Check Point NG VPN-1/FireWall-1 Advanced Configuration and Troubleshooting, part 7 (PDF)


Document information

SmartCenter Management Server, HA and Failover, and SMART Clients • Chapter 8

system. The issue with this solution is that it might be an incomplete list for your configuration. Another option is available in Check Point Knowledge Base Solution sk16625, The Ultimate Upgrade Guide: How to Upgrade a Management Server from 4.1 to NG. A hyperlink in this resolution, How to Upgrade the Management Server, links to http://support.checkpoint.com/kb/docs/public/firewall1/ng/pdf/upgrade_mgmt_srvr.pdf and is the ultimate upgrade guide for taking a 4.1 through NG FP2 management server to FP3. (This is the same solution mentioned in Chapter 1.) In this document, you’ll find steps explaining the files necessary for first replicating a management server to be used for the upgrade. These same steps are helpful in listing the critical files necessary to back up manually. Specific files and directories are listed under both the $CPDIR that contains the CPSHARED configuration and the $FWDIR that contains firewall configurations. It is important to note that you must perform a cpstop prior to copying these files. The best action for you to take is to copy both the $CPDIR and $FWDIR directories completely, including their subdirectories, to make a backup. When you need to perform a restore, you should copy these directories completely and not just the specific files you want, or you risk corruption due to a lack of synchronized state between them.

The importance of the management server is obvious from the previous discussion. For many environments, a license for Management HA should be considered. Next we cover the setup and configuration of the secondary management server. This will take away the opportunity for mistakes that can occur as a result of a manual process.
Protecting the Configuration

If you are familiar with the simplicity of backing up your 4.1 management server, it is important to note that NG is significantly more complex. You cannot just copy the objects.C, rulebases.fws, and *.W files from the $FWDIR/conf directory. You can use the steps listed in Chapter 1 regarding replication of management servers to back up specific files. The easiest method of protecting the configuration files is to completely back up the $FWDIR and $CPDIR directories.

Enforcement Point Functions

The databases are compiled before they are downloaded to the enforcement points. No functional files on the enforcement points can be used to recreate the objects or rule base files. Copies of these files are available on the management server in subdirectories of the $FWDIR/conf directory. In a distributed installation, there will be a directory with the name of the firewall object; in a single gateway environment, the directory will have the name of the management server. In the respective directory, there is a copy of the objects_5_0.C and rulebases_5_0.fws files. Check Point Knowledge Base Solution sk11754 documents how these files can be used to repair a situation in which there are no objects available or no rules populating the Security Policy screen in SmartDashboard.

Logging

When an enforcement point loses the logging connection to the designated logging server(s), it will log locally. You can retrieve these files using SmartView Tracker; refer to the SmartView Tracker portion of the “SMART Client” section of this chapter for details.
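As an added example (not code from the book or from Check Point), the following Python script applies the backup rule stated above: cpstop, copy $CPDIR and $FWDIR completely, cpstart, and on restore replace both trees together or not at all. The manifest file, the digest check and the injectable run callable are assumptions added here so the procedure can be verified and tested without a Check Point installation.

```python
"""Whole-tree backup and restore of a Check Point NG management server.

Added example, not from the book: it encodes the chapter's rule (cpstop,
copy $CPDIR and $FWDIR completely, subdirectories included, and restore
both trees together rather than picking files). The manifest, the digest
check and the injectable `run` callable are assumptions added here so the
procedure can be exercised without a Check Point installation.
"""
import hashlib
import os
import shutil
import subprocess
import time
from pathlib import Path

TREES = ("FWDIR", "CPDIR")  # both trees form one consistent unit


def tree_digest(root):
    """SHA-256 over relative path + content of every file, in sorted order."""
    root = Path(root)
    h = hashlib.sha256()
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h.update(str(p.relative_to(root)).encode())
            h.update(p.read_bytes())
    return h.hexdigest()


def run_cp_command(cmd):
    """Invoke the real cpstop/cpstart; raises if the command is absent or fails."""
    subprocess.run([cmd], check=True)


def backup_config(dest, fwdir=None, cpdir=None, run=run_cp_command):
    """cpstop, copy both trees whole into dest/<timestamp>, cpstart; return manifest."""
    live = {"FWDIR": Path(fwdir or os.environ["FWDIR"]),
            "CPDIR": Path(cpdir or os.environ["CPDIR"])}
    target = Path(dest) / time.strftime("%Y%m%d-%H%M%S")
    run("cpstop")  # daemons must not be writing the files while they are copied
    try:
        for name in TREES:
            shutil.copytree(live[name], target / name, symlinks=True)
    finally:
        run("cpstart")
    manifest = {name: tree_digest(target / name) for name in TREES}
    (target / "manifest.txt").write_text(
        "".join(f"{k}={v}\n" for k, v in manifest.items()))
    manifest["path"] = str(target)
    return manifest


def restore_config(backup, fwdir, cpdir, run=run_cp_command):
    """Replace BOTH live trees from one backup set; refuse partial or altered sets."""
    backup = Path(backup)
    recorded = dict(line.split("=", 1)
                    for line in (backup / "manifest.txt").read_text().split())
    for name in TREES:  # all checks happen before anything is stopped
        if not (backup / name).is_dir():
            raise ValueError(f"{name} missing from backup set; refusing partial restore")
        if tree_digest(backup / name) != recorded[name]:
            raise ValueError(f"{name} in backup does not match its manifest")
    live = {"FWDIR": Path(fwdir), "CPDIR": Path(cpdir)}
    run("cpstop")
    try:
        for name in TREES:
            shutil.rmtree(live[name], ignore_errors=True)
            shutil.copytree(backup / name, live[name], symlinks=True)
    finally:
        run("cpstart")
    return recorded
```

Run as-is on a management server it calls the real cpstop/cpstart; pass a stub for run to rehearse the procedure elsewhere.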
Installing a Secondary Management Server

The Management HA license provides a way for administrators to create their own insurance against loss of their management servers. The name of the license feature could lead to some confusion, however. The configuration using secondary management servers is not high availability from the automatic failover perspective. Configuration files and installation state information can be defined to automatically synchronize across multiple management servers from the current active management server. The state change from active to standby is a manual process and must be initiated by the administrator.

There are a couple of important restrictions to keep in mind. The primary management server and all the secondary management servers must be running the same operating system. You must be using a distributed configuration. There is no limit to the number of secondary servers, aside from purchasing the correct number of licenses. The secondary management server should be licensed with a local license. All other licenses should be central licenses from the primary management server. Certificates and all other configurations are based on the primary management server’s license and IP. To install a secondary management server, follow the same steps as you used to install the primary server until you come to the screen shown in Figure 8.2. During the installation process, select Enterprise Secondary Management and initialize the SIC password.
Figure 8.2 Choosing Secondary Management

On the Primary Management screen, define a new Check Point host and the communication, and initialize SIC with the password you selected during installation. At this point, you need to save the object in SmartDashboard. Then from the menu select Policy | Management High Availability to open the high availability window. This window will display the status of synchronization between primary and secondary management servers (see Figure 8.3). The secondary management station has a status of Never Synched. Highlight the peer and click the Synchronize button to manually replicate the configuration. The status will change to Synchronized.

Now that the initial synchronization is complete, we need to define the synchronization settings to be used from this point forward. There are automatic settings for synchronizing the management servers in the Global Properties. Select Policy | Global Properties to open the Global Properties window. In the tree on the left side of the window, select the Management High Availability option (see Figure 8.4). There are three options, independent of each other; any or all may be selected:

■ When policy is saved
■ When policy is installed
■ On scheduled event

Enabling the When policy is saved option means that databases will synchronize every time an administrator elects to save in SmartDashboard. The On scheduled event option allows for defining a time object to determine when to synchronize. This is a good place to define a set time before the daily system backups are performed. Both of these options only replicate the configuration databases. The other choice, When policy is installed, will replicate both the databases and the state information for the policy installed on an enforcement point. This will allow a properly configured firewall to fetch the appropriate policy from the secondary management servers if it is unable to communicate with the primary.

Figure 8.3 The Management High Availability Server Screen

Properly configured means that you have defined the secondary management servers as masters under the Logs and Masters | Masters screen (see Figure 8.5). The primary management server (wwwnewyork) will already appear in the Masters window. Click the Add button and then add your secondary server (wwwlondon). When trying to fetch the policy from the master(s), the firewall will first try to fetch from the first listed master, in this case the primary. If it is unable to fetch from the first master, it will attempt the next master, in this case the secondary. All three of these choices back up your databases so that your configuration settings are protected.

Figure 8.4 Global Properties Management High Availability
Figure 8.5 Gateway Masters Configuration

The last consideration in a Management HA environment is how to handle logging. The primary management server is automatically defined as a log server.
In the case of secondary management, you will need to decide if you want logs directed there as well. The main consideration is whether you want the firewalls to duplicate logging across multiple servers. There is the option of logging to a secondary management server when the primary becomes unreachable. This is where the option of a logging server becomes an interesting one. A log server can be used to offload the logging function from a primary or secondary management server. These options provide the flexibility you desire in your Check Point infrastructure. In Figure 8.6, you will see the option for always sending logs to a particular server or, in the case in which a server is unavailable, you can have logs directed to a different server. Don’t forget that if these firewalls and management servers are separated over a wide area network (WAN), logging decisions may also depend on available bandwidth or other infrastructure considerations. The important points are that you have flexibility in where you choose to maintain log files and it is possible to configure duplicate logging.

The connectivity of a management server, or whether or not you are using an HA Management configuration, might not be the only logging decisions you need to make. Earlier we mentioned the license option available for a logging server. There are some other considerations you should keep in mind. The first is to have an understanding of the volume of logging going to a particular logging server, whether a management server or just a logging server. In a high-traffic, high-volume log environment, you might choose to use multiple logging servers.

Figure 8.6 Gateway Log Servers Configuration

The second consideration is the bandwidth available. When you have a small-bandwidth connection to a remote office or a remote site, you might not want to utilize that circuit for logging. In some scenarios, it might make more sense to use a local logging server. You, the firewall administrator, need to understand the options available and make the best decision based on your infrastructure and budgetary constraints, while being able to provide a business case to justify the choices.

SMART Clients

Here we list the components that are part of the SMART Client installation. Use of some of these components requires a specific license on the different modules. An important modification with FP3 is the addition of an automatic 15-day evaluation license. Instead of needing to go to the User Center to obtain an evaluation license, one installs automatically. If a module has a component enabled without the specific license, the feature will be activated using this automatic evaluation license. The naming conventions have all changed in NG FP3. Table 8.1 lists the name changes.
Table 8.1 Feature Pack 3 Name Changes

New FP3 Name                      Previous Name
SmartCenter                       Management
SmartCenter Server                Management Server
SMART Clients                     Management Clients
SmartDashboard                    Policy Editor
SmartView Tracker                 Log Viewer
SmartView Status                  System Status Viewer
SmartMap                          Visual Policy Editor
SmartUpdate                       SecureUpdate
SmartView Monitor                 Traffic Monitor
SmartView Reporter                Reporting Tool
SmartLSM (Large Scale Manager)    Atlas
Provider-1/SiteManager-1          Provider-1

SMART Client Functions

The SMART Client software enables the configuration of the management server. The management server is always an implied management client (the GUI Clients parameter has been renamed in FP3); all other clients must be defined. This configuration requirement has not changed. The secondary management servers must also be defined as management clients if you want to use SMART Client software to connect to the primary management server. They will be implied only if connecting to themselves as the management station.

Some new methods are available in FP3 for designating management clients. In addition to name and IP address, you can define a range of addresses, wildcard matching, or Any (see Figure 8.6). Using Any means there is no restriction on the management client IP address. The IP range or wildcards make the process of adding multiple management clients quick. When you use the range or wildcard designations, you must create an explicit rule allowing these addresses as a source to the SmartCenter Server as destination with the predefined Check Point Management Interface (CPMI) service, TCP port 18190. If a firewall sits between the SMART Client and the SmartCenter Server, the Rule Base must be reinstalled after defining additional management clients (see Figure 8.7).
SMART Client Login

SMART Client tools are used to connect with your management server. The default authentication window that opens contains Identification Method and Connect to Server sections with options for read only and Demo mode. If you’re new to Check Point NG, Demo mode is a great way to get a feel for the different management interfaces. Provided that your authentication is valid and your IP address is a valid management client, you will be connected with the appropriate rights. It is recommended that you use an IP address or name in the SmartCenter server section of this screen, even if you use a SMART Client local to the management server. There are knowledge base articles on the Check Point Web site describing some strange behavior linked to using localhost. Please see the Tools & Traps sidebar, “Firewall Administrator Accounts.”

Figure 8.7 Defining Management Clients

Some new options are available in FP3. By selecting More Options in the authentication screen, you will expand the screen as shown in Figure 8.8. The new areas are Certificate Management, Connection Optimizations, and Advanced Options. Certificate Management allows the administrator to change the password on his or her certificate. Using compression will use an internal method to optimize communications. Information entered into the Session Description field will populate a field called Session ID, available in the Audit mode of SmartView Tracker. This field can be used to explain why a particular administrator is making this particular connection. The last line of this expanded window is a check box, Do not save recent connections information. By checking this box, you set all SMART Client tools on this individual client to not display the last administrator and management server to which an administrator successfully connected.
Figure 8.8 SmartDashboard Login with More Options Enabled

Tools & Traps… Firewall Administrator Accounts

In pre-NG versions and the early feature packs, creating firewall administrator accounts was limited to the cpconfig configuration tool, authenticating with a static password. NG versions provide the ability to create administrator accounts from SmartDashboard. There is increased granularity for defining specific rights to the various components. A new feature in FP3 is an option to control which accounts can manage the administrators. The administrative users can be authenticated using SecurID, VPN-1 and Firewall-1 Password, OS Password, and RADIUS. If you want to use a two-factor method to authenticate, you can generate a certificate, or, with FP3, Check Point allows the use of a CAPI certificate (Microsoft) for authentication.

From the Objects tree pane, you can right-click the Administrators branch to open a window to create a single administrator account. From the menus, select Manage | Users and Administrators to open the Users and Administrators window. Click New… | Administrator… to open the Administrator Properties window. The general screen contains the Login Name and Permissions Profile parameters. You will first need to create a permissions profile before defining additional options. In the Permissions Profile Properties window, you have the increased granularity for defining administrative rights. In a large environment, you might not want all administrators to have read/write all permissions with the ability to manage administrators (see Figure 8.9). One common situation in which to define an account with read-only rights is for use during an audit. The ability to define accounts with more limited rights can be helpful in the distribution or delegation of duties to make your life easier.

There is one last issue regarding administrator accounts, for auditing purposes. In many environments, people like to create a common shared account for firewall administration. There are far too many installations out there with a shared administrator account of fwadmin that has a password of abc123. Although this combination is functional for a training environment, it is a very bad idea for production. Create specific administrator accounts for the individuals who will be administering the firewall. Doing so will enable you to see who is connected in SmartView Status and will provide audit logging to track specific changes made by an administrator in SmartView Tracker.

Figure 8.9 Administrator Permissions

SmartDashboard

This is the renamed Policy Editor, where nearly all configuration takes place; SmartDashboard is the console driving your enterprise security. Four panes make up the SmartDashboard window: the Objects tree, the Objects list, the Rule Base, and SmartMap. Ongoing modifications and additions have been made in this tool through all the NG Feature Packs. The ability to add header lines to the security policy is a new feature available with FP3. These are used in large policies to separate rules for readability. The Objects tree shows the different types of objects relative to the selected tab at the top of this pane. The Objects list displays the individual objects for the highlighted branch of the Objects tree pane.
In the Rule Base section of the screen, an administrator can define one of the six different types of policies: the Security Policy (Rule Base), Address Translation, VPN Manager, Desktop Security, Quality of Service, and Web Access. All six might not be visible, depending on your licensing and configuration. The SmartMap pane represents a graphical version of your objects. You can create a map of your topology that allows you to search for objects and rules in relation to connectivity across the enterprise.

Damage & Defense… Implied Rules

Check Point has taken care to add popup windows for new installations that warn about implied rules. By default, four implied rules are enabled with a matching order designation:

■ Accept VPN-1 and Firewall-1 control connections—First
■ Accept outgoing packets originating from Gateway—Before Last
■ Accept CPRID connections (SmartUpdate)—First
■ Accept dynamic address Module’s DHCP traffic—First

The matching order designations are First, Before Last, and Last. First places the implied rules before the first numbered rule. Before Last places the implied rules before the last numbered rule. Last places the implied rules after the last numbered rule. The last numbered rule in any rule base should be the cleanup rule. In this case, a packet being compared to the rules will never reach implied rules with a Last designation. The rules created by these settings do not appear in the Security Policy tab of SmartDashboard. In order to view these, you must select View |

[...]

... FP3-HF1 and VPN-1/FireWall-1 FP3-HF1 for Windows, as illustrated in Figures 8.17 and 8.18. You need to make sure you download the package that’s appropriate for the operating system you want to upgrade.

Figure 8.17 SVN Foundation
Figure 8.18 VPN-1/FireWall-1

You ...

Figure 8.19 Product Repository
Figure 8.20 Install Product
Figure 8.21 SmartUpdate Warning

You then need to select the product to install, and click the Install button. For our installation, SVN Foundation was selected first, followed by VPN-1/FireWall-1. There ...

... Warning Screen
Figure 8.24 The VPN-1 and FireWall Warning Screen

During the upgrade process, the value in the status column in the Operation Status screen will change. You will see the status go through these steps of the process:

1. Operation Started
2. Testing Module
3. Testing Completed
4. Transferring Package to Module
5. Installing Package on Module

... FP3-HF1, will this change be reflected in the Version field of the object?
A: No, the Version field will still read NG Feature Pack 3. HF1 will only show up in the SecureUpdate screen.

Chapter 9 Integration and Configuration of CVP / UFP
Solutions in this chapter:
■ Using CVP for Virus Scanning E-Mail ...

... pull-down menus.

Figure 8.10 Connection Persistency
Figure 8.11 Service Persistency Setting
Figure 8.12 The SmartDefense Screen

... VPN-1/FireWall-1. There is a check box for rebooting after install; this box is ignored after upgrading the SVN Foundation. The application has the intelligence to know that the VPN-1/FireWall-1 software must also be upgraded before rebooting. Figure 8.22 shows the ...

... software had to be upgraded to FP3-HF1. Three packages needed to be downloaded: the HF1 for CPSHARED, FW1, and GUI. Running setup after extracting the ZIP files is all that was required to upgrade CPSHARED and FW1. The GUI upgrade required uninstalling the FP3 SMART Client software, then reinstallation using the HF1 software. Just running the HF1 software gave an error stating that FP3 SMART Client software ...

... with SmartCenter Pro. Real-time monitoring is available for Check Point system counters, traffic, and virtual links (see Figure 8.14). Traffic can be monitored by service, network object IP, QoS, and top firewall rules.

Figure 8.14 SmartMonitor Session Properties

User ...

... HF1_FP3 after updating the installed product list. Notice the whole process summarized in the Operation Status window.

Figure 8.25 SmartUpdate Products

Summary

The SmartCenter management server is the cornerstone of a Check Point NG installation. In either a standalone ...

... Server: The Roles of a Management Server
The SecureServer is the most important component of a Check Point VPN-1/Firewall-1 installation. Configuration files contain every single configuration modified in the environment. The internal certificate authority on the management server ...

... managing licensing and updating Check Point module software and, in some cases, their operating systems. Currently, only IPSO and SecurePlatform operating systems are supported for upgrade using
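The Implied Rules sidebar above explains the First, Before Last and Last designations and why a cleanup rule makes Last rules unreachable. As an added example (not code from the book or from Check Point), this Python model merges a constructed three-rule policy with the four default implied rules plus one constructed implied rule set to Last, then reports which rules the cleanup rule shadows; rule names, network labels and service labels are constructed for illustration.

```python
"""Effective rule order with Check Point NG implied rules.

Added example, not from the book or from Check Point. It models the
matching-order designations the Implied Rules sidebar describes (First,
Before Last, Last) over a constructed three-rule policy, to show why an
implied rule placed Last can never match once a cleanup rule is the last
numbered rule. Network and service labels are constructed.
"""
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str

    def key(self):
        return (self.src, self.dst, self.service)

    def matches(self, src, dst, service):
        """A rule field matches when it is Any or equal to the packet's value."""
        return all(want in (ANY, got)
                   for want, got in zip(self.key(), (src, dst, service)))


# Constructed numbered Rule Base; rule 1 is the explicit CPMI rule the chapter
# requires when management clients are defined by range or wildcard.
NUMBERED = [
    Rule("1 SMART Clients to SmartCenter", "mgmt_clients", "smartcenter", "CPMI", "accept"),
    Rule("2 Web browsing", "internal", ANY, "http", "accept"),
    Rule("3 Cleanup", ANY, ANY, ANY, "drop"),
]

# (implied rule, matching order). The first four are the NG defaults named in
# the sidebar; the ICMP rule is a constructed example deliberately set to Last.
IMPLIED = [
    (Rule("Accept VPN-1 & FireWall-1 control connections", ANY, ANY, "fw1_control", "accept"), "First"),
    (Rule("Accept outgoing packets originating from Gateway", "gateway", ANY, ANY, "accept"), "Before Last"),
    (Rule("Accept CPRID connections (SmartUpdate)", ANY, ANY, "CPRID", "accept"), "First"),
    (Rule("Accept dynamic address Module's DHCP traffic", ANY, ANY, "dhcp", "accept"), "First"),
    (Rule("Accept ICMP requests", ANY, ANY, "icmp-request", "accept"), "Last"),
]


def effective_rules(numbered=NUMBERED, implied=IMPLIED):
    """Merge implied rules into the numbered base at their designated positions."""
    at = {pos: [r for r, p in implied if p == pos]
          for pos in ("First", "Before Last", "Last")}
    if not numbered:
        return at["First"] + at["Before Last"] + at["Last"]
    return at["First"] + numbered[:-1] + at["Before Last"] + numbered[-1:] + at["Last"]


def first_match(rules, src, dst, service):
    """Return the first rule matching the packet, as the enforcement point would."""
    return next((r for r in rules if r.matches(src, dst, service)), None)


def unreachable(rules):
    """Rules fully shadowed by an earlier rule (each earlier field Any or identical)."""
    shadowed = []
    for i, rule in enumerate(rules):
        if any(all(e in (ANY, own) for e, own in zip(earlier.key(), rule.key()))
               for earlier in rules[:i]):
            shadowed.append(rule)
    return shadowed


if __name__ == "__main__":
    for r in effective_rules():
        print(f"{r.name:50} {r.src:13} {r.dst:12} {r.service:13} {r.action}")
    print("unreachable:", [r.name for r in unreachable(effective_rules())])
```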

Posted: 14/08/2014, 18:20

Table of contents

  • Integration and Configuration of CVP / UFP

  • SecureClient Packaging Tool
