VPN-1 UTM Edge Management Solutions

Administration Guide Version NGX R65

TM

701308 February 14, 2007

 2003-2007 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: 2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.

Contents
Preface
Who Should Use This Guide................................................................................ 8 Summary of Contents ......................................................................................... 9 Related Documentation .................................................................................... 10 More Information ............................................................................................. 13 Feedback ........................................................................................................ 14

Chapter 1

Introduction to VPN-1 UTM Edge Appliances

Introduction .................................................................................................... 16 Security & VPN Solutions for Different Sized Organizations.................................. 17 Solution for VPN-1 UTM Edge Appliances .......................................................... 18 Finding the Right Check Point Management Solution ..................................... 18 An Overview of VPN-1 UTM Edge ................................................................. 22 VPN-1 UTM Edge Device Functionality ......................................................... 25

Chapter 2

Installation and Configuration

Introduction to the Installation and Configuration Processes ................................ 30 Before You Begin ............................................................................................. 31 Overview of Workflow for SmartCenter Management Solution................................ 32 Overview of Workflow for SmartLSM Management Solution .................................. 33 Configuration Operations .................................................................................. 34 Installing and Configuring VPN-1 UTM Edge Appliances................................. 34 Installation & Configuration Using SmartCenter ............................................. 35 Working with VPN-1 UTM Edge Objects for SmartCenter ................................ 35 Working with VPN-1 UTM Edge objects for SmartLSM.................................... 42 SmartDashboard Content Inspection Configuration ......................................... 47 Creating a Security Policy for VPN-1 UTM Edge Appliance.............................. 47 Security Policy Operations ........................................................................... 48 Managing VPN-1 UTM Edge Devices with SmartCenter Server ......................... 49 Remote Login to the SmartCenter Server ....................................................... 51 Configuring VPN in SmartCenter................................................................... 52 Viewing Logs in the SmartView Tracker ......................................................... 59 Downloading the Latest Firmware from SmartUpdate...................................... 60

Index........................................................................................................... 67

Table of Contents

Preface
Preface

P
page 8 page 9 page 10 page 13 page 14

In This Chapter
Who Should Use This Guide Summary of Contents Related Documentation More Information Feedback

Who Should Use This Guide

Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This guide assumes a basic understanding of System administration. The underlying operating system. Internet protocols (IP, TCP, UDP etc.).

Summary of Contents

Summary of Contents
This document describes how your VPN-1 UTM Edge appliance is managed using various Check Point management solutions, such as SmartCenter, Provider-1 and SmartLSM. In this document you will also learn about Check Point features that the VPN-1 UTM Edge support, and how to use them for your VPN solutions. Chapter Chapter 1, Introduction to VPN-1 UTM Edge Appliances Description describes the appliances offered by Check Point that provide both Security and VPN solutions, SMART management and can be used in conjunction with VPN-1 Power and VPN-1 UTM. In addition, this chapter explains how these appliances can be centrally managed and incorporated into existing infrastructures. describes installation and configuration processes.

Chapter 2, Installation and Configuration

Preface

Related Documentation

Related Documentation
This release includes the following documentation
TABLE P-1 VPN-1 Power documentation suite documentation

Title Internet Security Product Suite Getting Started Guide

Description Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about Whats New, Licenses, Minimum hardware and software requirements, etc. Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65. Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints. Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic. This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.

Upgrade Guide

SmartCenter Administration Guide

Firewall and SmartDefense Administration Guide

Virtual Private Networks Administration Guide

10

Related Documentation TABLE P-1 VPN-1 Power documentation suite documentation (continued)

Title Eventia Reporter Administration Guide

Description Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense. Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform and explains Dynamic Routing (Unicast and Multicast) protocols. Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

SecurePlatform/ SecurePlatform Pro Administration Guide Provider-1/SiteManager-1 Administration Guide

TABLE P-2

Integrity Server documentation

Title Integrity Advanced Server Installation Guide Integrity Advanced Server Administrator Console Reference

Description Explains how to install, configure, and maintain the Integrity Advanced Server. Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system. Explains how to managing administrators and endpoint security with Integrity Advanced Server. Provides information about how to integrating your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.

Integrity Advanced Server Administrator Guide Integrity Advanced Server Gateway Integration Guide

Preface

11

Related Documentation TABLE P-2 Integrity Server documentation (continued)

Title Integrity Advanced Server System Requirements Integrity Agent for Linux Installation and Configuration Guide Integrity XML Policy Reference Guide Integrity Client Management Guide

Description Provides information about client and server requirements. Explains how to install and configure Integrity Agent for Linux. Provides the contents of Integrity client XML policy files. Explains how to use of command line parameters to control Integrity client installer behavior and post-installation behavior.

12

More Information

More Information
For additional technical information about Check Point products, consult Check Points SecureKnowledge at https://secureknowledge.checkpoint.com/.

See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents

Preface

13

Feedback

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: [email protected]

14

1 Chapter Introduction to VPN-1 UTM Edge Appliances

In This Chapter
Introduction Security & VPN Solutions for Different Sized Organizations Solution for VPN-1 UTM Edge Appliances page 16 page 17 page 18

15

Introduction

Introduction
Thank you for using Check Point VPN-1 UTM Edge appliances, which provide secure connectivity and VPN solutions at affordable prices. Check Points VPN-1 UTM Edge appliances, which include the X-series and S-series appliances, are easy to install and user-friendly. Moreover, along with the VPN-1 appliances (such as, Nokia and NEC devices), they are seamlessly and securely integrated with different Check Point management solutions, such as, SmartCenter, Provider-1 and SmartLSM. This document describes how your VPN-1 UTM Edge appliances are managed using various Check Point management solutions, such as SmartCenter, Provider-1 and SmartLSM. In this document you will also learn about Check Point features that the VPN-1 UTM Edge and other appliances support, and how to use these appliances for your VPN solutions.

16

Security & VPN Solutions for Different Sized Organizations

Security & VPN Solutions for Different Sized Organizations

All enterprises and organizations, large and small, require tailor-made security and VPN solutions for the management of their remote sites and branch offices. These solutions must take into consideration that remote sites or branch offices: do not necessarily need enterprise-size solutions or costs for their moderate-sized employee-base. do not require advanced Security Policy and VPN configurations but do require full security and connectivity. do not necessarily employ a full-time security administrator and are not necessarily looking to manage the VPN-1 Power or VPN-1 UTM gateway themselves.

What these businesses require is a solution that offers connectivity and security at an affordable rate that is easy to integrate into existing infrastructure and is easy to use.

Chapter 1

Introduction to VPN-1 UTM Edge Appliances

17

Solution for VPN-1 UTM Edge Appliances

Solution for VPN-1 UTM Edge Appliances

VPN-1 UTM Edge is a series of appliances offered by Check Point that provides both Security and VPN solutions, which are affordable, easy to configure and simple to manage for securing enterprise remote sites and large-scale VPN deployments. VPN-1 UTM Edge appliances support SMART management and can be used in conjunction with VPN-1 Power and VPN-1 UTM. VPN-1 UTM Edge appliances enable enterprise customers to quickly and easily create a seamless Check Point Internet security infrastructure. Theses appliances can be centrally managed and easily incorporated into existing infrastructures. These appliances do not include moving parts, easy to use and do not compromise either connectivity or security.

Finding the Right Check Point Management Solution

The VPN-1 UTM Edge appliances can be managed using any one of the following Check Point management solutions: SmartCenter (Pro or Express), Provider-1 or SmartLSM: SmartCenter is considered the standard VPN-1 UTM Edge management solution and is often used in conjunction with SmartLSM. SmartCenter management is useful for organizations with branch offices who are looking for affordable alternatives and basic security and VPN solutions for each branch office. The VPN-1 UTM Edge appliances are represented by an object which is created and managed in SmartDashboard called the VPN-1 UTM Edge gateway.

18

Finding the Right Check Point Management Solution

Figure 1-1

SmartCenter Deployment

SmartLSM, is an extension of SmartCenter providing administrators with an effective means of provisioning and managing hundreds and thousands of VPN-1 UTM Edge ROBO (Remote Office/Branch Office) gateways. VPN-1 UTM Edge Profiles and Profile policies are defined in SmartDashboard. VPN-1 UTM Edge ROBO gateways are provisioned and managed via the SmartLSM console application. For more information see the SmartLSM Administration Guide.

Chapter 1

Introduction to VPN-1 UTM Edge Appliances

19

Finding the Right Check Point Management Solution

Figure 1-2

SmartLSM Deployment

Provider-1, is used by large enterprises and by Managed Service Providers to centrally manage multiple, fully customized, customer domains. VPN-1 UTM Edge appliances are integrated transparently with this management solution. The management capabilities of a Provider-1 CMA (Customer Management Add-On) are equivalent to those of the SmartCenter gateway, including the SmartLSM extension. Global VPN Communities are currently not supported for VPN-1 UTM Edge appliances.

20

Finding the Right Check Point Management Solution

Figure 1-3

Provider-1 Deployment

Chapter 1

Introduction to VPN-1 UTM Edge Appliances

21

An Overview of VPN-1 UTM Edge

An Overview of VPN-1 UTM Edge

In This Section
VPN-1 UTM Edge Advantages of the VPN-1 UTM Edge Appliances Overview of a Typical Workflow page 22 page 23 page 24

VPN-1 UTM Edge

Check Points VPN-1 UTM Edge appliances are available in different series: X-series, ideal for sites requiring site-to-site VPN. This series also delivers additional capabilities such as high performance, high availability, support for multi-ISPs and automatic recovery. W-series, provides secure wireless connectivity for remote sites, branch offices, and partner sites by integrating a secure wireless access point with market-leading VPN-1/FireWall-1 technology, high availability support, and simple Web-based setup.

The following VPN-1 appliances are also supported: Nokia IP30, IP40, IP45, IP60, IP60W NEC SecureBlade, SecureBlade 300

Whatever the series, the VPN-1 UTM Edge appliances support any of the Check Point management solutions (SmartCenter, SmartLSM...etc). Apart from their own seamless integration and ease of use, they also benefit from most of the advantages of any regular VPN-1 gateway.

22

An Overview of VPN-1 UTM Edge

Advantages of the VPN-1 UTM Edge Appliances

There are several distinct advantages to working with VPN-1 UTM Edge devices. The features that are supported depend on the device that you own: Installation, Integration and Configuration - The VPN-1 UTM Edge appliance itself is easy to install and configure. Moreover, the VPN-1 UTM Edge appliance can be used immediately once SmartCenter (Power or UTM) has been installed. The appliance is diskless. It contains pre-configured software and can be used out-of-the-box. VPN - VPN-1 UTM Edge appliances can be implemented in Check Point VPN-1 solutions which offer full encryption and authentication capabilities. These Appliances can participate as a peer gateway in the corporate VPN with just one click. The appliances can participate in a Site-to-Site Community (both Star or Meshed), or as a Remote Access client. For more information on building VPN Communities, see the Virtual Private Networks Administration Guide. Security - A Security Policy can be enforced on VPN-1 UTM Edge appliances. Some of the security highlights include: support of Check Points patented Stateful Inspection, Anti-spoofing, DoS protection and H.323 VoIP. Some of the networking highlights include DHCP, NAT support and Access Control. Logging and gleaning the status of appliances - The status and traffic of the VPN-1 UTM Edge appliances can be monitored and logged using the Check Point SmartConsole clients: SmartView Tracker and SmartView Status. These tools can be used for troubleshooting purposes. Centralized upgrading - the VPN-1 UTM Edge Device firmware can be upgraded automatically due to Check Point SmartUpdate support.

Chapter 1

Introduction to VPN-1 UTM Edge Appliances

23

An Overview of VPN-1 UTM Edge

Overview of a Typical Workflow

1. Install the VPN-1 UTM Edge appliance. For more information see your vendor documentation. 2. Create objects to represent these appliances in the respective management solution (for example, SmartLSM, etc.). This includes the creation of a VPN-1 UTM Edge Profile and a gateway, where the latter is the network object that represents the VPN-1 UTM Edge appliance. 3. The initial configuration of the appliance and the connection to the SmartCenter gateway is done via a Web GUI called the VPN-1 UTM Edge portal (http://my.firewall). It is imperative that trust is established between the SmartCenter and the device in order for them to communicate freely and securely. Moreover, connection to the SmartCenter server from the device needs to take place so that management operations carried out by the SmartCenter server can be applied. This establishment of trust is equivalent to the SIC (Secure Internal Communication) process that takes place in SmartCenter between regular gateways and the SmartCenter gateway. 4. Perform management operations. All management operations such as defining VPN relations with other gateways, fetching a policy or updating the software version embedded in the appliance (or firmware, as it is called) is performed by the SmartCenter gateway using any one (or a combination) of the Check Point management solutions (SmartDashboard, SmartLSM or Provider), or via the Command Line. SmartCenter uses a UDP-based protocol which is encrypted (called SWTP_SMS or SWTP_gateway) in order to communicate with the VPN-1 UTM Edge appliance. This protocol is enforced in an implied rule in the Security Policy. For more about SmartCenter management, see the SmartCenter Administration Guide.

24

VPN-1 UTM Edge Device Functionality

VPN-1 UTM Edge Device Functionality

In This Section
VPN-1 UTM Edge Appliances: VPN Communities & Management page 25 VPN-1 UTM Edge and Packet Filtering FireWall Logging in the SmartView Tracker Upgrading VPN-1 UTM Appliance Firmware using SmartUpdate page 26 page 26 page 27

Viewing the Status of VPN-1 UTM Appliances and VPN Creation page 27

VPN-1 UTM Edge Appliances: VPN Communities & Management

VPN-1 UTM Edge gateways can participate in two types of VPN communities: Site-to-Site and Remote Access. These communities are explained in more detail in the Virtual Private Networks Administration Guide.

Site-to-Site
Unless otherwise stated, VPN-1 UTM Edge Device gateways are added to communities and participate in the VPN tunnel in the same manner as all VPN-1 gateway objects; they are added, like regular participating gateways into the VPN community (Star or Meshed). Consult the Virtual Private Networks Administration Guide for more information on building a VPN between gateways. Note - On SmartCenter Express, any VPN-1 UTM Edge appliance that is connecting using Site-to-Site VPN is considered to be an additional managed site; therefore, you are required to obtain an additional license.

VPN-1 UTM Edge as a Remote Access Client

You can configure the VPN-1 UTM Edge appliance to act as a remote client, (it is added to a Remote Access Community). In this case it is configured in an atypical VPN configuration where the VPN-1 UTM Edge gateway is added as a User group to the VPN-1 community. This User group is created by default and is called VPN-1 devices defined as Remote Access. All machines deployed behind the VPN-1 UTM Edge gateway will also function as Remote Access Clients. This means that all traffic from these gateways will be tunneled as well.

Chapter 1

Introduction to VPN-1 UTM Edge Appliances

25

VPN-1 UTM Edge Device Functionality

VPN-1 UTM Edge Managed by an External Service Center

VPN-1 UTM Edge gateway objects that are managed by an external Management gateway can be defined. These objects can be used in VPN communities. Typically, externally managed gateways are used in Extranet scenarios with partners, or with additional Management gateways.

VPN-1 UTM Edge and Packet Filtering FireWall

VPN-1 UTM Edge appliances use Check Points Stateful Inspection technology just like regular VPN-1 gateways. gateways that are used in the Rule Base, get their Security Policy from the SmartCenter gateway. This policy enforces the manner in which connections are allowed (or not allowed) to pass to and from the VPN-1 UTM Edge appliance. Access Control is used to determine the resources and services that are authorized to be used. This access authorization sets the level of security. Rules are attributed to VPN-1 UTM Edge gateways by installing the rule on a specific gateway. For more about Access Control, see the FireWall and SmartDefense Administration Guide. VPN-1 UTM Edge appliances can be used with the following actions in the Security Policy Rule Base: Accept, Drop and Reject.

Logging in the SmartView Tracker

VPN-1 UTM Edge logs can be generated and sent to a logging server. This server consolidates all VPN-1 UTM Edge logs in the SmartView Tracker. You can view regular logs and audit logs (for management operations) in the SmartView Tracker. You can use these logs to troubleshoot and confirm that connections are passing to and from the VPN-1 UTM appliance, according to what is specified in the Security Policy. SmartView Tracker has a pre-defined query called VPN-1 UTM which can be used to focus on the logs generated from the appliances specifically. Since the VPN-1 UTM gateway sends logs at periodic intervals, you will notice that logs appear in the SmartView Tracker only after the periodic interval has passed.

26

VPN-1 UTM Edge Device Functionality

Viewing the Status of VPN-1 UTM Appliances and VPN Creation

Use the SmartView Monitor in order to learn more about the status of the VPN-1 UTM Edge appliances. SmartView Monitor is available to both VPN-1 Power and Vpn-1 UTM customers. SmartLSM customers may view the status of their objects in SmartView Monitor, or in the SmartLSM SmartConsole. Note - SmartLSM is only available to VPN-1 Power customers.

Upgrading VPN-1 UTM Appliance Firmware using SmartUpdate

The VPN-1 UTM Edge gateway firmware represents the software that is running on the appliance. The VPN-1 UTM Edge gateways firmware can be viewed and upgraded using SmartUpdate. This is a centralized management tool which is used to upgrade all gateways in the system by downloading new versions from the download center. When installing new firmware, the firmware is prepared at the SmartCenter gateway, downloaded and subsequently installed when the VPN-1 UTM Edge gateway fetches for updates. Since the VPN-1 UTM Edge gateway fetches at periodic intervals, you will notice the upgraded version on the gateway only after the periodic interval has passed.

Chapter 1

Introduction to VPN-1 UTM Edge Appliances

27

VPN-1 UTM Edge Device Functionality

28

2 Chapter Installation and Configuration

In This Chapter
Introduction to the Installation and Configuration Processes Before You Begin Overview of Workflow for SmartCenter Management Solution Overview of Workflow for SmartLSM Management Solution Configuration Operations page 30 page 31 page 32 page 33 page 34

29

Introduction to the Installation and Configuration Processes

Introduction to the Installation and Configuration Processes

The installation and configuration process depends on a number of factors: the management solution that you are using (whether SmartCenter, SmartLSM or Provider-1), the type of VPN community that you are configuring as well as the type of device that you are using.

30

Before You Begin

Before You Begin

Before you can work with the VPN-1 UTM Edge appliance, you need to install and configure it via the VPN-1 UTM Edge Portal. This is a Web GUI used expressly for the management of the appliance. Apart from the actual installation process you need to perform a first time login to the VPN-1 UTM Edge appliance via the portal. In this first time login you are meant to set up initial administrator permissions and an authorization permission as well as the Internet connection itself. For more information, see the VPN-1 UTM Edge User Guide.

Chapter 2

Installation and Configuration

31

Overview of Workflow for SmartCenter Management Solution

Overview of Workflow for SmartCenter Management Solution

This workflow assumes that you have installed SmartCenter (Power or UTM). For more information see the appropriate CheckPoint product suite Getting Started Guide The following workflow represents the order in which you should work with VPN-1 UTM Edge appliances. More details about each step in the workflow can be found in this document. 1. Install and configure the VPN-1 UTM Edge appliance. Refer to the VPN-1 UTM Edge User Guide for more information. If you are setting up the appliance on the network, make sure that it is successfully connected. 2. In SmartDashboard: Create the VPN-1 UTM Edge Gateways. Make sure that you setup the VPN-1 UTM Edge appliances topology properly and add the Gateway to a VPN Community. Create rules for your objects and install the Security Policy. This step should be repeated whenever a modification to the VPN-1 UTM Edge objects are made.

3. On the VPN-1 UTM Edge portal, define your SmartCenter Server as the VPN-1 UTM Edge appliances service center. This means that the SmartCenter Server is now responsible for managing the appliance including VPN relations, Access Control, Licensing and updates. The communication between the SmartCenter Server and the VPN-1 UTM Edge appliance is securely connected.

32

Overview of Workflow for SmartLSM Management Solution

Overview of Workflow for SmartLSM Management Solution

This workflow assumes that you have installed SmartCenter Power. For more information see the appropriate Check Point product suite Getting Started Guide. The following workflow represents the order in which you should work with VPN-1 UTM Edge appliances. More details about each step in the workflow can be found in this document. 1. Install and configure the VPN-1 UTM Edge appliance. Refer to the VPN-1 UTM Edge User Guide for more information. If you are setting up the appliance on the network, make sure that it is successfully connected. 2. To enable SmartLSM, run the command LSMenabler on on the SmartCenter Server Pro. 3. In SmartDashboard, Create a Smart LSM VPN-1 UTM Edge Profile. When creating the profile you can specify the VPN community in which you would like the profile to participate. This step can also take place at a later stage.

Note - In SmartLSM, the profile associated with the VPN-1 UTM Edge Gateway can only participate in a Star community for Site-to-Site configuration. Create one or more dynamic objects to be enforced on the VPN-1 UTM Edge ROBO Gateway. Create rules for your objects and install the Security Policy. This step should be repeated whenever a modification to the VPN-1 UTM Edge ROBO objects are made. This step needs to take place after you have created the VPN-1 UTM Edge ROBO Gateway in SmartLSM. Close SmartDashboard.

4. In SmartLSM, create a VPN-1 UTM Edge ROBO Gateway, add the dynamic object to the VPN-1 UTM Edge ROBO Gateway and update the CO (Corporate Office) Gateway, for more information see the SmartLSM Administration Guide. 5. On the VPN-1 UTM Edge portal, define your SmartCenter Server as the VPN-1 UTM Edge appliances service center. This means that the SmartCenter Server is now responsible for managing the appliance including VPN relations, Access Control, Licensing and updates. The communication between the SmartCenter Server and the VPN-1 UTM Edge appliance is securely connected.

Chapter 2

Installation and Configuration

33

Configuration Operations

Configuration Operations
In This Section
Installation & Configuration Using SmartCenter Working with VPN-1 UTM Edge Objects for SmartCenter Working with VPN-1 UTM Edge objects for SmartLSM SmartDashboard Content Inspection Configuration Creating a Security Policy for VPN-1 UTM Edge Appliance Security Policy Operations Managing VPN-1 UTM Edge Devices with SmartCenter Server Remote Login to the SmartCenter Server Configuring VPN in SmartCenter Configuring VPN-1 in SmartLSM Viewing Logs in the SmartView Tracker Downloading the Latest Firmware from SmartUpdate page 35 page 35 page 42 page 47 page 47 page 48 page 49 page 51 page 52 page 58 page 59 page 60

Installing and Configuring VPN-1 UTM Edge Appliances

For information on how to install, configure and work with the VPN-1 UTM Edge Appliance, refer to the VPN-1 UTM Edge User Guide.

34

Installation & Configuration Using SmartCenter

Installation & Configuration Using SmartCenter

VPN-1 UTM Edge support is enabled automatically during the installation of the SmartCenter server. There is no need to install any additional component. Note - VPN-1 UTM Edge cannot be managed from a SmartCenter Server running on Nokia.

Working with VPN-1 UTM Edge Objects for SmartCenter

An object that representing a VPN-1 UTM Edge appliance should be defined in SmartDashboard in order for the SmartCenter Server to be able to manage the VPN-1 UTM Edge appliance: Create the VPN-1 UTM Edge gateway that represents the VPN-1 UTM Edge appliance and associate it with a VPN-1 UTM Edge Profile. See Creating a VPN-1 UTM Edge Gateway on page 35. During this process you must assign the previously created profile to the VPN-1 UTM Edge Gateway that is being created.

Creating a VPN-1 UTM Edge Gateway

A VPN-1 UTM Edge Gateway object is a network object that represents a VPN-1 UTM Edge appliance. This Gateway sits on the network and can be managed by the SmartCenter Server or by an external service center. 1. In the Network Objects tab of the Objects Tree create a new VPN-1 UTM Edge Gateway. 2. In the VPN-1 UTM Edge Gateway - General page: Configure the general settings of the window, including its Name and IP Address (whether static or dynamic), the VPN-1 UTM Edge Profile and version information (Type). It is very important to select the exact version of your appliance. It is also necessary to define a Password (also known as a Registration Key). This password is used for encryption and authentication purposes. Configure the VPN settings. To allow the VPN-1 UTM Edge Gateway to become a member of a VPN community, select the VPN Enabled check box and select the VPN Community type (whether Site to Site or Remote Access). Configure the management settings, if this Gateway is managed by an external server, check Externally Managed Gateway.
Chapter 2 Installation and Configuration 35

Working with VPN-1 UTM Edge Objects for SmartCenter

Select QoS Managed Gateway to configure QoS for a specific host or gateway in the Topology tab. When this option is selected you can define QoS (Quality of Service) and specify guaranteed bandwidth level and limits for gateways/hosts.

Enable the Web UI administration GUI within SmartDashboard by selecting Configure Edge Using Web Interface. Figure 2-1 New VPN-1 UTM Edge Gateway configured for Site-to-Site VPN-1

3. In the VPN-1 UTM Edge Gateway - Topology page (Figure 2-2), the topology is set automatically because it represents the hard coded device. The set topology includes the following three interfaces (two internal and one external): DMZ represents a logical second network behind the VPN-1 UTM Edge appliance. You must connect DMZ computers to the LAN ports. DMZ is a dedicated Ethernet port (RJ-45) used to connect a DMZ (Demilitarized Zone) computer or network. Alternatively, the DMZ can serve as a secondary WAN port. LAN represents the private network. LAN 1-4 Local Area Network switch: Four Ethernet ports (RJ-45) are used for connecting computers or other network devices.

36

Working with VPN-1 UTM Edge Objects for SmartCenter

WAN represents the external interface to the router. A WAN interface card, is a network interface card (NIC) that allows devices to connect to a wide area network. Wide Area Network (WAN): An Ethernet port (RJ-45) used for connecting your cable or xDSL modem, or for connecting a hub when setting up more than one Internet connection

Although these three interfaces automatically appear in the Topology window, they are not associated with an IP address and a Network Mask. If you deselect the Dynamic Address option in the General Properties window and add a static IP address, the WAN automatically receives the specified static IP address and its Network Mask is 255.255.255.255. The Type drop-down list in the General Properties window defines the hardware type and its associated topology. Currently all hardware types share the same topology. Every hardware type has one external interface and two internal interfaces. It is possible to add only one additional external interface. Once you have defined the general settings as well as the topology definitions of the VPN-1 UTM Edge Gateway a certificate is automatically created. Note - Pre-Shared Secrets work in conjunction with Static IP Addresses only.

For managed devices it is essential to specify the correct network. When managing multiple devices it is better to define the networks on the devices, so as to ensure that the networks do not overlap with one another. For externally managed devices the networks specified depend upon both the NAT settings on the other side as well as the agreed configuration.

Chapter 2

Installation and Configuration

37

Working with VPN-1 UTM Edge Objects for SmartCenter

Figure 2-2

Configure the topology settings

4. In the VPN-1 UTM Edge Gateway - VPN page, associate the VPN-1 UTM Edge Gateway with the VPN Community of your choice (if one already exists) (Figure 2-3). This page can only be set by closing and reopening the VPN-1 UTM Edge Gateway object. At this point a certificate is created for the VPN-1 UTM Edge Gateway. You can also add a VPN-1 Gateway to a selected VPN community by opening the VPN community directly from the VPN Manager view. To enable High Availability configure a backup gateway. Refer to Configuring High Availability section in the Check Point VPN-1 Edge Internet Security Appliance User Guide.

38

Working with VPN-1 UTM Edge Objects for SmartCenter

Figure 2-3

Configuring the VPN settings

Note - To perform a detailed configuration of the created VPN-1 UTM Edge Gateway launch
the gateway in a browser. To do this, right-click the specific VPN-1 UTM Edge Gateway and select Manage Devices...

5. In the VPN-1 UTM Edge Gateway - Content Filtering page (Figure 2-4), select Use UFP, Use CVP or both if you want to restrict access to Web content and/or automatically scan your email for the detection and elimination of all known viruses and vandals, in relation to the specific gateway. Select Use Anti Virus Integrated Protection to indicate that Anti Virus is installed and that updates will be sent to this specific gateway. For Anti Virus to work on VPN-1 UTM Edge it must be configured in the Edge Anti Virus section of the SmartDashboard > Content Inspection tab. The type of UFP Server and CVP Server used for content filtering is determined in Policy > Global Properties > VPN-1 UTM Edge Gateway window.

Chapter 2

Installation and Configuration

39

Working with VPN-1 UTM Edge Objects for SmartCenter

Figure 2-4

Configuring Content Filtering

6. In the VPN-1 UTM Edge Gateway - Advanced page (Figure 2-5), enter the following information: Product Key enables you to remotely update the current VPN-1 UTM Edge gateway license (18 hexadecimal characters in three groups separated by hyphens). MAC Address enables stronger validation of the VPN-1 UTM Edge gateway when communicating with the SmartCenter Server. Configuration Script enables you to enter a script for relevant commands and features. The written script will be downloaded automatically and executed to the VPN-1 UTM Edge device.

For more detailed information about configuration scripts, refer to the Command Line Interface Administration Guide.

40

Working with VPN-1 UTM Edge Objects for SmartCenter

Figure 2-5

Configuring Advanced Settings

Chapter 2

Installation and Configuration

41

Working with VPN-1 UTM Edge objects for SmartLSM

Working with VPN-1 UTM Edge objects for SmartLSM

The objects that are used in the SmartLSM management solution are partly created in SmartDashboard and partly, SmartLSM. VPN-1 UTM Edge ROBO Gateway object - represents the VPN-1 UTM Edge appliance. This object is created in SmartLSM. SmartLSM VPN-1 UTM Edge Profile - represents an object that is associated with the VPN-1 UTM Edge ROBO Gateway and provides it with a basic Security Policy and VPN definition. This object is created in SmartDashboard, A Dynamic Object used by the SmartLSM VPN-1 UTM Edge Profile in order to enforce the Security Policy. This object is created in SmartDashboard and is added to the SmartLSM VPN-1 UTM Edge Profile in SmartLSM.

The order of the creation of the VPN-1 UTM Edge objects is: 1. Create the SmartLSM VPN-1 UTM Edge ROBO gateway in SmartDashboard. See Working with VPN-1 UTM Edge Objects for SmartCenter on page 35. 2. Create a Dynamic Object in SmartDashboard. 3. Close SmartDashboard and open SmartLSM. 4. Create the VPN-1 UTM Edge ROBO Gateway that represents the VPN-1 UTM Edge appliance in SmartLSM, and associate it with a VPN-1 UTM Edge ROBO Profile. See Creating a VPN-1 UTM Edge ROBO Gateway on page 46. During this process you must assign the previously created profile to the VPN-1 UTM Edge ROBO Gateway that is being created.

In This Section
Creating a SmartLSM ROBO Profile Creating a VPN-1 UTM Edge ROBO Gateway page 43 page 46

42

Working with VPN-1 UTM Edge objects for SmartLSM

Creating a SmartLSM ROBO Profile

A security policy is defined for a VPN-1 UTM Edge appliance, represented by a VPN-1 UTM Edge ROBO Gateway by associating it to a profile.

Defining VPN-1 UTM Edge ROBO Profiles

1. In SmartDashboard, create a new SmartLSM Profile in the Network Objects tab of the Objects Tree. Figure 2-6 Creating a new SmartLSM Profile in SmartDashboard

2. In the General page, enter the name and an optional comment (Figure 2-7). Figure 2-7 Configure the SmartLSM Profile settings

Chapter 2

Installation and Configuration

43

Working with VPN-1 UTM Edge objects for SmartLSM

3. On the VPN page (Figure 2-8), enter the type of community that you would like to associate with the said profile and save the profile by closing it. Figure 2-8 Configure the SmartLSM Profile Settings for VPN

44

Working with VPN-1 UTM Edge objects for SmartLSM

4. On the Content Filtering tab (Figure 2-9), select the applicable protection types. VPN-1 UTM Edge supports two different types of content filtering and antivirus protection: Integrated Products - VStream Gateway Antivirus, which is integrated into the VPN-1 UTM Edge appliance and managed locally via the Content Filtering window. Third Party Products - Centralized content filtering based on a third party solution on a central server. The CVP and UFP centralized filtering protocol are available.

You can choose to enable integrated products, third party products or both types together. Refer to the online help for a detailed explanation of these options. Select Use Anti Virus Integrated Protection to indicate that Anti Virus is installed and that updates will be sent to a specific gateway. Use the Edge Anti Virus section of the SmartDashboard > Content Inspection tab to configure antivirus protection. Select Use UFP, Use CVP or both to restrict access to Web content and/or automatically scan your email for viruses. Use the Policy > Global Properties > VPN-1 UTM Edge Gateway window to enable and configure UFP and CVP Servers. Figure 2-9 Configuring Content Filtering

Chapter 2

Installation and Configuration

45

Working with VPN-1 UTM Edge objects for SmartLSM

5. In the Advanced page (Figure 2-10), enter the following information: Configuration Script enables you to enter a script for relevant commands and features. The written script will be downloaded automatically and executed to the VPN-1 UTM Edge device.

For more detailed information about configuration scripts, refer to the Command Line Interface Administration Guide. Figure 2-10 Configuring Advanced Settings

Creating a VPN-1 UTM Edge ROBO Gateway

A VPN-1 UTM Edge ROBO Gateway object is a network object that represents a VPN-1 UTM Edge Appliance that is created and managed in SmartLSM. This Gateway sits on the network and can be managed by the SmartCenter Server or by an external service center.

Defining VPN-1 UTM Edge ROBO Gateways

Before you can create the Edge ROBO Gateway make sure that you have exited SmartDashboard, if it is in Read/Write mode. To define VPN-1 UTM Edge ROBO Gateways refer to the Adding a VPN-1 UTM Edge ROBO Gateway and Managing VPN-1 UTM Edge Objects sections in the SmartLSM Administration Guide.

46

SmartDashboard Content Inspection Configuration

SmartDashboard Content Inspection Configuration

To configure Anti Virus to work on VPN-1 UTM Edge gateways, it must be configured in the Edge Anti Virus section of the Content Inspection tab. The Edge Anti Virus settings in the Content Inspection tab only work for Edge machines. For additional information refer to the Anti Virus Protection chapter in the Firewall and SmartDefense Administration Guide.

Creating a Security Policy for VPN-1 UTM Edge Appliance

1. Create your Security Policy rules. For more information on creating rules see the SmartCenter Administration Guide. When you are creating rules, be aware that the VPN-1 UTM Edge Gateway can be used in the Install On column even if there is a VPN Community specified in the VPN column. You may need a rule that allows designated services (such as, ftp, telnet and http) to be performed by the VPN community. In this rule, the VPN-1 Power gateway should be your target. For example: Table 2-1
Example: a rule allowing services for Site-to-Site and Remote Access communities respectively

Source Any

Destination Any

VPN Mesh-comm

Service ftp telnet http ftp telnet http

Action Accept

Install On VPN1_Pro_GW

All Users or VPN-1 Devices defined as Remote Access Table 2-2 Source Edge_Net

Any

RA_comm

Accept

VPN1_Pro_GW

Allowing connections from network to VPN-1 UTM Edge Gateway

Destination VPN_Edge_ Pro_GW

VPN Any

Service Any

Action Accep t

Install On Any

Chapter 2

Installation and Configuration

47

Security Policy Operations

2. Once the rules are complete install your Security Policy (Policy > Install Policy). The VPN-1 UTM Edge Gateway periodically fetches the Security Policy from the SmartCenter Server. When the policy installation is complete the SmartCenter Server will attempt to update the VPN-1 UTM Edge Gateway with the new security policy. In order for the changes to take place immediately you can force a Policy update from the VPN-1 UTM Edge Portal.

Security Policy Operations

In This Section
Installing and uninstalling the Security Policy Downloading a Security Policy Verifying that the Security Policy was downloaded page 48 page 49 page 49

Installing and uninstalling the Security Policy

When the Security Policy is installed or uninstalled, the Security Policy is automatically downloaded to or off-loaded from the SmartCenter Server. When the VPN-1 UTM Edge Gateways check the SmartCenter Server for updates, the activity (whether installation or uninstallation) is implemented. To install, select Policy > Install Policy. To uninstall, select Policy > Uninstall Policy.

48

Managing VPN-1 UTM Edge Devices with SmartCenter Server

Downloading a Security Policy

From the VPN-1 UTM Edge Portal 1. Login from the VPN-1 UTM Edge portal to http://my.firewall. 2. Click Services and Accounts and then click Refresh, Or, click Services and Software Updates and then click Update Now. 3. When the VPN-1 UTM Edge Gateway polls for updates, it downloads the latest Security Policy. From SmartLSM, select Actions > Push Policy. The SmartCenter Server pushes the Security Server to the VPN-1 UTM Edge ROBO Gateway.

Verifying that the Security Policy was downloaded

1. Login from the VPN-1 UTM Edge portal to http://my.firewall. 2. Click Reports and then click Event Log. 3. Verify that the following message appears: Installed updated Security Policy (downloaded). 4. Click Setup > Tools > Diagnostics. The VPN-1 UTM Edge object is displayed in the Policy field.

Managing VPN-1 UTM Edge Devices with SmartCenter Server

Before you can begin to work with the VPN-1 UTM Edge Appliance whether your appliance is managed in SmartDashboard, or in SmartLSM, you need to logon to the VPN-1 UTM Edge portal and define the SmartCenter server as the active service center. Once successfully completed, this step allows the SmartCenter Server to perform a number of management operations for the VPN-1 UTM Edge Appliance such as VPN-1 relations, updating the Security Policy and upgrading to later versions of firmware. Proceed as follows: 1. Browse to http://my.firewall. 2. Enter your user name and password. 3. In the Services screen, connect to the SmartCenter Server by clicking on Connect. A wizard is displayed in which you are required to configure the settings of the SmartCenter Server.

Chapter 2

Installation and Configuration

49

Managing VPN-1 UTM Edge Devices with SmartCenter Server

Figure 2-11 Login to the SmartCenter Server in the VPN-1 UTM Edge Portal

During the SmartCenter Server setup, you are required to enter details about the VPN-1 UTM Edge Gateway object that you created. Note that the Gateway ID refers to the name of the said gateway and the Password refers to the Registration Key specified during the creation of the VPN-1 UTM Edge Gateway object. Figure 2-12 Configuring the Gateway object.

50

Remote Login to the SmartCenter Server

Once this setup is successfully completed, the VPN-1 UTM Edge appliance and the SmartCenter Server can communication securely. For more information about this procedure, see the relevant vendor information. Note - If your device is not installed locally, you will need to logon securely to the VPN-1 UTM Edge Portal using HTTPS (https://<current IP Address>:981). For more information see the relevant vendor information.

Remote Login to the SmartCenter Server

If your device is not installed locally, you will need to logon securely to the VPN-1 UTM Edge Portal using HTTPS (https://<current IP Address>:981). For more information see the relevant vendor information

Chapter 2

Installation and Configuration

51

Configuring VPN in SmartCenter

Configuring VPN in SmartCenter

VPN-1 UTM Edge Gateway can be added to Site-to-Site communities, as well as to Remote Access communities. The VPN-1 UTM Edge Appliance can also be configured to act as a Remote Access client. For more information, see the appropriate CheckPoint product suite Getting Started Guide. In particular the chapters dealing with: Building VPN Between Gateways PKI

In This Section
Gateway in Site-to-Site VPN Configuration Gateway in a Remote Access Client Configuration Management by an External Service Center page 52 page 55 page 57

Gateway in Site-to-Site VPN Configuration

For VPN to be established the following must take place: 1. The VPN-1 UTM Edge Gateway must be defined and configured for Site-to-Site and a certificate created (if the VPN Community members are to use a certificate to authenticate). On the General page (see Figure 2-1): On the VPN-1 UTM Edge Gateway check VPN Enabled and select Site to Site in order to allow the VPN-1 UTM Edge Gateway to participate like any regular VPN-1 Gateway in a star or meshed community. This means that any gateway can initiate a VPN tunnel to the VPN-1 UTM Edge Gateway and the VPN-1 UTM Edge Gateway can initiate a VPN tunnel to any other gateway. In terms of IP addresses: If the VPN-1 UTM Edge Gateway has a static IP Address, you can use a certificate or an IKE pre-shared secret to establish a VPN tunnel. In this case the password you enter is used for the IKE pre-shared secret. If the VPN-1 UTM Edge Gateway has dynamic IP Address, (select Dynamic Address) only a certificate can be used in order to establish a VPN tunnel. In this case, make sure that you have selected Manually defined in the VPN-1 UTM Edge Gateway - Topology page (see Figure 2-2).

52

Configuring VPN in SmartCenter

Make sure that the type that you select corresponds to the actual appliance that you have in your possession. Add a Password that will be used later on the VPN-1 UTM Edge Portal and for the pre-shared secret (if you have a static IP Address).

On the Topology page (see Figure 2-2): All IP Addresses behind Gateway based on Topology information is used for NAT implementation. Manually Defined is used if the VPN-1 UTM Edge Gateway is configured for dynamic IP Address or if NAT is not being implemented.

On the VPN page (see Figure 2-3) generate the certificate and close the VPN-1 UTM Edge Gateway. 2. If you do not already have one, create a Star or Meshed community in the VPN Manager. For more about these communities and how to configure them, see the appropriate CheckPoint product suite Getting Started Guide.

To create a Site-to-Site community: Figure 2-13 Create a new Site-to-Site Community

In a Star Community In the Central Gateways page click Add and select the desired VPN-1 UTM Edge Gateway. Click OK.

Note - If you are creating a Star community, it is not recommended to include the VPN-1 UTM Edge Gateway as a Central Gateway. In the Satellite Gateways page, click Add and select the desired VPN-1 UTM Edge Gateway. Click OK.

Chapter 2

Installation and Configuration

53

Configuring VPN in SmartCenter

Figure 2-14 Add VPN-1 UTM Edge Gateway as Satellite Gateway

In a Meshed Community In the Participating Gateways page, click Add and select the desired VPN-1 UTM Edge Gateway. Click OK.

In Star and Meshed Communities In the VPN Properties page, specify the properties for the phases of IKE negotiation. In the Shared Secret page, specify whether the VPN community member should be authenticated using a pre-shared secret or a certificate. If you would like to use a secret, make sure to select Use only Shared Secret for all External members. The secret used is the password defined when the VPN-1 UTM Edge Gateway object was created. If you would like to use certificates as a means of authentication, make sure that Use only Shared Secret for all External members is unchecked.

3. In the Rule Base, create the rules of your Security Policy. See Creating a Security Policy for VPN-1 UTM Edge Appliance on page 47.

54

Configuring VPN in SmartCenter

4. Install the rule base on the Central Gateways (for a Star community). 5. In the VPN-1 UTM Edge Portal define the SmartCenter server as the active service center, see Managing VPN-1 UTM Edge Devices with SmartCenter Server on page 49. In the VPN window of the VPN-1 UTM Edge Portal, the Site-to-Site configuration is automatically loaded, including its topology and enterprise profile.

Gateway in a Remote Access Client Configuration

In order for the VPN-1 UTM Edge Gateway to function as a Remote Access Client, the gateway must be configured to participate in the Remote Access community. When the VPN-1 UTM Edge Gateway object is defined in the Check Point database, an additional User Group called All VPN-1 UTM Edge Gateway Appliances is created. This User Group is used in the definition of the Remote Access community. Note - The User Group All VPN-1 UTM Edge Gateway Appliances is not a regular User Group and as such it doesnt appear in the Users and Administrators tab of the Objects Tree. For more information about Remote Access Clients, see the appropriate CheckPoint product suite Getting Started Guide. Adding the VPN-1 UTM Edge Gateway to a Remote Access Community There are two basic ways to add the VPN-1 UTM Edge Gateway to a community: In the VPN-1 UTM Edge Gateway - VPN page. click on Add. Select the community to which you would like to associate the selected gateway. In the VPN Manager view, select the Remote Access community to which you would like to add the VPN-1 UTM Edge Gateway. Add the VPN-1 UTM Edge Gateway in the Participant User Group page by clicking on Add and selecting the default User Group called VPN-1 Devices defined as Remote Access to which the VPN-1 UTM Edge Gateway is associated.

When VPN-1 UTM Edge Gateways are configured to work in client mode, it is important that the SmartCenter Server be deployed outside of the VPN domain of the Remote Access Client. If you are working with Remote Access Automatic login mode, the SmartCenter Server may be within the VPN domain, however, in this case, you must create the VPN domain in the VPN-1 UTM Edge Gateway before connecting the VPN-1 UTM Edge Gateway to the SmartCenter Server. For VPN to be established the following must take place:

Chapter 2

Installation and Configuration

55

Configuring VPN in SmartCenter

1. Create a VPN-1 UTM Edge Gateway object. Make sure that you select VPN enabled and Remote Access on the General page. Remote Access means that the selected VPN Edge Gateway can act as a Remote Access client to the corporate gateway, no other gateways will be able to initiate a VPN tunnel to this VPN Edge Gateway. This VPN-1 UTM Edge Gateway can be enforced as part of a User Group in a Remote Access VPN community. If the VPN-1 UTM Edge Gateway has a static IP Address, use an IKE pre-shared secret to establish a VPN tunnel. In this case you will need to enter the password created on the VPN-1 UTM Edge Gateway object. 2. Create a RemoteAccess community in the VPN Manager that includes the VPN-1 UTM Edge Gateway object. For more about these communities and how to configure them, see the appropriate CheckPoint product suite Getting Started Guide. In the Participating Gateways page click Add and select the Central Gateway. Click OK.

In the Participant User Groups page, click Add and select VPN-1 Devices defined as Remote Access. Click OK. Figure 2-15 Add User Group

56

Configuring VPN in SmartCenter

Click OK to exit the Remote Access community window.

3. In the Rule Base, define a rule for the Remote Access community and install it on the Gateway. See Creating a Security Policy for VPN-1 UTM Edge Appliance on page 47. Install the Security Policy on the desired gateways. 4. In the VPN-1 UTM Edge Portal define the SmartCenter server as the active service center, see Managing VPN-1 UTM Edge Devices with SmartCenter Server on page 49. In the VPN window of the VPN-1 UTM Edge Portal, the Remote Access configuration is automatically loaded. Create a new Site to represent the VPN-1 Power Gateway on the VPN-1 UTM Edge appliance. On the VPN screen, click on New Site, run the wizard and perform the following steps: Add the IP Address of the regular VPN-1 Power Gateway. Check Download Configuration. Enter the name of the Site. Under VPN Login, select Automatic Login and refer to the vendor documentation for more information.

5. In SmartDashboard, install the Security Policy.

Management by an External Service Center

You can configure a VPN-1 UTM Edge appliance to be managed by an external Service Center. This means that it is not managed by the local SmartCenter or MDS server. This scenario is typical for extranet or connection to partner sites, and requires configuration in two locations. This procedure is also applicable to locally managed gateways. 1. On the VPN-1 UTM Edge Gateway object: On the General page, check Externally Managed Gateway. The setting defined in the Topology page, depends on the agreed configuration.

2. Modify the VPN Community to which you are adding the VPN-1 UTM Edge. Make sure that you check Use only Shared Secret for all External Members on the Advanced Settings > Shared Secret page.

Chapter 2

Installation and Configuration

57

Configuring VPN in SmartCenter

3. Modify the Security Policy, make sure that rule installed on the profile is disabled. Install the Security Policy. On the VPN-1 UTM Edge Portal on the VPN screen. Click on New Site and run the wizard and do the following steps: Add the IP Address of the regular VPN-1 Power Gateway Check Download Configuration. Configure the routing destination and subnet mask of the external service center Under Authentication, select Use shared secret. Click on Connect in order to connect to the VPN-1 Power Gateway.

Configuring VPN-1 in SmartLSM

VPN-1 UTM Edge ROBO Gateways can participate in meshed Site-to-Site communities. In SmartLSM, VPN is supported using IKE authentication with Check Point internal certificates: 1. In the VPN-1 UTM Edge Portal, verify that a certificate has been installed on the VPN-1 UTM Edge Device before establishing the VPN tunnel. 2. In SmartLSM: Add a dynamic object to the VPN-1 UTM Edge ROBO Gateway. In order to implement VPN on VPN-1 UTM Edge ROBO Gateways, dynamic objects need to be added to the VPN domain of these objects. Make sure you check Add to VPN domain. Update the Corporate Office (CO) Gateway.

3. In SmartDashboard, create a VPN Star community that includes the VPN-1 UTM Edge ROBO Gateway and the CO Gateway as follows: In the Central Gateway page, click Add. Select the CO gateway from the displayed list and click OK. In the Satellite Gateways page, click Add. Select the SmartLSM VPN-1 UTM Edge profile from the displayed list and click OK. In the VPN Properties page, specify the IKE phase properties. In the Shared Secret page, uncheck the Use only Shared secret for all External Members. Make sure that shared secret is only used for external members and set the properties for the IKE negotiations.

58

Viewing Logs in the SmartView Tracker

A topology file and a certificate are downloaded to the VPN-1 UTM Edge ROBO Gateway. This topology file lists the members of the VPN community and specifies the encryption information. 4. On the VPN-1 UTM Edge Portal, on the VPN screen specify the configuration type (whether Site-to-Site or Remote Access and check Download Configuration.

Viewing Logs in the SmartView Tracker

For auditing logs, open the Audit view in the SmartView Tracker. For your convenience add the Origin column to the Audit view (View > Query options > Query Properties, select Origin) and select the VPN-1 UTM Edge appliance that you would like to track. This enables you to figure out from which VPN-1 UTM Edge appliance the log was generated. For security purposes, security logs are displayed in the Log view of the SmartView Tracker. Double-click the log in order to see more information. Figure 2-16 Viewing Security logs

Chapter 2

Installation and Configuration

59

Downloading the Latest Firmware from SmartUpdate

Downloading the Latest Firmware from SmartUpdate

You can use SmartUpdate to get automatic updates of the latest firmware version. To download the latest firmware: 1. In the Product Repository pane, right-click a VPN-1 UTM Edge Gateway and select Add from Download Center. 2. In the displayed window, select the firmware that you would like to download and click Download. 3. In the Product Repository, right-click a VPN-1 UTM Edge Gateway and select Install Product. 4. Select the firmware and click OK. The firmware is downloaded and sent to the SmartCenter Server who is responsible for downloading it to the VPN-1 UTM Edge Gateways when the latter are ready to receive it.

60

THIRD PARTY TRADEMARKS AND COPYRIGHTS

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrusts logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust. Verisign is a trademark of Verisign Inc. The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided as is without express or implied warranty. Copyright Sax Software (terminal emulation only). The following statements refer to those portions of the software copyrighted by Carnegie Mellon University. Copyright 1997 by Carnegie Mellon University. All Rights Reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. The following statements refer to those portions of the software copyrighted by The Open Group. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright 1998 The Open Group.

61

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 The curl license COPYRIGHT AND PERMISSION NOTICE Copyright (c) 1996 - 2004, Daniel Stenberg, <[email protected]>.All rights reserved. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

62

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder. The PHP License, version 3.0 Copyright (c) 1999 - 2004 The PHP Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected]. 4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo" 5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP, freely available from <http://www.php.net/>". THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected]. For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>. This product includes software written by Tim Hudson ([email protected]). THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

63

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved. Confidential Copyright Notice Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distrib-uted, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not lim-ited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this doc-ument for personal, non-commercial use only, provided you do not modify the materials and that you retain all copy-right and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or condi-tions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed. Trademark Notice The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600. U.S. Government Restricted Rights The material in document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Soft-ware Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commer-cial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987). Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations. Disclaimer Warranty Disclaimer Warranty Disclaimer Warranty Disclaimer Warranty THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESEN-TATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT. Limitation of Liability

64

UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU. Copyright ComponentOne, LLC 1991-2002. All Rights Reserved. BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")) Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release PCRE LICENCE PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself. Written by: Philip Hazel <[email protected]> University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714. Copyright (c) 1997-2004 University of Cambridge All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Eventia Reporter includes software whose copyright is owned by, or licensed from, MySQL AB.

65

66

Index
A
Access Control 26, 32, 33 active service center 55 Anti-spoofing 23 Appliance Before You Begin 31 installing 30 managed by External Service Center 26 supported 22 VPN, Site-to-Site, Remote Access 25 W-series 22 X-series 22 Audit view 59 authentication 35 authentication capabilities 23

E
Enable SmartLSM run LSMenabler 33 encryption 35 Ethernet port 36 external interface 37 External Service Center 57 Extranet scenarios 26

internal interface 37 Introduction 16

L
LAN 36 LAN ports 36 large-scale VPN deployments 18 license string 40 Licensing 32, 33

F
firmware 27, 60 ftp 47

M
MAC address 40 Managed Service Providers 20 management operations 49 Management Settings 35 Management Solutions 30 SmartCenter, Provider1,SmartLSM 18 Managing VPN-1 UTM Edge Devices 49 MDS server 57 Meshed Community 52, 53 meshed Site-to-Site communities 58 multi-ISPs 22

G C
centralized management tool 27 Check Point internal certificates 58 Check Point management solutions 22 Check Points Stateful Inspection 26 client mode 55 Configuration Script 40, 46 connectivity 17 content filtering 39 Corporate Office (CO) Gateway 58 CVP Server 39, 45 Global VPN Communities 20

H
hardware type 37 High Availability 38 high performance 22 http 47 //my.firewall connecting to 24

N I
IKE authentication 58 IKE negotiation 54 IKE phase properties 58 IKE pre-shared secret 52, 56 initial administrator permissions 31 NAT implementation 53 NAT settings 37 Network Objects 35, 43 NIC 37

D
DMZ 36 dynamic IP Address 52, 53 Dynamic Object 33, 42, 58

February 2007

67

O
Objects Tree 35

P
PKI 52 PN-1 Edge appliance 42 profile 44 Protocol SWTP_Gateway 24 SWTP_SMS 24 Provider-1 16, 20 Provider-1 CMA 20

R
Remote Access 25 default User group 25 Remote Access Client 23, 52, 55, 56 Remote Access Community 25, 47, 52, 55, 57 Remote Access VPN configure 55 Remote Access VPN community 56 remote client 25 Remote Login 51 ROBO 19 Rule Base 26, 54, 57

S
secure connectivity 16 Security 17, 18 Security Policy 17, 23, 26, 32, 33, 48, 49, 57, 58 actions 26 define 47 download 49 install & uninstall 48 verify download 49 security policy 43 Security Policy rules 47

Service Center 57 SIC 24 Site-to-Site 25, 47 Site-to-Site configuration 33, 55 Site-to-Site VPN 25 configure 52 Smart LSM VPN-1 UTM Edge Profiles 33 SMART management 18 SmartCenter 16, 18 SmartCenter management 24 SmartCenter Power 33 SmartCenter Server 46 connecting to 24 SmartCenter server 51 SmartCenter Server setup 50 SmartCenter UTM 25 SmartConsole clients 23 SmartLSM 16, 18, 19, 27, 33, 46, 58 SmartLSM management solution 42 SmartLSM VPN-1 UTM Edge Profile 42, 58 SmartLSM VPN-1 UTM Edge ROBO Profile create 43 SmartUpdate 27, 60 download firmware 60 upgrading firmware 27 SmartView Monitor 27 SmartView Status monitoring the status 27 SmartView Tracker 26, 59 creating logs 26 view logs 59 Star Community 33, 52, 53 Stateful Inspection 23 static IP Address 52, 56 subnet mask 58

U
UFP Server 39, 45

V
VPN configure 52 VPN community 23, 30, 35, 38, 47 VPN configuration in SmartLSM 58 VPN Manager 53, 56 VPN relations 32, 33 VPN settings 35 VPN solutions 16, 18 VPN Star community 58 VPN tunnel 52 VPN-1 gateway 27 VPN-1 Power 17, 27 VPN-1 Power gateway 22 VPN-1 UTM Edge 16, 32, 35 VPN-1 UTM Edge Appliance 35, 46, 49 VPN-1 UTM Edge appliance 24, 26, 31, 51 VPN-1 UTM Edge appliances 27 VPN-1 UTM Edge device 40, 46 VPN-1 UTM Edge Gateway 18, 26, 38, 40, 47, 52, 60 create 35 VPN-1 UTM Edge Gateway object 35, 50 VPN-1 UTM Edge Gateways 25 VPN-1 UTM Edge logs 26 VPN-1 UTM Edge object 32 VPN-1 UTM Edge Portal 24, 32, 33, 49, 53, 55 VPN-1 UTM Edge Profile 24, 35 VPN-1 UTM Edge ROBO 19 VPN-1 UTM Edge ROBO Gateway 33, 42, 46, 58 create 46 VPN-1 UTM module 17 VPN-1/FireWall-1 technology 22

T
telnet 47 topology 37

68

W
WAN 37 WAN interface card 37 WAN port 36 Web content 39, 45 Web GUI 31 Workflow SmartCenter management 32 SmartLSM Management 33 using the appliance 24

X
xDSL modem 37

69

70