Security Management Portal Installation Guide

Version 8.1
Part No.: 701425
© 2012 Check Point
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation.
No part of this product or related documentation may be reproduced in any form or by any
means without prior written authorization of Check Point. While every precaution has been
taken in the preparation of this book, Check Point assumes no responsibility for errors or
omissions. This publication and features described herein are subject to change without
notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at
DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our
trademarks.
Refer to the Third Party copyright notices
(http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights
and third-party licenses.
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the
latest functional improvements, stability fixes, security enhancements and protection
against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=12827
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
Revision History
Date            Description
18 April 2012   Rebranded to Check Point
April 2010      First release of this document
Contents
Introduction
About This Guide
Intended Audience
Document Conventions
Related Publications
Contacting Technical Support
SMP Architecture
Security Management Server (SMS)
Security Management Center (SMC)
Self Provisioning Portal (SPP)
SMP Virtual Portals
Event Logging Module (ELM)
URL Filtering Module (UFM)
Content Vectoring Module (CVM)
VStream Antivirus Signature Updates Service
VStream Antispam Service
Load Balancing Module (LBM)
Dynamic VPN Service (DVPN)
Dynamic DNS Service (DDNS)
Check Point Reporting Module
Vulnerability Scanning Service (VSS)
Installation Schemes
Basic Installation
SMS High Availability Installation
SMS High Availability with Load Balancing Installation
Multiple Portals Installation
Preparing for SMP Installation
System Requirements
Tips for Capacity Planning
Installing a Directory Service
Freeing Ports
Installation
Installing SMP
Uninstalling SMP
Upgrading the SMP
Backing Up the SMP Installation
Restoring the SMP Installation
Editing the SMC Configuration File
Editing the SMS INI File
Configuring the SMS to Ignore Disabled Gateways
Troubleshooting
Protecting the SMP behind a Firewall
Replicating Databases
Configuring the Security Content Filtering Server
Configuring SCS General Settings
Configuring ClamAV Settings
Configuring SpamAssassin Settings
Glossary of Terms
Index
Chapter 1
Introduction
The Check Point Security Management Portal (SMP) is a security platform that enables
centralized management of a large number of firewalls embedded in broadband access
devices or gateways. SMP management can be seamlessly integrated with customer and
billing systems, Check Point management infrastructure, and OPSEC-compliant
third-party applications.
This chapter includes the following topics:
• About This Guide
• Intended Audience
• Document Conventions
• Related Publications
• Contacting Technical Support
About This Guide
This guide contains all the information necessary to install all SMP components, as well as
the sample third-party CVP and UFP programs included on the Check Point CD.
Intended Audience
This guide is written for the system administrator in charge of installing the SMP. This
person should be familiar with the following:
• Either Microsoft Active Directory or SunONE Directory Server 5.1
• Check Point Enterprise Management Console or Check Point SmartDashboard
• SMP architecture. See SMP Architecture on page 3.
Document Conventions
To make finding information in this manual easier, some types of information are marked
with special symbols or formatting.
Boldface type is used for command and button names.
Italics are used when specifying which SMP administrator levels can perform a task.
Note: Notes are denoted by indented text and preceded by the Note icon.
Warning: Warnings are denoted by indented text and preceded by the Warning icon.
Related Publications
This guide should be used in conjunction with the following guides:
• Check Point Security Management Portal Administrator Guide
  This guide explains how to use the Security Management Center (SMC), a Web-based
  application for managing, configuring, and monitoring all SMP user and system
  settings.
• Check Point Security Management Portal Programmer Guide
  This guide explains how to use the SMP API and SMP message templates.
Contacting Technical Support
For support and additional documentation, see www.checkpoint.com/support
(http://supportcenter.checkpoint.com).
When you contact us, please state which version of SMP you are currently using.
Chapter 2
SMP Architecture
Check Point's technology is based on a distributed architecture, where each user is
protected by an enforcement module embedded in a gateway. You can centrally manage an
essentially unlimited number of enforcement modules from a Network Operating Center
(NOC), using a scalable, fault-tolerant and secure array of Security Management Servers
(SMS), and large-scale management tools such as the Security Management Center
(SMC).
This chapter includes the following topics:
• Security Management Server (SMS)
• Security Management Center (SMC)
• Self Provisioning Portal (SPP)
• SMP Virtual Portals
• Event Logging Module (ELM)
• URL Filtering Module (UFM)
• Content Vectoring Module (CVM)
• VStream Antivirus Signature Updates Service
• VStream Antispam Service
• Load Balancing Module (LBM)
• Dynamic VPN Service (DVPN)
• Dynamic DNS Service (DDNS)
• Check Point Reporting Module
• Vulnerability Scanning Service (VSS)
Security Management Server (SMS)
Check Point Security Management Servers (SMS) obtain gateway-specific information
from the SMP's LDAP directory server, and provide each gateway with a security policy, a
user interface, configuration updates, and the following added-value services:
• Event logging, using the Event Logging Module (ELM) on page 5
• Family filters, using the URL Filtering Module (UFM) on page 6
• Content vectoring, using the Content Vectoring Module (CVM) on page 8
• Dynamic virtual private networking, using the Dynamic VPN service (DVPN)
  on page 12
• Dynamic domain name service, using the Dynamic DNS service (DDNS) on
  page 14
• Check Point reporting, see Check Point Reporting Module on page 16
• VStream Antivirus signature updates service, see VStream Antivirus Signature
  Updates Service on page 11
• Vulnerability Scanning service, see Vulnerability Scanning Service (VSS) on
  page 17
SMSs are organized in server groups. The SMSs in a group can perform load balancing
within the group, using the Load Balancing Module (LBM). For information on LBM, see
Load Balancing Module (LBM) on page 12.
SMSs can also perform failovers, so that if a server has failed for some reason, gateways
will automatically switch to a functional one.
Security Management Center (SMC)
The Check Point Security Management Center (SMC) is a Web-based application for
controlling the various SMP components and for managing, configuring, and monitoring
all SMP user and system settings. SMP administrators can connect to the SMC using Web
browsers and perform administrative tasks such as setting customer details, gateway
configuration, user firmware updates, and so on.
When multiple SMP installations exist, each SMC can be configured as “active” or
“standby”. If an SMC is in active mode, then administrators can log in to that SMC, and
background tasks (such as report generation and sending) are enabled for it. If an SMC is
in standby mode, then administrators cannot log in to it, and background tasks are disabled.
The SMC is hosted on an Apache Tomcat 5.5 application server.
Self Provisioning Portal (SPP)
The SMP includes an optional component called the Self Provisioning Portal (SPP). The
SPP is a Web site that allows customers to perform selected tasks, including:
• Viewing and/or configuring specific gateway settings
• Viewing and/or configuring specific user account details
• Viewing logs related to their gateways and user account
• Viewing reports for their gateways
For information on performing these tasks in the SPP, see the Check Point Self
Provisioning Portal User Guide.
SMP administrators can choose whether to enable the SPP for a portal, and control which
settings should be available for viewing and/or modifying in the SPP. For information, see
the SMP Administrator Guide, Configuring the SPP.
If desired, you can use the SMP API (Application Programming Interface) to develop your
own SPP, customized for your business processes and needs. For information on using the
SMP API, refer to the Check Point Security Management Portal Programmer Guide.
SMP Virtual Portals
An SMP virtual portal is a segment of the SMP that is used to manage a specific subset of
gateways and users in the SMP. Each such portal acts as a standalone “virtual SMP”.
Portal management is performed in the SMC. Users with sufficient permissions on a
specific portal can log in to that portal via the SMC and view or manage that portal's
settings only. In contrast, system administrators can view, add, remove, and manage all
portals in the system.
While each portal has separate settings and is used to manage different objects, all portals
share certain global settings, such as firmware images, HTTP proxy settings, and SMSs.
Only system administrators can view and manage these settings in the SMC.
Event Logging Module (ELM)
SMP has several built-in logging mechanisms. The Event Logging Module (ELM) is a
remote logging mechanism that enables the SMS to collect log information and security
reports from gateways. The security reports include attempted attacks, configuration
changes, and system errors.
The SMS sends the collected information to the log destinations specified in its logging
policy: a Syslog server, Check Point's ELA server, the Windows Event Log, or the SMC.
For information on configuring SMC logging, see the SMP Administrator Guide,
Monitoring the SMP.
You can configure a logging policy for each server group. For information on configuring
a logging policy for a new server group, see the SMP Administrator Guide, Managing
Servers and Server Groups. For information on configuring a logging policy for an existing
server group, see the SMP Administrator Guide, Managing Servers and Server Groups.
The SMP provides a reporting module that enables you to generate reports based on SMP
logs. For information on using the reporting module, see Check Point Reporting Module
on page 16.
OPSEC ELA
OPSEC ELA is an event logging protocol that allows logging to a Check Point
management server, where the logs can be saved and later viewed by the Check Point log
viewer, or exported to other applications using OPSEC LEA (Log Export API). For further
information, see http://www.checkpoint.com/opsec/architect.htm.
OPEN PLATFORM FOR SECURITY (OPSEC)
An open, industry-wide alliance driven by Check Point that ensures interoperability
between security products. Interoperability is achieved through a combination of published
APIs, industry-standard protocols, and a high-level scripting language.
OPSEC encourages partnerships in the areas of infrastructure (network products and
services), framework (security products), and passport (application developers).
Today, the OPSEC platform boasts the broadest operating system and network
infrastructure support; over 350 partners have adopted its security integration interface.
URL Filtering Module (UFM)
The Check Point URL Filtering Module (UFM) enables Embedded NGX gateway users to
protect their families or businesses from accessing objectionable Web sites.
The URL filtering mechanism operates as follows:
1. For each HTTP request, the gateway extracts the requested URL.
2. If rule-based URL filtering is configured:
   a) The gateway sends a filtering request to the SMS.
   b) The SMS sends a response to the gateway, indicating whether the URL
      should be blocked.
   c) If access to the site is denied, continue at step 4.
3. If a UFP server is configured (either in addition to rule-based filtering, or
   alone):
   a) The gateway sends a categorization request for the URL to the SMS.
   b) The SMS obtains the categories from the OPSEC UFP-compliant URL
      filtering server.
   c) The SMS sends the category back to the gateway.
   d) The gateway determines whether access to this site should be denied or
      permitted, based on the user's configured preferences.
4. If access to the site is denied, the gateway generates its own HTTP response,
   which informs the user that access has been denied and allows them to enter a
   password in order to override the URL filtering mode.
The gateway maintains a cache with a list of recently checked URLs, so that filtering need
not be performed for previously requested URLs.
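The decision order in steps 1 to 4 and the gateway cache, modeled in Python as an added example (not Check Point code and not part of the original guide). The class, the callback names, the sample URLs and the LRU cache size are assumptions made for illustration; the two callbacks stand in for the gateway's requests to the SMS.

```python
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Callable, Optional, Set


@dataclass
class GatewayUrlFilter:
    """Hypothetical model of the gateway side of the UFM flow."""
    blocked_categories: Set[str]                            # user's configured preferences
    rule_blocks: Optional[Callable[[str], bool]] = None     # step 2: rule-based filtering via SMS
    categorize: Optional[Callable[[str], Set[str]]] = None  # step 3: UFP categories via SMS
    cache_size: int = 128                                   # assumed; the guide gives no size
    sms_requests: int = 0                                   # round trips to the SMS
    _cache: "OrderedDict[str, str]" = field(default_factory=OrderedDict)

    def _decide(self, url: str) -> str:
        # Step 2: rule-based filtering, if configured.
        if self.rule_blocks is not None:
            self.sms_requests += 1
            if self.rule_blocks(url):
                # Step 2c: denied, so go straight to step 4 and skip the UFP lookup.
                return "deny"
        # Step 3: UFP categorization, in addition to rules or alone.
        if self.categorize is not None:
            self.sms_requests += 1
            # Step 3d: the gateway, not the SMS, compares categories to preferences.
            if self.categorize(url) & self.blocked_categories:
                return "deny"
        return "permit"

    def check(self, url: str) -> str:
        """Return 'deny' (step 4: serve the block page) or 'permit'."""
        if url in self._cache:
            # Recently checked URL: no filtering request is sent.
            self._cache.move_to_end(url)
            return self._cache[url]
        verdict = self._decide(url)
        self._cache[url] = verdict
        if len(self._cache) > self.cache_size:
            self._cache.popitem(last=False)  # evict the least recently used entry
        return verdict


# Constructed sample data standing in for SMS rules and UFP server categories.
RULE_BLOCKLIST = {"http://blocked.example/"}
UFP_CATEGORIES = {
    "http://games.example/": {"games"},
    "http://news.example/": {"news"},
}


def demo():
    """Run four requests and report (url, verdict, SMS requests used)."""
    gw = GatewayUrlFilter(
        blocked_categories={"games"},
        rule_blocks=lambda u: u in RULE_BLOCKLIST,
        categorize=lambda u: UFP_CATEGORIES.get(u, set()),
    )
    results = []
    for url in ["http://blocked.example/", "http://games.example/",
                "http://news.example/", "http://games.example/"]:
        before = gw.sms_requests
        results.append((url, gw.check(url), gw.sms_requests - before))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```
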
The UFM module works with any OPSEC UFM-compliant URL server. The Security
Content Filtering Server (SCS) represents a full URL filtering solution based on the Secure
Computing SmartFilter system. This optional component is included on the Check Point
CD.
OPSEC UFP
OPSEC UFP (URL Filtering Protocol) is an OPSEC API that enables integration of
third-party applications to categorize, and control access to, specific URL addresses. The
UFP API has been adopted by a wide variety of content security vendors. Each customer
can select from a list of categories that they want blocked.
Figure 1: UFM Architecture
Content Vectoring Module (CVM)
The Content Vectoring Module (CVM) allows you to build "transparent proxies" that
automatically divert selected traffic through a content filtering server, without requiring
any configuration on the client side.
CVM can be used to implement a transparent email antivirus and/or antispam mechanism.
The solution is completely transparent to the customer. The customer does not need to
change the configuration of their email client or install any software on their PC.
The mechanism operates as follows:
1. The gateway encounters a POP3 email connection.
2. The gateway transparently diverts the connection to an OPSEC
   CVP-compliant antivirus server.
3. The CVP server checks the mail for malicious content and/or spam.
4. If a virus is detected, it is removed and replaced with a warning message.
5. If spam is detected, the email's Subject line is modified to indicate that it is
   suspected spam.
   The user can create rules to divert such messages to a special folder.
The CVM module works with any OPSEC CVP-compliant antivirus server. Antispam
functionality is currently supported only by the Check Point Security Content Filtering
Server.
The Security Content Filtering Server (SCS) represents a full antivirus solution based on
the free, open-source ClamAV antivirus system, and a complete antispam solution based
on the free Apache SpamAssassin. This optional component is included on the Check
Point CD.
OPSEC CVP
OPSEC CVP (Content Vectoring Protocol) is an OPSEC API that enables integration of
third-party content security applications, such as antivirus software, with Check Point
security products. The CVP API has been adopted by a wide variety of security vendors.
Figure 2: CVM Architecture
VStream Antivirus Signature Updates Service
VStream Antivirus is an embedded stream-based antivirus engine based on Check Point
Stateful Inspection and Application Intelligence technologies, that performs virus scanning
at the kernel level.
SMP allows centrally managing VStream Antivirus settings for each gateway, as well as
providing automated virus signature updates. SMP automatically fetches signatures from
the Check Point online update center and efficiently delivers them to gateways subscribed
to the VStream signature updates service, ensuring that the gateways' security is always
up-to-date, and the networks are always protected.
VStream Antivirus differs from the Content Vectoring (CVM) subscription service in the
following ways:
• CVM is centralized, redirecting traffic through the Service Center for scanning,
  while VStream Antivirus scans for viruses in the Embedded NGX gateway
  itself.
• CVM is specific to email, scanning incoming POP3 and outgoing SMTP
  connections only, while VStream Antivirus supports additional protocols,
  including incoming SMTP and outgoing POP3 connections.
You can choose to implement CVM, VStream Antivirus, or both.
VStream Antispam Service
VStream Antispam is an embedded antispam engine that allows the user to define exactly
which emails should be scanned for spam, as well as which antispam checks should be
performed. SMP allows centrally managing VStream Antispam settings for each gateway.
VStream Antispam differs from the Content Vectoring (CVM) subscription service in that
CVM is centralized, redirecting traffic through the Service Center for scanning, while
VStream Antispam scans for spam in the Embedded NGX gateway itself.
You can choose to implement CVM, VStream Antispam, or both.
Load Balancing Module (LBM)
When enabled, the Load Balancing Module (LBM) causes all SMSs in a server group to
constantly synchronize load information. If one SMS becomes overloaded, that server
redirects part of its clients to a less loaded server in the group.
If a gateway detects that an SMS is not responding, it automatically switches to a
functional or less loaded server.
For information on defining server groups and on setting the load-balancing configuration
of a specific SMS, see the SMP Administrator Guide, Managing Servers and Server
Groups.
Dynamic VPN Service (DVPN)
The Dynamic Virtual Private Network (DVPN) service allows the creation of VPN
communities. By enabling DVPN for a community, you can quickly and easily create a
VPN community with hundreds of gateways.
The resulting VPN communities are fully meshed or star (hub-and-spoke) communities.
For ultimate flexibility, these communities can be nested, enabling you to create advanced
VPN topologies, such as a meshed community in which the members are star communities,
or a star community in which the members are meshed communities.
The DVPN service fully supports the use of dynamic IP addresses, and automatically
updates all the gateways in the VPN community with the most recent IP addresses. The
DVPN service also supports VPN-1 SecuRemote and VPN-1 SecureClient VPN clients.
Remote and mobile users can use these clients to securely access community resources.
The DVPN service supports using industry-standard X.509 digital certificates for secure
Site-to-Site VPN communications, and includes a built-in Certificate Authority (CA) that
automatically issues such certificates to all gateways. The service also supports using
shared secrets for authentication, and configuring support for external certificate
authorities.
Figure 3: Full Mesh DVPN Architecture
Dynamic DNS Service (DDNS)
Most Internet service providers (ISP) assign dynamic rather than static IP addresses to their
subscribers. If a gateway has a dynamic IP address, then each time the gateway connects to
the ISP, its IP address may change. This poses a problem if the gateway's owner wants to
run a public server.
The Dynamic Domain Name System Service (DDNS) solves this problem by allowing you
to assign a domain name to a gateway. The DDNS service constantly checks for changes to
the gateway's IP address and updates the mapping of domain name to IP address
accordingly. For example, if the SMP is registered in the worldwide DNS as the owner of
the domain “mycompany.com”, and the DDNS service is enabled for a gateway named
“office”, then the gateway will be accessible using the DNS name
“office.mycompany.com”. Each time the gateway's IP address changes, the DDNS service
will map this DNS name to the new IP address, so that the gateway is always accessible.
The DDNS service resolves the Internet IP address of SMSs, as well, so you can assign
domain names to SMSs.
The DDNS service supports email address resolving (DNS MX Records), allowing you to
assign email addresses to your customers under their own domain. For example, if you
define the mail server for the gateway named “office” to be “mail.myisp.com”, then
whenever someone sends email to an address that ends with “@office.mycompany.com”,
the mail will be sent to the mail server “mail.myisp.com”.
Figure 4: DDNS Architecture
Check Point Reporting Module
The Check Point reporting module is an SMP service that allows you to create detailed
security reports from Embedded NGX gateway logs. The reports include information about
blocked attacks, detected viruses, filtered Web sites, and more, graphically demonstrating
the value of the Embedded NGX firewall and the additional managed services you provide
to your customers.
You can configure the Check Point reporting module to automatically generate reports at
specific intervals and to automatically email those reports to customers and/or SMP
administrators.
The reports are HTML-based and can be extensively customized in the SMC, by using a
simple template.
Vulnerability Scanning Service (VSS)
The Vulnerability Scanning Service (VSS) allows you to scan networks for security
vulnerabilities, and to generate detailed vulnerability scanning reports. The reports include
information about identified security vulnerabilities, a list of open TCP and UDP ports, and
a pie chart representing the breakdown of detected vulnerabilities by severity, enabling
subscribers to improve their networks' security, and demonstrating to non-subscribers the
need for an Embedded NGX firewall.
You can configure the VSS module to automatically generate vulnerability scanning
reports at specific intervals and to automatically email those reports to customers and/or
SMP administrators.
The reports are HTML-based and can be extensively customized in the SMC, by using a
simple template.
VSS requires the Nessus or OpenVAS vulnerability scanner, which can be downloaded for
free from http://www.nessus.org or http://www.openvas.org. The vulnerability scanner
must be installed separately from the SMP on a Linux server. Be sure to read the scanner
terms of use on the relevant Web site.
Chapter 3
Installation Schemes
SMP supports a variety of installation schemes, for ultimate flexibility and convenience.
This chapter presents a few of the installation schemes supported by SMP.
This chapter includes the following topics:
• Basic Installation
• SMS High Availability Installation
• SMS High Availability with Load Balancing Installation
• Multiple Portals Installation
Basic Installation
In the basic installation scheme, one SMP is installed, and all of its components are
installed on a single machine, as shown in the figure below. Only one SMP virtual portal is
defined in the SMC.
Figure 5: Basic Installation Scheme
SMS High Availability Installation
In order to guarantee the ongoing operation of both the customer's managed services and
the service provider's daily operations, a functional SMS must be available at all times.
The following options require an SMS:
• Configuration updates and provisioning
• Remote management
• Remote logging
• CVM
• UFM
• DDNS
• Dynamic VPN
Note: To provide DDNS service with no single point of failure, you must register
at least two SMSs as the DNS servers for your domain.
Note: Normal firewall and VPN operation do not require the gateway to be
connected to an SMS server.
In order to ensure that a functional SMS is available at all times, you can implement the
high availability installation scheme shown in the figure below.
Figure 6: High Availability Installation Scheme
This installation scheme requires that you replicate your database, so that if the primary
database fails, the SMP will continue to function using the secondary database. The high
availability installation scheme ensures that an SMS will always be available. For
information on database replication, see the SMP Administrator Guide, Database
Maintenance. For information on setting up this installation scheme, see the SMP
Administrator Guide, Configuration Workflows.
Note: For full redundancy, perform a Typical Primary SMP and a Typical Secondary
SMP installation on two different machines, then configure the SMC on the primary
server in active mode and the SMC on the secondary server in standby mode.
If the primary server fails:
• The SMS on the secondary server automatically takes over the gateways
  from the SMS on the primary server.
• The administrator must manually change the mode of the SMC on the
  secondary server from "standby" to "active".
There must be exactly one active SMC at any given time. For information on
configuring the SMC's mode, see Editing the SMC Configuration File on page 53.
If desired, you can divide the gateways into geographical regions for improved scalability
and SMS availability. See the figure below.
Figure 7: High Availability Installation Scheme with Regional Divisions
For information on setting up this installation scheme, see the SMP Administrator Guide,
Configuration Workflows.
SMS High Availability with Load Balancing Installation
If you have a heavily-loaded system with thousands of gateways, it is recommended to use
the High Availability with Load Balancing installation scheme. This installation scheme is
identical to the High Availability installation scheme, with the following exception: you
must enable the LBM option for the server group. This ensures that gateways are
automatically assigned to the least-loaded SMSs. (In the High Availability installation
scheme, on the other hand, a gateway is only transferred to another server when its original
SMS shuts down or fails.)
For further information on LBM and load balancing, see Load Balancing Module (LBM)
on page 12. For information on setting the load-balancing configuration of a server group,
see the SMP Administrator Guide, Managing Servers and Server Groups. For information
on setting up this installation scheme, see the SMP Administrator Guide, Configuration
Workflows.
Note: For full redundancy, perform a Typical Primary SMP and a Typical Secondary
SMP installation on two different machines, then configure the SMC on the primary
server in active mode and the SMC on the secondary server in standby mode.
If the primary server fails:
• The SMS on the secondary server automatically takes over the gateways
  from the SMS on the primary server.
• The administrator must manually change the mode of the SMC on the
  secondary server from "standby" to "active".
There must be exactly one active SMC at any given time. For information on
configuring the SMC's mode, see Editing the SMC Configuration File on page 53.
Note: It is not necessary to install the same number of LDAP servers as SMSs. If, for
example, you have six SMSs, you can install two replicated LDAP servers and
connect three SMS servers to each. See the figure below.
Figure 8: High Availability with Load Balancing Installation
For information on setting up this installation scheme, see the SMP Administrator Guide,
Configuration Workflows.
Multiple Portals Installation
In the Multiple Portals installation scheme, you add multiple SMP virtual portals on the
SMP.
For example, an ISP with multiple resellers can install an SMP virtual portal for each
reseller. This allows saving on hardware, software, and ongoing maintenance.
Only one SMS is installed, and it handles gateways for all of the SMP virtual portals. In
order for a gateway to connect to the relevant SMP virtual portal, the gateway must use its
fully qualified ID, <gateway ID>.<portal name>, when connecting to the Service
Center.
Note: If desired, you can configure the SMS with multiple IP addresses.
Furthermore, you can associate each IP address with a different "default" SMP virtual
portal. When a gateway uses only its gateway ID (instead of its fully qualified ID) to
connect to the Service Center, the default portal name is appended to the gateway ID
automatically (<gateway ID>.<default portal name>), and the
gateway is connected to the default portal.
Note: For full redundancy, perform a Typical Primary SMP and a Typical Secondary
SMP installation on two different machines, then configure the SMC on the primary
server in active mode and the SMC on the secondary server in standby mode. Add the
desired SMP virtual portals via the active SMC.
If the primary server fails:
• The SMS on the secondary server automatically takes over the gateways
  from the SMS on the primary server.
• The administrator must manually change the mode of the SMC on the
  secondary server from "standby" to "active". All of the SMP virtual portals
  will then be accessible via the SMC on the secondary server.
There must be exactly one active SMC at any given time. For information on
configuring the SMC's mode, see Editing the SMC Configuration File on page 53.
For information on setting up this installation scheme, see the SMP Administrator Guide,
Configuration Workflows.
Chapter 4
Preparing for SMP Installation
This chapter includes the following topics:
System Requirements
Tips for Capacity Planning
Installing a Directory Service
Freeing Ports
System Requirements
The SMP machine must meet the requirements listed in the table below. In addition, the
machine's domain name must be configured.
Table 1: System Requirements
Item             Requirement
OS               Microsoft Windows 2000 Server SP4 / Microsoft Windows 2003 Server SP2 / Microsoft Windows 2008 Server
CPU              Pentium-4 2.8 GHz or higher
Memory           1 GB minimum
Free disk space  2 GB minimum
File system      NTFS
NIC              100 Mbps
Tips for Capacity Planning
When deciding what capacity to provide, consider the following factors:
• The number of gateways
• The NOC Internet link's bandwidth and network latency
• The number of SMSs you intend to install
• The load on the SMS can be affected by several configuration settings:
  • You can use the SMC to increase or decrease the interval in which the
    gateways poll for their setup (the Setup Interval) according to the available
    bandwidth of your NOC and the expected rate of changes. For information on
    changing this interval, see the SMP Administrator Guide, Managing Servers
    and Server Groups.
  • The server CPU requirements depend on the chosen encryption method.
• If UFM will be enabled:
  • The network bandwidth consumption depends on the amount of user Web
    surfing.
  • A low-latency line is important for a good user experience.
  • Gateways cache responses to minimize the overhead.
  • Take peak usage times into account.
• If CVM will be enabled:
  • The network bandwidth consumption depends on the amount of concurrent email
    downloads.
  • Users' emails are routed through the SMS.
  • Take peak usage times into account.
• If DVPN will be enabled:
  • Usually, network bandwidth consumption is not as large as for CVM and
    UFM.
  • The server answers revocation checking requests, sends updates on changed
    dynamic IP addresses, and distributes the VPN topology and settings of
    gateways in the community to all community members. If user authentication
    is enabled for a community, then gateways in the community consult the
    server when authenticating user logins. The gateways cache the results of user
    login checking requests and revocation checking requests.
  • If you are managing very large communities containing hundreds of gateways
    or more, and the gateways' IP addresses change frequently, there may be a lot
    of traffic due to updating the dynamic IP addresses table in the community
    members each time an IP address changes.
  • You can increase performance by making the revocation checking interval
    longer. This allows gateways to cache revocation checking responses for a
    longer amount of time and therefore reduces traffic, but it also increases the
    amount of time until all gateways know that a gateway's certificate was
    revoked.
• If DDNS will be enabled:
  • Usually, network bandwidth consumption is not large.
  • You can tune the DNS caching parameters to reduce the amount of traffic.
  • DNS resolution for gateways with dynamic IP addresses is usually much
    more demanding than DNS resolution for gateways with static IP addresses,
    because the DNS clients cache the dynamic IP address resolution results for a
    shorter amount of time than static IP address resolution results. You can control
    these amounts of time by configuring the Time to Live parameters in the
    SMC. See the SMP Administrator Guide, Configuring General SMP Settings.
• If logging and reporting will be enabled:
  • You can increase or decrease the logging interval to suit the available
    bandwidth of your NOC and the expected rate of events. If the bandwidth is
    insufficient, some events might be lost.
  • Each gateway sends at most one packet each logging interval. Each packet
    can contain up to 100 log messages.
  • Log storage can consume a lot of disk space. Old log files can be
    automatically erased or compressed to save disk space. For more information,
    see the SMP Administrator Guide, Monitoring the SMP.
  • To reduce log storage space, you can configure the server group log policy to
    filter out log messages of low importance. See the SMP Administrator Guide,
    Managing Servers and Server Groups.
• If Firmware Updates or the VStream Antivirus signature updates service will be
  enabled:
  • You can limit bandwidth consumption by setting the Concurrent Downloads
    Limit in the SMS's Servers > Server > Edit page Configure tab's Advanced node.
    Lowering this value will reduce the bandwidth consumption, but make the
    updating process slower. See the SMP Administrator Guide, Managing
    Servers and Server Groups.
• If the Vulnerability Scanning service will be enabled:
  • Vulnerability scanning consumes a large amount of memory. If you enable this
    feature, it is recommended to use more RAM than the minimum requirements.
  • Vulnerability scanning consumes a large amount of network bandwidth
    during the scanning operation.
  • You can schedule vulnerability scanning to occur during periods of low
    network activity. See the SMP Administrator Guide, Using the Vulnerability
    Scanning Service.
  • You can limit the bandwidth consumption by setting the System >
    Vulnerability Scan page Server tab's Scan up to and Perform up to parameters
    in the VSS settings. Lowering these values will reduce the bandwidth
    consumption, but make the scanning slower. See the SMP Administrator
    Guide, Using the Vulnerability Scanning Service.
Installing a Directory Service
You can install SMP components with either Microsoft's Active Directory or SunONE
Directory Server 5.1. You must install the desired directory service before installing the
SMP.
For information on installing Active Directory, see the following documentation:
• http://support.microsoft.com/default.aspx?scid=kb;en-us;324753
• http://support.microsoft.com/default.aspx?scid=kb;en-us;318340
• http://support.microsoft.com/default.aspx?scid=kb;en-us;308196&sd=tech
Note: SunONE Directory Server must be installed on an NTFS partition.
Freeing Ports
Many servers are pre-installed with management software that might collide with the SMP
installation. Before installing an SMP component, you must check that the appropriate port
is free and that no other service is bound to it. The following table lists the ports used by
each SMP component.
To verify that the ports are free, use the shell command: netstat -a
Table 2: SMP Ports
This SMP component…            Uses these ports…
Microsoft Active Directory     389 TCP
SunONE Directory Server 5.1    389 TCP, 12345 TCP
CVP                            25 TCP (SMTP), 110 TCP (POP3), 18181 TCP
UFP                            18182 TCP
SMS                            9281, 9282 UDP, 9283 TCP
ELA                            18187 TCP
DDNS                           53 UDP, 53 TCP
DVPN                           None
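The port check described above can be scripted. The following Python sketch is an added example, not part of the Check Point guide: it parses Windows netstat output and reports which Table 2 ports are already bound for the components you plan to install. It assumes netstat -an rather than -a, so that ports stay numeric instead of printing as service names; the sample output is constructed, and the SMS row is read as 9281/UDP, 9282/UDP and 9283/TCP.

```python
import subprocess
import sys

# Ports from Table 2 of this guide. The SMS row reads "9281, 9282 UDP, 9283 TCP";
# it is interpreted here as 9281/UDP, 9282/UDP and 9283/TCP (assumption).
SMP_PORTS = {
    "Microsoft Active Directory": [("TCP", 389)],
    "SunONE Directory Server 5.1": [("TCP", 389), ("TCP", 12345)],
    "CVP": [("TCP", 25), ("TCP", 110), ("TCP", 18181)],
    "UFP": [("TCP", 18182)],
    "SMS": [("UDP", 9281), ("UDP", 9282), ("TCP", 9283)],
    "ELA": [("TCP", 18187)],
    "DDNS": [("UDP", 53), ("TCP", 53)],
    "DVPN": [],
}

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:389         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1043        198.51.100.7:18181     ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:53             *:*
  UDP    192.0.2.10:123         *:*
"""


def bound_sockets(netstat_text):
    """Return {(proto, port): [local addresses]} for listening TCP and bound UDP sockets."""
    bound = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto = fields[0].upper()
        # TCP rows carry a state column; only LISTENING means a service owns the port.
        # An ESTABLISHED row whose *foreign* port is 18181 is not a local conflict.
        if proto == "TCP" and (len(fields) < 4 or fields[3].upper() != "LISTENING"):
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        address, _, port = fields[1].rpartition(":")
        if not port.isdigit():
            continue  # name-resolved output (netstat -a without -n) is not parsed
        bound.setdefault((proto, int(port)), []).append(address)
    return bound


def port_conflicts(netstat_text, components):
    """Return {component: [(proto, port, local addresses)]} for ports already taken."""
    bound = bound_sockets(netstat_text)
    conflicts = {}
    for name in components:
        for proto, port in SMP_PORTS[name]:
            if (proto, port) in bound:
                conflicts.setdefault(name, []).append((proto, port, bound[(proto, port)]))
    return conflicts


if __name__ == "__main__":
    # Component names to check come from the command line; default is every row of Table 2.
    wanted = sys.argv[1:] or list(SMP_PORTS)
    if sys.platform == "win32":
        text = subprocess.run(["netstat", "-an"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_NETSTAT  # off Windows, run against the constructed sample
    found = port_conflicts(text, wanted)
    for component, hits in found.items():
        for proto, port, addresses in hits:
            print(f"{component}: {port}/{proto} already bound on {', '.join(addresses)}")
    sys.exit(1 if found else 0)
```

A conflict on a specific local address (rather than 0.0.0.0) matters only if the SMP component will bind to that same address or to all addresses.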
Chapter 5
Installation
This chapter contains all the information necessary to install the following components:
• SMP components:
  • Security Management Center (SMC)
  • Self Provisioning Portal (SPP)
  • Security Management Server (SMS)
  • Security Content Filtering Server (SCS)
• Third-party components:
  • SunONE Directory Server 5.1
  • Trend Micro InterScan VirusWall CVP Server
  • Aladdin eSafe Gateway CVP Server 4.0
  • Computer Associates eTrust CVP Server 7.1
  • SurfControl SuperScout Web Filter for Check Point FireWall-1 (2.0, 2.1)
  • SurfControl Web Filter 5.0
  • Websense Enterprise
  • SecureComputing SmartFilter FireWall-1 UFP Server
Note: The Security Content Filtering Server (SCS) represents a full antivirus,
antispam, and URL filtering solution. If you choose to use it, you must purchase
a license from Check Point. For more information on the SCS, see Configuring
the Security Content Filtering Server on page 73.
Note: It is possible to install more than one CVP server on the same machine.
To do this, use different ports or bind IP addresses for each CVP server. For
information on configuring these parameters, see Configuring the Security
Content Filtering Server on page 73.
This chapter includes the following topics:
Installing SMP
Uninstalling SMP
Upgrading the SMP
Backing Up the SMP Installation
Restoring the SMP Installation
Editing the SMC Configuration File
Editing the SMS INI File
Configuring the SMS to Ignore Disabled Gateways
Installing SMP
Note: Before installing SMP components, you must log on to the system using
administrator credentials.
Note: Full installation can take up to 20 or 30 minutes.
Note: It is recommended to connect the computer to the Internet before starting
installation. If no connection is available during installation, all components will be
installed, but all Internet updates (such as SCS and Web Filtering updates, VStream
Antivirus updates, and so on) will be fetched later, when an Internet connection is
established.
To install SMP
1. Run the installer setup.exe, located under the windows directory on the
   Check Point CD.
   The following things happen:
   • The Preparing to Install… window opens.
   • The Welcome window appears.
2. Click Next.
   The License Agreement window appears.
3. Read the License Agreement carefully, and click Yes.
   The Choose Destination Location dialog box appears.
4. Browse to the desired destination directory using the Browse button.
5. Click Next.
   The Setup Type dialog box appears.
6. Select the desired setup type, based on the installation scheme you want to
   implement.
   See Installation Schemes on page 19 for information on installation schemes.
   For information on restoring the SMP from a backup file, see Restoring the SMP
   Installation on page 51.
7. Click Next.
8. Do one of the following:
   • If you chose Typical Primary, continue at Installing a Typical Primary SMP
     on page 36.
   • If you chose Typical Secondary, continue at Installing a Typical Secondary
     SMP on page 38.
   • If you chose Security Management Server, continue at Installing an SMS on
     page 40.
   • If you chose Security Content Filtering Server, continue at Completing
     Installation on page 41.
Installing a Typical Primary SMP
If you chose Typical Primary, the Setup Type dialog box appears.
1. To install the SCS, click Yes.
2. Click Next.
   The following things happen:
   • If there is more than one IP address installed on this machine, the Select SMP
     IP Address dialog box appears.
     Do the following:
     1) From the Select IP drop-down list, select the IP address on which you
        want to install the SMP.
        The list includes all IP addresses configured on this machine.
     2) Click Next.
   • A second Setup Type dialog box appears.
3. Choose the directory service you want to use.
   Note: If you choose to use Active Directory, a Check Point schema for Active
   Directory will be installed. If you choose to use the SunONE Directory Server on
   this machine, a Check Point schema for SunONE Directory Server will be
   installed.
   Note: If you choose to use Active Directory, you must perform the Typical Primary
   installation on the Windows 2003 schema master.
4. Click Next.
   A message box appears asking you whether the directory service you chose is installed
   locally.
5. Do one of the following:
   • If the directory service you chose is not installed locally, click No.
     The Primary Database Information dialog box appears.
     Do the following:
     1) In the Host field, type the host name or IP address of the machine on
        which the primary database server is installed.
     2) In the Port field, type the port number of the machine on which the
        primary database server is installed.
     3) Click Next.
   • If the directory service you chose is installed locally, click Yes.
   A second Primary Database Information dialog box appears.
   Note: If you chose Active Directory, the default values in this dialog box are
   identical to the default values used during Active Directory installation. If you did
   not change these values when you installed Active Directory, do not change them
   in this dialog box.
6. In the Domain field, type the primary database server's domain path.
7. In the User field, type the Active Directory administrator's DN or the SunONE
   Directory Server database administrator's username, depending on which
   directory service you chose.
8. Click Next.
   A third Primary Database Information dialog box appears.
9. In the field(s) provided, type the Active Directory administrator's password, or
   the SunONE Directory Server privileged user's password, depending on which
   directory service you chose.
10. Click Next.
    The Secondary Database Information dialog box appears.
11. To use a secondary database, do the following:
    a. In the Host field, type the host name or IP address of the machine on
       which the secondary database server is installed.
       If you do not have a secondary database, leave this field blank.
    b. In the Port field, type the port number of the machine on which the
       secondary database server is installed.
12. Click Next.
    The Verify Your Selection dialog box appears.
Continue at Completing Installation on page 41.
Installing a Typical Secondary SMP
If you chose Typical Secondary, the Setup Type dialog box appears.
1. To install the SCS, click Yes.
2. Click Next.
   The following things happen:
   • If there is more than one IP address installed on this machine, the Select SMP
     IP Address dialog box appears.
     Do the following:
     1) From the Select IP drop-down list, select the IP address on which you
        want to install the SMP.
        The list includes all IP addresses configured on this machine.
     2) Click Next.
   • A second Setup Type dialog box appears.
3. Choose the directory service you want to use.
4. Click Next.
   A message box appears asking you whether the directory service you chose is installed
   locally.
5. Do one of the following:
   • If the directory service you chose is not installed locally, click No.
   • If the directory service you chose is installed locally, click Yes.
   The Primary Database Information dialog box appears.
6. In the Host field, type the host name or IP address of the machine on which the
   primary database server is installed.
7. In the Port field, type the port number of the machine on which the primary
   database server is installed.
8. Click Next.
   A second Primary Database Information dialog box appears.
Note: If you chose Active Directory, the default values in this dialog box are
identical to the default values used during Active Directory installation. If you did
not change these values when you installed Active Directory, do not change them
in this dialog box.
9. In the Domain field, type the primary database server's domain path.
10. In the User field, type the Active Directory administrator's DN or the SunONE
Directory Server database administrator's username, depending on which
directory service you chose.
11. Click Next.
A third Primary Database Information dialog box appears.
12. In the field(s) provided, type the Active Directory administrator's password, or
the SunONE Directory Server privileged user's password, depending on which
directory service you chose.
13. Click Next.
The following things happen:
• If the directory service you chose is not installed locally, the Secondary
  Database Information dialog box appears.
  To use a secondary database, do the following:
  1) In the Host field, type the host name or IP address of the machine on
     which the secondary database server is installed.
     If you do not have a secondary database, leave this field blank.
  2) In the Port field, type the port number of the machine on which the
     secondary database server is installed.
  3) Click Next.
• The Verify Your Selection dialog box appears.
Continue at Completing Installation on page 41.
Installing an SMS
If you chose Security Management Server, the Setup Type dialog box appears.
1. To install the SCS, click Yes.
2. Click Next.
   A second Setup Type dialog box appears.
3. Choose the directory service used for the SMP.
4. Click Next.
   The Primary Database Information dialog box appears.
5. In the Host field, type the host name or IP address of the machine on which the
   primary database server is installed.
6. In the Port field, type the port number of the machine on which the primary
   database server is installed.
7. Click Next.
   A second Primary Database Information dialog box appears.
Note: If you chose Active Directory, the default values in this dialog box are
identical to the default values used during Active Directory installation. If you did
not change these values when you installed Active Directory, do not change them
in this dialog box.
8. In the Domain field, type the primary database server's domain path.
9. In the User field, type the Active Directory administrator's DN or the SunONE
Directory Server database administrator's username, depending on which
directory service you chose.
10. Click Next.
A third Primary Database Information dialog box appears.
11. In the field(s) provided, type the Active Directory administrator's password, or
the SunONE Directory Server privileged user's password, depending on which
directory service you chose.
12. Click Next.
The Secondary Database Information dialog box appears.
13. To use a secondary database, do the following:
    a. In the Host field, type the host name or IP address of the machine on
       which the secondary database server is installed.
       If you do not have a secondary database, leave this field blank.
    b. In the Port field, type the port number of the machine on which the
       secondary database server is installed.
14. Click Next.
    The Verify Your Selection dialog box appears.
Continue at Completing Installation on page 41.
Completing Installation
The Verify Your Selection dialog box appears.
The Current Settings area displays the installation type you chose.
Note: Be sure to read the summary before continuing!
1. Click Next.
   The selected SMP components are installed.
   Note: The installation process requires user input, so stay by the computer
   during installation.
   During installation, the following things happen in the order below:
   • The Setup Status progress window appears and tracks the progress of
     installation.
   • The log file install.log is created in the Check Point directory and
     written to throughout installation. This file contains error messages generated
     during the installation process, as well as all the system commands carried out
     during the installation process and their output. This file also contains all the
     passwords you entered during installation, so you may want to delete all
     passwords before sending it to someone else.
   • If you chose Typical Primary or Secondary setup, the SMC configuration file
     INFO.properties is created under
     $SMP_HOME\Tomcat\webapps\SMC\WEB-INF, where $SMP_HOME is
     the SMP installation directory.
     For information on editing the SMC configuration file, see Editing the SMC
     Configuration Files on page 53.
   • If you chose to install the SCS, the SCS configuration file SCS.ini is
     created under $SMP_HOME\conf, where $SMP_HOME is the SMP
     installation directory.
     For information on configuring the SCS, see Configuring the Check Point
     Content Filtering Server on page 73.
   • If you chose to install the SCS only, the SMP 8.1 Installation Complete dialog
     box appears. Continue at step 5.
   • If you chose Typical Primary setup, the SMP configuration dialog box appears.
     Do the following:
     1) In the SMTP field, type the SMTP server to be used for sending
        emails from the SMP.
     2) In the Mail field, type the customer support email address.
        This address appears in all emails sent by the SMP.
        Note: You can change these settings in the SMC, using the procedure in
        the SMP Administrator Guide, Configuring General SMP Settings.
     3) Click Next.
        The SMP Admin User information dialog box appears.
     4) In the Login field, type the SMC super user's login for logging in to
        the SMC.
     5) In the Mail field, type the SMC super user's email address.
     6) Click Next.
        A second SMP Admin User information dialog box appears.
     7) In the Password and Confirm password fields, type a password for
        the SMC super user.
        Note: The password must be at least seven characters long.
     8) Click Next.
   • If you chose Typical Secondary setup or Security Management Server setup,
     the SMC Information dialog box appears.
     Do the following:
     1) In the Host field, type the hostname or IP address of the SMC.
     2) Click Next.
   • The Management Server Group dialog box appears.
     The screen below is relevant for Typical Primary setup.
     If you chose another setup type, this screen appears as follows:
2. In the Server field, type a name for the new SMS.
   The default SMS name is the name of this machine.
3. In the Group field, do one of the following:
   • If you chose Typical Primary setup, type a name for the server group that will
     be added to the SMC.
   • If you chose another setup type, select the desired existing server group.
   The new SMS will belong to this group. The default server group name is "group1".
Note: For information on setting server and server group names, see the SMP
Administrator Guide, Managing Servers and Server Groups.
4. Click Next.
   The SMP 8.1 Installation Complete dialog box appears, and you are asked whether you
   want to reboot your computer.
5. Click Yes, I want to restart my computer now.
6. Click Finish.
   • If you chose a Typical Primary or Secondary setup, a free 90-day evaluation
     license for 10 gateways is installed, and the "This product is not licensed"
     message will appear on the SMC Welcome page. The license is valid for all
     SMP virtual portals. For information on buying a license, see the SMP
     Administrator Guide, Managing SMP Licenses.
Note: If you chose to use SunONE, you must replicate the database. For
information, see Replicating Databases on page 71.
Note: See the SMP Administrator Guide, Managing Servers and Server
Groups for information on configuring the SMS and its server group.
Uninstalling SMP
Note: Before uninstalling SMP components, you must log on to the system using
administrator credentials.
To uninstall SMP
1. Do one of the following:
   • Run the installer setup.exe, located under the windows directory on the
     Check Point CD, or
   • In the Add/Remove Programs window, select Check Point Security
     Management Portal 8.1, and click Change/Remove.
   The following things happen:
   • The Preparing to Install… window opens.
   • A confirmation message appears asking whether you want to uninstall the
     SMP.
2. Click OK.
   The Uninstall Options dialog box appears.
3. Make sure that the Completely remove SMP data from database check box is
   selected.
4. To remove SMP installation logs, select the Completely remove SMP
   installation logs check box.
5. Click Next.
   Another confirmation message appears.
6. Click OK.
   The following things happen:
   • If you are uninstalling a Typical Secondary installation or Security
     Management Server installation, the SMC Information dialog box appears.
     Do the following:
     1) In the Host field, type the hostname or IP address of the SMC.
     2) Click Next.
   • The Setup Status progress window appears.
   • All Check Point components are uninstalled, along with their configuration
     files.
     Note: The Check Point schema for your directory service is not removed.
   • The SMP 8.1 Uninstall Complete dialog box appears, and you are asked
     whether you want to reboot your computer.
7. Click Yes, I want to restart my computer now.
8. Click Finish.
Upgrading the SMP
You can upgrade existing SMP components to SMP 8.1, while retaining the data currently
stored in the Check Point database.
Note: Before upgrading to SMP 8.1:
• The SMP 8.1 installer allows upgrading from SMP 8.0 only. To migrate from
  earlier versions of SMP, first upgrade to SMP 8.0, then upgrade from SMP
  8.0 to SMP 8.1 using the SMP 8.1 installer.
• Upgrading to SMP 8.1 requires a new license key. To obtain a new license
  key, contact Check Point support at http://www.checkpoint.com/support
  (http://supportcenter.checkpoint.com).
• When upgrading from an installation with multiple SMP virtual portals
  (instances), only a single server group can be defined. Before running the
  SMP 8.1 installer, make sure that only one server group is defined.
Security Management Portal Installation Guide
Upgrading the SMP
Note: After upgrading to SMP 8.1:

All log messages are cleared.

All customized report templates are reset to the new default settings.

A new global administrator account is created.

All administrators defined in the earlier installation are converted to users.
These users’ administrative roles and permissions are preserved.

If the original installation had multiple SMP virtual portals (instances), the
SMP 8.1 global configuration is taken from the first SMP virtual portal.

In SMP versions older than 5.0, the SMS's bind address was set to "Any",
by default. In order to add SMP virtual portals after upgrading the SMP, you
must set the SMS's bind address to a specific server address. For
information on setting the bind address, see the SMP Administrator Guide,
Managing Servers and Server Groups.
Note: If multiple SMP installations are installed on Active Directory, you must perform
the upgrade on the schema master first.
Upgrading the SMP on the Current Server
To upgrade the SMP on the server where it is currently installed
1. Run the installer setup.exe, located under the windows directory on the
Check Point CD.
• The Preparing to Install… window opens.
• A message box asks you whether you want to upgrade SMP.
2. Click Yes.
The Welcome screen appears.
3. Click Next.
The License Agreement window appears.
4. Read the License Agreement carefully, and click Yes.
5. Click Next.
The Primary Database Information dialog box appears.
This screen differs depending on the database type that is installed.
6. In the Domain field, type the primary database server's domain path.
7. In the User field, type the Active Directory administrator's DN or the SunONE
Directory Server database administrator's username, depending on which
directory service is installed.
8. Click Next.
A second Primary Database Information dialog box appears.
9. In the field(s) provided, type the Active Directory administrator's password, or
the SunONE Directory Server privileged user's password, depending on which
directory service is installed.
10. Click Next.
The Secondary Database Information dialog box appears.
11. To use a secondary database, do the following:
a. In the Host field, type the host name or IP address of the machine on
which the secondary database server is installed.
If you do not have a secondary database, leave this field blank.
b. In the Port field, type the port number of the machine on which the
secondary database server is installed.
12. Click Next.
The Verify Your Selection dialog box appears.
13. Click Next.
The following things happen:
• The Setup Status progress window appears and tracks the progress of the
upgrade process.
Warning: Do not click Cancel until the upgrade is complete!
• The SMP components that were installed prior to upgrade are reinstalled to
the same directory. No new components are installed.
• The log file install.log is created in the Check Point directory and
written to throughout installation. This file contains error messages generated
during the installation process, as well as all the system commands carried out
during the installation process and their output. This file also contains all the
passwords you entered during installation, so you may want to delete all
passwords from it before sending it to someone else.
• The SMC configuration file INFO.properties is created under
$SMP_HOME\Tomcat\webapps\SMC\WEB-INF, where $SMP_HOME is
the SMP installation directory.
• If SCS was installed, the SCS configuration file SCS.ini is created under
$SMP_HOME\conf, where $SMP_HOME is the SMP installation directory.
Note: For information on editing the SMC configuration file, see Editing the
SMC Configuration Files on page 53. For information on configuring the
SCS, see Configuring the Security Content Filtering Server on page 73.
• All SMP 7.0 components are uninstalled.
• The SMP 8.1 Installation Complete dialog box appears, and you are asked
whether you want to reboot your computer.
14. Click Yes, I want to restart my computer now.
15. Click Finish.
If SCS was installed:
• The SCS shortcuts, the file readme.txt, and the ClamAV and
SpamAssassin licenses are added to the Windows Start menu, under
Programs\Check Point\SCS.
• The folder ClamAV is added to the Windows Start menu, under Programs.
Upgrading the SMP on a Different Server
To upgrade the SMP on a different server
1. On the server where SMP 8.0 is installed, back up the SMP installation.
See Backing Up the SMP Installation on page 50.
2. On the new server, restore the SMP installation from the backup file created in
the previous step.
See Restoring the SMP Installation on page 51.
The installer automatically upgrades the SMP 8.0 installation to SMP 8.1.
Backing Up the SMP Installation
You can back up the SMP installation to a *.bak file. You can then use the backup file to
restore the SMP installation as needed. For information on restoring the installation, see
Restoring the SMP Installation on page 51.
Note: This procedure explains how to back up all data for all SMP virtual portals via the
command line. To back up this data via the SMC, see the SMP Administrator Guide,
Backing Up and Restoring the SMP System Configuration. To export data for a specific
SMP virtual portal only, see the SMP Administrator Guide, Database Maintenance.
To back up the SMP
1. Open a command prompt.
2. Enter the following command:
smp_backup destination_file [-y] [-L]
For information on the command's flags, see the table below.
For example, if you want to back up the SMP to the file backup.bak, enter the
following command:
smp_backup backup.bak
All SMP virtual portals are backed up.
Table 3: Backup SMP Virtual Portal Flags
Flag                Description
destination_file    The path to the destination backup file.
-y                  Indicates that if the destination file already exists, it should be overwritten.
-L                  Indicates that the log files should not be backed up.
Restoring the SMP Installation
You can restore the SMP installation from a backup file. For information on creating a
backup file, see Backing Up the SMP Installation on page 50.
Note: This procedure explains how to restore all data for all SMP virtual portals. To
import data for a specific SMP virtual portal, see the SMP Administrator Guide,
Database Maintenance.
To restore the SMP installation
1. If the SMP is installed on the computer where you want to perform the restore
action, uninstall it using the procedure Uninstalling SMP from Windows.
2. Run the installer setup.exe, located under the windows directory on the
Check Point CD.
• The Preparing to Install… window opens.
• The Welcome window appears.
3. Click Next.
The License Agreement window appears.
4. Read the License Agreement carefully, and click Yes.
The Choose Destination Location dialog box appears.
5. Browse to the desired destination directory using the Browse button.
6. Click Next.
The Setup Type dialog box appears.
7. Select Restore from backup.
8. Click Next.
The Select Backup File dialog box appears.
9. Browse to the desired destination directory using the Browse button.
10. Click Next.
The following things happen in the order below:
• If there is more than one IP address installed on this machine, the Select SMP
IP Address dialog box appears.
Do the following:
1) From the Select IP drop-down list, select the IP address on which you
want to install the SMP.
The list includes all IP addresses configured on this machine.
2) Click Next.
• The Setup Type dialog box appears.
11. Choose the directory service you want to use.
12. Click Next.
A message box appears asking you whether the directory service you chose is installed
locally.
13. Do one of the following:
• If the directory service you chose is not installed locally, click No.
The Primary Database Information dialog box appears.
Do the following:
1) In the Host field, type the host name or IP address of the machine on
which the primary database server is installed.
2) In the Port field, type the port number of the machine on which the
primary database server is installed.
3) Click Next.
• If the directory service you chose is installed locally, click Yes.
A second Primary Database Information dialog box appears.
14. In the Domain field, type the primary database server's domain path.
15. In the User field, type the Active Directory administrator's DN or the SunONE
Directory Server database administrator's username, depending on which
directory service is used.
16. Click Next.
A third Primary Database Information dialog box appears.
17. In the field(s) provided, type the Active Directory administrator's password, or
the SunONE Directory Server privileged user's password, depending on which
directory service is used.
18. Click Next.
The Secondary Database Information dialog box appears.
19. To use a secondary database, do the following:
a. In the Host field, type the host name or IP address of the machine on
which the secondary database server is installed.
If you do not have a secondary database, leave this field blank.
b. In the Port field, type the port number of the machine on which the
secondary database server is installed.
20. Click Next.
The Verify Your Selection dialog box appears.
21. Click Next.
The following things happen in the order below:
• The Setup Status progress window appears and tracks the progress of
installation.
• The SMP installation is restored.
• The SMP 8.1 Installation Complete dialog box appears, and you are asked
whether you want to reboot your computer.
22. Click Yes, I want to restart my computer now.
23. Click Finish.
Editing the SMC Configuration File
You can change SMC settings after installation, by editing the SMC configuration file
INFO.properties, located under
$SMP_HOME\Tomcat\webapps\SMC\WEB-INF, where $SMP_HOME is the SMP
installation directory.
For information on this file's sections and parameters, refer to the table below.
Table 4: SMC Configuration File Parameters

Set this parameter: DB_URL
To this value: The LDAP server's URL, with "SunONE;" or "AD;" added before it,
depending on the server type.
For example: SunONE;ldap://demo.checkpoint.com:389/o=ldap.checkpoint.com

Set this parameter: DB_USER
To this value: The privileged user to use when connecting to this server
For example: cn=administrator,cn=users,DC=smp1,DC=com

Set this parameter: DB_PASS
To this value: The password to use when connecting to this server
For example: password1

Set this parameter: SMC_TYPE
To this value: The SMC's mode. This can be one of the following:
• active
• standby
For example: active

Set this parameter: DATETIME_FORMAT
To this value: The format to use for displaying the date and time in the SPP.
Use the following placeholders to indicate the desired time units:
MMMMM = month
dd = day
yyyy = year
HH = hours
mm = minutes
ss = seconds
For example: MMMMM dd, yyyy HH:mm:ss

Set this parameter: DATE_FORMAT
To this value: The format to use for displaying the date in the SPP.
Use the following placeholders to indicate the desired time units:
MMMMM = month
dd = day
yyyy = year
For example: MMMMM dd, yyyy

Set this parameter: SYSTEM_MONITOR_INTERVAL
To this value: The interval (in minutes) at which the system monitor collects
information.
For example: 20

Set this parameter: REPORT_THRESHOLD
To this value: The number of IP addresses to include in the security reports' Top
Attackers list.
For example: 5

Set this parameter: CONNECT_TO_SMS_USING_NAT_IP
To this value: Indicates whether to connect to the SMS using NAT.
This can have the following values:
• 0 - The SMS is not behind a NAT device, or it is behind the same NAT
device as the SMC.
• An IP address - The IP address of the NAT device behind which the SMS is
located.
For example: 0

Set this parameter: REPORTER_MAX_LOGFILES
To this value: The number of log files to open concurrently during report
generation.
Setting a higher value reduces report generation time but consumes more
memory.
For example: 500

Set this parameter: HIDE_INSTANCES
To this value: Indicates whether to replace the list of SMP virtual portals in the SMC
Login page with a text box, in which the user must type the SMP virtual
portal name.
This can have the following values:
• 1 - Replace the list of portals with a text box.
• 0 - Show the list of portals.
For example: 1

Set this parameter: UPDATES_URL
To this value: The URL from which to download updates to the SMP.
For example: https://updates.checkpoint.com/WebService/services/DownloadMetaDataService

Set this parameter: SESSION_IDLE_TIMEOUT_MINUTES
To this value: The number of minutes after which idle sessions are automatically timed
out.
For example: 15

Set this parameter: VSTREAM_INDEX_URL
To this value: The URL from which to download VStream Antivirus signature
updates.
For example: http://sigcheck.checkpoint.com/vstream-siglist.txt

Set this parameter: VSTREAM_SIGNATURES_BASE_URL
To this value: The URL from which to download updates to VStream Antivirus
signature updates.
For example: http://avupdates.checkpoint.com/

Set this parameter: ALLOW_REMOTE_API_ACCESS
To this value: Indicates whether to allow remote clients to access the SMP API.
This can have the following values:
• 1 - Allow remote clients to access the SMP API.
• 0 - Allow SMP API access from the local host only.
This is the default.
For example: 0

Set this parameter: CLIENT_LOGIN_FAILURE_TTL_MINS
To this value: The amount of time in minutes that the SMC should list a gateway's
status as "Client Login Failed", after the gateway failed to authenticate to
the SMS.
The default value is 5 minutes.
Editing the SMS INI File
You can change advanced SMS settings and the LDAP server to which the SMS connects,
by editing the SWManagementServer.ini file, which is located on the SMS machine
under the directory $SMP_HOME\conf\, where $SMP_HOME is the SMP installation
directory.
For information on this file's sections and parameters, refer to the table below.
Note: The SMS connects to the LDAP database in order to obtain gateway-specific
information. Therefore, if you change the database login information, you must also
update the SWManagementServer.ini file.
Changing the Windows Server admin user usually changes the database login
information as well.
Table 5: SMS INI File Sections and Parameters

Section: DB

Parameter: URL
Description: The LDAP database's URL.
Note: The LDAP is mandatory for the SMS startup, since the SMS reads its
configuration from it.
Example: "ldap://demo.checkpoint.com:389/o=ldap.checkpoint.com"

Parameter: User
Description: The LDAP administrator's user name.
Example: "cn=Directory Manager"

Parameter: Password
Description: The LDAP administrator's password.
Example: "checkpoint"

Section: BACKUP_DB

Parameter: URL
Description: The backup LDAP server's URL.
Example: "ldap://demo.checkpoint.com:389/o=ldap.checkpoint.com"

Parameter: User
Description: The user name of the backup LDAP server administrator.
Example: "cn=Directory Manager"

Parameter: Password
Description: The password of the backup LDAP server administrator.
Example: "checkpoint"

Section: Server

Parameter: Uid
Description: The SMS server name.
Example: "demo1"

Section: MailProxy

Parameter: pop3_port
Description: The port used to listen for POP3 connections.
Example: 110

Parameter: smtp_port
Description: The port used to listen for SMTP connections.
Example: 25

Section: Advanced

Parameter: sessions_purge_interval
Description: The interval of time (in seconds) after which the SMS will purge old
sessions.
Example: 10

Parameter: db_reconnect_interval
Description: The interval of time (in seconds) after which the SMS will try to
reconnect to the LDAP, if the LDAP disconnects.
Example: 20

Parameter: ufp_reconnect_interval
Description: The interval of time (in seconds) after which the SMS will try to
reconnect to the UFP server, if the UFP server disconnects.
Example: 30

Parameter: cvp_reconnect_interval
Description: The interval of time (in seconds) after which the SMS will try to
reconnect to the CVP server, if the CVP server disconnects.
Example: 30

Parameter: cvm_connection_lifetime
Description: The lifetime of a CVM connection (in seconds).
Example: 60

Parameter: cvm_purge_interval
Description: How often (in seconds) the SMS purges old CVM connections.
Example: 60

Parameter: opsec_sessions_keepalive
Description: The interval of time (in seconds) to keep an OPSEC session alive.
Example: 3

Parameter: swtp_rcv_buf
Description: The size (in bytes) of the SWTP receive buffer.
Example: 32000

Parameter: swtp_snd_buf
Description: The size (in bytes) of the SWTP send buffer.
Example: 32000

Parameter: min_lbm_threshold
Description: The minimum threshold percentage for load balancing.
If a server's load (the number of gateways handled) reaches or exceeds this
percentage of the server's optimal load, then the load balancing mechanism is
activated.
Example: 10

Parameter: cvp_idle_interval
Description: The interval of time (in seconds) after which the SMS will send a
keepalive message to the mail server during the mail scanning process, in order
to avoid time-outs on the server side.
Example: 15

Parameter: cvp_client_idle_interval
Description: The interval of time (in seconds) after which the SMS will send a
keepalive message to the mail client during the mail scanning process, in order
to avoid time-outs in the mail reader application.
Example: 15

Parameter: cvp_client_timeout_interval
Description: The maximum number of times that the SMS will send keepalive message
to the mail client during the mail scanning process.
Example: 600

Parameter: drm_cache_max_size
Description: The maximum number of entries in the DDNS cache.
Example: 1000

Parameter: drm_cache_purge_interval
Description: The interval of time (in seconds) after which the DDNS service will
purge old entries from its cache.
Example: 30

Parameter: GatewaysReachable
Description: Indicates whether the SMS should close the client session on a command
timeout.
This can have the following values:
• true - The SMS will close the client session on a command timeout.
• false - The SMS will not close the client session on a command timeout.
The default value is false.
Example: false

Parameter: DisableIpLock
Description: Indicates whether to allow gateways with a static IP address to connect
from a different IP address. This can have the following values:
• true - Gateways with a static IP address can connect from a different IP address.
• false - Gateways with a static IP address cannot connect from a different IP
address.
The default value is false.
Example: false

Parameter: certificate_refresh_interval
Description: The interval of time (in seconds) after which the SMS will check for a
new certificate.
Example: 60
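Both configuration files described above hold directory credentials and access-control switches, so they are worth reviewing after every install, upgrade or restore. The following Python audit is an added example, not part of the Check Point guide or product: the function names, severity labels, idle-timeout threshold and sample file contents are assumptions, and the on-disk syntax (key=value properties, [Section] headers, quoted values) is assumed from the parameter tables.

```python
import configparser

# Values the guide prints as sample passwords; finding one in a live file means
# the documentation sample was never changed.
DOC_EXAMPLE_PASSWORDS = {"password1", "checkpoint"}
MAX_IDLE_MINUTES = 15  # assumption: the guide's example value, used as a review threshold

# Constructed sample files (not taken from a real installation).
SAMPLE_INFO_PROPERTIES = """\
DB_URL=AD;ldap://demo.checkpoint.com:389/o=ldap.checkpoint.com
DB_USER=cn=administrator,cn=users,DC=smp1,DC=com
DB_PASS=password1
ALLOW_REMOTE_API_ACCESS=1
HIDE_INSTANCES=0
SESSION_IDLE_TIMEOUT_MINUTES=120
"""

SAMPLE_SMS_INI = """\
[DB]
URL="ldap://demo.checkpoint.com:389/o=ldap.checkpoint.com"
User="cn=Directory Manager"
Password="checkpoint"
[Advanced]
DisableIpLock=true
ignore_disabled_gateways=true
"""


def parse_properties(text):
    """Minimal key=value reader (assumed syntax; Java escape handling is not implemented)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values such as a DN contain '=' themselves
        props[key.strip()] = value.strip()
    return props


def parse_sms_ini(text):
    """Read [Section] / Parameter=value pairs, keeping case and stripping surrounding quotes."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep names such as DisableIpLock exactly as written
    parser.read_string(text)
    return {s: {k: v.strip().strip('"') for k, v in parser.items(s)}
            for s in parser.sections()}


def audit_smc(props, source="INFO.properties"):
    """Return (severity, file, parameter, message) tuples for the SMC configuration file."""
    findings = []
    password = props.get("DB_PASS", "")
    if password:
        findings.append(("info", source, "DB_PASS",
                         "directory password stored in clear text; restrict read access to the file"))
    if password in DOC_EXAMPLE_PASSWORDS:
        findings.append(("high", source, "DB_PASS",
                         "password matches an example value printed in the guide"))
    if props.get("ALLOW_REMOTE_API_ACCESS", "0") == "1":
        findings.append(("high", source, "ALLOW_REMOTE_API_ACCESS",
                         "SMP API is open to remote clients (default 0 is local host only)"))
    if props.get("HIDE_INSTANCES") == "0":
        findings.append(("low", source, "HIDE_INSTANCES",
                         "SMC Login page lists every SMP virtual portal"))
    idle = props.get("SESSION_IDLE_TIMEOUT_MINUTES", "")
    if idle.isdigit() and int(idle) > MAX_IDLE_MINUTES:
        findings.append(("medium", source, "SESSION_IDLE_TIMEOUT_MINUTES",
                         f"idle sessions live {idle} minutes (review threshold {MAX_IDLE_MINUTES})"))
    return findings


def audit_sms(ini, source="SWManagementServer.ini"):
    """Return findings for the SMS INI file, using the same tuple layout as audit_smc."""
    findings = []
    for section in ("DB", "BACKUP_DB"):
        password = ini.get(section, {}).get("Password", "")
        if password:
            findings.append(("info", source, f"{section}.Password",
                             "LDAP password stored in clear text; restrict read access to the file"))
        if password in DOC_EXAMPLE_PASSWORDS:
            findings.append(("high", source, f"{section}.Password",
                             "password matches an example value printed in the guide"))
    if ini.get("Advanced", {}).get("DisableIpLock", "false").lower() == "true":
        findings.append(("medium", source, "Advanced.DisableIpLock",
                         "gateways with a static IP address may connect from a different IP address"))
    return findings


if __name__ == "__main__":
    results = (audit_smc(parse_properties(SAMPLE_INFO_PROPERTIES))
               + audit_sms(parse_sms_ini(SAMPLE_SMS_INI)))
    for severity, source, key, message in results:
        print(f"[{severity:6}] {source}: {key}: {message}")
```

To review a real installation, read the two files from the locations given above and pass their text to the same functions.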
Configuring the SMS to Ignore Disabled Gateways
When you disable an SMP virtual portal, all gateways defined in that portal are considered
disabled. Each time a disabled gateway attempts to connect to the SMS, the SMS sends an
"Access Denied" log to the SMC. In order to prevent the SMS from sending numerous
"Access Denied" logs to the SMC when a portal is disabled, you can configure the SMS to
ignore disabled gateways.
To configure an SMS to ignore disabled gateways
• In the SMS INI file, in the Advanced section, add the following line:
ignore_disabled_gateways=true
For information on editing the SMS INI file, see Editing the SMS INI File on page
58.
Chapter 6
Troubleshooting
SMP installation failed. What should I do?
The following events indicate that installation has failed:
• An error message appears during installation.
• The installer does not finish installing all the components.
• One or more SMP components do not work.
In the Check Point directory, check the file install.log. This log file contains error
messages generated during the installation process, as well as all the system commands
carried out during the installation process, their output, and return calls. Send the file to
customer support.
I am having trouble contacting the SMC Web site. What should I do?
If you have a Web caching server installed, disable caching of the SMC website in the
server's configuration.
An SMS does not start up. What should I do?
• In the SMC, in the System > Servers > Server > Edit page Configure tab's Status
node, check that the Address field matches the server's actual IP address. If the
server is configured behind a Network Address Translation (NAT) device, the
NAT address should be configured in the General node. For information on
viewing and configuring SMSs, see the SMP Administrator Guide, Managing
Servers and Server Groups.
• On the SMS machine, verify that the SWManagementServer.ini file
exists, and that the LDAP server user ID and password are configured correctly
in the file. For further information, see the SMP Administrator Guide, Managing
Servers and Server Groups.
• Restart the SMS from the command line, by doing the following:
a. Enter the following command:
sms_stop.bat
b. Enter the following command:
sms -confdir $SMP_HOME\conf
where $SMP_HOME is the SMP installation directory.
The SMC is working very slowly. What should I do?
• Check whether your LDAP server is being overloaded by several requests per
second, using the performance monitoring tools provided with your LDAP
server. If it is, you can reduce the user's setup interval.
• If you have many firmware files installed, delete some of them, as storing large
files causes significant performance degradation of the LDAP server.
I want to troubleshoot problems with a particular gateway. What should I do?
In the gateway's Main > Gateways > Edit page's Services > Logging node, temporarily set the
gateway's Send logs every field to a short interval (such as five seconds), so that when an
event occurs that involves the gateway, you will be able to view the event log almost
immediately.
For information on configuring a gateway's Send logs every field, see the SMP
Administrator Guide, Managing Service Plans and Gateways. For information on viewing
logs, see the SMP Administrator Guide, Monitoring the SMP.
When connecting to the Service Center, the following error message appears: "The gateway
is already registered with a different gateway ID". What should I do?
This error appears when the connecting gateway's MAC address is already registered in the
Service Center's database under a different gateway name. This can happen in the
following situations:
• The gateway's MAC address was loaded to the database by the Service Center
operators.
• Sometime in the past, the gateway connected to the Service Center and
registered its MAC address.
To work around this problem, search the database for the gateway's MAC address and do
one of the following:
• Delete the old gateway entry and reconnect the gateway to the Service Center.
• Delete the MAC address information from the gateway's entry and reconnect the
gateway to the Service Center.
I cannot log in to the SMC after changing the Active Directory password. What should I do?
The SMP uses the Active Directory login credentials to access the LDAP database. Active
Directory login credentials are stored when SMP is installed, but they are not dynamically
updated when you change the Active Directory password. If you changed the Active
Directory password, you must edit the following files with the correct credentials:
• $SMP_HOME\conf\SWManagementServer.ini
• $SMP_HOME\Tomcat\webapps\SMC\WEB-INF\info.properties
$SMP_HOME is the SMP installation directory.
Mail Antivirus scanning does not work. What should I do?
If you provide Mail Antivirus services, and customers complain they cannot send or
receive emails, check the following:
• Is the OPSEC CVP server software installed correctly?
The software may offer a few installation options. Make sure that the software is
actually installed in CVP mode. Refer to the installation documentation provided by
the software vendor for more information.
• Is the OPSEC CVP server software licensed correctly?
Make sure that you have a valid and working license for the OPSEC CVP server
software.
• Is the SMP licensed correctly to provide Mail Antivirus services?
The SMP must be licensed properly to provide Mail Antivirus services. See the SMP
Administrator Guide, Managing SMP Licenses.
• Is the SMP behind a firewall?
Open ports TCP 110 (POP3) and TCP 25 (SMTP) for incoming connections to the
SMP.
• Is there a mail server installed on the same computer as the SMP?
Remove any mail server software installed on the computer.
I cannot generate security reports. What should I do?
Examine the Check Point reporting module log file, located at
$SMP_HOME\files\reports\reporter.log, where $SMP_HOME is the
SMP installation directory.
Chapter 7
Protecting the SMP behind a Firewall
It is highly recommended to protect the SMP behind a firewall. In order for the system to
operate properly, open the ports described in the table below.
Note: In a full installation, the installer automatically installs all the SMP components
(server, database, UFP extension and so on) on the same computer. The table below
uses parentheses to distinguish between the different components.
Table 6: Default SMP Ports
Source
Destination
Default Ports
Note
Management Server
Any
9281 UDP
Gateway-Server
(SMS)
Any
communication
Management Server
9282 UDP
(SMS)
Any
Gateway-Server
communication
Management Server
HTTP, HTTPS (80,
Self Provisioning
(SPP)
443)
Portal
Mail Server
SMTP (25)
Management IP
Management Server
9282 TCP
address (SMC)
(SMS)
Management IP
address (SPP, SMC)
SMC-Server
communication via
SMSTP (SMS
Transport Protocol)
Administrator IP
Management Server
address
(SMS)
9283
SMS Console port
TCP
Administrator IP
Management Server
HTTP, HTTPS (80,
Administration SMC
address
(SMC)
443)
Administrator IP
Management IP
12345
address
address (SunONE
Only if SunONE
Directory server is
TCP
LDAP Console)
Any
Management Server
used
110
Needed only if POP3
(SMS)
Management Server
Any
CVP is enabled
110
Needed only if POP3
(SMS)
Any
CVP is enabled
Management Server
25
Needed only if SMTP
(SMS)
Management Server
Any
CVP is enabled
25
Needed only if SMTP
(SMS)
CVP is enabled
Management Server
Check Point Syslog
515 UDP
Syslog port
(SMS)
Server
Management Server
ELA server
18187 TCP
ELA
CVP server
18181 TCP
CVP
UFP server
18182 TCP
UFP
(SMS)
Management Server
(SMS)
Management Server
(SMS)
Management Server
DNS server
53 TCP and UDP
DDNS
(SMS)
Chapter 8
Replicating Databases
It is recommended that you replicate your database, so that if your main database fails, the
SMP will continue to function, using the second database.
In Active Directory, the recommended replication is to a second server in the same domain
that also has Active Directory installed. Active Directory supports multi-master
replication.
For replication instructions for Active Directory, go to:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/13f619dc-ca0c-4c63-97be-bdb1a67f6f50.mspx
For replication instructions for Active Directory 2000, go to:
http://www.petri.co.il/how_to_install_active_directory_replica_on_w2k.htm
For replication instructions for Active Directory 2003, go to:
http://www.petri.co.il/how_to_install_active_directory_replica_on_windows_2003.htm
If you are using SunONE Directory Server, you will need to configure the database
replication. SunONE supports both single-master and multi-master replication. The
recommended replication is multi-master replication to a second server.
For replication instructions for SunONE Directory Server, go to:
http://docs.sun.com/source/816-2670/replicat_new.htm#1100299
Chapter 9
Configuring the Security Content
Filtering Server
The Check Point Security Content Filtering Server (SCS) is an optional SMP component
that represents a full antivirus and antispam solution based on the ClamAV antivirus
system and Apache SpamAssassin, as well as a full UFP filtering solution based on the
Secure Computing SmartFilter system.
For information about the ClamAV antivirus system, go to http://www.clamav.net. For
information about Apache SpamAssassin, go to http://spamassassin.apache.org. For
information about Secure Computing SmartFilter, go to
http://www.securecomputing.com/index.
The SCS can be installed using the procedure Installing SMP on page 35, and it requires a
license. For information on purchasing a license from Check Point, see the SMP
Administrator Guide, Managing SMP Licenses. For the ClamAV and SpamAssassin
open-source licenses, see COPYRIGHT & TRADEMARKS.
This appendix explains how to configure the SCS.
This chapter includes the following topics:
Configuring SCS General Settings
Configuring ClamAV Settings
Configuring SpamAssassin Settings
Configuring SCS General Settings
To configure SCS general settings, edit the SCS configuration file SCS.ini, which is
located under $SMP_HOME\conf, where $SMP_HOME is the SMP installation directory.
For information on this file's sections and parameters, see the table below.
Table 7: SCS INI File Sections and Parameters

Section: SCS

Parameter: BindAddr
Description: The IP address to which the listener binds.
This can have the following values:
• A specific IP address
• 0.0.0.0 - All IP addresses of the machine
The default is 0.0.0.0.

Parameter: CvpListenPort
Description: The port used to listen for incoming connections for CVP filtering.
The default is 18181.

Parameter: UfpListenPort
Description: The port used to listen for incoming connections for URL filtering.
The default is 18182.

Parameter: SpamMechanism
Description: The mechanism used to identify spam.
This can have the following values:
• 0 - Disable antispam support.
• 1 - Use SpamAssassin.

Parameter: VirusMechanism
Description: The mechanism used to identify viruses.
This can have the following values:
• 0 - Disable antivirus support.
• 1 - Use ClamAV.

Parameter: UfpMechanism
Description: The mechanism used to filter Web sites.
This can have the following values:
• 0 - Disable Web Filtering support.
• 1 - Use SmartFilter.

Parameter: MsgFrom
Description: The name and address appearing in the From field of the virus
notification email.

Parameter: MsgSubject
Description: The text appearing in the Subject field of the virus notification email.

Parameter: MsgSubjectVirusPrefix
Description: The prefix to the text appearing in the Subject field of the virus
notification email.
For example, if this parameter is set to "*****VIRUS*****" and the MsgSubject
parameter is set to "Virus Blocked by SCS", the email's Subject field will display:
"*****VIRUS*****Virus Blocked by SCS"

Parameter: MsgContentFile
Description: The name of the attached *.txt file containing the infected email.

Parameter: MsgCharSet
Description: The virus notification email's character set.

Parameter: VirusFolder
Description: The full path to the folder in which viruses are collected.

Section: ClamAV

Parameter: MaxVirusCount
Description: The maximum number of virus samples saved.

Parameter: ServerIP
Description: The IP address of the server running ClamAV.
By default this is the same server as the SCS.
Note: If ClamAV is installed on another server, you can stop the Check Point Mail
Antivirus service and direct the SCS to work with that server.

Parameter: ServerPort
Description: The port on which ClamAV listens for incoming connections.
The default value is 3310.
Note: To change this port, you must modify both this parameter and the TCPSocket
field in the ClamAV configuration file. See Configuring ClamAV Settings on page 77.

Section: SpamAssassin

Parameter: ServerIP
Description: The IP address of the server running SpamAssassin.
By default this is the same server as the SCS.
Note: If SpamAssassin is installed on another server, you can stop the Check Point
Mail AntiSpam service and direct the SCS to work with that server.

Parameter: ServerPort
Description: The port on which SpamAssassin listens for incoming connections.
The default value is 783.
Note: To change this port, you must modify both this parameter and the relevant
parameter in the SpamAssassin configuration file.

Parameter: ServerTimeout
Description: If the Spam Daemon takes longer than this many seconds to reply to a
message, SCS will abort the connection and treat this as a failure to connect.
The default value is 60.

Parameter: MessageSize
Description: The maximum size of messages that will be scanned for spam (in bytes).
Larger messages will not be scanned for spam.
The default value is 256000.

Section: SmartFilter

Parameter: UpdateInterval
Description: The interval of time (in minutes) at which the SCS should download
updates to the SmartFilter database.
The default value is 360.

Section: Log

Parameter: LogLevel
Description: The lowest level of messages to be logged. The possible levels are:
• Info
• Warning
• Error
The default value is "Info".

Parameter: LogVerbose
Description: Indicates whether to enable verbose log messages.
This can have the following values:
• true - Enable verbose log messages.
• false - Disable verbose log messages.
Configuring ClamAV Settings
To configure ClamAV settings, edit the ClamAV configuration file clamd.conf, which
is located at $SMP_HOME\ClamAV\conf, where $SMP_HOME is the SMP installation
directory.
This file's most important fields are described in the table below. For complete
documentation of the ClamAV configuration file, see the comments in the file itself.
Table 8: ClamAV Configuration Fields
TCPSocket
    The port on which the ClamAV server listens for incoming
    connections.
    Note: To change this port, you must modify both this field and the
    ClamServerPort parameter in the SCS configuration file. See
    Configuring SCS General Settings on page 74.
TCPAddr
    The IP address to which the ClamAV server binds.
Foreground
    Specifies whether the ClamAV daemon should stay in the foreground
    or move to the background once started.
    Warning: Do not disable this option.
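The port coupling between the SCS file and clamd.conf described in the notes above can be checked mechanically. The following is an added example, not part of this guide or of the product: it cross-checks the two files and also reports a clamd listener that is bound more widely than the SCS needs. The INI layout of the SCS file and both sample file contents are assumptions, and the check uses the ServerPort name from the SCS settings table rather than the ClamServerPort name that Table 8 mentions.

```python
import configparser

# Constructed sample of the SCS configuration file. The INI layout is an
# assumption; section and parameter names follow the SCS settings table.
SCS_INI = """\
[SCS]
BindAddr=0.0.0.0
VirusMechanism=1

[ClamAV]
ServerIP=127.0.0.1
ServerPort=3310
"""

# Constructed clamd.conf: the port was changed here but not in the SCS file.
CLAMD_CONF = """\
# constructed sample
TCPSocket 3311
TCPAddr 0.0.0.0
Foreground yes
"""

LOOPBACK = {"127.0.0.1", "localhost"}
TRUE_VALUES = {"yes", "true", "1"}


def parse_clamd_conf(text):
    """Return clamd.conf directives as {name: value}; '#' starts a comment."""
    fields = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            fields[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return fields


def check_clamav_link(scs_text, clamd_text):
    """Cross-check the SCS [ClamAV] section against clamd.conf."""
    scs = configparser.ConfigParser(interpolation=None)
    scs.optionxform = str  # keep parameter names case-sensitive
    scs.read_string(scs_text)
    clamd = parse_clamd_conf(clamd_text)

    if scs.get("SCS", "VirusMechanism", fallback=None) == "0":
        return ["VirusMechanism=0: antivirus support is disabled, nothing to check"]

    findings = []
    # 3310 is the default the guide documents for ServerPort.
    scs_port = scs.get("ClamAV", "ServerPort", fallback="3310")
    clamd_port = clamd.get("TCPSocket")
    if clamd_port is None:
        findings.append("clamd.conf sets no TCPSocket")
    elif clamd_port != scs_port:
        findings.append(
            f"port mismatch: SCS ServerPort={scs_port}, clamd TCPSocket={clamd_port}")

    # Assumption: an absent ServerIP means ClamAV runs on the SCS host itself.
    server_ip = scs.get("ClamAV", "ServerIP", fallback="127.0.0.1")
    # clamd binds to every address when TCPAddr is not set.
    tcp_addr = clamd.get("TCPAddr", "0.0.0.0")
    if server_ip in LOOPBACK and tcp_addr not in LOOPBACK:
        findings.append(
            f"clamd listens on {tcp_addr} although SCS connects to {server_ip}; "
            "bind TCPAddr to the loopback address")

    if clamd.get("Foreground", "").lower() not in TRUE_VALUES:
        findings.append("Foreground is not enabled; the guide warns against disabling it")
    return findings


if __name__ == "__main__":
    for finding in check_clamav_link(SCS_INI, CLAMD_CONF):
        print("FINDING:", finding)
```

Run it after every port or address change on either side; an empty result means the two files agree.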
Configuring SpamAssassin Settings
To configure SpamAssassin settings, edit the SpamAssassin configuration file local.cf,
which is located at $SMP_HOME\Perl\site\etc\mail\spamassassin, where
$SMP_HOME is the SMP installation directory.
This file's most important fields are described in the table below. For complete
documentation of the SpamAssassin configuration file, see
http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html.
Table 9: SpamAssassin Configuration Fields
rewrite_header {subject | from | to} STRING
    If this field is set, SpamAssassin will tag the suspected spam
    message's header.
    • {subject | from | to} specifies which header should be tagged.
    • STRING is the text that should replace the header.
    For example:
    rewrite_header Subject SPAM
required_score n.nn
    The score required in order for a message to be considered spam.
    n.nn is the score.
    The default value is 5.
report_safe { 0 | 1 | 2 }
    Indicates how SpamAssassin should handle incoming messages that
    are tagged as spam. The possible values are:
    • 0 - SpamAssassin will modify incoming messages that are tagged
      as spam by adding X-Spam- headers, but will not change the
      message body. In addition, SpamAssassin will add the
      X-Spam-Report header.
    • 1 - SpamAssassin will not modify incoming messages that are
      tagged as spam. Instead, SpamAssassin will create a new report
      message and attach the original message as a message/rfc822
      MIME part. This ensures that the original message is completely
      preserved, not easily opened, and simple to recover.
    • 2 - SpamAssassin will not modify incoming messages that are
      tagged as spam. Instead, SpamAssassin will create a new report
      message and attach the original message in text/plain format.
      This setting is useful for mail clients that automatically load
      attachments, and ensures that the original message is not
      easily extracted or viewed.
    The default value is 1.
skip_rbl_checks { 0 | 1 }
    Indicates whether SpamAssassin should run RBL checks. The
    possible values are:
    • 0 - Run RBL checks.
    • 1 - Do not run RBL checks.
    The default value is 0. If your ISP already does this for you, set
    this field to 1.
use_bayes { 0 | 1 }
    Indicates whether to use the naive-Bayesian-style classifier built
    into SpamAssassin. This is a master on/off switch for all
    Bayes-related operations. The possible values are:
    • 0 - Do not use the built-in classifier.
    • 1 - Use the built-in classifier.
    The default value is 1.
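A local.cf can be reviewed against Table 9 before the Check Point Mail AntiSpam service is restarted. The following is an added example, not part of this guide or of SpamAssassin: it reads the fields the table describes, rejects values outside the listed sets, and reports which settings differ from the documented defaults. The sample file content is constructed, and '#' is treated as the start of a comment.

```python
# Defaults and value sets exactly as Table 9 lists them.
DEFAULTS = {"required_score": 5.0, "report_safe": "1",
            "skip_rbl_checks": "0", "use_bayes": "1"}
ALLOWED = {"report_safe": {"0", "1", "2"},
           "skip_rbl_checks": {"0", "1"},
           "use_bayes": {"0", "1"}}
HEADERS = {"subject", "from", "to"}

# Constructed sample local.cf.
LOCAL_CF = """\
# constructed sample
rewrite_header Subject SPAM
required_score 3.5
report_safe 3
skip_rbl_checks 1
use_bayes 1
"""


def audit_local_cf(text):
    """Return (settings, changed, errors) for the Table 9 fields in local.cf."""
    settings = dict(DEFAULTS)
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        name = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if name == "rewrite_header":
            target = value.split(None, 1)
            if len(target) == 2 and target[0].lower() in HEADERS:
                settings["rewrite_header " + target[0].lower()] = target[1]
            else:
                errors.append(
                    f"line {lineno}: rewrite_header needs subject|from|to and a string")
        elif name == "required_score":
            try:
                settings[name] = float(value)
            except ValueError:
                errors.append(f"line {lineno}: required_score {value!r} is not a number")
        elif name in ALLOWED:
            if value in ALLOWED[name]:
                settings[name] = value
            else:
                # Invalid values are reported and not applied to the summary.
                errors.append(f"line {lineno}: {name} {value!r} is not one of "
                              f"{sorted(ALLOWED[name])}")
        # Fields that Table 9 does not describe are left alone.
    changed = {k: settings[k] for k in DEFAULTS if settings[k] != DEFAULTS[k]}
    return settings, changed, errors


if __name__ == "__main__":
    settings, changed, errors = audit_local_cf(LOCAL_CF)
    print("differs from documented default:", changed)
    for error in errors:
        print("ERROR:", error)
```

The `changed` result is the part to review: a lowered required_score or skip_rbl_checks set to 1 alters what is classified as spam, so each such deviation should be deliberate.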
Glossary of Terms
A
antivirus
A program that detects viruses and takes
appropriate action.
B
batch
A group of gateways that share certain
attributes.
C
center gateway
A member of a star VPN community*,
which can establish VPN tunnels* with
each satellite gateway* in the
community. Also called a hub.
certificate
A digital signature encrypted with a
public key and with the private key of
the Certificate Authority (CA)*.
Gateways, users, and computers use
certificates to identify themselves and
provide verifiable information. For
instance, a certificate includes an
entity’s Distinguished Name (DN),
public key, and possibly the IP address.
After two entities exchange and validate
each other's certificates, they can begin
encrypting information between
themselves using the public keys in the
certificates.
Certificate Authority (CA)
The Certificate Authority (CA) issues
certificates* to entities such as
gateways, users, or computers. The
entity later uses the certificate to
identify itself and provide verifiable
information. For instance, the certificate
includes the Distinguished Name (DN)
(identifying information) of the entity,
as well as the public key (information
about itself), and possibly the IP
address.
After two entities exchange and validate
each other's certificates, they can begin
encrypting information between
themselves using the public keys in the
certificates.
Content Vectoring Protocol (CVP)
An OPSEC* API that enables
integration of third-party content
security applications such as antivirus
software into gateways. The CVP API
has been adopted by a wide variety of
security vendors.
Customer Premises Equipment (CPE)
Communications equipment located at
the customer's site.
D
demilitarized zone (DMZ)
An internal network defined in addition
to the LAN network and protected by
the Embedded NGX gateway.
DHCP
Any machine requires a unique IP
address to connect to the Internet using
Internet Protocol. Dynamic Host
Configuration Protocol (DHCP) is a
communications protocol that assigns
Internet Protocol (IP) addresses to
computers on the network.
DHCP uses the concept of a "lease" or
amount of time that a given IP address
will be valid for a computer.
Domain Name System (DNS)
An Internet service that receives domain
names and returns the corresponding IP
addresses.
Dynamic DNS (DDNS)
A service that allows you to assign a
domain name to a gateway, and that
updates the mapping of domain name to
IP address each time the gateway’s IP
address changes.
Dynamic VPN (DVPN)
A service that allows the creation of
VPN communities. Each time the IP
address of a gateway in the VPN
community changes, the DVPN service
automatically updates all the gateways
in the community with the most recent
IP address.
E
Event Logging Module (ELM)
A remote logging mechanism that
enables the SMS* to collect log
information and security reports from
Embedded NGX gateways.
F
firewall
A combination of hardware and
software resources positioned between a
local (trusted) network and the Internet.
The firewall ensures that all
communication between an
organization’s network and the Internet
meets the organization’s security policy.
firmware
Software embedded in a device.
G
gateway
A device positioned between two
networks, and through which all
communications between the networks
must pass. A gateway is the natural
choice for enforcing a security policy
and providing encryption and
authentication services.
H
High Availability
A configuration in which redundant
components take over the tasks of failed
components, to maintain constant
availability of a system despite failures.
host
A computer connected to a network.
HTTPS
Hypertext Transfer Protocol over Secure
Socket Layer, or HTTP over SSL.
A protocol for accessing a secure Web
server. It uses SSL as a sub-layer under
the regular HTTP application. This
directs messages to a secure port
number rather than the default Web port
number, and uses a public key to
encrypt data.
HTTPS is used to transfer confidential
user information.
I
INSPECT
Check Point’s high-level scripting
language for defining a security policy*.
An INSPECT script* is compiled into
machine code and loaded into an
Inspection Module* for execution.
INSPECT Script
See Inspection Script on page 83.
Inspection Code
A code that is compiled from an
Inspection Script* and loaded into an
Embedded NGX FireWall Module for
enforcement. Also called INSPECT
Code.
Inspection Module
A Check Point security application
embedded in the broadband access
device or gateway, (between the data
link and network layers), that enforces a
security policy*.
Inspection Script
The ASCII file that the Check Point
Policy Editor generates from the
security policy*. An Inspection Script
can also be written using a text editor.
Internet
A public network connecting many
thousands of computer networks in a
three-level hierarchy, including
backbone networks (such as NSFNET,
MILNET), mid-level networks and
sub-networks. The Internet utilizes
multiple communication protocols
(especially TCP/IP*) to create a
worldwide communications medium.
Internet Protocol (IP)
The network layer for the TCP/IP*
protocol suite. IP is a connectionless,
best-effort packet switching protocol
that is designed to provide the most
efficient delivery of packets across the
Internet.
intranet
An organization’s internal private
network that is managed according to
Internet protocols, but accessible only
inside the organization.
IP address
The 32-bit address defined by the
Internet Protocol to uniquely identify
Internet hosts and servers.
IP spoofing
A technique whereby an intruder
attempts to gain access to a network by
altering a packet’s IP address to make it
appear as though the packet originated
in a part of the network with higher
access privileges, (for example, the IP
address of a workstation in the local
network). This form of attack is only
possible if a network’s internal IP
addresses have been exposed.
K
key
Information used to encrypt and decrypt
data.
L
LAN
See Local Area Network (LAN) on
page 84.
load balancing
The ability to distribute processing
loads among multiple servers, so as to
improve performance and reduce access
time. Load balancing is often
transparent to the user. It improves
Internet security by reducing the risks
associated with certain attacks and by
applying greater resources to the tasks
of monitoring and filtering network
traffic. A variety of algorithms can be
used to determine how best to distribute
traffic over these servers.
Local Area Network (LAN)
A data network intended to serve an
area of only a few square kilometers or
less (more typically, an individual
organization). LANs consist of software
and equipment such as cabling, hubs,
switches, and routers, enabling
communication between computers and
the sharing of local resources such as
printers, databases, and file and video
servers.
local management plan
A service plan which allows the
administrators of gateways subscribed
to this plan to configure management,
security, and network settings.
Logging and Event API (LEA)
An OPSEC* API that enables an
application to securely receive and
process both real-time and historical
logging and auditing events generated
by Check Point SMP. LEA can be used
by a variety of applications to
complement firewall management.
M
MAC address
The physical hardware address of a
device connected to a network.
Managed Internet Security Services
Bundled security services, including
secure Internet*, intranet* and extranet,
that are provided by a Service
Provider*. Typically, the Service
Provider handles management and
support for the security services, which
can be implemented as part of the
Internet service or customized to client
needs.
meshed VPN community
A VPN community in which all
members can communicate directly with
each other and fully access the networks
behind the gateways.
N
network address
The network portion of an IP address*.
Depending on the network’s class, this
can comprise the first one to three bytes
of an IP address, with the remainder
being the host or server address.
Network Address Translation
Translating an internal network’s real IP
addresses to “false” IP addresses, either
to prevent exposing the real addresses or
to enable hosts with “invalid” addresses
to communicate on the Internet, thus
avoiding the need to change a network’s
IP addresses (a formidable, error-prone
task).
NOC
Network Operating Center
O
Open Platform for Secure Enterprise
Connectivity (OPSEC)
An open, industry-wide alliance, driven
by Check Point Software Technologies,
to ensure interoperability at the policy
level between security products.
Interoperability is achieved through a
combination of published APIs,
industry-standard protocols, and a
high-level scripting language. OPSEC
encourages partnerships in the areas of
infrastructure (network products and
services), framework (security
products), and passport (applications
developers).
OPSEC
See Open Platform for Secure
Enterprise Connectivity (OPSEC) on
page 85.
P
packet
A unit of data, as sent across a network.
packet filter
A type of firewall* that examines only
the network layer of a packet* and is
typically implemented by routers. This
type of firewall cannot support dynamic
protocols nor apply application
intelligence to the data stream.
password
A short string of characters, knowledge
of which is required to gain access to
some resource. Passwords are
considered unreliable security devices
because they are relatively easy to guess
at, and people tend not to take strict
precautions against their disclosure. See
also token on page 88.
public network
Any computer network, such as the
Internet*, that offers long-distance
inter-networking, using open, publicly
accessible telecommunications services,
(in contrast to a WAN* or LAN*).
R
remote management plan
A service plan which allows SMP
administrators to remotely configure
management, security, and network
settings for gateways subscribed to the
plan.
Rule Base
An ordered set of rules that defines an
Embedded NGX security policy*. A
rule describes a communication in terms
of its source, destination, and service,
and specifies whether the
communication should be accepted or
rejected, as well as whether it is to be
logged. Each communication is tested
against the Rule Base. If it does not
match any of the rules, it is dropped.
S
satellite gateway
A member of a star VPN community*,
which can only establish VPN tunnels
with the center gateway*. Also called a
spoke.
Security Content Filtering Server (SCS)
An optional Check Point component
that represents a full antivirus, antispam,
and URL filtering solution. The SCS is
based on the free, open-source ClamAV
antivirus system, the free Apache
SpamAssassin, and on the Secure
Computing SmartFilter URL filtering
system.
Security Management Center (SMC)
A Web-based application for managing,
configuring, and monitoring all SMP
user and system settings.
Security Management Server (SMS)
A Check Point component that
distributes security policies, firmware,
and user interfaces to gateways. The
SMS also installs the gateway’s
certificate on the corresponding
appliance.
security policy
A security policy is defined in terms of
firewalls*, services, users and the rules
that govern the interactions between
them. Once these have been specified,
an Inspection Script* is generated and
then installed on the firewalled hosts or
gateways. The gateways can then
enforce the security policy on a per-user
basis, enabling verification not only of
the communication’s source,
destination, and service, but of the
user’s authenticity, as well. A
user-based security policy also allows
control based on content. For example,
mail to or from certain addresses can be
rejected or redirected, access can be
denied to specific URLs, and antivirus
checking of transferred files can be
performed.
Security with Transport Protocol (SWTP)
The protocol used by the SMS to
communicate with gateways.
Self Provisioning Portal (SPP)
A website that enables customers to
change some of their own settings.
server group
A group of Security Management
Servers* (SMS).
service plan
A service plan is a template in which
you define a set of gateway features.
Each gateway is assigned to a plan, and
by default, inherits its settings from the
plan. There are two types of plans:
remote management* and local
management*.
Service Provider
A provider of access to the Internet.
Some providers own the network
infrastructure, while others lease
network capacity from a third party.
SP
See Service Provider on page 87.
star VPN community
A VPN community composed of two
types of members, center* and satellite*
(also called hub and spoke), where:
• The center gateway can
establish VPN tunnels with
each satellite gateway.
• Satellite gateways cannot
establish VPN tunnels with
each other.
Stateful Inspection
A technology developed and patented
by Check Point that provides the highest
level of security currently available. A
Stateful Inspection Module accesses and
analyzes all the data derived from all
communication layers. This state and
context data is stored and updated
dynamically, providing virtual session
information for tracking connectionless
protocols.
Cumulative data from the
communication and application states,
network configuration and security rules
are all used to decide on an appropriate
action: either accepting, rejecting or
encrypting the communication.
Any traffic not explicitly allowed by the
security policy* is dropped.
Subnet Mask
A 32-bit identifier indicating how the
network is split into subnets. The subnet
mask indicates which part of the IP
address is the host ID and which
indicates the subnet.
T
TCP
See Transmission Control Protocol on
page 88.
TCP/IP
See Transmission Control Protocol
over Internet Protocol (TCP/IP) on
page 88.
token
A password* that can be used only
once, typically generated by a hardware
device, as needed. Tokens are
considered secure, since even if one is
revealed, it cannot be misused, because
it is no longer valid after its first use.
Transmission Control Protocol
A connection-oriented and
stream-oriented Internet standard
transport layer protocol, (in contrast to
the connectionless UDP protocol).
Transmission Control Protocol over
Internet Protocol (TCP/IP)
The common name for the suite of
UNIX-based protocols developed by the
U.S. Department of Defense in the
1970s. TCP/IP is the primary language
of the Internet.
U
URL
An identifier that uniquely identifies a
Web-based resource, such as a Web
page, (for example:
www.checkpoint.com).
URL Filtering Protocol (UFP)
An OPSEC* API that enables the
integration of a third-party application
to categorize and control access to
specific URL addresses.
V
Virtual Private Network (VPN)
A network with both private and public
segments, in which data passing over its
public segments is encrypted so as to
achieve secure communications. A VPN
is significantly less expensive and more
flexible than a dedicated private
network.
virus
A program that replicates itself on
computer systems by incorporating
itself into other programs that are shared
among computer systems. Once in a
new host, a virus can damage data in the
host’s memory, display unwanted
messages, crash the host or, in some
cases, simply lie dormant until a
specified event occurs (for example, the
turning of a new year).
VPN community
A group made up of several gateways
sharing the same VPN security
parameters, such as encryption
algorithms. When a new member is
added to a community, it automatically
inherits the appropriate properties and
can immediately establish secure
sessions with the rest of the VPN
community. There are two types of
VPN communities: star and meshed.
VPN routing
A way of directing communication
through a specific VPN tunnel in order
to enhance existing connectivity or
security. For example, in a star VPN
community* configured for VPN
routing, packets sent by a satellite
gateway are routed through the center
gateway to the destination satellite
gateway.
VPN tunnel
A secure connection between a Remote
Access VPN Client and a Remote
Access VPN Server.
W
Web server
A network device that stores and serves
up any kind of data file, including text,
graphic images, video, or audio. Its
stored information can be accessed via
the Internet* using standard protocols,
most often HTTP.
Wide Area Network (WAN)
A geographically large network,
(usually private). A WAN is typically
constructed to span numerous locations
within a single city.
wireless LAN (WLAN)
A wireless local area network protected
by the Embedded NGX gateway.