Chapter 3. Management Portal

Introduction

SmartPortal is one of Check Point’s newest additions to the SmartCenter server product family. This feature allows a user to browse the security policies and logs of a SmartCenter server using the Internet Explorer Web browser, without needing a full-blown SmartClient software installation. This chapter covers the installation and usage of SmartPortal, and then takes a tour of the interface used to configure your NGX installation: SmartDashboard.

Once we are done with the tour, new users of Check Point should know where to return in order to configure more advanced features of NGX; those familiar with Check Point NG will see where things have changed and what new features they can use to make management of their systems easier. We will then run through setting up a simple security policy and applying it to your NGX firewall gateway. The new SmartPortal management interface will be visited; we will look at how to install it and how it will help administrate your organization’s Check Point systems.

SmartCenter Installation

Check Point provides for three Integrity-NGX configurations through SmartCenter and two Integrity-NGX configurations by means of Provider-1.

Basic Configurations

  1. Integrity Only: This configuration is intended for users who do not want to connect Integrity to SmartCenter and wish to deploy the Integrity product alone.

  2. Integrity and SmartCenter on one host: This configuration is designed to provide the advantage of allowing both SmartCenter and Integrity to run on the same host. This configuration is aimed at:

    1. Sites with concerns regarding the cost of hardware, limited clients, and a low volume of SmartCenter traffic.

    2. Sites that wish to evaluate the product lines.

  3. Integrity connected to a remote SmartCenter: This configuration is designed to allow both SmartCenter and Integrity to be deployed on separate machines. This provides the benefits of greater system control and performance, but at a higher cost. This configuration can be more robust as the load is divided between two hosts. Since SmartCenter must not be open to the public network as is required with the Integrity module, the system may be more tightly secured.

  4. Integrity on the MDS host (Provider-1): This configuration is designed for sites that are attached to a single Check Point Management Agent (CMA).

  5. Integrity associated to a remote CMA on Provider-1: This configuration is designed to provide the ability to connect to both systems using separate hosts.

Installation Paths

Each of the aforementioned basic configurations and a variety of combinations that are derived from them are valid. Further, it is feasible to install additional Check Point products with the Integrity module. The following list presents a few of the many methods of installing and configuring this product.

Common Installation Scenarios

In the subsequent configuration methods, "Integrity" refers to a non-clustered Integrity server as well as to any Integrity cluster node.

  • Integrity on a primary SmartCenter machine.

  • Integrity on a primary SmartCenter machine and gateway.

  • Integrity on a secondary SmartCenter machine and gateway.

  • Integrity on a Log Server machine. In this case the user may want to send the Integrity logs to this Log Server, thereby having the Integrity logs on the Integrity machine itself.

  • Integrity on a Log Server machine and gateway.

  • Integrity on a dedicated machine.

  • Integrity on a dedicated machine and gateway.

  • Integrity along with other Check Point products (such as Eventia Reporter).

Install

The Integrity server consists of the following packages: Integrity, SmartPortal, and SmartCenter. The Integrity wrapper installs the right packages automatically. If you prefer to manually install the packages, verify the following:

  • When you are installing Integrity on the same machine as the SmartCenter, the SmartCenter should be installed as the primary management.

  • When you are installing Integrity as a distributed configuration, SmartCenter should be configured as a Log Server.

  • Every additional Integrity node should be treated as Integrity in a distributed mode (that is, SmartCenter should be configured as a Log Server).

  • The UTC time for Integrity and SmartCenter machines should be the same in a distributed configuration.

  • The installation should not be interrupted and the packages should be installed in the order listed above.

  • A reboot is required only after all the packages are successfully installed.

For additional information about installation refer to the Advanced Server Installation Guide.

Uninstall

To completely uninstall Integrity and the packages associated with it, manually uninstall the following three packages in the order they appear: Integrity, then SmartPortal, and finally SmartCenter.

Whether Integrity is installed on the same machine as SmartCenter or on a different one, it is possible to uninstall Integrity while leaving SmartCenter installed. However, you cannot uninstall SmartCenter without uninstalling Integrity, since Integrity is dependent on SmartCenter services.

Integrity Advanced Server

The Embedded Data store in Integrity 6.6 (as is distributed on the R65 installation CD) currently supports up to 2,000 concurrent users. This is designed to remove the requirement for an external database. Logs are now stored on the embedded Check Point Log server. This will still integrate with both Check Point and third party reporting tools. It is recommended that sites requiring greater than 2,000 concurrent users continue using Integrity 6.5 until Integrity 7.0 is released.

Dedicated Server Installation

When deploying SmartPortal on a dedicated server, the following actions should be taken to successfully integrate the SmartPortal Server with the SmartCenter server.

  1. During the SmartPortal installation you will be asked to choose a SIC (Secure Internal Communication) password that will be used to establish trust with the SmartCenter server.

  2. On the SmartCenter server create a network object to represent the SmartPortal server.

    • Fill in the network objects properties.

    • Select SmartPortal from the Check Point Product list.

  3. Add access rules to allow administrative access to the SmartPortal Server.

  4. Create administrator users with SmartPortal permissions if you want to restrict access to SmartPortal.

    • Administrator users can be limited to SmartPortal access only using a Permission profile. Create a Permission profile by selecting the Allow access SmartPortal only permission for the specific administrator.

A Tour of the Dashboard

Those unfamiliar with the Check Point NG interface may find the SmartDashboard interface a little daunting at first sight, what with so many different panes, views, and toolbars on one screen! Indeed, a large screen is a good place to start Check Point—say, at least 800 × 600—but 1280 × 1024 over 19” is much more workable, and an excuse for the larger monitor you’d wanted for months.

The key to working with the interface is understanding what each area is for and sticking to those you need. We will take a quick tour to help with this.

Logging In

First, we need to log in. Usually, you’d be connecting SmartDashboard to your SmartCenter, but there is also the option of Demo mode. This allows you to get familiar with the interface and take a look at some advanced configurations without risking any damage, because the only configuration you are changing is the local Demo databases. You can choose a number of different Demo databases, varying in complexity from a firewall only to advanced VPN scenarios. When you use Demo mode, SmartDashboard shows that it is connected to a SmartCenter named *local—that’s really just some static files. You can run SmartDashboard in Demo mode without any SmartCenter installed—choose a Demo Installation from your NGX CD.

For our tour, we will log in using Demo mode with the Basic Firewall +VPN database, as shown in Figure 3.1.

Figure 3.1. Logging in Using Demo Mode

The SmartDashboard window includes a number of different panes. Our tour begins with the rulebases—those Check Point administrators who remember FireWall-1 v4 will recall when there was nothing more than the Security and Address Translation rulebases!

The Rulebase Pane

The tabs in Figure 3.2 are the default tabs we see in the Demo mode. Each tab configures a different product feature, the Security tab being the most commonly used—the firewall rulebase. Some of the tabs reflect a particular policy, where different policies can be loaded and applied to different gateways, whereas others apply globally across all the gateways managed by your SmartCenter. The combination of policies that you view at one time is called a policy package. Other tabs will appear if other product features are enabled.

Figure 3.2. Rulebase Pane Tabs

To get your first firewall policy up and running, you probably will use only the Security and perhaps Address Translation tabs, but here is the full list.

Security Tab

This tab is the policy-based definition of the firewall security policy. Rules here define what traffic is permitted through a firewall, whether to log the traffic, and whether the traffic requires encryption or authentication. The Security rulebase is part of the Security and Address Translation policy.

Address Translation Tab

These policy-based rules define what Network Address Translation (NAT) should be performed on traffic through a firewall. They are part of the Security and Address Translation policy.

SmartDefense Tab

This tab is the global configuration of the firewall’s attack detection and prevention features. This includes everything from low-level IP packet sanity checks up to application layer controls for Instant Messengers and Voice-over IP (VoIP). The functionality here has expanded greatly since the introduction of SmartDefense back in NG FP2.

Web Intelligence Tab

This tab is the global configuration of Web (HTTP)-related SmartDefense features, including new features that were introduced in the R55W (Web Intelligence) version of NG.

VPN Manager Tab

This is the global configuration of VPN gateways when using VPN Communities. This method of VPN configuration applies only when a Simplified Mode Security and Address Translation policy is enforced on the gateways, so this tab is not present if a Traditional Mode Security and Address Translation policy is part of the current policy package. The difference between Simplified and Traditional Mode will be explained in Chapter 10.

QoS Tab

This policy controls the behavior of the Quality of Service (QoS) (Floodgate-1) gateway module where it has been enabled. It allows granular control of bandwidth usage per protocol and source and destination IP. This tab is not available in the Basic demo database.

Desktop Security Tab

This tab is the policy defining the desktop firewall rulebase that will be downloaded to SecureClient remote users when they connect. Check Point’s SecureClient secure remote access solution consists of client software (SecureClient) installed on each remote user machine; the VPN-1 gateway, which acts as the endpoint for the VPN tunnel to the client; and the SecureClient Policy Server, which runs on the gateway. The Policy Server will supply the latest Desktop Security policy to clients when they connect.

Web Access Tab

This tab is the global configuration of UserAuthority WebAccess modules. UA WebAccess software can be installed on Web servers to provide URL level access control and single sign-on integration with gateways. This tab is disabled by default—if you are installing a WebAccess module, enable it in the Global Properties, UserAuthority page (see Figure 3.3).

Figure 3.3. Enabling the Web Access Tab

Consolidation Rules Tab

This policy controls the behavior of the Eventia Reporter Log Consolidator, if installed. To display this tab, use View | Products | Reporter Log Consolidator. Note that this removes all other tabs—to return to the previous view of tabs, use View | Products | Standard.

The Objects Tree Pane

To the left of the rulebases, you should see the Objects Tree, as shown in Figure 3.4.

Figure 3.4. The Objects Tree Pane

The tree is a convenient way to browse, edit, and create the objects that you need to define for your rulebases. Objects are needed to represent the SmartCenter, gateways, networks, and hosts you reference in policies, user accounts, and so on.

There are actually several trees of objects—use the tabs at the top of the pane to select the required tree. To create new objects, simply right-click the top of the tree and choose New. To edit an object, double-click it.

Network Objects

This tree holds the objects that represent the hosts, gateways, networks, and address ranges that you reference in your policies. You can also create groups of network objects. There are a number of other special types of objects that can be defined here, representing DNS domains, external VPN peers, VoIP configuration, server load balancing controls, and routers managed by the Check Point OSE product.

By default, the Network Objects tree branches reflect each type of Network Object or can be sorted by color or name. Alternatively, a Group View will show each Network Object group as a branch, and its members within that branch—right-click the top of the tree to switch between Arrange by Group or Classic View.

Services

A wealth of objects reside here that define protocols that can be used in policies. The tree divides the objects by protocol type. The objects range from the obvious—like the telnet object that represents TCP port 23—to the obscure—such as SSL_v3, which represents an SSL connection, but enforces version 3 of the protocol.

Resources

Resource objects control the behavior of the firewall security servers—these are transparent proxy servers integrated into the firewall gateway. Security servers can be used for http, ftp, and smtp traffic. There is also a generic TCP proxy. A typical use of security servers is enabling redirection of Web and mail traffic to third-party CVP or UFP servers that perform antivirus scanning or URL cataloging. An additional type of resource object is the CIFS resource that can be used to control and audit use of Microsoft networking—allowing the restriction of what server shares can be accessed. This CIFS enforcement is performed without the use of a security server.

Servers and OPSEC Applications

Check Point can integrate with a wide range of other servers and applications. Objects are defined here to represent applications that will be integrated. These include certificate authorities, authentication servers, LDAP servers, and content checking servers. There is one predefined object: the internal_ca Certificate Authority (CA) object. This represents the internal CA that is integrated into the SmartCenter Server.

Users and Administrators

To connect to the SmartCenter for the first time, an administrator account is used that was created as part of the installation process using the cpconfig utility. This account is visible in SmartDashboard in the object cpconfig_administrators. Once connected using this account, additional administrator accounts should be created here in SmartDashboard for each user that will require access to the SmartCenter. Each account can then have different access permissions as required.

In addition, nonadministrative user accounts can be created to make use of the firewall and VPN authentication features. These accounts can be defined with a fixed password, certificate, or authentication backed off to an external authentication server.

To avoid the overhead of user account management in SmartDashboard, the provision of the user database can be passed to an external server in two ways: first, External User Profiles can be created that back off all authentication requests that do not match a locally defined user. Second, it is possible to fully integrate with a LDAP directory server. This includes using the server for authentication plus the ability to manage user accounts on the LDAP server directly through SmartDashboard—once configured, the directory will become accessible in this object tree. Integration with LDAP for user authentication is a licensed feature—Check Point calls it SmartDirectory. If you have a SmartCenter Pro license, SmartDirectory should be included.

VPN Communities

This provides a tree view of community objects—the same as those displayed in the VPN Manager rulebase tab.

The Objects List Pane

This pane shows objects in a list format. The contents of the list are controlled by what is currently selected in the Objects Tree. For example, select the Network Objects—Nodes branch to see a list of all nodes.

The SmartMap Pane

SmartMap provides a visual representation of the network topology that can be gleaned from the network objects that have been defined. SmartMap can be disabled in Global Properties, SmartMap page. If you are not using SmartMap, disable it—this avoids the overhead of SmartDashboard calculating the visual topology.

Menus and Toolbars

Although most of the policy and object management can be performed via the panes we’ve looked at, there is plenty more that can be achieved via the drop-down menus or, for some of the most common actions, the toolbars.

Working with Policy Packages

To save changes to objects and the current policy package, create new policy packages, or open a different policy package, use the File menu. Remember that a policy package is all the policies you can see on the rulebase pane. If you wish to take a copy of just one of the policies—say the Desktop Policy—and save it in a new package, use the Copy Policy to Package option and specify a name for your new policy package.

Installing the Policy

Saving the Policy Package does not actually change the policy running on your gateways—it’s just updating the SmartCenter database. To update your gateways, use the Policy menu, Install Policy option—or find the toolbar icon for Install Policies.

There are plenty more menu options to explore in your own time. The final option we will look at is the big daddy of all: Global Properties, from the Policy menu.

Global Properties

The Global Properties window, as the name suggests, defines settings and fine-tuning of your Check Point systems that apply globally (rather than per policy or per gateway). To open the window from the menus, choose Policy | Global Properties, or from the toolbar, choose the icon that looks like a bulleted list (see Figure 3.5).

Figure 3.5. The Global Properties Window

A detailed look at everything here easily could fill a whole book! We’ll take a look at the more useful settings as well as the additions that are new in NGX. Since this is an NGX book, the new additions are the fun part, and NG users in particular will find them useful.

FireWall Page

The FireWall page shows Implied Rules settings. These “rules” are imposed over every security policy installed to your gateways. The idea is that they allow traffic that your gateways might need to function correctly—so you avoid pushing a policy that sends your gateway AWOL. There are obvious security implications here—to a degree, you are opening up “holes” in your security policy. Actually, as long as you are aware of what shape and size holes are involved, there is no need to panic. Fortunately, exactly this facility exists in SmartDashboard: with the Security rulebase displayed, use the View menu to choose View | Implied Rules. This will show the Implied Rules that are currently enabled by adding them to the view of your Security rulebase.

The tickbox for VPN-1 Pro/Express Control Connections enables a vast array of implied rules: the initial reaction may be to untick that box. However, on closer inspection, these rules are pretty specific—and in fact, if you disable these implied rules you will likely spend an awful lot of time recreating them as manual rules before you get back to a correctly functioning gateway. The decision is yours: the author’s preference is to leave the option checked unless you are very confident you know what rules you will need to add manually. Are you sure you can avoid either a malfunctioning gateway or a bigger security hole than the implied rules may have left?

The option Accept Outgoing packets originating from Gateway is often left enabled, although we should consider whether we want to implicitly trust any and all connections from the gateway. Should the firewall gateway itself become in some way compromised, do we want to allow it unfettered access to the internal networks? It is preferable to investigate what outgoing traffic will be required from the gateway and accept only that in your rulebase. This is often just DNS queries to the configured DNS servers—remember that VPN-1 control connections (required to permit gateway to SmartCenter connections) are allowed elsewhere.

Of the other implied rules, most are undesirable. Consider the options for RIP and DNS: a sensible security policy would never allow these protocols without considering the source IP address. Those for Dynamic Address module DHCP traffic and Nokia VSX may be useful if relevant to your configurations, and are harmless enough. Note that the VSX VRRP setting does not apply for standard IPSO VRRP gateway clusters.

Finally, it is a good idea to enable Log Implied Rules. That way you can reassure yourself that you know exactly what connections are being allowed by the settings here, thanks to logging in SmartView Tracker. By default, Log Implied Rules is not enabled.

NAT—Network Address Translation Page

The default settings here are good for most configurations: be aware of the new option of Merge manual proxy ARP configuration. This allows the use of Automatic ARP when the old local.arp publishing method also is required on a Windows gateway. In gateway versions prior to NGX, if Automatic ARP configuration was enabled, the local.arp mechanism was disabled.

VPN Page

There are some global options here affecting site-to-site VPN gateways; however, most VPN configuration is performed in VPN community objects and VPN gateway objects.

VPN-1 Edge/Embedded Page

Where the SmartCenter is managing remote VPN-1 Edge or other similar software-based devices (e.g., Nokia IP40), this page controls some global behavior. This includes, new in NGX, the ability to inspect Web and mail content passing through these devices using central checking servers. Web traffic can be verified against a central UFP (URL filtering) server; SMTP and POP3 mail can be redirected via a central antivirus scanning CVP server.

Remote Access Page

On the Remote Access page and its subpages, there is a wide range of configuration settings—usually best left at their defaults unless a specific configuration requires otherwise. New in NGX is the ability to configure SSL Network Extender, SecureClient Hotspot, Office Mode IP reuse across gateways, and SCV connection exceptions.

SmartDirectory (LDAP) Page

If you wish to use LDAP integration, don’t forget to enable it here first!

Stateful Inspection Page

Fundamental to the operation of the firewall gateway is stateful inspection: that is, tracking the progress of a TCP connection (or other protocol sessions) to ensure that all traffic that arrives is consistent with the connection state. This page allows this behavior to be fine-tuned, or to a degree, disabled.

Dropping out-of-state TCP packets is sometimes disabled in scenarios where TCP connections remain idle for long periods: the gateway times out the idle connection and then drops the subsequent packets as out of state. If at all possible, avoid disabling it; first try extending the TCP Timeout on the service object for the affected service. Extending the timeout globally may significantly increase the amount of stale data in the gateway state tables.
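The following is an added example, not code from the book or from Check Point. It models the behaviour discussed above with a minimal connection table: packets are accepted only if they belong to a tracked TCP connection, idle entries are expired, and a late packet on an expired connection is dropped as out of state. It then contrasts the two remedies: raising the timeout on the one affected service versus raising the global timeout, which keeps every other idle connection in the table too. All timeouts, addresses and ports are constructed, not NGX defaults.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # subset of "SAFR" (SYN, ACK, FIN, RST)
    t: float        # arrival time in seconds (constructed clock)


class StateTable:
    """Minimal connection table: one entry per TCP connection, keyed so that
    both directions of the flow map to the same entry."""

    def __init__(self, global_timeout: float,
                 service_timeouts: dict[int, float] | None = None,
                 drop_out_of_state: bool = True) -> None:
        self.global_timeout = global_timeout              # Stateful Inspection page value
        self.service_timeouts = service_timeouts or {}    # server port -> TCP Timeout on the service object
        self.drop_out_of_state = drop_out_of_state        # "Drop out of state TCP packets"
        self.entries: dict[tuple, tuple[int, float]] = {} # key -> (server port, last seen)

    @staticmethod
    def _key(p: Packet) -> tuple:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def _timeout(self, server_port: int) -> float:
        # A per-service TCP Timeout takes precedence over the global value
        return self.service_timeouts.get(server_port, self.global_timeout)

    def expire(self, now: float) -> int:
        """Remove connections idle longer than their timeout; returns how many."""
        stale = [k for k, (port, seen) in self.entries.items()
                 if now - seen > self._timeout(port)]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def inspect(self, p: Packet) -> str:
        """Return the gateway's verdict for one packet: "accept" or "drop"."""
        self.expire(p.t)
        key = self._key(p)
        if "S" in p.flags and "A" not in p.flags:
            # New connection (assume the rulebase accepted it); start tracking it
            self.entries[key] = (p.dport, p.t)
            return "accept"
        if key in self.entries:
            port, _ = self.entries[key]
            if "F" in p.flags or "R" in p.flags:
                del self.entries[key]          # simplification: teardown ends tracking at once
            else:
                self.entries[key] = (port, p.t)
            return "accept"
        # The packet belongs to no tracked connection: it is out of state
        return "drop" if self.drop_out_of_state else "accept"


def idle_ssh_scenario(global_timeout: float, ssh_timeout: float | None) -> str:
    """An SSH session is set up, goes quiet for 4000 s, then the client sends
    more data. Returns the verdict on that late packet."""
    table = StateTable(global_timeout, {22: ssh_timeout} if ssh_timeout else {})
    table.inspect(Packet("10.0.0.5", 40000, "10.0.0.22", 22, "S", 0.0))
    table.inspect(Packet("10.0.0.22", 22, "10.0.0.5", 40000, "SA", 0.1))
    table.inspect(Packet("10.0.0.5", 40000, "10.0.0.22", 22, "A", 0.2))
    return table.inspect(Packet("10.0.0.5", 40000, "10.0.0.22", 22, "A", 4000.0))


def stale_entries_after(global_timeout: float, ssh_timeout: float | None,
                        now: float = 4000.0) -> int:
    """Ten unrelated HTTP connections opened at t=0 and then abandoned: how many
    still occupy the table at `now` under the given timeouts?"""
    table = StateTable(global_timeout, {22: ssh_timeout} if ssh_timeout else {})
    for i in range(10):
        table.inspect(Packet("10.0.0.5", 50000 + i, "10.0.0.80", 80, "S", 0.0))
    table.expire(now)
    return len(table.entries)


if __name__ == "__main__":
    print("global 3600, no service timeout:", idle_ssh_scenario(3600, None))   # drop
    print("global 3600, ssh 7200:", idle_ssh_scenario(3600, 7200))            # accept
    print("stale HTTP entries, ssh 7200 only:", stale_entries_after(3600, 7200))
    print("stale HTTP entries, global 7200:", stale_entries_after(7200, None))
```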

New in SmartDashboard NGX

For readers familiar with previous versions of SmartDashboard, this chapter may have yet to uncover much that is new for them. For those readers in particular, we will now have a look at the improvements in NGX.

Security Policy Rule Names and Unique IDs

In previous versions, every rule had a number. At a stretch, the administrator may have bothered to scroll over to the far left column of the rule to add a comment. Neither helped clearly identify the purpose of each rule when browsing through the rulebase.

NGX introduces rule names, now the first column in every rule. Describing each rule in one or two words should make the rulebase far more readable. Figure 3.6 shows an example of annotating a rulebase in this way.

Figure 3.6. Naming Rules

Also new are Unique Rule IDs. Every rule now has a hidden, unique ID that does not change throughout the rule’s life span—unlike the visible rule number, which will change when rules above are added or removed. This feature comes into its own when viewing log entries in SmartView Tracker. Now it is possible to identify which rule triggered the log entry—whether or not the rule number has since changed. For good measure, the rule name is included in the log entry, too. An example of the logging you’ll see is shown in Figure 3.7.

Figure 3.7. Logging with Rule IDs and Names
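As an added example (not code from the book or from Check Point), the simulation below shows why the hidden Unique Rule ID matters for log analysis: a hit is logged while a rule is number 2, a rule is then inserted above it, and resolving the log entry by the recorded number now picks the wrong rule while resolving by UID still finds the right one. The log line format, rule names and addresses are constructed, not the real SmartView Tracker format.

```python
import re
import uuid
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str       # NGX rule name, the first column of the rule
    action: str     # "accept" or "drop"
    # Hidden unique ID, assigned once and never changed for the rule's lifetime
    uid: str = field(default_factory=lambda: uuid.uuid4().hex)


class Rulebase:
    def __init__(self) -> None:
        self.rules = []     # ordered exactly as displayed in the Security tab

    def append(self, rule: Rule) -> Rule:
        self.rules.append(rule)
        return rule

    def insert(self, position: int, rule: Rule) -> Rule:
        """Insert at a 1-based visible position; every rule below it is renumbered."""
        self.rules.insert(position - 1, rule)
        return rule

    def number_of(self, uid: str) -> int:
        """Current visible (1-based) rule number of the rule with this UID."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.uid == uid:
                return number
        raise KeyError(uid)

    def by_number(self, number: int) -> Rule:
        return self.rules[number - 1]

    def by_uid(self, uid: str) -> Rule:
        return self.by_number(self.number_of(uid))


def log_line(rb: Rulebase, rule: Rule, src: str, dst: str, service: str) -> str:
    """Constructed log format: the rule number as it was at log time, plus the
    stable UID and the rule name, mirroring the fields the NGX log carries."""
    return (f"rule={rb.number_of(rule.uid)} rule_uid={rule.uid} rule_name={rule.name} "
            f"src={src} dst={dst} service={service} action={rule.action}")


LOG_RE = re.compile(r"rule=(\d+) rule_uid=(\w+) rule_name=(\S+)")


def rule_for_log(rb: Rulebase, line: str, by: str = "uid") -> Rule:
    """Resolve a log line to a rule, either by the (possibly stale) number or by UID."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a rule log line: " + line)
    number, uid = int(m.group(1)), m.group(2)
    return rb.by_number(number) if by == "number" else rb.by_uid(uid)


def demo() -> dict:
    rb = Rulebase()
    rb.append(Rule("Mgmt-SSH", "accept"))
    web = rb.append(Rule("Web-In", "accept"))
    rb.append(Rule("Cleanup", "drop"))
    # A hit on Web-In is logged while it is still rule 2 (constructed connection)
    line = log_line(rb, web, "203.0.113.9", "10.0.0.80", "http")
    # Later an administrator inserts a rule at the top: Web-In becomes rule 3
    rb.insert(1, Rule("Block-Scanner", "drop"))
    return {
        "logged_number": int(LOG_RE.search(line).group(1)),
        "current_number": rb.number_of(web.uid),
        "by_number": rule_for_log(rb, line, by="number").name,  # stale: wrong rule
        "by_uid": rule_for_log(rb, line, by="uid").name,        # still correct
    }


if __name__ == "__main__":
    print(demo())
```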

There is also an option in SmartDashboard to launch SmartView Tracker and view all logs relating to a rule. Right-click the rule to try this, as shown in Figure 3.8.

Figure 3.8. Launching SmartView Tracker for a Specific Rule

Group Object Convention

It is possible to specify a convention when defining a group. This consists of conditions based on object name, color, and IP, as shown in Figure 3.9.

Figure 3.9. Groups with Conventions

This can be used to assist when adding members to a group: a list of existing objects that meet the convention is provided. In addition, in the future when a new object is defined, SmartDashboard will check whether it meets a group convention. If so, you will be prompted to add the object to the relevant group.
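The following added example (not code from the book or from Check Point) models the Group Object Convention just described: a group carries conditions on object name, color and IP, the existing objects that meet all of them are listed as candidates when adding members, and a newly defined object is checked against every group's convention to decide which groups the administrator should be prompted about. The object names, colors, and subnets are constructed.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class NetworkObject:
    name: str
    color: str
    ip: str


@dataclass
class Convention:
    """Conditions a group member must satisfy; an unset condition always matches."""
    name_pattern: str | None = None   # glob on the object name, e.g. "dmz-*"
    color: str | None = None          # object color
    subnet: str | None = None         # CIDR the object's IP must fall inside

    def matches(self, obj: NetworkObject) -> bool:
        if self.name_pattern and not fnmatchcase(obj.name, self.name_pattern):
            return False
        if self.color and obj.color != self.color:
            return False
        if self.subnet and ipaddress.ip_address(obj.ip) not in ipaddress.ip_network(self.subnet):
            return False
        return True


@dataclass
class Group:
    name: str
    convention: Convention
    members: set[str] = field(default_factory=set)

    def candidates(self, objects: list[NetworkObject]) -> list[str]:
        """Existing objects that meet the convention but are not yet members:
        the list SmartDashboard offers when adding members."""
        return sorted(o.name for o in objects
                      if self.convention.matches(o) and o.name not in self.members)


def groups_to_prompt(groups: list[Group], new_obj: NetworkObject) -> list[str]:
    """On creation of a new object: the groups whose convention it meets,
    i.e. the ones the administrator would be prompted to add it to."""
    return [g.name for g in groups
            if g.convention.matches(new_obj) and new_obj.name not in g.members]


def demo() -> dict:
    # Constructed object database
    objects = [
        NetworkObject("dmz-web1", "red", "192.0.2.10"),
        NetworkObject("dmz-mail", "red", "192.0.2.25"),
        NetworkObject("lan-file", "blue", "10.0.0.5"),
        NetworkObject("dmz-legacy", "blue", "192.0.2.40"),   # wrong color: not a match
    ]
    dmz = Group("DMZ_Servers",
                Convention(name_pattern="dmz-*", color="red", subnet="192.0.2.0/24"),
                members={"dmz-web1"})
    lan = Group("LAN_Hosts", Convention(subnet="10.0.0.0/8"))
    groups = [dmz, lan]
    return {
        "dmz_candidates": dmz.candidates(objects),
        "prompt_for_new_dmz_host": groups_to_prompt(groups, NetworkObject("dmz-web2", "red", "192.0.2.11")),
        # Name and color fit, but the IP is outside the DMZ subnet: only LAN_Hosts matches
        "prompt_for_misplaced_host": groups_to_prompt(groups, NetworkObject("dmz-rogue", "red", "10.0.0.9")),
    }


if __name__ == "__main__":
    print(demo())
```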

Group Hierarchy

The Network Objects view in the Object Tree pane has been enhanced for Group objects to allow “drilling down” into groups. Right-click the Groups branch and choose Show Groups Hierarchy, as shown in Figure 3.10.

Figure 3.10. Enabling Group Hierarchy View

The tree will now show the members of groups, including subgroups. An example is shown in Figure 3.11.

Figure 3.11. Drilling into Groups

Clone Object

For those times when you need to create a large number of similar objects, Clone Object is here to help. Right-click any Node or Network object and you have the option to Clone. This creates a new object with the same properties. Just change the name and IP and you are done.

Session Description

In previous versions, it was possible to supply a Session Description when logging in to SmartDashboard, and this would be written to the Audit Log. This provided a rudimentary way of tracking the reason for which administrators had logged into SmartDashboard, should they choose to supply one.

SmartDashboard NGX provides the ability to require a Session Description in order to log in: enable this in Global Properties, SmartCenter Access. However, as yet there is no way of forcing the administrator to enter something helpful.

Tooltips

In the rulebase, tooltips are provided for host and network objects—hover your mouse pointer over an object for a summary: for example, for a network, its IP, subnet mask, and object comment (see Figure 3.12). This is particularly useful when analyzing a rulebase, allowing you to understand what the objects used in rules are representing. Of course, to make the tooltip really useful, you do need to have provided a helpful Comment in the object definition. This should be considered standard practice in order to make the effect of your rulebase clear. Losing track of what objects represent can easily lead to your defined security policy not providing the protection that you expected, or perhaps (in practice, more often) blocking legitimate traffic.

Figure 3.12. Tooltips Are Your Friend

We’ve now completed our SmartDashboard tour and highlighted the new features in NGX. With some luck you are now familiar enough with the interface to create a simple security policy.

Your First Security Policy

We will now run through the steps of configuring and installing your first security policy. In our example, SmartCenter Express has been installed on a Windows 2003 Server named “sleigh.” You have a dedicated firewall gateway host running Nokia IPSO that has VPN-1 Express gateway installed, named “vixen.”

Having installed the SmartCenter software successfully, you should be able to connect your SmartDashboard for the first time. If you have installed SmartCenter on a Windows platform, you will be able to run the SmartDashboard locally. Otherwise, you will need to install the SmartConsole package on a Windows host and connect to the SmartCenter over the network—make sure your cpconfig GUI clients settings allow the host to connect. Log in by specifying the administrator credentials that you configured in cpconfig and the hostname (or IP) of the SmartCenter, as shown in Figure 3.13.

Figure 3.13. Connecting to Your SmartCenter

Note

The first time you connect the SmartDashboard to the SmartCenter, you will be prompted to confirm the identity of the host to which you are connecting. This is achieved by verifying the fingerprint of the Internal CA. If you are at all concerned that the host you’ve connected to might not actually be your SmartCenter, you can compare the fingerprint with the one for your SmartCenter Internal CA; you can get that from the cpconfig utility on the SmartCenter. Once you have done this once, the host running SmartDashboard will trust that SmartCenter. Note that you will be warned again if the Internal CA on the SmartCenter is reset.

Once connected, you will notice in the Objects Tree that an object for the SmartCenter has been created automatically. Double-click the object to review the object settings: verify that the hostname, IP address, and OS are correct. If there are discrepancies, it might indicate a problem with the installation; double-check that the SmartCenter’s host OS is configured correctly. The object for our SmartCenter sleigh is shown in Figure 3.14.

Figure 3.14. SmartCenter Object for Sleigh

The Products Installed list indicates that sleigh is running a Primary SmartCenter, Log Server, and SVN Foundation (SVN is the base Check Point software module). In our example, no gateway is installed on sleigh, so Firewall, VPN, and QoS are all unchecked. We have provided a useful comment—here it identifies the location of the SmartCenter.

Creating Your Administrator Account

Your first job is to create an administrator’s user account. Select the Users tab of the Objects Tree, right-click on Administrators, and choose New Administrator. Your user ID will be clauss. In order to configure your level of privileges, create a new Permissions Profile called fulladmin. You should select Read/Write Access, and the ability to Manage Administrators so that you can create further accounts for other admins, operators, and so on. Don’t forget to choose an authentication method, too—in the object Admin Auth tab, you should select a Check Point password and set it. Note you can use stronger external mechanisms if you wish, such as RSA SecurID. Additionally, you can create a certificate and use that to authenticate instead of a regular password.

Now that you have an administrator account, save your changes (File | Save) and then exit from SmartDashboard. Then, start SmartDashboard and log in again, this time using the new account.

Hooking Up to the Gateway

You are now ready to hook up the SmartCenter to your new VPN-1 gateway, vixen. As part of the installation of NGX on vixen, you were supplied a SIC activation key: you need that in order to define your object for the gateway.

To create your object, right-click on the Network Objects tree and choose New | Check Point | VPN-1 Pro/Express Gateway. You are prompted for the choice of a wizard or manual classic configuration. Unless you have a real aversion to wizards, the wizard is pretty reliable. We recommend that you use the wizard, supplying the following details:

  • Gateway name: Use the hostname of the gateway.

  • IP Address: Use the external IP of the gateway (also make sure that, on the gateway host itself, its own hostname resolves to this IP). Choosing the external IP is important for VPN configurations as clients or peers may use this IP for building the VPN tunnel, and the internal, private IPs are unlikely to be reachable. It is critical for the gateway’s hostname to resolve correctly locally because the Check Point services on the gateway will use the resolved IP when locating the firewall object for that gateway. On UNIX platforms, verify the hosts file is correct on the gateway. On Windows, it is not so straightforward: ping the gateway’s own hostname in order to determine which physical interface is considered the primary by Windows, then use that interface as the external interface.

  • Gateway Type: Express or Pro (we are using Express). This depends on what license you have.

  • Firewall or VPN: Will you be using the VPN features of VPN-1? If not, only enable FireWall; this simplifies configuration. You can always switch on VPN later if needed. We’ll have VPN from the start.

  • SIC Activation Key: After you supply this key and click Next, the SmartCenter will attempt a connection to the gateway.

Hopefully the SIC connection is successful; if not, take a look at the sidebar, “Can’t Communicate?”

The wizard will now ask you whether to automatically retrieve interfaces and topology from the gateway. This will fetch a list of interfaces and inspect the routing tables on the gateway in order to identify what subnets are connected to each interface of the gateway, creating any necessary objects for you—on complex networks this can save you a lot of time. It is also important that the interface list is defined accurately, so automatically fetching the list is highly recommended.

When the wizard completes, you can check the box to Edit the Gateways Properties to review the configuration of the new object. The hostname, IP address, OS, and Products Installed should all be as required.

Reviewing the Gateway Object

It’s worth reviewing all the object’s settings: first, to make sure the wizard got it right (they aren’t perfect, you know), and second, so that you are aware of the available options to be configured if you need to later. The object for vixen is shown in Figure 3.15.

Gateway Object for Vixen

Figure 3.15. Gateway Object for Vixen

If you are satisfied that these general properties look good, move on to the Topology page for the object. Here you’ll see a list of interfaces on the gateway and the IP addresses behind those interfaces, based on the routing tables. On your vixen gateway, the eth4c0 interface has an additional routed subnet behind that interface and SmartDashboard has created objects to reflect that. The topology is shown in Figure 3.16.

Gateway Topology

Figure 3.16. Gateway Topology

To edit the settings for each interface, just double-click the interface name. As well as the name and IP, the topology should be reviewed to ensure it correctly reflects what IP addresses lie behind that interface. Accurately configuring this allows anti-spoofing protection to be enabled on the interface—essential in securing your networks against spoofed packets arriving at untrusted interfaces.

You may want to browse through the raft of other pages and settings available in the gateway object, but these are best left at their defaults for now.

Tip

SmartDashboard provides a handy shortcut for launching the Web interface to your SecurePlatform or IPSO gateways: right-click on the Check Point object and choose Manage Device. However, note that SmartDashboard will attempt to connect to the device using https on port 443, so if this isn’t what your gateway listens on, this won’t work for you.

Defining Your Security Policy

Before defining rules in your policy, you will likely need to define a few objects to represent internal hosts and networks. SmartDashboard automatically created objects for two of your internal networks when it fetched the gateway topology, so you can just change those object names to something more meaningful rather than creating new objects.

You will also create a group, sleigh_internal, which will include all your internal networks. To add the networks to the group, just drag and drop them into the group using the Objects Tree.

Figure 3.17 shows the Objects Tree with all our objects defined. You have objects for your networks plus an object for the Internet mail relay server on our DMZ. There is also a group that was automatically defined for use in the gateway topology.

The Objects Tree

Figure 3.17. The Objects Tree

Policy Design

A firewall security policy should be designed with the principle of least privilege in mind: accept only the traffic that is required, drop anything else. When the firewall gateway implements the rulebase, each new connection is compared against the rulebase top down; when a rule is matched, that action is followed and no more rules are checked. Check Point helps you out with best practice by dropping any traffic that is not accepted by either implied rules or a rule you have added to the policy. In other words, there is an invisible rule at the bottom of the rulebase: drop anything.

Two rules are usually explicitly added as part of every policy: the Stealth rule and the Clean Up rule.

A Stealth rule is placed near the top of the policy and explicitly blocks access to the firewall. It should be placed above other more general rules that would otherwise allow access (maybe a rule allowing internal users access to the Internet—i.e., any address—which would include the firewall itself). Don’t forget to add a rule above the Stealth rule to allow access for administrators—for example, ssh to the gateway.

A Clean Up rule is placed at the bottom of the policy and explicitly drops and logs all traffic that has not matched other rules. This traffic would have been dropped by the gateway anyway because of the invisible drop-anything rule, but the Clean Up rule ensures it gets logged.

In addition to the aforementioned rules, your security policy should be developed in order to reflect the formal network usage policies of your organization.

Creating Rules

Before we begin creating rules, it is a good idea to save the Policy Package using a descriptive name. You will notice that the current policy name is “Standard.” It is good practice to use policy names that identify the date/time of the policy, or some versioning reference. There are two reasons for this—first, it is easy to check what revision of the policy package is installed on a gateway—SmartView Monitor will show the current installed package name. Second, it makes it easy to roll back changes to the policy (although be aware that saving the policy does not provide version control over changes to objects—we’ll discuss Change Management later in this chapter). To save the policy under a new name, use File | Save As.

To add a rule to the rulebase, use the Rules Toolbar. This provides buttons for adding rules at the top or bottom of the policy, and above or below the current selected rule. Clicking one of these buttons adds a rule that by default will drop all traffic. First you should give the rule a Name; then we can modify the rule Source, Destination, and Service by dragging objects into the fields or right-clicking and adding objects from a list. Then choose the Action you wish to take if a connection matches this rule (right-click and choose from the list); to start with, choose between Accept or Drop. Other options can be used to perform authentication or require encryption. The Reject option drops traffic but informs the client by means of either a TCP Reset or ICMP destination unreachable message.

The full security rulebase for our example is shown in Figure 3.18.

A Full Example Rulebase

Figure 3.18. A Full Example Rulebase

Reviewing the rules, you have allowed the administrator’s PC access to the gateway and SmartCenter for the required protocols. You had to define a new Service object (right-click in the Services tab of the Objects Tree) to represent the Microsoft Remote Desktop protocol (TCP port 3389). You ensured that ssh access to the gateway uses the more secure ssh version 2, not version 1, by using the special service ssh_version_2.

Once you have your policy defined, remember to review the implied rules that are enabled in Global Properties. The defaults in NGX are sensible, but make sure that you are aware of what they are. In the example in this chapter, you have left Control Connections and Outgoing Packets from Gateway enabled. It is a good idea to enable Log Implied Rules so that it is clear what connections are being accepted and dropped.

Network Address Translation

To be allowed to access the Internet, and for your mail relay to receive incoming mail, you need to configure some address translation. Add Hide NAT to your internal networks (hiding behind the gateway itself) and Static NAT to your mail relay. The mail relay will be translated to an address supplied by our ISP, in the same range as our gateway external IP. This is simple to configure using Automatic NAT—edit the relevant objects and configure the NAT page. Figures 3.19 and 3.20 show the NAT configuration on an internal network object and the mail relay object.
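Why the internal networks get Hide NAT while the mail relay needs Static NAT is easiest to see with a connection-table simulation. The Python below is an added example, not Check Point code, and every address in it is an assumption chosen to resemble the example network. Hide NAT rewrites many private sources to the gateway’s single external address plus a fresh source port, so only replies to entries it created can come back in; an unsolicited inbound SMTP connection to the gateway address finds no entry and goes nowhere. Static NAT is a fixed one-to-one mapping in both directions, which is what lets the Internet reach the relay on its ISP-supplied address.

```python
"""Hide NAT versus Static NAT as a connection-table simulation.

Added example, not Check Point code. All addresses are assumptions chosen
to resemble the chapter's example network.
"""
from ipaddress import ip_address, ip_network
from itertools import count

GATEWAY_EXT = ip_address("192.0.2.1")           # vixen's external IP (assumed)
INTERNAL_NETS = [ip_network("10.1.1.0/24")]    # networks hidden behind the gateway
# Static NAT: private DMZ relay <-> public address in the ISP's range (assumed)
MAIL_RELAY = ip_address("10.1.2.25")
MAIL_PUBLIC = ip_address("192.0.2.25")
STATIC = {MAIL_RELAY: MAIL_PUBLIC}
STATIC_REVERSE = {public: private for private, public in STATIC.items()}

ADMIN_PC = ip_address("10.1.1.50")
INTERNET_PEER = ip_address("203.0.113.7")


class Nat:
    def __init__(self, first_port=10000):
        self._ports = count(first_port)
        # Hide NAT state: (translated src port, remote addr, remote port) -> (orig src, orig port)
        self.hide_table = {}

    def outbound(self, src, sport, dst, dport):
        """Translate a new connection leaving through the gateway; returns the packet as seen outside."""
        if src in STATIC:
            # Static NAT: address swapped one-to-one, port untouched, no table entry needed.
            return STATIC[src], sport, dst, dport
        if any(src in net for net in INTERNAL_NETS):
            # Hide NAT: many private sources share GATEWAY_EXT; a fresh port keeps them apart.
            new_port = next(self._ports)
            self.hide_table[(new_port, dst, dport)] = (src, sport)
            return GATEWAY_EXT, new_port, dst, dport
        return src, sport, dst, dport            # not subject to NAT

    def inbound(self, src, sport, dst, dport):
        """Translate a packet arriving from outside; None means no translation exists
        and the packet has nowhere to go."""
        if dst in STATIC_REVERSE:
            # Static NAT works in both directions, so unsolicited connections are possible.
            return src, sport, STATIC_REVERSE[dst], dport
        entry = self.hide_table.get((dport, src, sport))
        if dst == GATEWAY_EXT and entry is not None:
            orig_src, orig_port = entry                  # a reply to a hidden connection
            return src, sport, orig_src, orig_port
        return None


def demo():
    """Walk through the cases the text describes and return them for inspection."""
    nat = Nat()
    out = nat.outbound(ADMIN_PC, 51000, INTERNET_PEER, 443)
    reply = nat.inbound(INTERNET_PEER, 443, GATEWAY_EXT, out[1])
    unsolicited_to_gateway = nat.inbound(INTERNET_PEER, 40000, GATEWAY_EXT, 25)
    inbound_mail = nat.inbound(INTERNET_PEER, 40000, MAIL_PUBLIC, 25)
    outbound_mail = nat.outbound(MAIL_RELAY, 25001, INTERNET_PEER, 25)
    return {
        "hidden_outbound": out,
        "reply": reply,
        "unsolicited_to_gateway": unsolicited_to_gateway,
        "inbound_mail": inbound_mail,
        "outbound_mail": outbound_mail,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and the hidden connection comes back only because a table entry was created on the way out; the inbound SMTP attempt at the gateway address returns None, while the same attempt at the relay’s public address is translated to the private relay. That asymmetry is the reason the relay object gets Static NAT and the internal networks do not.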

Internal Network Hide NAT Configuration

Figure 3.19. Internal Network Hide NAT Configuration

Host Object Static NAT Configuration

Figure 3.20. Host Object Static NAT Configuration

In the Network Address Translation rulebase tab, you can review the rules that have been created. You can add more rules to the rulebase manually if you need to—this is discussed further in the Network Address Translation chapter.

At last you are ready to test your policy!

Installing the Policy

To install the policy, use the Policy toolbar—the policy install button shows a rulebase with a downward arrow above it. SmartDashboard will prompt you to select which gateways the policy should be installed on—in this case, there is only one gateway to choose from, and it will be selected by default. If you later choose to enable the QoS or Policy Server modules on the gateway, you will also be able to select whether you wish to update the QoS and Desktop Security policies. Clicking OK to continue the process will show the Install Progress dialog box. This will indicate that the policy is first Verifying and then Installing. The Verify phase identifies any logical problems with your policy—for example, rules that “hide” later rules, making the later rule redundant. Installation is the process of connecting to the gateway, transferring the policy and database files to the gateway, instructing the gateway to update its policy, and waiting for a successful confirmation from the gateway. If all this succeeds, you will see a reassuring large green tick appear, as in Figure 3.21.
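The top-down, first-match evaluation described under Policy Design and the kind of “rule hides a later rule” check the Verify phase performs can both be shown with one small model. The Python below is an added example, not Check Point code; its objects, addresses and rules are constructed to resemble this chapter’s example policy (admin access above the Stealth rule, Clean Up at the bottom) and are assumptions, not the contents of Figure 3.18. The shadow check is exact only within the finite set of sample addresses and services it enumerates, which is a simplification of what the real verifier does.

```python
"""First-match rulebase evaluation plus shadowed-rule detection.

Added example, not Check Point code. Objects, addresses and rules are
constructed to resemble the chapter's example policy (assumptions).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product

ANY = "Any"

# Constructed object database (all addresses assumed).
HOSTS = {
    "admin_pc":   ip_address("10.1.1.50"),
    "sleigh":     ip_address("10.1.1.10"),   # SmartCenter
    "vixen":      ip_address("192.0.2.1"),   # gateway external IP
    "mail_relay": ip_address("10.1.2.25"),   # DMZ mail relay
}
NETWORKS = {
    "net_internal": ip_network("10.1.1.0/24"),
    "net_dmz":      ip_network("10.1.2.0/24"),
}
GROUPS = {"sleigh_internal": ("net_internal", "net_dmz")}
INTERNET_HOST = ip_address("203.0.113.7")     # an arbitrary outside address


def covers(obj, addr):
    """True if the named object (host, network, group or Any) contains addr."""
    if obj == ANY:
        return True
    if obj in HOSTS:
        return HOSTS[obj] == addr
    if obj in NETWORKS:
        return addr in NETWORKS[obj]
    if obj in GROUPS:
        return any(covers(member, addr) for member in GROUPS[obj])
    raise KeyError(f"unknown object {obj!r}")


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple          # object names, or (ANY,)
    dst: tuple
    svc: tuple          # e.g. ("tcp/22", "tcp/3389") or (ANY,)
    action: str         # "accept" | "drop" | "reject"
    log: bool = False

    def matches(self, src, dst, svc):
        return (any(covers(o, src) for o in self.src)
                and any(covers(o, dst) for o in self.dst)
                and (ANY in self.svc or svc in self.svc))


def evaluate(rulebase, src, dst, svc):
    """Top-down, first match wins. Returns (rule number, rule name, action);
    a connection matching nothing hits the invisible drop-anything rule (number 0)."""
    for number, rule in enumerate(rulebase, start=1):
        if rule.matches(src, dst, svc):
            return number, rule.name, rule.action
    return 0, "implicit drop", "drop"


def shadowed_rules(rulebase, sample_addrs, sample_svcs):
    """Rules that can never be reached: every (src, dst, svc) they match is
    already matched by an earlier rule. Exact for the sample universe given,
    so the universe should hold one address per object plus an outside host."""
    already_matched = set()
    shadowed = []
    for rule in rulebase:
        hits = {(s, d, p) for s, d, p in product(sample_addrs, sample_addrs, sample_svcs)
                if rule.matches(s, d, p)}
        if hits and hits <= already_matched:
            shadowed.append(rule.name)
        already_matched |= hits
    return shadowed


ADMIN    = Rule("Admin access", ("admin_pc",), ("vixen", "sleigh"),
                ("tcp/22", "tcp/3389"), "accept")
STEALTH  = Rule("Stealth", (ANY,), ("vixen",), (ANY,), "drop", log=True)
GW_SSH   = Rule("Internal ssh to gateway", ("net_internal",), ("vixen",),
                ("tcp/22",), "accept")
MAIL_IN  = Rule("Inbound mail", (ANY,), ("mail_relay",), ("tcp/25",), "accept")
OUTBOUND = Rule("Internal to Internet", ("sleigh_internal",), (ANY,),
                ("tcp/80", "tcp/443"), "accept")
CLEANUP  = Rule("Clean Up", (ANY,), (ANY,), (ANY,), "drop", log=True)

GOOD_POLICY     = [ADMIN, STEALTH, MAIL_IN, OUTBOUND, CLEANUP]
BAD_POLICY      = [STEALTH, ADMIN, MAIL_IN, OUTBOUND, CLEANUP]   # admin rule below Stealth
SHADOWED_POLICY = [ADMIN, STEALTH, GW_SSH, MAIL_IN, OUTBOUND, CLEANUP]

SAMPLE_ADDRS = tuple(HOSTS.values()) + (INTERNET_HOST,)
SAMPLE_SVCS  = ("tcp/22", "tcp/3389", "tcp/25", "tcp/80", "tcp/443")

if __name__ == "__main__":
    print(evaluate(GOOD_POLICY, HOSTS["admin_pc"], HOSTS["vixen"], "tcp/22"))
    print(evaluate(BAD_POLICY, HOSTS["admin_pc"], HOSTS["vixen"], "tcp/22"))
    print(shadowed_rules(SHADOWED_POLICY, SAMPLE_ADDRS, SAMPLE_SVCS))
```

With the admin rule above Stealth, the administrator’s ssh reaches the gateway; swap the two and the same connection is dropped by Stealth, which is the ordering point made earlier. The third policy places an “internal to gateway ssh” rule below Stealth: every connection it could match is already caught by the admin rule or by Stealth, so the check reports it as hidden, exactly the condition Verify warns about.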

Success!

Figure 3.21. Success!

If you see anything else—red crosses, warnings, or the like—click the Show Errors button that will appear in order to view the reasons for this. This may not be critical in some cases—sometimes it is just a recommendation about your policy. Other times it will indicate the policy has not been installed, maybe due to connectivity to the gateway or some other serious error during the policy compilation process.

Before you make any further changes to the policy, you may want to save the current policy using a new name, indicating a new policy version.

Once you have your policy installed it is time to test whether connectivity is as expected: now is probably a good time to read the SmartView Tracker chapter so you can observe your connections being accepted, and the bad guys being dropped. Hopefully.

Other Useful Controls on the Dashboard

Once you are comfortable with the core features we’ve covered so far, you might want to explore some more SmartDashboard features. We’ll quickly look at some of them now.

Working with Security Policy Rules

Rulebases tend to quickly become long and cumbersome—you might even end up with a few hundred rules. Keep in mind that the longer the rulebase, the more work the gateway needs to do per new connection. This can be reduced by making sure that the most common connections match rules early in the rulebase. The tools described in this section will help manage bigger rulebases.

Section Titles

As your rulebase gets larger you can use Section Titles to summarize the purpose of a group of rules, making the rulebase easier to read. To add a Section Title, right-click a rule number and choose Add Section Title. A section is the set of rules between two titles and it can be expanded or collapsed with a click.

Hiding Rules

Individual rules can be hidden (leaving a gray stripe instead) by right-clicking the rule number and choosing Hide. Once rules are hidden, you can store/restore the current list of hidden rules, unhide rules, and view hidden rules (without unhiding them!) using the menus—the Rules | Hide submenu.

Rule Queries

In order to locate rules that apply to a particular host or service, for example, use a Rule Query. These will hide all rules that don’t match your query. To define queries, use the Search menu: Search | Query Rules.

Searching Rules

You can perform a simple text search through the Security Policy using the Search menu: Search | Find in Rulebase. This is useful as a quick way to locate an object in a rule, or, if you use the Comments field in a structured way, to locate some keyword or perhaps a change control reference.

Working with Objects

We’ll take a look at a few useful tools we can use when we are working with Network Objects.

Object References

You can track all references to an object—right-click on any object and choose Where Used? This is very useful when you forgot why exactly you created that object all those months ago.

Who Broke That Object?

Curious about the last person to edit an object? Right-click the object and choose Last Modified. You’ll see when it was changed, by whom, and from where.

Object Queries

Under the Search menu, the Query Network Objects tool allows simple searching and filtering of Network Objects. You can also define a Network Object group based on your query.

Working with Policies

The policy you see in SmartDashboard is not automatically applied to the gateway—you have to install the policy (push it down to the gateway) first! If you are managing multiple gateways, this becomes more of an issue—are you sure you’ve installed the latest policy to all the gateways? Do you have different policies on each gateway? Which rules in your policy are relevant to a gateway?

What Would Be Installed?

If you are working with multiple gateways but a single policy, it is not always easy to see which rules would be applied to a particular gateway. You can use the Policy menu, Policy | View Policy Of tool in order to view selected gateway(s) rules. To return to the normal view, use the same tool and click Clear.

What’s Really Installed?

You can check what Security policy is actually running on a gateway—rather than the one that you see in SmartDashboard, or the one that you think should be running. From the menus, choose File | Installed Policies.

No Security Please

It is possible to request that the Security Policy be unloaded from remote gateways: from the menu, choose Policy | Uninstall. This is a bad idea, as it leaves your firewall gateway with no protection (although it will no longer forward traffic, so connections cannot be made through the firewall). Ironically, the only time you would want to remove a policy from a gateway is when you’ve accidentally pushed a policy that blocks the connections from the SmartCenter to the gateway—in which case, the SmartDashboard will not be able to request the policy unload anyway! For those times, you will need to run the command fw unloadlocal from the command line of the gateway itself—but disconnect untrusted network interfaces first to avoid leaving the gateway open to attack.

For the Anoraks

You can view the underlying script that is generated by your security policy, should that sort of thing interest you. In the menus, select Policy | View. The script displayed corresponds to the <policyname>.pf file on the SmartCenter. This tool is rarely required.

Change Management

It is possible to take a snapshot of the whole configuration database: rulebases, users, and objects. To do so, use the Database Revision Control feature from the File menu. To take a snapshot, Create a new version. It is possible to review that snapshot at a later date and, if you need to, restore it. You can even choose to create a new version on every policy install—if you do this, make sure you manage the number of database versions you have created: each snapshot increases the size of the SmartCenter configuration directories, and you risk the stability of the SmartCenter if you have hundreds of versions. Note that each version is tied to the SmartCenter software revision, so if you upgrade your SmartCenter there is little point in maintaining the previous database revisions. Do not mistake Revision Control for a full system backup: if you badly corrupt your live database version, you may not be able to connect to SmartDashboard in order to restore an older database.

Managing Connectra and Interspect Gateways

Check Point SmartDashboard NGX allows the definition of Check Point objects for Connectra and Interspect gateways. Check Point Connectra is a SSL VPN gateway product; Check Point Interspect is an internal network security gateway. However, configuration management of these devices from SmartDashboard is limited to launching a dedicated management client for the device: Interspect SmartDashboard or a Web browser session to the management port of a Connectra gateway.

Configuring Interspect or Connectra Integration

Right-click on Network Objects in the Objects Tree and choose New | Check Point | Connectra Gateway or Interspect Gateway.

Define the object’s name and IP, then use the Communication button to initialize SIC keys. Configured objects are shown in Figures 3.22 and 3.23.

Check Point Connectra Object

Figure 3.22. Check Point Connectra Object

Check Point Interspect Object

Figure 3.23. Check Point Interspect Object

Once the object has been defined, you need to update the SmartCenter running configuration in order to allow connections from the device. To do this, use the SmartDashboard menu option Policy | Install Database. Then on the new object, you can right-click and choose Manage Device in order to launch the management client for the device.

In the Connectra or Interspect management interface, configure Central Management/Logging as per the device documentation. You will need to specify the SmartCenter name/IP and the object name that you have given to the new object.

After these changes have been made, the device logs should begin to appear in SmartView Tracker.

SmartDefense Updates

SmartDashboard also provides centralized SmartDefense Updates for Connectra and Interspect. If you have purchased a SmartDefense subscription for the device, you can update its SmartDefense features directly from the SmartDashboard rather than the management interface of the device: right-click on the object and choose SmartDefense Service Update. The latest SmartDefense database can then be downloaded to the SmartCenter and pushed out to internal Connectra and Interspect gateways, as shown in Figure 3.24.

Updating Connectra SmartDefense from SmartDashboard

Figure 3.24. Updating Connectra SmartDefense from SmartDashboard

SmartUpdate Enhancements

In NGX R65, the License Repository window of SmartUpdate displays both contracts and regular licenses. Selecting a particular contract shows the contract’s properties, including the contract ID and expiration date, and lists the gateways covered by that contract.

The License management window can show whether an individual license is linked to a contract. SmartUpdate also checks whether the contract file on the gateway is more up to date than the contract file on the SmartCenter Server and, if so, adds a menu item that loads the newer contract information into the management server.

Connectra Central Management

NGX R65 is the first version of Check Point’s products to centrally control Connectra gateways. This offers many more methods to configure Connectra than in preceding versions.

Connectra Tab

SmartDashboard has an additional tab for the configuration of Connectra that provides the capability to access all related configuration details using the objects in this tab.

SmartDashboard and SmartDefense Update

With NGX R65, the Connectra tab in SmartDashboard also links to SmartDefense and Web Intelligence updates. SmartDefense and Web Intelligence settings for Connectra are configured as part of SmartDefense profiles; a profile specific to Connectra is provided for configuring the Connectra-related SmartDefense and Web Intelligence features.

Provider-1 Support

With NGX R65, Provider-1/SiteManager-1 supports Connectra objects (Connectra gateway, Connectra cluster, and Connectra cluster members). Provider-1 collects Connectra objects, their statuses, licenses, and packages from the CMAs to the MDS, and then presents these collected objects in the MDG.

SmartView Monitor

As of NGX R65, SmartView Monitor can monitor Connectra gateways and also produce reports on their status and recorded activity.

SmartPortal

The complexity and power of the Check Point management clients has a downside: the client software is a substantial suite of applications, not exactly lightweight. There are a number of situations when this is not ideal:

  • There is often a requirement for operators to be able to view the logs or summary of status of the gateways, without any need for the full functionality of the SmartConsole suite.

  • In a managed service environment, customers may want to view the logging from their sites’ gateways, but not wish to install any software.

  • Remote administrators may need to check on the status of the gateway, but are unable to install the software on the system they are using.

SmartPortal provides a browser-based alternative to the SmartConsole clients—ideal for these scenarios.

SmartPortal Functionality

The SmartPortal interface provides:

  • Status information: Similar information to the Gateway Status view of SmartView Monitor

  • Log viewer: Access to the traffic and audit logs, similar to SmartView Tracker

  • Policy and objects summary: A view of the Security Policy rulebase and object details

Installing SmartPortal

The SmartPortal server is available as an option when you first install NGX on the supported platforms: Windows, Solaris, Red Hat EL 3.0, and SecurePlatform.

Note that SmartPortal requires a license, although that license is included in most VPN-1 Pro and some extended VPN-1 Express licenses. To check yours, run cplic check swp on your SmartCenter.

If you didn’t choose SmartPortal at install time, you can just run the wrapper again on Windows or Solaris—it should detect that NGX is already installed and give you the option to install additional products. Do this and choose SmartPortal. On SecurePlatform, you will need to install SmartPortal manually: enter Expert mode from a console session and run the command:

  • rpm -i /sysimg/CPwrapper/linux/CPportal/CPportal-R65-00.i386.rpm

Usually you would install SmartPortal on the SmartCenter; however, it is possible to install it on other Check Point hosts or its own dedicated server. The SmartPortal server then makes an onward connection to the SmartCenter. A dedicated server would be advisable if there are likely to be many concurrent SmartPortal users.

Once the product is installed, ensure that the relevant object has SmartPortal checked in the Check Point Products list. Having done so, perform a database install to the SmartCenter (Policy | Install Database).

To access the portal, point your browser to https://smartcenter-host:4433.

Tip

SmartPortal officially supports a range of browsers: Internet Explorer, Mozilla Suite, Firefox, and Netscape. The latest versions of these browsers are recommended. However, with the NGX initial release code, Firefox 1.0.4 failed to connect, throwing a script error (Firefox 1.0.3 works just fine!). A change to the SmartPortal code to support Firefox 1.0.4 is expected in the first NGX hotfix release.

Tour of SmartPortal

At the welcome page (see Figure 3.25), supply your administrator credentials (this should be an account created in SmartDashboard) and the name (or IP) of the SmartCenter server.

Welcome to SmartPortal

Figure 3.25. Welcome to SmartPortal

After a few seconds you should be connected to the SmartPortal front page, as shown in Figure 3.26. If the SmartPortal connection fails, check that you have correctly followed the installation steps and are using the correct SmartDashboard administrator credentials. Check that the SmartCenter Server name you supplied resolves successfully on the server running SmartPortal.

Logged In: SmartPortal Front Page

Figure 3.26. Logged In: SmartPortal Front Page

A sidebar allows selection of the different features.

The Gateway Status page will show a summary of status for each gateway and the SmartCenter itself (see Figure 3.27). To see more detailed status information, click the name of the gateway.

SmartPortal Gateway Status Page

Figure 3.27. SmartPortal Gateway Status Page

The Logs page can show either the Traffic Log or the Audit Log. The view is similar to SmartView Tracker but with a restricted set of columns shown. The Traffic Log is shown in Figure 3.28. Note the toolbar allowing navigation of the log, automatic scrolling, searching, filtering, and access to older log files. If the administrator has write access to the logs, it is possible to switch and purge logs. Clicking the record number will open a new window showing that log entry.

SmartPortal Traffic Log Page

Figure 3.28. SmartPortal Traffic Log Page

Warning

SmartPortal is entirely read-only with regard to policy and objects; however, the log page does allow purging and switching of logs. In a scenario where you wish to give users access to view configuration and logging only, make sure that you have restricted the user accounts to Read Only. You may need to define a new Administrator Permissions Profile with SmartPortal only and Read Only access and associate that with the user account.

The Policy and Objects page provides a view of the Security rulebase. Figure 3.29 shows the SmartPortal view of the policy that was created in SmartDashboard.

SmartPortal Policy View

Figure 3.29. SmartPortal Policy View

If you have multiple policy packages, you can view the security rulebase from these packages, too.

There are a number of pages for viewing objects: Network Objects, Services, Users, and Time objects. The views are equivalent to the Objects List view in SmartDashboard. A simple Filter on object name can be used to narrow down the list.

Summary

SmartDashboard provides an extremely powerful interface for configuring your Check Point installation—from the traditional firewall gateways, through VPN gateways, to the new Connectra and Interspect devices. It effectively provides a single management interface for your entire Check Point security infrastructure.

The interface, though complex, can be broken down into separate panes. Each provides different functionality and views of your configuration, and you can choose which panes are visible. This allows you to tailor the interface to suit the areas you need to work with and your preferred methods of accessing the settings.

The rulebase pane can be tailored to show just the policies and products you manage, again allowing simplification of the interface by hiding the functionality that you don’t need to see. Conversely, when you have several different gateway products installed and therefore a number of different policies defined, these can be combined into a single policy package for the gateway.

The objects panes provide many different views onto your object database—with some experimentation you should be able to find a view ideal for your working style and requirements. Despite the ever-increasing range of object types available, these are broken down into different categories, and within each category, can be sorted and displayed so you see just the types that you are using.

The degree of fine-tuning allowed via the Global Properties windows increases in every software release, but the tree structure of the windows helps with navigation to the setting you need to adjust. The majority of the settings here can be left unchanged for most scenarios, so these pages can remain hidden away. We have outlined those that we do need to be aware of.

The NGX release introduces a range of new features to the interface that should be very helpful to administrators, making management and clear understanding of your configuration easier.

Your first security policy should be straightforward to define once you are familiar with the interface. Configuring a simple security rulebase and automatic NAT should have a typical Internet gateway up and running within minutes, or maybe an hour at the longest.

NGX begins to integrate management of Check Point Connectra and Interspect devices, continuing toward the goal of the SmartCenter being the single point of management for the whole network security infrastructure.

The new NGX SmartPortal Web interface provides a clientless management solution, enabling operator and managed customer access to view the status, logging, and configuration of a management server.

Solutions Fast Track

A Tour of the Dashboard

  • Get familiar with SmartDashboard in Demo mode.

  • Use the Objects Tree and Objects List to configure objects representing the network infrastructure.

  • Use the rulebase pane to manage SmartDefense, Web Intelligence, and VPN communities.

  • Define policy packages including security, NAT, QoS, and Desktop policies.

New in SmartDashboard NGX

  • Use rule names and UIDs to clearly identify which rule triggered a log entry.

  • Group object convention can assist in defining groups and managing group membership.

  • Drill down into defined groups by viewing the group hierarchy.

  • Easily create similar objects with cloning technology.

  • Requiring a Session Description might help with change tracking.

  • Tooltips make it easier to see details of objects used in rules.

Your First Security Policy

  • Define yourself an administrator account.

  • Verify and configure the Check Point objects we need.

  • Define objects we need to describe the network infrastructure.

  • Define a simple rulebase.

  • Configure NAT if needed.

  • Install and test your new policy.

Other Useful Controls on the Dashboard

  • Work better with rules using titles, hiding, searching, and query filters.

  • Work better with objects by tracking references, making changes, and using queries.

  • Work better with complex policies on multiple gateways.

  • Full database change management using Revision Control.

Managing Connectra and Interspect Gateways

  • Setting up connections to the devices to receive logging.

  • Central SmartDefense management.

SmartPortal

  • Installing or enabling SmartPortal.

  • Status page shows state of Check Point hosts.

  • Log page shows traffic and audit logs.

  • Policy page shows Security policies.

  • Objects pages show object lists.

Frequently Asked Questions

Q: What software do I need to install in order to use the SmartDashboard in Demo Mode?

A: You only need the SmartDashboard software. The CD installer on Windows will present Demo as an install option. No SmartCenter is needed because the Demo database files are stored locally in the SmartConsole PROGRAM\cpml_dir directory.

Q: When I try to log into the SmartCenter, I get told that someone else is already logged in. I need to log in to make changes—Read Only access is no good for me. It gives me the option to disconnect them—should I do this?

A: Only one administrator can log into SmartDashboard in Read/Write mode at once. It is much better to get hold of the other administrator and ask him or her to cleanly log out of SmartDashboard, to avoid the problems that could occur if they are in the middle of making changes to the SmartCenter configuration. However, if their SmartDashboard or whole PC has crashed, or they can’t be reached, you will need to force a disconnect.

Q: If I log into SmartDashboard in Read Only mode, do I see any changes made by a SmartDashboard user in Read/Write mode?

A: Your SmartDashboard will be notified when another user has saved changes; when this happens the toolbar Refresh icon (the circular arrow at the left-hand end of the toolbar) is enabled. Click the icon to load the updated database. Note that this may take some time, so be patient!

Q: Why don’t I see the VPN Manager tab?

A: You are using a Traditional Mode VPN policy—VPN Manager configures Communities, and these are used only with Simplified Mode VPN policies. A traditional policy does not include a VPN column; instead, Encrypt is available as an Action. To convert the policy to a Simplified Mode policy you can use the Policy | Convert To menu option. Be aware that conversion cannot always preserve the exact functionality of the policy, so be prepared to review and troubleshoot the new policy. When creating new policies, the choice of Traditional or Simplified policy is implied by the setting on the Global Properties—VPN page.

Q: I don’t see a QoS rulebase tab; how can I add a QoS policy for my QoS (Floodgate-1) gateway?

A: Use the menu option File | Add Policy to Package and choose QoS.

Q: When I try to install a policy, it fails because one rule conflicts with another. What does that mean?

A: The rulebase works on a first-match basis—this means that the gateway compares connections to the rules from the top down until it finds a match and follows that rule’s action. When you request a policy install, the SmartCenter verifies that the rulebase does not include rules that would never be matched—that is, rules with another rule somewhere above them that will always catch the connection first. If this is the case, the error about conflicting rules is shown.
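To make the first-match shadowing check concrete, here is an added example (not Check Point’s verifier, and not code from the book) that walks a small constructed rulebase top-down and reports any rule whose source, destination and services are completely covered by a single rule above it; the rule names, networks and service labels are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY_NET = ip_network("0.0.0.0/0")  # stands in for the "Any" object


@dataclass
class Rule:
    name: str
    src: list       # list of IPv4Network objects
    dst: list       # list of IPv4Network objects
    services: set   # service names; {"any"} matches every service
    action: str


def _nets_cover(outer, inner):
    """True if every network in `inner` lies inside some network in `outer`."""
    return all(any(n.subnet_of(o) for o in outer) for n in inner)


def _services_cover(outer, inner):
    """True if every service in `inner` is also matched by `outer`."""
    return "any" in outer or inner <= outer


def find_shadowed(rules):
    """Return (shadowed_rule, shadowing_rule) name pairs.

    A rule is shadowed when an earlier rule matches every connection the
    later rule could match: with first-match evaluation it is never reached.
    Simplification (assumption of this example): only shadowing by a single
    earlier rule is detected, not by the union of several earlier rules.
    """
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_nets_cover(earlier.src, later.src)
                    and _nets_cover(earlier.dst, later.dst)
                    and _services_cover(earlier.services, later.services)):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample rulebase; "Branch web" is fully covered by "Web out".
SAMPLE_RULES = [
    Rule("Admin SSH", [ip_network("10.0.1.0/24")], [ANY_NET], {"ssh"}, "accept"),
    Rule("Stealth", [ANY_NET], [ip_network("192.0.2.1/32")], {"any"}, "drop"),
    Rule("Web out", [ip_network("10.0.0.0/16")], [ANY_NET], {"http", "https"}, "accept"),
    Rule("Branch web", [ip_network("10.0.5.0/24")], [ANY_NET], {"http"}, "accept"),
    Rule("Cleanup", [ANY_NET], [ANY_NET], {"any"}, "drop"),
]

if __name__ == "__main__":
    for shadowed, by in find_shadowed(SAMPLE_RULES):
        print(f"rule '{shadowed}' is never matched: '{by}' above it always catches the connection")
```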

Q: Do I need to create network objects to represent every network and server protected by the firewall?

A: No, you only need objects for those hosts and networks you need to reference specifically in your configuration. This will include rules in your policies, objects used for NAT, and networks used in your gateway anti-spoofing settings. If you want to minimize the objects you require, you can create network objects that represent a large network range, rather than an object for each individual subnet. If you wish to represent a range of addresses that is not an exact subnet, use an Address Range object. Use large network objects and address ranges in rules (Security & NAT) where possible to make the rulebase clearer and more efficient.

Q: Is it possible to change a gateway’s SmartDefense settings without installing the Security policy?

A: No, the SmartDefense and Web Intelligence settings are pushed to the gateway as part of the Security policy, so a policy install is required after a SmartDefense change or update.

Q: Tech Support has asked me to edit some settings using dbedit or Database Tool. What is this and why do I need to use it?

A: SmartDashboard allows you to manage the majority of possible settings in the configuration database; however, there are a number of settings that are not available in the main interface. Some are tucked away within Global Properties | SmartDashboard Customization | Advanced Configuration | Configure. However, some other settings are not available there either. Some are hidden because they are very rarely used, to keep the SmartDashboard interface tidier. Some are hidden and undocumented as they are not intended to be changed—perhaps they will be utilized in a future software release. The utility dbedit allows unrestricted access to the whole configuration database, in raw format—something like the Windows registry editor. Be warned that, like editing the Windows registry, trouble may follow if changes are made without a full understanding of what effect they may have—one wrong click can really ruin your day. The utility is available in two forms: a command-line version on the SmartCenter (dbedit), or a GUI included with SmartConsole: go to Program Files\CheckPoint\SmartConsole\R65\PROGRAM and run GuiDBEdit.exe.

Q: Is it not possible to manage the configuration of Connectra and Interspect devices directly from SmartDashboard? And what about Integrity server?

A: At present the SmartDashboard interface does not include the functionality to configure the settings in Interspect and Connectra—there is little overlap between the existing settings and those needed for these devices, so this would require significant extensions to the UI. The exception is the SmartDefense database: this can now be managed centrally in SmartDashboard. The same limitations apply to the Integrity server product. However, one of Check Point’s priorities is centralizing security configuration, so it seems likely that all these devices will become increasingly integrated into SmartDashboard over the life of NGX.

Q: When I log in to SmartPortal there is a Read Only checkbox—but I thought all access via SmartPortal was read-only anyway?

A: The Read Only option prohibits the Log Switch and Log Purge options on the Traffic Log page.
