Checkpoint R65 Edge Management Admin Guide

  • 8/2/2019 Checkpoint R65 Edge Management Admin Guide

    VPN-1 UTM Edge Management Solutions

    Administration Guide

    Version NGX R65

    701308 February 14, 2007

    2003-2007 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

    2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

    For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.

    Contents

    Preface
        Who Should Use This Guide
        Summary of Contents
        Related Documentation
        More Information
        Feedback

    Chapter 1 Introduction to VPN-1 UTM Edge Appliances
        Introduction
        Security & VPN Solutions for Different Sized Organizations
        Solution for VPN-1 UTM Edge Appliances
            Finding the Right Check Point Management Solution
            An Overview of VPN-1 UTM Edge
            VPN-1 UTM Edge Device Functionality

    Chapter 2 Installation and Configuration
        Introduction to the Installation and Configuration Processes
        Before You Begin
        Overview of Workflow for SmartCenter Management Solution
        Overview of Workflow for SmartLSM Management Solution
        Configuration Operations
            Installing and Configuring VPN-1 UTM Edge Appliances
            Installation & Configuration Using SmartCenter
            Working with VPN-1 UTM Edge Objects for SmartCenter
            Working with VPN-1 UTM Edge objects for SmartLSM
            SmartDashboard Content Inspection Configuration
            Creating a Security Policy for VPN-1 UTM Edge Appliance
            Security Policy Operations
            Managing VPN-1 UTM Edge Devices with SmartCenter Server
            Remote Login to the SmartCenter Server
            Configuring VPN in SmartCenter
            Viewing Logs in the SmartView Tracker
            Downloading the Latest Firmware from SmartUpdate

    Index

    Preface

    In This Chapter

    Who Should Use This Guide
    Summary of Contents
    Related Documentation
    More Information
    Feedback

    Who Should Use This Guide

    This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.

    This guide assumes a basic understanding of:

    • System administration.
    • The underlying operating system.
    • Internet protocols (IP, TCP, UDP etc.).

    Summary of Contents

    This document describes how your VPN-1 UTM Edge appliance is managed using various Check Point management solutions, such as SmartCenter, Provider-1 and SmartLSM. In this document you will also learn about Check Point features that the VPN-1 UTM Edge supports, and how to use them for your VPN solutions.

    | Chapter | Description |
    |---|---|
    | Chapter 1, Introduction to VPN-1 UTM Edge Appliances | Describes the appliances offered by Check Point that provide both Security and VPN solutions, support SMART management, and can be used in conjunction with VPN-1 Power and VPN-1 UTM. In addition, this chapter explains how these appliances can be centrally managed and incorporated into existing infrastructures. |
    | Chapter 2, Installation and Configuration | Describes installation and configuration processes. |

    Related Documentation

    This release includes the following documentation:

    TABLE P-1 VPN-1 Power documentation suite documentation

    | Title | Description |
    |---|---|
    | Internet Security Product Suite Getting Started Guide | Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What's New, Licenses, Minimum hardware and software requirements, etc. |
    | Upgrade Guide | Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65. |
    | SmartCenter Administration Guide | Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints. |
    | Firewall and SmartDefense Administration Guide | Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic. |
    | Virtual Private Networks Administration Guide | This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure. |
    | Eventia Reporter Administration Guide | Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense. |
    | SecurePlatform/SecurePlatform Pro Administration Guide | Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform and explains Dynamic Routing (Unicast and Multicast) protocols. |
    | Provider-1/SiteManager-1 Administration Guide | Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments. |

    TABLE P-2 Integrity Server documentation

    | Title | Description |
    |---|---|
    | Integrity Advanced Server Installation Guide | Explains how to install, configure, and maintain the Integrity Advanced Server. |
    | Integrity Advanced Server Administrator Console Reference | Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system. |
    | Integrity Advanced Server Administrator Guide | Explains how to manage administrators and endpoint security with Integrity Advanced Server. |
    | Integrity Advanced Server Gateway Integration Guide | Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package. |
    | Integrity Advanced Server System Requirements | Provides information about client and server requirements. |
    | Integrity Agent for Linux Installation and Configuration Guide | Explains how to install and configure Integrity Agent for Linux. |
    | Integrity XML Policy Reference Guide | Provides the contents of Integrity client XML policy files. |
    | Integrity Client Management Guide | Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior. |

    More Information

    For additional technical information about Check Point products, consult Check Point's SecureKnowledge at https://secureknowledge.checkpoint.com/.

    See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents

    Feedback

    Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

    [email protected]

    Chapter 1

    Introduction to VPN-1 UTM Edge Appliances

    In This Chapter

    Introduction
    Security & VPN Solutions for Different Sized Organizations
    Solution for VPN-1 UTM Edge Appliances

    Introduction

    Thank you for using Check Point VPN-1 UTM Edge appliances, which provide secure connectivity and VPN solutions at affordable prices. Check Point's VPN-1 UTM Edge appliances, which include the X-series and S-series appliances, are easy to install and user-friendly. Moreover, along with the VPN-1 appliances (such as Nokia and NEC devices), they are seamlessly and securely integrated with different Check Point management solutions, such as SmartCenter, Provider-1 and SmartLSM.

    This document describes how your VPN-1 UTM Edge appliances are managed using various Check Point management solutions, such as SmartCenter, Provider-1 and SmartLSM. In this document you will also learn about Check Point features that the VPN-1 UTM Edge and other appliances support, and how to use these appliances for your VPN solutions.

    Security & VPN Solutions for Different Sized Organizations

    All enterprises and organizations, large and small, require tailor-made security and VPN solutions for the management of their remote sites and branch offices. These solutions must take into consideration that remote sites or branch offices:

    • do not necessarily need enterprise-size solutions or costs for their moderate-sized employee-base.
    • do not require advanced Security Policy and VPN configurations but do require full security and connectivity.
    • do not necessarily employ a full-time security administrator and are not necessarily looking to manage the VPN-1 Power or VPN-1 UTM gateway themselves.

    What these businesses require is a solution that offers connectivity and security at an affordable rate that is easy to integrate into existing infrastructure and is easy to use.

    Solution for VPN-1 UTM Edge Appliances

    VPN-1 UTM Edge is a series of appliances offered by Check Point that provides both Security and VPN solutions, which are affordable, easy to configure and simple to manage for securing enterprise remote sites and large-scale VPN deployments.

    VPN-1 UTM Edge appliances support SMART management and can be used in conjunction with VPN-1 Power and VPN-1 UTM.

    VPN-1 UTM Edge appliances enable enterprise customers to quickly and easily create a seamless Check Point Internet security infrastructure. These appliances can be centrally managed and easily incorporated into existing infrastructures. These appliances do not include moving parts, are easy to use, and do not compromise either connectivity or security.

    Finding the Right Check Point Management Solution

    The VPN-1 UTM Edge appliances can be managed using any one of the following Check Point management solutions: SmartCenter (Pro or Express), Provider-1 or SmartLSM:

    • SmartCenter is considered the standard VPN-1 UTM Edge management solution and is often used in conjunction with SmartLSM. SmartCenter management is useful for organizations with branch offices who are looking for affordable alternatives and basic security and VPN solutions for each branch office. The VPN-1 UTM Edge appliances are represented by an object which is created and managed in SmartDashboard called the VPN-1 UTM Edge gateway.

    Figure 1-1 SmartCenter Deployment

    • SmartLSM is an extension of SmartCenter providing administrators with an effective means of provisioning and managing hundreds and thousands of VPN-1 UTM Edge ROBO (Remote Office/Branch Office) gateways. VPN-1 UTM Edge Profiles and Profile policies are defined in SmartDashboard. VPN-1 UTM Edge ROBO gateways are provisioned and managed via the SmartLSM console application. For more information see the SmartLSM Administration Guide.

    Figure 1-2 SmartLSM Deployment

    • Provider-1 is used by large enterprises and by Managed Service Providers to centrally manage multiple, fully customized, customer domains. VPN-1 UTM Edge appliances are integrated transparently with this management solution. The management capabilities of a Provider-1 CMA (Customer Management Add-On) are equivalent to those of the SmartCenter gateway, including the SmartLSM extension. Global VPN Communities are currently not supported for VPN-1 UTM Edge appliances.

    Figure 1-3 Provider-1 Deployment

    An Overview of VPN-1 UTM Edge

    In This Section

    VPN-1 UTM Edge
    Advantages of the VPN-1 UTM Edge Appliances
    Overview of a Typical Workflow

    VPN-1 UTM Edge

    Check Point's VPN-1 UTM Edge appliances are available in different series:

    • X-series, ideal for sites requiring site-to-site VPN. This series also delivers additional capabilities such as high performance, high availability, support for multi-ISPs and automatic recovery.
    • W-series, provides secure wireless connectivity for remote sites, branch offices, and partner sites by integrating a secure wireless access point with market-leading VPN-1/FireWall-1 technology, high availability support, and simple Web-based setup.

    The following VPN-1 appliances are also supported:

    • Nokia IP30, IP40, IP45, IP60, IP60W
    • NEC SecureBlade, SecureBlade 300

    Whatever the series, the VPN-1 UTM Edge appliances support any of the Check Point management solutions (SmartCenter, SmartLSM, etc.). Apart from their own seamless integration and ease of use, they also benefit from most of the advantages of any regular VPN-1 gateway.

    Advantages of the VPN-1 UTM Edge Appliances

    There are several distinct advantages to working with VPN-1 UTM Edge devices. The features that are supported depend on the device that you own:

    • Installation, Integration and Configuration - The VPN-1 UTM Edge appliance itself is easy to install and configure. Moreover, the VPN-1 UTM Edge appliance can be used immediately once SmartCenter (Power or UTM) has been installed.
        • The appliance is diskless. It contains pre-configured software and can be used out-of-the-box.
    • VPN - VPN-1 UTM Edge appliances can be implemented in Check Point VPN-1 solutions which offer full encryption and authentication capabilities. These appliances can participate as a peer gateway in the corporate VPN with just one click. The appliances can participate in a Site-to-Site Community (both Star or Meshed), or as a Remote Access client. For more information on building VPN Communities, see the Virtual Private Networks Administration Guide.
    • Security - A Security Policy can be enforced on VPN-1 UTM Edge appliances. Some of the security highlights include: support of Check Point's patented Stateful Inspection, Anti-spoofing, DoS protection and H.323 VoIP. Some of the networking highlights include DHCP, NAT support and Access Control.
    • Logging and gleaning the status of appliances - The status and traffic of the VPN-1 UTM Edge appliances can be monitored and logged using the Check Point SmartConsole clients: SmartView Tracker and SmartView Status. These tools can be used for troubleshooting purposes.
    • Centralized upgrading - The VPN-1 UTM Edge Device firmware can be upgraded automatically due to Check Point SmartUpdate support.

    Overview of a Typical Workflow

    1. Install the VPN-1 UTM Edge appliance. For more information see your vendor documentation.

    2. Create objects to represent these appliances in the respective management solution (for example, SmartLSM, etc.). This includes the creation of a VPN-1 UTM Edge Profile and a gateway, where the latter is the network object that represents the VPN-1 UTM Edge appliance.

    3. The initial configuration of the appliance and the connection to the SmartCenter gateway is done via a Web GUI called the VPN-1 UTM Edge portal (http://my.firewall). It is imperative that trust is established between the SmartCenter and the device in order for them to communicate freely and securely. Moreover, connection to the SmartCenter server from the device needs to take place so that management operations carried out by the SmartCenter server can be applied. This establishment of trust is equivalent to the SIC (Secure Internal Communication) process that takes place in SmartCenter between regular gateways and the SmartCenter gateway.

    4. Perform management operations. All management operations, such as defining VPN relations with other gateways, fetching a policy or updating the software version embedded in the appliance (or firmware, as it is called), are performed by the SmartCenter gateway using any one (or a combination) of the Check Point management solutions (SmartDashboard, SmartLSM or Provider), or via the Command Line.

    SmartCenter uses an encrypted UDP-based protocol (called SWTP_SMS or SWTP_gateway) to communicate with the VPN-1 UTM Edge appliance. This protocol is enforced in an implied rule in the Security Policy. For more about SmartCenter management, see the SmartCenter Administration Guide.

    VPN-1 UTM Edge Device Functionality

    In This Section

    VPN-1 UTM Edge Appliances: VPN Communities & Management
    VPN-1 UTM Edge and Packet Filtering FireWall
    Logging in the SmartView Tracker
    Viewing the Status of VPN-1 UTM Appliances and VPN Creation
    Upgrading VPN-1 UTM Appliance Firmware using SmartUpdate

    VPN-1 UTM Edge Appliances: VPN Communities & Management

    VPN-1 UTM Edge gateways can participate in two types of VPN communities: Site-to-Site and Remote Access. These communities are explained in more detail in the Virtual Private Networks Administration Guide.

    Site-to-Site

    Unless otherwise stated, VPN-1 UTM Edge Device gateways are added to communities and participate in the VPN tunnel in the same manner as all VPN-1 gateway objects; they are added, like regular participating gateways, into the VPN community (Star or Meshed). Consult the Virtual Private Networks Administration Guide for more information on building a VPN between gateways.

    VPN-1 UTM Edge as a Remote Access Client

    You can configure the VPN-1 UTM Edge appliance to act as a remote client (it is added to a Remote Access Community). In this case it is configured in an atypical VPN configuration where the VPN-1 UTM Edge gateway is added as a User group to the VPN-1 community. This User group is created by default and is called VPN-1 devices defined as Remote Access. All machines deployed behind the VPN-1 UTM Edge gateway will also function as Remote Access Clients. This means that all traffic from these gateways will be tunneled as well.

    Note - On SmartCenter Express, any VPN-1 UTM Edge appliance that is connecting using Site-to-Site VPN is considered to be an additional managed site; therefore, you are required to obtain an additional license.

    VPN-1 UTM Edge Managed by an External Service Center

    VPN-1 UTM Edge gateway objects that are managed by an external Management gateway can be defined. These objects can be used in VPN communities. Typically, externally managed gateways are used in Extranet scenarios with partners, or with additional Management gateways.

    VPN-1 UTM Edge and Packet Filtering FireWall

    VPN-1 UTM Edge appliances use Check Point's Stateful Inspection technology just like regular VPN-1 gateways.

    Gateways that are used in the Rule Base get their Security Policy from the SmartCenter gateway. This policy enforces the manner in which connections are allowed (or not allowed) to pass to and from the VPN-1 UTM Edge appliance. Access Control is used to determine the resources and services that are authorized to be used. This access authorization sets the level of security. Rules are attributed to VPN-1 UTM Edge gateways by installing the rule on a specific gateway. For more about Access Control, see the FireWall and SmartDefense Administration Guide.

    VPN-1 UTM Edge appliances can be used with the following actions in the Security Policy Rule Base: Accept, Drop and Reject.

    Logging in the SmartView Tracker

    VPN-1 UTM Edge logs can be generated and sent to a logging server. This server consolidates all VPN-1 UTM Edge logs in the SmartView Tracker. You can view regular logs and audit logs (for management operations) in the SmartView Tracker. You can use these logs to troubleshoot and confirm that connections are passing to and from the VPN-1 UTM appliance, according to what is specified in the Security Policy. SmartView Tracker has a pre-defined query called VPN-1 UTM which can be used to focus on the logs generated from the appliances specifically.

    Since the VPN-1 UTM gateway sends logs at periodic intervals, you will notice that logs appear in the SmartView Tracker only after the periodic interval has passed.

    Viewing the Status of VPN-1 UTM Appliances and VPN Creation

    Use the SmartView Monitor in order to learn more about the status of the VPN-1 UTM Edge appliances. SmartView Monitor is available to both VPN-1 Power and VPN-1 UTM customers. SmartLSM customers may view the status of their objects in SmartView Monitor, or in the SmartLSM SmartConsole.

    Upgrading VPN-1 UTM Appliance Firmware using SmartUpdate

    The VPN-1 UTM Edge gateway firmware represents the software that is running on the appliance. The VPN-1 UTM Edge gateway's firmware can be viewed and upgraded using SmartUpdate. This is a centralized management tool which is used to upgrade all gateways in the system by downloading new versions from the download center. When installing new firmware, the firmware is prepared at the SmartCenter gateway, downloaded and subsequently installed when the VPN-1 UTM Edge gateway fetches updates. Since the VPN-1 UTM Edge gateway fetches at periodic intervals, you will notice the upgraded version on the gateway only after the periodic interval has passed.

    Note - SmartLSM is only available to VPN-1 Power customers.


    Chapter 2

    Installation and Configuration

    In This Chapter

    Introduction to the Installation and Configuration Processes

    Before You Begin

    Overview of Workflow for SmartCenter Management Solution

    Overview of Workflow for SmartLSM Management Solution

    Configuration Operations


    Introduction to the Installation and Configuration Processes

    The installation and configuration process depends on a number of factors: the

    management solution that you are using (whether SmartCenter, SmartLSM or

    Provider-1), the type of VPN community that you are configuring as well as the type

    of device that you are using.


    Before You Begin

    Before you can work with the VPN-1 UTM Edge appliance, you need to install and

    configure it via the VPN-1 UTM Edge Portal. This is a Web GUI used expressly for

    the management of the appliance. Apart from the actual installation process you

    need to perform a first time login to the VPN-1 UTM Edge appliance via the portal.

    In this first time login you are meant to set up initial administrator permissions and

    an authorization permission as well as the Internet connection itself. For more

    information, see the VPN-1 UTM Edge User Guide.


    Overview of Workflow for SmartCenter Management Solution

    This workflow assumes that you have installed SmartCenter (Power or UTM). For

    more information see the appropriate Check Point product suite Getting Started

    Guide.

    The following workflow represents the order in which you should work with VPN-1

    UTM Edge appliances. More details about each step in the workflow can be found

    in this document.

    1. Install and configure the VPN-1 UTM Edge appliance. Refer to the VPN-1 UTM

    Edge User Guide for more information. If you are setting up the appliance on

    the network, make sure that it is successfully connected.

    2. In SmartDashboard:

    Create the VPN-1 UTM Edge Gateways. Make sure that you set up the

    VPN-1 UTM Edge appliance's topology properly and add the Gateway to a

    VPN Community.

    Create rules for your objects and install the Security Policy. This step

    should be repeated whenever a modification to the VPN-1 UTM Edge

    objects is made.

    3. On the VPN-1 UTM Edge portal, define your SmartCenter Server as the VPN-1

    UTM Edge appliance's service center. This means that the SmartCenter Server

    is now responsible for managing the appliance including VPN relations, Access

    Control, Licensing and updates. Communication between the SmartCenter

    Server and the VPN-1 UTM Edge appliance is secured.


    Overview of Workflow for SmartLSM Management Solution

    This workflow assumes that you have installed SmartCenter Power. For more

    information see the appropriate Check Point product suite Getting Started Guide.

    The following workflow represents the order in which you should work with VPN-1

    UTM Edge appliances. More details about each step in the workflow can be found

    in this document.

    1. Install and configure the VPN-1 UTM Edge appliance. Refer to the VPN-1 UTM

    Edge User Guide for more information. If you are setting up the appliance on

    the network, make sure that it is successfully connected.

    2. To enable SmartLSM, run the following command on the SmartCenter Server

    Pro: LSMenabler on

    3. In SmartDashboard:

    Create a SmartLSM VPN-1 UTM Edge Profile. When creating the profile

    you can specify the VPN community in which you would like the profile to

    participate. This step can also take place at a later stage.

    Create one or more dynamic objects to be enforced on the VPN-1 UTM

    Edge ROBO Gateway.

    Create rules for your objects and install the Security Policy. This step

    should be repeated whenever a modification to the VPN-1 UTM Edge ROBO

    objects is made. This step needs to take place after you have created the

    VPN-1 UTM Edge ROBO Gateway in SmartLSM.

    Close SmartDashboard.

    4. In SmartLSM, create a VPN-1 UTM Edge ROBO Gateway, add the dynamic

    object to the VPN-1 UTM Edge ROBO Gateway and update the CO (Corporate

    Office) Gateway. For more information see the SmartLSM Administration Guide.

    5. On the VPN-1 UTM Edge portal, define your SmartCenter Server as the VPN-1

    UTM Edge appliance's service center. This means that the SmartCenter Server

    is now responsible for managing the appliance including VPN relations, Access

    Control, Licensing and updates. Communication between the SmartCenter

    Server and the VPN-1 UTM Edge appliance is secured.

    Note - In SmartLSM, the profile associated with the VPN-1 UTM Edge Gateway can only

    participate in a Star community for Site-to-Site configuration.


    Configuration Operations

    In This Section

    Installation & Configuration Using SmartCenter

    Working with VPN-1 UTM Edge Objects for SmartCenter

    Working with VPN-1 UTM Edge objects for SmartLSM

    SmartDashboard Content Inspection Configuration

    Creating a Security Policy for VPN-1 UTM Edge Appliance

    Security Policy Operations

    Managing VPN-1 UTM Edge Devices with SmartCenter Server

    Remote Login to the SmartCenter Server

    Configuring VPN in SmartCenter

    Configuring VPN-1 in SmartLSM

    Viewing Logs in the SmartView Tracker

    Downloading the Latest Firmware from SmartUpdate

    Installing and Configuring VPN-1 UTM Edge Appliances

    For information on how to install, configure and work with the VPN-1 UTM Edge

    Appliance, refer to the VPN-1 UTM Edge User Guide.


    Installation & Configuration Using SmartCenter

    VPN-1 UTM Edge support is enabled automatically during the installation of the

    SmartCenter server. There is no need to install any additional component.

    Working with VPN-1 UTM Edge Objects for SmartCenter

    An object that represents a VPN-1 UTM Edge appliance should be defined in

    SmartDashboard in order for the SmartCenter Server to be able to manage the

    VPN-1 UTM Edge appliance:

    Create the VPN-1 UTM Edge gateway that represents the VPN-1 UTM Edge

    appliance and associate it with a VPN-1 UTM Edge Profile. See Creating a VPN-1

    UTM Edge Gateway on page 35. During this process you must assign the

    previously created profile to the VPN-1 UTM Edge Gateway that is being created.

    Creating a VPN-1 UTM Edge Gateway

    A VPN-1 UTM Edge Gateway object is a network object that represents a VPN-1

    UTM Edge appliance. This Gateway sits on the network and can be managed by the

    SmartCenter Server or by an external service center.

    1. In the Network Objects tab of the Objects Tree create a new VPN-1 UTM Edge

    Gateway.

    2. In the VPN-1 UTM Edge Gateway - General page:

    Configure the general settings of the window, including its Name and IP

    Address (whether static or dynamic), the VPN-1 UTM Edge Profile and

    version information (Type). It is very important to select the exact version of

    your appliance. It is also necessary to define a Password (also known as a

    Registration Key). This password is used for encryption and authentication

    purposes.

    Configure the VPN settings. To allow the VPN-1 UTM Edge Gateway to

    become a member of a VPN community, select the VPN Enabled check box

    and select the VPN Community type (whether Site to Site or Remote Access).

    Configure the management settings. If this Gateway is managed by an

    external server, check Externally Managed Gateway.

    Note - VPN-1 UTM Edge cannot be managed from a SmartCenter Server running on Nokia.


    Select QoS Managed Gateway to configure QoS for a specific host or gateway

    in the Topology tab. When this option is selected you can define QoS

    (Quality of Service) and specify guaranteed bandwidth level and limits for

    gateways/hosts.

    Enable the Web UI administration GUI within SmartDashboard by selecting

    Configure Edge Using Web Interface.

    Figure 2-1 New VPN-1 UTM Edge Gateway configured for Site-to-Site VPN-1

    3. In the VPN-1 UTM Edge Gateway - Topology page (Figure 2-2), the topology is set

    automatically because it represents the hard coded device.

    The set topology includes the following three interfaces (two internal and one

    external):

    DMZ represents a logical second network behind the VPN-1 UTM Edge

    appliance. You must connect DMZ computers to the LAN ports. DMZ is a

    dedicated Ethernet port (RJ-45) used to connect a DMZ (Demilitarized

    Zone) computer or network. Alternatively, the DMZ can serve as a secondary

    WAN port.

    LAN represents the private network. LAN 1-4 Local Area Network switch:

    Four Ethernet ports (RJ-45) are used for connecting computers or other

    network devices.


    WAN represents the external interface to the router. A WAN interface card

    is a network interface card (NIC) that allows devices to connect to a wide

    area network. Wide Area Network (WAN): An Ethernet port (RJ-45) used for

    connecting your cable or xDSL modem, or for connecting a hub when

    setting up more than one Internet connection.

    Although these three interfaces automatically appear in the Topology window,

    they are not associated with an IP address and a Network Mask.

    If you deselect the Dynamic Address option in the General Properties window and

    add a static IP address, the WAN automatically receives the specified static IP

    address and its Network Mask is 255.255.255.255.

    The Type drop-down list in the General Properties window defines the hardware

    type and its associated topology. Currently all hardware types share the same

    topology. Every hardware type has one external interface and two internal

    interfaces. It is possible to add only one additional external interface.

    Once you have defined the general settings as well as the topology definitions

    of the VPN-1 UTM Edge Gateway a certificate is automatically created.

    For managed devices it is essential to specify the correct network. When

    managing multiple devices it is better to define the networks on the devices, so

    as to ensure that the networks do not overlap with one another.

    For externally managed devices the networks specified depend upon both the

    NAT settings on the other side as well as the agreed configuration.

    Note - Pre-Shared Secrets work in conjunction with Static IP Addresses only.

    Figure 2-2 Configure the topology settings

    4. In the VPN-1 UTM Edge Gateway - VPN page, associate the VPN-1 UTM Edge

    Gateway with the VPN Community of your choice (if one already exists)

    (Figure 2-3). This page can only be set by closing and reopening the VPN-1

    UTM Edge Gateway object. At this point a certificate is created for the VPN-1

    UTM Edge Gateway.

    You can also add a VPN-1 Gateway to a selected VPN community by opening

    the VPN community directly from the VPN Manager view.

    To enable High Availability, configure a backup gateway. Refer to the Configuring

    High Availability section in the Check Point VPN-1 Edge Internet Security

    Appliance User Guide.

    Figure 2-3 Configuring the VPN settings

    5. In the VPN-1 UTM Edge Gateway - Content Filtering page (Figure 2-4), select Use

    UFP, Use CVP or both if you want to restrict access to Web content and/or

    automatically scan your email for the detection and elimination of all known

    viruses and vandals, in relation to the specific gateway.

    Select Use Anti Virus Integrated Protection to indicate that Anti Virus is installed

    and that updates will be sent to this specific gateway.

    For Anti Virus to work on VPN-1 UTM Edge it must be configured in the Edge

    Anti Virus section of the SmartDashboard > Content Inspection tab.

    The type of UFP Server and CVP Server used for content filtering is determined

    in Policy > Global Properties > VPN-1 UTM Edge Gateway window.

    Note - To perform a detailed configuration of the created VPN-1 UTM Edge Gateway, launch

    the gateway in a browser. To do this, right-click the specific VPN-1 UTM Edge Gateway and

    select Manage Devices...

    Figure 2-4 Configuring Content Filtering

    6. In the VPN-1 UTM Edge Gateway - Advanced page (Figure 2-5), enter the

    following information:

    Product Key enables you to remotely update the current VPN-1 UTM Edge

    gateway license (18 hexadecimal characters in three groups separated by

    hyphens).

    MAC Address enables stronger validation of the VPN-1 UTM Edge gateway

    when communicating with the SmartCenter Server.

    Configuration Script enables you to enter a script for relevant commands and

    features. The written script will be downloaded automatically to the VPN-1 UTM

    Edge device and executed.

    For more detailed information about configuration scripts, refer to the

    Command Line Interface Administration Guide.

    Figure 2-5 Configuring Advanced Settings

    Working with VPN-1 UTM Edge objects for SmartLSM

    The objects that are used in the SmartLSM management solution are partly created

    in SmartDashboard and partly in SmartLSM.

    VPN-1 UTM Edge ROBO Gateway object - represents the VPN-1 UTM Edge

    appliance. This object is created in SmartLSM.

    SmartLSM VPN-1 UTM Edge Profile - represents an object that is associated

    with the VPN-1 UTM Edge ROBO Gateway and provides it with a basic Security

    Policy and VPN definition. This object is created in SmartDashboard.

    A Dynamic Object used by the SmartLSM VPN-1 UTM Edge Profile in order to

    enforce the Security Policy. This object is created in SmartDashboard and is

    added to the SmartLSM VPN-1 UTM Edge Profile in SmartLSM.

    The order of the creation of the VPN-1 UTM Edge objects is:

    1. Create the SmartLSM VPN-1 UTM Edge ROBO gateway in SmartDashboard. See

    Working with VPN-1 UTM Edge Objects for SmartCenter on page 35.

    2. Create a Dynamic Object in SmartDashboard.

    3. Close SmartDashboard and open SmartLSM.

    4. Create the VPN-1 UTM Edge ROBO Gateway that represents the VPN-1 UTM

    Edge appliance in SmartLSM, and associate it with a VPN-1 UTM Edge ROBO

    Profile. See Creating a VPN-1 UTM Edge ROBO Gateway on page 46. During

    this process you must assign the previously created profile to the VPN-1 UTM

    Edge ROBO Gateway that is being created.

    In This Section

    Creating a SmartLSM ROBO Profile

    Creating a VPN-1 UTM Edge ROBO Gateway

    Creating a SmartLSM ROBO Profile


    A security policy is defined for a VPN-1 UTM Edge appliance, represented by a

    VPN-1 UTM Edge ROBO Gateway by associating it to a profile.

    Defining VPN-1 UTM Edge ROBO Profiles

    1. In SmartDashboard, create a new SmartLSM Profile in the Network Objects tab

    of the Objects Tree.

    Figure 2-6 Creating a new SmartLSM Profile in SmartDashboard

    2. In the General page, enter the name and an optional comment (Figure 2-7).

    Figure 2-7 Configure the SmartLSM Profile settings


    3. On the VPN page (Figure 2-8), enter the type of community that you would like


    to associate with the said profile and save the profile by closing it.

    Figure 2-8 Configure the SmartLSM Profile Settings for VPN


    4. On the Content Filtering tab (Figure 2-9), select the applicable protection types.


    VPN-1 UTM Edge supports two different types of content filtering and antivirus

    protection:

    Integrated Products - VStream Gateway Antivirus, which is integrated into the

    VPN-1 UTM Edge appliance and managed locally via the Content Filtering

    window.

    Third Party Products - Centralized content filtering based on a third party

    solution on a central server. The CVP and UFP centralized filtering protocol

    are available.

    You can choose to enable integrated products, third party products or both

    types together. Refer to the online help for a detailed explanation of these

    options.

    Select Use Anti Virus Integrated Protection to indicate that Anti Virus is installed

    and that updates will be sent to a specific gateway. Use the Edge Anti Virus

    section of the SmartDashboard > Content Inspection tab to configure antivirus

    protection.

    Select Use UFP, Use CVP or both to restrict access to Web content and/or

    automatically scan your email for viruses. Use the Policy > Global Properties >

    VPN-1 UTM Edge Gateway window to enable and configure UFP and CVP Servers.

    Figure 2-9 Configuring Content Filtering


    5. In the Advanced page (Figure 2-10), enter the following information:


    Configuration Script enables you to enter a script for relevant commands and

    features. The written script will be downloaded automatically to the VPN-1 UTM

    Edge device and executed.

    For more detailed information about configuration scripts, refer to the

    Command Line Interface Administration Guide.

    Figure 2-10 Configuring Advanced Settings

    Creating a VPN-1 UTM Edge ROBO Gateway

    A VPN-1 UTM Edge ROBO Gateway object is a network object that represents a

    VPN-1 UTM Edge Appliance that is created and managed in SmartLSM. This

    Gateway sits on the network and can be managed by the SmartCenter Server or by

    an external service center.

    Defining VPN-1 UTM Edge ROBO Gateways

    Before you can create the Edge ROBO Gateway make sure that you have exited

    SmartDashboard, if it is in Read/Write mode.

    To define VPN-1 UTM Edge ROBO Gateways refer to the Adding a VPN-1 UTM Edge

    ROBO Gateway and Managing VPN-1 UTM Edge Objects sections in the SmartLSM

    Administration Guide.

    SmartDashboard Content Inspection Configuration


    To configure Anti Virus to work on VPN-1 UTM Edge gateways, it must be

    configured in the Edge Anti Virus section of the Content Inspection tab. The Edge

    Anti Virus settings in the Content Inspection tab only work for Edge machines.

    For additional information refer to the Anti Virus Protection chapter in the Firewall

    and SmartDefense Administration Guide.

    Creating a Security Policy for VPN-1 UTM Edge Appliance

    1. Create your Security Policy rules. For more information on creating rules see

    the SmartCenter Administration Guide.

    When you are creating rules, be aware that the VPN-1 UTM Edge Gateway can

    be used in the Install On column even if there is a VPN Community specified in

    the VPN column.

    You may need a rule that allows designated services (such as ftp, telnet and

    http) to be performed by the VPN community. In this rule, the VPN-1 Power

    gateway should be your target.

    For example:

    Table 2-1 Example: a rule allowing services for Site-to-Site and Remote Access communities respectively

    Source                                               Destination  VPN        Service            Action  Install On
    Any                                                  Any          Mesh-comm  ftp, telnet, http  Accept  VPN1_Pro_GW
    All Users or VPN-1 Devices defined as Remote Access  Any          RA_comm    ftp, telnet, http  Accept  VPN1_Pro_GW

    Table 2-2 Allowing connections from network to VPN-1 UTM Edge Gateway

    Source    Destination      VPN  Service  Action  Install On
    Edge_Net  VPN_Edge_Pro_GW  Any  Any      Accept  Any


    2. Once the rules are complete install your Security Policy (Policy > Install Policy).


    The VPN-1 UTM Edge Gateway periodically fetches the Security Policy from the

    SmartCenter Server. When the policy installation is complete the SmartCenter

    Server will attempt to update the VPN-1 UTM Edge Gateway with the new

    security policy. In order for the changes to take place immediately you can

    force a Policy update from the VPN-1 UTM Edge Portal.

    Security Policy Operations

    In This Section

    Installing and uninstalling the Security Policy

    Downloading a Security Policy

    Verifying that the Security Policy was downloaded

    Installing and uninstalling the Security Policy

    When the Security Policy is installed or uninstalled, the Security Policy is

    automatically downloaded to or off-loaded from the SmartCenter Server. When the

    VPN-1 UTM Edge Gateways check the SmartCenter Server for updates, the activity

    (whether installation or uninstallation) is implemented.

    To install, select Policy > Install Policy.

    To uninstall, select Policy > Uninstall Policy.


    Downloading a Security Policy


    From the VPN-1 UTM Edge Portal

    1. Login from the VPN-1 UTM Edge portal to http://my.firewall.

    2. Click Services and Accounts and then click Refresh. Or, click Services and

    Software Updates and then click Update Now.

    3. When the VPN-1 UTM Edge Gateway polls for updates, it downloads the latest

    Security Policy.

    From SmartLSM, select Actions > Push Policy. The SmartCenter Server pushes the

    Security Server to the VPN-1 UTM Edge ROBO Gateway.

    Verifying that the Security Policy was downloaded

    1. Login from the VPN-1 UTM Edge portal to http://my.firewall.

    2. Click Reports and then click Event Log.

    3. Verify that the following message appears: Installed updated Security

    Policy (downloaded).

    4. Click Setup > Tools > Diagnostics.

    The VPN-1 UTM Edge object is displayed in the Policy field.

    Managing VPN-1 UTM Edge Devices with

    SmartCenter Server

    Before you can begin to work with the VPN-1 UTM Edge Appliance whether your

    appliance is managed in SmartDashboard, or in SmartLSM, you need to logon to

    the VPN-1 UTM Edge portal and define the SmartCenter server as the active service

    center.

    Once successfully completed, this step allows the SmartCenter Server to perform a

    number of management operations for the VPN-1 UTM Edge Appliance such as

    VPN-1 relations, updating the Security Policy and upgrading to later versions of

    firmware. Proceed as follows:

    1. Browse to http://my.firewall.

    2. Enter your user name and password.

    3. In the Services screen, connect to the SmartCenter Server by clicking on

    Connect. A wizard is displayed in which you are required to configure the

    settings of the SmartCenter Server.


    Figure 2-11 Login to the SmartCenter Server in the VPN-1 UTM Edge Portal


    During the SmartCenter Server setup, you are required to enter details about

    the VPN-1 UTM Edge Gateway object that you created. Note that the Gateway ID

    refers to the name of the said gateway and the Password refers to the

    Registration Key specified during the creation of the VPN-1 UTM Edge Gateway

    object.

    Figure 2-12 Configuring the Gateway object.

    Once this setup is successfully completed, the VPN-1 UTM Edge appliance and

    the SmartCenter Server can communicate securely. For more information

    about this procedure, see the relevant vendor information.

    Remote Login to the SmartCenter Server

    Note - If your device is not installed locally, you will need to log on securely to the VPN-1

    UTM Edge Portal using HTTPS (https://:981). For more information see the relevant

    vendor information.

    Configuring VPN in SmartCenter


    VPN-1 UTM Edge Gateway can be added to Site-to-Site communities, as well as to

    Remote Access communities. The VPN-1 UTM Edge Appliance can also be

    configured to act as a Remote Access client. For more information, see the

    appropriate Check Point product suite Getting Started Guide, in particular the

    chapters dealing with:

    Building VPN Between Gateways

    PKI

    In This Section

    Gateway in Site-to-Site VPN Configuration

    Gateway in a Remote Access Client Configuration

    Management by an External Service Center

    Gateway in Site-to-Site VPN Configuration

    For VPN to be established the following must take place:

    1. The VPN-1 UTM Edge Gateway must be defined and configured for Site-to-Site

    and a certificate created (if the VPN Community members are to use a

    certificate to authenticate).

    On the General page (see Figure 2-1):

    On the VPN-1 UTM Edge Gateway check VPN Enabled and select Site to Site

    in order to allow the VPN-1 UTM Edge Gateway to participate like any

    regular VPN-1 Gateway in a star or meshed community. This means that any

    gateway can initiate a VPN tunnel to the VPN-1 UTM Edge Gateway and the

    VPN-1 UTM Edge Gateway can initiate a VPN tunnel to any other gateway.

    In terms of IP addresses:

    If the VPN-1 UTM Edge Gateway has a static IP Address, you can use a

    certificate or an IKE pre-shared secret to establish a VPN tunnel. In this

    case the password you enter is used for the IKE pre-shared secret.

    If the VPN-1 UTM Edge Gateway has a dynamic IP Address (select

    Dynamic Address), only a certificate can be used in order to establish a

    VPN tunnel. In this case, make sure that you have selected Manually

    defined in the VPN-1 UTM Edge Gateway - Topology page (see

    Figure 2-2).

    Make sure that the type that you select corresponds to the actual appliance

    that you have in your possession.

    Add a Password that will be used later on the VPN-1 UTM Edge Portal and

    for the pre-shared secret (if you have a static IP Address).

    On the Topology page (see Figure 2-2):

    All IP Addresses behind Gateway based on Topology information is used for

    NAT implementation.

    Manually Defined is used if the VPN-1 UTM Edge Gateway is configured for

    dynamic IP Address or if NAT is not being implemented.

    On the VPN page (see Figure 2-3) generate the certificate and close the VPN-1

    UTM Edge Gateway.

    2. If you do not already have one, create a Star or Meshed community in the VPN

    Manager. For more about these communities and how to configure them, see

    the appropriate CheckPoint product suite Getting Started Guide.

    To create a Site-to-Site community:

    Figure 2-13 Create a new Site-to-Site Community

    In a Star Community

    In the Central Gateways page click Add and select the desired VPN-1 UTM

    Edge Gateway. Click OK.

    In the Satellite Gateways page, click Add and select the desired VPN-1 UTM

    Edge Gateway. Click OK.

    Note - If you are creating a Star community, it is not recommended to include the VPN-1

    UTM Edge Gateway as a Central Gateway.


    Figure 2-14 Add VPN-1 UTM Edge Gateway as Satellite Gateway


    In a Meshed Community

    In the Participating Gateways page, click Add and select the desired VPN-1

    UTM Edge Gateway. Click OK.

    In Star and Meshed Communities

    In the VPN Properties page, specify the properties for the phases of IKE

    negotiation.

    In the Shared Secret page, specify whether the VPN community member

    should be authenticated using a pre-shared secret or a certificate. If you would like to use a secret, make sure to select Use only Shared Secret for all

    External members. The secret used is the password defined when the VPN-1

    UTM Edge Gateway object was created. If you would like to use certificates

    as a means of authentication, make sure that Use only Shared Secret for all

    External members is unchecked.

    3. In the Rule Base, create the rules of your Security Policy. See Creating a

    Security Policy for VPN-1 UTM Edge Appliance on page 47.

    4. Install the rule base on the Central Gateways (for a Star community).

    5. In the VPN-1 UTM Edge Portal define the SmartCenter server as the active

    service center, see Managing VPN-1 UTM Edge Devices with SmartCenter

    Server on page 49. In the VPN window of the VPN-1 UTM Edge Portal, the

    Site-to-Site configuration is automatically loaded, including its topology and

    enterprise profile.

    Gateway in a Remote Access Client Configuration

    In order for the VPN-1 UTM Edge Gateway to function as a Remote Access Client,

    the gateway must be configured to participate in the Remote Access community.

    When the VPN-1 UTM Edge Gateway object is defined in the Check Point database, an additional User Group called All VPN-1 UTM Edge Gateway Appliances is

    created. This User Group is used in the definition of the Remote Access

    community.

    For more information about Remote Access Clients, see the appropriate CheckPoint

    product suite Getting Started Guide.

    Adding the VPN-1 UTM Edge Gateway to a Remote Access Community

    There are two basic ways to add the VPN-1 UTM Edge Gateway to a community:

    In the VPN-1 UTM Edge Gateway - VPN page, click on Add. Select the community

    to which you would like to associate the selected gateway.

    In the VPN Manager view, select the Remote Access community to which you

    would like to add the VPN-1 UTM Edge Gateway. Add the VPN-1 UTM Edge

    Gateway in the Participant User Group page by clicking on Add and selecting the

    default User Group called VPN-1 Devices defined as Remote Access to which the

    VPN-1 UTM Edge Gateway is associated.

    When VPN-1 UTM Edge Gateways are configured to work in client mode, it is important that the SmartCenter Server be deployed outside of the VPN domain of

    the Remote Access Client. If you are working with Remote Access Automatic login

    mode, the SmartCenter Server may be within the VPN domain, however, in this

    case, you must create the VPN domain in the VPN-1 UTM Edge Gateway before

    connecting the VPN-1 UTM Edge Gateway to the SmartCenter Server.

    For VPN to be established the following must take place:

    Note - The User Group All VPN-1 UTM Edge Gateway Appliances is not a regular User Group and as such it doesn't appear in the Users and Administrators tab of the Objects Tree.

    1. Create a VPN-1 UTM Edge Gateway object. Make sure that you select VPN

    enabled and Remote Access on the General page. Remote Access means that the

    selected VPN Edge Gateway can act as a Remote Access client to the corporate

    gateway; no other gateways will be able to initiate a VPN tunnel to this VPN

    Edge Gateway. This VPN-1 UTM Edge Gateway can be enforced as part of a User Group in a Remote Access VPN community.

    If the VPN-1 UTM Edge Gateway has a static IP Address, use an IKE pre-shared

    secret to establish a VPN tunnel. In this case you will need to enter the

    password created on the VPN-1 UTM Edge Gateway object.

    2. Create a Remote Access community in the VPN Manager that includes the

    VPN-1 UTM Edge Gateway object. For more about these communities and how

    to configure them, see the appropriate CheckPoint product suite Getting Started

    Guide.

    In the Participating Gateways page click Add and select the Central Gateway.

    Click OK.

    In the Participant User Groups page, click Add and select VPN-1 Devices

    defined as Remote Access. Click OK.

    Figure 2-15 Add User Group

    Click OK to exit the Remote Access community window.

    3. In the Rule Base, define a rule for the Remote Access community and install it

    on the Gateway. See Creating a Security Policy for VPN-1 UTM Edge

    Appliance on page 47. Install the Security Policy on the desired gateways.

    4. In the VPN-1 UTM Edge Portal define the SmartCenter server as the active

    service center, see Managing VPN-1 UTM Edge Devices with SmartCenter

    Server on page 49.

    In the VPN window of the VPN-1 UTM Edge Portal, the Remote Access

    configuration is automatically loaded. Create a new Site to represent the

    VPN-1 Power Gateway on the VPN-1 UTM Edge appliance. On the VPN

    screen, click on New Site, run the wizard and perform the following steps:

    Add the IP Address of the regular VPN-1 Power Gateway.

    Check Download Configuration.

    Enter the name of the Site.

    Under VPN Login, select Automatic Login and refer to the vendor

    documentation for more information.

    5. In SmartDashboard, install the Security Policy.

    Management by an External Service Center

    You can configure a VPN-1 UTM Edge appliance to be managed by an external

    Service Center. This means that it is not managed by the local SmartCenter or MDS

    server. This scenario is typical for extranet or connection to partner sites, and

    requires configuration in two locations.

    This procedure is also applicable to locally managed gateways.

    1. On the VPN-1 UTM Edge Gateway object:

    On the General page, check Externally Managed Gateway.

    The setting defined in the Topology page, depends on the agreed

    configuration.

    2. Modify the VPN Community to which you are adding the VPN-1 UTM Edge.

    Make sure that you check Use only Shared Secret for all External Members on the Advanced Settings > Shared Secret page.

    3. Modify the Security Policy and make sure that the rule installed on the profile is

    disabled. Install the Security Policy.

    On the VPN-1 UTM Edge Portal, on the VPN screen, click on New Site and

    run the wizard and do the following steps:

    Add the IP Address of the regular VPN-1 Power Gateway

    Check Download Configuration.

    Configure the routing destination and subnet mask of the external service

    center

    Under Authentication, select Use shared secret.

    Click on Connect in order to connect to the VPN-1 Power Gateway.

    Configuring VPN-1 in SmartLSM

    VPN-1 UTM Edge ROBO Gateways can participate in meshed Site-to-Site

    communities. In SmartLSM, VPN is supported using IKE authentication with Check

    Point internal certificates:

    1. In the VPN-1 UTM Edge Portal, verify that a certificate has been installed on the VPN-1 UTM Edge Device before establishing the VPN tunnel.

    2. In SmartLSM:

    Add a dynamic object to the VPN-1 UTM Edge ROBO Gateway. In order to

    implement VPN on VPN-1 UTM Edge ROBO Gateways, dynamic objects

    need to be added to the VPN domain of these objects. Make sure you check

    Add to VPN domain.

    Update the Corporate Office (CO) Gateway.

    3. In SmartDashboard, create a VPN Star community that includes the VPN-1

    UTM Edge ROBO Gateway and the CO Gateway as follows:

    In the Central Gateway page, click Add. Select the CO gateway from the

    displayed list and click OK.

    In the Satellite Gateways page, click Add. Select the SmartLSM VPN-1 UTM Edge profile from the displayed list and click OK.

    In the VPN Properties page, specify the IKE phase properties.

    In the Shared Secret page, uncheck the Use only Shared secret for all

    External Members.

    Make sure that shared secret is only used for external members and set the

    properties for the IKE negotiations.

    A topology file and a certificate are downloaded to the VPN-1 UTM Edge

    ROBO Gateway. This topology file lists the members of the VPN community

    and specifies the encryption information.

    4. On the VPN-1 UTM Edge Portal, on the VPN screen specify the configuration

    type (whether Site-to-Site or Remote Access) and check Download Configuration.

    Viewing Logs in the SmartView Tracker

    For auditing logs, open the Audit view in the SmartView Tracker.

    For your convenience add the Origin column to the Audit view (View > Query options

    > Query Properties, select Origin) and select the VPN-1 UTM Edge appliance that you would like to track. This enables you to figure out from which VPN-1 UTM Edge

    appliance the log was generated.

    For security purposes, security logs are displayed in the Log view of the SmartView

    Tracker. Double-click the log in order to see more information.

    Figure 2-16 Viewing Security logs

    Downloading the Latest Firmware from SmartUpdate

    You can use SmartUpdate to get automatic updates of the latest firmware version. To download the latest firmware:

    1. In the Product Repository pane, right-click a VPN-1 UTM Edge Gateway and

    select Add from Download Center.

    2. In the displayed window, select the firmware that you would like to download

    and click Download.

    3. In the Product Repository, right-click a VPN-1 UTM Edge Gateway and select Install Product.

    4. Select the firmware and click OK.

    The firmware is downloaded and sent to the SmartCenter Server, which is responsible

    for downloading it to the VPN-1 UTM Edge Gateways when the latter are ready to

    receive it.

    THIRD PARTY TRADEMARKS AND COPYRIGHTS

    Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

    Verisign is a trademark of Verisign Inc.

    The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the

    University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided as is without express or implied warranty. Copyright Sax Software (terminal emulation only).

    The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.

    Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

    Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT

    OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

    The following statements refer to those portions of the software copyrighted by The Open Group.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

    THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,

    EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright 1998 The Open Group.

    The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

    1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

    2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

    3. This notice may not be removed or altered from any source distribution.

    The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

    The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY

    KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own.

    Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If

    you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

    Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

    The curl license

    COPYRIGHT AND PERMISSION NOTICE

    Copyright (c) 1996 - 2004, Daniel Stenberg, . All rights reserved.

    Permission to use, copy, modify, and distribute this software for any purpose

    with or without fee is hereby granted, provided that the above copyright

    notice and this permission notice appear in all copies.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

    The PHP License, version 3.0

    Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

    Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

    3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

    4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission

    from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"

    5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it

    under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms a