Internet Security Product Suite Getting Started Guide Version NGX R65 703049 July 16, 2008


© 2003-2008 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks.

For third party notices, see “THIRD PARTY TRADEMARKS AND COPYRIGHTS” on page 145.


Contents

Chapter 1 Introduction

• Welcome
• In This Guide
• NGX R65 Documentation
• Endpoint Security Integration
• Documentation Feedback
• For New Check Point Customers
• What’s New in NGX R65
  • SmartCenter
  • FireWall and SmartDefense
  • Connectra Central Management
  • VPN
  • ClusterXL
  • Eventia Analyzer
  • Eventia Reporter
  • SecureClient Mobile
  • UTM-1 Edge
  • Provider-1/SiteManager-1
  • IPS-1

Chapter 2 Getting Started

• VPN-1 Power/UTM Terminology
• Provider-1/SiteManager-1 Terminology
• Hardware and Software Requirements
• Compatibility Tables
• Supported Upgrade Paths and Interoperability
  • VPN-1 Upgrade Paths and Interoperability
  • Upgrading SmartCenter Servers
  • Backward Compatibility For Gateways
  • IPS-1 Upgrade Paths and Interoperability
• Licensing NGX R65
  • Licensing VPN-1 Power/UTM
  • Licensing Provider-1/SiteManager-1
  • Licensing IPS-1
  • Licensing Eventia Suite

Chapter 3 VPN-1 Setup and Installation

• Overview
• Installing SecurePlatform with VPN-1
  • Installing SecurePlatform Using the NGX CD
  • Installing SecurePlatform Using the Network
  • Initially Configuring SecurePlatform
  • Installing NGX Products on SecurePlatform
  • Configuring SecurePlatform Using WebUI
• Installing NGX Products on Windows
• Installing NGX Products on Solaris or Linux
• Installing NGX Products on Nokia
  • Enabling Native IPSO Security Servers
• Initially Configuring NGX Products
• Where To From Here?

Chapter 4 Provider-1 Setup and Installation

• Overview
• Building the Standard Provider-1 Network
  • Setting Up Networking
  • Installing the Gateways
  • Installing and Configuring the MDS
  • Installing SmartConsole and the MDG Client
  • Installing SmartConsole
  • Installing the MDG
  • Uninstalling Provider-1
• Logging Into the MDG
• Where To From Here?

Chapter 5 IPS-1 Setup and Installation

• Overview
  • IPS-1 System Architecture
  • Platforms
• IPS-1 Deployment
  • IPS-1 Sensor Deployment
  • IPS-1 Management Deployment
• IPS-1 Management Installation and Setup
  • Installation of IPS-1 Management Servers
• IPS-1 Sensor Appliances
  • Introduction
• IPS-1 Sensor Installation
  • Connecting to IPS-1 Sensors
  • Installing SecurePlatform and IPS-1 Sensors
  • Initial Configuration of IPS-1 Sensors
  • Initial Configuration of IPS-1 Power Sensor
• IPS-1 Management Dashboard Installation
• Post-Installation Steps
  • Configuring NTP on SecurePlatform
  • Completing IPS-1 Management Setup
  • Completing IPS-1 Sensor Setup
• Where To From Here?

Chapter 6 Installing the Eventia Suite

• Eventia Suite Installation
• Standalone Installation vs. Distributed Installation
  • Installing Eventia Suite on Multiple Versions of SmartCenter Management
• Standalone Installation
  • Windows Platform
  • Solaris & Linux Platforms
  • SecurePlatform
• Distributed Installation
  • Windows Platform
  • Solaris & Linux & SecurePlatform
• Enabling Connectivity Through a Firewall
• Preparing Eventia Suite in SmartCenter
  • Working with R55 SmartCenter Server
• Preparing Eventia Suite on Provider-1 MDS
  • For Provider-1/SiteManager-1 Version R55
  • For Provider-1/SiteManager-1 Version R60
  • For Provider-1/SiteManager-1 Version R61 and Up


Chapter 1 Introduction

In This Chapter

• Welcome
• In This Guide
• NGX R65 Documentation
• Endpoint Security Integration
• Documentation Feedback
• For New Check Point Customers
• What’s New in NGX R65

Welcome

Thank you for choosing Check Point’s Internet Security Product Suite. We hope that you will be satisfied with this solution and our support services. Check Point products provide your business with the most up to date and secure solutions available today.

Check Point also delivers worldwide technical services including educational, professional, and support services through a network of Authorized Training Centers, Certified Support Partners, and Check Point technical support personnel to ensure that you get the most out of your security investment.

To extend your organization’s growing security infrastructure and requirements, we recommend that you consider adopting the OPSEC platform (Open Platform for Security). OPSEC is the industry's open, multi-vendor security framework, which has over 350 partners and the largest selection of best-of-breed integrated applications and deployment platforms.

For additional information on the NGX Internet Security Product Suite and other security solutions, go to: http://www.checkpoint.com or call Check Point at 1(800) 429-4391. For additional technical information, go to: http://support.checkpoint.com.

For more information about the current release, see the latest version of the Release Notes at:

http://support.checkpoint.com

Welcome to the Check Point family. We look forward to meeting all of your current and future network, application, and management security needs.

In This Guide

This guide provides a brief overview of NGX R65 Internet Security Product Suite applications and deployment and installation procedures.

NGX R65 Documentation

Technical documentation is available on your NGX R65 CD-ROM at: CD2\Docs\CheckPoint_Suite. These documents can also be found at: http://support.checkpoint.com

To find out about what's new in NGX R65, read the NGX R65 What’s New document.

For information on upgrading your current Check Point deployment, refer to the Check Point R65 Upgrade Guide.

For upgrading Endpoint Security, refer to the Endpoint Security Installation Guide.

Endpoint Security Integration

For in-depth documentation of Provider-1/SiteManager-1 and SmartCenter Integration with Check Point Endpoint Security products, refer to:

• Endpoint Security Installation Guide

• R65 SmartCenter Administration Guide

Documentation Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

[email protected]

For New Check Point Customers

New Check Point customers can access the Check Point User Center in order to:

• Manage users and accounts

• Activate products

• Get support offers

• Open service requests

• Search the Technical Knowledge Base

To access the Check Point User Center, go to: https://usercenter.checkpoint.com/pub/usercenter/get_started.html.

What’s New in NGX R65

The NGX Internet Security Suite is a Check Point product that provides superior usability and management of your organization’s security environment. SmartCenter is now integrated with Connectra, InterSpect, and Integrity, enabling centralized management and monitoring of all security enforcement points.

NGX R65 has expanded its intelligent inspection technologies in VPN-1 Power and incorporates additional complex application support into state of the art stateful-inspection and application intelligence technology.

The following sections offer a brief overview of the advancements offered in NGX R65. For more information, see the What’s New in Check Point Enterprise Suite NGX R65 document.

In This Section:

• SmartCenter
• FireWall and SmartDefense
• Connectra Central Management
• VPN
• ClusterXL
• Eventia Analyzer
• Eventia Reporter
• SecureClient Mobile
• UTM-1 Edge
• Provider-1/SiteManager-1
• IPS-1

SmartCenter

NGX R65 introduces an additional infrastructure that enables the use of management plug-ins. The new plug-ins architecture introduces the ability to dynamically add new features and support for new products. Management plug-ins offer central management of gateways and other features not supported by your current NGX R65 SmartCenter or Provider-1/SiteManager-1. Management plug-ins supply new and separate packages that consist only of those components necessary for managing new gateway products or specific features, thus avoiding a full upgrade to the next release. Each plug-in:

• Is supplied with relevant documentation

• Is installed on SmartCenter Server or Gateway.

• Requires a specific version of SmartDashboard

For more information, refer to:

• CheckPoint_R65_SmartCenter_AdminGuide.pdf

• CheckPoint_R65_Provider1_AdminGuide.pdf

or visit:

http://www.checkpoint.com/ngx/upgrade/plugin/index.html

FireWall and SmartDefense

• AMT Support for Linux and SecurePlatform gateways

• Aggressive Aging

• EPS Enforcement

• Web (URL) Filtering

• Layer-2 Firewall deployment

• SIP enhancements for VoIP

• SYN cookies

Connectra Central Management

• New Connectra tab

• New tab for SmartDefense and Web Intelligence updates

• Support for Provider-1/SiteManager-1

• Support for SmartView Monitor counters

VPN

• Same local IP and Cluster IP address for VTIs

• Anti-spoofing for unnumbered interfaces on IPSO

• Dynamic routing support for remote VTIs in clusters

• Configurable metrics for dial-up routes

• Increased interoperability between SecurePlatform and IPSO

• Route-based VPN Improvements

• Customer defined scripts for VPN peers

• Route-based VPN and IP Clustering support

• RIM performance improvements on IPSO

ClusterXL

• Interface bonding for creation of a fully meshed redundant topology in High Availability configurations

• Support for multicast routing failover

Eventia Analyzer

Eventia Analyzer, for collecting, correlating, and consolidating network events in a central repository, is now included in the R65 product suite.

Eventia Reporter

• IPv6 Reporting

• DNS implementation

• Remote license management

• Installation options

• Support for multiple SmartCenter Servers from R54 onwards

• Integration with Eventia Analyzer

• Support for multiple Eventia Reporters in deployment

• Result limitation

SecureClient Mobile

SecureClient Mobile is a new client for mobile devices that includes VPN and firewall functionality and will be the future platform for additional features, including various security and compliance features. SecureClient Mobile replaces SecureClient for PocketPC. Designed to work on multiple platforms, SecureClient Mobile allows for easy deployment and upgrade.

For more information, the “What’s New” documentation is available online at http://www.checkpoint.com/techsupport/downloads.jsp.

UTM-1 Edge

With UTM-1 Edge you can now select a destination for the log files. The destination can be the SmartCenter server or Syslog (a standard logging mechanism in Unix based machines).

Provider-1/SiteManager-1

• Management Plug-ins View.

• Install on Dynamic Objects.

• Gateway Function Oriented Global Policy.

• Global Manager.

IPS-1

IPS-1 is now included in and delivered with the NGX R65 product suite.

IPS-1 is a Check Point product that provides superior usability and management of your organization’s internal security. The IPS-1 Server can now be integrated with SmartCenter, enabling centralized user management.

Version NGX R65 of IPS-1 also introduces significant improvements in functionality, usability, and design. The release also includes resolution of some limitations.

Check Point recommends that all existing NFR and Check Point customers upgrade their deployments to this version. New deployments should also be installed using the current version. From versions 5.x of all Management Servers, existing installations can be smoothly upgraded. Earlier versions, and all Sensors, will require full software re-installation.

This section briefly lists new features of version NGX R65. For more information, see the IPS-1 NGX R65 Release Notes.

In This Section

• Sensors
• IPS-1 Management Dashboard
• Alerts Concentrator and IPS-1 Server
• System Terminology

Sensors

Platforms

Check Point delivers the IPS-1 Power 1000 and 2000 (C/F) Sensor, for critical high-bandwidth (up to 4 Gbps in passive mode and 2 Gbps in inline mode) network security applications. The IPS-1 Power Sensors are delivered only as a pre-installed appliance, running BiviOS with Check Point’s IPS-1 software.

For regular (non-Power) Sensors of the current release, Check Point delivers both hardware with pre-installed software, and a software-only version. Both versions include Check Point’s SecurePlatform operating system and the IPS-1 Sensor software.

Regular (non-Power) Sensors are supported only on Check Point’s SecurePlatform. The Sensor installation (for the software-only version, or for eventual re-installation) and command-line configuration procedures are similar to those of Check Point’s VPN-1 network security products.

New Features

• Improved usability of configuration process.

• Enhanced security by hiding the encryption passphrase in cpinfo output.

• Licensing of all components is defined in IPS-1 Management Dashboard’s License Manager, accessible from the Policy Manager.

N-Code Enhancements

• N-Code optimizer performance and functionality improvements.

• New N-Code packet variables.

• The N-Code packet variable system.inline now indicates the Sensor’s current mode.


• New N-Code tcpwindowmaxsize built-in exception.

IPS-1 Management Dashboard

New Functionality

• System Settings tab in Policy Manager provides additional tools for controlling system behavior and performance.

• Single-tier Profile management.

• Option in Protection Overview to display only changed values.

• Granular control of protections including Active/Inactive, Confidence slider, and protection-specific variables.

• Ability to change Sensor Mode from Policy Manager, and new Sensor Mode column available in Alert Browser.

Usability and Design

• Significant design and usability improvements in all views, windows, and messages.

• Policy Manager now similar to Check Point’s SmartDefense.

• Policy Manager’s less commonly used features hidden except in the new Advanced mode.

• Protections are configured on their own individual pages.

• Protection Overview is now accessed from the Protection navigation tree in Policy Manager.

• Raw N-Code names replaced with user-friendly display names.

• Settings dialogs enhanced to prevent entering invalid configuration data.

• New Tooltips.

• Alert Browser filters have been re-organized alphabetically.


Other Changes

• IPS-1 Management Dashboard is now supported only on Windows.

Alerts Concentrator and IPS-1 Server

NGX R65 Integration

The IPS-1 Server and Alerts Concentrator can be installed on Check Point’s Linux-based SecurePlatform, in addition to other operating systems. SecurePlatform NGX R65 is supplied with IPS-1.

The IPS-1 Server (alone or with an Alerts Concentrator) can be installed together with a SmartCenter server for managing a VPN-1 deployment. In this case, IPS-1 will access and recognize SmartCenter administrator information, but not regular user information. It will be possible to log into the IPS-1 Server via the IPS-1 Management Dashboard with a SmartCenter Server administrator name and password. For usernames common to both IPS-1 and SmartCenter, the IPS-1 password and privileges will override the SmartCenter settings.

Functionality

• Alert transmission performance from Alerts Concentrators to IPS-1 Server has been significantly improved.

• Space Manager database access performance has been significantly improved.

• Export/Import windows replace the DBTool command-line utility for IPS-1 Server data migration, backup, and restore.

• Import and Export of IPS-1 Server data can now be safely performed while the system is running.

Resolved Limitations

• Fixed problem that caused intermittent database freezes.


• Space Manager now takes turns with other processes rather than blocking the Management Dashboard’s access to alert data.

System Terminology

Some IPS-1 terminology has changed. These include changes resulting from moving to the Check Point product line and other changes. The changes are:

Table 1-1

| Old Term | New Term |
|---|---|
| NFR Sentivist | IPS-1 |
| Sentivist (Power) Sensor | IPS-1 (Power) Sensor |
| Sentivist Server | IPS-1 Alerts Concentrator |
| Sentivist Enterprise Server | IPS-1 Server |
| Sentivist Protection Center | IPS-1 Management Dashboard |
| Package | Protocol (except for some special packages) |
| Backend | Protection Group |
| Alert definition / signature | Protection |
| Alert rule | Action |
| Alert Configuration (Policy Manager tab) | Alert Actions |
| Policy Inspector | Protection Overview |
| Inline fail-passthrough | Inline fail-open |
| Inline fail-severed | Inline fail-closed |
| Inline bridge | IPS Monitor-Only |
| Encryption Passphrase | Activation Key |

Chapter 2 Getting Started

This chapter contains information and terminology related to installing NGX R65.

In This Chapter:

• VPN-1 Power/UTM Terminology
• Provider-1/SiteManager-1 Terminology
• Hardware and Software Requirements
• Compatibility Tables
• Supported Upgrade Paths and Interoperability
• Licensing NGX R65

VPN-1 Power/UTM Terminology

The following VPN-1 Power/UTM terms are used throughout this chapter:

• Distributed Deployment: When the gateway and the SmartCenter server are installed on separate machines.

• Gateway: The VPN-1 engine that enforces the organization’s security policy and acts as a security enforcement point.

• Security Policy: The policy created by the system administrator that regulates the flow of incoming and outgoing communication.

• SmartCenter Server: The server used by the system administrator to manage the security policy. The organization’s databases and security policies are stored on the SmartCenter server and downloaded to the gateway.

• SmartConsole: GUI applications that are used to manage various aspects of security policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs.

• SmartDashboard: A SmartConsole GUI application that is used by the system administrator to create and manage the security policy.

• Standalone Deployment: When Check Point components responsible for the management of the security policy (the SmartCenter server and the gateway) are installed on the same machine.


Provider-1/SiteManager-1 Terminology

The following Provider-1/SiteManager-1 terms are used throughout this chapter.

• Customer: A business entity or subdivision of a business entity whose networks are protected by VPN-1 gateways, VPN-1 UTM Edge appliances or other Check Point compatible firewalls. The Customer’s security policies and network access are managed using Provider-1/SiteManager-1.

• Customer Log Module (CLM): A log server for a single Customer.

• Customer Management Add-on (CMA): The Provider-1 equivalent of the SmartCenter server for a single Customer. Using the CMA, an administrator creates security policies and manages customer gateways.

• GUI Client: A computer running Check Point GUI interfaces, such as the Provider-1 MDG, and other SmartConsole applications.

• Internal Certificate Authority (ICA): In addition to authenticating administrators and users, the ICA creates and manages X.509 compliant certificates for Secure Internal Communication (SIC) between VPN-1 gateways. The MDS has an ICA that secures the Provider-1 management domain. Each CMA has its own ICA to secure its customer’s management domain.

• Multi-Domain Log Module (MLM): An MDS Container dedicated to collecting and storing logs. An MLM is a Container of Customer Log Modules (CLMs).


• Multi-Domain Server (MDS): A server that houses Provider-1 system information. The MDS contains information on Provider-1 deployment, administrators, and customer management. The MDS has two modes:

  • Manager: Runs the Provider-1 deployment and is the administrator’s entry point into the Provider-1 environment.

  • Container: Holds the Customer Management Add-ons (CMAs).

  An MDS can be a Manager, a Container or both.

• Provider-1 Administrator: A security administrator, assigned with granular permissions, that manages specific parts of the Provider-1 system. Administrators can be assigned one of the following four permission levels:

  • Provider-1 Superuser: Manages the entire Provider-1 system, which includes all MDS servers, administrators (with all permission levels), Customers and customer networks.

  • Customer Superuser: Manages all administrators (with lower permission levels), Customers and customer networks.

  • Global Manager: A new type of administrator account in the MDG. With access to Global SmartDashboard, a Global Manager is capable of managing global policies and global objects. For a Global Manager to have additional access to CMA policies, read-write or partial access rights must be specifically assigned.

  • Customer Manager: Manages customer networks for specific Customers. Administrators with this permission level can use the MDG application, but they can only view and manage their assigned customers.

  • None: Manages customer networks for specific Customers, but cannot access the MDG application.

Hardware and Software Requirements

For all hardware and software requirements for each product and platform, see the latest version of the relevant Release Notes at:

http://support.checkpoint.com

Compatibility Tables

If the existing Check Point implementation contains products that are not supported by NGX R65, the NGX R65 installation process terminates. Table 2-1 and Table 2-2 list the NGX R65 supported Check Point products and VPN clients by platform.

Table 2-1 NGX R65 Supported Products by Platform

Platform and Operating System columns:

• Solaris: UltraSPARC 8, 9 & 10
• Microsoft Windows: Server 2003 (SP1-2); 2000 Advanced Server (SP1-4); 2000 Server (SP1-4); 2000 Professional (SP1-4); XP Home & Professional
• RHEL 3.0: kernel 2.4.21
• Check Point: SecurePlatform
• Nokia: IPSO 4.1 - 4.2

Check Point Product:

• VPN-1 Power / UTM: X X X X X X [1] X [2]
• SmartCenter Server: X X X X X X X [3]
• Provider-1/SiteManager-1 Server (MDS): X X [4] X
• VPN-1 Power VSX [5]: X
• Endpoint Security Server: X X X X X
• Eventia Suite [6]: X X X X X X
• UserAuthority Server: X X X X X X X X X [7]
• SSL Network Extender Server: X X X X X X X
• SmartConsole Applications: X [8] X X X X X
• Provider-1/SiteManager-1 MDG: X X X X X X
• SmartPortal: X X X X X X
• SmartLSM - Enabled Management & Enabled ROBO / CO Gateways: X [9] X X X X X X
• ClusterXL: X X [10] X X X X X [11]
• VPN-1 Accelerator Driver II: X [12]
• VPN-1 Accelerator Driver III: X X X X X X
• VPN-1 Accelerator Driver IV: X X X
• Advanced Routing: X X [13]
• Performance Pack: X X X [14]
• SecureXL Turbocard: X [15]
• OSE Supported Routers:
  • Nortel Versions: 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14
  • Cisco OS Versions: 9.x, 10.x, 11.x, 12.x

Notes to Compatibility Table

1. Anti Virus and Web (URL) Filtering are included on SecurePlatform.

2. Anti Virus and Web (URL) Filtering are supported on Nokia IPSO 4.2 only.

3. UTM-1 Edge devices cannot be managed from a SmartCenter server running on a Nokia IPSO platform.

4. Provider-1/SiteManager-1 is supported on both RHEL 3.0 AS and ES.

5. VPN-1 Power VSX gateways are also supported on Crossbeam Systems X-Series Security Services Switches.

6. Eventia Suite includes Eventia Reporter Server, Eventia Analyzer Server, and the Eventia Analyzer Correlation Unit.

7. UserAuthority is not supported on Nokia flash-based platforms.

8. The following SmartConsole clients are not supported on Solaris UltraSPARC platforms: SmartView Monitor, SmartLSM, Eventia Reporter Client, Eventia Analyzer Client, and the SecureClient Packaging Tool.

9. Enabled ROBO Gateways are not supported on Solaris platforms.

10. HA Legacy mode is not supported on Windows Server 2003.

11. ClusterXL is supported only in third party mode with VRRP or IP Clustering.

12. VPN-1 Accelerator Driver II is supported on Solaris 8 only.

13. Nokia provides Advanced Routing as part of IPSO.

14. Nokia provides SecureXL as part of IPSO.

15. NGX-compatible Turbocard driver is available at http://www.checkpoint.com/downloads/quicklinks/downloads_tc.html.

16. RHEL 3.0 & 4.0, AS & ES.

17. Solaris 8 is not supported for IPS-1 Management Server and Alerts Concentrator.

Table 2-2 NGX R65 Supported Clients by Platform


Notes to Clients Compatibility Table

1. Microsoft Installer support is required for installation of Endpoint Security clients on the Windows platform.

Check Point Product

Mac Linux

Server 2003 (SP1)

2000 Server / Advanced Server (SP1-4)

2000 Professional (SP1-4) / XP Home & Professional

Mobile 2003

2003SE 5.0

OS "X"

SecuRemote X X X

SecureClient X X X X

SecureClient Mobile X

SSL Network Extender X X X

Endpoint Security clients 1 X X

Windows

Operating System


Supported Upgrade Paths and Interoperability

In This Section

VPN-1 Upgrade Paths and Interoperability
Upgrading SmartCenter Servers
Backward Compatibility For Gateways
IPS-1 Upgrade Paths and Interoperability

VPN-1 Upgrade Paths and Interoperability

SmartCenter servers and gateways exist in a wide variety of deployments. Consult Table 2-3 and Table 2-4 to determine which versions of your Management Server and Gateways can be upgraded to NGX R65.


Upgrading SmartCenter Servers

The following SmartCenter server versions can be upgraded to NGX R65:

Table 2-3 SmartCenter server Upgrade Paths

Release Version

VPN-1 Power/UTM NGX R62
VPN-1 Pro/Express NGX R61
VPN-1 Pro/Express NGX R60A
VPN-1 Pro/Express NGX R60
VPN-1 Pro NG R55W
VPN-1 Pro/Express NG With Application Intelligence R55
VPN-1 Pro/Express NG R55P
VPN-1 Pro/Express NG With Application Intelligence R54
VPN-1 Pro/Express NG FP3

Express CI R57 (Advanced Upgrade only)
GX 2.5

VSX 2.0.1
VSX NG AI
VSX NG AI Release 2

NGX

NG

VSX


Backward Compatibility For Gateways

NGX R65 SmartCenter server supports the following gateway versions:

Table 2-4 Backward Compatibility for Gateways

Note - NGX R65 cannot manage gateway versions NG, NG FP1, or NG FP2

Release Version

VPN-1 Power/UTM NGX R62
VPN-1 Pro/Express NGX R61
VPN-1 Pro/Express NGX R60A
VPN-1 Pro/Express NGX R60
VPN-1 Pro NG R55P
VPN-1 Pro NG R55W
VPN-1 Pro/Express NG With Application Intelligence R55
VPN-1 Pro/Express NG With Application Intelligence R54
VPN-1 Pro/Express NG FP3

Express CI R57
GX 2.5, 2.5, NGX

VSX NG AI
VSX NG AI Release 2
VSX NGX

InterSpect NGX
Connectra NGX R62

NGX

VSX

NG


Upgrading versions 4.0 and 4.1

Upgrading from versions prior to NG (4.0-4.1) is not supported. To upgrade FireWall-1 versions 4.0-4.1, upgrade the installed version to VPN-1 NG R55 (refer to the NG with Application Intelligence R55 Upgrade Guide). Once the VPN-1 NG R55 upgrade is complete, perform an upgrade to NGX R65.

For more information on upgrading your deployment, refer to the Check Point R65 Upgrade Guide.

IPS-1 Upgrade Paths and Interoperability

Upgrade Paths

Non-Power Sensors installed on SecurePlatform cannot be upgraded to the current version. A new installation is required.

Alerts Concentrators and IPS-1 Management Servers, including NFR Sentivist Servers and Enterprise Servers, and IPS-1 Power 1000 and 2000 Sensors, of versions 5.x, can be upgraded to the current version. From earlier versions, completely reinstall.

Interoperability

Management components of the current release, such as IPS-1 Management Server, Alerts Concentrators and Management Dashboard, are compatible with Sensors of versions 4.1 onwards.

The different management components (IPS-1 Management Server, Alerts Concentrators and Management Dashboard) must always be of the same version.


Licensing NGX R65

Most of the software on this CD is automatically enabled for a 15-day evaluation period. To obtain a permanent license, or to extend the evaluation period, go to the Check Point User Center at: https://usercenter.checkpoint.com.

Customers new to the Check Point User Center should go to: https://usercenter.checkpoint.com/pub/usercenter/get_started.html

For further licensing assistance, contact Account Services at: [email protected], or US +1 972-444-6600, option 5.

In This Section

Licensing VPN-1 Power/UTM
Licensing Provider-1/SiteManager-1
Licensing IPS-1
Licensing Eventia Suite

Licensing VPN-1 Power/UTM

Licenses are required for the SmartCenter server and the gateways. No license is required for SmartConsole management clients.

Check Point gateways enforce the license installed on the gateway by counting the number of users that have crossed the gateway. If the maximum number of users is reached, warning messages are sent to the console.

The Check Point software is activated using a certificate key, which is located on the back of the software media pack. The certificate key is used to generate a license key for products that you want to evaluate or purchase. To purchase Check Point products, contact your reseller.


Obtaining a License Key

To obtain a license key from the Check Point User Center:

1. Add the required Check Point products/evaluations to your User Center account by selecting Accounts & Products > Add Products.

2. Generate a license key for your products/evaluations by selecting Accounts & Products > Products.

Select your product(s) and click Activate License. The selected product(s) evaluations have been assigned license keys.

3. Complete the installation and configuration process by doing the following:

a. Read and accept the End Users License Agreement.

b. Import the product license key. Licenses are imported using the Check Point Configuration Tool or SmartUpdate. SmartUpdate allows you to centrally upgrade and manage Check Point software and licenses. The certificate keys associate the product license with the SmartCenter server, which means that:

• The new license remains valid even if the IP address of the Check Point gateway changes.

• Only one IP address is needed for all licenses.

• A license can be detached from one Check Point gateway and assigned to another.

Upgrading VPN-1 Power/UTM Licenses

Customers with versions prior to NGX R60 are required to obtain a new license when they upgrade to NGX R65. Check Point NGX R60 software does not work with licenses from previous NG versions.

The upgrade procedure is free of charge to purchasers of the Software Subscription service (Enterprise Base Support).


Licenses for versions prior to NG cannot be upgraded directly to NGX. You must first upgrade to NG and then upgrade the licenses from NG to NGX.

The license upgrade procedure runs the license_upgrade command, which makes it easy to automatically upgrade licenses.

For additional information on upgrading licenses, refer to the Upgrading VPN-1 Power/UTM Licenses to NGX R65 chapter in the Check Point R65 Upgrade Guide.

Licensing Provider-1/SiteManager-1

Provider-1/SiteManager-1 licenses are associated with the IP address of the licensed entity. The Provider-1 Multi-Domain Server (MDS) license is based on the server type: Manager, Container, Combined Manager and Container, or Multi-Domain Log Manager (MLM).

Manager: A license for the administrator's entry point into the Provider-1/SiteManager-1 environment. The Multi-Domain GUI (MDG) and the Global SmartDashboard tools can connect only to MDS servers with this license.

Container: A license that defines the maximum number of CMAs running on the MDS machine. With the exception of Provider-1 Enterprise Edition licenses, multiple container licenses can be added together on one container to enable the container to hold up to a maximum of 250 CMAs. In addition, each CMA requires its own CMA license. CMA Pro Add-on licenses, allowing additional management features at the CMA level, can be purchased in bulk. These purchase packages are called Pro Add-ons for MDS.

Combined Manager and Container: These licenses combine a Manager license with a Container license for a specific number of CMAs. In the case of SiteManager-1 licenses, there are no separate Manager and Container versions available, only the Combined Manager and Container license.


MLM: A comprehensive license that includes the Customer Log Modules (CLMs) it hosts. There is no need for a separate CLM license if CLMs are hosted on an MLM. A CLM hosted on an MDS server requires its own CLM license.

Each gateway requires its own license. Licenses are determined according to the number of computing devices (nodes) protected by the gateway. Provider-1 licenses can be imported using the Check Point command-line licensing tool or Provider-1's MDG. For additional information, refer to the Provider-1/SiteManager-1 Administration Guide.

Licensing IPS-1

The IPS-1 Management Server requires a license, defined with the ability to manage a fixed maximum number of Sensors. In a Combined installation, where the Alerts Concentrator is installed together with the IPS-1 Management Server, the Alerts Concentrator shares the IPS-1 Management Server’s license.

For any separate Alerts Concentrators and for all Sensors, obtain and add licenses. Licenses are added using IPS-1’s Management Dashboard.

The IPS-1 Management Dashboard does not require a license. However, without a licensed IPS-1 Management Server, the IPS-1 Dashboard will function only in Demo mode.

All licenses are stored on the IPS-1 Management Server and must have been generated according to the IPS-1 Management Server’s IP address.

Licensing Eventia Suite

All Eventia Suite licenses are installed on the Eventia Suite Server (not on the SmartCenter server).


Correlation Units are licensed by the number of units that are attached to the Eventia Analyzer Server.


Chapter 3 VPN-1 Setup and Installation

In This Chapter

Overview
Installing SecurePlatform with VPN-1
Installing NGX Products on Windows
Installing NGX Products on Solaris or Linux
Installing NGX Products on Nokia
Initially Configuring NGX Products
Where To From Here?

Overview

Check Point software is designed to work across multiple platforms and pre-configured appliances. Each installation differs depending on the product and the platform.

For upgrading an existing installation of VPN-1, see the Upgrade Guide.

VPN-1 NGX R65 can be installed in the following two types of deployments:

• Standalone Deployment: Check Point components that are responsible for the management of the security policy (the SmartCenter server and the gateway) are installed on the same machine.

• Distributed Deployment: The gateway and the SmartCenter server are installed on different machines.

In both deployments, SmartConsole can be installed on any machine by performing the following steps:

• Install the components that manage or enforce the security policy (for example, the SmartCenter server, the gateway, and the log server).

• Install one or more SmartConsole clients to manage different aspects of VPN-1 Power/UTM. For example, SmartDashboard is used by the system administrator to manage and create the security policy. Any number of SmartConsole GUI applications can be installed on the same machine.

Note - The TCP/IP network protocol must be installed, properly configured, and operational before you begin the installation process.


Installing SecurePlatform with VPN-1

In This Section

Installing SecurePlatform Using the NGX CD
Installing SecurePlatform Using the Network
Initially Configuring SecurePlatform
Installing NGX Products on SecurePlatform
Configuring SecurePlatform Using WebUI

Installing SecurePlatform Using the NGX CD

To install SecurePlatform using the NGX R65 CD:

1. Insert CD1 from the media pack into the CD drive, and boot the computer from the CD. After booting, Welcome to Check Point SecurePlatform appears. If you do not press Enter within 90 seconds, the computer boots from the hard drive.

The installation program is loaded.

2. The following options are displayed:

• Device List: When selected, the Hardware Scan Details menu displays.

• Add Driver: When selected, the Devices menu opens. Sometimes updated hardware is incompatible with the previous version’s driver and you receive an error message during installation because the operating system could not find the appropriate hard disk driver. Alternatively, the installation may be complete, but the hardware does not function properly. The Add Driver option enables you to add the missing driver during the installation process.

3. Select OK to install. The System Type screen opens.


4. When prompted with What type of system would you like to install?, select one of the following options, depending on the license you purchased:

• SecurePlatform

• SecurePlatform Pro (includes the Advanced Routing Suite and additional enhancements such as RADIUS authentication for administrators)

The Keyboard Selection menu opens.

5. Select a keyboard type.

6. From the Network Interface Configuration menu, define the management interface IP address, netmask and default gateway for the first network interface (eth0 on most systems).

7. From the HTTPS Server Configuration menu, enable or disable web-based configuration using SecurePlatform’s WebUI.

Note - If you intend to deploy VPN-1’s remote access or Endpoint Security software, select a port other than 443.

8. Select OK.

A message confirms that you are about to format your hard drive.

Warning - The formatting procedure erases all information located on your hard drive.

9. Select OK to format your hard drive, and extract and install SecurePlatform software components. The installation process can take several minutes to complete.

10. Remove the installation CD from the drive.

11. Select OK to reboot your system.

Continue to “Initially Configuring SecurePlatform” on page 51.


Installing SecurePlatform Using the Network

SecurePlatform can be installed using the network, by locating the CD distribution files on a remote file server, accessible by the target machine. Three types of servers (and protocols) can be used:

• FTP

• HTTP (web)

• NFS

To perform a network-based installation:

1. Prepare the file server.

2. Boot the target machine from the SecurePlatform boot diskette.

3. Point the installation program to your server.

Preparing a Network Installation Server

Prepare a Network Installation server by locating the CD distribution files on one of the supported remote file servers.

FTP

To prepare an FTP server as the Network Installation server:

1. Install an FTP server on a machine in your local network, or use an existing server.

2. Create a user account. (FTP installation can be either anonymous, or authenticated.)

3. Create a file server directory that will accommodate the distribution files, and that can be accessed by an FTP client.

Note - A Windows machine cannot be used as an FTP or HTTP server for installation.


4. Copy the entire contents of the SecurePlatform CD to the file server directory created in step 3.

5. Test the FTP connectivity from a remote machine before performing the installation.

HTTP

To prepare an HTTP server as the Network Installation server:

1. Install an HTTP server on a machine in your local network, or use an existing server.

2. Create a directory that will accommodate the distribution files and that can be accessed by an HTTP client.

3. Copy the entire contents of the SecurePlatform CD to the file server directory created in step 2.

4. Test accessing the relevant URL from a remote machine, before performing the installation.

NFS

To prepare an NFS server as the Network Installation server:

1. Install an NFS server on a machine, in your local network, or use an existing server.

2. Create a new directory, under a shared subdirectory, that will accommodate the distribution files, and that can be accessed by an NFS client.

Note - For FTP, you will use the user account and path to access the files.

Note - For HTTP, you will use a URL to access the files.


3. Copy the entire contents of the SecurePlatform CD to the file server directory created in step 2. Alternatively, you can export or mount the CD itself.

4. Test accessing the mounted directory from a remote machine, before performing the installation.
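An incomplete or altered copy on the file server is easiest to catch before the first target machine boots from it. The following is an added example, not part of the Check Point guide: it compares a SHA-256 manifest of the mounted CD with the file server directory created in the steps above. The two directory arguments are placeholders for your own mount point and server directory, and sha256sum is assumed to be installed on the file server.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): confirm that the network
# installation directory is an exact copy of the SecurePlatform CD.
# Assumptions: sha256sum is available; file names contain no newlines.

# make_manifest DIR
# Print one "hash  ./relative/path" line per regular file, sorted by path.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# verify_copy CD_DIR SERVER_DIR
# Return 0 only if SERVER_DIR holds exactly the files of CD_DIR with identical
# contents, 1 if anything is missing, extra or altered, 2 on a usage error.
verify_copy() {
    src=$1
    dst=$2
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "verify_copy: both arguments must be directories" >&2
        return 2
    fi
    tmp=$(mktemp -d) || return 2
    make_manifest "$src" > "$tmp/cd.sha256"
    make_manifest "$dst" > "$tmp/server.sha256"
    if diff "$tmp/cd.sha256" "$tmp/server.sha256" > "$tmp/diff.txt"; then
        rc=0
    else
        rc=1
        # "<" lines exist only in the CD manifest, ">" lines only on the server.
        # An altered file shows up once in each direction.
        sed -n \
            -e 's/^< [0-9a-f]*  \(.*\)$/missing or altered on server: \1/p' \
            -e 's/^> [0-9a-f]*  \(.*\)$/extra or altered on server: \1/p' \
            "$tmp/diff.txt" >&2
    fi
    rm -rf "$tmp"
    return $rc
}

# Stand-alone use: sh verify_copy.sh <mounted CD> <file server directory>
if [ "$#" -eq 2 ]; then
    verify_copy "$1" "$2" && echo "server directory matches the CD"
fi
```

Run it again whenever the server directory is touched, and keep the CD manifest somewhere other than the file server so a later change to the served files can be detected.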

Preparing a Network Installation Boot Diskette

You can install SecurePlatform from the network, using an FTP, HTTP, or NFS server. To do so, you must prepare a special network installation boot diskette, using the cpawrite utility.

You will need:

• a clean (formatted) 1.44 inch diskette

• the SecurePlatform CD

• a Windows PC

1. Insert the diskette and the CD into the PC.

2. Browse the CD to SecurePlatform/Images.

3. Drag the bootnet.img file to the cpawrite icon.

This will start the process that creates the network installation boot diskette.

To install SecurePlatform, using an FTP, HTTP, or NFS server:

1. Insert the floppy Boot Diskette that you created into the floppy drive and boot from there.

After rebooting, the SecurePlatform with Application Intelligence Installation screen is displayed.

2. Press Enter to confirm the installation. If you choose not to continue, you will be asked to remove the CD, or the diskette, and to reboot.

Note - For NFS, you will use the path to access the files.


After confirmation, the Welcome menu is displayed.

3. Select OK and press Enter. The Installation Method menu is displayed:

Figure 3-1 Installation Method menu

4. Select one of the following network installation methods, select OK, and press Enter.

• NFS image

• FTP

• HTTP

The Interface Selection menu is displayed.


Figure 3-2 Interface Selection menu

5. Select the Network Interface Card, connected to the network, where the file server is running, select OK and press Enter.

The Configure TCP/IP menu is displayed.


Figure 3-3 Configure TCP/IP menu

6. Specify the IP settings for this machine, select OK and press Enter. These IP settings will be used to create a TCP session to the file server, and will remain valid after installation is completed.

Depending on your Network Installation Method (FTP, HTTP, NFS), a selection window, asking for session parameters, will be displayed.

7. Enter the session details, select OK and press Enter. When asked for a path, enter the path to the directory where SecurePlatform resides. If you are using non-anonymous FTP, you will be asked for the account details.

The installation program reads the distribution files from the network, and the Welcome menu is displayed.

Note - Do not disconnect the network connection until you are instructed to reboot the target computer.


Initially Configuring SecurePlatform

After the operating system installation is complete and the computer has rebooted:

1. From the SecurePlatform boot menu, select Start in normal mode.

2. Log in using admin as your username and password.

3. When prompted, change the default username and password. Ensure that the new password contains more than six characters and has a combination of upper and lower case letters and numbers.

4. Run: sysconfig

A first-time configuration wizard opens, and displays a Welcome message.

5. Press n to proceed to the next menu.

The following Network Configuration menu options are displayed:

Option                 Purpose
Host Name              Sets and displays the host name
Domain Name            Sets and displays the Domain name
Domain Name Servers    Adds, removes, displays Domain name servers
Network Connections    Adds, configures, removes, displays network connections
Routing                Sets and shows a default gateway

6. Use the menu options to configure:

• The host name

• The domain name and at least one DNS server

• The computer’s network interfaces

• The default gateway (if required)


7. Once Network Configuration is complete, select the Time and Date Configuration menu option and configure the following:

• Time zone

• Date

• Local time

• Show date and time settings

8. Press n.

The Import Check Point Products Configuration window opens and displays the Fetch Import file from TFTP Server option. If you exported the configuration of another SecurePlatform installation, you can now import that configuration. For additional information, see the Upgrade Guide.

9. Press n to continue to products installation.

Continue to the following section.

Installing NGX Products on SecurePlatform

The Check Point product installation wizard continues from SecurePlatform’s first-time system configuration (sysconfig) wizard. Alternatively, run: sysconfig, and select Products Installation.

1. The wrapper welcome message appears, beginning the installation wizard. Press n.

2. Read and accept the End User License agreement.

3. Select which version of VPN-1 to install, either Check Point Power or Check Point UTM.

4. Select New Installation, or Installation Using Imported Configuration (the configuration imported in step 8).


Depending on the VPN-1 version you selected in step 3, a product list is displayed:

Check Point Power      Check Point UTM
VPN-1 Power            VPN-1 UTM
User Authority         User Authority
SmartCenter            SmartCenter UTM
Eventia Suite          Eventia Suite
Endpoint Security      Endpoint Security
Performance Pack       Performance Pack
SmartPortal            SmartPortal

5. Select the appropriate products and press n.

a. If you selected SmartCenter, decide whether it should be installed as a primary or secondary SmartCenter and whether a Log server should also be installed.

b. Select whether or not to install the Connectra Management NGX plug-in, which enables the central management of Connectra NGX R62CM gateways.

6. A message validates your choice of SmartCenter server. Press n.

SmartCenter server is installed. The Check Point Configuration Tool guides you through steps to define (for SmartCenter):

a. Licenses

b. Administrators

c. GUI clients

d. A Certificate authority

See: “Using the Configuration Tool on Unix Systems” on page 68.


7. Reboot the machine. IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections, for example, install policy operations. This policy remains in place until you have installed the first Security Policy.

Configuring SecurePlatform Using WebUI

You can also use the WebUI to configure network settings, apply a license, and install and configure products. After system reboot, use your browser to connect to the IP address specified in step 6 on page 44.


Installing NGX Products on Windows

The NGX R65 installation on a Windows platform is GUI based. The windows displayed during installation differ depending on the installed Check Point components.

To perform a new installation on a Windows platform:

1. Log on as Administrator and insert the CD. The wrapper automatically starts and a Congratulations message displays.

Review the Evaluation Options or select Read More about Installation and click Forward.

2. Accept the terms of the End Users License Agreement.

3. Select which version of VPN-1 to install, either Check Point Power or Check Point UTM.

4. Select one of the following installation options:

• Demo installation (SmartConsole only)

• New installation

• Installation using an imported configuration (for additional information, refer to the Check Point R65 Upgrade Guide)

5. Click Forward.

If you selected Installation Using Imported Configuration, you are prompted to provide the location of the imported configuration file.

Depending on the VPN-1 version you selected in step 3, a list of products is displayed:

Check Point Power      Check Point UTM
VPN-1 Power            VPN-1 UTM
SmartCenter            SmartCenter UTM
Eventia Suite          Eventia Suite
SmartConsole           SmartConsole
Endpoint Security      Endpoint Security
VPN-1 Client           VPN-1 Client
SmartPortal            SmartPortal
User Authority         User Authority

6. Select the products you wish to install and click Forward.

a. If you selected SmartCenter, decide whether it should be installed as a primary or secondary SmartCenter and whether a Log server should also be installed.

b. Select whether or not to install the Connectra Management NGX plug-in, which enables the central management of Connectra NGX R62CM gateways.

7. Confirm installation of selected products. Click Forward.

The selected products are installed.

8. To complete the installation process, configure the SmartCenter server or the gateway using the Check Point Configuration Tool. For first time installations, the Configuration Tool runs automatically and prompts you to (for SmartCenter):

a. Add licenses

b. Add administrators

c. Specify remote clients from which an administrator can log into SmartCenter server

d. Initialize the Internal Certificate Authority

e. Export the SmartCenter server fingerprint to a text file

For additional information, refer to the “Configuration Tool Overview” on page 64.


9. Reboot the machine. IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections, for example, install policy operations. This policy remains in place until you have installed the first Security Policy.


Installing NGX Products on Solaris or Linux

NGX R65 installation on Linux and Solaris platforms is run from a command line, with a wizard that guides you through installation. For SecurePlatform there is a separate installation procedure which is described in “Installing SecurePlatform with VPN-1” on page 43.

To perform a new installation on a Linux or Solaris platform:

1. Mount the CD on the appropriate subdirectory.

2. From the root directory of the CD, run:

./UnixInstallScript

The wrapper welcome message appears, beginning the installation wizard. Press n.

3. Read and accept the terms of the End User License Agreement.

4. Select which version of VPN-1 to install, either Check Point Power or Check Point UTM, and press n.

5. Select New Installation and press n.

6. Depending on the VPN-1 version you selected in step 4 a product list is displayed:

Check Point Power                Check Point UTM
VPN-1 Power                      VPN-1 UTM
SmartCenter                      SmartCenter UTM
Eventia Suite                    Eventia Suite
Endpoint Security                Endpoint Security
Performance Pack (on Solaris)    Performance Pack (on Solaris)
SmartPortal                      SmartPortal
User Authority                   User Authority


7. Select the products you wish to install and press n.

8. If you selected SmartCenter:

a. Select whether it should be installed as a primary or secondary SmartCenter, and whether a Log server should also be installed.

b. Select whether or not to install the Connectra Management NGX plug-in, which enables the central management of Connectra NGX R62CM gateways.

9. Confirm the selected products by pressing n.

10. Once product installation is complete, the Check Point Configuration tool will prompt for various configuration options. For a SmartCenter, the stages are:

a. Add licenses. The Check Point Configuration program only manages local licenses on this machine. The recommended way to manage licenses is using SmartUpdate.

b. Configure GUI clients (a list of hosts that are able to connect to the SmartCenter server using SmartConsole).

c. Configure group permissions by specifying a group name.

d. Configure the Certificate Authority, and save the CA’s Fingerprint to a file.

11. Reboot the machine.

IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections such as install policy operations. This policy remains in place until you have installed the first security policy.


Installing NGX Products on Nokia

The NGX R65 installation on Nokia platforms is performed from a console or Nokia Network Voyager (a secure web-based network element management application). Use a console to perform the initial configuration.

You can also use Nokia Horizon Manager to install and configure Check Point components on multiple Nokia appliances simultaneously. For additional information, refer to Nokia Horizon Manager documentation on the Nokia Support website:

http://support.nokia.com

NGX R65 software packages for Nokia IPSO 4.1 and 4.2 are available from the Check Point download center at: http://www.checkpoint.com/techsupport/downloads.jsp.

If you have purchased a new Nokia gateway with IPSO 4.2 already installed, then skip to step 13 on page 61.

If you are performing a new installation on an older IPSO gateway, then start here:

Before Installing:

• From the Check Point website, download: IPSO_Wrapper_R65.tgz.

• From Nokia, download: UTM-Base Build 004

To install NGX R65 with UTM functionality:

1. Enter the Network Voyager and open a CLI console.

2. Click System Configuration > Install New IPSO Image.

The New Image Installation Upgrade window opens.

3. Enter the following information (for IPSO 4.2):

• Enter URL to the image location

• Enter HTTP Realm (for HTTP URLs only)

• Enter Username (if applicable)

• Enter Password (if applicable)

Note - Verify from Nokia that you have IPSO 4.2 with UTM compatibility (IPSO 4.2 Build 041)

4. Click Apply.

You are informed that the file download and image installation may take some time.

5. Click Apply.

A message is displayed indicating that the new image installation process has started.

6. When you receive a Success message, click UP > UP > Manage IPSO Images.

The IPSO Image Management window opens.

7. Under the title Select an image for next boot, select the last downloaded image: IPSO 4.2

8. Click Test Boot.

9. Access the CLI console to see when the Reboot is complete. Once the Reboot is complete, go back to the Network Voyager to verify that the image was set properly.

10. In the Network Voyager, click Refresh and log in.

11. If you are not returned to the last window you were in, click System Configuration > Manage IPSO Images.

You should be able to see that the relevant IPSO Image is selected.

12. Select Commit testboot and click Apply.

13. Access the CLI console, and log in.

14. Type newpkg, and press Enter.

15. Use the FTP menu option to transfer the UTM-Base package.

16. Install the UTM-Base package.

Wait until a message informs you that the process is complete.

17. Activate the UTM-Base package.

18. In Voyager, verify that the UTM Base package is turned ON.

19. On the CLI, type newpkg, and press Enter.

20. Use the FTP menu option to transfer the IPSO_Wrapper_R65.tgz package.

21. Install the IPSO_Wrapper_R65 package.

Wait until a message informs you that the process is complete.

22. Type Reboot and press Enter.

23. From a console connection, run cpconfig.

24. Select a product:

• Check Point Power for headquarters and branch offices

• Check Point UTM for medium-sized businesses

25. Select an installation type, Stand Alone or Distributed.

26. Select Enterprise SmartCenter from the selection list.

27. Specify the SmartCenter type as Primary or Secondary.

28. Add Licenses.

29. Configure an administrator name and password.

30. Configure the GUI clients and hosts which can access the SmartCenter server using SmartConsole.

31. Configure Group Permissions.

32. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.

33. Configure the Certificate Authority, and save the CA’s Fingerprint to a file.

34. Start the installed products.

If you opt not to start the installed products at this time, they can be started later by running cpstart.

35. Reboot.

Enabling Native IPSO Security Servers

Once Anti-virus and Web filtering are enabled, the relevant traffic is blocked from passing through the gateway. If the relevant traffic is not blocked, run the fwlinux2ipso command on the gateway to manually activate the native IPSO security servers. (When the UTM-Base package was installed and activated, the native IPSO security servers should have been activated as well.)

Initially Configuring NGX Products

In This Section

• Configuration Tool Overview

• Using the Configuration Tool on Windows Systems

• Using the Configuration Tool on Unix Systems

• Logging In for the First Time

Configuration Tool Overview

The Configuration Tool runs automatically once the installation process is complete. The Configuration Tool can also be run manually by running the cpconfig command.

The configuration options vary according to installed product. The examples in this chapter are for a SmartCenter server.

The Configuration Tool is used to configure:

• Licenses: Generates a license for the SmartCenter server and the gateway.

• Administrators: Creates an administrator with SmartCenter server access permissions. The administrator must have Read/Write permissions in order to create the first security policy.

• GUI Clients: Creates a list of names or IP addresses for machines that can connect to the SmartCenter server using SmartConsole.

• Key Hit Session: Creates a random seed for use in various cryptographic operations.

• Certificate Authority: Provides definitions that are used to initiate the Internal Certificate Authority, which enables secure communication between the SmartCenter server and its gateways. For some operating systems, such as Windows, you must specify the name of the host where the ICA resides. You may use the default name or provide your own. The ICA name should be in the hostname.domain format, for example, ica.checkpoint.com.

• Fingerprint: Verifies the identity of the SmartCenter server the first time you log in to SmartConsole. Upon SmartConsole login, a Fingerprint is displayed. This Fingerprint must match the Fingerprint shown in the Configuration Tool window in order for authentication to succeed. You may want to export this Fingerprint for verification purposes when you log in to SmartConsole for the first time.

Using the Configuration Tool on Windows Systems

To configure the NGX R65 using the Configuration Tool on Windows systems:

1. Open the Configuration Tool by selecting Start > Run > cpconfig.

2. In the Licenses tab, perform one or both of the following procedures:

a. Fetch one or more licenses from a file.

i. Click Fetch from File.

ii. Browse to the license file, select it and click Open. The license(s) that belong to this host are added.

b. Add a license manually.

i. Click Add. The Add License window opens.

ii. Configure the appropriate options in the Add License window.

iii. Click OK to add the newly configured license.

3. Click Next.

4. In the Administrators tab, click Add. Add an administrator that uses SmartConsole to connect to the SmartCenter server. From NGX version R60, only one administrator can be added using the Configuration Tool. Additional administrators can be added using SmartDashboard.

5. From the Add Administrator window, configure the required parameters and click OK.

6. Click Next.

7. On the GUI Clients tab, add a GUI client.

8. Type the GUI client’s name in the Remote hostname field.

9. Click Add. You can add a GUI client using any of the following formats:

• IP address: For example, 1.2.3.4.

• IP/netmask: A range of IP addresses, for example, 192.168.10.0/255.255.255.0.

• Machine name: For example, Alice, or Alice.checkpoint.com.

• Any: Any IP address.

• IP1-IP2: A range of IP addresses, for example, 192.168.10.8 - 192.168.10.16.

• Wild cards: For example, 192.168.10.

10. Click Next.

Note - If you do not define at least one GUI client, you can only manage the SmartCenter server from a GUI client that runs on the same machine as the SmartCenter server.

11. In the Certificate Authority tab, add a name using the <hostname>.<domain name> format, for example, <hostname>.checkpoint.com. This option enables you to initialize an Internal Certificate Authority (ICA) on the SmartCenter server and a Secure Internal Communication (SIC) certificate for the SmartCenter server. SIC certificates authenticate communication between Check Point communicating components, or between Check Point communicating components and OPSEC applications.

12. Click Next. The Fingerprint window opens and displays the Fingerprint of the SmartCenter server. The Fingerprint, a text string derived from the SmartCenter server certificate, is used to verify the identity of the SmartCenter server that is being accessed through SmartConsole.

13. From the Fingerprint window, click Export to file and save the file. The Fingerprint is exported to a text file that can be accessed from the SmartConsole client machine(s) and used to confirm the Fingerprint of the SmartCenter server.

14. Once configuration using the Configuration Tool is complete, do the following:

a. From SmartConsole, perform a first time connection to the SmartCenter server. The Fingerprint of the SmartCenter server displays.

b. Ensure that the SmartCenter server Fingerprint matches the Fingerprint displayed in SmartConsole.

15. Close the Configuration Tool.

Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.

Note - Do not perform a first time connection to the SmartCenter server from SmartConsole unless the SmartCenter server Fingerprint is accessible and you can confirm that it matches the Fingerprint displayed in SmartConsole.

Using the Configuration Tool on Unix Systems

To complete the installation process, use the Check Point Configuration Tool to configure the SmartCenter server or gateway.

To configure the NGX R65 using the Configuration Tool on Unix systems:

1. Access the Configuration Tool.

2. Add licenses. A license can be added manually or fetched from a file.

3. Add administrators. Add an administrator that uses SmartConsole to connect to the SmartCenter server. Only one administrator can be added using the Configuration Tool. Additional administrators can be added using SmartDashboard.

4. Define GUI clients. You can add GUI clients using any of the following formats:

• IP address: For example, 1.2.3.4.

• IP/netmask: A range of IP addresses, for example, 192.168.10.0/255.255.255.0.

• Machine name: For example, Alice, or Alice.checkpoint.com.

• Any: Any IP address.

• IP1-IP2: A range of IP addresses, for example, 192.168.10.8 - 192.168.10.16.

• Wild cards: For example, 192.168.10.

5. Initialize the Internal Certificate Authority.

This option enables you to initialize an Internal Certificate Authority (ICA) on the SmartCenter server and a Secure Internal Communication (SIC) certificate for the SmartCenter server. SIC certificates authenticate communication between Check Point communicating components, or between Check Point communicating components and OPSEC applications.

Note - For first time installations, the Configuration Tool runs automatically. The Configuration Tool can also be run after installation is complete using the cpconfig command.

6. Export the SmartCenter’s fingerprint to a text file. The fingerprint, a text string derived from the SmartCenter server certificate, is used to verify the identity of the SmartCenter server that is being accessed through SmartConsole. The first time SmartConsole connects to the SmartCenter server, compare this string to the string displayed in SmartDashboard.

7. Start the installed products.
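The GUI client formats listed in the Windows and Unix procedures above differ widely in how many hosts they admit to the SmartCenter server. The following added example (not part of the Check Point guide or its tooling) classifies entries written in those formats and flags the broad ones. The function names, the 256-address threshold, the sample list, and the reading of a wildcard as a leading-octet prefix with a trailing dot or `*` are assumptions.

```python
import ipaddress
import re

# Hostname labels: letters, digits and hyphens, separated by dots.
_NAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*"
)
# Assumed wildcard syntax: one to three leading octets, optional trailing "*".
_WILDCARD_RE = re.compile(r"((?:\d{1,3}\.){1,3})\*?")
# IP1-IP2, with or without spaces around the dash (the guide's example has them).
_RANGE_RE = re.compile(r"(\S+)\s*-\s*(\S+)")


def _ipv4(text):
    """Return an IPv4Address, or None if text is not a valid dotted quad."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def classify_gui_client(entry):
    """Return (kind, address_count) for one GUI client entry.

    address_count is None for machine names, because the set of addresses
    depends on name resolution at connection time.
    """
    e = entry.strip()
    if not e:
        raise ValueError("empty entry")
    if e.lower() == "any":
        return ("any", 2 ** 32)

    m = _RANGE_RE.fullmatch(e)
    if m:
        lo, hi = _ipv4(m.group(1)), _ipv4(m.group(2))
        if lo is not None and hi is not None:
            if hi < lo:
                raise ValueError("range end precedes range start")
            return ("range", int(hi) - int(lo) + 1)

    if "/" in e:
        # Accepts the guide's IP/netmask form, e.g. 192.168.10.0/255.255.255.0.
        net = ipaddress.IPv4Network(e, strict=False)
        return ("netmask", net.num_addresses)

    m = _WILDCARD_RE.fullmatch(e)
    if m:
        octets = m.group(1).rstrip(".").split(".")
        if any(int(o) > 255 for o in octets):
            raise ValueError("octet out of range")
        return ("wildcard", 256 ** (4 - len(octets)))

    if _ipv4(e) is not None:
        return ("ip", 1)
    if re.fullmatch(r"[\d.]+", e):
        raise ValueError("malformed IPv4 address")
    if _NAME_RE.fullmatch(e):
        return ("name", None)
    raise ValueError("unrecognized GUI client format")


def audit_gui_clients(entries, max_addresses=256):
    """Return (entry, kind, address_count, verdict) for each entry."""
    findings = []
    for entry in entries:
        try:
            kind, count = classify_gui_client(entry)
        except ValueError:
            findings.append((entry, "invalid", None, "reject"))
            continue
        if kind == "name":
            verdict = "review-name-resolution"
        elif count > max_addresses:
            verdict = "too-broad"
        else:
            verdict = "ok"
        findings.append((entry, kind, count, verdict))
    return findings


# Constructed sample list; the first six entries reuse the guide's examples.
SAMPLE_ENTRIES = [
    "1.2.3.4",
    "192.168.10.0/255.255.255.0",
    "Alice.checkpoint.com",
    "Any",
    "192.168.10.8 - 192.168.10.16",
    "192.168.10.",
    "10.0.0.0/255.0.0.0",
    "300.1.1.1",
]

if __name__ == "__main__":
    for entry, kind, count, verdict in audit_gui_clients(SAMPLE_ENTRIES):
        print(f"{entry!r:34} {kind:9} {str(count):>11} {verdict}")
```
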

Logging In for the First Time

The Login Process

Administrators connect to the SmartCenter server through SmartDashboard using the same process as SmartConsole clients. The administrator and the SmartCenter server are first authenticated (to create a secure channel of communication) and then the selected SmartConsole starts.

After the first login, the administrator can create a certificate for subsequent logins. For additional information on how to create a certificate, refer to the R65 SmartCenter Administration Guide.

Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.

Authenticating the Administrator

To authenticate the administrator:

1. Open SmartDashboard by selecting Start > Programs > Check Point SmartConsole NGX R65 > SmartDashboard.

2. Log in using the User Name and Password defined in the Configuration Tool’s Administrators page during the SmartCenter server installation.

If you are using a locally stored certificate to authenticate your connection, browse to its location and enter the certificate’s password. The certificate’s password can be changed by expanding the More Options link and clicking Change Password.

3. Specify the name or IP address of the target SmartCenter server and click OK.

4. Decide whether to connect in Read Only mode. This mode enables you to view the current configuration without accidentally changing it. It also gives access to SmartCenter server when another designated administrator is already connected.

5. More Options. Clicking the More Options link enables you to fine tune how SmartDashboard connects to SmartCenter server.

• The Change Password button in the Certificate Management area of the dialog enables you to change the password that protects the certificate.

• Session Description. Descriptive information entered here populates the Session ID field available in SmartView Tracker’s Audit Mode. The field can be used to explain why a particular administrator is connecting to SmartCenter Server.

• Use compressed connection. This option optimizes the connection to SmartCenter server. By default, the connection to SmartCenter server is compressed. For a very large configuration database, disabling the compression may help reduce load on the SmartCenter server.

• Do not save recent connections information. By default, SmartDashboard server remembers the last user ID and SmartCenter to which a connection was made. Select this option to prevent SmartDashboard from displaying the last administrator and SmartCenter server to which the administrator successfully connected.

• Plug-in Demo Mode. This option enables SmartDashboard demo mode to display windows and options specific to a particular plug-in. Select the plug-in from the Versions drop-down box.

6. Manually authenticate the SmartCenter server using the Fingerprint provided during the configuration process.

Note - This step is only necessary the first time you log in from a given client computer, since once the SmartCenter server is authenticated, the Fingerprint is saved in the SmartConsole computer’s registry.

Where To From Here?

You have now learned the basics that you need to get started. The next step is to obtain more advanced knowledge of your Check Point software.

Check Point documentation is available in PDF format on the Check Point CD and the Technical Support download site at: http://support.checkpoint.com

Be sure to also use the Check Point Online Help when you are working with the Check Point SmartConsole clients.

For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at: http://support.checkpoint.com

Chapter 4 Provider-1 Setup and Installation

In This Chapter

• Overview

• Building the Standard Provider-1 Network

• Logging Into the MDG

• Where To From Here?

Overview

A typical Management Service Provider (MSP) handles many different customer systems. Provider-1/SiteManager-1 is compatible with a wide range of customer security schemes and product deployments. Figure 4-1 shows a sample Provider-1 deployment.

Figure 4-1 Sample Provider-1 Deployment

The standard Provider-1 deployment has the following components:

• MDS: Each Provider-1 network must have at least one Manager and one Container, which can be installed on the same server, or separately.

• MDG and SmartConsole applications: These applications are installed on a GUI client and support centralized system management.

• CMAs: Each CMA manages the network of a single customer domain. CMAs are installed on a Container MDS.

• Customer gateways: A gateway that protects the customer’s networks.

• NOC gateways: A gateway that protects the MSP headquarters and Network/Security Operations Centers.

Note - Depending on your system specifications, you must decide whether to manage the NOC gateways with a standalone SmartCenter or with the Provider-1 system. For Provider-1 systems, it is common to dedicate a Provider-1 customer as the NOC customer.

Building the Standard Provider-1 Network

This section describes how to build your first Provider-1 Operations Center following the workflow shown in Figure 4-2.

Figure 4-2

In This Section

• Setting Up Networking

• Installing the Gateways

• Installing and Configuring the MDS

• Installing SmartConsole and the MDG Client

• Installing SmartConsole

• Installing the MDG

• Uninstalling Provider-1

Setting Up Networking

The MDS server host and the VPN-1 gateways should be TCP/IP ready. The MDS server machine should include at least one interface with an IP address and have the ability to query a DNS server to resolve the IP addresses of other machine names.

Where applicable, ensure that routing is configured to enable IP communication between the:

• CMA/CLM and its managed gateways

• MDS and other MDSs in the system

• CMA and CLMs of the same customer

• CMA and its high availability CMA peer

• GUI client and MDS Managers

• GUI client and CMAs/CLMs

Installing the Gateways

Install both the NOC and the customer gateways. Gateway installation is performed using the Internet Security Product Suite CD. For additional information, refer to: “VPN-1 Setup and Installation” on page 41.

Installing and Configuring the MDS

For upgrading an existing installation of Provider-1, see the Upgrade Guide.

All MDS types, whether Manager, Container, or MLM, are created using the same installation process.

To create a primary manager:

1. Verify that you have superuser permissions.

Note - During gateway installation, record the activation key used to initialize SIC with each gateway's management server.

2. From the mounted directory, navigate to the subdirectory that matches the operating system of your MDS server - solaris2 or linux.

3. For Solaris and Linux, run the mds_setup script.

4. Select whether the MDS is:

• A Manager

• A Container

• A Manager and Container

• An MLM

If you decide that the MDS is a Manager (or that it is both a Manager and Container) specify whether this MDS is the Primary Manager. At least one Primary Manager must be created.

5. Specify whether the MDS should start automatically with each reboot (recommended). If you choose to restart automatically, select a default base directory when prompted.

6. Read and accept the License Agreement.

A list of the network interfaces on the MDS is displayed.

7. Enter the name of the primary interface — the interface through which the MDS will communicate with other MDSs in the Provider-1/SiteManager-1 network.

Note - When installing the MDS on SecurePlatform, the installation is performed using the SecurePlatform installer on the CD. Do not execute the mds_setup script directly.

Note - Any information that you enter at this stage can be modified later by rerunning the mdsconfig utility.

Note - If this is a Container MDS, Provider-1/SiteManager-1 additionally maps CMAs to this interface.

8. A 15-day trial license is automatically applied. If you have a valid permanent license, enter it now.

9. Select an operating system users group allowed to access the MDS files. If you do not select a users group, the root users group is given permissions to the files.

10. Initialize the primary Manager’s ICA. The ICA issues certificates to MDSs and administrators so that they can communicate securely with the system once Trust has been established.

A fingerprint is generated for the server. It is recommended to save this fingerprint for later reference.

11. Create an administrator. Enter a name and password, and assign the administrator’s authority level. Create at least one Provider-1 Superuser to set up the Provider-1/SiteManager-1 network. Create other administrators either now or later.

12. Configure at least one GUI Client: a computer authorized to access the MDG. A GUI Client can be identified by either IP address or Name (if the Name is routable on the network). Add other GUI clients either now or later.

13. When the mdsconfig utility finishes, set the source path by running (depending on your shell):

• For csh - source /opt/CPshared/5.0/tmp/.CPprofile.csh

• For sh - . /opt/CPshared/5.0/tmp/.CPprofile.sh

To avoid running the source path command each time you start the MDS, it is recommended to add these lines to your .cshrc or .profile files, respectively.

14. Start the MDS by running the script: mdsstart.

If your current shell is sh or bash, you must exit the shell after the MDS has started.

Installing SmartConsole and the MDG Client

The following instructions are used when installing SmartConsole applications on Windows platforms.

Installing SmartConsole

To install the SmartConsole on Windows platforms:

1. Access the windows/SmartConsole directory on the Provider-1 product CD.

2. Copy the SmartConsole executable to a temporary directory.

3. Start the installation by double-clicking the SmartConsole executable.

4. When the installation has completed, run SmartConsole applications from the Windows Start > Programs > Check Point SmartConsole R65 > SmartDashboard menu option.

Installing the MDG

To install the MDG package:

1. Access the windows/MDG directory on the Provider-1 product CD.

2. Copy the Prov1Gui executable to a temporary directory.

3. Start the installation by double-clicking the Prov1Gui executable.

4. When the installation has completed, run the MDG from the Windows Start > Programs > Check Point SmartConsole R65 > Provider-1 menu option.

Uninstalling Provider-1

To uninstall the MDS:

On Linux and Solaris, run:

mds_remove

Note - This command is not available on SecurePlatform.

To uninstall the MDG and SmartConsole applications:

From the Windows Start menu, select Settings > Control Panel > Add/Remove Programs.

Logging Into the MDG

In This Section

• Logging Into the MDG for the First Time

• Demo Mode

Logging Into the MDG for the First Time

To log in to the MDG for the first time:

1. Type the User Name and Password you defined during MDS installation.

2. Type the name or IP address of the MDS and click OK.

Upon MDG login, a secure communication channel is created to the MDS.

Note - When logging in to an MDS server for the first time, you are prompted to compare the Fingerprint of the ICA with the Fingerprint saved during MDS installation, to ensure that you are connected to the correct MDS host.

The Customer Contents mode in the MDG General pane opens:

Figure 4-3 MDG General Pane - Customer Contents Mode

The Customer Contents mode in the MDG General pane provides the following information:

• The Provider-1/SiteManager-1 root.

• The Customers, for example, Flowers, Good-Bank and Perfect-Luggage.

• The CMAs of each Customer, for example, the Customer Good-Bank has a single CMA (Single_CMA_For_Good-Bank).

• The gateways belonging to each Customer.

Demo Mode

When starting the MDG, you can select Demo mode. This mode does not require authentication or connection to the MDS. Demo mode is used to experiment and learn the MDG. It uses preconfigured sample objects and policies.

Operations performed while in Demo mode are stored in a local database, which allows you to continue a Demo session from the point at which you left off in a previous session.

Where To From Here?

You have now learned the basics that you need to get started. The next step is to obtain more advanced knowledge of your Check Point software.

Check Point documentation is available in PDF format on the Check Point CD and the Technical Support download site at: http://support.checkpoint.com

Be sure to also use the Check Point Online Help when you are working with the Check Point SmartConsole clients.

For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at: http://support.checkpoint.com

Chapter 5 IPS-1 Setup and Installation

In This Chapter

• Overview

• IPS-1 Deployment

• IPS-1 Management Installation and Setup

• IPS-1 Sensor Appliances

• IPS-1 Sensor Installation

• IPS-1 Management Dashboard Installation

• Post-Installation Steps

• Where To From Here?

Overview

In This Section

• IPS-1 System Architecture

• Platforms

IPS-1 System Architecture

Check Point’s IPS-1 is a dedicated intrusion prevention system (IPS) that delivers:

• Mission-critical protection against known and unknown attacks

• Unmatched management capabilities

• Granular forensic analysis

• Flexible deployment

• Confidence Indexing

An IPS-1 deployment includes the following components:

• IPS-1 Sensor: Detects and prevents internal network attacks, and sends alerts to the Alerts Concentrator.

• Alerts Concentrator: Manages and receives alerts from a group of Sensors, and stores the alerts in a MySQL database (included in the Alerts Concentrator installation). Multiple IPS-1 Alerts Concentrators can be distributed throughout the network as needed.

• IPS-1 Management Server: The central Management Server for the entire deployment. Receives and correlates relevant alert information from the Alerts Concentrator(s). Alert information is stored in a MySQL database, which is included in the IPS-1 Management Server installation.

• IPS-1 Management Dashboard: Windows-based remote graphical user interface (GUI) to the IPS-1 Management Server, for managing the IPS-1 system and for monitoring alerts. The IPS-1 Dashboard includes a number of independent interlinked windows, primarily:

• Policy Manager for configuring protections and managing the entire IPS-1 system.

• Alert Browser for viewing, tracking, and analyzing real-time alerts.

There are two deployment configurations for IPS-1:

• Combined Deployment - An Alerts Concentrator is installed together with the IPS-1 Management Server on the same computer.

• Distributed Deployment - The IPS-1 Management Server connects to one or more Alerts Concentrators installed on separate computers.

The installation steps for each deployment configuration are found in the Initial Configuration of Management Servers section of the Check Point Internet Security Product Suite Getting Started Guide Version NGX R65.

The following diagram illustrates the components of the IPS-1 system architecture with two Alerts Concentrators in a Distributed Deployment:

Figure 5-1 The IPS-1 System

Platforms

The IPS-1 Server and Alerts Concentrator can be installed on Check Point’s SecurePlatform or on other supported operating systems. SecurePlatform is provided with the IPS-1 installation media.

The IPS-1 Server can be installed together with a SmartCenter server for managing VPN-1 gateways and IPS-1 Sensors from the same platform. In this case, it is possible to log into the IPS-1 Server via the IPS-1 Management Dashboard with a SmartCenter Server administrator username and password. For usernames common to both IPS-1 and SmartCenter, the IPS-1 password and privileges override the SmartCenter settings.

IPS-1 (non-Power) Sensors are supported only on Check Point’s SecurePlatform.

Page 93: CheckPoint R65 Internet Security Products GettingStarted

IPS-1 Deployment

Chapter 5 IPS-1 Setup and Installation 93

IPS-1 Deployment

In This Section

• IPS-1 Sensor Deployment

• IPS-1 Management Deployment

IPS-1 Sensor Deployment

Sensor Placement

IPS-1 Sensors should be deployed at natural choke points according to network topology. Usually, Sensors should be just within the network firewall.

Placing Sensors outside the firewall is not recommended, because the Sensor is not then protected by the firewall, and the unfiltered traffic places a heavier load on the Sensor.

Ideally, network cores should also be protected with Sensors. In most cases, network core topology does not enable these Sensors to be placed inline, in which case the Sensors should be used for intrusion detection in passive mode.

Sensor Topology

In most cases, IPS-1 Sensors should be placed inline, enabling intrusion prevention. In some cases, such as in a complex switching environment in a network core, Sensors need to be used for intrusion detection in passive mode.

Sensors’ monitoring interfaces are layer-3 transparent and do not have IP addresses. Each Sensor has a management interface that requires an IP address, routable to and from the Alerts Concentrator. For enhanced security, it is recommended that management be on a separate, out-of-band network.


For full information on Sensor modes, see the IPS-1 Administration Guide.

Inline Intrusion Prevention

For intrusion prevention, Sensors should be connected inline, so that all of the traffic to be monitored flows through the IPS-1 Sensor. In this configuration, Sensors can drop traffic containing attacks, according to defined and configurable confidence indexing.

An inline Sensor’s behavior upon failure can be configured as either open, passing all traffic through, or closed, severing the traffic path.

Inline Sensors can be set to Bridge (Monitor-Only) mode, to avoid the possibility of false-positive traffic dropping. In bridge mode, you can track what the Sensor would have done in prevention mode. You can fine-tune your prevention settings in bridge mode, and later change to prevention mode.

Passive Intrusion Detection

The IPS-1 Sensor can be placed out of the path of network traffic, in which case it performs intrusion detection only.

For the Sensor to monitor traffic, a monitoring interface of the Sensor should be connected to one of the following:

• A hub’s port

• A switch’s SPAN (or ‘mirror’) port

• A network tap

A network tap has advantages over a switch’s SPAN port. For example, the switch could prevent (or be unable to send) some traffic out of the SPAN port.

For information on configuring and connecting the switch or tap, see the switch’s or tap’s documentation.


IPS-1 Management Deployment

In This Section

• Required IPS-1 Management Components

• IPS-1 Management Network

• Alerts Concentrator High Availability

Required IPS-1 Management Components

Every IPS-1 deployment must have exactly one IPS-1 Management Server.

At least one installation of the IPS-1 Management Dashboard on a Windows client host is necessary for managing the IPS-1 environment and for viewing and analyzing alerts.

The appropriate number of Alerts Concentrators varies according to the network and to administrative needs. The following rough guidelines should be considered:

• Each Alerts Concentrator is usually capable of handling around ten Sensors.

• It is not recommended for a single Alerts Concentrator’s database to approach 40 GB; if it does, an additional Alerts Concentrator is recommended.

For a rough estimate of appropriate database size, multiply the volume of monitored traffic (in Gbps) by the number of months of alerts you plan to maintain. The database size (in GB) should approach half of that product.

For example, if the Sensors that send alerts to a particular Alerts Concentrator collectively monitor 5 Gbps, and you want to maintain six months of back alerts, the database should be 12-15 GB. However, appropriate database size is also dependent on other factors, such as fine-tuning protections for your system to minimize false positives.


Optionally, one Alerts Concentrator can be installed together with the IPS-1 Management Server in a Combined installation. This Alerts Concentrator will share a license and some processes with the IPS-1 Management Server, but alert information is stored in separate database tables.

IPS-1 Management Network

For enhanced security, it is recommended that management be on a separate, out-of-band network.

TCP connectivity is required as follows:

• Connect from the IPS-1 Management Dashboard to the IPS-1 Management Server on port 8443

• Connect from the IPS-1 Management Server to any Alerts Concentrators on port 18272

• Connect from each Alerts Concentrator to the management interfaces of its IPS-1 Sensors, and vice versa, on port 1968

• (optional) Connect from the IPS-1 Management Server to the online update server (ips-packages.checkpoint.com) on port 2013

Make sure the firewalls in between each component are configured to allow this traffic.
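One way to verify the flows listed above from each component, as an added example that is not part of the Check Point guide. The role names, the inventory layout and the addresses are assumptions (the addresses are constructed documentation addresses); the ports and the update server name are the ones listed above.

```python
import socket

# Required TCP flows from the list above: (source role, destination role, port, optional).
REQUIRED_FLOWS = [
    ("dashboard", "server", 8443, False),
    ("server", "concentrator", 18272, False),
    ("concentrator", "sensor", 1968, False),
    ("sensor", "concentrator", 1968, False),  # the "and vice versa" direction
    ("server", "update", 2013, True),
]


def tcp_probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt as 'open', 'refused' or 'filtered'.

    'refused' means a reset came back: usually the host is reachable but the
    service is not listening (a rejecting firewall can also answer this way).
    'filtered' means no usable answer, which points at a firewall or routing.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, unreachable host or network, name lookup failure
        return "filtered"


def check_from(role, inventory, probe=tcp_probe):
    """Probe every flow that originates at `role`; run this on that component.

    inventory maps a role name to the list of hosts holding that role.
    Returns one dict per (destination host, port) that was probed.
    """
    results = []
    for src, dst, port, optional in REQUIRED_FLOWS:
        if src != role:
            continue
        for host in inventory.get(dst, []):
            results.append({"to": dst, "host": host, "port": port,
                            "optional": optional, "state": probe(host, port)})
    return results


def blocking_failures(results):
    """Required flows that did not reach a listening service."""
    return [r for r in results if r["state"] != "open" and not r["optional"]]


# Constructed inventory: RFC 5737 documentation addresses, not real hosts.
SAMPLE_INVENTORY = {
    "server": ["192.0.2.10"],
    "concentrator": ["192.0.2.20", "192.0.2.21"],
    "sensor": ["192.0.2.30"],
    "update": ["ips-packages.checkpoint.com"],
}

if __name__ == "__main__":
    import sys
    role = sys.argv[1] if len(sys.argv) > 1 else "server"
    for r in check_from(role, SAMPLE_INVENTORY):
        tag = "optional" if r["optional"] else "required"
        print(f'{role} -> {r["to"]} {r["host"]}:{r["port"]} ({tag}): {r["state"]}')
```

Run it once on each component with that component's role, because a flow can only be tested from its own source side.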

Alerts Concentrator High Availability

To ensure continuity of information flow from IPS-1 Sensors to the IPS-1 Management Server in the event of an IPS-1 Alerts Concentrator failure, you can configure an IPS-1 Sensor to report to a secondary IPS-1 Alerts Concentrator. This automatically redirects alerts and event data to the secondary Alerts Concentrator if the active Alerts Concentrator or the Sensor’s connection with it fails. You can deploy the secondary Alerts Concentrator in the same network as the active Alerts Concentrator.


For information on configuring Alerts Concentrator High Availability, see the IPS-1 Administration Guide.


IPS-1 Management Installation and Setup

In This Section

• Installation of IPS-1 Management Servers

• IPS-1 Management Dashboard Installation

• Completing IPS-1 Management Setup

Installation of IPS-1 Management Servers

This section discusses installing the IPS-1 Management Server and Alerts Concentrator.

The IPS-1 Management Server and Alerts Concentrator can be installed on Check Point’s SecurePlatform or on other supported operating systems. SecurePlatform is supplied with NGX R65.

To install IPS-1 Management Servers together with a SmartCenter, first install the SmartCenter according to the instructions in “VPN-1 Setup and Installation” on page 41. Then follow the instructions in “Installation on an Existing Operating System” on page 102.

To install Check Point’s SecurePlatform, follow the instructions in “Installation of SecurePlatform for IPS-1 Management” on page 99.

To install IPS-1 Management Servers on already installed and configured operating systems, follow the instructions in “Installation on an Existing Operating System” on page 102.

In This Section

• Installation of SecurePlatform for IPS-1 Management

• Installation on an Existing Operating System

• Initial Configuration of Management Servers

Installation of SecurePlatform for IPS-1 Management

To install SecurePlatform with the IPS-1 Management Server and/or Alerts Concentrator:

1. Insert CD6 from the media pack into the CD drive, and boot the computer from the CD.

After booting, Welcome to Check Point SecurePlatform appears. Make sure to press Enter within 90 seconds.

The installation program is loaded.

The following options are displayed:

• Device List: When selected, the Hardware Scan Details menu displays.

• Add Driver: When selected, the Devices menu opens. Sometimes updated hardware is incompatible with the previous version’s driver and you receive an error message during installation because the operating system could not find the appropriate hard disk driver. Alternatively, the installation may be complete, but the hardware does not function properly. The Add Driver option enables you to add the missing driver during the installation process.

2. Select OK to install.

The IPS-1 Products window appears.

3. Select Management Server, and OK.


4. Depending on the license you purchased, select one of the following options:

• SecurePlatform

• SecurePlatform Pro (includes the Advanced Routing Suite and additional enhancements such as RADIUS authentication for administrators)

5. Select a keyboard type.

6. In the Management Interface Configuration window, define the management interface IP address, netmask and default gateway. Select OK.

7. Select OK to format your hard drive, and extract and install SecurePlatform software components. The installation process can take several minutes to complete.

8. Press Enter to reboot.

9. When the computer is finished booting, log in with username: admin, and password: admin.

10. As prompted, change the password and username.

11. Run:

sysconfig

The first-time system configuration wizard begins.

12. Press n to proceed to the next menu.

The following Network Configuration menu options are displayed:

| Option | Purpose |
| --- | --- |
| Host Name | Sets and displays the host name |
| Domain Name | Sets and displays the Domain name |
| Domain Name Servers | Adds, removes, displays Domain name servers |
| Network Connections | Adds, configures, removes, displays network connections |
| Routing | Sets and shows a default gateway |

13. Use the menu options to configure:

• The hostname

• The domain name and at least one DNS server

• The computer’s network interfaces

• The default gateway (if required)

Note - Make sure the hostname and IP address are correctly defined at this stage. The IPS-1 software will take this information from the operating system at installation time. Subsequent changing of the hostname will be reflected in the application.

14. Once Network Configuration is complete, press n to continue to Time and Date Configuration. Configure the following:

• Time zone

• Date

• Local time

• Show date and time settings

Note - Network Time Protocol (NTP) can be configured through the command line interface after all of the installation procedures are complete. For more information, see “Configuring NTP on SecurePlatform” on page 116.

15. Press n.

Continue to “Initial Configuration of Management Servers” on page 103.

Installation on an Existing Operating System

To install an IPS-1 Management Server and/or Alerts Concentrator on an already installed and configured supported operating system:

1. Before installing an IPS-1 Management Server on Red Hat Linux, ensure proper connectivity between IPS-1 Management Dashboard and the IPS-1 Management Server by verifying that there is an /etc/hosts table entry for your IP address and server name. For example:

127.0.0.1 localhost localhost.localdomain

192.168.13.5 servername servername.example.com

2. Before an upgrade, do the following:

a. Stop the IPS-1 processes.

b. As a precaution, back up database files by copying the contents of the sdb/data directory to another host.

3. Make sure the hostname and IP address are correctly defined in the operating system. The IPS-1 software will take this information from the operating system at installation time. Subsequent changing of the hostname will not take effect.

4. Insert CD6 from the media pack, and mount it on the appropriate subdirectory.

5. From the CD’s root directory, run:

./UnixInstallScript [-splat]

On SecurePlatform, include the -splat flag. On other supported operating systems, omit the flag.
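The hosts-table check from steps 1 and 3, as an added example that is not part of the Check Point guide. Treating a server name listed on a loopback line as a problem is an assumption of this sketch, and the second sample table is constructed; the first sample is the table shown in step 1.

```python
import ipaddress


def parse_hosts(text):
    """Yield (address, [names]) per entry, skipping comments and blank lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def hosts_problems(text, server_ip, server_name):
    """Return a list of problems with the hosts-table entry for this server.

    An empty list means some line maps server_ip to server_name (short or
    fully qualified) and no line maps that name anywhere else.
    """
    want_ip = ipaddress.ip_address(server_ip)
    full = server_name.lower()
    short = full.split(".", 1)[0]
    problems, mapped_ok = [], False
    for ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append(f"unparseable address: {ip_text}")
            continue
        lowered = [n.lower() for n in names]
        if full not in lowered and short not in lowered:
            continue  # this line is about some other host
        if ip.is_loopback:
            # Assumption: a name on a loopback line may resolve to loopback,
            # which is not an address the Dashboard host can connect to.
            problems.append(f"{server_name} is listed on loopback line {ip_text}")
        elif ip == want_ip:
            mapped_ok = True
        else:
            problems.append(f"{server_name} maps to {ip_text}, expected {server_ip}")
    if not mapped_ok:
        problems.append(f"no entry maps {server_ip} to {server_name}")
    return problems


# The example table from step 1.
PAGE_EXAMPLE = """127.0.0.1 localhost localhost.localdomain
192.168.13.5 servername servername.example.com
"""

# Constructed failing case: the server name appears on the loopback line only.
LOOPBACK_ONLY = """127.0.0.1 localhost localhost.localdomain servername
"""

if __name__ == "__main__":
    import socket
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: pass the server's IP address as the only argument")
    with open("/etc/hosts") as fh:
        found = hosts_problems(fh.read(), sys.argv[1], socket.gethostname())
    print("\n".join(found) if found else "hosts table OK")
```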

Continue to the following section for the configuration process.

Initial Configuration of Management Servers

1. Press Enter to scroll down and read the End-User License Agreement. Then press y to accept.

IPS-1 packages are installed. This may take some time.

2. Answer whether this is an upgrade (y/n). If this is an upgrade, you are then prompted for the previous installation location.

3. Select an IPS-1 product to install:

a. IPS-1 Management Server (all components)

This installs the IPS-1 Management Server as a Combined Deployment, that is an IPS-1 Management Server with an Alerts Concentrator.

b. IPS-1 Management Server (without Alerts Concentrator)

This installs the IPS-1 Management Server as a Distributed Deployment, that is an IPS-1 Management Server only, without an Alerts Concentrator.

c. IPS-1 Alerts Concentrator

4. When installing an Alerts Concentrator, enter and then confirm an activation key with which the Alerts Concentrator will authenticate the IPS-1 Management Server. You will need this activation key when you add the Alerts Concentrator from the IPS-1 Dashboard.

5. When installing an IPS-1 Management Server or Combined installation, type and then confirm an IPS-1 login password. This will be the password to use when logging into the IPS-1 Management Server with the IPS-1 Dashboard for the first time with username: admin.

6. Select whether IPS-1 should start when the computer is booted.

IPS-1 processes start. This completes the installation process.

The IPS-1 Management Server is now configured. Continue to “Post-Installation Steps” on page 116.


IPS-1 Sensor Appliances

Introduction

This chapter discusses setting up Check Point pre-installed appliances. For third-party hardware, set up the hardware according to the third-party documentation, and then continue to “IPS-1 Setup and Installation” on page 89.

For considerations for Sensor location and network topology, see “IPS-1 Sensor Deployment” on page 93.

Check Point currently delivers the following Sensor appliances with the interface configurations listed:

• IPS-1 Sensor 50C:

    • Two 10/100Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as an IPS pair with bypass support, or in IDS (passive) mode as two monitoring interfaces

    • Two 10/100/1000Mbps copper Ethernet front-panel interfaces, of which one is the management interface and the other can be used in IDS (passive) mode as an additional monitoring interface

• IPS-1 Sensor 100C and 200C:

    • Four 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces

    • Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs without bypass support, or in IDS (passive) mode as additional monitoring interfaces

• IPS-1 Sensor 200F:

    • Four 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces

    • Four 1000Mbps Fiber front-panel interfaces with bypass support

    • Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs without bypass support, or in IDS (passive) mode as additional monitoring interfaces

• IPS-1 Sensor 500C:

    • Eight 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces

    • Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as additional monitoring interfaces

• IPS-1 Sensor 500F:

    • Eight 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces

    • Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as additional monitoring interfaces

    • One Gigabit fiber Ethernet front-panel interface with bypass support

• IPS-1 Sensor 1000C:

    • Eight 10/100/1000 copper Ethernet back-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces

    • Two 10/100/1000 built-in copper Ethernet back-panel interfaces, of which one is the management interface and the other should remain unused

• IPS-1 Sensor 1000F:

    • Eight Gigabit fiber Ethernet back-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces

    • Two 10/100/1000 copper Ethernet back-panel interfaces, of which one is the management interface and the other should remain unused

• IPS-1 Power Sensor 1000C/F:

    • Eight 10/100/1000 Mbps copper Ethernet interfaces (C model), or Gigabit fiber Ethernet interfaces (F model), used in IPS (inline) mode as IPS pairs, or in IDS (passive) mode as monitoring interfaces

    • One 10/100Mbps copper Ethernet front-panel interface for management

• IPS-1 Power Sensor 2000C/F:

    • A Primary chassis unit, including:

        • Eight 10/100/1000 Mbps copper Ethernet interfaces (C model), or Gigabit fiber Ethernet interfaces (F model), used in IPS (inline) mode as IPS pairs, or in IDS (passive) mode as monitoring interfaces

        • One 10/100Mbps copper Ethernet front-panel interface for management

    • An Expansion chassis unit, adding processors and RAM

Preparing the Sensor’s Environment

The IPS-1 Sensors require the following:

Table 5-1 IPS-1 Sensor Environmental Requirements

| | 50C | 200C/F | 500C/F | Power C/F |
| --- | --- | --- | --- | --- |
| Chassis size | 1 Rack Unit (RU), 19” | 1 Rack Unit (RU), 19” | 1 Rack Unit (RU), 19” | 2 chassis units x 2RU, 19” |
| Amps AC | 6.0/3.0 | 8.2/4.1 | 6.7/3.4 | 4/2 per chassis unit |
| Voltage Input Range | 100-240 | 100-127/200-240 | 100-127/200-240 | 90-255 |
| Operating Temperature | 0°C to +40°C | +10°C to +35°C | +10°C to +35°C | 0°C to +55°C |
| Non-Operating Temperature | -20°C to +80°C | -40°C to +70°C | -40°C to +70°C | -10°C to +70°C |
| Non-Operating Relative Humidity | 10-90%, non-condensing @ 35°C | 90%, non-condensing @ 35°C | 90%, non-condensing @ 35°C | 10-90%, non-condensing @ 35°C |
| Emissions | FCC Class A Device | FCC Class A Device | FCC Class A Device | FCC Class A Device |


Mount each unit onto the equipment rack.

Connect the power supply. For the Power Sensor, connect two power supplies to each of the two chassis units.

Setting Up Sensor Appliance Network Connections

Connect the management interface to the management network. On the 50C and Power 2000 models, the management interface is on the front panel. On other models, it should be one of the two built-in interfaces on the rear panel.

For working in IDS (passive) mode, any or all of the remaining interfaces can be used as monitoring ports.

For working in inline IPS mode, the inline pairs must conform to hardware configuration:

• For the 50C, the inline pair is marked on the front panel.

• For the 200 and 500 models, inline pairs are in vertical groupings.

• For the Power Sensors, inline interfaces are on the rear panel, horizontally paired. For example, in the diagram below, s1.e0 is paired with s1.e1.

Connecting the Power Sensor Chassis Units

With the supplied expansion cable, connect the Primary chassis unit’s Expansion slot A to the Expansion chassis unit’s Expansion slot B:

IPS-1 Sensor Installation

In This Section

• Connecting to IPS-1 Sensors

• Installing SecurePlatform and IPS-1 Sensors

• Initial Configuration of IPS-1 Sensors

• Initial Configuration of IPS-1 Power Sensor

Connecting to IPS-1 Sensors

You can run commands on the IPS-1 Sensor in one of three ways, depending on hardware configuration:

• A connected keyboard and monitor.

• A serial console (DTE to DTE), using terminal emulation software such as HyperTerminal (from Windows) or Minicom (from Unix/Linux systems). Connection parameters for Check Point appliances are:

    • For a regular (non-Power) IPS-1 Sensor appliance: 9600bps, no parity, 1 stop bit (8N1).

    • For an IPS-1 Power Sensor: 115200bps, 8 bit, no parity, 1 stop bit, no hardware or software (xon/xoff) flow control

    For third-party hardware connection parameters, see the third-party documentation.

• An SSH connection to the Sensor’s management interface (if sshd is configured).

Installing SecurePlatform and IPS-1 Sensors

The following instructions are for installing IPS-1 Sensor software on third-party hardware, or for reinstalling on a Check Point appliance.

IPS-1 (non-Power) Sensors are supported only on Check Point’s SecurePlatform operating system version NGX R65. The IPS-1 Sensor is installed with SecurePlatform in one installation process. You cannot reinstall the Sensor without reinstalling the operating system and formatting the hard disk.

To install SecurePlatform and the IPS-1 Sensor:

1. Insert CD6 from the media pack into the CD drive, and boot the computer from the CD.

After booting, Welcome to Check Point SecurePlatform appears. Make sure to press Enter within 90 seconds.

The installation program is loaded.

The following options are displayed:

• Device List: When selected, the Hardware Scan Details menu displays.


• Add Driver: When selected, the Devices menu opens. Sometimes updated hardware is incompatible with the previous version’s driver and you receive an error message during installation because the operating system could not find the appropriate hard disk driver. Alternatively, the installation may be complete, but the hardware does not function properly. The Add Driver option enables you to add the missing driver during the installation process.

2. Select OK to install.

The IPS-1 Products window appears.

3. Select Sensor, and OK.

4. Select the type of hardware you are using. If you are installing on hardware provided by Check Point (or old hardware provided by NFR), select Appliance. If you are installing on hardware supplied by another vendor, select Open Sensor.

5. Select a keyboard type. Select OK.

6. In the Networking Device window, select the management interface. Select OK.

7. In the Management Interface Configuration window, define the management interface IP address, netmask and default gateway. Select OK.

8. Select OK to format your hard drive, and extract and install SecurePlatform software components. The installation process can take several minutes to complete.

9. When installation is complete, remove the CD.

10. Press Enter to reboot.

Continue to the following section.

Initial Configuration of IPS-1 Sensors

Upon initial boot of an IPS-1 Power Sensor, follow the instructions in “Initial Configuration of IPS-1 Power Sensor” on page 114.

Upon initial boot of a freshly installed IPS-1 Sensor, including a new regular (non-Power) preinstalled appliance, configure it as follows:

1. Log in with username: admin and password: admin.

2. When prompted, change the password and username.

3. Run:

sysconfig

The first-time system configuration wizard begins.

4. Press n to proceed to the next menu.

The Network Configuration menu options appear.

5. Use the menu options to configure:

• The hostname

• The domain name and at least one DNS server

• The management interface

6. Once Network Configuration is complete, press n to continue to Time and Date Configuration. Configure the following:

• Date

• Time and time zone (GMT is for Power Sensors only)

• Show date and time settings

Enter n.

Note - Network Time Protocol (NTP) can be configured through the command line interface after all of the installation procedures are complete. For more information, see “Configuring NTP on SecurePlatform” on page 116.


7. Configure the following Alerts Concentrator options for the Sensor:

• IP address of primary Alerts Concentrator.

• For Alerts Concentrator High Availability, type an IP address of a second Alerts Concentrator. For more information on Alerts Concentrator High Availability, see the IPS-1 Administration Guide.

• An Activation Key, a character string of your choice, which you will enter into the IPS-1 Dashboard when adding the Sensor to an Alerts Concentrator.

Select Next.

8. Configure the Operating Mode options. For each field, select the field with the Enter key, and select the appropriate value.

• Operating Mode - one of the following:

    • IDS (passive): intrusion detection, no prevention. Packets do not pass from one interface to another.

    • IPS (inline, fail-closed): inline intrusion prevention. In fault conditions, all packets are dropped.

    • IPS (inline, fail-open): inline intrusion prevention. In fault conditions, all packets are passed through.

    • IPS Monitor-Only (inline, fail-open): inline bridge mode, but without actual prevention.

    For more information on Sensor modes, see the IPS-1 Administration Guide.

• Management Interface - displays (read-only) the IP address configured in the operating system.

• Inline Pair(s) - pairs of monitoring interfaces. Depending on your hardware, you may need to define the interface pairs that you will be using.

Select Next to complete the wizard.


You can modify the Sensor’s settings at any time by running the cpconfig command.

The IPS-1 Sensor is now installed and configured. Continue to “Post-Installation Steps” on page 116.

Initial Configuration of IPS-1 Power Sensor

Configure a freshly delivered or reinstalled IPS-1 Power Sensor as follows:

1. Log in with the displayed username and password.

2. Set a new login password, and select Next.

3. Set the date and UTC time, and optionally define an NTP server. Select Next.

4. Set the following:

• Hostname and domain name

• The Sensor’s IP information

Select Next.

5. Set the following:

• The IP address of the Primary Alerts Concentrator, and, for an Alerts Concentrator High Availability deployment, the IP address of the second Alerts Concentrator. For more information on Alerts Concentrator High Availability, see the IPS-1 Administration Guide.

• An Activation Key, a character string of your choice, which you will enter into the IPS-1 Dashboard when adding the Sensor to an Alerts Concentrator.

Select Next.

6. Press Enter to see the following available operation modes:


• IDS (passive): intrusion detection, no prevention.

• IPS (inline, fail-closed): inline intrusion prevention. In fault conditions, all packets are dropped.

• IPS (inline, fail-open): inline intrusion prevention. In fault conditions, all packets are passed through.

• IPS Monitor-Only (inline, fail-open): inline bridge mode, but without actual prevention.

For more information about Sensor modes, see the IPS-1 Administration Guide.

Select an operation mode and select Next. The system reboots.

7. The IPS-1 Power Sensor uses an internal network between components. The network address for this network is preset to 10.10.10.0/24. If this conflicts with your network addressing (for example, the Alerts Concentrator or Sensor are in a network with that same address), reconfigure the internal network address, as follows:

a. Log into the IPS-1 Power Series appliance as admin. The password is the same as for the nfr user.

b. At the prompt, type:

configure system

c. At the next prompt, type:

set mccp subset address <address>

where <address> is an available 24-bit network address (for example, 192.168.1.0).
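A check for the conflict described in step 7, as an added example that is not part of the Check Point guide. The list of networks in use and the candidate addresses are constructed; only the preset 10.10.10.0/24 and the 24-bit requirement come from the step above.

```python
import ipaddress

# Preset internal network of the Power Sensor, as stated in step 7.
PRESET_INTERNAL = ipaddress.ip_network("10.10.10.0/24")


def conflicts(internal, in_use):
    """Return the entries of in_use that overlap the internal network.

    Entries may be single addresses or CIDR networks. A wider network that
    contains the internal /24 (for example 10.0.0.0/8) counts as a conflict.
    """
    hits = []
    for item in in_use:
        net = ipaddress.ip_network(item, strict=False)  # bare address -> /32
        if net.overlaps(internal):
            hits.append(item)
    return hits


def choose_internal(candidates, in_use):
    """Return the first candidate usable as the new internal network address.

    A candidate must be a 24-bit network address (host bits zero) and must
    not overlap anything in in_use. Returns None if no candidate qualifies.
    """
    for cand in candidates:
        try:
            net = ipaddress.ip_network(f"{cand}/24")  # strict: rejects host bits
        except ValueError:
            continue  # e.g. 192.168.2.7 is a host address, not a /24 network
        if not conflicts(net, in_use):
            return str(net.network_address)
    return None


# Constructed sample: a wide management network, a LAN, and one host address.
IN_USE = ["10.0.0.0/8", "192.168.1.0/24", "172.16.5.20"]
CANDIDATES = ["10.10.20.0", "192.168.1.0", "192.168.2.7", "192.168.2.0"]

if __name__ == "__main__":
    clash = conflicts(PRESET_INTERNAL, IN_USE)
    if clash:
        print("preset 10.10.10.0/24 conflicts with:", ", ".join(clash))
        print("usable replacement:", choose_internal(CANDIDATES, IN_USE))
    else:
        print("preset internal network can stay as it is")
```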

You can modify the Sensor’s settings at any time by logging on as the nfr user.

The IPS-1 Power Sensor is now configured. Continue to “Post-Installation Steps” on page 116.


IPS-1 Management Dashboard Installation

IPS-1 Dashboard is a Java application and is supported on:

• Windows 2000 Professional with SP4

• Windows XP Professional with SP2

IPS-1 Dashboard can be installed from CD2. The installation files are also located on CD6 of the media pack in:

windows\CPipsClient

Run the setupwin32 executable, and follow instructions.

Post-Installation Steps

Once the IPS-1 components have been installed, one of the following procedures may be required before deploying them in the network.

In This Section

• Configuring NTP on SecurePlatform

• Completing IPS-1 Management Setup

• Completing IPS-1 Sensor Setup

Configuring NTP on SecurePlatform

IPS-1 components rely on Network Time Protocol (NTP) to coordinate the time on each component. Use the following commands to configure and manage NTP.

ntp

Configure and start the Network Time Protocol polling client.

Syntax

ntp <MD5_secret> <interval> <server1> [<server2>[<server3>]]

ntp -n <interval> <server1> [<server2>[<server3>]]

Parameters

Table 5-2 ntp Parameters

| parameter | meaning |
| --- | --- |
| MD5_secret | pre-shared secret used to authenticate against the NTP server; use “-n” when authentication is not required. |
| interval | polling interval, in seconds |
| server[1,2,3] | IP address or resolvable name of NTP server |

ntpstop

Stop polling the NTP server.

Syntax

ntpstop

ntpstart

Start polling the NTP server.

Syntax

ntpstart

Completing IPS-1 Management Setup

In This Section

• First Login

• The Setup IPS-1 Wizard

First Login

After installation, your initial login user name is: admin, and the password is the one you entered during the IPS-1 Management Server installation. Begin managing the IPS-1 system as follows:

1. Use the following command to verify that the IPS-1 Server (or Alerts Concentrator) processes are running:

a. On SecurePlatform, enter expert mode by typing expert and pressing Enter. On other operating systems, log in as root.

b. Run:

/etc/init.d/ips1 start


2. On the client computer, start the IPS-1 Management Dashboard. A login window appears:

3. Type your username and password, and specify the IPS-1 Server’s IP address or resolvable hostname. By default, the port number is 8443.

4. If you are trying to connect to the IPS-1 Server through a proxy server, expand the login window by clicking More Options and check Use Proxy. Type the proxy server’s connection and authentication information. Note that for Digest Proxy only HTTP is supported, not HTTPS.

5. Upon first login, you are prompted to Verify IPS-1 Management Server Certificate. If you are sure the presented certificate is coming from your IPS-1 Management Server, click Trust so that the IPS-1 Management Dashboard on the host you are working on trusts this IPS-1 Management Server in the future.

Note - The default username is admin.

When upgrading from a previous version of IPS-1, log in with the pre-existing usernames. The default username for prior versions of IPS-1 is nfr.

The Setup IPS-1 Wizard

If additional initial configuration is required, the Setup IPS-1 wizard starts after the initial login. The following sections explain the wizard pages that may appear.

Manage Licenses

A freshly installed IPS-1 Management Server comes with a fifteen-day trial license. If the trial license has expired, you must add an IPS-1 Management Server license obtained from Check Point’s User Center in order to continue working with IPS-1.

All licenses are stored on the IPS-1 Management Server and must have been generated according to the IPS-1 Management Server’s IP address.

To add a license:

1. Copy your license string, obtained from Check Point’s user center, to the clipboard.

A license string will include the following:

cplic putlic x.x.x.x 1Jan2001 xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx CPMP-IPS-5-NGX xx-xxxxxxxxxxx

2. In the License Manager, click Add.

3. Populate the fields by clicking Paste License. Click OK.


The added license appears in the license list.

In a Distributed Deployment, click Next to continue to the Add Alerts Concentrators page. In a Combined Deployment, the Alerts Concentrator installed with the Server will automatically be added.

Add Alerts Concentrators

Alerts Concentrators can be added now or later, but you must have at least one to proceed.

To add an Alerts Concentrator, click New.

The New Alerts Concentrator window appears:


Configure the Alerts Concentrator settings as follows:

1. In the Host field, type the Alerts Concentrator’s IP address or resolvable hostname.

2. Type and confirm the activation key that you specified during the Alerts Concentrator installation.

3. If there is a proxy server between the IPS-1 Server and the Alerts Concentrator, select Use Proxy and type the proxy’s connection and authentication information.

4. Make sure Receive Alerts is On.

5. If this Alerts Concentrator or the IPS-1 Server’s communication with it might be slower than others, select Avoid this server for help text. When an Alert Browser user right-clicks an alert and selects Alert Details, the IPS-1 Server first attempts to retrieve the Help Text from another Alerts Concentrator.

6. Click OK.

The Alerts Concentrator is added.

Completing IPS-1 Sensor Setup

Once the IPS-1 Sensor is installed and configured, for it to be managed and monitored by IPS-1 management, it needs to be added in the IPS-1 Management Dashboard.

In Policy Manager, add the Sensor to the IPS-1 system, as follows:

Note - Entering the Alerts Concentrator’s IP address is preferred to better protect against DNS spoofing.

Note - If you don’t have the activation key, log onto the Alerts Concentrator and set the activation key via the set_activation_key command.


1. In Policy Manager’s Sensors and Concentrators tab, select the Alerts Concentrator to which you are adding the new Sensor and click New Sensor.

The Add New Sensor window appears:

2. Type the Sensor Name exactly as defined on the Sensor itself, and click Next.

3. Type the Sensor’s IP address or resolvable Hostname.

4. Type and confirm the Activation Key, as defined during Sensor installation or in the Sensor’s Management Menu.


Click Next.

5. Select the Local Network Addresses that you want the IPS-1 Sensor to protect from the list of Recently Used Values and use the arrow buttons in the middle of the window to add, remove or change the order of the addresses in the list of Selected Host Types.

If your network does not appear in the Recently Used Values list, type the network address and netmask information into the field at the bottom of the window and press enter.

When all of your network addresses are listed in the Selected Host Types, click Next.

6. Select the Local Broadcast Addresses for the protected networks from the Recently Used Values and use the arrow buttons in the middle of the window to add or remove addresses from the list of Selected Host Types.

If your broadcast address does not appear in the Recently Used Values list, type the broadcast address into the field at the bottom of the window and press enter.

When all of your broadcast addresses are listed in the Selected Host Types, click Next.

7. Click New to assign descriptive names to your interfaces.

The Edit Interface Description window appears:

Note - You can reset the Activation key on the Sensor with the cpconfig command, or, in the case of an IPS-1 Power Sensor, by logging in as the nfr user


Enter the raw interface name as it is listed in the Sensor, and enter the descriptive name that you want to assign to that interface. Click OK.

8. Once you have finished modifying the names of the interfaces, press Finish to add the new Sensor to the Alerts Concentrator.

9. To apply the changes, click Install Policy.

For configuring protections and other settings, see the IPS-1 Administration Guide.

Where To From Here?

You have now learned the basics that you need to get started. The next step is to obtain more advanced knowledge of your Check Point software. Information regarding configuration and deployment of IPS-1 can be found in the Check Point IPS-1 Administration Guide.

Check Point documentation is available in PDF format on the Check Point CD and the Technical Support download site at: http://support.checkpoint.com

Be sure to also use the Check Point Online Help when you are working with the Check Point SmartConsole clients.

For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at: http://support.checkpoint.com


Chapter 6 Installing the Eventia Suite

In This Chapter

Eventia Suite Installation

Standalone Installation vs. Distributed Installation

Standalone Installation

Distributed Installation

Enabling Connectivity Through a Firewall

Preparing Eventia Suite in SmartCenter

Preparing Eventia Suite on Provider-1 MDS

Eventia Suite Installation

This chapter covers installing Eventia Suite. Eventia Suite is comprised of:

• Eventia Reporter, which consists of the Eventia Reporter Server and the Eventia Reporter Client.

• Eventia Analyzer, which consists of the Eventia Analyzer Server, Correlation Unit and the Eventia Analyzer Client.

For Hardware Requirements and Supported Platforms please refer to the Release Notes document.

This installation process consists of three phases:

1. Install Eventia Suite.

2. Prepare Eventia Suite in SmartCenter (refer to “Preparing Eventia Suite in SmartCenter”).

3. Configure Eventia Suite (refer to the Eventia Analyzer and Eventia Reporter User Guides respectively).


Standalone Installation vs. Distributed Installation

Eventia Reporter can be installed in either a “Standalone” installation or a “Distributed” installation, while the Eventia Analyzer can only be installed on a “Distributed” installation:

• Standalone installation — Eventia Reporter is installed on the same machine as SmartCenter server.

• Distributed installation — Eventia Reporter and Eventia Analyzer are installed on a machine dedicated to reporting.

• When working with Provider-1/SiteManager-1 or SmartCenter on Nokia, Eventia must be installed on a separate machine (distributed).

A distributed installation requires establishing Secure Internal Communication (SIC) between the two machines. The distributed installation is recommended for better performance.

Installing Eventia Suite on Multiple Versions of SmartCenter Management

Eventia Suite in a Distributed installation can work with multiple versions of SmartCenter Management from R54 and up.

When installed on a Distributed deployment, Eventia Suite recognizes all the Network Objects in the SmartCenter Management database via an internal process referred to as dbsync. With dbsync Eventia Suite can recognize objects from multiple versions (that is, from R54 and up).

Note - For Eventia Suite to read logs from a distributed log server, the database must be installed on the log server after the Eventia Suite installation is complete.

Standalone Installation

In This Section

Windows Platform

Solaris & Linux Platforms

SecurePlatform

Windows Platform

1. To install, log in as an administrator and launch the wrapper by double-clicking on the setup executable.

2. Click Next, and accept the terms of the license agreement.

3. Select either:

• Check Point Power

• Check Point UTM

Click Next.

4. Select New Installation.

5. From the Products list, select Eventia Suite. SmartCenter is automatically installed along with Eventia Reporter.

SmartCenter Server is needed because of its log server component.

6. Specify the type of SmartCenter Server to install:

• Primary SmartCenter

• Secondary SmartCenter

• Log Server

If you want a distributed deployment, select Log Server. If you want a standalone deployment, select Primary SmartCenter.


7. From the list of Eventia Suite components, select Eventia Reporter.

8. Click Next, and a list of products to install is displayed.

9. Verify the default install directory, or browse to a new location.

10. The Check Point Configuration program, CPConfig, opens.

11. Select Add and enter the Product License information provided by Check Point. Alternatively, you may use the 15-day evaluation license. Select OK, and then Next.

12. The Administrators window appears. Select Add and enter the administrator name and password. Select OK. Then set permissions for the administrator. Add more administrators if you like, and then select Next.

13. The GUI Clients window appears. Type in the IP address for a machine that will run the Eventia Analyzer Client in the Remote Hostname field. Select Add. Add more GUI Clients if you like, and then select Next.

14. To ensure secure communication between the Eventia Analyzer and SmartCenter servers, an identical Activation Key must be set on both. Enter a Secure Internal Communication (SIC) activation key and record it to be entered later on the SmartCenter server. Select Finish.

Return to the wrapper.

15. To complete the installation of the Eventia Reporter and to continue with the next phase of the installation, click Next and reboot the machine.

16. Launch SmartDashboard.

17. Install the Security Policy, (Policy>Install) or install the database (Policy>Install Database).

Solaris & Linux Platforms

1. Mount the CD on the relevant subdirectory.

2. In the mounted directory, run the script: UnixInstallScript.

3. Read the End-User License Agreement (EULA) and if you accept click Yes.

4. Select whether you would like to perform an upgrade or create a new installation.

5. Continue from step 5 of the Windows Platform procedure above in order to complete the installation.

SecurePlatform

1. After you install SecurePlatform from the CD, select the Eventia Reporter product from cpconfig or from the SecurePlatform Web GUI.

2. Select whether you would like to perform an upgrade or create a new installation.

3. Continue from step 5 of the Windows Platform procedure above in order to complete the installation.

Distributed Installation

In This Section

Windows Platform

Solaris & Linux & SecurePlatform

In a distributed installation, Eventia Suite and SmartCenter server are installed on separate machines.

Windows Platform

On the machine that will hold the Eventia Suite:

1. Login as an administrator and launch the wrapper by double-clicking on the setup executable.

2. Click Next, and accept the terms of the license agreement.

3. Select either:

• Check Point Power

• Check Point UTM

Click Next.

4. Select New Installation.

5. From the Products list, select Eventia Suite.

6. Specify Log Server as the type of SmartCenter Server to install. SmartCenter Server is needed because of its log server component.

7. From the list of Eventia Suite components, select the components that you want to install (Eventia Analyzer Server, Eventia Correlation Unit, Log Consolidator).

8. Click Next, and a list of products to install is displayed.

9. Verify the default install directory, or browse to new location.


10. The Check Point Configuration program, CPConfig, opens.

11. Select Add and enter the Product License information provided by Check Point. Alternatively, you may use the 15-day evaluation license. Select OK, and then Next.

12. The Administrators window appears. Select Add and enter the administrator name and password. Select OK. Then set permissions for the administrator. Add more administrators if you like, and then select Next.

13. The GUI Clients window appears. Type in the IP address for a machine that will run the Eventia Analyzer Client in the Remote Hostname field. Select Add. Add more GUI Clients if you like, and then select Next.

14. To ensure secure communication between the Eventia Analyzer and SmartCenter servers, an identical Activation Key must be set on both. Enter a Secure Internal Communication (SIC) activation key and record it to be entered later on the SmartCenter server. Select Finish.

Return to the wrapper.

15. To complete the installation of Eventia Suite and continue with the next phase of the installation, click Next and reboot the machine.

Solaris & Linux & SecurePlatform

1. Mount the CD from the relevant subdirectory and launch the wrapper.

2. From the list of Eventia Suite components, select the components that you want to install (Eventia Analyzer Server, Eventia Correlation Unit, Log Consolidator).

3. When prompted, perform a short random keystroke session to collect random data for cryptographic operations.

4. When prompted, create an activation key. Remember this key for later.

5. Enter Finish to complete the installation.


Enabling Connectivity Through a Firewall

Certain additions to the Rule Base need to be made if a Firewall exists between any Eventia Suite components and the Management Server, and either of the following conditions applies:

• the management is prior to NGX (R60)

• the implied rules have been disabled

If either of these conditions is true, modify the Rule Base to enable connectivity between components as follows:

Table 6-3 Additions to the Rule Base to Enable Connectivity

| Source | Destination | Service |
|---|---|---|
| Eventia Analyzer Client | Eventia Analyzer Server | CPMI |
| Eventia Reporter Client | Eventia Reporter Server | CPMI |
| Management Server | Eventia Analyzer and Reporter Server | CPMI, FW1_ica_push |
| Eventia Analyzer Server | Management Server | FW1_sam |
| Eventia Analyzer Server | Correlation Unit | CPD, CPD_amon |
| Correlation Unit | Eventia Analyzer Server | CPD_seam (TCP/18266) |
| Third-party devices that issue syslog messages | Log Server enabled to receive syslog messages | UDP syslog |


For NGX SmartCenter or above, the following rule needs to be added to the Rule Base if a firewall exists between any Eventia Analyzer components and the Management Server:

| Source | Destination | Service |
|---|---|---|
| Correlation Unit | Log Server | LEA |


Preparing Eventia Suite in SmartCenter

1. Launch SmartDashboard.

2. Create a new host for each Eventia Suite machine that contains an Eventia Suite component:

Manage > Network Object > New > Check Point > Host

3. In the General Properties window, click Communication and enter the activation key.

4. The version is not automatically entered if the Eventia Suite’s version is newer than SmartCenter. If so, select the most recent version available from the Version drop-down list.

5. In the Check Point product list, select the appropriate Eventia Suite component that you installed on the host that you created in step 2. If the SmartCenter version is pre-NGX, select both SmartView Reporter and Log Server in place of Eventia Analyzer Server or Eventia Correlation Unit.

6. Install the Security Policy, (Policy > Install) or install the database (Policy > Install Database) to make the Eventia Suite functional. This must be performed in order for Eventia Analyzer to function as a log server.

7. To enable the log server on the Eventia server, perform install database in SmartDashboard and select the Eventia server as one of the targets.

Working with R55 SmartCenter Server

To enable Eventia Analyzer to block attacks from specific IP addresses, SmartCenter servers of version R55 must be configured to accept SAM commands from the Eventia Analyzer.

On the Management Server, edit:

$CPDIR\conf\sic_policy.conf.

Under [Inbound rules], add the following line under # sam proxy:

DN_Mgmt ; Reporting_Tool; Any; sam ; sslca

Preparing Eventia Suite on Provider-1 MDS

Preparing Eventia Suite on Provider-1 MDS varies according to the version you are currently working with. Refer to the appropriate section below based on your version of Provider-1.

In This Section

For Provider-1/SiteManager-1 Version R55

For Provider-1/SiteManager-1 Version R60

For Provider-1/SiteManager-1 Version R61 and Up

For Provider-1/SiteManager-1 Version R55

In Provider-1/SiteManager-1 R55, Eventia Suite can read the logs of multiple CMAs with the use of putkey operations.

1. In the Provider-1/SiteManager-1 Global SmartDashboard, create a Check Point Host Object, name it, enter its IP address and enable the product SmartView Reporter.

2. Select Communication and enter the activation key you created during installation. Select Initialize to establish communication.

3. Select Close and OK.

4. From the File menu, select Save.

5. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.

Note - Do not run the Get Version operation. Instead, specify the most recent version possible.


6. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want the Eventia Suite to read logs.

7. To enable the syslog server, run the following commands from the command line of the Eventia machine:

a. syslog -r

b. cpstop

c. cpstart

8. On the Eventia Suite machine and/or the Correlation Unit machine that will read logs from a CMA, run the command cpstop.

9. Edit the file sic_policy.conf, which is located in the directory $CPDIR/conf. Search for the section [Outbound rules], and change the following lines from:

# for log_export tool and Abacus analyzer

ANY ;ANY ;ANY; lea ; sslca

to:

# for log_export tool, Eventia Analyzer Provider-1

ANY ;ANY ;ANY; lea ; ssl , sslca

10. On the Eventia Suite machine, run the command cpstart.

11. On the Provider-1/SiteManager-1 MDS, run the command mdsstop.

Note - Wait a couple of minutes for the objects to synchronize between the MDS and Eventia Analyzer.

Note - Be sure to insert ssl , before sslca.


12. Edit the file sic_policy.conf, which is located in the directory $CPDIR/conf. In the section [Inbound rules], locate the following two lines:

# log export to DB utility (lea client from any SVN host)

ANY ; CP_PRODUCT; ANY; lea ; sslca

Add the following rule after these lines:

ANY ;ANY ;ANY; lea ; ssl

13. Run the command mdsstart.

14. Execute the putkey operation in the following manner:

a. On the Eventia Suite machine, run cpstop and fw putkey -p [shared_password] [CMA_IP].

b. On the MDS, while in the CMA environment, run mdsstop_customer [CMA_IP] and fw putkey -p [shared_password] [Eventia Suite Server_IP].

c. Run mdsstart_customer [CMA_IP] on the CMA.

d. Run cpstart on the Eventia Suite machine.
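The sic_policy.conf edits in steps 9 and 12 can be checked on copies of the two files before the services are started again. The following Python script is an added example, not part of the Check Point guide; it assumes the layout visible in the quoted lines ([Section] headers, # comments, five semicolon-separated fields with a comma-separated last field), and the embedded excerpts are constructed from those lines.

```python
"""Check a copy of sic_policy.conf for the lea rules from steps 9 and 12 (added example)."""

# section -> (first four fields, auth methods in the order the guide writes them)
REQUIRED = {
    "outbound rules": (("any", "any", "any", "lea"), ("ssl", "sslca")),  # step 9
    "inbound rules": (("any", "any", "any", "lea"), ("ssl",)),           # step 12
}

# Constructed excerpts: the rule and comment lines are the ones quoted in the
# guide; a real file contains many more rules.
EVENTIA_BEFORE = """[Outbound rules]
# for log_export tool and Abacus analyzer
ANY ;ANY ;ANY; lea ; sslca
"""
EVENTIA_AFTER = """[Outbound rules]
# for log_export tool, Eventia Analyzer Provider-1
ANY ;ANY ;ANY; lea ; ssl , sslca
"""
MDS_BEFORE = """[Inbound rules]
# log export to DB utility (lea client from any SVN host)
ANY ; CP_PRODUCT; ANY; lea ; sslca
"""
MDS_AFTER = MDS_BEFORE + "ANY ;ANY ;ANY; lea ; ssl\n"


def parse_sic_policy(text):
    """Return {section: [rule, ...]} for five-field, semicolon-separated rule lines.

    Assumption: '[Name]' starts a section and '#' starts a comment, as in the
    lines the guide quotes. Fields are lower-cased for comparison.
    """
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        fields = [f.strip().lower() for f in line.split(";")]
        if current is None or len(fields) != 5:
            continue  # not a rule line in the format shown in the guide
        auth = tuple(a.strip() for a in fields[4].split(",") if a.strip())
        sections[current].append(
            {"lineno": lineno, "fields": tuple(fields[:4]), "auth": auth}
        )
    return sections


def check_lea_rule(text, section):
    """Return findings for one section; an empty list means the edit is in place."""
    want_fields, want_auth = REQUIRED[section]
    rules = parse_sic_policy(text).get(section, [])
    matches = [r for r in rules if r["fields"] == want_fields]
    if not matches:
        return [f"[{section}] missing rule: {' ; '.join(want_fields)}"]
    findings = []
    good = [r for r in matches if r["auth"] == want_auth]
    if not good:
        got = " , ".join(matches[0]["auth"])
        findings.append(
            f"[{section}] line {matches[0]['lineno']}: auth is '{got}', "
            f"expected '{' , '.join(want_auth)}'"
        )
    # Step 12 says the new inbound rule goes after the CP_PRODUCT lea rule.
    if section == "inbound rules" and good:
        anchor = [r for r in rules
                  if r["fields"] == ("any", "cp_product", "any", "lea")]
        if anchor and good[0]["lineno"] < anchor[0]["lineno"]:
            findings.append(
                f"[{section}] line {good[0]['lineno']}: rule precedes the CP_PRODUCT lea rule"
            )
    return findings


def wildcard_rules(text, method):
    """List (section, lineno) of rules with ANY in the first three fields that accept `method`."""
    hits = []
    for section, rules in parse_sic_policy(text).items():
        for r in rules:
            if r["fields"][:3] == ("any", "any", "any") and method in r["auth"]:
                hits.append((section, r["lineno"]))
    return hits


if __name__ == "__main__":
    for name, text, section in (
        ("Eventia, before step 9", EVENTIA_BEFORE, "outbound rules"),
        ("Eventia, after step 9", EVENTIA_AFTER, "outbound rules"),
        ("MDS, before step 12", MDS_BEFORE, "inbound rules"),
        ("MDS, after step 12", MDS_AFTER, "inbound rules"),
    ):
        print(name, "->", check_lea_rule(text, section) or "OK")
    print("ANY/ANY/ANY rules accepting ssl on the MDS:", wildcard_rules(MDS_AFTER, "ssl"))
```

The wildcard_rules listing is useful for later review: it records which ANY ; ANY ; ANY rules were opened to the ssl method for this integration, so they can be revisited when the R55 setup is retired.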

For Provider-1/SiteManager-1 Version R60

1. In Global SmartDashboard, create a Check Point Host Object, name it, and enter its IP address.

Note - Enter the command mdsenv <customer_name> to switch to the appropriate CMA environment. To return to the MDS environment, enter the command mdsenv.

Note - Wait a few minutes for the putkey operation to complete.


2. Select Communication and enter the activation key you created during installation. Select Initialize to establish communication.

3. Select Close and OK.

4. Make sure that the product Eventia Reporter is enabled.

5. From the File menu, select Save.

6. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.

7. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want Eventia Analyzer or Reporter to read logs.

8. To enable the syslog server, run the following commands from the command line of the Eventia server:

a. syslog -r

b. cpstop

c. cpstart

For Provider-1/SiteManager-1 Version R61 and Up

1. In Global SmartDashboard, create a Check Point Host Object, name it, and enter its IP address.

Note - Do not run the Get Version operation. Instead, specify the most recent version possible.

Note - Wait a couple of minutes for the objects to synchronize between the MDS and Eventia Suite.


2. Select Communication and enter the activation key you created during installation. Select Initialize to establish communication.

3. Select Close and OK.

4. Make sure that the appropriate products (Eventia Reporter, Eventia Analyzer Server, Eventia Correlation Unit and Log Server) are enabled.

5. In the properties of the new Host object, select Log and Masters > Additional Logging Configuration, and enable the property Accept Syslog messages.

6. From the File menu, select Save.

7. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.

8. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want Eventia Analyzer or Reporter to read logs.

Note - Do not run the Get Version operation. Instead, specify the most recent version possible.


Check Point Software Technologies Ltd.

U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected] Headquarters: 5 Ha’Solelim Street,Tel-Aviv, 67895, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

THIRD PARTY TRADEMARKS AND COPYRIGHTS

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty. Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.

Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group.

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.


The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001.

Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande.

Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation.

This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation.

Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

The curl license

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) 1996 - 2004, Daniel Stenberg, <[email protected]>. All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

The PHP License, version 3.0

Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"

5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].

For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>.

This product includes software written by Tim Hudson ([email protected]).

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Copyright © 2003, 2004 NextHop Technologies, Inc. All rights reserved.

Confidential Copyright Notice

Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

Trademark Notice

The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.

U.S. Government Restricted Rights

The material in document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

Disclaimer Warranty

THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability

UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.

BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release

PCRE LICENCE

PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself.

Written by: Philip Hazel <[email protected]>

University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.

Copyright (c) 1997-2004 University of Cambridge All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Eventia Reporter includes software whose copyright is owned by, or licensed from, MySQL AB.