Management Server object Properties window and:

a. Select the Upload Configuration → Connection Options view.
b. Set the OPSEC Connection Type option to Clear.
c. For the OPSEC Application Distinguished Name option, type in the same name as the one you set in the SmartDashboard.

Figure 5.5. Clear Option

d. Click OK to validate your settings and close the Management Server Properties window.

5.2. Configure a Check Point GX Management Server

This section describes how to define a Check Point GX Management Server in Security Change Manager.


The main feature of GX for telecom operators is the protocol inspection of GTP tunnels. The way of configuring GTP traffic inspection recommended by Check Point is to create new services inheriting from one of the four predefined GTP services and then to fine-tune them with specific settings (only gtp_v0_default and gtp_v1_default have meaningful options). These services are:

• gtp_mm_v0_default
• gtp_mm_v1_default
• gtp_v0_default
• gtp_v1_default

The feature is activated by creating permissions having:

• a GTP service as the service, and
• either hosts as source or destination (the hosts representing the SGSN and GGSN in GTP terminology) or a handover group as source or destination.

Handover groups are a new kind of object introduced in GX. They are groups of hosts carrying a special flag that identifies them as handover groups. In Security Change Manager, they are represented as meta-classes to which the optional "Handover Group" flag is added.

5.2.1. First step: Creating custom services and defining the policy

1. First create custom services in the Security Change Manager Designer Service Editor, based on the existing GTP services.

2. Then define your security policy as usual, using the newly created services.

Figure 5.7. Defining security policy using custom service

5.2.2. Second step: Defining precisely the custom services

The Management Server properties in SCM display a group of GTP Services options allowing you to add or create new Check Point-specific GTP-inspecting services.

After you have selected an SCM service and the Check Point-specific GTP inspection options, the custom services are created when the upload is made on the Check Point management server. See the implementation example displayed in Figure 5.9, "GTP Service options" (page 34). Through this group of options you can:

• add a new custom GTP service,
• choose which existing service to customize, and
• select the appropriate options, that is to say the options which have been selected in the SmartDashboard.

1. Open the Management Server Properties window (by double-clicking the Management Server object).

2. In the General Options view, set the Is the management server a Check Point GX? option to Yes.

Figure 5.8. Activation of Check Point GX options in Management Server Properties

A GTP Services sub-node appears under the General Options node.

3. In the GTP Services view, click the AddGTPServiceTemplate icon.

A list of options appears allowing you to define a custom GTP Service. See Section 14.2.6, "GTP Services" (page 153) for further information about these options.

Figure 5.9. GTP Service options


5.3. Define and Deploy a Policy

This is the procedure to define and deploy a security policy.

5.3.1. Step 1: Defining the Secure Topology

Note

Some of the screens that follow may appear slightly different on your computer, depending on the version of the Check Point FireWall-1 devices you are using.

Recommendation: create names that begin with a letter and are shorter than 90 characters, so that they can be located easily in the Check Point FireWall-1 Policy Editor.

Refer to the Security Change Manager User Guide and perform the following tasks:

1. Create the "physical" level: Network, Nexus, PEPs, etc.

2. Create the "conceptual" level.

a. Create the Management Server on the map: select the icon in the toolbar or select Mode → Add Management Server.

After the object has been created, you must define its IP address and attach it to a network or a PEP.

b. Select the General Options → Local Security Policy view and define the implicit rules. Implicit rules must be used with caution:

• They are not represented on the map.
• They are enforced only on PEPs managed by the Management Server, not on PEPs directly managed by Security Change Manager. So when a PEP controlled by SCM sits between the source and the destination of an implicit rule, you must create the corresponding permission between that source and that destination.
• They are not considered in the Security Change Manager audit.


Figure 5.10. Implicit Rules: Local Security Policy

3. Select the General Options → Security Server view and define the Security Server options.

Figure 5.11. Security Server

4. Select the General Options → Authentication view to define the authentication properties of the Management Server. On NG, there are three screens of authentication properties:

• Failed Authentication Attempts
• Users with Certificates
• Early Versions Compatibility


Figure 5.12. Authentication: Failed Authentication Attempts

Figure 5.13. Authentication: Users with certificates

Figure 5.14. Authentication: Early Versions Compatibility


User Authentication Session Time Out: if this number of minutes elapses between a Security Change Manager request and the management server's response, the session is dropped (default: 1 minute).

5. Select the Upload Configuration → Connection Options view and define the upload parameters.

Figure 5.15. Upload Configuration: Connection Options

6. Select the Managed PEPs view and add all the FireWall-1 or Nokia PEPs that shall be managed by the Management Server (this association can also be made in the Properties window of each PEP).

Figure 5.16. Add Managed PEPs


7. Create the Classes you need. See "Representing a Set of IP Addresses via a Class" in the Security Change Manager User Guide.

5.3.2. Step 2: Security Policy Definition

See the Security Change Manager User Guide to perform the following actions.

1. Create the time definitions needed.
2. Create the NAT rules needed, then attach them to each PEP.
3. Create all the limited path zones needed and attach them to each object.
4. Create all the new services needed.
5. Create the security policy: draw all the security permissions between the objects, with their properties.

Note

An implicit permission between the Management Server and each managed PEP is automatically added for the FW-1 service.

5.3.3. Step 3: Audit

Use Audit (Action → Policy Audit view) to analyze security permissions object by object.

5.3.4. Step 4: Define Rules

Define a rule on the Management Server that allows the CPMI and ica_pull_cert services from Security Change Manager to the Management Server, then install it on the managed PEP. Without this rule the upload traffic is blocked by the PEPs in front of the Management Server.

5.3.5. Step 5: Compile the Security Policy

1. Compile the policies: select Action → Generate Global Policy from the menu bar. The Expecting Compilation message box appears.


2. The Compilation Result dialog box appears. It states whether the compilation has been successful or not. Read the Errors and Messages.

5.3.6. Step 6: Prepare Upload on Each Directly-Managed PEP and Each Management Server

Warning

If the FW-1 Management Server manages PEPs that are on the path between Security Change Manager and the Management Server, or that run on the Management Server itself, we recommend installing a policy on these PEPs before the upload. Otherwise, the communication between the Management Server and Security Change Manager will be interrupted.

Warning

If Security Change Manager contains an address defined as '*', the upload may fail. Avoid using '*' as an address.

Prerequisites

• The filters for the current workspace map have been successfully compiled.

Procedure

1. Prepare upload.

The purpose of the upload preparation is to generate a Check Point FireWall-1 security policy built from:

• the SCM Server object definition, and
• the Check Point FireWall-1 object definitions that contain concepts not supported by Security Change Manager.

2. Select Action → Upload Preparation for selection from the menu bar.

The Upload Preparation in Progress window opens and the upload preparation starts automatically.

Once the preparation has finished, a message indicates whether it has been successful.

3. Click the Close button to close the Upload Preparation in Progress window.

The Upload Preview window opens, displaying the .confpatch file that will be applied when the configuration is uploaded. Review it before deploying: it is the last point at which the generated rules can be checked against what you intended.

5.3.7. Step 7: Deploy the Policy

1. Select Action → Device Manager from the menu bar.

The Device Manager window appears.

2. In the Deployment tab, select in the top panel the PEPs that should be uploaded.

3. Click the Upload icon.

An Upload Message dialog box opens, asking whether you wish to continue.

4. Click Continue to proceed with the upload.

When the upload has completed successfully, the Upload in Progress window displays the message "Upload terminated (successful)".

5.4. Define and Manage an Existing Policy

This section discusses the tasks for managing a security policy that is already in production on a Check Point FireWall-1 PEP and that you want to manage with Security Change Manager.

5.4.1. Purpose

This section describes the situation where you have just acquired Security Change Manager and want to configure your existing security policy with it. In this case, you will want to:

• read your security policy,
• adapt it in Security Change Manager to define a global security policy,
• check that the security policy is what you intend, and
• then implement that policy.

The following steps are explained in detail in the Security Change Manager User Guide and in the previous sections of this chapter.

5.4.2. Prerequisites

The first upload of the SCM-generated security policy to the Check Point FireWall-1 Management Server changes the existing security policy files. It is therefore recommended to back up the directory containing the security policy definition ($FW1\conf) before installing the new one, so that the previous policy can be restored if the generated one does not behave as expected.

1. Duplicate this directory under a name such as BeforeInstallation.
2. Define a rule on the Management Server that allows the CPMI and ica_pull_cert services, and install it on the managed PEP:

source = Security Change Manager Designer
destination = Check Point FireWall-1 Management Server

Table 5.1. Define a rule on the Management Server

No. | Source | Destination | Service | Action | Track | Install on | Comments
1 | LogLogic (the Security Change Manager Designer host) | Management Server | CPMI, ica_pull_cert | accept | | Gateways |

5.4.3. Step 1: Perform a Check Point FireWall-1 Import

Warning

Do not perform an import on an untitled map. Always name the .npl file first.

5.4.4. Step 2: Secure Topology Definition, if You Do Not Perform an Import

1. Create the objects on the map.

Open the current policy on each management server.

For each object involved in a rule, create the corresponding object in Security Change Manager if it does not already exist:

Objects involved in Source or Destination:

• Group: create an SCM network or an SCM Class containing all the member objects.
• Network or range: create an SCM network.
• Check Point Gateway or Check Point Host: create an SCM Check Point FireWall-1 PEP. For any other host, create a Nexus. Note that anti-spoofing is generated automatically by Security Change Manager.
• Embedded device or OSE device: create an SCM PEP of the corresponding type. If the type does not exist in SCM, create an "Unknown" PEP (its Managed option must be set to Yes).
• Check Point Gateway Cluster: create a Check Point FireWall-1 Cluster.
• Domain: create the corresponding network in SCM. The concept of domain is not supported in SCM.
• Any other network object: create a class with the IP address or the objects contained in this object.

Objects involved in Time:

• Time definition: create a time definition in Security Change Manager.

Objects involved in Service:

• Service: if that service does not exist in Security Change Manager, create it.

2. Create connections between objects.

After all objects have been created, connect them:

• Connect the networks with the PEPs or nexuses.
• Connect the classes with the networks.

3. Create the NAT rules and associate them with each FW-1 PEP involved.

4. Create the security policy.

For each rule on the management server, create a permission in Security Change Manager Designer with the right properties:

• Log
• Time definition
• Deny or allow
• Generate ICMP Error Message flag, in the case of a deny rule


Note

For the rules that could not be created because they are not supported by Security Change Manager, see Chapter 7, How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager (page 63).

5.4.5. Other Steps

1. Audit.
2. Compile the security policy.
3. Prepare the upload on each directly-managed PEP and each Management Server.
4. Deploy the security policy.

5.5. Create an Authentication Rule

To set up user authentication on a Check Point FireWall-1 through Security Change Manager, perform the following procedure:

Procedure 5.3. Creating an Authentication Rule

1. Define a User Group and reference the Management Server as its "authentication server".
2. If an authentication server has to be created on the Check Point FireWall-1 Management Server, create a Nexus or a PEP carrying the IP address of the RADIUS server. This object is used on the Check Point FireWall-1 Management Server as the host referenced by the Check Point FireWall-1 RADIUS server object.
3. Create a permission to authenticate.
4. Edit the permission properties and reference the FW-1 PEP(s) on which the authentication must be applied.
5. Fill in the authentication parameters associated with this PEP, as they are set on the Check Point FireWall-1 Management Server.
6. Compile.
7. Upload the policy.
8. On the Check Point FireWall-1 Management Server, check whether a warning appears during the upload; it would mean that a User Group is empty.
9. Define the External User Profiles, LDAP Groups and/or Users that are referenced by the User Group created by Security Change Manager.
10. Define the authentication servers needed (RADIUS, TACACS, ...) and reference a Security Change Manager object as the host of each server.
11. Save and install the policy.

These tasks are needed only to obtain the user group definition and its associated authentication server. Later uploads do not require them, unless a new user group has to be managed.


Chapter 6. How to Perform an Import from Check Point FireWall-1

6.1. What will be Imported/ not Imported ........ 45
6.2. Performing a Standard Import from Check Point FireWall-1 ........ 49
6.2.1. Step 1: Create and Configure a Management Server ........ 49
6.2.2. Step 2: Perform the Import ........ 52
6.2.3. Step 3: Add the Missing Topology ........ 54
6.2.4. Step 4: Connect and Group Attached Objects ........ 54
6.2.5. Step 5: Various Checks to Perform ........ 55
6.3. Performing a Local Import of Check Point FireWall-1 Policy ........ 56
6.4. Cleaning the Database Before Upload ........ 60

An import can be performed on either an empty security policy or an already-existing security policy. This chapter explains the entire concept beginning with an empty security policy. An import can be done using one or multiple Management Servers. We have used only one Management Server in this example for ease of understanding.

If you use an already-existing security policy, the attachment of classes and connections is done automatically.

Warning

Security Change Manager cannot manage all the concepts supported in Check Point FireWall-1. Therefore, when importing a Check Point FireWall-1 security policy, some objects and rules will not be imported. All objects that are not supported will be kept in the objects.C file and all rules not supported will be kept in a specific policy file in the rulebases.fws file.

When generating a policy:

• The objects that have the same name are updated by Security Change Manager and the others do not change.

• The "include" rules are added before and after the generated security policy.

If you change an object name in Security Change Manager, when generating a new policy in the objects.C file, there will be two objects:

• The old one (the old one is not removed because it may be referred to by objects in the security policy).

• The new one.

If this happens, you must change the old object for the new one to maintain the synchronization between the Security Change Manager definition and the Check Point FireWall-1 definition.

6.1. What will be Imported/ not Imported

The objects that will or will not be imported from Check Point FireWall-1 are listed below:


Table 6.1. What will be imported/ not imported from Check Point FireWall-1 NG and NG AI

Columns: Check Point FireWall-1 category / Detail / Imported / Comment

Networks Objects
  Detail: Check Point FireWall-1 Gateway; Check Point FireWall-1 Host; Check Point FireWall-1 Gateway cluster; Check Point FireWall-1 Embedded Device; Check Point FireWall-1 Externally Managed Gateway; Gateway Node; Host Node; Interoperable Device; Network; Domain; OSE Devices; Group; Logical server; Address range; Dynamic Object; VoIP domains; VPN-1 Edge/Embedded Gateway; VPN-1 Edge/Embedded Profile
  Imported: Partially
  Comment: N/A

Services objects
  Detail: TCP; Compound TCP; UDP; RPC; ICMP; Other; Group; DCE-RPC
  Imported: Partially
  Comment: Note that some flows will need to have a specific declaration in the mapping table if they couldn't be imported. Negate service will not be supported. Services of type 'Other' will not be imported if they reference an Inspection macro.

Resources
  Detail: URI; URI for QoS; SMTP; FTP; TCP
  Imported: No

OPSEC Applications
  Detail: OPSEC Application; CVP Group; UFP Group; CPMI Group
  Imported: No

Server
  Detail: RADIUS; RADIUS Group; TACACS; DEFENDER; LDAP Account Unit; Certificate Authority; SecuRemote DNS
  Imported: No
  Comment: This implies that all implicit flows between these servers and Check Point FireWall-1 hosts will not be imported.

Users objects
  Detail: Administrator; External group; Group; User; LDAP Account Unit
  Imported: Partially

Time objects
  Detail: Time definition; Time group; Scheduled Event
  Imported: Partially

Virtual Links
  Detail: Virtual Links
  Imported: No

VPN Communities
  Detail: Intranet Meshed; Intranet Star; Extranet; Partner
  Imported: No

Check Point FireWall-1 Implied Rules
  Detail: All those defined in the General Options → Local Security Policy view.
  Imported: Yes

Security Rules
  Detail: Allow; Drop; Reject; User Auth; Client Auth; Session Auth
  Imported: Yes
  Comment: All security rules associating "allow" permissions with negate objects (on source and/or destination) will be imported as two distinct rules, i.e. the first rule will be a "deny" permission and the second rule an "allow" permission. For example, if an "allow" permission is set between A and B, where B is a negate object, the generated rules will be:
    • deny A -> B
    • allow A -> any
  A security rule, e.g. (src_1,...,src_X);(srv_1,...,srv_Y);(dst_1,...,dst_Z), is imported as only one optimized rule with:
    • One metaclass for SRC
    • One metaclass for DST
    • One service group for SRV
  The naming convention for the metaclasses and the service group is the following: SRC_n, SRV_n, DST_n where n is the security rule ID number.
  The IF VIA property is ignored.

Address Translation Rules
  Detail: Static; Hide
  Imported: Yes

Desktop Security Rules
  Detail: Inbound Rules; Outbound Rules
  Imported: No

Web Access
  Detail: Web Sites; Security Requirements; Authorization Requirements; Application Settings
  Imported: No

Floodgate
  Detail: Rules
  Imported: No
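The two transformations described in the Security Rules row of Table 6.1 (splitting an "allow" rule that uses a negate object into a deny followed by an allow, and collapsing multi-valued columns into SRC_n / DST_n metaclasses and an SRV_n service group) as an added Python example. This is not code from the manual or from Security Change Manager: the CpRule and ScmRule classes and the "any" placeholder are constructed for the example, and the handling of a rule whose source and destination are both negated goes beyond the table and is the example's own generalization.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CpRule:
    """One Check Point security rule as read from the rulebase.
    Constructed model for this example, not the product's data structure."""
    rule_id: int
    action: str                 # "allow", "deny" or "reject"
    src: List[str]              # object names in the Source column
    dst: List[str]              # object names in the Destination column
    srv: List[str]              # service names in the Service column
    src_negated: bool = False   # Source column is a negate object
    dst_negated: bool = False   # Destination column is a negate object


@dataclass
class ScmRule:
    """A permission as the import would create it in Security Change Manager.
    "any" is this example's placeholder for an unrestricted column."""
    action: str
    src: str
    dst: str
    srv: str


def collapse(objs: List[str], prefix: str, rule_id: int,
             created: Dict[str, List[str]]) -> str:
    """Collapse a multi-valued column into one container named <prefix>_<rule id>
    (SRC_n / DST_n metaclasses, SRV_n service group), as Table 6.1 describes.
    A single object keeps its own name and nothing is created."""
    if not objs:
        raise ValueError(f"rule {rule_id}: empty column")
    if len(objs) == 1:
        return objs[0]
    name = f"{prefix}_{rule_id}"
    created[name] = sorted(objs)
    return name


def import_rule(rule: CpRule, created: Dict[str, List[str]]) -> List[ScmRule]:
    """Translate one Check Point rule into the permission(s) the import produces."""
    src = collapse(rule.src, "SRC", rule.rule_id, created)
    dst = collapse(rule.dst, "DST", rule.rule_id, created)
    srv = collapse(rule.srv, "SRV", rule.rule_id, created)

    negated = rule.src_negated or rule.dst_negated
    if not negated:
        return [ScmRule(rule.action, src, dst, srv)]
    if rule.action != "allow":
        # Table 6.1 describes the split only for "allow"; a negate object on a
        # deny/reject cannot be rewritten without changing its meaning, so the
        # rule is flagged for manual handling instead of being imported wrongly.
        raise ValueError(f"rule {rule.rule_id}: negate object on a {rule.action} rule")

    if rule.src_negated and rule.dst_negated:
        # Beyond the table (example's own generalization): "src not in A and
        # dst not in B" needs two explicit denies before the catch-all allow.
        return [ScmRule("deny", src, "any", srv),
                ScmRule("deny", "any", dst, srv),
                ScmRule("allow", "any", "any", srv)]

    # One negated column: first deny the negated object explicitly, then allow
    # the rest of that column ("deny A -> B" followed by "allow A -> any").
    deny = ScmRule("deny", src, dst, srv)
    if rule.dst_negated:
        allow = ScmRule("allow", src, "any", srv)
    else:
        allow = ScmRule("allow", "any", dst, srv)
    return [deny, allow]


def import_rulebase(rules: List[CpRule]) -> Tuple[List[ScmRule], Dict[str, List[str]]]:
    """Import a rulebase in order; also return the metaclasses/service groups created."""
    created: Dict[str, List[str]] = {}
    permissions: List[ScmRule] = []
    for rule in rules:
        permissions.extend(import_rule(rule, created))
    return permissions, created


if __name__ == "__main__":
    # Constructed sample rulebase: rule 1 has a negated destination, rule 2 has
    # several sources and services and becomes one optimized rule.
    sample = [CpRule(1, "allow", ["A"], ["B"], ["http"], dst_negated=True),
              CpRule(2, "allow", ["net_1", "net_2"], ["srv_1"], ["http", "https"])]
    perms, objs = import_rulebase(sample)
    for p in perms:
        print(f"{p.action:5} {p.src} -> {p.dst} [{p.srv}]")
    print(objs)
```

The split only keeps its meaning while the deny stays ahead of the allow; since the import reorders rules by priority, the deny permissions produced this way are exactly the ones to review in Step 5 of Section 6.2.5.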

6.2. Performing a Standard Import from Check Point FireWall-1

This section describes a situation where you want to configure a Check Point FireWall-1 without taking into account the existing security policy on it because:

• You have just installed Check Point FireWall-1 and want to configure it with Security Change Manager.

• You want to configure Check Point FireWall-1 again so as to make all your security policies with Security Change Manager and optimize them.

In this case, consider that there is no security policy on the Check Point FireWall-1 to take into account.

If Security Change Manager is installed on the same workstation as the Check Point FireWall-1 Management Server, the Localhost Upload Method has no prerequisites.

Warning

In order to keep track of your firewalls and see their names clearly in both the Security Change Manager and Check Point FireWall-1 displays, choose a short name (less than 10 characters) in Security Change Manager because a longer name will not be completely displayed in the Check Point FireWall-1 Policy Editor.

6.2.1. Step 1: Create and Configure a Management Server

To be able to make an import, you must give Security Change Manager all the information necessary for the connection (IP address, login, password) for retrieving Check Point FireWall-1 information (installation path, etc.).

So to simplify this situation, you need to create a Management Server that contains at least the following information:

• Version number in the Identification view.
• Upload IP address in the Upload Configuration → Upload Addresses view.
• Login/Password is optional in the Upload Configuration → Authentication view.
• OPSEC Application Name or OPSEC Application Distinguished Name depending on whether you selected the SSL Certificate & Encryption or Clear for the OPSEC Connection Type option in the Upload Configuration → Connection Options view.

Security Change Manager will import only objects involved in rules, a NAT rule or an implicit NAT rule. Objects that cannot be imported remain in the objects.C file. Rules that Security Change Manager cannot manage stay in rulebases.fws and are referred to by the include policy in Security Change Manager.

Warning

Do not perform an import on an untitled map. Always name the project first in the Project Manager window.

1. Create a Management Server by selecting the Add Management Server icon in the toolbar and clicking once on the map.
2. Open the Management Server Properties window, click the Identification view and select a Management Server Version from the pull-down menu.

Figure 6.1. Management Server Properties: Identification

3. In the Addresses view, click the Add button to add the IP address(es) of the Management Server.

4. In the Upload Configuration → Connection Options view, set the Upload Method option to OPSEC and the OPSEC Connection Type option to SSL Certificate & Encryption.

Figure 6.2. Management Server Properties: Upload Configuration: Connection Options


Type in the OPSEC Application Name.

Note

The OPSEC Application Name must have been created, saved but never used on the SmartDashboard before being connected from Security Change Manager.

5. Select the Upload Configuration → Authentication view and specify a Login/ Password for authentication.

Figure 6.3. Management Server Properties: Upload Configuration: Authentication (NG)

6. Select the Upload Configuration → Firewall-1 Options view and specify the Check Point FireWall-1 options.

7. Select the Upload Configuration → Upload Addresses view and specify the upload addresses, i.e. the address(es) used by Security Change Manager to connect to Check Point FireWall-1.


Figure 6.4. Management Server Properties: Upload Address

6.2.2. Step 2: Perform the Import

Now, you are ready to perform the actual import.

1. Make sure you have already saved the project.
2. Select the Management Server on which you want to import. Then, select Tools → Import → FW-1 Import... or right-click on the Management Server and select Import → FW1-import from the contextual menu.

A Checkpoint Import dialog box opens with the Import in Progress window in the background.

3. The Checkpoint Import dialog box displays the name of the ACL that will be imported. This is the one used by default on the Management Server. Click the Yes button.

4. Choose the elements to be imported from the pull-down menu:

• All Objects: To import all the objects excluding rules.
• Used Objects: To import only the objects used in rules excluding rules themselves.
• Rules & All Objects: To import all the objects and rules.
• Rules & Used Objects: To import only the objects used in rules and rules themselves.

Figure 6.5. CheckPoint Import Dialog Box: Choose Elements to be Imported


Click OK.

The Import process is launched and, once completed, an Import Report is generated in the Import Report window. Read this import report carefully, to see what the import accomplished.

Figure 6.6. CheckPoint Import Report


5. Check the report and click the Close button.

Once the Import process is finished, the bottom panel of the Import in Progress window displays Configuration Import Terminated.

6.2.3. Step 3: Add the Missing Topology

Add the missing topology, particularly networks and connections; add/change icons and addresses to agree with your configuration.

To solve the situation of objects and rules that it does not manage, Security Change Manager creates a new rulebases.fws and a new Objects.C file. These files contain the definition of all objects and rules that were not imported and are located in the following directory: work/pre-upload/<npl file name>/<mgtServer name>. This directory is already used to store the files objects_5_0.C and rulebases.fws.

You can transform one object into another, for instance a class into a network.

1. Select the object.
2. Perform a right-click and select Transform Into in the pop-up menu.
3. Select one option. The object will change.

You can also merge networks via Action → Merge Selected Networks.

6.2.4. Step 4: Connect and Group Attached Objects


1. Use the contextual menu on the map or on the selected objects to connect the following objects:

• PEPs to Networks
• Nexus to Networks
• Additionally, on an NG cluster, you should synchronize the networks (refer to the Security Change Manager User Guide for further information).

Note

If there is a network Internet '*', all classes not connected to a network become attached to this network, so you must check which class may be attached to the Internet network. A warning message appears at the end of the automatic attachment of classes to a network to indicate that a class has been attached to the Internet network. You must check that this is really the action you wanted.

2. Right-click on a PEP or a network and select the Connect to ... → Objects functionality in the contextual menu to group all attached objects around a network or a PEP inside the same network.

6.2.5. Step 5: Various Checks to Perform

1. If the security policy contains a Cluster, open its Properties window and reference the synchronization network.

Figure 6.7. Synchronization Network on Cluster

2. Check the Deny Permissions that have been imported.

Optimization of rules will automatically be done by Security Change Manager. You must put a priority > 5000 on deny permissions to be used for logging purposes to be sure that they are placed at the end of the generated rules.

3. Also check the meaning of "Any" and the permissions attached to it, where it has been imported.
4. Select Action → Policy Audit → Through to launch a "Policy Audit Through" operation on the Check Point FireWall-1 PEP and select which interface you want to audit.

Figure 6.8. Policy Audit Through Report interface selection

Check the information displayed in the Audit Results window.

5. Check whether Security Change Manager imported OSE Devices from the Check Point FireWall-1 Management Server as PEP devices (3Com, Nortel or Cisco). If they have been imported, remove them on the Check Point FireWall-1 Management Server to avoid conflicts of this type when uploading.

6.3. Performing a Local Import of Check Point FireWall-1 Policy

It is possible to import a Check Point FireWall-1 policy without a CPMI connection (local import method). This feature allows you to select what policy needs to be imported and define precisely what needs to be imported from this policy.

To perform a FW1 local import, follow the procedure below:

1. Copy the FW1 objects_5_0.c and the rulebase_5_0.fws files in your local file system.

2. In the Security Change Manager Designer, select the Management Server object from which you want to make the import and open its Properties window.

3. In the Upload Configuration → Connection Options view, set the Upload Method property to None.

4. Select the Management Server on which you want to import. Then, select Tools → Import → FW-1 Import... or right-click on the Management Server and select Import → FW1-import from the contextual menu.

A Checkpoint Import dialog box opens with the Import in Progress window in the background.

5. Type in the location of the objects_5_0.C file (i.e. path including the file name) and click OK.

Figure 6.9. CheckPoint Import Dialog Box: Import of objects_5_0.C file


6. Type in the location of the rulebase.fws file (i.e. path including the file name) and click OK.

Figure 6.10. CheckPoint Import Dialog Box: Import of rulebase.fws file

7. Choose the elements to be imported from the pull-down menu:


• All Objects: To import all the objects excluding rules.
• Used Objects: To import only the objects used in rules excluding rules themselves.
• Rules & All Objects: To import all the objects and rules.
• Rules & Used Objects: To import only the objects used in rules and rules themselves.

Figure 6.11. CheckPoint Import Dialog Box: Choose Elements to be Imported

Click OK.

Note

Please note that whatever the option selected, only the objects supported by Security Change Manager will be imported.

8. Choose the policy to be imported from the pull-down menu. The ACL names are those that have been defined on the Management Server (e.g. Standard or Custom Policy in the figure below) and click the corresponding button.

Figure 6.12. CheckPoint Import Dialog Box: Choose Policy to be Imported


The Import process is launched and, once completed, an Import Report is generated in the Import Report window. Read this import report carefully, to see what the import accomplished.

Figure 6.13. CheckPoint Import Report


9. Check the report and click the Close button.

Once the Import process is finished, the bottom panel of the Import in Progress window displays Configuration Import Terminated.

Figure 6.14. CheckPoint Import Terminated
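The local import above reads the objects_5_0.C file directly, and Table 6.1 says which of its entries survive the import. As an added example (not code from LogLogic or Check Point), the following Python script parses the objects.C layout, nested parenthesised groups of ":key (value)" entries, and lists which network_objects and services entries would be imported and which stay behind in objects.C. The sample file content is constructed; the sets of :type values treated as importable (Table 6.1 only says "Partially" for those rows) and the use of an :exp attribute to detect an Inspection macro reference on an 'Other' service are assumptions made for the example.

```python
"""Pre-import triage of a Check Point objects.C export (added example)."""
import re
from typing import Any, Iterator, List, Optional, Tuple

# A "( ... )" group parses to an ordered list of (key, value) pairs: key is None
# for a bare atom, "" for an anonymous ": (...)" entry, otherwise the name after
# the colon. A value is either a str atom or a nested group.
Node = List[Tuple[Optional[str], Any]]

_TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')


def parse(text: str) -> Node:
    """Parse a whole objects.C document, which is one top-level group."""
    toks = _TOKEN.findall(text)
    node, pos = _parse_group(toks, 0)
    if pos != len(toks):
        raise ValueError("trailing tokens after the top-level group")
    return node


def _parse_group(toks: List[str], pos: int) -> Tuple[Node, int]:
    if pos >= len(toks) or toks[pos] != "(":
        raise ValueError(f"expected '(' at token {pos}")
    pos += 1
    entries: Node = []
    key: Optional[str] = None
    while pos < len(toks) and toks[pos] != ")":
        tok = toks[pos]
        if tok.startswith(":"):
            key = tok[1:]            # a lone ":" yields "" (anonymous entry)
            pos += 1
            continue
        if tok == "(":
            value, pos = _parse_group(toks, pos)
        else:
            value, pos = tok.strip('"'), pos + 1
        entries.append((key, value))
        key = None
    if pos >= len(toks):
        raise ValueError("unbalanced parentheses")
    return entries, pos + 1


def get(node: Node, key: str) -> Any:
    """First value stored under :key in this group, or None."""
    for k, v in node:
        if k == key:
            return v
    return None


def atom(node: Node, key: str) -> Optional[str]:
    """The single atom inside ':key (atom)', or None when absent or not scalar."""
    v = get(node, key)
    if isinstance(v, list) and len(v) == 1 and v[0][0] is None:
        return v[0][1]
    return None


def named_entries(node: Node, section: str) -> Iterator[Tuple[str, Node]]:
    """Yield (name, body) for every ': (name ...)' entry of a section."""
    for k, body in get(node, section) or []:
        if k == "" and isinstance(body, list) and body and body[0][0] is None:
            yield body[0][1], body


# Assumed importable :type values; Table 6.1 only says "Partially" for these rows.
NETWORK_TYPES = {"gateway", "gateway_cluster", "host", "network", "group",
                 "machines_range", "domain"}
SERVICE_TYPES = {"tcp", "udp", "icmp", "rpc", "other", "group", "dcerpc"}


def triage(text: str) -> Tuple[List[str], List[str]]:
    """Return (entries the import keeps, entries left behind in objects.C)."""
    doc = parse(text)
    imported: List[str] = []
    left: List[str] = []
    for name, body in named_entries(doc, "network_objects"):
        target = imported if atom(body, "type") in NETWORK_TYPES else left
        target.append(f"network_objects/{name}")
    for name, body in named_entries(doc, "services"):
        kind = atom(body, "type")
        # Table 6.1: an 'Other' service referencing an Inspection macro is not
        # imported. Assumption: that reference is carried in an :exp attribute.
        if kind == "other" and get(body, "exp") is not None:
            left.append(f"services/{name}")
        elif kind in SERVICE_TYPES:
            imported.append(f"services/{name}")
        else:
            left.append(f"services/{name}")
    return imported, left


# Constructed sample in the objects.C layout; not a real export.
SAMPLE = """(
  :network_objects (
    : (fw_gw :type (gateway) :ipaddr (192.0.2.1) :comments ("constructed sample"))
    : (lan_net :type (network) :ipaddr (10.10.0.0) :netmask (255.255.0.0))
    : (app_lb :type (logical_server) :ipaddr (192.0.2.50))
  )
  :services (
    : (http :type (tcp) :port (80))
    : (custom_proto :type (other) :exp (custom_inspect_macro))
  )
)
"""
```

Running triage(SAMPLE) on the constructed file reports the gateway, the network and the TCP service as imported, and the logical server and the 'Other' service as left in objects.C, which is the list to compare against the Import Report and against the objects.C that Security Change Manager writes back under work/pre-upload.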

6.4. Cleaning the Database Before Upload

If the database is corrupted for any reason whatsoever, you might need to clean it so as to get back to a reliable Security Change Manager security policy. To do so:

1. Open the Management Server Properties window and select the Upload Configuration → FireWall-1 Options view.

2. Set the Clean Database Before Next Upload option to Yes.

Figure 6.15. Options: Clean Database Before Upload


Note

The database will be cleaned at the beginning of the next upload and the option will then be set back to No (the default). Therefore, you have to reset it to Yes each time you want to clean it.

The generated rules will not be the same as those imported because:

• Anti-spoofing has been lost and automatically found by Security Change Manager.
• Enforcement points have been lost and automatically found by Security Change Manager.
• Rule order has been lost.
• The include policy (the set of rules that have not been imported) is positioned at the head of all other rules.


Chapter 7. How to Manage Check Point FireWall-1 Concepts Not Supported by Security Change Manager

7.1. First-Time: Define Non-supported Concepts on the Management Server ........ 63
7.1.1. Step 1: Upload Security Change Manager Security Policy on the Management Server ........ 63
7.1.2. Step 2: Add Specific Properties ........ 64
7.1.3. Step 3: Add Other Objects not Supported by Security Change Manager ........ 64
7.1.4. Step 4: Define the Include Rules/ Create a New Policy on the Real Management Server ........ 64
7.1.5. Step 5: Modify the Management Server Options ........ 64
7.1.6. Step 6: Upload ........ 65
7.2. How to Manage User Groups ........ 65

This chapter describes how you should configure your Check Point FireWall-1 device to account for concepts that Security Change Manager does not manage.

Warning

This chapter gives a manual solution for managing Check Point FireWall-1 concepts not supported by Security Change Manager. The directions in this chapter can be used on a Security Policy that has already been built with Security Change Manager. It is recommended that the first time you want to incorporate Check Point FireWall-1 concepts, you use the Import Function. See Chapter 6, How to Perform an Import from Check Point FireWall-1 (page 45). Thereafter, use the directions in this chapter to modify your already-existing Security Policy.

7.1. First-Time: Define Non-supported Concepts on the Management Server

The Check Point FireWall-1 objects that are not supported in Security Change Manager are:

• domain
• user
• servers
• key
• resources

The Patch Process and Security Include allow you to manage these concepts on the Check Point FireWall-1 Management Server.

7.1.1. Step 1: Upload Security Change Manager Security Policy on the Management Server

Upload Security Change Manager Security Policy on the Management Server in order to have the translated objects on the Check Point FireWall-1 Management Server.

7.1.2. Step 2: Add Specific Properties

Edit each Check Point Gateway or Check Point Host and add the specific parameters that will not be managed by Security Change Manager on the Check Point FireWall-1 Management Server:

• Certificates' list
• SNMP parameters
• Account unit parameters

7.1.3. Step 3: Add Other Objects not Supported by Security Change Manager

Add other objects not supported by Security Change Manager:

• Users
• Servers
• Resources
• Keys for IPsec

7.1.4. Step 4: Define the Include Rules/ Create a New Policy on the Real Management Server

1. On the real Management Server through the Policy Editor, create a new policy for the First and/or Last include security policy that will manage all the concepts that can't be managed through Security Change Manager.

2. Save the policy with a new name (for instance "My Policy").

Warning

The security policy name is case-sensitive.

This policy is the one you will include in the Include Rules window, shown in Section 7.1.4, “Step 4: Define the Include Rules/ Create a New Policy on the Real Management Server” (page 64), either as the First include Policy or the Last include Policy.

You must take into account the implications of these includes on the global security policy:

• A rule in the include will not be considered in the Security Change Manager audit: therefore, you are not able to check the global validity of its model with audit.

• A rule in the include will not be enforced in PEPs other than those managed by the Management Server. If there is equipment managed by Security Change Manager between the source and the destination of the rule, the permission may be filtered. To avoid this situation, you must define a rule that allows the permission on PEPs directly controlled by Security Change Manager.

• NAT rules that may have an impact on equipment directly managed by Security Change Manager are prohibited.

7.1.5. Step 5: Modify the Management Server Options


1. In Security Change Manager Designer, open the Management Server Properties window.
2. Select the General Options → Include Policy view and type in the names of the include policies.

Warning

The include policy names must relate to an existing security policy name on the Management Server and must be different from the Security Change Manager generated policy name. Please refer to the Security Change Manager Reference Guide.

7.1.6. Step 6: Upload

1. Select the Upload Configuration → FireWall-1 Options view and set the FireWall-1 Upload Policy to Copy Only and click OK.

Figure 7.1. Upload Configuration Set to Copy Only

2. Right-click the Management Server icon and from the contextual menu, select the Device Manager menu item.

3. In the Deployment tab of the Device Manager window, check that the Management Server is selected and click the Upload icon to start the upload.

After this step, the final security policy (objects and rules) will be generated and copied onto the Management Server. You can then upload it on the managed PEPs via the SmartDashboard using the Policy → Install menu.

Note

If you want to use the previous security policy, you can manually copy the back-up files.Please see (page 41).

7.2. How to Manage User Groups


User Groups are used through User Authentication and the remote VPN feature in Security Change Manager. Only the name of the group is known in Security Change Manager and all other properties must be defined on the Management Server.

During the import, User Groups are imported in Security Change Manager.

During an upload, the creation of an empty User group is made when no User Group or LDAP group with the same name exists.

The content of a User Group must be defined through the SmartDashBoard: that is to say the users referenced by this group.

To manage server objects, and specifically authentication servers (RADIUS, TACACS) and LDAP servers, they must be defined via the SmartDashBoard.

But before creating them, it is recommended that you create a Nexus in Security Change Manager Designer that represents the location of the server object, in order to also manage permissions from or to it and IP modifications through Security Change Manager.

This nexus will be translated into a node that you will reference on the Smart Dash Board as the host on which the server is defined.

On Security Change Manager Designer:

1. Create the nexus that has the IP address of the server (RADIUS, TACACS or LDAP servers).
2. Add the necessary permissions between the Check Point FireWall-1 PEP and the nexus.
3. Select the Copy Only option (see Figure 7.1, “Upload Configuration Set to Copy Only” (page 65)) and upload the configuration.
4. On the Check Point FireWall-1 SmartDashBoard, edit the policy on the Management Server and add a server that references the Check Point FireWall-1 interoperable device that represents the nexus.


Chapter 8. Client-to-Gateway VPN on Check Point FireWall-1 NG

8.1. Procedure ........ 67
8.1.1. On the Check Point FireWall-1 ........ 67
8.1.2. On the Management Server ........ 68
8.1.3. PEPs Supporting Remote Access ........ 68
8.1.4. Specific Parameters ........ 68
On the device VPN node ........ 68
8.1.5. Implicit Permissions ........ 69
8.2. VPN Limitations ........ 70
8.2.1. Global Limitations ........ 70
VPN-1 Net ........ 70
DES-40 and CAST-40 ........ 70
Multiple Entry Point VPNs (MEP) ........ 70
8.2.2. Remote Access Limitations ........ 70
User Groups ........ 70
Office Mode is disabled on the gateway ........ 70
IP pool is defined through a DHCP server ........ 70
Hybrid Mode ........ 70
Enable VPN routing ........ 70
Desktop security policy ........ 70
Visitor Mode ........ 70
Transparent mode ........ 70
Clientless VPN ........ 71
IPsec/L2TP tunnels ........ 71
Number of tunnels ........ 71
8.2.3. First-time Upload of a VPN Policy ........ 71

This chapter discusses how to use Security Change Manager to manage client-to-gateway VPNs for Check Point FireWall-1 PEPs.

8.1. Procedure

When setting up remote access on a Check Point FireWall-1 through Security Change Manager, the user performs the following tasks:

8.1.1. On the Check Point FireWall-1

1. Define a User Group and reference the Management Server as the "authentication server".
2. Create a Mapped User Group, add the User Group and locate it on a network or metaclass.
3. Create a tunnel between this Mapped User Group and the Check Point FireWall-1 gateway.
4. Edit the Check Point FireWall-1 PEP and define the IP Pool and other VPN parameters.
5. Associate the Mapped User Group, the gateway and all networks the User Group will reach to the same Trust Zone.
6. If NAT Traversal is enabled, add a permission for that service between the Mapped User Group and the Check Point FireWall-1 PEP.
7. Compile.
8. Perform Upload Preparation on the policy.
9. Upload the policy.


8.1.2. On the Management Server

If a warning appears during the upload stating that a User Group is empty, for each empty User Group:

1. Define the External User Profiles, LDAP Groups and/or Users that will be referenced by the User Group created by Security Change Manager.

2. Define the related authentication servers needed (RADIUS, TACACS...) and reference a Security Change Manager object as host of these servers.

3. Save and install the policy.

Note

This task has to be done only to create the user group definition and the associated authentication server. The next upload will not need these tasks unless a new user group has to be managed.

4. Set the certificates and/or pre-shared key on the users concerned, if this is not the case.

• The certificates and/or pre-shared key parameters must be set on users' and/or external users' profiles the first time they are to be used.

• Install the database on the Check Point FireWall-1 gateway that makes a remote VPN.

If a warning appears during the compilation stating that some IPsec parameters must be set on the user, set the IPsec proposals on the user of the concerned User Group(s). You can customize the following global parameters:

• Remote Access
• Remote Access -> VPN-Basic except:
  • Pre-shared secret
  • IP compression

8.1.3. PEPs Supporting Remote Access

Security Change Manager supports only Remote Access on a PEP that has the VPN-1 Pro feature enabled.

8.1.4. Specific Parameters

On the device VPN node

1. Add the node Remote Access VPN

Table 8.1. VPN: Specific Parameters

Columns: Parameter / Type / Comment

Set Optional Office Mode Parameters
  Type: Boolean (Yes*/No)
  Comment: Help: allow the user to specify the DNS and WINS addresses by selecting the appropriate Network Objects. In addition, specify the backup DNS and WINS servers and supply the Domain name. All the following parameters in italics depend on this value.
Primary DNS
  Type: Switched IP address
First Backup DNS
  Type: Switched IP address
  Comment: Appears when the Primary DNS is set.
Second Backup DNS
  Type: Switched IP address
  Comment: Appears when the first backup DNS is set.
Primary WINS
  Type: Switched IP address
First Backup WINS
  Type: Switched IP address
Second Backup WINS
  Type: Switched IP address
  Comment: Appears when the first backup WINS is set.
Domain Name
  Type: String
User Group Global Pool Lease Duration (in minutes)
  Type: Integer (min: 2, max: 32767)
Support NAT-Traversal
  Type: (Yes/No*)
NAT-Traversal Service
  Type: VPN1_IPsec_encapsulation; all services listed
  Comment: Appears if Yes is selected for Support NAT-Traversal.
Tunnel Only
  Type: Trust Zone; Everything
Hub Mode Configuration
  Comment: When enabled, the Gateway agrees to act as a VPN router for the client.

2. Other parameters will be set by Security Change Manager:

• Allow office mode for all users.
• Office Mode Method - Manual (using IP pool): always set
• Allocate IP from network: (defined by the pool on the PEP)

8.1.5. Implicit Permissions

The IKE and ESP implicit permissions are created.


8.2. VPN Limitations

VPN Limitations and their workarounds (if they exist) are listed below:

8.2.1. Global Limitations

VPN-1 Net

The VPN-1 Net module is not supported in Security Change Manager.

DES-40 and CAST-40

Security Change Manager does not manage the DES-40 and CAST-40 encryption algorithms.

Multiple Entry Point VPNs (MEP)

Multiple Entry Point VPNs (MEP) are not supported.

8.2.2. Remote Access Limitations

User Groups

Security Change Manager defines only the names of user groups on the Check Point FireWall-1, but does not define the content of the groups.

See Section 7.2, “How to Manage User Groups” (page 65) for further information.

Office Mode is disabled on the gateway

The case where the remote user keeps its IP address (Office Mode is disabled on the gateway) is not managed.

IP pool is defined through a DHCP server

The case where the IP pool is defined through a DHCP server is not managed.

Hybrid Mode

Security Change Manager does not manage hybrid mode.

You can enable hybrid mode through the option on the Smart Dashboard, in Global Properties → Remote Access → VPN Basic.

Enable VPN routing

Enable VPN routing will not work, since we do not distinguish between the hub-and-spoke and star models.

Desktop security policy

Desktop security policy is not generated by the Security Change Manager implementation.

Visitor Mode

Security Change Manager does not support visitor mode.

Transparent mode


Security Change Manager does not support transparent mode since this mode is not possible with Office Mode.

Clientless VPN

We do not support Clientless VPN.

IPsec/L2TP tunnels

Security Change Manager does not support IPsec/L2TP tunnels.

Number of tunnels

Only one tunnel can be created to a Check Point FireWall-1 PEP.

8.2.3. First-time Upload of a VPN Policy

The first time we upload a VPN policy, the installation of the policy on the Check Point FireWall-1 devices may fail with the following message: Can't install policy. Reason: The SRCommunity member <Check Point Gateway name> must have a signed certificate..: Failed - Unspecified error.

In this case, you must open the policy with the SmartDashBoard, open the property box of the <Check Point Gateway name> and validate it (click the OK button). This will create the internal certificate needed. Then you can install the policy through Security Change Manager.


Chapter 9. Gateway-to-Gateway VPN on Check Point FireWall-1 NG and NG AI

9.1. Procedure (page 73)
  9.1.1. On the Security Change Manager (page 73)
  9.1.2. On the Check Point FireWall-1 Management Server (page 73)
    Procedure (page 73)
  9.1.3. VPN Domains (page 74)
9.2. VPN Limitations (page 74)
  9.2.1. Global Limitations (page 75)
    VPN-1 Net (page 75)
    DES-40 and CAST-40 (page 75)
    Multiple Entry Point VPNs (MEP) (page 75)
  9.2.2. Site-to-site limitation (page 75)
    Usage of the Simplified Mode (page 75)

This chapter discusses how to use Security Change Manager to manage gateway-to-gateway VPNs for Check Point FireWall-1 PEPs.

9.1. Procedure

When making a gateway-to-gateway VPN on a Check Point FireWall-1 through Security Change Manager, the user will do the following tasks:

9.1.1. On the Security Change Manager

1. Define a gateway-to-gateway tunnel as described in the Security Change Manager User Guide.
2. Compile.
3. Perform Upload Preparation on the policy.
4. Upload the policy.

9.1.2. On the Check Point FireWall-1 Management Server

On the management server, if it is the first time you upload this VPN, you must set the pre-shared secret and/or certificates.

Procedure

1. Set the Authentication parameters:

a. In the case of a pre-shared secret, open the community named NP_V__<PEP1>-<PEP2>. In the shared secret field, copy the pre-shared key written in the 0.

b. In the case of certificates, there is nothing to do except to use a Certificate Authority. When the Certificate Authority of the device is different from that of its Check Point Management Server, you must create this Certificate Authority object in the Management Server and then enrol the Check Point FireWall-1 gateway in this Certificate Authority.


For more information, refer to the Check Point FireWall-1 documentation.

2. Save and install the policy.

Note

This task must be done after the VPN community is created. The next upload will not need these tasks to be done again, except in the cases where the pre-shared key changed, the certificate authorities changed, or the policy on the tunnel changed from PSK to RSA-Sig or from RSA-Sig to PSK.

9.1.3. VPN Domains

The VPN domain will be deduced in the following manner:

Figure 9.1. VPN Domain Deduction

The source (respectively destination) of all permissions that enter (respectively leave) one side of a tunnel will be part of the VPN domain of that side.

Since each gateway has only one VPN domain, it will be a group that contains all the networks that need to be reached via IPsec, possibly from different tunnels.
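The deduction rule above, as an added example that is not Security Change Manager code: given constructed tunnels and permissions, it builds each gateway's single VPN domain and then checks that no network ends up in the domains of two gateways, which is the condition worth verifying before the upload. Gateway names, networks and the Tunnel/Permission records are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    """A gateway-to-gateway tunnel between two PEPs (constructed names)."""
    side_a: str
    side_b: str


@dataclass(frozen=True)
class Permission:
    """A permission crossing a tunnel: it enters at `enters`, leaves at `leaves`."""
    source: str       # network (CIDR) of the flow's source
    destination: str  # network (CIDR) of the flow's destination
    enters: str       # gateway on the side where the flow enters the tunnel
    leaves: str       # gateway on the side where the flow leaves the tunnel


def deduce_vpn_domains(tunnels, permissions):
    """Section 9.1.3 rule: the source of every permission entering a tunnel side
    joins that side's VPN domain; the destination of every permission leaving a
    side joins that side's domain. A gateway has a single domain, so networks
    coming from different tunnels end up in one group per gateway."""
    tunnel_ends = {(t.side_a, t.side_b) for t in tunnels} | \
                  {(t.side_b, t.side_a) for t in tunnels}
    domains = {}
    for p in permissions:
        if (p.enters, p.leaves) not in tunnel_ends:
            raise ValueError(f"permission {p.source}->{p.destination}: "
                             f"no tunnel between {p.enters} and {p.leaves}")
        domains.setdefault(p.enters, set()).add(ipaddress.ip_network(p.source))
        domains.setdefault(p.leaves, set()).add(ipaddress.ip_network(p.destination))
    # Deterministic output: one sorted group of networks per gateway.
    return {gw: [str(n) for n in sorted(nets)] for gw, nets in domains.items()}


def find_domain_overlaps(domains):
    """Report networks that fall into the VPN domains of two different gateways.
    Overlapping domains make the choice of tunnel for a packet ambiguous, so
    this is the check to run on the deduced domains before uploading."""
    overlaps = []
    names = sorted(domains)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in domains[a]:
                for nb in domains[b]:
                    if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb)):
                        overlaps.append((a, na, b, nb))
    return overlaps


# Constructed sample topology: a hub (HQ) with one tunnel to each of two branches.
TUNNELS = [Tunnel("HQ", "Branch1"), Tunnel("HQ", "Branch2")]
PERMISSIONS = [
    Permission("10.1.0.0/24", "192.168.1.0/24", enters="HQ", leaves="Branch1"),
    Permission("10.1.1.0/24", "192.168.2.0/24", enters="HQ", leaves="Branch2"),
    Permission("192.168.2.0/24", "10.2.0.0/16", enters="Branch2", leaves="HQ"),
]

if __name__ == "__main__":
    domains = deduce_vpn_domains(TUNNELS, PERMISSIONS)
    for gw, nets in sorted(domains.items()):
        print(f"VPN domain of {gw}: {', '.join(nets)}")
    print("overlapping domains:", find_domain_overlaps(domains) or "none")
```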

9.2. VPN Limitations

VPN Limitations and their workarounds (if they exist) are listed below:


9.2.1. Global Limitations

VPN-1 Net

The VPN-1 Net module is not supported in Security Change Manager.

DES-40 and CAST-40

Security Change Manager does not manage the DES-40 and CAST-40 encryption algorithms.

Multiple Entry Point VPNs (MEP)

Multiple Entry Point VPNs (MEP) are not supported.

9.2.2. Site-to-site limitation

Usage of the Simplified Mode

Using the simplified mode prevents having, for a given service, both a permission that passes through a tunnel and a permission outside the tunnel.


Chapter 10. Check Point FireWall-1 Cluster Management

10.1. Procedure (page 77)
  10.1.1. On the Check Point FireWall-1 Management Server (page 77)
  10.1.2. On the Security Change Manager Designer (page 77)
10.2. Limitations (page 81)

This chapter discusses how to use Security Change Manager to manage clusters of Check Point FireWall-1 PEPs.

10.1. Procedure

10.1.1. On the Check Point FireWall-1 Management Server

If the cluster object does not already exist, you must create it on the Check Point Management Server. The cluster members do not need to be created. They will be created by the Security Change Manager.

10.1.2. On the Security Change Manager Designer

1. Create the map with the cluster members defined as PEPs.

a. Reference the Management Server from each PEP.
b. Define each PEP's interfaces (other parameters will be hidden when the PEP is referenced as cluster member).
c. Select the Upload configuration view and tick the SIC Authentication Key checkbox to initiate communication between the Management Server and the module if you have not yet initiated it via the Check Point FireWall-1 Smart Dashboard.

Figure 10.1. SIC Authentication Key Activated


2. Create the cluster via the menu Mode → Add Cluster. Make sure it is named with the same name that is used in the Check Point FireWall-1 Management Server.

a. Open the Cluster Properties window, and in the Identification view, reference the Management Server from the cluster using the Managed By pull-down menu.

Figure 10.2. Management Server Referenced on the Cluster

b. Select the Cluster Options view and set Cluster XL Enabled to Yes if you are not using a 3rd-party application to handle clustering.

Figure 10.3. Cluster XL Enabled Option


c. Select the Cluster Options → Cluster Members view, add the cluster members and sort them according to the priority in which you want them to be available (the top one in the list is the master).

Figure 10.4. Selection of Cluster Members

d. Select the Cluster Options → Availability Parameters view, and set the Operating Mode option as needed. Set other availability parameters depending on whether you have chosen the cluster XL feature or not.

Figure 10.5. Selection of Availability Operation Mode


e. Select the Cluster Options → Synchronization → Synchronization Networks view and reference a network to synchronize the cluster members. This network must have the following characteristics:

• It is recommended that you reference a dedicated network that is not connected to any of the cluster's virtual interfaces. You can define more than one synchronization network for backup purposes.

• Since synchronization networks are used to pass sensitive data such as encryption keys, it is important that these networks are secured.

• The network must be linked to one interface of each cluster member.

Figure 10.6. Selection of Synchronization Network


f. Add the virtual interfaces and connect them to the same network as the cluster members' interfaces. The virtual interfaces will make the cluster members' interfaces redundant.

Your workspace should look like this:

Figure 10.7. Example of Cluster

Note

Implicit Permissions will be automatically activated between the Cluster members (this is also the case for Nokia IP clusters).

3. Add an NTP permission between cluster members and the NTP server to ensure the clusters have the same date.

4. Upload the configuration.

10.2. Limitations

High Availability Legacy Mode is not supported, but Check Point FireWall-1 supports High Availability New Mode.


Chapter 11. Provider-1 Management Server Installation

11.1. Adding a Provider-1 Management Server (page 83)

11.1. Adding a Provider-1 Management Server

1. Click on the Mgt server icon in the toolbar.

2. Click on the background of the Security Change Manager Designer map to add a Management Server and enter its IP address in the pop-up menu.

3. Double-click the Management Server icon on the map to open its Properties window and select the type Provider-1 in the Identification view.

4. Select the General Options → Managed CMAs view and click the Add Managed CMA icon to add the CMA servers that should be managed by the Provider-1 Management Server.


Chapter 12. Check Point FireWall-1 Properties Windows

12.1. Description (page 85)
12.2. General Options (page 85)
  12.2.1. Security Profile (page 87)
    Common Security Parameters (page 88)
    Replace Address (page 90)
    Replace Service (page 92)
  12.2.2. Virtual System (page 93)
  12.2.3. Authentication (page 93)
    Enabled Authentication Schemes (page 93)
    Authentication Settings (page 93)
    HTTP Security Server (page 94)
12.3. Policy Learning Mode (page 95)
12.4. Common Interface Options (page 95)
12.5. Interface Options (page 96)
  12.5.1. Security Profile (page 98)
    Common Security Parameters (page 98)
    Replace Address (page 100)
    Replace Service (page 101)
  12.5.2. IP Addresses (page 102)
    Static IP Addresses (page 102)
    Dynamic Addresses Pool (page 102)
    IP Addresses (page 102)
12.6. VPN Options (page 104)
  12.6.1. IKE Capabilities (page 104)
  12.6.2. IPSec Capabilities (page 105)
  12.6.3. Remote Access VPN (page 105)
12.7. Upload Configuration (page 106)
12.8. Tunnel Peer Options (page 107)
  12.8.1. Interface (page 108)
12.9. Authentication User Definition (page 108)
  12.9.1. flowListIn (page 111)
  12.9.2. flowListOut (page 111)
  12.9.3. flowListExternal (page 111)

12.1. Description

Option / Description

Note
  Allows you to enter a description of the current PEP.

12.2. General Options

Use this view to examine and modify general PEP options.

Option / Description

Managed
  * Choice "Yes *"
    Indicates that SCM Server will produce filters for this PEP.
  * Choice "No"
    Set to "No" if you do not want SCM Server to manage this PEP.

Apply Flow To/From PEP on Relevant Interfaces Only
  Enables you to choose how the PEP applies flows to its various interfaces.
  * Choice "Yes *"
    Limits an authorized flow, having the PEP as its destination, so that incoming packets through an interface cannot reach any other interface.
  * Choice "No"
    Enables an authorized flow, having the PEP as its destination, to reach all interfaces of the PEP.
  This setting is a general default which can be overridden for a specific instance using the Permission Properties window: Global Properties View.

Has IPSec Module
  * Choice "Yes"
    Indicates that the device supports the IPSec module for VPNs.
  * Choice "No"
    Indicates that the device does not support IPSec.

supportsEncapsulatedTunnel

Enforce Time Filtering
  Specifies whether the PEP is to perform time filtering. For further information on Time Filtering, see the SCM Server User Guide.

Generate NAT Rules
  * Choice "Yes *"
    NAT rules are generated by the compiler and included in the filters. A warning message is displayed if the PEP cannot implement the rules.
  * Choice "Comment"
    NAT rules are written to the filters file as comments and ignored by the upload module.
  * Choice "No"
    NAT rules are not generated.
  At upload time, when the No or Comment option is selected, the rule modifications are uploaded to the device without changing the existing NAT rules (if these exist). This is important because NAT rules are changed much less often than other filtering rules, and rewriting them interrupts communication. However, the compiler will take into account the NAT rules to generate the filters for the PEPs beyond the NAT application point.

Check Point Suite Type
  The suite type that matches the one you installed with your Check Point software.

VSX Type
  Lets you choose the type of VSX device.
  * Choice "Gateway *"
    The VSX device will be a VSX gateway.
  * Choice "Virtual System"
    The VSX device will be a virtual system.

12.2.1. Security Profile

Use this view to select the PEP's level of security. By default, the PEP's profile is set to maximum security.

Option / Description

Security Level
  Lets you choose the default level of security that SCM Server will generate for this PEP.
  You can choose to generate faster configurations on certain PEPs at the expense of reduced security.
  * Choice "Custom Filtering *"
    Lets you choose a custom level of filtering by setting options in the Replace Address or Replace Service views.
  * Choice "Deny few, Permit all"
    Same as "Custom Filtering" but with the default policy set to "Permit".
  * Choice "Full Filtering"
    This level configures the PEP parameters to offer maximum security. The parameters contained in the Common Security Parameters view will be set in order to ensure maximum security and will be locked to prevent changes. This option also:
    - prevents you from choosing the Broad Filtering option (see the Replace Address and Replace Service nodes)
  * Choice "PEP Access Security Only"
    Disables filtering on this PEP, except for the rules that protect the PEP itself. Therefore, the PEP will allow all traffic to pass through it, but it will not allow unauthorized access to itself.
  * Choice "No Filtering"
    Disables filtering, and reduces security on this PEP to zero.

Broad Filtering
  Lets you choose to enable faster configurations at the expense of reduced security.
  You must set Security Level to "Custom Filtering" to use this option.
  * Choice "Disabled *"
    Indicates that filtering is not broadened, and security is at its highest level.
  * Choice "By Address"
    Reveals the Replace Address view, which lets you configure broad filtering by address.
  * Choice "By Service"
    Reveals the Replace Service view, which lets you configure broad filtering by service.

Common Security Parameters

Use this view to configure common security parameters for the PEP.

Option / Description

Suppress Filtering on TCP Direction
  Sets up the flow rules for traffic returning appropriately with the "ack" (acknowledged) bit set.
  * Choice "Yes *"
    Only the packets belonging to an established connection will be permitted to flow back through the PEP.
  * Choice "No"
    The filtering rules will not verify the ack bit status. These filters will be more compact but more permissive for the return traffic, which may lead to degraded security.
  Attention: This option should be modified by an expert user only.

Suppress Filtering on ICMP Message Type
  * Choice "Yes *"
    Indicates that the PEP will do filtering by ICMP message type.
  * Choice "No"
    Indicates that the PEP will not do filtering by ICMP message type.

'Securing PEP' rules
  * Choice "Yes *"
    Denies access to the PEP's interface addresses, except for the default administration flows, thereby securing the PEP.
  * Choice "No"
    Permits access to the PEP's interface addresses.

Suppress 'Internet Restriction'
  Indicates if SCM Server will add extra deny filters when the Internet object is defined as "Any". This option is activated by selecting "No" for the Expand Internet option on the PEP window: General Options View.
  * Choice "Yes *"
    Any permission you draw to/from Internet causes the compiler to implicitly generate all necessary denies to prevent permissions to/from all other internal addresses.
  * Choice "No"
    Any permission you draw to/from Internet will also implicitly allow permissions to/from all other internal addresses, which may lead to lower security.
  Attention: This option should be modified by an expert user only.

Expand Internet
  This option is an optimization that controls how SCM Server defines the Internet object. This option can create very finely-tuned filters, but at the price of increased size.
  * Choice "Yes"
    SCM Server will use a more precise, "expanded" definition of Internet. It defines the Internet as "all addresses outside the internal networks". This creates very fine, but slower, filters.
  * Choice "No *"
    SCM Server will define Internet as "Any". The generated filters are thus faster, but less secure.

Default Rule
  Lets you change the default rule on this device. By default SCM Server will write a "deny all" rule at the end of a device's configuration. With this option, you have the possibility to change this behavior: SCM Server will not write a default "deny all" rule, and, on this device, all access that is not explicitly denied will be allowed.
  * Choice "Policy Default *"
    Uses the value defined in the Tools > Properties for the Current Policy window.
  * Choice "Deny"
    Keeps the standard behavior. Every access that is not defined is not allowed on this device.
  * Choice "Allow"
    Lets you easily define policies where the goal is to prohibit a set of given protocols in the network.
    If you choose the "Allow" option, make sure that you explicitly deny every access point that you want to close, or make sure that you have another device in series that denies everything by default.

Generate Anti-Spoofing
  Lets you choose if the PEP or SCM Server should generate anti-spoofing rules.
  * Choice "Yes *"
    The PEP will generate anti-spoofing rules.
  * Choice "No"
    The PEP will not generate anti-spoofing rules.
  * Choice "Unmanaged"
    Takes the computed anti-spoofing into account, but does not generate the related configuration, so that, in the end, the anti-spoofing defined on the SmartCenter will not be changed by the upload.

Spoof Tracking
  Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated and how information about spoofed connections should be logged.
  * Choice "None *"
  * Choice "Log"
  * Choice "Alert"
  * Choice "Disabled"
    Disables the anti-spoofing option.
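What the Expand Internet and Suppress 'Internet Restriction' choices above amount to, as an added example that is not Security Change Manager code: with Expand Internet = Yes the Internet object is the complement of the internal networks and one permit per resulting block is produced; with Expand Internet = No the object is Any and the restriction adds an explicit deny per internal network ahead of the single permit. The internal networks, the source address and the 'action src -> dst' rule text are constructed for the example.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def expanded_internet(internal_networks):
    """Expand Internet = Yes: Internet is 'all addresses outside the internal
    networks'. Returns the minimal list of CIDR blocks covering that complement."""
    internal = ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in internal_networks)
    remaining = [ANY]
    for net in internal:
        carved = []
        for block in remaining:
            if net.subnet_of(block):
                carved.extend(block.address_exclude(net))  # split block around net
            elif not block.subnet_of(net):
                carved.append(block)                        # disjoint: keep as is
            # a block lying entirely inside net is dropped
        remaining = carved
    return [str(b) for b in ipaddress.collapse_addresses(remaining)]


def covers(networks, address):
    """True if `address` falls inside one of the CIDR strings."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def permit_to_internet(source, internal_networks, expand_internet,
                       internet_restriction=True):
    """Filter lines generated for one 'source -> Internet' permission.
    expand_internet=True : one permit per block of the expanded definition.
    expand_internet=False: Internet is Any; with the Internet Restriction kept
    (Suppress 'Internet Restriction' = Yes) a deny per internal network precedes
    the permit to Any, otherwise that permit also reaches the internal networks."""
    if expand_internet:
        return [f"permit {source} -> {blk}"
                for blk in expanded_internet(internal_networks)]
    rules = []
    if internet_restriction:
        rules += [f"deny {source} -> {n}" for n in internal_networks]
    rules.append(f"permit {source} -> any")
    return rules


def internal_reachable(rules, internal_networks):
    """Internal networks the rule set lets the source reach (first match wins).
    An empty result is what both secure settings should give."""
    reachable = []
    for n in internal_networks:
        target = ipaddress.ip_network(n)
        for rule in rules:
            action, _src, _arrow, dst = rule.split()
            dst_net = ANY if dst == "any" else ipaddress.ip_network(dst)
            if dst_net.overlaps(target):
                if action == "permit":
                    reachable.append(n)
                break
    return reachable


# Constructed sample: the RFC 1918 ranges play the role of the internal networks.
INTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

if __name__ == "__main__":
    fine = permit_to_internet("10.5.0.7", INTERNAL, expand_internet=True)
    fast = permit_to_internet("10.5.0.7", INTERNAL, expand_internet=False)
    loose = permit_to_internet("10.5.0.7", INTERNAL, False, internet_restriction=False)
    print(f"Expand Internet = Yes : {len(fine)} permit lines, "
          f"internal reachable: {internal_reachable(fine, INTERNAL)}")
    print(f"Expand Internet = No  : {len(fast)} lines, "
          f"internal reachable: {internal_reachable(fast, INTERNAL)}")
    print(f"No restriction        : {len(loose)} line, "
          f"internal reachable: {internal_reachable(loose, INTERNAL)}")
```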

Replace Address

Use this view to set a limit on the optimizations SCM Server makes on addresses.

SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "On Address" in the Security Profile view, you can use the current view to put constraints on this optimization.

Option / Description

Replace Source
  This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.
  Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
  * Choice "by Netmaskable Network"
    Indicates that SCM Server will attempt to replace the source IP addresses of the permissions managed by this PEP such that the IP addresses can be represented by a netmask. You can enter this netmask in the Source Network Netmask field, below.
  * Choice "by Any"
    Indicates that SCM Server will replace the source IP addresses of the permissions that this PEP manages by Any.
  In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Source Network Netmask
  Allows you to enter the netmask to apply to source permissions.

Restrict Source Replacement to Topology
  When used with the above option, this option will restrict the enlargement to the address of the network from which each permission originates, in your policy map.

Replace Destination
  This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.
  Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
  * Choice "by Netmaskable Network"
    Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this PEP such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.
  * Choice "by Any"
    Indicates that SCM Server will replace the destination IP addresses of the permissions that this PEP manages by Any.
  In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Destination Network Netmask
  Allows you to enter the netmask to apply to destination permissions.

Restrict Destination Replacement to Topology
  When used with the "Enlarge Destination to Netmaskable Address" option, this option will restrict the enlargement to the address of the network where each permission terminates, in your policy map.

Replace Service

Use this view to set a limit on the optimizations SCM Server makes on services.

SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "On Service" in the Security Profile view, you can use the current view to put constraints on this optimization.

Option / Description

Replace Service
  This is an optimization that enlarges the service of a permission. For example, an http and an ftp permission may be enlarged to tcp. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.
  * Choice "No *"
    Will not enlarge services. This option maintains the highest level of security.
  * Choice "by TCP"
    Replaces TCP permissions by TCP.
  * Choice "by UDP"
    Replaces UDP permissions by UDP.
  * Choice "by TCP and UDP"
    Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions.
    A TCP-based permission will be replaced by two permissions: a permit TCP and a permit UDP. A UDP-based permission will also be replaced by two permissions: a permit TCP and a permit UDP.
  * Choice "by IP"
    Replaces permissions by IP.
  * Choice "by Any"
    Replaces all permissions by Any.
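The Replace Address and Replace Service rewrites described in these two views, applied together to a small constructed set of permissions, as an added example that is not Security Change Manager code. Besides producing the broadened rules it counts how many addresses they admit beyond the ones the policy named, since the views only say that "more addresses than your policy specifies" will be permitted. The permission tuples, the topology map and the rule format are assumptions of the example.

```python
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORT = "*"


def smallest_covering_network(addresses, netmask_bits=None):
    """Smallest CIDR block containing every address. When the 'Network Netmask'
    field is filled in (netmask_bits), that prefix length is used instead, and an
    error is raised if it does not cover all the permissions."""
    hosts = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(f"{hosts[0]}/32")
    while not all(h in net for h in hosts):
        net = net.supernet()
    if netmask_bits is not None:
        net = ipaddress.ip_network(f"{hosts[0]}/{netmask_bits}", strict=False)
        if not all(h in net for h in hosts):
            raise ValueError(f"/{netmask_bits} does not cover all the permissions")
    return net


def replace_addresses(addresses, mode, netmask_bits=None, topology=None,
                      restricted=False):
    """'Replace Source' / 'Replace Destination': 'by Netmaskable Network' or
    'by Any'. With 'Restrict ... Replacement to Topology' (restricted=True),
    `topology` maps each address to the map network it originates from and the
    enlargement never goes beyond those networks (constructed representation)."""
    if mode == "by Any":
        net = ANY_NET
    elif mode == "by Netmaskable Network":
        net = smallest_covering_network(addresses, netmask_bits)
    else:
        raise ValueError(f"unknown Replace Address choice: {mode}")
    if not restricted:
        return [net]
    origins = ipaddress.collapse_addresses(
        ipaddress.ip_network(topology[a]) for a in addresses)
    return list(ipaddress.collapse_addresses(
        o if o.subnet_of(net) else net for o in origins))


def replace_service(proto, port, mode):
    """'Replace Service' choices, returned as the (proto, port) pairs the
    permission is rewritten to (ports kept as strings, '*' meaning any)."""
    if mode == "No":
        return [(proto, str(port))]
    if mode == "by TCP":
        return [("tcp", ANY_PORT)] if proto == "tcp" else [(proto, str(port))]
    if mode == "by UDP":
        return [("udp", ANY_PORT)] if proto == "udp" else [(proto, str(port))]
    if mode == "by TCP and UDP":
        if proto in ("tcp", "udp"):
            return [("tcp", ANY_PORT), ("udp", ANY_PORT)]
        return [(proto, str(port))]
    if mode == "by IP":
        return [("ip", ANY_PORT)]
    if mode == "by Any":
        return [("any", ANY_PORT)]
    raise ValueError(f"unknown Replace Service choice: {mode}")


def broaden(permissions, addr_mode, svc_mode, **addr_opts):
    """Apply both optimizations to (source, proto, port, tracked) permissions that
    share one destination. `tracked` marks a permission carrying log, time or
    authorization actions, which the views' note says are never optimised.
    Returns the sorted, deduplicated rules as (source, proto, port) plus the
    number of addresses they permit beyond the ones the policy named."""
    plain = [p for p in permissions if not p[3]]
    rules = {(f"{src}/32", proto, str(port))
             for src, proto, port, tracked in permissions if tracked}
    extra = 0
    if plain:
        nets = replace_addresses([p[0] for p in plain], addr_mode, **addr_opts)
        for net in nets:
            for _, proto, port, _ in plain:
                for sp, spp in replace_service(proto, port, svc_mode):
                    rules.add((str(net), sp, spp))
        extra = sum(n.num_addresses for n in nets) - len({p[0] for p in plain})
    return sorted(rules), extra


# Constructed sample: three permissions towards one destination; the third one
# carries a log action and therefore stays untouched.
PERMISSIONS = [("10.10.1.1", "tcp", 21, False),
               ("10.10.2.2", "tcp", 80, False),
               ("10.10.3.3", "udp", 53, True)]
TOPOLOGY = {"10.10.1.1": "10.10.1.0/24", "10.10.2.2": "10.10.2.0/24"}

if __name__ == "__main__":
    for label, addr_mode, svc_mode, opts in [
            ("netmask /16, by TCP", "by Netmaskable Network", "by TCP",
             dict(netmask_bits=16)),
            ("netmask /16 restricted to topology, by TCP and UDP",
             "by Netmaskable Network", "by TCP and UDP",
             dict(netmask_bits=16, topology=TOPOLOGY, restricted=True)),
            ("by Any, services kept", "by Any", "No", {})]:
        rules, extra = broaden(PERMISSIONS, addr_mode, svc_mode, **opts)
        print(f"{label}: {len(rules)} rules, {extra} extra addresses permitted")
        for r in rules:
            print("   ", *r)
```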

12.2.2. Virtual System

Option / Description

Container Name
  Specifies the name of the container/VirtualSystemBox that contains this virtual system.
  You must have configured the container device with virtual systems for SCM to be able to communicate with it.

12.2.3. Authentication

This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.

Enabled Authentication Schemes

Use this view to enable the different types of authentication servers with which the PEP may communicate.

Option / Description

S/Key
  Indicates if the PEP will prompt the user to enter his/her S/Key during authentication (not on NG AI).

VPN-1 and FireWall-1 Password
  Indicates if the PEP will prompt the user to enter his/her internal Check Point(TM) FireWall-1(R) password during authentication.

SecurID
  Indicates if the PEP will prompt the user to enter the number shown on the SecurID card during authentication.

RADIUS
  Indicates if the PEP will prompt the user to answer the RADIUS question during authentication. The question is defined on a RADIUS server.

TACACS
  Indicates if the PEP will prompt the user to answer the TACACS question during authentication. The question is defined on a TACACS or TACACS+ server.

OS Password
  Indicates if the PEP will prompt the user to enter his/her operating system password during authentication.

Authentication Settings

Use this view to configure how the PEP behaves during authentication sessions.

Option / Description

User Authentication Session Timeout (min)
  Indicates the number of minutes after which the PEP closes the authentication session.

Enable wait mode for Client Authentication
  If the user opens an authentication session over telnet on port 259, this option indicates if the PEP will keep the telnet session open during the time the authentication session is open.
  If you select this option, the PEP will close the authentication session when the telnet session closes.
  If you do not select this option, the PEP will close the telnet session once the user signs on, and the user will have to reopen the telnet session to sign off.

Authentication Failure Track
  Indicates how the PEP will react to errors during authentication.
  * Choice "None"
    The PEP will not inform the user of errors.
  * Choice "Log"
    The PEP will log errors.
  * Choice "Popup Alert"
    The PEP will open a popup window; you can define the popup alert once in the Check Point(TM) FireWall-1(R) software Global properties window, and afterwards reference it from SCM Server.
  * Choice "Mail Alert"
    The PEP will send an email of the error.
  * Choice "SNMP Trap Alert"
    The PEP will send an SNMP alert.
  * Choice "User defined alert no."
    The PEP will send a user-defined alert; you can define alerts once using the Check Point(TM) FireWall-1(R) software, and afterwards reference them from SCM Server.

HTTP Security Server

Use this view to configure how the PEP communicates with its associated HTTP security server.

Option / Description

Use Next Proxy
  Indicates whether there is an HTTP proxy server behind the Check Point(TM) FireWall-1(R) HTTP Security Server.

HTTP Next Proxy
  The host name and port number of the HTTP proxy server.

12.3. Policy Learning Mode
Use this view to change the policy of a device and open it sufficiently to guarantee that the flows will pass until complete policy discovery has been made by the security team.

Option Description

Enable Policy Learning Mode
* Choice "Yes"

Indicates that Policy Learning Mode is enabled.

* Choice "No *"

Indicates that Policy Learning Mode is disabled.

Log Level for Allow Rule
* Choice "None *"

Disables logging.

* Choice "Default"

Triggers the logging of any IP packet matching the default policy, to the default log level of the current PEP type.

Note: Some PEPs allow selection of different log levels.

12.4. Common Interface Options
Use this view to manage options that are common to all the PEP's interfaces.

Option Description

Generate ICMP Error Message
* Choice "Yes"

Sets the error option for all interfaces on the PEP. This option triggers the transmission of the error message ICMP unreachable, for any IP packet that is not authorized by the filters. This action is carried out for both incoming and outgoing interface traffic.

* Choice "No *"

The error option is not set.

Log Level for the Default Rule
Sets the log level for the default rule for all interfaces on the PEP. This option will not show packets transiting in violation of a specific denial. To see that information, you must set the Log option on the Permission Properties window: Log view, or on the concerned interface.

* Choice "None *"

Disables logging.

* Choice "Default"

Triggers the logging of any IP packet matching the default policy, to the default log level of the current PEP type.

Note: Some PEPs allow selection of different log levels.

Application Point
* Choice "Incoming *"

The filters will be generated for the packets entering the interface.

* Choice "Outgoing"

The filters will be generated for the packets leaving the interface.

* Choice "Both Directions if Possible"

SCM Server will choose the application point with respect to the PEP capabilities and the PEP options settings.

Allow Forwarding
Indicates if this device will perform forwarding.

Enable this option to allow the device to forward packets.

12.5. Interface Options
Use this view to manage the options for a single interface.

Option Description

Upload Target
* Choice "Yes *"

Specifies that the selected interface will be used for uploading filter files.

* Choice "No"

Specifies that the selected interface is not to be used for uploading filter files.

Interface Type
Indicates if the interface's purpose is to filter or to sniff the packets.

* Choice "Filtering Interface"

The interface only does packet filtering.

* Choice "Sensor"

The interface only does packet sniffing.

* Choice "Sensor + Filtering Interface"

The interface can do both.

Is Loopback Interface
Specifies if this interface is a "loopback" interface.

A loopback is a special type of interface used to represent a virtual range of IP addresses. This may be useful, for example, when your device is connected to the internet through two redundant ISPs. The loopback interface can be used to accept outside connections, which it then routes to one of the real interfaces.

Note: SCM Server will not allow you to connect a loopback interface to any object.

Policy Learning Mode
* Choice "Yes"

Indicates that Policy Learning Mode is enabled on this interface.

* Choice "No *"

Indicates that Policy Learning Mode is disabled on this interface.

Log Level for Deny Rules
* Choice "None *"

Disables logging.

* Choice "Default"

Triggers the logging of any IP packet matching a deny rule, to the default log level of the current PEP type.

Some PEPs allow selection of different log levels.

Managed
* Choice "Yes *"

Specifies that filters will be produced for this interface and the configuration of the interface will be managed by SCM Server.

* Choice "No"

Specifies that no filters will be produced for this interface and the configuration of the interface will not be managed by SCM Server.

Allow Forwarding
Indicates if this interface will perform forwarding.

Enable this option to allow the interface to forward packets.

Use as Tunnel Peer
Indicates if this interface can be used to mount a tunnel.

* Choice "Always"

Indicates that the PEP will always try to use this interface when mounting a tunnel.

* Choice "Never"

The PEP will never try to use this interface when mounting a tunnel.

* Choice "Automatic *"

SCM Server will choose either "always" or "never" depending on whether the interface forms part of a possible path for the tunnel.

Note: You should only need this option if you use Tunnel Groups.

Application Point
* Choice "Incoming *"

Only incoming filters will be applied.

* Choice "Outgoing"

Only outgoing filters will be applied.

* Choice "Device Default"

Incoming/outgoing filters are applied according to the value as specified in the Interfaces: Options View.

* Choice "Both Directions if Possible"

SCM Server will choose the application point according to the PEP capabilities and the PEP options settings.

Interface is external (leads out to the Internet)
Specifies that the interface leads to the Internet. This means that IP addresses behind this interface will not be counted in the license enforcement.

12.5.1. Security Profile

Use this view to select the level of security on this interface. By default, the interface's profile is set to maximum security.

Common Security Parameters

Use this view to configure common security parameters for this interface.

Option Description

Disable Filtering
* Choice "Device Default *"

This option uses the value set in the General Options: Security Profile: Common Security Parameters view.

* Choice "No"

SCM Server will generate filters for this interface.

* Choice "Yes"

SCM Server will generate a permit any any rule on this interface.

By disabling the filtering on one (or several) interface(s), you create a rule that permits all flows, which can reduce the level of security, but improves performance.

Note: This option will not disable the "Securing PEP" and "Anti-Spoofing" filters. To disable those filters as well:

- choose "No" in the "Generate Anti-Spoofing" option

- in the General Options: Security Profile: Common Security Parameters view, enable the option "Suppress Securing PEP".

Generate Anti-Spoofing
Lets you choose if the PEP or SCM Server should generate anti-spoofing rules.

* Choice "Yes *"

The PEP will generate anti-spoofing rules.

* Choice "No"

The PEP will not generate anti-spoofing rules.

* Choice "Unmanaged"

Takes the computed anti-spoofing into account, but does not generate the related configuration, so that the anti-spoofing defined on the SmartCenter is not changed by the upload.

Spoof Tracking
Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated and how information about spoofed connections should be logged.

* Choice "Device Default *"

* Choice "None"

* Choice "Log"

* Choice "Alert"

* Choice "Disabled"

Disables the anti-spoofing option.


Replace Address

Use this view to set a limit on the optimizations SCM Server makes on addresses, on a single interface only.

SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "On Address" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.

Option Description

Replace Source
This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.

To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view.

Note: if your permission includes logging, time or authorization actions, the optimization will not occur.

* Choice "by Netmaskable Network"

Indicates that SCM Server will attempt to replace the source IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Source Network Netmask field, below.

* Choice "by Any"

Indicates that SCM Server will replace the source IP addresses of the permissions that this interface manages by Any.

In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Source Network Netmask
Allows you to enter the netmask to apply to source permissions.

Restrict Source Replacement to Topology
When used with the above option, this option will restrict the enlargement to the address of the network from which each permission originates, in your policy map.

Replace Destination
This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.

To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view.

Note: if your permission includes logging, time or authorization actions, the optimization will not occur.

* Choice "by Netmaskable Network"

Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.

* Choice "by Any"

Indicates that SCM Server will replace the destination IP addresses of the permissions that this interface manages by Any.

In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Destination Network Netmask
Allows you to enter the netmask to apply to destination permissions.

Restrict Destination Replacement to Topology
When used with the "Enlarge Destination to Netmaskable Address" option, this option will restrict the enlargement to the address of the network where each permission terminates, in your policy map.

Replace Service

Use this view to set a limit on the optimizations SCM Server makes on services, on a single interface only.

SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "On Service" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.

Option Description

Replace Service
This is an optimization that enlarges the service of a permission on one interface. For example, an http and an ftp permission may be enlarged to tcp. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.

* Choice "No *"

Will not enlarge services. This option maintains the highest level of security.

* Choice "by TCP"

Replaces TCP permissions by TCP.

* Choice "by UDP"

Replaces UDP permissions by UDP.

* Choice "by TCP and UDP"

Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions.

A TCP-based permission will be replaced by two permissions: a permit TCP and a permit UDP. A UDP-based permission will also be replaced by two permissions: a permit TCP and a permit UDP.

* Choice "by IP"

Replaces permissions by IP.

* Choice "by Any"

Replaces all permissions by Any.
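The following Python is an added example, not LogLogic's or Check Point's code: it models the address broadening of the Replace Address view (including the "Restrict ... Replacement to Topology" cap) and the service broadening of the Replace Service view, and counts how many addresses the broadened filters permit beyond those the policy named, which is the security cost both views warn about. The service catalogue, the policy map and the three permissions are constructed sample data.

```python
# Added example, not LogLogic's code: models the Replace Address and Replace
# Service optimizations and measures how far the result reaches past the policy.
from dataclasses import dataclass
from ipaddress import IPv4Network, collapse_addresses, ip_network
from typing import Iterable, Optional, Sequence, Union

# Constructed service catalogue: service name -> IP protocol it runs over.
SERVICE_PROTO = {"http": "tcp", "ftp": "tcp", "ssh": "tcp",
                 "dns": "udp", "ntp": "udp", "icmp": "icmp"}

# Replace Source / Destination choices: None = no replacement, int = "by
# Netmaskable Network" with that prefix length (the Netmask field), "any" = "by Any".
AddressMode = Union[None, int, str]

@dataclass(frozen=True)
class Permission:
    src: str       # host or network in CIDR form, e.g. "10.10.1.1"
    dst: str
    service: str   # a key of SERVICE_PROTO

def origin_network(addr: IPv4Network,
                   topology: Sequence[IPv4Network]) -> Optional[IPv4Network]:
    """Policy-map network containing addr ('Restrict ... Replacement to Topology')."""
    for net in topology:
        if net.supernet_of(addr):
            return net
    return None

def broaden_address(addr: str, mode: AddressMode,
                    topology: Optional[Sequence[IPv4Network]] = None) -> IPv4Network:
    """Replace one address the way the Replace Address view describes."""
    net = ip_network(addr, strict=False)
    if mode is None:
        return net
    if mode == "any":
        return ip_network("0.0.0.0/0")
    if mode >= net.prefixlen:
        return net                      # the netmask would not enlarge anything
    broad = ip_network(f"{net.network_address}/{mode}", strict=False)
    if topology is not None:
        origin = origin_network(net, topology)
        # Never grow past the map network the permission originates from.
        if origin is not None and broad.supernet_of(origin):
            broad = origin
    return broad

def broaden_service(service: str, mode: str) -> frozenset:
    """Replace one service the way the Replace Service view describes."""
    proto = SERVICE_PROTO[service]
    if mode == "by Any":
        return frozenset({"any"})
    if mode == "by IP":
        return frozenset({"ip"})
    if mode == "by TCP and UDP" and proto in ("tcp", "udp"):
        return frozenset({"tcp", "udp"})   # one permission becomes two
    if mode == "by TCP" and proto == "tcp":
        return frozenset({"tcp"})
    if mode == "by UDP" and proto == "udp":
        return frozenset({"udp"})
    return frozenset({service})            # "No", or the mode does not apply

def broaden_policy(perms: Iterable[Permission], src_mode: AddressMode = None,
                   dst_mode: AddressMode = None, service_mode: str = "No",
                   topology: Optional[Sequence[IPv4Network]] = None) -> set:
    """Apply all three optimizations; identical results collapse into one filter."""
    filters = set()
    for p in perms:
        src = broaden_address(p.src, src_mode, topology)
        dst = broaden_address(p.dst, dst_mode, topology)
        for svc in broaden_service(p.service, service_mode):
            filters.add((src, dst, svc))
    return filters

def extra_addresses(perms: Iterable[Permission], filters: set, side: str = "src") -> int:
    """Addresses permitted on one side beyond those the policy named (the security cost)."""
    idx = 0 if side == "src" else 1
    named = {ip_network(getattr(p, side), strict=False) for p in perms}
    named_count = sum(n.num_addresses for n in collapse_addresses(named))
    broad_count = sum(n.num_addresses for n in collapse_addresses({f[idx] for f in filters}))
    return broad_count - named_count

# Constructed sample policy and policy map.
SAMPLE = [Permission("10.10.1.1", "192.168.5.10", "http"),
          Permission("10.10.2.2", "192.168.5.10", "ftp"),
          Permission("10.10.1.7", "192.168.5.10", "dns")]
POLICY_MAP = [ip_network("10.10.0.0/16"), ip_network("192.168.5.0/24")]

if __name__ == "__main__":
    loose = broaden_policy(SAMPLE, src_mode=16, service_mode="by TCP")
    print(len(broaden_policy(SAMPLE)), "filters ->", len(loose), "filters")
    print("extra source addresses permitted:", extra_addresses(SAMPLE, loose))
```

With the sample data, a /16 source netmask plus "by TCP" shrinks three permissions to two filters while permitting 65533 source addresses the policy never named; the topology cap keeps an /8 netmask from growing past the 10.10.0.0/16 network on the map.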

12.5.2. IP Addresses

Use this view to set the interface's IP addresses.

Static IP Addresses

Use this section to configure the interface's static IP addresses.

Option Description

Interface IP Addresses
Specifies the static IP address of the interface.

Dynamic Addresses Pool

Use this section to configure the interface's dynamic IP addresses.

Option Description

Dynamic Addresses Pool
Specifies the pool of IP addresses from which the interface will get its IP address.

IP Addresses

Use this view to configure the interface's IP addresses.

Option Description

Use Dynamic Addresses
Specifies whether this interface will have static or dynamic IP addresses.

Dynamic Addresses from
Indicates the range from which the PEP can pick an IP address to assign to the interface.

* Choice "Network"

The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.

* Choice "Any"

The PEP can assign any IP address to the interface.

* Choice "User defined pool"

The PEP can assign any address from the pool that you define in the Interface View.

DHCP Server
Indicates the range from which the PEP can pick an IP address to assign to the interface.

* Choice "Network"

The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.

* Choice "Any"

The PEP can assign any IP address to the interface.

* Choice "User defined pool"

The PEP can assign any address from the pool that you define in the Interface View.

Resolve IP Address Using
When you use dynamic interface addresses, this option indicates how SCM Server will resolve the interface's address when it is uploading the PEP's configuration.

* Choice "PEP FQDN"

To resolve the address, SCM Server will contact the DNS server that you specified in the FQDN field of the "PEP Properties > General" Options View.

* Choice "Interface Specific FQDN"

To resolve the address, SCM Server will contact the DNS server that you specify in the "Specify Interface FQDN" option below.

* Choice "Prompt IP Address"

SCM Server will prompt the user for the interface's IP address at the moment of upload.

Interface FQDN
Enter the fully qualified domain name of the DNS server that SCM Server will contact to resolve this interface's IP address.

12.6. VPN Options
Use this view to configure the main cryptographic characteristics of a VPN tunnel.

Option Description

NULL Encryption Enabled
Indicates if the NULL algorithm is enabled.

DES Encryption Enabled
Indicates if this algorithm is enabled.

3DES Encryption Enabled
Indicates if this algorithm is enabled.

CAST Encryption Enabled
Indicates if this algorithm is enabled.

AES-128 Encryption Enabled
Indicates if this algorithm is enabled.

AES-256 Encryption Enabled
Indicates if this algorithm is enabled.

12.6.1. IKE Capabilities

Use this view to consult a VPN's IKE capabilities.

Option Description

Maximum Proposals Allowed
Indicates the maximum number of IKE proposals before the device considers the key exchange failed.

Minimum Lifetime (seconds)
Indicates the minimum lifetime of the exchanged keys.

Maximum Lifetime (seconds)
Indicates the maximum lifetime of the exchanged keys.

Pre-Shared Key Method Enabled
Indicates that the pre-shared key method is enabled when the device performs key exchange.

RSA Sig Key Method Enabled
Indicates that the RSA-Signature method is enabled when the device performs key exchange.

SHA-1 Hash Enabled
Indicates that the SHA-1 algorithm is enabled when the device performs key exchange.

MD5 Hash Enabled
Indicates that the MD5 algorithm is enabled when the device performs key exchange.

DH Group 1 Enabled
Indicates that the Diffie-Hellman group 1 is enabled when the device performs key exchange.

DH Group 2 Enabled
Indicates that the Diffie-Hellman group 2 is enabled when the device performs key exchange.

DH Group 5 Enabled
Indicates that the Diffie-Hellman group 5 is enabled when the device performs key exchange.

12.6.2. IPSec Capabilities

Use this view to consult a VPN's IPSec capabilities.

Option Description

Maximum Proposals Allowed
Indicates the maximum number of IPSec proposals before the device considers the authentication failed.

Minimum Lifetime (seconds)
Indicates the minimum lifetime of the IPSec session.

Maximum Lifetime (seconds)
Indicates the maximum lifetime of the IPSec session.

HMAC-SHA-1 Authentication Enabled
Indicates that the HMAC-SHA-1 algorithm is enabled when the device performs IPSec authentication.

HMAC-MD5 Authentication Enabled
Indicates that the HMAC-MD5 algorithm is enabled when the device performs IPSec authentication.

AH Protocol Enabled
Indicates that the AH protocol is enabled when the device performs IPSec authentication.

ESP Protocol Enabled
Indicates that the ESP protocol is enabled when the device performs IPSec authentication.

Deflate Compression Enabled
Indicates that the Deflate compression algorithm is enabled when the device performs IPSec authentication.

12.6.3. Remote Access VPN

Use this view to configure the PEP's Remote Access VPN options.

Option Description

User Group Global Pool
The PEP will use the address pool in this field to assign addresses to users who connect from a remote location. Enter this address pool as a netmask, for example 10.1.1.0/24.

User Group Global Pool Lease Time (minutes)
Enter the time, in seconds, that the Remote Access client will use its assigned IP address. When this time elapses, the client will request a new address from the PEP. The default value 600 equals 10 minutes.

Set Optional Office Mode Parameters
Allows you to set additional options for the user group pool, such as DNS and WINS addresses.

Primary DNS
Enter the address of the primary DNS server for the remote users.

First Backup DNS
Enter the address of the first backup DNS server for the remote users.

Second Backup DNS
Enter the address of the secondary backup DNS server for the remote users.

Primary WINS
Enter the address of the primary WINS server for the remote users.

First Backup WINS
Enter the address of the first backup WINS server for the remote users.

Second Backup WINS
Enter the address of the secondary backup WINS server for the remote users.

Domain Name
Enter the domain name of the remote users. This should match your internal network's domain.

Perform an organized shutdown of tunnels upon gateway restart
Allows the PEP to keep an authentication session open with a remote access VPN client even if the PEP restarts.

Perform anti-spoofing on pool addresses
Indicates that the PEP will perform anti-spoofing on all pool addresses.

Support connectivity enhancement for gateways with multiple external interfaces
Allows the PEP to resolve traffic from one Remote Access client to another. If your PEP has only one external interface, you should disable this option to get better performance. If your PEP has multiple interfaces, you should enable this option to allow different remote users to communicate.

12.7. Upload Configuration
Use this view to configure how SCM Server uploads your work to the device.

Option Description

SIC Authentication Key
Represents the password that will also be used when defining the module in the module configuration using the cpconfig utility. This is a one-time password that is used to set up or re-establish a trust relationship between the Module and the SmartCenter Server. It is the SAME Activation Key as you entered when configuring the Module.

This key will be enforced on the management server when the trust state of the communication with the module is "Uninitialized" or "Initialized but trust not established".

12.8. Tunnel Peer Options
This view lets you configure one of the tunnel endpoints.

On client-to-gateway tunnels, this view lets you configure the mapped user group's IP address pool.

On GRE tunnels, you can use this view to configure how the PEP sets up the tunnel IP addresses.

Option Description

Generate Static Routing
* Choice "Yes"

Indicates that SCM Server will generate the routing for the tunnel. This may conflict with pre-existing routing that you entered on the device.

* Choice "No *"

Does not generate routing for the tunnel. Use this option if you have pre-existing routing on the device.

* Choice "Comment"

SCM Server generates the routing in the .app file, but the rules are commented out. Use this option if you want to verify the rules before uploading them.

Auto Generate Tunnel IP Address
Indicates if SCM Server will automatically choose an IP address for the tunnel interfaces.

You can choose the range SCM Server will use for these addresses in the Properties for the Current Policy > GRE Parameters for Automation > Tunnel interfaces IP address ranges view.

IP Address
Lets you manually enter an IP address for the tunnel.

Netmask
For information: this is the netmask SCM Server uses to construct the networks for the interfaces on GRE tunnels.

Support NAT-Traversal
Lets the VPN client connect to the server PEP via UDP through a firewall or router using NAT.

NAT-Traversal Service
Defines the service to use if you allow IPSec over UDP.

Tunnel
Lets you choose to use split-tunneling.

* Choice "Only Trust Zone *"

If you choose this option, the remote user will not go through the tunnel when he/she accesses an address outside the tunnel's trust zone. You can define this trust zone; see the documentation on the Zone Editor in the Security Change Manager Designer User Guide for more information.

* Choice "Everything"

Choose this option to force all traffic through the tunnel. For example, the remote users will have to go through the tunnel to surf the internet.

* Choice "Everything except local addresses"

Choose this option to allow addresses on the remote user's local network to pass outside the tunnel. For example, this option lets the remote user access his or her local printer without passing through the VPN.

12.8.1. Interface

Use this view to select the interfaces to which the tunnel can connect.

Option Description

Interface
Use this view to select the interfaces to which the tunnel can connect.

12.9. Authentication User Definition
Use this view to manage the list of PEPs that will authenticate users of this permission. Add an item to the tree list to see the configurable views.

Option Description

Type
* Choice "Client Auth *"

Indicates that the PEP will authenticate each user with a specific IP address who attempts to make this connection. If two users connect from the same IP address, the PEP will only authenticate once.

* Choice "Session Auth"

Indicates that the PEP will authenticate each service over which a user attempts to make this connection. The PEP intercepts each connection and activates a session authentication agent to get the user's password. The agent may run on the source, the destination, or another host.

* Choice "User Auth"

Works for FTP, HTTP, RLOGIN and TELNET. This option indicates that the PEP will authenticate each user who attempts to make this connection, regardless of the user's IP address. The authentication method is built in to these protocols.

HTTP Servers
If you choose User Auth, you can restrict users to a set of HTTP servers.

* Choice "All *"

Indicates that the PEP will not restrict user access to any HTTP servers.

* Choice "Predefined"

Indicates that the PEP will restrict user access to those servers that you defined in the Check Point(TM) FireWall-1(R) Management Server properties > General options > Security server > HTTP servers view.

Contact Agent At
Indicates where the authentication agent is located. The authentication agent is usually a piece of software that checks the user's login and password. The agent may reside either on the user's machine, or at a remote location. This option tells the PEP where to contact the authentication agent when validating a user's attempt to connect.

* Choice "Src *"

The PEP will contact the authentication agent at the permission's source.

* Choice "Dst"

The PEP will contact the authentication agent at the permission's destination.

* Choice "Host"

This option lets you choose a different PEP, which the authenticating PEP will contact when validating a user's connection.

This option applies to Session Authentication only.

See the Check Point(TM) FireWall-1(R) documentation on "Session Authentication" for more information.

PEP
Lets you choose the PEP on which the authentication agent is running.

This option applies to Session Authentication only.

Query User Identity from UserAuthority
Indicates that the PEP will contact UserAuthority to authenticate the user. To use this feature, you must have configured UserAuthority in your Check Point(TM) product.

See the Check Point(TM) documentation on UserAuthority for more information.

This option applies to Session Authentication only.

Apply Rule Only if Desktop Configuration Options are Verified
The PEP will verify that the SmartDashboard desktop is properly configured before applying the rule.

For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.

Required Sign On
Applies to Client Authentication only.

* Choice "Standard *"

When the user signs on, the PEP permits all services to all destination hosts.

* Choice "Specific"

The PEP forces the user to specify each service and destination host to which he or she wants to connect.

Sign On Method
* Choice "Manual *"

The PEP will require the user to initiate the Client Authentication session over TELNET on port 259 or over HTTP on port 900.

* Choice "Partially automatic"

The PEP will require the user to initiate the Client Authentication session as above, unless the user requests an RLOGIN, TELNET, HTTP or FTP service.

* Choice "Fully automatic"

If the user connects over RLOGIN, TELNET, HTTP or FTP, the PEP will sign on the user through User Authentication. For other services, the PEP will sign on the user through Session Authentication.

* Choice "Agent automatic sign-on"

If the Session Authentication Agent is installed on the client, the PEP will sign on the user through the Session Authentication Agent.

* Choice "Single sign-on"

The PEP will verify the user name with the UAM server, before deciding whether to allow the connection to continue.

Successful Authentication Tracking
* Choice "None *"

The PEP will not track the sign-on session.

* Choice "Log"

The PEP creates a log of the authentication session.

* Choice "Alert"

The PEP will launch the Authentication Alert command that you specify in the Check Point(TM) FireWall-1(R) SmartCenter Global Properties window.

Authorization Timeout
Indicates the amount of time that a user's connection will be available after he/she performs client authentication.

* Choice "Indefinite *"

The user's connection will be available until he/she explicitly signs off, or the administrator resets the firewall.

* Choice "Specific"

Lets you enter a specific timeout.

Hours
Lets you enter the number of hours that a client-authenticated connection will be available.

Minutes
Lets you enter the number of minutes that a client-authenticated connection will be available.

Refreshable Timeout
Indicates if the timeout countdown restarts upon each new connection.

For example, if connection #1 has already been up for 1 hour, and the user makes connection #2, the timeout will restart counting at zero.

Number of Sessions Allowed
Indicates the number of connections the user can make within a single client authentication session.

Number of Sessions
Lets you enter the number of sessions.

12.9.1. flowListIn

Option Description

mugpep1_flow

mugpep2_flow

12.9.2. flowListOut

Option Description

pepmug1_flow

pepmug2_flow

12.9.3. flowListExternal

Option Description

sessionAuth_flow


Chapter 13. Check Point FireWall-1 Cluster Properties Windows

13.1. Description ..... 113
13.2. General Options ..... 113
13.2.1. Security Profile ..... 115
Common Security Parameters ..... 116
Replace Address ..... 119
Replace Service ..... 120
13.2.2. Authentication ..... 121
Enabled Authentication Schemes ..... 121
Authentication Settings ..... 122
HTTP Security Server ..... 123
13.3. Cluster Options ..... 123
13.3.1. Availability Parameters ..... 123
13.3.2. Synchronization ..... 126
Synchronization Networks ..... 126
13.4. Policy Learning Mode ..... 126
13.5. Common Interface Options ..... 127
13.6. Interface Options ..... 128
13.6.1. Security Profile ..... 130
Common Security Parameters ..... 130
Replace Address ..... 131
Replace Service ..... 132
13.6.2. IP Addresses ..... 133
Static IP Addresses ..... 133
Dynamic Addresses Pool ..... 133
IP Addresses ..... 134
13.7. VPN Options ..... 135
13.7.1. IKE Capabilities ..... 135
13.7.2. IPSec Capabilities ..... 136
13.7.3. Remote Access VPN ..... 136
13.8. Tunnel Peer Options ..... 137
13.8.1. Interface ..... 139
13.9. Authentication User Definition ..... 139
13.9.1. flowListIn ..... 142
13.9.2. flowListOut ..... 142
13.9.3. flowListExternal ..... 142

13.1. Description

Note
    Allows you to enter a description of the current PEP.

13.2. General Options

Use this view to examine and modify general PEP options.

113

Page 128: Checkpoint FireWall 1

Managed
    Clearing this option indicates that no filters will be produced for this Cluster. The Cluster icon is then displayed with a red slash to identify it as unmanaged.

Apply Flow To/From PEP on Relevant Interfaces Only
    Enables you to choose how the PEPs in the Cluster apply flows to their various interfaces.
    * Choice "Yes *"
      Limits an authorized flow that has the PEP as its destination, so that packets arriving through one interface cannot reach any other interface of the PEP.
    * Choice "No"
      Enables an authorized flow that has the PEP as its destination to reach all interfaces of the PEP.
    This setting is a general default which can be overridden for a specific instance using the Permission Properties window: Global Properties View.

Has IPSec Module
    * Choice "Yes"
      Indicates that the device supports the IPSec module for VPNs.
    * Choice "No"
      Indicates that the device does not support IPSec.

Enforce Time Filtering
    Specifies whether the PEPs in the Cluster are to perform time filtering. This option is only available on PEPs that are capable of performing time filtering. For further information on Time Filtering, see the SCM User Guide.

Generate NAT Rules
    * Choice "Yes *"
      NAT rules are generated by the compiler and included in the filters. A warning message is displayed if any of the PEPs in the cluster cannot implement the rules.
    * Choice "Comment"
      NAT rules are written to the filters file as comments and ignored by the upload module.
    * Choice "No"
      NAT rules are not generated.
    At upload time, when the No or Comment option is selected, the rule modifications are uploaded to the devices without changing the existing NAT rules (if any exist). This matters because NAT rules are changed much less often than other filtering rules, and rewriting them interrupts communication. However, the compiler still takes the NAT rules into account when generating the filters for the PEPs beyond the NAT application point.

Check Point Suite Type
    Indicates which Check Point(TM) product you use. This should match the version you installed.

VSX Type
    Lets you choose the type of VSX device.
    * Choice "Cluster *"
      The VSX device will be a VSX cluster.
    * Choice "Virtual System"
      The VSX device will be a virtual system.

13.2.1. Security Profile

Use this view to select the PEP's level of security. By default, the PEP's profile is set to maximum security.

Security Level
    Lets you choose the default level of security that SCM Server will generate for this PEP. You can choose to generate faster configurations on certain PEPs at the expense of reduced security.
    * Choice "Custom Filtering *"
      Lets you choose a custom level of filtering by setting options in the Replace Address or Replace Service views.
    * Choice "Deny few, Permit all"
      Same as "Custom Filtering" but with the default policy set to "Permit".
    * Choice "Full Filtering"
      Configures the PEP parameters to offer maximum security. The parameters in the Common Security Parameters view are set to their most secure values and locked to prevent changes. This option also prevents you from choosing the Broad Filtering option (see the Replace Address and Replace Service nodes).
    * Choice "PEP Access Security Only"
      Disables filtering on this PEP, except for the rules that protect the PEP itself. The PEP will allow all traffic to pass through it, but will not allow unauthorized access to itself.
    * Choice "No Filtering"
      Disables filtering, and reduces security on this PEP to zero.

Broad Filtering
    Lets you enable faster configurations at the expense of reduced security. You must set Security Level to "Custom Filtering" to use this option.
    * Choice "Disabled *"
      Filtering is not broadened, and security is at its highest level.
    * Choice "By Address"
      Reveals the Replace Address view, which lets you configure broad filtering by address.
    * Choice "By Service"
      Reveals the Replace Service view, which lets you configure broad filtering by service.

Common Security Parameters

Use this view to configure common security parameters for the PEP.

Suppress Filtering on TCP Direction
    Sets up the flow rules so that returning traffic is matched on the TCP "ack" (acknowledge) flag.
    * Choice "Yes *"
      Only packets belonging to an established connection (ack flag set) are permitted to flow back through the PEP.
    * Choice "No"
      The filtering rules will not verify the ack flag. These filters are more compact but more permissive for the return traffic, which can degrade security: a new connection opened from the far side, using the permitted service port as its source port, matches the return rule.
    Attention: This option should be modified by an expert user only.

Suppress Filtering on ICMP Message Type
    * Choice "Yes *"
      The PEP filters by ICMP message type.
    * Choice "No"
      The PEP does not filter by ICMP message type.

'Securing PEP' rules
    * Choice "Yes *"
      Denies access to the PEP's interface addresses, except for the default administration flows, thereby securing the PEP.
    * Choice "No"
      Permits access to the PEP's interface addresses.
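The following is an added example, not code from this manual or from SCM: it models the forward and return rules that one TCP permission expands to, with the return rule either checking the ack flag ("Suppress Filtering on TCP Direction" set to Yes) or ignoring it (set to No), and runs two constructed packets through each variant. The networks, ports and packets are assumptions made for the example.

```python
"""Added example, not LogLogic/SCM code: the forward and return rules that one TCP
permission expands to, with the return rule either checking the ACK flag
('Suppress Filtering on TCP Direction' = Yes) or not (= No), and a stateless
matcher showing what each variant lets through.  Networks and packets are
constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool  # TCP ACK flag set


@dataclass(frozen=True)
class Rule:
    src: str  # network, e.g. "10.1.0.0/16"
    dst: str
    sport: Optional[int]  # None = any port
    dport: Optional[int]
    require_ack: bool  # match only packets with ACK set (replies of an established connection)

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (p.ack or not self.require_ack))


def compile_permission(client_net, server_net, port, check_ack):
    """One permission 'client_net -> server_net : tcp/port' becomes a forward rule
    and a return rule.  check_ack=True ("Yes"): the return rule accepts only
    packets with ACK set.  check_ack=False ("No"): the return rule ignores the flag."""
    return [
        Rule(client_net, server_net, None, port, require_ack=False),
        Rule(server_net, client_net, port, None, require_ack=check_ack),
    ]


def permitted(rules, packet):
    """Stateless ACL: any matching permit rule passes the packet; otherwise the
    default deny applies."""
    return any(r.matches(packet) for r in rules)


# Constructed traffic: a legitimate HTTP reply, and a SYN sent *from* the server
# side with source port 80 toward SSH on a client, which is what the relaxed
# return rule lets through.
REPLY = Packet("10.2.0.5", "10.1.0.7", 80, 40000, ack=True)
SYN_FROM_SERVER_SIDE = Packet("10.2.0.5", "10.1.0.7", 80, 22, ack=False)


def demo():
    strict = compile_permission("10.1.0.0/16", "10.2.0.0/16", 80, check_ack=True)
    relaxed = compile_permission("10.1.0.0/16", "10.2.0.0/16", 80, check_ack=False)
    return {
        "reply, ack checked": permitted(strict, REPLY),
        "reply, ack ignored": permitted(relaxed, REPLY),
        "syn from server side, ack checked": permitted(strict, SYN_FROM_SERVER_SIDE),
        "syn from server side, ack ignored": permitted(relaxed, SYN_FROM_SERVER_SIDE),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'permit' if ok else 'deny'}")
```

The reply passes under both settings; only the relaxed variant also passes the SYN that a host on the server side sends with source port 80, which is the exposure the Attention note above refers to.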

Suppress 'Internet Restriction'
    Indicates whether SCM Server adds extra deny filters when the Internet object is defined as "Any". This option is activated by selecting "No" for the Expand Internet option in the PEP window: General Options View.
    * Choice "Yes *"
      Any permission you draw to/from Internet causes the compiler to implicitly generate all the denies needed to prevent that permission from applying to/from the internal addresses.
    * Choice "No"
      Any permission you draw to/from Internet will also implicitly allow permissions to/from all other internal addresses, which may lead to lower security.
    Attention: This option should be modified by an expert user only.

Expand Internet
    This optimization option controls how SCM Server defines the Internet object. It can create very finely-tuned filters, but at the price of increased size.
    * Choice "Yes"
      SCM Server uses a more precise, "expanded" definition of Internet: "all addresses outside the internal networks". This creates very fine, but slower, filters.
    * Choice "No *"
      SCM Server defines Internet as "Any". The generated filters are faster, but less secure.
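An added example, not code from this manual or from SCM, that makes the size/security trade-off of the two options above concrete: it computes the "expanded" Internet object as the complement of the internal networks (one filter line per netmaskable block), and compares it with Internet = "Any" with and without the implicit denies of Suppress 'Internet Restriction'. The internal networks, the source host and the probe addresses are assumptions made for the example.

```python
"""Added example, not LogLogic/SCM code: how the Internet object differs under
Expand Internet = "Yes" (complement of the internal networks, many filter lines)
and = "No" (Any, one line), and what the implicit denies of
Suppress 'Internet Restriction' = "Yes" add in the second case.  The internal
networks, source host and probe addresses are constructed for the example."""
from ipaddress import ip_address, ip_network, collapse_addresses

INTERNAL = ["10.0.0.0/8", "192.168.0.0/16"]  # constructed internal networks of the map


def expand_internet(internal):
    """'Expanded' Internet: every address outside the internal networks, as a
    list of netmaskable blocks.  Each block becomes one filter line, which is
    why this definition produces larger (slower) filters."""
    blocks = [ip_network("0.0.0.0/0")]
    for net in map(ip_network, internal):
        remaining = []
        for b in blocks:
            if net.subnet_of(b):
                remaining.extend(b.address_exclude(net))  # carve the internal net out of b
            elif not b.subnet_of(net):
                remaining.append(b)  # untouched; blocks lying inside net are dropped
        blocks = remaining
    return list(collapse_addresses(blocks))


def compile_to_internet(src, internal, expand_internet_opt, suppress_restriction):
    """Filter lines, in order, for one permission 'src -> Internet', as
    (action, source, destination) tuples."""
    if expand_internet_opt:  # Expand Internet = "Yes"
        return [("permit", src, str(b)) for b in expand_internet(internal)]
    rules = []
    if suppress_restriction:  # Suppress 'Internet Restriction' = "Yes": implicit denies first
        rules += [("deny", src, n) for n in internal]
    rules.append(("permit", src, "0.0.0.0/0"))  # Internet = Any
    return rules


def verdict(rules, src, dst):
    """First matching line wins; no match means the default deny."""
    for action, s, d in rules:
        if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
            return action
    return "deny"


if __name__ == "__main__":
    src, external, internal_host = "10.1.0.7", "198.51.100.4", "10.0.0.9"
    for label, opts in [("expanded", (True, True)), ("Any + implicit denies", (False, True)),
                        ("Any, restriction suppressed", (False, False))]:
        rules = compile_to_internet(src, INTERNAL, *opts)
        print(f"{label}: {len(rules)} lines; {external}: {verdict(rules, src, external)};"
              f" {internal_host}: {verdict(rules, src, internal_host)}")
```

With two internal networks the expanded object already needs 22 filter lines where "Any" needs one; the implicit denies keep the "Any" variant from reaching internal hosts at the cost of two extra lines, and dropping them is what lets the permission reach 10.0.0.9.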

Default Rule
    Lets you change the default rule on this device. By default, SCM Server writes a "deny all" rule at the end of a device's configuration. With this option you can change this behavior so that SCM Server does not write a default "deny all" rule and, on this device, all access that is not explicitly denied is allowed.
    * Choice "Policy Default *"
      Uses the value defined in the Tools > Properties for the Current Policy window.
    * Choice "Deny"
      Keeps the standard behavior. Every access that is not defined is not allowed on this device.
    * Choice "Allow"
      Lets you easily define policies whose goal is to prohibit a given set of protocols in the network. If you choose "Allow", make sure that you explicitly deny every access you want to close, or that another device in series denies everything by default.

Generate Anti-Spoofing
    Lets you choose whether the PEP or SCM Server should generate anti-spoofing rules.
    * Choice "Yes *"
      The PEP will generate anti-spoofing rules.
    * Choice "No"
      The PEP will not generate anti-spoofing rules.
    * Choice "Unmanaged"
      Takes the computed anti-spoofing into account, but does not generate the related configuration, so that the anti-spoofing defined on the SmartCenter is not changed by the upload.

Spoof Tracking
    Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated, and how information about spoofed connections should be logged.
    * Choice "None *"
    * Choice "Log"
    * Choice "Alert"
    * Choice "Disabled"
      Disables the anti-spoofing option.

Enable Extended Cluster Anti-Spoofing
    When a cluster member communicates with another cluster member, the packets may pass from the source member's external interface, through the external (virtual) cluster interface, to the external interface of the destination cluster member. This could allow an address spoofing attack: a packet from the Internet carrying a member's address would be accepted as member-to-member traffic.
    Extended cluster anti-spoofing prevents this attack by allowing the cluster member to accept packets that actually originate on a cluster member, and rejecting spoofed packets that originate in the Internet. The cluster member does this by giving packets that it sends to another member a TTL (Time To Live) of 255, the highest possible value; a packet carrying a member's address but arriving with a lower TTL has crossed at least one router and is rejected.
    * Choice "Yes *"
      Enables extended cluster anti-spoofing.
    * Choice "No"
      Disables extended cluster anti-spoofing.
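An added example, not code from this manual or from SCM, of the checks the anti-spoofing options above describe: a per-interface topology check (a source address must arrive on the interface that leads to its network) extended with the TTL = 255 test for packets that claim to come from another cluster member. The interface names, topology networks, member addresses and sample packets are assumptions made for the example.

```python
"""Added example, not LogLogic/SCM code: an anti-spoofing check driven by the
interface topology, extended with the TTL = 255 test the manual describes for
packets exchanged between cluster members over the external (virtual) cluster
interface.  Interface names, topology networks, member addresses and the sample
packets are constructed for the example."""
from ipaddress import ip_address, ip_network

# Assumed topology: each internal interface lists the networks behind it; the
# external interface carries everything that is not internal.
INTERNAL_TOPOLOGY = {"eth1": ["10.1.0.0/16"], "eth2": ["10.2.0.0/16", "10.3.0.0/16"]}
EXTERNAL_IFACE = "eth0"
CLUSTER_MEMBERS = ["203.0.113.2", "203.0.113.3"]  # members' physical external addresses
MEMBER_TTL = 255  # TTL a member sets on packets it sends to another member


def _in_any(addr, nets):
    return any(ip_address(addr) in ip_network(n) for n in nets)


def anti_spoof_verdict(iface, src, ttl, extended_cluster=True):
    """Return ("accept" | "drop", reason) for a packet with source src and the
    given TTL arriving on iface.  extended_cluster mirrors the
    'Enable Extended Cluster Anti-Spoofing' option."""
    if iface in INTERNAL_TOPOLOGY:
        if _in_any(src, INTERNAL_TOPOLOGY[iface]):
            return "accept", "source lies behind this interface"
        return "drop", "source does not belong to this interface's topology"
    if iface != EXTERNAL_IFACE:
        return "drop", "unknown interface"
    if _in_any(src, CLUSTER_MEMBERS):
        if not extended_cluster:
            return "accept", "member address, extended check disabled (spoofable)"
        # A genuine member-to-member packet still carries TTL 255; anything that
        # came in from the Internet has been decremented by at least one router.
        if ttl == MEMBER_TTL:
            return "accept", "member-to-member packet, TTL 255"
        return "drop", "member address with decremented TTL: spoofed from outside"
    every_internal = [n for nets in INTERNAL_TOPOLOGY.values() for n in nets]
    if _in_any(src, every_internal):
        return "drop", "internal source arriving on the external interface"
    return "accept", "external source on the external interface"


if __name__ == "__main__":
    samples = [("eth0", "203.0.113.3", 255), ("eth0", "203.0.113.3", 61),
               ("eth0", "10.1.5.5", 64), ("eth1", "10.1.5.5", 64),
               ("eth1", "10.2.5.5", 64), ("eth0", "198.51.100.9", 52)]
    for iface, src, ttl in samples:
        action, why = anti_spoof_verdict(iface, src, ttl)
        print(f"{iface} src={src} ttl={ttl}: {action} ({why})")
```

The second sample is the attack the option exists for: a member address arriving from outside with a decremented TTL is dropped only while the extended check is enabled.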

Replace Address

Use this view to set limits on the optimizations SCM Server makes on addresses.

SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller or faster configurations. "Broadening" an address means that when your map contains permissions with addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission with the address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "By Address" in the Security Profile view, you can use the current view to put constraints on this optimization.

Replace Source
    This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.
    Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
    * Choice "by Netmaskable Network"
      SCM Server will attempt to replace the source IP addresses of the permissions managed by this PEP so that they can be represented by a netmask. You enter this netmask in the Source Network Netmask field, below.
    * Choice "by Any"
      SCM Server will replace the source IP addresses of the permissions that this PEP manages by Any.
    In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use them if you have another PEP with a tighter restriction on the same path.

Source Network Netmask
    Allows you to enter the netmask to apply to source permissions.

Restrict Source Replacement to Topology
    When used with the above option, restricts the enlargement to the address of the network from which each permission originates in your policy map.

Replace Destination
    This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.
    Note: if your permission includes logging, time or authorization actions, the optimization will not occur.
    * Choice "by Netmaskable Network"
      SCM Server will attempt to replace the destination IP addresses of the permissions managed by this PEP so that they can be represented by a netmask. You enter this netmask in the Destination Network Netmask field, below.
    * Choice "by Any"
      SCM Server will replace the destination IP addresses of the permissions that this PEP manages by Any.
    In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use them if you have another PEP with a tighter restriction on the same path.

Destination Network Netmask
    Allows you to enter the netmask to apply to destination permissions.

Restrict Destination Replacement to Topology
    When used with the "Replace Destination: by Netmaskable Network" option, restricts the enlargement to the address of the network where each permission terminates in your policy map.

Replace Service

Use this view to set limits on the optimizations SCM Server makes on services.

SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "By Service" in the Security Profile view, you can use the current view to put constraints on this optimization.

Replace Service
    This is an optimization that enlarges the service of a permission. For example, an http and an ftp permission may be enlarged to tcp. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.
    * Choice "No *"
      Services are not enlarged. This choice maintains the highest level of security.
    * Choice "by TCP"
      Replaces TCP-based permissions (for example http, ftp) by a single permit TCP permission on any port.
    * Choice "by UDP"
      Replaces UDP-based permissions by a single permit UDP permission on any port.
    * Choice "by TCP and UDP"
      Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions. A TCP-based permission is replaced by two permissions, a permit TCP and a permit UDP; a UDP-based permission is likewise replaced by a permit TCP and a permit UDP.
    * Choice "by IP"
      Replaces permissions by IP (any protocol).
    * Choice "by Any"
      Replaces all permissions by Any.
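The following is an added example, not code from this manual or from SCM, covering both the Replace Address and the Replace Service views above: it applies the source netmask (with and without the Restrict to Topology option) and each Replace Service mode to a constructed permission, and counts how many addresses the broadened rule permits that the policy never named. The service table, the permission, the netmask and the topology network are assumptions made for the example; the manual only states that the topology option restricts the enlargement, so using the originating topology network as the replacement is this model's reading of it.

```python
"""Added example, not LogLogic/SCM code: a model of the Replace Address and
Replace Service broadening options, measuring how much address and port space
each setting permits beyond the original permissions.  Service names, the
sample permission, the netmask and the topology network are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network, collapse_addresses

# Constructed service table: name -> (protocol, port); None means "any port".
SERVICES = {"http": ("tcp", 80), "ftp": ("tcp", 21), "dns": ("udp", 53), "ping": ("icmp", None)}
ANY_PORT = None


@dataclass
class Permission:
    sources: list          # host addresses, e.g. "10.10.1.1"
    services: list         # names from SERVICES
    logged: bool = False   # logging, time or authorization actions block the optimization


def broaden_sources(perm, netmask, topology=None):
    """'by Netmaskable Network': apply the Source Network Netmask to each source.
    With 'Restrict Source Replacement to Topology' (topology = list of network
    strings), each source is replaced by the topology network it originates from
    instead of by the netmask (an assumption of this model).  Returns collapsed networks."""
    if perm.logged:  # manual: no optimization when the permission has log/time/auth actions
        return [ip_network(s) for s in perm.sources]
    nets = []
    for src in perm.sources:
        host = ip_network(src)
        if topology is not None:
            home = next((t for t in map(ip_network, topology) if host.subnet_of(t)), None)
            nets.append(home if home is not None else host)
        else:
            nets.append(ip_network(f"{src}/{netmask}", strict=False))
    return list(collapse_addresses(nets))


def extra_addresses(perm, nets):
    """Addresses permitted by the broadened networks that the policy never named."""
    return sum(n.num_addresses for n in nets) - len(set(perm.sources))


def broaden_services(perm, mode):
    """Replace Service modes as the manual describes them."""
    if perm.logged or mode == "No":
        return {SERVICES[s] for s in perm.services}
    out = set()
    for name in perm.services:
        proto, port = SERVICES[name]
        if mode == "by Any":
            out.add(("any", ANY_PORT))
        elif mode == "by IP":
            out.add(("ip", ANY_PORT))
        elif mode == "by TCP and UDP" and proto in ("tcp", "udp"):
            out.update({("tcp", ANY_PORT), ("udp", ANY_PORT)})  # two permits per permission
        elif mode == "by TCP" and proto == "tcp":
            out.add(("tcp", ANY_PORT))
        elif mode == "by UDP" and proto == "udp":
            out.add(("udp", ANY_PORT))
        else:
            out.add((proto, port))  # not covered by this mode: left as it was
    return out


if __name__ == "__main__":
    perm = Permission(["10.10.1.1", "10.10.2.2"], ["http", "ftp", "dns"])
    for label, nets in [("netmask /16", broaden_sources(perm, 16)),
                        ("restricted to topology 10.10.0.0/22", broaden_sources(perm, 16, ["10.10.0.0/22"]))]:
        print(f"{label}: {[str(n) for n in nets]} -> {extra_addresses(perm, nets)} extra addresses")
    for mode in ("No", "by TCP", "by TCP and UDP", "by Any"):
        print(f"{mode}: {sorted(broaden_services(perm, mode), key=str)}")
```

Run as is, the two hosts become 10.10.0.0/16 (65534 addresses the policy never mentioned) under a /16 netmask, and 10.10.0.0/22 (1022 extra) when the replacement is restricted to the topology network they come from; "by TCP and UDP" turns the three named services into a permit for every TCP and every UDP port.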

13.2.2. Authentication

This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.

Enabled Authentication Schemes

Use this view to enable the different types of authentication servers with which the PEP may communicate.

S/Key
    Indicates whether the PEP will prompt the user for an S/Key one-time password during authentication (not on NG AI).

VPN-1 and FireWall-1 Password
    Indicates whether the PEP will prompt the user for his or her internal Check Point(TM) FireWall-1(R) password during authentication.

SecurID
    Indicates whether the PEP will prompt the user for the number shown on the SecurID card during authentication.

RADIUS
    Indicates whether the PEP will prompt the user to answer the RADIUS challenge during authentication. The challenge is defined on a RADIUS server.

TACACS
    Indicates whether the PEP will prompt the user to answer the TACACS challenge during authentication. The challenge is defined on a TACACS or TACACS+ server.

OS Password
    Indicates whether the PEP will prompt the user for his or her operating system password during authentication.

For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.

Authentication Settings

Use this view to configure how the PEP behaves during authentication sessions.

Check Point(TM) FireWall-1(R) NG Cluster properties: General options: Authentication: Authentication settings view.

User Authentication Session Timeout (min)
    Indicates the number of minutes after which the PEP closes the authentication session.

Enable wait mode for Client Authentication
    When the user opens an authentication session over telnet on port 259, this option indicates whether the PEP keeps the telnet session open for as long as the authentication session is open.
    If you select this option, the PEP closes the authentication session when the telnet session closes.
    If you do not select this option, the PEP closes the telnet session once the user signs on, and the user must reopen the telnet session to sign off.

Authentication Failure Track
    Indicates how the PEP will react to errors during authentication.
    * Choice "None *"
      Errors are not tracked.
    * Choice "Log"
      The PEP will log errors.
    * Choice "Popup Alert"
      The PEP will open a popup window; you define the popup alert once in the Check Point(TM) FireWall-1(R) Global Properties window and afterwards reference it from SCM Server.
    * Choice "Mail Alert"
      The PEP will send an email about the error.
    * Choice "SNMP Trap Alert"
      The PEP will send an SNMP trap.
    * Choice "User defined alert no. n"
      The PEP will send a user-defined alert; you define alerts once using the Check Point(TM) FireWall-1(R) software and afterwards reference them from SCM Server.

For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.

HTTP Security Server

Use this view to configure how the PEP communicates with its associated HTTP Security Server.

Use Next Proxy
    Indicates whether there is an HTTP proxy server behind the Check Point(TM) FireWall-1(R) HTTP Security Server.

HTTP Next Proxy
    The host name and port number of that HTTP proxy server.

For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.

13.3. Cluster Options

Use this view to configure the capabilities of a cluster.

Cluster XL Enabled
    Select the ClusterXL feature if you are not using a 3rd-party application to handle clustering.

13.3.1. Availability Parameters

Use this view to configure the way in which the cluster members will assure availability.

Operating Mode
    * Choice "High Availability *"
      One member is active and the other members stand by as backups at all times.
    * Choice "Load Sharing"
      Expands the performance capability of VPN deployments by distributing traffic between multiple gateways. Up to five gateways may be added to a cluster.

3rd Party Solution
    Use this option to select the 3rd-party solution that will perform the clustering.

Support non-sticky connections
    Use this option to indicate whether the synchronization mechanism must identify non-sticky connections. Non-sticky connections are those whose packets do not pass through the same cluster member on their way in and out of the cluster. Activate this option when your 3rd-party clustering solution does not support non-sticky connections.
    * Choice "No *"
      The cluster's synchronization mechanism will not recognize non-sticky connections. Use this option if your 3rd-party clustering solution supports non-sticky connections.
    * Choice "Yes"
      The cluster's synchronization mechanism will recognize non-sticky connections. Use this option if your 3rd-party clustering solution does not support non-sticky connections.

Hide Cluster Member's outgoing traffic behind the Cluster's IP Address
    Use this option to indicate whether the source IP address of outgoing packets will be the external virtual IP address of the cluster instead of the physical IP address of the cluster member.

Forward Cluster's incoming traffic to Cluster Member's IP Addresses
    Use this option to indicate whether the destination IP address of an incoming connection to the external virtual address of the cluster will be replaced with the physical external address of one of the cluster members.

High Availability Mode
    Indicates the cluster's High Availability mode. See the Check Point documentation about ClusterXL High Availability for a description of the High Availability modes.

Upon Gateway Recovery
    Indicates what the cluster will do when its active PEP recovers after a secondary PEP has already taken its place.
    * Choice "Maintain Active *"
      The secondary PEP remains active, even though the primary PEP has recovered.
    * Choice "Switch to Higher Priority"
      The cluster gives the active role back to the primary PEP.

Load Sharing
    Indicates how the cluster will distribute traffic among the cluster members.
    * Choice "Multicast Mode"
      The cluster distributes traffic using multicast.
    * Choice "Unicast Mode"
      The cluster distributes traffic to each cluster member individually. This mode is useful if some cluster member PEPs do not support multicast.

Base Shared Method
    Indicates how the cluster decides how to share packets among the cluster members.
    * Choice "IPs, Ports, SPIs *"
      The cluster distributes packets based on IP addresses, ports and IPSec SPIs.
    * Choice "IPs, Ports"
      The cluster distributes packets based on IP addresses and ports only. This increases the chance that the inbound and outbound directions of a connection use the same cluster member.
    * Choice "IPs"
      The cluster distributes packets based on IP addresses only. This yields the highest chance that the inbound and outbound directions of a connection use the same cluster member.
    See the Check Point(TM) documentation on Advanced Load Sharing Configuration for more information.

Fail Over Tracking
    Lets you select how the cluster will track failover events.
    * Choice "None"
      The cluster will not track failover events.
    * Choice "Log *"
      The cluster will enter failover events in its SmartView Tracker log.
    * Choice "Alert"
      The cluster will open a popup window upon failover.
    * Choice "Mail"
      The cluster will send an email upon failover. You can specify the recipient's address in Check Point SmartDashboard, in the Policy > Global Properties > Log and Alert > Alert Commands view.
    * Choice "SNMP Trap"
      The cluster will send an SNMP trap upon failover.
    * Choice "User Alert"
      The cluster will execute a user-defined script upon failover. You can define this script in Check Point SmartDashboard, in the Policy > Global Properties > Log and Alert > Alert Commands view.
    * Choice "User Alert 2"
      The cluster will execute a second user-defined script upon failover.
    * Choice "User Alert 3"
      The cluster will execute a third user-defined script upon failover.

13.3.2. Synchronization

Use this view to manage how the cluster keeps its PEPs synchronized.

Use State Synchronization
    Indicates whether the cluster will use state synchronization. State synchronization coordinates state information about packets travelling through different PEPs in the cluster. You cannot change this option if you have set Cluster Options > Availability Parameters > Operating Mode to "Load Sharing", which requires it.
    If you have set Cluster Options > Availability Parameters > Operating Mode to "High Availability", you can choose to turn off state synchronization; in this case established connections are lost upon failover.

Synchronization Networks

Use this view to manage the networks the cluster uses to keep its member PEPs synchronized.

13.4. Policy Learning Mode

Use this view to change the policy of a device and open it sufficiently to guarantee that the flows will pass until the security team has completed policy discovery.

Enable Policy Learning Mode
    * Choice "Yes"
      Policy Learning Mode is enabled.
    * Choice "No *"
      Policy Learning Mode is disabled.

Log Level for Allow Rule
    * Choice "None *"
      Disables logging.
    * Choice "Default"
      Triggers the logging of any IP packet matching the default policy, at the default log level of the current PEP type.
    Note: Some PEPs allow selection of different log levels.

13.5. Common Interface Options

Use this view to manage options that are common to all the PEP's interfaces.

Generate ICMP Error Message
    * Choice "Yes"
      Sets the error option for all interfaces on the PEP. This option triggers the transmission of an ICMP unreachable error message for any IP packet that is not authorized by the filters. This action is carried out for both incoming and outgoing interface traffic.
    * Choice "No *"
      The error option is not set; no ICMP error message is sent for unauthorized packets.

Log Level for the Default Rule
    Sets the log level for the default rule for all interfaces on the PEP. This option will not show packets dropped by a specific deny. To see that information, you must set the Log option in the Permission Properties window: Log view, or on the interface concerned.
    * Choice "None *"
      Disables logging.
    * Choice "Default"
      Triggers the logging of any IP packet matching the default policy, at the default log level of the current PEP type.
    Note: Some PEPs allow selection of different log levels.

Application Point
    * Choice "Incoming *"
      The filters will be generated for the packets entering the interface.
    * Choice "Outgoing"
      The filters will be generated for the packets leaving the interface.
    * Choice "Both Directions if Possible"
      SCM Server will choose the application point with respect to the PEP capabilities and the PEP option settings.

Allow Forwarding
    Indicates whether this device will perform forwarding. Enable this option to allow the device to forward packets.

13.6. Interface Options

Use this view to manage the options for a single interface.

Upload Target
    * Choice "Yes *"
      The selected interface will be used for uploading filter files.
    * Choice "No"
      The selected interface is not to be used for uploading filter files.

Interface Type
    Indicates whether the interface's purpose is to filter or to sniff packets.
    * Choice "Filtering Interface"
      The interface only does packet filtering.
    * Choice "Sensor"
      The interface only does packet sniffing.
    * Choice "Sensor + Filtering Interface"
      The interface does both.

Is Loopback Interface
    Specifies whether this interface is a "loopback" interface. A loopback is a special type of interface used to represent a virtual range of IP addresses. This may be useful, for example, when your device is connected to the Internet through two redundant ISPs: the loopback interface can be used to accept outside connections, which it then routes to one of the real interfaces.
    Note: SCM Server will not allow you to connect a loopback interface to any object.

Policy Learning Mode
    * Choice "Yes"
      Policy Learning Mode is enabled on this interface.
    * Choice "No *"
      Policy Learning Mode is disabled on this interface.

Log Level for Deny Rules
    * Choice "None *"
      Disables logging.
    * Choice "Default"
      Triggers the logging of any IP packet matching a deny rule, at the default log level of each PEP type.

Managed
    * Choice "Yes *"
      Filters will be produced for this interface and the configuration of the interface will be managed by SCM Server.
    * Choice "No"
      No filters will be produced for this interface and the configuration of the interface will not be managed by SCM Server.

Allow Forwarding
    Indicates whether this interface will perform forwarding. Enable this option to allow the interface to forward packets.

Application Point
    * Choice "Incoming *"
      Only incoming filters will be applied.
    * Choice "Outgoing"
      Only outgoing filters will be applied.
    * Choice "Device Default"
      Incoming/outgoing filters are applied according to the value specified in the Interfaces: Options View.
    * Choice "Both Directions if Possible"
      SCM Server will choose the application point according to the PEP capabilities and the PEP option settings.

Interface is external (leads out to the Internet)
    Specifies that the interface leads to the Internet. IP addresses behind this interface will not be counted in the license enforcement.

13.6.1. Security Profile

Use this view to select the level of security on this interface. By default, the interface's profile is set to maximum security.

Common Security Parameters

Use this view to configure common security parameters for this interface.

Disable Filtering
    * Choice "Device Default *"
      Uses the value set in the General Options: Security Profile: Common Security Parameters view.
    * Choice "No"
      SCM Server will generate filters for this interface.
    * Choice "Yes"
      SCM Server will generate a "permit any any" rule on this interface. By disabling the filtering on one or several interfaces, you create a rule that permits all flows, which reduces the level of security but improves performance.
    Note: This option does not disable the "Securing PEP" and "Anti-Spoofing" filters. To disable those filters as well:
    - choose "No" in the "Generate Anti-Spoofing" option;
    - in the General Options: Security Profile: Common Security Parameters view, set the "'Securing PEP' rules" option to "No".

Generate Anti-Spoofing
    Lets you choose whether the PEP or SCM Server should generate anti-spoofing rules.
    * Choice "Yes *"
      The PEP will generate anti-spoofing rules.
    * Choice "No"
      The PEP will not generate anti-spoofing rules.
    * Choice "Unmanaged"
      Takes the computed anti-spoofing into account, but does not generate the related configuration, so that the anti-spoofing defined on the SmartCenter is not changed by the upload.

Spoof Tracking
    Indicates whether the Check Point anti-spoofing tracking option (in the Interface Properties) should be activated, and how information about spoofed connections should be logged.
    * Choice "None *"
    * Choice "Log"
    * Choice "Alert"
    * Choice "Disabled"
      Disables the anti-spoofing option.

Replace Address

Use this view to set a limit the optimizations SCM Server makes on addresses, on a single interfaceonly.

SCM Server can "broaden" the allowed addresses on permissions in order to generate smaller orfaster configurations. "Broadening" an address means that when your map contains permissionswith addresses 10.10.1.1 and 10.10.2.2, for example, SCM Server will generate one permission withthe address 10.10.*. If you have enabled this behavior by setting the "Broad Filtering" option to "OnAddress" in the General Options > Security Profile view, you can use the current view to put con-straints on this optimization.

Option Description

Replace SourceThis is an optimization that allows you to generatefewer ACLs, but at the risk of reducing your securitylevel.

To use this option, you must enable the Broad Filter-ing option in the General Options: Security Profileview.

Note: if your permission includes logging, time or au-thorization actions, the optimization will not occur.

* Choice "by Netmaskable Network"

Indicates that SCM Server will attempt to replace thesource IP addresses of the permissions managed bythis interface such that the IP addresses can be repres-ented by a netmask. You can enter this netmask in theSource Network Netmask field, below.

* Choice "by Any"

Indicates that SCM Server will replace the source IP addresses of the permissions that this interface manages by Any.

In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Source Network Netmask: Allows you to enter the netmask to apply to source permissions.

Restrict Source Replacement to Topology: When used with the above option, this option will restrict the enlargement to the address of the network from which each permission originates, in your policy map.

Replace Destination: This is an optimization that allows you to generate fewer ACLs, but at the risk of reducing your security level.

To use this option, you must enable the Broad Filtering option in the General Options: Security Profile view.

Note: if your permission includes logging, time or authorization actions, the optimization will not occur.

* Choice "by Netmaskable Network"

Indicates that SCM Server will attempt to replace the destination IP addresses of the permissions managed by this interface such that the IP addresses can be represented by a netmask. You can enter this netmask in the Destination Network Netmask field, below.

* Choice "by Any"

Indicates that SCM Server will replace the destination IP addresses of the permissions that this interface manages by Any.

In most situations, these options mean that SCM Server will permit more addresses than your policy specifies. You should only use these options if you have another PEP with a tighter restriction on the same path.

Destination Network Netmask: Allows you to enter the netmask to apply to destination permissions.

Restrict Destination Replacement to Topology: When used with the "Enlarge Destination to Netmaskable Address" option, this option will restrict the enlargement to the address of the network where each permission terminates, in your policy map.

Replace Service

Use this view to limit the optimizations SCM Server makes on services, on a single interface only.

SCM Server can "broaden" the allowed services on permissions in order to generate smaller or faster configurations. "Broadening" a service means that when your map contains permissions for services FTP and HTTP, for example, SCM Server will generate one permission for the service TCP. If you have enabled this behavior by setting the "Broad Filtering" option to "On Service" in the General Options > Security Profile view, you can use the current view to put constraints on this optimization.

Option Description

Replace Service: This is an optimization that enlarges the service of a permission on one interface. For example, an http and an ftp permission may be enlarged to tcp. Since this optimization can reduce your security level, you should only use it if you have another PEP in the path that does not use this option.

* Choice "No *"

Will not enlarge services. This option maintains the highest level of security.

* Choice "by TCP"

Replaces TCP permissions by TCP.

* Choice "by UDP"

Replaces UDP permissions by UDP.

* Choice "by TCP and UDP"

Replaces all TCP-based or UDP-based permissions by TCP and UDP permissions.

A TCP-based permission will be replaced by two permissions: a permit TCP and a permit UDP. A UDP-based permission will also be replaced by two permissions: a permit TCP and a permit UDP.

* Choice "by IP"

Replaces permissions by IP.

* Choice "by Any"

Replaces all permissions by Any.
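The address broadening described under Replace Address and the service broadening described under Replace Service, modelled as an added example (my code, not part of the SCM product or this manual) so that the widening of a generated permission relative to the policy can be measured before deciding whether a tighter PEP on the path justifies it. The SERVICE_PROTOCOL table, the Permission class and the optimize function are constructed assumptions, not SCM internals.

```python
"""Added example, not SCM product code: model the Replace Address / Replace
Service broadening so the widening relative to the policy can be measured."""
from dataclasses import dataclass
from ipaddress import IPv4Network, collapse_addresses, ip_network
from typing import List, Optional

# Constructed service-to-protocol table; only the services used below.
SERVICE_PROTOCOL = {"ftp": "tcp", "http": "tcp", "telnet": "tcp",
                    "dns": "udp", "ntp": "udp"}


@dataclass
class Permission:
    """One policy permission on an interface (hypothetical model)."""
    sources: List[str]
    services: List[str]
    logged: bool = False         # logging action: optimization must not occur
    time_limited: bool = False   # time action: optimization must not occur
    authenticated: bool = False  # authorization action: optimization must not occur

    def optimizable(self) -> bool:
        return not (self.logged or self.time_limited or self.authenticated)


def broaden_addresses(addresses: List[str],
                      netmask_prefix: Optional[int] = None) -> IPv4Network:
    """'by Netmaskable Network': the smallest block expressible with one netmask
    that covers every listed address. If a Source/Destination Network Netmask
    prefix length is given, the block is widened to that prefix instead."""
    nets = [ip_network(a, strict=False) for a in addresses]
    if not nets:
        raise ValueError("no addresses to broaden")
    block = nets[0]
    # Shorten the prefix one bit at a time until every address fits.
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()
    if netmask_prefix is not None:
        if netmask_prefix > block.prefixlen:
            raise ValueError(
                f"/{netmask_prefix} cannot hold all addresses; /{block.prefixlen} is needed")
        if netmask_prefix < block.prefixlen:
            block = block.supernet(new_prefix=netmask_prefix)
    return block


def extra_addresses(addresses: List[str], block: IPv4Network) -> int:
    """Number of addresses the broadened block permits beyond those the policy
    listed: the figure to weigh against a tighter PEP elsewhere on the path."""
    listed = sum(n.num_addresses for n in
                 collapse_addresses(ip_network(a, strict=False) for a in addresses))
    return block.num_addresses - listed


def broaden_services(services: List[str], mode: str) -> List[str]:
    """Model the 'Replace Service' choices: No, by TCP, by UDP, by TCP and UDP,
    by IP, by Any. Services outside the chosen protocol are left unchanged."""
    if mode == "No":
        return sorted(set(services))
    if mode == "by IP":
        return ["ip"]
    if mode == "by Any":
        return ["any"]
    if mode not in ("by TCP", "by UDP", "by TCP and UDP"):
        raise ValueError(f"unknown Replace Service choice: {mode}")
    out = set()
    for svc in services:
        proto = SERVICE_PROTOCOL[svc]
        if mode == "by TCP and UDP":
            out.update(("tcp", "udp"))   # one permission becomes permit tcp + permit udp
        elif (mode, proto) in (("by TCP", "tcp"), ("by UDP", "udp")):
            out.add(proto)
        else:
            out.add(svc)
    return sorted(out)


def optimize(perm: Permission, address_mode: str, service_mode: str,
             netmask_prefix: Optional[int] = None) -> Permission:
    """Apply both optimizations to one permission. Permissions carrying logging,
    time or authorization actions are returned untouched, as the manual states."""
    if not perm.optimizable():
        return perm
    if address_mode == "by Any":
        sources = ["0.0.0.0/0"]
    elif address_mode == "by Netmaskable Network":
        sources = [str(broaden_addresses(perm.sources, netmask_prefix))]
    else:
        sources = list(perm.sources)
    return Permission(sources, broaden_services(perm.services, service_mode),
                      perm.logged, perm.time_limited, perm.authenticated)


if __name__ == "__main__":
    # Constructed policy: the manual's own 10.10.1.1 / 10.10.2.2 and FTP / HTTP case.
    policy = Permission(["10.10.1.1", "10.10.2.2"], ["ftp", "http"])
    generated = optimize(policy, "by Netmaskable Network", "by TCP")
    widened = broaden_addresses(policy.sources)
    print(generated.sources, generated.services,
          extra_addresses(policy.sources, widened), "extra addresses permitted")
```

The smallest netmaskable block covering the manual's two addresses is 10.10.0.0/22 (1022 addresses beyond the two listed); entering a /16 in the Source Network Netmask field widens it to the 10.10.* block the manual illustrates.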

13.6.2. IP Addresses

Use this view to set the interface's IP addresses.

Static IP Addresses

Use this section to configure the interface's static IP addresses.

Option Description

Interface IP Addresses: Specifies the static IP address of the interface.

Dynamic Addresses Pool

Use this section to configure the interface's dynamic IP addresses.

Option Description

Dynamic Addresses Pool: Specifies the pool of IP addresses from which the interface will get its IP address.

IP Addresses

Use this view to configure the interface's IP addresses.

Option Description

Use Dynamic Addresses: Specifies whether this interface will have static or dynamic IP addresses.

Dynamic Addresses from: Indicates the range from which the PEP can pick an IP address to assign to the interface.

* Choice "Network"

The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.

* Choice "Any"

The PEP can assign any IP address to the interface.

* Choice "User defined pool"

The PEP can assign any address from the pool that you define in the Interface View.

DHCP Server: Indicates the range from which the PEP can pick an IP address to assign to the interface.

* Choice "Network"

The PEP can assign any IP address contained in the interface's attached network. You must have connected the interface to a network on the workspace in order to pick this option.

* Choice "Any"

The PEP can assign any IP address to the interface.

* Choice "User defined pool"

The PEP can assign any address from the pool that you define in the Interface View.

Resolve IP Address Using: When you use dynamic interface addresses, this option indicates how SCM Server will resolve the interface's address when it is uploading the PEP's configuration.

* Choice "PEP FQDN"

To resolve the address, SCM Server will contact the DNS server that you specified in the FQDN field of the "PEP Properties>General" Options View.

* Choice "Interface Specific FQDN"

To resolve the address, SCM Server will contact the DNS server that you specify in the "Specify Interface FQDN" option below.

* Choice "Prompt IP Address"

SCM Server will prompt the user for the interface's IP address at the moment of upload.

Interface FQDN: Enter the fully qualified domain name of the DNS server that SCM Server will contact to resolve this interface's IP address.

13.7. VPN Options

Use this view to configure the main cryptographic characteristics of a VPN tunnel.

Option Description

NULL Encryption Enabled: Indicates if the NULL algorithm is enabled.

DES Encryption Enabled: Indicates if this algorithm is enabled.

3DES Encryption Enabled: Indicates if this algorithm is enabled.

CAST Encryption Enabled: Indicates if this algorithm is enabled.

AES-128 Encryption Enabled: Indicates if this algorithm is enabled.

AES-256 Encryption Enabled: Indicates if this algorithm is enabled.

13.7.1. IKE Capabilities

Use this view to consult a VPN's IKE capabilities.

Option Description

Maximum Proposals Allowed: Indicates the maximum number of IKE proposals before the device considers the key exchange failed.

Minimum Lifetime (seconds): Indicates the minimum lifetime of the exchanged keys.

Maximum Lifetime (seconds): Indicates the maximum lifetime of the exchanged keys.

Pre-Shared Key Method Enabled: Indicates that the pre-shared key method is enabled when the device performs key exchange.

RSA Sig Key Method Enabled: Indicates that the RSA-Signature method is enabled when the device performs key exchange.

SHA-1 Hash Enabled: Indicates that the SHA-1 algorithm is enabled when the device performs key exchange.

MD5 Hash Enabled: Indicates that the MD5 algorithm is enabled when the device performs key exchange.

DH Group 1 Enabled: Indicates that the Diffie-Hellman group 1 is enabled when the device performs key exchange.

DH Group 2 Enabled: Indicates that the Diffie-Hellman group 2 is enabled when the device performs key exchange.

DH Group 5 Enabled: Indicates that the Diffie-Hellman group 5 is enabled when the device performs key exchange.

13.7.2. IPSec Capabilities

Use this view to consult a VPN's IPSec capabilities.

Option Description

Maximum Proposals Allowed: Indicates the maximum number of IPSec proposals before the device considers the authentication failed.

Minimum Lifetime (seconds): Indicates the minimum lifetime of the IPSec session.

Maximum Lifetime (seconds): Indicates the maximum lifetime of the IPSec session.

HMAC-SHA-1 Authentication Enabled: Indicates that the HMAC-SHA-1 algorithm is enabled when the device performs IPSec authentication.

HMAC-MD5 Authentication Enabled: Indicates that the HMAC-MD5 algorithm is enabled when the device performs IPSec authentication.

AH Protocol Enabled: Indicates that the AH protocol is enabled when the device performs IPSec authentication.

ESP Protocol Enabled: Indicates that the ESP protocol is enabled when the device performs IPSec authentication.

Deflate Compression Enabled: Indicates that the Deflate compression algorithm is enabled when the device performs IPSec authentication.

13.7.3. Remote Access VPN

Use this view to configure the PEP's Remote Access VPN options.

Option Description

User Group Global Pool Lease Time (minutes): Enter the time, in seconds, that the Remote Access client will use its assigned IP address. When this time elapses, the client will request a new address from the PEP. The default value 600 equals 15 minutes.

Set Optional Office Mode Parameters: Allows you to set additional options for the user group pool, such as DNS and WINS addresses.

Primary DNS: Enter the address of the primary DNS server for the remote users.

First Backup DNS: Enter the address of the first backup DNS server for the remote users.

Second Backup DNS: Enter the address of the secondary backup DNS server for the remote users.

Primary WINS: Enter the address of the primary WINS server for the remote users.

First Backup WINS: Enter the address of the first backup WINS server for the remote users.

Second Backup WINS: Enter the address of the secondary backup WINS server for the remote users.

Domain Name: Enter the domain name of the remote users. This should match your internal network's domain.

Perform an organized shutdown of tunnels upon gateway restart: Allows the PEP to keep an authentication session open with a remote access VPN client even if the PEP restarts.

Perform anti-spoofing on pool addresses: Indicates that the PEP will perform anti-spoofing on all pool addresses.

Support connectivity enhancement for gateways with multiple external interfaces: Allows the PEP to resolve traffic from one Remote Access client to another. If your PEP has only one external interface, you should disable this option to get better performance. If your PEP has multiple interfaces, you should enable this option to allow different remote users to communicate.

13.8. Tunnel Peer Options

This view lets you configure one of the tunnel endpoints.

On client-to-gateway tunnels, this view lets you configure the mapped user group's IP address pool.

On GRE tunnels, you can use this view to configure how the PEP sets up the tunnel IP addresses.

Option Description

Generate Static Routing:

* Choice "Yes"

Indicates that SCM Server will generate the routing for the tunnel. This may conflict with pre-existing routing that you entered on the device.

* Choice "No *"

Does not generate routing for the tunnel. Use this option if you have pre-existing routing on the device.

* Choice "Comment"

SCM Server generates the routing in the .app file, but the rules are commented out. Use this option if you want to verify the rules before uploading them.

Auto Generate Tunnel IP Address: Indicates if SCM Server will automatically choose an IP address for the tunnel interfaces.

You can choose the range SCM Server will use for these addresses in the Properties for the Current Policy > GRE Parameters for Automation > Tunnel interfaces IP address ranges view.

IP Address: Lets you manually enter an IP address for the tunnel.

Netmask: For information: this is the netmask SCM Server uses to construct the networks for the interfaces on GRE tunnels.

Support NAT-Traversal: Lets the VPN client connect to the server PEP via UDP through a firewall or router using NAT.

NAT-Traversal Service: Defines the service to use if you allow IPSec over UDP.

Tunnel: Lets you choose whether to use split-tunneling.

* Choice "Only Trust Zone *"

If you choose this option, the remote user will not go through the tunnel when he/she accesses an address outside the tunnel's trust zone. You can define this trust zone; see the documentation on the Zone Editor in the Security Change Manager Designer User Guide for more information.

* Choice "Everything"

Choose this option to force all traffic through the tunnel. For example, the remote users will have to go through the tunnel to surf the internet.

* Choice "Everything except local addresses"

Choose this option to allow addresses on the remote user's local network to pass outside the tunnel. For example, this option lets the remote user access his or her local printer without passing through the VPN.

13.8.1. Interface

Use this view to select the interfaces to which the tunnel can connect.

Option Description

Interface: Use this view to select the interfaces to which the tunnel can connect.

13.9. Authentication User Definition

Use this view to manage the list of PEPs that will authenticate users of this permission. Add an item to the tree list to see the configurable views.

Option Description

Type:

* Choice "Client Auth *"

Indicates that the PEP will authenticate each user with a specific IP address who attempts to make this connection. If two users connect from the same IP address, the PEP will only authenticate once.

* Choice "Session Auth"

Indicates that the PEP will authenticate each service over which a user attempts to make this connection. The PEP intercepts each connection and activates a session authentication agent to get the user's password. The agent may run on the source, the destination, or another host.

* Choice "User Auth"

Works for FTP, HTTP, RLOGIN and TELNET. This option indicates that the PEP will authenticate each user who attempts to make this connection, regardless of the user's IP address. The authentication method is built into these protocols.

HTTP Servers: If you choose User Auth, you can restrict users to a set of HTTP servers.

* Choice "All *"

Indicates that the PEP will not restrict user access to any HTTP servers.

* Choice "Predefined"

Indicates that the PEP will restrict user access to those servers that you defined in the Check Point(TM) FireWall-1(R) Management Server properties > General options > Security server > HTTP servers view.

Contact Agent At: Indicates where the authentication agent is located. The authentication agent is usually a piece of software that checks the user's login and password. The agent may reside either on the user's machine, or at a remote location. This option tells the PEP where to contact the authentication agent when validating a user's attempt to connect.

* Choice "Src *"

The PEP will contact the authentication agent at the permission's source.

* Choice "Dst"

The PEP will contact the authentication agent at the permission's destination.

* Choice "Host"

This option lets you choose a different PEP, which the authenticating PEP will contact when validating a user's connection.

This option applies to Session Authentication only.

See the Check Point(TM) FireWall-1(R) documentation on "Session Authentication" for more information.

PEP: Lets you choose the PEP on which the authentication agent is running.

This option applies to Session Authentication only.

Query User Identity from UserAuthority: Indicates that the PEP will contact UserAuthority to authenticate the user. To use this feature, you must have configured UserAuthority in your Check Point(TM) product.

See the Check Point(TM) documentation on UserAuthority for more information.

This option applies to Session Authentication only.

Apply Rule Only if Desktop Configuration Options are Verified: The PEP will verify that the SmartDashboard desktop is properly configured before applying the rule.

For more information on these and the following options, see the Check Point(TM) FireWall-1(R) reference documentation.

Required Sign On: Applies to Client Authentication only.

* Choice "Standard *"

When the user signs on, the PEP permits all services to all destination hosts.

* Choice "Specific"

The PEP forces the user to specify each service and destination host to which he or she wants to connect.

Sign On Method:

* Choice "Manual *"

The PEP will require the user to initiate the Client Authentication session over TELNET on port 259 or over HTTP on port 900.

* Choice "Partially automatic"

The PEP will require the user to initiate the Client Authentication session as above, unless the user requests an RLOGIN, TELNET, HTTP or FTP service.

* Choice "Fully automatic"

If the user connects over RLOGIN, TELNET, HTTP or FTP, the PEP will sign on the user through User Authentication. For other services, the PEP will sign on the user through Session Authentication.

* Choice "Agent automatic sign-on"

If the Session Authentication Agent is installed on the client, the PEP will sign on the user through the Session Authentication Agent.

* Choice "Single sign-on"

The PEP will verify the user name with the UAM server, before deciding whether to allow the connection to continue.

Successful Authentication Tracking:

* Choice "None *"

The PEP will not track the sign-on session.

* Choice "Log"

The PEP creates a log of the authentication session.

* Choice "Alert"

The PEP will launch the Authentication Alert command that you specify in the Check Point(TM) FireWall-1(R) SmartCenter Global Properties window.

Authorization Timeout: Indicates the amount of time that a user's connection will be available after he/she performs client authentication.

* Choice "Indefinite *"

The user's connection will be available until he/she explicitly signs off, or the administrator resets the firewall.

* Choice "Specific"

Lets you enter a specific timeout.

Hours: Lets you enter the number of hours that a client-authenticated connection will be available.

Minutes: Lets you enter the number of minutes that a client-authenticated connection will be available.

Refreshable Timeout: Indicates if the timeout countdown restarts upon each new connection.

For example, if connection #1 has already been up for 1 hour, and the user makes connection #2, the timeout will restart counting at zero.

Number of Sessions Allowed: Indicates the number of connections the user can make in a single client authentication session.

Number of Sessions: Lets you enter the number of sessions.

13.9.1. flowListIn

Option Description

mugpep1_flow

mugpep2_flow

13.9.2. flowListOut

Option Description

pepmug1_flow

pepmug2_flow

13.9.3. flowListExternal

Option Description

sessionAuth_flow


Chapter 14. FireWall-1 Management Server Properties Windows

14.1. Description ... 143
14.2. General Options ... 143
    14.2.1. Include Policy ... 144
    14.2.2. Security Server ... 144
        HTTP Servers ... 145
            HTTP Server ... 145
    14.2.3. Authentication ... 145
        Failed Authentication Attempts ... 145
        Authentication of Users with Certificates ... 146
        Early Versions Compatibility ... 146
    14.2.4. Local Security Policy ... 147
    14.2.5. VPN ... 149
        CRL Grace Period ... 149
        IKE Denial of Service protection ... 150
        Remote Access ... 150
            Certificates ... 151
            Secure Configuration Verification ... 152
    14.2.6. GTP Services ... 153
        GTP Service ... 153
    14.2.7. Import ... 154
14.3. Upload Configuration ... 155
    14.3.1. Connection Options ... 155
    14.3.2. Paths ... 156
    14.3.3. Authentication ... 156
    14.3.4. Prompts ... 157
    14.3.5. FireWall-1 Options ... 157

14.1. Description

Option Description

Note

14.2. General Options

Use this view to examine and modify general management server options.

Option Description

Generate Comments in Filters:

* Choice "Yes *"

Indicates to the compiler that it should include comments in the generated filtering files. This option makes it easier to read the generated filter files.

* Choice "No"

Comments are not included. This allows a reduction in the size of the filters.

Result in Case Hidden Rules are Detected: Indicates the type of message that SCM Server will generate if it encounters hidden rules.

Is the management server a Check Point GX?: Specifies whether the Management Server is a Check Point GX or not. Ticking the "Yes" radio button adds a "GTP Services" sub-node to the "General Options" node.

14.2.1. Include Policy

Use this view to specify the names of the FireWall-1(R) security policies to be included before and after generated rules.


Option Description

First Policy: Specifies the name of a security policy to be included before the generated rules.

Last Policy: Specifies the name of a security policy to be included after the generated rules.

14.2.2. Security Server

Use this view to enable the different types of authentication servers with which the PEP may communicate.

Option Description

Telnet Welcome Message File: The name of the file from which the PEP will get the welcome message for users connecting over telnet.

FTP Welcome Message File: The name of the file from which the PEP will get the welcome message for users connecting over FTP.

Rlogin Welcome Message File: The name of the file from which the PEP will get the welcome message for users connecting over rlogin.

Client Welcome Message File: The name of the file from which the PEP will get the welcome message for users who perform a manual sign-on to the authentication session.

SMTP Welcome Message File: The name of the file from which the PEP will get the welcome message for users connecting over SMTP.

HTTP Next Proxy: If there is an HTTP proxy server behind the Check Point(TM) FireWall-1(R) Security Server, this option lets you pick one.

* Choice "Select"

Lets you choose the HTTP proxy server from those defined in your policy map.

HTTP Servers

Use this view to configure how the PEP redirects connections to an HTTP security server.

HTTP Server

Option Description

Reauthentication:

* Choice "Standard *"

The PEP will not ask the user to reenter his/her password as long as the User Authentication Session Timeout has not expired. This value is specified in the PEP Properties > General Options > Authentication > Authentication Settings View.

* Choice "POST request"

The PEP will ask the user to reenter his/her password each time the user sends a request that may change the server's configuration. This option only has an effect on S/Key or SecurID passwords, which change continually.

* Choice "Every request"

The PEP will ask the user to reenter his/her password each time the user sends any request. This option only has an effect on S/Key or SecurID passwords, which change continually.

Host: The host name of the HTTP server.

Port: The HTTP server's port number.

Server For Null Request: Indicates if the PEP will convert addresses given as "http://<PEP-name>" to "/" before sending them to the HTTP server.

14.2.3. Authentication

This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.

Failed Authentication Attempts

Use this view to configure how the PEP behaves when users fail to authenticate.


Terminate rlogin Connection After (attempts): Indicates the number of times the user can fail to identify him/herself before the PEP will terminate an rlogin connection.

Terminate telnet Connection After (attempts): Indicates the number of times the user can fail to identify him/herself before the PEP will terminate a telnet connection.

Terminate Client Connection After (attempts): Indicates the number of times the user can fail to identify him/herself before the PEP will terminate the client authentication connection.

Terminate Session Connection After (attempts): Indicates the number of times the user can fail to identify him/herself before the PEP will terminate the session connection.

Authentication of Users with Certificates

Use this view to configure how the PEP will react to users who authenticate with certificates.

Option Description

Authenticates Internal Users With Suffix Only: Indicates if the PEP will only authenticate users who have a certain suffix in their certificate's qualified name.

Enter the suffix in the Suffix option on this view.

Users' certificates which were initiated but not pulled will expire after: All certificates not used in this number of days will expire.

Early Versions Compatibility

Use this view to configure the PEP's compatibility with earlier versions.

Option Description

User Authentication Session Timeout (min): This option has a different effect depending on the type of connection.

For rlogin, telnet and FTP, this option indicates the number of minutes of inactivity after which the PEP will close the connection. This is different from the option with the same name in the PEP properties > General options > Authentication > Authentication Settings View.

For HTTP, this option indicates the number of minutes after which the PEP closes the authentication session. This is equivalent to the option with the same name in the PEP properties > General options > Authentication > Authentication Settings View.

Enable wait mode for Client Authentication: If the user opens an authentication session over telnet on port 259, this option indicates if the PEP will keep the telnet session open during the time the authentication session is open.

If you select this option, the PEP will close the authentication session when the telnet session closes.

If you do not select this option, the PEP will close the telnet session once the user signs on, and the user will have to reopen the telnet session to sign off.

Authentication Failure Track: Indicates how the PEP will react to errors during authentication.

* Choice "None"

The PEP will not inform the user of errors.

* Choice "Log"

The PEP will log errors.

* Choice "Alert"

The PEP will open a popup window; you can define the popup alert once in the Check Point(TM) FireWall-1(R) software Global properties window, and afterwards use it in SCM Server.

14.2.4. Local Security Policy

Use this view to examine and modify the Local Security Policy. These properties link to the implicit rules that you can define through the properties menu of the FireWall-1(R) management server as described in the section "Create the Conceptual Level" in the Working with FireWall-1 Device Pack document.

Option Description

Log Implied Rules: Indicates whether implied rules are included in the log.

Accept VPN-1 & FireWall-1 Control Connections:

* Choice "First"

Enables FireWall-1(R) GUI Clients to communicate with the Management Server and specifies the position in the Rule Base for the implied rule.

* Choice "No"

Prevents FireWall-1(R) GUI Clients from communicating with the Management Server.

Accept Remote Access Control Connections:

* Choice "First *"

Accepts remote access control connections.

* Choice "No"

Disables accepting remote access control connections.

Accept RIP:

* Choice "No"

Specifies that Routing Information Protocol used by the routed daemon is not accepted.

* Choice "First/Last/Before Last"

Specifies that Routing Information Protocol used by the routed daemon is accepted and specifies the position in the Rule Base for the implied rule.

Accept Domain Name Over UDP (Queries):

* Choice "No"

Specifies that Domain Name queries over UDP are not accepted.

* Choice "First/Last/Before Last"

Specifies that Domain Name queries over UDP are accepted and specifies the position in the Rule Base for the implied rule.

Accept Domain Name Over TCP (Zone Transfer):

* Choice "No"

Specifies that Domain Name queries over TCP are not accepted.

* Choice "First/Last/Before Last"

Specifies that Domain Name queries over TCP are accepted and specifies the position in the Rule Base for the implied rule.

Accept ICMP:

* Choice "No"

Specifies that Internet Control Messages are not accepted.

* Choice "First/Last/Before Last"

Specifies that Internet Control Messages are accepted and specifies the position in the Rule Base for the implied rule.

Accept Outgoing Packets Originating From Gateway:

* Choice "No"

Specifies that outgoing packets (from the firewall, not from the internal network) are not accepted.

* Choice "First/Last/Before Last"

Specifies that all outgoing packets (from the firewall, not from the internal network) are accepted and specifies the position in the Rule Base for the implied rule.

Accept CPRID Connections (SmartUpdate):

* Choice "No"

Specifies that CPRID Connections are not accepted.

* Choice "First"

Specifies that they are accepted.

Accept Dynamic Address Modules' DHCP Traffic:

* Choice "No"

Specifies that Dynamic Address Module DHCP traffic is not accepted.

* Choice "First"

Specifies that it is accepted.

14.2.5. VPN

Use this view to examine and modify the Management Server VPN settings.

Option Description

Resolving Mechanism: VPN peers must select a particular interface if a PEP has more than one interface through which a VPN tunnel can be created. Use this option to choose the method the PEP will use to select this interface.

* Choice "Calculate Statically *"

According to the Gateway topology settings.

* Choice "Dynamic Interface Resolving"

By sending RDP packets to both interfaces and choosing the first to respond.

CRL Grace Period

Use this view to examine and modify the Management Server CRL Grace Period. This view allows you to set a buffer zone in case the Management Server's clock is not synchronized with the Certificate Authority server's clock.

Option Description

Grace period before the CRL is valid(seconds) Indicates how long before the validity time the Man-

agement Server will extend the expiration of theCRLs. Enter the grace period in seconds.

Grace period after the CRL is no longervalid (seconds) Indicates how long Management Server will extend

the expiration of the CRLs that it receives from theCertification Authority server. Enter the grace periodin seconds.

Grace period extension for SecuRemote/SecureClient (seconds) Indicates the additional time that the Management

Server will add to the CRL Grace Period when authen-ticating remote clients.
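An added example (not from the manual or the product) of how the three grace-period settings above widen the interval in which a CRL is accepted, using a constructed scenario in which the CA's clock runs five minutes ahead of the Management Server. It assumes the SecuRemote/SecureClient extension is added at both ends of the window; the page only says it is added to the grace period.

```python
from datetime import datetime, timedelta, timezone


def crl_window(this_update, next_update, grace_before_s, grace_after_s,
               remote_client=False, remote_ext_s=0):
    """Interval in which the Management Server still treats a CRL as usable.
    grace_before_s widens the start (CRL accepted ahead of its thisUpdate),
    grace_after_s widens the end (CRL kept after its nextUpdate), and for
    SecuRemote/SecureClient authentications remote_ext_s is added on top.
    Assumption: the extension widens both ends."""
    ext = remote_ext_s if remote_client else 0
    start = this_update - timedelta(seconds=grace_before_s + ext)
    end = next_update + timedelta(seconds=grace_after_s + ext)
    return start, end


def crl_status(now, this_update, next_update, grace_before_s, grace_after_s,
               remote_client=False, remote_ext_s=0):
    """'not-yet-valid', 'valid' or 'expired', from the Management Server's clock."""
    start, end = crl_window(this_update, next_update, grace_before_s, grace_after_s,
                            remote_client, remote_ext_s)
    if now < start:
        return "not-yet-valid"
    if now > end:
        return "expired"
    return "valid"


# Constructed scenario: the CA's clock is 5 minutes ahead of the Management Server.
CA_SKEW = timedelta(minutes=5)
MGMT_NOW = datetime(2010, 3, 1, 12, 0, tzinfo=timezone.utc)
THIS_UPDATE = MGMT_NOW + CA_SKEW                 # stamped by the CA's fast clock
NEXT_UPDATE = THIS_UPDATE + timedelta(hours=24)


def demo():
    # Without grace, a freshly fetched CRL is rejected because its thisUpdate
    # lies in the Management Server's future; 600 s of "before" grace absorbs the skew.
    rejected = crl_status(MGMT_NOW, THIS_UPDATE, NEXT_UPDATE, 0, 0)
    accepted = crl_status(MGMT_NOW, THIS_UPDATE, NEXT_UPDATE, 600, 0)
    # 40 minutes past nextUpdate: 1800 s of "after" grace is not enough, but the
    # extra 900 s granted to remote clients still covers it. Note that every second
    # of "after" grace is time during which a revocation published in the newer CRL
    # is not yet enforced, so keep these values as small as the clock skew allows.
    late = NEXT_UPDATE + timedelta(minutes=40)
    site = crl_status(late, THIS_UPDATE, NEXT_UPDATE, 600, 1800)
    remote = crl_status(late, THIS_UPDATE, NEXT_UPDATE, 600, 1800,
                        remote_client=True, remote_ext_s=900)
    return rejected, accepted, site, remote
```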


IKE Denial of Service protection

Use this view to examine and modify IKE Denial of Service Protection. See the "IKE DoS Protection" section in your Check Point(TM) documentation for more information.

Option Description

Support IKE DoS protection from identified source
Indicates how the PEP will respond to denial of service (DoS) attacks from valid IP addresses.
* Choice "None": The PEP will not defend against denial of service attacks.
* Choice "Stateless *": When the PEP thinks it is under a DoS attack, it sends a unique number to each IP that tried to initiate an IKE session. This choice is appropriate for DoS attacks from valid IP addresses.
* Choice "Puzzles": The PEP will send a computationally-intensive puzzle to each IP that tries to initiate an IKE session.

Support IKE DoS protection from unidentified source
Indicates how the PEP will respond to denial of service (DoS) attacks from unknown IP addresses.
* Choice "None": The PEP will not defend against denial of service attacks.
* Choice "Stateless": When the PEP thinks it is under a DoS attack, it sends a unique number to each IP that tried to initiate an IKE session.
* Choice "Puzzles *": The PEP will send a computationally-intensive puzzle to each IP that tries to initiate an IKE session. This choice is appropriate for DoS attacks from unknown IP addresses.
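To show what the "Stateless" and "Puzzles" choices buy a responder, here is an added model (constructed for this page, not Check Point's implementation) of both exchanges. The "unique number" is built as an HMAC over the initiator's address and SPI so the responder can verify it later without storing anything per initiator; "Puzzles" additionally demands a hash with a number of leading zero bits, which costs the initiator CPU before any IKE state is allocated. Class and function names are the example's own.

```python
import hashlib
import hmac
import os


def leading_zero_bits(digest):
    """Number of leading zero bits in a byte string."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


class IkeDosResponder:
    """Responder side. 'Stateless' hands each initiating IP a number it must echo;
    'Puzzles' also requires work. Both are checked from a secret alone, so no
    per-initiator state exists until the initiator proves it receives on that address."""

    def __init__(self, mode="Stateless", puzzle_bits=12):
        if mode not in ("None", "Stateless", "Puzzles"):
            raise ValueError(mode)
        self.mode = mode
        self.puzzle_bits = puzzle_bits
        self._secret = os.urandom(32)   # a real responder rotates this periodically

    def challenge(self, src_ip, initiator_spi):
        """The 'unique number' returned to an initiating IP: an HMAC over the
        initiator's address and SPI, recomputable later without storing it."""
        return hmac.new(self._secret, src_ip.encode() + initiator_spi,
                        hashlib.sha256).digest()[:16]

    def accept(self, src_ip, initiator_spi, challenge=None, solution=b""):
        """Decide whether to allocate IKE state for this initiator."""
        if self.mode == "None":
            return True
        expected = self.challenge(src_ip, initiator_spi)
        if challenge is None or not hmac.compare_digest(expected, challenge):
            return False   # nothing echoed, or a number issued to another address
        if self.mode == "Stateless":
            return True
        work = hashlib.sha256(challenge + solution).digest()
        return leading_zero_bits(work) >= self.puzzle_bits


def solve_puzzle(challenge, bits):
    """Initiator side: search for a counter whose hash with the challenge has the
    required leading zero bits (about 2**bits hashes on average)."""
    counter = 0
    while True:
        solution = counter.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha256(challenge + solution).digest()) >= bits:
            return solution
        counter += 1
```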

Remote Access

Use this view to examine and modify Management Server remote access.

Option Description

Support remote access VPN using Nokia clients
Indicates that the PEP will allow Nokia clients to participate in remote VPN connections.

When disconnected, traffic to the encryption domain will be
Indicates how traffic will be treated when the SecuRemote/SecureClient is not connected to the PEP.
* Choice "Dropped *": The traffic will be dropped.
* Choice "Sent in clear": The traffic will be sent in the clear.

Resolving Mechanism
Indicates how the remote client should choose the PEP interface over which to mount the tunnel.
* Choice "Calculate Statically *": The client will use the interface defined in the PEP's topology.
* Choice "Dynamic Interface Resolving": The client will send RDP packets to the available interfaces and mount the tunnel with the interface that responds first.

Update Topology
Indicates if the PEP will send the remote client updates of the topology behind the PEP. This allows the client to be aware of changes.

Authentication Timeout (min)
Indicates the amount of time that the remote client's password is valid. Enter a value in minutes.

Allow Caching of static passwords on client
Indicates if the remote client stores its password in cache after authenticating with the PEP. This is useful when the remote client uses the same password for multiple PEPs. If you set this option, the PEP will read the remote client's password directly from the client's cache rather than asking the user to enter it.

Enable tunnel refresh
Set this option to enable the PEP to re-initiate a tunnel that has already been authenticated, if the tunnel times out. This requires the remote client's details to be stored on all the devices between the PEP and the remote client.

Encrypt DNS traffic
Indicates if the remote client's DNS queries are sent through the tunnel.

Enable Hybrid Mode Authentication
Indicates if the PEP will allow other authentication schemes than those specified in this view.

Certificates

Use this view to configure how the Management Server handles user certificates.

Option Description

Client check gateway cert against CRL
Indicates if the remote client checks the Certificate Revocation List (CRL) upon validation.

Renew users internal CA certificates
Indicates if the Management Server's Internal Certificate Authority (ICA) will automatically re-issue certificates before they expire. The ICA's user certificates are valid for two years.

Renewal starting process delay
Enter the time before the certificate expiration date before which the ICA will re-issue a user's certificate. Enter a value in days.

Secure Configuration Verification

This view does not let you change any parameters. Expand this node in the tree list to see the configurable views.

Secure Configuration Options

Use this view to configure Secure Configuration Verification (SCV). SCV is a series of tests that the PEP performs on the remote client upon connection.

Option Description

Apply Secure Configuration Verifications on Simplified mode Security Policies
Indicates if the PEP will apply Secure Configuration Verification (SCV) on the remote client during connection time.

Upon verification failure
Indicates how the PEP will react if the remote client fails the Secure Configuration Verification test.
* Choice "Accept and log client's connection *": The PEP will accept the client's connection and log the failure. You can set how the failure will be logged in the Configuration Violation Notification view.
* Choice "Block client's connection": The PEP will deny the client's connection.

Policy is installed on all interfaces
Indicates if the PEP will check that the Desktop Security Policy is installed on all the interfaces of the remote client. See your Check Point(TM) product's documentation on Secure Configuration Verification (SCV) for more information.

Only TCP/IP protocols are used
Indicates if the PEP will check that the remote client only uses TCP/IP protocols.


Configuration Violation Notification

Use this view to set how the PEP will log the failure when a remote client fails the Secure Configuration Verification test.

Option Description

Generate log on client
Indicates if the failure will be logged on the remote client.

Notify the user
Indicates if the user will receive a notification.

14.2.6. GTP Services

Use this view to add GTP services that will allow you to configure GTP traffic inspection.

GTP Service

Option Description

GTP Service
Type in the name of the GTP Service.

GTP Service Name
Select an existing service to customize in a list displaying all customized GTP services.

GTP Version
Select the GTP version.
* Choice "GTP version 0"
* Choice "GTP version 1"

Match IMSI Prefix Name
* Choice "Any *"
* Choice "Custom": Tick this radio button to define a custom IMSI prefix (an "Allowed IMSI Prefix" free-form field will appear to let you do so).

Allowed IMSI Prefix
Type in your custom IMSI Prefix.

Match Access Point Name
* Choice "Any *"
* Choice "Custom": Tick this radio button to define a custom Access Point name (an "Allowed Access Point Name" free-form field will appear to let you do so).

Allowed Access Point Name
Type in your custom Access Point Name.

Allowed Selection Mode Name
* Choice "Any *"
* Choice "Custom": Tick this radio button to specify the Selection Mode.

Selection Mode
Use the pull-down menu to choose the Selection Mode.
* Choice "0 - verified *"
* Choice "1 - MS - not verified"
* Choice "2 - Network - not verified"

Match MS-ISDN Prefix Name
* Choice "Any"
* Choice "Custom": Tick this radio button to define a custom MS-ISDN Prefix Name (an "MS-ISDN Prefix Name" free-form field will appear to let you do so).

MS-ISDN Prefix Name
Type in your custom MS-ISDN Prefix Name.

Match LDAP Group Name
* Choice "Any"
* Choice "Custom": Tick this radio button to define the User Group name and the matching criteria, i.e. IMSI* or MS-ISDN.

Allowed LDAP Group Name
Type in the LDAP Group Name.

according to
Choose the matching criteria of the LDAP Group Name, i.e. IMSI* or MS-ISDN.

Allow Usage of Static IP Addresses
Choose whether the PEP's interfaces should use static IP addresses or not.

14.2.7. Import

Option Description

Import Host as
Indicates how to import a CheckPoint host, i.e. as a nexus, a class or an unknown device.
* Choice "Class": The CheckPoint host will be imported as a Class (that is to say, as an IP address container).

Auto-Connect Objects
Indicates if the auto-connect must be performed at the end of the import process.

Import Disabled Rules
Indicates if disabled rules are imported.

Import Section Titles in Notes
Indicates that rule section titles are imported in the permission note.

Import Rule Details in Notes (verbose)
Indicates that verbose details are imported in the permission note: (index, action, service, source, destination, policy target). The local import completes the rule detail with the rule UID.

14.3. Upload Configuration

Use this view to configure how SCM Server uploads your work to the device.

Option Description

Which PEPs should be uploaded?
Lets you choose the PEPs on which the Management Server will upload the configuration.
* Choice "All on map *": All the PEPs present on the map will be uploaded.
* Choice "Only selected": Only the selected PEPs will be uploaded. If you choose this value, the "Uploaded PEPs" sub-node will appear in the tree list to let you select the PEPs that should be uploaded.

14.3.1. Connection Options

Use this view to specify the protocols to be used for uploading filters.

Option Description

Upload Method
Specifies the protocol to be used for uploading filters.

CPMI+Certificate Flow
Creates an implicit CPMI+certificate flow.

OPSEC Connection Type
Specifies whether the connection will be SSL with certificates or "clear".

Reset certificate
Specifies whether your OPSEC application certificate has been reset.

OPSEC Application Distinguished Name
The distinguished name of the OPSEC application, if the OPSEC connection type is clear.

OPSEC Application Name
The name of the OPSEC application, if the OPSEC connection is SSL+certificates.

OPSEC Port
Specifies the OPSEC Port number.

OPSEC SIC Entity Common Name (CN)
Indicates the Common Name (CN) part of the OPSEC SIC Entity.

OPSEC Debug Level
Specifies the OPSEC debug level. This value is not saved in any project version.

Session Time Out (ms)
If this number of milliseconds elapses between an SCM Server request and the management server's response, the session is dropped.

Full Path to SmartDashboard directory
Lets you enter the path to the SmartDashboard directory.

14.3.2. Paths

Use this view to set the Check Point(TM) FireWall-1(R) installation directory.

14.3.3. Authentication

Use this view to record the username and password for management servers that need to be connected prior to giving access to the configuration account. This username and password must link to an account that can be used through the SSH connection.

The Root Password is never used on the management server. To log in as root, set User Name to "root" and set User Password to root's password.

Option Description

Use session credentials for user (login, password)
Activates the user authentication on the PEP from the credentials (login, password) of the user currently logged in to SCM Server.

Note that both the "User Login" and "User Password" options will be ignored although they are still displayed in the view.

Use session credentials for root (login, password)
Activates the super-user authentication (for privileged mode) on the PEP from the credentials (login, password) of the user currently logged in to SCM Server.

Note that both the "Enable Login" and "Enable Password" options will be ignored although they are still displayed in the view.

User Login
Allows you to record the username that will be used on the management server to copy, compile and upload the security policy. The user must have the privilege to copy files into $FWDIR/conf and to execute the command $FWDIR/bin/fw.

This user name is used to make the SSH connection to the management server and may be different from the name used to connect to the management server from the Check Point(TM) FireWall-1(R) Policy Editor.

The root password is needed when you want to be connected as root, but the SSH server installation prevents you from connecting directly as root. Using the root password, SCM Server will first connect to the Management Server using the user login and password and then perform the command "su -", specifying the root password.

User Password
Allows you to record the user password.

14.3.4. Prompts

Use this view to indicate what the management server's prompts look like, which allows SCM Server to interpret them during communication.

14.3.5. FireWall-1 Options

Use this view to configure FireWall-1 translation options.

Option Description

Generated Policy Name
Specifies the name of the generated policy. The default name is "Custom_Policy". If you change this, you must use a policy name different from the names used for the included policies in the Include Policy View.

Suffix Objects Names For This Policy?
Indicates whether a suffix should be appended to the object names. This makes it possible to identify the same objects in different security policies.

Object Name Suffix
Lets you type in the suffix that should be appended to the object names.

Translated Object Color
Selects an alternative display color to more easily differentiate between translated and generated objects.

Generated Object Color
Selects an alternative display color to more easily differentiate between translated and generated objects.

Upload if Only Successful on ALL Managed PEPs
Indicates that the Management Server will not upload any PEPs if one PEP upload fails.

Clean Database Before Next Upload
Indicates if the Management Server should empty its database before starting upload preparation. This option resets to "No" after every upload.

FireWall-1 Upload Policy
Lets you choose how to perform the upload.
* Choice "Upload on PEPs *": SCM will copy objects and rules to the Management Server, and the configuration will then be uploaded from the Management Server to its managed PEP(s).


Chapter 15. Provider-1 Management Server Properties Windows

15.1. Description ................................................................................................ 159
15.2. General Options ......................................................................................... 159
15.2.1. Managed CMAs ............................................................................... 159

15.1. Description

Option Description

Note

15.2. General Options

Use this view to examine and modify general management server options.

15.2.1. Managed CMAs

References the CMA servers managed by the Provider-1.


Index

A
all networks PEP, 24
Anti-Spoofing, 19
Anti-spoofing, 22
Any, 56
Audit Through Report, 56
Authentication, 24
  Client authentication, 24
  Session authentication, 24
  User authentication, 24
Authentication parameters, 43
Authentication Rule
  Create, 43

B
Back-up files, 65

C
CAST-40, 70, 75
Check Point Gateway, 19
Class all PEPs, 24
Clear, 27, 32, 32
  procedure, 31
Client-to-Gateway VPN, 67
Clientless VPN, 71
Communicate, 32
Compilation of the security policy, 39
Connections
  PEPs to networks, 55
connections
  Nexus to networks, 55

D
DES-40, 70, 75
Desktop security policy, 70
DHCP server, 70
domain, 63

E
Enable VPN routing, 70

F
Filters
  Upload Preparation, 14
Firewall Features, 3

G
Gateway-to-Gateway VPN, 71
Generation Process, 11, 27
Global Features, 3

H
Hybrid Mode, 70

I
ICMP, 4
Implicit permissions, 69
Import
  perform, 52
Imported/not imported (NG), 46
Include Rules, 64
Installation, 1
Interoperable Default Fields, 18
IP Address
  range, 16
IPSec/L2TP tunnels, 71

L
LDAP, 66, 66, 66
Licenses, 1
Limitations, 1
  Case Sensitivity, 1
Log, 18

M
Management Server Features, 7
Mapping, 15
  table syntax, 20
Multiple Entry Point VPNs (MEP), 70, 75

N
Naming convention, 21
NAT Features, 5
Non-supported concepts, 63
NP_A, 13
NP_C, 13
NP_E, 13
NP_I, 13
NP_N, 13, 16
NP_O, 23
NP_O_..VFP_.., 13
NP_R, 13
NP_S, 13
NP_T, 13

O
Object
  generated, 12
  nexus, 18
  translated, 12
Object Colors, 14
Office Mode, 70
OPSEC, 27

P
Patch Process, 63
PEP, 18
  Indirectly Managed, 11
Permissions
  deny, 55

R
RADIUS, 66, 66
Remote Access, 68

S
Security Include, 63
Service type, 21
Session Time Out, 38
SIC file, 32
sic_policy.conf, 32
Site-to-site VPN, 73
SmartDashBoard, 66
Specific translated fields, 18
SSL Certification and Encryption, 27, 29
  Procedure, 27
Supported Versions, 1

T
TACACS, 66, 66
Topology
  missing, 54
Translated PEP, 18
Translated service, 20
Transparent mode, 70

U
Upload addresses, 51
User Groups, 65

V
VIA property, 48
Visitor Mode, 70
VPN
  Specifics parameters, 68
VPN Features, 6
VPN node, 68
VPN-1 Net, 70