Internet Security Product Suite
Getting Started Guide
Version NGX R65
© 2003-2007 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
Management, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications.
Contents
Chapter 1 Internet Security Product Suite NGX R65
    Welcome
    In This Guide
        NGX R65 Documentation
        Endpoint Security Integration
        Feedback
Chapter 2 Introduction
    Overview
    Product CD-ROMs
        On CD1
        On CD2
        On CD3
        On CD4
        On CD5
    For New Check Point Customers
    What’s New in NGX R65
        SmartCenter
        FireWall and SmartDefense
        Connectra Central Management
        VPN
        ClusterXL
        Eventia Analyzer
        Eventia Reporter
        SecureClient Mobile
        UTM-1 Edge
        Provider-1/SiteManager-1
Chapter 3 Getting Started
    VPN-1 Power/UTM Terminology
    Provider-1/SiteManager-1 Terminology
    Hardware and Software Requirements
        Compatibility Table
        Notes to Compatibility Table
        Notes to Supported by Platform Table
    Supported Upgrade Paths and Interoperability
        Upgrading Management Servers
        Backward Compatibility For Gateways
    Licensing NGX R65
        Licensing VPN-1 Power/UTM
        Licensing Provider-1/SiteManager-1
        Upgrading VPN-1 Power/UTM Licenses
        Licensing Eventia Suite
Chapter 4 Performing a New Installation
    Overview
    VPN-1 Power/UTM Installation
        Installing on SecurePlatform
        Installing on a Windows Platform
        Installing on a Solaris Platform
        Installing on a Linux Platform
        Installing on a Nokia Platform
        Initial Configuration
    Provider-1/SiteManager-1 Installation
        Overview
        Building the Standard Provider-1 Network
        Logging In to the MDG for the First Time
        Where To From Here?
Chapter 5 Installing the Eventia Suite
    Eventia Suite Installation
        Standalone Installation vs Distributed Installation
        Installing Eventia Suite on Multiple Versions of SmartCenter Management
    Standalone Installation
        Windows Platform
        Solaris & Linux Platforms
        SecurePlatform
    Distributed Installation
        Windows Platform
        Solaris & Linux & SecurePlatform
        Enabling Connectivity Through a Firewall
    Preparing Eventia Suite in SmartCenter
        Working with R55 SmartCenter Server
    Preparing Eventia Suite on Provider-1 MDS
        For Provider-1/SiteManager-1 Version R55
        For Provider-1/SiteManager-1 Version R60
        For Provider-1/SiteManager-1 Version R61 and Up
Index
Chapter 1 Internet Security Product Suite NGX R65
Check Point also delivers worldwide technical services including educational, professional and support services through a network of Authorized Training Centers, Certified Support Partners and Check Point technical support personnel to ensure that you get the most out of your security
To extend your organization’s growing security infrastructure and requirements, we recommend that you consider adopting the OPSEC platform (Open Platform for Security). OPSEC is the industry's open, multi-vendor security framework, which has over 350 partners and the largest selection of best-of-breed integrated applications and deployment platforms.
For additional information on the NGX Internet Security Product Suite and other security solutions, go to: http://www.checkpoint.com or call Check Point at 1(800) 429-4391. For additional technical information, go to: http://support.checkpoint.com
Welcome to the Check Point family. We look forward to meeting all of your current and future network, application and management security needs.
NGX R65 Documentation
To find out about what's new in NGX R65, read the NGX R65 What’s New document.
For information on upgrading your current Check Point deployment, refer to the Check Point R65 Upgrade Guide.
For upgrading Endpoint Security, refer to the Endpoint Security Installation Guide.
Endpoint Security Integration
For in-depth documentation of Provider-1/SiteManager-1 and SmartCenter integration with Check Point Endpoint Security products, refer to:
• Endpoint Security Installation Guide
• R65 SmartCenter Administration Guide
Feedback
Check Point is engaged in a continuous effort to improve its
cp_techpub_feedback@checkpoint.com
Chapter 2 Introduction
In This Chapter
Overview
NGX is a Check Point product that provides superior usability and management of your organization’s security environment. SmartCenter is now integrated with Connectra, InterSpect and Endpoint Security, enabling centralized management and monitoring of all security enforcement points.
NGX R65 has expanded its intelligent inspection technologies in VPN-1 Power and incorporates additional complex application support into state of the art stateful-inspection and application intelligence technology.
Product CD-ROMs
The NGX R65 media pack contains the following five CD-ROMs:
On CD1
• CPedgecmp UTM-1 Edge compatibility package
• CPngcmp R55 compatibility package
• CPR55Wcmp R55W compatibility package
• CPvsxngxcmp VSX NGX compatibility package
• CPinteg Endpoint Security server
• CPacc3 VPN-1 Accelerator Card III
• CPconcmp Connectra compatibility package
• CPconplg Connectra Plug-in package
On CD2
• mobile setup files
• i Endpoint Security On Demand
• 2 SmartCenter Power/UTM
• CPdesktop VPN-1 SecuRemote/SecureClient for
• CPinteg Endpoint Security server
• CPacc2 VPN-1 Accelerator Card II
• CPacc3 VPN-1 Accelerator Card III
• CPSessionAgt-50 Session Agent
• CPconcmp Connectra compatibility package
• CPconplg Connectra Plug-in package
On CD3
• ii Secure Client Mobile
• CPedgecmp UTM-1 Edge compatibility package
• CPngcmp R55 compatibility package
• CPR55Wcmp R55W compatibility package
• CPvsxngxcmp VSX NGX compatibility package
• CPacc2 VPN-1 Accelerator Card II
• CPacc3 VPN-1 Accelerator Card III
• CPacc4 VPN-1 Accelerator Card IV
• CPconcmp Connectra compatibility package
• CPconplg Connectra Plug-in package
On CD4
• CPR55Wcmp R55W compatibility package
• CPvsxngxcmp VSX NGX compatibility package
• CPconcmp Connectra compatibility package
• CPconplg Connectra Plug-in package
On CD5
• In the Solaris2 Directory:
• In the Packages Directory:
• 2 SmartCenter Power/UTM
• CPedgecmp UTM-1 Edge compatibility package
• CPngcmp R55 compatibility package
• CPR55Wcmp R55W compatibility package
• CPvsxngxcmp VSX NGX compatibility package
• CPconcmp Connectra compatibility package
• CPconplg Connectra Plug-in package
For New Check Point Customers
New Check Point customers can access the Check Point User Center in order to:
• Manage users and accounts
• Activate products
• Get support offers
• Open service requests
• Search the Technical Knowledge Base
To access the Check Point User Center, go to:
https://usercenter.checkpoint.com/pub/usercenter/get_started.html
What’s New in NGX R65
SmartCenter
NGX R65 introduces an additional infrastructure that enables the use of management plug-ins. The new plug-ins architecture introduces the ability to dynamically add new features and support for new products. Management plug-ins offer central management of gateways and features not supported by your current NGX R65 SmartCenter or Provider-1/SiteManager-1. Management plug-ins supply new and separate packages that consist only of those components necessary for managing new gateway products or specific features, thus avoiding a full upgrade to the next release. Each plug-in:
• Is supplied with relevant documentation
• Is installed on SmartCenter Server or Gateway
• Requires a specific version of SmartDashboard
FireWall and SmartDefense
• AMT Support for Linux and SecurePlatform gateways
• Aggressive Aging
• EPS Enforcement
• Web (URL) Filtering
• Layer-2 Firewall deployment
• SIP enhancements for VoIP
• SYN cookies
Connectra Central Management
• New Connectra tab
• New tab for SmartDefense and Web Intelligence updates
• Support for Provider-1/SiteManager-1
• Support for SmartView Monitor counters
VPN
• Same local IP and Cluster IP address for VTIs
• Anti-spoofing for unnumbered interfaces on IPSO
• Dynamic routing support for remote VTIs in clusters
• Configurable metrics for dial-up routes
• Increased interoperability between SecurePlatform and IPSO
• Route-based VPN Improvements
• Customer defined scripts for VPN peers
• Route-based VPN and IP Clustering support
• RIM performance improvements on IPSO
• Support for multiple SmartCenter Servers from R54 onwards
• Integration with Eventia Analyzer
• Support for multiple Eventia Reporters in deployment
• Report limitation
SecureClient Mobile
SecureClient Mobile is a new client for mobile devices that includes VPN and firewall functionality and will be the future platform for additional features, including various security and compliance features. SecureClient Mobile replaces SecureClient for PocketPC. Designed to work on multiple platforms, SecureClient Mobile allows for easy deployment and upgrade.
For more information, the “What’s New” documentation is available online at http://www.checkpoint.com/techsupport/downloads.jsp
UTM-1 Edge
With UTM-1 Edge you can now select a destination for the log files. The destination can be the SmartCenter Server or Syslog (a standard logging mechanism on Unix based machines).
Provider-1/SiteManager-1
Chapter 3 Getting Started
In This Chapter:
This chapter contains information and terminology related to installing NGX R65.
Supported Upgrade Paths and Interoperability
VPN-1 Power/UTM Terminology
The following VPN-1 Power/UTM terms are used throughout this chapter:
• server are installed on separate machines
• security policy and acts as a security enforcement point that regulates the flow of incoming and outgoing communication
• to manage the security policy. The organization’s databases and security policies are stored on the SmartCenter server and downloaded to the gateway
• aspects of security policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs
• by the system administrator to create and manage the security policy
• responsible for the management of the security policy (the SmartCenter server and the gateway) are installed on the same machine
Provider-1/SiteManager-1 Terminology
• whose networks are protected by VPN-1 gateways, UTM-1 Edge appliances or other Check Point compatible firewalls. The customer’s security policies and network access are managed using Provider-1/SiteManager-1.
• of the SmartCenter server for a single customer. Using the CMA, an administrator creates security policies and manages customer gateways
• such as the Provider-1 MDG, and other SmartConsole applications
• Internal Certificate Authority (ICA): In addition to authenticating administrators and users, the ICA creates and manages X.509 compliant certificates for Secure Internal Communication (SIC) between VPN-1 gateways. The MDS has an ICA that secures the Provider-1 management domain. Each CMA has its own ICA to secure its customer’s management domain.
• to collecting and storing logs. An MLM is a Container of Customer Log Modules (CLMs)
• system information. The MDS contains information on Provider-1 deployment, administrators, and customer management. The MDS has two modes:
    • administrator’s entry point into the Provider-1 environment
    • (CMAs)
    An MDS can be a Manager, a Container or both.
• granular permissions, that manages specific parts of the Provider-1 system. Administrators can be assigned one of the following four permission levels:
    • system, which includes all MDS servers, administrators (with all permission levels), Customers and customer networks
    • lower permission levels), Customers and customer networks
    • the MDG. With access to Global SmartDashboard, a Global Manager is capable of managing global policies and global objects. For a Global Manager to have additional access to CMA policies, read-write or partial access rights must be specifically assigned
    • specific Customers. Administrators with this permission level can use the MDG application, but they can only view and manage their assigned customers
    • but cannot access the MDG application
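The ICA entry above states that each CMA has its own ICA, so a certificate issued for one customer's management domain is not trusted in another's. The following Go program is an illustration added to this guide, not Check Point code: it models two CMA ICAs as self-signed CAs built with the Go standard library, issues a module certificate from one of them, and verifies that the certificate chains only to the ICA that issued it. The CA names, module name and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA models one Internal Certificate Authority (ICA) as a self-signed CA
// certificate. The name is a constructed label, not a real Check Point object.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // assumed validity
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueSICCert has the given ICA sign a certificate for one module (gateway,
// log server, ...) so that it can take part in SIC within that ICA's domain.
func issueSICCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, module string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: module},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedBy reports whether cert chains to the given ICA when that ICA is the
// only trust anchor, which is how a management domain decides whom to talk to.
func trustedBy(cert, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// DomainSeparation builds two constructed CMA ICAs, issues a gateway certificate
// from the first, and returns (trusted by own ICA, trusted by the other ICA).
func DomainSeparation() (bool, bool, error) {
	icaA, keyA, err := newCA("ICA of CMA customer-A (constructed)")
	if err != nil {
		return false, false, err
	}
	icaB, _, err := newCA("ICA of CMA customer-B (constructed)")
	if err != nil {
		return false, false, err
	}
	gw, err := issueSICCert(icaA, keyA, "gateway-1.customer-a (constructed)")
	if err != nil {
		return false, false, err
	}
	return trustedBy(gw, icaA), trustedBy(gw, icaB), nil
}

func main() {
	own, other, err := DomainSeparation()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("trusted by own CMA ICA: %v\ntrusted by other CMA ICA: %v\n", own, other)
}
```

Running the program prints true for the issuing ICA and false for the other one; the practical consequence is that a module certificate is only meaningful within the management domain whose ICA issued it, which is why each CMA keeps its own ICA.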
Hardware and Software Requirements
For all hardware and software requirements for each product and platform, see the latest version of the relevant Release Notes at: http://www.checkpoint.com/support/technical/documents/index.html
Compatibility Table
If the existing Check Point implementation contains products that are not supported by NGX R65, the NGX R65 installation process terminates. Table 3-1 and Table 3-2 list the NGX R65 supported Check Point products and clients by platform.
[Table 3-1: NGX R65 supported Check Point products by platform. Column headings recovered from the page: Solaris (UltraSPARC); RHEL 3.0 (kernel 2.4.21); Check Point SecurePlatform; Nokia IPSO 4.1 - 4.2; Windows 2000 Advanced Server (SP1-4); Windows 2000 Server (SP1-4); Windows 2000 Professional (SP1-4); Windows XP Home & Professional. The product rows did not survive extraction.]
Notes to Compatibility Table
1 Anti Virus and Web (URL) Filtering are included on
7 UserAuthority is not supported on Nokia flash-based platforms.
8 The following SmartConsole clients are not supported on Solaris UltraSPARC platforms: SmartView Monitor, SmartLSM, Eventia Reporter Client, Eventia Analyzer Client, and the SecureClient Packaging Tool.
9 Enabled ROBO Gateways are not supported on Solaris platforms.
10 HA Legacy mode is not supported on Windows Server 2003.
11 ClusterXL is supported only in third party mode with VRRP or IP Clustering.
12 VPN-1 Accelerator Driver II is supported on Solaris 8 only.
13 Nokia provides Advanced Routing as part of IPSO.
14 Nokia provides SecureXL as part of IPSO.
15 NGX-compatible Turbocard driver is available at http://www.checkpoint.com/downloads/quicklinks/downloads_tc.html
Notes to Supported by Platform Table
1 Microsoft Installer support is required for installation of Endpoint Security clients on the Windows platform.
[Table 3-2: NGX R65 supported Check Point clients by platform. Column headings recovered from the page: Mac; Linux; Windows Server 2003 (SP1); Windows 2000 Server / Advanced Server (SP1-4); Windows 2000 Professional (SP1-4) / XP Home & Professional; Windows Mobile 2003, 2003SE, 5.0. The client rows did not survive extraction.]
Supported Upgrade Paths and Interoperability
SmartCenter servers and gateways exist in a wide variety of deployments. Consult Table 3-3 and Table 3-4 to determine which versions of your management server and gateways can be upgraded to NGX R65.
Upgrading Management Servers
The following SmartCenter server versions can be upgraded to NGX R65:
Backward Compatibility For Gateways
NGX R65 SmartCenter server supports the following gateway versions:
Upgrading versions 4.0 and 4.1
Upgrading from versions prior to NG (4.0-4.1) is not supported. To upgrade FireWall-1 versions 4.0-4.1, upgrade the installed version to VPN-1 NG R55 (refer to the NG with Application Intelligence R55 Upgrade Guide). Once the VPN-1 NG R55 upgrade is complete, perform an upgrade to NGX R65.
For more information on upgrading your deployment, refer to the Check Point R65 Upgrade Guide.
Note - NGX R65 cannot manage gateway versions NG, NG
Licensing NGX R65
Licenses are required for the SmartCenter server and the gateways. No license is required for SmartConsole management clients.
Check Point gateways enforce the license installed on the gateway by counting the number of users that have crossed the gateway. If the maximum number of users is reached, warning messages are sent to the console.
The software on this CD is automatically enabled for a 15-day evaluation period. To obtain a permanent license, or to extend the evaluation period, go to the Check Point User Center at:
https://usercenter.checkpoint.com
Licensing VPN-1 Power/UTM
Check Point software is activated using a certificate key, which is located on the back of the software media pack. The certificate key is used to generate a license key for products that you want to evaluate or purchase. To purchase Check Point products, contact your reseller.
For customers new to the Check Point User Center, go to:
https://usercenter.checkpoint.com/pub/usercenter/get_started.html
For further licensing assistance, contact Account Services at: AccountServices@checkpoint.com, or US +1 972-444-6600, option 5.
Obtaining a License Key
To obtain a license key from the Check Point User Center:
1 Add the required Check Point products/evaluations to your User Center account by selecting Accounts & Products > Add Products.
2 Generate a license key for your products/evaluations by selecting Accounts & Products > Products.
a Read and accept the End User License Agreement.
b Import the product license key. Licenses are imported using the Check Point Configuration Tool or SmartUpdate. SmartUpdate allows you to centrally upgrade and manage Check Point software and licenses. The certificate keys associate the product license with the SmartCenter server, which means that:
• The new license remains valid even if the IP address of the Check Point gateway changes
• Only one IP address is needed for all licenses
• A license can be detached from one Check Point gateway and assigned to another
Licensing Provider-1/SiteManager-1
Provider-1/SiteManager-1 licenses are associated with the IP address of the licensed entity. The Provider-1 Multi-Domain Server (MDS) license is based on the server type: Manager, Container, Combined Manager and Container, or Multi-Domain Log Manager (MLM).
Manager: A license for the administrator's entry point into the Provider-1/SiteManager-1 environment. The Multi-Domain GUI (MDG) and the Global SmartDashboard tools can connect only to MDS servers with this license.
Container: A license that defines the maximum number of CMAs running on the MDS machine. With the exception of Provider-1 Enterprise Edition licenses, multiple container licenses can be added together on one container to enable the container to hold up to a maximum of 250 CMAs. In addition, each CMA requires its own CMA license. CMA Pro Add-on licenses, allowing additional management features at the CMA level, can be purchased in bulk. These purchase packages are called Pro Add-ons for MDS.
Combined Manager and Container: These licenses combine a Manager license with a Container license for a specific number of CMAs. In the case of SiteManager-1 licenses, there are no separate Manager and Container versions available, only the Combined Manager and Container license.
MLM: A comprehensive license that includes the Customer Log Modules (CLMs) it hosts. There is no need for a separate CLM license if CLMs are hosted on an MLM. A CLM hosted on an MDS server requires its own CLM license.
Each gateway requires its own license. Licenses are determined according to the number of computing devices (nodes) protected by the gateway. Provider-1 licenses can be imported using the Check Point command-line licensing tool or Provider-1's MDG. For additional information, refer to the Provider-1/SiteManager-1 Administration Guide.
Upgrading VPN-1 Power/UTM Licenses
Customers with versions prior to NGX R60 are required to obtain a new license when they upgrade to NGX R65. Check Point NGX R60 software does not work with licenses from previous NG versions. The upgrade procedure is free of charge to purchasers of the Software Subscription service (Enterprise Base Support).
Licenses for versions prior to NG cannot be upgraded directly to NGX. You must first upgrade to NG and then upgrade the licenses from NG to NGX.
The license upgrade procedure runs the license_upgrade command, which makes it easy to automatically upgrade licenses.
For additional information on upgrading licenses, refer to the Upgrading VPN-1 Power/UTM Licenses to NGX R65 chapter in the Check Point R65 Upgrade Guide.
Licensing Eventia Suite
All Eventia Suite licenses are installed on the Eventia Suite Server (not on the Management Server).
Correlation Units are licensed by the number of units that are attached to the Eventia Analyzer Server.
Chapter 4 Performing a New Installation
In This Chapter
Overview
Check Point software is designed to work across multiple platforms and pre-configured appliances. Each installation differs depending on the platform employed. This chapter describes how to install VPN-1 Power/UTM and Provider-1/SiteManager-1.
Provider-1/SiteManager-1 Installation
VPN-1 Power/UTM Installation
• responsible for the management of the security policy (the SmartCenter server and the gateway) are installed on the same machine.
• server are installed on different machines
In both deployments, SmartConsole can be installed on any machine
by performing the following steps:
• Install the components that manage or enforce the security policy (for example, the SmartCenter server, the gateway, and the log server)