
Check Point SmartCenter Guide

NG FP3

For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at

http://support.checkpoint.com/kb/

Part No.: 700526


September 2002
© 2000-2002 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Check Point, the Check Point logo, ClusterXL, ConnectControl, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FireWall-1 SmallOffice, FireWall-1 VSX, FireWall-1 XL, FloodGate-1, INSPECT, INSPECT XL, IQ Engine, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecurePlatform, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SVN, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Appliance, VPN-1 Certificate Manager, VPN-1 Gateway, VPN-1 Net, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 SmallOffice and VPN-1 VSX are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

The products described in this document are protected by U.S. Patent No. 5,606,668, 5,699,431 and 5,835,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.

THIRD PARTIES:
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan.
Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty.

Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.
Copyright 1997 by Carnegie Mellon University. All Rights Reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.
CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Copyright © 1998 The Open Group.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Check Point Software Technologies Ltd.


International Headquarters:
3A Jabotinsky Street
Ramat Gan 52520, Israel
Tel: 972-3-753 4555
Fax: 972-3-575 9256

U.S. Headquarters:
Three Lagoon Drive, Suite 400
Redwood City, CA 94065
Tel: 800-429-4391; (650) 628-2000
Fax: (650) 654-4233

September 2002

e-mail: info@CheckPoint.com
http://www.checkpoint.com

Please direct all comments regarding this publication to techwriters@checkpoint.com.


Table Of Contents

Preface

Who Should Use this User Guide 19


Summary of Contents 19
Check Point Documentation 20
What Typographic Changes Mean 22
Shell Prompts in Command Examples 24
Network Topology Examples 24

Chapter 1 Configuring VPN-1/FireWall-1
Configuring Check Point Products 25
Licenses 26
The Trial Period 27
Administrators 30
SMART Clients 36
PKCS#11 Token 37
Key Hit Session/Random Pool 38
Certificate Authority 39
Secure Internal Communication 40
Fingerprint 43
High Availability 45
Interfaces 45
VPN-1 Accelerator Driver 45
SNMP Extension (Unix only) 45
Automatic Start of Check Point Modules (Unix only) 46
Secure Internal Communications for Distributed Configurations 46
Communicating Components 46
Security Benefits 46
Administrative Benefits 46
SIC Certificates 46
Communications between the SmartCenter Server(s) and Modules 48
Communications Between the SmartCenter Server and the SMART Client 48
Enabling Communication between Modules 49
Resetting the Trust State of the Module 54
SIC Automatic Renewal 56
Log Viewing and Management 56
Frequently Asked Questions—Installing, Upgrading, Configuring 57

Chapter 2 SmartUpdate
Introduction to SmartUpdate 63
Purpose 63

Table of Contents 3
Why use SmartUpdate 63
Installing SmartUpdate 64
Supported Products and Platforms 64
How to Upgrade Remote Check Point Nodes 64
1. Prerequisites for Remote Upgrade 64
2. Upgrading or Installing the SmartCenter Server 65
3. Configuring the SmartCenter Server 65
4. Adding Products to the Product Repository 65
5. Using SmartUpdate to Upgrade Check Point Nodes 67
Starting the SmartUpdate GUI 68
Elements of the SmartUpdate GUI 69
Products and Licenses tabs 70
Product and License Repositories 71
License Type Icons 72
Operation Status 73
Docking Windows 75
Searching for Text 75
Printing Views 76
SmartUpdate Menus and Toolbar 76
Product Management 84
Introduction to Product Management 84
Managing the Product Repository 85
Installing Products—Overview 87
Upgrading All Products 88
Installing a Single Product 89
Uninstalling a Product 92
Verifying an Installation 94
Booting a Check Point Node 95
Getting Check Point Node Data 96
Stopping an Operation and Clearing Completed Operations 96
License Management 97
Introduction to License Management 98
License Types: Central, Local 98
The Trial Period 99
Version 4.1 License Support 99
Obtaining Licenses 100
License Structure and Elements 100
Installing a License for the SmartCenter Server 101
Before Using SmartUpdate License Management 101
Adding a License to the License Repository 101
Attaching a License to a Check Point Node 105
Attaching an Evaluation License to all Check Point Nodes 108
Detaching a License from a Check Point Node 109
Getting Locally Installed Licenses From a Check Point Node 111
Deleting a License from the License Repository 112
Viewing License Properties 113
Viewing Installed Products 115
Checking for Expired Licenses 115
Exporting a License to a File 117

Automatically Upgrading Version 4.1 Licenses 117
Licensing Glossary 119
SmartUpdate Architecture 121
SmartUpdate FAQ 122
General SmartUpdate FAQ 122
Remote Installation FAQ 123
Licensing FAQ 125

Chapter 3 Graphical User Interface


Managing VPN-1/FireWall-1 127
The Check Point SmartDashboard 128
Starting the SmartDashboard 128
Object Tree 132
Object List 134
Working with the Objects Tree and the Objects List 135
The SmartMap 136
Problems in Connecting to the SmartCenter Server 136
Tracking Revision Control 137
Displaying SmartDashboard Windows 143
Menus 144
File Menu 144
Edit Menu 145
View Menu 146
Selections Available from the Manage Menu 147
Rules Menu with Toolbar Buttons 148
Policy Menu 149
SmartMap menu 149
Search Menu 150
Window Menu 150
Help Menu 151
VPN-1/FireWall-1 Toolbars 151
Toolbar Buttons and Menu Commands 152
Help Toolbar 152
Objects Toolbar 152
Panes Toolbar 153
Policy Toolbar 153
Rules Toolbar 154
Search Toolbar 154
SmartDefense 154
Standard Toolbar 155
Communities Toolbar 155
Log Consolidator Toolbar Commands for Toolbars and menus 155
Topology Map Toolbar 155
SmartDefense Toolbar 155
VPN-1/FireWall-1 Status Bar 155

Chapter 4 Managing Users and Administrators


Overview 157

VPN-1/FireWall-1 Proprietary Users 158
Defining Users and Groups 158
User Properties 162
User Groups 166
User Database 167
Database Installation 167
Generic User Profiles 168
Generic User Overview 168
Example: Defining a Generic User Profile 169
Using Generic User Profiles 169
Generic User Notes 170
Generic User Profile Properties window 170
External Users and Groups 171
Groups of RADIUS Users 171
Associating a Radius Server with a FireWall-1 Enforcement Module 171
Groups of Windows NT users 172

Chapter 5 Network Objects


Overview 173
Adding, Editing and Deleting a Network Object 174
Editing a Network Object from the Network Object Manager 175
Editing a Network Object from the Rule Base 178
Network Objects 180
Network Object Types 181
Network Object Windows 182
Check Point window — General Page 182
Check Point window — Topology Page 186
Interface Properties window — General Tab 188
Interface Properties window — Topology Tab 189
Interface Properties window — QoS (Quality of Service) Tab 192
Check Point window — NAT page 192
Check Point window — UserAuthority page 194
Check Point window — VPN page 195
Check Point window — Extranet page 195
Check Point Properties Window — Authentication page 195
Check Point window — Account Unit page 195
Check Point window — Logs and Masters page 196
Check Point window — Additional Logging Configuration page 197
Check Point window — Masters page 197
Check Point window — Log Servers page 198
Check Point window — Advanced page 199
Check Point window — Capacity Optimization page 199
Check Point window — SYNDefender page 199
Check Point window — SMTP page 200
Check Point window — SAM page 200
Check Point window — Connection Persistence page 201
SofaWare-SmartDashboard Integration 201
Networks 202

Network Properties Window — General Tab 202
Network Properties Window — NAT (Address Translation) Tab 203
Domains 203
Domain Properties Window 203
Open Security Devices 203
Overview 204
OSE Device Properties Window — General Tab 204
OSE Device Properties Window — Topology Tab 205
Defining Router Anti-Spoofing Properties 206
Embedded Devices 208
Overview 208
Embedded Devices window — General tab 208
Embedded Device Properties — Topology tab 209
Interface Properties Window — General Tab 209
Interface Properties Window — Topology Tab 210
Embedded Device Properties — SNMP Tab 210
Embedded Device Properties — NAT tab 211
Groups 211
Simple Group 211
Group with Exclusion 213
Viewing Groups with an Exclusion 214
Showing Group with an Exclusion Objects in the SmartMap View 214
UAS High Availability Group 215
Logical Servers 215
Address Ranges 216
Address Range Properties Window — General Tab 216
Address Range Properties Window — NAT Tab 216
Gateway Clusters 216
Dynamic Objects 216

Chapter 6 Services and Resources


Services 220
Defining Services 220
Resources 221
TCP Service Properties 221
Compound TCP Service Properties 223
FTP Service (ftp-pasv and ftp-port) 224
TCP Service Properties — ftp-pasv 224
TCP Service Properties — ftp-port 224
UDP Service Properties 224
RPC Service Properties 226
ICMP Service Properties 228
User Defined (or “Other”) Service Properties 228
User-Defined Service Properties Example 230
DCE-RPC Service Properties 230
Service Group Properties 231
Adding a Service to a Group 231
Deleting a Service from a Group 232

Resources 232
Overview 232
Wild Cards 233
URI Resources 233
URI Definition window — General tab 234
URI Definition window — Match tab (wild cards specification) 235
URI Definition window — Match tab (file specification) 239
URI Definition window — Match tab (UFP) 240
URI Definition window — Action tab 241
URI Definition window — CVP tab 243
URI Definition window — SOAP tab 243
URI for QoS Definition window 244
SMTP Resources 245
SMTP Security Server 245
FTP Resources 250
FTP Definition window — General tab 250
FTP Definition window — Match tab 251
FTP Definition window — CVP tab 251
TCP Resources 252
TCP Resource Properties 252
CIFS Resources 255
CIFS Overview 255
Support of the CIFS protocol 255
Configuring CIFS Stateful Inspection 255
Specifying the allowed disk/print shares 256
Logging 256
Known limitations 256
List Of Supported Services 257
List of Supported TCP Services 257
List of Supported UDP Services 265
List of Supported RPC Services 269
List of Supported ICMP Services 271
List of Supported Other IP Protocol Services 272
Notes for Services 272

Chapter 7 Global Properties


FireWall-1 Implied Rules 276
Track 278
Security Server 278
VoIP (Voice over IP) 279
NAT (Network Address Translation) 279
Automatic NAT rules 279
IP Pool NAT 280
Private Address Ranges 280
Authentication 280
Failed Authentication Attempts 280
Authentication of Users with certificates 281
Earlier Versions Compatibility 281

VPN-1 Pro 282
VPN-1 Early Versions Compatibility 282
VPN-1 Advanced 282
VPN-1 Net 282
Remote Access — VPN SecuRemote/SecureClient 282
Remote Access — VPN 282
Remote Access — Secure Configuration Verification 282
Remote Access — Early Versions Compatibility 282
FloodGate-1 Properties 282
Bandwidth Control 282
SmartMap 283
Management High Availability 283
LDAP (Account Management) 283
Connect Control 285
Servers Availability 285
Servers Persistency 285
Server Load Balancing 285
Open Security Extension (OSE) Access List 286
Stateful Inspection 287
Log and Alert 289
Track Options 289
Logging Modifiers 290
Time Settings 290
Alert Commands 291
On Which Machine Are the Alert Scripts Executed? 292
Extranet Management Interface 292
SmartDashboard Customization 293

Chapter 8 Security Policy Rule Base


What is a Policy Package? 295
Rule Base — Basic Concepts 295
Editing a Policy Package 297
Opening a Policy Package 297
Creating a New Policy Package 297
Deleting a Policy Package 299
Saving a Policy Package 299
Adding a Rule 300
Rule menu 301
Modifying a Rule 301
Masking Rules 318
Hiding Rules 318
Viewing Hidden Rules 319
Unhiding Hidden Rules 319
Managing Hidden Rules 320
Querying the Rule Base 321
Example 321
Refining the Query 324
Rule Base Queries window 327

Rule Base Query window 328
Rule Base Query Clause window 329
Disabling Rules 330
Searching the Rule Base 330
Installing and Uninstalling Policies 331
Installing Security Policies 331
Installing Access Lists 331
Installing Other Policies 332
Installing the Security Policy 333
Uninstalling the Security Policy 338
Connection Persistence during a new Policy installation 339
Installing a VPN-1\FireWall-1 From a Previous Database Version 340
Notes on Installing and Uninstalling Policies 340
Viewing the Inspection Script 341
Inspection Code Loading 341
Installing Access Lists 342
Importing Access Lists 342
Managing Imported Access Lists in the Rule Base 343
Verifying and Viewing Access Lists 344
Installing Access Lists 345
Boot Security 345
Auxiliary Connections 345
When a Security Policy is Installed 346

Chapter 9 Time and Scheduled Event Objects


Overview 347
Time Objects 349
Time Object Properties Window — General Tab 349
Time Object Properties Window — Days Tab 350
Scheduled Events 351
Scheduled Event Properties Window — General Page 352
Scheduled Event Properties Window — Days Page 353
Groups 353

Chapter 10 Server Objects and OPSEC Applications


Server Objects 357
Defining Server Objects 359
RADIUS Servers 360
RADIUS Server Properties Window — General Tab 360
RADIUS Server Groups 361
Creating a RADIUS Server Group 361
Adding a Server to a RADIUS Server Group 361
Deleting a Server from a RADIUS Server Group 362
TACACS Servers 362
TACACS Server Properties Window — General Tab 362
AXENT Pathways Defender Servers 363
Defender Server Properties Windows — General Tab 363
ACE (SecurID) Servers 363

Configuring ACE (SecurID) Servers 363
ACE and DES 364
ACE and the Rule Base 364
LDAP (Lightweight Directory Access Protocol) Account Units 364
LDAP Account Unit Properties Window — General Tab 365
LDAP Account Unit Properties Window — Users Tab 366
LDAP Account Unit Properties Window — Encryption Tab 367
Certificate Authority 368
Certificate Authority Properties Window — General Tab 368
Certificate Authority Properties Window — VPN-1 CM Tab 369
Certificate Authority Properties Window — Advanced Tab 370
SecuRemote DNS 370
SecuRemote DNS General Tab 370
OPSEC Servers and Clients 371
Defining OPSEC Applications 373
OPSEC Application Properties Window — General Tab 373
Managing OPSEC Products From the SmartDashboard 377
Communication Window 381
Definition Window — CVP Options Tab 382
OPSEC Definition Window — UFP Options Tab 383
OPSEC Definition Window — AMON Options Tab 384
OPSEC Definition Window — CPMI Permissions 384
OPSEC UFP and CVP Groups 384
OPSEC SIC Configuration 386

Chapter 11 SmartView Tracker


Overview 388
Tracking Network Traffic 388
Controlling the Display of the SmartView Tracker Content 388
Starting the SmartView Tracker 389
Viewing the Log Files in Different Modes 392
Log Mode 392
Active Mode 398
Audit Mode 398
SmartView Tracker Main Screen 399
Query Tree Pane 399
Query Properties Pane 402
Records Pane 403
Finding a Specific Record 406
Filtering 406
Filter fields 407
Resolving Addresses 415
Resolving Services 416
Showing Null Matches 416
Updating the Log File 416
Find 416
Saving a Query Under a New Name 417

Navigating Through the Log File 418
Log File Management 418
Opening a Different Log File 418
Saving the Currently Displayed Log Entries 418
Starting A New Log File 419
Deleting the Contents of the Active Log File 420
Blocking Connections 420
Viewing a Previous Database Version 421
Fetching Log Files From a Remote Machine 421
Displaying Specified Log Files of a Specific Node 424
Redirecting Logging to Another Master 424
Installing the User Database on a CLM 425
Exporting Log Data to Another Application 425
Menus 426
Log File Menu 426
View Menu 427
Query Menu 427
Tools Menu 428
Window Menu 428
Help Menu 429
SmartView Tracker Toolbar 429
SmartView Tracker Toolbar Buttons and Their Corresponding Menu Commands 430
Query Properties Toolbar 430
Toolbar Buttons For the Query Properties Toolbar 431

Chapter 12 SmartView Status


Monitoring and Managing System Status 433
Starting Check Point SmartView Status 434
System Status 436
Using the Modules Pane 437
Understanding Module Statuses 438
Using the Product Details Window 440
Using the Details Pane 444
Details Window — Network Objects 445
Details Window — Clusters 445
Details Window — SVN Foundation 445
Details Window — FireWall-1 446
Details Window — VPN-1 447
Details Window — FloodGate-1 451
Details Window — Cluster XL 452
Details Window — OPSEC 453
Details Window — Management 454
Details Window — UserAuthority WebAccess 454
Details Window — Policy Server 455
Details Window — Log Server 455
Refreshing the User Database 456
Active Update 456
The Critical Notifications Pane 456

Using the Critical Notifications Pane 456
Multi-View Select Synchronization 456
System Alert 457
The Modules Pane 458
The Network Object System Alert Definition Pane 458
Understanding System Alert Options 459
System Alert Monitoring Mechanism 461
Find 461
Alerts 461
Disconnecting a Client 462
Reconnecting to the Server 463
Menus 464
File Menu 464
View Menu 464
Modules Menu 465
Products Menu 465
System Alert Menu 467
Tools Menu 467
Window Menu 467
Help Menu 469
Check Point SmartView Status Toolbar 469

Chapter 13 User Monitor


Viewing SecuRemote Users 471
Starting the User Monitor 471
Using Queries 474
Defining a Query 474
Running a Query 475
Editing a Query 476
Saving a Query 476
Renaming a Query 476
Deleting a Query 476
Exporting a Query 476
Processing Query Results 477
Finding a Specific Record 477
Sorting Results 477
Viewing Policy Servers 477

Chapter 14 Dynamically Assigned IP Addresses


Overview 479
Installation and Configuration 479
DAIP Module IP Address 480
Defining a Module with a Dynamic IP Address 480
Installing a Policy 482
Configuration and Other Issues 482
Configuring a VPN 482
Control Connections Between the DAIP Module and the SmartCenter Server 483
DHCP Connections Between the DAIP Module and the DHCP Server 484

NAT (Network Address Translation) 485
When the DAIP Module’s IP address changes ... 485
When the SmartCenter Server’s IP address changes ... 485
When the DAIP Module’s name changes ... 485

Chapter 15 Virtual Links


Overview 487
Creating a Virtual Link 487
Editing or Deleting a Virtual Link 488
Virtual Link Windows 488
Virtual Link Properties Window — General Tab 488
Virtual Link Properties Window — SLA Parameters Tab 489
Global Properties Window — Log and Alert Page 490

Chapter 16 SmartMap
Introduction to the SmartMap 491
Network Objects 492
Enabling and Disabling SmartMap 492
Docking and Undocking the SmartMap Window 492
Using the SmartMap View 493
Displaying the Network Object and Interface Information 493
Working with Network Objects 493
SmartMap View Options 494
Modes 494
Zooming and Scrolling 495
Navigator Window 497
Arrange Styles 498
Toggle the SmartMap View 499
Customization Options 499
Print out the SmartMap View 503
Exporting the Topology Map 504
Saving the SmartMap View 507
Editing Network Objects 507
Editing Object/Interface Properties 507
Adding New Objects 508
Removing Network Objects 508
Defining a New Group 509
Editing the Network Topology 509
Containing and Contained Networks 509
New Topology Object Types 511
Topology Collapsing 518
How to Collapse Locales 518
How to Collapse Other Topology Structures 519
Working with Topology Folders 519
Viewing External Objects 521
Editing External Objects 521
Viewing Gateway Clusters 522
Integration of the SmartMap View and the SmartDashboard 522

Paste Network Object(s) in the Rule Base 522
Dragging & Dropping 522
Show Objects 523
Showing Objects with Network Address Translation (NAT) 524
Understanding Rules Shown in the SmartMap View 524
Showing a Rule in the SmartMap View, by selecting Show from the Rule Base menu 525
Showing a Rule by dragging it from the Rule Base to the SmartMap View 526
Calculations 528
Understanding Topology Calculation 528
Calculating Topology Information 529
The SmartMap Helper 532
Solving Duplicated Networks 533
Solving Unresolved Object Interfaces 533
Menu Commands and Toolbar 534
Cursor Modes 536

Chapter 17 Management High Availability
Overview 537
Primary vs. Secondary 537
Active vs. Standby 538
Restrictions 538
Using Management High Availability 539
Configuration and Usage 539
Synchronization 540
Properties 543
Upgrading to a New Version 545
SmartView Tracker 545

Chapter 18 Command Line Interface


Overview 547
Setup 549
cpconfig 550
cpstart 553
cpstop 553
fwstart 554
fwstop -default and fwstop -proc 554
Control 556
fwm load 556
fwm unload 558
fwm load 559
fwm fetch 560
fwm putkey 561
fwm dbload 562
rs_db_tool 563
Monitor 564
Check Point WatchDog (cpwd) 565

cpstat 567
fwm lichosts 569
fwm ver 569
fwm sam 570
Utilities 575
fwm ctl 576
fwm gen 579
fwm kill 580
fwell 581
fwm tab 584
dynamic_objects 585
dbedit 587
queryDB_util 591
Log File Management 593
fwm log 593
fwm logswitch 596
fwm logexport 598
fwm repairlog 599
fwm mergefiles 600
fwm lslogs 601
fwm fetchlogs 603
fw lea_notify 604
log_export 604
ClusterXL: High Availability and Load Sharing 609
cphastart 609
cphastop 609
cphaprob 609
fwm hastat 614
User Database Management 615
fwm ikecrypt 615
fwm dbimport 616
fwm dbexport 618
ldapmodify 620
ldapsearch 621
License Management 624
Local Licensing Commands 624
cplic put... 624
cplic del 627
cplic print 628
cplic check 629
Remote Licensing Commands 631
cplic put <object name> ... 631
cplic del <object name> ... 633
cplic get 634
cplic upgrade 635
License Repository Commands 639
cplic db_add 639
cplic db_rm 640
cplic db_print 641

Product Management 643
Product Repository Management 643
cppkg Overview 643
cppkg add 643
cppkg del 645
cppkg print (search) 648
cppkg setroot 649
cppkg getroot 650
Remote installation 651
cprinstall Overview 651
cprinstall upgrade 651
cprinstall verify_upgrade 652
cprinstall install 653
cprinstall uninstall 654
cprinstall get 656
cprinstall verify 657
cprinstall boot 658
cprinstall stop 659
cprinstall (cpstart/cpstop) 660
VPN-1 Accelerator Card 661
vpn accel 661
lunadiag 661
VPN Commands 662
vpn ver 662
vpn debug 662
vpn drv 663
vpn intelrng 663
Daemons 664
Check Point Remote Installation Daemon (cprid) 664
CPsyslogD 664
FloodGate-1 666
SmartView Monitor 666
rtmstart 666
rtmstop 666
rtm d 667
rtm debug 667
rtm drv 667
rtm ver 668
rtm stat 668
rtm monitor — Interface Monitoring 668
rtm monitor — Virtual Link Monitoring 671
Options Reporting Tool Commands 671
Starting the Reporting Tool 671
Scheduling and Distributing Reports and Replacing the Management 672
Generating Reports 678
Reporting Server Commands 679
Upgrading FWR, RPF and DEF Files 679
Log Consolidation Engine Commands 680
log_consolidator 680

OPSEC 686
upgrade_fwopsec 686

Glossary 689

Index 713

Preface

Who Should Use this User Guide


This User Guide is written for system administrators who are responsible for
maintaining network security. It assumes you have a basic understanding and a working
knowledge of:
• system administration
• the Unix or Windows operating system
• the Windows GUI
• Internet protocols (IP, TCP, UDP etc.)

Summary of Contents
Chapter 1, “Configuring VPN-1/FireWall-1” describes how to configure Check Point
VPN-1/FireWall-1.
Chapter 2, “SmartUpdate” describes how to use Check Point SmartUpdate.
Chapter 3, “Graphical User Interface,” describes how to use the Check Point Graphical
User Interface (GUI).
Chapter 4, “Managing Users and Administrators,” describes how to define and manage
users, including users defined on an LDAP Server.
Chapter 5, “Network Objects,” describes how to define network objects (gateways,
hosts, routers, switches, and others).
Chapter 6, “Services and Resources,” describes how to define network services.
Chapter 7, “Global Properties,” describes how to define VPN-1/FireWall-1 properties.
Chapter 8, “Security Policy Rule Base,” describes how to define and enforce a Security
Policy’s rules.

Chapter 9, “Time and Scheduled Event Objects,” describes how to define the time
objects used in rules.
Chapter 10, “Server Objects and OPSEC Applications,” describes how to define Server
objects.
Chapter 11, “SmartView Tracker,” describes the SmartView Tracker.
Chapter 12, “SmartView Status,” describes the SmartView Status.
Chapter 13, “User Monitor,” describes the management of SecuRemote users.
Chapter 14, “Dynamically Assigned IP Addresses,” describes how to define and
configure Modules whose IP addresses are not fixed, but dynamically assigned.
Chapter 15, “Virtual Links,” describes how to define and monitor virtual links.
Chapter 16, “SmartMap” describes how to use SmartMap.
Chapter 17, “Management High Availability,” describes how to use Management High
Availability.
The Glossary defines terms sometimes encountered in discussions of IP networks.

Check Point Documentation


User Guides are available for each product in Portable Document Format (PDF) in the
Check Point Enterprise Suite. The Adobe Acrobat Reader is required to view PDF
files and is also available on the Check Point Enterprise Suite CD-ROM. Alternatively,
you can download the Acrobat Reader from the Adobe Web site
(http://www.adobe.com).
The following User Guides are available for Check Point Enterprise Suite products.
1) Check Point Getting Started Guide — This book is an introduction to Check Point
products.
2) Check Point SmartCenter Guide — This book describes the Check Point
Management GUI, which is used to manage VPN-1/FireWall-1 and other Check
Point products.
3) Check Point FireWall-1 Guide — This book describes Check Point
VPN-1/FireWall-1.
4) Check Point Virtual Private Networks Guide — This book describes the Check Point
VPN-1/FireWall-1 encryption features.
5) Check Point Desktop Security Guide — This book describes Check Point security as
implemented by SecuRemote and SecureClient.

20 Check Point SmartCenter Guide • September 17, 2002


6) Check Point FloodGate-1 Guide — This book describes Check Point FloodGate-1,
which enables administrators to manage the quality of service on their networks.
7) Check Point SmartView Monitor User Guide — This book describes the Check Point
Real Time Monitor, which enables administrators to monitor quality of service on
their network links, as well as Service Level Agreement compliance.
8) Check Point Provider-1/SiteManager-1 Guide — This book describes Check Point
Provider-1/SiteManager-1, which enables service providers and managers of large
networks to provide Check Point products-based services to large numbers of
subscribers.
9) Check Point SmartView Reporter Guide — This book describes the Check Point
Reporting Module, which enables administrators to manage databases of Check
Point log-based information.
10) Check Point UserAuthority User Guide — This book describes Check Point
UserAuthority, which enables third-party and Web applications to leverage Check
Point’s sophisticated authentication and authorization technologies.
11) Check Point User Management Guide — This book describes Check Point
LDAP-based user management.

Note - For additional technical information about Check Point products, consult Check
Point’s SecureKnowledge database at http://support.checkpoint.com/kb/

What Typographic Changes Mean
The following table describes the typographic changes used in this book.
TABLE P-1 Typographic Conventions

Typeface or Symbol   Meaning                                          Example
AaBbCc123            The names of commands, files, and directories;   Edit your .login file.
                     on-screen computer output                        Use ls -a to list all files.
                                                                      machine_name% You have mail.
AaBbCc123            What you type, when contrasted with on-screen    machine_name% su
                     computer output                                  Password:
AaBbCc123            Command-line placeholder: replace with a real    To delete a file, type rm filename.
                     name or value
AaBbCc123            Book titles, new words or terms, or words to     Read Chapter 6 in User’s Guide.
                     be emphasized                                    These are called class options.
                                                                      You must be root to do this.
Save                 Text that appears on an object in a window       Click the Save button.



TABLE P-2 Command-line Usage Conventions

Symbol   Meaning                       Example
[]       Optional variable             fw ver [-k] [-f filename]
                                       Use either or both of the -k and the -f filename options.
<>       Compulsory variable           fw converthosts <input_file> [output_file]
                                       input_file is compulsory; output_file is optional.
|        Use one of the alternatives   cplic import <Module IP | object name>
                                       Use either the Module IP or the object name option.

Note - This note draws the reader’s attention to important information.

Warning - This warning cautions the reader about an important point.

Tip - This is a helpful suggestion.

Shell Prompts in Command Examples
The following table shows the default system prompt and superuser prompt for the C
shell, Bourne shell, Korn shell and DOS.
TABLE P-3 Shell Prompts

Shell                                          Prompt
C shell prompt                                 machine_name%
C shell superuser prompt                       machine_name#
Bourne shell and Korn shell prompt             $
Bourne shell and Korn shell superuser prompt   #
DOS                                            current-directory>

Network Topology Examples


Network topology examples usually show a gateway’s name as a city name (for
example, Paris or London) and the names of hosts behind each gateway as names of
popular sites in those cities (for example, Eiffel and BigBen).



CHAPTER 1

Configuring VPN-1/FireWall-1

In This Chapter

Configuring Check Point Products page 25


Secure Internal Communications for Distributed Configurations page 46
Frequently Asked Questions—Installing, Upgrading, Configuring page 57

Configuring Check Point Products


• Configuring a New or Upgrade Installation — The configuration starts
automatically after the Check Point product is installed or upgraded. The
configuration options appear consecutively. Configure each option and then
proceed to the next window.
After configuration, you must reboot.
• Configuring Installed Products — Check Point products are configured by
running the Check Point configuration application (cpconfig). When you do so,
the different configuration options can be chosen from a menu (on UNIX
platforms) or appear as individual tabs in the Configuration window (on Windows).
To run the configuration application:
• Type cpconfig at the command prompt, or
• Windows platforms — go to Start>Programs>Check Point SMART Clients>Check Point Configuration NG

The Configuration program is part of the SVN Foundation.

The windows or menus displayed depend on the components installed on the machine. You will
not necessarily see all the windows or menu items described here during your configuration
process.


The following configuration options are available:

Licenses page 26
The Trial Period page 27
Administrators page 30
SMART Clients page 36
PKCS#11 Token page 37
Key Hit Session/Random Pool page 38
Certificate Authority page 39
Secure Internal Communication page 40
Fingerprint page 43
High Availability page 45
Interfaces page 45
VPN-1 Accelerator Driver page 45
SNMP Extension (Unix only) page 45
Automatic Start of Check Point Modules (Unix only) page 46

Licenses
Use this option to:
• view license details
• add required licenses for the host
• delete licenses from the host (Windows only). On Unix, to delete or overwrite a
license use the cplic del command (see “cplic del” on page 820).
You do not need a license to run the SMART Client.
Use the cpconfig Licenses option to manage Local licenses only. Central licenses are managed
via SmartUpdate. For details about the differences between Local and Central Licenses, and for
information about centrally managing licenses on remote hosts, see Chapter 2 “Smart Update”
on page 67 of the Check Point SmartCenter Guide.

Note - For a DAIP Module, do not use cpconfig to install a license. A DAIP Module can
use only a Central license, which must be installed using the cplic put command.


FIGURE 1-1 Licenses window (Windows)

Understanding License Details

The Licenses window shows the following information for each license:
IP Address — the IP address of the machine for which the license is intended
Expiration Date — the license expiration date
SKU/Features — a string composed of four groups of nine characters listing the features
included in the license

Obtaining Licenses
If you have not yet obtained your license(s), see “Obtaining Licenses” on page 127 of the Check
Point Getting Started Guide. You can add licenses after completing the other cpconfig
configuration options.

The Trial Period


All purchased Check Point products have a 15 day trial period. During this period the software
is fully functional and all features are available without a license. After that period, a permanent
license must be installed in order to continue using the software. Alternatively, an evaluation
license must be obtained.
The 15 day trial period on an Enforcement Module starts when Secure Internal
Communication is initialized with the SmartCenter Server. On a SmartCenter Server, the trial
period starts when the Certificate Authority is initialized during cpconfig configuration.
If a license is installed during the 15 day trial period, the effective license will be the installed
license.


If all installed licenses are removed during the 15 day trial period, the product will regain full
functionality until the end of the trial period.
If no licenses are installed, the remaining trial period is displayed when starting SmartUpdate
and any of the other Check Point SMART Clients.
To see the remaining trial period, perform the Get Check Point Node Licenses operation in
SmartUpdate, or open the cpconfig Licenses tab on the Enforcement Module, or run the
command cplic print locally on the Enforcement Module.

To Fetch One or More Licenses from a File


On Windows platforms, to fetch one or more licenses from a license file, proceed as follows:
1 Click on Fetch from File.
FIGURE 1-2 Open License File window

2 Browse to the license file, select it, and click Open.

The license(s) that belong to this host are added. After installing the license, you should import
the licenses to the Smart Update License Repository (see “Adding a License to the License
Repository” on page 114).

To Add a License Manually


On Unix platforms, type the details of the license. The license email received from the User
Center contains the license string and an attached license file. On Windows, proceed as follows:
1 Click on Add to add a license.
The Add License window is displayed.


FIGURE 1-3 Add License window

2 The User Center results page and the license email received from the User Center
contain the license installation instructions. To enter the license data, either:
• Copy the license string to the clipboard (the string that starts with cplic put... and
ends with the last SKU/Feature), then click Paste License, or
• Type in the information.

3 Click Calculate, and make sure the result matches the validation code received from
the User Center.
4 Click OK.

To Delete a License
1 In the Licenses window, select the license to be deleted.
2 Click Delete, or press the Delete key on the keyboard.


Administrators
FIGURE 1-4 Administrators window

Use this option to:
• add administrators who are permitted on the SMART Client side, that is, the
administrators who will be allowed to use a SMART Client to connect to the
SmartCenter Server installed on this machine
• modify Administrator permissions
• delete Administrators
The availability of permissions depends on the installed products.
Whenever an administrator logs in, all actions are recorded on the SmartCenter Server in a file
called $FWDIR/log/fw.adtlog which is viewed using the Log Viewer. Administrator actions are
also logged to a text file called $FWDIR/log/cpmi_audit.txt.

In This Section

To Add an Administrator page 24


To Modify Administrator Permissions page 26
To Delete an Administrator page 27
Concurrent Sessions page 43
Read Only Sessions page 44
Authenticating VPN-1/FireWall-1 Administrators page 44


To Add an Administrator
You must define at least one administrator, otherwise no one will be able to use the
SmartCenter Server you have just installed.
The administrator password should be at least four characters long, with no spaces.
1 Click Add to specify an administrator. The Add Administrator window is displayed.
FIGURE 1-5 Add Administrator window

2 Enter the Administrator Name.

3 Enter the Password.
The password should be at least four characters long, with no spaces. You must enter the
password twice in order to confirm it.


4 Specify the Administrator’s Permissions. The following table shows the available
administrator permissions options.
TABLE 1-1 Add and Edit Administrator Permission Options

Selecting this option…       …gives these permissions
Read/Write All               Allows full access to all Check Point products.
Read Only All                Allows read-only access to all Check Point products.
Customized                   Allows user-defined access to Check Point products.
Smart Update                 Note — Choosing Read/Write permissions automatically gives Read/Write permissions for all other options.
                             • Read/Write permission allows Check Point product installations on Managed modules to be centrally managed.
                             • Read Only permission allows viewing the status of installations of Check Point products on managed Modules.
Objects Database             Note — These permissions cannot be selected. They are automatically assigned based on choices made in other options.
                             • Read/Write permission indicates that the administrator can add, remove and modify objects, in addition to being able to edit the Policy properties.
                             • Read Only permission means that the administrator can see the objects but cannot modify them.
Check Point Users Database   • Read/Write permission allows the administrator to define, remove and modify users or templates, as well as insert and remove users to/from groups.
                             • Read Only permission allows the administrator to view users, templates, and groups but not modify them.
LDAP Users Database          • Read/Write permission allows the administrator to define, remove and modify LDAP users and groups.
                             • Read Only permission allows the administrator to view LDAP users and groups but not modify them.
                             For more information on LDAP Users Database administrators, see “LDAP Administrators” on page 21 of Check Point User Management.
Security Policy              • Read/Write allows the administrator to manage Security Policies and rules within the Policies. The administrator can install and uninstall Security Policies.
                             • Read Only allows the administrator to open and view Security Policies but not to modify them.
QoS Policy                   • Read/Write allows the administrator to manage QoS policies and rules within the policies. The administrator can install and uninstall QoS Policies.
                             • Read Only allows the administrator to open and view QoS Policies but not to modify them.
Log Consolidator Policy      • Read/Write allows the administrator to manage Log Consolidator policies and rules within the policies. The administrator can install and uninstall Log Consolidator Policies.
                             • Read Only allows the administrator to open and view Log Consolidator policies but not to modify them.
Reporting Tool               • Read/Write allows the administrator to create and manage report definitions.
                             • Read Only permission allows the administrator to process reports and change Runtime parameters, but not to create or modify report definitions.
Monitoring                   • Read/Write permission allows the administrator full access to the Log Viewer, System Status and Traffic Monitoring.
                             • Read Only permission prevents the administrator from interrupting connections.

To Modify Administrator Permissions

1 Select the Administrator to be edited.
2 Click on Edit in the Administrators window.
The Edit Administrator window will open (very similar to the “Add Administrator window,”
FIGURE 21-5 on page 24).
3 Specify the Administrator’s Permissions. TABLE 21-1 on page 25 explains the
available administrator permissions options.


To Delete an Administrator
1 Select the Administrator to be deleted.
2 Click Delete in the Administrators window.

Concurrent Sessions
In order to prevent more than one administrator from modifying a Security Policy at the same
time, VPN-1/FireWall-1 implements a locking mechanism.
Any number of administrators can view a Security Policy at the same time, but only one of
them can have write permission at any given moment. Upon opening a Security Policy, an
administrator is granted write permission only if both of the following conditions are true:
• The administrator has been assigned Read/Write or User Edit privileges.
• No other administrator currently has write permission for the Security Policy.
For example, suppose Bob and Alice are both administrators. Bob has Read/Write privileges
and Alice has User Edit privileges. Suppose no one has the Security SmartDashboard open. If
Alice opens the Security SmartDashboard, she will be granted User Edit permission. If Bob
opens the same Security Policy before Alice closes it on her workstation, then Bob will not be
granted Read/Write permission. Instead, he will be asked whether he wishes to quit or to open
the Security Policy with Read Only permission.

Read Only Sessions

An administrator with Read/Write or User Edit privileges can open a Read Only session by
checking the Read Only checkbox in the Check Point SmartDashboard Login window.
FIGURE 1-6 Login window

During the Read Only session, another administrator with Read/Write privileges can log in and
be granted write permission.
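The write-lock behaviour described under Concurrent Sessions and Read Only Sessions, as an added Python model that is not Check Point's code (administrator names and privileges are constructed for the illustration):

```python
"""Model of the Security Policy write lock from the Concurrent Sessions and
Read Only Sessions passages (added example, not Check Point code).

Any number of administrators may view a policy; one at a time may hold write
permission, and only if assigned Read/Write or User Edit privileges. An
administrator who ticks Read Only at login never takes the lock, so another
administrator with write privileges can still be granted it.
"""
from dataclasses import dataclass, field
from typing import List, Optional

WRITE_CAPABLE = ("Read/Write", "User Edit")


class WriteLockHeld(Exception):
    """Another administrator holds write permission; the caller may quit or reopen Read Only."""

    def __init__(self, holder: str) -> None:
        super().__init__(f"policy is locked for writing by {holder}")
        self.holder = holder


@dataclass
class Session:
    admin: str
    mode: str   # permission actually granted: "Read/Write", "User Edit" or "Read Only"


@dataclass
class PolicyLock:
    sessions: List[Session] = field(default_factory=list)

    def writer(self) -> Optional[str]:
        """Name of the administrator currently holding write permission, if any."""
        for s in self.sessions:
            if s.mode in WRITE_CAPABLE:
                return s.admin
        return None

    def open(self, admin: str, privilege: str, read_only: bool = False) -> Session:
        """Open the policy for `admin`, who was assigned `privilege` in cpconfig."""
        if read_only or privilege not in WRITE_CAPABLE:
            mode = "Read Only"                   # never contends for the lock
        elif self.writer() is not None:
            raise WriteLockHeld(self.writer())   # quit, or reopen with read_only=True
        else:
            mode = privilege                     # granted write permission
        session = Session(admin, mode)
        self.sessions.append(session)
        return session

    def close(self, session: Session) -> None:
        self.sessions.remove(session)            # releases the lock if this was the writer
```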


Authenticating VPN-1/FireWall-1 Administrators

You may wish to authenticate VPN-1/FireWall-1 administrators, even if they are defined as
administrators and connecting from authorized SMART Clients.

Note - VPN-1/FireWall-1 administrators are always authenticated. This section describes
how to implement additional authentication mechanisms.

To authenticate VPN-1/FireWall-1 administrators, proceed as follows:
1 Configure your SmartCenter Server so that it is protected by a VPN/FireWall
Module. The VPN/FireWall Module can be on the same machine as the SmartCenter Server
or on a different machine.
2 In the FireWall-1 Implied Rules page of the Global Properties window, disable Accept
VPN-1 & FireWall-1 Control Connections.

3 Add a rule to the Rule Base specifying Client Authentication or Client Encryption
as the Action, for example, the rule shown below:
TABLE 1-2 Rule Base Example

Source         Destination   Services   Action              Track   Install On
FW1Admin@Any   MgmtStation   FW1_mgmt   Client Encryption   Log     the VPN/FireWall Module that protects the SmartCenter Server

The FW1_mgmt service is a TCP service on port 258.


4 Add rules to the Rule Base that allow the other control connections you need
(since you disabled them in step 2).


SMART Clients
FIGURE 1-7 SMART Clients window

Specify the SMART Clients, that is, the remote computers from which administrators will be
allowed to connect to the SmartCenter Server.
There is no need to define a SMART Client that is on the same machine as the SmartCenter
Server. If no SMART Clients are defined, you will be able to manage the SmartCenter Server
you have just installed only from a SMART Client running on the same machine.

To Add a SMART Client

Enter the SMART Client’s name and click on Add to add it to the list of allowed SMART
Clients. You can add SMART Clients using any of the following formats:
• IP address (for example 1.2.3.4).
• Machine name (for example Alice, or Alice.checkpoint.com).
• Any (any IP without restriction).
• IP1-IP2 (a range of addresses, for example 1.2.3.4-1.2.3.40).
• Wild cards (for example 192.140.150.* or *.checkpoint.com).
Note - When specifying SMART Clients using any format OTHER THAN the IP address, you
must add an explicit rule in the Rule Base allowing the SMART Clients to connect to the
SmartCenter Server. For example:
Source—Network Address Range, Destination—SmartCenter Server, Service—CPMI,
Action—Accept.
If specifying a SMART Client using a single IP address or machine name, an explicit rule
is not required.
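As an added illustration that is not Check Point code, the following Python model parses the allow-list entry formats listed above, matches a connecting client against them, and reports which entries need the explicit CPMI rule the note calls for; the allow list and client addresses it uses are constructed.

```python
"""Model of the cpconfig SMART Client allow list (added example, not Check Point code).

It accepts the entry formats the guide lists (single IP, machine name, Any,
IP1-IP2 range, wildcards such as 192.140.150.* or *.checkpoint.com), decides
whether a connecting client matches, and flags the entries that need an
explicit CPMI rule in the Rule Base (every format other than a single IP
address or machine name). IPv4 only, as in the guide's examples.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")
_WILDCARD_RE = re.compile(r"^[A-Za-z0-9.*-]+$")


@dataclass(frozen=True)
class Entry:
    raw: str
    kind: str   # "ip", "name", "any", "range" or "wildcard"


def _as_ipv4(text: str) -> Optional[ipaddress.IPv4Address]:
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None


def parse_entry(raw: str) -> Entry:
    """Classify one allow-list entry; raise ValueError for anything malformed."""
    text = raw.strip()
    if text.lower() == "any":
        return Entry(text, "any")
    if "-" in text and "*" not in text:
        lo, _, hi = text.partition("-")
        a, b = _as_ipv4(lo), _as_ipv4(hi)
        if a is not None and b is not None:
            if a > b:
                raise ValueError(f"range start after end: {text}")
            return Entry(text, "range")
        # otherwise a machine name containing a hyphen, handled below
    if "*" in text:
        if not _WILDCARD_RE.match(text):
            raise ValueError(f"bad wildcard: {text}")
        return Entry(text, "wildcard")
    if _as_ipv4(text) is not None:
        return Entry(text, "ip")
    if _HOSTNAME_RE.match(text):
        return Entry(text, "name")
    raise ValueError(f"unrecognised SMART Client entry: {raw!r}")


def _wildcard_regex(pattern: str) -> "re.Pattern[str]":
    # '*' matches any run of characters; everything else is literal
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$",
                      re.IGNORECASE)


def entry_matches(entry: Entry, client_ip: str, client_name: Optional[str] = None) -> bool:
    """Does a connecting client (its IP, plus its resolved name if known) match one entry?"""
    ip = ipaddress.IPv4Address(client_ip)
    if entry.kind == "any":
        return True
    if entry.kind == "ip":
        return ip == ipaddress.IPv4Address(entry.raw)
    if entry.kind == "range":
        lo, _, hi = entry.raw.partition("-")
        return ipaddress.IPv4Address(lo) <= ip <= ipaddress.IPv4Address(hi)
    if entry.kind == "wildcard":
        rx = _wildcard_regex(entry.raw)
        return bool(rx.match(client_ip)) or bool(client_name and rx.match(client_name))
    return bool(client_name) and entry.raw.lower() == client_name.lower()   # "name"


def client_allowed(entries: List[Entry], client_ip: str,
                   client_name: Optional[str] = None) -> bool:
    return any(entry_matches(e, client_ip, client_name) for e in entries)


def entries_needing_explicit_rule(entries: List[Entry]) -> List[str]:
    """Entries for which the guide requires an explicit Rule Base rule
    (Source: the range/wildcard, Destination: SmartCenter Server, Service: CPMI, Accept)."""
    return [e.raw for e in entries if e.kind not in ("ip", "name")]


# Constructed allow list using the formats from the guide
CONSTRUCTED_ALLOW_LIST = ["1.2.3.4", "Alice.checkpoint.com", "1.2.3.4-1.2.3.40",
                          "192.140.150.*", "*.checkpoint.com"]
```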


The connection between the SMART Clients and the SmartCenter Server is enabled in
SmartCenter by checking the Accept VPN-1 & FireWall-1 control connections property in the
FireWall-1 Implied Rules page of the Global Properties window.

If the connection between the SMART Clients and the SmartCenter Server passes through a
VPN/FireWall Module, then the Security Policy must be re-installed on the VPN/FireWall
Module so that the newly added SMART Clients can connect to the SmartCenter Server.

To Remove a SMART Client

To remove a SMART Client from the allowed list, select it and click on Remove.

PKCS#11 Token
FIGURE 1-8 PKCS#11 Token window

Use this window to register a cryptographic token for use by VPN-1/FireWall-1, to see details
of the token, and to test its functionality.
For configuration details, see “PKCS#11 Token” on page 58 of Check Point Virtual Private
Networks.


Key Hit Session/Random Pool


FIGURE 1-9 Key Hit Session window

You are asked to enter random keystrokes. The random data collected in this session is used in
various cryptographic operations.
Enter random characters containing at least six different characters. Do not type the same
character twice in succession, and try to vary the delay between the characters. Keystrokes that
are too fast or too similar to preceding keystrokes are ignored.
Keep typing until you hear a beep and the bar is full.


Certificate Authority
FIGURE 1-10 Certificate Authority window

Certificate Authority
This option allows you to create an Internal Certificate Authority (ICA) on SmartCenter Server,
and create a Secure Internal Communication (SIC) certificate for the SmartCenter Server.
SIC certificates are used to authenticate communication between Check Point communicating
components, or between Check Point communicating components and OPSEC Applications.

Management FQDN
cpconfig tries to resolve the FQDN (fully qualified domain name) of the SmartCenter Server
and supplies this as a default. If this is not the correct FQDN, change the contents of the
Management FQDN field. This may be useful if there is a problem resolving the FQDN of the
SmartCenter Server.
Specifying the correct FQDN ensures that the Certificate Revocation List (CRL) can be reliably
retrieved by a communicating component, so that it can properly authenticate a certificate.
A fully qualified domain name consists of a host name and a domain name. For example,
www.checkpoint.com is a fully qualified domain name.
The ICA needs the FQDN in order to insert the CRL Distribution Point correctly in every
certificate it issues. Communicating components retrieve the CRL by reading the certificate and
looking for the CRL Distribution Point. The location of the CRL distribution point is an
HTTP address in the form http://FQDN/<CRL_filename>.
To see the location of the CRL applicable for a certificate, in SmartDashboard, edit the
SmartCenter Server object, and in the VPN page, select the certificate and click Edit > View.
The CRL Distribution Point is one of the fields in the certificate.


Secure Internal Communication


FIGURE 1-11 Secure Internal Communication window

The Secure Internal Communication window is used to establish trust between this machine
and the Primary SmartCenter Server. Once trust is established this machine can communicate
with other Check Point communicating components. Trust is established by creating a certificate
on the SmartCenter Server and delivering it to this machine.
Where this is a machine with a dynamically assigned IP address (DAIP Module), the
SmartCenter Server can push a certificate to the DAIP Module if the current IP address of the
DAIP module is known when initializing SIC (in SmartDashboard, in the Communications
window of the DAIP object).
For information about communications in a distributed environment, see “Secure Internal
Communications for Distributed Configurations” on page 160 of the Check Point Getting Started
Guide or page 48 of the Check Point SmartCenter Guide.

To Initialize a Module for Communication

1 To enable communication, enter here the same Activation Key as in
SmartDashboard, in the Check Point Gateway - General page of the Module.
Confirm this Activation Key in the Confirm Password field.


2 At a SMART Client, connect to the SmartCenter Server and open
SmartDashboard. (In a Management High Availability configuration, connect to the
Primary SmartCenter Server).
3 In SmartDashboard, create an object for the Module, and give it a name and an IP
address.

Note - If the Module has dynamic IP address, see “Defining a Module with a Dynamic IP
Address” on page 480 of the Check Point SmartCenter Guide.

The following explanation matches the Classic Mode of creating an object:
a Choose Network Objects from the Manage menu, and click on New > Check
Point Gateway...
b In the Check Point Gateway — General Properties page fill in the Module name
and IP address.
c Check the appropriate product.

4 Initialize the Module:
a In the Check Point Gateway — General Properties page, click Communication...
FIGURE 1-12 Communication Window

b In the Communication window, enter the Activation Key — the SAME
Activation Key as you entered when configuring the Module.
Confirm this Activation Key in the Confirm Activation Key field.

Note - For the next step to work, the SVN Foundation and the VPN-1/FireWall-1 services
must be running on the Module, and there must be IP connectivity from the Management
Server to the Module.

c Click Initialize to start the Module initialization process.

At this point a certificate is issued to the Module. It is signed, and securely
transferred to the Module.
The Module status is reported in the Trust State field.
Trust state—Trust is established only after a certificate has been issued by the Internal
Certificate Authority on the SmartCenter Server, and delivered to the Module.
If a Module is Initialized or Reset, the Trust state of the Module as reported in cpconfig may
be different than the Trust state reported at the SmartDashboard.
Note the difference between the Trust state and the output of the Test SIC Status button in
the SmartDashboard Communication window of the Module: the Trust state reflects the
situation after Module initialization, that is, when an activation key is exchanged and a
certificate is sent to the Module. In contrast, Test SIC Status reflects the SIC status after the
Module has the certificate.
The Trust State as reported in cpconfig in the Secure Internal Communication window and in
the SmartDashboard in the Communication window can be in one of three states:
• Uninitialized — The Module is not initialized and therefore cannot communicate
because it has not received a certificate from the Internal Certificate Authority on
the SmartCenter Server.
• Initialized but trust not established —
At the Module, in cpconfig, in the Secure Internal Communication window, this
means that a one-time password has been typed in but the Module has not yet
received a certificate from the Internal Certificate Authority on the SmartCenter
Server.
In the SmartDashboard in the Communication window, this means that a certificate
has been issued to this Module but has not been delivered, so trust (secure
communication) cannot yet be established.
• Trust established — The trust between the Module and the SmartCenter Server
has been established. The Module can communicate securely.


Trust will be established and the Module will be able to communicate when the
certificate is successfully delivered to the Module, the Trust State is Trust
established, and the SIC name (or DN) of the Module is reported in the General
page of the Workstation Properties window.
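To tie together the Management FQDN and CRL Distribution Point discussion with the three Trust States described above, here is an added Python model; it is not the real SIC protocol or Check Point code, and the DN form, the CRL file name ICA_CRL1.crl and the FQDN mgmt.example.com are assumptions. It issues a certificate carrying http://FQDN/<CRL_filename> and reports the Trust State from both the cpconfig side and the SmartDashboard side, including the case where the two views differ after a Reset in cpconfig.

```python
"""Simplified model of SIC initialization and the Trust State seen at both ends.
Added example, not Check Point code (the real SIC protocol is not reproduced).
The Module takes a one-time Activation Key in cpconfig; SmartDashboard enters
the same key and clicks Initialize; the ICA issues a certificate whose CRL
Distribution Point is http://FQDN/<CRL_filename>; once it is delivered to the
Module, both sides report "Trust established".
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

UNINITIALIZED = "Uninitialized"
INITIALIZED_NO_TRUST = "Initialized but trust not established"
TRUST_ESTABLISHED = "Trust established"
# Fully qualified domain name: host name plus domain name, e.g. www.checkpoint.com
_FQDN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")


def is_fqdn(name: str) -> bool:
    return bool(_FQDN_RE.match(name))


@dataclass(frozen=True)
class Certificate:
    subject_dn: str               # the SIC name (DN) of the Module
    crl_distribution_point: str   # where communicating components fetch the CRL


class InternalCA:
    """The ICA on the SmartCenter Server; fqdn is cpconfig's Management FQDN field."""
    CRL_FILENAME = "ICA_CRL1.crl"   # assumed placeholder for <CRL_filename>

    def __init__(self, management_fqdn: str) -> None:
        # A short host name here would put an unresolvable CRL DP into every certificate
        if not is_fqdn(management_fqdn):
            raise ValueError(f"Management FQDN must be fully qualified: {management_fqdn!r}")
        self.fqdn = management_fqdn

    def issue(self, sic_name: str) -> Certificate:
        return Certificate(sic_name, f"http://{self.fqdn}/{self.CRL_FILENAME}")


class Module:
    """The Module side, as shown in cpconfig's Secure Internal Communication window."""
    def __init__(self, name: str) -> None:
        self.name = name
        self._key_digest: Optional[bytes] = None   # one-time Activation Key, hashed
        self.certificate: Optional[Certificate] = None

    def set_activation_key(self, key: str) -> None:
        self._key_digest = hashlib.sha256(key.encode()).digest()

    def proves_key(self, key: str) -> bool:
        # Constant-time comparison: a wrong key must not be distinguishable by timing
        return self._key_digest is not None and hmac.compare_digest(
            self._key_digest, hashlib.sha256(key.encode()).digest())

    def receive(self, cert: Certificate) -> None:
        self.certificate = cert
        self._key_digest = None   # the one-time key is spent once the certificate arrives

    def reset(self) -> None:      # the cpconfig half of "Reset"
        self._key_digest = None
        self.certificate = None

    @property
    def trust_state(self) -> str:
        if self.certificate is not None:
            return TRUST_ESTABLISHED
        if self._key_digest is not None:
            return INITIALIZED_NO_TRUST   # key typed in, no certificate received yet
        return UNINITIALIZED


class SmartCenterServer:
    """SmartDashboard's view: Initialize issues a certificate; trust needs delivery."""
    def __init__(self, ica: InternalCA) -> None:
        self.ica = ica
        self.issued: Dict[str, Certificate] = {}   # module name -> certificate issued
        self.delivered: Set[str] = set()          # modules whose certificate arrived

    def initialize(self, module: Module, key: str, connectivity: bool = True) -> str:
        if not module.proves_key(key):
            return self.trust_state(module)   # wrong Activation Key: nothing is issued
        cert = self.ica.issue(f"CN={module.name},O={self.ica.fqdn}")   # constructed DN form
        self.issued[module.name] = cert
        if connectivity:   # needs SVN Foundation running and IP connectivity to the Module
            module.receive(cert)
            self.delivered.add(module.name)
        return self.trust_state(module)

    def reset(self, module: Module) -> None:   # the SmartDashboard half of "Reset"
        self.issued.pop(module.name, None)
        self.delivered.discard(module.name)

    def trust_state(self, module: Module) -> str:
        if module.name in self.delivered:
            return TRUST_ESTABLISHED
        if module.name in self.issued:
            return INITIALIZED_NO_TRUST   # certificate issued but not yet delivered
        return UNINITIALIZED
```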

Note - The setting up of SIC communication can be tracked by viewing the
$CPDIR\log\cpd.elg log file on the Module.

5 Install the Security Policy on the Module.

Upon successful initialization the newly defined Module can securely communicate with any
other Module that owns a certificate.

To Reset the Trust State of a Module

1 In the Secure Internal Communication window/menu, click or select Reset.
2 For the other half of this procedure, see “How to Reset the Trust State of the
Module” on page 169.

Fingerprint
FIGURE 1-13 Fingerprint window


The Fingerprint window shows the fingerprint of the SmartCenter Server. The fingerprint is a
text string derived from the certificate of the SmartCenter Server. It is used to verify the identity
of the SmartCenter Server being accessed via the SMART Client. You should compare this
fingerprint to the fingerprint displayed in SmartCenter the first time a SMART Client connects
to this SmartCenter Server.
Note - In a Management High Availability configuration, you can view and save the
Fingerprint for the:
• primary SmartCenter Server — in the Fingerprint window once the ICA Initialization
has succeeded (see FIGURE 21-13).
• secondary SmartCenter Server — in the Secure Internal Communication tab, if the
Trust Status is Trust Established.

How to Use the Fingerprint to Confirm the Identity of the SmartCenter Server
1 In the Fingerprint window, click Export to file and save the file.
2 Take the file over to the SMART Client via some non-network means such as a
diskette, or confirm the fingerprint of the SmartCenter Server by fax or telephone.
3 From a SMART Client, make a first-time connection to the SmartCenter Server. The
fingerprint of the SmartCenter Server is displayed (see FIGURE 21-14).
FIGURE 1-14 Fingerprint of a SmartCenter Server as displayed at the SMART Client

4 Make sure the fingerprint of the SmartCenter Server is identical to the fingerprint
displayed in the SMART Client.

Note - You should not make a first-time connection to a SmartCenter Server from a SMART
Client unless you have the SmartCenter Server fingerprint to hand, and are able to
confirm it is the same as the fingerprint displayed in the SMART Client.


High Availability
FIGURE 1-15 High Availability window

Turn on the State Synchronization and the ClusterXL High Availability and Load Sharing
capability.
See Chapter 3, “ClusterXL,” in the Check Point FireWall-1 Guide for information on how to
configure a High Availability environment.

Interfaces
A ROBO Gateway is an object which inherits most of its properties and its policy from the
Profile object to which it is mapped. Each ROBO gateway represents a large number of
gateways, which subsequently inherit the properties stipulated by the Profile object.
Select the IP addresses that represent the interfaces defined for each object from the drop down
list.

VPN-1 Accelerator Driver


This option turns on the VPN-1 Accelerator Driver. The VPN-1 Accelerator Driver is available
on multiple CPU machines.
Changes to this setting only take effect after booting the machine.

SNMP Extension (Unix only)


Use this option to configure the SNMP daemon. The SNMP daemon enables the
VPN/FireWall Module to export its status to external network management tools.


Automatic Start of Check Point Modules (Unix only)


Specify whether the VPN/FireWall Module will start automatically at boot time.

Secure Internal Communications for Distributed Configurations
Communicating Components
In a distributed configuration, communicating components such as the SmartCenter Server and
the Modules are deployed on different computers.
Secure Internal Communication (SIC) secures communication between
• Check Point SVN components (such as SmartCenter Servers, SMART clients,
VPN/FireWall Modules, Customer Log Modules, SecureConnect Modules, Policy
Servers), and between
• Check Point SVN components and OPSEC applications.

Security Benefits
Securing communication allows you to be absolutely sure that:
• a SMART Client is connecting to a SmartCenter Server to which it is authorized
to connect,
• the Security Policy loaded on a VPN/FireWall Module came from the SmartCenter
Server, rather than a machine pretending to be the SmartCenter Server, and
• data privacy and integrity have been maintained.

Administrative Benefits
As well as enhancing security, SIC substantially eases the administration of large installations by
reducing the number of configuration actions. It is no longer necessary to perform fw putkey
operations between pairs of communicating components. Instead, it is simply a matter of
performing a simple initialization procedure for each component from the SmartDashboard.

SIC Certificates
Secure Internal Communication for Check Point SVN components uses:
• Certificates for authentication, and
• Standards-based SSL for encryption.


SIC Certificates uniquely identify Check Point-enabled machines or OPSEC applications across
the VPN-1/FireWall-1 system. For example, a computer may have one certificate for Check
Point products and a certificate for each OPSEC application. Certificates are created by the
Internal Certificate Authority (ICA) on the SmartCenter Server for communicating components
managed by the SmartCenter Server.
For information about certificates and their benefits, see “Certificates” on page 23 of Check
Point Virtual Private Networks.
Note - VPN certificates (those used for IKE for example), and SIC certificates are used for
different purposes and are managed differently.
• VPN certificates are managed from the VPN page of the VPN-1 installed object (see
“Workstation Encryption Properties” on page 94 of Check Point Virtual Private
Networks)
• SIC certificates are managed from the Communication window on the General page
of any Check Point installed object (see “Enabling Communication between Modules” on
page 22).

Consider the distributed VPN-1/FireWall-1 configuration depicted in FIGURE 1-16.

FIGURE 1-16 Distributed VPN-1/FireWall-1 configuration, showing the components with
certificates. Certificates are created by the ICA on the SmartCenter Server

[Figure: a GUI Client, the Management Server, an Internet router, an Intranet router,
two FireWalled Gateways and an Internal FireWall. Callouts: (1) The ICA on this
Management Server ... (2) ... delivers certificates to the Check Point Modules.]

The ICA creates a certificate for the SmartCenter Server machine during the SmartCenter
Server installation. The ICA itself is created automatically during the installation procedure (see
“Installing VPN-1/FireWall-1 (Windows)” on page 115 or “Installing VPN-1/FireWall-1
(UNIX)” on page 123 of the Check Point Getting Started Guide)


Certificates for the VPN/FireWall Modules and any other communicating component are
created via a simple initialization from the SmartDashboard (see “Enabling Communication
between Modules” on page 22). Upon initialization, the ICA creates, signs, and delivers a
certificate to the communicating component. Every Module can verify the certificate for
authenticity.

Communications between the SmartCenter Server(s) and Modules
Communications between a SmartCenter Server and its Modules are authenticated using their
certificates, and according to a policy specified in a policy file on each machine.
Communication using certificates will take place provided that the communicating components
• are of the appropriate version
• agree on the authentication method
• agree on the encryption method
The SmartCenter Server and the Modules are identified by their SIC name (also known as the
DN).
Full backward compatibility allows a SmartCenter Server to communicate with a VPN/FireWall
Module of version 4.1 or earlier using the legacy shared secret (fw putkey) method. The two
communicating components use the password to create a shared key which they exchange and
use to set up an encrypted secure link between them.

Communications Between the SmartCenter Server and the SMART Client
On the SmartCenter Server, the SMART client must be defined as being authorized to connect
to the SmartCenter Server.
For information on how to do this, see “Administrators” on page 136 (for Windows) or
“Administrators” on page 154 (for Unix) of the Check Point Getting Started Guide.
When invoking the SmartDashboard on the SMART client, the VPN-1/FireWall-1
administrator is asked to identify himself and to specify the IP address of the SmartCenter
Server.
The SMART client initiates an SSL based connection with the SmartCenter Server. The
SmartCenter Server verifies that the Client’s IP address belongs to an authorized SMART client,
and sends back its certificate.
Upon authenticating the SmartCenter Server's certificate, the administrator is asked to verify
that the right SmartCenter Server is connected. Verification is done using the SmartCenter
Server fingerprint (see the Check Point Getting Started Guide “How to Use the Fingerprint to
Confirm the Identity of the SmartCenter Server” on page 151). The fingerprint is a text string
that represents a certain hash value computed from the SmartCenter Server certificate.


Once the administrator approves the identity of the SmartCenter Server, the administrator’s
name and password are securely sent to the SmartCenter Server.
The administrator’s name and password are used to authenticate the user as a Policy Management
authorized user.
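The following is an added example, not code from this guide or from Check Point: a model of the client-side check just described, written as trust-on-first-use. The certificate bytes are constructed stand-ins, and the hashing and text format of the fingerprint (SHA-256, colon-separated hex) are assumptions, since the guide only states that the fingerprint is a hash of the SmartCenter Server certificate rendered as text. The NewServerOK and Known Servers settings discussed in the FAQ at the end of this chapter are modelled as the new_server_ok flag and the forget() method.

```python
"""Added example (not Check Point code): the SMART client's fingerprint check
modelled as trust-on-first-use.  Certificate bytes are constructed sample data;
the fingerprint encoding (SHA-256 as colon-separated hex) is an assumption."""
import hashlib


class FingerprintMismatch(Exception):
    """A server we already know presented a certificate with another fingerprint."""


def fingerprint(cert_der: bytes) -> str:
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class KnownServers:
    """Per-client cache of server name -> fingerprint (the role the Known Servers
    registry key plays on a Windows SMART client)."""

    def __init__(self, new_server_ok: bool = False):
        # new_server_ok mirrors the NewServerOK=1 setting: trust an unknown server
        # without asking.  Keep it False unless the identity is assured otherwise.
        self.new_server_ok = new_server_ok
        self._known = {}

    def check(self, server: str, cert_der: bytes, confirm) -> str:
        """Outcome of the fingerprint step for one connection attempt.

        confirm(server, fp) is the administrator's out-of-band comparison,
        e.g. against the fingerprint displayed by cpconfig on the server."""
        fp = fingerprint(cert_der)
        known = self._known.get(server)
        if known is None:
            if self.new_server_ok or confirm(server, fp):
                self._known[server] = fp
                return "new server trusted"
            return "rejected by administrator"
        if known != fp:
            # Same name, different certificate: a re-installed server or an impostor.
            raise FingerprintMismatch(f"{server}: expected {known}, got {fp}")
        return "known server"

    def forget(self, server: str) -> None:
        """Equivalent of deleting the server's entry under Known Servers."""
        self._known.pop(server, None)


def connect(cache: KnownServers, server: str, cert_der: bytes, credentials, confirm):
    """Administrator credentials are released only after the identity is approved."""
    outcome = cache.check(server, cert_der, confirm)
    if outcome == "rejected by administrator":
        return outcome, None
    return outcome, credentials      # in reality: sent over the SSL session


# Constructed sample data: two different "certificates" for the same server name.
MGMT_CERT = b"-- constructed DER stand-in for the real SmartCenter certificate --"
IMPOSTOR_CERT = b"-- constructed DER stand-in for a machine pretending to be it --"
OUT_OF_BAND_FP = fingerprint(MGMT_CERT)   # what the administrator read from cpconfig


def demo() -> dict:
    cache = KnownServers()
    admin = lambda server, fp: fp == OUT_OF_BAND_FP   # compares with the value above
    creds = ("fwadmin", "s3cret")
    results = {}
    results["first_impostor"] = connect(cache, "mgmt", IMPOSTOR_CERT, creds, admin)
    results["first_real"] = connect(cache, "mgmt", MGMT_CERT, creds, admin)
    results["second_real"] = connect(cache, "mgmt", MGMT_CERT, creds, admin)
    try:
        connect(cache, "mgmt", IMPOSTOR_CERT, creds, admin)
        results["impostor_after_trust"] = "accepted"
    except FingerprintMismatch:
        results["impostor_after_trust"] = "mismatch"
    cache.forget("mgmt")                           # FAQ: make the client forget a server
    results["after_forget"] = connect(cache, "mgmt", MGMT_CERT, creds, admin)[0]
    lax = KnownServers(new_server_ok=True)         # FAQ: NewServerOK=1, no prompt
    results["lax_impostor"] = connect(lax, "mgmt", IMPOSTOR_CERT, creds, admin)[0]
    return results
```

The lax_impostor result shows why NewServerOK should stay off: with it set, an unknown server is trusted before the administrator has compared anything, so the fingerprint step no longer distinguishes the real SmartCenter Server from a machine pretending to be it.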

Enabling Communication between Modules


Note - Where a reference is made to a Module, it applies equally to all communicating
components (see “Communicating Components” on page 19), including VPN/FireWall
Modules and OPSEC applications.

Enabling Communication — New Module Registration


After installing a new Module, proceed as follows:
1 At the Module machine, use cpconfig to initialize the Module:
In the Secure Internal Communication tab (for Windows, see FIGURE 1-17) or
option (for Unix) of the cpconfig configuration utility of the Module, enter and
confirm the one-time password (the Activation Key).
FIGURE 1-17cpconfig Secure Internal Communication window (for Windows)


2 At a SMART Client, connect to the SmartCenter Server and open
SmartDashboard. (In a Management High Availability configuration, connect to the
Primary SmartCenter Server).
3 In SmartDashboard, create an object for the Module, and give it a name and an IP
address.

Note - If the Module has dynamic IP address, see “Defining a Module with a Dynamic IP
Address” on page 480 of the Check Point SmartCenter Guide.

The following explanation matches the Classic Mode of creating an object:


a Choose Network Objects from the Manage menu, and click on New > Check
Point Gateway...

b In the Check Point Gateway — General Properties page fill in the Module name
and IP address.
c Check the appropriate product.

4 Initialize the Module:


a In the Check Point Gateway — General Properties page, click Communication...
FIGURE 1-18 Communication Window

b In the Communication window, enter the Activation Key — the SAME
Activation Key as you entered when configuring the Module.


Confirm this Activation Key in the Confirm Activation Key field.

Note - For the next step to work, the SVN Foundation and the VPN-1/FireWall-1 services
must be running on the Module, and there must be IP connectivity from the Management
Server to the Module.

c Click Initialize to start the Module initialization process.
At this point a certificate is issued to the Module. It is signed, and securely
transferred to the Module.
The Module status is reported in the Trust State field.
Trust state—Trust is established only after a certificate has been issued by the Internal
Certificate Authority on the SmartCenter Server, and delivered to the Module.
If a Module is Initialized or Reset, the Trust state of the Module as reported in cpconfig may
be different than the Trust state reported at the SmartDashboard.
Note the difference between the Trust state and the output of the Test SIC Status button in
the SmartDashboard Communication window of the Module: The Trust state reflects the
situation after Module initialization, that is, when an activation key is exchanged and certificate
is sent to the Module. In contrast, Test SIC Status reflects the SIC status after the Module has
the certificate.
The Trust State, as reported by cpconfig in the Secure Internal Communication tab and by
SmartDashboard in the Communication window, can be in one of three states:
• Uninitialized —The Module is not initialized and therefore cannot communicate
because it has not received a certificate from the Internal Certificate Authority on
the SmartCenter Server.
• Initialized but trust not established —
At the Module, in cpconfig, in the Secure Internal Communication window, this
means that a one-time password has been typed in but the Module has not yet
received a certificate from the Internal Certificate Authority on the SmartCenter
Server.
In the SmartDashboard in the Communication window, this means that a certificate
has been issued to this Module but has not been delivered, so trust (secure
communication) cannot yet be established.
• Trust established — The trust between the Module and the SmartCenter Server
has been established. The Module can communicate securely.


Trust will be established and the Module will be able to communicate when the
certificate is successfully delivered to the Module, the Trust State is Trust
established, and the SIC name (or DN) of the Module is reported in the General
page of the Workstation Properties window.

Note - The setting up of SIC communication can be tracked by viewing the
$CPDIR\log\cpd.elg log file on the Module.

5 Install the Security Policy on the Module.


Upon successful initialization the newly defined Module can securely communicate with any
other Module that holds a certificate.

Enabling Communication — Upgrading 4.1 Modules


Start or continue from Step 1 or Step 2, as appropriate:
Note -
• You can upgrade to NG only from version 4.1 and higher.
• The version of the SmartCenter Server must always be at least the version of the
VPN/FireWall Module with the highest version.
• The trust relationship between the management and module is maintained at all stages
of the upgrade. The old trust relationship, based on a shared secret is converted to one
based on proving identity using certificates.

1 SmartCenter Server Version: 4.1 to NG
Module Version: 4.1
Upgrade the SmartCenter Server version to NG. For details, see “Installing
VPN-1/FireWall-1 (Windows)” on page 115 or “Installing VPN-1/FireWall-1
(UNIX)” on page 123 of the Check Point Getting Started Guide.
The SmartCenter Server can manage version 4.1 Modules. At this point the trust
relationship between the Management and Modules is based on the shared secret
generated prior to the SmartCenter Server upgrade.
2 SmartCenter Server Version: NG
Module Version: Upgrade from 4.1 to NG
Upgrade the Module version to NG. For details, see “Installing VPN-1/FireWall-1
(Windows)” on page 115 or “Installing VPN-1/FireWall-1 (UNIX)” on page 123
of the Check Point Getting Started Guide.
It is perfectly possible for a SmartCenter Server to manage both version 4.1 and
NG Modules. The Modules can be upgraded whenever convenient.


3 From the SmartDashboard, open the General page of the Check Point Gateway
window of the Module (FIGURE 1-19) and change the Version to NG.
FIGURE 1-19Gateway Properties window — General page

At this point a certificate is issued to the Module. It is signed, and securely
transferred to the Module. The Module status is reported in the Trust State field.
The meaning of the three Trust States (Uninitialized, Initialized but trust not established,
Trust established), the possible difference between the state reported by cpconfig and by the
SmartDashboard, and the difference between the Trust State and the output of the Test SIC
Status button are as described in step 4 of “Enabling Communication — New Module
Registration” above.
The Module will be able to communicate when the Trust State is Trust Established.
The SIC name (or DN) of the Module is reported in the General page of the Check
Point Gateway window.
Changing the Version sends the certificate to the Module, and completes the SIC
configuration of the Module.
4 Reinstall the Security Policy on the Module.

Resetting the Trust State of the Module


During the operational lifetime of VPN-1/FireWall-1, it may be required to revoke a Module's
certificate by resetting the Module trust state. This is needed when the security of the Module
has been breached, and it is suspected that its private key has been stolen. It is also needed when
a decision has been taken to cease the operation of a Module. Whatever the reason, in such a
case all other Modules must be notified that the Module's certificate is no longer valid.
Modules are informed of Modules with invalid certificates through a certificate revocation list
(CRL) that is issued and signed by the Internal Certificate Authority (ICA) on the SmartCenter
Server. A CRL is a file containing the serial numbers of all revoked certificates. Every Module
caches a CRL so that it can deny connection from an imposter if the latter uses an old certificate
already listed in its CRL.
As a result of the revocation, the ICA issues a new CRL with the serial number of the revoked
Module's certificate added. The new CRL bears a new date and time of issue. The SIC protocol
ensures fast propagation to all Modules. Part of the protocol negotiation between any two
Modules is CRL checking. If one side of the connecting parties holds a newer CRL, then the
other side replaces its own CRL with the newer one.


To allow a Module that has been reset to communicate, the Module must be re-initialized.

How to Reset the Trust State of the Module


To Reset the trust state of a Module, proceed as follows:
Warning -
• For the reset operation to be complete, you must reset the trust state of a Module both
in the SmartDashboard and in the Module’s cpconfig configuration utility.
• Modules other than the SmartCenter Server will receive the new CRL the next time
a SIC connection is made (such as when the Security Policy is installed on the
Modules).

1 Reset the Trust State in the SmartDashboard:


a At a SMART client, connect to the SmartCenter Server and open the
SmartDashboard.
b In the SmartDashboard, open the Module’s Gateway Properties page, and click
Communication...

c In the Communication window, click Reset.

You can also Reset a Module by deleting the Module object from the
SmartDashboard. Proceed as follows:
a In the SmartDashboard, choose Network Objects from the Manage menu.
b Select the Module object, and click Remove.

2 Reset the Trust State at the Module machine:


a At the Module machine, open the cpconfig configuration utility of the
Module.
b In the Secure Internal Communication tab click Reset.

3 Install the Security Policy on all Modules. This also deploys the new CRL to all
Modules.

How to Re-establish Trust for the Module


1 Reset the Module (see How to Reset the Trust State of the Module). If you deleted the
Module object from the SmartDashboard:
At a SMART client, connect to the SmartCenter Server and open SmartDashboard.
(In a Management High Availability configuration, connect to the Active
SmartCenter Server.)
2 Continue from “Enabling Communication — New Module Registration”, step a on
page 23.

SIC Automatic Renewal


SIC certificates are issued by default for five years from the date of issue. Prior to
NG FP3, when a SIC certificate expired, SIC for the Module had to be manually
reset. As of NG FP3, SIC certificates are renewed automatically after 75% of the life
of the certificate.
When the cpd process on the Module starts, it schedules a time when the certificate
is to be renewed. When this time arrives, cpd requests a new certificate from the
Internal Certificate Authority (ICA). When the new certificate is received, the
Module moves the current SIC certificate to $CPDIR/conf/old_sic_cert.p12,
renames the new certificate as $CPDIR/conf/sic_cert.p12, and resets SIC on the
Module.
When the ICA gets a request to renew a SIC certificate, it issues the certificate and
then schedules an event to revoke the old SIC certificate after seven days. This is
done in case the Module did not successfully complete the renew operation, and
gives the Module seven days to complete the operation.
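The following added example (not Check Point code) simulates the certificate lifecycle described in this section and in “Resetting the Trust State of the Module” above: five-year certificates, renewal scheduled by cpd at 75% of the lifetime, revocation of the superseded certificate seven days after renewal, and replacement of an older cached CRL by a newer one whenever two components negotiate SIC. Class and function names, the serial numbers and the SIC names are illustrative; the .p12 file names appear only in comments.

```python
"""Added example (not Check Point code): simulation of SIC certificate issue,
renewal at 75% of lifetime, delayed revocation of the old certificate, and CRL
propagation during SIC negotiation.  Names and serial numbers are illustrative."""
from dataclasses import dataclass

DAY = 86400
CERT_LIFETIME = 5 * 365 * DAY   # SIC certificates are issued for five years
RENEW_FRACTION = 0.75           # cpd schedules renewal at 75% of the lifetime
OLD_CERT_GRACE = 7 * DAY        # the ICA revokes the superseded certificate after seven days


@dataclass(frozen=True)
class Cert:
    serial: int
    sic_name: str        # the SIC name (DN) identifies the component, not its IP address
    issued: int
    expires: int


@dataclass(frozen=True)
class CRL:
    issued: int                        # the newer issue time wins during negotiation
    revoked: frozenset = frozenset()   # serial numbers of revoked certificates


class ICA:
    """Internal CA on the SmartCenter Server; it also stands in for that server's SIC endpoint."""

    def __init__(self, now: int):
        self._next_serial = 1
        self.crl = CRL(issued=now)
        self._scheduled = []                       # (revoke_at, serial) for superseded certs
        self.cert = self.issue("cn=cp_mgmt", now)

    def issue(self, sic_name: str, now: int) -> Cert:
        cert = Cert(self._next_serial, sic_name, now, now + CERT_LIFETIME)
        self._next_serial += 1
        return cert

    def renew(self, old: Cert, now: int) -> Cert:
        # Issue first; the Module then has OLD_CERT_GRACE to finish the switch-over.
        self._scheduled.append((now + OLD_CERT_GRACE, old.serial))
        return self.issue(old.sic_name, now)

    def revoke(self, serial: int, now: int) -> None:
        # Reset or breach: a new CRL with a new issue time and the serial added.
        self.crl = CRL(issued=now, revoked=self.crl.revoked | {serial})

    def run_scheduled(self, now: int) -> None:
        due = [s for at, s in self._scheduled if at <= now]
        self._scheduled = [(at, s) for at, s in self._scheduled if at > now]
        for serial in due:
            self.revoke(serial, now)


class Module:
    """A managed component; cpd holds sic_cert.p12 and, after a renewal, old_sic_cert.p12."""

    def __init__(self, sic_name: str, ica: ICA, now: int):
        self.cert = ica.issue(sic_name, now)
        self.old_cert = None
        self.crl = ica.crl               # cached copy, refreshed only by SIC connections
        self.renew_at = self._schedule_renewal()

    def _schedule_renewal(self) -> int:  # what cpd does when it starts
        life = self.cert.expires - self.cert.issued
        return self.cert.issued + int(life * RENEW_FRACTION)

    def cpd_tick(self, ica: ICA, now: int) -> bool:
        """Renew if the scheduled time has arrived; True when a renewal happened."""
        if now < self.renew_at:
            return False
        self.old_cert, self.cert = self.cert, ica.renew(self.cert, now)  # -> old_sic_cert.p12
        self.renew_at = self._schedule_renewal()
        return True


def sic_connect(initiator, responder, presented: Cert, now: int) -> str:
    """One SIC negotiation: CRL exchange (newer replaces older), then validation."""
    newest = max(initiator.crl, responder.crl, key=lambda c: c.issued)
    for side in (initiator, responder):
        if side.crl is not newest:
            side.crl = newest
    if presented.expires <= now:
        return "rejected: certificate expired"
    if presented.serial in responder.crl.revoked:
        return "rejected: certificate revoked"
    return "accepted"


def demo() -> dict:
    ica = ICA(0)                                    # cp_mgmt gets serial 1
    gw = Module("cn=gw,o=mgmt", ica, 0)             # serial 2
    logsrv = Module("cn=log,o=mgmt", ica, 0)        # serial 3
    t = gw.renew_at                                 # 75% of five years
    ev = {"renewed": gw.cpd_tick(ica, t)}           # gw now holds serial 4
    stolen = gw.old_cert                            # serial 2, still valid for seven days
    ev["old_cert_in_grace"] = sic_connect(gw, logsrv, stolen, t + DAY)
    ica.run_scheduled(t + OLD_CERT_GRACE)           # the ICA's CRL now lists serial 2
    # Neither gateway has talked to the SmartCenter since, so both cached CRLs are stale.
    ev["stale_crl"] = sic_connect(gw, logsrv, stolen, t + OLD_CERT_GRACE)
    # A policy install is a SIC connection from the SmartCenter: it delivers the new CRL.
    ev["policy_install"] = sic_connect(ica, logsrv, ica.cert, t + OLD_CERT_GRACE)
    ev["revoked_cert"] = sic_connect(gw, logsrv, stolen, t + OLD_CERT_GRACE)
    ev["new_cert"] = sic_connect(gw, logsrv, gw.cert, t + OLD_CERT_GRACE)
    ev["gw_synced_from_peer"] = gw.crl is ica.crl
    ica.revoke(logsrv.cert.serial, t + OLD_CERT_GRACE + DAY)       # Reset in SmartDashboard
    ev["after_reset"] = sic_connect(logsrv, ica, logsrv.cert, t + OLD_CERT_GRACE + DAY)
    return ev
```

The stale_crl result reproduces the warning in the reset procedure: until a Module has made a SIC connection to the SmartCenter Server (for example a policy install), its cached CRL does not list the revoked serial and a stolen old certificate is still accepted. Once one Module holds the new CRL, the next negotiation carries it to its peer.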

Log Viewing and Management


You can view logs maintained by the Customer Log Module using the SmartView Tracker on a
Check Point GUI Client.
For information on installing the Check Point GUI Client, see “Configuring Check Point
Products” in this book.
For information on using the VPN-1/FireWall-1 SmartView Tracker, see Chapter 11,
“SmartView Tracker” in this book.
You can also use standard VPN-1/FireWall-1 log commands for log management. For more
information, see Chapter 18, “Command Line Interface”.
To access Logs using the SmartView Tracker, you must define the GUI Clients and
VPN-1/FireWall-1 Administrators that can connect to the Customer Log Module. GUI Clients
and Administrators are defined during the installation of the VPN-1/FireWall-1 SmartCenter
Server that functions as the Customer Log Module.
For more information, see “Configuring Check Point Products” in this book.
After installation, you can add VPN-1/FireWall-1 Administrators and GUI Clients in the
following ways:


Administrators
Add or delete administrators using the Check Point Configuration application on a
VPN-1/FireWall-1 GUI Client. On Windows, go to Start > Programs > Check Point
Management Clients > Check Point Configuration NG FP3. If your logging station is running
under Unix, then you can add or delete administrators using the cpconfig command. See
“Configuring Check Point Products” in this book.

GUI Clients
Add or delete GUI Clients using the Check Point Configuration application. If your logging
station is running under Unix, then you can add or delete GUI Clients by using the cpconfig
command. See “Configuring Check Point Products” on page 25.

Frequently Asked Questions—Installing, Upgrading, Configuring
Question: How do I move VPN-1/FireWall-1 to another machine?

First of all, you must ensure that you have a valid license for the new machine. Once the license
issue is resolved, the simplest procedure is as follows:
1 Install VPN-1/FireWall-1 on the new machine.
If your SmartCenter Server manages VPN/FireWall Modules on other machines, you
must re-establish trust with each of them: re-initialize SIC for NG Modules, or repeat
the fwm putkey procedure for version 4.x Modules (see “Secure Internal
Communications for Distributed Configurations”).
2 Make a copy of the Security Policy files from the old machine.
For information on which files to backup, see “How do I back up my Security
Policy?” on page 58.
3 Restore the Security Policy backup files (see step 2 above) to the new machine.
4 Start the GUI on the new machine to confirm that the Security Policy was
successfully transferred.
5 If the new machine is the FireWalled gateway, then define the new machine as a
gateway.
In the new machine’s Workstation Properties window, check the Gateway flag.
6 Delete the old machine from the Network Object Manager.
Alternatively, you can leave the old machine, but uncheck the VPN-1 & FireWall-1
Installed flag in its Workstation Properties window.

7 Install the Security Policy.


The above procedure describes the simplest case: where the SmartCenter Server and
VPN/FireWall Modules are on one machine, and the Security Policy is installed on gateways. If
your configuration is more complicated, you will have to modify the procedure accordingly.

Question: How do I back up my Security Policy?

To back up your Security Policy, make copies of the following files:

TABLE 1-3 Backing Up a Security Policy

to back up        make a copy of these files

network objects   $FWDIR/conf/objects_5_0.C (on the SmartCenter Server)
Rule Base         $FWDIR/conf/*.W
                  $FWDIR/conf/rulebases.fws
user database     $FWDIR/database/fwauth.NDB*
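As an added example, not part of this guide, the following script backs up exactly the files in TABLE 1-3 into a compressed tar archive with a SHA-256 manifest, restores them under another $FWDIR, and checks the restored copy against the manifest; this is the check you would want when moving VPN-1/FireWall-1 to another machine as in the previous question. The file list comes from the table; the manifest format, the function names and the sample files created by demo() are this example's own.

```python
"""Added example (not Check Point code): back up the Security Policy files of
TABLE 1-3 with a SHA-256 manifest, restore them, and verify the restored copy.
demo() builds constructed $FWDIR trees in a temporary directory."""
import glob
import hashlib
import io
import json
import os
import tarfile
import tempfile

# (sub-directory under $FWDIR, file pattern) for every item in TABLE 1-3
POLICY_FILES = (
    ("conf", "objects_5_0.C"),       # network objects (SmartCenter Server only)
    ("conf", "*.W"),                 # Rule Base
    ("conf", "rulebases.fws"),
    ("database", "fwauth.NDB*"),     # user database
)


def policy_files(fwdir: str) -> list:
    found = []
    for sub, pattern in POLICY_FILES:
        found.extend(sorted(glob.glob(os.path.join(fwdir, sub, pattern))))
    return found


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(fwdir: str, archive: str) -> dict:
    """Write the archive; return the manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in policy_files(fwdir):
            rel = os.path.relpath(path, fwdir).replace(os.sep, "/")
            manifest[rel] = sha256_of(path)
            tar.add(path, arcname=rel)
        data = json.dumps(manifest, indent=1, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def restore(archive: str, fwdir: str) -> None:
    """Extract members one by one so a crafted archive cannot write outside fwdir."""
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            if m.name == "MANIFEST.json" or not m.isfile():
                continue
            if os.path.isabs(m.name) or ".." in m.name.split("/"):
                raise ValueError("refusing suspicious archive member: " + m.name)
            dest = os.path.join(fwdir, m.name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with tar.extractfile(m) as src, open(dest, "wb") as dst:
                dst.write(src.read())


def verify(fwdir: str, archive: str) -> list:
    """Files under fwdir that are missing or differ from the manifest (empty list = OK)."""
    with tarfile.open(archive, "r:gz") as tar:
        manifest = json.load(tar.extractfile("MANIFEST.json"))
    bad = []
    for rel, digest in manifest.items():
        path = os.path.join(fwdir, rel)
        if not os.path.isfile(path) or sha256_of(path) != digest:
            bad.append(rel)
    return bad


def demo() -> dict:
    """Constructed $FWDIR trees in a temporary directory; the contents are not real policy files."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = os.path.join(tmp, "old"), os.path.join(tmp, "new")
        for sub in ("conf", "database"):
            os.makedirs(os.path.join(old, sub))
        samples = {"conf/objects_5_0.C": b"(:netobj ())", "conf/Standard.W": b"(rules)",
                   "conf/rulebases.fws": b"(fws)", "database/fwauth.NDB": b"users",
                   "conf/fwauthd.conf": b"not part of the policy backup"}
        for rel, body in samples.items():
            with open(os.path.join(old, rel), "wb") as f:
                f.write(body)
        archive = os.path.join(tmp, "policy.tgz")
        manifest = backup(old, archive)
        out = {"backed_up": sorted(manifest), "ok_before": verify(old, archive)}
        restore(archive, new)
        out["ok_restored"] = verify(new, archive)
        with open(os.path.join(new, "conf/Standard.W"), "ab") as f:
            f.write(b" tampered")                  # simulate a modified restored file
        out["tampered"] = verify(new, archive)
        return out
```

Run verify() on the new machine before installing the Security Policy there: an empty list means every file in the manifest is present and unchanged, so the policy loaded on the new SmartCenter Server is the one that was backed up.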

Question: What Objects are Carried Over from the Previous Version?

When you upgrade to a new version of VPN-1/FireWall-1, the installation procedure carries
the following elements over to the new version:
• VPN-1/FireWall-1 database (users and network objects)
• Key database
• Rule Base
• Properties
• Encryption Parameters
VPN-1/FireWall-1 attempts to merge your database with its own new database. For example,
you will have the benefit of services defined in the new version and you will retain the services
you defined in the previous version. In the case of a name conflict, the old objects (the ones you
defined) will be retained.

Question: What files are modified during re-configuration?

The following files are created or modified during reconfiguration:
• control.map
• masters
• fwauth.keys
• fwauthd.conf
• cp.license
• external.if (for VPN-1/FireWall-1/25, VPN-1/FireWall-1/50, etc.)
You must create and modify the loggers file manually.

Question: Must I re-install the Security Policy after upgrading?

After upgrading, VPN-1/FireWall-1 loses its state, so you must start the GUI and install the
Security Policy.

Question: If I change the IP address of a network object, when does the change take
effect?

You must re-install the Security Policy for the change to take effect.


When you re-install a Security Policy, VPN-1/FireWall-1 internal state tables are cleared, so
there is the possibility that some connections may be lost, as follows:
• FTP data connections
If you have an open FTP connection and the Security Policy is re-installed before
the FTP server attempts to open the back connection, then the back connection
will be rejected.
• UDP connections

• TCP connections, in very rare circumstances

• An open encrypted session will be dropped if the newly installed Security Policy
allows the session to be unencrypted.
If you are concerned about losing these connections, then you should take care to re-install your
Security Policy during off-peak hours.

Question: If I have an NG management and a 4.1 or 4.0 Module, how do I re-establish
communication between them?

Version 4.0 and 4.1 VPN/FireWall Modules on hosts and gateways managed by an NG
SmartCenter Server, validate communication between them using an authentication password
that is used to set up a secure link.
For this to work, you must have installed the SmartCenter Server with backward compatibility.
If you have an NG management and a 4.1 or 4.0 Module, and you need to re-establish
communication between them (e.g. after installing a new 4.1 Module or adding a log server to a
Module) you need to use the fwm putkey authentication password (the “old way”). This is done
using either
• the cpconfig configuration utility and SmartDashboard, or
• the command line

Using cpconfig and SmartDashboard

1 In the cpconfig configuration utility of the Version 4.x VPN/FireWall Module, go
to the Masters Configuration tab and specify an authentication password.
2 Stop (fwstop) and start (fwstart) the Module.
3 In SmartDashboard, define the 4.x Module object and enter the same password in
the Communication window of the Module object.


Using fwm putkey from the command line


For the configuration depicted in FIGURE 2-1 on page 46 of the Check Point Getting Started
Guide in which BigBen is an NG SmartCenter Server, and Chelsea London and Paris are 4.0 or
4.1 hosts, you must provide the authentication passwords for three control links by performing
fwm putkey as follows:

TABLE 1-4 VPN-1/FireWall-1 distributed configuration - fwm putkey

from      to          and conversely, from    to
BigBen    Chelsea     Chelsea                 BigBen
BigBen    London      London                  BigBen
BigBen    Paris       Paris                   BigBen
To do this (using the same password for all hosts), proceed as follows:
1 Login to BigBen (the SmartCenter Server) and enter the following command:
fwm putkey -p <password> Chelsea London Paris

If you do not enter the password in the command line (using the -p <password>
syntax), you will be prompted for the password twice, as follows:
fwm putkey Chelsea London Paris
Enter secret key: <password>
Again secret key: <password>

2 Login to Chelsea and enter the following command:
fwm putkey -p <password> BigBen

3 Stop (fwstop) and start (fwstart) the Module.


4 Login to London and enter the following command:
fwm putkey -p <password> BigBen

5 Stop (fwstop) and start (fwstart) the Module.


6 Login to Paris and enter the following command:
fwm putkey -p <password> BigBen

7 Stop (fwstop) and start (fwstart) the Module.


Alternatively, you can use a different password for every host pair, as follows:
1 Login to BigBen and enter the following commands:
fwm putkey -p <password1> Chelsea
fwm putkey -p <password2> London
fwm putkey -p <password3> Paris

2 Login to Chelsea and enter the following command:
fwm putkey -p <password1> BigBen

3 Stop (fwstop) and start (fwstart) the Module.


4 Login to London and enter the following command:
fwm putkey -p <password2> BigBen

5 Stop (fwstop) and start (fwstart) the Module.


6 Login to Paris and enter the following command:
fwm putkey -p <password3> BigBen

7 Stop (fwstop) and start (fwstart) the Module.


Only after you have done this will the four machines be able to communicate on the secure
links.
Note - If you specify names (rather than IP addresses), all machines must have the same
name resolution for the other side. In this example, all machines must resolve BigBen in
the same way (to the same interface). You can use the -n parameter for the fwm putkey
command on the SmartCenter Server to ensure this. Alternatively, instead of a machine’s
name, you can specify its IP address (or a comma-separated list of the IP addresses of its
different interfaces).

Question: Is SIC tolerant of Network Address Translation (NAT)? If there is a NAT device
between the SmartCenter Server and the Module, will communication be
affected?

SIC is completely tolerant of NAT because the SIC protocol is based on certificates and “SIC
Names” and not on IP addresses. A NAT device between the SmartCenter Server and the
Module will not have any effect on their ability to communicate using SIC.

Question: How do I prevent the fingerprint of a SmartCenter Server appearing the first
time a SMART client connects to it?

1 On the SMART client machine, open the Registry Editor (on Windows machines,
use Regedit).
2 Go to the Registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Connection\5.0\
3 Add a new DWORD Value with Name NewServerOK and the Value 1.

Note - The fingerprint is the administrator’s only means of verifying that the right
SmartCenter Server is connected, rather than a machine pretending to be it (see
“Communications Between the SmartCenter Server and the SMART Client”). Suppress it
only where the identity of the SmartCenter Server is assured by other means.

Question: How do I prevent the SMART client recognizing a SmartCenter Server to which
it has already connected?

1 On the SMART client machine, open the Registry Editor (on Windows machines,
use Regedit).
2 Go to the Registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Connection\5.0\Known Servers
This entry contains the Names and fingerprints of SmartCenter Servers that the
SMART client recognizes.
3 Select the Name of the SmartCenter Server that the SMART client should no longer
recognize.
4 Click Delete.

Question:



CHAPTER 2

SmartUpdate

In This Chapter

Introduction to SmartUpdate page 63
How to Upgrade Remote Check Point Nodes page 64
The SmartUpdate GUI page 68
Product Management page 84
License Management page 97
SmartUpdate Architecture page 121
SmartUpdate FAQ page 122

Introduction to SmartUpdate

Purpose
SmartUpdate is used to centrally manage remote software installations and licensing of Check
Point products.

Why use SmartUpdate


SmartUpdate makes it possible to:
• Track Check Point software installations throughout organizations of any size.
• Upgrade frequently, to maintain network security.
• Upgrade all products on a Check Point Node with a single click.
• Upgrade the Operating System of the Check Point Node.
• Upgrade a number of Check Point Nodes simultaneously.
• View and manage licenses on all managed Check Point Nodes.
• Change an Enforcement Point’s IP address without needing to install a new license.


Installing SmartUpdate
SmartUpdate is silently installed together with the VPN-1/FireWall-1 SmartCenter Server. The
Product Management component of SmartUpdate requires a separate license, in addition to the
Management license (see “Introduction to Product Management” on page 84).
The SmartUpdate Management (GUI) Client is installed by default with the other Management
Clients.

Supported Products and Platforms


SmartUpdate supports remote upgrade of Check Point products on Check Point Nodes that
have either
• SVN Foundation NG, or
• VPN-1/FireWall-1 4.1 SP2 and above, and CPutil Check Point Remote Installation utility.
For a list of supported Check Point products, see the release notes.
The IPSO operating system on Nokia appliances and the SecurePlatform NG operating system
can also be remotely upgraded.
SmartUpdate allows you to upgrade product versions, or to add additional products to a Check
Point Node which already has VPN-1/FireWall-1 installed.
Supported platforms for the SmartUpdate SmartCenter Server and Management Client and the
managed Check Point Nodes are the same as for VPN-1/FireWall-1. See the Release Notes for
current information.

How to Upgrade Remote Check Point Nodes


This procedure explains how to use SmartUpdate to upgrade remote Check Point Nodes
(enforcement points) to NG. It assumes previous knowledge of installing and configuring Check
Point products. The stages of the procedure are:
1. Prerequisites for Remote Upgrade
2. Upgrading or Installing the SmartCenter Server
3. Configuring the SmartCenter Server
4. Adding Products to the Product Repository
5. Using SmartUpdate to Upgrade Check Point Nodes

1. Prerequisites for Remote Upgrade


For the Check Point Nodes and the SmartCenter Server, obtain licenses from the User Center
at http://www.checkpoint.com/usercenter. Existing version NG Check Point Nodes and an NG
SmartCenter Server do not require new licenses.

Requirements for Upgrading Remote Nodes from Version 4.1


• VPN-1/FireWall-1 4.1 SP2 (or higher).


• fw putkey connection between the SmartCenter Server and version 4.1 remote Check
Point Nodes.
• CPutil installed and configured. This is required for CPRID, which is needed for all
remote product operations.
The CPutil package and associated Release Notes are available on the Check Point 2000
CD and from http://www.checkpoint.com/techsupport/installation/ng/index.html

Requirements for Upgrading Remote Nodes from NG


Ensure that there is Secure Internal Communication between the SmartCenter Server and the
Check Point Nodes to be upgraded.

2. Upgrading or Installing the SmartCenter Server


1 Upgrade the SmartCenter Server to the latest version, or install a new SmartCenter Server.
2 Reboot the SmartCenter Server.

3. Configuring the SmartCenter Server


1 Install the latest version of the Management Clients, including SmartUpdate.
2 For a new SmartCenter Server installation, install on the SmartCenter Server the NG
Management license and the SmartUpdate license, using the cpconfig configuration tool,
or the cplic put command. The SmartUpdate license is needed for Product Management
capabilities.
3 For a new SmartCenter Server installation, define the remote Check Point Nodes in
SmartDashboard.
4 Make sure that the Administrator SmartUpdate permissions (as defined in the cpconfig
configuration tool) are Read/Write. Alternatively, log in as root.
5 To upgrade version 4.1 Check Point Nodes, ensure that in the SmartDashboard, in the
Policy Global Properties window FireWall-1 Implied Rules page, Accept CPRID Connections (SmartUpdate) is
checked. By default, it is checked.

4. Adding Products to the Product Repository


Use SmartUpdate to add products to and delete products from the Product Repository.
Products can be added to the Repository
• directly from the Check Point Download Center web site,
• by adding them from the Check Point CD, and
• by importing a file.
When a product is added to the Product Repository, the product file is transferred to the
SmartCenter Server. The Operation Status window opens. Use it to verify the success of the
file transfer. The Product Repository is then updated to show the new product object.

Chapter 2 SmartUpdate 65

Adding Products to the Repository from the Download Center


1 Select Products> New Product> Add From Download Center... If you accept the License
Agreement, the Download Products window opens.
2 Enter your username and password to gain access to the Download Center.

Note - The user name and the password are transmitted using SSL secured communication.

3 Select the product(s) to download. You can view a filtered list of products (for example,
view only the product upgrade packages for installed products), and the Release Notes.
4 Click Download. The product(s) are downloaded and added to the Product Repository.
The packages are downloaded to a temporary directory on the GUI Client machine and
then transferred to the SmartCenter Server, under the $SUROOT directory.
The Check Point Download Center web site can also be accessed manually at
http://www.checkpoint.com/techsupport/downloads/downloads.html

Adding Products to the Repository from the Check Point CD


1 Insert the Check Point CD into the SmartUpdate Client machine.
2 Open SmartUpdate and select Product> New Product> Add From CD…
The Browse to Folder window opens.
3 Browse for the location of the CD drive, and click OK.
The Add Product From CD window opens, showing the available products on the CD.
4 Select the product(s) to be added to the repository (Ctrl-select for more than one product),
and click OK.

Adding A Product to the Repository by Importing a File


Use this procedure for adding OPSEC packages and Hotfixes to the Product Repository.
1 Download the product files from the Download Center at
http://www.checkpoint.com/techsupport/downloads/downloads.html and save them to the
local disk.
2 Open SmartUpdate
3 Either,
a select Products> New Product> Import File…
The Add Product window opens.
b Navigate to the desired .tgz file on the local disk and click Open.
Or,
Drag and drop the product package .tgz file into the Product Repository window.

5. Using SmartUpdate to Upgrade Check Point Nodes


All Check Point products on a Check Point Node can be remotely updated to the latest version
in a single operation. Use this procedure to upgrade version NG products.

Upgrading All Products on Remote Check Point Nodes


4 In SmartUpdate, select Products > Upgrade All Products and select one or more Check
Point Nodes.
The requested operation is verified by checking the following:
• The required products of the latest version are in the Product Repository.
• All Check Point products installed on the remote Check Point Nodes are of the same
NG version.
• Installation logic, disk space, and a cprid (Check Point Remote Installation Daemon)
connection to the Check Point Node.
5 If verification is successful, the Upgrade All Products window opens showing the currently
installed products and the products to be installed on the chosen Check Point Nodes.
If one or more of the required products are missing from the Product Repository,
SmartUpdate will open the Download Products window. You can then download the
required product directly to the Product Repository.
Note that the Reboot Check Point Node After Installation option (checked by default) is
required in order to activate the newly installed product.
6 Click Upgrade.
The Operation Status window opens and shows the progress of the operation. Each
operation is represented by a single entry. Double click the entry to open the Operation
Details window which shows the operation history.

Upgrading a Single Product on a Check Point Node


Use this procedure to upgrade the operating system on a Nokia Appliance and on
SecurePlatform NG, and to upgrade version 4.1 products.
1 Drag and drop the latest version of SVN Foundation from the Product Repository over the
Check Point Node object in the Products tab.
Follow the progress of the operation in the Operation Status window.
2 Drag and drop the latest version of each of the desired Check Point products, one at a time,
from the Product Repository over the Check Point Node object in the Products tab.
Follow the progress of the operation in the Operation Status window.


The SmartUpdate GUI

In This Section

Starting the SmartUpdate GUI page 68
Elements of the SmartUpdate GUI page 69
Products and Licenses tabs page 70
Product and License Repositories page 71
License Type Icons page 72
Operation Status page 73
Docking Windows page 75
Searching for Text page 75
Printing Views page 76
SmartUpdate Menus and Toolbar page 76

Starting the SmartUpdate GUI


1 To start SmartUpdate, proceed as follows:

TABLE 2-1 Starting the SmartUpdate GUI

Window System | Action
Windows | Select Start>Programs>Check Point Management Clients>SmartUpdate NG FP3.
X/Motif | Run /opt/CPclnt-50/bin/SmartUpdate

The SmartUpdate login window (FIGURE 2-1) is displayed.


FIGURE 2-1 Check Point SmartUpdate login window


1 Log in using either your user name and password or a certificate.
2 Enter the name of the machine on which the SmartCenter Server is running. Enter either a
resolvable machine name or an IP address. To define a new user on the SmartCenter Server,
see “To Add an Administrator” on page 31.
3 For advanced Certificate Management, Compression Optimization and Advanced Options,
click More Options >> .
4 To work in demonstration mode, check Demo Mode.

Elements of the SmartUpdate GUI


After logging in and clicking OK, there is a brief delay while the VPN-1/FireWall-1 database
is loaded, after which the SmartUpdate GUI opens.
FIGURE 2-2 shows the elements of the SmartUpdate GUI.
FIGURE 2-2 The SmartUpdate GUI (callouts: Licenses tab; Management Server; Gateway; Product
Repository; an attached license as it appears in the Licenses tab and in the License Repository;
License Repository; a floating window and a docked window; Operation Status entry (double click
to see Operation Details); Management Server to which the GUI is connected; User permissions)


Products and Licenses tabs


The SmartUpdate GUI main window contains the:
• Products tab — showing the products and Operating Systems installed on the Check Point
Nodes managed by the SmartUpdate SmartCenter Server. Operations that relate to products
can only be done in the Products tab.
• Licenses tab — showing the attached licenses on the managed Check Point Nodes.
Operations that relate to licenses can only be done in the Licenses tab.
To sort the licenses or products in ascending or descending order, click a column title.

The Check Point Node Tree


The managed Check Point Nodes tree in the Products and Licenses tabs shows the products
installed on, and the licenses attached to, the Check Point Nodes that are managed by the
SmartCenter Server.
A Managed Check Point Node is a Gateway or host object that has a Check Point product marked as
installed in the General page of the object’s Check Point Gateway Properties in the
SmartDashboard. The minimal Check Point product is the SVN Foundation.
FIGURE 2-3 Managed Check Point Nodes tree in the Products tab (left), and in the Licenses
tab (right)

The tree has three levels:
• Root—Name of the SmartCenter Server to which the GUI is connected.
• Second level—Names of the Check Point Nodes configured in the SmartDashboard.
• Third level—Check Point products (in the Products tab) or installed licenses (in the
Licenses tab) on the Check Point Nodes.


The Managed Check Point Nodes tree structure can be expanded or collapsed to display all or
hide all the installed products or licenses. To expand or collapse the tree, right click on the tree
root and choose Expand/Collapse, or use the Expand All or Collapse All button on the toolbar.

Product and License Repositories


The Product Repository and the License Repository windows can be opened in both the
Licenses tab and the Products tab.
• The Product Repository shows all the products available for installation (Click on the
toolbar, or Products> View Repository in the menu).
Double click a product in the repository to start the Installation wizard for a single product
installation.
FIGURE 2-4 Product Repository

• The License Repository shows all attached and unattached licenses (Click on the
toolbar, or Licenses> View Repository in the menu).
FIGURE 2-5 License Repository

To sort the licenses or products in ascending or descending order, click a column title.

Changing Repository View options


To change the Product or License Repository view options, right click (FIGURE 2-6) on a
blank row or column in the Repository window.


FIGURE 2-6 Product and License Repository View Options

Select one of the following options:
• Details
• Small Icons
• List

Select or deselect Show Grid, as preferred.

License Type Icons


Licenses icons appear in the License Repository and in the Licenses tab of the SmartUpdate
GUI.

TABLE 2-2 License Type Icons

Icon | Meaning
Attached Central License — this license has been added to the License Repository and attached to (installed on) a Check Point Node.
Unattached Central License — this license has been added to the License Repository and is available for attachment to a Check Point Node.
Attached Local License — this icon (colored yellow) represents both NG Local and 4.1 Local Licenses. This license has been either
• installed locally and retrieved into the License Repository, or
• added to the Repository and automatically attached to the remote Check Point Node.
Evaluation License — a “floating”, limited evaluation license that is not associated with a specific IP address. It can be attached to any Check Point Node, and to more than one Check Point Node at a time.

For more information about License Types, see “License Types: Central, Local” on page 98.
To view only one type of license, right click (FIGURE 2-7) in the License Repository window.


FIGURE 2-7 License Repository View Options (when no license is selected)

Select one of the following options:
• View All Licenses
• View Unattached Licenses
• View Attached Licenses

Operation Status
The Operation Status window shows current and past SmartUpdate operations.
FIGURE 2-8 Operation Status window

Each entry contains:

Column | Contains
Operation | Status Icon and Operation description. Example descriptions are: Installing product <X> on Check Point Node <Y>, or Attaching license <L> to Check Point Node <Y>. For the meaning of the status icons, see “Operation Status Icons” on page 74.
Status | Current status. The stage of the operation (applicable command line) and Success/Failure for each stage and for the whole operation.
Progress | Whether in progress or done.
Time | Operation time. When the operation is complete this changes from start time to finish time.

Note -
1. A log file of SmartUpdate remote product operations is generated in the $SUROOT\log
directory. The filename is <Check Point Node name>_SmartUpdate.elg.
2. An audit log of SmartUpdate Operations is available in the SmartView Tracker.


Operation Status Icons


The following list shows the possible Status messages and their related icons that can appear in
the second column of the Operation Status window. Error messages appear in red:

Icon | Status Message (and meaning)
• Operation started or in progress.
• Operation completed.
• A warning.
• Operation failed, stopped by user, or timed out.

Viewing Operation Details


To view operation details, in the Operation Status window, double click the operation entry, or
press the Enter key, or right click and select Operation Details (FIGURE 2-9).
FIGURE 2-9 Viewing Operation Details

The Operation Details window shows the operation description, start and finish times, and
progress history. The window is resizable. An example is shown in FIGURE 2-10.
Status lines can be copied to the clipboard. Select the line, right click and choose Copy.
FIGURE 2-10 Operation Details window

Description — a description of the operation.
Started at/Finished at — The date (dd/mm/yy) and time when the operation started. If the
operation has finished, the finish date and time is shown.


Operation History — The History of the operation, dynamically updated as the operation
progresses.

Stopping an Operation and Clearing Completed Operations


An installation related operation can be stopped when in progress, and completed operations can
be cleared from the Operation Status window.
For more information see “Stopping an Operation and Clearing Completed Operations” on
page 96.

Docking Windows
• The Product and License Repository windows, and the Operation Status window can be
either docked or floating.
• When SmartUpdate is opened, the Product and License Repository windows are docked in
the lower part of the SmartUpdate main window, and the Operation status view is hidden.
The Operation Status window appears when the first remote operation is performed.
• To toggle between a floating and a docked window, double click the window title, or drag
and drop the window.
• To close or open a window use the toolbar button or the menu item of the window.
• A reopened window opens in its previous size and position (docked or floating).

Searching for Text


To search for any text string, proceed as follows:
1 On the toolbar click the Find button, or from the Tools menu, select Find.
The Find window is displayed, see FIGURE 2-11.
FIGURE 2-11 The Find window

2 Enter the string for which you would like to search in the Find what field.
Select where you would like to search:
• License Management
• Product Management
• License Repository
• Product Repository
Check Match whole word only to find the string exactly as it is specified in the Find window.
Check Match case to make your search case sensitive.
Use the Up and Down buttons to choose the direction of your search.
Use the Find next button to continue your search.

Printing Views
To print a view, proceed as follows:
1 From the File menu, select Print.
The Choose Window window is displayed. See FIGURE 2-12.
FIGURE 2-12 The Choose Window window

2 Select the window to print:
• Operation Status
• License Management
• Product Management
• Product Repository
• License Repository

To preview before printing, select Print Preview.

To adjust the print setup, select Print Setup… .

SmartUpdate Menus and Toolbar

In This Section

SmartUpdate Menu page 77
SmartUpdate Toolbar page 82


SmartUpdate Menu

File Menu

TABLE 2-3 File Menu Commands

Menu Command | Description | See | Toolbar Button
Print | Print the Product or License tab, the License or Product Repository, or the Operation Status window. | “Printing Views” on page 76 | none
Print Preview | Preview before printing one of the printable windows. | “Printing Views” on page 76 | none
Print Setup... | Set up the printer. | “Printing Views” on page 76 | none
Exit | Exit SmartUpdate. | “Printing Views” on page 76 | none

View Menu

TABLE 2-4 View Menu Commands

Menu Command | Description | See | Toolbar Button
Toolbar | Show the toolbar. | “SmartUpdate Toolbar” on page 82 | none
Status Bar | Show the status bar (at the bottom of the SmartUpdate window). | “Elements of the SmartUpdate GUI” on page 81 | none

Tree Menu

TABLE 2-5 Tree Menu Commands

Menu Command | Description | See | Toolbar Button
Expand All | Expand all the objects in the Check Point Nodes Tree. | “The Check Point Node Tree” on page 70 |
Collapse All | Collapse all the objects in the Check Point Nodes Tree. | “The Check Point Node Tree” on page 70 |


Products Menu

TABLE 2-6 Products Menu Commands

Menu Command | Description | See | Toolbar Button
Upgrade All Products | Upgrade all products on the selected Check Point Node. | “Upgrading All Products” on page 88 |
Install... | Install a product on one or more remote Check Point Nodes. | “Installing a Single Product” on page 89 |
Uninstall... | Remotely uninstall a product from one or more remote Check Point Nodes. | “Uninstalling a Product” on page 92 |
Verify Installation... | Test whether the product can be installed on the remote Check Point Node. | “Verifying an Installation” on page 94 |
Get Data From All | Update the Product Repository with the installed products and OS of all Check Point Nodes. | “To Get Data From All Check Point Nodes” on page 96 | None
Get Check Point Node Data | Update the Product Repository with the installed products and OS of the selected Check Point Node. | “To Get Check Point Node Data” on page 96 |
Reboot Check Point Node | Boot the remote computer. | “Booting a Check Point Node” on page 95 |
New Product> Add From Download Center... | Add product(s) to the Product Repository directly from the Check Point Download Center web site. | “Managing the Product Repository” on page 85 |
New Product> Add From CD... | Add a product to the Product Repository from the Check Point CD. | “Managing the Product Repository” on page 85 |
New Product> Import File... | Add a product to the Product Repository by importing a product file downloaded from the Check Point Download site. | “Managing the Product Repository” on page 85 |
Delete Product | Delete the selected products from the Product Repository. | “Managing the Product Repository” on page 85 | None
View Repository | Show or close the Product Repository, which shows all the products available for installation. | “Product and License Repositories” on page 71 |

Licenses Menu

TABLE 2-7 Licenses Menu Commands

Menu Command | Description | See | Toolbar Button
Attach... | Install the license on the remote Check Point Node, and associate the license in the License Repository with the Check Point Node object. | “Attaching a License to a Check Point Node” on page 105 |
Detach... | Uninstall the license from the remote Check Point Node, and make the license in the License Repository available to any Check Point Node. | “Detaching a License from a Check Point Node” on page 109 |
Upgrade... | Upgrade all version 4.1 licenses on Check Point Nodes and in the License Repository with new NG licenses. | “Automatically Upgrading Version 4.1 Licenses” on page 117 |
Get Check Point Node Licenses | Retrieve locally installed license(s) from one Check Point Node into the License Repository, and delete from the Repository locally deleted licenses. | “Getting Locally Installed Licenses From a Check Point Node” on page 111 | none
Get All Licenses | Retrieve locally installed license(s) in all managed Check Point Nodes into the Repository, and delete from the Repository all locally deleted licenses. | “Getting Locally Installed Licenses From a Check Point Node” on page 111 | none
New License> Add From User Center... | Add a license to the License Repository by downloading it from the User Center. | “Downloading a License File From the User Center” on page 102 |
New License> Add Manually... | Add a license to the License Repository by copying license details. | “Adding a License to the License Repository” on page 101 |
New License> Import File... | Add license(s) to the License Repository by importing from a file. | “Adding a License to the License Repository” on page 101 |
Delete License | Delete unattached licenses from the License Repository. | “Deleting a License from the License Repository” on page 112 | none
Show Expired Licenses | Check for expired licenses. | “Checking for Expired Licenses” on page 115 | none
View Repository | Show or close the License Repository, containing all attached and unattached licenses. | “Product and License Repositories” on page 71 |


Status Menu

TABLE 2-8 Status Menu Commands

Menu Command | Description | See | Toolbar Button
Clear All Completed Operations | Clear all completed operations from the Operation Status view. | “Operation Status” on page 73 | none
View Operation Status | Show the Operation Status window. | “Operation Status” on page 73 |

Tools Menu

TABLE 2-9 Tools Menu Commands

Menu Command | Description | See | Toolbar Button
Find... | Find a specified text in the SmartUpdate Products tab, Licenses tab, License Repository or Product Repository. | “Searching for Text” on page 75 |

Window Menu

TABLE 2-10 Window Menu Commands

Menu Command | Description | See | Toolbar Button
SmartDashboard | Run the SmartDashboard. | Chapter 3, “Graphical User Interface” | none
SmartView Tracker | Run the SmartView Tracker. | Chapter 11, “SmartView Tracker” | none
SmartView Status | Run the SmartView Status. | Chapter 12, “SmartView Status” | none
SmartView Monitor | Run the SmartView Monitor. | Check Point SmartView Monitor Guide | none
SecureClient Packaging Tool | Run the SecureClient Packaging Tool. | Check Point Virtual Private Networks Guide, Chapter 5, “Customizing Client Packages” | none
User Monitor | Run the User Monitor. | Check Point SmartCenter Guide | none


Help Menu

TABLE 2-11 Help Menu Commands

Menu Command | Description | See | Toolbar Button
Help Topics | Open the on-line Help. | | none
Upgrade Guide | On-line Acrobat PDF document explaining how to remotely upgrade to the latest Check Point NG Feature Pack. | “How to Upgrade Remote Check Point Nodes” on page 64 |
Check Point NG License Guide | Document explaining the licensing requirements for Check Point products. https://usercenter.checkpoint.com/ucdocs/SummaryLicensing.htm | |
Check Point Download Center | http://www.checkpoint.com/techsupport/downloads/downloads.html | “cppkg add” on page 643 | none
Check Point User Center | http://www.checkpoint.com/UserCenter | “Obtaining Licenses” on page 100 | none
Check For Latest Updates | https://support.checkpoint.com/downloads/bin/autoupdate/su/ng/fp3/fp3su_updateinfo.txt | | none
Online Software Updates | http://www.checkpoint.com/techsupport/ng/fp2_updates.html | | none
What’s New In Check Point Software | http://www.checkpoint.com/techsupport/ng/fp2_whatsnew.html | | none
About Check Point SmartUpdate | Display build number and copyright. | | none

SmartUpdate Toolbar
The SmartUpdate Toolbar provides shortcuts for some menu commands.


FIGURE 2-13 SmartUpdate Toolbar

TABLE 2-12 Toolbar Buttons and Corresponding Menu Commands

Toolbar Button | Menu Command | See
| Check Point Nodes > Expand All | Expand all the objects in the Check Point Nodes Tree.
| Check Point Nodes > Collapse All | Collapse all the objects within their respective Check Point Nodes in the Check Point Nodes Tree.
| Products> Upgrade All Products | “Upgrading All Products” on page 88
| Products> Install... | “Installing a Single Product” on page 89
| Products> Uninstall... | “Uninstalling a Product” on page 92
| Products> Verify Installation... | “Verifying an Installation” on page 94
| Products> Add Products From Download Center... | “Adding Products to the Repository from the Download Center” on page 62
| Products> Add Products From CD... | “Adding Products to the Repository from the Check Point CD” on page 62
| Products> Import Product From File... | “Adding A Product to the Repository by Importing a File” on page 63
| Product> Get Check Point Node data | “Getting Check Point Node Data” on page 96
| Products> Reboot Check Point Node | “Booting a Check Point Node” on page 95
| Licenses> Attach | “Attaching a License to a Check Point Node” on page 105
| Licenses> Detach | “Detaching a License from a Check Point Node” on page 109
| Licenses> New License> Add From User Center... | “Downloading a license file directly from the User Center” on page 102
| Licenses> New License> Add Manually... | “Adding a License to the License Repository” on page 101
| Licenses> New License> Import File... | “Adding a License to the License Repository” on page 101
| Products> View Repository | “Product and License Repositories” on page 71
| Licenses> View Repository | “Product and License Repositories” on page 71
| Status> View Operation Status | “Operation Status” on page 73
| Tools> Find | “Searching for Text” on page 75
| Help> Upgrade Guide | “How to Upgrade Remote Check Point Nodes” on page 64
| Help> Help Topics | Activate context sensitive help for SmartUpdate windows, toolbar icons and menu commands.

Product Management

In This Section

Introduction to Product Management page 84
Managing the Product Repository page 85
Installing Products — Overview page 87
Upgrading All Products page 88
Installing a Single Product page 89
Uninstalling a Product page 92
Verifying an Installation page 94
Booting a Check Point Node page 95
Getting Check Point Node Data page 96
Stopping an Operation and Clearing Completed Operations page 96

Introduction to Product Management


SmartUpdate allows you to centrally manage Check Point product installations on Check Point
Nodes throughout the organization.


SmartUpdate provides a central view of available and installed products. The administrator can:
• Upgrade all NG products and the Operating System on a Check Point Node to the latest
version in one click (page 67).
• Upgrade major and minor versions (page 64).
• Uninstall major and minor versions (page 92).
• Manage the Product Repository (page 85).
• View remote operation progress status (page 73).
• Verify an installation (page 94).
• Remotely boot a Check Point Node (page 95).
• Get Check Point Node data (page 96).
• Stop a remote operation (page 96).
SmartUpdate Product Management requires a separate license, in addition to the License for the
SmartCenter Server. Install a license with one of the following SKUs:
CPMP-SUP-1-NG for managing one remote Check Point Node
CPMP-SUP-U-NG for managing an unlimited number of remote Check Point Nodes

Managing the Product Repository


Use SmartUpdate to add products to and delete products from the Product Repository.
Products can be added to the Repository
• directly from the Check Point Download Center web site,
• by adding them from the Check Point CD, and
• by importing a file.
When a product is added to the Product Repository, the product file is transferred to the
SmartCenter Server. The Operation Status window opens. Use it to verify the success of the
file transfer. The Product Repository is then updated to show the new product object.

Adding Products to the Repository from the Download Center


1 Select Products> New Product> Add From Download Center... If you accept the License
Agreement, the Download Products window opens.
2 Enter your username and password to gain access to the Download Center.

Note - The user name and the password are transmitted using SSL secured communication.

3 Select the product(s) to download. You can view a filtered list of products (for example,
view only the product upgrade packages for installed products), and the Release Notes.


4 Click Download. The product(s) are downloaded and added to the Product Repository.
The packages are downloaded to a temporary directory on the GUI Client machine and
then transferred to the SmartCenter Server, under the $SUROOT directory.
The Check Point Download Center web site can also be accessed manually at
http://www.checkpoint.com/techsupport/downloads/downloads.html

Adding Products to the Repository from the Check Point CD


1 Insert the Check Point CD into the SmartUpdate Client machine.
2 Open SmartUpdate and select Product> New Product> Add From CD…
The Browse to Folder window opens.
3 Browse for the location of the CD drive, and click OK.
The Add Product From CD window opens, showing the available products on the CD.
4 Select the product(s) to be added to the repository (Ctrl-select for more than one product),
and click OK.

Adding A Product to the Repository by Importing a File


Use this procedure for adding OPSEC packages and Hotfixes to the Product Repository.
1 Download the product files from the Download Center at
http://www.checkpoint.com/techsupport/downloads/downloads.html and save them to the
local disk.
2 Open SmartUpdate
3 Either,
a select Products> New Product> Import File…
The Add Product window opens.
b Navigate to the desired .tgz file on the local disk and click Open.
Or,
Drag and drop the product package .tgz file into the Product Repository window.

Deleting Products from the Product Repository

Note - This action cannot be undone.

1 In the Product Repository, select a product, or Ctrl-select multiple products.


2 From the menu, select Products> Delete Product, or
in the Product Repository, right click and select Delete Product, or
press the Delete key.
The product is deleted from the Repository, and the Product Repository window is updated.

Command line: cppkg


To manage the product repository via the command line, see “Product Repository
Management” on page 643.

Installing Products — Overview


SmartUpdate allows all products on a Check Point Node to be updated to the latest version in
a single operation (see “Upgrading All Products” on page 88). It is possible to upgrade products
on a machine, one at a time (see “Installing a Single Product” on page 89).
On a Nokia Appliance and on SecurePlatform NG FP3, SmartUpdate makes it possible to
upgrade both the OS and all installed products. First, upgrade the OS and boot the machine, as
described in “Installing a Single Product” on page 89, and then upgrade all the other products
to the latest version.

Note - To upgrade a Check Point HA Cluster, see the FAQ: “How do I upgrade a Check
Point ClusterXL gateway cluster?” on page 124

For updates from version 4.1 to NG FP1, Secure Internal Communication (SIC) is automatically
upgraded.
SmartUpdate product packages (NG FP2 and higher) are the same as ordinary installation
packages.
Before the installation begins SmartUpdate makes sure that the installation will succeed. It
checks that the remote Check Point Node can be reached, that the package to be installed is
valid for the remote Check Point Node — including product dependencies and prerequisites —
and that there is enough disk space. This can also be done separately (see “Verifying an
Installation” on page 94).
If the product upgrade fails, SmartUpdate restores the previously installed version. The
installation can be stopped at any time up until the actual installation (see “Stopping an
Operation and Clearing Completed Operations” on page 96).
The following is an overview of the installation process:
1 Review “How to Upgrade Remote Check Point Nodes” on page 64.
2 Update the Check Point Node OS and product data. (See “Getting Check Point Node
Data” on page 96).
3 Add any required packages to the Product Repository (see “Managing the Product
Repository” on page 85).

Chapter 2 SmartUpdate 87

4 Install with the boot option checked.

After installing the product:
1 Install the license on the remote Check Point Node.
See “License Management” on page 97.
2 Install the Policy on the remote Check Point Node.

Upgrading All Products


All Check Point products on a Check Point Node can be remotely updated to the latest version
in a single operation. Use this procedure to upgrade version NG products.
Version 4.1 products must be upgraded individually, as described in “Installing a Single Product”
on page 89. Upgrading a single NG product is not recommended because of the various product
and version dependencies.
Note -
1. It is highly recommended to use the boot option when installing. For VPN-1/FireWall-1
installations, boot is required to switch the kernel and to make Secure Internal
Communication work.
2. The remote installation may take some time, depending on the network load and the
package size. View operation progress using the Operation Status window (see page 73).

Upgrading All Products on a Check Point Node


1 Add the product packages to the repository. Do this by downloading the required product
packages from the Check Point Download Center or the Check Point NG FP2 (or higher)
CD. See “Managing the Product Repository” on page 85.
2 In SmartUpdate, select Products > Upgrade All Products and select one or more Check
Point Nodes.
The requested operation is verified by checking the following:
• The required products of the latest version are in the Product Repository.
• All Check Point products installed on the remote Check Point Nodes are of the same
NG version.
• Installation logic, disk space, and a cprid (Check Point Remote Installation Daemon)
connection to the Check Point Node.
3 If verification is successful, the Upgrade All Products window opens showing the currently
installed products and the products to be installed on the chosen Check Point Nodes.
If one or more of the required products are missing from the Product Repository,
SmartUpdate will open the Download Products window. You can then download the
required product directly to the Product Repository.
Note that the Reboot Check Point Node After Installation option (checked by default) is
required in order to activate the newly installed product.

4 Click Upgrade.
The Operation Status window opens and shows the progress of the operation. Each
operation is represented by a single entry. Double click the entry to open the Operation
Details window which shows the operation history.

Installing a Single Product


Version 4.1 products on a Check Point Node must be upgraded one at a time. The
products must be of version 4.1 SP2 or higher with CPutil installed and a CPRID
connection established.
Upgrading a single NG product at a time is not recommended because of the various product
and version dependencies.
One product can be installed on a number of different Check Point Nodes. The installations
proceed simultaneously. Each installation has its own Operation Status entry (see “Operation
Status” on page 73).
Note -
1. It is highly recommended to use the boot option when installing. For VPN-1/FireWall-1
installations, boot is required to switch the kernel and to make Secure Internal
Communication work. However, boot ONLY after all installed products are of the same
version.
2. The remote installation may take some time, depending on the network load and the
package size. View operation progress using the Operation Status window (see page 73).

The maximum number of simultaneous installations is limited to 10 at a time. Any installations
above that number are held in a queue, and a new installation will begin as soon as one
completes.

Installing to a Single Check Point Node Using Drag-and-Drop


1 Open the Product Repository by clicking on the toolbar, or select Products> View
Repository in the menu.

2 Drag and drop a product from the Product Repository onto the Check Point Node in the
Products tab. Make sure the product Operating System matches the destination Check
Point Node OS.
3 Follow the progress of the installation in the Operation Status window (see “Operation
Status” on page 73).

Note - The Check Point Node will boot after installation.


Installing to a Single Check Point Node Using the Products tab


1 From the Products tab, select the Check Point Node.
2 Right click, and select Install Product... (as shown in FIGURE 2-14).
FIGURE 2-14 Install Product right click menu

The Install Product window opens. This window contains all the products that can be
installed on the selected Check Point Node.
FIGURE 2-15 Install Product window

3 Select the product that you wish to install. Be sure to check Reboot Check Point Node(s)
only if all products will be of the same version after installation. This will reboot the Check
Point Node following installation.
4 Click Install.

5 Follow the progress of the installation in the Operation Status window (see “Operation
Status” on page 73).

Installing to Multiple Check Point Nodes Using the Wizard


1 Select Install... from the Products menu, or click on the toolbar. The Install
Product window (FIGURE 2-16) opens.


FIGURE 2-16 Install Product wizard — Select a Check Point Node

2 Select the Check Point Nodes on which to install the product. Make sure that they all have
the same OS. Either Select All Check Point Nodes, or Ctrl click to select more than one
Check Point Node. Be sure to check Reboot Check Point Node(s) only if all products will
be of the same version after installation. This will reboot the Check Point Nodes following
installation. Click Next.
The window shows the available products in the Repository for the selected Check Point
Nodes.
FIGURE 2-17 Install Product wizard — Select a Product

3 Select the product that you wish to install. Make sure the product Operating System
matches the destination Check Point Node OS. Click Finish.
4 Follow the progress of the installation in the Operation Status window. If the product is
installed to more than one Check Point Node, each installation has its own Operation
Status entry (see “Operation Status” on page 73).


Installing to Multiple Check Point Nodes Using the Product Repository


1 Open the Product Repository by clicking on the toolbar, or select Products> View
Repository in the menu.

2 From the Product Repository, select a product.
3 Right click, and select Install Product... (as shown in FIGURE 2-18).
FIGURE 2-18 Install Product from Repository right click menus

The Install Product window opens (see FIGURE 2-19).
FIGURE 2-19 Install Product window — Select a Check Point Node

4 Select a Check Point Node on which to install the product. Make sure the product
Operating System matches the destination OS. Either Select All Check Point Nodes, or
Ctrl click to select more than one Check Point Node. Be sure to check Reboot Check
Point Node(s) only if all products will be of the same version after installation.

5 Click Install.

6 Follow the progress of the installation in the Operation Status window (see “Operation
Status” on page 73).

Command line: cprinstall install


To install via the command line, see “cprinstall install” on page 653.

Uninstalling a Product
Products can be uninstalled remotely using SmartUpdate. Uninstalling VPN-1/FireWall-1, SVN
Foundation and FloodGate-1 restores the previously installed version.


It is highly recommended to boot the remote Check Point Node after uninstalling.
Before the uninstallation begins, SmartUpdate makes sure that the remote Check Point Node
can be reached, and that the product is installed on the remote Check Point Node.
After uninstalling a product, get the Check Point Node data (see “Getting Check Point Node
Data” on page 96).
When downgrading an NG product to version 4.1, if the product had licenses installed on it
remotely from the SmartCenter Server, the licenses will still exist in the License Repository. You
should therefore update the License Repository (see “Getting Check Point Node Licenses into
the License Repository” on page 150).
Alternatively, if you delete the Check Point Node object of the uninstalled product from the
GUI, the licenses will be detached from this object in the License Repository.

Uninstalling From a Single Check Point Node


1 From the Products tab, select the Check Point Node.
2 Right click, and select Uninstall Product... The Uninstall Product window opens. This
window contains all the products that can be uninstalled from the selected Check Point
Node.
3 Select the product that you wish to uninstall. To reboot the Check Point Node following
uninstallation (recommended), check Reboot Check Point Node(s).
4 Click Uninstall.

5 Follow the progress of the uninstallation in the Operation Status window (see “Operation
Status” on page 73).
6 After uninstalling, get the Check Point Node data (see “Getting Check Point Node Data”
on page 96) and if the Check Point Node had remotely installed licenses, get the licenses
(see “Getting Check Point Node Licenses into the License Repository” on page 150).

Uninstalling From Multiple Check Point Nodes Using the Wizard


1 Select Uninstall... from the Products menu, or click on the toolbar. The Uninstall
Product window opens.
2 Select the Check Point Nodes from which to uninstall the product. Make sure they are of
the same OS. Either Select All Check Point Nodes, or Ctrl click to select more than one
Check Point Node. To reboot the Check Point Node following uninstallation
(recommended), check Reboot Check Point Node(s). Click Next.
The window shows the products common to all selected Check Point Nodes, that can be
uninstalled.
3 Select the product that you wish to uninstall, and click Finish.


4 Follow the progress of the uninstallation in the Operation Status window. If the product is
uninstalled from more than one Check Point Node, each uninstallation has its own
Operation Status entry (see “Operation Status” on page 73).

5 After uninstalling, get the Check Point Node data (see “Getting Check Point Node Data”
on page 96), and if the Check Point Node had remotely installed licenses, get the licenses
(see “Getting Check Point Node Licenses into the License Repository” on page 150).

Command line: cprinstall uninstall


To uninstall via the command line, see “cprinstall uninstall” on page 654.

Verifying an Installation
Before installing a product it is possible to test whether the product can be installed on the
remote Check Point Node. The test verifies that
• the Operating System and currently installed products are appropriate for the product to be
installed,
• there is a CPRID connection to the remote machine,
• there is sufficient disk space,
• the product is not already installed, and that
• the product dependencies are fulfilled.
SmartUpdate automatically performs this test before a remote installation begins.

Verifying an Installation to a Single Check Point Node


1 From the Products tab, select the Check Point Node.
2 Right click, and select Verify installation...
The Verify installation window opens. This window contains all the products that can be
installed on the selected Check Point Node.
3 Select the product that you wish to install and click Verify.

4 Follow the progress of the verification in the Operation Status window (see “Operation
Status” on page 73).

Verifying an Installation to Multiple Check Point Nodes Using the Wizard

1 From the Products menu, select Verify Installation... or click on the toolbar.
The Verify installation window opens.
2 Select a Check Point Node. Ctrl click to select more than one Check Point Node. Click
Next.

3 The window shows the available products in the Repository.
Select the product, and click Finish.


4 Follow the progress of the verification in the Operation Status window. If the verification
is to more than one Check Point Node, each installation verification has its own Operation
Status entry (see “Operation Status” on page 73).

Verifying an Installation to Multiple Check Point Nodes Using the Product Repository

1 From the Product Repository, select a product.
2 Right click, and select Verify Installation...
The Verify Installation window opens.
3 Select a Check Point Node on which to verify the product installation. Ctrl click to select
more than one Check Point Node.
4 Click Verify.

5 Follow the progress of the verification in the Operation Status window (see “Operation
Status” on page 73).

Command line: cprinstall verify


To verify an installation via the command line, see “cprinstall verify” on page 657.

Booting a Check Point Node


SmartUpdate can be used to boot a remote computer.

To Boot a Check Point Node


1 From the Products tab, select the Check Point Node.
2 Right click, and select Reboot Check Point Node, or
from the Products menu, select Reboot Check Point Node, or
click on the toolbar.
3 Follow the progress of the reboot in the Operation Status window (see “Operation Status”
on page 73).

Note - Boot ONLY when all installed products are of the same version.

Command line: cprinstall boot


To boot a Check Point Node via the command line, see “cprinstall boot” on page 658.


Getting Check Point Node Data


The information about the Check Point Nodes in the Products tab can be updated with the
details of the products and the Operating System installed on the specified Check Point Node or
on all Check Point Nodes.

Tip - Use this operation to test the cprid connection.

To Get Check Point Node Data


1 From the Products tab, select the Check Point Node.
2 Right click, and select Get Check Point Node Data, or
from the Products menu, select Get Check Point Node Data, or
click on the toolbar.
3 Follow the progress of the operation in the Operation Status window (see “Operation
Status” on page 73).
The information in the Products tab will be updated.

To Get Data From All Check Point Nodes


1 From the Products menu, select Get Data From All.

2 Follow the progress of the operation in the Operation Status window (see “Operation
Status” on page 73).

Command line: cprinstall get


To obtain details of the products and the Operating System installed on a Check Point Node, via
the command line, see “cprinstall get” on page 656.

Stopping an Operation and Clearing Completed Operations


SmartUpdate can be used to stop installation-related operations. This stops the remote
installation or uninstallation of a product even during the transfer of files, extraction and
testing, though stopping an installation is not recommended. You can stop the operation at
any time up to the actual installation. License-related operations are too quick to be stopped.

Warning - Do not stop the Installation of SVN Foundation. Doing so will require extensive
manual cleanup at the Check Point Node.


To Stop an Operation
1 From the Operation Status window, select the in-progress operation.
2 From the Status menu, select Stop Operation, or
right click, and select Stop Operation.
3 Check the Operation status in the Operation Status window (see “Operation Status” on
page 73).

Command line: cprinstall stop


To stop installation-related operations on a Check Point Node via the command line, see
“cprinstall stop” on page 659.

Clearing Completed Operations


To clear a single operation, select the line in the Operation Status window and press the
Delete key, or right click and select Clear.
To clear multiple completed operations, Ctrl Click to select multiple lines, and press the Delete
key.
To clear all completed operations from the Operation Status window, select Status>
Clear all completed operations.

License Management

In This Section

Introduction to License Management page 98
License Types: Central, Local page 98
The Trial Period page 99
Version 4.1 License Support page 99
Obtaining Licenses page 100
License Structure and Elements page 100
Installing a License for the SmartCenter Server page 101
Before Using SmartUpdate License Management page 101
Adding a License to the License Repository page 101
Attaching a License to a Check Point Node page 105
Detaching a License from a Check Point Node page 109
Getting Locally Installed Licenses From a Check Point Node page 111
Deleting a License from the License Repository page 112
Viewing License Properties page 113
Viewing Installed Products page 115
Checking for Expired Licenses page 115
Exporting a License to a File page 117
Automatically Upgrading Version 4.1 Licenses page 117

Introduction to License Management


Using SmartUpdate, Licenses for Check Point products on Check Point Nodes throughout the
organization can be centrally managed from the SmartCenter Server.
SmartUpdate provides both a central view of available and installed licenses, and flexibility in
attaching licenses to Check Point Nodes. The administrator can:
• add one or more licenses to the License Repository (page 101).
• attach one or more licenses to a remote Check Point Node (page 105).
• change the Check Point Node IP address without needing to reapply a new license.
• detach one or more licenses from a remote Check Point Node (page 109).
• delete one or more licenses from the License Repository (page 112).
• get Check Point Node Licenses into the License Repository (page 150).
• view all licenses and their attachment status (page 113).
• sort the licenses (page 71).
• view license properties (page 113).
• check for expired licenses (page 115).
• export licenses to a file (page 117).
• upgrade version 4.1 licenses (page 117).

License Types: Central, Local


There are two types of license: Central and Local. The license type is chosen when the license is
generated in the User Center.

Central Licenses
Check Point NG introduced a new licensing scheme in which the product license is tied to the
IP address of the SmartCenter Server, rather than to the IP address of the Check Point Node. A
license of this kind is called a Central license. The benefits are:
• The new license remains valid when changing the IP address of the Check Point Node.
There is no need to create and install a new license.
• Only one IP address is needed for all licenses.
• A license can be taken from one Check Point Node and given to another.
A Central license is an NG license that has the IP address of the SmartCenter Server.


Local Licenses
A Local license is tied to the IP address of the specific Check Point Node, and can only be used
for a Check Point Node or a SmartCenter Server with that IP address.
Prior to Check Point NG, only Local licenses existed.
Local licenses can be added to the License Repository and automatically attached to a Check
Point Node. Only Local NG licenses can be detached from a remote Check Point Node.

The Trial Period


All purchased Check Point products have a 15 day trial period. During this period the software
is fully functional and all features are available without a license. After that period, a permanent
license must be installed in order to continue using the software. Alternatively, an evaluation
license must be obtained.
The 15 day trial period on an Enforcement Module starts when Secure Internal
Communication is initialized with the SmartCenter Server. On a SmartCenter Server, the trial
period starts when the Certificate Authority is initialized during cpconfig configuration.
If a license is installed during the 15 day trial period, the effective license will be the installed
license.
If all installed licenses are removed during the 15 day trial period, the product will regain full
functionality until the end of the trial period.
If no licenses are installed, the remaining trial period is displayed when starting SmartUpdate
and any of the other Check Point SMART Clients.
To see the remaining trial period, perform the Get Check Point Node Licenses operation in
SmartUpdate, or open the cpconfig Licenses tab on the Enforcement Module, or run the
command cplic print locally on the Enforcement Module.

Version 4.1 License Support


SmartUpdate supports both NG and Version 4.1 licenses.
Version 4.1 licenses are always Local licenses. They:
• are attached automatically to their target Check Point Node when they are added to the
license repository
• can be retrieved into the SmartUpdate License Repository (see “Getting Check Point
Node Licenses into the License Repository” on page 150)
• cannot be deleted (detached) via SmartUpdate.
If a product is upgraded from version 4.1 to NG, the license must be upgraded as well. You
should upgrade to a Central license (obtained from the User Center) in order to gain the
manageability benefits. However a local license can still be used for an NG product. All version
4.1 licenses can be automatically upgraded. See also
• “Automatically Upgrading Version 4.1 Licenses” on page 117.
• “How to Upgrade Remote Check Point Nodes” on page 64.


Obtaining Licenses
Obtain licenses from the User Center at http://www.checkpoint.com/usercenter using
SmartUpdate via the License > New License > Add From User Center... menu item (see
“Downloading a License File From the User Center” on page 102). If you need more than one
license, you can download a license file containing multiple licenses from the User Center, and
import all the licenses into the SmartUpdate License Repository.
Before using SmartUpdate, you must install a license for the SmartCenter Server at the
SmartCenter Server machine (see “Installing a License for the SmartCenter Server” on page
101).

Note - Local licenses issued with a hostid can be installed on their target machine
only via the cplic command or cpconfig Configuration Tool.

Tip - Licensing Management High Availability Configurations:
The Central license for a Secondary SmartCenter Server should have the IP address of the
Secondary SmartCenter Server. All other Central licenses for remote Check Point Nodes
can have an IP address belonging to any of the Management High Availability members.

Once you have obtained license(s), add them to the License Repository (see “Adding a License
to the License Repository” on page 101).

Certificate Key
The certificate key is a string of 12 alphanumeric characters. The string is unique to each
product, and also identifies the license. For an evaluation license your certificate key can be
found inside the mini pack. For a permanent license you should receive your certificate key
from your reseller.

Note - Any characters in the Certificate Key that may look like 'O' or 'I' are most likely '0'
or '1'.

License Structure and Elements


The following is an example of a license received from the User Center, showing the various
elements. Note that:
• The Certificate Key is part of the license SKU.
• The IP Address for a Central license is the IP Address of the SmartCenter Server; the IP
Address of a Local license is the IP address of the Check Point Node.


• The signature is unique to the license, and identifies it.

Request Details
---------------
Certificate Key: 1BED 4054 433R
Product: CPMP-EVAL-BETA-DES-VNG
Version: NG
Customer Name: Acme Ltd.

Details of Issued License
-------------------------
Expiration Date: 01Dec2002
IP Address: 198.243.45.87
SKU/Features: cpsuite-eval-3des-vNG CK-1BED4054433R
Signature: aScPeamAc-GabqVzrvn-JZRGmSLq2-nYFDmwnPVum (Validation code: lfkjRW)

Installing a License for the SmartCenter Server


Before using SmartUpdate, you must install a license for the SmartCenter Server. Install the
license at the SmartCenter Server machine using the
• cpconfig configuration application (see “Licenses” on page 26), or
• cplic put command line (follow the instructions received from the User Center; see also
“cplic put <object name> ...” on page 631).

Note - In order to show the locally installed SmartCenter Server licenses in the
SmartUpdate GUI, you must first retrieve them into the License repository (see “Getting
Check Point Node Licenses into the License Repository” on page 150).

Before Using SmartUpdate License Management


• Install a license for the SmartCenter Server. The SmartUpdate GUI cannot be used unless
the SmartCenter Server is licensed.
• Define the remote Check Point Node objects in the SmartDashboard (see “Adding, Editing
and Deleting a Network Object” on page 174).
• Ensure there is IP connectivity from the SmartCenter Server to the Check Point Node.
• SVN Foundation components (cpd) and the FireWall-1 services must run on the
SmartCenter Server and on the Check Point Node.
• The Check Point Nodes must be initialized for SIC before they can be managed using
SmartUpdate (see “Enabling Communication between Modules” on page 49).

Adding a License to the License Repository


Licenses can be added to the License repository

• By downloading a license file directly from User Center. A license file can contain multiple
licenses.
• By importing a license file received from the User Center.
• Manually (by copying the license details).
Adding a Central license to the License Repository does not install it on any Check Point
Node.
After adding a Central license to the Repository, you can Attach (install) it to a Check Point
Node.
If a Local license is added to the Repository, the license is automatically installed on the Check
Point Node for which it is intended.

Downloading a License File From the User Center


The Licenses> New License> Add From User Center... option opens a browser window
showing the User Center. After logging in to the User Center, it is possible to
• Generate a new license
• Change the IP address of an existing License (“Move IP”)
• Change the license from Local to Central
• Upgrade the license from version 4.1 to NG
This generates a license file that is downloaded to the SmartUpdate GUI Client machine.
SmartUpdate looks for identical licenses in the Repository, an identical license being one with
the same Certificate Key (CK).
For a new license — If there are no identical licenses, the license is added to the License
Repository. A Local license is added to the Repository and attached if there is a Check Point
Node with the same IP address. If there is no suitable Check Point Node, the Local license is
discarded.
For a “Move IP” — The “Move IP” operation allows a Check Point Node whose IP address
has changed to be easily relicensed. If the Check Point Node has an NG license installed, it is
replaced by another NG license with the new IP address.
For a change from Local to Central — A license can also be changed from Central to
Local.
For a license upgrade from version 4.1 to NG — If a license with the same CK exists, the
new license is attached and the old license is detached and deleted from the License Repository.

Downloading a license file directly from the User Center


1 Select Licenses> New License> Add From User Center...


2 Log in to the User Center, and perform the required operation.

Note - The user name and the password are transmitted using SSL secured communication.

3 The generated license file is downloaded to the SmartUpdate GUI Client machine. It is
added to the License Repository. If upgrading, “moving IP” or converting between Local
and Central License, the license is attached to the appropriate Check Point Node.

Adding Licenses From a File Using Drag-and-Drop


License files can contain one or more licenses. Add licenses from a file as follows:
1 Select Licenses> View Repository or click to open the License Repository.
2 Drag and drop the License file from the file system into the License Repository.
The new unattached Central licenses will appear in the Licenses Repository. Local licenses will
be automatically attached to their Check Point Node. If the Attach operation fails, the Local
licenses will be deleted from the Repository.

Importing Licenses From a File


License files can contain one or more licenses. Add licenses from a file as follows:
1 From the SmartUpdate menu, select Licenses> New License> Import File... or click
on the toolbar, or
Select Licenses> View Repository or click to open the License Repository, then
right click in the Licenses Repository, and choose New License> Import File...
2 Browse to the location of the license file, select it, and click Open.

The new unattached Central licenses will appear in the Licenses repository. Local licenses will be
automatically attached to their Check Point Node. The license will get a default name of the
format SKU@ time date. The name of the license can be changed at a later time (see “Viewing
License Properties” on page 113). If the Attach operation fails, the Local licenses will be deleted
from the Repository.

Adding a License Manually


To manually add a single license to the repository, proceed as follows:


1 The User Center results page and the license email received from the User Center contain
the license installation instructions. From these instructions, copy the license to the
clipboard. You need to copy the string that starts with cplic putlic... and ends with the
last SKU/Feature. For example:
cplic putlic 1.1.1.1 06Dec2002 dw59Ufa2-eLLQ9NB-gPuyHzvQ-WKreSo4Zx CPSUITE-EVAL-3DES-NG CK-1234567890
If you only have a hard-copy printout, continue from step 2.
2 Select Licenses> New License> Add Manually, or select on the toolbar,
or
Select Licenses> View Repository, then right click in the Licenses Repository, and
choose New License> Add Manually...
The Add License window opens.
FIGURE 2-20 The Add License window

3 If you copied the license to the clipboard, click Paste License. The fields will be populated
with the license details.
Otherwise, enter the license details from a hard-copy printout.
4 Click Calculate, and make sure the result matches the validation code received from the
User Center.
5 Optionally, choose a name for the license. If you leave the Name field empty, the license
will get a default name of the format SKU@ time date. The name of the license can be
changed at a later time (see “Viewing License Properties” on page 113).
6 Click OK.

7 Follow the status of the procedure in the Operation Status window.

104 Check Point SmartCenter Guide • September 2002



Command line: cplic db_add


To add a license to the License Repository via the command line, see “cplic db_add” on page
639.

Attaching a License to a Check Point Node


Use SmartUpdate to attach one or more licenses to a Check Point Node with an installed NG FP2
product.
Attaching a license to a remote Check Point Node means installing the license on the remote
Check Point Node, and associating the license with the Check Point Node in the License
Repository.
A Central license must be added to the License Repository before it can be attached to a Check
Point Node (see “Adding a License to the License Repository” on page 101).
An NG Local License has the IP address of the Check Point Node. It can therefore be installed
only on a Check Point Node object with the same IP address. If an NG Local license is added
to the Repository, SmartUpdate will immediately attempt to install it on the appropriate Check
Point Node. If the installation does not succeed, the license will be deleted from the
Repository.

Note - Local licenses issued with a hostid can be installed on their target machine only
locally, via the cplic command or the cpconfig Configuration Tool.

There are a number of different ways to attach a license to a Check Point Node. In all cases,
follow the status of the procedure in the Operation Status window.

Attaching One or More Licenses using Drag-and-Drop


1 Select Licenses> View Repository

2 Drag and drop one or more unattached Central licenses in the License Repository onto a
Check Point Node in the Licenses tab.
When done, the license icon(s) in the Repository will change and the license(s) will appear
under the Check Point Node in the Licenses tab.

Attaching One or More Licenses Using the Licenses Repository


1 From the License Repository, select one or more unattached licenses.
2 Right click, and select Attach... (as shown in FIGURE 2-21).


FIGURE 2-21 Attach Licenses right click menus

The Attach Licenses window opens.


3 Select a Check Point Node, and click Attach.

4 Follow the status of the procedure in the Operation Status window (see “Operation
Status” on page 73).
When done, the license icon will change and the license will appear under the Check Point
Node in the Licenses tab.

Attaching One or More Licenses Using the Wizard


1 Select Attach... from the Licenses menu, or select on the toolbar.
The Attach Licenses window opens.
FIGURE 2-22 Attach Licenses window - Select a Check Point Node

2 Select a Check Point Node to which the license(s) is (are) to be attached, and click Next.
The window shows the available unattached licenses in the Licenses Repository.


FIGURE 2-23 Attach License window - Select a License

3 Select the license that you wish to attach. Either Select All, or Ctrl click to select more than
one license.
4 Click Attach.

5 Follow the status of the procedure in the Operation Status window (see “Operation
Status” on page 73).
When done, the license icon will change and the license will appear under the Check Point
Node in the Licenses tab.

Attaching One or More Licenses using the Licenses tab


1 From the License tab, select the Check Point Node.
2 Right click, and select Attach Licenses...(as shown in FIGURE 2-24).
FIGURE 2-24 Attach License right click menus

The Attach Licenses window opens. This window contains all the available, unattached licenses.


FIGURE 2-25 Attach Licenses window

3 Select the licenses that you wish to attach. Either Select All, or Ctrl click to select more
than one license.
4 Click Attach.

5 Follow the status of the procedure in the Operation Status window (see “Operation
Status” on page 73).
When done, the license icon will change and the license will appear under the Check Point
Node in the Licenses tab.

Command line: cplic put


To attach licenses via the command line, see “cplic put <object name> ...” on page 631.

Attaching an Evaluation License to all Check Point Nodes


An Evaluation License is a “floating”, limited evaluation license that is not associated with a
specific IP address. It can be attached to any Check Point Node in the same way as an ordinary
Central license, and to more than one Check Point Node at a time.

To Attach an Evaluation License to all Check Point Nodes


1 Select Licenses> View Repository

2 Drag and drop an evaluation license in the License Repository onto the root of the Check
Point Nodes tree in the Licenses tab.

When done, the evaluation license icon will appear under every Check Point Node in
the Licenses tab.


Detaching a License from a Check Point Node


Detaching a license involves deleting a single license from a remote Check Point Node and
marking it as unattached in the License Repository on the SmartCenter Server. The license is
then available for attachment to any Check Point Node.
Detaching a local NG license from a Check Point Node will also delete the license from the
Repository.
Version 4.1 Local licenses cannot be detached from a Check Point Node. They must be deleted
locally.
Note - If the remote Check Point Node is unreachable (if the product has been uninstalled
or the machine crashed for example), the license cannot be detached via SmartUpdate. In
this case, unattach the attached license by deleting the Check Point Node's network
object in the SmartDashboard.

There are a number of different ways to detach a license from a Check Point Node using
SmartUpdate. In all cases, follow the status of the procedure in the Operation Status window.

Detaching One or More Licenses Using the Wizard


1 Select Detach... from the Licenses menu or select on the toolbar.
The Detach Licenses window opens (as shown in FIGURE 2-26).
FIGURE 2-26 Detach Licenses window - Select a Check Point Node

2 Select the Check Point Node from which you wish to detach the license and press Next.
The Detach Licenses window shows the licenses attached to the Check Point Node.


FIGURE 2-27 Detach Licenses window - Select a License

3 Select the license that you wish to Detach. Either Select All or Ctrl click to select more
than one license.
4 Click Finish.

Detaching One or More Licenses Using the Licenses tab


1 In the Licenses tab, select the license to be detached. To detach all the licenses on the
Check Point Node, select the Check Point Node.
2 Right click, and select Detach License (if a single license was selected, as shown in
FIGURE 2-28), or Detach All Licenses (if the Check Point Node was selected; this
option is disabled if the Node has both Central and Local licenses).
FIGURE 2-28 Detach License right click menus

Detaching a Single License Using the Licenses Repository


1 From the License Repository, select an attached license.
2 Right click, and select Detach... (as shown in FIGURE 2-29).


FIGURE 2-29 Detach License right click menus

Command line: cplic del


To detach a license via the command line, see “cplic del <object name> ...” on page 633.

Getting Locally Installed Licenses From a Check Point Node


NG and Version 4.1 Local licenses that are installed locally on a Check Point Node (using the
cpconfig configuration tool or cplic put) will not exist in the SmartUpdate License
Repository. Locally deleted licenses will still appear in the Repository.
In order to update the License Repository, retrieve (“get”) NG FP2 Local and version 4.1
licenses from a Check Point Node into the Repository. Getting a license:
• Retrieves to the Repository licenses that were installed locally (at the machine)
• Deletes from the Repository licenses that were deleted locally.

Note - Only version 4.1 SP1 and higher licenses can be retrieved into the License
Repository.

It is possible to retrieve (“get”) all licenses in the managed network, or only the licenses from a
single Check Point Node. It is recommended to retrieve the SmartCenter Server license(s) so
that it (they) will appear in the License Repository.
To update the License Repository, proceed as follows:

To Get Check Point Node Licenses from a Check Point Node


1 From the Licenses tab, select the Check Point Node.
2 Right click, and select Get Check Point Node Licenses.


FIGURE 2-30 Get License right click menu

or select Get Check Point Node Licenses from the Licenses menu.
3 Follow the status of the procedure in the Operation Status window. Retrieved Local
licenses will appear in the License Repository and in the Products tab with the icon.

To Retrieve all Licenses in the Managed Network


1 Select Get All Licenses from the Licenses menu.
2 Follow the status of the procedure in the Operation Status window. Retrieved Local
licenses will appear in the License Repository and in the Products tab with the icon.

Command line: cplic get


To get Check Point Node licenses via the command line, see “cplic get” on page 634.

Deleting a License from the License Repository


Licenses that are not attached to any Check Point Node and are no longer needed can be
deleted from the License Repository.
To check for expired licenses, see “Checking for Expired Licenses” on page 115.
A license can be deleted from the License Repository only after it has been detached from the
Check Point Node (see “Detaching a License from a Check Point Node” on page 109).

Note - Once the license has been deleted from the License Repository, it can no longer be
used. To re-use it, add it to the License Repository (see “Adding a License to the License
Repository” on page 101).

To delete a license from the License Repository, proceed as follows:


1 Select View Repository from the Licenses menu.
To show only the unattached licenses, right click and select View Unattached licenses.

2 Select the unattached license(s) to be deleted, and


• press the Delete key, or
• right click, and select Delete License, or


FIGURE 2-31 Delete License right click menu

• select Delete Licenses from the Licenses menu.

Command line: cplic db_rm


To delete a license from the License Repository via the command line, see “cplic db_rm” on
page 640.

Viewing License Properties


License properties for each license are shown in the Licenses tab. License properties can also be
conveniently viewed using the License Properties window, as follows:
• In the Licenses tab,
• double click the license, or
• select the license, and from the License menu, select Properties... or
• right click and from the menu, select License> Properties
• In the License Repository,
• select the license and click Enter, or
• double click the license.

The License Properties window opens (FIGURE 2-32):


FIGURE 2-32 License Properties window

Name — The editable name of the license.


IP Address — The IP address of the machine for which the license is issued.
Expiration Date — The date on which the license expires, or never. After a license has
expired, the functionality of the Check Point product may be impaired.
SKU/Features — SKU stands for Stock Keeping Unit. The SKU, also called the license
features, is a character string that identifies an individual product.
License For — Use this description to verify that the license is appropriate for the installed
product. This description is provided for NG and higher licenses.
Signature Key — The individual license identification code.
Certificate Key — The certificate key is a string of 12 alphanumeric characters. The string is
unique to each product.
Type — Central or Local. A Central license is tied to the IP address of the SmartCenter Server.
A Local license is tied to the IP address of a specific Check Point Node, and can only be used
for a Check Point Node with that IP address.
Attached To — The Check Point Node on which the license is installed, and with which it is
associated in the License Repository.
Validation Code — Should be the same as the Validation Code received from Check Point.

Command line: cplic db_print


To view the properties of a license via the command line, see “cplic db_print” on page 641.


Viewing Installed Products


To see which products are installed on a Check Point Node shown in the License tab, proceed
as follows:
1 In the License tab, select the Check Point Node.
2 Right click, and select Installed Products... (FIGURE 2-33).
FIGURE 2-33 Installed Products right click menu

The Installed Products window appears (FIGURE 2-34).


FIGURE 2-34 Installed Products window

The Installed Products window shows


• The name of the Check Point Node, as defined in the SmartDashboard.
• The operating system of the Check Point Node.
• The name, vendor, version, and service pack of the products installed on the Check Point
Node.

Checking for Expired Licenses


Licenses expire on a particular date, or never. After a license has expired, the functionality of the
Check Point product will be impaired. In the License Expiration window it is possible to:
• See a list of attached and unattached expired licenses.
• Delete expired licenses.
• View the properties of an expired license.
The following configurable options are available:
• View licenses that will expire within a selected number of days.
• Check for expired licenses when SmartUpdate is started.
• Highlight expired licenses in the License Repository by marking them in red.


SmartUpdate will automatically give a warning before attaching an expired license to a remote
Node.
For products still within their 15-day Trial Period, the Trial Period expiration date is shown
in the Expiration Date column if no licenses are installed. For more information, see “The Trial
Period” on page 99.

To Check for Expired Licenses


1 Select Show Expired Licenses
• either from the License menu,
• or in the License Repository, from the right click menu.
The License Expiration window opens.
FIGURE 2-35 License Expiration window

2 To delete an unattached license from the License Repository, select the license(s) and click
Delete. If it is attached, you must detach it before deleting it (see “Detaching a License
from a Check Point Node” on page 109).
3 To view the properties of the license, double click the license, or select the license and click
Properties.

4 Choose the Options for future searches. Click Apply to run the search immediately.
In addition, in the Licenses tab and the License Repository you can check for soon-to-expire
licenses by sorting by expiration date. Click
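The license string pasted in “Adding a License Manually” and the expiry checks described in this section can be exercised without the GUI. The following Python example is added here and is not Check Point's code: it parses cplic putlic lines in the field order of the example above (IP address, expiration date, signature key, then SKU/features ending with the certificate key), rejects malformed lines before they reach the Add License window, and lists the licenses that have expired or will expire within a chosen number of days, earliest first. The sample license lines, the rule that the certificate key is the feature token starting with CK-, and the treatment of a license as expired only after its expiration date are assumptions made for the example.

```python
"""Parse Check Point "cplic putlic" license strings and report expiry status.

Added illustration, not Check Point's code. The field order follows the
example line in "Adding a License Manually": IP address, expiration date,
signature key, then SKU/features ending with the certificate key.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
import ipaddress
from typing import List, Optional

# Constructed sample license file (one license per line). The first line
# mirrors the manual's example; the others use obviously made-up values.
SAMPLE_LICENSES = """\
cplic putlic 1.1.1.1 06Dec2002 dw59Ufa2-eLLQ9NB-gPuyHzvQ-WKreSo4Zx CPSUITE-EVAL-3DES-NG CK-1234567890
cplic putlic 10.0.0.5 never PLACEHOLDER-SIG-2 SKU-PLACEHOLDER-B CK-PLACEHOLDER2
cplic putlic 10.0.0.7 20Sep2002 PLACEHOLDER-SIG-3 SKU-PLACEHOLDER-C CK-PLACEHOLDER3
"""

DATE_FORMAT = "%d%b%Y"  # e.g. 06Dec2002, as the User Center prints it


@dataclass
class License:
    ip: str
    expires: Optional[date]         # None means "never"
    signature: str
    features: str                   # the whole SKU/features string
    certificate_key: Optional[str]  # assumption: the feature token starting "CK-"


def parse_date(token: str) -> Optional[date]:
    """'never' -> None; otherwise a ddMonYYYY date (ValueError if malformed)."""
    if token.lower() == "never":
        return None
    return datetime.strptime(token, DATE_FORMAT).date()


def parse_putlic(line: str) -> License:
    """Split one 'cplic putlic ...' line into its fields, rejecting malformed input."""
    tokens = line.split()
    if tokens[:2] != ["cplic", "putlic"] or len(tokens) < 6:
        raise ValueError(f"not a cplic putlic line: {line!r}")
    ip, expiry, signature = tokens[2], tokens[3], tokens[4]
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    feature_tokens = tokens[5:]
    cert = next((t for t in feature_tokens if t.startswith("CK-")), None)
    return License(ip, parse_date(expiry), signature, " ".join(feature_tokens), cert)


def is_valid_putlic(line: str) -> bool:
    """True if the line parses; a check to run before pasting a printout."""
    try:
        parse_putlic(line)
        return True
    except ValueError:
        return False


def parse_license_file(text: str) -> List[License]:
    """A license file may hold several licenses, one per non-empty line."""
    return [parse_putlic(line) for line in text.splitlines() if line.strip()]


def expiry_status(lic: License, today: date, within_days: int) -> str:
    """Classify as never / expired / expiring / valid relative to 'today'.

    Assumption: a license is still usable on its expiration date and is
    expired only after it.
    """
    if lic.expires is None:
        return "never"
    if lic.expires < today:
        return "expired"
    if lic.expires <= today + timedelta(days=within_days):
        return "expiring"
    return "valid"


def licenses_needing_attention(licenses: List[License], today: date,
                               within_days: int) -> List[License]:
    """Expired or soon-to-expire licenses, earliest expiry first (the same
    view as sorting the Licenses tab by expiration date)."""
    flagged = [l for l in licenses
               if expiry_status(l, today, within_days) in ("expired", "expiring")]
    return sorted(flagged, key=lambda l: l.expires)


if __name__ == "__main__":
    for lic in licenses_needing_attention(parse_license_file(SAMPLE_LICENSES),
                                          date(2002, 9, 1), 30):
        print(lic.expires, lic.ip, lic.features)
```

Running the block as written lists only the 20Sep2002 license for a 30-day window from 1 September 2002; the “never” license is skipped, and a license with a malformed IP address or date is rejected before it is counted.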


Exporting a License to a File


Licenses can be exported to a file. The file can later be imported to the License Repository.
This can be useful for administrative or for Support purposes.
All selected licenses will be exported. If the file already exists, the new licenses are added to the
file.

To Export one or more Licenses to a File


1 From the SmartUpdate menu, Select Licenses> View Repository to open the License
Repository,
or
Select the License tab.
2 Select one or more licenses, right click (FIGURE 2-36), and from the menu select Export
to File...
FIGURE 2-36 Export License to File right click menus

3 In the Choose File to Export License(s) To window, name the file (or select an existing
file), and browse to the desired location. Click Save.

Automatically Upgrading Version 4.1 Licenses


When upgrading Check Point products on remote Check Point Nodes to the latest NG version,
all version 4.1 licenses on those Check Point Nodes and in the License Repository can be
automatically replaced with new NG licenses.


The license upgrade can be performed either before or after upgrading the version 4.1 Check
Point Nodes to the latest version of VPN-1/FireWall-1 NG.
Note - After upgrading the licenses,
• cplic print in the remote Check Point Node will not show the old 4.1 licenses.
• if the products on the remote Check Point Nodes are downgraded to version 4.1, the
old licenses will reappear in the Check Point Nodes. cplic print will show the old 4.1
licenses, and they can be retrieved to the License Repository using the cplic get
command.

To Automatically Upgrade version 4.1 Licenses


1 Upgrade the SmartCenter Server to the latest version (see “How to Upgrade Remote
Check Point Nodes” on page 64 of the Check Point SmartCenter Guide).
Ensure that there is connectivity between the SmartCenter Server and the remote Check
Point Nodes with the version 4.1 products.
2 Import all licenses into the License Repository (Licenses > Get All Licenses). This can
also be done after upgrading the products on the remote Check Point Nodes to NG (at step
5). To see all the licenses in the repository, open the License Repository (Licenses > View
Repository).

3 Upgrade the version 4.1 products on the remote Check Point Nodes. (See “Upgrading a
Single Product on a Check Point Node” on page 103 of the Check Point SmartCenter
Guide.)
4 Using Licenses > New Licenses > Add From User Center... , view the licenses for the
products that were upgraded from version 4.1 to NG, create new upgraded licenses, and
download a file containing the upgraded NG licenses.

Note - Only download licenses for the products that were upgraded from version 4.1 to
NG.

5 If you did not import the version 4.1 licenses into the repository in step 2, import the
version 4.1 licenses now (Licenses > Get All Licenses)
6 Upgrade the licenses. Select Licenses > Upgrade... and select the downloaded license file.
• The licenses in the downloaded license file and in the license repository are compared.
• If the certificate keys and features match, the old licenses in the repository and in the
remote Check Point Nodes are updated with the new licenses.
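As an added example of the comparison step 6 describes (it is not Check Point's code), the following Python reconciles a downloaded file of upgraded NG licenses against the License Repository using only the rule the manual states, equal certificate key and equal features, and reports the downloaded licenses that match nothing, which is what an operator should review before trusting the upgrade. The record layout, the placeholder keys and feature strings, and the assumption that a replaced license keeps its Check Point Node association are constructed for the example.

```python
"""Match a downloaded file of upgraded NG licenses against the License Repository.

Added illustration of the comparison described for Licenses > Upgrade; it is
not Check Point's code. Repository and download are modelled as lists of
records; the only matching rule applied is the one the manual states
(certificate key and features must be equal). All keys and feature strings
below are constructed placeholders.
"""
from typing import List, NamedTuple, Optional, Tuple


class LicenseRecord(NamedTuple):
    certificate_key: str
    features: str
    version: str                 # "4.1" or "NG"
    attached_to: Optional[str]   # Check Point Node name, or None if unattached


# Constructed repository contents after Licenses > Get All Licenses.
REPOSITORY = [
    LicenseRecord("CK-PLACEHOLDER1", "FEATURES-A", "4.1", "gw-east"),
    LicenseRecord("CK-PLACEHOLDER2", "FEATURES-B", "4.1", "gw-west"),
    LicenseRecord("CK-PLACEHOLDER3", "FEATURES-C", "NG", "mgmt"),
]

# Constructed download from the User Center: upgrades for two known keys, one
# key the repository has never seen, and one known key whose features differ.
DOWNLOADED = [
    LicenseRecord("CK-PLACEHOLDER1", "FEATURES-A", "NG", None),
    LicenseRecord("CK-PLACEHOLDER2", "FEATURES-B", "NG", None),
    LicenseRecord("CK-PLACEHOLDER4", "FEATURES-D", "NG", None),
    LicenseRecord("CK-PLACEHOLDER3", "FEATURES-X", "NG", None),
]

Pair = Tuple[LicenseRecord, LicenseRecord]


def plan_upgrade(repository: List[LicenseRecord],
                 downloaded: List[LicenseRecord]) -> Tuple[List[Pair], List[LicenseRecord]]:
    """Pair each downloaded license with the repository entry it would replace.

    Returns (replacements, unmatched): replacements is a list of (old, new)
    pairs matched on certificate key and features; unmatched lists downloaded
    licenses that correspond to nothing in the repository.
    """
    index = {(r.certificate_key, r.features): r for r in repository}
    replacements: List[Pair] = []
    unmatched: List[LicenseRecord] = []
    for new in downloaded:
        old = index.get((new.certificate_key, new.features))
        if old is None:
            unmatched.append(new)
        else:
            replacements.append((old, new))
    return replacements, unmatched


def apply_upgrade(repository: List[LicenseRecord],
                  downloaded: List[LicenseRecord]) -> List[LicenseRecord]:
    """Repository as it looks after the upgrade.

    Matched entries are replaced in place and (assumption) keep the Check
    Point Node they were attached to; unmatched repository entries are left
    untouched.
    """
    replacements, _ = plan_upgrade(repository, downloaded)
    new_by_old = {(old.certificate_key, old.features): new._replace(attached_to=old.attached_to)
                  for old, new in replacements}
    return [new_by_old.get((r.certificate_key, r.features), r) for r in repository]


if __name__ == "__main__":
    replacements, unmatched = plan_upgrade(REPOSITORY, DOWNLOADED)
    for old, new in replacements:
        print(f"{old.certificate_key}: {old.version} -> {new.version} on {old.attached_to}")
    for lic in unmatched:
        print(f"no repository match for {lic.certificate_key} ({lic.features})")
```

With the constructed data, the two 4.1 licenses are replaced and stay attached to their gateways, while the unknown key and the key whose features differ are reported rather than silently applied, which matches the note above that only licenses for the products actually upgraded should be downloaded.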


Licensing Glossary
SmartUpdate introduces a number of new licensing concepts. The following is a brief
explanation of some licensing concepts.

TABLE 2-13 Licensing Terms and Concepts

Add — Licenses received from the User Center should first be added to the SmartUpdate
License Repository (see page 101). Adding a Local license to the Repository also Attaches it
on the Check Point Node. The licenses can be
• Imported from a file, or
• Added Manually by pasting or typing the license details.
Attach — Licenses are Attached to a Check Point Node via SmartUpdate (see page 105).
Attaching a license involves:
• installing the license on the remote Check Point Node, and
• associating the license and the Check Point Node in the License Repository.
Central License — A Central license is tied to the IP address of the SmartCenter Server (see
“Central Licenses” on page 98).
Certificate Key — See “Certificate Key” on page 100.
Cplic — Command line for managing Local and Central licenses. Provides the functionality of
the SmartUpdate License Manager from the command line. See “Local Licensing Commands”
on page 624 and “Remote Licensing Commands” on page 631.
Detach — Licenses are Detached from a Check Point Node via SmartUpdate (see page 109).
Detaching a license involves:
• uninstalling the license from the remote Check Point Node, and
• making the license in the License Repository available to any Check Point Node.
Get — Locally installed licenses can be retrieved into the License Repository, in order to
update the repository with all licenses across the installation (see page 150). The Get
operation is a two-way process. It:
• retrieves to the Repository all locally installed licenses, and
• removes from the Repository all locally deleted licenses.
License Expiration — Licenses expire on a particular date, or never. After a license has
expired, the functionality of the Check Point product may be impaired. See “Checking for
Expired Licenses” on page 115.
Local License — A Local license is tied to the IP address of a specific Check Point Node, and
can only be used for a Check Point Node with that IP address (see “Local Licenses” on page 99).
Multi-license file — Licenses can be conveniently Added by importing a file into the License
Repository, rather than by typing long text strings. Multi-license files contain more than one
license, and can be downloaded from the User Center: http://www.checkpoint.com/usercenter.
In the command line, Multi-license files are supported by the cplic put and cplic db_add
commands. See “License Management” on page 624.
Delete — Licenses that are not attached to any Check Point Node and are no longer needed can
be deleted from the License Repository (see page 112).
SKU — SKU stands for Stock Keeping Unit. The SKU is a character string that identifies an
individual product.


SmartUpdate Architecture
FIGURE 2-37 SmartUpdate Architecture
[Diagram: the Check Point CD and the Download Center supply Packages and Licenses to the
Management Server, where SecureUpdate stores them in the Check Point Database (Packages,
Licenses). The GUI Client and the command line tools (cplic remote and local, cprinstall,
cppkg) work through the Management Server, which communicates over SIC with the SVN
Foundation (cpd, CPRID) on the Check Point Nodes.]

• Licenses and products are managed using the SmartUpdate GUI. Command-line tools are
also available.
• The Check Point SmartCenter Server includes the SmartUpdate License and Product
Management components.
• The License Repository ($FWDIR/conf/licenses.C) is part of the Check Point database.
• The default Product (Package) Repository location on Windows machines is C:\SUroot.
On UNIX it is /var/SUroot. The Product Repository ($FWDIR/conf/packages.C) is part
of the Check Point database.
• Communication between the Management Client, the SmartCenter Server and the SVN
Foundation on remote Check Point Nodes uses Secure Internal Communication (SIC):
• Product Management uses a CPRID (Check Point Remote Installation Daemon) client on
the SmartCenter Server, and a CPRID server on remote Check Point Nodes.
• License Management uses the cpd daemon.
• The CPRID Server and cpd are components of the SVN Foundation installed on the Check
Point Nodes.
• A log file of SmartUpdate product operations is generated in the file $SUROOT\log\<Check
Point Node name>_SecureUpdate.elg.
• An audit log of SmartUpdate operations can be viewed in the SmartView Tracker Audit
View.


SmartUpdate FAQ

In This Section

General SmartUpdate Questions


How do I install SmartUpdate? page 122
What is the Trial Period, and how is it different from an evaluation license? page 122
Where are the SmartUpdate logs? page 122
Remote Installation Questions
How do I upgrade a remote Check Point Node to Check Point NG FP3? page 123
How do I upgrade the OS on the Check Point Node via SmartUpdate? page 123
What products can I install and where can I get them from? page 123
What should a Check Point Node include (installations, versions) in order to be remotely
installable? page 123
How do I know if an installation succeeded? Can I cancel it? Roll back/backout? page 123
How do I upgrade a Check Point ClusterXL gateway cluster? page 124
When does the Check Point Node need to be rebooted? page 124
Licensing Questions
How do I create the new Central licenses and how are they different from the old ones?
page 125
How do I use Central Licenses? page 125
How can I view/manage version 4.1 licenses in SmartUpdate GUI? page 126
Do I need new licenses when changing the IP of the SmartCenter Server? page 126

General SmartUpdate FAQ


Question: How do I install SmartUpdate?

SmartUpdate is silently installed together with the VPN-1/FireWall-1 SmartCenter Server. The
SmartUpdate Management (GUI) Client is installed by default at the same time as the other
Management Clients.

Question: What is the Trial Period, and how is it different from an evaluation license?

See “The Trial Period” on page 99.


Question: Where are the SmartUpdate logs?
• A log file of SmartUpdate product operations is generated in the file $SUROOT\log\<Check
Point Node name>_SecureUpdate.elg.
• An audit log of SmartUpdate operations can be viewed in the SmartView Tracker Audit
View.


• In addition, log information is displayed in the Operation Status view and in the
Operation Details window.

Remote Installation FAQ


Question: How do I upgrade a remote Check Point Node to Check Point NG FP3?

“Upgrade All Products” is the recommended method. See “How to Upgrade Remote Check
Point Nodes” on page 64.

Question: How do I upgrade the OS on the Check Point Node via SmartUpdate?

In NG FP3, it is possible to use SmartUpdate to upgrade the operating system on a Nokia
Appliance and on SecurePlatform NG. First, upgrade the OS and boot the machine, as
described in “Installing a Single Product” on page 89, and then upgrade all the other products
to the latest version, and reboot.

Question: What products can I install and where can I get them from?

As of SmartUpdate NG FP2, there is only one kind of product package for both local and
remote installations. Packages can be obtained from the Check Point NG FP2 CD or the Check
Point Download Center (http://www.checkpoint.com/techsupport/downloads/downloads.html).
Add packages to the Product Repository using the SmartUpdate GUI. Use the menu items
Product > New Products > Add From User Center... or Add From CD... or Import File.

Question: What should a Check Point Node include (installations, versions) in order to
be remotely installable?

To use SmartUpdate to upgrade a product on a remote Check Point Node, the product must be
of version 4.1 SP2 or higher, or version NG.
If you have VPN-1/FireWall-1 version 4.1 SP2 or higher on the Check Point Node, you can
use SmartUpdate to remotely install the SVN Foundation components from scratch. To do so,
you must first install and configure the CPutil package (found on the Check Point 2000 CD
and on the Check Point Support download site) on every network object which will participate
in the Remote Installation. For details, see the Release Notes for these packages.
SmartUpdate Installation Management uses a CPRID (Check Point Remote Installation
Daemon) client on the SmartCenter Server, and a CPRID server on remote Check Point
Nodes. License Management uses the cpd daemon. The CPRID server and cpd are components
of the SVN Foundation on the Check Point Nodes. All these components must run in order for
the remote upgrade to succeed.

Question: How do I know if an installation succeeded? Can I cancel it? Roll back/backout?

The Operation Status log shows current and past SmartUpdate operations. Each entry includes
the current status and success/failure of the operation.


SmartUpdate can stop the remote installation of a product, even during file transfer,
extraction and testing, though stopping an installation is not recommended. You can stop the
operation at any time up to the actual installation (see “Stopping an Operation and Clearing
Completed Operations” on page 96).

Question: What happens if the connection between the Management and the remote
Check Point Node breaks while upgrading?

If the communication break happens before or during the actual product installation, the
product upgrade fails, and SmartUpdate restores the previously installed version. If the
installation completes, the new version will be in place.

Question: How do I upgrade a Check Point ClusterXL gateway cluster?

The following procedure describes how to upgrade a version 4.1 or NG gateway cluster.
If using a third party cluster, before performing the upgrade, configure the synchronization
network in the synchronization tab, and the cluster mode in the ClusterXL tab. Also, refer to the
third party documentation.
To upgrade a cluster of Check Point Gateways, proceed as follows:
1 Obtain an NG Central license for the cluster and install it on the SmartCenter Server.
2 On all the inactive cluster members, use SmartUpdate to remotely upgrade all products to
the latest version.
3 Reboot all the inactive member machines.
4 Update the cluster object and members in the SmartDashboard as described in chapter 5,
“ClusterXL” on page 241 of the Check Point FireWall-1 Guide.
5 When the standby machines are up again, in the SmartDashboard, uncheck the On
Gateway clusters, install on all members, If it fails do not install at all checkbox and
Install the security policy on the cluster. The policy will be successfully installed on standby
cluster members, and will fail on the active machine.
6 On the active cluster member, run the cpstop command then the cphastop command.
7 On the active cluster member, use SmartUpdate to remotely upgrade all products to the
latest version and install the Central licenses for the products (such as FireWall-1, not High
Availability licenses) installed on the cluster member.
8 When the cluster members come up, they try to fetch policy from the active member, then
from the SmartCenter Server, and then from themselves. If all this fails, install the Policy on
the cluster.

Question: When does the Check Point Node need to be rebooted?

Booting the machine loads the new FireWall-1 kernel. It is required at the end of the installation
or upgrade process, after all Check Point products on the machine have been successfully
installed or upgraded to the latest version.


The machine can also be rebooted in the middle of the upgrade process, with no ill effects, even
before all products have been upgraded to the latest version, but this is unnecessary. Starting the
Check Point services (cpstart) will start only products with the same version as the installed
SVN Foundation.

Licensing FAQ
Question: How do I create the new Central licenses and how are they different from the
old ones?

Create new licenses at the User Center (http://www.checkpoint.com/usercenter). Choose the
default 'Central licenses' option.
A Central license has the IP address of the SmartCenter Server and can be used for all managed
Check Point Nodes.
A Local license has the IP address of the SmartCenter Server Check Point Node, or of the
remote Check Point Node, and can only be used for a Check Point Node with that IP address.

Question: How do I use Central Licenses?

To use Central licenses, you must add them to the License Repository and attach them to a
Check Point Node. Proceed as follows:
1 Install the SmartCenter Server, the product on the remote Check Point Node, and the GUI
client.
2 Initialize Secure Internal Communication (SIC) between the SmartCenter Server and the
remote Check Point Node.
3 Create a Central license for the SmartCenter Server and the Check Point Nodes at the User
Center http://www.checkpoint.com/usercenter with the IP address of the SmartCenter
Server.
4 Install a license for the SmartCenter Server.
5 In the SmartUpdate GUI, select Licenses> View Repository to open the License
Repository view.
6 Add the license to License Repository (Drag-and-Drop the license file to the Repository, or
select Licenses> New License> Add manually or Import File).
The new license will appear in the License Repository.
7 Click the Licenses Tab.
8 Choose the license in the Repository and drag-and-drop it over the desired target Check Point
Node.
There will be an Operation Status message, and when done, the license will be attached. The
license icon will change and the license will appear under the Check Point Node in the
Licenses tab.

Chapter 2 SmartUpdate 125



Question: How can I view/manage version 4.1 licenses in SmartUpdate GUI?

Version 4.1 licenses are Local licenses. Version 4.1 licenses:
• CAN be retrieved into the SmartUpdate License Repository (see “Getting Check Point
Node Licenses into the License Repository” on page 150)
• CANNOT be deleted (detached) via SmartUpdate.
If a product on a Check Point Node is upgraded from version 4.1 to the latest NG version, the
license must be upgraded as well. You should obtain a Central license (see “Obtaining Licenses”
on page 100) in order to gain the manageability benefits. However a Local license can still be
used. All version 4.1 licenses can be automatically upgraded (see “Automatically Upgrading
Version 4.1 Licenses” on page 117).

Question: Do I need new licenses when changing the IP of the SmartCenter Server?

When changing the IP address of the SmartCenter Server, you need to relicense all the Certificate
Keys bound to the old IP address with the new IP address of the SmartCenter Server.
Proceed as follows:
1 Collect all Certificate Keys bound to the old IP address of the SmartCenter Server.
2 In the User Center (http://www.checkpoint.com/usercenter), relicense those Certificate
Keys using the new IP address of the SmartCenter Server.
3 From the User Center, download the file containing the new licenses.
4 Using SmartUpdate, detach (see “Detaching a License from a Check Point Node” on page
109) and delete (see “Deleting a License from the License Repository” on page 112) the old
licenses.
5 Import the new licenses in the file into the License Repository (see “Adding a License to
the License Repository” on page 101).
6 Attach the new licenses to the Check Point Nodes (see “Attaching a License to a Check
Point Node” on page 105).

Question: How do I upgrade a version 4.1 License to an NG License?

See “Automatically Upgrading Version 4.1 Licenses” on page 117.



CHAPTER 3

Graphical User Interface

In This Chapter

Managing VPN-1/FireWall-1                    page 129
The Check Point SmartDashboard               page 130
Displaying SmartDashboard Windows            page 146
Menus                                        page 147
VPN-1/FireWall-1 Toolbars                    page 154
VPN-1/FireWall-1 Status Bar                  page 158

Managing VPN-1/FireWall-1
The easiest way to manage VPN-1/FireWall-1 is to use the Check Point SmartDashboard. You
can use the command line interface, if you wish, instead of the SmartDashboard. For additional
information about the VPN-1/FireWall-1 command line interface, see Chapter 19, “Command
Line Interface”.

Note - The VPN-1/FireWall-1 command line interface runs only on the SmartCenter Server.

For information about the FireWall-1 Client/Server model, see “VPN-1/FireWall-1
Client/Server Model” on page 12.


The Check Point SmartDashboard

Starting the SmartDashboard


To start the Check Point SmartDashboard, proceed as follows:

TABLE 3-1 Starting the Check Point SmartDashboard

Windows System     Action
Windows            Double-click the SmartDashboard icon.
X/Motif            Run /opt/CPclnt-50/bin/PolicyEditor.

The SmartDashboard Login window (FIGURE 3-1) is then displayed.


FIGURE 3-1 SmartDashboard login window

You can log in using either your:

• user name and password
  1 Select User Name.
  2 Enter your user name and password.
  3 Click OK.
• certificate
  1 Select Certificate.
  2 Enter the name of your PKCS#12 certificate file. You can also browse for the file.
  3 Enter the password you used to create the certificate.
  4 Click OK.


Enter the name of the machine on which the SmartCenter Server is running. You can enter one
of the following:
• A resolvable machine name
• A dotted IP address
To work in local mode, check Demo Mode.

If you do not wish to modify a policy, check Read Only before clicking on OK.

Note - If you are not defined as a user, and therefore do not possess a user name, see “To
Add an Administrator” on page 49 for information on how to define users on the
SmartCenter Server.

Certificate Management, Compression Optimization and Advanced Options

In the SmartDashboard Login window (FIGURE 3-1), click More Options >> to display the
Certificate Management, Connection Optimizations and Advanced options (FIGURE 3-2).

FIGURE 3-2 SmartDashboard login window — More Options

To change the certificate password, click Change Password.

To compress the connection to the SmartCenter Server, check Use compressed connection.

Enter the text describing why the administrator wants to make a change in the security policy
in Session ID (optional). The text appears as a log entry in the SmartView Tracker in the
Session ID column (in Audit mode only). If the Session ID column does not appear in the


SmartView Tracker, use the Query Properties pane to display it. For more information on the
SmartView Tracker, see the chapter called SmartView Tracker in the Check Point SmartCenter
Guide.
To hide the Certificate Management, Connection Optimizations and Advanced options,
click Less Options <<.

Verifying the Connection to the SmartCenter Server


The first time you log in to the SmartCenter Server from a GUI client, a window showing the
fingerprint of the SmartCenter Server will be displayed. To ensure that you are connecting to
the actual SmartCenter Server rather than to an imposter, be sure to compare this fingerprint
with the actual fingerprint of the SmartCenter Server. See “Communications Between the
SmartCenter Server and the GUI Client” on page 21 for details.

Warning - Do not make a first-time connection to a SmartCenter Server from a GUI client,
unless you have the SmartCenter Server fingerprint, and are able to confirm it is the same
as the fingerprint displayed in the GUI client.

After a brief delay, during which the VPN-1/FireWall-1 database is loaded, the VPN-1/FireWall-1
Smart Editor window is displayed.


The SmartDashboard Window


FIGURE 3-3 VPN-1/FireWall-1 SmartDashboard (callouts: toolbars; Security Policy Rule Base;
Address Translation Policy tab; WebAccess Policy tab; Desktop Security Policy tab; VPN Manager
tab; Quality of Service Policy tab; SmartMap; details of the objects selected in the Objects Tree
are displayed in the Objects List)
The SmartDashboard window’s title shows the name of the Policy currently displayed.
Depending on your license (the VPN-1/FireWall-1 features your SmartCenter Server is licensed
to implement), you will see some or all of the following tabs in the SmartDashboard window.
• Security Policy
  The Security Policy Rule Base is described in Chapter 8, “Security Policy Rule Base.”
• Address Translation
  The Address Translation Rule Base is described in Chapter 2, “Network Address Translation
  (NAT)” in Check Point FireWall-1.
• VPN Manager
  The VPN Manager tab is described in the book Check Point Virtual Private Networks.
• Desktop Security Policy
  The SecureClient Policy is described in the book Check Point SecureClient User Guide.
• WebAccess
  The Web Access tab is described in the book Check Point UserAuthority.

Object Tree
The Objects Tree consists of eight tabs. These tabs provide access to eight object types. Within
each tab, a different object type is represented in its own tree. You can change the display of
information by collapsing or expanding the object tree using the collapse and expand buttons,
respectively. Within these tabs you can create and modify selected objects.
FIGURE 3-4 Object Tree Tabs — select the tab of your choice (the tabs are numbered 1 to 9,
as listed in TABLE 3-2)

To display the Objects Tree


Check Objects Tree in the View menu to display the Objects Tree.

TABLE 3-2 Object Tree Tabs

No.  Tab                 Toolbar Icon  Menu Command
1    Network Objects     yes           Manage > Network Objects
2    Services            yes           Manage > Services
3    Resources           yes           Manage > Resources
4    OPSEC Applications  yes           Manage > OPSEC Application
5    Servers             yes           Manage > Servers
6    Users               yes           Manage > Users
7    Time Objects        none          Manage > Time
8    Virtual Links       yes           Manage > Virtual Links
9    VPN Communities     none          Manage > Communities

Creating New Objects in the Objects Tree


1 Open the Object tab by selecting the Object icon of your choice (see FIGURE 3-4).


2 Right-click on an object in the Objects Tree.


A menu is displayed, depending on the object that you selected in the Objects Tree.
FIGURE 3-5 Creating a New Object in the Objects Tree (Figure A and Figure B)

3 Select New Object Type from the displayed menu. For example, in the Network Objects tab,
if you select the Network object icon in the Objects Tree, the menu will display New
Network (FIGURE 3-5 — Figure A). However, if you select the primary object type (the
first object in the tree, for which the tab is named), you will have to select New and then
select the object type from the displayed sub-menu (FIGURE 3-5 — Figure B).
The Object Properties window is displayed.

Sorting the Objects Tree


1 Right-click anywhere on the Objects Tree.
A menu is displayed.
2 Select one of the following:
• Sort by Type — Arrange the Objects Tree by Object types.
• Sort by Name — Arrange the Objects Tree by alphabetical order.
• Sort by Color — Arrange the Objects Tree by the specified object color.

The Objects Tree is sorted.

Modifying Objects in the Objects Tree


1 Right-click on an Object in the Objects Tree.
A menu is displayed.
2 Select Edit from the displayed menu.
The object’s Properties window is displayed. You can now modify the object properties.


Removing Objects from the Objects Tree


1 Right-click on an Object in the Objects Tree.
A menu is displayed.
2 Select Delete from the displayed menu.
A prompt is displayed.
3 Confirm that you would like to delete the selected object.
The object is deleted.

Where Used
1 Right-click on an Object in the Objects Tree.
A menu is displayed.
2 Select Where Used... from the displayed menu.
In the displayed window you can see where the selected object is used in the Rule Base. If
the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any. For more information, see “Object
Occurrences window” on page 137.

Showing Objects in the SmartMap View


1 Right-click on an Object in the Objects Tree.
A menu is displayed.
2 Select Show from the displayed menu.
The object is highlighted in the SmartMap View.

Object List
The Objects List displays all Object types in a detailed table. This table includes Object
configuration information and details, as specified in the Object’s Properties window.

To display the Objects List


Check Objects List in the View menu to display the Objects List.

Modifying Objects in the Objects List


1 Right-click on an Object in the Objects List.
A menu is displayed.
2 Select Edit from the displayed menu.
The object’s Properties window is displayed. You can now modify the object properties.


Removing Objects from the Objects List


1 Right-click on an Object in the Objects List.
A menu is displayed.
2 Select Delete from the displayed menu.
A prompt is displayed.
3 Confirm that you would like to delete the selected object.
The object is deleted.

Showing Objects in the SmartMap View


1 Right-click on an Object in the Objects List.
A menu is displayed.
2 Select Show from the displayed menu.
The object is highlighted in the SmartMap View.

Object References window

The Object References window is accessed by clicking Where used on the right-click menu at
various places in the Rule Base, Objects Tree and Objects List. In this window you can learn
where the selected object is used in the Security Policy.
This window is divided into several tabs (Objects, Rulebases and Queries) and in each tab you
can learn more information about the selected object. Some of the data that you can learn is:
Object Name — the name of the specified object
Occurrence in Rule Base: the specified object may be present in one or more places in any of
the SmartDashboard Rule Bases
  Last In Cell? — if the specified object is the only object in one or more cells in the Rule
  Base, removing this object will change the value of the cell to Any
  Rule Base — the name of the Rule Base in which the specified object occurs
  Tab — the name of the tab in which the Rule Base is saved
Occurrence in Other Objects: the specified object may be present in a number of different
objects
  Type — the object type in which the specified object occurs
  Name — the name of the object in which the specified object occurs
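The Last In Cell? warning above, and the Where Used procedure earlier in this section, describe a side effect worth modelling: deleting the only object in a Rule Base cell turns that cell into Any, which can silently widen a rule. The following Python is an added example, not code from the guide or from Check Point; the rule numbers, object names and the trusted_hosts group are constructed for illustration. It reports the object's occurrences in rules and in group objects, then performs the deletion and lists every cell whose match scope widened to Any.

```python
"""Where-used and last-in-cell check over a constructed Rule Base.

Added example, not Check Point code. Object, group and rule names are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ANY = "Any"            # value a Rule Base cell takes when its last object is removed
CELLS = ("source", "destination", "service")


@dataclass
class Rule:
    number: int
    source: Set[str]
    destination: Set[str]
    service: Set[str]
    action: str = "accept"

    def cell(self, name: str) -> Set[str]:
        return getattr(self, name)


def where_used(rules: List[Rule], groups: Dict[str, Set[str]], obj: str) -> dict:
    """Report every occurrence of obj, like the Object References window.

    'rules' entries are (rule number, cell, last_in_cell); 'objects' lists the
    group objects that contain obj (the 'Occurrence in Other Objects' data).
    """
    report = {"rules": [], "objects": []}
    for r in rules:
        for c in CELLS:
            members = r.cell(c)
            if obj in members:
                report["rules"].append((r.number, c, len(members) == 1))
    for name, members in groups.items():
        if obj in members:
            report["objects"].append(name)
    return report


def delete_object(rules: List[Rule], groups: Dict[str, Set[str]],
                  obj: str) -> List[Tuple[int, str]]:
    """Remove obj everywhere. A cell left empty becomes Any, which is the effect the
    guide warns about, so the returned list names every (rule, cell) that widened."""
    widened = []
    for r in rules:
        for c in CELLS:
            members = r.cell(c)
            if obj in members:
                members.discard(obj)
                if not members:
                    members.add(ANY)
                    widened.append((r.number, c))
    for members in groups.values():
        members.discard(obj)
    return widened


def sample_policy() -> Tuple[List[Rule], Dict[str, Set[str]]]:
    """Constructed sample: three rules and one group object."""
    rules = [
        Rule(1, {"admin_ws"}, {"fw_gateway"}, {"ssh"}),
        Rule(2, {"internal_net", "admin_ws"}, {"mail_server"}, {"smtp"}),
        Rule(3, {ANY}, {ANY}, {ANY}, action="drop"),
    ]
    groups = {"trusted_hosts": {"admin_ws", "backup_srv"}}
    return rules, groups


def demo():
    """Run Where Used on admin_ws, delete it, and return what changed."""
    rules, groups = sample_policy()
    before = where_used(rules, groups, "admin_ws")
    widened = delete_object(rules, groups, "admin_ws")
    return before, widened, rules[0].source, rules[1].source


if __name__ == "__main__":
    before, widened, src1, src2 = demo()
    print("where used:", before)
    print("cells widened to Any:", widened)
    print("rule 1 source now:", src1, "/ rule 2 source now:", src2)
```

In the sample, admin_ws is the last object in rule 1's Source cell, so the Where Used report flags it with last_in_cell True; after deletion that accept rule for SSH to the gateway matches any source, while rule 2 simply shrinks to internal_net. Checking the report before confirming a Delete prompt is the point of the Where Used step.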

Working with the Objects Tree and the Objects List


The Objects Tree and the Objects List are meant to be used simultaneously. When an object is
selected in the Objects Tree, the Objects List automatically displays the details of the selected
object.


The SmartMap
Check Point’s SmartMap provides a topological view of the objects in the SmartDashboard. The
SmartMap View is a mapped visual representation of the network objects defined in the
SmartDashboard and the relationship between these network objects. For more information
about the SmartMap, see Chapter 17, “SmartMap.”

Problems in Connecting to the SmartCenter Server


If the VPN-1/FireWall-1 GUI cannot connect to the SmartCenter Server, an error message
window like the one shown in FIGURE 3-7 is displayed.
FIGURE 3-6 Error message window

When this happens, the problem is usually one of the following:


1 The specified SmartCenter Server is inaccessible for one of the following reasons:
  • There may be no such server.
  • The specified SmartCenter Server may be inaccessible or down at the moment.
  • The request may have timed out.
  In this case, an error message “No Response from Server” will be displayed.
  By default the GUI waits 15 seconds for the SmartCenter Server to respond to requests. In
  certain cases the server may be very loaded and certain operations (queries for example) may
  take longer than 15 seconds. If this happens, you can change the default 15 second timeout
  as follows:
  • Windows NT: Set a registry DWORD value named ServerTimeout under the key
    HKEY_LOCAL_MACHINE\Software\CheckPoint\Policy Editor\5.0 to the desired timeout
    in seconds.
  • X/Motif: Set an environment parameter named SERVER_TIMEOUT to the desired timeout
    in seconds.
  • The specified SmartCenter Server’s name is not being correctly resolved, perhaps
    because you misspelled it.
  • The Caps Lock key is down.
2 You did not enter your password correctly.
  Re-enter your password and try again.
3 The machine you are working on is not one of the GUI Clients permitted by the server.


If your SmartCenter Server is running under Windows NT, you can add or delete GUI Clients
using the VPN-1/FireWall-1 Configuration application. See Chapter 4, “Installing and
Configuring VPN-1/FireWall-1,” for information about the VPN-1/FireWall-1 Configuration
application.
If your SmartCenter Server is running under Unix, then you can add or delete GUI Clients by
using any text editor to modify the file
$FWDIR/conf/gui-clients directly. The file consists of IP addresses or resolvable names, one
per line.
4 You are not one of the allowed administrators.
Use the Check Point configuration application to manage administrators.
5 The versions of the GUI Client and SmartCenter Server are incompatible.
This can happen when mixing encryption and non-encryption versions.
6 A rule or property disallows the connection between the GUI Client and SmartCenter
Server.
See “Accept VPN-1 & FireWall-1 control connections” on page 290 for more information.
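Because $FWDIR/conf/gui-clients directly controls which machines may open a GUI connection to the SmartCenter Server, it is worth checking its content before and after an edit. The following Python is an added example, not a Check Point tool; it relies only on the format the guide states (one IP address or resolvable name per line). The sample content is constructed, and the host-name syntax check is a generic RFC 1123 label check that is an assumption of this example, not something the guide specifies.

```python
"""Audit the content of $FWDIR/conf/gui-clients (added example, not a Check Point tool)."""
import ipaddress
import re

# RFC 1123 host-name label: letters, digits and hyphens, no leading or trailing hyphen.
# Assumption of this example; the guide only says "resolvable names".
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_entry(entry: str) -> str:
    """Return 'ip', 'hostname' or 'invalid' for one gui-clients line."""
    try:
        ipaddress.IPv4Address(entry)          # a dotted IP address
        return "ip"
    except ValueError:
        pass
    labels = entry.split(".")
    if all(label.isdigit() for label in labels):
        return "invalid"                      # malformed IP address, not a name
    if 0 < len(entry) <= 253 and all(_LABEL.match(label) for label in labels):
        return "hostname"
    return "invalid"


def audit_gui_clients(text: str) -> dict:
    """Parse file content; return accepted entries plus findings worth a look."""
    report = {"ip": [], "hostname": [], "findings": []}
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        kind = classify_entry(entry)
        if kind == "invalid":
            report["findings"].append(
                f"line {lineno}: {entry!r} is neither an IPv4 address nor a host name")
            continue
        if entry.lower() in seen:
            report["findings"].append(f"line {lineno}: duplicate entry {entry!r}")
            continue
        seen.add(entry.lower())
        report[kind].append(entry)
    return report


def audit_file(path: str) -> dict:
    """Convenience wrapper for a real file, e.g. $FWDIR/conf/gui-clients."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return audit_gui_clients(fh.read())


# Constructed sample content; not taken from any real installation.
SAMPLE = """10.1.1.20
admin-ws.example.com
10.1.1.20
256.1.1.1
"""

if __name__ == "__main__":
    for key, value in audit_gui_clients(SAMPLE).items():
        print(key, value)
```

The audit separates address entries from name entries so that an administrator can see at a glance which GUI Clients depend on name resolution, and it flags lines that the server would not be able to interpret as either.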

Tracking Revision Control


Check Point SmartDashboard allows you to create backup versions of the database. This allows
the database administrator, if needed, to go back to a previous state of the database. The backup
versions are stored on the SmartCenter Server.
Check Point SmartDashboard allows you to view different database versions stored in the
database version repository. You can create a new database version or delete an existing one.

Note - To use the Database Revision Control feature, you must have the appropriate
license.

To view the list of database versions, choose Database Revision Control from the File menu or
click the corresponding button in the toolbar. The following window appears (see FIGURE 3-8).


FIGURE 3-7 Revision Control window

This window displays a list of all the database versions in the version repository.
The Database Revision Control window contains the following columns:
Version ID — the sequence number of the database version in the version repository. The value
is automatically maintained by the Check Point Policy Editor.
Name — the name of the database version. This field may be empty because when you create a
new database version, giving it a name is optional. For more information, see “Creating a New
Database Version” on page 141.
Creation Date — the day, date, and time the database version was created
Major Version — the (major) version of the product used to create the database version
Minor Version — the (minor) version of the product used to create the database version
Administrator — the administrator name used to log into the Policy Editor (see “Starting the
SmartDashboard” on page 130)
Comment — a comment added about the database version

Creating a New Database Version


You can create a new database version in the version repository.

To create a new database version


1 Click Create in the Database Revision Control window (see FIGURE 3-8). The
following window appears (see FIGURE 3-9).


FIGURE 3-8 Create New Version window

2 Enter the name of the new database version in the Name box.
3 Enter a comment about the new database version in the Comment box.

Note - Step 2 and Step 3 are both optional since Check Point SmartDashboard uniquely
identifies each new version with a sequence number and a creation date.

4 Click OK. The newly-created version is added to the list and to the version repository.

Modifying Version Properties


You can modify the properties of an existing database version.

To modify the properties of an existing database version


1 In the Database Revision Control window, select the version whose properties you want
to modify and click Properties. The Database Version Properties window appears. For a
description of the fields in this window, see page 141. Only the Name and Comments fields
can be edited.
2 Make the desired changes and click OK. The changes you made appear in the Database
Revision Control window.

Deleting a Version
In the Database Revision Control window, select the version you want to delete and click
Delete.


Viewing a Previous Database Version


In the Database Revision Control window (FIGURE 3-8), select the version you want to
view and click View Version. A SmartDashboard window opens in read-only mode. It displays
the rules that were defined for that version. The title bar contains the name of the version you
selected to view.

Note - For information on how to install a previous FireWall-1 Security Policy version on a
Module without changing the definition of the currently-active database policy on the
SmartCenter Server, see page 575 in Chapter 19, “Command Line Interface.”

Reverting to a Previous Database Version


You can restore the content of a previous database version. The files in the database of the server
are replaced with the files of the database version to which you reverted.
1 In the Database Revision Control window, select the version you want to open and click
Restore Version. The Restore Database Verification window appears.
2 Do one of the following:
• If you want to retain the users you have defined for the current database version, select
Apply the current user database onto the restored version.
• If you want to revert to the users defined for the database version to be restored, select
Restore the entire database.

Note - Take into account that retaining the current user database might create a conflict,
preventing the successful restoration of the version.

3 You can optionally click View Version to open another SmartDashboard application
displaying the version you want to restore in read-only mode.
4 Click Next. A verification process is initiated that checks for any problems or conflicts
caused by inconsistencies between the two databases.
If no inconsistencies are detected, the database is successfully restored and the
following window appears.


FIGURE 3-9 Database restored successfully

If inconsistencies are detected, errors or warnings are displayed with explanations of why
restoration of the database version failed. For example, let’s consider the following scenarios.
Scenario 1
In the current database, you added a new object (tac1) to the database and you defined a
user (u2) to use the newly-added object (tac1). If you want to restore a previous database
but want to retain the users you have defined for the current database version (by choosing
the option Apply the current user database onto the restored version), an inconsistency
will be detected and the restoration process will fail because the object (tac1) did not exist
in the previous version. In this case, the following window appears:


FIGURE 3-10 Restoration process failed

Click the Verification Problems button for details about why the restoration process failed.
The following window appears.
FIGURE 3-11 Restore database troubleshooting

Correct the problem and try to restore the database version again.
Scenario 2
In the current database, you created a certificate for the following Gateways:
• bono
• rossini
If you revert to another database version, the certificates you created will no longer be valid
and you will get the following warning:


FIGURE 3-12 Invalidating Gateway Certificates

If you click Next, the Gateways will lose the certificates.


5 Once the verification process is completed successfully, click Restore. The SmartDashboard
closes and then reopens after a few seconds with the restored database.
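The two scenarios above come down to two checks: a retained user must not reference an object missing from the restored version (an error that blocks the restore), and gateway certificates created after the restored version will stop being valid (a warning). The following Python is an added example, not Check Point's verification code; it models those checks as a dry run over constructed version data that reuses the object, user and gateway names from the scenarios (tac1, u2, bono, rossini), with the extra names hq_net and u1 made up for the example.

```python
"""Dry run of the Database Revision Control restore verification.

Added example, not Check Point code. Models the two scenarios from the guide.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class DatabaseVersion:
    version_id: int
    objects: Set[str]                               # objects defined in this version
    users: Dict[str, Set[str]]                      # user name -> objects the user references
    gateways_with_certificates: Set[str] = field(default_factory=set)


def verify_restore(current: DatabaseVersion, target: DatabaseVersion,
                   keep_current_users: bool) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for restoring 'target' over 'current'.

    errors   block the restore: a retained user refers to an object that does not
             exist in the restored version (Scenario 1).
    warnings do not block it: gateway certificates created after the target
             version will no longer be valid once it is restored (Scenario 2).
    """
    errors: List[str] = []
    warnings: List[str] = []
    # "Apply the current user database onto the restored version" keeps current.users;
    # "Restore the entire database" takes the users stored with the target version.
    users = current.users if keep_current_users else target.users
    for user, refs in sorted(users.items()):
        for obj in sorted(refs - target.objects):
            errors.append(f"user {user} references object {obj}, which does not exist "
                          f"in version {target.version_id}")
    for gw in sorted(current.gateways_with_certificates - target.gateways_with_certificates):
        warnings.append(f"gateway {gw} will lose its certificate when version "
                        f"{target.version_id} is restored")
    return errors, warnings


def sample_versions() -> Tuple[DatabaseVersion, DatabaseVersion]:
    """Constructed data: version 4 is current, version 3 is the one to restore."""
    previous = DatabaseVersion(
        version_id=3,
        objects={"bono", "rossini", "hq_net"},
        users={"u1": {"hq_net"}},
    )
    current = DatabaseVersion(
        version_id=4,
        objects={"bono", "rossini", "hq_net", "tac1"},
        users={"u1": {"hq_net"}, "u2": {"tac1"}},
        gateways_with_certificates={"bono", "rossini"},
    )
    return current, previous


if __name__ == "__main__":
    cur, prev = sample_versions()
    for keep in (True, False):
        errors, warnings = verify_restore(cur, prev, keep_current_users=keep)
        print(f"keep current users={keep}: {len(errors)} error(s), {len(warnings)} warning(s)")
        for line in errors + warnings:
            print("  ", line)
```

With the current user database retained, u2's reference to tac1 is reported as the blocking error from Scenario 1; choosing to restore the entire database instead clears it, while the certificate warning for bono and rossini remains in both cases, as in Scenario 2.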

Displaying SmartDashboard Windows


TABLE 3-3 shows how to display each of the more important SmartDashboard windows.

TABLE 3-3 Displaying SmartDashboard windows

To display this window: In the SmartDashboard window (and whether a toolbar button exists)

Network Objects (toolbar button): Choose Network Objects from the Manage menu or right-click
on a rule’s Source or Destination (see Chapter 5, “Network Objects”).
Users (toolbar button): Choose Users from the Manage menu or right-click on a rule’s Source
(see Chapter 4, “Managing Users and Administrators”).
Services (toolbar button): Choose Services from the Manage menu or right-click on a rule’s
Services (see Chapter 6, “Services and Resources”).
Resources (toolbar button): Choose Resources from the Manage menu (see Chapter 6, “Services
and Resources”).
Servers (toolbar button): Choose Servers from the Manage menu (see Chapter 10, “Server
Objects and OPSEC Applications”).
OPSEC Applications (toolbar button): Choose OPSEC Application Properties from the Manage
menu (see Chapter 10, “Server Objects and OPSEC Applications”).
Virtual Links Manager (toolbar button): Choose SmartView Monitor > Virtual Links from the
Manage menu (see Chapter 16, “Virtual Links”).
VPN Communities (no toolbar button): Choose VPN Communities from the Manage menu.
Properties Setup (toolbar button): Choose Global Properties from the Policy menu (see
Chapter 7, “Global Properties”).
SmartView Status (no toolbar button): Double-click on the SmartView Status icon on the
desktop, or choose SmartView Status from the Window menu.
SmartView Tracker (no toolbar button): Double-click on the SmartView Tracker icon on the
desktop or choose SmartView Tracker from the Window menu.

Menus

Note - The majority of SmartDashboard menus are common to both the Standard and the
Log Consolidator products. The word “Policy” refers to either the Security Policy or the
Consolidation Policy, depending on the product viewed through the Products sub-menu
of the View menu.
For more information on Log Consolidator-specific menus, see Getting Started with the
Check Point Reporting Module.

File Menu
TABLE 3-4 The File Menu options

Menu Entry (Toolbar Button): Description. See ...

New (no toolbar button): Create a new Policy Package. See “Creating a New Policy Package”
on page 311.
Open (no toolbar button): Open an existing Policy Package. See “Opening a Policy Package” on
page 311.
Installed Policies (no toolbar button): View a policy installed on a VPN/FireWall Module
managed by this SmartCenter Server. See Chapter 8, “Security Policy Rule Base”.
Refresh (toolbar button): Refresh the Policy from the SmartCenter Server.
Save (toolbar button): Save the current Policy Package and all system objects. See “Saving a
Policy Package” on page 313.
Save As (no toolbar button): Save the current Policy Package and all system objects. See
“Saving a Policy Package” on page 313.
Delete (no toolbar button): Delete a Policy Package. See “Deleting a Policy Package” on
page 313.
Database Revision Control (toolbar button): Open the Database Revision Control window. See
“Tracking Revision Control” on page 140.
Print (no toolbar button): Print the current Rule Base or the topology map. See Chapter 8,
“Security Policy Rule Base”.
Print Preview (no toolbar button): Print preview of the current Policy.
Print Setup (no toolbar button): Open the standard Print Setup window.
Exit (no toolbar button): Exit the application.

Edit Menu
TABLE 3-5 The Edit menu options

Menu Entry (Toolbar Button): Description. See ...

Cut (toolbar button): Delete the selected rule (or rules) and copy to the Clipboard. See
“Copying, Cutting and Pasting Rules” on page 327.
Copy (toolbar button): Copy the selected rule (or rules) to the Clipboard. See “Copying,
Cutting and Pasting Rules” on page 327.
Paste (toolbar button): Paste the rule that is in the Clipboard. See “Copying, Cutting and
Pasting Rules” on page 327.


View Menu
TABLE 3-6 The View menu options

Menu Entry (Toolbar Button): Description. See ...

Products (no toolbar button): Toggle between the SmartDashboard and the Log Consolidator.
Toolbars (no toolbar button): Toggle the display of the SmartDashboard toolbars. See
“VPN-1/FireWall-1 Toolbars” on page 154.
Status Bar (no toolbar button): Toggle the display of the VPN-1/FireWall-1 Status Bar. See
“VPN-1/FireWall-1 Status Bar” on page 158.
Objects Tree (toolbar button): Toggle the display of the Objects Tree. See “Object Tree” on
page 134.
Rule Base (toolbar button): Toggle the display of the SmartDashboard Rule Base.
Objects List (toolbar button): Toggle the display of the Objects List. See “Object List” on
page 136.
Topology Map (toolbar button): Toggle the display of the SmartMap. See “The SmartMap” on
page 139.
Reset Column Width (no toolbar button): Set the Rule Base columns to their default width.
Sort Tree (toolbar button): Sort the Objects Tree by the object name, type or color. See
“Sorting the Objects Tree” on page 135.
Implied Rules (no toolbar button): Toggle the display of the implied rules (the rules derived
from the Global Properties window). See “Implied Rules” on page 332.

The SmartDashboard consists of several toolbars. These toolbars are displayed below the menu.
To decide which toolbars are displayed, select the requested menu options from the Toolbars
option in the View menu. For more about toolbars, see “VPN-1/FireWall-1 Toolbars” on page
154. The SmartDashboard Status Bar (see page 158) is displayed at the bottom of the
SmartDashboard window.


Selections Available from the Manage Menu


TABLE 3-7 The Manage menu options

Menu Entry (Toolbar Button): Description. See ...

Network Objects (toolbar button): Manage Network Objects. See Chapter 5, “Network
Objects”.
Services (toolbar button): Manage Services. See Chapter 6, “Services and Resources”.
Resources (toolbar button): Manage Resources. See Chapter 6, “Services and Resources”.
OPSEC Applications (toolbar button): Manage OPSEC Applications. See
http://www.opsec.com.
Servers (toolbar button): Manage Servers. See Chapter 10, “Server Objects and OPSEC
Applications”.
Users and Administrators, Permission Profiles (toolbar button): Manage Users. See Chapter 4,
“Managing Users and Administrators”.
Time (no toolbar button): Manage Time Objects. See Chapter 9, “Time and Scheduled Event
Objects”.
VPN Communities (no toolbar button): Manage Intranet and Extranet Communities. See
Chapter 10, “Extranet Management” of Check Point Virtual Private Networks Guide.
QoS > QoS Classes (no toolbar button): Manage QoS Classes. See “Diffserv” in Chapter 2,
“QoS Policy Management” of Check Point FloodGate-1 Guide.
Credential Manager > Authentication Domains (no toolbar button): Manage User
Authentication for UA credentials management. See “Server Chapter” of the “UserAuthority
User Guide”.
SmartView Monitor > Virtual Links (toolbar button): Manage Virtual Links. See Chapter 16,
“Virtual Links”.
Web Access > Methods (no toolbar button): Manage Method Objects.
Web Access > Trusts (no toolbar button): Manage Trust Objects.
Accountings... (toolbar button): Manage Accounting Schemes (Log Consolidator only). See
“Defining Accounting Schemes” in Chapter 11, “Log Consolidation”.
Customer... (toolbar button): Manage Customers (Log Consolidator only). See “Defining
Customers” in Chapter 11, “Log Consolidation”.

Rules Menu with Toolbar Buttons


TABLE 3-8 The Rules menu options

Menu Entry (Toolbar Button): Description. See ...

Add Rule (no toolbar button): Add a rule to the Rule Base. See “Adding a Rule” on page 314.
Add Sub-Rule (toolbar button): Add a sub-rule to the QoS rule.
Delete (toolbar button): Delete the selected rule. See “Deleting a Rule” on page 327.
Disable Rule (no toolbar button): Disable the selected rule. See “Disabling Rules” on
page 344.
Add QoS Class (no toolbar button): Add a QoS Class above or below the rule. See “Diffserv”
on page 50 of Check Point FloodGate-1 Administration Guide.
Select All (no toolbar button): Select all rules in the Rule Base.
Hide (no toolbar button): Hide or unhide the current rule. See “Hiding Rules” on page 332.


Policy Menu
TABLE 3-9 The Policy menu options

Menu Entry (Toolbar Button): Description. See ...

Verify (toolbar button): Verify the Policy. See “Verifying and Viewing the Security Policy”
on page 327.
Install (toolbar button): Install the Policy on the targets. See “Installing the Security
Policy” on page 347.
Uninstall (toolbar button): Remove the Policy from the targets. See “Uninstalling the
Security Policy” on page 352.
View (no toolbar button): View the Inspection Script. See “Viewing the Inspection Script” on
page 355.
Access Lists Operations (no toolbar button): Display the Router Access Lists window. See
“Installing Access Lists” on page 356.
Install Users Database (no toolbar button): Install the Database to selected FireWalled
network objects. See “Database Installation” on page 171.
Policy Installation Targets
Management High Availability (no toolbar button): Implement Check Point Management High
Availability. See “Management High Availability” on page 553.
Global Properties (toolbar button): Display the Global Properties window. See Chapter 7,
“Global Properties”.
Install and Start (toolbar button): Install and start the Consolidation Policy (Log
Consolidator only). See “Installing the Consolidation Policy” in Chapter 11, “Log
Consolidation”.

SmartMap menu
For more information, refer to “The SmartMap Helper” in Chapter 17, “SmartMap”.


Search Menu
TABLE 3-10 The Search menu options

Menu Entry | Toolbar Button | Description | See
Query Rules | (icon) | | “Querying the Rule Base” on page 335
Clear Rules Query | none | Clear the defined query. | “To Clear a Query” on page 344
Query Network Objects | (icon) | Filter the selected network object. | “Filtering Network Objects” on page 181
Query LDAP Objects | (icon) | |
Find in Rule Base | (icon) | Find the specified text in the Rule Base. | “Searching the Rule Base” on page 344

Window Menu
TABLE 3-11 The Window menu options

Menu Entry | Toolbar Button | Description | See
SmartView Tracker | none | Open the SmartView Tracker. | Chapter 13, “SmartView Tracker”
SmartView Status | none | Open SmartView Status. | Chapter 11, “SmartView Status”
SmartView Monitor | none | Open the SmartView Monitor. | Check Point SmartView Monitor Guide
SmartUpdate | none | Open the SmartUpdate. | Chapter 2, “SmartUpdate”
User Monitor | none | Open the Users’ Monitor application. | Chapter 14, “User Monitor”


Help Menu
TABLE 3-12 The Help menu options

Menu Entry | Toolbar Button | Description
Help Topics | none | Display Help.
What’s new in Check Point Software | none | Open the Check Point web page containing new features in Check Point software.
Online Software Updates | none | Open the Check Point web page containing Check Point software updates.
About Check Point SmartDashboard | none | Display the About SmartDashboard window.

VPN-1/FireWall-1 Toolbars
To select the toolbars that you would like to display, select the requested menu options from
Toolbars in the View menu.

VPN-1/FireWall-1 consists of the following toolbars:


• Global Properties — Configure the VPN-1/FireWall-1 Global Properties.
• Help — Activate context sensitive help for toolbar icons and menu commands.
• Objects — Display the Network Objects toolbar.
• Panes — Toggle the various panes (see “Panes Toolbar” on page 156).
• Log Consolidator — See the Check Point Reporting Module Guide.
• Policy — Work with policies (see “Policy Toolbar” on page 156).
• Rules — Work with rules (see “Rules Toolbar” on page 157).
• Search — Use searches and queries (see “Search Toolbar” on page 157).
• SmartDefense — Activate Check Point SmartDefense (see “SmartDefense” on page 157).
• Standard — Use standard editing tools (see “Standard Toolbar” on page 158).
• Topology Map — Work with the topology map (see “Topology Map Toolbar” on page 158).
• VPN Communities — See the Check Point Virtual Private Networks Guide.

The toolbar buttons are shortcuts for menu commands.


Toolbar Buttons and Menu Commands


TABLE 3-13 The Global Properties button

Toolbar Button | Menu Command
(icon) | Policy > Global Properties

Help Toolbar

Toolbar Buttons and Menu Commands

TABLE 3-14 The Help button

Toolbar Button | Menu Command
(icon) | none

Objects Toolbar

Toolbar Buttons and Menu Commands

TABLE 3-15 The Objects toolbar buttons

Toolbar Button | Menu Command
(icon) | Manage > Network Objects
(icon) | Manage > Services
(icon) | Manage > Resources
(icon) | Manage > OPSEC Applications
(icon) | Manage > Servers
(icon) | Manage > Users and Administrators
(icon) | Manage > SmartView Monitor > Virtual Links


Panes Toolbar

Toolbar Buttons and Menu Commands

TABLE 3-16 The Panes toolbar buttons

Toolbar Button | Menu Command
(icon) | View > Objects Tree
(icon) | View > Rule Base
(icon) | View > Objects List
(icon) | View > Topology Map
(icon) | View > Sort by Name
(icon) | View > Sort by Type
None | View > Sort by Color

Policy Toolbar

Toolbar Buttons and Menu Commands

TABLE 3-17 The Policy toolbar buttons

Toolbar Button | Menu Command
(icon) | Policy > Verify
(icon) | Policy > Install
(icon) | Policy > Uninstall
(icon) | File > Revision Control


Rules Toolbar
TABLE 3-18 The Rules toolbar buttons

Toolbar Button | Menu Command
(icon) | Rules > Add Rule > Bottom
(icon) | Rules > Add Rule > Top
(icon) | Rules > Add Rule > Before
(icon) | Rules > Add Rule > After
(icon) | Rules > Add Subrule
(icon) | Rules > Delete Rule

Search Toolbar
TABLE 3-19 The Search toolbar buttons

Toolbar Button | Menu Command
(icon) | Search > Query Rules
(icon) | Search > Query Network Objects
(icon) | Search > Query LDAP Objects
(icon) | Search > Find

SmartDefense
The Check Point SmartDefense provides a unified security framework for various components
that identify and prevent cyber attacks. In addition to the security enforcement policy, defined in
the rule base, SmartDefense unobtrusively analyzes activity across your network, tracking
potentially threatening events and optionally sending notification.
SmartDefense includes the following features:
• successive events — a mechanism for detecting malicious or suspicious successive events and
notifying the system administrator;
• stateless packet validation — a comprehensive sequence of IP, ICMP, UDP and TCP tests;
• sequence verifier — a mechanism matching the current TCP packet’s sequence number
against a TCP connection state. Packets that match the connection in terms of the TCP
session but have incorrect sequence numbers are either dropped or stripped of data;
• SYN Attack — a module designed to prevent attacks in which TCP connection initiation
packets are sent to the server in an attempt to cause Denial of Service;
• fragment sanity check — a feature that generates logs when detecting packets, purposefully
fragmented for a FireWall bypassing or Denial of Service attack;
• general HTTP worm catcher — a mechanism for detecting and blocking HTTP-based
worms, e.g., CodeRed and Nimda.

• FTP malformed packet logs — an FTP protocol enforcement foiling any attempt to use an FTP server as an agent for a malicious operation. Optionally, log events will be forwarded to the VPN-1/FireWall-1 log database.
• DNS malformed packet logs — a DNS protocol enforcement that inspects each packet to make sure it conforms to the DNS query (or answer) standard. In addition, certain restrictions are imposed on the type of data allowed in queries and answers.
• implicit security servers activation — a feature that implicitly activates the security servers on all traffic of a certain type, regardless of the Rule Base.

Standard Toolbar
TABLE 3-20 The Standard toolbar buttons

Toolbar Button | Menu Command
(icon) | File > Save
(icon) | File > Refresh
(icon) | Edit > Cut
(icon) | Edit > Copy
(icon) | Edit > Paste

Communities Toolbar
TABLE 3-21 The Communities toolbar buttons

Toolbar Button | Menu Command
(icon) | Manage > VPN Communities
(icon) | Manage > VPN Communities

Log Consolidator Toolbar

For more information on Log Consolidator toolbars and menus, refer to the Check Point Reporting
Module Guide.

Topology Map Toolbar

For more information, refer to “Menu Commands and Toolbar” in Chapter 17, “SmartMap”.

SmartDefense Toolbar
For more information, refer to “SmartDefense” on page 157.

VPN-1/FireWall-1 Status Bar

FIGURE 3-13 VPN-1/FireWall-1 Status Bar

The VPN-1/FireWall-1 Status Bar, displayed at the bottom of the VPN-1/FireWall-1 window,
shows information on the state of VPN-1/FireWall-1, as well as explanations of menu items and
toolbar buttons.

CHAPTER 4

Managing Users and Administrators

In This Chapter

Overview page 157


VPN-1/FireWall-1 Proprietary Users page 158
User Database page 167
Generic User Profiles page 168
External Users and Groups page 171
Groups of RADIUS Users page 171
Associating a Radius Server with a FireWall-1 Enforcement Module page 171
Groups of Windows NT users page 172

Overview
When you define users, administrators and groups for VPN-1/FireWall-1:
• You can use those user groups as the Source in rules which specify
Authentication (User, Client, or Session) as the Action.
• The administrators can use the Check Point Management GUI Clients to administer Check
Point products.
The user’s or administrator’s properties (for example, those defined in the Location and Time
tabs of the User Properties window) are then applied. In this way, you can specify, for example,
that users in one group can connect only during the day, while users in another group can
connect only at night.
There are two ways to define users in VPN-1/FireWall-1:
• using the VPN-1/FireWall-1 proprietary user database — see “VPN-1/FireWall-1
Proprietary Users” on page 158
• using an LDAP directory — see “External Users and Groups” on page 171


VPN-1/FireWall-1 Proprietary Users

Defining Users and Groups


You can define users, administrators and groups in the Users window. In addition, you can
define templates upon which future user definitions will be based.
To display the Users window,
• choose Users from the Manage menu
Click on Install to install the User Database to the VPN/FireWall modules on which the
Security Policy is installed. To view specific types of users, select the desired type from the Show
drop-down list.

Creating a New Object (User, Administrator, Group or Template)


To create a new object (User, Administrator, Group or Template), proceed as follows:
1 Click on New.
The New User Object menu is displayed, listing the types of objects you can create.
2 Select User by Template or Administrator by Template from the menu.
A window is displayed prompting you to enter the properties of the selected object type.

Note - If you have chosen User by Template or Administrator by Template, you must
first choose a template from the menu.

The User Templates already defined are listed in the bottom part of the menu.

TABLE 4-1 User types

To create an object of type | See
Group | “Creating a Group” on page 159
External Group | “External Users and Groups” on page 171
Template | “Creating a Template” on page 159
User | “Creating a New User” on page 159
Administrator | “Creating a New Administrator” on page 159

Modifying a User
To modify an existing user, select the user in the Users window and click on Edit.

Deleting a User
To delete an existing user, select the user in the Users window and click on Remove.


Creating a Group
To create a new group, choose Group from the New User Object menu. The Group Properties
window is then displayed.
To add users or groups to a group, follow the instructions in “User Groups” on page 166.

Creating a Template
To create a new template, choose Template from the New User Object menu. The User
Definition Template window is displayed.

The User Definition Template window is identical to the User Properties window and has
the same tabs (except for the Certificates tab). Enter the data (properties) for the template in
the same way you enter data for a user (see “User Properties” on page 162).
Once you have created a template, any user you create based on the template will inherit all of
the template’s properties, including membership in groups.
If you modify a template’s properties, the change will affect all users created from the template
in the future. Users already created from the template will not be affected.

Note - In contrast to VPN-1/FireWall-1 templates, LDAP templates are live links. Changes
to an LDAP template change the properties of all users linked to the template.

Creating a New User


To create a new user, choose the template on which the new user’s properties will be based from
the New User Object menu. The User Properties window is then displayed.
Enter the data for the user (see “User Properties” on page 162). For any user, you can freely
change the properties that user inherited from the template, but they will be changed for the
user only. The template remains unchanged.

Creating a New Administrator


Check Point Administrators (that is, people who are authorized to use the Check Point
SmartDashboard) are now defined from the SmartDashboard GUI, by selecting New >
Administrator from the Users window.

The other tabs are identical to the corresponding tabs in the User Properties window (“User
Properties” on page 162).
Note -
• The Admin Auth tab of the Administrator Properties window corresponds to the
Authentication tab of the User Properties window.
• The Admin Certificates tab of the Administrator Properties window corresponds to
the Certificates tab of the User Properties window.

Click View Permissions Profile to view the profile (the set of permissions) assigned to the
Administrator.

Chapter 4 Managing Users and Administrators 159



To define a new Permissions Profile, click New in the General tab of the Administrator
Properties window. In the General tab of the Permissions Profile Properties window, specify
the profile’s name.
In the Permissions tab, specify the profile’s permissions.

Permissions Profile Properties window

General Tab
Name — the administrator’s name
Comment — descriptive text
Color — the color of the administrator’s icon
Select the desired color from the drop-down list.

Permissions Tab
In the Permissions tab, specify the permissions to be granted to an administrator who is
assigned this Permissions Profile.
TABLE 4-2 shows the available Permission Profile options.

TABLE 4-2 Add and Edit Permission Profile Options

Selecting this option… | …gives these permissions

None | Allows no access to any Check Point products.
Read/Write All | Allows full access to all Check Point products.
Read Only All | Allows read-only access to all Check Point products.
Customized | Allows user-defined access to Check Point products.
SmartUpdate | Note — Choosing Read/Write permissions automatically gives Read/Write permissions for all other options.
  • Read/Write permission allows Check Point product installations on Managed modules to be centrally managed.
  • Read Only permission allows viewing the status of installations of Check Point products on managed Modules.
Objects Database | Note — These permissions cannot be selected. They are automatically assigned based on choices made in other options.
  • Read/Write permission indicates that the administrator can add, remove and modify objects, in addition to being able to edit the Policy properties.
  • Read Only permission means that the administrator can see the objects but cannot modify them.
Check Point Users Database | • Read/Write allows the administrator to define, remove and modify users or templates, as well as insert and remove users to/from groups.
  • Read Only permission allows the administrator to view users, templates, and groups but not modify them.
LDAP Users Database | • Read/Write permission allows the administrator to define, remove and modify LDAP users and groups.
  • Read Only permission allows the administrator to view LDAP users and groups but not modify them.
  For more information on LDAP Users Database administrators, see “LDAP Administrators” on page 21 of Check Point User SmartCenter Guide.
Security Policy | • Read/Write allows the administrator to manage Security Policies and rules within the Policies. The administrator can install and uninstall Security Policies.
  • Read Only allows the administrator to open and view Security Policies but not to modify them.
QoS Policy | • Read/Write allows the administrator to manage QoS policies and rules within the policies. The administrator can install and uninstall QoS Policies.
  • Read Only allows the administrator to open and view QoS Policies but not to modify them.
Log Consolidator Policy | • Read/Write allows the administrator to manage Log Consolidator policies and rules within the policies. The administrator can install and uninstall Log Consolidator Policies.
  • Read Only allows opening and viewing Log Consolidator policies but not modifying them.
Reporting Tool | • Read/Write allows the administrator to create and manage report definitions.
  • Read Only permission allows the administrator to process reports and change Runtime parameters, but not to create or modify report definitions.
Monitoring | • Read/Write permission allows the administrator full access to the Log Viewer, System Status and SmartView Monitor.
  • Read Only permission prevents the administrator interrupting connections.
Web Policy | • Read/Write permission allows the administrator full access to the WebAccess functionality.

User Properties
To display the User Properties windows, double-click on a user name in the Users window
and then select the appropriate tab.

In This Section

User Properties Window — General tab page 162


User Properties Window — Personal tab page 162
User Properties Window — Groups tab page 163
User Properties Window — Authentication tab page 163
User Properties Window — Location tab page 165
User Properties Window — Time tab page 166
User Properties Window — Encryption tab page 166
User Properties Window — Certificates tab page 166

User Properties Window — General tab


Login Name — the user’s name

User Properties Window — Personal tab


Expiration Date — date after which the user will be denied access
Date format is dd-mmm-yyyy, where:
• mmm is one of the following: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec
• yyyy must be four digits, for example “2031”


Comment — descriptive text


This text is displayed on the bottom of the Users window when this user is selected.
Color — the color of the user’s icon
Select the desired color from the drop-down list.

User Properties Window — Groups tab

Adding the User to a Group


To add the user to a group, select the groups in the left listbox (labeled Available Groups) to
which you wish to add this user, and then click on Add.

Deleting the User from a Group


To delete the user from a group, select the groups in the right listbox (labeled Belongs to
Groups) from which you wish to delete this user, and then click on Delete.

User Properties Window — Authentication tab


Authentication Scheme — the scheme used to authenticate this user
Select a scheme from the list. The Settings group shows the fields relevant to the selected
scheme. For information about Authentication schemes, see “Authentication Schemes” on
page 125 of Check Point FireWall-1 Guide.

TABLE 4-3 Authentication Schemes and windows

Authentication Scheme | Description
Undefined | No authentication scheme is defined for this user in the VPN-1/FireWall-1 user database, though one may be defined on an LDAP Server.
S/Key | See “S/Key Authentication” on page 164.
SecurID | There are no scheme-specific parameters for the SecurID authentication scheme. The FireWall-1 enforcement module acts as an ACE/Agent 5.0. For agent configuration see ACE/Server documentation.
VPN-1 & FireWall-1 | See “VPN-1 & FireWall-1 Password Authentication” on page 165.
OS Password | There are no scheme-specific parameters for the OS Password authentication scheme.
RADIUS | See “RADIUS Authentication” on page 165.
AXENT Pathways Defender | There are no scheme-specific parameters for the AXENT Pathways Defender authentication scheme.
TACACS | See “TACACS Authentication” on page 165.


S/Key Authentication
Seed — an arbitrary number
Secret Key — chosen by the user
Secret Key should be at least 10 characters long.
Length — number of passwords in the chain
Password — password for the user
Generate Button — generates a password after a gateway has been selected
Installed On — the gateway that will perform the authentication
Method — the hashing method
Print Chain — print the password chain.
This option is available only immediately after generating a new chain.

There are several options for using the S/Key Authentication settings, as follows:
• To generate and save a sequence of one-time passwords, proceed as follows:
1 Enter Seed, Secret Key and Length.
Secret Key should be at least 10 characters long.
2 Click on Generate.
• If the user has already generated a sequence of one-time passwords, proceed as follows:

1 Enter Seed, Length (the number of the last password used), and the last-used Password.

2 Click on OK.

Warning - Do not click on Generate.

The S/Key password is saved. If Seed and Length are not entered, the user is prompted for
them.

To generate a new S/Key password chain for a user who has forgotten the password, proceed as follows:

1 In the user’s User Properties window, enter a new Secret Key (or leave it blank and let
one be chosen randomly).
2 Enter a Length.
3 Click on Generate.
The keys are then generated and saved to a file.
4 Download the User Database by choosing Policy > Install Objects Database on the menu
or by clicking on Install in the Users window.
For more information, see “Database Installation” on page 167.

The former “forgotten” keys are no longer valid, and the new keys will be used for all
future authentication.
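The S/Key settings above (Seed, Secret Key, Length, Method, Print Chain, and re-entering Seed, Length and the last-used Password for an existing chain) map onto the RFC 2289 one-time-password chain shown here. This is an added illustration, not Check Point code; it assumes MD5 as the hashing Method with the RFC 2289 fold to 64 bits, hex output in place of the six-word encoding, and constructed seed, secret and length values.

```python
"""S/Key one-time passwords: chain generation ("Generate") and the gateway's check.

Added illustration of the S/Key settings described in the guide; not Check Point
code.  Assumptions: the hashing Method is MD5 with the RFC 2289 fold to 64 bits,
passwords are shown as hex instead of the six-word encoding, and the seed, secret
and length used in the demo are constructed values.
"""
import hashlib
import secrets
import string
from typing import List, Optional, Tuple


def _step(data: bytes) -> bytes:
    """One S/Key step: MD5, then XOR the two 8-byte halves of the digest (RFC 2289)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def skey_chain(seed: str, secret: Optional[str], length: int) -> List[bytes]:
    """Return [p0, p1, ..., p_length]: p0 = step(seed + secret), p_i = step(p_{i-1}).

    Only p_length is kept by the gateway; the user spends the chain backwards,
    one password per login, starting with p_{length-1}.  A blank secret is
    replaced by a random one, as the "forgotten password" procedure allows.
    """
    if length < 1:
        raise ValueError("Length must be at least 1")
    if not secret:
        secret = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
    if len(secret) < 10:
        raise ValueError("Secret Key should be at least 10 characters long")
    seed = seed.lower()  # seeds are case-insensitive in RFC 2289
    chain = [_step((seed + secret).encode())]
    for _ in range(length):
        chain.append(_step(chain[-1]))
    return chain


def print_chain(chain: List[bytes]) -> List[str]:
    """The "Print Chain" view: password number and value, highest number first."""
    return [f"{n}: {p.hex()}" for n, p in reversed(list(enumerate(chain[:-1])))]


class SkeyGateway:
    """Per-user state the enforcement module keeps: seed, the number of the last
    accepted password and that password (the values an administrator re-enters
    for a user who already has a chain: Seed, Length and the last-used Password)."""

    def __init__(self, seed: str, length: int, last_password: bytes):
        self.seed = seed.lower()
        self.seq = length          # number of the stored password
        self.stored = last_password

    def challenge(self) -> Tuple[int, str]:
        """Sent to the user: the password number to present and the seed."""
        return self.seq - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        """Accept only if step(candidate) equals the stored password, then move one
        link down the chain.  A replayed or out-of-order password is rejected, and
        once the chain is used up a new one must be generated."""
        if self.seq < 1 or _step(candidate) != self.stored:
            return False
        self.seq -= 1
        self.stored = candidate
        return True


if __name__ == "__main__":
    # Constructed demo values: an administrator generates a 5-password chain.
    chain = skey_chain("ch12345", "correct horse battery", 5)
    for line in print_chain(chain):
        print(line)
    gateway = SkeyGateway("ch12345", 5, chain[-1])
    print("challenge:", gateway.challenge())
    print("login with password 4:", gateway.verify(chain[4]))
    print("replay of password 4:", gateway.verify(chain[4]))
```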

VPN-1 & FireWall-1 Password Authentication


To enter a password for the user, proceed as follows:
1 Click Change Password.

2 In the Change Password window, enter the password twice: once in Password and a
second time in Confirm Password.

The password can be up to eight characters in length.

Note - OS Password and VPN-1 & FireWall-1 Password are the Authentication
Methods defined in the Authentication tab of the Workstation Properties window.

RADIUS Authentication
Select a RADIUS Server or group of RADIUS Servers from the menu. For information on
how to define RADIUS Servers, see “RADIUS Servers” on page 360.

TACACS Authentication
Select a TACACS Server from the menu. For information on how to define TACACS Servers,
see “TACACS Servers” on page 362.

User Properties Window — Location tab


Source — the user will be allowed access only from the listed network objects.
• To add a network object, select the object from the left list box (labeled Network
Objects), and then click on the Add button to the left of the Source list box.
• To delete a network object, select the object in the Source list box and click on the
Delete button to the left of the Source list box.

For information on how to override this field for a specific rule, see Chapter 3,
“Authentication” in Check Point FireWall-1 Guide.
Destination — the user will be allowed access only to the listed network objects.
• To add a network object, select the object from the left list box (labeled Network
Objects), and then click on the Add button to the left of the Destination list box.
• To delete a network object, select the object in the Destination list box and click on
the Delete button to the left of the Destination list box.
For information on how to override this field for a specific rule, see Chapter 3,
“Authentication” in Check Point FireWall-1 Guide.


User Properties Window — Time tab


Day in Week — days on which the user will be allowed access
Time of Day: From and To — hours between which the user will be allowed access

User Properties Window — Encryption tab


The Encryption tab enables you to specify parameters relating to the user’s SecuRemote
encryption.
For information about encryption, see Check Point Virtual Private Networks Guide.

User Properties Window — Certificates tab


Certificate State — the status of this user’s certificates
Generate — Click to generate a certificate for this user from the Internal Certificate Authority.
Revoke — Click to revoke an existing certificate.

User Groups
To display and update a group’s members, double-click on the group’s name in the Users
window. The Group Properties window is then displayed.
Name — the group’s name
Comment — optional descriptive text
Color — Select the desired color from the drop-down list.
You can filter the items displayed in the left listbox using View.

In the left list box (labeled Not in Group), select the users or groups you wish to include in the
group and click on Add.

Note - To define a new user directly from this window, click New. A menu will be displayed
from which you can select the type of user to create. When you finish defining the user, you
will return to this window.

You can add a group to another group in one of two ways:


1) You can individually add all the users in one group to another group, without nesting
groups within groups. Click on Yes in reply to the question in the window (FIGURE 4-1).
2) You can nest groups inside groups to create a group hierarchy of any desired complexity.
Click on No in reply to the question in the window.
FIGURE 4-1 Adding a Group to a Group


If you nest groups, you can see a nested group’s members by selecting the group in the right
listbox (labeled In Group) and clicking View expanded group.

Deleting a User or Group from a Group


To delete a user or group from a group, double-click on the group’s name in the Users window.
The Group Properties window is then displayed. Select the users or groups to be deleted from
the right list box (labeled In Group), and then click on Remove.

User Database
The VPN-1/FireWall-1 User database contains information about each user defined in
VPN-1/FireWall-1, including authentication schemes and encryption keys. The User Database
resides on the SmartCenter Server and on the FireWalled machines (enforcement points).
The VPN-1/FireWall-1 User Database does not contain information about users defined
externally to VPN-1/FireWall-1, for example, users in external groups (see “External Users and
Groups” on page 171), but it does contain information about the external group (for example,
on which Account Unit the external group is defined). For this reason, changes to external
groups take effect only after the Security Policy is installed or the User Database is downloaded.
When the properties of a user defined in the VPN-1/FireWall-1 User Database change, the
change does not take effect immediately. The VPN/FireWall modules on which the Security
Policy is installed must be notified of the change, in one of three ways:
1 Install the User Database by choosing Install Objects Database from the Policy menu.
2 Install the User Database by clicking on Install in the Users window.
3 Install the Security Policy by choosing Install from the Policy menu.
This installs the Security Policy in addition to updating the User Database.

Database Installation
When you install the User Database from the GUI (by choosing Install Objects Database from
the Policy menu or clicking on Install in the Users window), VPN-1/FireWall-1 runs the fw
command with the dbload argument (see “fwm dbload” on page 562).
You can modify this behavior so that VPN-1/FireWall-1 runs a program or shell script (batch
file) of your choice instead of fw dbload. For example, to run bigapple, add the following
statement to the setup.C file:

dbload_program ("bigapple")


bigapple will be run with the same argument list that fw would have received (where the
first argument is dbload). It is then your responsibility to ensure that bigapple correctly
processes its arguments and installs the Database. Of course, bigapple can also perform any
other functions you wish.

Note - The implicit installation of the User Database that occurs when a Security Policy is
installed is not affected by the dbload_program parameter.

Generic User Profiles

Generic User Overview


Generic User Profiles replace and enhance the generic* user definition. Generic User Profiles
apply to externally defined users, that is, users not defined in the FireWall-1 database or on an
LDAP server.
FireWall-1 users can be defined in the FireWall-1 database or on an LDAP database. If a large
number of users have previously been defined in an external, non-LDAP database, you can
define these users in VPN-1/FireWall-1 either by entering them manually or by importing them
using the fwm dbimport command. In either case, all the users will be defined and maintained
in both databases.
You can avoid the burden of maintaining multiple user databases by defining a Generic User
Profile for all users that are not defined on FireWall-1 or on an LDAP server. Their
authentication is performed as specified in the Authentication tab.
Multiple Generic User Profiles can be defined that can be applied to different groups of
unknown users.
There are two kinds of Generic User Profiles.
The Match all users profile, with the Generic User Profile name generic*, is limited to only
one property set. VPN-1/FireWall-1 applies the restrictions specified for an ordinary user in
the User Properties tabs (for example, Groups). For authentication purposes, it uses the name
typed in by the user instead of generic*. In this way, the external authentication server "sees"
the user's real name and authenticates him or her accordingly.
The Match by domain profiles allow for more granularity in the user definition than is
available with generic*. They are differentiated by their domain name. The user types a
domain name as well as the username. Alternatively, any domain name can be allowed.
It is possible to define all the kinds of users together with Generic User Profiles. FireWall-1 first
looks for an internally defined or LDAP user. If that is not matched, Generic User Profiles with
domains are searched, followed by Generic User Profiles with any domain, and then the
generic* profile.


Example: Defining a Generic User Profile


For example, suppose you have already defined a large number of users to the Security
Dynamics database and they are all authenticating themselves with their SecurID cards. Now,
you want to integrate this authentication with VPN-1/FireWall-1 without having to redefine all
SecurID users in the VPN-1/FireWall-1 User Database.
You can use the generic user feature as follows:
1 Define a user group named SecurIDUsers (for example).
2 Define a user named generic* as a member of SecurIDUsers.

3 Specify SecurID as the Authentication Scheme for generic*.

4 Add a rule to the Rule Base similar to this:

TABLE 4-4 Rule for Generic User

Source | Destination | Services | Action | Track | Install On
SecurIDUsers@Any | tower | telnet | UserAuth | Log | Gateways

5 Install the Security Policy.

Note - The above rule will not be applied to users who are defined in the VPN-1/FireWall-1
User Database, only to users who are not defined in the VPN-1/FireWall-1 User Database.

Using Generic User Profiles


Suppose that Alice is a SecurID user, but she is not defined in the VPN-1/FireWall-1 User
Database. When she TELNETs to tower (and the above rule is applied), the following sequence
of events takes place:
1 VPN-1/FireWall-1 prompts Alice for her username.
2 Alice enters her name.
3 VPN-1/FireWall-1 determines that Alice is an unknown user, that is, that she is not defined
in the VPN-1/FireWall-1 User Database (or in any LDAP directory accessed by
VPN-1/FireWall-1).
4 VPN-1/FireWall-1 determines that there is a user named generic* defined in the User
Database, whose Authentication Method is SecurID.
If there is no user named generic*, VPN-1/FireWall-1 issues the “illegal user name” error
message and disallows the connection.
5 VPN-1/FireWall-1 prompts Alice to enter her SecurID password.


6 Alice enters her SecurID password.


7 VPN-1/FireWall-1 contacts the SecurID server and asks to authenticate user Alice,
supplying the password Alice entered.
8 The SecurID server notifies VPN-1/FireWall-1 whether Alice was successfully
authenticated.
9 VPN-1/FireWall-1 either allows or disallows the connection, depending on whether Alice
was successfully authenticated.

Generic User Notes


1) By using this feature with an external server, you disable VPN-1/FireWall-1’s ability to
detect invalid user names.
The responsibility of authenticating the user is passed to the external server. You will only
get an alert or log if the authentication fails on the external server. Without this option, it
is possible to get an alert or log when an invalid user name is entered.
2) When setting the Match all users profile, by default all the users defined in the external
server are allowed access.
There is no way to treat the users differently (but see item 3 below). The System
Administrator should carefully consider the implications of allowing this blanket access.
3) If you wish to deny access to a specific user, define that user in the VPN-1/FireWall-1 User
Database and set the user’s Authentication Scheme to Undefined.
4) generic* cannot be used as the name of a real user.
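The lookup order described at the start of this section, the sequence of events for Alice, and the notes above (in particular note 3, refusing a named user by giving it the Undefined scheme) are modelled in the following Python. This is an added example, not code from the Check Point guide; the Profile and UserDB classes, the separator and domain-first settings, and every user name in it are assumptions made for illustration.

```python
"""Order in which VPN-1/FireWall-1 matches a login name to a user definition.

Added example, not code from the Check Point guide. The lookup order is the
one the guide describes: internal User Database, then LDAP, then Generic
User Profiles that name a specific domain, then profiles that accept any
domain, and finally the generic* profile. A name defined internally with
the Undefined scheme is refused outright (note 3 above), and a name that
matches nothing gets the "illegal user name" error. The Profile/UserDB
classes, the separator and domain-first settings, and every user name
below are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Profile:
    name: str
    scheme: str                      # authentication scheme used with the auth server
    domain: Optional[str] = None     # None: "Any domain Name is acceptable"
    separator: str = "@"
    domain_first: bool = False       # True: DOMAIN<sep>user, False: user<sep>DOMAIN
    omit_domain: bool = False        # "Omit Domain Name before applying authentication method"

    def split(self, login: str):
        """(username, domain) if the login fits this profile's layout, else None."""
        if self.separator not in login:
            return None
        left, _, right = login.partition(self.separator)
        user, dom = (right, left) if self.domain_first else (left, right)
        if not user or not dom:
            return None
        if self.domain is not None and dom.lower() != self.domain.lower():
            return None
        return user, dom


@dataclass
class UserDB:
    internal: dict = field(default_factory=dict)    # name -> scheme in the User Database
    ldap: dict = field(default_factory=dict)        # name -> scheme found via LDAP
    profiles: list = field(default_factory=list)    # Generic User Profiles
    generic_scheme: Optional[str] = None            # scheme of generic*, if it is defined


def resolve(db: UserDB, login: str):
    """Return (matched by, name sent to the auth server, scheme); raise on refusal."""
    if login in db.internal:
        scheme = db.internal[login]
        if scheme == "Undefined":
            raise ValueError("access denied: user defined with scheme Undefined")
        return "internal", login, scheme
    if login in db.ldap:
        return "ldap", login, db.ldap[login]
    # Profiles with a specific domain are tried before "any domain" profiles.
    ordered = ([p for p in db.profiles if p.domain is not None]
               + [p for p in db.profiles if p.domain is None])
    for p in ordered:
        hit = p.split(login)
        if hit:
            user, _dom = hit
            return p.name, (user if p.omit_domain else login), p.scheme
    if db.generic_scheme is not None:
        return "generic*", login, db.generic_scheme
    raise ValueError("illegal user name")
```

The order of the `profiles` list does not matter: `resolve` always tries the domain-specific profiles first, which is the point of note 1 (with an external server the gateway itself only ever rejects a name that is explicitly defined with scheme Undefined or that matches no profile at all).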

Generic User Profile Properties window


Generic User Profile name - Choose a name for the Generic User Profile.
Domain Name Matching Definitions
DN format - The Domain Name can be in DN format. For example, SecuRemote/SecureClient users
have certificates that contain a domain name in DN format.
Free Format - Freely specify the Domain Name format.
Any domain Name is acceptable - The user can type any domain name and it will be
accepted. To allow a totally unknown user, use the Match all users Generic User Profile instead.
Domain Name - Specify a Domain Name, the separator character(s) between the Domain Name
and the Username, and whether the Domain Name must be typed before or after the user name.
Omit Domain Name before applying authentication method - Use if the authentication
server does not recognize the Domain Name. After the user is matched to the correct profile,
the Domain Name is dropped and only the username is sent to the authentication server.


Be careful about checking Omit Domain Name before applying authentication method. If
checked, the authentication server is unable to verify the validity of the domain typed by the
user.

External Users and Groups


An external group is a user group whose members are defined in an external LDAP directory
server. The LDAP directory can be managed independently of VPN-1/FireWall-1.
An external group can be used in a Security Policy in the same way that a VPN-1/FireWall-1
group can be used. The only difference between them is where the users are defined.
For information on managing external groups and users, see Chapter 6, “Managing LDAP
Objects” of the Check Point SmartCenter Guide.

Groups of RADIUS Users


To create policy rules for groups of users which are not defined on the SmartCenter Server but
are defined on a RADIUS server (including any RADIUS-compliant server, such as the SecurID
ACE/Server), proceed as follows:
1 Enable the feature by changing the value of the attribute add_radius_groups to true. This
attribute is located under the firewall_properties object in the properties table.
Note - The objects.C file should not be edited directly. Instead, use dbedit (see
Chapter 18, “Command Line Interface” of Check Point SmartCenter Guide) to edit the
objects_5_0.C file on the SmartCenter Server. Make sure to restart VPN-1/FireWall-1 after
using dbedit.

2 Make sure that each user on the RADIUS server has a profile that contains the attribute “Class”
(or “Filter-Id” or any other RFC reply string attribute). The value of the attribute is the
group to which the user belongs.
In order to change “Class” to another attribute, modify the value of the
firewall_properties attribute radius_groups_attr.

3 In the SmartDashboard, create a user group with the name “RAD_<group which the
RADIUS users belong to>”. The group may be empty.
4 Define a generic* user that uses this server for RADIUS authentication.

Associating a Radius Server with a FireWall-1 Enforcement Module


A user can be associated with the Radius authentication server via the User Properties
Authentication tab.

It is also possible to associate a FireWall-1 enforcement module with a Radius server, such that
this overrides the User to Radius server association. This is done by directly editing the
FireWall-1 database using a dbedit command.


To associate one or more Radius servers to a FireWall-1 enforcement module, use the dbedit
command:

modify network_objects <gw obj> radius_server servers:<radius obj>

It is possible to switch off the Radius to FireWall-1 association on a per user basis, so that the
user will always authenticate to the Radius server specified in the User Properties
Authentication tab. Do this by switching off another attribute in the FireWall-1 database, using
the dbedit command:

modify users <user obj> use_fw_radius_if_exist false

Groups of Windows NT users


To create policy rules for groups of users which are not defined on the SmartCenter Server but
are defined either on the VPN/FireWall Module’s host which is a Windows NT machine or in
the Windows NT machine’s trusted domain, proceed as follows:
1 Enable the feature by changing the value of the attribute add_nt_groups to true. This
attribute is located under the firewall_properties object in the properties table.
Note - The objects.C file should not be edited directly. Instead, use dbedit (see
Chapter 18, “Command Line Interface” of Check Point SmartCenter Guide) to edit the
objects_5_0.C file on the SmartCenter Server. Make sure to restart VPN-1/FireWall-1 after
using dbedit.

2 Make sure that the user belongs to an NT user group.


3 In the SmartDashboard, create a user group with the name “NT_<NT user group which
the user belongs to>”. The group may be empty.
4 Define a Generic User Profile for a user that uses OS password as the authentication
scheme.
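The two procedures above (RADIUS groups and Windows NT groups) rely on the same naming convention: the group the external server reports is mapped to a SmartDashboard group with a fixed prefix, and a rule whose Source is that group applies to the generic user. The following Python is an added example, not Check Point code, that applies those rules to a constructed RADIUS reply and NT group list; the property names add_radius_groups, radius_groups_attr and add_nt_groups are from the guide, while the attribute values, group names and rule are constructed.

```python
"""Group names VPN-1/FireWall-1 expects for users that exist only on a RADIUS
server or in a Windows NT domain.

Added example, not Check Point code. A RADIUS user is placed in the
SmartDashboard group "RAD_<value>", where <value> is the reply attribute
named by radius_groups_attr (Class by default); an NT user is placed in
"NT_<NT group>". Neither happens unless add_radius_groups / add_nt_groups
is true. Reply attributes, OS groups and the rule are constructed.
"""


def radius_groups(props, reply_attrs):
    """props: the relevant firewall_properties values. reply_attrs: (name, value)
    pairs from the RADIUS Access-Accept. Returns the SmartDashboard group names."""
    if not props.get("add_radius_groups", False):
        return set()
    attr = props.get("radius_groups_attr", "Class")
    # A reply may carry several instances of the attribute; each one is a group.
    return {"RAD_" + value for name, value in reply_attrs if name == attr and value}


def nt_groups(props, os_groups):
    """os_groups: NT groups reported for the user on the Module host or in its
    trusted domain."""
    if not props.get("add_nt_groups", False):
        return set()
    return {"NT_" + g for g in os_groups}


def matching_rule_groups(rule_source_groups, user_groups):
    """Groups in a rule's Source that the user belongs to; empty means the rule
    does not apply. The SmartDashboard group may itself be empty: only its
    name is used for the match."""
    return sorted(set(rule_source_groups) & set(user_groups))
```

An empty `Class` value is ignored rather than mapped to the group `RAD_`, so a RADIUS server that sends the attribute without a value does not accidentally match a rule.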



CHAPTER 5

Network Objects

In This Chapter

Overview page 173


Network Objects page 180
Networks page 202
Domains page 203
Open Security Devices page 203
Embedded Devices page 208
Groups page 211
Logical Servers page 215
Address Ranges page 216
Gateway Clusters page 216
Dynamic Objects page 216

Overview
Network objects include gateways, hosts, routers, networks, switches, Logical Servers,
gateway clusters, domains and others. Before you can include a network object in a rule, you
must define it and its properties.
Network objects can be organized in hierarchical groups to form higher-level objects and
easier-to-read rules.
You do not have to define every object in your networks to VPN-1/FireWall-1 — only those
objects that are used in the Rule Base. For example, if a rule refers to a network, you must
define the network, but it’s not necessary to define every host in the network.


Adding, Editing and Deleting a Network Object


There are several methods of adding, editing or deleting a network object. Whichever method
you use, if you are creating or editing a network object, then the appropriate window for that
object will be displayed, for example, the Check Point Properties window ( on page 182) or
the Network Properties window, etc.
FIGURE 5-1 VPN-1/FireWall-1 SmartDashboard window
(Callouts in the figure: the toolbars; the Security Policy, Address Translation, Desktop
Security, WebAccess and Quality of Service Policy tabs; the VPN Manager tab; the SmartMap;
details of the objects selected in the Objects Tree are displayed in the Objects List.)
These methods are:


• from the objects tree (see “From the Objects Tree” on page 175)
• from the objects list (see “From the Objects List” on page 175)
• from the Rule Base (see “From the Rule Base” on page 175)
• from the menu (see “From the Menu” on page 175)
• from the toolbar (see “From the Toolbar” on page 175)
• from the SmartMap (see Chapter 16, “SmartMap”)


From the Objects Tree


To create a new network object from the objects tree (see FIGURE 5-1), right click in the
tree, choose New in the menu and select the type of object to create (see TABLE 5-1 on
page 176 for a list of objects).
Alternatively, you can right click any object in the tree and the menu will display a New
entry appropriate to that object type, for example New Gateway.

Note - If you choose Show from the Network Objects menu while an object in the tree is
selected, the SmartMap will be scrolled so that the object is visible.

To edit or delete an existing object, right click the object in the tree and choose Edit or
Delete from the menu, as appropriate.

From the Objects List


To edit or delete an existing object, right click the object in the list (see FIGURE 5-1 on
page 174) and choose Edit or Delete from the menu, as desired.

From the Rule Base


See “Editing a Network Object from the Rule Base” on page 178 for more information.

From the Menu


Choose Network Objects from the Manage menu. See “Editing a Network Object from the
Network Object Manager” on page 175 for more information.

From the Toolbar


Select from the toolbar. See “Editing a Network Object from the Network Object
Manager” on page 175 for more information.

Editing a Network Object from the Network Object Manager


To define a network object from the Network Object Manager, open the Network Objects
window by:
• choosing Network Objects from the Manage menu, or
• selecting from the toolbar.

Creating a New Object


To create a new object, click New. A menu is displayed that lists the types of objects you can
create.


Choose a type from the displayed menu. A window is displayed prompting you to enter the
properties of the selected object type.
Note - If you opened the Network Objects window from the Rule Base, then the Add
Network Object menu displays the valid choices for the column from which it was
opened. These vary from column to column. For example, Logical Servers is a valid
choice under Destination but not under Source. On the other hand, if you opened the
Network Objects window from the menu or from the toolbar, then all the possible
choices are displayed in the Add Network Object menu.

TABLE 5-1 summarizes the available options.

TABLE 5-1 Object Types

to create an object of type...   see
Check Point                      “Network Objects” on page 180
Node                             “Network Objects” on page 180
Interoperable Device             “Network Objects” on page 180
Network                          “Networks” on page 202
Domain                           “Domains” on page 203
OSE Device                       “Open Security Devices” on page 203
Embedded Device                  “Embedded Devices” on page 208
Group                            “Groups” on page 211
Logical server                   “Logical Servers” on page 215
Address range                    “Address Ranges” on page 216
Dynamic object                   “Dynamic Objects” on page 216
VoIP Domain                      Chapter 6, “VoIP (Voice Over IP)” of Check Point FireWall-1 Guide

Editing an Object
To edit an object, select the object and click Edit, or double-click the object.
You can also edit an object from the SmartDashboard (see “Editing a Network Object from the
Rule Base” on page 178).
If the IP addresses of network objects have been modified or new ones added since the GUI was
invoked, restart the GUI to refresh the GUI’s internal cache of addresses. Network objects that
have already been defined are not affected. If their properties have been edited, however,
updated data will be retrieved.

Deleting an Object
To delete an object, select the object and click Remove.


Finding Where an Object is Used


To display where an object is used in the Security Policy, proceed as follows:
1 Right-click the object in the tree.
2 Select Where Used ...
The Objects tab of the References window is displayed.
An object (for example, My Intranet) is not removable (that is, it cannot be deleted) if it is pre-
defined.
The Objects tab shows where the selected object is used in or by other objects.
The Rulebases tab shows in which Rule Bases the object is used.
The Queries tab shows the queries in which this object is a parameter.

Note - The Reference window is non-modal; that is, you can leave it open while you
continue to work with the SmartDashboard. If you make changes that affect the Reference
window, you can update the display to reflect the changes by clicking Refresh.

Filtering Network Objects


To filter the network objects (that is, to specify criteria for searching the defined network
objects), click More >> (to the right of the Show drop-down menu). The Refined Filter section
of the Network Objects window is displayed.
FIGURE 5-2 Add Object Refined Filter Options


TABLE 5-2 summarizes the available options.

TABLE 5-2 Refined Filter Options

create a filter of type...   ... to get the following results
Any (no filter)              All network objects will be shown in the left pane.
Duplicates                   Show objects that have the same IP address.
IP / interface mismatch      Show gateways whose main IP does not match the interfaces defined
                             in the Topology page (see “Check Point window — Topology Page”).
Search by IP                 Show network objects matching specific IP addresses, using * as a
                             wildcard (199.*.*.*).
Search by Name               Show network objects matching a specific string, using * as a
                             wildcard (johnnyBG***).
Search network               Show network objects matching specific IP addresses and netmasks,
                             using * as a wildcard (199.123.*.* and 255.*.*.*).
Sub networks                 Show networks according to their inclusion relations (networks
                             contained in other networks).
Unused objects               Show objects created but not referenced anywhere.
To close the Refined Filter section of the Network Objects window, click << Less.

When the results of your filter are displayed, you can group them by checking Define query
results as group.

Editing a Network Object from the Rule Base


To edit a network object from the Rule Base, proceed as follows:
1 Right click a rule’s Source or Destination in the SmartDashboard.
The Object menu is displayed.
The items that appear in the Object menu depend on whether you right clicked in the Source
or Destination column.
2 Choose one of the menu items.
Add — Open the Network Objects window.
You can either select an existing network object, or create a new network object by
clicking on New.
Add User Access — Open the User Access window.


For information about users, see Chapter 4, “Managing Users and Administrators.”
Edit — Open the appropriate Edit Object window for this object.
Delete — Delete the object(s) from the rule.
Negate — Negate the object(s) in the rule.
For example, if a rule’s Source is a host network object named monk, then the rule applies
when the communication’s Source is monk. However, if you negate monk, then the rule
applies when the communication’s Source is not monk.
You cannot negate individual objects. For example, if two hosts are given as a rule’s
Source, then you can negate both of them or none of them, but not just one of them.

Cut — Delete the object(s) from the rule and put the object on the clipboard.
Copy — Copy the object(s) to the clipboard.
Paste — Paste the object(s) on the Clipboard into the rule at this point.
The objects displayed depend on what you have selected from the Show drop-down list.

Note - Click More >> to display the Refined Filter section of the Network Objects
window, in which you can specify criteria for searching the defined network objects. For
more information, see “Filtering Network Objects” on page 177.

To add an existing network object to a rule, select the object from the list box and click OK.
The selected object is added to the rule and the Network Objects window is closed.
To create a new object and add that object to the rule, click New.

TABLE 5-3 Network Object Actions

for a description of how to...          ... see
create a network object                 “Creating a New Object” on page 175
edit a network object                   “Editing an Object” on page 176
delete a network object                 “Deleting an Object” on page 176
build view filters on network objects   “Filtering Network Objects” on page 177
The new network object is added to the rule in which you began this procedure. For example,
if you right clicked in a rule’s Destination, then the new object is added to the rule’s
Destination.


Network Objects

In This Section

Network Object Types page 181


Check Point window — General Page page 182
Communication window page 185
Check Point window — Topology Page page 186
Interface Properties Window page 188
Check Point window — NAT page page 192
Check Point window — VPN page page 195
Check Point window —Extranet page page 195
Check Point window — Account Unit page page 195
Check Point window — Additional Logging Configuration page page 197
Check Point window — Masters page page 197
Check Point window — Log Servers page page 198
Check Point window — Advanced page page 199
Check Point window — Capacity Optimization page page 199
Check Point window — SYNDefender page page 199
Check Point window — SMTP page page 200
Check Point window — SAM page page 200
Check Point window — Connection Persistence page page 201


Network Object Types


There are three types of network objects, summarized in TABLE 5-4.

TABLE 5-4 Network Object Types

Check Points — have Check Point software installed (see “Network Object Windows” on page 182):
  Gateway: a gateway managed by the SmartCenter Server on which you are now working
  Host: a host managed by the SmartCenter Server on which you are now working
  Gateway Cluster: a group of VPN/FireWall Module machines configured to provide failover
  services (see “Gateway Clusters” on page 216)
  Embedded Device: for example, a switch
  Externally Managed Gateway: a gateway not managed by the SmartCenter Server on which you
  are now working, but by another SmartCenter Server
  Externally Managed Host: a host not managed by the SmartCenter Server on which you are
  now working, but by another SmartCenter Server
Nodes — no Check Point software installed (see “Network Object Windows” on page 182):
  Gateway: a gateway managed by the SmartCenter Server on which you are now working
  Host: a host managed by the SmartCenter Server on which you are now working
Interoperable Devices — no Check Point software installed (see “Network Object Windows” on
page 182): devices that participate in VPNs with Check Point objects

Note - The example windows in this section are those of a Check Point gateway object. The
windows for other types of objects are similar except for the title and the name of the
window.

Changing a Network Object’s Type


To change a network object’s type (for example, from a gateway to a host) right-click the object
in the tree and select the Convert option from the menu.
The Convert option’s name changes in accordance with the selected object and the possibilities.

Note - Not all conversions are possible. For example, it is not possible to convert an
externally managed gateway to an internally managed gateway.

Network Object Windows


The windows shown in the following sections are used for different network object types. As
such, the different versions have different names as well as different trees in the left pane. The
meaning of the fields is the same in all versions of these windows, except if noted otherwise in
the detailed descriptions that follow.

Check Point window — General Page


Name — the Check Point object’s name


The name given here should be identical to the resolvable name (hostname) that appears in the
OS environment, as given in TABLE 5-5. If you use a non-resolvable name, then Get address
may not work.

TABLE 5-5 Default File Locations and Names

Unix Windows NT and 2000


/etc/hosts %SYSTEMDIR%\system32\drivers\etc\hosts
/etc/networks %SYSTEMDIR%\system32\drivers\etc\networks

In Windows NT and 2000, you can determine the hostname’s IP address as follows:
• In the Control Panel, click Network > Bindings and select all protocols. The first
protocol listed in the binding order determines the hostname’s IP address. The order for
TCP/IP and WINS should be consistent.
• The first entry in the output of the ipconfig command shows the hostname’s IP
address.
If NIS is being used, VPN-1/FireWall-1 automatically retrieves the information from the NIS.
If the network object is one that can respond to a Unix hostname command, use the name
returned by that command. The IP address is the one shown by the command grep hostname
/etc/hosts.

IP Address — the object’s IP address


You can get the IP address of previously defined network objects from the database of
network objects by clicking on Get address.
Note -
• The IP address can be dynamically assigned (for example, for gateways with dial-up
connections). See Dynamic Address below.
• For a gateway, the IP Address field in the Check Point window must specify the
gateway’s external interface. If you fail to do so, IKE encryption will not function
properly.
• It is recommended that you list network objects in the hosts files in addition to
defining them in the VPN-1/FireWall-1 database.

Get address— Click this button to resolve the object’s name to an IP address, using the files
in TABLE 5-5 on page 183.
Dynamic Address — Specifies that the network object’s IP address is dynamically assigned (for
example, for gateways with dial-up connections).
A SmartCenter Server cannot install a Policy on a Module with a dynamic IP address, because
the SmartCenter Server cannot “find” the Module. For the same reason, the Module cannot
terminate a VPN tunnel.
If you check Dynamic Address for an existing network object, the following message will be
displayed:


FIGURE 5-3 Warning Message

If Dynamic Address is checked, you must specify how frequently a Policy should be fetched
from the SmartCenter Server in the Masters page of the Check Point Properties window
(see “Check Point window — Masters page” on page 197).
Comment — Enter a descriptive comment to be displayed when this object is selected in the
Object list and in the Network Objects window.
Color — Select the color in which this object will be displayed in the GUI.
Check Point Products — Specifies the Check Point products installed on this network object,
and their version numbers.
The SmartDashboard installs a Policy on a network object compatible with the Module
version on the network object.
Depending on the products installed, different pages become available in the Check Point
Properties window.

Secure Internal Communication — Available if a Check Point Module is installed on the


network object. A Check Point Module will only be able to communicate with the
SmartCenter Server or with other Check Point Modules when Secure Internal Communication
has been successfully configured on both the SmartCenter Server and on the Module.
Communication — Configure the Check Point Module object on the SmartCenter Server for
Secure Internal Communication. Click this button to open the Communication window
(FIGURE 5-4 on page 185).
DN — The Distinguished Name (or “SIC name”) of the Module. The DN represents the
identity of the Module, and is an internal, read-only value. It exists when a certificate has been
issued for this Module.


Communication Window
FIGURE 5-4 Communication window

The Communication window is used to:


• initialize secure communication between the SmartCenter Server and the Check Point
Module machine
• test SIC Status
• reset the Trust State of the Module
Activation Key— Enter the same Activation Key as is used in the Module configuration. This
is a one-time password whose only purpose is to set up a secure link which is used to deliver a
certificate to the Module.
Trust state—Trust is established only after a certificate has been issued by the Internal
Certificate Authority on the SmartCenter Server, and delivered to the Module.
If a Module is Initialized or Reset, the Trust state of the Module as reported in cpconfig may
be different than the Trust state reported at the SmartDashboard.
Note the difference between the Trust state and the output of the Test SIC Status button in
the SmartDashboard Communication window of the Module: The Trust state reflects the
situation after Module initialization, that is, when an activation key is exchanged and certificate
is sent to the Module. In contrast, Test SIC Status reflects the SIC status after the Module has
the certificate.
The Trust State, as reported in the Secure Internal Communication window of cpconfig and in the
Communication window of the SmartDashboard, can be in one of three states:
• Uninitialized —The Module is not initialized and therefore cannot communicate because it
has not received a certificate from the Internal Certificate Authority on the SmartCenter
Server.
• Initialized but trust not established —


At the Module, in cpconfig, in the Secure Internal Communication window, this means
that a one-time password has been typed in but the Module has not yet received a certificate
from the Internal Certificate Authority on the SmartCenter Server.
In the SmartDashboard in the Communication window, this means that a certificate has
been issued to this Module but has not been delivered, so trust (secure communication)
cannot yet be established.
• Trust established — The trust between the Module and the SmartCenter Server has been
established. The Module can communicate securely.
Initialize — For an uninitialized Module, create a certificate and send it to the Module. If
successful, the Module state will change to Trust established.
For an initialized Module, send the certificate to the Module. If successful, the Module state will
change to Trust established.
For details, see “Enabling Communication between Modules” on page 99 of the Check Point
Getting Started Guide or page 49 of the Check Point SmartCenter Guide.
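The three trust states, the reason the Module (cpconfig) and the SmartCenter Server (Communication window) can report different states between Initialize and certificate delivery, and what Test SIC Status and Reset do afterwards are modelled in the following Python. This is an added example, not Check Point code; the Module and SmartCenter classes, the method names and the form of the generated DN are assumptions, and the activation key is treated as a one-time password that is consumed on successful delivery.

```python
"""SIC trust state as seen from the Module (cpconfig) and from the SmartCenter
Server (SmartDashboard Communication window).

Added example, not Check Point code. It models the three trust states the
guide lists, why the two sides can report different states between
Initialize and certificate delivery, and what Test SIC Status returns once
a certificate has been revoked by Reset. The activation key is a one-time
password: it is consumed when the certificate is delivered, and a wrong key
changes nothing. Class and method names and the DN format are assumed.
"""
import secrets

UNINITIALIZED = "Uninitialized"
INITIALIZED = "Initialized but trust not established"
TRUSTED = "Trust established"


class Module:
    """The Check Point Module side (what cpconfig reports)."""
    def __init__(self):
        self.state, self.activation_key, self.cert = UNINITIALIZED, None, None

    def set_activation_key(self, key):
        # Typed in cpconfig: a one-time password, but no certificate yet.
        self.activation_key, self.state = key, INITIALIZED

    def receive_certificate(self, key, cert):
        if self.activation_key is None or not secrets.compare_digest(self.activation_key, key):
            return False                    # key mismatch or key already used: nothing changes
        self.activation_key = None          # one-time password consumed
        self.cert, self.state = cert, TRUSTED
        return True

    def reset(self):
        self.state, self.activation_key, self.cert = UNINITIALIZED, None, None


class SmartCenter:
    """The SmartCenter Server side (what the Communication window reports)."""
    def __init__(self):
        self.state, self.dn, self.cert, self.revoked = UNINITIALIZED, None, None, set()

    def initialize(self, module, key, deliver=True):
        """Initialize button: issue a certificate for an uninitialized Module and
        try to deliver it; for an initialized Module only deliver it."""
        if self.cert is None:
            self.dn = "CN=%s" % secrets.token_hex(4)    # SIC name; format assumed
            self.cert = (self.dn, secrets.token_hex(16))
            self.state = INITIALIZED
        if deliver and module.receive_certificate(key, self.cert):
            self.state = TRUSTED
        return self.state

    def test_sic_status(self, module, link_up=True):
        """Test SIC Status button, meaningful once trust was established."""
        if not link_up:
            return "Unknown"                 # no connection to the peer
        if module.cert is None or module.cert[0] in self.revoked or module.cert[0] != self.dn:
            return "Not Communicating"       # SIC problem, e.g. a revoked certificate
        return "Communicating"

    def reset(self):
        """Reset button: revoke the certificate and delete the DN."""
        if self.dn is not None:
            self.revoked.add(self.dn)
        self.state, self.dn, self.cert = UNINITIALIZED, None, None
```

Note that after `SmartCenter.reset()` the Module still reports Trust established until it is reset in cpconfig as well, which is exactly the disagreement between the two views that the text warns about; Test SIC Status is the check that exposes it.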
Test SIC Status — opens a SIC connection with the Module, and reports on the current
communication status of the Module, after trust has been established for the first time with the
SmartCenter Server. The SIC Status can be either: Communicating, Unknown (when there's no
connection to peer) or Not Communicating (when there's a SIC problem). If the SIC Status is
Not Communicating an error message will give a reason for the failure and may suggest a
remedy.
Reset — Reset the Module back to the uninitialized state by revoking its certificate and
deleting its DN (or “SIC name”).
For more information, see “Secure Internal Communications for Distributed Configurations”
on page 46 of the Check Point SmartCenter Guide.
Close — Close the window.

Check Point window — Topology Page

Automatic Topology Discovery and Definition


Get Topology — Retrieve the network interfaces information for this network object and
display it in this window.
The Get Topology button is the recommended way to define interfaces.
Warning - If you do not define all of the object’s interfaces, or if you define them
incorrectly, anti-spoofing may not be properly defined, the Security Policy may be
incorrectly enforced, and communication with the module may be disabled. Using Get
Topology will help you ensure that the topology is correctly defined, but you must
confirm the results of the topology discovery process.

If you click Get Topology, VPN-1/FireWall-1 automatically calculates the network object’s
topology based on its routing tables and displays the results in the Get Topology Results window
(FIGURE 5-5).


FIGURE 5-5 Get Topology Results window

You should confirm that the information displayed in the Get Topology Results window is
correct.
Some of the objects displayed in the Get Topology Results window are network objects already
defined in the VPN-1/FireWall-1 database, but others may not already be defined (for example,
networks; see the diagram in FIGURE 5-5). These are identified by their colors in the diagram.
Refer to the legend in the bottom left corner of the Get Topology Results window.
If you click Accept, then VPN-1/FireWall-1 will:
• automatically define network objects that are not yet defined in the VPN-1/FireWall-1
database, and
• define the network object’s topology as displayed in the Get Topology Results window
• overwrite any topology information already defined for the network object that is different
from the information in the Get Topology Results Topology window (but existing
information that is consistent with or complements the information in the Get Topology
Results Topology window will not be overwritten).

Manual Topology Definition


To add an interface, click Add. The Interface Properties window (FIGURE 5-6) is displayed.
To edit an interface, select the interface and click Edit or double-click the interface. The
Interface Properties window (FIGURE 5-6) is displayed.

To delete an interface, select the interface and click Remove.


Interface Properties Window


The Interface Properties window (FIGURE 5-6) enables you to provide information about
additional connections to a network object. It is essential to understand the difference between
a network object and its interfaces.
A single network object can have many network interfaces; that is, one network object may be
connected to numerous networks. Each interface has its own IP address and net mask.
You can use the Get Topology button (in the Topology page of the Check Point
Properties window) to fetch interface data automatically.

Warning - If the VPN/FireWall Module has the capability of automatically sensing that a
new interface has been installed, then the new interface will not have a Security Policy
installed on it (including anti-spoofing). To prevent this from happening, you must first
define the interface for the object in the SmartDashboard, including its anti-spoofing
properties, install the Security Policy and only then install the physical interface.

Interface Properties window — General Tab


FIGURE 5-6 General tab — Interface Properties window


Name — name of the network interface as specified in the interface configuration scheme of the
host, gateway, or router; for example, lo0 for loopback; le0 for Ethernet interface; sl0 for serial
interface 0, etc.

To obtain the correct name and IP address of the interface:


platform       command
UNIX           ifconfig -a
Windows NT     ipconfig /all
Windows 2000   • Use the command ipconfig /all to obtain the IP address and MAC address
                 of the interface, then
               • Use the command route print to obtain the name and MAC address of the
                 interface.

Warning - If you do not specify the exact interface names as given in the OS, anti-spoofing
will not function properly.

IP Address — the interface’s IP address
See “IP Address” on page 183.
Net Mask — Specify the interface’s net mask.

Interface Properties window — Topology Tab


FIGURE 5-7 Topology tab — Interface Properties window


External (leads out to the Internet) — Check this box if the interface connects the network
object to the Internet.
Internal (leads to the local network) — Check this box if the interface connects the network
object to the internal (local) network.
IP addresses behind this interface — Specify the IP addresses behind this interface, as
follows:
Not Defined — If you choose this option, then:
• There will be no anti-spoofing defined for this interface.
• This interface and the IP addresses behind it (if any) will not be included in this
object’s VPN domain.
This option is not recommended.
Based on interface’s IP address and Net Mask — VPN-1/FireWall-1 will calculate the
topology based on IP address and Network mask defined for the interface.
Specific — Specify the object(s), usually a network or a group, behind this interface.
For information about anti-spoofing, see “Anti-Spoofing” on page 190.
Perform Anti-Spoofing based on interface topology — VPN-1/FireWall-1 will perform
anti-spoofing based on the interface’s topology as defined in the Topology tab (FIGURE 5-7 on
page 189).
If IP addresses behind this interface is set to Not Defined, then no anti-spoofing will be
performed. For information about anti-spoofing, see “Anti-Spoofing” on page 190.

Note - Do not define anti-spoofing for virtual interfaces, because anti-spoofing has no
meaning in that context.

Spoof Tracking — Spoofed packets are always dropped, but you can specify an additional
action to be taken by selecting one of the following options:
None — No additional action is taken.
Log — The spoofing attempt is logged.
Alert — The action specified for popup alerts in the Alert Commands page of the Global
Properties window is taken (see Chapter 7, “Global Properties”).

Anti-Spoofing

Spoofing is a technique where an intruder attempts to gain unauthorized access by altering a
packet’s IP address to make it appear as though the packet originated in a part of the network
with higher access privileges. For example, a packet originating on the Internet may be disguised
as a local packet. If undetected, this packet might then have unrestricted access to internal
networks.


By implementing anti-spoofing, you can defend your network against these attacks by defining
the addresses that are considered valid on each interface.
When anti-spoofing is specified, an implicit anti-spoof rule is generated, which comes first in
the Security Policy Rule Base (even before properties specified as First in the FireWall-1
Implied Rules page of the Global Properties window).

Anti-spoofing examines the source IP address for incoming packets (entering a gateway) and
determines whether the IP address is valid for that interface.

Note - In versions of VPN-1/FireWall-1 prior to Version NG FP2, anti-spoofing also
examined the destination IP address for outgoing packets (leaving a gateway).

An interface’s “valid addresses” are the IP addresses behind the interface, as defined in the
Topology tab (FIGURE 5-7 on page 189):
• A packet whose source IP address is a valid address is allowed to enter the network object
through the interface.
• A packet whose source IP address is not a valid address is not allowed to enter the network
object through the interface.

Anti-Spoofing Example

Consider the network depicted in FIGURE 5-8.


FIGURE 5-8 Anti-Spoof Example Configuration (the Gateway has three interfaces: le2 on the
private side leads to localnet, le1 leads to the DMZ (HTTP, FTP, etc.), and le0 on the public
side leads through a router to the Internet)


The valid addresses for each of the interfaces are as follows:

TABLE 5-6 Valid Addresses for each interface

interface   valid addresses
le2         Only IP addresses in localnet are valid (that is, any packets entering the
            network object through this interface must have source addresses in localnet).
            A packet with any other source IP address is spoofed.
le1         Only IP addresses in DMZ are valid (that is, any packets entering the network
            object through this interface must have source addresses in DMZ). A packet with
            any other source IP address is spoofed.
le0         This interface faces the Internet, so all IP addresses (except the valid
            addresses of the other interfaces) are valid source addresses. A packet with a
            source IP address belonging to DMZ or to localnet is spoofed.
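The following Python model is an added example, not Check Point code, of the implicit anti-spoof rule that TABLE 5-6 describes. The FIGURE 5-8 topology names localnet and DMZ but gives no addresses, so the networks, the sample packets and the per-interface Spoof Tracking settings below are constructed. It also covers the two cases the Topology tab discussion adds: an interface whose IP addresses behind this interface is Not Defined (no anti-spoof rule at all) and the None / Log / Alert tracking choice for dropped packets.

```python
# Added example (not Check Point's code): a model of the per-interface
# anti-spoofing check, using constructed addresses for the FIGURE 5-8
# topology (localnet behind le2, DMZ behind le1, Internet on le0).
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Interface:
    """One interface as configured on the Topology tab of Interface Properties."""
    name: str
    external: bool                      # "External (leads out to the Internet)"
    behind: List[ipaddress.IPv4Network] = field(default_factory=list)  # "IP addresses behind this interface"
    anti_spoofing: bool = True          # "Perform Anti-Spoofing based on interface topology"
    spoof_tracking: str = "Log"         # "None", "Log" or "Alert"


# Constructed sample networks; FIGURE 5-8 names them but gives no addresses.
LOCALNET = ipaddress.ip_network("10.1.0.0/16")
DMZ = ipaddress.ip_network("192.0.2.0/24")

GATEWAY = [
    Interface("le2", external=False, behind=[LOCALNET]),
    Interface("le1", external=False, behind=[DMZ], spoof_tracking="Alert"),
    Interface("le0", external=True),    # Internet side: everything not behind le1/le2 is valid
]


def valid_source(src: ipaddress.IPv4Address, iface: Interface,
                 gateway: List[Interface]) -> bool:
    """TABLE 5-6: may a packet with source src enter the gateway through iface?"""
    if iface.external:
        # All addresses are valid except those behind the other interfaces.
        return not any(src in net
                       for other in gateway if other is not iface
                       for net in other.behind)
    # Internal interface: only the addresses behind it are valid.
    return any(src in net for net in iface.behind)


def inspect(src: str, in_iface: str,
            gateway: List[Interface] = GATEWAY) -> Tuple[str, Optional[str]]:
    """Apply the implicit anti-spoof rule to one inbound packet.

    Returns (action, tracking): action is "pass" (the packet goes on to the
    Rule Base) or "drop"; tracking is None, "log" or "alert".
    """
    iface = next(i for i in gateway if i.name == in_iface)
    # Anti-spoofing off, or "IP addresses behind this interface" Not Defined:
    # there is no implicit anti-spoof rule for this interface at all.
    if not iface.anti_spoofing or (not iface.external and not iface.behind):
        return ("pass", None)
    if valid_source(ipaddress.ip_address(src), iface, gateway):
        return ("pass", None)
    # Spoofed packets are always dropped; Spoof Tracking only adds a log or alert.
    tracking = {"None": None, "Log": "log", "Alert": "alert"}[iface.spoof_tracking]
    return ("drop", tracking)


# Constructed sample traffic: (source IP, interface the packet arrives on).
SAMPLE = [
    ("10.1.5.9", "le2"),     # localnet host on the localnet interface: valid
    ("192.0.2.10", "le2"),   # DMZ address arriving on the localnet interface: spoofed
    ("192.0.2.10", "le1"),   # DMZ host on the DMZ interface: valid
    ("203.0.113.7", "le0"),  # Internet address on the external interface: valid
    ("10.1.5.9", "le0"),     # localnet address arriving from the Internet: spoofed
]


def run(sample=SAMPLE):
    """Inspect every sample packet; returns [(src, iface, action, tracking), ...]."""
    return [(src, iface, *inspect(src, iface)) for src, iface in sample]


if __name__ == "__main__":
    for src, iface, action, tracking in run():
        extra = f" ({tracking})" if tracking else ""
        print(f"{src:<13} via {iface}: {action}{extra}")
```

A "pass" result only means the packet survived the anti-spoof rule; the ordinary Rule Base is still applied afterwards, exactly as the implicit rule precedes the Rule Base in the text.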

Interface Properties window — QoS (Quality of Service) Tab


FIGURE 5-9 QoS (Quality of Service) tab — Interface Properties window

See FloodGate-1 Administration Guide for information about this tab.

Check Point window — NAT page


This page specifies the parameters for automatically generated Address Translation rules for the
network object.


For information about automatically generated Address Translation rules, see “Generating
Address Translation Rules Automatically” on page 87 of Check Point FireWall-1 Guide.

IP Pools
Use IP Pool NAT for SecuRemote/SecureClient connections — Use IP Pools for
SecuRemote/SecureClient connections.
Use IP Pool NAT for gateway to gateway connections — Use IP Pools for gateway to
gateway connections.
Allocate IP Pool Addresses from — Select the network object (an Address Range, network or
a group of one of these objects) whose IP addresses will serve as the IP Pool’s IP addresses.
Return unused IP addresses to Pool after — Set the time period during which an IP Pool
address will remain assigned even after all open connections have ended.
For information about IP pools, see “Multiple Entry Point (MEP) Example Configuration” on
page 169 of Check Point Virtual Private Networks.
For information about hiding behind IP address 0.0.0.0, see “Hiding Behind 0.0.0.0” on page
75 of Check Point FireWall-1 Guide.

Classic Mode
In classic mode (when VPN Communities are not used), IP Pools will be used only if both of
the following conditions are true:
• The rule specifies that IP Pools are to be used.
• The connection matches the checked Use IP Pool NAT parameter above.
For example, if the rule describes a SecuRemote/SecureClient connection and Use IP Pool
NAT for SecuRemote/SecureClient connections is checked, the IP Pools will be used. If
Use IP Pool NAT for SecuRemote/SecureClient connections is not checked, then IP
Pools will not be used.

Communities
In VPN Communities, there are no encryption rules, so only the parameters in the window are
relevant.

Office Mode
This feature allows the organization to assign IP addresses used in its operational network to
SecuRemote/SecureClient users. The mechanism is based on an IKE protocol extension that
enables sending IP addresses during the IKE negotiation.
Never offer Office Mode — The gateway’s IKE negotiation with a SecuRemote/SecureClient
user will not include the offer to use Office Mode.
Offer Office Mode to group — The gateway will offer Office Mode only to members of the
group selected from the drop-down list.


Always offer Office Mode — Office Mode will be offered to any SecuRemote/SecureClient
user that initiates the IKE negotiation with the gateway.

Check Point window — UserAuthority page


UserAuthority Network Object — enter the Network Object which has UA installed on it
UserAuthority Service — default is 19191
UserAuthority server authentication type — default is sslca, meaning each side has a
certificate; none means no certificate is required.
Action taken for URL external — default is reject
If a URL entering your site doesn’t belong to any of your websites, what should be done with
it? The default is to reject the URL. Selecting accept lets the URL pass to the Web server.
Selecting redirect enables the Redirect URL to window.
Redirect URL to — define the location to which external URLs that do not meet the condition
you specify are directed.
Advanced — clicking the Advanced button opens the Advanced window.
Limits and Timeouts — general limits and timeouts for UA WebAccess: buffer size, server
timeout and session timeout.
Maximal client request buffer size — default is 128 kilobytes; the minimum is 0 and there is
no maximum. Sets how much information flows in at a time. It is added to minimize the
possibility of overflow.
Communication to UserAuthority Server timeout — default is 5000 milliseconds (5 seconds).
Sets how long to wait for an answer from the UserAuthority Server.
HTTP session timeout — default is 900 seconds (15 minutes). Sets how long information is
kept in a cookie before it is deleted.
SSL — this section defines how to treat Secure Sockets Layer (SSL) connections.
SSL redirection methodology — redirect to the original URL via HTTPS (default) or to another
URL. Selecting redirect to page enables the Redirect to window.
Redirect to — define the location to which SSL URLs are directed.
Windows Groups — allows for the use and definition of Windows groups.
Get Windows group data for Windows users — if selected, group names will be obtained
from Windows.
Windows domain controller — select a UA Server on a domain controller.

Case Sensitivity: Case sensitive naming conventions for URLs — check to allow for the use of
case sensitive naming conventions for URLs.

Check Point window — VPN page


This window specifies a network object’s VPN parameters. For additional information regarding
VPN-1/FireWall-1’s VPN feature, see Check Point Virtual Private Networks.
To add a certificate for the network object, click Add.

Note - Before adding certificates, you must first create a CA (Certificate Authority) Server
object (see Chapter 3, “Certificate Authorities” of Check Point Virtual Private Networks).

Check Point window — Extranet page


For additional information regarding Extranets, see Check Point Virtual Private Networks.

Check Point Properties Window — Authentication page


The Authentication page is available only when VPN-1 & FireWall-1 Installed is checked on
the General page (FIGURE 5-6 on page 188).
Check the authentication schemes that are enforced on this gateway. A user for whom another
authentication scheme is defined will not be allowed access through this gateway.
For additional information regarding VPN-1/FireWall-1’s Authentication features, see
Chapter 3, “Authentication” of Check Point FireWall-1 Guide.

Check Point window — Account Unit page


The Account Unit page is available only when both of the following conditions are true:
• VPN-1 & FireWall-1 Installed is checked in the General page of the Check Point
Properties window (page 182).
• Use LDAP account management is checked in the LDAP page of the Global Properties
window (page 283).
For information about Account Units, see Chapter 10, “Server Objects and OPSEC
Applications.”
Display list of Distinguished Names (DNs) for matching UIDs on login — If this option is
checked, when logging in the user can choose the User ID that matches his/her distinguished
name. This is useful in cases where there are multiple users with the same User ID.
Timeout on LDAP requests — The LDAP query request will be dropped after the amount of
time determined (cannot exceed the TCP session timeout).
All (default priorities located in the Account Unit’s General tab) — If checked, VPN-
1/FireWall-1 queries all LDAP servers.


Selected Account Unit’s list (order implies priority) — If checked, a list box with Available
AUs will appear.
Choose the Account Units to be queried and add them to the Selected AUs list box by
selecting an Account unit and clicking the Add button. To remove an Account Unit from the
list, select the Account Unit and click Remove.
The following options will appear only if Selected AU list is selected.
Available AU’s — displays the list of available Account Units that will not be queried.
Selected AU’s — displays the list of Account Units that will be queried.
Query servers sequentially (by Account Unit’s priorities) — If checked, VPN-1/FireWall-1
will query the LDAP servers in the sequence of their priorities.

Check Point window — Logs and Masters page

Local Log Files


Log switch when file is — Switch logs (that is, close the current log file and start a new one)
when the current log file reaches the size specified in the corresponding field.
Schedule log switch to — Switch logs on a pre-determined schedule, according to the selected
time object specified in the corresponding field.

Disk Space Management


Measure free disk space in — select how you want to measure free disk space. The options are:
• MBytes
• Percent
Required free disk space — the amount of free disk space that is required on the machine
Do not delete log files from the last — If the machine has run out of disk space, and log files
need to be deleted to restore the necessary disk space, do not delete log files from the last
number of days specified.

Advanced Settings
Alert when free disk space is below — Issue an alert when the available disk space falls below
the number specified in the corresponding field.
Alert type — Select the type of alert to issue in the corresponding field.
Stop logging when free disk space is below — Stop saving log records on the local machine
when the available disk space falls below the specified number. Log records are saved locally
when the connection to the SmartCenter Server is unavailable.
Reject all connections when logs are not saved — If enabled, then connections are rejected
if they cannot be logged.
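To make the interplay of the Disk Space Management and Advanced Settings fields concrete, here is an added Python model; it is not Check Point code and the log files, sizes, dates and thresholds in it are constructed. The deletion planner applies Required free disk space together with Do not delete log files from the last N days, and the connection decision shows how Stop logging when free disk space is below and Reject all connections when logs are not saved combine when the SmartCenter Server is unreachable.

```python
# Added example (not Check Point's code): a model of the Disk Space Management
# and Advanced Settings thresholds on the Logs and Masters page, with
# constructed log files and policy values.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class LogFile:
    name: str
    size_mb: int
    closed: date                 # day the file was closed by a log switch


@dataclass
class DiskPolicy:
    required_free_mb: int        # "Required free disk space"
    keep_days: int               # "Do not delete log files from the last ... days"
    alert_below_mb: int          # "Alert when free disk space is below"
    stop_logging_below_mb: int   # "Stop logging when free disk space is below"
    reject_when_not_logged: bool # "Reject all connections when logs are not saved"


def plan_deletions(files: List[LogFile], free_mb: int, policy: DiskPolicy,
                   today: date) -> Tuple[List[str], int]:
    """Pick log files to delete, oldest first, until the required free space is
    restored. Files closed within the last keep_days are never candidates, so
    the shortfall may remain. Returns (names to delete, free space afterwards)."""
    cutoff = today - timedelta(days=policy.keep_days)
    victims: List[str] = []
    for f in sorted(files, key=lambda f: f.closed):
        if free_mb >= policy.required_free_mb:
            break
        if f.closed >= cutoff:
            continue             # protected by "Do not delete log files from the last N days"
        victims.append(f.name)
        free_mb += f.size_mb
    return victims, free_mb


def needs_alert(free_mb: int, policy: DiskPolicy) -> bool:
    """'Alert when free disk space is below' threshold (alert type not modelled)."""
    return free_mb < policy.alert_below_mb


def connection_decision(free_mb: int, server_reachable: bool,
                        policy: DiskPolicy) -> Tuple[str, bool]:
    """Where a new connection's log record goes and whether the connection is
    allowed. Returns (destination, accepted); destination is "server", "local"
    or "none"."""
    if server_reachable:
        return ("server", True)
    # Records are kept locally only while free space is above the stop-logging threshold.
    if free_mb >= policy.stop_logging_below_mb:
        return ("local", True)
    # Nothing can be logged: "Reject all connections when logs are not saved" decides.
    return ("none", not policy.reject_when_not_logged)


# Constructed sample data.
POLICY = DiskPolicy(required_free_mb=600, keep_days=7, alert_below_mb=300,
                    stop_logging_below_mb=100, reject_when_not_logged=True)
FILES = [
    LogFile("2002-08-01_000000.log", 300, date(2002, 8, 1)),
    LogFile("2002-08-15_000000.log", 250, date(2002, 8, 15)),
    LogFile("2002-09-01_000000.log", 200, date(2002, 9, 1)),
    LogFile("2002-09-10_000000.log", 150, date(2002, 9, 10)),
]
TODAY = date(2002, 9, 12)

if __name__ == "__main__":
    print(plan_deletions(FILES, 100, POLICY, TODAY))
    print(needs_alert(100, POLICY), connection_decision(50, False, POLICY))
```

The protected-files rule is the one worth noticing: when everything old enough has already been deleted, the planner stops short of the required free space rather than touching recent files, which is exactly when the alert and stop-logging thresholds matter.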


Check Point window — Additional Logging Configuration page

Log Forwarding Settings


Forward log files to SmartCenter Server — Select the SmartCenter Server to which to
forward local log files.
Log files are written locally when the connections to all the Log Servers defined in the Log
Servers page of the Check Point Properties window are unavailable. The local log file is
then forwarded to the specified SmartCenter Server according to Log forwarding schedule.
Log forwarding scheduler — Forward local log files to the SmartCenter Server specified in
Forward log files to SmartCenter Server according to the pre-determined schedule
specified by the selected time object (scheduled event).
See “Scheduled Events” on page 351 for information about scheduled events.
Perform log switch before log forwarding — Switch logs (that is, close the current log file
and start a new one) before forwarding local log files to the SmartCenter Server.

Advanced Settings
Update Account Log every — The frequency at which the Accounting log is updated.
Accounting updates are sent while a connection is open. The counters (packets, bytes, etc.) are
reset when the update is sent, so each update includes the differences (delta) since the last
update.
Turn on QoS logging — Log QoS related events.
See Check Point FloodGate-1 Guide for information about QoS (Quality of Service).

Check Point window — Masters page


A Module’s Master is a SmartCenter Server authorized to download a Policy to the Module.
For example, a VPN/FireWall Module’s Master is the SmartCenter Server authorized to
download a Security Policy to the VPN/FireWall Module.
To add a Master to the list, click Add and add the Master in the Add Masters window.
To delete a Master from the list, select the Master and click Remove.

To change the sequence, use the Up and Down buttons.


If a Module must fetch a Policy, for example, after a reboot, it attempts to fetch the Policy
from the Masters in the list one after the other, until it succeeds.
Dynamic Address Node Fetch Policy — This field applies to DAIP (Dynamically Assigned IP
Address) Modules, and specifies how the DAIP Module fetches its Policy from the SmartCenter
Server.
For information about DAIP Modules, see Chapter 14, “Dynamically Assigned IP Addresses.”
Select one of the following:


Manually — Fetch this DAIP Module’s Policy manually (see “Installing a Policy” on page 482).
Scheduled Event — Fetch this DAIP Module’s Policy on a pre-determined schedule, according
to the selected time object (scheduled event).
See “Scheduled Events” on page 351 for information about scheduled events.
It is recommended that you install a DAIP Module’s first Policy manually, even if you plan to
automatically update it using a scheduled event.

Check Point window — Log Servers page


Use local definitions for Log Servers — This network object will send logs to the Log
Servers specified in its local MASTERS file rather than those specified in this window.
Select this option for backward compatibility with previous versions of VPN-1/FireWall-1.
Define Log Servers — This network object will send logs to the Log Servers specified below.
Send logs to this node — If checked, this network object will send log records to itself (that
is, it will log locally) in addition to any Log Servers specified below.
Always send logs to — Specify the Log Servers to which this network object will send logs or
alerts.
Check Logs and/or Alerts to specify what to send to the selected Log Server.
To add a server to the list, click Add and add the log server to the Selected Log Servers list in
the Add Logging Servers window (FIGURE 5-10).

FIGURE 5-10 Add Logging Servers window

To delete a logging server from the list, select the server in the Log Servers page of the
Check Point Properties window and click Remove.

When a Log Server is unreachable, send logs to — If one of the Log Servers listed above is
unreachable (that is, the network object cannot connect to the Log Server), then send logs to
the first server in this list that is reachable.
To add a Log Server to the list, click Add and add the log server in the Add Logging Servers
window.


To delete a Log Server from the list, select the Log Server and click Remove.

To change the sequence, use the Up and Down buttons.

Check Point window — Advanced page


sysName — the object’s name
sysLocation — the object’s location
sysContact —the name of a contact person
Get — You can use this button to retrieve information about this network object and display it
in this window.
Set — Set the object’s properties to those shown in this window.
Read Community — the community with read permission for this object
Write Community — the community with write permission for this object

Check Point window — Capacity Optimization page

Capacity Optimization
These settings enable you to optimize resource usage on the FireWall Module. It is
recommended that you do not alter these settings from their defaults unless there is a
specific issue you need to address. Keep in mind that resources can be allocated to one task only
at some cost to other tasks.
Maximum concurrent connections — The maximum number of concurrent connections the
FireWall Module will support.
Calculate connections hash table size and memory pool — Choose either Automatically
(recommended) or Manually.

If you choose Manually, then you can specify the following options:
Connections hash table size — the size of the connections hash table
A larger table reduces collisions, but uses more memory.
Memory pool size — the initial size of the memory pool
Maximum memory pool size — the maximum size of the memory pool
Restore defaults — Click to reset the above values to their defaults.

Check Point window — SYNDefender page


The SYNDefender page defines the parameters of the VPN-1/FireWall-1 SYNDefender feature,
which protects against SYN attacks.
For information about SYNDefender, including guidelines for its deployment, see the Check
Point FireWall-1 Guide.


Method — Choose one of the following:
• None — SYNDefender is not deployed.
If you choose this option, your network will not be protected from SYN attacks.
• SYN Relay — Deploy the SYN Relay method.
• Passive SYN Gateway — Deploy the Passive SYN Gateway method.

Timeout for SYN attack identification — Specifies how long SYNDefender waits for an
acknowledgment before concluding that the connection is a SYN attack.
Maximum Sessions — Specifies the maximum number of protected sessions.
This parameter is relevant only if Passive SYN Gateway is selected under Method. If SYN
Relay is selected, all sessions are protected.

This parameter specifies the number of entries in an internal connection table maintained by
SYNDefender. If the table is full, SYNDefender will not examine new connections.
If you change this value, the new value will take effect as follows:
• IBM AIX — The new value takes effect after you install the Security Policy, stop and
restart the FireWall/VPN Module.
• All other platforms — The new value takes effect after you install the Security Policy
and reboot.
Display Warning Messages — If set, SYNDefender will print console messages regarding its
status.

Check Point window — SMTP page


These properties must be set if this network object uses the SMTP Security Server (that is, if
this network object enforces a Security Policy rule that uses an SMTP Resource).
For information about the fields in this window, see TABLE 4-4 on page 216 of Check Point
FireWall-1 Guide.

Check Point window — SAM page


Forward SAM clients’ requests to other SAM Servers — Use this option to change the mode
of the SAM Server on this Check Point Gateway from agent to proxy. A SAM proxy forwards
SAM requests from a SAM client to other SAM Servers on other Check Point Gateways. A
SmartCenter Server is always a proxy.
If there are DAIP Modules in the network, it is not recommended to configure a Check Point
Gateway as a SAM Proxy.
Use backwards compatibility mode — to configure the communication between a SAM
proxy server (typically the connecting management), and this VPN-1/FireWall-1 Module.
If both the SAM proxy server and the VPN-1/FireWall-1 Module are of version 4.1 or lower,
check this box, and choose the authentication (or encryption and authentication) method.


If the SAM proxy server is of version 4.1 or lower, and this Module is upgraded to NG, the
configuration will be done automatically as follows:
• the configuration parameters will be taken from the fwopsec.conf file (present on this
Module prior to the upgrade) and
• the appropriate backward compatibility mode will be selected.
If both the SAM proxy server and this Module are of version NG, do not check this option.
Purge SAM file when it reaches KBytes — Limits the size of the SAM log file on the Module.
The minimum size is 50 KB. The SAM file includes all requests sent to the Module including
obsolete requests. Purging these obsolete requests from the file restores disk space.

Check Point window — Connection Persistence page


Define what to do with connections that are open when a Policy is installed. For details of how
FireWall-1 handles existing connections, see “Connection Persistence during a new Policy
installation” on page 339.
Keep all connections — Keep all control and data connections open until the connections have
ended. The newly installed Policy will be enforced only for new connections.
Keep Data Connections — Keep all data connections open until the connections have ended.
Control connections that are not allowed under the new Policy will be terminated.
Rematch Policy — All connections not allowed under the new Policy will be terminated, unless
the Keep connections open after policy has been installed is enabled in the service’s
Properties window (see, for example, FIGURE 6-2 on page 222).

Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page.

SofaWare-SmartDashboard Integration
SofaWare devices can now be integrated and easily managed via SmartDashboard:
SofaWare gateways can be managed by SmartCenter Management.
• Manage SofaWare devices in Enterprise environments by creating SofaWare Profiles and
adding them to your Security Policy and/or to your VPN.
• Manage SofaWare devices in ISP environments by configuring security levels and assigning
the proper level for a SofaWare Device at runtime, with no need to reinstall the policy.
From Network Objects select a gateway. Select Robo gateway profile and double-click
Sofaware.
Name — the name of the SofaWare gateway profile.
Comment — include free text

From Network Objects select a gateway. Select Safe@Gateway.


Name — the name of the SofaWare gateway.
IP Address — type a specific IP Address or check dynamic address. The IP Address complies
with the Rule Base on the SmartDashboard and with VPN.
Comment — include free text
Type — hardware device of the SofaWare gateway
SofaWare profile — choose a SofaWare gateway profile
Password — can be generated
Product key — the license of the product
MAC Address — the address of the data link layer of the SofaWare hardware
VPN Enabled — if checked, enables VPN operation
Externally managed gateway — an external management for SofaWare gateways

Networks

In This Section
• Network Properties Window — General Tab, page 202
• Network Properties Window — NAT (Address Translation) Tab, page 203

Network Properties Window — General Tab


Name — the network’s name
IP Address — the network’s IP address
For networks, the host portion of the IP address is ignored, so it is best to enter the network
address as x.y.z.0 (for a class C network).
See “IP Address” on page 183.
Net Mask — see “Net Mask” on page 189.
Comment — This text is displayed on the bottom of the Network Object window when this
object is selected.
Color — Select a color from the drop-down list.
Broadcasts Address — Specifies whether to consider the network’s broadcast IP address as
being in the network.
If this is set to Included, then in rules which allow access (that is, rules whose Action is
neither Reject nor Drop) and in which this network object is either the Source or the
Destination, the last address in the network is considered to be part of the network.


Network Properties Window — NAT (Address Translation) Tab


This window specifies the parameters for automatically generated Address Translation rules for
the network object.
For information about automatically generated Address Translation rules, see “Generating
Address Translation Rules Automatically” on page 87.

Domains

Domain Properties Window


Name — the domain’s name
Domain names begin with a period (“.”). For example, “.moon.com” is a domain name.
Comment — This text is displayed on the bottom of the Network Object window when this
object is selected.
Color — Select a color from the drop-down list.

Using Domain Objects in a Rule


When a domain object is used in a rule’s Source or Destination, the VPN-1/FireWall-1
Inspection Module must determine whether the packet’s IP address belongs to the domain by
reverse resolving the address. VPN-1/FireWall-1 then confirms the reverse resolution by
resolving the domain name.
The first time a rule containing a domain object is applied to a specific IP address, there is a
slight delay while the Inspection Module reverse resolves the IP address. The resolved address is
then stored in a local cache, so the delay occurs only once per IP address.
In order to minimize these delays, it is recommended that rules containing domain objects
should be positioned as far down as possible in the Rule Base.
Note - VPN-1/FireWall-1 reverse resolves the IP address using DNS. Because
VPN-1/FireWall-1’s decision on whether to allow a communication depends on the
information received from the DNS, it is imperative that you ensure you are using a
trusted DNS.
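The resolution sequence described above (reverse-resolve the address, then confirm the answer by forward-resolving the name, then cache the result per IP address) is shown here as an added Python example; it is not Check Point code and the PTR and A records are constructed stand-ins for a DNS query. The unconfirmed case, a PTR answer whose name does not resolve back to the same address, is the one the note's warning about trusting DNS is about: without the forward check, whoever controls the reverse zone for an address could place it in any domain.

```python
# Added example (not Check Point's code): forward-confirmed reverse DNS
# matching for a domain object, with the per-address cache the text
# describes. The records below are constructed; a real check would query
# the system resolver instead.
from typing import Callable, Dict, List, Optional

PTR_RECORDS: Dict[str, str] = {             # constructed reverse (PTR) data
    "198.51.100.5": "www.moon.com",
    "198.51.100.6": "mail.moon.com",        # claims .moon.com, but see A_RECORDS
    "203.0.113.9": "host.example.net",
}
A_RECORDS: Dict[str, List[str]] = {         # constructed forward (A) data
    "www.moon.com": ["198.51.100.5"],
    "mail.moon.com": ["198.51.100.77"],     # does not point back at .6: unconfirmed
    "host.example.net": ["203.0.113.9"],
}


def reverse_lookup(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> List[str]:
    return A_RECORDS.get(name, [])


class DomainMatcher:
    """Decides whether an IP address belongs to a domain object such as ".moon.com"."""

    def __init__(self, reverse: Callable[[str], Optional[str]] = reverse_lookup,
                 forward: Callable[[str], List[str]] = forward_lookup):
        self._reverse = reverse
        self._forward = forward
        self._cache: Dict[str, Optional[str]] = {}   # ip -> confirmed name, or None
        self.lookups = 0                              # how often DNS was actually consulted

    def confirmed_name(self, ip: str) -> Optional[str]:
        """Reverse-resolve ip, then confirm the answer by resolving the name
        forward again; only a name that maps back to ip is trusted. The result
        (including a failed confirmation) is cached, so the delay is paid once."""
        if ip in self._cache:
            return self._cache[ip]
        self.lookups += 1
        name = self._reverse(ip)
        confirmed = name if name and ip in self._forward(name) else None
        self._cache[ip] = confirmed
        return confirmed

    def matches(self, ip: str, domain: str) -> bool:
        """True if ip belongs to domain. Domain names begin with a period, so
        "www.moon.com" matches ".moon.com" while "evilmoon.com" does not."""
        if not domain.startswith("."):
            raise ValueError("domain object names must begin with a period")
        name = self.confirmed_name(ip)
        return name is not None and name.lower().endswith(domain.lower())


if __name__ == "__main__":
    m = DomainMatcher()
    for ip in ("198.51.100.5", "198.51.100.6", "203.0.113.9", "198.51.100.5"):
        print(ip, m.matches(ip, ".moon.com"), "lookups so far:", m.lookups)
```

The lookups counter makes the cache behaviour visible: the fourth query repeats the first address and costs no new resolution, which is the once-per-IP delay the text describes.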

Open Security Devices

In This Section
• Overview, page 204
• OSE Device Properties Window — General Tab, page 204
• OSE Device Properties Window — Topology Tab, page 205
• Defining Router Anti-Spoofing Properties, page 206


Overview
A VPN-1/FireWall-1 enforcement point is a machine or device that enforces at least some part
of the Security Policy. An enforcement point can be a Check Point object (see “Network
Objects” on page 180), router, switch or any machine that can be managed by a SmartCenter
Server by installing a Security Policy or Access List.
VPN-1/FireWall-1 includes the following types of enforcement points:
• Open Security Extension Devices (OSE)
• Embedded Devices

Open Security Extension (OSE) Devices


The Open Security Extension feature enables VPN-1/FireWall-1 to manage third-party Open
Security Extension (OSE) devices. The number of managed devices depends on your license.
Devices include hardware and software packet filters. VPN-1/FireWall-1 also supports hardware
security devices which provide routing and additional security features, such as Network Address
Translation and Authentication. Security devices are managed in the Security Policy as
Embedded Devices. The SmartCenter Server generates Access Lists from the Security Policy and
downloads them to the selected routers and open security devices. VPN-1/FireWall-1 supports
the devices shown in TABLE 5-7:

TABLE 5-7 VPN-1/FireWall-1 Supported OSE Devices

OSE Device       Supported Versions
Cisco Systems    9.x, 10.x, 11.x, 12.x
Bay RS           7.x, 8.x, 9.x, 10.x, 11.x, 12.x
3Com             9.x, 10.x, 11.x

OSE Device Properties Window — General Tab


Name — the name of the OSE device
The name given here should be identical to the name as it appears in the system database on
the server.
IP Address — the device’s IP address
Get Address — click this button to resolve the name to an address

Note - It is recommended that you list OSE device objects in your hosts (Unix) and
lmhosts (Windows) files in addition to defining them in the VPN-1/FireWall-1 database.

Comment — This text is displayed on the bottom of the Network Object window when this
object is selected.


Color — Select a color from the drop-down list. The OSE device will be represented in the
color selected, throughout the SmartMap for easier user tracking and management.
Type — choose one of the following from the drop-down menu:
• Cisco Systems
• Nortel
• 3Com

OSE Device Properties Window — Topology Tab


OSE devices report their network interfaces and setup at boot time. Each OSE device has a
different command for listing its configuration.

Note - At least one interface must be defined in the Topology tab or Install Policy will fail.

Show all IPs behind gateway — Show all IP Addresses behind the device in the SmartMap
View.
To add an interface, click Add. The Interface Properties window (FIGURE 5-6 on page 188)
is displayed.
To edit an interface, select the interface and click Edit, or double-click the interface. The
Interface Properties window (FIGURE 5-12 on page 210) is displayed.

To delete an interface, select the interface and click Remove.

The manner in which names are specified for OSE device interfaces is different from the manner
in which they are specified for interfaces of other network objects.
Name — name of the network interface as specified in the router’s interface configuration
scheme
This name does not include a trailing number.
For information regarding the other fields in the Interface Properties window for routers, see
“Interface Properties Window” on page 188.
IP Address — the device’s IP address
See “IP Address” on page 183.
Net Mask — see “Net Mask” on page 189.
Exportable for SecuRemote/SecureClient — Specifies whether information about this object
can be made available to SecuRemote/SecureClient machines.
For information about SecuRemote, see Chapter 1, “VPN-1 SecuRemote Server,” of Check
Point Desktop Security Guide.

Defining Router Anti-Spoofing Properties


The Interface Properties window allows you to define router anti-spoofing parameters when
installing Access Lists on routers. The Interface Properties window is almost identical to the
Interface Properties window for network objects (FIGURE 5-6 on page 188). For more
information on spoofing, see “Anti-Spoofing” on page 190.
Note - To implement anti-spoofing for 3Com and Cisco (version 10.x and higher), you
must define additional properties in the Setup tab of each router after you define the
Valid Addresses in the Interfaces Properties window. For more information, see
“Anti-spoofing Parameters and OSE Devices Setup (Cisco, Nortel and 3Com)” on page 206.

Note - Logging for spoofing attempts is available for external interfaces only.

Anti-spoofing Parameters and OSE Devices Setup (Cisco, Nortel and 3Com)
For Cisco (Version 10.x and higher), Nortel and 3Com OSE devices, you must specify the
direction of the filter rules generated from anti-spoofing parameters. The direction of
enforcement is specified in the Setup tab of each router.
For Cisco routers, the direction of enforcement is defined by the Spoof Rules Interface
Direction property.

Access List No — the number of Cisco access lists enforced


Cisco routers Version 12.x and below support an ACL number range from 101-200. Cisco
routers Version 12.x and above support an ACL number range from 101-200 and also an ACL
number range from 2000-2699. Entering an ACL number from this second range enables the
support of more interfaces.
Username — the name required to log on to the OSE device
Password — the Administrator password (Read only) as defined on the router
Enable Username — the user name required to install Access Lists
Enable Password — the password required to install Access Lists
The security administrator must select one of the following options from the drop-down list
for the above Username and Password fields (this includes the Enable fields):
None — Indicates the parameter is not needed.
Known — the value of the parameter must be entered.
Prompt — Indicates that the security administrator will be prompted for this parameter.
Version — the Cisco OSE device version (9.x, 10.x, 11.x, 12.x)

OSE Device Interface Direction — Installed rules are enforced on data packets traveling in this
direction on all interfaces.
Spoof Rules Interface Direction — The spoof tracking rules are enforced on data packets
traveling in this direction on all interfaces.
Security — The security administrator must select either none, Wellfleet or Other from the
drop-down list.
Password — the password to access the OSE device
Additional Managers — additional managers as defined in the Bay Site Manager software
Volume — the volume on the OSE device
Config File — name of the config file on the OSE device
Version — the version of the OSE device (7.x, 8.x, 9.x, 10.x, 11.x, or 12.x)
For 3Com routers, the direction of enforcement is defined by the Interface Direction: Spoof
Rules property.

OSE Device Access

Username — the name required to log on to the OSE device


Password — the password to access the OSE device
Manager Password — password required to connect to the OSE device
Interface Directions

Rules — the direction in which the rules are enforced on the OSE device interfaces
Spoof Rules — the direction in which spoof rules are enforced on each OSE device interface
Service Independent Filters — Service independent filters are 3Com specific filters
implemented by 3Com routers. The OSE device simply activates or deactivates these filters.
Refer to the specific 3Com router documentation for complete information for these service
independent filters.
To activate these filters, you must select any of the following:
Deny Route Recording — Specifies whether or not the received packet should be dropped if
the record-route option is present in the IP header.
Deny Src Routing — Specifies whether or not the received packet should be dropped if the
source-route option is present in the IP header.
Deny Tiny Fragments — Specifies whether tiny TCP fragment checks (RFC1858) are
performed.
Deny Time Stamping — Specifies whether or not the received packet should be dropped if
the time-stamp option is present in the IP header.
Deny IP — Specifies whether or not IP tunnel packets are allowed. IP tunnel packets are IP-
over-IP encapsulation.

Deny SrcSpoofing (3Com) — Specifies whether packets are subject to source-spoofing checks.
Generate ICMP Errors — For denied packets, this option specifies whether or not the OSE
Device should generate ICMP destination administratively unreachable messages (ICMP type
13).
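The following is an added example, not code from this guide, from Check Point or from 3Com, showing what the Deny checks above amount to on the wire: a small IPv4 header parser that walks the options list, and a filter that drops a packet when an enabled check fires. The option type codes and the two RFC 1858 fragment rules come from the RFCs; the setting names, the packet builder and the sample packets are constructed for this example, and the ICMP error generation is left out.

```python
from __future__ import annotations
import struct
from ipaddress import IPv4Address

# IPv4 option type codes (RFC 791): record-route, timestamp, loose and strict source-route
OPT_EOL, OPT_NOP, OPT_RR, OPT_TS, OPT_LSRR, OPT_SSRR = 0, 1, 7, 68, 131, 137
PROTO_IPIP, PROTO_TCP = 4, 6      # IANA protocol numbers for IP-in-IP and TCP
TMIN_TCP = 16                     # RFC 1858: a first fragment shorter than this cannot carry the TCP flags


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the IPv4 header and walk its options list; raise ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version or header length")
    options, i = [], 20
    while i < ihl:
        kind = pkt[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("malformed option")
        options.append(kind)
        i += pkt[i + 1]
    return {"proto": proto, "frag_offset": (flags_frag & 0x1FFF) * 8, "options": options,
            "payload": pkt[ihl:], "src": IPv4Address(src), "dst": IPv4Address(dst)}


def service_independent_filter(pkt: bytes, deny: dict) -> tuple[bool, str]:
    """Apply the enabled Deny checks to one packet. Returns (dropped, reason)."""
    hdr = parse_ipv4(pkt)
    opts = hdr["options"]
    if deny.get("route_recording") and OPT_RR in opts:
        return True, "record-route option present"
    if deny.get("src_routing") and (OPT_LSRR in opts or OPT_SSRR in opts):
        return True, "source-route option present"
    if deny.get("time_stamping") and OPT_TS in opts:
        return True, "timestamp option present"
    if deny.get("ip") and hdr["proto"] == PROTO_IPIP:
        return True, "IP-over-IP tunnel packet"
    if deny.get("tiny_fragments") and hdr["proto"] == PROTO_TCP:
        # RFC 1858: a first fragment too short to hold the TCP flags, or a second fragment
        # at offset 8 that could overwrite them, is dropped
        if hdr["frag_offset"] == 0 and len(hdr["payload"]) < TMIN_TCP:
            return True, "tiny first fragment (RFC 1858)"
        if hdr["frag_offset"] == 8:
            return True, "overlapping second fragment (RFC 1858)"
    return False, "accepted"


def build_ipv4(proto, payload, options=b"", frag_offset=0, more_fragments=False):
    """Constructed test packet: minimal IPv4 header (checksum left at zero) plus options and payload."""
    options += b"\x00" * (-len(options) % 4)          # options are padded to a 32-bit boundary
    ihl = (20 + len(options)) // 4
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload), 1,
                      flags_frag, 64, proto, 0,
                      IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.20").packed)
    return hdr + options + payload


DENY_ALL = {k: True for k in ("route_recording", "src_routing", "time_stamping", "tiny_fragments", "ip")}

SAMPLES = {  # constructed packets, one per check
    "plain_tcp": build_ipv4(PROTO_TCP, b"\x00" * 20),
    "record_route": build_ipv4(PROTO_TCP, b"\x00" * 20, options=bytes([OPT_RR, 7, 4]) + b"\x00" * 4),
    "loose_source_route": build_ipv4(PROTO_TCP, b"\x00" * 20, options=bytes([OPT_LSRR, 7, 4]) + b"\x00" * 4),
    "timestamp": build_ipv4(PROTO_TCP, b"\x00" * 20, options=bytes([OPT_TS, 8, 5, 0]) + b"\x00" * 4),
    "ip_in_ip": build_ipv4(PROTO_IPIP, b"\x00" * 20),
    "tiny_fragment": build_ipv4(PROTO_TCP, b"\x00" * 8, more_fragments=True),
    "second_fragment_offset_8": build_ipv4(PROTO_TCP, b"\x00" * 8, frag_offset=8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:26s} -> {service_independent_filter(pkt, DENY_ALL)}")
```

With an empty `deny` dict every sample passes, which mirrors a router on which none of the filters has been activated; the verdict string says which check fired, which is the information a log entry for a denied packet needs.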

Embedded Devices

In This Section

Overview page 208


Embedded Devices window — General tab page 208
Embedded Device Properties — Topology tab page 209
Interface Properties Window — Topology Tab page 210
Embedded Device Properties — NAT tab page 211

Overview
Embedded devices include machines or hardware devices on which a VPN/FireWall Module or
an Inspection Module is installed.
VPN-1/FireWall-1 supports the following platforms and VPN-1/FireWall-1 features, as shown
in TABLE 5-8 below:

TABLE 5-8 Supported Embedded Devices

Embedded Device Platform    VPN-1/FireWall-1 features supported
Ramp                        Anti-spoofing, Logs and Alerts, Time Objects
Xylan                       Anti-spoofing, Logs and Alerts, Time Objects

Embedded Devices window — General tab


Name — the name of the Embedded Device
IP Address — the device’s IP address
Comment — This text is displayed on the bottom of the Network Object window when this
object is selected.
Color — Select a color from the drop-down list.
Type — choose one of the following vendors from the drop-down list:
• Nokia IP5x
• Xylan

VPN-1 & FireWall-1 Installed — Specifies whether a VPN/FireWall Module or Inspection Module
is loaded on this object. Select the Version from the drop-down list, or click the Get button
to fetch the correct version number.
Licensing — Select the Licensing Type from the drop-down list.
External Interface — This field applies to Xylan only. Define the interface that leads out to
the Internet.

Embedded Device Properties — Topology tab


For complete topology configuration information, see “Interface Properties Window —
Topology tab” on page 134.
For both the Nokia IP5x and Xylan platforms, topology Interface Properties must be defined.
Otherwise, Install Policy will fail.

Interface Properties Window — General Tab


FIGURE 5-11 Interface Properties — General tab

Name — name of the network interface as specified in the interface configuration scheme of the
device

Warning - If you do not specify the exact interface name, anti-spoofing will not function
properly.

IP Address — the interface’s IP address

See “IP Address” on page 183.

Net Mask — Specify the interface’s net mask.

Interface Properties Window — Topology Tab


FIGURE 5-12 Interface Properties — Topology tab

External (leads out to the Internet) — Anti-spoofing will be enabled based on the interface
topology and the security administrator must select one of the Spoof Tracking options as
defined in “Spoof Tracking” on page 163.
Internal (leads into the local network) — Anti-spoofing will be enabled based on the interface
topology and the security administrator must select one of the Spoof Tracking options as
defined in “Spoof Tracking” on page 163 only if This Network or Specific is selected.
IP Addresses behind Internal Interfaces:

Not Defined — IP addresses are not defined behind the internal interface and anti-spoofing is
not enabled.
Based on interface’s IP address and Net Mask — IP addresses are defined based on the IP
address and Net Mask of the interface.
Specific — Specifies a specific IP address behind internal interface from the drop-down menu.
For information regarding anti-spoofing configuration, see “Check Point window — Topology
Page” on page 186.
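As an added illustration, not the product's own algorithm, the check below encodes the three choices for IP Addresses behind Internal Interfaces in a small Python topology model: an internal interface's valid sources are the networks defined behind it (either derived from its IP address and Net Mask, or listed as Specific), Not Defined disables the check on that interface, and, as an assumption of this example, the external interface rejects any source that belongs behind an internal interface. The interface names and addresses are constructed.

```python
from ipaddress import ip_address, ip_network


class Interface:
    """One gateway interface and the topology the security administrator defined for it.

    external: True for 'External (leads out to the Internet)'.
    behind:   for an internal interface, the networks behind it; None means 'Not Defined',
              in which case anti-spoofing is not enabled on that interface.
    """
    def __init__(self, name, external=False, behind=None):
        self.name = name
        self.external = external
        self.behind = None if behind is None else [ip_network(n) for n in behind]


def network_from_interface(ip, mask):
    """'Based on interface's IP address and Net Mask': the network directly behind the interface."""
    return str(ip_network(f"{ip}/{mask}", strict=False))


def internal_networks(topology):
    """Every network that lies behind some internal interface with defined addresses."""
    return [n for i in topology if not i.external and i.behind for n in i.behind]


def spoof_check(topology, iface_name, src):
    """Return (spoofed, reason) for a packet with source `src` arriving on `iface_name`.

    Assumed semantics of this example: on an internal interface the source must lie in one
    of the networks defined behind it; on the external interface the source must not belong
    to any internal network.
    """
    iface = next(i for i in topology if i.name == iface_name)
    src = ip_address(src)
    if iface.external:
        hit = [n for n in internal_networks(topology) if src in n]
        if hit:
            return True, f"internal address {src} ({hit[0]}) arrived on external interface {iface.name}"
        return False, "ok"
    if iface.behind is None:
        return False, "anti-spoofing not enabled (IP addresses behind interface not defined)"
    if any(src in n for n in iface.behind):
        return False, "ok"
    return True, f"{src} is not behind internal interface {iface.name}"


# Constructed topology (example values, not taken from the guide)
TOPOLOGY = [
    Interface("eth0", external=True),
    Interface("eth1", behind=[network_from_interface("10.1.1.1", "255.255.255.0")]),  # IP address and Net Mask
    Interface("eth2", behind=["10.2.0.0/16", "192.168.5.0/24"]),                      # Specific
    Interface("eth3"),                                                                # Not Defined
]

if __name__ == "__main__":
    for iface, src in [("eth0", "10.1.1.7"), ("eth0", "203.0.113.5"), ("eth1", "10.2.3.4"), ("eth3", "203.0.113.5")]:
        print(iface, src, spoof_check(TOPOLOGY, iface, src))
```

The `reason` string is what a Spoof Tracking Log or Alert entry would carry; the example leaves the tracking action itself to the caller.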

Embedded Device Properties — SNMP Tab


sysName — the device’s name

sysLocation — the device’s location


sysContact — the name of a contact person
Get — You can use this button to retrieve information about this device and display it in this
window.
Set — Set the device’s properties to those shown in this window.
Read Community — the community with read permission for this device
Write Community — the community with write permission for this device

Embedded Device Properties — NAT tab


For information on NAT configuration, see Chapter 2, “Network Address Translation (NAT)” of
Check Point FireWall-1 Guide.

Groups
You can simplify the Rule Base by defining a group of network objects and using the group in
rules. To create a new group, proceed as follows:
1 In the Network Objects window, click New.

2 From the menu, select Group.

3 From the sub menu, select the type of group to create.


There are three types of groups:
• Simple Group — see “Simple Group” on page 211
• Group with Exclusion — see “Group with Exclusion” on page 213
• UAS High Availability Group — see “UAS High Availability Group” on page 215

Simple Group
Add objects to a simple group using the Group Properties window (FIGURE 5-13 on
page 212).

FIGURE 5-13 Group Properties window

Adding an Object to a Simple Group


In the left listbox (labeled Not in Group), select the objects you wish to include in the group.
Use the Add button to add individual objects and to add groups to the group.

Note - To define a new object directly from this window, click New. A menu will be
displayed from which you can select the type of object to create. When you finish defining
the object, you will return to this window.

You add a group to another group in one of two ways:


1) You can individually add all the objects in one group to another group, without nesting.
Click Yes in reply to the question in the window (FIGURE 5-14).
2) You can nest groups inside groups to create a group hierarchy of any desired complexity.
Click No in reply to the question in the window (FIGURE 5-14).
FIGURE 5-14 Adding a Group to a Group

If you nest groups, you can see a nested group’s members by selecting the group in the right
listbox (labeled In Group) and clicking View expanded group (FIGURE 5-15).

FIGURE 5-15 Viewing an Expanded Group

Deleting an Object from a Simple Group


Select the objects to be deleted from the right listbox (labeled In Group), and then click
Remove.

Group with Exclusion

Creating a Group with an Exclusion


Topology may be structured in such a manner that one network seems to be entirely within
another network. For example, in FIGURE 5-16 B is entirely contained within A. It is possible
to define a group that consists of all the objects in a network, except for certain objects, that is,
to define a group “A minus B”, where A and B are networks. This group can be used to define
encryption domains.
FIGURE 5-16 Group with exclusion (network B contained within network A)

To create a Group with Exclusion object, proceed as follows:

1 Select Group with Exclusion from the Group Objects menu (see “Networks” on page
202).
The Group with Exclusion window is displayed.
2 Define the outer group, as well as the inner group to be excluded.
FIGURE 5-17 Specifying a group with an exclusion

• the outer group (selected from the drop-down list) can be a group or ANY,
• the inner group (selected from the drop-down list)

Viewing Groups with an Exclusion


Select View in the Group with an Exclusion window to display the contents of each selected
group within the Group with an Exclusion object. For example, in FIGURE 5-18 group A_1
consists of Net and Net.
FIGURE 5-18 View Groups window

Showing Group with an Exclusion Objects in the SmartMap View


For SmartMap!
By selecting Show in the Group with an Exclusion window, you can display either of the
selected groups (see FIGURE 5-17) in the SmartMap View.
Objects shown in the SmartMap View are highlighted in red.

UAS High Availability Group


FIGURE 5-19 UAS High Availability Group window

Logical Servers
A Logical Server is a group of machines that provide the same services, and which are treated as
a group among whose members a workload is distributed.
FIGURE 5-20 Logical Server Properties window

Address Ranges

Address Range Properties Window — General Tab


An Address Range object is a range of IP Addresses.
Name — the Address Range’s name
First IP address — the first (low) IP address in the range
Last IP address — the last (high) IP address in the range
Comment — Enter a descriptive comment to be displayed when this Address Range is selected
in the Object list and in the Network Objects window.
Color — Select the color in which this Address Range will be displayed in the GUI.

Address Range Properties Window — NAT Tab


This window specifies the parameters for automatically generated NAT (Network Address
Translation) rules for the Address Range.
For information about automatically generated NAT rules, see “Generating Address Translation
Rules Automatically” on page 87 of Check Point FireWall-1 Guide.

Gateway Clusters
A gateway cluster is a group of VPN/FireWall Module machines configured to provide failover
services.
Gateway clusters are configured in the Gateway Cluster Properties window.
The VPN, Authentication, Masters and Log Servers pages of the Gateway Cluster Properties
window are identical to the corresponding pages in the Check Point Properties window. For
information on these pages, see “Network Objects” on page 180.
The General Properties, Cluster Members, Topology, ClusterXL and Synchronization pages
of the Gateway Cluster Properties window are used in enabling Gateway High Availability.
For information on these pages, see Chapter 5, “ClusterXL” of Check Point FireWall-1 Guide.
Gateway clusters can also be used in setting up extranets. For information about the Extranet
page of the Gateway Cluster Properties window, see Chapter 13, “Extranet Management” of
Check Point Virtual Private Networks.

Dynamic Objects
A dynamic object is a “logical” object that will be resolved to an IP address differently on each
VPN/FireWall Module. A rule that uses this object will then be enforced on each
VPN/FireWall Module on different objects.
For example, an enterprise with several mail servers, each one in a different network and
protected by a different VPN/FireWall Module, can define a dynamic object called
“local_mailserver” and write a rule that refers to this object.

On each VPN/FireWall Module, the system administrator must run the dynamic_objects
command (see “dynamic_objects” on page 585) to specify the IP address to which the
“local_mailserver” object will be resolved on that VPN/FireWall Module.
FIGURE 5-21 Dynamic Object window — General Tab

Name — the dynamic object’s name


Comment — This text is displayed on the bottom of the Network Object window when this
object is selected.
Color — Select a color from the drop-down list.
Resolution Failure Tracking — Specify the action to be taken if the Module fails to resolve
the dynamic object.
None — No additional action is taken.
Log — The resolution failure is logged.
Alert — The action specified for popup alerts in the Alert Commands page of the Global
Properties window is taken (see Chapter 7, “Global Properties”).


CHAPTER 6

Services and Resources

In This Chapter

Defining Services page 220


TCP Service Properties page 221
Compound TCP Service Properties page 223
FTP Service (ftp-pasv and ftp-port) page 224
UDP Service Properties page 224
RPC Service Properties page 226
ICMP Service Properties page 228
User Defined (or “Other”) Service Properties page 228
DCE-RPC Service Properties page 230
Service Group Properties page 231
Resources page 232
URI Resources page 233
URI for QoS Definition window page 244
SMTP Resources page 245
FTP Resources page 250
TCP Resources page 252
CIFS Resources page 255

Services
VPN-1/FireWall-1 allows you to control access to a host, not only based on the source and
destination of each communication, but also according to the service requested. Services include
those based on TCP, UDP, RPC, and other protocols. Before you can use a service in a Rule
Base, you must first define its properties.

Note - For a list of services supported out-of-the-box by VPN-1/FireWall-1, see “List of
Supported TCP Services” on page 257.

Defining Services
Services are defined in the Services window. To define a service,
• choose Services from the Manage menu
The list box displays all currently defined services of the type in the Show box.
To view the properties defined for any existing service, double-click on its icon or name in the
list box, or select the service and click on Edit.

Creating a New Service


To create a new service, click on New. A menu appears, listing the types of services you can
create:
Choose a service type from the menu. A window appears prompting you to enter the properties
of the selected service type.

TABLE 6-1 Service Object Types

to create an object of type ...    see
TCP                                “TCP Service Properties”
Compound TCP                       “Compound TCP Service Properties”
UDP                                “UDP Service Properties”
RPC                                “RPC Service Properties”
ICMP                               “ICMP Service Properties”
Other                              “Other Service Properties”
DCE-RPC                            “DCE-RPC Service Properties”
Group                              “Group Service Properties”

Deleting a Service
Select the service in the Show box and click on Remove.

Modifying a Service
To modify an existing service, double-click on its icon or name in the list box, or select the
service and click on Edit.

Resources
FIGURE 6-1 depicts the relationship between services, protocol types and resources.
FIGURE 6-1 Services, Protocol Types and Resources (diagram: pre-defined and user-defined
services such as FTP and HTTP each belong to a protocol type; the protocol type, for example
SMTP or HTTP, is the Security Server that provides Authentication and/or Content Security for
the service; user-defined resources are attached to a protocol type)

TCP Service Properties


Name — the service’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
Select the desired color from the drop-down list.
Port — number of the destination port used to provide this service
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.

Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).

TABLE 6-2 Specifying a Port Number

to specify...                                   ... type                                             example
a port number                                   the port number                                      805
a range of port numbers                         the lower and upper limits, separated by a hyphen    800-899
all port numbers greater than a given number    > followed by the largest port number not included   > 799
all port numbers smaller than a given number    < followed by the smallest port number not included  < 800

Get — provides port resolving by retrieving the port number on the SmartCenter Server
Click Advanced in the TCP Service Properties window to display the Advanced TCP Services
Properties window (FIGURE 6-2).
FIGURE 6-2 TCP Services Properties windows

Source port: — You can specify the port number(s) available on the client side of the service.
See TABLE 6-3.

TABLE 6-3 Specifying a Port Number - TCP

to specify...                                   ... type                                             example
a port number                                   the port number                                      805
a range of port numbers                         the lower and upper limits, separated by a hyphen    800-899
all port numbers greater than a given number    > followed by the largest port number not included   > 799
all port numbers smaller than a given number    < followed by the smallest port number not included  < 800

If specified, only those source port numbers will be Accepted, Dropped, or Rejected when
inspecting packets of this service. Otherwise, the source port number is not inspected.
Protocol Type — Specifies the protocol type associated with the service, and by implication, the
Security Server that enforces Content Security and Authentication for the service.
Enable for TCP resource — The TCP resource allows the screening of URLs using a UFP
Server. If enabled, the UFP Server can perform URL checking without using a security server.
For complete instructions, see “TCP Resources” on page 252.
Match for ‘Any’ — If there are two services using the same port number and a rule that
defines the SERVICE as ‘Any’, then Match for ‘Any’ enables the service defined in the TCP
Service Properties window to be the service associated with this rule.

Session Timeout — Specifies the number of seconds until the session times out. You must
either select the Default TCP time-out as defined in the Stateful Inspection page in the
Global Properties Setup window, or select Other and specify the number of seconds. For TCP
services, a session is defined by the TCP protocol.
Synchronize on cluster — In a state-synchronized High Availability or Load Sharing gateway
cluster, of the services allowed by the rule base, only those with Synchronize on cluster will be
synchronized. By default, all new and existing services are synchronized.

Compound TCP Service Properties


Name — the service’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
Select the desired color from the drop-down list.
Port — the service’s port number

This is read only, as the port number is always 80.


Compound Service — Specifies the predefined service from the services drop-down list.
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.

Note - Compound services are not available in Security and Address Translation policies.

FTP Service (ftp-pasv and ftp-port)

TCP Service Properties — ftp-pasv


In addition, two other types of TCP services can be defined: ftp-pasv and ftp-port. Each defines
the TCP service so that only one of the PORT/PASV commands is enabled. The Security Administrator
maintains control over pasv FTP connections that pass through VPN-1/FireWall-1. The FTP
ports and FTP service rules can be defined to allow only pasv commands while disallowing port
commands on a port/rule that is defined as pasv, as shown in FIGURE 6-2 on page 236. The
same is true for an FTP rule that is defined to allow only port commands.
For information on the Advanced button, see “Advanced UDP Services Properties window” on
page 225.

TCP Service Properties — ftp-port


For information on the Advanced button, see “Advanced UDP Services Properties window” on
page 225.

UDP Service Properties


Name — the service’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
Select the desired color from the drop-down list.

Port — number of the destination port used to provide this service

TABLE 6-4 Specifying a Port Number - UDP

to specify...                                   ... type                                             example
a port number                                   the port number                                      805
a range of port numbers                         the lower and upper limits, separated by a hyphen    800-899
all port numbers greater than a given number    > followed by the largest port number not included   > 799
all port numbers smaller than a given number    < followed by the smallest port number not included  < 800
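The port syntax in TABLE 6-2, TABLE 6-3 and TABLE 6-4 is the same, and so is the rule that a Source port is inspected only when one has been specified. The added example below, which is not Check Point code, parses the four forms into predicates and applies them to a packet's source and destination ports; the service names and definitions are constructed.

```python
import re

_RANGE = re.compile(r"^(\d+)-(\d+)$")


def _port(text):
    """Parse one port number and reject values outside 0-65535."""
    n = int(text)
    if not 0 <= n <= 65535:
        raise ValueError(f"port out of range: {n}")
    return n


def parse_port_spec(spec):
    """Turn a Port / Source port string into a predicate on a port number.

    Forms from the tables: '805', '800-899', '> 799' (all ports above 799), '< 800' (all ports below 800).
    """
    s = spec.replace(" ", "")
    if s.startswith(">"):
        limit = _port(s[1:])
        return lambda p: p > limit
    if s.startswith("<"):
        limit = _port(s[1:])
        return lambda p: p < limit
    m = _RANGE.match(s)
    if m:
        lo, hi = _port(m.group(1)), _port(m.group(2))
        if lo > hi:
            raise ValueError(f"empty range: {spec!r}")
        return lambda p: lo <= p <= hi
    if s.isdigit():
        n = _port(s)
        return lambda p: p == n
    raise ValueError(f"unsupported port specification: {spec!r}")


class Service:
    """A TCP or UDP service definition reduced to its two port fields."""
    def __init__(self, name, port, source_port=None):
        self.name = name
        self.dst_ok = parse_port_spec(port)
        self.src_ok = parse_port_spec(source_port) if source_port else None

    def matches(self, sport, dport):
        """The destination port must match; the source port is inspected only when Source port was given."""
        if not self.dst_ok(dport):
            return False
        return self.src_ok is None or self.src_ok(sport)


def first_match(services, sport, dport):
    """Name of the first service definition that matches the packet, or None."""
    for svc in services:
        if svc.matches(sport, dport):
            return svc.name
    return None


SERVICES = [  # constructed definitions; names and ports are this example's, not the guide's
    Service("telnet", "23"),
    Service("x11", "6000-6063"),
    Service("dns-server-to-server", "53", source_port="53"),
    Service("high-ports", "> 1023"),
]

if __name__ == "__main__":
    for sport, dport in [(40000, 6010), (53, 53), (1025, 53), (40000, 8080)]:
        print(sport, dport, first_match(SERVICES, sport, dport))
```

The `dns-server-to-server` entry shows the source-port rule: a query from an ephemeral port to port 53 does not match it, while the same destination port with no Source port specified would.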
Get — Provide port resolving by retrieving the port number on the SmartCenter Server.
For example, if the designated service is CU-SeeMe, then selecting the Get button will
retrieve the port number on the SmartCenter Server.
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.

Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).

Click Advanced to display the Advanced UDP Service Properties window (FIGURE 6-3).
FIGURE 6-3 Advanced UDP Services Properties window

Source Port — You can specify the port number(s) available on the client side of the service.
See TABLE 6-4.
Protocol Type — Specifies the protocol type associated with the service.
Accept Replies — Specifies if UDP replies are to be accepted.
To specify that no UDP replies will be accepted, that is, to define a “one-way” UDP service,
uncheck Accept Replies.
If Accept Replies is checked, then Accept UDP Replies from any port specifies from which
ports to accept UDP replies.
Accept Replies from any port — If checked, UDP replies will be accepted from any port.
Otherwise, UDP replies will be accepted only from the port to which the original
communication was sent.

For example, the TFTP service (UDP) starts with the client connecting to port 69 on the
server, which replies to the client from a random port. From that point on, the client
communicates with the same random port on the server. So, Accept UDP Replies from any
port must be enabled for TFTP.
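An added example, this editor's model and not the gateway's implementation, of the reply tracking the Accept Replies options describe: requests to a defined service are remembered, a reply is accepted only from the port the request went to unless Accept Replies from any port is set (the TFTP case, after which the server's random port is remembered for the rest of the exchange), a service with Accept Replies unchecked gets no replies at all, and entries expire after a virtual session timeout. The service list, addresses and timeout value are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UDPService:
    name: str
    port: int
    accept_replies: bool = True
    accept_replies_from_any_port: bool = False


class UDPStateTable:
    """Stateful UDP reply matching for the Accept Replies options, with a virtual session timeout."""
    def __init__(self, services, timeout_s=40):
        self.services = {s.port: s for s in services}
        self.timeout_s = timeout_s
        self.pending = {}      # (client, cport, server) -> (service, last_seen)
        self.established = {}  # (client, cport, server, sport) -> last_seen

    def _alive(self, last_seen, now):
        return now - last_seen <= self.timeout_s

    def outbound(self, client, cport, server, sport, now=0.0):
        """Client -> server datagram. Assumes a rule accepts every defined service."""
        key = (client, cport, server, sport)
        if key in self.established and self._alive(self.established[key], now):
            self.established[key] = now      # e.g. TFTP data exchange on the server's random port
            return True
        svc = self.services.get(sport)
        if svc is None:
            return False                     # not a defined service: nothing for the rule to match
        if svc.accept_replies:
            self.pending[(client, cport, server)] = (svc, now)
        return True

    def inbound(self, server, sport, client, cport, now=0.0):
        """Server -> client datagram: accepted only as the reply to a tracked request."""
        key = (client, cport, server, sport)
        if key in self.established and self._alive(self.established[key], now):
            self.established[key] = now
            return True
        entry = self.pending.get((client, cport, server))
        if entry is None:
            return False                     # no request, or Accept Replies unchecked ("one-way" service)
        svc, last_seen = entry
        if not self._alive(last_seen, now):
            del self.pending[(client, cport, server)]
            return False                     # virtual session timed out
        if sport == svc.port or svc.accept_replies_from_any_port:
            self.established[key] = now
            return True
        return False                         # reply from a port the request was not sent to


SERVICES = [  # constructed service definitions
    UDPService("domain-udp", 53),
    UDPService("tftp", 69, accept_replies_from_any_port=True),
    UDPService("syslog", 514, accept_replies=False),
]

if __name__ == "__main__":
    t = UDPStateTable(SERVICES)
    t.outbound("10.0.0.5", 41000, "10.0.0.9", 69)
    print("tftp reply from random port:", t.inbound("10.0.0.9", 3456, "10.0.0.5", 41000))
    t.outbound("10.0.0.5", 40000, "10.0.0.53", 53)
    print("dns reply from wrong port:", t.inbound("10.0.0.53", 5353, "10.0.0.5", 40000))
```

The table is keyed on the client's address and port plus the server's address, which is what makes the any-port option safe to scope: only the host that was asked may answer, even though it may answer from any port.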

Note - Accept Replies and Accept UDP Replies from any port correspond to Accept
stateful UDP replies for unknown services and Accept stateful UDP replies from
any port for unknown services in the Stateful Inspection page of the Global
Properties window ( on page 287). The properties in the Stateful Inspection page of
the Global Properties window apply to UDP services that are not defined in the Check
Point Services Manager.

Match for ‘Any’ — If there are two services using the same port number and a rule that
defines the SERVICE as ‘Any’, then Match for ‘Any’ enables the service defined in the UDP
Service Properties window to be the service associated with this rule.

Virtual Session Timeout — Specifies the number of seconds until the session times out. You
must either select the Default time-out, which is defined in Global Properties, or select Other
to override the default time-out.
For UDP services, “session” is defined by VPN-1/FireWall-1, not the protocol itself. This is
why it is called Virtual Session Timeout.
Synchronize on cluster — In a state-synchronized High Availability or Load Sharing gateway
cluster, of the services allowed by the rule base, only those with Synchronize on cluster will be
synchronized. By default, all new and existing services are synchronized.

RPC Service Properties


RPC-based services do not use pre-defined port numbers, but program numbers instead. An
RPC “connection” is structured as follows:

1 The client issues a portmapper query to the server (on port 111), asking for the port
number associated with the program.
If the query is UDP, VPN-1/FireWall-1 examines the program number, and allows only
those programs allowed by the Security Policy (in the Services column).
If the query is TCP, VPN-1/FireWall-1 drops the query, unless TCP on port 111 is
explicitly allowed by the Security Policy.

Warning - Allowing TCP on port 111 is considered insecure, because the client can then
run any available RPC program through this port.

2 The server (portmapper) replies with the port number.


VPN-1/FireWall-1 monitors the reply and opens only the specified port for the RPC
traffic.
3 The client connects to that port and the RPC “connection” continues.

Example
Suppose the Security Policy allows RPC as follows:

TABLE 6-5

Source        Destination   Service   Action
RPC_Client    RPC_Server    nfsprog   Accept

• If RPC_Client issues a portmapper query on TCP port 111, VPN-1/FireWall-1 drops the
query packet.
• If RPC_Client issues a portmapper query on UDP port 111, VPN-1/FireWall-1 allows the
query only if the program number is 100003, as specified in the RPC Service Properties
window for the nfsprog service. Moreover, VPN-1/FireWall-1 monitors the reply and then
allows the nfsprog service only on the port specified in the reply.
• If RPC_Client does not issue a portmapper query, but proceeds to directly communicate on
the nfsprog port (100003, as specified in the RPC Service Properties window for the
nfsprog service), VPN-1/FireWall-1 queries portmapper and allows the connection only if
the port number (in the portmapper reply) is also 100003.
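The three steps and the nfsprog example above, as an added example in Python that models the decision logic and is not Check Point's implementation: a UDP portmapper query passes only for an allowed program number, a TCP query to port 111 is dropped unless explicitly allowed, the reply opens exactly the port it names, and when a client skips the portmapper the gateway's own lookup (here a `lookup` callback over a constructed registration table) decides. Object names follow TABLE 6-5; the registration table and the second program number are constructed.

```python
PORTMAPPER_PORT = 111


class RPCPolicy:
    """Tracks the RPC connection setup described above, for one rule's allowed programs."""
    def __init__(self, allowed_programs, allow_tcp_portmapper=False):
        self.allowed = set(allowed_programs)  # e.g. {100003} for the nfsprog service
        self.allow_tcp_portmapper = allow_tcp_portmapper
        self.queries = {}  # (client, server) -> program number asked about
        self.opened = {}   # (client, server, port) -> program number

    def portmapper_query(self, client, server, transport, program):
        """Step 1: the client asks portmapper (port 111) for the port of `program`."""
        if transport == "tcp":
            return self.allow_tcp_portmapper  # TCP 111 is dropped unless the policy explicitly allows it
        if program not in self.allowed:
            return False
        self.queries[(client, server)] = program
        return True

    def portmapper_reply(self, server, client, port):
        """Step 2: the reply names the port; only that port is opened, for that program."""
        program = self.queries.pop((client, server), None)
        if program is None:
            return False                      # reply without a tracked query
        self.opened[(client, server, port)] = program
        return True

    def rpc_data(self, client, server, port, lookup=None):
        """Step 3: traffic to the opened port. Without a prior query, the gateway itself asks
        portmapper which program is registered on that port (modelled by `lookup`)."""
        if (client, server, port) in self.opened:
            return True
        if lookup is None:
            return False
        program = lookup(server, port)
        if program in self.allowed:
            self.opened[(client, server, port)] = program
            return True
        return False


# Constructed stand-in for the portmapper query the gateway issues: (server, port) -> program
REGISTRATIONS = {("RPC_Server", 2049): 100003, ("RPC_Server", 32770): 100005}


def fake_portmapper_lookup(server, port):
    return REGISTRATIONS.get((server, port))


if __name__ == "__main__":
    p = RPCPolicy({100003})
    print("tcp query:", p.portmapper_query("RPC_Client", "RPC_Server", "tcp", 100003))
    print("udp query nfs:", p.portmapper_query("RPC_Client", "RPC_Server", "udp", 100003))
    print("reply 2049:", p.portmapper_reply("RPC_Server", "RPC_Client", 2049))
    print("data to 2049:", p.rpc_data("RPC_Client", "RPC_Server", 2049))
```

The `opened` table is keyed on client, server and port, so a port learned for one client pair is not reused for another; this is the property that makes the portmapper approach safer than opening a static port range for RPC.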
Name — the service’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
Select the desired color from the drop-down list.
Program Number — number of the RPC program to be accessed

Get — For standard services, you can retrieve the program number from the RPC database.
Protocol Type — Specifies the protocol type associated with the service.
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.

Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).

ICMP Service Properties


Name — the service’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
Select the desired color from the drop-down list.
Type — Enter the ICMP type number which determines whether the packet belongs to this
service. The file tcpip.def lists some predefined components that can be used in expressions.
Code — Enter the ICMP code number which determines whether the packet belongs to this
service. The file tcpip.def lists some predefined components that can be used in expressions.
For an example of how to use the Code field, see “User-Defined Service Properties Example”
on page 230.
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.

Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).

User Defined (or “Other”) Service Properties


The User Defined Service Properties window allows you to create a service other than TCP,
UDP, ICMP or RPC.
Name — the service’s name
Comment — descriptive text

This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
Select the desired color from the drop-down list.
IP Protocol — Specify the IP protocol number associated with the service (for example, 6 for
TCP, 17 for UDP).
Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.

Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).

Click Advanced to display the Advanced Other Service Properties window.


Match — Enter the INSPECT code string which determines whether the packet belongs to this
service (for example, dport = telnet). The expression is evaluated together with the IP
protocol number defined in the User Defined Service Properties window; both must match.
The file tcpip.def lists some predefined components that can be used in expressions.
Protocol Type — Specifies the protocol type associated with the service.
Accept Replies — Specifies if Other Service replies are to be accepted.
Note - Accept Replies corresponds to Accept stateful Other IP Protocol replies for
unknown services in the Stateful Inspection page of the Global Properties window (see
page 287). The property in the Stateful Inspection page of the Global Properties
window applies to Other services that are not defined in the Check Point Services
Manager.

To specify that no Other Service replies will be accepted, that is, to define a “one-way” Other
Service, uncheck Accept Replies.
Virtual Session Timeout — specifies the number of seconds until the session times out. You
must either select the Default time-out or select Other to define the number of seconds.
For all User Defined Service protocols, “session” is defined by the VPN/FireWall software, not
the protocol itself. This is the reason why it is designated as a “virtual session time-out”.
Synchronize on cluster — In a state-synchronized High Availability or Load Sharing gateway
cluster, of the services allowed by the rule base, only those with Synchronize on cluster will be
synchronized. By default, all new and existing services are synchronized.

User-Defined Service Properties Example


If you wish to define a user-defined service, you must enter INSPECT code in the Match field,
so you must have at least a basic familiarity with INSPECT. For information about INSPECT,
see the SecureKnowledge database at
http://support.checkpoint.com/kb/.
Suppose IP Protocol has a value of 17 (UDP protocol) and the Match field has the following
value:

uh_dport > 33000, ip_ttl < 30

To understand the meaning of the Match field, consider the relevant definitions in
$FWDIR/lib/base.def:

TABLE 6-6 Definitions in $FWDIR/lib/base.def

Name        Definition     Meaning
uh_dport    [22 : 2, b]    the UDP destination port (two bytes at offset 22, big-endian)
ip_ttl      [8 : 1]        IP Time To Live (one byte at offset 8)

Since the comma operator in INSPECT means “and”, a packet belongs to this service when all of
the following hold:
• the IP protocol is 17 (UDP), as set in the IP Protocol field, AND
• the UDP destination port is greater than 33000, AND
• the packet’s time to live is less than 30.

Suppose you wish to pass IP protocol number 53 in the same way that the predefined ospf and
egp services pass their protocols (both are carried directly over IP rather than over TCP or
UDP). Then define a user-defined service whose IP Protocol is 53.
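The match above, evaluated on raw packet bytes. This is an added example in Python, not INSPECT code from the guide or from $FWDIR/lib/base.def: it reproduces the offsets TABLE 6-6 gives for uh_dport ([22 : 2, b], two big-endian bytes at offset 22) and ip_ttl ([8 : 1], one byte at offset 8), and adds the IP protocol byte at offset 9 (the name IP_PROTO is mine) because the service's IP Protocol field is part of the match. The sample packets are constructed here with checksums left at zero.

```python
"""Evaluate the Match expression 'uh_dport > 33000, ip_ttl < 30' on raw IPv4 packets.
Added example in Python, not INSPECT code from the guide or from base.def. It uses the
byte offsets the table gives for uh_dport ([22 : 2, b]: two big-endian bytes at offset
22) and ip_ttl ([8 : 1]: one byte at offset 8), and adds the IP protocol byte at offset
9 (the name IP_PROTO is mine) because the service's IP Protocol field is part of the
match. The sample packets are constructed here; checksums are left at zero.
"""
import struct

# (offset, length) of each header field, in the spirit of the base.def definitions
IP_TTL = (8, 1)         # ip_ttl   [8 : 1]
IP_PROTO = (9, 1)       # IP protocol number; 17 = UDP, 6 = TCP
UH_DPORT = (22, 2)      # uh_dport [22 : 2, b]: 20-byte IP header + 2-byte UDP source port


def field(packet: bytes, offset: int, length: int) -> int:
    """Read an unsigned big-endian integer of `length` bytes at `offset`."""
    if len(packet) < offset + length:
        raise ValueError("packet too short for field at offset %d" % offset)
    return int.from_bytes(packet[offset:offset + length], "big")


def matches_user_defined_service(packet: bytes, ip_protocol: int = 17) -> bool:
    """True if the packet belongs to the guide's user-defined service.

    Equivalent to: IP Protocol = ip_protocol AND uh_dport > 33000 AND ip_ttl < 30.
    The comma in the INSPECT Match field is a logical AND.
    """
    if field(packet, *IP_PROTO) != ip_protocol:
        return False
    if (packet[0] & 0x0F) != 5:
        return False    # fixed offset 22 assumes a 20-byte IP header (no IP options)
    return field(packet, *UH_DPORT) > 33000 and field(packet, *IP_TTL) < 30


def build_udp_packet(ttl: int, dport: int, sport: int = 40000, proto: int = 17) -> bytes:
    """Construct a minimal IPv4/UDP packet for testing (constructed sample input)."""
    payload = b"test"
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len, 0x1234, 0, ttl, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp


if __name__ == "__main__":
    print(matches_user_defined_service(build_udp_packet(ttl=20, dport=34000)))  # True
    print(matches_user_defined_service(build_udp_packet(ttl=64, dport=34000)))  # False
    print(matches_user_defined_service(build_udp_packet(ttl=20, dport=34000, proto=6)))  # False
```

The third call shows why the IP Protocol field matters: a TCP segment with a destination port above 33000 is not this service, even though the bytes at offset 22 would satisfy the Match expression on its own.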

DCE-RPC Service Properties


VPN-1/FireWall-1 dynamically and transparently tracks DCE-RPC port numbers using the port
mappers in the system. The application information is extracted from the packet in order to
identify the program used. A cache is maintained, mapping DCE-RPC program numbers to
their associated port numbers in a fashion similar to that described for RPC. The following
fields may be defined:
Name — the service’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this service is selected.
Color — the color of the service’s icon
The service’s icon will be represented by this color in the SmartMap.
Interface UUID — identifies the Universal Unique Identifier (UUID) to which the requested
service belongs
An interface is a set of remotely callable operations offered by a server and invokable by clients.
Protocol Type — specifies the protocol type associated with the service.

Keep connections open after the policy has been installed — Keep all control and data
connections open until the connections have ended.
If you change this property, the change will not affect open connections, but only future
connections.

Note - Keep connections open after Policy has been installed in the service’s
Properties window takes precedence over the settings in the Connection Persistence
page (see “Check Point window — Connection Persistence page” on page 201).

Service Group Properties


If you choose Group, the Group Properties window is displayed.
Name — the group’s name
Comment — descriptive text
This text is displayed on the bottom of the Services window when this group is selected.
Color — the color of the group’s icon
Select the desired color from the drop-down list.

Adding a Service to a Group


In the left list box (labeled Not in Group), select the services or groups you wish to include in
the group and click on Add.

Note - To define a new service directly from this window, click New. A menu will be
displayed from which you can select the type of service to create. When you finish defining
the service, you will return to this window.

You can add a group to another group in one of two ways:

1) You can individually add all the services in one group to another group, without nesting.
Click on Yes in reply to the question in the window (FIGURE 6-4).
2) You can nest groups inside groups to create a group hierarchy of any desired complexity.
Click on No in reply to the question in the window.
If you nest groups, you can see a nested group’s members by selecting the group in the right
list box (labeled In Group) and clicking View expanded group.
FIGURE 6-4 Adding a Group to a Group

Deleting a Service from a Group


Select the service to be removed from the right list box (labeled In Group), and then click on
Remove.

Resources

Overview
Content Security is enabled by a VPN-1/FireWall-1 object of type Resource. A
VPN-1/FireWall-1 Resource specification defines a set of entities which can be accessed by a
specific protocol. You can define a VPN-1/FireWall-1 Resource based on HTTP, FTP and
SMTP.
VPN-1/FireWall-1 provides content security for HTTP, FTP and SMTP connections, using the
VPN-1/FireWall-1 Security Servers. For each connection established through the
VPN-1/FireWall-1 Security Servers, the Security Administrator is able to control specific access
according to fields that belong to the specific service: URLs, file names, FTP PUT/GET
commands, type of requests and more.
For detailed information about VPN-1/FireWall-1’s Content Security feature, see Chapter 4,
“Security Servers and Content Security “in the book Check Point FireWall-1 Guide.

Resource Windows
You can define resources and groups of resources in the Resources window.
To display the Resources window,
• select Resources from the Manage menu, or

Creating a New Resource


To create a new resource, click on New. A menu is displayed, from which you must select the
type of resource you wish to create.

TABLE 6-7 Resource Types

to create a resource of type...   see...
URI                                “URI Resources” on page 247
URI for QoS                        “URI for QoS Definition window” on page 244
SMTP                               “SMTP Resources” on page 259
FTP                                “FTP Resources” on page 267
TCP                                “Resource Groups” on page 270

Modifying a Resource
To modify an existing resource, select it in the Resources window and click on Edit.

Deleting a Resource
To delete an existing resource, select it in the Resources window and click on Remove.

Wild Cards
You can use the following wild card characters when entering data in many of the fields in the
Resource Definition windows.

TABLE 6-8 Wild Card Usage

*    matches any string of any length.
     *@elvis.com matches lisa@elvis.com and priscilla@elvis.com.
     lisa*@elvis.com matches lisamarie@elvis.com and lisa@elvis.com.
     For file names, /elvis/*/*.c matches /elvis/marie/*.c and /elvis/lisa/*.c.

+    matches any single character.
     mar+@elvis.com matches mary@elvis.com but not marie@elvis.com.
     For file names, /elvis/mar+/*.c matches /elvis/mary/*.c and /elvis/mark/*.c, but not
     /elvis/marie/*.c.

&    (SMTP only) used only in the translated part of a pair; means “use whatever text matched
     the wild card characters (*, +) in the untranslated part of the pair”.
     If the untranslated part is *@elvis.com and the translated part is &@buddy.com, then
     jerrylee@elvis.com becomes jerrylee@buddy.com.

{,}  matches any one of the listed alternatives (single characters or longer strings).
     {a,b,c} matches a or b or c.
     lisamarie@{elvis,michael}.com matches lisamarie@elvis.com and lisamarie@michael.com.

URI Resources
A URI is a Uniform Resource Identifier, of which the familiar URL (Uniform Resource
Locator) is a specific case. URI Resources can define schemes (HTTP, FTP, GOPHER, etc.),
methods, (GET, POST, etc.), hosts (for example “*.com”), paths and queries. In addition, the
Security Administrator can define how to handle responses to allowed resources.

URI Definition window — General tab


The General tab of the URI Definition window specifies the basic parameters of a URI
resource.
Name — the resource’s name
Comment — descriptive text
This text is displayed on the bottom of the Resources window when this resource is selected.
Color — the color of the resource’s icon
Select the desired color from the drop-down list.
Use this resource to:

Select one of the following functions of the URI resource you are defining.
Optimize URL logging — if selected, the URI resource will be used for URL logging. The
URL will be logged for HTTP connections and all other fields and tabs of the URI resource
will be disabled. Once the property is selected, the URI resource must then be added to the
Rule Base. The Security Policy is enforced when URL logging is integrated with UFP
caching. URL logging uses Check Point’s TCP streaming technology, which enables the
VPN/FireWall Module to take over some of the Security Servers’ function.
Enforce URI capabilities — If selected, the URI resource will enable all other functionality
of the URI resource, e.g. CVP checking. All basic parameters, defining schemes, hosts, paths
and methods, will apply and the URL is checked by a security server.
Enforce URL Blocking — If selected, the URI resource will be used to check and (if necessary)
drop URL requests containing patterns that match the signature of the Code Red worm. This
capability is integral to the VPN-1/FireWall-1 kernel, and does not require a Security Server.
However, a Security Server will give better protection against this kind of threat.
When selected, all other options and tabs in this window become unavailable.
To obtain protection against threats other than Code Red, it is possible to edit the :url
filtering section of the FireWall-1 objects database using the dbedit utility. When a new
threat of this kind appears, Check Point will give detailed instructions on countering it.
Connection Methods — check any combination of the following:
• Transparent — match all connections that are not in proxy mode.
This option is relevant only if a proxy to the Web browser is not defined.
• Proxy — match connections in proxy mode

This option is relevant only if a proxy to the Web browser is defined.


• Tunneling — match connections using the HTTP “CONNECT” method.

This option is relevant only if the HTTP Security Server is defined as the proxy to the Web
browser.

The CONNECT method only specifies the hostname and port number to connect to. When
Tunneling is specified, FireWall-1 does not examine the content of the request, not even the
URL — only the hostname and port number are checked. Therefore, if Tunneling is
specified, all Content Security options in the URI specification are disabled.
Exception Track — This option determines if an action specified in the Action tab (FIGURE
6-8 on page 242) that is taken as a result of a resource definition is to be logged.
For example, if the user attempts to use an unsupported scheme or method, then the tracking
specified here is performed.
Select one of the following:
• None — no logging or alerting
• Log — log the event
• Alert — issue an alert

URI Match Specification Type — Select one of the following:


• Wild Cards — The URIs are described on the Match tab of the Resource window.
Under this method, many URIs are described by a single wild card. For example, the wild
card www.elvis* describes a large number of URIs. The URIs will be allowed or disallowed,
depending on the Action in the rule that uses the resource.
• File — The URIs are listed by name in the file specified the Match tab of the Resource
window.
Under this method, each URI is individually listed in the given file. The URIs will be allowed
or disallowed, depending on the Action in the rule that uses the resource.
• UFP — A list of URIs in selected categories is provided by the server specified in the Match
tab of the Resource window.
For more information on UFP, see “OPSEC Applications” in the “Security Servers and
OPSEC Applications” chapter.

URI Definition window — Match tab (wild cards specification)


The Match tab of the URI Definition window (wild cards specification) specifies the parameters
defining a Wild Card URI resource (see “URI Definition window — General tab” on page
234).
Schemes — the URI schemes to which this VPN-1/FireWall-1 resource applies
Select one or more of the following:
• http — Hypertext Transfer Protocol
• ftp — File Transfer Protocol
• gopher — Gopher
• mailto — SMTP
• news — NNTP
• wais — Wide Area Information Service

Chapter 6 Services and Resources 235


URI Resources

• Other — Specify another scheme here. You may use wild card characters in the
specification (see “Wild Cards” on page 233).
This field is relevant only when the HTTP Security Server is defined as a proxy to the
browser.
Methods — the HTTP method, as defined in the Hypertext Transfer Protocol. A brief
explanation of each of these methods is given here.
Select one or more of the following:
GET — The GET method means retrieve whatever information (in the form of an entity) is
identified by the URI. If the URI refers to a data-producing process, it is the produced data
which is returned as the entity in the response and not the source text of the process, unless
that text happens to be the output of the process.
POST — The POST method is used to request that the destination server accept the entity
enclosed in the request as a new subordinate of the resource identified by the URI in the
Request-Line. POST is usually used to provide a block of data, such as the result of
submitting a form, to a data-handling process. The actual function performed by the POST
method is determined by the server and is usually dependent on the URI.
HEAD — The HEAD method is identical to GET except that the server does not return
any Entity-Body in the response. This method is often used for testing hypertext links for
validity, accessibility, and recent modification.
PUT — The PUT method requests that the enclosed entity be stored under the supplied
URI.
Other — Enter one of the following:
* — If you type *, every method is matched: GET, POST, HEAD and PUT as well as all of those listed below.

OPTIONS — The OPTIONS method represents a request for information about the
communication options available on the request/response chain identified by the URI.
This method allows the client to determine the options and/or requirements associated
with a resource, or the capabilities of a server, without implying a resource action or
initiating a resource retrieval.
PATCH — The PATCH method is similar to PUT except that the entity contains a list of
differences between the original version of the resource identified by the URI and the
desired content of the resource after the PATCH action has been applied.
COPY — The COPY method requests that the resource identified by the URI be copied
to the location(s) given in the request’s URI header field.
DELETE — The DELETE method requests that the origin server delete the resource
identified by the URI.

MOVE — The MOVE method requests that the resource identified by the URI be moved
to the location(s) given in the request’s URI header field. This method is equivalent to a
COPY immediately followed by a DELETE, but enables both to occur within a single
transaction.
LINK — The LINK method establishes one or more Link relationships between the
existing resource identified by the URI and other existing resources.
UNLINK — The UNLINK method removes one or more Link relationships from the
existing resource identified by the URI. These relationships may have been established
using the LINK method or by any other method supporting the Link header.
TRACE — The TRACE method requests that the server identified by the URI reflect
whatever is received back to the client as the entity body of the response. In this way, the
client can see what is being received at the other end of the request chain, and may use
this data for testing or diagnostic information.
Other — Specify another method here. You may use wild card characters in the
specification (see “Wild Cards” on page 233).
Host — the URI’s host name
You may use wild card characters in specifying the host name (see “Wild Cards” on page 233).
Functionality is dependent on the DNS setup of the addressed server.
The following restrictions apply when using wildcard characters in URI Host names:
1 Only the IP address or the full DNS name should be used.
(For example: 191.81.23.* or server.{paris,london}.com, but not {paris,london})

2 For expressions using a host name and port number, the port number must be
explicitly specified.
For example, the expression paris* matches requests on any port. It is recommended to
restrict requests to a known HTTP server (for example, *.paris:80, or paris:80).
Path — the URI’s path name
You may use wild card characters in specifying the path name (see “Wild Cards” on page 233).
Path name matching is based on appending the file name in the request to the current working
directory (unless the file name is already a full path name) and comparing the result to the path
specified in the Resource definition.
The file path name must include the directory separator character /. For example, the request
“/myfile” is matched to “/<current directory>/myfile”. If the Resource path name specifies only
“myfile”, then the request will not be matched.
Path includes the file name (which can include wildcard characters). For example
• “/boys/bigboy/*” includes all the files in the /boys/bigboy/ directory.
• “/boys/bigboy/” does not include any of the files in the /boys/bigboy/ directory.

• If /boys/bigboy were a file, it would be included in “/boys/bigboy/”.


When using wildcard characters, you must also specify either the full path name, or use the
directory separator in the wildcard expression. For example, the path name “*/myfile” will
match “myfile” in all possible directories.
Note - Sometimes, the HTTP Security Server sees IP addresses instead of host names. In
this case, the HTTP Security Server will attempt to reverse resolve the IP address to a host
name, using reverse DNS. If the reverse DNS does not resolve correctly, the URI Resource
will not match.

Query — the text following the ? symbol, if any


These are the parameters that are sent to the URI when it is accessed. You may use wild card
characters in specifying the query text (see “Wild Cards” on page 233).

Example

For the URI shown in FIGURE 6-5, the components are listed in TABLE 6-9.
FIGURE 6-5 URI components (the host, path and query parts of the URI below are listed in
TABLE 6-9)

http://www.elvis.com/alive/qc.html?seenon=Mars

TABLE 6-9 URI components and values

component   value
host        www.elvis.com
path        /alive/qc.html
query       seenon=Mars
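The wild card rules of TABLE 6-8 and the host, path and query matching described for the Match tab, implemented together since both need the same pattern matcher. This is an added example in Python, not Check Point code. It implements * (any string), + (one character), {a,b} (any listed alternative) and, for SMTP address pairs, & in the translated part. Two points are my reading of the text rather than quoted behaviour: each & is paired in order with the next * or + match of the untranslated part, and a resource Path that contains no / never matches (the guide's “myfile” case).

```python
"""Wild-card matching from the Wild Cards table, applied to SMTP address
rewriting and to URI host/path/query matching.
Added example, not Check Point code.
'*'     any string of any length
'+'     exactly one character
'{a,b}' any one of the listed alternatives
'&'     (translated part only) text matched by the wild cards of the untranslated part
Assumptions: each '&' is paired positionally with the next '*'/'+' match, and a
resource Path containing no '/' never matches (the guide's "myfile" case).
"""
import re
from urllib.parse import urlsplit


def wildcard_to_regex(pattern: str):
    """Translate a guide-style wild card into an anchored regex.

    Every '*' and '+' becomes a capturing group so '&' substitution can reuse it.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append("(.*)")
        elif c == "+":
            out.append("(.)")
        elif c == "{":
            end = pattern.index("}", i)          # ValueError on an unbalanced brace
            alts = pattern[i + 1:end].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.DOTALL)


def wc_match(pattern: str, text: str) -> bool:
    """True if the whole of `text` matches `pattern`."""
    return wildcard_to_regex(pattern).match(text) is not None


def translate(untranslated: str, translated: str, address: str):
    """Rewrite an SMTP address with an (untranslated, translated) pair; None if no match."""
    m = wildcard_to_regex(untranslated).match(address)
    if m is None:
        return None
    captures = iter(m.groups())
    return "".join(next(captures, "") if ch == "&" else ch for ch in translated)


def uri_components(uri: str) -> dict:
    """Split a URI into the host, path and query fields of the Match tab (FIGURE 6-5)."""
    parts = urlsplit(uri)
    return {"host": parts.netloc, "path": parts.path, "query": parts.query}


def uri_matches(resource: dict, uri: str) -> bool:
    """Match a request URI against a Wild Cards resource given as {host, path, query}.

    An empty or missing resource field matches anything; a Path without '/' never matches.
    """
    comp = uri_components(uri)
    path_pat = resource.get("path", "")
    if path_pat and "/" not in path_pat:
        return False
    return all(not resource.get(k) or wc_match(resource[k], comp[k])
               for k in ("host", "path", "query"))


if __name__ == "__main__":
    print(translate("*@elvis.com", "&@buddy.com", "jerrylee@elvis.com"))  # jerrylee@buddy.com
    print(uri_matches({"host": "www.elvis*", "path": "/boys/bigboy/*"},
                      "http://www.elvis.com/boys/bigboy/index.html"))       # True
    print(uri_matches({"path": "/boys/bigboy/"},
                      "http://www.elvis.com/boys/bigboy/index.html"))       # False
```

The last two calls reproduce the path rule from the text: “/boys/bigboy/*” covers the files in the directory, while “/boys/bigboy/” covers none of them. A host pattern such as *.paris:80 is matched against the netloc, so the port is compared literally, which is why the guide recommends naming the port explicitly.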

When Schemes Are Applied


The schemes checked in the Schemes field in the Match tab of the URI Definition window are
not always applied.
FIGURE 6-6 shows three different ways that an HTTP browser can connect to the Internet
through a VPN/FireWall Module.

FIGURE 6-6 HTTP Browser connecting through FireWalled Gateway
(The figure shows the three paths from the HTTP user’s browser to the Internet through the
gateway: a direct connection; a connection folded into the HTTP Security Server by Transparent
Authentication; and a connection through the FireWall-1 HTTP Security Server configured as the
browser’s proxy.)
TABLE 6-10 When Schemes Are Applied

1 Connection type: directly, without the VPN-1/FireWall-1 HTTP Security Server.
  Schemes applied: none.
  Comments: the schemes are not applied because the connection is not mediated by the
  VPN-1/FireWall-1 HTTP Security Server.

2 Connection type: through the VPN-1/FireWall-1 HTTP Security Server, when the
  VPN-1/FireWall-1 HTTP Security Server is defined as the Proxy to the browser.
  Schemes applied: all checked schemes.
  Comments: the schemes are applied because the connection is mediated by the
  VPN-1/FireWall-1 HTTP Security Server.

3 Connection type: through the VPN-1/FireWall-1 HTTP Security Server, when the
  VPN-1/FireWall-1 HTTP Security Server is not defined as the Proxy to the browser, but the
  connection is folded into the VPN-1/FireWall-1 HTTP Security Server by the Transparent
  Authentication feature.
  Schemes applied: HTTP only.
  Comments: the schemes are applied because the connection is mediated by the
  VPN-1/FireWall-1 HTTP Security Server.

URI Definition window — Match tab (file specification)


The Match tab of the URI Definition window (file specification) specifies additional parameters
defining a URI resource.
Click on Import to import a URI Specification file (a list of URIs to which access will be
denied or allowed, depending on the Action in the rule).
You will be asked to specify the file name.
Click on Export to export a previously imported URI Specification file.

You will be asked to specify a file name under which the file will be saved.

URI Specification File Format

A URI Specification file is an ASCII file of records separated by \n, where each record consists
of three fields, as described in TABLE 6-11. There should be no white space between the
category and the \n. The last line in the file must also end in \n.

TABLE 6-11 URI Specification File Format

field               explanation                                     example
IP address          the URI’s IP address                            192.34.56.78
path                the URI’s path                                  /icecream (so it is possible to define a
                                                                    resource as everything under /icecream
                                                                    at 192.34.56.78)
category (in hex)   not currently used, but may not be blank,       1
                    so enter “1” in all lines
Note - A URI specification file should contain no more than a thousand records.
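A writer, strict parser and lookup for the file format in TABLE 6-11 and the Note above, as an added example in Python (not a Check Point tool). It enforces what the text states: one record per line terminated by \n, three fields, no white space before the \n, the last line also terminated by \n, a non-blank hex category of “1”, and at most a thousand records. Two details are assumptions of mine: fields are separated by a single space, and a record’s path covers everything under it at that address, following the /icecream example.

```python
"""Write, validate and query a URI Specification file in the format described above.
Added example, not a Check Point tool. Format as the guide gives it: one record per
line terminated by '\\n', three fields (IP address, path, hex category), no white space
before the '\\n', the last line also terminated by '\\n', category always '1', at most
1000 records. Assumptions: fields are separated by a single space, and a record's path
is a prefix covering everything under it at that address (the table's /icecream note).
"""
import ipaddress

MAX_RECORDS = 1000


def write_spec(records) -> str:
    """Serialise (ip, path) pairs; category is always '1' as the guide instructs."""
    if len(records) > MAX_RECORDS:
        raise ValueError("more than %d records" % MAX_RECORDS)
    lines = []
    for ip, path in records:
        ipaddress.IPv4Address(ip)                 # raises ValueError on a bad address
        if not path.startswith("/") or any(ch.isspace() for ch in path):
            raise ValueError("bad path %r" % path)
        lines.append("%s %s 1\n" % (ip, path))
    return "".join(lines)


def parse_spec(text: str):
    """Parse a specification file strictly; returns a list of (ip, path, category)."""
    if text and not text.endswith("\n"):
        raise ValueError("last line must end in \\n")
    records = []
    for lineno, line in enumerate(text.split("\n")[:-1], 1):
        if line != line.rstrip():
            raise ValueError("line %d: white space before \\n" % lineno)
        fields = line.split(" ")
        if len(fields) != 3:
            raise ValueError("line %d: expected 3 fields, got %d" % (lineno, len(fields)))
        ip, path, category = fields
        ipaddress.IPv4Address(ip)
        if not category:
            raise ValueError("line %d: category may not be blank" % lineno)
        int(category, 16)                         # category is hex; not currently used
        records.append((ip, path, category))
    if len(records) > MAX_RECORDS:
        raise ValueError("more than %d records" % MAX_RECORDS)
    return records


def spec_matches(records, ip: str, path: str) -> bool:
    """True if (ip, path) is listed: same address and the record path equals or prefixes it."""
    for rec_ip, rec_path, _ in records:
        if rec_ip == ip and (path == rec_path or path.startswith(rec_path.rstrip("/") + "/")):
            return True
    return False


# Constructed sample file, following the table's example record.
SAMPLE = write_spec([("192.34.56.78", "/icecream"), ("10.1.2.3", "/private/reports")])

if __name__ == "__main__":
    recs = parse_spec(SAMPLE)
    print(spec_matches(recs, "192.34.56.78", "/icecream/vanilla.html"))  # True
    print(spec_matches(recs, "192.34.56.78", "/icecreamery"))            # False
```

The prefix check deliberately requires a directory boundary, so /icecream does not also cover /icecreamery; whether the Security Server itself is that strict is not stated in the guide, so treat this as the conservative reading.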

URI Definition window — Match tab (UFP)


The Match tab of the URI Definition window (UFP specification) specifies additional
parameters defining a URI resource.
FIGURE 6-7 URI Definition window — Match tab (UFP specifications) with Ignore UFP server
after connection failure unchecked and checked

UFP Server — Select the UFP server from the menu.

A UFP server maintains a list of URLs and their categories. VPN-1/FireWall-1 checks Web
connection attempts using the URL list on the UFP server.
UFP caching control — Specifies whether UFP caching is used.
UFP caching reduces the number of requests sent to the UFP Server, thereby optimizing
performance.
Categories — Check the categories you wish to include in the resource definition.
Based on these categories, the HTTP Security Server allows or disallows the connection. A
UFP Server must first be defined in order for the Dictionary of Categories to be displayed.
Once the UFP server is selected from the drop-down list, the Dictionary of category selections
becomes available.

Note - For complete instructions on how to define a UFP Server, see “OPSEC Definition
Window — UFP Options Tab” on page 383.

Ignore UFP Server after connection failure — This check box specifies what the FireWall
should do when connection to the UFP server is lost. You must first define the following:
• Number of failures before ignoring the UFP server — number of times the FireWall
will attempt to contact the UFP server before ignoring it
• Timeout before reconnect to UFP server — defines the time interval for the FireWall
to ignore the UFP server
By checking this option, the system administrator can allow the FireWall to ignore the UFP
server, in other words, skip the match process with the UFP server and allow http
connections to pass. This will only occur if the rule defining the URI Resource’s Action is
accept and all other rule parameters match the connection.
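The behaviour of Ignore UFP Server after connection failure as a small state machine, added here as an example in Python; the guide describes the behaviour, the code is not Check Point's. After the configured number of consecutive connection failures the server is ignored for the reconnect timeout, during which the UFP match is skipped and the connection is let through unchecked; once the timeout passes the next request tries the server again. Two points are assumptions: a successful reply resets the failure counter, and a failure below the threshold leaves the connection uncategorised (reported as 'unavailable') rather than accepting it. Note that the option is a fail-open choice: while the server is ignored, the category list is not enforced at all.

```python
"""'Ignore UFP Server after connection failure' as a small state machine.
Added example: the guide describes the behaviour; this code is not Check Point's.
After `failures_before_ignore` consecutive connection failures the UFP server is
ignored for `reconnect_timeout` seconds; during that window the UFP match is
skipped and the connection is let through unchecked (fail-open). After the
timeout the next request queries the server again. Assumptions: a successful
reply resets the failure counter, and a failure below the threshold leaves the
connection uncategorised ('unavailable') rather than accepting it.
"""
import time


class UFPConnectionError(Exception):
    """Raised by the query callable when the UFP server cannot be reached."""


class UFPFailover:
    def __init__(self, query, failures_before_ignore=3, reconnect_timeout=60.0,
                 clock=time.monotonic):
        self.query = query                      # callable(url) -> set of category names
        self.failures_before_ignore = failures_before_ignore
        self.reconnect_timeout = reconnect_timeout
        self.clock = clock
        self.failures = 0
        self.ignore_until = None                # None: server is in use

    def server_ignored(self) -> bool:
        """True while the ignore window is open; closes it once the timeout has passed."""
        if self.ignore_until is None:
            return False
        if self.clock() >= self.ignore_until:
            self.ignore_until = None
            self.failures = 0
            return False
        return True

    def decide(self, url: str, blocked_categories: set) -> str:
        """'accept', 'drop', 'unavailable' or 'accept-unchecked' for one HTTP request."""
        if self.server_ignored():
            return "accept-unchecked"           # UFP match skipped, as the check box allows
        try:
            categories = self.query(url)
        except UFPConnectionError:
            self.failures += 1
            if self.failures >= self.failures_before_ignore:
                self.ignore_until = self.clock() + self.reconnect_timeout
                return "accept-unchecked"
            return "unavailable"
        self.failures = 0
        return "drop" if categories & blocked_categories else "accept"


class FakeClock:
    """Manually advanced clock so the scenario below runs without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def scenario():
    """Constructed scenario: three failures, the ignore window, then a real verdict."""
    replies = [UFPConnectionError, UFPConnectionError, UFPConnectionError, {"gambling"}]

    def query(url):
        reply = replies.pop(0)
        if reply is UFPConnectionError:
            raise UFPConnectionError()
        return reply

    clock = FakeClock()
    ufp = UFPFailover(query, failures_before_ignore=3, reconnect_timeout=60, clock=clock)
    blocked = {"gambling"}
    decisions = [ufp.decide("http://casino.example/", blocked) for _ in range(4)]
    clock.now = 61.0                            # timeout expired: server is tried again
    decisions.append(ufp.decide("http://casino.example/", blocked))
    return decisions


if __name__ == "__main__":
    print(scenario())
    # ['unavailable', 'unavailable', 'accept-unchecked', 'accept-unchecked', 'drop']
```

The fourth decision is the one to notice: no query is sent at all, and a URL that the server would have placed in a blocked category passes. That window is exactly what the Timeout before reconnect to UFP server value bounds.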

URI Definition window — Action tab


The Action tab of the URI Definition window specifies JAVA, ActiveX, Script, Applets, FTP
links and port string actions for a URI resource.

FIGURE 6-8 URI Definition window — Action tab

Replacement URI — If the Action in a rule, which uses this resource, is Drop or Reject, then
this URI is displayed instead of the one the user requested in the Match tab. If a UFP server,
defined on this URI resource, sends a URL for redirection, it will override this replacement
URI.
HTML Weeding — Check one of the options below to strip the specified code from the HTML
page containing the reference to JAVA, JAVA Script or ActiveX code. In this way, the user will
not be aware that the JAVA or ActiveX is available from the HTML page being viewed. JAVA
applets already in the cache are not affected by this parameter.
Select any number of the following:
• Strip Script Tags — Strip JAVA Script tags from HTML code.
• Strip Applet Tags — Strip JAVA Applet tags from HTML code.
• Strip ActiveX Tags — Strip ActiveX tags from HTML code.
• Strip FTP Links — Strip FTP links from HTML code
• Strip Port Strings — Strip port strings from HTML code

Response Scanning — Specifies if JAVA code is to be blocked.


Block JAVA Code — If checked, JAVA applets are blocked by stripping JAVA code from
incoming HTTP. JAVA applets already in the cache are not affected by this parameter.
When the HTTP Security Server encounters JAVA code in incoming HTTP, it strips the code
and does not allow it to reach the browser. The user will see a message indicating that the
applet cannot start (when the JAVA code is incorporated in an HTML document), or a
message indicating that the document contains no data (if the JAVA code is directly fetched,
that is, the link points to the class).

242 Check Point SmartCenter Guide • September 2002


URI Definition window — CVP tab

URI Definition window — CVP tab


In the CVP tab of the URI Definition window, the user must define the following.
Use CVP (Content Vectoring Protocol) — specify whether CVP is to be used
CVP Server — Select the CVP Server from the drop-down menu.
If CVP is to be used, the user must then define whether or not the CVP server is allowed to
modify content and whether to send HTTP Headers and HTTP requests to the CVP server.
The following must be defined:
• CVP Server is allowed to modify content — permit the CVP server to alter the content it
inspects before it is passed on, rather than only approving or rejecting it.
• Send HTTP Headers to CVP server — send all HTTP headers to the CVP server.
• Send HTTP requests to CVP server — send all HTTP requests to the CVP server. This is a
new feature which tells VPN-1/FireWall-1 to pass outbound data (the requests, not only the
replies) through the CVP Server.

Built-in protocol support allows for the chunking of outgoing HTTP data. Chunking takes
place in the application layer of the TCP/IP protocol stack, on the packet stream: each chunk
is framed by a header and trailer that indicate the size of the data chunk. After the chunk has
been processed (that is, checked for total size), it is dechunked (the header and trailer are
removed), treated as a single packet and released back into the packet stream to proceed to its
destination.
Reply Order — designates when data is to be returned to the user. You must select one of the
following choices:
• Return data after content is approved — data is returned after content has been
checked
• Return data before content is approved — data is returned to the user before content
is checked
• Controlled by CVP server — the file is inspected by the CVP Server. If the CVP Server
rejects the file, it is not retrieved
For complete configuration information on configuring CVP as a Security Server, see “Server
Objects” on page 357.

URI Definition window — SOAP tab


The Simple Object Access Protocol (SOAP) provides a way for applications to communicate
with each other over the Internet, independent of platform. SOAP relies on XML to define the
format of the information and then adds the necessary HTTP headers to send it.
XML passes information using commands called Methods that are intended to run on the
destination computer.
FireWall-1 uses a Security Server to check the methods being passed in the SOAP packet.
When FireWall-1 detects SOAP packets, they can either be always Accepted, or only the
Methods specified in a predefined file will be Accepted.

Chapter 6 Services and Resources 243


URI Resources

The way that FireWall-1 treats SOAP packets is defined in a URI resource that uses HTTP.
The SOAP processing defined in the URI resource is performed only if the HTTP connection
carrying the SOAP message was already Accepted by the rule in which the URI resource is used.
In other words, the connection must match the rule, and the rule Action cannot be Reject or
Drop.
In the URI Resource Properties window, check HTTP in the Match tab. The SOAP tab appears,
and in it define the SOAP Inspection behavior: Either Allow All SOAP Requests, or Allow
only SOAP requests specified in the Following File, and select the file.

The namespace and Method name of the XML Methods being passed can be viewed in the
SmartView Tracker by setting the Track option in the URI Resource Properties, SOAP tab. You
will see that the namespace and the name are concatenated in the log file.

Defining the Allowed SOAP Methods file


The name of the SOAP file must be one of a predefined list of 10 files, from scheme1 to
scheme10. The file must reside in $FWDIR\conf\XML directory in the SmartCenter Server. If
Management High Availability is used, the same file should be duplicated on both SmartCenter
Servers.
The file must contain a two-column list separated by a space:
namespace method
For example…

http://tempuri.org/message/ EchoString
http://tempuri.org/message/ SubtractNumbers

The file must be defined very precisely. It is best to copy and paste the namespace and method
name from the log file. If there is a syntax error, the SOAP packets will be dropped.
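As an added example (not Check Point's code), the following Python reproduces the file format and matching rule described above: a scheme file is parsed as strictly two space-separated columns, the namespace and method name of each element under the SOAP Body are looked up in it, and any syntax error in the file or malformed envelope results in a drop, as the guide says. The scheme file contents, the SOAP envelope and the namespace http://tempuri.org/message/ are constructed samples; how the Security Server itself parses the file is not shown on this page.

```python
"""Added example (not Check Point code): check a SOAP request against an
Allowed SOAP Methods file of the form "namespace method", one pair per line."""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

# Constructed sample of a scheme file (scheme1 .. scheme10 in $FWDIR\conf\XML).
SCHEME_FILE = """\
http://tempuri.org/message/ EchoString
http://tempuri.org/message/ SubtractNumbers
"""

# Constructed sample request whose Body carries one method, EchoString.
REQUEST = """\
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <m:EchoString xmlns:m="http://tempuri.org/message/">
      <inputString>hello</inputString>
    </m:EchoString>
  </soap:Body>
</soap:Envelope>
"""


def parse_allowed_methods(text):
    """Return the set of (namespace, method) pairs in the file.

    Raise ValueError on any line that is not exactly two non-empty columns
    separated by one space: a double space, a tab or a missing column is the
    kind of "syntax error" after which the guide says SOAP packets are dropped.
    Blank lines are skipped (assumption; the page does not say).
    """
    allowed = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        cols = raw.split(" ")
        if len(cols) != 2 or not all(cols):
            raise ValueError(f"line {lineno}: expected 'namespace method', got {raw!r}")
        allowed.add((cols[0], cols[1]))
    return allowed


def soap_methods(envelope_xml):
    """Return the (namespace, local name) pairs of the elements directly under
    soap:Body, i.e. the Methods the request asks the destination to run."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise ValueError("no SOAP Body element")
    methods = []
    for child in body:
        # ElementTree encodes the namespace as "{uri}local"
        if child.tag.startswith("{"):
            ns, name = child.tag[1:].split("}", 1)
        else:
            ns, name = "", child.tag
        methods.append((ns, name))
    return methods


def decide(envelope_xml, scheme_text):
    """'accept' only if every method in the Body is listed in the scheme file;
    a file syntax error, an unparsable envelope or an empty Body gives 'drop'."""
    try:
        allowed = parse_allowed_methods(scheme_text)
        methods = soap_methods(envelope_xml)
    except (ValueError, ET.ParseError):
        return "drop"
    if not methods:
        return "drop"
    return "accept" if all(m in allowed for m in methods) else "drop"


if __name__ == "__main__":
    print(decide(REQUEST, SCHEME_FILE))  # accept
    # The same method name in another namespace is not the same method.
    print(decide(REQUEST.replace("http://tempuri.org/message/",
                                 "http://example.test/other/"), SCHEME_FILE))  # drop
```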

URI for QoS Definition window


Resources can also be used in the FloodGate-1 Rule Base if they are of type URI for QoS.

The Security Administrator can classify Internet resources, namely URL designators, as part of
an appropriate QoS policy in accordance with enterprise priorities.
Name — the resource’s name
Search for URL — Specifies the URL string to be searched for in http connections.
A URL string is a character string that contains wild cards which describe the URL that is to
be matched to an http connection within the FloodGate-1 rule. You must enter one of the
following:
• a site with a wild card, for example, www.checkpoint.com/*
• a specific file name, or
• *.gif, which is any gif from any site

For more information on wild cards, see “Wild Cards” on page 233.


Comment — descriptive text


This text is displayed on the bottom of the Resources window when this resource is selected.
Color — the color of the resource’s icon
Select the desired color from the drop-down list.

SMTP Resources

SMTP Security Server


The SMTP Security Server deals with the following conditions:
• badly formed header or pipe (send to program)
The mail is allowed but the offending field is stripped (if smtp_rfc822 (true) is defined
under :props in objects.C — this is the default) and a warning message is sent to asmtp.log.
If smtp_rfc822 (false) is defined under :props in objects.C, the line is preserved as it is
and not rewritten, and a warning message is sent to asmtp.log.

Warning - The objects.C file should not be edited directly. Instead, use dbedit (see
“dbedit” on page 587) to edit the objects_5_0.C file on the SmartCenter Server.

• source routing
If the envelope SMTP MAIL or RCPT commands contain source routing symbols, the SMTP
Security Server replies with an error code.

SMTP Definition window — General tab


The General tab of the SMTP Definition window specifies the basic parameters of an SMTP
resource.
Name — the resource’s name
Comment — descriptive text
This text is displayed on the bottom of the Resources window when this resource is selected.
Color — the color of the resource’s icon
Select the desired color from the drop-down list.
Server — Mail is forwarded to this server
Deliver messages using DNS/MX records — if selected, MX record resolving will be used
to set the destination IP of the connection. When the IP address is resolved, the message will
then be sent.
Check Rule Base with new Destination — if selected, the Rule Base will be rechecked with
the new resolved IP


All the resource actions, e.g. header rewriting and CVP, will be decided according to the last
rule matched. The new resolved IP will be fetched from the MX record resolving or from the
server IP.
If multiple servers are defined, then they are tried one after the other until successful.
If this field is empty, mail is forwarded to the server specified under default_server in
$FWDIR/conf/smtp.conf. If this too is empty, then mail is forwarded to its original destination.

Notify Sender on Error —

If Notify Sender on Error is not checked, then no error notification is generated.

If Notify Sender on Error is checked, then:
• If the Server field is empty, the error notification is sent to the server specified under
default_server in $FWDIR/conf/smtp.conf.
• If default_server in $FWDIR/conf/smtp.conf is not specified, then the error
notification is sent to the originator of the mail.
If multiple servers are defined (see “Specifying Multiple Names” on page 249), then they are
tried one after the other until successful.

Server — error mail is forwarded to this server

Deliver messages using DNS/MX records — if selected, MX record resolving will be used to
set the source IP of the connection which will be used to send the error message

Check Rule Base with new Error Destination — if selected, the Rule Base will be rechecked
with the new resolved IP for the error mail.
All resource actions will be decided according to the last rule matched. The new resolved IP will
be fetched from the MX record resolving or from the server IP.
Exception Tracking — This option determines if an action (specified in the Action2 tab) taken
as a result of a resource definition is logged.
Select one of the following:
• None — no logging or alerting
• Log — log the event
• Alert — issue an alert

For example, if a virus is detected and CVP in the Action2 tab (FIGURE 6-9) is not set to
None, or if the user attempts to send a message that is too long, the tracking specified here is
taken.
Notify Sender on Error — Notify the sender if the message was not delivered.

Note - For mail delivery within an organization using an SMTP Security Server, it is
recommended to use a static mail server configuration, by configuring “server” or “error
server” in the SMTP resource, rather than using the MX resolving option.


SMTP Definition window — Match tab


The Match tab of the SMTP Definition window specifies additional parameters defining an
SMTP resource.
Sender — the ‘From’ field in the envelope
Recipient — the ‘To’ field in the envelope
You may use wild card characters in specifying these fields (see “Wild Cards” on page 247).

SMTP Definition window — Action tabs


The Action tabs of the SMTP Definition window specify additional parameters of an SMTP
resource.

FIGURE 6-9 SMTP Definition window — Action tabs

Action 1 Tab
This tab defines transformations to be performed on the given fields. The data in the field is
modified in accordance with the defined transformation. The left part of the transformation is a
match field (see “Wild Cards” on page 247). The right part specifies the form of the new
transformed data. For information on specifying multiple names in some of these fields, see
“Specifying Multiple Names” on page 249.
Sender — the ‘From’ field in the header
You can also use the “&” wildcard character in specifying a field. For more information, see
“Wild Cards” on page 247.


Recipient — the ‘To’ field in the header


It’s recommended that the transformed data not include embedded spaces.
You can also use the “&” wildcard character in specifying a field. For more information, see
“Wild Cards” on page 247.
Field — the name of a field in the SMTP header (for example, ‘cc’ or ‘subject’)
Contents — the contents of the specified field

Note - Stripping fields such as ‘From’ and ‘To’ is discouraged, since it makes it impossible
to deliver the mail message.

Action 2 Tab
Strip MIME of Type — MIME attachments of the specified type will be stripped from the
message.
1) Allowed types are (as defined in RFC 1521):

• text
• multipart
• message
• image
• audio
• video
• application

Note - If you strip MIME of type text, the text in the body of the message is not stripped.

Strip file by name — strip file attachments with the name specified in this field
This field enables the user to strip UU-ENCODE and MIME file attachments whose names
match any of the defined expressions.
Consider the following expressions: +love*, *.pic and a*.+. TABLE 6-12 lists file
attachment names that each expression matches and that would therefore be stripped.

TABLE 6-12 Stripped File Attachment Example

Expression | Example
+love* | ILoveYou!, XLoveY
*.pic | a.pic, abc.pic
a*.+ | ab.2, a.1, aa.1


Don’t Accept Mail Larger Than — Mail messages larger than this size will not be allowed to
pass.
Allowed Characters — Select one of the following:
• 8 bit — Allow 8 bit ASCII.
• 7 bit — Allow only 7 bit ASCII (but no control characters).
Weeding — Check any of the options below to strip from the header and mail content any
reference to JAVA, JAVA Script, ActiveX code, FTP links and port strings. JAVA applets already
in the cache are not affected by this parameter.
Select any number of the following:
• Strip Script Tags — Strip JAVA Script tags.
• Strip Applet Tags — Strip JAVA Applet tags.
• Strip ActiveX Tags — Strip ActiveX tags.
• Strip FTP Links — Strip FTP links.
• Strip Port Strings — Strip port strings.

Specifying Multiple Names


In some fields, you can specify a list of names using the following syntax:
{name1,name2}

Notes:

1) These rules apply to the following fields:

• Server field in ‘Mail Delivery’
• Server field in ‘Error Mail Delivery’
• Sender
• Strip MIME of Type
• Strip file by name
• Recipient
• Field
• Contents

2) There should be no whitespace before or after the names.


3) Write:
{hostname1@domainname1,hostname2@domainname1}

and not:
{hostname1,hostname2}@domainname1

4) When rewriting, the number of names on the left side should be the same as the number of
names on the right side. Rewrite:
{name1,name2} to {newname1,newname2}

However, if all the names on the left side are to be rewritten to the same name, you can
rewrite:

{name1,name2} to newname1

SMTP Definition window — CVP tab


In the CVP tab of the SMTP Definition window, the user must define the following:
Use CVP (Content Vectoring Protocol) — Specifies whether CVP is to be used.
CVP Server — Specifies the CVP Server from the drop-down menu.

CVP Server allowed to modify content — Enables the designated CVP Server to modify
content.
Send SMTP headers to CVP Server — Enables the SMTP mail headers to be forwarded to the
CVP server for CVP content checking.
Reply Order — Designates when data is to be returned to the user. You must select one of the
following choices:
• Return data after content is approved — The CVP Server first receives all the data from
the security server. After it has received and inspected all the data it then returns the data to
the security server.
• Return data before content is approved — The CVP Server inspects each data packet
received from the security server and returns it back to the security server before approving
the content. For instance, if the CVP Server finds a virus in the data packet, the CVP
Server may replace the data within the packet before returning it to the security server.
• Controlled by CVP server — The file is inspected by the CVP Server. If the CVP Server
rejects the file, it is not retrieved.
For complete configuration information on configuring CVP as a Security Server, see “Server
Objects” on page 357.

FTP Resources

FTP Definition window — General tab


The General tab of the FTP Definition window specifies the basic parameters of an FTP
resource.
Name — the resource’s name
Comment — descriptive text
This text is displayed on the bottom of the Resources window when this resource is selected.
Color — the color of the resource’s icon
Select the desired color from the drop-down list.
Exception Track — This option determines if an action (specified in the Action tab) taken as a
result of a resource definition is logged.
Select one of the following:


• None — no logging or alerting


• Log — log the event
• Alert — issue an alert

For example, if a virus is detected and Use CVP (Content Vectoring Protocol) in the CVP tab
is not enabled, then the tracking specified here is taken.

FTP Definition window — Match tab


The Match tab of the FTP Definition window specifies additional parameters defining an FTP
resource.
Path — the full path name of the file
File name matching is based on appending the file name in the command to the current
working directory (unless the file name is already a full path name) and comparing the result
to the path specified in the Resource definition.
The file path name must include the directory separator character /.
For example, the FTP command “GET myfile” is matched to
“/<current directory>/myfile”. If the Resource path name specifies only “myfile”, then
the command “GET myfile” will not match this path.
Path includes the file name (which can include wildcard characters). For example
• “/boys/bigboy/*” includes all the files in the /boys/bigboy/ directory.
• “/boys/bigboy/” does not include any of the files in the /boys/bigboy/ directory.
• If /boys/bigboy were a file, it would be included in “/boys/bigboy/”.
You may also use wildcard characters in Path. When using wildcard characters, you must also
specify either the full path name, or use the directory separator in the wildcard expression. For
example, the path name “*/myfile” will match “myfile” in all possible directories.
For more information on FTP file names, see Chapter 10, “Security Servers and Content
Security.”
Methods — Select one of the following:
• GET — getting a file from the server to the client
• PUT — sending a file from the client to the server
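One way to implement the wildcard matching used both by the SMTP resource's Strip file by name field (the expressions of TABLE 6-12 above) and by the FTP resource's Path field, as an added example that is not Check Point's code. Its wildcard semantics are assumptions read off the page's own examples rather than stated by it: '*' matches any run of characters (including '/' and the empty string), '+' matches one or more characters, matching is case-insensitive and anchored to the whole name, and '{a,b}' lists alternatives as in "Specifying Multiple Names".

```python
"""Added example (not Check Point code): matcher for the resource wildcard
expressions, applied to attachment names (SMTP) and to FTP file paths."""
import posixpath
import re


def _translate(expr):
    """Return the regular-expression body (no anchors) for one expression."""
    out = []
    i = 0
    while i < len(expr):
        c = expr[i]
        if c == "*":
            out.append(".*")          # any characters, possibly none (assumption)
        elif c == "+":
            out.append(".+")          # one or more characters (assumption)
        elif c == "{":
            end = expr.index("}", i)  # ValueError if the list is not closed
            names = expr[i + 1:end].split(",")
            # The guide: no whitespace before or after the names.
            if any(not n or n != n.strip() for n in names):
                raise ValueError("empty name or whitespace inside {...}: " + expr)
            out.append("(?:" + "|".join(_translate(n) for n in names) + ")")
            i = end
        else:
            out.append(re.escape(c))  # everything else is literal
        i += 1
    return "".join(out)


def wildcard_to_regex(expr):
    """Anchored, case-insensitive pattern for a whole expression."""
    return re.compile("^" + _translate(expr) + "$", re.IGNORECASE)


def matches(expr, value):
    return wildcard_to_regex(expr).match(value) is not None


def strip_attachment(expressions, filename):
    """Strip file by name: True if the attachment name matches any expression."""
    return any(matches(e, filename) for e in expressions)


def ftp_path_matches(resource_path, cwd, command_arg):
    """FTP Match tab: the file name from the command is appended to the current
    working directory (unless it is already a full path name) and the result is
    compared to the resource Path, which may contain wildcards.

    '..' components are normalised here before comparing, so "GET ../x" is
    judged by where it really points; whether the Security Server does the
    same is not stated on the page.
    """
    if not cwd.startswith("/"):
        cwd = "/" + cwd
    full = command_arg if command_arg.startswith("/") else posixpath.join(cwd, command_arg)
    return matches(resource_path, posixpath.normpath(full))


if __name__ == "__main__":
    rules = ["+love*", "*.pic", "a*.+"]
    for name in ("ILoveYou!", "abc.pic", "aa.1", "report.doc"):
        print(name, "stripped" if strip_attachment(rules, name) else "kept")
    print(ftp_path_matches("/boys/bigboy/*", "/boys/bigboy", "file1"))  # True
    print(ftp_path_matches("myfile", "/home/user", "myfile"))            # False
```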

FTP Definition window — CVP tab


The CVP tab of the FTP Definition window specifies additional parameters of an FTP resource.
In the CVP tab of the FTP Definition window, the user must define the following.
Use of CVP (Content Vectoring Protocol) — specifies whether CVP is to be used.
CVP Server — specifies the CVP Server from the drop-down menu
CVP Server allowed to modify content — when selected, allows the CVP Server to modify
content


Reply Order field — designates when data is to be returned to the user. You must select one of
the following choices:
• Return data after content is approved — The CVP Server first receives all the data from
the security server. After it has received and inspected all the data it then returns the data to
the security server.
• Return data before content is approved — The CVP Server inspects each data packet
received from the security server and returns it back to the security server before approving
the content. For instance, if the CVP Server finds a virus in the data packet, the CVP
Server may replace the data within the packet before returning it to the security server.
• Controlled by CVP server — The file is inspected by the CVP Server. If the CVP Server
rejects the file, it is not retrieved.
For complete configuration information on configuring CVP as a Security Server, see “Server
Objects” on page 357.

TCP Resources
The TCP resource supports all TCP services and can be used for two different features. The
TCP resource can be used to support the generic daemon (in.genericd). This daemon is not the
HTTP Security Server; it receives data packets and sends them to a CVP Server, as
defined by the TCP resource.
The TCP resource also allows the screening of URLs using a UFP Server without using the
security server. If enabled, the UFP Server can perform URL checking without using a security
server. The URL received by the UFP Server is not a full URL but rather IP-based only. Before
using the TCP resource, the security administrator must verify that the UFP Server supports IP-
based URLs and can categorize the specific protocols for which the TCP resource is to be
implemented.

TCP Resource Properties


Name — the resource’s name
Comment — descriptive text
This text is displayed on the bottom of the Resources window when this resource is selected.
Color — the color of the resource’s icon
Select the desired color from the drop-down list.
Type — Select the type of server to be used in the TCP resource.
UFP — when selected, a UFP Server must be defined in the UFP tab.
CVP — when selected, a CVP Server must be defined and CVP settings configured in the CVP
tab.
Exception Track — This option determines if an action (specified in the Action tab) taken as a
result of a resource definition is logged.


Select one of the following:


• None — no logging or alerting
• Log — log the event
• Alert — issue an alert

TCP Definition window — UFP tab


UFP Server — the UFP Server’s name as selected from the drop-down list

The UFP server maintains a list of URLs and their categories. VPN-1/FireWall-1 checks
connection attempts using the URL list on the UFP server.
When a user requests a URL, VPN-1/FireWall-1 determines if the UFP server must be used
and handles the request without using a security server. If the UFP Server is used, the
connection packet is temporarily held until VPN-1/FireWall-1 determines if the connection is
permitted.
UFP Caching Control — specifies how caching is to be enabled
The Security Administrator can choose no caching, caching on the UFP server, or caching 1
or 2 requests on VPN-1/FireWall-1 from the drop-down menu.
Categories — check the categories you wish to include in the resource definition

TCP Definition window — CVP tab


In the CVP tab of the TCP Definition window, the user must define the following:
CVP Server — select the CVP Server from the drop-down list
CVP Server allowed to modify content — when selected, allows the CVP Server to modify
content of the message string
Reply Order — Designates when data is to be returned to the user. You must select one of the
following choices:
• Return data after content is approved — The CVP Server first receives all the data from
the security server. After it has received and inspected all the data it then returns the data to
the security server.
• Return data before content is approved — The CVP Server inspects each data packet
received from the security server and returns it back to the security server before approving
the content. For instance, if the CVP Server finds a virus in the data packet, the CVP
Server may replace the data within the packet before returning it to the security server.
• Controlled by CVP server — The file is inspected by the CVP Server. If the CVP Server
rejects the file, it is not retrieved.
For complete configuration information on configuring CVP as a Security Server, see “Server
Objects” on page 357.


Enabling for TCP Resource


To enable a TCP resource, proceed as follows:
1 Select the service that you wish to implement within a rule. You can either
• choose Services from the Manage menu, or
• click on in the toolbar.
2 The TCP Service Properties window is displayed
3 Click the Advanced tab to display the Advanced TCP Service Properties window.
FIGURE 6-10 Advanced TCP Service Properties window

4 Click OK. The service appears in the Service with Resource menu.
Click on the service and then select the Resource to be used from the drop-down list and
click OK.
5 The service with the TCP enabled resource appears in the Service column of the associated
rule and can be implemented in the Rule Base.

6 You must then edit $FWDIR/conf/fwauthd.conf and add a line where <port> is the tcp
service’s port number. For example:
<port> fwssd in.genericd wait 0

The TCP Resource will now be implemented.


CIFS Resources

CIFS Overview
CIFS (Common Internet File System) is a protocol used to request file and print services from
server systems over a network.
The protocol is an extension of the Server Message Block (SMB) protocol.
The protocol is often implemented over the NETBIOS session service over TCP using port
139.
Microsoft also uses CIFS over the Microsoft-DS protocol (port 445) for networking and file
sharing.
In a typical configuration each CIFS client maintains a TCP connection with every CIFS server
to which it is connected.
The client and server exchange CIFS request and CIFS response messages over this
connection.
More information on CIFS can be found under:
http://www.microsoft.com/mind/defaulttop.asp?page=/mind/1196/cifs.htm&nav=/mind/1196/inthisissuecolumns1196.htm
http://samba.org/cifs/
http://samba.org/samba/about.html

Support of the CIFS protocol


Starting from NG FP3, CIFS connections can be statefully inspected.
If configured, FireWall-1 can enforce the following security checks on CIFS connections:
1) Correctness of the protocol, preventing CIFS and NETBIOS messages issued by the client
from pointing beyond message boundaries.
2) Allowing access to different disk shares for different groups of users and hosts.
3) Logging disk share access.

Configuring CIFS Stateful Inspection


1 Define a new CIFS resource.
2 In the security policy tab, add a new rule. The rule's Service should be nbsession or
Microsoft-DS together with the configured resource.
3 Install the Policy.


Specifying the allowed disk/print shares


Connections matched to a CIFS rule are checked to ensure that all disk/print shares accessed by
the clients are in accordance with the Allowed Disk/Print Shares property of the rule's resource.
This property is in the form of a regular expression.
Disk shares accessed by CIFS clients usually take the following form:
"\\ServerName\ShareName"

Note that in addition to the actual disk share, many CIFS client implementations also try to map
a pseudo share called
"\\ServerName\IPC$"

In order to allow access to the desired “ShareName” as well as IPC$, the regular expression
should therefore take the following form:
^\\\\ServerName\\(ShareName|IPC\$)$

Logging
Logging of each share map attempt can be enabled by checking Log mapped shares in the
CIFS Resource Properties window.

In order to log attempts to access restricted shares as well as any protocol violation performed by
the client check Log access violation in the CIFS Resource Properties window.
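As an added example that is not Check Point's code, the Python below builds an Allowed Disk/Print Shares expression of the form shown above for a set of share names, evaluates tree-connect attempts against it, and simulates what the two logging options would record. The server name FS01 and the share names are constructed placeholders; the 'reject' outcome for a non-ASCII share name comes from item 2 of the Known limitations below, and matching is case-sensitive here simply because the regular expression on the page is written without any case flag.

```python
"""Added example (not Check Point code): Allowed Disk/Print Shares regular
expression, share-access decisions and the two CIFS logging options."""
import re


def allowed_shares_regex(server, shares):
    """Build a pattern of the form ^\\\\ServerName\\(ShareName|IPC\$)$.

    IPC$ is always added because most CIFS clients map it alongside the real
    share. re.escape doubles every backslash and escapes the '$' in IPC$,
    which is the part that is easy to get wrong when typing the expression.
    """
    names = list(shares) + ["IPC$"]
    return (r"^\\\\" + re.escape(server) + r"\\("
            + "|".join(re.escape(n) for n in names) + ")$")


def share_access_decision(pattern, unc_path):
    """Classify one tree-connect attempt to a UNC path such as \\FS01\Data.

    'allow'  - the path matches the Allowed Disk/Print Shares expression
    'deny'   - it does not (a restricted share)
    'reject' - the name is not a legal ASCII string (Known limitations, 2)
    """
    if not unc_path.isascii():
        return "reject"
    return "allow" if re.match(pattern, unc_path) else "deny"


def audit_events(pattern, attempts, log_mapped_shares=True, log_access_violation=True):
    """Return (event, path) pairs as the two resource options would log them:
    every map attempt when Log mapped shares is on, and every denied or
    rejected attempt as a violation when Log access violation is on."""
    events = []
    for path in attempts:
        decision = share_access_decision(pattern, path)
        if log_mapped_shares:
            events.append(("mapped share: " + decision, path))
        if log_access_violation and decision != "allow":
            events.append(("access violation", path))
    return events


if __name__ == "__main__":
    pattern = allowed_shares_regex("FS01", ["Data", "Public"])
    print(pattern)  # ^\\\\FS01\\(Data|Public|IPC\$)$
    # Constructed sample of tree-connect attempts seen on one connection.
    attempts = [r"\\FS01\Data", r"\\FS01\IPC$", r"\\FS01\ADMIN$", r"\\FS02\Data"]
    for event, path in audit_events(pattern, attempts):
        print(event, path)
```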

Known limitations
1) In a High Availability configuration, CIFS statefully inspected connections are not expected
to survive failover.
2) A Disk/Print share whose name is not a legal ASCII string is not supported. An attempt to
connect to these shares will be rejected.
3) CIFS connections will not survive a Policy installation.
CIFS resources are supported with Accept, Client authentication, Session authentication and
Client Encrypt rules. Drop, Reject and User authentication are not allowed.


List Of Supported Services

List of Supported TCP Services


TABLE 6-13 TCP Services SmartDashboard

Service Name | Normal port number | Description | Pre-defined in VPN-1/FireWall-1 | Comments
AOL (America OnLine) | 5190 | protocol used by AOL clients to connect to AOL through a network connection, as opposed to a dial-up connection | Yes |
chargen | 19 | A TCP chargen server sends an unending stream of characters until the client terminates the connection. | No | This is also a UDP service.
Connected OnLine Backup | 16384 | PC agents that wake up occasionally and back up their encrypted data to the Connected backup server across the Internet. | Yes |
Cooltalk | 6499, 6500 | a voice communication protocol | Yes | To enable auxiliary (back) data connections for this service, you must specifically list this service under Services in the Rule Base. UDP is used for the voice connection.
daytime | 13 | A daytime server returns date and time of day in text format. | Yes | This is also a UDP service.
discard | 9 | A discard server discards whatever it is sent by a client. | Yes | This is also a UDP service.
DNS | 53 | Domain Name System — a distributed database used to map host names to IP addresses | Yes | This is also a UDP service. TCP DNS is used for Domain Name Download, while UDP DNS is used for Domain Name Queries.
echo | 7 | An echo server sends the client whatever the client sent the server. | Yes | This is also a UDP service.
exec | 512 | invokes an executable | Yes |
finger | 79 | a protocol that provides information about users on a specified host | Yes |
ftp | 21 | File Transfer Protocol — a protocol for copying files between hosts | Yes | To enable auxiliary data connections, check Enable FTP PORT Data Connections in the Services tab of the Properties Setup window.
gopher | 70 | a menu driven front end to other Internet services, such as Archie, anonymous FTP and WAIS | Yes |
http | 80 | HyperText Transfer Protocol — a protocol used to implement the World Wide Web | Yes |
https | 443 | a version of HTTP that uses SSL for encryption | Yes |
H.323 | 1720 | client-to-client audio-visual application | Yes | When managing a Version 4.1 Module with an NG SmartCenter Server, the NG H.323 code is run by default. To run the Version 4.1 H.323 code, modify the lib/h323.def file in the backward compatibility directory on the SmartCenter Server as follows and then re-install the Policy: replace the line “#define FWH323_USE_NEW 1” by “//#define FWH323_USE_NEW 1”.
ident | 113 | a protocol used for user identification | Yes |
imap | 143 | Internet Mail Access Protocol | Yes |
irc | 6670, 6680 | Internet Relay Chat — a protocol for on-line “chat” conversations over the Internet | Yes |
kerberos | 750 | an authentication service | Yes, as kerberos | This is also a UDP service. The Kerberos authentication scheme is not supported by VPN-1/FireWall-1.
ldap | 389 | Lightweight Directory Access Protocol (simple X500 protocol). | Yes |
ldap-ssl | 636 | Lightweight Directory Access Protocol over SSL. | Yes |
LiveLan | 1720 | H.323 based applications such as LiveLAN | Yes |
login | 513 | procedure used to get access to an OS or an application | Yes |
Lotus Notes | 1352 | a proprietary Lotus protocol | Yes |
Microsoft Conferencing | | a voice conferencing and remote application sharing protocol | Yes |
Microsoft Exchange | | messaging center (mail, news, users directory) | Yes | To enable auxiliary data connections for this service, you must specifically list this service under Services in the Rule Base. • The client requests service on the DCE-RPC mapper (port 135), then initiates a TCP connection to the port it received from the mapper. • experimental support • You must specifically allow DCE-RPC under Services in the Rule Base.
Microsoft NetMeeting | 1503 | voice communication (one to one or conference) and application | Yes | Uses H.323.
Microsoft NetShow | 1755 | streaming client–server multimedia | Yes | To enable auxiliary data connections for this service, you may specifically list this service under Services in the Rule Base. • The client sends a port command to the server, and the server starts UDP on that port to the client. • NAT support
Microsoft SQL Server 6.0 | 1433 | a data replication server | Yes |
Mosaic | | a web browsing application | Yes | a group consisting of archie, ftp, gopher and http
nbsession | 139 | netBIOS used over a WAN | Yes | belongs to the NBT group
NBT | | A NetBIOS extension defining an expanded application interface | Yes |
netstat | 15 | | Yes |
nntp | 119 | a protocol used to transmit news | Yes |
ntp | 123 | time protocol with synchronization — a protocol providing access over the Internet to systems with precise clocks | Yes | This is also a UDP service.
Open Windows | 2000 | | Yes |
PointCast | 80 | a protocol for viewing news in TV like fashion | No |
pop2 | 109 | Post Office Protocol — a mail protocol that allows a remote mail client to read mail from a server | Yes |
pop3 | 110 | Post Office Protocol — a modified version of pop2 | Yes |
RAS | | Remote Access Service | Yes |
RealAudio | 7070 | a protocol for the transmission of high quality sound on the Internet | Yes | To enable auxiliary (back) data connections for this service, you must specifically list this service under Services in the Rule Base.
rexec | 512 | a protocol that provides remote execution facilities with authentication | Yes, as exec | To enable stderr, check Enable RSH/REXEC Reverse stderr Connections in the Services tab of the Properties Setup window.
rlogin | 513 | remote login — a protocol that enables remote login between hosts | Yes, as login | To enable stderr, check Enable RSH/REXEC Reverse stderr Connections in the Services tab of the Properties Setup window.
rsh | 514 | remote shell — a protocol that allows commands to be executed on another system | Yes, as shell | To enable stderr, check Enable RSH/REXEC Reverse stderr Connections in the Services tab of the Properties Setup window.
SecurID | | a protocol used by an authentication service product of Security Dynamics Technologies, Inc. | Yes | SecurID is a group consisting of the services required to implement SecurID.
securidprop | 5510 | a SecurID service | Yes |
smtp | 25 | Simple Mail Transfer Protocol — a protocol widely used for the transmission of e-mail | Yes |
SQLNet | 1521, 1525 | an Oracle protocol for transmission of SQL queries | Yes | To enable auxiliary data connections for this service, you must specifically list this service under Services in the Rule Base. This service can work in two modes: • In the first, the client connects to the server using TCP port 1521. • In the second, the client connects to a manager server on TCP 1521 or 1525. This server sends the client a new server IP and port, then the client connects to the new server.
Sybase SQL | > 1024 | client–server database | No | uses a static TCP port (defined in the Sybase setup) above 1024
TACACS+ | 49 | an authentication protocol | Yes, as TACACSplus |
telnet | 23 | Telecommunications Network Protocol — a remote terminal protocol enabling any terminal to login to any host | Yes |
time | 37 | a service that returns the time of day as a binary number | Yes | This is also a UDP service.
uucp | 540 | Unix to Unix Copy | Yes |
Vosaic | 1235 | audio and video based on VDP (Video Datagram Protocol) | Yes | also uses UDP ports 61801-61821
VDO-Live | 7000 | a protocol for the transmission of high quality video on the Internet | Yes | To enable auxiliary (back) data connections for this service, you must specifically list this service under Services in the Rule Base.
wais | 210 | Wide Area Information Servers — a tool for keyword searches, based on database content, of databases on the Internet | Yes |
Webtheatre | 12468 | live audio & video streaming | Yes | To enable auxiliary data connections for this service, you must specifically list this service under Services in the Rule Base. • The client opens TCP port 12468 by default for control. For each media stream request there is a port command from client to server including the RTP (UDP) port the client is waiting on. The audio passes on the RTP port and the control on the RTCP port (RTCP port = RTP port + 1). • NAT support
WinFrame | 1494 | remote LAN access | Yes |
X11 | 6000 – 6063 | a windowing system protocol | Yes |


List of Supported UDP Services


TABLE 6-14 UDP Services SmartDashboard

Service Name | Normal port number | Description | Pre-defined in VPN-1/FireWall-1 | Comments
archie | 1525 | a tool for keyword searches, based on file names, of files on the Internet available through FTP | Yes |
BackWeb | 370 | a UDP service similar to PointCast | Yes | source port 371. To enable auxiliary data connections for this service, you must specifically list this service under Services in the Rule Base.
biff | 512 | file format | Yes |
bootp | 67 | Bootstrap Protocol — a protocol for booting diskless systems | Yes |
chargen | 19 | A UDP chargen server sends a datagram containing a random number of characters in response to each datagram sent by a client. | No | This is also a TCP service.
CU-SeeMe | 7648 – 7652 | video, audio and chat (client to client); needs video camera | Yes |
daytime | 13 | A daytime server returns date and time of day in text format. | Yes | This is also a TCP service.
discard | 9 | A discard server discards whatever it is sent by a client. | Yes | This is also a TCP service.
dns | 53 | Domain Name System — a distributed database used to map host names to IP addresses | Yes | This is also a TCP service. TCP DNS is used for Domain Name Download, while UDP DNS is used for Domain Name Queries.
echo | 7 | An echo server sends the client whatever the client sent the server. | Yes | This is also a TCP service.
FreeTel | 21300, 21301 | a voice communication protocol | Yes | To enable auxiliary data connections for this service, you must specifically list this service under Services in the Rule Base.
InternetPhone | 22555 | a protocol for the transmission of voice quality sound over the Internet | Yes |
ISAKMP | 500 | an encryption protocol | Yes |
kerberos | 750 | an authentication service | Yes | This is also a TCP service. The Kerberos authentication scheme is not supported by VPN-1/FireWall-1.
name | 42 | Host Name Server | Yes |
nbdatagram | 138 | NetBios Datagram Service | Yes | belongs to the NBT group
nbname | 137 | NetBios Name Service | Yes | belongs to the NBT group
nfsd | 2049 | Network File System - Sun Microsystems | Yes | belongs to the NFS group
ntp | 123 | time protocol with synchronization — a protocol providing access over the Internet to systems with precise clocks | Yes | This is also a TCP service.

266 Check Point SmartCenter Guide • September 2002


List of Supported UDP Services

TABLE 6-14 UDP Services SmartDashboard

Service Description Comments

in VPN-1/FireWall-1
Name
normal port

pre–defined
number

OnTime 1622 client/server calendar services Yes


RADIUS 1645 an authentication protocol Yes
RAS Remote Access Service Yes
RDP 259 an internal VPN-1/FireWall-1 Yes
protocol used for establishing
encrypted sessions
rip 520 Routing Information Protocol Yes
— a protocol used to
implement dynamic routing
SecurID a protocol used by an Yes SecurID is a group consisting
authentication service product of the services required to
of Security Dynamics implement SecurId.
Technologies, Inc.
securid-udp 5510 a SecurID service Yes
snmp 161 a protocol used for managing Yes
network resources
snmp-read 161 read only snmp Yes
snmp-trap 162 a notification to the manager Yes
by SNMP of some event of
interest
StreamWorks 1558 a protocol for the transmission Yes
of high quality video (Xing)
syslog 514 a protocol that allows a Yes
computer to send logs to
other computer
TACACS 49 an authentication protocol Yes
TFTP 69 Trivial File Transfer Protocol Yes
— a small, simple file transfer
protocol used primarily in
booting diskless systems

Chapter 6 Services and Resources 267


List Of Supported Services

TABLE 6-14 UDP Services SmartDashboard

Service Description Comments

in VPN-1/FireWall-1
Name
normal port

pre–defined
number

time 37 a service that returns the time Yes This is also a TCP service.
of day as a binary number
traceroute >33000 a debugging application that Yes
shows the route followed by
IP packets
who 513 a service that provides Yes
information on who is logged
on to the local network

268 Check Point SmartCenter Guide • September 2002


List of Supported RPC Services

TABLE 6-15 RPC Services

Service Name | Program number | Description | Pre-defined in VPN-1/FireWall-1 | Comments
DCE-RPC | | a protocol similar to Sun RPC Portmapper | Yes | Experimental support for use with Microsoft Exchange.
lockmanager | 100021 | a protocol used for the transmission of lock requests | Yes | pre-defined as nlockmgr
mountd | 100005 | a protocol used for the transmission of file mount requests | Yes | belongs to the NFS group
NFS | | Network File System, a protocol that provides transparent file access over a network | Yes | a group that includes all the services that are required for NFS
nfsprog | 100003 | | Yes | belongs to the NFS group
NIS | | Network Information System, a protocol that provides a network accessible system administration database, widely known as Yellow Pages | Yes | NIS is a group that includes all the services that are required for NIS
nisplus | 100300 | | Yes |
pcnfsd | 150001 | | Yes | belongs to the NFS group
rstat | 100001 | a protocol used to obtain performance data from a remote kernel | Yes |
rwall | 100008 | a protocol used to write to all users in a network | Yes |
ypbind | 100007 | | Yes | belongs to the NIS group
yppasswd | 100009 | | Yes | belongs to the NIS group
ypserv | 100004 | | Yes | belongs to the NIS group
ypupdated | 100028 | | Yes | belongs to the NIS group
ypxfrd | 100069 | | Yes | belongs to the NIS group


List of Supported ICMP Services

TABLE 6-16 ICMP Services

Service Name | Description | Pre-defined in VPN-1/FireWall-1 | Comments
dest-unreach | an ICMP message indicating that the destination is unreachable | Yes |
source-quench | an ICMP message indicating that the system cannot process datagrams at the rate at which they are being received | Yes |
info-req | an obsolete ICMP message | Yes |
info-reply | an obsolete ICMP message | Yes |
mask-request | an ICMP message requesting a diskless system’s subnet mask | Yes |
mask-reply | an ICMP message in reply to a mask-request message | Yes |
param-prblm | an ICMP message indicating invalid data in an earlier message | Yes |
ping (echo-request, echo-reply) | The ping program tests whether another host is available, and measures the time between the request (echo-request) and the reply (echo-reply). | Yes |
redirect | an ICMP error message sent by a router in response to a misdirected datagram | Yes |
time-exceeded | an ICMP error message indicating routing loops or reassembly failure | Yes |
timestamp (request, reply) | ICMP messages (request and reply) enabling systems to query each other for the current time | Yes |
traceroute | a debugging application that shows the route followed by IP packets | Yes |


List of Supported Other IP Protocol Services

TABLE 6-17 Other IP Protocol Services

Service Name | IP protocol number | Description | Pre-defined in VPN-1/FireWall-1 | Comments
egp | 8 | a protocol used to implement dynamic routing | Yes |
ggp | 3 | a protocol used to implement dynamic routing | Yes |
igrp | 9 | a protocol used to implement dynamic routing | Yes |
ospf | 89 | a protocol used to implement dynamic routing | Yes |

Notes for Services

traceroute
traceroute is a UDP service in Unix and an ICMP service in NT. Replies (for example,
time-exceeded) are ICMP in both Unix and NT. To enable traceroute, you must enable both the
traceroute packets leaving the client and the ICMP reply packets returning to the client, as
listed in TABLE 6-18.

TABLE 6-18 traceroute services

Packets | NT traceroute client | Unix traceroute client
packets leaving the Client | Enable the echo-request service in a rule. | Enable the traceroute service in a rule.
packets returning to the Client | Enable the echo-reply and time-exceeded services in a rule. | Enable the dest-unreach and time-exceeded services in a rule.

Note - For NT clients, you can also enable traceroute by checking Accept ICMP in the
Security Policy tab of the Properties Setup window. However, this enables all ICMP
services, and not just the ones required for traceroute.



CHAPTER 7

Global Properties

In This Chapter

FireWall-1 Implied Rules                                page 276
Security Server                                         page 278
VoIP (Voice over IP)                                    page 279
NAT (Network Address Translation)                       page 279
Authentication                                          page 280
VPN-1 Pro                                               page 282
VPN-1 Early Versions Compatibility                      page 282
VPN-1 Advanced                                          page 282
VPN-1 Net                                               page 282
Remote Access — VPN SecuRemote/SecureClient             page 282
Remote Access — VPN                                     page 282
Remote Access — Secure Configuration Verification       page 282
Remote Access — Early Versions Compatibility            page 282
FloodGate-1 Properties                                  page 282
SmartMap                                                page 283
Management High Availability                            page 283
LDAP (Account Management)                               page 283
Connect Control                                         page 285
Open Security Extension (OSE) Access List               page 286
Stateful Inspection                                     page 287
Log and Alert                                           page 289
SmartDashboard Customization                            page 293

A Security Policy is defined not only by the Rule Base, but also by the properties specified in
the various pages of the Global Properties window. These properties enable the user to control
all aspects of a communication’s inspection, while at the same time freeing the user of the need
to specify repetitive detail in the Rule Base.
To display the Global Properties window, choose Properties from the Policy menu, or click
in the toolbar.


For information about the interaction between Properties and the Rule Base, see “Interaction
between Rule Base and Implied Rules (Properties)” on page 317.
Note - There is no longer a Services tab. The options that (in previous versions) were in
that tab (listed below) are enabled by default. They can be changed by editing
objects_5_0.C using dbedit (see Chapter 18, “Command Line Interface”).
• Enable FTP PORT data connections
• Enable FTP PASV data connections
• Enable RSH/REXEC reverse stderr connections
• Enable RPC control

FireWall-1 Implied Rules


Accept VPN-1 & FireWall-1 control connections—VPN-1/FireWall-1 uses these connections
for communications between Check Point applications on different machines, and for
connecting to external servers such as RADIUS, TACACS, etc.
If you check this property, each VPN/FireWall Module managed by this SmartCenter Server
will allow the fw1_service service between all VPN/FireWall Modules (managed by this
SmartCenter Server) on which VPN-1 & FireWall-1 is checked (under Check Point products
in the General page of the network object’s Properties window — see “Check Point window
— General Page” on page 182).
Note - NG control connections are different from pre-NG control connections, so pre-NG
Modules will not recognize NG control connections. Therefore, if a pre-NG FireWall Module is
located between an NG Module and its NG SmartCenter Server, control connections between
the NG machines will be blocked by the pre-NG FireWall Module.

TABLE 7-1 lists the services enabled by Accept VPN-1 & FireWall-1 Control Connections.
“all VPN/FireWall Modules” means all VPN/FireWall Modules managed by this SmartCenter
Server. You can view the implied rules generated by this property by choosing Implied Rules
from the View menu (see “Implied Rules” on page 318 for more information).

TABLE 7-1 Accept VPN-1 & FireWall-1 control connections

Service group | Source | Destination
FW1 | all VPN/FireWall Modules | all VPN/FireWall Modules
FW1_log | all VPN/FireWall Modules | all VPN/FireWall Modules
FW1_cpd | all VPN/FireWall Modules | all VPN/FireWall Modules
FW1_cpmi | GUI Clients | SmartCenter Server
FW1_topo | Any | all VPN/FireWall Modules
FW1_key | Any | all VPN/FireWall Modules
IKE | Any | all VPN/FireWall Modules
IKE | all VPN/FireWall Modules | Any
FW1_ica_pull | all VPN/FireWall Modules | SmartCenter Server
RDP | Any | Any
FW1_cvp | all VPN/FireWall Modules | CVP Servers
FW1_ufp | all VPN/FireWall Modules | UFP Servers
RADIUS | all VPN/FireWall Modules | RADIUS Servers
TACACS | all VPN/FireWall Modules | TACACS Servers
ldap | all VPN/FireWall Modules | LDAP Servers
FW1_load_agent | all VPN/FireWall Modules | Logical Servers

You can uncheck Accept VPN-1 & FireWall-1 Control Connections if all the following
conditions are true:
• The VPN/FireWall Module, the SmartCenter Server and the GUI Client are all running
on the same machine.
• There are no external servers (for example, OPSEC, RADIUS etc.).
• There are no SecuRemote/SecureClient users.
• There is only one SmartCenter Server (that is, the configuration does not include
Management High Availability).
Note - In VPN-1/FireWall-1 Version 4.1 SP1 and earlier, checking Accept VPN-1 &
FireWall-1 control connections would allow the fw1_service between all network
objects defined on the SmartCenter Server. The current meaning of Accept VPN-1 &
FireWall-1 control connections excludes, for example, an OPSEC server running on a
machine on which VPN-1/FireWall-1 is not installed, and the opsec_putkey command
would fail. To enable the fw1_service for machines excluded by the new meaning, you
must explicitly define a rule allowing the service.

Enabling Accept VPN-1 & FireWall-1 Control Connections opens the VPN-1/FireWall-1
application port and the SmartCenter Server port, allowing VPN-1/FireWall-1 GUI Clients to
communicate with the SmartCenter Server. If you disable Accept VPN-1 & FireWall-1 Control
Connections and you want VPN-1/FireWall-1 applications to communicate with each other,
you must explicitly allow these connections in the Rule Base.

Accept Outgoing Packets Originating from Gateway— Accept all outgoing packets
originating on the gateway (the VPN/FireWall Module machine).
Accept Outgoing Packets Originating from Gateway is set to Before Last to enable the user
to define more detailed rules relating to these packets that will be enforced before this
property. If this property were First, then there would be no opportunity for the user to relate
to these in the Rule Base. If it were Last, then it would be enforced after the last rule (which
typically rejects all packets) and would thus have no effect.
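The effect of the three positions is easier to see with a small model. The following Python script is an added example, not Check Point code; the gateway object name, the rule names and the sample policy are assumptions. It places the implied rule generated by Accept Outgoing Packets Originating from Gateway at each of the three positions and evaluates the same two packets against a Rule Base that explicitly drops telnet from the gateway ahead of a cleanup rule.

```python
"""Model of how implied rules from Global Properties are merged with the
Rule Base: an implied rule sits First (ahead of every explicit rule),
Before Last (just ahead of the final explicit rule, normally the cleanup
rule) or Last (after it).

Added illustration, not Check Point code; rule names, the gateway object
and the sample policy are assumptions."""
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


@dataclass(frozen=True)
class Rule:
    name: str
    src: object        # ANY or a frozenset of object names
    dst: object
    services: object
    action: str        # "accept" or "drop"

    def matches(self, pkt):
        def hit(value, pattern):
            return pattern == ANY or value in pattern
        return (hit(pkt.src, self.src) and hit(pkt.dst, self.dst)
                and hit(pkt.service, self.services))


def effective_order(first, rule_base, before_last, last):
    """Explicit rules keep their order; implied rules are slotted around
    them according to their position."""
    body, cleanup = rule_base[:-1], rule_base[-1:]
    return list(first) + list(body) + list(before_last) + list(cleanup) + list(last)


def decide(order, pkt):
    """The first matching rule wins; an unmatched packet is dropped."""
    for rule in order:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "no rule matched"


# Assumed policy: the gateway object, an explicit rule denying telnet that
# leaves the gateway, and a cleanup rule dropping everything else.
GATEWAY = frozenset({"fw-gw"})
NO_TELNET_FROM_GW = Rule("no_telnet_from_gw", GATEWAY, ANY, frozenset({"telnet"}), "drop")
CLEANUP = Rule("cleanup", ANY, ANY, ANY, "drop")
RULE_BASE = [NO_TELNET_FROM_GW, CLEANUP]

# The implied rule generated by Accept Outgoing Packets Originating from Gateway
ACCEPT_OUTGOING = Rule("accept_outgoing_from_gateway", GATEWAY, ANY, ANY, "accept")


def decide_with_position(position, pkt):
    """Evaluate pkt with ACCEPT_OUTGOING placed First, Before Last or Last."""
    slots = {"First": [], "Before Last": [], "Last": []}
    slots[position].append(ACCEPT_OUTGOING)
    order = effective_order(slots["First"], RULE_BASE, slots["Before Last"], slots["Last"])
    return decide(order, pkt)


if __name__ == "__main__":
    syslog = Packet("fw-gw", "loghost", "syslog")
    telnet = Packet("fw-gw", "loghost", "telnet")
    for position in ("First", "Before Last", "Last"):
        print(position, decide_with_position(position, syslog),
              decide_with_position(position, telnet))
```

Before Last is the only position at which both goals are met: the explicit telnet rule is still enforced, and the implied accept still precedes the cleanup drop. Placed Last, the property never matches because the cleanup rule has already dropped the packet; placed First, it overrides the explicit rule.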
Accept RIP — Accept Routing Information Protocol used by the routed application.
RIP maintains information about reachable systems and the routes to those systems.
Accept Domain Name Over UDP (Queries) — Accept Domain Name Queries used by named.

named resolves names by associating them with their IP address. If named does not know the
IP address associated with a particular host name, it issues a query to the name server on the
Internet.
Accept Domain Name Over TCP (Zone Transfer) — Allow uploading of domain name-
resolving tables.
Tables of Internet host names and their associated IP addresses and other data can be uploaded
from designated servers on the Internet.
Accept ICMP requests— Accept Internet Control Messages.
ICMP (Internet Control Message Protocol) is used by IP for control messages (for example,
destination unreachable, source quench, route change) between systems.
Accept ICMP requests is set to Before Last to enable the user to define more detailed ICMP
related rules that will be enforced before this property. If this property were First, then there
would be no opportunity for the user to relate to ICMP in the Rule Base. If it were Last,
then it would be enforced after the last rule (which typically rejects all packets) and would thus
have no effect.
Enabling Accept ICMP does not enable ICMP Redirect. If you wish to enable ICMP
Redirect, you must explicitly do so.
Accept CPRID connections — Accept SmartUpdate connections.
Accept dynamic address gateways’ DHCP traffic — Accept DHCP traffic for DAIP
(Dynamically Assigned IP Address) Modules.
See Chapter 14, “Dynamically Assigned IP Addresses” for more information about DAIP
Modules.

Track
Log Implied Rules — Log the connections to which implied rules (the rules shown when
Implied Rules has been selected in the View menu) are applied.
The rule number of these log entries is 0 (zero).
See “Interaction between Rule Base and Implied Rules (Properties)” on page 317 for more
information.

Security Server
For information about Security Servers, see “Security Servers” on page 205 of Check Point
FireWall-1 Guide.


VoIP (Voice over IP)


Log VoIP connection — If checked, additional log entries will be generated for every VoIP
connection.
For information about the H.323 parameters in this page, see “Global Properties — H.323” in
Chapter 6, “VoIP (Voice Over IP)” of Check Point FireWall-1 Guide.
For information about the SIP parameters in this page, see “Global Properties — SIP” in
Chapter 6, “VoIP (Voice Over IP)” of Check Point FireWall-1 Guide.

NAT (Network Address Translation)


For information about Network Address Translation, see Chapter 2, “Network Address
Translation (NAT)” of Check Point FireWall-1 Guide.

Automatic NAT rules


Allow bidirectional NAT — If more than one automatic NAT rule matches a connection, then
both rules are applied.
When NAT is defined for a network object, an automatic NAT rule is generated which
performs the required translation. If there are two such objects and one is the source of a
connection and the other the destination, then without bi-directional NAT, only one of these
objects will be translated, because only one of the automatically generated NAT rules will be
applied. With Bi-directional NAT, both automatic NAT rules are applied, and both objects
will be translated.
The operation of bi-directional NAT can be tracked using the Log Viewer, using the fields
• NAT Rule Number
• NAT Additional Rule Number

The NAT rules are the ones in the Address Translation Rule Base. The additional rule is the
rule that matches the automatic translation performed on the second object in bi-directional
NAT.
If Automatic rules intersection is checked, then both rules will be applied and both source
and destination addresses will be translated. If it is not checked, only one of these objects will
be translated, because only one of the automatically generated NAT rules is applied.
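The difference between the two settings can be worked through for a pair of statically translated hosts. The following Python script is an added example, not Check Point code; the addresses, object names and the way it numbers the automatic rules are assumptions. It generates the two automatic rules each object produces (source translation when the object originates a connection, destination translation when its public address is the target), evaluates a connection from one host to the other’s public address with and without bidirectional NAT, and reports the NAT Rule Number and NAT Additional Rule Number the Log Viewer fields above refer to.

```python
"""Model of automatic NAT rules for statically translated hosts, evaluated
with and without Allow bidirectional NAT (automatic rules intersection).

Added illustration, not Check Point code; addresses, object names and the
rule numbering are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    number: int
    field: str          # "src" or "dst": which address this rule translates
    match: str          # original address that must appear in that field
    translate_to: str


def automatic_rules(objects):
    """Static NAT on an object yields two automatic rules: translate the
    source when the object originates a connection, and translate the
    destination when its public address is the target."""
    rules, n = [], 1
    for private, public in objects:
        rules.append(NatRule(n, "src", private, public))
        rules.append(NatRule(n + 1, "dst", public, private))
        n += 2
    return rules


def translate(rules, src, dst, bidirectional):
    """Apply the first matching automatic rule. With bidirectional NAT, also
    apply the first later rule that translates the other address.
    Returns (translated src, translated dst, NAT rule number,
    NAT additional rule number)."""
    original = {"src": src, "dst": dst}
    xlated = dict(original)
    nat_rule = additional = None
    for rule in rules:
        if original[rule.field] != rule.match:
            continue
        if nat_rule is None:
            nat_rule = rule
            xlated[rule.field] = rule.translate_to
            if not bidirectional:
                break
        elif rule.field != nat_rule.field:
            additional = rule
            xlated[rule.field] = rule.translate_to
            break
    return (xlated["src"], xlated["dst"],
            nat_rule.number if nat_rule else None,
            additional.number if additional else None)


# Assumed topology: two internal hosts, each with a public static NAT address
OBJECTS = [("10.1.1.5", "203.0.113.5"), ("10.1.2.7", "203.0.113.7")]
RULES = automatic_rules(OBJECTS)

if __name__ == "__main__":
    # Host A connects to host B's public address through the gateway
    print("without bidirectional NAT:", translate(RULES, "10.1.1.5", "203.0.113.7", False))
    print("with bidirectional NAT:   ", translate(RULES, "10.1.1.5", "203.0.113.7", True))
```

Without bidirectional NAT only the source rule is applied, so the packet leaves with its destination still set to the public address and never reaches the second host. With bidirectional NAT the destination rule is applied as well and is reported as the additional rule. A connection arriving from outside to a public address matches only a destination rule, so both settings give the same result there.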
Translate destination on client side — Static Destination Mode NAT is performed on the
Client side.
In VPN-1/FireWall-1 prior to Version NG, Static Destination Mode NAT was performed on
the server side of the gateway, which required special handling for anti-spoofing and internal
routing.
For new installations, Perform destination translation on the client side is enabled by
default. For upgrades, Perform destination translation on the client side is disabled, in
order to maintain compatibility with earlier versions.


For additional information, see “Ensuring That the Gateway Forwards the Packet to the
Correct Host” on page 84 and “Static Destination Mode” on page 77 of Check Point
FireWall-1 Guide.
Automatic ARP configuration — ARP tables on the VPN/FireWall Module machine (gateway)
performing NAT will be automatically configured so that ARP requests for a translated (NATed)
machine, network or address range are answered by the gateway.
This option removes the requirement (present in VPN-1/FireWall-1 prior to Version NG) for
manual ARP configuration (using the arp command in Unix or the local.arp file in NT).
The command fw ctl arp displays the VPN-1/FireWall-1 Module’s ARP proxy table on
Windows NT and Windows 2000 VPN/FireWall Modules (see “fwm ctl” on page 576). On
Unix, use the arp -a command.
For additional information, see “Ensuring That the Gateway Forwards the Packet to the
Correct Host” on page 84 of Check Point FireWall-1 Guide.

IP Pool NAT
For information about IP Pools, see “IP Pools” on page 176 of Check Point Virtual Private
Networks Guide for information about these parameters.

Private Address Ranges


IP addresses in the specified ranges are considered private addresses by the SmartMap and by
the automatic topology discovery feature (see “Automatic Topology Discovery and Definition”
on page 186).
The default ranges are those defined by RFC 1918.
• To add a new range, click Add.
• To edit an existing range, select the range and click Edit.
• To remove a range, select it and click Remove.

Authentication

Failed Authentication Attempts


Define the number of failed authentication attempts before terminating the connection for the
following services:
• rlogin connection
• telnet connection
• Client Authentication connection
• Session Authentication connection


Authentication of Users with certificates


Authenticate internal users with this suffix only — This feature is enabled by default, and is
relevant only for users (not administrators) defined in the internal database who authenticate with
PKI. When checked, it enforces a specific suffix on the user’s DN, so that only certificates whose
DN carries the specified suffix are accepted. The suffix is set by default to the suffix of the ICA’s
DN, so that user certificates issued by the ICA are authenticated (user certificates issued by the
ICA are a new feature in FP1).

Earlier Versions Compatibility


Note - For VPN-1/FireWall-1 NG and higher, these settings should be defined in the network
object’s Properties window.
For earlier versions, these settings should be defined in the Authentication page of the
Global Properties window.

User Authentication Session timeout (minutes) - The session will time out if there is no
activity for this time period. This applies to FTP, telnet, and the rlogin Security Servers.
For HTTP, this field has a different meaning: The HTTP Security Server extends the validity of
a one-time password for this time period, so users with one-time passwords will not have to
reauthenticate for each connection during this time period.
Enable wait mode for Client Authentication — This option applies only when a user initiates
Client Authentication through a telnet session to port 259 on the gateway.
If Enable wait mode is checked, the initial telnet session remains open. The Client
Authentication session is closed when the telnet session is closed, either by the user or by
other means. VPN-1/FireWall-1 pings the client at regular intervals during the authorization
period. If the client machine has stopped running (for example, due to a power failure) VPN-
1/FireWall-1 closes the telnet session and Client Authentication privileges to the IP address are
withdrawn. When the Client Authentication session has been closed, it cannot initiate any
new authenticated connections; however, all existing authenticated connections remain open.
If Enable wait mode is not checked, the initial telnet session is closed when the user chooses
the Standard Sign On or Specific Sign On options. The user must initiate another telnet
session on the gateway in order to sign off the Client Authentication session.
Authentication Failure Track — specifies the action to take if Authentication fails (applies to
all authentication rules)
• None — no tracking
• Log — Create a log of the authentication action.
• Popup Alert — Run the popup alert script specified in the Log and Alert page of the
Global Properties window (FIGURE 7-23 on page 413).

For information about authentication, see Chapter 3, “Authentication” of Check Point FireWall-1
Guide.


VPN-1 Pro
For information about encryption, see Check Point Virtual Private Networks Guide.

VPN-1 Early Versions Compatibility


For information about this page, see Check Point Virtual Private Networks Guide.

VPN-1 Advanced
For information about the VPN-1 Advanced page, see Check Point Virtual Private Networks Guide.

VPN-1 Net
For information about the VPN-1 Net page, see Check Point Virtual Private Networks Guide.

Remote Access — VPN SecuRemote/SecureClient


For information about the Remote Access page, see the Check Point Desktop Security Guide.

Remote Access — VPN


For information about the Remote Access page, see the Check Point Desktop Security Guide.

Remote Access — Secure Configuration Verification


For information, see Check Point Virtual Private Networks Guide.

Remote Access — Early Versions Compatibility


For information, see Check Point Virtual Private Networks Guide.

FloodGate-1 Properties

Bandwidth Control

Weight
Maximum weight of rule — the maximum rate that can be assigned to a rule
Default weight of rule — the default rate assigned to a new rule and to Default rules

Rate
Default interface Rate — the default bandwidth capacity for interfaces
Unit of measure — the unit specified by default for transmission rates


Authentication Timeout for QoS


Authenticated IP expires after — If a user has previously been authenticated, all connections
opened within the specified time will receive the guaranteed bandwidth connection. Any
connection opened after the specified time will require re-authentication.
Non authenticated IP expires after — If a user has previously tried and failed to be
authenticated, all connections that are opened within the specified time will not receive the
guaranteed bandwidth connection.
Unresponded queried IP expires after — UserAuthority is queried to see if a user’s IP address
has been previously authenticated using Client Authentication or SSL. If the query is not
answered within the specified time, the connection will be classified under the default rule.
Set Default — Restore the default settings of the Authentication timeout for QoS parameters.

SmartMap
The SmartMap page enables or disables the SmartMap view.
For more information, see Chapter 16, “SmartMap.”

Management High Availability


The Management High Availability page specifies how redundant SmartCenter Servers
synchronize their databases.
For more information, see Chapter 17, “Management High Availability.”

LDAP (Account Management)


The LDAP page defines the properties related to communications with LDAP Servers (see “User
Database” on page 167).
Use LDAP Account Management — Check this field if User Authentication will use LDAP
Account Units, in addition to the VPN-1/FireWall-1 internal User Database.
• If this field is checked, the other fields in the window are enabled.
• If this field is not checked, User Authentication will use only the VPN-1/FireWall-1
internal User Database.
Time-out on LDAP Requests — An LDAP request will be considered to have timed out after
this period (specified in seconds).
Time-out on Cached Users — A cached user will be considered to be out-of-date after this
period (specified in seconds), and will be fetched again from the LDAP Server.
Cache Size (Users) — This field specifies the number of users that will be cached.
The cache is FIFO (first-in, first-out). When a new user is added to a full cache, the first user
is deleted to make room for the new user. VPN-1/FireWall-1 does not query the LDAP
Server for users already in the cache, unless the cache has timed out.
Password Expires After — The number of days for which a user’s password is valid.


After this period has passed, the user must define a new password.

Note - This field does not apply to IKE pre-shared secrets and certificates, which do not
expire.

If a user’s password is modified using a tool other than the Check Point Account Management
Client, fw1pwdLastMod attribute is not updated, and the new password will expire on the day
the old one would have expired.
To specify that a password never expires, set Password Expires After to 0 (zero) days.

Example
Suppose that for user Alice, Days before Password Expires is 15. On January 1st, Alice
modifies her password using the Check Point Account Management Client. fw1pwdLastMod
is set to January 1st, so her password will expire on January 16th.
Suppose that on January 10th, Alice modifies her password again.
• If she uses the Check Point Account Management Client to modify her password, then:
• fw1pwdLastMod is changed to January 10th.
• Her new password is valid for 15 days from January 10th, and will expire on January
25th.
• If she uses a different LDAP Client to modify her password, then:
• fw1pwdLastMod is not changed, and is still January 1st.
• Her new password is valid for 15 days from January 1st, and will expire on January
16th.
When a user defined on an LDAP Account Unit enters a password, VPN-1/FireWall-1 checks
whether the password has expired. If the password has expired, the user is prompted to enter a
new password.
The new password must be different from the old one, and must also satisfy the following
conditions:
• minimum length
• minimum number of lowercase letters (a-z)
• minimum number of uppercase letters (A-Z)
• minimum number of symbols (non-letters and non-numbers)
• minimum number of digits (0-9)


The default values for these conditions are given in the objects.C file by the following
parameters (the default setting is in parenthesis):

:props (
        :psswd_min_length (0)
        :psswd_min_num_of_lowercase (0)
        :psswd_min_num_of_uppercase (0)
        :psswd_min_num_of_symbols (0)
        :psswd_min_num_of_numbers (0)
)
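The expiry rule and the complexity parameters together make up the check a user’s new password goes through. The following Python script is an added example, not Check Point code; the function names, the stricter sample policy and the sample passwords are assumptions. It computes the expiry date from the stored fw1pwdLastMod value and Password Expires After (so a password changed through another LDAP client, which leaves fw1pwdLastMod untouched, keeps its old expiry date, as in the example above), and checks a new password against the psswd_min_* parameters.

```python
"""Model of the LDAP Account Management password checks: expiry derived
from fw1pwdLastMod and Password Expires After, and the psswd_min_*
complexity parameters from objects.C.

Added illustration, not Check Point code; function names, the sample
policy and the sample passwords are assumptions."""
from datetime import date, timedelta

# Defaults as given in objects.C: all zero, so no complexity is enforced
DEFAULT_PROPS = {
    "psswd_min_length": 0,
    "psswd_min_num_of_lowercase": 0,
    "psswd_min_num_of_uppercase": 0,
    "psswd_min_num_of_symbols": 0,
    "psswd_min_num_of_numbers": 0,
}

# Assumed stricter policy for the demonstration below
STRICT_PROPS = {
    "psswd_min_length": 8,
    "psswd_min_num_of_lowercase": 1,
    "psswd_min_num_of_uppercase": 1,
    "psswd_min_num_of_symbols": 1,
    "psswd_min_num_of_numbers": 1,
}


def expiry_date(fw1pwdLastMod, password_expires_after):
    """Date on which the password stops being valid, or None when
    Password Expires After is 0 (the password never expires)."""
    if password_expires_after == 0:
        return None
    return fw1pwdLastMod + timedelta(days=password_expires_after)


def password_expired(today, fw1pwdLastMod, password_expires_after):
    """True once the expiry date has been reached; the user must then
    enter a new password."""
    expiry = expiry_date(fw1pwdLastMod, password_expires_after)
    return expiry is not None and today >= expiry


def check_new_password(new, old, props=DEFAULT_PROPS):
    """Return the list of violated conditions; an empty list means the new
    password is accepted."""
    failures = []
    if new == old:
        failures.append("same as old password")
    counts = {
        "psswd_min_length": len(new),
        "psswd_min_num_of_lowercase": sum(c.islower() for c in new),
        "psswd_min_num_of_uppercase": sum(c.isupper() for c in new),
        "psswd_min_num_of_symbols": sum(not c.isalnum() for c in new),
        "psswd_min_num_of_numbers": sum(c.isdigit() for c in new),
    }
    for key, minimum in props.items():
        if counts[key] < minimum:
            failures.append(f"{key}: need {minimum}, have {counts[key]}")
    return failures


if __name__ == "__main__":
    # Alice's example from the text: 15-day expiry, fw1pwdLastMod = January 1st
    print("expires on", expiry_date(date(2002, 1, 1), 15))
    # Changed on January 10th through the Account Management Client
    print("expires on", expiry_date(date(2002, 1, 10), 15))
    # Changed on January 10th through another LDAP client: fw1pwdLastMod unchanged
    print("expires on", expiry_date(date(2002, 1, 1), 15))
    print(check_new_password("Tr0ub4dor&", "hunter2", STRICT_PROPS))
    print(check_new_password("abc", "hunter2", STRICT_PROPS))
```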

Allow Account Unit to Return — This field specifies the number of users that the Account
Unit may return in response to a single query.
Display user’s DN at login — If checked, then when an LDAP user logs in, his or her DN will
be displayed before he or she is prompted for a password.
This property is a useful diagnostic tool when there is more than one user with the same name
in an Account Unit. In this case, the first one is chosen and any others are ignored. If this
property is enabled, the user can verify that the correct entry is being used.

Note - A user can log in either with a user name or with a DN.

Connect Control

Servers Availability
Server availability check interval — The interval (in seconds) at which the VPN/FireWall
Module will ping a physical server to determine if it is available.
Server check retries — The number of consecutive times the server availability check must fail
in order that the VPN/FireWall Module will consider the physical server to be unavailable (and
will no longer direct connections to it).

Servers Persistency
Persistent server timeout — The length of time during which connections will be redirected
to the same physical server when Persistent server mode is enabled for a Logical Server in the
Logical Server Properties window (FIGURE 9-2 on page 323 of Check Point FireWall-1
Guide).

Server Load Balancing


Load Agents Port — the port on which the Load Measurement Agent communicates
The load agent uses UDP port 18212 by default.
Load Measurement Interval — the intervals at which the Load Measuring Agent measures the
load


For more information about these parameters, see “How Server Load Balancing Works” on page
320 of Check Point FireWall-1 Guide.

Open Security Extension (OSE) Access List


The OSE Access Lists page of the Global Properties window is similar to the Implied Rules
page (see “FireWall-1 Implied Rules” on page 276), but only options relevant for routers are
enabled.
Accept RIP — Accept Routing Information Protocol used by the routed application.
RIP maintains information about reachable systems and the routes to those systems.
Accept Domain Name Over UDP (Queries) — Accept Domain Name Queries used by named.
named resolves names by associating them with their IP address. If named does not know the
IP address associated with a particular host name, it issues a query to the name server on the
Internet. Enable UDP Replies must be enabled to receive the reply. Domain Name Queries
are issued as needed. Make sure this property is not overridden by rules in the Rule Base.
Accept Domain Name Over TCP (Zone Transfer) — Allow uploading of domain name-resolving
tables.
Tables of Internet host names and their associated IP addresses and other data can be uploaded
from designated servers on the Internet. Note that accepting zone transfers from anywhere also
lets any host on the Internet request a complete copy of your zone data; where possible, leave
this property off and allow DNS over TCP only from your known secondary servers with an
explicit rule.
Accept ICMP requests — Accept Internet Control Message Protocol packets.
ICMP (Internet Control Message Protocol) is used by IP for control messages (for example,
destination unreachable, source quench, route change) between systems.
The Accept ICMP requests property is set to Before Last to enable the user to define more
detailed ICMP related rules that will be enforced before this property. If this property were
First, then there would be no opportunity for the user to relate to ICMP in the Rule Base. If
it were Last, then it would be enforced after the last rule (which typically rejects all packets)
and would thus have no effect.
VPN-1/FireWall-1 maintains state information for ICMP. If Accept ICMP is enabled,
VPN-1/FireWall-1 does not allow ICMP replies after one minute has passed since the
corresponding ICMP request.
Enabling Accept ICMP does not enable ICMP Redirect. If you wish to enable ICMP Redirect,
you must do so in the Rule Base.

286 Check Point SmartCenter Guide • September 2002



Stateful Inspection

Note - The term “Stateful Inspection” means that packets are inspected in the context of
connections. The initial packet of a connection is inspected against the Rule Base. If the
connection is allowed, then the connection is added to an internal connection table, and
subsequent packets are checked against the connection table. A connection is removed
from the connection table when it terminates or times out. The use of the connection
table significantly speeds up packet processing.

Default Session Time-outs


TCP start timeout — A TCP connection will be timed out if the interval between the arrival
of the first packet and establishment of the connection (TCP three-way handshake) exceeds TCP
start timeout seconds.

TCP session timeout — The length of time an idle connection will remain in the
VPN-1/FireWall-1 connections table.
See “When a Security Policy is Installed” on page 346.
TCP end timeout — A TCP connection will be terminated only TCP end timeout seconds
after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST
packet.
This means that after a TCP connection has ended (has seen FIN packets or has been reset)
the VPN/FireWall Module will keep the connection in the connections table another TCP
end timeout seconds, to allow for any stray ACKs belonging to the connection that might
arrive late.

Virtual Session Time-outs

Virtual Sessions — VPN-1/FireWall-1 secures connectionless services using the concept of a
“virtual session,” creating a connection context for these services. Once the specified time has
elapsed, the communication is assumed to have ended and the reply channel is closed.
UDP virtual session timeout — Specifies the amount of time a UDP reply channel may
remain open without any packets being returned.

ICMP virtual session timeout — An ICMP virtual session will be considered to have timed out
after this time period.
Other IP Protocols virtual session timeout — A virtual session of services (which are not one
of the following: TCP, UDP, ICMP) will be considered to have timed out after this time period.

Stateful UDP
These properties define the defaults for UDP services that are not defined in the Services
Manager. For UDP services defined in the Services Manager, the properties are defined on a
per-service basis in the Advanced UDP Service Properties window (FIGURE 6-3 on
page 225).




Accept stateful UDP replies for unknown services — Specifies if UDP replies are to be
accepted.
To specify that no UDP replies will be accepted, uncheck Accept stateful UDP replies for
unknown services.

If Accept stateful UDP replies for unknown services is checked, then Accept stateful UDP
replies from any port for unknown services specifies from which ports to accept UDP
replies.
Accept stateful UDP replies from any port for unknown services — If checked, UDP
replies will be accepted from any port. Otherwise, UDP replies will be accepted only from the
port to which the original communication was sent.

Stateful ICMP
Stateful Inspection is always applied to ICMP packets, that is, an ICMP packet must be in the
context of an ICMP “virtual session,” or statefully matched to another TCP/UDP connection
(for example, ICMP errors). These properties relate to ICMP packets which refer to another
non-ICMP connection, (for example, to an ongoing TCP or UDP connection) that is allowed
by the Rule Base. In other words, these ICMP packets can be considered to be in the context
of the other connection.
Replies — Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base.
Errors — Accept ICMP error packets which refer to another non-ICMP connection (for
example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base.
This property does not include ICMP_redirect.
Note - The stateful ICMP mechanism will not allow ICMP error messages (such as Port
Unreachable, TTL expired in transit) resulting from unidirectional ICMP and “other”
services (services that are defined with Accept Replies disabled in the Advanced
window). To allow such ICMP errors, Accept Replies must be enabled.

Stateful Other IP Protocols


This property defines the default for Other Services (that is, services which are not one of the
following: TCP, UDP, ICMP) that are not defined in the Check Point Services Manager. For
Other Services defined in the Services Manager, the property is defined on a per-service basis
in the Advanced Other Services Properties window.
Accept stateful Other IP Protocol replies for unknown services — Accept reply packets for
other undefined services.

Out of State Packets


Drop out of state TCP packets — Drop TCP packets which are not consistent with the
current state of the TCP connection.
Log on drop — Generate a log entry when these packets are dropped.




Drop out of state UDP packets — Drop UDP packets which are not in the context of a
“virtual session” (see “Virtual Sessions” on page 287).
Log on drop — Generate a log entry when these packets are dropped.
Drop out of state ICMP packets — Drop ICMP packets which are not in the context of a
“virtual session” (see “Virtual Sessions” on page 287).
This parameter is always enabled.
Log on drop — Generate a log entry when these packets are dropped.
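The following is an added example (not Check Point code) that models, in Python, how a connection table applies the TCP start, session and end timeouts, the UDP reply channel with and without Accept stateful UDP replies from any port, and the Drop out of state TCP/UDP packets properties described above. The hosts, ports, timestamps and timeout values are constructed for the illustration; in particular the numeric defaults are assumptions, not values from this guide.

```python
"""Stateful connection table modelling the Default Session Time-outs, Stateful
UDP and Out of State Packets properties. Added example, not Check Point code.
Hosts, ports, packet events and timeout values are constructed; the numeric
defaults are assumptions."""
from dataclasses import dataclass, field

ACCEPT, DROP = "accept", "drop"


@dataclass
class Timeouts:
    tcp_start: int = 25      # SYN seen, three-way handshake not yet completed
    tcp_session: int = 3600  # idle established connection
    tcp_end: int = 20        # after a FIN in both directions, or an RST
    udp_session: int = 40    # idle UDP reply channel ("virtual session")


@dataclass
class Entry:
    state: str       # "starting", "established" or "ending"
    since: int       # time the current state was entered
    last_seen: int   # time of the last packet in either direction
    fins: set = field(default_factory=set)   # directions in which a FIN was seen


class ConnTable:
    """Connections are keyed by their first packet: (proto, src, sport, dst, dport)."""

    def __init__(self, timeouts=None, udp_replies=True, udp_any_port=False,
                 drop_out_of_state_tcp=True):
        self.t = timeouts or Timeouts()
        self.udp_replies, self.udp_any_port = udp_replies, udp_any_port
        self.drop_oos_tcp = drop_out_of_state_tcp
        self.table, self.log = {}, []   # self.log collects the "Log on drop" entries

    def _expire(self, now):
        """Remove every entry whose timeout has elapsed at time `now`."""
        for key, e in list(self.table.items()):
            if key[0] == "tcp":
                limit = {"starting": self.t.tcp_start, "established": self.t.tcp_session,
                         "ending": self.t.tcp_end}[e.state]
            else:
                limit = self.t.udp_session
            ref = e.last_seen if e.state == "established" else e.since
            if now - ref > limit:
                del self.table[key]

    def _lookup(self, key):
        """Return (entry, direction) for a packet, or (None, None) if no session matches."""
        proto, src, sport, dst, dport = key
        if key in self.table:
            return self.table[key], "fwd"
        rev = (proto, dst, dport, src, sport)
        if rev in self.table:
            return self.table[rev], "rev"
        if proto == "udp":
            for k, e in self.table.items():
                # a reply to an open session, but not from the port that was queried
                if k[0] == "udp" and k[1:3] == (dst, dport) and k[3] == src:
                    return e, ("rev" if self.udp_any_port else "rev-wrong-port")
        return None, None

    def packet(self, now, proto, src, sport, dst, dport, flags=frozenset(), rule_allows=False):
        """Inspect one packet; rule_allows is the Rule Base verdict for a first packet."""
        self._expire(now)
        key = (proto, src, sport, dst, dport)
        if proto == "tcp":
            return self._tcp(now, key, flags, rule_allows)
        return self._udp(now, key, rule_allows)

    def _tcp(self, now, key, flags, rule_allows):
        e, direction = self._lookup(key)
        if e is None:
            if "SYN" in flags and "ACK" not in flags:      # a new connection attempt
                if not rule_allows:
                    return DROP, "rule base"
                self.table[key] = Entry("starting", now, now)
                return ACCEPT, "new connection"
            if self.drop_oos_tcp:                            # not the start of a connection
                self.log.append(("drop out of state TCP", key))
                return DROP, "out of state"
            return (ACCEPT if rule_allows else DROP), "rule base"
        e.last_seen = now
        if e.state == "ending":                               # stray ACK inside TCP end timeout
            return ACCEPT, "closing"
        if "RST" in flags:
            e.state, e.since = "ending", now
        elif "FIN" in flags:
            e.fins.add(direction)
            if len(e.fins) == 2:                              # FIN seen in both directions
                e.state, e.since = "ending", now
        elif e.state == "starting" and "ACK" in flags and "SYN" not in flags:
            e.state, e.since = "established", now             # handshake completed
        return ACCEPT, e.state

    def _udp(self, now, key, rule_allows):
        e, direction = self._lookup(key)
        if e is None:
            if not rule_allows:
                return DROP, "rule base"
            self.table[key] = Entry("established", now, now)
            return ACCEPT, "new virtual session"
        if direction != "fwd" and (not self.udp_replies or direction == "rev-wrong-port"):
            self.log.append(("drop out of state UDP", key))
            return DROP, "out of state"
        e.last_seen = now
        return ACCEPT, "virtual session"


def demo():
    """Constructed traffic between 10.0.0.5 and 192.0.2.10; returns the verdicts."""
    c = ConnTable()
    a, b = "10.0.0.5", "192.0.2.10"
    tcp = lambda t, s, sp, d, dp, fl, ok=False: c.packet(t, "tcp", s, sp, d, dp, frozenset(fl), ok)
    udp = lambda t, s, sp, d, dp, ok=False: c.packet(t, "udp", s, sp, d, dp, frozenset(), ok)
    return [
        tcp(0, a, 40000, b, 80, {"SYN"}, ok=True),     # rule base accepts: starting
        tcp(1, b, 80, a, 40000, {"SYN", "ACK"}),
        tcp(2, a, 40000, b, 80, {"ACK"}),              # handshake done: established
        tcp(100, a, 40000, b, 80, {"FIN", "ACK"}),     # first FIN
        tcp(101, b, 80, a, 40000, {"FIN", "ACK"}),     # second FIN: TCP end timeout starts
        tcp(110, a, 40000, b, 80, {"ACK"}),            # late ACK 9 s after close: still accepted
        tcp(130, a, 40000, b, 80, {"ACK"}),            # 29 s after close: out of state
        tcp(200, a, 40001, b, 80, {"SYN"}, ok=True),
        tcp(230, a, 40001, b, 80, {"ACK"}),            # handshake never finished: start timeout
        udp(300, a, 5353, b, 53, ok=True),             # DNS query opens a virtual session
        udp(301, b, 53, a, 5353),                      # reply from the queried port
        udp(302, b, 1024, a, 5353),                    # reply from another port: out of state
        udp(350, b, 53, a, 5353),                      # 49 s idle: session expired, rule base again
    ]
```

Running demo() shows the behaviour the properties describe: the ACK 9 seconds after the second FIN is still accepted, the one 29 seconds after is dropped as out of state and logged, the SYN whose handshake never completes is forgotten once the start timeout passes, and the DNS reply from a port other than 53 is dropped unless the table was created with udp_any_port=True.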

TCP Sequence Verifier


Drop out of sequence packets — Drop out-of-window TCP packets (that is, packets whose ACK or
SEQ numbers are out of sequence).
In a TCP connection, each side uses ACK and SEQ numbers to maintain a “sliding window” of
the data it has received and sent. Out of sequence ACK or SEQ numbers may, in some cases,
be evidence of an attack.
Log ... out of state packets — The drop-down list in this option selects which out of sequence
packets are logged. Select one of the following:
Suspicious — Log only those out of sequence packets that indicate either:
• an attack
• an asymmetric routing configuration error where some packets are not being routed
through the VPN/FireWall Module

Note - This setting is a useful method of detecting whether such routing configuration
errors are present.

Anomalous — Log only those out of sequence packets that can rarely occur in a valid
connection.
Every — Log all out of sequence packets.
Every includes Suspicious and Anomalous, as well as some harmless out of sequence
packets (for example, some retransmitted packets, which are accepted after their payload has
been cleared).

Log and Alert

Track Options
VPN successful key exchange — Specifies the action to be taken when VPN keys are
successfully exchanged.
VPN packet handling errors — Specifies the action to be taken when encryption or
decryption errors occur.




A log entry contains the action performed (Drop or Reject) and a short description of the
error cause, for example, scheme or method mismatch.
VPN configuration and key exchange errors — Specifies the action to be taken when VPN
configuration or key exchange errors occur, for example, when attempting to establish
encrypted communication with a network object inside the same encryption domain.
IP Options drop — Specifies the action to take when a packet with IP Options is encountered.
VPN-1/FireWall-1 always drops these packets, but you can log them or issue an alert.
Administrative notifications — Specifies the action to be taken when an administrative event
(for example, when a certificate is about to expire) occurs.
SLA violation — Specifies the action to be taken when an SLA violation occurs, as defined in
the Virtual Links window (see the SmartView Monitor User Guide).

Connection matched by SAM — Specifies the action to be taken when a connection is
blocked by SAM (Suspicious Activities Monitoring).
For information about SAM, see http://www.opsec.com.
Dynamic object resolution failure — Specifies the action to be taken when a dynamic object
cannot be resolved (see “dynamic_objects” on page 789).

Logging Modifiers
Log Established TCP packets — This option controls logging TCP packets for previously
established TCP connections, or packets whose connections have timed out (see “TCP session
timeout” on page 394).
Log every authenticated HTTP connection — Specifies that a log entry should be generated
for every authenticated HTTP connection.
Unify FTP Control and Data logs — Specifies that log entries for the control and data
connections of an FTP session should be unified.

Time Settings
Excessive log grace period — Specifies the minimum amount of time between consecutive
logs of similar packets.
Two packets are considered similar if they have the same source address, source port,
destination address, and destination port; and the same protocol was used. After the first
packet, similar packets encountered within the grace period will be acted upon according to
the Security Policy, but only the first packet generates a log entry or an alert.
Log Manager resolving timeout — After this amount of time, display the log page without
resolving names and show only IP addresses.
Virtual Link statistics interval — Specify the frequency with which Virtual Link statistics will
be logged.




This parameter is relevant only for Virtual Links defined with Log E2E statistics enabled in the
SLA Parameters tab of the Virtual Link window (see the SmartView Monitor User Guide).

Status Fetching Interval — Specifies the frequency at which the SmartCenter Server queries
the VPN/FireWall, FloodGate and other Modules it manages for status information. Any value
from 30 to 900 seconds can be entered in this field.
Community default rule — Specifies whether connections between VPN Community
members, which are accepted by default, are to be logged.

Alert Commands
Send popup alert to System Status — Specifies that when an alert is issued, it is also sent to
System Status.
Run popup alert script — Specifies the OS script to be executed when an alert is issued.
It is recommended not to change this command, otherwise you may not become aware of the
condition that caused the alert.
See “On Which Machine Are the Alert Scripts Executed?” on page 292 for more information.
Send mail alert to System Status — Specifies that when a mail alert is issued, it is also sent to
System Status.
Mail alert script — Specifies the OS script to be executed when Mail is specified as the Track
in a rule.
The default is internal_send_mail, which is not a script but an internal VPN-1/FireWall-1
command. Its syntax is described below.

internal_send_mail [-s subject] -t mailserver [-f sender_email] recipient_email [recipient_email ...]

internal_send_mail cannot be run from the OS command line.


Its options are listed in TABLE 7-2.

TABLE 7-2 internal_send_mail options

parameter          meaning
-s subject         The subject of the mail message is specified by subject.
-t mailserver      mailserver is the system mail server.
-f sender_email    The email address of the sender.
recipient_email    The email address of the recipient. At least one recipient must be specified.

You can specify commands other than the default. See “On Which Machine Are the Alert
Scripts Executed?” on page 292 for more information.




Send SNMP trap alert to System Status — Specifies that when an SNMP trap alert is issued, it
is also sent to System Status.
SNMP trap alert command — Specifies the OS script to be executed when SNMP Trap is
specified as the Track in a rule.
The default is internal_snmp_trap, which is not a script but an internal VPN-1/FireWall-1
command.
You can specify commands other than the default. See “On Which Machine Are the Alert
Scripts Executed?” on page 292 for more information.
Send user defined alert no. 1 to System Status — Specifies that when an alert is issued, it is
also sent to System Status.
Run user defined alert script no. 1— Specifies the OS script to be executed when User-
Defined is specified as the Track in a rule, or when User Defined Alert no. 1 is selected as one
of the Track Options below.
Send User defined alert no. 2 to System Status — Specifies that when a user defined alert no.
2 is issued, it is also sent to System Status.
Run user defined alert script no. 2 — Specifies the OS script to be executed when User
Defined Alert no. 2 is selected as one of the Track Options below.
Send User defined alert no. 3 to System Status — Specifies that when a user defined alert no.
3 is issued, it is also sent to System Status.
Run user defined alert script no. 3 — Specifies the OS script to be executed when User
Defined Alert no. 3 is selected as one of the Track Options below.
See “On Which Machine Are the Alert Scripts Executed?” on page 292 for more information.
Send 4.x alert to System Status — Specifies that when an alert is issued on a Version 4.x
Module, it is also sent to System Status.
Run 4.x alert script — Specifies the OS script to be executed when an alert is issued on a
Version 4.x Module.

On Which Machine Are the Alert Scripts Executed?


Alert scripts are executed by the alertd process running on the machine on which the Log File
is written. The default is the Management Server, but logs can be directed to other machines.
If logs are being sent to more than one machine, then each alertd process will execute the alert
command. So, for example, two SNMP traps may be executed for the same log entry.
A message describing the event that triggered the alert is available in the command’s stdin for
all the alert commands. Because that message carries data taken from the logged connection
(for example, host names or URLs chosen by the remote party), an alert script should treat its
stdin as untrusted input and must not pass it to a shell unquoted.

Extranet Management Interface


FIGURE 7-1 Extranet Management Interface page — Global Properties window




For information about extranets, see Check Point Virtual Private Networks.

SmartDashboard Customization
Create Check Point installed Gateways using — Select the mode to use when you define a
new gateway: either simple mode (the gateway wizard is used) or classic mode (you specify
all the parameters in the different pages of the gateway’s Properties window).
VPN Topological view

Specify the number of Community members from which the VPN Topological view should
display an icon instead of a full mesh — When a large number of community members are
displayed in a full mesh view, it can be difficult to understand the diagram. In this case, you may
prefer to display an icon instead.
Policy Installation

When installing a Policy or Users Database, you can choose whether All Modules or None of
the Modules are checked by default in the Install On window.

Revision Control

Create new version upon Policy Installation — Create a new version of the Policy whenever
the Policy is installed.



CHAPTER 8

Security Policy Rule Base

In This Chapter

What is a Policy Package? page 295


Rule Base — Basic Concepts page 295
Editing a Policy Package page 297
Masking Rules page 318
Querying the Rule Base page 321
Disabling Rules page 330
Installing and Uninstalling Policies page 331
Installing Access Lists page 342
Boot Security page 345
Auxiliary Connections page 345
When a Security Policy is Installed page 346

What is a Policy Package?


A Policy Package is a set of policies (for example, a Security Policy and an Address Translation
policy) that you define in SmartDashboard and install together on the Modules you select. For
more information on what a policy consists of, see “Rule Base — Basic Concepts” on page 295.
For information on how to define a Policy Package, see “Editing a Policy Package” on page
297.

Rule Base — Basic Concepts


A VPN-1/FireWall-1 Policy consists of network objects, users, services, properties and a Rule
Base.


Each rule in a Rule Base defines the packets that match the rule (based on Source, Destination
and Service and the Time at which the packet is inspected by the FireWall or Inspection
Module enforcing the rule). The first rule that matches a packet is applied, and the specified
Action is taken. The communication may be logged or an alert may be issued, depending on the
value of the Track field.
VPN-1/FireWall-1 follows the principle “That Which Is Not Expressly Permitted is
Prohibited.” To enforce this principle, VPN-1/FireWall-1 implicitly adds a rule at the end of the
Rule Base that drops all communication attempts not described by the other rules.
FIGURE 8-1 SmartDashboard window with Rule Base

The SmartDashboard window’s title shows the name of the Security Policy currently displayed.
Depending on your license (the VPN-1/FireWall-1 features your SmartCenter Server is licensed
to implement), you may see a number of tabs in the SmartDashboard window:
• Security
The Security Policy Rule Base is described in this chapter.
• Address Translation — The Address Translation Rule Base is described in Chapter 2,
“Network Address Translation (NAT)” of Check Point FireWall-1 Guide.
• QoS — The Quality of Service Policy is described in the book Check Point FloodGate-1
Administration.
• Desktop Security — The Desktop Security Policy is described in the book Check Point
Virtual Private Networks Guide.
Because rules are examined sequentially for each packet, only packets not described by the
earlier rules are examined by the implicit rule. However, if you rely on the implicit rule to drop
these packets, there is no way to log them. To log these packets, you must explicitly define a
“none of the above” rule, as follows:
FIGURE 8-2 “None of the Above” Rule




If you do not explicitly define such a rule, VPN-1/FireWall-1 will implicitly define one for you,
and the packets will be dropped. In no case will VPN-1/FireWall-1 allow these packets to pass.
The advantage of defining such a rule explicitly is that you can then specify logging for these
packets.
Note - It’s best to organize lists of objects (sources, destinations, or services) in groups
rather than in long lists. Using groups will give you a better overview of your Security
Policy and will lead to a more readable Rule Base. In addition, an object added to a group
is automatically covered by every rule that uses that group, so you do not have to edit
each rule.

Logged events are recorded in the Log File. For information about the Log File, see Chapter 11,
“SmartView Tracker.” Alerts and important system events are automatically recorded in the Log
File, even when not explicitly requested by the user.
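As an added example (not Check Point code), the following Python model evaluates a Rule Base the way this section describes: the first rule whose Source, Destination and Service all match decides, an implicit cleanup rule drops everything else without logging, and an explicit “none of the above” rule makes those drops visible in the log. It also applies the Excessive log grace period from the Log and Alert page and handles negated cells as described under Source, Destination and Service later in this chapter. The rules, addresses, service names and timestamps are constructed for the illustration, and the 30 second grace period is an assumed value.

```python
"""First-match Rule Base evaluator with the implicit cleanup rule, negated cells
and the excessive log grace period. Added example, not Check Point code; all
rules, addresses, services and timestamps are constructed."""
import ipaddress
from dataclasses import dataclass


def _contains(obj, value):
    """Network objects are host addresses or CIDR networks; services are names."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(obj, strict=False)
    except ValueError:
        return obj == value


@dataclass(frozen=True)
class Cell:
    """One Source/Destination/Service cell. An empty set means Any. Negate Cell
    applies to the whole cell: the rule then matches when the value is NOT in it."""
    objects: frozenset = frozenset()
    negated: bool = False

    def matches(self, value):
        if not self.objects:
            return True
        hit = any(_contains(o, value) for o in self.objects)
        return not hit if self.negated else hit


def cell(*objects, negate=False):
    return Cell(frozenset(objects), negate)


@dataclass
class Rule:
    no: int
    src: Cell
    dst: Cell
    svc: Cell
    action: str          # "accept" or "drop"
    track: str = "none"  # "none" or "log"


# Added by the FireWall after the last rule; it drops and can never log.
IMPLICIT_CLEANUP = Rule(0, cell(), cell(), cell(), "drop")


class RuleBase:
    def __init__(self, rules, grace_period=30):
        self.rules, self.grace = rules, grace_period
        self.last_logged = {}    # similar-packet key -> time of its last log entry
        self.log = []            # (time, rule no, action, src, dst, svc)

    def inspect(self, now, src, sport, dst, svc):
        """The first rule whose three cells all match is applied; later rules are ignored."""
        rule = next((r for r in self.rules
                     if r.src.matches(src) and r.dst.matches(dst) and r.svc.matches(svc)),
                    IMPLICIT_CLEANUP)
        if rule.track == "log":
            # Excessive log grace period: packets with the same source address and port,
            # destination address and service are still enforced, but only the first one
            # within the grace period produces a log entry.
            key = (src, sport, dst, svc)
            last = self.last_logged.get(key)
            if last is None or now - last >= self.grace:
                self.last_logged[key] = now
                self.log.append((now, rule.no, rule.action, src, dst, svc))
        return rule.no, rule.action


def build_rules(explicit_cleanup=True):
    internal = "10.0.0.0/8"
    rules = [
        Rule(1, cell(internal), cell("192.0.2.53"), cell("dns"), "accept"),
        Rule(2, cell(), cell("192.0.2.10"), cell("http"), "accept", "log"),
        # negated Source: applies when the source is NOT an internal address
        Rule(3, cell(internal, negate=True), cell(internal), cell(), "drop", "log"),
    ]
    if explicit_cleanup:   # the explicit "none of the above" rule, so that drops get logged
        rules.append(Rule(4, cell(), cell(), cell(), "drop", "log"))
    return rules


def demo():
    rb = RuleBase(build_rules())
    traffic = [  # (time, src, sport, dst, service), constructed
        (0, "10.1.2.3", 53001, "192.0.2.53", "dns"),
        (1, "203.0.113.7", 40000, "192.0.2.10", "http"),
        (5, "203.0.113.7", 40000, "192.0.2.10", "http"),   # similar packet inside grace period
        (40, "203.0.113.7", 40000, "192.0.2.10", "http"),  # grace period elapsed: logged again
        (41, "203.0.113.7", 40001, "10.0.0.5", "ssh"),     # external source: rule 3
        (42, "10.0.0.5", 40002, "10.0.0.6", "ssh"),        # internal source: only the cleanup rule
    ]
    verdicts = [rb.inspect(*p) for p in traffic]
    silent = RuleBase(build_rules(explicit_cleanup=False))
    implicit = silent.inspect(42, "10.0.0.5", 40002, "10.0.0.6", "ssh")
    return verdicts, rb.log, implicit, silent.log
```

With the explicit cleanup rule in place, demo() logs four entries (the second http packet falls inside the grace period and is enforced but not logged); without it the same internal-to-internal packet is still dropped, by rule 0, but leaves nothing in the log.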

Editing a Policy Package

Opening a Policy Package


1 If the policy package you wish to open is not the one currently displayed, choose Open
from the File menu. The following window appears (see FIGURE 8-3).
FIGURE 8-3 Open Policy Package window

2 Select the desired policy package and click Open. SmartDashboard displays the Policy
Package you selected.

Creating a New Policy Package


1 To create a new policy package, choose New from the File menu. The window that appears
depends on the VPN configuration mode you selected on the VPN-1 page in the Global
Properties window (see “Global Properties” on page 275).

If you selected Simplified mode to all new Security Policies or Traditional mode to all
new Security Policies, the following window appears (FIGURE 8-4).




FIGURE 8-4 Create a new Policy Package

If you selected Traditional or Simplified mode per new Security Policy, the following
window appears (FIGURE 8-5).
FIGURE 8-5 Use either Simplified or Traditional mode

2 Enter the name of the Policy Package. The Policy Package name cannot:
• contain any reserved words
• contain any spaces
• begin with a number
• contain any of the following characters:
  %, #, ', &, *, !, @, ?, <, >, /, \, :
• end with any of the following suffixes:
  .w, .pf, .W




3 Select the policy types you want included in the Policy Package.
If you selected Traditional or Simplified mode per new Security Policy on the VPN-1
page in the Global Properties window, you can choose which VPN configuration mode
you want to use (see FIGURE 8-5). For a description of Traditional and Simplified modes,
see Chapter 7, “VPN Communities” in Check Point Virtual Private Networks.
4 Click OK to select the installation target and the modules you want added to the Policy
Package.
5 Select the Modules you want to add to the Policy Package. You can either:
• Select All internal modules to add all the internal Modules to the Policy Package.
• Select Specific modules to add specific modules to the Policy Package. Select the
desired modules by using the Add and Remove buttons to move them between the two
lists. You can also move multiple fields by making multiple selections.
6 Click OK to create the Policy Package. The number of tabs that appear in the
SmartDashboard depends on the number of policy types you chose to include in the Policy
Package.

Deleting a Policy Package


You can either choose to delete an entire Policy Package, that is, all the policies included in the
Policy Package or only specific policies.
1 To delete a Policy Package, choose Delete from the File menu.
Entire policy package named: — Delete a Policy Package and all its policies. Select the
Policy Package that you would like to delete from the drop-down list.
The following policies from the current Policy Package — Delete specific policies from
the current Policy Package.
2 Click OK to delete the Policy Package.

Saving a Policy Package


When you save a Policy Package (by choosing Save from the File menu), you save all the
changes you made in the active Policy Package.
When you choose Save As from the File menu, you save the selected Rule Base from the active
Policy Package as a new Policy Package.

To save the selected Rule Base as a new Policy Package, proceed as follows:
1 Select the Rule Base you want to save as a new Policy Package.
2 Choose Save As from the File menu. The following window appears.
The title bar displays the Rule Base you chose to save as a new Policy Package.
3 Enter the name of the new Policy Package.




4 Click OK. A new Policy Package containing only the selected Rule Base is created.

Adding a Rule
You can add a rule at any point in the Rule Base.

TABLE 8-1 Adding a Rule

To add a rule ...                             Select from menu
after the last rule                            Rules > Add Rule > Bottom
before the first rule                          Rules > Add Rule > Top
after the current rule                         Rules > Add Rule > After
before the current rule                        Rules > Add Rule > Before
to the current rule (for QoS policies only!)   Rules > Add Sub-Rule

Each of these actions is also available as a toolbar button.

Note - The current rule is the one that is highlighted. To select a rule, click its number.

A new rule will be added to the Rule Base, and default values will appear in all the data fields.
You can modify the default values as needed.
Alternatively, right-click the rule’s number to display the Rule menu.




Rule menu
TABLE 8-2 Rule menu items in SmartDashboard

Menu Item           Action
Insert Rule Above   Insert a rule above the current rule.
Add Rule Below      Add a rule below the current rule.
Delete Rule         Delete the current rule.
Copy Rule           Copy the current rule to the clipboard.
Cut Rule            Delete the current rule and put it on the clipboard.
Paste Rule          Paste the rule on the clipboard (a menu will be displayed where you can
                    specify whether to paste the rule before or after the current rule).
Hide Rule           Hide the current rule (see “Masking Rules” on page 318).
Disable Rule        Disable the current rule (see “Disabling Rules” on page 330).
Select All Rules    Select all the rules in the Rule Base.
Show                Show the selected item in the SmartMap.
Query Column        Open the Rule Base Query Clause window (FIGURE 8-16 on page 322).
Clear Query         Unhide all rules (see “Masking Rules” on page 318).

Modifying a Rule
To modify a rule, add, modify, or delete data field values until the rule is as desired.
Right-click in the data field to open the SmartDashboard Object menu.
The choices displayed in the menu depend on the field in which you right-clicked.

TABLE 8-3 Modifying Network Objects

for a description of how to modify...   see
Source                                   “Source” on page 302
Destination                              “Destination” on page 304
Service                                  “Service” on page 305
Action                                   “Action” on page 306
Track                                    “Track” on page 308
Install On                               “Install On” on page 309
Time                                     “Time” on page 312
Comments                                 “Comments” on page 312
Items in the Source, Destination, Services, Install On and Time data fields are not exclusive;
a cell can hold several objects. Right-click in the cell to open its menu and choose the desired
option: Add, Delete, or Negate (Negate is not available for Install On).

Note - You can view the properties of a network object or service object by double-
clicking on its icon.

Source
Add — The Network Objects window is displayed, from which you can select network objects
to add to the rule’s Source.
You can define any number of items in Source.

Add Users Access—The Users Access window (FIGURE 8-6) is displayed, from which you
can select user group(s) to add to the rule’s Source.
FIGURE 8-6 User Access window




You must choose Add Users Access for a rule whose Action is one of the following:
• Client Authentication
• Session Authentication
• User Authentication
• Client Encryption (SecuRemote)

1 Choose one of the user groups.


2 Make the appropriate choice under Location.

If you check No Restriction, then there will be no restriction on the source of the users.
For example, if you choose AllUsers and check No Restriction, then AllUsers@Any will
be inserted under Source in the rule.
If you check Restrict To, then the source will be restricted to the network object you select
in the list box. For example, in FIGURE 8-6, the source object in the rule will be
AllUsers@Area_Servers.

3 Click OK.

Add Extranet Groups — Add an Extranet group or groups to the Source.

For information about Extranet groups, see Chapter 13, “Extranet Management” of Check
Point Virtual Private Networks Guide.
Edit — Edit the selected object.
You must first select one of the objects already defined under Source. The appropriate
window is opened (depending on the type of the selected object), and you can change the
object’s properties.
Alternatively, you can double-click an object to edit it.
Delete — Delete the selected object.
You must first select one of the objects already defined under Source.

Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any. Check Where Used before deleting an object:
a Source or Destination that silently becomes Any can make a rule accept far more traffic
than intended.
Negate Cell — Negate the selected object.
All the objects defined under Source will be negated. Negation means that the rule applies
when the communication’s Source is not one of the Source objects in the rule.
When more than one object is listed under Source, it is not possible to negate some but not
others. Either all are negated or none are negated.
Select All — Select all the objects defined under Source.
Cut — Delete the selected object and put it on the clipboard.
You must first select one of the objects already defined under Source.




Copy — Copy the selected object to the clipboard.
You must first select one of the objects already defined under Source.
Paste — Paste the object on the clipboard in the rule’s Source.
Show — Show the selected item in the SmartMap.
Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.

Destination
Add — The Object Manager window is displayed, from which you can select network objects
to add to the rule’s Destination.
You can define any number of items in Destination.

Add Extranet Groups — Add an Extranet group or groups to the Destination.

For information about Extranet groups, see Chapter 13, “Extranet Management” of Check
Point Virtual Private Networks Guide.
Edit — Edit the selected object.
You must first select one of the objects already defined under Destination. The appropriate
window is opened (depending on the type of the selected object), and you can change the
object’s properties.
Alternatively, you can double-click an object to edit it.
Delete — Delete the selected object.
You must first select one of the objects already defined under Destination.

Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any.
Negate Cell — Negate the selected object.
All the objects defined under Destination will be negated. Negation means that the rule
applies when the communication’s Destination is not one of the Destination objects in the
rule.
When more than one object is listed under Destination, it is not possible to negate some but
not others. Either all are negated or none are negated.
Select All — Select all the objects defined under Destination.
Cut — Delete the selected object and put it on the clipboard.
You must first select one of the objects already defined under Destination.




Copy — Copy the selected object to the clipboard.
You must first select one of the objects already defined under Destination.
Paste — Paste the object on the clipboard in the rule’s Destination.
Show — Show the selected item in the SmartMap.
Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.

Service
Add — The Add Object window is displayed, from which you can select services to add to the
rule’s Services.
You can define any number of items in Services in the rule.

Note - Some services must be explicitly defined in the rule, otherwise they will not
function properly. For more information, see “Auxiliary Connections” on page 345.

Add With Resource — Add a resource. The Services with Resource window (FIGURE 8-7) is
displayed.
FIGURE 8-7 Services with Resource window

For additional information about resources, see “Content Security” on page 227 of Check
Point FireWall-1 Guide.
Edit — Edit the selected object.


You must first select one of the objects already defined under Service. The appropriate
window is opened (depending on the type of the selected object), and you can change the
object’s properties.
Alternatively, you can double-click an object to edit it.
Delete — Delete the selected object.
You must first select one of the objects already defined under Service.

Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any.
Negate Cell — Negate the selected object.
All the objects defined under Service will be negated. Negation means that the rule applies
when the communication’s Service is not one of the services in the rule.
When more than one object is listed under Service, it is not possible to negate some but not
others. Either all are negated or none are negated.
Select All — Select all the objects defined under Service.

Cut — Delete the selected object and put it on the clipboard.
You must first select one of the objects already defined under Service.

Copy — Copy the selected object to the clipboard.
You must first select one of the objects already defined under Service.

Paste — Paste the object on the clipboard in the rule’s Service.

Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.

Action
You can only select one Action.

Edit Properties — Edit the properties of the rule’s Action.

This choice is available for a rule whose existing Action is User Authentication, Client or
Session Authentication, and opens the appropriate Authentication Action Properties window
(see Chapter 3, “Authentication” of Check Point FireWall-1 Guide).
If you wish to modify the Encryption parameters of a rule to which Encryption has been
added, select Edit Encryption from the menu rather than Edit Properties.
Add Encryption — Add Encryption to the Action for this rule.


This choice is available for a rule whose existing Action is User Authentication, Client or
Session Authentication, and to which Encryption has not already been added. An envelope
icon is superimposed on the existing Action icon in the rule.
You can modify the Encryption parameters by displaying the menu again and selecting Edit
Encryption.

For additional information about VPN-1/FireWall-1’s encryption features, see Check Point
Virtual Private Networks Guide.
Remove Encryption — Remove Encryption from the Action for this rule.
This choice is available for a rule whose existing Action is User Authentication, Client or
Session Authentication, and to which Encryption has already been added. The envelope icon
is removed from the existing Action icon in the rule.
Edit Encryption — Edit this rule’s Encryption parameters.
This choice is available for a rule whose existing Action is Encrypt, and for a rule whose
existing Action is User Authentication, Client or Session Authentication, and to which
Encryption has already been added. The Encryption Properties window is displayed.
For additional information about the Encryption Properties window, see “Rule Encryption
Properties” on page 101 of Check Point Virtual Private Networks Guide.
TABLE 8-4 lists the choices available from the Action menu.

TABLE 8-4 Action Menu

Action Meaning
Accept — Accept the connection.
Reject — Reject the connection.
Drop — Drop the connection; do not notify the sender.
User Authentication — Invoke User Authentication for this connection.
Client Authentication — Invoke Client Authentication for this connection.
Session Authentication — Invoke Session Authentication for this connection.
Encrypt — Encrypt outgoing packets. Accept incoming encrypted packets and decrypt them.
Client Encryption — Accept only SecuRemote communications.


When a Drop action is taken, the sender is not notified. TABLE 8-5 describes what happens
when a Reject action is taken.

TABLE 8-5 Difference between Reject and Drop

Service Reject
TCP — The sender is notified.
UDP — An ICMP port unreachable error is sent to the sender.
other — Same as Drop.

Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.

Track

TABLE 8-6 Track Menu

Track Meaning
None — No logging or alerting for this connection.

Log — Log the connection.

Account — Log in Accounting format.

Alert — Issue an alert (as defined in the PopUp Alert Command field
in the Log and Alert page of the Global Properties window — see
Chapter 7, “Global Properties”).
Mail — Send a mail alert (as defined in the Mail Alert Command
field in the Log and Alert page of the Global Properties window —
see Chapter 7, “Global Properties”).
SNMP Trap — Issue an SNMP trap (as defined in the Snmp Trap
Alert Command field in the Log and Alert page of the Global
Properties window — see Chapter 7, “Global Properties”).
User Defined — Issue a User Defined Alert (as defined in the User
Defined Alert Command field in the Log and Alert page of the
Global Properties window — see Chapter 7, “Global Properties”).

Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.


Clear Query — Clear the query and display (unhide) all the rules.

Install On
Add — The Install On field specifies which objects will enforce the rule. You can select any
number of Install On objects.
Delete — Delete the selected object.
Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any.
Show — Show the selected item in the SmartMap.
Viable Install On Targets — Open the Viable Install On Targets window, in which you can
select the target machines on which to enforce this rule.
Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.

Note - The entire Policy is installed on all of the Install On objects, but each object
enforces only that part of the Policy which is relevant to it.

Warning - For a Security Policy, if an Install On object does not enforce at least one rule,
then the only rule it enforces is the default rule, which rejects all communications.

TABLE 8-7 Install On Menu

Install On Meaning
Gateway — Enforce on all network objects defined as gateways.
Embedded Devices — Enforce on all embedded devices.
Targets — Enforce on the specified target object(s) only, in the inbound and outbound
(either bound) directions.
Destination — Enforce in the inbound direction on the FireWalled network objects defined as
Destination (typically servers) in this rule.
Source — Enforce in the outbound direction on the FireWalled network objects defined as
Source (typically clients — initiators of traffic) in this rule.
OSE Devices — Enforce on all OSE devices.

Adding Targets to the Install On Path


To add any number of Targets to the Install On column, proceed as follows:
1 Select a gateway in the Install On column.
2 Right-click the selected gateway.
A menu is displayed.
3 Select Viable Install On Targets from the right-click menu.
The Viable Install On Targets window is displayed. In this window, Install On List displays
a list of Install On targets, that is, the targets on which enforcing this rule would have
meaning.
For example, if a rule applies to traffic that does not pass through a specific Module, then
enforcing the rule on that Module would not have any effect.
Properties — Show the properties of the selected target.
The gateway’s Properties window is displayed.
Show — Show the selected target in the SmartMap View.

Note - Any object or group of objects selected in the Viable Install On Targets window
to be shown in the SmartMap View, will only be displayed if it is an Install On object or
from an Install On group.

Select a target and click OK to add the target to the Install On column.

Gateways
If you specify Gateways, the rule is enforced on all the hosts that are defined as gateways (on
the General page of the network object’s Properties window). The rule is enforced in both the
inbound and outbound directions.


Source
If you specify Source, the rule is enforced on the FireWalled network objects specified under
Source in that rule. The icon for Source shows arrows pointing away from the object, to
indicate that the rule is enforced for outgoing communications only.
For example, consider the following rule:

Source Destination Services Action Track Install On
mailsrvr,london Any Any Accept Log Src

The rule is enforced only on london, because mailsrvr is not FireWalled. However, the rule is
applied to communications originating either on mailsrvr or london.

Destination
If you specify Destination, the rule is enforced on the FireWalled network objects specified
under Destination in that rule. The icon for Destination shows arrows pointing to the object,
to indicate that the rule is enforced for incoming communications only.

Routers
If you specify OSE Devices, the rule is enforced on the appropriate interfaces on all routers,
using VPN-1/FireWall-1’s auto-scoping feature. For example, a rule specifying Source as
localnet is enforced on the device’s localnet interface. VPN-1/FireWall-1 generates an Access
List for the router (except for Nortel Networks routers on which VPN/FireWall Module is
installed, in which case a Security Policy is installed). It should be noted that with Access Lists
only a subset of VPN/FireWall Module functionality can be implemented. For example, it is not
possible to secure FTP back connections.

Targets
If you specify an object by name, then the rule is enforced for both incoming and outgoing
communications (either bound).

TABLE 8-8 Rule Enforcement Directions

Install On Enforced on Packets in this Direction
Gateways inbound and outbound (either bound)
Destination inbound
Source outbound
Specific Target inbound and outbound (either bound)
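The following Python model is an added illustration, not Check Point code. It works through the enforcement rules of TABLE 8-7 and TABLE 8-8 on constructed sample objects: the Source example above (mailsrvr and london, Install On = Src) plus a second gateway, paris, which is assumed for the sake of the example. It also implements the check behind the Warning above: listing the Install On objects that would enforce no rule at all, and so would enforce only the default rule.

```python
"""Model of which modules enforce a rule, following TABLE 8-7 and TABLE 8-8.

Added illustration, not Check Point code. The objects (mailsrvr, london,
paris, localnet) and the rules below are constructed sample data.
"""
from dataclasses import dataclass, field

INBOUND, OUTBOUND = "inbound", "outbound"


@dataclass(frozen=True)
class NetObject:
    name: str
    firewalled: bool = False   # a VPN/FireWall Module is installed on it
    gateway: bool = False      # "gateway" is set on the object's General page


@dataclass
class Rule:
    number: int
    source: set                # object names; "Any" stands for any object
    destination: set
    install_on: str            # "Gateways", "Source", "Destination" or "Targets"
    targets: set = field(default_factory=set)   # used when install_on == "Targets"


def enforcement_points(rule, objects):
    """Return {module name: set of directions} on which the rule is enforced."""
    both = {INBOUND, OUTBOUND}
    if rule.install_on == "Gateways":
        # every object defined as a gateway, inbound and outbound
        return {o.name: set(both) for o in objects.values() if o.gateway}
    if rule.install_on == "Source":
        # FireWalled objects named in Source, outgoing communications only
        return {n: {OUTBOUND} for n in rule.source
                if n in objects and objects[n].firewalled}
    if rule.install_on == "Destination":
        # FireWalled objects named in Destination, incoming communications only
        return {n: {INBOUND} for n in rule.destination
                if n in objects and objects[n].firewalled}
    if rule.install_on == "Targets":
        # the explicitly named targets, either bound
        return {n: set(both) for n in rule.targets}
    raise ValueError(f"unknown Install On value {rule.install_on!r}")


def modules_enforcing_nothing(rules, objects, installed_on):
    """Install On objects (those the policy is installed on) that enforce no
    rule at all. Per the Warning above, each of these enforces only the
    default rule and so rejects all communications."""
    covered = set()
    for rule in rules:
        covered |= set(enforcement_points(rule, objects))
    return sorted(set(installed_on) - covered)


OBJECTS = {
    "mailsrvr": NetObject("mailsrvr"),                            # plain host, not FireWalled
    "london": NetObject("london", firewalled=True, gateway=True),
    "paris": NetObject("paris", firewalled=True, gateway=True),   # assumed second gateway
    "localnet": NetObject("localnet"),
}

# The Source example from the text: mailsrvr,london -> Any, Install On = Src
RULE_SRC = Rule(1, {"mailsrvr", "london"}, {"Any"}, "Source")
# A rule enforced on all gateways
RULE_GW = Rule(2, {"localnet"}, {"Any"}, "Gateways")
# A rule enforced on one named target only
RULE_TGT = Rule(3, {"Any"}, {"mailsrvr"}, "Targets", targets={"london"})

if __name__ == "__main__":
    print(enforcement_points(RULE_SRC, OBJECTS))   # only london, outbound
    print(modules_enforcing_nothing([RULE_SRC, RULE_TGT], OBJECTS, ["london", "paris"]))
```

Running modules_enforcing_nothing over the whole Rule Base before Policy > Install is the practical use: any module it names would receive the policy and then block all of its traffic.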


Time
Add — The Time Objects window is displayed, from which you can select time objects to add
to the rule’s Time.
You can define any number of items in Time.

Edit — Edit the selected object.
You must first select one of the objects already defined under Time. The appropriate window
is opened (depending on the type of the selected object), and you can change the object’s
properties.
Alternatively, you can double-click an object to edit it.
Delete — Delete the selected object.
You must first select one of the objects already defined under Time.

Where Used — See other places in the Rule Base where the selected object is used.
If the selected object is the only object in one or more cells in the Rule Base, deleting this
object will change the value of the cell to Any.
Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.

Comments
To add a comment to a rule, double-click the Comment field to open the Comment window.
Type any text you wish in the text box and click OK.

Note - In this window, a carriage return is not interpreted as clicking on OK, so there can
be more than one line in a comment.

Edit — Edit the selected comment.


Query Column — Open the Query Rule Base Clause window (FIGURE 8-16 on page 322).
For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
Clear Query — Clear the query and display (unhide) all the rules.


Copying, Cutting and Pasting Rules


To copy, cut or paste, select a rule or rules by selecting their numbers.

TABLE 8-9 Copying, Cutting and Pasting Rules

Action Select from menu Toolbar Button
Cut Edit > Cut
Copy Edit > Copy
Paste Edit > Paste

If you choose Paste, then the Paste menu will be opened. You must then select Above, Below,
Top, or Bottom to specify where in the Rule Base to paste the rule.

Deleting a Rule
1 To delete a rule, select a rule or rules by selecting their numbers.
2 Right-click the selected rule and click Delete.

Completing the Rule Base

Verifying and Viewing the Security Policy


When you have defined the desired rules, open the Policy menu and select Verify to perform a
heuristic check on the Rule Base. Verification will check that the rules are consistent and that
no rule is redundant. If a Rule Base fails the verification, an appropriate message will appear.
To view the INSPECT code before installing the Security Policy, open the Policy menu and
select View. Verification is automatically performed every time you view the Rule Base, and
before the Security Policy is installed.

“Silently” Dropping a Service


It is common practice for the last rule in a Rule Base to reject packets that fail to match any of
the preceding rules and to log these rejections. If you would like to “silently” drop a specific
service or group of services, add a rule (before the last rule) that drops the service(s) without
logging.

Installing and Enforcing


Installing a Security Policy consists of generating an Inspection Script from the rule base and
properties, compiling the Inspection Script to generate Inspection Code, and installing the
Inspection Code on all the network objects specified in the Install On window.


The Install On window specifies the network object on which the Security Policy is installed.
In contrast, the Install On column in the SmartDashboard specifies the network object that is to
enforce a specific rule.
In principle, the Security Policy should be installed on all the network objects which are to
enforce it. However, VPN-1/FireWall-1 will allow you to not install the Security Policy on one
or more of the objects that are to enforce it. This capability is useful for debugging purposes,
but in all other cases you should take care to correctly deploy your Security Policy.
If you fail to install a Security Policy on a network object on which it should be installed, the
VPN/FireWall Module will improperly monitor traffic through that object. If you install a
Security Policy on a network object that does not enforce any part of that policy, the
VPN/FireWall Module will block all traffic through that object (because only the implicit drop
rule will be applied). See “Rule Base — Basic Concepts” on page 295.

Inspection Scripts and Inspection Code


The rules that comprise a Security Policy are stored in an ASCII file named
$FWDIR/conf/rule_base.W. Manually editing this file affects the GUI representation of
rules and properties.
An Inspection Script (named $FWDIR/conf/rule_name.pf) is generated from the Security Policy
(Rule Base, objects database and Global Properties). An Inspection Script can be viewed and
even manually edited, but editing an Inspection Script does not affect the GUI representation of
rules and properties. On the other hand, it does affect the Inspection Code compiled from the
Inspection Script and thus introduces inconsistencies between the GUI representation and the
Inspection Code. For this reason, directly editing an Inspection Script should be avoided. If you
edit the $FWDIR/lib/*.def files instead, you will avoid these inconsistencies.
Inspection Code (named $FWDIR/temp/rule_base.fc) is compiled from an Inspection Script. It
is this Inspection Code that is installed on network objects and used by the VPN/FireWall
Module to enforce a Security Policy.
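Because a hand-edited Inspection Script silently diverges from the GUI representation, a practical safeguard is to baseline the generated files right after each Policy > View or Install and compare later. The following Python script is an added illustration, not a Check Point tool; the watched file patterns follow the names given above ($FWDIR/conf/*.W, $FWDIR/conf/*.pf, $FWDIR/lib/*.def), while the baseline file name, the sample files built by demo() and the reading of a changed .pf with no changed .W or .def as something to investigate are assumptions of this example.

```python
"""Baseline-and-compare check for edits to generated Inspection Scripts.

Added illustration, not a Check Point tool. The watched file patterns follow
the names given in the text ($FWDIR/conf/*.W, $FWDIR/conf/*.pf,
$FWDIR/lib/*.def); the baseline file name, the demo() sample files and the
interpretation of the result are assumptions of this example.
"""
import glob
import hashlib
import json
import os
import tempfile

WATCHED = ("conf/*.W", "conf/*.pf", "lib/*.def")


def digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(fwdir):
    """Map of fwdir-relative path (with '/' separators) -> SHA-256 for watched files."""
    out = {}
    for pattern in WATCHED:
        for path in sorted(glob.glob(os.path.join(fwdir, pattern))):
            rel = os.path.relpath(path, fwdir).replace(os.sep, "/")
            out[rel] = digest(path)
    return out


def save_baseline(fwdir, baseline_path):
    """Record the reference state. Run right after Policy > View or Install,
    when the .pf files have just been generated from the GUI's Rule Base."""
    snap = snapshot(fwdir)
    with open(baseline_path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)
    return snap


def compare(fwdir, baseline_path):
    """Classify what changed since the baseline.

    A changed .pf while no .W (Rule Base) and no .def file changed means the
    Inspection Script no longer follows from the GUI inputs recorded in the
    baseline: either it was edited by hand, which the text above warns
    against, or the policy was regenerated from inputs this check does not
    watch. Either way it should be explained before the next install.
    """
    with open(baseline_path) as f:
        base = json.load(f)
    now = snapshot(fwdir)
    changed = sorted(p for p in now if p in base and now[p] != base[p])
    gui_inputs_changed = any(p.endswith((".W", ".def")) for p in changed)
    suspect = [p for p in changed if p.endswith(".pf") and not gui_inputs_changed]
    return {
        "changed": changed,
        "added": sorted(set(now) - set(base)),
        "removed": sorted(set(base) - set(now)),
        "pf_changed_without_gui_change": suspect,
    }


def demo():
    """Build a throw-away tree shaped like $FWDIR (constructed sample files),
    baseline it, alter the .pf by hand and return the comparison result."""
    fwdir = tempfile.mkdtemp(prefix="fwdir-demo-")
    os.makedirs(os.path.join(fwdir, "conf"))
    os.makedirs(os.path.join(fwdir, "lib"))
    files = {  # placeholder contents; file names are constructed for the demo
        "conf/rule_base.W": "(rule_base\n)\n",
        "conf/Standard.pf": "// generated inspection script\n",
        "lib/base.def": "#define PLACEHOLDER 1\n",
    }
    for rel, text in files.items():
        with open(os.path.join(fwdir, rel), "w") as f:
            f.write(text)
    baseline = os.path.join(fwdir, "inspect_baseline.json")
    save_baseline(fwdir, baseline)
    with open(os.path.join(fwdir, "conf", "Standard.pf"), "a") as f:
        f.write("// hand edit that the GUI knows nothing about\n")
    return compare(fwdir, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In use, point snapshot() and compare() at the real $FWDIR and keep the baseline file outside it, so that whoever can edit the Inspection Script cannot also rewrite the reference.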


FIGURE 8-8 VPN-1/FireWall-1 Inspection Components - flow of information
(Management Server: Inspection Script, Text Editor, INSPECT Compiler, VPN-1/FireWall-1
Security Policy, Inspection Code. VPN/FireWall Module: Inspection Module, Inspection Code,
VPN-1/FireWall-1 daemons.)

When a Security Policy is installed on a network object, the object receives the entire Inspection
Code but executes only those rules with matching scope. If there are no rules with matching
scope, the VPN/FireWall Module will drop all traffic, by the default rule (“That Which Is Not
Expressly Permitted is Prohibited”). Installing what is essentially an empty Security Policy (no
rules with matching scope) effectively bars all traffic.

Rule Authentication Properties


If User Authentication, Client Authentication, Session Authentication or Client Encryption
is specified as a rule’s Action, the rule’s properties are specified in the Authenticate Action
Properties window.

To display the Authenticate Action Properties window, right-click the Action field in the rule
and choose Edit Properties from the menu.


FIGURE 8-9 Authenticate Action Properties window for a User Authentication Rule

TABLE 8-10 Authenticate Action Properties window

For information about the Authenticate Action Properties window for... See...
User Authentication rules — “User Authentication” on page 126 of Check Point FireWall-1 Guide
Session Authentication rules — “Session Authentication” on page 162 of Check Point FireWall-1 Guide
Client Authentication rules — “Client Authentication” on page 173 of Check Point FireWall-1 Guide
Client Encryption rules — Chapter 1, “VPN-1 SecuRemote Server” of Check Point Desktop Security Guide

Encryption Properties
If Encrypt is specified as a rule's Action, the Encryption Properties window (FIGURE 8-10)
defines the rule’s encryption properties.
To display the Encryption Properties window, double click the rule’s Encrypt action.


FIGURE 8-10 Encryption Properties window

For information about the Encryption Properties window, see “Rule Encryption Properties”
on page 101 of Check Point Virtual Private Networks Guide.

Interaction between Rule Base and Implied Rules (Properties)


A Security Policy is defined not only by the Rule Base, but also by parameters specified in the
FireWall-1 Implied Rules page of the Global Properties window. These parameters enable the
user to control all aspects of a packet’s inspection, while at the same time freeing the user of the
need to specify repetitive detail in the Rule Base.
Packets are matched in the following sequential order:
1 The anti-spoofing rules are applied.
2 Checked properties in the FireWall-1 Implied Rules page of the Global Properties
window labeled First are matched first. If a property is not checked, then it is not included
in the Security Policy.
3 Rules are matched according to their order in the Rule Base, except for the last rule in the
Rule Base.
4 Properties in the FireWall-1 Implied Rules page of the Global Properties window labeled
Before Last are matched after all but the last rule in the Rule Base.
5 The last rule in the Rule Base is matched.
6 The property in the FireWall-1 Implied Rules page of the Global Properties window
labeled Last is matched.
7 The implicit drop rule is matched.
In the Rule Base, the principle of “That Which Is Not Expressly Permitted is Prohibited”
applies. For example, if the Rule Base does not expressly permit ICMP traffic, then ICMP
traffic will be dropped.
However, if Accept ICMP Requests in the FireWall-1 Implied Rules page of the Global
Properties window is checked, and Last is not selected for the property, then ICMP traffic will
be permitted.
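The following Python model is an added illustration, not Check Point code, of the matching sequence above. It also implements the Negate Cell semantics described under Destination and Service (a negated cell matches when the value is not one of its objects). The rules, the implied property positions and the packets are constructed sample data; the model shows why the same checked Accept ICMP Requests property permits ICMP when placed Before Last but not when placed Last, since the last explicit rule (a cleanup rule) is then matched first.

```python
"""Model of the order in which a packet is matched: anti-spoofing, implied
rules labeled First / Before Last / Last, the explicit Rule Base and the
implicit drop rule.

Added illustration, not Check Point code. The rules, implied properties
and packets below are constructed sample data.
"""
from dataclasses import dataclass, field

ACCEPT, DROP, REJECT = "accept", "drop", "reject"


@dataclass
class Cell:
    """One Rule Base cell: a set of object names, optionally negated."""
    objects: set = field(default_factory=lambda: {"Any"})
    negated: bool = False

    def matches(self, value):
        hit = "Any" in self.objects or value in self.objects
        # Negate Cell: the rule applies when the value is NOT one of the objects
        return not hit if self.negated else hit


@dataclass
class Rule:
    name: str
    source: Cell
    destination: Cell
    service: Cell
    action: str


@dataclass
class ImpliedProperty:
    """A checked property on the FireWall-1 Implied Rules page."""
    name: str
    service: str
    position: str          # "First", "Before Last" or "Last"
    action: str = ACCEPT

    def as_rule(self):
        return Rule(self.name, Cell(), Cell(), Cell({self.service}), self.action)


@dataclass
class Packet:
    src: str
    dst: str
    service: str
    spoofed: bool = False  # arrived on an interface its source address is not valid for


def match_sequence(explicit, properties):
    """The ordered rule list of steps 2 to 7 above (step 1 is handled in inspect)."""
    def implied(position):
        return [p.as_rule() for p in properties if p.position == position]
    seq = implied("First")           # step 2
    seq += explicit[:-1]             # step 3: all but the last explicit rule
    seq += implied("Before Last")    # step 4
    seq += explicit[-1:]             # step 5: the last explicit rule
    seq += implied("Last")           # step 6
    seq.append(Rule("implicit drop", Cell(), Cell(), Cell(), DROP))  # step 7
    return seq


def inspect(packet, explicit, properties):
    """Return (action, name of the matching rule) for a packet."""
    if packet.spoofed:               # step 1: anti-spoofing rules
        return DROP, "anti-spoofing"
    for rule in match_sequence(explicit, properties):
        if (rule.source.matches(packet.src) and rule.destination.matches(packet.dst)
                and rule.service.matches(packet.service)):
            return rule.action, rule.name
    raise AssertionError("unreachable: the implicit drop rule matches everything")


RULES = [  # constructed sample Rule Base; the last rule is the usual cleanup rule
    Rule("web-out", Cell({"localnet"}), Cell(), Cell({"http"}), ACCEPT),
    Rule("mail-in", Cell(), Cell({"mailsrvr"}), Cell({"smtp"}), ACCEPT),
    # Negate Cell on Source: applies to FTP to ftpsrv from anywhere except localnet
    Rule("ftp-from-outside", Cell({"localnet"}, negated=True), Cell({"ftpsrv"}), Cell({"ftp"}), DROP),
    Rule("cleanup", Cell(), Cell(), Cell(), REJECT),
]
ICMP_BEFORE_LAST = ImpliedProperty("Accept ICMP Requests", "icmp", "Before Last")
ICMP_LAST = ImpliedProperty("Accept ICMP Requests", "icmp", "Last")

if __name__ == "__main__":
    ping = Packet("internet", "london", "icmp")
    print(inspect(ping, RULES, [ICMP_BEFORE_LAST]))  # the implied rule permits it
    print(inspect(ping, RULES, [ICMP_LAST]))         # the cleanup rule rejects it first
```

With no explicit rules and no checked properties, inspect() falls through to the implicit drop rule, which is the empty-policy case described under "Inspection Scripts and Inspection Code".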


The settings in the FireWall-1 Implied Rules page of the Global Properties window are
translated into macros and compiled in the Inspection Code.

Implied Rules
You can see how the properties and rules interact by checking Implied Rules in the View menu.
The explicit rules (those you have defined) will be displayed together with the implicit rules
(those derived from the properties) in the correct sequence (see FIGURE 8-11).
FIGURE 8-11 SmartDashboard showing implied rules

The numbered rules are those you have explicitly defined. The implicit rules are not numbered.
For additional information about Properties, see Chapter 7, “Global Properties.”

Masking Rules
You can view only part of the Rule Base by hiding rules you do not want to see. This feature is
useful when you have a large complex Rule Base and you want to view only a few of the rules
without being distracted by other rules. Hidden rules remain part of the Rule Base and are
installed when the Security Policy is installed.

Hiding Rules
To hide a rule, proceed as follows:
1 Select the rule by clicking on its number.


2 Select Hide from the Rules menu.
The Hide submenu is displayed.
3 Select Hide.

The rule is now hidden, but it is still part of the Rule Base and will be installed when the
Security Policy is installed.
Alternatively, right-click the rule number to open the Rule menu and select Hide Rule.

Viewing Hidden Rules


If View Hidden in the Hide submenu is checked, then all the hidden rules are displayed in the
Rule Base together with the other rules. Hidden rules are colored differently from other rules,
making it easy to identify them so that you can unhide them.
If View Hidden is not checked, the hidden rules are not displayed. A thick colored horizontal
line indicates the presence of hidden rules.
FIGURE 8-12 Rule Base with a hidden rule not displayed (the thick line indicates that there is a
hidden rule here that is not being displayed)

In FIGURE 8-12, there is a hidden rule between rules 2 and 4. The gap in the numbering
indicates how many rules are hidden.
Whether they are displayed or not, hidden rules are installed when the Security Policy is
installed.

Unhiding Hidden Rules


To unhide all the hidden rules, select Unhide All from the Hide submenu.


Managing Hidden Rules

Defining a Mask
Consider the Rule Base in FIGURE 8-13 below.
FIGURE 8-13 Rule Base before defining masks

Suppose that you want to hide all the FTP rules. You can do this as follows:
1 Select the first FTP rule (rule 3).
2 Hide the selected rule as described in “Hiding Rules” on page 318.
3 Select the second FTP rule (rule 5).
4 Hide this rule as well.
The Rule Base now looks like this (FIGURE 8-14):
FIGURE 8-14 Rule Base with FTP rules (rules 3 and 5) hidden

5 Select Hide from the Rules menu.
The Hide submenu is displayed.


6 Select Manage Hidden from the Hide submenu. The Manage Hidden Rules window is
displayed.
7 Click Store As. The Store Mask As window is displayed.
8 Enter a name for the mask.
9 Select Hide from the Rules menu.
10 Select Unhide All from the Hide submenu.
The hidden rules are unhidden and the Rule Base once again is displayed as in FIGURE 8-13
on page 320.

Reapplying a Mask
You can now reapply the FTPRules mask and in one action hide all the FTP rules as follows:
1 Select Hide from the Rules menu.
2 Select Manage Hidden from the Hide submenu.
The Manage Hidden Rules window is displayed.
3 Select the FTPRules mask.
4 Click Fetch.

The rules are once again hidden.

Applying Masks
You can apply masks one after another using the Fetch command in the Manage Hidden Rules
window. When you apply a mask, any other mask that is currently applied is first “unapplied”.
So, for example, if you apply the FTPRules mask, the FTP rules are hidden. If you then apply
the HTTPRules mask, the FTP rules are unhidden and the HTTP rules are hidden.

Querying the Rule Base


You can query the Rule Base and display only the rules that satisfy the criteria specified in the
query, hiding all the other rules.

Example
Consider once again the Rule Base depicted in FIGURE 8-13 on page 320. Suppose that you
want to display only rules whose Source includes localnet.
1 From the Search menu, select Query Rules.

The Rule Base Queries window is displayed, showing all the defined queries (in this case
there are none).
For a detailed explanation of the Rule Base Queries window, see “Rule Base Queries
window” on page 327.


2 Click New. The Rule Base Query window (FIGURE 8-15) is displayed.
FIGURE 8-15 Rule Base Query window

For a detailed explanation of the Rule Base Query window, see “Rule Base Query Clause
window” on page 329.
3 Enter a name for the query in Name.

4 Click New.

The Rule Base Query Clause window (FIGURE 8-16) is displayed.


FIGURE 8-16 Rule Base Query Clause window

For a detailed explanation of the Rule Base Query Clause window, see “Rule Base Query
Clause window” on page 329.
5 Check Explicit.


This specifies that only rules in which localnet explicitly appears (in contrast to rules where
localnet is a member of a group explicitly appearing in the rule) will be considered as satisfying
the query.
6 In Column, select source.

This is the default.


7 In the Not In List box, select localnet.
8 Click Add.

localnet is moved to the In List box.


9 Click OK.

The Rule Base Query window (FIGURE 8-17 on page 323) is displayed, and the query clause
just defined is listed.
FIGURE 8-17 Rule Base Query window showing one query clause

10 Click OK.

The Rule Base Queries window (FIGURE 8-18) is displayed, and the query just defined is
listed.


FIGURE 8-18 Rule Base Queries window showing one query

11 Click Apply.

The query is used as a mask for hiding the rules that do not satisfy the query criteria. The
Rule Base is displayed as in FIGURE 8-19.
FIGURE 8-19 Rule Base after being masked by the query

The only rules that are displayed (that is, the only rules that are not hidden), are those whose
Source includes localnet.

Note that the Rule Base Queries window is still open, allowing you to continue to define or
use additional queries.
12 Click Close to close the Rule Base Queries window.

Refining the Query


Suppose that you want to refine the query so that the only rules displayed are those that satisfy
the following criteria:
• Source includes localnet
• Service includes FTP


There are two ways to do this:


• Modify the query (by adding an additional clause) to specify both of the above criteria
(see “To Modify the Query” below).
• Define a new query that specifies only the second criterion and apply both queries, one
after the other (see “To Define a New Query” on page 326).

To Modify the Query

1 In the Rule Base Queries window (FIGURE 8-18), select the query.
2 Click Edit.
3 In the Rule Base Query window (FIGURE 8-17), click New.
4 The Rule Base Query Clause window (FIGURE 8-16) is displayed.
5 In Column, select services.
6 In the Not In List box, select FTP.
7 Click Add.
FTP is moved to the In List box.
8 Click OK.
The Rule Base Query window (FIGURE 8-20) is displayed, and both query clauses are listed.
FIGURE 8-20 Rule Base Query window showing two query clauses
9 Click OK.
The Rule Base Queries window (FIGURE 8-18) is displayed.
10 Click Apply.


The modified query is used as a mask for hiding the rules that do not satisfy the query criteria.
The Rule Base is displayed as in FIGURE 8-21.
FIGURE 8-21 Rule Base after being masked by the modified query

To Define a New Query


1 In the Rule Base Queries window (FIGURE 8-18), click New.
2 In the Rule Base Query window (FIGURE 8-17), enter a name for the query in Name.
3 Click New.
The Rule Base Query Clause window (FIGURE 8-16) is displayed.
4 In Column, select services.
5 In the Not In List box, select FTP.
6 Click Add.
FTP is moved to the In List box.
FIGURE 8-22 shows the Rule Base Query Clause window with the FTP service selected.
FIGURE 8-22 Rule Base Query Clause window showing FTP selected
7 Click OK.
8 In the Rule Base Query window, click OK.
9 In the Rule Base Queries window, select the query just defined.


10 Click And.

The newly defined query is applied in addition to the previous query, and the result is shown
in FIGURE 8-21 on page 326.

Rule Base Queries window


The Rule Base Queries window lists all the defined queries, and allows you to add, edit, delete,
and apply queries.
FIGURE 8-23 Rule Base Queries window

New — Add a new query.
The Rule Base Query window (FIGURE 8-24 on page 328) is displayed.
Edit — Edit the selected query.
The Rule Base Query window (FIGURE 8-24 on page 328) is displayed.
Remove — Delete the selected query.
And — Apply the selected query as a mask, ANDing it with any masks currently applied.
The selected query is intersected with the current view. If another query is currently applied,
only rules that match both queries are displayed.
Or — Unify the selected query with the current view. If another query is currently applied,
rules that match either query are displayed.
Close — Close the Rule Base Queries window.
Apply — Apply the selected query.
This has the same effect as And if a query is selected. Double-clicking on a query is equivalent
to clicking on Apply.


Clear all — Unhide all rules.

Rule Base Query window


FIGURE 8-24 Rule Base Query window

Name — Enter the query’s name.


Negate Query — The query is understood to be the negation of all its clauses.
For example, if the query specifies that Source is localnet, then the negated query specifies
that Source is not localnet.
Operation On Criteria — Select one of the choices.
• And — the query’s clauses are ANDed together
• Or — the query’s clauses are ORed together
For example, suppose one query clause specifies that Source is localnet and another query
clause specifies that Service is FTP. Then:
• If you select And, then the query specifies (Source is localnet) AND (Service is FTP).
• If you select Or, then the query specifies (Source is localnet) OR (Service is FTP).

If Negate Query is checked, then the meaning of And and Or is:


• If you select And, then the query specifies NOT ((Source is localnet) AND (Service is
FTP)).
• If you select Or, then the query specifies NOT ((Source is localnet) OR (Service is
FTP)).
New — Define a new query clause.
The Rule Base Query Clause window (FIGURE 8-25 on page 329) is displayed.
Edit — Edit the currently selected query clause.


The Rule Base Query Clause window (FIGURE 8-25 on page 329) is displayed.
Remove — Delete the currently selected query clause.

Rule Base Query Clause window


FIGURE 8-25 Rule Base Query Clause window

Column — Select a Rule Base column.


Not in List — objects not included in the query clause.
In List — objects included in the query clause.
To add an object to the query clause, click the object in the Not in List box, and then click
Add.

To remove an object from the query clause, click the object in the In List box, and then click
Remove.

Negate — If you check this box, then the criteria specified in the query clause are negated.
For example, if the query clause specifies Service is FTP, then if you check Negate, the clause
is taken to specify “NOT (Service is FTP)”.
Explicit — If checked, only rules that explicitly include the object satisfy the criteria.
If the rule includes a group of which the object is a member, then the rule does not satisfy the
criteria. Also, if the rule includes an object which is a member of a group specified in the
criteria, then the rule does not satisfy the criteria.
For example, the standard VPN-1/FireWall-1 service definitions include a group named
“Authenticated”, of which FTP and HTTP are members. If Explicit is checked, then a rule
does not satisfy the criteria in the following two cases:
• The query clause specifies Authenticated and the rule includes FTP.
• The query clause specifies FTP and the rule includes Authenticated.
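The following Python block is an added example, not code from this guide or from Check Point. It models the query semantics described above (And/Or between clauses, Negate on a single clause, Negate Query on the whole query, and the Explicit flag) over a constructed three-rule Rule Base. The Rule, Clause and Query classes and the sample rules are names and data chosen here for illustration; the only group it defines is the "Authenticated" group the text mentions, with the FTP and HTTP members the text gives, and no special meaning is given to "Any".

```python
"""Added example (not from the SmartCenter Guide): a model of Rule Base query
matching. Rule layout, sample rules and class names are assumptions."""

from dataclasses import dataclass

# Group definitions. "Authenticated" with FTP and HTTP is the guide's example;
# treat this as a constructed sample, not the real service database.
GROUPS = {
    "Authenticated": {"ftp", "http"},
}


def expand(name):
    """Leaf objects covered by a name: a group is flattened, an object is itself."""
    return set(GROUPS.get(name, {name}))


@dataclass
class Rule:
    number: int
    source: set
    destination: set
    service: set


@dataclass
class Clause:
    column: str             # "source", "destination" or "service"
    in_list: set            # the objects moved into In List
    negate: bool = False    # Negate checkbox on the clause
    explicit: bool = False  # Explicit checkbox on the clause

    def matches(self, rule):
        cell = getattr(rule, self.column)
        if self.explicit:
            # Only a literal occurrence counts: no group expansion either way.
            hit = bool(cell & self.in_list)
        else:
            # A rule naming a group that contains the queried object, or an
            # object that belongs to a queried group, also satisfies the clause.
            rule_leaves = set().union(*(expand(o) for o in cell))
            query_leaves = set().union(*(expand(o) for o in self.in_list))
            hit = bool(rule_leaves & query_leaves)
        return (not hit) if self.negate else hit


@dataclass
class Query:
    clauses: list
    operation: str = "and"  # Operation On Criteria: "and" or "or"
    negate: bool = False    # Negate Query checkbox

    def matches(self, rule):
        results = [c.matches(rule) for c in self.clauses]
        combined = all(results) if self.operation == "and" else any(results)
        return (not combined) if self.negate else combined


def apply_query(rules, query):
    """Rule numbers that remain visible when the query is applied to a fresh view."""
    return [r.number for r in rules if query.matches(r)]


# Constructed sample Rule Base.
SAMPLE_RULES = [
    Rule(1, {"localnet"}, {"Any"}, {"ftp"}),
    Rule(2, {"localnet"}, {"dmz"}, {"Authenticated"}),
    Rule(3, {"remote"}, {"localnet"}, {"smtp"}),
]


def demo(rules=SAMPLE_RULES):
    """The guide's two Explicit cases plus the And/Or/Negate combinations."""
    src_localnet = Clause("source", {"localnet"})
    svc_ftp = Clause("service", {"ftp"})
    return {
        "service ftp": apply_query(rules, Query([svc_ftp])),
        "service ftp, explicit": apply_query(
            rules, Query([Clause("service", {"ftp"}, explicit=True)])),
        "service Authenticated, explicit": apply_query(
            rules, Query([Clause("service", {"Authenticated"}, explicit=True)])),
        "NOT service ftp": apply_query(
            rules, Query([Clause("service", {"ftp"}, negate=True)])),
        "localnet AND ftp": apply_query(rules, Query([src_localnet, svc_ftp])),
        "NOT (localnet AND ftp)": apply_query(
            rules, Query([src_localnet, svc_ftp], negate=True)),
        "localnet OR smtp": apply_query(
            rules, Query([src_localnet, Clause("service", {"smtp"})], "or")),
    }
```

Running demo() shows the two Explicit cases from the text: with Explicit unchecked, "Service is FTP" finds rule 2 through its Authenticated group, and with Explicit checked it does not; querying for Authenticated with Explicit checked likewise skips rule 1 even though FTP is a member.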

To Clear a Query
1 Select Clear Query from the Search menu.
You are prompted to Unhide all Hidden Rules.
2 Click Yes to proceed.
The Query is cleared.

Disabling Rules
When you disable a rule, the rule is no longer part of the Rule Base and is not installed when
the Security Policy is installed. However, the rule is still displayed in the Rule Base, and you can
re-enable it at any time.
This feature is useful for experimenting with the Rule Base. For example, you can disable a rule
(or rules), install the Security Policy, analyze the effects of the new Security Policy and then re-
enable the rule without having to re-enter it.
To disable a rule, select the rule by clicking on its number and then select Disable Rule from
the Edit menu.
When a rule is disabled, a large red cross is drawn over its rule number.
To enable a disabled rule, select the rule and then select Disable Rule from the Edit menu.
Alternatively, right-click the rule number to open the Rule menu (see page 301) and select
Disable Rule.

FIGURE 8-26 shows a Rule Base with two rules (rule 1 and rule 3) disabled.
FIGURE 8-26 Rule Base with rule 1 and rule 3 disabled

Searching the Rule Base


To search for any string in the Rule Base, proceed as follows:
1 Select Find in Rule Base from the Search menu.
The Find window is displayed, see FIGURE 8-27.

FIGURE 8-27 The Find window

2 Enter the string for which you would like to search in the Find what field.
Check Match whole word only to find the string only where it occurs as a whole word, exactly
as typed in the Find window.
Check Match case to make your search case sensitive.
Use the Up and Down buttons to choose the direction of your search.
Use the Find next button to continue your search of the Rule Base.

Installing and Uninstalling Policies

Installing Security Policies


Installing the Security Policy does the following:
• performs heuristic verification on rules, and checks that rules are consistent and that every
rule does something
• confirms that each of the Install On objects enforces some part of the Rule Base
If an Install On object does not enforce at least one Security Policy rule, then the only rule it
enforces is the default rule, which rejects all communications.
• converts the Security Policy to an Inspection Script and compiles the Inspection Script to
generate Inspection Code
• distributes the Inspection Code to the selected targets
• distributes the User and Encryption databases to the selected target hosts
VPN-1/FireWall-1 issues a warning if there is an inconsistency in the Rule Base or if there is a
rule that does nothing.

Installing Access Lists


Installing a Security Policy means downloading it to the network objects (Check Point Modules
and routers) which will enforce it. Except in the case of routers, there must be a VPN/FireWall
Module running on the object which is receiving the Security Policy.
When installing Access Lists (ACLs) to a router, the router must be accessible and you must have
permission to install the Access List. Installing Access Lists on Cisco routers can be done as
follows:

Access List download by a Telnet session


By default, Open Security Extension (OSE) devices receive Cisco Access Lists this way. Using a
Telnet session, each Access List statement, or rule, is sent individually from VPN-1/FireWall-1 to
the router. This can be time consuming, especially for large Access Lists, which can contain
thousands of rules. Note also that Telnet carries the router login and every Access List statement
in cleartext, so the management path between the SmartCenter Server and the router must be a
trusted network.

Access List download using a TFTP server


Using this option reduces the time needed to install Access Lists on Cisco routers. This method is
supported by all Cisco routers that support a TFTP ACL download.
By default, it is not enabled in the VPN/FireWall Module. To enable it, proceed as follows:
1) Set the ACL_TFTP_DOWNLOAD environment variable to 1 (for example,
setenv ACL_TFTP_DOWNLOAD 1).
When this variable is set, the OSE device writes all the Access List statements to a file on the
TFTP server, and the router then downloads the entire Access List in one transfer.
2) On Unix platforms:
a. Uncomment the tftpd declaration in /etc/inetd.conf.
b. Add the router IP address to /rhosts.
c. Create a /tftpboot directory as the TFTP root directory on the partition on which fw1 is
installed.
3) On the Windows NT platform:
Create a /tftpboot directory as the TFTP root directory on the partition on which fw1 is installed.
Note - There is no standard TFTP server for Windows NT. Refer to your TFTP server manual for
complete instructions.
Installing and configuring the TFTP server is not part of the fw1 installation; it must be done
separately. The TFTP server must reside on the SmartCenter Server. Any standard TFTP server
supports an ACL download.

Warning - TFTP has no login or access control mechanism. Consider carefully what rights you
grant to the TFTP server process, so that it cannot be used to read or overwrite files elsewhere
on the server's host file system. TFTP is usually configured so that only files with public read
access are served and writes are refused; the exported directory should contain nothing but the
generated Access Lists. The VPN-1/FireWall-1 Security Policy must allow TFTP connectivity
between the SmartCenter Server and the router only.

See the documentation for your router on how to define the appropriate permissions.

Installing Other Policies


Other Policies are verified and then installed in the same way that a Security Policy is installed.

A NAT Policy is installed together with the Security Policy. QoS and Desktop Security Policies
can be installed independently.
You can select the elements of the Policy to be installed in the Install Policy window (FIGURE
8-28).

Installing the Security Policy

To install the Policy


1 Choose Install from the Policy menu. The Install Policy window (FIGURE 8-28) is
displayed.
FIGURE 8-28 Install Policy window

2 Select the objects on which to install the Policy, and the elements of the Policy (Security,
QoS, Desktop Security) to install.

Note - The NAT Policy is installed together with the Security Policy.

You can do one of the following:


• Click Clear All to uncheck all the objects in the list.
• Click Select All to select all the objects in the list.
• Click Select Targets to select some of the objects in the list. The following window
appears:

FIGURE 8-29 Select installation target for Policy Package

3 Select the Modules you want to add to the Policy Package. You can either:
• Select All internal modules to add all the internal Modules to the Policy Package.
-or-
• Select Specific modules to add specific modules to the Policy Package. Select the
desired modules by using the Add and Remove buttons to move them between the two
lists. You can also move multiple fields by making multiple selections.
4 Select an installation mode. The SmartCenter Server will attempt to install the Security
Policy on all the selected Modules. This option enables you to specify what to do if the
Security Policy installation is unsuccessful for one or more of the selected Modules. Choose
one of the following:
Install on each selected Module independently — Failure to successfully install the
Security Policy on one or more of the Modules has no effect on the other Modules. If you
choose this option, then it is possible that different Policies will be enforced on different
Modules.
Install on all selected Modules — The Policy will either be installed on all the selected
Modules, or it will be installed on none of them. If you choose this option, then all
Modules will be enforcing the same Policy (either the new Policy or the old Policy).
Note - Policy installation on pre-Version NG Modules is independent of installation on
Version NG and later Modules, and vice versa. For example, if Install on all selected
Modules is checked, then a Policy installation failure on a pre-NG Module will not affect
Policy installation on NG Modules, but the Policy will not be installed on other pre-NG
Modules.
Install on all the members of the selected Gateway Clusters — This option is similar to
Install on all selected Modules, but relates to each selected Gateway Cluster.

5 Click OK to install the Security Policy on all Modules. A window showing installation
progress is displayed.
FIGURE 8-30 Installation Process window

The installation process has two stages, as shown in the Progress bar:
• Verification
• Installation

See the following table for a description of the fields in this window:

Installation Targets — The Module on which you want to install the Policy.
Version — The Module version.
Security (one column per Policy element) — The element of the Policy (Security, QoS, Desktop
Security) you chose to install in the Install Policy window (see FIGURE 8-28). A column appears
for each element you chose. The field shows the element's installation status at any given
moment. For a description of the available statuses, click Legend.

Once the installation process is finished, the Progress bar turns into a final status display.
The available final installation statuses are:
• Installation completed successfully — The installation was successfully completed.
• Installation ended with errors — The installation of at least one of the Policy
elements failed.
• Installation completed with warnings — The installation was completed successfully
but contains warnings that should be checked out.
• Installation aborted — The Abort button was clicked during an installation and
therefore the installation was not completed.

Note - Click the Abort button to stop an installation that is in progress. The Abort button
only appears during the installation process.

Viewing Error and Warning Details


You can view the details describing the errors/warnings that occurred during the verification
and installation processes.

To view error and warning details


1 In the Installation Process window (see FIGURE 8-30), click Show Errors/Warnings.

Note - The Show Errors/Warnings button only appears if the installation ended with
errors or warnings. If the installation was completed successfully, the button does not
appear at all.

The following window appears.

FIGURE 8-31 Viewing verification and installation errors

Note - This window can be opened from the beginning of the installation process
enabling you to see any errors/warnings that might occur throughout the process.

In this window, you can view the errors that occurred during the verification and installation
process. See the following table for a description of the fields in this window:

Verification and Policy Compilation Errors:
Policy — The element of the Policy (Security, QoS, Desktop Security) you chose to install in the
Install Policy window.
Status — Status of the verification process at any given time. Click Legend for a description of
the available statuses.
Details — Reason why the verification process failed or ended with warnings.
Installation Errors:
Installation Targets — The Module on which you installed the Policy.
Policy — The element of the Policy (Security, QoS, Desktop Security) you chose to install in the
Install Policy window.
Details — Reason why the installation failed or ended with warnings.

2 Double-click a row
-or-
Highlight the desired row and click View Details.
A window appears enabling you to conveniently view all the details of that row in a more
readable form.

Updating the List of Verification and Installation Errors


When you open the Verification and Installation Errors window (see FIGURE 8-31), you see
the errors/warnings that were encountered up to that moment.
To update the list of errors/warnings as new ones are being added, click the Refresh button.

Uninstalling the Security Policy


Choose UnInstall from the Policy menu to uninstall the Security Policy from the selected hosts.
The Install Policy window (FIGURE 8-28 on page 333) is then displayed.
When a Policy is uninstalled, the Module loses its state and existing connections may fail.

Connection Persistence during a new Policy installation


FireWall-1 is designed to keep as many existing connections alive across a Policy installation as
possible, without compromising security.
In FireWall-1 Stateful Inspection, a packet is matched against the Security Policy Rule Base only
when a new connection is established.
If the Action for a matched connection is Accept, then an entry is created in the connections
table so all future packets that belong to this connection are accepted without referring to the
Policy.
When a new Policy is installed, existing connections are marked as "old" (with a few exceptions
as described later).
When a new packet that belongs to an "old" connection is encountered, it is matched against
the Policy. If the Policy match result is Accept, the entry will revert back to a normal state and
the connection will continue uninterrupted. If the result is Drop or Reject then the packet is
dropped and the connection entry is deleted from the table.

Considerations and Restrictions

First packet direction


Each connection has two peers; the client and the server. The client initiates the connection to
the server.
When a new connection is established, the first packet is from the client to server and this is
what is matched against the Policy.
If the first packet arrives from the server side and does not belong to an established TCP
connection, it is silently discarded. UDP, ICMP and other non-TCP packets arriving from the
server side are dropped, since there is no way to guarantee that they are valid packets belonging
to the connection.

Data connections
Data connections are connections that are dynamically created within an existing control
connection, for example FTP. The initial control connection is used only for sending
commands; actual file transfers are done by new connections.
Data connections cannot usually be inferred from the Policy, because they are created according
to the flow of the control protocol; they are accepted as a consequence of the control connection,
so connectivity is not affected.
By default, when loading a new Policy, FireWall-1 deletes all data connection entries from the
table, because a Policy match attempted for a data connection packet is likely to give the wrong
result.
It is possible to change this default and treat data connections like regular ones, for cases where
the distinction between data and control connections does not matter (for example with an "ANY
ANY ANY accept" Policy).

It is also possible to keep all data connections without the "old" flag. This has a clear
connectivity advantage but also carries a security risk, because those connections are never
re-matched against the new Policy.

Security Servers
Connections that pass through the Security Servers continue and are not matched against the
new Policy.

IP Pool NAT
If the new Policy contains a new IP pool with different source or destination addresses than the
old one, any connections that were NATed using the old IP pool will be deleted.
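The following Python block is an added example, not code from this guide or from Check Point. It is a toy connections table that walks through the behaviour described in this section: regular entries are flagged "old" on a Policy installation and re-matched on their next client-side packet, data connection entries are deleted unless the Policy is set to keep them, and a server-side packet is never matched as a first packet. The Packet and Policy formats, the table layout and the exact handling of a server-side packet on an "old" entry (TCP entry kept for the client's retransmission, other protocols removed) are assumptions made for illustration, not the product's data structures.

```python
"""Added example (not from the SmartCenter Guide): a toy connections table that
models the "old" flag across a Policy installation. Formats are assumptions."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    client: str
    server: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: int
    from_server: bool = False   # True for a server -> client packet


@dataclass
class Policy:
    rules: list                     # (client, server, proto, dport, action); first match wins
    keep_data_conns: bool = False   # keep data connections without the "old" flag

    def match(self, pkt):
        for src, dst, proto, dport, action in self.rules:
            if (src in ("Any", pkt.client) and dst in ("Any", pkt.server)
                    and proto in ("Any", pkt.proto) and dport in ("Any", pkt.dport)):
                return action
        return "drop"               # implicit cleanup rule


ANY_ANY_ACCEPT = Policy([("Any", "Any", "Any", "Any", "accept")])


class Firewall:
    def __init__(self, policy):
        self.policy = policy
        self.table = {}             # key -> {"old": bool, "data": bool}

    @staticmethod
    def key(pkt):
        return (pkt.client, pkt.server, pkt.proto, pkt.dport)

    def install(self, new_policy):
        """Install a Policy: flag regular entries "old"; delete data connection
        entries unless the Policy is configured to keep them."""
        self.policy = new_policy
        for k, entry in list(self.table.items()):
            if entry["data"]:
                if not new_policy.keep_data_conns:
                    del self.table[k]
                # a kept data entry is never re-matched: the trade-off the text notes
            else:
                entry["old"] = True

    def open_data_connection(self, pkt):
        """Auxiliary connection derived from a control protocol such as FTP:
        accepted from the control flow, not from a Rule Base match."""
        self.table[self.key(pkt)] = {"old": False, "data": True}
        return "accept"

    def packet(self, pkt):
        k = self.key(pkt)
        entry = self.table.get(k)
        if entry is None:
            if pkt.from_server:     # only a client -> server first packet is matched
                return "drop"
            action = self.policy.match(pkt)
            if action == "accept":
                self.table[k] = {"old": False, "data": False}
            return action
        if not entry["old"]:
            return "accept"         # table hit, no Rule Base lookup
        if pkt.from_server:
            # Assumption: a server-side packet cannot serve as the first packet.
            # A TCP client will retransmit, so its entry stays; others are removed.
            if pkt.proto != "tcp":
                del self.table[k]
            return "drop"
        action = self.policy.match(pkt)     # old entry: re-match on the new Policy
        if action == "accept":
            entry["old"] = False            # normal entry again, connection continues
        else:
            del self.table[k]
        return action


def reinstall_scenario():
    """Open three connections, install a stricter Policy, report what survived."""
    fw = Firewall(ANY_ANY_ACCEPT)
    ssh = Packet("10.1.1.5", "10.2.2.8", "tcp", 22)
    smtp = Packet("10.1.1.5", "10.2.2.9", "tcp", 25)
    ftp_data = Packet("10.1.1.5", "10.2.2.10", "tcp", 20)
    fw.packet(ssh)
    fw.packet(smtp)
    fw.open_data_connection(ftp_data)
    fw.install(Policy([("10.1.1.5", "10.2.2.8", "tcp", 22, "accept")]))
    return {
        "ssh": fw.packet(ssh),                          # re-matched: accept
        "smtp": fw.packet(smtp),                        # re-matched: drop, entry removed
        "ftp_data_kept": fw.key(ftp_data) in fw.table,  # deleted on install
        "ssh_flag_cleared": not fw.table[fw.key(ssh)]["old"],
    }
```

reinstall_scenario() shows the three outcomes side by side: the SSH session is re-matched and continues, the SMTP session is dropped on its next packet because the new Policy has no rule for it, and the FTP data entry disappears at install time rather than being re-matched.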

Configuring connection Persistence


See “Check Point window — Connection Persistence page” on page 201.

Installing a VPN-1/FireWall-1 Policy From a Previous Database Version


Use the fwm load command. For details, see chapter 18, “Command Line Interface” on
page 559.

Notes on Installing and Uninstalling Policies


The following issues relate to a configuration consisting of:
• a SmartCenter Server that is also a VPN/FireWall Module
• another VPN/FireWall Module
1) If the VPN/FireWall Module on the SmartCenter Server does not have a Policy installed,
and you install a Policy on both Modules simultaneously, the installation on the Server’s
Module may show a “session timeout” error. This can be ignored.
2) When a Policy on the remote Module is uninstalled, the connection may hang because the
Module loses its state (see “Installing the Security Policy” above). To avoid this problem,
first install the Policy on the Server’s Module and then install the Policy on the remote
Module.

Retrieving a Policy
To retrieve a policy installed on another VPN/FireWall Module, select the VPN/FireWall
Module from the list in Security Policies on Targets. The policy (including all the objects
defined at the time the policy was installed) will be retrieved, and you will be able to view the
policy in read-only mode. You will not be able to modify the policy.

Viewing the Inspection Script


To view the Inspection Script, choose View from the Policy menu. While viewing the text of
the Inspection Script, you can save it to a file (on the server) by using the File menu. You can
then edit the file and use the command-line interface from the server to load it in the
VPN/FireWall Module. The Inspection Script is automatically verified when you load it for
viewing.
For additional information about the INSPECT language, see the SecureKnowledge database at
http://support.checkpoint.com/kb/.
FIGURE 8-32 View Inspection Script Text

Inspection Code Loading


When you install or uninstall a Security Policy from the GUI (by choosing Install or UnInstall
from the Policy menu), the VPN-1/FireWall-1 SmartCenter Server runs the fw command with
the load or unload argument (see "fwm load" on page 556 and "fwm unload" on page 558 for
more information).
You can modify this behavior so that choosing Install or UnInstall from the Policy menu runs
a program or shell script (batch file) of your choice. For example, to run bigapple, define the
attribute :load_program(<batch file name>) at the highest level of
$FWDIR/conf/objects_5_0.C:

load_program ("bigapple")

bigapple will be run with the same parameters that fw would have received (where the first
argument is either load or unload; see "When fwm load and fwm unload are Run From the
GUI" on page 557). It is then your responsibility to ensure that bigapple correctly processes its
arguments and installs or uninstalls the Security Policy. Of course, bigapple can also perform
any other functions you wish. Because bigapple runs on the SmartCenter Server in place of fw,
protect it as you would fw itself: keep the file and its directory writable only by the
administrator.

Installing Access Lists


When you install a rule on a router, VPN-1/FireWall-1 generates Access Lists and loads them to
the Open Security Extension (OSE) Device. VPN-1/FireWall-1 also allows you to import
Access Lists for Cisco, Bay RS and 3Com OSE Devices, enabling the integration of existing
filter configurations. Access Lists for OSE Devices can be viewed and verified.
When installing Access Lists to an OSE Device, the OSE Device must be accessible and you
must have permission to install the Access List. See the documentation for your router on how
to define the appropriate permissions. You must also define the correct access permissions in the
Setup tab of the OSE Device Properties window.

Importing Access Lists


The VPN-1/FireWall-1 Open Security Extension feature enables you to import existing Access
Lists from the following routers and security devices:
• Cisco routers
• 3Com routers
• Nortel (Bay RS) routers
Access Lists can be imported to a Rule Base or as ASCII files. Access Lists imported to a Rule
Base are displayed in terms of source, destination, service, the router interface and direction to
which each rule applies. Imported Access Lists can be modified in the Rule Base and installed
on the appropriate router interface.
ASCII files display Access Lists as simple text files and include additional details that are not
represented in the Rule Base. You cannot modify the imported ASCII files.
Imported Access Lists can also be viewed and verified. Verification checks Access Lists for
inconsistencies and redundant rules. For more information, see “Verifying and Viewing Access
Lists” on page 344.

Note - The OSE Device properties are not part of an imported policy.

To Import Router Access Lists


1 From the Policy menu, choose Access Lists.
The OSE Device Access List Operations window (FIGURE 8-33) is displayed.

FIGURE 8-33 OSE Device Access List Operations window

2 Select Import Access Lists.

The Router Access Lists Control window (FIGURE 8-34) is displayed.


FIGURE 8-34 OSE Device Access List Operations with import options

3 Specify the following parameters:


OSE Device — Select a device from the drop-down list.
Interface — Select an interface. The drop-down list displays all the interfaces available for
the selected router.
Direction — Select a direction.
Display Type — Select one of the following:
• Ascii Access Lists
• Graphical Rule Base

Managing Imported Access Lists in the Rule Base


VPN-1/FireWall-1 opens a new Security Policy when you import Access Lists to the Rule Base.
The Security Policy title displays the name of the imported Rule Base in the following format:
<router name>_<inbound/outbound/eitherbound>_Imported_Policy

Each filter rule is displayed as a rule in the Rule Base. The Rule Base specifies the Source,
Destination and Service for each imported filter rule. The Install On field displays the router
interface and direction to which each rule applies, using the following format:
<inbound/outbound/eitherbound>.<interface name>@<router name>
The Rule Base Comment displays additional filter information.

Modifying Imported Rules


You can modify an imported rule’s Source, Destination, and Service fields, but you cannot
modify the Install On field. You can delete, copy, cut, and paste imported rules. You cannot add
a new rule on a specific router interface. You must first copy and paste a rule that specifies the
router interface and direction under Install On and then modify the other data fields in that
rule.

Unknown Network Objects and Services


Unknown network objects or services indicate objects that you have not yet defined to
VPN-1/FireWall-1. You can complete the object or service definition based on properties
imported from the Access Lists, such as IP addresses or service port numbers. To view the
imported properties of an Unknown object, double-click the object to open the appropriate
Properties window.

Verifying and Viewing Access Lists


VPN-1/FireWall-1 allows you to view and verify Access Lists generated from the Rule Base.
Verification checks that the rules are consistent and that no rule is redundant. If a Rule Base fails
the verification, an appropriate message will appear. You can also view and verify imported
Access Lists.
To verify or view router Access Lists, choose Access Lists from the Policy menu. The OSE
Device Access List Operations window (FIGURE 8-33) is displayed.

To verify Access Lists, check Verify and select the appropriate router from the drop-down list.
To view Access Lists, check View and select the appropriate router from the drop-down list.
VPN-1/FireWall-1 verifies the Access List before displaying it.

FIGURE 8-35 View of a Cisco Access List

Installing Access Lists


For instructions on installing Access Lists to routers, see “Installing the Security Policy” on page
333.

Boot Security
During the boot process, there is a short period of time (measured in seconds) between the
point when the VPN/FireWall Module machine becomes able to communicate and the point
when the Security Policy is loaded and enforced. During this time, VPN-1/FireWall-1 Boot
Security protects both the internal networks behind the VPN/FireWall Module machine and
the machine itself. Boot Security is provided by a number of elements working together:
• Control of IP Forwarding on boot
• The Default Filter (improved in NG)
• The Initial Policy (new in NG)
In addition, the fwstop -proc and fwstop -default commands allow the FireWall-1 processes
to be stopped for maintenance while still protecting the FireWalled Gateway machine and the
internal network.
For more information about Boot Security, see Check Point FireWall-1 Guide.

Note - If you stop VPN-1/FireWall-1 (fwstop) while the Default Filter is active, then no
Security Policy will be enforced until you start VPN-1/FireWall-1 again (fwstart).

Auxiliary Connections
A number of services establish auxiliary connections that require special handling by
VPN-1/FireWall-1. For example, an FTP data (auxiliary) connection from the FTP server to the
client is automatically allowed.

Consider the following Rule Base:

TABLE 8-11

Source      Destination   Services   Action   Track   Install On
FTPClient   FTPServer     Any        Accept           Gateways
Any         Any           Any        Reject   Log     Gateways

If the auxiliary connection is from the client to the server (as with FTP PASV), the auxiliary
connection may be improperly handled in some cases (for example, if the server’s IP address is
translated).
Before a back connection is opened (for example, for FTP), the back connection’s destination
port is checked against a list of known TCP and UDP services. If the requested port “belongs”
to a well known service, the back connection is rejected.
Services that open back connections fall into two categories in VPN-1/FireWall-1 (assuming
that there is a rule that allows the initial connection):
• VPN-1/FireWall-1 allows auxiliary connections only if the appropriate property is enabled.
These services are:
  • FTP PORT
  • FTP PASV
  • RSH/REXEC
  • RPC Control
• VPN-1/FireWall-1 allows auxiliary connections only if the service is specifically listed under
Services in the rule that allows the initial connection. These services are:
  • VDOLive
  • WebTheatre
  • H.323
  • CoolTalk
  • BackWeb
  • RealAudio
  • FreeTel
  • MS Exchange services (requires DCE-RPC)
  • NetShow
  • sqlnet2
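The following Python block is an added example, not code from this guide or from Check Point. It parses the endpoint announced by an FTP PORT command (client side) or a 227 PASV reply (server side) and applies the check the text describes: the back connection is refused if its destination port belongs to a well-known service. The service list is a constructed subset, not the product's service database, and the additional check that the announced address matches the control-connection peer goes beyond the text; it is the standard defence against FTP bounce attacks and is labelled as such in the code.

```python
"""Added example (not from the SmartCenter Guide): back-connection port check for
FTP PORT/PASV. Service list is a constructed subset; the address check is an
addition beyond the guide's text."""

import re

# Constructed subset of well-known TCP/UDP service ports.
WELL_KNOWN_SERVICES = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain",
    80: "http", 110: "pop3", 111: "sunrpc", 143: "imap", 443: "https",
}

_OCTETS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _OCTETS + r"\s*$")        # client announces
PASV_RE = re.compile(r"^227\b[^(]*\(" + _OCTETS + r"\)")      # server announces


def parse_endpoint(line):
    """(ip, port) announced by a PORT command or a 227 reply, or None if malformed."""
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def back_connection_decision(line, control_peer_ip):
    """Return (allowed, reason) for the data connection implied by `line`.
    `control_peer_ip` is the address of the party that sent the line on the
    control connection: the client for PORT, the server for a 227 reply."""
    endpoint = parse_endpoint(line)
    if endpoint is None:
        return False, "unparseable PORT/PASV announcement"
    ip, port = endpoint
    if port in WELL_KNOWN_SERVICES:
        # The check the guide describes: never open a back connection onto a
        # port that belongs to a well-known service.
        return False, f"port {port} belongs to the well-known service {WELL_KNOWN_SERVICES[port]}"
    if ip != control_peer_ip:
        # Added check beyond the text: a third-party address is the FTP bounce pattern.
        return False, f"announced address {ip} is not the control peer {control_peer_ip}"
    return True, "ok"
```

For "PORT 10,0,0,5,4,1" the announced port is 4 * 256 + 1 = 1025 and the connection is allowed; "PORT 10,0,0,5,0,25" asks for port 25 and is refused as SMTP, which is exactly the case the port list is there to catch.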

When a Security Policy is Installed


When a Security Policy is installed, existing entries in the connections table are flagged as
"old" and re-matched against the new Security Policy on their next packet (see "Connection
Persistence during a new Policy installation" on page 339), so the new Security Policy is
enforced on existing connections and sessions.
After the Security Policy is installed, the first packet of an established connection is logged if all
the following conditions are true:
• the Security Policy Rule Base specifies that the connection is to be logged
• the packet’s direction (source and target) is the same as the original connection
In the Log Viewer, the additional log entry is unified with the original one. You can see the log
entries individually (not unified) by using the fw log command with the appropriate parameters
(see “fwm log” on page 593).


CHAPTER 9

Time and Scheduled Event Objects

In This Chapter

Overview          page 347
Time Objects      page 349
Scheduled Events  page 351
Groups            page 353

Overview
Time objects are used to specify time periods during which rules are in effect.
Note - If two Modules are in different time zones, then some problems may arise. For
example, suppose a rule specifies encryption from 09:00 to 17:00 between two
enforcement Modules separated by five hours. It can happen that the Module initiating the
connection will encrypt, but the peer will not be expecting the connection to be
encrypted. If Enable decryption on accept in the VPN-1 page of the Global Properties
window is not enabled, then the peer will not decrypt the packets and the connection will
fail.

To define a time object, choose Time from the Manage menu. The Time Objects window
(FIGURE 9-1 on page 348) appears.

FIGURE 9-1 Time Objects window

The objects displayed depend on what you have selected from the Show drop-down list.

TABLE 9-1 Time Object Actions

for a description of how to...   see
create a time object             "Creating a New Time Object" on page 348
modify a time object             "Modifying a New Time Object" on page 348
delete a time object             "Deleting a New Time Object" on page 348

Creating a New Time Object


To create a new object, click on New. A menu appears, listing the types of objects you can
create.
Choose one of the following:
• Time — a time object (one to three periods of time, with optional daily, weekly or monthly
recurrence); see “Time Objects” on page 349.
• Scheduled Event — a scheduled event object (a point in time, with optional daily, weekly
or monthly recurrence); see “Scheduled Events” on page 351.
• Group — a group of time or scheduled events; see “Groups” on page 353.

A window appears prompting you to enter the properties of the selected object type.

Deleting a New Time Object


To delete an object, select the object and click on Remove.

Modifying a New Time Object


To modify an object, select the object and click on Edit, or double-click on the object.

Time Objects

Time Object Properties Window — General Tab


FIGURE 9-2 Time Object Properties window — General tab

Name — the object’s name


Comment — descriptive text
This text is displayed on the bottom of the Time Object window when this item is selected.
Color — the color of the object’s icon
Select the desired color from the drop-down list.
Time of Day — Enter up to three From–To pairs in 24–hour notation.
To specify all day, set From to 00:00 and To to 23:59.
A rule in which a time object is used is applied only to connections which begin during the
time period defined by the time object. If an allowed connection extends past the time period,
it will be allowed to continue.
The time on the enforcement Module (VPN/FireWall, FloodGate etc.) is compared to the time
specified in the time object, and if there is a match, the rule is applied.

Time Object Properties Window — Days Tab


FIGURE 9-3 Time Object Properties window — Days tab

Days Specification — Choose one of the following:


None — The times of day specified in the General tab of the Time Object Properties
window apply on all days.
Day in Month — The times of day specified in the General tab of the Time Object Properties
window apply only on the days of the month checked under Days in Month (FIGURE 9-4 on
page 351).
Day in Week — The times of day specified in the General tab of the Time Object Properties
window apply only on the days of the week checked under Days in Week (FIGURE 9-5 on
page 351).

FIGURE 9-4 Time Object window — Days tab (Days in Month)

Month — The times of day specified in the General tab of the Time Object Properties
window apply only during the month specified. This field is enabled only if Days Specification
is Day in Month.
FIGURE 9-5 Time Object window — Days tab (Days in Week)

Week — The times of day specified in the General tab of the Time Object Properties window
apply only during the week specified. This field is enabled only if Days Specification is Day
in Week.
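To make the matching rules of the General and Days tabs concrete, here is an added example that evaluates a Time object against a connection's start time. It is not Check Point code and does not describe how the enforcement Module is implemented; the class and function names are the example's own, and the assumptions it adds (inclusive From-To minutes, no wrap past midnight, Monday=0 for Days in Week, Month as a set of month numbers) are stated in its docstring.

```python
"""Added example, not Check Point code: evaluates a Time object against a
connection the way the General and Days tabs describe. Names here are the
example's own. Assumptions the page does not state: a From-To pair is
inclusive at minute granularity and does not wrap past midnight (the page
writes "all day" as 00:00-23:59); Days in Week are Monday=0 .. Sunday=6; the
Month field is modelled as a set of month numbers (empty = any month)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime


def minutes(hhmm: str) -> int:
    """'17:59' -> 1079; rejects anything that is not 24-hour HH:MM."""
    hours, mins = (int(x) for x in hhmm.split(":"))
    if not (0 <= hours <= 23 and 0 <= mins <= 59):
        raise ValueError(f"not a 24-hour time: {hhmm}")
    return hours * 60 + mins


@dataclass
class TimeObject:
    periods: list[tuple[str, str]]                          # one to three ("From", "To") pairs
    days_spec: str = "none"                                 # "none", "day_in_month", "day_in_week"
    days_in_month: set[int] = field(default_factory=set)    # 1..31
    days_in_week: set[int] = field(default_factory=set)     # 0=Mon .. 6=Sun
    months: set[int] = field(default_factory=set)           # empty = any month

    def __post_init__(self) -> None:
        if not 1 <= len(self.periods) <= 3:
            raise ValueError("a Time object holds one to three From-To pairs")
        for start, end in self.periods:
            if minutes(start) > minutes(end):
                raise ValueError(f"From {start} is after To {end}; use two pairs instead")

    def day_matches(self, t: datetime) -> bool:
        if self.months and t.month not in self.months:
            return False
        if self.days_spec == "none":
            return True
        if self.days_spec == "day_in_month":
            return t.day in self.days_in_month
        if self.days_spec == "day_in_week":
            return t.weekday() in self.days_in_week
        raise ValueError(f"unknown Days Specification {self.days_spec!r}")

    def matches(self, t: datetime) -> bool:
        """True when instant t, read from the enforcement module's clock, is inside the object."""
        if not self.day_matches(t):
            return False
        now = t.hour * 60 + t.minute
        return any(minutes(a) <= now <= minutes(b) for a, b in self.periods)


def rule_applies(time_obj: TimeObject, connection_start: datetime) -> bool:
    """The Time column is checked against the connection's start time only."""
    return time_obj.matches(connection_start)


def still_allowed(time_obj: TimeObject, connection_start: datetime, now: datetime) -> bool:
    """An accepted connection is not cut off when the period ends: `now` is
    deliberately unused, which is exactly the behaviour the page describes."""
    return rule_applies(time_obj, connection_start)


def at(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample objects: office hours on weekdays, and an all-day payroll window.
BUSINESS_HOURS = TimeObject([("09:00", "12:00"), ("13:00", "17:59")],
                            "day_in_week", days_in_week={0, 1, 2, 3, 4})
PAYROLL_WINDOW = TimeObject([("00:00", "23:59")], "day_in_month", days_in_month={1, 15})

if __name__ == "__main__":
    start = at("2002-09-02 17:59")                    # a Monday, one minute before close
    print(rule_applies(BUSINESS_HOURS, start))        # True: accepted
    print(still_allowed(BUSINESS_HOURS, start, at("2002-09-02 18:30")))   # True: not cut off
    print(rule_applies(BUSINESS_HOURS, at("2002-09-07 10:00")))          # False: Saturday
```

The `still_allowed` function is the point of the example: a connection admitted at 17:59 is still open at 18:30, so a time object does not by itself enforce an end-of-day cut-off for long-lived sessions.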

Scheduled Events
Scheduled events are used to trigger processes, for example, in the Management High
Availability page of the Global Properties window or in the Logging Policy page of the
network object’s Properties window.

Scheduled Event Properties Window — General Page


FIGURE 9-6 Scheduled Event Properties window — General page

Name — the object’s name


Comment — descriptive text
This text is displayed on the bottom of the Time Object window when this item is selected.
Color — the color of the object’s icon
Select the desired color from the drop-down list.
Time of Event — Choose one of the following:
• At (hh:mm) — This event happens once a day, at a specific time, on the days selected in the
Days page. Enter a time of day in 24-hour notation. When this is selected, the Days page
(FIGURE 9-7) becomes available.
• Every — This event recurs at a fixed interval. Specify how frequently the event occurs.

Scheduled Event Properties Window — Days Page


FIGURE 9-7 Scheduled Event Properties window — Days page

This page is available when At (hh:mm) is selected under Time of Event in the General page
(FIGURE 9-6).
Days Specification — Choose one of the following:
Daily — The time of day specified in the General page of the Scheduled Event Properties
window applies on all days.
Day in Month — The time of day specified in the General page of the Scheduled Event
Properties window applies only on the days of the month checked under Days in Month.
Day in Week — The time of day specified in the General page of the Scheduled Event
Properties window applies only on the days of the week checked under Days in Week.

Groups
You can simplify the Rule Base by defining a group of time objects and using the group in rules.

Creating a Group
To create a group, create an object of type Group using the Time Object Manager (see
“Creating a New Time Object” on page 348). Next, add objects to the group using the Group
Properties window (FIGURE 9-8 on page 354).

To display the Group Properties window, double-click on the group’s name in the Time Object
Manager window.

FIGURE 9-8 Group Properties window

Adding an Object to a Group


In the left listbox (labeled Not in Group), select the objects you wish to include in the group.
Use the Add button to add individual objects and to add groups to the group.

Note - To define a new object directly from this window, click New. A menu will be
displayed from which you can select the type of object to create. When you finish defining
the object, you will return to this window.

You can add a group to another group in one of two ways:


1) You can individually add all the objects in one group to another group, without nesting.
Click on Yes in reply to the question in the window (FIGURE 9-9).
2) You can nest groups inside groups to create a group hierarchy of any desired complexity.
Click on No in reply to the question in the window.
If you nest groups, you can see a nested group’s members by selecting the group in the right
listbox (labeled In Group) and clicking View expanded group.
FIGURE 9-9 Adding a Group to a Group

Deleting an Object from a Group


Select the objects to be deleted from the right listbox (labeled In Group), and then click on
Remove.

CHAPTER 10

Server Objects and OPSEC Applications

In This Chapter

Server Objects page 357


RADIUS Servers page 360
TACACS Servers page 362
AXENT Pathways Defender Servers page 363
ACE (SecurID) Servers page 363
LDAP (Lightweight Directory Access Protocol) Account Units page 364
Certificate Authority page 368
SecuRemote DNS page 370
OPSEC Servers and Clients page 371

Server Objects
A server object represents a server running on a specific host. The available server objects are:
1 RADIUS
A RADIUS Server is used to provide authentication services. For information about defining
an Authentication scheme for a user, see “User Properties Window — Authentication tab” on
page 163.
2 RADIUS Server group
A RADIUS Server group consists of RADIUS Servers.
3 TACACS

A TACACS Server is used to provide authentication services. For information about defining
an Authentication scheme for a user, see “User Properties Window — Authentication tab” on
page 163.
4 AXENT Defender
An AXENT Defender Server is used to provide authentication services. For information about
defining an Authentication scheme for a user, see “User Properties Window — Authentication
tab” on page 163.
5 ACE (SecurID) Server
ACE Servers are used for authenticating SecurID users. For information about defining an
Authentication scheme for a user, see “User Properties Window — Authentication tab” on
page 163 of Check Point SmartCenter Guide.
6 LDAP Account Unit
The VPN-1/FireWall-1 Account Management system is an independent module that enables
the Security Manager to integrate an LDAP-compliant user database with VPN-1/FireWall-1
User Authentication. An LDAP Server can contain multiple branches (for example,
“o=University of Michigan,c=UK”). An LDAP Server and a subset of its branches constitute
a VPN-1/FireWall-1 Account Unit.
For information about Account Units, see “LDAP (Lightweight Directory Access Protocol)
Account Units” on page 364.
7 Certificate Authority
A Certificate Authority (CA) issues certificates to entities (users or computers) which then
use the certificates to identify themselves and provide verifiable information about
themselves.
For information about Certificate Authorities, see Chapter 3, “Certificate Authorities” of
Check Point Virtual Private Networks Guide.
8 SecuRemote DNS
The SecuRemote DNS GUI lets administrators configure DNS redirection and encryption.
For information about SecuRemote DNS, see “SecuRemote DNS” on page 370.

OPSEC Servers (CVP, UFP or AMON servers)

9 URL Filtering Protocol (UFP)


A UFP server can be used in defining a URI Resource. For information about URI
Resources, see “URI Resources” on page 233.
10 Content Vectoring Protocol (CVP)
A CVP server examines the contents of a file or data stream. For examples of how to use CVP
servers in a resource definition, see Chapter 6, “Services and Resources.”

See “Implementing CVP Inspection” on page 234 of Check Point FireWall-1 Guide for
information about the CVP protocol.
11 Application Monitoring (AMON)
An AMON server enables network applications to report their status to Check Point
management.
See “OPSEC Definition Window— AMON Options Tab” on page 384, for information
about the AMON server.

Defining Server Objects


To define a Server object do one of the following:
• choose Servers from the Manage menu, or
The objects displayed depend on what you have selected from the Show drop-down list.

TABLE 10-1 Server Object Actions

for a description of how to ... see



create a new server object “Creating a New Server” on page 359
remove a server object “Removing a Server” on page 360
edit a server object “Editing a Server” on page 360

Creating a New Server


To create a new server:
1) Click on New. A menu is displayed, listing the types of servers you can create.
2) Choose a type from the menu and click OK. A window is displayed prompting you to enter
the properties of the selected server type.

TABLE 10-2 Server Types

to create a server of type...   which is used for...                              ... see
RADIUS                          RADIUS authentication                             “RADIUS Servers” on page 360
RADIUS Group                    RADIUS authentication                             “RADIUS Server Groups” on page 361
TACACS                          TACACS authentication                             “TACACS Servers” on page 362
DEFENDER                        AXENT Defender authentication                     “AXENT Pathways Defender Servers” on page 363
ACE (SecurID) Server            SecurID authentication                            “ACE (SecurID) Servers” on page 363
LDAP Account Unit               maintaining an LDAP user database                 “LDAP Account Unit Properties Window — General Tab” on page 365
Certificate Authority           defining a Certificate Authority                  “Certificate Authority Properties Window — General Tab” on page 368
SecuRemote DNS                  configuring DNS redirection and encryption        “SecuRemote DNS General Tab” on page 370
OPSEC Server                    checking content data, screening URLs, reporting  “OPSEC Servers and Clients” on page 371
                                third party application status to VPN-1/FireWall-1

Removing a Server
To delete a server, select the server and click Remove.

Editing a Server
To edit or modify a server, select the server and click Edit, or double-click the server.

RADIUS Servers
RADIUS servers are used for authenticating users. For information about defining an
Authentication scheme for a user, see “User Properties Window — Authentication tab” on page
163 of Check Point SmartCenter Guide.
For information about Authentication schemes in general, see “Authentication Schemes” on
page 125.

RADIUS Server Properties Window — General Tab


Name — the server’s name
Comment — descriptive text
This text is displayed on the bottom of the Server Object window when this item is selected.
Color — the color of the server’s icon
Select the desired color from the drop-down list.
Priority — Specify the priority level when more than one RADIUS server is contacted

When more than one RADIUS server is contacted (that is, when a group of RADIUS servers
or Any is specified for a RADIUS user) then they are contacted in the sequence defined by
their priorities, where a lower number specifies a higher priority.
Host — Select the host on which the server is running.
The host should have already been defined as a network object (see “Overview” on page 173).
Shared Secret — Enter a string of up to 15 nonspace characters.
The shared secret is a key that authenticates communication between the FireWalled machine
and the RADIUS server. You must use the same shared secret you defined in the clients
file on the RADIUS server.
Service — Select the service for communication with the server.
For RADIUS servers, the service is RADIUS.
Version — Select the version from the drop-down list.
The items in the list are given under radius_versions in the file
$FWDIR/lib/setup.C.
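The Shared Secret above is the only thing that ties the module's requests and the server's replies together, so it is worth seeing what it actually protects. The following is an added example, not Check Point code, showing the RFC 2865 mechanics that any RADIUS client and server implement: the User-Password is hidden with an MD5 keystream derived from the secret and the Request Authenticator, and the server proves it holds the same secret through the Response Authenticator on its reply. All packets are constructed in the example; nothing is sent on the wire.

```python
"""Added example, not Check Point code: the RFC 2865 mechanics behind the
Shared Secret field. The enforcement module (RADIUS client) hides the
User-Password with MD5(secret || Request Authenticator), and the RADIUS
server proves it holds the same secret with the Response Authenticator,
MD5(Code | ID | Length | Request Authenticator | Attributes | Secret).
Every packet below is constructed for the example; nothing goes on the wire."""
from __future__ import annotations

import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")      # Code, Identifier, Length
HEADER_LEN = 20                     # 4-byte header + 16-byte Authenticator


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 octets, XOR each block with MD5(secret || previous ciphertext block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side reverse of hide_password; the chain runs on the ciphertext blocks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")   # strip padding (RADIUS passwords cannot end in NUL)


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes | None = None) -> bytes:
    request_auth = request_auth or os.urandom(16)   # must be unpredictable and never reused
    attrs = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    header = HEADER.pack(code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """The server's reply. Without the right secret the authenticator cannot be produced."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(packet: bytes, ident: int, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check: length, identifier and authenticator must all agree."""
    if len(packet) < HEADER_LEN:
        return False
    code, pkt_ident, length = HEADER.unpack(packet[:4])
    if length != len(packet) or pkt_ident != ident:
        return False
    expected = response_authenticator(code, pkt_ident, packet[HEADER_LEN:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def authenticated(packet: bytes, ident: int, request_auth: bytes, secret: bytes) -> bool:
    """True only for a verified Access-Accept; a forged or tampered reply is rejected."""
    return verify_response(packet, ident, request_auth, secret) and packet[0] == ACCESS_ACCEPT
```

Two practical consequences follow from the code: anyone who learns the shared secret can both recover hidden passwords from captured requests and forge Access-Accept replies, and because the protection is a plain MD5 construction, a short or guessable secret can be brute-forced offline from a single captured exchange. Use the full length the field allows and a random value, and make sure the RADIUS server's clients file carries exactly the same string.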

RADIUS Server Groups


You can simplify the Rule Base by defining a group of RADIUS servers and using the group in
rules. If a RADIUS server group is defined in a user’s Authentication properties,
VPN-1/FireWall-1 sends authentication requests to the servers in the group according to their
priority, as defined in the General tab of the RADIUS Server Properties window. If two servers
have the same priority, their order is determined arbitrarily.
RADIUS groups can be used for High Availability only, not for chaining. To achieve chaining,
use a RADIUS proxy (between the chain and the FireWall Module).

Creating a RADIUS Server Group


To create a group, create an object of type RADIUS Group using the Server Object Manager (see
“Creating a New Server” on page 359). Next, add objects to the group using the Group
Properties window.

To display the Group Properties window, double-click the group’s name in the Server Object
Manager window.

Adding a Server to a RADIUS Server Group


In the left listbox (labeled Not in Group), select the servers you wish to include in the group.
Use the Add button to add individual servers or groups to the group.

Note - All the servers in a server group must be of the same type.

You can add a group to another group in one of two ways:


1) You can individually add all the servers in one group to another group, without nesting
groups within groups. Click on Yes in reply to the question in the window (FIGURE 10-1).
2) You can nest groups inside groups to create a group hierarchy of any desired complexity.
Click on No in reply to the question in the window.
FIGURE 10-1 Adding a Group to a Group

If you nest groups, you can see a nested group’s members by selecting the group in the right
listbox (labeled In Group) and clicking View expanded group.

Deleting a Server from a RADIUS Server Group


Select the servers to be deleted from the right listbox (labeled In Group), and then click
Remove.

TACACS Servers

TACACS Server Properties Window — General Tab


Name — the server’s name
Comment — descriptive text
This text is displayed on the bottom of the Server Object window when this item is selected.
Color — the color of the server’s icon
Select the desired color from the drop-down list.
Host — From the menu, select the host on which the server is running.
The host should have already been defined as a network object (see “Overview” on page 173).
Type — Select TACACS or TACACS +.

Secret Key — the key shared with the TACACS server. For how the key is configured on the
server side, see the TACACS server documentation.
Service — From the menu, select the service for communication with the server; it must
correspond to the server Type. For TACACS+ Servers, for example, the service is TACACS+.

AXENT Pathways Defender Servers

Defender Server Properties Window — General Tab


Name — the server’s name
Comment — descriptive text
This text is displayed on the bottom of the Server Object window when this server is selected.
Color — the color of the server’s icon
Select the desired color from the drop-down list.
Host — the host on which the primary Axent Defender server is running
Select the host from the drop-down list. The host should have already been defined as a
network object.
Backup Host — the host of the backup Axent Defender server
The Backup Host is not a separate Axent server, but is a backup server to the primary server
defined under Host. Because it is not a separate server, it does not have its own Agent Name
and Agent ID.
Agent ID — the Agent ID of the VPN/FireWall Module, as defined on the Axent Pathways
Defender Server
Agent Key — a 16 hexadecimal digit key
This key is defined on the Axent Pathways Defender Server and is used to encrypt
communication between the VPN/FireWall Module and the Axent Pathways Defender Server.

Note - The VPN-1/FireWall-1 Security Servers support the SecureNet Keys (SNK)
authentication scheme.

ACE (SecurID) Servers


ACE Servers are used for authenticating users. For information about defining an Authentication
scheme for a user, see “User Properties Window — Authentication tab” on page 163 of Check
Point SmartCenter Guide.
ACE Servers are not defined as Check Point Server objects, but there are some issues of which
you should be aware.

Configuring ACE (SecurID) Servers


VPN-1/FireWall-1 uses the standard client library of the ACE Server. In order to use SecurID,
proceed as follows:
1 Install and configure the ACE Server.

You will need an ACE Server somewhere in your network. The ACE Server does not have to
reside on the VPN/FireWall Module machine. For information about how to install and
configure your ACE server, refer to the SecurID documentation.
2 In VPN-1/FireWall-1, create a user whose authentication scheme is SecurID.
3 Configure your VPN/FireWall Module machine as an ACE Client.
VPN-1/FireWall-1 uses the standard client library of the ACE/Server. This means that you
don't have to do anything special in order to integrate the software. All you have to do is to
prepare the VPN/FireWall Module machine as an ACE Client.
For information about how to install and configure an ACE Client, refer to the SecurID
documentation.
VPN-1/FireWall-1 reads the sdconf.rec file to determine the ACE Server and other
parameters involving ACE Client-Server communications, so you must copy sdconf.rec from
the ACE Server to the ACE Client.

TABLE 10-3 sdconf.rec directory

sdconf.rec directory
Unix /var/ace
Windows NT WINNT/SYSTEM32

Note - If you make any changes to sdconf.rec, stop and restart the VPN/FireWall Module
(using the cpstop and cpstart commands).

ACE and DES


VPN-1/FireWall-1 supports the DES option of the SecurID ACE Server.

ACE and the Rule Base


SecurID services are not automatically added to the Implied Rules of the VPN-1/FireWall-1
Security Policy Rule Base, as they are for the other authentication servers. You must
therefore add a rule that allows SecurID service connections to pass between the FireWall
Module and the SecurID ACE Server.

LDAP (Lightweight Directory Access Protocol) Account Units


In VPN-1/FireWall-1, users can be managed using an LDAP (Lightweight Directory Access
Protocol) Server. The LDAP Server and VPN-1/FireWall-1 SmartCenter Server usually reside
on different hosts and are maintained by different people. Separating the functionality of the two
systems provides the following benefits:
• The system administrator can use existing LDAP-compliant directories.

• A single VPN-1/FireWall-1 SmartCenter Server can be used by several departments or
customers, each of which can manage its own users independently.
• Users can maintain and change their own passwords.
There is no limit to the number of users that can be defined on an LDAP Server.
An LDAP Server can contain multiple branches (“o=University of Michigan,c=UK”, for
example, is a branch). A Check Point Account Unit consists of a subset of the branches defined
on an LDAP Server. A user database can be made up of more than one Account Unit. Any
number of Account Units can be defined to VPN-1/FireWall-1.
For complete instructions and information about how LDAP Account Units are used in
VPN-1/FireWall-1, see the book, Check Point User SmartCenter Guide.

LDAP Account Unit Properties Window — General Tab


Name — the Account Unit’s name
Comment — descriptive text
This text is displayed on the bottom of the Server Object window when this LDAP Server is
selected.
Color — the color of the server’s icon
Select the desired color from the drop-down list.
CRL Retrieval — This Account Unit is used for Certificate Revocation List (CRL) retrieval,
that is, it is the CRL repository for OPSEC PKI-enabled Certificate Authorities (see Chapter 3,
“Certificate Authorities” of Check Point Virtual Private Networks Guide).
If you check CRL Retrieval, you only need to specify Host, Port, and server Branches in this
window.
User Management — this Account Unit is used for managing users in an LDAP directory.
User Management is enabled only if Use LDAP Account Management is checked in the
LDAP tab of the Global Properties window (page 283).
Host — the host on which the LDAP Server is running
Select the host from the drop-down list. The host should have already been defined as a
network object (see “Overview” on page 173).
Port — the port on which the LDAP Server is listening for non-encrypted communication
Login DN — the DN that will be used to bind (login) to the Account Unit
Password — the password for binding
LDAP Rights — the VPN/FireWall Module’s access privileges on the LDAP Server
Check R(ead) or W(rite) or both.
If Write is checked, users can update their VPN-1/FireWall-1 passwords on the LDAP Server.

If the LDAP Server is a read-only replica (a slave), uncheck W.

Priority — this Account Unit’s priority in relation to other Account Units


LDAP Server Type — the kind of LDAP server (vendor and version). Different LDAP servers offer
different features through different schemas and protocol dialects; specifying the server type
tells LDAP Account Management how to talk to this server.
Branches— the branches of the LDAP directory which will be searched when querying to this
LDAP Server

Managing LDAP Branches

Fetching All Branches


If your LDAP Server is Version 3.0 or higher, you can fetch all the branches (suffixes) supported
by the LDAP Server by clicking on Fetch.

Adding a New Branch


To add a new branch, click Add. The LDAP Branch Definition window is displayed.
FIGURE 10-2 LDAP Branch Definition

Enter the branch and click OK. The branch is added to the listbox in the General tab of the
Account Unit Properties window.

Changing a Branch
To change a branch definition, select the branch and click Edit.

Deleting a Branch
To delete a branch from the list, select the branch and click Delete.

LDAP Account Unit Properties Window — Users Tab


The Users tab specifies the following:
• The default template that will be used to provide VPN-1/FireWall-1-specific attributes to
LDAP users maintained with a third-party LDAP Client.
• The authentication schemes that will be supported by the VPN/FireWall Module for users
defined on this LDAP Account Unit.
Use Default User Template — Specifies the VPN-1/FireWall-1 user template from which to
obtain VPN-1/FireWall-1-specific attributes for LDAP users for whom these attributes are not
defined, that is, users maintained with a third-party LDAP Client.

When users are maintained with a third-party LDAP Client in which
VPN-1/FireWall-1-specific attributes are not defined, the missing VPN-1/FireWall-1-specific
attributes are retrieved at run-time from the VPN-1/FireWall-1 template specified in Use
Default User Template. This template should not define attributes that vary from user to user,
because there is no way to define these values — they don’t appear in the LDAP Client and the
user is not defined in the VPN-1/FireWall-1 User Database.
For example, the template should not specify IKE with shared-secret (because the secret is
different for each user), but it can specify IKE with certificates. Note that the template can
specify the internal (VPN-1/FireWall-1) password authentication scheme even though the
password itself differs for each user, because every LDAP server stores a per-user password
and supports authenticating against it; the template names only the scheme, not the value.
Warning - VPN-1/FireWall-1-specific attributes will not be visible in the LDAP Client for
users to whom the default user template is applied.
This option is not supported by VPN-1/FireWall-1 Modules prior to Version 4.1, but Use
Default Scheme is supported.

Authentication Schemes — specifies the authentication schemes enabled on the LDAP
Account Unit.
Use Default Scheme — specifies the authentication scheme to be used when no authentication
scheme is defined for the user on the Account Unit, for example, when users are maintained
with a third-party LDAP Client in which VPN-1/FireWall-1-specific attributes are not defined.
This option is enabled only if Use Default User Template is not checked, because the
template specified in Use Default User Template includes an authentication scheme.
If you select TACACS or RADIUS, you will be prompted to enter the server name.
S/Key is not available here, because it includes user-specific information, and there is no way
to define user-specific information in this case (see Use Default User Template above).
Limit Login Failures — if checked, mitigates password-guessing attacks by limiting the number
of failed login attempts allowed within a defined period of time (the default period is 180
seconds).

LDAP Account Unit Properties Window — Encryption Tab


Use Encryption (SSL) — whether to connect to this Server using SSL
Encryption Port — the port on the LDAP Server to which to connect using SSL
The default port number is 389 for a standard connection and 636 for an LDAP SSL
connection.
Verify that the server has the following Fingerprint — the Account Unit verifies the Server’s
DN or key against this fingerprint before trusting the connection, so that the bind credentials
are not handed to a host impersonating the LDAP Server.
Fetch — Fetch the fingerprint from the Server. Confirm a fetched fingerprint with the LDAP
administrator out of band before relying on it.
Min/Max Encryption Strength — Select the weakest (under Min) and strongest (under Max)
encryption method the Account Unit is prepared to use.

TABLE 10-4 lists the methods used for each Strength. Note that Strong in the GUI
corresponds to Very Strong in the table.

TABLE 10-4 Encryption Method Parameters

Strength        Authentication Method   Encryption and Data Integrity Methods
Authentication  RSA (512 bit)           no encryption; data integrity: MD5 or SHA-1,
                                        depending on the other side
Export          RSA (512 bit)           RC4 (40 bit) and MD5, or DES (40 bit) and SHA-1
Strong          RSA (1024 bit)          RC4 (64 bit) and MD5, or DES (40 bit) and MD5 or
                                        SHA-1, depending on the other side
                                        (this cannot be specified in VPN-1/FireWall-1 but
                                        can be negotiated)
Very Strong     RSA (1024 bit)          RC4 (128 bit) and MD5 or SHA-1, depending on the
                                        other side, or 3DES and MD5 or SHA-1, depending on
                                        the other side
                                        (this is indicated in VPN-1/FireWall-1 by Strong)

Authentication — the weakest method
Export — the strongest exportable method
Strong — the strongest method
Note that at the Authentication strength the session is integrity-protected but not encrypted,
so the Login DN password and any user passwords sent to the LDAP Server cross the network in
the clear; use it only where the path to the LDAP Server is otherwise protected.
IKE Key — the key with which users’ IKE pre-shared secrets are encrypted on the Account Unit

Certificate Authority
A Certificate Authority (CA) issues certificates to entities (users or computers) which then use
the certificates to identify themselves and provide verifiable information about themselves. After
two entities exchange and validate each others’ certificates, they can begin encrypting
communications between them using the public keys in the certificates. There are two kinds of
entities that can identify themselves using certificates:
• encrypting gateways (network objects), when encrypting with other (peer) encrypting
gateways or with SecuRemote Clients
• people (using SecuRemote Clients) — the SecuRemote Client and the site confirm each
others’ identities with certificates
For more information see “Certificate Authorities” on page 40 of Check Point Virtual Private
Networks Guide.

Certificate Authority Properties Window — General Tab


Name — the Certificate Authority’s name

Comment — descriptive text
This text is displayed on the bottom of the Server Object window when this Certificate
Authority is selected.
Authority is selected.
Color — the color of the server’s icon
Select the desired color from the drop-down list.
Certificate Authority — the type of Certificate Authority (Entrust or VPN-1 Certificate
Manager)

Certificate Authority Properties Window — VPN-1 CM Tab


VPN-1 CM Version — specifies the version of Entrust PKI on which the VPN-1 Certificate
Manager is based.
Configuration — the entrust.ini file (provided by your Entrust CA administrator) specifies
the location and other parameters of an Entrust CA. Click on one of the following (under
Configuration):
• Get — get the CA’s configuration from the entrust.ini file. You can browse for the
entrust.ini file.
• View — view the entrust.ini file.

Certificate— Before you can validate certificates issued by the CA you have just defined, you
must obtain the CA’s own certificate.
• If a SmartCenter Server will be generating certificates on this CA (see “Certificate
Authority” on page 368), then the CA sends the SmartCenter Server its own certificate
together with the network object’s certificate. In this case, there is no need to explicitly
obtain the CA’s own certificate — it is obtained as a by-product of generating other
certificates.
• If a SmartCenter Server will not be generating certificates on the CA but only validating
them, then you must explicitly obtain the CA’s own certificate by clicking on Get (see
below).
• Get — get the CA’s certificate from a file that contains the CA’s certificate.
The CA’s certificate can be provided by another VPN-1/FireWall-1 administrator (who
has already generated a certificate from the CA) using the Save As button (see below).
Because every certificate the CA issues will be trusted on the strength of this file, confirm
its fingerprint with the CA administrator out of band before importing it.
View — View the CA’s certificate.
Save As — Save the CA’s certificate to a file, which can be read by another SmartCenter
Server using the Get button.
Profile— A file created either by the user or by a Certificate Authority. For more information
on the profiles, see “Using Certificates” on page 40 of Check Point Virtual Private Networks
Guide.
File — Enter the name of the user profile.

For more information on Certificate Authorities and creating Certificates, see Chapter 3,
“Certificate Authorities” of Check Point Virtual Private Networks Guide.

Certificate Authority Properties Window — Advanced Tab


CRL Caching — A CRL cache is maintained by modules that validate certificates, to avoid
retrieving the CRL from the repository for every validation, which slows the validation process
considerably. This section lets the administrator configure the CRL cache properties. Note that
a cached CRL cannot reflect a revocation published after it was fetched, so the caching
settings trade validation speed against how quickly a revoked certificate stops being accepted.
Cache CRL on the Module — A CRL is stored in the cache only if this property is set. Otherwise,
it is not kept, and a CRL fetch operation is done whenever a CRL is required for certificate
validation.
Fetch new CRL when expires — The CRL is stored in the cache for its whole lifetime.
When the CRL expires (the current time is later than the nextUpdate field in the CRL), the CRL
is dropped from the cache and a new one is fetched.
Fetch new CRL after — The CRL is dropped from the cache after X seconds, where X is the
value configured by the user. The number of seconds is measured from the time the CRL is
fetched.
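The three cache settings above behave quite differently once a CA publishes a new CRL before the old one expires. The following added example (not Check Point code, and not the module's implementation) models them side by side with a constructed repository and plain-seconds timestamps, so the trade-off between repository round-trips and revocation latency can be seen directly. One assumption the page does not state is built in: a CRL past its nextUpdate is never used for validation, whichever setting is active.

```python
"""Added example, not Check Point code: a model of the three CRL-caching
settings on the Advanced tab, to show what each one trades off. CRL
contents, the CA name and the repository are constructed stand-ins; the
timestamps are plain seconds rather than real dates.

One assumption the page does not state: a CRL whose nextUpdate has passed
is never used for validation, whichever setting is active."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: float
    next_update: float                # the CRL's nextUpdate field
    revoked: frozenset[int]           # revoked certificate serial numbers


@dataclass(frozen=True)
class CRLCachePolicy:
    cache_on_module: bool = True                 # "Cache CRL on the Module"
    fetch_after_seconds: Optional[int] = None    # None: "Fetch new CRL when expires"
                                                 # N:    "Fetch new CRL after N seconds"


class CRLCache:
    def __init__(self, policy: CRLCachePolicy, fetch: Callable[[str], CRL]) -> None:
        self.policy = policy
        self.fetch = fetch                        # slow path: retrieval from the repository
        self._entries: dict[str, tuple[CRL, float]] = {}
        self.fetches = 0                          # repository round-trips paid so far

    def _usable(self, crl: CRL, fetched_at: float, now: float) -> bool:
        if now >= crl.next_update:                # expired: dropped whatever the setting
            return False
        if self.policy.fetch_after_seconds is None:
            return True                           # keep for the CRL's whole lifetime
        return now - fetched_at < self.policy.fetch_after_seconds

    def get(self, issuer: str, now: float) -> CRL:
        entry = self._entries.get(issuer)
        if entry and self._usable(entry[0], entry[1], now):
            return entry[0]
        crl = self.fetch(issuer)
        self.fetches += 1
        if self.policy.cache_on_module:
            self._entries[issuer] = (crl, now)
        return crl

    def is_revoked(self, issuer: str, serial: int, now: float) -> bool:
        """What certificate validation asks: is this serial on the current CRL?"""
        return serial in self.get(issuer, now).revoked


class FakeRepository:
    """Stand-in for the CRL distribution point; publish() models the CA issuing a new CRL."""
    def __init__(self) -> None:
        self._latest: dict[str, CRL] = {}

    def publish(self, crl: CRL) -> None:
        self._latest[crl.issuer] = crl

    def fetch(self, issuer: str) -> CRL:
        return self._latest[issuer]


if __name__ == "__main__":
    repo = FakeRepository()
    repo.publish(CRL("CN=Corp CA", 0, 1000, frozenset({1})))
    lazy = CRLCache(CRLCachePolicy(), repo.fetch)                      # until nextUpdate
    eager = CRLCache(CRLCachePolicy(fetch_after_seconds=200), repo.fetch)
    lazy.is_revoked("CN=Corp CA", 1, 10); eager.is_revoked("CN=Corp CA", 1, 10)
    repo.publish(CRL("CN=Corp CA", 100, 1100, frozenset({1, 2})))      # serial 2 revoked
    print(lazy.is_revoked("CN=Corp CA", 2, 500))    # False: old CRL still trusted
    print(eager.is_revoked("CN=Corp CA", 2, 500))   # True: refetched after 200 s
```

With "Fetch new CRL when expires", a certificate revoked at t=100 is still accepted until the old CRL's nextUpdate at t=1000; a short "Fetch new CRL after" interval closes that window at the cost of more repository traffic, and disabling the cache removes it entirely but fetches on every validation.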

Allow only certificates from the listed branches — When validating certificates, only
certificates that belong to the specified branches are accepted as valid. Branches are designated
by combination of various DN fields (for example, “ou”).
Add — Add a new DN or branch.
When a Certificate Authority is selected, you must then enter the DN for the branch you
want to add by clicking Add.
Edit — Edit the selected DN or branch.
Remove — Remove the selected branch.

SecuRemote DNS
The SecuRemote DNS Server is an internal server that can resolve internal names to
unregistered (RFC 1918-style) private IP addresses. It is best to encrypt the DNS resolution of
these internal names. Not all DNS traffic should be encrypted, as this would mean that every
DNS resolution would require authentication.

SecuRemote DNS General Tab


Name— the name of the SecuRemote DNS Server
Comment — descriptive text
This text is displayed on the bottom of the Server Object window when this SecuRemote
DNS Server is selected.
Color — the color of the server’s icon

Select the desired color from the drop-down list. The SecuRemote DNS Server will then be
represented by this color throughout the SmartMap.
Host — You must select the host on which the SecuRemote DNS Server is running from the
drop-down menu. The host must be defined as a network object.
SecuRemote DNS Properties Window — Domains Tab
Name — the name of the domain for which the DNS Server resolves names, e.g.
checkpoint.com.
Maximum Prefix Label Count — the maximum number of labels that may precede the domain in
a name to be resolved (a label is one dot-separated component; xxx.hello.com has three).
For example, if the domain name is “checkpoint.com” and the maximum prefix label count is
“1” then the SecuRemote DNS Server will try to resolve and encrypt
“www.checkpoint.com” or “whatever.checkpoint.com” but not
“www.internal.checkpoint.com.”
To add a new Domain, click the Add button.
FIGURE 10-3 SecuRemote DNS Server Domain window

Domain Suffix: — the domain suffix for which the DNS Server resolves names
Match only *.suffix — If this option is selected, the maximum number of labels resolved will be 1.
Match up to...labels preceding the suffix — Select the maximum number of labels to
Domains can also be edited or deleted by selecting either the Edit or Remove button.
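The maximum prefix label count rule, as an added example (not Check Point code) using the page's own names: a name is covered when it ends with the domain suffix on a label boundary and has at most the configured number of labels before it. Treating the bare suffix as zero prefix labels is an assumption of the example.

```python
# Added example (not Check Point code): deciding which names a SecuRemote DNS
# domain definition covers, from the domain suffix and the maximum prefix label
# count. The bare suffix itself counts as 0 prefix labels (assumption).

def _labels(name):
    """Normalise a DNS name to a list of lower-case labels; a trailing dot is ignored."""
    name = name.strip().rstrip(".").lower()
    labels = name.split(".") if name else []
    if any(label == "" for label in labels):
        raise ValueError("empty label in name: %r" % name)
    return labels


def prefix_label_count(name, domain_suffix):
    """Number of labels that precede domain_suffix in name, or None when the
    name is not inside the domain. The match is made on label boundaries, so
    'notcheckpoint.com' is not inside 'checkpoint.com'."""
    name_labels, suffix_labels = _labels(name), _labels(domain_suffix)
    if not suffix_labels or len(name_labels) < len(suffix_labels):
        return None
    if name_labels[-len(suffix_labels):] != suffix_labels:
        return None
    return len(name_labels) - len(suffix_labels)


def should_resolve(name, domain_suffix, max_prefix_labels):
    """True when the SecuRemote DNS Server should resolve (and encrypt) this name."""
    count = prefix_label_count(name, domain_suffix)
    return count is not None and count <= max_prefix_labels


def match_only_star_suffix(name, domain_suffix):
    """The 'Match only *.suffix' option: a maximum of one prefix label."""
    return should_resolve(name, domain_suffix, 1)


if __name__ == "__main__":
    for host in ("www.checkpoint.com", "whatever.checkpoint.com",
                 "www.internal.checkpoint.com", "www.checkpoint.com.example.net"):
        print(host, "->", should_resolve(host, "checkpoint.com", 1))
```

The label-boundary test matters more than it looks: a suffix comparison done on raw strings would treat "notcheckpoint.com", or a name such as "www.checkpoint.com.example.net", as belonging to the internal domain.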

OPSEC Servers and Clients

In This Section

OPSEC Application Properties Window — General Tab    page 373
Managing OPSEC Products From the SmartDashboard      page 377
OPSEC Definition Window — UFP Options Tab            page 383
OPSEC Definition Window — AMON Options Tab           page 384
OPSEC Definition Window — CPMI Permissions           page 384
OPSEC UFP and CVP Groups                             page 384

Chapter 10 Server Objects and OPSEC Applications 371

Open Platform for Security (OPSEC) is the industry standard for integrated internet security.
An OPSEC application is an application developed by a third party which provides additional
functionality to VPN-1/FireWall-1. This section explains the OPSEC server applications.
OPSEC Server applications provide added functionality for scanning the content of data
streamed through VPN-1/FireWall-1, disallowing connections to selected URLs based on
third party software definitions, and enabling third party applications to export their status to
VPN-1/FireWall-1.
OPSEC continually delivers the broadest range of integrated security solutions for a variety of
deployment platforms. For more information on OPSEC products see:
http://www.checkpoint.com/opsec/.
An OPSEC session is a dialog between two OPSEC entities (example: a Client and a Server).
Use the General tab to define an OPSEC application.
When a Check Point Module or SmartCenter Server is upgraded to Next Generation, the
information in the fwopsec.conf file about the associated OPSEC application is used to update
the objects.C file. The OPSEC object in the OPSEC Definition window is automatically
defined, and all the parameters are set.

Note - The objects.C file should not be edited directly. Instead, use dbedit (see
“dbedit” on page 587) to edit the objects_5_0.C file on the SmartCenter Server.

FIGURE 10-4 shows the interplay between the OPSEC Environment, entities and sessions.
FIGURE 10-4 OPSEC Environment, Entity and Session
[Figure not reproduced: three machines (A, B and C), each running OPSEC processes inside an
OPSEC environment; the processes act as OPSEC entities (LEA Server, LEA Client, SAM Server,
SAM Client), and pairs of entities are connected by OPSEC sessions.]

Defining OPSEC Applications


To define an OPSEC Application Server or Client entity, choose OPSEC Application(s) in one
of the following three ways:
• Select from the Object Tree: right-click OPSEC Applications and select New OPSEC
Application, or
• select Properties from the Manage menu and open the OPSEC Application window.
If you selected the OPSEC Applications via the Manage menu or the toolbar, the objects
displayed depend on what you have selected from the Show drop-down list. If you selected
OPSEC from the Object Tree, you will not see the OPSEC Applications window.

TABLE 10-5 OPSEC applications actions

for a description of how to ...              ... see
create a New OPSEC application object        “Creating a New OPSEC Application” on page 373
Edit an OPSEC application object             “Editing an OPSEC Application” on page 373
Delete an OPSEC application object           “Editing an OPSEC Application” on page 373

Creating a New OPSEC Application


To create a new OPSEC application from the toolbar or from the Manage menu, click New. A
menu is displayed, listing the types of servers you can create. The same menu is displayed if you
created your application via the Object Tree by right-clicking.
A window is displayed prompting you to enter the properties of the selected server type.
Choose OPSEC Application from the menu and click OK.

Note - Both CVP and UFP Groups enable Load Sharing. CVP groups also enable chaining.
For information about creating CVP or UFP Groups see “Implementation of Chaining and
Load Sharing” on page 386.

Editing an OPSEC Application


To edit an OPSEC Application Object, select the OPSEC Application and click Edit, or
double-click the OPSEC Application.

Deleting an OPSEC Application


To delete an OPSEC Application Object, select the OPSEC Application Object and click
Remove.

OPSEC Application Properties Window — General Tab


Name — the OPSEC Application name


Comment — descriptive text
This text is displayed in the Objects list and in the Object window when this item is selected.
Color — the color of the object’s icon
Select the desired color from the drop-down list.
Host — the host on which the server is running
Several OPSEC applications can reside on a single host.

Note - The host should have already been defined as a network object (see “Network
Objects” on page 180).

Application properties — There are two ways to define OPSEC application objects. One is by
manually defining OPSEC properties; the other is by referencing predefined OPSEC product
objects.
• Manually Defining an OPSEC Application Object
Choose User Defined as the Vendor (this is the default). Manually choose the applicable server
and client entities by checking the relevant boxes.
• Referencing an OPSEC Product Object
Choose the vendor, product and version from the predefined list. All server and client entities
will be chosen for you and you cannot change them. If you want to add to the predefined
OPSEC Product Object list, see the RA documentation (Check Point Roaming Administrator
Utility NG FP2).
Vendor — Select a vendor.
Product — Selecting a product will automatically select the appropriate entities.
Version — When applicable, a choice of product version numbers will appear.
Activate — Specific products include certain actions.
For more information, see “Selecting an OPSEC Command” on page 377.


OPSEC Services Server and Client Entities — An OPSEC application can contain both client
and server entities.

TABLE 10-6 Description of OPSEC Server and Client Entities

CVP (server) — Content Vectoring Protocol
Used for scanning the content of data streamed through VPN-1/FireWall-1.
See “Definition Window — CVP Options Tab” in Chapter 10, “Server Objects and OPSEC
Applications”.

UFP (server) — URL Filtering Protocol
Used for disallowing connections to selected URLs based on third party software definitions.
See “OPSEC Definition Window — UFP Options Tab” in Chapter 10, “Server Objects and
OPSEC Applications”.

AMON (server) — Application Monitoring API Specification
Used for enabling third party applications to export their status to VPN-1/FireWall-1.
See “OPSEC Definition Window — AMON Options Tab” in Chapter 10, “Server Objects and
OPSEC Applications”.

ELA (client) — Event Logging API
Used so that third party applications can write to VPN-1/FireWall-1.
See: consult the OPSEC web site at: . To find a Solution Vendor go to: http://www.opsec.com

LEA (client) — Log Export API Specification
Used to enable a third party application to securely receive both real-time and historical
auditing log data generated by VPN-1/FireWall-1.
See: consult the OPSEC web site at: . To find a Solution Vendor go to: http://www.opsec.com

SAM (client) — Suspicious Activities Monitoring Specification
Used to integrate third-party suspicious activity detection applications with
VPN-1/FireWall-1’s network traffic control capabilities.
See: consult the OPSEC web site at: . To find a Solution Vendor go to: http://www.opsec.com

CPMI (client) — Check Point Management Interface API
Used to provide a secure interface for accessing the Check Point object repository.
See: consult the OPSEC web site at: . To find a Solution Vendor go to: http://www.opsec.com

UAA (client) — User Authority API Specification
Used to allow the definition of an OPSEC application as a UA client, meaning that UA will
accept connections from that client.
See: consult the OPSEC web site at: . To find a Solution Vendor go to: http://www.opsec.com
When you check a Server Entity (or the CPMI Client Entity) check box, additional tabs appear at
the top of the window.
Secure Internal Communication — An OPSEC application will only be able to communicate
with the SmartCenter Server, with Check Point Modules or with other OPSEC applications
when Secure Internal Communication (see “Secure Internal Communications for Distributed
Configurations” on page 46) has been successfully configured on both the SmartCenter Server
and on the OPSEC application.

Note - This is only relevant for OPSEC NG based SDK applications.


Communication — Configure the OPSEC application object on the SmartCenter Server for
Secure Internal Communication. Click to open the Communication window (see page 381).
DN — The Distinguished Name (also known as the “SIC name”) of the OPSEC application.
The DN represents the identity of the OPSEC application, and is a read-only value. It exists
when a certificate has been issued for this OPSEC application (see “Communication
Window” on page 381).

Managing OPSEC Products From the SmartDashboard


Check Point enables the integration of OPSEC product management into the Check Point
Management framework. It provides the capability of managing OPSEC products from the
Check Point SmartDashboard. From the Management Client, OPSEC application commands
can be activated on a Management Client, SmartCenter Server, Check Point Module or any
SVN Foundation machine.

Selecting an OPSEC Command


1 Click the Activate button in the OPSEC Application Properties window to select an
action defined by the vendor. The available commands are displayed. If the Activate button
is disabled, then no commands have been defined for that OPSEC application product.
The Activate button establishes the connection between the OPSEC product and the
Check Point GUI and activates the command of the OPSEC product.

Note - The drop-down menus display the commands that have been defined for the
OPSEC product you selected in the objects.C file. The objects.C file should not be
edited directly. Instead, use dbedit (see “dbedit” on page 587 of Check Point SmartCenter
Guide) to edit the objects_5_0.C file on the SmartCenter Server.

For further details about the OPSEC product you have selected, see the specific OPSEC
product manual.

2 Select the desired command.


If you run the command IPconfig, you will get the following output:
FIGURE 10-5 Activate window


The command’s status appears at the bottom of the window. The possible status options are:
• Status: Action success!
• Status: Action fail!

Defining the OPSEC Product


All OPSEC product attributes are defined using the CPRA utility. For more information about
the CPRA utility, see CPRA documentation (Check Point Roaming Administrator Utility NG) at
http://www.checkpoint.com/_rnd/docs/techpubs/OPSEC_SDK/NG%20FP1/RA_NG_FP1.pdf. In
addition, every OPSEC product is associated with a command line and command parameters for
every supported platform.

The following schema in an OPSEC product defines one action supported by the OPSEC
application.

: 0 (
    : command_name ()
    : component (GUI,| MGM,| HOST)
    : platform (
        : NT (
            : command_line ()
            : command_params ()
        )
        : Solaris (
            : command_line ()
            : command_params ()
        )
        : Linux (
            : command_line ()
            : command_params ()
        )
        : IPSO (
            : command_line ()
            : command_params ()
        )
    )
)
)


TABLE 10-7 Description of OPSEC commands

Command name      Description
command_name      the command as displayed under the Activate button
component         the machine on which the action occurs. The possible values are:
                  • GUI — a command that runs on the GUI machine (the machine that is
                    currently running the SmartDashboard).
                  • MGM — a command that runs on a SmartCenter Server.
                  • HOST — a command that runs on a host which has SVN installed.
command_line      the command line to be executed
command_params    the command parameters

Command Syntax
Following is the argument that can be used for command_line.

TABLE 10-8 Description of command_line argument

argument    description
launch      An action that ends by the launching of a new process. For example,
            fwPolicy.exe. This argument must come as a prefix to the command line.
For more information on the launch argument, see the (Check Point Roaming Administrator
Utility NG) document at
http://www.checkpoint.com/_rnd/docs/techpubs/OPSEC_SDK/NG%20FP1/RA_NG_FP1.pdf.


Following are the arguments that can be used for command_params.

TABLE 10-9 Description of command_params arguments

argument      description
%IP           The IP address of the OPSEC host application.
%USER_NAME    The administrator user name used to connect to the SmartDashboard.
%PATH_DIR     The root directory containing the command arguments used for running
              the command (retrieved from the Registry file).
%TIMEOUT      Action timeout (in seconds).

Examples
Following is an OPSEC product definition for a Check Point product that enables you to
execute the command shown.

:0 (
    :AdminInfo (
        :chkpf_uid ("{0BFE28A2-63D0-11D5-A421-000629F56A03}")
        :ClassName (multi_platform_command)
    )
    :command_name ("My server")
    :component (HOST)
    :platform (
        :AdminInfo (
            :chkpf_uid ("{0BFE28A2-63D0-11D5-A421-000629F56A03}")
            :ClassName (platforms)
        )
        :NT (
            :command_line ("launch my_server.exe")
            :command_params ("%TIMEOUT 60")
        )
        :Solaris (
            :command_line ("launch my_server")
            :command_params ("%TIMEOUT 60")
        )
    )
)
)
)

my_server.exe is the server program that will be run on the host selected upon executing this
command.
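The schema and the product definition above share one notation, so here is one added example (not Check Point code and not the CPRA utility) that serves both passages: a parser for the ":name (value)" entries, and a resolver that selects the command_line and command_params for one platform and fills in the placeholders of TABLE 10-9. SAMPLE_DEFINITION is constructed after the page's example with a placeholder uid; reading "%TIMEOUT 60" as the action timeout is my interpretation of the table, and the environment values used in the test are made up.

```python
# Added example (not Check Point code): a parser for the ':name (value)' notation
# used by the schema and product definition above, plus a resolver that picks the
# command for one platform and fills in the command_params placeholders.

class ObjParser:
    """Recursive-descent parser. A value beginning with ':' is a nested entry
    list; anything else is a scalar (a quoted string or a bare word)."""

    def __init__(self, text):
        self.s, self.i = text, 0

    def _peek(self):
        return self.s[self.i] if self.i < len(self.s) else ""

    def _skip_ws(self):
        while self._peek().isspace():
            self.i += 1

    def parse(self):
        """Entries until ')' or end of input as [(name, value), ...], order kept."""
        entries = []
        while True:
            self._skip_ws()
            if self._peek() in ("", ")"):
                return entries
            if self._peek() != ":":
                raise ValueError("expected ':' at offset %d" % self.i)
            self.i += 1
            start = self.i
            while self._peek() not in ("", "(") and not self._peek().isspace():
                self.i += 1
            name = self.s[start:self.i]
            self._skip_ws()
            if self._peek() != "(":
                raise ValueError("expected '(' after %r" % name)
            self.i += 1
            self._skip_ws()
            value = self.parse() if self._peek() == ":" else self._scalar()
            self._skip_ws()
            if self._peek() != ")":
                raise ValueError("missing ')' for %r" % name)
            self.i += 1
            entries.append((name, value))

    def _scalar(self):
        if self._peek() == '"':                      # quoted string
            end = self.s.find('"', self.i + 1)
            if end < 0:
                raise ValueError("unterminated string")
            value, self.i = self.s[self.i + 1:end], end + 1
            return value
        start = self.i                               # bare word up to ')'
        while self._peek() not in ("", ")"):
            self.i += 1
        return self.s[start:self.i].strip()


def lookup(entries, name):
    """First value stored under name in a parsed entry list, or None."""
    return next((v for k, v in entries if k == name), None)


def expand_params(params, env):
    """Turn command_params into an argument list. %IP, %USER_NAME and %PATH_DIR
    are replaced from env; '%TIMEOUT <seconds>' is read as the action timeout
    (this reading of TABLE 10-9 is an assumption of the example)."""
    args, timeout, tokens, i = [], None, params.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "%TIMEOUT":
            timeout, i = int(tokens[i + 1]), i + 2   # IndexError if the value is missing
            continue
        if tok.startswith("%") and tok[1:] not in env:
            raise KeyError("unknown placeholder %s" % tok)
        args.append(env[tok[1:]] if tok.startswith("%") else tok)
        i += 1
    return args, timeout


def resolve_command(definition_text, platform, env):
    """What the Activate button would run for platform under this definition."""
    command = lookup(ObjParser(definition_text).parse(), "0")
    per_platform = lookup(lookup(command, "platform") or [], platform)
    if per_platform is None:
        raise KeyError("no command defined for platform %s" % platform)
    line = lookup(per_platform, "command_line") or ""
    if not line.startswith("launch "):              # mandatory prefix (TABLE 10-8)
        raise ValueError("command_line must start with 'launch': %r" % line)
    args, timeout = expand_params(lookup(per_platform, "command_params") or "", env)
    return {"name": lookup(command, "command_name"), "component": lookup(command, "component"),
            "executable": line[len("launch "):].strip(), "args": args, "timeout": timeout}


# Constructed after the page's example; the uid is a placeholder, not a real one.
SAMPLE_DEFINITION = """:0 (
    :command_name ("My server")
    :component (HOST)
    :platform (
        :NT (
            :command_line ("launch my_server.exe")
            :command_params ("%IP %TIMEOUT 60")
        )
        :Solaris (
            :command_line ("launch my_server")
            :command_params ("%TIMEOUT 60")
        )
    )
)
"""
```

Rejecting unknown placeholders and a missing "launch" prefix keeps a malformed definition from turning into an arbitrary command line; the resolver returns a structured result rather than a shell string for the same reason.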


Communication Window

Note - This window is only relevant for OPSEC NG based SDK applications.

The Communication window is used to initialize secure communication between the
SmartCenter Server and the OPSEC application (for details, see “Secure Internal
Communications for Distributed Configurations” on page 46).
Note - In order for the OPSEC application to use certificate-based communication, the
opsec_pull_cert command must be issued from the OPSEC application side of the
connection. See the OPSEC vendor documentation for details.
Note - In order to use the 'local' SIC method with OPSEC applications conversing locally
(on the same machine) with a Check Point application, the 'opsec_shared_local_path'
OPSEC environment parameter should be set to $CPDIR/database (on Unix based
machines) or %CPDIR%\database (on Windows based machines).

Getting here — Click Communication in the General tab of the OPSEC Definition
window.

Password — This field is relevant only where certificate-based communication is to be used.
Enter the same password as is used in the OPSEC application configuration when invoking the
opsec_pull_cert command. This is a one-time password whose only purpose is to set up a
secure link which is used to deliver a certificate to the OPSEC application.
Trust state — The OPSEC application can only communicate once trust has been established.
Trust is established once the OPSEC application has a DN, and (where certificate-based
communication is to be used) after a certificate has been issued by the SmartCenter Server and
delivered to the OPSEC application.
The OPSEC application can be in one of three states:
• Uninitialized — The OPSEC application is not initialized and therefore cannot
communicate because it has no DN (and, where certificate-based communication is to be
used, it does not have a valid certificate).
Click Initialize to create the DN and (where relevant) the certificate.
• Initialized but trust not established — A certificate has been issued to this OPSEC
application but has not been delivered.
Where certificate-based communication is used, trust will be established when the
opsec_pull_cert command has been issued from the OPSEC application side of the
connection and the certificate is successfully delivered to the OPSEC application.


• Trust established — The trust between the OPSEC application and the SmartCenter
Server has been established. The OPSEC application is able to communicate securely.
This state can only exist where certificate-based communication is used.
Initialize — For an uninitialized OPSEC application, create a DN and a certificate (the
certificate is only used where certificate-based communication has been configured). If
successful, the OPSEC application state will change to Initialized but trust not established.
Test SIC Status — Not available for OPSEC applications.
Reset — This field is only relevant where certificate-based communication is used.
Reset the OPSEC application back to the Uninitialized state by revoking its certificate. Its DN
remains valid.
Close — Close the window.
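The three trust states and the Initialize, opsec_pull_cert and Reset transitions, as an added example (not Check Point code): a state machine that keeps the DN across a Reset, revokes the previous certificate, and accepts the one-time password only once. The DN layout, serial numbers and application name are constructed, and certificate-based communication is assumed throughout.

```python
import hmac
import itertools

# Added example (not Check Point code): the trust states of an OPSEC application
# object and the transitions the Communication window exposes. DN layout,
# serials and names are constructed; certificate-based SIC is assumed.

UNINITIALIZED = "Uninitialized"
INITIALIZED = "Initialized but trust not established"
ESTABLISHED = "Trust established"


class OPSECApplicationTrust:
    _serials = itertools.count(1)          # stand-in for the CA's serial numbers

    def __init__(self, name, management_dn="O=mgmt.example.com.abc123"):
        self.name = name
        self.management_dn = management_dn
        self.state = UNINITIALIZED
        self.dn = None                     # the "SIC name"; read-only once created
        self.issued_serial = None          # certificate issued by the SmartCenter Server
        self._one_time_password = None
        self.revoked = set()

    def initialize(self, one_time_password):
        """The Initialize button: create the DN (if absent) and issue, but not
        deliver, a certificate protected by the one-time password."""
        if self.state != UNINITIALIZED:
            raise RuntimeError("Initialize is only valid in state %s" % UNINITIALIZED)
        if not one_time_password:
            raise ValueError("a one-time password is required")
        if self.dn is None:                # a Reset keeps the DN, so create it only once
            self.dn = "CN=%s,%s" % (self.name, self.management_dn)
        self.issued_serial = next(self._serials)
        self._one_time_password = one_time_password
        self.state = INITIALIZED
        return self.dn

    def pull_certificate(self, password):
        """What opsec_pull_cert does from the application side: present the
        one-time password and receive the certificate."""
        if self.state != INITIALIZED:
            raise RuntimeError("no certificate is waiting for delivery")
        if not hmac.compare_digest(password.encode(), self._one_time_password.encode()):
            raise PermissionError("one-time password mismatch")
        self._one_time_password = None     # single use: a replay is refused
        self.state = ESTABLISHED
        return {"dn": self.dn, "serial": self.issued_serial}

    def reset(self):
        """The Reset button: revoke the certificate and return to Uninitialized;
        the DN remains valid."""
        if self.issued_serial is None:
            raise RuntimeError("nothing to reset")
        self.revoked.add(self.issued_serial)
        self.issued_serial = None
        self._one_time_password = None
        self.state = UNINITIALIZED

    def can_communicate(self):
        return self.state == ESTABLISHED


if __name__ == "__main__":
    app = OPSECApplicationTrust("lea_collector")
    app.initialize("pull-me-once")
    print(app.state)
    app.pull_certificate("pull-me-once")
    print(app.state, app.can_communicate())
    app.reset()
    print(app.state, "DN kept:", app.dn, "revoked:", sorted(app.revoked))
```

Two details carry the security value: the one-time password is cleared after the first successful pull, and a Reset revokes the serial rather than merely forgetting it, so a previously delivered certificate cannot be presented again after the object is reinitialized.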

Definition Window — CVP Options Tab

Definition of CVP
CVP is used to enable VPN-1/FireWall-1 to transfer data (files, E-mail, web pages) to a
third-party application and allow it to analyze the data. Normally CVP is used by Anti-virus
servers (or content security in general), but it may also be used to serve other needs such as
authentication accounting. For information about setting up CVP groups for load sharing or
chaining see “Implementation of Chaining and Load Sharing” on page 386.
Service — Select the Service for communication with the server from the drop-down list. The
service is the port number to which the server listens. For CVP servers, the service is FW1_cvp.

Backwards Compatibility
Use backwards compatibility mode — If the OPSEC application server uses OPSEC SDK
Version 4.1 or earlier, and the VPN/FireWall Module is Version 4.1 or lower, check this box,
and choose the authentication (or encryption and authentication) method used in
communication between the OPSEC server and VPN-1/FireWall-1.
Configure the backwards compatibility mode as instructed by your OPSEC application vendor.
If instructed to edit the fwopsec.conf file (which does not exist in VPN-1/FireWall-1 NG),
instead select the mode which corresponds to the keyword (such as auth_opsec) in the
fwopsec.conf file.

If the OPSEC server or application uses OPSEC SDK Version 4.1 or earlier, and the
VPN/FireWall Module is upgraded to NG, the OPSEC object will be automatically created.
The information in the window will be taken from the fwopsec.conf file which existed prior
to the upgrade, and the appropriate backward compatibility mode will be selected.
If the OPSEC server or application uses OPSEC SDK NG, do not check this option.
The CVP tab of an OPSEC application object refers to connections that are made from peer
clients to this server. For example:


• In the CVP Options tab of the OPSEC Definition dialog box if the Use backwards
compatibility mode check box is checked and the OPSEC Authentication (auth_opsec)
method is selected, then the CVP clients should use the auth_opsec method when
connecting to this CVP server application.

OPSEC Definition Window — UFP Options Tab


UFP enables communications between VPN-1/FireWall-1 and a UFP Server that categorizes
URLs. A VPN-1/FireWall-1 Security Policy (see Chapter 8, “Security Policy Rule Base”) can
then specify resources that allow or disallow communications based on these categories. In this
way, an enterprise can control internal users’ access to external Web sites as well as external
users’ access to internal Web sites.
Service — select the Service from the drop-down list.
The service is the port number to which the server listens. For UFP servers, the service is
FW1_ufp.
Dictionary — the list of categories that the UFP Server uses
This list is required for defining the UFP Server in the VPN-1/FireWall-1 GUI.
Dictionary ID — identification or version of the dictionary
Get Dictionary — click to fetch the category list from the server
Select individual categories from the list in the definition of the resource that uses this UFP
server. For more information, see “URI Definition window — Match tab (UFP)” on page
240.
Description — descriptive text
This text is displayed in the Objects list and in the Object window when this item is selected.
Categories in Dictionary — A UFP Server can define up to 32 categories.

Backwards Compatibility
Use backwards compatibility mode — If the OPSEC application server uses OPSEC SDK
Version 4.1 or earlier, and the VPN/FireWall Module is Version 4.1 or lower, check this box,
and choose the authentication (or encryption and authentication) method used in
communication between the OPSEC server and VPN-1/FireWall-1.
Configure the backwards compatibility mode as instructed by your OPSEC application vendor.
If instructed to edit the fwopsec.conf file (which does not exist in VPN-1/FireWall-1 NG),
instead select the mode which corresponds to the keyword (such as auth_opsec) in the
fwopsec.conf file.

If the OPSEC server or application uses OPSEC SDK Version 4.1 or earlier, and the
VPN/FireWall Module is upgraded to NG, the OPSEC object will be automatically created.
The information in the window will be taken from the fwopsec.conf file which existed prior
to the upgrade, and the appropriate backward compatibility mode will be selected.


If the OPSEC server or application uses OPSEC SDK NG, do not check this option.
The UFP tab of an OPSEC application object refers to connections that are made from peer
clients to this server. For example:
• In the UFP Options tab of the OPSEC Definition dialog box if the Use backwards
compatibility mode check box is checked and the OPSEC Authentication (auth_opsec)
method is selected, then the UFP clients should use the auth_opsec method when
connecting to this UFP server application.

OPSEC Definition Window — AMON Options Tab


AMON (Application Monitoring) Service enables network applications to report their status to
Check Point management. This status information can then be fetched by a CPMI client.
Service — Select the Service for communication with the server from the drop-down list. The
service is the port that the AMON server listens to. For AMON servers, the service is
FW1_amon.
AMON Identifier — In this field, select the name of the AMON Identifier that this OPSEC
application supports. The field lets you choose from all the known status schemas.

OPSEC Definition Window — CPMI Permissions


Permissions for OPSEC CPMI applications are defined in the CPMI Permissions tab of the
OPSEC Application Properties window. Click Use Permissions and select a permission set to
use. View Permissions Profile to view the profile (the set of permissions) assigned to the
permission set.
To define a new Permissions Profile, click New in the OPSEC Application Properties window.
In the General tab of the Permissions Profile window, specify the profile’s name, comment
and choose a color.
For more information about defining administrators, see Chapter 4, “Managing Users and
Administrators” of Check Point SmartCenter Guide.

OPSEC UFP and CVP Groups


Name — The group’s name.
Comment — Descriptive text.
This text is displayed on the bottom of the Server Object window when this item is selected.
Color — The color of the server’s icon.
Select the desired color from the drop-down list.
Members — CVP servers and load share groups or UFP Servers currently defined in the system.


Adding or Deleting Members from a Group


To add a member to the group: in the Not in Group listbox, select the servers you wish to
include in the group. Use the Add button to add individual objects or groups to the group.
To delete a member from the group: in the right In Group listbox, select the servers you wish to
delete from the group. Use the Remove button to remove individual objects or groups from
the group.
Not in group — Servers which will not be used in the group you are creating for chaining or
load sharing.
In group — Servers which will be used in the group you are creating for chaining or load
sharing.
FIGURE 10-6 Adding group members separately or individually

When attempting to add a CVP load sharing group to a CVP chaining group (see “CVP Load
Sharing and Chaining” on page 236 of Check Point FireWall-1 Guide) you will be prompted to
choose between adding the group as a whole or adding each server separately. This feature is not
available for load sharing, since load sharing between chaining groups is not supported.
Up, Down — You can change the order of the groups or servers included in In group. To change
the order, highlight a member in the right listbox and use the Up or Down button until your
server or group is in the position you want. For example, perhaps the first server in the list is a
caching server and the second server is an anti-virus server. It may be logical to switch the
order in which these two servers process data in this group.
Work distribution method — Decide whether your group will be defined as load sharing or
chaining (see “CVP Load Sharing and Chaining” on page 236 of Check Point FireWall-1 Guide).
Load Sharing — Select this radio button if your group will have load sharing.

Note - When defining a UFP Server, Chaining is not available.

Chaining — Select this radio button if your group will have chaining.
Abort chaining upon Unsafe reply — Use this feature if chaining is selected as your work
distribution method and you wish to guarantee that if a virus is detected all chaining of this
group will stop.
Load sharing method — Select round robin if you wish to go in a specific order, or random if
you wish to have the Server decide which Servers are available.


Load sharing suspend time-out — Set the time you wish to wait when one server fails before
trying to use it again. The maximum time is 10,000 minutes.
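The work distribution settings above (chaining with Abort chaining upon Unsafe reply, load sharing with round robin or random selection, and the suspend time-out) as an added example (not Check Point code): a group object that dispatches data to constructed stand-in servers. Treating a failed link as failing the whole chain, and the minute counter that stands in for a clock, are assumptions of the example.

```python
import random

# Added example (not Check Point code): a CVP/UFP server group applying the
# work distribution settings: chaining (with abort on an Unsafe reply) and load
# sharing (round robin or random, with a suspend time-out for a failed server).

SAFE, UNSAFE, FAILED = "Safe", "Unsafe", "Failed"


class ContentServer:
    """Constructed stand-in for a CVP server. Data containing unsafe_marker is
    reported Unsafe; the first fail_first_n requests are reported Failed."""

    def __init__(self, name, unsafe_marker=None, fail_first_n=0):
        self.name = name
        self.unsafe_marker = unsafe_marker
        self.fail_first_n = fail_first_n
        self.calls = 0

    def scan(self, data):
        self.calls += 1
        if self.calls <= self.fail_first_n:
            return FAILED, data
        if self.unsafe_marker and self.unsafe_marker in data:
            return UNSAFE, data
        return SAFE, data


class ServerGroup:
    def __init__(self, members, distribution="load_sharing", load_sharing_method="round_robin",
                 abort_on_unsafe=True, suspend_timeout_min=5, seed=0):
        if distribution not in ("load_sharing", "chaining"):
            raise ValueError("distribution must be load_sharing or chaining")
        if suspend_timeout_min > 10000:               # the GUI's stated maximum
            raise ValueError("suspend time-out may not exceed 10,000 minutes")
        self.members = list(members)
        self.distribution = distribution
        self.load_sharing_method = load_sharing_method
        self.abort_on_unsafe = abort_on_unsafe
        self.suspend_timeout_min = suspend_timeout_min
        self._rr_index = 0
        self._suspended_until = {}                    # server name -> minute to retry at
        self._rng = random.Random(seed)

    def scan(self, data, now_min=0):
        """now_min is the current time in minutes (a counter standing in for a clock)."""
        if self.distribution == "chaining":
            return self._chain(data)
        return self._share(data, now_min)

    def _chain(self, data):
        """Pass the data through every member in the configured order."""
        verdict = SAFE
        for server in self.members:
            result, data = server.scan(data)
            if result == FAILED:                      # assumption: a failed link fails the chain
                return FAILED, data
            if result == UNSAFE:
                verdict = UNSAFE
                if self.abort_on_unsafe:              # later servers never see the data
                    break
        return verdict, data

    def _share(self, data, now_min):
        """Hand the data to one available member; a failing member is suspended."""
        tried = set()
        while True:
            available = [s for s in self.members if s.name not in tried
                         and self._suspended_until.get(s.name, -1) <= now_min]
            if not available:
                return FAILED, data
            if self.load_sharing_method == "random":
                server = self._rng.choice(available)
            else:                                     # round robin
                server = available[self._rr_index % len(available)]
                self._rr_index += 1
            result, out = server.scan(data)
            if result == FAILED:
                self._suspended_until[server.name] = now_min + self.suspend_timeout_min
                tried.add(server.name)
                continue
            return result, out


if __name__ == "__main__":
    av = ContentServer("av", unsafe_marker=b"MALWARE-SAMPLE-MARKER")
    chain = ServerGroup([ContentServer("cache"), av, ContentServer("tail")], distribution="chaining")
    print(chain.scan(b"clean payload")[0], chain.scan(b"xx MALWARE-SAMPLE-MARKER")[0])
```

With abort_on_unsafe set, a server placed after the anti-virus server in the chain is not reached once data has been judged Unsafe; without it, every link still sees the data and the group's verdict is Unsafe if any link said so.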

Implementation of Chaining and Load Sharing


To learn more about adding a rule with an HTTP URI resource see Chapter 4, “Security
Servers and Content Security” of Check Point FireWall-1 Guide.

OPSEC SIC Configuration


During the installation procedure of NG FP2 the non-default SIC settings of OPSEC
applications are overwritten. As a result, existing OPSEC applications that use the non-default
SIC settings, will not be able to communicate with VPN-1/FireWall-1.
The default SIC settings for NG FP2 based OPSEC applications are:
• cvp - sslca_clear, sslca, local, sslca_comp
• ufp - sslca_clear, sslca, local, sslca_comp
• amon - sslca, local, sslca_comp
• sam - sslca, local, sslca_comp
• ela - sslca, local, sslca_comp
• lea - sslca, local, sslca_comp
• cpmi - sslca, local, sslca_comp
• uaa - sslca, local, sslca_comp, ssl
The list of methods denotes the fact that VPN-1/FireWall-1 will be able to communicate using
any method on the list where the left most method is the preferred one.
The default authenticated communication settings for pre-NG based OPSEC applications:
• LEA - auth_opsec
• ELA - ssl_opsec
• SAM - auth_opsec
• UAA - ssl_opsec

Note - CVP and UFP can be configured using the SmartDashboard.

In order to avoid this problem, configure the OPSEC applications to work with the default SIC
(or backward compatibility authenticated communication) settings.
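The default method lists above, as an added example (not Check Point code): a lookup that returns the left-most default method an OPSEC application also offers, and a check that lists applications whose configured methods no longer overlap the defaults. The application names are constructed.

```python
# Added example (not Check Point code): SIC method selection from the NG FP2
# default lists, where the left-most method is preferred, and a check for
# applications whose non-default settings no longer overlap the defaults.

DEFAULT_SIC_METHODS = {
    "cvp":  ["sslca_clear", "sslca", "local", "sslca_comp"],
    "ufp":  ["sslca_clear", "sslca", "local", "sslca_comp"],
    "amon": ["sslca", "local", "sslca_comp"],
    "sam":  ["sslca", "local", "sslca_comp"],
    "ela":  ["sslca", "local", "sslca_comp"],
    "lea":  ["sslca", "local", "sslca_comp"],
    "cpmi": ["sslca", "local", "sslca_comp"],
    "uaa":  ["sslca", "local", "sslca_comp", "ssl"],
}


def negotiate_sic_method(entity, application_methods):
    """Return the preferred (left-most) default method for this entity type that
    the OPSEC application also offers, or None if there is no common method."""
    defaults = DEFAULT_SIC_METHODS[entity.lower()]
    offered = {m.lower() for m in application_methods}
    for method in defaults:                  # walk the list in preference order
        if method in offered:
            return method
    return None


def incompatible_applications(applications):
    """applications maps a name to (entity, [methods]); returns, sorted, the
    names that cannot communicate with the default settings."""
    return sorted(name for name, (entity, methods) in applications.items()
                  if negotiate_sic_method(entity, methods) is None)


if __name__ == "__main__":
    apps = {"log_collector": ("lea", ["sslca_comp", "sslca"]),
            "old_filter": ("ufp", ["ssl"])}          # constructed names
    for name, (entity, methods) in apps.items():
        print(name, entity, "->", negotiate_sic_method(entity, methods))
    print("cannot communicate:", incompatible_applications(apps))
```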



CHAPTER 11

SmartView Tracker

Overview page 388


Starting the SmartView Tracker page 389
Viewing the Log Files in Different Modes page 392
SmartView Tracker Main Screen page 399
Query Tree Pane page 399
Query Properties Pane page 402
Records Pane page 403
Filtering page 406
Resolving Addresses page 415
Resolving Services page 416
Showing Null Matches page 416
Updating the Log File page 416
Find page 416
Log File Management page 418
Redirecting Logging to Another Master page 424
Exporting Log Data to Another Application page 425
Menus page 426

Overview
The SmartView Tracker allows you to view entries in the Log File. Each entry in the Log File
is a record of an event that, according to the Rule Base or the Properties, is to be logged. In
addition, every event which caused an alert, as well as certain important system events (such as
a Security Policy being installed or uninstalled on a host), is also logged. The format of log
entries requested by a rule is determined by the log type specified in the rule.

Note - The SmartCenter Server reads the Log File and sends the data to the SmartView
Tracker GUI Client for display. The SmartView Tracker GUI Client merely displays the data.

Tracking Network Traffic


The SmartView Tracker can be used to track all daily network traffic and activity logged by any
Check Point or OPSEC Partner log-generating product and to give an indication of certain
problems. Network administrators can use the log information for:
• Detecting and monitoring security-related events
For example, alerts, repeated rejected connections or failed authentication attempts might
point to possible intrusion attempts.
• Providing information for problematic issues
For example, a client has been authorized to establish a connection but the attempts to
connect have failed. The SmartView Tracker might indicate that the Rule Base has been
erroneously defined to block the client’s connection attempts.
• Statistical purposes, such as analyzing network traffic patterns
For example, how many HTTP services were used during peak activity as opposed to
Telnet services.

Controlling the Display of the SmartView Tracker Content


The SmartView Tracker gives you control over which information in the Log File is displayed.
You can choose to display all the records in the Log File or only a specific Query.
The SmartView Tracker contains predefined Queries, which are read-only.
Each Query allows you to view specific log information. For example, you can display only
specific product-related information, such as only log entries related to VPN-1 products or only
records that show changes made to objects in the Rule Base.
SmartView Tracker also allows you to customize your own Query, based on an existing
predefined one, for your own specific needs.


Filtering the SmartView Tracker’s Content


You can use SmartView Tracker’s filtering mechanism to display only certain records and hide
others. For example, you can choose to display only records for events that occurred after a
certain date, or you can exclude all connections that were encrypted.
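Filtering of the kind just described, together with the repeated-rejection check mentioned under Tracking Network Traffic, as an added example (not Check Point code and not the product's log format): constructed records in a key=value form are filtered by time and encryption state, and sources with many rejected connections are listed. Field names, addresses and times are made up.

```python
from collections import Counter
from datetime import datetime

# Added example (not Check Point code, not the product's log format): filtering
# constructed key=value records by time and encryption state, and listing
# sources with repeated rejected connections. Addresses and times are made up.

SAMPLE_LOG = """\
time=2002-09-10 08:01:12;action=accept;src=10.1.1.5;dst=192.0.2.20;service=http;encrypt=no
time=2002-09-10 08:02:30;action=reject;src=10.1.1.9;dst=192.0.2.20;service=telnet;encrypt=no
time=2002-09-10 08:02:31;action=reject;src=10.1.1.9;dst=192.0.2.20;service=telnet;encrypt=no
time=2002-09-10 09:15:00;action=accept;src=10.1.1.7;dst=192.0.2.30;service=ssh;encrypt=yes
time=2002-09-10 09:20:05;action=reject;src=10.1.1.9;dst=192.0.2.21;service=ftp;encrypt=no
time=2002-09-10 10:00:00;action=accept;src=10.1.1.5;dst=192.0.2.20;service=http;encrypt=no
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
REQUIRED = ("time", "action", "src", "dst", "service", "encrypt")


def parse_log(text):
    """Parse key=value;... lines into dicts; time becomes a datetime and encrypt
    a bool. A line missing a required field is rejected, not silently kept."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.split("=", 1) for p in line.split(";")]
        if any(len(p) != 2 for p in parts):
            raise ValueError("line %d: malformed field" % lineno)
        fields = dict(parts)
        missing = [k for k in REQUIRED if k not in fields]
        if missing:
            raise ValueError("line %d lacks %s" % (lineno, ", ".join(missing)))
        fields["time"] = datetime.strptime(fields["time"], TIME_FORMAT)
        fields["encrypt"] = fields["encrypt"].lower() == "yes"
        records.append(fields)
    return records


def filter_records(records, after=None, exclude_encrypted=False):
    """Keep records later than after (a datetime or a TIME_FORMAT string) and,
    if requested, drop encrypted connections."""
    if isinstance(after, str):
        after = datetime.strptime(after, TIME_FORMAT)
    kept = []
    for r in records:
        if after is not None and r["time"] <= after:
            continue
        if exclude_encrypted and r["encrypt"]:
            continue
        kept.append(r)
    return kept


def repeated_rejects(records, threshold):
    """Sources whose connections were rejected or dropped at least threshold times."""
    counts = Counter(r["src"] for r in records if r["action"] in ("reject", "drop"))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in filter_records(recs, after="2002-09-10 09:00:00", exclude_encrypted=True):
        print(r["time"], r["action"], r["src"], "->", r["dst"], r["service"])
    print("repeated rejects:", repeated_rejects(recs, 3))
```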

Fetching Log Files From a Remote Machine


The SmartView Tracker allows you to transfer Log Files from a remote machine to the machine
to which the SmartView Tracker is currently connected.

Starting the SmartView Tracker


To start the SmartView Tracker, proceed as follows:

TABLE 11-1 Starting the SmartView Tracker

Window System   Action
Windows         Double-click the SmartView Tracker icon, or choose SmartView Tracker
                from the Window menu in the SmartDashboard window.
X/Motif         Run /opt/CPclnt-50/bin/LogManager

The SmartView Tracker Login window (FIGURE 11-1) is then displayed.


FIGURE 11-1 SmartView Tracker Login window

You can log in using either your:

• user name and password
1 Select User Name.
2 Enter your user name and password.
3 Click OK.


• certificate
1 Select Certificate.
2 Enter the name of your PKCS#12 certificate file.
You can also browse for the file by clicking the browse button.
3 Enter the password you used to create the certificate.
4 Click OK.

Enter the name of the machine on which the SmartCenter Server is running. You can enter one
of the following:
• A resolvable machine name
• A dotted IP address
To work in local mode, check Demo Mode.

If you do not wish to modify a policy, check Read Only before clicking OK.

Note - If you are not defined as a user, and therefore do not possess a user name, see “To
Add an Administrator” on page 49 for information on how to define users on the
SmartCenter Server.

Certificate Management, Compression and Advanced Options


In the SmartView Tracker Login window (FIGURE 11-1), click More Options >> to display
the Certificate Management, Connection Optimizations and Advanced Options (FIGURE
11-2).


FIGURE 11-2 SmartView Tracker Login window (More Options)

To change the certificate password, click Change Password.

To compress the connection to the SmartCenter Server, check Use compressed connection.

Enter the text describing why the administrator wants to make a change in the security policy
in Session ID (optional). The text appears as a log entry in the SmartView Tracker in the
Session ID column (in Audit mode only). If the Session ID column does not appear in the
SmartView Tracker, use the Query Properties pane to display it. For more information on the
SmartView Tracker, see the chapter called SmartView Tracker in the Check Point SmartCenter
Guide.
To hide the Certificate Management, Connection Optimizations and Advanced options,
click Less Options <<.

The SmartView Tracker main screen


FIGURE 11-3 SmartView Tracker main screen (callouts: the Query Properties pane displays the
properties of the fields in the Records pane; the Records pane displays the fields of each
record in the Log File)

Viewing the Log Files in Different Modes


The SmartView Tracker consists of three different modes:
• Log mode
• Active mode
• Audit mode
Each mode consists of one or more predefined Log File queries. These predefined queries
cannot be directly modified or saved. They can, however, be modified and saved under a
new name.
You can toggle between modes by clicking the desired tab.
FIGURE 11-4 Log Mode tabs

When you switch from one mode to another, SmartView Tracker remembers the last opened
query in that mode and displays it.

Log Mode
Log mode is the default mode. It displays entries for security-related events for different Check
Point products as well as Check Point’s OPSEC partners.
In Log mode, the following predefined queries are available:


• All Records — Contains log data which are typically common to most Check Point
products.
• Product-specific queries, which contain entries relevant to that product only. They
include:
• Account — displays Accounting details
• FireWall-1 GX — displays FireWall-1 GX details
• FloodGate-1 — displays FloodGate-1 details
• FireWall-1 — displays FireWall-1 details
• Virtual Link Monitoring — displays Virtual Link Monitoring details
• SecureClient — displays SecureClient details
• UA WebAccess — displays UA WebAccess details
• UA Server — displays UA Server details
• VPN-1 — displays VPN-1 details
• SmartDefense — displays SmartDefense details
• Voice over IP — displays Voice over IP details

Note - Product-specific queries are only available in Log mode.

The fields that appear in each entry are by default the relevant fields for that entry. For example,
the fields Source and Origin are not predefined to display for UA WebAccess because they are
not relevant to that product.

All Records
When an active window is open, double-click the All Records query in the Query Tree pane to
display the default log query in the Records pane.

FireWall-1 Entries
When an active window is open, double-click the FireWall-1 query in the Query Tree pane to
display FireWall-1 details in the Records pane.

The FireWall-1 Log shows the following FireWall-1 specific data:
• NAT rule number — number of the NAT rule
• XlateSrc — translated source address
• XlateDst — translated destination address
• XlateSPort — translated source port number
• XlateDPort — translated destination port number
• Partner — name of partner


Accounting Entries
When an active window is open, double-click the Account query in the Query Tree pane to
display Accounting details in the Records pane.

The Accounting Log shows the following Account-specific data (including FireWall-1 specific
data):
• Elapsed — the duration of the connection. Elapsed is calculated up to the time of the last
byte transferred
• Bytes — the number of bytes transferred
• Start Time — the date on which the connection began

FireWall-1 GX Entries
When an active window is open, double-click the FireWall-1 GX query in the Query Tree pane
to display FireWall-1 GX details in the Records pane.

The FireWall-1 GX Log shows the following FireWall-1 GX-specific data:
• Signal Message Type — a string that describes the GTP message type
• Tunnel ID — GTP Tunnel ID
• MS-ISDN — the ISDN number of the mobile subscriber
• APN — Access Point Name
• Selection Mode — GTP Selection mode
• End user IP address — IP address of the MS. Exchanged during PDP Context creation
• SGSN for Traffic — SGSN IP address used for traffic. Exchanged during PDP Context
creation or update
• SGSN for Signal — SGSN IP address used for signaling. Exchanged during PDP Context
creation or update
• GGSN for Traffic — GGSN IP address used for traffic. Exchanged during PDP Context
creation or update
• GGSN for Signal — GGSN IP address used for signaling. Exchanged during PDP Context
creation or update

FloodGate-1 Entries
When an active window is open, double-click the FloodGate-1 query in the Query Tree pane to
display FloodGate-1 details in the Records pane.

The FloodGate-1 Log shows the following FloodGate-1 specific data:
• Client Bytes In — the number of inbound Client Bytes
• Client Bytes Out — the number of outbound Client Bytes
• Client Interface In — the name of the inbound Client Interface
• Client Interface Out — the name of the outbound Client Interface
• Client In rule match — the rule matched to the connection of the client interface in the
inbound direction


• Client Out rule match — the rule matched to the connection of the client interface in the
outbound direction
• Client Packets In — the number of inbound Client Packets
• Client Packets Out — the number of outbound Client Packets
• Client DiffServ In — the color of the inbound DiffServ Client
• Client DiffServ Out — the color of the outbound DiffServ Client
• Server DiffServ In — the color of the inbound DiffServ Server
• Server DiffServ Out — the color of the outbound DiffServ Server
• Server Bytes In — the number of inbound Server Bytes
• Server Bytes Out — the number of outbound Server Bytes
• Server Interface In — the name of the inbound Server Interface
• Server Interface Out — the name of the outbound Server Interface
• Server In rule match — the rule matched to the connection of the server interface in the
inbound direction
• Server Out rule match — the rule matched to the connection of the server interface in the
outbound direction
• Server Packets In — the number of inbound Server Packets
• Server Packets Out — the number of outbound Server Packets
• Sub Service — the name of the sub service

Virtual Link Monitoring Entries

When an active window is open, double-click the Virtual Link Monitoring query in the Query
Tree pane to display Virtual Link Monitoring details in the Records pane. The Virtual Link
Monitoring Log shows the following Virtual Link Monitoring-specific data:
• App Byte/sec In — the rate of inbound information in bytes from the application
• App Byte/sec Out — the rate of outbound information in bytes sent from the application
• App Packet/sec In — the rate of inbound information in packets from the application
• App Packet/sec Out — the rate of outbound information in packets from the application
• BW Loss,% — the Bandwidth Loss that activated the alert
• BW Loss Threshold,% — the threshold set by the user
• CIR, Bps — the CIR that activated the alert
• CIR Threshold, Bps — the threshold for the CIR set by the user
• Dst Gateway — the Destination Gateway
• Estimation — the values of the SLA Statistics:
Low — the lowest reported value
High — the highest reported value
Average — the average of all of the values
• RTT, ms — the Round Trip Time that activated the alert


• RTT Threshold, ms — the threshold for the Round Trip Time set by the user
• Sample ID — the name of the query
• SLA Violation — SLA parameter violation
• SRC Gateway — the Source Gateway. This Gateway also acts as a Reporting Module
• Virtual Link — the name of the Virtual Link
• Wire Byte/sec In — the rate of inbound information in bytes coming from the Gateway
• Wire Byte/sec Out — the rate of outbound information in bytes sent from the Gateway
• Wire Packet/sec In — the rate of inbound information in packets from the Gateway
• Wire Packet/sec Out — the rate of outbound information in packets from the Gateway

SecureClient Entries
When an active window is open, double-click the SecureClient query in the Query Tree pane to
display SecureClient details in the Records pane.

The SecureClient Log shows the following FireWall-1 specific data:
• NAT rule number — number of the NAT rule
• XlateSrc — translated source address
• XlateDst — translated destination address
• XlateSPort — translated source port number
• XlateDPort — translated destination port number
• Partner — name of partner

UA WebAccess Entries
When an active window is open, double-click the UA WebAccess query in the Query Tree pane
to display UA WebAccess details in the Records pane. The UA WebAccess Log shows the
following UA WebAccess-specific data (in addition to the data displayed in the Security Log):
• Application Name — the name of the accessed application
• Auth Domain — the authentication domain
• Destination Port — the port number of the destination
• Display Name — the full user name
• Domain Username — the user name used for a specific authentication domain
• Enc Type — the encryption type, either VPN or SSL
• End2EndEnc — a boolean value indicating whether the connection is encrypted from source
to destination
• ID source — the tool used to identify the user
• Headers inserted/removed — HTTP headers that were inserted/removed by UA
WebAccess
• Operation — the User Authority operation describing the intention of a certain request,
such as read, write or delete
• Redirect URL — whether or not the URL is redirected
• Requested Method — the HTTP method (GET, POST, etc.)


• Requested URL — the URL of the original request


• SSO Type — the Single Sign On type (either Basic or HTML)
• Session ID — Identifies the user in the browser.
• UA Auth Result — the WAM result, can be Accept, Reject or Redirect
• UA Session ID — The session ID that the User Authority gives the user.

UA Server Entries
When an active window is open, double-click the UA Server query in the Query Tree pane to
display UA Server details in the Records pane.

The UA Server Log shows the following UA Server-specific data:
• ID Source — the source ID
• Request Result — how the request ended (either success, failed, Timedout or redirected)
• Session ID — Check Point session ID
• UA Session ID — the session ID that the User Authority gives the user

VPN-1 Entries
When an active window is open, double-click the VPN-1 query in the Query Tree pane to
display VPN-1 details in the Records pane. The VPN-1 Log shows the following VPN-1-specific
data (including FireWall-1 specific data):
• DstKeyID — the IPSec SPI used in ESP or AH
• Encryption Methods — the type of encryption algorithm, hash algorithm and
authentication method (for example, MD5)
• Encryption Scheme — the type of encryption being used
• IKE Initiator Cookie — signifies the initiation of Phase 1 of IKE negotiation
• IKE Phase 2 MsgID — signifies that Phase 2 of IKE negotiation is taking place
• IKE Responder Cookie — signifies the response to Phase 1 of IKE negotiation
• Partner — the name of the Partner
• SRCKeyID — the IPSec SPI used in ESP or AH
• VPN Peer Gateway — the peer Gateway of the Gateway undergoing negotiation

SmartDefense Entries
When an active window is open, double-click the SmartDefense query in the Query Tree pane
to display SmartDefense details in the Records pane.

The SmartDefense Log shows the following SmartDefense-specific data (including FireWall-1
specific data):
• Attack Name — the name of the attack


Voice over IP Entries

When an active window is open, double-click the Voice over IP query in the Query Tree pane
to display Voice over IP details in the Records pane.

The Voice over IP Log shows the following Voice over IP-specific data (including FireWall-1
specific data):
• Destination IP Phone — the IP address at which the phone call was received
• Media Type — the type of call being made
• Registered IP Phones — a request to register your phone at a specific IP address
• Source IP Phone — the IP address at which the phone call originated

Active Mode
To show active connections in the SmartView Tracker (FIGURE 11-3), that is, connections
currently open through any of the VPN/FireWall Modules that are logging to the currently
active Log File, open a new window and click the Active tab. The Active mode’s All Records
Query is displayed.
In addition to the data displayed in the Security Log, Active mode displays the following Active
mode-specific data:
• Connection ID — the connection ID, a fixed number (in contrast to the No field, which
changes dynamically)
• Bytes — the number of bytes transferred
• Elapsed — the duration of the connection

Audit Mode
To show audit entries in the SmartView Tracker, open a new window and click the Audit tab.
The Audit mode’s All Records Query is displayed. This mode enables you to track changes made
to objects in the Rule Base, as well as general SmartDashboard usage.
The Audit window displays the following Audit mode-specific data:
• Administrator — the administrator of the object
• Application — the name of the application
• Object table — the table in which the object is categorized
• Changes — changes made to the fields of the object (for example, if the object is assigned a
new IP address, the IP Address field of the object is modified), or changes made to the
Rule Base (for example, adding a new rule changes the Rule Base)
• Client — the machine from which the administrator logged in
• Object Name — the name of the object
• UID — the User ID of the object; this ID is a unique string
• Operation — the operation performed on the object (see TABLE 11-2 for more details)


If the status of the object is unknown, the SmartView Tracker displays Unknown in the
Operation column.

TABLE 11-2 The Operations Table

Operation          Description
creating           creating a new object
updating           updating an existing object
deleting           deleting an object
logging in         logging in to an object
login failed       login to an object failed
Install policy     policy installed on an object
Uninstall Policy   policy on object uninstalled

SmartView Tracker Main Screen


The SmartView Tracker Main Screen is the area where the Log Files appear. The SmartView
Tracker has a new and improved interface enabling you to open multiple windows.
You can open more than one Log File simultaneously. You can also open more than one
window of the same Log File. This may be helpful if you want to get different images of the
same Log File. For example, you can open two windows of the same file and use different
filtering criteria in each window. You can view both windows simultaneously and compare the
different images. You can also resize each window so as to fit as many windows as possible in
the SmartView Tracker Main Screen. The number of windows that can be open simultaneously
in the application is limited to 5.
SmartView Tracker is divided into three sections:
• Query Tree Pane
• Query Properties Pane
• Query Records Pane

Query Tree Pane


The Query Tree pane contains the following folders in each mode:
Predefined — A folder containing one or more predefined Queries which cannot be directly
modified or saved. They can, however, be modified and saved under a new name. The predefined
queries available in the Query Tree pane depend on the mode you are in. Each mode contains
a Query called All Records. Product-specific queries are available in Log mode only.
Custom — This folder automatically receives all Queries which were modified and saved
under a new name. For information on how to save a predefined query under a different name,
see “Saving a predefined query under a different name” below.


Displaying a Query in an Active window


To display a query in an active window, double-click the desired query in the Query Tree pane.
The log entries for the selected query will be displayed in the Records pane.

Opening an Existing Query


You can open an existing query in an active window by:
• Using the Query menu
• Right-clicking an existing query
• Double-clicking an existing query

To open an existing query using the Query menu


1 Select the query you want to open.
2 From the Query menu, select Open. The desired query appears in the Records pane.

To open an existing query by right-clicking


1 Right-click the query you want to open. A different menu is displayed depending on
whether you chose to open a predefined or customized query.
2 Choose Open. The desired query appears in the Records pane.

To open an existing query by double-clicking


1 Double-click the desired query. The desired query appears in the Records pane.

Creating a Customized Query


Predefined queries contained in the Predefined folder cannot be modified but they can be saved
under a different name.

Saving a predefined query under a different name


1 Open a predefined Query. For information on how to open a predefined query, see “Opening
an Existing Query” above.
2 Modify the Query as desired.
3 From the Query menu, select Save As. The following window appears.
FIGURE 11-5Save the predefined Query under a different name

4 Type the desired Query name.


5 Click OK. The modified view is placed in the Custom folder.

Duplicating an Existing Query


You can create an exact duplicate of an existing query (predefined or customized), that is, one
that has the same properties, and save it under a new name.

To duplicate an existing query (predefined or customized)


1 Select the query you want to duplicate.
2 From the Query menu, select Copy, or right-click the desired query and select Copy from
the displayed menu. The newly-duplicated query is placed in the Custom folder.
3 Enter the desired query name and press Enter.

Saving the changes you made to a customized query


1 Open the desired query and make the desired changes.
2 From the Query menu, choose Save.

Renaming a customized Query


1 Select the query you want to rename.
2 From the Query menu, select Rename, or right-click the desired Query and select Rename
from the displayed menu.
The newly-duplicated Query is placed in the Custom folder.
3 Enter the desired Query name and press Enter.

Deleting a Customized Query


1 Select the Query you want to delete.
2 From the Query menu, select Delete, or right-click the desired query and select Delete
from the displayed menu.

Note - You cannot delete an open or predefined query.

Hiding/Showing the Query Tree Pane


You can choose to hide or display the Query Tree pane.

To toggle the display of the Query Tree pane


Click the Query Tree button in the SmartView Tracker toolbar, or
select Query Tree from the View menu.


Query Properties Pane


The Query Properties pane shows the attributes of the corresponding columns in the Records
pane. These attributes include whether the columns are displayed or hidden, the width of the
column and the filtering arguments you used to display specific entries.
FIGURE 11-6 Query Properties pane

The Query Properties pane contains four columns. See the following table (TABLE 11-3) for a
description of the columns.

TABLE 11-3 Query Properties pane description

Column   Description
Column   The name of the column.
Show     Check to display the corresponding column in the Records pane.
         Clear the check box to conceal the corresponding column.
Width    The specified width of the corresponding column in the Records
         pane, in pixels.
Filter   The items contained in this column are the filtering criteria used to
         display specific log data.

Hiding/Showing the Query Properties Pane


You can choose to hide or display the Query Properties pane. Hiding the Query Properties
pane gives you a full-screen image of the Log File entries in the Records pane.

To toggle the display of the Query Properties pane


Click the Query Properties button in the toolbar, or select Query Properties from the View menu.


Records Pane
The Records pane displays the list of records in the Log File. The columns that appear depend
on which Query is open. If a column is not wide enough to show all of a field’s information,
a tooltip displays everything that is hidden. The tooltip appears only where the cell is not wide
enough to display all the information in it.

Modifying a Column’s Properties

Showing/Hiding a Column
You can show/hide a column:
• Using the Query Properties pane
• Using the Records pane

To show/hide a column using the Query Properties pane


In the Query Properties pane, select the column’s check box in the Show column to display the
column or clear the check box to hide it. The corresponding column in the Records pane is
displayed/hidden respectively.

To hide a column by using the Records pane


1 In the Records pane, right-click anywhere in the column.
2 Select Hide from the displayed menu. The column is hidden and, at the same time, the
check box in the Show column in the Query Properties pane is automatically cleared. For
example, in FIGURE 11-7, the Date column is displayed while the Time column is hidden.
FIGURE 11-7 Hiding a column


Changing a Column’s Width


You can change the width of a column either in the Query Properties or the Records pane. If
you change it in one pane, it is automatically changed in the other.
You can change a column’s width:
• From the Width column in the Query Properties pane
• By dragging the column’s right border in the Records pane

To set the column width from the Query Properties pane


1 Click the Width field that you would like to edit in the Width column. The Width field
becomes an editable field in which you can specify a new width (in pixels).
FIGURE 11-8 Editing the column width

2 Edit the width value and press Enter. The corresponding column in the Records pane is
widened/narrowed accordingly.

To set the column width by dragging its border in the Records pane
1 Place the cursor on the column’s right border in the header. The cursor changes to the
column resize cursor.
2 Press the left mouse button without releasing it.
3 Move the column border to the desired position while keeping the left mouse button down.
4 Release the left mouse button. The value in the column’s corresponding Width field in the
Query Properties pane is automatically modified accordingly.

Rearranging a Column’s Position


You can rearrange a column’s position in the Query Properties or the Records pane. If you
change the position in one pane, it is automatically changed in the other.

To rearrange a column’s position


• In the Query Properties pane, drag the column up or down to the desired position.
• In the Records pane, drag the header of the column left or right to the desired position.

Copying Log Record Data


You can copy a whole log record or only one of its cells to the clipboard.


To copy log record data


1 Right-click the desired record.
2 From the displayed menu, select Copy Cell to copy only the cell on which the cursor is
standing or Copy Line to copy the entire record.

To view a record’s details


Double-click the desired record. The Record Details window appears.
FIGURE 11-9 Record Details window

This window contains all the record’s fields and their values. The fields in the Record Details
window always appear in the same order as they do in the Records pane. Fields that have been
defined as hidden for that record do not appear in the Record Details window.
All field values appear in their entirety, as they do in the tooltip.

Viewing a rule
You can view the rule that generated the log entry.

To view a rule
1 Right-click the desired record.
2 Select View Rule in SmartDashboard.


3 In SmartDashboard, view the rules using the Database Revision Control icon, or in the
Global Properties select the Create new version upon installed Policy Operation
check box.

Finding a Specific Record


You can search for a specific record based on the value in a specific column.

To find a specific record based on a value in a specific column in the Log File

1 In the Records pane, right-click anywhere in the specified column.
2 Select Find from the menu that appears. The appropriate Find By window is displayed. The
Find By window is almost the same as the window you would get if you used the
filtering mechanism for that field (see “Filtering” below). The only difference between the
Find By window and the filtering windows is that the Find By window additionally contains
the option by which you can specify the desired search direction.
3 Enter the desired criteria.
4 Select one of the Search Direction options to specify the desired search direction:
• Forward — to search forward from the current entry (toward the end of the Log File)
• Back — to search backwards from the current entry (toward the beginning of the Log
File)
5 Click OK to highlight the specified entry.

Filtering
You can use SmartView Tracker’s filtering mechanism to include only the log entries you would
like to display.
To display only entries of interest in the SmartView Tracker and to hide other entries, you can
specify the criteria you want to use in filtering the Log File. Once you have applied the filtering
criteria, only entries matching the criteria you have selected are displayed. To apply filtering
criteria, proceed as follows.

Note - In Local mode, you can display filtering criteria, but you cannot change the selection
specification. In other words, you cannot apply or remove filtering criteria.

1 In the Query Properties pane, right-click the desired field in the Filter column, or in the
Records pane, right-click anywhere in the desired field.


2 Choose Edit Filter from the displayed menu.
Each field displays a type-specific Filter window. Configure the window as desired and the
log data will be displayed according to the filtering criteria used.

Note - Filtering criteria only take effect if the Apply Filter button is activated.

3 Click the OK button to apply the configuration settings.
4 Click Cancel to close the Filter window.

Filter fields

Numeric field
Right-click in the desired field and choose Edit Filter from the displayed menu.

Note - If you choose to filter the Number field, choose Go to Record and specify the
desired number.

The appropriate Filter window is displayed.
FIGURE 11-10 Rule Criterion window

Note -
• The title that appears in the window depends on which field you are filtering.
• The default is to include the specified items in the filtering. To exclude the
specified items, select Not.


5 Configure the Filter window according to the following table:

Field   Description
Field   The available options are:
        • Is equal to — Include/Exclude all entries whose value is equal to the
          specified value.
        • Is less than — Include/Exclude all entries whose value is less than the
          specified value.
        • Is greater than — Include/Exclude all entries whose value is greater than
          the specified value.
        • Is one of — Include/Exclude all entries whose value is equal to one of the
          specified values.
        • Is in range — Include/Exclude all entries whose value is within the
          specified range. Specify the range by entering From and To criteria.
Not     Exclude the log entries, that is, display only log entries that are not in
        the specified range. Not is only available if you select the Is in range
        operator.
Value   Specify the desired criterion value.

6 Click OK and then the Apply Filter button, if it is not yet clicked, to apply the
specified criteria. The criterion is displayed in the Filter column of the specified field in the
Query Properties pane.

7 Right-click the Filter column of the specified field and select Clear Filter to remove the
specified criteria. The criterion is no longer displayed in the Filter column.

Date / Time fields


1 Right-click in the desired field, and choose Edit Filter in the menu that displays. The
appropriate Filter window is displayed.
FIGURE 11-11 Date Filter window


FIGURE 11-12 Time Filter window

2 Configure the Date/Time Filter fields according to the following table:

Field   Description
Field   The available options are:
        • Is after — Include/Exclude all entries occurring after the specified
          date/time.
        • Is before — Include/Exclude all entries occurring before the specified
          date/time.
        • Is in range — Include/Exclude all entries occurring within the specified
          range. Specify the range by entering From and To criteria.
Not     Exclude the log entries, that is, display only log entries that are not in
        the specified range. Not is only available if you select the Is in range
        operator.
After   Specify the desired criterion value.

3 Click OK and then the Apply Filter button, if it is not yet clicked, to apply the
specified criteria. The criterion is displayed in the Filter column of the specified field in the
Query Properties pane.

4 Right-click the Filter column of the specified field and select Clear Filter to remove the
specified criteria. The criterion is no longer displayed in the Filter column.

Interface field
You can filter the Log File by specifying one or more interfaces to be included in (or excluded
from) the filtering criteria.
1 Right-click in the Interface field, and choose Edit Filter in the menu that displays. The
Interface Filter window is displayed.


FIGURE 11-13 Interface Filter window

2 In the editable field (to the left of the Add>> button), type the interface you want to
include/exclude in the filtering criteria (for example, sl0, le0, all) and click Add. The
interface appears in the box below the Add>> button.
3 Select the Not check box if you want to exclude the log entries, that is, to display only log
entries that do not match the specified criteria.
4 Select one or both of the following packet types:
• Inbound — packets going in the inbound direction
• Outbound — packets going in the outbound direction

5 Click OK and then the Apply Filter button ( ) if it is not yet clicked to apply the
specified criteria. The criterion is displayed in the Filter column of the specified field in the
Query Properties pane.

6 Right-click the Filter column of the specified field and select Clear Filter to remove the
specified criteria. The criterion is no longer displayed in the Filter column.

New value field


1 Right-click in the desired field, and choose Edit Filter in the menu that displays. The
appropriate Filter window is displayed.

FIGURE 11-14 Product Filter window

Note -
• The title that appears in the window depends on which field you are filtering.
• The default is to include the specified items in the filtering. To exclude the
specified items, select Not.

2 In the left list box, select the items you wish to include/exclude in the filtering criteria.
Click the Add> button to add it to the list of items you wish to use as the filtering criteria.
Click the <Remove button to remove it. You can also move multiple items by making
multiple selections.
You can also manually add an item by entering the item name in the editable field (on top
of the left list box). When filtering the Log File by product, you can include any OPSEC
product or third party vendor product. This allows you, for example, to add external Source
or Destination hosts which do not appear in the list box. You may specify a host by
entering its name or by entering its address in conventional IP dot notation.
Note - Origin is the origin of the log entry, that is, the host that generated the log entry
and on which the rule is enforced. Origin can only be an internal object. Source and
Destination are the source and destination of the packet, either of which may be internal
or external.

The items you want to add/exclude are in the right list box. These elements are the
filtering criteria.
3 Click OK and then the Apply Filter button ( ) if it is not yet clicked to apply the
specified criteria. The criterion is displayed in the Filter column of the specified field in the
Query Properties pane.

4 Right-click the Filter column of the specified field and select Clear Filter to remove the
specified criteria. The criterion is no longer displayed in the Filter column.

Predefined field
1 Right-click in the desired field, and choose Edit Filter in the menu that displays. The
appropriate Filter window is displayed.

FIGURE 11-15 Type Filter window

2 Select one or more of the types you wish to include or exclude.


The following table gives a description of the different types in the Type Filter window
(TABLE 11-4).

TABLE 11-4 Type description

• Alert — An event that generated an alert. Available only in Log and Active modes.
• Log — An event that was logged as specified by the Security Policy. Available only in
  Log and Active modes.
• Control — An event that was logged automatically (for example, installing a Security
  Policy). Available only in Log and Active modes.
• Account — An event that generated an Account log.

The following table gives a description of the different types in the SSO Type Filter window
(TABLE 11-5).

TABLE 11-5 SSO Type description

• Basic — Single Sign On for Basic authentication
• HTML — Single Sign On for HTML authentication
• None — no Single Sign On

The following table gives a description of the different types in the Type Filter window
(TABLE 11-6).

TABLE 11-6 Encryption Type description

• Unknown — unknown encryption type
• Vpn — encryption type that is used by the VPN
• SSL — SSL encryption type

The following table gives a description of the different types in the Type Filter window
(TABLE 11-7).

TABLE 11-7 E2E Encryption description

• Unknown — there is no information on encryption
• False — No encryption
• True — encryption

The following table gives a description of the different types in the Request Result Filter
window (TABLE 11-8).

TABLE 11-8 Request Result description

• su: Success — Request result has been successful.
• fa: Failed — Request result has failed.
• ti: TimedOut — Request result has been timed out.
• re: Redirected — Request result has been redirected according to the Security Policy.

The following table gives a description of the different types in the UA Auth Result Filter
window (TABLE 11-9).

TABLE 11-9 UA Auth Result description

• Accept — HTTP request was accepted.
• Reject — HTTP request was rejected.
• auth: Authenticate — User must be authenticated in order to access this page.
• Redirect to ssl — Connection should be encrypted using SSL.
• Redirect — HTTP was redirected according to the Security Policy.

3 The following table gives a description of the different types in the Action Filter window
(TABLE 11-10).

TABLE 11-10 Action icons

• Accept — The connection was allowed to proceed.
• Reject — The connection was blocked.
• Drop — The connection was dropped without notifying the source.
• Encrypt — The connection was encrypted.
• Authcrypt — SecuRemote user logon
• Decrypt — The connection was decrypted.
• Key Install — encryption keys were created
• Authorize — Client Authentication logon
• Deauthorize — Client Authentication logoff

4 Select the Not check box if you want to exclude the log entries, that is, to display only log
entries that do not match the specified criteria.
5 Click OK and then the Apply Filter button ( ) if it is not yet clicked to apply the
specified criteria. The criterion is displayed in the Filter column of the specified field in the
Query Properties pane.

6 Right-click the Filter column of the specified field and select Clear Filter to remove the
specified criteria. The criterion is no longer displayed in the Filter column.

Free Text Field

1 Right-click in the desired field, and choose Edit Filter in the menu that displays. The
appropriate Filter window is displayed.
FIGURE 11-16 Partner Filter window

Note - The title that appears in the window depends on which field you are filtering.

2 Configure the Free Text fields according to the following table:

Field: The available options are:
  • is equal — Include/Exclude all entries containing text that equals the specified pattern.
  • contains — Include/Exclude all entries with text that contains the specified pattern.
Not: Exclude the specified items. The default is to include the specified items in the
  filtering.
Text: Specify the text string you want to include/exclude.
Match Case: To find or ignore an item with specific capitalization, select or clear the
  Match case check box.

3 Click OK and then the Apply Filter button ( ) if it is not yet clicked to apply the
specified criteria. The criterion is displayed in the Filter column of the specified field in the
Query Properties pane.

4 To remove all the filters in the Log File, click the Clear All Filters button ( ) in the
Query pane toolbar. The criteria are no longer displayed in the Filter column.

Resolving Addresses
You can control the display of source and destination host names in the Log File.
Click the button to toggle between:

• Displaying the name of the host and the domain
• Displaying the addresses in conventional IP dot notation

Resolving Services
Each port number is mapped to the type of service it uses. You can control the display of the
destination port in the Log File.
Click the button to toggle between:
• Displaying the destination port number
• Displaying the type of service the port uses
Note - If you have clicked the Resolving Services button to display the type of
service the port uses, and the port number appears, it means that a service has not been
previously defined for this port. A port number can be mapped to a service either in the
Objects database using the Object Manager (see the Check Point SmartCenter Guide) or in
the Services Configuration file.

In UNIX, the Services Configuration file is /etc/services.

In Windows NT, the Services Configuration file is winnt\system32\drivers\etc\services.
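As an added example (not from the guide), the following Python resolves a destination port the way the Resolve Services toggle does: it parses a file in the Services Configuration format and falls back to the bare port number when no service is defined for that port. The services excerpt below is constructed; `load_system_services` reads the real file from the platform default path named above, which is an assumption about the local installation.

```python
import os
import platform

# Constructed excerpt in the Services Configuration file format used by
# /etc/services on UNIX and winnt\system32\drivers\etc\services on Windows NT:
# "name  port/protocol  [aliases...]  # comment"
SAMPLE_SERVICES = """\
# Network services, Internet style
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
smtp            25/tcp    mail
domain          53/tcp    nameserver
domain          53/udp    nameserver
http            80/tcp    www www-http   # WorldWideWeb HTTP
https           443/tcp
"""


def parse_services(text):
    """Map (port, protocol) -> service name.

    Comment lines and trailing comments are ignored, malformed lines are
    skipped, and the first definition of a port/protocol pair wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if not port.isdigit():
            continue
        table.setdefault((int(port), proto.lower()), fields[0])
    return table


def resolve_service(table, port, proto="tcp"):
    """What the Records pane shows with Resolve Services on: the service name,
    or the port number itself when no service is defined for that port."""
    return table.get((int(port), proto.lower()), str(port))


def system_services_path():
    """Default location of the Services Configuration file on this platform
    (assumed: the paths given in the note above)."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\winnt")
        return os.path.join(root, "system32", "drivers", "etc", "services")
    return "/etc/services"


def load_system_services(path=None):
    """Parse the real Services Configuration file; empty table if unreadable."""
    path = path or system_services_path()
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            return parse_services(fh.read())
    except OSError:
        return {}


if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    for port, proto in ((80, "tcp"), (53, "udp"), (8080, "tcp")):
        print(port, proto, "->", resolve_service(table, port, proto))
```

A port that resolves to a bare number with the toggle on is exactly the "service not previously defined" case the note describes; the same check against the Objects database is not modelled here.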

Showing Null Matches


This option controls the display of Null Matches, that is, log entries that are neither included
nor excluded by the current filtering criteria.
For example, if you choose to display only log entries whose Action is either Reject or Drop,
control logs are null matches because Action is not relevant to a control log. They are neither
included nor excluded. If Show Null Matches is clicked, the null matches are displayed.
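As an added example (not part of the guide), this Python models the filter semantics described in the Filter fields and Showing Null Matches sections: Date/Time (Is after, Is before, Is in range), Free Text (is equal, contains, Match case), an Action filter, the Not check box, and the three-way include/exclude/null-match verdict. The records and the `info` field name are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional


# Constructed sample records (not real log data). Control entries carry no
# Action, which is what makes them null matches for an Action filter.
@dataclass
class Record:
    time: datetime
    type: str                  # log, alert, control, account
    action: Optional[str]      # None when Action is not relevant to the entry
    info: str                  # free-text field (assumed name)


RECORDS: List[Record] = [
    Record(datetime(2002, 9, 10, 8, 0), "log", "accept", "telnet session"),
    Record(datetime(2002, 9, 10, 9, 30), "log", "drop", "port scan suspected"),
    Record(datetime(2002, 9, 10, 9, 45), "control", None, "Security Policy installed"),
    Record(datetime(2002, 9, 11, 0, 15), "alert", "reject", "Telnet login failures"),
]

# A criterion returns True (include), False (exclude) or None (null match).
Verdict = Optional[bool]


def _ts(value):
    """Accept datetime objects or ISO strings such as '2002-09-10 09:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def date_time(op: str, start, end=None) -> Callable[[Record], Verdict]:
    """Date/Time filter: 'is after', 'is before' or 'is in range' (From/To)."""
    start = _ts(start)
    end = _ts(end) if end is not None else None

    def crit(rec: Record) -> Verdict:
        if op == "is after":
            return rec.time > start
        if op == "is before":
            return rec.time < start
        if op == "is in range":
            return start <= rec.time <= end
        raise ValueError(op)
    return crit


def free_text(op: str, pattern: str, match_case: bool = False) -> Callable[[Record], Verdict]:
    """Free Text filter: 'is equal' or 'contains', with optional Match case."""
    def crit(rec: Record) -> Verdict:
        value, pat = (rec.info, pattern) if match_case else (rec.info.lower(), pattern.lower())
        if op == "is equal":
            return value == pat
        if op == "contains":
            return pat in value
        raise ValueError(op)
    return crit


def action(actions: List[str]) -> Callable[[Record], Verdict]:
    """Action filter; entries without an Action field are null matches."""
    def crit(rec: Record) -> Verdict:
        return None if rec.action is None else rec.action in actions
    return crit


def apply_filter(records, criterion, negate=False, show_null_matches=False):
    """Not inverts include/exclude but never turns a null match into a match;
    null matches appear only when Show Null Matches is on."""
    out = []
    for rec in records:
        verdict = criterion(rec)
        if verdict is None:
            if show_null_matches:
                out.append(rec)
        elif verdict != negate:
            out.append(rec)
    return out


def matching_infos(records, criterion, negate=False, show_null_matches=False):
    """Convenience wrapper returning just the free-text field of the matches."""
    return [r.info for r in apply_filter(records, criterion, negate, show_null_matches)]


if __name__ == "__main__":
    print(matching_infos(RECORDS, action(["reject", "drop"]), show_null_matches=True))
```

The Action example is the case from the text: with Reject/Drop selected, the control entry is neither included nor excluded, so it appears only when Show Null Matches is on, whether or not Not is selected.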

Updating the Log File


When you open an active file, the SmartView Tracker shows the state of the Log File as it was
when the Log File was first opened. To update the list of log entries online as new entries are
added, click in the Query pane toolbar. The newly-added entries are added to the end of
the list, highlighting the last entry at the bottom.
To stop updating the log entries, click again

Note - This option is only relevant if the current active Log File is displayed in the
SmartView Tracker.

Find
You can search for an item in all columns, rather than just in a specific column in the Log File.


To search for an item in all columns


1 Click the button in the Query Properties toolbar. The following window appears.
FIGURE 11-17Find in all columns window

2 Configure the Find in all columns window according to the following table:

Pattern: Specify the pattern string you want to include in your search.
Match whole word only: To match only a complete word, select Match whole word only.
Match Case: To find or ignore an item with specific capitalization, select or clear the
  Match case check box.
Direction: Select the desired search direction.
3 Click the Find (F3 to Next) button. The log entry matching the specified pattern is highlighted.
4 Press F3 on your keyboard to find the next occurrence of the item.

Saving a Query Under a New Name

You can modify a Query and save it under a new name.

To modify a predefined Query and save it under a new name

1 Modify the predefined Query as desired.
2 Choose Save As from the Query menu, or click and specify a file name for the
modified Query.
3 Click OK. The modified Query is placed in the Custom folder.

To save the changes made to a custom Query

1 Modify the Query as desired.
2 Choose Save from the Query menu, or click the Save button in the toolbar.


Navigating Through the Log File


SmartView Tracker allows easy navigation through both the Query Properties and the Records
panes.

Scrolling Through the Query Properties and the Records Pane


Use the scroll bars on the side and bottom of each pane. You can also use the Up and Down
arrows or the PageUp and PageDown keys on your keyboard.

Navigating to a Specific Location in the Records Pane

To go to the beginning of the file


Click in the toolbar of the Query pane.
-or-
Press Ctrl+Home on your keyboard.

To go to the end of the file


Click in the toolbar of the Query pane.
-or-
Press Ctrl+End on your keyboard.

Log File Management

Opening a Different Log File


When opening a new Log File, you can either open a Log File in the currently active window
or in a new window without closing any currently open one(s).
• To close the currently open Log File and open a new one in the active window, choose
Open from the File menu and specify the file to open, or click in the toolbar.


• To open a Log File in a new window without closing any currently open ones, choose
Open in New Window from the File menu and specify the file to open.

Saving the Currently Displayed Log Entries


1 To save the currently displayed Log File entries to a file, choose Save As from the File
menu
-or-
click in the toolbar. The following window appears:

FIGURE 11-18 Save Log File As window

2 In the File name box, specify the new file name.


3 In the Range box, select one of the following:
• Whole File — to save all the records in the file
• Records — to save only specific records. Specify the range by entering From and To
values.
4 Click OK.

The current log entries will be written to file. Only the records that match the filtering criteria
will be saved to the file (both those that are visible in the window and those that are not).

Starting A New Log File


To start a new Log File, choose Switch Active File from the File menu, or click in the
SmartView Tracker toolbar.
When you create a new Log File, the current Log File is closed and written to disk with a name
that contains the current date and time. The new Log File receives the default Log File name,
$FWDIR/log/fw.log. You can optionally specify another Log File name instead by clearing
the Default box and entering a new name.

Note - This operation actually performs a Log File switch (see “fwm logswitch” on page
596).


Deleting the Contents of the Active Log File


To delete all records in the active Log File, choose Purge Active File from the File menu.

Note - This feature is only available in Log or Audit mode.

Blocking Connections
You can terminate an active connection and block further connections from and to specific IP
addresses.

Note - The termination and blocking of active connections can only be performed in
Active mode.

To terminate a connection using the Block Intruder window


1 Select the connection you want to block by clicking it.
2 From the Tools menu, select Block Intruder. The Block Intruder window is displayed.
3 In Blocking Scope, select one of the options:
• Block only this connection — the selected connection is terminated, and all further
attempts to establish a connection from the same source IP address to the same
destination IP address and port will be blocked
• Block access from this source — the selected connection is terminated, and all further
attempts to establish connections from the source IP address of the selected connection
will be denied
• Block access to this destination — the selected connection is terminated, and all
further attempts to establish connections to the destination IP address of the selected
connection will be denied
4 In Blocking Timeout, select one of the options:
• Indefinite — block all further access
• For... minutes — block all further access attempts for the specified number of minutes

5 In Force this blocking, select one of the options:
• Only on... — block access attempts through the indicated VPN/FireWall Module.
• On any VPN-1 & FireWall-1 Module — block access attempts through all VPN/FireWall
Modules which are defined as gateways or hosts on the Log Server

Note - A Log Server is a machine to which log events are sent by one or more
VPN/FireWall Modules. One of these VPN/FireWall Modules may be running on the Log
Server. For more information, see “Redirecting Logging to Another Master” on page 424.


6 Click OK.

To clear blocked connections, choose Clear Blocking from the Tools menu. For
information how to block connections.
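As an added example (not code from the guide or from Check Point), the following Python expresses the Block Intruder options as data: Blocking Scope decides which part of the selected connection is matched, Blocking Timeout decides when the rule expires (None stands for Indefinite), and Clear Blocking drops the rules. The connection values are constructed; the per-Module "Force this blocking" choice is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


# Constructed connection tuple as it appears in a record selected in Active
# mode: source address, destination address and destination port.
@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dport: int


@dataclass
class BlockRule:
    scope: str                   # "connection", "source" or "destination"
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int]
    expires: Optional[datetime]  # None means Indefinite


def _ts(value):
    """Accept datetime objects or ISO strings such as '2002-09-10 12:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def block_intruder(conn: Connection, scope: str, now, minutes: Optional[int] = None) -> BlockRule:
    """Build the rule for one Block Intruder request.

    scope mirrors Blocking Scope; minutes mirrors Blocking Timeout
    ('For... minutes'), with None meaning Indefinite."""
    now = _ts(now)
    expires = None if minutes is None else now + timedelta(minutes=minutes)
    if scope == "connection":      # same source, same destination, same port
        return BlockRule(scope, conn.src, conn.dst, conn.dport, expires)
    if scope == "source":          # anything from this source address
        return BlockRule(scope, conn.src, None, None, expires)
    if scope == "destination":     # anything to this destination address
        return BlockRule(scope, None, conn.dst, None, expires)
    raise ValueError(f"unknown blocking scope: {scope}")


def rule_matches(rule: BlockRule, conn: Connection) -> bool:
    if rule.scope == "connection":
        return (conn.src, conn.dst, conn.dport) == (rule.src, rule.dst, rule.dport)
    if rule.scope == "source":
        return conn.src == rule.src
    return conn.dst == rule.dst


def is_blocked(rules: List[BlockRule], conn: Connection, now) -> bool:
    """True if any rule that has not yet expired covers the attempt."""
    now = _ts(now)
    return any((r.expires is None or now < r.expires) and rule_matches(r, conn)
               for r in rules)


def clear_blocking(rules: List[BlockRule]) -> List[BlockRule]:
    """Tools > Clear Blocking: every rule is removed."""
    return []


if __name__ == "__main__":
    sel = Connection("192.0.2.44", "10.2.2.8", 23)
    rules = [block_intruder(sel, "connection", "2002-09-10 12:00", minutes=30)]
    print(is_blocked(rules, sel, "2002-09-10 12:10"))   # still within the timeout
    print(is_blocked(rules, sel, "2002-09-10 12:30"))   # timeout has elapsed
```

The "connection" scope is the narrowest option: a further attempt from the same source to a different port on the same destination is not covered, which is why the text offers the broader source and destination scopes.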

Viewing a Previous Database Version


Every log record is created in accordance with a certain rule in the SmartDashboard. The
SmartCenter Server retains a repository of database versions and SmartView Tracker allows you
to view the SmartDashboard version from which a specific log record was created.

To view the database version from which a record was created


1 In the Records pane, right-click in any field.
2 From the displayed menu, choose View in SmartDashboard. If the SmartDashboard is not
already open, a SmartDashboard window opens in read-only mode displaying the rule that
created that log record.
If the SmartDashboard is already open but did not display the desired database version,
another SmartDashboard window will open highlighting the appropriate rule.
If the SmartDashboard is already open to the desired database version, the appropriate rule
will be highlighted.

Fetching Log Files From a Remote Machine


The SmartView Tracker allows you to transfer Log Files from a remote machine to the machine
to which the SmartView Tracker is currently connected.

To transfer Log Files from a remote machine


1 Choose Remote Files Management from the Tools menu or click in the toolbar.
The Remote Files Management window appears.

FIGURE 11-19 Remote Files Management Window

This window displays the list of Check Point Modules from which you can fetch Log Files.

Note - To close the currently active Log File and create an active file on the selected
Module, click Log Switch and specify the Log File Name.

2 Select the desired Node and click Get File List. The following window appears.
FIGURE 11-20 Files Found in Selected Node Window

This window displays the list of files found in the Check Point Node you selected (see
FIGURE 11-19), including the active files. It contains three columns:
• File Name — displays the name of the file
• Date — displays the date the file was created

• Size — displays the size of the file (in bytes)

Note - You can sort each column by clicking the column header.

3 Select one or more files that you want to fetch.

Note - You cannot fetch an active Log File. If you want to fetch an active file, you must
first close the currently active file and open a new one (see “fwm logswitch” on page
596).

4 Click Fetch Files. The Files Fetch Progress window appears showing the progress of the
file transfer operation.
FIGURE 11-21 Viewing the Progress of the File Transfer Operation

Note - You can also open the Files Fetch Progress window by clicking in the
toolbar. This button is enabled only when the file transfer operation is in progress. The
file transfer operation will continue even if the Files Fetch Progress window is closed. It
is interrupted only if you click the Abort button.

This window is divided into two sections:

• Check Point Nodes pane — View the node(s) you selected from the Remote Files
Management window (see FIGURE 11-19).
• Fetched Files From pane — View the Log Files that were selected to be transferred (see
FIGURE 11-20). This pane contains the following Log File information:
  Target File Name — the new name of the file after it has been transferred. After a file
  has been fetched, it is renamed. The new file name consists of the module name and the
  original file name separated by two underscore (__) characters. For example, the Log
  File 2001-07-10_022001.log is fetched from the Node Hobbit. After the Log File has
  been transferred, it is renamed: Hobbit__2001-07-10_022001.log
  Size — the size of the Log File (in bytes)
  Progress — the progress of the file transfer
  Status — the transfer status of the Log File. Following are the possible status options:
    Queued — The Log File is on a queue waiting to be transferred. Only one Log file can
    be transferred at a time.
    In Progress — The transfer operation is in progress.
    Done — The Log File has been moved to the target machine.
    Aborted — Transfer of the Log Files has been stopped.
  Original File Name — The name of the Log File before it was transferred.
  Abort — Stop the transfer of the Log Files for a machine. The files that have not yet
  been fetched will get an Aborted status.
  Refresh — returns the Node to the list of Check Point Nodes in the Remote Files
  Management window (see FIGURE 11-19) after the file fetching operation has ended
  and/or been aborted. Only after clicking the Refresh button will you be able to fetch
  files from the same Check Point Node whose file fetching operation has just ended
  and/or been aborted.
5 Click the Refresh button.
5 Click the Refresh button.

Note - You can sort each column by clicking the column header.

Displaying Specified Log Files of a Specific Node


To display the Log Files of a specified Node, select the desired Node in the Check Point Nodes
pane in the Files Fetch Progress window . The files selected to be transferred from that Node
to the target machine will be displayed in the Files Fetched From pane.

Redirecting Logging to Another Master


A Master is a machine to which VPN/FireWall Modules direct logging. The file
$FWDIR/conf/masters contains a list of IP addresses (or network object names), one per line.
When the VPN/FireWall Module starts working, it reads this file to determine where to direct
logging.
Logs can also be directed to a Customer Log Module (CLM). A CLM is a SmartCenter Server
that only performs logging and collects alerts if the $FWDIR/conf/loggers file exists and
identifies the CLM.


Installing the User Database on a CLM


From NG FP3, when the user database is installed on a CLM (Log Server machine), some of
the files are moved from the objects.c of the SmartCenter Server to the objects.c of the
CLM. When the user connects to the Log Server via SmartDashboard or the SmartView
Tracker he or she will be able to see the changes in the user database. When the user installs a
user database on a Log Server which is NG FP2 or below, during the installation process a
warning prompt will be displayed which says that the performance of the Log Server will not be
affected and the user database will be refreshed; however, the user will not be able to see the
changes in SmartDashboard and/or in the SmartView Tracker.

Exporting Log Data to Another Application


You can create a comma delimited ASCII file which can be used as input for other applications.
Only the records that match the filtering criteria will be saved to the file (both those that are
visible in the window and those that are not).

To create a comma delimited ASCII file


1 Open the desired file.
2 Choose Export from the File menu.
3 Specify the new filename and location.
4 Click Save.


Menus

Log File Menu


TABLE 11-11 File menu commands

Menu Entry | Toolbar Button | Description | See
Open | (icon) | Close the currently open Log File and open another one in the active window. | “Redirecting Logging to Another Master” on page 424
Open In New Window | none | Open a new Log File without closing any currently open windows. | “Redirecting Logging to Another Master” on page 424
Save As | (icon) | Save the currently open Log File under a different name. | “Save Log File As window” on page 419
Export | none | Create a comma delimited ASCII file. | “Exporting Log Data to Another Application” on page 425
Switch Active File | (icon) | Close the currently active Log File and create a new one. | “Starting A New Log File” on page 419
Purge Active File | none | Delete all the records in the active Log File. | “Deleting the Contents of the Active Log File” on page 420
Exit | none | Exit the SmartView Tracker application. |

View Menu
TABLE 11-12 View menu commands

Menu Entry | Toolbar Button | Description | See
Toolbar | none | Toggle between displaying and hiding the toolbar. |
Status Bar | none | Toggle between displaying and hiding the status bar. |
Query Tree | (icon) | Toggle between displaying and hiding the Query Tree pane. | “Hiding/Showing the Query Tree Pane” on page 401
Query Properties | (icon) | Toggle between displaying and hiding the Query Properties pane in the Query pane. | “Hiding/Showing the Query Properties Pane” on page 402
Files Fetch Progress | (icon) | Toggle between displaying and hiding the Files Fetch Progress window. | “Fetching Log Files From a Remote Machine” on page 421

Query Menu
TABLE 11-13 Query Menu Commands

Menu Entry | Toolbar Button | Description | See
Open | (icon) | Open an existing Query. | “Opening an Existing Query” on page 400
Copy | none | Duplicate an existing query. | “To duplicate an existing query (predefined or customized)” on page 401
Save | none | Save the changes made to a custom Query. | “To save the changes made to a custom Query” on page 417
Save As | (icon) | Save a Query under a new name. | “Saving a Query Under a New Name” on page 417
Rename | none | Rename a customized Query. | “Renaming a customized Query” on page 401
Delete | none | Delete a customized Query. | “Deleting a Customized Query” on page 401

Tools Menu
TABLE 11-14 Tools Menu Commands

Menu Entry | Toolbar Button | Description | See
Block Intruder | none | Open the Block Intruder window. | “Blocking Connections” on page 420
Clear Blocking | none | Clear blocked connections. | “Blocking Connections” on page 420
Remote Files Management | (icon) | Open the Remote Files Management window. | “Fetching Log Files From a Remote Machine” on page 421

Window Menu
TABLE 11-15 Window Menu Commands

Menu Entry | Toolbar Button | Description | See
SmartDashboard | none | Open the SmartDashboard application. | Chapter 8, “Security Policy Rule Base”
SmartView Status | none | Open the SmartView Status application. | Chapter 12, “SmartView Status”
SmartView Monitor | none | Open the SmartView Monitor application. | Check Point SmartView Monitor Guide
SmartUpdate | none | Open SmartUpdate application. | Chapter 2, “SmartUpdate”
SecureClient Packaging Tool | none | Open the SecureClient Packaging Tool application. | Check Point Virtual Private Networks Guide
User Monitor | none | Open the User Monitor application. | Check Point Desktop Security Guide
Cascade | none | Display all currently open windows in cascade mode. |
Tile | none | Display all currently open windows in tile mode. |
Arrange icons | none | Arrange all windows reduced to taskbar buttons at the bottom of the Query pane. |

Help Menu
TABLE 11-16 Help Menu Commands

Menu Entry | Toolbar Button | Description
Help Topics | none | Display SmartView Tracker Help.
About Check Point Log Viewer | none | Display the About Check Point SmartView Tracker window.

SmartView Tracker Toolbar


Some of the toolbar buttons are shortcuts for menu commands (see TABLE 11-17). Other
buttons have no corresponding menu commands.

SmartView Tracker Toolbar Buttons and Their Corresponding Menu Commands

TABLE 11-17 Toolbar Buttons and Their Corresponding Menu Commands for the SmartView
Tracker

Toolbar Button | Menu Command | Meaning
(icon) | File>Open | Open an existing Log File.
(icon) | File>Save As | Save the Log File under a new name in a new location.
(icon) | File>Switch Active File | Open a new active Log File.
(icon) | View>Query Tree | Toggle the display of the Query Tree pane.
(icon) | View>Query Properties | Toggle the display of the Query Properties pane.
(icon) | View>Files Fetch Progress | Toggle the display of the Files Fetch Progress window.
(icon) | Query>Open | Open an existing Query.
(icon) | Query>Save Query | Save the modifications you made to the custom Query.
(icon) | Query>Save Query As | Save the Query under a new name in the Custom folder.
(icon) | Tools>Remote File Management | Open the Remote File Management window.
(icon) | none | Access Context Sensitive Help for windows, toolbar icons and menu options.

Query Properties Toolbar


The following table describes the toolbar buttons for the Query Properties pane (see TABLE
11-18).

Toolbar Buttons For the Query Properties Toolbar

TABLE 11-18 Toolbar Buttons for the Query Properties pane

Toolbar Button | Description | See
(icon) | Apply all filtering criteria. | “Free Text Field” on page 415
(icon) | Display the name of the host and the domain. | “Resolving Addresses” on page 415
(icon) | Display the type of service the port uses. | “Resolving Services” on page 416
(icon) | Show all null matches. | “Showing Null Matches” on page 416
(icon) | Update the Log File to display all new log entries and place them at the end of the Log File. | “Updating the Log File” on page 416
(icon) | Delete all filtering criteria in the Log File. |
(icon) | Find the specified text string in all fields. |
(icon) | Go to the top of the Log File. | “Navigating to a Specific Location in the Records Pane” on page 418
(icon) | Go to the bottom of the Log File. | “Navigating to a Specific Location in the Records Pane” on page 418
(icon) | Stop loading Log data from the server or abort any action which is in progress or on queue to be started. |


CHAPTER 12

SmartView Status

In This Chapter

Monitoring and Managing System Status page 433


System Status page 436
Using the Modules Pane page 437
Using the Product Details Window page 440
Using the Details Pane page 444
The Critical Notifications Pane page 456
Multi-View Select Synchronization page 456
System Alert page 457
System Alert Monitoring Mechanism page 461
Find page 461
Alerts page 461
Menus page 464
Check Point SmartView Status Toolbar page 469

Monitoring and Managing System Status


Check Point SmartView Status displays a snapshot of all Check Point products, such as
FireWall-1, VPN-1, FloodGate-1, Cluster XL, etc., as well as third party products (OPSEC-partner
modules). It enables real-time monitoring and allows you to get alerts and warnings when
certain predefined conditions critical to the operation occur. Communication and traffic flow
statistics are also displayed.


Starting Check Point SmartView Status


To start the Check Point SmartView Status, proceed as follows:

TABLE 12-1 Starting the SmartView Status

Window System | Action
Windows | Double-click on the SmartView Status icon, or choose SmartView Status from the Window menu in the SmartDashboard window.
X/Motif | Run /opt/CPclnt-50/bin/SystemStatus

The SmartView Status Login window (FIGURE 12-1) is displayed.

FIGURE 12-1 SmartView Status Login window

You can log in using either your:

• user name and password
  1 Select User Name.
  2 Enter your user name and password.
  3 Click OK.
• certificate
  1 Select Certificate.
  2 Enter the name of your PKCS#12 certificate file. You can browse for the file by
    clicking .
  3 Enter the password you used to create the certificate.
  4 Click OK.


Enter the name of the machine on which the SmartCenter Server is running. You can enter one
of the following:
• A resolvable machine name
• A dotted IP address
To work in local mode, check Demo Mode.

If you do not wish to modify a policy, check Read Only before clicking on OK.

Note - If you are not defined as a user, and therefore do not possess a user name, see “To
Add an Administrator” on page 49, for information how to define users on the
SmartCenter Server.

Certificate Management, Compression Optimization and Advanced Options
In the SmartView Status Login window (FIGURE 12-1), click More Options >> to display the
Certificate Management, Connection Optimizations and Advanced options (FIGURE 12-2).
FIGURE 12-2 SmartView Status login window — More Options

To change the certificate password, click Change Password.

To compress the connection to the SmartCenter Server, check Use compressed connection.


In Session ID (optional), enter text describing why the administrator wants to make a change
to the security policy. The text appears as a log entry in the SmartView Tracker in the
Session ID column (in Audit mode only). If the Session ID column does not appear in the
SmartView Tracker, use the Query Properties pane to display it. For more information on the
SmartView Tracker, see the chapter called SmartView Tracker in the Check Point SmartCenter
Guide.
To hide the Certificate Management, Connection Optimizations and Advanced options,
click Less Options <<.

Working With the Check Point SmartView Status Interface


After you have logged in, the Check Point SmartView Status window is displayed.
The SmartView Status interface has two tabs:
• System Status tab — For information on the System Status tab, see “System Status” on
page 436.
• System Alert tab — For more information on the System Alert tab, see “System Alert”
on page 457.

System Status
The System Status tab is divided into several sections:
• Modules Pane — view all modules and their statuses in a hierarchical tree structure.
Workstations are displayed above the modules that they manage.
• Details Pane — view the details of a selected module
• Critical Notifications — view all problematic modules

FIGURE 12-3 The SmartView Status Main Screen — System Status Tab

[Screenshot callouts: the Modules pane displays the Modules and their respective statuses; the
details of the Modules selected in the Modules pane are displayed in the Details pane; the
problematic Modules in the Modules pane are isolated and displayed in the Critical
Notifications pane.]

Using the Modules Pane


The Modules pane displays the network module hierarchy and status information. The Modules
pane consists of four columns:
• Modules column — displays the modules in a hierarchical tree structure
• IP Address column — displays the IP address of the module
• Status column — displays the status of the module
• Updated column — displays the time that the specified module was last updated

Resizing Columns
To change a column’s width in the Modules pane, drag the column’s right border in the header,
as follows:
1 Move the cursor to the column’s right border in the header.
2 Click on the left mouse button without releasing it.
3 Move the column border without releasing it.
4 Release the left mouse button.


Sorting Modules
The software components installed on a Check Point Module can be sorted in the Modules
pane. To do so, click on the column heading Module. The Modules will be resorted.

Note - The hierarchical tree structure of the Modules pane is not broken when the
modules are sorted, only the modules themselves are reordered. The Workstations do not
change places.

Collapsing and Expanding the Modules Tree


The Modules pane tree structure can be expanded or collapsed in order to display all or hide all
of the modules in the tree.
To expand the tree, click the Expand button in the toolbar.
To collapse the tree, click the Collapse button in the toolbar.
You can also expand or collapse individual branches of the tree by clicking the expand or
collapse icon on the branch itself.

Displaying Object Properties


To display the properties of a specific object in the Modules pane, double-click or select the
corresponding row. Object-specific information will be displayed in the Details pane (see “Using
the Details Pane” on page 444).

Understanding Module Statuses


There are differing statuses for:
• Workstations — See TABLE 12-2 for Module statuses.
• Applications — These represent the applications installed on the Module. See TABLE 12-3
for Application statuses.
TABLE 12-2 refers to the statuses of all Check Point Modules.

TABLE 12-2 Module Statuses

Status Description
Waiting... — from the time that the SmartView Status starts to run until the time that the
first status message is received. This should take no more than thirty seconds.
Connected — the Module has been reached.
Disconnected — the Module cannot be reached.
Untrusted — Secure Internal Communication failed. The Module is connected, but the
SmartCenter Server is not the Master of the Module. Read more about Masters on page 627.
TABLE 12-3 refers to statuses of the following applications: FireWall-1, VPN-1, FloodGate-1,
OPSEC, ClusterXL, SVN Foundation and Management.

TABLE 12-3 Application Statuses

Status Description
Waiting… — This is displayed from the time that the SmartView Status starts to run until the
time that the first status message is received. This takes no more than thirty seconds.
Unknown — The machine cannot be reached or there is no Check Point agent installed on it.
Untrusted — Secure Internal Communication failed. The machine is connected, but the
SmartCenter Server is not the Master of the Module installed on the machine. Read more about
Masters on page 627.
No Response — There is no module installed on this machine, or the module is installed, but
it is corrupted.
OK — A Module is installed on this object and is responding to status update requests from
the SmartCenter Server.
Attention — The Module is active even though each cluster member has a problem. Despite
this, the gateway with the fewest problems and the next highest priority level is active and
working as a backup until the highest priority level gateway is restored.
Problem — A Module is installed and responding to status checks, but its status is
problematic. These problems may vary from product to product. For example, a typical status
problem message for FireWall-1 may be: “policy not installed”.
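The Modules pane hierarchy (workstations above the modules they manage), the sorting Note above and the two status tables can be modelled in a few lines. The following Python is an added example written for this edition, not Check Point code: the workstation and module names, IP addresses and timestamps are constructed sample data, and the choice of which statuses the Critical Notifications pane isolates (everything other than OK, Connected and Waiting) is an assumption. An Untrusted entry is reported with its reason, since a failed Secure Internal Communication check is a different matter from a module that is merely unreachable.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Status names from TABLE 12-2 (workstations) and TABLE 12-3 (applications).
# "Waiting..." is written "Waiting" here.
WORKSTATION_STATUSES = {"Waiting", "Connected", "Disconnected", "Untrusted"}
APPLICATION_STATUSES = {"Waiting", "Unknown", "Untrusted", "No Response",
                        "OK", "Attention", "Problem"}

# Assumption: the Critical Notifications pane isolates every status that is
# neither healthy nor still waiting for the first status message.
HEALTHY = {"OK", "Connected", "Waiting"}


@dataclass
class Module:
    """One application row under a workstation (FireWall-1, VPN-1, ...)."""
    name: str
    ip: str
    status: str
    updated: str            # "Updated" column: time of the last status update
    detail: str = ""        # product-specific text, e.g. "policy not installed"

    def __post_init__(self) -> None:
        if self.status not in APPLICATION_STATUSES:
            raise ValueError(f"unknown application status: {self.status}")


@dataclass
class Workstation:
    """A workstation row; its modules are displayed beneath it."""
    name: str
    ip: str
    status: str
    modules: List[Module] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.status not in WORKSTATION_STATUSES:
            raise ValueError(f"unknown module status: {self.status}")


def sort_modules(tree: List[Workstation]) -> List[Workstation]:
    """Sort the modules under each workstation by name. Workstations keep
    their places, as the Note under 'Sorting Modules' describes."""
    return [Workstation(ws.name, ws.ip, ws.status,
                        sorted(ws.modules, key=lambda m: m.name))
            for ws in tree]


def _reason(status: str, detail: str) -> str:
    # Untrusted means SIC failed: the SmartCenter Server is not the Master.
    if status == "Untrusted":
        return "Secure Internal Communication failed"
    return detail


def critical_notifications(tree: List[Workstation]) -> List[Dict[str, Optional[str]]]:
    """Isolate the problematic entries, as the Critical Notifications pane does."""
    found: List[Dict[str, Optional[str]]] = []
    for ws in tree:
        if ws.status not in HEALTHY:
            found.append({"workstation": ws.name, "module": None,
                          "status": ws.status, "detail": _reason(ws.status, "")})
        for m in ws.modules:
            if m.status not in HEALTHY:
                found.append({"workstation": ws.name, "module": m.name,
                              "status": m.status, "detail": _reason(m.status, m.detail)})
    return found


def sample_tree() -> List[Workstation]:
    """Constructed sample data (not from a real deployment)."""
    return [
        Workstation("gw-beta", "192.0.2.20", "Untrusted", [
            Module("FireWall-1", "192.0.2.20", "Untrusted", "10:02:11"),
        ]),
        Workstation("gw-alpha", "192.0.2.10", "Connected", [
            Module("VPN-1", "192.0.2.10", "OK", "10:02:09"),
            Module("FireWall-1", "192.0.2.10", "Problem", "10:02:09",
                   detail="policy not installed"),
            Module("SVN Foundation", "192.0.2.10", "OK", "10:02:09"),
        ]),
    ]


if __name__ == "__main__":
    for entry in critical_notifications(sort_modules(sample_tree())):
        print(entry)
```

Running the block prints three entries: the Untrusted workstation, its Untrusted FireWall-1 module, and the FireWall-1 module on gw-alpha whose policy is not installed; the OK modules are filtered out, and gw-beta stays listed before gw-alpha even after sorting.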


Using the Product Details Window


SmartView Status lets you view logical groups of information. Each group consists of the
details of one product and is displayed in that product's Details window. See TABLE 12-4 for
more information.

TABLE 12-4 Product Details window

Click on...                   See...
SVN Foundation Details        “Display SVN Foundation Details” on page 440
FireWall-1 Details            “Display FireWall-1 Details” on page 441
VPN-1 Details                 “Display VPN-1 Details” on page 441
FloodGate-1 Details           “Display FloodGate-1 Details” on page 442
Cluster XL Module Details     “Display Cluster XL Details” on page 442
OPSEC Application Details     “Display OPSEC Details” on page 443
Management Details            “Display Management Details” on page 443
UA WebAccess Details          “Display UA WebAccess Details” on page 443
Policy Server Details         “Display Policy Server Details” on page 444
Log Server Details            “Display Log Server Details” on page 444

Display SVN Foundation Details


To display the SVN Foundation Details window, click SVN Foundation Details in the toolbar.
Name — the name of the SVN Foundation module
IP Address — the IP address of the SVN Foundation module
Comment — descriptive text
Status — the status of the SVN Foundation module (see TABLE 12-3 on page 439 for more on
status types)
Version — the version of SVN Foundation
OS Name — the name of the Operating System
OS Version — the version of the Operating System
OS Level —

Display FireWall-1 Details


To display the FireWall-1 Details window, click FireWall-1 Details in the toolbar.
Name — the name of the FireWall-1 module
IP Address — the IP address of the FireWall module
Comment — descriptive text
Status — the status of the FireWall-1 module.
See TABLE 12-3 on page 439 for more information on status types.
Version — the version, service pack (SP) and build of FireWall-1
Policy Name — the name of the Security Policy installed on the FireWall Module
Installed At — the date and time the Security Policy was last installed
Accepted — the number of packets accepted by the FireWall Module
Dropped — the number of packets dropped by the FireWall Module
Logged — the number of packets logged by the FireWall Module

Display VPN-1 Details


To display the VPN-1 Details window, click VPN-1 Details in the toolbar.
Name — the name of the VPN-1 Module
IP Address — the IP address of the VPN-1 Module
Comment — descriptive text
Status — the status of the VPN-1 Module (see TABLE 12-3 on page 439 for more on status
types)

Note - The other fields that appear depend on the options you select from the Subject
and Parameter Type boxes.

In the Subject box, you can see the details for:


• Tunnels
• Encrypted Traffic
• Hardware

Note - For information on the options in the Subject box, see “Details Window — VPN-1”
on page 447.

In the Parameter Type box, select the parameter type details you want to see. The options are:
• Current
• High Watermark
• Accumulative

Note - For information on the options in the Parameter Type box, see “Details Window
— VPN-1” on page 447.

Display FloodGate-1 Details


To display the FloodGate-1 Details window, click FloodGate-1 Details in the toolbar.
Name — the name of the FloodGate-1 Module
IP Address — the IP address of the FloodGate-1 Module
Comment — descriptive text
Status — the status of the FloodGate-1 Module (see TABLE 12-3 on page 439 for more on
status types)
Policy Name — the name of the Policy installed on the FloodGate-1 Module
Installed At — the date and time the Policy was installed
Version — the version of FloodGate-1
Number of interfaces — the number of interfaces on the FloodGate-1 Module

Display Cluster XL Details


To display the Cluster XL Details window, click Cluster XL Module Details in the toolbar.
Name — the name of the Cluster XL module
IP Address — the IP address of the Cluster XL module
Comment — descriptive text
Status — the status of the Cluster XL Module (see TABLE 12-3 on page 439 for more on
status types)
Working mode — the mode that the Module is working in. The possible modes are:
• ClusterXL — the Module is working in ClusterXL mode
• Load Sharing — the Module is working in Load Sharing mode
• Sync Only — the Module is working in Sync Only mode

Started — Yes, if the Module is active; No, if the Module is not active
Running Mode — the running mode of the Cluster XL Module. The possible statuses are:
• Active — the Module is running and active
• Ready — the Module is running but not active
• Standby — the Module is running and ready to become active
• Otherwise — the Module is experiencing some difficulties

Priority — the priority sequence number of the Module

Display OPSEC Details


To display the OPSEC Details window, click OPSEC Application Details in the toolbar.
Name — the name of the OPSEC Application object defined in the SmartDashboard.
IP Address — the IP address of the OPSEC Application object defined in the SmartDashboard.
Comment — descriptive text
Status — the status of the OPSEC Application module (see TABLE 12-3 on page 439 for more
on status types)
Vendor — the name of the OPSEC vendor
Product — the name of the OPSEC product
SDK Version — the version name/number of the Check Point OPSEC SDK
SDK Build — the version name/number of the Check Point OPSEC SDK build
Product Version — the version name/number of the Check Point OPSEC product
Up Time — the amount of time (in seconds) since the OPSEC module has been up and
running.

Display Management Details


To display the Management Details window, click Management Details in the toolbar.
Name — the name of the SmartCenter Server
IP Address — the IP address of the SmartCenter Server
Comment — descriptive text
Status — the status of the SmartCenter Server (see TABLE 12-3 on page 439 for more on
status types)
Synchronization Status — whether the SmartCenter Server is synchronized or not.

Note - For more about Management ClusterXL, see Chapter 17, “Management High
Availability” in the Check Point SmartCenter Guide.

Active status — whether the selected Management is the Active SmartCenter Server or the
Standby SmartCenter Server
Connected clients — the number of clients connected to the SmartCenter Server

Display UA WebAccess Details


To display UA WebAccess Details, click UA WebAccess Details in the toolbar. The UA
WebAccess Details window is displayed.


Name — the name of the machine on which the UA WebAccess Module is installed
IP Address — the IP address of the machine on which the UA WebAccess Module is installed
Comment — descriptive text
Status — the status of the machine on which the UA WebAccess Module is installed (see
TABLE 12-3 on page 439 for more on status types)
WAM Name — the name of the UA WebAccess Module
UAG IP Address — the IP address of the UA Server
Open sessions counter — the number of sessions which are currently open

Display Policy Server Details


To display Policy Server Details, click Policy Server Details in the toolbar. The Policy Server
Details window is displayed.
Name — the name of the Policy Server
IP Address — the IP address of the Policy Server
Comment — descriptive text
Status — the status of the Policy Server (see TABLE 12-3 on page 439 for more on status
types)
Version — the major version and/or the minor version of the Policy Server
Licensed users — the number of licensed users
Connected users — the number of licensed users who are currently connected to the Policy
Server

Display Log Server Details


To display Log Server Details, click Log Server Details in the toolbar. The Log Server Details
window is displayed.
Name — the name of the Log Server
IP Address — the IP address of the Log Server
Comment — descriptive text
Status — the status of the Log Server (see TABLE 12-3 on page 439 for more on status types)
Started — Yes if the Log Server is active; No if the Log Server is not active
Connected clients — the number of licensed users who are currently connected to the Log
Server

Using the Details Pane


To display additional information about a network object, select it in the Modules pane;
additional details about the selected module are then displayed in the Details pane.


Detailed information can be displayed for each Check Point product installed on the machine.
This includes information for:
• Network Objects — see “Details Window — Network Objects” on page 445
• Clusters — see “Details Window — Clusters” on page 445
• SVN Foundation — see “Details Window — SVN Foundation” on page 445
• FireWall-1 — see “Details Window — FireWall-1” on page 446
• VPN-1 — see “Details Window — VPN-1” on page 447
• FloodGate-1 — see “Details Window — FloodGate-1” on page 451
• Cluster XL — see “Details Window — Cluster XL” on page 452
• OPSEC — see “Details Window — OPSEC” on page 453
• Management — see “Details Window — Management” on page 454
• UA WebAccess — see “Details Window — UserAuthority WebAccess” on page 454
• Policy Server — see “Details Window — Policy Server” on page 455
• Log Server — see “Details Window — Log Server” on page 455

Details Window — Network Objects


Select a Network Object in the Modules pane to display its details in the Details pane.
Status — the status of the network object
IP Address — the IP address of the network object
Comment — the comment displayed in the object’s Properties window in the
SmartDashboard

Details Window — Clusters


Select a Gateway Cluster object in the Modules pane to display its details in the Details pane.
Status — the status of the Gateway Cluster
IP Address — the IP address of the Gateway Cluster
Comment — the comment displayed in the Gateway Cluster Properties window in the
SmartDashboard

Details Window — SVN Foundation


Select an SVN Foundation module in the Modules pane to display its details in the Details pane.
Status — the status of the SVN Foundation (see TABLE 12-3)
Version — the version, service pack (SP) and build of SVN Foundation
OS Information:
OS Name — the name of the Operating System in use
OS Version — the version name/number of the Operating System in use
OS Build — the build number of the Operating System in use
OS SP — the name/number of the Service Pack (SP) of the Operating System in use
OS Level — additional information about the Operating System in use
CPU:
Usage — the percentage of CPU consumption
User time — the percentage of CPU consumption by the user
System time — the percentage of CPU consumption by the System
Idle Time — the percentage of CPU time that is idle
Memory:
Total virtual memory — the total amount of virtual memory in the system
Active virtual memory — the amount of virtual memory that is currently active
Total real memory — the total amount of real memory
Active real memory — the total amount of real memory that is currently active
Free real memory — the total amount of real memory that is currently free for use
Disk:
Free space — the percentage of free space on the disk
Total free space — the total amount of free space
Available free Space — the amount of free space that is actually available for use
Total space — the total amount of space on the disk

Details Window — FireWall-1


Select a FireWall module in the Modules pane to display its details in the Details pane.
Status — the status of the FireWall-1 Module installed on this object
For more information on status types, see TABLE 12-3 on page 439.
Policy Name — the name of the Security Policy installed on the FireWall-1 Module
Installed At — the date and time the Security Policy was last installed
Packets:

Accepted — the number of packets accepted by the FireWall-1 Module


Dropped — the number of packets dropped by the FireWall-1 Module
Logged — the number of packets logged by the FireWall-1 Module
The following parameters apply to the performance of the UFP Cache:
Hit Ratio (%) — the percentage of hits out of the total handled by the cache
Connections inspected — the total number of connections passing through the UFP
Hits — the total number of hits passing through the cache
The following parameters apply to Hash Kernel Memory, which provides details about the
memory managed by FireWall-1, and to System Kernel Memory, which provides details about
the memory managed by the Operating System:
Total memory allocated — the total amount of memory allocated
Total memory used — the amount of memory used out of the total memory allocated
Total blocks used — the total number of memory blocks used
Allocations — the number of memory allocation operations performed
Allocation failures — the number of memory allocation operations that have failed
Frees — the number of times that memory allocations have been freed
Frees Failure — the number of times that the memory allocation freeing operation has failed
NAT Cache —
Hits —
Misses —

Details Window — VPN-1


Select a VPN-1 Module in the Modules pane to display its details in the Details pane.
Status — the status of the VPN-1 Module installed on this object
For more information on status types, see TABLE 12-3 on page 439.

Active Tunnels:
• All
Current — the number of VPN peers (Gateway or client) to which there is currently an
open IPsec tunnel. Useful for tracking how close the Module is to its VPN-1 Net license
limit, and the activity level of the VPN-1 module.
High Watermark — the maximum number of VPN peers (Gateway or client) to which
there was an open IPsec tunnel since the Module was restarted
• RemoteAccess
Current — the number of RemoteAccess VPN users with which there is currently an
open IPsec tunnel. Useful for tracking the activity level and load patterns of VPN-1
modules serving as a remote access server.
High Watermark — the maximum number of RemoteAccess VPN users with which
there was an open IPsec tunnel since the Module was restarted
Tunnels Establishment Negotiation:
• Successful
Current — the current rate of successful Phase I IKE Negotiations (measured in
Negotiations per second). Useful for tracking the activity level and load patterns of a
VPN-1 module serving as a remote access server.
High Watermark — the highest rate of successful Phase I IKE Negotiations since the
Policy was installed (measured in Negotiations per second)
Accumulative — the total number of successful Phase I IKE Negotiations since the Policy
was installed
• Failed
Current — the current rate of failed Phase I IKE Negotiations (measured in seconds).
Can be used for troubleshooting denial of service under a heavy load of VPN remote access
connections.
High Watermark — the highest rate of failed Phase I IKE negotiations since the Policy
was installed
Accumulative — the total number of failed Phase I IKE negotiations since the Policy was
installed
• Concurrent
Current — the current number of concurrent IKE negotiations. Useful for tracking the
behavior of VPN connection initiation, especially in large remote access VPN
deployments.
High Watermark — the maximum number of concurrent IKE negotiations since the
Policy was installed
Encrypted Traffic:
• Encrypted throughput

Current — the current rate of encrypted traffic (measured in Mbps).


Encrypted/decrypted throughput is useful (in conjunction with encrypted/decrypted
packet rate) for tracking VPN usage and VPN performance of the VPN-1 module.
High Watermark — the maximum rate of encrypted traffic (measured in Mbps) since the
Module was restarted
Accumulative — Total encrypted traffic since the Module was restarted (measured in
Mbps)
• Decrypted throughput

Current — the current rate of decrypted traffic (measured in Mbps). Encrypted/decrypted
throughput is useful (in conjunction with encrypted/decrypted packet rate) for tracking
VPN usage and VPN performance of the VPN-1 module.
High Watermark — the maximum rate of decrypted traffic (measured in Mbps) since the
Module was restarted
Accumulative — Total decrypted traffic since the Module was restarted (measured in
Mbps)
• Encrypted packets

Current — the current rate of encrypted packets (measured in packets per second).
Encrypted/decrypted packet rate is useful (in conjunction with encrypted/decrypted
throughput) for tracking VPN usage and VPN performance of the VPN-1 module.
High Watermark — the maximum rate of encrypted packets (measured in packets per
second) since the Module was restarted
Accumulative — the total number of encrypted packets since the Module was restarted
• Decrypted packets

Current — the current rate of decrypted packets (measured in packets per second).
Encrypted/decrypted packet rate is useful (in conjunction with encrypted/decrypted
throughput) for tracking VPN usage and VPN performance of the VPN-1 module.
High Watermark — the maximum rate of decrypted packets (measured in packets per
second) since the Module was restarted
Accumulative — the total number of decrypted packets since the Module was restarted
• Encryption errors

Current — the current rate at which encryption errors are encountered by the VPN-1
Module (measured in errors per second). Useful for troubleshooting VPN connectivity
issues.
High Watermark — the maximum rate at which encryption errors are encountered by
the VPN-1 Module (measured in errors per second) since the Module was restarted
Accumulative — the total number of encryption errors encountered by the VPN-1
Module since the Module was restarted
• Decryption errors

Current — the current rate at which decryption errors are encountered by the VPN-1
Module (measured in errors per second). Useful for troubleshooting VPN connectivity
issues.
High Watermark — the maximum rate at which decryption errors are encountered by
the VPN-1 Module (measured in errors per second) since the Module was restarted
Accumulative — the total number of decryption errors encountered by the VPN-1
Module since the Module was restarted
Hardware:
• VPN Accelerator Status — the status of the VPN Accelerator
• VPN Accelerator Vendor — the name of the VPN Accelerator vendor
• Encrypted throughput
Current — the current rate of VPN Accelerator encrypted traffic (measured in Mbps).
Encrypted/decrypted throughput is useful (in conjunction with encrypted/decrypted
packet rate) for tracking VPN usage and VPN performance of the VPN-1 module with
VPN acceleration.
High Watermark — the maximum rate of VPN Accelerator encrypted traffic (measured
in Mbps) since the Module was restarted
Accumulative — total encrypted traffic since the Module was restarted (measured in
Mbps)
• Decrypted throughput

Current — the current rate of VPN Accelerator decrypted traffic (measured in Mbps).
Encrypted/decrypted throughput is useful (in conjunction with encrypted/decrypted
packet rate) for tracking VPN usage and VPN performance of the VPN-1 module with
VPN acceleration.
High Watermark — the maximum rate of VPN Accelerator decrypted traffic (measured
in Mbps) since the Module was restarted
Accumulative — Total decrypted traffic since the Module was restarted
(measured in Mbps)
• Encryption errors

Current — the current rate at which VPN Accelerator encryption errors are encountered
by the VPN-1 Module (measured in errors per second). Useful for troubleshooting VPN
connectivity issues when VPN acceleration is in use.
High Watermark — the maximum rate at which VPN Accelerator encryption errors are
encountered by the VPN-1 Module (measured in errors per second) since the
Module was restarted
Accumulative — the total number of VPN Accelerator encryption errors encountered by
the VPN-1 Module since the Module was restarted
• Decryption errors

Current — the current rate at which VPN Accelerator decryption errors are encountered
by the VPN-1 Module (measured in errors per second). Useful for troubleshooting VPN
connectivity issues when VPN acceleration is in use.
High Watermark — the maximum rate at which VPN Accelerator decryption errors are
encountered by the VPN-1 Module (measured in errors per second) since the
Module was restarted
Accumulative — the total number of VPN Accelerator decryption errors encountered by
the VPN-1 Module since the Module was restarted
• General errors

Current — the current rate at which VPN Accelerator general errors are encountered by
the VPN-1 Module (measured in errors per second)
High Watermark — the maximum rate at which VPN Accelerator general errors are
encountered by the VPN-1 Module (measured in errors per second) since the
Module was restarted
Accumulative — the total number of VPN Accelerator general errors encountered by the
VPN-1 Module since the Module was restarted
IP Compression:
• Compressed packets

Current — the current rate of compressed packets (measured in packets per second)
High Watermark — the maximum rate of compressed packets (measured in packets per
second) since the Module was restarted
Accumulative — the total number of compressed packets since the Module was restarted
• Decompressed packets

Current — the current rate of decompressed packets (measured in packets per second)
High Watermark — the maximum rate of decompressed packets (measured in packets per
second) since the Module was restarted
Accumulative — the total number of decompressed packets since the Module was
restarted
• Compression errors

Current — the current rate at which VPN Accelerator compression errors are
encountered by the VPN-1 Module (measured in errors per second)
High Watermark — the maximum rate at which VPN Accelerator compression errors are
encountered by the VPN-1 Module (measured in errors per second) since the
Module was restarted
Accumulative — the total number of VPN Accelerator compression errors encountered
by the VPN-1 Module since the Module was restarted
• Decompression errors

Current — the current rate at which VPN Accelerator decompression errors are
encountered by the VPN-1 Module (measured in errors per second)
High Watermark — the maximum rate at which VPN Accelerator decompression errors
are encountered by the VPN-1 Module (measured in errors per second) since
the Module was restarted
Accumulative — the total number of VPN Accelerator decompression errors
encountered by the VPN-1 Module since the Module was restarted
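The three Parameter Types offered in the VPN-1 Details window (Current, High Watermark and Accumulative; see “Display VPN-1 Details” on page 441) and the counter lists above follow one pattern: a value is sampled, the peak since a reset point is remembered, and for rate-type counters a running total is kept. The following Python is an added example for this edition, not Check Point code. The counter names, the distinction between gauges (Active Tunnels, which the page lists without an Accumulative value) and rates, and the sample values are assumptions made for illustration; the two reset points (Module restart versus Policy installation) follow the descriptions above.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Counter:
    """One VPN-1 statistic with the three Parameter Type views.

    kind:     "gauge" for a count of things that exist now (open tunnels) or
              "rate" for events per second (negotiations, packets, errors)
    reset_on: "restart" (values are kept since the Module was restarted) or
              "policy" (values are kept since the Policy was installed)
    """
    kind: str
    reset_on: str
    current: float = 0.0
    high_watermark: float = 0.0
    accumulative: Optional[float] = None   # gauges have no Accumulative view

    def __post_init__(self) -> None:
        if self.kind == "rate":
            self.accumulative = 0.0

    def reset(self) -> None:
        self.current = 0.0
        self.high_watermark = 0.0
        if self.kind == "rate":
            self.accumulative = 0.0


class VpnStatus:
    """Counter set modelled on the VPN-1 Details window (assumed names)."""

    def __init__(self) -> None:
        self.counters: Dict[str, Counter] = {
            "active_tunnels_all": Counter("gauge", "restart"),
            "ike_phase1_successful": Counter("rate", "policy"),
            "ike_phase1_failed": Counter("rate", "policy"),
            "encrypted_packets": Counter("rate", "restart"),
            "decrypted_packets": Counter("rate", "restart"),
        }

    def gauge(self, name: str, value: float) -> None:
        """Record the current number of, for example, open tunnels."""
        c = self.counters[name]
        if c.kind != "gauge":
            raise ValueError(f"{name} is a rate counter")
        c.current = float(value)
        c.high_watermark = max(c.high_watermark, c.current)

    def sample(self, name: str, events: float, interval_s: float) -> None:
        """Record `events` observed over `interval_s` seconds: Current becomes
        the rate, High Watermark tracks the peak rate, Accumulative sums events."""
        c = self.counters[name]
        if c.kind != "rate":
            raise ValueError(f"{name} is a gauge")
        if interval_s <= 0:
            raise ValueError("interval must be positive")
        c.current = events / interval_s
        c.high_watermark = max(c.high_watermark, c.current)
        c.accumulative += events

    def module_restarted(self) -> None:
        """Clear the counters the page describes as 'since the Module was restarted'."""
        for c in self.counters.values():
            if c.reset_on == "restart":
                c.reset()

    def policy_installed(self) -> None:
        """Clear the counters the page describes as 'since the Policy was installed'."""
        for c in self.counters.values():
            if c.reset_on == "policy":
                c.reset()

    def report(self, name: str) -> Tuple[float, float, Optional[float]]:
        """(Current, High Watermark, Accumulative) for one counter."""
        c = self.counters[name]
        return (c.current, c.high_watermark, c.accumulative)


if __name__ == "__main__":
    v = VpnStatus()
    v.sample("encrypted_packets", 500, 1.0)      # constructed samples
    v.sample("encrypted_packets", 1200, 2.0)
    v.gauge("active_tunnels_all", 75)
    print(v.report("encrypted_packets"), v.report("active_tunnels_all"))
```

The design point is that a High Watermark only tells you when it was last cleared: an IKE failure peak survives a Module restart but not a Policy installation, while a packet-rate peak is the other way round, so comparing the two views across a maintenance window needs both events recorded.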

Details Window — FloodGate-1


Select a FloodGate module in the Modules pane to display its details in the Details pane.
Status — the status of the FloodGate-1 Module installed on this object
For more information on status types, see TABLE 12-3 on page 439.
Policy Name — the name of the QoS Policy installed
Installed At — the date and time that the QoS policy was installed
Version — the version and service pack (SP) of FloodGate-1
Number of interfaces — the number of interfaces on the FloodGate-1 module
Interface — The following fields relate to interfaces on the FloodGate-1 module. These
parameters apply to Inbound and Outbound interfaces.
Rate Limit — the maximum number of bytes that pass per second
Average Rate — the average number of bytes that pass per second
Connections — the total number of conversations
Conversations are active connections and connections that are anticipated as a result of prior
inspection. Examples are data connections in FTP, and the “second half” of UDP connections.
Pending Packets — the number of packets waiting in FloodGate-1’s queues
Pending Bytes — the number of bytes waiting in FloodGate-1’s queues
Retransmission Packets — This field is currently not implemented and its value will always
be 0.

Details Window — Cluster XL


Select a Cluster XL Module in the Modules pane to display its details in the Cluster XL Details
pane.

Note - The Cluster XL options are ONLY relevant for ClusterXL, and NOT for third party
solutions.

Status — the status of the Cluster XL Module installed on this module
For more information on status types, see TABLE 12-3 on page 439.
Description — additional status information
Working Mode — the module’s working mode. There are three possible working modes:
• ClusterXL — modules are working in ClusterXL mode
• Load Sharing — modules are working in Load Sharing mode
• Sync Only — modules are working in Sync Only mode

Started — Yes if the module is active; No if the module is not active


Priority — the priority sequence number of the Module
Running Mode — the module’s running mode. There are four possible running modes:
• Active
• Stand-by
• Ready
• Down
For more information on the running mode types, see Chapter 5, “ClusterXL” in the Check
Point FireWall-1 Guide.
Interfaces — the interface(s) recognized by the FireWall module. For each interface (listed by
its name), the following fields are shown:
IP — the IP address of the specified interface
Status — the status of the specified interface. The value can be Up or Down.
Verified — time (in msec) elapsed since the last inbound or outbound packet connection
Trusted — whether the interface is secured for passing internal information. The value can be
Trusted, Secured or Not Secured.
Shared — whether the interface’s IP address is the same for all cluster gateway members. The
value can be Unique or Shared.
Problem Notes — descriptions of the problem notification devices. For each problem note
(listed by its name), the following fields are shown:
Status — the status of the specified problem notification. The status can be OK or Problem.
Priority — the value is always 0
Verified — time (in sec) when the status last changed

Details Window — OPSEC


Select an OPSEC Module in the Modules pane to display its details in the Details pane.
Status — the status of the OPSEC Application module (see TABLE 12-3 on page 439 for more
on status types)
Vendor — the name of the OPSEC vendor
Product — the name of the OPSEC product
SDK Version — the version name/number of the Check Point OPSEC SDK
SDK Build — the build number of Check Point OPSEC SDK
Product Version — the version name/number of the OPSEC product
Up Time — the amount of time (in seconds) since the OPSEC module has been up and
running

The fields mentioned above are mandatory fields that appear for every OPSEC Application
module. The OPSEC vendor may add additional fields to their OPSEC Application module’s
details.

Details Window — Management


Select a SmartCenter Server in the Modules pane to display its details in the Details pane.
Status — the status of the Management Client. This status can be OK or Error

Started — Yes, if the SmartCenter Server is active; No, if it is not active


Synchronization status — whether the Management ClusterXL Servers are synchronized.
There are four possible statuses:
• Synchronized — the SmartCenter Server is synchronized with the primary server
• Advanced — the SmartCenter Server is more advanced than the primary server
• Lagging — the SmartCenter Server is lagging behind the primary server
• Never Synched — SmartCenter Server has never been synchronized

Active status — whether the selected Management is the active or the Standby SmartCenter
Server
Connected clients — the number of connected clients on the Management
Client Name — the name of the Management Client
Administrator — the administrator who is responsible for administering the selected
Management Client
Host — the name of the Management Client host
Database locked — the name of the database which is locked
Application type — the type of application can be any of the following: SmartDashboard,
SmartView Status, SmartView Tracker, SmartView Monitor, User Monitor, Large Scale
Manager etc.

Details Window — UserAuthority WebAccess


Select a UA WebAccess module in the Modules pane to display its details in the Details pane.
Status — the status of the machine on which the UA WebAccess Module is installed (see
TABLE 12-3 on page 439 for more on status types)
Description — descriptive text
WAM Name — the name of the UA WebAccess Module
Plugin Performance: the following parameters relate to plugin performance
Accepted Requests Counter — the number of http requests that are accepted
Rejected Requests Counter — the number of http requests that are rejected

Policy Info: the following parameters relate to the UA WebAccess policy


Policy Name — the name of the UA WebAccess policy as specified in the SmartDashboard
Policy last update — the date that the UA WebAccess policy was last updated in the
SmartDashboard
UAS Info — the following parameters relate to the UA Server
UAS Host — the name of the UA Server host
UAS IP Address — the IP address of the UAG Server
UAS Port — the port number of the UAG Server
UAS Queries Counter — the number of requests sent to the UA Server
UAS Last handling time — the amount of time it took the UA Server to handle the last
request
Global Performance Info: the following fields relate to global UA WebAccess parameters
Number of open sessions — the number of currently open sessions
Last open session time — the time passed since the last session was opened
See the Check Point UserAuthority Guide for more information.

Details Window — Policy Server


Select a Policy Server in the Modules pane to display its details in the Details pane.
Status — the status of the Policy Server (see TABLE 12-3 on page 439 for more on status
types)
Description — descriptive text
Licensed users — the number of licensed users
Connected users — the number of licensed users who are currently connected

Details Window — Log Server


Select a Log Server in the Modules pane to display its details in the Details pane.
Status — the status of the Policy Server (see TABLE 12-3 on page 439 for more on status
types)
Started — Yes, if the SmartCenter Server is active; No, if it is not active
Connected clients — the number of licensed users who are currently connected
Name of Client — the following fields provide further information about the named Connected
client
Administrator — the administrator who is responsible for administering the selected Log
Server

Host — the name of the Log Server host


Database locked — the name of the database which is locked
Application type — the type of application can be any of the following: SmartDashboard,
SmartView Status, SmartView Tracker, SmartView Monitor, User Monitor, Large Scale
Manager etc.

Refreshing the User Database


Occasionally you need to refresh the User database in order to update the object statuses.

Active Update
If you are working in active mode (i.e., you specified the name of your SmartCenter Server
when you logged in to SmartView Status), select Update Selected from the Modules menu, or
click the corresponding toolbar button. The Update Selected operation refreshes the statuses of
the objects selected in the Modules pane. If you select an application object (such as SVN
Foundation, FireWall-1, VPN-1 etc.), only that selected object’s status is refreshed. However,
if you select a Gateway Cluster or a Check Point Module in the Modules pane, its status is
refreshed along with the status of all of its modules.

Note - It is not possible to update all of the objects in the system at once. They must be
selected one at a time and be updated in the manner described above.

The Critical Notifications Pane


SmartView Status presents a useful new way to isolate problematic modules using the Critical
Notifications pane.

Using the Critical Notifications Pane


When problematic modules are found, they are isolated and displayed in the Critical
Notifications pane.
To locate the problematic modules specified in the Critical Notifications pane in the Modules
pane, proceed as follows:
1 Select the Module that you would like to locate in the Critical Notifications pane.
2 Double-click on the selected module.
The problematic module is located and selected in the Modules pane.

Multi-View Select Synchronization


When modules are selected in one of the views, they are automatically selected in the others as
well:

• Select a module in the Modules pane and its module details are displayed in the Details
pane.

Note - If you double-click on a module in the Modules pane, its Product Details window
is displayed.

• Select a Module in the Product Details window and it is also selected in the Modules pane
and its details are displayed in the Details pane.
• Select a Module in the Critical Notifications pane and it is also selected in the Modules
pane. If relevant, its details are displayed in the Product Details window.
This synchronization allows you to keep track of any object and see it displayed in each of the
different views.

System Alert
System Alert enables you to predefine the conditions under which you receive a warning or an
alert about critical situations, for example when free disk space is less than 10%, or when a
security policy has been changed.
FIGURE 12-4 The SmartView Status Main Screen — System Alert Tab
(Figure callouts: the system alert parameters for the Modules in the Modules pane are displayed
in the Network System Alert Definition pane; the Modules pane displays the Modules, as well as
their respective statuses.)

You can define system alert parameters for the following Check Point products:
• FireWall-1
• FloodGate-1
• SmartCenter Server
• SVN Foundation

The System Alert tab is divided into two sections:


• Modules Pane — View all Modules and their system alert status in a hierarchical tree
structure. Workstations are displayed above the modules that they manage.
• Network Objects System Alert Definition Pane — View and define system alert
definitions.

The Modules Pane


The Modules pane displays the network module hierarchy and the system alert option of each
module. The Modules pane consists of three columns:
• Modules column — displays the modules in a hierarchical tree structure
• IP Address column — displays the IP address of the module
• System Alert column — displays the selected system alert option of the module. For more
information about system alert options, see “The Network Object System Alert Definition
Pane” on page 458.

Resizing Columns
For information on how to change a column’s width, see “Resizing Columns” on page 437.

Sorting Modules
For information on how to sort the modules, see “Sorting Modules” on page 438.

Collapsing and Expanding the Modules tree


For information on how to expand or collapse the tree structure, see “Collapsing and Expanding
the Modules Tree” on page 438.

The Network Object System Alert Definition Pane


The Network Object System Alert Definition pane displays the system alert option applied to
the selected Module and the system alert parameters of its modules. The number of tabs it has
depends on the number of products contained in the selected Module.
It contains the following tabs:
• The General tab
• A tab for each Check Point product
To display the system alert option defined for all the software modules in a specific Check Point:
• Select a Check Point in the Modules pane. The system alert option is displayed in the
Network Object System Alert Definition pane.

To display the system alert definitions of a network object:


• Select a network object in the Modules pane. Object-specific system alert definitions are
displayed in the Network Object System Alert Definition pane.

Understanding System Alert Options


You can apply one of the following system alert options to a Check Point:
Same as Global — Apply a set of predefined system alert parameters to all the modules in the
Module. If you apply global properties, the system alert parameters cannot be modified. For
information on how to define global properties, see “Defining Global Properties” on page 459.
Custom — Define object-specific system alert properties. For more information, see “Defining
Customized System Alert Definitions” on page 461.
None — Do not apply any system alert parameters.
To apply a system alert option, proceed as follows:
1 Select the machine to which you want to apply a system alert option.
2 In the General tab, select the desired option. For a description of the system alert options,
see “Understanding System Alert Options” on page 459.
3 Click the Apply button. If you do not click the Apply button after making a change, a
message will appear asking you whether you want to apply the changes you made.

Defining Global Properties


The Global System Alert Definition window enables you to define a set of default system alert
parameters. To open the Global System Alert Definition window, click the corresponding
toolbar button or select Global... from the System Alert menu.
FIGURE 12-5 Global System Alert Definition window

Defining System Alert Parameters


You can define system alert parameters for each product and then determine what action to take
when that parameter is reached.

SVN Foundation — System Alert Parameters


No connection — there is no response from the network object
CPU usage more than — CPU utilization has reached the specified value. Enter the desired
value.

Free disk space less than — free disk space is lower than the specified value. Enter the desired
value.

FireWall-1 — System Alert Parameters


No policy has been installed — A Security Policy has not been installed
Policy name has been changed — The name of the Security Policy has been changed
Policy has been installed — A new Security Policy has been installed

FloodGate-1 — System Alert Parameters


No policy has been installed — A Security Policy has not been installed
Policy name has been changed — The name of the Security Policy has been changed
Policy has been installed — A new Security Policy has been installed

Management — System Alert Parameters


Not synchronized — The SmartCenter Server has been configured for ClusterXL but the states
of the VPN/FireWall Modules machines which are acting as backups for the SmartCenter Server
have not been correctly synchronized. For more information on ClusterXL, see Chapter 5,
“ClusterXL” in Check Point FireWall-1.

Note - An alert can only be set if the SmartCenter Server has been configured for
ClusterXL.

Defining What Action to Take When a System Alert Parameter is Reached


When a system alert parameter is reached, you can do one of the following:
None — Do not take any action
Log — Send an entry to the log server
Alert — Issue an alert (as defined in the PopUp Alert Command field in the Log and Alert
page of the Global Properties window — see Chapter 7, “Global Properties”)
Mail — Send a mail alert (as defined in the Mail Alert Command field in the Log and Alert
page of the Global Properties window — see Chapter 7, “Global Properties”)
Snmptrap — Send an SNMP trap alert (as defined in the SNMP Trap Alert Command field in
the Log and Alert page of the Global Properties window — see Chapter 7, “Global
Properties”)
User-defined — Issue a user-defined alert (as defined in the User Defined Alert Command
field in the Log and Alert page of the Global Properties window — see Chapter 7, “Global
Properties”). You can define up to three user-defined actions.

Defining Customized System Alert Definitions


If you want to define system alert parameters per product, proceed as follows:
1 Select the desired machine.
2 In the General tab, select Custom and click Apply.

3 Select the module whose system alert properties you want to custom-define. When you
select a module in the Modules pane, the corresponding tab is automatically selected in the
Network Object System Alert Definition pane.

4 Define system alert parameters as desired (see “Defining System Alert Parameters” on page
459) and click Apply.

System Alert Monitoring Mechanism


Check Point SmartCenter Server has a system alert monitoring mechanism that takes the system
alert parameters you defined in SmartView Status and checks whether each system alert parameter
has been reached. If it has, it activates the action defined for it (see “Defining What
Action to Take When a System Alert Parameter is Reached” on page 460). To activate this
mechanism, click the corresponding toolbar button, or select Start from the System Alert menu.
To stop the system alert monitoring mechanism, click the corresponding toolbar button, or select
Stop from the System Alert menu.
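A model of the evaluation described in this section and under “Defining System Alert Parameters” above, written as an added example (it is not Check Point code): each Check Point gets a General-tab option, the option resolves to an effective parameter set, and every reached parameter maps to its configured action. The status field names, the use of a previous status sample to detect policy installs and name changes, and all sample data are assumptions.

```python
"""System alert evaluation modelled on the SmartView Status System Alert tab.

Added example, not Check Point code: field names and data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Actions the guide lists for a reached parameter, and the General-tab options.
ACTIONS = {"None", "Log", "Alert", "Mail", "Snmptrap", "User-defined"}
OPTIONS = {"Same as Global", "Custom", "None"}


@dataclass
class ModuleStatus:
    """One status sample for a module (hypothetical field names)."""
    reachable: bool                        # False -> "No connection"
    cpu_percent: float = 0.0
    free_disk_percent: float = 100.0
    policy_name: Optional[str] = None      # None -> no policy installed
    policy_install_id: int = 0             # changes on every policy install
    mgmt_clusterxl: bool = False           # Management configured for ClusterXL
    mgmt_synchronized: bool = True


@dataclass
class Parameter:
    action: str = "None"
    threshold: Optional[float] = None      # only the CPU / free disk parameters use it


@dataclass
class AlertDefinition:
    option: str                            # General-tab option for this Check Point
    params: Dict[str, Parameter] = field(default_factory=dict)


def effective_params(own: AlertDefinition, global_def: AlertDefinition) -> Dict[str, Parameter]:
    """Resolve the General-tab option to the parameter set that is actually checked."""
    if own.option not in OPTIONS:
        raise ValueError(f"unknown system alert option: {own.option!r}")
    if own.option == "None":
        return {}
    return global_def.params if own.option == "Same as Global" else own.params


def reached_parameters(params: Dict[str, Parameter], current: ModuleStatus,
                       previous: Optional[ModuleStatus] = None) -> List[Tuple[str, str]]:
    """Return (parameter, action) pairs whose condition is met; action None is skipped."""
    hits: List[Tuple[str, str]] = []

    def hit(name: str) -> None:
        p = params.get(name)
        if p is not None and p.action != "None":
            if p.action not in ACTIONS:
                raise ValueError(f"unknown action {p.action!r} for {name!r}")
            hits.append((name, p.action))

    # SVN Foundation parameters
    if not current.reachable:
        hit("No connection")
        return hits                        # nothing else can be observed
    cpu = params.get("CPU usage more than")
    if cpu and cpu.threshold is not None and current.cpu_percent > cpu.threshold:
        hit("CPU usage more than")
    disk = params.get("Free disk space less than")
    if disk and disk.threshold is not None and current.free_disk_percent < disk.threshold:
        hit("Free disk space less than")
    # FireWall-1 / FloodGate-1 policy parameters: the install and rename events are
    # detected by comparing with the previous sample (assumption about detection).
    if current.policy_name is None:
        hit("No policy has been installed")
    elif previous is not None:
        if previous.policy_name is not None and previous.policy_name != current.policy_name:
            hit("Policy name has been changed")
        if previous.policy_install_id != current.policy_install_id:
            hit("Policy has been installed")
    # Management parameter: only meaningful when configured for ClusterXL
    if current.mgmt_clusterxl and not current.mgmt_synchronized:
        hit("Not synchronized")
    return hits


def monitor(module: str, own: AlertDefinition, global_def: AlertDefinition,
            current: ModuleStatus, previous: Optional[ModuleStatus] = None) -> List[str]:
    """One pass of the monitoring mechanism: the action lines it would issue."""
    hits = reached_parameters(effective_params(own, global_def), current, previous)
    return [f"{action}: {module}: {name}" for name, action in hits]


# Constructed global definition, as set in the Global System Alert Definition window.
GLOBAL_DEF = AlertDefinition("Custom", {
    "No connection": Parameter("Alert"),
    "CPU usage more than": Parameter("Log", 80),
    "Free disk space less than": Parameter("Mail", 10),
    "No policy has been installed": Parameter("Log"),
    "Policy name has been changed": Parameter("Snmptrap"),
    "Policy has been installed": Parameter("Log"),
    "Not synchronized": Parameter("Alert"),
})

if __name__ == "__main__":
    before = ModuleStatus(True, 40, 50, "Standard", 1)
    after = ModuleStatus(True, 85, 5, "Standard_v2", 2)
    for line in monitor("gw1", AlertDefinition("Same as Global"), GLOBAL_DEF, after, before):
        print(line)
```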

Find
The Find window enables you to find specified text strings or IP addresses in the SmartView
Status GUI. To access the Find window, click the corresponding toolbar button, or select Find
from the Tools menu.

To find a text string, specify the string in the By Name field.


To find an object according to its IP address, enter the IP address in the By IP Address field.
The IP address must be in conventional dot format.
To make the specified string case sensitive, check Match Case.

You can reverse the direction of the Find operations, by selecting Up or Down.

Alerts
The Alerts window applies only to VPN-1/FireWall-1. Alert commands are specified in the
Popup Alert Command field in the Log and Alert page of the Global Properties window in
the SmartDashboard. For more information, see Chapter 7, “Global Properties.”
To view the alerts, choose Alerts from the Tools menu, or click the corresponding toolbar
button. The Alerts window is displayed.

FIGURE 12-6 Alerts window

To play a sound when an alert is received, check Play system Default beep sound.

To automatically display the Alerts window the next time an alert is received, check Display
Alerts window when an alert pops up.

To delete selected alerts, select the alert(s) and then click on Delete.

To delete all alerts, click on Delete All.

To close the Alerts window, click Close.

Note - Alerts are sent by VPN/FireWall Modules to the SmartCenter Server. The
SmartCenter Server then forwards these alerts to all the SmartView Status applications
connected to the SmartCenter Server at that moment.

Disconnecting a Client
SmartView Status allows you to view the clients that are connected to the SmartCenter
Server. If you have the correct permissions, you can choose to disconnect one or more of the
connected Management Clients.

To disconnect a client from the SmartCenter Server


1 From the Tools menu, choose Disconnect Client. The following window appears:

FIGURE 12-7 Disconnect Clients window

See the following table for a description of the fields.

TABLE 12-5 Description of Disconnect Client window’s fields

Field         | Description
Administrator | the administrator who is responsible for administering the selected Management Client
Host          | the name of the Management Client host
Client Name   | the name of the Management Client
Database Lock | describes the state of the database. The two options are: Locked, or empty (unlocked)

2 Select the Management Client you want to delete and click Disconnect

Note - You can only delete a client if you have the proper permissions.

Reconnecting to the Server


In the event that the SmartView Status loses connection with the SmartCenter Server, for any
reason, it immediately attempts to reconnect at 15 second intervals until it succeeds. Once the
SmartView Status initiates this reconnection operation, the Reconnect window is displayed,
which shows the progress of the reconnection operation.

FIGURE 12-8 Reconnect Window

To stop the reconnection operation, click Abort in the Reconnect window.

Menus

File Menu
TABLE 12-6 File Menu Commands

Menu Entry | Toolbar Button | Description
Exit       | none           | Exit the SmartView Status.

View Menu
TABLE 12-7 View Menu Commands

Menu Entry | Toolbar Button | Description
Toolbar    | none           | Toggle the display of the SmartView Status Toolbar.
Status Bar | none           | Toggle the display of the SmartView Status Bar.

Modules Menu
TABLE 12-8 Modules Menu Commands

Menu Entry      | Toolbar Button | Description | See
Update Selected | (icon) | Active Mode only! Refresh the status of the selected application, or of all of the applications of the selected Check Point or Cluster. | “Active Update” on page 456
Expand All      | (icon) | Expand all the objects in the Modules Tree. | “Collapsing and Expanding the Modules Tree” on page 438
Collapse All    | (icon) | Collapse all the objects within their respective Check Points and Clusters in the Modules Tree. | “Collapsing and Expanding the Modules Tree” on page 438

Products Menu
TABLE 12-9 Product Menu Commands

Menu Entry     | Toolbar Button | Description | See
SVN Foundation | (icon) | Display SVN Foundation window | “Display SVN Foundation Details” on page 440
FireWall-1     | (icon) | Display VPN-1/FireWall-1 window | “Display FireWall-1 Details” on page 441
VPN-1          | (icon) | Display VPN-1 window | “Display VPN-1 Details” on page 441
FloodGate-1    | (icon) | Display FloodGate-1 Module window | “Display FloodGate-1 Details” on page 442
Cluster XL     | (icon) | Display Cluster XL Module window | “Display Cluster XL Details” on page 442
OPSEC          | (icon) | Display OPSEC Application window | “Display OPSEC Details” on page 443
Management     | (icon) | Display Management window | “Display Management Details” on page 443
UA WebAccess   | (icon) | Display UA WebAccess window | “Display UA WebAccess Details” on page 443
Policy Server  | (icon) | Display Policy Server window | “Display Policy Server Details” on page 444
Log Server     | (icon) | Display Log Server Details window | “Display Log Server Details” on page 444

System Alert Menu


TABLE 12-10 System Alert Menu Commands

Menu Entry | Toolbar Button | Description | See
Global     | (icon) | Display the Global System Alert Definition window. | “Defining Global Properties” on page 459
Start      | (icon) | Start the system alert monitoring mechanism. | “System Alert Monitoring Mechanism” on page 461
Stop       | (icon) | Stop the system alert monitoring mechanism. | “System Alert Monitoring Mechanism” on page 461

Tools Menu
TABLE 12-11 Tools Menu Commands

Menu Entry        | Toolbar Button | Description | See
Find              | (icon) | Find the specified text string or IP Address. | “Find” on page 461
Alerts            | (icon) | Display the Alerts window. | “Alerts” on page 461
Disconnect Client | none   | Disconnect a client from the Management Server |

Window Menu
TABLE 12-12 Window Menu Commands

Menu Entry                  | Toolbar Button | Description | See
SmartDashboard              | none | Open the SmartDashboard. | Chapter 8, “Security Policy Rule Base”
SmartView Tracker           | none | Open the SmartView Tracker. | Chapter 11, “SmartView Tracker”
SmartView Monitor           | none | Open the SmartView Monitor. | Check Point FloodGate-1
User Monitor                | none | Open the User Monitor | Chapter 13, “User Monitor”
Large Scale Manager         | none | Open Large Scale Manager | Check Point Large Scale Manager Guide
SmartUpdate                 | none | Open SmartUpdate. | Chapter 2, “SmartUpdate”
SecureClient Packaging Tool | none | Open SecuRemote Packaging Tool. | Check Point Virtual Private Networks
Users’ Monitor              | none | Open Users’ Monitor | Check Point Desktop Client Guide

Help Menu
TABLE 12-13 Help Menu Commands

Menu Entry                             | Toolbar Button | Description
Help Topics                            | none | Open the SmartView Status Help Topics
About Check Point SmartView Status     | none | Display the About Check Point SmartView Status window

Check Point SmartView Status Toolbar


TABLE 12-14 Toolbar Buttons and Corresponding Menu Commands

Toolbar Button | Menu Command | Meaning
(icon) | Modules > Update Selected | Active Mode only! Refresh the status of the selected application, or of all of the applications of the selected Check Point or Cluster.
(icon) | Modules > Expand All | Expand all the objects in the Modules Tree.
(icon) | Modules > Collapse All | Collapse all the objects within their respective Workstations and Clusters in the Modules Tree.
(icon) | Products > SVN Foundation | Display SVN Foundation window.
(icon) | Products > FireWall-1 | Display FireWall-1 window.
(icon) | Products > VPN | Display VPN-1 window.
(icon) | Products > FloodGate-1 | Display FloodGate-1 Module window.
(icon) | Products > Cluster XL | Display Cluster XL Module window.
(icon) | Products > OPSEC Application | Display OPSEC Application window.
(icon) | Products > Management | Display Management Details window.
(icon) | Products > UA WebAccess | Display UA WebAccess window.
(icon) | Products > Policy Server | Display Policy Server window.
(icon) | Products > Log Server | Display Log Server window.
(icon) | Tools > Alerts | Display the Alerts window.
(icon) | Tools > Find | Find the specified text string or IP Address.
(icon) | System Alert > Global System Alert | Display the Global System Alert Definition window.
(icon) | System Alert > Start System Alert Daemon | Start the system alert monitoring mechanism.
(icon) | System Alert > Stop System Alert Daemon | Stop the system alert monitoring mechanism.
(icon) | none | Access Context Sensitive Help for Views, toolbar icons and menu options.

Note - The Check Point product icons are enabled only for those products you are
licensed to use.


CHAPTER 13

User Monitor

In This Chapter

Viewing SecureRemote Users page 471


Using Queries page 474
Processing Query Results page 477
Viewing Policy Servers page 477

Viewing SecureRemote Users


The User Monitor is an administrative feature allowing you to keep track of SecureRemote
users currently logged on to the specific Policy Servers. The User Monitor also enables you to
easily navigate through the obtained results.

Starting the User Monitor


To start the User Monitor, proceed as follows:

TABLE 13-1 Starting the User Monitor

Windows System | Action
Windows        | Double-click the User Monitor icon, or choose User Monitor from the Window menu in the SmartDashboard window.
X/Motif        | Run /opt/CPclnt-50/bin/UserMonitor

The User Monitor Login window (FIGURE 13-1) is then displayed.

FIGURE 13-1 User Monitor Login window

You can log in using either your:


• user name and password
1 Select User Name.

2 Enter your user name and password.


3 Click OK.
• certificate
1 Select Certificate.

2 Enter the name of your PKCS#12 certificate file.


You can also browse for the file.
3 Enter the password you used to create the certificate.
4 Click OK.

Enter the name of the machine on which the SmartCenter Server is running. You can enter one
of the following:
• A resolvable machine name
• A dotted IP address
To work in local mode, check Demo Mode.

If you do not wish to modify a policy, check Read Only before clicking on OK.

Note - If you are not defined as a user, and therefore do not possess a user name, see “To
Add an Administrator” on page 49, for information how to define users on the
SmartCenter Server.

Certificate Management, Compression and Advanced Options


In the User Monitor Login window (FIGURE 13-1), click More Options >> to display the
Certificate Management, Connection Optimizations and Advanced Options (FIGURE 13-2).
FIGURE 13-2 User Monitor Login window

FIGURE 13-3 UserMonitor default

Using Queries
Creating a query most suitable to your requirements is crucial for obtaining relevant and precise
information. The User Monitor provides you with a comprehensive set of filters which makes
the query definition process user-friendly and highly efficient.

Defining a Query
To open the Query Editor pane, click the corresponding toolbar button or choose Query Editor
from the View menu.

To create a new query, proceed as follows:


• Click the corresponding toolbar button, or
• Right-click a query and select New from the menu, or
• Choose New from the Query menu.

The following filters are available:


• User Name — This filter allows searching for a specific user.
• Policy Server — Use this filter to restrict the search by the Policy Server(s) of your
choice.
• IP Address — If this filter is enabled, only the SecureRemote users whose IP address
and mask match the defined value will appear in the query results.
• SCV — This filter introduces the Secure Configuration Verification as a matching factor.
• Logon Time — Use this filter to search for SecureRemote users who logged on to the
relevant Policy Server(s) within the defined period.
• Records Limitation — Restrict the number of entries in the query results. This
property is available only in Server mode.

Defining User Name


To define a user name as a matching factor for your query, proceed as follows:
1 Select User Name in the Query Editor.
2 Click Edit to display the Edit User Name window.
3 Type the relevant name or combination of letters and click Add. The entered text will
appear in the reference list. To delete an entry from the reference list, select the entry and
click Remove.

Defining Policy Servers


To search only for SecuRemote users currently logged on to the specific Policy Server(s),
proceed as follows:
1 Select Policy server in the Query Editor.
2 Click Select to display the Select Policy Server window.

3 Use Add and Remove buttons to create the list of the relevant Policy Servers in the Filtered
Policy Servers field.

Defining IP Address and Mask


To define an IP address and/or mask as a matching factor for your query, proceed as follows:
1 Select IP Address and Mask in the Query Editor.
2 Enter the appropriate values into the IP Address and Mask fields using the following
guidelines:
• Wildcards are not allowed in the IP address field.
• 0 (zero) may be used as a wildcard in the Mask field.
• Defining 255 in an octet (set) of the Mask field will result in searching for the value
defined in the corresponding octet of the IP address field.
• Any value, except 255, defined in an octet of the Mask field overrides the value defined in
the corresponding octet of the IP address field.

Defining SCV State


To introduce the SCV State into the query definition, proceed as follows:
1 Select SCV in the Query Editor.
2 From the drop-down menu, choose one of the following options:
• Verified — only securely configured users will appear in the query results
• Non Verified — only the users who failed to pass the Secure Configuration Verification
will appear in the query results.
• N/A — do not apply the SCV state criterion as a matching factor.

Defining Logon Time


To search for SecureRemote users who logged on to the relevant Policy Server(s) within the
defined period, proceed as follows:
1 Select Logon Time in the Query Editor.
2 Enter the appropriate values into the From and/or To fields.

Limiting Query Results


To restrict the number of entries in the query results, enter the appropriate value into the
Records limitation field.
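The filters listed above (User Name, Policy Server, IP Address and Mask, SCV, Logon Time and Records Limitation) applied to a constructed set of user records, as an added example that is not Check Point code. The record layout, the case-insensitive User Name match and the rejection of mask octets other than 0 and 255 are assumptions.

```python
"""User Monitor query filters applied to constructed SecureRemote user records.

Added example, not Check Point code: record and field names are hypothetical."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Sequence

SCV_OPTIONS = ("Verified", "Non Verified", "N/A")


@dataclass
class SecureRemoteUser:
    user_name: str
    policy_server: str
    ip: str
    scv_verified: bool
    logon_time: datetime


@dataclass
class Query:
    """One Query Editor definition; a filter left at None is disabled."""
    user_names: Optional[Sequence[str]] = None      # Edit User Name reference list
    policy_servers: Optional[Sequence[str]] = None  # Filtered Policy Servers
    ip_address: Optional[str] = None
    mask: Optional[str] = None
    scv: str = "N/A"
    logon_from: Optional[datetime] = None
    logon_to: Optional[datetime] = None
    records_limit: Optional[int] = None             # Server mode only


def octets(dotted: str) -> List[int]:
    """Parse a conventional dotted IPv4 string; wildcards are not accepted."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted IPv4 address: {dotted!r}")
    return [int(p) for p in parts]


def ip_matches(candidate: str, ip_address: str, mask: str) -> bool:
    """Per-octet rule from the guide: 255 in a Mask octet means the candidate octet
    must equal the IP Address octet; 0 is a wildcard.  The guide says other mask
    values override the IP Address octet without defining the result, so this
    example rejects them (assumption) rather than guess."""
    for cand, want, m in zip(octets(candidate), octets(ip_address), octets(mask)):
        if m == 255:
            if cand != want:
                return False
        elif m != 0:
            raise ValueError(f"mask octet {m} not modelled here; use 0 or 255")
    return True


def run_query(users: Sequence[SecureRemoteUser], q: Query) -> List[SecureRemoteUser]:
    """Apply every enabled filter; a record must pass all of them."""
    if q.scv not in SCV_OPTIONS:
        raise ValueError(f"SCV must be one of {SCV_OPTIONS}")
    results: List[SecureRemoteUser] = []
    for u in users:
        # User Name: the reference list holds names or letter combinations;
        # case-insensitive substring matching is an assumption.
        if q.user_names and not any(s.lower() in u.user_name.lower() for s in q.user_names):
            continue
        if q.policy_servers and u.policy_server not in q.policy_servers:
            continue
        if q.ip_address is not None and not ip_matches(
                u.ip, q.ip_address, q.mask or "255.255.255.255"):
            continue
        if q.scv == "Verified" and not u.scv_verified:
            continue
        if q.scv == "Non Verified" and u.scv_verified:
            continue
        if q.logon_from is not None and u.logon_time < q.logon_from:
            continue
        if q.logon_to is not None and u.logon_time > q.logon_to:
            continue
        results.append(u)
    if q.records_limit is not None:
        results = results[:q.records_limit]
    return results


def names(results: Sequence[SecureRemoteUser]) -> List[str]:
    return [u.user_name for u in results]


# Constructed sample records (not taken from any real Policy Server).
USERS = [
    SecureRemoteUser("alice", "ps-1", "10.1.2.3", True, datetime(2002, 9, 1, 8, 0)),
    SecureRemoteUser("bob", "ps-1", "10.1.7.9", False, datetime(2002, 9, 1, 9, 30)),
    SecureRemoteUser("carol", "ps-2", "10.2.0.4", True, datetime(2002, 9, 1, 10, 0)),
    SecureRemoteUser("dan", "ps-2", "192.168.5.5", False, datetime(2002, 9, 2, 7, 15)),
]

if __name__ == "__main__":
    # Users on the 10.1.0.0 network (mask 255.255.0.0) that failed SCV.
    print(names(run_query(USERS, Query(ip_address="10.1.0.0", mask="255.255.0.0",
                                       scv="Non Verified"))))
```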

Running a Query
To run a query, do one of the following:
• highlight the query and click the corresponding toolbar button, or
• highlight the query and choose Run from the Query menu, or
• right-click on the query and select Run from the menu, or

• double-click on the query, or


• open the query for editing and click Run.

Editing a Query
To edit a query, do one of the following:
• highlight the query and click the corresponding toolbar button, or
• highlight the query and choose Edit from the Query menu, or
• right-click on the query and select Edit from the menu.

Saving a Query
To save a query, make sure it is opened and do one of the following:
• highlight the query and click the corresponding toolbar button, or
• highlight the query and choose Save from the Query menu, or
• right-click on the query and select Save from the menu.

Renaming a Query
To rename a query, do one of the following:
• highlight the query and choose Rename from the Query menu, or
• right-click on the query and select Rename from the menu, or
• left-click on the query and enter the new name.

Deleting a Query
To delete a query, do one of the following:
• highlight the query and choose Delete from the Query menu, or
• right-click on the query and select Delete from the menu, or
• highlight the query and press the Delete button.

Exporting a Query
The User Monitor allows you to export a query in text format (with the extension .xfw)
compatible with MS Excel. To export a query, proceed as follows:
1 Highlight the query and choose Export from the Query menu or right-click on the query
and select Export from the menu.
The Export Data Results window is displayed.
2 Enter the exported file name.

Processing Query Results

Finding a Specific Record


It is possible to narrow down your search by finding a specific entry in the query results. To
define the requested parameters, proceed as follows:
1 From the Tools menu, select Find to display the Find window.
The following filters are available in the Find window:
• By User Name
• By Policy Server
• By IP Address
• By Logon Time
For detailed description of these filters, see “Defining a Query” on page 474.
2 Define the search direction by selecting Up or Down.

3 Click Find Next to initiate the search.


An entry matching the defined parameters will be highlighted in the query results.

Sorting Results
The User Monitor provides you with multiple options for sorting query results.
To sort query results, proceed as follows:
1 Click Advanced Sort in the Query Editor to display the Dialog window.
2 Define the primary, secondary and tertiary sorting option by selecting the appropriate value
from the drop-down lists.
3 Choose the order in which the entries will be displayed by selecting Ascending or
Descending.

Viewing Policy Servers


All the Policy Servers available in the network topology are displayed in the Policy Servers
pane. Right-clicking within the pane allows you to view the names of the Policy Servers as
small icons or list. Selecting Details from the right-click menu will display the Policy Server
names as a list with the Status field. When working in Server mode, the following options may
appear in the Status column:
• synchronized - data from the Policy Server has been updated on the SmartCenter Server
• not synchronized - data from the Policy Server has not yet been updated on the
SmartCenter Server. If a Policy Server stays not synchronized for a long time, it may
not be functioning properly.



CHAPTER 14

Dynamically Assigned
IP Addresses

In This Chapter

Overview page 479


Installation and Configuration page 479
DAIP Module IP Address page 480
Defining a Module with a Dynamic IP Address page 480
Installing a Policy page 482
Configuration and Other Issues page 482

Overview
Both VPN/FireWall Modules and FloodGate-1 Modules (whether on a gateway or a host) can have a
dynamic IP address (for example, an address assigned by DHCP or some other mechanism) rather
than a fixed IP address.
See also “rs_db_tool” on page 563.
Network Address Translation (NAT) can be performed on Dynamic Objects. A manual NAT
rule must be created in the NAT Rule Base, and the Dynamic Object can be used in both the
original and translated packet.

Installation and Configuration


To install and configure a DAIP Module, proceed as follows:
1 Install the Check Point SmartCenter Server software on the SmartCenter Server machine.


2 Install the VPN/FireWall and/or FloodGate Module software on the DAIP machine.
See Chapter 4, “Installing and Configuring VPN-1/FireWall-1” of Check Point Getting
Started Guide for information on how to install VPN/FireWall Module software on a DAIP
machine.

Note - The following steps are all performed on the SmartCenter Server.

3 Define the DAIP Module as described below (see “Defining a Module with a Dynamic IP
Address”).
4 Generate the license for the DAIP.
In the User Center (http://www.checkpoint.com/usercenter), generate a Central license for
the DAIP Module (a Local license would become unusable when the IP address of the DAIP
Module changes). Licenses are stored centrally on the SmartCenter Server.
5 Install the DAIP Module license using Secure Update.
6 Define the Policy.
7 Install the Policy on the DAIP Module from the SmartDashboard (Policy > Install).
Alternatively, you can fetch the Policy from the DAIP Module using the fw fetch
command (see “Installing a Policy” on page 482 for more information).

DAIP Module IP Address


The DAIP Module’s IP address is maintained in the SmartCenter Server’s database. The IP
address is updated whenever:
• a SIC certificate is pushed from the SmartCenter Server to the DAIP Module, and
• the DAIP Module fetches its Policy from the SmartCenter Server (see “Check Point
window — Masters page” on page 197).

Defining a Module with a Dynamic IP Address

Note - Before you begin this procedure, make sure the DAIP Module is accessible.

To define a Module with a dynamic IP address, proceed as follows:


1 Create a new Check Point object (either a host or gateway) for the DAIP Module.
2 In the General page of the DAIP Module’s Check Point Properties window, check
Dynamic Address.

If Dynamic Address is checked, then IP address is disabled and the following are
automatically selected under Check Point Products:


• FireWall-1
• VPN-1
• SVN Foundation
• FloodGate-1
If you check Dynamic Address for an existing network object, a warning message will be
displayed.
3 Click Communicate to initialize the certificates.
4 Enter the one-time password to be used for the initial communication in Activation Key
and Confirm Activation Key. Enter the same Activation Key that is used at the DAIP
Module in the Check Point Configuration tool.
5 Check This machine currently uses this IP address and enter its IP address.
If you do not know the IP address, check I do not know the current IP address. In this
case, you must at some later point “push” the certificate to the DAIP Module from this
window.
6 Click Initialize.
If This machine currently uses this IP address is checked, the certificate is “pushed” to
the specified IP address.
7 In the Topology page of the Module’s Properties window, click Get Topology.

The interface information will be fetched from the DAIP Module, and displayed in the
Topology page.

8 Select the interface whose IP address is dynamically assigned and click Edit.

Note - The dynamically assigned IP address usually belongs to the external interface, and
the IP addresses of the internal interfaces are fixed.

9 In the Interface Properties window, check Dynamic IP.

10 Specify the VPN (if needed) in the VPN page of the DAIP Module’s Gateway Properties
window.
For a Module with a dynamic IP address, the allowed parameters are:
• the IKE encryption scheme with Public Key certificates
• internal certificates

11 You can install a Policy on the DAIP Module either from the SmartCenter Server or from
the DAIP Module. For more information, see “Installing a Policy” on page 482.
If you choose to install the Policy from the DAIP Module (by fetching it from the
SmartCenter Server), specify how frequently a Policy should be fetched in the Masters page
of the Check Point window (see “Check Point window — Masters page” on page 197).


Dynamic Address Node Fetch Policy — Select one of the following:


Manual — Fetch this network object’s Policy manually (see “Installing a Policy” on page
482).
Scheduled Event — Fetch this network object’s Policy on a pre-determined schedule,
according to the selected time object (scheduled event).
See “Scheduled Events” on page 351 for information about scheduled events.
It is recommended that you install a DAIP Module’s first Policy manually, even if you plan to
automatically update it using a scheduled event.

Installing a Policy
You can install a Policy on the DAIP Module in either of two ways:
• installing it from the SmartCenter Server to the DAIP Module
Select Policy > Install from the menu. VPN-1/FireWall-1 verifies and compiles the Policy,
and installs it on the DAIP Module.
• fetching it to the DAIP Module from the SmartCenter Server
On the Module, use the fw fetch command (see “fwm fetch” on page 560).

Configuration and Other Issues

Configuring a VPN
A DAIP Module can open a VPN tunnel to another machine (but not to another DAIP
Module). The VPN tunnel and all encrypted connections must be initiated by the DAIP
Module, not by the VPN peer.

Note - It is recommended that you use the simplified VPN mode, in order to avoid the
need to manually define VPN rules (as described here). This section describes how to
configure a VPN using the “classic” mode.

Two Encryption rules are required to define encryption between a DAIP Module and another
machine. For example, suppose London is a VPN/FireWall Module and BigBen is a DAIP
Module. Then the following two rules are needed (FIGURE 14-1).
FIGURE 14-1 Encryption rules for DAIP Module

The first rule (installed on BigBen) enables encryption from London. Note that:
The source object (LocalMachine) is a dynamic object that is automatically resolved on each
DAIP Module (that is, it is not necessary to run the dynamic_object command).


The second rule (installed on London) enables encryption from BigBen.


If there is more than one DAIP Module, you can define a group that includes all of them
and use the group as the source object in this rule.

Note - This is the only context in which a DAIP Module (for example, BigBen) can be used
in a rule’s Source or Destination.

Control Connections Between the DAIP Module and the SmartCenter Server
A VPN/FireWall Module (whether on the SmartCenter Server, the DAIP Module or
somewhere between them) is unaware that the DAIP Module’s IP address is that of a
VPN/FireWall Module. Therefore, it will not allow some control connections to pass between
the SmartCenter Server and the DAIP Module.
Specifically, a VPN/FireWall Module will not allow:
• SIC certificates — the DAIP Module to pull its SIC certificate from the SmartCenter
Server, or the SmartCenter Server to push a certificate to the DAIP Module
• Policy — the DAIP Module to fetch a Policy from the SmartCenter Server, or the
SmartCenter Server to install a Policy to the DAIP Module
• logs — the DAIP Module to send a log entry to a Logging Server
• licenses — the SmartCenter Server to remotely install a license to the DAIP Module

Enabling Connections From the SmartCenter Server


To enable connections from the SmartCenter Server to the DAIP Module, proceed as follows:
1 Check Accept VPN-1 & FireWall-1 control connections in the Implied Rules page of the
Global Properties window.
2 Install the Security Policy on:
• all VPN/FireWall Modules between the SmartCenter Server and the DAIP Module
(including the VPN/FireWall Module protecting the SmartCenter Server)
• the DAIP Module

Enabling Connections From the DAIP Module


To enable connections from the DAIP Module to the SmartCenter Server or Logging Server,
proceed as follows:


1 Define a rule in the SmartDashboard as follows:

TABLE 14-1 Explicitly defined rule for DAIP communications

Column       Value
Source       Any, or a specific subnet. Use Any when you do not know the IP addresses of
             the DAIP Modules. Specify a subnet when you have more specific knowledge
             about the IP addresses of the Modules (for example, the network from which
             these addresses will be allocated).
Destination  The SmartCenter Server and/or the Logging Server, as relevant
Service      CPD, FW1_ica_pull (pulling certificates), FW1_log (logging)

2 Install the Security Policy on:


• all VPN/FireWall Modules between the SmartCenter Server and the DAIP Module
(including the VPN/FireWall Module protecting the SmartCenter Server)
• the DAIP Module

DHCP Connections Between the DAIP Module and the DHCP Server
1 To enable DHCP communications between the DAIP Module and the DHCP Server (for
example, when the DAIP Module’s lease expires), do either one of the following:
• In the Implied Rules page of the Global Properties window, check Accept dynamic
address gateways’ DHCP traffic, or
• define a rule in the SmartDashboard as shown in TABLE 14-2.

TABLE 14-2 Explicitly defined rule for DHCP communications

Column       Value
Source       DAIP Module and DHCP Server
Destination  DAIP Module and DHCP Server
Service      dhcp-req-localmodule and dhcp-rep-localmodule
Install On   the DAIP Module

2 Next, install the Security Policy on the DAIP Module.

Note -
• There should be no other FireWall Module between the DAIP and the DHCP Server.
• The above rule does not accept DHCP services to the network behind the DAIP Module.
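The two explicit rules of TABLE 14-1 and TABLE 14-2, as an added example that is not part of this guide: a small Python model of first-match rule-base evaluation showing why a DAIP Module’s control and DHCP connections need them. The service names are the guide’s; the object names, the addresses, the ISP_Pool subnet, the lease address of BigBen and the way the implied control-connections rule is modelled (keyed to the addresses of Modules whose address the database holds) are assumptions.

```python
"""Added example, not from the Check Point guide: a simplified first-match
rule-base model showing why TABLE 14-1 and TABLE 14-2 are needed for a
DAIP Module. Service names are those in the guide; object names, addresses
and the shape of the implied control-connections rule are assumptions."""
import ipaddress
from dataclasses import dataclass

ANY = "Any"

# Constructed topology: objects with fixed addresses in the SmartCenter
# database. The DAIP Module ("BigBen") is deliberately absent: its address
# is not known in advance.
OBJECTS = {
    "SmartCenter": ipaddress.ip_network("192.0.2.10/32"),
    "LogServer":   ipaddress.ip_network("192.0.2.11/32"),
    "DHCP_Server": ipaddress.ip_network("198.51.100.1/32"),
    "ISP_Pool":    ipaddress.ip_network("198.51.100.0/24"),  # DAIP lease range
}
KNOWN_MODULES = frozenset({"SmartCenter", "LogServer"})   # fixed-address modules
CONTROL = frozenset({"CPD", "FW1_ica_pull", "FW1_log"})
DHCP_LOCAL = frozenset({"dhcp-req-localmodule", "dhcp-rep-localmodule"})


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset
    dst: frozenset
    svc: frozenset
    install_on: frozenset = frozenset({ANY})
    action: str = "accept"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    service: str


def resolve(name, module, module_ip):
    """Resolve an object name on the enforcing module. The module's own name
    resolves to its current address (the guide's LocalMachine behaviour);
    an object with no fixed address in the database resolves to nothing."""
    if name == module:
        return ipaddress.ip_network(f"{module_ip}/32")
    return OBJECTS.get(name)


def matches(names, ip, module, module_ip):
    if ANY in names:
        return True
    addr = ipaddress.ip_address(ip)
    for name in names:
        net = resolve(name, module, module_ip)
        if net is not None and addr in net:
            return True
    return False


def evaluate(rulebase, pkt, module, module_ip):
    """First-match evaluation as seen by one enforcing module; anything
    unmatched falls through to an implicit drop."""
    for rule in rulebase:
        if ANY not in rule.install_on and module not in rule.install_on:
            continue
        if pkt.service not in rule.svc:
            continue
        if (matches(rule.src, pkt.src_ip, module, module_ip)
                and matches(rule.dst, pkt.dst_ip, module, module_ip)):
            return rule.action, rule.name
    return "drop", "clean-up"


def build_rulebase(explicit_rules):
    # Assumed model of the implied "Accept VPN-1 & FireWall-1 control
    # connections" rule: it is keyed to the addresses of known modules, so it
    # never matches a DAIP Module at an address the database does not hold.
    rules = [Rule("implied control connections", KNOWN_MODULES, KNOWN_MODULES, CONTROL)]
    if explicit_rules:
        rules.append(Rule("TABLE 14-1", frozenset({"ISP_Pool"}),
                          frozenset({"SmartCenter", "LogServer"}), CONTROL))
        rules.append(Rule("TABLE 14-2", frozenset({"BigBen", "DHCP_Server"}),
                          frozenset({"BigBen", "DHCP_Server"}), DHCP_LOCAL,
                          install_on=frozenset({"BigBen"})))
    return rules


def demo():
    daip_ip = "198.51.100.77"          # BigBen's current DHCP lease (constructed)
    log = Packet(daip_ip, "192.0.2.11", "FW1_log")
    lease = Packet(daip_ip, "198.51.100.1", "dhcp-req-localmodule")
    behind = Packet("10.0.0.5", "198.51.100.1", "dhcp-req-localmodule")
    return {
        # enforced by the gateway protecting the log server
        "log_without_rule": evaluate(build_rulebase(False), log, "LogServer", "192.0.2.11"),
        "log_with_rule":    evaluate(build_rulebase(True), log, "LogServer", "192.0.2.11"),
        # enforced by the DAIP Module itself
        "own_dhcp":         evaluate(build_rulebase(True), lease, "BigBen", daip_ip),
        "host_behind_dhcp": evaluate(build_rulebase(True), behind, "BigBen", daip_ip),
    }


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key:18} -> {verdict}")
```

Without the TABLE 14-1 rule the Module’s log connection is dropped by the clean-up rule, because the implied rule only knows the addresses of fixed-address Modules; with it the connection is accepted. On BigBen, the TABLE 14-2 rule accepts the Module’s own DHCP request but not one from a host behind it, which is the note above.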


NAT (Network Address Translation)


NAT cannot be performed for a DAIP Module’s IP address. A DAIP Module can perform NAT
Hide for other machines and for networks, but its own IP address cannot be NATed.

When the DAIP Module’s IP address changes ...


If the DAIP Module loses its IP address, there are two possibilities:
• the DAIP Module is assigned a different IP address
When the new IP address is assigned, VPN-1/FireWall-1 (running on the DAIP Module)
automatically stops and restarts itself.
• the DAIP Module is not assigned an IP address
The DAIP Module loses its connectivity until it acquires an IP address, and only then will
VPN-1/FireWall-1 automatically stop and restart itself.
When the DAIP Module is restarted (cpstart), it fetches a Policy from the SmartCenter Server,
which updates the DAIP Module’s IP address in its database.
The DAIP Module’s IP address is maintained in the SmartCenter Server’s database. The IP
address is sometimes updated, as described in “DAIP Module IP Address” on page 480.

When the SmartCenter Server’s IP address changes ...


If you move the SmartCenter Server to another machine, or if you re-install the SmartCenter
Server software, you must re-establish SIC trust between the SmartCenter Server and the DAIP
Module (see “Secure Internal Communications for Distributed Configurations” on page 46).
Next, on the DAIP Module, fetch the Policy from the SmartCenter Server using the
fw fetch command (see “fwm fetch” on page 560).

When the DAIP Module’s name changes ...


If you change a DAIP Module’s name, in the General page of the DAIP Module’s Check Point
window, you must re-install the DAIP Module’s Policy manually.



CHAPTER 15

Virtual Links

In This Chapter

Overview page 487


Creating a Virtual Link page 487
Virtual Link Windows page 488

Overview
A Virtual Link is a path between two Check Point VPN/FireWall or FloodGate Modules.
Virtual Links are defined in the SmartDashboard, and can be given Service Level Agreement
(SLA) parameters. They can then be monitored using Check Point SmartView Monitor.
For information on monitoring a Virtual Link, see the Check Point SmartView Monitor User Guide.

Creating a Virtual Link


To create a Virtual Link and define SLA and Log and Alert parameters, proceed as follows:
1 In the SmartDashboard, choose Virtual Links from the Manage menu.
The Virtual Links window is displayed.
2 Click New and choose Virtual Link.

3 In the General tab of Virtual Link Properties window, define the general parameters of
the Virtual Link.
For information about the fields in the General tab, see “Virtual Link Properties Window —
General Tab” on page 488.
4 In the SLA Parameters tab of Virtual Link Properties window, define the SLA parameters
to be monitored.


For information about the fields in the SLA Parameters tab, see “Virtual Link Properties
Window — SLA Parameters Tab” on page 489.

Note - At least one SLA threshold must be defined for every Virtual Link.

5 Click OK.
The Virtual Link and its SLA Parameters have been defined.
6 Open the Global Properties window by choosing Global Properties from the Policy
menu.
7 Specify Log and Alert parameters in the Log and Alert page of the Global Properties
window.
For information about the Log and Alert page, see “Global Properties Window — Log and
Alert Page” on page 490.
8 Click OK.

Editing or Deleting a Virtual Link


After a Virtual Link has been created, you can edit its properties or delete it. Enter the Virtual
Links window and select the link from the list of Virtual Links.

To delete the selected Virtual Link, click Remove.

To edit the selected Virtual Link, click Edit and redefine the desired parameters in the General
and SLA Parameters tabs. You may go directly to these tabs by double-clicking the name of the
Virtual Link in the SmartDashboard Objects Tree.
When you close the SmartDashboard, you will be asked if you wish to save the changes you
made.

Virtual Link Windows

Virtual Link Properties Window — General Tab


Name — the name of the Virtual Link
Comment — descriptive text
Color — the color of the Virtual Link’s icon
Virtual Link End Points — Choose the two gateways that define the Virtual Link from the
appropriate drop down menus:
Gateway A — This gateway must be internal, meaning that it is managed by the SmartCenter
Server that the SmartDashboard is working with.
Gateway B — Gateway B can be internal or external.


Each of the gateways must have VPN-1/FireWall-1 installed.

Note - Virtual Link Monitoring is implemented using the E2ECP service, a Check Point
protocol. Make sure there is a rule on each of the Virtual Link gateways that allows the
E2ECP service between them.

Enable Virtual Link Monitoring — Specify whether or not it will be possible to monitor the
Virtual Link.
If this option is not selected, you will not be able to monitor the Virtual Link using Check
Point SmartView Monitor. The link will not appear in the Monitored Virtual Link list in the
Module Selection tab of the Session Properties window.

Virtual Link Properties Window — SLA Parameters Tab


Thresholds — Define the parameters for each gateway in the direction you wish to monitor.
For each of the traffic directions, you can:
• Check Inform when Committed Information Rate is lower than... and specify a rate
in the corresponding text box. The SLA Violation action will be initiated when the
CIR drops below the specified rate.
For example, if your SLA guarantees a CIR of 10,000 Bps, you may wish to be alerted any
time CIR drops below 10,000 Bps.
• Check Inform when bandwidth loss exceeds... and specify a percentage in the
corresponding text box. The SLA Violation action will be initiated when bandwidth loss
exceeds the specified percentage.
For example, if your SLA states that bandwidth loss will not exceed 22 percent, you can
choose to be informed when this occurs.
For round trip traffic, you can:
• Check Inform when round trip time exceeds... and specify a time limit in the
corresponding text box. The SLA Violation action will be initiated when round trip
time exceeds the specified limit.

Note - “Inform...” in this tab refers to the SLA Violation track option specified under
Track Options in the Log and Alert page of the Global Properties window (see “Global
Properties Window — Log and Alert Page” on page 490).

Log SLA Statistics — Specify whether or not SLA discrepancies will be logged in the Check
Point SmartView Tracker.
The frequency with which SLA statistics will be logged is specified by Virtual Link statistics
logging interval in the Log and Alert page of the Global Properties window (see “Global
Properties Window — Log and Alert Page” on page 490).
For information regarding the SmartView Tracker, see Chapter 11, “SmartView Tracker”.
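The threshold semantics of this tab, as an added example that is not part of this guide: a Python evaluation of a Virtual Link’s SLA thresholds against monitoring samples. The per-direction CIR and bandwidth-loss thresholds, the round-trip threshold, the requirement that at least one threshold be defined, and the track action taken from the Log and Alert page follow the text; how CIR and bandwidth loss are derived from byte counters, the gateway names and the sample values are assumptions.

```python
"""Added example, not from the Check Point guide: evaluating a Virtual
Link's SLA thresholds against monitoring samples. Threshold semantics follow
the guide; the derivation of CIR and bandwidth loss from byte counters, the
gateway names and the sample values are assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DirectionThresholds:
    cir_min_bps: Optional[float] = None    # Inform when CIR is lower than ...
    loss_max_pct: Optional[float] = None   # Inform when bandwidth loss exceeds ...


@dataclass
class VirtualLink:
    name: str
    gateway_a: str                         # must be managed by this SmartCenter
    gateway_b: str                         # internal or external
    a_to_b: DirectionThresholds
    b_to_a: DirectionThresholds
    rtt_max_ms: Optional[float] = None     # Inform when round trip time exceeds ...
    monitoring_enabled: bool = True        # Enable Virtual Link Monitoring


@dataclass
class Sample:
    """Counters for one statistics logging interval (constructed)."""
    interval_s: float
    a_sent: int        # bytes Gateway A sent towards B
    b_received: int    # bytes Gateway B received from A
    b_sent: int
    a_received: int
    rtt_ms: float


def validate(link: VirtualLink) -> List[str]:
    """The guide requires at least one SLA threshold per Virtual Link."""
    defined = [t for t in (link.a_to_b.cir_min_bps, link.a_to_b.loss_max_pct,
                           link.b_to_a.cir_min_bps, link.b_to_a.loss_max_pct,
                           link.rtt_max_ms) if t is not None]
    return [] if defined else [f"{link.name}: at least one SLA threshold must be defined"]


def direction_stats(sent: int, received: int, interval_s: float):
    # Assumed derivation: CIR = bytes delivered per second at the receiving
    # gateway; bandwidth loss = share of sent bytes that never arrived.
    cir_bps = received / interval_s
    loss_pct = 0.0 if sent == 0 else max(0.0, (sent - received) * 100.0 / sent)
    return cir_bps, loss_pct


def evaluate(link: VirtualLink, sample: Sample, track: str = "alert") -> List[dict]:
    """Return one record per violated threshold; `track` stands in for the
    SLA violation track option (Global Properties > Log and Alert)."""
    if not link.monitoring_enabled:
        return []                          # unmonitored links produce nothing
    hits = []
    directions = (
        (f"{link.gateway_a}->{link.gateway_b}", link.a_to_b, sample.a_sent, sample.b_received),
        (f"{link.gateway_b}->{link.gateway_a}", link.b_to_a, sample.b_sent, sample.a_received),
    )
    for label, thr, sent, received in directions:
        cir, loss = direction_stats(sent, received, sample.interval_s)
        if thr.cir_min_bps is not None and cir < thr.cir_min_bps:
            hits.append({"link": link.name, "direction": label, "metric": "cir",
                         "value": cir, "threshold": thr.cir_min_bps, "track": track})
        if thr.loss_max_pct is not None and loss > thr.loss_max_pct:
            hits.append({"link": link.name, "direction": label, "metric": "loss",
                         "value": loss, "threshold": thr.loss_max_pct, "track": track})
    if link.rtt_max_ms is not None and sample.rtt_ms > link.rtt_max_ms:
        hits.append({"link": link.name, "direction": "round trip", "metric": "rtt",
                     "value": sample.rtt_ms, "threshold": link.rtt_max_ms, "track": track})
    return hits


def demo() -> List[dict]:
    # Thresholds use the guide's figures: 10,000 Bps CIR and 22 percent loss.
    link = VirtualLink("London-Paris", "London", "Paris",
                       a_to_b=DirectionThresholds(cir_min_bps=10_000),
                       b_to_a=DirectionThresholds(loss_max_pct=22),
                       rtt_max_ms=200)
    assert not validate(link)
    # Constructed 60 s sample: A->B delivers 9,000 Bps (10% loss), B->A loses
    # 28% of what was sent, and the round trip takes 250 ms.
    sample = Sample(interval_s=60, a_sent=600_000, b_received=540_000,
                    b_sent=500_000, a_received=360_000, rtt_ms=250)
    return evaluate(link, sample)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Each direction is checked only against the thresholds defined for it (the 10 percent loss on A to B raises nothing because no loss threshold was set there), which is why the guide asks you to define thresholds per direction rather than per link.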


Global Properties Window — Log and Alert Page


The Log and Alert page allows you to define system-wide logging and alerting parameters. The
following fields define SLA-related parameters:
SLA violation (under Track Options) — Choose the action to be taken if one of the
thresholds defined in the SLA Parameters tab of the Virtual Links window is violated.
Virtual Link statistics logging interval (under Time Settings) — Set the frequency with
which SLA statistics will be logged.
This parameter is relevant only for Virtual Links with Enable Virtual Link Monitoring
checked in the General tab of the Virtual Link Properties window.


CHAPTER 16

SmartMap

In This Chapter

Introduction to the SmartMap page 491


Using the SmartMap View page 493
Editing Network Objects page 507
Editing the Network Topology page 509
Topology Collapsing page 518
Integration of the SmartMap View and the SmartDashboard page 522
Calculations page 528
The SmartMap Helper page 532
Menu Commands and Toolbar page 534

Introduction to the SmartMap


Check Point’s SmartMap provides a topological view of the objects in the SmartDashboard. The
SmartMap View is a mapped visual representation of the network objects defined in the
SmartDashboard and the relationship between them. SmartMap provides a user-friendly
environment which transforms the conceptual object database into a visual, working topology
map.
The SmartMap View can be printed out and/or exported as an image file or Microsoft Visio
diagram. The printout resulting from the print or export operations replaces complex hand-
drawn network diagrams with a single, efficient diagram. Critical elements of the Security Policy
can be instantly located, and the security manager can easily and directly edit object parameters
and intuitively define new object groups for more efficient policy creation.
SmartMap performs automatic calculations for:
• objects behind the Gateway
• Install On targets
• anti-spoofing


Security Policy rules can be displayed in the SmartMap View. This rule display is an important
tool for monitoring security, since the direction (the source and destination) as well as the
action (accept, encrypt, etc.) are illustrated. Showing the impact of policy rules enables the
security manager to validate the intent and integrity of the policy; it ensures that the intent of
the security manager and the actual effect of the policy are one and the same.

Network Objects

OPSEC Applications
OPSEC applications installed on a network object are indicated in the SmartMap View.

Networks
Private IP address ranges defined in the NAT page of the Global Properties window (see
“Private Address Ranges” on page 280) are identified as such in the SmartMap View.

Enabling and Disabling SmartMap


The SmartMap can be enabled or disabled in the SmartMap page of the Global Properties
window.
• To display the SmartMap automatically when the SmartDashboard GUI Client is opened,
check Enable SmartMap.
• To disable the automatic display of the SmartMap when the SmartDashboard GUI Client is
displayed, uncheck Enable SmartMap.
The specified change will take place the next time the SmartDashboard GUI Client is opened.

Note - When the SmartMap View is disabled, its menus and commands are not displayed
and no topology calculations are performed.

Docking and Undocking the SmartMap Window


To undock the SmartMap window (that is, display it outside the SmartDashboard window, as in
FIGURE 16-1), double-click on the SmartMap’s upper border.


FIGURE 16-1 Docked SmartMap

To dock the SmartMap window, right-click inside the window and select Docked View from
the menu.

Using the SmartMap View

Displaying the Network Object and Interface Information


The SmartMap View may consist of a multitude of network objects. To display information for
any network object, proceed as follows:
• Select any network object or interface and press Enter on your keyboard, or
• Double-click the selected network object or interface.

Note - An interface is represented by an edge (link) between a network object and a
network.

The selected network object or interface Properties window is displayed.

Working with Network Objects


The SmartMap View supports the following objects:
• Network Objects
• Network
• OSE Device
• Embedded Device
• Gateway Clusters


• Community objects (Intranet, Extranet and Partner objects)


• Dynamic Address Gateways
• OPSEC Applications
Select any network object or group of network objects and right-click. A menu is displayed.
This menu varies depending on where on the SmartMap View you have clicked.
• If you right-click a specific network object, group or edge, a menu specifically relevant to
the selected network object, group or edge will be displayed.
• If you right-click an open space in the SmartMap View a general menu, relevant to the
SmartMap View as a whole, will be displayed.
Select Mode — Switch to Select mode (see “Select Mode” on page 494).
Zoom Mode — Switch to Zoom mode (see “Zoom Mode” on page 495).
Arrange — Rearrange the topology map layout (see “Arrange Styles” on page 498).
Zoom In — Increase the magnitude of the SmartMap View (see “Zoom In” on page 496).
Zoom Out — Decrease the magnitude of the SmartMap View (see “Zoom Out” on page
496).
Zoom — Select from several Zoom options (see “Other Zoom Options” on page 496).
New Network Object — Create a new network object (see “Adding an Object to the
SmartMap View” on page 508).
The SmartMap View provides several ways to perform the same operation; the menu commands
in the right-click menu often have an equivalent command in the form of an icon on the
toolbar, or an option on the menu bar. See “Menu Commands and Toolbar” on page 534 for
more information.

SmartMap View Options

Modes
The SmartMap View consists of various working modes. These modes are task specific. The
most common mode is Select Mode. The other modes provide functionality specific to certain
tasks. Each mode has its own specific cursor. For a summary of the cursor modes, see “Cursor
Modes” on page 536.

Select Mode
Select Mode is the default mode. Select Mode enables you to select an area including any object
or group in the SmartMap View. To use the Select Mode, proceed as follows:

Selecting network objects in the SmartMap View

1 Select Select Mode from the SmartMap menu, or click in the toolbar.


2 Click anywhere in the SmartMap View and drag the mouse.


As you drag the mouse a rectangular select-box is displayed. All the nodes and edges that
are cut by the select-box will be fully selected, even those that are only partially cut.
And/or, press the Ctrl key and, while pressing it, click the network objects one at a time to
add them to or remove them from the selection.
The network object(s) are selected.

Dragging selected network objects in the SmartMap View

Drag selected network object(s) to relocate them anywhere in the SmartMap View.

Note - You can revert to Select Mode from any other mode by pressing the Esc key.

Viewing Selected Objects in the SmartMap View

1 Select the Network Objects that you would like to view.


2 From the Zoom command in the SmartMap menu, select Fit Topology Map in window,
or click in the toolbar, to fit the entire Topology Map into the SmartMap View pane.
Or,
From the Zoom command in the SmartMap menu, select Fit selection in window, or
click in the toolbar, to fit the objects selected on the Topology Map into the
SmartMap View pane.
The entire topology map, or the selected Network Objects are resized to fit exactly into the
SmartMap View.

Zooming and Scrolling

Zoom Mode
Zoom Mode enables you to magnify the SmartMap View. To use the Zoom Mode, proceed as
follows:
1 Select Zoom Mode from the SmartMap menu, or click in the toolbar.
2 Click anywhere in the SmartMap View and drag the mouse. As you drag the mouse a
rectangular select-box is displayed. Enlarge the select-box until the area that you wish to
magnify is enclosed in the select-box.
All the nodes and edges that are cut by the select-box will be magnified in Zoom Mode.

Zoom Options
There are several Zoom options in the SmartMap View. These options are summarized in
TABLE 16-1.


Zoom In

The Zoom In command magnifies the topology map. To Zoom in, do any of the following:
• Click in the toolbar.
• Select Zoom In in the SmartMap menu.
• Press the plus sign [+] on your keyboard.
See also “IntelliMouse Support” on page 496.

Zoom Out

The Zoom Out command reduces the topology map. To Zoom Out, do any of the following:
• Click in the toolbar.
• Select Zoom Out from the SmartMap menu.
• Press the minus sign [-] on your keyboard.
See also “IntelliMouse Support” on page 496.

Other Zoom Options

These options can be accessed from Topology > Zoom > any submenu:

TABLE 16-1 Zoom Options

Zoom Option                  HotKey   Description
Fit Topology Map in Window   Ctrl+W   Fits the whole topology map in the SmartMap View pane.
Fit selection in window      Ctrl+B   Fits the selected part of the topology map in the
                                      SmartMap View pane.
25%, 50%, 150%               none     Resizes the topology map to the selected percentage.
Actual Size                  none     Sets the topology map to its default size.
Custom Zoom                  none     Customize the zoom ratio of the SmartMap View.

IntelliMouse Support
Use the IntelliMouse scroll wheel to:
• scroll up or down the SmartMap View using the scroll wheel
For more advanced scrolling, click the scroll wheel once to pan the SmartMap View in all
directions.
• Zoom In or Zoom Out of the SmartMap View

Hold down the Ctrl key and either scroll up (to zoom in) or scroll down (to zoom out).


New Network Object Mode


New Network Object Mode allows you to create new network objects in the SmartMap View
one after the other.
To use the New Network Object Mode, proceed as follows:
1 Select New Network Object Mode from the SmartMap menu.

2 Click at the point in the SmartMap View where you would like your new network object
to be created.
The network object’s Properties window is displayed.
3 When your new network object is saved and closed, you are prompted to create another
new network object.

Navigator Window
The Navigator window is a secondary window which displays an overview of the SmartMap
View. The Navigator window consists of a moveable selection box. As you move or resize the
selection box in the Navigator window, the SmartMap View is adjusted to reflect the changing
selections. Each time the Navigator window is closed, its state (size and position) is saved, and
the next time that it is accessed it opens according to the saved coordinates.
The selection box can also be adjusted to Zoom In or Zoom Out of the SmartMap View:
• To increase the selection to include more of the SmartMap View, (in other words, to Zoom
Out to a larger selection of the SmartMap View), enlarge the selection box by dragging it
outwards by its handles.
• To decrease the selection, (in other words, to Zoom In to a more specific part of the
SmartMap View), decrease the selection box by dragging it inwards by its handles.
• To toggle the Navigator window, select Topology > View Navigator (when the SmartMap
View is the active view), or click in the SmartMap View toolbar.
When any adjustment is made to the selection box, it is immediately reflected in the SmartMap
View.


FIGURE 16-2 The Navigator Window

Arrange Styles
The Arrange styles determine how the network objects are placed within the SmartMap View.
The SmartMap View can be arranged in two Arrange styles; hierarchic layout and symmetric
layout.
To optimally arrange the entire topology map, with the currently selected Arrange style within
the whole SmartMap View window,
• select Arrange > Global Arrange from the SmartMap menu, or
• click in the Topology toolbar.
To arrange a selected area of the topology map, with the currently selected Arrange style, within
the whole SmartMap View window,
• select Arrange > Incremental Arrange from the SmartMap menu, or
• click in the Topology toolbar.


Symmetric Layout
Symmetric layout arranges the topology map with a loose organization of the nodes extending
from the network objects. This type of layout of the topology map resembles star and ring
structures. To use Symmetric layout, proceed as follows:
In the SmartMap menu > Customization > Arrange Styles, select Symmetric Layout. The
topology map is arranged by the SmartMap.

Hierarchic Layout
Hierarchic layout arranges the topology map in a pseudo-hierarchical structure. In this type of
layout the topology map resembles a tree graph. To use Hierarchic layout, proceed as follows:
In the SmartMap menu > Customization > Arrange Styles, select Hierarchic Layout. The
topology map is arranged by the SmartMap.

Toggle the SmartMap View


Toggle View displays or hides the SmartMap View.
To toggle the SmartMap View, check Topology Map in the View menu, or click in the
Views toolbar.

Note - When the SmartMap View is hidden or inactive, all of its menus and commands are
disabled; however, topology calculations do continue.

Customization Options
The Customization options allow you to customize several attributes of the SmartMap View.
These include the customization of network object and selection specification, the definition of
tooltips, as well as arranging styles (whether the SmartMap View is hierarchic or symmetric).
To customize the SmartMap View attributes, select Customization from the SmartMap menu.
The Topology View Options window (FIGURE 16-3) is displayed.

SmartMap View Options — View Manager Tab

FIGURE 16-3 SmartMap View Options window — View Manager tab

This tab defines what happens when the topology map is redrawn as a result of changes to the
topology.
Do not rearrange any objects — Objects will not be rearranged, but edges will be redrawn
if necessary.
Rearrange only changed objects — Only changed objects will be rearranged.
Rearrange the entire map — The map will be completely redrawn, and all objects will be
rearranged as necessary.

SmartMap View Options — View Options Tab

FIGURE 16-4 SmartMap View Options window — View Options tab

Selected Object Color — the highlight around a selected Object. Select a color from the
Color window, or define your own custom color.
Selected Edge Color — the highlight of the edge of an Object. Select a color from the Color
window, or define your own custom color.
Selected Edge Width — the width (in points) of the selected edges.
Show Legend during Show Rule — Display the Rule Color Legend window when you show
a Rule in the SmartMap View.

SmartMap View Options — Tooltips Information Tab

FIGURE 16-5 SmartMap View Options window — Tooltips Information tab

Select the information about the network object that will be displayed when the cursor passes
over the object.
To cancel a tooltip, uncheck the specified fields, or click Clear All to uncheck all the fields.
FIGURE 16-6 Tooltip customized information — example (the tooltip shows Object Name, IP
Address and Comment)

SmartMap View Options — Arranging Styles Tab

FIGURE 16-7 SmartMap View Options window — Arranging Styles tab

The Arrange styles determine how the SmartMap View is displayed.


Symmetric — See “Symmetric Layout” on page 499.
Hierarchic — See “Hierarchic Layout” on page 499.

Note - Use the example of the topology map next to the Arrange Styles options to help
you decide which Arrangement suits you best.

Print out the SmartMap View


To print the topology map, select Print > Topology Map from the File menu, or use the
HotKey <Ctrl + E>. The Print Topology Map Setup window is displayed.
Scale By — Select the required scale option before the topology map is printed.
Pages — Scale the topology map in pages.
• Width — Scale the width of the printout in pages.
• Height — Scale the height of the printout in pages.

Zoom level — Scale the printout according to the specified zoom level. The default zoom level
displayed here is the zoom level currently set in the SmartMap View.
Current zoom level — Scale the printout according to the zoom level currently set in the
SmartMap View.
Check any of the following options:
• Print page numbers — Include page numbers on all pages of the topology map printout.
• Print border — Print a border around the topology map printout.

• Print crop marks — Display all crop marks on the topology map printout.
• Print caption — Include a caption on the topology map printout; enter the text in the
Caption text box.
Margins — Specify the size of the margin (from the edge of the page until the border if
specified, or until the beginning of the topology map diagram) in inches.

Print Previewing the Topology Map


Before the topology map is printed out, select Print Preview > Topology Map from the File
menu, or use the HotKey <Ctrl + l> to review the active topology map before it is printed
out.

Exporting the Topology Map


The Topology map can be exported as an image file or to Microsoft Visio. You can export a
part of the topology map by selecting the desired area in the topology map, or you can export
the entire topology map by choosing one of the export options from the SmartMap menu.

Export to Visio
To export the topology map to Visio, select Topology > Export > Visio. The Export to Visio
window is displayed.
FIGURE 16-8 Export to Visio window

Network object data options

You can export any of the information in the following fields by checking Use. To display this
exported information on the exported Visio drawing check Display Label.
• Object Name
• Object IP
• Net Mask

Folder options

Export topology with all folders expanded — Expand all folders in the SmartMap View
during the export operation. All objects in the SmartMap View will be displayed.
Export every locale to a separate page — Export each locale to a separate page.
Keep current network objects arrangement — Save the current arrangement of network
objects on the topology map diagram.

Network object icon options

Use SmartMap icons — When exporting the topology map to Microsoft Visio, use the default
Check Point Visual Policy icons.
Use Visio export stencil — Select the Visio export stencil that includes predefined Visio icons.
Edit Icons — If you would like to customize the predefined Visio icons, click Edit Icons.

Use color of SmartMap objects — Keep the colors specified for the SmartMap network
objects.

Additional Information

Display date of export on the Visio drawing page(s) — Display the date of the export
operation on the image exported to Visio.
Visio page label — Specify a title or comment on the exported Visio page.
Visio export stencil file directory — Click Browse and select a directory in which the Visio
export stencil will be saved.

Export as Image File


To export the topology map as an image file, select Topology > Export > Image File. The
Export Image window is displayed.

FIGURE 16-9 Export Image

Image Type — Select the image type (and compression level) to be used when you export the
topology map.

Image Size

Adjust to actual size — The size of the exported image will be the size of the full topology
map, including the parts that are not currently displayed.
Fit to — Resize the image in the exported file while maintaining the aspect ratio.

Folder Options

Expand all folders before export — Expand all folders in the SmartMap View during the
export operation. All objects in the SmartMap View will be displayed.
Export every locale to a separate page — Export each locale to a separate page.

Additional Information

Display date of export on the image(s) — Check to display the date of the export operation
on the image file.
Image label — Specify a title or comment on the exported image file.
File name prefix — Specify a prefix that will be used for saving multiple image files. Note that
the prefix is not the name of the created file.
Image file(s) directory — Click Browse and select the directory in which the image file will
be saved.

Open exported image(s) — Open all image files, once exported (using the registered file
viewer for the image type).
Print exported image(s) — Print all exported images.

Saving the SmartMap View


The SmartMap View is saved automatically whenever you save the Policy. This can be done by
selecting Save from the File menu, or by clicking in the toolbar.
The SmartMap View has a smart save implementation: each time an administrator logs in to the
SmartMap, sets up the SmartMap View in the manner that he or she prefers and saves the
changes, the SmartMap View saves the topology coordinates as set up by that administrator.
Each subsequent time that the administrator logs on, the SmartMap View is displayed according
to the saved coordinates and folders.
Should the network objects in the SmartMap View be modified in any way by any
administrator, the next administrator to log on will have to decide whether to merge his or her
coordinates with the new changes, or whether to overwrite his or her own coordinates with the
newly modified coordinates.

Editing Network Objects


The SmartMap can be used to edit and define network objects. All items in the SmartDashboard
which are representations of physical network objects (such as OSE Devices and network
objects) can also be seen and edited in the SmartMap View. Objects which are not
representations of physical network objects (such as Address Ranges) cannot be seen in the
SmartMap View.
The objects in the SmartMap View are created, configured and placed according to their IP
addresses (routing information is not a factor in object configuration and placement). Thus, the
SmartMap View is modified by manipulating the network objects’ IP addresses.

Editing Object/Interface Properties


1 Select an Object or an edge corresponding to the Gateway’s interface.
2 Double-click the object or edge corresponding to the Gateway’s interface.
The object’s Properties window is displayed.

Note - Only edges of defined interfaces can be edited.

3 Edit the specified IP Address.
If you select an IP Address that is inappropriate for the net mask of the current Gateway,
the object will be created and added to the topology map in a location that is appropriate
to its new IP Address.

Adding New Objects


There are several ways to add a new object to the SmartMap View:

Adding objects to an existing network


When you add a new object to an existing network, the new object will automatically be given
the IP address prefix of the existing network. To add a new object to an existing network:
1 Right-click the network to which you would like to add a new object.
2 From the displayed menu select New Network Object.
A list of New Network Object options is displayed.
3 From the New Network Object menu options, select the new object that you would like
to configure on the existing network. The object’s Properties window is displayed.

Adding an Object to the SmartMap View


You can add an object to the SmartMap View using the right-click option:
1 Right-click in the SmartMap View.
A list of New Network Object options is displayed.
2 Select New Network Object from the displayed menu.
3 From the New Network Object menu options, select the object you would like to add to
the SmartMap View.
4 Configure the new object.

Adding Multiple Objects


You can add network objects one after the other when you work in New Network Object
mode. In this mode, as soon as a new network object has been configured you are prompted to
create a new one. To do this, select New Network Object Mode from the SmartMap menu.
See “New Network Object Mode” on page 497 for more information.

Removing Network Objects


It is possible to remove an object or a group of objects from the SmartMap View. To remove
an object:
1 Select the object(s) that you would like to remove. To select a group of objects, select each
object while pressing the Ctrl key, or use the selection rectangle.
2 Proceed by doing one of the following:
• Press Delete on your keyboard, or
• Right-click the selected object(s)
A menu is displayed.

3 Select Remove from the displayed menu.
You are prompted to make sure that you want to remove the object(s).
4 Select Yes to remove the network object.

Note - A warning will be displayed if you attempt to remove an object that is part of a
Security Policy (or QoS Policy) rule. If you ignore the warning, the object will still be
removed and the SmartMap View will be adjusted accordingly.

Defining a New Group


To define selected objects as a group, proceed as follows:
1 Select the objects which you would like to define as a group. See “Select Mode” on page
494 for more information and do one of the following:
• Click in the Topology toolbar, or
• Right-click the selected group, and choose Group from the displayed menu.
The Group Properties window is displayed.
2 Configure the Group Properties window, by adding or removing objects to or from the
new group.
The selected objects are defined as a group.

Editing the Network Topology


The language of network topology is IP addressing. The SmartMap View is constantly updated
as a result of changes in IP addresses. The use of duplicated or illegal IP Addresses is common in
the network topology, especially where Network Address Translation (NAT) is implemented;
for more information see “Network Address Translation (NAT)” on page 67. This may result in
ambiguities; for instance, IP duplication may result in duplicate networks, where more than one
network shares the same IP address and net mask.
The SmartMap View creates new topology objects where IP Address ambiguities prevent
network objects from being connected. These topology objects are used to highlight and resolve
ambiguities. For more information, see “New Topology Object Types” on page 511. You can
also use the SmartMap Helper to learn how to solve some of these connectivity issues. For more
information, see “The SmartMap Helper” on page 532.

Containing and Contained Networks


Containing networks are networks which contain other networks. The contained network will
always be derived from the same or lower net mask class. For example, in FIGURE 16-10,
Big_net 5.5.0.0 contains Small_net 5.5.5.0, or, in other words, Small_net is contained by
Big_net. Big_net and Small_net have a hierarchical arrangement in which they are automatically
connected together in a type of “containment chain”.
By default, it is assumed that contained networks are probably sub-networks; therefore:

• when network objects, OSE Devices and Embedded Devices are created and/or modified,
their edge is connected to the smallest existing network that suits their IP address and net
mask (if they are defined).
If an object is connected to a network and a smaller network is subsequently defined, the
object is relocated to the smaller network.
• larger networks are automatically connected to smaller networks, unless there is more than
one equal network to which they can be connected, or unless the network chains are in
conflict.
FIGURE 16-10 Large networks are automatically connected to smaller networks

Contained Networks’ Edges


The SmartMap View connects networks according to the hierarchy of their IP addresses and net
masks, but does not assume that you want to keep them contained; therefore, the networks’
edges are editable: they can be removed (deleted), and they can be returned to their
“contained” structure.

Editing Contained Networks


A contained network is edited in the same way as any other network object, see “Editing
Object/Interface Properties” on page 507.
Once the IP Address of the contained network has been altered, the contained network may
no longer be contained. It is removed from the containment chain and is relocated to a new
position in the SmartMap View.

Removing the Edges of Contained Networks


1 Right-click the selected edge of a contained network.
A menu is displayed.
2 Select Disconnect from the displayed menu.
The selected edge is removed.

Reconnecting Contained Networks


When the edge of a contained network has been removed, you can choose to reconnect it
to the containment chain. To do so, proceed as follows:
1 Select the network whose edge was removed from the containment chain.

A menu is displayed.
2 Select Connect > Containing Network from the displayed menu.
The Resolve by List window is displayed.
3 Select the viable containing network of your choice from the Viable Networks list
box in the Resolve by List window, and click Connect.
The contained network is reconnected to the containing network and rejoins the
containment chain.

New Topology Object Types


The SmartMap View maintains graphic connectivity between different parts of the network. It
does this by creating and adding several new topology objects, such as:
• Internet Objects and Clouds
• Implied Networks
• Ambiguous Networks

Note - Topology objects, or objects created by the SmartMap View, such as clouds and
implied networks, etc., cannot be defined as protected objects. They cannot be included
in any group, nor can they be pasted into the SmartDashboard Rule Base.

Internet Objects and Clouds


These object types, when declared, define connectivity between network objects without
supplying technical details of the path between these network objects.
The Internet object declares connectivity via a public network, and a Connectivity Cloud
declares connectivity via a private network. Only networks can be connected to Internet objects
or Connectivity Clouds.
When the SmartMap does automatic calculations it looks for Internet objects and uses them to
identify whether interfaces are external or internal.
FIGURE 16-11 External Interface from Internet Cloud

Internet objects have no properties; therefore, they cannot be edited. The color and name of
Connectivity Clouds can be modified.

Multiple Internet and Connectivity Clouds can be defined. Multiple Internet objects are
inherently linked and inextricable from one another, even if visually they seem to be separate.

Note - Network objects are not connected automatically to Internet or Connectivity
clouds; this connection must be added manually.

Creating Connectivity Clouds


To create a Connectivity cloud, proceed as follows:
1 Right-click in the SmartMap View at the point where you would like to place the new
cloud.
A menu is displayed.
2 Select New Network Object > Connectivity Cloud from the menu.
The Connectivity Cloud Properties window is displayed.
3 Configure the new Connectivity Cloud.
4 Click OK.
The new cloud is displayed.

Note - You can also create a Connectivity Cloud by connecting two or more networks, for
more information, see “Connecting Multiple Networks to a Single Connectivity Cloud” on
page 513.

Creating an Internet
To create an Internet, select New Internet from the SmartMap menu. The new Internet is
displayed.

Note - There will always be at least one Internet Cloud in the SmartMap View. This
Internet object cannot be removed.

Connecting a Network to Internet Objects/Clouds


One Internet in SmartMap View

If there is only one Internet in the SmartMap View and the user wants to connect a network to
the cloud, a line will automatically be drawn connected to that cloud.

One Connectivity Cloud in SmartMap View

Even if there is only one Connectivity Cloud in the SmartMap View, the user has to manually
connect the network to the cloud, by the process outlined in step 1-step 3 below.

More Than One Internet Object and/or Connectivity Cloud in SmartMap View
If there is more than one Internet and/or Connectivity Cloud in the SmartMap View, you can
connect a network to any of the Internet objects/clouds by declaring an edge between the
network and the Internet/cloud. To do so, proceed as follows:
1 Right-click the network that you would like to connect to an Internet object/cloud.
2 Click Connect to > Internet to connect the network to the Internet. Click Connect to >
Connectivity Cloud to connect the network to the Intranet.
3 Click the Internet object or Connectivity Cloud of your choice. A line is drawn from the
selected network to the Internet or Connectivity Cloud.

Note - You can delete the edge that has just been added between a network and a
Cloud. To do so, right-click the edge and select Remove.

Connecting Multiple Networks to a Single Connectivity Cloud


Networks can be concurrently selected and joined to a single Connectivity Cloud. To do
so, proceed as follows:
1 Select the networks that you would like to connect via the Connectivity Cloud by holding
the Ctrl key down and selecting each network, or by using the selection rectangle.
Release the Ctrl key when all the networks have been selected.
2 Right-click the last selected network.
A menu is displayed.
3 Select Connect networks from the displayed menu.
FIGURE 16-12 Connect Selected Networks menu

The Connectivity Cloud Properties window is displayed.
4 Specify the Connectivity Cloud parameters, and click OK.
The selected network objects are connected.

FIGURE 16-13 Selected Networks connected in a Connectivity Cloud.

Implied Networks
An implied network is created when an interface of a gateway or host, or any other object, is
defined and there is no viable network to match it; in this case all the existing objects that need
a suitable network are connected to the implied network. The implied network is an
automatically generated network to which the new interface is connected. The implied network
is named by its IP address and it is marked by a network-type structure and a superimposed “i”,
see FIGURE 16-14. It is Read Only and can only be edited if it is made into a real network,
see “Turning an Implied Network into a Real Network” on page 514.
FIGURE 16-14 Implied Networks are identified by a SmartMap View-generated IP address and
a superimposed “i”.

Viewing the Settings of an Implied Network


Implied networks are read-only and non-editable, unless they are changed into real networks
(where the definition of “real” is that the network is no longer an “implied” topology-generated
object, but rather an actual network object with a legitimate IP address). Despite this, network
objects can be connected to implied networks in the SmartMap View. To view the settings of an
implied network, proceed as follows:
• Double-click the implied network, or
• Right-click the implied network and select View from the displayed menu.
The Network Properties window is displayed. The implied network settings can be viewed.

Turning an Implied Network into a Real Network


When an implied network is actualized it is changed from a fictitious topology object declared
by the SmartMap View, into a real functioning network, with its own specifications and
settings.
To do so proceed as follows:
1 Right-click the implied network.
A right-click menu is displayed.

2 Select Actualize Network.
The Network Properties window is displayed.

Note - A name is automatically supplied in the Network Properties window; however,
it can be edited.

3 Configure the implied network.
The implied network is made into a real network.

Ambiguous Networks
When a new machine (such as a network object, router or OSE device) is defined, the
SmartMap assigns that object to an existing network on the SmartMap View. If there is more
than one valid network available, the SmartMap indicates this by connecting the network object
to a question mark, see FIGURE 16-16.
FIGURE 16-15 The Ambiguous network

This question mark is a placeholder for the network to which the object should be connected
and it signals that you must resolve the network object with one of the existing viable networks.
The network placeholders are commonly known as “ambiguous” or “?” networks. All
ambiguous networks and objects are gathered in a folder, which is labelled “Objects to
Resolve”, see FIGURE 16-17. This folder is always displayed in the SmartMap View, even if
there are no network objects to be resolved.

Note - Gateway Cluster objects are the only objects that may be connected to an
ambiguous network, but which are not gathered in the “Objects to Resolve” folder.

The network object remains unresolved until it is matched to a viable network. For more
information on the way networks are resolved, see “Containing and Contained Networks” on
page 509.
FIGURE 16-16 The Ambiguous network folder, Figure A — with unresolved objects, Figure B
— empty
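The placement rules from “Containing and Contained Networks” and the implied and ambiguous cases described above, worked through in code. This is an added example and not Check Point's code; it assumes that a host is viable for any network whose address range contains its IP, that the smallest such network wins, that equal-sized candidates give the ambiguous “?” placement, and that no candidate yields an implied network named by the interface's own subnet. All network names and addresses below are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample network objects (names and addresses are made up for this example).
# Big_net contains Small_net, as in FIGURE 16-10; Dup_A and Dup_B share one IP address
# and net mask, the duplication case the text mentions (common where NAT is in use).
SAMPLE_NETWORKS: Dict[str, str] = {
    "Big_net": "5.5.0.0/16",
    "Small_net": "5.5.5.0/24",
    "Dup_A": "10.1.0.0/24",
    "Dup_B": "10.1.0.0/24",
}

Networks = Dict[str, ipaddress.IPv4Network]


def parse_networks(defs: Dict[str, str]) -> Networks:
    """Turn name -> CIDR strings into network objects (strict: no host bits set)."""
    return {name: ipaddress.IPv4Network(cidr) for name, cidr in defs.items()}


def containing_network(name: str, nets: Networks) -> Optional[str]:
    """Smallest network that strictly contains `name`, i.e. its parent in the
    containment chain. None when it is top-level, or when more than one equal-sized
    network could contain it: such conflicted chains are left unconnected."""
    me = nets[name]
    candidates = [(other, n) for other, n in nets.items()
                  if other != name and n != me and me.subnet_of(n)]
    if not candidates:
        return None
    best_len = max(n.prefixlen for _, n in candidates)
    best = [other for other, n in candidates if n.prefixlen == best_len]
    return best[0] if len(best) == 1 else None


def containment_chain(nets: Networks) -> Dict[str, Optional[str]]:
    """Map every network to the network that contains it (or None)."""
    return {name: containing_network(name, nets) for name in nets}


def place_object(ip: str, mask: str, nets: Networks) -> Tuple[str, Union[str, List[str]]]:
    """Decide where a host or interface lands when it is created or modified.

    Returns one of:
      ("resolved", network_name)   exactly one smallest viable network
      ("ambiguous", [names...])    several equal-sized viable networks: the "?" placeholder
      ("implied", "a.b.c.d/n")     no viable network: an implied network named by address
    """
    addr = ipaddress.IPv4Address(ip)
    # Assumption: a network is viable when its address range contains the IP.
    viable = [name for name, n in nets.items() if addr in n]
    if not viable:
        implied = ipaddress.IPv4Interface(f"{ip}/{mask}").network
        return ("implied", str(implied))
    best_len = max(nets[name].prefixlen for name in viable)
    best = sorted(name for name in viable if nets[name].prefixlen == best_len)
    if len(best) > 1:
        return ("ambiguous", best)
    return ("resolved", best[0])


def relocate(ip: str, mask: str, nets: Networks, new_name: str, new_cidr: str):
    """The relocation rule: defining a smaller network afterwards moves an object
    that already sat on a larger one. Returns (placement before, placement after)."""
    before = place_object(ip, mask, nets)
    extended = dict(nets)
    extended[new_name] = ipaddress.IPv4Network(new_cidr)
    return before, place_object(ip, mask, extended)


if __name__ == "__main__":
    nets = parse_networks(SAMPLE_NETWORKS)
    print("containment chain:", containment_chain(nets))
    for host in ("5.5.5.10", "5.5.7.10", "10.1.0.5", "192.168.50.3"):
        print(host, "->", place_object(host, "255.255.255.0", nets))
    print("relocation:", relocate("5.5.7.10", "255.255.255.0", nets, "Lab_net", "5.5.7.0/24"))
```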

Resolving a Network Object


To resolve a network object to a viable network you must use the Resolve by List or the
Resolve by Map commands:

Resolve by List
To Resolve by List, proceed as follows:
1 Double-click the ambiguous network.
The Unresolved Interface Properties window is displayed, or,
2 Right-click the unresolved network object.
A right-click menu is displayed.
3 From the right-click menu, select Resolve by List. The Unresolved Interface Properties
window is displayed.
FIGURE 16-17 The Unresolved Interface Properties window

The Unresolved Interface Properties fields

Name — the name of the network object
IP Address — the IP Address of the network object
Net Mask — the Net Mask of the network object
Viable Networks — displays a list of viable networks to which the unresolved object can be
matched.
Show — shows selected network in the topology map. The network object and the machines
connected to it are framed in red.
Properties — opens the network properties window for the selected network in Read Only
mode.
Connect — connects selected network in the Viable Networks list to the object to be
resolved.

Close — closes the Unresolved Interface Properties window.

4 Select a network from the Viable Networks list.
5 Click Connect to declare a connection between the selected object and the selected
network.
A line is drawn between the object and the network. The object is resolved.

Note - The connection drawn between the selected viable network and the network object
is an editable connection and can be removed. To remove the connection, right-click it,
and select Disconnect from the displayed menu.

Resolve by Map
To resolve an unconnected network object, proceed as follows:
1 Select the ambiguous network.
2 Select Resolve by Map from the right-click menu.
The valid networks are highlighted within the SmartMap View. For enhanced visibility, the
highlighted networks may blink for a few seconds. If the viable networks are contained
within a folder, the folder will blink several times. This feature will help you to peel the
folder layers until you find the viable network.

Note - You can edit the default highlight color in the “SmartMap View Options — View
Options Tab” on page 501.

3 Select the network to which you would like to join the unresolved object.
A line will be drawn between the network object and the viable network that you have
selected.

Changing the Network Object Resolution


If an ambiguous network object has been resolved you can change its resolution by removing
the network object connection. This returns the network object to the ambiguous “?” state. At
this point the ambiguous network can be resolved again using the desired viable network. To
remove a network object connection, proceed as follows:
1 Right-click the line which connects the network object and the network.
2 Select Disconnect from the right-click menu.
The connection is removed.
3 Re-resolve the unresolved network object.

Extranet and Intranet Communities


For more information on these objects please see the Check Point Virtual Private Networks Guide.

Extranet Communities and Partner Objects


Extranet communities are objects which enable VPN functionality. They include all the partners
outside of your company who have access to a common extranet. These partners are represented
by Partner Objects. These objects are inextricably connected to the Internet; they are managed
by your partner company.
FIGURE 16-18 Extranet Partner Object

Topology Collapsing
Topology collapsing, often referred to as folding, facilitates the use of the topology map by
expanding or collapsing topology structures. This collapsing mechanism simplifies the topology
map, by ridding it of visual clutter, but still preserving its underlying structure. The folding
mechanism allows you to collapse certain topology structure types. The folders can be created at
the following points along the topology map:
• on an edge that is an interface, as well as all the objects behind it.
• on any network. If there are no hosts or containing networks, the network cannot be
collapsed.
• on any gateway and its locales
• on any locale
• unresolved hosts — All network objects that are ambiguous are automatically collapsed into
a special folder labelled Objects To Resolve.
• external objects — All hosts which have no networks to which they can be connected
(because they do not fit into any network’s IP address range) as well as any standalone
networks, are automatically collapsed into a special folder labelled External Objects (except
CP installed objects).
The folder can be collapsed or expanded at any of these locations, to hide or display the
underlying network structures within the crease of the fold.

How to Collapse Locales


All locales can be collapsed. To do so, proceed as follows:
1 Right-click the locale in the SmartMap View.
A menu is displayed.

FIGURE 16-19 Collapse the Locale

2 Select Collapse Locale from the displayed menu.
The locale is collapsed.

How to Collapse Other Topology Structures


To collapse topology structures, proceed as follows:
1 Select the object or edge that you would like to collapse.
The selected object or edge is highlighted in the SmartMap View.
2 Right-click the object.
A menu is displayed.
3 Click Collapse Object (where Object varies according to the type of object selected).

Working with Topology Folders

In This Section

Expanding Topology Folders page 519
Showing the Contents of Topology Folders page 520
Hiding the Contents of Topology Folders page 520
Renaming Topology Folders page 520
Defining a Group Containing the Members of a Topology Folder page 521
Adding the Contents of a Topology Folder to the Rule Base page 521

Expanding Topology Folders


To expand collapsed topology structures, proceed as follows:
1 Select the folder which contains the object that you would like to display.

2 To proceed, do one of the following:
• Right-click the folder and select Expand from the displayed menu, or,
• Double-click the folder, or select it and press Enter.
The “collapsed” objects are expanded and displayed.

Note - The External Objects and Unresolved Objects folders are not expanded like other
topology folders. You can display the contents of these folders, but the folders
themselves cannot be disbanded. Even if the folders are empty, they still appear in the
SmartMap View, see “Showing the Contents of Topology Folders” on page 520.

Renaming Topology Folders


To rename topology folders, proceed as follows:
1 Right-click the folder that you would like to rename.
A right-click menu is displayed.
2 Select Rename from the displayed menu.
The Folder Properties window is displayed.
FIGURE 16-20 The Folder Properties window

3 Enter a new name in the Display Name field.
The folder is renamed.

Showing the Contents of Topology Folders


You can show the contents of the Unresolved Objects folder and the External Objects folder.
To show all the network objects within these folders, proceed as follows:
1 Right-click the folder whose members you would like to display.
A right-click menu is displayed.
2 Select Show Contents from the displayed menu.
The topology folder is expanded and all the network objects in the folder are displayed.

Hiding the Contents of Topology Folders


To hide all the network objects within the Topology Folder, proceed as follows:
1 Right-click the folder whose members you would like to hide.
A right-click menu is displayed.

520 Check Point SmartCenter Guide • September 2002



2 Select Hide Contents from the displayed menu, or double-click inside the folder.
The topology folder is collapsed and all the network objects in the folder are hidden.

Defining a Group Containing the Members of a Topology Folder

To define the members of a topology folder as a group, proceed as follows:
1 Right-click the folder whose members you would like to save as a group.
A right-click menu is displayed.
2 Select Define Contents as Group from the displayed menu.
The Group Properties window is displayed.
3 Configure the Group Properties window by adding members to, or removing members from,
the group.

Note - Topology objects, that is, objects created by the SmartMap View itself such as clouds
and implied networks, cannot be defined as protected objects. They cannot be included
in any group, nor can they be pasted into the SmartDashboard Rule Base.

Adding the Contents of a Topology Folder to the Rule Base

You can add the contents of a topology folder as objects in the Source or Destination column
of the Rule Base. To do so, proceed as follows:
1 Select the topology folder that you would like to include as an object in the Rule Base.
2 Hold down the Shift key.
3 Drag the selected folder to the desired location in the Rule Base.
You are asked whether to save the members of the topology folder as a group or as individual objects.
4 Configure the Group Properties window.
The topology folder is saved as a Group object in the Rule Base.

Viewing External Objects


External objects are hosts that have no network to which they can be connected; that is,
their IP address does not belong to the IP address range of any network defined in the
Topology.

Editing External Objects


To edit the external objects displayed in the External Objects window, proceed as follows:
1 Double-click the external object that you would like to edit, or right-click the selected
external object and select Edit from the displayed menu.
The object's Properties window is displayed.
2 Configure the object's Properties window.
The external object is edited.

Viewing Gateway Clusters

1 Select the Gateway Cluster.
2 Right-click the selected Gateway Cluster.
A menu is displayed.
3 Select Show Members from the displayed menu.
The Gateway Cluster opens into a window in which all the gateways in the Gateway
Cluster are displayed.

Integration of the SmartMap View and the SmartDashboard


SmartMap facilitates working with the Rules tab of the SmartDashboard by visualizing the
rules. In certain cases this includes pasting, copying, showing, and dragging and dropping
objects from the Rule Base to the SmartMap View and vice versa.

Paste Network Object(s) in the Rule Base


Selected network objects in the SmartMap View can be pasted into the SmartDashboard Rule
Base. To do so, proceed as follows:
1 Select an object or a group of objects in the SmartMap View and do one of the following:
• Press Ctrl+C on your keyboard, or
• Right-click the selected object(s) and select Copy (to Rule Base) from the displayed menu.
2 Place the cursor in the Source, Destination or Install On column of the
SmartDashboard.
3 Right-click in the chosen column and select Paste from the right-click menu.
The selected object(s) are pasted into the Rules tab.

Note - Topology objects (that is, objects declared by the SmartMap View, for example
clouds and implied networks) cannot be pasted into the SmartDashboard.

Dragging & Dropping

From the Rule Base to the SmartMap View


1 In the Rule Base, select the object that you would like to view in the SmartMap View
from either the Source, Destination or Install On column.
2 Drag the object using the left mouse button and drop it into the SmartMap View.
The object will be highlighted in the SmartMap View.


From the SmartMap View to the Rule Base


1 Select the object(s) that you would like to paste into the Rule Base.
2 Drag the object(s) with the left mouse button while holding down the Shift (or Alt) key into the Rule Base.
3 Drop the object(s) into the appropriate Source, Destination or Install On column.
The selected object(s) are pasted into the Rule Base.

Note - You can also drag folders to the Rule Base and save the members of the folder as
a Group object, for more information, see “Adding the Contents of a Topology Folder to
the Rule Base” on page 521.

Show Objects
This feature enables you to track objects on the topology map. You can choose to show objects
in the topology map, from any of the following places:
• from the Rule Base
• from the Network Objects Manager
• from the Objects Tree
• from the Objects List
When you choose to show a selected object, it is displayed in the following manner:
• The selected object is highlighted in the SmartMap View.
• The highlighted object will blink for several seconds. In a very complex network topology,
this blink enhances visibility, and allows you to find the selected object with ease.

Note - If the selected object is located within one or more folders, the folder blinks for
several seconds. Each enclosing folder layer blinks in turn until all the folder layers have
been opened and the selected object is revealed.

Show Objects from the Rule Base


1 Select an object by placing the cursor on the object of your choice in the Source,
Destination or Install On column of the SmartDashboard.
2 Right-click the selected object.
A right-click menu is displayed.
3 Select Show from the displayed menu.
The selected object appears highlighted in the SmartMap View.

Show Objects from the Network Objects Manager


1 Select Network Objects from the Manage menu.
2 Select an object in the Network Objects window.


3 Click Show.
The selected object will appear highlighted in the SmartMap View.

Show Objects from the Objects Tree


1 In the Objects Tree, select the object that you would like to display.
2 Right-click the selected object.
A right-click menu is displayed.
3 Select Show from the displayed menu.
The object will be selected in the SmartMap View.

Show Objects from the Objects List

1 In the Objects List, select the object that you would like to display.
2 Right-click the selected object.
A right-click menu is displayed.
3 Select Show from the displayed menu.
The selected object appears highlighted in the SmartMap View.

Showing Objects with Network Address Translation (NAT)


You can query the NATed objects behind a gateway (a machine with VPN-1/FireWall-1 installed)
that has more than one interface. To do so, proceed as follows:
1 Right-click a selected gateway in the SmartMap View.
A menu is displayed.
2 Select Show NAT from the displayed menu.
All NATed objects behind the selected gateway are displayed.
3 To clear the NAT view, click anywhere in the SmartMap View.

Understanding Rules Shown in the SmartMap View


Rules defined in the Security Policy can be shown in the SmartMap View. Rules appear as
combinations of highlighted colors and arrows on the topology map. Colors are assigned to
represent the Source, Destination and Install On columns of the SmartDashboard. These colors
can be viewed in the Rule Color Legend window, which is displayed when a rule is shown.
The color of each arrow represents the action being performed and is based on the
color of the action in the Rule Base (see TABLE 16-2; for example, Accept is green and Drop
is red). The arrow also indicates the direction of the rule, from the Source to the Destination.


The colors used in the Show Rule operation are displayed in the Rule Color Legend window.
The action is represented by arrows in the action's color (green for Accept). These arrows
also show the direction of the rule.

TABLE 16-2 Action Color Chart

Action Column                          Color
Drop, Reject                           Red
Accept                                 Green
User Auth, Client Auth, Session Auth   Blue
Encrypt, Client Encrypt                Purple

Note - Only Security Policy rules, can be shown in the SmartMap View.

Rule Exceptions
The rules mentioned below are mapped and displayed in a specific manner:
• Source — Where the Source is Any, the rule is mapped out along the SmartMap View
from the Install On to the Destination.
• Destination — Where the Destination is Any, the rule is mapped out along the SmartMap
View from the Source to the Install On.
• Any — Where both Source and Destination are Any, only the paths between the Install On
objects are shown.

Note - When rules are shown in the SmartMap View, the “Any” value is represented by an
icon at the base or the head of the arrow, to indicate that the Source or Destination,
respectively, is Any.

Showing a Rule in the SmartMap View, by selecting Show from the Rule Base menu

Rules can be selected one at a time in the SmartDashboard and shown in the SmartMap View.
To do so, proceed as follows:
1 Select a rule in the SmartDashboard Rule Base by its rule number.
2 Select Show from the right-click menu.
The rule is marked in the SmartMap View.

Note - To clear a rule shown in the SmartMap View, press the Esc key or click anywhere in
the SmartMap View.

Note - The more complex the network topology, the longer the Show Rule operation may
take.

Showing a Rule by dragging it from the Rule Base to the SmartMap View

To show a rule in the SmartMap View, proceed as follows:
1 Select the rule in the Rule Base.
2 Drag the selected rule to the SmartMap View.
The rule is highlighted in the SmartMap View in significant colors, see FIGURE 16-21.
The Rule Color Legend window explains the colors used in the Show Rule operation.
For example, in FIGURE 16-21:
• Source — the source object (CEO) is highlighted in light blue.
• Destination — the destination object (DMZ_net), which is located in the External
Objects folder, is highlighted in pink.
• Install On — a specific Install On object on the path of the rule, specified in
the Install On column. This object takes on the color of the Action item icon
defined in the Rule Base. There is no such object in Rule 2.
• Redundant Install On — an Install On object that is specified in the Install On column
but does not have an interface on the path of the selected rule. The
remote_router object is such an Install On.
• Missing Install On — an Install On object that is on the path of the selected
rule but is not specified in the Install On column. There is no such object in
Rule 2.
You can hide this window by selecting Don't show this window. To display the Rule Color
Legend window again later, check Show Legend during Show Rule in the View
Option tab of the Customization window.


FIGURE 16-21Rule shown in SmartMap View

3 Additionally, an Advanced button is displayed in the upper left corner of the
SmartMap View. Click this button to display the Show Rule Control window. In this
window you can specify how the selected rule is to be read.
FIGURE 16-22 Show Rule Control

Show All Paths — Show all the valid paths from all the Source objects to all the Destination
objects.
Show All Paths between selected Pair — Show all the valid paths between the selected source
object and the selected destination object:
Source — Select the source object from the drop-down list.
Destination — Select the destination object from the drop-down list.
Page Between Paths — View, one at a time, all the paths between the source objects and the
destination objects where there is more than one valid path between the objects.
While you are paging between the paths, click Back to go to the previous path or
Next to move forward to the next path.


Rule Analysis

If an Install On object is specified, the Rule Analysis field shows an icon indicating this,
and the Details window is not accessible.

If no Install On object is specified, the Rule Analysis field shows a different icon. Click
Details to get an in-depth rule analysis explanation.

Calculations

Understanding Topology Calculation


Why does your topology map look as it does? How can the topology map best be modified? To
answer these questions, you need to understand the topology creation algorithm used by
SmartMap. The algorithm computes the map from the definitions of the network objects. The
network objects that are taken into consideration during the topology calculation are:
• Networks — The IP address and net mask of a network define the range of IP addresses
that can be connected to it. In general, hosts and gateways connect to networks. Other
networks may connect to a network if their IP range happens to be included in the IP
address range of that network (these are called contained networks). A network is not
required to be connected to other objects (as opposed to hosts and gateways), and all
connections between networks are editable, that is, they can be removed.
• Hosts — are divided into two groups:
• Simple hosts — have no defined interfaces. Because no net mask is specified, a simple
host is connected according to its general IP address: any network whose IP address
range includes the IP address of the host is a possible connection point.
Connecting to the smallest adequate IP address range: SmartMap connects the host to the
network that has the smallest adequate IP address range, that is, the most specific match.
For example, suppose a host with IP address 192.168.132.7 is connected to a network
with IP address 192.168.0.0, and at another site there is a network with IP address
192.168.132.0. SmartMap connects the host to the second, smaller network. If you want
the host to connect to the first network, you can either define the appropriate interface on
the host (with a net mask that prevents its connection to the second network), or define a
network identical to the smaller one and connect it to the first, bigger network as a
contained network.
Where there is more than one equally small network: if a host has more than one equally
small network to which it can connect, its connection is removable (editable). You can
connect it to any of the possible networks.
Where the host IP address does not fit into any network's IP address range: if a host has an
IP address that is not included in the IP address range of any defined network, the host is
added to the External Objects folder.
• Hosts with interfaces — have a general IP address as well as one or more defined
interfaces. They are handled in the same manner as gateways.
• Gateways (and hosts with interfaces) — any gateway or host with at least one defined
interface is connected according to its interfaces and not according to its general IP address.
Since an interface's definition includes both an IP address and a net mask, it uniquely
identifies the network to which the interface should connect. If such a network is
found, the interface is connected to it. If no network with those parameters is defined in
the system, SmartMap automatically generates one; for more information see “Implied
Networks” on page 514. If more than one network in the system has those same parameters,
the interface's connection is ambiguous until it is resolved manually; for more information
see “Ambiguous Networks” on page 515.
The SmartMap generated topology consists of two types of connections, fixed (non-editable)
connections and editable connections:
• Fixed connections — exist between objects whose topology can be deterministically
calculated. These connections can only be changed by editing the objects they connect. A
fixed connection can become editable if other objects are added or modified. For example,
if a host is uniquely connected to a network and later an identical network is defined, the
host's connection changes from fixed to editable so that the host can be moved from one
network to the other.
• Editable connections — can be created automatically by SmartMap when objects are added
or modified (for example, the connection between a contained network and its containing
network), or defined manually by the user (for example, when an ambiguous network is
resolved, or when a network is connected to the Internet or to another network, either by a
containment relation or through a connectivity cloud). An editable connection can be
removed by right-clicking the connecting edge and selecting Disconnect.
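The placement rules described above can be written down as a small algorithm. The following Python is an added example for this page, not Check Point code: the object names, the /16 and /24 masks (the guide mentions only the bare addresses 192.168.0.0 and 192.168.132.0) and the duplicated DMZ network are constructed assumptions. It shows the most-specific-range choice for simple hosts (fixed, editable or external), the exact-match rule for interfaces with its implied and ambiguous outcomes, and the editable containment edges between networks; it goes slightly beyond the text by also reporting duplicated networks, which is the condition that makes an interface connection ambiguous.

```python
import ipaddress
from collections import defaultdict

# Constructed sample objects (assumption: the guide gives no names or masks,
# only the addresses 192.168.0.0 and 192.168.132.0). "DMZ_net_copy" is a
# deliberately duplicated network, identical to "DMZ_net".
NETWORKS = {
    "HQ_net": ipaddress.ip_network("192.168.0.0/16"),
    "Branch_net": ipaddress.ip_network("192.168.132.0/24"),
    "DMZ_net": ipaddress.ip_network("10.1.1.0/24"),
    "DMZ_net_copy": ipaddress.ip_network("10.1.1.0/24"),
}


def place_simple_host(ip, networks=NETWORKS):
    """Simple host (no interfaces, hence no net mask): connect it to the network
    whose range includes the host IP and is the smallest such range.
    Returns (kind, candidates):
      ("fixed", [one network])   unique smallest range
      ("editable", [several])    equally small ranges; the user picks one
      ("external", [])           no range fits; goes to the External Objects folder
    """
    addr = ipaddress.ip_address(ip)
    containing = [(name, net) for name, net in networks.items() if addr in net]
    if not containing:
        return "external", []
    longest = max(net.prefixlen for _, net in containing)
    candidates = sorted(name for name, net in containing if net.prefixlen == longest)
    return ("fixed" if len(candidates) == 1 else "editable"), candidates


def connect_interface(ip, mask, networks=NETWORKS):
    """Gateway or host interface: IP address plus net mask pins the network down.
      ("fixed", [one network])        exactly one defined network matches
      ("implied", [generated name])   none matches; SmartMap generates the network
      ("ambiguous", [several])        duplicated networks; must be resolved manually
    """
    wanted = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    matches = sorted(name for name, net in networks.items() if net == wanted)
    if len(matches) == 1:
        return "fixed", matches
    if not matches:
        return "implied", [f"implied_{wanted.with_prefixlen}"]
    return "ambiguous", matches


def contained_networks(networks=NETWORKS):
    """Editable containment edges (inner, outer) between distinct networks."""
    edges = []
    for inner_name, inner in networks.items():
        for outer_name, outer in networks.items():
            if inner != outer and inner.subnet_of(outer):
                edges.append((inner_name, outer_name))
    return sorted(edges)


def duplicated_networks(networks=NETWORKS):
    """Networks that share the same IP address and net mask, keyed by prefix."""
    groups = defaultdict(list)
    for name, net in networks.items():
        groups[net].append(name)
    return {net.with_prefixlen: sorted(names)
            for net, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for host in ("192.168.132.7", "192.168.1.7", "10.1.1.5", "172.16.0.1"):
        print(host, "->", place_simple_host(host))
    print(connect_interface("10.2.2.1", "255.255.255.0"))
    print(contained_networks(), duplicated_networks())
```

The host from the guide's example, 192.168.132.7, lands on the /24 rather than the /16 because the longer prefix wins; an interface 10.1.1.1/255.255.255.0 comes back ambiguous because two identical 10.1.1.0/24 networks exist, which is exactly what the SmartMap Helper's duplicated-networks task reports.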

Calculating Topology Information


Topology information describes an object's interfaces and the IP addresses behind these
interfaces. SmartMap can calculate topology information automatically for the following
objects:
• Gateways which have VPN-1/FireWall-1 installed as well as two or more interfaces
• OSE Devices
• Embedded Devices

Note - A protected objects group can be defined for any of these objects. For more
information, see “How to Define Protected Objects as Group” on page 532

To calculate Topology information, proceed by doing any of the following:


1 Select the object for which you would like to calculate the Topology information in any of
the following places:
• SmartMap View
• Objects Tree
• Objects List

2 Right-click the selected object.


A menu is displayed.
3 Choose Calculate Topology from the displayed menu.
The Topology calculation results window is displayed.
FIGURE 16-23The Topology Calculation Results window — selected object

Name — the name of the interface.
IP Address — the IP address of the interface.
Net Mask — the net mask of the interface.
IP Addresses behind interface — the name of the object(s) whose IP addresses lie behind the
interface.
Legend — specifies how the displayed IP Addresses behind interface value is to be understood,
based on the color in which it is displayed:
If the field is highlighted in red, the calculation result differs from the currently defined
Topology information.
If the field is highlighted in blue, the calculation result has been approved.
If the field is not highlighted, there is no change to the Topology information and no
approval is needed.
Approve — If the IP Addresses behind interface field is highlighted in red, click Approve to
display and contrast the current Topology information with the calculated Topology information.
The Topology Calculation Results window of the selected interface is displayed.


Approve All — click Approve All to automatically approve all Topology calculation results
without comparing, contrasting and approving each result individually. (As can be done if you
click Approve).
Show Addresses — shows the selected objects which correlate to the specified interface in the
SmartMap View.
View Group — view the objects in the specified group.

The Topology Calculation Results window


The Topology Calculation Results window of the selected interface is displayed when
Approve is selected in the Topology Calculation Results window of the selected object.
FIGURE 16-24Topology Calculation Results window — approve selected interface

IP Address — the IP Address of the selected interface


Net Mask — the Net Mask of the selected interface
Show Addresses behind interface —
Interface Topology:

The Current definition, or the currently specified Topology information is contrasted with the
Calculation result, or the modified Topology information that results from the topology
calculation. The following information is compared:
Whether the interface is External or Internal.

Whether the IP Addresses behind this interface are:


• Not Defined — there are no defined IP Addresses behind the interface
• Based on Interface’s IP — the IP Addresses behind the interface are defined based on the
IP Address of the selected interface
• Specific — the IP Addresses behind the interface are defined for a specific network

View Group — view the objects in the specified group.


How to Define Protected Objects as Group


Any object that does not lead to the Internet, in other words, an object that is internal to the
gateway, can be defined as a protected object. To define a group of protected objects, proceed
as follows:
1 Select the objects that you would like to make into a protected objects group.
2 Right-click the selected objects.
3 Select Define Protected Objects as Group from the displayed menu.
The Group Properties window is displayed.
4 Once you have defined the protected objects as a group, click OK.

Note - You can define protected objects as a group for any of the following objects:
Gateway Clusters, OSE Devices, Embedded Devices and Gateways (which have
FireWall-1 installed and two or more defined interfaces).

Note - Implied networks cannot be defined as protected objects.

The group of protected objects can be selected as the VPN Domain in the Manually
Defined field of the Topology page of the network object's Properties window.

The SmartMap Helper


The SmartMap Helper teaches you how to solve connectivity tasks such as:
• duplicated networks
• unresolved object interfaces
The Helper is a learning tool. Once you understand how to solve these connectivity tasks, you
can solve them directly in the SmartMap View rather than through the Helper.
To access the SmartMap Helper, select SmartMap Helper from the SmartMap menu.

The Helper consists of a series of windows that guide you through the resolution of the
related connectivity task. Each connectivity task includes an introductory screen that describes
the nature of the task and presents the manner in which it can be solved.
In the Helper, click Back to return to the previous step or Next to continue to the
following step. When you have filled out all the required information, click
Finish. To exit the Helper, click Close.

An icon next to each connectivity task indicates whether there are tasks of that kind to be
performed; a different icon indicates that there are none.


Solving Duplicated Networks


Duplicated networks occur if there is more than one network with the identical IP address and
Net Mask.

Note - Some network systems may require duplicated networks. Consider the needs of
your system before modifying duplicated networks.

To solve duplicated networks, you can modify the shared IP Addresses and Net Mask, so that
each IP Address is unique. Duplicated networks can be resolved in the SmartMap Helper —
Duplicated Networks window, see FIGURE 16-25. Alternately, you can elect to delete the
duplicated networks.

FIGURE 16-25Resolving Duplicated Networks

IP Addresses — duplicated IP Addresses and Net Masks are listed in the IP Addresses list box.
Existing Networks — the network objects which share the IP addresses and Net masks listed in
the IP Addresses list box, are displayed in the Existing Networks list box.
Show — to show the selected objects in the SmartMap View. In the SmartMap View, right-
click the highlighted object and click Edit from the displayed menu to give the network a new
IP Address.
If you make any changes to the topology of the duplicated networks listed in the Existing
Networks list, the refresh button is enabled. Click this button to refresh the Existing
Networks list.

Solving Unresolved Object Interfaces


See “Ambiguous Networks” on page 515.


Menu Commands and Toolbar


The SmartMap View can be modified and read quickly and efficiently with the help of the
Topology toolbar. The SmartMap icons are shortcuts for certain SmartMap menu commands.
The following table describes the SmartMap toolbar and the corresponding menu commands in
the Topology and View menus.
TABLE 16-3 Topology Icons

Toolbar Button | Menu Command | Description | See...
icon | Topology > View Navigator | Toggles the Navigator. | “Navigator Window” on page 497
icon | Topology > Select Mode | Selects an area on the SmartMap View. | “Select Mode” on page 494
icon | Topology > Zoom Mode | Zooms the selected area of the topology map. | “Zoom Mode” on page 495
none | Topology > New Network Object Mode | New Network Object Mode. | “New Network Object Mode” on page 497
icon | Topology > Zoom In (HotKey: [+]) | Magnifies the topology map within the SmartMap View. | “Zooming and Scrolling” on page 495
icon | Topology > Zoom Out (HotKey: [-]) | Diminishes the topology map within the SmartMap View. | “Zooming and Scrolling” on page 495
none | Topology > Zoom > Submenu | Select one of the Zoom options. |
icon | Topology > Zoom > Fit Topology Map in window (HotKey: [Ctrl+w] and [W]) | Sizes the whole topology map using the full space of the SmartMap View. | “Zooming and Scrolling” on page 495
icon | Topology > Zoom > Fit selection in window (HotKey: [Ctrl+w] and [B]) | Sizes the selected area of the topology map using the full space of the SmartMap View. | “Zooming and Scrolling” on page 495
icon | Arrange > Global Arrange (HotKey: [Ctrl+w] and [D]) | Arranges the whole topology map within the SmartMap View in Layout. | “Arrange Styles” on page 498
icon | Arrange > Incremental Arrange (HotKey: [Ctrl+w] and [Y]) | Arranges a selection of the topology map within the SmartMap View in Layout. | “Arrange Styles” on page 498
icon | Topology > Group | Groups selected objects in the SmartMap View. | “Defining a New Group” on page 509
none | Topology > New Connectivity Cloud | Specifies a new Connectivity Cloud. | “Internet Objects and Clouds” on page 511
none | Topology > New Internet | Specifies a new Internet object. | “Internet Objects and Clouds” on page 511
none | Topology > Collapse All | Collapses all network objects. |
none | Topology > Export To > Microsoft Visio | Exports the topology map to Microsoft Visio. | “Exporting the Topology Map” on page 504
none | Topology > Export To > Image File | Exports the topology map as an image file. | “Exporting the Topology Map” on page 504
none | Topology > SmartMap Helper | Solves connectivity issues using the SmartMap Helper. | “The SmartMap Helper” on page 532
none | Topology > Customization | Customizes SmartMap View network object tooltips. | “Customization Options” on page 499
icon | View > Topology Map | Toggles the SmartMap View. | “Toggle the SmartMap View” on page 499


Cursor Modes
TABLE 16-4 Cursor Modes

Mode | Cursor | See...
Select Mode | icon | “Select Mode” on page 494
Zoom Mode | icon | “Zoom Mode” on page 495
New Network Object Mode | icon | “New Network Object Mode” on page 497
Internet Mode | icon | “Connecting a Network to Internet Objects/Clouds” on page 512
Add Connectivity Cloud Mode | icon | “Connecting a Network to Internet Objects/Clouds” on page 512
Resolve Network Mode | icon | “Resolving a Network Object” on page 515
Wait Mode | icon |



CHAPTER 17

Management
High Availability

In This Chapter

Overview page 537


Restrictions page 538
Using Management High Availability page 539
SmartView Tracker page 545

Overview
High Availability for SmartCenter Servers allows the administrator to dramatically reduce the
window for planned downtime and offers unprecedented levels of SmartCenter Server’s uptime
and access.
Implementing Management High Availability guarantees that at any given time one
SmartCenter Server is active while the others are in standby mode. Data synchronization across
all the SmartCenter Servers greatly improves fault tolerance and enables the administrator to
seamlessly activate a standby SmartCenter Server when required.

Primary vs. Secondary


The Management High Availability scheme requires one Primary SmartCenter Server and at
least one Secondary SmartCenter Server. There is no limit to the number of Secondary
SmartCenter Servers. For information on how to install Primary and Secondary SmartCenter
Servers, see step 1 and step 2 on page 539.
The first SmartCenter Server installed is automatically designated as Primary, while every other
SmartCenter Server added to the group is considered Secondary.
After the Secondary SmartCenter Servers have been properly initialized, no functional
differences exist between the two SmartCenter Server types.


Active vs. Standby


In normal circumstances, the active SmartCenter Server performs as a typical SmartCenter
Server, granting Read/Write access to the user. In contrast, standby SmartCenter Servers can
be accessed in Read Only mode.
Manual switching between active and standby servers adds scalability and availability to the basic
SmartCenter Server functionality, reduces the workload on servers and accelerates response to
users' requests. To enable manual switching, the standby servers' databases must be regularly
updated. This can be achieved as follows:
• The administrator can manually overwrite a standby server's database from the
Management High Availability Servers window, or
• choose from a number of options for automated synchronization.
For more information, see “Synchronization” on page 540.
Since every SmartCenter Server in a High Availability configuration can in principle switch
from active to standby mode and vice versa, logs should be forwarded either to one
SmartCenter Server or to a specially designated machine that is not a group member.
Warning - It is highly recommended not to work with more than one active SmartCenter
Server. One of the databases will be overwritten when synchronized, and all the work on
that database will be lost.
It is possible to have two active SmartCenter Servers (this can happen when an active
SmartCenter Server goes down and then comes up again after another SmartCenter Server
has been made active), but in this case you must resolve the problem immediately.

Restrictions
• Both the Primary and Secondary SmartCenter Servers must run the same operating system
(for example, both Windows NT or both Solaris).
• Management High Availability is only supported in a distributed configuration, that is, the
Primary Server and a VPN/FireWall Module must not be installed on the same machine.


Using Management High Availability

Configuration and Usage


FIGURE 17-1 Sample Management High Availability configuration. The diagram shows three sites
connected through the Internet: London, with the BigBen Management Server behind its
VPN/FireWall Module; New York, with the Liberty Management Server behind its VPN/FireWall
Module; and Paris, with the Eiffel Management Server behind its VPN/FireWall Module.

In the configuration above, BigBen is the Primary SmartCenter Server located behind London,
while Eiffel and Liberty serve as Secondary SmartCenter Servers for Paris and New York,
respectively. If BigBen fails, either Eiffel or Liberty should take over. To achieve this, proceed as
follows:
1 Install the Check Point SmartCenter Server on BigBen and configure it as the Primary
SmartCenter Server.
2 Install the Check Point SmartCenter Server on Eiffel and Liberty and configure them as
Secondary SmartCenter Servers.
Note - The Secondary SmartCenter Servers are all Certificate Authorities, but not in their
own right. They are all “clones” of the Primary SmartCenter Server CA. They can all issue
certificates, but their certificates will appear to have been issued by the Primary
SmartCenter Server.

3 On BigBen, define Eiffel as a network object.


4 Under Check Point Products Installed, in the General page of BigBen’s Properties
window, check Check Point SmartCenter Server.
5 Click on Communication.
You will be prompted to insert a one-time password.
6 Enter the one-time password and click OK.
This initializes the secure communication process. For more information, see “Secure
Internal Communications for Distributed Configurations” on page 19.


7 Save the database by:


• clicking the Save icon in the toolbar, or
• selecting Install Policy or Install Users Database from the Policy menu.
8 Synchronize Eiffel with BigBen to make it available for Management High Availability. For
detailed information, see “Manual Synchronization” on page 540.
9 To add Liberty to the list of Secondary SmartCenter Servers, repeat steps 1 through 6.
10 Define all Secondary SmartCenter Servers as Masters of the VPN-1/FireWall-1 Module(s)
that they control. For more information, see “Check Point window — Masters page” on
page 197.

Synchronization
In the Management High Availability context, synchronization is defined by the following
characteristics:
• Only saved data is synchronized.
• Data synchronization means one database overwriting the other rather than item-by-item
conflict resolution. This approach is applied consistently throughout Management High
Availability, except for certificate-related discrepancies: if such a conflict occurs, the
problematic certificate is revoked.
• Synchronization details are logged and can be displayed in Log Viewer’s Audit mode.
The SmartCenter Server databases can be synchronized either manually or automatically. The two
options are explained in greater detail below.

Manual Synchronization
You can manually initiate synchronization of the SmartCenter Server databases, change the
status of a SmartCenter Server or login to another SmartCenter Server.

Logged into Active SmartCenter Server


When you are logged onto the Active SmartCenter Server, select Policy > Management High
Availability from the menu.


FIGURE 17-2 Primary — Management High Availability Servers window

Synchronize — Synchronizes the selected standby SmartCenter Server with the active
SmartCenter Server by overwriting the standby Server’s database.
FIGURE 17-3 Server Synchronization options

In the Server Synchronization window, select one of:


• Synchronize configuration files only — only the database and configuration files will be
synchronized.
• Synchronize fetch, install and configuration files — in addition to the database and
configuration files, the fetch and install files will also be synchronized, enabling
Modules to fetch their Policies from the standby SmartCenter Server as well, if the standby
Server is defined as a Master in the Masters page of the Module’s Properties window.
If the standby SmartCenter Server’s database is more advanced, the following message will
prompt you for confirmation:


FIGURE 17-4 Management High Availability warning

Change to Standby — Changes the SmartCenter Server’s status from Active to Standby. This
option will only appear when you have logged onto the Active SmartCenter Server.
Refresh — Updates the current status of the SmartCenter Servers.
The following status values are available:
• Never Synchronized — The SmartCenter Server has never been synchronized.
• Not Reachable — Communication with the SmartCenter Server has not been properly
established. To resolve the problem, perform cpstop followed by cpstart.
• Collision — Both SmartCenter Servers’ databases have progressed since the last
synchronization. This can occur, for example, when there are two active SmartCenter
Servers. In this case it is recommended you not synchronize the databases.
• Advanced — This is when the Standby SmartCenter Server’s database has progressed and
the Active SmartCenter Server has not. This can occur, for example, when the machine
that is currently Standby was very recently Active. In this case, you will want to Change to
Standby, and then perform Synchronize Me. Once you have done this, click Change to
Active to return to Active mode.
• Lagging — This is when the Standby machine is lagging behind the Active. This is the
most common and expected occurrence. This is the ideal time to synchronize the two
databases.
• Synchronized — This is when both machines are synchronized.

Comment Bar — A light bulb indicates that there is a recommendation or error. Click on
the Details button for more information. The Details window will appear.
FIGURE 17-5 Details window

If everything is in order, a will appear.


Logged into Standby SmartCenter Server


When you are logged onto the Standby SmartCenter Server and you select Policy > Management
High Availability from the menu, the following window is displayed:
FIGURE 17-6 Logged into Standby

Change to Active — Make the Standby SmartCenter Server Active. This option will only
appear when you have logged into the Standby SmartCenter Server in Read/Write mode.
Login in Read Only — Click on this button to switch to Read Only mode.
Refresh — Update the current Status of the SmartCenter Servers.
Synchronize Me — Synchronize the standby SmartCenter Server (the one on which you are
logged onto now) from the SmartCenter Server that is highlighted in the window.

Properties
Synchronization parameters are defined in the Management High Availability page of the
Global Properties window (FIGURE 17-7).


FIGURE 17-7 Global Properties window — Management High Availability page

Select one or more of the following:

Note - Synchronization of an Active server will not succeed if the GUI is open with
Read/Write permissions.

• When policy is saved (only configuration files will be synchronized) — Databases will
be synchronized whenever a Security Policy is saved.

Note - If the Status column on the Standby SmartCenter Server is Collision or Advanced,
the databases will not be synchronized.

• When policy is installed — Databases and Fetch files will be synchronized whenever a
Security Policy or database is installed. This can only work if the status in the Status
column on the standby SmartCenter Server is not Collision or Advanced.


• Scheduled event — Databases will be synchronized in accordance with the selected Time
Object. For this to work, you must create a Scheduled Event, and specify the day(s) and
time you want to perform the synchronization. After you have created the Scheduled Event,
you will be able to select it from the drop-down menu. For information, see “Time and
Scheduled Event Objects” on page 347 above.

Note - When working with the Automatic method, you can also synchronize manually by
going to Manage > High Availability Servers in the menu.

Upgrading to a New Version


To upgrade the Check Point software on a group of High Availability SmartCenter Servers,
proceed as follows:
1 Synchronize all the SmartCenter Servers.
2 Upgrade the SmartCenter Server software on all the SmartCenter Servers.
3 Open the Check Point Management Client GUI on one of the SmartCenter Servers.
4 In the General page of each of the other SmartCenter Servers’ Properties windows (page
182), set the correct software version (in Version).
5 Once again, synchronize all the SmartCenter Servers.

SmartView Tracker
All operations having to do with Management High Availability can be viewed in the Check
Point SmartView Tracker. Both the Primary and Secondary SmartCenter Servers can send logs,
which can be seen in the Oper. column in Audit mode. For more information, see “SmartView
Tracker” on page 387.



CHAPTER 18

Command Line Interface

In This Chapter

Overview page 547
Setup page 549
Control page 556
Monitor page 564
Utilities page 575
Log File Management page 593
ClusterXL: High Availability and Load Sharing page 609
User Database Management page 615
License Management page 624
Product Management page 643
Product Repository Management page 643
VPN-1 Accelerator Card page 661
VPN Commands page 662
Daemons page 664
FloodGate-1 page 666
SmartView Monitor page 666
Options Reporting Tool Commands page 671
Log Consolidation Engine Commands page 680
OPSEC page 686

Overview
The fwm and vpn programs are used to manage VPN-1/FireWall-1. These programs control the
fwd and vpnd daemons.


With the exception of the setup commands cpconfig, fwstart, cpstart and cpstop (see
“Setup” on page 549), all commands have the following Usage:

fwm action [-d] [targets]
or
vpn action [-d] [targets]

fwm and VPN Options

TABLE 18-1 fwm and VPN options

option meaning
action This determines the specific command (for example,
fwm load or fwm ctl). The rest of this chapter describes
each command’s action and options. These commands are
grouped by the following categories: Control, Monitor,
Certificates, Utilities, VPN-1 Accelerator Card.
-d If this flag is the first argument to an fwm command, then
debug information is generated as the command runs.
targets Some commands can be executed on the specified targets.
See below for more information.

Targets
There are three options for specifying the targets on which a given command is to be executed
(see TABLE 18-2). If more than one option is used, the command executes on the combination
of targets. If none of these options is specified, the Inspection Code is installed on the local host.

TABLE 18-2 Target options

parameter meaning
-conf conffile The command is executed on targets specified in
conffile. Each line in conffile has the Usage of a
target in a target list (see “Target Usage” on page 549).
-all The command is executed on all targets specified in the
default system configuration file ($FWDIR/conf/sys.conf).
This file must be created manually. Create a simple text
file containing a list of IP addresses and/or resolvable
machine names, one per line.
target The command is executed on the specific named target.
(see “Target Usage” on page 549)



Target Usage

Targets can be specified using any of the following formats:

host

Where:

parameter meaning
host The name of the network object (as returned by the hostname
command) or its IP address.
all The meaning of all varies according to its placement. It may
specify: both directions, all interfaces or both directions on all
interfaces.
• The dot (.) and the at-sign (@) are part of the Usage; spaces around them are not allowed.
• If host is not specified, localhost is assumed.
• If only host is specified, all is assumed (meaning both directions on all interfaces).
Several targets may be specified in various formats. Command-line separators are subject to the
rules of the shell (spaces and tabs are the most common separators).
The format of configuration files is identical to the format of targets. In configuration files, the
following separators may be used: spaces, tabs, comma, or new line.

Examples

le0.in@host1
all@host2
host3
all.out
all.all
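As an added illustration (not part of the Check Point guide), the following Python parser applies the target rules above to command-line tokens and to the contents of a configuration file; treating only in, out and all as direction keywords is the example’s own assumption, used to tell all.out apart from a host name such as fw.example.com:

```python
"""Parser for the VPN-1/FireWall-1 target syntax used by fwm and vpn commands.

Added example, not Check Point code. It applies the rules stated above: the
dot and at-sign are part of the syntax and may not be surrounded by spaces,
a missing host means localhost, a bare host means "all" (both directions on
all interfaces), and configuration files may separate targets with spaces,
tabs, commas or newlines. Treating only "in", "out" and "all" as direction
keywords is this example's assumption.
"""
import re
from dataclasses import dataclass

DIRECTIONS = {"in", "out", "all"}           # assumption: the only direction words
CONF_SEPARATORS = re.compile(r"[ \t,\n]+")  # separators allowed in conf files


@dataclass(frozen=True)
class Target:
    interface: str  # interface name, or "all"
    direction: str  # "in", "out", or "all" (both directions)
    host: str       # host name or IP address; "localhost" when omitted


def _split_interface(part: str) -> tuple:
    """Split 'le0.in' into ('le0', 'in'); 'le0' or 'all' alone means both directions."""
    if "." in part:
        interface, direction = part.split(".", 1)
    else:
        interface, direction = part, "all"
    if not interface or direction not in DIRECTIONS:
        raise ValueError(f"bad interface/direction spec: {part!r}")
    return interface, direction


def parse_target(spec: str) -> Target:
    """Parse one target such as 'le0.in@host1', 'all@host2', 'host3' or 'all.out'."""
    if not spec or re.search(r"\s", spec):
        # Whitespace separates targets; inside one (e.g. 'le0.in @ host1') it is never valid.
        raise ValueError(f"whitespace is not allowed inside a target: {spec!r}")
    if "@" in spec:
        iface_part, host = spec.split("@", 1)
        if not host or "@" in host:
            raise ValueError(f"malformed host part in {spec!r}")
        interface, direction = _split_interface(iface_part)
        return Target(interface, direction, host)
    if spec == "all":
        return Target("all", "all", "localhost")   # assumption: bare 'all' is local
    # No '@': either 'interface.direction' on localhost, or a bare host name / IP.
    head, dot, tail = spec.rpartition(".")
    if dot and tail in DIRECTIONS and "." not in head:
        interface, direction = _split_interface(spec)
        return Target(interface, direction, "localhost")
    return Target("all", "all", spec)   # host only: 'all' is assumed


def parse_conf(text: str) -> list:
    """Parse the contents of a -conf file or $FWDIR/conf/sys.conf into targets."""
    return [parse_target(tok) for tok in CONF_SEPARATORS.split(text) if tok]


if __name__ == "__main__":
    # Constructed sample file contents using the separators the page allows.
    sample = "le0.in@host1 all@host2,host3\tall.out\nall.all"
    for target in parse_conf(sample):
        print(target)
```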

Setup

In This Section

cpconfig page 550


cpstart page 553
cpstop page 553
fwstart page 554
fwstop -default and fwstop -proc page 554


cpconfig
cpconfig reconfigures an existing VPN-1/FireWall-1 installation.

Usage

cpconfig

Windows
On Windows platforms, the reconfiguration application is a GUI application that displays all the
configuration windows from the VPN-1/FireWall-1 installation as tabs in the same window
(FIGURE 18-1).
FIGURE 18-1 VPN-1/FireWall-1 Configuration window

To reconfigure an option, click on the appropriate tab and modify the fields as required. Click
on OK to apply the changes.
The tabs that appear depend on the installed configuration and product(s). The tabs and their
fields are described in Chapter 4, “Installing and Configuring VPN-1/FireWall-1” of the Check
Point Getting Started Guide and in Chapter 1, “Configuring VPN-1/FireWall-1” of the Check
Point SmartCenter Guide.


Unix
cpconfig displays a screen with the configuration options. The options that appear depend on the
installed configuration and product(s). The options and their fields are briefly described in
TABLE 18-3. For a full description, see Chapter 4, “Installing and Configuring VPN-1/FireWall-1”
of the Check Point Getting Started Guide and Chapter 1, “Configuring VPN-1/FireWall-1” of the
Check Point SmartCenter Guide.
Choose the configuration options you wish to reconfigure.

Welcome to VPN-1/FireWall-1 Configuration Program.


============================================
This program will let you re-configure your VPN-1/FireWall-1
configuration.
----------------------
(1) Licenses
(2) Administrators
(3) GUI clients
(4) SNMP Extension
(5) Groups
(6) PKCS#11 Token
(7) Random Pool
(8) Certificate Authority
(9) Secure Internal communication
(10) CA Keys
(11) Fingerprint
(12) Enable High Availability
(13) Automatic Start of Check Point Modules

(16) Exit

Enter your choice (1-13) :


Thank You...

Note - The options shown depend on the installed configuration and product(s).


TABLE 18-3 cpconfig configuration options

option — description (see also...)

Licenses — Update VPN-1/FireWall-1 licenses. See also “cplic put...” on page 624.
Administrators — Update the list of administrators, users who are authorized to connect to a
SmartCenter Server through the GUI. See also “Administrators” on page 78 of the Check Point
Getting Started Guide.
GUI clients — Update the list of GUI Clients, machines from which administrators are authorized
to connect to a SmartCenter Server through the GUI. See also “SMART Clients” on page 84 of
the Check Point Getting Started Guide.
SNMP Extension — Configure the SNMP daemon. The SNMP daemon enables the VPN/FireWall
Module to export its status to external network management tools. See also Chapter 8, “SNMP
and Network Management Tools” of the Check Point FireWall-1 Guide.
Groups — Update the list of Unix groups authorized to run VPN-1/FireWall-1. See also
“Automatic Start of Check Point Modules (Unix only)” on page 95 of the Check Point Getting
Started Guide.
PKCS #11 Token — Register a cryptographic token for use by VPN-1/FireWall-1, see details of
the token, and test its functionality. See also “PKCS#11 Token” on page 55 of the Check Point
Virtual Private Networks Guide.
Random Pool — Configure RSA keys. See also Chapter 3, “Certificate Authorities” of the Check
Point Virtual Private Networks Guide.
Certificate Authority — Configure Certificate Authority keys. See also Chapter 3, “Certificate
Authorities” of the Check Point Virtual Private Networks Guide.
Secure Internal communication — Used to set up trust between this machine and the SmartCenter
Server. Once trust is established this machine can communicate with other Check Point
communicating components. See also “Secure Internal Communication” on page 89 of the Check
Point Getting Started Guide.
Fingerprint — Shows the SmartCenter Server’s fingerprint, a text string derived from the
certificate of the SmartCenter Server. It is used to verify the identity of the SmartCenter Server
being accessed via the GUI Client. See also “Fingerprint” on page 93 of the Check Point Getting
Started Guide.
High Availability — Specify whether this gateway is a member of a High Availability Gateway
Cluster. See also Chapter 5, “ClusterXL” of the Check Point SmartCenter Guide.
Automatic Start of Check Point Modules — Specify whether the VPN/FireWall Module will start
automatically at boot time.

cpstart

Note - On Win32 platforms, use the Services applet in the Control Panel to stop and
start Check Point Services.

cpstart starts all the Check Point applications running on a machine (other than cprid, which
is invoked upon boot and keeps on running independently).
cpstart implicitly invokes fwstart (or any other installed Check Point product, such as fgstart,
uagstart, etc.).

Usage

cpstart

cpstop

Note - On Win32 platforms, use the Services applet in the Control Panel to stop and
start Check Point Services.

cpstop stops all the Check Point applications running on a machine (other than cprid, which
is invoked upon boot and keeps on running independently).
cpstop implicitly invokes fwstop (or any other installed Check Point product, such as fgstop,
uagstop, etc.).


Usage

cpstop
cpstop -fwflag [-proc | -default]

TABLE 18-4 cpstop options

parameter meaning
-fwflag -proc When calling fwstop, pass it the -proc argument (see
“fwstop -default and fwstop -proc” on page 554).
-fwflag -default When calling fwstop, pass it the -default argument
(see “fwstop -default and fwstop -proc” on page 554).

fwstart
Note -
• Use fwstop and fwstart only for boot security reasons (see the Check Point FireWall-1
Guide). To stop and start Check Point processes, use cpstop and cpstart (see page 553).
• On Win32 platforms, use the Services applet in the Control Panel to stop and
start Check Point Services.

fwstart -f loads the VPN/FireWall Module and starts the following processes:
• The FireWall-1 daemon (fwd), which creates the VPN-1 daemon (vpnd).
• The SmartCenter Server (fwm).
• VPN-1/FireWall-1 SNMP daemon (snmpd).
• The authentication daemons (these are started when needed).

fwstop -default and fwstop -proc


Note -
• Use fwstop and fwstart only for boot security reasons (see the Check Point FireWall-1
Guide). To stop and start Check Point processes, use cpstop and cpstart (see page 755).
• On Win32 platforms, use the Services applet in the Control Panel to stop and start
Check Point Services.

Usage

fwstop [-default | -proc]


Options

TABLE 18-5 Options for fwstop

Options Meaning
(no parameters) Kills all VPN-1/FireWall-1 processes, that is:
• FireWall-1 daemon (fwd)
• VPN-1 daemon (vpnd)
• the Management Server (fwm)
• VPN-1/FireWall-1 SNMP daemon (snmpd)
• the authentication daemons
The VPN-1/FireWall-1 Security Policy is then unloaded from
the kernel.
-default Kills VPN-1/FireWall-1 processes (fwd, fwm, vpnd, fwssd). Logs,
kernel traps, resources, and all security server connections stop
working.
The Security Policy in the kernel is replaced with the Default
Filter.
-proc Kills VPN-1/FireWall-1 processes (fwd, fwm, vpnd, fwssd). Logs,
kernel traps, resources, and all security server connections stop
working.
The Security Policy remains loaded in the kernel. Therefore rules
with generic allow/reject/drop rules, based only on service,
continue working.


Control

In This Section

fwm load page 556
fwm unload page 558
fwm load page 559
fwm fetch page 560
fwm logswitch page 596
fwm putkey page 561
fwm dbload page 562
rs_db_tool page 563

fwm load
fwm load compiles and installs a Security Policy to the target’s VPN/FireWall Modules. This is
done in one of two ways:
• fwm load compiles and installs an Inspection Script (*.pf) file to the designated
VPN/FireWall Modules.
• fwm load converts a Rule Base (*.W) file created by the GUI into an Inspection Script
(*.pf) file, then installs it to the designated VPN/FireWall Modules.
Note - The scope of a set of rules in a Rule Base and the targets of a Rule Base installation
are not the same. The system will install the entire Rule Base on the designated targets.
However, only the rules whose scope includes the target system will actually be enforced
on a target.

To protect a target, you must load a Policy that contains rules whose scope matches the target.
If none of the rules are enforced on the target, then all traffic through the target is blocked.


Usage

fwm load [-all | -conf conffile] [filter-file | rule-base] [-ip IPaddress] targets

Options

TABLE 18-6 fwm load options

parameter meaning
-all The command is to be executed on all targets specified in the
default system configuration file ($FWDIR/conf/sys.conf). This
file must be manually created. For more information, see
“Targets” on page 548.
-conf conffile The command is to be executed on the targets specified in
conffile. For more information, see “Targets” on page 548.
filter-file An Inspection Script (*.pf).
rule-base A Rule Base file (*.W) created by the GUI. The file's full
pathname must be given.
-ip IPaddress Install the Policy on the Module with the specified IP address.
This parameter is used for installing a Policy on a DAIP Module
(see Chapter 14, “Dynamically Assigned IP Addresses” of Check
Point SmartCenter Guide). Note that:
• If this parameter is used, then targets must be a DAIP
Module.
• Only one DAIP Module may be specified for each execution
of this command.
targets The command is to be executed on the designated
VPN/FireWall Modules. For more information, see “Targets” on
page 548.

When fwm load and fwm unload are Run From the GUI
The fwm load and fwm unload commands are run when the user installs or uninstalls a Policy
from the GUI (by choosing Install or Uninstall from the Policy menu). In this case, the
parameters are:

TABLE 18-7 fwm load and fwm unload parameters

parameter meaning
-x load or -x unload load or unload
-s<ConnectionNumber> internal parameter
policy-file For example, C:\WINNT\FW1\NG\conf\Standard.W .
targets The Module on which the Policy will be installed.
You can modify this behavior so that choosing Install or UnInstall from the Policy menu runs
a program or shell script (batch file) of your choice. For example, to run bigapple, define the
attribute :load_program(<batch file name>) at the highest level of
$FWDIR/conf/objects_5_0.C:

load_program ("bigapple")

bigapple will be run with the parameter list above (TABLE 18-7). It is then your responsibility
to ensure that bigapple correctly processes its arguments and installs or uninstalls the Security
Policy. Of course, bigapple can also perform any other functions you wish.
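As an added illustration (not Check Point code), the following Python script could stand in for bigapple: it checks the TABLE 18-7 argument list, assuming the order -x load|unload, -s<ConnectionNumber>, policy-file, targets, writes an audit line to a log file whose path is an assumption, and then runs the equivalent fwm load or fwm unload command:

```python
"""A stand-in for the load_program hook (the page's "bigapple").

Added example, not Check Point code. It assumes the argument list of
TABLE 18-7 in the order shown there: "-x load" or "-x unload", the
"-s<ConnectionNumber>" internal parameter, the policy file, then one or
more targets. It validates those arguments, records the request in an
audit log (path is an assumption), and then hands the work to the real
fwm command, as SmartDashboard would have done without the hook.
"""
import os
import re
import subprocess
import sys
import time

AUDIT_LOG = os.environ.get("LOAD_PROGRAM_LOG", "load_program_audit.log")  # assumption


def parse_args(argv: list) -> dict:
    """Turn the TABLE 18-7 argument list into a dict; raise ValueError on anything odd."""
    if len(argv) < 4 or argv[0] != "-x" or argv[1] not in ("load", "unload"):
        raise ValueError("expected: -x load|unload -s<ConnectionNumber> policy-file targets...")
    action = argv[1]
    m = re.fullmatch(r"-s(\d+)", argv[2])
    if not m:
        raise ValueError(f"bad connection parameter: {argv[2]!r}")
    policy_file = argv[3]
    targets = argv[4:]
    if not targets:
        raise ValueError("at least one target is required")
    if action == "load" and not policy_file.endswith(".W"):
        # The GUI hands over a Rule Base (*.W) file; anything else is a sign of tampering.
        raise ValueError(f"policy file must be a Rule Base (*.W) file: {policy_file!r}")
    for t in targets:
        # Only characters that occur in the target syntax (host, iface.dir@host).
        if not re.fullmatch(r"[A-Za-z0-9._@-]+", t):
            raise ValueError(f"suspicious target name: {t!r}")
    return {"action": action, "connection": int(m.group(1)),
            "policy_file": policy_file, "targets": targets}


def build_fwm_command(args: dict) -> list:
    """The fwm command line equivalent to what the GUI would have run."""
    if args["action"] == "load":
        return ["fwm", "load", args["policy_file"], *args["targets"]]
    return ["fwm", "unload", *args["targets"]]


def audit(args: dict, cmd: list, rc: int) -> str:
    """Append one audit line per request; returns the line so callers can check it."""
    line = "%s conn=%d action=%s policy=%s targets=%s cmd=%r rc=%s" % (
        time.strftime("%Y-%m-%dT%H:%M:%S"), args["connection"], args["action"],
        args["policy_file"], ",".join(args["targets"]), " ".join(cmd), rc)
    with open(AUDIT_LOG, "a") as fh:
        fh.write(line + "\n")
    return line


def main(argv: list) -> int:
    try:
        args = parse_args(argv)
    except ValueError as e:
        print(f"load_program: {e}", file=sys.stderr)
        return 2
    cmd = build_fwm_command(args)
    rc = subprocess.call(cmd)   # run the real installer / uninstaller (fwm on PATH)
    audit(args, cmd, rc)
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```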

Examples

fwm load my_rules.W
fwm load gateway.pf gateway1
fwm load -all complex_rules.pf

fwm unload
fwm unload uninstalls the currently loaded Inspection Code from selected targets.


Usage

fwm unload [-all | -conf conffile] targets

Options

TABLE 18-8 fwm unload options

parameter meaning
-all The command is to be executed on all targets specified in the
default system configuration file ($FWDIR/conf/sys.conf). For
more information, see “Targets” on page 548.
-conf conffile The command is to be executed on the targets specified in
conffile. For more information, see “Targets” on page 548.
targets The command is to be executed on these specified
VPN/FireWall Modules. For more information, see “Targets” on
page 548.

Examples

fwm unload gateway1
fwm unload -all

fwm load
The Management Server maintains a repository of database versions. fwm load installs a
VPN-1/Firewall-1 Security Policy of a specific version on a Module without changing the
definition of the current active database version on the SmartCenter Server.
You can install a VPN-1/Firewall-1 Security Policy on a remote Module or on a Module that
resides on the same machine as the SmartCenter Server.

Note - If you are installing a specific version of a Security Policy on a remote Module, the
local user database is not installed.


Scheduling the VPN-1/Firewall-1 Security Policy Installation

You create and save a VPN-1/Firewall-1 Security Policy using the Revision Control feature
(see “Tracking Revision Control” in Chapter 3, “Graphical User Interface”). After defining and
saving the VPN-1/Firewall-1 Security Policy, you can install it at a time which is convenient for
you, for example, when the system is not so busy. For information on how to install a Security
Policy, see “Installing Security Policies” in Chapter 8, “Security Policy Rule Base”.

Note - To use the Revision Control feature, you must have the appropriate license.

Backward Compatibility
The version repository can maintain NG FP2 and NG FP3 Security Policy versions. Currently,
only VPN-1/FireWall-1 Security Policies that were defined and saved in version NG FP3, can
be installed on Modules.

Usage

fwm load [-v version number] <rulebase> <targets>

Options

TABLE 18-9 fwm load options

parameter meaning
-v version number Retrieves the Security Policy from the version repository.
Version number is the Security Policy version number saved in
the version repository.
<rulebase> A Rule Base file (*.W) created by the GUI.
Only the file's name is given and not its full pathname.
<targets> The command is to be executed on the designated
VPN/FireWall Modules. For more information, see “Targets” on
page 548.

Example
The following command:

fwm load -v18 standard.W johnny

installs Security Policy Standard.W, version 18 in the version repository, on Module “johnny”.

fwm fetch
fwm fetch fetches the Inspection Code from the specified host and installs it to the kernel.


Usage

fwm fetch [-n] -f | targets

Options

TABLE 18-10 fwm fetch options

parameter meaning
-n Fetch the Policy from the SmartCenter Server to the local
state directory, and install the Policy only if the fetched
Policy is different from the Policy already installed.
-f filename Fetch the Policy from SmartCenter Servers listed in
filename. If filename is not specified, the list in
conf/masters is used.
-i Ignore the SIC information (for example, SIC name) in
the database and use the information in conf/masters.
This option is used when a Policy is fetched for the first
time by a DAIP Module from a SmartCenter Server with
a changed SIC name.
targets The name of the SmartCenter Server from which to fetch
the Policy. You may specify a list of one or more
SmartCenter Servers, such as master1 master2, which
will be searched in the order listed. See also “Target
Usage” on page 549.
If targets is not specified, or if targets is inaccessible,
the Policy is fetched from localhost.

Examples

fwm fetch gateway1

fwm putkey
fwm putkey installs a VPN-1/FireWall-1 authentication password on a host. This password is
used to authenticate internal communications between VPN/FireWall Modules and between a
Check Point Module and its SmartCenter Server. That is, the password is used to authenticate
the control channel the first time communication is established.
fwm putkey is required for some backward compatibility scenarios. For an example of such a
scenario, see “If I have an NG management and a 4.1 or 4.0 Module, how do I re-establish
communication between them?” on page 108 of the Check Point Getting Started Guide.


Usage

fwm putkey [-no_opsec] [-opsec] [-ssl] [-p password] [-k num] [-n name] target

Options

TABLE 18-11 fwm putkey options

parameter meaning
-no_opsec Only VPN-1/FireWall-1 control connections are enabled.
-opsec Only OPSEC control connections are enabled.
-ssl The key is used for an SSL connection.
-k num The length of the first S/Key password chain for fwa1
authentication (Check Point’s proprietary authentication
protocol). The default is 7. When fewer than 5 passwords
remain, the hosts renegotiate a chain of length 100, based on a
long random secret key. The relatively small default value
ensures that the first chain, based on a short password entered by
the user, is quickly exhausted.
-n name The IP address (in dot notation) to be used by
VPN-1/FireWall-1 when identifying this host to all other hosts,
instead of, for example, the resolution of the hostname
command.
-p password The key (password). If you do not enter the password on the
command line, you will be prompted for it.
target The IP address(es) or the resolvable name(s) of the other host(s)
on which you are installing the key (password). This should be
the IP address of the interface “closest” to the host on which the
command is run. If it is not, you will get error messages such as
the following:
“./fwd: Authentication with hostname for command sync failed”
If neither -opsec nor -no_opsec is specified, then both VPN-1/FireWall-1 and OPSEC
connections are enabled.

fwm dbload
fwm dbload downloads the user database and network objects information (for example,
encryption keys) to selected targets. If no target is specified, then the database is downloaded to
localhost.


Usage

fwm dbload [-all | -conf conffile] [targets]

Options

TABLE 18-12 fwm dbload options

parameter meaning
-all The command is to be executed on all targets specified in
the default system configuration file
($FWDIR/conf/sys.conf). For more information, see
“Targets” on page 548.
-conf conffile The command is to be executed on the targets specified in
conffile. For more information, see “Targets” on page
548.
targets The command is executed on the designated targets. For
more information, see “Target Usage” on page 549.

rs_db_tool
rs_db_tool is used for managing DAIP Modules in a DAIP database.


Usage

rs_db_tool [-d] <-operation <add | fetch | delete | list | sync> > [arguments]

Options

TABLE 18-13 rs_db_tool options

parameter meaning
-d Toggle debug output on.
-operation add — add entry to database (see arguments below)
fetch — get entry from database
delete — delete entry from database (see arguments below)
list — list all the database entries
sync — synchronize the database
arguments For add, fetch and delete operations, the following
arguments must be used:
• add — <-name object_name> <-ip module_ip> <-TTL Time-To-Live>
• fetch — <-name object_name>
• delete — <-name object_name>
Where:
• object_name — name of the module object.
• module_ip — IP address of the module.
• Time-To-Live — relative time interval (in seconds) during which the entry is valid. A value
of zero specifies “unlimited”.

Monitor
In This Section

Check Point WatchDog (cpwd) page 565
cpstat page 567
fwm lichosts page 569
fwm ver page 569
fwm sam page 570


Check Point WatchDog (cpwd)


WatchDog (cpwd) is a process that invokes and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail. Among the processes monitored by WatchDog are cpd, fwd and fwm. cpwd is part of the SVN Foundation.
cpwd writes monitoring information to the $CPDIR/log/cpwd.elg log file. In addition, monitoring information is written to the console on UNIX platforms, and to the Event Viewer on Windows.
The cpwd_admin utility is used to show the status of the monitored processes and to configure cpwd.

cpwd_admin Usage

cpwd_admin list
cpwd_admin config -p
cpwd_admin config -a <value to add=data value=data...>
cpwd_admin config -d <values to delete from WD configuration>

Options

parameter   meaning
list        Show the status of the processes for which cpwd is responsible.
config -p   Show the cpwd parameters added using the config -a option.
Note - The following commands have no effect if cpwd is running. They will affect cpwd the next time it is run.
config -a   Add one or more monitoring parameters to the cpwd configuration. See “Cpwd_admin config Parameters” on page 566.
config -d   Delete one or more parameters from the cpwd configuration. See “Cpwd_admin config Parameters” on page 566.


Cpwd_admin config Parameters

Parameter (with values)               Description
Note - these parameters have no effect if cpwd is running. They will affect cpwd the next time it is run.
timeout (any value in seconds)        If rerun_mode=1, how much time from process failure to rerun. The default is 60 seconds.
no_limit (any value)                  Maximum number of times that cpwd will try to restart a process. The default is 5.
zero_timeout (any value in seconds)   After failing no_limit times to restart a process, cpwd will wait zero_timeout seconds before retrying. The default is 7200 seconds. Should be greater than timeout.
sleep_mode    1   Wait the timeout. This is the default.
              0   Ignore the timeout. Rerun the process immediately.
dbg_mode      1   In debug mode, a process that terminates abnormally (with an exit code other than 0) shows a pop-up message with its termination status. Accept pop-up error messages (Windows NT only).
              0   Do not receive pop-up error messages. This is useful if pop-up error messages freeze the machine. This is the default (Windows NT only).
rerun_mode    1   Rerun a failed process. This is the default.
              0   Do not rerun a failed process. Perform only monitoring.

Examples
The following shows a sample output of the cpwd_admin list command.

#cpwd_admin list
APP PID STAT #START START_TIME COMMAND
CPD 463 E 1 [20:56:10] 21/5/2001 cpd
FWD 440 E 1 [20:56:24] 21/5/2001 fwm fwd
FWM 467 E 1 [20:56:25] 21/5/2001 fwm fwm

An explanation of the column headings:

• APP — Application. The name of the process.
• PID — Process Identification Number.
• STAT — Whether the process Exists (E) or has been Terminated (T).
• #START — How many times the process has been started since cpwd took control of the process.
• START_TIME — The last time the process was run.
• COMMAND — The command that cpwd used to start the process.

The following example shows two configuration parameters being changed: timeout to 120 seconds, and no_limit to 10.

C:\>cpwd_admin config -p
WD doesn't have configuration parameters

C:\>cpwd_admin config -a timeout=120 no_limit=12

C:\>cpwd_admin config -p
WD Configuration parameters are:
timeout : 120
no_limit : 12
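As an added illustration (not code from the guide or from Check Point), the following Python reads a `cpwd_admin list` table in the layout shown above, flags terminated or restarted processes, and models the rerun schedule implied by the timeout, no_limit, zero_timeout, sleep_mode and rerun_mode parameters. The sample rows are constructed, and the exact behaviour after the zero_timeout wait is an assumption drawn from the parameter descriptions.

```python
"""Added example (not Check Point code): parse `cpwd_admin list` output,
flag processes an operator should look at, and model the rerun schedule
implied by the cpwd_admin config parameters."""
import re
from dataclasses import dataclass

# Constructed sample in the `cpwd_admin list` layout; the FWD and FWM rows
# were altered to show a restarted and a terminated process.
SAMPLE_LIST = """\
APP      PID   STAT  #START  START_TIME            COMMAND
CPD      463   E     1       [20:56:10] 21/5/2001  cpd
FWD      440   E     3       [20:56:24] 21/5/2001  fwm fwd
FWM      467   T     1       [20:56:25] 21/5/2001  fwm fwm
"""

LIST_ROW = re.compile(
    r"^(?P<app>\S+)\s+(?P<pid>\d+)\s+(?P<stat>[ET])\s+(?P<starts>\d+)\s+"
    r"(?P<start_time>\[\d\d:\d\d:\d\d\]\s+\S+)\s+(?P<command>.+?)\s*$"
)


@dataclass
class CpwdProcess:
    app: str
    pid: int
    stat: str        # E = exists, T = terminated
    starts: int      # #START column
    start_time: str
    command: str


def parse_cpwd_list(text):
    """Turn the table printed by `cpwd_admin list` into CpwdProcess records."""
    procs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("APP") or stripped.startswith("#"):
            continue  # blank line, column header, or the echoed command
        m = LIST_ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised cpwd_admin list row: {line!r}")
        g = m.groupdict()
        procs.append(CpwdProcess(g["app"], int(g["pid"]), g["stat"],
                                 int(g["starts"]), g["start_time"], g["command"]))
    return procs


def find_anomalies(procs):
    """Terminated processes, and processes cpwd has already had to restart."""
    findings = []
    for p in procs:
        if p.stat == "T":
            findings.append(f"{p.app}: terminated (pid {p.pid}), last started {p.start_time}")
        elif p.starts > 1:
            findings.append(f"{p.app}: restarted {p.starts - 1} time(s) by cpwd")
    return findings


# Defaults from the Cpwd_admin config Parameters table.
DEFAULTS = {"timeout": 60, "no_limit": 5, "zero_timeout": 7200,
            "sleep_mode": 1, "rerun_mode": 1}


def restart_delays(failures, **overrides):
    """Seconds cpwd waits before each rerun over `failures` consecutive failures.

    Modelled from the parameter table (an assumption, not cpwd's source):
    rerun_mode=0 never reruns; sleep_mode=0 reruns at once; otherwise each
    rerun waits `timeout`, and after `no_limit` failed reruns the next one
    waits `zero_timeout`, after which the quick-retry count starts again.
    """
    cfg = {**DEFAULTS, **overrides}
    if cfg["rerun_mode"] == 0:
        return []                      # monitoring only
    delays, quick = [], 0
    for _ in range(failures):
        if quick == cfg["no_limit"]:
            delays.append(cfg["zero_timeout"])
            quick = 0
        else:
            delays.append(0 if cfg["sleep_mode"] == 0 else cfg["timeout"])
            quick += 1
    return delays


if __name__ == "__main__":
    for finding in find_anomalies(parse_cpwd_list(SAMPLE_LIST)):
        print(finding)
    # schedule after the `config -a timeout=120 no_limit=12` change shown above
    print(restart_delays(13, timeout=120, no_limit=12))
```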

cpstat
cpstat displays the status of Check Point applications, either on the local machine or on
another machine, in various formats.

Usage

cpstat [-h host][-p port][-f flavour][-d] application_flag

Executing cpstat with no parameters displays a list of parameters and their meanings.


Options

TABLE 18-14 cpstat options

parameter   meaning
-h host     A resolvable hostname, or a dot-notation address (for example, 192.168.33.23). The default is localhost.
-p port     Port number of the AMON server. The default is the standard AMON port (18192).
-f flavor   The flavor of the output (as appears in the configuration file). The default is to use the first flavor found in the configuration file.
entity      One of:
            • fwm — FireWall-1
            • vpn — VPN-1
            • fg — FloodGate-1
            • ha — High Availability
            • os — for OS Status
            • mg — for Management Status

TABLE 18-15 Entities and Flavors

entity   available flavors
fw       “default”, “all”, “policy”, “performance”, “hmem”, “kmem”, “inspect”, “cookies”, “chains”, “fragments”, “totals”, “ufp_caching”, “http_stat”, “ftp_stat”, “telnet_stat”, “rlogin_stat”, “ufp_stat”, “smtp_stat”
vpn      “product”, “general”, “IKE”, “ipsec”, “fwz”, “accelerator”, “all”
ha       “default”, “all”
mg       “default”
os       “default”, “routing”
fg       “all”


Example

> cpstat fw

Policy name: Standard
Install time: Wed Nov 1 15:25:03 2000

Interface table
-----------------------------------------------------------------
|Name|Dir|Total   |Accept  |Deny|Log|
-----------------------------------------------------------------
|hme0|in |739041  |738990  |51  |7  |
-----------------------------------------------------------------
|hme0|out|463525  |463525  | 0  |0  |
-----------------------------------------------------------------
         |1202566 |1202515 |51  |7  |

fwm lichosts
fwm lichosts prints a list of hosts protected by the VPN-1/FireWall-1/n products.
The list of hosts is in the file $FWDIR/database/fwd.h.

Usage

fwm lichosts [-x] [-l]

Options

TABLE 18-16 fwm lichosts options

parameter meaning
-x use hexadecimal format
-l use long format

fwm ver
fwm ver displays the VPN-1/FireWall-1 major version number, the build number, and a copyright notice. The number is the version of the VPN-1/FireWall-1 daemon and the compiler. The version of the GUI is displayed in the opening screen, and can be viewed at any time from the Help menu.


Usage

fwm ver [ -k ] [-f filename]

Options

TABLE 18-17 fwm ver options

parameter     meaning
-k            Print the version name and build number of the Kernel Module.
-f filename   Print the version name and build number to the file filename.

fwm sam
fwm sam inhibits (blocks) connections to and from specific IP addresses without the need to change the Security Policy. The command is logged.
To “uninhibit” inhibited connections, execute fwm sam again with the -C or -D parameters.
fwm sam can also monitor the active SAM requests (see the -M parameter below).


Usage

fwm sam [-v] [-s sam_server] [-S server_sic_name] [-t timeout] [-l log] [-f fw_host] [-C] -(n|i|I|j|J) criteria
fwm sam [-v] [-s sam_server] [-S server_sic_name] [-f fw_host] -D
fwm sam [-v] [-s sam_server] [-S server_sic_name] [-f fw_host] -M -ijn criteria

Options

TABLE 18-18 fwm sam options

parameter            meaning
-v                   Verbose mode — writes one message (describing whether the command was successful or not) to stderr for each VPN/FireWall Module on which the command is enforced.
-s sam_server        The IP address (in dot format) or the resolvable name of the FireWalled host that will enforce the command. The default is localhost. See “Configuration Files” on page 574 for more information.
-S server_sic_name   The SIC name of the SAM server to be contacted. It is expected that the SAM server will have this SIC name, otherwise the connection will fail. If no server SIC name is supplied, the connection will proceed without comparing SIC names. For more information on enabling SIC, refer to the OPSEC™ API Specification.
-f fw_host           The VPN/FireWall Modules on which to enforce the action. Can be one of the following (default is “All”). See “Configuration Files” on page 574 for more information.
                     value                                   the action will be enforced on...
                     “localhost”                             the machine on which the SAM server runs
                     the name of a VPN-1/FireWall-1          this object; if this object is a group, every object in the group
                     object or group
                     Gateways                                all the Firewalls (managed by the SmartCenter Server on or under which the SAM server runs) which are defined as gateways
                     All                                     all the Firewalls managed by the SmartCenter Server on or under which the SAM server runs
-t timeout           The time period (in seconds) for which the action will be enforced. The default is forever or until cancelled.
-l log               The type of the log for enforced actions. Can be one of the following: nolog, long_noalert, long_alert. The default is long_alert.
-C                   Cancel the specified command (that is, inhibited connections with the specified parameters will no longer be inhibited). The parameters must match the ones in the original command except timeout.
-D                   Cancel all inhibit (-i, -j, -I, -J) and notify (-n) commands.
-n                   Notify, that is, generate a long-format log entry and an alert when connections that match the specified services or IP addresses pass through the FireWall. This action does not inhibit or close connections.
-i                   Inhibit the specified connections (that is, do not allow new connections with the specified parameters). Each inhibited connection is logged according to the log type. Connections will be rejected.
-I                   Inhibit the specified connections, and close all existing connections with the specified parameters. Each inhibited connection is logged according to the log type. Connections will be rejected.
-j                   Inhibit the specified connections. Each inhibited connection is logged according to the log type. Connections will be dropped.
-J                   Inhibit the specified connections, and close all existing connections with the specified parameters. Each inhibited connection is logged according to the log type. Connections will be dropped.
-M                   Monitor the active SAM requests with the specified actions and criteria.


TABLE 18-19 fwm sam Criteria Table

value                                                      connectivity match on...
src <ip>                                                   Match the source IP address of the connection.
dst <ip>                                                   Match the destination IP address of the connection.
any <ip>                                                   Match either the source IP address or the destination IP address of the connection.
subsrc <ip> <netmask>                                      Match the source IP address of the connections according to the netmask.
subdst <ip> <netmask>                                      Match the destination IP address of the connections according to the netmask.
subany <ip> <netmask>                                      Match either the source IP address or destination IP address of connections according to the netmask.
srv <src ip> <dst ip> <service> <protocol>                 Match the specific source IP address, destination IP address, service and protocol.
subsrvd <src ip> <dst ip> <netmask> <service> <protocol>   Match specific source IP address, destination IP address, service and protocol. Destination IP address is assigned according to the netmask.
dstsrv <dst ip> <service> <protocol>                       Match specific destination IP address, service and protocol.
subdstsrv <dst ip> <netmask> <service> <protocol>          Match specific destination IP address, service and protocol. Destination IP address is assigned according to the netmask.
srcpr <ip> <protocol>                                      Match the source IP address and protocol.
dstpr <ip> <protocol>                                      Match the destination IP address and protocol.
subsrcpr <ip> <netmask> <protocol>                         Match the source IP address and protocol of connections. Source IP address is assigned according to the netmask.
subdstpr <ip> <netmask> <protocol>                         Match the destination IP address and protocol of connections. Destination IP address is assigned according to the netmask.
all none                                                   Get all active requests. For monitoring purposes only.

Configuration Files
There are two configuration files in $FWDIR/conf that affect the functionality of the fwm sam
command:

product.conf

This file (which you should not modify) has two parameters relevant to fwm sam:
• Management
When VPN-1/FireWall-1 is installed, this parameter is set to 1 on SmartCenter Servers and to 0 on VPN/FireWall Modules. On machines which are both SmartCenter Servers and VPN/FireWall Modules, this parameter is set to 1.
• FireWall
When VPN-1/FireWall-1 is installed, this parameter is set to 0 on SmartCenter Servers and to 1 on VPN/FireWall Modules. On machines which are both SmartCenter Servers and VPN/FireWall Modules, this parameter is set to 1.
On a machine on which Management is 0, the fwm sam command cannot perform remote actions (that is, it cannot inhibit connections through other machines).
On a machine on which FireWall is 0, the fwm sam command cannot perform local actions (that is, it can inhibit connections only through other machines).
fwopsec.conf

The sam_allowed_remote_requests parameter (default value “no”) determines whether the fwm sam command on this machine can perform remote commands. To enable a VPN/FireWall Module to inhibit connections through other FireWalled machines, set sam_allowed_remote_requests to “yes”. Do not try to accomplish this by modifying product.conf.

The ability to set a maximum size to the SAM history file is available. It is configured from the fwopsec.conf file by adding the following line:

sam_server purge_file_no_of_records #

Where # is the number of records in the file. The default value of this attribute is 2000.

Examples
The command:

fwm sam -t 600 -i src louvre

inhibits all connections originating on louvre for 10 minutes. Connections will be rejected.
The command:

fwm sam -l long_alert -J subsrvs louvre 255.255.255.0 eifel 21 6

inhibits all FTP connections from the louvre subnet to eifel. All existing open connections will be closed. New connections will be dropped, and a log and alert will be sent.
This command will be enforced forever or until canceled by the following command:

fwm sam -C -l long_alert -J subsrvs louvre 255.255.255.0 eifel 21 6

The command:

fwm sam -M -nij any louvre

monitors all active inhibit or notify SAM requests in which louvre is the source or destination IP address.
The command:

fwm sam -C -i src louvre

cancels the command in the first example.
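As an added example that is not part of the guide, the following Python checks an fwm sam command line against the options and criteria tables before it is issued, and derives the -C command that cancels it (same parameters with the timeout dropped, as the -C description requires). The argument count for subsrvs, which appears only in the examples above and not in the criteria table, is assumed to match subsrvd.

```python
"""Added example (not Check Point code): validate an fwm sam command line
against the criteria table and derive the matching -C (cancel) command."""

VALUE_OPTIONS = {"-s", "-S", "-t", "-l", "-f"}
FLAG_OPTIONS = {"-v", "-C", "-D", "-M"}
ACTIONS = set("niIjJ")
LOG_TYPES = {"nolog", "long_noalert", "long_alert"}

# criterion -> number of arguments it takes, from TABLE 18-19.
# subsrvs appears only in the guide's examples (src ip, netmask, dst ip,
# service, protocol); its five-argument arity is assumed to mirror subsrvd.
CRITERIA_ARITY = {
    "src": 1, "dst": 1, "any": 1,
    "subsrc": 2, "subdst": 2, "subany": 2,
    "srv": 4, "subsrvs": 5, "subsrvd": 5,
    "dstsrv": 3, "subdstsrv": 4,
    "srcpr": 2, "dstpr": 2, "subsrcpr": 3, "subdstpr": 3,
    "all": 0,   # monitoring only
}


def parse_fwm_sam(argv):
    """Split `fwm sam ...` into options, action letters and criteria; ValueError on misuse."""
    if argv[:2] != ["fwm", "sam"]:
        raise ValueError("not an fwm sam command")
    opts, actions, i = {}, "", 2
    while i < len(argv) and argv[i].startswith("-"):
        tok = argv[i]
        if tok in VALUE_OPTIONS:
            if i + 1 >= len(argv):
                raise ValueError(f"{tok} requires a value")
            opts[tok] = argv[i + 1]
            i += 2
        elif tok in FLAG_OPTIONS:
            opts[tok] = True
            i += 1
        elif len(tok) > 1 and set(tok[1:]) <= ACTIONS:
            actions += tok[1:]          # -i, or combined letters such as -nij
            i += 1
        else:
            raise ValueError(f"unknown option {tok}")
    if "-t" in opts and not opts["-t"].isdigit():
        raise ValueError("-t timeout must be a whole number of seconds")
    if "-l" in opts and opts["-l"] not in LOG_TYPES:
        raise ValueError(f"-l must be one of {sorted(LOG_TYPES)}")
    if "-D" in opts:                    # -D cancels everything: no action, no criteria
        return {"opts": opts, "actions": "", "criterion": None, "args": []}
    if not actions:
        raise ValueError("one of -n, -i, -I, -j, -J (or -D) is required")
    if len(actions) > 1 and "-M" not in opts:
        raise ValueError("combined action letters are only valid with -M")
    if i >= len(argv):
        raise ValueError("criteria missing")
    crit, args = argv[i], argv[i + 1:]
    if crit not in CRITERIA_ARITY:
        raise ValueError(f"unknown criterion {crit}")
    if len(args) != CRITERIA_ARITY[crit]:
        raise ValueError(f"{crit} takes {CRITERIA_ARITY[crit]} argument(s), got {len(args)}")
    return {"opts": opts, "actions": actions, "criterion": crit, "args": args}


def cancel_command(argv):
    """Return the `fwm sam -C` line that cancels argv: same parameters, timeout dropped."""
    parsed = parse_fwm_sam(argv)
    if any(flag in parsed["opts"] for flag in ("-C", "-D", "-M")):
        raise ValueError("only an inhibit or notify command can be cancelled")
    out, i = ["fwm", "sam", "-C"], 2
    while i < len(argv):
        if argv[i] == "-t":             # -C must match the original except timeout
            i += 2
            continue
        out.append(argv[i])
        i += 1
    return out


if __name__ == "__main__":
    print(" ".join(cancel_command("fwm sam -t 600 -i src louvre".split())))
```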

Utilities

In This Section

fwm ctl page 576
fwm gen page 579
fwm kill page 580
fwell page 581
fwm tab page 584
dynamic_objects page 585
dbedit page 587
queryDB_util page 591


fwm ctl
fwm ctl sends control information to the VPN-1/FireWall-1 Kernel Module.


Usage

fwm ctl [ip_forwarding option] | pstat | install | uninstall | iflist | arp

Options

TABLE 18-20 fwm ctl options

parameter              meaning
ip_forwarding option   option is one of the following:
                       value     match
                       never     VPN-1/FireWall-1 does not control (and thus never changes) the status of IP Forwarding.
                       always    VPN-1/FireWall-1 controls the status of IP Forwarding irrespective of the state of IP forwarding in the kernel (see page 577).
                       default   VPN-1/FireWall-1 controls the status of IP Forwarding only if IP Forwarding is disabled in the kernel. Otherwise, VPN-1/FireWall-1 does not control (and thus does not
                       For more information, see “IP Forwarding” on page 577.
pstat                  Display VPN-1/FireWall-1 internal statistics.
install                VPN-1/FireWall-1 will intercept packets.
uninstall              VPN-1/FireWall-1 will not intercept packets.
iflist                 Displays the IP interfaces known to the kernel by name and internal number.
arp                    Displays the ARP proxy table, which is a mapping of IP and MAC addresses, and utilizes the local.arp file. (Relevant for Windows platforms only.)

IP Forwarding
Consider the following command:

fwm ctl ip_forwarding always


When VPN-1/FireWall-1 controls the status of IP Forwarding, it changes the status as follows:
• When VPN-1/FireWall-1 is stopped (fwstop), IP Forwarding is disabled.
• When VPN-1/FireWall-1 is started (fwstart), IP Forwarding is enabled.
This ensures that once VPN-1/FireWall-1 has been started for the first time, there is never a
time when the host is forwarding packets while the Policy is not fully loaded.
It is recommended that IP Forwarding be disabled in the kernel. See “Enabling and Disabling IP Forwarding” below for instructions on how to do this. In this way, IP Forwarding will never be enabled unless VPN-1/FireWall-1 is working, no matter which of the above options you have chosen.
In IBM AIX, IP Forwarding is by default disabled during boot, so it is not necessary to disable
it in the kernel.
Disabling IP forwarding protects the networks behind the Module, but it does not protect the
Module itself. For this purpose, VPN-1/FireWall-1 implements a Default Filter. For more
information about Boot Security and the Default Filter, see the Check Point FireWall-1 Guide.

Enabling and Disabling IP Forwarding


It is recommended that IP Forwarding be disabled in the kernel. In this way, IP Forwarding will never be enabled unless VPN-1/FireWall-1 is working, no matter which of the above options you have chosen.
This section specifies how to enable and disable IP Forwarding on the following platforms: Solaris 2.x, HP-UX 11, Windows NT and IBM AIX.

Solaris 2.x (source routed packets)

To turn off IP Forwarding and source routed packets, edit /etc/rc2.d/S69inet and change:

ndd -set /dev/ip ip_forwarding 1

to:

ndd -set /dev/ip ip_forwarding 0
ndd -set /dev/ip ip_forward_src_routed 0

For additional information, refer to the man pages for ndd(1M) and ip(7).

HP-UX 11

To turn off IP Forwarding and source routed packets, edit /etc/rc2.d/S69inet and change:

ndd -set /dev/ip ip_forwarding 1

to:

ndd -set /dev/ip ip_forwarding 0


Windows NT

To turn off IP Forwarding:

1 Open the Network applet in the Windows Control Panel. In the Protocols tab, select TCP/IP and click on Properties. The TCP/IP Properties window is displayed. Select the Routing tab, and check Enable IP Forwarding.
2 Reboot the computer.


IBM AIX

Warning - The AIX default is for IP Forwarding to be off. If you enable IP Forwarding
while VPN-1/FireWall-1 is not running, you will be exposing your network. Make sure that
it is not turned on in one of the .rc scripts during boot. Turn it on (with the
no -o ipforwarding=1 command) in the fwstart script after VPN-1/FireWall-1 starts
enforcing a Security Policy, and turn it off (with the no -o ipforwarding=0 command) in
the fwstop script just before VPN-1/FireWall-1 stops.

To enable IP Forwarding, enter the following command:

no -o ipforwarding=1

To disable IP Forwarding, enter the following command:

no -o ipforwarding=0

fwm gen
fwm gen generates an Inspection Script (*.pf) file or a router access-list from a Rule Base (*.W)
file. Rule Base files are created by the GUI, but you may edit them and use this command to
generate Inspection Scripts (though this is not recommended).


Syntax

fwm gen filename

Options

TABLE 18-21 fwm gen options

parameter meaning
filename The Rule Base file.

Examples

fwm gen $FWDIR/conf/default.W
fwm gen $FWDIR/conf/corporate.W | more
fwm gen $FWDIR/conf/corporate.W > /tmp/corporate.pf

fwm kill
fwm kill sends a signal to a VPN-1/FireWall-1 daemon.

Usage

fwm kill [-t sig_no] proc-name

Options

TABLE 18-22 fwm kill options

parameter               meaning
[-t sig_no] proc-name   If the file $FWDIR/tmp/proc-name.pid exists, send signal sig_no to the pid given in the file. If no signal is specified, signal 15 (SIGTERM) is sent.

The VPN-1/FireWall-1 daemons and Security Servers write their pids to files in the tmp directory upon startup. These files are named $FWDIR/tmp/daemon_name.pid. For example, the file containing the pid of the VPN-1/FireWall-1 snmp daemon is $FWDIR/tmp/snmpd.pid.

Note - On NT, sig_no is ignored. Only the default (fwm kill proc_name, that is, signal 15) works properly on NT.


Examples

fwm kill snmpd

sends signal 15 to the VPN-1/FireWall-1 snmp daemon.

fwm kill -t 1 snmpd

sends signal 1 to the VPN-1/FireWall-1 snmp daemon.

fwell
fwell manages Access Lists for Wellfleet (Bay Networks) routers.

Usage
For UNIX systems:

fwell load rulebase-file [-s] [-u] [interface-name@]router-name [targets]
fwell unload [-s] [-u] [interface-name@]router-name targets
fwell stat targets

For Windows NT:

fwell [-s] [-u] load rulebase-file [interface-name@]router-name [targets]
fwell [-s] [-u] unload [interface-name@]router-name targets
fwell stat targets


Options

TABLE 18-23 fwell options

parameter            meaning
load rulebase-file   Load the Access List specified by the Rule Base file (*.W) to the router.
interface-name       Machine-dependent representation of the interface (e.g. le0).
router-name          The name of the router as defined in SmartDashboard.
targets              The command is to be executed on these machines. For more information, see “Target Usage” on page 549.
unload               Unload the Access List.
-s                   Generate summary output.
-u                   A list of interfaces.
stat                 Show statistics.

Note - When loading a Rule Base to a router, all the router’s interfaces are first unloaded. If the -u parameter is specified, then the virtual router’s interfaces are unloaded. If the -u parameter is not specified, then the real router’s interfaces are unloaded.

Examples
The command:

fwell stat well

produces output similar to the following:

CIRCUIT IF FILTERDATE
E21 - -
S21 192.114.50.33 d423Mar95 10:34:13
S22 - - -

Individual Interface Loading for Bay Routers (Wellfleet)

Rather than loading (or unloading) the Security Policy (Access Lists) to (or from) all the interfaces of a Bay Router, it is possible to specify individual interfaces.

Example 1

Suppose a Wellfleet router well has three interfaces: E21, S21 and S22.


The user might wish to define (manually, in objects.C) two “virtual” routers, well1 and well2,
as follows:

(well1
:ipaddr well
:if-1E21
)
(well2
:ipaddr well
:if-0S21
:if-2S22
)

The list of interfaces to be loaded or unloaded is specified in the command line.

Warning - The objects.C file should not be edited directly. Instead, use dbedit (see
“dbedit” on page 587) to edit the objects_5_0.C file on the SmartCenter Server.

Example 2

The command:

fwell load p.W E21@well1

performs the following actions:

• unloads E21, S21, S22 (all the interfaces of the real router well1 — this is because the -u parameter was not specified)
• loads E21 (all the interfaces of the virtual router well1)

In practice, specifying E21 in the command line had no effect. All the interfaces were loaded, but as it happens, well1 has only one interface.

Example 3

The command:

fwell load -u p.W well2

performs the following actions:

• unloads S21 and S22 (all well2 interfaces — this is because the -u parameter was specified)
• loads S21 and S22 (all well2 interfaces)

Example 4

The command:

fwell load -u p.W S21@well2

performs the following actions:

• unloads S21 (the only interface specified in the command line)
• loads S21 (the only interface specified in the command line)

fwm tab
fwm tab displays the content of INSPECT tables on the target hosts in various formats.
For each host, the default format displays the host name and a list of all tables with their
elements.


Usage

fwm tab [-all | -conf conffile] [-a] [-s] [-u | -m number] [-t tname] targets

Options

TABLE 18-24 fwm tab options

parameter        meaning
-all             The command is to be executed on all targets specified in the default system configuration file ($FWDIR/conf/sys.conf). For more information, see “Targets” on page 548.
-conf conffile   The command is to be executed on the targets specified in conffile. For more information, see “Targets” on page 548.
-a               Display all tables.
-s               Use short format: host name, table name, table ID, and its number of elements.
-u               Do not limit the number of displayed entries.
-m number        For each table, display only its first number of elements (default is 16).
-t tname         Display only the tname table.
targets          The command is executed on the designated targets. For more information, see “Target Usage” on page 549.

Examples

fwm tab
fwm tab -t hostlist1 gateway1

dynamic_objects
dynamic_objects specifies an IP address to which the dynamic object (see “Dynamic Objects”
on page 216 of Check Point SmartCenter Guide) will be resolved on this machine.

Note - This command cannot be executed when the VPN/FireWall Module is running.


Usage

dynamic_objects -o object_name [-r [fromIP toIP] ...] [-s] [-a] [-d] [-l] [-n <object_name>] [-c]

Options

TABLE 18-25 dynamic_objects options

parameter              meaning
-o object_name         object name
-r [fromIP toIP] ...   address ranges — one or more “from IP address to IP address” pairs
-a [fromIP toIP] ...   add ranges to object
-d [fromIP toIP] ...   delete range from object
-l                     list dynamic objects
-n object_name         create new object (if VPN/FireWall Module is not running)
-c                     compare the objects in the dynamic objects file and in objects.C
-do object_name        delete object

Examples
The command:

dynamic_objects -n bigserver

creates a new dynamic object named “bigserver”.
The command:

dynamic_objects -n bigserver -r 190.160.1.1 190.160.1.40 -a

creates a new dynamic object named “bigserver” and adds to it the IP address range 190.160.1.1-190.160.1.40.
The command:

dynamic_objects -o bigserver -r 190.160.1.1 190.160.1.40 -a

adds the IP address range 190.160.1.1-190.160.1.40 to the previously created dynamic object “bigserver”.
The command:

dynamic_objects -o bigserver -r 190.160.1.1 190.160.1.40 -d

deletes the IP address range 190.160.1.1-190.160.1.40 from the dynamic object “bigserver”.

dbedit
dbedit edits the objects file on the SmartCenter Server.
VPN-1/FireWall-1 NG handles objects files differently from earlier versions. There is no longer
an objects.C file on both the SmartCenter Server and on the Module. Instead, there is an
objects file on the Module and a new file, objects_5_0.C on the SmartCenter Server. A new
objects.C file is created on the Module (based on the objects_5_0.C on the SmartCenter
Server) whenever a Policy is installed. Editing the objects.C file on the Module is no longer
required or desirable, since it will be overwritten the next time a Policy is installed.
Two new utilities simplify working with the objects file (objects_5_0.C) on the SmartCenter
Server:
• dbedit enables administrators to make changes to the objects file.
• queryDB_util enables searching the database according to search parameters.


Usage

dbedit [-s server] [-u user | -c certificate] [-p password] [-f filename] [-r db-open-reason] [-help]

Options

TABLE 18-26 dbedit options

parameter                  meaning
-s server                  The SmartCenter Server on which the objects_5_0.C file to be edited is located. If this is not specified in the command line, then the user will be prompted for it. If the server is not localhost, the user will be required to authenticate.
-u user | -c certificate   The user’s name (the name used for the GUI Management Client) or the full path to the certificate file.
-p password                The user’s password (the password used for the GUI Management Client).
-f filename                The name of the file containing the commands. If filename is not given, then the user will be prompted for commands.
-r db-open-reason          A non-mandatory flag used to open the database with a string that states the reason. This reason will be attached to audit logs on database operations.
-help                      Print usage and a short explanation.


Commands

TABLE 18-27 dbedit commands

command                                                      explanation
create [object_type] [object_name]                           Create an object with its default values. This command will not commit the object to the database. The create command may use an extended (or “owned”) object as shown in the example. Changes are committed to the database only by an update or quit command.
modify [table_name] [object_name] [field_name] [value]       Modify fields of an object which is:
                                                             • stored in the database (the command will lock the object in such case).
                                                             • newly created by dbedit
                                                             The modify command allows the use of Extended Formats for owned objects: for example, [field_name] = Field_A:Field_B. See the examples at the end of this section for details.
update [table_name] [object_name]                            Update the database with the object. This command will check the object validity and will issue an error message if appropriate. Invalid fields can be modified using the modify command.
delete [table_name] [object_name]                            Delete an object from the database and from the client implicit database.
addelement [table_name] [object_name] [field_name] [value]   Add an element (of type string) to a multiple field.
rmelement [table_name] [object_name] [field_name] [value]    Remove an element (of type string) from a multiple field.
rename [table_name] [object_name] [new_object_name]          Assign a new name for a given object. The operation also performs an update.
                                                             Example: rename network object London to Chicago.
                                                             rename network_objects london chicago
quit                                                         Quit dbedit and update the database with modified objects not yet committed.


Note - The meanings of object_type, object_name and table_name are given in the OPSEC
CPMI specification.

Examples

Create a tcp_service

create tcp_service my_service

Modify a service’s port

modify services my_service port 8080

Update a service

update services my_service

Example

Replace the owned object with a new null object

modify network_objects my_obj firewall_setting NULL

NULL is a reserved word specifying a null object.

Extended Format

Example

firewall_properties owns the object floodgate_preferences.

floodgate_preferences has a Boolean attribute turn_on_logging, which will be set to true.

modify properties firewall_properties floodgate_preferences:turn_on_logging true

Example

comments is a field of the owned object contained in the ordered container. The 0 value indicates the first element in the container (zero-based index).

modify network_objects my_networkObj interfaces:0:comments my_comment

Example

Replace the owned object with a new one with its default values.

modify network_objects my_net_obj interfaces:0:security interface_security


Example

create LDAP_policy my_policy
addelement ldap my_policy Read:BranchObjectClass Organization
addelement ldap my_policy Read:BranchObjectClass OrganizationalUnit

queryDB_util
queryDB_util enables searching the object database according to search parameters.


Usage

queryDB_util [-t <table_name>] [-o <object_name>] [-a] [-mu <modified_by>] [-mh <modified_from>]
             [-ma <modified_after>] [-mb <modified_before>] [-p|m|u|h|t|f] [-f filename] [-h] [-q]

Options

TABLE 18-28 queryDB_util options

parameter                 meaning
[-t <table_name>]         The name of the table.
[-o <object_name>]        The name of the object.
[-a]                      All objects.
[-mu <modified_by>]       The name of the administrator who last modified the object.
[-mh <modified_from>]     The host from which the object was last modified.
[-ma <modified_after>]    The date after which the object was modified <[hh:mm:ss][ddmmmyyyy]>. Either or both options may be used. Omitting hh:mm:ss defaults to today at midnight; omitting ddmmmyyyy defaults to today’s date on the client.
[-mb <modified_before>]   The date before which the object was modified <[hh:mm:ss][ddmmmyyyy]>. Either or both options may be used. Omitting hh:mm:ss defaults to today at midnight; omitting ddmmmyyyy defaults to today’s date on the client.
[-p|m|u|h|t|f]            Short print options:
                          • c — creation details
                          • m — last_modification details
                          • u — administrator name (create and modify)
                          • h — host name (create and modify)
                          • t — time (create and modify)
                          • f — field details
-f filename               The name of the output file.
[-h]                      Display command usage information.
[-q]                      Quit.

Examples


Print details of internal_ca object

query> -t servers -o name= internal_ca


Object Name: internal_ca
Created by: Upgrade Process
Created from: london
Creation time: Mon Jun 19 11:43:19 2000
Last Modified by: Upgrade Process
Last Modified from: london
Last Modification time: Mon Jun 19 11:43:19 2000

A total of 1 objects match the query.

Print modification details of all objects modified by administrator “aa”

query> -a -mu Bob -pm


Object Name:my_object
Last Modified by:Bob
Last Modified from:london
Last Modification time:Mon Jun 19 11:44:27 2000

Object Name:internal_ca
Last Modified by:Bob
Last Modified from:london
Last Modification time:Tue Jun 20 11:32:58 2000

A total of 2 objects match the query.

Log File Management

In This Section

fwm log          page 593
fwm logswitch    page 596
fwm logexport    page 598
fwm repairlog    page 599
fwm mergefiles   page 600
fwm lslogs       page 601
fwm fetchlogs    page 603
fw lea_notify    page 604

fwm log
fwm log displays the content of Log Files.


Usage

fwm log [-f [t]] [-c action] [-l] [-s starttime] [-e endtime]
        [-b stime etime] [-h hostname] [-n]
        [-m initial | semi | raw | account] [logfile]

Options

TABLE 18-29 fwm log options

parameter       meaning
-f [t]          After the current display is completed, do not exit but continue to monitor the Log File and display it while it is being written. The t parameter indicates that the display is to begin at the end of the file; in other words, the display will initially be empty and only new records added later will be displayed.
-c action       Display only events whose action is action, that is, accept, drop, reject, authorize, deauthorize, encrypt or decrypt. Control actions are always displayed.
-l              Display the date for each record.
-s starttime    Display only events that were logged after starttime. starttime may be a date, a time, or both. If the date is omitted, today’s date is assumed.
-e endtime      Display only events that were logged before endtime. endtime may be a date, a time, or both.
-b stime etime  Display only events that were logged between stime and etime, each of which may be a date, a time, or both. If the date is omitted, today’s date is assumed.
-h hostname     Display only log entries sent by the Module machine hostname.
-n              Do not perform DNS resolution of the IP addresses in the Log File (this option significantly speeds up the processing).
-m              This flag specifies the unification mode:
                • initial — Complete unification of log records; that is, output one unified record for each id. This is the default. When used together with -f, no updates will be displayed, only entries relating to the start of new connections. To display updates, use the semi parameter.
                • semi — Step-by-step unification; that is, for each log record, output a record that unifies this record with all previously encountered records with the same id.
                • raw — Output all records, with no unification.
                • account — Output accounting records only.
-o              For unified log entries, also display the individual entries they include.
logfile         Use logfile instead of the default Log File. The default Log File is $FWDIR/log/fw.log.

The Usage for starttime, endtime, stime and etime is as follows:
• DD-mon-YYYY (e.g. 12-jan-2001)
• mon DD, YYYY (e.g. Feb 14, 1999)
• MM/DD/YYYY
• DD.MM.YYYY
• YYYY-MM-DD
• DDMMYYYY

DD is the day (e.g. 01, 14, 28), MM is the month as a number (e.g. 01, 04, 12), mon is the month as a name (e.g. jan, feb, mar) and YYYY is the year (e.g. 1994).


Examples

fwm log
fwm log | more
fwm log -c reject
fwm log -s Jan1
fwm log -f -s 16:00
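The date-and-time argument rules above (a date, a time, or both, with today's date assumed when the date is omitted) can be exercised with the following Python helper. This is an added example, not code from the guide or from Check Point: fwm log does this parsing internally and only the layouts listed above are documented here. Assumptions: hh:mm:ss is accepted as a second time layout alongside the hh:mm of the "-s 16:00" example, `today` may be overridden (as a date or ISO string) for deterministic testing, and SAMPLE_RECORDS is constructed data.

```python
from datetime import date, datetime, time

# Date layouts listed for starttime, endtime, stime and etime, as strptime patterns.
DATE_FORMATS = (
    "%d-%b-%Y",   # DD-mon-YYYY  e.g. 12-jan-2001
    "%b %d, %Y",  # mon DD, YYYY e.g. Feb 14, 1999
    "%m/%d/%Y",   # MM/DD/YYYY
    "%d.%m.%Y",   # DD.MM.YYYY
    "%Y-%m-%d",   # YYYY-MM-DD
    "%d%m%Y",     # DDMMYYYY
)
# hh:mm appears in the guide's "-s 16:00" example; hh:mm:ss is an assumption.
TIME_FORMATS = ("%H:%M:%S", "%H:%M")


def _try_formats(text, formats):
    """Return a datetime for the first layout that matches text, else None."""
    for fmt in formats:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None


def parse_log_time(text, today=None):
    """Interpret a starttime/endtime argument: a date, a time, or both.

    A bare date means midnight of that day; a bare time is placed on `today`
    (the client's date, overridable as a date or ISO string for testing).
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    text = text.strip()
    parsed = _try_formats(text, DATE_FORMATS)
    if parsed is not None:
        return datetime.combine(parsed.date(), time(0, 0))
    parsed = _try_formats(text, TIME_FORMATS)
    if parsed is not None:
        return datetime.combine(today, parsed.time())
    # "date time": the time is the last whitespace-separated token.
    head, sep, tail = text.rpartition(" ")
    if sep:
        d = _try_formats(head.strip(), DATE_FORMATS)
        t = _try_formats(tail, TIME_FORMATS)
        if d is not None and t is not None:
            return datetime.combine(d.date(), t.time())
    raise ValueError(f"unrecognised date/time argument: {text!r}")


def select_window(records, stime, etime, today=None):
    """Keep records whose timestamp lies within [stime, etime], as -b stime etime does.

    records is a list of (datetime, text) pairs, for example built from the
    time column of an fwm logexport file.
    """
    start = parse_log_time(stime, today)
    end = parse_log_time(etime, today)
    if end < start:
        raise ValueError("etime precedes stime")
    return [rec for rec in records if start <= rec[0] <= end]


# Constructed sample records (not from the guide): (timestamp, action).
SAMPLE_RECORDS = [
    (datetime(2002, 9, 1, 15, 59), "accept"),
    (datetime(2002, 9, 1, 16, 5), "drop"),
    (datetime(2002, 9, 2, 9, 0), "reject"),
]
```

Note that a bare date resolves to midnight, so a window such as -b 16:00 2002-09-02 ends at the start of 2 September, not the end of it; give an explicit time when the end of a day is meant.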

fwm logswitch
fwm logswitch creates a new Log File. The current Log File is closed and renamed
$FWDIR/log/date.log, and a new Log File with the default name ($FWDIR/log/fw.log) is
created. Old Log Files are located in the same directory. You must have the appropriate file
privileges to run fwm logswitch.
A SmartCenter Server can use fwm logswitch to switch a Log File on a remote machine and
transfer the Log File to the SmartCenter Server. For information on how to direct logging to a
specific machine, see “Redirecting Logging to Another Master” on page 627 of Check Point
SmartCenter Guide.
See also “How can I switch my Log File on a periodic basis?” on page 338 of Check Point
SmartCenter Guide.


Usage

fwm logswitch [-h target] [+|-][""|old_log]

Options

TABLE 18-30 fwm logswitch options

parameter  meaning
-h target  The resolvable name or IP address of the remote machine (running either a VPN/FireWall Module or a SmartCenter Server) on which the Log File is located. The SmartCenter Server (on which the fw logswitch command is executed) must be defined as one of target’s SmartCenter Servers. In addition, you must perform fw putkey to establish a control channel between the SmartCenter Server and target. For information about establishing control channels, see “Enabling Communication between Modules” on page 99 of Check Point SmartCenter Guide. For information on target Usage, see “Target Usage” on page 549. When a log file is sent to the SmartCenter Server, the data is compressed. See “Compression” on page 598 for more information.
+          The Log File is transferred from target to the SmartCenter Server. The transferred Log File is compressed and encrypted. The name of the copied Log File on the SmartCenter Server is prefixed by target (see “Targets” on page 548 for details). This parameter is ignored if target is not specified. There should be no white space between this parameter and the next one. When a log file is sent to the SmartCenter Server, the data are compressed. See “Compression” on page 598 for more information.
-          The same as +, but the Log File is deleted on target.
""         Delete the current Log File (on target if specified; otherwise on the SmartCenter Server).
old_log    The new name of the old Log File.
TABLE 18-31 lists the files created in the $FWDIR/log directory on both target and the SmartCenter Server when the + or - parameters are specified. Note that if - is specified, the Log File on target is deleted rather than renamed.

TABLE 18-31 Files created in $FWDIR/log

target specified, old_log specified:
    On target, the old Log File is renamed to old_log. On the SmartCenter Server, the copied file will have the same name, prefixed by target’s name. For example, the command fw logswitch -h venus +xyz creates a file named venus.xyz on the SmartCenter Server.
target specified, old_log not specified:
    On target, the new name is the current date, for example, 04Feb98-10:04:20 in Unix and 04Feb98-100420 in NT. On the SmartCenter Server, the copied file will have the same name, but prefixed by target (for example, target.04Feb98-10:04:20 in Unix and target.04Feb98-100420 in NT).
target not specified, old_log specified:
    On the SmartCenter Server, the old Log File is renamed to old_log.
target not specified, old_log not specified:
    On the SmartCenter Server, the old Log File is renamed to the current date (see above).

If either the SmartCenter Server or target is an NT machine, the files will be created using the NT naming convention.

Compression
When log files are transmitted from one machine to another, they are compressed using the zlib package, a standard package used by the Unix gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of the LZ77 method.
The compression ratio varies with the content of the log records and is difficult to predict. Binary data are not compressed, but string data such as user names and URLs are compressed.

Examples
The following command creates a new Log File and moves (renames) the old Log File to
old.log.

fwm logswitch old.log

fwm logexport
fwm logexport exports the Log File to an ASCII file.


Usage

fwm logexport [-d delimiter] [-i inputfile] [-o outputfile]
              [-r record_chunk_size] [-n] [-f]
              [-m initial | semi | raw | account]

Options

TABLE 18-32 fwm logexport options

parameter             meaning
-d delimiter          Output fields will be separated by this character; the default is a semicolon (;).
-i inputfile          The name of the input Log File.
-o outputfile         The name of the output ASCII file.
-r record_chunk_size  The number of records read (during a single access to the Log File) into the internal buffer for processing.
-n                    Do not perform DNS resolution of the IP addresses in the Log File (this option significantly speeds the processing).
-f                    Stay online and export new logs to the ASCII output file as they occur.
-m                    This flag specifies the unification mode:
                      • initial — Complete unification of log records; that is, output one unified record for each id. This is the default.
                      • semi — Step-by-step unification; that is, for each log record, output a record that unifies this record with all previously encountered records with the same id.
                      • raw — Output all records, with no unification.
                      • account — Output accounting records only.

fwm repairlog
fwm repairlog rebuilds a Log file’s pointer files. The three files fw.logptr, fw.loginitial_ptr
and fw.logaccount_ptr are recreated from data in the specified Log file. The Log file itself is
modified only if the -u flag is specified.


Usage

fwm repairlog [-u] logfile

Options

TABLE 18-33 fwm repairlog options

parameter  meaning
-u         Indicates that the unification chains in the Log file should be rebuilt.
logfile    The name of the Log file to repair.

fwm mergefiles
This command merges several Log Files into a single Log File.
The merged file can be sorted according to the creation time of the Log entries, and the times
can be “fixed” according to the time zones of the origin Log Servers.
Log entries with the same Unique-ID are unified. If a Log switch was performed before all the segments of a specific log were received, this command merges the records with the same Unique-ID from two different files into one fully detailed record.
It is not recommended to merge the current active fw.log file with other Log Files. Instead,
run the fwm logswitch command and then run fwm mergefiles.


Usage

fwm mergefiles [-s] [-t time_conversion_file]
               log_file_name_1 [... log_file_name_n] output_file

Options

TABLE 18-34 fwm mergefiles options

parameter                meaning
-s                       Sort the merged file by the log records’ time field.
-t time_conversion_file  “Fix” the time of log records from different GMT zones, in the event that the Log Files originated from Log Servers in different time zones. The time_conversion_file format is as follows, one line per Log Server:
                         ip-address signed_date_time_in_seconds
                         ip-address signed_date_time_in_seconds
                         .
                         .
log_file_name_n          Full pathnames of the Log File(s).
output_file              Full pathname of the output Log File.
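An added Python example (not Check Point's code and not how fwm mergefiles is implemented internally) of what the text describes: parse the -t time_conversion_file, add each origin's signed offset to its records, unify records that share a Unique-ID even when they arrived in different Log Files, and sort by time as -s does. The record layout (dicts with origin, time in epoch seconds and uid), the "first segment wins, later segments add missing fields" unification rule, and the sample Log Files are all assumptions or constructed data.

```python
def parse_time_conversion(text):
    """Parse the -t time_conversion_file: one 'ip-address signed_seconds' per line."""
    offsets = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'ip-address signed_seconds'")
        ip, secs = parts
        try:
            offsets[ip] = int(secs)   # may be negative, hence "signed"
        except ValueError:
            raise ValueError(f"line {lineno}: {secs!r} is not a signed integer") from None
    return offsets


def merge_log_files(log_files, offsets=None, sort_by_time=False):
    """Merge several lists of records the way the fwm mergefiles text describes.

    Each record is a dict with 'origin' (Log Server IP address), 'time' (epoch
    seconds) and 'uid' (Unique-ID) plus arbitrary log fields.  Records sharing
    a uid, even across files, are unified into one record: the first segment
    seen wins and later segments only add fields it lacks (a simplification of
    the real rules, which are not on this page).  The origin's offset is added
    to each time first, which is what -t does, and -s sorts the result.
    """
    offsets = offsets or {}
    unified = {}
    order = []
    for records in log_files:
        for rec in records:
            fixed = dict(rec)
            fixed["time"] = rec["time"] + offsets.get(rec["origin"], 0)
            uid = rec["uid"]
            if uid in unified:
                for key, value in fixed.items():
                    unified[uid].setdefault(key, value)
            else:
                unified[uid] = fixed
                order.append(uid)
    merged = [unified[uid] for uid in order]
    if sort_by_time:
        merged.sort(key=lambda r: r["time"])
    return merged


# Constructed sample data (not from the guide): two switched Log Files from two Log Servers.
CONVERSION_FILE = "10.1.1.1 7200\n10.2.2.2 0\n"
LOG_A = [
    {"origin": "10.1.1.1", "time": 1010000000, "uid": "A1", "action": "accept", "service": "http"},
    {"origin": "10.2.2.2", "time": 1010001000, "uid": "B7", "action": "drop", "service": "telnet"},
]
LOG_B = [
    {"origin": "10.1.1.1", "time": 1010000000, "uid": "A1", "bytes": 512},   # later segment of A1
]
```

With the offsets applied, the record from 10.1.1.1 moves two hours later and the sorted output changes order, which is exactly the kind of timestamp skew that makes cross-gateway correlation unreliable when the conversion file is omitted.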

fwm lslogs
This command displays a list of Log Files residing on a remote machine.


Usage

fwm lslogs [[-f filename] ...] [-e] [-s name | size | stime | etime] [-r] [module]

Options

TABLE 18-35 fwm lslogs options

parameter    meaning
-f filename  The list of files to be displayed. The file name can include wildcards. In Solaris, any file name containing wildcards should be enclosed in quotes. The default parameter is *.log.
-e           Display an extended file list. It includes the following data:
             • Size — The size of the file and its related pointer files together.
             • Creation Time — The time the Log File was created.
             • Closing Time — The time the Log File was closed.
             • Log File Name — The file name.
-s           Specify the sort order of the Log Files using one of the following sort options:
             • name — The file name.
             • size — The file size.
             • stime — The time the Log File was created.
             • etime — The time the Log File was closed.
             The default is stime.
-r           Reverse the sort order (descending order).
module       The name of the machine on which the files are located. It can be a module or a Log Server. The default is localhost.

Examples
The following example shows the log data you see when you use the fwm lslogs command:

fwm lslogs module3


Size Log file name
99KB 2002-01-10_183752.log
16KB fw.log


This example shows the extended file list you see when you use the fwm lslogs -e command:

fwm lslogs -e module3


Size Creation Time Closing Time Log file name
99KB 10Jan2002 16:46:27 10Jan2002 18:36:05 2002-01-10_183752.log
16KB 10Jan2002 18:36:05 -- fw.log

fwm fetchlogs
fwm fetchlogs fetches Log Files from a remote machine.
You can use the fwm fetchlogs command to transfer Log Files to the machine on which the
fwm fetchlogs command is executed.
The Log Files are read from and written to the directory $FWDIR/log.

Note - The files transferred by the fwm fetchlogs command are MOVED from the source machine to the target machine.

Usage

fwm fetchlogs [[-f filename] ... ] module

Options

TABLE 18-36 fwm fetchlogs options

parameter    meaning
-f filename  The Log Files to be transferred. The file name can include wildcards. In Solaris, any file name containing wildcards should be enclosed in quotes. The default parameter is *.log. Related pointer files will automatically be fetched.
module       The name of the remote machine from which you transfer the Log Files.
The active Log File (fw.log) cannot be fetched. If you want to fetch the most recent log data,
proceed as follows:
1 Run fwm logswitch to close the currently active Log File and open a new one. For more
information on the fwm logswitch command, see “fwm logswitch” on page 596.
2 Run fwm lslogs to see the newly-generated file name (see “fwm lslogs” on page 601).
3 Run fwm fetchlogs -f filename to transfer the file to the machine on which the fwm fetchlogs command is executed.


The file is now available for viewing in the Log Viewer. For more information on the
SmartView Tracker, see Chapter 11, “SmartView Tracker”.
After a file has been fetched, it is renamed: the Module name and the original Log File name are concatenated, separated by two underscore characters (__), to form the new file name.

Example
The following command:

fwm fetchlogs -f 2001-12-31_123414.log module3

fetches the Log File 2001-12-31_123414.log from Module3.


After the file has been fetched, the Log File is renamed:
module3__2001-12-31_123414.log

fw lea_notify
This command should be run from the SmartCenter Server. It sends a LEA_COL_LOGS event to all connected LEA clients (see the LEA Specification documentation). It should be used after new log files have been imported (manually or automatically) into the $FWDIR/log directory, in order to avoid the scheduled update, which takes 30 minutes.

log_export
log_export is a utility that allows you to transfer Log data to an external database.

Note - Only the Oracle database is currently supported.

This utility behaves as a LEA client. LEA (Log Export API) enables VPN-1/FireWall-1 Log data
to be exported to third-party applications. log_export receives the Logs from the SmartCenter
Server via LEA so it can be run from any host that has a SIC connection with the SmartCenter
Server and is defined as an OPSEC host.
To run log_export, you need a basic understanding and a working knowledge of:
• Oracle database administration
• LEA
For more information about LEA, see Check Point VPN-1/FireWall-1 LEA (Log Export API)
Specification at
http://cpi.checkpoint.com/__rnd/docs/techpubs/OPSEC/OPSEC_SDK/NG%20FP2/LEA_NG_FP2.pdf.

Installation Requirements
• Before you can run log_export, the Oracle client must be installed and configured. Make sure that:
  • the ORACLE_HOME environment variable is set correctly.
  • $ORACLE_HOME/lib is located in the PATH environment variable on the NT platform, or in LD_LIBRARY_PATH on the Solaris and Linux platforms.
• If log_export is running from another machine, you must install and configure at least SVN Foundation and the Reporting Module.

The log_export Configuration File

log_export has a Configuration File, which contains the default parameters for log_export. log_export reads all parameters from the Configuration File that is specified on the command line.

Note - The Configuration File is a Check Point Set file and should be configured according
to Set file conventions.

For more information about Configuration File parameters, see “Modifying the Configuration
File” on page 606.


Usage

log_export [-f conf_file] [-l lea_server_ip_address]
           [-g log_file_name,log_file_name,...] [-t database_table_name]
           [-p database_password] [-h] [-d]

Options

TABLE 18-37 log_export options

parameter     meaning
-f conf_file  The Configuration File from which log_export reads the Log file parameters. If conf_file is not specified, the default Configuration File log_export.conf, located in the current working directory, is used.
-l            The IP address of the LEA server.
-t            The name of the table in the database to which the logs will be added.
-g            A comma-separated list of log file names from which the logs will be taken.
-p            The database login password. If you do not want to specify the password in the Configuration File for security reasons, you can enter the password on the command line, where it will not be saved anywhere.
-h            Display log_export usage.
-d            Display debugging information.

Modifying the Configuration File


log_export parameters are defined in the Configuration File. To change the parameters, you can
either modify the Configuration File or use the command line.
Note - For your convenience, all log_export parameters can be defined in the
Configuration File. Only the location of the Configuration File should be entered via the
command line.

You should be aware, though, that any parameter entered using the command line will
override the parameters in the Configuration File.


Modify the Configuration File according to the following table:

TABLE 18-38 Configuration File parameters

parameter              meaning
db_connection_string   The string that defines the Oracle database server, for example, the name of the server.
db_table_name          The name of the table in the database to which the logs will be added.
create_db_table        One of the following:
                       • 1 — create a new table in the database
                       • 0 — use the existing table.
                       If there is an existing table, the logs will be added to that table. This requires that the existing table have the same format as the logs you are adding. If you enter 0 and there is no existing table, you will get an error message. The default is 1.
db_user_name           The database login user name.
db_password            The database login password.
log_server_ip_address  The IP address of the LEA server.
log_server_port        The port number of the LEA server. The default LEA port is 18184.
log_file_name          A list of log file names from which the logs will be taken.
log_fields             The name of each Log field as known by LEA. For more information, refer to the LEA documentation at http://cpi.checkpoint.com/__rnd/docs/techpubs/OPSEC/OPSEC_SDK/NG%20FP2/LEA_NG_FP2.pdf.
db_field_name          The Log field name as represented in the database table.
db_field_type          The Log field type in the database table. This parameter can be one of the following:
                       • STRING
                       • NUMBER
                       • DATE
db_field_size          The size of the field in the database table. This parameter is required only if db_field_type is either STRING or NUMBER.


Configuration File Example

:db_table_name (fw_log)
:db_connection_string (database_service_name)
:db_user_name (scott)
:db_password (tiger)
:log_server_ip_address (127.0.0.1)
:log_server_port (18184)
:create_db_table (1)
:log_file_name (fw.log)
:log_fields (
: (time
:db_field_name (log_time)
:db_field_type (DATE)
)
: (product
:db_field_name (product)
:db_field_type (STRING)
:db_field_size (25)
)
: (i/f_name
:db_field_name (interface)
:db_field_type (STRING)
:db_field_size (100)
)
: (orig
:db_field_name (origin)
:db_field_type (STRING)
:db_field_size (16)
)
: (action
:db_field_name (action)
:db_field_type (STRING)
:db_field_size (16)
)
: (service
:db_field_name (service)
:db_field_type (STRING)
:db_field_size (40)
)
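An added Python example, not part of the guide and not log_export's own code, that parses the set-file layout of the configuration above and applies two rules from TABLE 18-38: db_field_type must be STRING, NUMBER or DATE, and db_field_size is required for STRING and NUMBER. The parser is a small hand-written one for the ": key (value)" layout shown here (Check Point's full set-file grammar is not documented on this page); the Oracle column types it emits (VARCHAR2, NUMBER, DATE) are an assumption, since the page does not say how log_export maps types to columns. SAMPLE_CONF is a trimmed copy of the configuration example above.

```python
import re

# One set-file entry line: ":key (" followed by "value)" or by the start of a nested block.
ENTRY = re.compile(r"^:([^\s(]*)\s*\((.*)$")

# Assumed Oracle column types for the three db_field_type values.
ORACLE_TYPES = {"STRING": "VARCHAR2({size})", "NUMBER": "NUMBER({size})", "DATE": "DATE"}

# Trimmed copy of the guide's configuration example (three of the six fields).
SAMPLE_CONF = """\
:db_table_name (fw_log)
:db_user_name (scott)
:db_password (tiger)
:log_server_port (18184)
:create_db_table (1)
:log_file_name (fw.log)
:log_fields (
: (time
:db_field_name (log_time)
:db_field_type (DATE)
)
: (product
:db_field_name (product)
:db_field_type (STRING)
:db_field_size (25)
)
: (i/f_name
:db_field_name (interface)
:db_field_type (STRING)
:db_field_size (100)
)
)
"""


def parse_set_file(text):
    """Parse set-file text into a list of (key, value) pairs.

    A scalar value is a str; a nested block is a (label, children) tuple with
    children being another list of pairs.  List elements such as ": (time"
    have an empty key and carry "time" as the block label.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pos = 0

    def block(nested):
        nonlocal pos
        entries = []
        while pos < len(lines):
            line = lines[pos]
            pos += 1
            if line == ")":
                if not nested:
                    raise ValueError("unexpected ')' at top level")
                return entries
            m = ENTRY.match(line)
            if not m:
                raise ValueError(f"malformed set-file line: {line!r}")
            key, rest = m.group(1), m.group(2).strip()
            if rest.endswith(")"):
                entries.append((key, rest[:-1].strip()))     # scalar value
            else:
                entries.append((key, (rest, block(True))))   # nested block
        if nested:
            raise ValueError("missing ')' before end of file")
        return entries

    return block(False)


def scalar(entries, key):
    """Return the first scalar value stored under key, or None."""
    return next((v for k, v in entries if k == key and isinstance(v, str)), None)


def field_mapping(entries):
    """Return [(lea_name, db_field_name, db_field_type, db_field_size)] from log_fields,
    enforcing the type and size rules of TABLE 18-38."""
    fields = []
    for key, value in entries:
        if key != "log_fields" or isinstance(value, str):
            continue
        for _, element in value[1]:
            if isinstance(element, str):
                raise ValueError("log_fields entries must be nested blocks")
            lea_name, attrs = element
            a = dict(attrs)
            ftype = a.get("db_field_type")
            if ftype not in ORACLE_TYPES:
                raise ValueError(f"{lea_name}: db_field_type must be STRING, NUMBER or DATE")
            size = a.get("db_field_size")
            if ftype != "DATE" and size is None:
                raise ValueError(f"{lea_name}: db_field_size is required for {ftype}")
            fields.append((lea_name, a["db_field_name"], ftype, int(size) if size else None))
    return fields


def create_table_sql(table, fields):
    """The CREATE TABLE statement create_db_table=1 implies (column types assumed)."""
    cols = ", ".join(f"{name} {ORACLE_TYPES[ftype].format(size=size)}"
                     for _, name, ftype, size in fields)
    return f"CREATE TABLE {table} ({cols})"


def check_conf(text):
    """Parse and validate a configuration; returns (fields, errors) instead of raising."""
    try:
        return field_mapping(parse_set_file(text)), []
    except ValueError as exc:
        return [], [str(exc)]
```

The sample keeps db_password in the file, as the guide's own example does; the -p option documented above exists so that the password can be kept out of the file, and a checker like this is a natural place to flag a db_password entry in a file that is readable by other accounts.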


ClusterXL: High Availability and Load Sharing

cphastart    page 609
cphastop     page 609
cphaprob     page 609
fwm hastat   page 614

cphastart
cphastart starts the High Availability feature on the machine. This is done when the VPN/FireWall Module is started.

Usage

cphastart

cphastop
cphastop stops the High Availability feature on the machine.

Usage

cphastop

cphaprob
cphaprob defines “critical” processes. When a critical process fails, the machine is considered to
have failed.

Usage

cphaprob -d <device> -t <timeout(sec)> -s <ok|init|problem> [-p] register
cphaprob -f <file> register
cphaprob -d <device> [-p] unregister
cphaprob -a unregister
cphaprob -d <device> -s <ok|init|problem> report
cphaprob [-i[a]] [-e] list
cphaprob state
cphaprob [-a] if
cphaprob savepnotes


TABLE 18-39 cphaprob options

parameter           meaning
-d <device>         Add <device> to the list of devices that must be running for the VPN/FireWall Module to be considered active (in other words, if <device> fails, then the VPN/FireWall Module is considered to have failed).
-s                  The status to be reported — one of:
                    • “ok” — <device> is alive
                    • “init” — <device> is initializing. The machine is down. This state prevents the machine from becoming active.
                    • “problem” — <device> has failed
-t <timeout>        If <device> fails to contact the VPN/FireWall Module in <timeout> seconds, <device> will be considered to have failed. To disable this parameter, enter <0> as the timeout value.
-f <file> register  Insert all problem notifications into a <file> and register them automatically.
[-p] register       Register <device> as a critical process.
[-p] unregister     Unregister <device> as a critical process.
[-p]                Makes these changes permanent. This means that after removing the kernel (on Linux or IPSO, for example) and re-attaching it, the pnote (problem notification) status of pnotes that were registered with this flag will be saved. This means that if a pnote was registered as "problem" before removing the kernel, the pnote status will be restored after re-installing the kernel.
state               Display the state of this VPN/FireWall Module and all the other VPN/FireWall Modules in the High Availability configuration.
-i[a] -e list       Display the state of devices.
report              Report the status of High Availability VPN/FireWall Modules and their status.
if                  Display the state of interfaces.
savepnotes          Saves the status of the currently defined pnotes (problem notifications) to a file. The pnotes in this file are restored to their saved statuses after a reboot or cpstop/cpstart commands.
A process specified by <device> should run cphaprob with the “-s ok” parameter to notify the High Availability module that the process is alive. If this notification is not received in <timeout> seconds, the process (and the machine) will be considered to have failed. This is true only for problem notifications with timeouts. If a notification is registered with the -t 0 parameter, there is no timeout, and until the device reports otherwise, the status is considered to be the last reported status.
Example
This example illustrates how to manually cause a machine to fail and another machine to take
over.
1 Verify that the primary machine is currently active with the following command:

#cphaprob state

Information similar to the following should be displayed:

1 (local) <IP-address> active
2 <IP-address> stand-by
Working mode: Load Sharing (or "Active up" or "Primary up" or "Sync Only")
Number Unique address State
1 1.2.3.4 Active
2 5.6.7.8 Standby
3 9.0.1.2 Down

2 Register a device that initializes with a problem report:

#cphaprob -d failDevice -s problem -t 0 report

The machine will immediately fail, and the secondary machine will take over. failDevice is the name of a non-existent device in this case.
3 To reactivate the machine, enter one of the following commands:

#cphaprob -d failDevice -s ok report
#cphaprob -d failDevice unregister

The machine will become active if Switch to higher priority gateway is selected in the Gateway Cluster Properties window (FIGURE 3-17 on page 190 of the Check Point FireWall-1 Guide).
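An added Python model (not Check Point's code; ClusterXL's internal logic is not on this page) of the registration, report and timeout rules above, walked through with the failDevice sequence from the example: a device registered with a positive timeout becomes "problem" once its "ok" report is overdue, a device registered with -t 0 keeps its last reported status indefinitely, and any device that is not ok makes the machine count as down. The simulated clock (`now`, in seconds), the class and method names, and the textual rendering in the shape of "cphaprob -i list" are assumptions made for the example.

```python
class ProblemNotifications:
    """Model of the cphaprob registered-device (pnote) rules described above.

    A device registered with a positive timeout must report "ok" within that
    many seconds or it is treated as failed; with -t 0 there is no timeout and
    the last reported status stands.  Any device that is not "ok" (problem or
    init) makes the machine count as down.  `now` is a simulated clock in
    seconds, so the behaviour can be checked without waiting.
    """

    STATUSES = ("ok", "init", "problem")

    def __init__(self):
        self.devices = {}   # name -> {"timeout": seconds, "status": str, "last_report": time}

    def register(self, device, timeout, status, now):
        """cphaprob -d <device> -t <timeout> -s <status> register"""
        if status not in self.STATUSES:
            raise ValueError(f"status must be one of {self.STATUSES}")
        if timeout < 0:
            raise ValueError("timeout must be 0 (none) or a positive number of seconds")
        self.devices[device] = {"timeout": timeout, "status": status, "last_report": now}

    def unregister(self, device):
        """cphaprob -d <device> unregister"""
        del self.devices[device]

    def report(self, device, status, now):
        """cphaprob -d <device> -s <status> report"""
        if device not in self.devices:
            raise KeyError(f"{device} is not registered")
        if status not in self.STATUSES:
            raise ValueError(f"status must be one of {self.STATUSES}")
        self.devices[device].update(status=status, last_report=now)

    def device_status(self, device, now):
        """Current status, applying the timeout rule for devices registered with -t > 0."""
        d = self.devices[device]
        if d["timeout"] > 0 and now - d["last_report"] > d["timeout"]:
            return "problem"   # the "ok" report is overdue: the device is considered failed
        return d["status"]

    def failed_devices(self, now):
        """Devices whose status is not ok (problem, or init, which keeps the machine down)."""
        return sorted(name for name in self.devices if self.device_status(name, now) != "ok")

    def machine_state(self, now):
        return "down" if self.failed_devices(now) else "active"

    def render_list(self, now):
        """Text in the shape of the 'cphaprob -i list' Registered Devices section."""
        out = ["Registered Devices:", ""]
        for number, (name, d) in enumerate(self.devices.items()):
            out += [f"Device Name: {name}",
                    f"Registration number: {number}",
                    "Timeout: none" if d["timeout"] == 0 else f"Timeout: {d['timeout']} sec",
                    f"Current state: {self.device_status(name, now)}",
                    f"Time since last report: {now - d['last_report']:.1f} sec",
                    ""]
        return "\n".join(out)
```

The -t 0 case is the one to watch operationally: a device registered without a timeout that stops reporting is never aged into "problem" by the model, so its last status, whether ok or problem, persists until something reports otherwise or the device is unregistered.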

Example
These examples illustrate various uses of the cphaprob command.

[root@tuti]/opt/CPfw1-50>cphaprob if

hme0 UP
hme1 UP
hme2 UP


[root@tuti]/opt/CPfw1-50>cphaprob -a if

Required interfaces: 4
Required secured interfaces: 1

ge0 DOWN (4810.2 secs) (non secured, unique)
hme0 UP (non secured, unique)
qfe0 DOWN (4810.2 secs) (non secured, unique)
qfe1 UP (non secured, unique)
qfe2 UP (non secured, unique)
qfe3 UP (secured, unique)


[root@tuti]/opt/CPfw1-50/bin>cphaprob -i list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: HA Initialization
Current state: OK

Device Name: Load Balancing Configuration
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: problem
Time since last report: 106.8 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: problem
Time since last report: 106.8 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.3 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.3 sec


[root@tuti]/opt/CPfw1-50/bin>cphaprob -i -e list

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: problem
Time since last report: 193.5 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: problem
Time since last report: 193.5 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.1 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.1 sec

fwm hastat
The fwm hastat command displays information about High Availability machines and their
states.

Usage

fwm hastat [<target>]

TABLE 18-40 fwm hastat options

parameter meaning
<target> A list of machines whose status will be displayed. If target is
not specified, the status of the local machine will be displayed.


User Database Management

In This Section

fwm ikecrypt    page 615
fwm dbimport    page 616
fwm dbexport    page 618
ldapmodify      page 620
ldapsearch      page 621

fwm ikecrypt
The fwm ikecrypt command encrypts the password of a SecuRemote user using IKE. The resulting string must then be stored in the LDAP database.

Note - An internal CA must be created before implementing IKE encryption. An Internal CA is created during the initial configuration of the SmartCenter Server, following installation.

Usage

fwm ikecrypt shared-secret user-password

Options

TABLE 18-41 fwm ikecrypt options

parameter meaning
shared-secret The IKE Key defined in the Encryption tab of the LDAP
Account Unit Properties window.
user-password The SecuRemote user’s password.

Examples
The command

fwm ikecrypt MySecret UsersPassword

returns the following string (in stdout):

KYTSLfvuOkzX14edJHIXcwqZsDWv


fwm dbimport
fwm dbimport imports users into the VPN-1/FireWall-1 User Database from an external file.
You can create this file yourself (see “File Format” on page 616), or use a file generated by fwm
dbexport (see “fwm dbexport” on page 618).

See also “ldapmodify” on page 620.

Usage

fwm dbimport [-m] [-s] [-v] [-r] [-k errors] [-f file] [-d delim]

Options

TABLE 18-42 fwm dbimport options

parameter  meaning
-m         If an existing user is encountered in the import file, the user’s default values will be replaced by the values in the template (the default template or the one given in the attribute list for that user in the import file), and the original values will be ignored. If -m is not specified, then an existing user’s original values will not be modified.
-s         Suppress the warning messages issued when an existing user’s values are changed by values in the import file.
-v         Verbose mode.
-r         fwm dbimport will delete all existing users in the database.
-k errors  Continue processing until errors errors are encountered. The line count in the error messages starts from 1, including the attributes line and counting empty or commented-out lines.
-f file    The name of the import file. The default import file is $FWDIR/conf/user_def_file. Also see the requirements listed under “File Format” on page 616.
-d delim   Specifies a delimiter different from the default value (;).

To ensure that there is no dependency on the previous database values, use the -r flag together with the -m flag.

File Format
The import file must conform to the following Usage:
1 The first line in the file is an attribute list. The attribute list can be any partial set of the following attribute set, as long as name is included:

{name; groups; destinations; sources; auth_method; fromhour; tohour; expiration_date; color; days; internal_password; SKEY_seed; SKEY_passwd; SKEY_gateway; template; comments; userc}

2 The attributes must be separated by a delimiter character. The default delimiter is the ; character. However, you can use a different character by specifying the -d option in the command line (see below).
3 The rest of the file contains lines specifying the values of the attributes per user. The values are separated by the same delimiter character used for the attribute list. An empty value for an attribute means use the default value.
4 For attributes that contain a list of values (for example, days), enclose the values in curly braces, that is, {}. Values in a list must be separated by commas. If there is only one value in a list, the braces may be omitted. A + or - character appended to a value list means to add or delete the values in the list from the current default user values. Otherwise the default action is to replace the existing values.
5 Legal values for the days attribute are: MON, TUE, WED, THU, FRI, SAT, SUN.
6 Legal values for the authentication method are: Undefined, S/Key, SecurID, Unix Password, VPN-1/FireWall-1 Password, RADIUS, Defender.
7 Time format is hh:mm.
8 Date format is dd-mmm-yy, where mmm is one of {Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec}.
9 If the S/Key authentication method is used, all the other attributes regarding this method must be provided.
10 If the VPN-1/FireWall-1 password authentication method is used, a valid VPN-1/FireWall-1 password should be given as well. The password should be encrypted with the C language encrypt function.
11 Values regarding authentication methods other than the one specified are ignored.

Chapter 18 Command Line Interface 617


12 The userc field specifies the parameters of the user’s SecuRemote connections, and has
three parameters, as follows:

TABLE 18-43 SecuRemote parameters

parameter               values
key encryption method   DES, CLEAR, Any
data encryption method  DES, CLEAR, Any
integrity method        MD5, [blank] = no data integrity

“Any” means the best method available for the connection. This depends on the encryption
methods available to both sides of the connection.

Example:

TABLE 18-44 SecuRemote examples

userc          means
{DES,DES,MD5}  key encryption method is DES; data encryption method is DES;
               data integrity method is MD5
{DES,CLEAR,}   key encryption method is DES; no data encryption; no data integrity
{Any,Any,}     use “best” key encryption method; use “best” data encryption method;
               no data integrity

13 A line beginning with the ! character is considered a comment.
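The rules above describe a line-oriented format that is easy to get subtly wrong (a day outside MON..SUN, a missing S/Key attribute, a + or - suffix on the wrong field), and fwm dbimport writes whatever it accepts straight into the user database. The following Python parser and validator is an added example, not Check Point code: it checks a file against rules 1 to 13 before the file is handed to fwm dbimport. It assumes the attribute-list line is written as plain delimiter-separated attribute names, optionally wrapped in { }, which the text leaves implicit; the sample file is constructed.

```python
"""Parser and validator for the fwm dbimport user file format.

Added example, not Check Point code. It applies rules 1 to 13 above and
assumes the attribute list line is written as plain delimiter-separated
attribute names, optionally wrapped in { }.
"""
import re

KNOWN_ATTRIBUTES = {
    "name", "groups", "destinations", "sources", "auth_method", "fromhour",
    "tohour", "expiration_date", "color", "days", "internal_password",
    "SKEY_seed", "SKEY_passwd", "SKEY_gateway", "template", "comments", "userc",
}
LEGAL_DAYS = {"MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN"}
LEGAL_AUTH = {"Undefined", "S/Key", "SecurID", "Unix Password",
              "VPN-1/FireWall-1 Password", "RADIUS", "Defender"}
ENC_METHODS = {"DES", "CLEAR", "Any"}                  # userc key/data encryption
TIME_RE = re.compile(r"^\d{2}:\d{2}$")                 # rule 7: hh:mm
DATE_RE = re.compile(r"^\d{2}-(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)-\d{2}$")


def parse_field(raw):
    """One field -> (action, values). Empty field = use the default (None).
    A trailing + or - on a value list means add/delete instead of replace."""
    raw = raw.strip()
    if not raw:
        return "replace", None
    action = "replace"
    if raw[-1] in "+-":
        action = "add" if raw[-1] == "+" else "delete"
        raw = raw[:-1].strip()
    if raw.startswith("{") and raw.endswith("}"):
        return action, [v.strip() for v in raw[1:-1].split(",")]
    return action, [raw]                               # braces optional for one value


def validate_user(user, errors, where):
    """Check one parsed user against rules 5 to 12; append problems to errors."""
    def vals(attr):
        return user.get(attr, ("replace", None))[1] or []
    bad_days = [d for d in vals("days") if d not in LEGAL_DAYS]
    if bad_days:
        errors.append(f"{where}: illegal days {bad_days}")
    auth = vals("auth_method")
    if auth and auth[0] not in LEGAL_AUTH:
        errors.append(f"{where}: unknown auth_method {auth[0]!r}")
    for attr in ("fromhour", "tohour"):
        errors.extend(f"{where}: {attr} {v!r} is not hh:mm"
                      for v in vals(attr) if not TIME_RE.match(v))
    errors.extend(f"{where}: expiration_date {v!r} is not dd-mmm-yy"
                  for v in vals("expiration_date") if not DATE_RE.match(v))
    if auth == ["S/Key"]:                              # rule 9
        errors.extend(f"{where}: S/Key requires {attr}"
                      for attr in ("SKEY_seed", "SKEY_passwd", "SKEY_gateway")
                      if not vals(attr))
    if auth == ["VPN-1/FireWall-1 Password"] and not vals("internal_password"):
        errors.append(f"{where}: VPN-1/FireWall-1 Password requires internal_password")
    userc = vals("userc")                               # rule 12: {key,data,integrity}
    if userc and (len(userc) != 3 or userc[0] not in ENC_METHODS
                  or userc[1] not in ENC_METHODS or userc[2] not in ("MD5", "")):
        errors.append(f"{where}: bad userc {userc}, expected e.g. {{DES,DES,MD5}}")


def parse_dbimport(text, delim=";"):
    """Return {'attributes': [...], 'users': [...], 'errors': [...]}; each user is
    a dict attribute -> (action, values)."""
    attrs, users, errors = None, [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("!"):      # rule 13: ! comment
            continue
        if attrs is None:                                 # rule 1: attribute list
            head = line.strip()
            if head.startswith("{") and head.endswith("}"):
                head = head[1:-1]
            attrs = [a.strip() for a in head.split(delim) if a.strip()]
            if "name" not in attrs:
                errors.append(f"line {lineno}: attribute list must include name")
            errors.extend(f"line {lineno}: unknown attribute {a!r}"
                          for a in attrs if a not in KNOWN_ATTRIBUTES)
            continue
        fields = line.split(delim)                        # rule 3: same delimiter
        if len(fields) != len(attrs):
            errors.append(f"line {lineno}: expected {len(attrs)} fields, got {len(fields)}")
            continue
        user = {a: parse_field(f) for a, f in zip(attrs, fields)}
        name = user.get("name", ("replace", None))[1]
        if not name:
            errors.append(f"line {lineno}: empty user name")
            continue
        validate_user(user, errors, f"line {lineno} ({name[0]})")
        users.append(user)
    if attrs is None:
        errors.append("file has no attribute list")
    return {"attributes": attrs or [], "users": users, "errors": errors}


# Constructed sample file (not a real user database): maryj is complete,
# ben declares S/Key but omits the S/Key attributes, so rule 9 rejects him.
SAMPLE_FILE = """! constructed sample for the validator above
name;groups;auth_method;days;fromhour;tohour;expiration_date;userc;SKEY_seed;SKEY_passwd;SKEY_gateway;internal_password
maryj;{sales,vpn_users}+;VPN-1/FireWall-1 Password;{MON,TUE,WED,THU,FRI};08:00;18:00;31-Dec-02;{DES,DES,MD5};;;;abCDefGH12
ben;;S/Key;SAT;;;;{Any,Any,};;;;
"""

if __name__ == "__main__":
    result = parse_dbimport(SAMPLE_FILE)
    print(len(result["users"]), "users parsed", *result["errors"], sep="\n")
```

Run the validator over a file before importing it; an empty errors list means every user passed the format rules, while the users list shows exactly what each field will do (replace, add or delete) when fwm dbimport applies it.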

fwm dbexport
fwm dbexport exports the VPN-1/FireWall-1 User Database to a file. The file may be in one
of the following formats:
• the same format as the import file for fwm dbimport (see “fwm dbimport” on page 616)
• LDIF format, which can be imported into an LDAP Server using ldapmodify (see
“ldapmodify” on page 620).

Usage
• To export the User Database to a file that can be used with fwm dbimport:

fwm dbexport [ [-g group | -u user] [-d delim] [-a {attrib1, attrib2, ...} ] [-f file] ]

• To export the User Database as an LDIF file:

fwm dbexport -l [-d delim] [-a {attrib1, attrib2, ...} ] -s subtree [-f file] [-k IKE-shared-secret]

Options

TABLE 18-45 fwm dbexport options

parameter                   meaning
-g group                    Specifies a group (group) to be exported. The users in the
                            group are not exported.
-u user                     Specifies that only one user (user) is to be exported.
-d delim                    Specifies a delimiter different from the default value (“;”).
-a {attrib1, attrib2, ...}  Specifies the attributes to export, in the form of a comma-
                            separated list, between {} characters, for example,
                            -a {name,days}. If there is only one attribute, the {} may
                            be omitted.
-f file                     file specifies the name of the output file. The default output
                            file is $FWDIR/conf/user_def_file.
-l                          Create an LDIF format file for importation by an LDAP server.
-s                          The branch under which the users are to be added.
-k                          This is the Account Unit’s IKE shared secret (IKE Key in the
                            Encryption tab of the Account Unit Properties window — see
                            “LDAP Account Unit Properties Window — Encryption Tab” on
                            page 367 of Check Point SmartCenter Guide).

Warning - If you use the -a parameter to specify a list of attributes, and then import the
created file using fwm dbimport, the attributes not exported will be deleted from the user
database.

Notes
• fwm dbexport and fwm dbimport (non-LDIF format) cannot export and import user groups.
To export and import a user database, including groups, proceed as follows:
a Run fwm dbexport on the source SmartCenter Server.
b On the destination SmartCenter Server, create the groups manually.
c Run fwm dbimport on the destination SmartCenter Server.
The users will be added to the groups to which they belonged on the source SmartCenter
Server.

• If you wish to import different groups of users into different branches, run fwm dbexport
once for each subtree, for example:

fwm dbexport -f f1 -l -s ou=marketing,o=WidgetCorp,c=us
fwm dbexport -f f2 -l -s ou=rnd,o=WidgetCorp,c=uk

Next, import the individual files into the LDAP server one after the other. For information on
how to do this, refer to the documentation for your LDAP server.
• The LDIF file is a text file which you may wish to edit before importing it into an LDAP
server. For example, in the VPN-1/FireWall-1 user database, user names may be what are in
effect login names (such as “maryj”) while in the LDAP server, the DN should be the user’s
full name (“Mary Jones”) and “maryj” should be the login name.
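Editing the exported LDIF by hand does not scale beyond a handful of users. The following Python tool is an added example, not Check Point code: it parses an LDIF file of the shape fwm dbexport -l produces (one dn: line per entry, such as cn=maryj,o=WidgetCorp,c=us), rewrites the RDN from the login name to the full name taken from a lookup table, and keeps the login name in a separate attribute so nothing is lost. Assumptions: plain (non-base64) attribute values, no escaped commas in DNs, and uid as the attribute that holds the login name; the sample entries are constructed, and their attributes other than dn and cn are placeholders rather than what fwm dbexport actually writes.

```python
"""Rewrite login-name DNs in an LDIF file of the shape fwm dbexport -l writes.

Added example, not Check Point code. Assumes plain 'attr: value' lines with
RFC 2849 line folding (a leading space continues the previous line), no
base64 (::) values and no escaped commas in DNs. Keeping the login name in
uid is an assumption; the sample entries are constructed.
"""


def parse_ldif(text):
    """Return a list of entries, each a list of (attribute, value) pairs with
    the dn first. Entries are separated by blank lines; # lines are comments."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:        # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], []
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                         # blank line ends an entry
            if current:
                entries.append(current)
                current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    if current:
        entries.append(current)
    return entries


def rewrite_login_dns(entries, full_names, login_attr="uid"):
    """For each entry whose RDN is cn=<login> and whose login is in full_names,
    replace the RDN and the cn value with the full name and record the login
    in login_attr. Other entries pass through unchanged."""
    out = []
    for entry in entries:
        rdn, _, parent = entry[0][1].partition(",")
        key, _, login = rdn.partition("=")
        if (entry[0][0].lower() != "dn" or key.strip().lower() != "cn"
                or login not in full_names):
            out.append(list(entry))
            continue
        full = full_names[login]
        new_entry = [("dn", f"cn={full},{parent}")]
        for attr, value in entry[1:]:
            new_entry.append(("cn", full) if attr.lower() == "cn" and value == login
                             else (attr, value))
        new_entry.append((login_attr, login))
        out.append(new_entry)
    return out


def to_ldif(entries):
    """Serialise entries back to LDIF text (long lines are not re-folded)."""
    return "\n\n".join("\n".join(f"{a}: {v}" for a, v in e) for e in entries) + "\n"


# Constructed sample in the shape of the fwm dbexport -l example above; the
# description attribute is a placeholder, not something fwm dbexport writes.
SAMPLE_LDIF = """\
dn: cn=ben,o=WidgetCorp,c=us
cn: ben
description: constructed sample entry

dn: cn=maryj,o=WidgetCorp,c=us
cn: maryj
description: constructed sample
  entry with a folded line
"""

if __name__ == "__main__":
    print(to_ldif(rewrite_login_dns(parse_ldif(SAMPLE_LDIF), {"maryj": "Mary Jones"})))
```

Entries without a mapping (ben above) are left exactly as exported, so the rewritten file can still be fed to ldapmodify as described below; the lookup table is the only thing an administrator has to maintain.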

Examples
Suppose the User Database contains two users, “maryj” and “ben”.

fwm dbexport -l -s o=WidgetCorp,c=us

creates an LDIF file consisting of two entries with the following DNs:

cn=ben,o=WidgetCorp,c=us
cn=maryj,o=WidgetCorp,c=us

ldapmodify
ldapmodify imports users to an LDAP server. The input file must be in the LDIF format.
You can import VPN-1/FireWall-1 User Database to an LDAP server by first generating an
LDIF file using fwm dbexport (“fwm dbexport” on page 618), and then using ldapmodify.
Before importing, prepare the LDAP directory as follows:
1 Make sure the root branch is defined as an allowed branch on your LDAP server.
2 Restart the LDAP server.
3 Create the branch into which the users will be imported, either by using Create Tree
Object in the Account Management Client or with the ldapmodify command:

ldapmodify -a -h <host> -p <port> -D <LDAPadminDN> -w <LDAPadminPassword>
dn: o=myOrg,c=US
objectclass: organization
o:myOrg

Usage

ldapmodify -a -c -h <host> -p <port> -D <LDAPadminDN> -w <LDAPadminPassword> -f <exportfilename>.ldif

Options

TABLE 18-46 ldapmodify options

parameter                 meaning
-a                        Add users.
-c                        Continue on errors.
-h <host>                 LDAP Server IP address.
-p <port>                 LDAP Server port number.
-D <LDAPadminDN>          LDAP Administrator DN.
-w <LDAPadminPassword>    LDAP Administrator password.
-f <exportfilename>.ldif  Specifies the name of the input file. This file must be
                          in the LDIF format.

Example
1 Export the users using fwm dbexport.

fwm dbexport -l -f ./o_file.ldif -s "o=bigcorp,c=uk" -k hello1234


For more information, see “fwm dbexport” on page 618.
2 Create the "o=bigcorp,c=uk" branch (see step 3 above).
3 Import the users:

ldapmodify -a -c -h <host> -p <port> -D bindDN -w bindPas -f ./o_file.ldif

4 Define an Account Unit with these parameters, including hello1234 as the IKE shared
secret.

ldapsearch
ldapsearch queries an LDAP directory and returns the results.

Usage

ldapsearch [options] filter [attributes]

Options

TABLE 18-47 ldapsearch options

parameter   meaning
options     Any of the following:

            option        meaning
            -A            Retrieve attribute names only (without values).
            -B            Do not suppress printing of non-ASCII values.
            -D bindDN     The DN to be used for binding to the LDAP Server.
            -F separator  Print separator between attribute name and value
                          instead of “=”.
            -h host       The LDAP server identified by IP address or resolvable
                          name.
            -l timelimit  The server side time limit for search, in seconds.
            -p portnum    The port number. The default is standard LDAP port 389.
            -S attribute  Sort the results by the values of attribute.
            -s scope      One of the following: “base”, “one”, “sub”.
            -b            Base distinguished name (DN) for search.
            -t            Write values to files in /tmp. Each attribute-value pair is
                          written to a separate file, named
                          /tmp/ldapsearch-<attribute>-<value>.
                          For example, for the fw1color attribute, the file written
                          will be named /tmp/ldapsearch-fw1color-a00188.
            -T timeout    The client side timeout (in milliseconds) for all
                          operations.
            -u            Show “user friendly” entry names in the output. For
                          example, show “cn=Babs Jensen, users, omi” instead
                          of “cn=Babs Jensen,cn=users,cn=omi”.
            -w password   The password.
filter      RFC-1558 compliant LDAP search filter. For example, objectclass=fw1host.
attributes  The list of attributes to be retrieved. If no attributes are given, all
            attributes are retrieved.

Examples

ldapsearch -p 18185 -b cn=omi objectclass=fw1host objectclass

This means that the LDAP directory will be queried for fw1host objects using port number
18185 with DN common name “omi”. For each object found, the value of its objectclass
attribute will be printed.

License Management

In This Section

Local Licensing Commands
cplic put...                 page 624
cplic del                    page 627
cplic print                  page 628
cplic check                  page 629
Remote Licensing Commands
cplic put <object name> ...  page 631
cplic del <object name> ...  page 633
cplic get                    page 634
cplic upgrade                page 635
License Repository Commands
cplic db_add                 page 639
cplic db_rm                  page 640
cplic db_print               page 641

Local Licensing Commands

cplic put...
The cplic put command (located in $CPDIR/bin) is used to install one or more Local licenses.
This command installs a license on a local machine — it cannot be performed remotely.

Note - For the remote command, see “cplic put <object name> ...” on page 631. Multiple
licenses can be installed using a multi-license file received from the User Center.

Use it to install a
• NG Local license for a Check Point Node on a Check Point Node
• NG Local license for a SmartCenter Server on a SmartCenter Server

License installation will fail if the
• IP address of the Check Point Node does not correspond to the IP address in the license.
• License is already installed on the machine.
• License is corrupted.

Local licenses can also be installed with the cpconfig configuration tool (see “cpconfig” on page
550).
After installing a license,
1 confirm that you are using the appropriate license by printing the licenses using the cplic
print command (see “cplic print” on page 628).
2 It is recommended that you retrieve the licenses to the SmartUpdate License Repository
using the cplic get command or via the SmartUpdate GUI.

Usage

cplic put [-o overwrite] [-c check-only] [-s select] [-F <output file>]
          [-P Pre-boot] [-k kernel-only]
          <-l license-file | host expiration date signature SKU/feature>

Options

TABLE 18-48 cplic put options for local operations

parameter        meaning
-overwrite       On a SmartCenter Server this will erase all existing licenses
(or -o)          and replace them with the new license(s). On a Check Point
                 Node this will erase only Local licenses but not Central
                 licenses, that are installed remotely.
-check-only      Verify the license. Checks if the IP of the license matches
(or -c)          the machine, and if the signature is valid.
-select          Select only the Local licenses whose IP address matches
(or -s)          the IP address of the machine.
-F outputfile    Outputs the result of the command to the designated file
                 rather than to the screen.
-Preboot         Use this option after upgrading to VPN-1/FireWall-1 NG
(or -P)          FP2 and before rebooting the machine. Use of this option
                 will prevent certain error messages.
-kernel-only     Push the current valid licenses to the kernel. For Support
(or -k)          use only.
-l license-file  Installs the license(s) in license-file, which can be a
                 multi-license file. The following options are NOT needed:
                 host expiration-date signature SKU/features
Copy/paste the following parameters from the license received from the User Center.
host             One of the following:
                 • All platforms — The IP address of the external
                   interface (in dot notation); last part cannot be 0 or 255.
                 • Sun OS4 and Solaris2 — The response to the hostid
                   command (beginning with 0x).
                 • HP-UX — The response to the uname -i command
                   (beginning with 0d).
                 • AIX — The response to the uname -l command
                   (beginning with 0d), or the response to the uname -m
                   command (beginning and ending with 00).
expiration date  The license expiration date. Can be never.
signature        The License signature string. For example:
                 aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
                 (Case sensitive. The hyphens are optional.)
SKU/features     A string listing the SKU and the Certificate Key of the
                 license. The SKU of the license summarizes the features
                 included in the license. For example:
                 CPMP-EVAL-1-3DES-NG CK0123456789ab

Example
This command:

cplic put -l 215.153.142.130.lic

produces output similar to the following:

Host             Expiration  SKU
215.153.142.130  26Dec2001   CPMP-EVAL-1-3DES-NG CK0123456789ab

In this example, the license
• is taken from a file
• is intended for a host with IP address 215.153.142.130.
• expires on December 26, 2001.
• SKU is “CPMP-EVAL-1-3DES-NG”.
• Certificate Key is “CK0123456789ab”.

cplic del
The cplic del command (located in $CPDIR/bin) deletes a single Check Point license on a
host. Use it to delete unwanted evaluation, expired, and other licenses.

Run cplic print -x to get the license signature (see “cplic print” on page 628).

Note - For the remote command, see “cplic del <object name> ...” on page 633.

Usage

cplic del [-F <output file>] <signature>

TABLE 18-49 cplic del options for local operations

parameter              meaning
-File <output file>    Send the output to <output file> instead of the screen.
(or -F <output file>)
signature              The signature string within the license. For example:
                       ag2e7EPPP-eZ2HfqEwe-9MDay2aw6-a5rJg8P7k.
                       (Case sensitive. The hyphens are optional.)
                       The signatures of the licenses on the machine can be
                       viewed using the command cplic print -x (see
                       “cplic print” on page 628).

Example
The command

cplic del 2f540abb-d3bcb001-7e54513e-kfyigpwn

will delete the license with the given signature.

cplic print
The cplic print command (located in $CPDIR/bin) prints details of Check Point licenses on
the local machine.
On a Check Point Node, this command will print all licenses that are installed on the local
machine — both Local and Central licenses.
To print the licenses in the License Repository, see “cplic db_print” on page 641.

Usage

cplic print [-n noheader] [-x prints signatures] [-t type] [-F <outputfile>] [-p preatures]

Options

TABLE 18-50 cplic print options

parameter        meaning
-noheader        Print licenses with no header. The header is the first
(or -n)          line of the output in the Example on page 629 below.
-x               Print licenses with their signature.
-type            Prints licenses showing their type: Central or Local.
(or -t)
-F <outputfile>  Divert the output to outputfile.
-preatures       Print licenses resolved to primitive features.
(or -p)

Example
This command

cplic print -x

produces output similar to the following

Host             Expiration  SKU
215.153.142.130  26Dec2001   CPMP-EVAL-1-3DES-NG CK-CK0123456789ab aG2FxigdpkWeFyHcDTfzuFdbVrd3nDN3kLpg

In this example, the license
• is intended for a host with IP address 215.153.142.130.
• expires on December 26, 2001.
• SKU is “CPMP-EVAL-1-3DES-NG”.
• Certificate Key is “CK0123456789ab”.
• signature is “aG2FxigdpkWeFyHcDTfzuFdbVrd3nDN3kLpg”
A valid license may still be irrelevant, because the date may be expired, or the host may not
match the machine.

cplic check
Use cplic check command (located in $CPDIR/bin) to check whether the license on the
machine will allow a given feature to be used.
This command is used mainly for Technical Support purposes.

Usage

cplic check [-p <product name>] [-v <product version>] [-c count]
[-t <date>] [-r routers] [-S SRusers] <feature>

Options

TABLE 18-51 cplic check options

parameter                   meaning
-product <product-name>     The product for which license information is
(or -p <product-name>)      requested. For example fw1, netso.
-version <product-version>  The product version for which license information is
(or -v <product-version>)   requested. For example 4.1, 5.0.
-count                      Count how many licenses have this feature.
(or -c)
-time date                  Check license status on future date. Use the format
(or -t date)                ddmmmyyyy. A given feature may be valid on a given
                            date on one license, but invalid in another.
-routers                    Check how many routers are allowed. The feature
(or -r)                     option is not needed.
-SRusers                    Check how many SecuRemote users are allowed. The
(or -S)                     feature option is not needed.
<feature>                   The <feature> for which license information is
                            requested. Use the command cplic print -p (see
                            “cplic print” on page 628) to see the primitive features
                            in the licenses on the machine.

Examples
The command

cplic check fm

may give the following output:

cplic check 'fm': license valid

The command

cplic check -product fw1 -version 5.0 encryption

may give the following output:

cplic check 'encryption': license invalid

Remote Licensing Commands

cplic put <object name> ...  page 631
cplic del <object name> ...  page 633
cplic get                    page 634
cplic upgrade                page 635

cplic put <object name> ...
Use the cplic put command (located in $CPDIR/bin) to attach (install) one or more
• Central licenses on an NG FP2 Check Point Node,
• Local licenses on the appropriate NG FP2 Check Point Node, and
• Version 4.1 licenses on the appropriate version 4.1 Check Point Node.

The License Repository is also updated.
This command can be used only from the SmartCenter Server.

Note - Unattached version 4.1 and NG FP2 Local licenses can ONLY be attached to the
Check Point Node with the same IP address as the license.

After installing a license, confirm that the license installation worked using the cplic db_print
command (see “cplic db_print” on page 641).
To install a license on the local machine, see “cplic put...” on page 624.

Usage

cplic put <object name> [-ip dynamic ip] [-F <output file>]
          < -l license-file | host expiration-date signature SKU/features >

Options

TABLE 18-52 cplic put options for remote operation

parameter        meaning
Object name      The name of the Check Point Node object, as defined in
                 the SmartDashboard.
-ip dynamic ip   Install the license on the Check Point Node with the
                 specified IP address. This parameter is used for installing a
                 license on a DAIP Check Point Node (see Chapter 14,
                 “Dynamically Assigned IP Addresses” of Check Point
                 SmartCenter Guide).
                 Note - If this parameter is used, then object name must
                 be a DAIP Check Point Node.
-F outputfile    Divert the output to outputfile rather than to the screen.
-l license-file  Installs the license(s) from license-file. The following
                 options are NOT needed:
                 Host Expiration-Date Signature SKU/features
Note - Copy/paste the following parameters from the license received from the User
Center. More than one license can be attached.
Host             The target hostname or IP address.
Expiration-Date  The license expiration date. Can be never.
Signature        The License signature string. For example:
                 aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
                 (the hyphens are optional)
SKU/features     A string listing the SKU and the Certificate Key of the
                 license. The SKU of the license summarizes the features
                 included in the license. For example:
                 CPSUITE-EVAL-3DES-vNG CK0123456789ab

Example
This command:

cplic put caruso -l 215.153.142.130.lic

produces output similar to the following:

Host             Expiration  SKU
212.150.140.127  26Dec2001   CPSUITE-EVAL-3DES-vNG CK0123456789ab

In this example, the license
• Host IP shown is the IP address of the SmartCenter Server, taken from the license string,
and not the IP address of the Check Point Node. This is true only for Central licenses.
• is taken from a file.
• expires on December 26, 2001.
• SKU is “CPSUITE-EVAL-3DES-vNG”.
• is an evaluation license.
• Certificate Key is “CK0123456789ab”.

cplic del <object name> ...
Use the cplic del command (located in $CPDIR/bin) to detach a Central license from an NG
Check Point Node.
This command deletes the license from the Check Point Node. A Central license remains in the
repository as an unattached license. The license is available for attachment to another Check
Point Node.
This command can be executed only on a SmartCenter Server. Running this command updates
the License Repository.
To delete a license on the local machine, see “cplic del” on page 627.

Usage

cplic del <Object name> [-F outputfile] [-ip dynamic ip] <Signature>

Options

TABLE 18-53 cplic del options for remote operations

parameter       meaning
object name     The name of the Check Point Node object, as defined
                in the SmartDashboard.
-F outputfile   Divert the output to outputfile rather than to the screen.
-ip dynamic ip  Delete the license on the Check Point Node with the
                specified IP address. This parameter is used for deleting
                a license on a DAIP Check Point Node (see Chapter 14,
                “Dynamically Assigned IP Addresses” of Check Point
                SmartCenter Guide).
                Note - If this parameter is used, then object name
                must be a DAIP Module.
Signature       The signature string within the license. For example:
                ag2e7EPPP-eZ2HfqEwe-9MDay2aw6-a5rJg8P7k
                (the hyphens are optional)
                The signatures of the licenses on the machine can be
                viewed using the command cplic db_print <object name> -x
                (see “cplic db_print” on page 641).

Example

cplic del caruso 2f540abb-d3bcb001-7e54513e-kfyigpwn

cplic get
The cplic get command (located in $CPDIR/bin) retrieves all licenses from a Check Point
Node (or from all Check Point Nodes) into the license repository on the SmartCenter Server.
Do this to synchronize the repository with the Check Point Node(s), if NG FP2 and version 4.1
Local licenses were added (or deleted) locally, and hence do not yet (or still) exist in the license
repository. Retrieving licenses will also delete from the repository Local licenses that do not
exist on the Check Point Node. This command can be used only from the SmartCenter
Server.

Note - For 4.1 licenses, only version 4.1 SP1 and higher licenses can be retrieved.

Usage

cplic get <ipaddr | hostname | -all> [-v41]

Options

TABLE 18-54 cplic get options

parameter  meaning
ipaddr     The IP address of the Check Point Node from which
           licenses are to be retrieved.
hostname   The name of the Check Point Node object (as defined
           in the SmartDashboard) from which licenses are to be
           retrieved.
-all       Retrieve licenses from all Check Point Nodes in the
           managed network.
-v41       Retrieve version 4.1 licenses from the NG Check Point
           Node. Used to upgrade version 4.1 licenses. See “cplic
           upgrade” on page 635.

Example
If the Check Point Node with the object name caruso contains four Local licenses, and the
license repository contains two other Local licenses, the command:

cplic get caruso

produces output similar to the following

Get retrieved 4 licenses.
Get removed 2 licenses.

cplic upgrade
Use the cplic upgrade command to upgrade licenses in the license repository using licenses in
a license file obtained from the User Center.
The licenses in the downloaded license file and in the license repository are compared. If the
certificate keys and features match, the old licenses in the repository and in the remote network
objects are updated with the new licenses.
A report of the results of the license upgrade is printed.

Usage

cplic upgrade <-l inputfile>

Options

parameter     meaning
-l inputfile  Upgrades the licenses in the license repository and Check Point
              Nodes to match the licenses in <inputfile>.

Example
1 Upgrade the Management Server to the latest version (see “How to Remotely Upgrade to
Check Point NG” on page 72 of the Check Point Management Guide).
Ensure that there is connectivity between the Management Server and the remote
workstations with the version 4.1 products.
2 Import all licenses into the License Repository. This can also be done after upgrading the
products on the remote workstations to NG (at step 7). Run the command

cplic get -all

For example:

count:root(su) [~] # cplic get -all
Getting licenses from all modules ...
golda:
Retrieved 1 licenses.
Detached 0 licenses.
Removed 0 licenses.
count:
Retrieved 1 licenses.
Detached 0 licenses.
Removed 0 licenses.

3 To see all the licenses in the repository, run the command

cplic db_print -all -a

For example:

count:root(su) [~] # cplic db_print -all -a
Retrieving license information from database ...
The following licenses appear in the database:
==================================================
Host          Expiration  Features
192.168.8.11  Never       CPFW-FIG-25-41 CK-49C3A3CC7121 golda
192.168.5.11  26Nov2002   CPSUITE-EVAL-3DES-NG CK-1234567890 count

4 Upgrade the version 4.1 products on the remote workstations. (See “How to Remotely
Upgrade to Check Point NG” on page 72 of the Check Point Management Guide.)
5 In the User Center (http://www.checkpoint.com/usercenter), view the licenses for the
products that were upgraded from version 4.1 to NG and create new upgraded licenses.
6 Download a file containing the upgraded NG licenses.

Note - Only download licenses for the products that were upgraded from version 4.1 to
NG.

7 If you did not import the version 4.1 licenses into the repository in step 2, import the
version 4.1 licenses now using the command

cplic get -all -v41

8 Run the license upgrade command:

cplic upgrade -l <inputfile>


• The licenses in the downloaded license file and in the license repository are compared.
• If the certificate keys and features match, the old licenses in the repository and in the
remote workstations are updated with the new licenses.
• A report of the results of the license upgrade is printed.

In the following example, there are two NG licenses in the file. One does not match any
license on a remote workstation, the other matches a version 4.1 license on a remote
workstation that should be upgraded:

count:root(su) [~] # cplic upgrade -l CPLicenseFile.lic

The following licenses from the file were not upgraded:


==========================================================

License: am6Hv3CUG52YbHKak3mcADM2rhNbecsm44Ma
----------------------------
Host: 212.168.8.9
Expiration Date: never
Signature: am6Hv3CUG52YbHKak3mcADM2rhNbecsm44Ma
Feature: CPFW-FIG-25-NG
Certificate Key: CK-DB4F140AD57B
Version: 5.0
Mode: local
State:
Attached to:

Reason: No matching licenses were found in database for the above licenses.

The following licenses were upgraded:


=========================================

License: afb2rUZCHDqbEcktrjTJQGFvUekaFfH1F8Ad
----------------------------
Host: 192.168.8.11
Expiration Date: never
Signature: afb2rUZCHDqbEcktrjTJQGFvUekaFfH1F8Ad
Feature: CPFW-FIG-25-NG
Certificate Key: CK-49N3A3CC7521
Version: 5.0
Mode: central
State: installed
Attached to: golda

License Repository Commands

cplic db_add    page 639
cplic db_rm     page 640
cplic db_print  page 641

cplic db_add
The cplic db_add command (located in $CPDIR/bin) is used to add one or more licenses to the
license repository on the SmartCenter Server.
Adding a Central license to the License Repository does not install it on any Check Point
Node.
If a Local license is added to the Repository, SmartUpdate will install it on the Check Point
Node for which it is intended.
This command can be executed only on a SmartCenter Server.

Usage

cplic db_add < -l license-file | host expiration-date signature SKU/features >

Options

TABLE 18-55 cplic db_add options

parameter        meaning
-l license-file  Adds the license(s) from license-file. The following
                 options are NOT needed:
                 Host Expiration-Date Signature SKU/features
Note - Copy/paste the following parameters from the license received from the User
Center. More than one license can be added.
Host             The target host name or IP address.
Expiration-Date  The license expiration date.
Signature        The License signature string. For example:
                 aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
                 (the hyphens are optional)
SKU/Features     The SKU of the license summarizes the features
                 included in the license. For example:
                 CPSUITE-EVAL-3DES-vNG

Example
If the file 192.168.5.11.lic contains one or more licenses, the command:

cplic db_add -l 192.168.5.11.lic

will produce output similar to the following:

Adding license to database ...
Operation Done

cplic db_rm
The cplic db_rm command (located in $CPDIR/bin) removes a license from the license
repository on the SmartCenter Server. It can be executed ONLY after the license was detached
using the cplic del command (see page 633).
Once the license has been removed from the repository, it can no longer be used. To re-use it,
use the cplic db_add (see page 639) or cplic put (see page 631) commands.
This command can be executed only on a SmartCenter Server.

Usage

cplic db_rm <signature>

Options

TABLE 18-56 cplic db_rm options

parameter  meaning
Signature  The signature string within the license. For example:
           ag2e7EPPP-eZ2HfqEwe-9MDay2aw6-a5rJg8P7k
           The signatures of the licenses on the machine can be
           viewed using the command cplic db_print <object name> -x
           (see page 641). The signature is case sensitive.

Example

cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn

cplic db_print
The cplic db_print command (located in $CPDIR/bin) displays the details of Check Point
licenses stored in the license repository on the SmartCenter Server.
This command can be executed only on a SmartCenter Server.

Usage

cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached]

Options

TABLE 18-57 cplic db_print options

parameter       meaning
Object name     Print only the licenses attached to Object name.
                Object name is the name of the Check Point Node
                object, as defined in the SmartDashboard.
-all            Print all the licenses in the license repository.
-noheader       Print licenses with no header. The header is the first
(or -n)         line of the result in the Example on page 642 below.
-x              Print licenses with their signature.
-t              Print licenses with their type: Central or Local.
(or -type)
-a              Show which object the license is attached to. Useful if
(or -attached)  the -all option is specified.

Example
This command:

cplic db_print caruso -x

produces output similar to the following

Host             Expiration  SKU
215.153.142.130  26Dec2001   CPSUITE-EVAL-3DES-vNG CK-CK0123456789ab aG2FxigdpkWeFyHcDTfzuFdbVrd3nDN3kLpg

In this example, the license
• IP address is 215.153.142.130
• is an evaluation license.
• expires on December 26, 2001.
• SKU is “CPSUITE-EVAL-3DES-vNG”.
• Certificate Key is “CK0123456789ab”.
• signature is “aG2FxigdpkWeFyHcDTfzuFdbVrd3nDN3kLpg”
A valid license may still be irrelevant, because the date may be expired, or the host may be
incorrect.
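Because an installed license can be valid yet irrelevant (expired, or bound to another host), it pays to audit the output of cplic print -x and cplic db_print -x regularly instead of reading it by eye. The following Python script is an added example, not Check Point code; it serves both the cplic print example on page 629 and the cplic db_print example above. It parses the Host/Expiration/SKU table those commands print and reports licenses that are expired, expiring within a warning window, bound to a different host, or evaluation licenses. Assumptions: the output is the whitespace-separated table shown above with the signature as the last token (as with -x, and without the extra attached-object column that db_print -a adds); the host comparison is meaningful for Local licenses bound to an IP address, since for a Central license the Host column shows the SmartCenter Server's IP; the sample output is constructed from values that appear on this page.

```python
"""Audit license lines from cplic print -x / cplic db_print -x output.

Added example, not Check Point code. Assumes the whitespace-separated
Host / Expiration / SKU table shown on this page, with the signature as
the last token when -x is used and no -a column. The sample output is
constructed from values that appear on this page.
"""
import re
from datetime import date

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
EXP_RE = re.compile(r"^(\d{1,2})([A-Za-z]{3})(\d{4})$")   # e.g. 26Dec2001


def parse_expiration(token):
    """'26Dec2001' -> date(2001, 12, 26); 'never' / 'Never' -> None."""
    if token.lower() == "never":
        return None
    m = EXP_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised expiration {token!r}")
    day, mon, year = m.groups()
    return date(int(year), MONTHS[mon.title()], int(day))


def parse_cplic_output(output, with_signature=True):
    """Return one dict per license line that follows the Host/Expiration header."""
    licenses, in_table = [], False
    min_tokens = 4 if with_signature else 3
    for line in output.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Host" and "Expiration" in parts:   # table header
            in_table = True
            continue
        if not in_table or len(parts) < min_tokens:
            continue
        sku_tokens = parts[2:-1] if with_signature else parts[2:]
        licenses.append({
            "host": parts[0],
            "expires": parse_expiration(parts[1]),
            "sku": sku_tokens[0],
            "evaluation": "EVAL" in sku_tokens[0],         # e.g. CPMP-EVAL-1-3DES-NG
            "certificate_key": next((t for t in sku_tokens if t.startswith("CK")), ""),
            "signature": parts[-1] if with_signature else None,
        })
    return licenses


def audit_licenses(licenses, machine_ip, today, warn_days=30):
    """Flag the two conditions the guide warns about (expired date, host
    mismatch) plus licenses close to expiry and evaluation licenses.
    Returns a list of (sku, [problem, ...]) for licenses with problems."""
    findings = []
    for lic in licenses:
        problems = []
        if lic["host"] != machine_ip:
            problems.append(f"host {lic['host']} does not match {machine_ip}")
        if lic["expires"] is not None:
            left = (lic["expires"] - today).days
            if left < 0:
                problems.append(f"expired {-left} days ago")
            elif left <= warn_days:
                problems.append(f"expires in {left} days")
        if lic["evaluation"]:
            problems.append("evaluation license")
        if problems:
            findings.append((lic["sku"], problems))
    return findings


# Constructed sample: two lines in the shape of cplic print -x output.
SAMPLE_OUTPUT = """\
Host             Expiration  SKU
215.153.142.130  26Dec2001   CPMP-EVAL-1-3DES-NG CK-CK0123456789ab aG2FxigdpkWeFyHcDTfzuFdbVrd3nDN3kLpg
192.168.8.11     Never       CPFW-FIG-25-NG CK-49C3A3CC7121 afb2rUZCHDqbEcktrjTJQGFvUekaFfH1F8Ad
"""

if __name__ == "__main__":
    for sku, problems in audit_licenses(parse_cplic_output(SAMPLE_OUTPUT),
                                        machine_ip="215.153.142.130",
                                        today=date(2002, 9, 1)):
        print(sku, "->", "; ".join(problems))
```

Feed it the real output with something like `cplic print -x > licenses.txt` and pass the file contents and the machine's external IP address; the same parser works on `cplic db_print <object name> -x` output when the object name is given, because that output carries the same columns.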

Product Management

In This Section

Product Repository Management
cppkg Overview             page 643
cppkg add                  page 643
cppkg del                  page 645
cppkg print (search)       page 648
cppkg setroot              page 649
cppkg getroot              page 650
Remote Installation
cprinstall Overview        page 651
cprinstall install         page 653
cprinstall upgrade         page 651
cprinstall verify_upgrade  page 652
cprinstall uninstall       page 654
cprinstall get             page 656
cprinstall verify          page 657
cprinstall boot            page 658
cprinstall stop            page 659

Product Repository Management

cppkg Overview
The Product (“package”) Repository on the VPN-1/FireWall-1 SmartCenter Server can be
managed using cppkg commands on the SmartCenter Server, as well as using SmartUpdate.

cppkg add
The cppkg add command is used to add a product package to the Product Repository. For NG
FP2 and higher there is no difference between SmartUpdate and regular installation packages.
For NG FP1 and below, only SmartUpdate packages can be added to the Product Repository.
Products can be added to the Repository as described in the following procedures, by:
• adding them directly from the Check Point Download Center
• adding them from the Check Point CD

Chapter 18 Command Line Interface 643



• importing a file downloaded from the Download Center web site at
http://www.checkpoint.com/techsupport/downloads/downloads.html. The package file can
be added to the Repository directly from the CD or from a local or network drive.

Note - cppkg add does not overwrite existing packages. To overwrite existing
packages, you must first delete existing packages.

Usage

cppkg add <package-full-path | CD drive>

Options

TABLE 18-58 cppkg add options

parameter          meaning
package-full-path  If the package to be added to the repository is on a local disk
                   or network drive, type the full path to the package.
CD drive           If the package to be added to the repository is on a CD:
                   For Windows machines type the CD drive letter, e.g. d:\
                   For UNIX machines, type the CD root path, e.g.
                   /caruso/image/CPsuite-NG/FP2
                   You will be asked to specify the product and appropriate
                   Operating System (OS).


Example

[d:\winnt\fw1\ng\bin]cppkg add l:\CPsuite-NG_FP2\

Select product name :
--------------------
(1) SVNfoundation
(2) firewall
(3) floodgate
(4) rtm
(5) policyserver

(e) Exit

Enter your choice : 1

Select OS :
------------------
(1) solaris
(2) linux
(3) win32

(e) Exit

Enter your choice : 1

Select SP :
------------------
(1) FCS_FP1
(2) FCS
(3) FP2

(e) Exit

Enter your choice : 3

You chose to add 'SVNfoundation solaris FP2', Is this correct? [y/n] : y

Package added to repository.

cppkg del
The command is used to delete a product package from the repository. To delete a package,
• type cppkg del and follow the menu instructions (recommended), or
• type the cppkg del command with the parameters specified in TABLE 18-59 on page 647.

Note - It is not possible to undo the cppkg del command.

For general information about cppkg commands, see “cppkg Overview” on page 643.


Usage

cppkg del [<vendor> <product> <version> <os> [sp]]

Options

TABLE 18-59 cppkg del options

parameter  meaning
vendor     Package vendor (e.g. checkpoint).
product    Package name. Options are: SVNfoundation, firewall, floodgate.
version    Package version (e.g. NG).
OS         Package Operating System. Options are: win32 for Windows NT and
           Windows 2000, solaris, hpux, ipso, aix, linux.
SP         Package service pack (e.g. fcs for NG FP2 initial release, FP1, FP2
           etc.). This parameter is optional. Its default is fcs.


Example

count:root(su) [/opt/CPfw1-50/bin] # cppkg del

Getting information from package repository. Please wait ...

Select package:
--------------------
(0) Delete all
(1) SVNfoundation solaris checkpoint NG FCS_FP1
(2) firewall solaris checkpoint NG FCS_FP1
(3) floodgate win32 checkpoint NG FP2
(4) rtm win32 checkpoint NG FP2
(5) policyserver win32 checkpoint NG FP2
(6) SVNfoundation win32 checkpoint NG FP2
(7) firewall win32 checkpoint NG FP2
(8) SVNfoundation solaris checkpoint NG FP2
(9) firewall solaris checkpoint NG FP2
(10) policyserver solaris checkpoint NG FP2
(11) floodgate solaris checkpoint NG FP2
(12) rtm solaris checkpoint NG FP2

(e) Exit

Enter your choice : 1

You chose 'SVNfoundation solaris checkpoint NG FCS_FP1', Is this correct?
[y/n] : y

Package removed from repository.

cppkg print (search)
The command is used to list the contents of the Product Repository.
Use cppkg print (also known as cppkg search) to see the product ID strings required to install
a product package using the cprinstall command, or to delete a package using the cppkg del
command.
For general information about cppkg commands, see “cppkg Overview” on page 643.


Usage

cppkg print

Example

[d:\winnt\fw1\ng\bin]cppkg print

Getting information from package repository. Please wait ...

Vendor     Product       Version OS    SP      Description
-------------------------------------------------------------
checkpoint SVNfoundation NG      win32 FCS_FP1 SVN foundation NG Feature Pack 1 for 4.1 upgrade
checkpoint SVNfoundation NG      win32 FP1     SVN foundation Feature Pack 1 for NG upgrade

cppkg setroot
The command is used to create a new repository root directory location, and to move existing
product packages into the new repository.
The default Product Repository location is created when the SmartCenter Server is installed.
On Windows machines the default location is C:\SUroot and on UNIX it is /var/SUroot. Use
this command to change the default location.

Note - It is important to reboot the SmartCenter Server after performing this command, in
order to set the new $SUROOT environment variable.

When changing the repository root directory:
• The contents of the old repository are copied into the new repository.
• The $SUROOT environment variable gets the value of the new root path.
• A product package in the new location will be overwritten by a package in the old
location, if the packages are the same (that is, they have the same ID strings).
The repository root directory should have at least 200 Mbyte of free disk space.
For general information about cppkg commands, see “cppkg Overview” on page 643.


Usage

cppkg setroot <repository-root-directory-full-path>

Options

TABLE 18-60 cppkg setroot options

parameter                            meaning
repository-root-directory-full-path  The desired location for the Product Repository.

Example

# cppkg setroot /var/new_suroot
Repository root is set to : /var/new_suroot/

Note : When changing repository root directory :
1. Old repository content will be copied into the new repository.
2. A package in the new location will be overwritten by a package
in the old location, if the packages have the same name.

Change the current repository root ? [y/n] : y

The new repository directory does not exist. Create it ? [y/n] : y

Repository root was set to : /var/new_suroot

Notice : To complete the setting of your repository directory,
reboot the machine!

cppkg getroot
The command is used to find out the location of the Product Repository.
The default Product Repository location on Windows machines is C:\SUroot. On UNIX it is
/var/SUroot

For general information about cppkg commands, see “cppkg Overview” on page 643.


Usage

cppkg getroot

Example

# cppkg getroot
Current repository root is set to : /var/suroot/

Remote installation

cprinstall upgrade page 651
cprinstall verify_upgrade page 652
cprinstall install page 653
cprinstall uninstall page 654
cprinstall boot page 658
cprinstall get page 656
cprinstall verify page 657
cprinstall stop page 659

cprinstall Overview
Use cprinstall commands to perform remote installation of product packages, and associated
operations.
On the SmartCenter Server, SmartUpdate cprinstall commands require:
• an NG FP1 SmartCenter Server.
• a separate license installed, in addition to the SmartCenter Server license. You must have
one of the following SKUs:
CPMP-SUP-1-NG
CPMP-SUP-U-NG
On the remote Check Point Nodes the following are required:
• There must be Trust between the SmartCenter Server and the Check Point Node.
• cpd must run.
• The cprid remote installation daemon must run. cprid is available on VPN-1/FireWall-1 4.1
SP2 and higher, and as part of SVN Foundation for NG and higher.

cprinstall upgrade
Use the cprinstall upgrade command to upgrade all products on a Check Point Node to the
latest version.
All products on the Check Point Node must be NG FP1 or higher.


When cprinstall upgrade is run, the command verifies which products are installed on the
Check Point Node, and that there is a matching product package in the Product Repository
with the same OS.
If the verification is successful, the product package is installed on the remote Check Point
Node. Otherwise, an explanatory message gives the reason for the failure.

Usage

cprinstall upgrade [-boot] <object name>

Options

TABLE 18-61 cprinstall upgrade options

parameter    meaning
-boot        Boot the remote Check Point Node after completing the remote installation.
object name  Object name of the Check Point Node, defined in the SmartDashboard.

cprinstall verify_upgrade
Use the cprinstall verify_upgrade command to verify, before performing the upgrade, that all
products on a Check Point Node can be upgraded to the latest version.
This command is automatically performed by the cprinstall upgrade command.
All products on the Check Point Node must be NG FP1 or higher.
When the command is run, it verifies which products are installed on the Check Point Node,
and that there is a matching product package in the Product Repository with the same OS.
A message reports on the results of the verification.


Usage

cprinstall verify_upgrade <object name>

Options

TABLE 18-62 cprinstall verify_upgrade options

parameter    meaning
object name  Object name of the Check Point Node, defined in the SmartDashboard.

cprinstall install
The cprinstall install command is used to install Check Point products on remote Check Point
Nodes.
To install a product package you must specify a number of options. Use the cppkg search
command (see “cppkg print (search)” on page 648) and copy the required options.
When running this command, it is highly recommended to boot the remote Check Point Node
by specifying the -boot option.
Before transferring any files, this command runs the cprinstall verify command to verify that the
Operating System is appropriate and that the product is compatible with previously installed
products.
For general information about cprinstall commands, see “cprinstall Overview” on page 651.


Usage

cprinstall install [-boot] <Object name> <vendor> <product> <version> [sp]

Options

TABLE 18-63 cprinstall install options

parameter    meaning
-boot        Boot the remote computer after installing the package.
             Note - Only boot after ALL products have the same version, either NG
             or NG FP1. Boot will be cancelled in certain scenarios. See the
             Release Notes for details.
Object name  Object name of the Check Point Node defined in the SmartDashboard.
vendor       Package vendor (e.g. checkpoint)
product      Package name. Options are: SVNfoundation, firewall, floodgate.
version      Package version (e.g. NG FP2)
sp           Package service pack (e.g. fcs for NG FP2 initial release, FP1 for NG
             Feature Pack 1.)

Example

# cprinstall install -boot nudge checkpoint firewall NG FP1

Installing firewall NG FP1 on nudge...
Info : Testing Check Point Node
Info : Test completed successfully.
Info : Transfering Package to Check Point Node
Info : Extracting package on Check Point Node
Info : Installing package on Check Point Node
Info : Product was successfully applied.
Info : Rebooting the Check Point Node
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Node
Info : Operation completed successfully.

cprinstall uninstall
The cprinstall uninstall command is used to uninstall products on remote Check Point
Nodes.
To uninstall a product package you must specify a number of options. Use the cppkg search
command (see “cppkg print (search)” on page 648) and copy the required options.


When running this command, it is highly recommended to boot the remote Check Point Node
by specifying the -boot option.
Before uninstalling any files, this command runs the cprinstall verify command to verify
that the Operating System is appropriate and that the product is installed.
After uninstalling, retrieve the Check Point Node data by running cprinstall get (see
“cprinstall get” on page 656), or from the SmartUpdate GUI.
For general information about cprinstall commands, see “cprinstall Overview” on page 651.

Usage

cprinstall uninstall [-boot] <Object name> <vendor> <product> <version> [sp]

Options

TABLE 18-64 cprinstall uninstall options

parameter    meaning
-boot        Boot the remote computer after installing the package.
             Note - Only boot after ALL products have the same version, either NG
             or NG FP1. Boot will be cancelled in certain scenarios. See the
             Release Notes for details.
Object name  Object name of the Check Point Node defined in the SmartDashboard.
vendor       Package vendor (e.g. checkpoint)
product      Package name. Options are: SVNfoundation, firewall, floodgate.
version      Package version (e.g. NG)
sp           Package service pack (e.g. fcs for NG FP2 initial release, FP1 for NG
             Feature Pack 1.)


Example

# cprinstall uninstall nudge checkpoint firewall NG FP1

Uninstalling firewall NG FP1 from nudge...
Info : Removing package from Check Point Node
Info : Product was successfully applied.
Operation Success.Please get network object data to complete the
operation.

cprinstall get
The cprinstall get command is used to obtain details of the products and the Operating
System installed on the specified Check Point Node, and to update the database.
For general information about cprinstall commands, see “cprinstall Overview” on page 651.

Usage

cprinstall get <Object name>

Options

TABLE 18-65 cprinstall get options

parameter    meaning
Object name  The object name of the Check Point Node defined in the SmartDashboard.


Example

[c:\winnt\fw1\5.0\bin]cprinstall get fred

Getting information from fred...

Operating system Version SP
--------------------------------------------------------------------
solaris          5.7     fcs

Vendor     Product          Version SP
--------------------------------------------------------------------
CheckPoint VPN-1/FireWall-1 NG      fcs
CheckPoint SVNfoundation    NG      fcs
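The sections on cppkg print, cprinstall install and cprinstall get describe one workflow: copy the ID strings from the repository listing, check that the package's OS matches the node, and decide whether -boot is safe. The following is an added example (not Check Point code or part of this guide) that does exactly that from the two command outputs, without running either command. Both outputs are constructed samples in the layouts shown above; the repository rows other than the two from the cppkg print example are invented, and the -boot rule is this example's reading of the note in TABLE 18-63.

```python
"""Assemble a cprinstall install command line from cppkg print and
cprinstall get output.

Added example; not Check Point code. It follows the workflow the guide
describes: take the ID strings (vendor, product, version, OS, SP) from
`cppkg print`, take the node's OS and installed products from
`cprinstall get`, keep only a package whose OS matches the node, and add
-boot only when every product on the node will be at the same version/SP
afterwards (this example's reading of the guide's note on -boot). Both
outputs below are constructed samples; nothing here runs the commands.
"""

CPPKG_PRINT = """\
Getting information from package repository. Please wait ...

Vendor Product Version OS SP Description
-------------------------------------------------------------
checkpoint SVNfoundation NG win32 FCS_FP1 SVN foundation NG Feature Pack 1 for 4.1 upgrade
checkpoint SVNfoundation NG win32 FP1 SVN foundation Feature Pack 1 for NG upgrade
checkpoint SVNfoundation NG solaris fcs SVN foundation NG
checkpoint SVNfoundation NG solaris FP1 SVN foundation Feature Pack 1 for NG upgrade
checkpoint firewall NG solaris FP1 VPN-1/FireWall-1 Feature Pack 1
"""

CPRINSTALL_GET = """\
Getting information from fred...

Operating system Version SP
--------------------------------------------------------------------
solaris 5.7 fcs

Vendor Product Version SP
--------------------------------------------------------------------
CheckPoint VPN-1/FireWall-1 NG fcs
CheckPoint SVNfoundation NG fcs
"""


def parse_cppkg_print(text):
    """Repository packages as dicts; the description column may contain spaces."""
    packages = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5 or fields[0] in ("Vendor", "Getting") \
                or fields[0].startswith("-"):
            continue
        vendor, product, version, os_name, sp = fields[:5]
        packages.append({"vendor": vendor, "product": product, "version": version,
                         "os": os_name, "sp": sp,
                         "description": fields[5] if len(fields) > 5 else ""})
    return packages


def parse_cprinstall_get(text):
    """Return (os_info, installed_products) from cprinstall get output."""
    os_info, products, section = None, [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("-") or fields[0] == "Getting":
            continue
        if fields[0] == "Operating":      # "Operating system Version SP" header
            section = "os"
        elif fields[0] == "Vendor":       # "Vendor Product Version SP" header
            section = "products"
        elif section == "os":
            os_info = {"os": fields[0], "version": fields[1], "sp": fields[2]}
        elif section == "products":
            products.append({"vendor": fields[0], "product": fields[1],
                             "version": fields[2], "sp": fields[3]})
    return os_info, products


def plan_install(node, get_output, repo_output, product, version, sp="fcs"):
    """Argument list for cprinstall install, or None if no package fits the node."""
    os_info, installed = parse_cprinstall_get(get_output)
    matches = [p for p in parse_cppkg_print(repo_output)
               if (p["product"], p["version"], p["sp"], p["os"])
               == (product, version, sp, os_info["os"])]
    if not matches:
        return None
    pkg = matches[0]
    # Boot only if every other installed product is already at the target
    # version/SP, so that after this install all products match.
    others = [p for p in installed if p["product"] != product]
    boot = all(p["version"] == version and p["sp"] == sp for p in others)
    argv = ["cprinstall", "install"] + (["-boot"] if boot else [])
    return argv + [node, pkg["vendor"], pkg["product"], pkg["version"], pkg["sp"]]


if __name__ == "__main__":
    print(plan_install("fred", CPRINSTALL_GET, CPPKG_PRINT, "SVNfoundation", "NG", "FP1"))
```

A None result means the repository holds no package with that product, version, SP and OS, which is the same mismatch cprinstall verify would report; resolving it in the plan step avoids transferring files that will be rejected.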

cprinstall verify
The cprinstall verify command is used to verify whether a specific product can be installed
on the remote Check Point Node. It verifies that the Operating System and currently installed
products are appropriate for the package, that there is enough disk space to install the
product, and that there is a CPRID connection.
For general information about cprinstall commands, see “cprinstall Overview” on page 651.


Usage

cprinstall verify <Object name> <vendor> <product> <version> [sp]

Options

TABLE 18-66 cprinstall verify options

parameter    meaning
Object name  Object name of the Check Point Node defined in the SmartDashboard.
vendor       Package vendor (e.g. checkpoint)
product      Package name. Options are: SVNfoundation, firewall, floodgate, rtm.
version      Package version (e.g. NG FP2)
sp           Package service pack (e.g. fcs for NG FP2 initial release, FP1 for NG
             Feature Pack 1.)

Example
The following examples show a successful and a failed verify operation:
• Verify succeeds:

cprinstall verify harlin checkpoint SVNfoundation NG_FP1

Verifying installation of SVNfoundation NG FP1 on harlin...
Info : Testing Check Point Node.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.

• Verify fails:

cprinstall verify harlin checkpoint SVNfoundation NG FCS_FP1

Verifying installation of SVNfoundation NG FCS_FP1 on harlin...
Info : Testing Check Point Node
Info : SVN Foundation NG is already installed on 192.168.5.134
Operation Success.Product cannot be installed, did not pass
dependency check.

cprinstall boot
The command is used to boot the remote computer. For general information about cprinstall
commands, see “cprinstall Overview” on page 651.


Usage

cprinstall boot <Object name>

Options

TABLE 18-67 cprinstall boot options

parameter    meaning
Object name  Object name of the Check Point Node defined in the SmartDashboard.

Example

# cprinstall boot harlin
Booting harlin...
Info : Rebooting the Check Point Node
Info : Checking boot status
Info : Reboot completed successfully.

cprinstall stop
The command is used to stop the operation of other cprinstall commands. In particular, this
command stops the remote installation of a product - even during transfer of files, file
extraction, and pre-installation verification. The operation can be stopped at any time up to the
actual installation.
cprinstall stop can be run from one command prompt to stop a running operation at
another command prompt.
For general information about cprinstall commands, see “cprinstall Overview” on page 651.


Usage

cprinstall stop <Object name>

Options

TABLE 18-68 cprinstall stop options

parameter    meaning
Object name  Object name of the Check Point Node defined in the SmartDashboard.

Example

[c:\winnt\fw1\5.0\bin] cprinstall stop Check Point Node01
Info : Stop request sent

cprinstall (cpstart/cpstop)
This variant of the cprinstall command does not install software; it enables running the
cpstop and cpstart commands remotely.
All products on the Check Point Node must be NG FP1 or higher.

Usage

cprinstall cpstart <object name>
cprinstall cpstop <-proc | -nopolicy> <object name>
cprinstall cprestart <object name>

Options

TABLE 18-69 cprinstall remote cpstop/cpstart options

parameter                   meaning
cpstart                     Run cpstart on the remote Check Point Node (see “cpstart” on
                            page 553).
cpstop <-proc | -nopolicy>  Run cpstop on the remote Check Point Node. The -proc and
                            -nopolicy arguments have the same meaning here as they have
                            for the cpstop command (see “cpstop” on page 553).
cprestart                   Run cpstop followed by cpstart on the remote Check Point Node.
object name                 Object name of the Check Point Node, defined in the
                            SmartDashboard.


VPN-1 Accelerator Card

In This Section

vpn accel page 661
lunadiag page 661

vpn accel
If a VPN-1 Accelerator Card is installed, it is enabled by default when VPN-1/FireWall-1 starts.
You can also enable or disable it manually as well as obtain its status using vpn accel.
When you enable or disable the VPN-1 Accelerator Card, current connections are not dropped.
Instead, encryption continues in the hardware or software, accordingly.

Usage

vpn accel on | off | stat [-l]

Options

TABLE 18-70 vpn accel options

parameter  meaning
on         Enable VPN-1 Accelerator Card.
off        Disable VPN-1 Accelerator Card.
stat       Obtain the status of the VPN-1 Accelerator Card.
-l         Report the status of the VPN-1 Accelerator Card using long format.

lunadiag
A software diagnostics utility specific to the Luna accelerator card is available in the Luna
package. The utility is documented in the file lunadiag.txt.
The locations of these files are given in TABLE 18-71.

TABLE 18-71 File Locations

file           location
executable     • Solaris — $FWDIR/bin/lunadiag
               • NT — $FWDIR\bin\lunadiag.exe
documentation  • Solaris — $FWDIR/doc/lunadiag.txt
               • NT — $FWDIR\doc\lunadiag.txt

lunadiag should show firmware version 1.24.


To determine the VPN-1 Accelerator Card driver version, enter the following command:

Solaris

modinfo | grep luna

The version number should be 3.9a.

NT
In the Explorer, right-click on C:\WINNT\system32\drivers\LunaVPN.sys. The version
number, displayed in the Properties tab, should be 3.9a.

VPN Commands
vpn command-line commands can be used to obtain information about VPN activities, and to
start specific VPN services. These commands are performed by the vpnd daemon, which is
responsible for all VPN and encryption activities.

In This Section

vpn ver page 662
vpn debug page 662
vpn drv page 663
vpn intelrng page 663

vpn ver
vpn ver displays the VPN-1 major version number, the build number, and a copyright notice.
Usage and options are the same as for “fwm ver” on page 569.

vpn debug
Debug the VPN-1 daemon.


Usage

vpn debug on | off | ikeon | ikeoff

Options

TABLE 18-72 vpn debug

parameter      meaning
on             Start debug mode
off            Stop debug mode
ikeon, ikeoff  ikeon starts and ikeoff stops IKE logging to the IKE.elg file.
               IKE logs are analyzed by IKEView.exe (a utility used by Check
               Point Support)

vpn drv
Installs the VPN-1 kernel (vpnk) and connects to the FireWall-1 kernel (fwk).

Usage

vpn drv on | off | stat

Options

TABLE 18-73 vpn drv

parameter  meaning
on         Start the VPN-1 kernel
off        Stop the VPN-1 kernel
stat       Status of the VPN-1 kernel, whether it is on or off

vpn intelrng
vpn intelrng displays the status of the Intel RNG (random number generator). This command
is a Windows NT and Windows 2000 only command.


Usage

vpn intelrng

Examples

#vpn intelrng
Using Intel(R) Security Driver.

#vpn intelrng
Intel(R) Security Driver not detected.

Daemons

In This Section

Check Point Remote Installation Daemon (cprid) page 664
CPsyslogD page 664

Check Point Remote Installation Daemon (cprid)
The Check Point Remote Installation Daemon (cprid) allows for the remote upgrade and
installation of products. It is part of the SVN Foundation. In Windows it is a service.
To stop cprid:

cpridstop

To restart cprid:

cpridstart

cprid is independent of cpstart and cpstop (see page 553).

CPsyslogD
CPsyslogD enables the Check Point logging mechanism to process syslog logs from hardware
devices whose architecture is not supported by OPSEC and can therefore not utilize ELA.
To enable CPsyslogD, check Accept Syslog messages in the Management - Logging Policy
page of the Module’s Global Properties window.
The main reason for this daemon is to allow processing of logs from hardware devices working
with architectures that OPSEC does not support. They cannot use ELA but they want to use the
Check Point logging mechanism. For example, hardware high-availability vendors must send
logs to the Check Point logging mechanism (certification requirement), but they do not have
ELA working on their architecture.


CPSyslogD
The Syslog daemon resides in every VPN/FireWall module. If enabled, it works in parallel to
the local Syslog Daemon (in Unix machines; in other machines it will be the only Syslog
Daemon). The local syslog daemon handles local logs, and the CPSyslogD handles all incoming
logs (through UDP port 514).

Syslog
Syslog is a simple standard. It defines the port and protocol of Syslog (UDP Port 514). It also
defines a “Priority + Facility” number that differentiates between logs; the rest of the log is
free text.
Unix machines have a syslog daemon that processes internal logs (for example, kernel logs) and
external logs (via UDP Port 514). The syslog daemon sends these logs to different logging files
(for example, “/var/log/messages”), sends alerts to different users, etc.

The logs look like this:

(Priority)CP5000:Token1=Value1;Token2=Value2...

Where:
Priority - A number representing the priority
CP5000 - Magic number identifying CPSyslogD logs

TABLE 18-74 syslog

Token     Possible Values  Meaning
Product   String           Product Name
Alert     0,1              Alert=1 means issue an alert
Protocol  TCP/UDP/ICMP
src       IP string        The Source IP
service   Port Number
S_port    Port Number      Source port
Message   String
All other info is written to the Message field of the log.
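The line format and token table above are enough to write a decoder for what CPSyslogD receives, which is useful when checking what a device actually sends before relying on it for alerting. The following is an added example, not Check Point code: it splits a line into the TABLE 18-74 fields, folds any unknown token into the Message field as the text states, and collects the sources that set Alert=1. It assumes the priority arrives in the standard syslog "<PRI>" prefix (facility = PRI // 8, severity = PRI % 8); the sample lines and the product name in them are constructed.

```python
"""Decode CPSyslogD lines into the TABLE 18-74 fields.

Added example, not Check Point code. It parses the line layout the guide
gives, (Priority)CP5000:Token1=Value1;Token2=Value2..., and folds any token
that is not in the table into the Message field, as the guide states.
Assumption: the priority is carried in the standard syslog "<PRI>" prefix,
so facility = PRI // 8 and severity = PRI % 8. The sample lines and the
product name in them are constructed.
"""
MAGIC = "CP5000"
TABLE_TOKENS = ("Product", "Alert", "Protocol", "src", "service", "S_port", "Message")

# Constructed samples: two CPSyslogD records and one ordinary syslog line.
SAMPLE_LINES = [
    "<14>CP5000:Product=HA-Box;Alert=0;Protocol=TCP;src=10.1.2.3;"
    "service=443;S_port=51234;Message=failover probe ok",
    "<12>CP5000:Product=HA-Box;Alert=1;Protocol=UDP;src=10.1.2.9;"
    "service=514;S_port=514;Message=peer lost;Node=ha-2",
    "<13>sshd[123]: not a CPSyslogD record",
]


def parse_cp_syslog(line):
    """Return a dict for one CPSyslogD line, or None if it is not one."""
    if not line.startswith("<") or ">" not in line:
        return None
    close = line.index(">")
    try:
        pri = int(line[1:close])
    except ValueError:
        return None
    body = line[close + 1:]
    if not body.startswith(MAGIC + ":"):
        return None  # no magic number: not a CPSyslogD log
    record = {"priority": pri, "facility": pri // 8, "severity": pri % 8,
              "Message": ""}
    extra = []
    for item in body[len(MAGIC) + 1:].split(";"):
        if "=" not in item:
            continue
        token, value = item.split("=", 1)
        if token == "Message":
            record["Message"] = value
        elif token in TABLE_TOKENS:
            record[token] = int(value) if token == "Alert" and value.isdigit() else value
        else:
            extra.append(item)  # "All other info" goes to the Message field
    if extra:
        record["Message"] = " ".join([record["Message"]] + extra).strip()
    return record


def alerting_sources(lines):
    """Source IPs of records that asked for an alert (Alert=1)."""
    out = []
    for line in lines:
        rec = parse_cp_syslog(line)
        if rec and rec.get("Alert") == 1:
            out.append(rec.get("src"))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_cp_syslog(line))
    print("alerting:", alerting_sources(SAMPLE_LINES))
```

Because the transport is UDP (see the note under Syslog Configuration), a decoder like this can tell you what arrived but not what was dropped; count records per source over time if delivery gaps matter.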

Syslog Configuration
• Check Accept Syslog messages in the Management - Logging Policy page of the
Module’s Properties window.


• Define a Security Policy rule that allows UDP port 514 communication from the desired
device to the Module

Note - Syslog logs are not entirely reliable because they use UDP protocol, which does
not guarantee the delivery of the packets.

FloodGate-1
For more on FloodGate-1 commands, see the FloodGate-1 Administration Guide.

SmartView Monitor

rtmstart page 666
rtmstop page 666
rtm d page 667
rtm debug page 667
rtm drv page 667
rtm ver page 668
rtm stat page 668
rtm monitor — Interface Monitoring page 668
rtm monitor — Virtual Link Monitoring page 671

Following are the commands that are unique to SmartView Monitor. Commands that are shared
with other Check Point products are listed elsewhere in this guide.

rtmstart
rtmstart loads the RTM kernel module and starts the RTM daemon.

Usage

rtmstart

rtmstop
rtmstop kills the RTM daemon and then unloads the RTM kernel module.


Usage

rtmstop

rtm d
rtm d starts the rtm daemon manually (this occurs automatically when you run rtmstart).

Usage

rtm d

rtm debug
rtm debug sends debug printouts to the file $FWDIR/log/rtmd.elg.

Usage

rtm debug <on | off>

Options

TABLE 18-75 rtm debug

parameter  meaning
on         Start debug mode
off        Stop debug mode

rtm drv
rtm drv starts, stops or checks the status of the RTM kernel driver.


Usage

rtm drv <on | off | stat>

Options

TABLE 18-76 rtm drv

parameter meaning
on Start the RTM kernel driver
off Stop the RTM kernel driver
stat Status of the RTM kernel driver

rtm ver
rtm ver displays the RTM version.

Usage

rtm ver [-k]

Options

TABLE 18-77 rtm ver

parameter meaning
-k Also displays the RTM kernel version

rtm stat
rtm stat displays general RTM status, including the status of the daemon, driver, and active
virtual links.

Usage

rtm stat

rtm monitor — Interface Monitoring
rtm monitor starts monitoring and specifies parameters for monitoring an interface.


Usage

rtm monitor module-name interface-name [options] [entities]

Options

TABLE 18-78 rtm monitor - Interface Monitoring

parameter       meaning
module-name     The name of the monitored RTM Module
interface-name  The name of the monitored interface. To monitor all of the module’s
                interfaces, use interface-name ‘any’.
-d              Specifies one of the following monitoring directions.
                • inbound — monitor in the inbound direction
                • outbound — monitor in the outbound direction
                • eitherbound — monitor in both directions
                The default is eitherbound.
-y              Specifies one of the following measurement units.
                • bytes — data transfer rate
                • pkts — packets per second
                • line — percent line utilization
                The following measurement options work only with the ‘top’ grouping
                options (see -g below):
                • B — total bytes, from the beginning of the monitoring session
                • c — new connections opened per second
                • C — total connections opened, from the beginning of the monitoring
                session
                The default is bytes.

-a              • aggregate — display connections of a specific type as an aggregate
                • individual — display connections of a specific type individually
                The default is aggregate.
-g              Specifies one of the following grouping options for monitored traffic.
                • svc — monitor by service
                • src — monitor by network object, source only
                • dst — monitor by network object, destination only
                • ip — monitor by network object, source and destination
                • fgrule — monitor by QoS Policy rule
                • topsvc — monitor traffic of the top 50 services
                • topsrc — monitor traffic from the top 50 sources
                • topdst — monitor traffic to the top 50 destinations
                • topdst — monitor traffic to or from the top
-p <y|n>        Specifies whether or not thousands will be separated by commas.
                • -p y — e.g. 1,000
                • -p n — e.g. 1000
                The default is -p y.

Entities
The specified entities should correspond to the specified grouping option. For example, if
monitoring is by service (svc), all the services to be monitored should be listed, separated by
single spaces.
When monitoring by QoS Policy rule (fgrule), ‘rule@@subrule’ should be used to specify a
subrule entity.
The ‘top’ grouping options do not need their entities specified, as they automatically monitor
the top 50 entities according to the specified group.


Example

The following command will display monitoring data in total bytes for the top 50 services
passed on interface hme1.

rtm monitor localhost hme1 -g topsvc -y B

rtm monitor — Virtual Link Monitoring
rtm monitor starts monitoring and specifies parameters for monitoring a Virtual Link.

Usage

rtm monitor module-name -v virtual-link-name [options]

Options

Reporting Tool Commands

In This Section

Starting the Reporting Tool page 671
Scheduling and Distributing Reports and Replacing the Management page 672
Generating Reports page 678

Starting the Reporting Tool

RTClient.exe
RTClient.exe is executed from <Management Clients directory>.


Syntax

RTClient.exe <reporting server> <user name> <password>

Parameters

parameter meaning
reporting server name or IP address of the Reporting Server
user name user name
password login password
Note - If the above parameters are not specified, the command starts the Reporting
Tool login window.

Scheduling and Distributing Reports and Replacing the Management

Reporting Command Client (rtcommand)
rtcommand enables you to execute scheduling, distribution and Check Point Management Server
replacement commands. rtcommand tries to register the specified request on the Reporting
Server, and reports whether the registration succeeded (“Reporting Server successfully registered
request”) or failed (for example, when the Reporting Server is down, rtcommand displays the
following message: “Error: Failed to connect to server.”). To see whether the Reporting Server
succeeded or failed to carry out the request, check the Log File.
rtcommand is executed from the <Reporting Module directory>.

In This Section

Printing Module Version page 673
Immediate Report Distribution page 673
Monthly Report page 673
Weekly Report page 674
Daily Report page 675
Delayed Report Activation page 677
Remove Schedule page 677
Remove All Schedules page 677
Change Management Configuration page 678


Printing Module Version

Syntax

rtcommand ver

Parameters

parameter meaning
ver Print module version

Immediate Report Distribution

Syntax

rtcommand RPF

Parameters

parameter meaning
RPF The Run Time Parameters file

Monthly Report

Syntax

rtcommand RPF -monthly month_day -tm hh:mm [-n schedule_name] [-sd mm/dd/yyyy] [-ed mm/dd/yyyy]


Parameters

parameter           meaning
RPF                 The Run Time Parameters file
-monthly month_day  A monthly report, where month_day is the day of the month on
                    which the report is to be generated. month_day is a number
                    between 1-31. If the month ends before month_day, the last day
                    of the month is taken, so 31 ensures that you get the last day
                    of every month.
-tm hh:mm           Report time: hh - 2 digits of the hour (00-23), mm - 2 digits
                    of the minutes (00-59)
[-n schedule_name]  Associate a name with the report (Schedule name is unique per
                    Report Definition, while different Report Definitions can have
                    schedules with identical names).
[-sd mm/dd/yyyy]    Start date for the schedule rule: mm - 2 digits of the month
                    (01-12), dd - 2 digits of the month day (01-31), yyyy - 4
                    digits of the year.
[-ed mm/dd/yyyy]    End date for the schedule rule: mm - 2 digits of the month
                    (01-12), dd - 2 digits of the month day (01-31), yyyy - 4
                    digits of the year.

Weekly Report

Syntax

rtcommand RPF -weekly weekday -tm hh:mm [-n schedule_name] [-sd mm/dd/yyyy] [-ed mm/dd/yyyy]


Parameters

parameter meaning
RPF The Run Time Parameters file
-weekly weekday Weekly report. Weekday is a string of the weekday name.
The name is not case sensitive. Example: sun, Sun, sunday
and Sunday are all equivalent.
-tm hh:mm Report time: hh - 2 digits of the hour (00-23),
mm - 2 digits of the minutes (00-59).
[-n schedule_name] Associate a name with the report (Schedule name is
unique per Report Definition, while different Report
Definitions can have schedules with identical names).
[-sd mm/dd/yyyy] Start date for the schedule rule:
mm - 2 digits of the month (01-12).
dd - 2 digits of the month day (01-31).
yyyy - 4 digits of the year.
[-ed mm/dd/yyyy] End date for the schedule rule.
mm - 2 digits of the month (01-12)
dd - 2 digits of the month day (01-31)
yyyy - 4 digits of the year

Daily Report

Syntax

rtcommand RPF -daily -tm hh:mm [-n schedule_name] [-sd mm/dd/yyyy] [-ed mm/dd/yyyy]

Parameters

parameter meaning
RPF The Run Time Parameters file
-daily Daily report
-tm hh:mm Report time: hh - 2 digits of the hour (00-23),
mm - 2 digits of the minutes (00-59).


parameter meaning
[-n schedule_name] Associate a name with the report (Schedule name is
unique per Report Definition, while different Report
Definitions can have schedules with identical names).
[-sd mm/dd/yyyy] Start date for the schedule rule:
mm - 2 digits of the month (01-12).
dd - 2 digits of the month day (01-31).
yyyy - 4 digits of the year.
[-ed mm/dd/yyyy] End date for the schedule rule.
mm - 2 digits of the month (01-12)
dd - 2 digits of the month day (01-31)
yyyy - 4 digits of the year


Delayed Report Activation

Syntax

rtcommand RPF -runonce -tm hh:mm -sd dd/mm/yyyy [-n schedule_name]

Parameters

parameter meaning
RPF The Run Time Parameters file
-runonce A delayed report.
-tm hh:mm Report time: hh - 2 digits of the hour (00-23),
mm - 2 digits of the minutes (00-59).
-sd dd/mm/yyyy The date on which the report is to run:
dd - 2 digits of the month day (01-31).
mm - 2 digits of the month (01-12).
yyyy - 4 digits of the year.
Note that the day-first order shown here differs from the
mm/dd/yyyy order used by the other schedule commands. A value
such as 03/09/2002 is accepted in either order but names a
different day, so confirm in the Log File that the report ran on
the intended date.
[-n schedule_name] Associate a name with the report (Schedule name is
unique per Report Definition, while different Report
Definitions can have schedules with identical names).
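The four schedule forms above (-monthly, -weekly, -daily and -runonce) share the same time and date arguments and the -monthly clamping rule. The following Python helpers are an added example, not code from the Check Point product or this manual: they validate those arguments the way the parameter tables describe (two-digit fields, month_day clamped to the last day of shorter months, case-insensitive and abbreviated weekday names) and compute the dates on which a monthly or weekly schedule fires. The function names, the mm/dd/yyyy-only date handling and the argv assembly are this example's assumptions.

```python
"""Added example, not part of the Check Point manual or product: validation
helpers and next-run computation for the rtcommand schedule options.
Assumptions (from the parameter tables above): dates are mm/dd/yyyy, times
are hh:mm, month_day is 1-31 and is clamped to the last day of shorter
months, weekday names are case-insensitive and may be abbreviated."""
import calendar
import re
from datetime import date, time, timedelta

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday",
            "friday", "saturday", "sunday"]
_DATE_RE = re.compile(r"^(\d{2})/(\d{2})/(\d{4})$")
_TIME_RE = re.compile(r"^(\d{2}):(\d{2})$")


def parse_schedule_date(text):
    """Strictly parse an -sd/-ed value: 2-digit month, 2-digit day, 4-digit year."""
    m = _DATE_RE.match(text)
    if not m:
        raise ValueError(f"date must be mm/dd/yyyy: {text!r}")
    month, day, year = (int(g) for g in m.groups())
    return date(year, month, day)  # rejects impossible dates such as 02/30/2002


def parse_report_time(text):
    """Strictly parse a -tm value: hh 00-23, mm 00-59."""
    m = _TIME_RE.match(text)
    if not m:
        raise ValueError(f"time must be hh:mm: {text!r}")
    hh, mm = int(m.group(1)), int(m.group(2))
    if not (0 <= hh <= 23 and 0 <= mm <= 59):
        raise ValueError(f"time out of range: {text!r}")
    return time(hh, mm)


def normalize_weekday(name):
    """'sun', 'Sun', 'sunday' and 'Sunday' all map to 'sunday'."""
    key = name.strip().lower()
    for full in WEEKDAYS:
        if full == key or (len(key) >= 3 and full.startswith(key)):
            return full
    raise ValueError(f"unknown weekday: {name!r}")


def monthly_run_dates(month_day, start, end):
    """Dates on which '-monthly month_day' fires between start and end
    (inclusive). A month shorter than month_day fires on its last day, so
    31 always means the last day of the month."""
    if not 1 <= month_day <= 31:
        raise ValueError("month_day must be 1-31")
    runs, year, month = [], start.year, start.month
    while (year, month) <= (end.year, end.month):
        last_day = calendar.monthrange(year, month)[1]
        run = date(year, month, min(month_day, last_day))
        if start <= run <= end:
            runs.append(run)
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return runs


def weekly_run_dates(weekday, start, end):
    """Dates on which '-weekly weekday' fires between start and end (inclusive)."""
    target = WEEKDAYS.index(normalize_weekday(weekday))
    run = start + timedelta(days=(target - start.weekday()) % 7)
    runs = []
    while run <= end:
        runs.append(run)
        run += timedelta(days=7)
    return runs


def build_rtcommand(rpf, kind, when=None, at="00:00", name=None,
                    start=None, end=None):
    """Assemble the argv for the documented schedule forms, validating every
    value first so a malformed date fails here instead of registering a
    schedule that fires on the wrong day (or never)."""
    parse_report_time(at)
    if kind == "monthly":
        if not 1 <= int(when) <= 31:
            raise ValueError("month_day must be 1-31")
        selector = ["-monthly", str(int(when))]
    elif kind == "weekly":
        selector = ["-weekly", normalize_weekday(when)]
    elif kind == "daily":
        selector = ["-daily"]
    else:
        raise ValueError(f"unknown schedule kind: {kind!r}")
    argv = ["rtcommand", rpf, *selector, "-tm", at]
    if name:
        argv += ["-n", name]
    for flag, value in (("-sd", start), ("-ed", end)):
        if value:
            parse_schedule_date(value)
            argv += [flag, value]
    return argv


if __name__ == "__main__":
    sd, ed = parse_schedule_date("01/15/2002"), parse_schedule_date("04/30/2002")
    print([d.isoformat() for d in monthly_run_dates(31, sd, ed)])
    print(build_rtcommand("summary.RPF", "weekly", "Sun", "23:30",
                          name="nightly", start="09/01/2002"))
```

The strict regular expressions matter more than they look: strptime would happily accept 9/1/2002, and a lenient parser in a wrapper script is how a schedule ends up registered for a day nobody intended.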

Remove Schedule

Syntax

rtcommand -r schedule_name

Parameters

parameter meaning
-r schedule_name Remove schedules which have schedule_name
(see -n option)

Remove All Schedules


Syntax

rtcommand -ra


Parameters

parameter meaning
-ra Remove all schedules

Change Management Configuration

Syntax

rtcommand -mh management_host | rtcommand -md

Parameters

parameter meaning
-mh management_host Associate the Reporting Server with a specific
management host (IP or name).
-md Associate the Reporting Server with the default management
machine.

Note - rtcommand exits with 0 upon successful registration.

Generating Reports

RTGen
RTGen was used in Reporting Module Version 4.1 to generate reports in the appropriate format
without distributing them. This command is still available to NG users, but is deprecated and
may not be supported in future Reporting Module versions. It is, therefore, highly
recommended to use rtcommand instead, which not only generates reports but also distributes
them to the specified targets. If you choose to continue using RTGen in an NG installation, the
Reporting Server service must be running.
RTGen is executed from <Reporting Server directory>.


Syntax

RTGen <Run Time Parameter file name> <output file name> <ascii delimiter>

Parameters

parameter meaning
Run Time Parameter absolute path to the Run Time Parameter file (*.RPF).
file name Use the path name beginning with the drive letter.
output file name the absolute path to the report results file. There is no
need to specify a file extension. The report results file
automatically receives the file extension specified in the
Target tab of the Report Definition.
If the target is File, this name is only the prefix for the
name specified in the target field.
ascii delimiter a delimiter character required for ASCII output file
formats only

Example

RTGen “c:\Program Files\CheckPoint\Reporting Module\5.0\tRPF\blockedconn271123.RPF” “c:\my reports\MonthSummary”

Reporting Server Commands

Upgrading FWR, RPF and DEF Files

UpgradeUtil
UpgradeUtil upgrades FWR (proprietary report result file), RPF (Run Time Parameters file) and
DEF (Report Definition file) files from Version 4.1 format to NG format (the source file name
extension must be .fwr, .rpf or .def, respectively).


Usage

UpgradeUtil [Source File] [Target File]

Options

TABLE 18-79 UpgradeUtil options

parameter meaning
Source File The name of the original Version 4.1 format
file.
Target File The name of the NG format file. If it is not
specified, the file is converted in place and the
original is backed up as <Original file Name>.old.

Example

UpgradeUtil abc.def

The Version 4.1 format abc.def file is converted to an NG format file with the same name
while the original file is renamed abc.def.old.

Log Consolidation Engine Commands

log_consolidator
Log Consolidation Engine commands are executed from the:
<Reporting Module directory>/log_consolidator_engine/bin directory.

Note - Commands are case sensitive.

In This Section

Version and build number page 682
Sending Commands to the Log Consolidation Engine page 682
Exporting Connection Tables Data page 682
Importing Connection Table Data page 683
Archiving Database Tables page 683
Delete Records page 684
Configure the List of Permitted Origins page 684
FireWall-1 Data page 685
Running the Log Consolidation Engine page 685

Version and build number

Syntax

log_consolidator -V

Parameters

parameter meaning
-V Show the Log Consolidation Engine version and build
number.

Sending Commands to the Log Consolidation Engine

Syntax

log_consolidator -C -m [ terminate | stop | start ]

Parameters

parameter meaning
-C -m Send a command message to the Log Consolidation
Engine.
terminate Force the Log Consolidation Engine to exit. Records that
have been consolidated but not stored are not saved.
stop Stop the Log Consolidation Engine.
start Start the Log Consolidation Engine with the last installed
Consolidation Policy.

Exporting Connection Tables Data

Syntax

log_consolidator -E -a [ Table_Name | ALL ] [-b File_Name]


Parameters

parameter meaning
-E Export connection tables data from the database to a
file.
-a [Table_Name | ALL] The name of the table, or “ALL” to specify all
tables.
[-b File_Name] The exported table is written to File_Name. If you do not
specify a file name, the default name consists of the table
name followed by the date and time of execution (for
example, CONNECTIONS26Jun2001-114739).

Importing Connection Table Data

Syntax

log_consolidator -I -a File_Name [-b Table_Name]

Parameters

parameter meaning
-I Import connection table data from a file to a table in the
Reporting Database.
-a File_Name The name of the file.
[-b Table_Name] The name of the table. If Table_Name is not specified,
the file will be imported into the table it was originally
exported from. If the original table no longer exists, the
file will be imported into a new table named after the
original one.

Archiving Database Tables

Syntax

log_consolidator -A -a Src_Table_Name -b Dest_Table_Name -s Save_From_Date


Parameters

parameter meaning
-A Archive records to the specified Database table.
-a Src_Table_Name The name of the source table.
-b Dest_Table_Name The name of the destination table.
-s Save_From_Date Archive all records previous to the specified date from the
source table to the destination table.
Save_From_Date is in dd-mm-yyyy hh:mm:ss format.

Delete Records

Syntax

log_consolidator -T -a Src_Table_Name -s Save_From_Date

Parameters

parameter meaning
-T Delete all records previous to Save_From_Date from the
specified source table. The deletion is not reversible; archive
the records first (see “Archiving Database Tables”) if they are
still needed.
-a Src_Table_Name The name of the source table.
-s Save_From_Date The cutoff date: records older than this date are deleted.
Save_From_Date is in dd-mm-yyyy hh:mm:ss format.
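The archive (-A) and delete (-T) commands above are normally run as a pair with the same Save_From_Date. The following Python script is an added example, not code from the Check Point product or this manual: it builds both command lines from a single validated cutoff, runs the archive first, and refuses to run the delete unless the archive exited with status 0, because -T removes records that exist nowhere else if the -A copy failed. The -A/-T syntax and the dd-mm-yyyy hh:mm:ss format are taken from the tables above; the table names, the cutoff and the function names are this example's assumptions.

```python
"""Added example, not part of the Check Point manual or product: a retention
job for the Log Consolidation Engine that archives records older than a
cutoff with 'log_consolidator -A' and deletes them with 'log_consolidator -T'
only if the archive step succeeded. Assumes the -A/-T syntax and the
'dd-mm-yyyy hh:mm:ss' Save_From_Date format documented above; table names
and the cutoff are illustrative."""
import re
import subprocess
from datetime import datetime

_SAVE_FROM_RE = re.compile(r"^\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}$")
_SAVE_FROM_FMT = "%d-%m-%Y %H:%M:%S"


def format_save_from(when):
    """Render a datetime as the dd-mm-yyyy hh:mm:ss string Save_From_Date expects."""
    return when.strftime(_SAVE_FROM_FMT)


def parse_save_from(text):
    """Strict inverse of format_save_from: rejects mm-dd-yyyy, a missing
    seconds field and single-digit fields that strptime would silently accept."""
    if not _SAVE_FROM_RE.match(text):
        raise ValueError(f"Save_From_Date must be dd-mm-yyyy hh:mm:ss: {text!r}")
    return datetime.strptime(text, _SAVE_FROM_FMT)


def retention_commands(src_table, archive_table, cutoff):
    """argv lists for the archive step and the delete step. Both carry the
    same Save_From_Date so the rows deleted are exactly the rows archived."""
    save_from = format_save_from(cutoff)
    archive = ["log_consolidator", "-A", "-a", src_table,
               "-b", archive_table, "-s", save_from]
    delete = ["log_consolidator", "-T", "-a", src_table, "-s", save_from]
    return archive, delete


def run_retention(src_table, archive_table, cutoff, runner=subprocess.call):
    """Archive, then delete. Returns (archive_rc, delete_rc); delete_rc is
    None when the delete was skipped. -T is irreversible and the -A copy is
    the only one being made, so a non-zero archive exit code stops the job."""
    archive, delete = retention_commands(src_table, archive_table, cutoff)
    archive_rc = runner(archive)
    if archive_rc != 0:
        return archive_rc, None
    return archive_rc, runner(delete)


if __name__ == "__main__":
    # Dry run with a fake runner so the example works without the product installed.
    def show(argv):
        print(" ".join(f'"{a}"' if " " in a else a for a in argv))
        return 0
    run_retention("CONNECTIONS", "CONNECTIONS_2002H1",
                  parse_save_from("01-07-2002 00:00:00"), runner=show)
```

Run it from <Reporting Module directory>/log_consolidator_engine/bin (where log_consolidator lives, per the note above) with the default runner to execute for real; the `runner` parameter exists so the ordering logic can be exercised without touching the database.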

Configure the List of Permitted Origins


Syntax

log_consolidator -O -r Ip1,Ip2,Ip3... | -a Ip1,Ip2,Ip3... | -o Ip1,Ip2,Ip3... | -p Ip1,Ip2,Ip3...


Parameters

parameter meaning
-O Configure the list of permitted origins.
-r Ip1,Ip2,Ip3... Remove the origins with the specified IP addresses from the
list.
-a Ip1,Ip2,Ip3... Add origins with the specified IP addresses to the list.
-o Ip1,Ip2,Ip3... Overwrite the origins currently in the list with the
specified IP addresses.
-p Ip1,Ip2,Ip3... Print the current list of origins whose IP addresses are
specified.

FireWall-1 Data

Syntax

log_consolidator -G

Parameters

parameter meaning
-G Generate data on FireWall-1 object definitions.

Running the Log Consolidation Engine

Syntax

log_consolidator -R

Parameters

parameter meaning
-R Run the Log Consolidation Engine with the last installed
Consolidation Policy.

TABLE 18-80 rtm monitor — Virtual Link Monitoring

parameter meaning
module-name The name of the monitored RTM Module
-virtual-link-name The name of the monitored Virtual Link
-d Specifies one of the following monitoring directions.
• a2b — monitor from End Point A to End
Point B
• b2a — monitor from End Point B to End
Point A
• a2b_b2a — monitor in both directions.
The default is a2b_b2a.
-y Specifies one of the following measurement units.
Required only when the -w value is bandwidth (see
-w below).
• bytes — data transfer rate
• pkts — packets per second
The default is bytes.
-w Specifies the displayed data type.
• bandwidth — display the effective bandwidth
• loss — display the difference between the
transmission rate and the receiving rate
• rtt — display the time required to make the
round trip between the End Points
The default is bandwidth.
-t Specifies the data type.
Required only when the -w value is bandwidth (see
-w above).
• wire — show the data on the wire, after
compression or encryption
• application — show the data as the
application sees it, uncompressed and unencrypted
The default is application.

OPSEC

upgrade_fwopsec
upgrade_fwopsec upgrades OPSEC configuration information on the SmartCenter Server from
pre-NG to NG format, based on the upgraded Module information.


In VPN-1/FireWall-1 NG, the fwopsec.conf file is required only for non-default
configurations. The OPSEC configuration information on Modules is upgraded automatically
when the Module is upgraded.
During the upgrade process on the Module, the original fwopsec.conf file is saved as fwopsec.v4x
and fwopsec.conf itself is modified.

If you have not changed any of the defaults, then there is no need to run the upgrade_fwopsec
command. However, if you have changed the defaults, then you should run the
upgrade_fwopsec command.

To copy the configuration information from the Module to the upgraded SmartCenter Server,
use the upgrade_fwopsec command.

Note - upgrade_fwopsec should be run on the SmartCenter Server, after the Module has
been upgraded and the file fwopsec.v4x has been created. Make sure that the
SmartDashboard application is closed before running upgrade_fwopsec.


Usage

upgrade_fwopsec [-mgmt mgmt_host] [-u user -p password] [-fwm fw_obj_name [-fetch]] -f fwopsec_file [-log log_file | -nolog]

Options

TABLE 18-81 upgrade_fwopsec options

parameter meaning
-mgmt mgmt_host The name of the SmartCenter Server (default is localhost).
-u user The administrator’s name. The administrator must have
write permission.
-p password The administrator’s password (the password used for the GUI
Management Client). A password given on the command line is
visible to other users of the SmartCenter Server in the process
list and may be recorded in the shell history, so restrict who
can run this command and clear the history afterwards.
[-fwm fw_obj_name [-fetch]] fw_obj_name is the name of the Module object (as
specified in the VPN-1/FireWall-1 SmartDashboard) to
which the configuration information applies. If -fetch is
specified, then the information will be retrieved from
fwopsec_file on the Module; otherwise
upgrade_fwopsec will retrieve it from the SmartCenter
Server (the local machine on which this command is run).
-f fwopsec_file The path to the file containing the configuration
information, usually “fwopsec.v4x”. If the -fetch option
is used, then fwopsec_file specifies the file’s path relative
to the remote Module’s $FWDIR.
[-log log_file | -nolog] Log the upgrade process to log_file (default is
$FWDIR/tmp/<fw_obj_name>.upg_opsec.log). If -nolog is
specified, the log is written to stderr instead. If the
upgrade is successful, the log is appended to
$FWDIR/tmp/mgmt.upg_opsec.log.

Glossary

Access Control List (ACL) A sequential list of permit and deny conditions that define the
connections permitted to pass through a device, usually a *router. ACL syntax is arcane and specific
to individual vendors, and a *security policy based on ACLs is difficult to maintain.
ActiveX A programming environment developed by Microsoft Corporation; a direct
competitor to Sun Microsystems’ *Java. ActiveX presents a security risk because its executable
ActiveX control files run on the client and can be used to gain illicit access to its files.
ActiveX Stripping The ability to prevent *ActiveX programs from being executed on the
client by removing all ActiveX programs from HTML pages as they are downloaded.
Address Resolution Protocol (ARP) The *protocol used inside networks to bind high
level *IP addresses to low-level physical hardware addresses.
Advanced Encryption Standard (AES) A replacement for *DES, for which the US
Commerce Department’s National Institute of Standards and Technology (NIST) issued a call in 1997.
The successful candidate, the Rijndael block cipher (pronounced “rain doll”), is supported both for VPN
Modules and VPN Clients (SecuRemote/SecureClient).
AES’s advantages are:
• a choice of key lengths (128, 192 or 256 bits); the DES key length is 56 bits and 3DES provides
security roughly equivalent to 112 bit keys
• a threefold performance improvement over 3DES
anti-spoofing A method used to protect a network against *IP spoofing attacks by verifying
that a packet’s source and destination *IP addresses are appropriate to the interface through which
the packet passes, for example, that a packet entering the local network from the outside carries an
external source IP address.
Hiding internal IP addresses with the Network Address Translation feature makes it harder for
outsiders to learn which addresses to spoof, but it does not replace per-interface anti-spoofing
checks: a forged internal source address arriving on the external interface must still be dropped.
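The check described in the entry above is a pure function of the ingress interface, the interface topology and the packet's source address. The following Python is an added example, not code from the Check Point product or this manual: it encodes a constructed topology (a private localnet behind one interface, a DMZ behind another, everything else outside) and classifies constructed sample packets as legitimate or spoofed. The interface names, networks and packets are illustrative assumptions; the rules are the ones the glossary states, plus a rejection of loopback and unspecified source addresses, which never legitimately appear on the wire.

```python
"""Added example, not part of the Check Point manual or product: an
interface-based anti-spoofing check. The topology (which networks sit behind
each gateway interface) and the sample packets are constructed for
illustration."""
import ipaddress

# Constructed topology: interface name -> networks legitimately located
# behind it. The external interface has no list: anything that is not
# behind an internal interface is "outside".
TOPOLOGY = {
    "eth1": [ipaddress.ip_network("10.1.0.0/16")],      # private localnet
    "eth2": [ipaddress.ip_network("192.168.50.0/24")],  # DMZ
}
EXTERNAL_IF = "eth0"


def _internal_networks():
    return [net for nets in TOPOLOGY.values() for net in nets]


def is_spoofed(ingress_if, src_ip):
    """True if a packet with source src_ip arriving on ingress_if cannot
    legitimately have come from there.
    - On an internal interface the source must belong to a network behind it.
    - On the external interface the source must not be an internal address,
      nor a loopback/unspecified address that never appears on the wire."""
    src = ipaddress.ip_address(src_ip)
    if ingress_if == EXTERNAL_IF:
        if src.is_loopback or src.is_unspecified:
            return True
        return any(src in net for net in _internal_networks())
    nets = TOPOLOGY.get(ingress_if)
    if nets is None:
        raise KeyError(f"unknown interface {ingress_if!r}")
    return not any(src in net for net in nets)


def audit(packets):
    """Classify (ingress, src, dst) tuples; returns (ingress, src, dst, verdict)."""
    return [(i, s, d, "SPOOFED" if is_spoofed(i, s) else "ok")
            for i, s, d in packets]


# Constructed sample packets: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("eth0", "203.0.113.7", "192.168.50.10"),  # outside -> DMZ web server: fine
    ("eth0", "10.1.4.20", "10.1.0.5"),         # internal source from outside: spoofed
    ("eth1", "10.1.4.20", "203.0.113.7"),      # localnet host going out: fine
    ("eth1", "192.168.50.10", "10.1.0.5"),     # DMZ address on localnet interface: spoofed
    ("eth0", "127.0.0.1", "10.1.0.5"),         # loopback on the wire: spoofed
]

if __name__ == "__main__":
    for row in audit(SAMPLE_PACKETS):
        print(*row)
```

The second sample packet is the case NAT alone does not catch: it carries a valid internal source address, but it arrived on the wrong interface, and only the topology-aware check notices.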
anti-virus A mechanism that provides detection, inoculation, logging and alerting capabilities
to disarm *viruses on a local disk or in files as they are transferred on the network.
API see “Application Programming Interface (API)”
application gateway A *firewall that uses *proxies to provide security.
Historically, application level gateways suited the Internet’s common uses and needs. However, as
the Internet has become a dynamic environment in which new protocols, services and applications
appear almost daily, proxies are no longer able to cope with the diversity of the Internet, or to fulfill
the new business needs, high bandwidth and security requirements of networks.

application layer The top network communication layer in a *protocol stack. The application
layer is concerned with the semantics of work, such as how to format an e-mail message for
display on the screen. A message’s routing information is processed by lower layers of the network
stack (see “layered communication model”).
Application Programming Interface (API) A well-defined set of functions, syntax or
languages that enable application programs to communicate with one another and exchange data.
ARP see “Address Resolution Protocol (ARP)”
Asynchronous Transfer Mode (ATM) A method for dynamically allocating
bandwidth using a fixed packet size (called a cell). These cells can carry data, voice, and video at
high speeds.
ATM see “Asynchronous Transfer Mode (ATM)”
audit In network security, examining and evaluating the relative security of a network.
authentication A method of verifying that an object is really what it appears to be: that a user
or a computer is not being impersonated by another user or computer, or that a message received is
the same message that was sent (that is, it has not been tampered with).
Users are authenticated by a challenge-response mechanism: the user is asked to provide information
(for example, a *password or *token) presumably known to no one else. Computers may be
authenticated in a similar way. In addition, human users can be authenticated by biometric means,
such as verifying fingerprints or retinal images.
Authenticating a message means verifying both its integrity and the sender’s identity, usually by
means of a *digital signature.
authentication algorithm An algorithm, such as MD5, used to calculate the *digital
signature by which a message’s integrity is verified. (MD5 has since been shown to be vulnerable to
collision attacks; where a stronger algorithm is offered, prefer it.)

B1, B2 level In the USA, the National Security Agency’s rating system for network security.
Ratings are certified by the National Computer Security Center. A B1 rating describes a basic level
of enterprise-wide Internet security and is equivalent to the European E3 rating (see “E3”). A B2
rating describes a much higher level of security typically used to protect military systems.
bridge A device, with two interfaces connecting two networks, that replicates packets appearing
on one interface and transmits them on the other interface.
broadcast A message sent to every destination on the network, in contrast to *multicast and
*unicast.

C

certificate A *digital signature encrypted with the (for example, *RSA) private key of the
*Certificate Authority (CA) who sent the message that includes the certificate, intended to generate
confidence in the legitimacy of the public key contained in the message.
The recipient can verify that the message was indeed sent by the CA by computing the message’s
digital signature, decrypting the transmitted digital signature using the CA’s public key (reliably
available from an out-of-band source such as a printed directory) and comparing the two. If they are
the same, then the message was sent by someone who knows the CA’s private key; presumably this
can only be the CA.[1]
Certificate Authority (CA) A trusted third party from which information (for example, a
person’s public key) can be reliably obtained, even over an insecure channel.
For example, if Alice and Bob obtain each other’s public keys over an insecure channel such as the
Internet, they must be certain that the keys are genuine. Alice cannot simply ask Bob for his public
key, because there is the danger that Charlie might intercept Alice’s request and send Alice his own
key instead. Charlie would then be able to read all of Alice’s encrypted messages to Bob.
The CA certifies the information it provides by generating a *certificate. Anyone receiving the
information verifies the certificate as proof of the information’s validity.
community In SNMP, a community is a logical group of managed devices and NMSs in the
same administrative domain.
computationally unfeasible Impossible in practical terms though not theoretically so.
For example, it is computationally unfeasible to compute the private part of a *public key pair from
the public part, because the only known method — the “brute force” approach of trying all the
possibilities one after the other — would take millions of years.
connectionless communication A scheme in which communication occurs outside of
any context, that is, replies and requests are not distinguishable. Connectionless communication
avoids the overhead inherent in maintaining a connection’s context, but at the risk of allowing
transmission errors to go undetected. Streaming services usually use connectionless communication
protocols such as *UDP, because they must attain high transmission speeds and there is no
advantage in sending a retransmitted packet out of sequence.
content security The ability to specify the content of a communication as an element of a
security policy, in contrast to defining a security policy on the basis of header information only.
Effective content security requires that a firewall understand the internal details of the protocols and
services it monitors.
An example of content security is enforcing *anti-virus checking for downloaded files, disallowing
email from or to specified email addresses, or allowing access to Web pages containing certain words
only during specified time periods.

[1] Purists would object to saying “encrypted with the private key” and “decrypted with the public key.” The words
“encrypted” and “decrypted” are used here in their common senses of hiding and revealing.

Content Vectoring Protocol (CVP) An *OPSEC API that enables integration of third-
party content security applications such as antivirus software into VPN-1/FireWall-1. The CVP
API has been adopted by a wide variety of security vendors.
Customer Log Module A SmartCenter Server with a limited license allowing log and alert
management only. The Customer Log Module collects logs and alerts from all VPN/FireWall
Modules in the enterprise, but it does not maintain or manage a Security Policy.
The Customer Log Module enables centralized log management in configurations with multiple
VPN/FireWall Modules. FIGURE 18-2 depicts a configuration in which centralized logging is
enabled.
FIGURE 18-2 Centralized Logging Configuration

[Figure: centralized logging. Callout 1, “This Customer Log Module ...”, points at the Customer Log Module (Thames), which sits behind a router connected to the Internet. Callout 2, “... collects logs from these VPN/FireWall Modules ...”, points at the FireWalled Gateways (London, Paris) and the internal FireWall (Chelsea). A GUI Client (Tower) and the Management Server (BigBen) are also shown.]

The Customer Log Module on Thames collects log data from three VPN/FireWall Modules,
each of which protects a separate network. The VPN-1/FireWall-1 Log Viewer on the GUI
Client can connect to the Customer Log Module to display logged events and alerts on network
activity for all VPN/FireWall Modules.

Data Encryption Standard (DES) A widely-used *secret key *encryption algorithm
endorsed as an official standard by the U.S. government in 1977. To address security concerns
resulting from the relatively short (56 bit) key length, triple-DES (encrypting under three different
DES keys in succession, believed to be equivalent to doubling the DES key length to 112 bits) is
often employed.
data link layer (DLL) see “layered communication model”

Demilitarized Zone (DMZ) A computer or a network located outside the trusted or secure
network but still protected from the insecure network (Internet). Network administrators often
isolate public resources such as HTTP servers in a DMZ so that an intruder who succeeds in
breaching security cannot continue on to the internal network.
FIGURE 18-3 A network with a Demilitarized Zone
[Figure: the FireWalled Gateway (London) sits between the private localnet (containing mailsrvr) and the public Internet, reached through a Router; a publicly accessible DMZ (HTTP, FTP, etc.) is attached to the gateway as a separate segment.]

In FIGURE 18-3, the DMZ is protected by the FireWalled gateway but is at the same time isolated
from the private network. There is no way of connecting from the DMZ to the private network
without going through the *firewall.
denial of service attack An attack with the purpose of overwhelming the target with
spurious data to the point where it is no longer able to respond to legitimate service requests, in
contrast to an attack whose purpose is to penetrate the target system. Examples of denial of service
attacks are SYN flooding and the “ping of death.”
dial-up line A telecommunication line available only after a dialling procedure, such as an
ordinary telephone line, in contrast to a *leased line.
Diffie-Hellman key exchange scheme A public key scheme, invented by Whitfield
Diffie and Martin Hellman, used for sharing a secret key without communicating any secret
information, thus avoiding the need for a secure channel. Once the correspondents have computed the
shared secret key, they can use it to encrypt communications between them.

FIGURE 18-4 Diffie-Hellman Key Exchange
[Figure: three panels of Alice and Bob. Only the public parts of the Diffie-Hellman keys are exchanged. 1. Alice performs a calculation with her private key and Bob’s public key. 2. Bob performs a calculation with his private key and Alice’s public key. Each side feeds its inputs to a Key Calculation Engine. 3. The results of both calculations are the same: the Secret Key for Alice and Bob.]
Under the Diffie-Hellman scheme, each correspondent has a public-private key pair. They agree on
a secret key as follows (FIGURE 18-4):
• Bob gets Alice’s public key (from a *Certificate Authority) and performs a calculation
involving his own private key and Alice’s public key.
• Alice gets Bob’s public key (from a Certificate Authority) and performs a calculation
involving her own private key and Bob’s public key.
The result of both calculations is the same, and serves as the secret key. In this way, a secret key can
be agreed on without any secret information being communicated. There is no opportunity for an
eavesdropper to determine the secret key.
An additional advantage of this scheme is that only one key pair needs to be managed for each
correspondent.
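The exchange in FIGURE 18-4, and the reason the Certificate Authority entry insists that public keys be obtained from a trusted source, can both be shown in a few lines. The following Python is an added example, not code from the Check Point product or this manual. It uses toy parameters (p = 23, g = 5) so that every value can be checked by hand; real systems use standardized groups of 2048 bits or more, but the shape of the exchange and of the interception is identical. The first function runs the honest exchange; the second lets Charlie, from the CA entry, substitute his own public value in both directions, so that Alice and Bob each finish the protocol without error yet each holds a key shared with Charlie rather than with the other.

```python
"""Added example, not part of the Check Point manual or product: the
Diffie-Hellman exchange of FIGURE 18-4, then the interception the
Certificate Authority entry warns about. Toy parameters p = 23, g = 5 keep
the arithmetic checkable by hand; real deployments use standardized groups
of 2048 bits or more (the structure of the exchange is the same)."""

P, G = 23, 5  # toy modulus and generator, for illustration only


def public_value(private, p=P, g=G):
    """The public half of a key pair: g^private mod p."""
    return pow(g, private, p)


def shared_secret(peer_public, private, p=P):
    """The figure's 'Key Calculation Engine': the peer's public value raised
    to our private key. Values 0, 1 and p-1 are rejected because they force
    the result into {0, 1, p-1} regardless of our private key."""
    if not 1 < peer_public < p - 1:
        raise ValueError(f"peer public value {peer_public} out of range")
    return pow(peer_public, private, p)


def honest_exchange(a, b):
    """Only A = g^a and B = g^b cross the wire; both sides derive the same
    key. Returns (A, B, shared_key)."""
    A, B = public_value(a), public_value(b)
    k_alice = shared_secret(B, a)
    k_bob = shared_secret(A, b)
    assert k_alice == k_bob
    return A, B, k_alice


def intercepted_exchange(a, b, c):
    """Charlie substitutes his own public value C for both A and B in
    transit. Alice and Bob each complete the protocol without error, but
    each now shares a key with Charlie rather than with the other. Returns
    (alice_key, bob_key, charlie_key_with_alice, charlie_key_with_bob)."""
    A, B, C = public_value(a), public_value(b), public_value(c)
    k_alice = shared_secret(C, a)  # Alice believes C came from Bob
    k_bob = shared_secret(C, b)    # Bob believes C came from Alice
    return k_alice, k_bob, shared_secret(A, c), shared_secret(B, c)


if __name__ == "__main__":
    print("honest (A, B, key):", honest_exchange(6, 15))
    print("intercepted (Alice, Bob, Charlie/Alice, Charlie/Bob):",
          intercepted_exchange(6, 15, 7))
```

With a = 6, b = 15 the honest run sends A = 8 and B = 19 and both sides compute 2. With Charlie's c = 7 (C = 17), Alice computes 12 and Bob computes 15, and Charlie holds both. Nothing in the second run looks different from the first at either end; binding the public values to identities, which is what a *certificate does, is what closes the gap.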
Diffserv Diffserv (Differentiated Services) is a technology in which packets are marked (in the
IP header TOS byte) inside the enterprise network as belonging to a certain class of service. These
classes are then granted priority on the public network. FloodGate-1 can mark packets, but it does
not prioritize traffic based on these markings. DiffServ markings have meaning on the public
network, not inside the enterprise network. Effective implementation of DiffServ requires that
packet markings be recognized and honored on all public network segments.
digital signature The result of a complex calculation on the contents of a message.
Changing even one bit in the message results in a completely different digital signature. Moreover,
it is *computationally unfeasible to compose a message with a given digital signature. A digital
signature is used to verify a message’s integrity, that is, to ensure that it has not been tampered with.
See also certificate.

directory service A standard database providing distributed, scalable, client/server-based
repositories of data that are read much more frequently than modified (for example, user definitions,
user profiles, and network resource definitions). Users and applications can access these directories
through directory access protocols (DAPs). In network environments, example DAPs include the
Novell Directory Services (NDS) and *X.500 directory access protocols. Another widely-used DAP
is LDAP (see “Lightweight Directory Access Protocol (LDAP)”).
DMZ see “Demilitarized Zone (DMZ)”

E3 A verifiable level of security required by European governments for any Internet firewalls
employed over any of their networks. Products meeting this level of security (roughly equivalent to
the U.S. B1 “Orange Book” level) are certified by the Information Technology Security Evaluation
and Certification organization (ITSEC) in the United Kingdom and by the Logical Evaluation
Defence Signals Directorate (DSD) in Australia. See also “B1, B2 level”.
“E3” also refers to a high speed transmission line in Europe equivalent to the T3 transmission line in
the United States.
encapsulated encryption An *encryption scheme in which an entire packet, including
the header, is encrypted, and a new header appended to the packet. Encapsulated encryption hides
the true source and destination but increases a packet’s length, in contrast to *in-place encryption.
encryption The transformation of a message so that the encrypted message can only be read
with the aid of some additional information (the *key) known to the sender and the intended
recipient alone.
In *secret key (symmetric) encryption, the same key is used to both encrypt a message and then to
decrypt it. In *public key (asymmetric) encryption, two mathematically-related keys are used: one
to encrypt the message and the other to decrypt it.
encryption algorithm An algorithm, such as *AES, *DES, for encrypting and decrypting
data. An encryption algorithm is one element of an *encryption scheme.
encryption domain The computers and networks on whose behalf a *gateway encrypts and
decrypts communications.
encryption scheme A mechanism for encrypting and authenticating messages as well as
managing and distributing keys, such as *IPsec, *SKIP and *IKE.
An encryption scheme consists of three elements:
• an *encryption algorithm that performs the actual encryption
• an *authentication algorithm for ensuring message integrity
• a *key management protocol for generating and exchanging keys
enforcement point A machine that enforces at least some part of a VPN-1/FireWall-1
Security Policy. An enforcement point can be a network object, router, switch or any machine that
can be managed by a SmartCenter Server by installing a Security Policy or Access List.

enterprise-wide security management The consistent application and
management of a security policy in a complex, distributed network environment, usually including
corporate *intranets and *extranets.
extranet In contrast to the Internet, which provides universal access to network-based
information, and an *intranet, which is accessible only within an enterprise, an extranet enables a
company and its partners or customers to collaborate, communicate and exchange documents in a
secured network environment. Extranets typically utilize virtual private networks that allow
authorized users to access specific information, such as technical documentation or inventory
information (see “Virtual Private Network (VPN)”).

Fetch Install a pre-compiled policy from the state directory to the kernel without compilation
(see also “Load”).
File Transfer Protocol (FTP) A widely-used TCP-based protocol for copying files
between hosts. In security environments, FTP commands can be controlled via *authentication
schemes, *content security schemes, file name restrictions, and *anti-virus programs.
firewall A combination of hardware and software resources positioned between the local (trusted) network and the Internet (see FIGURE 18-5). The firewall ensures that all communication between an organization’s network and the Internet conforms to the organization’s security policy. Firewalls track and control communications, deciding whether to pass, reject, encrypt or log communications.
FIGURE 18-5 A network protected by a firewalled gateway [figure: a FireWalled Gateway sits between the private localnet (hosts mailsrvr and London) and the public side, where a Router connects to the Internet]

FireWall Module A VPN-1/FireWall-1 security application, similar to an *Inspection Module, that provides the additional functionality of *user authentication, *content security, *encryption, *Network Address Translation, and *high availability.
frame The packet transmitted by the *data link layer.
FTP see “File Transfer Protocol (FTP)”
FWDIR An environment variable specifying the directory in which VPN-1/FireWall-1 is
installed.

696 Check Point SmartCenter Guide • September 2002


G

gateway A device positioned between two networks through which all communications
between the networks must pass. A gateway is a natural choice for enforcing a security policy and
providing encryption and authentication services.
gateway stealthing Disallowing connections that originate or terminate on a *gateway
while allowing connections to pass through the gateway, thereby making the gateway transparent
(or “invisible”) to the networks which it connects.

header The portion of a packet, preceding the actual data, containing source and destination
addresses, checksums and other fields. A header is analogous to the envelope of a letter sent by
ordinary mail. In order to deliver the message (letter), it is only necessary to act on the information
(address) in the header (envelope).
A communication can have several layers of headers. For example, a mail message includes an application layer header specifying the message originator, date and time. At the lower layers, the packets in which the mail message is transmitted carry IP headers and TCP headers.
high availability A hardware and software configuration in which a device takes over the
tasks of another device that has gone down.
host A computer connected to a network.
HTTP see “Hypertext Transfer Protocol (HTTP)”
hub A device that connects computers, servers and peripherals together in a local area network
(LAN). Hubs typically repeat signals from one computer to the others on the *LAN. Hubs may be
passive or intelligent and can be stacked together to form a single managed environment. See also
“switch” and “router”.
Hypertext Transfer Protocol (HTTP) A standard protocol for transferring files on the
World Wide Web.

IETF see “Internet Engineering Task Force (IETF)”


in-place encryption A mechanism by which only the data in an IP packet is encrypted,
while the header is not encrypted. In-place encryption leaves headers exposed, but preserves the
packet’s length, in contrast to *encapsulated encryption.

Information Technology Security Evaluation and Certification Scheme
(ITSEC) An organization dedicated to evaluating the security features of information
technology products and systems and to certifying the level of assurance that can be placed on them.
INSPECT Check Point’s high-level scripting language for defining a *Security Policy. An
INSPECT script is compiled into machine code and loaded into an *Inspection Module for
execution.
INSPECT Script The ASCII file generated from the *Security Policy by VPN-1/FireWall-1 is
known as an Inspection Script. An Inspection Script can also be written using a text editor.
Inspection Code Inspection Code compiled from an Inspection Script and loaded into a
VPN-1/FireWall-1 FireWall Module for enforcement.
Inspection Module A VPN-1/FireWall-1 security application embedded in the operating
system kernel, between the data link and network layers, that enforces a VPN-1/FireWall-1
*Security Policy. See also “FireWall Module”.
Internet A public network connecting many thousands of computer networks in a three-level
hierarchy including backbone networks (for example, NSFNET, MILNET), mid-level networks
and stub networks. The Internet utilizes multiple communication protocols (especially TCP/IP) to
create a worldwide communications medium.
Internet Key Exchange (IKE) A standard protocol for authentication and key exchange;
part of the key management scheme used for negotiating virtual private networks (VPNs) as defined
in the IETF IPSec working group. This key management scheme is mandated for deployment in
IPv6. It was formerly known as *ISAKMP.
Internet Engineering Task Force (IETF) The principal body engaged in the development of new Internet standard specifications. IETF identifies solutions to technical problems and
makes recommendations to the Internet Engineering Steering Group (IESG) regarding the
standardization of protocols and protocol usage in the Internet, and facilitates the transfer of
technology developed by the Internet Research Task Force (IRTF) to the wider Internet
community. IETF also provides a forum for the exchange of information between vendors, users
and researchers interested in improving various aspects of the Internet. The IETF meets three times
a year and is comprised entirely of volunteers.
Internet Protocol (IP) The network layer for the TCP/IP protocol suite. IP is a connectionless, best-effort packet switching protocol designed to provide the most efficient delivery of
packets across the Internet.
Internet Protocol Security Standard (IPSec) An encryption and authentication
scheme supporting multiple encryption and authentication algorithms.
Note - Manual IPSec is no longer supported in VPN-1/FireWall-1, beginning with NG.
Internet Security Association Key Management Protocol (ISAKMP) A
standard protocol for authentication and key exchange that is now known as IKE. See “Internet Key
Exchange (IKE)”.
Internet Service Provider (ISP) A provider of access to the Internet. In some cases, these providers own the network infrastructure, while others lease network capacity from a third party.
intranet An internal private network, managed according to Internet protocols, but accessible
only inside the organization.

IP see “Internet Protocol (IP)”
IPSec see “Internet Protocol Security Standard (IPSec)”
IP address The 32-bit address defined by the Internet Protocol to uniquely identify Internet
hosts and servers. A typical IP Address, shown here in conventional IP “dot” notation, consists of
the following parts:
FIGURE 18-6 IP Address [figure: the address 192.9.200.112 divided into its Net ID and Host ID parts; the leading bits of the first byte are the Class ID]
The first bits of the Class ID specify a network’s class. Most local networks are of class C (Class ID
byte = 110XXXXX; Class ID 192 in IP dot notation). Class C networks can have up to 254
hosts. Larger networks can be either class B or Class A.
The Net ID identifies the network. Because an IP address consists of both a network identifier
(NetID) and a host identifier (HostID), it does not identify a host, but rather a network connection
(interface). If a host or gateway is connected to several networks, it will have several IP addresses.
By convention, a host ID of all 0s refers to the network itself; that is, a network’s address ends in zeros. This scheme enables IP addresses to specify networks as well as hosts. A host identifier of all 1s is reserved for broadcast.
IP spoofing A technique whereby an intruder attempts to gain access by altering a packet’s IP
address to make it appear as though the packet originated in a part of the network with higher access
privileges (for example, the IP address of a network object in the local network). This form of attack
is only possible if a network’s internal IP addresses have been exposed (see “anti-spoofing”).
ISP see “Internet Service Provider (ISP)”
ISAKMP see “Internet Security Association Key Management Protocol (ISAKMP)”
ITSEC see “Information Technology Security Evaluation and Certification Scheme (ITSEC)”

Java A platform-independent programming environment developed by Sun Microsystems and supported by numerous vendors, including Microsoft. Java presents a security risk because Java applets run on the client and can be used to gain illicit access to its files.
Java Stripping The ability to prevent *Java code from being executed on the client by
removing all Java tags from HTML pages as they are downloaded.

K

Kerberos An authentication service developed by the Project Athena team at MIT. Kerberos
uses secret keys for encryption and authentication. Unlike a public key authentication system, it
does not produce digital signatures; Kerberos was designed to authenticate requests for network
resources rather than to authenticate authorship of documents. Thus, Kerberos does not provide for
third-party verification of documents.
key Information used to encrypt and decrypt data. There are two kinds of keys: *secret keys and
*public keys.
key management A mechanism for distributing encryption keys in a public key scheme.
Key management is performed by a *SmartCenter Server and includes key generation, certification
(although this can also be performed by an external *Certificate Authority) and key distribution.
Key management can either be manual or automated.

LAN see “Local Area Network (LAN)”


layered communication model The conceptual division of communication tasks into a
“layered model.” The fundamental characteristic of the layered model is that each layer processes
the same object processed by the corresponding layer at the other end of the communication.
The X.25 protocols shown in FIGURE 18-7 are based on the OSI model.
FIGURE 18-7 OSI seven layer communication model
Communication Layers
7 Application      applications such as email, file transfer etc.
6 Presentation     compression and other common functionality
5 Session          protocol software
4 Transport        end-to-end reliability
3 Network          defines basic unit of transfer (packet assembly)
2 Data Link        defines frames and frame boundaries (hardware interface)
1 HW Connection    physical hardware connection between devices
VPN-1/FireWall-1 is positioned between layers 2 and 3.

The TCP/IP model, consisting of four software layers and one hardware layer, is illustrated in
FIGURE 18-8.

FIGURE 18-8 TCP/IP communication model
Communication Layers
Application          messages or data streams
Transport            transport control packets
Internet             IP datagrams
Network Interface    frames
hardware
VPN-1/FireWall-1 is positioned between the Network Interface and Internet layers.

leased line A dedicated telecommunications access line that is “leased” from a vendor, and
thus always available, in contrast to a *dial-up line. The physical medium may be copper or fiber
optic, providing a wide range of line speeds.
Lightweight Directory Access Protocol (LDAP) A mechanism for Internet clients
to access and manage a database of directory services over a TCP/IP connection. A simplification of
the X.500 directory access protocol, LDAP is gaining significant support from major Internet
vendors.
Load Compile a policy and then install it to the kernel (see also “Fetch”).
load balancing The ability to distribute processing loads among multiple servers to improve
performance and reduce access times. Load balancing is often transparent to the user and improves
Internet security by reducing the risks associated with certain attacks and by applying greater
resources to the task of monitoring and filtering network traffic. A variety of algorithms may be used
to determine how best to distribute traffic over these servers.
Local Area Network (LAN) A data network intended to serve an area of only a few square
kilometers or less (more typically, an individual organization). LANs consist of software and
equipment such as cabling, hubs, switches and routers, enabling communication between computers
and the sharing of local resources such as printers, databases, and file and video servers.
Logging and Event API (LEA) An *OPSEC API that enables an application to securely
receive and process both real-time and historical logging and auditing events generated by
VPN-1/FireWall-1. LEA can be used by a variety of applications to complement firewall
management.

MAC address The physical hardware address of a device connected to a network.


Managed Internet Security Services Bundled security services, including secure
*Internet, *intranet and *extranet, provided by an *ISP. Typically, the ISP handles management
and support for the security services, which can be implemented as part of the Internet service
implementation or customized to client needs.

Management Module The VPN-1/FireWall-1 module in which a VPN-1/FireWall-1
*Security Policy is defined.
SmartCenter Server The VPN-1/FireWall-1 application, controlled by a GUI on a client,
that manages a VPN-1/FireWall-1 *Security Policy. If the SmartCenter Server is deployed in
Client/Server mode, then the Graphical User Interface (GUI) can be run on another network
object.
Manual IPsec see “IPSec”.

Note - Manual IPSec is no longer supported in VPN-1/FireWall-1, beginning with NG.

Master In VPN-1/FireWall-1, the station to which logs and alerts are directed.
The Master also maintains the most recent Inspection Code for each of the FireWalled systems it
controls. If a FireWalled system loses its Inspection Code for any reason, it can retrieve an up-to-date copy from the Master. In practice, the Master and SmartCenter Server are usually on the same
system, but Failover Masters can be defined.
multicast A message sent to all the destinations in a specific group of hosts in a network, in
contrast to *broadcast and *unicast.
multi-homed host A computer with two or more physical network connections is often
referred to as a multi-homed host.

NAT see “Network Address Translation”


network address The network portion of an IP address. Depending on the class of network, this may comprise the first one to three bytes of an IP address, with the remainder being the host or server address.
netmask For a standard Class A, B, or C network, the netmask has no meaning. An explanation of the use of net masks with nonstandard network classes follows.
The standard IP addressing scheme can be extended by the use of net masks. For simple,
unextended Class C networks, the net mask is 255.255.255.0; that is,
11111111 11111111 11111111 00000000
in binary notation. The 1s in the mask (the first 24 bits) indicate the bits that identify the network
and the 0s (last 8 bits) indicate the bits that identify the host. By changing the interpretation of the
IP address slightly, it is possible to extend the addressing scheme. If we “borrow” some of the bits
from the HostID for the NetID portion of the address, we can extend the IP address to include
subnets within one NetID. For instance, the net mask 255.255.255.192 (last byte is 11000000)
indicates that 26 bits are being used for the network ID and only 6 bits for the HostID.
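The following is an added example (not code from the Check Point guide) that works through the “IP address” and “netmask” entries: it derives an address’s class from its leading bits, splits it into net ID and host ID under either the classful default mask or an extended mask such as 255.255.255.192, and shows the network (host bits all 0) and broadcast (host bits all 1) addresses. It also includes an interface-based anti-spoofing check of the kind the “IP spoofing” entry refers to; the interface names and topology are constructed sample data.

```python
# Added example, not code from the Check Point guide: classful IPv4 address
# decomposition, netmask subnetting and an anti-spoofing check.
# Interface names and the TOPOLOGY table below are constructed sample data.
from typing import Optional
import ipaddress


def ip_class(addr: str) -> str:
    """Classify an address from the leading bits of its first byte
    (0xxxxxxx = A, 10xxxxxx = B, 110xxxxx = C, e.g. 192 for class C)."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"  # multicast
    return "E"      # reserved


# Default (unextended) masks for the standard classes.
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def decompose(addr: str, mask: Optional[str] = None) -> dict:
    """Split an address into its net ID and host ID using `mask`, or the
    classful default mask when none is given.  The 1s in the mask select
    the network bits and the 0s the host bits; host ID all 0s names the
    network itself and host ID all 1s is the broadcast address."""
    if mask is None:
        mask = DEFAULT_MASKS[ip_class(addr)]
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    a = int(ipaddress.IPv4Address(addr))
    m = int(net.netmask)
    return {
        "class": ip_class(addr),
        "mask_binary": " ".join(f"{(m >> s) & 0xFF:08b}" for s in (24, 16, 8, 0)),
        "mask_bits": net.prefixlen,              # bits used for the network ID
        "host_bits": 32 - net.prefixlen,         # bits left for the host ID
        "net_id": str(net.network_address),      # host bits cleared
        "host_id": a & ~m & 0xFFFFFFFF,
        "broadcast": str(net.broadcast_address), # host bits all 1s
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def is_spoofed(ingress_iface: str, src: str, topology: dict) -> bool:
    """Anti-spoofing: a packet whose source address lies in the networks
    behind some internal interface must arrive on exactly that interface,
    and a packet arriving on an internal interface must carry an internal
    source.  `topology` maps interface -> list of networks behind it; the
    external (Internet-facing) interface is mapped to None."""
    src_addr = ipaddress.IPv4Address(src)
    for iface, nets in topology.items():
        if nets is None:
            continue
        if any(src_addr in ipaddress.IPv4Network(n) for n in nets):
            return iface != ingress_iface   # internal address, wrong interface
    # Not an internal address: legitimate only on the external interface.
    return topology.get(ingress_iface) is not None


# Constructed topology: eth0 faces the Internet, eth1 and eth2 are internal.
TOPOLOGY = {"eth0": None, "eth1": ["192.9.200.0/24"], "eth2": ["10.0.0.0/8"]}

if __name__ == "__main__":
    for mask in (None, "255.255.255.192"):
        print(decompose("192.9.200.112", mask))
    print(is_spoofed("eth0", "192.9.200.5", TOPOLOGY))  # internal address arriving from outside
```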
Network Address Translation Translating an internal network’s real IP addresses to
“false” IP addresses, either to prevent exposing the real addresses or to enable hosts with “invalid”

addresses to communicate on the Internet, thus avoiding the need to change a network’s IP
addresses (a formidable, error-prone task).
NIC Network Interface Card; also Network Information Center, an organization that provides
services to Internet networks and users.
node A computing device with an IP address, connected to a network.

Open Platform for Security (OPSEC) An open, industry-wide alliance, driven by Check Point Software Technologies, to ensure interoperability at the policy level between security products. Interoperability is achieved through a combination of published APIs, industry-standard protocols, and a high-level scripting language. OPSEC encourages partnerships in the areas of infrastructure (network products and services), framework (security products), and passport (applications developers).
OPSEC see “Open Platform for Security (OPSEC)”
overlapping encryption domains Encryption domains overlap when they have at least
one host in common.

packet A unit of data as sent across a network.


packet filter A type of *firewall that examines only the network layer, typically implemented
by *routers. This type of firewall cannot support dynamic protocols and cannot apply application
intelligence to the data stream.
password A short string of characters, knowledge of which is required to gain access to some
resource. Passwords are considered unreliable security devices because they are relatively easy to
guess at, and people tend not to take strict precautions against their disclosure. See also “token”.
Perfect Forward Secrecy In *IKE encryption, a method of assuring that if an intruder
breaks into a system at a given point of time, and gains access to the entire state (all current Phase 1
and Phase 2 keys), he will not be able to decrypt future communications after the next Phase 2
exchange takes place.
PPP (Point-to-Point Protocol) A method for transmitting packets over serial point-to-point links, such as a *dial-up line.
PPTP (Point-to-Point Tunneling Protocol) An extension to PPP that encapsulates different protocols, including IPX and AppleTalk, into an IP data stream so that they can be transmitted over the Internet.
protocol A formal description of message formats and the rules required to accomplish some
task.

protocol stack A synonym (in practice if not in theory) for the *communication layers as
supported by an operating system.
proxy An application-layer implementation of a service that provides additional functionality
(for example, security or caching) that is not part of the original service.
Application gateways use proxies to implement firewalls. A proxy’s primary advantage is its ability to
provide partial communication-derived state, full application-derived state information and partial
communication information.
The disadvantages of using proxies as firewalls are:
• limited connectivity — each service needs its own proxy, so the number of available
services and their scalability are limited, and there is usually a significant delay before a new
service can be implemented (a new proxy must be written)
• limited technology — application gateways cannot provide proxies for UDP, RPC and
other services from common protocol families
• performance — application level implementation entails a discernible performance penalty
In addition, proxies are vulnerable to OS and application level bugs, overlook information
contained in lower layers, and in the case of traditional proxies, are rarely transparent.
public key A scheme in which each correspondent has a pair of mathematically related keys: a
public key known to everyone, and a private key known only to its owner.
• The *RSA public key scheme is used for encryption as follows: if Bob wants to send Alice
an encrypted message, he encrypts the message with Alice’s public key. The encrypted
message can only be decrypted with Alice’s private key, which only Alice knows.
• The *Diffie-Hellman public key scheme is used for sharing a secret key without
communicating any secret information, thus avoiding the need for a secure channel.
The disadvantage of public key encryption is that it is much slower than *secret key encryption.
The terminology can be confusing, because “public key” is sometimes used to mean both keys
together (in the context of schemes) and sometimes to mean only the public part of the key.
Public Key Infrastructure (PKI) A set of security services, usually provided by a *Certificate Authority, enabling *authentication, *encryption and certificate management using *public key encryption technology.
public network Any computer network, such as the Internet, that offers long-distance internetworking using open, publicly accessible telecommunications services, in contrast to a *WAN or *LAN.

RC2, RC4 A widely used *encryption method developed by Rivest Corporation for RSA Data
Security.
Remote Authentication Dial In Service (RADIUS) A centralized network-authentication scheme developed by Livingston Enterprises and proposed as a standard to the IETF, which includes *authentication, authorization, and accounting features and may also include the ability to pass-through authentication to proxy servers.
Request For Comments (RFC) A numbered series of documents, available from *NIC,
which are the primary means of technical discussion about the Internet. Some RFCs define
standards.
Resource Reservation Protocol (RSVP) A *unicast and *multicast signaling
*protocol, designed to install and maintain reservation state information at each router along the
path of a stream of data. RSVP-enabled applications may improve the quality of service across IP
networks. Networked multimedia applications, many of which benefit from a predictable
end-to-end connection, are likely to be initial users of RSVP-signaled services.
RFC see “Request For Comments (RFC)”
Replay Protection A mechanism to prevent an intruder from resending legitimate packets. The system detects that the packet was seen in the past and ignores it.
router A device providing network-to-network transmission capabilities, including routing,
segmenting and filtering. Most routers support multiple communications protocols, such as ISDN
and Ethernet. By examining only packet headers, routers can:
• pass the packets between networks running different protocols
• determine which network should receive the packet
• determine whether to block the transmission
Rule Base An ordered set of rules that defines a VPN-1/FireWall-1 *Security Policy. A rule
describes a communication in terms of its source, destination and service, and specifies whether the
communication should be accepted or rejected, as well as whether it is to be logged. Each communication is tested against the Rule Base; if it does not match any of the rules, it is dropped.
RSA A public key scheme used for *encryption and *digital signatures, invented in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman; also a company founded by them to market products based on their inventions.

SAM see “Suspicious Activity Monitoring Protocol (SAM)”


secret key A symmetric key used to both encrypt and decrypt data.
FIGURE 18-9 Encrypting and decrypting with a secret key [figure: a plaintext passage (“… founded on this continent a nation conceived in liberty …”) is turned into unreadable ciphertext and recovered again using the same secret key]
Ensuring the key’s secrecy is critical, since anyone who knows the key can decrypt and read the
message.
Secret key encryption is simple and fast, but has its disadvantages:
• A secure channel is required by which the correspondents can agree on a key before their
first encrypted communication. Direct face-to-face negotiation may be impractical or
unfeasible, and the correspondents may have to agree on a key by mail or telephone or
some other insecure means.
• The number of keys required can quickly become unmanageable, since there must be a
different key for each pair of possible correspondents.
Public (asymmetric) key systems, where each correspondent has a pair of keys, can solve both of
these problems (see “public key”).
Secure Hypertext Transfer Protocol (S-HTTP) A security-enhanced version of
*HTTP providing a variety of mechanisms to enable confidentiality, *authentication and integrity.
Unlike SSL, which layers security beneath application protocols like HTTP, NNTP, and Telnet, S-HTTP adds message-based security to HTTP. SSL and S-HTTP can co-exist by layering S-HTTP on top of SSL.
SecuRemote Client A software component installed on a desktop or mobile computer that
enables secure encrypted communications with an enterprise network.
SecuRemote Server A FireWall Module or VPN Module with which a SecuRemote Client
conducts encrypted communications.
Secure Socket Layer (SSL) A protocol combining *RSA *public key encryption and the
services of a *Certificate Authority to provide a secure environment for electronic commerce and
communications. SSL provides three levels of security:
• server authentication, which verifies the identity of the server using a *certificate
• *encryption, which ensures the privacy of client-server communications by encrypting the
data stream
• integrity, which verifies that the contents of the message arrive at their destination in the
same form as they were sent.
Security Policy A Security Policy is defined in terms of firewalls, services, users, and the rules
that govern the interactions between them. Once these have been specified, an *Inspection Script is
generated and then installed on the firewalled hosts or gateways. These gateways can enforce the
Security Policy on a per-user basis, enabling verification not only of the communication’s source,
destination and service, but the authenticity of the user as well. A user-based Security Policy also
allows control based on content. For example, mail to or from certain addresses can be rejected or
redirected, access can be denied to specific URLs, and anti-virus checking of transferred files can be
performed.
S-HTTP see “Secure Hypertext Transfer Protocol (S-HTTP)”
Simple Key Management for Internet Protocols (SKIP) An automated *key
management system developed by Sun Microsystems and proposed to the IETF as a standard *IPSec
key management scheme. SKIP adds key management functionality to IPSec. Several vendors have
successful implementations of SKIP, and both SKIP and *IKE can be deployed/implemented within
the IPSec framework.

Note - SKIP is no longer supported in VPN-1/FireWall-1, beginning with NG.
Simple Mail Transfer Protocol (SMTP) A *protocol used to transfer electronic mail
between computers. Subsequently enhanced to support not only e-mails but file attachments as well,
SMTP’s flexibility poses a challenge to security systems.
Simple Network Management Protocol (SNMP) A *protocol for managing nodes
on an IP network. In security environments, SNMP is used to communicate management information (monitoring, configuration and control) between the network SmartCenter Servers and
network elements (for example, devices such as hosts, gateways and servers).
Single Gateway Product Single Gateway products (VPN-1/FireWall-1/25,
VPN-1/FireWall-1/50 etc.) include:
• SmartCenter Server
• VPN/FireWall Module
VPN-1/FireWall-1 single gateway products enforce restrictions based on the number of protected
hosts. If these restrictions are exceeded, VPN-1/FireWall-1 will issue an error message.
These restrictions are:
• number of internal hosts
Up to n nodes behind the gateway are allowed, where n is the number in the product name. For
example, VPN-1/FireWall-1/50 is restricted to 50 nodes, VPN-1/FireWall-1/250 is restricted to
250 nodes, etc.
A node is defined as a computing device with an IP address. A multi-user computer with one IP
address is counted as one node.
This restriction relates to the number of protected hosts. Every host behind VPN-1/FireWall-1 is
protected by VPN-1/FireWall-1, even if no connections to the outside are initiated from that host.
Every node protected by VPN-1/FireWall-1 is counted against the limit, even if its IP address is
hidden from VPN-1/FireWall-1 by a proxy or by other means.
• number of external interfaces
For all VPN-1/FireWall-1/n products, only one external interface may be connected to the
VPN-1/FireWall-1 machine.
There is no restriction on the number of internal interfaces on the VPN-1/FireWall-1 machine.
• no external Modules
An additional restriction for these products is that they cannot manage external VPN/FireWall or
FloodGate Modules, that is, the SmartCenter Server and the VPN/FireWall and FloodGate Module
must both be on the same machine. However, the GUI Client can be installed on a different
machine from the SmartCenter Server. This configuration is sometimes referred to as a
Client/Server configuration.

Note - If you exceed the restriction on the number of protected hosts, VPN-1/FireWall-1
will display warning messages on the system console notifying you that you have violated
the terms of the VPN-1/FireWall-1 license. You should immediately upgrade to the
appropriate product in order to be in compliance with the terms of the VPN-1/FireWall-1
license. In the meantime, your security is not compromised and VPN-1/FireWall-1 will
continue to protect your network.
SKIP see “Simple Key Management for Internet Protocols (SKIP)”

SMTP see “Simple Mail Transfer Protocol (SMTP)”
SNMP see “Simple Network Management Protocol (SNMP)”
SSL see “Secure Socket Layer (SSL)”
state information Information describing the context of a communication. There are two
types of state information: communication derived and application derived.
• Communication-derived state information is extracted from past communications and is
compared against current attempts to access or manipulate information. For example, an
outgoing PORT command of an *FTP session can be saved so that a later incoming FTP
data connection can be verified against it.
• Application-derived state information is extracted from other applications to verify user
access. For example, an *extranet application may be used to allow a previously
authenticated access through the firewall for authorized services only.
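Added example, not code from the Check Point guide or product: a miniature stateful inspection engine that ties the “Rule Base” entry (ordered rules matched on source, destination and service; the first match decides; optional logging; implicit drop when nothing matches) to the communication-derived state described above, where an outgoing FTP PORT command is saved so that the later incoming data connection can be verified against it. The SERVICES table, the rule format and all addresses and packets are constructed sample data.

```python
# Added example, not the product's code: rule base with implicit drop plus
# FTP PORT tracking (communication-derived state). All data is constructed.
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class Packet:
    """Simplified: the first packet of a connection stands for the connection."""
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    sport: int = 0
    payload: str = ""     # application data, used to see FTP PORT commands


@dataclass(frozen=True)
class Rule:
    src: str              # IPv4 network in CIDR form, or "any"
    dst: str
    service: str          # key of SERVICES, or "any"
    action: str           # "accept" or "reject"
    log: bool = False


# Service name -> (protocol, server port); constructed table.
SERVICES = {"ftp": ("tcp", 21), "http": ("tcp", 80), "ssh": ("tcp", 22), "dns": ("udp", 53)}
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def addr_matches(addr: str, rule_net: str) -> bool:
    return rule_net == "any" or ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(rule_net)


def service_matches(pkt: Packet, service: str) -> bool:
    if service == "any":
        return True
    proto, port = SERVICES[service]
    return pkt.proto == proto and pkt.dport == port


class Inspector:
    def __init__(self, rules):
        self.rules = list(rules)
        # Communication-derived state: data connections announced by an
        # accepted FTP PORT command, keyed (client_ip, client_port, server_ip).
        self.expected_data = set()
        self.log = []

    def inspect(self, pkt: Packet) -> str:
        # 1. Saved state first: an FTP data connection from the server's port 20
        #    to the address/port named in a PORT command is allowed once.
        key = (pkt.dst, pkt.dport, pkt.src)
        if pkt.proto == "tcp" and pkt.sport == 20 and key in self.expected_data:
            self.expected_data.discard(key)
            return "accept"
        # 2. Ordered rule base: the first matching rule decides.
        for rule in self.rules:
            if (addr_matches(pkt.src, rule.src) and addr_matches(pkt.dst, rule.dst)
                    and service_matches(pkt, rule.service)):
                if rule.log:
                    self.log.append(f"{rule.action} {pkt.proto} "
                                    f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
                if rule.action == "accept" and rule.service == "ftp":
                    self._remember_port_command(pkt)
                return rule.action
        # 3. No rule matched: implicit drop.
        return "drop"

    def _remember_port_command(self, pkt: Packet) -> None:
        m = PORT_RE.search(pkt.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        client_ip = f"{h1}.{h2}.{h3}.{h4}"
        # Only honour a PORT command that names the sending host itself.
        if client_ip == pkt.src:
            self.expected_data.add((client_ip, p1 * 256 + p2, pkt.dst))


RULES = [
    Rule("192.9.200.0/24", "any", "ftp", "accept", log=True),  # internal net may use FTP
    Rule("any", "192.9.200.0/24", "ssh", "reject"),            # no SSH into the internal net
]

SAMPLE = [  # constructed traffic, in order of arrival
    Packet("192.9.200.112", "203.0.113.10", "tcp", 21, 3500, "PORT 192,9,200,112,13,188\r\n"),
    Packet("203.0.113.10", "192.9.200.112", "tcp", 3516, 20),    # data connection announced above
    Packet("203.0.113.10", "192.9.200.112", "tcp", 3516, 20),    # repeat: state already consumed
    Packet("203.0.113.10", "192.9.200.112", "tcp", 4000, 20),    # never announced
    Packet("203.0.113.10", "192.9.200.112", "tcp", 22, 40000),   # hits the reject rule
    Packet("192.9.200.5", "203.0.113.10", "tcp", 80, 40001),     # no rule: implicit drop
]


def run_sample():
    """Inspect SAMPLE in order; returns (decisions, log lines)."""
    insp = Inspector(RULES)
    return [insp.inspect(p) for p in SAMPLE], insp.log


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_sample()[0]):
        print(f"{verdict:7} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```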
Stateful Inspection A technology developed and patented by Check Point that provides
the highest level of security currently available. A stateful *Inspection Module accesses and analyzes
all the data derived from all communication layers. This state and context data is stored and updated
dynamically, providing virtual session information for tracking connectionless protocols.
Cumulative data from the communication and application states, network configuration and
security rules are all used to decide on an appropriate action, either accepting, rejecting or
encrypting the communication (FIGURE 18-10).
FIGURE 18-10 Stateful Inspection [figure: the VPN-1/FireWall-1 Inspection Module sits across the IP, TCP, session and application layers of the communication stack; a flow chart tests each packet against the rules in turn (Packet matches rule? Pass the packet? Log/Alert? Is there another rule?) and ends either by passing the packet or by sending a NACK and dropping the packet]

Any traffic not explicitly allowed by the *Security Policy is dropped.

TABLE 18-82 Technology Comparison

firewall capability            router    proxies    Stateful Inspection
communication information      Partial   Partial    Yes
communication-derived state    No        Partial    Yes
application-derived state      No        Yes        Yes
information manipulation       Partial   Yes        Yes
stub network A network that carries only packets to and from local hosts. Even if it has paths
to more than one network, a stub network does not carry traffic for other networks. Stub networks
are the third and last layer of the Internet network topography.
subnet A physically independent network segment, which shares a network address with other
portions of the network. Subnets enable greater security from unauthorized internal access by
dividing the intranet into discrete managed portions.
Suspicious Activity Monitoring Protocol (SAM) An *OPSEC API used to
integrate third party intrusion detection applications into firewalls.
switch A hub-like device that maximizes the performance of a high-speed connection by
providing a dedicated link between two devices via MAC-layer addresses.
symmetric key see “secret key”

TELNET (Telecommunications Network Protocol) A remote terminal protocol enabling any terminal to login to another host.
TCP see “Transmission Control Protocol”
TCP/IP see “Transmission Control Protocol over Internet Protocol (TCP/IP)”
token A *password that can be used only once, typically generated as needed by a hardware
device. Tokens are considered to be secure because even if one is revealed, it cannot be misused
because it is no longer valid after its first use.
Transmission Control Protocol A connection-oriented and stream-oriented Internet
standard transport layer protocol, in contrast to the connectionless UDP protocol (see “User Datagram
Protocol (UDP)”).
Transmission Control Protocol over Internet Protocol (TCP/IP) The
common name for the suite of UNIX-based protocols developed by the U.S. Department of
Defense in the 1970s. TCP/IP is the primary language of the Internet.

U

UDP see “User Datagram Protocol (UDP)”


unicast A message sent to a single destination, in contrast to *broadcast and *multicast.
Uniform Resource Locator (URL) An address format used by Internet communications
protocols such as the *Hyper Text Transfer Protocol (HTTP) popularized by the World Wide
Web. URLs typically identify the type of service required to access an item, its location on an
Internet host and the file name or item name on that machine.
URL see “Uniform Resource Locator (URL)”
URL Filtering Protocol (UFP) An *OPSEC API that enables the integration of third-party
applications to categorize and control access to specific URL addresses.
user authentication The process of verifying that a user is actually who he or she claims to
be. See also “authentication”.
User Datagram Protocol (UDP) An Internet-standard transport layer protocol which
adds a level of reliability and multiplexing to IP. UDP is a connectionless protocol, making no
distinction between the originator of the request and the response to it. Connectionless protocols
are problematic in a security environment, but can be tracked and controlled using communication-
derived state information (see “state information”).

Virtual Private Network (VPN) A network with some public segments in which data
passing over its public segments is encrypted to achieve secure communications. A VPN is
significantly less expensive and more flexible than a dedicated private network.
virus A program that replicates itself on computer systems by incorporating itself into other
programs which are shared among computer systems. Once in the new host, a virus may damage
data in the host’s memory, display unwanted messages, crash the host or, in some cases, simply lie
dormant until a specified event occurs (for example, the turning of a new year).
VPN see “Virtual Private Network (VPN)”

WAN see “Wide Area Network (WAN)”


Web Server A network device that stores and serves up any kind of data file, including text,
graphic images, video, or audio. Its stored information can be accessed via the Internet using
standard protocols, most often *HTTP.



Wide Area Network (WAN) A (usually private) geographically large network. A WAN is
typically constructed to span numerous locations within a single city.
World Wide Web (WWW) A hypertext-based information service providing access to
multimedia, complex documents and databases via the Internet. Web application programs can access
many other Internet services as well, including Gopher, Usenet news, file transfer, remote
connectivity and even special access to data on the local network.
WWW see “World Wide Web (WWW)”

X.25 A widely-used set of *protocols based on the OSI model. See also “layered communication
model”.
X.500 A *protocol used for communication between a user and an X.500 directory services
system. Multiple X.500 directory system agents may be responsible for the directory information for
a single organization or organizational unit.
X.509 A certification methodology providing authenticated, encrypted access to private
information, which establishes a trust model enabling certain transactions such as those involving money
or funds. For example, X.509 certificates are used in the *IKE encryption scheme to obtain public
keys and to verify the authenticity of the parties in an exchange.

Index

Symbols sdconf.rec file 364


using DES 364
AMON
definition 384
ACE (SecurID) Servers 363 anti-spoofing 190
$FWDIR/log/cpmi_audit.txt file 30 ACE servers definition of 190, 689
$FWDIR/log/fw.adtlog file 30 configuring 360 example 191
$FWDIR/log/fw.log 595 ACK number 289 in previous versions of VPN-1/
<$nospace 641 active connections 398 FireWall-1 191
“?” Networks 515 ActiveX 242 virtual interfaces 190
definition of 689 anti-virus
ActiveX Stripping definition of 689
Numerics definition of 689
Adding a Single Object to the
AOL 257
Application
Topology View 508 Attention 439
4.x alert script 292 Adding Multiple Objects 508 No Response 439
Adding New Objects 508 OK 439
Adding objects to an existing
network 508 Problem 439
A Additional Information Selection Unknown 439
Untrusted 439
window 415
accelerator card 661 Address Range 193 Waiting 439
Accept ICMP 286 address range 216 application gateway
Accept ICMP property 272 menu choice 176 definition of 689
Accept VPN-1 & FireWall-1 Control Address Resolution Protocol application layer
Connections definition of 689 definition of 690
new meaning of 277 Administrator archie 265
Accept VPN-1/FireWall-1 control for SecureUpdate 160 ARP
connections property 35 for SmartUpdate 32 automatic configuration for
access control administrator NAT 280
logging 30 defining for SecureUpdate 65 definition of 689
Access Control List administrators arp command 280
definition of 689 authenticating 35 ARP proxy 280
Access List AES 689 Arrange 498
download by Telnet session 332 alert command hierarchic layout 498
Access Lists mail 291, 292 symmetric layout 498
Importing Access Lists 342 SNMP Trap 292 authentication
Installing 342 user defined 292 definition of 690
Managing imported Access Lists alert commands authentication algorithm
in the Rule Base 343 where executed 292 definition of 690
Properties 286, 292 alert script authentication passwords
router, installing 345 popup 291 synchronizing 59
verifying and viewing 344 SNMP 292 automatic definition
Wellfleet 581 user defined 292 network objects 187
Account Management 358 alertd 292 automatic topology discovery 280
ACE Alerts 461 auxiliary connections 345
configuring VPN-1/ alerts AXENT Pathways Defender
received by 462 defining as server 363
FireWall-11 to work with
ACE software 363 sent to 462
America OnLine 257

B definition of 691
compiling a Security Policy 556
cplic check 629
cplic db_print 631
compression cplic get 634
back connection of log files 598 cplic print 625, 628
requested port 346 computationally unfeasible cplic put 624
backup definition of 691 remote operation 631
backing up a Security Policy 58 conf/loggers 424 CPMI 590
backward compatibility 561 conf/masters 424, 561 cppkg add 643
BackWeb 265, 346 Configuration File 605 cppkg delete 645
before installing VPN-1/ Modifying 606 cppkg getroot 650
FireWall-1 25 Conn. ID 398 cppkg overview 643
Blackbox Properties 208 Connected OnLine Backup 257 cppkg setroot 649
Block Intruder window 420 Connecting Networks to cprestart argument 660
blocking connections 570 Clouds 512 Cprid 664
boot security connection persistence 201 cprinstall boot 658
default filter 345 connection table 287 cprinstall get 656
fwstop -proc 345 connectionless communication cprinstall overview 651
fwstop-default 345 definition of 691 cprinstall stop 659
Initial Policy 345 connections cprinstall uninstall 654
blocking 420 cprlic
IP Forwarding 345 print 114
bootp 265 inhibiting or blocking 570
cprlic, see cplic
bridge lost when Security Policy re- cpstart 553
definition of 690 installed 58 cpstart command
terminating 420 running remotely 660
connections hash table 199 cpstat 567
content security
C definition of 691
cpstop 553
cpstop command
control connection running remotely 660
CA accepting 276, 277, 483 cpwd 565
Redundant Management 539 encrypting 48 cpwd_admin 565
Calculating the Install On control information creating
column 310 sending to Kernel Module 576 database version 138
categorization Control Properties Creating Objects 512
maximum number of displaying windows 144 Critical Notifications 436
categories 383 control.map file using 456
certificate 284 modified during VPN-1/ CRL 365, 370
definition of 691 FireWall-1 Cursor Modes 536
Certificate Authority 368 reconfiguration 58 CU-SeeMe 265
definition of 691 conversion Customer Log Module
obtaining the CA’s own network object type 182 description 692
certificate 369 CoolTalk 346 Customer log module 692
certificate key 100 enabling back connections 257 Customization of Tool-tips 499
chaining servers 385 cp.license file CVP
chargen 257, 265 modified during definition of 692
CIFS 255 reconfiguration 58 CVP inspection
clearing blocked connections 421 URI resource 243
cpconfig 550
CLM 425 installing a license using 625
object.c 425 cpd 121
Clouds 511
color 184, 202, 203, 205, 208, 216,
cphaprob 609
cphastart 609 D
217, 221, 223, 224, 227, 229, 231 cphastop 609
Columns cplic 119 daemon 580
resizing 437 db_add 105 DAIP
comment 221, 223, 224, 227, 228, db_rm 113 and DHCP 484
230, 231 del 111 deleting a license 634
adding to a rule 312 installation and
import 112
community configuration 482
put 108



installing a license 632 High Availability 452 echo-reply 271
installing a Policy 557 Management 454 echo-request 271, 272
NAT 485 Network Objects 445 Edit Menu 145
simplified VPN mode 482 OPSEC 453 Editing Network Objects 507
DAIP Module 278, 561 Policy Server 455 Editing object properties 507
installing a Policy 482 egp 272
SVN Foundation 445 ELA 664
IP address change 485 UA WebAccess 454 Elapsed column
IP address loss 485 using 444 method of calculation 394
managing from the command VPN-1 447 Enable Domain Name
line 563 DHCP Download 278, 286
name change 485 and DAIP 484 Enable Domain Name Queries 278,
Data Encryption Standard, see DES dhcp-rep-localmodule 484 286
database version dhcp-req-localmodule 484 Enable ICMP 278, 286
creating 138 Diffie-Hellman key exchange scheme Enable RIP 277, 286
deleting 139 definition of 693 Enabling a TCP Resource 254
modifying version Diffserv encapsulated encryption
properties 139 definition of 694 definition of 695
reverting to a previous 140 digital signature encryption
viewing 140 definition of 694 definition of 695
viewing a previous 140 directory service hardware acceleration 661
database versions 137 definition of 695 encryption algorithm
daytime 257, 265 discard 257, 265 definition of 695
dbedit 587 Disconnect 517 encryption domain
dbedit utility 587 Displaying Network Object’s definition of 695
DCE-RPC 260, 269 Information 493 encryption scheme
required by MS Exchange 346 DMZ definition of 695
debugging definition of 693 Enforcement Point
TCP/IP 268, 271 DN definition of 695
Default Filter 345 logging in using 285 enforcing and installing, difference
Default Security Policy DNS 258 between 313
fwstop while active 345 dns 266 Entity 375
default_server 246 domain error message
Define Protected Objects as menu choice 176 No Response from Server 136
Group 532 using a domain object in a established TCP connections 346
delimiter rule 203 established TCP packets 290
default for fw logexport 599 Domain Name Download 278, 286 events
denial of service attack domain name download, scheduled 351
definition of 693 enabling 278, 286 excessive log grace period 290
DES Domain Name Queries 278, 286 exec 258
definition of 692 domain name queries, enabling 278, explicitly defined rules
using ACE (SecurID) DES with 286 interaction with implicit
Drop rules 317
VPN-1/FireWall-1 364 differences from Reject 308
Destination Selection window 411 export
Duplicates 178 user database 618
dest-unreach 271, 272 dynamic object 176, 217, 290
Details extended format 590
resolution failure 217 external FireWall Module
FireWall-1 441
dynamic_objects 585 not managed by VPN-1/
FloodGate-1 442 dynamically assigned IP address 183
High Availability 442 FireWall-1/n 707
dynamically-assigned IP address 479 external group
Management 443
when changes take effect 167
OPSEC 443
external interfaces
SVN Foundation 440
VPN-1 441 E restricted number of 707
external.if file
Details View 436 modified during VPN-1/
Clusters 445 E2ECP FireWall-1
FireWall-1 446 rule 489 reconfiguration 58
FloodGate-1 451 echo 258, 266

externally managed gateway FW1_log service 276 generic services
converting to an internally FW1_mgmt 35 service properties 228
managed gateway 182 fw1_service 276 ggp 272
Extranet 303, 304 FW1_topo service 276 Global Properties 459
extranet FW1_ufp service 277 Global Properties window
definition of 696 fw1pwdLastMod 284 Log and Alert page 490
fwa1 562 gopher 258
fwauth.keys file grace period
modified during VPN-1/ logging 290
F FireWall-1
reconfiguration 58
GUI windows
closing 143
Fetch command (Named Masks fwauthd.conf file displaying 143
window) 321 modified during VPN-1/
fetch interval 184, 481 FireWall-1
File Menu 144 reconfiguration 58
filtering network objects 177 FWDIR H
Find 461 definition of 696
finger 258 fwm dbexport H.323 259, 260, 346
FireWall-1 LDIF syntax 619 enabling back connections 259
reconfiguring 550 syntax 618 pre-NG version 259
FireWall-1 authentication password fwm dbimport 168, 616 HCID_RULE_COMMENT_1 312
installing 561 fwm dbload 562 header
FireWalled host fwm fetch 560 definition of 697
displaying status of 567 fwm fetchlogs 603 heuristic check of Rule Base 313
FreeTel 266, 346 fwm fetchlogs command 603 HID_MANAGE_CE_CUSTOMER
FTP 346 fwm gen 579 S 147
back connection 59 fwm hastat command 614 hidden rules 318
control connections 290 fwm ikecrypt 615 displaying 319
data connection 59 fwm kill 580 unhiding 319
data connections 290 fwm lichosts 569
fwm load 341, 556, 559 hiding rules 318
PORT command 58 fwm log 593 Hierarchical Layout 499
unifying logs for control and fwm logexport 598 high availability
data connections 290 fwm logswitch 419, 423, 596 definition of 697
ftp 258 fwm lslogs 601 upgrading a cluster of Check
FTP data connections 258 fwm mergefiles 600 Point Modules 124
FTP PASV 346 fwm printlic, see cplic print HKEY_LOCAL_MACHINESoftwa
FTP PASV data connections 276 fwm putlic 561 reCheckPointPolicy
FTP PORT data connections 276 fwm repairlog 599 Editor4.1 136
ftp-pasv 224 fwm tab 584 hostname 183
ftp-port 224 fwm unload 341, 558 IP address of 183
fw command 547 fwm ver 569 hosts
fw ctl 280, 576 fwopsec.conf file 574, 687 list of those protected by
fw kill fwopsec.v4x file 687 VPN-1/FireWall-1/n
NT restriction 580 fwstart 554, 579 product 569
fw lea_notify 604 fwstop 555, 579 hosts file 183, 204
fw lea_notify command 604 fwstop -proc 345 HTML Weeding 242, 249
fw lslogs 601 fwstop-default 345 http 258
fw putkey 60, 561 https 258
fw sam 570
fw unload 558
fw.log file 419 G
FW1 service 276
FW1_cpd service 276
I
gateway
FW1_cpmi service 276 converting type 182
FW1_cvp service 277 ICA 47
FW1_ica_pull service 276, 277 packets originating on 277 icense
FW1_key service 276 gateway stealthing overwriting 626
FW1_load_agent service 277 definition of 697 ICMP 286



enabling 272, 278, 286 installing a FireWall-1 authentication SmartCenter Server 485
match string 228, 229 password 561 IP address loss
Port Unreachable 288 installing a FireWall-1 license 624 DAIP Module 485
TTL expired in transit 288 Installing Access Lists 331 IP addresses
ICMP Redirect installing and enforcing, difference definition of 699
enabling 286 between 313 private ranges 280
Integrated FireWalls when does changing take
ICMP_redirect 288 general properties 208
ident 259 effect 58
ied 146 Integrated Firewalls 207
Integration of the Topology view and IP Forwarding 345, 577
igrp 272 controlling status of with
IKE 183 the Rules Tab 522
Intel RNG FireWall-1 576
Office Mode 193 enabling and disabling 578
checking status 663
IKE service 276 enabling and disabling on
imap 259 IntelliMouse 496
Interface 436 HPUX 11 578
implicit rules
see implied rules interface enabling and disabling on IBM
automatic discovery 188 AIX 579
implied rules 278
interaction with explicitly interface data enabling and disabling on Solaris
fetching automatically 188 2 578
defined rules 317
interface names 189, 209 enabling and disabling on
toggling display of 146 interfaces
Implied Rules option on View Windows NT 579
network, properties of 188, 189 IBM AIX 578, 579
menu 318 result of failing to define 186
info-reply 271 IP options 290
info-req 271 interfaces, external IP Pool 193
inhibiting connections 570 restricted in FireWall-1/50 and addresses in 193
Initial Policy 345 FireWall-1/250 707 IP spoofing
in-place encryption Internal Certificate Authority, see definition of 699
definition of 697 ICA ipconfig command 183
INSPECT internal commands 291, 292 irc 259
definition of 698 internal hosts ISAKMP
INSPECT tables license restriction exceeded 707 see IKE
displaying 584 number restricted in FireWall-1/ ISAKMP see IKE
Inspection Code n 707
compiling from Inspection too many 707
Script 314 internal interfaces
definition of 698 number not restricted 707 J
Inspection Code Loading 341 internal network objects 158
Inspection Module internal_send_mail 291 JAVA 242, 249
fetching last installed on internal_snmp_trap 292 blocking JAVA applets 242
host 560 Internet Java
definition of 698 definition of 699
Inspection Module tables, displaying,
using command-line Internet Service Provider, see ISP JAVA applets
interface 584, 624 InternetPhone 266 already in cache 242, 249
Inspection Script intranet
definition of 698 JAVA Script 242, 249
compiling Inspection Code Java Stripping
from 314 Introduction to Smart Map 491 definition of 699
intruders
definition of 698 blocking connections from or to
generating from Rule Base 579 suspected 420
generating using command-line
interface 579
IP Address 202
IP address
K
manually editing 314 dynamically assigned 183
viewing 341 hostname 183 Kerberos
installing IP address 0.0.0.0 definition of 700
a previous database version 559 hiding behind 193 kerberos 259, 266
router access list 345 IP address change Kernel Module
Security Policy 331 DAIP Module 485 sending control information
to 576

key configure the permitted origins Log File
definition of 700 list 684 compression 598
key management DAIP Module 483 creating new 596
definition of 700 deleting 626 creating new, using command-
detaching 109, 119 line interface 596
displaying 628 deleting 420
L finding expired 115
for SmartCenter Server 101
displaying contents of 593
displaying, using command-line
glossary 119 interface 570, 593, 599
LAN installing 624 exporting 425, 598
definition of 701 installing on host 561 miscellaneous functions 424
layered communication model local 99 opening another 418
definition of 700 saving 418
log_consolidator -O 684
Layout 498 starting a new 419
LDAP 171 multi-license file 120
default user template 366, 367 printing 628 unified log 600
definition of 701 reconfiguring with Log file
cpconfig 551 repairing pointer files 599
FireWall-1-specific
removing 626 Log Files
attributes 367 fetching 389, 421
port number for SSL removing from repository 112
Repository 71 merging 601
connection 367 log grace period 290
users maintained by third-party routers 630
SecuRemote users 630 Log Server
clients 366, 367 definition of 420
LDAP Client structure 100
install the user database 425
third-party 366, 367 type icons 72
log unification 595, 599
LDAP query request viewing properties 113 rebuilding chains 600
timeout 195 licenses Log Viewer
LDAP Server Central 631 displaying 144
exporting users from 618 LiveLan 260 log_consolidator -O 684
importing users to 620 lmhosts file 204 log_export 604
LDAP server, see also Account Unit Load Agents logging
ldap service 259, 277 defining parameters 285 Access Control 30
ldapmodify command 621 load balancing QoS 197
ldapsearch 621 definition of 701
to more than one machine 292
LDAPservers load_program attribute 341, 558
loading a Security Policy 556 Logging and Alerting
defining 364 Security Policy 289
ldap-ssl 259 Local license management 624
local.arp file 280 Logging Server
LDIF file format 620 DAIP Modules 483
LDIF syntax 618 lockmanager 269
LEA log Logical Server 215
definition of 701 saving 424 login 260
scrolling 418 with DN or user name 285
leased line
definition of 701 viewing 471 Lotus Notes 260
log consolidation engine Luna card diagnostics utility 661
License Luna card software diagnostics
Local 624 configure the permitted origins
utility 661
license list 684 lunadiag 661
adding log_consolidator -O 684 LZ77 598
from a file 103 Log entries, selecting by
manually 103 destination 421
adding to Repository interface 409
definition 119 origin, source, destination, user M
attaching 105, 119 or service 421
central 98 protocol 421 MAC address
certificate key 100, 114 service 421 definition of 701
checking 629 source 421 Mail Alert Command 291
type 411 mail alert command 291



Make True Network 514, 515 Monitoring System Status 433 group, defining properties
Management Module monitoring system status 433 of 163
definition of 702 Mosaic 261 internal 158
Management Station mountd 269 modifying 176
protecting 35 moving VPN-1/FireWall-1 to properties 173, 357, 359
masking rules 318 another machine 57
MS Exchange 346 network object group
mask-reply 271 deleting from 213
mask-request 271 multicast
definition of 702 Network Object System Alert
masks Definition 458
applying 321 multi-homed host
definition of 702 network objects
Master 541 automatic definition of 187
definition of 702 Multi-View Select
Synchronization 456 filtering 177
fetching Security Policy Network Objects Manager
from 560 displaying 143
redirect logging to another Networks 311
Master 424
MASTERS file 198
N New Network Object Mode 497
NFS 269
masters file nfsd 266
modified during VPN-1/ name 221, 224, 227, 228, 231, 266 nfsprog 269
FireWall-1 named 278, 286 NIS 269
reconfiguration 58 NAT nisplus 269
and auxiliary connections 346 NIST 689
match 228, 229
maximum concurrent and FTP PASV 346 nntp 261
connections 199 automatic ARP node
memory pool 199 configuration 280 definition of 703
Menus DAIP Module 485 nodes
File 426, 464 Network Properties number restricted in VPN-1/
Help 469 window 203 FireWall-1/n 707
Modules 465 NAT tab Nortel Networks router 311
Products 465 Gateway Properties ntp 261, 266
Selection 427 window 192
Tools 428, 467 nbdatagram 266
View 427, 464
Window 428, 467
nbname 266
nbsession 261 O
Microsoft Conferencing 260 NBT 261
Microsoft Exchange 260 net mask 202 object
Microsoft NetMeeting 260 NetBEUI, see NBT where used 177
Microsoft NetShow 261 NetShow 346 object database
Microsoft SQL Server 261 netstat 261 querying 591
MIME attachments network 193 Object Tree 132, 134
definable in an SMTP ambiguous 515 Objects
Resource 248 menu choice 176 display properties 438
definition syntax in SMTP Network Address Translation objects.C file 587
definition of 702 objects_5_0.C file 58, 171, 172, 245,
Resource 248
network interface properties 188, 276, 341, 372, 377, 558, 583, 587,
stripping specified types from 189 588
message 248 network object Office Mode 193
Modes 494 changing type of 182 OnTime 267
Modifying creating 175 Open 204
Configuration File 606 defining 173 Open Windows 261
Module deleting 176 OPSEC 590, 664
sorting 438 definition of 703
dynamically assigned IP
statuses 438 upgrade_fwopsec 686
address 183
Modules Tree OPSEC Applications 492
collapsing and expanding 438 editing existing 176, 360, 373
group 353, 361 OPSEC Environment, Entitiy and
Modules View 436 Session 372
using 437 group, adding service to 231 OPSEC PKI 365

OPSEC session product repository management 643 reconfiguring FireWall-1 550
definition 372 product.conf file 574 Reconnecting to the Server 463
opsec_putkey command 277 prog number 228 redirect 271
ospf 272 program number 227 Redundant Management
out of sequence TCP packets 289 properties CAs 539
outgoing packets interaction with Rule Base 317 Reject
accepting 277 network object 173, 357, 359 differences from Drop 308
overlapping encryption domains of defined object, remote installation 651
definition of 703 displaying 220 using SecureUpdate Product
of network interface 188, 189 Management 84
of service object, defining 220 Remote Installation daemon 664
Removing Network Objects 508
P time object 347, 537
protocol stack Re-resolving network object
definition of 704 edges 517
package repository management, see protocol type 223, 226, 228, 230 resolution failure
product repository management proxy dynamic object 217
packet definition of 704 Resolve by Graph 517
definition of 703 public key Resolve by List 516
packet filter definition of 704 Resolve by Map 517
definition of 703 resolve name timeout
public network Log Viewer 290
installing Security Policy definition of 704
on 342 Resolving a Network Object 515
Resolving Services 416
param-prblm 271 Return unused IP addresses to Pool
password
length of 165 Q after 193
reverse DNS 238
limitation on length in Revision Control 293
Windows 31 QoS rexec 262
password expiration 283 logging 197 RFC
Paste selected Topology queryDB_util utility 587, 591, 592 definition of 705
Object(s) 522 RFC 1521 248
pcnfsd 269 RFC 1918 280
permitted origin list 684 RFC 1950 598
ping 271
PKI
R RFC 1951 598
RFC 1952 598
definition of 704 Rijndael 689
PointCast 261 RADIUS 267
defining server 360 RIP 277, 286
Policy rip 267
fetch interval 184, 481 definition of 704 RIP, enabling 277, 286
Policy Menu 149 enabling connections from rlogin 262
pop2 262 FireWall Module to router
pop3 262 server 276 definition of 705
port 111 High Availability 361 Router Access Lists
UDP and TCP 227 RADIUS chaining 361 importing 342
port 18212 285 RADIUS proxy 361 managing imported access
port number 221, 223, 225 RADIUS Servers lists 343
portmapper 227 Server Groups 372 verifying and viewing 344
pre-shared secret 284 RADIUS service 277 routers
Previous Database version radius_versions 361 anti-spoofing capabilities 206
installing 559 range of addresses 216 installing access lists on 345
Print out the Topology View 503 RAS 262, 267
Print Preview 504 RDP 267 installing Security Policy
printing RDP service 277 on 311, 331
log entries 424 Read Community 199, 211 routing configuration error 289
private IP address ranges 492 RealAudio 262, 346 Routing Information Protocol,
Product Details 440 enabling back connections 262 enabling 277, 286
Product Repository 71 re-configuration RPC
installing from 92 files modified during 58 service properties 226
RPC Control 346



RPC control 276 scheduled events 351 loading 556
rs_db_tool command 563 sdconf.rec file 364 uninstalling 558
RSA making changes to 364 viewing 340
definition of 705 Search by IP 178 Security Servers
rsh 262 Search network 178 sending signal to 580
RSH/REXEC 346 secret key Select Mode 494
RSH/REXEC reverse stderr definition of 705 Selection 422
connections 276 SecureClient Entries 396 SEQ number 289
rstat 269 SecuRemote server
RSVP connection parameters in user logical 215
definition of 705 database import 618 server load balancing
rtcommand 672 SecuRemote DNS Server 370 defining parameters 285
RTGen 678 SecuRemote users server object
Rule Base license 630 adding a server to a group 361
adding a new rule 300 SecureNet Keys 363 creating 359, 373
deleting rule from 313 SecureUpdate 63 creating groups of server
generating Inspection Script adding an administrator 160 objects 361
from 579 Administrator permissions 160 defining 357, 359
generating Inspection Script architecture 121 deleting 360
from, using command-line backward compatibility 99 deleting a server from a
interface 579 booting a remote Module 95 group 362
interaction with Properties 317 clearing a completed editing 373
masking rules 318 operation 96 modifying 360
verifying 313 connections 278 SERVER_TIMEOUT 136
rule number zero 278 Frequently Asked servers availability
rules Questions 122 defining parameters 285
adding and inserting 300, 301 getting Module data 96 servers persistency
adding to Rule Base 300 installing 64 defining parameters 285
consistency and redundancy installing a product using 89 ServerTimeout 136
check of 313 menus 76 service object
copying to clipboard 301 Operation Status pane, using creating new 220
cutting to clipboard 301 the 73 defining 220
deleting 301 Product Repository 71 deleting 220
deleting from Rule Base 313 purpose 63 modifying 221
disabling 330 remotely upgrading a Module Services Manager
hiding 318 using 64 displaying 143
how executed 296 starting 68 session timeout
masking 318 stopping an operation 96 UDP 287
modifying 302 toolbar 82 setup.C file 361
pasting from clipboard 301 uninstalling a product using 92 shared-secrets
rwall 269 third party LDAP Servers 367
upgrading a High Availability
Show 416
cluster 124 Show Objects 523
verifying an installation 94 Show objects
S SecurID 262, 267
ACE server configuration 363
highlight 523
Network Objects Manager 523
securidprop 262 Objects List 524
S/Key security
fwa1 authentication 562 Objects Tree 524
TCP port 111 227
Secret Key minimum Rule Base 523
Security Policy
length 164 backing up 58 Show Rules 525
SAM 290 Show rules 524
compiling 556 S-HTTP
definition of 705, 709 creating new 297
sam_allowed_remote_requests 574 definition of 706
definition of 706 SIC
saving fetching from Master 560
log entries 424 administrative benefits 46
installing 331 certificates 46
log file 418

configuring for a new Source Object Selection Criteria SYNDefender 199
Module 49 window 411 maximum number of protected
configuring for upgraded source port range 223, 225, 226 sessions 200
Modules 52 source-quench 271 when changes to Maximum
ICA 47 Specifying 222 Sessions take effect 200
spoofed packets sysContact 199, 211
overview 46 dropping 190
SecureUpdate, use in 121 sysLocation 199, 211
spoofing 190 syslog 267, 664, 665
security benefits 46 SQLNet 263
SIC certificate syslog configuration 665
sqlnet2 346 Syslog daemon 665
DAIP Module 483 SSL syslog daemon 665
SIC name 561 definition of 706 sysName 199, 210
Single Gateway Product port number for LDAP System Alert 457
description 707 connection 367 system alert monitoring
SKIP state information mechanism 461
definition of 706 definition of 708 system alert option 459
SLA 290, 487 state tables system alert parameter 460
logging statistics 489 cleared when Security Policy re- system alert parameters 459
sliding window 289 installed 58 System Status 436
Smart Map 280 stateful ICMP 288 displaying 144
docking 492 Stateful Inspection 287 toolbar 469
OPSEC applications 492 definition of 708 User Interface 436
private IP address ranges 492 IP protocols other than TCP,
Smart Map Menu and Toolbar 532 UDP and ICMP 288
Smart Map view 293
SmartCenter Server
Customer Log Module 692
stateful UDP 287
status T
of Check Point Modules,
definition of 702 displaying 567 TACACS 267
IP address change 485 of hosts, displaying using TACACS Server
problems in connecting to 136 command-line interface 567 enabling connections from
timeout in connecting to 136 Statuses VPN/FireWall Module
SmartDefense Application 438 to 276
features overview 154 Applications 439 TACACS servers
purpose 154 Modules 438 defining 362
toolbar 155 Workstations 438 TACACS service 277
SmartUpdate stderr 276 TACACS+ 263
adding an administrator 32 rsh/rexec reverse stderr TCP
Administrator permissions 32 connections 262 definition of 709
SMTP stdin service properties 221
badly formed header 245 alert commands 292 TCP end timeout 287
definition of 707 stop updating the log entries 416 TCP port 111
pipe 245 StreamWorks 267 security issue 227
source routing 245 stub network TCP sequence verifier 289
SMTP resource definition of 709 TCP Session Timeout 287
restricting message size 249 Sub networks 178 TCP session timeout 287
smtp service 263 subnet TCP/IP
smtp.conf file 246 definition of 709 definition of 709
smtp_rfc822 property 245 sub-rule 300 tcpip.def file 229
SNMP 267 suspected intruders TELNET
definition of 707 blocking connections to and definition of 709
trap 585 from 420 telnet 263
snmp 267 TFTP 226
switch tftp 267
SNMP properties 199, 210 definition of 709
snmp service 267 time object
Sybase SQL 263 creating 348
SNMP Trap alert command 292 symmetric key
SNMP trap alert script 292 creating groups of time
definition of 709
snmp-trap 267 objects 353
Symmetrical Layout 499

722 Check Point SmartCenter Guide • August 2002


  defining 347, 537
  deleting 348
  editing existing 348
  groups 351
  modifying 348
  properties 347, 537
time object group
  deleting from 355
time service 263, 268
time zone
  VPN peers in different time zone 347
time-exceeded 271, 272
timeout
  changing default 136
  connection to Management Server 136
  LDAP query 195
  Log Manager resolve name 290
timestamp 271
timestamp reply 271
timestamp request 271
Toggle View 499
too many internal hosts 707
topology
  automatic calculation 186
  automatic definition 186
  automatic discovery 186
  discovery process 186
  manual definition 187
  overwriting existing definition 187
Topology Menu 149
Topology View Options 494
traceroute 272
  description of 268, 271
  enabling 272
tracking database versions 137
Turning a Provisory Network into a True Network 514

U

UDP
  accept replies 288
  definition of 710
  enabling replies 288
  service properties 224
  virtual session timeout 287
UDP port 18212 285
UDP replies 226, 288
UFP
  definition of 710
Understanding Rules shown in the Topology View 524
unicast
  definition of 710
uninstalling a Security Policy 558
Unknown Network Objects 344
Unused objects 178
upgrade_fwopsec command 686, 687
upgrading
  objects carried over from previous version 58
  reinstalling Security Policy after 58
  using SecureUpdate 89
URI Specification File
  format 240
URL
  definition of 710
user
  group, defining properties of 166
  restricting internal user’s access to JAVA applets 242
User Authentication
  authentication rule 315
User Database
  Active Update 456
  downloading 167, 562
  installing, see User Database, downloading
  when changes take effect 167
user database
  exporting 618
  importing 616
user defined alert command 292
user group
  adding to source of rule 303
  in rule 302
  restricting access based on 302
user groups
  exporting and importing 619
user properties 162
User-Defined Service Properties
  Example 230
users
  restricting internal user’s access to JAVA applets 242
Users Manager
  displaying 143
Using the Topology View 493
uucp 263

V

VDO-Live 264
  enabling back connections 264
VDOLive 346
version number
  displaying 569, 662
Viable Install On Targets window 310
view expanded group 167, 212, 231, 354, 362
View menu 318
viewing
  Inspection Script 341
  log 471
virtual interfaces
  anti-spoofing 190
Virtual Link
  creating 487
  definition of 487
  editing or deleting 488
  enabling monitoring 489
  end points 488
  logging interval 490
  windows 488
Virtual Link Properties window
  General tab 487, 488
  SLA Parameters tab 489
  SLA parameters tab 487
Virtual Link statistics interval 290
virtual session time-outs 287
virtual session timeout
  UDP 287
virtual sessions 287
virus
  definition of 710
VoIP domain 176
Vosaic 264
VPN
  definition of 710
  peers in different time zones 347
vpn accel 661
VPN Community
  log connections between members 291
vpn debug 662
VPN domain 190
vpn drv 663
vpn intelrng 663
vpn ver 662
VPN/FireWall Module
  starting 554
VPN/FireWall-1 daemon
  sending signal to 580
VPN-1 Accelerator Card 661

VPN-1/FireWall-1
  moving to another machine 57
VPN-1/FireWall-1 daemon
  stopping 555
VPN-1/FireWall-1 license, see license
VPN-1/FireWall-1 version number
  displaying 569

W

wais 264
WAN
  definition of 711
WatchDog 565
Web Server
  definition of 710
WebTheatre 264, 346
Wellfleet
  managing Access Lists 581
What is Smart Map? 491
where used 177
who service 268
Windows
  starting the System Status 434
windows
  Virtual Links 487
WinFrame 264
WINS protocol 183
wnload 332
Working with Network Objects 493
Workstation Properties Window
  Logging CPSyslogD Check Point’s Syslog Daemon 196, 197
Workstation Status
  Connected 439
  Disconnected 439
  Untrusted 439
  Waiting 438
Write Community 199, 211
WWW
  definition of 711

X

X/Motif
  starting System Status 434
  starting the GUI 128
  starting the Log Viewer 68, 389, 471
X11 264
Xing 267

Y

ypbind 269
yppasswd 270
ypserv 270
ypupdated 270
ypxfrd 270

Z

Zoom Mode 495
Zoom Options 495
