CP R82 SecurityManagement AdminGuide

The R82 Security Management Administration Guide provides comprehensive information on managing security within Check Point's R82 software. It includes details on software updates, important certifications, and a revision history of changes made to the document. Additionally, the guide outlines various features, configurations, and best practices for effective security management and administration.


07 May 2026

SECURITY MANAGEMENT

R82

Administration Guide
Check Point Copyright Notice
© 2024 - 2026 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No
part of this product or related documentation may be reproduced in any form or by any means
without prior written authorization of Check Point. While every precaution has been taken in
the preparation of this book, Check Point assumes no responsibility for errors or omissions.
This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at
DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party
licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-
date with the latest functional improvements, stability fixes, security
enhancements and protection against new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check
Point Certifications page.

Check Point R82
For more about this release, see the R82 home page.

Latest Version of this Document in English
Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.

Patent Notice
Check Point Security Management is protected by the following patents in the
United States and elsewhere.
This page is intended to serve as notice under 35 U.S.C. § 287(a):

R82 Security Management Administration Guide | 3


Revision History

Date              Description

08 April 2026     Updated "Creating Application Control and URL Filtering Rules" on page 353
10 March 2026     Updated "Gaia API Proxy" on page 676
19 February 2026  Added "Unified Access Policy for SASE and Network Security" on page 527
01 January 2026   Updated "Account Units" on page 209
29 December 2025  Updated:
                  - "Searching the SmartConsole Rule Bases" on page 43
                  - "SmartTasks" on page 621
15 December 2025  Updated "Access Control Policy Insights" on page 404
14 December 2025  - Updated "Access Roles" on page 177
                  - Added "Running Scripts" on page 253
09 December 2025  Updated:
                  - "migrate_server" on page 1005
03 December 2025  Updated "Account Units" on page 209
23 November 2025  Updated "External Network Feeds" on page 549
12 November 2025  Updated "Access Control Policy Insights" on page 404
02 November 2025  Updated "Access Control Policy Insights" on page 404
29 October 2025   Updated "Planning Security Management" on page 53
28 October 2025   Updated "Updating the Updatable Objects through the Management Server" on page 302
23 October 2025   Updated:
                  - "Configuring a Security Gateway to Access the Management Server or Log Server at its NATed IP Address" on page 252
                  - "Security Management behind NAT" on page 489
09 October 2025   Updated "Access Control Policy Insights" on page 404
01 October 2025   Updated "Session Flow for Administrators" on page 126
29 September 2025 Updated "Self-Managed Security Gateways" on page 392
28 September 2025 Updated "Working with Automatic NAT Rules" on page 427
16 September 2025 Updated "Secure Internal Communication (SIC)" on page 221
03 September 2025 Updated "Creating Application Control and URL Filtering Rules" on page 353
04 August 2025    Updated:
                  - "Access Control Policy Insights" on page 404
                  - "Connecting On-Premises Management Servers and Security Gateways to the Check Point Portal" on page 557
25 June 2025      Updated "Working with Manual NAT Rules" on page 437
16 June 2025      Updated "The Columns of the Access Control Rule Base" on page 330
28 May 2025       Updated "Connecting On-Premises Management Servers and Security Gateways to the Check Point Portal" on page 557
27 April 2025     Updated "HTTPS Inspection" on page 563
06 April 2025     Added "Blocking TLS Connections" on page 598
23 March 2025     - Added "Access Control Policy Insights" on page 404
                  - Updated "Creating an Administrator Account with SAML Authentication Login" on page 102
14 March 2025     Updated the chapter "UserCheck in the Access Control Policy" on page 535
25 February 2025  Updated "Central Deployment of Hotfixes and Version Upgrades" on page 244 -
                  in the section "Limitations" added Security Group in Maestro and ElasticXL Cluster
06 February 2025  Updated:
                  - "SmartConsole Window" on page 38
                  - "SmartConsole Toolbars" on page 39
05 January 2025   Added:
                  - "SmartConsole Packages" on page 34
                  - "Analyzing Threats" on page 534
                  - "Testing New SmartConsole Features" on page 682
                  Updated:
                  - "Access, Custom and HTTPS Inspection Tools" on page 47
                  - "Keyboard Shortcuts for SmartConsole" on page 51
                  - "Updatable Objects" on page 297
                  - "Managing Administrator Accounts" on page 75
                  - "Managing User Accounts" on page 136
01 January 2025   Updated "Security Zones" on page 307
29 December 2024  Updated:
                  - "Security Management behind NAT" on page 489
                  - "HTTPS Inspection" on page 563
15 December 2024  Updated "HTTPS Inspection" on page 563
01 December 2024  Updated "SmartTasks" on page 621
04 November 2024  Updated "The HealthCheck Point Tool" on page 278
21 October 2024   First release of this document

Table of Contents
Introduction to Network Security Management 32
Workflow for Configuring Security Management 32
SmartConsole Packages 34
Connecting to the Security Management Server with SmartConsole 35
Understanding SmartConsole 37
SmartConsole Window 38
SmartConsole Toolbars 39
Searching the SmartConsole Rule Bases 43
General Search 43
Packet Search 44
Packet Search in Intersection Mode 44
Rule Base Results 45
Using AI Copilot in SmartConsole 45
Access, Custom and HTTPS Inspection Tools 47
"Access Tools" in the Security Policies "Access Control" view 47
"Custom Policy Tools" in the Security Policies "Threat Prevention" view 47
HTTPS Inspection Tools in the Security Policies HTTPS Inspection View 48
Shared Policies 49
API Command Line Interface 50
Keyboard Shortcuts for SmartConsole 51
Planning Security Management 53
Sizing the Security Management Server 53
Define your Organization's Topology 54
Define Access Rules for Protection of your Organization's Resources 54
Enforce Access Policies 54
Configuring the Security Management Server and Security Gateways 55
Managing Security through API 57

API 57
API Tools 58
Configuring the API Server 58
Self-Managed Security Gateways 61
Introduction 61
Requirements 62
Limitations 63
Notes 64
Configuration 64
Resetting a Dynamic Layer 70
Creating an Administrator Account with API Key Authentication 72
Managing Administrator Accounts 75
Creating an Administrator Account 75
Editing an Administrator Account 78
Deleting an Administrator Account 79
Default Expiration for Administrators 79
Configuring SmartConsole Session Timeout 80
Revoking an Administrator Certificate 80
Restricting Administrator Login Attempts 81
Unlocking Administrator Accounts 81
Multiple Administrators 81
Creating an Administrator Account with Check Point Password Authentication 82
Creating an Administrator Account with OS Password Authentication 85
Creating an Administrator Account with RADIUS Server Authentication 88
Creating an Administrator Account with TACACS Server Authentication 93
Creating an Administrator Account with SecurID Authentication 98
Creating an Administrator Account with SAML Authentication Login 102
Use Case 102
SAML Authentication Login 103
Creating an Administrator Account with API Key Authentication 113

Assigning Permission Profiles to Administrators 116


Changing and Creating Permission Profiles 116
Configuring Customized Permissions 118
Configuring Permissions for Access Control Layers 120
Configuring Permissions for Access Control and Threat Prevention 121
Configuring Permissions for Monitoring, Logging, Events, and Reports 122
Defining Trusted Clients 123
Session Flow for Administrators 126
Publishing a Session 126
Working in SmartConsole Session View 127
Viewing Changes Made in Private Sessions 128
Taking over locked objects from administrators with inactive sessions 128
Administrators Working with Multiple Sessions 129
Approval Cycle for Sessions (SmartWorkflow and Identity Provider) 132
Use Case 132
Configuration 132
Setting up for Team Work 135
Managing User Accounts 136
Creating a User Account 136
Changing an Existing User 139
Deleting a User 139
Managing User Groups 140
Configuring Default Expiration Settings for Users 141
Managing Users 142
Creating a New User Template 142
Creating a New User 143
Editing an Existing User 144
Deleting a User 144
Configuring Default Expiration Settings for Users 145
Creating a User Account with Check Point Password Authentication 146

Creating a User Account with OS Password Authentication 150


Creating a User Account with RADIUS Server Authentication 154
Configuring RADIUS Authentication for a User 154
Granting User Access Using RADIUS Server Groups 160
Creating a User Account with TACACS Server Authentication 161
Creating a User Account with SecurID Authentication 168
Access Roles 177
Adding Access Roles 177
User Directory 179
User Directory Considerations 179
Deploying User Directory 180
Enabling User Directory 181
User Directory Schema for LDAP 181
Schema Checking 182
OID Proprietary Attributes 182
User Directory Schema Attributes 182
Fetch User Information Effectively 193
Setting User-to-Group Membership Mode 193
Profile Attributes 193
Managing Users on a User Directory Server 204
Distributing Users in Multiple Servers 204
Managing LDAP Information 204
LDAP Groups for the User Directory 205
Retrieving Information from a User Directory Server 207
Running User Directory Queries 207
Querying Multiple LDAP Servers 208
Account Units 209
Working with LDAP Account Units 209
Account Units and High Availability 215
Setting High Availability Priority 216

Configuring Users on an External LDAP Server 217


Microsoft Active Directory 217
Performance 217
Manageability 217
Enforcement 217
Updating the Registry Settings 218
Delegating Control 218
Extending the Active Directory Schema 218
Adding New Attributes to the Active Directory 219
Updating the user or service account password to the LDAP account unit on the Active Directory 220
Managing Gateways 221
Secure Internal Communication (SIC) 221
Initializing Trust 221
SIC Status 222
Managing Trust State 222
Troubleshooting SIC 223
Understanding the Check Point Internal Certificate Authority (ICA) 224
ICA Clients 224
SIC Certificate Management 224
Creating a New Security Gateway 226
Manually Updating the Gateway Topology 228
Get Interfaces API 229
Dynamically Updating the Security Gateway Topology 230
Dynamic Anti-Spoofing 230
Managing Licenses 231
Managing Server and Gateway Licenses 232
Viewing Licenses in SmartConsole 234
Viewing license information for VSX 235
Monitoring Licenses in SmartConsole 236

License or Quota Changes 238


Security Gateway Indicators 240
Installing the Recommended Take on the Security Gateway 241
Central Deployment of Hotfixes and Version Upgrades 244
Introduction 244
Prerequisites 245
Limitations 246
Installation 246
Uninstalling a Hotfix or a Jumbo Hotfix Accumulator 250
How the Central Deployment Upgrades a Cluster 250
Configuring a Security Gateway to Access the Management Server or Log Server at its NATed IP Address 252
Running Scripts 253
One Time Script 253
Understanding One-Time Scripts 253
Running a one-time script 253
One Time Script Options 254
Script Repository 254
Configuring Implied Rules or Kernel Tables for Security Gateways 256
Introduction 256
Configuration files 256
Configuration Procedure 258
Location of '[Link]' Files on the Management Server 259
Location of 'implied_rules.def' Files on the Management Server 260
Location of '[Link]' Files on the Management Server 262
Location of '[Link]' Files on the Management Server 264
Location of 'vpn_table.def' Files on the Management Server 266
Location of 'vpn_route.conf' Files on the Management Server 268
Location of '[Link]' Files on the Management Server 270
Location of '[Link]' Files on the Management Server 272

Location of '[Link]' Files on the Management Server 274


Location of '[Link]' Files on the Management Server 276
The HealthCheck Point Tool 278
Statuses in SmartConsole 280
Limitations 280
Managing Objects 281
Object Categories 282
Actions with Objects 283
Object Tags 285
Adding a Tag to an Object 285
Network Object Types 286
Networks 286
Network Groups 287
Grouping Network Objects 287
Check Point Hosts 288
Gateway Cluster 289
Address Ranges 290
Wildcard Objects 291
Understanding Wildcard Objects 291
IPv6 295
Domains 296
Updatable Objects 297
Introduction to Updatable Objects 297
Adding an Updatable Object to the Access Control Policy 297
Adding an Updatable Object to the Custom Threat Prevention Policy 298
Adding an Updatable Object to the HTTPS Inspection Policy 299
Monitoring Updatable Objects 300
Updating the Updatable Objects through the Management Server 302
Dynamic Objects 304
Generic Data Center Objects 305

Limitations 306
Security Zones 307
Processing Flow for Rule Base Execution when using Security Zones and NAT Rules 308
Creating and Assigning Security Zones 308
Predefined Security Zones 309
Limitations 310
Externally Managed Gateways and Hosts 311
Interoperable Devices 312
VoIP Domains 313
Logical Servers 314
Balance Method 314
Open Security Extension (OSE) Devices 315
Defining OSE Device Interfaces 315
OSE Device Properties Window - "General" Tab 316
Anti-Spoofing Parameters and OSE Devices Setup (Cisco) 316
Managing Policies 318
Working with Policy Packages 318
Viewing Rule Logs 325
Policy Installation History 326
Concurrent Install Policy 327
Accelerated Install Policy 328
Creating an Access Control Policy 329
Introducing the Unified Access Control Policy 329
The Columns of the Access Control Rule Base 330
Source and Destination Column 331
To Learn More About Network Objects 331
VPN Column 331
IPsec VPN 331
Mobile Access to the Network 332

To Learn More About VPN 332


Services & Applications Column 332
Service Matching 333
Application Matching 333
Content Column 336
Data Type Group 337
Actions 338
Tracking Column 340
To Learn More About Tracking 340
Rule Matching in the Access Control Policy 341
The matching examples show that: 344
Creating a Basic Access Control Policy 346
Basic Rules 346
Use Case - Basic Access Control 346
Use Case - Inline Layer for Each Department 348
Default Cell Values 351
Enforcement of Rules with the Value "None" 352
Upgrading of a Management Server from R81 and Lower Versions 352
Creating Application Control and URL Filtering Rules 353
Blocking URL Categories 360
Using Dynamic URL Lists for Application Control and URL Filtering 360
Ordered Layers and Inline Layers 367
The Need for Ordered Layers and Inline Layers 367
Order of Rule Enforcement in Inline Layers 367
Order of Rule Enforcement in Ordered Layers 368
Creating an Inline Layer 369
Creating an Ordered Layer 370
Enabling Access Control Features 371
Types of Rules in the Rule Base 373
Administrators for Access Control Layers 375

Sharing Layers 375


Visual Division of the Rule Base with Sections 376
Managing Policies and Layers 377
Best Practices for Access Control Rules 378
Use Cases for the Unified Rule Base 380
Self-Managed Security Gateways 392
Introduction 392
Requirements 393
Limitations 394
Notes 395
Configuration 395
Resetting a Dynamic Layer 401
Installing the Access Control Policy 403
Access Control Policy Insights 404
Known Limitations 404
Prerequisites 405
Activating Access Control Policy Insights 405
Insights 406
Calculation Process 406
Types of Insights 406
Confidence Level 407
High Confidence Insights 407
Low Confidence insights 407
Security Impact 407
Managing Access Control Policy Insights 407
Available Actions 408
Telemetry and Data Processing 408
Additional Clarifications Regarding Data Handling and Privacy 410
Background Activities 410
The Access Control Policy Insights Window 411

Filtering Insights 411


Analyzing the Rule Base Hit Count 412
Enabling or Disabling Hit Count 412
Hit Count Display 413
Preventing IP Spoofing 415
Anti-Spoofing Options 418
Configuring the NAT Policy 419
Getting Started with NAT 419
Introduction 419
Types of NAT Rules 420
Types of NAT Methods 421
NAT Rules in SmartConsole 424
Order of NAT Rule Enforcement 426
Working with Automatic NAT Rules 427
Example of Automatic NAT Rules 427
Configuring Automatic NAT 430
Example Deployment 431
Automatic Hide NAT to External Networks 435
Working with Manual NAT Rules 437
Example of a Manual NAT Rule 437
Configuring Manual NAT 438
Example Deployment 438
Working with NAT46 Rules 444
Overview 444
Known Limitations for NAT46 446
Configuring NAT46 446
Logging of NAT46 Traffic 458
Working with NAT64 Rules 459
Overview 459
Known Limitations for NAT64 460

Example of NAT64 Translation Flow 460


Configuring NAT64 463
Logging of NAT64 traffic 479
Advanced NAT Settings 480
Automatic and Proxy ARP 480
NAT and Anti-Spoofing 481
Disabling NAT in a VPN Tunnel 482
Internal Communication with Overlapping Addresses 483
Example Network Configuration 483
Communication Examples 484
Routing Considerations 485
Object Database Configuration 485
Multicast Access Control 487
Security Management behind NAT 489
Overview 489
Configuring NAT for Control Connections on the Security Management Server 489
Configuration on the Security Gateway 490
IP Pool NAT 492
Overview 492
NAT Priorities 493
IP Pool per Interface 494
Reusing IP Pool Addresses for Different Destinations 495
IP Pool Configuration Procedure 497
Mobile Access to the Network 501
Check Point Mobile Access Solutions 501
Client-Based vs. Clientless 501
Mobile Access Clients 502
Mobile Access Web Portal 502
SSL Network Extender 502
Configuring Mobile Access to Network Resources 503

Sample Mobile Access Workflow 503


Sample Mobile Access Deployment 504
Using the Mobile Access Configuration Wizard 505
Allowing Mobile Connections 506
Defining Access to Applications 507
Activating Single Sign-On 507
Connecting to a Citrix Server 509
Sample Deployment with Citrix Server 509
Configuring Citrix Services for Mobile Access 510
Compliance Check 512
Compliance Policy Rules 512
Creating a Compliance Policy 512
Configuring Compliance Settings for a Security Gateway 513
Secure Workspace 514
Secure Workspace 515
To Learn More About Mobile Access 516
Site-to-Site VPN 517
Sample Site-to-Site VPN Deployment 517
VPN Communities 517
Sample Combination VPN Community 520
Allowing VPN Connections 520
Sample VPN Access Control Rules 521
To Learn More About Site-to-Site VPN 521
Remote Access VPN 522
VPN Connectivity Modes 522
Sample Remote Access VPN Workflow 522
Configuring the Security Gateway for a Remote Access Community 524
To Learn More About Remote Access VPN 524
Implied Rules 525
Creating a New Threat Prevention Policy 526

Installing the Threat Prevention Policy 526


Unified Access Policy for SASE and Network Security 527
Prerequisites 527
Activating Unified Access Policy for SASE 528
Supported Policies and Objects 531
Mapping of Policy Component Display between Network Security and SASE 532
Logs 532
Switching Back to SASE Management 533
Analyzing Threats 534
UserCheck in the Access Control Policy 535
Configuring UserCheck 537
UserCheck Interaction Objects for Access Control Software Blades 541
UserCheck Interaction Action Types 541
Default UserCheck Interaction Objects for Access Control 542
Creating New UserCheck Interaction Objects for Access Control 542
Send Email Notifications in Plain Text 546
Localizing and Customizing the UserCheck Portal 548
External Network Feeds 549
Use Case 549
Configuration 550
Working with Trusted CAs for External Network Feeds 552
Monitoring 553
Troubleshooting 555
Connecting On-Premises Management Servers and Security Gateways to the Check Point Portal 557
Prerequisites 557
Connecting Your Security Management Server and Security Gateway to the Check Point Portal 558
Sharing Configuration Information with the Check Point Portal 560
Sharing Logging Information with the Check Point Portal 561
Troubleshooting 562

HTTPS Inspection 563


Intercepting HTTPS Connections 564
Outbound HTTPS Inspection 564
Inbound HTTPS Inspection 565
Getting Started with HTTPS Inspection 566
HTTPS Inspection Policy 567
Configuring HTTPS Inspection Policy 569
HTTPS Inspection Policy Enforcement 570
Working with Inbound CA Certificates 571
Assigning a Server Certificate for Inbound HTTPS Inspection 571
Configuring HTTPS Inspection on the Security Gateway 572
HTTPS Inspection Deployment View 575
Working with Outbound CA Certificates 576
Creating an Outbound CA Certificate 576
Importing an Outbound CA Certificate 577
Exporting and Deploying the Generated CA Certificate 579
Deploying Certificates using Group Policy 580
Exporting a Certificate from one Security Management Server to Another 580
Working with Trusted CAs for Outbound HTTPS Inspection 582
HTTPS Inspection Global Settings 584
Fail Mode 584
Categorization Mode 584
Server Validations 585
Certificate Blocking 586
Bypass Allow Lists 587
Session Logs 587
Other 588
Intermediate CA 588
Bypass Under Load Logging 588
HTTPS Inspection Statistics View 589

Configuration 589
Viewing HTTPS Inspection Statistics 589
SNI support for Site Categorization 591
HTTPS Inspection on Non-Standard Ports 591
Inspection of TLS v1.3 Traffic 592
Inspection of HTTP/3 protocol (RFC 9114) 592
Using HTTPS/3 in the Rule Base 592
Monitoring the HTTP/3 inspection 593
Limitations 598
Blocking TLS Connections 598
Prerequisites 598
Procedure 599
Client Certificates for Smartphones and Tablets 606
Managing Client Certificates 606
Creating Client Certificates 607
Revoking Certificates 608
Creating Templates for Certificate Distribution 608
Cloning a Template 610
Giving Permissions for Client Certificates 610
Preferences and Management Settings 611
Database Revisions 611
Setting IP Address Versions of the Environment 614
Restoring Window Default 615
Configuring the Login Window 616
Synchronization with UserCenter 617
Inspection Settings 618
Configuring Inspection Settings 618
SmartTasks 621
Available Triggers 621
Available Actions 623

Configuring SmartTask Properties 624


SmartTask Advanced Properties 624
Send Web Request 624
Run script 624
Send Email 624
Management High Availability 629
Overview of Management High Availability 629
The High Availability Environment 630
Configuring a Secondary Security Management Server in SmartConsole 631
Synchronizing Active and Standby Servers 633
Monitoring High Availability 633
Monitoring Synchronization Status and Actions 633
Changing a Server to Active or Standby 635
Working in Collision Mode 635
Changeover Between Active and Standby 635
High Availability Troubleshooting 636
Not Communicating 636
Collision or HA Conflict 636
Sync Error 636
Unlocking the Administrator 636
Environments with Endpoint Security 637
High Availability Disaster Recovery 638
Compliance 640
The Compliance View 640
The Compliance Scoring System 641
The Security Best Practices Compliance View 642
Creating User-Defined Best Practices 643
Activating and Deactivating Best Practice Tests 645
The Gateways View 647
The Blades View 648

The Action Items and Messages View 649


The Regulatory Compliance View 651
Creating Reports 653
The ICA Management Tool 654
Overview 654
Connecting to the ICA Management Tool 654
The ICA Management Tool Portal 657
User Certificate Management 658
Modifying the Key Size for User Certificates 658
Performing Multiple Simultaneous Operations 660
ICA Administrators with Reduced Privileges 661
Operations with Certificates 662
Management of SIC Certificates 662
Management of Security Gateway VPN Certificates 662
Management of User Certificates in SmartConsole 662
Notifying Users about Certificate Initialization 662
Retrieving the ICA Certificate Files 662
Searching for a Certificate 663
Basic Search Parameters 663
Advanced Search Attributes 663
The Search Results 664
Viewing and Saving Certificate Details 664
Removing and Revoking Certificates and Sending Email Notifications 664
Submitting a Certificate Request to the CA 665
Initializing Multiple Certificates Simultaneously 666
CRL 669
CRL Management 669
CRL Operations 669
CA Procedures 670
CA Cleanup 670

Configuring the CA 670


CA Data Types and Attributes 670
Certificate Longevity and Statuses 675
Gaia API Proxy 676
Testing New SmartConsole Features 682
Command Line Reference 683
Syntax Legend for CLI Commands 684
contract_util 686
contract_util check 688
contract_util cpmacro 689
contract_util download 690
contract_util mgmt 692
contract_util print 693
contract_util summary 694
contract_util update 695
contract_util verify 696
cp_conf 697
cp_conf admin 699
cp_conf auto 702
cp_conf ca 703
cp_conf client 705
cp_conf finger 709
cp_conf lic 710
cp_log_export 713
cpca_client 734
cpca_client create_cert 736
cpca_client double_sign 738
cpca_client get_crldp 740
cpca_client get_pubkey 741
cpca_client init_certs 742

cpca_client lscert 743


cpca_client revoke_cert 746
cpca_client revoke_non_exist_cert 749
cpca_client search 750
cpca_client set_ca_services 753
cpca_client set_cert_validity 755
cpca_client set_mgmt_tool 756
cpca_client set_sign_hash 761
cpca_create 763
cpconfig 764
cpinfo 767
cplic 768
cplic check 771
cplic contract 773
cplic db_add 775
cplic db_print 777
cplic db_rm 779
cplic del 780
cplic del <object name> 781
cplic get 782
cplic print 784
cplic put 787
cplic put <object name> 790
cplic upgrade 793
cppkg 795
cppkg add 797
cppkg delete 798
cppkg get 800
cppkg getroot 801
cppkg print 802

cppkg setroot 803


cpprod_util 804
cprid 809
cprinstall 810
cprinstall boot 813
cprinstall cprestart 814
cprinstall cpstart 815
cprinstall cpstop 816
cprinstall delete 817
cprinstall get 818
cprinstall install 819
cprinstall revert 822
cprinstall show 823
cprinstall snapshot 824
cprinstall transfer 825
cprinstall uninstall 827
cprinstall verify 829
cpstart 831
cpstat 832
cpstop 840
cpview 841
Overview of CPView 841
CPView User Interface 841
Using CPView 842
cpwd_admin 843
cpwd_admin config 846
cpwd_admin del 849
cpwd_admin detach 850
cpwd_admin exist 851
cpwd_admin flist 852

cpwd_admin getpid 854


cpwd_admin kill 855
cpwd_admin list 856
cpwd_admin monitor_list 859
cpwd_admin start 860
cpwd_admin start_monitor 862
cpwd_admin stop 863
cpwd_admin stop_monitor 865
dbedit 866
fw 879
fw fetchlogs 881
fw hastat 885
fw kill 886
fw log 887
fw logswitch 897
fw lslogs 901
fw mergefiles 904
fw repairlog 907
fw sam 908
fw sam_policy 916
fw sam_policy add 919
fw sam_policy batch 932
fw sam_policy del 934
fw sam_policy get 938
fwm 944
fwm dbload 947
fwm exportcert 948
fwm fetchfile 949
fwm fingerprint 951
fwm getpcap 953

fwm ikecrypt 955


fwm load 956
fwm logexport 957
fwm mds 962
fwm printcert 964
fwm sic_reset 970
fwm snmp_trap 971
fwm unload 974
fwm ver 978
fwm verify 979
inet_alert 980
ldapcmd 983
ldapcompare 985
ldapmemberconvert 989
ldapmodify 995
ldapsearch 997
mgmt_cli 1000
migrate 1001
migrate_server 1005
queryDB_util 1016
rs_db_tool 1017
sam_alert 1019
stattest 1023
threshold_config 1026
Glossary 1032

Introduction to Network Security Management
Check Point offers effective Security Management solutions to help you keep up with
constantly growing needs and challenges of your organizational network. This Administration
Guide focuses on the basic Security Management Server deployment.
If you are interested in deployments for organizations with multiple sites, refer to the R82 Multi-
Domain Security Management Administration Guide.
These are the basic components of Check Point security architecture.

Item Description
1 SmartConsole - Check Point Graphical User Interface for connection to and management of Security Management Servers.
2 Security Management Server - Manages Security Gateways with defined security policies and monitors security events on the network.
3 Security Gateway - Placed at the perimeter of the network topology, to protect your environment through enforcement of the security policies.
4 Your environment to protect.

Workflow for Configuring Security Management

1. Connect with SmartConsole to the Security Management Server.
   See "Connecting to the Security Management Server with SmartConsole" on page 35.
2. Configure the Security Management Server and Security Gateways in your environment.
   See "Configuring the Security Management Server and Security Gateways" on page 55.
3. Define the administrators of your environment.
   See "Managing Administrator Accounts" on page 75.
4. Assign permissions to the administrators of your environment.
   See "Assigning Permission Profiles to Administrators" on page 116.
5. Define users and user groups that your security environment protects.
   See "Managing User Accounts" on page 136.
6. Configure the physical and virtual network components in your environment.
   See "Managing Objects" on page 281.
7. Configure access rules that govern the protection of your organization's resources.
   See "Creating an Access Control Policy" on page 329.
8. Install the Security Policy.
   See "Installing the Access Control Policy" on page 403.
   See "Installing the Threat Prevention Policy" on page 526.

SmartConsole Packages
SmartConsole is the main GUI client you use to connect to the Check Point Management
Server to configure the required objects and policies in a Check Point environment.
Check Point provides these SmartConsole Packages:

Desktop SmartConsole
Where to get it: sk181127.
Description: A standalone SmartConsole application you install on a Windows OS-based computer. For information about the updatable SmartConsole, see sk171315.

Web SmartConsole
Where to get it: This package is built-in to the Management Server. This package is self-updatable, if the Management Server is connected to the Internet. Get the latest offline package from sk170314.
Description: Web SmartConsole provides the SmartConsole GUI functionality in a web browser.
Best Practice - We recommend that you use the Google Chrome web browser to connect to the Web SmartConsole.
To connect to the Web SmartConsole:
1. In a web browser, connect to: https://<IP Address of the Management Server>/smartconsole
   Example: [Link]
2. Log in with the credentials of the Management Server administrator.

Portable SmartConsole
Where to get it: sk116158.
Description: Portable SmartConsole is a version of the SmartConsole client which is deployed without the installer of SmartConsole. This package encapsulates all content into the directory where it is deployed, so that it can be carried around on a portable device. Another advantage of this version is that it allows side-by-side versions of the SmartConsole of the same release on the same computer.

Connecting to the Security Management Server with SmartConsole
To log in to a Security Management Server / Domain Management Server with SmartConsole,
you must have an administrator account configured on the Security Management Server /
Domain Management Server.
When installing the Security Management Server / Multi-Domain Security Management Server, you create one administrator in the First Time Configuration Wizard. After that, you can create additional administrator accounts in SmartConsole.

To log in to the Security Management Server / Domain Management Server with SmartConsole
1. Launch the SmartConsole application.
   See "SmartConsole Packages" on page 34.
2. Enter your administrator authentication credentials.
   These can be a username, a certificate file, or a CAPI certificate.
   - Logging in with a username:
     Enter the Username and Password.
   - Logging in with a certificate file:
     a. From the drop-down list, select Certificate File.
     b. Browse to the file.
        This is the certificate file you created in the administrator object.
        See "Managing Administrator Accounts" on page 75.
     c. Enter the password of the certificate file.
   - Logging in with a certificate in the CAPI repository:
     Prerequisite - You must create a certificate file in the administrator object in SmartConsole, save it, and import it into the Windows Certificate Store on the SmartConsole client computer. See "Managing Administrator Accounts" on page 75.
     a. From the drop-down list, select CAPI Certificate.
     b. From the drop-down list, select the administrator.
   - Logging in with Identity Provider:
     From the drop-down list, select Identity Provider.
     Note - No need to enter credentials. The third-party Identity Provider you are connected to already recognizes and authenticates you. For instructions on how to configure the Identity Provider, see "Creating an Administrator Account with SAML Authentication Login" on page 102.
3. Enter the name or the IP address of the Security Management Server / Domain Management Server.
4. To connect in read-only mode, select the Read Only checkbox.
5. Click Login.
   SmartConsole authenticates the Security Management Server / Domain Management Server. The first time you connect, SmartConsole shows the fingerprint.
6. Confirm the fingerprint.

The fingerprint and the IP address of the Security Management Server / Domain Management
Server are saved to the user settings in Windows.

Understanding SmartConsole
Check Point SmartConsole makes it easy to manage security for complex networks. Before
you configure your cyber security environment and policies, become familiar with Check
Point's SmartConsole.
You can get the SmartConsole package in the Home Page SK article - sk181127.
You must install the SmartConsole package in a folder whose full path includes only English characters.

SmartConsole Window

Item Description
1 Global Toolbar
2 Session Management Toolbar
3 Navigation Toolbar
4 Objects Bar (F11)
5 Validations pane
6 AI Copilot. For complete description and minimum requirements, see sk182844.
7 Command line interface button


Note - In SmartConsole > Gateways & Servers view, after you click the Filter
(funnel) button on the top toolbar, you can select only one facet in each category
("Version", "Hardware", and so on).

SmartConsole Toolbars
Global Toolbar (top of SmartConsole)

Icon Description

The main SmartConsole Menu. When SmartConsole is connected to a Security Management Server, this includes:
- Manage policies and layers
- Open Object Explorer
- New object (opens a menu to create a new object)
- Publish session
- Discard session
- Session details
- Install policy
- Verify Access Control Policy
- Install Database
- Uninstall Threat Prevention policy
- Management High Availability
- Manage Licenses and Packages
- Endpoint (opens a menu to SmartEndpoint and Harmony Endpoint Web UI)
- Global Properties
- View (opens a menu to select a View to open)

Create new objects or open the Object Explorer

Install policy on managed Security Gateways

Session Management Toolbar (top of SmartConsole)

Icon Description

Discard changes made during the session

Enter session details to view the number of changes made in the session.

Publish the SmartConsole session, to make the changes visible to other administrators, and ready to install on Security Gateways.
Note - When the policy is installed, published changes are installed on the Security Gateways and enforced.

Navigation Toolbar (left side of SmartConsole)

Icon Keyboard Shortcut Description

Ctrl+1 Gateways & Servers configuration view:
- Manage Security Gateways
- Activate Software Blades
- Add, edit, or delete Security Gateways and clusters (including virtual clusters)
- Run scripts
- Backup and restore Security Gateways
- Open a command line interface on the Security Gateway
- View Security Gateway status

Ctrl+2 Security Policies Access Control view:
- Manage Access Control: Content Awareness, VPN, Application & URL Filtering, and Mobile Access
- Edit multiple policies at the same time
- Add, edit, or delete NAT rules
- Use the Access Tools
Security Policies Threat Prevention view:
- Manage Threat Prevention: IPS, Anti-Bot, Anti-Virus, Threat Emulation
- Edit the unified threat Rule Base
- Configure threat profiles
- Add, edit, or delete exceptions and exception groups
- Use the Custom Policy Tools
Shared Policies views:
- Manage Mobile Access, DLP, and Inspection Settings

Ctrl+3 Logs & Events view:
- View high level graphs and plots
- Search through logs
- Schedule customized reports
- Monitor Security Gateways
- View compliance information

Ctrl+4 Infinity Services view:
- Connect from your on-premises Management Server to the Check Point Portal
- Run services that are managed in the Check Point Portal on your Management Server objects
- See a unified log view of all your Check Point products, both in cloud and on-premises
- Use new administrator capabilities on the on-premises Management Server

Ctrl+5 Manage & Settings view - review and configure the Security Management Server settings:
- Administrators
- Permissions profiles
- Trusted clients
- Administrator sessions, and session settings
- Blades
- Revisions
- Preferences
- Sync with User Center

Command Line Interface Button (left bottom corner of SmartConsole)

Icon Keyboard Shortcut Description

F9 Open a command line interface for management scripting and API

For more SmartConsole shortcuts, see "Keyboard Shortcuts for SmartConsole" on page 51.

Objects Bar (right side of SmartConsole)

Item Keyboard Shortcut Description

Objects F11 Manage security and network objects

AI Copilot Pane (right side of SmartConsole)

Item Description

AI Copilot The AI Copilot is an intelligent assistant integrated into SmartConsole, designed to streamline tasks and deliver actionable insights for efficient Security Management. For complete description and minimum requirements, see sk182844.

Validations Pane (right side of SmartConsole)

Item Description

Validations View validation errors

System Information Area (bottom of SmartConsole)

Item Description

Task List Management tasks in progress. Expand to view recent tasks

Server Details The IP address of the server to which SmartConsole is connected. If Management High Availability is configured, click to view the details.

Session Status The number of changes made in the session and the session status.

Connected administrators Connected administrators: Yourself and others.

Searching the SmartConsole Rule Bases

You can search the SmartConsole Rule Bases for rules, objects, IP addresses, or any other
information related to each Rule Base.
To search for an object in a Rule Base, use one of these search methods:

General Search
This is the default search mode. General Search performs a text-based search across the Rule Base. Enter the required object name in the search box above the Rule Base.
You can search for an object by its full name or:
- Enter the prefix of the object's name. For example, to find USGlobalHost, enter USG in the search box.
- Enter any sequence of characters in the object's name, preceded by an asterisk (*). For example, to find USGlobalHost, enter *oba, *host, or *SG.
General Search for an IP Address or a Network
When you enter a valid IP address or a network, the search returns these results:
- Objects with an IP address property (direct results).
- Objects containing the IP address as text (for example, in comments in the object editor).
- Networks, IP address ranges, groups (including groups with exclusions), and rules containing the specified IP address or network.
To refine your search, SmartConsole supports these predefined search tokens:

View - Search Tokens

Security Policies view > Access Control > Policy - Source, Destination, VPN, Services, Applications, Install On, Action, Track, Hits.

Security Policies view > Access Control > NAT - Original Source, Original Destination, Original Services, Translated Source, Translated Destination, Translated Services, Install On, Hits.

Security Policies view > Threat Prevention > Custom Policy - Scope, Source, Destination, Service, Protection, Install On.

Security Policies > HTTPS Inspection > Inbound Policy or Outbound Policy - Source, Destination, Install On, Category/Custom Application.

Security Policies > Shared Policies > Mobile Access > Policy - Applications, User Groups, Install On.

Security Policies > Shared Policies > Mobile Access > Profiles Policy - Mobile Profiles, User Groups.

To search a Rule Base using a search token:
1. In the search box, select the required search token.
2. Enter the name of the object you wish to search for.

Note - To navigate between search results, use the arrows on the right side of the
search box.

Packet Search
Packet Search simulates how a Security Gateway processes a real packet. It scans the
Source and Destination columns in the Rule Base and identifies all rules and objects
(including nested groups) that can capture the packet.
Packet Search returns these results:
- When searching for an IP address - The specified IP address and any networks that contain it.
- When searching for a network - The specified network, all IP addresses that the network contains, and any larger networks that contain it.
- All rules where the Source or Destination column is set to Any.
- Rules that include the IP address or network within groups using exclusions, or in fields set to "negated" (matching everything except the specified IP address).

To run a Packet Search:
1. Click the search box above the Rule Base.
2. Select Packet Mode > On, or enter: "mode:Packet".
3. To search a specific rule column, enter: ColumnName:Criteria.

Note - To navigate between search results, use the arrows on the right side of the
search box.

Known Limitation - Packet Search does not support IPv6.

Packet Search in Intersection Mode

Starting from R82 Jumbo Hotfix Accumulator Take 60.

Packet search in Intersection mode refines the packet search, enabling you to apply these specific search filters:
- Any - Returns rules in which the Source or Destination column includes the IP address or network you entered in the search.
- Exact - Returns only rules in which the Source or Destination column has the exact IP address or network you entered in the search.
- Containing - Returns rules in which the IP address or network you entered in the search contains the IP address or network in the Source or Destination column.
  For example: A search for [Link]/16 matches rules with [Link]/24 as well as [Link]/16 itself.
- Contained - Returns rules in which the IP address or network in the Source or Destination column contains the IP address or network you searched for.
  For example: A search for [Link]/8 matches rules with [Link]/24 as well as [Link]/16 itself.
Packet search in Intersection mode is only available through the API. There is currently no user interface for it in SmartConsole. For more information, see the API Management Reference Guide.

Known Limitation - Packet search in Intersection mode does not support IPv6.
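Worked example of the search semantics described in this section: General Search (prefix and asterisk matching on an object name), Packet Search over the Source and Destination columns with the Any, Exact, Containing and Contained filters, and the reason labels that drive the result highlighting ("Any", negated column, direct match). This is added example code, not SmartConsole's implementation: it uses Python's ipaddress module over a constructed four-rule Rule Base, so unlike the product it also accepts IPv6 queries. The rule dictionaries, the function names and the reason labels are the example's own.

```python
"""Rule Base search helpers that mirror the SmartConsole search modes.

Added example (not Check Point code). Rules and objects are constructed
inline; column values are strings as they appear in a Rule Base column.
"""
import ipaddress
from typing import Any, Dict, Iterable, List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rule = Dict[str, Any]


def general_match(object_name: str, query: str) -> bool:
    """General Search on an object name: a plain query matches a prefix, a
    query starting with '*' matches any character sequence in the name."""
    name, q = object_name.lower(), query.lower()
    if q.startswith("*"):
        return q[1:] in name
    return name.startswith(q)


def _to_net(value: str) -> Net:
    # A bare host address becomes a /32 (or /128); strict=False tolerates
    # host bits in the address part of a network such as 10.1.2.5/24.
    return ipaddress.ip_network(value, strict=False)


def packet_match(column: Iterable[str], query: str, mode: str = "any") -> bool:
    """True when one entry of a Source/Destination column captures the query.

    mode is one of the Intersection-mode filters:
      any        - entry and query overlap (plain Packet Search behaviour)
      exact      - entry equals the query
      containing - the query contains the entry
      contained  - the entry contains the query
    Entries that are not addresses (named objects, groups) are skipped here;
    resolving them to addresses is left to the caller.
    """
    q = _to_net(query)
    for entry in column:
        try:
            n = _to_net(entry)
        except ValueError:
            continue
        if n.version != q.version:
            continue
        if mode == "any":
            hit = n.overlaps(q)
        elif mode == "exact":
            hit = n == q
        elif mode == "containing":
            hit = n.subnet_of(q)
        elif mode == "contained":
            hit = q.subnet_of(n)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        if hit:
            return True
    return False


def search_rule_base(rules: List[Rule], query: str,
                     mode: str = "any") -> List[Tuple[int, str, str]]:
    """Return (rule number, column, reason) for every rule whose Source or
    Destination captures the query. The reason mirrors what SmartConsole
    highlights: 'Any' for a column set to Any, 'negated' when the address
    sits in a negated column, otherwise 'match'."""
    results: List[Tuple[int, str, str]] = []
    for rule in rules:
        for col in ("source", "destination"):
            entries = rule[col]
            if any(e.strip().lower() == "any" for e in entries):
                results.append((rule["no"], col, "Any"))
                break
            if packet_match(entries, query, mode):
                reason = "negated" if rule.get(col + "_negated") else "match"
                results.append((rule["no"], col, reason))
                break
    return results


# Constructed sample Rule Base (private-range placeholder addresses).
SAMPLE_RULES: List[Rule] = [
    {"no": 1, "source": ["10.1.0.0/16"], "destination": ["Any"]},
    {"no": 2, "source": ["10.1.2.0/24", "192.168.5.0/24"],
     "destination": ["10.9.9.9"]},
    {"no": 3, "source": ["10.1.2.10"], "destination": ["10.0.0.0/8"],
     "destination_negated": True},
    {"no": 4, "source": ["172.16.0.0/12"], "destination": ["10.1.2.0/24"]},
]

if __name__ == "__main__":
    for m in ("any", "exact", "containing", "contained"):
        print(m, search_rule_base(SAMPLE_RULES, "10.1.2.0/24", m))
```

Named objects and groups in a column are skipped by packet_match; SmartConsole resolves them (including nested groups and groups with exclusions) to addresses before matching, which is why a real search can return more rules than this helper does for the same Rule Base.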

Rule Base Results

Matched rules in the Rule Base are highlighted to help you quickly identify relevant results.

Text contains - This is highlighted
A direct match on an object name or on textual columns - Only the specific matched characters
A direct match on object properties - The entire object name
A negated column - The negated label
A match on "Any" - "Any"

Using AI Copilot in SmartConsole


The AI Copilot is an intelligent assistant integrated into SmartConsole, designed to streamline
security management tasks and deliver actionable insights for enhanced operational
efficiency.

The AI Copilot was trained to read and understand Check Point Security Policies, configured
objects and logs, and was trained on the content of Administration Guides and knowledge
base SK articles. As a result, the AI Copilot can provide precise answers about your Check
Point environment.
AI Copilot is available in R82, starting from R82 SmartConsole Releases Take 1027, and for
Web SmartConsole, starting from Take 125. For more information on how to enable the AI
Copilot and its functionalities, see sk182844.

Access, Custom and HTTPS Inspection Tools

The Access Tools section in the Security Policies Access Control view and the Custom Policy Tools section in the Security Policies Threat Prevention view give you more management and data collection tools.

"Access Tools" in the Security Policies "Access Control" view

Tool Description
VPN Communities - Create, edit, or delete VPN Communities.
VPN Network Probes - Monitor the status and availability of Site to Site VPN tunnels.
Updates - Update the Application & URL Filtering database, schedule updates, and configure updates.
UserCheck - Configure UserCheck Interaction objects for Access Control policy actions.
Client Certificates - Create and distribute client certificates that allow users to authenticate to the Security Gateway from handheld devices.
IoT Protect - Configure network security for IoT devices.
Application Wiki - Browse to the Check Point AppWiki. Search and filter the Web 2.0 Applications Database, to use Check Point security research in your policy rules for actions on applications, apps, and widgets.
Installation History - See the Policy installation history for each Security Gateway, and who made the changes. See the revisions that were made during each installation, and who made them. Install a specific version of the Policy.

"Custom Policy Tools" in the Security Policies "Threat Prevention" view

Tool Description
Profiles - Create, edit, or delete profiles.
IPS Protections - Edit IPS protections per profile.
Protections - See statistics on different protections.
Allow List Files - Configure the Whitelist Files list.
Indicators - Configure indicators of malicious activity and how to handle it.
Updates - Configure updates to the Malware database, Threat Emulation engine and images, and the IPS database.
UserCheck - Configure UserCheck Interaction objects for Threat Prevention policy actions.
Threat Wiki - Browse to the Check Point ThreatWiki. Search and filter Check Point's Malware Database, to use Check Point security research to block malware before it enters your environment, and to best respond if it does get in.
Installation History - See the Policy installation history for each Security Gateway, and who made the changes. See the revisions that were made during each installation, and who made them. Install a specific version of the Policy.

HTTPS Inspection Tools in the Security Policies HTTPS Inspection view

Tool Description
Deployment - See the statuses and recommendations for Security Gateways with HTTPS Inspection enabled in Learning Mode. See the inspection status of each Security Gateway. Manage inbound and outbound certificates for the Security Gateways.
Advanced Settings - Configure HTTPS Inspection global settings for all Security Gateways.
Trusted Certificates - Manage trusted CAs and custom trusted certificates.

Shared Policies
The Shared Policies section in the Security Policies view shows the policies that are not in a Policy package. They are shared between all Policy packages.
Shared policies are installed with the Access Control Policy.

Software Blade Description
Mobile Access - Launch Mobile Access policy in a SmartConsole. Configure how your remote users access internal resources, such as their email accounts, when they are mobile.
DLP - Launch Data Loss Prevention policy in a SmartConsole. Configure advanced tools to automatically identify data that must not go outside the network, to block the leak, and to educate users.
Inspection Settings - You can configure Inspection Settings for the Security Gateway (see "Preferences and Management Settings" on page 611):
- Deep packet inspection settings
- Protocol parsing inspection settings
- VoIP packet inspection settings

API Command Line Interface

You can also configure objects and rules through the API command line interface, which you
can access from SmartConsole.

Click to open the command line interface.


In the command line interface, this button opens the Check Point Management API
Reference.
The Check Point Management API Reference is a comprehensive guide that provides
detailed information on how to use the Check Point Management APIs.

In addition to the command line interface, you can create and run API scripts to manage
configuration and operations on the Security Management Server (see "Managing Security
through API" on page 57).

Keyboard Shortcuts for SmartConsole

These are additional keyboard shortcuts that you can use to navigate between the different
SmartConsole fields:

Keyboard shortcut Description

Ctrl+S Publish the SmartConsole session.

Ctrl+Alt+S Discard the SmartConsole session.

Shift+Alt+Enter Install policy.

F10 Show/hide task details.

F11 Show/hide Object Explorer.

Ctrl+O Manage policies and layers

Ctrl+E Open Object Explorer

Ctrl+F3 Switch to high-contrast theme

Alt+Space System menu

F1 Open the relevant online help

Alt+F4 Close SmartConsole

Shortcuts for the specific views that support them:

Keyboard shortcut Description

Ctrl+T Open new tab

Ctrl+W or Ctrl+F4 Close current tab

Ctrl+Tab Move to the next tab

Ctrl+Shift+Tab Move to the previous tab

Delete Delete the currently selected item

Ctrl+A Select all elements

Esc Cancel operation to close window

Enter or mouse double-click Edit item

In the Security Policies view, these are the shortcuts for pages that contain policies:

Keyboard shortcut Description

Ctrl+G Go to rule (in the Access Control Rule Base)

Ctrl+X Cut rule

Ctrl+C Copy rule

Ctrl+V Paste rule below the selected rule

Delete Remove a used item from a rule cell

Ctrl+F Open Rule Base search

F3 Navigate to the next Rule Base search result

Ctrl+arrow up Go to the first rule in the Rule Base

Ctrl+arrow down Go to the last rule in the Rule Base

Space or + Open drop-down menu for the current cell in the Rule Base

Shift+arrow up/down Move between objects in the Rule Base

Shortcuts for the Logs & Events view:

Keyboard shortcut Description

Ctrl+G Switch to grid view (in the Logs and Audit Logs views)

Ctrl+L Switch to table view (in the Logs and Audit Logs views)

Ctrl+R Resolve objects

F5 Refresh query

F6 Enable auto-refresh

Ctrl+D Add to favorites

Ctrl+S Organize favorites

Planning Security Management

Sizing the Security Management Server
This section provides information to help you size a Security Management Server and validate
the sizing of an existing environment.
The data required for accurate sizing of the Security Management Server:
- Number of Security Gateways managed by the Security Management Server.
- Sustained logs per second.
- Large-scale deployments:
   - Number of Domains
   - Size of Rule Base
   - Number of concurrent administrators
   - Security Management limitations
You can find guidelines on how to collect the data and identify the appropriate size for your Management Server in sk181782.
For Multi-Domain / Large-scale deployments, refer to sk178325.
We recommend:
- Use dedicated Management Servers.
- Use dedicated Log Servers.
- Configure Management High Availability. You can use standby Management Servers as Log Servers for your gateways.
- Use dedicated SmartEvent Servers.
- You can define the SmartEvent Server as the Primary Log Server for your gateways (does not apply to Multi-Domain Security Management configurations).
After installing the Security Management Server and Security Gateway, you can continue with
cyber security configuration for your environment.

Note - If you prefer to manage your security infrastructure in the cloud rather than deploy
and maintain on-premises Management Servers, see the Smart-1 Cloud Administration
Guide — Check Point’s fully cloud-based security management solution.
It offers automatic scaling, zero maintenance, and continuous updates, enabling
centralized management of all Security Gateways and environments (on-premises, cloud,
mobile, IoT) from a single console.

Define your Organization's Topology

Network topology consists of network components, both physical and logical, such as physical
and virtual Security Gateways, hosts, hand-held devices, CA servers, third-party servers,
services, resources, networks, address ranges, and groups. Each of these components
corresponds to an object in your Check Point security management configuration. Configure
those objects in SmartConsole. See "Network Object Types" on page 286.

Define users and user groups that your security environment protects
You can add users and groups to the database manually, through LDAP and User Directory, or
with the help of Active Directory.

To add users and user groups, see "Managing User Accounts" on page 136.
To use LDAP and User Directory, see "Configuring Users on an External LDAP Server" on page 217.
To use Active Directory, see "Microsoft Active Directory" on page 217.

Define Access Rules for Protection of your Organization's Resources
Configure access rules and group them in policies that are enforced on the Security Gateways.
You can define access policies based on traffic, applications, Web sites, and data (see
"Managing Policies" on page 318). Set up preventative actions against known threats with
Check Point Anti-Virus and Anti-Malware. Educate users about the validity and security of the
operations they attempt with the help of UserCheck. Track network traffic and events through
logging and monitoring.

Enforce Access Policies


Configure the Security Gateways. Make sure to activate the appropriate Software Blades.
Then, install your policies on the Security Gateways.

Configuring the Security Management Server and Security Gateways
To start setting up your security environment, configure the Security Management Server and
the Security Gateways. The Security Gateways enforce the security policy that you define on
the Security Management Server.
To configure the Security Management Server in SmartConsole
1. In the Gateways & Servers view, find the Security Management Server object.
   In the Search box at the top of the view, you can search for it by object name or object IP address.
   When you select the Security Management Server object, the Summary tab in the lower pane shows the Software Blades that are enabled on it.
2. Double-click the object to open its properties.
   On the Management tab, enable the Software Blades, as necessary:
   - Network Policy Management - Manage a comprehensive security policy, unified for all security functionalities. This is automatically enabled.
   - Endpoint Policy Management - Manage Endpoint Security Clients on end-user computers and hand-held devices.
     Important - It is not supported to disable this Software Blade after you enable it.
   - Logging & Status - Monitor security events and status of Security Gateways, VPNs, users, and more, with advanced visuals and data management features.
   - Identity Logging - Add user identities, and data of their computers and devices, from Active Directory domains, to log entries.
   - User Directory - Populate your security scope with user accounts from the LDAP servers in your environment.
   - Provisioning - Manage Security Gateway configuration and policies for multiple appliances and open servers in one central SmartConsole.
   - Compliance - Optimize your security settings and comply with regulatory requirements.
   - SmartEvent Server - Manage security events in real-time.
   - SmartEvent Correlation Unit - Correlate security events in real-time.

To configure the Security Gateways in SmartConsole
1. From the navigation toolbar, select Gateways & Servers.
2. Click New, and select Gateway.
3. In the Check Point Security Gateway Creation window that opens, select a configuration mode:
   - Wizard Mode - Run the configuration wizard.
   - Classic Mode - Configure the Security Gateway settings in the classic mode (see "Managing Gateways" on page 221).

Managing Security through API

This section describes the API Server on a Management Server and the applicable API Tools.

API
You can configure and control the Management Server through API Requests you send to the
API Server that runs on the Management Server.
The API Server runs scripts that automate daily tasks and integrate the Check Point solutions
with 3rd-party systems, such as virtualization servers, ticketing systems, and change
management systems.

To learn more about the management APIs, to see code samples, and to take advantage of
user forums, see:
- The API Documentation:
   - Online - Check Point Management API Reference (at the top, select the correct version)
   - Local - [Link] IP Address>/api_docs
     By default, access to the local API Documentation is disabled. Follow the instructions in sk174606.
     Note - On a Standalone server (a server which runs both a Security Management Server and a Security Gateway), the API Documentation web portal ([Link] IP Address>/api_docs) stops working when you open SmartView Web Application ([Link] IP Address>/smartview).
- The Developers Network section of Check Point CheckMates Community.

API Tools
You can use these tools to work with the API Server on the Management Server:
- Standalone management tool, included with Gaia operating system: mgmt_cli
- Standalone management tool, included with SmartConsole: mgmt_cli.exe
  You can copy this tool from the SmartConsole installation folder to other computers that run the Windows operating system.
- Web Services APIs that allow communication and data exchange between the clients and the Management Server over the HTTP protocol.
  These APIs also let other Check Point processes communicate with the Management Server over the HTTPS protocol.
  https://<IP Address of Management Server>/web_api/<command>

Configuring the API Server

To configure the API Server:
1. Connect with SmartConsole to the Security Management Server or applicable Domain Management Server.
2. From the left navigation panel, click Manage & Settings.
3. In the upper left section, click Blades.
4. In the Management API section, click Advanced Settings.
   The Management API Settings window opens.
5. Configure the Startup Settings and the Access Settings.

Configuring Startup Settings

Select Automatic start to automatically start the API server when you start or reboot the Management Server.

Notes:
- If the Management Server has more than 4GB of RAM installed, the Automatic start option is activated by default during the Management Server installation.
- If the Management Server has less than 4GB of RAM, the Automatic start option is deactivated.

Configuring Access Settings

Select one of these options to configure which clients can connect to the API Server:
- Management server only
  Only the Management Server itself can connect to the API Server.
  This option only lets you use the mgmt_cli utility on the Management Server command line to send API requests.
  You cannot use SmartConsole or Web services to send API requests.
- All IP addresses that can be used for GUI clients
  You can send API requests from all IP addresses that are defined in SmartConsole > Permissions & Administrators > Trusted Clients.
  This includes requests from SmartConsole, Web services, and the mgmt_cli utility on the Management Server.
- All IP addresses
  You can send API requests from all IP addresses.
  This includes requests from SmartConsole, Web services, and the mgmt_cli utility on the Management Server.

6. Click OK.
7. In the upper left section, click Permissions & Administrators.
8. In the object of each applicable Administrator, make sure the assigned Permission Profile allows access to Management API.
   Instructions:
   a. Edit the Administrator object.
   b. In the left panel, click General.

   c. In the Permissions section, on the right side of the selected Permission Profile, click the eye icon.
      The Permission Profile object opens in the read-only view.
   d. In the left panel, click Management.
   e. Make sure the permission Management API Login is selected.
      If it is not selected, close this window and edit this Permission Profile object.
      For more information, see "Assigning Permission Profiles to Administrators" on page 116.
   f. Click Close.

9. Publish the SmartConsole session.
10. Restart the API Server on the Management Server with this command:

    api restart

    Notes:
    - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

      mdsenv <IP Address or Name of Domain Management Server>

    - The output of this command must show:

      API started successfully

11. Examine the status of the API server on the Management Server with this command:

    api status

    Notes:
    - The output of this command must show:

      --------------------------------------------
      Overall API Status: Started
      --------------------------------------------

      API readiness test SUCCESSFUL. The server is up and ready to receive connections

    - The output of this command may show the state of the "API" process as "Stopped" when the API access is set to "All IP addresses that can be used for GUI clients", and more than 200 Trusted Clients are configured:

      Processes:

      Name State PID More Information
      -------------------------------------------------
      API Stopped ...

Self-Managed Security Gateways


Introduction
R82 introduced a new Dynamic Layer in the Access Control policy to assist customers with
highly automated network environments.
This Policy Layer serves as a container for rules created directly on the Security Gateway
using the Gaia API call "set-dynamic-content", catering to environments where
provisioning, configuration, and other IT processes are regularly managed through the
distribution of JSON files.

Workflow:
1. On the Management Server, in the Access Control, you create a new Policy Layer and
configure it as a Dynamic Layer.
2. On the Security Gateway, you configure the required Access Control rules in this
Dynamic Layer with the Gaia API call "set-dynamic-content" (in the JSON format).
The Dynamic Layer works only as a container for rules that you configure on the Security
Gateway. After you run the Gaia API command on the Security Gateway, it ignores all rules in
this Dynamic Layer that were configured in SmartConsole. If permanent rules are needed (for
example, to allow access from a remote API client), you must configure them in the main policy
on the Management Server and not in Dynamic Layers.
For additional information, refer to sk182252.

Requirements
1. Management Server R82 and higher:
   - Security Management Server
   - Multi-Domain Security Management Server
2. Security Gateway R82 and higher:
   - Single Security Gateway
   - ElasticXL Cluster
   - ClusterXL
   - Security Group in Maestro or Scalable Chassis
3. On the Security Gateway, the user that runs the Gaia API must have this configuration in Gaia OS:
   a. Role: adminRole.
   b. Access Mechanism: Gaia API.
   c. Shell: /etc/[Link] or /bin/bash
   See the Gaia Administration Guide for your version > User Management chapter > Users and Roles sections.

Limitations
- This feature was designed for the JSON format.
  Use a 3rd-party REST API client that allows you to paste the required API body in the JSON format.
  Do not use the Check Point CLI API client "mgmt_cli".
- It is not supported to edit or delete individual dynamic rules on the Security Gateway after you add them.
  - To change an individual dynamic rule, you must run the Gaia API call "set-dynamic-content" with the updated API body that contains the complete Access Control rules and the updated parameters and values for that individual rule.
  - To delete an individual dynamic rule, you must run the Gaia API call "set-dynamic-content" with the updated API body that contains the complete Access Control rules without that individual rule.

  Notes:
  - To see the current rules and to copy the current complete JSON, run the Gaia API call "show-dynamic-layer" on the Security Gateway.
  - If necessary, you can delete all rules in the Dynamic Layer on the Security Gateway. See "Resetting a Dynamic Layer" on page 70.

- VSNext Virtual Gateway is not supported.
- Traditional VSX Virtual System (on a VSX Gateway or VSX Cluster) is not supported.
- Traditional VSX Virtual Router (on a VSX Gateway or VSX Cluster) is not supported.

Notes
- Each Policy Package supports more than one Dynamic Layer as an Inline Layer or as an Ordered Layer. For example, different administrators can use different Policy Layers.
- The Security Gateway applies the Access Control rules in the order of the Policy Layers in the Policy Package.
- Rules that you configure in SmartConsole in the Dynamic Layer apply only until you run the Gaia API call "set-dynamic-content" for the first time on the Security Gateway.
- If you delete the Dynamic Layer from the Policy Package (or clear the checkbox Set as a Dynamic Layer in the Dynamic Layer) and install the Access Control policy, then the Security Gateway removes all dynamic rules and applies only the static rules configured in SmartConsole.
- SmartConsole does not show rules in the Dynamic Layer that you configure on the Security Gateway.
- To see the list of the supported objects in the Dynamic Layer, refer to the API call "set-dynamic-content" > section "Request Body" > parameter "objects".

Configuration
1. Connect with SmartConsole to the Security Management Server / Domain Management Server.
2. Add a new Policy Layer and configure it as a Dynamic Layer.
   Notes:
   - You can configure a new Policy Layer directly in a specific policy, or as a shared Policy Layer for several policies.
   - You can configure an Inline Layer (within a specific rule), or an Ordered Layer (a separate set of rules in a dedicated Policy Layer).
     See "Ordered Layers and Inline Layers" on page 367.
   - You can add a new Policy Layer and configure it as a Dynamic Layer either in SmartConsole (described below) or with the Management API call "add-access-layer dynamic-layer true" (see Check Point Management API Reference (at the top, select the correct version) v1.8 and higher).

   Procedure in SmartConsole:

   To configure an Ordered Layer in a specific Access Control policy

   a. In the top left corner, click Menu > Manage policies and layers.
   b. In the left panel, click Policies.

   c. Right-click the applicable Policy Package and click Edit.
   d. In the Access Control section, click the + icon.
   e. In the top right corner, click New Layer.
   f. Enter the name for this Policy Layer.
   g. On the General page, in the Blades section, select the supported blades:
      i. Mandatory: Firewall
      ii. Optional: Application & URL Filtering
   h. On the Advanced page:
      i. In the Implicit Cleanup Action section, set the implicit cleanup action according to your security needs.
      ii. In the Dynamic Layer section, select Set as a Dynamic Layer.
   i. On the Permissions page, select the permission profiles that can edit the Dynamic Layer. This is essential when multiple Dynamic Layers are used, each configured by different users. Only the profiles shown here can edit the Layer.
      To add additional profiles that can edit the Layer, go to the bottom of the Permissions page.
      To create a new permission profile, in SmartConsole, go to the Manage & Settings view > Permissions & Administrators > Permission Profiles. In the profile editor, go to Access Control > Policy, and make sure Edit layers by the selected profile in a layer editor is selected.
   j. Click OK to close the Layer Editor window.
   k. In the policy, to the right of the Access Control section, you now see the Layer called Network (default name) and the new Dynamic Layer.
      Important - You can change the order of these Policy Layers.
   l. Click OK to close the Policy window.

   To configure an Inline Layer in a specific Access Control policy in a specific rule

   a. From the left navigation panel, click Security Policies.
   b. If you need to open a different Security Policy:
      i. At the top, click the [+] tab.
      ii. Click the required policy.
   c. In the Access Control section, click Policy.

   d. Locate the applicable rule.
   e. In the rule, click in the Action cell > click Inline Layer > click New Layer.
   f. Enter the name for this Policy Layer.
   g. On the General page, in the Blades section, select the supported blades:
      - Mandatory: Firewall
      - Optional: Application & URL Filtering
      - Optional: In the Sharing section, select Multiple policies and rules can use this layer.
   h. On the Advanced page:
      i. In the Implicit Cleanup Action section, set the implicit cleanup action according to your security needs.
      ii. In the Dynamic Layer section, select Set as a Dynamic Layer.
   i. On the Permissions page, select the permission profiles that can edit the Dynamic Layer. This is essential when multiple Dynamic Layers are used, each configured by different users. Only the profiles shown here can edit the Layer.
      To add additional profiles that can edit the Layer, go to the bottom of the Permissions page.
      To create a new permission profile, in SmartConsole, go to the Manage & Settings view > Permissions & Administrators > Permission Profiles. In the profile editor, go to Access Control > Policy, and make sure Edit layers by the selected profile in a layer editor is selected.
   j. Click OK to close the Layer Editor window.
   k. In the rule, you now see the new Inline Layer.

To configure a shared Ordered Layer to use in several Access Control Policies

a. In the top left corner, click Menu > Manage policies and layers.
b. In the left panel, click Layers > Access Control.
c. From the top tool bar, click New.
d. Enter the name for this Policy Layer.

   e. On the General page, in the Blades section, select the supported blades:
      - Mandatory: Firewall
      - Optional: Application & URL Filtering
      - Optional: In the Sharing section, select Multiple policies and rules can use this layer.
   f. On the Advanced page:
      i. In the Implicit Cleanup Action section, select the option Drop.
         This Drop rule makes sure to drop all traffic that matches this Ordered Layer until you run the Gaia API call "set-dynamic-content" on the Security Gateway.
         You can change it later in SmartConsole.
      ii. In the Dynamic Layer section, select Set as a Dynamic Layer.
   g. On the Permissions page, select the permission profiles that can edit the Dynamic Layer. This is essential when multiple Dynamic Layers are used, each configured by different users. Only the profiles shown here can edit the Layer.
      To add additional profiles that can edit the Layer, go to the bottom of the Permissions page.
      To create a new permission profile, in SmartConsole, go to the Manage & Settings view > Permissions & Administrators > Permission Profiles. In the profile editor, go to Access Control > Policy, and make sure Edit layers by the selected profile in a layer editor is selected.
   h. Click OK to close the Layer Editor window.
   i. In the left panel, click Policies.
   j. Right-click the applicable Policy Package and click Edit.
   k. In the Access Control section, click the + icon.
   l. Click the new Dynamic Layer.
   m. In the policy, to the right of the Access Control section, you now see the Layer called Network (default name) and the new Dynamic Layer.
      Important - You can change the order of these Policy Layers.
   n. Click OK to close the Policy window.
   o. Click Close to close the Manage policies and layers window.

3. If you run Gaia API calls on the Security Gateway from a remote API client (and not locally on the Security Gateway), make sure your Access Control policy allows such a connection to the Security Gateway.

   Best Practice - To avoid losing connectivity for the API client, add the applicable rule only in a static Policy Layer (that is not configured as a Dynamic Layer).

4. Install this Access Control Policy on the Security Gateway / Cluster object.
5. Run the Gaia API call "set-dynamic-content" on the Security Gateway / each Cluster Member / Security Group to configure the required dynamic Access Control rules.

   Warning - Pay close attention to the rules you configure on the Security Gateway.
   There is no verification of possible conflicts between the rules configured on the Security Gateway and the rules configured in SmartConsole.

   Notes:
   - Refer to the online Check Point Gaia API Reference (at the top, select the correct version) (v1.8 and higher) > section System > sub-section Dynamic Content.
     To see the local Gaia API Reference, go to this URL on a Management Server or Security Gateway (R82 or higher):
     [Link] Address of Gaia Management Interface>/gaia_docs/#web/set-dynamic-content
     At the top of the Gaia API Reference, click the Web Services tab.
   - Because you run Gaia API calls from a remote API client, make sure your Access Control policy allows such a connection to the Security Gateway.
     Best Practice - To avoid losing connectivity for the API client, add the applicable rule only in a static Policy Layer (that is not configured as a Dynamic Layer).
   Workflow for a remote REST API client (based on the Postman application)

   a. Install the Postman application.
   b. Get the Gaia REST API collection from sk143612.
   c. Import the Gaia REST API collection into the Postman application (first, you must create a Postman account). Refer to the Postman documentation about the import methods.

   d. Configure the required API variables:
      i. In the left panel, in the Gaia REST API collection, click the top folder Gaia API.
      ii. Add these variables:

         Variable Name | Variable Value | Comment
         --------------+----------------+--------
         username | Username of the applicable user in the Gaia OS on the Security Gateway. | The default user is admin. You can create other users (see the Requirements section).
         password | Password of the applicable user in the Gaia OS on the Security Gateway. | You configure this password.
         ip | IP Address of the Gaia Management Interface on the Security Gateway / each Cluster Member / Security Group. | This is the IP address on the Security Gateway / each Cluster Member / Security Group, to which the API client connects.
         sid | Initially, empty. | Use this variable to contain the required SID after running the Gaia API call "login".

   e. Get the Login Session ID (SID):
      i. In the left pane, open the folder Session Management.
      ii. Click the API call "login".
      iii. In the top right corner, click Send.
      iv. In the bottom panel, copy the value of the parameter "sid".
   f. Configure the SID variable:
      i. In the left panel, click the top folder Gaia API.
      ii. In the sid variable, enter the copied value in the column Current Value.
      iii. In the top right corner, click Save.

   g. Run the API call "set-dynamic-content" on the Security Gateway / each Cluster Member / Scalable Platform Security Group:
      i. In the left panel, click the API "set-dynamic-content".
      ii. At the top, click the Body tab.
      iii. Configure the required parameters and values in the JSON format.
      iv. In the top right corner, click Send.
      v. In the bottom panel, copy the entire response with a Task ID.
      vi. In the left panel, open the Misc folder, and click the API call "show task".
      vii. At the top, click the Body tab and click the raw option.
      viii. Paste the entire response with the Task ID.
      ix. In the top right corner, click Send.
      x. In the bottom panel, see the API response for the API call "set-dynamic-content".

6. Optional: Examine the configured dynamic Access Control rules.
   - To see the configured dynamic Access Control rules in a specific Dynamic Layer, run the Gaia API call "show-dynamic-layer" on the Security Gateway / each Cluster Member / Security Group.
   - To see the configured dynamic Access Control rules in all configured Dynamic Layers, run the Gaia API call "show-dynamic-layers" on the Security Gateway / each Cluster Member / Security Group.

Resetting a Dynamic Layer

To remove all dynamic rules, you must reset the Dynamic Layer that contains these rules on the Security Gateway.

Procedure

Run the Gaia API call "set-dynamic-content" on the Security Gateway and use "operation": "reset".

Syntax part for a remote REST API client

"access-layers-content": [
{
"name": "<Name_of_Dynamic_Layer>",
"operation": "reset",
"rulebase": []
}
]

Creating an Administrator Account with API Key Authentication

An API key is a token that a client provides when making API calls.
API key authentication provides an administrator the ability to use a token for authenticating to
the API interface instead of the usual administrator name / password.
You can use SmartConsole to configure an API key for administrators to use the management
API.

Note - This administrator can only use the API for executing API commands and cannot use it for SmartConsole authentication.

Prerequisite:
Make sure you configured the required Permission Profile. See "Assigning Permission Profiles to Administrators" on page 116.

To configure API authentication for an Administrator using SmartConsole

1. From the left navigation panel, click Manage & Settings.
2. Expand Permissions & Administrators > click Administrators.
3. From the top toolbar, click the icon (New) > click New Administrator.
   The New Administrator window opens and shows the General page.
4. In the top field, enter the applicable object name.
5. Optional: Enter the comment.
6. In the Authentication Method field, select API Key.
7. Click Generate API key:
   a. Click Copy Key to Clipboard
   b. Save the key for later use (provide it to the relevant administrator).
   c. Click OK.
8. In the Permission Profile field, select the applicable profile.
9. In the Expiration section, configure the required valid expiration date.
10. Optional: On the Additional Info page, configure:
    - Phone Number
    - Contact Details
    - Email
11. Click OK.
12. Publish the SmartConsole session.

Example

This example demonstrates how to use the API Key for the API command "login" and the API command "add simple-gateway".
1. Connect to the command line on the Security Management Server.
2. Log in to the Expert mode.
3. Run the API command "login", use the previously generated API key, and save the output to a file:

   Syntax:

   mgmt_cli login api-key <api-key> > /<path_to>/<filename>

   Example:

   mgmt_cli login api-key mvYSiHVmlJM+J0tu2FqGag12 > /var/tmp/[Link]

4. Run the API command "add simple-gateway".
   Run the mgmt_cli command with the "-s" flag and specify the token file.

   Syntax:

   mgmt_cli -s /<path_to>/<filename> add simple-gateway name <gateway name> ip-address <ip address> one-time-password <password> blade <true>

   Example:

   mgmt_cli -s /var/tmp/[Link] add simple-gateway name "gw1" ip-address [Link] one-time-password "aaaa" firewall true vpn true

   For more details, see the Check Point Management API Reference (at the top, select the correct version).
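The same API-key login and "add simple-gateway" flow, sent through the Web Services interface ([Link] Address of Management Server>/web_api/<command>, see "API Tools" above) instead of mgmt_cli, as an added Python example that is not part of this guide. It assumes that the web-service "login" command accepts an "api-key" parameter and returns the session id as "sid", that later calls carry that sid in the X-chkp-sid header, and that the web-service command name is "add-simple-gateway"; the server name, key, gateway values and the injectable transport are constructed placeholders so the logic can be exercised without a Management Server.

```python
"""Management API web-service client that authenticates with an API key.

Added example; this is not Check Point's code. Assumptions: the web-service
form https://<server>/web_api/<command> with JSON bodies, a "login" command
that accepts "api-key" and returns "sid", and the sid carried in the
X-chkp-sid header on later calls. The HTTP transport is injectable so the
logic can be exercised offline.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport takes (url, headers, body) and returns (HTTP status, body bytes).
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]


def https_transport(verify_tls: bool = True) -> Transport:
    """Real HTTPS transport. Use verify_tls=False only against a lab server
    that still presents its default self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def post(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    return post


class MgmtApiError(RuntimeError):
    """Raised when the Management Server answers with a non-200 status."""


class MgmtApiClient:
    def __init__(self, server: str, transport: Optional[Transport] = None):
        self.base_url = f"https://{server}/web_api/"
        self._post = transport or https_transport()
        self.sid: Optional[str] = None  # kept in memory, never written to disk

    def call(self, command: str, payload: Optional[dict] = None) -> dict:
        """Send one API command; the sid goes in X-chkp-sid once logged in."""
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        body = json.dumps(payload or {}).encode()
        status, raw = self._post(self.base_url + command, headers, body)
        data = json.loads(raw.decode() or "{}")
        if status != 200:
            # The error text carries the server message only, never the key or sid.
            raise MgmtApiError(f"{command} failed with HTTP {status}: "
                               f"{data.get('message', 'no message')}")
        return data

    def login_with_api_key(self, api_key: str) -> str:
        """Counterpart of 'mgmt_cli login api-key <key>' (assumed parameter name)."""
        self.sid = self.call("login", {"api-key": api_key})["sid"]
        return self.sid

    def logout(self) -> dict:
        """End the session so the sid cannot be reused."""
        try:
            return self.call("logout")
        finally:
            self.sid = None


def provision_gateway(client: MgmtApiClient, name: str, ip_address: str,
                      one_time_password: str) -> dict:
    """Web-service counterpart of the mgmt_cli 'add simple-gateway' example
    above, followed by 'publish' so the change is committed to the database."""
    gateway = client.call("add-simple-gateway", {
        "name": name,
        "ip-address": ip_address,
        "one-time-password": one_time_password,  # SIC one-time password
        "firewall": True,
        "vpn": True,
    })
    client.call("publish")
    return gateway


if __name__ == "__main__":
    # Placeholder values; supply the real API key from a secret store, not from source.
    api = MgmtApiClient("mgmt.example.test", transport=https_transport(verify_tls=False))
    api.login_with_api_key("<api-key-from-secret-store>")
    try:
        print(provision_gateway(api, "gw1", "192.0.2.10", "<one-time-password>"))
    finally:
        api.logout()
```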

After you configure API authentication, you can, in addition, configure authentication with a
certificate file. The administrator can then authenticate to the Security Management Server
with either an API Key or a certificate file.
You create the certificate file in SmartConsole. The administrator can use the certificate to log
in to SmartConsole in two ways:
n Log in to SmartConsole with the Certificate File option. The administrator must provide
the password to use the certificate file.
n You can import the certificate file to the Windows Certificate Store on the Microsoft
Windows SmartConsole computer. The administrator can use this stored certificate to
log in to SmartConsole with the CAPI Certificate option. The administrator does not need
to provide a password to log in.
The administrator can also give the certificate to other administrators to log in to SmartConsole
with no administrator account of their own.

Managing Administrator Accounts


A Check Point administrator is an IT professional who manages and maintains a Check Point
security environment with SmartConsole, CLI, or the API. Check Point administrators
configure and manage Check Point's security products to protect their organizations' networks
from cyber attacks, malware, and other security threats. A Check Point administrator typically
installs, configures, and maintains the Check Point software, manages network traffic and
security policies, monitors system performance, and troubleshoots security issues.
Administrators also ensure that the Check Point security environment is up to date with the
latest Hotfixes and updates to maintain optimal security.
You can store administrator accounts in the Check Point management database or on an
external LDAP server. The Security Management Server authenticates administrators. Check
Point supports different authentication methods for administrators.
As an administrator, you can delegate tasks, such as defining objects and users, to other
administrators. Make sure to create administrator accounts with the privileges that are
required to accomplish those tasks. If you are the only administrator, we recommend that you
create a second administrator account with Read Only permissions, which is useful for
troubleshooting, consultation, or auditing.

Creating an Administrator Account


To successfully manage security for a large network, we recommend that you first set up your
administrative team, and delegate tasks.

We recommend that you create administrator accounts in SmartConsole, with the procedure
below or with the First Time Configuration Wizard.
When you create an administrator account through SmartConsole, you can select one of these
authentication methods:

Authentication Method - Description

Check Point Password
   Check Point password is a static password that is configured in SmartConsole. The local database on the Security Management Server stores the password. No additional software is required.
   See "Creating an Administrator Account with Check Point Password Authentication" on page 82.

OS Password
   OS password is kept on the operating system of the computer on which the Security Management Server is installed. You can also use passwords that are stored in a Windows domain. No additional software is required.
   See "Creating an Administrator Account with OS Password Authentication" on page 85.

RADIUS
   Remote Authentication Dial-In User Service (RADIUS) is an external authentication method that provides security and scalability by separating the authentication function from the access server. With RADIUS, the Security Management Server forwards the authentication requests to the RADIUS server. The RADIUS server, which stores administrator account information, does the authentication. The RADIUS protocol uses UDP to communicate with the Security Gateway or the Security Management Server.
   See "Creating an Administrator Account with RADIUS Server Authentication" on page 88.

TACACS
   Terminal Access Controller Access Control System (TACACS) provides access control for routers, network access servers and other networked devices through one or more centralized servers. TACACS is an external authentication method that provides verification services. With TACACS, the Security Management Server forwards authentication requests by remote administrators to the TACACS server. The TACACS server, which stores administrator account information, authenticates administrators. The system supports physical card key devices or token cards and Kerberos secret key authentication. TACACS encrypts the administrator name, password, authentication services and accounting information of all authentication requests to secure communication.
   See "Creating an Administrator Account with TACACS Server Authentication" on page 93.

SecurID
   SecurID requires administrators to possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA Authentication Manager (AM) and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices. Software tokens reside on the PC or device from which the administrator wants to authenticate. All tokens generate a random, one-time use access code that changes approximately every minute. When an administrator attempts to authenticate to a protected resource, the AM must validate the one-time use code.
   The Security Management Server forwards SecurID authentication requests by remote administrators to the AM. The AM manages the database of the RSA users and their assigned hard or soft tokens. The Security Management Server acts as an AM Agent and directs all access requests to the RSA AM for authentication. For additional information on agent configuration, refer to the RSA Authentication Manager documentation.
   There are no specific parameters required for the SecurID authentication method. Authentication requests can be sent over SDK-supported API or through REST API.
   See "Creating an Administrator Account with SecurID Authentication" on page 98.

API Key
   You can use SmartConsole to configure an API key for administrators to use the management API. You can only use the API to execute API commands and not for SmartConsole authentication. For more information, see "Creating an Administrator Account with API Key Authentication" on page 113.

SAML
   An administrator can log in to SmartConsole through a central 3rd party Identity Provider with the SAML protocol. The Identity Provider holds the information about the administrators, including the ability to authenticate the administrators. Check Point supports these Identity Providers: Okta, Ping Identity, Azure. For more information, see "Creating an Administrator Account with SAML Authentication Login" on page 102.

Alternatively, or in addition to one of the above authentication methods, you can configure
certificate file authentication. The administrator can then authenticate to SmartConsole with
one of the Check Point authentication methods or with a certificate file.
You create the certificate file in SmartConsole. The administrator can use the certificate to log
in to SmartConsole in two ways:
n Log in to SmartConsole with the Certificate File option. The administrator must provide
the password to use the certificate file.
n You can import the certificate file to the Windows Certificate Store on the Microsoft
Windows SmartConsole computer. The administrator can use this stored certificate to
log in to SmartConsole with the CAPI Certificate option. The administrator does not need
to provide a password to log in.
The administrator can also give the certificate to other administrators to log in to SmartConsole
with no administrator account of their own.

To create an Administrator Account with the "Check Point Configuration Tool" (cpconfig)

We do not recommend that you create an administrator with cpconfig, the Check Point Configuration Tool.
Use it only if there is no access to SmartConsole or the Gaia Portal.
If you use cpconfig to create an administrator:
- You must restart Check Point Services to activate the administrator with these commands:

  cpstop ; cpstart

- It does not show the other administrators.
- Check Point Password is automatically configured as the authentication method.

Editing an Administrator Account


1. From the left navigation panel, click Manage & Settings.
2. Click Permissions & Administrators.
3. Double-click an administrator account.
The Administrators properties window opens.

Deleting an Administrator Account

To make sure your environment is secure, the best practice is to delete administrator accounts
when personnel leave or transfer.

To delete an administrator account

1. From the left navigation panel, click Manage & Settings.
2. Click Permissions & Administrators.
3. Select an administrator account and click Delete.
4. Click Yes in the confirmation window that opens.

Default Expiration for Administrators

If you want to use the same expiration settings for multiple accounts, you can set the default
expiration for administrator accounts. You can also choose to show notifications about the
approaching expiration date when an administrator logs in to SmartConsole or one of the
SmartConsole clients. The number of days that remain before the account expires shows in
the status bar.

To configure the default expiration settings

1. From the left navigation panel, click Manage & Settings.
2. Click Permissions & Administrators.
3. Click Advanced.
4. In the Default Expiration Date section, select a setting:
• Never expires
• Expire at - Select the expiration date from the calendar control
• Expire after - Enter the number of days, months, or years (from the day the
account is created) before administrator accounts expire
5. In the Expiration notifications section, select Show 'about to expire' indication in
administrators view and select the number of days in advance to show the message
about the approaching expiration date.
6. Publish the SmartConsole session.

Note - If you configure an expiration date for an administrator, the administrator is not
logged out automatically. Only a new login is blocked. To improve security, configure the
idle timeout. Go to SmartConsole > Manage & Settings > Permissions & Administrators >
Advanced > Idle Timeout.


Configuring SmartConsole Session Timeout

Use SmartConsole in a secure manner, and enforce secure usage for all administrators.
Configuring a SmartConsole timeout is a basic requirement for secure usage. When an
administrator does not use SmartConsole for the configured time, SmartConsole logs the
administrator out.

To set the SmartConsole session timeout

1. From the left navigation panel, click Manage & Settings.
2. Click Permissions & Administrators > Advanced.
3. In the Idle Timeout area, select Perform logout after being idle.
4. Enter a number of minutes.
When SmartConsole is idle for this number of minutes, SmartConsole automatically logs
out the connected administrator, but all changes are preserved.

Revoking an Administrator Certificate

If an administrator who authenticates with a certificate temporarily cannot fulfill
administrator duties, you can revoke the certificate for the account. The administrator account
remains, but no one can authenticate to the Security Management Server with the certificate.
However, if the account has an additional authentication method (a password, for example),
the administrator can use this method to authenticate to the account.

To revoke an administrator certificate

1. From the left navigation panel, click Manage & Settings.
2. Click Permissions & Administrators.
3. Select an administrator account and click Edit.
4. In General > Authentication, click Revoke.


Restricting Administrator Login Attempts

You can configure these login restrictions for administrators who log in to the Security
Management Server with a Check Point password:
• The number of login attempts before SmartConsole automatically locks an administrator
account.
• The number of minutes before SmartConsole unlocks the administrator's account after it
was locked.

To configure login restrictions

1. Go to the Manage & Settings view or to the Multi-Domain view.
2. Go to Permissions & Administrators > Advanced > Login Restrictions.

Note - These restrictions apply only to administrators who authenticate to the Security
Management Server with a Check Point password.

Unlocking Administrator Accounts

An administrator with the Manage Administrators permission can unlock another
administrator if the locked administrator authenticates to the Security Management Server with
a Check Point password.

To unlock an administrator:
1. Go to the Manage & Settings view or to the Multi-Domain view.
2. Right-click the locked administrator and select Unlock Administrator.

Or:
Use the API command "unlock-administrator".

Note - The Unlock Administrator feature does not apply to administrators who use
other authentication methods.
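The expiration, idle timeout, login restriction and unlock rules in the sections above interact, and it helps to see them in one place. The following Python model is an added example written for this edition of the guide; it is not Check Point code and does not call the Management API. It encodes only what the sections state: an expiration date refuses new logins but does not end a live session, the idle timeout ends a session after the configured minutes while changes are preserved, a Check Point password account locks after the configured number of attempts and unlocks automatically after the configured minutes, and a manual unlock (the Unlock Administrator action or the unlock-administrator API command) requires the Manage Administrators permission and applies only to Check Point password accounts. The threshold values, account names and timestamps are constructed for the demonstration.

```python
"""
Added example for this guide edition, not Check Point code: a model of the
administrator account rules in the sections above (expiration, idle timeout,
login restrictions, unlock). Thresholds, names and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CHECK_POINT_PASSWORD = "check point password"   # only this method can be locked/unlocked

T0 = datetime(2025, 1, 1, 9, 0)                  # constructed reference time


def at(minutes: int) -> datetime:
    """T0 plus the given number of minutes (keeps the scenarios readable)."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Policy:
    max_attempts: int = 5      # Login Restrictions: attempts before the account is locked
    unlock_minutes: int = 15   # Login Restrictions: minutes before an automatic unlock
    idle_minutes: int = 30     # Idle Timeout: minutes of inactivity before logout


@dataclass
class Admin:
    name: str
    auth_method: str
    expires: Optional[datetime] = None
    failed_attempts: int = 0
    locked_at: Optional[datetime] = None
    last_active: Optional[datetime] = None        # None means no live session


def is_locked(admin: Admin, policy: Policy, now: datetime) -> bool:
    """A lock applies only to Check Point password accounts and clears itself
    after unlock_minutes."""
    if admin.auth_method != CHECK_POINT_PASSWORD or admin.locked_at is None:
        return False
    if now - admin.locked_at >= timedelta(minutes=policy.unlock_minutes):
        admin.locked_at, admin.failed_attempts = None, 0    # automatic unlock
        return False
    return True


def login(admin: Admin, policy: Policy, credentials_ok: bool, now: datetime) -> str:
    """Returns 'ok', 'expired', 'locked' or 'bad-credentials'."""
    if admin.expires is not None and now >= admin.expires:
        return "expired"          # only NEW logins are blocked by the expiration date
    if is_locked(admin, policy, now):
        return "locked"
    if not credentials_ok:
        if admin.auth_method == CHECK_POINT_PASSWORD:
            admin.failed_attempts += 1
            if admin.failed_attempts >= policy.max_attempts:
                admin.locked_at = now
        return "bad-credentials"
    admin.failed_attempts = 0
    admin.last_active = now
    return "ok"


def activity(admin: Admin, now: datetime) -> None:
    """Any SmartConsole action by the logged-in administrator resets the idle clock."""
    if admin.last_active is not None:
        admin.last_active = now


def session_active(admin: Admin, policy: Policy, now: datetime) -> bool:
    """Idle timeout: the session ends after idle_minutes without activity
    (unsaved changes are preserved by SmartConsole). Reaching the expiration
    date does not end a live session."""
    if admin.last_active is None:
        return False
    if now - admin.last_active >= timedelta(minutes=policy.idle_minutes):
        admin.last_active = None
        return False
    return True


def manual_unlock(actor_manages_admins: bool, admin: Admin) -> bool:
    """Unlock Administrator / the unlock-administrator API command: needs the
    Manage Administrators permission and a Check Point password account."""
    if not actor_manages_admins or admin.auth_method != CHECK_POINT_PASSWORD:
        return False
    admin.locked_at, admin.failed_attempts = None, 0
    return True
```

Walk the model with an account that expires one hour after login: `session_active` still returns True after the expiration date as long as the idle clock has not run out, while `login` returns "expired"; a RADIUS account never locks and cannot be manually unlocked, matching the notes above.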

Multiple Administrators
If two administrators create an administrator account with the same name, after the first
administrator publishes a session, the second administrator will not be able to publish their
session. If the second administrator tries to change the name in the administrator account,
they will not be able to do so. To resolve this issue, the second administrator must discard the
session changes and reconnect.


Creating an Administrator Account with Check Point Password Authentication
Check Point password is a static password that is configured in SmartConsole. The local
database on the Security Management Server stores the password. No additional software is
required.
After you configure authentication with a Check Point password, you can, in addition, configure
certificate file authentication. The administrator can then authenticate to SmartConsole with
the Check Point password or the certificate file.
You create the certificate file in SmartConsole. The administrator can use the certificate to log
in to SmartConsole in two ways:
• Log in to SmartConsole with the Certificate File option. The administrator must provide
the password to use the certificate file.
• You can import the certificate file to the Windows Certificate Store on the Microsoft
Windows SmartConsole computer. The administrator can use this stored certificate to
log in to SmartConsole with the CAPI Certificate option. The administrator does not need
to provide a password to log in.
The administrator can also give the certificate to other administrators to log in to SmartConsole
with no administrator account of their own.

Prerequisite:

Make sure you configured the required Permission Profile. See "Assigning Permission Profiles
to Administrators" on page 116.

To create a new administrator with Check Point password authentication

1. Create a new administrator and define Check Point password as the authentication
method
a. From the left navigation panel, click Manage & Settings.
b. Expand Permissions & Administrators > click Administrators.
c. From the top toolbar, click the icon (New) > click New Administrator.
The New Administrator window opens and shows the General page.
d. In the top field, enter the applicable object name.
e. Optional: Enter the comment.
f. In Authentication Method field, select Check Point Password.


g. Click Set New Password:
i. In the Password field, enter the password.
ii. In the Confirm field, enter the same password.
iii. Optional: Select User must change password on next login.
iv. Click OK.
h. Optional: Create a certificate for this administrator:
i. In the Certificate Information field, click Create.
ii. In the Password field, enter the password.
A password is required to protect the sensitive data in the certificate file.
iii. In the Confirm field, enter the same password.
iv. Click OK.
v. Wait for the Save As window to open.
vi. In the File name field, make sure to include the username.
vii. In the Save as type field, select Certificate Files (*.p12).
The certificate file is in the PKCS #12 format, and has a .p12 extension.
viii. Browse to a secure location on the SmartConsole computer.
ix. Click Save.

Notes:
• After you save the certificate file, give the administrator this file and password.
The administrator can then authenticate with the certificate when they log in with
SmartConsole to the Security Management Server.
• You can revoke this certificate at any time. Select the certificate and click Revoke.

i. In the Permission Profile field, select the applicable profile.
j. In the Expiration section, configure the required valid expiration date.


k. Optional: On the Additional Info page, configure:
• Phone Number
• Contact Details
• Email
l. Click OK.
m. Publish the SmartConsole session.

2. Optional: Import the certificate file into the Windows Certificate Store
Note - This procedure applies if you created a certificate for the administrator
object, and you log in to SmartConsole with the CAPI Certificate option.

a. Right-click the *.p12 file you saved when you created the required administrator,
and click Install PFX.
The Certificate Import Wizard opens.
b. In the Store Location section, select the applicable option:
• Current User (this is the default)
• Local Machine
c. Click Next.
d. Enter the same certificate password you used when you created the required
administrator certificate.
e. Clear Enable strong private key protection.
f. Select Mark this key as exportable.
g. Click Next.
h. Select Place all certificates in the following store, click Browse > Personal >
OK.
i. Click Next.
j. Click Finish.


Creating an Administrator Account with OS Password Authentication
OS password is kept on the operating system of the computer on which the Security
Management Server is installed. You can also use passwords that are stored in a Windows
domain. No additional software is required.
After you configure authentication with an OS password, you can, in addition, configure
authentication with a certificate file. The administrator can then authenticate to SmartConsole
with either the OS password or the certificate file.
You create the certificate file in SmartConsole. The administrator can use the certificate to log
in to SmartConsole in two ways:
• Log in to SmartConsole with the Certificate File option. The administrator must provide
the password to use the certificate file.
• You can import the certificate file to the Windows Certificate Store on the Microsoft
Windows SmartConsole computer. The administrator can use this stored certificate to
log in to SmartConsole with the CAPI Certificate option. The administrator does not need
to provide a password to log in.
The administrator can also give the certificate to other administrators to log in to SmartConsole
with no administrator account of their own.

Prerequisite:

Make sure you configured the required Permission Profile. See "Assigning Permission Profiles
to Administrators" on page 116.

To configure OS password authentication for an administrator

1. Create a new administrator and define OS password as the authentication method
a. From the left navigation panel, click Manage & Settings.
b. Expand Permissions & Administrators > click Administrators.
c. From the top toolbar, click the icon (New) > click New Administrator.
The New Administrator window opens and shows the General page.
d. In the top field, enter the applicable object name.
e. Optional: Enter the comment.
f. In Authentication Method field, select OS Password.


g. Optional: Create a certificate for this administrator:
i. In the Certificate Information field, click Create.
ii. In the Password field, enter the password.
A password is required to protect the sensitive data in the certificate file.
iii. In the Confirm field, enter the same password.
iv. Click OK.
v. Wait for the Save As window to open.
vi. In the File name field, make sure to include the username.
vii. In the Save as type field, select Certificate Files (*.p12).
The certificate file is in the PKCS #12 format, and has a .p12 extension.
viii. Browse to a secure location on the SmartConsole computer.
ix. Click Save.

Notes:
• After you save the certificate file, give the administrator this file and password.
The administrator can then authenticate with the certificate when they log in with
SmartConsole to the Security Management Server.
• You can revoke this certificate at any time. Select the certificate and click Revoke.

h. In the Permission Profile field, select the applicable profile.
i. In the Expiration section, configure the required valid expiration date.
j. Optional: On the Additional Info page, configure:
• Phone Number
• Contact Details
• Email
k. Click OK.
l. Publish the SmartConsole session.

2. Optional: Import the certificate file into the Windows Certificate Store
Note - This procedure applies if you created a certificate for the administrator
object, and you log in to SmartConsole with the CAPI Certificate option.


a. Right-click the *.p12 file you saved when you created the required administrator,
and click Install PFX.
The Certificate Import Wizard opens.
b. In the Store Location section, select the applicable option:
• Current User (this is the default)
• Local Machine
c. Click Next.
d. Enter the same certificate password you used when you created the required
administrator certificate.
e. Clear Enable strong private key protection.
f. Select Mark this key as exportable.
g. Click Next.
h. Select Place all certificates in the following store, click Browse > Personal >
OK.
i. Click Next.
j. Click Finish.


Creating an Administrator Account with RADIUS Server Authentication
Remote Authentication Dial-In User Service (RADIUS) is an external authentication method
that provides security and scalability by separating the authentication function from the access
server. With RADIUS, the Security Management Server forwards the authentication requests
to the RADIUS server. The RADIUS server, which stores administrator account information,
does the authentication. The RADIUS protocol uses UDP to communicate with the Security
Gateway or the Security Management Server.
You can perform RADIUS authentication for SmartConsole administrators through a RADIUS
server or a RADIUS server group. You define RADIUS server and RADIUS server group
objects in SmartConsole. A RADIUS server group is a high availability group of identical
RADIUS servers, which can include any or all of the RADIUS servers in the system. When you
create the group, you define a priority for each server in the group. If the server with the highest
priority fails, the one with the next highest priority in the group takes over, and so on. If you
assign the same priority to all RADIUS servers, the Security Gateway will randomly select one
of them for authentication. When you define a group of RADIUS servers, all members of the
group must use the same protocol.
To learn how to configure a RADIUS server, refer to the vendor documentation.
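The exchange and the server-group failover described above, as an added Python example written for this edition of the guide from RFC 2865. It is not Check Point code and does not show Check Point's own RADIUS client; the server names `r1` to `r3`, the shared secret and the credentials are constructed. It goes a little beyond the text: it shows how the shared secret that you enter in the RADIUS server object protects the User-Password attribute on the wire, and how the client can verify that an Access-Accept was produced by a server that knows that secret and saw this exact request.

```python
"""
Added example for this guide edition, not Check Point code: the RADIUS exchange
and server-group failover described above, written from RFC 2865. Server names,
the shared secret and the credentials are constructed for the demonstration.
"""
import hashlib
import os
import random
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator. This is
    why the shared secret must be strong and kept private: without it the
    User-Password attribute cannot be recovered from a captured packet."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server-side inverse of hide_password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth=None):
    """What the Security Management Server sends: Code, Identifier, Length,
    16 random bytes (Request Authenticator), then User-Name and User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_access_accept(identifier, request_auth, secret, attrs=b""):
    """The server's reply. Its Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check before trusting an Access-Accept: a reply forged without
    the secret, or replayed against a different request, fails here."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return packet[4:20] == expected


def server_order(servers, rng=random):
    """Order a RADIUS server group for failover as the guide describes: the lower
    the priority number, the sooner the server is tried; servers that share a
    priority are tried in random order."""
    by_priority = {}
    for name, prio in servers:
        by_priority.setdefault(prio, []).append(name)
    order = []
    for prio in sorted(by_priority):
        group = list(by_priority[prio])
        rng.shuffle(group)
        order.extend(group)
    return order


def authenticate(servers, send):
    """Try group members in priority order; `send(name)` returns None when the
    server does not answer (failover) or True/False for accept/reject."""
    for name in server_order(servers):
        verdict = send(name)
        if verdict is not None:
            return name, verdict
    return None, False
```

`authenticate` models the group behaviour only: it moves to the next server when one does not answer, not when it rejects the credentials, so a wrong password is not retried against every member of the group. `verify_response` is the check that makes the shared secret a mutual proof rather than a one-way one.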
After you configure RADIUS server authentication, you can, in addition, configure
authentication with a certificate file. The administrator can then authenticate to SmartConsole
with the RADIUS server or the certificate file.

You create the certificate file in SmartConsole. The administrator can use the certificate to log
in to SmartConsole in two ways:
• Log in to SmartConsole with the Certificate File option. The administrator must provide
the password to use the certificate file.
• You can import the certificate file to the Windows Certificate Store on the Microsoft
Windows SmartConsole computer. The administrator can use this stored certificate to
log in to SmartConsole with the CAPI Certificate option. The administrator does not need
to provide a password to log in.
The administrator can also give the certificate to other administrators to log in to SmartConsole
with no administrator account of their own.

Prerequisite:
Make sure you configured the required Permission Profile. See "Assigning Permission Profiles
to Administrators" on page 116.


To configure RADIUS server authentication for an administrator

1. In SmartConsole, configure a new RADIUS server object
a. Go to the Object Explorer and select New > More > Server > RADIUS.
b. Give the server a Name. It can be any name.
c. In the Host field, click the drop-down arrow, click New and create a New Host
with the IP address of the RADIUS server.
d. Click OK.
This host now appears in the Host field of the New RADIUS window.
e. In the Shared Secret field, type the secret key that you defined previously on the
RADIUS server.
f. Click OK.
g. Publish the SmartConsole session.

2. Create a new administrator and define RADIUS as the authentication method
a. From the left navigation panel, click Manage & Settings.
b. Expand Permissions & Administrators > click Administrators.
c. From the top toolbar, click the icon (New) > click New Administrator.
The New Administrator window opens and shows the General page.
d. In the top field, enter the username that you configured on the RADIUS server.
e. Optional: Enter the comment.
f. In Authentication Method field, select RADIUS.
g. In the RADIUS Server field, select the RADIUS server object you configured
earlier.


h. Optional: Create a certificate for this administrator:
i. In the Certificate Information field, click Create.
ii. In the Password field, enter the password.
A password is required to protect the sensitive data in the certificate file.
iii. In the Confirm field, enter the same password.
iv. Click OK.
v. Wait for the Save As window to open.
vi. In the File name field, make sure to include the username.
vii. In the Save as type field, select Certificate Files (*.p12).
The certificate file is in the PKCS #12 format, and has a .p12 extension.
viii. Browse to a secure location on the SmartConsole computer.
ix. Click Save.

Notes:
• After you save the certificate file, give the administrator this file and password.
The administrator can then authenticate with the certificate when they log in with
SmartConsole to the Security Management Server.
• You can revoke this certificate at any time. Select the certificate and click Revoke.

i. In the Permission Profile field, select the applicable profile.
j. In the Expiration section, configure the required valid expiration date.
k. Optional: On the Additional Info page, configure:
• Phone Number
• Contact Details
• Email
l. Click OK.
m. Publish the SmartConsole session.

3. Optional: Configure a RADIUS server group for SmartConsole administrator authentication


a. In SmartConsole, configure all the servers that you want to include in the server
group, as explained in "To configure RADIUS server authentication for an
administrator" on page 89.
For each server, enter its priority in the group. The lower the number is, the
higher the priority.
For example, if you create a group with 3 servers, with priorities 1, 2, and 3, the
server with number 1 is approached first, the server with number 2 second, and
the server with number 3 third.
b. Create the server group:
In SmartConsole, go to Object Explorer and click New > Server > More >
RADIUS Group.
c. Configure the group properties and add servers to the group:
i. Give the group a Name. It can be any name.
ii. Click the + icon for each server you want to add, and select the server from
the drop-down list.
iii. Click OK.
iv. Publish the SmartConsole session.

4. Optional: Import the certificate file into the Windows Certificate Store
Note - This procedure applies if you created a certificate for the administrator
object, and you log in to SmartConsole with the CAPI Certificate option.

a. Right-click the *.p12 file you saved when you created the required administrator,
and click Install PFX.
The Certificate Import Wizard opens.
b. In the Store Location section, select the applicable option:
• Current User (this is the default)
• Local Machine
c. Click Next.
d. Enter the same certificate password you used when you created the required
administrator certificate.
e. Clear Enable strong private key protection.
f. Select Mark this key as exportable.
g. Click Next.


h. Select Place all certificates in the following store, click Browse > Personal >
OK.
i. Click Next.
j. Click Finish.


Creating an Administrator Account with TACACS Server Authentication
Terminal Access Controller Access Control System (TACACS) provides access control for
routers, network access servers and other networked devices through one or more centralized
servers.
TACACS is an external authentication method that provides verification services. With
TACACS, the Security Management Server forwards authentication requests by remote
administrators to the TACACS server. The TACACS server, which stores administrator
account information, authenticates administrators. The system supports physical card key
devices or token cards and Kerberos secret key authentication. TACACS encrypts the
administrator name, password, authentication services and accounting information of all
authentication requests to secure communication.
You can perform TACACS authentication for SmartConsole administrators through a TACACS
server or a TACACS server group. A TACACS server group is a High Availability group of
identical TACACS servers in the system. When you create the group, you define a priority for
each server. If the server with the highest priority fails, the one with the next highest priority in
the group takes over, and so on. If you assign the same priority to all TACACS servers, the
Security Gateway will randomly select one of them for authentication. All TACACS servers in
the group must use the same protocol.
To learn how to configure a TACACS server, refer to the vendor documentation.
After you configure TACACS server authentication, you can, in addition, configure
authentication with a certificate file. The administrator can then authenticate to SmartConsole
with the TACACS server or the certificate file.
You create the certificate file in SmartConsole. The administrator can use the certificate to log
in to SmartConsole in two ways:
• Log in to SmartConsole with the Certificate File option. The administrator must provide
the password to use the certificate file.
• You can import the certificate file to the Windows Certificate Store on the Microsoft
Windows SmartConsole computer. The administrator can use this stored certificate to
log in to SmartConsole with the CAPI Certificate option. The administrator does not need
to provide a password to log in.
The administrator can also give the certificate to other administrators to log in to SmartConsole
with no administrator account of their own.

Prerequisite:
Make sure you configured the required Permission Profile. See "Assigning Permission Profiles
to Administrators" on page 116.


To configure TACACS server authentication for an administrator

1. In SmartConsole, add a new TACACS server object
a. Go to Object Explorer and click New > More > Server > TACACS.
b. Enter the server Name.
c. In the Host field, click the drop-down arrow, click New, and create a New Host
with the IP address of the TACACS server.
d. Click OK.
This host now appears in the Host field of the New TACACS window.
e. Select a Server type.
f. If your server type is TACACS+, type the Secret key that you defined previously
on the TACACS+ server.
g. Click OK.
h. Publish the SmartConsole session.

2. Add a new administrator and define TACACS as the authentication method
a. From the left navigation panel, click Manage & Settings.
b. Expand Permissions & Administrators > click Administrators.
c. From the top toolbar, click the icon (New) > click New Administrator.
The New Administrator window opens and shows the General page.
d. In the top field, enter the username that you configured on the TACACS server.
e. Optional: Enter the comment.
f. In Authentication Method field, select TACACS.
g. In the TACACS Server field, select the TACACS server object you configured
earlier.


h. Optional: Create a certificate for this administrator:
i. In the Certificate Information field, click Create.
ii. In the Password field, enter the password.
A password is required to protect the sensitive data in the certificate file.
iii. In the Confirm field, enter the same password.
iv. Click OK.
v. Wait for the Save As window to open.
vi. In the File name field, make sure to include the username.
vii. In the Save as type field, select Certificate Files (*.p12).
The certificate file is in the PKCS #12 format, and has a .p12 extension.
viii. Browse to a secure location on the SmartConsole computer.
ix. Click Save.

Notes:
• After you save the certificate file, give the administrator this file and password.
The administrator can then authenticate with the certificate when they log in with
SmartConsole to the Security Management Server.
• You can revoke this certificate at any time. Select the certificate and click Revoke.

i. In the Permission Profile field, select the applicable profile.
j. In the Expiration section, configure the required valid expiration date.
k. Optional: On the Additional Info page, configure:
• Phone Number
• Contact Details
• Email
l. Click OK.
m. Publish the SmartConsole session.

3. Optional: Configure a TACACS Server group for SmartConsole administrator
authentication


a. In SmartConsole, configure all the servers that you want to include in the server
group, as explained in "To configure TACACS server authentication for an
administrator" on page 94.
For each server, enter its priority in the group. The lower the number is, the
higher the priority.
For example, if you create a group with 3 servers, with priorities 1, 2, and 3, the
server with number 1 is approached first, the server with number 2 second, and
the server with number 3 third.
b. Create the server group:
In SmartConsole, go to Object Explorer and click New > Server > More >
TACACS Group.
c. Configure the group properties and add servers to the group:
i. Enter the group Name.
ii. Click the + icon for each server you want to add, and select the server from
the drop-down list.
iii. Click OK.
iv. Publish the SmartConsole session.

4. Optional: Import the certificate file into the Windows Certificate Store
Note - This procedure applies if you created a certificate for the administrator
object, and you log in to SmartConsole with the CAPI Certificate option.

a. Right-click the *.p12 file you saved when you created the required administrator,
and click Install PFX.
The Certificate Import Wizard opens.
b. In the Store Location section, select the applicable option:
• Current User (this is the default)
• Local Machine
c. Click Next.
d. Enter the same certificate password you used when you created the required
administrator certificate.
e. Clear Enable strong private key protection.
f. Select Mark this key as exportable.
g. Click Next.


h. Select Place all certificates in the following store, click Browse > Personal >
OK.
i. Click Next.
j. Click Finish.


Creating an Administrator Account with SecurID Authentication
SecurID requires administrators to possess a token authenticator and to supply a PIN or
password. Token authenticators generate one-time passwords that are synchronized to an
RSA Authentication Manager (AM) and may come in the form of hardware or software.
Hardware tokens are key-ring or credit card-sized devices. Software tokens reside on the PC
or device from which the administrator wants to authenticate. All tokens generate a random,
one-time use access code that changes approximately every minute. When an administrator
attempts to authenticate to a protected resource, the AM must validate the one-time use code.
The Security Management Server forwards SecurID authentication requests by remote
administrators to the AM. The AM manages the database of the RSA users and their assigned
hard or soft tokens. The Security Management Server acts as an AM Agent and directs all
access requests to the RSA AM for authentication. For additional information on agent
configuration, refer to the RSA Authentication Manager documentation.
There are no specific parameters required for the SecurID authentication method.
Authentication requests can be sent over an SDK-supported API or through the REST API.
To learn how to configure a SecurID server, refer to the vendor documentation.
After you configure SecurID authentication, you can, in addition, configure authentication with
a certificate file. The administrator can then authenticate to SmartConsole with SecurID
authentication or the certificate file.

You create the certificate file in SmartConsole. The administrator can use the certificate to log
in to SmartConsole in two ways:
• Log in to SmartConsole with the Certificate File option. The administrator must provide
the password to use the certificate file.
• You can import the certificate file to the Windows Certificate Store on the Microsoft
Windows SmartConsole computer. The administrator can use this stored certificate to
log in to SmartConsole with the CAPI Certificate option. The administrator does not need
to provide a password to log in.
The administrator can also give the certificate to other administrators to log in to SmartConsole
with no administrator account of their own.

Prerequisite:
Make sure you configured the required Permission Profile. See "Assigning Permission Profiles
to Administrators" on page 116.


To configure SecurID authentication for an administrator


1. Configure the Security Management Server to use SecurID (this procedure is only relevant
if you use an SDK-supported API)

a. Connect to the command line on the Security Management Server.


b. Log in to the Expert mode.
c. Copy the [Link] file to the /var/ace/ directory.
If the /var/ace/ directory does not exist, create it with this command:

mkdir -v /var/ace/

d. Assign all permissions to the [Link] file:

chmod -v 777 /var/ace/[Link]

2. Configure the SecurID Server object

a. Add a new SecurID server object:


Go to the Object Explorer and select New > More > Server > New SecurID.
b. In the top field, enter the applicable object name.
c. Optional: Enter the comment.
d. This step applies only to SDK-supported API:

Click Browse and select the [Link] file.


This must be a copy of the file that is located on the Security Management
Server.
e. Click OK.

3. Add a new administrator and define SecurID as the authentication method

a. From the left navigation panel, click Manage & Settings.


b. Expand Permissions & Administrators > click Administrators.

c. From the top toolbar, click the icon (New) > click New Administrator.

The New Administrator window opens and shows the General page.
d. In the top field, enter the applicable object name.
e. Optional: Enter the comment.
f. In Authentication method, select SecurID.

g. Optional: Create a certificate for this administrator:


i. In the Certificate Information field, click Create.
ii. In the Password field, enter the password.
A password is required to protect the sensitive data in the certificate file.
iii. In the Confirm field, enter the same password.
iv. Click OK.
v. Wait for the Save As window to open.
vi. In the File name field, make sure to include the username.
vii. In the Save as type field, select Certificate Files (*p12).

The certificate file is in the PKCS #12 format, and has a .p12 extension.
viii. Browse to a secure location on the SmartConsole computer.
ix. Click Save.

Notes:
n After you save the certificate file, give the administrator this file and password.
The administrator can then authenticate with the certificate when they log in with
SmartConsole to the Security Management Server.
n You can revoke this certificate at any time. Select the certificate and click Revoke.

h. In the Permission Profile field, select the applicable profile.


i. In the Expiration section, configure the required valid expiration date.

j. Optional: On the Additional Info page, configure:


n Phone Number
n Contact Details
n Email
k. Click OK.
l. Publish the SmartConsole session.

4. Optional: Import the certificate file into the Windows Certificate Store
Note - This procedure applies if you create a certificate authentication in the
administrator object, and you log in to SmartConsole with the CAPI
Certificate option.

a. Right-click the *.p12 file you saved when you created the required administrator,
and click Install PFX.
The Certificate Import Wizard opens.
b. In the Store Location section, select the applicable option:
n Current User (this is the default)
n Local Machine
c. Click Next.
d. Enter the same certificate password you used when you created the required
administrator certificate.
e. Clear Enable strong private key protection.

f. Select Mark this key as exportable.


g. Click Next.
h. Select Place all certificates in the following store, click Browse > Personal >
OK.
i. Click Next.
j. Click Finish.

Creating an Administrator Account with SAML Authentication Login
With SAML authentication, administrators log in to SmartConsole through a central 3rd party
Identity Provider with the SAML protocol. The Identity Provider holds the information about the
administrators, including the ability to authenticate the administrators. Check Point supports
these Identity Providers: Okta, Ping Identity, Azure.

Use Case
Administrators with accounts in Azure want to work with SmartConsole. If each administrator
uses two different administrator names and passwords, one for Azure and one for
SmartConsole, this causes a number of issues:
n The administrators must handle different password and expiration policies (in addition to
other corporate passwords).
n The administrators must remember two different passwords, one for Azure and one for
SmartConsole (in addition to other corporate passwords).
n It requires additional maintenance of the administrators. For example, when an
administrator leaves, you must remove them from all applications they are registered to.
If you use an Identity Provider, you simply need to remove the administrator from the
Identity Provider database.
Therefore, the organization prefers that each administrator uses one password for both Azure
and SmartConsole. With the Identity Provider, the administrator can authenticate once to
Azure, and when the administrator connects to SmartConsole, SmartConsole already
recognizes them and they do not have to enter another password. This way, the administrator
also does not reveal their password to the Security Management Server.

SAML Authentication Process Flow:


1. The administrator tries to log in to SmartConsole.
2. SmartConsole redirects the administrator back to the browser to a URL which is
pre-configured on the Security Management Server.
3. The Security Management Server redirects the browser with a SAML request to the
Identity Provider.
4. The Identity Provider authenticates the administrator.
5. The Identity Provider generates a SAML assertion and sends it back to the Security
Management Server through the browser.
6. The Security Management Server validates the SAML assertion.

7. If the administrator is authenticated, the Security Management Server redirects the
browser to SmartConsole with the necessary data required for authentication.
8. SmartConsole opens a session to the Security Management Server with this
authentication data.

SAML Authentication Login


Note - By default, SAML authentication for SmartConsole login requires Gaia Portal
on the Management Server to work on the TCP port 443. If Gaia Portal runs on a
different port, then enter this port number in the SmartConsole login window
(<IP_Address>:<Port>). For more information, see sk182032.

1. In your Identity Provider, create the SmartConsole application and configure its settings

See your Identity Provider documentation for instructions.

Notes:
n Make sure the client can connect to the Identity Provider website and that there is no
policy rule that blocks it.
n The SmartConsole application integration in your Identity Provider must have attribute
mappings for "username", and it must have the "sign assertion and response" option
selected.
n The Identity Provider can return the response to more than one URL. In a Management
High Availability environment, enter the required number of Reply URLs.
When the Identity Provider sends the response, the response must contain the IP
address that the response is returned to. If the required destination is not included in
the response, the response is discarded.
Make sure to disable the use of "Default" for the Reply URLs.

2. In SmartConsole, create an Identity Provider object and configure its settings

a. In the Object Explorer, click New > More > User/Identity > Identity Provider.
The New Identity Provider window opens.

b. Configure these properties for the Identity Provider object:


n Name (for example: Azure).
n Use Identity Provider for - Select Managing administrator access. This
handles the authentication to SmartConsole through an Identity Provider.
Note - To use the SAML authentication for Security Gateway and logs,
see the R82 Identity Awareness Administration Guide.

n Data Required by the SAML Identity Provider - SmartConsole creates the Identifier
(Entity ID) and the Reply URLs according to the environment.
Take the Identifier (Entity ID) and Reply URL that SmartConsole showed you and enter
them in the relevant places in the properties of the SmartConsole application you
created in your Identity Provider.
To use a Domain name instead of a URL
Note - For a Security Management Server and Multi-Domain Server behind NAT,
these steps must be followed.
In a Management High Availability environment, you must do these steps on each
Management Server.

i. Connect to the command line on the Management Server.


ii. Log in to the Expert mode.
iii. Back up the current $CPDIR/tmp/.[Link] file:

cp -v $CPDIR/tmp/.[Link]{,_BKP}

iv. Edit the $CPDIR/tmp/.[Link] file:

vi $CPDIR/tmp/.[Link]

v. Add this line at the bottom of the file:

SAML_IP_OR_NAME=<Your Domain Name>;export SAML_IP_OR_NAME

Example:

SAML_IP_OR_NAME=[Link];export SAML_IP_OR_NAME

vi. Save the changes in the file and exit the editor.
vii. Restart Check Point services (this action disconnects SmartConsole clients):
l On a Security Management Server, run: cpstop ; cpstart
l On a Multi-Domain Server, run: mdsstop ; mdsstart
viii. Connect with SmartConsole to the Management Server.

ix. Open the Identity Provider Website.


x. In the Reply URLs, replace the IP address with the Domain Name.

n Data received from the SAML Identity Provider:


l Import metadata file - The Identity Provider creates this file. The
metadata file has all the information required to establish trust
between the Identity Provider and the Management Server.
l If the Identity Provider has no metadata file, enter this information of
the Identity Provider manually:
o Identifier (Entity ID) - Unique identifier of the Identity Provider.
o Login (URL) - This is the endpoint on the Identity Provider side
where SAML requests are posted.
o Certificate file - The Management Server takes the certificate
file from the Identity Provider to validate the Identity Provider's
signature. The certificate is stored on the Management Server
and used whenever responses are posted.
c. Click OK.
d. Publish the SmartConsole session.

3. In SmartConsole, go to the Manage & Settings view > Permissions & Administrators >
Advanced > Identity Provider > Identity Provider for Managing Administrator Access
> select the Identity Provider object that you created.

Notes
n On a Security Management Server, you can use only one Identity Provider.
n On a Multi-Domain Security Management Server:
l You can use only one Identity Provider for a Domain.
l If you configure an Identity Provider for the Multi-Domain Server and do not configure
an Identity Provider for a Domain, the Domain Management Server takes the Identity
Provider configured for the Multi-Domain Server.
l Only a Super User can assign an Identity Provider to a Domain.
l To access the Domain with the Domain's Identity Provider, open SmartConsole and
connect to the Domain's IP address.
l A Domain's Identity Provider can only authenticate administrators or groups that have
a permission profile for the Domain.

4. Create the administrator (or group of administrators) that authenticates with an Identity
Provider

Prerequisite: Make sure you configured the required Permission Profile. See
"Assigning Permission Profiles to Administrators" on page 116.
a. From the left navigation panel, click Manage & Settings.
b. Expand Permissions & Administrators > click Administrators.

c. From the top toolbar, click the icon (New) > click New Administrator.

The New Administrator window opens and shows the General page.
d. In the top field, enter the applicable object name.
The object name must be identical to the name defined in the Identity Provider's
username attribute.
e. Optional: Enter the comment.

f. In Authentication Method field, select Identity Provider.


g. Optional: Create a certificate for this administrator:
i. In the Certificate Information field, click Create.
ii. In the Password field, enter the password.
A password is required to protect the sensitive data in the certificate file.
iii. In the Confirm field, enter the same password.
iv. Click OK.
v. Wait for the Save As window to open.

vi. In the File name field, make sure to include the username.
vii. In the Save as type field, select Certificate Files (*p12).

The certificate file is in the PKCS #12 format, and has a .p12 extension.
viii. Browse to a secure location on the SmartConsole computer.
ix. Click Save.

Notes:
n After you save the certificate file, give the administrator this file and password.
The administrator can then authenticate with the certificate when they log in with
SmartConsole to the Security Management Server.
n You can revoke this certificate at any time. Select the certificate and click Revoke.

h. In the Permission Profile field, select the applicable profile.

i. Optional: On the Additional Info page, configure:


n Phone Number
n Contact Details
n Email
j. Click OK.
k. Publish the SmartConsole session.

Notes:
n In the Identity Provider's interface, configure a SAML attribute:
i. Define an optional attribute named "groups".
ii. Configure the attribute according to the Identity Provider's requirements.
n If you configure an administrator group, configure these settings:
l Name - Enter a name for the administrator group object. You can select any name.
l Group ID/name - Must be identical to the group attribute defined in the Identity
Provider.
n The Expiration date is grayed out because it is defined in the Identity Provider's
database.

5. There are two ways to log in to SmartConsole with an Identity Provider.


Logging in through the SmartConsole login window

a. Open SmartConsole.
b. From the first drop-down menu, select Identity Provider.
The Security Management Server checks if the administrator exists in the
Security Management Server database.
n If the administrator exists, the SmartConsole logs the administrator in.
n If the administrator does not exist, the Security Management Server
checks if the administrator is in an administrator group in the Security
Management Server database.
If the administrator exists in such a group, SmartConsole logs in the
administrator, and the Security Management Server assigns the
administrator the permissions of the group.
c. Enter the IP address or hostname of the Management Server.
d. Click Login with SSO.

Notes:
n If an administrator has an administrator account and is also part of an administrator
group, the Security Management Server assigns to the administrator the administrator
account permissions.
n If the administrator belongs to more than one administrator group, the Security
Management Server assigns to the administrator the permissions of the administrator
group which comes first in alphabetical order in the Security Management Server
database.
n The administrator session is not disconnected if you disconnect or edit the
administrator object in the Identity Provider while the Security Management Server
session is active.
Best Practice - We recommend using at least one administrator that is not
authenticated through the Identity Provider, in case the Identity Provider is not
available.

Logging in with a SmartConsole configuration file

CLI Syntax:
To launch SmartConsole with a configuration file for SAML login, use this command in
the Windows Command Prompt:

[Link] -p "Full Path to the Configuration File"

Example:

cd /d "C:\Program Files (x86)\CheckPoint\SmartConsole\R82\"

[Link] -p "D:\MySAML_Configuration.xml"

Required Configuration File:


This is the required configuration file (plain-text XML):

<?xml version="1.0" encoding="utf-8"?>
<RemoteLaunchParemeters
xmlns:xsi="http:/[Link]/2001/XMLSchema-instance"
xmlns:xsd="http:/[Link]/2001/XMLSchema">
<ServerIP>IP Address of the Management Server</ServerIP>
<DomainName>Name of the Domain Management Server</DomainName>
<ReadOnly>False</ReadOnly>
<CloudDemoMode>False</CloudDemoMode>
<IsSamlLogin>1</IsSamlLogin>
</RemoteLaunchParemeters>

Parameters:

Parameter        Description
<ServerIP>       Specifies the IP Address of the Management Server.
<DomainName>     Specifies the name of the Domain Management Server object when
                 connecting to a Multi-Domain Security Management Server.
<ReadOnly>       Specifies whether to open SmartConsole in the Read-Only mode.
                 Valid values:
                 n False - Opens SmartConsole in the Write mode.
                 n True - Opens SmartConsole in the Read-Only mode.
<CloudDemoMode>  Specifies whether to enable the Demo Mode.
                 Valid values:
                 n False - Opens SmartConsole in regular mode.
                 n True - Opens SmartConsole in the Demo mode.
<IsSamlLogin>    Specifies whether to enable the SAML login.
                 Valid values:
                 n 1 - Enables the SAML login.
                 n 0 - Disables the SAML login.

Example of the configuration file for a Security Management Server with the IP
address [Link]:

<?xml version="1.0" encoding="utf-8"?>
<RemoteLaunchParemeters
xmlns:xsi="http:/[Link]/2001/XMLSchema-instance"
xmlns:xsd="http:/[Link]/2001/XMLSchema">
<ServerIP>[Link]</ServerIP>
<ReadOnly>False</ReadOnly>
<CloudDemoMode>False</CloudDemoMode>
<IsSamlLogin>1</IsSamlLogin>
</RemoteLaunchParemeters>
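If you distribute this launch configuration file to administrators from a script, it helps to generate it and to validate a file before handing it out. The following is an added example in Python; it is not Check Point code. It writes the elements and values from the parameter table above and rejects anything outside the documented value sets. The element name RemoteLaunchParemeters is used exactly as the page shows it; the W3C XML Schema namespace URLs and the sample server address 192.0.2.10 are assumptions of this example.

```python
"""Build and validate a SmartConsole SAML launch configuration file.

Added example, not Check Point code. It assumes only the XML layout and the
parameter values documented for the configuration file; the root element name
is kept with the spelling the documentation uses.
"""
import ipaddress
import xml.etree.ElementTree as ET

ROOT_TAG = "RemoteLaunchParemeters"  # spelled as in the documented file
# Standard W3C XML Schema namespaces (assumed; the page shows the URLs elided)
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSD_NS = "http://www.w3.org/2001/XMLSchema"

BOOL_TEXT = {True: "True", False: "False"}   # <ReadOnly>, <CloudDemoMode>
FLAG_TEXT = {True: "1", False: "0"}          # <IsSamlLogin>


def build_launch_config(server_ip, domain_name=None, read_only=False,
                        demo_mode=False, saml_login=True):
    """Return the XML text of a launch configuration for the given settings."""
    ipaddress.ip_address(server_ip)  # raises ValueError if this is not an IP address
    root = ET.Element(ROOT_TAG, {"xmlns:xsi": XSI_NS, "xmlns:xsd": XSD_NS})
    ET.SubElement(root, "ServerIP").text = server_ip
    if domain_name:  # only needed when connecting to a Multi-Domain Server
        ET.SubElement(root, "DomainName").text = domain_name
    ET.SubElement(root, "ReadOnly").text = BOOL_TEXT[bool(read_only)]
    ET.SubElement(root, "CloudDemoMode").text = BOOL_TEXT[bool(demo_mode)]
    ET.SubElement(root, "IsSamlLogin").text = FLAG_TEXT[bool(saml_login)]
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


def parse_launch_config(xml_text):
    """Parse a launch configuration, validate every value, and return the settings."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != ROOT_TAG:
        raise ValueError(f"unexpected root element {root.tag!r}")
    values = {child.tag: (child.text or "").strip() for child in root}
    if "ServerIP" not in values:
        raise ValueError("ServerIP is required")
    ipaddress.ip_address(values["ServerIP"])
    for tag in ("ReadOnly", "CloudDemoMode"):
        if values.get(tag) not in ("True", "False"):
            raise ValueError(f"{tag} must be True or False")
    if values.get("IsSamlLogin") not in ("0", "1"):
        raise ValueError("IsSamlLogin must be 0 or 1")
    return {
        "server_ip": values["ServerIP"],
        "domain_name": values.get("DomainName"),
        "read_only": values["ReadOnly"] == "True",
        "demo_mode": values["CloudDemoMode"] == "True",
        "saml_login": values["IsSamlLogin"] == "1",
    }


if __name__ == "__main__":
    # Constructed sample address from the documentation range, not a real server
    config = build_launch_config("192.0.2.10", read_only=True)
    print(config)
    print(parse_launch_config(config))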

After you configure SAML authentication, you can, in addition, configure authentication with a
certificate file. The administrator can then authenticate to SmartConsole with the SAML
Identity Provider or the certificate file.
You create the certificate file in SmartConsole. The administrator can use the certificate to log
in to SmartConsole in two ways:

n Log in to SmartConsole with the Certificate File option. The administrator must provide
the password to use the certificate file.
n You can import the certificate file to the Windows Certificate Store on the Microsoft
Windows SmartConsole computer. The administrator can use this stored certificate to
log in to SmartConsole with the CAPI Certificate option. The administrator does not need
to provide a password to log in.
The administrator can also give the certificate to other administrators to log in to SmartConsole
with no administrator account of their own.
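Step 2 of the SAML procedure above lets you enter the Identity Provider's Identifier (Entity ID), Login (URL) and certificate file by hand when the Identity Provider offers no metadata import. The following added example in Python (not Check Point code) pulls those three values out of a standard SAML 2.0 IdP metadata document so they can be checked before they are typed into the Identity Provider object. The metadata is a constructed sample for a hypothetical IdP at idp.example.test, and its X509Certificate value is a base64 placeholder rather than a real certificate; only the SAML 2.0 metadata namespace and the standard HTTP-POST and HTTP-Redirect binding URIs are assumed.

```python
"""Extract Entity ID, Login URL and signing certificate from IdP SAML metadata.

Added example, not Check Point code. SAMPLE_METADATA is constructed; its
certificate body is a placeholder, not an X.509 certificate.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
SAMPLE_CERT_B64 = base64.b64encode(PLACEHOLDER_DER).decode()
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {SAMPLE_CERT_B64}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{BINDING_REDIRECT}"
        Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="{BINDING_POST}"
        Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_text):
    """Re-wrap a metadata X509Certificate value as a PEM block, validating the base64."""
    raw = re.sub(r"\s+", "", b64_text)
    base64.b64decode(raw, validate=True)  # ValueError on malformed data
    lines = [raw[i:i + 64] for i in range(0, len(raw), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text):
    """Return the Entity ID, Login URL and signing certificate (PEM) of an IdP."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    entity_id = root.get("entityID")
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not entity_id:
        raise ValueError("not an EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # Login (URL): SAML requests are posted there, so prefer the HTTP-POST endpoint
    # and fall back to HTTP-Redirect if that is all the IdP publishes.
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    login_url = endpoints.get(BINDING_POST) or endpoints.get(BINDING_REDIRECT)
    if not login_url or not login_url.startswith("https://"):
        raise ValueError("no HTTPS SingleSignOnService endpoint in metadata")
    # Signing certificate: KeyDescriptor with use="signing" (no use attribute means both)
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]
    certs = [c for c in certs if c and c.strip()]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": entity_id,
            "login_url": login_url,
            "certificate_pem": to_pem(certs[0]),
            "signing_certificates": len(certs)}


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("Identifier (Entity ID):", info["entity_id"])
    print("Login (URL):          ", info["login_url"])
    print(info["certificate_pem"])
```

If the parser reports more than one signing certificate, the IdP is in the middle of a key rollover; the Identity Provider object stores a single certificate, so a signature made with the other key fails validation at step 6 of the process flow until the object is updated.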

Creating an Administrator Account with API Key Authentication
An API key is a token that a client provides when making API calls.
API key authentication provides an administrator the ability to use a token for authenticating to
the API interface instead of the usual administrator name / password.
You can use SmartConsole to configure an API key for administrators to use the management
API.

Note - This administrator can only use the API for executing API commands and
cannot use it for SmartConsole authentication.

Prerequisite:
Make sure you configured the required Permission Profile. See "Assigning Permission Profiles
to Administrators" on page 116.
To configure API authentication for an Administrator using SmartConsole

1. From the left navigation panel, click Manage & Settings.


2. Expand Permissions & Administrators > click Administrators.

3. From the top toolbar, click the icon (New) > click New Administrator.

The New Administrator window opens and shows the General page.
4. In the top field, enter the applicable object name.
5. Optional: Enter the comment.

6. In the Authentication Method field, select API Key.


7. Click Generate API key:
a. Click Copy Key to Clipboard
b. Save the key for a later use (provide it to the relevant administrator).
c. Click OK.
8. In the Permission Profile field, select the applicable profile.
9. In the Expiration section, configure the required valid expiration date.
10. Optional: On the Additional Info page, configure:

n Phone Number
n Contact Details
n Email
11. Click OK.
12. Publish the SmartConsole session.

Example

This example demonstrates how to use the API Key for the API command "login" and the
API command "add simple-gateway".
1. Connect to the command line on the Security Management Server.

2. Log in to the Expert mode.


3. Run the API command "login", use the previously generated API key, and save the
output to a file:
Syntax:

mgmt_cli login api-key <api-key> > /<path_to>/<filename>

Example:

mgmt_cli login api-key mvYSiHVmlJM+J0tu2FqGag12 > /var/tmp/[Link]

4. Run the API command "add simple-gateway".


Run the mgmt_cli command with the "-s" flag and specify the token file.

Syntax:

mgmt_cli -s /<path_to>/<filename> add simple-gateway name <gateway name> ip-address <ip address> one-time-password <password> <blade name> true

Example:

mgmt_cli -s /var/tmp/[Link] add simple-gateway name "gw1" ip-address [Link] one-time-password "aaaa" firewall true vpn true

For more details, see the Check Point Management API Reference (at the top, select
the correct version).
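The same API key can be used through the Web Services (REST) interface, which is what a script running off-box would do instead of mgmt_cli. The following added example in Python (not Check Point code) performs the login with the API key, keeps the returned session ID and sends it in the X-chkp-sid header on the add-simple-gateway, publish and logout calls. It assumes the Management API endpoints under https://<server>/web_api/ as documented in the Management API Reference; the server name mgmt.example.test, the key EXAMPLE-API-KEY, the gateway values and the fake transport that stands in for the server are constructed so that the flow runs offline.

```python
"""Management API session with an API key over the Web Services (REST) interface.

Added example, not Check Point code. The endpoints follow the Management API
Reference; server, key and gateway values are constructed placeholders.
"""
import json
import ssl
import urllib.request


class MgmtSession:
    """One API session: log in with an API key, run commands, publish, log out."""

    def __init__(self, server, transport=None):
        self.base = f"https://{server}/web_api/"
        self.sid = None
        # transport(url, headers, body) -> (status, raw_bytes); injectable for offline use
        self.transport = transport or self._https_post

    @staticmethod
    def _https_post(url, headers, body):
        # TLS is verified against the system trust store; add the Management Server's
        # certificate to that store rather than turning verification off.
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                    timeout=30) as resp:
            return resp.status, resp.read()

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if command != "login":
            if self.sid is None:
                raise RuntimeError("login first: no session ID")
            headers["X-chkp-sid"] = self.sid  # the session ID replaces the API key
        body = json.dumps(payload or {}).encode("utf-8")
        status, raw = self.transport(self.base + command, headers, body)
        data = json.loads(raw.decode("utf-8"))
        if status != 200:
            raise RuntimeError(f"{command} failed: {data.get('code')}: {data.get('message')}")
        return data

    def login(self, api_key):
        self.sid = self.call("login", {"api-key": api_key})["sid"]
        return self.sid

    def add_simple_gateway(self, name, ip_address, one_time_password, **blades):
        payload = {"name": name, "ip-address": ip_address,
                   "one-time-password": one_time_password, **blades}
        return self.call("add-simple-gateway", payload)

    def publish(self):
        return self.call("publish")

    def logout(self):
        try:
            return self.call("logout")
        finally:
            self.sid = None  # never reuse a session ID after logout


def make_fake_transport(log):
    """Constructed offline stand-in for the Management Server; records each call."""
    def transport(url, headers, body):
        command = url.rsplit("/", 1)[1]
        payload = json.loads(body)
        log.append((command, headers.get("X-chkp-sid"), payload))
        if command == "login":
            if payload.get("api-key") != "EXAMPLE-API-KEY":
                return 400, b'{"code": "err_login_failed", "message": "bad key"}'
            return 200, b'{"sid": "constructed-session-id"}'
        return 200, b"{}"
    return transport


def run_demo(api_key="EXAMPLE-API-KEY"):
    """Run login -> add-simple-gateway -> publish -> logout against the fake server."""
    log = []
    session = MgmtSession("mgmt.example.test", transport=make_fake_transport(log))
    session.login(api_key)
    session.add_simple_gateway("gw1", "192.0.2.20", "constructed-otp",
                               firewall=True, vpn=True)
    session.publish()
    session.logout()
    return log


if __name__ == "__main__":
    for command, sid, payload in run_demo():
        print(f"{command:20} sid={sid} payload={payload}")
```

Drop the transport argument to talk to a real Management Server. Because the API key is a bearer credential, treat it like a password: keep it out of command history and logs, and give the API-key administrator the narrowest permission profile the script needs.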

After you configure API authentication, you can, in addition, configure authentication with a
certificate file. The administrator can then authenticate to the Security Management Server
with either an API Key or a certificate file.
You create the certificate file in SmartConsole. The administrator can use the certificate to log
in to SmartConsole in two ways:
n Log in to SmartConsole with the Certificate File option. The administrator must provide
the password to use the certificate file.
n You can import the certificate file to the Windows Certificate Store on the Microsoft
Windows SmartConsole computer. The administrator can use this stored certificate to
log in to SmartConsole with the CAPI Certificate option. The administrator does not need
to provide a password to log in.
The administrator can also give the certificate to other administrators to log in to SmartConsole
with no administrator account of their own.

Assigning Permission Profiles to Administrators


A permission profile is a predefined set of Security Management Server and SmartConsole
administrative permissions that you can assign to administrators. You can assign a permission
profile to more than one administrator. Only Security Management Server administrators with
the Manage Administrators permission in the profile can create and manage permission
profiles.
To learn about permission profiles for Multi-Domain Security Management administrators, see
the R82 Multi-Domain Security Management Administration Guide.

Changing and Creating Permission Profiles


Administrators with Super User permissions can edit, create, or delete permission profiles.

These are the predefined, default permission profiles. You cannot change or delete the default
permission profiles. You can clone them, and change the clones:
n Read Only All - Full Read Permissions. No Write permissions.
n Read Write All - Full Read and Write Permissions.
n Super User - Full Read and Write Permissions, including managing administrators and
sessions.

Note - Multiple administrators can log in to SmartConsole with Read-Write All
permission at the same time. You cannot switch between the Read Only All and
Read-Write All permission profiles. To switch mode, close the session, reconnect to
SmartConsole, and in the SmartConsole login screen, select or clear the Read Only
checkbox, as needed.

To change the permission profile of an administrator

1. Click Manage & Settings > Permissions & Administrators.


2. Double-click the administrator account.
The Administrators properties window opens.
3. In the Permissions section, select another Permission Profile from the list.
4. Click OK.

To change a permission profile

1. In SmartConsole, go to Manage & Settings > Permissions & Administrators >
Permission Profiles.
2. Double-click the profile to change.
3. In the Profile configuration window that opens, change the settings as needed.
4. Click Close.

To create a new permission profile

1. In SmartConsole, go to Manage & Settings > Permissions & Administrators >
Permission Profiles.
2. Click New Profile.
The New Profile window opens.
3. Enter a unique name for the profile.
4. Select a profile type:
n Read/Write All - Administrators can make changes to all features
n Auditor (Read Only All) - Administrators can see all information but cannot
make changes
n Customized - Configure custom settings (see "Configuring Customized
Permissions" on the next page).
5. Click OK.

To delete a permission profile

1. In SmartConsole, go to Manage & Settings > Permissions & Administrators >
Permission Profiles.
2. Select a profile and click Delete.
You cannot delete a profile that is assigned to an administrator. To see which
administrators use a profile, in the error message, click Where Used.
If the profile is not assigned to administrators, a confirmation window opens.
3. Click Yes to confirm.

Configuring Customized Permissions


Configure administrator permissions for Gateways, Access Control, Threat Prevention,
Others, Monitoring and Logging, Events and Reports, Management. For each resource,
define if administrators that are configured with this profile can configure the feature or only
see it.

Permissions:
n Selected - The administrator has this feature.
n Not selected - The administrator does not have this feature.

Note - If you cannot clear a feature selection, the administrator access to it is
mandatory.

Some features have Read and Write options. If the feature is selected:
n Read - The administrator has the feature but cannot make changes.
n Write - The administrator has the feature and can make changes.
To configure customized permissions

1. In the Profile object, in the Overview > Permissions section, select Customized.
2. Configure permissions in these pages of the Profile object:
n Gateways - Configure the Provisioning and the Scripts permissions.
n Access Control - Configure Access Control Policy permissions (see
"Configuring Permissions for Access Control and Threat Prevention" on
page 121).
n Threat Prevention - Configure Threat Prevention Policy permissions (see
"Configuring Permissions for Access Control and Threat Prevention" on
page 121).
n Others - Configure permissions for Common Objects, user databases, HTTPS
Inspection features, and Client Certificates.
n Monitoring and Logging - Configure permissions to generate and see logs and
to use monitoring features (see "Configuring Permissions for Monitoring,
Logging, Events, and Reports" on page 122).
n Events and Reports - Configure permissions for SmartEvent features (see
"Configuring Permissions for Monitoring, Logging, Events, and Reports" on
page 122).
3. In the Management section, configure this profile with permissions to:

n Manage Administrators - Manage other administrator accounts.


n Manage Sessions - Lets you disconnect, discard, publish, or take over other
administrator sessions.
n High Availability Operations - Configure and work with High Availability.
n Management API Login - Permission to log in to the Security Management
Server and run API commands using these tools:
l mgmt_cli (Linux and Windows binaries)
l Gaia CLI (clish)
l Web Services (REST)
Useful if you want to prevent administrators from running automatic scripts on
the Management Server.

Note - This permission is not required to run commands from within the
API terminal in SmartConsole.
n Cloud Management Extension (CME) API - Permission to read or edit the
Cloud Management Extension (CME) configuration.
n Publish sessions without an approval - permission to publish without an
approval.
n Approve / reject other sessions - permission to approve or reject other
sessions.
n Manage integration with Infinity Services - Permission to connect to the Check
Point Portal through the Infinity Services view in SmartConsole.
4. Click OK.

Important - In a Permission Profile, if you select the permission VSX Provisioning (in
the Gateways tab), you must also select Publish sessions without an approval (in
the Management tab), because the Management Server must save changes in VSX
objects immediately.

Configuring Permissions for Access Control Layers


You can simplify the management of the Access Control Policy by delegating ownership of
different Layers to different administrators.
To do this, assign a permission profile to the Layer. The Permission Profile must have this
permission: Edit Layer by the selected profiles in a layer editor.
An administrator that has a permission profile with this permission can manage the Layer.
Workflow

1. Give Layer permissions to an administrator profile.


2. Assign the permission profile to the Layer.

To give Layer permissions to an administrator profile


1. In the Profile object, in the Access Control > Policy section, select Edit Layer by the
selected profiles in a layer editor.
2. Click OK.

To assign a permission profile to a Layer


1. In SmartConsole, click Menu > Manage policies and layers.
2. In the left pane, click Layers.
3. Select a Layer.

4. Click Edit.
5. In the left pane, select Permissions.

6. Click +
7. Select a profile with Layer permissions.
8. Click OK.
9. Click Close.
10. Publish the SmartConsole session.

Configuring Permissions for Access Control and Threat Prevention
In the permission profile object, select the features and the Read or Write administrator
permissions for them.
n Access Control
To edit a Layer, a user must have permissions for all Software Blades in the Layer.
In the Actions section:
l Install Policy - Install the Access Control Policy on Security Gateways.
l Application & URL Filtering Update - Download and install new packages of
applications and websites, to use in access rules.
n Threat Prevention
In the Actions section:
l Install Policy - Install the Threat Prevention Policy on Security Gateways.
l IPS Update - Download and install new packages for IPS protections.

Configuring Permissions for Monitoring, Logging, Events, and Reports
In the Profile object, select the features and the Read or Write administrator permissions for
them.
n Monitoring and Logging Features
These are some of the available features:
l Monitoring
l Management Logs
l Track Logs
l Application and URL Filtering Logs
n Events and Reports Features
These are the permissions for SmartEvent:
l SmartEvent
o Events - views in SmartConsole > Logs & Events
o Policy - SmartEvent Policy and Settings on SmartEvent GUI.
o Reports - in SmartConsole > Logs & Events
l SmartEvent Application & URL Filtering reports only

Defining Trusted Clients


To limit the access to the Security Management Server from a specified list of hosts, you must
configure Trusted Clients.
You can configure Trusted Clients in these ways:

Trusted Client Definition   Description
Any                         All hosts
IPv4 Address                A single host with the specified IPv4 address
IPv4 Address Range          Hosts with IPv4 addresses in the specified range
IPv4 Netmask                Hosts with IPv4 addresses in the subnet defined by the specified
                            IPv4 address and netmask
IPv6 Address                A single host with the specified IPv6 address
IPv6 Address Range          Hosts with IPv6 addresses in the specified range
IPv6 Netmask                Hosts with IPv6 addresses in the subnet defined by the specified
                            IPv6 address and netmask
Name                        A host with the specified hostname
                            Note - The hostname refers to a fixed IP address. If the IP
                            address changes, the GUI displays an error.
Wild cards (IP only)        Hosts with IP addresses described by the specified regular
                            expression

Administrators with Super User permissions can add, edit, or delete trusted clients in
SmartConsole.
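The matching behaviour of each definition type in the table above, as an added example that is not Check Point's code: a small Python evaluator that checks a connecting client's source address against a list of Trusted Client objects. The value formats, the sample client list and the stand-in hostname resolver are assumptions constructed for this example.

```python
"""Added example: evaluate a GUI client's source address against Trusted Client
definitions of the kinds listed in the table above. Illustrative code, not
Check Point's implementation."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TrustedClient:
    name: str   # unique object name
    kind: str   # one of the definition types in the table above
    value: str = ""
    # value format per kind (chosen for this example, not a Check Point format):
    #   "IPv4 Address" / "IPv6 Address"             -> "192.0.2.10"
    #   "IPv4 Address Range" / "IPv6 Address Range" -> "first-last"
    #   "IPv4 Netmask" / "IPv6 Netmask"             -> "address/netmask" or "address/prefixlen"
    #   "Name"                                      -> hostname, resolved to a fixed IP
    #   "Wild cards (IP only)"                      -> regular expression matched against the whole address
    #   "Any"                                       -> unused


def _matches(client: TrustedClient, ip, resolver: Dict[str, str]) -> bool:
    kind = client.kind
    if kind == "Any":
        return True
    if kind in ("IPv4 Address", "IPv6 Address"):
        return ip == ipaddress.ip_address(client.value)   # False across IP versions
    if kind in ("IPv4 Address Range", "IPv6 Address Range"):
        first, last = (ipaddress.ip_address(p.strip()) for p in client.value.split("-", 1))
        # version check first: ordering an IPv4 against an IPv6 address raises TypeError
        return ip.version == first.version and first <= ip <= last
    if kind in ("IPv4 Netmask", "IPv6 Netmask"):
        net = ipaddress.ip_network(client.value, strict=False)   # accepts dotted netmasks
        return ip.version == net.version and ip in net
    if kind == "Name":
        # The page notes a Name refers to a fixed IP; an unresolvable name simply never matches.
        fixed = resolver.get(client.value)
        return fixed is not None and ip == ipaddress.ip_address(fixed)
    if kind == "Wild cards (IP only)":
        # fullmatch on the canonical address string, so "10\.1\..*" cannot match "110.1.2.3"
        return re.fullmatch(client.value, str(ip)) is not None
    raise ValueError(f"unknown trusted client type: {kind!r}")


def is_trusted(addr: str, clients: List[TrustedClient],
               resolver: Optional[Dict[str, str]] = None) -> Tuple[bool, Optional[str]]:
    """Return (allowed, name of the first matching Trusted Client) for a source address.

    Raises ValueError if addr is not a valid IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(addr)
    for client in clients:
        if _matches(client, ip, resolver or {}):
            return True, client.name
    return False, None


# Constructed sample Trusted Client list (not from the page).
SAMPLE_CLIENTS = [
    TrustedClient("ops-jump-host", "IPv4 Address", "192.0.2.10"),
    TrustedClient("noc-workstations", "IPv4 Address Range", "192.0.2.100-192.0.2.150"),
    TrustedClient("mgmt-subnet", "IPv4 Netmask", "10.20.30.0/255.255.255.0"),
    TrustedClient("v6-admin-net", "IPv6 Netmask", "2001:db8:1::/48"),
    TrustedClient("v6-bastion", "IPv6 Address", "2001:db8::5"),
    TrustedClient("build-server", "Name", "build.example.test"),
    TrustedClient("lab-wildcard", "Wild cards (IP only)", r"10\.99\.\d{1,3}\.\d{1,3}"),
]
# Constructed stand-in for DNS, so the example runs offline.
SAMPLE_RESOLVER = {"build.example.test": "198.51.100.7"}

if __name__ == "__main__":
    for probe in ("192.0.2.10", "192.0.2.151", "10.20.30.77", "2001:db8:1::abcd", "10.99.3.200"):
        print(probe, is_trusted(probe, SAMPLE_CLIENTS, SAMPLE_RESOLVER))
```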




Adding a new trusted client

1. In SmartConsole, go to Manage & Settings > Permissions & Administrators > Trusted Clients.
2. Click New.
The New Trusted Client window opens.
3. Enter a unique name for the client.
4. Select a client type and configure corresponding values:
   - Any - No values to configure
   - IPv4 Address - Enter an IPv4 address of a host
   - IPv4 Address Range - Enter the first and the last address of an IPv4 address range
   - IPv4 Netmask - Enter the IPv4 address and the netmask
   - IPv6 Address - Enter an IPv6 address of a host
   - IPv6 Address Range - Enter the first and the last address of an IPv6 address range
   - IPv6 Netmask - Enter the IPv6 address and the netmask
   - Name - Enter a host name
   - Wild cards (IP only) - Enter a regular expression that describes a set of IP addresses
5. Click OK.

Modifying trusted client settings

1. In SmartConsole, go to Manage & Settings > Permissions & Administrators > Trusted Clients.
2. Double-click the client you want to edit.
3. In the Trusted Client configuration window that opens, change the settings as
needed.
4. Click OK.




Deleting a trusted client

1. In SmartConsole, go to Manage & Settings > Permissions & Administrators > Trusted Clients.
2. Select a trusted client and click Delete.
The confirmation window opens.
3. Click Yes to confirm.

Note - Administrators can also configure the GUI Clients in the Check Point
Configuration Tool on the Security Management Server (see "cpconfig" on page 764).




Session Flow for Administrators


In SmartConsole, administrators work with sessions. A session is created each time an
administrator logs into SmartConsole. Changes made in the session are saved automatically.
You can generate a changes report to show you all the changes made in a session. These
changes are private and available only to the administrator. To avoid configuration conflicts,
other administrators see a lock icon on objects and rules that are being edited in other
sessions.
Administrators can publish or discard their private changes. To include private changes in the
policy installation, you must publish your changes in the session. This is also true if you want to
make your private changes available to other administrators. Unpublished changes from other
sessions are not included in the policy installation.

Before you publish a session, we recommend that you give the session a name and add a brief
description that documents the work process.

Publishing a Session
The validations pane in SmartConsole shows configuration error messages. Examples of
errors are object names that are not unique, or the use of objects that are not valid in the Rule
Base. Make sure you correct these errors before publishing.

To publish a SmartConsole session


On the SmartConsole toolbar, click Publish. When a session is published, a new database
version is created and shows in the list of database revisions.

To add a name or description to a session

1. In the SmartConsole toolbar, click Session.
   The Session Details window opens.
2. Enter a name for the database version.
3. Enter a description.
4. Click OK.

To discard a session
In the SmartConsole toolbar, click Discard.




Working in SmartConsole Session View


The Session view shows all unpublished sessions in the system. The view shows the sessions
of the current administrator, sessions of other administrators and sessions from other
applications. The columns in the view can be customized and show the session owner, name,
description, connection mode, number of private changes, number of locks, application and
other values.
To see session information, click Manage & Settings > Sessions > View Sessions.
Actions available to administrators on private sessions are determined by the Manage
Sessions permission on their profile.

Administrators without the Manage Sessions permission can:
- Publish and discard their own sessions
- See sessions opened by other administrators, the number of locks they have and the
  number of changes they have made
- Take over sessions created by applications, for example sessions created by the API
  command line tool

Administrators with the Manage Sessions permission can:
- Publish and discard their own sessions
- See sessions opened by other administrators, the number of locks they have and the
  number of changes they have made
- Publish & Disconnect the private sessions of other administrators. The action applies to
  both SmartConsole sessions and command line API sessions.
- Discard & Disconnect the private sessions of other administrators
- Disconnect another administrator's private session
- Take over sessions created by applications, for example sessions created by the API
  command line tool
- Take over the private sessions of other administrators.
  Note - If you want to keep changes made in your own private session, publish these
  changes before you take over the session of another administrator. If you do not publish
  your changes, you will lose them. When you take over, you disconnect the other
  administrator's SmartConsole session.




Viewing Changes Made in Private Sessions


You can generate a report that shows the changes made in a specific session, either your
current session or a different one. Tracking the changes made in sessions lets you monitor
what was changed and troubleshoot bugs.
The change report only details changes in policy rules and common network objects. For more
details, see: sk166435.
To view the changes made in your current session:

Click the Changes button on the toolbar.

A report is generated which shows the changes made in the current private session.

To view the changes made in any session of your choice:


1. In SmartConsole, go to the Manage & Settings view > Sessions > View Sessions.
The list of sessions appears.
2. Click on the required session.
3. Click the Changes button on the toolbar.
A changes report is generated.
The report shows a comparison between the selected private sessions.

Note - There is inconsistency between the number of changes which appears in the
session toolbar and the Revisions view.

Taking over locked objects from administrators with inactive sessions
If there are locked objects in SmartConsole by administrators with inactive sessions, but the
relevant administrators are currently unavailable to log back in to SmartConsole and remove
the lock, you can take over their sessions.

To take over inactive sessions of other administrators:


1. Log in to SmartConsole with a different administrator account.
2. Go to Manage & Settings > Sessions > View Sessions.
3. Right-click the relevant sessions of the administrator who owns the locked objects and
select Take over.
You can now open the relevant object and publish or discard changes to remove the lock.




Administrators Working with Multiple Sessions


Administrators working with multiple sessions can open multiple additional private sessions
without publishing changes made in the current private session.

Use Case
Suppose you are making changes in a private session and are asked to solve some immediate
problem. The task involves making a change and publishing it. You do not wish to publish or
discard your current private session.
You open a new private session, make the change required to resolve the issue, publish the
change, then return to your previous private session.
To do this, you need to work with multiple sessions. To switch on multiple sessions, you need
the Manage Sessions permission selected on your administrator profile.

To enable working in multiple sessions


1. Open the relevant permission profile.
2. Make sure the Manage Sessions permission is selected on the Management page.
3. Open SmartConsole > Manage & Settings View > Sessions > Advanced.
4. Select Each administrator can manage multiple SmartConsole sessions at the same
time.
5. Publish the change.

When working with multiple sessions, you can:
- Open and manage multiple sessions to the Security Management Server using the same
  administrator account
- Switch between the active session and previously saved sessions
- Publish, discard and disconnect other sessions
- Take over other sessions

Note - When an Administrator is connected to SmartConsole and opens another
SmartConsole session, the first session is not disconnected, and the Administrator
does not receive notification that the first session is still active.

The SmartConsole Session menu


After multiple sessions are enabled, the SmartConsole Session menu has these new options:




Option - Description

- Edit sessions details - Lets you change the session name and description.
- Create new session
  - In the current window - Opens a new session in the current SmartConsole
  - In a new window - Opens a new session in a new SmartConsole
- Recent - Shows a list of recent sessions. Selecting a session opens the session in the
  current SmartConsole
- More - Opens the Open Session window that shows sessions that you previously created
  and saved.
  - Sessions shown in this window are owned by the current administrator in the current
    domain.
  - The Open Session > Actions menu has options to open a saved session in the current
    SmartConsole or open the session in a new SmartConsole.

The SmartConsole Session View


When multiple sessions are enabled, you can perform these additional actions:

Action - You can:

- For sessions that you own:
  - Discard and Disconnect
  - Publish and Disconnect
  - Disconnect
  - Open an older session
- For sessions owned by other administrators that have made private changes:
  - Publish and Disconnect their changes
  - Discard and Disconnect
  - Disconnect
  - Take over their changes
- For sessions owned by other administrators that have not made private changes:
  - Disconnect
  - Take over




Notes:
- When you work in single session, you need to publish or discard your changes before
  you take over another session. In multiple sessions, you do not have to publish or
  discard your session before you take over the session of another administrator.
- In multiple sessions, an administrator who connects from another desktop to an already
  connected session can still take over the connected session by default.

Switching between Multiple and Single Session


If the session management settings switch from multiple SmartConsole sessions to allow only
a single SmartConsole session at a time, administrators:
- Can still publish, discard and open sessions that they own.
- Cannot create new sessions until they have published or discarded all their unpublished
  sessions with private changes.
- Cannot take over the sessions of other administrators or applications (for example,
  sessions created with API commands in the mgmt_cli utility) until they have published or
  discarded all their previously saved private sessions.




Approval Cycle for Sessions (SmartWorkflow and Identity Provider)
Lets administrators approve changes in sessions made by other administrators.

Use Case
This feature gives you the option to review and approve configuration changes made by other
administrators before publishing them. You can define which administrators must submit their
changes for approval and which administrators are authorized to approve changes.

Configuration
1. Create a new permission profile for the Administrator "A" whose changes require approval:
   a. In SmartConsole, go to Manage & Settings > Permissions & Administrators >
      Permission Profiles > New Profile.
      The New Profile window opens.
   b. In the Overview page, select Read/Write All or Customized.
   c. In the Management page, clear the Publish sessions without an approval option.
   d. Configure the rest of the profile settings, click OK, and publish the changes.

2. Create a new administrator account for the Administrator "A" whose changes require
   approval:
   a. In SmartConsole, go to Manage & Settings > Permissions & Administrators >
      Administrators > New Administrator.
      The New Profile window opens.
   b. Configure the Administrator name and other properties, and in the Permission
      Profile field, select the profile you created for this administrator.
   c. Click OK.

3. Create a new permission profile for the Administrator "B" who approves the changes:
   a. In SmartConsole, go to Manage & Settings > Permissions & Administrators >
      Permission Profiles > New Profile.
      The New Profile window opens.
   b. In the Overview page, select Read/Write All or Customized.
   c. In the Management page, select Approve/reject other sessions.




   d. Configure the rest of the profile settings, and click OK.

4. Create a new administrator account for the Administrator "B" who approves the changes:
   a. In SmartConsole, go to Manage & Settings > Permissions & Administrators >
      Administrators > New Administrator.
      The New Profile window opens.
   b. Configure the Administrator name and other properties, and in the Permission
      Profile field, select the profile you created for this administrator.
   c. Click OK and publish your changes.

5. To submit your changes for approval, in SmartConsole's top toolbar, click Submit Request.
   Note - If Administrator "A" tries to install policy before his changes are approved, a
   message shows up indicating the changes must be submitted for approval first.

   Each time Administrator "A" makes changes in the SmartConsole configuration:
   - After Administrator "A" modifies a rule in the Rule Base and clicks Submit,
     SmartConsole locks this rule for further changes and shows a padlock icon.
   - After Administrator "A" modifies an object and clicks Submit, SmartConsole locks this
     object for further changes. You can only view the object properties (right-click the
     object > View).

Note - To see the status of all sessions, go to Manage & Settings >
Sessions > View Sessions.

6. Administrator "B" reviews and approves the changes:


Note - If you have sessions which are pending approval, a notification with
the number of sessions pending approval appears next to the Manage &
Settings tab and next to the View Sessions tab.

   a. In SmartConsole, go to Manage & Settings > Sessions > View Sessions.
   b. Right-click a session that is pending approval.
   c. To review the changes, select Review change report from the drop-down menu.




   d. After you have reviewed the changes, right-click the session and select one of these
      options from the drop-down menu:
      - To publish the session, select Approve. After the session is published,
        Administrator "A" can install policy.
      - To return the session to the submitter to fix, select Reject. If you select this
        option, you return the session to Administrator "A". A window opens and you must
        provide the return justification.

7. Administrator "A" sees the notifications of the reviewed sessions in the Manage & Settings
tab and the View Sessions tab.

To fix a session, click a session and select open session from the drop-down menu.

Notes:
- To get email notifications about session updates, go to Manage & Settings >
  SmartTasks, and configure the applicable SmartTask (see "SmartTasks" on page 621).
- To be able to save changes in the Database Tool or in SmartProvisioning, you must have
  permission to publish your changes without an approval. If the Publish sessions without
  an approval option is cleared, you cannot save changes in the Database Tool or in
  SmartProvisioning.




Setting up for Team Work


As an administrator, you can delegate tasks, such as defining objects and users, to other
administrators. Make sure to create administrator accounts (see "Managing Administrator
Accounts" on page 75) with the privileges that are required to accomplish those tasks.
If you are the only administrator, we recommend that you create a second administrator
account with Read Only permissions, which is useful for troubleshooting, consultation, or
auditing.




Managing User Accounts


A user account is an object that represents a user that generates traffic in a Check Point
environment. The Management Server administrators create, manage and monitor user
accounts. The Security Gateway lets you control access privileges for authenticated users.
The administrator uses the Security Rule Base to restrict or give users access to specified
resources. Users are unaware of the groups to which they belong. Limiting access to
sensitive information and resources to authorized users only ensures the security of the
organization's network and data.
Users authenticate to Security Gateways. Check Point supports different Authentication
Methods for users.

All users are configured directly in SmartConsole (in contrast to users configured on external
servers, such as Active Directory), and are stored on the Management Server in the
management database.
When an administrator installs a policy, the Management Server copies the applicable user
data to the managed Security Gateway.
When an administrator installs a database (Menu > Install Database), the Management
Server copies the applicable user data to the managed servers (for example, the Log Server).

Creating a User Account


When you create a user account through SmartConsole, you can select one of these
authentication methods:

Authentication Method - Description

Check Point Password
  Check Point password is a static password that is configured in SmartConsole. The local
  database on the Security Gateway stores the password. No additional software is required.
  See "Creating a User Account with Check Point Password Authentication" on page 146.

OS Password
  OS Password is stored on the operating system of the computer on which the Security
  Gateway is installed. You can also use passwords that are stored in a Windows domain. No
  additional software is required.
  See "Creating a User Account with OS Password Authentication" on page 150.

RADIUS
  Remote Authentication Dial-In User Service (RADIUS) is an external authentication method
  that provides security and scalability by separating the authentication function from the
  access server.
  With RADIUS, the Security Gateway lets you control access privileges for authenticated
  RADIUS users, based on the administrator's assignment of users to RADIUS groups. These
  groups are used in the Security Rule Base to restrict or give users access to specified
  resources. Users are unaware of the groups to which they belong.
  The Security Gateway forwards authentication requests by remote users to the RADIUS
  server. The RADIUS server, which stores user account information, does the authentication.
  The RADIUS protocol uses UDP to communicate with the Security Gateway.
  To use RADIUS groups, you must define a return attribute in the RADIUS user profile of the
  RADIUS server. This attribute is returned to the Security Gateway and contains the group
  name (for example, RAD_<group to which the RADIUS users belong>) to which the users
  belong.
  For the Gaia operating system, use the attribute "Vendor-Specific" (26) - refer to RFC 2865.
  See "Creating a User Account with RADIUS Server Authentication" on page 154.

TACACS
  Terminal Access Controller Access Control System (TACACS) provides access control for
  routers, network access servers and other networked devices through one or more
  centralized servers.
  TACACS is an external authentication method that provides verification services. With
  TACACS, the Security Gateway forwards authentication requests by remote users to the
  TACACS server. The TACACS server, which stores user account information, authenticates
  users. The system supports physical card key devices or token cards and Kerberos secret
  key authentication. TACACS encrypts the user name, password, authentication services and
  accounting information of all authentication requests to make sure communication is secure.
  See "Creating a User Account with TACACS Server Authentication" on page 161.

SecurID
  SecurID requires users to both possess a token authenticator and to supply a PIN or
  password. Token authenticators generate one-time passwords that are synchronized to an
  RSA Authentication Manager (AM) and may come in the form of hardware or software.
  Hardware tokens are key-ring or credit card-sized devices. Software tokens reside on the PC
  or device from which the user wants to authenticate. All tokens generate a random, one-time
  use access code that changes approximately every minute. When a user attempts to
  authenticate to a protected resource, the one-time use code must be validated by the AM.
  The Security Gateway forwards authentication requests by remote users to the AM. The AM
  manages the database of RSA users and their assigned hard or soft tokens. The Security
  Gateway acts as an AM agent and directs all access requests to the AM for authentication.
  For more information on agent configuration, refer to RSA Authentication Manager
  documentation. There are no specific parameters required for the SecurID authentication
  method. Authentication requests can be sent over SDK-supported API or through REST API.
  See "Creating a User Account with SecurID Authentication" on page 168.
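An added example (not Check Point's RADIUS client) of the RADIUS group mechanism described above: decoding RFC 2865 Vendor-Specific (26) attributes from a constructed Access-Accept and extracting the RAD_<group> names the gateway would map to RADIUS groups. Check Point's IANA enterprise number used as the vendor id and the vendor sub-attribute type in the sample are assumptions not taken from this page.

```python
"""Added example: extract RAD_<group> names from Vendor-Specific (26) attributes of a
RADIUS Access-Accept, the attribute the table above names for Gaia. Illustrative code,
not Check Point's own RADIUS client; the sample attribute list below is constructed."""
import struct
from typing import List, Tuple

VENDOR_SPECIFIC = 26     # RFC 2865 section 5.26
# Check Point's IANA private enterprise number. It is not stated on this page; change it
# if your RADIUS dictionary uses a different vendor id.
CHECKPOINT_VENDOR_ID = 2620
GROUP_PREFIX = "RAD_"    # group naming convention from the table above


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting truncated or overlong items."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = blob[i], blob[i + 1]          # length covers type and length octets
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def parse_vsa(value: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Decode a Vendor-Specific value: 4-byte Vendor-Id, then (vendor type, vendor length, data) items."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    items, i = [], 4
    while i < len(value):
        if len(value) - i < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[i], value[i + 1]
        if vlen < 2 or i + vlen > len(value):
            raise ValueError("bad vendor sub-attribute length %d" % vlen)
        items.append((vtype, value[i + 2:i + vlen]))
        i += vlen
    return vendor_id, items


def radius_groups(attr_blob: bytes, vendor_id: int = CHECKPOINT_VENDOR_ID) -> List[str]:
    """Return the RAD_ group names carried in Vendor-Specific attributes of the given vendor."""
    groups: List[str] = []
    for atype, value in parse_attributes(attr_blob):
        if atype != VENDOR_SPECIFIC:
            continue                    # Reply-Message, Class, etc. are not group carriers here
        vid, items = parse_vsa(value)
        if vid != vendor_id:
            continue                    # another vendor's VSA: ignore even if it looks like a group
        for _vtype, data in items:
            text = data.decode("utf-8", errors="replace")
            if text.startswith(GROUP_PREFIX) and text not in groups:
                groups.append(text)
    return groups


def build_attribute(atype: int, data: bytes) -> bytes:
    """Encode one attribute; RADIUS lengths are one octet, so data is capped at 253 bytes."""
    if len(data) > 253:
        raise ValueError("attribute data too long")
    return bytes([atype, 2 + len(data)]) + data


def build_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Encode a Vendor-Specific attribute carrying a single vendor sub-attribute."""
    inner = bytes([vendor_type, 2 + len(data)]) + data
    return build_attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


# Constructed Access-Accept attribute list. Vendor type 1 is a placeholder chosen for this
# sample, not a value taken from the page or from a Check Point RADIUS dictionary.
SAMPLE_ACCEPT = (
    build_attribute(18, b"Welcome")                          # Reply-Message
    + build_vsa(CHECKPOINT_VENDOR_ID, 1, b"RAD_vpn_users")
    + build_vsa(9, 1, b"RAD_not_for_us")                     # another vendor's VSA
    + build_attribute(25, b"RAD_in_class_attribute")         # Class, not a VSA
    + build_vsa(CHECKPOINT_VENDOR_ID, 1, b"RAD_remote_admins")
    + build_vsa(CHECKPOINT_VENDOR_ID, 1, b"not a group")
)

if __name__ == "__main__":
    print(radius_groups(SAMPLE_ACCEPT))   # ['RAD_vpn_users', 'RAD_remote_admins']
```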

Important - If you do not select an authentication method, the user cannot log in or
use network resources.

After you configure authentication with one of the Check Point authentication methods, you
can, in addition, create a certificate file for the user. The user can authenticate to the Security
Gateway with one of the Check Point authentication methods or with a certificate file.

You create the certificate file in SmartConsole, and the user can log in to the Security Gateway
with the certificate file in two ways:
- Log in to Security Gateway with the Certificate File option. The user must provide the
  password to use the certificate file.
- You can import the certificate file to the Windows Certificate Store on the Microsoft
  Windows SmartConsole computer. The user can use this stored certificate to log in to the
  Security Gateway with the CAPI Certificate option. The user does not need to provide a
  password to log in.




Changing an Existing User


Procedure

1. In the Object Explorer, click User/Identity > Users.
2. Double-click a user.
   The User window opens.
3. Change the properties as necessary.
4. Click OK.

Deleting a User
Procedure

1. In the Object Explorer, click User/Identity > Users.
2. Right-click the account and select Delete.
   The confirmation window opens.
3. Click Yes.




Managing User Groups


User groups are collections of user accounts. Add the user group to the Source or Destination
of a rule. You cannot add individual users to a rule.
You can also edit user groups, and delete user groups that are not used in the Rule Base.
To create a new user group

1. In the Object Explorer (F11), click New > More > User/Identity > User Group.
   The New User Group window opens.
2. Enter a name for the new group.
3. For each user or user group, click the [+] sign and select the object from the list.
4. Configure the optional settings:
   - Mailing List Address
   - Comment
   - Tag
   - Color
5. Click OK.

To add new users or other user groups to a group

1. In the Object Explorer (F11), select Object Categories > Users/Identities > User
   Groups.
2. Right-click the user group and click Edit.
   The User Group window opens.
3. Click +.
4. Select users or user groups.
5. Click OK.




Configuring Default Expiration Settings for Users
If a user account is about to expire, notifications show when you open the properties of the
user in SmartConsole.
Procedure

1. From the main Menu, select Global Properties.
   The Global Properties window opens.
2. Click User Accounts.
3. Select Expire at or Expire after.
   - Expire at - Select the expiration date from the calendar control.
   - Expire after - Enter the number of days (from the day the account is made)
     before user accounts expire.
4. Select Show accounts expiration indication, and enter the number of days.
   Expiration warnings in the SmartConsole user object show this number of days before
   an account expires. During this time, if the user account is to be active for longer, you
   can edit the user account expiration configuration. This prevents loss of working time.




Managing Users
All users are configured directly in SmartConsole (in contrast to users configured on external
servers, such as Active Directory), and are stored on the Management Server in the
management database.
When an administrator installs a policy, the Management Server copies the applicable user
data to the managed Security Gateway.
When an administrator installs a database (Menu > Install Database), the Management
Server copies the applicable user data to the managed servers (for example, Log Server).

Creating a New User Template


A user template configures a profile - all new users, for which you select this user template,
automatically get these settings. You can override these template settings in each user object.
1. In the top right corner, click the Objects panel.
2. Click New > More > User/Identity > User Template.
The New User Template window opens.
3. In the top field, enter the applicable object name.
4. Optional: Enter the comment.
5. On the General page, configure the expiration for this object:
   - According to Global Properties
   - Expire at
     This is the date, after which the user is no longer authorized to access network
     resources and applications.
6. On the Groups page, select the applicable user group objects.
All new users, for which you select this user template, are automatically added to these
user groups.
7. On the Authentication page, select the authentication method:
   - Undefined
   - Check Point Password
   - OS Password
   - SecurID
   - RADIUS
   - TACACS
8. On the Location page:
a. Configure the allowed sources from which this user can access or send data and
traffic.
These objects must already exist before you can select them.
b. Configure the allowed destinations to which this user can access or send data and
traffic.
These objects must already exist before you can select them.
9. On the Time page, configure the applicable working days or hours, when the users can
be authenticated for access.
10. On the Encryption page, configure the IKEv2 authentication and encryption settings for
Remote Access VPN.
a. Select IKE.
b. Click Edit.
The encryption IKE Phase 2 Properties window opens.
    c. On the Authentication page, select the authentication schemes:
       i. Password - The user authenticates with a pre-shared secret password.
       ii. Public Key - The user authenticates with a public key contained in a
           certificate file.
    d. Click OK.

11. Click OK.
12. Publish the SmartConsole session.

Creating a New User


See:
- "Creating a User Account with Check Point Password Authentication" on page 146
- "Creating a User Account with OS Password Authentication" on page 150
- "Creating a User Account with RADIUS Server Authentication" on page 154
- "Creating a User Account with TACACS Server Authentication" on page 161
- "Creating a User Account with SecurID Authentication" on page 168




Editing an Existing User


1. In the top right corner, click the Objects panel.
2. In the list of Object Categories, click Users/Identities.
3. Click Users.
4. Double-click the applicable user object.
   The User window opens.
5. Configure the required settings.
6. Click OK.
7. Publish the SmartConsole session.
8. Install the Access Control Policy.

Deleting a User
1. In the top right corner, click the Objects panel.
2. In the list of Object Categories, click Users/Identities.
3. Click Users.
4. Right-click the user object and select Delete.
5. Click Yes to confirm.
6. Publish the SmartConsole session.
7. Install the Access Control Policy.




Configuring Default Expiration Settings for Users


If a user account is about to expire, notifications show when you open the properties of the
user in SmartConsole.
To configure the default expiration settings
1. From the Menu, select Global Properties.
The Global Properties window opens.
2. Click User Accounts.
3. Select Expire at or Expire after.
   - Expire at - Select the expiration date from the calendar control.
   - Expire after - Enter the number of days (from the day the account is made) before
     user accounts expire.
4. Select Show accounts expiration indication, and enter the number of days.
Expiration warnings in the SmartConsole User object show this number of days before
an account expires. During this time, if the user account is to be active for longer, you can
edit the user account expiration configuration. This will avoid loss of working time.
5. Click OK.
6. Publish the SmartConsole session.




Creating a User Account with Check Point Password Authentication
Check Point password is a static password that is configured in SmartConsole. The local
database on the Security Gateway stores the password. No additional software is required.
After you configure authentication with a Check Point password, you can, in addition, configure
authentication with a certificate file. The user can then authenticate to the Security Gateway
with the Check Point password or the certificate file.

To create a new user with Check Point password authentication


1. In the top right corner, click the Objects panel.

2. Click New > More > User/Identity > User.


The New User window opens.
3. Choose the applicable user template and click OK.
4. In the top field, enter the applicable object name.
This must be a unique, case sensitive character string.
If you generate a user certificate with a non-Check Point Certificate Authority, enter the
Common Name (CN) component of the Distinguished Name (DN).
For example:

If the DN is: CN = James, O = My Organization, C = My Country


then enter James as the user name.

If you use Common Names as user names, they must contain exactly one string with no
spaces.
5. Optional: Enter the comment.
6. On the General page, configure the applicable settings:
- Email address (optional)
- Mobile phone number (optional)

- Expire at
This is the date after which the user is no longer authorized to access network
resources and applications.
The default expiration date is configured in Menu > Global Properties > User
Accounts > Expiration Date.
7. On the Groups page, you can select the applicable user group objects (in addition to
or instead of those configured in the user template).
8. On the Authentication page:
a. In the Authentication method field, select Check Point Password.

Important - If you do not select an authentication method, the user cannot
log in or use network resources.

b. Click Set new password.


9. On the Location page:
a. Configure the allowed sources from which this user can access or send data and
traffic.
These objects must already exist before you can select them.
b. Configure the allowed destinations to which this user can access or send data and
traffic.
These objects must already exist before you can select them.

10. On the Time page:


If the user has specific working days or hours, you can configure when the user can be
authenticated for access.
- From and To - Enter start time and end time of an expected workday. This user will
not be authenticated if a login attempt is made at a time outside the given range.
- Days in week or Daily - Select the days on which the user can authenticate and
access resources. This user will not be authenticated if a login attempt is made on
an unselected day.
11. On the Certificates page:
You can configure the applicable certificates for this user for more secured access
control.

a. Click New.
b. Select the applicable option:
- Registration Key for certificate enrollment
Sends a registration key that activates the certificate.
i. Enter the number of days the user has to activate the certificate, before
the registration key expires.
ii. Optional: Enter a comment.
iii. Optional: Click Template to preview the email template.
iv. Click Send.

v. Click OK to save this key.


- Certificate file (p12)
Creates a *.p12 certificate file with a private password for the user.
i. Enter and confirm the certificate password.
A password is required to protect the sensitive data in the certificate file.
ii. Optional: Enter a comment.
iii. Click OK.
iv. Wait for the Save As window to open.

v. In the File name field, make sure to include the username.


vi. In the Save as type field, select Certificate Files (*p12).
The certificate file is in the PKCS #12 format, and has a .p12
extension.
vii. Browse to a secure location on the SmartConsole computer.
viii. Click Save.
ix. Give the user this file and password.
c. Click OK.

Notes:
- If a user will not be in the system for some time (for example, going on an
extended leave), you can revoke the certificate. This leaves the user
account in the system, but it cannot be accessed until you renew the
certificate.
- To revoke a key / certificate, select the key / certificate and click Revoke.

12. On the Encryption page:

You can configure the IKEv2 authentication and encryption settings for Remote Access
VPN.
a. Select IKE.
b. Click Edit.
The encryption IKE Phase 2 Properties window opens.
c. On the Authentication page, select the authentication schemes:
i. Password - The user authenticates with a pre-shared secret password.
ii. Public Key - The user authenticates with a public key contained in a
certificate file.
d. On the Encryption page, there are no settings to configure.
You configure these algorithms in SmartConsole > Global Properties > Remote
Access > VPN - Authentication > section Encryption algorithms.
e. Click OK.
13. Click OK.
14. Publish the SmartConsole session.
15. Install the Access Control Policy.

Creating a User Account with OS Password Authentication
OS Password is stored on the operating system of the computer on which the Security
Gateway is installed. You can also use passwords that are stored in a Windows domain. No
additional software is required.
After you configure authentication with an operating system password, you can, in addition,
configure authentication with a certificate file. The user can then authenticate to the Security
Gateway with the operating system password or the certificate file.

To create a new user with OS password authentication

1. In the top right corner, click the Objects panel.


2. Click New > More > User/Identity > User.
The New User window opens.
3. Choose the applicable user template and click OK.
4. In the top field, enter the applicable object name.
This must be a unique, case sensitive character string.
If you generate a user certificate with a non-Check Point Certificate Authority, enter the
Common Name (CN) component of the Distinguished Name (DN).

For example:
If the DN is: CN = James, O = My Organization, C = My Country

then enter James as the user name.


If you use Common Names as user names, they must contain exactly one string with no
spaces.
5. Optional: Enter the comment.
6. On the General page, configure the applicable settings:
- Email address (optional)
- Mobile phone number (optional)

- Expire at
This is the date after which the user is no longer authorized to access network
resources and applications.
The default expiration date is configured in Menu > Global Properties > User
Accounts > Expiration Date.
7. On the Groups page, you can select the applicable user group objects (in addition to
or instead of those configured in the user template).
8. On the Authentication page:
a. In the Authentication method field, select OS Password.

Important - If you do not select an authentication method, the user cannot
log in or use network resources.

b. Click Set new password.


9. On the Location page:
a. Configure the allowed sources from which this user can access or send data and
traffic.
These objects must already exist before you can select them.
b. Configure the allowed destinations to which this user can access or send data and
traffic.
These objects must already exist before you can select them.

10. On the Time page:


If the user has specific working days or hours, you can configure when the user can be
authenticated for access.
- From and To - Enter start time and end time of an expected workday. This user will
not be authenticated if a login attempt is made at a time outside the given range.
- Days in week or Daily - Select the days on which the user can authenticate and
access resources. This user will not be authenticated if a login attempt is made on
an unselected day.
11. On the Certificates page:
You can configure the applicable certificates for this user for more secured access
control.

a. Click New.
b. Select the applicable option:
- Registration Key for certificate enrollment
Sends a registration key that activates the certificate.
i. Enter the number of days the user has to activate the certificate, before
the registration key expires.
ii. Optional: Enter a comment.
iii. Optional: Click Template to preview the email template.
iv. Click Send.

v. Click OK to save this key.


- Certificate file (p12)
Creates a *.p12 certificate file with a private password for the user.
i. Enter and confirm the certificate password.
A password is required to protect the sensitive data in the certificate file.
ii. Optional: Enter a comment.
iii. Click OK.
iv. Wait for the Save As window to open.

v. In the File name field, make sure to include the username.


vi. In the Save as type field, select Certificate Files (*p12).
The certificate file is in the PKCS #12 format, and has a .p12
extension.
vii. Browse to a secure location on the SmartConsole computer.
viii. Click Save.
ix. Give the user this file and password.
c. Click OK.

Notes:
- If a user will not be in the system for some time (for example, going on an
extended leave), you can revoke the certificate. This leaves the user
account in the system, but it cannot be accessed until you renew the
certificate.
- To revoke a key / certificate, select the key / certificate and click Revoke.

12. On the Encryption page:

You can configure the IKEv2 authentication and encryption settings for Remote Access
VPN.
a. Select IKE.
b. Click Edit.
The encryption IKE Phase 2 Properties window opens.
c. On the Authentication page, select the authentication schemes:
i. Password - The user authenticates with a pre-shared secret password.
ii. Public Key - The user authenticates with a public key contained in a
certificate file.
d. On the Encryption page, there are no settings to configure.
You configure these algorithms in SmartConsole > Global Properties > Remote
Access > VPN - Authentication > section Encryption algorithms.
e. Click OK.
13. Click OK.
14. Publish the SmartConsole session.
15. Install the Access Control Policy.

Creating a User Account with RADIUS Server Authentication
Remote Authentication Dial-In User Service (RADIUS) is an external authentication method
that provides security and scalability by separating the authentication function from the access
server.
With RADIUS, the Security Gateway lets you control access privileges for authenticated
RADIUS users, based on the administrator's assignment of users to RADIUS groups. These
groups are used in the Security Rule Base to restrict or give users access to specified
resources. Users are unaware of the groups to which they belong.

The Security Gateway forwards authentication requests by remote users to the RADIUS
server. The RADIUS server, which stores user account information, does the authentication.
The RADIUS protocol uses UDP to communicate with the Security Gateway.
To use RADIUS groups, you must define a return attribute in the RADIUS user profile of the
RADIUS server. This attribute is returned to the Security Gateway and contains the group
name (for example, RAD_<group to which the RADIUS users belong>) to which the users
belong.
For the Gaia operating system, use the attribute "Vendor-Specific" (26) - refer to RFC 2865.
To learn how to configure a RADIUS server, refer to the vendor documentation.
Users can perform RADIUS authentication through a RADIUS server or a RADIUS server
group. A RADIUS server group is a high availability group of identical RADIUS servers which
includes any or all the RADIUS servers in the system. When you create the group, you define a
priority for each server in the group. If the server with the highest priority fails, the one with the
next highest priority in the group takes over, and so on. If you assign the same priority to all
RADIUS servers, the Security Gateway will randomly select one of them for authentication.
After you configure authentication with a RADIUS server, you can, in addition, configure
authentication with a certificate file. The user can then authenticate to the Security Gateway
with the RADIUS server or the certificate file.

Configuring RADIUS Authentication for a User


1. In SmartConsole, configure a new RADIUS Server object

a. In the top right corner, click the Objects panel.


b. Click New > More > Server > RADIUS.
c. In the top field, enter the applicable object name.
d. Optional: Enter the comment.

e. In the Host field, click the drop-down arrow, click New.


f. Create a New Host with the IP address of the RADIUS server. Click OK.
g. Make sure that this host shows in the Host field of the New RADIUS window.
h. In the Service field, leave the default value RADIUS.
i. In the Shared Secret field, enter the secret key that you defined previously on
the RADIUS server.
j. In the Version field, leave the default value RADIUS Ver. 1.0.
k. In the Protocol field, leave the default value PAP.
l. In the Priority field, leave the default value 1.

m. Click OK.
n. Publish the SmartConsole session.

2. Create a new user and select RADIUS as the authentication method

a. In the top right corner, click the Objects panel.


b. Click New > More > User/Identity > User.
The New User window opens.
c. Choose the applicable user template and click OK.
d. In the top field, enter the applicable object name.

This must be a unique, case sensitive character string.


If you generate a user certificate with a non-Check Point Certificate Authority,
enter the Common Name (CN) component of the Distinguished Name (DN).

For example:
If the DN is: CN = James, O = My Organization, C = My Country
then enter James as the user name.
If you use Common Names as user names, they must contain exactly one string
with no spaces.
e. Optional: Enter the comment.

f. On the General page, configure the applicable settings:


- Email address (optional)
- Mobile phone number (optional)
- Expire at
This is the date after which the user is no longer authorized to access
network resources and applications.
The default expiration date is configured in Menu > Global Properties >
User Accounts > Expiration Date.
g. On the Groups page, you can select the applicable user group objects (in
addition to or instead of those configured in the user template).

h. On the Authentication page:


i. In the Authentication method field, select RADIUS.
ii. In the RADIUS server field, leave the default value Any or select the
applicable RADIUS server object.

Important - If you do not select an authentication method, the user
cannot log in or use network resources.

i. On the Location page:


i. Configure the allowed sources from which this user can access or send
data and traffic.

These objects must already exist before you can select them.
ii. Configure the allowed destinations to which this user can access or send
data and traffic.

These objects must already exist before you can select them.

j. On the Time page:


If the user has specific working days or hours, you can configure when the user
can be authenticated for access.
- From and To - Enter start time and end time of an expected workday. This
user will not be authenticated if a login attempt is made at a time outside
the given range.
- Days in week or Daily - Select the days on which the user can
authenticate and access resources. This user will not be authenticated if a
login attempt is made on an unselected day.
k. On the Certificates page:
You can configure the applicable certificates for this user for more secured
access control.

i. Click New.
ii. Select the applicable option:
- Registration Key for certificate enrollment
Sends a registration key that activates the certificate.
i. Enter the number of days the user has to activate the
certificate, before the registration key expires.
ii. Optional: Enter a comment.
iii. Optional: Click Template to preview the email template.
iv. Click Send.

v. Click OK to save this key.


- Certificate file (p12)
Creates a *.p12 certificate file with a private password for the user.
i. Enter and confirm the certificate password.
A password is required to protect the sensitive data in the
certificate file.
ii. Optional: Enter a comment.
iii. Click OK.
iv. Wait for the Save As window to open.

v. In the File name field, make sure to include the username.


vi. In the Save as type field, select Certificate Files (*p12).

The certificate file is in the PKCS #12 format, and has a .p12
extension.
vii. Browse to a secure location on the SmartConsole computer.
viii. Click Save.
ix. Give the user this file and password.
iii. Click OK.

Notes:
- If a user will not be in the system for some time (for example,
going on an extended leave), you can revoke the certificate. This
leaves the user account in the system, but it cannot be accessed
until you renew the certificate.
- To revoke a key / certificate, select the key / certificate and click
Revoke.

l. On the Encryption page:


You can configure the IKEv2 authentication and encryption settings for Remote
Access VPN.
i. Select IKE.

ii. Click Edit.


The encryption IKE Phase 2 Properties window opens.
iii. On the Authentication page, select the authentication schemes:
i. Password - The user authenticates with a pre-shared secret
password.
ii. Public Key - The user authenticates with a public key contained in a
certificate file.
iv. On the Encryption page, there are no settings to configure.
You configure these algorithms in SmartConsole > Global Properties >
Remote Access > VPN - Authentication > section Encryption algorithms.

v. Click OK.
m. Click OK.

3. Optional: Configure a RADIUS server group for SmartConsole user authentication


Note - When defining a group of RADIUS servers, all members of the group
must use the same protocol.

a. In SmartConsole, configure all the servers that you want to include in the server
group. For each server, enter its priority in the group. The lower the number is,
the higher the priority. For example, if you create a group with 3 servers, with
priorities 1, 2 and 3, the server with number 1 is approached first, the server with
number 2 second, and the server with number 3, third.
b. Create the server group:
In SmartConsole, go to Object Explorer and click New > Server > More >
RADIUS Group.

c. Configure the group properties and add servers to the group:


i. Give the group a Name. It can be any name.
ii. Click the plus (+) for each server you want to add, and select each server
from the drop-down list.
iii. Click OK.
iv. Publish the SmartConsole session.
d. Add a new user.
e. Publish the SmartConsole session.
f. Install the Access Control Policy.

Granting User Access Using RADIUS Server Groups


The Security Gateway lets you control access privileges for authenticated RADIUS users,
based on the assignment of users to RADIUS groups. These groups are used in the Security
Policy to restrict or give users access to specified resources. Users are unaware of the groups
to which they belong.
To use RADIUS groups, you must define a return attribute in the RADIUS user profile of the
RADIUS server. This attribute is returned to the Security Gateway and contains the group
name (for example, RAD_<group to which the RADIUS users belong>) to which the users
belong.
Use the RADIUS attribute "Vendor-Specific" (26). Refer to RFC 2865.
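The group-name return attribute described here and in the RADIUS introduction above arrives inside a Vendor-Specific (26) attribute laid out as RFC 2865 specifies. The following added example (not Check Point's code) parses the attribute section of a RADIUS Access-Accept, validates every length field so a malformed reply is rejected rather than mis-parsed, and extracts the RAD_-prefixed group names; the vendor ID, vendor-type number and the RAD_ prefix check are placeholder assumptions, not values taken from this guide or from any RADIUS server's dictionary.

```python
"""Added example (not Check Point's code): walk the attribute list of a RADIUS
Access-Accept and extract the group names carried in Vendor-Specific (type 26)
attributes, using the TLV layout of RFC 2865. Vendor ID, vendor-type and the
RAD_ prefix below are placeholders, not values documented in the guide."""
import struct

VENDOR_SPECIFIC = 26
EXAMPLE_VENDOR_ID = 99999   # placeholder; substitute your RADIUS server's vendor ID
EXAMPLE_VENDOR_TYPE = 1     # placeholder vendor-type used for the group attribute
GROUP_PREFIX = "RAD_"       # naming convention assumed for Rule Base group names


def build_attribute(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 section 5: Type(1) Length(1, header included) Value(1..253)."""
    if not 0 < len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 section 5.26: Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) value."""
    if not 0 < len(value) <= 247:
        raise ValueError("VSA value must be 1..247 bytes")
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return build_attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def iter_attributes(data: bytes):
    """Yield (type, value) pairs. A length below 2 or past the end of the buffer
    is rejected, so a crafted reply cannot loop forever or be silently mis-read."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def iter_vsa(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, vendor_type, sub_value) tuples."""
    if len(value) < 4:
        raise ValueError("VSA shorter than its Vendor-Id field")
    vendor_id = struct.unpack("!I", value[:4])[0]
    pos = 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        yield vendor_id, vtype, value[pos + 2:pos + vlen]
        pos += vlen


def is_well_formed(attrs: bytes) -> bool:
    """True when every attribute and every VSA sub-attribute has a consistent length."""
    try:
        for attr_type, value in iter_attributes(attrs):
            if attr_type == VENDOR_SPECIFIC:
                list(iter_vsa(value))
        return True
    except ValueError:
        return False


def extract_groups(attrs: bytes, vendor_id: int = EXAMPLE_VENDOR_ID,
                   vendor_type: int = EXAMPLE_VENDOR_TYPE) -> list:
    """Return RAD_-prefixed group names from matching VSAs, in packet order.
    Other vendors, other sub-types and values without the prefix are ignored,
    because only names the Rule Base knows about should grant access."""
    groups = []
    for attr_type, value in iter_attributes(attrs):
        if attr_type != VENDOR_SPECIFIC:
            continue
        for vid, vtype, sub_value in iter_vsa(value):
            if vid != vendor_id or vtype != vendor_type:
                continue
            name = sub_value.decode("utf-8", errors="replace")
            if name.startswith(GROUP_PREFIX):
                groups.append(name)
    return groups


# Constructed sample: the attribute section of an Access-Accept carrying a
# User-Name (type 1), two group VSAs from the placeholder vendor and one VSA
# from an unrelated vendor that must be ignored.
SAMPLE_ATTRS = (
    build_attribute(1, b"james")
    + build_vsa(EXAMPLE_VENDOR_ID, EXAMPLE_VENDOR_TYPE, b"RAD_VPN_Users")
    + build_vsa(12345, 7, b"RAD_OtherVendor")
    + build_vsa(EXAMPLE_VENDOR_ID, EXAMPLE_VENDOR_TYPE, b"RAD_Finance")
)

if __name__ == "__main__":
    print(extract_groups(SAMPLE_ATTRS))  # ['RAD_VPN_Users', 'RAD_Finance']
```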

Creating a User Account with TACACS Server Authentication
Terminal Access Controller Access Control System (TACACS) provides access control for
routers, network access servers and other networked devices through one or more centralized
servers.
TACACS is an external authentication method that provides verification services. With
TACACS, the Security Gateway forwards authentication requests by remote users to the
TACACS server. The TACACS server, which stores user account information, authenticates users. The system
supports physical card key devices or token cards and Kerberos secret key authentication.
TACACS encrypts the user name, password, authentication services and accounting
information of all authentication requests to make sure communication is secure.
To configure a Security Gateway to use TACACS authentication, you must set up the server
and enable its use on the Security Gateway.
Users can perform TACACS authentication through a TACACS server or a TACACS server
group. A TACACS server group is a high availability group of identical TACACS servers which
includes any or all the TACACS servers in the system. When you create the group, you define
a priority for each server in the group. If the server with the highest priority fails, the one with
the next highest priority in the group takes over, and so on. If you assign the same priority to all
TACACS servers, the Security Gateway will randomly select one of them for authentication.
After you configure authentication with a TACACS server, you can, in addition, configure
authentication with a certificate file. The user can then authenticate to the Security Gateway
with the TACACS server or the certificate file.

To configure TACACS server authentication for a user


1. In SmartConsole, configure a new TACACS / TACACS+ server object

a. In the top right corner, click the Objects panel.


b. Click New > More > Server > TACACS.
c. In the top field, enter the applicable object name.
d. Optional: Enter the comment.
e. In the Host field, click the drop-down arrow, click New.
f. Create a New Host with the IP address of the TACACS server. Click OK.
g. Make sure that this host shows in the Host field of the New TACACS window.

h. In the Servers type section, select the applicable value.

Best Practice - The default value is TACACS, but we recommend
TACACS+.

i. If you selected TACACS+, then in the Secret key field, enter the secret key
that you defined previously on the TACACS+ server.
j. In the Priority field, leave the default value 1.
k. Click OK.
l. Publish the SmartConsole session.

2. Create a new user and select TACACS as the authentication method

a. In the top right corner, click the Objects panel.


b. Click New > More > User/Identity > User.
The New User window opens.
c. Choose the applicable user template and click OK.
d. In the top field, enter the applicable object name.
This must be a unique, case sensitive character string.
If you generate a user certificate with a non-Check Point Certificate Authority,
enter the Common Name (CN) component of the Distinguished Name (DN).
For example:

If the DN is: CN = James, O = My Organization, C = My Country


then enter James as the user name.

If you use Common Names as user names, they must contain exactly one string
with no spaces.
e. Optional: Enter the comment.

f. On the General page, configure the applicable settings:


- Email address (optional)
- Mobile phone number (optional)
- Expire at
This is the date after which the user is no longer authorized to access
network resources and applications.
The default expiration date is configured in Menu > Global Properties >
User Accounts > Expiration Date.
g. On the Groups page, you can select the applicable user group objects (in
addition to or instead of those configured in the user template).

h. On the Authentication page:


i. In the Authentication method field, select TACACS.
ii. In the TACACS server field, leave the default value Any or select the
applicable TACACS server object.

Important - If you do not select an authentication method, the user
cannot log in or use network resources.

i. On the Location page:


i. Configure the allowed sources from which this user can access or send
data and traffic.

These objects must already exist before you can select them.
ii. Configure the allowed destinations to which this user can access or send
data and traffic.

These objects must already exist before you can select them.

j. On the Time page:


If the user has specific working days or hours, you can configure when the user
can be authenticated for access.
- From and To - Enter start time and end time of an expected workday. This
user will not be authenticated if a login attempt is made at a time outside
the given range.
- Days in week or Daily - Select the days on which the user can
authenticate and access resources. This user will not be authenticated if a
login attempt is made on an unselected day.
k. On the Certificates page:
You can configure the applicable certificates for this user for more secured
access control.

i. Click New.
ii. Select the applicable option:
- Registration Key for certificate enrollment
Sends a registration key that activates the certificate.
i. Enter the number of days the user has to activate the
certificate, before the registration key expires.
ii. Optional: Enter a comment.
iii. Optional: Click Template to preview the email template.
iv. Click Send.

v. Click OK to save this key.


- Certificate file (p12)
Creates a *.p12 certificate file with a private password for the user.
i. Enter and confirm the certificate password.
A password is required to protect the sensitive data in the
certificate file.
ii. Optional: Enter a comment.
iii. Click OK.
iv. Wait for the Save As window to open.

v. In the File name field, make sure to include the username.


vi. In the Save as type field, select Certificate Files (*p12).

The certificate file is in the PKCS #12 format, and has a .p12
extension.
vii. Browse to a secure location on the SmartConsole computer.
viii. Click Save.
ix. Give the user this file and password.
iii. Click OK.

Notes:
- If a user will not be in the system for some time (for example,
going on an extended leave), you can revoke the certificate. This
leaves the user account in the system, but it cannot be accessed
until you renew the certificate.
- To revoke a key / certificate, select the key / certificate and click
Revoke.

l. On the Encryption page:


You can configure the IKEv2 authentication and encryption settings for Remote
Access VPN.
i. Select IKE.

ii. Click Edit.


The encryption IKE Phase 2 Properties window opens.
iii. On the Authentication page, select the authentication schemes:
i. Password - The user authenticates with a pre-shared secret
password.
ii. Public Key - The user authenticates with a public key contained in a
certificate file.
iv. On the Encryption page, there are no settings to configure.
You configure these algorithms in SmartConsole > Global Properties >
Remote Access > VPN - Authentication > section Encryption algorithms.

v. Click OK.
m. Click OK.

3. Optional: Configure a TACACS server group for SmartConsole user authentication


Note - When defining a group of TACACS servers, all members of the group
must use the same protocol.

a. In SmartConsole, configure all the servers that you want to include in the server
group.
For each server, enter its priority in the group. The lower the number is, the
higher the priority.
For example, if you create a group with 3 servers, with priorities 1, 2 and 3, the
server with number 1 is approached first, the server with number 2 second, and
the server with number 3, third.

b. Create the server group:


In SmartConsole, go to Object Explorer and click New > Server > More >
TACACS Group.
c. Configure the group properties and add servers to the group:
i. Give the group a Name. It can be any name.
ii. Click the plus (+) for each server you want to add, and select each server
from the drop-down list.
iii. Click OK.
iv. Publish the SmartConsole session.
d. Add a new user.

e. Publish the SmartConsole session.


f. Install the Access Control Policy.

Creating a User Account with SecurID Authentication
SecurID requires users to both possess a token authenticator and to supply a PIN or
password. Token authenticators generate one-time passwords that are synchronized to an
RSA Authentication Manager (AM) and may come in the form of hardware or software.
Hardware tokens are key-ring or credit card-sized devices. Software tokens reside on the PC
or device from which the user wants to authenticate. All tokens generate a random, one-time
use access code that changes approximately every minute. When a user attempts to
authenticate to a protected resource, the one-time use code must be validated by the AM.
The Security Gateway forwards authentication requests by remote users to the AM. The AM
manages the database of RSA users and their assigned hard or soft tokens. The Security
Gateway acts as an AM agent and directs all access requests to the AM for authentication. For
more information on agent configuration, refer to RSA Authentication Manager documentation.
There are no specific parameters required for the SecurID authentication method.
Authentication requests can be sent over SDK-supported API or through REST API.
After you configure SecurID authentication, you can, in addition, configure authentication with
a certificate file. The user can then authenticate to the Security Gateway with the SecurID or
the certificate file.

To configure SecurID authentication for users:


1. Configure the API to send authentication requests

You can select to enable one of two API types:

- SDK-supported API
A proprietary API that uses a proprietary communication protocol on UDP port
5500 through SDKs available for selected platforms.

To enable SecurID authentication over SDK-supported API


a. Create the [Link] file on an ACE/Server and copy it to your
computer.
For details, refer to the RSA documentation.

Important - Use the IP address of a Security Gateway interface
that connects to the ACE/Server:
- For a specific Security Gateway
Configure the IP address as the authentication agent.
- For a Cluster
Configure these IP addresses as authentication agents:
Physical IP address of each Cluster Member and Cluster
Virtual IP address.
- For a VSX Virtual System on a specific VSX Gateway
Configure these IP addresses as authentication agents:
IP address of the VSX Gateway and IP address of the
Virtual System.
- For a VSX Virtual System on VSX Cluster
Configure these IP addresses as authentication agents:
Cluster Virtual IP address of the VSX Cluster and Cluster
Virtual IP address of the Virtual System.

b. Open the SecurID object in SmartConsole, click Browse and import the
[Link] file into the SecurID object.

c. Install the Access Control policy.

Note - During the policy installation, the [Link] file is
transferred to the Security Gateway, to /var/ace/[Link].

- REST API

To enable SecurID authentication over REST API


a. Connect to the command line on the Security Gateway.
b. Log in to the Expert mode.
c. On a VSX Gateway or VSX Cluster Member, go to the context of VSID 0:
vsenv 0

d. Back up the current $CPDIR/conf/[Link] file:


cp -v $CPDIR/conf/[Link]{,_BKP}

e. Edit the $CPDIR/conf/[Link] file.


vi $CPDIR/conf/[Link]

Fill in these fields:


l host - The configured host name of the RSA server.
l port, client key, and accessid - From the RSA SecurID
Authentication API window.
l certificate - The name of the certificate file.
f. Save the changes in the file and exit the editor.

Note - If you do not complete the REST API configuration, the authentication
is performed through the SDK-supported API.

2. Configure user groups

a. In SmartConsole, open the Object Explorer (F11).
b. Click New > More > User/Identity > User Group.
The New User Group window opens.
c. Enter the name of the group.
For example: SecurID_Users
Make sure the group is empty.
d. Click OK.
e. Publish the SmartConsole session.
f. Install the Access Control policy.


3. Create a new user and define SecurID as the authentication method

This configuration procedure is different for internal users (that are defined in
SmartConsole) and for external users.
To configure SecurID authentication settings for internal users

Internal users are users that you configure in SmartConsole. The Security
Management Server keeps these users in the management database.
a. In SmartConsole, open the Object Explorer (F11).
b. Click New > More > User/Identity > User.
The New User window opens.

c. Choose the applicable user template and click OK.


d. In the top field, enter the applicable object name.
This must be a unique, case sensitive character string.
If you generate a user certificate with a non-Check Point Certificate Authority,
enter the Common Name (CN) component of the Distinguished Name (DN).
For example:
If the DN is: CN = James, O = My Organization, C = My Country
then enter James as the user name.
If you use Common Names as user names, they must contain exactly one
string with no spaces.
e. Optional: Enter the comment.

f. On the General page, configure the applicable settings:
n Email address (optional)
n Mobile phone number (optional)
n Expire at
This is the date after which the user is no longer authorized to access network resources and applications.
g. On the Groups page, you can select the applicable user group objects (in addition to, or instead of, those configured in the user template).
h. On the Authentication page, in the Authentication method field, select SecurID.


i. On the Location page:
i. Configure the allowed sources from which this user can access or send data and traffic.
These objects must already exist before you can select them.
ii. Configure the allowed destinations to which this user can access or send data and traffic.
These objects must already exist before you can select them.
j. On the Time page:
If the user has specific working days or hours, you can configure when the user can be authenticated for access.
n From and To - Enter the start time and end time of an expected workday. This user is not authenticated if a login attempt is made at a time outside the given range.
n Days in week or Daily - Select the days on which the user can authenticate and access resources. This user is not authenticated if a login attempt is made on an unselected day.
k. On the Certificates page:
You can configure the applicable certificates for this user for more secure access control.


i. Click New.
ii. Select the applicable option:
n Registration Key for certificate enrollment
Sends a registration key that activates the certificate.
i. Enter the number of days the user has to activate the certificate, before the registration key expires.
ii. Optional: Enter a comment.
iii. Optional: Click Template to preview the email template.
iv. Click Send.
v. Click OK to save this key.
n Certificate file (p12)
Creates a *.p12 certificate file with a private password for the user.
i. Enter and confirm the certificate password.
A password is required to protect the private key and other sensitive data in the certificate file.
ii. Optional: Enter a comment.
iii. Click OK.
iv. Wait for the Save As window to open.
v. In the File name field, make sure to include the username.
vi. In the Save as type field, select Certificate Files (*.p12).
The certificate file is in the PKCS #12 format, and has a .p12 extension.
vii. Browse to a secure location on the SmartConsole computer.
viii. Click Save.
ix. Give the user this file and password. Deliver the password separately from the file, so that an intercepted file alone does not expose the private key.
iii. Click OK.


Notes:
n If a user will not be in the system for some time (for example, going on an extended leave), you can revoke the certificate.
This leaves the user account in the system, but it cannot be accessed until you renew the certificate.
n To revoke a key / certificate, select the key / certificate and click Revoke.

l. On the Encryption page:
You can configure the IKEv2 authentication and encryption settings for Remote Access VPN.
i. Select IKE.
ii. Click Edit.
The IKE Phase 2 Properties window opens.
iii. On the Authentication page, select the authentication schemes:
i. Password - The user authenticates with a pre-shared secret password.
ii. Public Key - The user authenticates with a public key contained in a certificate file.
iv. On the Encryption page, there are no settings to configure.
You configure these algorithms in SmartConsole > Global Properties > Remote Access > VPN - Authentication > section Encryption algorithms.
v. Click OK.
m. Click OK.

To configure SecurID authentication settings for external users

External users are users that you configure in the Legacy SmartDashboard.
The Security Management Server does not keep these users in the management database.
a. In SmartConsole, click Manage & Settings > Blades.
b. In the Mobile Access section, click Configure in SmartDashboard.
Legacy SmartDashboard opens.


c. In the bottom left Network Objects pane, click Users.
d. Right-click on an empty space and select the applicable option:
n If you support only one external authentication scheme, click New > External User Profile > Match all users.
n If you support more than one external authentication scheme, click New > External User Profile > Match by domain.
e. Configure the External User Profile properties:
i. On the General Properties page:
n If you selected Match all users, then configure:
l In the External User Profile name field, leave the default name generic*.
l In the Expiration Date field, set the applicable date.
n If you selected Match by domain, then configure:
l In the External User Profile name field, enter the applicable name. This name is used to authenticate users by the Authentication Manager.
l In the Expiration Date field, set the applicable date.
l In the Domain Name matching definitions section, configure the applicable settings.
ii. On the Authentication page:
From the Authentication Scheme drop-down list, select SecurID.
iii. Click OK.
f. From the top toolbar, click Update (or press CTRL+S).
g. Close the Legacy SmartDashboard.

4. Complete the SecurID authentication configuration

a. Make sure that connections between the Security Gateway and the
Authentication Manager are not NATed in the Address Translation Rule Base.
On a VSX Virtual System, follow the instructions in sk107281.
b. In SmartConsole, install the Access Control policy.


When a Security Gateway has multiple interfaces, the SecurID agent on the Security Gateway sometimes uses the wrong interface IP address to decrypt the reply from the Authentication Manager, and authentication fails.
To overcome this problem, place a new text file, named [Link], in the same directory as [Link].
The file [Link] should contain this line:

CLIENT_IP=<IP Address>

Where <IP Address> is the primary IP address of the Security Gateway, as defined on the Authentication Manager. This is the IP address of the interface through which the Authentication Manager is reached, and it must be one of the authentication agent addresses configured on the ACE/Server in step 1.

Example:
CLIENT_IP=[Link]

Note - On a VSX Gateway and VSX Cluster Members, you must create the same [Link] file in the context of VSID 0 and in the context of each applicable Virtual System.


Access Roles
Access Role objects let you configure network access according to:
n Networks
n Users and user groups
n Computers and computer groups
n Remote Access VPN clients (supported for Security Gateways R80.10 and higher)
After you activate the Identity Awareness Software Blade, you can create access role objects
and use them in the Source and Destination columns of Access Control Policy rules.

For more information, see the R82 Identity Awareness Administration Guide.

Adding Access Roles


Important - Before you add Active Directory users, machines, or groups to an Access
Role, make sure there is LDAP connectivity between the Security Management
Server and the AD Server that holds the management directory. The management
directory is defined on the Objects Management tab in the Properties window of the
LDAP Account Unit.

To create an Access Role

1. In the object tree, click New > More > User/Identity > Access Role.
The New Access Role window opens.


2. Enter a Name for the access role.
3. Enter a Comment (optional).

4. Select a Color for the object (optional).


5. In the Networks pane, select one of these:
n Any network
n Specific networks - For each network, click and select the network from the
list
6. In the Users pane, select one of these:
n Any user
n All identified users - includes any user identified by a supported authentication
method (internal users, Active Directory users, or LDAP users).


n Specific users/groups - For each user or user group, click and select the user
or the group from the list
7. In the Machines pane, select one of these:
n Any machine
n All identified machines - includes machines identified by a supported
authentication method (Active Directory).
n Specific machines - For each machine, click and select the machine from the
list
8. In the Remote Access Clients pane, select the clients for remote access.
9. Click OK.

The Identity Awareness engine automatically recognizes changes to LDAP group membership and updates identity information, including Access Roles.


User Directory
The Check Point User Directory stores user-specific information.

Note - User Directory requires a special license. If you have the Mobile Access
Software Blade, you have the User Directory license.

The User Directory lets you:
n Configure High Availability, to duplicate user data across multiple servers for backup.
See "Account Units and High Availability" on page 215.
n Configure Multiple Account Units, for distributed databases.
n Define LDAP Account Units, for encrypted User Directory connections.
See "Account Units" on page 209.
n Configure Profiles, to support multiple LDAP vendors.
See "User Directory Profiles" on page 191.

User Directory Considerations

Before you begin, plan your use of User Directory.
n Decide whether to use the User Directory servers for user management, CRL retrieval, user authentication, or all of those.
See "Working with LDAP Account Units" on page 209.
n Decide how many Account Units you need.
You can have one for each User Directory server, or you can divide branches of one User Directory server among different Account Units.
See "Account Units" on page 209.
n Decide whether to use a High Availability setup.
See "Account Units and High Availability" on page 215.
n Determine the order of priority among the User Directory servers for High Availability and querying purposes.
See "Setting High Availability Priority" on page 216.
n Assign users to different Account Units, branches, and sub-branches, so that users with common attributes (such as their role in the organization, permissions, and so on) are grouped together.
See "Managing Users on a User Directory Server" on page 204.


Deploying User Directory

User Directory integrates the Security Management Server and an LDAP server and lets the Security Gateways use the LDAP information.

Items in the deployment diagram:

Item | Description
1 | Security Gateway - Retrieves LDAP user information and CRLs
2 | Internet
3 | Security Gateway - Queries LDAP user information, retrieves CRLs, and does bind operations for authentication
4 | Security Management Server - Uses User Directory to manage user information
5 | LDAP server - Server that holds one or more Account Units


Enabling User Directory

In SmartConsole, enable the Security Management Server to manage users in the Account Unit. See "Working with LDAP Account Units" on page 209.

Note - You cannot use the SmartConsole User Database when the User Directory LDAP server is enabled.

To enable User Directory on the Security Management Server

1. From the Menu, select Global Properties > User Directory.
The User Directory page opens.
2. Select Use User Directory for Security Gateways.
3. Configure login and password settings.
4. Click OK.
5. In the Gateways & Servers view (Ctrl+1), open the Security Management Server object for editing.
6. On the General Properties page, Management tab, select Network Policy Management and User Directory.
7. Click OK.
8. Install the policy.

User Directory Schema for LDAP

The User Directory default schema is a description of the structure of the data in a user directory.
It has user definitions defined for an LDAP server.
This schema does not have Security Management Server or Security Gateway specific data, such as IKE-related attributes, authentication methods, or values for remote users.
You can use the default User Directory schema if all users have the same authentication method and are defined according to a default template.
But if users in the database have different definitions, it is better to apply the Check Point schema to the LDAP server.
The Check Point Schema adds Security Management Server and Security Gateway specific data to the structure in the LDAP server.
Use the Check Point Schema to extend the definition of objects with user authentication functionality.


For example, an Object Class entitled fw1Person is part of the Check Point schema.
This Object Class has mandatory and optional attributes that extend the definition of the Person object class.
Another example is [Link], a standalone attribute that defines a template of user information.

Schema Checking
When schema checking is enabled, User Directory requires that every Check Point object
class and its associated attributes is defined in the directory schema.
Before you work with User Directory, make sure that schema checking is disabled. Otherwise
the integration will fail.

After the Check Point object classes and attributes are applied to the User Directory server's
schema, you must enable schema checking again.

OID Proprietary Attributes

Each of the proprietary object classes and attributes (all of which begin with "fw1") has a proprietary Object Identifier (OID), listed below.

Object Class OIDs

object class | OID
fw1template | [Link].[Link]
fw1person | [Link].[Link]

The OIDs for the proprietary attributes begin with the same prefix ("[Link].4.2.0.X").
Only the value of "X" is different for each attribute. The "X" value for each attribute is given in its table in "User Directory Schema Attributes" below, together with whether the attribute applies to fw1person, to fw1template, or to both, and its default value.

User Directory Schema Attributes

cn

The entry's name.
This is also referred to as "Common Name".
For users this can be different from the uid attribute, the name used to log in to the Security Gateway.
This attribute is also used to build the User Directory entry's distinguished name, that is, it is the RDN of the DN.


uid

The user's login name, that is, the name used to log in to the Security Gateway.
This attribute is passed to the external authentication system in all authentication methods except for "Internal Password", and must be defined for all these authentication methods.
The login name is used by the Security Management Server to search the User Directory server(s).
For this reason, each user entry should have its own unique uid value.
It is also possible to log in to the Security Gateway using the full DN.
The DN can be used when there is an ambiguity with this attribute or in "Internal Password" when this attribute may be missing.
The DN can also be used when the same user (with the same uid) is defined in more than one Account Unit on different User Directory servers.

description

Descriptive text about the user.
The default is "no value".

mail

User's email address.
The default is "no value".

member

An entry can have zero or more values for this attribute.
n In a template: The DN of user entries using this template. DNs that are not users (object classes that are not one of: "person", "organizationalPerson", "inetOrgPerson", or "fw1person") are ignored.
n In a group: The DN of a user entry that is a member of the group.

userPassword

Must be given if the authentication method (fw1auth-method) is "Internal Password". The value can be hashed using "crypt". In this case the syntax of this attribute is:
"{crypt}xxyyyyyyyyyyy"
where:
n "xx" is the "salt"
n "yyyyyyyyyyy" is the hashed password
It is possible (but not recommended) to store the password without hashing. However, if hashing is specified in the User Directory server, you should not specify hashing here, in order to prevent the password from being hashed twice. You should also use SSL in this case, to prevent sending an unencrypted password.
The Security Gateway never reads this attribute, though it does write it (for example, when a user changes the password during authentication). Instead, the User Directory bind operation is used to verify a password.

fw1authmethod

One of these:
n RADIUS
n TACACS
n SecurID
n OS Password
n Defender

The default value for this attribute is overridden by Default authentication scheme in the Authentication tab of the Account Unit window in SmartConsole.
For example: a User Directory server can contain User Directory entries that are all of the object-class "person" even though the proprietary object-class "fw1person" was not added to the server's schema.
If Default authentication scheme in SmartConsole is "Internal Password", all the users will be authenticated using the password stored in the "userPassword" attribute.

"X" in OID | fw1person | fw1template | default
1 | y | y | "undefined"

fw1authserver

The name of the server that will do the authentication.
This field must be given if fw1auth-method is "RADIUS" or "TACACS".
For all other values of fw1auth-method, it is ignored. Its meaning is given below:

method | meaning
RADIUS | name of a RADIUS server, a group of RADIUS servers, or "Any"
TACACS | name of a TACACS server

"X" in OID | fw1template
2 | y

fw1pwdLastMod

The date on which the password was last modified.
The format is yyyymmdd (for example, 20 August 1998 is 19980820).
A password can be modified through the Security Gateway as a part of the authentication process.

"X" in OID | fw1person | fw1template | default
3 | y | y | If no value is given, then the password has never been modified.

fw1expiration-date

The last date on which the user can login to a Security Gateway, or "no value" if there is no expiration date.
The format is yyyymmdd (for example, 20 August 1998 is 19980820).
The default is "no value".

"X" in OID | fw1person | fw1template | default
8 | y | y | "no value"

fw1hour-range-from

The time from which the user can login to a Security Gateway.
The format is hh:mm (for example, 8:15 AM is 08:15).

"X" in OID | fw1person | fw1template | default
9 | y | y | "00:00"


fw1hour-range-to

The time until which the user can login to a Security Gateway.
The format is hh:mm (for example, 8:15 AM is 08:15).

"X" in OID | fw1person | fw1template | default
10 | y | y | "23:59"

fw1day

The days (of week) on which the user can login to a Security Gateway.
Can have the values "SUN", "MON", and so on.

"X" in OID | fw1person | fw1template | default
11 | y | y | all days of the week
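The four attributes fw1expiration-date, fw1hour-range-from, fw1hour-range-to and fw1day together decide whether a login attempt is authorized at a given moment. The following Python block is an added illustration, not code from this guide or from Check Point, of evaluating those attributes exactly as described above: the expiration date is the last permitted day, the hour range is inclusive, and an attribute with no value falls back to the listed default. SAMPLE_USER is a constructed dictionary standing in for an LDAP search result.

```python
"""Evaluate the User Directory login-window attributes for a login attempt.

Added illustration, not code from the guide. SAMPLE_USER is a constructed
dictionary standing in for an LDAP search result; the defaults are the ones
listed for fw1person / fw1template on this page.
"""
from datetime import datetime

# Schema defaults: no expiration, 00:00-23:59, every day of the week.
DEFAULTS = {
    "fw1expiration-date": None,
    "fw1hour-range-from": "00:00",
    "fw1hour-range-to": "23:59",
    "fw1day": ["SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT"],
}

# datetime.weekday() numbers Monday as 0.
WEEKDAY_NAMES = ["MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN"]


def attribute(entry, name):
    """Return the attribute value, or the schema default when it has no value."""
    value = entry.get(name)
    return DEFAULTS[name] if value in (None, "", []) else value


def minutes(hhmm):
    """Convert an hh:mm string such as "08:15" to minutes since midnight."""
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def login_allowed(entry, when):
    """Return (allowed, reason) for a login attempt at the datetime `when`.

    The checks mirror the attribute semantics above: the expiration date is
    the last date on which login is permitted, fw1day lists the permitted
    weekdays, and the hour range is inclusive at both ends.
    """
    expiration = attribute(entry, "fw1expiration-date")
    if expiration is not None and when.strftime("%Y%m%d") > expiration:
        return False, "account expired on " + expiration

    days = attribute(entry, "fw1day")
    if isinstance(days, str):  # a single-valued attribute may arrive as one string
        days = [days]
    weekday = WEEKDAY_NAMES[when.weekday()]
    if weekday not in {d.upper() for d in days}:
        return False, "login not permitted on " + weekday

    start = attribute(entry, "fw1hour-range-from")
    end = attribute(entry, "fw1hour-range-to")
    now = when.hour * 60 + when.minute
    if not minutes(start) <= now <= minutes(end):
        return False, "outside hour range %s-%s" % (start, end)
    return True, "ok"


def login_allowed_at(entry, timestamp):
    """Same check for a timestamp given as "YYYY-MM-DD HH:MM"."""
    return login_allowed(entry, datetime.strptime(timestamp, "%Y-%m-%d %H:%M"))


# Constructed sample: a weekday office-hours user whose account ends at year end.
SAMPLE_USER = {
    "uid": "jdoe",
    "fw1expiration-date": "20261231",
    "fw1hour-range-from": "08:15",
    "fw1hour-range-to": "18:00",
    "fw1day": ["MON", "TUE", "WED", "THU", "FRI"],
}

if __name__ == "__main__":
    for stamp in ("2026-05-06 09:00", "2026-05-09 09:00",
                  "2026-05-06 07:00", "2027-01-04 09:00"):
        print(stamp, login_allowed_at(SAMPLE_USER, stamp))
```

The expiration check runs first because an expired account must fail regardless of the day or hour; an entry with none of the four attributes set (for example, one created from a bare template) is accepted at any time, which is the documented default behaviour.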

fw1allowed-src

The names of one or more network objects from which the user can run a client, or "Any" to remove this limitation, or "no value" if there is no such client.
The names should match the names of network objects defined on the Security Management Server.

"X" in OID | fw1person | fw1template | default
12 | y | y | "no value"

fw1allowed-dst

The names of one or more network objects which the user can access, or "Any" to remove this limitation, or "no value" if there is no such network object.
The names should match the names of network objects defined on the Security Management Server.

"X" in OID | fw1person | fw1template | default
13 | y | y | "no value"

fw1allowed-vlan

Not currently used.

"X" in OID | fw1person | fw1template | default
14 | y | y | "no value"

fw1SR-keym

The algorithm used to encrypt the session key in SecuRemote.
Can be "CLEAR", "FWZ1", "DES", or "Any".

"X" in OID | fw1person | fw1template | default
15 | y | y | "Any"

fw1SR-datam

The algorithm used to encrypt the data in SecuRemote.
Can be "CLEAR", "FWZ1", "DES", or "Any".

"X" in OID | fw1person | fw1template | default
16 | y | y | "Any"

fw1SR-mdm

The algorithm used to sign the data in SecuRemote.
Can be "none" or "MD5".

"X" in OID | fw1person | fw1template | default
17 | y | y | "none"

fw1enc-fwz-expiration

The number of minutes after which a SecuRemote user must re-authenticate to the Security Gateway.

"X" in OID | fw1person | fw1template
18 | y | y

fw1sr-auth-track

The exception to generate on successful authentication via SecuRemote.
Can be "none", "cryptlog", or "cryptalert".

"X" in OID | fw1person | fw1template | default
19 | y | y | "none"

fw1groupTemplate

This flag is used to resolve a problem related to group membership.
The group membership of a user is stored in the group entries to which it belongs, in the user entry itself, or in both entries.
Therefore there is no clear indication in the user entry whether information from the template about group relationship should be used.
If this flag is "TRUE", then the user is taken to be a member of all the groups of which the template is a member.
This is in addition to all the groups in which the user is directly a member.

"X" in OID | fw1person | fw1template | default
20 | y | y | "False"

fw1ISAKMP-EncMethod

The key encryption methods for SecuRemote users using IKE (formerly known as ISAKMP).
This can be one or more of: "DES", "3DES".
A user using IKE may have both methods defined.

"X" in OID | fw1person | fw1template | default
21 | y | y | "DES", "3DES"

fw1ISAKMP-AuthMethods

The allowed authentication methods for SecuRemote users using IKE (formerly known as ISAKMP).
This can be one or more of: "preshared", "signatures".

"X" in OID | fw1person | fw1template | default
22 | y | y | "signatures"


fw1ISAKMP-HashMethods

The hash (data integrity) methods for SecuRemote users using IKE (formerly known as ISAKMP).
This can be one or more of: "MD5", "SHA1".
A user using IKE must have both methods defined.

"X" in OID | fw1person | fw1template | default
23 | y | y | "MD5", "SHA1"

fw1ISAKMP-Transform

The IPsec transform for SecuRemote users using IKE (formerly known as ISAKMP).
This can be one of: "AH", "ESP".

"X" in OID | fw1person | fw1template | default
24 | y | y | "ESP"

fw1ISAKMP-DataIntegrityMethod

The data integrity method for SecuRemote users using IKE (formerly known as ISAKMP).
This can be one of: "MD5", "SHA1".

"X" in OID | fw1person | fw1template | default
25 | y | y | "SHA1"

fw1ISAKMP-SharedSecret

The pre-shared secret for SecuRemote users using IKE (formerly known as ISAKMP).
The value can be calculated using the fw ikecrypt command line tool.

"X" in OID | fw1person | fw1template
26 | y | y

fw1ISAKMP-DataEncMethod

The data encryption method for SecuRemote users using IKE (formerly known as ISAKMP).

"X" in OID | fw1person | fw1template | default
27 | y | y | "DES"

fw1enc-Methods

The encryption method allowed for SecuRemote users.
This can be one or more of: "FWZ", "ISAKMP" (meaning IKE).

"X" in OID | fw1person | fw1template | default
28 | y | y | "FWZ"

fw1userPwdPolicy

Defines when and by whom the password should and can be changed.

"X" in OID | fw1person
29 | y

fw1badPwdCount

Number of allowed wrong passwords entered sequentially.

"X" in OID | fw1person
30 | y

fw1lastLoginFailure

Time of the last login failure.

"X" in OID | fw1person
31 | y

memberof template

DN of the template that the user is a member of.

"X" in OID | fw1person
33 | y


Netscape LDAP Schema

To add the proprietary schema to your Netscape directory server, use the $FWDIR/lib/ldap/[Link] file.

Important - This deletes the object class definition from the schema and adds the updated one in its place.

We recommend that you back up the User Directory server before you run the command.
The ldif file:
n Adds the new attributes to the schema
n Deletes old definitions of fw1person and fw1template
n Adds new definitions of fw1person and fw1template
To change the Netscape LDAP schema, run the ldapmodify command with the [Link] file.
Note - On some server versions, the delete objectclass operation can return an error, even if it was successful. Use ldapmodify with the -c (continuous) option, so that the remaining changes in the file are still applied after such an error.

User Directory Profiles

The User Directory profile is a configurable LDAP policy that lets you define more exact User Directory requests and enhances communication with the server.
Profiles control most of the LDAP server-specific knowledge. You can manage diverse technical solutions, to integrate LDAP servers from different vendors.
Use User Directory profiles to make sure that the user management attributes of a Security Management Server are correct for its associated LDAP server.
For example, if you have a certified OPSEC User Directory server, apply the OPSEC_DS profile to get enhanced OPSEC-specific attributes.
LDAP servers have different object repositories, schemas, and object relations.
n The organization's user database may have unconventional object types and relations because of a specific application.
n Some applications use the cn attribute in the User object's Relative Distinguished Name (RDN) while others use uid.
n In Microsoft Active Directory, the user attribute memberOf describes which group the user belongs to, while standard LDAP methods define the member attribute in the group object itself.
n Different servers implement different storage formats for passwords.
n Some servers are considered v3 but do not implement all v3 specifications. These servers cannot extend the schema.
n Some LDAP servers already have built-in support for certain user data, while others require a Check Point schema extended attribute.
For example, Microsoft Active Directory has the accountExpires user attribute, but other servers require the Check Point attribute fw1expiration-date, which is part of the Check Point defined fw1person objectclass.
n Some servers allow queries with non-defined types, while others do not.

Default User Directory Profiles

These profiles are defined by default:
n OPSEC_DS - the default profile for a standard OPSEC certified User Directory.
n Netscape_DS - the profile for a Netscape Directory Server.
n Novell_DS - the profile for a Novell Directory Server.
n Microsoft_AD - the profile for Microsoft Active Directory.

Modifying User Directory Profiles

Profiles have these major categories:
n Common - Profile settings for reading and writing to the User Directory.
n Read - Profile settings only for reading from the User Directory.
n Write - Profile settings only for writing to the User Directory.
Some of these categories list the same entry with different values, to let the server behave according to the type of operation. You can change certain parameters of the default profiles for finer granularity and performance tuning.

To apply a profile:
1. Open the Account Unit.
2. Select the profile.

To change a profile:
1. Create a new profile.
2. Copy the settings of a User Directory profile into the new profile.
3. Change the values.


Fetch User Information Effectively

User Directory servers organize groups and members through different means and relations. User Directory operations are performed by Check Point on users, groups of users, and user templates, where the template is defined as a group entry and users are its members. The mode in which groups/templates and users are defined has a profound effect on the performance of some of the Check Point functionality when fetching user information. There are three different modes:
n Defining a "Member" attribute per member, or "Member" user-to-group membership mode. In this case, the group entry holds one "Member" attribute value for each of its members, where the value is the DN of that member.
n Defining a "MemberOf" attribute per group, or "MemberOf" user-to-group membership mode. In this case, the user entry holds one "MemberOf" attribute value for each group it belongs to, where the value is the DN of that group entry.
n Defining a "MemberOf" attribute per member and group, or "Both" user-to-group membership mode. In this case both members and groups are given the "MemberOf" attribute.
The most effective modes are "MemberOf" and "Both", where the user's group membership information is available on the user entry itself and no additional User Directory queries are necessary.
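The performance difference between the modes is easiest to see by counting round trips to the directory. The following Python block is an added illustration, not Check Point code, that resolves a user's groups under each GroupMembership mode against a constructed in-memory directory, and also applies the fw1groupTemplate rule from the schema section (a user inherits the groups of the template). The attribute name memberOfTemplate for the template DN on the user entry is an assumption made for the example; the page names the attribute only as "memberof template".

```python
"""Resolve a user's group membership under the three membership modes.

Added illustration, not Check Point code. ENTRIES is a constructed in-memory
directory (DN -> attributes); "memberOfTemplate" is an assumed attribute name
for the DN of the user's template.
"""


class ToyDirectory:
    """Minimal stand-in for an LDAP server that counts round trips."""

    def __init__(self, entries):
        self.entries = entries
        self.queries = 0

    def read(self, dn):
        """Fetch one entry by DN (one query)."""
        self.queries += 1
        return self.entries[dn]

    def groups_with_member(self, dn):
        """Search for group entries whose member attribute holds dn (one query).

        This is the extra round trip that "Member" mode forces on every lookup.
        """
        self.queries += 1
        return [
            group_dn for group_dn, attrs in self.entries.items()
            if "groupOfNames" in attrs.get("objectClass", [])
            and dn in attrs.get("member", [])
        ]


def groups_of(directory, user_dn, mode):
    """Return (groups, queries) for user_dn under the GroupMembership mode.

    "MemberOf" and "Both" read the membership from the user entry itself;
    "Member" has to search the group entries. When fw1groupTemplate is TRUE
    the groups of the user's template are added, as the schema section states.
    """
    directory.queries = 0
    user = directory.read(user_dn)

    def membership(dn, attrs):
        if mode in ("MemberOf", "Both"):
            return set(attrs.get("memberOf", []))
        if mode == "Member":
            return set(directory.groups_with_member(dn))
        raise ValueError("unknown GroupMembership mode: %r" % mode)

    groups = membership(user_dn, user)
    if user.get("fw1groupTemplate", "FALSE").upper() == "TRUE":
        template_dn = user["memberOfTemplate"]
        groups |= membership(template_dn, directory.read(template_dn))
    return groups, directory.queries


# Constructed directory: alice is in "staff" directly and in "vpn-users" via her template.
ALICE = "cn=alice,ou=people,o=example"
BOB = "cn=bob,ou=people,o=example"
TEMPLATE = "cn=remote-tpl,ou=templates,o=example"
STAFF = "cn=staff,ou=groups,o=example"
VPN_USERS = "cn=vpn-users,ou=groups,o=example"

ENTRIES = {
    STAFF: {"objectClass": ["groupOfNames"], "member": [ALICE, BOB]},
    VPN_USERS: {"objectClass": ["groupOfNames"], "member": [TEMPLATE]},
    TEMPLATE: {"objectClass": ["fw1template"], "member": [ALICE], "memberOf": [VPN_USERS]},
    ALICE: {"objectClass": ["inetOrgPerson", "fw1person"], "memberOf": [STAFF],
            "fw1groupTemplate": "TRUE", "memberOfTemplate": TEMPLATE},
    BOB: {"objectClass": ["inetOrgPerson", "fw1person"], "memberOf": [STAFF],
          "fw1groupTemplate": "FALSE"},
}

if __name__ == "__main__":
    for mode in ("Member", "MemberOf", "Both"):
        groups, queries = groups_of(ToyDirectory(ENTRIES), ALICE, mode)
        print("%-8s groups=%s queries=%d" % (mode, sorted(groups), queries))
```

The group sets come out identical in every mode; only the query count changes, which is the point the paragraph above makes. Against a real server the "Member" search is also a subtree scan rather than a single entry read, so the cost gap is larger than the counter suggests.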

Setting User-to-Group Membership Mode

Set the user-to-group membership mode in the profile objects for each User Directory server in the objects_5_0.C file.
n To specify the user-to-group and template-to-group membership mode, set the GroupMembership attribute to one of these values: "Member", "MemberOf", "Both".
n To specify the user-to-template membership mode, set the TemplateMembership attribute to one of these values: "Member", "MemberOf".
After successfully converting the database, set the User Directory server profile in the objects_5_0.C file to the proper membership setting and start the Security Management Server.
Make sure to install the policy/user database on all Security Gateways to enable the new configuration.

Profile Attributes

UserLoginAttr

The unique username User Directory attribute (uid).
In addition, when fetching users by the username, this attribute is used for the query.

Default:
n uid (most servers)
n SamAccountName (in Microsoft_AD)
Other: One value allowed

UserPasswordAttr

The User Directory attribute that holds the user password.

Default:
n userPassword (most servers)
n unicodePwd (in Microsoft_AD)
Other: One value allowed

TemplateObjectClass

The object class for Check Point User Directory templates.


If you change the default value with another object-class, make sure to extend that
objectclass schema definition with relevant attributes from fw1template.

default Other

fw1template Multiple values allowed

ExpirationDateAttr

The account expiration date is User Directory attribute.


This could be a Check Point extended attribute or an existing attribute.

Default Other

n fw1expiration-date (most One value allowed


servers)
n accountExpires (in
Microsoft_AD)

ExpirationDateFormat

Expiration date format.

This format is applied to the value of the attribute defined in ExpirationDateAttr.

Default: CP (format is yyyymmdd)
Other: One value allowed

PsswdDateFormat

The format of the User Directory attribute that holds the date the password was last modified.
This format is applied to the value of the attribute defined in PsswdDateAttr.

Default:
n CP (most servers) - format is yyyymmdd
n MS (Microsoft_AD)
Other: One value allowed

PsswdDateAttr

The User Directory attribute that holds the date the password was last modified.

Default:
n fw1pwdLastMod (most servers)
n pwdLastSet (Microsoft_AD)
Other: One value allowed

BadPwdCountAttr

The User Directory attribute used to store and read the count of failed password authentications.

Default: fw1BadPwdCount
Other: One value allowed

ClientSideCrypt

If 0, the password is sent to the User Directory server unencrypted.
If 1, the password is encrypted with the algorithm specified in DefaultCryptAlgorithm before it is sent.

Default:
n 0 (most servers)
n 1 (Netscape_DS)
Other: One value allowed. If the password is not encrypted, use SSL (LDAPS) for the connection so that the password is not transmitted in cleartext.

DefaultCryptAlgorithm

The algorithm used to encrypt a password before the User Directory server is updated with a new password.

Default:
n Plain (most servers)
n Crypt (Netscape_DS)
n SHA1
Other: One value allowed

CryptedPasswordPrefix

The text prefixed to the encrypted password when the User Directory server is updated with a modified password.

Default: {Crypt} (Netscape_DS)
Other: One value allowed

PhoneNumberAttr

The User Directory attribute used to store and read the user phone number.

Default: internationalisednumber
Other: One value allowed

AttributesTranslationMap

General-purpose attribute translation map, used to work around the peculiarities of different server types.
For example, an X.500 server does not allow the "-" character in an attribute name. To use the Check Point attributes that contain "-", specify a translation entry, for example "fw1-expiration=fw1expiration".

Default: none
Other: Multiple values allowed

ListOfAttrsToAvoid

All attribute names listed here are removed from the default list of attributes included in read/write operations.
This is most useful when these attributes are not supported by the User Directory server schema, which would otherwise fail the entire operation.
This is especially relevant when the User Directory server schema is not extended with the Check Point schema extension.

Default: none. If the User Directory server schema was not extended with the Check Point schema, the best practice is to list all the Check Point schema attributes here.
Other: Multiple values allowed

BranchObjectClass

Use this attribute to define which object types (objectclass) are queried when the object tree branches are displayed after the Account Unit is opened in SmartConsole.

Default:
n Organization, OrganizationalUnit, Domain (most servers)
n Container (in addition, for Microsoft_AD)
Other: Multiple values allowed

BranchOCOperator

If "One" is set, an OR query is sent and every object that matches one of the object classes is displayed as a branch.
If "All" is set, an AND query is sent and only objects that match all of the object classes are displayed.

Default: One
Other: One value allowed

OrganizationObjectClass

This attribute defines which objects are displayed with an Organization object icon.
A new object type specified here must also be in BranchObjectClass.

Default: organization
Other: Multiple values allowed

OrgUnitObjectClass

This attribute defines which objects are displayed with an Organizational Unit object icon.
A new object type specified here must also be in BranchObjectClass.

Default:
n organizationalUnit (most servers)
n Container (in addition, for Microsoft_AD)
Other: Multiple values allowed

DomainObjectClass

This attribute defines which objects are displayed with a Domain object icon.
A new object type specified here must also be in BranchObjectClass.

Default: Domain
Other: Multiple values allowed

UserObjectClass

This attribute defines which objects are read as user objects.
The user icon is displayed on the tree for the object types specified here.

Default:
n User (Microsoft_AD)
n Person, OrganizationalPerson, inetOrgPerson, fw1Person (most servers)
Other: Multiple values allowed

UserOCOperator

If "One" is set, an OR query is sent and every object that matches one of the object classes is displayed as a user.
If "All" is set, an AND query is sent and only objects that match all of the object classes are displayed.

Default: One
Other: One value allowed

GroupObjectClass

This attribute defines which objects are read as groups.
The group icon is displayed on the tree for objects of the types specified here.

Default:
n groupOfNames, groupOfUniqueNames (most servers)
n Group, groupOfNames (Microsoft_AD)
Other: Multiple values allowed

GroupOCOperator

If "One" is set, an OR query is sent and every object that matches one of the object classes is displayed as a group.
If "All" is set, an AND query is sent and only objects that match all of the object classes are displayed.

Default: One
Other: One value allowed

GroupMembership

Defines the relationship mode between the group and its members (user or template objects) when group membership is read.
Default:
n Member - the member DNs are stored in the Group object (most servers)
n MemberOf - the group DNs are stored in the member object (Microsoft_AD)
n Both - the member DNs are stored in the Group object and the group DNs are stored in the member object
Other: One value allowed

UserMembershipAttr

Defines which User Directory attribute to use when group membership is read from the user or template object, when the GroupMembership mode is "MemberOf" or "Both". You may need to extend the user/template object schema to use this attribute.

Default: memberOf
Other: One value allowed

TemplateMembership

Defines the user-to-template membership mode used when user template membership information is read.

Default:
n Member - the user DNs are stored in the template object (most servers)
n MemberOf - the template DN is stored in the user object (Microsoft_AD)
Other: One value allowed

TemplateMembershipAttr

Defines which attribute to use when the user members are read from the template object, as user DNs, when the TemplateMembership mode is Member.

Default: member
Other: Multiple values allowed

UserTemplateMembershipAttr

Defines which attribute to use when the template DN associated with the user is read from the user object, when the TemplateMembership mode is MemberOf.

Default: member
Other: Multiple values allowed

OrganizationRDN

This value is used as the attribute name in the Relative Distinguished Name (RDN) when you create a new Organization object in SmartConsole.

Default: o
Other: One value allowed

OrgUnitRDN

This value is used as the attribute name in the Relative Distinguished Name (RDN) when you create a new Organizational Unit object in SmartConsole.

Default: ou
Other: One value allowed

UserRDN

This value is used as the attribute name in the Relative Distinguished Name (RDN) when you create a new User object in SmartConsole.

Default: cn
Other: One value allowed

GroupRDN

This value is used as the attribute name in the RDN when you create a new Group object in SmartConsole.

Default: cn
Other: One value allowed

DomainRDN

This value is used as the attribute name in the RDN when you create a new Domain object in SmartConsole.

Default: dc
Other: One value allowed

AutomaticAttrs

This field is relevant when you create objects in SmartConsole.
The format of this field is ObjectClass:name:value. When an object of type ObjectClass is created, an additional attribute named 'name' with the value 'value' is included in the created object.

Default: user:userAccountControl:66048 (Microsoft_AD). This means that when a user object is created, the attribute userAccountControl with the value 66048 is added automatically.
Other: Multiple values allowed
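Two of the Microsoft_AD defaults above are opaque numbers: the MS date format used by ExpirationDateFormat and PsswdDateFormat (accountExpires and pwdLastSet are Windows FILETIME values, 100-nanosecond ticks since 1601-01-01 UTC) and the userAccountControl value 66048 that AutomaticAttrs adds to new users. The following is an added example written for this guide, not Check Point code, that converts between the MS format and the CP yyyymmdd format and decodes a userAccountControl bit mask; the flag names and bit values are the Windows userAccountControl constants, and the AutomaticAttrs parser assumes the ObjectClass:name:value layout described above.

```python
"""Added example (not Check Point code): conversions for the Microsoft_AD
profile defaults: FILETIME <-> CP yyyymmdd, and userAccountControl decoding."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires stores 0 or 0x7FFFFFFFFFFFFFFF for "never expires";
# pwdLastSet stores 0 for "must change password at next logon".
NEVER_SENTINELS = (0, 0x7FFFFFFFFFFFFFFF)

# Windows userAccountControl flag bits (subset of the documented values).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}


def filetime_to_cp(value: int) -> Optional[str]:
    """MS format (FILETIME ticks) to CP format yyyymmdd, UTC.
    Returns None for the sentinel values, which carry no date."""
    if value < 0:
        raise ValueError("FILETIME values are non-negative")
    if value in NEVER_SENTINELS:
        return None
    # 10 ticks per microsecond; integer division keeps the arithmetic exact.
    return (EPOCH_1601 + timedelta(microseconds=value // 10)).strftime("%Y%m%d")


def cp_to_filetime(text: str) -> int:
    """CP format yyyymmdd (midnight UTC) to a FILETIME tick count."""
    day = datetime.strptime(text, "%Y%m%d").replace(tzinfo=timezone.utc)
    return int((day - EPOCH_1601).total_seconds()) * 10_000_000


def decode_uac(value: int) -> List[str]:
    """Names of the flags set in a userAccountControl value, lowest bit first.
    Bits not in the table are reported rather than silently dropped."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def parse_automatic_attrs(spec: str) -> Tuple[str, str, str]:
    """Split an AutomaticAttrs entry of the form ObjectClass:name:value."""
    parts = spec.split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected ObjectClass:name:value, got {spec!r}")
    return parts[0], parts[1], parts[2]


def automatic_uac_flags(spec: str) -> Optional[List[str]]:
    """Decode the flags an AutomaticAttrs entry will set on new users, if it
    sets userAccountControl at all."""
    _, name, value = parse_automatic_attrs(spec)
    if name.lower() != "useraccountcontrol":
        return None
    return decode_uac(int(value))


if __name__ == "__main__":
    print(automatic_uac_flags("user:userAccountControl:66048"))
    print(filetime_to_cp(133801632000000000), cp_to_filetime("20250101"))
```

Decoding the default shows what it does to every user created from SmartConsole: 66048 is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD, so those accounts are exempt from the domain's password expiry policy. If that is not what your policy allows, change the AutomaticAttrs value (512, NORMAL_ACCOUNT alone, is the plain enabled-user value) and review existing accounts. The sentinel handling matters for the expiry conversion too: a pwdLastSet of 0 is not "set in 1601", it is "must change at next logon".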

GroupObjectClass

This field is used when you modify a group in SmartConsole.
The format of this field is ObjectClass:memberattr, meaning that for each group objectclass there is a group membership attribute mapping.
List here all the possible mappings for this User Directory server profile.
When a group is modified, the right group membership mapping is selected based on the group's objectclass.

Default:
n groupOfNames:member
n groupOfUniqueNames:uniqueMember (all other servers)
Other: Multiple values allowed

OrgUnitObjectClass

This determines which ObjectClass to use when an OrganizationalUnit object is created or modified.
These values can be different from the read counterpart.

Default: OrganizationalUnit
Other: Multiple values allowed

OrganizationObjectClass

This determines which ObjectClass to use when an Organization object is created or modified.
These values can be different from the read counterpart.

Default: Organization
Other: Multiple values allowed

UserObjectClass

This determines which ObjectClass to use when a user object is created or modified.
These values can be different from the read counterpart.

Default:
n User (Microsoft_AD)
n person, organizationalPerson, inetOrgPerson, fw1Person (all other servers)
Other: Multiple values allowed

DomainObjectClass

Determines which ObjectClass to use when a domain context object is created or modified.
These values can be different from the read counterpart.

Default: Domain
Other: Multiple values allowed


Managing Users on a User Directory Server
In SmartConsole, users and user groups in the Account Unit show in the same tree structure
as on the LDAP server.
n To see User Directory users, open Users and Administrators. The LDAP Groups folder
holds the structure and accounts of the server.
n You can change the User Directory templates. Users associated with a template get the changes immediately. If you change user definitions manually in SmartConsole, the changes are made on the server immediately.

Distributing Users in Multiple Servers


The users of an organization can be distributed across several LDAP servers. Each LDAP
server must be represented by a separate Account Unit.

Managing LDAP Information


User Directory lets you use SmartDashboard to manage information about users and OUs
(Organizational Units) that are stored on the LDAP server.
To manage LDAP information from SmartDashboard

1. In SmartConsole, go to Manage & Settings > Blades.


2. Click Configure in SmartDashboard.

SmartDashboard opens.
3. From the object tree, select Servers and OPSEC.

4. Double-click the Account Unit.


The LDAP domain object opens.
5. Double-click the LDAP branch.
The Security Management Server queries the LDAP server and SmartDashboard
shows the LDAP objects.
6. Expand the Objects List pane.

7. Double-click the LDAP object.


The Objects List pane shows the user information.
8. Right-click a user and select Edit.
The LDAP User Properties window opens.
9. Edit the user information and settings. Click OK.

LDAP Groups for the User Directory


Create LDAP groups for the User Directory. These groups classify users according to type and
can be used in Policy rules. You can add users to groups, or you can create dynamic filters.
To create LDAP groups for User Directory

1. In SmartConsole, open Object Categories > New > More > Users > LDAP group.
2. In the New LDAP Group window that opens, select the Account Unit for the User
Directory group.
3. Define Group's Scope - select one of these:
n All Account-Unit's Users - All users in the group
n Only Sub Tree - Users in the specified branch
n Only Group in branch - Users in the branch with the specified DN prefix
4. Apply an advanced LDAP filter:


a. Click Apply filter for dynamic group.


b. Enter the filter criteria.
5. Click OK.
Examples:
n If the User objects for managers in your organization have the object class "myOrgManager", define the Managers group with the filter: objectclass=myOrgManager
n If users in your organization have an e-mail address ending with [Link], you can
define the US group with the filter: mail=*[Link]


Retrieving Information from a User Directory Server


When a Security Gateway requires user information for authentication, it goes through this process:
1. The Security Gateway searches for the user in the internal management database.
2. If the user is not defined in the internal management database, the Security Gateway queries the LDAP server with the highest priority in the Account Unit.
3. If the query against the LDAP server with the highest priority fails (for example, the connection is lost), the Security Gateway queries the server with the next highest priority.
If there is more than one Account Unit, the Account Units are queried concurrently. The results of the query are taken from the first Account Unit that meets the conditions, or from all the Account Units that meet the conditions.
4. If the queries against all LDAP servers fail, the Security Gateway matches the user against the generic external user profile.

Running User Directory Queries

Use queries to get User Directory user or group data. For best performance, query Account
Units when there are open connections. Some connections are kept open by the Security
Gateways, to make sure the user belongs to a group that is permitted to do a specified
operation.
To query User Directory

1. In SmartConsole, go to Manage & Settings > Blades.

2. Click Configure in SmartDashboard.


SmartDashboard opens.

3. In the Objects Tree, click Users.


4. Double-click the Account Unit to open a connection to the LDAP server.
5. Right-click the Account Unit and select Query Users/Group.
The LDAP Query Search window opens.
Click Advanced to select specified objects types, such as Users, groups, or
templates.
6. Define the query.
7. To add more conditions, select or enter the values and click Add.
Query conditions:


n Attributes - Select a user attribute from the drop-down list, or enter an attribute.
n Operators - Select an operator from the drop-down list.
n Value - Enter a value to compare to the entry's attribute. Use the same type and format as the actual user attribute. For example, if Attribute is fw1expiration-date, then Value must be in the yyyymmdd syntax.
n Free Form - Enter your own query expression. See RFC 1558 (superseded by RFC 4515) for the syntax of LDAP search filter expressions.
n Add - Appends the condition to the query (in the text box to the right of Search
Method).
Example of a Query

If you create a query where:


n Attributes=mail
n Contains
n Value=Andy
The server queries the User Directory with this filter:

filter: (&(|(objectclass=fw1person)(objectclass=person)(objectclass=organizationalPerson)(objectclass=inetOrgPerson))(|(cn=Brad)(mail=*Andy*)))

Querying Multiple LDAP Servers

The Security Management Server and the Security Gateways can work with multiple LDAP
servers concurrently. For example, if a Security Gateway needs to find user information, and it
does not know where the specified user is defined, it queries all the LDAP servers in the
system. (Sometimes a Security Gateway can find the location of a user by looking at the user
DN, when working with certificates.)


Account Units
An Account Unit represents branches of user information on one or more LDAP servers. The
Account Unit is the interface between the LDAP servers and the Security Management Server
and Security Gateways.
You can have a number of Account Units representing one or more LDAP servers. Users are
divided among the branches of one Account Unit, or between different Account Units.

Note - When you enable the Identity Awareness and Mobile Access Software Blade ,
SmartConsole opens a First Time Configuration Wizard. The Active Directory
Integration window of this wizard lets you create a new Active Directory Account Unit.
After you complete the wizard, SmartConsole creates the Active Directory object and
Account Unit.

Working with LDAP Account Units


Use the LDAP Account Unit Properties window in SmartConsole to create a new Account Unit manually or to edit an existing one.

To create or edit an LDAP Account Unit:

1. Do one of these:
n Create: In the Objects tab, click New > More > User/Identity > LDAP Account unit.
n Edit: In SmartConsole, open the Object Explorer (press the CTRL+E keys) > Users/Identities > go to the required LDAP Account Unit, right-click it and select Edit.
The LDAP Account Unit Properties window opens.

2. Edit the settings in these tabs:

n General

Configure how the Security Management Server uses the Account Unit.
These are the configuration fields in the General tab:
l Name - Name of the Account Unit
l Comment - Optional comment
l Color - Optional color associated with the Account Unit
l Profile - LDAP vendor
l Domain - Domain of the Active Directory servers, when the same user
name is used in multiple Account Units (this value is also necessary for AD
Query and SSO)
l Prefix - Prefix for non-Active Directory servers, when the same user name
is used in multiple Account Units
l Account Unit usage - Select applicable options:
o CRL retrieval - The Security Management Server manages how the CA sends information about revoked certificates to the Security Gateways
o User Management - The Security Management Server uses the user information from this LDAP server (you must enable User Directory on the Security Management Server).
Note - LDAP SSO (Single Sign On) is only supported for Account Unit objects that use User Management.
o Active Directory Query - This Active Directory server is used as an Identity Awareness source.
Note - This option is only available if the Profile is set to Microsoft_AD.
l Enable Unicode support - Encoding for LDAP user information in non-
English languages
l Active Directory SSO configuration - Click to configure Kerberos SSO for
Active Directory - Domain Name, Account Name, Password, and Ticket
encryption method

n Servers

Manage LDAP servers that are used by this Account Unit. You can add, edit, or
delete LDAP server objects.
To configure an LDAP server for the Account Unit:
a. To add a new server, click Add.
To edit an existing one, select it from the table and click Edit.
The LDAP Server Properties window opens.
b. From the Host drop-down menu, select the server object.
c. Optional: If necessary, create a new LDAP server object:

i. Close the LDAP Server Properties window.


ii. In SmartConsole, go to the Object Explorer.
iii. Click New > Host.
iv. In the New Host window that opens, enter the settings for the LDAP
server.
v. Click OK.
vi. Reopen the LDAP Server Properties window > Servers, and select
the newly created host.
d. Fill in this information:
l Port
l Username
l Login DN
l Password
l Default priority
l Select access permissions for the Check Point Gateways:
o Read data from this server
o Write data to this server
Note - If you create the LDAP Account Unit to submit group queries, you do not need any special permissions. Select Write data to this server only when objects on this server are created or modified from SmartConsole; the bind account then also needs the matching write permissions in the directory.


e. In the Encryption tab, you can configure LDAPS.

Note - LDAPS is required for Active Directory integration on Windows Server 2025 and recommended for earlier versions.

Configure these settings:

I. Select Use Encryption (SSL) - Enables LDAPS.
II. Encryption port - The LDAPS port is populated automatically. You can modify it as needed.

Note - When you select Use Encryption (SSL), the Port field in the General tab is greyed out, and only the Encryption port in the Encryption tab is used for LDAP communication.

III. Click Fetch to retrieve this information:
l Server Name - The subject of the LDAPS server certificate.
l CA - Certificate of the root CA that signed the LDAPS server certificate.

Note - If you renew or replace the LDAPS server certificate using the same CA and Server Name, Security Gateways version R82 or higher trust the new certificate automatically.

l Server - Fingerprint of the LDAPS server certificate.
IV. Verify that the fetched information is correct. Fetch shows whatever certificate answers on the port, so compare the fingerprint with the certificate on the LDAP server itself before you accept it.
V. Optional: Select CRL check to have the Security Gateway verify that the server certificate is not revoked.

Note - If you enable CRL check, you must make sure that the LDAPS server certificate contains a CRL Distribution Point extension of type HTTP, and that the Security Gateway can access this URL.

VI. Min/Max Encryption Strength - Use the default values provided:
l Export for minimum encryption strength
l Strong for maximum encryption strength
f. Click OK.


To remove an LDAP server from the Account Unit:


a. Select a server from the table.
b. Click Remove.
If all the configured servers use the same login credentials, you can modify them
simultaneously.

To configure the login credentials for all servers simultaneously:


a. Click Update Account Credentials.
The Update Account to All Servers window opens.

b. Enter the login credentials.


c. Click OK.


n Objects Management

Configure the LDAP server for the Security Management Server to query and the branches to use.

Note - Make sure there is LDAP connectivity between the Security Management Server and the LDAP Server that holds the management directory.

To configure LDAP query parameters:


a. From the Server to connect drop-down menu, select the LDAP server
object.
b. Click Fetch branches.

The Security Management Server queries and shows the LDAP branches.
c. Configure Branches in use:
l To add a branch, click Add and in the LDAP Branch Definition
window that opens, enter a new Branch Path
l To edit a branch, click Edit and in the LDAP Branch Definition
window that opens, modify the Branch Path
l To delete a branch, select it and click Delete
d. Select Prompt for password when opening this Account Unit if necessary
(optional).

e. Configure the number of Return entries that are stored in the LDAP
database (the default is 500).


n Authentication

Configure the authentication scheme for the Account Unit. These are the
configuration fields in the Authentication tab:
l Use common group path for queries - Select to use one path for all the
LDAP group objects (only one query is necessary for the group objects)
l Allowed authentication schemes - Select one or more authentication
schemes allowed to authenticate users in this Account Unit - Check Point
Password, SecurID, RADIUS, OS Password, or TACACS
l Users' default values - The default settings for new LDAP users:
o User template - Template that you created
o Default authentication scheme - One of the authentication schemes
selected in the Allowed authentication schemes section
l Limit login failures (optional):
o Lock user's account after - Number of login failures, after which the
account gets locked
o Unlock user's account after - Number of seconds, after which the
locked account becomes unlocked
l IKE pre-shared secret encryption key - Pre-shared secret key for IKE
users in this Account Unit

3. Click OK.

4. Install the Access Control Policy.

Account Units and High Availability


With User Directory replications for High Availability, one Account Unit represents all the
replicated User Directory servers. For example, you can define two User Directory server
replications on one Account Unit, and two Security Gateways can use the same Account unit.

Item - Description
1 - Security Management Server. Manages user data in User Directory. It has an Account Unit object, where the two servers are defined.
2 - User Directory server replication.
3 - Security Gateway. Queries user data and retrieves CRLs from the nearest User Directory server replication (2).
4 - Internet
5 - Security Gateway. Queries user data and retrieves CRLs from the nearest User Directory server replication (6).
6 - User Directory server replication.

Setting High Availability Priority

With multiple replications, define the priority of each LDAP server in the Account Unit. Then
you can define a server list on the Security Gateways.
Select one LDAP server for the Security Management Server to connect to. The Security
Management Server supports only one LDAP server replication. You must synchronize all
other replications for standby purposes.
To set priority on the Account Unit

1. Open the LDAP Account Unit Properties window.


2. Open the Servers tab.
3. Add the LDAP servers of this Account Unit in the required order of priority.


Configuring Users on an External LDAP Server


LDAP is an external identity integration technology supported by Check Point.
An LDAP server provides these capabilities:
n The Security Gateway can use the LDAP data to authenticate and authorize users.
n The Security Gateway can retrieve CRLs when it uses certificate information.
Other identity integration options include: the Check Point management internal user database, Entra ID, and Check Point Infinity Identity.

Microsoft Active Directory


For an overview of Microsoft Active Directory, see Active Directory Domain Services.
The branch CN=Schema,CN=Configuration,DCROOT contains all schema definitions.
Check Point can use existing Active Directory objects as well as add new types. For users, the existing user object can be used "as is" or extended with fw1person as an auxiliary class of "User" for full feature granularity. The existing Active Directory "Group" type is supported "as is". A User Directory template can be created by adding the fw1template object class. This information is loaded into the directory with the schema_microsoft_ad.ldif file (see "Adding New Attributes to the Active Directory" on page 219).

Performance

For certain Software Blades, the information related to the user's Active Directory groups is stored in the user object. Therefore, when the user object is fetched, no additional query is necessary to assign the groups to the user. The same is true for users and templates. In some cases, the Security Gateway sends additional queries. See sk128212.

Manageability

SmartConsole allows the creation and management of existing and new objects. However,
some specific Active Directory fields are not enabled in SmartConsole.

Enforcement

You can work with the existing Active Directory objects without extending the schema. This is
made possible by defining an Internal Template object and assigning to it the User Directory
Account Unit defined on the Active Directory server.
For example, if you wish to enable all users with IKE+Hybrid based on the Active Directory
passwords, create a new template with the IKE properties enabled and "Check Point
password" as the authentication method.


Updating the Registry Settings

To modify the Active Directory schema, add a new registry DWORD value named Schema Update Allowed with a value different from zero under HKLM\System\CurrentControlSet\Services\NTDS\Parameters.

Delegating Control

Delegating control over the directory to a specific user or group is important because, by default, the system administrator is not allowed to modify the schema or even to manage directory objects through the User Directory (LDAP) protocol.
To delegate control over the directory

1. On the Domain Controller, open the Active Directory Users and Computers Control
console.
2. Right-click the domain name displayed in the left pane and select Delegate control
from the right-click menu.
The Delegation of Control wizard window is displayed.
3. Add a user or a group to the list of users who can control the directory.
4. Reboot the machine.

Extending the Active Directory Schema

To use SmartConsole to configure Active Directory users, modify the Active Directory schema with the schema file.

To extend the Active Directory schema

1. On the Security Gateway, go to the directory of the schema file: $FWDIR/lib/ldap.
2. Copy schema_microsoft_ad.ldif to the C:\ drive of the Active Directory server.
3. On the Active Directory server, open the schema file in a text editor.
4. Find the value DOMAINNAME and replace it with the name of your domain in LDIF format.
For example, the domain [Link] in LDIF format is:
DC=sample,DC=checkpoint,DC=com

5. Make sure that there is a dash character (-) at the end of the modify section.
This is an example of the modify section:

dn: CN=User,CN=Schema,CN=Configuration,DC=sample,DC=checkpoint,DC=com
changetype: modify
add: auxiliaryClass
auxiliaryClass: [Link].[Link]
-

6. Run:
ldifde -i -f c:/schema_microsoft_ad.ldif

Adding New Attributes to the Active Directory

Below is an example in LDAP Data Interchange Format (LDIF) that shows how to add one attribute to the Microsoft Active Directory schema:

dn: CN=fw1auth-method,CN=Schema,CN=Configuration,DCROOT
changetype: add
adminDisplayName: fw1auth-method
attributeID: [Link].[Link]
attributeSyntax: [Link]
cn: fw1auth-method
distinguishedName: CN=fw1auth-method,CN=Schema,CN=Configuration,DCROOT
instanceType: 4
isSingleValued: FALSE
LDAPDisplayName: fw1auth-method
name: fw1auth-method
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DCROOT
objectClass: attributeSchema
oMSyntax: 20
rangeLower: 1
rangeUpper: 256
showInAdvancedViewOnly: TRUE

You can add all Check Point attributes in the same way.
The definitions of all attributes in LDIF format are contained in the schema_microsoft_ad.ldif file located in the $FWDIR/lib/ldap directory.
Before you run the ldapmodify command, edit schema_microsoft_ad.ldif and replace all instances of DCROOT with the domain root of your organization. For example, if your domain is [Link], replace DCROOT with dc=support,dc=checkpoint,dc=com.


After modifying the file, run the ldapmodify command to load the file into the directory. For example, if you use the system administrator account of the dc=support,dc=checkpoint,dc=com domain, the command syntax is as follows:

ldapmodify -c -h [Link] -D "cn=administrator,cn=users,dc=support,dc=checkpoint,dc=com" -w SeCrEt -f $FWDIR/lib/ldap/schema_microsoft_ad.ldif

The -c option makes ldapmodify continue past entries that fail (for example, attributes that already exist), so read the output for every entry that is reported as an error. Passing the bind password with -w exposes it in the process list and in the shell history; on an interactive shell use -W to be prompted for it instead.

Note - A shell script is available for UNIX gateways. The script is at:
$FWDIR/lib/ldap/update_schema_microsoft_ad
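The preparation steps above (replacing DOMAINNAME or DCROOT with the DC= form of your domain, and making sure every modify section ends with a dash) can be scripted and checked before ldifde or ldapmodify is run. The following Python script is an added example, not part of this guide and not Check Point's schema tooling. It assumes the DOMAINNAME and DCROOT placeholder tokens described above; the LDIF embedded in it is a constructed sample modelled on the records shown, and exampleAuxClass is a placeholder class name, not a Check Point object class.

```python
"""Prepare and sanity-check an AD schema LDIF before loading it.

Added example: not Check Point code. Assumes the DOMAINNAME and DCROOT
placeholder tokens that the guide describes; the sample LDIF at the bottom
is constructed, and exampleAuxClass is a placeholder class name.
"""
from typing import Iterator, List, Tuple

PLACEHOLDERS = ("DOMAINNAME", "DCROOT")


def domain_to_dc(domain: str, upper: bool = True) -> str:
    """support.checkpoint.com -> DC=support,DC=checkpoint,DC=com"""
    labels = [lbl for lbl in domain.strip().strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    attr = "DC" if upper else "dc"
    return ",".join(f"{attr}={lbl}" for lbl in labels)


def substitute_root(ldif: str, domain: str) -> str:
    """Replace every placeholder token with the DC= form of `domain`."""
    dc = domain_to_dc(domain)
    for token in PLACEHOLDERS:
        ldif = ldif.replace(token, dc)
    return ldif


def _records(ldif: str) -> Iterator[List[str]]:
    """Split LDIF into blank-line separated records; drop comment lines and
    join folded continuation lines (leading space) to the line above."""
    rec: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if rec:
                yield rec
                rec = []
        elif raw.startswith(" ") and rec:
            rec[-1] += raw[1:]
        else:
            rec.append(raw)
    if rec:
        yield rec


def validate_ldif(ldif: str) -> List[str]:
    """Return the problems found; an empty list means the file is ready
    for ldifde / ldapmodify."""
    problems: List[str] = []
    for n, rec in enumerate(_records(ldif), 1):
        if not rec[0].lower().startswith("dn:"):
            problems.append(f"record {n}: does not start with dn:")
            continue
        dn = rec[0].split(":", 1)[1].strip()
        for token in PLACEHOLDERS:
            if token in dn:
                problems.append(f"record {n}: placeholder {token} left in dn")
        changetype = next((ln.split(":", 1)[1].strip().lower()
                           for ln in rec if ln.lower().startswith("changetype:")), None)
        # A modify record must close its last modification block with "-".
        if changetype == "modify" and rec[-1].strip() != "-":
            problems.append(f"record {n} ({dn}): modify section must end with '-'")
    return problems


def prepare(ldif: str, domain: str) -> Tuple[str, List[str]]:
    """Substitute the domain root, then validate. Returns (text, problems)."""
    out = substitute_root(ldif, domain)
    return out, validate_ldif(out)


# Constructed sample; the second record deliberately omits the closing dash
# so that the check has something to report.
SAMPLE_LDIF = """\
# constructed sample, not the real schema file
dn: CN=fw1auth-method,CN=Schema,CN=Configuration,DCROOT
changetype: add
cn: fw1auth-method
objectClass: attributeSchema
isSingleValued: FALSE

dn: CN=User,CN=Schema,CN=Configuration,DCROOT
changetype: modify
add: auxiliaryClass
auxiliaryClass: exampleAuxClass
"""

if __name__ == "__main__":
    text, problems = prepare(SAMPLE_LDIF, "support.checkpoint.com")
    for p in problems:
        print("PROBLEM:", p)
    print(text)
```

Run it against the real schema file by reading $FWDIR/lib/ldap/schema_microsoft_ad.ldif into prepare() and writing the returned text to the file you pass to ldifde or ldapmodify; only load it when the problem list is empty.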

Updating the user or service account password in the LDAP account unit for Active Directory
Security Gateways authenticate to the LDAP server with the user name and password saved in the LDAP Account Unit object in SmartConsole. After a Security Gateway establishes a connection to the LDAP server, it reuses that connection for subsequent LDAP queries without authenticating again, so an existing session is not affected by a password change, but the next bind uses the credentials stored in the account unit.
If you change the password of this account in Active Directory on the LDAP server, you must do these steps for the change to apply:
1. Update the password in the LDAP Account Unit.
2. Install policy.

Managing Gateways
This section describes how to create, update, and manage Security Gateways, and to use
Secure Internal Communication (SIC) methods for Check Point platforms and products to
authenticate each other.

Secure Internal Communication (SIC)


Check Point platforms and products authenticate each other through one of these Secure Internal Communication (SIC) methods:
- Certificates
- Standards-based TLS for the creation of secure channels (for information about supported TLS versions, see sk178505)
- Encryption
SIC creates trusted connections between Security Gateways, management servers and other Check Point components. Trust is required to install policies on Security Gateways and to send logs between Security Gateways and management servers.

Note - To see SIC errors, examine the $CPDIR/log/sic_info.elg file on the Security Management Server and on the Security Gateway.

Initializing Trust
To establish the initial trust, a Security Gateway and a Security Management Server use a
one-time password. After the initial trust is established, further communication is based on
security certificates.

Note - Make sure the clocks of the Security Gateway and Security Management
Server are synchronized, before you initialize trust between them. This is necessary
for SIC to succeed. To set the time settings of the Security Gateway and Security
Management Server, go to the Gaia Portal > System Management > Time.

To initialize Trust

1. In SmartConsole, open the Security Gateway network object.


2. In the General Properties page of the Security Gateway, click Communication.
3. In the Communication window, enter the Activation Key that you created during
installation of the Security Gateway.
4. Click Initialize.
The ICA signs and issues a certificate to the Security Gateway.


Trust state is Initialized but not trusted. The Internal Certificate Authority (ICA) issues
a certificate for the Security Gateway, but does not yet deliver it.
The two communicating peers authenticate over SSL with the shared Activation Key.
The certificate is downloaded securely and stored on the Security Gateway. The
Activation Key is deleted.
The Security Gateway can communicate with Check Point hosts that have a security
certificate signed by the same ICA.

SIC Status
After the Security Gateway receives the certificate issued by the ICA, the SIC status shows if
the Security Management Server can communicate securely with this Security Gateway:
- Communicating - Secure communication is established.
- Unknown - There is no connection between the Security Gateway and Security Management Server.
- Not Communicating - The Security Management Server can contact the Security Gateway, but cannot establish SIC. A message shows more information.

Managing Trust State


If the Trust State is compromised (keys were leaked, certificates were lost) or objects changed
(user leaves, open server upgraded to an appliance), reset the Trust State. When you reset
Trust, the SIC certificate is revoked.

The Certificate Revocation List (CRL) is updated for the serial number of the revoked
certificate. The ICA signs the updated CRL and issues it to all Security Gateways during the
next SIC connection. If two Security Gateways have different CRLs, they cannot authenticate.

1. In SmartConsole, from the Gateways & Servers view, double-click the Security
Gateway object.
2. Click Communication.
3. In the Trusted Communication window that opens, click Reset.
4. Install Policy on the Security Gateways.
This deploys the updated CRL to all Security Gateways. If you do not have a Rule Base
(and therefore cannot install a policy), you can reset Trust on the Security Gateways.

Important - Before you can establish a new trust state in SmartConsole, make
sure the same one-time activation password is configured on the Security
Gateway and on the Security Management Server.


Troubleshooting SIC

If SIC fails to initialize


1. Make sure there is connectivity between the Security Gateway and the Security
Management Server.
2. Make sure that the Security Management Server and the Security Gateway use the
same SIC activation key (one-time password).
3. If the Security Management Server is behind a Security Gateway, make sure there are
rules that allow connections between the Security Management Server and the remote
Security Gateway. Make sure Anti-Spoofing settings are correct.
4. Make sure the name and IP address of the Security Management Server are in the
/etc/hosts file on the Security Gateway.
If the IP address of the Security Management Server is mapped through static NAT by its
local Security Gateway, add the public IP address of the Security Management Server to
the /etc/hosts file on the remote Security Gateway. Make sure the IP address
resolves to the server's hostname.
5. Make sure the date and time settings of the operating systems are correct. If the clocks of the Security Management Server and the remote Security Gateway are not synchronized (for example, because of an incorrect time zone setting), the remote Security Gateway may have to wait until the certificate it receives becomes valid.
6. Try to establish SIC again.
To establish a new trust state for a Security Gateway

On the Security Gateway:
a. Open the command line interface on the Security Gateway.
b. Run:
cpconfig
c. Enter the number for Secure Internal Communication and press Enter.
d. Enter y to confirm.
e. Enter and confirm the activation key.
f. When done, enter the number for Exit.
g. Wait for Check Point processes to stop and automatically restart.

In SmartConsole:
a. In the General Properties window of the Security Gateway, click
Communication.

b. In the Trusted Communication window, enter the one-time password (activation key) that you entered on the Security Gateway.
c. Click Initialize.
d. Wait for the Certificate State field to show Trust established.
e. Click OK.

7. Remote user access to resources and Mobile Access - If you install a certificate on a
Security Gateway with the Mobile Access Software Blade already enabled, you must
reinstall the policy. Otherwise, remote users are not able to reach network resources.
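The checks in steps 4 and 5 above can be run as a pre-flight before you try to establish SIC again. The following Python script is an added example, not Check Point code: it parses /etc/hosts content taken from the gateway, confirms that the management server's name maps to the address the gateway actually has to reach (the static-NAT public address when one is used), and compares the two clocks after converting both to UTC, so that correct clocks in different time zones pass while a lagging gateway clock is reported as a certificate that is not yet valid. The hosts-file content, host names, addresses, timestamps and the 60-second tolerance are constructed assumptions.

```python
"""SIC pre-flight checks for a remote Security Gateway.

Added example: not Check Point code. It scripts the manual checks listed
above: the management server's name must resolve on the gateway (through
/etc/hosts) to the address the gateway actually reaches, which is the
static-NAT public address when one is used, and the two clocks must agree
closely enough that a certificate issued now is already valid on the
gateway. Hosts-file content, names, addresses and timestamps are constructed.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname and alias in /etc/hosts content to its address."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        for name in parts[1:]:
            mapping.setdefault(name.lower(), parts[0])
    return mapping


def check_name_resolution(hosts_text: str, mgmt_name: str, mgmt_ip: str,
                          nat_public_ip: Optional[str] = None) -> List[str]:
    """Findings for the /etc/hosts check; an empty list means OK."""
    expected = nat_public_ip or mgmt_ip
    resolved = parse_hosts(hosts_text).get(mgmt_name.lower())
    if resolved is None:
        return [f"{mgmt_name} is missing from /etc/hosts; add '{expected} {mgmt_name}'"]
    if resolved != expected:
        why = "static-NAT public address" if nat_public_ip else "management address"
        return [f"{mgmt_name} resolves to {resolved} but must resolve to {expected} ({why})"]
    return []


def check_clock_skew(gateway_now: str, mgmt_now: str, tolerance_s: int = 60) -> List[str]:
    """Compare two ISO-8601 timestamps that carry UTC offsets. Both are
    converted to UTC first, so correct clocks in different time zones agree
    and only a real offset is reported. The certificate's validity starts at
    the management server's time, so a lagging gateway clock sees it as not
    yet valid. The 60 s tolerance is an assumption, not a Check Point value."""
    gw = datetime.fromisoformat(gateway_now).astimezone(timezone.utc)
    mg = datetime.fromisoformat(mgmt_now).astimezone(timezone.utc)
    skew = (gw - mg).total_seconds()
    if abs(skew) <= tolerance_s:
        return []
    if skew < 0:
        return [f"gateway clock lags the management server by {int(-skew)} s; "
                "a certificate issued now is not yet valid on the gateway"]
    return [f"gateway clock leads the management server by {int(skew)} s; "
            "synchronize the clocks before initializing trust"]


def sic_preflight(hosts_text: str, mgmt_name: str, mgmt_ip: str,
                  gateway_now: str, mgmt_now: str,
                  nat_public_ip: Optional[str] = None) -> List[str]:
    """All findings; an empty list means the gateway is ready for Initialize."""
    return (check_name_resolution(hosts_text, mgmt_name, mgmt_ip, nat_public_ip)
            + check_clock_skew(gateway_now, mgmt_now))


# Constructed /etc/hosts from the gateway: the management server is listed
# with its private address, which is wrong once it sits behind static NAT.
HOSTS = """\
127.0.0.1   localhost
10.10.1.5   mgmt01.example.test mgmt01
"""

if __name__ == "__main__":
    findings = sic_preflight(HOSTS, "mgmt01.example.test", "10.10.1.5",
                             gateway_now="2026-05-07T10:00:00+02:00",
                             mgmt_now="2026-05-07T08:05:00+00:00",
                             nat_public_ip="203.0.113.10")
    print("\n".join(findings) or "ready to initialize SIC")
```

Feed it the gateway's real /etc/hosts and the output of date on both machines; two findings, as in the sample run, mean the hosts entry must point at the public NAT address and the gateway clock must be corrected before you click Initialize again.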

Understanding the Check Point Internal Certificate Authority (ICA)
The ICA (Internal Certificate Authority) is created on the Security Management Server when you configure it for the first time. The ICA issues certificates for authentication:
- Secure Internal Communication (SIC) - Authenticates communication between Security Management Servers, and between Security Gateways and Security Management Servers.
- VPN certificates for gateways - Authentication between members of the VPN community, to create the VPN tunnel.
- Users - For strong methods to authenticate user access according to authorization and permissions.

ICA Clients
In most cases, certificates are handled as part of the object configuration. To control the ICA
and certificates in a more granular manner, you can use one of these ICA clients:
- The Check Point Configuration Tool - This is the cpconfig CLI utility. One of the options creates the ICA, which issues a SIC certificate for the Security Management Server.
- SmartConsole - SIC certificates for Security Gateways and administrators, VPN certificates, and user certificates.
- "The ICA Management Tool" on page 654 - VPN certificates for users and advanced ICA operations.
See audit logs of the ICA in SmartConsole Logs & Events > New Tab > Open Audit Logs View.

SIC Certificate Management

Manage SIC certificates in:
- Communication tab of the Security Gateway properties window.
- "The ICA Management Tool" on page 654.
Certificates have these configurable attributes:

Attribute          Default           Comments
validity           5 years
key size           2048 bits
KeyUsage           5                 Digital Signature and Key Encipherment
ExtendedKeyUsage   0 (no KeyUsage)   VPN certificates only

To learn more about key size values, see RSA key lengths.

Creating a New Security Gateway


A Security Gateway enforces security policies configured on the Security Management Server.
To install security policies on the Security Gateway, configure the Security Gateway object in
SmartConsole.

To define a new Security Gateway object


1. From the navigation toolbar, select Gateways & Servers.
2. Click New, and select Gateway.
The Check Point Security Gateway Creation window opens.
3. Click Classic Mode.

The Check Point Gateway properties window opens and shows the General Properties
screen.

4. Enter the host Name and the IPv4 Address or IPv6 Address.
5. Click Communication.
The Trusted Communication window opens.
6. Select a Platform.

Important - Make sure to select the correct Appliance model. Otherwise, policy
installation may fail.

7. In the Authentication section, enter and confirm the One-time password.


If you selected Small Office Appliance platform, make sure Initiate trusted
communication automatically when the Gateway connects to the Security
Management Server for the first time is selected.


8. Click Initialize to establish trusted communication with the Security Gateway (see
"Secure Internal Communication (SIC)" on page 221).
If trust fails to establish, click OK to continue configuring the Security Gateway.
9. Click OK.
10. The Get Topology Results window opens and shows the interfaces that were retrieved from the Security Gateway.
11. Click Close.
12. In the Platform section, select the Hardware, the Version, and the OS.
If trust is established between the server and the Security Gateway, click Get to
automatically retrieve the information from the Security Gateway.

13. Select the Software Blades to enable on the Security Gateway.


For some of the Software Blades a first-time setup wizard will open. You can run the
wizard now or later. For more on the setup wizards, see the relevant Administration
Guide.

Note - You cannot add additional information fields to the Security Gateway object.

Manually Updating the Gateway Topology


As the network changes, you must update the Security Gateway topology.

To update the Security Gateway topology


1. In SmartConsole, click Gateways & Servers.
2. Double-click the Security Gateway object.
The Security Gateway property window opens.
3. Click Network Management.
4. Click Get Interfaces and select the applicable option:
- Get Interfaces With Topology
A warning window asks if you want to overwrite the existing Topology and Anti-Spoofing settings.
Click Yes.
Note - The physical interfaces that are part of a Bridge interface always appear with the topology "Undefined".
Workaround: Use the API command "get-interfaces".
- Get Interfaces Without Topology

Note - For more information about the Get Interfaces feature, see sk183590.

5. The Get Topology Results window opens.

6. Click Accept.
7. Configure the applicable Topology and Anti-Spoofing settings for the interfaces.
8. Click OK.
9. Install the Access Control Policy.

Get Interfaces API


You can use the Check Point API to execute the Get Interfaces command.
The Get Interfaces API:
- Supports a larger number of interfaces compared with SmartConsole.
- Supports these interfaces which are not supported by SmartConsole: Bridge and Bond interfaces without IP addresses.
- Configures the default topology for internal networks for Security Gateway and ClusterXL R80.20 and higher to Network defined by routes, where applicable (the default in SmartConsole is This network (Internal)).
- Does not get unnecessary Bridge and Bond satellite interfaces.

The Get Interfaces API command only supports Security Gateways and ClusterXL that run on
Gaia operating system.
For explanations on how to use the API Get Interfaces command, see the Check Point
Management API Reference (at the top, select the correct version) .

Dynamically Updating the Security Gateway Topology

When the topology of an internal interface is set to Network defined by routes, the range of IP addresses behind that interface is recalculated automatically, every second by default, without the administrator having to click Get Interfaces and install a policy.

To configure dynamic topology updates


1. Open Gateway Properties > Network Management.
2. Select an interface and click Edit.

3. In the Topology section, click Modify.


4. In the Leads To section, select Network defined by routes.
5. Click OK.
This default update value is configured in SmartConsole > Preferences and set to one
second. The value set here applies to all internal interfaces for all gateways in the Domain.

To set the update value for a specific interface


1. Open Gateway Properties > Network Management.
2. Select an interface and click Actions > Settings.

3. Select Use custom update time (seconds) and set the applicable update time.
4. Click OK.

Dynamic Anti-Spoofing
When Anti-Spoofing is selected and you click Get interfaces, the Security Gateway generates
a list of valid IP addresses based on the IP address and netmask of the interface and the
routes assigned to the interface.
Anti-Spoofing drops packets with a source IP address that does not belong to the network
behind the packet's interface. For example, packets with an internal IP address that comes
from an external interface.
When the Network defined by routes option is selected together with Perform Anti-Spoofing based on interface topology, you get Dynamic Anti-Spoofing. The range of valid IP addresses is calculated automatically, without the administrator having to click Get Interfaces or install a policy.
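The following Python script is an added example, not Check Point code, that models the behaviour described in this section: the legitimate source addresses behind an internal interface are its own network plus every route whose egress is that interface (Network defined by routes), a packet whose source is not in the set for its ingress interface is dropped, and an internal address arriving on the external interface is dropped. Recomputing the sets from a changed routing table is the "dynamic" part. Interface names, addresses, routes and packets are constructed, and the external interface is treated as "everything not claimed by an internal interface".

```python
"""Valid-source sets per interface and the anti-spoofing verdict.

Added example: not Check Point code. Interface names, addresses, routes
and packets below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Route = Tuple[str, str]            # (destination CIDR, egress interface)
Topology = Dict[str, List[ipaddress.IPv4Network]]


def valid_sources(if_cidr: str, routes: Iterable[Route], ifname: str) -> List[ipaddress.IPv4Network]:
    """Connected network of `ifname` plus the destinations routed out of it,
    collapsed so that a /24 inside a routed /16 is not listed twice."""
    nets = [ipaddress.ip_interface(if_cidr).network]
    nets += [ipaddress.ip_network(dst, strict=False)
             for dst, via in routes if via == ifname]
    return list(ipaddress.collapse_addresses(nets))


def build_topology(interfaces: Dict[str, str], routes: Iterable[Route], external: str) -> Topology:
    """Valid-source sets for every internal interface. Recomputing this when
    the routing table changes is what the dynamic topology amounts to."""
    routes = list(routes)
    return {name: valid_sources(cidr, routes, name)
            for name, cidr in interfaces.items() if name != external}


def anti_spoof_verdict(topo: Topology, external: str, ingress: str, src: str) -> str:
    """'accept' or 'drop (...)' for a packet with source `src` seen on `ingress`."""
    ip = ipaddress.ip_address(src)
    if ingress == external:
        # External side: anything goes except addresses that belong inside.
        if any(ip in n for nets in topo.values() for n in nets):
            return "drop (internal address on external interface)"
        return "accept"
    if any(ip in n for n in topo[ingress]):
        return "accept"
    return f"drop (source not behind {ingress})"


# Constructed gateway: one external and two internal interfaces.
INTERFACES = {"eth0": "203.0.113.2/24", "eth1": "10.1.0.1/24", "eth2": "10.2.0.1/24"}
ROUTES: List[Route] = [("10.1.0.0/16", "eth1"), ("192.168.50.0/24", "eth2"), ("0.0.0.0/0", "eth0")]
EXTERNAL = "eth0"

# Constructed packets: (ingress interface, source address).
PACKETS = [("eth1", "10.1.7.9"), ("eth1", "10.2.0.5"),
           ("eth0", "10.1.0.5"), ("eth0", "198.51.100.7"),
           ("eth2", "192.168.50.20"), ("eth2", "172.16.4.4")]


def run(routes: Iterable[Route] = ROUTES) -> Dict[Tuple[str, str], str]:
    """Verdict for every constructed packet under the given routing table."""
    topo = build_topology(INTERFACES, routes, EXTERNAL)
    return {pkt: anti_spoof_verdict(topo, EXTERNAL, *pkt) for pkt in PACKETS}


if __name__ == "__main__":
    for pkt, verdict in run().items():
        print(f"{pkt[0]:5} {pkt[1]:16} {verdict}")
    # Add a route and recompute: 172.16/12 becomes legitimate behind eth2
    # without anyone clicking Get Interfaces.
    print(run(ROUTES + [("172.16.0.0/12", "eth2")])[("eth2", "172.16.4.4")])
```

The second run() call is the point of the section: a new route on eth2 changes the verdict for 172.16.4.4 from drop to accept purely by recomputation, which is what the gateway does on its own every update interval when Network defined by routes is selected.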

Managing Licenses
After you run the First Time Configuration Wizard on a Security Management Server, and the Security Management Server connects to the User Center, it automatically activates its license. If the Security Management Server loses Internet connectivity before the license is activated, it retries at an interval.
If you make changes to Management Software Blade licenses of a Security Management
Server in the Check Point User Center, these changes are automatically synchronized with
that Security Management Server.

Notes:
- Automatic activation is supported on Check Point appliances only.
- Automatic synchronization is supported on all R80.30 servers and higher.

To make sure that your environment is synchronized with the User Center, even when the
Security Management Server is not connected to the Internet, we recommend that you
configure a Check Point server with Internet connectivity as a proxy.

Managing Server and Gateway Licenses


Starting from R81, you can add or remove licenses manually in SmartConsole.
Adding and removing a license

Step Instructions

1 In SmartConsole, from the left navigation panel, click Gateways & Servers.

2 In the top pane, select the object of the applicable Management Server or
Security Gateway.

3 In the bottom pane, click the Licenses tab.

4 Add or remove a license:
- To add a license from a license file:
  a. Click Add and select License File.
  b. Browse for the license file.
  c. Select the license file.
  d. Click Open.
- To add a license from a license string:
  a. Click Add and select License String.
  b. Paste the license string.
  c. Click OK.
- To remove a license:
  a. Select the license in the leftmost column.
  b. Click Remove.


Note - To add or remove licenses on the Licenses tab, an administrator must have
the Run One Time Script permission selected in their profile. To assign this
permission, in SmartConsole, go to Manage & Settings > Permissions &
Administrators > Permission Profiles. Open the relevant permission profile, go to
Gateways > Scripts, and select Run One-Time Scripts.
See also "Assigning Permission Profiles to Administrators" on page 116.

You can see these columns with license information:

Column            Description
IP Address        The IP address for which this license was generated.
Expiration Date   Date when the Check Point support contract expires.
CK                Unique Certificate Key of the license instance.
SKU               Catalog ID from the Check Point User Center.

Note - SmartConsole R81 and higher does not support viewing a license of Spark
Firewall appliances with Gaia Embedded OS (in the "Gateways & Servers" view,
select the Security Gateway object > in the bottom pane, click the "Licenses" tab).
Workaround: Use SmartUpdate to view the licenses.
Important - To distribute licenses to Cloud Firewall IaaS Security Gateways, see the
R82 CloudGuard Controller Administration Guide.

Viewing Licenses in SmartConsole

To view license information

Step Instructions
1    From the left navigation panel, click Gateways & Servers.
2    From the Columns drop-down list, select Licenses.

You can see these columns:

Column              Description
License Status      The general state of the Software Blade licenses:
                    - OK - All the blade licenses are valid.
                    - Not Activated - Blade licenses are not installed. This is only possible in the first 15 days after SIC is established with the Security Management Server. After the initial 15 days, the absence of licenses results in the blade error message.
                    - Error with <number> blade(s) - The specified number of blade licenses are not installed or not valid.
                    - Warning with <number> blade(s) - The specified number of blade licenses have warnings.
                    - N/A - No available information.
CK                  Unique Certificate Key of the license instance.
SKU                 Catalog ID from the Check Point User Center.
Account ID          User's account ID.
Support Level       Check Point level of support.
Support Expiration  Date when the Check Point support contract expires.

To view license information for each Software Blade

Step Instructions

1 Select a Security Gateway or a Security Management Server.

2 In the Summary tab below, click the object's License Status (for example: OK).
The Device & License Information window opens. It shows basic object
information and License Status, license Expiration Date, and important quota
information (in the Additional Info column) for each Software Blade.
Notes:
- Quota information, quota-dependent license statuses, and blade information messages are only supported for R80 and higher.
- The tooltip of the SKU is the product name.

The possible values for the Software Blade License Status are:

Status Description

Active The Software Blade is active and the license is valid.

Available The Software Blade is not active, but the license is valid.

No License The Software Blade is active but the license is not valid.

Expired The Software Blade is active, but the license expired.

About to The Software Blade is active, but the license will expire in thirty days
Expire (default) or less (7 days or less for an evaluation license).

Quota The Software Blade is active, and the license is valid, but the quota of
Exceeded related objects (Security Gateways, files, virtual systems, and so on,
depending on the blade) is exceeded.

Quota The Software Blade is active, and the license is valid, but the number of
Warning objects of this blade is 90% (default) or more of the licensed quota.

N/A The license information is not available.

Viewing license information for VSX


SmartConsole reports an error when viewing licenses of Virtual System or Virtual Router
objects.

To see the VSX license information:


Select the VSX Gateway or VSX Cluster object (and not objects of Virtual Systems or Virtual
Routers).

Monitoring Licenses in SmartConsole


To keep track of license issues, you can use these options:

Option Description

License Status view       To see and export license information for Software Blades on each specific Security Management Server, Security Gateway, or Log Server object.

License Status report     To see, filter and export license status information for all configured Security Management Server, Security Gateway, or Log Server objects.

License Inventory report  To see, filter and export license information for Software Blades on all configured Security Management Server, Security Gateway, or Log Server objects.

The SmartEvent Software Blade lets you customize the License Status and License
Inventory information from the Logs & Events view of SmartConsole.
It is also possible to view license information from the Gateways & Servers view of
SmartConsole without enabling the SmartEvent blade on Security Management Server.

The Gateways & Servers view in SmartConsole lets you see and export the License
Inventory report.

Step Instructions

1 View the License Inventory report from the Gateways & Servers view:
1. In SmartConsole, from the left navigation panel, click Gateways & Servers.
2. From the top toolbar, click Actions > License Report.
3. Wait for the SmartView to load and show this report.
By default, this report contains:
- Inventory page: Blade Names, Devices Names, License Statuses
- License by Device page: Devices Names, License statuses, CK, SKU, Account ID, Support Level, Next Expiration Date

2 Export the License Inventory report from the Gateways & Servers view:
1. In the top right corner, click the Options button.
2. Select the applicable export option - Export to Excel, or Export to PDF.


The Logs & Events view in SmartConsole lets you see, filter and export the License Status
report.

Step Instructions

1 View License Status report from the Logs & Events view:
1. In SmartConsole, from the left navigation panel, click Logs & Events
2. At the top, open a new tab by clicking New Tab, or [+].
3. In the left section, click Views.
4. In the list of reports, double-click License Status.
5. Wait for the SmartView to load and show this report.
By default, this report contains:
- Names of the configured objects, License status for each object, CK, SKU, Account ID, Support Level, Next Expiration Date

2 Filter the License Status report in the Logs & Events view:
1. In the top right corner, click the Options button > View Filter.
The Edit View Filter window opens.
2. Select a Field to filter results. For example, Device Name, License Status,
Account ID.
3. Select the logical operator - Equals, Not Equals, or Contains.
4. Select or enter a filter value.
Note - Click the X icon to delete a filter.
5. Optional: Click the + icon to configure additional filters.
6. Click OK to apply the configured filters.
The report is filtered based on the configured filters.

3 Export the License Status report in the Logs & Events view:

1. In the top right corner, click the Options button.


2. Select the applicable export option - Export to Excel, or Export to PDF.


The Logs & Events view in SmartConsole lets you see, filter and export the License
Inventory report.

Step Instructions

1 View the License Inventory report from the Logs & Events view:
1. In SmartConsole, from the left navigation panel, click Logs & Events
2. At the top, open a new tab by clicking New Tab, or [+].
3. In the left section, click Reports.
4. In the list of reports, double-click License Inventory.
5. Wait for the SmartView to load and show this report.
By default, this report contains:
- Inventory page: Blade Names, Devices Names, License Statuses
- License by Device page: Devices Names, License statuses, CK, SKU, Account ID, Support Level, Next Expiration Date

2 Filter the License Inventory report in the Logs & Events view:
1. In the top right corner, click the Options button > Report Filter.
The Edit Report Filter window opens.
2. Select a Field to filter results. For example, Blade Name, Device Name,
License Overall Status, Account ID.
3. Select the logical operator - Equals, Not Equals, or Contains.
4. Select or enter a filter value.
Note - Click the X icon to delete a filter.
5. Optional: Click the + icon to configure additional filters.
6. Click OK to apply the configured filters.
The report is filtered based on the configured filters.

3 Export the License Inventory report in the Logs & Events view:
1. In the top right corner, click the Options button.
2. Select the applicable export option - Export to Excel, or Export to PDF.

License or Quota Changes


The SmartConsole GUI client is not aware of license or quota changes in real time. As a result,
the alert for 'License quota Exceeded' does not pop up immediately when the license quota is
exceeded on the Security Management Server.

To see the license changes:


1. Connect with SmartConsole to the Security Management Server.
2. From the left navigation panel, click Logs & Events.


3. From the top, click [+] to open a new tab.


4. Open the Compliance view (for more information, see sk120256 - ATRG: Compliance
Blade (R80.10 and higher)).
Changes in quota data in the entitlement or compliance are updated after:
- Compliance midnight scan
- License changes
- Running the 'cpstop ; cpstart' commands on the Security Management Server

Security Gateway Indicators


An administrator manages multiple Security Gateways in SmartConsole. The Security
Gateway indicators feature in the Gateways & Servers view helps the administrator verify
which Jumbo Hotfix Accumulators are installed and ensure all Security Gateways are up to
date with the recommended versions.
In the Gateways & Servers view, the Version column displays the current Jumbo Hotfix
Accumulator installed on each Security Gateway. When you hover over the Version column, if
the currently installed Jumbo Hotfix Accumulator is not recommended, a message appears
suggesting the recommended Jumbo Hotfix Accumulator for installation.
The Version column shows an indicator based on the Security Gateway status:
- No color indicator:
  - The Security Gateway is up to date: the latest Jumbo Hotfix Accumulator is installed on the Security Gateway.
  - The Jumbo Hotfix Accumulator installed on the Security Gateway is not the latest. A message appears suggesting the recommended Jumbo Hotfix Accumulator for installation.
- Yellow color indicator - The installed Jumbo Hotfix Accumulator take is too old and must be upgraded to the recommended Jumbo Hotfix Accumulator.
- Red color indicator - The version installed on the Security Gateway is unsupported.
- Gray color indicator - There is no available information about the Security Gateway. A gray indicator appears in these cases:
  - The Security Gateway runs a version or take that does not support the feature.
  - The Security Gateway has not connected to the Check Point Download Center for at least a month.
  - The Check Point Download Center does not allow updates on the Security Gateway.
  - The Security Gateway has no license or contract.
For a list of indicator exceptions, see sk182159.
The Security Gateway indicators also appear in the Summary tab for each Security Gateway at the bottom of the Gateways & Servers view.
You can filter the Gateways & Servers view based on the Gateway indicators. To do so, go to the top toolbar menu, click the filter icon, and then select version warning. From the available options, you can select:

- None - Security Gateways with no color indicator
- Unsupported - Security Gateways with a red color indicator
- Alert - Security Gateways with a yellow color indicator
- N/A - Security Gateways with a gray color indicator

Notes:
- Indications for Cluster Members show for each Cluster Member independently and not for the Security Cluster object.
- Upgrading a VSX Gateway also upgrades all related Virtual Gateways.

Installing the Recommended Take on the Security Gateway


When you hover over the Security Gateway, a message appears indicating the Jumbo Hotfix
Accumulator to install on the Security Gateway.

To postpone the installation date of the Jumbo Hotfix Accumulator on the Security Gateway
1. Click the Options button in the message.
A window opens with the name of the recommended Jumbo Hotfix Accumulator take
number.

2. In this window you can set a reminder for a future installation date. Select the required
future rescheduling time from the drop-down menu. If you select the Apply to all
gateways and servers checkbox, the reminder is set to all Security Gateways and
servers to which the Hotfix applies.
3. Click OK.
The indicator turns off on all relevant Security Gateways and servers.

To install the recommended Jumbo Hotfix Accumulator on the Security Gateway


1. Click the Open Installation Window button.
The Install Jumbo/Hotfix window opens.

2. In the Hotfix/Jumbo section, select one of these options:
- Install the Recommended Hotfix/Jumbo
or
- Install a Specific Hotfix/Jumbo
  a. Enter the version number / Hotfix file name.
  b. Click the search icon next to the text box.
  This process makes sure that the package is available for download from the Check Point servers.
3. In the Gateways section, see the Security Gateway that you selected for this installation.

Note - To install the package on more than one Security Gateway or Cluster Member, go to the Gateways & Servers view, press and hold the CTRL key to select all the required Security Gateways and Cluster Members. Then, from the top toolbar menu, click Actions and select Install Jumbo/Hotfix.

4. In the Settings section, select the applicable option for the High Availability cluster:
- Install on all cluster members - Installs the selected package on all members in this cluster (active and standby). This can cause cluster failover and interrupt the traffic.
- Install on non-active members only - Installs the selected package only on standby cluster members.
  - Once installation is complete, turn non-active member to active - Changes the cluster state of a standby cluster member to active.
5. In the Download package timing section, select the Download/Deliver package to Security Gateways as part of verification check box if you want to download the package during the verification process. If you do not select this check box, the verification process is performed first and then the file is downloaded as a separate action.
6. In the Advanced section, select the source from which the Security Gateway downloads the package:
- Automatic - If the package is in the Package Repository, the Management Server transfers it to the Security Gateway. If the package is not in the Package Repository, the Security Gateway downloads it from the Check Point Cloud.
- Gateway - The Security Gateway downloads the package from the Check Point Cloud. The Security Gateway must be connected to the Internet.
- Management - The Security Gateway downloads the package from the Management Server.
7. At the bottom, click Verify.

The verification process starts. The verification process makes sure that the selected Hotfix can be installed on the targets. The verification process makes sure this package does not override other installed Hotfixes and that enough free disk space is available for the process to complete.
To see the progress of the verification process, open the Tasks view in the bottom left corner of SmartConsole and click Details.

8. Click Install.
9. Central Deployment makes sure that Access Control Policy is installed.
10. After the installation is complete, you must install the applicable Threat Prevention policy
on the target Security Gateways and Clusters.

Central Deployment of Hotfixes and Version Upgrades

Introduction
Use Central Deployment in SmartConsole to perform batch deployment of:
- Jumbo Hotfix Accumulators and Hotfixes on Security Gateways and Cluster Members.
- Upgrade Packages on Security Gateways, Cluster Members, Log Servers and secondary Management Servers.
- Uninstallation of Jumbo Hotfix Accumulators and Hotfixes.

You can deploy a Hotfix or Upgrade Package from:
- The Check Point Cloud.
- The Package Repository on the Management Server. First, you must upload the applicable package to the Package Repository. See "Adding a package to the Package Repository" on page 246.
To use Central Deployment through the API, see the Check Point Management API Reference (at the top, select the correct version).

Best Practice - Use the Package Repository on the Management Server if the
target's connectivity to the Management Server is better than the target's connectivity
to the cloud, or if the target is overloaded with traffic.
Note - You can select up to 30 Security Gateways and Cluster Members, but
installation can take place only on 10 targets at the same time. The Management
Server places each target above the 10th in a queue. Each time an installation
completes on one of the targets, the Management Server installs it on the next target
in the queue.

Some Security Gateways have Recommended Hotfixes. See the Recommended Jumbo column in the Gateways & Servers view.
You can deploy a Recommended Jumbo Hotfix Accumulator or a specific Jumbo Hotfix Accumulator take.


Prerequisites
To use Central Deployment:
- The administrator must have SmartUpdate write permission on the Management Server.
- The latest build of the CPUSE Deployment Agent must be installed on the target Security Gateways and Cluster Members or on the Management Server.
- SIC must already be established between the Management Server and the target Security Gateways and Cluster Members.
- A policy must be installed on the target Security Gateways and Cluster Members.
- Only full clusters can be selected (you cannot select one cluster member).
To use Central Deployment directly from the Check Point Cloud:
1. The Management Server must be able to connect to the Check Point Cloud.
2. The target Security Gateways and Cluster Members must be able to connect to the Check Point Cloud.

Limitations
- Upgrade from the R80.30, R80.20, and R80.10 versions is not supported (to upgrade from these versions to a higher version, use the CPUSE in-place upgrade).
- Central Deployment does not support:
  - Connecting from SmartConsole to the Security Management Server through a proxy server. In this case, use the applicable API command.
  - ClusterXL in Load Sharing mode.
  - VRRP Cluster.
  - Security Group in Maestro.
  - Security Group on Scalable Chassis 40000 / 60000.
  - ElasticXL Cluster.
  - For Centrally Managed Spark Firewall Appliances running the Gaia Embedded operating system:
    - Downloading the package from the Check Point Cloud. You must manually add the required package to the Package Repository on the Security Management Server.
    - When you use SmartConsole Central Deployment to install a firmware package of the same version, but of a lower build number than is already installed on a Spark Firewall appliance, the "Verify" action does not compare the firmware build numbers. Therefore, SmartConsole shows that "The package is valid for installation", while in fact the installation fails by design.
  - On Multi-Domain Servers, SmartConsole connected to the Global Domain, or the Multi-Domain Server context.

Installation
Adding a package to the Package Repository

1. From the left navigation panel, click Manage & Settings.
2. From the left tree, click Package Repository.
3. Click New and select one of these options:
- Download from cloud - To download the package to the Package Repository from the Check Point Cloud, paste the package CPUSE identifier and click Download.
- Upload from local - To upload the package to the Package Repository from your device, browse to the applicable package and click Open.
After the download or upload is complete, the package appears in the Package Repository window in the SmartConsole > Manage & Settings view.

Notes:
- Add one package to the repository at a time.
- For Spark Firewall Appliances that run Gaia Embedded OS [Link] and higher, you must download a special TAR package (that contains the firmware image and the required configuration file [Link]) and use the "Upload from local" option.
- When you upload a package to the Package Repository in a Multi-Domain environment:
  - You can upload the package to the Global Domain. In this case, you can see the uploaded package from all Domains and install it on the Domain or Domains of your choice.
  - You can upload the package to a specific Domain. In this case, you can see the package and install it only on that specific Domain.

Installing a Hotfix or Upgrade Package on multiple Security Gateways or Cluster Members

Warning - Before you install firmware on a Spark Firewall appliance that runs Gaia Embedded OS, you must disconnect any external storage from the USB port (at the minimum, make sure that the external storage does not contain firmware images for Spark Firewall appliances).
Best Practice - Central deployment of Hotfixes or upgrade packages on the Security Management Server relies on the status reports from the managed Gaia servers. Therefore, we recommend that you wait two minutes after the Gaia server is up and running before you install a Hotfix or upgrade package.

1. From the left navigation panel, click Gateways & Servers.
2. Select the target Security Gateways or Cluster Members for deployment.
To select multiple targets, press and hold the CTRL key.
To upgrade Cluster Members, select the cluster object.
3. From the toolbar menu, click Actions and select one of these options:
- Install Hotfix/Jumbo
- Version Upgrade
The Install Hotfix or Version Upgrade window opens, and shows information about the selected targets and their corresponding recommended Hotfix or Upgrade Package.

4. If you selected "Install Hotfix/Jumbo", in the "Hotfix/Jumbo" section, select one of these options:
- Install the Recommended Hotfix/Jumbo
or
- Install a Specific Hotfix/Jumbo

Note - If there is no recommended Jumbo Hotfix Accumulator for the selected targets, this option is grayed out. If a recommended Jumbo Hotfix Accumulator applies only to some of the selected targets, the deployment takes place only for those targets.

  a. Enter the Hotfix file name.
  You can copy the Hotfix file name from the applicable SK article to the Install Specific Hotfix text box.

  Note - Use the field "Install a Specific Hotfix/Jumbo" to install a firmware package on Spark Firewall Appliances that run Gaia Embedded OS [Link] and higher. The Management Server considers firmware packages based on the same main version as Jumbo Hotfixes. For example, all firmware packages [Link] are based on the main version R81.10.

  Example for a Security Gateway R80.20: (screenshot omitted)

  b. Click the search icon next to the text box to find the available package.

If you selected "Version Upgrade", in the "Upgrade Version" window, select one of these options:
- Upgrade to the Recommended Major Version
or
- Upgrade to a Specific Major Version
  a. Enter the version number.
  b. Click the search icon next to the text box to find the available package.

5. In the Gateways section, you see the targets you selected for installing the package.
6. In the Settings section, select the applicable option for the High Availability cluster:
- Install on all cluster members - Installs the selected package on all members in this cluster (active and standby). This can cause cluster failover and interrupt the traffic.
- Install on non-active members only - Installs the selected package only on standby cluster members.
  - Once installation is complete, turn non-active member to active - Changes the cluster state of a standby cluster member to active.
7. In the Advanced section, select the source from which the Security Gateway downloads the package:
- Automatic - If the package is in the Package Repository, the Management Server transfers it to the Security Gateway. If the package is not in the Package Repository, the Security Gateway downloads it from the Check Point Cloud.
- Gateway - The Security Gateway downloads the package from the Check Point Cloud. The Security Gateway must be connected to the Internet.
- Management - The Security Gateway downloads the package from the Management Server.
8. At the bottom, click Verify.
The verification process starts. The verification process makes sure that the selected Hotfix or Upgrade Package can be installed on the targets. The verification process makes sure this package does not override other installed Hotfixes and that enough free disk space is available for the process to complete.

To see the progress of the verification process, open the Tasks view in the bottom left corner of SmartConsole and click Details.

9. Click Install.
10. Central Deployment makes sure that the Access Control Policy is installed.

11. After the installation is complete, you must install the applicable Threat Prevention policy on the target Security Gateways and Clusters.

Notes:
- If different targets have different recommended Hotfixes or Upgrade Packages, each target gets its applicable recommended Hotfix or Upgrade Package.
- Before you install firmware on a Spark Firewall appliance that runs the Gaia Embedded operating system, you must disconnect any external storage from the USB port (at minimum, make sure it does not contain firmware images for Spark Firewall appliances).
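The same verify-then-install flow, driven through the Management API instead of SmartConsole, as an added example that is not part of the guide or Check Point's own code. It assumes the command names "verify-software-package" and "install-software-package", the body fields "package-identifier", "targets", "concurrency-limit" and "cluster-installation-settings.cluster-strategy", and the show-task status strings; check each against the Management API Reference for your version. Host, credentials, target names and the package identifier are placeholders.

```python
# Added example (not from the guide or from Check Point): Central Deployment
# through the Management API with only the Python standard library.
# Assumed and to be checked against the API Reference: the two software-package
# command names, their body field names, the cluster-strategy enum values and
# the show-task status strings. Host, user, targets and package id are placeholders.
import getpass
import json
import ssl
import time
import urllib.request

MAX_TARGETS = 30      # SmartConsole accepts up to 30 targets per deployment (guide)
MAX_CONCURRENT = 10   # installation runs on at most 10 targets at a time (guide)
# Assumed enum names for the two High Availability options the procedure describes.
CLUSTER_STRATEGIES = ("all-members", "non-active-members-only")


def build_request(package_identifier, targets, cluster_strategy="non-active-members-only",
                  concurrency_limit=MAX_CONCURRENT):
    """Body shared by verify-software-package and install-software-package.
    Enforces the limits the guide states, so a bad request fails here
    rather than half-way through a deployment."""
    targets = list(dict.fromkeys(targets))  # drop duplicate names, keep order
    if not targets:
        raise ValueError("at least one target is required")
    if len(targets) > MAX_TARGETS:
        raise ValueError(f"at most {MAX_TARGETS} targets per deployment, got {len(targets)}")
    if cluster_strategy not in CLUSTER_STRATEGIES:
        raise ValueError(f"unknown cluster strategy: {cluster_strategy!r}")
    return {
        "package-identifier": package_identifier,
        "targets": targets,
        "concurrency-limit": max(1, min(concurrency_limit, MAX_CONCURRENT)),
        "cluster-installation-settings": {"cluster-strategy": cluster_strategy},
    }


def task_state(show_task_response):
    """Map a show-task response to (finished, status). Assumed status strings:
    'in progress', 'succeeded', 'partially succeeded', 'failed'."""
    tasks = show_task_response.get("tasks") or []
    status = tasks[0].get("status", "in progress") if tasks else "in progress"
    return status != "in progress", status


class MgmtApi:
    """Minimal Management API client: login, call a command, poll a task."""

    def __init__(self, host, cafile=None):
        self.base = f"https://{host}/web_api/"
        self.sid = None
        # Verify the Management Server certificate against the CA that issued it.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def call(self, command, body=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        req = urllib.request.Request(self.base + command, method="POST",
                                     data=json.dumps(body or {}).encode(), headers=headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read().decode())

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def wait_task(self, task_id, poll_seconds=15):
        while True:
            finished, status = task_state(self.call("show-task", {"task-id": task_id}))
            if finished:
                return status
            time.sleep(poll_seconds)


if __name__ == "__main__":
    body = build_request("PLACEHOLDER_PACKAGE_IDENTIFIER", ["gw-a", "gw-b"])
    api = MgmtApi("mgmt.example.internal", cafile="/path/to/ca.pem")  # placeholders
    api.login("admin", getpass.getpass("Management API password: "))
    # Same order as the SmartConsole procedure: Verify first, Install only on success.
    if api.wait_task(api.call("verify-software-package", body)["task-id"]) == "succeeded":
        print("install:", api.wait_task(api.call("install-software-package", body)["task-id"]))
    else:
        print("verification failed; open the Tasks view in SmartConsole for details")
    api.call("logout")
```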

Uninstalling a Hotfix or a Jumbo Hotfix Accumulator

To uninstall a Hotfix or a Jumbo Hotfix Accumulator


1. From the left navigation panel, click Gateways & Servers.
2. Select the target Security Gateways or Cluster Members for deployment.
To select multiple targets, press and hold the CTRL key.
To uninstall the package on Cluster Members, select the cluster object.
3. From the toolbar menu, click Actions and select Uninstall Hotfix/Jumbo.
The Uninstall Hotfix/Jumbo window opens.
4. In the Hotfix/Jumbo section, enter the Hotfix/Jumbo to uninstall.

5. In the Gateways section, see the targets you selected for uninstalling the Hotfix or
Jumbo Hotfix Accumulator.
6. At the bottom, click Verify.

The verification process starts. The verification process makes sure all necessary conditions are met so that the selected Hotfix or Jumbo Hotfix Accumulator can be uninstalled from the targets.
To see the progress of the verification process, open the Tasks view in the bottom left corner of SmartConsole and click Details.
7. Click Uninstall.

How the Central Deployment Upgrades a Cluster

When you use the Central Deployment to install a software package on all members of a ClusterXL in High Availability mode or a VSX Cluster (non-VSLS), the Central Deployment follows these steps:
1. Verifies that the states of the Cluster Members are valid (Active and Standby).
2. Prepares the Access Control Policy for the Cluster:
  a. Changes the version in the Cluster object.
  b. Changes the applicable configuration settings and Access Control Policy.
3. Upgrades the Standby Cluster Member to the new version.
4. Runs a Multi-Version Cluster (MVC):
  a. Makes sure the upgraded Cluster Member is in the Standby or Ready state.
  b. Performs cluster failover to one of the upgraded Cluster Members.
5. Upgrades the former Active Cluster Member.
6. Verifies that the states of the Cluster Members are valid (Active and Standby).

Configuring a Security Gateway to Access the Management Server or Log Server at its NATed IP Address

Note - The procedure in this section applies to Security Gateways versions R81.20 and lower. For Security Gateways versions R82 and higher, see "Security Management behind NAT" on page 489.

You can configure a Security Gateway to access the Security Management Server or Log Server at the server's NATed IP address for fetching policy or sending logs.

A diagram in the original guide describes the flow of this process (not reproduced here).

Procedure:
1. Connect to the command line on the Security Gateway / each Cluster Member.
2. Log in to the Expert mode.
3. On a VSX Gateway / each VSX Cluster Member, go to the context of the applicable Virtual System:

vsenv <VSID>

4. Run the applicable command (this change survives reboot):
  a. To force the Security Gateway / Cluster Member to connect only to the public (NATed) IP address (this is the default behavior) of the Management Server or Log Server, run:

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 FORCE_NATTED_IP -n 1

  b. To force the Security Gateway / Cluster Member to connect only to the real IP address of the Management Server or Log Server, run:

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 FORCE_NATTED_IP -n 0

Notes:
- This change survives reboot.
- In a Cluster, you must configure all the Cluster Members in the same way.

5. Restart the FWD process:
See the instructions in sk97638 > section Infrastructure Processes.

Running Scripts
SmartConsole lets you run administrative scripts on Security Gateways and Security
Management Servers without direct command-line access. You can execute one-time scripts
or reuse predefined scripts from the repository, simplifying Gaia management and automation
tasks.

One Time Script

You can manually enter and run a command line script on the selected Gaia Security Gateways. This feature is useful for scripts that you do not need to run more than one time. It also lets you run Gaia Clish and other commands directly from SmartConsole.

Understanding One-Time Scripts

If you specify a script:
- By default, the maximum size of a script is 8 KB.
- The output from the script shows in the Tasks tab at the bottom of the Gateways & Servers view.
- The Run One Time Script window does not support interactive or continuous scripts. To run interactive or continuous scripts, open a command shell.

Note - SmartConsole limits the length of a script's output. For more, see sk181529.

Running a one-time script

Step  Instructions
1     Right-click the Security Gateway.
2     Select Scripts > Run One Time Script.
3     The Run One Time Script window opens.
      You can:
      - Enter the command in the Script Body text box and specify script arguments, or
      - Load the complete command from a text file
      Notes:
      - By default, the maximum size of a script is 8 kilobytes.
      - This value can be changed in SmartConsole > Main application menu > Global properties > Advanced > Configure > Central Device Management > device_settings_max_script_length_in_KB.
4     Click Run.
      The output from the script shows in the Tasks tab > Results column.
      - Double-click the task to view the output in a larger window.
      - You can also right-click the task and select View, then Copy to Clipboard.
      Notes:
      - The Run One Time Script window does not support interactive or continuous scripts. To run interactive or continuous scripts, open a command shell.
      - If the Security Gateways are not part of a Cloning Group, you can run a script on multiple Security Gateways at the same time.

One Time Script Options

Script Body - Enter the script commands.
Load from File - Load a prepared script.
Comment - Enter a text comment (optional).
Run - Click to run the script that you entered.

Script Repository
You can run a predefined script from the script repository.

To run a script from the repository:

Step  Description
1     In the Gateways & Servers view, right-click the Security Gateways or Security Management Servers on which you want to run scripts.
2     Select Scripts > Scripts Repository.
      The Scripts Repository window opens.
3     Do one of these steps:
      - Select an existing script from the list, click Run, enter Arguments if needed, and click Run.
      - Click New to create a new script for the repository, or load it from a text file. Click OK.

The output from the script shows in the Tasks tab at the bottom of the Gateways & Servers view.
Notes:
- The Scripts Repository window does not support interactive or continuous scripts. To run interactive or continuous scripts, open a command shell.
- You can run the script on multiple Security Gateways or Security Management Servers at the same time.
- For a cluster object, the script runs automatically on all cluster members.
- The ~ character is not supported in scripts for security reasons.

Configuring Implied Rules or Kernel Tables for Security Gateways

Introduction
An administrator configures the Security Policy and other inspection settings in SmartConsole. During a policy installation, the Management Server creates the applicable files and transfers them to the target Security Gateways.
The Management Server creates these files based on:
- Security Policy in SmartConsole
- Global properties in SmartConsole
- Security Gateway properties
- Multiple configuration files on the Management Server that control the inspection of various network protocols
It is possible to modify these configuration files on the Management Server to fine-tune the inspection in your network (in the Check Point INSPECT language).
There are two main categories of these configuration files:
- Files for Security Gateways that have the same software version as the Management Server.
- Files for Security Gateways that have a lower software version than the Management Server. This category is called "Backward Compatibility".

Configuration files

File Name | Controls | Location
[Link] | User-defined implied rules. | See "Location of '[Link]' Files on the Management Server" on page 259
implied_rules.def | Default implied rules. | See "Location of 'implied_rules.def' Files on the Management Server" on page 260
[Link] | Definitions of various kernel tables. | See "Location of '[Link]' Files on the Management Server" on page 262
[Link] | VPN encryption macros. | See "Location of '[Link]' Files on the Management Server" on page 264
vpn_table.def | Definitions for various kernel tables that hold VPN data. For example, VPN timeouts, number of VPN tunnels, whether a specific kernel table should be synchronized between cluster members, and others. | See "Location of 'vpn_table.def' Files on the Management Server" on page 266
[Link] | VPN encryption macros for X11 server (X Window System) traffic. | See "Location of '[Link]' Files on the Management Server" on page 270
[Link] | Definitions of packet inspection for various network protocols. | See "Location of '[Link]' Files on the Management Server" on page 272
[Link] | Definitions of packet inspection for DHCP traffic - DHCP Request, DHCP Reply, and DHCP Relay. | See "Location of '[Link]' Files on the Management Server" on page 274
[Link] | Definitions of packet inspection for GTP (GPRS Tunnelling Protocol) traffic. | See "Location of '[Link]' Files on the Management Server" on page 276

Configuration Procedure
1. Connect to the command line on the Security Management Server.
2. Log in to the Expert mode.
3. Back up the current file:

cp -v /<Full Path to File>/<File Name>{,_BKP}

Example:

cp -v $FWDIR/conf/[Link].FW1{,_BKP}

4. Edit the current file:

vi /<Full Path to File>/<File Name>

Example:

vi $FWDIR/conf/[Link].FW1

5. Make the applicable changes as described in the applicable SK article, or as instructed by Check Point Support.
6. Save the changes in the file and exit the editor.
7. Connect with SmartConsole to the Security Management Server.
8. In SmartConsole, install the Access Control Policy on the applicable Security Gateway or Cluster object.

Location of '[Link]' Files on the Management Server

The '[Link]' files contain the user-defined implied rules.

Important:
- You must edit this file in the context of the applicable Domain Management Server. To go to the required context, use the command:
mdsenv <IP Address or Name of Domain Management Server>
- If the required file does not exist, create a copy of the $FWDIR/conf/[Link].FW1 file, rename it, and edit it.

Location of files on an R82 Security Management Server:

Version of the Target Security Gateway | Location of the File
R82 | $FWDIR/conf/[Link].FW1
R81.20 | $FWDIR/conf/[Link].R8120CMP
R81.10 | $FWDIR/conf/[Link].R8120CMP
R81.10.x on Spark Firewall Appliances 1500 / 1600 / 1800 | $FWDIR/conf/[Link].SFWR81CMP
R81 | $FWDIR/conf/[Link].R8120CMP
R80.40 | $FWDIR/conf/[Link].R8040CMP
R80.30SP in Maestro | $FWDIR/conf/[Link].R8040CMP
R80.30 | $FWDIR/conf/[Link].R8040CMP
R80.20SP in Maestro, or Scalable Chassis | $FWDIR/conf/[Link].R8040CMP
R80.20 | $FWDIR/conf/[Link].R8040CMP
R80.20.x on Spark Firewall Appliances 1500 / 1600 / 1800 | $FWDIR/conf/[Link].SFWR80CMP
R80.10 | $FWDIR/conf/[Link].R8040CMP

Location of 'implied_rules.def' Files on the Management Server

The 'implied_rules.def' files contain the default implied rules.

Important:
- You must edit this file in the context of the applicable Domain Management Server. To go to the required context, use the command:
mdsenv <IP Address or Name of Domain Management Server>
- If the required file does not exist, create a copy of the $FWDIR/lib/implied_rules.def file, rename it, and edit it.

Location of files on an R82 Security Management Server:

Version of the Target Security Gateway | Location of the File
R82 | $FWDIR/lib/implied_rules.def
R81.20 | /opt/CPR8120CMP-R82/lib/implied_rules.def
R81.10 | /opt/CPR8120CMP-R82/lib/implied_rules.def
R81.10.x on Spark Firewall Appliances 1500 / 1600 / 1800 | /opt/CPSFWR81CMP-R82/lib/implied_rules.def
R81 | /opt/CPR8120CMP-R82/lib/implied_rules.def
R80.40 | /opt/CPR8040CMP-R82/lib/implied_rules.def
R80.30SP in Maestro | /opt/CPR8040CMP-R82/lib/implied_rules.def
R80.30 | /opt/CPR8040CMP-R82/lib/implied_rules.def
R80.20SP in Maestro, or Scalable Chassis | /opt/CPR8040CMP-R82/lib/implied_rules.def
R80.20 | /opt/CPR8040CMP-R82/lib/implied_rules.def
R80.20.x on Spark Firewall Appliances 1500 / 1600 / 1800 | /opt/CPSFWR80CMP-R82/lib/implied_rules.def
R80.10 | /opt/CPR8040CMP-R82/lib/implied_rules.def

Location of '[Link]' Files on the Management Server

The '[Link]' files contain definitions of various kernel tables for Security Gateways.

Important:
- You must edit this file in the context of the applicable Domain Management Server. To go to the required context, use the command:
mdsenv <IP Address or Name of Domain Management Server>
- If the required file does not exist, create a copy of the $FWDIR/lib/[Link] file, rename it, and edit it.

Location of files on an R82 Security Management Server:

Version of the Target Security Gateway | Location of the File
R82 | $FWDIR/lib/[Link]
R81.20 | /opt/CPR8120CMP-R82/lib/[Link]
R81.10 | /opt/CPR8120CMP-R82/lib/[Link]
R81.10.x on Spark Firewall Appliances 1500 / 1600 / 1800 | /opt/CPSFWR81CMP-R82/lib/[Link]
R81 | /opt/CPR8120CMP-R82/lib/[Link]
R80.40 | /opt/CPR8040CMP-R82/lib/[Link]
R80.30SP in Maestro | /opt/CPR8040CMP-R82/lib/[Link]
R80.30 | /opt/CPR8040CMP-R82/lib/[Link]
R80.20SP in Maestro, or Scalable Chassis | /opt/CPR8040CMP-R82/lib/[Link]
R80.20 | /opt/CPR8040CMP-R82/lib/[Link]
R80.20.x on Spark Firewall Appliances 1500 / 1600 / 1800 | /opt/CPSFWR80CMP-R82/lib/[Link]
R80.10 | /opt/CPR8040CMP-R82/lib/[Link]


Location of '[Link]' Files on the Management Server

The '[Link]' files contain VPN encryption macros.

Important:
- You must edit this file in the context of the applicable Domain Management Server. To go to the required context, use the command:
mdsenv <IP Address or Name of Domain Management Server>
- If the required file does not exist, create a copy of the $FWDIR/lib/[Link] file, rename it, and edit it.

Location of files on an R82 Security Management Server:

Version of the Target Security Gateway | Location of the File
R82 | $FWDIR/lib/[Link]
R81.20 | /opt/CPR8120CMP-R82/lib/[Link]
R81.10 | /opt/CPR8120CMP-R82/lib/[Link]
R81.10.x on Spark Firewall Appliances 1500 / 1600 / 1800 | /opt/CPSFWR81CMP-R82/lib/[Link]
R81 | /opt/CPR8120CMP-R82/lib/[Link]
R80.40 | /opt/CPR8040CMP-R82/lib/[Link]
R80.30SP in Maestro | /opt/CPR8040CMP-R82/lib/[Link]
R80.30 | /opt/CPR8040CMP-R82/lib/[Link]
R80.20SP in Maestro, or Scalable Chassis | /opt/CPR8040CMP-R82/lib/[Link]
R80.20 | /opt/CPR8040CMP-R82/lib/[Link]
R80.20.x on Spark Firewall Appliances 1500 / 1600 / 1800 | /opt/CPSFWR80CMP-R82/lib/[Link]
R80.10 | /opt/CPR8040CMP-R82/lib/[Link]


Location of 'vpn_table.def' Files on the Management Server

Location of 'vpn_table.def' Files on the Management Server


The 'vpn_table.def' files contain definitions for various kernel tables that hold VPN data.
For example, VPN timeouts, number of VPN tunnels, whether a specific kernel table should be
synchronized between cluster members, and others.

Important:
n You must edit this file in the context of the applicable Domain Management
Server.
To go to the required context, use the command:
mdsenv <IP Address or Name of Domain Management Server>
n If the required file does not exist, create a copy of the $FWDIR/lib/vpn_
[Link] file, rename it, and edit it.

Location of files on an R82 Security Management Server:

Version of the Target Security Gateway                      Location of the File
R82                                                         $FWDIR/lib/vpn_table.def
R81.20                                                      /opt/CPR8120CMP-R82/lib/vpn_[Link]
R81.10                                                      /opt/CPR8120CMP-R82/lib/vpn_[Link]
R81.10.x on Spark Firewall Appliances 1500 / 1600 / 1800    /opt/CPSFWR81CMP-R82/lib/vpn_[Link]
R81                                                         /opt/CPR8120CMP-R82/lib/vpn_[Link]
R80.40                                                      /opt/CPR8040CMP-R82/lib/vpn_[Link]
R80.30SP in Maestro                                         /opt/CPR8040CMP-R82/lib/vpn_[Link]
R80.30                                                      /opt/CPR8040CMP-R82/lib/vpn_[Link]
R80.20SP in Maestro, or Scalable Chassis                    /opt/CPR8040CMP-R82/lib/vpn_[Link]
R80.20                                                      /opt/CPR8040CMP-R82/lib/vpn_[Link]
R80.20.x on Spark Firewall Appliances 1500 / 1600 / 1800    /opt/CPSFWR80CMP-R82/lib/vpn_[Link]
R80.10                                                      /opt/CPR8040CMP-R82/lib/vpn_[Link]


Location of 'vpn_route.conf' Files on the Management Server
The 'vpn_route.conf' files contain the configuration for Domain-Based Site to Site VPN.

Important:
- You must edit this file in the context of the applicable Domain Management Server.
  To go to the required context, use the command:
  mdsenv <IP Address or Name of Domain Management Server>
- If the required file does not exist, create a copy of the $FWDIR/conf/vpn_[Link] file, rename it, and edit it.

Location of files on an R82 Security Management Server:

Version of the Target Security Gateway                      Location of the File
R82                                                         $FWDIR/conf/vpn_route.conf
R81.20                                                      /opt/CPR8120CMP-R82/conf/vpn_[Link]
R81.10                                                      /opt/CPR8120CMP-R82/conf/vpn_[Link]
R81.10.x on Spark Firewall Appliances 1500 / 1600 / 1800    /opt/CPSFWR81CMP-R82/conf/vpn_[Link]
R81                                                         /opt/CPR8120CMP-R82/conf/vpn_[Link]
R80.40                                                      /opt/CPR8040CMP-R82/conf/vpn_[Link]
R80.30SP in Maestro                                         /opt/CPR8040CMP-R82/conf/vpn_[Link]
R80.30                                                      /opt/CPR8040CMP-R82/conf/vpn_[Link]
R80.20SP in Maestro, or Scalable Chassis                    /opt/CPR8040CMP-R82/conf/vpn_[Link]
R80.20                                                      /opt/CPR8040CMP-R82/conf/vpn_[Link]
R80.20.x on Spark Firewall Appliances 1500 / 1600 / 1800    /opt/CPSFWR80CMP-R82/conf/vpn_[Link]
R80.10                                                      /opt/CPR8040CMP-R82/conf/vpn_[Link]


Location of '[Link]' Files on the Management Server
The '[Link]' files contain VPN encryption macros for X11 server (X Window System) traffic.

Important:
- You must edit this file in the context of the applicable Domain Management Server.
  To go to the required context, use the command:
  mdsenv <IP Address or Name of Domain Management Server>
- If the required file does not exist, create a copy of the $FWDIR/lib/[Link] file, rename it, and edit it.

Location of files on an R82 Security Management Server:

Version of the Target Security Gateway                      Location of the File
R82                                                         $FWDIR/lib/[Link]
R81.20                                                      /opt/CPR8120CMP-R82/lib/[Link]
R81.10                                                      /opt/CPR8120CMP-R82/lib/[Link]
R81.10.x on Spark Firewall Appliances 1500 / 1600 / 1800    /opt/CPSFWR81CMP-R82/lib/[Link]
R81                                                         /opt/CPR8120CMP-R82/lib/[Link]
R80.40                                                      /opt/CPR8040CMP-R82/lib/[Link]
R80.30SP in Maestro                                         /opt/CPR8040CMP-R82/lib/[Link]
R80.30                                                      /opt/CPR8040CMP-R82/lib/[Link]
R80.20SP in Maestro, or Scalable Chassis                    /opt/CPR8040CMP-R82/lib/[Link]
R80.20                                                      /opt/CPR8040CMP-R82/lib/[Link]
R80.20.x on Spark Firewall Appliances 1500 / 1600 / 1800    /opt/CPSFWR80CMP-R82/lib/[Link]
R80.10                                                      /opt/CPR8040CMP-R82/lib/[Link]


Location of '[Link]' Files on the Management Server


The '[Link]' files contain definitions of packet inspection for various network protocols.

Important:
- You must edit this file in the context of the applicable Domain Management Server.
  To go to the required context, use the command:
  mdsenv <IP Address or Name of Domain Management Server>
- If the required file does not exist, create a copy of the $FWDIR/lib/[Link] file, rename it, and edit it.

Location of files on an R82 Security Management Server:

Version of the Target Security Gateway                      Location of the File
R82                                                         $FWDIR/lib/[Link]
R81.20                                                      /opt/CPR8120CMP-R82/lib/[Link]
R81.10                                                      /opt/CPR8120CMP-R82/lib/[Link]
R81.10.x on Spark Firewall Appliances 1500 / 1600 / 1800    /opt/CPSFWR81CMP-R82/lib/[Link]
R81                                                         /opt/CPR8120CMP-R82/lib/[Link]
R80.40                                                      /opt/CPR8040CMP-R82/lib/[Link]
R80.30SP in Maestro                                         /opt/CPR8040CMP-R82/lib/[Link]
R80.30                                                      /opt/CPR8040CMP-R82/lib/[Link]
R80.20SP in Maestro, or Scalable Chassis                    /opt/CPR8040CMP-R82/lib/[Link]
R80.20                                                      /opt/CPR8040CMP-R82/lib/[Link]
R80.20.x on Spark Firewall Appliances 1500 / 1600 / 1800    /opt/CPSFWR80CMP-R82/lib/[Link]
R80.10                                                      /opt/CPR8040CMP-R82/lib/[Link]


Location of '[Link]' Files on the Management Server


The '[Link]' files contain definitions of packet inspection for DHCP traffic - DHCP
Request, DHCP Reply, and DHCP Relay.

Important:
- You must edit this file in the context of the applicable Domain Management Server.
  To go to the required context, use the command:
  mdsenv <IP Address or Name of Domain Management Server>
- If the required file does not exist, create a copy of the $FWDIR/lib/[Link] file, rename it, and edit it.

Location of files on an R82 Security Management Server:

Version of the Target Security Gateway                      Location of the File
R82                                                         $FWDIR/lib/[Link]
R81.20                                                      /opt/CPR8120CMP-R82/lib/[Link]
R81.10                                                      /opt/CPR8120CMP-R82/lib/[Link]
R81.10.x on Spark Firewall Appliances 1500 / 1600 / 1800    /opt/CPSFWR81CMP-R82/lib/[Link]
R81                                                         /opt/CPR8120CMP-R82/lib/[Link]
R80.40                                                      /opt/CPR8040CMP-R82/lib/[Link]
R80.30SP in Maestro                                         /opt/CPR8040CMP-R82/lib/[Link]
R80.30                                                      /opt/CPR8040CMP-R82/lib/[Link]
R80.20SP in Maestro, or Scalable Chassis                    /opt/CPR8040CMP-R82/lib/[Link]
R80.20                                                      /opt/CPR8040CMP-R82/lib/[Link]
R80.20.x on Spark Firewall Appliances 1500 / 1600 / 1800    /opt/CPSFWR80CMP-R82/lib/[Link]
R80.10                                                      /opt/CPR8040CMP-R82/lib/[Link]


Location of '[Link]' Files on the Management Server


The '[Link]' files contain definitions of packet inspection for GTP (GPRS Tunnelling
Protocol) traffic.

Important:
- You must edit this file in the context of the applicable Domain Management Server.
  To go to the required context, use the command:
  mdsenv <IP Address or Name of Domain Management Server>
- If the required file does not exist, create a copy of the $FWDIR/lib/[Link] file, rename it, and edit it.

Location of files on an R82 Security Management Server:

Version of the Target Security Gateway                      Location of the File
R82                                                         $FWDIR/lib/[Link]
R81.20                                                      /opt/CPR8120CMP-R82/lib/[Link]
R81.10                                                      /opt/CPR8120CMP-R82/lib/[Link]
R81.10.x on Spark Firewall Appliances 1500 / 1600 / 1800    /opt/CPSFWR81CMP-R82/lib/[Link]
R81                                                         /opt/CPR8120CMP-R82/lib/[Link]
R80.40                                                      /opt/CPR8040CMP-R82/lib/[Link]
R80.30SP in Maestro                                         /opt/CPR8040CMP-R82/lib/[Link]
R80.30                                                      /opt/CPR8040CMP-R82/lib/[Link]
R80.20SP in Maestro, or Scalable Chassis                    /opt/CPR8040CMP-R82/lib/[Link]
R80.20                                                      /opt/CPR8040CMP-R82/lib/[Link]
R80.20.x on Spark Firewall Appliances 1500 / 1600 / 1800    /opt/CPSFWR80CMP-R82/lib/[Link]
R80.10                                                      /opt/CPR8040CMP-R82/lib/[Link]
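The tables in the sections above all apply one mapping from target gateway version to compatibility package directory, and the Important notes describe the same preparation steps for every file. The following POSIX shell script is an added example (my code, not a Check Point utility) that applies that mapping and those steps: it resolves the path for a given version and file, copies the R82 default from $FWDIR into place when the target file does not exist yet, and keeps a timestamped backup before you edit. It assumes you have already run mdsenv for the applicable Domain so that $FWDIR is set, and it honours an assumed CP_OPT_ROOT variable in place of /opt so it can be tried in a scratch directory rather than on a live server.

```shell
#!/bin/sh
# Added example, not a Check Point tool. Resolves which copy of a .def/.conf file
# an R82 Management Server uses for a given target gateway version (per the tables
# above), creates it from the R82 default if it is missing, and takes a backup
# before you edit. Run it after "mdsenv <Domain>" so that $FWDIR points at the Domain.
# Assumption: CP_OPT_ROOT overrides the /opt prefix so the script can be exercised
# against a scratch directory instead of a live server.

# Map a target gateway version (spelled as in the tables) to the compatibility
# package directory under /opt. Prints an empty string for R82 (native $FWDIR)
# and fails for an unknown version.
compat_pkg() {
    case "$1" in
        R82)                                   echo "" ;;
        R81.20|R81.10|R81)                     echo "CPR8120CMP-R82" ;;
        "R81.10.x on Spark"*)                  echo "CPSFWR81CMP-R82" ;;
        R80.40|R80.30SP*|R80.30|R80.20SP*|R80.20|R80.10)
                                               echo "CPR8040CMP-R82" ;;
        "R80.20.x on Spark"*)                  echo "CPSFWR80CMP-R82" ;;
        *)                                     return 1 ;;
    esac
}

# Print the full path of <subdir>/<file> (for example "lib vpn_table.def" or
# "conf vpn_route.conf") that applies to the given target gateway version.
target_path() {
    version="$1"; subdir="$2"; file="$3"
    pkg=$(compat_pkg "$version") || return 1
    if [ -z "$pkg" ]; then
        printf '%s/%s/%s\n' "${FWDIR:?FWDIR is not set, run mdsenv first}" "$subdir" "$file"
    else
        printf '%s/%s/%s/%s\n' "${CP_OPT_ROOT:-/opt}" "$pkg" "$subdir" "$file"
    fi
}

# Make sure the target file exists (copied from the R82 default if it does not),
# keep a timestamped backup of its current contents, and print the path to edit.
prepare_file() {
    dest=$(target_path "$1" "$2" "$3") || { echo "unknown target version: $1" >&2; return 1; }
    src="${FWDIR:?FWDIR is not set, run mdsenv first}/$2/$3"
    if [ ! -e "$dest" ]; then
        mkdir -p "$(dirname "$dest")" || return 1
        cp "$src" "$dest" || return 1
    fi
    cp "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)" || return 1
    printf '%s\n' "$dest"
}

# Example call (needs mdsenv first): prepare the vpn_table.def used for R80.40 gateways.
# prepare_file R80.40 lib vpn_table.def
```

The version strings accepted by compat_pkg are those in the tables; anything else is rejected rather than silently mapped to a default, so a typo in the version cannot send an edit to the wrong compatibility package.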


The HealthCheck Point Tool


The HealthCheck Point (HCP) tool is a self-updatable suite of tools designed for:
- Tests: Assesses the health of your system.
- WTS (What's The Story): Provides a timeline of critical and informative events that occurred in the system.
- Topology: Visualizes the firewall topology.
The HCP tool runs on the managed Security Gateways every 6 hours and sends the status report to the Security Management Server / Domain Management Server.
The HCP status report in SmartConsole is disabled by default for all managed devices.

When the HCP status report is enabled, SmartConsole shows the HCP status report as part of
the overall system status.
For more information on the HCP tool, see sk171436.
To enable the HCP tool status reports for multiple managed devices

1. Go to the Gateways & Servers view, press and hold the Ctrl key and left-click each
device you wish to select.
2. From the top toolbar, click Actions.
3. From the drop-down menu, select Enable HealthCheck Point Alerts.

To disable the HCP tool status reports for multiple managed devices

1. Go to the Gateways & Servers view, press and hold the Ctrl key and left-click each device you wish to select.
2. From the top toolbar, click Actions.
3. From the drop-down menu, select Disable HealthCheck Point Alerts.

To enable the HCP tool status reports for a specific managed device

1. Go to the Gateways & Servers view.
2. Right-click the managed device object.
3. From the drop-down menu, select Actions and select Enable HealthCheck Point Alerts.


To disable the HCP tool status reports for a specific managed device

1. Go to the Gateways & Servers view.
2. Right-click the managed device object.
3. From the drop-down menu, select Actions and select Disable HealthCheck Point Alerts.

To enable the HCP tool status reports for a specific Legacy VSX Gateway / Legacy VSX Cluster

1. Close all SmartConsole windows.
2. Connect with the Database Tool (GuiDBEdit Tool) to the Security Management Server / Domain Management Server.

3. In the top left panel, go to Table > Network Objects and click network_objects.
4. In the top right-panel, click the Legacy VSX Gateway / Legacy VSX Cluster object.
5. In the bottom panel, right-click the attribute "hcp" > click "Edit" > change the value to
"true" > click OK.
6. Save the changes: click the File menu > Save All.
7. Close the Database Tool (GuiDBEdit Tool).

To disable the HCP tool status reports for a specific Legacy VSX Gateway / Legacy VSX Cluster

1. Close all SmartConsole windows.
2. Connect with the Database Tool (GuiDBEdit Tool) to the Security Management Server / Domain Management Server.
3. In the top left panel, go to Table > Network Objects and click network_objects.
4. In the top right-panel, click the Legacy VSX Gateway / Legacy VSX Cluster object.
5. In the bottom panel, right-click the attribute "hcp" > click "Edit" > change the value to
"false" > click OK.
6. Save the changes: click the File menu > Save All.
7. Close the Database Tool (GuiDBEdit Tool).


Statuses in SmartConsole
SmartConsole shows these statuses in the Gateways & Servers view:
- Success
- Warning
- Error
- No status was reported

Best Practice - Install the HCP Extension in SmartConsole as described in sk171436.


To resolve the "Warning" or "Error" statuses, click the HealthCheck Point button in
the Gateways & Servers view, and see the HCP report.

To see the HCP status in SmartConsole:

1. In the Gateways & Servers view, right-click the Security Gateway object.
2. From the drop-down menu, select Monitor.
3. In the window that opens, go to Device Status.
4. Scroll down to the HealthCheck Point section.
Here you can view the status, including both a short and a detailed description of it.

Note - In the Gateways & Servers view:
- For a short description of the HCP status, hover over the Status column of a Security Gateway.
- For a detailed description of the HCP status, select a specific Security Gateway, and go to the Alerts tab at the bottom panel of the screen.

Limitations
- The status of a Traditional VSX Virtual System is not shown on the Virtual System object itself. Instead, it is displayed on the parent Legacy VSX Gateway / Legacy VSX Cluster object.
- For SMO Security Gateway objects that represent Scalable Platforms (ElasticXL, Maestro, Scalable Chassis), the HealthCheck Point status is an aggregate status for the entire Security Group (and not individually for each Security Group Member).


Managing Objects
Network Objects are defined in SmartConsole and stored in the proprietary Check Point object
database. They represent physical and virtual network components (such as Security
Gateways, servers, and users), and logical components (such as IP address ranges and
Dynamic Objects). Each of these components corresponds to an object in your Check Point
security management configuration. Before you create Network Objects, analyze the needs of
your organization:
- What are the physical components of your network: devices, hosts, Security Gateways and their active Software Blades?
- What are the logical components: services, resources, applications, ranges?
- Who are the users? How should you group them, and with what permissions?

Note - In SmartConsole, when you configure properties of an object and create a new
object from the original object, the new object is not available in the original Object
Editor.

To resolve this issue:

1. After you close the second Object Editor, click OK in the original Object Editor.
2. Edit the original object again. The new object is now available.


Object Categories
Objects in SmartConsole represent networks, devices, protocols and resources.
SmartConsole divides objects into these categories:

Object Type                 Examples
Network Objects             Security Gateways, hosts, networks, address ranges, dynamic objects, security zones
Services                    Services, Service groups
Custom Applications/Sites   Applications, Categories, Mobile applications
VPN Communities             Site to Site or Remote Access communities
Users                       Users, user groups, and user templates
Data Types                  International Bank Account Number - IBAN, HIPAA - Medical Record Number - MRN, Source Code.
Servers                     Trusted Certificate Authorities, RADIUS, TACACS
Time Objects                Time, Time groups
UserCheck Interactions      Message windows: Ask, Cancel, Certificate Template, Inform, and Drop
Limit                       Download and upload bandwidth

Important (Limit objects):
After policy installation, a bandwidth limit is not enforced on a connection that is matched to an Access Control rule with the Action "Limit" in one of these scenarios:
- The 'Keep all connections' option is selected in the security object
- The 'Keep connections open after the policy has been installed' option is selected in the Service object used in this rule


Actions with Objects

You can add, edit, delete, and clone objects. A clone is a copy of the original object, with a different name. You can also replace one object in the Policy with another object.

Note - Do not create two objects with the same name. A validation error shows when
you try to publish the SmartConsole session. To resolve, change one of the object
names.

To work with objects, right-click the object in the object tree or in the Object Explorer, and
select the action.
You can delete objects that are not used, and you can find out where an object is used.

To clone an object
1. In the object tree or in the Object Explorer, right-click the object and select Clone.
The Clone Object window opens.
2. Enter a name for the cloned object.
3. Click OK.

To find out where an object is used

In the object tree or in the Object Explorer, right-click the object and select Where Used.

To replace an object with a different object

1. In the object tree or in the Object Explorer, right-click the object and select Where Used.
2. Click the Replace icon.
3. From the Replace with list, select an item.
4. Click Replace.

To delete all instances of an object

1. In the object tree or in the Object Explorer, right-click the object and select Where Used.
2. Click the Replace icon.
3. From the Replace with list, select None (remove item).
4. Click Replace.


Notes:
- When you create a new object ("object 2") from within an editor of another existing object ("object 1"), object 2 may not appear in the editor of object 1 immediately. To see object 2 in the editor of object 1, click OK to close object 1 and open it again.
- In SmartConsole, you can only search or filter for objects whose names contain two or more characters.


Object Tags
Object tags are keywords or labels that you can assign to the network objects or groups of
objects for search purposes. These are the types of tags you can assign:
- User tags - Assigned manually to individual objects or groups of objects
- System tags - Predefined keywords, such as "application"
Each tag has a name and a value. The value can be static, or dynamically filled by detection
engines.

Adding a Tag to an Object

To add a tag to an object

1. Open the network object for editing.
2. In the Add Tag field, enter the label to associate with this object.
3. Press Enter.
   The new tag shows to the right of the Add Tag field.
4. Click OK.


Network Object Types

This section describes various object types available in SmartConsole.

Networks
A Network is a group of IP addresses defined by a network address and a net mask. The net
mask indicates the size of the network.
A Broadcast IP address is an IP address which is destined for all hosts on the specified
network. If this address is included, the Broadcast IP address will be considered as part of the
network.


Network Groups
A Network Group is a collection of hosts, gateways, networks, or other groups. Groups can be
used to facilitate and simplify network management. When you have the same set of objects
which you want to use in different places in the Rule Base, you can create a group to include
such set of objects and reuse it. Modifications are applied to the group instead of to each
member of the group.
Groups are also used where SmartConsole lets you select only one object, but you need to
work with more than one. For example, in the Security Gateway object > Network
Management > VPN Domain > Manually defined, you can only select one object from the
drop-down menu. If you want to select more than one object for your VPN Domain, you can
create a group, add the required objects to the group, and select the group from the drop-down
menu.

Grouping Network Objects

To create a group of network objects

1. In the Objects tree, click New > Network Group.
   The New Network Group window opens.
2. Enter a name for the group.
3. Set optional parameters:
   - Object comment
   - Color
   - Tag (as custom search criteria)
4. For each network object you want to add, click the [+] sign and select it from the list that shows.
5. Click OK.

From version R80.20.M2, you can also associate groups to a network object directly from the object editor.

To associate groups to a network object

1. Open the object editor, and go to Groups in the navigation tree.
2. For each group you want to add, click the [+] sign and select it from the list that shows.


Check Point Hosts

A Check Point Host can have multiple interfaces but no routing takes place. It is an endpoint
that receives traffic for itself through its interfaces. (In comparison, a Security Gateway routes
traffic between its multiple interfaces.) For example, if you have two unconnected networks
that share a common Security Management Server and Log Server, configure the common
server as a Check Point Host object.
A Check Point Host has one or more Software Blades installed. But if the Firewall blade is
enabled on the Check Point Host, it cannot function as a Security Gateway. The Host requires
SIC and other features provided by the actual Security Gateway.
A Check Point Host has no routing mechanism, is not capable of IP forwarding, and cannot be
used to implement Anti-Spoofing. If the host must do any of these, convert it to be a Security
Gateway.

The Security Management Server object is a Check Point Host.


Gateway Cluster
A cluster is a group of Security Gateways configured as one logical object. Clustered gateways
add redundancy through High Availability or Load Sharing.
For more information, see the R82 ClusterXL Administration Guide.


Address Ranges
An Address Range is a range of IP addresses on the network, defined by the lowest and the
highest IP addresses. Use an Address Range object when you cannot define a range of IP
addresses by a network IP and a net mask. The Address Range objects are also necessary for
the implementation of NAT and VPN.


Wildcard Objects
Wildcard objects are IP address objects that share a common pattern that can be permitted or
denied access in a security policy.

Note - This feature is only supported for Security Gateways R80.20 and higher.

To create a new wildcard object

1. Open Object Explorer > New > More > Network Object > Wildcard object.
2. Enter the Wildcard IP address and Wildcard Netmask in IPv4 or IPv6 Format.
3. Click OK.

Understanding Wildcard Objects

The wildcard object contains a wildcard IP address and a wildcard netmask.
The wildcard netmask is the mask of bits that indicate which parts of the IP address must match and which do not have to match. For example:

Wildcard IP:      194.29.0.1
Wildcard Netmask: 0.0.3.0

The third octet represents the mask of bits. If we convert the 3 to binary, we get 00000011.

The 0 parts of the mask must match the equivalent bits of the IP address.
The 1 parts of the mask do not have to match, and can be any value.

Mask bits:   0 0 0 0 0 0                                        1 1
Meaning:     Must match the equivalent bits in the IP address   Do not have to match

The binary netmask produces these possible decimal values:

Binary (bit values 128 64 32 16 8 4 2 1)   Decimal
0 0 0 0 0 0 0 0                            0
0 0 0 0 0 0 0 1                            1
0 0 0 0 0 0 1 0                            2
0 0 0 0 0 0 1 1                            3

The netmask permits only these IP addresses:
- [Link]
- [Link]
- [Link]
- [Link]
Examples of Use Cases

Scenario One
A supermarket chain has all of its cash registers on subnet 194.29.x.1, where x defines the region. In this use case, all the cash registers in this region must have access to the database server at [Link].

Instead of defining 256 hosts ([Link], [Link], [Link]....[Link]), the administrator creates a wildcard object that represents all the cash registers in the region:

Wildcard IP:   194.29.0.1
Wildcard Mask: 0.0.255.0

The wildcard object can now be added to the Access Control Policy.

Source            Destination              Action   Track
Wildcard Object   Database server object   Accept   Log

Scenario Two
In this use case, a supermarket chain has stores in Europe and Asia.

The 192.30.0-255.1 network contains both the Asian and European regions, and the stores within those regions.

Item   Description
1      Database Server for Europe
2      Database Server for Asia
3      European and Asia network

The administrator wants stores in the European and Asia regions to access different database servers. In this topology, the third octet of the European and Asia network's IP address will be subject to a wildcard. The first four bits of the wildcard will represent the region and the last four bits will represent the store number.

Bits that represent the region   Bits that represent the store number
0000                             0000

In the Wildcard IP:
- The Asia region is represented by 0001xxxx (Region 1 in decimal)
- The European region is represented by 0010xxxx (Region 2 in decimal)

In binary:

Binary (Region Store)   Decimal
0001 0000               16 - Asia Region
0010 0000               32 - European Region


To include all the stores of a particular region, the last four bits of the wildcard mask must be set to 1 (15 in Decimal):

Binary (Region Store)   Decimal
xxxx 1111               15 - all Asian stores
xxxx 1111               15 - all European stores

A wildcard object that represents all the Asian stores will look like this:

Wildcard IP address   [Link] (the region)
Wildcard netmask      [Link] (for stores in the region)

For this range of IP addresses: 192.30.16-31.1

A wildcard object that represents all the European stores will look like this:

Wildcard IP address   [Link] (the region)
Wildcard netmask      [Link] (for stores in the region)

For this range of IP addresses: 192.30.32-47.1

The administrator can now use these wildcard objects in the Access Control Policy:

Source                     Destination                  Action   Track
Asian Stores Wildcard      Database Server for Asia     Accept   Log
European Stores Wildcard   Database Server for Europe   Accept   Log

Scenario Three
In this scenario, the netmask bits are not consecutive.

                Dotted decimal   Binary
Wildcard IP     1.1.0.1          00000001.00000001.00000000.00000001
Wildcard mask   0.0.5.0          00000000.00000000.00000101.00000000

Mask, bit by bit (bit positions 0-31, left to right):

Position:   00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Mask bit:    0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  1  0  1  0  0  0  0  0  0  0  0

Which will match only these IP addresses:

IP Address   Binary                                Comment
[Link]       00000001.00000001.00000000.00000001   The IP address itself
[Link]       00000001.00000001.00000001.00000001   The equivalent bit at position 23 does not matter
[Link]       00000001.00000001.00000100.00000001   The equivalent bit at position 21 does not matter
[Link]       00000001.00000001.00000101.00000001   The equivalent bits at positions 21 and 23 do not matter

IPv6
The same principles apply to IPv6 addresses. For example, if the wildcard object has these
values:

IPv6 Address       2001::1:10:0:1:41
Wildcard netmask   0::ff:0:0

The wildcard will match: 2001::1:10:0-255:1:41
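The matching rule the scenarios above rely on (a 0 bit in the wildcard netmask must match the wildcard IP, a 1 bit is free) is small enough to implement and check. The following Python script is an added example, my code rather than anything from Check Point, built on the standard ipaddress module so the same logic serves IPv4 and IPv6. Beyond the single-address test, it enumerates every address an object covers, which is how the four-address result for 194.29.0.1 / 0.0.3.0, the four non-consecutive matches in Scenario Three and the 256 hosts of the IPv6 example can be reproduced. The function names are mine.

```python
"""Wildcard-object matching for IPv4 and IPv6 (added example, not Check Point code).

A wildcard object is a pair (wildcard IP, wildcard netmask). A 0 bit in the mask
means the candidate address must carry the same bit as the wildcard IP; a 1 bit
means the candidate may carry any value there. The mask's 1 bits need not be
consecutive, and the values used in the demo are the ones from the scenarios above.
"""
import ipaddress
from itertools import product
from typing import List, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_pair(wildcard_ip: str, wildcard_mask: str) -> Tuple[Address, Address]:
    """Parse both halves of a wildcard object and reject mixed IP versions."""
    ip = ipaddress.ip_address(wildcard_ip)
    mask = ipaddress.ip_address(wildcard_mask)
    if ip.version != mask.version:
        raise ValueError("wildcard IP and wildcard netmask must be the same IP version")
    return ip, mask


def matches(candidate: str, wildcard_ip: str, wildcard_mask: str) -> bool:
    """True when every 0 bit of the mask agrees between candidate and wildcard IP.

    XOR leaves a 1 wherever the two addresses differ; clearing the mask's
    don't-care bits from that difference must leave nothing behind.
    """
    ip, mask = parse_pair(wildcard_ip, wildcard_mask)
    cand = ipaddress.ip_address(candidate)
    if cand.version != ip.version:
        return False
    return (int(cand) ^ int(ip)) & ~int(mask) == 0


def address_count(wildcard_ip: str, wildcard_mask: str) -> int:
    """Number of addresses the object covers: 2 ** (number of 1 bits in the mask)."""
    _, mask = parse_pair(wildcard_ip, wildcard_mask)
    return 2 ** bin(int(mask)).count("1")


def expand(wildcard_ip: str, wildcard_mask: str, limit: int = 4096) -> List[str]:
    """List every address the object matches, in ascending order.

    Each 1 bit of the mask is varied independently, so non-consecutive masks
    (Scenario Three) are handled. `limit` refuses masks that cover too many
    addresses to enumerate sensibly.
    """
    ip, mask = parse_pair(wildcard_ip, wildcard_mask)
    free_bits = [b for b in range(ip.max_prefixlen) if (int(mask) >> b) & 1]
    if 2 ** len(free_bits) > limit:
        raise ValueError(f"object covers {2 ** len(free_bits)} addresses, above limit {limit}")
    base = int(ip) & ~int(mask)  # fixed bits only; the don't-care bits are zeroed
    found = []
    for combo in product((0, 1), repeat=len(free_bits)):
        value = base
        for bit, on in zip(free_bits, combo):
            if on:
                value |= 1 << bit
        found.append(type(ip)(value))
    return [str(a) for a in sorted(found)]


if __name__ == "__main__":
    # Values taken from the scenarios above.
    print(expand("194.29.0.1", "0.0.3.0"))                  # the four cash-register hosts
    print(expand("1.1.0.1", "0.0.5.0"))                     # non-consecutive mask bits
    print(address_count("194.29.0.1", "0.0.255.0"))         # one region of 256 registers
    print(address_count("2001::1:10:0:1:41", "0::ff:0:0"))  # 2001::1:10:0-255:1:41
```

Because matching works on the integer form of the address, the same code handles the IPv6 case with no special treatment: the ff group in the mask simply marks eight free bits in the sixth 16-bit group.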


Domains
A Domain object represents a host or DNS domain by its name only. It is not necessary to
have the IP address of the site.
You can use the Domain object in the source and destination columns of an Access Control
Policy.
You can configure a Domain object in two ways:
- Select FQDN
  In the object name, use the Fully Qualified Domain Name (FQDN).
  Use the format .x.y.z (with a dot "." before the FQDN).
  For example, if you use .[Link] then the Security Gateway matches [Link]
  This option is supported for R80.10 and higher, and is the default. It is more accurate and faster than the non-FQDN option.
  The Security Gateway looks up the FQDN with a direct DNS query, and uses the result in the Rule Base.
  This option supports SecureXL Accept templates.
  Using Domain objects with this option in a rule has no effect on the performance of the rule, or of the rules that come after it.
- Clear FQDN
  This option enforces the domain and its sub-domains.
  In the object name, use the format .x.y for the name.
  For example, use .[Link] or .[Link] for the name.
  If you use .[Link], then the Security Gateway matches [Link] and [Link]
  The Security Gateway resolves the name using DNS reverse lookups, which can be inaccurate.
  The Security Gateway uses the result in the Rule Base, and caches the result to use again.


Updatable Objects
Introduction to Updatable Objects
An Updatable Object is a network object that represents an external service, such as Office
365, AWS, GEO locations, and more. External services providers publish lists of IP addresses
or Domains or both to allow access to their services. These lists are dynamically updated.
Updatable objects derive their contents from these published lists of the providers, which
Check Point uploads to the Check Point cloud. The updatable objects are updated
automatically on the Security Gateway each time the provider changes a list. There is no need
to install policy for the updates to take effect.
You can use updatable objects in all three types of policies: Access Control, Threat
Prevention, and HTTPS Inspection.

You can use an updatable object in the Access Control, Threat Prevention or the HTTPS
Inspection policy as a Source or a Destination. In the Threat Prevention policy, you can also
use an updatable object as the Protected Scope.

Notes:
- For Access Control, this feature is supported on Security Gateways R80.20 and higher.
- For Threat Prevention and HTTPS Inspection, this feature is supported on Security Gateways R80.40 and higher.
- Updatable Objects cannot be added to a network group.

Adding an Updatable Object to the Access Control Policy

1. Make sure the Security Management Server / Domain Management Server and the Security Gateway have access to the Check Point cloud in the Internet (see sk83520).
2. Connect with SmartConsole to the Security Management Server / Domain Management Server.
3. From the left navigation panel, click Security Policies.
4. In the top panel, click Access Control > Policy.
5. Add a new rule in the required position.
6. In the Destination column, click the + icon.

   Note - You can also add Updatable objects in the Source column.

7. In the top right corner, click Import > Updatable Objects.
   The Updatable Objects window opens.
8. Select the Updatable objects to add.
9. Click OK.
   The selected Updatable objects are added in the rule column.
10. Configure other columns in this rule.
11. Publish the SmartConsole session.
12. Install the Access Control Policy.

Adding an Updatable Object to the Custom Threat Prevention Policy

1. Make sure the Security Management Server / Domain Management Server and the Security Gateway have access to the Check Point cloud in the Internet (see sk83520).
2. Connect with SmartConsole to the Security Management Server / Domain Management Server.
3. From the left navigation panel, click Security Policies.
4. In the top panel, click Threat Prevention > Custom Policy.
5. Add a new rule in the required position.
6. In the Protected Scope column, click the + icon.
7. In the top right corner, click Import > Updatable Objects.
   The Updatable Objects window opens.

   Note - You can also add objects to the Source column.

8. Select the Updatable objects to add.
9. Click OK.
   The selected Updatable objects are added in the rule column.
10. Configure other columns in this rule.
11. Publish the SmartConsole session.
12. Install the Threat Prevention Policy.


Adding an Updatable Object to the HTTPS Inspection Policy

1. Make sure the Security Management Server / Domain Management Server and the Security Gateway have access to the Check Point cloud in the Internet (see sk83520).
2. Connect with SmartConsole to the Security Management Server / Domain Management Server.
3. From the left navigation panel, click Security Policies.
4. In the top panel, click the applicable policy:
   - HTTPS Inspection > Inbound Policy
   - HTTPS Inspection > Outbound Policy
5. Add a new rule in the required position.
6. In the Destination column, click the + icon.

   Note - You can also add Updatable objects in the Source column.

7. In the top right corner, click Import > Updatable Objects.
   The Updatable Objects window opens.
8. Select the Updatable objects to add.
9. Click OK.
   The selected Updatable objects are added in the rule column.
10. Configure other columns in this rule.
11. Publish the SmartConsole session.
12. Install the HTTPS Inspection Policy.


Monitoring Updatable Objects


You can monitor how the Updatable Objects update their corresponding IP addresses in
SmartConsole or SmartView in the Logs & Events view > the Logs tab.
Follow the most applicable procedure for you.
Procedure 1 - Show all logs for the selected Updatable object from a policy

1. From the left navigation panel, click Security Policies.


2. In the top panel, click the applicable policy:
- Access Control > Policy
- Threat Prevention > Custom Policy

3. Locate a rule that contains the relevant Updatable object.

4. Hover the mouse cursor over the Updatable object.
5. In the menu that appears, click the Show Logs icon (the clipboard icon).
The Logs window opens and contains the name of the Updatable Object enclosed in
double quotes in the top search field.
6. On the left side, select the applicable period.
7. Double-click the relevant log entry.
The Log Details window opens.

8. When the update is successful, the Status field shows:


Succeeded

Procedure 2 - Search for the specific Updatable object in logs

1. From the left navigation panel, click Logs & Events > Logs.
2. In the top search bar, enter the name of the Updatable Object enclosed in double
quotes.
Example:
"Office365 Services"

3. On the left side, select the applicable period.


4. Double-click the relevant log entry.
The Log Details window opens.
5. When the update is successful, the Status field shows:

Succeeded


Updating the Updatable Objects through the Management Server


If your Security Gateway is not connected to the Internet, it can get the updates for the
Updatable Objects through the Management Server, which then acts as a proxy server:
1. Connect to the command line on the Security Gateway / each Cluster Member / Scalable
Platform Security Group.
2. Log in to the Expert mode.
3. Back up the current configuration file:

cp -v $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml{,_BKP}

4. Edit the current configuration file:

vi $CPDIR/conf/downloads/dl_prof_ONLINE_SERVICES.xml

5. Change the value of the "ProxyRoute" parameter from 0 to 1:

<ProxyRoute>1</ProxyRoute>

Example (refer to the bottom of the file):

<?xml version="1.0" encoding="UTF-8"?>
<DownloadPreferences>
    <ModuleName>Online_Services</ModuleName>
    <ID>111</ID>
    <Version>1.0</Version>
    <Files>online_services_gw.tgz</Files>
    <DeletionMethod>2</DeletionMethod>
    <Interval>120</Interval>
    <SVT_Log_ID>Firewall</SVT_Log_ID>
    <SVT_Log_Desc>IPs and Domains for Online Services objects</SVT_Log_Desc>
    <SVT_Log_Severity>2</SVT_Log_Severity>
    <SVT_Log_Failure_Impact>Online Services objects update has failed</SVT_Log_Failure_Impact>
    <CK_Identifier>fw1:6.0:xlate</CK_Identifier>
    <CK_Identifier>fw1:6.0:auth</CK_Identifier>
    <CK_Identifier>fw1:6.0:content</CK_Identifier>
    <URL>[Link]taService?wsdl</URL>
    <Updatable>Yes</Updatable>
    <ProxyRoute>1</ProxyRoute>
</DownloadPreferences>

6. Save the changes in the file and exit the editor.

7. On Scalable Platform Security Group, copy the modified file to all Security Group
Members:

asg_cp2blades $CPDIR/conf/downloads/dl_prof_ONLINE_
[Link]

8. To apply the new proxy value, restart Check Point services. On the Security Gateway,
run:

cpstop; cpstart

Important - Running the cpstop command on a Check Point Security Gateway stops
all Check Point services, including Firewall, VPN, and Software Blades.


Dynamic Objects
A Dynamic Object is a "logical" object where the IP address is resolved differently for each
Security Gateway, using the "dynamic_objects" command.
For Security Gateways R80.10 and higher, dynamic objects support SecureXL Accept
templates. Therefore, there is no performance impact on a rule that uses a dynamic object, or
on rules that come after it.
Dynamic Objects are predefined for LocalMachine-all-interfaces. The DAIP computer
interfaces (static and dynamic) are resolved into this object.


Generic Data Center Objects


From R81, you can enforce access to and from IP addresses defined in files located in external
web servers.
To do that, use the Generic Data Center object in SmartConsole. The Generic Data Center
object points to a JSON file in an external server which contains the IP addresses which you
want to access. This way, when the Generic Data Center object is used in a policy,
SmartConsole can retrieve the IP information from the JSON file as necessary.
You can host the JSON file also locally on the Security Management Server.
This feature is useful in cases where one administrator creates the Rule Base and defines the
objects, and another administrator manages the content of these objects.

This feature is supported in the Access Control, Threat Prevention, HTTPS Inspection, and
NAT Rule Bases.
The feature is supported only on a Security Management Server R81 and higher, and Security
Gateway (Cluster) R81 and higher.
After you create the Generic Data Center object, any change made in the file is automatically
enforced on the Security Gateway with no need to install policy.
To create the JSON file, follow the guidelines described in sk167210.
Using the Generic Data Center object in a Security Policy

1. In SmartConsole, go to the Object Explorer and click New > More > Cloud > Data
Center > Generic Data Center.

The New Generic Data Center object window opens.


2. Configure these fields:

a. URL - Enter the URL of the JSON file.


b. Interval - Enter the interval at which the file is sampled.
The default interval is 60 seconds.
c. Add Custom Header - If you need to add a custom header to the request to the
server, select this checkbox and enter the Key and Value.
d. Click Test Connection to make sure you can access the file.
3. Add the applicable Generic Data Center object to your Rule Base:
In the Source or Destination column, click Import > Data Center > Generic Data
Center, and select the applicable data center object from the list.

Note - The list contains all the data center objects included in your JSON file.


4. Install Policy.

Limitations
- You can make up to 15,000 changes in a JSON file between two time intervals at which
the JSON file is sampled, with a maximum of 30,000 IP addresses.
- A Security Gateway supports a total of 5,000 objects of these types: Dynamic objects,
Updatable objects, Generic Data Center objects, and Network Feed objects.
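
As an added example (not Check Point's code, and not the authoritative feed format, which sk167210 describes; the object layout used here is an assumption), a Python checker that parses such a feed and tests two successive samples of the file against the limits listed above before the administrator who manages the file publishes it:

```python
"""Checks a Generic Data Center JSON feed against the limits the guide states:
30,000 addresses per file, 15,000 changes between two samples and 5,000
dynamic-type objects per Security Gateway. Added example, not Check Point code;
the feed layout (an "objects" list with "name", "id" and "ranges") is assumed,
sk167210 is the authoritative description of the format."""
import ipaddress
import json

MAX_IPS_PER_FEED = 30_000          # Limitations: maximum addresses in the JSON file
MAX_CHANGES_PER_INTERVAL = 15_000  # Limitations: changes between two sampling intervals
MAX_OBJECTS_PER_GATEWAY = 5_000    # Limitations: shared with Dynamic/Updatable/Network Feed objects

# Constructed sample feeds; V2 is the same file after an edit made between two samples.
SAMPLE_FEED_V1 = """{
  "version": "1.0",
  "description": "constructed example feed",
  "objects": [
    {"name": "web-servers", "id": "web-01",
     "ranges": ["192.0.2.10", "192.0.2.20-192.0.2.29", "198.51.100.0/28"]},
    {"name": "partners", "id": "partner-01",
     "ranges": ["203.0.113.0/24"]}
  ]
}"""

SAMPLE_FEED_V2 = """{
  "version": "1.0",
  "description": "constructed example feed, one interval later",
  "objects": [
    {"name": "web-servers", "id": "web-01",
     "ranges": ["192.0.2.11", "192.0.2.20-192.0.2.29", "198.51.100.0/28"]},
    {"name": "partners", "id": "partner-01",
     "ranges": ["203.0.113.0/24", "198.51.100.64/26"]}
  ]
}"""


def range_size(spec):
    """Addresses covered by one "ranges" entry: a single IP, a CIDR prefix or a
    "first-last" span. Computed arithmetically, so a /8 is never expanded."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if first.version != last.version or last < first:
            raise ValueError(f"invalid address span: {spec}")
        return int(last) - int(first) + 1
    return ipaddress.ip_network(spec, strict=False).num_addresses


def parse_feed(text):
    """Parse the feed into {object name: [range, ...]}, rejecting malformed entries."""
    data = json.loads(text)
    objects = data.get("objects") if isinstance(data, dict) else None
    if not isinstance(objects, list):
        raise ValueError('feed has no top-level "objects" list')
    feed = {}
    for obj in objects:
        name, ranges = obj.get("name"), obj.get("ranges")
        if not name or not isinstance(ranges, list):
            raise ValueError(f"object without name or ranges: {obj!r}")
        if name in feed:
            raise ValueError(f"duplicate object name: {name}")
        for spec in ranges:
            range_size(spec)  # fail early on an entry the gateway could not resolve
        feed[name] = list(ranges)
    return feed


def check_feed(feed):
    """Limit violations for one parsed feed; an empty list means it is within limits."""
    problems = []
    # Overlapping ranges are counted twice, so this is an upper bound on distinct addresses.
    total_ips = sum(range_size(spec) for specs in feed.values() for spec in specs)
    if total_ips > MAX_IPS_PER_FEED:
        problems.append(f"{total_ips} addresses exceed the {MAX_IPS_PER_FEED} per-file limit")
    if len(feed) > MAX_OBJECTS_PER_GATEWAY:
        problems.append(f"{len(feed)} objects exceed the {MAX_OBJECTS_PER_GATEWAY} per-gateway limit")
    return problems


def count_changes(old_feed, new_feed):
    """(object, range) entries added or removed between two successive samples."""
    old_entries = {(name, spec) for name, specs in old_feed.items() for spec in specs}
    new_entries = {(name, spec) for name, specs in new_feed.items() for spec in specs}
    return len(old_entries ^ new_entries)


def check_update(old_text, new_text):
    """Validate the new sample and count the changes it carries relative to the old one."""
    old_feed, new_feed = parse_feed(old_text), parse_feed(new_text)
    problems = check_feed(new_feed)
    changes = count_changes(old_feed, new_feed)
    if changes > MAX_CHANGES_PER_INTERVAL:
        problems.append(f"{changes} changes exceed the {MAX_CHANGES_PER_INTERVAL} per-interval limit")
    return changes, problems


if __name__ == "__main__":
    changes, problems = check_update(SAMPLE_FEED_V1, SAMPLE_FEED_V2)
    print(f"changes between samples: {changes}; problems: {problems or 'none'}")
```

The change count treats each added or removed range entry as one change; if the gateway counts individual addresses instead, compare against the per-address total as well.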


Security Zones
With Security Zones you can create a strong Access Control Policy that controls the traffic
between parts of the network.
A Security Zone object represents a part of the network (for example, the internal network or
the external network). You assign a network interface of a Security Gateway to a Security
Zone. You can then use the Security Zone objects in the Source and Destination columns of
the Rule Base.
Use Security Zones to:
- Simplify the Policy. Apply the same rule to many Security Gateways.
- Add networks to Security Gateways interfaces without changing the Rule Base.

For example, in the diagram, we have three Security Zones for a typical network: ExternalZone
(1), DMZZone (2) and InternalZone (3).
- Security Gateway (4) has three interfaces. One interface is assigned to ExternalZone
(1), one interface is assigned to DMZZone (2), and one interface is assigned to
InternalZone (3).
- Security Gateway (5) has two interfaces. One interface is assigned to ExternalZone (1)
and one interface is assigned to InternalZone (3).

A Security Gateway interface can belong to only one Security Zone. Interfaces to different
networks can be in the same Security Zone.

Workflow
1. Configure Security Zone objects.
Or, use the predefined Security Zones (see "Predefined Security Zones" on page 309 ).


2. Assign Security Gateway interfaces to Security Zones (see "Creating and Assigning
Security Zones" below).
3. Use the Security Zone objects in the Source and Destination of a rule.
For example:

Source Destination VPN Service Action

InternalZone ExternalZone Any Traffic Any Accept

4. Install the Access Control Policy (see "Installing the Access Control Policy" on
page 403).

Processing Flow for Rule Base Execution when using Security Zones and NAT Rules
1. Matching NAT Rules
The system performs NAT Rule Base matching as the first step. It identifies and records
the outbound IP address, which is used both for translation and routing. This step
ensures the system can map traffic to the appropriate Security Zones.
2. Retrieving the Outgoing Interface
After identifying the outbound IP address, the kernel queries the routing API to determine
the corresponding network interface. The system then assigns this interface to the
appropriate outbound Security Zone. This assignment ensures that Rule Base execution
aligns with the NAT configurations and accurately routes traffic.

3. Executing the Rule Base


Using the configured outbound interface and Security Zone, the system applies Security
Policies to manage traffic. This ensures that all traffic adheres to predefined rules,
supporting efficient and accurate network operations.
Example: Resolving Conflicts with Third-Party Tools
Third-party Rule Base tools, such as AlgoSec, may encounter conflicts when analyzing Check
Point policies. These conflicts arise because the Rule Base does not explicitly define NAT-
translated IPs. To resolve this, the system processes the NAT Rule Base before executing the
main Rule Base. By combining NAT data with routing information, it configures the correct
outgoing interface zone. This integration allows third-party tools to interpret the policy correctly
and enforce traffic rules without errors.

Creating and Assigning Security Zones


Before you can use Security Zones in the Rule Base, you must assign Security Gateway
interfaces to Security Zones.


To create a Security Zone


1. In the Objects bar (F11), click New > More > Network Object > Security Zone.
The Security Zone window opens.
2. Enter a name for the Security Zone.
3. Enter an optional comment or tag.
4. Click OK.

To assign an interface to a Security Zone


1. In the Gateways & Servers view, right-click a Security Gateway object and select Edit.

The Gateway Properties window opens.


2. In the Network Management pane, right-click an interface and select Edit.
The Interface window opens. The Topology area of the General pane shows the
Security Zone to which the interface is already bound. By default, the Security Zone is
calculated according to where the interface Leads To.
3. Click Modify.
The Topology Settings window opens.
4. In the Security Zone area, click User Defined and select Specify Security Zone.
5. From the drop-down box, select a Security Zone.

Or click New to create a new one.


6. Click OK.

Predefined Security Zones


These are the predefined Security Zones, and their intended purposes:
- WirelessZone - Networks that can be accessed by users and applications with a
wireless connection.
- ExternalZone - Networks that are not secure, such as the Internet and other external
networks.
- DMZZone - A DMZ (demilitarized zone) is sometimes referred to as a perimeter network.
It contains company servers that can be accessed from external sources.
A DMZ lets external users and applications access specific internal servers, but prevents
external users from accessing secure company networks.

Add rules to the Security Gateway Rule Base that allow traffic to the company DMZ. For
example, a rule that allows HTTP and HTTPS traffic to your web server in the DMZ.
- InternalZone - Company networks with sensitive data that must be protected and used
only by authenticated users.

Limitations
- NAT policy supports Security Zones only for R81 Security Gateways and higher.
- You can use Security Zones in the Threat Prevention Rule Base, but Threat Prevention
logs do not display Security Zone fields.
- If the clean-up rule contains Security Zones, it might prevent the creation of Drop
templates for that rule.


Externally Managed Gateways and Hosts


An Externally Managed Security Gateway or a Host is a Security Gateway or a Host which has
Check Point software installed on it.
This Externally Managed Security Gateway is managed by an external Management Server.
While it does not receive the Check Point Security Policy, it can participate in Check Point VPN
communities and solutions.


Interoperable Devices
An Interoperable Device is a device that has no Check Point Software Blades installed.
The Interoperable Device:
- Cannot have a policy installed on it
- Can participate in Check Point VPN communities and solutions.


VoIP Domains
There are five types of VoIP Domain objects:
- VoIP Domain SIP Proxy
- VoIP Domain H.323 Gatekeeper
- VoIP Domain H.323 Gateway
- VoIP Domain MGCP Call Agent
- VoIP Domain SCCP Call Manager
In many VoIP networks, the control signals follow a different route through the network than
the media. This is the case when the call is managed by a signal routing device. In SIP, signal
routing is done by the Redirect Server, Registrar, and/or Proxy. In H.323, signal routing is done
by the Gatekeeper and/or Gateway.
Enforcing signal routing locations is an important aspect of VoIP security. It is possible to
specify the endpoints that the signal routing device is allowed to manage. This set of locations
is called a VoIP Domain.
For more information, see the R82 VoIP Administration Guide.


Logical Servers
A Logical Server is a group of machines that provides the same services. The workload of this
group is distributed between all its members.
When a Server group is stipulated in the Servers group field, the client is bound to this
physical server.
There are two modes of operation:
- Persistency by Service - Once a client is connected to a physical server for a specified
service, subsequent connections to the same Logical Server and the same service are
redirected to the same physical server for the duration of the session.
- Persistency by Server - Once a client is connected to a physical server, subsequent
connections to the same Logical Server (for any service) are redirected to the same
physical server for the duration of the session.

Balance Method

The load balancing algorithm stipulates how the traffic is balanced between the servers. There
are several types of balancing methods:
- Server Load - The Security Gateway determines which Security Management Server is
best equipped to handle the new connection.
- Round Trip Time - On the basis of the shortest round trip time between the Security
Gateway and the servers, measured by a simple ping, the Security Gateway determines
which Security Management Server is best equipped to handle the new connection.
- Round Robin - The new connection is assigned to the first available server.
- Random - The new connection is assigned to a server at random.
- Domain - The new connection is assigned to a server based on domain names.
For more information, see the R82 Quantum Security Gateway Guide > Chapter
ConnectControl - Server Load Balancing.


Open Security Extension (OSE) Devices


With the Open Security Extension (OSE) features you can manage third-party devices with
the Check Point SmartConsole. The number of managed devices, both hardware and software
packages, depends on your license. OSE devices commonly include hardware security devices
for routing or dedicated Network Address Translation and Authentication appliances. Security
devices are managed in the Security Policy as Embedded Devices.
The Security Management Server generates Access Lists from the Security Policy and
downloads them to the selected routers and open security devices. Check Point supports these
devices:

OSE Device Supported Versions

Cisco Systems 9.x, 10.x, 11.x, 12.x

The Check Point Rule Base must not have these objects. If it does, the Security Management
Server does not generate Access Lists.
- Drop (in the Action column)
- Encrypt (Action)
- Alert (Action)
- RPC (Service)
- ACE (Service)
- Authentication Rules
- Negate Cell

Defining OSE Device Interfaces


OSE devices report their network interfaces and setup at boot time. Each OSE device has a
different command to list its configuration. You must define at least one interface for each
device, or Install Policy will fail.

To define an OSE Device


1. From the Object Explorer, click New > More.
2. Click Network Object > More > OSE Device.
3. Enter the general properties (see "OSE Device Properties Window - "General" Tab" on
the next page).
We recommend that you also add the OSE device to the host lists on other servers:
hosts (Linux) and lmhosts (Windows).


4. Open the Topology tab and add the interfaces of the device.
You can enable Anti-Spoofing on the external interfaces of the device. Double-click the
interface. In the Interface Properties window > Topology tab, select External and
Perform Anti-Spoofing.
5. Open the Setup tab and define the OSE device and its administrator credentials (see
"Anti-Spoofing Parameters and OSE Devices Setup (Cisco)" below).

OSE Device Properties Window - "General" Tab


- Name - The name of the OSE device, as it appears in the system database on the
server.
- IP Address - The device's IP address.
- Get Address - Click this button to resolve the name to an address.
- Comment - Text to show on the bottom of the Network Object window when this object
is selected.
- Color - Select a color from the drop-down list. The OSE device will be represented in the
selected color in SmartConsole, for easier tracking and management.
- Type - Select from the list of supported vendors.

Anti-Spoofing Parameters and OSE Devices Setup (Cisco)


For Cisco (Version 10.x and higher) devices, you must specify the direction of the filter rules
generated from anti-spoofing parameters. The direction of enforcement is specified in the
Setup tab of each router.
For Cisco routers, the direction of enforcement is defined by the Spoof Rules Interface
Direction property.

Access List No - The number of Cisco access lists enforced. Cisco routers Version 12.x and
below support an ACL number range from 101-200. Cisco routers Version 12.x and above
support an ACL number range from 101-200 and also an ACL number range from 2000-2699.
Using this ACL number range enables the support of more interfaces.
For each credential, select an option:
- None - Credential is not needed.
- Known - The administrator must enter the credentials.
- Prompt - The administrator will be prompted for the credentials.
Username - The name required to log on to the OSE device.
Password - The Administrator password (Read only) as defined on the router.
Enable Username - The user name required to install Access Lists.


Enable Password - The password required to install Access Lists.


Version - The Cisco OSE device version (9.x, 10.x, 11.x, 12.x).
OSE Device Interface Direction - Installed rules are enforced on data packets traveling in this
direction on all interfaces.
Spoof Rules Interface Direction - The spoof tracking rules are enforced on data packets
traveling in this direction on all interfaces.


Managing Policies
SmartConsole offers a number of tools that address policy management tasks, both at the
definition stage and for maintenance.
At the definition stage:
- Policy Packages let you group different types of policies, to be installed together on the
same installation targets.
- Predefined Installation Targets let you associate each package with a set of gateways.
You do not have to repeat the gateway selection process each time you install a Policy
Package.

At the maintenance level:


- Search gives versatile search capabilities for network objects and the rules in the Rule
Base.
- Database version control lets you track past changes to the database.

Working with Policy Packages


A policy package is a collection of different types of policies. After installation, the Security
Gateway enforces all the policies in the package. A policy package can have one or more of
these policy types:
- Access Control - consists of these types of rules:
  - Firewall
  - NAT
  - Application Control & URL Filtering
  - Content Awareness
  - Mobile Access
- QoS - Quality of Service rules for bandwidth management
- Desktop Security - the Firewall policy for endpoint computers that have the Endpoint
Security VPN remote access client installed as a standalone client.
- Threat Prevention - consists of:

  - IPS - IPS protections continually updated by IPS Services
  - Anti-Bot & Advanced DNS - Detects bot-infected machines, prevents bot damage
by blocking bot Command and Control (C&C) communications
  - Anti-Virus - Includes heuristic analysis, stops viruses, worms, and other malware at
the gateway
  - Threat Emulation - Detects zero-day and advanced polymorphic attacks by
opening suspicious files in a sandbox
  - Threat Extraction - Extracts potentially malicious content from e-mail attachments
before they enter the corporate network
  - Zero Phishing - Prevents unknown zero-day and known phishing attacks on
websites in real-time, by utilizing industry leading Machine-Learning algorithms
and patented inspection technologies.
- HTTPS Inspection - Consists of rules to inspect traffic encrypted by the Transport Layer
Security (TLS) protocol between internal browser clients and web servers. From R82 on,
the HTTPS Inspection policy is divided into Inbound Policy and Outbound Policy.

Important - Legacy SmartDashboard does not show the QoS and Desktop policies
when an administrator with read-only permissions is logged in, and the "Desktop
Security" policy is enabled in the policy package.

The installation process:


- Runs a heuristic verification on rules to make sure they are consistent and that there are
no redundant rules.
If there are verification errors, the policy is not installed. If there are verification warnings
(for example, if anti-spoofing is not enabled for a Security Gateway with multiple
interfaces), the policy package is installed with a warning.
- Makes sure that each of the Security Gateways enforces at least one of the rules. If none
of the rules are enforced, the default drop rule is enforced.
- Distributes the user database and object database to the selected installation targets.
You can create different policy packages for different types of sites in an organization.
Example

An organization has four sites, each with its own requirements. Each site has a different set
of Software Blades installed on the Security Gateways:


Item Security Gateway Installed Software Blades

1 Sales California Firewall, VPN

2 Sales Alaska Firewall, VPN, IPS, DLP

3 Executive management Firewall, VPN, QoS, and Mobile Access

4 Server farm Firewall

5 Internet

To manage these different types of sites efficiently, you need to create three different Policy
Packages. Each Package includes a combination of policy types that correspond to the
Software Blades installed on the site's Security Gateway. For example:
- A policy package that includes the Access Control policy type. The Access Control
policy type controls the firewall, NAT, Application Control & URL Filtering, and
Content Awareness Software Blades. This package also determines the VPN
configuration.
Install the Access Control policy package on all Security Gateways.
- A policy package that includes the QoS policy type for the QoS blade on the Security
Gateway that manages bandwidth.
Install this policy package on the executive management Security Gateway.
- A policy package that includes the Desktop Security Policy type for the Security
Gateway that handles Mobile Access.
Install this policy package on the executive management Security Gateway.

Creating a New Policy Package

1. From the Menu, select Manage policies and layers.


The Manage policies and layers window opens.
2. Click New.
The New Policy window opens.
3. Enter a name for the policy package.
4. In the General page > Policy types section, select one or more of these policy types:
- Access Control & HTTPS Inspection
- Threat Prevention
- QoS, select Recommended or Express
- Desktop Security
To see the QoS and Desktop Security policy types, enable them on one or more
Gateways:
Go to gateway editor > General Properties > Network Security tab:
- For QoS, select QoS
- For Desktop Security, select IPSec VPN and Policy Server
5. On the Installation targets page, select the gateways the policy will be installed on:
- All gateways
- Specific gateways - For each gateway, click the [+] sign and select it from the
list.
To install Policy Packages correctly and eliminate errors, each Policy Package is
associated with a set of appropriate installation targets.
6. Click OK.
7. Click Close.
The new policy shows on the Security Policies page.

Adding a Policy Type to an Existing Policy Package

1. From the Menu, select Manage policies and layers.


The Manage policies and layers window opens.


2. Select a policy package and click the Edit button.
The New Policy package window opens.
3. On the General > Policy types page, select the policy type to add:
- Access Control & HTTPS Inspection
- Threat Prevention
- QoS, select Recommended or Express
- Desktop Security
4. Click OK.

Installing a Policy Package

1. On the Global Toolbar, click Install Policy.


The Install Policy window opens and shows the installation targets (Security
Gateways).
2. From the Select a policy menu, select a policy package.
3. Select one or more policy types that are available in the package.
4. Select the Install Mode:
- Install on each selected gateway independently - Install the policy on each
target gateway independently of others, so that if the installation fails on one of
them, it doesn't affect the installation on the rest of the target gateways.

Note - If you select For Gateway clusters install on all the members, if fails do
not install at all, the Security Management Server makes sure that it can install
the policy on all cluster members before it begins the installation. If the policy
cannot be installed on one of the members, policy installation fails for all of them.
- Install on all selected gateways, if it fails do not install on gateways of the
same version - Install the policy on all the target gateways. If the policy fails to
install on one of the gateways, the policy is not installed on other target
gateways.
5. Click Install.


Installing the User Database

When you make changes to user definitions through SmartConsole, they are saved to the
user database on the Security Management Server. User authentication methods and
encryption keys are also saved in this database. The user database does not contain
information about users defined externally to the Security Gateway (such as users in
external User Directory groups), but it does contain information about the external groups
themselves (for example, on which Account Unit the external group is defined). Changes to
external groups take effect only after the policy is installed, or the user database is
downloaded from the Security Management Server.
You must choose to install the policy or the user database, based on the changes you
made:
- Install the policy, if you modified additional components of the Policy Package (for
example, added new Security Policy rules) that are used by the installation targets
- Install the user database, if you only changed the user definitions or the administrator
definitions - from the Menu, select Install Database
The user database is installed on:
- Security Gateways - during policy installation
- Check Point hosts with one or more Management Software Blades enabled - during
database installation
You can also install the user database on Security Gateways and on a remote server, such
as a Log Server, from the command line interface on the Security Management Server.

To install user database from the command line interface:


On the Security Management Server, run in the Expert mode:

fwm dbload <Main IP address or Name of Security Gateway Object>

For more information, see the R82 CLI Reference Guide - Chapter Security Management
Server Commands - Section fwm - Sub-section fwm dbload.

Note - Check Point hosts that do not have active Management Software Blades do
not get the user database installed on them.

Uninstalling the Access Control Policy

You can uninstall the Access Control policy using the command line interface on the
Security Gateway.


To uninstall the Access Control policy

1. Connect to the command line on the Security Gateway.


2. Log in to the Expert mode.
3. Run:

fw unloadlocal

Warning
- The "fw unloadlocal" command prevents all traffic from passing
through the Security Gateway (Cluster Member), because it disables the
IP Forwarding in the Linux kernel on the Security Gateway (Cluster
Member).
- The "fw unloadlocal" command removes all policies from the Security
Gateway (Cluster Member). This means that the Security Gateway
(Cluster Member) accepts all incoming connections destined to all active
interfaces without any filtering or protection enabled.

For more information, see the R82 CLI Reference Guide - Chapter Security Gateway
Commands - Section fw - Sub-section fw unloadlocal.
For uninstalling other Security Policies, check the relevant Administration Guides.


Viewing Rule Logs


You can search for the logs that are generated by a specific rule, from the Security Policy or
from the Logs & Events > Logs tab.

To see logs generated by a rule (from the Security Policy)


1. In SmartConsole, go to the Security Policies view.
2. In the Access Control Policy or Threat Prevention Policy, select a rule.
3. In the bottom pane, click one of these tabs to see:
- Logs - By default, shows the logs for the Current Rule. You can filter them by
Source, Destination, Blade, Action, Service, Port, Source Port, Rule (Current
rule is the default), Origin, User, or Other Fields.
- History (Access Control Policy only) - List of rule operations (Audit logs) related to
the rule in chronological order, with the information about the rule type and the
administrator that made the change.

To see logs generated by a rule (by Searching the Logs)


1. In SmartConsole, go to the Security Policies view.
2. In the Access Control Policy or Threat Prevention Policy, select a rule.
3. Right-click the rule number and select Copy Rule UID.

4. In the Logs & Events > Logs tab, search for the logs in one of these ways:
n Paste the Rule UID into the query search bar and press Enter.
n For faster results, use this syntax in the query search bar:
layer_uuid_rule_uuid:*_<UID>

For example, paste this into the query search bar and press Enter:
layer_uuid_rule_uuid:*_46f0ee3b-026d-45b0-b7f0-5d71f6d8eb10

Policy Installation History


How to work with the policy installation history

In the Installation History you can choose a Security Gateway, a date and time when the Policy was installed, and:
- See the revisions that were installed on the Security Gateway and who installed the Policy.
- See the changes that were installed and who made the changes.
- Revert to a specific version, and install the last "good" Policy.

To work with the Policy installation history:

1. In SmartConsole, go to Security Policies.
2. From the Access Tools or the Threat Prevention Tools, select Installation History.
3. In the Gateways section, select a Security Gateway.
4. In the Policy Installation History section, select an installation date.
5. Perform the applicable action:
   - To see the revisions that were installed and who made them: Click View installed changes.
   - To see the changes that were installed and who made them: Click View.
   - To revert to a specific version of the policy: Click Install specific version.

Concurrent Install Policy


Starting from R81, one administrator or more can run different policy installation tasks on
multiple gateways at the same time. In earlier versions, you can only run the same policy
installation task on multiple gateways at the same time.
Concurrent Install Policy only supports the Access Control and Threat Prevention policies. It
does not support the Desktop and QoS policies.
The maximum number of policy installation tasks (of different policies) that can run at the same
time is 5. If more than 5 policy installation requests are sent, any request beyond the first 5
gets in a queue.
The running and the queued tasks appear in the Recent Tasks window at the bottom left of
your screen.
Note - In the first installation, you cannot install both the Access Control and Threat Prevention
policies on the same gateway at the same time. You must install one and then the other.

Accelerated Install Policy


R81 introduces the Accelerated Install Policy feature for the Access Control policy. When the
Access Control policy installation is accelerated, the installation duration is decreased
significantly.
Policy installation is accelerated depending on the changes that were made to the Access
Control policy since the last installation.
For example, creating a Host object and adding it to an Access Control rule triggers
accelerated policy installation.
For more information about accelerated install policy and a detailed list on the events that
trigger accelerated policy installation, see sk169096.

Creating an Access Control Policy


This section provides the instructions for working with Access Control Policies.

Introducing the Unified Access Control Policy


Define one, unified Access Control Policy. The Access Control Policy lets you create a simple and granular Rule Base that combines all these Access Control features:
- Firewall - Control access to and from the internal network.
- Application & URL Filtering - Block applications and sites.
- Content Awareness - Restrict the Data Types that users can upload or download.
- IPsec VPN and Mobile Access - Configure secure communication with Site-to-Site and Remote Access VPN.
- Identity Awareness - Identify users, computers, and networks.

There is no need to manage separate Rule Bases. For example, you can define one, intuitive rule that allows users in specified networks to use a specified application, but prevents downloading files larger than a specified size. You can use all these objects in one rule:
- Security Zones
- Services
- Applications and URLs
- Data Types
- Access Roles

Information about these features is collected in one log:
- Network
- Protocol
- Application
- User
- Accessed resources
- Data Types

The Columns of the Access Control Rule Base


These are the columns of the rules in the Access Control policy. Not all of these are shown by
default. To select a column that does not show, right-click on the header of the Rule Base, and
select it.

Column | Description
No | Rule number in the Rule Base Layer.
Hits | Number of times that connections match a rule. See "Analyzing the Rule Base Hit Count" on page 412.
Name | Name that the system administrator gives this rule.
Source, Destination | Network objects that define where the traffic starts and the destination of the traffic. See "Source and Destination Column" on the next page.
VPN | The VPN Community to which the rule applies. See "VPN Column" on the next page.
Services & Applications | Services, Applications, Categories, and Sites. If Application & URL Filtering is not enabled, only Services show. See "Services & Applications Column" on page 332.
Content | The data asset to protect, for example, credit card numbers or medical records. You can set the direction of the data to Download Traffic (into the organization), Upload Traffic (out of the organization), or Any Direction. See "Content Column" on page 336.
Action | Action that is done when traffic matches the rule. Options include: Accept, Drop, Ask, Inform (UserCheck message), Inline Layer, and Reject. See "Actions" on page 338.
Track | Tracking and logging action that is done when traffic matches the rule. See "Tracking Column" on page 340.
Install On | Network objects that will get the rule(s) of the policy. See "Installing the Access Control Policy" on page 403.
Time | Time period that this rule is enforced.
Comment | An optional field that lets you summarize the rule.

Source and Destination Column


In the Source and Destination columns of the Access Control Policy Rule Base, you can add Network objects including groups of all types.
Here are some of the Network objects you can include:
- Network (see "Networks" on page 286 and "Network Groups" on page 287)
- Host
- Zones (see "Security Zones" on page 307)
- Dynamic Objects (see "Dynamic Objects" on page 304)
- Domain Objects (see "Domains" on page 296)
- Access Roles
- Updatable Objects (see "Updatable Objects" on page 297)

To Learn More About Network Objects

You can add network objects to the Source and Destination columns of the Access Control
Policy. See "Managing Objects" on page 281.

VPN Column
You can configure rules for Site-to-Site VPN, Remote Access VPN, and the Mobile Access
Portal and clients.

To make a rule for a VPN Community, add a Site-to-Site Community or a Remote Access VPN
Community object to this column, or select Any to make the rule apply to all VPN
Communities.
When you enable Mobile Access on a Security Gateway, the Security Gateway is
automatically added to the RemoteAccess VPN Community. Include that Community in the
VPN column of the rule or use Any to make the rule apply to Mobile Access Security
Gateways. If the Security Gateway was removed from the VPN Community, the VPN column
must contain Any.

IPsec VPN

The IPsec VPN solution lets the Security Gateway encrypt and decrypt traffic to and from other
Security Gateways and clients. Use SmartConsole to easily configure VPN connections
between Security Gateways and remote devices.

For Site-to-Site Communities, you can configure Star and Mesh topologies for VPN networks,
and include third-party gateways.
The VPN tunnel guarantees:
- Authenticity - Uses standard authentication methods
- Privacy - All VPN data is encrypted
- Integrity - Uses industry-standard integrity assurance methods

IKE and IPsec


The Check Point VPN solution uses these secure VPN protocols to manage encryption keys and send encrypted packets. IKE (Internet Key Exchange) is a standard key management protocol that is used to create the VPN tunnels. IPsec is a protocol that supports secure IP communications that are authenticated and encrypted on private or public networks.

Mobile Access to the Network

Check Point Mobile Access lets remote users easily and securely use the Internet to connect
to internal networks. Remote users start a standard HTTPS request to the Mobile Access
Security Gateway, and authenticate with one or more secure authentication methods.
The Mobile Access Portal lets mobile and remote workers connect easily and securely to
critical resources over the internet. Check Point Mobile Apps enable secure encrypted
communication from unmanaged smartphones and tablets to your corporate resources.
Access can include internal apps, email, calendar, and contacts.
To include access to Mobile Access applications in the Rule Base, include the Mobile
Application in the Services & Applications column.
To give access to resources through specified remote access clients, create Access Roles for
the clients and include them in the Source column of a rule.

To Learn More About VPN

To learn more about Site-to-Site VPN and Remote Access VPN, see these guides:
- R82 Site to Site VPN Administration Guide
- R82 Remote Access VPN Administration Guide
- R82 Mobile Access Administration Guide

Services & Applications Column


In the Services & Applications column of the Access Control Rule Base, define the applications, sites, and services that are included in the rule. A rule can contain one or more:
- Services
- Applications
- Mobile Applications for Mobile Access
- Web sites
- Default categories of Internet traffic
- Custom groups or categories that you create, that are not included in the Check Point Application Database.

Service Matching

The Security Gateway identifies (matches) a service according to IP protocol, TCP and UDP
port number, and protocol signature.
To make it possible for the Security Gateway to match services by protocol signature, you must enable Application & URL Filtering on the Security Gateway and on the Ordered Layer (see "Enabling Access Control Features" on page 371).
You can configure TCP and UDP services to be matched by source port.

Application Matching

If an application is allowed in the policy, the rule is matched only on the Recommended
services of the application. This default setting is more secure than allowing the application on
all services. For example: a rule that allows Facebook, allows it only on the Application Control
Web Browsing Services: http, https, HTTP_proxy, and HTTPS_proxy.

If an application is blocked in the policy, it is blocked on all services. It is therefore blocked on all ports.
You can change the default match settings for applications.

Configuring Matching for an Allowed Application

You can configure how a rule matches an application or category that is allowed in the policy. You can configure the rule to match the application in one of these ways:
- On any service
- On a specified service
To do this, change the Match Settings of the application or category. The application or category is changed everywhere that it is used in the policy.

To change the matched services for an allowed application or category:


1. In a rule which has applications or categories in the Services & Applications column, double-click an application or category.
2. Select Match Settings.
3. Select an option:
   - The default is Recommended services. The defaults for Web services are the Application Control Web Browsing Services.
   - To match the application with all services, click Any.
   - To match the application on specified services, click Customize, and add or remove services.
   - To match the application with all services and exclude specified services, click Customize, add the services to exclude, and select Negate.
4. Click OK.

Configuring Matching for Blocked Applications

By default, if an application is blocked in the policy, it is blocked on all services. It is therefore blocked on all ports.
You can configure the matching for blocked applications so that they are matched on the recommended services. For Web applications, the recommended services are the Application Control Web browsing services.
If the match settings of the application are configured to Customize, the blocked application is matched on the customized services. It is not matched on all ports.

To configure matching for blocked applications:


1. In SmartConsole, go to Manage & Settings > Blades > Application & URL Filtering > Advanced Settings > Application Port Match.
2. Configure Match application on 'Any' port when used in 'Block' rule:
   - Selected - This is the default. If an application is blocked in the Rule Base, the application is matched to Any port.
   - Not selected - If an application is blocked in the Rule Base, the application is matched to the services that are configured in the application object of the application. However, some applications are still matched on Any. These are applications (Skype, for example) that do not limit themselves to a standard set of services.

Summary of Application Matching in a "Block" Rule

Application Match Setting | Checkbox "Match web application on 'Any' port when used in 'Block' rule" | Blocked Application is Matched on Service
Recommended services (default) | Selected (default) | Any
Recommended services (default) | Not selected | Recommended services
Customize | Not relevant | Customized services
Any | Not relevant | Any

Adding Services, Applications, and Sites to a rule

You can add services, applications and sites to a rule.

Note - Rules with applications or categories do not apply to connections from or to the Security Gateway.

To add services, applications or sites to a rule:

1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. To add applications to a rule, select a Layer with Applications and URL Filtering enabled.
3. Right-click the Services & Applications cell for the rule and select Add New Items.
4. Search for the services, sites, applications, or categories.
5. Click the + next to the ones you want to add.

Creating Custom Applications, Categories, and Groups

You can create custom applications, categories or groups, which are not included in the
Check Point Application Database.

To create a new application or site:


1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Select a Layer with Applications and URL Filtering enabled.
3. Right-click the Services & Applications cell for the rule and select Add New Items.
   The Application viewer window opens.
4. Click New > Custom Applications/Site > Application/Site.
5. Enter a name for the object.
6. The default matched services for a custom application or site are Web Browsing Services. Starting from R82 SmartConsole Releases Build 1055 or higher, you can change the matched services for a custom application or site:
   a. In the Match Settings tab, go to Services and select Customize.
   b. Click the + sign.
   c. From the list that opens, select the required services.
7. Enter one or more URLs.
   If you used a regular expression in the URL, click URLs are defined as Regular Expressions.

   Note - If the application or site URL is defined as a regular expression you must use the correct syntax. See sk165094.

8. Click OK.

To create a custom category

1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Select a Layer with Applications and URL Filtering enabled.
3. Right-click the Services & Applications cell for the rule and select Add New Items.
   The Application viewer window opens.
4. Click New > Custom Applications/Site > User Category.
5. Enter a name for the object.
6. Enter a description for the object.
7. Click OK.

Content Column
You can add Data Types to the Content column of rules in the Access Control Policy.
To use the Content column, you must enable Content Awareness, in the General Properties
page of the Security Gateway, and on the Layer.
A Data Type is a classification of data. The Security Gateway classifies incoming and outgoing
traffic according to Data Types, and enforces the Policy accordingly.
You can set the direction of the data in the Policy to Download Traffic (into the organization),
Upload Traffic (out of the organization), or Any Direction.

There are two kinds of Data Types: Content Types (classified by analyzing the file content) and File Types (classified by analyzing the file ID).
Content Type examples:
- PCI - credit card numbers
- HIPAA - Medical Records Number - MRN
- International Bank Account Numbers - IBAN
- Source Code - JAVA
- U.S. Social Security Numbers - According to SSA
- Salary Survey Terms

File type examples:
- Viewer File - PDF
- Executable file
- Database file
- Document file
- Presentation file
- Spreadsheet file

Data Type Group

A Data Type group is a logical collection of individual Data Types. It allows you to combine multiple Data Types into a single group, which reduces the number of rules and simplifies policy management. A Data Type group can include both:
- File Types (for example, credit card numbers, social security numbers, source code)
- File Content types (for example, PDF files, presentations, spreadsheets)
The Data Type Group is matched if any of its members (File Type or File Content type) is detected in the inspected traffic.
When you create a Data Type Group:
- In the File Type section, you can select only file types from a pre-defined list. Custom Data Types you create do not appear in the drop-down list.
  Note - To create a group with custom file types, use the Traditional Data Type Group.
- In the File Content section, you can select both from the pre-defined list, as well as any custom Data Types you created.

Notes:
- The Content Awareness Software Blade supports HTTP, HTTPS, SMTP, and FTP protocols on all ports. It is fully integrated with the Access Control unified Rule Base.
- The Content Awareness Software Blade does not match Binary Certificate *.cer files to the 'Certificates and Private Keys' Data Type.
- Content Awareness and Data Loss Prevention (DLP) both use Data Types. However, they have different features and capabilities. They work independently, and the Security Gateway enforces them separately.
- If an inline layer has Archive File in the content column of the parent rule, and another value in the content column in one of the sub-rules (for example: Presentation File), then if the matched archive includes the other value (in this example: a presentation file), the rule is not matched. Use a regular rule for both content types.
- If a content column of a rule includes the Compound Data Type Group or Traditional Data Type Group with an Archive File Data Type and another Data Type (for example: PCI - Credit Card Numbers), then if an archive file which contains a file with credit cards is uploaded or downloaded, the rule is not matched.
- If a rule with Archive File in the content column is matched, and a lower rule in the Rule Base has a Data Type which is contained in the archive file, then the lower rule in the Rule Base is matched as well.

Limitations:
- Content Awareness supports more than 60 character sets (charsets) for text files, including Japanese, Korean, Greek, and Arabic. If the inspected traffic does not include a supported charset, Content Awareness uses UTF-8 for decoding. To see the list of supported charsets, and to learn how to change the default charset, see sk116155.
- Content Awareness supports Data Types based on file name. For specific HTTP traffic where the file name is not part of the URL or content-disposition header, the file name may be incorrect.

To learn more about the Data Types, open the Data Type object in SmartConsole and press
the ? button (or F1 key) to see the Help.
To learn more about DLP, see the R82 Data Loss Prevention Administration Guide.

Actions

Action | Meaning
Accept | Accepts the traffic.
Drop | Drops the traffic. The Security Gateway does not send a response to the originating end of the connection and the connection eventually does a time-out. If no UserCheck object is defined for this action, no page is displayed.
Ask | Asks the user a question and adds a confirmatory check box, or a reason box. Uses a UserCheck object.
Inform | Sends a message to the user attempting to access the application or the content. Uses a UserCheck object.

To see these actions, right-click and select More:

Action | Meaning
Reject | Rejects the traffic. The Security Gateway sends an RST packet to the originating end of the connection and the connection is closed.
UserCheck Frequency | Configure how often the user sees the configured message when the action is ask, inform, or block.
Confirm UserCheck | Select the action that triggers a UserCheck message:
  - Per rule - UserCheck message shows only once when traffic matches a rule.
  - Per category - UserCheck message shows for each matching category in a rule.
  - Per application/Site - UserCheck message shows for each matching application/site in a rule.
  - Per Data type - UserCheck message shows for each matching data type.
Limit | Limits the bandwidth that is permitted for a rule. Add a Limit object to configure a maximum throughput for uploads and downloads.
  Important: After policy installation, a bandwidth limit is not enforced on a connection that is matched to an Access Control rule with the Action "Limit" in one of these scenarios:
  - The 'Keep all connections' option is selected in the security object
  - The 'Keep connections open after the policy has been installed' option is selected in the Service object used in this rule
Enable Identity Captive Portal | Redirects HTTP traffic to an authentication (captive) portal. After the user is authenticated, new connections from this source are inspected without requiring authentication.
  Important - A rule that drops traffic, with the Source and Destination parameters defined as Any, also drops traffic to and from the Captive Portal.

Tracking Column
These are some of the Tracking options:
- None - Do not generate a log.
- Log - This is the default Track option. It shows all the information that the Security Gateway used to match the connection.
- Accounting - Select this to update the log at 10 minute intervals, to show how much data has passed in the connection: Upload bytes, Download bytes, and browse time.

To Learn More About Tracking

To learn more about Tracking options, see the R82 Logging and Monitoring Administration
Guide.

Rule Matching in the Access Control Policy


The Security Gateway determines the rule to apply to a connection. This is called matching a connection. Understanding how the Security Gateway matches connections will help you:
- Get better performance from the Rule Base.
- Understand the logs that show a matched connection.

Examples of Rule Matching

These example Rule Bases show how the Security Gateway matches connections.
Note that these Rule Bases intentionally do not follow the best practices for Access Control Rules (see "Best Practices for Access Control Rules" on page 378). This is to make the explanations of rule matching clearer.

Rule Base Matching - Example 1

For this Rule Base:

No | Source | Destination | Services & Applications | Content | Action
1 | InternalZone | Internet | ftp-pasv | Download executable file | Drop
2 | Any | Any | Any | Executable file | Accept
3 | Any | Any | Gambling (Category) | Any | Drop
4 | Any | Any | Any | Any | Accept

This is the matching procedure for an FTP connection:

Part of connection: SYN
Security Gateway action: Run the Rule Base. Look for the first rule that matches:
- Rule 1 - Match.
Inspection result: Final match (drop on rule 1). Shows in the log. The Security Gateway does not turn on the inspection engines for the other rules.

Rule Base Matching - Example 2

For this Rule Base:

No. | Source | Destination | Services & Applications | Content | Action
1 | InternalZone | Internet | Any | Download executable file | Drop
2 | Any | Any | Gambling (category) | Any | Drop
3 | Any | Any | ftp | Any | Drop
4 | Any | Any | Any | Any | Accept

This is the matching procedure when browsing to a file sharing Web site. Follow the rows from top to bottom. Follow each row from left to right:

Part of connection: SYN
Security Gateway action: Run the Rule Base. Look for the first rule that matches:
- Rule 1 - Possible match.
- Rule 2 - Possible match.
- Rule 3 - No match.
- Rule 4 - Match.
Inspection result: Possible match (Continue to inspect the connection).

Part of connection: HTTP Header
Security Gateway action: The Security Gateway turns on inspection engines to examine the data in the connection. In this example turn on the:
- URL Filtering engine - Is it a gambling site?
- Content Awareness engine - Is it an executable file?
Inspection result: Application: File sharing (category). Content: Don't know yet.

Security Gateway action: Optimize the Rule Base matching. Look for the first rule that matches:
- Rule 1 - Possible match.
- Rule 2 - No match.
- Rule 3 - No match.
- Rule 4 - Match.
Inspection result: Possible match (Continue to inspect the connection).

Part of connection: HTTP Body
Security Gateway action: Examine the file.
Inspection result: Data: PDF file.

Security Gateway action: Optimize the Rule Base matching. Look for the first rule that matches:
- Rule 1 - No match.
- Rule 2 - No match.
- Rule 3 - No match.
- Rule 4 - Match.
Inspection result: Final match (accept on rule 4). Shows in the log.

Rule Base Matching - Example 3

For this Rule Base:

No. | Source | Destination | Services & Applications | Content | Action
1 | InternalZone | Internet | Any | Download executable file | Drop
2 | Any | Any | Gambling (Category) | Any | Drop
3 | Any | Any | Any | Any | Accept

This is the matching procedure when downloading an executable file from a business
Web site. Follow the rows from top to bottom. Follow each row from left to right:

Part of connection: SYN
Security Gateway action: Run the Rule Base. Look for the first rule that matches:
- Rule 1 - Possible match.
- Rule 2 - Possible match.
- Rule 3 - Match.
Inspection result: Possible match (Continue to inspect the connection).

Part of connection: HTTP Header
Security Gateway action: The Security Gateway turns on inspection engines to examine the content in the connection. In this example turn on the:
- URL Filtering engine - Is it a gambling site?
- Content Awareness engine - Is it an executable file?
Inspection result: Application: Business (Category). Content: Don't know yet.

Security Gateway action: Optimize the Rule Base matching. Look for the first rule that matches:
- Rule 1 - Possible match.
- Rule 2 - No match.
- Rule 3 - Match.
Inspection result: Possible match (Continue to inspect the connection).

Part of connection: HTTP Body
Security Gateway action: Examine the file.
Inspection result: Content: Executable file.

Security Gateway action: Optimize the Rule Base matching. Look for the first rule that matches:
- Rule 1 - Match.
- Rule 2 - No match.
- Rule 3 - Match.
Inspection result: Final match (drop on rule 1). Shows in the log.

The matching examples show that:

- The Security Gateway sometimes runs the Rule Base more than one time. Each time it runs, the Security Gateway optimizes the matching, to find the first rule that applies to the connection.
- If the rule includes an application, or a site, or a service with a protocol signature (in the Application and Services column), or a Data Type (in the Content column), the Security Gateway:
  - Turns on one or more inspection engines.
  - Postpones making the final match decision until it has inspected the body of the connection.
- The Security Gateway searches for the first rule that applies to (matches) a connection. If the Security Gateway does not have all the information it needs to identify the matching rule, it continues to inspect the traffic.
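The matching procedure walked through in Examples 2 and 3, as an added Python simulation that is not Check Point code: every column of a rule is evaluated as Match, No match or Possible match, the Rule Base is re-run after each inspection stage, and the first rule that is not a No match decides whether the gateway has a final match or must turn on more engines. The connection attributes, the stage at which each becomes known and the engine that reveals it are constructed assumptions of this model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "Any"
MATCH, NO_MATCH, POSSIBLE = True, False, None  # three-state result of one column

@dataclass(frozen=True)
class Rule:
    no: int
    source: str
    destination: str
    service: str    # a service, or an application category "<name> (Category)"
    content: str    # Data Type, or Any
    direction: str  # "Download", "Upload" or Any
    action: str

# Model assumption (constructed): the inspection engine that reveals each
# connection attribute that is not already known from the SYN packet.
ENGINE_OF = {"category": "URL Filtering", "content": "Content Awareness",
             "direction": "Content Awareness"}

def column_result(rule_value: str, conn_value: Optional[str]):
    """Any always matches; an attribute not inspected yet is a possible match."""
    if rule_value == ANY:
        return MATCH
    if conn_value is None:
        return POSSIBLE
    return MATCH if rule_value == conn_value else NO_MATCH

def rule_columns(rule: Rule):
    """(rule value, connection attribute) pairs for every column of the rule."""
    svc_attr = "category" if rule.service.endswith("(Category)") else "service"
    return [(rule.source, "source"), (rule.destination, "destination"),
            (rule.service, svc_attr), (rule.content, "content"),
            (rule.direction, "direction")]

def rule_result(rule: Rule, conn: Dict[str, str]):
    """AND the columns: any No match wins, then any Possible match, else Match."""
    results = [column_result(v, conn.get(attr)) for v, attr in rule_columns(rule)]
    if NO_MATCH in results:
        return NO_MATCH
    return POSSIBLE if POSSIBLE in results else MATCH

def run_rule_base(rules: List[Rule], conn: Dict[str, str]):
    """Return ('final', rule) for the first rule that fully matches, or
    ('possible', rule) when an earlier rule still needs more inspection."""
    for rule in rules:
        result = rule_result(rule, conn)
        if result is MATCH:
            return "final", rule
        if result is POSSIBLE:
            return "possible", rule
    raise ValueError("no rule matched: the Rule Base has no cleanup rule")

def engines_to_enable(rules: List[Rule], conn: Dict[str, str]):
    """Engines the gateway turns on: one per unknown attribute of every rule
    that can still become the final match (all rules up to the first full match)."""
    needed = set()
    for rule in rules:
        result = rule_result(rule, conn)
        if result is MATCH:
            break
        if result is NO_MATCH:
            continue
        for value, attr in rule_columns(rule):
            if value != ANY and conn.get(attr) is None and attr in ENGINE_OF:
                needed.add(ENGINE_OF[attr])
    return needed

def simulate(rules: List[Rule], stages):
    """Feed inspection stages one at a time and re-run the Rule Base after each
    (the 'Optimize the Rule Base matching' rows), stopping at the final match."""
    conn: Dict[str, str] = {}
    trace = []
    for stage, facts in stages:
        conn.update(facts)
        verdict, rule = run_rule_base(rules, conn)
        trace.append((stage, verdict, rule.no, rule.action))
        if verdict == "final":
            break
    return trace

# Rule Bases copied from Examples 2 and 3 on the page.
RULE_1 = Rule(1, "InternalZone", "Internet", ANY, "Executable file", "Download", "Drop")
GAMBLING = Rule(2, ANY, ANY, "Gambling (Category)", ANY, ANY, "Drop")
EXAMPLE_2 = [RULE_1, GAMBLING, Rule(3, ANY, ANY, "ftp", ANY, ANY, "Drop"),
             Rule(4, ANY, ANY, ANY, ANY, ANY, "Accept")]
EXAMPLE_3 = [RULE_1, GAMBLING, Rule(3, ANY, ANY, ANY, ANY, ANY, "Accept")]

# Constructed connection facts, revealed in the order the page's tables use.
SYN = ("SYN", {"source": "InternalZone", "destination": "Internet", "service": "http"})
FILE_SHARING_PDF = [SYN, ("HTTP Header", {"category": "File sharing (Category)"}),
                    ("HTTP Body", {"content": "PDF file", "direction": "Download"})]
BUSINESS_EXE = [SYN, ("HTTP Header", {"category": "Business (Category)"}),
                ("HTTP Body", {"content": "Executable file", "direction": "Download"})]
```

simulate(EXAMPLE_2, FILE_SHARING_PDF) reproduces the three rows of Example 2 (possible, possible, final accept on rule 4), and simulate(EXAMPLE_3, BUSINESS_EXE) ends with the final drop on rule 1 of Example 3.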

Creating a Basic Access Control Policy


A Security Gateway controls access to computers, clients, servers, and applications using a
set of rules that make up an Access Control Rule Base. You need to configure a Rule Base
with secure Access Control and optimized network performance.
A strong Access Control Rule Base:
- Allows only authorized connections and prevents vulnerabilities in a network.
- Gives authorized users access to the correct internal resources.
- Efficiently inspects connections.

Basic Rules

Best Practice - These are basic Access Control rules we recommend for all Rule Bases:
- Stealth rule that prevents direct access to the Security Gateway
- Cleanup rule that drops all traffic that is not matched by the earlier rules in the policy

Use Case - Basic Access Control


This use case shows a Rule Base for a simple Access Control security policy. (The Hits, VPN
and Content columns are not shown.)

No | Name | Source | Destination | Services & Applications | Action | Track | Install On
1 | Admin Access to Security Gateways | Admins (Access Role) | Group of Security Gateways | Any | Accept | Log | Policy Targets
2 | Stealth | Any | Group of Security Gateways | Any | Drop | Alert | Policy Targets
3 | Critical subnet | Internal | Finance, HR, R&D | Any | Accept | Log | CorpGW
4 | Tech support | TechSupport | Remote1-web | HTTP | Accept | Alert | Remote1GW
5 | DNS server | Any | DNS | Domain UDP | Accept | None | Policy Targets
6 | Mail and Web servers | Any | DMZ | HTTP, HTTPS, SMTP | Accept | Log | Policy Targets
7 | SMTP | Mail | NOT Internal net group | SMTP | Accept | Log | Policy Targets
8 | DMZ & Internet | IntGroup | Any | Any | Accept | Log | Policy Targets
9 | Cleanup rule | Any | Any | Any | Drop | Log | Policy Targets

Explanations for rules:

Rule | Explanation
1 | Admin Access to Gateways - SmartConsole administrators are allowed to connect to the Security Gateways.
2 | Stealth - All internal traffic that is NOT from the SmartConsole administrators to one of the Security Gateways is dropped. When a connection matches the Stealth rule, an alert window opens in SmartView Monitor.
3 | Critical subnet - Traffic from the internal network to the specified resources is logged. This rule defines three subnets as critical resources: Finance, HR, and R&D.
4 | Tech support - Allows the Technical Support server to access the Remote-1 web server which is behind the Remote-1 Security Gateway. Only HTTP traffic is allowed. When a packet matches the Tech support rule, the Alert action is done.
5 | DNS server - Allows UDP traffic to the external DNS server. This traffic is not logged.
6 | Mail and Web servers - Allows incoming traffic to the mail and web servers that are located in the DMZ. HTTP, HTTPS, and SMTP traffic is allowed.
7 | SMTP - Allows outgoing SMTP connections to the mail server. Does not allow SMTP connections to the internal network, to protect against a compromised mail server.
8 | DMZ and Internet - Allows traffic from the internal network to the DMZ and Internet.
9 | Cleanup rule - Drops all traffic that does not match one of the earlier rules.

Use Case - Inline Layer for Each Department


This use case shows a basic Access Control Policy with a sub-policy for each department. The
rules for each department are in an Inline Layer. An Inline Layer is independent of the rest of
the Rule Base. You can delegate ownership of different Layers to different administrators.

No   Name                                       Source        Destination                      Services & Applications  Content  Action             Track
1    Critical subnet                            Internal      Finance, HR                      Any                      Any      Accept             Log
2    SMTP                                       Mail          NOT internal network (Group)     smtp                     Any      Accept             Log
3    R&D department                             R&D Roles     Any                              Any                      Any      TechSupport Layer  N/A
3.1  R&D servers                                Any           R&D servers (Group), QA network  Any                      Any      Accept             Log
3.2  R&D source control                         InternalZone  Source control servers (Group)   ssh, http, https         Any      Accept             Log
---  ---                                        ---           ---                              ---                      ---      ---                ---
3.X  Cleanup rule                               Any           Any                              Any                      Any      Drop               Log
4    QA department                              QA network    Any                              Any                      Any      QA Layer           N/A
4.1  Allow access to R&D servers                Any           R&D Servers (Group)              Web Services             Any      Accept             Log
---  ---                                        ---           ---                              ---                      ---      ---                ---
4.Y  Cleanup rule                               Any           Any                              Any                      Any      Drop               Log
5    Allow all users to access employee portal  Any           Employee portal                  Web Services             Any      Accept             None
---  ---                                        ---           ---                              ---                      ---      ---                ---
9    Cleanup rule                               Any           Any                              Any                      Any      Drop               Log

Explanations for rules:

Rules      Explanation
1, 2       General rules for the whole organization.
3          An Inline Layer for the R&D department.
3.1, 3.2,  Rule 3 is the parent rule of the Inline Layer. The Action is the name of the Inline Layer.
---, 3.X   If a packet does not match parent rule 3, matching continues to the next rule outside the Inline Layer (rule 4).
           If a packet matches parent rule 3, matching continues to 3.1, the first rule inside the Inline Layer. If the packet matches this rule, the rule action is applied to the packet. If it does not match rule 3.1, matching continues to the next rule inside the Inline Layer, rule 3.2, and then to the remaining rules in the Inline Layer (--- means one or more rules).
           Once the parent rule matches, the packet is matched only inside the Inline Layer. It never leaves the Inline Layer, because the Inline Layer has an implicit cleanup rule. It is not matched against rules 4, 5, or the other rules in the Ordered Layer.
           Rule 3.X is a cleanup rule. It drops all traffic that does not match one of the earlier rules in the Inline Layer. This is a default explicit rule. You can change or delete it.
           Best Practice - Have an explicit cleanup rule as the last rule in each Inline Layer and Ordered Layer.
4, 4.1,    Another Inline Layer, for the QA department.
---, 4.Y
5          More general rules for the whole organization.
---        One or more rules.
9          Cleanup rule - Drops all traffic that does not match one of the earlier rules in the Ordered Layer. This is a default explicit rule. You can change or delete it.
           Best Practice - Have an explicit cleanup rule as the last rule in each Inline Layer and Ordered Layer.


Default Cell Values


Starting from R81.10:
- The default value for the Source, Destination, and Services & Applications columns in a new rule is "None". In versions R81 and lower, the default value for these columns in a new rule is "Any".
- The default value a cell gets after removing the last object from the cell is "None". The "last object" is the object that remains in the cell after all other objects have been removed. In versions R81 and lower, the value of a cell after its last object is deleted is "Any".

To configure the default values for the Source, Destination, and Services & Applications columns:
1. Go to Manage & Settings > Policy Settings > Rule Base Cell Settings.
2. In Security Access Defaults, select the values for the Source, Destination, and Services & Applications columns.

To configure the value for the Source, Destination, and Services & Applications columns after removing the last object from a cell:
1. Go to Manage & Settings > Policy Settings > Rule Base Cell Settings.
2. In the After removing the last object in a cell section, select one of these options:
   - Add 'None' to the cell - After removing the last object from a cell, the value in the cell becomes "None".
   - Add the object according to the Rule Base cell default - After removing the last object from a cell, the value in the cell becomes the value configured in the Security Access Defaults section.

Note - Right-click a cell to switch between "Any" and "None".


Enforcement of Rules with the Value "None"


On Security Gateways with versions from R80.10 to R81, the policy is installed without rules that contain the value "None" in one or more cells. A rule that is skipped in this way is not enforced on those Security Gateways.

To configure the message which appears when a rule has "None", go to Manage & Settings > Policy Settings > Rule Base Cell Settings > 'None' object behavior.

Upgrading of a Management Server from R81 and Lower Versions

During an upgrade from R81 and lower versions:
- The default value for the Source, Destination, and Services & Applications columns remains "Any".
- The default value after the last object in a cell is removed becomes "None".


Creating Application Control and URL Filtering Rules

Create and manage the Policy for Application Control and URL Filtering in the Access Control
Policy, in the Access Control view of SmartConsole. Application Control and URL Filtering
rules define which users can use specified applications and sites from within your organization
and what application and site usage is recorded in the logs.
To learn which applications and categories have a high risk, look through the Application Wiki
in the Access Tools part of the Security Policies view. Find ideas for applications and
categories to include in your Policy.

To see an overview of your Access Control Policy and traffic, see the Access Control view in
Logs & Events > New Tab > Views.

Best Practice - Do not use Application Control and URL Filtering in the same rule,
this may lead to wrong rule matching. Use Application Control and URL Filtering in
separate rules. This makes sure that the URL Filtering rule is used as soon as the
category is identified. For more information, see sk174045.

If your Security Gateways / Cluster Members are not connected to the Internet directly, they use the Management Server as a proxy server to update the Application Control package and URL Filtering package. The feature is enabled by default.
- To disable the feature, run in the Expert mode on the Security Gateway / each Cluster Member:
  cpprod_util FwSetParam CP_BLADE_UPDATE_PROXY_MGMT_DISABLE 1
- To enable the feature again, run in the Expert mode on the Security Gateway / each Cluster Member:
  cpprod_util FwSetParam CP_BLADE_UPDATE_PROXY_MGMT_DISABLE 0

Monitoring Applications

Scenario: I want to monitor all Facebook traffic in my organization. How can I do this?

To monitor all Facebook application traffic:


1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Select a Layer with Applications and URL Filtering enabled.


3. Click one of the Add rule toolbar buttons to add the rule in the position that you choose in the Rule Base. The first rule matched is applied.
4. Create a rule that includes these components:
   - Name - Give the rule a name, such as Monitor Facebook.
   - Source - Keep it as Any so that it applies to all traffic from the organization.
   - Destination - Keep it as Internet so that it applies to all traffic going to the Internet or DMZ.
   - Services & Applications - Click the plus sign to open the Application viewer. Add the Facebook application to the rule:
     a. Start to type "face" in the Search field. In the Available list, see the Facebook application.
     b. Click each item to see more details in the description pane.
     c. Select the items to add to the rule.
     Note - Applications are matched by default on their Recommended services. You can change this (see "Configuring Matching for an Allowed Application" on page 333). Each service runs on a specific port. The recommended Web Browsing Services are http, https, HTTP_proxy, and HTTPS_proxy.
   - Action - Select Accept
   - Track - Select Log
   - Install On - Keep it as Policy Targets to install the rule on all Security Gateways that are targets of the policy, or choose specific Security Gateways on which to install the rule

The rule allows all Facebook traffic but logs it. You can see the logs in the Logs & Events
view, in the Logs tab. To monitor how people use Facebook in your organization, see the
Access Control view (SmartEvent Server required).

Blocking Applications and Informing Users

Scenario: I want to block pornographic sites in my organization, and tell the user about the
violation. How can I do this?

To block an application or category of applications and tell the user about the policy
violation:
1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Choose a Layer with Applications and URL Filtering enabled.
3. Create a rule that includes these components:


   - Services & Applications - Select the Pornography category.
   - Action - Drop, and a UserCheck Blocked Message - Access Control. The message informs users that their actions are against company policy and can include a link to report if the website is included in an incorrect category.
   - Track - Log

   Note - This Rule Base example contains only those columns that are applicable to this subject.

Name        Source  Destination  Services & Applications  Action                 Track  Install On
Block Porn  Any     Internet     Pornography (category)   Drop, Blocked Message  Log    Policy Targets

The rule blocks traffic to pornographic sites and logs attempts to access those sites. Users
who violate the rule receive a UserCheck message that informs them that the application is
blocked according to company security policy. The message can include a link to report if
the website is included in an incorrect category.

Important - A rule that blocks traffic, with the Source and Destination parameters
defined as Any, also blocks traffic to and from the Captive Portal.

Limiting Application Traffic

Scenario: I want to limit my employees' access to streaming media so that it does not impede business tasks.
If you do not want to block an application or category, there are different ways to set limits for employee access:
- Add a Limit object to a rule to limit the bandwidth that is permitted for the rule.
- Add one or more Time objects to a rule to make it active only during specified times.
The example rule below:
- Allows access to streaming media during non-peak business hours only.
- Limits the upload throughput for streaming media in the company to 1 Gbps.


To create a rule that allows streaming media with time and bandwidth limits:
1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Choose a Layer with Applications and URL Filtering enabled.
3. Click one of the Add Rule toolbar buttons to add the rule in the position that you choose in the Rule Base.
4. Create a rule that includes these components:
   - Services & Applications - Media Streams category.
     Note - Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web browsing Services: http, https, HTTP_proxy, HTTPS_proxy and quic. To change this, see "Services & Applications Column" on page 332.
   - Action - Click More and select Action: Accept, and a Limit object.
   - Time - Add a Time object that specifies the hours or time period in which the rule is active.
     Note - The Time column is not shown by default in the Rule Base table. To see it, right-click on the table header and select Time.

Name                   Source  Destination  Services & Applications   Action                Track  Install On  Time
Limit Streaming Media  Any     Internet     Media Streams (Category)  Accept, Upload_1Gbps  Log    All         Off-Work


Best Practice - The Application Control Limit option enforces bandwidth restrictions by dropping packets when the configured threshold is reached. This mechanism implements a hard limit and does not perform traffic shaping. Traffic types that are sensitive to packet loss, such as TCP-based bulk transfers, may react negatively to packet drops. When packets are dropped, TCP retransmission and congestion control mechanisms are triggered, which can lead to:
- Reduced throughput
- Unstable transfer rates
- Possible application-level failures
To avoid throughput degradation and connection instability, do not use the Limit option for traffic that is sensitive to packet loss. If bandwidth control is required for such traffic, use a mechanism that performs traffic shaping instead of packet dropping, such as QoS.

Important:
- In ClusterXL Load Sharing modes, the specified bandwidth limit is divided between all configured Cluster Members, regardless of the cluster state. For example, if the maximum limit requirement is 30 Gbps, and there are three Cluster Members, you must configure the Limit object in the rule to 30 Gbps / 3 = 10 Gbps.
- In a Scalable Platform Security Group, the specified bandwidth limit is divided between all Security Group Members, regardless of their state. For example, if the maximum limit requirement is 30 Gbps, and there are three Security Group Members, you must configure the Limit object in the rule to 30 Gbps / 3 = 10 Gbps.

Using Identity Awareness Features in Rules

Scenario: I want to allow a Remote Access application for a specified group of users and
block the same application for other users. I also want to block other Remote Access
applications for everyone. How can I do this?
If you enable Identity Awareness on a Security Gateway, you can use it together with
Application Control to make rules that apply to an access role. Use access role objects to
define users, machines, and network locations as one object.
In this example:
- You have already created an Access Role Identified_Users that represents all identified users in the organization. You can use this to allow access to applications only for users who are identified on the Security Gateway.
- You want to allow access to the Radmin Remote Access tool for all identified users.
- You want to block all other Remote Access tools for everyone within your organization. You also want to block any other application that can establish remote connections or remote control.

To do this, add two new rules to the Rule Base:

1. Create a rule and include these components:
   - Source - The Identified_Users access role
   - Destination - Internet
   - Services & Applications - Radmin
   - Action - Accept
2. Create another rule below and include these components:
   - Source - Any
   - Destination - Internet
   - Services & Applications - The category: Remote Administration
   - Action - Block

Name                              Source            Destination  Services & Applications  Action  Track  Install On
Allow Radmin to Identified Users  Identified_Users  Internet     Radmin                   Allow   Log    All
Block other Remote Admins         Any               Internet     Remote Administration    Block   Log    All

Notes on these rules:
- Because the rule that allows Radmin is above the rule that blocks other Remote Administration tools, it is matched first.
- The Source of the first rule is the Identified_Users access role. If you use an access role that represents the Technical Support department, then only users from the technical support department are allowed to use Radmin.
- Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web browsing services: http, https, HTTP_proxy, HTTPS_proxy, and quic. To change this, see Changing Services for Applications and Categories.


For more about Access Roles and Identity Awareness, see the R82 Identity Awareness
Administration Guide.

Blocking Sites

Scenario: I want to block sites that are associated with categories that can cause liability
issues. Most of these categories exist in the Application Database but there is also a custom
defined site that must be included. How can I do this?
You can do this by creating a custom group and adding all applicable categories and the
site to it. If you enable Identity Awareness on a Security Gateway, you can use it together
with URL Filtering to make rules that apply to an access role. Use access role objects to
define users, machines, and network locations as one object.
In this example:
- You have already created:
  - An Access Role that represents all identified users in the organization (Identified_Users).
  - A custom application for a site named FreeMovies.
- You want to block sites that can cause liability issues for everyone within your organization.
- You will create a custom group that includes Application Database categories as well as the previously defined custom site named FreeMovies.

To create a custom group:

1. In the Object Explorer, click New > More > Custom Application/Site > Application/Site Group.
2. Give the group a name. For example, Liability_Sites.
3. Click + to add the group members:
   - Search for and add the custom application FreeMovies.
   - Select Categories, and add the ones you want to block (for example Anonymizer, Critical Risk, and Gambling).
   - Click Close.
4. Click OK.
You can now use the Liability_Sites group in the Access Control Rule Base.

In the Security Policies view of SmartConsole, go to the Access Control Policy and add a rule similar to this:

   - Source - The Identified_Users access role
   - Destination - Internet
   - Services & Applications - Liability_Sites
   - Action - Drop

   Note - Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web Browsing Services: http, https, HTTP_proxy, and HTTPS_proxy. To change this, see Changing Services for Applications and Categories.

Name                                    Source            Destination  Services & Applications  Action  Track
Block sites that may cause a liability  Identified_Users  Internet     Liability_Sites          Drop    Log

Blocking URL Categories


Scenario: I want to block pornographic sites. How can I do this?
You can do this by creating a rule that blocks all sites with pornographic material with the
Pornography category. If you enable Identity Awareness on a Security Gateway, you can use it
together with URL Filtering to make rules that apply to an access role. Use access role objects
to define users, machines, and network locations as one object.
In this example:
- You have already created an Access Role (Identified_Users) that represents all identified users in the organization.
- You want to block sites related to pornography.
The procedure is similar to "Blocking Applications and Informing Users" on page 354.

Using Dynamic URL Lists for Application Control and URL Filtering
Starting from R82 Jumbo Hotfix Accumulator Take 41, you can create a Dynamic URL List for
Application Control and URL Filtering. The Dynamic URL List allows automatic update of the
URL list based on a feed file, without requiring a policy installation for each URL change.
Policy installation is only needed when modifying the configuration of the URL list itself (such
as adding a new Dynamic URL List object or changing feed location). This feature provides
greater flexibility and efficiency when managing allow lists and block lists.


To configure a Dynamic URL List

1. Create a file with the list of URLs
   Prepare a plain-text file named [Link], which contains the required URLs.

   Notes:
   - Enter each URL entry on a new line.
   - You can configure URLs using Regular Expressions.
     Example: To match [Link] and its sub-domains (such as [Link]), you can configure the URL in one of these ways:
       \/example\.com
       \.example\.com
       \/example\.com|\.example\.com
     For more examples on defining URLs as Regular Expressions, see sk165094.
   - Lines beginning with the # character are considered comments and are ignored.

2. Optional: Create a Version file
   Create a plain-text file named Version in the same directory as the [Link] file. The file must contain the timestamp of the last update of the [Link] file. The timestamp must be in Unix Epoch format.

3. Create the dynamic configuration file for the URLs
   Create a plain-text file named dynamic_urls_lists.C (this name is mandatory and case-sensitive) in the format of the example below.

   This example contains two URL lists and uses HTTP authentication for the Urls2 list:

   (
       :dynamic_urls_lists (
           : (
               :name (Urls1)   # Must be the same as the name of the Custom Application/Site object in SmartConsole
               :path ([Link])  # Must be the same as configured in the file "[Link]" and in the Custom Application/Site object
               :regex (false)
           )
           : (
               :name (Urls2)   # Must match the name of the Custom Application/Site object in SmartConsole
               :path ([Link])  # Must be the same as configured in the file "[Link]" and in the Custom Application/Site object
               :username (user123)
               :password (7f737d777d1c)  # Obfuscated password
               :regex (true)
           )
       )
       :update_interval (300)  # Update interval in seconds
   )

   Notes:
   - Strings that appear after the # character are considered comments and are ignored.
   - In the :name field, enter the application name. This name must match the name of the Custom Application/Site object you created in SmartConsole.
   - In the :path field, enter the applicable URL exactly as you configured it in the [Link] file.
     To specify the URL using a Regular Expression:
       - In the file [Link], enter the URL using a Regular Expression.
       - In the :path field, enter the URL using a Regular Expression.
       - In the :regex field, configure the value true.
     Example: To match [Link] and its sub-domains (such as [Link]), configure the URL in one of these ways:
       \/example\.com
       \.example\.com
       \/example\.com|\.example\.com
     For more examples on defining URLs as Regular Expressions, see sk165094.
   - If HTTP authentication is required (HTTP Basic authentication, RFC 7617):
       - In the :username field, enter the username.
       - In the :password field, enter the password.
         Important - Obfuscate the password using this Expert mode command:
         obfuscate_password <Password String>
         Obfuscation is reversible (the Security Gateway must recover the password to send it), so it does not replace restricting access to the file itself.
       - If authentication is used, it applies to both the [Link] and Version files.

4. In SmartConsole, create a Custom Application/Site object for each URL list
   a. In SmartConsole, go to the Object Explorer, click New > More > Custom Application/Site > Application/Site.
      The New Application/Site window opens.
   b. Enter the list name.
   c. In General > General > Primary Category, select Custom_Application_Site.
   d. In General > Match By > URL List, click the + sign.
   e. Enter the path to the list. In this example: [Link]
   f. If relevant, select URLs are defined as Regular Expressions.
   g. Click OK.
   h. Repeat these steps for each URL list.
5. Deploy the configuration to the Security Gateway:
   a. Copy the dynamic_urls_lists.C file to the Security Gateway / each Cluster Member / Scalable Platform Security Group, to this directory:
      $FWDIR/appi/update/
      Important - In the VSNext / VSX mode, you must copy the dynamic_urls_lists.C file to the $FWDIR/appi/update/ directory in the context of the specific Virtual Gateway / Virtual System:
        i. Connect to the command line on the VSNext Security Group / VSX Gateway / VSX Cluster.
        ii. Log in to the Expert mode.
        iii. Go to the context of the specific Virtual Gateway / Virtual System. Run:
             vsenv <VSID>
        iv. Go to the directory. Run:
             cd $FWDIR/appi/update/
        v. Get the absolute path. Run:
             pwd
   b. On a Scalable Platform Security Group, copy the file to each Security Group Member. Run:
      asg_cp2blades $FWDIR/appi/update/dynamic_urls_lists.C
      Important - In the VSNext / VSX mode, you must copy the file $FWDIR/appi/update/dynamic_urls_lists.C to the context of the specific Virtual Gateway / Virtual System. Instead of the $FWDIR path, use the absolute path from step a.
   c. In SmartConsole, install the Access Control policy on the Security Gateway / Security Cluster / Virtual Gateway / Virtual System object.
6. Make sure that the URL list is accessible from the Security Gateway.

Notes:
- After each change in the dynamic_urls_lists.C file, you must install the Access Control policy. Changes in the file with URLs ([Link]) do not require policy installation.
- If an invalid URL format is detected, or if the URL list cannot be downloaded, the Security Gateway generates a log and the URLs are not updated.
- There is no validation in SmartConsole.
- To manually force an update, delete these files on the Security Gateway / Cluster Member / Security Group:
  $FWDIR/appi/update/URL_List_Version
  $FWDIR/appi/update/URL_List_next_update
  Important - In the VSNext / VSX mode, you must delete these files in the context of the specific Virtual Gateway / Virtual System.
- To check the update status, examine this file:
  $FWDIR/appi/update/URL_List_status.C
  Important - In the VSNext / VSX mode, examine this file in the context of the specific Virtual Gateway / Virtual System.

Best Practices:
- Avoid overly complex Regular Expressions or unnecessary wildcards, because they increase the CPU utilization on the Security Gateway.
- Maintain the Version file so that the Security Gateway downloads the list only when it has actually changed.
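The following is an added example, not Check Point code and not part of this guide: a small Python helper that prepares the three files described in the procedure above (the URL list, the Version file and dynamic_urls_lists.C) and checks the Regular Expression entries offline before they reach the Security Gateway, since SmartConsole does no validation and a bad entry stops the whole update. It assumes that the gateway applies each regex entry as an unanchored search over the full URL string (sk165094 gives the exact semantics); the list contents, list names, feed URLs and the obfuscated password value are constructed samples.

```python
"""Added example (not Check Point code): prepares the files for a Dynamic URL
List as described above, and checks the Regular Expression entries offline.

Assumptions (not from the guide): the gateway applies each regex entry as an
unanchored search over the full URL string (see sk165094 for the exact
semantics); the list contents, list names, feed URLs and the obfuscated
password value below are constructed samples.
"""
import re
import time
from typing import Dict, List, Optional


def parse_url_list(text: str, regex: bool) -> List[str]:
    """Return the active entries of a URL list file: one entry per line, with
    blank lines and lines beginning with '#' ignored. With regex=True every
    entry must compile, because one invalid entry means no URLs are updated."""
    entries: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if regex:
            try:
                re.compile(line)
            except re.error as exc:
                raise ValueError(f"line {lineno}: bad regular expression {line!r}: {exc}")
        entries.append(line)
    return entries


def regex_hits(entries: List[str], url: str) -> List[str]:
    """Entries that match a URL (unanchored search; see the assumption above)."""
    return [e for e in entries if re.search(e, url)]


def version_file(epoch: Optional[int] = None) -> str:
    """Content of the optional Version file: Unix epoch of the last list change."""
    return f"{int(time.time()) if epoch is None else int(epoch)}\n"


def render_config(lists: List[Dict[str, object]], update_interval: int = 300) -> str:
    """Render dynamic_urls_lists.C (the name is mandatory and case-sensitive).
    Each dict carries: name (must equal the Custom Application/Site object
    name), path (must equal the URL List path in that object), regex (bool),
    and optionally username/password, where password is the output of the
    Expert-mode command `obfuscate_password <Password String>`."""
    out = ["(", "\t:dynamic_urls_lists ("]
    for item in lists:
        out += ["\t\t: (",
                f"\t\t\t:name ({item['name']})",
                f"\t\t\t:path ({item['path']})"]
        if "username" in item:
            out += [f"\t\t\t:username ({item['username']})",
                    f"\t\t\t:password ({item['password']})"]
        out += [f"\t\t\t:regex ({'true' if item['regex'] else 'false'})", "\t\t)"]
    out += ["\t)", f"\t:update_interval ({update_interval})", ")"]
    return "\n".join(out) + "\n"


# Constructed sample list: the guide's regex form for example.com plus one more.
SAMPLE_LIST = r"""# blocked sites (constructed sample)
\/example\.com|\.example\.com
\.bad-site\.example
"""

if __name__ == "__main__":
    entries = parse_url_list(SAMPLE_LIST, regex=True)
    for url in ("https://example.com/login", "https://www.example.com/",
                "https://notexample.com/", "https://www.bad-site.example/x"):
        print(f"{url:38} -> {regex_hits(entries, url)}")
    print(version_file(), end="")
    print(render_config([
        {"name": "Urls1", "path": "https://feeds.example.net/urls1.txt", "regex": False},
        {"name": "Urls2", "path": "https://feeds.example.net/urls2.txt", "regex": True,
         "username": "user123", "password": "7f737d777d1c"},  # obfuscated sample value
    ]))
```

Publish the list and Version files on the web server the Security Gateway fetches from, copy the rendered dynamic_urls_lists.C to $FWDIR/appi/update/ as in step 5, and install the Access Control policy; afterwards only the list file needs to change, and a new Version timestamp tells the gateway to fetch it.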


Ordered Layers and Inline Layers


A policy is a set of rules that the Security Gateway enforces on incoming and outgoing traffic.
There are different policies for Access Control and for Threat Prevention.
You can organize the Access Control rules in more manageable subsets of rules using
Ordered Layers and Inline Layers.

The Need for Ordered Layers and Inline Layers


Ordered Layers and Inline Layers help you manage your cyber security more efficiently. You can:
- Simplify the Rule Base, or organize parts of it for specific purposes.
- Organize the Policy into a hierarchy, using Inline Layers, rather than having a flat Rule Base. An Inline Layer is a sub-policy which is independent of the rest of the Rule Base.
- Reuse Ordered Layers in multiple Policy packages, and reuse Inline Layers in multiple Layers.
- Simplify the management of the Policy by delegating ownership of different Layers to different administrators.
- Improve performance by reducing the number of rules in a Layer.

Order of Rule Enforcement in Inline Layers


The Ordered Layer can contain Inline Layers.
This is an example of an Inline Layer:

No.  Source       Destination  VPN  Services     Action
2    Lab_network  Any          Any  Any          Lab_rules
2.1  Any          Any          Any  https, http  Allow
2.2  Any          Any          Any  Any          Drop

The Inline Layer has a parent rule (Rule 2 in the example), and sub rules (Rules 2.1 and 2.2). The Action of the parent rule is the name of the Inline Layer.


If the packet does not match the parent rule of the Inline Layer, the matching continues to the next rule of the Ordered Layer (Rule 3).
If a packet matches the parent rule of the Inline Layer (Rule 2), the Security Gateway checks it against the sub rules only:
- If the packet matches a sub rule in the Inline Layer (Rule 2.1), the Action of that sub rule is applied and no more rule matching is done in this Layer.
- If none of the sub rules in the Inline Layer match the packet, the explicit Cleanup Rule of the Inline Layer is applied (Rule 2.2). If this rule is missing, the Implicit Cleanup Rule of the Inline Layer is applied (see "Types of Rules in the Rule Base" on page 373). The packet never falls through to the later rules of the Ordered Layer (Rule 3 and below). No more rule matching is done in this Layer.

Important:
- Always add an explicit Cleanup Rule at the end of each Inline Layer, and make sure that its Action is the same as the Action of the Implicit Cleanup Rule.
- For Security Gateways R80.10 and lower, the second layer behaves like an Application Control policy.

Order of Rule Enforcement in Ordered Layers


When a packet arrives at the Security Gateway, the Security Gateway checks it against the rules in the first Ordered Layer, sequentially from top to bottom, and enforces the first rule that matches the packet.
If the Action of the matching rule is Drop, the Security Gateway stops matching against later rules in the Policy Rule Base and drops the packet. If the Action is Accept, the Security Gateway continues to check the rules in the next Ordered Layer. A packet is therefore allowed only if it is accepted in every Ordered Layer.

[Figure: a packet is checked against Ordered Layer 1, then Ordered Layer 2, then Ordered Layer 3, in sequence]

If none of the rules in the Ordered Layer match the packet, the explicit Default Cleanup Rule
is applied. If this rule is missing, the Implicit Cleanup Rule is applied (see "Types of Rules in
the Rule Base" on page 373).
Every Ordered Layer has its own implicit cleanup rule. You can configure the rule to Accept or
Drop in the Layer settings (see "Configuring the Implicit Cleanup Rule" on page 375).

Important - Always add an explicit Cleanup Rule at the end of each Ordered Layer,
and make sure that its Action is the same as the Action of the Implicit Cleanup Rule.
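To make the matching order concrete, here is an added example that is not Check Point code and not the Security Gateway's actual matching engine: a small Python simulator of the behaviour described in "Order of Rule Enforcement in Inline Layers", "Order of Rule Enforcement in Ordered Layers" and the "Inline Layer for Each Department" use case above. The Lab_network parent rule and its Lab_rules sub rules 2.1 and 2.2 mirror the table above; the IP ranges, the Stealth rule, the second Ordered Layer and its implicit-cleanup Action are assumptions constructed for the demonstration. It also shows what happens when the explicit Cleanup Rule of the Inline Layer is missing and the Implicit Cleanup Rule decides instead.

```python
"""Added example (not Check Point code): simulates how an Access Control policy
with Ordered Layers and Inline Layers matches a connection.

Assumptions (constructed for the demonstration, not taken from the guide):
- Lab_network is 192.0.2.0/24, the internal network is 10.0.0.0/8 and the
  Security Gateway itself is 10.0.0.1 (target of the Stealth rule).
- The second Ordered Layer ("Application") has an implicit cleanup of Accept.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union

ANY = "Any"


def _ip_matches(pattern: str, addr: str) -> bool:
    return pattern == ANY or ip_address(addr) in ip_network(pattern)


def _service_matches(pattern: Union[str, List[str]], service: str) -> bool:
    if pattern == ANY:
        return True
    return service in pattern if isinstance(pattern, list) else service == pattern


@dataclass
class Rule:
    no: str
    source: str
    destination: str
    service: Union[str, List[str]]
    action: Union[str, Layer]       # "Accept", "Drop", or an Inline Layer


@dataclass
class Layer:
    name: str
    rules: List[Rule]
    implicit_cleanup: str = "Drop"  # configured in the Layer Editor (Advanced)


@dataclass
class Connection:
    src: str
    dst: str
    service: str


def match_layer(layer: Layer, conn: Connection, trace: List[str]) -> str:
    """First-match evaluation of one Layer; returns "Accept" or "Drop"."""
    for rule in layer.rules:
        if (_ip_matches(rule.source, conn.src)
                and _ip_matches(rule.destination, conn.dst)
                and _service_matches(rule.service, conn.service)):
            trace.append(f"{layer.name}:{rule.no}")
            if isinstance(rule.action, Layer):
                # Parent rule matched: from here on the packet is matched only
                # inside the Inline Layer and never returns to this Layer's rules.
                return match_layer(rule.action, conn, trace)
            return rule.action
    # No explicit rule matched: the Layer's Implicit Cleanup Rule decides.
    trace.append(f"{layer.name}:implicit-cleanup")
    return layer.implicit_cleanup


def enforce(policy: List[Layer], conn: Connection) -> Tuple[str, List[str]]:
    """Ordered Layers are checked top to bottom. A Drop in any Layer ends
    matching; an Accept hands the packet to the next Ordered Layer, so the
    packet is allowed only if every Ordered Layer accepts it."""
    trace: List[str] = []
    for layer in policy:
        if match_layer(layer, conn, trace) == "Drop":
            return "Drop", trace
    return "Accept", trace


def build_policy(explicit_inline_cleanup: bool = True) -> List[Layer]:
    lab_rules = [Rule("2.1", ANY, ANY, ["https", "http"], "Accept")]
    if explicit_inline_cleanup:
        lab_rules.append(Rule("2.2", ANY, ANY, ANY, "Drop"))
    network = Layer("Network", [
        Rule("1", ANY, "10.0.0.1/32", ANY, "Drop"),                        # Stealth
        Rule("2", "192.0.2.0/24", ANY, ANY, Layer("Lab_rules", lab_rules)),  # parent rule
        Rule("3", "10.0.0.0/8", ANY, ANY, "Accept"),                       # internal outbound
        Rule("4", ANY, ANY, ANY, "Drop"),                                  # explicit cleanup
    ])
    application = Layer("Application", [
        Rule("1", ANY, ANY, "ssh", "Drop"),
    ], implicit_cleanup="Accept")
    return [network, application]


if __name__ == "__main__":
    policy = build_policy()
    for c in (Connection("192.0.2.10", "198.51.100.5", "https"),
              Connection("192.0.2.10", "198.51.100.5", "ssh"),
              Connection("10.1.1.5", "198.51.100.5", "ssh")):
        verdict, path = enforce(policy, c)
        print(f"{c.src} -> {c.dst} {c.service}: {verdict} via {' > '.join(path)}")
```

The trace returned with each verdict is the point of the example: a lab host sending ssh is dropped by sub rule 2.2 and never reaches rule 3, even though rule 3 would have accepted it, while an internal host's ssh is accepted by the Network Layer and then dropped by the Application Layer. Running `build_policy(explicit_inline_cleanup=False)` shows the same lab ssh connection being decided by the Inline Layer's implicit cleanup, which is why the guide asks for an explicit Cleanup Rule whose Action equals the implicit one.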

Creating an Inline Layer


An Inline Layer is a sub-policy, which is independent of the rest of the Rule Base.
The workflow for making an Inline Layer is:
1. Create a parent rule for the Inline Layer. Make a rule that has one or more properties that
are the same for all the rules in the Inline Layer. For example, rules that have the same
source, or service, or group of users.
2. Create sub-rules for the Inline Layer. These are rules that define in more detail what to
do if the Security Gateway matches a connection to the parent rule. For example, each
sub-rule can apply to specified hosts, or users, or services, or Data Types.
To create an Inline Layer

1. Add a rule to the Ordered Layer. This is the parent rule.

2. In the Source, Destination, VPN, and Services & Applications cells, define the
match conditions for the Inline Layer.
3. Click the Action cell of the rule. Instead of selecting a standard action, select Inline
Layer > New Layer.
4. The Layer Editor window opens.
5. Configure the properties of the Inline Layer:


a. Enable one or more of these Blades for the rules of the Inline Layer:
   - Firewall
   - Application & URL Filtering
   - Content Awareness
   - Mobile Access
b. Optional: It is a best practice to share Layers with other Policy packages when
possible. To enable this, select Multiple policies can use this layer.
c. Click Advanced.
d. Configure the Implicit Cleanup Rule to Drop or Accept (see "Types of Rules in
the Rule Base" on page 373).
e. Click OK.
The name of the Inline Layer shows in the Action cell of the rule.
6. Under the parent rule of the Inline Layer, add sub-rules.
7. Make sure there is an explicit cleanup rule as the last rule of the Inline Layer (see
"Types of Rules in the Rule Base" on page 373).

Note - A Remote Access VPN community object is not supported in the parent rule
of an Inline Layer if the action is "Inline Layer".
To resolve this issue: Use "*Any" in the parent rule instead of the Remote Access
VPN community object. You can use the Remote Access VPN community object in
the rules in the inline layer.

Creating an Ordered Layer


To create an Ordered Layer

1. In SmartConsole, click Menu > Manage Policies and Layers.


2. In the left pane, click Layers.
You will see a list of the Layers. You can select Show only shared Layers.
3. Click the New icon in the upper toolbar.
4. Configure the settings in the Layer Editor window.
5. Optional: It is a best practice to share Layers with other Policy packages when
possible. To enable this select Multiple policies can use this layer.
6. Click OK.
7. Click Close.


8. Publish the SmartConsole session.


This Ordered Layer is not yet assigned to a Policy Package.

To add an Ordered Layer to the Access Control Policy

1. In SmartConsole, click Security Policies.


2. Right-click a Layer in the Access Control Policy section and select Edit Policy.
The Policy window opens.
3. In the Access Control section, click the plus sign.
You will see a list of the Layers that you can add. These are Layers that have Multiple
policies can use this layer enabled.

4. Select the Layer.


5. Click OK.
6. Publish the SmartConsole session.

Enabling Access Control Features


Before creating the Access Control Policy, you must enable the Access Control features that
you will use in the Policy.
Enable the features on the:
- Security Gateways, on which you will install the Policy.
- Ordered Layers and Inline Layers of the Policy. Here you can enable:
  - Firewall. This includes VPN (see "VPN Column" on page 331).
  - Application & URL Filtering (see "Services & Applications Column" on page 332).
  - Content Awareness (see "Content Column" on page 336).
  - Mobile Access (see "Mobile Access to the Network" on page 501).
Enabling Access Control Features on a Security Gateway

1. In SmartConsole, from the left navigation panel, click Gateways & Servers and
double-click the Security Gateway object.
The General Properties window of the Security Gateway opens.
2. From the navigation tree, click General Properties.
3. In the Network Security tab, select one or more of these Access Control features:

- IPsec VPN
- Mobile Access
- Application Control
- URL Filtering
- Content Awareness
- Identity Awareness
4. Click OK.

Enabling Access Control Features on a Layer

To enable the Access Control features on an Ordered Layer:


1. In SmartConsole, click Security Policies.
2. Under Access Control, right-click Policy and select Edit Policy.

3. Click options for the Layer.

4. Click Edit Layer.


The Layer Editor window opens and shows the General view.
5. Enable the Blades that you will use in the Ordered Layer:
   - Firewall
   - Application & URL Filtering
   - Content Awareness
   - Mobile Access
6. Click OK.

To enable the Access Control features on an Inline Layer

1. In SmartConsole, click Security Policies.


2. Select the Ordered Layer.
3. In the parent rule of the Inline Layer, right-click the Action column, and select Inline
Layer > Edit Layer.
4. Enable the Blades that you will use in the Inline Layer:
   - Firewall
   - Application & URL Filtering
   - Content Awareness
   - Mobile Access

Note - Do not enable a Blade that is not enabled in the Ordered Layer.

5. Click OK.

Types of Rules in the Rule Base


There are three types of rules in the Rule Base: explicit, implied, and implicit.

Explicit rules

The rules that the administrator configures explicitly, to allow or to block traffic based on
specified criteria.

Important - The default Cleanup rule is an explicit rule that is added by default to
every new layer. You can change or delete the default Cleanup rule. We recommend
that you have an explicit Cleanup rule as the last rule in each layer.

Implied rules
The default rules that are available as part of the Global properties configuration and cannot
be edited. You can only select the implied rules and configure their position in the Rule Base:
- First - Applied first, before all other rules in the Rule Base, explicit or implied
- Last - Applied last, after all other rules in the Rule Base, explicit or implied, but before the Implicit Cleanup Rule
- Before Last - Applied before the last explicit rule in the Rule Base

Implied rules are configured to allow connections for different services that the Security
Gateway uses. For example, the Accept Control Connections rules allow packets that control
these services:
- Installation of the security policy on a Security Gateway
- Sending logs from a Security Gateway to the Security Management Server
- Connecting to third party application servers, such as RADIUS and TACACS authentication servers

Implicit cleanup rule


The default "catch-all" rule for the Layer that deals with traffic that does not match any explicit
or implied rules in the Layer. It is made automatically when you create a Layer.
Implicit cleanup rules do not show in the Rule Base.


The default implicit cleanup rule action is Drop. This is because most Policies have Allow List
rules (the Accept action). If the Layer has Blacklist rules (the Drop action), you can change the
action of the implicit cleanup rule to Accept in the Layer Editor.

Order in which the Security Gateway applies the rules


1. First Implied Rule - No explicit rules can be placed before it.
2. Explicit Rules - These are the rules that you create.
3. Before Last Implied Rules - Applied before the last explicit rule.
4. Last Explicit Rule - We recommend that you use a Cleanup rule as the last explicit rule.

Note - If you use the Cleanup rule as the last explicit rule, the Last Implied Rule
and the Implicit Cleanup Rule are not enforced.

5. Last Implied Rule - Remember that although this rule is applied after all other explicit
and implied rules, the Implicit Cleanup Rule is still applied last.
6. Implicit Cleanup Rule - The default rule that is applied if none of the rules in the Layer
match.
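
To make the positions above concrete, here is an added Python model (an illustration for this guide, not Check Point code). The implied rules, their positions, and the packet fields are constructed, and matching is simplified to exact values or Any. The model assembles the effective order of one Layer and shows the Note above in action: when a catch-all explicit Cleanup rule is the last explicit rule, the Last Implied Rule and the Implicit Cleanup Rule are never reached.

```python
# Model of the order in which one Access Control Layer's rules are applied:
# First implied rules, explicit rules, Before Last implied rules (just before
# the last explicit rule), the last explicit rule, Last implied rules, and the
# Implicit Cleanup Rule. Added illustration, not Check Point code; the rule
# fields and the sample implied rules are constructed.
from dataclasses import dataclass
from typing import Optional

ANY = "Any"


@dataclass
class Rule:
    name: str
    src: str = ANY
    dst: str = ANY
    service: str = ANY
    action: str = "Accept"
    # None for an explicit rule; "First", "Before Last" or "Last" for an
    # implied rule (the position selected in the Implied Policy window)
    implied: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        return all(getattr(self, f) in (ANY, pkt[f]) for f in ("src", "dst", "service"))

    def is_catch_all(self) -> bool:
        return (self.src, self.dst, self.service) == (ANY, ANY, ANY)


def effective_order(explicit, implied, implicit_cleanup="Drop"):
    """Build the sequence the Security Gateway walks through for one Layer."""
    first = [r for r in implied if r.implied == "First"]
    before_last = [r for r in implied if r.implied == "Before Last"]
    last = [r for r in implied if r.implied == "Last"]
    cleanup = Rule("Implicit Cleanup Rule", action=implicit_cleanup)
    if not explicit:
        return first + before_last + last + [cleanup]
    return first + explicit[:-1] + before_last + [explicit[-1]] + last + [cleanup]


def evaluate(order, pkt):
    """Return the name and action of the first rule that matches the packet."""
    for rule in order:
        if rule.matches(pkt):
            return rule.name, rule.action
    raise AssertionError("unreachable: the Implicit Cleanup Rule matches everything")


def never_enforced(order):
    """Names of rules placed behind a catch-all (Any/Any/Any) rule; they can never match."""
    for i, rule in enumerate(order):
        if rule.is_catch_all():
            return [r.name for r in order[i + 1:]]
    return []


# Constructed sample Layer: three explicit rules (Stealth, Allow web, Cleanup)
# and three implied rules, one per position.
IMPLIED = [
    Rule("Accept Control Connections", dst="Gateway", service="FW1", implied="First"),
    Rule("Accept ICMP requests", service="icmp", implied="Before Last"),
    Rule("Accept outgoing packets from Gateway", src="Gateway", implied="Last"),
]
EXPLICIT = [
    Rule("Stealth rule", dst="Gateway", action="Drop"),
    Rule("Allow web", src="Internal", dst="Internet", service="http"),
    Rule("Cleanup rule", action="Drop"),
]

if __name__ == "__main__":
    order = effective_order(EXPLICIT, IMPLIED)
    print([r.name for r in order])
    print(evaluate(order, {"src": "Gateway", "dst": "Internet", "service": "http"}))
    print(never_enforced(order))
```

Running it shows the Gateway's own outgoing packet hitting the explicit Cleanup rule (Drop) rather than the Last implied rule, and `never_enforced` listing both the Last implied rule and the Implicit Cleanup Rule. Remove the explicit Cleanup rule and the same packet is accepted by the Last implied rule, while unmatched traffic falls through to the Implicit Cleanup Rule.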
Configuring the Implied Rules

Some of the implied rules are enabled by default. You can change the default configuration
as necessary.

To configure the implied rules:

1. In SmartConsole, select the Access Control Policy.


2. From the toolbar above the policy, select Actions > Implied Rules.

The Implied Policy window opens.


3. In the left pane, click Configuration.
4. Select a rule to enable it, or clear a rule to disable it.
5. For the enabled rules, select the position of the rules in the Rule Base: First, Last, or
Before Last (see "Types of Rules in the Rule Base" on the previous page).
6. Click OK and install the policy.

Showing the Implied Rules

In SmartConsole, from the Security Policies View, select Actions > Implied Rules.
The Implied Policy window opens.
It shows only the implied rules, not the explicit rules.


Configuring the Implicit Cleanup Rule

To configure the Implicit Cleanup Rule:


1. In SmartConsole, click Menu > Manage Policies and Layers.
2. In the left pane, click Layers.
3. Select a Layer and click Edit.
The Layer Editor opens.
4. Click Advanced.
5. Configure the Implicit Cleanup Rule to Drop or Accept.

6. Click OK.
7. Click Close.
8. Publish the SmartConsole session.

Administrators for Access Control Layers


You can create administrator accounts dedicated to the role of Access Control, with their own
installation and SmartConsole Read/Write permissions.
You can also delegate ownership of different Layers to different administrators. See
"Configuring Permissions for Access Control Layers" on page 120.

Sharing Layers
You may need to use the same rules in different parts of a Policy, or have the same rules in
multiple Policy packages.

There is no need to create the rules multiple times. Define an Ordered Layer or an Inline Layer
one time, and mark it as shared. You can then reuse the Inline Layer or Ordered layer in
multiple policy packages or use the Inline Layer in multiple places in an Ordered Layer. This is
useful, for example, if you are an administrator of a corporation and want to share some of the
rules among multiple branches of the corporation:
n It saves time and prevents mistakes.
n To change a shared rule in all of the corporation's branches, you must only make the
change once.
To mark a Layer as shared

1. In SmartConsole, click Menu > Manage policies and layers.


2. In the left pane, click Layers.


3. Select a Layer in Access Control or in Threat Prevention.


4. Right-click and select Edit Layer.
5. Configure the settings in the Layer Editor window.
6. In General, select Multiple policies and rules can use this layer.
7. Click OK.
8. Click Close.
9. Publish the SmartConsole session.

To reuse a Threat Prevention Ordered Layer

1. In SmartConsole, go to Menu > Manage policies and layers > Policies.

2. Right-click the required policy and click Edit. The policy properties window opens.
3. In the Threat Prevention box, click the + sign.
4. Select the layer you want to include in this policy package.
5. Click OK.
6. Close the policy properties window.
7. In SmartConsole, install the policy.
8. Repeat this procedure for all policy packages.
For examples of Inline Layers and Ordered Layers, see "Use Cases for the Unified Rule
Base" on page 380.

Visual Division of the Rule Base with Sections


To better manage a policy with a large number of rules, you can use Sections to divide the
Rule Base into smaller, logical components. The division is only visual and does not make it
possible to delegate administration of different Sections to different administrators.
Exporting Layer Rules to a .CSV File

You can export Layer rules to a .CSV file. You can open and change the .CSV file in a
spreadsheet application such as Microsoft Excel.

To export Layer rules to a .CSV file:


1. In SmartConsole, click Menu > Manage Policies and Layers.
The Manage Layers window opens.
2. Click Layers.


3. Select a Layer, and then click Actions > Export selected Layer.
4. Enter a path and file name.

Managing Policies and Layers


To work with Ordered Layers and Inline Layers in the Access Control Policy, select Menu >
Manage policies and layers in SmartConsole.
The Manage policies and layers window shows.

To see the Layers in the policy packages and their attributes:

In the Layers pane of the window, you can see:
- Name - Layer name
- Number of Rules - Number of rules in the Layer
- Modifier - The administrator who last changed the Layer configuration
- Last Modified - Date the Layer was last changed
- Show only Shared Layers - A shared Layer has the Multiple policies and rules can use this Layer option selected (see "Sharing Layers" on page 375)
- Layer Details
  - Used in policies - Policy packages that use the Layer
  - Mode:
    - Ordered - An Ordered Layer. In a Multi-Domain Security Management environment, it includes global rules and a placeholder for local, Domain rules.
    - Inline - An Inline Layer, also known as a Sub-Policy.
    - Not in use - A Layer that is not used in a Policy package.

To see the rules in the Layer:


1. Select a Layer.
2. Right-click and select Open layer in policy.


Best Practices for Access Control Rules


1. Make sure you have these rules:
   - Stealth rule that prevents direct access to the Security Gateway.
   - Cleanup rule that drops all traffic that is not allowed by the earlier rules in the policy.
2. Use Layers to add structure and hierarchy of rules in the Rule Base.
3. Add all rules that are based only on source and destination IP addresses and ports, in a
Firewall/Network Ordered Layer at the top of the Rule Base.
4. Create Firewall/Network rules to explicitly accept safe traffic, and add an explicit cleanup
rule at the bottom of the Ordered Layer to drop everything else.
5. Create an Application Control Ordered Layer after the Firewall/Network Ordered Layer.
Add rules to explicitly drop unwanted or unsafe traffic. Add an explicit cleanup rule at the
bottom of the Ordered Layer to accept everything else.
Alternatively, put Application Control rules in an Inline Layer as part of the
Firewall/Network rules. In the parent rule of the Inline Layer, define the Source and
Destination.
6. Share Ordered Layers and Inline Layers when possible.
7. If you have one Ordered Layer for Firewall/Network rules, and another Ordered Layer for
Application Control - Add all rules that examine applications, Data Type, or Mobile
Access elements, to the Application Control Ordered Layer, or to an Ordered Layer after
it.
8. Turn off the XFF inspection, unless the Security Gateway is behind a proxy server. For
more, see sk92839.
9. Disable a rule when working on it. Enable the rule when you want to use it.
Disabled rules do not affect the performance of the Security Gateway.
To disable a rule, right-click in the No. column of the rule and select Disable.

Best Practices for Efficient Rule Matching


1. Place rules that check the source, destination, and port (network rules) higher in the Rule
Base.
Reason: Network rules are matched sooner, and turn on fewer inspection engines.
2. Place rules that check applications and content (Data Types) below network rules.


3. Do not define a rule with "Any" in the Source column and in the Destination column and
with an Application or a Data Type.
For example, these rules are not recommended:

Source | Destination | Services & Applications | Content
Any | Any | Facebook | (blank)
Any | Any | (blank) | Credit Card numbers

Instead, define one of these recommended rules:

Source | Destination | Services & Applications | Content
Any | Internet | Facebook | (blank)
Any | Object that represents the relevant server | (blank) | Credit Card numbers

Reason for 2 and 3: Application Control and Content Awareness rules require content inspection.
Therefore, they:
- Allow the connection until the Security Gateway has inspected the connection header and body.
- May affect performance.

4. For rules with Data Types:


Place rules that check File Types higher in the Rule Base than rules that check for
Content Types. See "Content Column" on page 336.
Reason: File Types are matched sooner than Content Types.
5. Do not use Application Control and URL Filtering in the same rule; this may lead to
wrong rule matching. Use Application Control and URL Filtering in separate rules. This
makes sure that the URL Filtering rule is used as soon as the category is identified. For
more information, see sk174045.
To see examples of some of these best practices, see the "Use Cases for the Unified Rule
Base" on page 380 and "Creating a Basic Access Control Policy" on page 346.


Use Cases for the Unified Rule Base


Here are some use cases that show examples of rules that you can define for the Access
Control Policy.
Use Case - Application Control and Content Awareness Ordered Layer

This use case shows an example unified Access Control Policy. It controls applications and
content in one Ordered Layer.

No. | Name | Source | Destination | VPN | Services & Applications | Content | Action | Track

General compliance (1)

1 | Block categories | Any | Internet | Any | Anonymizer, Critical Risk | Any | Drop, Block Message | Log

Block risky executables (2)

2 | Block download of executable files from uncategorized and high risk sites | Internal Zone | Internet | Any | Uncategorized, High Risk | Download Traffic, Executable File | Drop | Log

Credit card data (3-4)

3 | Allow uploading of credit cards numbers, by finance, and only over HTTPS | Finance (Access Role) | Web Servers | Any | https | Upload Traffic, PCI - Credit Card Numbers | Accept | Log

4 | Block other credit cards from company Web servers | Any | Web Servers | Any | Any | Any Direction, PCI - Credit Card Numbers | Drop | Log

Inform about sensitive data over VPN (5)

5 | Inform the user about sensitive data from VPN sites | Any | Any | RemoteAccess | Any | Any Direction, Salary Survey Report | Inform | Log

Cleanup (6)

6 | Cleanup rule | Any | Any | Any | Any | Any | Accept | Log

Explanations for rules:


Rule Explanation

1 General Compliance section - Block access to unacceptable Web sites and applications.

2 Block risky executables section - Block downloading of high risk executable files.

3-4 Credit card data section - Allow uploading of credit card numbers only by the finance department, and only over HTTPS. Block other credit cards.

5 Block sensitive data over VPN section - A remote user that connects over the organization's VPN sees an informational message.

6 Cleanup rule - Accept all traffic that does not match one of the earlier rules.

Use Case - Inline Layer for Web Traffic

This use case shows an example Access Control Policy that controls Web traffic. The Web
server rules are in an Inline Layer.

No | Name | Source | Destination | Services & Applications | Content | Action | Track

1 | Headquarter WEB traffic - via proxy | HQ | Proxy | Web | Any | Ask, Web Access Policy, Access Noti... once a day per applic... | Log

2 | Allow Proxy to the Internet | Proxy | Internet | Web | Any | Accept | None

3 | Allow local branch to access the internet directly | Local Branch | Internet | Web | Any | Ask, Web Access Policy, Access Noti... once a day per applic... | Log

4 | Web Servers | InternalZone | Web Servers | Web | Any | Web Servers protection (Inline Layer) | N/A

4.1 | Block browsing with unapproved browsers | Any | Any | NEGATED: Google Chrome, Internet Explorer 11, Firefox, Safari | Any | Drop | Log

4.2 | Inform user when uploading Credit Cards only over HTTPS | Any | Any | https | Upload Traffic, PCI - Credit Card Numbers | Inform, Access Noti... once a day per applic... | Log

4.3 | Block Credit Cards | Any | Any | Any | Any Direction, PCI - Credit Card Numbers | Drop, Block Message | Log

4.4 | Block downloading of sensitive content | Any | Any | Any | Download Traffic, HIPAA - Medical Record Headers | Drop | Log

4.5 | Cleanup rule | Any | Any | Any | Any | Accept | None

5 | Ask user when sending credit cards to PayPal | InternalZone | Internet | PayPal | Any Direction, PCI - Credit Card Numbers | Ask, Company Policy, Access Noti... once a day per applic... | Log

6 | Cleanup rule | Any | Any | Any | Any | Drop | Log

Explanations for rules:

Rule Explanation

4 This is the parent rule of the Inline Layer. The Action is the name of the Inline Layer. If a packet matches on the parent rule, the matching continues to rule 4.1 of the Inline Layer. If a packet does not match on the parent rule, the matching continues to rule 5.

4.1-4.4 If a packet matches on rule 4.1, the rule action is done on the packet, and no more rule matching is done. If a packet does not match on rule 4.1, continue to rule 4.2. The same logic applies to the remaining rules in the Inline Layer.

4.5 If none of the higher rules in the Ordered Layer match the packet, the explicit Cleanup Rule is applied. The Cleanup rule is a default explicit rule. You can change or delete it. We recommend that you have an explicit cleanup rule as the last rule in each Inline Layer and Ordered Layer.
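
The traversal explained in this table and in "Order of Rule Enforcement in Ordered Layers" above, as an added Python model (an illustration for this guide, not Check Point code). The Layers, rules, and packets are constructed after this use case: the Services & Applications and Content columns are reduced to single app and content fields, the negated browser group of rule 4.1 is approximated by one constructed application value ("Unapproved browser"), and any action other than Drop (Accept, Ask, Inform) is assumed to let matching continue to the next Ordered Layer, as the guide states for Accept. The second Ordered Layer has no explicit cleanup rule, so its Implicit Cleanup Rule (configured to Accept) is what catches unmatched traffic there.

```python
# Model of rule matching across Ordered Layers and Inline Layers. Added
# illustration, not Check Point code; Layers, rules and packets are constructed
# after the "Inline Layer for Web Traffic" use case.
from dataclasses import dataclass
from typing import List, Union

ANY = "Any"
FIELDS = ("src", "dst", "app", "content")


@dataclass
class Layer:
    name: str
    rules: List["Rule"]
    implicit_cleanup: str = "Drop"   # the Layer Editor > Advanced setting


@dataclass
class Rule:
    name: str
    src: str = ANY
    dst: str = ANY
    app: str = ANY
    content: str = ANY
    # A Layer as the action makes this rule the parent rule of an Inline Layer.
    action: Union[str, Layer] = "Accept"

    def matches(self, pkt: dict) -> bool:
        return all(getattr(self, f) in (ANY, pkt[f]) for f in FIELDS)


def match_layer(layer: Layer, pkt: dict):
    """First matching rule in one Layer. When the matching rule is the parent of an
    Inline Layer, continue inside it; its result is the result for this Layer.
    If nothing explicit matches, the Implicit Cleanup Rule applies."""
    for rule in layer.rules:
        if not rule.matches(pkt):
            continue
        if isinstance(rule.action, Layer):
            return match_layer(rule.action, pkt)
        return rule.name, rule.action
    return f"{layer.name}: Implicit Cleanup Rule", layer.implicit_cleanup


def enforce(layers: List[Layer], pkt: dict):
    """Walk the Ordered Layers top to bottom. Drop is final; any other action
    (assumption: Accept, Ask, Inform alike) continues with the next Ordered Layer.
    Returns the verdict and the names of the rules matched along the way."""
    trail = []
    for layer in layers:
        name, action = match_layer(layer, pkt)
        trail.append(name)
        if action == "Drop":
            return "Drop", trail
    return "Accept", trail


# Constructed sub-policy modelled on rules 4.1 - 4.5 of the use case.
WEB_SERVERS = Layer("Web Servers protection", [
    Rule("4.1 Block browsing with unapproved browsers", app="Unapproved browser", action="Drop"),
    Rule("4.3 Block Credit Cards", content="PCI - Credit Card Numbers", action="Drop"),
    Rule("4.5 Cleanup rule", action="Accept"),
])

# Constructed Policy: a Network Ordered Layer with an explicit Cleanup rule,
# then an Application Ordered Layer that relies on its Implicit Cleanup Rule.
POLICY = [
    Layer("Network", [
        Rule("Stealth rule", dst="Gateway", action="Drop"),
        Rule("4 Web Servers", src="InternalZone", dst="Web Servers", action=WEB_SERVERS),
        Rule("Allow Internet", src="InternalZone", dst="Internet"),
        Rule("6 Cleanup rule", action="Drop"),
    ]),
    Layer("Application", [
        Rule("Block Anonymizer", app="Anonymizer", action="Drop"),
    ], implicit_cleanup="Accept"),
]


def packet(src, dst, app="Web", content="plain text"):
    """Constructed packet: every field carries a concrete value, never Any."""
    return {"src": src, "dst": dst, "app": app, "content": content}


if __name__ == "__main__":
    print(enforce(POLICY, packet("InternalZone", "Web Servers")))
    print(enforce(POLICY, packet("InternalZone", "Web Servers", content="PCI - Credit Card Numbers")))
    print(enforce(POLICY, packet("InternalZone", "Internet", app="Anonymizer")))
```

The trail makes the two stopping conditions visible: a Drop inside the Inline Layer (rule 4.3) ends matching immediately, while an Accept from the Inline Layer's cleanup rule (4.5) still sends the packet on to the Application Ordered Layer, where the Implicit Cleanup Rule decides.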

Use Case - Content Awareness Ordered Layer

This use case shows a Policy that controls the upload and download of data from and to the
organization.
There is an explanation of some of the rules below the Rule Base.

No | Name | Source | Destination | Services & Applications | Content | Action | Track

Regulatory compliance

1 | Block the download of executable files | InternalZone | Internet | Any | Download Traffic, Executable file | Drop | Log

2 | Allow uploading of credit cards numbers by finance users, only over HTTPS | Finance (Access Role) | Web Servers | https | Upload Traffic, PCI - Credit Card Numbers | Accept | Log

3 | Block other credit cards from company Web servers | InternalZone | Web Servers | Any | Any Direction, PCI - Credit Card Numbers | Drop, Block Message | Log

Personally Identifiable Information

4 | Matches U.S. Social Security Numbers (SSN) allocated by the U.S. Social Security Administration (SSA). | InternalZone | Internet | Any | Upload Traffic, U.S. Social Security Numbers - According to SSA | Inform, Access Notifi... once a day per applicati... | Log

5 | Block downloading of sensitive medical information | InternalZone | Internet | Any | Download Traffic, HIPAA - Medical Records Headers | Drop, Block Message | Log

Human Resources

6 | Ask user when uploading documents containing salary survey reports. | InternalZone | Internet | Any | Upload Traffic, Salary Survey Report | Ask, Company Policy once a day per applicati... | Log

Intellectual Property

7 | Matches data containing source code | InternalZone | Internet | Any | Any Direction, Source Code | Restrict source code (Inline Layer) | N/A

7.1 | (unnamed) | Any | Any | Any | Download Traffic, Source Code | Accept | Log

7.2 | (unnamed) | Any | Any | Any | Upload Traffic, Source Code | Ask, Company Policy once a day per applicati... | Log

7.3 | Cleanup Inline Layer | Any | Any | Any | Any | Drop, Block Message | Log

Explanations for rules:

Rule Explanation

1-3 Regulatory Compliance section - Controls the upload and download of executable files and credit cards.
You can set the direction of the Content. In rule 1 it is Download Traffic, in rule 2 it is Upload Traffic, and in rule 3 it is Any Direction.
Rule 1 controls executable files, which are File Types. The File Type rule is higher in the Rule Base than rules with Content Types (Rules 2 to 7). This improves the efficiency of the Rule Base, because File Types are matched sooner than Content Types.

4-5 Personally Identifiable Information section - Controls the upload and download of social security numbers and medical records.
The rule Action for rule 4 is Inform. When an internal user uploads a file with a social security number, the user sees a message.

6 Human resources section - Controls the sending of salary survey information outside of the organization.
The rule action is Ask. If sensitive content is detected, the user must confirm that the upload complies with the organization's policy.

7 Intellectual Property section - A group of rules that control how source code leaves the organization.
Rule 7 is the parent rule of an Inline Layer (see "Ordered Layers and Inline Layers" on page 367). The Action is the name of the Inline Layer.
If a packet matches on rule 7.1, matching stops. If a packet does not match on rule 7.1, continue to rule 7.2. In a similar way, if there is no match, continue to 7.3. The matching stops on the last rule of the Inline Layer. We recommend that you have an explicit cleanup rule as the last rule in each Inline Layer.

Use Case - Application & URL Filtering Ordered Layer

This use case shows some examples of URL Filtering and Application Control rules for a
typical policy that monitors and controls Internet browsing. (The Hits, VPN and Install On
columns are not shown.)

No. | Name | Source | Destination | Services & Applications | Action | Track | Time

1 | Liability sites | Any | Internet | Potential liability (group) | Drop, Blocked Message | Log | Any

2 | High risk applications | Any | Internet | High Risk, iTunes, Anonymizer (category) | Drop, Blocked Message | Log | Any

3 | Allow IT department Remote Admin | IT (Access Role) | Any | Radmin | Allow | Log | Work-Hours

4 | Allow Facebook for HR | HR (Access Role) | Internet | Facebook | Allow, Download_1Gbps | Log | Any

5 | Block these categories | Any | Internet | Streaming Media Protocols, Social Networking, P2P File Sharing, Remote Administration | Drop, Blocked Message | Log | Any

6 | Log all applications | Any | Internet | Any | Allow | Log | Any

Explanations for rules:


Rule Explanation

1 Liability sites - Blocks traffic to sites and applications in the custom Potential_
liability group. The UserCheck Blocked Message is shown to users and explains
why their traffic is blocked. See "Blocking Sites" on page 359.
Scenario: I want to block sites that are associated with categories that can
cause liability issues. Most of these categories exist in the Application Database
but there is also a custom defined site that must be included. How can I do this?
You can do this by creating a custom group and adding all applicable categories
and the site to it. If you enable Identity Awareness on a Security Gateway, you
can use it together with URL Filtering to make rules that apply to an access role.
Use access role objects to define users, machines, and network locations as
one object.
In this example:
- You have already created:
  - An Access Role that represents all identified users in the organization (Identified_Users).
  - A custom application for a site named FreeMovies.
- You want to block sites that can cause liability issues for everyone within your organization.
- You will create a custom group that includes Application Database categories as well as the previously defined custom site named FreeMovies.

To create a custom group:

1. In the Object Explorer, click New > More > Custom Application/Site >
Application/Site Group.
2. Give the group a name. For example, Liability_Sites.
3. Click + to add the group members:
   - Search for and add the custom application FreeMovies.
   - Select Categories, and add the ones you want to block (for example Anonymizer, Critical Risk, and Gambling).
   - Click Close.

4. Click OK.
You can now use the Liability_Sites group in the Access Control Rule Base.

In the Security Policies view of SmartConsole, go to the Access Control Policy and add a rule similar to this:
- Source - The Identified_Users access role
- Destination - Internet
- Services & Applications - Liability_Sites
- Action - Drop

Note - Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web Browsing Services: http, https, HTTP_proxy, and HTTPS_proxy. To change this, see Changing Services for Applications and Categories.

Name | Source | Destination | Services & Applications | Action | Track
Block sites that may cause a liability | Identified_Users | Internet | Liability_Sites | Drop | Log

2 High risk applications - Blocks traffic to sites and applications in the High Risk category and blocks the iTunes application. The UserCheck Block Message is shown to users and explains why their traffic is blocked.

3 Allow IT department Remote Admin - Allows the computers in the IT department network to use the Radmin application. Traffic that uses Radmin is allowed only during the Work-Hours (set to 8:00 through 18:30, for example).

4 Allow Facebook for HR - Allows computers in the HR network to use Facebook. The total traffic downloaded from Facebook is limited to 1 Gbps; there is no upload limit.

5 Block these categories - Blocks traffic to these categories: Streaming Media, Social Networking, P2P File Sharing, and Remote Administration. The UserCheck Blocked Message is shown to users and explains why their traffic is blocked.
Note - The Remote Administration category blocks traffic that uses the Radmin application. If this rule is placed before rule 3, then this rule can also block Radmin for the IT department.

6 Log all applications - Logs all traffic that matches any of the URL Filtering and Application Control categories.


Self-Managed Security Gateways


Introduction
R82 introduced a new Dynamic Layer in the Access Control policy to assist customers with
highly automated network environments.
This Policy Layer serves as a container for rules created directly on the Security Gateway
using the Gaia API call "set-dynamic-content", catering to environments where
provisioning, configuration, and other IT processes are regularly managed through the
distribution of JSON files.
Workflow:

1. On the Management Server, in the Access Control, you create a new Policy Layer and
configure it as a Dynamic Layer.
2. On the Security Gateway, you configure the required Access Control rules in this
Dynamic Layer with the Gaia API call "set-dynamic-content" (in the JSON format).
The Dynamic Layer works only as a container for rules that you configure on the Security
Gateway. After you run the Gaia API command on the Security Gateway, it ignores all rules in
this Dynamic Layer that were configured in SmartConsole. If permanent rules are needed (for
example, to allow access from a remote API client), you must configure them in the main policy
on the Management Server and not in Dynamic Layers.
For additional information, refer to sk182252.


Requirements
1. Management Server R82 and higher:
   - Security Management Server
   - Multi-Domain Security Management Server
2. Security Gateway R82 and higher:
   - Single Security Gateway
   - ElasticXL Cluster
   - ClusterXL
   - Security Group in Maestro or Scalable Chassis

3. On the Security Gateway, the user that runs the Gaia API must have this configuration in
Gaia OS:
a. Role: adminRole.
b. Access Mechanism: Gaia API.
c. Shell: /etc/[Link] or /bin/bash
See the Gaia Administration Guide for your version > User Management chapter>
Users and Roles sections.


Limitations
- This feature was designed for the JSON format.
  Use a 3rd-party REST API client that lets you paste the required API body in JSON
  format.
  Do not use the Check Point CLI API client "mgmt_cli".
- It is not supported to edit or delete individual dynamic rules on the Security Gateway
  after you add them. Every "set-dynamic-content" call replaces the complete content of
  the Dynamic Layer:
  - To change an individual dynamic rule, run the Gaia API call "set-dynamic-content"
    with an updated API body that contains the complete Access Control rules, with the
    updated parameters and values for that individual rule.
  - To delete an individual dynamic rule, run the Gaia API call "set-dynamic-content"
    with an updated API body that contains the complete Access Control rules without
    that individual rule.
  Notes:
  - To see the current rules and to copy the current complete JSON, run the Gaia API
    call "show-dynamic-layer" on the Security Gateway.
  - If necessary, you can delete all rules in the Dynamic Layer on the Security Gateway.
    See "Resetting a Dynamic Layer" on page 401.
- VSNext Virtual Gateway is not supported.
- Traditional VSX Virtual System (on a VSX Gateway or VSX Cluster) is not supported.
- Traditional VSX Virtual Router (on a VSX Gateway or VSX Cluster) is not supported.


Notes
- Each Policy Package supports more than one Dynamic Layer, as an Inline Layer or as an
  Ordered Layer. For example, different administrators can use different Policy Layers.
- The Security Gateway applies the Access Control rules in the order of the Policy Layers
  in the Policy Package.
- Rules that you configure in SmartConsole in the Dynamic Layer apply only until you run
  the Gaia API call "set-dynamic-content" for the first time on the Security Gateway.
  From then on, the Security Gateway uses only the dynamic rules in that layer.
- If you delete the Dynamic Layer from the Policy Package (or clear the checkbox Set as a
  Dynamic Layer in the Dynamic Layer) and install the Access Control policy, then the
  Security Gateway removes all dynamic rules and applies only the static rules configured
  in SmartConsole.
- SmartConsole does not show rules in the Dynamic Layer that you configure on the
  Security Gateway. To audit them, run "show-dynamic-layer" on the Security Gateway.
- To see the list of the supported objects in the Dynamic Layer, refer to the API call
  "set-dynamic-content" > section "Request Body" > parameter "objects".

Configuration
1. Connect with SmartConsole to the Security Management Server / Domain Management
Server.
2. Add a new Policy Layer and configure it as a Dynamic Layer.
Notes:
- You can configure a new Policy Layer directly in a specific policy, or as a shared
  Policy Layer for several policies.
- You can configure an Inline Layer (within a specific rule), or an Ordered Layer (a
  separate set of rules in a dedicated Policy Layer).
  See "Ordered Layers and Inline Layers" on page 367.
- You can add a new Policy Layer and configure it as a Dynamic Layer either in
  SmartConsole (described below) or with the Management API call "add-access-layer"
  with the parameter "dynamic-layer true" (see Check Point Management API Reference
  (at the top, select the correct version) v1.8 and higher).
Procedure in SmartConsole:
To configure an Ordered Layer in a specific Access Control policy

a. In the top left corner, click Menu > Manage policies and layers.
b. In the left panel, click Policies.


c. Right-click the applicable Policy Package and click Edit.


d. In the Access Control section, click the + icon.
e. In the top right corner, click New Layer.
f. Enter the name for this Policy Layer.
g. On the General page:
In the Blades section, select the supported blades:
i. Mandatory: Firewall
ii. Optional: Application & URL Filtering
h. On the Advanced page:

i. In the Implicit Cleanup Action section, set the implicit cleanup action
according to your security needs.
ii. In the Dynamic Layer section, select Set as a Dynamic Layer.
i. On the Permissions page, select the permission profiles that can edit the
Dynamic Layer. This is essential when multiple Dynamic Layers are used, each
configured by different users. Only the profiles shown here can edit the Layer.
To add additional profiles that can edit the Layer, go to the bottom of the
Permissions page.
To create a new permission profile, in SmartConsole, go to the Manage &
Settings view > Permissions & Administrators > Permission Profiles. In the
profile editor, go to Access Control > Policy, and make sure Edit layers by the
selected profile in a layer editor is selected.
j. Click OK to close the Layer Editor window.

k. In the policy, to the right of the Access Control section, you now see the Layer
called Network (default name) and the new Dynamic Layer.

Important - You can change the order of these Policy Layers.

l. Click OK to close the Policy window.

To configure an Inline Layer in a specific Access Control policy in a specific rule

a. From the left navigation panel, click Security Policies.


b. If you need to open a different Security Policy:
i. At the top, click the [+] tab.
ii. Click the required policy.
c. In the Access Control section, click Policy.


d. Locate the applicable rule.


e. In the rule, click in the Action cell > click Inline Layer > click New Layer.
f. Enter the name for this Policy Layer.
g. On the General page, in the Blades section, select the supported blades:
   - Mandatory: Firewall
   - Optional: Application & URL Filtering
   Optional: In the Sharing section, select Multiple policies and rules can use this
   layer.
h. On the Advanced page:

i. In the Implicit Cleanup Action section, set the implicit cleanup action
according to your security needs.
ii. In the Dynamic Layer section, select Set as a Dynamic Layer.
i. On the Permissions page, select the permission profiles that can edit the
Dynamic Layer. This is essential when multiple Dynamic Layers are used, each
configured by different users. Only the profiles shown here can edit the Layer.
To add additional profiles that can edit the Layer, go to the bottom of the
Permissions page.
To create a new permission profile, in SmartConsole, go to the Manage &
Settings view > Permissions & Administrators > Permission Profiles. In the
profile editor, go to Access Control > Policy, and make sure Edit layers by the
selected profile in a layer editor is selected.
j. Click OK to close the Layer Editor window.
k. In the rule, you now see the new Inline Layer.

To configure a shared Ordered Layer to use in several Access Control Policies

a. In the top left corner, click Menu > Manage policies and layers.
b. In the left panel, click Layers > Access Control.
c. From the top tool bar, click New.
d. Enter the name for this Policy Layer.


e. On the General page, in the Blades section, select the supported blades:
   - Mandatory: Firewall
   - Optional: Application & URL Filtering
   Optional: In the Sharing section, select Multiple policies and rules can use this
   layer.
f. On the Advanced page:
   i. In the Implicit Cleanup Action section, select the option Drop.
      This Drop rule makes sure that all traffic that matches this Ordered Layer is
      dropped until you run the Gaia API call "set-dynamic-content" on the
      Security Gateway (an Accept cleanup action would let unmatched traffic
      through while the layer is still empty).

You can change it later in SmartConsole.


ii. In the Dynamic Layer section, select Set as a Dynamic Layer.
g. On the Permissions page, select the permission profiles that can edit the
Dynamic Layer. This is essential when multiple Dynamic Layers are used, each
configured by different users. Only the profiles shown here can edit the Layer.
To add additional profiles that can edit the Layer, go to the bottom of the
Permissions page.
To create a new permission profile, in SmartConsole, go to the Manage &
Settings view > Permissions & Administrators > Permission Profiles. In the
profile editor, go to Access Control > Policy, and make sure Edit layers by the
selected profile in a layer editor is selected.

h. Click OK to close the Layer Editor window.


i. In the left panel, click Policies.

j. Right-click the applicable Policy Package and click Edit.


k. In the Access Control section, click the + icon.
l. Click the new Dynamic Layer.
m. In the policy, to the right of the Access Control section, you now see the Layer
called Network (default name) and the new Dynamic Layer.

Important - You can change the order of these Policy Layers.

n. Click OK to close the Policy window.


o. Click Close to close the Manage policies and layers window.


3. If you run Gaia API calls on the Security Gateway from a remote API client (and not
locally on the Security Gateway), make sure your Access Control policy allows such
connection to the Security Gateway.

Best Practice - To avoid losing connectivity for the API client, add the rule that
allows the API client connection only in a static Policy Layer (one that is not
configured as a Dynamic Layer). Rules that you configure in SmartConsole in a
Dynamic Layer stop applying after the first "set-dynamic-content" call, so a rule
placed there could lock the API client out.

4. Install this Access Control Policy on the Security Gateway / Cluster object.
5. Run the Gaia API call "set-dynamic-content" on the Security Gateway / each
Cluster Member / Security Group to configure the required dynamic Access Control
rules.

Warning - Pay close attention to the rules you configure on the Security
Gateway.
There is no verification of possible conflicts between the rules configured on the
Security Gateway and the rules configured in SmartConsole.
Notes:
- Refer to the online Check Point Gaia API Reference (at the top, select the
  correct version) (v1.8 and higher) > section System > sub-section
  Dynamic Content.
  To see the local Gaia API Reference, go to this URL on a Management
  Server or Security Gateway (R82 or higher):
  https://<IP Address of Gaia Management Interface>/gaia_docs/#web/set-dynamic-content
  At the top of the Gaia API Reference, click the Web Services tab.
- Because you run Gaia API calls from a remote API client, make sure your
  Access Control policy allows such a connection to the Security Gateway.
  Best Practice - To avoid losing connectivity for the API client, add the
  applicable rule only in a static Policy Layer (that is not configured as a
  Dynamic Layer).

Workflow for a remote REST API client (based on the Postman application)

a. Install the Postman application.


b. Get the Gaia REST API collection from sk143612.
c. Import the Gaia REST API collection into the Postman application (first, you
must create a Postman account). Refer to the Postman documentation about the
import methods.


d. Configure the required API variables:


i. In the left panel, in the Gaia REST API collection, click the top folder Gaia
API.
ii. Add these variables:

- username
  Variable Value: Username of the applicable user in the Gaia OS on the Security
  Gateway.
  Comment: The default user is admin. You can create other users (see the
  Requirements section).
- password
  Variable Value: Password of the applicable user in the Gaia OS on the Security
  Gateway.
  Comment: You configure this password.
- ip
  Variable Value: IP Address of the Gaia Management Interface on the Security
  Gateway / each Cluster Member / Security Group.
  Comment: This is the IP address on the Security Gateway / each Cluster Member /
  Security Group, to which the API client connects.
- sid
  Variable Value: Initially, empty.
  Comment: Use this variable to contain the required SID after running the Gaia API
  call "login".

e. Get the Login Session ID (SID):


i. In the left pane, open the folder Session Management.
ii. Click the API call "login".
iii. In the top right corner, click Send.
iv. In the bottom panel, copy the value of the parameter "sid".
f. Configure the SID variable:
i. In the left panel, click the top folder Gaia API.
ii. In the sid variable, enter the copied value in the column Current Value.
iii. In the top right corner, click Save.


g. Run the API call "set-dynamic-content" on the Security Gateway / each
   Cluster Member / Scalable Platform Security Group:
i. In the left panel, click the API "set-dynamic-content".
ii. At the top, click the Body tab.
iii. Configure the required parameters and values in the JSON format.
iv. In the top right corner, click Send.
v. In the bottom panel, copy the entire response with a Task ID.
vi. In the left panel, open the Misc folder, and click the API call "show task".
vii. At the top, click the Body tab and click the raw option.

viii. Paste the entire response with the Task ID.


ix. In the top right corner, click Send.
x. In the bottom panel, see the API response for the API call "set-dynamic-content".

6. Optional: Examine the configured dynamic Access Control rules.


n To see the configured dynamic Access Control rules in a specific Dynamic Layer,
run the Gaia API call "show-dynamic-layer" on the Security Gateway / each
Cluster Member / Security Group.
n To see the configured dynamic Access Control rules in all configured Dynamic
Layers, run the Gaia API call "show-dynamic-layers" on the Security Gateway
/ each Cluster Member / Security Group.

Resetting a Dynamic Layer


To remove all dynamic rules, you must reset the Dynamic Layer that contains these rules on
the Security Gateway.
Procedure

Run the Gaia API call "set-dynamic-content" on the Security Gateway and use
"operation": "reset".


Syntax part for a remote REST API client

"access-layers-content": [
{
"name": "<Name_of_Dynamic_Layer>",
"operation": "reset",
"rulebase": []
}
]
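The remote-client workflow above (login, "set-dynamic-content", polling "show-task"), the limitation that an individual dynamic rule can only be changed or deleted by resending the complete rulebase, and this reset syntax, worked through as an added Python example. This is not Check Point code. The guide documents only the reset body shown above; everything else here is an assumption to be checked against the Gaia API Reference: that Gaia API calls are POSTed to https://<gateway>/gaia_api/<call-name>, that the session ID is sent in an X-chkp-sid header, that "set-dynamic-content" answers with a "task-id" and "show-task" returns {"tasks": [{"status": ...}]}, that "show-dynamic-layer" takes the layer "name" and returns its rules under "rulebase", that rulebase entries carry a "name" key, and that a non-reset body needs no "operation" value (the guide does not show one). The host, CA file, credentials and layer name are placeholders.

```python
"""Remote Gaia API workflow for a Dynamic Layer (added example, not Check Point code)."""
import json
import ssl
import time
import urllib.request

# Assumption: Gaia REST API calls are POSTed to https://<gateway>/gaia_api/<call-name>.
GAIA_API_PATH = "/gaia_api/"


def reset_body(layer_name):
    """Body that empties a Dynamic Layer; this is the "operation": "reset" syntax from the guide."""
    return {"access-layers-content": [
        {"name": layer_name, "operation": "reset", "rulebase": []}]}


def replace_rule(rulebase, rule_name, new_rule):
    """Return a new, complete rulebase with one rule swapped.

    The gateway cannot edit a single dynamic rule, so the full list returned by
    show-dynamic-layer is rebuilt and resent. Assumption: rules carry a "name" key.
    """
    if not any(rule.get("name") == rule_name for rule in rulebase):
        raise KeyError(f"no dynamic rule named {rule_name!r}")
    return [new_rule if rule.get("name") == rule_name else rule for rule in rulebase]


def delete_rule(rulebase, rule_name):
    """Return a new, complete rulebase without the named rule (again, the whole list is resent)."""
    kept = [rule for rule in rulebase if rule.get("name") != rule_name]
    if len(kept) == len(rulebase):
        raise KeyError(f"no dynamic rule named {rule_name!r}")
    return kept


class GaiaApiClient:
    """Small Gaia REST API client. `transport(url, headers, payload) -> dict` can be
    injected for testing; the default does an HTTPS POST with a JSON body."""

    def __init__(self, host, transport=None, ca_file=None):
        self.base_url = f"https://{host}{GAIA_API_PATH}"
        self.sid = None
        self._ca_file = ca_file  # trust the gateway's CA; do not disable certificate checks
        self._transport = transport or self._https_post

    def _https_post(self, url, headers, payload):
        ctx = ssl.create_default_context(cafile=self._ca_file)
        req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid  # assumption: session header name
        return self._transport(self.base_url + command, headers, payload or {})

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
        return self.sid

    def show_dynamic_layer(self, layer_name):
        # Assumption: the layer is selected with "name" and its rules come back under "rulebase".
        return self.call("show-dynamic-layer", {"name": layer_name})

    def set_dynamic_content(self, body, poll_interval=1.0, timeout=120.0):
        """Submit the body, then poll show-task until the task is no longer in progress.

        Assumption: the call answers with "task-id" and show-task returns
        {"tasks": [{"status": ...}]}, the same shape the Management API uses.
        """
        task_id = self.call("set-dynamic-content", body)["task-id"]
        deadline = time.monotonic() + timeout
        while True:
            task = self.call("show-task", {"task-id": task_id})["tasks"][0]
            if task["status"] != "in progress":
                return task
            if time.monotonic() > deadline:
                raise TimeoutError(f"task {task_id} still in progress after {timeout}s")
            time.sleep(poll_interval)


if __name__ == "__main__":
    # Placeholder host, CA file, credentials and layer name; replace with your own.
    gw = GaiaApiClient("gw.example.net", ca_file="/path/to/gateway-ca.pem")
    gw.login("admin", "changeme")
    current = gw.show_dynamic_layer("Automation-Layer")["rulebase"]
    body = {"access-layers-content": [
        {"name": "Automation-Layer", "rulebase": delete_rule(current, "temp-rule")}]}
    print(gw.set_dynamic_content(body))
    # To empty the layer instead: print(gw.set_dynamic_content(reset_body("Automation-Layer")))
```

Two points the code makes explicit. First, delete_rule and replace_rule never send a partial update: they take the complete rulebase copied from "show-dynamic-layer" and return the complete list to resend, which is the only supported way to change one dynamic rule. Second, the client pins the gateway's CA instead of switching certificate verification off; a tool that rewrites firewall rules over HTTPS is exactly the kind of client that must not accept an arbitrary certificate. The rule that lets this client reach the gateway still belongs in a static Policy Layer, as the Best Practice above says.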

Installing the Access Control Policy


Important - With the "fw up_execute" command, you can examine the Security
Gateway behavior (R82 and above) for a specified traffic before you make changes to
your Access Control Policy. See the R82 CLI Reference Guide > Chapter "Security
Gateway Commands" > Section "fw" > Section "fw up_execute".

1. On the Global Toolbar, click Menu > Verify Access Control Policy > select the required
policy > click Verify.
Alternatively, click the left Security Policies view > Access Control > from the top
toolbar, click Actions > Verify Access Policy.
Note - Starting from R82, it is possible to verify the Access Control policy before you
publish the session.
Make the required changes.
2. On the top Global Toolbar, click Publish session.
3. On the top Global Toolbar, click Install Policy.
The Install Policy window opens showing the Security Gateways.
4. If there is more than one Policy package: From the Policy drop-down list, select a policy
package.
5. Select Access Control. You can also select other Policies.
6. If there is more than one Security Gateway: Select the Security Gateways, on which to
install the policy.
7. Select the Install Mode:
n Install on each selected gateway independently - Install the policy on each target
Security Gateway independently of others, so that if the installation fails on one of
them, it doesn't affect the installation on the rest of the target Security Gateways.

Note - If you select For Gateway Clusters, if installation on a cluster member fails,
do not install on that cluster, the Security Management Server makes sure that it
can install the policy on all cluster members before it begins the installation. If
the policy cannot be installed on one of the members, policy installation fails for
all of them.


n Install on all selected gateways, if it fails do not install on gateways of the same
version - Install the policy on all the target Security Gateways. If the policy fails to
install on one of the Security Gateways, the policy is not installed on other target
Security Gateways.

Note - "gateways of the same version" refers to the same internal Backward
Compatibility family of versions (and not the version configured in Security
Gateway objects). For example:
- Versions R81-R82.x belong to the same internal Backward Compatibility family of
  versions.
- Versions R80.x belong to the same internal Backward Compatibility family of
  versions.

8. Click Install.

Access Control Policy Insights


Access Control Policy Insights analyzes Access Control policies and network traffic to identify
opportunities for optimization. It examines traffic patterns and policy configurations, and
suggests modifications to improve your security posture.

Key Benefits
- Reduces attack surface by making rules more restrictive and eliminating unnecessary
  traffic permissions
- Simplifies access control policies for easier management and auditing

Access Control Policy Insights is supported on all Management Server configurations
(Standalone, High Availability, Multi-Domain Server, Smart-1 Cloud).
See "Telemetry and Data Processing" on page 408 for information on the data which Access
Control Policy Insights processes.

Note - Access Control Policy Insights is based on self-updatable code. To review the
recent changes, see sk183421.

Known Limitations
Access Control Policy Insights only analyzes rules that meet these criteria:
- The Action is Accept, Ask, or Inform.
- The Track column is not set to None.
- To create insights in the Source and Destination columns, objects in these columns
  must be of type Any, Host, Network, Group (using IPv4).


- Insights that modify the Services & Applications column require that this column
  contains only these types of objects: tcp/udp services, icmp, rpc and dce-rpc.
- In a Multi-Domain environment, only Domain rules are analyzed. Global Domain rules
  are not analyzed, and no recommendations are generated for them.

Prerequisites
- R82 Jumbo Hotfix Accumulator Take 14 or higher
- R82 SmartConsole Releases Build 1055 or higher
- Access Control Policy Insights license. For more information, contact Account Services.
- Auto-update package (afw_AutoUpdate) version 71 or higher. The auto-update
  package is usually installed automatically when version and Jumbo Hotfix Accumulator
  requirements are met. For manual installation instructions, see sk183421.
- The Management Server and all Log Servers must have internet access.

Activating Access Control Policy Insights


Note - Access Control Policy Insights does not rely on the Log Sharing or
Configuration Sharing settings. Instead, it uploads log telemetry data and Policy
Packages, rules, and objects to the Check Point Portal for analysis.

Procedure
1. Connect your Security Management Server to the Check Point Portal.

See "To connect your Security Management Server and Security Gateway objects from
SmartConsole to the Check Point Portal" on page 558.
2. In SmartConsole, open the Infinity Services view and locate the Access Control Policy
   Insights card:
a. Toggle the switch to On.
b. Accept the Terms and Conditions.
The card status changes from Inactive to Initializing.
3. Make sure that there is an Insights button in the top-left corner of the Access Control
Rule Base.


Notes:
- During initialization, the system:
  - Uploads policy package information, rules, and network objects to the cloud.
  - Sends telemetry data from Log Servers (including log telemetry).
  - Prepares the cloud environment for analysis.
- After the activation process, the log analysis may take several hours (up to 48
  hours in large environments). Therefore, suggestions do not appear immediately.

Important - After activation on a new system with no log history, it takes 90 days
before high confidence insights become available. To see preliminary insights
sooner, in the Access Control Policy Insights window, select Show additional low
confidence suggestions.

Insights
Calculation Process
Access Control Policy Insights are calculated in Check Point's Infinity Cloud using uploaded
policy and telemetry data. The calculation process:
- Runs every two weeks
- Analyzes traffic patterns against policy configurations
- Generates actionable recommendations

Types of Insights
- Remove unmatched objects - Identifies objects in rules that never received matching
  traffic based on log analysis.
  - Benefit: Makes rules more restrictive by removing unnecessary objects.
  - Result: Prevents unauthorized traffic from passing through.
- Replace existing objects - Identifies overly broad objects that can be replaced with more
  specific alternatives.
  For example: a network object of which only one IP address receives traffic. Replacing
  the object with a more specific one reduces attack surface while maintaining legitimate
  access.
- Delete disabled rules - Identifies disabled rules in the Security Policy and permanently
  deletes them from the Rule Base.
- Disable unmatched rules - Identifies rules that never received matching traffic based on
  log analysis.


Confidence Level
High Confidence Insights

High confidence insights are based on rules that:
- Have telemetry logging data covering at least 90 consecutive days,
- Were not modified in the past 90 days.

Low Confidence insights

Insights that do not meet one or both of these criteria.

By default, low confidence insights are not displayed in SmartConsole. To see low confidence
insights, select the Show additional low confidence suggestions check box.

Best Practice - Review low confidence suggestions carefully before implementing them.

Security Impact
The insight’s security impact is calculated according to the proposed change in the rule. For
example:
- Removing one open port from a rule has a low security impact.
- Replacing "Any" in the Source column with a single host IP address has a high security
  impact.

Access Control Policy Insights utilizes the security impact score to focus on insights that are
more significant and hide insights with negligible impact.
High-impact insights with a high confidence level are marked in SmartConsole with a star icon
next to them.

Managing Access Control Policy Insights

To view insights for a Policy Layer


1. In SmartConsole, go to the Security Policies view > Access Control.
2. Click the Insights button at the top-left corner.

To view insights for a specific rule


1. In SmartConsole, go to the Security Policies view > Access Control.
2. Select the required rule.


3. In the bottom pane, click the Insights tab.
4. Click the Open button to open the Access Control Policy Insights window.

Available Actions
For each insight, you can select one of these options:
- Apply - Implement the suggested change in the Rule Base. You must publish your
  session for the change to take effect.
- Partial Selection - Lets you select specific objects within an insight (for example: specific
  hosts, networks or services) and apply changes only to the selected items. This flexibility
  lets you focus only on relevant changes and avoid unintended changes. To enable
  Partial Selection, toggle this setting to ON in the upper-left corner above the insights
  table.
- Decline - Reject the insight. The insight is moved to the Declined suggestions section,
  and you can reuse it from there.

  To use a suggestion from the Declined suggestions section:
  1. Select the required suggestion and click the Undo decline button.
  2. In the Suggestions section, select the required suggestion and click Apply.
  3. Publish your changes and Install Policy.
- Decide later - Move the suggestion to the Decide later section. The suggestion remains
  available for use in the future. This is useful for insights requiring additional analysis.

  To use a suggestion from the Decide later section:
  1. Select the required suggestion and click the Move back button.
  2. In the Suggestions section, select the required suggestion and click Apply.
  3. Publish your changes and Install Policy.

Telemetry and Data Processing


Access Control Policy Insights uses log telemetry to determine traffic patterns without the need
to send complete logs to the cloud.
When Access Control Policy Insights is active, the log telemetry service scans all logs, and
processes only the relevant logs and fields that are required for Access Control Policy Insights
calculation.
This reduces the volume of data sent to the Check Point Portal for further processing.
Collected data fields:


Field                  | Description                                                  | Example
service                | Connection (service destination port)                        | 443
calc_service           | Calculated service name                                      | https
proto                  | Protocol number                                              | 6
src                    | Source IP address                                            | (IPv4 address)
dst                    | Destination IP address                                       | (IPv4 address)
action                 | Rule match action                                            | Accept
orig                   | Gateway origin                                               | cp_mgmt
time                   | Log time (by day)                                            | 2025-06-18T00:00:00:000
rule_name              | Name of the Access Control rule (match table)                | Clean up
rule_action (by layer) | Rule action by layer (match table)                           | ("Accept")
rule_uid               | Rule ID in the Access Control policy to which the connection | ["0E3B6901-8AB0-4b1e-A317-8BE33055FB44"]
                       | was matched (match table)                                    |
layer_match_table      | Layer ID (table)                                             | ["024b3a8f-b24e-4df8-b3ee-17009886dad5"]
count                  | Connection number                                            | 301

In addition to log telemetry, Access Control Policy Insights also uploads policy package
information, rules, and network objects to the cloud. Data is stored and processed according to
the Check Point Portal’s “region” configuration.

Additional Clarifications Regarding Data Handling and Privacy


- Data Usage: The collected data is used exclusively for generating insights, which are
  calculated approximately every two weeks.
- Data Processing: Data is securely parsed and prepared in a protected environment
  before the insights engine analyzes it.
- Customer Consent: Data processing begins only after you enable the feature and accept
  the terms.
- Encryption: All data is encrypted, ensuring full protection of the information.
- Access Control: Access to data is strictly limited to authorized system components and
  personnel, based on the principle of least privilege.
- Controlled Data Locations: Your data is stored and processed in a dedicated geographic
  region, according to Check Point Portal's region configuration.
- All data collection and processing practices comply with Check Point's strict security and
  privacy standards.
For detailed information about compliance, certifications, and privacy commitments, see
Check Point's Trust-Point.

Background Activities
Access Control Policy Insights works in the background of the Security Management Servers
and Log Servers.
It uses the Management API and Check Point Portal API to do these activities, and generates
audit logs which record these actions:
- Periodically check whether Access Control Policy Insights is active and licensed.
- Periodically check when the next calculation is supposed to take place in the cloud and
  upload the latest policy packages, rules, and objects to the cloud.
- Send log telemetry data to the cloud.


The Access Control Policy Insights Window


In each category in the Access Control Policy Insights window, you can see the latest date on
which the presented information is based.
The number in each category represents the number of suggestions for this category.
Next to each suggestion, one of these options appears:
- Star icon: Recommended - Suggestions with high security impact and high confidence.
- No icon - Suggestions with security impact but no conclusive confidence due to limited
  data.
- Low Confidence icon - Not enough logs and time to have conclusive confidence. For
  example, new rules, rules that changed recently, or other cases when data is limited.
To export the information in the Access Control Policy Insights window as a CSV file, click
the Export to CSV button, at the bottom left corner of the Access Control Policy Insights
window.

Filtering Insights
You can filter the suggestions based on these categories:
- Recommended (the default option) - Suggestions with the highest security impact. The
  insight's security impact is calculated according to the proposed change in the rule. This
  enables Access Control Policy Insights to focus on more significant insights and hide
  those with low impact.
  High-impact insights with a high confidence level are marked in SmartConsole with a star
  icon.
- All - All valuable suggestions, not only those with the highest security impact.

Show additional low confidence suggestions - When you select this checkbox, it shows
suggestions with low confidence, in addition to the Recommended and All suggestions. Low
confidence suggestions are for new rules, rules that changed recently, or other cases when
data is limited. These suggestions are not displayed by default.

Analyzing the Rule Base Hit Count


Use the Hit Count feature to show the number of connections that each rule matches.
Use the Hit Count data to:
- Analyze a Rule Base - You can delete rules that have no matching connection

  Note - If you see a rule with a zero Hit Count, it only means that on the Security
  Gateways with Hit Count enabled there were no matching connections. There can be
  matching connections on other Security Gateways, so check which gateways report
  into the count before you delete a rule.
- Better understand the behavior of the Access Control Policy
The Hit Count value appears as:
- The percentage of the rule hits from total hits
- The indicator level (very high, high, medium, low, or zero)
The percentage and indicator level are configured in the Access Control Policy Rule Base.
When you enable Hit Count, the Security Management Server collects the data from
supported Security Gateways (version R75.40 and higher).
Hit Count works independently from logging and tracks the hits even if the Track option is
None.

Note - From R81, Hit Count is also supported in the NAT Rule Base (requires Security
Gateways R81 and higher).

Enabling or Disabling Hit Count


By default, Hit Count is globally enabled for all supported Security Gateways. The timeframe
setting that defines the data collection time range is configured globally. If necessary, you can
disable Hit Count for one or more Security Gateways.
After you enable or disable Hit Count you must install the Policy for the Security Gateway to
start or stop collecting data.
To enable or disable Hit Count globally

1. In SmartConsole, click Menu > Global properties.


2. Select Hit Count from the tree.
3. Select the options:
   - Enable Hit Count - Select to enable or clear to disable all Security Gateways to
     monitor the number of connections each rule matches.
   - Keep Hit Count data up to - Select one of the time range options. The default is
     3 months. Data is kept in the Security Management Server database for this
     period and is shown in the Hits column.
4. Click OK.
5. Install the Policy.

To enable or disable Hit Count on each Security Gateway:


1. From the Gateway Properties for the Security Gateway, select Hit Count from the
navigation tree.
2. Select Enable Hit Count to enable the feature or clear it to disable Hit Count.
3. Click OK.

4. Install the Policy.

Hit Count Display


Configuring the Hit Count Display

These are the options you can configure for how matched connection data is shown in the
Hits column:
n Value - Shows the number of matched hits for the rule from supported Security
Gateways. Connection hits are not accumulated in the total Hit Count for:
l Security Gateways that are not supported
l Security Gateways that have disabled the Hit Count feature
A rule that is installed only on such Security Gateways therefore shows zero hits even if
it matches traffic, so check which gateways report before you treat a zero-hit rule as unused.
The values are shown with these letter abbreviations:
l K = 1,000
l M = 1,000,000
l G = 1,000,000,000
l T = 1,000,000,000,000
For example, 259K represents 259 thousand connections, and 2M represents 2
million connections.
n Percentage - Shows the percentage of the number of matched hits for the rule from
the total number of matched connections. The percentage is rounded to a tenth of a
percent.
n Level - The Hit Count level is a label for the range of hits according to the table.


The Hit Count range = Maximum hit value - Minimum hit value, calculated over the rules that
have at least one hit (rules with zero hits are not included in the range).

Hit Count Level | Range
Zero            | 0 hits
Low             | Less than 10 percent of the Hit Count range
Medium          | Between 10 and 70 percent of the Hit Count range
High            | Between 70 and 90 percent of the Hit Count range
Very High       | Above 90 percent of the Hit Count range
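The following is an added example, not code from the guide or from Check Point, that reproduces the three display modes of the Hits column (Value, Percentage, Level) for a list of rules and lists the rules that never matched. It assumes that a rule's Level is its position inside the Hit Count range, (hits - minimum) / (maximum - minimum) with minimum and maximum taken over rules that have at least one hit, that the 10/70/90 percent boundaries are lower-inclusive, and that the K/M/G/T abbreviation keeps one decimal when the value is not a whole multiple. The rule names and hit counts are constructed sample data.

```python
"""Reproduce the Hit Count display values for a rule base and flag rules
that never matched (added example; not Check Point code)."""

ABBREVIATIONS = ((10**12, "T"), (10**9, "G"), (10**6, "M"), (10**3, "K"))


def abbreviate(hits):
    """Format a hit count the way the Hits column shows it (259K, 2M, ...).
    Assumption: one decimal is kept when the value is not a whole multiple."""
    for threshold, suffix in ABBREVIATIONS:
        if hits >= threshold:
            text = f"{hits / threshold:.1f}".rstrip("0").rstrip(".")
            return text + suffix
    return str(hits)


def hit_level(hits, lowest, highest):
    """Map a hit count to Zero / Low / Medium / High / Very High.
    Assumption: the level is the rule's position inside the range."""
    if hits == 0:
        return "Zero"
    hit_range = highest - lowest          # zero-hit rules are excluded from the range
    if hit_range == 0:                    # every rule with hits matched equally (assumed)
        return "Very High"
    position = (hits - lowest) / hit_range
    if position < 0.10:
        return "Low"
    if position < 0.70:
        return "Medium"
    if position < 0.90:
        return "High"
    return "Very High"


def summarize(rules):
    """rules: list of (rule_name, hits). Returns one dict per rule, in rule
    order, with the Value, Percentage and Level display modes."""
    total = sum(hits for _, hits in rules)
    nonzero = [hits for _, hits in rules if hits > 0]
    lowest, highest = (min(nonzero), max(nonzero)) if nonzero else (0, 0)
    return [
        {
            "rule": name,
            "value": abbreviate(hits),
            "percentage": round(100.0 * hits / total, 1) if total else 0.0,  # tenth of a percent
            "level": hit_level(hits, lowest, highest),
        }
        for name, hits in rules
    ]


def unused_rules(rules):
    """Rules with zero hits over the timeframe: candidates for removal, or
    for a check of why the expected traffic never arrives."""
    return [name for name, hits in rules if hits == 0]


# Constructed sample: hit counts of five rules over a 3-month timeframe.
SAMPLE_RULES = [
    ("Allow DNS to resolvers", 2_000_000),
    ("Allow HTTPS outbound", 259_000),
    ("Admin SSH to jump host", 1_200),
    ("Legacy FTP to vendor", 0),
    ("Cleanup (drop all)", 40_000),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_RULES):
        print(f"{row['rule']:<24} {row['value']:>6} {row['percentage']:>5}% {row['level']}")
    print("zero-hit rules:", unused_rules(SAMPLE_RULES))
```

Zero-hit rules deserve attention before deletion: a rule can show zero because its traffic stopped, because it is shadowed by a rule above it, or because the only gateways that enforce it do not report Hit Count.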

To show the Hit Count in the Rule Base:


Right-click the heading row of the Rule Base and select Hits.

To configure the Hit Count in a rule

1. Right-click the rule number of the rule.


2. Select Hit Count and one of these options (you can repeat this action to configure
more options):
n Timeframe - Select All, 1 day, 7 days, 1 month, or 3 months
n Display - Select Percentage, Value, or Level

To update the Hit Count in a rule

1. Right-click the rule number of the rule.


2. Select Hit Count > Refresh.


Preventing IP Spoofing
In IP spoofing, an attacker forges the source IP address of packets, replacing the real
(untrusted) address with one that your network trusts, to hijack connections to your network.
Attackers use IP spoofing to send malware and bots to your protected network, to execute DoS
attacks, or to gain unauthorized access.
Anti-Spoofing checks whether a packet whose source IP address belongs to the network behind
one interface arrives on a different interface. For example, if a packet that arrives from an
external network has an internal source IP address, Anti-Spoofing blocks that packet.

Example:
The diagram shows a Security Gateway with interfaces 2, 3, and 4, and some example networks
behind the interfaces.

For the Security Gateway, Anti-Spoofing makes sure that:
n All incoming packets to 2 come from the Internet (1)
n All incoming packets to 3 come from [Link]
n All incoming packets to 4 come from [Link] or [Link]

If an incoming packet to 2 has a source IP address in network [Link], the packet is blocked,
because the source address is spoofed.
When you configure Anti-Spoofing protection on a Check Point Security Gateway interface, the
check is based on the interface topology. The interface topology defines where the interface
Leads To (for example, External (Internet) or Internal) and the Security Zone of the interface.
Configuring Anti-Spoofing

Make sure to configure Anti-Spoofing protection on all the interfaces of the Security
Gateway, including internal interfaces.


To configure Anti-Spoofing for an interface:


1. In SmartConsole, from the left navigation panel, click Gateways & Servers and
double-click the Security Gateway object.
The Gateway Properties window opens.
2. From the navigation tree, select Network Management.
3. Click Get Interfaces.
4. Click Accept.
The Security Gateway network topology shows. If SmartConsole fails to automatically
retrieve the topology, make sure that the details in the General Properties section are
correct and the Security Gateway, the Security Management Server, and the
SmartConsole can communicate with each other.
5. Select an interface and click Edit.
The interface properties window opens.
6. From the navigation tree, click General.
7. In the Topology section of the page, click Modify.
The Topology Settings window opens.
8. In the Leads To section, select the type of network, to which this interface leads:
n Internet (External) - This is the default setting. It is automatically calculated from
the topology of the Security Gateway. To update the topology of an internal
network after changes to static routes, click Network Management > Get
Interfaces in the Gateway Properties window.
n Override - Override the default setting.

If you Override the default setting:


n Internet (External) - All external/Internet addresses


n This Network (Internal) -
l Not Defined - All IP addresses behind this interface are considered a part
of the internal network that connects to this interface
l Network defined by the interface IP and Net Mask - Only the network
that directly connects to this internal interface
l Network defined by routes - The Security Gateway dynamically
calculates the topology behind this interface. If the network of this interface
changes, there is no need to click Get Interfaces and install a policy. For
more, see "Dynamically Updating the Security Gateway Topology" on
page 230.
l Specific - A specific object (a Network, a Host, an Address Range, or a
Network Group) behind this internal interface
l Interface leads to DMZ - The DMZ that directly connects to this internal
interface
9. Optional: In the Security Zone section, select User defined, check Specify Security
Zone and choose the zone of the interface.
10. Configure Anti-Spoofing options (see "Anti-Spoofing Options" on the next page).
Make sure that Perform Anti-Spoofing based on interface topology is selected.
11. Select an Anti-Spoofing action:
n Prevent - Drops spoofed packets
n Detect - Allows spoofed packets. To monitor traffic and to learn about the
network topology without dropping packets, select this option together with the
Spoof Tracking Log option.
12. Configure Anti-Spoofing exceptions (optional). For example, configure addresses,
from which packets are not inspected by Anti-Spoofing:

a. Select Don't check packets from.


b. Select an object from the drop-down list, or click New to create a new object.
13. Configure Spoof Tracking - select the tracking action that is done when spoofed
packets are detected:
n Log - Create a log entry (default)
n Alert - Show an alert
n None - Do not log or alert
14. Click OK twice to save Anti-Spoofing settings for the interface.
For each interface, repeat the configuration steps. When finished, install the Access Control
policy.


Anti-Spoofing Options
n Perform Anti-Spoofing based on interface topology - Select this option to enable
spoofing protection on this interface. The interface topology (Leads To) defines which
source IP addresses are legitimate on it.
n Anti-Spoofing action is set to - Defines whether spoofed packets are dropped (the
Prevent option) or only monitored (the Detect option). Use Detect together with one of
the tracking options; it serves as a tool for learning the topology of a network without
dropping packets. Switch to Prevent once the logs no longer show legitimate traffic being
flagged.
n Don't check packets from - Select this option to exclude specific sources from
Anti-Spoofing on this interface, for example internal networks with valid addresses whose
traffic legitimately reaches the external interface. Define a network object that
represents those addresses and select it from the drop-down list. The Anti-Spoofing
enforcement mechanism disregards packets from the selected objects, so keep this list as
small as possible: every address in it can be spoofed without detection.
n Spoof Tracking - Select a tracking option (Log, Alert, or None).
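The topology-based decision described above, as an added example that is not code from the guide or from Check Point. It assumes that an interface whose topology Leads To Internal may only receive packets whose source is in the networks behind it, that the External interface may receive any source that is not behind some internal interface, and that objects in the Don't check packets from list bypass the check on every interface. The interface names, networks and packets are constructed.

```python
"""Anti-Spoofing verdict from interface topology, Detect/Prevent action and
Spoof Tracking (added example; not Check Point code)."""
from ipaddress import ip_address, ip_network

# Constructed topology: one external interface, two internal ones.
INTERFACES = {
    "eth0": {"leads_to": "External", "networks": []},
    "eth1": {"leads_to": "Internal", "networks": [ip_network("10.10.0.0/16")]},
    "eth2": {"leads_to": "Internal", "networks": [ip_network("10.20.0.0/16"),
                                                  ip_network("10.30.0.0/16")]},
}

# "Don't check packets from": a constructed partner range that legitimately
# arrives on the external interface although it overlaps an internal network.
DONT_CHECK = [ip_network("10.30.99.0/24")]


def internal_networks():
    """Every network that sits behind some Internal interface."""
    return [net for iface in INTERFACES.values()
            if iface["leads_to"] == "Internal" for net in iface["networks"]]


def is_spoofed(ingress, src):
    """True when a packet with source `src` should not have entered `ingress`."""
    src = ip_address(src)
    if any(src in net for net in DONT_CHECK):
        return False                                   # excluded from the check
    iface = INTERFACES[ingress]
    if iface["leads_to"] == "External":
        return any(src in net for net in internal_networks())
    return not any(src in net for net in iface["networks"])


def anti_spoofing(ingress, src, action="Prevent", track="Log"):
    """Return (verdict, tracking record). Prevent drops spoofed packets;
    Detect lets them through but still produces the Spoof Tracking record."""
    if not is_spoofed(ingress, src):
        return "accept", None
    verdict = "drop" if action == "Prevent" else "accept"
    record = None if track == "None" else (
        f"{track.lower()}: spoofed packet src={src} on {ingress} ({action})")
    return verdict, record


# Constructed packets: (ingress interface, source address)
SAMPLE_PACKETS = [
    ("eth0", "203.0.113.7"),   # Internet host on the external interface: legitimate
    ("eth0", "10.10.5.5"),     # internal address arriving from the Internet: spoofed
    ("eth1", "10.10.5.5"),     # correct interface for 10.10.0.0/16: legitimate
    ("eth1", "10.20.1.1"),     # belongs behind eth2 but arrived on eth1: spoofed
    ("eth0", "10.30.99.4"),    # in the don't-check range: never inspected
]

if __name__ == "__main__":
    for iface, src in SAMPLE_PACKETS:
        print(iface, src, anti_spoofing(iface, src))
```

Run the same packets with action="Detect" first: every spoofed packet is still logged, nothing is dropped, and the log tells you which interface topology is incomplete before you switch to Prevent.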


Configuring the NAT Policy


This chapter describes how to configure NAT (Network Address Translation) on a Check Point
Security Gateway: Automatic and Manual NAT rules for IPv4 and IPv6, NAT46, and NAT64.
NAT64 (Network Address Translation from IPv6 to IPv4) enables communication between IPv6-only
clients and IPv4-only servers. The configuration involves defining rules on a Check Point
Security Gateway to translate packet headers using the IPv4/IPv6 Translation Algorithm
(RFC 6145, since obsoleted by RFC 7915). The Security Gateway performs N:M translation,
supporting scenarios like Hide NAT behind a single IPv4 address or a range of addresses.

Getting Started with NAT


1. Learn about types of NAT Rules and types of NAT Methods (below in this topic).

2. Follow the applicable procedure:


n "Working with Automatic NAT Rules" on page 427 (for IPv4 or IPv6 translation)
n "Working with Manual NAT Rules" on page 437 (for IPv4 or IPv6 translation)
n "Working with NAT46 Rules" on page 444 (for IPv4-to-IPv6 translation)
n "Working with NAT64 Rules" on page 459 (for IPv6-to-IPv4 translation)
3. Configure the applicable NAT advanced settings (see " Advanced NAT Settings" on
page 480).
4. Install the Access Control Policy.

Introduction
NAT (Network Address Translation) is a feature of the Firewall Software Blade that replaces
IPv4 and IPv6 addresses in packets. NAT hides the internal addressing of a network, so internal
IP addresses are not shown to the Internet. NAT is not a substitute for Access Control rules:
traffic to a translated address is still matched against the Access Control Policy.
The Security Gateway can change:
n The source IP address in a packet.
n The destination IP address in a packet.
n The TCP / UDP port in a packet.
Example flow

1. An internal computer sends a packet to an external computer


2. The Security Gateway translates the source IP address to a new one.
3. The packet comes back from the external computer


4. The Security Gateway translates the new IP address back to the original IP address.
5. The packet from the external computer goes to the correct internal computer.

Types of NAT Rules


In SmartConsole, you can create these types of NAT rules:

NAT Rules | How to create these NAT rules? | How to change these NAT rules?
Automatic NAT Rules | The Management Server creates these rules automatically, based on the NAT settings you configure in the objects' properties (on the NAT page). | You must change the NAT settings in the objects' properties, on the NAT page.
Manual NAT Rules | You create these rules: select all objects and the NAT method. | You change these rules directly in the NAT Rule Base.

Important - The supported number of NAT rules in each policy is limited. See the R82
Release Notes > section "Maximum Supported Items".


Types of NAT Methods


You can configure one of these NAT methods for Automatic NAT Rules and in Manual NAT
Rules:
Hide

The Security Gateway changes the source IP address of all connections from a source to
the same IP address - either that of the Security Gateway's outgoing interface, or an IP
address you configure.

Hide > Hide behind gateway


The Security Gateway changes the source IP address of all connections from a source to
the same IP address of the Security Gateway's outgoing interface.

Hide > Hide behind IP address

The Security Gateway changes the source IP address of all connections from a source to
the same IP address you configure.

Notes:
n When you configure Hide NAT, connections can only start from internal
computers.
The Security Gateway does not allow external traffic to access internal resources,
because there is no mapping for a connection that was not opened from the inside.
n If you enable this configuration in an object that represents one IP address (a
Host object), then this gives you a one-to-one address translation.
n If you enable this configuration in an object that represents many IP
addresses (a Network object, an Address Range object), then this gives you
a many-to-one address translation.
n The Security Gateway uses port numbers to translate all specified internal IP
addresses to a single external IP address - port numbers from 600 to 1023,
and from 10,000 to 60,000.
The Security Gateway can translate up to 50,000 connections at the same
time behind one Hide IP address, which is the size of this port pool.
n You cannot use Hide NAT for these configurations:
l Traffic that uses protocols where the port number cannot be changed.
l An external server that uses IP addresses to identify different computers
and clients.


Example diagram

Item Description

1 Internal computers

2 Security Gateway configured with Hide NAT

3 External computers and servers on the Internet

Sample Hide NAT Workflow

1. Internal computer A ([Link]) sends a packet to an external computer.
2. The Security Gateway intercepts the packet and translates the source IP address
from [Link] to [Link], and the source port to 11000.
3. The external computer sends back a packet to [Link], to port 11000.
4. The Security Gateway translates the packet's destination IP address from [Link] to
[Link] and sends it to internal computer A.

Flow diagram (outbound): Internal computer A ([Link]) sends packet to Internet -->
Security Gateway translates this address from [Link] to [Link], and port 11000 -->
Internet receives packet from [Link], from port 11000.
Flow diagram (return): Internet sends packet back to [Link], to port 11000 --> Security
Gateway translates this address from [Link] to [Link] --> Internal computer A ([Link])
receives packet.


Static

The Security Gateway translates the IP address of the object to the IP address you
configure, in both directions: the source IP address of connections that the object
opens, and the destination IP address of connections that external computers open to
the translated address.

Notes:
n When you configure Static NAT, the Security Gateway allows external traffic
to access internal resources (subject to the Access Control Policy).
n If you enable this configuration in an object that represents one IP address (a
Host object), then this gives you a one-to-one address translation.
n If you enable this configuration in an object that represents many IP
addresses (a Network object, an Address Range object), then this gives you
a many-to-many address translation: the Security Gateway translates each
internal IP address to a different external IP address, one-to-one.
Important - The range of the translated IP addresses must be the same size as the
range of the source IP addresses.

Example diagram

Item Description

1 Internal computers

2 Security Gateway configured with Static NAT

3 External computers and servers on the Internet


Example traffic flow with Static NAT

1. An external computer on the Internet sends a packet to [Link].
2. The Security Gateway translates the destination IP address from [Link] to [Link] and
sends the packet to internal computer A.
3. Internal computer A ([Link]) sends back a packet to the external computer.
4. The Security Gateway intercepts the packet and translates the source IP address
from [Link] to [Link].
5. Internal computer B ([Link]) sends a packet to an external computer.
6. The Security Gateway intercepts the packet and translates the source IP address from
[Link] to [Link].

Flow diagram (inbound): Internet sends packet to [Link] --> Security Gateway translates
this address from [Link] to [Link] --> Internal computer A ([Link]) receives packet.
Flow diagram (outbound, computer A): Internal computer A ([Link]) sends packet to Internet
--> Security Gateway translates this address from [Link] to [Link] --> Internet receives
packet from [Link].
Flow diagram (outbound, computer B): Internal computer B ([Link]) sends packet to Internet
--> Security Gateway translates this address from [Link] to [Link] --> Internet receives
packet from [Link].
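The two NAT methods side by side, as an added example that is not code from the guide or from Check Point. It models Hide NAT as a many-to-one translation keyed by the translated source port, drawn from the port ranges stated above (600-1023 and 10,000-60,000), and Static NAT as a one-to-one mapping of an internal range onto a public range of equal size. The addresses are constructed; taking the next free port from the pool is an assumption, the real allocation strategy is not described on this page.

```python
"""Hide NAT (port-multiplexed, outbound only) versus Static NAT (1:1, both
directions). Added example; not Check Point code."""
from ipaddress import ip_address, ip_network


class HideNat:
    """All sources share one public IP; the translated source port keys the
    reverse mapping, so only internally initiated connections can work."""
    PORT_POOL = list(range(600, 1024)) + list(range(10_000, 60_001))

    def __init__(self, hide_ip):
        self.hide_ip = hide_ip
        self.free_ports = list(self.PORT_POOL)
        self.table = {}                         # (hide_ip, port) -> (src_ip, src_port)

    def outbound(self, src_ip, src_port):
        """Internal host opens a connection: allocate a port, remember the mapping."""
        if not self.free_ports:
            raise RuntimeError("Hide NAT port pool exhausted")
        port = self.free_ports.pop(0)           # assumption: next free port
        self.table[(self.hide_ip, port)] = (src_ip, src_port)
        return self.hide_ip, port

    def inbound(self, dst_ip, dst_port):
        """Packet from the Internet. Returns the real destination, or None
        when no session exists, which is why external hosts cannot open
        connections to hidden addresses."""
        return self.table.get((dst_ip, dst_port))


class StaticNat:
    """1:1 mapping of an internal range onto a public range of equal size;
    works in both directions, so external hosts can reach the servers."""

    def __init__(self, internal_net, public_net):
        internal = list(ip_network(internal_net).hosts())
        public = list(ip_network(public_net).hosts())
        if len(internal) != len(public):
            raise ValueError("Static NAT ranges must be the same size")
        self.out_map = dict(zip(internal, public))
        self.in_map = dict(zip(public, internal))

    def outbound(self, src_ip):
        return str(self.out_map[ip_address(src_ip)])

    def inbound(self, dst_ip):
        return str(self.in_map[ip_address(dst_ip)])


def demo():
    """Constructed scenario: two internal hosts behind Hide NAT, one /29 behind Static NAT."""
    hide = HideNat("198.51.100.1")
    a = hide.outbound("10.0.0.5", 40001)                # computer A opens a session
    b = hide.outbound("10.0.0.6", 40001)                # computer B, same source port
    reply_a = hide.inbound(*a)                          # reply to A finds its entry
    unsolicited = hide.inbound("198.51.100.1", 443)     # nobody opened this: dropped
    static = StaticNat("10.0.1.0/29", "198.51.100.8/29")
    return {
        "hide_a": a, "hide_b": b, "reply_a": reply_a, "unsolicited": unsolicited,
        "static_in": static.inbound("198.51.100.10"),
        "static_out": static.outbound("10.0.1.2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>11}: {value}")
```

The `unsolicited` lookup is the practical meaning of "connections can only start from internal computers": without a table entry the gateway has no idea which internal host a packet to the Hide address is for. `StaticNat` raises on ranges of different sizes, which is the same constraint the Important note above states for Static NAT on a Network or Address Range object.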

NAT Rules in SmartConsole


The NAT Rule Base has two sections that specify how the IP addresses and ports are
translated:
n Original - with columns Source, Destination, and Services (the packet before translation)
n Translated - with columns Source, Destination, and Services (the packet after translation;
"= Original" means the field is not changed)


Example of Automatic NAT Rules

No. | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On | Comments
Automatic Generated Rules
NAT Rules for X (Y-Z)
1 | Object1 | Object2 | Any | = Original | = Original | = Original | Policy Targets |
2 | Object3 | Object4 | Any | S Object5 | S Object6 | = Original | Policy Targets |
3 | Object7 | Object8 | Any | H Object9 | H Object10 | = Original | Policy Targets |

(S = Static NAT, H = Hide NAT)

Example of a Manual NAT rule

No. | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On | Comments
Automatic Generated Rules
Manual Lower Rules
4 | Object11 | Object12 | Any | S Object13 | = Original | = Original | Policy Targets |
5 | Object14 | Object15 | Any | = Original | S Object16 | = Original | Policy Targets |


Order of NAT Rule Enforcement


The Security Gateway enforces the NAT Rule Base in a sequential manner - in the order you
place the rules in the NAT Policy (see the No. column).
The Security Gateway enforces Automatic NAT and Manual NAT rules in different ways.
Explanation

n Manual NAT rules - The Security Gateway enforces the first Manual NAT rule that
matches a connection. The Security Gateway does not examine other Manual NAT
rules.
n Automatic NAT rules - The Security Gateway can enforce two Automatic NAT rules
that match a connection - one rule for the Source and one for the Destination. When a
connection matches two Automatic NAT rules, the Security Gateway enforces those
rules.

Note - SmartConsole organizes the Automatic NAT rules in this order:


1. Static NAT rules for the Security Gateway, or Host (computer or server)
objects
2. Hide NAT rules for the Security Gateway, or Host objects
3. Static NAT rules for Network or Address Range objects
4. Hide NAT rules for Network or Address Range objects


Working with Automatic NAT Rules


You can create Automatic NAT rules for these objects:
n Security Gateways
n Hosts
n Networks
n Address Ranges
The Management Server creates two Automatic NAT rules for Static NAT, to translate the
source and the destination of the packets.
For Hide NAT, one rule translates the source of the packets.

For Network and Address Range objects, the Management Server creates a different rule to
NOT translate intranet traffic. IP addresses for computers on the same object are not
translated.
This table summarizes the Automatic NAT rules:

Type of Traffic | Automatic NAT - Static | Automatic NAT - Hide
Internal to external | Rule translates source IP address | Rule translates source IP address
External to internal | Rule translates destination IP address | N/A (external connections are not allowed)
Intranet (for Network and Address Range objects) | Rule does not translate IP address | Rule does not translate IP address

Example of Automatic NAT Rules


Static NAT for a Network object

No. | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On | Comments
Automatic Generated Rules
NAT Rules for HR (1-3)
1 | HR | HR | Any | = Original | = Original | = Original | Policy Targets |
2 | HR | Any | Any | S HR (Valid Address) | = Original | = Original | Policy Targets |
3 | Any | HR | Any | = Original | S HR (Valid Address) | = Original | Policy Targets |

1. Intranet connections in the HR network are not translated.


The Security Gateway does not translate a connection between two computers that
are part of the HR object.
The Security Gateway does not apply rules 2 and 3 to traffic that matches rule 1.
2. Connections from IP addresses from the HR network to any IP address (usually
external computers) are translated to the Static NAT IP address.
3. Connections from any IP address (usually external computers) to the HR are
translated to the Static NAT IP address.

Hide NAT for an Address Range object

No. | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On | Comments
Automatic Generated Rules
NAT Rules for Sales (1-2)
1 | Sales | Sales | Any | = Original | = Original | = Original | Policy Targets |
2 | Sales | Any | Any | H Sales (Hiding Address) | = Original | = Original | Policy Targets |

1. Intranet connections in the Sales address range are not translated.


The Firewall does not translate a connection between two computers that use IP
addresses that are included in the Sales object.

The Firewall does not apply rule 2 to traffic that matches rule 1.
2. Connections from IP addresses from the Sales address range to any IP address
(usually external computers) are translated to the Hide NAT IP address.
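The rule generation and the enforcement order described in "Order of NAT Rule Enforcement" and in the HR and Sales examples above, as one added example that is not code from the guide or from Check Point. It derives the Automatic NAT rules from each object's NAT settings, sorts them in the order SmartConsole uses (Static host, Hide host, Static network, Hide network), and matches a connection so that at most one source rule and one destination rule apply while an intranet rule suppresses translation; Manual NAT rules are first-match only. The object names, networks and manual rules are constructed, and translating a Static NAT network address by its offset inside the valid range is an assumption.

```python
"""Automatic NAT rule generation, SmartConsole ordering, and the two
matching modes (added example; not Check Point code)."""
from ipaddress import ip_address, ip_network

# Constructed objects: name -> (kind, network, method, translated address/network)
OBJECTS = {
    "LAN":        ("network", "10.1.0.0/24",  "hide",   "198.51.100.1"),
    "HR":         ("network", "10.2.0.0/24",  "static", "203.0.113.0/24"),
    "Web_Server": ("host",    "10.0.0.10/32", "static", "198.51.100.10/32"),
}


def smartconsole_order(name):
    """Static host/gateway, Hide host/gateway, Static network/range, Hide network/range."""
    kind, _, method, _ = OBJECTS[name]
    return (kind == "network", method == "hide")


def automatic_rules():
    """(object, role) tuples in SmartConsole order. Hide objects get no
    destination rule because external connections are not allowed."""
    rules = []
    for name in sorted(OBJECTS, key=smartconsole_order):
        kind, _, method, _ = OBJECTS[name]
        if kind == "network":
            rules.append((name, "intranet"))       # X -> X, everything = Original
        rules.append((name, "source"))             # X -> Any, S/H X
        if method == "static":
            rules.append((name, "destination"))    # Any -> X, S X
    return rules


def translate(name, addr):
    """Outbound: apply the object's NAT method to a source address."""
    _, net, method, valid = OBJECTS[name]
    if method == "hide":
        return valid
    offset = int(addr) - int(ip_network(net).network_address)   # assumed 1:1 by offset
    return str(ip_network(valid).network_address + offset)


def untranslate(name, addr):
    """Inbound: map a Static NAT valid address back to the real address."""
    _, net, _, valid = OBJECTS[name]
    offset = int(addr) - int(ip_network(valid).network_address)
    return str(ip_network(net).network_address + offset)


def in_object(name, addr):
    return addr in ip_network(OBJECTS[name][1])


def in_valid(name, addr):
    _, _, method, valid = OBJECTS[name]
    return method == "static" and addr in ip_network(valid)


def match_automatic(src, dst):
    """Returns (translated src, translated dst, rules applied). At most one
    source and one destination rule apply; an intranet match ends matching."""
    src, dst = ip_address(src), ip_address(dst)
    new_src, new_dst, applied = str(src), str(dst), []
    for name, role in automatic_rules():
        done = {r for _, r in applied}
        if role == "intranet" and in_object(name, src) and in_object(name, dst):
            return new_src, new_dst, [(name, role)]
        if role == "source" and "source" not in done and in_object(name, src):
            new_src = translate(name, src)
            applied.append((name, role))
        if role == "destination" and "destination" not in done and in_valid(name, dst):
            new_dst = untranslate(name, dst)
            applied.append((name, role))
    return new_src, new_dst, applied


# Constructed Manual NAT rules: (orig src, orig dst, service, translated src, translated dst)
MANUAL_RULES = [
    ("0.0.0.0/0", "198.51.100.1/32", "http", "= Original", "10.1.0.80"),
    ("0.0.0.0/0", "198.51.100.1/32", "smtp", "= Original", "10.1.0.25"),
]


def match_manual(src, dst, service):
    """The first Manual NAT rule that matches wins; the rest are not examined."""
    src, dst = ip_address(src), ip_address(dst)
    for osrc, odst, svc, xsrc, xdst in MANUAL_RULES:
        if src in ip_network(osrc) and dst in ip_network(odst) and svc == service:
            return (str(src) if xsrc == "= Original" else xsrc,
                    str(dst) if xdst == "= Original" else xdst)
    return None


if __name__ == "__main__":
    print(automatic_rules())
    print(match_automatic("10.2.0.7", "10.2.0.9"))        # intranet: not translated
    print(match_automatic("10.1.0.5", "198.51.100.10"))   # source rule + destination rule
    print(match_manual("192.0.2.50", "198.51.100.1", "http"))
```

The third call shows the case the text describes as two Automatic NAT rules on one connection: a LAN host reaching the Web server's valid address gets its source hidden by the LAN rule and its destination mapped back by the Web_Server rule. The manual rules reuse the LAN's Hide address as the public address of two DMZ services, the pattern of the Manual NAT example deployment later in this chapter.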


Configuring Automatic NAT


Configure the NAT settings in each object, for which you need to create Automatic NAT rules,
and configure the Access Control rules to allow traffic to the applicable objects.
Procedure

1. From the left navigation panel, click Gateways & Servers.


2. Double-click the Security Gateway object.
The General Properties window of the gateway opens.
3. From the navigation tree, select NAT > Advanced.
4. Select Add automatic address translation rules to hide this Gateway behind
another Gateway.
5. Select the Translation method: Hide or Static.
6. Configure the NAT IP address for the object.
n Hide behind Gateway - Uses the IP address of the corresponding Security
Gateway's interface
n Hide behind IP address - Enter the IP address.
7. Click Install on Gateway and select All or the Security Gateway that translates the IP
address.
8. Click OK.

9. Install the Access Control Policy.


Example Deployment
Example

The goal for this sample deployment is to configure:


n Static NAT for the Email server and the Web server on the internal network.
These servers can be accessed from the Internet using public addresses.
n Hide NAT for the users on the internal network that gives them Internet access.
This network cannot be accessed from the Internet.


Item | Description
1 | Internal computers (Alaska_LAN, IPv6 2001:db8::/64)
2 | Web server (Alaska_Web, IPv6 2001:db8:0:10::5 is translated to IPv6 2001:db8:0:a::5)
3 | Mail server (Alaska_Mail, IPv6 2001:db8:0:10::6 is translated to IPv6 2001:db8:0:a::6)
4 | Security Gateway (Alaska_GW, external IPv6 2001:db8:0:a::1)
5 | External computers and servers on the Internet

Configuration Procedure:

1. Configure Automatic Static NAT for the Web server:
a. Double-click the Alaska_Web object.
b. From the left, click NAT.
c. Select Add Automatic Address Translation Rules.
d. In Translation method, select Static.
e. Enter the translated address 2001:db8:0:a::5.
f. Click OK.
2. Configure Automatic Static NAT for the Mail server:
a. Double-click the Alaska_Mail object.
b. From the left, click NAT.
c. Select Add Automatic Address Translation Rules.
d. In Translation method, select Static.
e. Enter the translated address 2001:db8:0:a::6.
f. Click OK.
3. Configure Automatic Hide NAT for the internal computers:
a. Double-click the Alaska_LAN object.
b. From the left, click NAT.
c. Select Add Automatic Address Translation Rules.
d. In Translation method, select Hide.
e. Select Hide behind Gateway.
f. Click OK.
4. Install the Access Control Policy.
The Management Server creates these Automatic NAT rules in Security Policies view >
Access Control > NAT:

No. | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On | Comments
Automatic Generated Rules
NAT Rules for Alaska_Web (1-3)
1 | Alaska_Web | Alaska_Web | Any | = Original | = Original | = Original | Policy Targets |
2 | Alaska_Web | Any | Any | S Alaska_Web (Valid Address) | = Original | = Original | Policy Targets |
3 | Any | Alaska_Web | Any | = Original | S Alaska_Web (Valid Address) | = Original | Policy Targets |
NAT Rules for Alaska_Mail (4-6)
4 | Alaska_Mail | Alaska_Mail | Any | = Original | = Original | = Original | Policy Targets |
5 | Alaska_Mail | Any | Any | S Alaska_Mail (Valid Address) | = Original | = Original | Policy Targets |
6 | Any | Alaska_Mail | Any | = Original | S Alaska_Mail (Valid Address) | = Original | Policy Targets |
NAT Rules for Alaska_LAN (7-8)
7 | Alaska_LAN | Alaska_LAN | Any | = Original | = Original | = Original | Policy Targets |
8 | Alaska_LAN | Any | Any | H Alaska_LAN (Hiding Address) | = Original | = Original | Policy Targets |


Automatic Hide NAT to External Networks


For large and complex networks, it can be impractical to configure the Hide NAT settings for all
the internal IP addresses.
Explanation

An easy alternative is to enable a Security Gateway to automatically Hide NAT for all traffic
with external networks. The Security Gateway translates all traffic that goes through an
external interface to the valid IP address of that interface.
In this sample configuration, computers in internal networks open connections to external
servers on the Internet. The source IP addresses of internal clients are translated to the IP
address of an external interface.

Item | Description
1 | Internal networks
2 | Security Gateway configured with Automatic Hide NAT
2A and 2B | Two external interfaces, [Link] and [Link]
3 | External computers and servers on the Internet

Source IP addresses are translated to the IP address of the external interface through which
the connection leaves: [Link] or [Link].

Note - If a connection matches a regular NAT rule and a NAT-for-internal-networks rule, the
regular NAT rule takes precedence.


To enable Automatic Hide NAT:


1. From the left navigation panel, click Gateways & Servers.
2. Double-click the Security Gateway object.
3. From the navigation tree, click NAT.
4. Select Hide internal networks behind the Gateway's external IP.
5. Click OK.
6. Install the Access Control Policy.

Note - When you enable this option, no rule is added to the NAT Rule Base. You
can see the NAT activity in the Firewall logs.


Working with Manual NAT Rules


For some deployments, it is necessary to manually define the NAT rules.
For example:
n Rules that are restricted to specific destination IP addresses and to specific source IP
addresses
n Translating both source and destination IP addresses in the same packet.
n Static NAT in only one direction
n Translating services (destination ports)
n Rules that only use specified services (ports)
n Translating IP addresses for dynamic objects
General workflow when working with manual NAT rules:
1. Create SmartConsole objects that use the valid (NATed) IP addresses.
2. Create Manual NAT rules to translate the original IP addresses of the objects to valid IP
addresses.
3. Configure the Access Control Policy to allow traffic to the applicable translated objects
with the valid IP addresses.

Note - For Manual NAT rules, it is necessary to configure Proxy ARP entries to
associate the translated IP address. See "Automatic and Proxy ARP" on page 480.

Example of a Manual NAT Rule

No. | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On | Comments
1 | HTTP_Client | Web_Server | http | = Original | S Web_Server | = Original | Policy Targets |


Configuring Manual NAT


Procedure

1. From the left navigation tree, click Security Policies.


2. Click Access Control > NAT.
3. Add a new rule in one of these ways:
n From the top toolbar, click the Add Rule icon (the leftmost icon).
n If there are existing Manual NAT rules, then right-click in the No. column of the
applicable rule > in the line New Rule, click Above or Below.
4. In the new rule, select the required objects and configure the required translation.

If the required objects do not exist, you can create them in the selection window (in the
top right corner, click New).
5. Install the Access Control Policy.

Configuring Hide NAT behind Address Range

By default, when an administrator configures a Hide NAT rule and in the Translated Source
column selects an Address Range object, the Security Gateway selects a Hide IP address
from this range based only on the connection's source IP address.
You can configure the Security Gateway to select a Hide IP address from the configured
range based on the connection's source IP address and source port:

1. Connect to the command line on the Security Gateway / each Cluster Member.
2. Enable the corresponding kernel parameter. Run:
fw ctl set -f int fwx_hide_range_with_port 1

3. Reboot the Security Gateway / each Cluster Member.

Note - In a cluster, this can cause a failover.
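The effect of the two selection modes, as an added example that is not code from the guide or from Check Point. The selection hash is illustrative only; Check Point's actual selection function is not documented on this page, so the specific Hide IP a connection gets here means nothing for a real gateway. The Address Range and the connections are constructed.

```python
"""Hide NAT behind an Address Range: source-IP-only selection (default)
versus source IP and port (fwx_hide_range_with_port=1). Added example;
not Check Point code, and the hash is illustrative only."""
import hashlib
from collections import Counter

# Constructed Translated Source range of four Hide IP addresses.
HIDE_RANGE = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]


def select_hide_ip(src_ip, src_port, with_port=False):
    """Pick one IP from the range for this connection. Illustrative hash:
    a stable digest of the key, reduced modulo the range size."""
    key = f"{src_ip}:{src_port}" if with_port else src_ip
    digest = hashlib.sha256(key.encode()).digest()
    return HIDE_RANGE[int.from_bytes(digest[:4], "big") % len(HIDE_RANGE)]


def distribution(connections, with_port=False):
    """Count how many of the connections land on each Hide IP."""
    return Counter(select_hide_ip(ip, port, with_port) for ip, port in connections)


# Constructed: one busy internal host opening 40 connections from different ports.
SAMPLE = [("10.1.0.5", port) for port in range(40000, 40040)]

if __name__ == "__main__":
    print("source IP only:    ", dict(distribution(SAMPLE)))
    print("source IP and port:", dict(distribution(SAMPLE, with_port=True)))
```

With the default, every connection from one internal host leaves from the same Hide IP, so one busy host can exhaust that single address's port pool while the rest of the range sits idle. With the port included, the host's connections spread over the range, but the host is then seen from several public addresses, which breaks external servers that identify a client by its IP address (one of the Hide NAT limitations listed earlier in this chapter).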

Example Deployment
Example

This example configuration shows how to let external computers access an internal web
server and an internal mail server in a DMZ network from one IP address.
To do this, you must configure Hide NAT for the DMZ network object and create manual
NAT rules for the servers.


Item | Description
1 | External computers and servers on the Internet
2 | Security Gateway (Alaska_GW, external IPv6 2001:db8:0:c::1)
3 | DMZ network (Alaska_DMZ, IPv6 2001:db8:a::/128)
4 | Web server (Alaska_DMZ_Web, IPv6 2001:db8:a::35:5 is translated to IPv6 2001:db8:0:c::1)
5 | Mail server (Alaska_DMZ_Mail, IPv6 2001:db8:a::35:6 is translated to IPv6 2001:db8:0:c::1)

Configuration Procedure:
1. Configure Automatic Hide NAT for the DMZ network:

a. Double-click the Network object Alaska_DMZ.


b. From the left, click NAT.
c. Select Add Automatic Address Translation Rules.

d. In Translation method, select Hide.


e. Select Hide behind Gateway.
f. Click OK.
The Management Server creates these Automatic NAT rules in Security Policies view
> Access Control > NAT:

No. | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On | Comments
Automatic Generated Rules
NAT Rules for Alaska_DMZ (1-2)
1 | Alaska_DMZ | Alaska_DMZ | Any | = Original | = Original | = Original | Policy Targets |
2 | Alaska_DMZ | Any | Any | H Alaska_DMZ (Hiding Address) | = Original | = Original | Policy Targets |

2. Create a Manual NAT rule to translate incoming HTTP traffic to the internal Web
server:


a. In SmartConsole, go to Security Policies view > Access Control > NAT.


b. Add a new rule (#3) below the existing Automatic NAT rules.
c. Select these objects:

No. | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On | Comments
1 | Alaska_DMZ | Alaska_DMZ | Any | = Original | = Original | = Original | Policy Targets |
2 | Alaska_DMZ | Any | Any | H Alaska_DMZ (Hiding Address) | = Original | = Original | Policy Targets |
3 | Any | Alaska_GW | http | = Original | S Alaska_DMZ_Web | = Original | Policy Targets |

3. Create a Manual NAT rule to translate incoming SMTP traffic to the internal Mail
server:

a. Add a new rule (#4) below the existing NAT rules.


b. Select these objects:

No. | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On | Comments
1 | Alaska_DMZ | Alaska_DMZ | Any | = Original | = Original | = Original | Policy Targets |
2 | Alaska_DMZ | Any | Any | H Alaska_DMZ (Hiding Address) | = Original | = Original | Policy Targets |
3 | Any | Alaska_GW | http | = Original | S Alaska_DMZ_Web | = Original | Policy Targets |
4 | Any | Alaska_GW | smtp | = Original | S Alaska_DMZ_Mail | = Original | Policy Targets |

4. Create an Access Control rule to allow the incoming HTTP and SMTP traffic to the
internal servers:

a. In SmartConsole, go to Security Policies > Access Control > NAT.


b. Add a new rule.
c. Select these objects:

No. | Name | Source | Destination | VPN | Services & Applications | Action | Track | Install On
... | Incoming HTTP and SMTP traffic to internal servers | Any | Alaska_DMZ | Any | http, smtp | Accept | Log | Policy Targets

5. Install the Access Control Policy.

Working with NAT46 Rules


Note - NAT46 rules are only supported on Security Gateways and Cluster Members
R80.20 and higher.

Overview
NAT46 rules translate IPv4 traffic to IPv6 traffic without maintaining any session information on
a Security Gateway.
Properties of Stateless NAT46

n Performs 1:1 IP address mapping.


n The system generates the translated source IPv6 address as a combination of these
two parts:
1. A user-defined Network object with an IPv6 address defined with the 96-bit
prefix.
2. The source IPv4 address, which is added as a 32-bit suffix.

NAT46 use case scenarios

n [IPv4 Network] --- (Internet) --- [Security Gateway] --- [IPv6 Network]
Common use case for Content Providers.
n [IPv4 Network] --- [Security Gateway] --- (Internet) --- [IPv6 Network]

Common use case for Enterprises.

Example of NAT46 Translation Flow

Example topology:
[IPv4 Client] --- (internal) [Security Gateway] (external) --- [IPv6 Server]
Where:

Item | Description
IPv4 Client | IPv4 real address is [Link]. IPv6 NATed address is 2001:DB8:90::[Link]/96
Security Gateway internal interface | IPv4 address is [Link]/24
Security Gateway external interface | IPv6 address is 2001:DB8:5001::1/96
IPv6 Server | IPv6 real address is 2001:DB8:5001::30/96. IPv4 NATed address is [Link]/24
IPv6 NATed network | IPv6 address of the network on the external Security Gateway side is 2001:DB8:90::/96. These IPv6 addresses are used to translate the IPv4 address of the IPv4 Client to an IPv6 address
IPv4 NATed network | IPv4 address of the network on the internal Security Gateway side is [Link]/24. These IPv4 addresses are used to translate the IPv6 address of the IPv6 Server to an IPv4 address

Traffic flow:
1. IPv4 Client opens an IPv4 connection to the NATed IPv4 address of the IPv6 Server:
From IPv4 address [Link] to IPv4 address [Link]
2. Security Gateway performs these NAT translations:
a. From the source IPv4 address [Link] to the source IPv6 address 2001:DB8:90::[Link]/96
b. From the destination IPv4 address [Link] to the destination IPv6 address 2001:DB8:5001::30
3. IPv6 Server receives this request connection as from the IPv6 address 2001:DB8:90::[Link]/96 to the IPv6 address 2001:DB8:5001::30
4. IPv6 Server replies to this connection from the IPv6 address 2001:DB8:5001::30 to the IPv6 address 2001:DB8:90::[Link]/96
5. Security Gateway performs these NAT translations:
a. From the source IPv6 address 2001:DB8:5001::30 to the source IPv4 address [Link]
b. From the destination IPv6 address 2001:DB8:90::[Link]/96 to the destination IPv4 address [Link]
6. IPv4 Client receives this reply connection as from the IPv4 address [Link] to the IPv4 address [Link]
To summarize:

n Request: [IPv4 Client] ---> [Security Gateway] ---> [IPv6 Server]

Field in packet | Original IPv4 packet | NATed IPv6 packet
Source IP | [Link] / 24 | 2001:DB8:90::[Link] / 96
Destination IP | [Link] / 24 | 2001:DB8:5001::30 / 96

n Reply: [IPv4 Client] <--- [Security Gateway] <--- [IPv6 Server]

Field in packet | Original IPv6 packet | NATed IPv4 packet
Source IP | 2001:DB8:5001::30 / 96 | [Link] / 24
Destination IP | 2001:DB8:90::[Link] / 96 | [Link] / 24
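The stateless NAT46 mapping summarized above, as an added example (this is not Check Point code and not from this guide): a Python model of the "96-bit prefix plus 32-bit IPv4 suffix" rule, with the request and the reply of the flow above run through it. Because the gateway keeps no session, the reply direction recovers the client purely from the low 32 bits of the destination address, and a reply aimed outside the /96 prefix is refused. The IPv4 addresses on this page are placeholders, so the client, NATed server and prefix values below are constructed documentation addresses; the Packet type and the function names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# Constructed sample topology (documentation ranges; the page's IPv4 values are placeholders).
CLIENT_V4 = "192.0.2.10"            # IPv4 Client real address
SERVER_NATED_V4 = "198.51.100.30"   # NATed IPv4 address of the IPv6 Server (what the client connects to)
SERVER_V6 = "2001:db8:5001::30"     # IPv6 Server real address
NAT46_PREFIX = "2001:db8:90::/96"   # IPv6 NATed network on the external side


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _prefix(prefix: str) -> IPv6Network:
    """NAT46 needs exactly a /96 prefix: 128 - 96 = 32 bits carry the IPv4 address."""
    net = IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError(f"NAT46 prefix must be /96, got /{net.prefixlen}")
    return net


def nat46_address(prefix: str, ipv4: str) -> str:
    """Translated source IPv6 address = 96-bit prefix + 32-bit IPv4 suffix (1:1, no state)."""
    return str(IPv6Address(int(_prefix(prefix).network_address) | int(IPv4Address(ipv4))))


def nat46_original(prefix: str, ipv6: str) -> str:
    """Recover the IPv4 address from a NATed IPv6 address; reject addresses outside the prefix."""
    net, addr = _prefix(prefix), IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not inside NAT46 prefix {prefix}")
    return str(IPv4Address(int(addr) & 0xFFFF_FFFF))


def translate_request(pkt: Packet) -> Packet:
    """IPv4 client -> IPv6 server: the source is embedded, the destination follows the rule's static pair."""
    if pkt.dst != SERVER_NATED_V4:
        raise ValueError("no NAT46 rule matches destination " + pkt.dst)
    return Packet(src=nat46_address(NAT46_PREFIX, pkt.src), dst=SERVER_V6)


def translate_reply(pkt: Packet) -> Packet:
    """IPv6 server -> IPv4 client: no session table; the client is recovered from the low 32 bits."""
    if IPv6Address(pkt.src) != IPv6Address(SERVER_V6):
        raise ValueError("reply is not from the translated IPv6 server: " + pkt.src)
    return Packet(src=SERVER_NATED_V4, dst=nat46_original(NAT46_PREFIX, pkt.dst))


def round_trip(client_v4: str = CLIENT_V4) -> tuple:
    """Run the request and the reply through the gateway model; returns both translated packets."""
    request = translate_request(Packet(src=client_v4, dst=SERVER_NATED_V4))
    reply = translate_reply(Packet(src=request.dst, dst=request.src))
    return request, reply


if __name__ == "__main__":
    req, rep = round_trip()
    print("request after NAT46:", req)
    print("reply after NAT46  :", rep)
```

The /96 check in _prefix is the same constraint Step 1 of the configuration below places on the interface address: with any other prefix length the 32-bit suffix would no longer line up with the IPv4 address.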

Known Limitations for NAT46


n NAT46 rules are only supported on Security Gateways and Cluster Members R80.20
and higher.
n NAT46 does not support VoIP traffic.
n NAT46 does not support FTP traffic.
n NAT46 does not support protocols that require state information between Control and
Data connections.

Configuring NAT46
Step 1 - Prepare Security Gateway / Cluster Members for NAT46

Note - In a Cluster, you must configure all the Cluster Members in the same way.

Step 1: Make sure that an IPv6 address is assigned to the interface that connects to the destination IPv6 network, and the IPv6 network prefix length is equal to 96.
Note - This can be any valid IPv6 address with the IPv6 network prefix length equal to 96.
n In Gaia Portal:
Click Network Management > Network Interfaces.
n In Gaia Clish:
Run:
show interface <Name of Interface> ipv6-address
If such an IPv6 address is not assigned yet, assign it now.
For details, see the R82 Gaia Administration Guide - Chapter Network Management - Section Network Interfaces - Section Physical Interfaces.

Step 2: Make sure that the routing is configured to send the traffic that is destined to the NATed IPv4 addresses (defined in the Translated Destination column in the NAT46 rule) through the interface that connects to the destination IPv6 network.
n In Gaia Portal:
Click Advanced Routing > Routing Monitor.
n In Gaia Clish:
Run:
show route
If such a route does not already exist, add it in Gaia Clish.
For details, see the R82 Gaia Administration Guide.
Run these commands in Gaia Clish:
1. Add the static route:
set static route <NATed Destination IPv4 Addresses>/<NATed IPv4 Net Mask> nexthop gateway logical <Name of Interface that connects to the real IPv6 Network> on
Example topology:
[IPv4 Client] --- (NATed IPv4 of IPv6 side are [Link]/24) [Security Gateway] (eth3) --- [IPv6 Server]
In such a case, configure the IPv4 route using this command:
set static route [Link]/24 nexthop gateway logical eth3 on
2. Save the configuration:
save config

Step 3: Make sure that the number of IPv6 CoreXL Firewall instances is equal to the number of IPv4 CoreXL Firewall instances.
1. Connect to the command line on the Security Gateway.
2. Log in to Gaia Clish, or Expert mode.
3. Show the number of IPv6 CoreXL Firewall instances:
fw6 ctl multik stat
4. Show the number of IPv4 CoreXL Firewall instances. Run:
fw ctl multik stat
5. If the number of IPv6 CoreXL Firewall instances is less than the number
of IPv4 CoreXL Firewall instances, then do these steps:
a. Run:
cpconfig
b. Select Check Point CoreXL
c. Select Change the number of IPv6 firewall instances
d. Configure the number of IPv6 CoreXL Firewall instances to be the
same as the number of IPv4 CoreXL Firewall instances
e. Select Exit
f. Reboot the Security Gateway
6. Connect to the command line on the Security Gateway.
7. Log in to Gaia Clish, or Expert mode.
8. Show the number of IPv6 CoreXL Firewall instances. Run:
fw6 ctl multik stat
9. Show the number of IPv4 CoreXL Firewall instances. Run:
fw ctl multik stat

Example output:

[Expert@GW:0]# fw6 ctl multik stat


ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 0 | 0
1 | Yes | 2 | 0 | 4
2 | Yes | 1 | 0 | 2
[Expert@GW:0]#
[Expert@GW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 10 | 14
1 | Yes | 2 | 6 | 15
2 | Yes | 1 | 7 | 15
[Expert@GW:0]#
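An added check for Step 3 (this is not a Check Point tool): a Python parser for the "fw ctl multik stat" / "fw6 ctl multik stat" table shown above, which counts the instance rows in each output and reports whether the IPv6 count matches the IPv4 count. The sample output embedded below is constructed in the same layout as the example above rather than captured from a gateway, and the function names are this example's own.

```python
import re
from typing import List, Tuple

# Constructed sample output in the layout shown in the example above (not captured from a real gateway).
FW_STAT = """\
[Expert@GW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 10 | 14
1 | Yes | 2 | 6 | 15
2 | Yes | 1 | 7 | 15
[Expert@GW:0]#
"""
FW6_STAT = """\
[Expert@GW:0]# fw6 ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 0 | 0
1 | Yes | 2 | 0 | 4
[Expert@GW:0]#
"""

# One instance row: "<id> | <Yes/No> | <cpu> | <connections> | <peak>"
ROW = re.compile(r"^\s*(\d+)\s*\|\s*(Yes|No)\s*\|\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(\d+)\s*$")


def parse_multik_stat(output: str) -> List[dict]:
    """Return one record per CoreXL Firewall instance; prompt, header and separator lines are ignored."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"id": int(m.group(1)), "active": m.group(2) == "Yes",
                         "cpu": int(m.group(3)), "connections": int(m.group(4)),
                         "peak": int(m.group(5))})
    return rows


def instance_count(output: str) -> int:
    """Number of CoreXL Firewall instances listed in one 'multik stat' output."""
    return len(parse_multik_stat(output))


def corexl_counts_match(fw_output: str, fw6_output: str) -> Tuple[bool, str]:
    """Apply the Step 3 requirement: the IPv6 instance count must equal the IPv4 instance count."""
    n4, n6 = instance_count(fw_output), instance_count(fw6_output)
    if n4 == 0 or n6 == 0:
        return False, ("could not parse any instance rows; check that the inputs are the outputs of "
                       "'fw ctl multik stat' and 'fw6 ctl multik stat'")
    if n6 == n4:
        return True, f"OK: {n4} IPv4 and {n6} IPv6 CoreXL Firewall instances"
    if n6 < n4:
        return False, (f"IPv6 instances ({n6}) fewer than IPv4 instances ({n4}): set the IPv6 "
                       "instance count in cpconfig > Check Point CoreXL, then reboot")
    return False, f"IPv6 instances ({n6}) exceed IPv4 instances ({n4}): set both to the same number"


if __name__ == "__main__":
    ok, message = corexl_counts_match(FW_STAT, FW6_STAT)
    print("ready for NAT46" if ok else "not ready", "-", message)
```

On a gateway, save the two outputs to files, read them in, and pass them to corexl_counts_match(); the returned message names the cpconfig step that is still missing.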

Step 2 - Configure NAT46 Rules

Configure NAT46 rules as Manual NAT rules in the Access Control Policy.
Make sure that you add Access Control rules that allow this NAT traffic.
1. Configure an applicable source IPv4 object (IPv4 Host, IPv4 Address Range, or IPv4
Network).
To configure a source IPv4 Host object

a. Click Objects menu > New Host.


b. In the Object Name field, enter the applicable name.

c. In the Comment field, enter the applicable text.


d. Click the General page of this object.
e. In the IPv4 address field, enter the source IPv4 address.
f. In the IPv6 section:
Do not enter anything.
g. On the NAT page of this object:
Do not configure anything.
h. Configure the applicable settings on other pages of this object.
i. Click OK.

To configure a source IPv4 Network object

a. Click Objects menu > New Network.


b. In the Object Name field, enter the applicable name.
c. In the Comment field, enter the applicable text.
d. Click the General page of this object.
e. In the IPv4 section:
i. In the Network address field, enter the IPv4 address of your source
IPv4 network.
ii. In the Net mask field, enter the net mask of your source IPv4 network.

f. In the IPv6 section:


Do not enter anything.
g. On the NAT page of this object:
Do not configure anything.
h. Click OK.

To configure a source IPv4 Address Range object

a. Click Objects menu > More object types > Network Object > Address
Range > New Address Range.

b. In the Object Name field, enter the applicable name.


c. In the Comment field, enter the applicable text.

d. Click the General page of this object.


e. In the IPv4 section:
i. In the First IP address field, enter the first IPv4 address of your IPv4
addresses range.
ii. In the Last IP address field, enter the last IPv4 address of your IPv4
addresses range.
f. In the IPv6 section:
Do not enter anything.
g. On the NAT page of this object:
Do not configure anything.
h. Click OK.

2. Configure a destination IPv4 Host object.


This object represents the destination IPv4 address, to which the IPv4 sources
connect.
To configure a translated destination IPv4 Host object

a. Click Objects menu > New Network.


b. In the Object Name field, enter the applicable name.
c. In the Comment field, enter the applicable text.
d. Click the General page of this object.
e. In the IPv4 section:

i. In the Network address field, enter the IPv4 address of your destination
IPv4 network.
ii. In the Net mask field, enter the net mask of your destination IPv4
network.
f. In the IPv6 section:
Do not enter anything.
g. On the NAT page of this object:
Do not configure anything.
h. Click OK.

3. Configure a translated source IPv6 Network object with an IPv6 address defined with
the 96-bit prefix.

This object represents the translated source IPv6 addresses, to which you translate
the source IPv4 addresses.
To configure a translated source IPv6 Network object with an IPv6 address defined with
the 96-bit prefix

a. Click Objects menu > New Network.


b. In the Object Name field, enter the applicable name.
c. In the Comment field, enter the applicable text.
d. Click the General page of this object.
e. In the IPv4 section:
Do not enter anything.

f. In the IPv6 section:


i. In the Network address field, enter the translated source IPv6 address.
ii. In the Prefix field, enter the number 96.
g. On the NAT page of this object:
Do not configure anything.
h. Click OK.

4. Configure a translated destination IPv6 Host object.


This object represents the translated destination IPv6 address, to which the translated
IPv4 sources connect.
To configure a translated destination IPv6 Host object

a. Click Objects menu > New Host.


b. In the Object Name field, enter the applicable name.
c. In the Comment field, enter the applicable text.
d. Click the General page of this object.
e. In the IPv4 section:
Do not enter anything.
f. In the IPv6 section:

In the Network address field, enter the destination static IPv6 address.
g. On the NAT page of this object:

Do not configure anything.


h. Configure the applicable settings on other pages of this object.
i. Click OK.

5. Create a Manual NAT46 rule.

Procedure

a. From the left Navigation Toolbar, click Security Policies.

b. In the top Access Control section, click NAT.

c. Right-click on the Manual Lower Rules section title, and near the New Rule,
click Above or Below.
Configure this NAT46 rule:

Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services
*Any, or Source IPv4 Host object, or Source IPv4 Address Range object, or Source IPv4 Network object | IPv4 Host object | *Any | IPv6 Network object with an IPv6 address defined with the 96-bit prefix | IPv6 Host object | = Original

Do these steps:

i. In the Original Source column, add the applicable IPv4 object.


In this rule column, NAT46 rules support only these types of objects:
n *Any
n Host with a static IPv4 address
n Address Range with IPv4 addresses
n Network with IPv4 address

ii. In the Original Destination column, add the IPv4 Host object that represents the destination IPv4 address, to which the IPv4 sources connect.
In this rule column, NAT46 rules support only IPv4 Host objects.
iii. In the Original Services column, you must leave the default Any.
iv. In the Translated Source column, add the IPv6 Network object with an IPv6 address defined with the 96-bit prefix.
In this rule column, NAT46 rules support only IPv6 Network objects with an IPv6 address defined with the 96-bit prefix.
v. In the Translated Source column, right-click the IPv6 Network object with the 96-bit prefix > click NAT Method > click Stateless NAT46.
The 46 icon shows in the Translated Source column.
vi. In the Translated Destination column, add the IPv6 Host object that represents the translated destination IPv6 address, to which the translated IPv4 sources connect.
In this rule column, NAT46 rules support only IPv6 Host objects.
vii. In the Translated Services column, you must leave the default = Original.
To summarize, you must configure only these NAT46 rules (rule numbers are
for convenience only):

# | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services
1 | *Any | IPv4 Host object | *Any | IPv6 Network object with an IPv6 address defined with the 96-bit prefix | IPv6 Host object | = Original
2 | IPv4 Host object with a static IPv4 address | IPv4 Host object | *Any | IPv6 Network object with an IPv6 address defined with the 96-bit prefix | IPv6 Host object | = Original
3 | IPv4 Address Range object | IPv4 Host object | *Any | IPv6 Network object with an IPv6 address defined with the 96-bit prefix | IPv6 Host object | = Original
4 | IPv4 Network object | IPv4 Host object | *Any | IPv6 Network object with an IPv6 address defined with the 96-bit prefix | IPv6 Host object | = Original

6. Install the Access Control Policy.

Logging of NAT46 Traffic


Explanation

In the Security Gateway log for a NAT46 connection, the source and destination IPv6 addresses show in their original IPv6 format.
To identify a NAT46 entry, look in the More section of the Log Details window.

Field in Log | Description
Xlate (NAT) Source IP | Shows the translated source IPv6 address, to which the Security Gateway translated the original source IPv4 address
Xlate (NAT) Destination IP | Shows the translated destination IPv6 address, to which the Security Gateway translated the original destination IPv4 address
More | Identifies the entry as NAT46 traffic (Nat46 enabled)

Working with NAT64 Rules


Overview
NAT64 translation (RFC 6146) lets an IPv6-only client communicate with an IPv4-only server using unicast UDP, TCP, or ICMP.
Definition of an IPv6-only client

One of these:
n A host with a networking stack that implements only IPv6.
n A host with a networking stack that implements both IPv4 and IPv6 protocols, but with
only IPv6 connectivity.
n A host that runs an IPv6-only client application.

Definition of an IPv4-only server

One of these:
n A host with a networking stack that implements only IPv4.
n A host with a networking stack that implements both IPv4 and IPv6 protocols, but with
only IPv4 connectivity.
n A host that runs an IPv4-only server application.

The translation of IP addresses is done by translating the packet headers according to the
IP/ICMP Translation Algorithm defined in RFC 6145. The IPv4 addresses of IPv4 hosts are
translated to and from IPv6 addresses using the algorithm defined in RFC 6052, and an IPv6
prefix assigned to the stateful NAT64 for this specific purpose.

Note - For information about DNS64, see RFC 6147.

Properties of Stateful NAT64

n Performs N:M translation:


l N must be greater than M
l If M=1, performs a Hide NAT behind a single IPv4 address.
l If M>1, performs a Hide NAT behind a range of IPv4 addresses.
n Gives good IPv4 address preservation (multiplexed using ports).
n Saves connection states and binding.

n There are no requirements on the assignment of IPv6 addresses to IPv6 clients. Any
mode of IPv6 address assignment is legitimate (Manual, DHCP6, SLAAC).
n It is a scalable solution.

NAT64 use case scenarios

n [IPv6 Network] --- (Internet) --- [Security Gateway] --- [internal IPv4 Network]
Common use case for Content Providers. DNS64 is not needed.
n [internal IPv6 Network] --- [Security Gateway] --- (Internet) --- [IPv4 Network]
Common use case for Carriers, ISPs, Enterprises. DNS64 is required.
n [IPv6 Network] --- [Security Gateway] --- [IPv4 Network]

Common use case for Enterprises. DNS64 is required.

Standards supported for NAT64

n RFC 6144 - Framework for IPv4/IPv6 Translation


n RFC 6146 - Stateful NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers
n RFC 6052 - IPv6 Addressing of IPv4/IPv6 Translators
n RFC 6145 - IP/ICMP Translation Algorithm
n RFC 2428 - FTP Extensions for IPv6 and NATs
n RFC 6384 - An FTP Application Layer Gateway (ALG) for IPv6-to-IPv4 Translation

Known Limitations for NAT64


NAT64 rules do not support:
n VoIP traffic.
n HTTPS Inspection.
n SSL de-multiplexer.
n Security Gateway in HTTP Proxy mode.
n IPS protection "HTTP Header Spoofing".

Example of NAT64 Translation Flow


Example topology

[IPv6 Client] --- (interface) [Security Gateway] (internal) --- [IPv4 Server]
Where:

Item | Description
IPv6 Client | IPv6 real address is 1111:1111::0100/96
Security Gateway external interface | IPv6 address is 1111:1111::1/96
Security Gateway internal interface | IPv4 address is [Link]/24. IPv6 address is 3333:4444::1/96
IPv4 Server | IPv4 real address is [Link]/24. IPv6 NATed address is 1111:2222::0A00:0064/96
IPv6 NATed network | IPv6 address of the network on the external Security Gateway side is 1111:2222::/96. These IPv6 addresses are used to translate the IPv4 address of the IPv4 Server to the IPv6 address
IPv4 NATed network | IPv4 address of the network on the internal Security Gateway side is [Link]/24. These IPv4 addresses are used to translate the IPv6 address of the IPv6 Client to the IPv4 address

Example traffic flow

1. IPv6 Client opens an IPv6 connection to the NATed IPv6 address of the IPv4 Server:

From the IPv6 Client's IPv6 real address 1111:1111::0100 to the IPv4 Server's NATed
IPv6 address 1111:2222::0A00:0064
Where:
The "1111:2222::" part is the NATed IPv6 subnet
The "0A00:0064" part is [Link]
2. Security Gateway performs these NAT translations:

a. Translate the IPv6 Client's source address from the real IPv6 address 1111:1111::0100 to the special concatenated source IPv6 address 0064:FF9B::0101:01XX
Where:
The "0064:FF9B::" part is a well-known prefix reserved for NAT64 (as defined by the RFC)
The "0101:01XX" part is 1.1.1.X
b. Translate the IPv6 Client's source address from the special concatenated source IPv6 address 0064:FF9B::0101:01XX to the source IPv4 address 1.1.1.X
c. Translate the IPv6 Client's NATed destination address from the IPv6 address 1111:2222::0A00:0064 to the NATed destination IPv4 address [Link]

3. IPv4 Server receives this request connection as from the source IPv4 address 1.1.1.X to the destination IPv4 address [Link]
4. IPv4 Server replies to this connection from the source IPv4 address [Link] to the destination IPv4 address 1.1.1.X
5. Security Gateway performs these NAT translations:
a. Translate the IPv4 Server's source real IPv4 address [Link] to the source NATed IPv6 address 1111:2222::0A00:0064
b. Translate the IPv6 Client's NATed destination IPv4 address 1.1.1.X to the destination special concatenated IPv6 address 0064:FF9B::0101:01XX
Where:
The "0064:FF9B::" part is a well-known prefix reserved for NAT64 (as defined by the RFC)
The "0101:01XX" part is 1.1.1.X
c. Translate the IPv6 Client's destination special concatenated IPv6 address 0064:FF9B::0101:01XX to the destination IPv6 real address 1111:1111::0100
6. IPv6 Client receives this reply connection as from the source IPv6 address 1111:2222::0A00:0064 to the destination IPv6 address 1111:1111::0100

Example summary

n Request: [IPv6 Client] ---> [Security Gateway] ---> [IPv4 Server]

Field in packet | Original IPv6 packet | NATed IPv4 packet
Source IP | 1111:1111::0100 / 96 | 1.1.1.X / 24
Destination IP | 1111:2222::0A00:0064 / 96 | [Link] / 24

n Reply: [IPv6 Client] <--- [Security Gateway] <--- [IPv4 Server]

Field in packet | Original IPv4 packet | NATed IPv6 packet
Source IP | [Link] / 24 | 1111:2222::0A00:0064 / 96
Destination IP | 1.1.1.X / 24 | 1111:1111::0100 / 96
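The stateful NAT64 flow above, as an added example (this is not Check Point code and not from this guide): a Python model that embeds and extracts IPv4 addresses in a /96 prefix in the RFC 6052 manner, allocates an (IPv4 address, port) binding from the translated source range for each IPv6 (address, port) pair, reverses that binding for the reply, and returns nothing for an inbound packet that has no binding, which is the stateful behaviour that distinguishes NAT64 from the stateless NAT46 above. It also applies the note from the configuration below that the translated source IPv4 range must not use RFC 1918 addresses, and it reports pool exhaustion, which is why the guide recommends a large range. The page's IPv4 values are placeholders, so the server and pool addresses are constructed documentation addresses; the StatefulNat64 class and the function names are this example's own.

```python
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network
from typing import Dict, Optional, Tuple

# Constructed values (the page's IPv4 addresses are placeholders).
NAT64_PREFIX = IPv6Network("1111:2222::/96")   # the page's NATed IPv6 network for the IPv4 side
WELL_KNOWN = IPv6Network("64:ff9b::/96")        # RFC 6052 well-known prefix (0064:FF9B::/96)
RFC1918 = (IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"), IPv4Network("192.168.0.0/16"))

Binding = Tuple[str, int]  # (address, port)


def embed_ipv4(prefix: IPv6Network, ipv4: str) -> str:
    """RFC 6052 embedding for a /96 prefix: the IPv4 address becomes the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("this model handles /96 prefixes only")
    return str(IPv6Address(int(prefix.network_address) | int(IPv4Address(ipv4))))


def extract_ipv4(prefix: IPv6Network, ipv6: str) -> str:
    """Inverse of embed_ipv4; refuses addresses outside the prefix."""
    addr = IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{ipv6} is not inside {prefix}")
    return str(IPv4Address(int(addr) & 0xFFFF_FFFF))


def well_known_form(ipv4: str) -> str:
    """Gateway-internal concatenated form 0064:FF9B::<IPv4> shown in the flow above."""
    return embed_ipv4(WELL_KNOWN, ipv4)


def ipv4_mapped_form(ipv4: str) -> str:
    """0:0:0:0:0:FFFF:X.Y.Z.W form used for the translated destination object."""
    return embed_ipv4(IPv6Network("::ffff:0:0/96"), ipv4)


class StatefulNat64:
    """N:M hide translation: IPv6 (address, port) pairs share a small IPv4 range, multiplexed by port."""

    def __init__(self, first: str, last: str, prefix: IPv6Network = NAT64_PREFIX,
                 ports: Tuple[int, int] = (1024, 65535)) -> None:
        lo, hi = IPv4Address(first), IPv4Address(last)
        if lo > hi:
            raise ValueError("first address must not exceed last address")
        # The configuration notes require a non-RFC 1918 range for the translated source.
        if any(lo in net or hi in net for net in RFC1918):
            raise ValueError("translated source range must not use RFC 1918 addresses")
        self.prefix = prefix
        self.pool = [str(IPv4Address(i)) for i in range(int(lo), int(hi) + 1)]
        self.port_lo, self.port_hi = ports
        self.next_port: Dict[str, int] = {ip: self.port_lo for ip in self.pool}
        self.to_v6: Dict[Binding, Binding] = {}   # (ipv4, port) -> (ipv6, port)
        self.to_v4: Dict[Binding, Binding] = {}   # (ipv6, port) -> (ipv4, port)

    def _allocate(self, client: Binding) -> Binding:
        """Take the next free (IPv4, port) pair; a full pool means the range is too small."""
        for ip in self.pool:
            if self.next_port[ip] <= self.port_hi:
                port = self.next_port[ip]
                self.next_port[ip] += 1
                self.to_v6[(ip, port)] = client
                self.to_v4[client] = (ip, port)
                return ip, port
        raise RuntimeError("NAT64 pool exhausted: define a larger IPv4 address range")

    def outbound(self, src6: str, sport: int, dst6: str) -> Tuple[str, int, str]:
        """IPv6 client -> IPv4 server. Returns (translated source IPv4, port, real destination IPv4)."""
        dst4 = extract_ipv4(self.prefix, dst6)          # fails before any state is created
        client = (str(IPv6Address(src6)), sport)
        src4, port4 = self.to_v4.get(client) or self._allocate(client)
        return src4, port4, dst4

    def inbound(self, src4: str, dst4: str, dport: int) -> Optional[Tuple[str, str, int]]:
        """IPv4 server -> IPv6 client. Returns (NATed source IPv6, real destination IPv6, port),
        or None when no binding exists: stateful NAT64 drops unsolicited inbound packets."""
        client = self.to_v6.get((str(IPv4Address(dst4)), dport))
        if client is None:
            return None
        dst6, port6 = client
        return embed_ipv4(self.prefix, src4), dst6, port6


if __name__ == "__main__":
    nat = StatefulNat64("203.0.113.1", "203.0.113.2")
    print("request:", nat.outbound("1111:1111::0100", 40000, "1111:2222::c633:6414"))
    print("reply  :", nat.inbound("198.51.100.20", "203.0.113.1", 1024))
    print("unsolicited:", nat.inbound("198.51.100.20", "203.0.113.1", 5000))
```

The binding tables are what the guide means by "saves connection states and binding": the reply can only be delivered because the outbound packet created the (IPv4, port) entry first, and the pool size times the port range bounds the number of concurrent connections.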

Configuring NAT64
Step 1 - Prepare the Security Gateway for NAT64

Note - In a Cluster, you must configure all the Cluster Members in the same way.

Step 1: Make sure that an IPv6 address is assigned to the interface that connects to the destination IPv4 network, and the IPv6 network prefix length is equal to, or less than, 96.
Note - This can be any valid IPv6 address with the IPv6 network prefix length equal to, or less than, 96.
n In Gaia Portal:
Click Network Management > Network Interfaces.
n In Gaia Clish:
Run:
show interface <Name of Interface> ipv6-address
If such an IPv6 address is not assigned yet, assign it now.
For details, see the R82 Gaia Administration Guide - Chapter Network Management - Section Network Interfaces - Section Physical Interfaces.

Step 2: Make sure that the IPv6 routing is configured to send the traffic that is destined to the NATed IPv6 addresses (defined in the Original Destination column in the NAT64 rule) through the interface that connects to the destination IPv4 network.
n In Gaia Portal:
Click Advanced Routing > Routing Monitor.
n In Gaia Clish:
Run:
show ipv6 route
If such a route does not already exist, add it in Gaia Clish.
For details, see the R82 Gaia Administration Guide.
Run these commands in Gaia Clish:
a. Add the static route:
set ipv6 static-route <NATed Destination IPv6 Addresses>/<96 or less> nexthop gateway <Any IPv6 Address from the IPv6 subnet of the Interface that connects to the destination real IPv4 network> on
Example topology:
[IPv6 Client] --- (NATed IPv6 of IPv4 side are 1111:2222::/96) [Security Gateway] (eth3 with IPv6 3333:4444::1) --- [IPv4 Server]
In such a case, configure the IPv6 route using this command:
set ipv6 static-route 1111:2222::/96 nexthop gateway 3333:4444::10 on
b. Save the configuration:
save config

Step 3: Make sure that the number of IPv6 CoreXL Firewall instances is equal to the number of IPv4 CoreXL Firewall instances.
1. Connect to the command line on the Security Gateway.
2. Log in to Gaia Clish, or Expert mode.
3. Show the number of IPv6 CoreXL Firewall instances:
fw6 ctl multik stat
4. Show the number of IPv4 CoreXL Firewall instances:
fw ctl multik stat
5. If the number of IPv6 CoreXL Firewall instances is less than the number
of IPv4 CoreXL Firewall instances, then do these steps:
i. Run:
cpconfig
ii. Select Check Point CoreXL
iii. Select Change the number of IPv6 firewall instances
iv. Configure the number of IPv6 CoreXL Firewall instances to be the
same as the number of IPv4 CoreXL Firewall instances
v. Select Exit
vi. Reboot the Security Gateway
6. Connect to the command line on the Security Gateway.
7. Log in to Gaia Clish, or Expert mode.
8. Show the number of IPv6 CoreXL Firewall instances:
fw6 ctl multik stat
9. Show the number of IPv4 CoreXL Firewall instances:
fw ctl multik stat

Example output:
[Expert@GW:0]# fw ctl multik
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 10 | 14
1 | Yes | 2 | 6 | 15
2 | Yes | 1 | 7 | 15
[Expert@GW:0]#
[Expert@GW:0]# fw6 ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 0 | 0
1 | Yes | 2 | 0 | 4
2 | Yes | 1 | 0 | 2
[Expert@GW:0]#

Step 2 - Configure NAT64 Rules

Define NAT64 rules as Manual NAT rules in the Access Control Policy.

Make sure that you add access rules that allow this NAT traffic.
1. Define a source IPv6 Network object.
This object represents the source IPv6 addresses, which you translate to source IPv4
addresses.
Procedure

a. Click Objects menu > New Network.


b. In the Object Name field, enter the applicable name.
c. In the Comment field, enter the applicable text.
d. Click the General page of this object.

e. In the IPv4 section:


Do not enter anything.
f. In the IPv6 section:
i. In the Network address field, enter the IPv6 address of your IPv6
network, which you translate to source IPv4 addresses.
ii. In the Prefix field, enter the prefix of your IPv6 network.
g. On the NAT page of this object:
Do not configure anything.
h. Click OK.

2. Define a translated destination IPv6 Network object with an IPv4-embedded IPv6 address, or a translated destination IPv6 Host object with a static IPv6 address.

This object represents the translated destination IPv6 address, to which the IPv6
sources connect.
Procedure

a. Click Objects menu > New Network.


b. In the Object Name field, enter the applicable name.
c. In the Comment field, enter the applicable text.
d. Click the General page of this object.
e. In the IPv4 section:
Do not enter anything.

f. In the IPv6 section:


i. In the Network address field, enter the destination IPv4-embedded
IPv6 address (also called IPv4-mapped IPv6 address), to which the
IPv6 sources connect.
Such IPv6 address contains (from left to right) 80 "zero" bits, followed by
16 "one" bits, and then the 32 bits of the IPv4 address -
0:0:0:0:0:FFFF:X.Y.Z.W, where X.Y.Z.W are the four octets of the
destination IPv4 address.
For example, for IPv4 network [Link], the IPv4-embedded IPv6
address is 0:0:0:0:0:FFFF:[Link], or 0:0:0:0:0:FFFF:C0A8:0300.
For more information, see RFC 6052.
These IPv4-embedded IPv6 addresses are published by an external
DNS64 server.
ii. In the Prefix field, enter the applicable IPv6 prefix.
Note - You can define IPv4-embedded IPv6 addresses only for these object
types: Address Range, Network, and Host.
g. On the NAT page of this object:
Do not configure anything.
h. Click OK.

3. Define a translated source IPv4 Address Range object.


This object represents the translated source IPv4 addresses, to which you translate
the original source IPv6 addresses.
Procedure

a. Click Objects menu > More object types > Network Object > Address
Range > New Address Range.
b. In the Object Name field, enter the applicable name.
c. In the Comment field, enter the applicable text.
d. Click the General page of this object.

e. In the IPv4 section:


i. In the First IP address field, enter the first IPv4 address of your IPv4
addresses range, to which you translate the source IPv6 addresses.
ii. In the Last IP address field, enter the last IPv4 address of your IPv4
addresses range, to which you translate the source IPv6 addresses.

Notes:
n This IPv4 addresses range must not use private IPv4 addresses (see RFC 1918 and Menu > Global properties > Non Unique IP Address Range).
n This IPv4 addresses range must not be used on the IPv4 side of the network.
n We recommend that you define a large IPv4 addresses range for more concurrent NAT64 connections.

f. In the IPv6 section:


Do not enter anything.
g. On the NAT page of this object:
Do not configure anything.
h. Click OK.

4. Create a Manual NAT64 rule.

Procedure

a. From the left navigation tree, click Security Policies.


b. In the top Access Control section, click NAT.

c. Right-click on the Manual Lower Rules section title, and near the New Rule,
click Above or Below.
Configure this Manual NAT64 rule:

Important - Some combinations of object types are not supported in


the Original Source and Original Destination columns. See the
summary table with the supported NAT rules at the bottom of this
section.

i. In the Original Source column, add the IPv6 object for your original
source IPv6 addresses.
In this rule column, NAT64 rules support only these types of objects:
n *Any
n Host with a static IPv6 address
n Address Range with IPv6 addresses
n Network with IPv6 address
ii. In the Original Destination column, add a translated destination IPv6
object with an IPv4-embedded IPv6 address.
In this rule column, NAT64 rules support only these types of objects:
n Host with a static IPv6 address
n Address Range with IPv4-embedded IPv6 addresses
n Network with an IPv4-embedded IPv6 address
iii. In the Original Services column, you must leave the default Any.

iv. In the Translated Source column, add the IPv4 Address Range object
for your translated source IPv4 addresses range.
In this rule column, NAT64 rules support only these types of objects:
n Host with a static IPv4 address, only if in the Original Source
column you selected a Host with a static IPv6 address
n Address Range with IPv4 addresses

v. In the Translated Source column, right-click the IPv4 Address Range object > click NAT Method > click Stateful NAT64:
- The Translated Packet Destination column shows = Embedded IPv4 Address.
- The 64 icon shows in both the Translated Source and Translated Destination columns.
In this rule column, NAT64 rules support only these types of objects:
- Host with a static IPv4 address, only if in the Original Source column you selected a Host with a static IPv6 address
- Embedded IPv4 Address
vi. In the Translated Services column, you must leave the default = Original.
d. Install the Access Control Policy.

5. Install the Access Control Policy.


To summarize, you must configure only these Manual NAT64 rules (rule numbers are for convenience only):

| # | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services |
|---|---|---|---|---|---|---|
| 1 | *Any | IPv6 Host object with a static IPv6 address | *Any | IPv4 Address Range object | IPv4 Host object | = Original |
| 2 | *Any | IPv6 Address Range object with IPv4-embedded IPv6 addresses | *Any | IPv4 Address Range object | Embedded IPv4 Address | = Original |
| 3 | *Any | IPv6 Network object with an IPv4-embedded IPv6 address | *Any | IPv4 Address Range object | Embedded IPv4 Address | = Original |
| 4 | IPv6 Host object with a static IPv6 address | IPv6 Host object with a static IPv6 address | *Any | IPv4 Host object | IPv4 Host object | = Original |
| 5 | IPv6 Host object with a static IPv6 address | IPv6 Address Range object with IPv4-embedded IPv6 addresses | *Any | IPv4 Address Range object | Embedded IPv4 Address | = Original |
| 6 | IPv6 Host object with a static IPv6 address | IPv6 Network object with an IPv4-embedded IPv6 address | *Any | IPv4 Address Range object | Embedded IPv4 Address | = Original |
| 7 | IPv6 Address Range object | IPv6 Host object with a static IPv6 address | *Any | IPv4 Address Range object | IPv4 Host object | = Original |
| 8 | IPv6 Address Range object | IPv6 Address Range object with IPv4-embedded IPv6 addresses | *Any | IPv4 Address Range object | Embedded IPv4 Address | = Original |
| 9 | IPv6 Address Range object | IPv6 Network object with an IPv4-embedded IPv6 address | *Any | IPv4 Address Range object | Embedded IPv4 Address | = Original |
| 10 | IPv6 Network object | IPv6 Host object with a static IPv6 address | *Any | IPv4 Address Range object | IPv4 Host object | = Original |
| 11 | IPv6 Network object | IPv6 Address Range object with IPv4-embedded IPv6 addresses | *Any | IPv4 Address Range object | Embedded IPv4 Address | = Original |
| 12 | IPv6 Network object | IPv6 Network object with an IPv4-embedded IPv6 address | *Any | IPv4 Address Range object | Embedded IPv4 Address | = Original |


Step 3 - Configure additional settings for NAT64

You can configure the additional settings that control the NAT64 translation mechanism.
These settings are compliant with RFC 6145.

Best Practice - We recommend that you change the default settings only if you are
familiar with the technology.

Procedure
1. Close all SmartConsole windows connected to the Management Server.
2. Connect with Database Tool (GuiDBEdit Tool) to the applicable Security Management
Server or Domain Management Server.
3. In the top left section, click Table > Global Properties > properties.
4. In the top right section, click firewall_properties.

5. In the bottom section, scroll to these Field Names:
- nat64_add_UDP_checksum
- nat64_avoid_PMTUD_blackhole
- nat64_copy_type_of_service
- nat64_error_message_on_dropped_packets


6. Right-click the applicable parameter in the Field Name column and click Edit.
7. Select the applicable Value (true, or false) and click OK.

Field Names and their descriptions:

nat64_add_UDP_checksum
    This parameter controls whether the translator should calculate and add a valid UDP checksum value to a packet, if the packet checksum value is zero.
    This is important because, by default, an IPv4 UDP packet with a checksum value of zero is dropped on the IPv6 side.
    Default: false

nat64_avoid_PMTUD_blackhole
    This parameter controls whether to allow packet fragmentation on the IPv4 (destination) side during PMTU discovery.
    Enable this setting if some equipment combinations cause PMTU discovery to fail.
    Default: false

nat64_copy_type_of_service
    This parameter controls whether to copy the Traffic Class field to the Type Of Service field, and set the Type Of Service field in the translated packet to zero.
    Default: true

nat64_error_message_on_dropped_packets
    This parameter controls whether to generate an audit log after a connection is closed.
    For each closed connection, the log shows:
    - Connection information (source and destination IP address, source port, and service).
    - Translated source IP address and source port.
    - Start time and end time.
    - If the connection was closed because the connection expired, the log shows additional information in the TCP End Reason field. If this field does not show in the log, the connection was closed with a TCP RST or a TCP FIN, and did not expire.
    Default: true

8. Save the changes (click File > Save All).
9. Close the Database Tool (GuiDBEdit Tool).
10. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server.
11. Install the Access Control Policy.
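As an added worked example (not part of this guide and not Check Point code), the following Python models the two parts of the configuration above: the Translated Destination is the Embedded IPv4 Address taken from the IPv4-embedded IPv6 destination, the Translated Source is drawn from the IPv4 Address Range, and a UDP reply with a zero checksum is dropped unless nat64_add_UDP_checksum is enabled, in which case a checksum over the IPv6 pseudo-header is calculated. It assumes the RFC 6052 well-known prefix 64:ff9b::/96 and uses constructed documentation addresses.

```python
import ipaddress
import struct

# Assumption: IPv4-embedded IPv6 addresses use the RFC 6052 well-known prefix
# 64:ff9b::/96; the guide only says the objects carry an embedded IPv4 address.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
UDP_PROTOCOL = 17


def embedded_ipv4(addr6, prefix=NAT64_PREFIX):
    """The IPv4 address carried in the low 32 bits of a /96-prefixed IPv6 address."""
    a6 = ipaddress.IPv6Address(addr6)
    if a6 not in prefix:
        raise ValueError(f"{a6} is not inside the NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(a6) & 0xFFFFFFFF)


def embed_ipv4(addr4, prefix=NAT64_PREFIX):
    """The IPv4-embedded IPv6 address of an IPv4 host (used on the reply path)."""
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(addr4)))


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header_v6(src6, dst6, length):
    # IPv6 pseudo-header: source, destination, upper-layer length, 3 zero bytes, next header
    return (ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed
            + struct.pack("!I3xB", length, UDP_PROTOCOL))


def udp_checksum_v6(src6, dst6, segment):
    """UDP checksum for an IPv6 packet; segment is the UDP header plus payload."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF ^ _ones_complement_sum(_pseudo_header_v6(src6, dst6, len(segment)) + zeroed)
    return csum or 0xFFFF  # a computed zero is transmitted as all ones


def udp_checksum_v6_ok(src6, dst6, segment):
    """Receiver-side check: the sum including the checksum field must be all ones."""
    return _ones_complement_sum(_pseudo_header_v6(src6, dst6, len(segment)) + segment) == 0xFFFF


def udp_checksum_field(segment):
    return struct.unpack("!H", segment[6:8])[0]


def build_udp(sport, dport, payload, checksum=0):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), checksum) + payload


class Nat64Translator:
    """Toy stateful NAT64: IPv6 clients hidden behind an IPv4 Address Range, plus replies."""

    def __init__(self, translated_range4, add_udp_checksum=False, prefix=NAT64_PREFIX):
        self.free = [str(ipaddress.IPv4Address(a)) for a in translated_range4]
        self.add_udp_checksum = add_udp_checksum  # models nat64_add_UDP_checksum
        self.prefix = prefix
        self.bindings = {}  # translated IPv4 source -> original IPv6 source

    def outbound(self, src6, dst6):
        """IPv6 -> IPv4: Translated Source from the IPv4 Address Range,
        Translated Destination = Embedded IPv4 Address."""
        dst4 = str(embedded_ipv4(dst6, self.prefix))
        src4 = next((t for t, o in self.bindings.items() if o == src6), None)
        if src4 is None:
            if not self.free:
                raise RuntimeError("IPv4 Address Range exhausted; define a larger range")
            src4 = self.free.pop(0)
            self.bindings[src4] = src6
        return src4, dst4

    def inbound_udp(self, src4, dst4, segment):
        """IPv4 -> IPv6 for a UDP reply. Returns (src6, dst6, segment) or None if dropped."""
        orig6 = self.bindings.get(dst4)
        if orig6 is None:
            return None  # no binding for this translated address: unsolicited, dropped
        if udp_checksum_field(segment) == 0 and not self.add_udp_checksum:
            return None  # IPv6 requires a UDP checksum; zero-checksum reply dropped
        src6 = str(embed_ipv4(src4, self.prefix))
        # Recompute over the IPv6 pseudo-header. A real translator updates a non-zero
        # checksum incrementally; a zero checksum has nothing to update, which is the
        # case nat64_add_UDP_checksum=true covers by calculating a valid one.
        csum = udp_checksum_v6(src6, orig6, segment)
        return src6, orig6, segment[:6] + struct.pack("!H", csum) + segment[8:]


if __name__ == "__main__":
    nat = Nat64Translator(["198.51.100.7", "198.51.100.8"], add_udp_checksum=True)
    src4, dst4 = nat.outbound("2001:db8::10", "64:ff9b::c000:201")  # constructed addresses
    reply = build_udp(53, 40000, b"constructed DNS reply", checksum=0)
    print("outbound:", src4, "->", dst4)
    print("inbound:", nat.inbound_udp(dst4, src4, reply))
```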


Logging of NAT64 traffic


Explanation

In the Security Gateway log for a NAT64 connection, the source and destination IPv6 addresses show in their original IPv6 format.
To identify a NAT64 entry, in the Log Details window, look at the More section.

| Field in Log | Description |
|---|---|
| Xlate (NAT) Source IP | Shows the translated source IPv4 address, to which the Security Gateway translated the original source IPv6 address |
| Xlate (NAT) Destination IP | Shows the translated destination IPv4 address, to which the Security Gateway translated the original destination IPv6 address |
| More | Identifies the entry as NAT64 traffic (Nat64 enabled) |

Advanced NAT Settings
This section describes advanced NAT configuration in specific scenarios.

Automatic and Proxy ARP


Giving a computer on the internal network an IP address from an external network using NAT
makes that computer appear on the external network. When NAT on the Security Gateway is
configured automatically, the Security Gateway replies on behalf of translated network objects
to ARP Requests that are sent from the external network for the IP address of the internal
computer.

| Item | Description |
|---|---|
| 1 | Computer on the internal network with IP address [Link] |
| 2 | Security Gateway with external interface IP address [Link] responds to ARP Requests on behalf of translated internal objects |
| 3 | Translated IP Address [Link] on the external network |
| 4 | External network |

If you are using manual NAT rules, you must configure Proxy ARP entries to associate the translated IP address with the MAC address of the Security Gateway interface that is on the same network as the translated IP addresses.
See sk30197 for more information about configuring:
- Proxy ARP for IPv4 Manual NAT.
- Proxy ARP for Scalable Platforms.
Proxy ARP entries are not generated automatically for CGNAT translated Address Ranges. To resolve this issue, configure the Proxy ARP entries manually. Refer to sk30197.
See sk91905 for more about configuring Proxy NDP for IPv6 Manual NAT.


NAT and Anti-Spoofing


NAT is performed after Anti-Spoofing checks, which are performed only on the source IP
address of the packet.
This means that spoofing protection is configured on the interfaces of the Security Gateway in
the same way as NAT.


Disabling NAT in a VPN Tunnel


When communicating within a VPN, it is normally not necessary to perform NAT.
You can disable NAT in a VPN tunnel with a single click in the VPN community object.
Disabling NAT in a VPN tunnel by defining a NAT rule slows down the performance of the
VPN.


Internal Communication with Overlapping Addresses


If two internal networks have overlapping (or partially overlapping) IP addresses, the Security Gateway enables:
- Communication between the overlapping internal networks.
- Communication between the overlapping internal networks and the outside world.
- Enforcement of a different security policy for each overlapping internal network.

Example Network Configuration

Example topology:

For example, assume both Network 2A and Network 2B share the same address space
([Link]/24).

Therefore, it is not possible to use standard NAT to enable communication between the two
networks.
Instead, it is necessary to perform overlapping NAT on a per-interface basis.
- Users in Network 2A, who want to communicate with users in Network 2B, must use the [Link]/24 network as a destination.
- Users in Network 2B, who want to communicate with users in Network 2A, must use the [Link]/24 network as a destination.
The Security Gateway (4) translates the IP addresses in this way for each individual interface:

Interface - IP Address Translation on the Interface

4A
- Inbound source IP addresses are translated to the virtual network [Link]/24.
- Outbound destination IP addresses are translated to the network [Link]/24.

4B
- Inbound source IP addresses are translated to the network [Link]/24.
- Outbound destination IP addresses are translated to the network [Link]/24.

4C
- Overlapping NAT is not configured for this interface. Instead, use NAT Hide in the normal way (not on a per-interface basis) to hide source addresses behind the interface's IP address ([Link]).

Communication Examples

Example 1 - Communication Between Internal Networks

If user 1A, at IP address [Link] in Network 2A, wants to connect to user 1B, at IP
address [Link] (the same IP address) in Network 2B, user 1A opens a connection to
the IP address [Link].
Communication Between Internal Networks

| Step | Source IP address | Destination IP address |
|---|---|---|
| Interface 4A - before NAT | [Link] | [Link] |
| Interface 4A - after NAT | [Link] | [Link] |
| Security Gateway enforces the security policy for packets from network [Link]/24 to network [Link]/24. | | |
| Interface 4B - before NAT | [Link] | [Link] |
| Interface 4B - after NAT | [Link] | [Link] |

Example 2 - Communication Between an Internal Network and the Internet

User 1A, at IP address [Link] in Network 2A, connects to IP address [Link] on the Internet (3).

Communication Between an Internal Network and the Internet

| Step | Source IP address | Destination IP address |
|---|---|---|
| Interface 4A - before NAT | [Link] | [Link] |
| Interface 4A - after NAT | [Link] | [Link] |
| The Security Gateway (4) enforces the security policy for packets from network [Link]/24 to the Internet (3). | | |
| Interface 4C - before NAT | [Link] | [Link] |
| Interface 4C - after NAT Hide | [Link] | [Link] |

Routing Considerations

To allow routing from Network 2A to Network 2B (in our example above), you must configure
the required routes on the Security Gateway:

| Destination Network Address | Default Gateway |
|---|---|
| [Link] / 24 | [Link] |
| [Link] / 24 | [Link] |

For configuration instructions, see the R82 Gaia Administration Guide > Chapter "Network
Management" > Section "IPv4 Static Routes".

Object Database Configuration

To activate the overlapping NAT feature, use Database Tool (GuiDBEdit Tool), or the dbedit command (see sk13301).
In our example network, the per-interface values for the interface 4A and the interface 4B are:

| Parameter | Value |
|---|---|
| enable_overlapping_nat | true |
| overlap_nat_dst_ipaddr | The overlapping IP addresses (before NAT). In our example, [Link] for both interfaces. |
| overlap_nat_src_ipaddr | The IP addresses after NAT. In our example: [Link] for interface 4A; [Link] for interface 4B. |
| overlap_nat_netmask | The net mask of the overlapping IP addresses. In our example, [Link]. |


Multicast Access Control

Multicast IP transmits one copy of each datagram (IP packet) to a multicast address, where
each recipient in the group takes their copy. The routers in the network forward the datagrams
only to routers and hosts with access to receive the multicast packets.
To configure multicast access control:

1. Open a Security Gateway object.
2. On the Network Management page, select an interface and click Edit.
3. On Interface > Advanced, click Drop Multicast packets by the following conditions.
4. Select a multicast policy for the interface:
- Drop multicast packets whose destination is in the list
- Drop all multicast packets except those whose destination is in the list
When access is denied to a multicast group on an interface for outbound IGMP packets, inbound packets are also denied.
If you do not define access restrictions for multicast packets, multicast datagrams to one interface of the Security Gateway are allowed out of all other interfaces.
5. Click Add.
The Add Object window opens, with the Multicast Address Ranges object selected.
6. Click New > Multicast Address Range.
The Multicast Address Range Properties window opens.
7. Enter a name for this range.
8. Define an IP address Range or a Single IP Address in the range: [Link] - [Link].
Class D IP addresses are reserved for multicast traffic and are allocated dynamically.
The multicast address range [Link] - [Link] is used only for the destination address of IP multicast traffic.
Every IP datagram whose destination address starts with 1110 is an IP multicast datagram. The remaining 28 bits of the multicast address range identify the group to which the datagram is sent.


The [Link] - [Link] range is reserved for LAN applications that are never forwarded by a router. These addresses are permanent host groups. For example: an ICMP request to [Link] is answered by all multicast-capable hosts on the network, [Link] is answered by all routers with multicast interfaces, and [Link] is answered by all PIM routers. To learn more, see the [Link]
The source address for multicast datagrams is always the unicast source address.
9. Click OK.
10. In the Add Object window, click OK.
11. In the Interface Properties window, click OK.
12. In the Security Gateway window, click OK.
13. In the Rule Base, add a rule that allows the multicast address range as the Destination.
14. In the Services of the rule, add the multicast protocols:
- Multicast routing protocols - For example: Protocol-Independent Multicast (PIM), Distance Vector Multicast Routing Protocol (DVMRP), and Multicast Extensions to OSPF (MOSPF).
- Dynamic registration - Hosts use the Internet Group Management Protocol (IGMP) to let the nearest multicast router know they want to belong to a specified multicast group. Hosts can leave or join the group at any time.
15. Install the policy.


Security Management behind NAT


Overview

Explanation

The Security Management Server sometimes uses a private IP address (as listed in RFC
1918), or some other non-routable IP address, because of the lack of public IP addresses.
NAT (Static or Hide) for the Security Management Server IP address can be configured in
one click, while still allowing connectivity with managed Security Gateways. All Security
Gateways can be controlled from the Security Management Server, and logs can be sent to
the Security Management Server. NAT can also be configured for a Management High
Availability server and a Log Server.

Example:

| Item | Description |
|---|---|
| 1 | Primary Security Management Server. Original IP address - [Link]; Translated IP address - [Link] |
| 2 | Local Security Gateway that is directly connected to the Security Management Server. The Remote Security Gateway connects to the Security Management Server through this Local Security Gateway. |
| 3 | Remote Security Gateway that must connect to the Security Management Server. |

Configuring NAT for Control Connections on the Security Management Server

1. From the left navigation panel, click Gateways & Servers.
2. Double-click the Security Management Server object.


3. From the left navigation tree, click NAT.
4. Select Add Automatic Address Translation rules.
5. In the Translation method field, select Static.
6. Configure the applicable IP address.
In our example - [Link]
Note - In a High Availability environment, you must configure one static IP address for each Security Management Server.
7. Select one of these two options:
- Install on Gateway - The Security Gateway that performs this NAT. In our example, the local Security Gateway that is directly connected to the Security Management Server (item 2 in the diagram).
- Do not create automatic NAT rules - The Security Management Server is behind a non-Check Point device that handles the NAT.
8. Connections from Security Gateways to this server. Select one of these options:
- Based on topology configuration (use the server's translated or original IP address).
- Use this server's original IP address.
- Use this server's translated IP address.
9. Optional: Select Apply for Security Gateway control connections - This option performs NAT on VPN control connections to and from the Security Management Server. This makes it possible to install a policy or collect logs across a NAT gateway.
10. Click OK.
11. Install the Access Control Policy on the applicable Security Gateways.

Configuration on the Security Gateway

For each Security Gateway, you can decide whether to use the definitions on the Management Server / Log Server, or to override the settings of the Management Server / Log Server and configure other settings for the specific Security Gateway.

To configure management behind NAT settings for a specific Security Gateway:


1. In SmartConsole, go to the Gateways & Servers view, and double-click the relevant
Security Gateway object.
2. In the Security Gateway object editor, from the left navigation menu, select NAT >
Management / Log Servers.


3. The default option is Use Management Server / Log Server settings.
4. To override the default settings, select one of these options:
- Use the remote server's original/translated IP address based on the topology
- Use only the original IP address for the remote servers.
- Use only the translated IP address for the remote servers.

Notes:
- Security Management Server behind NAT is not supported on a Standalone server (where the Security Management Server also acts as a Security Gateway) that receives connections from outside the NATed domain (for example, when it receives SAM commands).
- The procedure and instructions in this section apply to a Log Server behind NAT as well.


IP Pool NAT
Overview

An IP Pool is a range of IP addresses that are routable to the Security Gateway.


IP Pool NAT ensures proper routing for encrypted connections in these VPN connection scenarios:
- Remote Access Client to MEP (Multiple Entry Point) Security Gateways
- Security Gateway to MEP Security Gateways
When a connection is opened from a Remote Access Client or a client behind a Security Gateway, to a server behind the MEP Security Gateways, the packets are routed through one of the MEP Security Gateways.

Return packets in the connection must be routed back through the same Security Gateway in
order to maintain the connection.
To ensure that this occurs, each of the MEP Security Gateways maintains a pool of IP
addresses that are routable to the Security Gateway.
When a connection is opened to a server, the Security Gateway substitutes an IP address
from the IP pool for the source IP address.
Reply packets from the server return to the Security Gateway, which restores the original
source IP address and forwards the packets to the source.


NAT Priorities

IP Pool NAT can be used both for encrypted (VPN) and non-encrypted (decrypted by the
Security Gateway) connections.

Note - To enable IP Pool NAT for clear connections through the Security Gateway, it
is necessary to configure the required INSPECT settings in the applicable [Link]
file (see "Location of '[Link]' Files on the Management Server" on page 259).
Contact Check Point Support for assistance.

For non-encrypted connections, IP Pool NAT has the following advantages over Hide NAT:
- New back connections (for example, X11) can be opened to the NATed host.
- User-to-IP server mapping of protocols that allow one connection per IP can work with a number of hosts instead of only one host.
- IPsec, GRE, and IGMP protocols can be NATed using IP Pool NAT (and Static NAT). Hide NAT works only with TCP, UDP, and ICMP protocols.
Because of these advantages, you can specify that IP Pool NAT has priority over Hide NAT, if both match the same connection. Hide NAT is only applied if the IP pool is used up.

The order of NAT priorities:
1. Static NAT
2. IP Pool NAT
3. Hide NAT

Because Static NAT has all of the advantages of IP Pool NAT and more, it has a higher priority
than the other NAT methods.


IP Pool per Interface

You can define a separate IP address pool on one or more of the Security Gateway interfaces
instead of defining a single pool of IP addresses for the Security Gateway.
Defining an IP pool per interface solves routing issues that occur when the Security Gateway
has more than two interfaces.
Sometimes it is necessary that reply packets return to the Security Gateway through the same
Security Gateway interface.

Example:
This example diagram shows one of the MEP Security Gateways in a Remote Access Client to
a MEP Security Gateway deployment:

Item - Description

1 - Packets from source host:
Source: Original
Destination:

2 - VPN tunnel through the Internet

3 - MEP Security Gateway

3A - IP Pool 1 packets:
Source: 10.55.8.x
Destination:

3B - IP Pool 2 packets:
Source: 10.55.10.x
Destination:

4 - Internal network [Link]

5 - Target host in internal network [Link]


If a remote client opens a connection to the internal network, reply packets from hosts inside
the internal networks are routed to the correct Security Gateway interface through the use of
static IP pool NAT addresses.
The remote client's IP address is NATed to an address in the IP pool on one of the Security
Gateway interfaces. The addresses in the IP pool can be routed only through that Security
Gateway interface so that all reply packets from the target host are returned only to that
interface. Therefore, it is important that the IP NAT pools of the interfaces do not overlap.
When the packet returns to the Security Gateway interface, the Security Gateway restores the
remote peer's source IP address.
The routing tables on the routers that lie behind the Security Gateway must be edited so that
addresses from a Security Gateway IP pool are returned to the correct Security Gateway
interface.

Switching between IP Pool NAT per Security Gateway and IP Pool NAT per interface and then
installing the security policy deletes all IP Pool allocation and all NATed connections.

Reusing IP Pool Addresses for Different Destinations

IP Pool addresses can be reused for different destinations, which makes more efficient use of
the addresses in the pool. If a pool contains N addresses, then any number of clients can be
assigned an IP from the pool as long as there are no more than N clients per server.
Using IP Pool allocation per destination, two different clients can receive the same IP from the
pool as long as they communicate with different servers (connections 1 and 2). When reusing
addresses from the IP Pool, back connections are supported from the original server only
(connection 3). This means that connections back to the client can be opened only from the
specific server to which the connection was opened.


Item - Description

1 - Security Gateway with IP Pool addresses A to Z

2 - Clients:
Source: Original
Destination:

3A - NATed packet from connection 3:
Source: A
Destination:

4A - NATed packet from connection 4:
Source: A
Destination:

5A - NATed packet from reply connection 5:
Source: Original
Destination: A

6A - This server cannot open a connection with Destination A back to the client.


The default Do not reuse IP Pool NAT behavior means that each IP address in the IP Pool is
used once (connections 1 and 2 in the following illustration). In this mode, if an IP pool contains
20 addresses, up to 20 different clients can be NATed and back connections can be opened
from any source to the client (connection 3).

Item - Description

1 - Security Gateway with IP Pool addresses A to Z.

2 - Clients:
Source: Original
Destination:

3A - NATed packet from connection 3:
Source: A
Destination:

4A - NATed packet from connection 4:
Source: Z
Destination:

5 - Connection:
Source: Original
Destination: A

Switching between the Reuse and Do not reuse modes and then installing the security policy,
deletes all IP Pool allocations and all NATed connections.
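An added example (not part of this guide or of the product) that models the two allocation modes in Python with a constructed two-address pool: with reuse per destination, the same pool address serves two clients toward different servers and only that server can open a back connection to the client; without reuse, each address serves one client and any source can open a back connection. The class and helper names are this example's own.

```python
class IpPoolNat:
    """Toy model of IP Pool NAT allocation in the two modes the guide describes.

    reuse_per_destination=True  -> 'Reuse IP addresses from the pool for different destinations'
    reuse_per_destination=False -> the default 'Do not reuse' behavior
    """

    def __init__(self, pool, reuse_per_destination):
        self.pool = list(pool)  # the IP Pool object (constructed sample addresses below)
        self.reuse = reuse_per_destination
        # reuse mode keys allocations by (client, server); do-not-reuse keys by client only
        self.allocations = {}

    def allocate(self, client, server):
        """Pool address used for client -> server, or None when the pool is used up
        (then Hide NAT applies if 'Prefer IP Pool NAT over Hide NAT' is configured)."""
        key = (client, server) if self.reuse else client
        if key in self.allocations:
            return self.allocations[key]
        if self.reuse:
            # an address may be reused as long as no other client uses it toward this server
            taken = {ip for (_, s), ip in self.allocations.items() if s == server}
        else:
            taken = set(self.allocations.values())
        for ip in self.pool:
            if ip not in taken:
                self.allocations[key] = ip
                return ip
        return None

    def back_connection_target(self, from_host, pool_ip):
        """Client that receives a new connection opened from from_host to pool_ip,
        or None if the Security Gateway cannot map it (connection 6A in the guide)."""
        if self.reuse:
            # only the server the client originally talked to maps the address uniquely
            for (client, server), ip in self.allocations.items():
                if ip == pool_ip and server == from_host:
                    return client
            return None
        for client, ip in self.allocations.items():
            if ip == pool_ip:
                return client  # any source may open a back connection
        return None


def capacity_demo():
    """Constructed pool of two addresses: N clients per server versus N clients in total."""
    reuse = IpPoolNat(["A", "B"], reuse_per_destination=True)
    no_reuse = IpPoolNat(["A", "B"], reuse_per_destination=False)
    clients = ["c1", "c2", "c3"]
    return (
        [reuse.allocate(c, "s1") for c in clients] + [reuse.allocate("c4", "s2")],
        [no_reuse.allocate(c, "s1") for c in clients] + [no_reuse.allocate("c4", "s2")],
    )


if __name__ == "__main__":
    print("reuse per destination / do not reuse:", capacity_demo())
```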

IP Pool Configuration Procedure

1. Enable IP Pool NAT in Global Properties

a. From the SmartConsole Menu, click Global properties.


b. In the Global properties > NAT page, select Enable IP Pool NAT and the
required tracking options.
c. Click OK.


2. For each Security Gateway or Security Gateway interface, create an object that represents
its IP pool NAT addresses

This object can be a Network, Network Group, or Address Range.

Important:
- In a Cluster, you must configure a separate IP Pool for each Cluster Member.
- It is not possible to configure a separate IP Pool for each Cluster Member interface.

For example, for an Address Range, do the following:
a. From the Objects Bar (F11), in the network objects tree, select New > More > Network Object > Address Range > Address Range.
b. In the General tab, enter the first and last IP addresses of the range.
c. Click OK.

3. Enable and configure IP Pool NAT in the Security Gateway object

a. From the left navigation panel, click Gateways & Servers.
b. Double-click the Security Gateway / Cluster object.
c. From the left, expand NAT and click IP Pool NAT.
d. In the IP Pool NAT page, select one of these options:
In a Security Gateway object:
- Allocate IP Addresses from and then select the address range you created to configure IP Pool NAT for the whole Security Gateway.
- Define IP Pool NAT on Gateway interfaces to configure IP Pool NAT per interface.
In a Cluster object:
- Define IP Pool NAT on each cluster member
- Define IP Pool NAT on cluster member interfaces to configure IP Pool NAT per interface.


e. Optional: Select one or more of these options:
- Use IP Pool NAT for VPN client connections
- Use IP Pool NAT for gateway to gateway connections
- Prefer IP Pool NAT over Hide NAT to specify that IP Pool NAT has priority over Hide NAT, if both match the same connection. Hide NAT is only applied if the IP pool was used up.
f. Optional: Configure the applicable advanced settings. Click Advanced and configure:
i. Return unused addresses to IP Pool after - Addresses in the pool are reserved for 60 minutes (default), even if the user logs off. If the user disconnects from their ISP and then redials and reconnects, there will be two Pool NAT addresses in use for the user until the first address from the IP Pool times out. If users regularly lose their ISP connections, you may want to decrease the time-out to prevent the IP Pool from being depleted.
ii. Reuse IP addresses from the pool for different destinations - This is a good option unless it is necessary to allow back connections to be opened to clients from any source, rather than just from the specific server to which the client originally opened the connection.
g. Click OK to close the Advanced IP Pool NAT Configuration window.
h. In a cluster object:
i. From the left, click Cluster Members.
ii. Double-click each Cluster Member.
iii. From the top, click the IP Pool NAT tab.
iv. Select Use IP Pool NAT.
v. In the Allocate IP addresses from field, select the applicable object for this Cluster Member.
Important - In a Cluster, you must configure a separate IP Pool for each Cluster Member. It is not possible to configure a separate IP Pool for each Cluster Member interface.
vi. Click OK to close the Cluster Member Properties window.
i. Click OK to close the Security Gateway / Cluster object.

4. Install the Security Policy


a. Connect with the SmartConsole to the Security Management Server.


b. Install the Access Control Policy on the remote Security Gateway / Cluster.

5. Edit the routing table of each internal router

Configure the applicable routes so that packets with an IP address assigned from the
NAT pool are routed to the appropriate Security Gateway or, if using IP Pools per
interface, the appropriate Security Gateway interface.


Mobile Access to the Network


Check Point Mobile Access lets remote users easily and securely use the Internet to connect
to internal networks. Remote users start a standard HTTPS request to the Mobile Access
Security Gateway, and authenticate with one or more secure authentication methods.
The Mobile Access Portal lets mobile and remote workers connect easily and securely to
critical resources over the internet. Check Point Mobile Apps enable secure encrypted
communication from unmanaged smartphones and tablets to your corporate resources.
Access can include internal apps, email, calendar, and contacts.
To include access to Mobile Access applications in the Rule Base, include the Mobile
Application in the Services & Applications column.

To give access to resources through specified remote access clients, create Access Roles for
the clients and include them in the Source column of a rule.

Check Point Mobile Access Solutions


Check Point Mobile Access has a range of flexible clients and features that let users access internal resources from remote locations. All these solutions include these features:
- Enterprise-grade, secure connectivity to corporate resources
- Strong user authentication
- Granular access control
For more information about the newest versions of Mobile Access solutions and clients, go to sk67820.

Client-Based vs. Clientless

Check Point remote access solutions use IPsec and SSL encryption protocols to create secure connections. All Check Point clients can work through NAT devices, hotspots, and proxies in situations with complex topologies, such as airports or hotels. These are the types of installations for remote access solutions:
- Client-based - Client application installed on endpoint computers and devices. The client supplies access to most types of corporate resources according to the access privileges of the user.
- Clientless - Users connect through a web browser and use HTTPS connections. Clientless solutions usually supply access to web-based corporate resources.
- On demand client - Users connect through a web browser and a client is installed when necessary. The client supplies access to most types of corporate resources according to the access privileges of the user.

Mobile Access Clients


n Capsule Workspace - An app that creates a secure container on the mobile device to
give users access to internal websites, file shares, and Exchange servers.
n Capsule Connect - A full L3 tunnel app that gives users network access to all mobile
applications.
n Check Point Mobile for Windows - A Windows IPsec VPN client that supplies secure
IPsec VPN connectivity and authentication.

Mobile Access Web Portal


The Mobile Access Portal is a clientless SSL VPN solution that supplies secure access to web-
based resources. After users authenticate to the portal, they can access Mobile Access
applications such as Outlook Web App and a corporate wiki.

SSL Network Extender


SSL Network Extender is an on-demand SSL VPN client and is installed on the computer or
mobile device from an Internet browser. It supplies secure access to internal network
resources.

Configuring Mobile Access to Network Resources


Sample Mobile Access Workflow
This is a high-level workflow to configure remote access to Mobile Access applications and
resources.
1. Use SmartConsole to enable the Mobile Access Software Blade on the Security
Gateway.
2. Follow the steps in the Mobile Access Configuration wizard to configure these settings:
a. Select mobile clients.
b. Define the Mobile Access Portal.

c. Define applications, for example Outlook Web App.


d. Connect to the AD server for user information.
3. Select the policy type:
n The default is to use the Legacy Policy, configured in the Mobile Access tab in
SmartConsole.
n To include Mobile Access in the Unified Access Control Policy, select this in
Gateway Properties > Mobile Access.
4. Add rules to the Policy:
n For Legacy Policy: Add rules in SmartConsole. Select Security Policies > Shared
Policies > Mobile Access > Open Mobile Access Policy in SmartConsole.
n For Unified Access Control Policy: Add rules in SmartConsole > Security Policies >
Access Control > Policy.

5. Configure the authentication settings in Gateway Properties > Mobile Access >
Authentication.
6. Install the Access Control Policy on the Security Gateway.
Users can access mobile applications through the configured Mobile Access Portal with
the defined authentication method.
7. Optional: Give secure access to users through the Capsule Workspace app with
certificate authentication.
a. In the Security Gateway object > Mobile Access > Authentication, click Settings,
and select Require client certificate.

b. Use the Certificate Creation and Distribution Wizard (in the Security Policies view
> Client Certificates > New).
c. Users download the Capsule Workspace app.
d. Users open the Capsule Workspace app and enter the Mobile Access Site Name
and necessary authentication, such as user name and password.

Workflow diagram (steps shown in the figure): Enable Mobile Access; Configure settings in
the Mobile Access wizard; Select the policy type and add rules to the policy; Update the
Authentication settings; Install the Access Control Policy; Generate a certificate for the
clients; Users download the app, open it, and enter settings; Users can access internal
resources.

Sample Mobile Access Deployment


This is a sample deployment of a Mobile Access Security Gateway with an AD and Exchange
server in the internal network.

Item Description

1 Mobile devices

2 Mobile Access tunnels

3 Internet (external networks)

4 Mobile Access Security Gateway

5 Internal network resources, AD and Exchange servers

In this sample Mobile Access deployment, a mobile device uses a Mobile Access tunnel to
connect to the internal network. The Mobile Access Security Gateway decrypts the packets
and authenticates the user. The connection is allowed and the mobile device connects to the
internal network resources.

Using the Mobile Access Configuration Wizard


This procedure describes how to enable and configure the Mobile Access Software Blade on a
Security Gateway with the Configuration wizard. For this sample configuration, the AD user
group Mobile Access contains all the users that are allowed to connect to the internal network.
The deployment is based on the Sample Mobile Access Deployment.
This configuration lets these clients connect to internal resources:
n Android and iOS mobile devices
n Windows and Mac computers
n Internet browsers can open an SSL Network Extender connection to the internal network

To configure Mobile Access:


1. In SmartConsole, go to Gateways & Servers and double-click the Security Gateway
object.

The General Properties window opens.


2. In the General Properties > Network Security section, select Mobile Access.

The Mobile Access page of the Mobile Access Configuration Wizard opens.
3. Configure the Security Gateway to allow connections from the Internet and mobile
devices. Select these options:
n Web
n Mobile Devices - Select the required options.
n Desktops/Laptops - Select the required options.
4. Click Next.
The Web Portal page opens.
5. Enter the primary URL for the Mobile Access Portal.
The default is: https://<IP Address of Security Gateway>/sslvpn
6. Click Next.

The Applications page opens.


7. Configure the applications to show:
a. In Web Applications, make sure Demo web application (World Clock) is
selected.
b. In Mail/Calendar/Contacts, enter the domain for the Exchange server and select:
n Mobile Mail (including push mail notifications)
n ActiveSync Applications
n Outlook Web App
The Mobile Access Portal shows links to the Demo web and Outlook Web App
applications. The client on the mobile device shows links to the other applications.

8. Click Next.
The Active Directory page opens.
9. Select the AD domain and enter the user name and password.
10. Click Connect.
The Security Gateway makes sure that it can connect to the AD server.
11. Click Next.
The Users page opens.
Click Add and then select the group Mobile Access.

12. Click Next and then click Finish.


The Mobile Access Configuration Wizard closes.

13. Click OK.


The Gateway Properties window closes.

Allowing Mobile Connections


The Mobile Access Configuration Wizard enables and configures the Mobile Access Software
Blade. It is necessary to add Firewall rules to allow connections from the VPN clients on the
computers and devices. Create a Host Node object for the Exchange server, all of the other
objects are predefined.

Name                 Source  Destination  VPN           Service     Action  Track  Install On
Mobile Access Users  Any     ExchngSrvr   RemoteAccess  HTTP        Accept  Log    MobileAccessGW
                                                        HTTPS
                                                        MSExchange

All connections from the RemoteAccess VPN community to the Exchange server are allowed.
These are the only protocols that are allowed: HTTP, HTTPS, and MS Exchange. This rule is
installed on Security Gateway in the MobileAccessGW group.

Defining Access to Applications


Use the Security Policies page in SmartConsole to define rules that let users access Mobile
Access applications. The applications that are selected in the Configuration Wizard are
automatically added to this page. You can also create and edit the rules that include these
SmartConsole objects:
n Users and user groups
n Mobile Access applications
n Mobile Access Security Gateways

Activating Single Sign-On


Enable the SSO (Single Sign-On) feature to let users authenticate one time for applications
that they use during Mobile Access sessions. The credentials that users enter to log in to the
Mobile Access Portal can be re-used automatically to authenticate to different Mobile Access
applications. SSO user credentials are securely stored on the Mobile Access Security
Gateway for that session and are used again if users log in from different remote devices. After
the session is completed, the credentials are stored in a database file.
By default, SSO is enabled on new Mobile Access applications that use HTTP. Most Web
applications authenticate users with specified Web forms. You can configure SSO for an
application to use the authentication credentials from the Mobile Access Portal. It is not
necessary for users to log in again to each application.
To configure SSO

1. In SmartConsole, go to Security Policies > Shared Policies > Mobile Access.


2. Click Open Mobile Access Policy in SmartDashboard.
3. In the Mobile Access tab, select Additional Settings > Single Sign-On.
The Single Sign-On page opens.
4. Select an application and click Edit.

The application properties window opens and shows the Single Sign On page.

For Web form applications

1. In the Application Single Sign-On Method section, select Advanced and click Edit.
The Advanced window opens.
2. Select This application reuses the portal credentials. Users are not prompted.
3. Click OK.
4. Select This application uses a Web form to accept credentials from users.
5. Click OK.
6. Install the policy.

Connecting to a Citrix Server


Citrix Services
The Mobile Access Software Blade integrates the Citrix clients and services. It is not
necessary to use STA (Secure Ticketing Authority) servers in a Mobile Access Security
Gateways deployment because Mobile Access uses its own STA engine. You can also use
Mobile Access in a deployment with STA and CSG (Citrix Secure Gateway) servers.
The Mobile Access server certificate must use a FQDN (Fully Qualified Domain Name) that is
issued to the FQDN of the Mobile Access Security Gateway.

Sample Deployment with Citrix Server


This is a sample deployment of a Mobile Access Security Gateway and a Citrix web server in
the DMZ. The Citrix XenApp server is connected to the internal network.

Item Description

1 Mobile devices

2 Mobile Access tunnels

3 Internet (external networks)

4 Security Gateway for the internal network

5 Mobile Access Security Gateway in the DMZ

6 Citrix web interface

7 Internal network resources

8 Citrix XenApp (MetaFrame) server

Configuring Citrix Services for Mobile Access


This procedure describes how to configure Mobile Access to let remote users connect to Citrix
applications. The deployment is based on the Sample Deployment with Citrix Server (see
"Sample Deployment with Citrix Server" on the previous page).

To configure Citrix services:


1. In SmartConsole, go to Manage & Settings > Blades.
2. In the Mobile Access section, click Configure in SmartDashboard.
3. In the Mobile Access tab, click Applications > Citrix Services.
4. Click New.

The General Properties page of the Citrix Service window opens.


5. Enter the Name for the Citrix server object.
6. From the navigation tree, click Web Interface.
7. To create a new object for the Citrix web interface server, in Servers, click Manage >
New > Host.
The Host Node window opens.
8. Enter the settings for the Citrix web interface server.
9. Click OK.

10. In Services, select one or more of these services that the Citrix web interface server
supports:
n HTTP
n HTTPS
11. From the navigation tree, click Link in Portal.
12. Configure the settings for the link to the Citrix services in the Mobile Access Portal:
n Link text - The text that is shown for the Citrix link
n URL - The URL for the directory or sub-directory of the Citrix application
n Tooltip - Text that is shown when the user pauses the mouse pointer above the
Citrix link
13. From the navigation tree, select Additional Settings > Single Sign On.
14. To enable Single Sign On for Citrix services, select these options:

n Turn on single Sign On for this application


n Prompt users for their credentials, and store them for future use
15. Click OK.
The Citrix server object is added to Defined Citrix Services.
16. From the Mobile Access navigation tree, select Policy.
17. Add the Citrix services object to the applicable rules.
a. Right-click on the Applications cell of a rule and select Add Applications.
b. Select the Citrix services object.
18. Install the policy.

Compliance Check
The Mobile Access Software Blade lets you use the Endpoint Security on Demand feature to
create compliance policies and add more security to the network. Mobile devices and
computers are scanned one time to make sure that they are compliant before they can connect
to the network.
The compliance scanner is installed on mobile devices and computers with ActiveX (for
Internet Explorer on Windows) or Java. The scan starts when the Internet browser tries to
open the Mobile Access Portal.

Compliance Policy Rules


The compliance policy is composed of different types of rules. You can configure the security
and compliance settings for each rule or use the default settings.

These are the rules for a compliance policy:


n Windows security - Microsoft Windows hotfixes, patches and Service Packs.
n Anti-Spyware protection - Anti-Spyware software.
n Anti-Virus protection - Anti-Virus software version and virus signature files.
n Firewall - Personal Firewall software.
n Spyware scan - Action that is done for different types of spyware.
n Custom - Compliance rules for your organization, for example: applications, files, and
registry keys.
n OR group - A group of the above rules. An endpoint computer is compliant if it meets one
of the rules in the group.

Creating a Compliance Policy


By default, Endpoint Security on Demand only allows endpoint computers that are compliant
with the compliance policy to log in to the Mobile Access Portal.

To create a compliance policy:


1. In SmartConsole, go to Manage & Settings > Blades.
2. In the Mobile Access section, click Configure in SmartDashboard.
3. On the Mobile Access tab, select Endpoint Security on Demand > Endpoint
Compliance.
4. Click Edit policies.
The Policies window opens.
5. Click New Policy.

The Policies > New Policy window opens.


6. Enter the Name and Description for the policy.
7. Click Add.
The Add Enforcement Rules window opens.
8. Select rules for the policy.
You can also create new rules - click New Rule, and configure the rule settings.
9. Click OK.
The Policies > New Policy window shows the rules for the policy.
10. Select Bypass spyware scan if necessary.

When selected, the scan for endpoint computers that are compliant with the Anti-Virus or
Anti-Spyware settings is changed. These computers do not scan for spyware when they
connect to a Mobile Access Security Gateway.
11. Click OK.
The Policies window opens.
12. Click OK.
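The policy created in this procedure is evaluated, in outline, like the following. This is an added example written for readers of this guide, not Check Point's Endpoint Security on Demand scanner: the rule types and the OR group semantics are those listed under "Compliance Policy Rules", the Bypass spyware scan option behaves as described in step 10, and the policy contents, posture reports, hotfix identifiers and registry key are constructed placeholders.

```python
"""Model of an Endpoint Security on Demand compliance policy (added example,
not Check Point's scanner).  Rule types follow "Compliance Policy Rules";
the "Laptop Computer" policy contents and the posture reports are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Tuple, Union

Posture = dict   # constructed posture report collected from an endpoint


@dataclass(frozen=True)
class Rule:
    kind: str                          # rule type as listed in the guide
    name: str
    check: Callable[[Posture], bool]


@dataclass(frozen=True)
class OrGroup:
    name: str
    members: Tuple[Rule, ...]          # compliant if any one member is satisfied
    kind: str = "OR group"


@dataclass(frozen=True)
class Policy:
    name: str
    rules: Tuple[Union[Rule, OrGroup], ...]   # every rule must be satisfied
    bypass_spyware_scan: bool = False


def satisfied(rule, posture):
    if isinstance(rule, OrGroup):
        return any(satisfied(m, posture) for m in rule.members)
    return rule.check(posture)


def assess(policy, posture):
    """Return (compliant, names of failed rules, whether the spyware scan ran).

    With "Bypass spyware scan" selected, an endpoint that satisfies the
    Anti-Virus or Anti-Spyware rule is not scanned for spyware, so the
    Spyware scan rule cannot fail for it.
    """
    av_or_as_ok = any(satisfied(r, posture) for r in policy.rules
                      if r.kind in ("Anti-Virus protection", "Anti-Spyware protection"))
    scan_ran = not (policy.bypass_spyware_scan and av_or_as_ok)
    failed = []
    for r in policy.rules:
        if r.kind == "Spyware scan" and not scan_ran:
            continue                   # scan skipped: nothing to fail on
        if not satisfied(r, posture):
            failed.append(r.name)
    return not failed, failed, scan_ran


REQUIRED_HOTFIXES = {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}      # constructed identifiers

LAPTOP_POLICY = Policy("Laptop Computer", (
    Rule("Windows security", "Required hotfixes",
         lambda p: REQUIRED_HOTFIXES <= set(p.get("hotfixes", []))),
    Rule("Anti-Virus protection", "AV signatures under 7 days old",
         lambda p: p.get("av_signature_age_days", 999) <= 7),
    OrGroup("Any personal firewall", (
        Rule("Firewall", "Vendor A firewall", lambda p: "vendor-a-fw" in p.get("running", [])),
        Rule("Firewall", "Vendor B firewall", lambda p: "vendor-b-fw" in p.get("running", [])),
    )),
    Rule("Spyware scan", "No spyware found", lambda p: not p.get("spyware_found", [])),
    Rule("Custom", "Disk encryption registry flag",   # constructed registry key
         lambda p: p.get("registry", {}).get("HKLM\\SOFTWARE\\Example\\DiskEncrypted") == 1),
), bypass_spyware_scan=True)

# Constructed posture reports
COMPLIANT_LAPTOP = {
    "hotfixes": ["KB-EXAMPLE-1", "KB-EXAMPLE-2", "KB-EXAMPLE-3"],
    "av_signature_age_days": 2,
    "running": ["vendor-b-fw"],
    "spyware_found": [],
    "registry": {"HKLM\\SOFTWARE\\Example\\DiskEncrypted": 1},
}
STALE_LAPTOP = dict(COMPLIANT_LAPTOP, av_signature_age_days=30, running=[],
                    spyware_found=["example-tracker"])

if __name__ == "__main__":
    print(assess(LAPTOP_POLICY, COMPLIANT_LAPTOP))
    print(assess(LAPTOP_POLICY, STALE_LAPTOP))
```

The third value returned by assess shows the effect of Bypass spyware scan: the compliant laptop is never scanned for spyware because its Anti-Virus rule passes, while the laptop with stale signatures is scanned and fails on three rules.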

Configuring Compliance Settings for a Security Gateway


The Firewall on a Mobile Access Security Gateway only allows access to endpoint computers
that are compliant with the compliance policy.

This procedure shows how to configure the Laptop Computer policy for a Security Gateway
(see "Compliance Policy Rules" on the previous page).

To configure the compliance settings:


1. In SmartConsole, go to Manage & Settings > Blades.
2. In the Mobile Access section, click Configure in SmartDashboard.
3. In the Mobile Access tab, select Endpoint Security on Demand > Endpoint
Compliance.
4. Select the Security Gateway and click Edit.
The Endpoint Compliance page of the Security Gateway properties window opens.
5. Select Scan endpoint machine when user connects.
6. Select Threshold policy and from the drop-down menu select Laptop Computer.

7. Click OK.
8. Install the policy on the Mobile Access Security Gateway.

Secure Workspace

Secure Workspace is a security solution that allows remote users to connect to enterprise
network resources safely and securely. The Secure Workspace virtual workspace provides a
secure environment on endpoint computers that is segregated from the "real" workspace.
Users can only send data from this secure environment through the Mobile Access Portal.
Secure Workspace users can only access permitted applications, files, and other resources
from the virtual workspace.
Secure Workspace creates an encrypted folder on the computer called My Secured
Documents and can be accessed from the virtual desktop. This folder contains temporary user
files. When the session terminates, Secure Workspace deletes this folder and all other session
data.
For more about configuring Secure Workspace and Mobile Access VPN, see the R82 Mobile
Access Administration Guide.
To enable Secure Workspace on a Mobile Access Security Gateway

1. In SmartConsole, go to Manage & Settings > Blades.


2. In the Mobile Access section, click Configure in SmartDashboard.
Legacy SmartDashboard opens.
3. In the Mobile Access tab, click Endpoint Security on Demand > Secure Workspace.

4. Select the Security Gateway and click Edit.


The Check Point Secure Workspace page of the Security Gateway properties
window opens.
5. Select This gateway supports access to applications from within Check Point
Secure Workspace.
6. Click OK.
7. Install the policy.


To Learn More About Mobile Access


To learn more about Mobile Access VPN, see the R82 Mobile Access Administration Guide.

Site-to-Site VPN
The basis of Site-to-Site VPN is the encrypted VPN tunnel. Two Security Gateways negotiate
a link and create a VPN tunnel and each tunnel can contain more than one VPN connection.
One Security Gateway can maintain more than one VPN tunnel at the same time.

Sample Site-to-Site VPN Deployment


Item Description

A, B Security Gateways

2 VPN tunnel

3 Internal network in VPN domain

4 Host 4

5 Host 5

In this sample VPN deployment, Host 4 and Host 5 securely send data to each other. The
Security Gateways perform IKE negotiation and create a VPN tunnel. They use the IPsec
protocol to encrypt and decrypt data that is sent between Host 4 and Host 5.

VPN Workflow

Workflow diagram (steps shown in the figure): Host 4 sends a packet to Host 5; Security
Gateways A and B create a VPN tunnel; Security Gateway A encrypts the data; the encrypted
data is sent through the VPN tunnel; Security Gateway B decrypts the data; Host 5 receives
the unencrypted data.

VPN Communities
A VPN Domain is a collection of internal networks that use Security Gateways to send and
receive VPN traffic. Define the resources that are included in the VPN Domain for each
Security Gateway. Then join the Security Gateways into a VPN community - collection of VPN
tunnels and their attributes. Network resources of different VPN Domains can securely
communicate with each other through VPN tunnels that terminate at the Security Gateways in
the VPN communities.

VPN communities are based on Star and Mesh topologies. In a Mesh community, there are
VPN tunnels between each pair of Security Gateways. In a Star community, each satellite
Security Gateway has a VPN tunnel to the central Security Gateway, but not to other Security
Gateways in the community.

Diagrams: Mesh Topology and Star Topology

Item Description

1 Security Gateway

2 Satellite Security Gateways

3 Central Security Gateway

Sample Star Deployment

This section explains how to configure a VPN star community. This deployment lets the
satellite Security Gateways connect to the internal network of the central Security Gateway.
The internal network object is named: Internal-network.

To create a new VPN Star Community:

1. In SmartConsole, go to the Security Policies page.


2. In the Access Tools section, click VPN Communities.

3. Click New and select Star Community.


The New Star Community window opens.
4. Enter the name for the community.
5. From the navigation tree, select Encryption.
6. Configure the VPN encryption methods and algorithms for the VPN community.
7. Click OK.

To configure star VPN for the Security Gateways

For each Security Gateway in the VPN community, follow these configuration steps.

1. In SmartConsole, go to the Gateways & Servers page and double-click the Security
Gateway object.
The Security Gateway properties window opens.
2. In the Network Security section of the General Properties page, select IPsec VPN.
3. From the navigation tree, go to Network Management > VPN Domain.
n For the central Security Gateway, click Manually defined and select the
Internal-network object
n For a satellite Security Gateway, select All IP addresses
4. From the navigation tree, click IPsec VPN.
5. Configure the Security Gateway as a member of a VPN star community.

a. In the This Security Gateway participates in the following VPN Communities
section, click Add.
The Add this Gateway to Community window opens.
b. Select the VPN Community.
c. Click OK.
6. Click OK.
After you create a community and configure Security Gateways, add those Security
Gateways to the community as a center or as a satellite Security Gateway.

To add a Security Gateway to a new star community

1. In SmartConsole, go to the Security Policies page.

2. In the Access Tools section, click VPN Communities.


3. Select the new star community and click Edit.
The Star Community window opens.
4. In the Gateways page, add Security Gateways to the community:
n Center Gateways - Click Add and select center Security Gateways. Select
Mesh center gateways, if necessary.
n Satellite Gateways - Click Add and select satellite Security Gateways.
5. Click OK.
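The same star deployment can be configured without SmartConsole through the Check Point Management API. The following is an added example, not Check Point's own code: it assumes a Management Server at MGMT_URL with the API enabled and an API user with read/write permissions, and the request fields for set-simple-gateway and add-vpn-community-star (ipsec-vpn, vpn-settings.vpn-domain-type, vpn-settings.vpn-domain, center-gateways, satellite-gateways, encryption-method, encryption-suite) are written from the Management API reference as recalled here; confirm them against the API reference for your release. The API call function is injected so the sequence can be checked without a server.

```python
"""Configure the sample VPN Star Community from this section through the
Check Point Management API.  Added example, not Check Point's own code.

Assumptions (not from the guide): MGMT_URL points at a Management Server
whose API is enabled, API_USER has a read/write permission profile, and the
request bodies follow the set-simple-gateway and add-vpn-community-star
fields of the Management API reference as recalled by the example's author;
check them against the reference for your release.
"""
import json
import ssl
import urllib.request
from functools import partial

MGMT_URL = "https://203.0.113.10/web_api"   # assumption: TEST-NET-3 address of the Management Server
API_USER = "api_admin"                       # assumption
API_PASSWORD = "<placeholder>"               # placeholder: load from a vault or prompt, never hard-code

INTERNAL_NETWORK = "Internal-network"        # network object named in the guide


def gateway_vpn_payload(gateway, role):
    """Body for set-simple-gateway: enable IPsec VPN and set the VPN Domain.

    The guide sets the central gateway's VPN Domain manually to
    Internal-network and lets each satellite use all IP addresses behind it.
    """
    if role == "center":
        vpn_settings = {"vpn-domain-type": "manual", "vpn-domain": INTERNAL_NETWORK}
    elif role == "satellite":
        vpn_settings = {"vpn-domain-type": "addresses_behind_gw"}   # assumed API value
    else:
        raise ValueError("role must be 'center' or 'satellite'")
    return {"name": gateway, "ipsec-vpn": True, "vpn-settings": vpn_settings}


def star_community_payload(name, center, satellites,
                           encryption_method="ikev2 only",
                           encryption_suite="suite-b-gcm-256"):
    """Body for add-vpn-community-star, including the Encryption page settings."""
    if not center or not satellites:
        raise ValueError("a star community needs a center and at least one satellite")
    if set(center) & set(satellites):
        raise ValueError("a gateway cannot be both center and satellite")
    return {
        "name": name,
        "center-gateways": list(center),
        "satellite-gateways": list(satellites),
        "encryption-method": encryption_method,
        "encryption-suite": encryption_suite,
    }


def configure_star_community(api_call, name, center, satellites):
    """Run the section's procedure end to end and return the commands issued.

    api_call(command, body) -> dict performs one API call.  It is injected so
    the sequence can be exercised without a Management Server.
    """
    issued = []
    for gw in center:
        issued.append("set-simple-gateway")
        api_call("set-simple-gateway", gateway_vpn_payload(gw, "center"))
    for gw in satellites:
        issued.append("set-simple-gateway")
        api_call("set-simple-gateway", gateway_vpn_payload(gw, "satellite"))
    issued.append("add-vpn-community-star")
    api_call("add-vpn-community-star", star_community_payload(name, center, satellites))
    issued.append("publish")       # changes stay private to the session until published
    api_call("publish", {})
    return issued


def http_api_call(sid, command, body, url=MGMT_URL, verify_tls=True):
    """One HTTPS call to the Management API (real network access)."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    req = urllib.request.Request(f"{url}/{command}", data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:   # lab only: a self-signed management certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    sid = http_api_call(None, "login", {"user": API_USER, "password": API_PASSWORD})["sid"]
    try:
        print(configure_star_community(partial(http_api_call, sid), "Star-Community",
                                       ["Central-GW"], ["Satellite-1", "Satellite-2"]))
    finally:
        http_api_call(sid, "logout", {})
```

The example publishes but does not install the policy: the Access Control rules that allow the encrypted traffic are a separate step, covered under "Allowing VPN Connections", and policy installation belongs after them.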

R82 Security Management Administration Guide | 519


Site-to-Site VPN

Sample Combination VPN Community

Item Description

1 London Security Gateway

2 New York Security Gateway

3 London - New York Mesh community

4 London company partner (external network)

5 London Star community

6 New York company partner (external network)

7 New York Star community

This deployment is composed of a Mesh community for London and New York Security
Gateways that share internal networks. The Security Gateways for external networks of
company partners do not have access to the London and New York internal networks.
However, the Star VPN communities let the company partners access the internal networks of
the sites that they work with.

Allowing VPN Connections


To allow VPN connections between Security Gateways in specific VPN communities, add
Access Control rules that accept such connections.
To allow all VPN traffic to hosts and clients on the internal networks of a specific VPN
community, select these options in the Encrypted Traffic section of the properties
configuration window for that VPN Community:

n For a meshed community: Accept all encrypted traffic


n For a Star Community: Accept all encrypted traffic on Both center and satellite
gateways, or Accept all encrypted traffic on Satellite gateways only.

Sample VPN Access Control Rules


This table shows sample VPN rules for an Access Control Rule Base. (The Action, Track and
Time columns are not shown. Action is set to Allow, Track is set to Log, and Time is set to
Any.)

No.  Name              Source  Destination               VPN                           Service   Install On
1    -                 Any     NEGATED Member Security   BranchOffices, LondonOffices  Any       BranchOffices, LondonOffices
                               Gateways
2    Site-to-site VPN  Any     Any                       All_GwToGw                    FTP-port  Policy Targets
                                                                                       HTTP
                                                                                       HTTPS
                                                                                       SMTP
3    Remote access     Any     Any                       RemoteAccess                  HTTP      Policy Targets
                                                                                       HTTPS
                                                                                       IMAP

1. Automatic rule that SmartConsole adds to the top of the Implied Rules when the Accept
All Encrypted Traffic configuration option is selected for the BranchOffices VPN
community and the LondonOffices VPN community. This rule is installed on all the
Security Gateways in these communities. It allows all VPN traffic to hosts and clients on
the internal networks of these communities. Traffic that is sent to the Security Gateways
in these VPN communities is dropped.
Note - This automatic rule can apply to more than one VPN community.
2. Site-to-site VPN - Connections between hosts in the VPN Domains of all Site-to-Site
VPN communities are allowed. These are the only protocols that are allowed: FTP,
HTTP, HTTPS and SMTP.
3. Remote access - Connections between hosts in the VPN Domains of Remote Access
VPN community are allowed. These are the only protocols that are allowed: HTTP,
HTTPS, and IMAP.
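To see how the rules in this table combine, here is an added example (not Check Point's matching engine) that evaluates constructed connections against a model of the three rules, first match wins, with the implicit drop when nothing matches; it also models the Mobile Access Users rule from "Allowing Mobile Connections". Object and community names are the ones in the tables; the IP addresses assigned to them and the sample connections are constructed, and the Install On column is not modelled.

```python
"""First-match evaluation of the sample VPN Access Control rules and of the
"Mobile Access Users" rule.  Added example, not Check Point's matching engine.
Object and community names come from the guide; IP addresses and connections
are constructed (TEST-NET / RFC 1918 ranges).  Install On is not modelled.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

ANY = "Any"
SITE_TO_SITE_COMMUNITIES = {"BranchOffices", "LondonOffices"}   # what All_GwToGw expands to here

# Constructed network objects: name -> networks it contains
OBJECTS = {
    "Member Security Gateways": ["198.51.100.1/32", "198.51.100.2/32"],
    "ExchngSrvr": ["10.0.0.25/32"],
}


@dataclass(frozen=True)
class Rule:
    number: int
    name: str
    source: str                 # object name or "Any"
    destination: str            # object name or "Any"
    vpn: frozenset              # community names, "All_GwToGw", or "Any"
    services: frozenset         # service names or "Any"
    action: str = "Accept"
    negate_destination: bool = False   # the NEGATED cell in rule 1


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str
    vpn: Optional[str] = None   # community the packet was decrypted from; None = clear text


def in_object(ip, obj):
    if obj == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECTS[obj])


def vpn_matches(rule_vpn, conn_vpn):
    """VPN column: Any matches everything, otherwise only traffic from a listed community."""
    if ANY in rule_vpn:
        return True
    if conn_vpn is None:
        return False
    if "All_GwToGw" in rule_vpn and conn_vpn in SITE_TO_SITE_COMMUNITIES:
        return True
    return conn_vpn in rule_vpn


def matches(rule, conn):
    dst_ok = in_object(conn.dst, rule.destination)
    if rule.negate_destination:
        dst_ok = not dst_ok
    service_ok = ANY in rule.services or conn.service in rule.services
    return (in_object(conn.src, rule.source) and dst_ok
            and vpn_matches(rule.vpn, conn.vpn) and service_ok)


def first_match(rules, conn):
    """Return (rule number, action); no match means the implicit cleanup drop."""
    for rule in rules:
        if matches(rule, conn):
            return rule.number, rule.action
    return None, "Drop"


VPN_RULES = [
    Rule(1, "-", ANY, "Member Security Gateways",
         frozenset({"BranchOffices", "LondonOffices"}), frozenset({ANY}), negate_destination=True),
    Rule(2, "Site-to-site VPN", ANY, ANY, frozenset({"All_GwToGw"}),
         frozenset({"FTP-port", "HTTP", "HTTPS", "SMTP"})),
    Rule(3, "Remote access", ANY, ANY, frozenset({"RemoteAccess"}),
         frozenset({"HTTP", "HTTPS", "IMAP"})),
]
MOBILE_ACCESS_RULES = [
    Rule(1, "Mobile Access Users", ANY, "ExchngSrvr", frozenset({"RemoteAccess"}),
         frozenset({"HTTP", "HTTPS", "MSExchange"})),
]

# Constructed connections
SAMPLES = {
    "branch host to London host, SSH in BranchOffices": Connection("10.1.1.5", "10.2.2.7", "SSH", "BranchOffices"),
    "branch host to a member gateway, SSH": Connection("10.1.1.5", "198.51.100.2", "SSH", "BranchOffices"),
    "clear-text HTTP to London host": Connection("192.0.2.9", "10.2.2.7", "HTTP"),
    "remote access IMAP": Connection("192.0.2.9", "10.2.2.7", "IMAP", "RemoteAccess"),
}

if __name__ == "__main__":
    for label, conn in SAMPLES.items():
        print(f"{label}: {first_match(VPN_RULES, conn)}")
    print("mobile HTTPS to Exchange:",
          first_match(MOBILE_ACCESS_RULES, Connection("192.0.2.9", "10.0.0.25", "HTTPS", "RemoteAccess")))
```

The second sample connection shows the effect of the negated destination: encrypted traffic addressed to a member gateway itself is not accepted by rule 1, and because SSH is not one of the services in rule 2 it falls through to the implicit drop.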

To Learn More About Site-to-Site VPN


To learn more about Site-to-Site VPN, see the R82 Site to Site VPN Administration Guide.

Remote Access VPN


If employees remotely access sensitive information from different locations and devices,
system administrators must make sure that this access does not become a security
vulnerability. Check Point's Remote Access VPN solutions let you create a VPN tunnel
between a remote user and the internal network. The Mobile Access Software Blade extends
the functionality of Remote Access solutions to include many clients and deployments.

VPN Connectivity Modes


When securely connecting remote clients with the internal resources, organizations face
connectivity challenges, such as these:
n The IP addresses of a remote access client might be unknown
n The remote access client can be connected to a LAN with internal IP addresses (such
as, at hotels)
n It is necessary for the remote client to use protocols that are not supported
The Check Point IPsec VPN Software Blade provides these VPN connectivity modes to help
organizations resolve those challenges:
n Office Mode
Remote users can be assigned the same or non-routable IP addresses from the local
ISP. Office Mode solves these routing problems and encapsulates the IP packets with an
available IP address from the internal network. Remote users can send traffic as if they
are in the office and avoid VPN routing problems.
n Visitor Mode
Remote users can be restricted to using only HTTP and HTTPS protocols. Visitor Mode
lets these users tunnel all protocols through regular TCP connections on port 443.

Sample Remote Access VPN Workflow


Here is an example of a Remote Access VPN workflow:
1. Use SmartConsole to enable Remote Access VPN on the Security Gateway.
2. Add the remote user information to the Security Management Server:
n Create and configure an LDAP Account Unit
n Enter the information in the SmartConsole user database
Optional: Configure the Security Gateway for remote user authentication.
3. Define the Access Control and encryption rules for the Security Gateway.
4. Create the group objects to use in the Security Gateway rules:

n LDAP Group object - for an LDAP Account Unit


n User Group object - for users configured in the SmartConsole user database
5. Create and configure the encryption settings for the VPN community object in Menu >
Global properties > Remote Access > VPN - Authentication and Encryption.
6. Add Access Control rules to the Access Control Rule Base to allow VPN traffic to the
internal networks.

Workflow diagram (steps shown in the figure): Enable remote access VPN; Manage users
either in LDAP (Configure LDAP Account Unit; Configure user authentication; Create LDAP
user group object) or in SmartConsole (Configure users; Configure user authentication;
Create user group object); Create VPN Community; Configure rules for VPN access in the
Access Control Rule Base; Install policy.

Configuring the Security Gateway for a Remote Access Community
Make sure that the VPN Software Blade is enabled before you configure the Remote Access
community.
To configure the Security Gateway for Remote Access

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
The Security Gateway object opens and shows the General Properties page.
2. From the navigation tree, click IPsec VPN.
The page shows the VPN communities that the Security Gateway is participating in.

3. To add the Security Gateway to a Remote Access community:


a. Click Add.
b. Select the community.
c. Click OK.
4. From the navigation tree, click Network Management > VPN Domain.
5. Configure the VPN Domain.

To configure the settings for Visitor Mode

1. From the navigation tree, click VPN Clients > Office Mode.

2. Configure the settings for Office Mode.


Note - Office Mode support is mandatory on the Security Gateway side.

3. Click OK.
4. Publish the SmartConsole session.

To Learn More About Remote Access VPN


See the R82 Remote Access VPN Administration Guide.

Implied Rules
The Check Point Security Management Server and its managed objects (Security Gateways,
Cluster Members, Log Servers, and so on) communicate with each other through the Check
Point protocols. By default, each Access Control policy contains predefined implied rules that
allow the required internal Check Point communication.

To view the implied rules in SmartConsole:


1. From the left navigation panel, click Security Policies.
2. In the top left panel, click Access Control > Policy.
3. From the top toolbar, click Actions > Implied Rules.

To configure the implied rules in SmartConsole:


1. In the top left corner, click Menu > Global properties.
2. In the Firewall page, select the applicable options and configure the order of the implied
rules.
3. Click OK.
4. Install the Access Control policy on each managed Security Gateway / Cluster / Virtual
System.
For more information, see sk179346.

Creating a New Threat Prevention Policy
To learn about configuring a Threat Prevention Policy, see the R82 Threat Prevention
Administration Guide.

Installing the Threat Prevention Policy


The IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction Software Blades have a
dedicated Threat Prevention Policy. You can install this policy separately from the policy
installation of the Access Control Software Blade. Install only the Threat Prevention Policy to
minimize the performance impact on the Security Gateways.

To install the Threat Prevention Policy:


1. From the Global toolbar, click Install Policy.
The Install Policy window opens and shows the installation targets (Security Gateways).
2. Select Threat Prevention.
3. Select Install Mode:
- Install on each selected gateway independently - Install the policy on the
selected Security Gateways without reference to the other targets. A failure to
install on one Security Gateway does not affect policy installation on other Security
Gateways.
If the Security Gateway is a member of a cluster, install the policy on all the
members. The Security Management Server makes sure that it can install the
policy on all the members before it installs the policy on one of them. If the policy
cannot be installed on one of the members, policy installation fails for all of them.
- Install on all selected gateways, if it fails do not install on gateways of the same
version - Install the policy on all installation targets. If the policy fails to install on
one of the Security Gateways, the policy is not installed on other targets of the
same version.
4. Click OK.

Unified Access Policy for SASE and Network Security
This integration lets you manage SASE Internet Access policy and HTTPS Inspection policy
directly from SmartConsole. By centralizing policy management, you ensure consistent policy
enforcement across products, streamline governance for security policies, and consolidate
operations into one trusted management platform.

Prerequisites
- Security Management Server version R82 with Jumbo Hotfix Accumulator Take 73 or
higher.
- Active Check Point Portal tenant in the US and EU regions with an active SASE
application.
- Security Management Server must be connected to the Check Point Portal. See
"Connecting On-Premises Management Servers and Security Gateways to the Check
Point Portal" on page 557 for more information.
- SASE SKU for Internet Access (for example: CP-SASE-IA-ESS*).
  To activate Internet Access on your tenant:
  1. Log in to the Check Point Portal.
  2. Navigate to Menu > Hybrid Mesh Network Security > SASE > Internet Access >
  Access Policy.
  3. In the top-right corner, enable the Status button.
- Integration of Azure or Okta Identity Provider on both the Check Point Portal and SASE.
See the SCIM documentation for configuration instructions.

Activating Unified Access Policy for SASE

Procedure

1. In SmartConsole, go to the Infinity Services view.
2. Go to the SASE card, and click Switch to Quantum.
3. In the Manage Internet Access using SmartConsole window that opens, click I Agree.
The system creates a new policy package dedicated to SASE. The status of the SASE
card changes to Internet Access policy is managed in SmartConsole.
4. Go to the Security Policies view > Access Control. A new policy package named SASE
Internet Access is created. It contains default rules for Internet Access and HTTPS
Inspection.

Important - Existing SASE policies are not imported to the Security Management Server
and are overridden on the first policy installation in SmartConsole.

5. In the new SASE Internet Access policy package, create the required rules.

6. Click Install Policy, and from the drop-down menu select SASE Internet Access.

Notes:
- Program-based rules remain managed only in SASE.
- The rules of the new SASE Internet Access layer are also displayed in the
Check Point Portal SASE application, but as read-only rules.

To share the SASE Internet Access and HTTPS Inspection Outbound Policy Layers
across policy packages:
1. In your policy package, navigate to the rule where you want to add the Layer.

2. Click the Action column for that rule.


3. Select Inline Layer, and from the drop-down menu, select the applicable Layer to add.

Supported Policies and Objects


The SASE Internet Access policy package supports these objects:

- In the Network Security Internet Access policy Layer:
  - Identity Provider users and groups in the Source column (as part of an Access
  Role).
  - Check Point's URL Filtering web categories
  - Custom URLs
  - Application Control blade
- In the HTTPS Inspection Outbound Layer:
  - Identity Provider users and groups in the Source column (as part of an Access
  Role).
  - Web categories, domains, and IP addresses in the Destination column.

For more information, see the SASE bypass policy configuration.

- Use of unsupported objects in the SASE Internet Access policy package results in a
validation error.

Mapping of Policy Component Display between Network Security and SASE

Network Security Access Control Policy Component | SASE equivalent | Network Security SASE IA Layer Equivalent
Access Control Policy | Internet Access | SASE Internet Access
HTTPS Inspection Policy | HTTPS Inspection | HTTPS Inspection Outbound Policy
Destination column | N/A | Displays the value Any
Services & Applications column displays the service name | Destination column | Destination column displays the service or application

Logs
Each security feature or module in SASE generates and manages its own logs. You can
forward these logs from SASE to Events & AIOps for centralized monitoring and analysis.

Switching Back to SASE Management

To switch back to SASE management:
1. In SmartConsole, go to the Infinity Services view.
2. In the SASE card, click the 3 dots menu, and select Switch to Cloud Management.
After returning to SASE, the policy management seamlessly continues in SASE from the point
where you last managed it in SmartConsole.

Analyzing Threats
Networks today are more exposed to cyber threats than ever. This creates a challenge for
organizations in understanding the security threats and assessing damage.
SmartConsole helps the security administrator find the cause of cyber threats, and remediate
the network.
The Logs & Events > Logs view presents the threats as logs.
The other views in the Logs & Events view combine logs into meaningful security events. For
example, malicious activity that occurred on a host in the network in a selected time interval
(the last hour, day, week or month). They also show pre- and post-infection statistics.

You can create rich and customizable views and reports for log and event monitoring, which
inform key stakeholders about security activities. For each log or event, you can see a lot of
useful information from the ThreatWiki and IPS Advisories about the malware, the virus or the
attack.
For more information, see:
- R82 Threat Prevention Administration Guide.
- R82 Logging and Monitoring Administration Guide.

UserCheck in the Access Control Policy
This section describes how to configure and use UserCheck.
When you enable the UserCheck feature, the Security Gateway sends messages to users
about possible non-compliant behavior or dangerous Internet browsing, based on the rules an
administrator configured in the Security Policy. This helps users prevent security incidents and
learn about the organizational security policy. You can develop an effective policy based on
logged user responses. Create UserCheck objects and use them in the Rule Base, to
communicate with the users.

These Software Blades support the UserCheck feature:


- Data Loss Prevention
- Access Control:
  - Application Control
  - URL Filtering
  - Content Awareness
- Threat Prevention:
  - Anti-Bot
  - Anti-Virus
  - Threat Emulation
  - Threat Extraction
  - Zero Phishing

Getting Started with UserCheck for the Data Loss Prevention Software Blade:
See the R82 Data Loss Prevention Administration Guide > Chapter "UserCheck".

Getting Started with UserCheck for the Application Control, URL Filtering, and Content
Awareness Software Blades:
1. In SmartConsole, in the Security Gateway / Cluster object:
a. Enable the applicable Access Control Software Blades.
b. Configure the applicable UserCheck settings.
See "Configuring UserCheck" on page 537.
c. Optional: Download the UserCheck Client and install it on endpoint computers.
See the R82 Quantum Security Gateway Guide > Chapter "UserCheck Client".
2. Optional: In the Global Properties, configure the applicable UserCheck settings.

3. Configure the applicable UserCheck Interaction Objects.


See "UserCheck Interaction Objects for Access Control Software Blades" on page 541.
4. Configure the applicable Access Control Policy.
See "Creating an Access Control Policy" on page 329:
In Access Control rules, click in the Action column > click the applicable menu Drop,
Ask, or Inform > select the required UserCheck Interaction object.
5. Install the Access Control Policy on the Security Gateway / Cluster object.
6. Additional Configuration:
- "Localizing and Customizing the UserCheck Portal" on page 548

Configuring UserCheck
Enable or disable UserCheck directly on the Security Gateway. When UserCheck is enabled,
the user's Internet browser shows the UserCheck messages in a new window. If users connect
to the Security Gateway remotely, set the internal interface of the Security Gateway (on the
Topology page) to be the same as the Main URL for the UserCheck Portal.
To configure UserCheck on a Security Gateway

Step Instructions

1 From the left navigation panel, click Gateways & Servers.

2 Double-click the Security Gateway / Cluster object.

3 In the left panel, click UserCheck.

4 Select Enable UserCheck for active blades.

5 In the UserCheck Web Portal section, the Main URL field shows the primary
URL for the web portal that shows the UserCheck notifications.
You can use the suggested Main URL or manually enter a different Main URL.

6 Optional:
Click Aliases to add URL aliases that redirect different hostnames to the Main
URL.
For example: [Link]
The aliases must be resolved to the portal IP address on the corporate DNS
server.

7 In the Certificate section, click Import to import a certificate that the portal uses
to authenticate to the Security Management Server.
By default, the portal uses a certificate from the Check Point Internal Certificate
Authority (ICA).
This might generate warnings if the user browser does not recognize Check
Point as a trusted Certificate Authority.
To prevent these warnings, import your own certificate from a recognized
external authority.
Note - After you download your certificate, you can click Replace to
replace it with a different certificate, and click View to see the certificate
information.

8 In the Accessibility section, click Edit to configure interfaces on the Security
Gateway through which the portal can be accessed.
These options are based on the topology configured in the Security Gateway
object.
You must configure the topology settings on the Network Management page.
Select the applicable option when the Security Gateway must send users to the
UserCheck Portal based on how they connect:
- Through all interfaces
- Through internal interfaces (default)
  - Including undefined internal interfaces
  - Including DMZ internal interfaces
  - Including VPN encrypted interfaces (default)
    Applies to interfaces used for establishing route-based VPN
    tunnels (VTIs)
- According to the Firewall Policy
Select this option if there is an Access Control rule that determines who
can access the UserCheck Portal.
If the Main URL is set to an external interface, you must set the Accessibility to
one of these:
- Through all interfaces
You must select this option if this is a VSX Gateway / VSX Cluster.
- According to the Firewall Policy

9 UserCheck Client - The UserCheck Client is installed on user devices to
communicate with the Security Gateway and show UserCheck Interaction
notifications to users.
- Activate UserCheck Client support
This enables UserCheck through the UserCheck Client.
- Download Client
This downloads the installation file for the UserCheck Client.

Note - The link is not active until the UserCheck Portal is up.

See the R82 Quantum Security Gateway Guide > Chapter "UserCheck Client".

10 In the Mail Server section, configure a mail server for UserCheck.
This server sends notifications to users that the Security Gateway cannot notify
using other means, if the server knows the email address of the user.
For example, if a user sends an email that matched a rule, the Security
Gateway cannot redirect the user to the UserCheck Portal because the traffic is
not HTTP.
If the user does not have a UserCheck Client, UserCheck sends an email
notification to the user.
- Use the default settings
Click the link to see which mail server is configured.
- Use specific settings for this gateway
Select this option to override the default mail server settings.
- Send emails using this mail server
Select a mail server from the list, or click New and define a new mail
server.

11 Click OK to close the Security Gateway / Cluster object.

12 If there is encrypted traffic through an internal interface, add a new rule to the
Firewall Layer of the Access Control Policy.
Example rule:
Source | Destination | VPN | Services & Applications | Action
Any | Security Gateway on which UserCheck Client is enabled | Any | UserCheck | Accept

13 Install the Access Control Policy to enable UserCheck for these Access Control
Software Blades:
- Application Control
- URL Filtering
- Content Awareness
- Data Loss Prevention
Install the Threat Prevention Policy to enable UserCheck for these Threat
Prevention Software Blades:
- Anti-Bot
- Anti-Virus
- Threat Emulation
- Threat Extraction
- Zero Phishing

UserCheck CLI
See the R82 CLI Reference Guide - Chapter "Security Gateway Commands" - Section
"usrchk".

UserCheck Interaction Objects for Access Control Software Blades
This section describes how to configure UserCheck Interaction Objects.
UserCheck Interaction Objects add flexibility and give the Security Gateway a mechanism to
communicate with users.
You use the UserCheck Interaction Objects in the "Action" column of the Access Control
Policy to:
- Help users with decisions that can be dangerous to the organization's security.
- Share the organization's changing Internet policy for web applications and sites with users,
in real time.

Note - You create and edit UserCheck Interaction objects for the Access Control
policy only in SmartConsole.

UserCheck Interaction Action Types


Action Type | Description

Ask | Users get a message that asks if they want to continue to the requested site.
UserCheck Interaction objects with this action type appear in Access Control rules
Profiles > when you click in the Action column > in the menu Ask.

Block | Users get a message that the company policy blocked access to the requested
site.
UserCheck Interaction objects with this action type appear in Access Control rules
Profiles > when you click in the Action column > in the menu Drop.

Cancel | After a user gets an Inform or Ask notification and clicks Cancel, they get a
message that they cancelled their request to access a site.

Inform | Users get a message about the company policy for the requested site and they
must click OK to continue to the site.

Default UserCheck Interaction Objects for Access Control

Notes:
- These default objects open in the read-only view.
- You can right-click each default object and click Clone.
- To preview a default UserCheck Interaction object, click it.

1. From the left navigation panel, click Security Policies.
2. In the top panel, click Access Control.
3. In the bottom panel Access Tools, click UserCheck.
4. These are the default UserCheck Interaction objects for Access Control:

Default UserCheck Interaction Object | Action Type
Company Policy | Ask
Blocked Message - Access Control | Block
Cancel Page - Access Control | Cancel
Access Approval | Inform
Access Notification | Inform

Creating New UserCheck Interaction Objects for Access Control
Procedure

1. From the left navigation panel, click Security Policies.


2. In the top panel, click Access Control.
3. In the bottom panel Access Tools, click UserCheck.
4. From the top toolbar, click New > click the applicable UserCheck Interaction:

Note - You can right-click a default UserCheck Interaction object > click
Clone, and then edit the cloned object as required.

- Ask UserCheck
If you select this UserCheck Interaction object in a Threat Prevention profile in
the applicable Software Blade, then internal users get a message that asks them
if they want to continue with the request or not.
To continue with their request, users are expected to enter a reason.
- Inform UserCheck
If you select this UserCheck Interaction object in a Threat Prevention profile in
the applicable Software Blade, then internal users get an informative message.
Users can continue or cancel their request.
- Block UserCheck
If you select this UserCheck Interaction object in a Threat Prevention profile in
the applicable Software Blade, then internal users get a message that their
request was blocked.
5. Optional: In the top corner, on the right side of the icon, click the downward arrow and
select the desired color.
6. In the top field, enter an object name.
7. Optional: In the Comment field, enter the applicable text.
8. In the left panel, click the Message page:
a. To select a language for the message (English is the default), above the
message section, click the Languages button > select the required languages >
click OK.

Note - The corresponding tab appears for each language you select.

b. To insert a variable field into the message, from the top toolbar, click Insert Field
and click the applicable variable.

Notes:
- When the Ask, Inform, or Block action occurs, the UserCheck
Portal and UserCheck Client replace these variables with
applicable values in the message.
- To resolve the Username variable, you must enable the Identity
Awareness Software Blade and configure the required settings.
See the R82 Identity Awareness Administration Guide.


c. To add your logo, in the message body, click Add Logo > click > click Add
new image > browse to the required image file and select it > click Open.

Notes:
- The height of the image must be 176 pixels or less.
- The width of the image must be 52 pixels or less.

d. To insert special fields for user input, from the top toolbar, click Insert User
Input and click the applicable option.

Important:
- To change the view to raw HTML code, click Source at the top.
To go back, click Design.
- You can preview the final message after you save this object.

9. In the left panel, click the Settings page:


a. In the Languages section:
Select the language for the UserCheck page, if a user did not configure a default
language in their web browser.
b. In the Fallback Action section:

Note - This section appears only in the UserCheck Interaction object of
the type Ask and Inform.

Select the UserCheck action, if it is not possible to show a UserCheck
notification on a user's computer:

Fallback Action | Behavior
Allow | Allows the user to access the website or application.
The UserCheck Client (if installed) shows the notification.
Drop | The Security Gateway tries to show the notification in the
application that caused the notification.
If it cannot, and the UserCheck Client is installed, the
UserCheck Client shows the notification.
Blocks the website or application, even if the user does not see
the notification.

c. In the Conditions section:

Note - This section appears only in the UserCheck Interaction object of
the type Ask and Inform.

Select the required condition that users must meet to send their data through the
Security Gateway:

Condition | Behavior
User accepted and selected the confirm checkbox | This applies if on the Message page, from the
Insert User Input menu you inserted the element Confirm Checkbox.
In the message, users must select the checkbox before they can access the application.
User filled some textual input | This applies if on the Message page, from the
Insert User Input menu you inserted the element Textual Input.
Users must enter text in the text field before they can access the application.
For example, you might require users to enter an explanation for use of the application.

10. Click OK.


11. Preview this UserCheck Interaction in the right pane in each available language and
each available view:
- Regular View
- Mobile
- Agent
- Email
- R80.10 and Higher Gateways
- Earlier Gateways
12. Install the Access Control Policy.

Send Email Notifications in Plain Text

Not all email clients can handle emails in rich text or HTML format.
To accommodate such clients, you can configure the Security Gateway to send email
notifications in plain text without images, in addition to the HTML format.
The user's email client decides which format to show.
1. Connect to the command line on the Security Gateway / each Cluster Member / Scalable
Platform Security Group.
2. Log in to the Expert mode.
3. Back up the configuration file:
- On a Security Gateway / each Cluster Member:

cp -v $FWDIR/conf/[Link]{,_BKP}

- On a Scalable Platform Security Group:

g_all cp -v $FWDIR/conf/[Link]{,_BKP}

4. Edit the configuration file:

vi $FWDIR/conf/[Link]

5. Change the value of the applicable parameter:


from

:send_emails_with_no_images (false)

to

:send_emails_with_no_images (true)

6. Save the changes in the file and exit the editor.


7. On a Scalable Platform Security Group, copy the modified file to all Security Group
Members:

asg_cp2blades $FWDIR/conf/[Link]

8. Kill the userchkd process to load the new configuration:

- On a Security Gateway / each Cluster Member:

killall userchkd

- On a Scalable Platform Security Group:

g_all killall userchkd

The Security Gateway / Cluster Member / Security Group automatically restarts this
process.

Localizing and Customizing the UserCheck Portal
For more information, see sk83700.

External Network Feeds

A network feed object is a network object that lets you enforce feeds that are generated on
external HTTP/HTTPS servers. The feed can contain IP addresses (single or ranges),
domains, or both.
For example:
- Single IP ([Link])
- Range ([Link]-[Link])
- IP + masklen ([Link]/24)
- FQDN domain ([Link])
- Non-FQDN domain (*.[Link])
The feed must be written in a supported format (see below). The Security Gateway fetches,
parses, and updates the network feed object automatically according to the feed changes on
the external source server. There is no need to install policy for the updates to take effect. You
can use an external network feed object in the Access Control / HTTPS Inspection / NAT policy
as a source, or a destination.

Note - Local feeds hosted on the Security Gateway are not supported.

Use Case
This feature is relevant for any customer who wants to use an external source as a network
data provider, and use this data in the Rule Base.

When you use a network feed, the Security Gateway updates the feed automatically, which:
- Requires less manual maintenance of the feed
- Reduces the number of policy installations
- Simplifies policy configuration

Notes:
- To work well, the Security Gateway must have access to the feed server
through HTTP/HTTPS. Otherwise, the Security Gateway cannot fetch the feed.
- A Security Gateway supports up to 500 network feed objects. Each object can
hold up to 50,000 IP addresses.
- A Security Gateway supports a total of 5,000 objects of these types: Dynamic
objects, Updatable objects, Generic Data Center objects, and Network Feed
objects. A Security Gateway supports a total of 350,000 IP addresses and
12,500 domains in all of these object types combined.
- Dynamic and domain objects enforce the network feeds on the Security
Gateway.
- SmartConsole shows logs for update feed events (if there is an Error/Warning
during the update), and for a successful feed update. Search for the network
feed name in the logs search field.
- You can define network feeds as global objects in Multi-Domain Server
environments.
- Make sure that the Security Gateways can always reach the network feed. If the
network feed is not reachable or accessible, the latest cached version is used.
- Make sure that the network feed only contains valid entries. The Security
Gateways ignore invalid entries and use the rest of the list.

Configuration
To configure an external network feed:

1. In SmartConsole, go to the Object Explorer.


2. Click New > More > Network Object > Network Feed.
The New Network Feed window opens.

3. Configure Network settings:


Feed URL - Configure the URL which gives access to the external server feed.

Best Practice - Use HTTPS and not HTTP.

4. Feed Parsing:
Format - Configure the content structure in the feed, so the Security Gateway knows
how to parse the feed. The supported formats are Flat list and JSON.
If you select the Flat list format, configure these settings:
- Data type - From the drop-down menu, select: Domain, IP Address or IP
Address/Domain, so the Security Gateway knows which data type to enforce.
- Delimiter - Separates the data values in the feed.
- Ignore lines with prefix - Defines which lines to ignore in the feed.
If you select the JSON format, configure these settings:
- Data Type - From the drop-down menu, select: Domain, IP Address or IP
Address/Domain, so the Security Gateway knows which data type to enforce.
- JSON Query - Defines how to extract the data from the feed in JQ syntax. For
more information on JQ, visit [Link]
5. Advanced Settings:
- Authentication - Enter the username and password with which you authenticate to
the URL.
- Network:
  - Use gateway proxy for connection - Select this checkbox to use the proxy
  when the Security Gateway connects to the external server.
  - Check feed interval - Interval in minutes for the feed update on the Security
  Gateway. The default is 60 minutes.
6. Test Feed:
a. Click the Test Feed button to verify the connectivity of the Security Gateway or
Security Cluster to the Feed URL and the certificate validity of the server that
contains the Feed URL.
The Test Feed window opens.

b. In the Select gateway field, from the drop-down menu, select the Security
Gateway on which you want to run the test:
- If the test succeeds, you get a test completed successfully message.
- If the test fails, you get an error message.
- If the test fails because of an invalid certificate, this error message appears:
Test failed to authenticate the server certificate.
In this case, you can override the error message and connect to the server if
you trust it.
Select Accept certificate anyway to connect to the server.
7. Click OK.
8. Use the New Network Feed object in your Access Control Rule Base.
9. Install the Access Control policy.
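The following Python is an added example, not Check Point code and not the Security Gateway's own parser: it models the Flat list Feed Parsing settings from the procedure above (Data type, Delimiter, Ignore lines with prefix are assumed as parameters) and the entry kinds listed in the introduction, and it skips and reports entries it cannot classify, as the notes say the Security Gateway does with invalid entries. The sample feed is constructed from documentation address blocks.

```python
"""Parser for an External Network Feed in the "Flat list" format (added example,
not Check Point code). Models the Data type / Delimiter / Ignore lines with prefix
settings and the entry kinds the feature accepts: single IP, range, IP + masklen,
FQDN domain and "*." non-FQDN domain. Invalid entries are skipped and reported.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# One hostname label (RFC 1123 syntax); a leading "*." marks a non-FQDN domain.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(\*\.)?(?:{_LABEL}\.)+{_LABEL}$")

# Values of the "Data type" drop-down as named on the page.
IP_TYPES = {"IP Address", "IP Address/Domain"}
DOMAIN_TYPES = {"Domain", "IP Address/Domain"}


@dataclass
class ParsedFeed:
    ips: list = field(default_factory=list)      # ip_network objects (hosts become /32 or /128)
    ranges: list = field(default_factory=list)   # (first_address, last_address) tuples
    domains: list = field(default_factory=list)  # FQDN and "*." wildcard domains, lower-cased
    invalid: list = field(default_factory=list)  # (line_no, value, reason) for skipped entries


def classify(value: str) -> str:
    """Return 'range', 'cidr', 'ip', 'fqdn' or 'wildcard'; raise ValueError otherwise.

    IP forms are tested first: a range such as 10.0.0.1-10.0.0.9 is also a
    syntactically valid hostname, so the domain regex alone cannot decide.
    """
    if "-" in value:
        first, _, last = value.partition("-")
        try:
            lo, hi = ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())
        except ValueError:
            lo = hi = None  # not two IPs; may still be a hyphenated hostname (checked below)
        if lo is not None:
            if lo.version != hi.version or lo > hi:
                raise ValueError("range endpoints must be the same family and ascending")
            return "range"
    if "/" in value:
        ipaddress.ip_network(value, strict=False)  # raises ValueError on a bad prefix
        return "cidr"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    # Reject an all-numeric last label: "203.0.113.300" is a broken IP, not a domain.
    if _DOMAIN_RE.match(value) and not value.rsplit(".", 1)[-1].isdigit():
        return "wildcard" if value.startswith("*.") else "fqdn"
    raise ValueError("not an IP address, range, network or domain")


def parse_flat_list(text: str, data_type: str, delimiter: str = "\n",
                    ignore_prefix: str = "#") -> ParsedFeed:
    """Split the feed body on the configured delimiter and sort entries by kind."""
    if data_type not in IP_TYPES | DOMAIN_TYPES:
        raise ValueError(f"unknown data type: {data_type!r}")
    feed = ParsedFeed()
    for line_no, raw in enumerate(text.split(delimiter), start=1):
        value = raw.strip()
        if not value or (ignore_prefix and value.startswith(ignore_prefix)):
            continue  # blank entry or a line matching "Ignore lines with prefix"
        try:
            kind = classify(value)
        except ValueError as exc:
            feed.invalid.append((line_no, value, str(exc)))
            continue
        is_ip_kind = kind in ("ip", "cidr", "range")
        if is_ip_kind and data_type not in IP_TYPES:
            feed.invalid.append((line_no, value, "IP entry in a Domain feed"))
        elif not is_ip_kind and data_type not in DOMAIN_TYPES:
            feed.invalid.append((line_no, value, "domain entry in an IP Address feed"))
        elif kind == "range":
            first, _, last = value.partition("-")
            feed.ranges.append((ipaddress.ip_address(first.strip()),
                                ipaddress.ip_address(last.strip())))
        elif is_ip_kind:
            feed.ips.append(ipaddress.ip_network(value, strict=False))
        else:
            feed.domains.append(value.lower())
    return feed


# Constructed sample feed using documentation address blocks; it is not a real feed.
SAMPLE_FEED = """\
# constructed sample feed - lines with this prefix are ignored
192.0.2.10
192.0.2.0/24
198.51.100.20-198.51.100.40
example.com
*.example.org
203.0.113.300
bad..domain
198.51.100.50-198.51.100.10
"""


def summarize(feed: ParsedFeed) -> dict:
    """Counts to compare against the feed before the gateway is pointed at it."""
    return {"ips": len(feed.ips), "ranges": len(feed.ranges),
            "domains": len(feed.domains), "invalid": len(feed.invalid)}


if __name__ == "__main__":
    parsed = parse_flat_list(SAMPLE_FEED, "IP Address/Domain")
    print(summarize(parsed))
    for line_no, value, reason in parsed.invalid:
        print(f"line {line_no}: skipped {value!r}: {reason}")
```

Running the same text with Data type set to Domain reports every IP entry as invalid, which is a quick way to confirm that the Data type chosen in step 4 matches what the feed actually contains.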

Working with Trusted CAs for External Network Feeds
The Security Gateway downloads network feeds from external HTTPS servers. To validate
these external HTTPS servers, the Security Gateway relies on its preconfigured Trusted CAs
list.
Check Point updates the Trusted CAs list regularly. The Security Management Server
downloads the list from the Check Point Download Center, and the administrator installs the
policy on the Security Gateways to apply these changes.

To view and manage the list of Trusted Certificates:

1. In SmartConsole, go to Manage & Settings > Blades > General > Trusted Certificates.
The Trusted Certificates window opens.
2. In the Trusted CAs Package tab:
a. You can see these details about the Trusted CAs Package:
- Whether it is up-to-date
- Package version
- The last update timestamp
- The date on which these statuses were checked
b. Select how to update the package:
- Automatically - The Trusted CAs package is updated automatically on the
Security Management Server once a day at 2:00 AM.
- Manually - Select one of these options:
  - Update now to update the package from the Download Center, or
  - Import Trusted CAs Package to import the package manually from
  your local device. For instructions on how to import the Trusted CAs list,
  see sk64521.

c. In the Certificates section, you can do these actions:
- View all the certificates included in the package.
- Select a certificate and click to view the details of a specific certificate.
- Select a certificate and click to export the certificate. For example, to
export the certificate to other systems, or distribute it to clients.
- Enable or disable certificates - Select a certificate, in the toolbar go to
Actions, and from the drop-down menu select Enable or Disable.

Note - You can select all certificates by clicking the top checkbox.

3. In the Custom Trusted Certificates tab, you can:

n
Click to manually import to the Security Management Server certificates that
are not included in the default Check Point Trusted CAs package. For example:
internal or third-party certificates.

n
Click to view the details of a specific certificate.

n
Click to remove a certificate from the custom certificate list.

n Click to export a certificate. For example, to distribute it to clients or export it to


other systems.

4. Install policy.

Monitoring

To monitor network feeds on the Security Gateway, run these commands in the Expert mode:

Note - In a cluster, run these commands on all Cluster Members.

- See error and warning messages for network feed update events:
  grep -i <Name of Network Feed> $FWDIR/log/efo_error.elg
- Get a list of IP addresses for all network feeds that are used in the policy:
  dynamic_objects -efo_show
- Get a list of Domains and IP ranges related to a specific network feed:
  dynamic_objects -efo <Name of Network Feed>
- Get a list of Domains associated with a specific IP address:
  domains_tool -ip <IP Address>
- Get a list of IP addresses associated with a specific Domain:
  domains_tool -d <Name of Domain>

Troubleshooting

To debug network feeds on the Security Gateway, run these commands in the Expert mode:

Note - In a cluster, run these procedures on all Cluster Members.

Collect the kernel debug for network feed matching

  Important - This kernel debug causes high CPU load. Schedule a maintenance window.
  For more information, see the R82 Quantum Security Gateway Guide > Chapter Kernel Debug.

  1. Configure the kernel debug options:
     fw ctl debug 0
     fw ctl debug -buf 8200
     fw ctl debug -m RAD_KERNEL all
     fw ctl debug -m DOMO all
     fw ctl debug -m UP all
  2. Examine the kernel debug settings:
     fw ctl debug -m
  3. Start the kernel debug:
     fw ctl kdebug -T -f > /var/log/kernel_debug.txt
  4. Replicate the issue.
  5. Stop the kernel debug - press the CTRL+C keys.
  6. Reset the kernel debug options:
     fw ctl debug 0
  7. Analyze the kernel debug output file:
     /var/log/kernel_debug.txt

Collect the policy installation debug to see information about network feeds

  1. In the first shell, start the debug:
     fw -d fetchlocal -d $FWDIR/state/__tmp/FW1/ >> /var/log/policy_installation.txt 2>&1
  2. In the second shell, monitor the output file:
     tail -f /var/log/policy_installation.txt
  3. In the first shell, stop the debug:
     Press the CTRL+C keys.
  4. In the second shell, stop monitoring the output file:
     Press the CTRL+C keys.
  5. Analyze the debug output file:
     /var/log/policy_installation.txt

Collect the debug of the network feed update events

  1. In the first shell, start the debug:
     TDERROR_ALL_ALL=1 dynamic_objects -efo_update <Name of Network Feed> >> /var/log/network_feed_update.txt 2>&1
  2. In the second shell, monitor the output file:
     tail -f /var/log/network_feed_update.txt
  3. In the first shell, stop the debug:
     Press the CTRL+C keys.
  4. In the second shell, stop monitoring the output file:
     Press the CTRL+C keys.
  5. Analyze the debug output file:
     /var/log/network_feed_update.txt

Connecting On-Premises Management Servers and Security Gateways to the Check Point Portal

For information about releases, see sk177205 - Connecting an On-Premises Management Server to the Check Point Portal - Release Updates.

You can connect your on-premises Management Server and Security Gateways to the Check Point Portal. This lets you:

- Run services that are managed in the Check Point Portal on your Management Server and Security Gateways.
  To see the full list of services, go to SmartConsole > Infinity Services view.
  For some services for the Management Server, you must enable Configuration Sharing and Log Sharing. See the documentation for the specific service in the Check Point Portal Administration Guide.
- See a unified log view of all your Check Point products, in the cloud and on-premises. This way, you can search for logs and events from all Check Point products in the same place.
- Use new administrator capabilities on the on-premises Management Server. For example, you can run management APIs on the on-premises Management Server through the Check Point Portal securely from anywhere in the world.

Prerequisites

- You must have a valid license for each Check Point Portal application or service that you use.
- In the SmartConsole Access Control Rule Base, add this rule for Check Point Security Gateways. Use Check Point Services as an updatable object (see "Updatable Objects" on page 297):

  Source   Destination            Services   Action
  Any      Check Point Services   http       Allow

- For non-Check Point gateways, allow access to the domains listed in Scenario 3 of sk179105.
- You must have the Manage integration with Infinity Services option selected on your permission profile. To have this option selected:
  1. Go to Manage & Settings > Permissions & Administrators > Permission Profiles.
  2. Open the relevant Permission Profile.
  3. Go to Management, and select Manage integration with Infinity Services.

Connecting Your Security Management Server and Security Gateway to the Check Point Portal

Notes:
- When connecting a Security Management Server to the Check Point Portal, its Dedicated Log Servers are automatically connected to the Check Point Portal.

To connect your Security Management Server and Security Gateway objects from SmartConsole to the Check Point Portal

1. In SmartConsole, go to the Infinity Services view.
   Click Get Started.
   The Instructions window opens.
2. If you do not already have an account in the Check Point Portal, click Create Account.
   For information about how to open a Check Point Portal account, see Getting Started with the Check Point Portal in the Check Point Portal Administration Guide.
3. In Connect to the Check Point Portal and get a token, click Get Token to retrieve a token from the Check Point Portal to create trust between your Management Server and your Check Point Portal account.
4. If you have more than one account, the Select Account window in the Check Point Portal opens.
   Select the applicable account from the drop-down list and click Next.

   Note - Each Management Server can connect to one account only.

5. The Connect my Self-hosted Security Management Environment and Security Gateways to Infinity page opens.
   Select the check box that indicates that you agree to share your Management Server data with the Check Point Portal, and click Next.
   The Copy This to SmartConsole page opens.
6. Copy the token and paste it in the Instructions window in SmartConsole.
   The Management Server connects to the Check Point Portal.
7. Some services require a running agent on the Security Gateways. You can configure automatic onboarding of Security Gateways when connecting the Management Server to the cloud. In Connection timing for Security Gateways, select one of these options:
   - Immediately (the default option) - All supported Security Gateways are connected to the Check Point Portal immediately when the Security Management Server / Domain Management Server is connected to the Check Point Portal.
   - After policy installation - All supported Security Gateways are connected to the Check Point Portal only after the Security Management Server / Domain Management Server is connected to the Check Point Portal and you install the Access Control policy.
8. Click Connect.

To configure the connection timing of Security Gateways to the Check Point Portal

1. In SmartConsole > Infinity Services view, click the three dots menu at the top right corner of the page.
2. Select Gateway Connector.
   The Gateway Connector window opens.
3. Select one of these two options:
   - Immediately (the default option) - All supported Security Gateways are connected to the Check Point Portal immediately when the Security Management Server / Domain Management Server is connected to the Check Point Portal.
   - After policy installation - All supported Security Gateways are connected to the Check Point Portal only after the Security Management Server / Domain Management Server is connected to the Check Point Portal and you install the Access Control policy.
4. Click OK.

Note - For more information on Security Gateway onboarding, see sk180557.

To connect to the applicable service in the Check Point Portal from SmartConsole

1. From the left navigation panel, click Infinity Services.
2. Go to the applicable service and connect to it.
   For more information about each one of the services, see the Check Point Portal Administration Guide.

Sharing Configuration Information with the Check Point Portal

To share your on-premises Management Server configuration information with the Check Point Portal

1. In SmartConsole > Infinity Services view, click the three dots menu at the top right corner of the page.
2. Select Configuration Sharing.
   The Configuration Sharing window opens.
3. Toggle the Enable button to ON.
4. Click OK.
   The Management Server configuration information is now synchronized with the Check Point Portal.

Note - You cannot edit objects shared from the Management Server in the Check Point Portal.

Sharing Logging Information with the Check Point Portal

Sharing logging information with the Check Point Portal is subject to a daily quota based on your contract. The log sharing quota is calculated on a daily basis and automatically renews at midnight (00:00) UTC each day.

To share your on-premises Management Server log information with the Check Point Portal

1. In SmartConsole > Infinity Services view, click the three dots menu at the top right corner of the page.
2. Select Log Sharing.
   The Log Sharing window opens.
3. Toggle the Enable button to ON.
4. Select the products whose log information you want to share:
   - All products
   - Specific products - Select the applicable products from the drop-down list.
5. Click OK.

The Management Server now synchronizes the log information with the Check Point Portal.

To make sure that the synchronization took place:

1. Go to the Check Point Portal > the Infinity Events application.
2. In the left navigation panel, click Logs.

Note - To enable log sharing on a Standalone server, the server must have:
- For an incoming log rate of less than 500 logs per second - at least 2 CPU cores and 16GB of RAM.
- For an incoming log rate of more than 500 logs per second - at least 4 CPU cores and 16GB of RAM.

Troubleshooting

For troubleshooting issues, see sk181504.

HTTPS Inspection

HTTPS Internet traffic uses the TLS (Transport Layer Security) protocol and is encrypted to give data privacy and integrity. However, HTTPS traffic has a possible security risk and can hide illegal user activity and malicious traffic. The enabled Software Blades on the Security Gateway cannot inspect HTTPS traffic because it is encrypted. HTTPS Inspection lets the Security Gateway intercept TLS connections and decrypt their traffic for inspection by the enabled Software Blades.

There are two modes of HTTPS Inspection:

- Outbound HTTPS Inspection - To protect against malicious traffic that is sent from an internal client to an external site or server.
- Inbound HTTPS Inspection - To protect internal servers from malicious requests that arrive from the Internet or an external network.

The Security Gateway uses certificates and becomes an intermediary between the client computer and the secure web site. All data is kept private in HTTPS Inspection logs. Only administrators with HTTPS Inspection permissions can see all the fields in such logs.

For information on what's new in HTTPS Inspection starting from R80.20, see sk163594.

Intercepting HTTPS Connections

Outbound HTTPS Inspection

Outbound connections are HTTPS connections that arrive from an internal client to an external server.

Outbound connection flow

1. An HTTPS request (from an internal client to an external server) arrives at the Security Gateway.
2. The Security Gateway intercepts the HTTPS request.
3. The Security Gateway determines whether the HTTPS request matches an existing HTTPS Inspection rule:
   - If the HTTPS request does not match a rule, the Security Gateway does not intercept the HTTPS connection. In this case, HTTPS Inspection is bypassed.
   - If the HTTPS request matches a rule, the Security Gateway intercepts the HTTPS connection and continues to the next step.
4. The Security Gateway validates the certificate of the external server.
   By default, the Security Gateway uses the Online Certificate Status Protocol (OCSP) to check for certificate revocation.
   If the certificate does not support OCSP, the Security Gateway uses the Certificate Revocation List (CRL) to check for certificate revocation.
5. The Security Gateway creates a new certificate for the connection to the external server.
6. The Security Gateway decrypts HTTPS traffic.
7. The Security Gateway calls the enabled Software Blades to inspect the decrypted HTTPS traffic.
8. If the Security Policy allows this traffic, the Security Gateway encrypts the HTTP connection.
9. The Security Gateway sends the HTTPS request to the external server.

Inbound HTTPS Inspection

Inbound connections are HTTPS connections that arrive from an external client and connect to a server in the DMZ or the internal network.

Inbound connection flow

1. An HTTPS request (from an external client to an internal server) arrives at the Security Gateway.

   Note - By design, the Security Gateway/Cluster is intentionally configured not to perform HTTPS Inspection on traffic directed towards it. To change this behavior, follow sk114574.

2. The Security Gateway intercepts the HTTPS request.
3. The Security Gateway determines whether the HTTPS request matches an existing HTTPS Inspection rule:
   - If the HTTPS request does not match a rule, the Security Gateway does not intercept the HTTPS connection. In this case, the HTTPS Inspection is bypassed.
   - If the HTTPS request matches a rule, the Security Gateway intercepts the HTTPS connection and continues to the next step.
4. The Security Gateway uses the certificate for the internal server to create an HTTPS connection with the external client.
5. The Security Gateway creates a new HTTPS connection with the internal server.
6. The Security Gateway decrypts the HTTPS traffic.
7. The Security Gateway calls the enabled Software Blades to inspect the decrypted HTTPS traffic.
8. If the Security Policy allows this traffic, the Security Gateway encrypts the HTTP connection.
9. The Security Gateway sends the HTTPS request to the internal server.

Getting Started with HTTPS Inspection

This section shows an example of how to configure a Security Gateway to intercept outbound and inbound HTTPS traffic.

1. Enable the relevant Software Blades on the Security Gateway.
   You must enable HTTPS Inspection on the Security Gateway for the enabled Software Blades to inspect the decrypted HTTPS traffic.
2. Configure the applicable HTTPS Inspection Policy - Inbound and Outbound.
   See "HTTPS Inspection Policy" on the next page.
3. Configure the Security Gateway to use inbound certificates.
   See "Working with Inbound CA Certificates" on page 571.
4. Configure HTTPS Inspection on the Security Gateway:
   a. Configure the Security Gateway to use outbound certificates and deploy the certificates in your organization.
      See "Working with Outbound CA Certificates" on page 576.
   b. Enable HTTPS Inspection on the Security Gateway.
   c. Configure additional settings.
      See "Configuring HTTPS Inspection on the Security Gateway" on page 572.
5. Install the Access Control Policy.

HTTPS Inspection Policy

The HTTPS Inspection rules define how the Security Gateway intercepts the HTTPS connections.
Starting from R82, the HTTPS Inspection policy is divided into "Inbound Policy" and "Outbound Policy".
The HTTPS Inspection rules can use the URL Filtering categories to identify traffic for different websites and applications. For example, to protect the privacy of your users, you can use a rule to ignore HTTPS traffic to banks and financial institutions.
By default, a Security Gateway enforces HTTPS Inspection for all enabled supported Software Blades.

These are the Software Blades that support HTTPS Inspection:

- Access Control:
  - Application Control
  - URL Filtering
  - Content Awareness
  - Data Loss Prevention
- Threat Prevention:
  - IPS
  - Anti-Virus
  - Anti-Bot
  - Threat Emulation
  - Threat Extraction
  - Zero Phishing

To enforce HTTPS Inspection for a specific Software Blade, you must:

1. Enable the required Software Blade in the Security Gateway object.
2. Create an applicable rule in the HTTPS Inspection policy and, in the Blade column, select the required Software Blade.

You can create different HTTPS Inspection layers in different policy packages. When you create a new policy package, you can use the pre-defined HTTPS Inspection layer, or customize the HTTPS Inspection layer to fit your security needs.
You can share an HTTPS Inspection layer across multiple policy packages.

Columns in HTTPS Inspection Security Policy

These are the columns in the HTTPS Inspection Security Policy rules:
(To show or hide columns, right-click any column header.)

No. - Rule number in the HTTPS Inspection Rule Base.

Name - Name that the system administrator gives this rule.

Source - Network object that defines where the traffic starts.

Destination - Network object that defines the destination of the traffic.

Services - The services (protocols) that are intercepted or bypassed.
  By default, the services https on port 443 and HTTP_and_HTTPS proxy on port 8080 are intercepted.
  You can add or delete services in this column.

Site Category - Categories for applications or web sites that are intercepted or bypassed.

Action - The action taken by the Security Gateway when it matches HTTPS traffic to a rule.
  - Inspect - The Security Gateway intercepts the HTTPS connection.
  - Bypass - The Security Gateway does not intercept the HTTPS connection.

  Important - For more information about the connection flow and this action, see:
  - "Outbound HTTPS Inspection" on page 564
  - "Inbound HTTPS Inspection" on page 565

Track - Tracking and logging action that is done when traffic matches the rule.

Blade - By default, contains the value "All" to inspect the decrypted HTTPS traffic by all the enabled supported Software Blades.
  You can select specific Software Blades to inspect the decrypted HTTPS traffic.

Install On - Security Gateways that will enforce this HTTPS Inspection Policy.
  By default, this column contains the object Policy HTTPS Targets. This object automatically applies to all Security Gateways that have HTTPS Inspection enabled.
  In this column, you can only select Security Gateways that have HTTPS Inspection enabled.

Certificate - This column exists only in the "Inbound Policy".
  In this column, you select the certificate that the internal server uses for the rule.

Comment - An optional field to add a description for the rule.

Configuring HTTPS Inspection Policy

Establish distinct HTTPS Inspection rules for outbound and inbound traffic within the corresponding outbound and inbound policies.
The inbound rules use a different certificate for each internal server.
You can also create bypass rules for traffic that is sensitive and should not be intercepted. Make sure that the bypass rules are at the top of the Outbound Policy.

Important - Every change in the Outbound Policy or Inbound Policy requires the installation of the Access Control policy.

Sample Outbound HTTPS Inspection Rule Base

This table shows a sample HTTPS Inspection Outbound Rule Base for a typical policy.

No  Name              Source  Destination  Services                 Site Category       Action   Track  Install On
1   Financial sites   *Any    Internet     https, HTTP_HTTPS_proxy  Financial Services  Bypass   Log    HTTPS Policy Targets
2   Outbound traffic  *Any    Internet     https, HTTP_HTTPS_proxy  Any                 Inspect  Log    HTTPS Policy Targets

1. Financial sites - This is a bypass rule that does not intercept HTTPS connections to websites that are defined in the "Financial Services" category.
2. Outbound traffic - This rule intercepts HTTPS connections to the Internet. This rule uses the Outbound CA certificate.

Sample Inbound HTTPS Inspection rule

This table shows a sample HTTPS Inspection Inbound rule for a typical policy.

No  Name             Source  Destination        Services  Action   Certificate
1   Inbound traffic  *Any    WebCalendarServer  https     Inspect  WebCalendarServer CA

Inbound traffic - This rule intercepts HTTPS connections to the network object WebCalendarServer. This rule uses the WebCalendarServer certificate.

HTTPS Inspection Policy Enforcement

HTTPS Inspection Rule Base enforcement consists of two steps:
1. Matching the connection against the Rule Base.
2. Calculating the action to be performed.

The action is calculated according to the matched rule, the Software Blades defined on the matched rule and the rule exceptions. In certain scenarios, the action in the matched rule is Inspect, but as a result of Step 2, the action is changed to Bypass. In such a case, the HTTPS Inspection log is sent with data from the matched rule, but the action in the logged action is Bypass.
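The two enforcement steps above, run over the sample Outbound Rule Base from this chapter, as an added illustrative model (not Check Point code): the Connection and Rule fields, the ZONES lookup standing in for the Internet object, and the simplified Step 2 logic are assumptions that follow the text, not the product's internals. It shows the case the text describes, where a rule whose Action is Inspect is logged with the rule's data but an effective action of Bypass.

```python
"""Illustrative model of the two-step HTTPS Inspection enforcement described in this chapter.

Added example, not Check Point code: the Connection/Rule fields, the "zones" lookup that
stands in for the Internet object, and the simplified Step 2 logic are assumptions that
follow the text; the product's real matching internals are not documented here.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Set, Tuple

ANY_VALUES = {"*Any", "Any"}  # both spellings appear in the sample Rule Base


@dataclass(frozen=True)
class Connection:
    source: str       # client address
    destination: str  # server hostname
    service: str      # e.g. "https"
    category: str     # URL Filtering category of the destination site


@dataclass(frozen=True)
class Rule:
    number: int
    name: str
    source: str
    destination: str
    services: Tuple[str, ...]
    site_category: str
    action: str                           # "Inspect" or "Bypass"
    blades: Tuple[str, ...] = ("All",)    # Blade column; "All" = every enabled supported blade
    exceptions: Tuple[str, ...] = ()      # assumed: destinations excluded from this rule


def _matches(rule_value: str, conn_value: str, zones: Dict[str, Set[str]]) -> bool:
    """Field match: wildcard, a named group of hosts (e.g. "Internet"), or an exact value."""
    if rule_value in ANY_VALUES:
        return True
    if rule_value in zones:
        return conn_value in zones[rule_value]
    return rule_value == conn_value


def match_rule(rule_base: Sequence[Rule], conn: Connection,
               zones: Dict[str, Set[str]]) -> Optional[Rule]:
    """Step 1: first match over the ordered Rule Base (bypass rules sit at the top)."""
    for rule in rule_base:
        if (_matches(rule.source, conn.source, zones)
                and _matches(rule.destination, conn.destination, zones)
                and conn.service in rule.services
                and _matches(rule.site_category, conn.category, zones)):
            return rule
    return None


def calculate_action(rule: Optional[Rule], conn: Connection,
                     enabled_blades: Sequence[str]) -> str:
    """Step 2: the matched rule, its Blade column and its exceptions give the effective action."""
    if rule is None or rule.action == "Bypass":
        return "Bypass"
    if conn.destination in rule.exceptions:
        return "Bypass"
    if "All" not in rule.blades and not (set(rule.blades) & set(enabled_blades)):
        # None of the blades selected on the rule is enabled on this gateway,
        # so nothing would inspect the decrypted traffic: the action flips to Bypass.
        return "Bypass"
    return "Inspect"


def enforce(rule_base: Sequence[Rule], conn: Connection,
            enabled_blades: Sequence[str], zones: Dict[str, Set[str]]) -> dict:
    """Returns the log record: data of the matched rule plus the action actually applied."""
    rule = match_rule(rule_base, conn, zones)
    return {
        "rule_number": rule.number if rule else None,
        "rule_name": rule.name if rule else None,
        "rule_action": rule.action if rule else None,
        "action": calculate_action(rule, conn, enabled_blades),
    }


# The sample Outbound Rule Base from this chapter, as data.
SAMPLE_OUTBOUND = (
    Rule(1, "Financial sites", "*Any", "Internet", ("https", "HTTP_HTTPS_proxy"),
         "Financial Services", "Bypass"),
    Rule(2, "Outbound traffic", "*Any", "Internet", ("https", "HTTP_HTTPS_proxy"),
         "Any", "Inspect"),
)
# Constructed variant: rule 2's Blade column names only Anti-Virus.
AV_ONLY_OUTBOUND = (
    SAMPLE_OUTBOUND[0],
    Rule(2, "Outbound traffic", "*Any", "Internet", ("https", "HTTP_HTTPS_proxy"),
         "Any", "Inspect", blades=("Anti-Virus",)),
)
# Constructed stand-in for the Internet object: the hosts it covers in this model.
ZONES = {"Internet": {"bank.example", "news.example"}}

if __name__ == "__main__":
    gw_blades = ("URL Filtering", "Application Control")
    for conn, rb in (
        (Connection("10.1.1.5", "bank.example", "https", "Financial Services"), SAMPLE_OUTBOUND),
        (Connection("10.1.1.5", "news.example", "https", "News"), SAMPLE_OUTBOUND),
        (Connection("10.1.1.5", "news.example", "https", "News"), AV_ONLY_OUTBOUND),
    ):
        print(conn.destination, enforce(rb, conn, gw_blades, ZONES))
```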

Working with Inbound CA Certificates

By design, the Security Gateway / Security Cluster is intentionally configured not to perform HTTPS Inspection on traffic directed towards it. To change this behavior, follow sk114574.

Assigning a Server Certificate for Inbound HTTPS Inspection

When a client from outside the organization initiates an HTTPS connection to an internal web server (for example, a server located in the organization's DMZ behind the Security Gateway), the Security Gateway can intercept the traffic.
To perform HTTPS Inspection in this scenario, the Security Gateway must impersonate the internal web server.
This requires the Security Gateway to present the TLS certificate of the internal web server and have access to the server's certificate private key.
Therefore, the administrator must export the certificate and the private key from the internal web server in the *.p12 format (which includes both) and then import this P12 file to SmartConsole.

After importing the server's certificate, the administrator can add the corresponding certificate object to the HTTPS Inspection Inbound Policy.

To add a server certificate for inbound HTTPS Inspection

1. In SmartConsole, go to Security Policies view > HTTPS Inspection > Inbound Policy > from the top toolbar, click Inbound Certificates.
2. Click Import.
   The Import Inbound Certificate window opens.
3. Enter a Certificate name and a Comment (optional).
4. Browse to the certificate file.
5. Enter the Password.
   Enter the same password that was used to protect the private key of the certificate on the server.
6. Click OK.
7. Click Close.

The Successful Import window opens the first time you import a server certificate. It shows you where to add the object in the HTTPS Inspection policy.
Click Don't show this again if you do not want to see the window each time you import a server certificate, and then click Close.

Configuring HTTPS Inspection on the Security Gateway

You must configure HTTPS Inspection on each Security Gateway separately.

To configure HTTPS Inspection on a Security Gateway:

1. From the SmartConsole Gateways & Servers view, double-click the Security Gateway object.
2. Click HTTPS Inspection.
3. Optional: If the outbound CA certificate is already created or imported for another Security Gateway, you can use the global certificate or override it by selecting a specific certificate for each Security Gateway.
   To override the global certificate, navigate to HTTPS Inspection > Step 1 in the Security Gateway object, select Override global setting and select the required certificate from the drop-down list.
4. Import or Create an outbound CA certificate for HTTPS Inspection.
   See "Working with Outbound CA Certificates" on page 576.
5. Export and Deploy the outbound certificate in your organization.
   See "Exporting and Deploying the Generated CA Certificate" on page 579.
6. In Step 3, select Enable HTTPS Inspection.
7. Configure the HTTPS Inspection Deployment Mode:
   - Full inspection - HTTPS connections are intercepted based on the HTTPS Inspection policy.
   - Learning mode - You can configure partial deployment of HTTPS Inspection to estimate its effect on connectivity and performance issues. With Learning mode, the Security Gateway intercepts a small percentage of the traffic to identify connectivity issues and estimate the expected resource consumption for the configured HTTPS Inspection policy.
     To see the effect of the learning mode or the statuses of all Security Gateways, go to the Security Policies view > HTTPS Inspection > Outbound Policy or Inbound Policy > in the HTTPS Inspection Tools section, click Deployment.
     For more information, see "HTTPS Inspection Deployment View" on page 575.
8. In Additional Settings > Edit, configure the client side and server side fail mode.
   In case of a client or a server connection error, you can select one of these modes:
   - Fail Open - The Security Gateway does not perform HTTPS Inspection on connections that failed on the server side or client side (HTTPS Inspection is bypassed).
   - Fail Close - The Security Gateway blocks connections that failed as a result of an internal system error or a server connection error (server side error), or as a result of client connectivity issues.
   You can handle server and client errors based on the global settings, or override the global settings for the specific Security Gateway. To configure the fail mode globally for all Security Gateways, see "Fail Mode" on page 584.

   To configure fail mode for a specific Security Gateway:
   a. In Additional Settings, click Edit.
      The HTTPS Inspection Settings window opens.
   b. Configure Server Side Fail Mode - In case of an internal system error or a server connection error, select one of these options:
      - Use the global setting - The default global setting is Fail Open.
      - Override global settings - Select Fail-Open or Fail-Close.
   c. Configure Client-Side Fail Mode - In case a client connectivity issue is detected, select one of these two options:
      - Use the global setting - The default global setting is Fail Open.
      - Override global settings - Select Fail-Open or Fail-Close.

   Notes:
   - In the Fail-Open mode, the Security Gateway blocks the first connection, but does not intercept subsequent connections with the same source and destination hostname; it bypasses them.
   - In Security Gateway versions R81.20 and lower, in case of a client-side error, the connection is always blocked (Fail-Close). You cannot change the behavior in these versions.
9. Configure Bypass Under Load - This feature allows connectivity when the Security Gateway experiences heavy load (arising from any reason, not necessarily HTTPS Inspection). The Security Gateway reacts quickly to CPU spikes to avoid connection interruptions and temporarily bypasses HTTPS Inspection until the load stabilizes. During the bypass, the Security Gateway does not intercept the HTTPS traffic. After the Security Gateway stabilizes, it attempts to resume HTTPS Inspection to minimize the bypass duration. If persistent high load is detected after inspection resumes, the Security Gateway gradually increases the bypass duration to maintain stability.
   This feature is disabled by default.
   Important - To configure the log type for Bypass Under Load, go to Security Policies > HTTPS Inspection > Inbound Policy or Outbound Policy > HTTPS Inspection Tools > Advanced Settings > Other > Bypass Under Load Logging.
   Note - You configure Bypass Under Load for each Security Gateway separately. There are no global settings for this feature.
10. Click OK and Install the Access Control Policy.
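How the fail-mode settings of Step 8 resolve and behave, as an added illustrative model (not Check Point code): the GLOBAL_DEFAULTS mapping, the per-gateway override fields, the client_side_configurable flag that stands for the R81.20-and-lower behavior, and the (source, hostname) bypass cache are assumptions that follow the text. It shows the Fail-Open note above, where the first failing connection is blocked and later connections with the same source and destination hostname are bypassed, next to Fail-Close, which blocks every time.

```python
"""Illustrative model of the HTTPS Inspection fail-mode settings from Step 8.

Added example, not Check Point code: GLOBAL_DEFAULTS, the per-gateway override fields
and the (source, hostname) bypass cache are assumptions that follow the text.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

FAIL_OPEN = "Fail-Open"
FAIL_CLOSE = "Fail-Close"
SERVER_SIDE = "server_side"   # internal system error or server connection error
CLIENT_SIDE = "client_side"   # client connectivity issue

# "Use the global setting" resolves to these; the text gives Fail Open as the default for both.
GLOBAL_DEFAULTS: Dict[str, str] = {SERVER_SIDE: FAIL_OPEN, CLIENT_SIDE: FAIL_OPEN}


@dataclass
class GatewayFailMode:
    """Per-gateway settings; None means "Use the global setting"."""
    server_side_override: Optional[str] = None
    client_side_override: Optional[str] = None
    # R81.20 and lower always block on a client-side error; model that with False.
    client_side_configurable: bool = True

    def effective(self, side: str, global_settings: Dict[str, str] = GLOBAL_DEFAULTS) -> str:
        """Resolve the mode that applies to one side on this gateway."""
        if side == CLIENT_SIDE and not self.client_side_configurable:
            return FAIL_CLOSE
        override = self.server_side_override if side == SERVER_SIDE else self.client_side_override
        return override if override is not None else global_settings[side]


@dataclass
class FailModeHandler:
    config: GatewayFailMode
    global_settings: Dict[str, str] = field(default_factory=lambda: dict(GLOBAL_DEFAULTS))
    # Fail-Open: the first failing connection is blocked; later connections with the same
    # source and destination hostname are not intercepted (bypassed).
    bypassed_pairs: Set[Tuple[str, str]] = field(default_factory=set)

    def new_connection(self, source: str, hostname: str,
                       error_side: Optional[str] = None) -> str:
        """Decision for one connection.

        error_side is None when interception succeeds, otherwise SERVER_SIDE or CLIENT_SIDE
        to say which side of the intercepted connection failed.
        Returns "bypass" (not intercepted), "inspect" or "block".
        """
        key = (source, hostname)
        if key in self.bypassed_pairs:
            return "bypass"
        if error_side is None:
            return "inspect"
        if self.config.effective(error_side, self.global_settings) == FAIL_OPEN:
            self.bypassed_pairs.add(key)   # this connection is blocked; the next ones bypass
        return "block"


if __name__ == "__main__":
    # Constructed walk-through: default settings, then a gateway that overrides to Fail-Close.
    default_gw = FailModeHandler(GatewayFailMode())
    print(default_gw.new_connection("10.0.0.5", "site.example", CLIENT_SIDE))  # block
    print(default_gw.new_connection("10.0.0.5", "site.example"))               # bypass
    strict_gw = FailModeHandler(GatewayFailMode(server_side_override=FAIL_CLOSE))
    print(strict_gw.new_connection("10.0.0.5", "site.example", SERVER_SIDE))   # block
    print(strict_gw.new_connection("10.0.0.5", "site.example", SERVER_SIDE))   # block
```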

HTTPS Inspection Deployment View

This view presents the statuses and recommendations for Security Gateways with HTTPS Inspection enabled in Learning Mode.

It also shows the inspection status of each Security Gateway, as follows:

- Full inspection - Displayed when Full Inspection is configured on the Security Gateway. The Security Gateway intercepts all HTTPS connections based on the configured HTTPS Inspection policy.
- Learning mode - Displayed when Learning mode is configured on the Security Gateway. Here you can see the effect of the learning mode deployment and a recommendation regarding the deployment of HTTPS Inspection.
- Categorized HTTPS Inspection only - Displayed when HTTPS Inspection is disabled on the Security Gateway and Categorized HTTPS websites is globally configured (Manage and Settings view > Blades > Application Control & URL Filtering > Advanced Settings > URL Filtering).
- Disabled - HTTPS Inspection is not enabled on the Security Gateway and the Categorized HTTPS websites option is disabled.

Working with Outbound CA Certificates

The outbound CA certificates are used by the Security Gateways managed on the Security Management Server. The first time you enable HTTPS Inspection on one of the Security Gateways, you must create an outbound CA certificate for HTTPS Inspection or import a CA certificate already deployed in your organization. Starting from R82, you can create or import additional outbound certificates.

Creating an Outbound CA Certificate


The outbound CA certificate is saved as a file with a CER extension. The private key inside the file is encrypted with a password; the Security Gateways need this password to use the private key, which signs the certificates that HTTPS Inspection generates for intercepted sites. Keep this password secure: any other Security Management Server that imports the CA certificate needs it to open the file, and anyone who holds both the file and the password can issue certificates that every client which trusts this CA accepts.
After you create an outbound CA certificate, you must export it so it can be distributed to internal clients. If you do not deploy the generated outbound CA certificate on internal clients, users get TLS error messages in their browsers when they connect to HTTPS sites. You can configure a troubleshooting option that logs such connections.
After you create the outbound CA certificate, use it in the HTTPS Inspection policy rules that intercept outbound HTTPS traffic.
To create an outbound CA certificate

1. In the SmartConsole Gateways & Servers view, double-click the Security Gateway object.
   The Gateway Properties window opens.
2. In the navigation tree, click HTTPS Inspection.
3. In Step 1, click Create.
   Note - To create the first outbound certificate, you can also go to the Security Policies view > HTTPS Inspection > Outbound Policy and, in the top toolbar, click Outbound Certificates.
4. Enter the necessary information:
   n Issued by (DN) - Enter the Distinguished Name that appears as the issuer of the certificates the Security Gateways generate, for example the domain name of your organization. Users who examine the certificate of an intercepted site see this value.
   n Private key password - Enter the password that is used to encrypt the private key of the CA certificate.
   n Retype private key password - Enter the password again.
   n Valid from - Select the date range for which the CA certificate is valid.
5. Click OK.
6. Export and deploy the CA certificate.
   See "Exporting and Deploying the Generated CA Certificate" on page 579.

Importing an Outbound CA Certificate

You can import a CA certificate that is already deployed in your organization, or import a CA certificate that was created on one Security Management Server into another Security Management Server.

Best Practice - Use private CA certificates. Public CAs do not issue subordinate CA certificates that can sign certificates for arbitrary sites, so the outbound CA must be one your organization controls and distributes to its own clients.

On each Security Management Server that manages Security Gateways with HTTPS Inspection enabled, you must:
1. Import the CA certificate.
2. Enter the password that the Security Management Server uses to open the CA certificate file and sign the certificates for users. You need this password only when you import the certificate to a new Security Management Server.
To import an outbound CA certificate

1. If the CA certificate was created on another Security Management Server, export the certificate from the Security Management Server on which it was created.
   See "Exporting a Certificate from one Security Management Server to Another" on page 580.
2. In the SmartConsole Gateways & Servers view, double-click the Security Gateway object.
3. In the navigation tree, click HTTPS Inspection.
4. In Step 1, click Import.
   Note - You can also import the first outbound certificate through the Security Policies view > HTTPS Inspection > Outbound Policy and, in the top toolbar, click Outbound Certificates.
5. Browse to the certificate file.
6. Enter the private key password.
7. Click OK.
8. If the CA certificate was created on another Security Management Server, deploy it to clients.
   See "Exporting and Deploying the Generated CA Certificate" on the next page.


Exporting and Deploying the Generated CA Certificate


To prevent users from getting warnings about the certificates that HTTPS Inspection generates, install the generated CA certificate that HTTPS Inspection uses as a trusted root CA on the client computers. You can distribute the CA with distribution mechanisms such as a Windows GPO, which adds the generated CA to the Trusted Root Certification Authorities store on the client computers. After the clients apply the policy, the generated CA is in their trusted CA list and users do not get certificate warnings in their browsers.
To distribute a certificate with a GPO

1. Export the certificate from the Security Gateway, using one of these two options:
   Option 1
   a. In SmartConsole, go to the Security Policies view > HTTPS Inspection > Outbound Policy.
   b. In the top toolbar, click Outbound Certificates.
      The Manage Outbound Certificates window opens.
   c. Select the required certificate, and click the button.
   d. Select the required folder in which to save the certificate, and click Save.
   Option 2
   a. In SmartConsole, go to the Gateways & Servers view and double-click the required Security Gateway object.
      The Security Gateway object editor opens.
   b. From the left menu, go to HTTPS Inspection.
   c. In Step 2, click Export Certificate.
   d. Select the required folder in which to save the certificate, and click Save.
2. Use the Group Policy Management Console to add the certificate to the Trusted Root Certification Authorities certificate store.
   See "Deploying Certificates using Group Policy" on the next page.
3. Push the GPO policy to the client computers in the organization.
   Note - Make sure that the CA certificate is pushed to the organizational unit that contains the client computers.
4. Test the CA certificate distribution by browsing to an HTTPS site from one of the client computers. Also make sure that the certificate of the site shows, in its Issued by field, the name you entered when you created the CA certificate.


Deploying Certificates using Group Policy


You can use this procedure to deploy a certificate to multiple client computers with Active Directory Domain Services and a Group Policy Object (GPO). A GPO can contain multiple configuration options, and is applied to all computers in the scope of the GPO.

Important - Membership in the local Administrators group, or equivalent, is necessary to complete this procedure.

To deploy a certificate using Group Policy

1. On the Microsoft Windows Server, open the Group Policy Management Console.
2. Find an existing GPO or create a new GPO to contain the certificate settings. Make sure the GPO is linked to the domain, site, or organizational unit whose computers you want the policy to affect.
3. Right-click the GPO and select Edit.
   The Group Policy Management Editor opens and shows the contents of the policy object.
4. Open Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers.
5. Click Action > Import.
6. Follow the instructions in the Certificate Import Wizard to find and import the certificate you exported from SmartConsole.
7. In the navigation pane, click Trusted Root Certification Authorities and repeat steps 5-6 to install a copy of the certificate to that store. It is this store that makes browsers accept the certificates HTTPS Inspection generates; the Trusted Publishers store alone is not enough.

Exporting a Certificate from one Security Management Server to Another

If you use more than one Security Management Server in your organization, you must first export the CA certificate with the "export_https_cert" CLI command from the Security Management Server on which it was created before you can import it to other Security Management Servers.

Command syntax

export_https_cert -help
export_https_cert {[-local] | [-s <server address>]} [-f <certificate file name in the FWDIR/tmp/ directory>]

To export the CA certificate

On the Security Management Server, in the Expert mode, run this command:

$FWDIR/bin/export_https_cert -local -f <certificate file name in the FWDIR/tmp/ directory>

Example:

$FWDIR/bin/export_https_cert -local -f [Link]

The exported file contains the private key of the outbound CA. Transfer it only over a protected channel and delete it from $FWDIR/tmp/ after the import on the other server completes.

Note - On a Multi-Domain Security Management Server, you must run this command in the context of the applicable Domain Management Server (mdsenv <IP Address of Domain Management Server>).

Working with Trusted CAs for Outbound HTTPS Inspection


When a client initiates a TLS connection to a server, the Security Gateway intercepts the connection and opens a new TLS connection of its own from the Security Gateway to the designated server. When it establishes that connection, the Security Gateway must validate the server certificate, exactly as a browser would.
HTTPS Inspection comes with a preconfigured list of trusted CAs. Check Point updates this list when necessary, and the update is downloaded automatically from the Check Point Download Center to the Management Server. After you get the Trusted CA update on the Security Management Server, you must install the policy on the Security Gateways. You can disable the automatic update option and update the Trusted CA list manually. See sk64521.

If the Security Gateway receives a server certificate that it does not trust, by default it does not present the client a certificate signed by the outbound CA; it presents a self-signed certificate instead. The browser therefore notifies the user that there is a problem with the server's security certificate, but lets the user continue to the server.
You can change the default setting to block untrusted server certificates. Go to Security Policies > HTTPS Inspection > HTTPS Inspection Tools > Advanced Settings > Server Validations and select Untrusted server certificates.
To manage the list of Trusted Certificates, in SmartConsole, go to the Security Policies view > HTTPS Inspection and, in the HTTPS Inspection Tools section, click Trusted Certificates.
You can do these actions in the Trusted Certificates window:
n In the Trusted CAs Package tab:
l You can check whether the trusted CAs package is up to date. You can see the downloaded package version, the last update timestamp, and the time of the last check for these statuses. You can update the certificates in one of two ways:
o Automatic update:
Select Update Trusted CA package automatically. The Trusted CAs package is updated automatically once a day at 2:00 AM.
o Manual update:
Select Update Trusted CAs Package manually, and click Update Now or Import Trusted CAs Package to update the package manually.


l In the Certificates section, you can view all certificates included in the package, export certificates, and enable or disable certificates.
To enable or disable certificates:
1. Select the applicable certificates using the checkboxes.
Note - You can select all certificates by clicking the top checkbox.
2. From the top menu, click Actions, and select Enable or Disable.
n In the Custom Trusted Certificates tab, you can import, export or delete a certificate.

Note - To apply changes in the Trusted CAs settings, install policy on the applicable Security Gateway.


HTTPS Inspection Global Settings


You can configure HTTPS Inspection global settings for all Security Gateways in Security
Policies > HTTPS Inspection > HTTPS Inspection Tools > Advanced Settings.

Fail Mode

To change the global settings for the fail mode

1. Go to the Security Policies view > HTTPS Inspection > Inbound Policy or Outbound Policy and, in the HTTPS Inspection Tools section, click Advanced Settings.
2. Go to Fail Mode, and select the applicable settings:
   a. In Server Side Fail Mode, select one of these options:
      n Bypass all requests (Fail-Open)
      n Block all requests (Fail-Close)
   b. In Client Side Fail Mode, select one of these options:
      n Bypass all requests (Fail-Open)
      n Block all requests (Fail-Close)

Notes:
n In the Fail-Open mode, the Security Gateway blocks the first connection on which the failure occurs, but does not intercept subsequent connections with the same source and destination hostname; it bypasses them. Fail-Open therefore trades inspection coverage for connectivity: traffic to that hostname passes without inspection.
n In Security Gateway versions R81.20 and lower, in case of a client-side error the connection is always blocked (Fail-Close). You cannot change this behavior in these versions.

Categorization Mode
Configure a mode for categorizing HTTPS sites:
n Background - All requests are allowed until categorization is complete. When a request
cannot be categorized with a cached response, an uncategorized response is received.
Access to the site is allowed. In the background, the Check Point Online Web Service
continues the categorization procedure. The response is then cached locally for future
requests. This option reduces latency in the categorization procedure.
n Hold - This is the default setting. When a request cannot be categorized with the cached
responses, it remains blocked until the Check Point Online Web Service completes
categorization.


Server Validations
When a Security Gateway receives an untrusted certificate from a web server, the settings in this section define when to drop the connection.
n Untrusted server certificate:
l When selected, traffic from a site with an untrusted server certificate is immediately dropped. The user gets an error page that states that the browser cannot display the webpage.
l When cleared, the client is shown a self-signed certificate when there is traffic from an untrusted server. The user is notified that there is a problem with the website's security certificate, but can continue to the website (default).
n Revoked server certificate (validate CRL):
l When selected, the Security Gateway checks the revocation status of each server certificate. The Security Gateway validates the certificate with the Online Certificate Status Protocol (OCSP). OCSP is faster and uses much less memory than Certificate Revocation List (CRL) validation, which releases lower than R80.10 used for this check.
l When cleared, the Security Gateway does not check for revocation of server certificates.
If OCSP is not supported for a server certificate, the Security Gateway uses CRL validation. If the CRL cannot be reached, the certificate is considered trusted. This is the default configuration, and an HTTPS Inspection log indicates that the CRL could not be reached. Note that this default is fail-open: an attacker who can block the Security Gateway's path to the CRL distribution point makes a revoked certificate pass.
You can change this behavior in the Database Tool (GuiDBEdit Tool):
Procedure
Important - This change applies to all Security Gateways with enabled HTTPS Inspection.

1. Close all SmartConsole windows.
2. Connect with the Database Tool (GuiDBEdit Tool) to the Management Server.
3. In the top left panel, click Other > ssl_inspection.
4. In the top right panel, click general_confs_obj.
5. In the bottom panel, right-click the attribute "drop_if_crl_cannot_be_reached" > click Edit.
6. Change the value from "false" to "true" > click OK.
7. From the top, click the File menu and click Save All.
8. Close the Database Tool (GuiDBEdit Tool).
9. Connect with SmartConsole to the Management Server.
10. Install the Access Control policy.

To validate the CRL, the Security Gateway must have access to the Internet. For
example, if a proxy server is used in the organizational environment, you must configure
the Security Gateway to use this proxy server.

To configure the proxy server for the Security Gateway:

Optionally, you can use the default proxy server configured in SmartConsole Global Properties.

1. In SmartConsole, go to the Gateways & Servers view, and double-click the Security Gateway that requires proxy configuration.
2. Go to Network Management > Proxy.
3. Select Use custom proxy settings for this network object and Use proxy server, and enter the proxy IP address.
4. Click OK.
5. Install the Access Control policy.

Important - Make sure that there is a rule in the Rule Base that allows outgoing HTTP from the Security Gateway. CRL distribution points and OCSP responders are reached over plain HTTP.
n Expired Server Certificate
l When selected, the Security Gateway drops the connection if the server certificate
expired.
l When cleared, the Security Gateway creates a certificate with the expired date.
The user can continue to the website (default).
n Track validation errors
Select whether to log the server validation (you can see the logs in the Logs & Events
view > Logs in SmartConsole), or trigger other notifications.

Certificate Blocking
You can create a list of certificates that are blocked. Traffic from servers that use these certificates is dropped. If a certificate in the list is also in the Trusted CAs list, the blocked certificate list overrides the Trusted CAs list.
n New - Lets you add a certificate. Enter the certificate serial number (in hexadecimal format HH:HH) and a comment that describes the certificate. Serial numbers are unique only within one issuing CA, so make sure the serial number you enter belongs to the certificate you intend to block.
n Edit - Lets you change the details of an entry in the blocked certificate list.
n Delete - Lets you delete a certificate from the blocked certificate list.
n Search - Lets you search for a certificate in the blocked certificate list.
n Track dropped traffic - Select whether to log the dropped connections (you can see the logs in the Logs & Events view > Logs in SmartConsole), or trigger other notifications.
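The decision logic behind the Server Validations and Certificate Blocking settings above, as an added example that is not Check Point code: the settings names mirror the page, the server certificate is a small record constructed here rather than a parsed X.509 object, and the OCSP and CRL lookups are injected callables so that the example runs offline. Precedence follows the page: a blocked serial number wins over the Trusted CAs list, OCSP is tried first and the CRL is used only when OCSP gives no answer (the fallback on an unreachable OCSP responder is an assumption; the page only states the fallback for certificates without OCSP support), and an unreachable CRL is treated as trusted unless drop_if_crl_cannot_be_reached is set.

```python
"""Policy evaluator for HTTPS Inspection server certificate validation.

Added example (not Check Point code). Models the Server Validations and
Certificate Blocking settings described on the page and evaluates them
against a constructed certificate record with fake revocation responders.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


def normalize_serial(serial: str) -> str:
    """Canonical HH:HH form of a serial entered by an administrator
    (case-insensitive, colons and spaces optional, odd length zero-padded)."""
    hex_digits = serial.replace(":", "").replace(" ", "").lower()
    if not hex_digits or any(c not in "0123456789abcdef" for c in hex_digits):
        raise ValueError(f"not a hexadecimal serial number: {serial!r}")
    if len(hex_digits) % 2:
        hex_digits = "0" + hex_digits
    return ":".join(hex_digits[i:i + 2] for i in range(0, len(hex_digits), 2))


@dataclass
class ServerValidationSettings:
    drop_untrusted: bool = False                  # "Untrusted server certificate"
    validate_revocation: bool = False             # "Revoked server certificate"
    drop_expired: bool = False                    # "Expired server certificate"
    drop_if_crl_cannot_be_reached: bool = False   # GuiDBEdit attribute
    blocked_serials: Set[str] = field(default_factory=set)   # Certificate Blocking list


@dataclass
class ServerCert:
    """What the gateway learned about the server certificate (constructed)."""
    serial: str
    chain_trusted: bool
    expired: bool
    ocsp_url: Optional[str] = None
    crl_url: Optional[str] = None


# A lookup returns "good", "revoked", or None when the responder is unreachable.
Lookup = Callable[[str, str], Optional[str]]


def validate_server_cert(cert: ServerCert, cfg: ServerValidationSettings,
                         ocsp: Lookup, crl: Lookup) -> Dict[str, str]:
    """Return {'verdict': 'drop'|'allow', 'reason': ...} for one connection."""
    blocked = {normalize_serial(s) for s in cfg.blocked_serials}
    if normalize_serial(cert.serial) in blocked:
        # Blocking wins even if the issuer is in the Trusted CAs list.
        return {"verdict": "drop", "reason": "blocked certificate serial"}
    if not cert.chain_trusted:
        if cfg.drop_untrusted:
            return {"verdict": "drop", "reason": "untrusted issuer"}
        return {"verdict": "allow",
                "reason": "untrusted issuer, self-signed certificate shown to user"}
    if cert.expired:
        if cfg.drop_expired:
            return {"verdict": "drop", "reason": "expired"}
        return {"verdict": "allow", "reason": "expired, re-signed with expired date"}
    if cfg.validate_revocation:
        status = ocsp(cert.serial, cert.ocsp_url) if cert.ocsp_url else None
        source = "OCSP"
        if status is None and cert.crl_url:          # assumption: fall back to CRL
            status = crl(cert.serial, cert.crl_url)
            source = "CRL"
        if status == "revoked":
            return {"verdict": "drop", "reason": f"revoked ({source})"}
        if status is None:
            if cfg.drop_if_crl_cannot_be_reached:
                return {"verdict": "drop", "reason": "revocation status unavailable"}
            return {"verdict": "allow", "reason": "revocation status unavailable, logged"}
    return {"verdict": "allow", "reason": "valid"}


# Constructed responders standing in for the network lookups.
REVOKED = {"0a:1b:2c"}


def fake_ocsp(serial: str, url: str) -> Optional[str]:
    if "down" in url:
        return None
    return "revoked" if normalize_serial(serial) in REVOKED else "good"


def fake_crl(serial: str, url: str) -> Optional[str]:
    return fake_ocsp(serial, url)


if __name__ == "__main__":
    cfg = ServerValidationSettings(drop_untrusted=True, validate_revocation=True,
                                   blocked_serials={"DE:AD:BE:EF"})
    for cert in [ServerCert("de:ad:be:ef", True, False),
                 ServerCert("0A:1B:2C", True, False, ocsp_url="http://ocsp.example/ok"),
                 ServerCert("11:22", True, False, crl_url="http://crl.example/down")]:
        print(cert.serial, validate_server_cert(cert, cfg, fake_ocsp, fake_crl))
```

The third sample certificate is the case the page warns about: with the default setting an unreachable CRL yields "allow", and only drop_if_crl_cannot_be_reached turns it into a drop.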

Bypass Allow Lists


Check Point dynamically updates lists of well-known update services and certificate-pinned applications that can be bypassed for improved connectivity.
n Well-known update services - Some well-known update services must be bypassed to function correctly. For the list of update services, see sk98655.
n Certificate-pinned applications - Some mobile and desktop applications trust only specific server certificates. Such applications terminate the connection because of a trust failure when they are presented with a certificate signed by the HTTPS Inspection outbound CA certificate. When a connection from a client that is classified as a certificate-pinned application is detected, the selected action is taken.
Available actions:

Action | Description
Bypass | HTTPS Inspection is bypassed to ensure uninterrupted connectivity, and a "Bypass" log is sent.
Detect | HTTPS Inspection is not bypassed, and a "Detect" log is sent. The application may show errors or malfunction.
None | HTTPS Inspection is not bypassed, and no dedicated log is sent. The application may show errors or malfunction.

Session Logs
Starting in R82, the Security Gateway can send session logs, which provide a visual overview of the TLS traffic that passes through it.
To allow the Security Gateway to send these logs:
1. Select Send session logs.
2. In the HTTPS Inspection Rule Base, set the Track column of the applicable rules to Log.
HTTPS Inspection session logs group individual connections into one session log when they share all of these characteristics:
n Source IP
n Destination IP
n SNI (Server Name Indication)
n HTTPS Inspection Action: whether the traffic is bypassed or intercepted.
n Bypass Reason: applicable only if the traffic is bypassed.
n Time Window: connections that occur within the same 3-hour period.
By aggregating connections with these characteristics, session logs are used to create statistics views, including Bypass and Inspect decisions. For more details, see "HTTPS Inspection Statistics View" on the next page.
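The grouping described above, carried out over constructed connection records, as an added example that is not Check Point code and does not reproduce the gateway's log format: the field names, the alignment of the 3-hour windows (fixed windows counted from the Unix epoch) and the sample records are all assumptions made for the example. It shows how individual connections collapse into session logs and how the Inspect/Bypass statistics fall out of the sessions.

```python
"""Aggregate HTTPS Inspection connection logs into session logs.

Added example (not Check Point code). Groups constructed connection records
by the six characteristics the page lists and derives Inspect/Bypass
statistics from the resulting sessions. Windows are fixed 3-hour periods
counted from the Unix epoch (assumption).
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional, Tuple

WINDOW_SECONDS = 3 * 60 * 60


class ConnLog(NamedTuple):
    time: datetime
    src: str
    dst: str
    sni: str
    action: str                        # "Inspect" or "Bypass"
    bypass_reason: Optional[str] = None


SessionKey = Tuple[str, str, str, str, Optional[str], int]


def session_key(log: ConnLog) -> SessionKey:
    """Grouping key; connections with the same key belong to one session."""
    epoch = int(log.time.astimezone(timezone.utc).timestamp())
    window = epoch // WINDOW_SECONDS
    # The bypass reason only applies to bypassed traffic, so normalise it.
    reason = log.bypass_reason if log.action == "Bypass" else None
    return (log.src, log.dst, log.sni, log.action, reason, window)


def build_sessions(logs: List[ConnLog]) -> Dict[SessionKey, List[ConnLog]]:
    sessions: Dict[SessionKey, List[ConnLog]] = defaultdict(list)
    for log in logs:
        sessions[session_key(log)].append(log)
    return dict(sessions)


def statistics(sessions: Dict[SessionKey, List[ConnLog]]) -> Dict[str, Dict[str, int]]:
    """Counts per action (by session and by connection) and bypass reasons."""
    stats = {"sessions": defaultdict(int), "connections": defaultdict(int),
             "bypass_reasons": defaultdict(int)}
    for key, conns in sessions.items():
        action, reason = key[3], key[4]
        stats["sessions"][action] += 1
        stats["connections"][action] += len(conns)
        if action == "Bypass":
            stats["bypass_reasons"][reason or "unspecified"] += len(conns)
    return {name: dict(counter) for name, counter in stats.items()}


def _t(hhmm: str) -> datetime:
    return datetime.strptime(f"2024-07-13 {hhmm}", "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample connection logs (not real gateway output).
SAMPLE_LOGS = [
    ConnLog(_t("09:05"), "10.1.1.7", "203.0.113.10", "update.example.com", "Bypass", "Well-known update service"),
    ConnLog(_t("09:07"), "10.1.1.7", "203.0.113.10", "update.example.com", "Bypass", "Well-known update service"),
    ConnLog(_t("09:10"), "10.1.1.7", "198.51.100.5", "www.example.com", "Inspect"),
    ConnLog(_t("10:30"), "10.1.1.7", "198.51.100.5", "www.example.com", "Inspect"),
    ConnLog(_t("12:15"), "10.1.1.7", "198.51.100.5", "www.example.com", "Inspect"),   # next 3-hour window
    ConnLog(_t("09:12"), "10.1.1.9", "198.51.100.5", "www.example.com", "Inspect"),   # different source
    ConnLog(_t("09:20"), "10.1.1.9", "192.0.2.44", "app.example.org", "Bypass", "Certificate-pinned application"),
]

if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_LOGS)
    for key, conns in sessions.items():
        print(f"{key[0]:>10} -> {key[2]:20} {key[3]:8} {len(conns)} connection(s)")
    print(statistics(sessions))
```

The seven sample connections produce five sessions: the 12:15 connection lands in a new window and the 10.1.1.9 client is a different source, so neither merges with the 09:10 and 10:30 connections to www.example.com.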

Other
Intermediate CA
Use the Authority Information Access (AIA) extension of the server certificate to retrieve intermediate CA certificates that are missing from the certificate chain the server sent.
Automatically retrieve intermediate CA certificates:
n When selected, intermediate CA certificates that are issued by trusted root CA certificates and are not part of the certificate chain are retrieved automatically, using the information in the certificate (default).
n When cleared, a web server certificate that is signed by an intermediate CA and is not sent with that intermediate CA as part of the certificate chain is considered untrusted.

Bypass Under Load Logging


To configure the log type for Bypass Under Load:
1. Go to the Security Policies view > HTTPS Inspection > Inbound Policy or Outbound
Policy
2. In the HTTPS Inspection Tools section, click Advanced Settings.
3. Click Other.
4. In the Bypass Under Load Logging section, in the Track field, select the applicable
option.
5. Click OK.
6. Install the Access Control policy.


HTTPS Inspection Statistics View


Starting in R82, you can view HTTPS Inspection statistics in the Logs & Events view and in
SmartView. The HTTPS Inspection statistics view provides a visual overview of HTTPS traffic
that passes through the Security Gateway, including bypass and inspect statistics. The
Statistics view is updated every time the Security Gateway sends a session log. (see "Session
Logs" on page 587).

Configuration
1. Enable the required Software Blades on the Management Server or Log Server

a. Connect with SmartConsole to the Management Server.

b. On the left navigation panel, go to the Gateways & Servers view.


c. Double-click the object of the Management Server or Log Server, to which the
Security Gateway sends its logs.
d. In the left panel, click General Properties.
e. In the Management tab, select these Software Blades:
n Logging & Status
n SmartEvent Server
n SmartEvent Correlation Unit

f. Click OK and publish your changes.


g. In the top left corner, click Menu > Install database.
h. Select all objects and click Install.

i. Monitor the task progress in the bottom left corner.

2. Enable HTTPS Inspection session logs on the Security Gateway

a. In SmartConsole, go to the Manage & Settings view > Blades > HTTPS
Inspection > Advanced Settings.
The HTTPS Inspection - Global Settings window opens.
b. In the left navigation tree, go to Session Logs.
c. Select Session Logs and click OK.

Viewing HTTPS Inspection Statistics


You can view the HTTPS Inspection statistics in these two locations:


In SmartConsole

1. On the left navigation panel, click Logs & Events.


2. At the top, click [+] to open a new tab.
3. In the left section, click Views.
4. In the top search field, enter: HTTPS.
5. Double-click the view called HTTPS Inspection Statistics.

In SmartView

1. With a web browser, connect to the SmartView portal on the Management Server or
Log Server, to which the Security Gateway sends its logs.

For example:
[Link]
2. At the top, click [+] to open a new tab.
3. In the left section, click Views.
4. In the top search field, enter: HTTPS
5. Double-click the view HTTPS Inspection Statistics

To see log details:

1. In the HTTPS Inspection Statistics view, double-click the applicable chart or graph to see
all the related session logs.
2. Double-click the applicable session log to see all the related connection logs (appear in
the bottom panel).
3. Double-click the applicable connection log to see the complete log details.


SNI support for Site Categorization


Starting from R80.30, the Security Gateway can categorize an HTTPS site before HTTPS Inspection begins, which prevents a connectivity failure if the inspection does not succeed.
SNI is an extension to the TLS protocol which carries, in the clear, the hostname the client wants to reach at the start of the TLS handshake.
The categorization is performed by examining the SNI field in the ClientHello message at the beginning of the TLS handshake. Because the SNI is a client-supplied value, the Security Gateway verifies it against the Subject Alternative Name entries in the certificate the server presents, to make sure that the SNI names the site that is actually reached.
After the identity of the host is known and verified, the site is categorized, and it is determined whether the connection should be intercepted or not.
SNI support is enabled by default.
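The SNI-against-SAN check described above, as an added example that is not Check Point code: it implements the DNS name matching rules of RFC 6125 (case-insensitive comparison, a wildcard allowed only as the whole left-most label, matching exactly one label, IP-address SNI values never matching a dNSName) and returns the name that may be handed to categorization, or nothing when the certificate does not vouch for the SNI. The SNI string and the SAN list are constructed inputs; extracting them from the handshake and the certificate is assumed to have already happened.

```python
"""Hostname matching between a TLS ClientHello SNI value and the dNSName
entries of a server certificate's Subject Alternative Name extension.

Added example (not Check Point code). Rules follow RFC 6125 section 6.4.3.
Inputs are plain strings; no handshake or X.509 parsing is done here.
"""
import ipaddress
from typing import Iterable, Optional


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot denotes the root.
    return name.strip().lower().rstrip(".")


def _is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_name_matches(sni: str, san_entry: str) -> bool:
    """True if a single SAN dNSName entry covers the SNI host name."""
    sni = _normalize(sni)
    san = _normalize(san_entry)
    if not sni or not san or _is_ip_literal(sni):
        return False
    if "*" not in san:
        return sni == san
    # Wildcard handling: only the "*.example.com" form is accepted, and the
    # wildcard must not cover a whole public suffix such as "*.com".
    labels = san.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in lbl for lbl in labels[1:]):
        return False
    sni_labels = sni.split(".")
    # The wildcard matches exactly one label: "a.b.cdn.example.com" does not
    # match "*.cdn.example.com", and neither does the bare "cdn.example.com".
    return len(sni_labels) == len(labels) and sni_labels[1:] == labels[1:]


def sni_verified_by_certificate(sni: str, san_dns_names: Iterable[str]) -> bool:
    """True if any SAN dNSName entry matches the SNI."""
    return any(dns_name_matches(sni, entry) for entry in san_dns_names)


def categorization_host(sni: str, san_dns_names: Iterable[str]) -> Optional[str]:
    """Host name to feed to site categorization, or None when the SNI cannot
    be trusted because the server's certificate does not vouch for it."""
    names = list(san_dns_names)
    return _normalize(sni) if sni_verified_by_certificate(sni, names) else None


if __name__ == "__main__":
    # Constructed sample: a SAN list as it might appear in a CDN certificate.
    san = ["www.example.com", "*.cdn.example.com", "example.com"]
    for host in ["www.example.com", "img.cdn.example.com",
                 "a.b.cdn.example.com", "cdn.example.com", "evil.example.net"]:
        print(f"{host:22s} -> {categorization_host(host, san)}")
```

A client that sends an SNI of evil.example.net while connecting to a server holding a certificate for example.com gets no categorization host from this check, which is the case the verification step exists to catch.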

HTTPS Inspection on Non-Standard Ports


Applications that use HTTP normally send the HTTP traffic to TCP port 80. Some applications also send HTTP traffic on other ports. You can configure some Software Blades to inspect HTTP traffic on port 80 only, or to also inspect HTTP traffic on non-standard ports.
By default, the security policies inspect all HTTP traffic, even if it is sent on non-standard ports. You can configure this option in the Manage & Settings view > Blades > Threat Prevention > Advanced Settings > General > HTTPS Inspection. If you change it, you must install the Access Control policy.


Inspection of TLS v1.3 Traffic


Starting from R81, the Check Point Security Gateway can intercept traffic that relies on Transport Layer Security (TLS) v1.3 (see RFC 8446).
From R81.10, this feature is enabled by default for Security Gateways (and Cluster Members) that use the User Space Firewall (USFW).
For the list of supported platforms, see sk167052.

Notes:
n To disable the inspection of TLS v1.3 traffic for testing purposes, set the value of the global parameter "fwtls_enable_tlsio" to 0 with this command:
fw ctl set -f int fwtls_enable_tlsio 0
n To enable the inspection of TLS v1.3 traffic again, set the value of the global parameter "fwtls_enable_tlsio" to 1 with this command:
fw ctl set -f int fwtls_enable_tlsio 1
n HTTPS Inspection does not support TLS v1.3 when the Security Gateway / Cluster is configured as an HTTP/HTTPS Proxy (sk110013).

Inspection of HTTP/3 protocol (RFC 9114)


Starting from R82, Check Point Security Gateways can inspect the decrypted inbound and outbound HTTP/3 traffic, based on the configuration of the enabled Software Blades.

HTTP/3 is a version of the HTTP protocol designed to improve speed, reliability, and security by using the QUIC transport protocol, which operates over UDP instead of TCP. The HTTP/3 protocol (RFC 9114) maps HTTP semantics onto QUIC.

HTTP/3 retains the core features of HTTP/2, while reducing latency and improving performance.
QUIC has TLS 1.3 built into its handshake, so every HTTP/3 connection is encrypted; this is why QUIC traffic is handled by HTTPS Inspection.

Best Practice - For Security Gateways running version R81.20 and earlier, block the QUIC protocol as described in sk111754. Blocking QUIC makes browsers fall back to HTTP/2 over TCP, which those versions can inspect; otherwise the traffic escapes HTTPS Inspection.

Using HTTP/3 in a Rule Base

For transparent QUIC inspection, the QUIC service was added to the default HTTPS services group. You can use it in the Access Control policy, in the Services & Applications column, and in the HTTPS Inspection policy, in the Services column.
For example:


No. | Name | Source | Destination | Services | Category/Custom Application | Action | Track | Blade | Install On
1 | QUIC - Bypass the "games" category | *Any | Internet | quic | Games | Bypass | Log | All HTTPS | Policy Targets
2 | QUIC - Inspect | *Any | Internet | quic | Any | Inspect | Log | All HTTPS | Policy Targets

Monitoring the HTTP/3 inspection

You can view the HTTP/3 inspection statistics on the Security Gateway in CPView:
1. Connect to the command line on the Security Gateway, and run:
cpview

2. At the top, click Advanced > HTTP-Parser > QUIC.


Example output:

|-------------------------------------------------------------------------------------------|
| [Link]                                                              13Jul2024 16:48:27 |
|-------------------------------------------------------------------------------------------|
| Overview SysInfo Network CPU I/O Software-blades Hardware-Health Management Advanced       |
|-------------------------------------------------------------------------------------------|
| Logging CPU-Profiler Memory Network SDWAN SecureXL ClusterXL CoreXL PrioQ Streaming NAT    |
| MUX Routed RAD Conn-Tracker UP HTTP-Parser SSH-Parser CPAQ >>                               |
|-------------------------------------------------------------------------------------------|
| General HTTP3-Information QUIC                                                              |
|-------------------------------------------------------------------------------------------|
| Connections overview                                                                        |
|                                                                                             |
|   Processed Connections:                        0                                           |
|   HTTPS Inspection - Inspect:                   0                                           |
|   Website Categorization:                       0                                           |
|   HTTPS Inspection - Bypass on first packet:    0                                           |
|   HTTPS Inspection - Bypass on category/app:    0                                           |
|   Downgraded:                                   0                                           |
|   Closed with error:                            0                                           |
|-------------------------------------------------------------------------------------------|
| Downgrade reasons                                                                           |
|                                                                                             |
|   QUIC inspection disabled                      0                                           |
|   Strict Hold is active                         0                                           |
|   Exception                                     0                                           |
|-------------------------------------------------------------------------------------------|
| QUIC Errors                                                                                 |
|                                                                                             |
|   Error type                                          # of errors   # in the last 10 min window |
|   Unknown error                                                 0                            0 |
|   Transport internal error                                      0                            0 |
|   Connection refused                                            0                            0 |
|   Flow control violation on stream                              0                            0 |
|   Frame exceeding stream limits                                 0                            0 |
|   Received frame mismatch with stream state                     0                            0 |
|   New final size mismatch with previous final size              0                            0 |
|   Could not decode frame                                        0                            0 |
|   Bad transport parameters                                      0                            0 |
|   Received connection ID going over the limit                   0                            0 |
|   Protocol violation                                            0                            0 |
|   Invalid token                                                 0                            0 |
|   Connection timeout due to lack of progress                    0                            0 |
|   Crypto buffer exceeded crypto level in stream                 0                            0 |
|   Key update error                                              0                            0 |
|   AEAD limit reached                                            0                            0 |
|   No viable path                                                0                            0 |
|   Cannot create control stream: peer-imposed limit              0                            0 |
|   HTTP internal error                                           0                            0 |
|   Cannot create stream                                          0                            0 |
|   Critical stream closed                                        0                            0 |
|   Unexpected frame received on stream                           0                            0 |
|   Malfored frame: could not parse frame                         0                            0 |
|   Excessive load                                                0                            0 |
|   Invalid stream ID                                             0                            0 |
|   Unexpected HTTP/2 setting                                     0                            0 |
|   First control frame is not SETTINGS                           0                            0 |
|   Got stream while going away                                   0                            0 |
|   Refuse push stream                                            0                            0 |
|   Request is incomplete                                         0                            0 |
|   Parsing error: frame contains invalid headers                 0                            0 |
|   Content error                                                 0                            0 |
|   Version fallback                                              0                            0 |
|   Stream QPACK decompression error                              0                            0 |
|   Error interpreting QPACK encoder stream                       0                            0 |
|   Error interpreting QPACK decoder stream                       0                            0 |
|   Invalid certificate                                           0                            0 |
|-------------------------------------------------------------------------------------------|


Limitations
n The Security Gateway supports HTTP/3 inspection only when it runs in the User Space Firewall (USFW) mode, which is the default in versions R82 and higher. When the Security Gateway runs in the kernel mode firewall, it downgrades HTTP/3 traffic to an earlier HTTP version.
For information about the User Space Firewall (USFW) mode, see the Release Notes for your version and sk167052.
n The Security Gateway drops HTTP/3 traffic when the Threat Prevention "Deep Inspection" mode is enabled.
n Chromium-based web browsers allow HTTP/3 traffic only if the HTTPS Inspection certificate is signed by a trusted CA from the Chromium trust list. Chromium-based web browsers do not allow adding certificates for HTTP/3 traffic to the browser's trusted store. See sk111754. In practice, because the outbound CA is a private CA, these browsers fall back to HTTP/2 over TCP behind HTTPS Inspection, and the traffic is inspected there.
n Inspection of QUIC traffic over a proxy is not supported.
n QUIC connections that carry a protocol other than HTTP/3 are downgraded to an earlier HTTP version.

Blocking TLS Connections


You can block inbound TLS 1.0 and TLS 1.1 connections through a Security Gateway to internal networks, and outbound TLS 1.0 and TLS 1.1 connections from internal networks through a Security Gateway to external networks.

Prerequisites
n Management Server R80 and higher.
n Security Gateway R80.10 and higher.
n Enable the Application & URL Filtering Layer in the Access Control Policy.
n Enable the Application & URL Filtering blade on the Security Gateway.
n This procedure works in all these configuration combinations:

 | HTTPS Inspection is enabled | HTTPS Inspection is disabled
Categorize HTTPS websites is enabled | Yes | Yes
Categorize HTTPS websites is disabled | Yes | Yes

Notes:
l To enable Categorize HTTPS websites: In SmartConsole, go to the Manage & Settings view > Blades > Application Control & URL Filtering, click Advanced Settings > URL Filtering > select Categorize HTTPS websites.
l To enable HTTPS Inspection: In SmartConsole, go to the Gateways & Servers view, double-click the required Security Gateway or Security Cluster object, in the Security Gateway or Security Cluster editor go to the HTTPS Inspection page, and select Enable HTTPS Inspection.
l When HTTPS Inspection is enabled, blocking TLS connections works in both the Kernel Space Firewall (KSFW) and the User Space Firewall (USFW). For more information about these Firewall modes, see sk167052.
Procedure
Part 1 - Create User-Defined Services

1. Use SmartConsole to connect to the Security Management Server or the Domain


Management Server that manages this Security Gateway.

2. In the top-right corner in SmartConsole, click Objects and the icon, which opens
the Object Explorer window.
3. In the top search field, search for:

tls


4. To block TLS 1.0 connections:


a. Right-click the predefined service tls1.0, and click Clone.
The New TCP Service window opens.

b. In the Name field, change the name from tls1.0_Clone to the required name.

For example: tls1.0_Block


c. Optional: In the Comment field, enter the applicable text.
For example: User-defined service to block TLS 1.0 connections
d. In the left panel, click Advanced.


e. In the top section, select Protocol Signature.

f. Click OK.
5. To block TLS 1.1 connections:
a. Right-click the predefined service tls1.1, and click Clone.
The New TCP Service window opens.


b. In the Name field, change the name from tls1.1_Clone to the required name.
For example: tls1.1_Block
c. Optional: In the Comment field, enter the applicable text.
For example: User-defined service to block TLS 1.1 connections.
d. In the left panel, click Advanced.
e. In the top section, select Protocol Signature.

f. Click OK.
Example result:

6. Close the Object Explorer window.

Part 2 - Configure the Security Gateway

1. In SmartConsole, go to the Gateways & Servers view.


2. Double-click the applicable Security Gateway or Security Cluster object.


The Security Gateway or Security Cluster editor opens.


3. In the General Properties page, go to the Network Security tab.
4. Select the Application Control Software Blade.
5. Click OK.

Part 3 - Enable the Application & URL Filtering Layer

1. In the top left corner of SmartConsole, click , and select Manage policies and
layers.
2. Right-click the applicable policy that you installed on the Security Gateway or Security
Cluster > click Edit.

3. In the Access Control row, click in the top right corner, and select Edit Layer.


4. On the General page, in the Blades section, select Application & URL Filtering.

5. Click OK to close the Layer Editor window.


6. Click OK to close the Policy window.


7. Close the Manage policies and layers window.

Part 4 - Configure the Access Control Policy

1. In the left navigation panel in SmartConsole, click Security Policies.


2. In the Access Control section, click Policy.
3. Add the applicable new rules to block TLS 1.0 and TLS 1.1 connections:

| Name | Source | Destination | VPN | Services & Applications | Content | Action | Track |
|---|---|---|---|---|---|---|---|
| Block TLS 1.0 | Applicable Source | Applicable Destination | *Any | User-defined service tls1.0_Block | *Any | Drop | Log or None |
| Block TLS 1.1 | Applicable Source | Applicable Destination | *Any | User-defined service tls1.1_Block | *Any | Drop | Log or None |

4. Publish the session.


5. Install the Access Control policy on the Security Gateway or Security Cluster object.


Client Certificates for Smartphones and Tablets
To allow your users to access their resources using their handheld devices, make sure they
can authenticate to the Security Gateway with client certificates.
In many organizations, the daily task of assigning and maintaining client certificates is done by
a different department than the one that maintains the Security Gateways (the computer help
desk, for example). You can create an administrator that is allowed to use SmartConsole to
create client certificates, while restricting other permissions (see "Giving Permissions for
Client Certificates" on page 610).
To configure client certificates, open SmartConsole and go to Security Policies > Access
Control > Access Tools > Client Certificates.
To configure the Mobile Access policy, go to Manage & Settings > Blades > Mobile Access >
Configure in SmartDashboard. The Client Certificates page in SmartConsole is a shortcut to
the SmartDashboard Mobile Access tab, Client Certificates page.

Managing Client Certificates


Check Point Mobile Apps for mobile devices can use certificate-only authentication or two-
factor authentication with client certificates and username/password. The certificate is signed
by the internal CA of the Security Management Server that manages the Mobile Access
Security Gateway.

Manage client certificates in Security Policies > Access Control > Access Tools > Client
Certificates.

The page has two panes.


n In the Client Certificates pane:
l Create, edit, and revoke client certificates.
l See all certificates, their status, expiration date and enrollment key. By default, only
the first 50 results show in the certificate list. Click Show more to see more results.
l Search for specified certificates.
l Send certificate information to users.
n In the Email Templates for Certificate Distribution pane:
l Create and edit email templates for client certificate distribution.
l Preview email templates.


Creating Client Certificates


Note - If you use LDAP or AD, creation of client certificates does not change the LDAP or AD
server. If you get an error message regarding LDAP/AD write access, ignore it and close the
window to continue.
To create and distribute certificates with the client certificate wizard:

1. In SmartConsole, select Security Policies > Access Control > Access Tools > Client
Certificates.
2. In the Client Certificates pane, click New.
The Certificate Creation and Distribution wizard opens.

3. In the Certificate Distribution page, select how to distribute the enrollment keys to
users. You can select one or both options.
a. Send an email containing the enrollment keys using the selected email
template -Each user gets an email, based on the template you choose, that
contains an enrollment key.
n Template - Select the email template that is used.
n Site - Select the Security Gateway, to which users connect.
n Mail Server - Select the mail server that sends the emails.
You can click Edit to view and change its details.

b. Generate a file that contains all of the enrollment keys - Generate a file for
your records that contains a list of all users and their enrollment keys.
4. Optional: To change the expiration date of the enrollment key, edit the number of
days in Users must enroll within x days.
5. Optional: Add a comment that will show next to the certificate in the certificate list on
the Client Certificates page.
6. Click Next.
The Users page opens.
7. Click Add to add the users or groups that require certificates.
n Type text in the search field to search for a user or group.
n Select a type of group to narrow your search.
8. When all included users or groups show in the list, click Generate to create the
certificates and send the emails.


9. If more than 10 certificates are being generated, click Yes to confirm that you want to
continue.
A progress window shows. If errors occur, an error report opens.
10. Click Finish.
11. Click Save.
12. In SmartConsole, install the Policy.

Revoking Certificates
If the status of a certificate is Pending Enrollment, after you revoke it, the certificate does not
show in the Client Certificate list.
To revoke one or more certificates

1. Select the certificate or certificates from the Client Certificate list.


2. Click Revoke.
3. Click OK.
After you revoke a certificate, it does not show in the Client Certificate list.

Creating Templates for Certificate Distribution


To create or edit an email template

1. In SmartConsole, select Security Policies > Access Control > Access Tools > Client
Certificates.

2. To create a new template: In the Email Templates for Certificate Distribution pane,
select New.
To edit a template: In the Email Templates for Certificate Distribution pane, double-
click a template.
The Email Template opens.
3. Enter a Name for the template.
4. Optional: Enter a Comment. Comments show in the Mail Template list on the Client
Certificates page.
5. Optional: Click Languages to change the language of the email.


6. Enter a Subject for the email. Click Insert Field to add a predefined field, such as a
Username.
7. In the message body add and format text. Click Insert Field to add a predefined field,
such as Username, Registration Key, or Expiration Date.
8. Click inside the E-mail Template body.
9. Click Insert Link and select the type of link to add (link or QR code).
n Site and Certificate Creation

For users who already have a Check Point app installed.


When users scan the QR code or go to the link, it creates the site and
registers the certificate.

Select the client type that will connect to the site- Select one client type that
users will have installed:
l Capsule Workspace - An app that creates a secure container on the
mobile device to give users access to internal websites, file shares, and
Exchange servers.
l Capsule Connect/VPN - A full Layer 3 tunnel app that gives users
network access to all mobile applications.

n Download Application

Direct users to download a Check Point App for their mobile devices.

Select the client device operating system:


l iOS
l Android
Select the client type that will connect to the site- Select one client type that
users will have installed:
l Capsule Workspace - An app that creates a secure container on the
mobile device to give users access to internal websites, file shares, and
Exchange servers.
l Capsule Connect/VPN - A full Layer 3 tunnel app that gives users
network access to all mobile applications.

n Custom URL

Lets you configure your own URL.


For each link type, you can select which elements are added to the mail template

n Link URL - Enter the full link address.


n QR Code - When enabled, users scan the code with their mobile devices.
n HTML Link - When enabled, users tap the link on their mobile devices.
You can select both QR Code and HTML Link to include both in the email.
n Display Text - Enter the text for the link title.

10. Click OK.


11. Optional: Click Preview in Browser to see a preview of how the email will look.
12. Click OK.

13. Publish the changes.

Cloning a Template
Clone an email template to create a template that is similar to one that already exists.
To create a clone of an email template

1. Select a template from the template list in the Client Certificates page.
2. Click Clone.

3. A new copy of the selected template opens for you to edit.

Giving Permissions for Client Certificates


You can create an administrator that is allowed to use SmartConsole to create client
certificates, and restrict other permissions.
To make an administrator for client certificates

1. Define an administrator (see "Managing Administrator Accounts" on page 75).


2. Create a customized profile for the administrator, with permission to handle client
certificates. Configure this in the Others page of the Administrator Profile. Restrict
other permissions (see "Assigning Permission Profiles to Administrators" on
page 116).


Preferences and Management Settings
This section describes various settings in SmartConsole.

Database Revisions
The Security Management architecture has built-in revisions. Each publish operation creates a
new revision which contains only the changes from the previous revisions.
Benefits of the revision architecture:
n Safe recovery from a crisis, restoring a database to a good known revision.
n Fast policy verification, based on the differences between installed versions.
n More efficient Management High Availability.

Important - Before using the revision feature consider these limitations:


n Database Revision revert operation is not supported on a Backup Security
Management Server.
n Reverting to a previous revision is an irreversible operation. Versions that are
newer than the target revision are lost.
n Changes apply to objects only and not to the file system.
n Tasks, SIC, and Licenses are not reverted.
n The revert action disconnects all other connected users and discards all of their
private sessions.
n Revision is not supported in these scenarios:
l For the Endpoint Security Management Server.

l If SmartConsole and the Security Management Server are connected

through a proxy server, the GUI for this feature is not supported. In this
case, use the applicable API command.
l VSX configuration or related networks differ between the source and

target revisions.
l A new Multi-Domain Server, a Security Management Server or a Check

Point object was created or deleted after the target revision date.
l The corresponding revision of the Global Domain, or the IPS or

Application Control components was purged.


n When you revert to a previous revision, a configuration of Site to Site VPN
Tunnel with Native Cloud is not saved. (See R82 Site to Site VPN
Administration Guide > Chapter Seamless Site to Site VPN Tunnel with
Native Cloud.).


Best Practices:
1. We recommend that you update the IPS and Application Control signatures and install
the policy after the revert. Install the policy if changes to log destinations are
applied.
2. If you need a full environment restore to a certain point in time, use Restore
Backup. All work done after the backup is lost. To learn more, see the R82
Gaia Administration Guide.
3. We recommend that you purge irrelevant revisions. Accumulating too many revisions
can create a heavy load on the server, which may cause disk and performance
issues.

To see saved database versions:


In SmartConsole, go to Manage & Settings > Sessions > Revisions.

To open a specific revision:


1. Go to Manage & Settings > Sessions > Revisions, and select a revision.
The bottom pane shows the audit logs of the changes made in the revision.
2. Optional: Click View.
A separate read-only SmartConsole session opens.

To compare between two revisions:


1. In SmartConsole, go to Manage & Settings > Sessions > Revisions.

2. Select a revision.
3. In the toolbar, click Changes.

4. Select the revision to compare to:


n The current revision
Or
n A previous revision in the list. If you select this option, select the applicable revision
from the list.
A changes report is generated. The report shows a comparison between the two
selected revisions.

To revert to an earlier revision


1. Go to Manage & Settings > Sessions > Revisions, and select a revision.
2. In Actions, click Revert to this Revision.


The Revert to Revision wizard opens.

To delete all versions of the database that are older than the selected version:
1. Go to Manage & Settings > Sessions > Revisions, and select a revision.
2. In Actions, click Purge.
3. In the confirmation window that opens, click Yes.

Important - Purge is irreversible. When you purge, that revision and older revisions
are deleted.
Notes:
n When connected with SmartConsole to a Security Management Server,
sessions that were published through the Management API in the system
Domain are not shown in the Revisions view.
n When you connect with the Management API to the Domain of a Security
Management Server and run the show sessions API command with view-
published-sessions set to true, sessions that were published through
SmartConsole are not returned, even if they include changes in the system
Domain.


Setting IP Address Versions of the Environment


Many objects and rules use IP addresses. Configure the version that your environment uses to
see only relevant options.
To set IP address version

1. Click Manage & Settings.


2. Click Preferences.
3. Select the IP address version that your environment uses: IPv4, IPv6, or IPv4 and
IPv6.
4. Select how you want to see subnets: Mask Length or Subnet Mask.


Restoring Window Default


Some windows in the SmartConsole offer administrators the option to not see the window
again. You can undo this selection, and restore all windows to show again.
This option is available only if administrators selected do not show in a window.
To restore windows from "do not show"

1. Click Manage & Settings.


2. Click Preferences.
3. In the User Preferences area, click Restore All Messages.


Configuring the Login Window


Administrators in your environment use SmartConsole daily. Customize the Login window, to
set the environment to comply with your organization's culture.
To customize the Login window

1. Click Manage & Settings.


2. Click Preferences > Login Message.
The Login Message window opens.
3. Select Show custom message during login.

4. In Customize Message, enter a Header and Message for administrators to see.


The default suggestion is:
Warning
This system is for authorized use only

5. If you want the message to have a warning icon, in Customize Layout, select Add
warning sign.
6. If you want the Login window to show your organization's logo, in Customize Layout,
select Add logo and then Browse to an image file.


Synchronization with UserCenter


You can add information regarding your environment to User Center, such as Security
Gateway name, version, and active blades. Check Point uses this additional information for
better inventory management, pro-active support, and more efficient ticket resolution.
To learn more, see sk94064.
To sync with User Center

1. In SmartConsole, click Manage & Settings.


2. Click Sync with User Center.
3. Select Synchronize information once a day.


Inspection Settings
You can configure inspection settings for the Security Gateway:
n Deep packet inspection settings
n Protocol parsing inspection settings
n VoIP packet inspection settings
The Security Management Server comes with two preconfigured inspection profiles for the
Security Gateway:
n Default Inspection
n Recommended Inspection
When you configure a Security Gateway, the Default Inspection profile is enabled for it. You
can also assign the Recommended Inspection profile to the Security Gateway, or create a
custom profile and assign it to the Security Gateway.
To activate the Inspection Settings, install the Access Control Policy.

Configuring Inspection Settings


To configure Inspection Settings

1. In SmartConsole, go to the Manage & Settings > Blades view.


2. In the General section, click Inspection Settings.

The Inspection Settings window opens.


You can:
n Edit inspection settings.
n Edit user-defined Inspection Settings profiles. You cannot change the Default
Inspection profile and the Recommended Inspection profile.
n Assign Inspection Settings profiles to Security Gateways.
n Configure exceptions to settings.

To edit a setting

1. In the Inspection Settings > General view, select a setting.


2. Click Edit.
3. In the window that opens, select a profile, and click Edit.


The settings window opens.


4. Select the Main Action:
n Default Action - preconfigured action
n Override with Action - from the drop-down menu, select an action with which to
override the default - Accept, Drop, Inactive (the setting is not activated)
5. Configure the Logging Settings
Select Capture Packets, if you want to be able to examine packets that were blocked
in Drop rules.
6. Click OK.
7. Click Close.

For advanced configuration of SYN attacks, see sk120476.

To view settings for a certain profile

1. In the Inspection Settings > General view, click View > Show Profiles.
2. In the window that opens, select Specific Inspection settings profiles.
3. Select profiles.
4. Click OK.
Only settings for the selected profiles are shown.

You can add, edit, or delete custom Inspection Settings profiles.

To edit a custom Inspection Settings profile

1. In the Inspection Settings > Profiles view, select a profile.


2. Click Delete to remove it, or click Edit to change the profile name, associated color,
or tag.
3. If you edited the profile attributes, click OK to save the changes.

To add a new Inspection Settings profile

1. In the Profiles view, click New.


2. In the New Profile window that opens, edit the profile attributes:
3. Click OK.


To assign an Inspection Settings profile to a Security Gateway

1. In the Inspection Settings > Gateways view, select a Security Gateway, and click
Edit.
2. In the window that opens, select an Inspection Settings profile.
3. Click OK.

To configure exceptions to inspection settings

1. In the Inspection Settings > Exceptions view, click New to add a new exception, or
select an exception and click Edit to modify an existing one.
The Exception Rule window opens.

2. Configure the exception settings:


n Apply To - select the Profile to which to apply the exception
n Protection - select the setting
n Source - select the source Network Object, or select IP Address and enter a
source IP address
n Destination - select the destination Service Object
n Service - select Port/Range, TCP or UDP, and enter a destination port number
or a range of port numbers
n Install On - select a Security Gateway, on which to install the exception

3. Click OK.
To enforce the changes, install the Access Control Policy.


SmartTasks
Management SmartTasks let you configure automatic actions according to different triggers in
the system. A SmartTask is a combination of trigger and action.
n Triggers are events, currently defined in terms of existing management operations,
such as installing a policy or publishing a session.
n Actions are automatic responses that take place after the trigger event, such as running
a script, posting a web request, or sending email.

Available Triggers

Note - Listed in the order they appear in SmartConsole.

n Before Publish - Fired when an administrator publishes a session. The SmartTask
passes the session's metadata (publishing administrator, domain information, and
session name) to the action. If the local Management API server is available, the session
changes about to be published are formatted as a response to the "show changes" API.
n After Publish - Fired after an administrator successfully publishes a session. The
SmartTask passes the same information to the action as the Before Publish trigger.
n Before Install Policy - Fired before a policy is installed. The SmartTask provides the
action information related to the policy installation task, such as the package to be
installed, the administrator who initiated the installation and the task's result.
Additionally, it provides details about the policies which are currently installed on each
Security Gateway, and the policies scheduled for installation in the current operation.
n After Install Policy - Fired after a policy is installed. The SmartTask passes to the action
information related to the policy installation task, such as the package installed, the
administrator who initiated the installation and the task's result.
n CloudGuard Controller Event - Fired when a new log is generated that matches this
query in SmartConsole > Logs & Events view > Logs tab:

blade:"CloudGuard IaaS" AND severity:Critical

More Information

The Management Server creates events in this JSON format:

{
    "severity": "<VALUE1>",
    "log-description": "<VALUE2>",
    "product": "CloudGuard IaaS",
    "gateway-name": "<VALUE3>",
    "datacenter-name": [
        "<VALUE4>",
        "<VALUE5>",
        "...",
        "<VALUEx>"
    ],
    "version": "1.0"
}

This is an example script (in the Action field, select Run Script):

#!/bin/sh
# The trigger data is passed as Base64-encoded JSON in the first argument
input=$(echo "$1" | base64 --decode)
# Extract the event fields; -r strips the JSON quotes, -c keeps the array on one line
severity=$(echo "$input" | jq -r '.severity')
message=$(echo "$input" | jq -r '."log-description"')
gw_name=$(echo "$input" | jq -r '."gateway-name"')
dc_name=$(echo "$input" | jq -c '."datacenter-name"')
# Send the event details by email (printf is used because "echo -e" is not portable in /bin/sh)
printf 'Subject: CloudGuard Controller event\r\n\r\nSeverity: %s\r\nMessage: %s\r\nData Center: %s\r\nGateway: %s\r\n' "$severity" "$message" "$dc_name" "$gw_name" | sendmail --domain=[Link] -f no-reply@[Link] -v admin@[Link] --host=[Link] > /dev/null
echo "Email sent"

n After Submit - Fired after an administrator submits the current session for approval by
another administrator (see "Approval Cycle for Sessions (SmartWorkflow and Identity
Provider)" on page 132).
n Before Submit - Fired immediately before an administrator submits the current session
for approval by another administrator (see "Approval Cycle for Sessions (SmartWorkflow
and Identity Provider)" on page 132).
n Before Reject - Fired immediately before an administrator rejects a submitted session
(see "Approval Cycle for Sessions (SmartWorkflow and Identity Provider)" on page 132).
n After Reject - Fired after an administrator rejects a submitted session (see "Approval
Cycle for Sessions (SmartWorkflow and Identity Provider)" on page 132).
n Before Login - Fired immediately before an administrator logs in to SmartConsole.


n After Approve - Fired after an administrator approves the session created by another
administrator (see "Approval Cycle for Sessions (SmartWorkflow and Identity Provider)"
on page 132).
n Before Approve - Fired immediately before an administrator approves the session
created by another administrator (see "Approval Cycle for Sessions (SmartWorkflow and
Identity Provider)" on page 132).

Available Actions
n Run Script - Runs a pre-defined Repository Script. The first parameter that the script
gets is a path to a file that contains the trigger's data. When the script is not configured to
run on the local machine, the trigger's data is passed as Base64 encoded JSON data,
which can be decoded to implement custom business logic. However, when the script is
configured to run on the local machine, no decoding is needed.

For SmartTasks configured to run with "Before" operation triggers, the repository script
can signal whether to abort or continue the operation by printing a JSON object with the
"result" and optional "message" fields and then exiting with code 0. If the value of the
"result" field is "failure", the operation aborts.
For SmartTasks configured to run with other triggers, exit code 0 is treated as success.
Any other exit code is treated as failure.

Note - By default, Repository Scripts run on the local Security Management


Server although this can be customized using the Web API.
n Web Request - Executes an HTTPS POST web request to the configured URL. The
trigger's data is passed as JSON data to the request's payload.

Notes:
l The configured URL must start with HTTPS, and the target web server must be
capable of handling such requests.
l For web servers with self-signed SSL certificates, establish trust by
specifying the certificate's fingerprint. You can get the fingerprint by
clicking Get Fingerprint in the SmartTask editor or by viewing the
certificate in a web browser.

For SmartTasks configured to run with "Before" operation triggers, the repository script
can signal whether to abort or continue the operation by responding with JSON object
"result" and optional "message" fields and a status of 200 OK. If the value of the "result"
field is "failure" the operation aborts.
For SmartTasks configured to run with other triggers, a "200 OK" status code is treated
as success. Any other status code is treated as failure.
n Send Mail - Sends a configured email.


Notes:
l Before you select this action, you must configure a Server object of type

SMTP Server that represents your SMTP server.


l You must configure the email template on the Advanced pane.

l You can use this action only for these triggers: After Install Policy, After

Submit, After Approve, After Publish, After Reject.

Configuring SmartTask Properties


1. Enter a unique name for the SmartTask - The name property is required and case
sensitive.
2. Switch the SmartTask ON or OFF using the toggle button.
3. Optional - Enter a description for the SmartTask.

4. Select a trigger for the SmartTask.


5. Select an action that will happen once the trigger is fired.
6. Custom Data – You can add additional information to the JSON data sent with the trigger
information by adding a JSON object to the Custom Data field. The JSON custom data is
concatenated to the trigger's payload and passed to the action.
7. Optional - Add tags for the SmartTask object.

SmartTask Advanced Properties


The available advanced options depend on the action selected on the General tab.

Send Web Request


n Time-out – Number of seconds before the request times out and is aborted.
n If the HTTPS request times out - Treat the time-out as an error and abort the event or
continue normally.
n X-chkp-shared-secret – Enter a shared secret that can be used by the target web server
to identify the Security Management Server. The value is sent as part of the request in
the X-chkp-shared-secret header in the out-going web request.
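The target side of the Web Request action, as an added example that is not part of the guide or of Check Point's code: a small Python receiver that checks the X-chkp-shared-secret header, parses the trigger JSON, and answers a Before Publish trigger with the documented result object, enforcing the session-name prefix use case that the Example later in this section implements with a Repository Script. The listen port, the certificate file names, and the SMARTTASK_SHARED_SECRET environment variable are assumptions; the payload field names and the result object follow the guide.

```python
"""Receiver for a SmartTask "Web Request" action (added example, not Check Point code).

Assumptions that are not from the guide: the listen port 8443, the file names
server.crt / server.key, and the SMARTTASK_SHARED_SECRET environment variable.
The JSON field names ("session", "session-name", "custom-data",
"session-name-prefix") and the result object follow the guide.
"""
import hmac
import json
import os
import re
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer


def evaluate_before_publish(payload: dict) -> dict:
    """Decide whether a Before Publish operation may continue.

    Returns the object the SmartTask reads from a 200 OK response:
    {"result": "success"} or {"result": "failure", "message": "..."}.
    """
    custom = payload.get("custom-data") or {}
    prefix = custom.get("session-name-prefix")
    if not prefix:
        # No prefix configured in the SmartTask's Custom Data: nothing to enforce.
        return {"result": "success"}
    name = (payload.get("session") or {}).get("session-name")
    if not name:
        return {"result": "failure",
                "message": f"Session name is missing. It must start with {prefix} "
                           f"followed by a service request number."}
    # The prefix must be followed by at least one digit (the service request
    # number); free text may follow after whitespace.
    if not re.fullmatch(re.escape(prefix) + r"\d+(\s.*)?", name):
        return {"result": "failure",
                "message": f"Session name {name!r} must start with {prefix} followed "
                           f"by a service request number, for example {prefix}123456."}
    return {"result": "success"}


def handle_request(headers: dict, body: bytes, secret: str) -> tuple:
    """Authenticate the request, then evaluate its JSON payload.

    Returns (HTTP status, response object). Only a 200 response carrying
    result=failure is the documented abort signal; a non-200 status here means
    the receiver refused the request, it is not a policy decision.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("x-chkp-shared-secret", "")
    # Refuse when no secret is configured, and compare in constant time so the
    # secret cannot be guessed byte by byte.
    if not secret or not hmac.compare_digest(presented.encode(), secret.encode()):
        return 403, {"result": "failure", "message": "missing or wrong shared secret"}
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, {"result": "failure", "message": "request body is not JSON"}
    if not isinstance(payload, dict):
        return 400, {"result": "failure", "message": "request body is not a JSON object"}
    return 200, evaluate_before_publish(payload)


class SmartTaskHandler(BaseHTTPRequestHandler):
    """Minimal HTTP handler that delegates to handle_request()."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, reply = handle_request(dict(self.headers.items()), body,
                                       os.environ.get("SMARTTASK_SHARED_SECRET", ""))
        data = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # The SmartTask only accepts HTTPS URLs, so terminate TLS here. If the
    # certificate is self-signed, its fingerprint is what you enter in the
    # SmartTask editor to establish trust.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain("server.crt", "server.key")
    srv = HTTPServer(("0.0.0.0", 8443), SmartTaskHandler)
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    srv.serve_forever()
```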

Run script
n Time-out – Number of seconds before the script times out and is aborted.
n If the script fails to run or times-out – Treat time-out (or execution failure) as an error
and abort the event or continue normally.

Send Email
Enter these email details:


n To
n Cc
n Sender
n Subject
n Attachment
n Body text
You can use the pre-defined options in the "To", "Cc", and "Sender" fields only for
administrators that have an email address defined in SmartConsole. You cannot use these
fields for administrators that are connected through an Identity Provider.
For administrators that do not have an email address defined in SmartConsole, do one of
these:
n Manually enter the applicable email addresses of the administrators, or
n Create a mailing list of the administrators in your email program, and use the mailing list
in the relevant field.
For example:
In an "After Session Approve" SmartTask, an administrator reviews and approves a change
made by a submitter.
In the Email Configuration fields:
In the "To" field, instead of the pre-defined "Submitter email" field, enter a mailing list of all the
submitters.
In the "Cc" field, instead of the pre-defined "All reviewers" field, enter a mailing list of all the
reviewers.

In the "Sender" field, instead of the pre-defined "Reviewer email" field, enter a dummy email,
such as "SmartTask@[Link]".
For more information about the approval cycle workflow, see "Session Flow for Administrators"
on page 126.
Example

Use Case:
A company policy dictates that the publish operation must be used with a service request
number as a prefix to the session name before saving any changes to the database, so the
administrators can see what the rationale for changing the security policy was.

Procedure:
Add the Validate Session Name Prefix script to the Scripts Repository.
1. Save the script in the repository.
Instructions

a. Click Gateways & Servers > Scripts > Scripts Repository > New.

b. Give the script a name.


c. In the Content text box, paste the script code below.
d. Click OK to save the script in the repository.

Script Code
#!/bin/bash
JQ=${CPDIR}/jq/jq
# The SmartTask passes the trigger payload to the script as a base64-encoded JSON string
data=$(echo "$1" | base64 --decode -i)

# Extract the required session name prefix for the session name from the
# "custom-data" object in the input JSON
sessionNamePrefix=$(echo "$data" | $JQ -r '."custom-data"."session-name-prefix"')

# If there is no input session name prefix, publish is allowed
if [[ $sessionNamePrefix = "null" ]] || [[ -z "$sessionNamePrefix" ]]; then
    printf '{"result":"success"}\n'
    exit 0
fi

# Extract the actual session name
sessionName=$(echo "$data" | $JQ -r '.session."session-name"')

# Abort the publish if the session does not contain a name at all
if [[ $sessionName = "null" ]]; then
    m1="Corporate Policy requires you to use a service request number for the session's name prefix."
    m2="For example: ${sessionNamePrefix}######"
    # Escape double quotes so the message stays valid JSON
    m2=${m2//\"/\\\"}
    m3="Session name is missing. Please change your session's name to meet the requirements and try to publish again."
    printf '{"result":"failure","message":"%s %s %s"}\n' "$m1" "$m2" "$m3"
    exit 0
fi

# Abort the publish if the session name does not start with the expected prefix
# (the prefix is quoted so that it is matched literally; the trailing * is a glob)
if [[ $sessionName != "$sessionNamePrefix"* ]]; then
    m1="Corporate Policy requires you to use a ticket number as the session's name."
    m2="For example: ${sessionNamePrefix}######"
    # Escape double quotes so the message stays valid JSON
    m2=${m2//\"/\\\"}
    m3="Please change your session's name to meet the requirements and publish again."
    printf '{"result":"failure","message":"%s %s %s"}\n' "$m1" "$m2" "$m3"
    exit 0
else
    # Session name matches the expected prefix, publish is allowed
    printf '{"result":"success"}\n'
    exit 0
fi

2. Create a SmartTask to run the session validation script.


Instructions

a. Go to Manage & Settings > Tasks > SmartTasks > New.

b. Give the new SmartTask a name (you can call it "Validate Session
Name Before Publish").

c. In the Trigger and Action section, select from the drop down menu:
Before Publish and Run Script.

d. In the Select script from repository drop down, select the script saved in Step
1.
e. In the Custom Data field, enter this string:
{"session-name-prefix": "CR"}

Note - The key "session-name-prefix" corresponds to the key that the script in Step 1
reads at its beginning. If these are not identical, the script cannot work and the
process fails.

3. Publish the SmartConsole session.


4. Add a network object.
5. Publish the changes using the required prefix.

Note - If you publish the session without using the prefix, the process fails.

Management High Availability


This chapter describes the configuration of Management High Availability.

Overview of Management High Availability


High Availability is redundancy and database backup for management servers. Synchronized
servers have the same policies, rules, user definitions, network objects, and system
configuration settings.
Management High Availability uses the built-in revisions technology and allows the High
Availability procedure to synchronize only the changes done since the last synchronization.
This provides:
n Real-time updates between peer Management Servers.
n Minimum effect on the Management Server resources.
The first management server installed is the Primary. If the Primary Security Management
Server fails, or is offline for maintenance, the administrator can initiate a changeover, so that
the Secondary server takes over.

Notes:
n For High Availability (and Load Sharing) environments for Security Gateways,
see the R82 ClusterXL Administration Guide.
n For High Availability environments for Endpoint Security, see the R82 Harmony
Endpoint Security Server Administration Guide.

The High Availability Environment


A Management High Availability environment includes:
n One Active Security Management Server
n One or more Standby Security Management Servers
For full redundancy, the Active Security Management Server synchronizes its database at
intervals with the Secondary server or servers.

Active vs. Standby


In a standard High Availability configuration there is one Active server at a time. The
administrator uses the Active server to manage the High Availability configuration. The Active
server automatically synchronizes the standby server(s) at regular intervals. You can open a
Standby server only in Read Only mode. If the Active server fails, you can initiate a
changeover to make a Standby server become the Active server. If communication with the
Active server fails, there may be more than one Active server. This is called Collision Mode.

Primary Server vs. Secondary Server


The sequence in which you install management servers defines them as Primary or
Secondary. The first management server installed becomes the Primary active server. When
you install more Security Management Servers, you define them as Secondary. Secondary
servers are Standby servers by default.

Important notes about backing up and restoring in a Management High Availability
environment:
n To back up and restore a consistent environment, make sure to collect and
restore the backups and snapshots from all servers in the High Availability
environment at the same time.
n Make sure other administrators do not make changes in SmartConsole until the
backup operation is completed.
For more information:
n About Gaia Backup and Gaia Snapshot, see the R82 Gaia Administration
Guide.
n About the "migrate export" and "migrate import" commands, see the
R82 CLI Reference Guide.
n About the "mds_backup" and "mds_restore" commands, see the R82 CLI
Reference Guide.
n About Virtual Machine Snapshots, see the vendor documentation.

Configuring a Secondary Security Management Server in SmartConsole
In the SmartConsole connected to the Primary Security Management Server, create a Check
Point Host object for the Secondary Security Management Server. After you publish the
SmartConsole session, synchronization starts between the Primary and Secondary Security
Management Servers.

To configure the Secondary Security Management Server in SmartConsole:


1. Connect with SmartConsole to the Primary Security Management Server.

2. In the Object Explorer, click New > More > Network Object > Gateways and Servers >
Check Point Host.
3. In the General Properties page, enter a unique name and IP address for the Secondary
Security Management Server.
4. In the Software Blades section, go to the Management tab, and select Network Policy
Management.
This automatically selects the Secondary Server, Logging and Status, and
Provisioning.
5. Create the SIC trust between the Secondary Security Management Server and the
Primary:

a. Click Communication.
b. Enter the SIC Activation Key of the secondary server.

c. Click Initialize.
d. Click Close.
6. Click OK.
7. Publish the SmartConsole session to save these session changes to the database.
The initialization and synchronization between the Security Management Servers start.
8. Monitor these tasks in the Task List, in the SmartConsole System Information area. Wait
for the Task List to show that a full sync has completed.
9. Open the High Availability Status window and make sure there is one Active Security
Management Server, and one Standby Security Management Server.
10. For each Security Gateway / Cluster, open the Security Gateway / Cluster object > go to
Fetch Policy, click Add, and add the Secondary Security Management Server.

Note - If you create an administrator on the Primary Security Management Server
through cpconfig, the administrator cannot log in to SmartConsole of the
Secondary Management Server until full synchronization from the Primary to the
Secondary server is performed.

Synchronizing Active and Standby Servers


The Active server synchronizes with the Standby server or servers at intervals, and when you
publish the SmartConsole session. Sessions that are not published are not synchronized.

Monitoring High Availability


The High Availability Status window shows the status of each Security Management Server in
the High Availability configuration.

To see the server status in your High Availability environment:


1. Open SmartConsole and connect to a primary or secondary server.

2. On the Menu, click High Availability.


The High Availability Status window opens.
For the management server and its peer or peers in the High Availability configuration, the
High Availability Status window shows:
n A Warning or Error message - The message shows if there is a problem between the
High Availability peers.
n Connected To - The server that SmartConsole is connected to. Also, the High
Availability mode of the server (Active or Standby), and the synchronization status and
actions of the server.
n Peers - The servers that the connected server sees. Also, the High Availability mode of
each server (Active or Standby), and the synchronization status and actions of each
server.

Monitoring Synchronization Status and Actions


Status messages can be general, meaning that they apply to the full system, or they can apply
to a specified active or standby server. General messages show in the yellow overview
banner.

General Status messages in overview banner | Description
                                           | The database of the primary Security Management Server is identical with the database of the secondary.
Some servers could not be synchronized     | A communication issue prevents synchronization, or some other synchronization issue exists.
                                           | The active and standby servers are not communicating.
Communication Problem                      | Some services are down or cannot be reached.
Collision or HA conflict                   | More than one management server is configured as active. Two active servers cannot sync with each other.

When connected to a specified active management server:

Status window area | Peer Status | Additional Information
Connected to:      | Active      | SmartConsole is connected to the active management server.
Peers              | Standby     | The peer is in standby. The message can also show:
                   |             | n Sync problem, last time sync
                   |             | n Synchronized successfully. Last sync time: <time>
                   |             | n No communication
                   |             | n Not communicating, last sync time
Peers              | Active      | A state of collision exists between two servers both defined as active.

When connected to a specified Standby Management Server:

Status window area | Peer Status        | Description
Connected to:      | Standby            | Also shows: last sync time.
Peers              | Active             | The peer is on standby. The message can also show:
                   |                    | n No communication, last sync time
                   |                    | n OK, last sync time: <time>
                   |                    | n Sync problem, last sync time (in any direction)
Peers              | Standby or Unknown | Can also show: no communication.

Changing a Server to Active or Standby


The Active server synchronizes with the Standby server or servers at intervals, and when you
publish the session. Sessions that are not published are not synchronized.
Changeover between the primary (active) and secondary (standby) management server is not
automatic. If the Active fails or it is necessary to change the Active to a Standby, you must do
this manually. When the management server becomes Standby it becomes Read Only, and
gets all changes from the new Active server.
When you initiate changeover, all public data is synchronized from the new Active to the new
Standby server after the Standby becomes Active. Data from the new Active overrides the
data on the new Standby. Unpublished changes are not synchronized.

Best Practice - We recommend that you publish the SmartConsole session before
initiating a changeover to the Standby Security Management Server.

To Interchange the Active and Standby


1. Connect with SmartConsole to the Standby Security Management Server.
2. Click the Menu button and select High Availability.
The High Availability Status window opens.
3. Use the Action buttons to change the Standby server to Active.
This changes the previous Active server to Standby.

Working in Collision Mode


You can make more than one server Active. You may need to do that if there is no connectivity
to the primary. When you change the Standby to Active, it becomes Active without telling the
current Active server to become Standby. This is known as collision mode. You can later
change one of the Active servers to Standby, and return to the standard configuration.
When in collision mode, the Active servers do not sync even if they have network connectivity.
When you change one of them to Standby, sync starts and overwrites the data on the Standby
server with the remaining Active data.

Changeover Between Active and Standby


Changeover between the primary (active) and secondary (standby) management server is not
automatic. If the Active fails or it is necessary to change the Active to a Standby, you must do
this manually. When the management server becomes Standby it becomes Read Only, and
gets all changes from the new Active server.

High Availability Troubleshooting


These error messages show in the High Availability Status window when synchronization
fails:

Not Communicating
Solution:
1. Check connectivity between the servers.
2. Test SIC.

Collision or HA Conflict
More than one management server is configured as active.
Solution:
1. From the main SmartConsole menu, select Management High Availability.
The High Availability Status window opens.
2. Use the Actions button to set one of the active servers to standby.

Warning - When this server becomes the Standby, all its data is overwritten by
the active server.

Sync Error
Solution:
Do a manual sync.

Unlocking the Administrator


In a High Availability environment, if an administrator is locked on the Standby Management
Server, the administrator is not locked and does not appear as locked on the Active
Management Server. Therefore, you cannot unlock the administrator on the Active
Management Server.

To unlock the administrator:


Use the API command unlock-administrator on the Standby Management Server. See
the Check Point Management API Reference (at the top, select the correct version).

Environments with Endpoint Security


Environments that include Endpoint Security require additional steps and information.
For details, see High Availability in the R82 Harmony Endpoint Security Server Administration
Guide.

High Availability Disaster Recovery


The first Management Server installed is the Primary Server and all servers installed
afterwards are Secondary Servers. The Primary Server acts as the synchronization master.
When the Primary server is down, secondary servers cannot synchronize their databases until
a Secondary is promoted to Primary and the initial sync completes.
If the Primary Management Server becomes permanently unavailable:
Promote the Secondary Management Server to Primary, and create a new Primary Server with
the IP address of the original Primary Server.

Step 1 - Change the Secondary Management Server from Standby to Active.

Step 2 - Promote the Secondary Management Server to be Primary (no need to remove
instances of the old Primary Management object and install database).
Before you start - Make sure that the Primary Server is offline.
a. Set the Secondary Server to Active.
b. On the Secondary Management Server that you will promote, run:
# $FWDIR/bin/promote_util
# cpstop
c. Remove the $FWDIR/conf/mgha* files. They contain information about the current
Secondary settings. These files will be recreated when you start the Check Point
services.
d. Make sure you have a mgmtha license on the newly promoted server.
Note - All licenses must have the IP address of the promoted Security Management
Server.
e. Run cpstart on the promoted server.
f. Open SmartConsole, and:
i. Remove all instances of the old Primary Management object.
To see all of the instances, right-click the object and select Where Used.
Note - When you remove the old Primary Management Server, all previous licenses
are revoked.
ii. Install database.

Step 3 - Install the new Secondary Management Server with the IP of the old Primary
Management Server.

Step 4 - Reset SIC and create SIC to the new Secondary Management Server.

To switch back to the original setup (to set the original Primary Management Server as the
Primary Management Server again):

Step 1 - Change the new Secondary Management Server from Standby to Active.

Step 2 - Promote the new Secondary Management Server to be the Primary Management
Server (no need to remove instances of the old Primary Management object and install
database).
Before you start - Make sure that the primary server is offline.
a. Set the Secondary Server to Active.
b. On the Secondary Management Server that you promote, run:
# $FWDIR/bin/promote_util
# cpstop
c. Remove the $FWDIR/conf/mgha* files. They contain information about the current
Secondary settings. These files will be recreated when you start the Check Point
services.
d. Make sure you have a mgmtha license on the newly promoted server.
Note - All licenses must have the IP address of the promoted Security Management
Server.
e. Run cpstart on the promoted server.
f. Open SmartConsole, and:
i. Remove all instances of the old Primary Management object.
To see all of the instances, right-click the object and select Where Used.
Note - When you remove the old Primary Management Server, all previous licenses
are revoked.
ii. Install database.

Step 3 - Install the new Secondary Management Server with the IP of the old Primary
Management Server.

Step 4 - Reset SIC and create SIC to the Secondary Management Server.


Important - Check Point product licenses are linked to IP addresses. At the end of the
disaster recovery, you must make sure that licenses are correctly assigned to your
servers.

Compliance
The Check Point Compliance blade is a dynamic solution that continuously monitors the
Check Point security infrastructure. The blade uses the Continuous Compliance Monitoring
(CCM) technology to examine Security Gateways, Software Blades, policies, and
configuration settings against an extensive database of regulatory standards and security best
practices. The blade suggests corrective measures for any security issues it finds.
The Compliance blade performs these automatic scans:
n Daily - One automatic scan per day, to find changes to gateway and policy configurations
made with CLI or scripts.
n SmartConsole changes - Automatic scan that detects when an administrator changes
objects that have an effect on Security Gateway or policy configuration (the scan occurs
after you publish the changes.)
You can also run manual scans.

To enable the Compliance blade on your Security Management Server:


1. In SmartConsole, go to the Gateways & Servers view, and double-click on the Security
Management Server object.
The Security Management Server editor opens.
2. In the General Properties page, go to Management, and select Compliance.

3. Click OK.

To view the Compliance dashboard:

1. In SmartConsole, go to the Logs & Events view, and click the + sign to open a new tab.
The New Tab opens.
2. Click Compliance.

The Compliance View


The Compliance view includes 5 widgets:
n Security Best Practices
n Gateways
n Blades
n Action Items and Messages
n Regulatory Compliance

The Compliance Scoring System


The Compliance blade calculates a numeric score for each best practice test for the
organization's Security Gateways, Software Blades, and regulations. The score is the average
of the test results for each object examined.
This is the Check Point Compliance blade scoring system:

Security Status | Score in %     | Comments
Poor            | 0-50           | 0 = non-compliant
Medium          | 50-75          |
Good            | 75-99          |
Secure          | 100            | Compliant
N/A             | Not Applicable | Appears when:
                |                | n The applicable Software Blade is not installed on the Security Management Server.
                |                | Or
                |                | n The Security Gateway does not support the examined feature.

This chapter explains how to work with each Compliance view. For details about system
requirements, troubleshooting and debugging, see sk120256.

The Security Best Practices Compliance View


The Security Best Practices Compliance view displays status information for each best
practice.
The top table shows these details related to the best practice:
n Active - Select to activate the best practice test. Clear to deactivate it.
n Blade - Blade related to this best practice.
n ID - Check Point Compliance ID assigned to the best practice.
n Name - Name and brief description of the regulatory requirement related to the best
practice.
n Status - Poor, Medium, Good, Secure, or N/A. We recommend that you resolve "Poor"
status items immediately.
The bottom section shows these items for the selected best practice test:
n Description - Detailed description of the best practice test.
n Action Item - Steps required to become compliant, including alternative scenarios.
n Dependency - Shows when the selected best practice is dependent on another best
practice. This test is only performed if the other best practice is compliant.
n Relevant Objects - Objects related to the selected best practice test and their status.
You can activate or deactivate the selected best practice test for specified objects (this
section shows only when the best practice is applicable to specific objects.)
n Relevant Regulatory Requirements - Link to a list of all the regulatory standards which
are applicable to the best practice.

To search for a certain value, enter a string in the search box.

To search for a certain parameter in a specific field, enter: field name:string

To group results, select Blade or Status in the grouping field.

To sort search results by a certain field, click the field header.

Creating User-Defined Best Practices


You can define your own, custom Security Best Practices based on organizational security
requirements.
To create a new Firewall Security Best Practice:

1. In the Compliance tab > Security Best Practices pane, click See All.
2. Click New, and select Firewall Best Practice.
The New Firewall Best Practice window opens.
3. Enter the Name and Description for this best practice.
4. Enter the Action Item generated by this best practice.
5. In the Best Practice Rule Definition section, enter the rule matching criteria in the
table cells. A Security Best Practice match occurs when all table cells match one or
more rules in the Rule Base (Logical AND).

a. Hit Count - Select a hit count level. A match occurs when the hit count for a rule
is equal to or exceeds the specified hit count level. For example: To check the
Rule Base for unused rules, you can select Hit Count Zero.
b. Name
c. Source - Select one or more source objects.
d. Destination - Select one or more destination objects.
e. VPN - Select one or more VPN communities.
f. Services & Applications - Select one or more services or applications.
g. Action - The action which the rule triggers.
h. Track - The tracking method for the rule.

i. Install On - Security Gateways / Security Clusters to which the rule applies.
j. Time - Select the times at which the rule applies.
k. Comment - Enter a comment if necessary.
l. Optional: click Advanced Settings to select the percentage of the Rule Base to
scan and the direction of scan (Top or Bottom). For example, select Bottom
30% to scan 30% of the Rule Base starting from the bottom (last rule in the Rule
Base).

Note - You can right-click a cell, and select Negate Cell to exclude the cell
from matching. This feature is not available in the Name and Comment cells.

6. In the Best Practice Scoring section, configure these settings:


a. Violation Definition - Define if a match occurs when the best practice is
matched by a rule or not. Select one of these options:
n Rule found - A match occurs when the best practice is matched by a rule in
the Rule Base.
n Rule not found - A match occurs when the best practice is not matched by
a rule in the Rule Base.
Select the level of Tolerance - A violation occurs when there are more than the
specified number of matches (Default = 0). For example, if the tolerance is set to
0, the Compliance Blade creates a violation when the first match occurs. If the
tolerance is set to 3, the Compliance Blade creates a violation when the fourth
match occurs. The Tolerance option applies only to the Rule found option.

b. Rule Index Display Criteria - Define when the Rule Index (rule number) shows
in the Relevant Objects pane in the Security Best Practices view. This lets you
easily see which rules cause or prevent violations:
n Display rules that match - Shows rules that match the criteria specified in
a Security Best Practice.
n Display rules that don't match - Shows rules that do not match the criteria
specified in a Security Best Practice.
n Don't display rules - Does not show the rule.
7. Click OK.
The new best practice is added to the list of best practices.

8. Publish your changes.
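The matching, tolerance, scan-direction and scoring rules described in this procedure, together with the status bands of the Compliance Scoring System table, can be modelled in a few functions. The following is an added example, not Check Point code: the field names, object names and rule base are constructed, and treating the table's shared band boundaries (50 and 75) as belonging to the higher band is an assumption.

```python
# Added example (not Check Point code): models the matching, tolerance, scan-range and
# scoring semantics this chapter describes for user-defined Firewall Security Best
# Practices. The Rule Base, object names and best practices are constructed sample data.
from dataclasses import dataclass
from math import ceil
from statistics import mean

@dataclass
class Rule:
    index: int              # rule number in the Rule Base (1-based)
    source: frozenset
    destination: frozenset
    services: frozenset
    action: str

@dataclass
class Cell:
    value: object           # set of selected objects, or a single value such as an action
    negate: bool = False    # "Negate Cell": the cell matches when the rule does NOT match it

@dataclass
class BestPractice:
    name: str
    cells: dict                    # Rule field name -> Cell; all cells must match (logical AND)
    violation: str = "rule_found"  # "rule_found" or "rule_not_found"
    tolerance: int = 0             # Rule found only: violation when matches exceed this number
    scan_percent: int = 100        # Advanced Settings: share of the Rule Base to scan
    scan_from: str = "top"         # "top" or "bottom"

def cell_matches(rule: Rule, field_name: str, cell: Cell) -> bool:
    actual = getattr(rule, field_name)
    # Object cells match when the rule uses any selected object; other cells must be equal.
    hit = bool(actual & frozenset(cell.value)) if isinstance(actual, frozenset) else actual == cell.value
    return hit != cell.negate

def rule_matches(rule: Rule, bp: BestPractice) -> bool:
    return all(cell_matches(rule, f, c) for f, c in bp.cells.items())

def rules_to_scan(rules: list, bp: BestPractice) -> list:
    # "Bottom 30%" scans 30% of the rules starting from the last rule in the Rule Base.
    count = max(1, ceil(len(rules) * bp.scan_percent / 100))
    return rules[-count:] if bp.scan_from == "bottom" else rules[:count]

def evaluate(rules: list, bp: BestPractice) -> tuple:
    """Return (violation, matching rule indexes, non-matching rule indexes)."""
    scanned = rules_to_scan(rules, bp)
    matched = [r.index for r in scanned if rule_matches(r, bp)]
    unmatched = [r.index for r in scanned if r.index not in matched]
    if bp.violation == "rule_found":
        violation = len(matched) > bp.tolerance
    else:  # rule_not_found: a violation when no scanned rule matches
        violation = not matched
    return violation, matched, unmatched

def status_for(score: float) -> str:
    # Bands follow the scoring table; its shared boundary values (50, 75) are
    # assumed here to belong to the higher band.
    if score == 100:
        return "Secure"
    return "Good" if score >= 75 else "Medium" if score >= 50 else "Poor"

def score_gateway(rules: list, practices: tuple) -> float:
    """Average of the per-test results for one object: 0 for a violation, 100 otherwise."""
    return mean(0.0 if evaluate(rules, bp)[0] else 100.0 for bp in practices)

# Constructed sample Rule Base.
ANY = frozenset({"Any"})
SAMPLE_RULES = [
    Rule(1, frozenset({"Admin_Net"}), frozenset({"Gateways"}), frozenset({"ssh"}), "Accept"),
    Rule(2, ANY, frozenset({"Gateways"}), ANY, "Drop"),                      # stealth rule
    Rule(3, frozenset({"Internal_Net"}), frozenset({"DMZ_Web"}), frozenset({"https"}), "Accept"),
    Rule(4, frozenset({"Internal_Net"}), ANY, ANY, "Accept"),                # overly broad rule
    Rule(5, ANY, ANY, ANY, "Drop"),                                          # cleanup rule
]

# Rule found, tolerance 0: the first matching rule is already a violation.
NO_ANY_ANY_ACCEPT = BestPractice(
    "No rule accepts Any service to Any destination",
    {"destination": Cell(ANY), "services": Cell(ANY), "action": Cell("Accept")})

# Rule not found: a violation only when no rule drops traffic to the gateways.
STEALTH_RULE = BestPractice(
    "A stealth rule protects the Security Gateways",
    {"destination": Cell({"Gateways"}), "action": Cell("Drop")}, violation="rule_not_found")

# Negated cell plus Bottom 40%: in the last 40% of the Rule Base, no Accept rule
# may have a source other than Internal_Net.
BOTTOM_ACCEPT_SOURCES = BestPractice(
    "Bottom 40% of the Rule Base accepts only Internal_Net sources",
    {"source": Cell({"Internal_Net"}, negate=True), "action": Cell("Accept")},
    scan_percent=40, scan_from="bottom")
ALL_PRACTICES = (NO_ANY_ANY_ACCEPT, STEALTH_RULE, BOTTOM_ACCEPT_SOURCES)

if __name__ == "__main__":
    for bp in ALL_PRACTICES:
        print(bp.name, evaluate(SAMPLE_RULES, bp))
    score = score_gateway(SAMPLE_RULES, ALL_PRACTICES)
    print(f"Gateway score: {score:.1f}% -> {status_for(score)}")
```

The two index lists that evaluate() returns are what the Rule Index Display Criteria choose between when the Relevant Objects pane shows rule numbers.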

To create a new Gaia OS Security Best Practice:

1. In the Compliance tab > Security Best Practices pane, click See All.
2. Click New, and select Gaia OS Best Practice.
The new Gaia OS Best Practice window opens.
3. Enter the Name and Description for this best practice.
4. Enter the Action Item generated by this best practice.
5. Enter the Practice Script to run on the Security Gateways or load the script from a file.

6. Enter the Expected Output - If the script output is equal to the Expected Output, the
best practice status is secure.
7. Click OK.
The new best practice is added to the list of best practices.
8. Publish your changes.

Best Practice - We recommend that you run a manual scan after you create a new
Security Best Practice. The scan reevaluates the Compliance status, to reflect any
configuration changes. To do a manual scan, go to the Manage & Settings view >
Blades > Compliance > Settings > click the Rescan button. You cannot perform any
actions in the Compliance tab while the scan runs.

Activating and Deactivating Best Practice Tests


You can activate or deactivate enforcement of best practices by test, by Security Gateway, by
Software Blade or by other objects. Activation changes are applied after the next scan.
By default, all best practice tests are active.

To deactivate a best practice for the entire organization:

1. Go to the Security Best Practices view > and select a best practice.
2. Right-click and select Deactivate.
The Expiration Details window opens.
3. Select Never or enter an expiration date. If you select an expiration date, the best
practice test is automatically activated on that date.
4. In the Comment box, explain why it is necessary to deactivate this Compliance test.

To activate a best practice test that is not currently active:

n Go to the Security Best Practices view, select a best practice, right-click and select
Activate.
Or
n Go to the Manage & Settings view > Blades > Compliance > Inactive Objects >
Inactive Security Best Practices > select the applicable security best practice and
click Remove.

To deactivate a best practice for a specific Security Gateway:

1. Go to the Manage & Settings view > Blades > Compliance > Inactive Objects.
2. In the Inactive Gateways section, click Add.
3. Enter or select a Security Gateway or a Security Cluster.

Note - To activate the best practice for the Security Gateway, select the Security
Gateway and click Remove. When prompted, click Yes.

To deactivate a best practice for a specific object:

1. Go to the Manage & Settings view > Blades > Compliance > Inactive Security
Best Practices on Specific Objects.
2. In the Inactive Gateways section, click Add.
3. Enter or select a Security Gateway or a Security Cluster.

Best Practice - We recommend that you run a manual scan after you activate or
deactivate best practice tests. The scan reevaluates the compliance status, to reflect
any configuration changes. To do a manual scan, go to the Manage & Settings view
> Blades > Compliance > Settings > click the Rescan button. You cannot perform
any actions in the Compliance tab while the scan runs.

The Gateways View


This widget displays the security status by Security Gateway - the five Security Gateways with
the highest Compliance scores, the lowest Compliance scores, or a predefined set of Favorites.
To see the results of all Security Gateways, click See All.
To see the best practices which are applicable to a specific Security Gateway / Security
Cluster, click the specific Security Gateway / Security Cluster.
The top table shows these details related to the best practice:
n Active - Select to activate the best practice test. Clear to deactivate it.
n Blade - Blade related to this best practice.
n ID - Check Point Compliance ID assigned to the best practice.
n Name - Name and brief description of the regulatory requirement related to the best
practice.
n Status - Poor, Medium, Good, Secure, or N/A. We recommend that you resolve "Poor"
status items immediately.
The bottom section shows these items for the selected best practice test:
n Description - Detailed description of the best practice test.
n Action Item - Steps required to become compliant, including alternative scenarios.
n Dependency - Shows when the selected best practice is dependent on another best
practice. This test is only performed if the other best practice is compliant.
n Relevant Objects - Objects related to the selected best practice test and their status.
You can activate or deactivate the selected best practice test for specified objects (this
section shows only when the best practice is applicable to specific objects.)
n Relevant Regulatory Requirements - Link to a list of all the regulatory standards which
are applicable to the best practice.

The Blades View

This widget displays the security status by Software Blade - the average scores for the five Software Blades with the highest number of security best practices implemented. To see the result for a specific Software Blade, click it. To see the results for all Software Blades, click See All.
The top table shows these details related to the best practice:
- Active - Select to activate the best practice test. Clear to deactivate it.
- Blade - Blade related to this best practice.
- ID - Check Point Compliance ID assigned to the best practice.
- Name - Name and brief description of the regulatory requirement related to the best practice.
- Status - Poor, Medium, Good, Secure, or N/A. We recommend that you resolve "Poor" status items immediately.
The bottom section shows these items for the selected best practice test:
- Description - Detailed description of the best practice test.
- Action Item - Steps required to become compliant, including alternative scenarios.
- Dependency - Shows when the selected best practice is dependent on another best practice. This test is only performed if the other best practice is compliant.
- Relevant Objects - Objects related to the selected best practice test and their status. You can activate or deactivate the selected best practice test for specified objects (this section shows only when the best practice is applicable to specific objects).
- Relevant Regulatory Requirements - Link to a list of all the regulatory standards which are applicable to the best practice.

The Action Items and Messages View

When a Best Practice test finds a deficiency, the Check Point Compliance blade automatically generates an Action Item. The Action Item shows a helpful description of the corrective measures to take in order to amend the deficiency. You can assign a due date to an Action Item and monitor corrective steps. Due dates are not assigned to Action Items when they are generated. When you complete the corrective steps, the Check Point Compliance blade deletes the Action Item after the next scan.
This widget has 3 sections:
- Action Items
  This section displays the updated status of pending action items for your organization:
    - Upcoming items - Action items whose due dates are in the next 30 days.
    - Future items - Action items whose due dates are more than 30 days away.
    - Unscheduled items - Action items without defined due dates.
    - Overdue items - Action items that are overdue.

  Best Practice - Resolve overdue action items immediately.

  To open the action items for a status category, click Action Items.
  In the top table, see these details related to the action item:
    - Due Date - Optionally assigned due date for resolving this Action Item. A due date is not automatically assigned when an Action Item is generated.
    - Blade - Blade related to the applicable best practice.
    - ID - Check Point Compliance ID assigned to the applicable best practice.
    - Name - Name and brief description of the regulatory requirement related to the applicable best practice.
    - Status - Poor, Medium, Good, Secure, or N/A. We recommend that you resolve "Poor" status items immediately.
  In the bottom section, you can see these items for the selected action item:
    - Action Item Description - Steps required to become compliant.
    - Due Date - Optionally assigned due date for resolving this Action Item.
    - Dependency - Shows when the selected best practice is dependent on another best practice. This test is only performed if the other best practice is compliant.
    - Relevant Objects - Objects related to the selected best practice test and their status. You can activate or deactivate the selected best practice test for specified objects (this section shows only when the best practice is applicable to specific objects).
    - Relevant Regulatory Requirements - Link to a list of all the regulatory standards which are applicable to the best practice.
- Alert Messages
  Alerts are generated when a configuration change causes Compliance status degradation. To see all alert messages, click Security Alerts.
- System Messages
  System Messages inform about system issues related to the Compliance blade, for example, a Compliance package update. To see all system messages, click System Messages.

To assign a due date to an Action Item:
1. In SmartConsole, go to the Logs & Events view > Compliance tab > Action Items and Messages > Pending Action Items > Unscheduled items.
2. Select an Action Item.
3. In the Action Item Description section, click Schedule Now. If the Action Item already has an assigned due date, click the date link to change it.
4. In the window that opens, enter or select a due date and click OK.

The Regulatory Compliance View

This widget displays Compliance statistics for selected regulatory standards:
- The number of regulatory requirements examined for each regulatory standard.
- Average Compliance scores.

To select the regulatory standards displayed:
1. Click the icon in the top right corner of the Regulatory Compliance pane.
2. In the Select Regulations and Standards window, select the standards to show in the Overview.

To see the compliance score for all regulatory requirements, click See All.
To see details of a specific standard, click the standard. The top table shows these items:
- ID - Check Point Compliance ID assigned to the best practice.
- Status - Poor, Medium, Good, Secure, or N/A. We recommend that you resolve "Poor" status items immediately.
- Name - Name and brief description of the regulatory requirement.
The bottom section shows these items:
- Description - Detailed description of the best practice test.
- Relevant best practices - Applicable best practices for the selected requirement, and their Compliance status.
- Relevant objects - Objects related to the selected best practice test and their status. You can activate or deactivate the selected best practice test for specified objects (this section shows only when the best practice is applicable to specific objects).
You can select the regulatory standards that are applicable to your organization. By default, all supported regulatory standards are active.

To activate or deactivate regulatory standards:
1. Go to the Manage & Settings view > Blades > Compliance > Settings.
   The Settings window opens.
2. In the Active Regulations section, select / clear the applicable regulatory standards.
3. Publish your changes.

To import a regulatory standard to SmartConsole:
1. Save the applicable regulatory standard locally in an XML file.
2. Go to the Manage & Settings view > Blades > Compliance > Settings.
   The Settings window opens.
3. Go to the Active Regulations section and click Actions > Import.
4. Browse to the XML file you want to import, and click Open.
   The regulation now appears in the list of User-defined Regulations.
5. Double-click the regulation.
   The regulation window opens.
6. Click Save.
   The process may take a few minutes to complete.
7. Publish your changes.

Best Practice - We recommend that you run a manual scan after you make changes to the regulatory standards list. The scan reevaluates the compliance status, to reflect any configuration changes. To do a manual scan, click the Rescan button in the Engine Status section. You cannot perform any actions in the Compliance tab while the scan runs.

Creating Reports

You can generate a report to show a summary of the Compliance status or a report on the implementation of a specific regulatory standard.

To create a report:
1. In SmartConsole, go to the Logs & Events view, and click the + sign to open a New Tab.
   A New Tab opens.
2. Select the Reports view.
3. From the displayed list, select Compliance Blade.
4. Click Open.
   The report opens.
5. Optional: In the toolbar, go to Actions to create reports in the PDF and CSV formats. To find an exported report, go to the Logs & Events view > open a New Tab > Archive.

To create a report per regulation:
1. In the Compliance view, go to the Regulatory Compliance pane, and select See All.
2. Click the required regulatory standard.
3. In the top toolbar, click Generate Report.
4. From the top toolbar, you can select to create reports in these output formats:
   - PDF document
   - An email with attached PDF
   - Output to printer
   - HTML output to your browser

The ICA Management Tool

Overview
In the ICA Management Tool, an administrator can:
- Manage certificates

  Warning - Do not use the ICA Management Tool to change SIC certificates or VPN certificates. Change SIC and VPN certificates in SmartConsole only. Use the ICA Management Tool for user certificate operations only, such as certificate creation.
- Recreate CRLs
- Configure the Internal Certificate Authority (ICA) parameters
- Remove expired certificates

Note - The ICA Management Tool supports TLS.

Check Point ICA is fully compliant with X.509 standards for both certificates and CRLs. See the related X.509 and PKI documentation, and RFC 2459 for more information.
For more information, see sk102837: Best Practices - ICA Management Tool configuration.

Connecting to the ICA Management Tool

The ICA Management Tool is disabled by default.

To connect to the ICA Management Tool:
1. In SmartConsole, configure the required administrator and user objects.
   You must create a certificate for these administrators and users.
   You use this certificate to configure the permitted users in the ICA Management Tool and in the client web browsers.
2. In the command line on the Management Server, add the required administrators and users that are permitted to use the ICA Management Tool:

   cpca_client set_mgmt_tool add ...

   See "cpca_client set_mgmt_tool" on page 756.
3. In the command line on the Management Server, start the ICA Management Tool:

   cpca_client set_mgmt_tool on

   See "cpca_client set_mgmt_tool" on page 756.
4. Check the status of the ICA Management Tool:

   cpca_client set_mgmt_tool print

   See "cpca_client set_mgmt_tool" on page 756.
5. Import the administrator's / user's certificate into the Windows Certificate Store:
   a. Right-click the *.p12 file you saved when you created the required administrator / user, and click Install PFX.
      The Certificate Import Wizard opens.
   b. In the Store Location section, select the applicable option:
      - Current User (this is the default)
      - Local Machine
   c. Click Next.
   d. Enter the same certificate password you used when you created the required administrator / user certificate.
   e. Clear Enable strong private key protection.
   f. Select Mark this key as exportable.
   g. Click Next.
   h. Select Place all certificates in the following store > click Browse > select Personal > click OK.
   i. Click Next.
   j. Click Finish.
6. In a web browser, connect to the ICA Management Tool:

   https://<IP Address of the Management Server>:18265

   Important - The fact that the TCP port 18265 is open is not a vulnerability. The ICA Management Tool Portal is secured and protected by SSL. In addition, only authorized administrators and users are allowed to access it using a certificate.
7. A dialog box with this message appears:

   Client Authentication
   Identification
   The Web site you want to view requests identification.
   Select the certificate to use when connecting.

8. Select the appropriate certificate for authenticating to the ICA Management Tool.
9. Click OK.
10. In the Security Alert dialog box, click Yes.

The ICA Management Tool Portal

The portal consists of these panes (item numbers refer to the portal layout):
Item 1 - Menu: Shows a list of operations.
Item 2 - Operations:
  - Manage certificates - In this pane, you manage the existing certificates. The window divides into Search attributes configuration and Bulk operation configuration.
  - Create Certificates - In this pane, you can create new certificates.
  - Configure the CA - In this pane, you can configure the Internal Certificate Authority parameters. You can also view the CA's time, name, and the version and build number of the Security Management Server.
  - Manage CRLs - In this pane, you can download, publish, and recreate CRLs.
Item 3 - Results: Shows the results of the applied operation. This window consists of a table with a list of certificates and certificate attributes.

User Certificate Management

Internally managed User Certificates can be initialized, revoked or have their registrations removed using the ICA Management Tool. User Certificates of users managed on an LDAP server can only be managed using the ICA Management Tool.
This table shows User Certificate attributes that can be configured using the ICA Management Tool:

| Attribute | Default | Configurable | Comments |
| --- | --- | --- | --- |
| validity | 2 years | yes | |
| key size | 2048 bits | yes | Can be set to 4096 bits |
| DN of User certificates managed by the internal database | CN=user name, OU=users | no | This DN is appended to the DN of the ICA |
| DN of User certificates managed on an LDAP server | - | yes | Depends on LDAP branch |
| KeyUsage | 5 | yes | Digital signature and Key encipherment |
| ExtendedKeyUsage | 0 (no KeyUsage) | yes | |

Modifying the Key Size for User Certificates

If the user completes the registration from the Remote Access machine, the key size can be configured in the Advanced Configuration page in SmartConsole.

To configure the key size:
1. From the Menu, select Global Properties.
2. Go to Advanced, and in the Advanced Configuration section, click Configure.
   The Advanced Configuration window opens.
3. Go to the Certificates and PKI properties page.
4. Set the new key size for this property: user_certs_key_size.
5. Click OK.

You can also change the key size using the Database Tool (GuiDBEdit Tool). Change the key size as it is listed in the users_certs_key_size Global Property. The new value is downloaded when you update the site.

Performing Multiple Simultaneous Operations

The ICA Management Tool can do multiple operations at the same time. For example:
- Run an LDAP query for the details of all the organization's employees
- Create a file out of this data, and then use this file to:
    - Start (initialize) the creation of certificates for all employees
    - Send a notification about the new certificates to each of those employees
These operations can be done simultaneously:
- Start (initialize) user certificates
- Revoke user certificates
- Send mail to users
- Remove expired certificates
- Remove certificates for which the registration procedure was not completed

ICA Administrators with Reduced Privileges

The ICA Management Tool supports administrators with limited privileges. These administrators cannot execute multiple concurrent operations, and their privileges include only these:
- Basic searches
- Initialization of certificates for new users

Operations with Certificates

Management of SIC Certificates
SIC certificates are managed using SmartConsole.

Management of Security Gateway VPN Certificates
VPN certificates are managed in the VPN page of the corresponding network object. These certificates are issued automatically when the IPSec VPN blade is defined for the Check Point Security Gateway or host. This definition is specified in the General Properties window of the corresponding network object.

If a VPN certificate is revoked, a new one is issued automatically.

Management of User Certificates in SmartConsole
The user certificates of users that are managed on the internal database are managed in SmartConsole.
For more information, see User Certificates in the R82 Remote Access VPN Administration Guide.

Notifying Users about Certificate Initialization
The ICA Management Tool can be configured to send a notification to users about certificate initialization.

To send mail notifications:
1. In the Menu pane, click Configure the CA.
2. In the Management Tool Mail Attributes area, configure:
   - The mail server
   - The mail "From" address
   - An optional "To" address, which can be used if the user's address is not known.
     The administrator can use this address to get the certificates on the user's behalf and forward them later.
3. Click Apply.

Retrieving the ICA Certificate Files
See "cpca_client set_ca_services" on page 753.

Searching for a Certificate

There are two search options:
- A basic search that includes only the user name, type, status and the serial number
- An advanced search that includes all the search fields (can only be performed by administrators with unlimited privileges)

To do a certificate search:
In the Manage Certificates page, enter the search parameters, and click Search.

Basic Search Parameters
- User Name - Username string (by default, this field is empty)
- Type - Drop-down list with these options:
    - Any (default)
    - SIC
    - Gateway
    - Internal User or LDAP user
- Status - Drop-down list with these options:
    - Any (default)
    - Pending
    - Valid
    - Revoked
    - Expired
    - Renewed (superseded)
- Serial Number - Serial number of the requested certificate (by default, this field is empty)

Advanced Search Attributes
In addition to the parameters of the basic search, specify these parameters:
- Sub DN - DN substring (by default, this field is empty)
- Valid From - Date from which the certificate is valid, in the format dd-mmm-yyyy [hh:mm:ss] (for example 15-Jan-2003) (by default, this field is empty)
- Valid To - Date until which the certificate is valid, in the format dd-mmm-yyyy [hh:mm:ss] (for example 14-Jan-2003 15:39:26) (by default, this field is empty)
- CRL Distribution Point - Drop-down list with these options:
    - Any (default)
    - No CRL Distribution Point (for certificates issued before the management upgrade - old CRL mode certificates)
  The list also shows all available CRL numbers.

The Search Results
The results of a search show in the Search Results pane. This pane consists of a table with a list of searched certificate attributes such as:
- (SN) Serial Number - The SN of the certificate
- User Name (CN) - The string between the first equals sign ("=") and the next comma (",")
- DN
- Status - One of these: Pending, Valid, Revoked, Expired, Renewed (superseded)
- The date from which certificates are valid until the date they expire

Note - The status bar shows search statistics after each search.

Viewing and Saving Certificate Details
You can view or save the certificate details that show in the search results.

To view and save certificate details:
Click the DN link in the Search Results pane.
- If the status is pending, the certificate information together with the registration key shows, and a log entry is created and shows in SmartConsole > Logs & Events > Logs.
- If the certificate was already created, you can save it on a disk or open it directly (if the operating system recognizes the file extension).

Removing and Revoking Certificates and Sending Email Notifications
1. In the Menu pane, click Manage Certificates.
2. Search for a Certificate with set attributes (see "Searching for a Certificate" above).
   The results show in the Search Results pane.
3. Select the certificates, as needed, and click one of these options:
   - Revoke Selected - revokes the selected certificates and removes pending certificates from the CA's database
   - Remove Selected - removes the selected certificates from the CA's database and from the CRL
     Note - You can only remove expired or pending certificates.
   - Mail to Selected - sends mail for all selected pending certificates
     The mail includes the authorization codes. Messages to users that do not have an email defined are sent to a default address. For more information, see "Notifying Users about Certificate Initialization" on page 662.

Submitting a Certificate Request to the CA

There are three ways to submit certificate requests to the CA:
- Initiate - A registration key is created on the CA and used once by a user to create a certificate
- Generate - A certificate file is created and associated with a password which must be entered when the certificate is accessed
- PKCS#10 - When the CA receives a PKCS#10 request, the certificate is created and delivered to the requester

To initiate a certificate:
1. In the Menu pane, select Create Certificates > Initiate.
2. Enter a User Name or Full DN, or click Advanced and fill in the form:
   - Certificate Expiration Date - Select a date or enter the date in the format dd-mmm-yyyy [hh:mm:ss] (the default value is two years from the date of creation)
   - Registration Key Expiration Date - Select a date or enter the date in the format dd-mmm-yyyy [hh:mm:ss] (the default value is two weeks from the date of creation)
3. Click Go.
   A registration key is created and shows in the Results pane.
   If necessary, click Send mail to user to email the registration key. The number of characters in the email is limited to 1900.
4. The certificate becomes usable after the user enters the correct registration key.

To generate a certificate:
1. In the Menu pane, select Create Certificates > Generate.
2. Enter a User Name or Full DN, or click Advanced and fill in the form:
   - Certificate Expiration Date - Select a date or enter the date in the format dd-mmm-yyyy [hh:mm:ss] (the default value is two years from the date of creation)
   - Registration Key Expiration Date - Select a date or enter the date in the format dd-mmm-yyyy [hh:mm:ss] (the default value is two weeks from the date of creation)
3. Enter a password.
4. Click Go.
5. Save the P12 file, and supply it to the user.

To create a PKCS#10 certificate:
1. In the Menu pane, select Create Certificates > PKCS#10.
2. Paste the base-64 encoded PKCS#10 request text you received into the space provided.
   You can also click Browse for a file to insert (IE only) to import the request file.
3. Click Create and save the created certificate.
4. Supply the certificate to the requester.

Initializing Multiple Certificates Simultaneously

You can initialize a batch of certificates at the same time.

To initialize several certificates simultaneously:
1. Create a file with the list of DNs to initialize.

   Note - There are two ways to create this file - through an LDAP query or a non-LDAP query.

2. In the Menu pane, go to Create Certificates > Advanced.
3. Browse to the file you created.
   - To send registration keys to the users, select Send registration keys via email
   - To receive a file that lists the initialized DNs with their registration keys, select Save results to file
     This file can later be used in a script.
4. Click Initiate from file.

Files created through LDAP Queries

The file initiated by the LDAP search has this format:
- Each line after a blank line, or the first line in the file, represents one DN to be initialized
- If the line starts with "mail=", the string continues with the mail of the user
  If no email is given, the email address will be taken from the ICA's "Management Tool Mail To Address" attribute.
- If there is a line with the not_after attribute, then the value at the next line is the Certificate Expiration Date.
  The date is given in seconds from now.
- If there is a line with the otp_validity attribute, then the value at the next line is the Registration Key Expiration Date.
  The date is given in seconds from now.
Here is an example of an LDAP Search output:

not_after
86400
otp_validity
3600
uid=user_1,ou=People,o=intranet,dc=company,dc=com
mail=user_1@[Link]
<blank_line>
...
uid=...

For more information, see "Configuring Users on an External LDAP Server" on page 217.

Files created through a Simple Non-LDAP Query

It is possible to create a simple (non-LDAP) query by configuring the DN + email in a file using this format:

<email address 1> space <DN 1>
... blank line as a separator ...
<email address 2> space <DN 2>
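
The two file layouts above are easy to get subtly wrong (a mail= line before its DN, a not_after line with no value on the next line, a missing blank-line separator), and the portal gives little feedback before it starts issuing registration keys. The following Python parser is an added example, not part of this guide or of the Check Point product: it reads both layouts, resolves the e-mail fallback to a caller-supplied default that stands in for the "Management Tool Mail To Address" attribute, converts the seconds-from-now values into absolute dates, and rejects malformed files. The sample files and their domains are constructed. The rule that a not_after or otp_validity value applies to every record that follows it is my assumption; the guide does not say how far such a value reaches.

```python
"""Parse and pre-check a bulk-initialization file for the ICA Management Tool.
Added example, not Check Point code. Handles the LDAP-query layout and the
simple "<email> <DN>" layout described in the guide."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed reference time so the computed expiry dates are reproducible.
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample in the LDAP-query layout (domains are placeholders).
LDAP_SAMPLE = """\
not_after
86400
otp_validity
3600
uid=user_1,ou=People,o=intranet,dc=company,dc=com
mail=user_1@example.com

uid=user_2,ou=People,o=intranet,dc=company,dc=com
"""

# Constructed sample in the simple "<email address> <DN>" layout.
SIMPLE_SAMPLE = """\
alice@example.com cn=alice,ou=users,o=example.com

bob@example.com cn=bob,ou=users,o=example.com
"""


@dataclass
class InitRecord:
    dn: str
    mail: Optional[str]                 # None: no mail= line and no Mail To address
    cert_expires: Optional[datetime]    # from not_after, or None if not given
    otp_expires: Optional[datetime]     # from otp_validity, or None if not given


def _absolute(now: datetime, seconds: Optional[int]) -> Optional[datetime]:
    return None if seconds is None else now + timedelta(seconds=seconds)


def parse_init_file(text: str, default_mail: Optional[str] = None,
                    now: Optional[datetime] = None) -> List[InitRecord]:
    """Return one InitRecord per DN; raise ValueError on a malformed file.
    default_mail stands in for the ICA's "Management Tool Mail To Address"."""
    now = now or datetime.now(timezone.utc)
    records: List[InitRecord] = []
    offsets = {"not_after": None, "otp_validity": None}   # seconds from now
    pending_attr: Optional[str] = None   # attribute whose value is on the next line
    at_record_start = True               # file start, or the line after a blank line

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            at_record_start = True
            continue
        if pending_attr is not None:
            if not line.isdigit():
                raise ValueError(f"line {lineno}: {pending_attr} must be followed "
                                 "by a number of seconds")
            offsets[pending_attr] = int(line)   # assumption: applies to later records
            pending_attr = None
            continue
        if line in offsets:
            pending_attr = line
            continue
        if line.startswith("mail="):
            if at_record_start:
                raise ValueError(f"line {lineno}: mail= line without a preceding DN")
            records[-1].mail = line[len("mail="):]
            continue
        if not at_record_start:
            raise ValueError(f"line {lineno}: unexpected line inside a record: {line!r}")
        # Start of a record: "<email> <DN>" in the simple layout, or a bare DN.
        mail, dn = default_mail, line
        head, _, rest = line.partition(" ")
        if "@" in head and "=" in rest:
            mail, dn = head, rest.strip()
        if "=" not in dn:
            raise ValueError(f"line {lineno}: {dn!r} is not a DN")
        records.append(InitRecord(dn, mail, _absolute(now, offsets["not_after"]),
                                  _absolute(now, offsets["otp_validity"])))
        at_record_start = False

    if pending_attr is not None:
        raise ValueError(f"file ends after {pending_attr} without a value")
    return records


def validate_init_file(text: str) -> Optional[str]:
    """Return an error message for a malformed file, or None if it parses."""
    try:
        parse_init_file(text)
    except ValueError as exc:
        return str(exc)
    return None


def missing_mail(records: List[InitRecord]) -> List[str]:
    """DNs whose registration key could not be mailed anywhere."""
    return [r.dn for r in records if r.mail is None]


if __name__ == "__main__":
    for rec in parse_init_file(LDAP_SAMPLE, default_mail="pki-admin@example.com", now=FIXED_NOW):
        print(rec.dn, rec.mail, rec.cert_expires, rec.otp_expires)
    print("no mail address:", missing_mail(parse_init_file(LDAP_SAMPLE, now=FIXED_NOW)))
```

Run validate_init_file on the file before browsing to it in Create Certificates > Advanced; missing_mail lists the DNs whose registration key would only reach the "Management Tool Mail To Address" (or nobody, if that attribute is empty), which is worth knowing before selecting Send registration keys via email.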

CRL

CRL Management
By default, the CRL is valid for one week. This value can be configured. New CRLs are issued:
- When approximately 60% of the CRL validity period has passed
- Immediately following the revocation of a certificate
It is possible to recreate a specified CRL using the ICA Management Tool. The utility acts as a recovery mechanism in the event that the CRL is deleted or corrupted. An administrator can download a DER encoded version of the CRL using the ICA Management Tool.

CRL Modes
The ICA can issue multiple CRLs. Multiple CRLs prevent one CRL from becoming larger than 10K. If the CRL exceeds 10K, IKE negotiations can fail when trying to open VPN tunnels.
Multiple CRLs are created by attributing each certificate issued to a specified CRL. If revoked, the serial number of the certificate shows in the specified CRL.
The CRL Distribution Point (CRLDP) extension of the certificate contains the URL of the specified CRL. This ensures that the correct CRL is retrieved when the certificate is validated.

CRL Operations
You can download, update, or recreate CRLs through the ICA Management Tool.

To do operations with CRLs:
1. In the Menu pane, select Manage CRLs.
2. From the drop-down box, select one or more CRLs.
3. Select an action:
   - Click Download to download the CRL.
   - Publish the SmartConsole session to renew the CRL after changes have been made to the CRL database.
     This operation is done at an interval set by the CRL Duration attribute.
   - Click Recreate to recreate the CRL.

CA Procedures

CA Cleanup
To clean up the CA, you must remove the expired certificates. You can remove the expired certificates manually or automatically.

To manually remove expired certificates:
1. Make sure that the time set on the Security Management Server is correct.
2. In the Menu pane, select Manage CRLs > Clean the CA's Database and CRLs from expired certificates.

Automatic removal of expired certificates:
- After each restart, all expired certificates are cleaned automatically.
- In addition, an automatic cleaning operation is scheduled to run every 3 weeks, starting from:
    - The first time you turn on the device.
    - Each restart you do on the device.

Configuring the CA

To configure the CA:
1. In the Menu pane, select Configure the CA.
2. Edit the "CA Data Types and Attributes" below as necessary.
3. In the Operations pane, select an operation:
   - Apply - Save and enter the CA configuration settings.
     If the values are valid, the configured settings become immediately effective. All non-valid strings are changed to the default values.
   - Cancel - Reset all values to the values in the last saved configuration.
   - Restore Default - Revert the CA to its default configuration settings.
     Entering the string Default in one of the attributes will also reset it to the default after you click Configure. Values that are valid will be changed as requested, and others will change to default values.

CA Data Types and Attributes

The CA data types are:
- Time - displayed in the format: <number> days <number> seconds, for example: CRL Duration: 7 days 0 seconds
  You can enter the values in the format in which they are displayed (<number> days <number> seconds) or as a number of seconds.
- Integer - a regular integer, for example: SIC Key Size: 2048
- Boolean - the values can be true or false (not case sensitive), for example: Enable renewal: true
- String - an alphanumeric string, for example: Management Tool DN prefix: cn=tests
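
Because the CA silently replaces any invalid or out-of-range Time value with the attribute's default when you click Apply, it pays to check a value before typing it into the portal. The Python below is an added example, not Check Point code: it parses both entry forms described above, formats seconds back into the displayed form, and applies the documented fallback and the "Default" keyword for the Time attributes whose minimum, maximum and default are listed in the CA attributes table that follows. Treating a month as 30 days and a year as 365 days is my assumption; the portal's own accounting may differ.

```python
"""Pre-check a CA Time attribute for the ICA Management Tool's Configure the CA pane.
Added example, not Check Point code. Ranges are transcribed from the CA attributes
table in the guide; month and year lengths are assumptions."""
import re
from typing import Dict, Tuple

MINUTE, DAY = 60, 86400
WEEK, MONTH, YEAR = 7 * DAY, 30 * DAY, 365 * DAY   # month/year lengths: assumed

# name -> (min_seconds, max_seconds, default_seconds), from the CA attributes table
TIME_ATTRIBUTES: Dict[str, Tuple[int, int, int]] = {
    "CRL Duration": (5 * MINUTE, YEAR, WEEK),
    "Grace Period Before Revocation": (0, 5 * YEAR, WEEK),
    "Grace Period Check Period": (10 * MINUTE, WEEK, DAY),
    "IKE Certificate Validity Period": (10 * MINUTE, 3 * YEAR, YEAR),
    "Management Tool Registration Key Validity Period": (10 * MINUTE, 2 * MONTH, 2 * WEEK),
    "Management Tool User Certificate Validity Period": (WEEK, 20 * YEAR, 2 * YEAR),
    "SIC Certificate Validity Period": (10 * MINUTE, 20 * YEAR, 5 * YEAR),
}

# "<number> days <number> seconds", as the portal displays Time attributes
_DAYS_SECONDS = re.compile(r"^(\d+)\s+days?\s+(\d+)\s+seconds?$", re.IGNORECASE)


def parse_ca_time(text: str) -> int:
    """Convert "<n> days <m> seconds" or a bare "<seconds>" to a number of seconds."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    match = _DAYS_SECONDS.match(text)
    if match is None:
        raise ValueError(f"not a CA time value: {text!r}")
    return int(match.group(1)) * DAY + int(match.group(2))


def format_ca_time(seconds: int) -> str:
    """Render seconds the way the portal displays a Time attribute."""
    return f"{seconds // DAY} days {seconds % DAY} seconds"


def resolve_time_attribute(name: str, entered: str) -> Tuple[int, bool, str]:
    """Return (effective_seconds, accepted, reason) for a value typed into the portal.
    accepted is False whenever the CA would silently substitute the default."""
    low, high, default = TIME_ATTRIBUTES[name]
    if entered.strip().lower() == "default":
        return default, True, "reset to the default value"
    try:
        seconds = parse_ca_time(entered)
    except ValueError as exc:
        return default, False, f"{exc}; the CA falls back to the default"
    if not low <= seconds <= high:
        return default, False, (f"{format_ca_time(seconds)} is outside "
                                f"{format_ca_time(low)} .. {format_ca_time(high)}; "
                                "the CA falls back to the default")
    return seconds, True, "accepted"


if __name__ == "__main__":
    for value in ("7 days 0 seconds", "1209600", "60", "2 years", "Default"):
        secs, ok, why = resolve_time_attribute("CRL Duration", value)
        print(f"{value!r:>20} -> {format_ca_time(secs):<22} {'OK' if ok else 'DEFAULT'}: {why}")
```

A value such as "2 years" is rejected by the parser because the portal only accepts the days/seconds form or a plain number of seconds; "60" parses but falls below the 5 minute minimum of CRL Duration, so the CA would quietly keep the 1 week default.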

These are the CA attributes, in alphabetical order:

| Attribute | Comment | Values | Default |
| --- | --- | --- | --- |
| Authorization Code Length | The number of characters of the authorization codes. | min 6, max 12 | 6 |
| CRL Duration | The period of time for which the CRL is valid. | min 5 minutes, max 1 year | 1 week |
| Enable Renewal | For User certificates. This is a Boolean value setting which stipulates whether to enable renewal or not. | true or false | true |
| Grace Period Before Revocation | The amount of time the old certificate will remain in Renewed (superseded) state. | min 0, max 5 years | 1 week |
| Grace Period Check Period | The amount of time between sequential checks of the Renewed (superseded) list in order to revoke those whose duration has passed. | min 10 minutes, max 1 week | 1 day |
| IKE Certificate Validity Period | The amount of time an IKE certificate will be valid. | min 10 minutes, max 3 years | 1 year |
| IKE Certificate Extended Key Usage | Certificate purposes for describing the type of the extended key usage for IKE certificates. Refer to RFC 2459. | - | means no KeyUsage |
| IKE Certificate Key usage | Certificate purposes for describing the certificate operations. Refer to RFC 2459. | - | Digital signature and Key encipherment |
| Management Tool DN prefix | Determines the DN prefix of a DN that will be created when entering a user name. | possible values: CN=, UID= | CN= |
| Management Tool DN suffix | Determines the DN suffix of a DN that will be created when entering a user name. | - | ou=users |
| Management Tool Hide Mail Button | For security reasons the mail sending button after displaying a single certificate can be hidden. | true or false | false |
| Management Tool Mail Server | The SMTP server that will be used in order to send registration code mails. It has no default and must be configured in order for the mail sending option to work. | - | - |
| Management Tool Registration Key Validity Period | The amount of time a registration code is valid when initiated using the Management Tool. | min 10 minutes, max 2 months | 2 weeks |
| Management Tool User Certificate Validity Period | The amount of time that a user certificate is valid when initiated using the Management Tool. | min one week, max 20 years | 2 years |
| Management Tool Mail From Address | When sending mails this is the email address that will appear in the from field. A report of the mail delivery status will be sent to this address. | - | - |
| Management Tool Mail Subject | The email subject field. | - | - |
| Management Tool Mail Text Format | The text that appears in the body of the message. 3 variables can be used in addition to the text: $REG_KEY (user's registration key); $EXPIRE (expiration time); $USER (user's DN). | - | Registration Key: $REG_KEY Expiration: $EXPIRE |
| Management Tool Mail To address | When the send mail option is used, the emails to users that have no email address defined will be sent to this address. | - | - |
| Max Certificates Per Distribution Point | The maximum capacity of a CRL in the new CRL mode. | min 3, max 400 | 400 |
| New CRL Mode | A Boolean value describing the CRL mode. | 0 for old CRL mode, 1 for new mode | true |
| Number of certificates per search page | The number of certificates that will be displayed in each page of the search window. | min 1, max approx 700 | approx 700 |
| Number of Digits for Serial Number | The number of digits of certificate serial numbers. | min 5, max 10 | 5 |
| Revoke renewed certificates | This flag determines whether to revoke an old certificate after it has been renewed. The reason for not revoking it is to prevent the CRL from growing each time a certificate is renewed. If the certificate is not revoked, the user may have two valid certificates. | true or false | true |
| SIC Key Size | The key size in bits of keys used in SIC. | possible values: 1024, 2048, 4096 | 2048 |
| SIC Certificate Key usage | Certificate purposes for describing the certificate operations. Refer to RFC 2459. | - | Digital signature and Key encipherment |
| SIC Certificate Validity Period | The amount of time a SIC certificate will be valid. | min 10 minutes, max 20 years | 5 years |
| User Certificate Extended Key Usage | Certificate purposes for describing the type of the extended key usage for User certificates. Refer to RFC 2459. | - | means no KeyUsage |
| User Certificate Key Size | The key size in bits of the user's certificates. | possible values: 1024, 2048, 4096 | 2048 |
| User Certificate Key usage | Certificate purposes for describing the certificate operations. Refer to RFC 2459. | - | Digital signature and Key encipherment |

R82 Security Management Administration Guide | 674


Certificate Longevity and Statuses

Certificate Longevity and Statuses


Certificates issued by the ICA have a defined validity period. When the period ends, the certificate
expires.
SIC certificates, VPN certificates for Security Gateways and User certificates can be created in
one step in SmartConsole. User certificates can also be created in two steps using
SmartConsole or the ICA Management Tool. The two steps are:
- Initialization - during this step a registration code is created for the user. When this is
done, the certificate status is pending.
- Registration - when the user completes the registration procedure in the remote client.
After entering the registration code, the certificate becomes valid.

The advantages are:

Enhanced security
- The private key is created and stored on the user's machine.
- The certificate issued by the ICA is downloaded securely to the client.

Pre-issuance automatic and administrator-initiated certificate removal
If a user does not complete the registration procedure in a given period (two weeks by default),
the registration code is automatically removed. An administrator can remove the registration
key before the user completes the registration procedure. After that, the administrator can
revoke the user certificate.

Explicit or Automatic Renewal of User certificates ensuring continuous User connectivity
A user certificate of type PKCS12 can be renewed explicitly by the user. A PKCS12 certificate
can also be set to renew automatically when it is about to expire. This renewal operation
ensures that the user can continuously connect to the organization's network. The
administrator can choose when old user certificates are revoked automatically.

One more advantage is:

Automatic renewal of SIC certificates ensuring continuous SIC connectivity
SIC certificates are renewed automatically after 75% of the validity time of the certificate has
passed. If, for example, the SIC certificate is valid for five years, then after 3.75 years a new
certificate is created and downloaded automatically to the SIC entity. This automatic renewal
ensures that the SIC connectivity of the Security Gateway is continuous. The administrator can
revoke the old certificate automatically or after a set period of time. By default, the old
certificate is revoked one week after certificate renewal.
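
The SIC renewal timeline above (automatic renewal at 75% of the validity period, old certificate revoked one week after renewal by default) as a small audit helper. This is an added example, not Check Point code: it models only the two documented rules, the certificate records it works on are constructed sample data, and the status names are this example's own.

```python
"""Model of the SIC certificate renewal timeline documented above.

Added example, not Check Point code.  It applies only the documented rules:
automatic renewal once 75% of the validity period has passed, and revocation
of the old certificate one week after renewal (the default).  Certificate
records and entity names are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

RENEWAL_FRACTION = 0.75                      # renew after 75% of validity has passed
DEFAULT_REVOKE_DELAY = timedelta(weeks=1)    # old cert revoked one week after renewal


@dataclass(frozen=True)
class SicCert:
    entity: str            # SIC entity the certificate belongs to (sample value)
    not_before: datetime   # start of the validity period
    not_after: datetime    # end of the validity period


def renewal_time(cert: SicCert) -> datetime:
    """Point at which the ICA automatically issues the replacement certificate."""
    validity = cert.not_after - cert.not_before
    return cert.not_before + validity * RENEWAL_FRACTION


def status(cert: SicCert, now: datetime,
           revoke_delay: timedelta = DEFAULT_REVOKE_DELAY) -> str:
    """Classify where a SIC certificate is in its lifecycle at time `now`.

    'valid'            - before the 75% renewal point
    'renewal-due'      - past the renewal point; old cert still inside the revoke delay
    'old-cert-revoked' - renewal point plus revoke_delay has passed
    'expired'          - past not_after (automatic renewal should prevent this)
    """
    if now >= cert.not_after:
        return "expired"
    renew_at = renewal_time(cert)
    if now < renew_at:
        return "valid"
    if now < renew_at + revoke_delay:
        return "renewal-due"
    return "old-cert-revoked"


def audit(certs, now: datetime,
          revoke_delay: timedelta = DEFAULT_REVOKE_DELAY) -> dict:
    """Map every entity to its lifecycle status, for a quick inventory review."""
    return {c.entity: status(c, now, revoke_delay) for c in certs}


if __name__ == "__main__":
    # constructed sample: a five-year SIC certificate, as in the text
    gw = SicCert("gw-sample", datetime(2020, 1, 1), datetime(2025, 1, 1))
    print("renewal expected at", renewal_time(gw))
    for when in (datetime(2022, 1, 1), datetime(2023, 10, 3), datetime(2023, 10, 10)):
        print(when.date(), status(gw, when))
```

The five-year sample certificate reaches its renewal point 3.75 years in, matching the figure in the text; anything still reporting `renewal-due` well after the one-week window is worth checking against the "Revoke renewed certificates" attribute from the table above.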

Gaia API Proxy


Check Point products support API commands. See the Check Point API Reference.
With the Gaia API Proxy feature on a Management Server, you run the Gaia API commands
on managed Security Gateways and Cluster Members:
1. An administrator connects with an API Client to a Management Server.
2. From the Management Server, an administrator runs the Gaia API commands on
managed Security Gateways and Cluster Members.
The Gaia API Proxy feature on the R82 Management Server works with all managed Security
Gateways and Cluster Members that support the Gaia API.

Example diagram (the items in the diagram):

1 - An API Client
2 - A Management Server with the Gaia API Proxy feature
3 - A managed Security Gateway
4 - A managed ClusterXL
A - Management API communication
B - Gaia API communication


Important:
- Scalable Platform Security Groups do not support this feature (Known Limitation MBS-10832).
- The Gaia API Proxy on the Management Server sends Gaia API commands to the Security Gateway or Cluster Members over HTTPS. The Access Control policy for the Security Gateway or ClusterXL must explicitly allow HTTPS traffic from the Management Server to the Security Gateway or Cluster Members.
- You must use an API client in which you can manually configure the API Request Body (for example, Postman).

Workflow:
1. Run the Management API "login" command to log in to the Management Server

See the Check Point Management API Reference (at the top, select the correct version).
Run the Management API command "login" to log in to the Management Server.

Important - The administrator that logs in must have the Run One Time
Script permission enabled in the assigned permission profile. See "Assigning
Permission Profiles to Administrators" on page 116.


API Command:

API Request URL:
      POST [Link] Address of Management Server>/web_api/login
      Example:
      [Link]

API Request Headers:
      Content-Type: application/json

API Request Body:
      {
            "user" : "<Username of Management Server Administrator>",
            "password" : "<Password of Management Server Administrator>"
      }

The Management API command "login" returns the Session Unique Identifier (SID)
token - refer to the value of "sid".

You must use this value in the Gaia API commands.


Example API Response:

{
      "uid": "<Session UID>",
      "sid": "7yek60S3bwr7C_R-fgzE7luUFdP_ylNKYF2MAsmRL-U",
      "url": "[Link]",
      "session-timeout": <Number of Seconds>,
      "last-login-was-at": {
            "posix": <Timestamp>,
            "iso-8601": "<Timestamp>"
      },
      "api-server-version": "<API Version of Management Server>",
      "user-name": "<Username of Management Server Administrator>",
      "user-uid": "<UID of Management Server Administrator>"
}

2. Run the Gaia API commands on managed Security Gateways and Cluster Members

See the Check Point Gaia API Reference (at the top, select the correct version).
You must send Gaia API commands in the same API client (in which you sent the
Management API command "login"):

API Request URL:
      POST [Link] Address of Management Server>/web_api/gaia-api/<Gaia API Version of Security Gateway>/<Gaia API Command>
      Example:
      [Link] API Version of Security Gateway>/show-version

API Request Headers:
      Content-Type: application/json
      X-chkp-sid: <From response to Management API command "login", paste value of "sid">

API Request Body:
      If a Gaia API command does not require parameters:
      {
            "target" : "<Security Gateway Object>"
      }
      If a Gaia API command requires parameters:
      {
            "target" : "<Security Gateway Object>",
            "<Name of Parameter 1>" : "<Value of Parameter 1>",
            "<Name of Parameter 2>" : "<Value of Parameter 2>",
            ...,
            "<Name of Parameter N>" : "<Value of Parameter N>"
      }
      In the parameter "target", you must identify the managed Security Gateway or Cluster Member in one of these ways:
      - Main IP address of the object
      - Name of the object
      - UID of the object
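
Steps 1 and 2 above, the Management API "login" followed by a Gaia API command sent through the proxy, as a small Python client. This is an added example, not Check Point's code or its published SDK: it builds the URL, headers and body exactly as the tables above describe them. The host name, the Gaia API version string and the target address used here are placeholders, and the transport is injectable so the flow can be exercised offline against a fake server; the real transport below uses only the standard library.

```python
"""Client for the Gaia API Proxy workflow described above.

Added example, not Check Point code.  Assumptions: the Management Server is
reachable over HTTPS at `mgmt_host`; request shapes follow the tables above;
`send` is any callable that posts one request and returns the parsed JSON
reply, so a fake transport can stand in for the server during testing.
"""
import json
import ssl
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Request = Tuple[str, Dict[str, str], bytes]   # (url, headers, body)
Transport = Callable[[Request], dict]         # posts a request, returns parsed JSON


def build_login_request(mgmt_host: str, user: str, password: str) -> Request:
    """POST <mgmt>/web_api/login with the administrator credentials (step 1)."""
    url = f"https://{mgmt_host}/web_api/login"
    headers = {"Content-Type": "application/json"}
    body = json.dumps({"user": user, "password": password}).encode()
    return url, headers, body


def build_gaia_request(mgmt_host: str, sid: str, gaia_version: str, command: str,
                       target: str, params: Optional[dict] = None) -> Request:
    """POST <mgmt>/web_api/gaia-api/<version>/<command> with X-chkp-sid (step 2).

    `target` is the gateway's main IP address, object name or UID, as the
    document requires; `sid` is the value returned by the login call.
    """
    url = f"https://{mgmt_host}/web_api/gaia-api/{gaia_version}/{command}"
    headers = {"Content-Type": "application/json", "X-chkp-sid": sid}
    payload = {"target": target}
    payload.update(params or {})          # extra Gaia API parameters, if any
    return url, headers, json.dumps(payload).encode()


def https_transport(ca_bundle_path: str) -> Transport:
    """Real transport.  The channel carries an administrator session token, so
    certificate verification against a known CA bundle stays on."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)

    def send(req: Request) -> dict:
        url, headers, body = req
        http_req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(http_req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())

    return send


def run_gaia_command(send: Transport, mgmt_host: str, user: str, password: str,
                     gaia_version: str, command: str, target: str,
                     params: Optional[dict] = None) -> dict:
    """Whole workflow: log in, then run one Gaia API command through the proxy."""
    login = send(build_login_request(mgmt_host, user, password))
    sid = login["sid"]                    # the session token every Gaia API call must carry
    return send(build_gaia_request(mgmt_host, sid, gaia_version, command, target, params))


if __name__ == "__main__":
    # placeholders: replace with a real Management Server, CA bundle and gateway
    send = https_transport("/path/to/ca-bundle.pem")
    print(run_gaia_command(send, "<mgmt-host>", "<admin>", "<password>",
                           "<gaia-api-version>", "show-version", "<gateway-main-ip>"))
```

The administrator account used for the login needs the Run One Time Script permission noted above; with a fake `send` the two builders can be checked without any server, which is also a convenient way to review exactly what leaves the client before pointing it at production.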

3. The Gaia API Proxy logs in to the specified Security Gateway or Cluster Member

The Gaia API Proxy on the Management Server interprets the Gaia API command and
logs in to the specified Security Gateway or Cluster Member.
a. This login returns the SID for the Security Gateway or Cluster Member.
b. The Gaia API Proxy uses this SID to run the Gaia API commands.
c. The Gaia API Proxy saves this SID in its database:
- The SID timeout is 580 seconds on the Management Server.
- The SID timeout is 10 minutes on a Security Gateway or Cluster Member.

4. The Gaia API Proxy forwards the response from the Security Gateway or Cluster Member
to the API client


- To increase performance, the Gaia API Proxy saves the response in the Gaia API Proxy cache on the Management Server.
- If the Gaia API Proxy gets the same Gaia API request during the cache timeout, it returns the Gaia API response from its cache and updates the cache.
- An administrator can configure these cache parameters in the $FWDIR/api/conf/[Link] file on the Management Server:

Note - After you change the $FWDIR/api/conf/[Link] file, you must reload the API server configuration with the "api reconf" command (either in the Expert mode or in Gaia Clish).

Parameter: timeout
      Accepted Values: 0, or greater
      Description: Specifies the time, after which the next Gaia API command triggers a cache update for that Gaia API command:
      - 0: The Gaia API proxy does not use cache
      - <integer>: The Gaia API proxy saves the Gaia API responses in its cache for the specified number of seconds (default: 60 seconds)

Parameter: total_gateways
      Accepted Values: integer
      Description: Specifies the number of unique Security Gateways and Cluster Members, from which to save the Gaia API responses.

Parameter: maximum_entries
      Accepted Values: integer
      Description: Specifies the number of unique Gaia API commands to save for each Security Gateway and Cluster Member.
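
The three cache parameters above decide whether a repeated Gaia API request reaches the gateway or is answered from the Management Server. The following is an added model of that documented behaviour, not the proxy's implementation: it assumes entries are keyed by target, command and parameters, and that the least recently used gateway or command is dropped when total_gateways or maximum_entries is reached; the timestamps and responses in the test are constructed.

```python
"""Model of the Gaia API Proxy response cache (timeout, total_gateways,
maximum_entries).

Added example, not the proxy's code.  It implements the documented rules:
timeout 0 disables the cache; otherwise a response is served from cache while
younger than `timeout` seconds and refreshed on the next request after that.
Assumptions: entries are keyed by (target, command, parameters) and the least
recently used gateway or command is evicted when a bound is reached.
"""
from collections import OrderedDict
import json


class GaiaProxyCache:
    def __init__(self, timeout: int = 60, total_gateways: int = 10,
                 maximum_entries: int = 20):
        if timeout < 0:
            raise ValueError("timeout must be 0 or greater")
        self.timeout = timeout
        self.total_gateways = total_gateways
        self.maximum_entries = maximum_entries
        # target -> OrderedDict(command key -> (stored_at, response)); LRU order
        self._store = OrderedDict()
        self.fetches = 0   # how many times the gateway actually had to be asked

    @staticmethod
    def _key(command: str, params) -> str:
        # same command with different parameters is a different cache entry
        return command + "|" + json.dumps(params or {}, sort_keys=True)

    def get(self, target: str, command: str, params, now: float, fetch):
        """Return the response for (target, command, params) at time `now`.

        `fetch` is called only when the cache cannot answer: cache disabled,
        entry missing, or entry older than `timeout` seconds.
        """
        if self.timeout == 0:                    # cache disabled
            self.fetches += 1
            return fetch()
        key = self._key(command, params)
        per_gw = self._store.get(target)
        if per_gw is not None and key in per_gw:
            stored_at, response = per_gw[key]
            if now - stored_at < self.timeout:   # still fresh: serve from cache
                per_gw.move_to_end(key)
                self._store.move_to_end(target)
                return response
        self.fetches += 1                        # stale or missing: ask the gateway
        response = fetch()
        self._put(target, key, now, response)
        return response

    def _put(self, target: str, key: str, now: float, response) -> None:
        if target not in self._store:
            if len(self._store) >= self.total_gateways:
                self._store.popitem(last=False)  # evict least recently used gateway
            self._store[target] = OrderedDict()
        per_gw = self._store[target]
        if key not in per_gw and len(per_gw) >= self.maximum_entries:
            per_gw.popitem(last=False)           # evict oldest command for this gateway
        per_gw[key] = (now, response)
        per_gw.move_to_end(key)
        self._store.move_to_end(target)

    def cached_gateways(self) -> list:
        return list(self._store.keys())
```

Running a monitoring loop against this model shows the operational trade-off: a larger timeout lowers gateway load but lets a "show" result go stale for up to that many seconds, and total_gateways below the number of monitored gateways turns the cache into churn.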

Testing New SmartConsole Features

You can influence Check Point product development by selecting and testing one or more of
the new features listed here.

To test a new SmartConsole feature:


1. From the left navigation panel, click Manage & Settings.
2. Click Preferences.

3. In the Check Point Lab section (at the bottom), select the feature you want to test.
4. Publish the SmartConsole session.


Command Line Reference


See the R82 CLI Reference Guide.
Below is a limited list of applicable commands.


Syntax Legend for CLI Commands


Whenever possible, this guide lists commands, parameters and options in alphabetical
order.
This guide uses these conventions in the Command Line Interface (CLI) syntax:

Character Description

TAB
      Shows the available nested subcommands:
      main command
            → nested subcommand 1
            → → nested subsubcommand 1-1
            → → nested subsubcommand 1-2
            → nested subcommand 2
      Example:
      cpwd_admin
            config
                  -a <options>
                  -d <options>
                  -p
                  -r
            del <options>
      Meaning, you can run only one of these commands:
      - This command: cpwd_admin config -a <options>
      - Or this command: cpwd_admin config -d <options>
      - Or this command: cpwd_admin config -p
      - Or this command: cpwd_admin config -r
      - Or this command: cpwd_admin del <options>

Curly brackets or braces {}
      Enclose a list of available commands or parameters, separated by the vertical bar |.
      User can enter only one of the available commands or parameters.

Angle brackets <>
      Enclose a variable.
      User must explicitly specify a supported value.

Square brackets or brackets []
      Enclose an optional command or parameter, which user can also enter.


contract_util
Description
Works with the Check Point Service Contracts.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util [-d]
      check <options>
      cpmacro <options>
      download <options>
      mgmt
      print <options>
      summary <options>
      update <options>
      verify

Parameters

Parameter Description

check <options>
      Checks whether the Security Gateway is eligible for an upgrade.
      See "contract_util check" on page 688.

cpmacro <options>
      Overwrites the current [Link] file with the specified [Link] file.
      See "contract_util cpmacro" on page 689.

download <options>
      Downloads all associated Check Point Service Contracts from the User Center, or from a local file.
      See "contract_util download" on page 690.

mgmt
      Delivers the Service Contract information from the Management Server to the managed Security Gateways.
      See "contract_util mgmt" on page 692.

print <options>
      Shows all the installed licenses and whether the Service Contract covers these licenses, which entitles them for upgrade or not.
      See "contract_util print" on page 693.

summary <options>
      Shows post-installation summary.
      See "contract_util summary" on page 694.

update <options>
      Updates Check Point Service Contracts from your User Center account.
      See "contract_util update" on page 695.

verify
      Checks whether the Security Gateway is eligible for an upgrade.
      This command also interprets the return values and shows a meaningful message.
      See "contract_util verify" on page 696.


contract_util check

Description
Checks whether the Security Gateway is eligible for an upgrade.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util check
      {-h | -help}
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

Parameter Description

{-h | -help}
      Shows the applicable built-in usage.

hfa
      Checks whether the Security Gateway is eligible for an upgrade to a higher Hotfix Accumulator.

maj_upgrade
      Checks whether the Security Gateway is eligible for an upgrade to a higher Major version.

min_upgrade
      Checks whether the Security Gateway is eligible for an upgrade to a higher Minor version.

upgrade
      Checks whether the Security Gateway is eligible for an upgrade.


contract_util cpmacro

Description
Overwrites the current [Link] file with the specified [Link] file, if the specified file is
newer than the current file.
For more information about the [Link] file, see sk96217: What is a [Link] file?

Syntax

contract_util cpmacro /<path_to>/[Link]

This command shows one of these messages:

Message Description

CntrctUtils_Write_cp_macro returned -1
      The contract_util cpmacro command failed:
      - Failed to create a temporary file.
      - Failed to write to a temporary file.
      - Failed to replace the current file.

CntrctUtils_Write_cp_macro returned 0
      The contract_util cpmacro command was able to overwrite the current file with the specified file, because the specified file is newer.

CntrctUtils_Write_cp_macro returned 1
      The contract_util cpmacro command did not overwrite the current file, because it is newer than the specified file.


contract_util download

Description
Downloads all associated Check Point Service Contracts from User Center, or from a local file.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util download
      {-h | -help}
      local
            {-h | -help}
            [{hfa | maj_upgrade | min_upgrade | upgrade}] <Service Contract File>
      uc
            {-h | -help}
            [-i] [{hfa | maj_upgrade | min_upgrade | upgrade}] <Username> <Password> [<Proxy Server> [<Proxy Username>:<Proxy Password>]]

Parameters

Parameter Description

{-h | -help}
      Shows the applicable built-in usage.

-i
      Interactive mode - prompts the user for the User Center credentials and proxy server settings.

local
      Specifies to download the Service Contract from the local file.
      This is equivalent to the "cplic contract put" command (see "cplic contract" on page 773).

uc
      Specifies to download the Service Contract from the User Center.

hfa
      Downloads the information about a Hotfix Accumulator.

maj_upgrade
      Downloads the information about a Major version.

min_upgrade
      Downloads the information about a Minor version.

upgrade
      Downloads the information about an upgrade.

<Username>
      Your User Center account e-mail address.

<Password>
      Your User Center account password.

<Proxy Server> [<Proxy Username>:<Proxy Password>]
      Specifies that the connection to the User Center goes through the proxy server.
      - <Proxy Server> - IP address or resolvable hostname of the proxy server
      - <Proxy Username> - Username for the proxy server.
      - <Proxy Password> - Password for the proxy server.
      Note - If you do not specify the proxy server explicitly, the command uses the proxy server configured in the management database.

<Service Contract File>
      Path to and the name of the Service Contract file.
      First, you must download the Service Contract file from your User Center account.


contract_util mgmt

Description
Delivers the Service Contract information from the Management Server to the managed
Security Gateways.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util mgmt


contract_util print

Description
Shows all the installed licenses and whether the Service Contract covers these licenses, which
entitles them for upgrade or not.
This command can show which licenses are not recognized by the Service Contract file.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util [-d] print
      {-h | -help}
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

Parameter Description

{-h | -help}
      Shows the applicable built-in usage.

-d
      Shows a formatted table header and more information.

hfa
      Shows the information about Hotfix Accumulator.

maj_upgrade
      Shows the information about Major version.

min_upgrade
      Shows the information about Minor version.

upgrade
      Shows the information about an upgrade.


contract_util summary

Description
Shows post-installation summary and whether this Check Point computer is eligible for
upgrades.

Syntax

contract_util summary
      hfa
      maj_upgrade
      min_upgrade
      upgrade

Parameters

Parameter Description

hfa
      Shows the information about Hotfix Accumulator.

maj_upgrade
      Shows the information about Major version.

min_upgrade
      Shows the information about Minor version.

upgrade
      Shows the information about an upgrade.


contract_util update

Description
Updates the Check Point Service Contracts from your User Center account.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util update
      [-proxy <Proxy Server>:<Proxy Port>]
      [-ca_path <Path to [Link] File>]

Parameters

Parameter Description

update
      Updates Check Point Service Contracts (attached to pre-installed licenses) from your User Center account.

-proxy <Proxy Server>:<Proxy Port>
      Specifies that the connection to the User Center goes through the proxy server:
      - <Proxy Server> - IP address or resolvable hostname of the proxy server.
      - <Proxy Port> - The applicable port on the proxy server.
      Note - If you do not specify the proxy explicitly, the command uses the proxy configured in the management database.

-ca_path <Path to [Link] File>
      Specifies the path to the Certificate Authority Bundle file ([Link]).
      Note - If you do not specify the path explicitly, the command uses the default path.


contract_util verify

Description
Checks whether the Security Gateway is eligible for an upgrade.
This command is the same as the "contract_util check" on page 688 command, but it also
interprets the return values and shows a meaningful message.
For more information about Service Contract files, see sk33089: What is a Service Contract
File?

Syntax

contract_util verify


cp_conf
Description
Configures or reconfigures a Check Point product installation.

Note - The available options for each Check Point computer depend on the
configuration and installed products.

Syntax on a Management Server

cp_conf
      -h
      admin <options>
      auto <options>
      ca <options>
      client <options>
      finger <options>
      lic <options>
      snmp <options>

Parameters

Parameter Description

-h
      Shows the entire built-in usage.

admin <options>
      Configures Check Point system administrators for the Security Management Server.
      See "cp_conf admin" on page 699.

auto <options>
      Shows and configures the automatic start of Check Point products during boot.
      See "cp_conf auto" on page 702.

ca <options>
      - Configures the Certificate Authority's (CA) Fully Qualified Domain Name (FQDN).
      - Initializes the Internal Certificate Authority (ICA).
      See "cp_conf ca" on page 703.

client <options>
      Configures the GUI clients that can use SmartConsole to connect to the Security Management Server.
      See "cp_conf client" on page 705.

finger <options>
      Shows the ICA's Fingerprint.
      See "cp_conf finger" on page 709.

lic <options>
      Manages Check Point licenses.
      See "cp_conf lic" on page 710.

snmp <options>
      Do not use these outdated commands.
      To configure SNMP, see the R82 Gaia Administration Guide - Chapter System Management - Section SNMP.


cp_conf admin

Description
Configures Check Point system administrators for the Security Management Server.

Notes:
- Multi-Domain Server does not support this command.
- Only one administrator can be defined in the "cpconfig" on page 764 menu. To define additional administrators, use SmartConsole.
- This command corresponds to the option Administrator in the "cpconfig" on page 764 menu.

Syntax

cp_conf admin
      -h
      add [<UserName> <Password> {a | w | r}]
      add -gaia [{a | w | r}]
      del <UserName1> <UserName2> ...
      get


Parameters

Parameter Description

-h
      Shows the applicable built-in usage.

add [<UserName> <Password> {a | w | r}]
      Adds a Check Point system administrator:
      - <UserName> - Specifies the administrator's username
      - <Password> - Specifies the administrator's password
      - a - Assigns all permissions - read settings, write settings, and manage administrators
      - w - Assigns permissions to read and write settings only (cannot manage administrators)
      - r - Assigns permissions to only read settings

add -gaia [{a | w | r}]
      Adds the Gaia administrator user admin:
      - a - Assigns all permissions - read settings, write settings, and manage administrators
      - w - Assigns permissions to read and write settings only (cannot manage administrators)
      - r - Assigns permissions to only read settings

del <UserName1> <UserName2> ...
      Deletes the specified system administrators.

get
      Shows the list of the configured system administrators.

get -gaia
      Shows the management permissions assigned to the Gaia administrator user admin.


Example 1 - Adding a Check Point system administrator

[Expert@MGMT:0]# cp_conf admin add
Administrator name: admin
Administrator admin already exists.
Do you want to change Administrator's Permissions (y/n) [n] ? y

Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w

Administrator admin was modified successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get

The following Administrators
are defined for this Security Management Server:

admin (Read/Write Permission for all products; )

[Expert@MGMT:0]#

Example 2 - Adding the Gaia administrator user

[Expert@MGMT:0]# cp_conf admin add -gaia
Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w
Administrator admin was added successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get -gaia

The following Administrators
are defined for this Security Management Server:

admin (Read/Write Permission for all products; ) - Gaia admin

[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia a
Administrator admin already exists.

Administrator admin was modified successfully and has
Read/Write Permission for all products with Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia w
Administrator admin already exists.

Administrator admin was modified successfully and has
Read/Write Permission for all products without Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia r
Administrator admin already exists.

Administrator admin was modified successfully and has
Read Only Permission for all products
[Expert@MGMT:0]#


cp_conf auto

Description
Shows and controls which of the Check Point products start automatically during boot.

Note - This command corresponds to the option Automatic start of Check Point
Products in the "cpconfig" on page 764 menu.

Syntax on a Management Server in Gaia Clish or the Expert mode

cp_conf auto
      -h
      {enable | disable} <Product1> <Product2> ...
      get all

Parameters

Parameter Description

-h
      Shows the applicable built-in usage.

{enable | disable} <Product1> <Product2> ...
      Controls whether the installed Check Point products start automatically during boot.
      This command is for Check Point use only.

get all
      Shows which of these Check Point products start automatically during boot:
      - Check Point Security Gateway
      - QoS (former FloodGate-1)
      - SmartEvent Suite

Example from a Security Management Server

[Expert@MGMT:0]# cp_conf auto get all
Check Point Security Gateway is not installed

QoS is not installed

The SmartEvent Suite will start automatically at boot time.

[Expert@MGMT:0]#


cp_conf ca

Description
This command changes the settings of the Internal Certificate Authority (ICA).

Note - On a Security Management Server, this command corresponds to the option
Certificate Authority in the "cpconfig" on page 764 menu.

Syntax

cp_conf ca
      -h
      fqdn <FQDN Name>
      init

Parameters

Parameter Description

-h
      Shows the applicable built-in usage.

fqdn <FQDN Name>
      Configures the Fully Qualified Domain Name (FQDN) for the Internal Certificate Authority (ICA).
      The "<FQDN Name>" is the text string in this format:
      [Link]
      Notes:
      - The existing certificates for configured objects are not revoked.
      - The existing ICA certificate is not changed.
      - The Management Server uses the specified "<FQDN Name>" to configure the Certificate Revocation List Distribution Point (CRL DP) property in all certificates that the ICA generates. Refer to this command: "cpca_client get_crldp" on page 740

init
      Initializes the Internal Certificate Authority (ICA).


Example

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
[Link]
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cp_conf ca fqdn [Link]
Trying to contact Certificate Authority. It might take a while...
Certificate was created successfully
[Link] was successfully set to the Internal CA
[Expert@MyMGMT:0]#


cp_conf client

Description
Configures the GUI clients that are allowed to connect with SmartConsole to the Security
Management Server.

Notes:
- Multi-Domain Server does not support this command.
- This command corresponds to the option GUI Clients in the "cpconfig" on page 764 menu.

Syntax

cp_conf client
      add <GUI Client>
      createlist <GUI Client 1> <GUI Client 2> ...
      del <GUI Client 1> <GUI Client 2> ...
      get


Parameters

Parameter Description

-h
      Shows the built-in usage.

<GUI Client>
      <GUI Client> can be one of these:
      - One IPv4 address (for example, [Link]), or one IPv6 address (for example, 3731:54:65fe:2::a7)
      - One hostname (for example, MyComputer)
      - "Any" - To denote all IPv4 and IPv6 addresses without restriction
      - A range of IPv4 addresses (for example, [Link]/[Link]), or a range of IPv6 addresses (for example, 2001::1/128)
      - IPv4 address wildcard (for example, 192.168.10.*)

add <GUI Client>
      Adds a GUI client.

createlist <GUI Client 1> <GUI Client 2> ...
      Deletes the current allowed GUI clients and creates a new list of allowed GUI clients.

del <GUI Client 1> <GUI Client 2> ...
      Deletes the specified GUI clients.

get
      Shows the allowed GUI clients.

Examples

Example 1 - Configure one IPv4 address

[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add [Link]
[Link] was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get
[Link]
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del [Link]
[Link] was deleted successfully
[Expert@MGMT:0]#


Example 2 - Configure one hostname


[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add MySmartConsoleHost


MySmartConsoleHost was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


MySmartConsoleHost
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del MySmartConsoleHost


MySmartConsoleHost was deleted successfully
[Expert@MGMT:0]#

Example 3 - Configure "Any"


[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add "Any"


Any was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


Any
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del "Any"


Any was deleted successfully
[Expert@MGMT:0]#

Example 4 - Configure a range of IPv4 addresses


[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add [Link]/[Link]


[Link]/[Link] was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


[Link]/[Link]
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del [Link]/[Link]


[Link]/[Link] was deleted successfully
[Expert@MGMT:0]#

Example 5 - Configure IPv4 address wildcard


[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.*


172.20.168.* was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


172.20.168.*
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.*


172.20.168.* was deleted successfully
[Expert@MGMT:0]#

Example 6 - Delete the current list and create a new list of allowed GUI clients
[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add [Link]/[Link]


[Link]/[Link] was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


[Link]/[Link]
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist [Link]/[Link] [Link]


New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


[Link]/[Link]
[Link]
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist "Any"


New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get


Any
[Expert@MGMT:0]#
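The entry forms shown in the examples above decide who may open a SmartConsole session against the server, so it is worth evaluating a candidate list before committing it with "createlist". The following Python is an added example, not Check Point's code: it matches a client IPv4 address against a list of GUI client entries and flags entries that barely restrict anything. The range form is assumed to be "<network>/<dotted netmask>" (the examples above show it masked as [Link]/[Link]), hostnames are resolved through a caller-supplied table instead of DNS so the block runs offline, and every address and name in it is a constructed placeholder.

```python
import ipaddress
import re

# Matches the documented wildcard form, e.g. "172.20.168.*" or "10.*".
WILDCARD_RE = re.compile(r"^(\d{1,3}\.){1,3}\*$")


def wildcard_to_network(entry):
    """Turn "172.20.168.*" into 172.20.168.0/24 (eight prefix bits per fixed octet)."""
    octets = entry[:-2].split(".")                  # drop the trailing ".*"
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(".".join(padded) + f"/{8 * len(octets)}")


def entry_matches(entry, client_ip, resolver=None):
    """True if the dotted IPv4 string client_ip is covered by one GUI client entry."""
    resolver = resolver or {}                       # hostname -> list of IPv4 strings
    ip = ipaddress.IPv4Address(client_ip)
    if entry == "Any":                              # no restriction at all
        return True
    if "/" in entry:                                # assumed form: network/dotted-netmask
        return ip in ipaddress.IPv4Network(entry, strict=False)
    if WILDCARD_RE.match(entry):
        return ip in wildcard_to_network(entry)
    try:
        return ip == ipaddress.IPv4Address(entry)   # single IPv4 address
    except ipaddress.AddressValueError:
        pass
    return client_ip in resolver.get(entry, ())     # hostname (table stands in for DNS)


def is_allowed(entries, client_ip, resolver=None):
    """Emulates the allow decision: any matching entry admits the client."""
    return any(entry_matches(e, client_ip, resolver) for e in entries)


def audit(entries):
    """Return (entry, reason) pairs for entries that hardly restrict the source."""
    findings = []
    for e in entries:
        if e == "Any":
            findings.append((e, "admits SmartConsole from every address"))
        elif WILDCARD_RE.match(e) and wildcard_to_network(e).prefixlen <= 8:
            findings.append((e, "wildcard covers a whole /8"))
        elif "/" in e and ipaddress.IPv4Network(e, strict=False).prefixlen < 16:
            findings.append((e, "range is wider than a /16"))
    return findings


if __name__ == "__main__":
    # Constructed candidate list for a "cp_conf client createlist" call.
    candidate = ["172.20.168.0/255.255.255.0", "10.*", "MySmartConsoleHost", "Any"]
    hosts = {"MySmartConsoleHost": ["192.0.2.20"]}  # constructed resolver table
    for ip in ("172.20.168.77", "10.9.9.9", "192.0.2.20", "203.0.113.5"):
        print(ip, "allowed" if is_allowed(candidate, ip, hosts) else "denied")
    for entry, reason in audit(candidate):
        print("review:", entry, "-", reason)
```

Run the audit over the output of "cp_conf client get" before and after a change: a single "Any" entry makes every other entry irrelevant, which is why Example 3 and the "createlist "Any"" call in Example 6 deserve a second look in a production environment.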

cp_conf finger

Description
Shows the Internal Certificate Authority's Fingerprint.
This fingerprint is a text string derived from the ICA certificate on the Security Management
Server, Multi-Domain Server, or Domain Management Server.
This fingerprint verifies the identity of the Security Management Server, Multi-Domain Server,
or Domain Management Server when you connect to it with SmartConsole.

Note - This command corresponds to the option Certificate's Fingerprint in the "cpconfig" on page 764 menu.

Syntax

cp_conf finger
-h
get

Parameters

Parameter Description

-h Shows the applicable built-in usage.

get Shows the ICA's Fingerprint.

Example

[Expert@MGMT:0]# cp_conf finger get


EDNA COCO MOLE ATOM ASH MOT SAGE NINE ILL TINT HI CUBE
[Expert@MGMT:0]#

cp_conf lic

Description
Shows, adds and deletes Check Point licenses.

Note - This command corresponds to the option Licenses and contracts in the
"cpconfig" on page 764 menu.

Syntax on a Management Server in Gaia Clish or the Expert mode

cp_conf lic
-h
add -f <Full Path to License File>
add -m <Host> <Date> <Signature Key> <SKU/Features>
del <Signature Key>
get [-x]

Parameters

Parameter Description

-h Shows the applicable built-in usage.

add -f <Full Path to License File> Adds a license from the specified Check Point license file. You get this license file in the Check Point User Center. This is the same command as the "cplic db_add" on page 775.

add -m <Host> <Date> <Signature Key> <SKU/Features> Adds the license manually. You get these license details in the Check Point User Center. This is the same command as the "cplic db_add" on page 775.

del <Signature Key> Deletes the license based on its signature. This is the same command as the "cplic del" on page 780.

get [-x] Shows the locally installed licenses. If you specify the "-x" parameter, the output also shows the signature key for every installed license. This is the same command as the "cplic print" on page 784.

Example 1 - Adding the license from the file

[Expert@HostName:0]# cp_conf lic add -f ~/[Link]


License was installed successfully.
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get


Host Expiration Signature Features
[Link] 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@HostName:0]#

Example 2 - Adding the license manually

[Expert@MyHostName:0]# cp_conf lic add -m MyHostName 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
License was successfully installed
[Expert@MyHostName:0]#

[Expert@MyHostName:0]# cp_conf lic get


Host Expiration Signature Features
[Link] 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@MyHostName:0]#

cp_log_export
Description
Exports Check Point logs over syslog.
For more information, see sk122323 and the R82 Logging and Monitoring Administration Guide.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cp_log_export
cp_log_export <command-name> help

Parameters

Parameter Description

No Parameters Shows the built-in general help.

<command-name> help Shows the built-in help for the specified internal command.

Internal Commands

Name Description

add Configures a new Check Point Log Exporter.
cp_log_export add name <Name> target-server <Target-Server> target-port <Target-Server-Port> protocol {udp | tcp} [Optional Arguments]

delete Removes an existing Log Exporter.
cp_log_export delete name <Name>

reexport Resets the current log position and exports all logs again based on the configuration.
cp_log_export reexport name <Name> --apply-now
cp_log_export reexport name <Name> start-position <Position of Last Exported Log> --apply-now
cp_log_export reexport name <Name> start-position <Position of Gap Start> end-position <Position of Gap End> --apply-now

restart Restarts a Log Exporter process.
cp_log_export restart name <Name>

set Updates an existing Log Exporter configuration.
cp_log_export set name <Name> [<Optional Arguments>]

show Shows the current Log Exporter configuration.
cp_log_export show [<Optional Arguments>]

start Starts an existing Log Exporter process.
cp_log_export start name <Name>

status Shows a Log Exporter overview status.
cp_log_export status [<Optional Arguments>]

stop Stops an existing Log Exporter process.
cp_log_export stop name <Name>

Internal Command Arguments

For each argument, the "Required for" line states whether the argument is Mandatory, Optional, or not applicable (N/A) for the "add", "set", "delete", "reconf", "restart"/"show"/"status"/"start"/"stop", and "reexport" commands.

--apply-now
Applies immediately any change that was done with the "add", "set", "delete", or "reexport" command.
Required for: "add" - Optional; "set" - Optional; "delete" - Mandatory; "reconf" - N/A; "restart", "show", "status", "start", "stop" - N/A; "reexport" - Mandatory.

ca-cert <Path>
Specifies the full path to the CA certificate file *.pem.
Important - Applicable only when the value of the "encrypted" argument is "true".
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

client-cert <Path>
Specifies the full path to the client certificate *.p12.
Important - Applicable only when the value of the "encrypted" argument is "true".
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

client-secret <Phrase>
Specifies the challenge phrase used to create the client certificate *.p12.
Important - Applicable only when the value of the "encrypted" argument is "true".
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

domain-server {mds | all}
On a Multi-Domain Server, specifies the applicable Domain Management Server context.
On a Multi-Domain Log Server, specifies the applicable Domain Log Server context.
Important:
- "mds" (in small letters) - Exports all logs from only the main MDS level.
- "all" (in small letters) - Exports all logs from all Domains.
Required for: "add" - Mandatory; "set" - Mandatory; "delete" - Mandatory; "reconf" - N/A; "restart", "show", "status", "start", "stop" - Optional; "reexport" - Mandatory.

enabled {true | false}
Default: true
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

encrypted {true | false}
Specifies whether to use TLS (SSL) encryption to send the logs.
Default: false
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

end-position <Position>
Specifies the end position, up to which to export the logs.
Required for: "reexport" - Optional; all other commands - N/A.

export-attachment-ids {true | false}
Specifies whether to add a field to the exported logs that represents the ID of the log's attachment (if one exists).
Default: false
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

export-attachment-link {true | false}
Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card and automatically opens the attachment.
Default: false
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

export-link {true | false}
Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card.
Default: false
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

export-link-ip {true | false}
Specifies whether to make the links to SmartView use a custom IP address (for example, for a Log Server behind NAT).
Important - Applicable only when the value of the "export-link" argument is "true", or the value of the "export-attachment-link" argument is "true".
Default: false
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

export-log-position {true | false}
Specifies whether to export the log's position.
Default: false
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

filter-action-in {"Action1","Action2",... | false}
Specifies whether to export all logs that contain a specific value in the "Action" field.
Each value must be surrounded by double quotes (""). Multiple values are supported and must be separated by a comma without spaces.
To see all valid values:
1. In SmartConsole, go to the Logs & Events view and open the Logs tab.
2. In the top query field, enter action: and a letter.
Examples of values:
- Accept
- Block
- Bypass
- Detect
- Drop
- HTTPS Bypass
- HTTPS Inspect
- Prevent
- Reject
Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

filter-blade-in {"Blade1","Blade2",... | false}
Specifies whether to export all logs that contain a specific value in the "Blade" field (the object name of the Software Blade that generated these logs).
Each value must be surrounded by double quotes (""). Multiple values are supported and must be separated by a comma without spaces.
To see all valid values:
1. In SmartConsole, go to the Logs & Events view and open the Logs tab.
2. In the top query field, enter blade: and a letter.
Examples of values:
- Anti-Bot
- Firewall
- HTTPS Inspection
- Identity Awareness
- IPS
Valid Software Blade families:
- Access
- TP
- Endpoint
- Mobile
Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

filter-origin-in {"Origin1","Origin2",... | false}
Specifies whether to export all logs that contain a specific value in the "Origin" field (the object name of the Security Gateway / Cluster Member that generated these logs).
Each origin value must be surrounded by double quotes (""). Multiple values are supported and must be separated by a comma without spaces.
Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

format {generic | cef | json | leef | logrhythm | rsa | splunk | syslog}
Specifies the format, in which the logs are exported.
Default: syslog
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

name "<Name>"
Specifies the unique name of the Log Exporter configuration.
Notes:
- Allowed characters are: Latin letters, digits ("0-9"), minus ("-"), underscore ("_"), and period (".").
- Must start with a letter.
- The minimum length is two characters.
- The "add" command creates a new target directory with the specified unique name in the $EXPORTERDIR/targets/ directory.
Required for: "add" - Mandatory; "set" - Mandatory; "delete" - Mandatory; "reconf" - Optional (by default, applies to all); "restart", "show", "status", "start", "stop" - Optional (by default, applies to all); "reexport" - Mandatory.

protocol {tcp | udp}
Specifies the Layer 4 Transport protocol to use (TCP or UDP).
There is no default value.
Required for: "add" - Mandatory; "set" - Optional; all other commands - N/A.

read-mode {raw | semi-unified}
Specifies the mode, in which to read the log files.
- raw - Specifies to export log records without any unification.
- semi-unified - Specifies to export log records with step-by-step unification. That is, for each log record, export a record that unifies this record with all previously-encountered records with the same ID.
Default: semi-unified
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

reconnect-interval {<Number> | default}
Specifies the interval (in minutes) after which the Log Exporter must connect again to the target server after the connection is lost.
To disable, enter the value "default".
There is no default value.
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.

start-position <Position>
Specifies the start position, from which to export the logs.
Required for: "reexport" - Optional; all other commands - N/A.

target-port <Target-Server-Port>
Specifies the listening port on the target server, to which you export the logs.
Required for: "add" - Mandatory; "set" - Optional; all other commands - N/A.

target-server <Target-Server>
Specifies the IP address or FQDN of the target server, to which you export the logs.
Required for: "add" - Mandatory; "set" - Optional; all other commands - N/A.

time-in-milli {true | false}
Specifies whether to export logs with the time resolution in milliseconds.
Requires Security Gateways R81 and higher.
Default: false
Required for: "add" - Optional; "set" - Optional; all other commands - N/A.
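The argument table spreads the constraints an exporter definition has to meet across many rows: which arguments "add" demands, which characters a name may contain, and that "ca-cert", "client-cert" and "client-secret" mean nothing unless "encrypted" is "true". The following Python is an added example, not Check Point's code: it checks a proposed argument set against those documented rules and assembles the "cp_log_export add" argv, so an onboarding script for a SIEM target can fail before it touches the Management Server. It builds the command line only and executes nothing. The two sample configurations, the server name and the file paths are constructed placeholders; the check that an encrypted export uses TCP and the port-range check are assumptions of the example, not rules stated on this page.

```python
import re
import shlex

# Name rules from the "name" row: a letter first, then Latin letters, digits, "-", "_" or ".",
# and at least two characters in total.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]+$")
MANDATORY_ADD = ("name", "target-server", "target-port", "protocol")
TLS_ONLY = ("ca-cert", "client-cert", "client-secret")   # applicable only with encrypted true
FORMATS = {"generic", "cef", "json", "leef", "logrhythm", "rsa", "splunk", "syslog"}


def validate(args):
    """Return the list of rule violations for an "add" argument set (empty means usable)."""
    problems = [f"missing mandatory argument: {k}" for k in MANDATORY_ADD if k not in args]
    name = args.get("name", "")
    if name and not NAME_RE.match(name):
        problems.append("name must start with a letter, be at least 2 characters, "
                        "and use only Latin letters, digits, '-', '_' and '.'")
    if args.get("protocol") not in (None, "tcp", "udp"):
        problems.append("protocol must be tcp or udp")
    if "format" in args and args["format"] not in FORMATS:
        problems.append(f"unknown format: {args['format']}")
    port = str(args.get("target-port", ""))
    if port and not (port.isdigit() and 0 < int(port) < 65536):   # assumption: ordinary port range
        problems.append("target-port must be a number between 1 and 65535")
    encrypted = args.get("encrypted", "false") == "true"           # table default: false
    if not encrypted:
        problems += [f"{k} is applicable only when encrypted is true" for k in TLS_ONLY if k in args]
    elif args.get("protocol") == "udp":
        # Assumption of this example: the TLS transport needs a TCP connection.
        problems.append("encrypted true requires protocol tcp")
    return problems


def build_add_argv(args, apply_now=True):
    """Assemble the argv for "cp_log_export add ... [--apply-now]"; raises on rule violations."""
    problems = validate(args)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["cp_log_export", "add"]
    for key in MANDATORY_ADD:                        # same order as the documented syntax line
        argv += [key, str(args[key])]
    for key, value in args.items():                  # optional arguments follow
        if key not in MANDATORY_ADD:
            argv += [key, str(value)]
    if apply_now:
        argv.append("--apply-now")
    return argv


def render(args):
    """Shell-quoted form, for a change ticket or for pasting into Expert mode."""
    return shlex.join(build_add_argv(args))


# Constructed sample configurations; the server name and the paths are placeholders.
PLAINTEXT_UDP = {"name": "siem-udp", "target-server": "siem.example.net",
                 "target-port": 514, "protocol": "udp", "format": "syslog"}
TLS_TCP = {"name": "siem-tls", "target-server": "siem.example.net",
           "target-port": 6514, "protocol": "tcp", "format": "cef",
           "encrypted": "true", "ca-cert": "/home/admin/siem-ca.pem",
           "client-cert": "/home/admin/exporter.p12",
           "client-secret": "placeholder-challenge-phrase",
           "read-mode": "semi-unified", "time-in-milli": "true",
           "filter-blade-in": '"Firewall","IPS"'}
# A certificate supplied while encryption stays at its default of false: the CA file is ignored
# and the logs still leave the server in clear text.
MISCONFIGURED = dict(PLAINTEXT_UDP, **{"ca-cert": "/home/admin/siem-ca.pem"})

if __name__ == "__main__":
    print(render(PLAINTEXT_UDP))
    print(render(TLS_TCP))
    print("MISCONFIGURED:", validate(MISCONFIGURED))
```

PLAINTEXT_UDP is the minimal definition the syntax line accepts; TLS_TCP is what a production export to a SIEM usually needs, with the exporter authenticating to the collector through the *.p12 client certificate and the collector's CA pinned through "ca-cert". Keep the "client-secret" value out of the command history on the Management Server when you run the real command.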

cpca_client
Description
Execute operations on the Internal Certificate Authority (ICA).

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d]
create_cert <options>
double_sign <options>
get_crldp <options>
get_pubkey <options>
init_certs <options>
lscert <options>
recreate_crls
revoke_cert <options>
revoke_non_exist_cert <options>
search <options>
set_ca_services <options>
set_cert_validity <options>
set_mgmt_tool <options>
set_sign_hash <options>

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself. Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

create_cert <options> Issues a SIC certificate for the Security Management Server or Domain Management Server. See "cpca_client create_cert" on page 736.

double_sign <options> Creates a second signature for a certificate. See "cpca_client double_sign" on page 738.

get_crldp <options> Shows how to access a CRL file from a CRL Distribution Point. See "cpca_client get_crldp" on page 740.

get_pubkey <options> Saves the encoding of the public key of the ICA's certificate to a file. See "cpca_client get_pubkey" on page 741.

init_certs <options> Imports a list of DNs for users and creates a file with registration keys for each user. See "cpca_client init_certs" on page 742.

lscert <options> Shows all certificates issued by the ICA. See "cpca_client lscert" on page 743.

recreate_crls Recreates all CRLs in the Internal CA database after you manually remove expired certificates from the Internal CA database as described in sk42424. See cpca_client recreate_crls.

revoke_cert <options> Revokes a certificate issued by the ICA. See "cpca_client revoke_cert" on page 746.

revoke_non_exist_cert <options> Revokes a non-existent certificate issued by the ICA. See "cpca_client revoke_non_exist_cert" on page 749.

search <options> Searches for certificates in the ICA. See "cpca_client search" on page 750.

set_ca_services <options> Controls the Certificate Authority Services Portal. See "cpca_client set_ca_services" on page 753.

set_cert_validity <options> Configures the default certificate validity period for new certificates. See "cpca_client set_cert_validity" on page 755.

set_mgmt_tool <options> Controls the ICA Management Tool. See "cpca_client set_mgmt_tool" on page 756.

set_sign_hash <options> Sets the hash algorithm that the CA uses to sign the file hash. See "cpca_client set_sign_hash" on page 761.

cpca_client create_cert

Description
Issues a SIC certificate for the Security Management Server or Domain Management Server.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] create_cert [-p <CA port number>] -n "CN=<Common Name>" -f <Full Path to PKCS12 file> [-w <Password>] [-k {SIC | USER | IKE | ADMIN_PKG}] [-c "<Comment for Certificate>"]

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself. Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number> Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority. The default TCP port number is 18209.

-n "CN=<Common Name>" Sets the CN to the specified <Common Name>.

-f <Full Path to PKCS12 file> Specifies the PKCS12 file, which stores the certificate and keys.

-w <Password> Optional. Specifies the certificate password.

-k {SIC | USER | IKE | ADMIN_PKG} Optional. Specifies the certificate kind.

-c "<Comment for Certificate>" Optional. Specifies the certificate comment (must be enclosed in double quotes).

Example

[Expert@MGMT:0]# cpca_client create_cert -n "cn=cp_mgmt" -f $CPDIR/conf/sic_cert.p12

cpca_client double_sign

Description
Creates a second signature for a certificate.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] double_sign [-p <CA port number>] -i <Certificate File in PEM format> [-o <Full Path to Output File>]

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself. Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number> Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority. The default TCP port number is 18209.

-i <Certificate File in PEM format> Imports the specified certificate (only in PEM format).

-o <Full Path to Output File> Optional. Saves the certificate into the specified file.

Example

[Expert@MGMT:0]# cpca_client double_sign -i [Link]
Requesting Double Signature for the following Certificate:
refCount: 1
Subject: Email=example@[Link],CN=[Link] Class 2 Policy Validation Authority,O=exampleO\, Inc.,L=ExampleL Validation Network

Double Sign of Cert:
======================
(
: (
:dn ("Email=example@[Link],CN=[Link] Class 2 Policy Validation Authority,O=exampleO\, Inc.,L=exampleL Validation Network")
:doubleSignCert (52016390... ... ...ebb67e96)
:return_code (0)
)
)

[Expert@MGMT:0]#

cpca_client get_crldp

Description
Shows the Fully Qualified Domain Name (FQDN) configured for the Internal Certificate Authority (ICA) with the "cp_conf ca" on page 703 command.
The Management Server uses this FQDN:
1. To configure the Certificate Revocation List Distribution Point (CRL DP) property in all certificates that the ICA generates.
2. To create the URL for accessing the CRL.
Example: [Link]

Syntax

cpca_client [-d] get_crldp [-p <ICA port number>]

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself. Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <ICA port number> Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority. The default TCP port number is 18264.

Example

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
[Link]
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cpca_client get_crldp
[Link]
[Expert@MyMGMT:0]#

cpca_client get_pubkey

Description
Saves the encoding of the public key of the ICA's certificate to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] get_pubkey [-p <CA port number>] <Full Path to Output File>

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself. Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number> Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority. The default TCP port number is 18209.

<Full Path to Output File> Saves the encoding of the public key of the ICA's certificate to the specified file.

Example

[Expert@MGMT:0]# cpca_client get_pubkey /tmp/[Link]
[Expert@MGMT:0]#

[Expert@MGMT:0]# cat /tmp/[Link]
3082010a... ... ...f98b8910
[Expert@MGMT:0]#

cpca_client init_certs

Description
Imports a list of Distinguished Names (DN) for users and creates a file with registration keys for
each user.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] init_certs [-p <CA port number>] -i <Full Path to Input File> -o <Full Path to Output File>

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself. Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-p <CA port number> Optional. Specifies the TCP port on the Security Management Server or Domain Management Server, which is used to connect to the Certificate Authority. The default TCP port number is 18209.

-i <Full Path to Input File> Imports the specified file. Make sure to use the full path. Make sure that there is an empty line between each DN in the specified file.
Example:
...CN=test1,OU=users...
<Empty Line>
...CN=test2,OU=users...

-o <Full Path to Output File> Saves the registration keys to the specified file. This command saves the error messages in the <Name of Output File>.failures file in the same directory.

cpca_client lscert

Description
Shows all certificates issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] lscert [-dn <SubString>] [-stat {Pending | Valid | Revoked | Expired | Renewed}] [-kind {SIC | IKE | User | LDAP}] [-ser <Certificate Serial Number>] [-dp <Certificate Distribution Point>]

Parameters

Parameter Description

-d Runs the command in debug mode. Use only if you troubleshoot the command itself. Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-dn <SubString> Optional. Filters the search results to those with a DN that matches the specified <SubString>. This command does not support multiple values.

-stat {Pending | Valid | Revoked | Expired | Renewed} Optional. Filters the search results to those with a certificate status that matches the specified status. This command does not support multiple values.

-kind {SIC | IKE | User | LDAP} Optional. Filters the search results to those with a certificate kind that matches the specified kind. This command does not support multiple values.

-ser <Certificate Serial Number> Optional. Filters the search results to those with a certificate serial number that matches the specified serial number. This command does not support multiple values.

-dp <Certificate Distribution Point> Optional. Filters the search results to the specified Certificate Distribution Point (CDP). This command does not support multiple values.

Example

[Expert@MGMT:0]# cpca_client lscert -stat Revoked
Operation succeeded. rc=0.
5 certs found.

Subject = CN=VSX2,O=MyDomain_Server.[Link].s6t98x
Status = Revoked Kind = SIC Serial = 5521 DP = 0
Not_Before: Sun Apr 8 14:10:01 2018 Not_After: Sat Apr 8 14:10:01 2023

Subject = CN=VSX1,O=MyDomain_Server.[Link].s6t98x
Status = Revoked Kind = SIC Serial = 9113 DP = 0
Not_Before: Sun Apr 8 14:09:02 2018 Not_After: Sat Apr 8 14:09:02 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.[Link].s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpca_client lscert -kind IKE
Operation succeeded. rc=0.
3 certs found.

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.[Link].s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX_Cluster VPN Certificate,O=MyDomain_Server.[Link].s6t98x
Status = Valid Kind = IKE Serial = 64655 DP = 1
Not_Before: Mon Apr 9 19:36:31 2018 Not_After: Sun Apr 9 19:36:31 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.[Link].s6t98x
Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#

cpca_client revoke_cert

Description
Revokes a certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_cert [-p <CA port number>] -n "CN=<Common Name>" -s <Certificate Serial Number>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to
    a file, or use the script command to save the entire CLI session.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or
    Domain Management Server, which is used to connect to the Certificate
    Authority.
    The default TCP port number is 18209.

-n "CN=<Common Name>"
    Specifies the certificate CN.
    To get the CN, run the "cpca_client lscert" on page 743 command and
    examine the text that you see between the "Subject =" and the ",O=...".
    Example
    From this output:
    Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.[Link].s6t98x
    Status = Valid Kind = IKE Serial = 27214 DP = 1
    Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
    you get this syntax:
    -n "CN=VS1 VPN Certificate"
    Note - You can use the parameter "-n" only, or together with the
    parameter "-s".

-s <Certificate Serial Number>
    Specifies the certificate serial number.
    To see the serial number, run the "cpca_client lscert" on page 743
    command.
    Note - You can use the parameter "-s" only, or together with the
    parameter "-n".

Example 1 - Revoking a certificate specified by its CN

[Expert@MGMT:0]# cpca_client lscert
Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.[Link].s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -n "CN=VS1 VPN Certificate"
Certificate was revoked successfully
[Expert@MGMT:0]#

Example 2 - Revoking a certificate specified by its serial number

[Expert@MGMT:0]# cpca_client lscert
Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.[Link].s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -s 27214
Certificate was revoked successfully
[Expert@MGMT:0]#

cpca_client revoke_non_exist_cert

Description
Revokes a non-existent certificate issued by the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] revoke_non_exist_cert -i <Full Path to Input File>

Parameters

-d
    Runs the cpca_client command under debug.

-i <Full Path to Input File>
    Specifies the file that contains the list of the certificates to revoke.
    You must create this file in the same format as the "cpca_client lscert" on
    page 743 command prints its output.
    Example
    Subject = CN=cp_mgmt,O=MGMT.5p72vp
    Status = Valid Kind = SIC Serial = 30287 DP = 0
    Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
    <Empty Line>
    Subject = CN=cp_mgmt,O=MGMT.5p72vp
    Status = Valid Kind = SIC Serial = 60870 DP = 0
    Not_Before: Sat Apr 7 19:40:13 2018 Not_After: Fri Apr 7 19:40:13 2023

Note - This command saves the error messages in the <Name of Input
File>.failures file.
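The three-line record format printed by "cpca_client lscert" is also the input format that "cpca_client revoke_non_exist_cert -i" consumes, and the "Subject =" line is where the CN for "cpca_client revoke_cert -n" comes from. The following Python script is an added example, not part of Check Point's software: it parses saved lscert output offline, reports the Valid certificates that expire within a given number of days (so SIC and IKE certificates can be renewed before trust breaks), extracts the CN argument exactly as described for revoke_cert, and writes records back out in the layout that revoke_non_exist_cert expects. The sample output is constructed from the examples in this guide with a made-up O= suffix; the script never talks to the ICA.

```python
"""Offline helper for "cpca_client lscert" output (added example, not Check Point code).

Assumes only the record layout this guide shows for lscert:
    Subject = <DN>
    Status = <status> Kind = <kind> Serial = <n> DP = <n>
    Not_Before: <ctime date> Not_After: <ctime date>
Typical use: "cpca_client lscert > certs.txt" on the Management Server, then
analyse the saved file with this script.
"""
import re
from datetime import datetime, timedelta

# Second and third line of every lscert record.
_STATUS_RE = re.compile(
    r"Status = (?P<status>\S+) Kind = (?P<kind>\S+) "
    r"Serial = (?P<serial>\d+) DP = (?P<dp>\d+)$"
)
_DATES_RE = re.compile(r"Not_Before: (?P<nb>.+?) Not_After: (?P<na>.+)$")
_DATE_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Sun Apr 8 14:10:01 2018"

# Constructed sample in the lscert layout; the O= suffix is made up.
SAMPLE_LSCERT = """\
Operation succeeded. rc=0.
3 certs found.

Subject = CN=VSX1,O=MGMT.abc123
Status = Valid Kind = SIC Serial = 9113 DP = 0
Not_Before: Sun Apr 8 14:09:02 2018 Not_After: Sat Apr 8 14:09:02 2023

Subject = CN=VS1 VPN Certificate,O=MGMT.abc123
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX2,O=MGMT.abc123
Status = Revoked Kind = SIC Serial = 5521 DP = 0
Not_Before: Sun Apr 8 14:10:01 2018 Not_After: Sat Apr 8 14:10:01 2023
"""


def _parse_date(text):
    # ctime-style output pads single-digit days with two spaces; collapse them.
    return datetime.strptime(" ".join(text.split()), _DATE_FMT)


def _format_date(d):
    # lscert prints the day without zero padding, so build the string by hand.
    return f"{d:%a %b} {d.day} {d:%H:%M:%S %Y}"


def parse_lscert(text):
    """Return one dict per certificate record; non-record lines are ignored."""
    records, current = [], {}
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line.startswith("Subject = "):
            current = {"subject": line[len("Subject = "):]}
            continue
        m = _STATUS_RE.match(line)
        if m and "subject" in current:
            current.update(status=m["status"], kind=m["kind"],
                           serial=int(m["serial"]), dp=int(m["dp"]))
            continue
        m = _DATES_RE.match(line)
        if m and "serial" in current:
            current["not_before"] = _parse_date(m["nb"])
            current["not_after"] = _parse_date(m["na"])
            records.append(current)
            current = {}
    return records


def common_name(record):
    """Value for "cpca_client revoke_cert -n": the text between "Subject = " and ",O="."""
    return record["subject"].split(",O=", 1)[0]


def expiring_within(records, days, now=None):
    """Valid certificates whose Not_After falls within the next `days` days.
    `now` may be a datetime or an ISO date string; it defaults to the current time."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    limit = now + timedelta(days=days)
    return [r for r in records
            if r["status"] == "Valid" and now <= r["not_after"] <= limit]


def format_revoke_input(records):
    """Render records in the lscert layout that "revoke_non_exist_cert -i <file>"
    expects: one record per block, blocks separated by an empty line."""
    blocks = []
    for r in records:
        blocks.append(
            f"Subject = {r['subject']}\n"
            f"Status = {r['status']} Kind = {r['kind']} "
            f"Serial = {r['serial']} DP = {r['dp']}\n"
            f"Not_Before: {_format_date(r['not_before'])} "
            f"Not_After: {_format_date(r['not_after'])}\n"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    certs = parse_lscert(SAMPLE_LSCERT)
    for c in expiring_within(certs, 60, now="2023-03-01"):
        print(f"{common_name(c)} (serial {c['serial']}) expires {c['not_after']:%Y-%m-%d}")
```

The parser keys only on the three record lines, so the "Operation succeeded" and "N certs found" lines, and the Fingerprint and Thumbprint lines that "cpca_client search" adds, pass through untouched.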

cpca_client search

Description
Searches for certificates in the ICA.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] search <String>
    [-where {dn | comment | serial | device_type | device_id | device_name}]
    [-kind {SIC | IKE | User | LDAP}]
    [-stat {Pending | Valid | Revoked | Expired | Renewed}]
    [-max <Maximum Number of Results>] [-showfp {y | n}]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

<String>
    Specifies the text to search in the certificates.
    You can enter only one text string that does not contain spaces.

-where {dn | comment | serial | device_type | device_id | device_name}
    Optional. Specifies the certificate's field, in which to search for the
    string:
    - dn - Certificate DN
    - comment - Certificate comment
    - serial - Certificate serial number
    - device_type - Device type
    - device_id - Device ID
    - device_name - Device Name
    The default is to search in all fields.

-kind {SIC | IKE | User | LDAP}
    Optional. Specifies the certificate kind to search.
    You can enter multiple values in this format:
    -kind <Kind1> <Kind2> <Kind3>
    The default is to search for all kinds.

-stat {Pending | Valid | Revoked | Expired | Renewed}
    Optional. Specifies the certificate status to search.
    You can enter multiple values in this format:
    -stat <Status1> <Status2> <Status3>
    The default is to search for all statuses.

-max <Maximum Number of Results>
    Optional. Specifies the maximum number of results to show.
    - Range: 1 and greater
    - Default: 200

-showfp {y | n}
    Optional. Specifies whether to show the certificate's fingerprint and
    thumbprint:
    - y - Shows the fingerprint and thumbprint (this is the default)
    - n - Does not show the fingerprint and thumbprint

Example 1

[Expert@MGMT:0]# cpca_client search samplecompany -where comment -kind SIC LDAP -stat Pending Valid Renewed

Example 2

[Expert@MGMT:0]# cpca_client search [Link] -where dn
Operation succeeded. rc=0.
1 certs found.

Subject = CN=[Link],O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
Fingerprint = XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX
Thumbprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
[Expert@MGMT:0]#

Example 3

[Expert@MGMT:0]# cpca_client search [Link] -where dn -showfp n
Operation succeeded. rc=0.
1 certs found.

Subject = CN=[Link],O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
[Expert@MGMT:0]#

cpca_client set_ca_services

Description
This command enables and disables the Certificate Authority Services Portal on the
Management Server on the TCP port 18268.
From this portal, you can download the applicable Internal Certificate Authority certificates.
For trust purposes, you can install this certificate on the applicable Security Gateways,
externally managed Site to Site VPN peer gateways, Remote Access VPN clients, clients that
use Clientless VPN, and so on.

Note - In R82, the TCP port 18264 on the Management Server is available only for the
retrieval of the CRL (Certificate Revocation List).

Syntax

cpca_client set_ca_services {on | off}

Parameters

on
    Enables the Certificate Authority Services Portal

off
    Disables the Certificate Authority Services Portal

Procedure for a Security Management Server

Enabling the Certificate Authority Services Portal

1. Connect to the command line on the Security Management Server.
2. Log in to the Expert mode.
3. Enable the Certificate Authority Services Portal:

cpca_client set_ca_services on

4. With a web browser, connect to:

[Link] Address of Security Management Server>:18268

5. Download the required certificate.
6. Install this certificate on the applicable computers.

Disabling the Certificate Authority Services Portal

1. Connect to the command line on the Security Management Server.
2. Log in to the Expert mode.
3. Disable the Certificate Authority Services Portal:

cpca_client set_ca_services off

Procedure for a Domain Management Server

Enabling the Certificate Authority Services Portal

1. Connect to the command line on the Multi-Domain Server.
2. Log in to the Expert mode.
3. Go to the context of the Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

4. Enable the Certificate Authority Services Portal:

cpca_client set_ca_services on

5. With a web browser, connect to:

[Link] Address of Domain Management Server>:18268

6. Download the required certificate.
7. Install this certificate on the applicable computers.

Disabling the Certificate Authority Services Portal

1. Connect to the command line on the Multi-Domain Server.
2. Log in to the Expert mode.
3. Go to the context of the Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

4. Disable the Certificate Authority Services Portal:

cpca_client set_ca_services off

cpca_client set_cert_validity

Description
This command configures the default certificate validity period for new certificates.

Notes:
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- The new certificate validity period applies only to certificates you create after this
  change.

Syntax

cpca_client set_cert_validity -k {SIC | IKE | USER} [-y <Number of Years>]
    [-d <Number of Days>] [-h <Number of Hours>] [-s <Number of Seconds>]

Parameters

-k {SIC | IKE | USER}
    Specifies the certificate type.

-y <Number of Years>
    Specifies the validity period in years.

-d <Number of Days>
    Specifies the validity period in days.

-h <Number of Hours>
    Specifies the validity period in hours.

-s <Number of Seconds>
    Specifies the validity period in seconds.

Example

[Expert@MGMT:0]# cpca_client set_cert_validity -k IKE -y 3
cert validity period was changed successfully.
[Expert@MGMT:0]#

cpca_client set_mgmt_tool

Description
Controls the ICA Management Tool.
This tool is disabled by default.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

See sk102837: Best Practices - ICA Management Tool configuration

Syntax

cpca_client [-d] set_mgmt_tool {on | off | add | remove | clean | print}
    [-p <CA port number>]
    [{-a <Administrator DN> | -u <User DN> | -c <Custom User DN>}]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

on
    Starts the ICA Management Tool.

off
    Stops the ICA Management Tool.

add
    Adds the specified administrator, user, or custom user that is permitted
    to use the ICA Management Tool.

remove
    Removes the specified administrator, user, or custom user that is
    permitted to use the ICA Management Tool.

clean
    Removes all administrators, users, or custom users that are permitted to
    use the ICA Management Tool.

print
    Shows the configured administrators, users, or custom users that are
    permitted to use the ICA Management Tool.

-p <CA port number>
    Optional. Specifies the TCP port on the Security Management Server or
    Domain Management Server, which is used to connect to the Certificate
    Authority.
    The default TCP port number is 18265.

-a <Administrator DN>
    Optional. Specifies the DN of the administrator that is permitted to use
    the ICA Management Tool.
    You must specify the full DN as it appears in SmartConsole.
    Procedure
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields
    Example:
    -a "CN=ICA_Tool_Admin,OU=users,O=MGMT.s6t98x"

-u <User DN>
    Optional. Specifies the DN of the user that is permitted to use the ICA
    Management Tool.
    You must specify the full DN as it appears in SmartConsole.
    Procedure
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields
    Example:
    -u "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

-c <Custom User DN>
    Optional. Specifies the DN for the custom user that is permitted to use
    the ICA Management Tool.
    You must specify the full DN as it appears in SmartConsole.
    Procedure
    1. Open Object Explorer > Users
    2. Open the Administrator object or a User object properties
    3. Click the Certificates pane
    4. Select the certificate and click the pencil icon
    5. Click View certificate details
    6. In the Certificate Info window, click the Details tab
    7. Click the Subject field
    8. Concatenate all fields
    Example:
    -c "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

Note - If you run the "cpca_client set_mgmt_tool" command without the
parameter "-a" or "-u", the list of the permitted administrators and users is not
changed. The previously defined permitted administrators and users can start and
stop the ICA Management Tool.

To connect to the ICA Management Tool

1. In SmartConsole, configure the required administrator and user objects.
You must create a certificate for these administrators and users.
You use this certificate to configure the permitted users in the ICA Management Tool and
in the client web browsers.
2. In the command line on the Management Server, add the required administrators and
users that are permitted to use the ICA Management Tool.

cpca_client set_mgmt_tool add ...

3. In the command line on the Management Server, start the ICA Management Tool.

cpca_client set_mgmt_tool on

4. Check the status of the ICA Management Tool:

cpca_client set_mgmt_tool print

5. Import the administrator's / user's certificate into the Windows Certificate Store:
a. Right-click the *.p12 file you saved when you created the required administrator /
user, and click Install PFX.
The Certificate Import Wizard opens.
b. In the Store Location section, select the applicable option:
- Current User (this is the default)
- Local Machine
c. Click Next.
d. Enter the same certificate password you used when you created the required
administrator / user certificate.
e. Clear Enable strong private key protection.
f. Select Mark this key as exportable.
g. Click Next.
h. Select Place all certificates in the following store > click Browse > select
Personal > click OK.
i. Click Next.
j. Click Finish.

6. In a web browser, connect to the ICA Management Tool:

[Link] Address of the Management Server>:18265

Important - The fact that the TCP port 18265 is open is not a vulnerability. The
ICA Management Tool Portal is secured and protected by SSL. In addition, only
authorized administrators and users are allowed to access it using a certificate.

7. A dialog box with this message appears:

Client Authentication
Identification
The Web site you want to view requests identification.
Select the certificate to use when connecting.

8. Select the appropriate certificate for authenticating to the ICA Management Tool.
9. Click OK.
10. In the Security Alert dialog box, click Yes.

cpca_client set_sign_hash

Description
Sets the hash algorithm that the CA uses to sign the file hash. Also, see sk103840.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_client [-d] set_sign_hash {sha1 | sha256 | sha384 | sha512}

Important - After this change, you must restart the Check Point services with these
commands:
- On a Security Management Server, run:
  1. cpstop
  2. cpstart
- On a Multi-Domain Server, run:
  1. mdsstop_customer <Name or IP Address of Domain Management Server>
  2. mdsstart_customer <Name or IP Address of Domain Management Server>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

{sha1 | sha256 | sha384 | sha512}
    The hash algorithm that the CA uses to sign the file hash.
    The default algorithm is SHA-256.

Example

[Expert@MGMT:0]# cpca_client set_sign_hash sha256

You have selected the signature hash function SHA-256

WARNING: This hash algorithm is not supported in Check Point gateways prior to R71.
WARNING: It is also not supported on older clients and SG80 R71.

Are you sure? (y/n)
y
Internal CA signature hash changed successfully.
Note that the signature on the Internal CA certificate has not changed, but this has no security
implications.
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpstop ; cpstart

cpca_create
Description
Creates new Check Point Internal Certificate Authority database.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

cpca_create [-d] -dn <CA DN>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

-dn <CA DN>
    Specifies the Certificate Authority Distinguished Name (DN).

cpconfig
Description
This command starts the Check Point Configuration Tool.
This utility configures specific settings for the installed Check Point products.

Syntax

cpconfig

Note - On a Multi-Domain Server, run the "mdsconfig" command.

Menu Options

Note - The options shown depend on the configuration and installed products.

Licenses and contracts
    Manages Check Point licenses and contracts on this server.

Administrator
    Configures Check Point system administrators for this server.

GUI Clients
    Configures the GUI clients that can use SmartConsole to connect to this
    server.

SNMP Extension
    Obsolete. Do not use this option anymore.
    To configure SNMP, see the R82 Gaia Administration Guide - Chapter System
    Management - Section SNMP.

Random Pool
    Configures the RSA keys, to be used by Gaia Operating System.

Certificate Authority
    Initializes the Internal Certificate Authority (ICA) and configures the
    Certificate Authority's (CA) Fully Qualified Domain Name (FQDN).

Certificate's Fingerprint
    Shows the ICA's Fingerprint.
    This fingerprint is a text string derived from the server's ICA
    certificate.
    This fingerprint verifies the identity of the server when you connect to
    it with SmartConsole.

Automatic start of Check Point Products
    Shows and controls which of the installed Check Point products start
    automatically during boot.

Exit
    Exits from the Check Point Configuration Tool.

Example - Menu on a Security Management Server

[Expert@MyMGMT:0]# cpconfig
This program will let you re-configure
your Check Point Security Management Server configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) Administrator
(3) GUI Clients
(4) SNMP Extension
(5) Random Pool
(6) Certificate Authority
(7) Certificate's Fingerprint
(8) Automatic start of Check Point Products

(9) Exit

Enter your choice (1-9) :

cpinfo
Description
A utility that collects diagnostics data on your Check Point computer at the time of execution.
It is mandatory to collect this data when you contact Check Point Support about an issue on
your Check Point server.
For more information, see sk92739.

cplic
Description
The cplic command manages Check Point licenses.
You can run this command in Gaia Clish or in the Expert mode.
License Management is divided into three types of commands:

Local licensing commands
    Applies to: Management Servers, Security Gateways and Cluster Members
    You execute these commands locally on the Check Point computers.

Remote licensing commands
    Applies to: Management Servers only
    You execute these commands on the Security Management Server or Domain
    Management Server.
    These changes affect the managed Security Gateways and Cluster Members.

License Repository commands
    Applies to: Management Servers only
    You execute these commands on the Security Management Server or Domain
    Management Server.
    These changes affect the licenses stored in the local license repository.

Syntax for Local Licensing on a Management Server itself

cplic [-d]
{-h | -help}
check <options>
contract <options>
del <options>
print <options>
put <options>

Syntax for Remote Licensing on managed Security Gateways and Cluster Members

cplic [-d]
{-h | -help}
del <options>
get <options>
put <options>
upgrade <options>

Syntax for License Database Operations on a Management Server

cplic [-d]
{-h | -help}
db_add <options>
db_print <options>
db_rm <options>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the applicable built-in usage.

check <options>
    Confirms that the license includes the feature on the local Security
    Gateway or Management Server.
    See "cplic check" on page 771.

contract <options>
    Manages (deletes and installs) the Check Point Service Contract on the
    local Check Point computer.
    See "cplic contract" on page 773.

db_add <options>
    Applies only to a Management Server.
    Adds licenses to the license repository on the Management Server.
    See "cplic db_add" on page 775.

db_print <options>
    Applies only to a Management Server.
    Shows the details of Check Point licenses stored in the license repository
    on the Management Server.
    See "cplic db_print" on page 777.

db_rm <options>
    Applies only to a Management Server.
    Removes a license from the license repository on the Management Server.
    See "cplic db_rm" on page 779.

del <options>
    Deletes a Check Point license on a host, including unwanted evaluation,
    expired, and other licenses.
    See "cplic del" on page 780.

del <Object Name> <options>
    Detaches a Central license from a remote managed Security Gateway or
    Cluster Member.
    See "cplic del <object name>" on page 781.

get <options>
    Applies only to a Management Server.
    Retrieves all licenses from managed Security Gateways and Cluster Members
    into the license repository on the Management Server.
    See "cplic get" on page 782.

print <options>
    Prints details of the installed Check Point licenses on the local Check
    Point computer.
    See "cplic print" on page 784.

put <options>
    Installs and attaches licenses on a Check Point computer.
    See "cplic put" on page 787.

put <Object Name> <options>
    Attaches one or more Central or Local licenses to remote managed Security
    Gateways and Cluster Members.
    See "cplic put <object name>" on page 790.

upgrade <options>
    Applies only to a Management Server.
    Upgrades licenses in the license repository with licenses in the specified
    license file.
    See "cplic upgrade" on page 793.

cplic check

Description
Confirms that the license includes the feature on the local Security Gateway or Management
Server. See sk66245.

Syntax

cplic check {-h | -help}

cplic [-d] check [-p <Product>] [-v <Version>] [{-c | -count}] [-t <Date>]
    [{-r | -routers}] [{-S | -SRusers}] <Feature>

You can run this command:
- On a Management Server / Security Gateway / Cluster Member in Gaia Clish or the
  Expert mode
- On a Scalable Platform Security Group in Gaia gClish or the Expert mode

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

-p <Product>
    Product, for which license information is requested.
    Some examples of products:
    - fw1 - FireWall-1 infrastructure on Security Gateway / Cluster Member /
      Security Group (all Software Blades), or Management Server (all Software
      Blades)
    - mgmt - Multi-Domain Server infrastructure
    - services - Entitlement for various services
    - cvpn - Mobile Access
    - etm - QoS (FloodGate-1)
    - eps - Endpoint Software Blades on Management Server

-v <Version>
    Product version, for which license information is requested.

{-c | -count}
    Outputs the number of licenses connected to this feature.

-t <Date>
    Checks license status on a future date.
    Use the format ddmmyyyy.
    A feature can be valid on a given date on one license, but invalid on
    another.

{-r | -routers}
    Checks how many routers are allowed.
    The <Feature> option is not needed.

{-S | -SRusers}
    Checks how many SecuRemote users are allowed.

<Feature>
    Feature, for which license information is requested.

Example from a Management Server

[Expert@MGMT]# cplic print -p
Host Expiration Primitive-Features
W.X.Y.Z 24Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:comp fw1:6.0:compunlimited fw1:6.0:cluster-1 fw1:6.0:cpxmgmt_qos_u_sites
fw1:6.0:sprounl fw1:6.0:nxunlimit fw1:6.0:swp evnt:6.0:smrt_evnt fw1:6.0:fwc fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv
fw1:6.0:cmd evnt:6.0:alzd5 evnt:6.0:alzc1 evnt:6.0:alzs1 fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:sme10 etm:6.0:rtm_u fw1:6.0:cep1 fw1:6.0:rt
fw1:6.0:cemid fw1:6.0:web_sec_u fw1:6.0:workflow fw1:6.0:ram1 fw1:6.0:routers fw1:6.0:supmgmt fw1:6.0:supunlimit fw1:6.0:prov
fw1:6.0:atlas-unlimit fw1:6.0:filter fw1:6.0:ui psmp:6.0:psmsunlimited fw1:6.0:vpe_unlimit fw1:6.0:cluster-u fw1:6.0:remote1 fw1:6.0:aes
fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt fw1:6.0:rtmmgmt fw1:6.0:fgmgmt fw1:6.0:blades
fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote
[Expert@MGMT]#

Example from a Management Server in High Availability

[Expert@MGMT]# cplic check -p fw1 -v 6.0 -c mgmtha
cplic check 'mgmtha': 1 licenses
[Expert@MGMT]#
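The two examples above fit together: "cplic print -p" lists each license as <Host> <Expiration> <Primitive-Features>, where every feature token has the form <product>:<version>:<feature> (the ::CK-... token is the license's certificate key), and "cplic check -p fw1 -v 6.0 -c mgmtha" counts the licenses that carry fw1:6.0:mgmtha and are still valid. The following Python model is an added example, not Check Point's implementation of cplic: it parses that layout from a constructed sample (hosts, CK values and dates are made up) and reproduces the count that "-c" reports, including the "-t <Date>" check on a future date in ddmmyyyy format. It is useful for auditing saved "cplic print -p" output from many gateways offline.

```python
"""Model of "cplic check -c [-t <Date>] <Feature>" over "cplic print -p" output.

Added example, not Check Point's implementation. Assumes only what the guide
shows: one license per line as <Host> <Expiration> <Primitive-Features>,
feature tokens as <product>:<version>:<feature>, a leading ::CK-... token,
expiration dates like 24Mar2016, and "-t" dates in ddmmyyyy form.
"""
from datetime import datetime

# Constructed sample in the layout of "cplic print -p"; hosts, CKs and dates are made up.
SAMPLE_CPLIC_PRINT = """\
Host            Expiration  Primitive-Features
192.0.2.10      24Mar2016   ::CK-000000000001 fw1:6.0:swb fw1:6.0:cluster-u fw1:6.0:mgmtha fw1:6.0:remote
192.0.2.10      31Dec2030   ::CK-000000000002 fw1:6.0:swb fw1:6.0:remote evnt:6.0:smrt_evnt
"""


def parse_cplic_print(text):
    """Return one dict per license line: host, expiry datetime, CK and feature set."""
    licenses = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] == "Host":
            continue  # header or blank line
        host, expiration, tokens = parts[0], parts[1], parts[2:]
        ck, features = None, set()
        for tok in tokens:
            if tok.startswith("::"):
                ck = tok[2:]  # certificate key, not a feature
                continue
            if tok.count(":") != 2:
                continue  # not a <product>:<version>:<feature> token
            product, version, name = tok.split(":", 2)
            features.add((product, version, name))
        licenses.append({
            "host": host,
            "expires": datetime.strptime(expiration, "%d%b%Y"),
            "ck": ck,
            "features": features,
        })
    return licenses


def parse_check_date(ddmmyyyy):
    """Parse the date format that "cplic check -t" takes (ddmmyyyy)."""
    return datetime.strptime(ddmmyyyy, "%d%m%Y")


def check_feature(licenses, feature, product="fw1", version="6.0", on_date=None):
    """Count licenses that carry <product>:<version>:<feature> and have not
    expired on on_date (a ddmmyyyy string; defaults to today). This mirrors
    "cplic check -p <product> -v <version> -c [-t <date>] <feature>"."""
    when = parse_check_date(on_date) if on_date else datetime.now()
    return sum(
        1 for lic in licenses
        if (product, version, feature) in lic["features"] and lic["expires"] >= when
    )


if __name__ == "__main__":
    lics = parse_cplic_print(SAMPLE_CPLIC_PRINT)
    print("cplic check 'mgmtha' on 01032016:", check_feature(lics, "mgmtha", on_date="01032016"))
    print("cplic check 'mgmtha' on 01042016:", check_feature(lics, "mgmtha", on_date="01042016"))
```

Note that a feature can be present on an expired license and absent from a current one, which is exactly the situation the "-t" parameter is documented to expose: the count for swb on a date before 24Mar2016 is two, and one afterwards.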

cplic contract

Description
Deletes the Check Point Service Contract on the local Check Point computer.
Installs the Check Point Service Contract on the local Check Point computer.

Note
- For more information about Service Contract files, see sk33089: What is a
  Service Contract File?
- If you install a Service Contract on a managed Security Gateway / Cluster
  Member / Scalable Platform Security Group, you must update the license
  repository on the applicable Management Server - either with the "cplic get" on
  page 782 command, or in SmartUpdate.

Syntax

cplic contract -h
cplic [-d] contract
      del
          -h
          <Service Contract ID>
      put
          -h
          [{-o | -overwrite}] <Service Contract File>

You can run this command:
- On a Management Server / Security Gateway / Cluster Member in Gaia Clish or the
  Expert mode
- On a Scalable Platform Security Group in Gaia gClish or the Expert mode

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

del
    Deletes the Service Contract from the $CPDIR/conf/[Link] file on the
    local Check Point computer.

put
    Merges the Service Contract to the $CPDIR/conf/[Link] file on the local
    Check Point computer.

<Service Contract ID>
    ID of the Service Contract.

{-o | -overwrite}
    Specifies to overwrite the current Service Contract.

<Service Contract File>
    Path to and the name of the Service Contract file.
    First, you must download the Service Contract file from your Check Point
    User Center account.

cplic db_add

Description
Adds licenses to the license repository on the Management Server.
When you add Local licenses to the license repository, Management Server automatically
attaches them to the managed Security Gateway / Cluster Member with the matching IP
address.
When you add Central licenses, you must manually attach them.

Note - You get the license details in the Check Point User Center.

Syntax

cplic db_add {-h | -help}

cplic [-d] db_add -l <License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Features>]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

-l <License File>
    Name of the file that contains the license.

<Host>
    Hostname or IP address of the Security Management Server / Domain
    Management Server.

<Expiration Date>
    The license expiration date.

<Signature>
    The license signature string.
    For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
    Case sensitive. Hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example, CPSUITE-EVAL-3DES-vNG

Example
If the file [Link].lic contains one or more licenses, the command "cplic db_add -l [Link].lic" produces output similar to:

[Expert@MGMT]# cplic db_add -l [Link].lic
Adding license to database ...
Operation Done
[Expert@MGMT]#

cplic db_print

Description
Shows the details of Check Point licenses stored in the license repository on the Management
Server.

Syntax

cplic db_print {-h | -help}


cplic [-d] db_print {<Object Name> | -all} [{-n | -noheader}] [-x]
[{-t | -type}] [{-a | -attached}]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

<Object Name>
    Prints only the licenses attached to <Object Name>.
    <Object Name> is the name of the Security Gateway / Cluster Member object
    as defined in SmartConsole.

-all
    Prints all the licenses in the license repository.

{-n | -noheader}
    Prints licenses with no header.

-x
    Prints licenses with their signatures.

{-t | -type}
    Prints licenses with their type: Central or Local.

{-a | -attached}
    Shows to which object the license is attached.
    Useful if the parameter "-all" is specified.

Example

[Expert@MGMT:0]# cplic db_print -all


Retrieving license information from database ...

The following licenses appear in the database:


===============================================
Host Expiration Features
[Link] 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@MGMT:0]#

[Expert@MGMT:0]# cplic db_print -all -x -a


Retrieving license information from database ...

The following licenses appear in the database:


===============================================
Host Expiration Features
[Link] 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX MGMT
[Expert@MGMT:0]#

cplic db_rm

Description
Removes a license from the license repository on the Management Server.
After you remove a license from the repository, you can no longer use it.

Warning - You can run this command ONLY after you detach the license with the
"cplic del" on page 780 command.

Syntax

cplic db_rm {-h | -help}


cplic [-d] db_rm <Signature>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

<Signature>
    The signature string within the license.
    To see the license signature string, run the "cplic print" on page 784
    command.

Example
[Expert@MGMT:0]# cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn

cplic del

Description
Deletes a Check Point license on a host, including unwanted evaluation, expired, and other
licenses.
This command can delete a license on both the local computer and on remote
managed computers.

Syntax

cplic del {-h | -help}


cplic [-d] del [-F <Output File>] <Signature> <Object Name>

You can run this command:

- On a Management Server / Security Gateway / Cluster Member in Gaia Clish or
  the Expert mode
- On a Scalable Platform Security Group in Gaia gClish or the Expert mode

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

-F <Output File>
    Saves the command output to the specified file.

<Signature>
    The signature string within the license.
    To see the license signature string, run the "cplic print" on page 784
    command.

<Object Name>
    The name of the Security Gateway / Cluster Member object as configured in
    SmartConsole.

cplic del <object name>

Description
Detaches a Central license from a remote managed Security Gateway or Cluster Member.
When you run this command, it automatically updates the license repository.
The Central license remains in the license repository as an unattached license.

Syntax

cplic del {-h | -help}


cplic [-d] del <Object Name> [-F <Output File>] [-ip <Dynamic IP Address>]
      <Signature>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

<Object Name>
    The name of the Security Gateway / Cluster Member object as defined in
    SmartConsole.

-F <Output File>
    Saves the command output to the specified file.

-ip <Dynamic IP Address>
    Deletes the license on the DAIP Security Gateway with the specified IP
    address.
    Note - If this parameter is used, then the object name must be a DAIP
    Security Gateway.

<Signature>
    The signature string within the license.
    To see the license signature string, run the "cplic print" on page 784
    command.

cplic get

Description
Retrieves all licenses from managed Security Gateways and Cluster Members into the license
repository on the Management Server.
This command helps synchronize the license repository with the managed Security Gateways
and Cluster Members.
When you run this command, it updates the license repository with all local changes.

Syntax

cplic get {-h | -help}


cplic [-d] get {-all | <IP Address> | <Host Name>}

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

-all
    Retrieves licenses from all Security Gateways and Cluster Members in the
    managed network.

<IP Address>
    The IP address of the Security Gateway / Cluster Member from which
    licenses are to be retrieved.

<Host Name>
    The name of the Security Gateway / Cluster Member object as defined in
    SmartConsole, from which licenses are to be retrieved.

Example
If the Security Gateway with the object name MyGW contains four Local licenses, and the
license repository contains two other Local licenses, the command "cplic get MyGW"
produces output similar to this:

[Expert@MGMT:0]# cplic get MyGW


Get retrieved 4 licenses.
Get removed 2 licenses.
[Expert@MGMT:0]#

cplic print

Description
Prints details of the installed Check Point licenses on the local Check Point server.

Notes:
- On a Security Gateway / Cluster Member / Scalable Platform Security Group,
  this command prints all installed licenses (both Local and Central).
- Before installing a valid license, and after you establish SIC between this
  Security Gateway / Cluster Member and its Management Server, this command
  shows the trial license.

Syntax

cplic print {-h | -help}


cplic [-d] print [{-n | -noheader}] [-x] [{-t | -type}] [-F <Output File>]
      [{-p | -preatures}] [-D]

You can run this command:

- On a Management Server / Security Gateway / Cluster Member in Gaia Clish or
  the Expert mode
- On a Scalable Platform Security Group in Gaia gClish or the Expert mode

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

{-n | -noheader}
    Prints licenses without the output header.

-x
    Prints licenses and their signature.

{-t | -type}
    Prints licenses and their type: Central or Local.

-F <Output File>
    Saves the command output to the specified file.

{-p | -preatures}
    Prints licenses and their primitive features.
    Best Practice - Use this syntax:
        cplic print -n -p | tr ' ' '\n' | sort -u

-D
    On a Multi-Domain Server, prints only Domain licenses.

Example 1

[Expert@HostName:0]# cplic print


Host Expiration Features
[Link] 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

Example 2

[Expert@HostName:0]# cplic print -n


[Link] 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

Example 3

[Expert@HostName:0]# cplic print -x


Host Expiration Signature Features
[Link] 25Aug2019 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

Example 4

[Expert@HostName:0]# cplic print -t


Type Host Expiration Features
central [Link] 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

Example 5

[Expert@HostName:0]# cplic print -p


Host Expiration Features
[Link] 25Aug2019 CPMP-XXX CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:zp fw1:6.0:ctnt ...
[Expert@HostName:0]#

[Expert@HostName:0]# cplic print -n -p | tr ' ' '\n' | sort -u

25Aug2019
[Link]
::CK-XXXXXXXXXXXX
::CPMP-XXX
cvpn:6.0:cvpn
cvpn:6.0:mobmail
...
etm:6.0:fg
etm:6.0:fgmgmt
etm:6.0:fgvpn
...
evnt:6.0:alzd100
evnt:6.0:smrt_evnt
...
fw1:6.0:abot
fw1:6.0:appi
fw1:6.0:av
fw1:6.0:blades
fw1:6.0:cmpmgmt
...
ips:6.0:alcr
ips:6.0:app2070c1
...
mgmt:6.0:gblp
...
smb:6.0:smp1

[Expert@HostName:0]#
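As an added example that is not part of the guide, the POSIX shell functions below audit output in the "cplic print -n" layout shown above and flag licenses that are expired or about to expire, treating "Never" as a permanent license. The sample license lines, hosts (documentation range 192.0.2.0/24) and certificate keys are constructed; the warning cut-off is passed in as a YYYYMMDD number so the check does not depend on GNU "date -d".

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: audit "cplic print -n"
# output for expired and soon-to-expire licenses.
# Layout of "cplic print -n" (no header): <Host> <Expiration> <Features...>
# Expiration is either ddMonyyyy (e.g. 25Aug2019) or the word "Never".

# Constructed sample in the "cplic print -n" layout; hosts use the
# documentation range 192.0.2.0/24 and the certificate keys are dummies.
SAMPLE_CPLIC_OUTPUT='192.0.2.10 25Aug2019 CPMP-XXX CK-000000000001
192.0.2.10 Never CPSB-SWB CPSB-ADNC-M CK000000000002
192.0.2.11 20Jun2025 CPSB-EVAL CK-000000000003
192.0.2.11 14Jan2030 CPSB-SWB CK000000000004'

# Convert a cplic expiration ("25Aug2019", "5Aug2019" or "Never") to YYYYMMDD
# so that dates compare as plain integers. "Never" becomes 99999999 (sorts
# after any real date); anything that does not parse becomes "ERR".
cplic_date_to_num() {
    case "$1" in
        Never|never) echo 99999999; return 0 ;;
    esac
    printf '%s\n' "$1" | awk '{
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) idx[m[i]] = i
        if (match($1, /^[0-9]+/) == 0) { print "ERR"; exit }
        day  = substr($1, 1, RLENGTH)
        rest = substr($1, RLENGTH + 1)
        mon  = substr(rest, 1, 3)
        year = substr(rest, 4)
        if (!(mon in idx) || year !~ /^[0-9][0-9][0-9][0-9]$/ ||
            day + 0 < 1 || day + 0 > 31) { print "ERR"; exit }
        printf "%s%02d%02d\n", year, idx[mon], day
    }'
}

# Classify every license line; prints "<STATUS> <Host> <Expiration>" per line.
#   $1 = "cplic print -n" output, $2 = today (YYYYMMDD), $3 = warn-until (YYYYMMDD)
# STATUS is EXPIRED (before today), EXPIRING (today .. warn-until), OK,
# PERMANENT ("Never") or UNPARSED (unexpected date text; reported, not skipped).
classify_licenses() {
    printf '%s\n' "$1" | while read -r host expiry _features; do
        [ -n "$host" ] || continue
        num=$(cplic_date_to_num "$expiry")
        if [ "$num" = "ERR" ]; then
            status=UNPARSED
        elif [ "$num" -eq 99999999 ]; then
            status=PERMANENT
        elif [ "$num" -lt "$2" ]; then
            status=EXPIRED
        elif [ "$num" -le "$3" ]; then
            status=EXPIRING
        else
            status=OK
        fi
        printf '%s %s %s\n' "$status" "$host" "$expiry"
    done
}

# Number of licenses that need attention (EXPIRED or EXPIRING); a monitoring
# job can turn a non-zero count into an alert.
count_attention() {
    classify_licenses "$1" "$2" "$3" |
        awk '$1 == "EXPIRED" || $1 == "EXPIRING" { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample. On a real Management Server
# or Security Gateway, pass "$(cplic print -n)" as the first argument instead.
today=$(date +%Y%m%d)
classify_licenses "$SAMPLE_CPLIC_OUTPUT" "$today" 20991231
```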

cplic put

Description
Installs one or more Local licenses on a Check Point computer.

Note - You get the license details in the Check Point User Center.

Syntax

cplic put {-h | -help}


cplic [-d] put [{-o | -overwrite}] [{-c | -check-only}] [{-s | -select}]
      [-F <Output File>] [{-P | -Pre-boot}] [{-k | -kernel-only}]
      -l <License File> [<Host>] [<Expiration Date>] [<Signature>]
      [<SKU/Features>]

You can run this command:

- On a Management Server / Security Gateway / Cluster Member in Gaia Clish or
  the Expert mode
- On a Scalable Platform Security Group in Gaia gClish or the Expert mode

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

{-o | -overwrite}
    On a Security Gateway / Cluster Member / Scalable Platform Security Group,
    this command erases only the local licenses, but not central licenses
    that are installed remotely.

{-c | -check-only}
    Verifies the license. Checks if the IP of the license matches the Check
    Point computer and if the signature is valid.

{-s | -select}
    Selects only the local license whose IP address matches the IP address
    of the Check Point computer.

-F <Output File>
    Saves the command output to the specified file.

{-P | -Pre-boot}
    Use this option after you have upgraded and before you reboot the Check
    Point computer.
    Use of this option will prevent certain error messages.

{-k | -kernel-only}
    Pushes the current valid licenses to the kernel.
    For use by Check Point Support only.

-l <License File>
    Name of the file that contains the license.

<Host>
    Hostname or IP address of the Security Gateway / Cluster Member /
    Scalable Platform Security Group for a local license.
    Hostname or IP address of the Security Management Server / Domain
    Management Server for a central license.

<Expiration Date>
    The license expiration date.

<Signature>
    The signature string within the license.
    Case sensitive. The hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

host
    The IP address of the external interface (in quad-dot notation).
    The last part cannot be 0 or 255.

expiration date
    The license expiration date. It can be never.

signature
    The license signature string.
    Case sensitive. The hyphens are optional.

SKU/features
    A string listing the SKU and the Certificate Key of the license.
    The SKU of the license summarizes the features included in the license.
    For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

Example

[Expert@HostName:0]# cplic put -l [Link]


Host Expiration SKU
[Link] 14Jan2016 CPSB-SWB CPSB-ADNC-M CK0123456789ab
[Expert@HostName:0]#

cplic put <object name>

Description
Attaches one or more Central or Local licenses to remote managed Security
Gateways and Cluster Members.
When you run this command, it automatically updates the license repository.

Notes:
- You get the license details in the Check Point User Center.
- You can attach more than one license.

Syntax

cplic put {-h | -help}


cplic [-d] put <Object Name> [-ip <Dynamic IP Address>] [-F <Output File>]
      -l <License File> [<Host>] [<Expiration Date>] [<Signature>]
      [<SKU/Feature>]

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a
    file, or use the script command to save the entire CLI session.

<Object Name>
    The name of the Security Gateway / Cluster Member object, as defined in
    SmartConsole.

-ip <Dynamic IP Address>
    Installs the license on the Security Gateway with the specified IP
    address.
    This parameter is used to install a license on a Security Gateway with a
    dynamically assigned IP address (DAIP).
    Note - If you use this parameter, then the object name must be that of a
    DAIP Security Gateway.

-F <Output File>
    Saves the command output to the specified file.

-l <License File>
    Installs the licenses from the <License File>.

<Host>
    Hostname or IP address of the Security Management Server / Domain
    Management Server.

<Expiration Date>
    The license expiration date.

<Signature>
    The license signature string.
    Case sensitive. The hyphens are optional.

<SKU/Features>
    The SKU of the license summarizes the features included in the license.
    For example: CPSUITE-EVAL-3DES-vNG

Copy and paste the parameters from the license received from the User Center:

host
    The IP address of the external interface (in quad-dot notation).
    The last part cannot be 0 or 255.

expiration date
    The license expiration date. It can be never.

signature
    The license signature string.
    Case sensitive. The hyphens are optional.

SKU/features
    A string listing the SKU and the Certificate Key of the license.
    The SKU of the license summarizes the features included in the license.
    For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab

cplic upgrade

Description
Upgrades licenses in the license repository with licenses in the specified license file.

Note - You get this license file in the Check Point User Center.

Syntax

cplic upgrade {-h | -help}


cplic [-d] upgrade -l <Input File>

Parameters

{-h | -help}
    Shows the applicable built-in usage.

-l <Input File>
    Upgrades the licenses in the license repository and Check Point Security
    Gateways / Cluster Members to match the licenses in the specified file.

Example
This example explains the procedure to upgrade the licenses in the license repository.
There are two Software Blade licenses in the input file:
- One license does not match any license on a remote managed Security Gateway.
- The other license matches an NGX-version license on a managed Security
  Gateway that has to be upgraded.
Workflow in this example:
1. Upgrade the Security Management Server to the latest version.
Ensure that there is connectivity between the Security Management Server and the
Security Gateways with the previous product versions.
2. Import all licenses into the license repository.
You can also do this after you upgrade the products on the remote Security Gateways.
3. Run this command:

cplic get -all

Example:

[Expert@MyMGMT]# cplic get -all


Getting licenses from all modules ...
MyGW:
Retrieved 1 licenses

4. To see all the licenses in the repository, run this command:

cplic db_print -all -a

Example:

[Expert@MyMGMT]# cplic db_print -all -a


Retrieving license information from database ...

The following licenses appear in the database:


==================================================
Host Expiration Features
[Link] Never CPFW-FIG-25-53 CK49C3A3CC7121 MyGW1
[Link] 26Nov2017 CPSB-SWB CPSB-ADNC-M CK0123456789ab MyGW2

5. In the Check Point User Center, view the licenses for the products that were upgraded
from version NGX to a Software Blades license.
You can also create new upgraded licenses.
6. Download a file containing the upgraded licenses.
Only download licenses for the products that were upgraded from version NGX to
Software Blades.
7. If you did not import the version NGX licenses into the repository, import the version NGX
licenses now.

Use this command:

cplic get -all

8. Run the license upgrade command:

cplic upgrade -l <Input File>

- The licenses in the downloaded license file and in the license repository
  are compared.
- If the certificate keys and features match, the old licenses in the
  repository and in the remote Security Gateways are updated with the new
  licenses.
- A report of the results of the license upgrade is printed.

cppkg
Description
Manages the SmartUpdate software packages repository on the Security Management
Server.

Important - Installing software packages with the SmartUpdate is not supported for
Security Gateways running on Gaia OS.

Syntax

cppkg
add <options>
{del | delete} <options>
get
getroot
print
setroot <options>
Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run mdsenv).

Parameters

add <options>
    Adds a SmartUpdate software package to the repository.
    See "cppkg add" on page 797.

{del | delete} <options>
    Deletes a SmartUpdate software package from the repository.
    See "cppkg delete" on page 798.

get
    Updates the list of the SmartUpdate software packages in the repository.
    See "cppkg get" on page 800.

getroot
    Shows the path to the root directory of the repository (the value of the
    environment variable $SUROOT).
    See "cppkg getroot" on page 801.

print
    Prints the list of SmartUpdate software packages in the repository.
    See "cppkg print" on page 802.

setroot <options>
    Configures the path to the root directory of the repository.
    See "cppkg setroot" on page 803.

cppkg add

Description
Adds a SmartUpdate software package to the SmartUpdate software packages repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).
- This command does not overwrite existing packages. To overwrite an existing
  package, you must first delete the existing package.
- You get the SmartUpdate software packages from the Check Point Support
  Center.

Syntax

cppkg add <Full Path to Package | DVD Drive [Product]>

Parameters

<Full Path to Package>
    Specifies the full local path on the computer to the SmartUpdate software
    package.

DVD Drive [Product]
    Specifies the DVD root path.
    Example: /mnt/CPR80

Example - Adding R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print


Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg add /var/log/CP1100_6.0_4_0_-.tgz


Adding package to the repository
Getting the package type...
Extracting the package files...
Copying package to the repository...
Package was successfully added to the repository
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg print


Vendor       Product   Version   OS              Minor Version
----------------------------------------------------------------------------------
Check Point  CP1100    R77.20    Gaia Embedded   R77.20
[Expert@MGMT:0]#

cppkg delete

Description
Deletes SmartUpdate software packages from the SmartUpdate software packages
repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg del ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]

cppkg delete ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]

Parameters

del | delete
    When you do not specify optional parameters, the command runs in the
    interactive mode. The command shows the menu with applicable options.

"<Vendor>"
    Specifies the package vendor. Enclose in double quotes.

"<Product>"
    Specifies the product name. Enclose in double quotes.

"<Major Version>"
    Specifies the package Major Version. Enclose in double quotes.

"<OS>"
    Specifies the package OS. Enclose in double quotes.

"<Minor Version>"
    Specifies the package Minor Version. Enclose in double quotes.

Notes:
- To see the values for the optional parameters, run the "cppkg print" on
  page 802 command.
- You must specify all optional parameters, or no parameters.

Example 1 - Interactive mode

[Expert@MGMT:0]# cppkg delete

Select package:
--------------------
(0) Delete all
(1) CP1100 Gaia Embedded Check Point R77.20 R77.20

(e) Exit

Enter your choice : 1

You chose to delete 'CP1100 Gaia Embedded Check Point R77.20 R77.20', Is this correct? [y/n] : y

Package was successfully removed from the repository


[Expert@MGMT:0]#

Example 2 - Manually deleting the specified package

[Expert@MGMT:0]# cppkg print


Vendor       Product   Version   OS              Minor Version
----------------------------------------------------------------------------------
Check Point  CP1100    R77.20    Gaia Embedded   R77.20
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg delete "Check Point" "CP1100" "R77.20" "Gaia Embedded" "R77.20"
Package was successfully removed from the repository
[Expert@MGMT:0]#

cppkg get

Description
Updates the list of the SmartUpdate software packages in the SmartUpdate software
packages repository based on the real content of the repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg get

Example

[Expert@MGMT:0]# cppkg get


Update successfully completed
[Expert@MGMT:0]#

cppkg getroot

Description
Shows the path to the root directory of the SmartUpdate software packages
repository (the value of the environment variable $SUROOT).

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg getroot

Example

[Expert@MGMT:0]# cppkg getroot


[cppkg 7119 4128339728]@MGMT[29 May 19:16:06] Current repository root is set to :
/var/log/cpupgrade/suroot
[Expert@MGMT:0]#

cppkg print

Description
Prints the list of SmartUpdate software packages in the SmartUpdate software packages
repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).

Syntax

cppkg print

Example - R77.20 HFA_75 (R77.20.75) firmware package for 1100 Appliances

[Expert@MGMT:0]# cppkg print


Vendor       Product   Version   OS              Minor Version
----------------------------------------------------------------------------------
Check Point  CP1100    R77.20    Gaia Embedded   R77.20
[Expert@MGMT:0]#

cppkg setroot

Description
Configures the path to the root directory of the SmartUpdate software packages repository.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  MDS (run the mdsenv command).
- The default path is: /var/log/cpupgrade/suroot
- When changing the repository root directory:
  - This command copies the software packages from the old repository to the
    new repository. A package in the new location is overwritten by a package
    from the old location, if the packages have the same name.
  - This command updates the value of the environment variable $SUROOT in the
    Check Point Profile shell scripts ($CPDIR/tmp/.[Link] and
    $CPDIR/tmp/.[Link]).

Syntax

cppkg setroot <Full Path to Repository Root Directory>

Example

[Expert@MGMT:0]# cppkg setroot /var/log/my_directory

Repository root is set to : /var/log/cpupgrade/suroot

Note : When changing repository root directory :

1. Old repository content will be copied into the new repository


2. A package in the new location will be overwritten by a package in the old
location, if the packages have the same name

Change the current repository root ? [y/n] : y

The new repository directory does not exist. Create it ? [y/n] : y

Repository root was set to : /var/log/my_directory

Notice : To complete the setting of your directory, reboot the machine!


[Expert@MGMT:0]#

cpprod_util
Description
This utility works with Check Point Registry ($CPDIR/registry/HKLM_registry.data)
without manually opening it:
- Shows which Check Point products and features are enabled on this Check
  Point computer.
- Enables and disables Check Point products and features on this Check Point
  computer.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpprod_util CPPROD_GetValue "<Product>" "<Parameter>" {0|1}


cpprod_util CPPROD_SetValue "<Product>" "<Parameter>" {1|4}
"<Value>" {0|1}
cpprod_util -dump

R82 Security Management Administration Guide | 804


cpprod_util

Parameters

CPPROD_GetValue
    Gets the configuration status of the specified product or feature:
    - 0 - Disabled
    - 1 - Enabled

CPPROD_SetValue
    Sets the configuration for the specified product or feature.
    Important - Do not run these commands unless explicitly instructed by
    Check Point Support or R&D to do so.

"<Product>"
    Specifies the product or feature.

"<Parameter>"
    Specifies the configuration parameter for the specified product or
    feature.

"<Value>"
    Specifies the value of the configuration parameter for the specified
    product or feature:
    - One of these integers: 0, 1, 4
    - A string

-dump
    Creates a dump file of the Check Point Registry
    ($CPDIR/registry/HKLM_registry.data) in the current working directory.
    The name of the output file is RegDump.

Notes
- If you run the "cpprod_util" command without parameters, it prints:
  - The list of all available products and features (for example,
    "FwIsFirewallMgmt", "FwIsLogServer", "FwIsStandAlone")
  - The type of the expected argument when you configure a product or feature
    ("no-parameter", "string-parameter", or "integer-parameter")
  - The type of the returned output ("status-output", or "no-output")
- To redirect the output of the "cpprod_util" command, it is necessary to
  redirect the stderr to stdout:

cpprod_util <options> > <output file> 2>&1

Example:

cpprod_util > /tmp/output_of_cpprod_util.txt 2>&1

Examples
Example - Showing a list of all installed Check Point Products Packages on a Management
Server
[Expert@MGMT:0]# cpprod_util CPPROD_GetInstalledProducts
CPFC
IDA
MGMT
FW1
SecurePlatform
NGXCMP
EdgeCmp
SFWCMP
SFWR75CMP
SFWR77CMP
FLICMP
R75CMP
R7520CMP
R7540CMP
R76CMP
R77CMP
PROVIDER-1
Reporting Module
SmartLog
CPinfo
VSEC
DIAG
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a Management Server


[Expert@MGMT:0]# cpprod_util FwIsFirewallMgmt
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a Standalone


[Expert@MGMT:0]# cpprod_util FwIsStandAlone
0
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as a Primary in High Availability


[Expert@MGMT:0]# cpprod_util FwIsPrimary
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Active in High Availability


[Expert@MGMT:0]# cpprod_util FwIsActiveManagement
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Backup in High Availability


[Expert@MGMT:0]# cpprod_util FwIsSMCBackup
1
[Expert@MGMT:0]#

Example - Checking if this Check Point computer is configured as a dedicated Log Server
[Expert@MGMT:0]# cpprod_util FwIsLogServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartProvisioning blade is enabled


[Expert@MGMT:0]# cpprod_util FwIsAtlasManagement
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Server blade is enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerServer
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the SmartEvent Correlation Unit blade is
enabled
[Expert@MGMT:0]# cpprod_util RtIsAnalyzerCorrelationUnit
1
[Expert@MGMT:0]#

Example - Checking if on this Management Server the Endpoint Policy Management blade is
enabled
[Expert@MGMT:0]# cpprod_util UepmIsInstalled
1
[Expert@MGMT:0]#

Example - Checking if this Management Server is configured as Endpoint Policy Server


[Expert@MGMT:0]# cpprod_util UepmIsPolicyServer
0
[Expert@MGMT:0]#

cprid
Description
Manages the Check Point Remote Installation Daemon (cprid).
This daemon is used for remote upgrade and installation of Check Point products on the
managed Security Gateways.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run these commands in the context of the
  MDS (run mdsenv).

Commands

cpridstart
    Starts the Check Point Remote Installation Daemon (cprid).

cpridstop
    Stops the Check Point Remote Installation Daemon (cprid).

run_cprid_restart
    Stops and then starts the Check Point Remote Installation Daemon (cprid).

cprinstall
Description
Performs installation of Check Point product packages and associated operations on remote
managed Security Gateways.

Important - Installing software packages with this command is not supported for
Security Gateways that run on Gaia OS.
Notes:
- This command requires a license for SmartUpdate.
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the
  applicable Domain Management Server:
      mdsenv <IP Address or Name of Domain Management Server>
- On the remote Security Gateways these are required:
  - SIC Trust must be established between the Security Management Server and
    the Security Gateway.
  - The cpd daemon must run.
  - The cprid daemon must run.

Syntax

cprinstall
boot <options>
cprestart <options>
cpstart <options>
cpstop <options>
delete <options>
get <options>
install <options>
revert <options>
show <options>
snapshot <options>
transfer <options>
uninstall <options>
verify <options>

Parameters

Parameter              Description

boot <options>         Reboots the managed Security Gateway.
                       See "cprinstall boot" on page 813.

cprestart <options>    Runs the cprestart command on the managed Security Gateway.
                       See "cprinstall cprestart" on page 814.

cpstart <options>      Runs the cpstart command on the managed Security Gateway.
                       See "cprinstall cpstart" on page 815.

cpstop <options>       Runs the cpstop command on the managed Security Gateway.
                       See "cprinstall cpstop" on page 816.

delete <options>       Deletes a snapshot (backup) file on the managed Security Gateway.
                       See "cprinstall delete" on page 817.

get <options>          Gets details of the products and the operating system installed on the managed Security Gateway, and updates the management database on the Security Management Server.
                       See "cprinstall get" on page 818.

install <options>      Installs Check Point products on the managed Security Gateway.
                       See "cprinstall install" on page 819.

revert <options>       Restores the managed Security Gateway that runs on SecurePlatform OS from a snapshot saved on that Security Gateway.
                       See "cprinstall revert" on page 822.

show <options>         Displays all snapshot (backup) files on the managed Security Gateway that runs on SecurePlatform OS.
                       See "cprinstall show" on page 823.

snapshot <options>     Creates a snapshot on the managed Security Gateway that runs on SecurePlatform OS and saves it on that Security Gateway.
                       See "cprinstall snapshot" on page 824.

transfer <options>     Transfers a software package from the repository to the managed Security Gateway without installing the package.
                       See "cprinstall transfer" on page 825.

uninstall <options>    Uninstalls Check Point products on the managed Security Gateway.
                       See "cprinstall uninstall" on page 827.

verify <options>       Checks, before an installation, that:
                       - the specific product can be installed on the managed Security Gateway;
                       - the operating system and the currently installed products on the managed Security Gateway are appropriate for the software package;
                       - there is enough disk space on the managed Security Gateway to install the product;
                       - there is a CPRID connection with the managed Security Gateway.
                       See "cprinstall verify" on page 829.

cprinstall boot

Description
Reboots the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall boot <Object Name>

Parameters

Parameter        Description

<Object Name>    The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall boot MyGW

cprinstall cprestart

Description
Runs the cprestart command on the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- All Check Point products on the managed Security Gateway must be of the same version.

Syntax

cprinstall cprestart <Object Name>

Parameters

Parameter        Description

<Object Name>    The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT:0]# cprinstall cprestart MyGW

cprinstall cpstart

Description
Runs the cpstart command on the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- All Check Point products on the managed Security Gateway must be of the same version.

Syntax

cprinstall cpstart <Object Name>

Parameters

Parameter        Description

<Object Name>    The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstart MyGW

cprinstall cpstop

Description
Runs the cpstop command on the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- All Check Point products on the managed Security Gateway must be of the same version.

Syntax

cprinstall cpstop {-proc | -nopolicy} <Object Name>

Parameters

Parameter        Description

-proc            Kills the Check Point daemons and Security Servers, but keeps the active Security Policy loaded in the Check Point kernel.
                 Rules with a generic Allow, Drop or Reject action based on services continue to work.

-nopolicy        Kills the Check Point daemons and Security Servers and unloads the Security Policy from the Check Point kernel.

<Object Name>    The name of the Security Gateway object as configured in SmartConsole.

Example
[Expert@MGMT]# cprinstall cpstop -proc MyGW

cprinstall delete

Description
Deletes a snapshot (backup) file on the managed Security Gateway that runs on
SecurePlatform OS.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall delete <Object Name> <Snapshot File>

Parameters

Parameter          Description

<Object Name>      The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File>    Specifies the name of the snapshot (backup) on SecurePlatform OS.

Example
[Expert@MGMT]# cprinstall delete MyGW Snapshot25Apr2017

cprinstall get

Description
- Gets details of the products and the operating system installed on the managed Security Gateway.
- Updates the management database on the Security Management Server.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall get <Object Name>

Parameters

Parameter        Description

<Object Name>    The name of the Security Gateway object as configured in SmartConsole.

Example

[Expert@MGMT]# cprinstall get MyGW

Checking cprid connection...
Verified
Operation completed successfully
Updating machine information...
Update successfully completed
'Get Gateway Data' completed successfully

Operating system        Major Version    Minor Version
------------------------------------------------------------------------
SecurePlatform          R75.20           R75.20

Vendor          Product                 Major Version    Minor Version
------------------------------------------------------------------------
Check Point     VPN-1 Power/UTM         R75.20           R75.20
Check Point     SecurePlatform          R75.20           R75.20
Check Point     SmartPortal             R75.20           R75.20
[Expert@MGMT]#

cprinstall install

Description
Installs Check Point products on the managed Security Gateway.

Important - Installing software packages with this command is not supported for Security Gateways that run Gaia OS.

Notes:
- Before transferring the software package, this command runs the "cprinstall verify" on page 829 command.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- To see the values for the package attributes, run the "cppkg print" on page 802 command.

Syntax

cprinstall install [-boot] [-backup] [-skip_transfer] <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"

Parameters

Parameter            Description

-boot                Reboots the managed Security Gateway after installing the package.
                     Note - Only reboot after ALL products have the same version. Reboot is canceled in certain scenarios.

-backup              Creates a snapshot on the managed Security Gateway before installing the package.
                     Note - Only on Security Gateways that run on SecurePlatform OS.

-skip_transfer       Skips the transfer of the package.

<Object Name>        The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"           Specifies the package vendor. Enclose in double quotes.
                     Examples:
                     - checkpoint
                     - Check Point

"<Product>"          Specifies the product name. Enclose in double quotes.
                     Examples:
                     - SVNfoundation
                     - firewall
                     - floodgate
                     - CP1100
                     - VPN-1 Power/UTM
                     - SmartPortal

"<Major Version>"    Specifies the package Major Version. Enclose in double quotes.

"<Minor Version>"    Specifies the package Minor Version. Enclose in double quotes.

Example

[Expert@MGMT]# cprinstall install -boot MyGW "checkpoint" "firewall" "R75" "R75.20"

Installing firewall R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.
[Expert@MGMT]#

cprinstall revert

Description
Restores the managed Security Gateway that runs on SecurePlatform OS from a snapshot
saved on that Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall revert <Object Name> <Snapshot File>

Parameters

Parameter          Description

<Object Name>      The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File>    Name of the SecurePlatform snapshot file.
                   To see the names of the saved snapshot files, run the "cprinstall show" on page 823 command.

cprinstall show

Description
Displays all snapshot (backup) files on the managed Security Gateway that runs on
SecurePlatform OS.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall show <Object Name>

Parameters

Parameter        Description

<Object Name>    The name of the Security Gateway object as configured in SmartConsole.

Example

[Expert@MGMT]# cprinstall show GW1
SU_backup.tzg
[Expert@MGMT]#

cprinstall snapshot

Description
Creates a snapshot on the managed Security Gateway that runs on SecurePlatform OS and
saves it on that Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

cprinstall snapshot <Object Name> <Snapshot File>

Parameters

Parameter          Description

<Object Name>      The name of the Security Gateway object as configured in SmartConsole.

<Snapshot File>    Name of the SecurePlatform snapshot file.
                   To see the names of the saved snapshot files, run the "cprinstall show" on page 823 command.

cprinstall transfer

Description
Transfers a software package from the repository to the managed Security Gateway without
installing the package.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- To see the values for the package attributes, run the "cppkg print" on page 802 command.

Syntax

cprinstall transfer <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"

Parameters

Parameter            Description

<Object Name>        The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"           Specifies the package vendor. Enclose in double quotes.
                     Examples:
                     - checkpoint
                     - Check Point

"<Product>"          Specifies the product name. Enclose in double quotes.
                     Examples:
                     - SVNfoundation
                     - firewall
                     - floodgate
                     - CP1100

"<Major Version>"    Specifies the package major version. Enclose in double quotes.

"<Minor Version>"    Specifies the package minor version. Enclose in double quotes.

cprinstall uninstall

Description
Uninstalls Check Point products on the managed Security Gateway.

Important - Uninstalling software packages with this command is not supported for Security Gateways running on Gaia OS.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- Before uninstalling product packages, this command runs the "cprinstall verify" on page 829 command.
- After uninstalling a product package, you must run the "cprinstall get" on page 818 command.
- To see the values for the package attributes, run the "cppkg print" on page 802 command.

Syntax

cprinstall uninstall [-boot] <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor Version>"

Parameters

Parameter            Description

-boot                Reboots the managed Security Gateway after uninstalling the package.
                     Note - Reboot is canceled in certain scenarios.

<Object Name>        The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"           Specifies the package vendor. Enclose in double quotes.
                     Examples:
                     - checkpoint
                     - Check Point

"<Product>"          Specifies the product name. Enclose in double quotes.
                     Examples:
                     - SVNfoundation
                     - firewall
                     - floodgate
                     - CP1100

"<Major Version>"    Specifies the package major version. Enclose in double quotes.

"<Minor Version>"    Specifies the package minor version. Enclose in double quotes.

Example

[Expert@MGMT]# cprinstall uninstall MyGW "checkpoint" "firewall" "R75.20" "R75.20"
Uninstalling firewall R75.20 from MyGW...
Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success. Please get network object data to complete the operation.
[Expert@MGMT]#
[Expert@MGMT]# cprinstall get MyGW

cprinstall verify

Description
Checks, before an installation, that:
- the specific product can be installed on the managed Security Gateway;
- the operating system and the currently installed products on the managed Security Gateway are appropriate for the software package;
- there is enough disk space on the managed Security Gateway to install the product;
- there is a CPRID connection with the managed Security Gateway.

Notes:
- You must run this command from the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>
- To see the values for the package attributes, run the "cppkg print" on page 802 command.

Syntax

cprinstall verify <Object Name> "<Vendor>" "<Product>" "<Major Version>" ["<Minor Version>"]

Parameters

Parameter            Description

<Object Name>        The name of the Security Gateway object as configured in SmartConsole.

"<Vendor>"           Specifies the package vendor. Enclose in double quotes.
                     Examples:
                     - checkpoint
                     - Check Point

"<Product>"          Specifies the product name. Enclose in double quotes.
                     Examples:
                     - SVNfoundation
                     - firewall
                     - floodgate
                     - CP1100
                     - VPN-1 Power/UTM
                     - SmartPortal

"<Major Version>"    Specifies the package major version. Enclose in double quotes.

"<Minor Version>"    Specifies the package minor version. Enclose in double quotes.
                     This parameter is optional.

Example 1 - Verification succeeds

[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.

Example 2 - Verification fails

[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : SVN Foundation R75 is already installed on [Link]
Operation Success. Product cannot be installed, did not pass dependency check.
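The verify, transfer, install and get steps above, scripted as one sequence against a single gateway object. This is an added example and not code from the Check Point guide: the gateway name and package attributes passed to remote_install are placeholders, and the two captured outputs it is tested against are copied from the verification examples above. The detail worth scripting around is visible in Example 2: a failed dependency check is still reported with the line "Operation Success.", so a script must key on the "The product can be installed." verdict, not on the word Success.

```shell
#!/bin/bash
# Added example (not from the Check Point guide): drive the
# cprinstall verify -> transfer -> install -> get sequence from a script
# and read the verdict of "cprinstall verify" from its text output.
# Assumptions: the gateway name and package attributes are placeholders;
# the two samples below are copied from the guide's verify examples
# ("[Link]" is left exactly as printed there).

# Copied from "Example 1 - Verification succeeds".
SAMPLE_VERIFY_OK='Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.'

# Copied from "Example 2 - Verification fails". Note the "Operation
# Success." prefix on the failure line.
SAMPLE_VERIFY_FAIL='Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : SVN Foundation R75 is already installed on [Link]
Operation Success. Product cannot be installed, did not pass dependency check.'

# verify_ok OUTPUT: returns 0 only if OUTPUT carries the
# "The product can be installed." verdict line.
verify_ok() {
    case "$1" in
        *"The product can be installed."*) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_reason OUTPUT: prints the text that follows "Operation Success."
# on a failed verification (prints nothing on success).
verify_reason() {
    printf '%s\n' "$1" | sed -n 's/^Operation Success\. *//p'
}

# remote_install GW VENDOR PRODUCT MAJOR MINOR
# Runs the full sequence and stops at the first failed step. The package
# is transferred separately (staging it ahead of the change window) and
# install is then run with -skip_transfer. -backup only applies on
# SecurePlatform; per the guide, use -boot only once all products on the
# gateway have the same version.
remote_install() {
    local gw="$1" vendor="$2" product="$3" major="$4" minor="$5" out
    out="$(cprinstall verify "$gw" "$vendor" "$product" "$major" "$minor" 2>&1)"
    if ! verify_ok "$out"; then
        echo "verify failed on $gw: $(verify_reason "$out")" >&2
        return 1
    fi
    cprinstall transfer "$gw" "$vendor" "$product" "$major" "$minor" || return 1
    cprinstall install -backup -boot -skip_transfer "$gw" \
        "$vendor" "$product" "$major" "$minor" || return 1
    # Refresh the management database so the object reflects the new package.
    cprinstall get "$gw"
}

# Stand-alone demo on the copied outputs; no gateway is contacted.
for sample in "$SAMPLE_VERIFY_OK" "$SAMPLE_VERIFY_FAIL"; do
    if verify_ok "$sample"; then
        echo "verdict: installable"
    else
        echo "verdict: blocked - $(verify_reason "$sample")"
    fi
done
```

On a Management Server the call would be, for instance, remote_install MyGW "checkpoint" "firewall" "R75" "R75.20"; on a Multi-Domain Server run it after mdsenv for the Domain Management Server that owns the gateway.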

cpstart
Description
Manually starts all Check Point processes and applications.

Notes:
- For the cprid daemon, use the "cprid" on page 809 command.
- For manually starting specific Check Point processes, see sk97638.

Syntax

cpstart

cpstat
Description
Shows the status and statistics information for Check Point applications.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o <Polling Interval> [-c <Count>] [-e <Period>]] <Application Flag>

Note - You can write the parameters in the syntax in any order.

Parameters

Parameter               Description

-d                      Runs the command in debug mode.
                        Use only if you troubleshoot the command itself.
                        Best Practice - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.
                        The output shows the SNMP queries and SNMP responses for the applicable SNMP OIDs.

-h <Host>               Optional.
                        When you run this command on a Management Server, this parameter specifies the managed Security Gateway / ClusterXL object.
                        <Host> is an IPv4 address, a resolvable hostname, or a DAIP object name.
                        The default is localhost.

-p <Port>               Optional.
                        Port number of the Application Monitoring (AMON) server.
                        The default port is 18192.

-s <SICname>            Optional.
                        Secure Internal Communication (SIC) name of the Application Monitoring (AMON) server.

-f <Flavor>             Optional.
                        Specifies the type of the information to collect.
                        If you do not specify a flavor explicitly, the command uses the first flavor in the <Application Flag>. To see all flavors, run the cpstat command without any parameters.

-o <Polling Interval>   Optional.
                        Specifies the polling interval (in seconds) - how frequently the command collects and shows the information.
                        Examples:
                        - 0 - The command shows the results only once and then stops (this is the default value).
                        - 5 - The command shows the results every 5 seconds in a loop.
                        - 30 - The command shows the results every 30 seconds in a loop.
                        - N - The command shows the results every N seconds in a loop.
                        Use this parameter together with the "-c <Count>" parameter and the "-e <Period>" parameter.
                        Example:
                        cpstat os -f perf -o 2

-c <Count>              Optional.
                        Specifies how many times the command runs and shows the results before it stops.
                        You must use this parameter together with the "-o <Polling Interval>" parameter.
                        Examples:
                        - 0 - The command shows the results repeatedly every <Polling Interval> (this is the default value).
                        - 10 - The command shows the results 10 times every <Polling Interval> and then stops.
                        - 20 - The command shows the results 20 times every <Polling Interval> and then stops.
                        - N - The command shows the results N times every <Polling Interval> and then stops.
                        Example:
                        cpstat os -f perf -o 2 -c 2

-e <Period>             Optional.
                        Specifies the time (in seconds) over which the command calculates the statistics.
                        You must use this parameter together with the "-o <Polling Interval>" parameter.
                        You can use this parameter together with the "-c <Count>" parameter.
                        Example:
                        cpstat os -f perf -o 2 -c 2 -e 60

<Application Flag>      Mandatory.
                        See the table below with flavors for the application flags.

These flavors are available for the application flags

Note - The available flags depend on the enabled Software Blades. Some flags are supported only by a Security Gateway / ClusterXL, and some flags are supported only by a Management Server.

Feature or Software Blade                                   Flag                 Flavors

List of enabled Software Blades                             blades               fw, ips, av, urlf, vpn, cvpn, aspm, dlp, appi, anti_bot, default, content_awareness, threat-emulation

Operating System                                            os                   default, ifconfig, routing, routing6, memory, old_memory, cpu, disk, perf, multi_cpu, multi_disk, raidInfo, sensors, power_supply, hw_info, all, average_cpu, average_memory, statistics, updates, licensing, connectivity, vsx

Firewall                                                    fw                   default, interfaces, policy, perf, hmem, kmem, inspect, cookies, chains, fragments, totals, totals64, ufp, http, ftp, telnet, rlogin, smtp, pop3, sync, log_connection, all

HTTPS Inspection                                            https_inspection     default, hsm_status, all

Identity Awareness                                          identityServer       default, authentication, logins, ldap, components, adquery, idc, muh

Application Control                                         appi                 default, subscription_status, update_status, RAD_status, top_last_hour, top_last_day, top_last_week, top_last_month

URL Filtering                                               urlf                 default, subscription_status, update_status, RAD_status, top_last_hour, top_last_day, top_last_week, top_last_month

IPS                                                         ips                  default, statistics, all

Anti-Virus                                                  ci                   default

Threat Prevention                                           antimalware          default, scanned_hosts, scanned_mails, subscription_status, update_status, ab_prm_contracts, av_prm_contracts

Threat Emulation                                            threat-emulation     default, general_statuses, update_status, scanned_files, malware_detected, scanned_on_cloud, malware_on_cloud, average_process_time, emulated_file_size, queue_size, peak_size, file_type_stat_file_scanned, file_type_stat_malware_detected, file_type_stat_cloud_scanned, file_type_stat_cloud_malware_scanned, file_type_stat_filter_by_analysis, file_type_stat_cache_hit_rate, file_type_stat_error_count, file_type_stat_no_resource_count, contract, downloads_information_current, downloading_file_information, queue_table, history_te_incidents, history_te_comp_hosts

Threat Extraction                                           scrub                default, subscription_status, threat_extraction_statistics

Mobile Access                                               cvpn                 cvpnd, sysinfo, products, overall

VSX                                                         vsx                  default, stat, traffic, conns, cpu, all, memory, cpu_usage_per_core

IPsec VPN                                                   vpn                  default, product, IKE, ipsec, traffic, compression, accelerator, nic, statistics, watermarks, all

Data Loss Prevention                                        dlp                  default, dlp, exchange_agents, fingerprint

Content Awareness                                           ctnt                 default

QoS                                                         fg                   all

High Availability                                           ha                   default, all

Policy Server for Remote Access VPN clients                 polsrv               default, all

Desktop Policy Server for Remote Access VPN clients         dtps                 default, all

LTE / GX                                                    gx                   default, contxt_create_info, contxt_delete_info, contxt_update_info, contxt_path_mng_info, GXSA_GPDU_info, contxt_initiate_info, gtpv2_create_info, gtpv2_delete_info, gtpv2_update_info, gtpv2_path_mng_info, gtpv2_cmd_info, all

Management Server                                           mg                   default, log_server, indexer

Certificate Authority                                       ca                   default, crl, cert, user, all

SmartEvent                                                  cpsemd               default

SmartEvent Correlation Unit                                 cpsead               default

Log Server                                                  ls                   default

CloudGuard Controller                                       vsec                 default

SmartReporter                                               svr                  default

Provisioning Agent                                          PA                   default

Thresholds configured with the "threshold_config" command   thresholds           default, active_thresholds, destinations, error

Historical status values                                    persistency          product, TableConfig, SourceConfig

Examples

Example - CPU utilization

[Expert@HostName:0]# cpstat -f cpu os
CPU User Time (%): 1
CPU System Time (%): 0
CPU Idle Time (%): 99
CPU Usage (%): 1
CPU Queue Length: -
CPU Interrupts/Sec: 172
CPUs Number: 8

[Expert@HostName:0]#

Example - Performance
[Expert@HostName:0]# cpstat os -f perf -o 2 -c 2 -e 60

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741331456
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
CPU Interrupts/Sec: 135
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320
Active Virtual Memory (Bytes): 3741556736
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPU Interrupts/Sec: 140
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

[Expert@HostName:0]#

Example - List of current connected sessions on a Management Server

[Expert@MGMT:0]# cpstat -f default mg

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 994000031
Is started: 1
Active status: active
Status: OK

Connected clients
-------------------------------------------------------
|Client type |Administrator|Host |Database lock|
-------------------------------------------------------
|SmartConsole|admin |JOHNDOE-PC |false |
-------------------------------------------------------

[Expert@MGMT:0]#
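cpstat writes for a person at the console; to use it from a monitoring or detection job the output has to be parsed. The following is an added example and not part of the Check Point guide. It does two things with the output shown above: a threshold check over the os perf flavor that keeps the last iteration of a -o/-c polling loop, and a report of connected administrators and of whoever holds the database lock from the mg flavor, which is the first thing to look at when a policy change appears that nobody owns up to. The thresholds are arbitrary; SAMPLE_PERF is abbreviated from the perf example above (two polling iterations), and SAMPLE_MG is the mg example above plus one constructed client row that holds the lock.

```shell
#!/bin/bash
# Added example (not from the Check Point guide): parsers for cpstat
# output so it can feed a monitoring job or a handover check.
# Assumptions: thresholds are arbitrary; SAMPLE_PERF is abbreviated from
# the guide's "cpstat os -f perf -o 2 -c 2 -e 60" example (two polling
# iterations); SAMPLE_MG is the guide's "cpstat -f default mg" example
# plus one constructed client row ("auditor") that holds the database lock.

SAMPLE_PERF='Free Real Memory (Bytes): 4489732096
CPU Usage (%): 0
CPUs Number: 8
Disk Free Space (%): 61

Free Real Memory (Bytes): 4489506816
CPU Usage (%): 3
CPU Queue Length: -
CPUs Number: 8
Disk Free Space (%): 61'

SAMPLE_MG='Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Is started: 1
Active status: active
Status: OK

Connected clients
-------------------------------------------------------
|Client type |Administrator|Host |Database lock|
-------------------------------------------------------
|SmartConsole|admin |JOHNDOE-PC |false |
|SmartConsole|auditor |AUDIT-PC |true |
-------------------------------------------------------'

# perf_field TEXT KEY: value of the "KEY: value" line. With several
# polling iterations in TEXT the last (most recent) value wins.
perf_field() {
    printf '%s\n' "$1" | awk -F': ' -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# perf_alerts TEXT [MAX_CPU_PCT] [MIN_DISK_PCT] [MIN_FREE_MEM_BYTES]
# Prints one line per breached threshold; returns 1 if any fired.
perf_alerts() {
    local text="$1" max_cpu="${2:-80}" min_disk="${3:-20}" min_mem="${4:-1073741824}"
    local cpu disk mem rc=0
    cpu=$(perf_field "$text" 'CPU Usage (%)')
    disk=$(perf_field "$text" 'Disk Free Space (%)')
    mem=$(perf_field "$text" 'Free Real Memory (Bytes)')
    if [ -n "$cpu" ] && [ "$cpu" -gt "$max_cpu" ]; then echo "cpu usage ${cpu}% > ${max_cpu}%"; rc=1; fi
    if [ -n "$disk" ] && [ "$disk" -lt "$min_disk" ]; then echo "disk free ${disk}% < ${min_disk}%"; rc=1; fi
    if [ -n "$mem" ] && [ "$mem" -lt "$min_mem" ]; then echo "free memory ${mem} bytes < ${min_mem}"; rc=1; fi
    return "$rc"
}

# mg_clients TEXT: one "type:administrator@host:lock" line per row of the
# "Connected clients" table, with the cell padding trimmed.
mg_clients() {
    printf '%s\n' "$1" | awk -F'|' '
        /^\|/ {
            for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)
            if ($2 != "Client type") print $2 ":" $3 "@" $4 ":" $5
        }'
}

# db_lock_holders TEXT: "administrator@host" of every client whose
# Database lock column is true (normally zero or one line).
db_lock_holders() {
    mg_clients "$1" | awk -F':' '$3 == "true" { print $2 }'
}

# Stand-alone demo on the samples. On a Management Server feed the live
# output instead: perf_alerts "$(cpstat os -f perf -o 2 -c 2 -e 60)" and
# db_lock_holders "$(cpstat -f default mg)".
perf_alerts "$SAMPLE_PERF" 80 20 || echo "performance thresholds breached"
echo "connected clients:"
mg_clients "$SAMPLE_MG"
echo "database lock held by: $(db_lock_holders "$SAMPLE_MG")"
```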

cpstop
Description
Manually stops all Check Point processes and applications.

Notes:
- For the cprid daemon, use the "cprid" on page 809 command.
- For manually stopping specific Check Point processes, see sk97638.

Syntax

cpstop

cpview
Overview of CPView

Description
CPView is a text-based, built-in utility on a Check Point computer.
CPView shows statistical data that contains both general system information (CPU, Memory, Disk space) and information for the different Software Blades (the latter only on a Security Gateway / ClusterXL / Scalable Platform Security Group).
CPView continuously updates the data in easy-to-access views.

On a Security Gateway / ClusterXL / Scalable Platform Security Group, you can use this statistical data to monitor the performance.
For more information, see sk101878.

Syntax

cpview --help

CPView User Interface

The CPView user interface has three sections:

Section       Description

Header        This view shows the time the statistics in the third view were collected.
              It updates when you refresh the statistics.

Navigation    This menu bar is interactive. Move between menus with the arrow keys and the mouse.
              A menu can have sub-menus, and they show under the menu bar.

View          This view shows the statistics collected in that view.
              These statistics update at the refresh rate.

Using CPView
Use these keys to navigate the CPView:

Key          Description

Arrow keys   Moves between menus and views. Scrolls in a view.

Home         Returns to the Overview view.

Enter        Changes to the View Mode.
             On a menu with sub-menus, the Enter key moves you to the lowest level sub-menu.

Esc          Returns to the Menu Mode.

Q            Quits CPView.

Use these keys to change CPView interface options:

Key          Description

R            Opens a window where you can change the refresh rate.
             The default refresh rate is 2 seconds.

W            Changes between wide and normal display modes.
             In wide mode, CPView fits the screen horizontally.

S            Manually sets the number of rows or columns.

M            Switches the mouse on/off.

P            Pauses and resumes the collection of statistics.

Use these keys to save statistics, show help, and refresh statistics:

Key          Description

C            Saves the current page to a file. The file name format is:
             cpview_<ID of the cpview process>.cap<Number of the capture>

H            Shows a tooltip with CPView options.

Space bar    Immediately refreshes the statistics.

cpwd_admin
Description
The Check Point WatchDog (cpwd) is a process that invokes and monitors critical processes
such as Check Point daemons on the local computer, and attempts to restart them if they fail.
Among the processes monitored by Watchdog are fwm, fwd, cpd, DAService, and others.
The list of monitored processes depends on the installed and configured Check Point products
and Software Blades.
The Check Point WatchDog writes monitoring information to the $CPDIR/log/[Link] log
file.

The cpwd_admin utility shows the status of the monitored processes, and configures the
Check Point WatchDog.

There are two types of Check Point WatchDog monitoring:

Monitoring   Description

Passive      WatchDog restarts the process only when the process terminates abnormally.
             In the output of the cpwd_admin list command, the MON column shows N for passively monitored processes.

Active       WatchDog checks the process status every predefined interval.
             WatchDog makes sure the process is alive, as well as properly functioning (not stuck on deadlocks, frozen, and so on).
             In the output of the cpwd_admin list command, the MON column shows Y for actively monitored processes.
             The list of actively monitored processes is predefined by Check Point. Users cannot change or configure it.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin
config <options>
del <options>
detach <options>
exist
flist <options>
getpid <options>
kill
list <options>
monitor_list
start <options>
start_monitor
stop <options>
stop_monitor

Parameters

Parameter          Description

config <options>   Configures the Check Point WatchDog.
                   See "cpwd_admin config" on page 846.

del <options>      Temporarily deletes a monitored process from the WatchDog database of monitored processes.
                   See "cpwd_admin del" on page 849.

detach <options>   Temporarily detaches a monitored process from the WatchDog monitoring.
                   See "cpwd_admin detach" on page 850.

exist              Checks whether the WatchDog process cpwd is alive.
                   See "cpwd_admin exist" on page 851.

flist <options>    Saves the status of all monitored processes to a $CPDIR/tmp/cpwd_list_<Epoch Timestamp>.lst file.
                   See "cpwd_admin flist" on page 852.

getpid <options>   Shows the PID of a monitored process.
                   See "cpwd_admin getpid" on page 854.

kill               Terminates the WatchDog process cpwd.
                   See "cpwd_admin kill" on page 855.
                   Important - Do not run this command unless explicitly instructed by Check Point Support or R&D to do so.

list               Prints the status of all monitored processes on the screen.
                   See "cpwd_admin list" on page 856.

monitor_list       Prints the status of actively monitored processes on the screen.
                   See "cpwd_admin monitor_list" on page 859.

start <options>    Starts a process as monitored by the WatchDog.
                   See "cpwd_admin start" on page 860.

start_monitor      Starts the active WatchDog monitoring - WatchDog monitors the predefined processes actively.
                   See "cpwd_admin start_monitor" on page 862.

stop <options>     Stops a monitored process.
                   See "cpwd_admin stop" on page 863.

stop_monitor       Stops the active WatchDog monitoring - WatchDog monitors all processes only passively.
                   See "cpwd_admin stop_monitor" on page 865.

cpwd_admin config

Description
Configures the Check Point WatchDog.

Important - After changing the WatchDog configuration parameters, you must restart
the WatchDog process with the "cpstop" and "cpstart" commands (which restart
all Check Point processes).

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin config
-h
-a <options>
-d <options>
-p
-r

Parameters

Parameter                                     Description
-h                                            Shows the built-in usage.
-a <Configuration_Parameter_1>=<Value_1>      Adds the WatchDog configuration parameters.
   <Configuration_Parameter_2>=<Value_2> ...  Note - Spaces are not allowed between the
   <Configuration_Parameter_N>=<Value_N>      name of the configuration parameter, the
                                              equal sign, and the value.
-d <Configuration_Parameter_1>                Deletes the WatchDog configuration parameters
   <Configuration_Parameter_2> ...            that the user added with the "cpwd_admin
   <Configuration_Parameter_N>                config -a" command.
-p                                            Shows the WatchDog configuration parameters
                                              that the user added with the "cpwd_admin
                                              config -a" command.
-r                                            Restores the default WatchDog configuration.

These are the available configuration parameters and the accepted values:

Configuration    Accepted            Description
Parameter        Values
no_limit         Range: -1, 0, >0    If rerun_mode=1, specifies the maximum number of times
                 Default: 5          the WatchDog tries to restart a process:
                                     - -1 - Always tries to restart
                                     - 0 - Never tries to restart
                                     - >0 - Tries this number of times
num_of_procs     Range: 30 - 20000   Configures the maximum number of processes managed by
                 Default: 10000      the WatchDog.
rerun_mode       0                   Configures whether the WatchDog restarts processes after
                 1 (default)         they fail:
                                     - 0 - Does not restart a failed process. Monitors and
                                       logs only.
                                     - 1 - Restarts a failed process (this is the default).
reset_startups   Range: > 0          Configures the time (in seconds) the WatchDog waits after
                 Default: 3600       the process starts before it resets the process's startup
                                     counter to 0.
                                     To see the process's startup counter, refer to the #START
                                     column in the output of the cpwd_admin list command.
sleep_mode       0                   Configures how the WatchDog restarts the process:
                 1 (default)         - 0 - Ignores the timeout and restarts the process
                                       immediately
                                     - 1 - Waits for the duration of sleep_timeout
sleep_timeout    Range: 0 - 3600     If rerun_mode=1, specifies how much time (in seconds)
                 Default: 60         passes from a process failure until the WatchDog tries
                                     to restart it.
stop_timeout     Range: > 0          Configures the time (in seconds) the WatchDog waits for
                 Default: 60         a process stop command to complete.
zero_timeout     Range: > 0          After failing no_limit times to restart a process, the
                 Default: 7200       WatchDog waits zero_timeout seconds before it tries
                                     again.
                                     The value of zero_timeout must be greater than the value
                                     of the sleep_timeout parameter.

The WatchDog saves the user-defined configuration parameters in the
$CPDIR/registry/HKLM_registry.data file, in the "Wd_Config" section:

("CheckPoint Repository Set"
    : (SOFTWARE
        : (CheckPoint
            : (CPshared
                :CurrentVersion (6.0)
                : (6.0
                    ... ...
                    : (reserved
                        ... ...
                        : (Wd
                            : (Wd_Config
                                :Configuration_Parameter_1 ("[4]Value_1")
                                :Configuration_Parameter_2 ("[4]Value_2")
                            )
                        )
                    ... ...

Example

[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -a sleep_timeout=120 no_limit=12
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog Configuration parameters are:
sleep_timeout : 120
no_limit : 12
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -r
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
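
The parameter table above gives ranges and defaults but does not show how the restart-related values interact once a process starts crash-looping, and a mistaken value is only noticed after cpstop/cpstart has restarted every Check Point process. The following Python is an added example, not Check Point code: it validates a set of parameters against the documented ranges, renders the "cpwd_admin config -a" line (one NAME=VALUE token each, no spaces around the equal sign), and models the restart timeline the parameters imply. The model follows the table's descriptions; reading "the timeout" in the zero_timeout rule as sleep_timeout is an assumption, and cpwd's real internal bookkeeping is not documented here, so treat the timeline as an approximation.

```python
"""Added example (not Check Point code): check WatchDog parameters against the
ranges documented for cpwd_admin config, emit the command line that applies
them, and model the restart schedule they imply."""
from typing import Dict, List, Optional, Tuple

# Accepted ranges and defaults from the cpwd_admin config parameter table.
# An upper bound of None means the guide states no upper bound.
RANGES: Dict[str, Tuple[int, Optional[int]]] = {
    "no_limit": (-1, None), "num_of_procs": (30, 20000), "rerun_mode": (0, 1),
    "reset_startups": (1, None), "sleep_mode": (0, 1), "sleep_timeout": (0, 3600),
    "stop_timeout": (1, None), "zero_timeout": (1, None),
}
DEFAULTS: Dict[str, int] = {
    "no_limit": 5, "num_of_procs": 10000, "rerun_mode": 1, "reset_startups": 3600,
    "sleep_mode": 1, "sleep_timeout": 60, "stop_timeout": 60, "zero_timeout": 7200,
}


def validate_config(params: Dict[str, object]) -> List[str]:
    """Return the problems found; an empty list means the parameters are acceptable."""
    errors: List[str] = []
    accepted: Dict[str, int] = {}
    for name, value in params.items():
        if name not in RANGES:
            errors.append(f"unknown parameter: {name}")
        elif not isinstance(value, int) or isinstance(value, bool):
            errors.append(f"{name}: value must be an integer")
        else:
            low, high = RANGES[name]
            if value < low or (high is not None and value > high):
                errors.append(f"{name}={value}: outside the accepted range")
            else:
                accepted[name] = value
    effective = {**DEFAULTS, **accepted}
    # The guide requires zero_timeout to exceed "the timeout"; this reads that
    # as sleep_timeout, the other restart delay (assumption).
    if effective["zero_timeout"] <= effective["sleep_timeout"]:
        errors.append("zero_timeout must be greater than sleep_timeout")
    return errors


def build_config_command(params: Dict[str, int]) -> str:
    """Render `cpwd_admin config -a NAME=VALUE ...`. cpwd_admin rejects spaces
    around the equal sign, so each parameter is a single NAME=VALUE token."""
    errors = validate_config(params)
    if errors:
        raise ValueError("; ".join(errors))
    return "cpwd_admin config -a " + " ".join(f"{k}={params[k]}" for k in sorted(params))


def simulate_restarts(params: Dict[str, int], uptimes: List[int]) -> List[Tuple[int, str]]:
    """Model the WatchDog for a process that dies after each uptime (seconds)
    in `uptimes`. Returns (time, event) pairs. Follows the parameter
    descriptions in the guide; cpwd's actual bookkeeping is not documented
    there, so the timeline is an approximation."""
    cfg = {**DEFAULTS, **params}
    now, restarts = 0, 0
    events: List[Tuple[int, str]] = [(0, "start")]
    for uptime in uptimes:
        if uptime >= cfg["reset_startups"]:
            restarts = 0  # ran long enough: startup counter reset (reset_startups)
        now += uptime
        events.append((now, "crash"))
        if cfg["rerun_mode"] == 0 or cfg["no_limit"] == 0:
            events.append((now, "not restarted"))  # monitor and log only
            break
        if cfg["no_limit"] > 0 and restarts >= cfg["no_limit"]:
            now += cfg["zero_timeout"]  # retry budget exhausted: long back-off
            restarts = 0
        elif cfg["sleep_mode"] == 1:
            now += cfg["sleep_timeout"]  # normal delay before a restart
        restarts += 1
        events.append((now, "start"))
    return events


def start_times(events: List[Tuple[int, str]]) -> List[int]:
    """Seconds (from the first start) at which the process was (re)started."""
    return [t for t, kind in events if kind == "start"]


if __name__ == "__main__":
    print(build_config_command({"sleep_timeout": 120, "no_limit": 12}))
    # With the defaults a process that dies every second is restarted five
    # times a minute apart, then not again for two hours (zero_timeout).
    print(start_times(simulate_restarts({}, [1] * 7)))
```

With the defaults, a process that keeps dying immediately is restarted at 61, 122, 183, 244 and 305 seconds and then not again until 7506 seconds, which is the gap an operator sees in the #START and START_TIME columns; a process that survives longer than reset_startups before dying gets its counter cleared and is restarted after the normal sleep_timeout.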

cpwd_admin del

Description
Temporarily deletes a monitored process from the WatchDog database of monitored
processes.

Notes:
- The WatchDog stops monitoring the deleted process, but the process stays alive.
- The "cpwd_admin list" on page 856 command does not show the deleted process anymore.
- This change applies until all Check Point services restart during boot, or with the
  "cpstart" on page 831 command.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin del -name <Application Name>

Parameters

Parameter            Description
<Application Name>   Name of the monitored Check Point process as you see it in the output
                     of the "cpwd_admin list" on page 856 command, in the leftmost column APP.
                     Examples:
                     - FWM
                     - FWD
                     - CPD
                     - CPM

Example

[Expert@HostName:0]# cpwd_admin del -name FWD
cpwd_admin:
successful Del operation
[Expert@HostName:0]#

cpwd_admin detach

Description
Temporarily detaches a monitored process from the WatchDog monitoring.

Notes:
- The WatchDog stops monitoring the detached process, but the process stays alive.
- The "cpwd_admin list" on page 856 command does not show the detached process anymore.
- This change applies until all Check Point services restart during boot, or with the
  "cpstart" on page 831 command.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin detach -name <Application Name>

Parameters

Parameter            Description
<Application Name>   Name of the monitored Check Point process as you see it in the output
                     of the "cpwd_admin list" on page 856 command, in the leftmost column APP.
                     Examples:
                     - FWM
                     - FWD
                     - CPD
                     - CPM

Example

[Expert@HostName:0]# cpwd_admin detach -name FWD
cpwd_admin:
successful Detach operation
[Expert@HostName:0]#

cpwd_admin exist

Description
Checks whether the WatchDog process cpwd is alive.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin exist

Example

[Expert@HostName:0]# cpwd_admin exist
cpwd_admin: cpWatchDog is running
[Expert@HostName:0]#

cpwd_admin flist

Description
Saves the status of all WatchDog monitored processes to a file.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin flist [-full]

Parameters

Parameter   Description
-full       Shows the verbose output.

Output

Column       Description
APP          Shows the WatchDog name of the monitored process.
PID          Shows the PID of the monitored process.
STAT         Shows the status of the monitored process:
             - E - executing
             - T - terminated
#START       Shows how many times the WatchDog started the monitored process.
START_TIME   Shows the time when the WatchDog last started the monitored process.
SLP/LIMIT    In the verbose output, shows the values of the sleep_timeout and no_limit
             configuration parameters (see "cpwd_admin config" on page 846).
MON          Shows how the WatchDog monitors this process (see the explanation for
             "cpwd_admin" on page 843):
             - Y - Active monitoring
             - N - Passive monitoring
COMMAND      Shows the command the WatchDog ran to start this process.

Example

[Expert@HostName:0]# cpwd_admin flist
/opt/CPshrd-R82/tmp/cpwd_list_1564617600.lst
[Expert@HostName:0]#

cpwd_admin getpid

Description
Shows the PID of a WatchDog monitored process.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin getpid -name <Application Name>

Parameters

Parameter            Description
<Application Name>   Name of the monitored Check Point process as you see it in the output
                     of the "cpwd_admin list" on page 856 command, in the leftmost column APP.
                     Examples:
                     - FWM
                     - FWD
                     - CPD
                     - CPM

Example

[Expert@HostName:0]# cpwd_admin getpid -name FWD
5640
[Expert@HostName:0]#

cpwd_admin kill

Description
Terminates the WatchDog process cpwd.

Important - Do not run this command unless explicitly instructed by Check Point
Support or R&D to do so.
To restart the WatchDog process, you must restart all Check Point services with the
"cpstop" on page 840 and "cpstart" on page 831 commands.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin kill

cpwd_admin list

Description
Prints the status of all WatchDog monitored processes on the screen.

Note - By default, the WatchDog monitors a maximum of 10000 processes.
To increase this threshold, use the command "cpwd_admin config -a num_of_procs=<value>".
See "cpwd_admin config" on page 846.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin list [-full]

Parameters

Parameter   Description
-full       Shows the verbose output.

Output

Column       Description
APP          Shows the WatchDog name of the monitored process.
PID          Shows the PID of the monitored process.
STAT         Shows the status of the monitored process:
             - E - executing
             - T - terminated
#START       Shows how many times the WatchDog started the monitored process.
START_TIME   Shows the time when the WatchDog last started the monitored process.
SLP/LIMIT    In the verbose output, shows the values of the sleep_timeout and no_limit
             configuration parameters (see "cpwd_admin config" on page 846).
MON          Shows how the WatchDog monitors this process (see the explanation for
             "cpwd_admin" on page 843):
             - Y - Active monitoring
             - N - Passive monitoring
COMMAND      Shows the command the WatchDog ran to start this process.

Examples

Example - Default output on a Management Server

[Expert@HostName:0]# cpwd_admin list
APP              PID    STAT  #START  START_TIME            MON  COMMAND
CPVIEWD          19738  E     1       [17:50:44] 31/5/2019  N    cpviewd
HISTORYD         0      T     0       [17:54:44] 31/5/2019  N    cpview_historyd
CPD              19730  E     1       [17:54:45] 31/5/2019  Y    cpd
SOLR             19935  E     1       [17:50:55] 31/5/2019  N    java_solr /opt/CPrt-R82/conf/[Link]
RFL              19951  E     1       [17:50:55] 31/5/2019  N    LogCore
SMARTVIEW        19979  E     1       [17:50:55] 31/5/2019  N    SmartView
INDEXER          20032  E     1       [17:50:55] 31/5/2019  N    /opt/CPrt-R82/log_indexer/log_indexer
SMARTLOG_SERVER  20100  E     1       [17:50:55] 31/5/2019  N    /opt/CPSmartLog-R82/smartlog_server
CP3DLOGD         20237  E     1       [17:50:55] 31/5/2019  N    cp3dlogd
EPM              20251  E     1       [17:50:56] 31/5/2019  N    startEngine
DASERVICE        20404  E     1       [17:50:59] 31/5/2019  N    DAService_script
[Expert@HostName:0]#


Example - Verbose output on a Management Server

[Expert@HostName:0]# cpwd_admin list -full
APP PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R82/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 T 0 [17:54:44] 31/5/2019 60/5 N
PATH = /opt/CPshrd-R82/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
CPD 19730 E 1 [17:54:45] 31/5/2019 60/5 Y
PATH = /opt/CPshrd-R82/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
SOLR 19935 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R82/bin/java_solr
COMMAND = java_solr /opt/CPrt-R82/conf/[Link]
--------------------------------------------------------------------------------
RFL 19951 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R82/bin/LogCore
COMMAND = LogCore
--------------------------------------------------------------------------------
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R82/bin/SmartView
COMMAND = SmartView
--------------------------------------------------------------------------------
INDEXER 20032 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPrt-R82/log_indexer/log_indexer
COMMAND = /opt/CPrt-R82/log_indexer/log_indexer
--------------------------------------------------------------------------------
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPSmartLog-R82/smartlog_server
COMMAND = /opt/CPSmartLog-R82/smartlog_server
ENV = LANG=C
--------------------------------------------------------------------------------
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R82/bin/cp3dlogd
COMMAND = cp3dlogd
--------------------------------------------------------------------------------
EPM 20251 E 1 [17:50:56] 31/5/2019 60/5 N
PATH = /opt/CPuepm-R82/bin/startEngine
COMMAND = startEngine
--------------------------------------------------------------------------------
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#
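
On a busy Management Server nobody reads this table by eye; what an operator wants from it is the set of processes that are terminated (STAT T) or have a #START count above one, which is how a crash-looping daemon shows up. The Python below is an added example, not part of the guide or of Check Point's tooling: it parses the default (non -full) "cpwd_admin list" layout, where START_TIME occupies two tokens and COMMAND may contain spaces, and reports the suspicious entries. The sample text is constructed from the guide's example above, minus the SOLR line, plus an invented FWM entry with four starts; whether a terminated entry matters depends on the process (the guide's own sample shows HISTORYD terminated with zero starts). The verbose layout is not handled.

```python
"""Added example (not Check Point code): parse the default `cpwd_admin list`
output and flag processes that are terminated or have been restarted."""
from typing import Dict, List

# Constructed sample: the guide's example output without the SOLR line, plus
# an invented FWM entry (PID and start count made up) showing four starts.
SAMPLE_LIST_OUTPUT = """\
[Expert@HostName:0]# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2019 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2019 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2019 Y cpd
RFL 19951 E 1 [17:50:55] 31/5/2019 N LogCore
INDEXER 20032 E 1 [17:50:55] 31/5/2019 N /opt/CPrt-R82/log_indexer/log_indexer
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2019 N /opt/CPSmartLog-R82/smartlog_server
DASERVICE 20404 E 1 [17:50:59] 31/5/2019 N DAService_script
FWM 20511 E 4 [18:02:10] 31/5/2019 Y fwm mds
[Expert@HostName:0]#
"""

Record = Dict[str, object]


def parse_cpwd_list(text: str) -> List[Record]:
    """Turn the default (non -full) cpwd_admin list output into records.
    START_TIME occupies two tokens ([HH:MM:SS] D/M/YYYY) and COMMAND may
    contain spaces, so each line is split into at most eight fields."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("APP ") or line.startswith("[Expert@"):
            continue  # blank line, column header or shell prompt
        parts = line.split(None, 7)
        if len(parts) != 8:
            raise ValueError(f"unexpected cpwd_admin list line: {line!r}")
        app, pid, stat, starts, clock, date, mon, command = parts
        if stat not in ("E", "T") or mon not in ("Y", "N"):
            raise ValueError(f"unexpected STAT/MON values in: {line!r}")
        records.append({
            "app": app, "pid": int(pid), "stat": stat, "starts": int(starts),
            "start_time": f"{clock} {date}", "active": mon == "Y", "command": command,
        })
    return records


def find_problems(records: List[Record], max_starts: int = 1) -> Dict[str, str]:
    """Map APP -> reason for every terminated or repeatedly started process."""
    problems: Dict[str, str] = {}
    for rec in records:
        if rec["stat"] == "T":
            problems[str(rec["app"])] = "terminated"
        elif int(rec["starts"]) > max_starts:
            problems[str(rec["app"])] = f"started {rec['starts']} times"
    return problems


def pid_of(records: List[Record], app: str) -> int:
    """Same answer as `cpwd_admin getpid -name <app>`, taken from parsed output."""
    for rec in records:
        if rec["app"] == app:
            return int(rec["pid"])
    raise KeyError(app)


if __name__ == "__main__":
    # On a Management Server feed the real output instead, for example:
    #   parse_cpwd_list(subprocess.run(["cpwd_admin", "list"],
    #                   capture_output=True, text=True).stdout)
    recs = parse_cpwd_list(SAMPLE_LIST_OUTPUT)
    for app, why in find_problems(recs).items():
        print(f"{app}: {why}")
```

Raise max_starts when a process is legitimately restarted by a known procedure (a policy install, a cpstart after maintenance) so that only unexpected restarts are reported.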

cpwd_admin monitor_list

Description
Prints the status of actively monitored processes on the screen.
See the explanation about the active monitoring in "cpwd_admin" on page 843.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin monitor_list

Example

[Expert@HostName:0]# cpwd_admin monitor_list
cpwd_admin:
APP   FILE_NAME            NO_MSG_TIMES   LAST_MSG_TIME
CPD   CPD_5420_4714.mntr   0/10           [19:00:33] 31/5/2019
[Expert@HostName:0]#

cpwd_admin start

Description
Starts a process as monitored by the WatchDog.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin start -name <Application Name> -path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}] [-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

Parameters

Parameter                      Description
-name <Application Name>       Name under which the cpwd_admin list command shows the
                               monitored process in the leftmost column APP.
                               Examples:
                               - FWM
                               - FWD
                               - CPD
                               - CPM
-path "<Full Path to           The full path (with or without Check Point environment
Executable>"                   variables) to the executable, including the executable name.
                               Must be enclosed in double quotes.
                               Examples:
                               - For FWM: "$FWDIR/bin/fwm"
                               - For FWD: "/opt/CPsuite-R82/fw1/bin/fw"
                               - For CPD: "$CPDIR/bin/cpd"
                               - For CPM: "/opt/CPsuite-R82/fw1/scripts/[Link]"
                               - For SICTUNNEL: "/opt/CPshrd-R82/bin/cptnl"
-command "<Command Syntax>"    The command and its arguments to run.
                               Must be enclosed in double quotes.
                               Examples:
                               - For FWM: "fwm"
                               - For FWM on a Multi-Domain Server: "fwm mds"
                               - For FWD: "fwd"
                               - For CPD: "cpd"
                               - For CPM: "/opt/CPsuite-R82/fw1/scripts/[Link] -s"
                               - For SICTUNNEL: "/opt/CPshrd-R82/bin/cptnl -c
                                 "/opt/CPuepm-R82/engine/conf/cptnl_[Link]""
-env {inherit |                Configures whether to inherit the environment variables from
<Env_Var>=<Value>}             the shell:
                               - inherit - Inherits all the environment variables (the
                                 WatchDog supports up to 80 environment variables)
                               - <Env_Var>=<Value> - Assigns the specified value to the
                                 specified environment variable
-slp_timeout <Timeout>         Sets the value of the "sleep_timeout" configuration parameter
                               for this process.
                               See "cpwd_admin config" on page 846.
-retry_limit {<Limit> | u}     Sets the value of the "no_limit" configuration parameter (the
                               restart limit) for this process.
                               See "cpwd_admin config" on page 846.
                               - <Limit> - Tries to restart the process the specified number
                                 of times
                               - u - Tries to restart the process an unlimited number of
                                 times

Example
For the list of processes and the applicable syntax, see sk97638.

cpwd_admin start_monitor

Description
Starts the active WatchDog monitoring. WatchDog monitors the predefined processes
actively.
See the explanation for the "cpwd_admin" on page 843 command.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin start_monitor

Example

[Expert@HostName:0]# cpwd_admin start_monitor
cpwd_admin:
CPWD has started to perform active monitoring on Check Point services/processes
[Expert@HostName:0]#

cpwd_admin stop

Description
Stops a WatchDog monitored process.

Important - This change does not survive reboot.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin stop -name <Application Name> [-path "<Full Path to Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>}]]

Parameters

Parameter                      Description
-name <Application Name>       Name under which the cpwd_admin list command shows the
                               monitored process in the leftmost column APP.
                               Examples:
                               - FWM
                               - FWD
                               - CPD
                               - CPM
-path "<Full Path to           The full path (with or without Check Point environment
Executable>"                   variables) to the executable, including the executable name.
                               Must be enclosed in double quotes.
                               Examples:
                               - For FWM: "$FWDIR/bin/fwm"
                               - For FWD: "/opt/CPsuite-R82/fw1/bin/fw"
                               - For CPD: "$CPDIR/bin/cpd_admin"
-command "<Command Syntax>"    The command and its arguments to run.
                               Must be enclosed in double quotes.
                               Examples:
                               - For FWM: "fw kill fwm"
                               - For FWD: "fw kill fwd"
                               - For CPD: "cpd_admin stop"
-env {inherit |                Configures whether to inherit the environment variables from
<Env_Var>=<Value>}             the shell:
                               - inherit - Inherits all the environment variables (the
                                 WatchDog supports up to 80 environment variables)
                               - <Env_Var>=<Value> - Assigns the specified value to the
                                 specified environment variable

Example
For the list of processes and the applicable syntax, see sk97638.

cpwd_admin stop_monitor

Description
Stops the active WatchDog monitoring. WatchDog monitors all processes only passively.
See the explanation for the "cpwd_admin" on page 843 command.

Syntax on a Management Server in Gaia Clish or the Expert mode

cpwd_admin stop_monitor

Example

[Expert@HostName:0]# cpwd_admin stop_monitor
cpwd_admin:
CPWD has stopped performing active monitoring on Check Point services/processes
[Expert@HostName:0]#

dbedit
Description
Edits the management database (the $FWDIR/conf/objects_5_0.C file) on the Security
Management Server or Domain Management Server. See sk13301.

Important - Do NOT run this command unless explicitly instructed by Check Point
Support or R&D to do so. Otherwise, you can corrupt settings in the management
database.

Syntax

dbedit -help
dbedit [-globallock] [{-local | -s <Management_Server>}] [{-u <Username> | -c <Certificate>}] [-p <Password>] [-f <File_Name> [ignore_script_failure] [-continue_updating]] [-r "<Open_Reason_Text>"] [-d <Database_Name>] [-listen] [-readonly] [-session]

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Parameters

Parameter                 Description
-help                     Prints the general help.
-globallock               When you work with the dbedit utility, it partially locks the
                          management database. If a user configures objects in SmartConsole
                          at the same time, this causes problems in the management database.
                          This option does not let SmartConsole or another dbedit user make
                          changes in the management database.
                          When you specify this option, the dbedit commands run on a copy of
                          the management database. After you make the changes with the
                          dbedit commands and run the savedb command, the dbedit utility
                          saves and commits your changes to the actual management database.
-local                    Connects to the localhost ([Link]) without using a username and
                          password.
                          If you do not specify this parameter, the dbedit utility asks how
                          to connect.
-s <Management_Server>    Specifies the Security Management Server, by IP address or
                          hostname.
                          If you do not specify this parameter, the dbedit utility asks how
                          to connect.
-u <Username>             Specifies the username with which the dbedit utility connects to
                          the Security Management Server.
                          Required (instead of "-c <Certificate>") when you specify the
                          "-s <Management_Server>" parameter.
-c <Certificate>          Specifies the user's certificate file with which the dbedit utility
                          connects to the Security Management Server.
                          Required (instead of "-u <Username>") when you specify the
                          "-s <Management_Server>" parameter.
-p <Password>             Specifies the user's password with which the dbedit utility
                          connects to the Security Management Server.
                          Mandatory when you specify the "-s <Management_Server>" and
                          "-u <Username>" parameters.
-f <File_Name>            Specifies the file that contains the applicable dbedit internal
                          commands (see the section "dbedit Internal Commands" below):
                          - create <object_type> <object_name>
                          - modify <table_name> <object_name> <field_name> <value>
                          - update <table_name> <object_name>
                          - delete <table_name> <object_name>
                          - print <table_name> <object_name>
                          - quit
                          Note - Each command is limited to 4096 characters.
ignore_script_failure     Continues to execute the dbedit internal commands in the file and
                          ignores errors.
                          You can use it only together with the "-f <File_Name>" parameter.
-continue_updating        Continues to update the modified objects, even if the operation
                          fails for some of the objects (ignores the errors and runs the
                          update_all command at the end of the script).
                          You can use it only together with the "-f <File_Name>" parameter.
-r "<Open_Reason_Text>"   Specifies the reason for opening the database in read-write mode
                          (the default mode).
-d <Database_Name>        Specifies the name of the database to which the dbedit utility
                          connects (for example, mdsdb).
-listen                   The dbedit utility "listens" for changes (use this mode for
                          advanced troubleshooting with the assistance of Check Point
                          Support).
                          The dbedit utility prints its internal messages when a change
                          occurs in the management database.
-readonly                 Opens the management database in read-only mode.
-session                  Session connectivity.
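
Because a mistake in a "-f" script is applied straight to the management database, it pays to generate and check the file offline before running it. The following Python is an added example, not Check Point code: it builds a command file for "dbedit -local -f <File_Name>" from the internal commands documented in the next section (create, modify, addelement, quit -update_all), rejects object names outside the limits the guide states for create and commands over 4096 characters, and quotes values containing spaces the way the guide's comments example does. The name check admits underscores in addition to letters, digits and dashes because the guide's own examples (My_Service, my_obj) use them; the tcp_service, services, port and comments names follow the guide's examples, and the service group is assumed to exist already.

```python
"""Added example (not Check Point code): build a dbedit command file for
`dbedit -local -f <File_Name>` and enforce, before anything touches the
management database, the limits the guide states: object names of at most 100
characters from a restricted alphabet, commands of at most 4096 characters,
and an explicit commit at the end."""
import re
from typing import Iterable, List

# The guide lists ASCII letters, digits and dashes; its own examples (My_Service,
# my_obj) also use underscores, so underscore is admitted here as well.
OBJECT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,100}$")
MAX_COMMAND_LEN = 4096  # per-command limit stated for the -f parameter


def is_valid_object_name(name: str) -> bool:
    return OBJECT_NAME_RE.match(name) is not None


def check_object_name(name: str) -> str:
    """Reject names dbedit would not accept before they reach the server."""
    if not is_valid_object_name(name):
        raise ValueError(f"invalid dbedit object name: {name!r}")
    return name


def dbedit_create(object_type: str, name: str) -> str:
    """create <object_type> <object_name>"""
    return f"create {object_type} {check_object_name(name)}"


def dbedit_modify(table: str, name: str, field: str, value: str) -> str:
    """modify <table> <object> <field> <value>; a value containing spaces is
    wrapped in double quotes, as in the guide's comments example."""
    if '"' in value or "\n" in value:
        raise ValueError("double quotes and newlines in values are not supported here")
    if any(ch.isspace() for ch in value):
        value = f'"{value}"'
    return f"modify {table} {check_object_name(name)} {field} {value}"


def dbedit_addelement(table: str, group: str, field: str, value: str) -> str:
    """addelement <table> <object> <field> <value>; for group membership the
    guide passes '' as the field and <table>:<member> as the value."""
    return f"addelement {table} {check_object_name(group)} {field} {value}"


def build_script(commands: Iterable[str]) -> str:
    """Join the commands into the file contents, checking the per-command
    limit, and end with `quit -update_all` so every modified object is saved."""
    lines: List[str] = []
    for cmd in commands:
        if "\n" in cmd:
            raise ValueError("a dbedit command must be a single line")
        if len(cmd) > MAX_COMMAND_LEN:
            raise ValueError(f"command exceeds {MAX_COMMAND_LEN} characters: {cmd[:40]}...")
        lines.append(cmd)
    lines.append("quit -update_all")
    return "\n".join(lines) + "\n"


def new_tcp_service_script(name: str, port: int, group: str) -> str:
    """Create a TCP service, set its port and comment, and add it to an
    existing service group. Type, table and field names (tcp_service,
    services, port, comments) follow the guide's examples; the group is
    assumed to exist."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return build_script([
        dbedit_create("tcp_service", name),
        dbedit_modify("services", name, "port", str(port)),
        dbedit_modify("services", name, "comments", "Created with dbedit -f"),
        dbedit_addelement("services", group, "''", f"services:{name}"),
    ])


if __name__ == "__main__":
    # Save the output to a file and apply it on the Management Server with:
    #   dbedit -local -f /var/tmp/new_service.txt
    print(new_tcp_service_script("My-Service", 8443, "MyServicesGroup"), end="")
```

Run the generated file with -readonly first, or review it with the print commands of the next section, before applying it; add ignore_script_failure only when partial application of the script is acceptable.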

dbedit Internal Commands

Note - To see the available tables, class names (object types), attributes and values,
connect to the Management Server with the Database Tool (GuiDBEdit Tool) (see sk13009).

Command      Description, Syntax, Examples
-h           Description:
             Prints the general help.
             Syntax:
             dbedit> -h
-q           Description:
quit         Quits dbedit.
             Syntax:
             dbedit> -q
             dbedit> quit [-update_all | -noupdate]
             Examples:
             - Exit the utility and commit the remaining modified objects (interactive
               mode):
               dbedit> quit
             - Exit the utility and update all the remaining modified objects:
               dbedit> quit -update_all
             - Exit the utility and discard all modifications:
               dbedit> quit -noupdate

update       Description:
             Saves the specified object in the specified table (for example,
             "network_objects", "services", "users").
             Syntax:
             dbedit> update <table_name> <object_name>
             Example:
             Save the object My_Service in the table services:
             dbedit> update services My_Service
update_all   Description:
             Saves all the modified objects.
             Syntax:
             dbedit> update_all
_print_set   Description:
             Prints the specified object from the specified table (for example,
             "network_objects", "services", "users") as it appears in the
             $FWDIR/conf/objects_5_0.C file (sets of attributes).
             Syntax:
             dbedit> _print_set <table_name> <object_name>
             Example:
             Print the object My_Obj from the table network_objects:
             dbedit> _print_set network_objects My_Obj
print        Description:
             Prints the list of attributes of the specified object from the specified
             table (for example, "network_objects", "properties", "services",
             "users").
             Syntax:
             dbedit> print <table_name> <object_name>
             Examples:
             - Print the object My_Obj from the table network_objects (in "Network
               Objects"):
               dbedit> print network_objects My_Obj
             - Print the object firewall_properties from the table properties (in
               "Global Properties"):
               dbedit> print properties firewall_properties

printxml     Description:
             Prints, in XML format, the list of attributes of the specified object from
             the specified table (for example, "network_objects", "properties",
             "services", "users").
             You can export the settings from a Management Server to an XML file that you
             can use later with external automation systems.
             Syntax:
             dbedit> printxml <table_name> [<object_name>]
             Examples:
             - Print the object My_Obj from the table network_objects:
               dbedit> printxml network_objects My_Obj
             - Print the object firewall_properties from the table properties (in
               "Global Properties"):
               dbedit> printxml properties firewall_properties
printbyuid   Description:
             Prints the attributes of the object specified by its UID (appears in the
             $FWDIR/conf/objects_5_0.C file at the beginning of the object as
             "chkpf_uid ({...})").
             Syntax:
             dbedit> printbyuid {object_id}
             Example:
             Print the attributes of the object with the specified UID:
             dbedit> printbyuid {D3833F1D-0A58-AA42-865F-39BFE3C126F1}

query        Description:
             Prints all the objects in the specified table.
             Optionally, you can query for objects with a specific attribute and value:
             the condition follows a comma after "query <table_name>" (spaces are not
             allowed between the <attribute>, the equal sign and '<value>').
             Syntax:
             dbedit> query <table_name> [, <attribute>='<value>']
             Examples:
             - Print all objects in the table users:
               dbedit> query users
             - Print all objects in the table network_objects that are defined as
               Management Servers:
               dbedit> query network_objects, management='true'
             - Print all objects in the table services with the name ssh:
               dbedit> query services, name='ssh'
             - Print all objects in the table services with the port 22:
               dbedit> query services, port='22'
             - Print all objects with the IP address [Link]:
               dbedit> query network_objects, ipaddr='[Link]'
whereused    Description:
             Checks where the specified object is used in the database.
             Prints the number of places where this object is used and relevant
             information about each such place.
             Syntax:
             dbedit> whereused <table_name> <object_name>
             Example:
             Check where the object My_Obj is used:
             dbedit> whereused network_objects My_Obj

create       Description:
             Creates an object of the specified type (with its default values) in the
             database.
             Restrictions apply to the object's name:
             - Object names can have a maximum of 100 characters.
             - Object names can contain only ASCII letters, numbers, and dashes.
             - Reserved words are blocked by the Management Server (refer to sk40179).
             Syntax:
             dbedit> create <object_type> <object_name>
             Example:
             Create the service object My_Service of the type tcp_service (with its
             default values):
             dbedit> create tcp_service My_Service
delete       Description:
             Deletes an object from the specified table.
             Syntax:
             dbedit> delete <table_name> <object_name>
             Example:
             Delete the service object My_Service from the table services:
             dbedit> delete services My_Service

modify       Description:
             Modifies the value of the specified attribute in the specified object in
             the specified table (for example, "network_objects", "services", "users")
             in the management database.
             Syntax:
             dbedit> modify <table_name> <object_name> <field_name> <value>
             Examples:
             - Modify the color to red in the object My_Service in the table services:
               dbedit> modify services My_Service color red
             - Add a comment to the object MyObj:
               dbedit> modify network_objects MyObj comments "Created by fwadmin with dbedit"
             - Set the value of the global property ike_use_largest_possible_subnets in
               the table properties to false:
               dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false
             - Create a new interface on the Security Gateway My_FW and modify its
               attributes: set the IP address / mask and enable Anti-Spoofing on the
               interface with "Element Index"=3 (check the attributes of the object
               My_FW in the Database Tool (GuiDBEdit Tool) (see sk13009)):
               dbedit> addelement network_objects My_FW interfaces interface
               dbedit> modify network_objects My_FW interfaces:3:officialname NAME_OF_INTERFACE
               dbedit> modify network_objects My_FW interfaces:3:ipaddr IP_ADDRESS
               dbedit> modify network_objects My_FW interfaces:3:netmask NETWORK_MASK
               dbedit> modify network_objects My_FW interfaces:3:security:netaccess:access specific
               dbedit> modify network_objects My_FW interfaces:3:security:netaccess:allowed network_objects:group_name
               dbedit> modify network_objects My_FW interfaces:3:security:netaccess:perform_anti_spoofing true
             - Set the value of FieldA in the object MyObj to LINKSYS:
               dbedit> modify network_objects MyObj FieldA LINKSYS
             - In the Owned Object MyObj, change the value of FieldB to NewVal:
               dbedit> modify network_objects MyObj FieldA:FieldB NewVal
             - In the Linked Object MyObj, change the value of FieldA from B to C:
               dbedit> modify network_objects MyObj FieldA B:C

lock         Description:
             Locks the specified object (by administrator) in the specified table (for
             example, "network_objects", "services", "users") so that other users
             cannot modify it.
             For example, if you connect from a remote computer to this Management
             Server as admin1 and lock an object, you are still able to connect as
             admin2, but you are not able to modify the locked object until admin1
             releases the lock.
             Syntax:
             dbedit> lock <table_name> <object_name>
             Example:
             Lock the object My_Service_Obj in the table services in the database:
             dbedit> lock services My_Service_Obj
addelement   Description:
             Adds a specified multiple field / container (with the specified value) to
             a specified object in the specified table.
             Syntax:
             dbedit> addelement <table_name> <object_name> <field_name> <value>
             Examples:
             - Add the element BranchObjectClass with the value Organization to the
               multiple field Read in the object My_Obj in the table ldap:
               dbedit> addelement ldap My_Obj Read:BranchObjectClass Organization
             - Add the service MyService to the group of services MyServicesGroup in
               the table services:
               dbedit> addelement services MyServicesGroup '' services:MyService
             - Add the network MyNetwork to the group of networks MyNetworksGroup in
               the table network_objects:
               dbedit> addelement network_objects MyNetworksGroup '' network_objects:MyNetwork

rmelement
Description:
Removes a specified multiple field / container (with the specified value) from a specified object in the specified table.
Syntax:
dbedit> rmelement <table_name> <object_name> <field_name> <value>
Examples:
- Remove the service MyService from the group of services MyServicesGroup in the table services:
  dbedit> rmelement services MyServicesGroup '' services:MyService
- Remove the network MyNetwork from the group of networks MyNetworksGroup in the table network_objects:
  dbedit> rmelement network_objects MyNetworksGroup '' network_objects:MyNetwork
- Remove the element BranchObjectClass with the value Organization from the multiple field Read in the object My_Obj in the table ldap:
  dbedit> rmelement ldap My_Obj Read:BranchObjectClass Organization

rename
Description:
Renames the specified object in the specified table.
Syntax:
dbedit> rename <table_name> <object_name> <new_object_name>
Example:
Rename the network object london to chicago in the table network_objects:
dbedit> rename network_objects london chicago

rmbyindex
Description:
Removes an element from a container by the element's index.
Syntax:
dbedit> rmbyindex <table_name> <object_name> <field_name> <index_number>
Example:
Remove the element backup_log_servers from the container log_servers by element index 1 in the table network_objects:
dbedit> rmbyindex network_objects g log_servers:backup_log_servers 1

add_owned_remove_name
Description:
Adds an owned object (and removes its name) to a specified owned object field (or container).
Syntax:
dbedit> add_owned_remove_name <table_name> <object_name> <field_name> <value>
Example:
Add the owned object My_Gateway (and remove its name) to the owned object field (or container) my_external_products:
dbedit> add_owned_remove_name network_objects My_Gateway additional_products owned:my_external_products

is_delete_allowed
Description:
Checks if the specified object can be deleted from the specified table (an object cannot be deleted if it is used by other objects).
Syntax:
dbedit> is_delete_allowed <table_name> <object_name>
Example:
Check if the object MyObj can be deleted from the table network_objects:
dbedit> is_delete_allowed network_objects MyObj

set_pass
Description:
Sets the specified password for the specified user.
Notes:
- The password must contain at least 4 characters and no more than 50 characters.
- This command cannot change the administrator's password.
Syntax:
dbedit> set_pass <Username> <Password>
Example:
Set the password 1234 for the user abcd:
dbedit> set_pass abcd 1234

savedb
Description:
Saves the database. You can run this command only when the database is locked globally (when you start the dbedit utility with the "dbedit -globallock" command).
Syntax:
dbedit> savedb

savesession
Description:
Saves the session. You can run this command only when you start the dbedit utility in session mode (with the "dbedit -session" command).
Syntax:
dbedit> savesession

fw
Description
- Performs various operations on Security or Audit log files.
- Kills the specified Check Point processes.
- Manages the Suspicious Activity Monitoring (SAM) rules.
- Manages the Suspicious Activity Policy editor.

Syntax

fw [-d]
      fetchlogs <options>
      hastat <options>
      kill <options>
      log <options>
      logswitch <options>
      lslogs <options>
      mergefiles <options>
      repairlog <options>
      sam <options>
      sam_policy <options>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

fetchlogs <options>
    Fetches the specified Check Point log files - Security ($FWDIR/log/*.log*) or Audit ($FWDIR/log/*.adtlog*), from the specified Check Point computer.
    See "fw fetchlogs" on page 881.

hastat <options>
    Shows information about Check Point computers in High Availability configuration and their states.
    See "fw hastat" on page 885.

kill <options>
    Kills the specified Check Point process.
    See "fw kill" on page 886.

log <options>
    Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).
    See "fw log" on page 887.

logswitch <options>
    Switches the current active Check Point log file - Security ($FWDIR/log/[Link]) or Audit ($FWDIR/log/[Link]).
    See "fw logswitch" on page 897.

lslogs <options>
    Shows a list of Check Point log files - Security ($FWDIR/log/*.log*) or Audit ($FWDIR/log/*.adtlog*), located on the local computer or a remote computer.
    See "fw lslogs" on page 901.

mergefiles <options>
    Merges several Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog), into a single log file.
    See "fw mergefiles" on page 904.

repairlog <options>
    Rebuilds pointer files for Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).
    See "fw repairlog" on page 907.

sam <options>
    Manages the Suspicious Activity Monitoring (SAM) rules.
    See "fw sam" on page 908.

sam_policy <options>
or
samp <options>
    Manages the Suspicious Activity Policy editor that works with these types of rules:
    - Suspicious Activity Monitoring (SAM) rules.
    - Rate Limiting rules.
    See "fw sam_policy" on page 916.

fw fetchlogs

Description
Fetches the specified Security log files ($FWDIR/log/*.log*) or Audit log files ($FWDIR/log/*.adtlog*) from the specified Check Point server.

Important - You can run this command in the Expert mode or in Gaia Clish (Gaia gClish on Scalable Platforms).

Syntax

fw [-d] fetchlogs [-f <Name of Log File 1>] [-f <Name of Log File 2>]... [-f <Name of Log File N>] <Target>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-f <Name of Log File N>
    Specifies the name of the log file to fetch. You need to specify only the file name.
    Notes:
    - If you do not specify the log file name explicitly, the command transfers all Security log files ($FWDIR/log/*.log*) and all Audit log files ($FWDIR/log/*.adtlog*).
    - The specified log file name can include the wildcards * and ? (for example, 2017-0?-*.log).
      If you enter a wildcard, you must enclose it in double quotes or single quotes.
    - You can specify multiple log files in one command.
      You must use the -f parameter for each log file name pattern.
    - This command also transfers the applicable log pointer files.

<Target>
    Specifies the remote Check Point server, with which this local Check Point server has established SIC trust.
    Notes:
    - The local and the remote servers must have established SIC trust.
    - The local server can be a Security Management Server, a Log Server, or a Cluster Member.
    - The remote server can be a Security Gateway, a Cluster Member, a Log Server, or a Security Management Server in a High Availability deployment.
    - You can specify the remote managed server by its main IP address or Object Name as configured in SmartConsole.

Notes:
- This command moves the specified log files from the $FWDIR/log/ directory on the specified Check Point server.
  Meaning, it deletes the specified log files on the specified Check Point server after it copies them successfully.
- This command moves the specified log files to the $FWDIR/log/ directory on the local Check Point server, on which you run this command.
- This command cannot fetch the active log files $FWDIR/log/[Link] or $FWDIR/log/[Link].
  To fetch these active log files:
  1. Perform the log switch on the applicable Check Point server (see "fw logswitch" on page 897):
     fw logswitch [-audit] [-h <IP Address or Hostname>]
  2. Fetch the rotated log file from the applicable Check Point server:
     fw fetchlogs -f <Log File Name> <IP Address or Hostname>
- This command renames the log files it fetched from the specified Check Point server.
  The new log file name is the concatenation of these:
  - The Check Point server's name (as configured in SmartConsole).
  - Two underscore (_) characters.
  - The original log file name.
  Example: MyGW__2019-06-01_000000.log

Example - Fetching log files from a Management Server

[Expert@HostName:0]# fw lslogs MyGW
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
5796KB 2019-06-01_000000.log
4610KB [Link]
[Expert@HostName:0]#

[Expert@HostName:0]# fw fetchlogs -f 2019-06-01_000000 MyGW
File fetching in process. It may take some time...
File MyGW__2019-06-01_000000.log was fetched successfully
[Expert@HostName:0]#

[Expert@HostName:0]# ls $FWDIR/log/MyGW*
/opt/CPsuite-R82/fw1/log/MyGW__2019-06-01_000000.log
/opt/CPsuite-R82/fw1/log/MyGW__2019-06-01_000000.logaccount_ptr
/opt/CPsuite-R82/fw1/log/MyGW__2019-06-01_000000.loginitial_ptr
/opt/CPsuite-R82/fw1/log/MyGW__2019-06-01_000000.logptr
[Expert@HostName:0]#

[Expert@HostName:0]# fw lslogs MyGW
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
4610KB [Link]
[Expert@HostName:0]#
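A check of a fw fetchlogs run, as an added example that is not part of this guide or of Check Point's code: because fw fetchlogs deletes the remote copy of each log once it has been copied, a collection script should confirm that every file that disappeared from the remote fw lslogs listing now exists locally under the <object name>__<original name> convention, together with its three pointer files (the .logptr, .loginitial_ptr and .logaccount_ptr names come from the ls output above). The listings and the local directory contents are constructed from the example above; size units other than KB are an assumption.

```python
"""Audit a `fw fetchlogs` run from `fw lslogs` listings (added example, not Check Point code)."""
import re
from typing import Dict, List

# Suffixes of the pointer files that accompany a fetched log, taken from the guide's
# `ls $FWDIR/log/MyGW*` output: <name>.logptr, <name>.loginitial_ptr, <name>.logaccount_ptr
POINTER_SUFFIXES = ("ptr", "initial_ptr", "account_ptr")

# The guide's listings show sizes in KB; the other units are an assumption.
_SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
_ROW_RE = re.compile(r"^\s*(\d+)\s*(B|KB|MB|GB)\s+(\S+)\s*$")


def parse_lslogs(listing: str) -> Dict[str, int]:
    """Map log file name -> size in bytes from `fw lslogs` output.

    The "Size Log file name" header, shell prompts and blank lines are ignored.
    """
    files: Dict[str, int] = {}
    for line in listing.splitlines():
        m = _ROW_RE.match(line)
        if m:
            files[m.group(3)] = int(m.group(1)) * _SIZE_UNITS[m.group(2)]
    return files


def fetched_name(gateway: str, log_name: str) -> str:
    """Local name `fw fetchlogs` gives a copied file: <object name>__<original name>."""
    return f"{gateway}__{log_name}"


def audit_fetch(gateway: str, before: str, after: str,
                local_files: List[str]) -> Dict[str, List[str]]:
    """Classify every log that vanished from the remote listing between `before` and `after`.

    complete         - the log and all its pointer files exist locally
    missing_pointers - the log exists locally but a pointer file is absent
    missing_log      - no local copy at all (the remote copy is already gone)
    """
    gone = set(parse_lslogs(before)) - set(parse_lslogs(after))
    local = set(local_files)
    result: Dict[str, List[str]] = {"complete": [], "missing_log": [], "missing_pointers": []}
    for name in sorted(gone):
        local_name = fetched_name(gateway, name)
        if local_name not in local:
            result["missing_log"].append(name)
        elif all(local_name + suffix in local for suffix in POINTER_SUFFIXES):
            result["complete"].append(name)
        else:
            result["missing_pointers"].append(name)
    return result


# Constructed samples based on the guide's example. Prompt and header lines are kept
# on purpose to show that the parser skips them; the active log is omitted because
# fetchlogs never transfers it.
BEFORE = """\
[Expert@HostName:0]# fw lslogs MyGW
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
5796KB 2019-06-01_000000.log
[Expert@HostName:0]#
"""
AFTER = """\
Size Log file name
23KB 2019-05-16_000000.log
9KB 2019-05-17_000000.log
11KB 2019-05-18_000000.log
"""
# Constructed: basenames from the guide's `ls $FWDIR/log/MyGW*` output.
LOCAL = [
    "MyGW__2019-06-01_000000.log",
    "MyGW__2019-06-01_000000.logaccount_ptr",
    "MyGW__2019-06-01_000000.loginitial_ptr",
    "MyGW__2019-06-01_000000.logptr",
]

if __name__ == "__main__":
    for status, names in audit_fetch("MyGW", BEFORE, AFTER, LOCAL).items():
        print(f"{status}: {names}")
```

In practice the two listings come from fw lslogs <Target> run before and after the fetch, and the local list from the $FWDIR/log/ directory on the server that ran fw fetchlogs; a file in missing_log means the remote copy was deleted without a surviving local copy and should be treated as a log gap.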

fw hastat

Description
Shows information about Check Point computers in High Availability configuration and their states.

Note - This command is outdated. On Management Servers, run the "cpstat" on page 832 command.

Syntax

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

Parameters

Parameter Description

<Target1> <Target2> ... <TargetN>
    Specifies the Check Point computers to query.
    If you run this command on the Management Server, you can enter the applicable IP address, or the resolvable HostName of the managed Security Gateway or Cluster Member.
    If you do not specify the target, the command queries the local computer.

Example - Querying the cluster members from the Management Server

[Expert@MGMT:0]# fw hastat [Link]
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
[Link] 1 active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat [Link]
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
[Link] 2 stand-by OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat [Link] [Link]
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
[Link] 1 active OK
[Link] 2 stand-by OK
[Expert@MGMT:0]#

fw kill

Description
Kills the specified Check Point processes.

Important:
- Make sure the killed process is restarted, or restart it manually. See sk97638.
- You can run this command in the Expert mode or in Gaia Clish (Gaia gClish on Scalable Platforms).

Syntax

fw [-d] kill [-t <Signal Number>] <Name of Process>

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-t <Signal Number>
    Specifies which signal to send to the Check Point process.
    For the list of available signals and their numbers, run the kill -l command.
    For information about the signals, see the manual pages for kill and signal.
    If you do not specify the signal explicitly, the command sends Signal 15 (SIGTERM).
    Note - Processes can ignore some signals.

<Name of Process>
    Specifies the name of the Check Point process to kill.
    To see the names of the processes, run the ps auxwf command.

Example
fw kill fwd

fw log

Description
Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).

Important - You can run this command in the Expert mode or in Gaia Clish (Gaia gClish on Scalable Platforms).

Syntax

fw log {-h | -help}

fw [-d] log [-a] [-b "<Start Timestamp>" "<End Timestamp>"] [-c <Action>] [{-f | -t}] [-g] [-H] [-h <Origin>] [-i] [-k {<Alert Name> | all}] [-l] [-m {initial | semi | raw}] [-n] [-o] [-p] [-q] [-S] [-s "<Start Timestamp>"] [-e "<End Timestamp>"] [-u <Unification Scheme File>] [-w] [-x <Start Entry Number>] [-y <End Entry Number>] [-z] [-#] [<Log File>]

Parameters

Parameter Description

{-h | -help}
    Shows the built-in usage.
    Note - The built-in usage does not show some of the parameters described in this table.

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-a
    Shows only Account log entries.

-b "<Start Timestamp>" "<End Timestamp>"
    Shows only entries that were logged between the specified start and end times.
    - The <Start Timestamp> and <End Timestamp> may be a date, a time, or both.
    - If the date is omitted, then the command assumes the current date.
    - Enclose the <Start Timestamp> and <End Timestamp> in single or double quotes (-b 'XX' 'YY', or -b "XX" "YY").
    - You cannot use the "-b" parameter together with the "-s" or "-e" parameters.
    - See the date and time format below.

-c <Action>
    Shows only events with the specified action. One of these:
    - accept
    - drop
    - reject
    - encrypt
    - decrypt
    - vpnroute
    - keyinst
    - authorize
    - deauthorize
    - authcrypt
    - ctl
    Notes:
    - The fw log command always shows the Control (ctl) actions.
    - For the login action, use authcrypt.

-e "<End Timestamp>"
    Shows only entries that were logged before the specified time.
    Notes:
    - The <End Timestamp> may be a date, a time, or both.
    - Enclose the <End Timestamp> in single or double quotes (-e '...', or -e "...").
    - You cannot use the "-e" parameter together with the "-b" parameter.
    - See the date and time format below.

-f
    This parameter:
    1. Shows the saved entries that match the specified conditions.
    2. After the command reaches the end of the currently opened log file, it continues to monitor the log file indefinitely and shows the new entries that match the specified conditions.
    Note - Applies only to the active log file $FWDIR/log/[Link] or $FWDIR/log/[Link]

-g
    Does not show delimiters.
    The default behavior is:
    - Show a colon (:) after a field name
    - Show a semi-colon (;) after a field value

-H
    Shows the High Level Log key.

-h <Origin>
    Shows only logs that were generated by the Security Gateway with the specified IP address or object name (as configured in SmartConsole).

-i
    Shows the log UID.

-k {<Alert Name> | all}
    Shows entries that match a specific alert type:
    - <Alert Name> - Show only entries that match a specific alert type:
      - alert
      - mail
      - snmp_trap
      - spoof
      - user_alert
      - user_auth
    - all - Show entries that match all alert types (this is the default).

-l
    Shows both the date and the time for each log entry.
    The default is to show the date only once above the relevant entries, and then specify the time for each log entry.

-m {initial | semi | raw}
    Specifies the log unification mode:
    - initial - Complete unification of log entries. The command shows one unified log entry for each ID. This is the default.
      If you also specify the -f parameter, then the output does not show any updates, but shows only entries that relate to the start of new connections. To show updates, use the semi parameter.
    - semi - Step-by-step unification of log entries. For each log entry, the output shows an entry that unifies this entry with all previously encountered entries with the same ID.
    - raw - No log unification. The output shows all log entries.

-n
    Does not perform DNS resolution of the IP addresses in the log file (this is the default behavior).
    This significantly speeds up the log processing.

-o
    Shows detailed log chains - shows all the log segments in the log entry.

-p
    Does not perform resolution of the port numbers in the log file (this is the default behavior).
    This significantly speeds up the log processing.

-q
    Shows the names of log header fields.

-S
    Shows the Sequence Number.

-s "<Start Timestamp>"
    Shows only entries that were logged after the specified time.
    Notes:
    - The <Start Timestamp> may be a date, a time, or both.
    - If the date is omitted, then the command assumes the current date.
    - Enclose the <Start Timestamp> in single or double quotes (-s '...', or -s "...").
    - You cannot use the "-s" parameter together with the "-b" parameter.
    - See the date and time format below.

-t
    This parameter:
    1. Does not show the saved entries that match the specified conditions.
    2. After the command reaches the end of the currently opened log file, it continues to monitor the log file indefinitely and shows the new entries that match the specified conditions.
    Note - Applies only to the active log file $FWDIR/log/[Link] or $FWDIR/log/[Link]

-u <Unification Scheme File>
    Specifies the path and name of the log unification scheme file.
    The default log unification scheme file is: $FWDIR/conf/log_unification_scheme.C

-w
    Shows the flags of each log entry (different bits used to specify the "nature" of the log - for example, control, audit, accounting, complementary, and so on).

-x <Start Entry Number>
    Shows only entries from the specified log entry number and below, counting from the beginning of the log file.

-y <End Entry Number>
    Shows only entries until the specified log entry number, counting from the beginning of the log file.

-z
    In case of an error (for example, a wrong field value), continues to show log entries.
    The default behavior is to stop.

-#
    Shows confidential logs in clear text.

<Log File>
    Specifies the log file to read.
    If you do not specify the log file explicitly, the command opens the $FWDIR/log/[Link] log file.
    You can specify a switched log file.

Date and Time format

Part of timestamp    Format                  Example
Date only            MMM DD, YYYY            June 11, 2018
Time only            HH:MM:SS                14:20:00
                     Note - In this case, the command assumes the current date.
Date and Time        MMM DD, YYYY HH:MM:SS   June 11, 2018 14:20:00

Output
Each output line consists of a single log entry, whose fields appear in this format:
Note - The fields that are shown depend on the connection type.

HeaderDateHour ContentVersion HighLevelLogKey Uuid SequenceNum Flags Action Origin IfDir InterfaceName LogId ...

This table describes some of the fields.

Field Header - Description - Example

HeaderDateHour
    Date and Time.
    Example: 12Jun2018 12:56:42

ContentVersion
    Version.
    Example: 5

HighLevelLogKey
    High Level Log Key.
    Example: <max_null>, or empty

Uuid
    Log UUID.
    Example: (0x5b1f99cb,0x0,0x3403a8c0,0xc0000000)

SequenceNum
    Log Sequence Number.
    Example: 1

Flags
    Internal flags that specify the "nature" of the log - for example, control, audit, accounting, complementary, and so on.
    Example: 428292

Action
    Action performed on this connection.
    Examples: accept, drop, reject, encrypt, decrypt, vpnroute, keyinst, authorize, deauthorize, authcrypt, ctl

Origin
    Object name of the Security Gateway that generated this log.
    Example: MyGW

IfDir
    Traffic direction through the interface:
    - < - Outbound (sent by a Security Gateway)
    - > - Inbound (received by a Security Gateway)
    Examples: <, >

InterfaceName
    Name of the Security Gateway interface, on which this traffic was logged.
    If a Security Gateway performed some internal action (for example, log switch), then the log entry shows daemon.
    Examples: eth0, daemon, N/A

LogId
    Log ID.
    Example: 0

Alert
    Alert Type.
    Examples: alert, mail, snmp_trap, spoof, user_alert, user_auth

OriginSicName
    SIC name of the Security Gateway that generated this log.
    Example: CN=MyGW,O=MyDomain_[Link].s6t98x

inzone
    Inbound Security Zone.
    Example: Local

outzone
    Outbound Security Zone.
    Example: External

service_id
    Name of the service used to inspect this connection.
    Example: ftp

src
    Object name or IP address of the connection's source computer.
    Example: MyHost

dst
    Object name or IP address of the connection's destination computer.
    Example: MyFTPServer

proto
    Name of the connection's protocol.
    Example: tcp

sport_svc
    Source port of the connection.
    Example: 64933

ProductName
    Name of the Check Point product that generated this log.
    Examples: VPN-1 & FireWall-1, Application Control, FloodGate-1

ProductFamily
    Name of the Check Point product family that generated this log.
    Example: Network

Examples
Example 1 - Show all log entries with both the date and the time for each log entry
fw log -l

Example 2 - Show all log entries that start after the specified timestamp
[Expert@MyGW:0]# fw log -l -s "June 12, 2018 12:33:00"
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_[Link].s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_[Link].s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

... ... ...

[Expert@MyGW:0]#

Example 3 - Show all log entries between the specified timestamps
[Expert@MyGW:0]# fw log -l -b "June 12, 2018 12:33:00" 'June 12, 2018 12:34:00'
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_[Link].s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_[Link].s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_[Link].s6t98x; description: Contracts; reason: Could not reach "[Link] Check DNS and Proxy configuration on the gateway.; Severity: 2; status: Failed; version: 1.0; failure_impact: Contracts may be out-of-date; update_service: 1; ProductName: Security Gateway/Management; ProductFamily: Network;
[Expert@MyGW:0]#

Example 4 - Show all log entries with action "drop"
[Expert@MyGW:0]# fw log -l -c drop
12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_[Link].s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 5 - Show all log entries with action "drop", show all field headers, and show log flags
[Expert@MyGW:0]# fw log -l -q -w -c drop
HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; Action: drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_[Link].s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#

Example 6 - Show only log entries from 0 to 10 (counting from the beginning of the log file)
[Expert@MyGW:0]# fw log -l -x 0 -y 10
... ...
[Expert@MyGW:0]#
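A parser for the fw log -q -w output format described in the Output section above, as an added example that is not part of this guide or of Check Point's code. With -q every value is labelled, which is the form to use in scripts: in the default positional layout a field can be empty (the ctl entry in Example 3 has no InterfaceName), so column positions shift. The parser handles blank values such as "LogUid: ;", the TABLE_START / ROW_START nesting of UP_match_table and UP_action_table, and the HeaderDateHour format printed with -l, and then applies the kind of Action and time-window filters that -c, -s and -e apply on the command line. The sample capture is constructed: the drop line is based on Example 5, the accept line is Example 2's accept entry rewritten in -q form (the positional N/A written as <max_null>, an assumption).

```python
"""Parse `fw log -q -w` output into dicts (added example, not Check Point code)."""
from datetime import datetime
from typing import Any, Dict, List, Optional, Tuple


def parse_fw_log_line(line: str) -> Dict[str, Any]:
    """Turn one `fw log -q` line into a dict.

    Plain fields become strings (empty when the value is blank, e.g. "LogUid: ;").
    A group delimited by "<name>: TABLE_START" ... "<name>: TABLE_END" becomes a list
    with one dict per "ROW_START" ... "ROW_END" pair, e.g. UP_match_table.
    """
    entry: Dict[str, Any] = {}
    table: Optional[str] = None          # name of the table currently being collected
    row: Optional[Dict[str, str]] = None  # row currently being filled
    for chunk in line.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        key, sep, value = chunk.partition(":")   # first ':' only; timestamps contain ':'
        if not sep:
            raise ValueError(f"field without ':' separator: {chunk!r}")
        key, value = key.strip(), value.strip()
        if value == "TABLE_START":
            table = key
            entry.setdefault(key, [])
        elif value == "TABLE_END":
            table = None
        elif key == "ROW_START":
            row = {}
        elif key == "ROW_END":
            if table is not None and row is not None:
                entry[table].append(row)
            row = None
        elif row is not None:
            row[key] = value
        else:
            entry[key] = value
    return entry


def parse_fw_log(output: str) -> List[Dict[str, Any]]:
    """Parse a whole capture, skipping shell prompt lines and blank lines."""
    return [parse_fw_log_line(ln) for ln in output.splitlines()
            if ln.strip() and not ln.startswith("[")]


def entry_time(entry: Dict[str, Any]) -> datetime:
    """HeaderDateHour as printed with -l, e.g. "12Jun2018 12:33:39"."""
    return datetime.strptime(entry["HeaderDateHour"], "%d%b%Y %H:%M:%S")


def select(entries: List[Dict[str, Any]], action: Optional[str] = None,
           start: Optional[datetime] = None,
           end: Optional[datetime] = None) -> List[Dict[str, Any]]:
    """Filter by Action and by an inclusive time window, like -c / -s / -e on the CLI."""
    out = []
    for e in entries:
        t = entry_time(e)
        if action and e.get("Action") != action:
            continue
        if start and t < start:
            continue
        if end and t > end:
            continue
        out.append(e)
    return out


def drop_counts_by_rule(entries: List[Dict[str, Any]]) -> Dict[Tuple[str, str], int]:
    """Count drops per (layer_name, rule_uid) taken from the UP_match_table rows,
    which tells you which policy rule is responsible for the drops in a capture."""
    counts: Dict[Tuple[str, str], int] = {}
    for e in select(entries, action="drop"):
        for r in e.get("UP_match_table", []):
            k = (r.get("layer_name", ""), r.get("rule_uid", ""))
            counts[k] = counts.get(k, 0) + 1
    return counts


# Constructed sample capture (see the lead-in for how each line was derived).
SAMPLE_OUTPUT = """\
[Expert@MyGW:0]# fw log -l -q -w
HeaderDateHour: 12Jun2018 12:33:00; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; Action: accept; Origin: MyGW; IfDir: >; InterfaceName: N/A; Alert: ; LogId: <max_null>; ContextNum: <max_null>; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;
HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; Action: drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;
[Expert@MyGW:0]#
"""

if __name__ == "__main__":
    entries = parse_fw_log(SAMPLE_OUTPUT)
    for (layer, rule_uid), n in drop_counts_by_rule(entries).items():
        print(f"layer={layer!r} rule_uid={rule_uid} drops={n}")
```

Feed it the output of fw log -l -q -w (optionally with -c and a switched log file as the last argument); because a value may itself contain ':' (timestamps, SIC names), the split is on ';' first and only the first ':' of each piece separates the field name from its value.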

fw logswitch

Description
Switches the current active log file:
1. Closes the current active log file.
2. Renames the current active log file.
3. Creates a new active log file with the default name.

Notes:
- By default, this command switches the active Security log file - $FWDIR/log/[Link]
- You can specify to switch the active Audit log file - $FWDIR/log/[Link]

Important - You can run this command in the Expert mode or in Gaia Clish (Gaia gClish on Scalable Platforms).

Syntax

fw [-d] logswitch
      [-audit] [<Name of Switched Log>]
      -h <Target> [[+ | -]<Name of Switched Log>]

Parameters

Parameter Description

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-audit
    Specifies to switch the active Audit log file ($FWDIR/log/[Link]).
    You can use this parameter only on a Management Server.

-h <Target>
    Specifies the remote server, on which to switch the log.
    Notes:
    - The local and the remote servers must have established SIC trust.
    - The local server can be a Security Management Server or a Log Server.
    - The remote server can be a Security Gateway, a Log Server, or a Security Management Server in a High Availability deployment.
    - You can specify the remote managed server by its main IP address or Object Name as configured in SmartConsole.

<Name of Switched Log>
    Specifies the name of the switched log file.
    Notes:
    - If you do not specify this parameter, then the default name is:
      <YYYY-MM-DD_HHMMSS>.log
      <YYYY-MM-DD_HHMMSS>.adtlog
      For example, 2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the switched log file is:
      <Specified_Log_Name>.log
      <Specified_Log_Name>.adtlog
    - The log switch operation fails if the specified name for the switched log matches the name of an existing log file.
    - The maximum length of the specified name of the switched log file is 230 characters.

+
    Specifies to copy the active log from the remote server to the local server.
    Notes:
    - If you specify the name of the switched log file, you must write it immediately after this + (plus) parameter.
    - The command copies the active log from the remote server and saves it in the $FWDIR/log/ directory on the local server.
    - The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the saved log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    - When this command copies the log file from the remote server, it compresses the file.

-
    Specifies to transfer the active log from the remote server to the local server.
    Notes:
    - The command saves the copied active log file in the $FWDIR/log/ directory on the local server and then deletes the switched log file on the remote server.
    - If you specify the name of the switched log file, you must write it immediately after this - (minus) parameter.
    - The default name of the saved log file is:
      <Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log
      For example, MyGW__2018-03-26_174455.log
    - If you specify the name of the switched log file, then the name of the saved log file is:
      <Gateway_Object_Name>__<Specified_Log_Name>.log
    - When this command transfers the log file from the remote server, it compresses the file.
    - As an alternative, you can use the "fw fetchlogs" on page 881 command.

Compression
When this command transfers the log files from the remote server, it compresses the file with the gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of the LZ77 method. The compression ratio varies with the content of the log file and is difficult to predict. Binary data are not compressed. Text data, such as user names and URLs, are compressed.

Example - Switching the active Security log on a Security Management Server or Security Gateway

[Expert@MGMT:0]# fw logswitch
Log file has been switched to: 2018-06-13_182359.log
[Expert@MGMT:0]#

Example - Switching the active Audit log on a Security Management Server

[Expert@MGMT:0]# fw logswitch -audit
Log file has been switched to: 2018-06-13_185711.adtlog
[Expert@MGMT:0]#

Example - Switching the active Security log on a managed Security Gateway and copying the switched log

[Expert@MGMT:0]# fw logswitch -h MyGW +
Log file has been switched to: 2018-06-13_185451.log
[Expert@MGMT:0]#
[Expert@MGMT:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R82/fw1/log/[Link]
/opt/CPsuite-R82/fw1/log/MyGW__2018-06-13_185451.log
[Expert@MGMT:0]#

[Expert@MyGW:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R82/fw1/log/[Link]
/opt/CPsuite-R82/fw1/log/2018-06-13_185451.log
[Expert@MyGW:0]#

fw lslogs

Description
Shows a list of Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog) residing on the local server or a remote server.

Important - You can run this command in the Expert mode or in Gaia Clish (Gaia gClish on Scalable Platforms).

Syntax

fw [-d] lslogs [-f <Name of Log File 1>] [-f <Name of Log File 2>] ... [-f <Name of Log File N>] [-e] [-r] [-s {name | size | stime | etime}] [<Target>]

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-f <Name of Log File>
    Specifies the name of the log file to show.
    You need to specify only the file name.
    Notes:
    - If the log file name is not specified explicitly, the command shows all Security log files ($FWDIR/log/*.log).
    - File names may include * and ? as wildcards (for example, 2019-0?-*). If you enter a wildcard, you must enclose it in double quotes or single quotes.
    - You can specify multiple log files in one command. You must use the "-f" parameter for each log file name pattern:
      -f <Name of Log File 1> -f <Name of Log File 2> ... -f <Name of Log File N>


-e
    Shows an extended file list. It includes the following information for each log file:
    - Size - The total size of the log file and its related pointer files
    - Creation Time - The time the log file was created
    - Closing Time - The time the log file was closed
    - Log File Name - The file name

-r
    Reverses the sort order (descending order).

-s {name | size | stime | etime}
    Specifies the sort order of the log files using one of the following sort options:
    - name - The file name
    - size - The file size
    - stime - The time the log file was created (this is the default option)
    - etime - The time the log file was closed

<Target>
    Specifies the remote Check Point server, with which this local Check Point server has established SIC trust.
    Notes:
    - The local and the remote servers must have established SIC trust.
    - The local server can be a Security Management Server, a Log Server, a Security Gateway, or a Cluster Member.
    - The remote server can be a Security Gateway, a Cluster Member, a Log Server, or a Security Management Server in a High Availability deployment.
    - You can specify the remote managed server by its main IP address or Object Name as configured in SmartConsole.

Example 1 - Default output

[Expert@HostName:0]# fw lslogs
Size Log file name
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.log
9KB 2019-06-16_000000.log
10KB 2019-06-17_000000.log
9KB [Link]
[Expert@HostName:0]#


Example 2 - Showing all log files

[Expert@HostName:0]# fw lslogs -f "*"
Size Log file name
9KB [Link]
9KB [Link]
9KB 2019-05-29_000000.adtlog
9KB 2019-05-29_000000.log
9KB 2019-05-20_000000.adtlog
9KB 2019-05-20_000000.log
[Expert@HostName:0]#

Example 3 - Showing only log files specified by the patterns

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'
Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 4 - Showing only log files specified by the patterns and their extended
information

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*'
Size Log file name
9KB 2019-06-14_000000.adtlog
9KB 2019-06-14_000000.log
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
[Expert@HostName:0]#

Example 5 - Showing only log files specified by the patterns, sorting by name in reverse
order

[Expert@HostName:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' -e -s name -r
Size Creation Time Closing Time Log file name
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.log
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2019-06-15_000000.adtlog
9KB 13Jun2018 18:23:59 14Jun2018 0:00:00 2019-06-14_000000.log
9KB 13Jun2018 0:00:00 14Jun2018 0:00:00 2019-06-14_000000.adtlog
[Expert@HostName:0]#

Example 6 - Showing only log files specified by the patterns, from a managed Security
Gateway with main IP address [Link]

[Expert@MGMT:0]# fw lslogs -f "2019-06-14*" -f '2019-06-15*' [Link]
Size Log file name
11KB 2019-06-15_000000.adtlog
11KB 2019-06-15_000000.log
9KB 2019-06-14_000000.log
9KB 2019-06-14_000000.adtlog
[Expert@MGMT:0]#


fw mergefiles

Description
Merges several Security log files ($FWDIR/log/*.log) into a single log file.
Merges several Audit log files ($FWDIR/log/*.adtlog) into a single log file.

Important:
- Do not merge the active Security file $FWDIR/log/[Link] with other Security switched log files.
  Switch the active Security file $FWDIR/log/[Link] (with the "fw logswitch" on page 897 command) and only then merge it with other Security switched log files.
- Do not merge the active Audit file $FWDIR/log/[Link] with other Audit switched log files.
  Switch the active Audit file $FWDIR/log/[Link] (with the "fw logswitch" on page 897 command) and only then merge it with other Audit switched log files.
- This command unifies log entries with the same Unique-ID (UID). If you rotate the current active log file before all the segments of a specific log arrive, this command merges the records with the same Unique ID from two different files into one fully detailed record.
- If the size of the final merged log file exceeds 2GB, this command creates a list of merged files, where the size of each merged file is not more than 2GB.
  The user receives this warning:
  Warning: The size of the files you have chosen to merge is greater than 2GB. The merge will produce two or more files.
  The names of the merged files are:
  - <Name of Merged Log File>.log
  - <Name of Merged Log File>_1.log
  - <Name of Merged Log File>_2.log
  - ... ...
  - <Name of Merged Log File>_N.log

Important - You can run this command in the Expert mode or in Gaia Clish (Gaia
gClish on Scalable Platforms).


Syntax

fw [-d] mergefiles {-h | -help}


fw [-d] mergefiles [-r] [-s] [-t <Time Conversion File>] <Name of
Log File 1> <Name of Log File 2> ... <Name of Log File N> <Name of
Merged Log File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}
    Shows the built-in usage.

-r
    Removes duplicate entries.

-s
    Sorts the merged file by the Time field in log records.

-t <Time Conversion File>
    Specifies the full path and name of a file that instructs this command how to adjust the times during the merge.
    This is required if you merge log files from Log Servers configured with different time zones.
    The file format is:
    <IP Address of Log Server #1> <Signed Date Time #1 in Seconds>
    <IP Address of Log Server #2> <Signed Date Time #2 in Seconds>
    ... ...
    Notes:
    - You must specify the absolute path and the file name.
    - The name of the time conversion file cannot exceed 230 characters.


<Name of Log File 1> ... <Name of Log File N>
    Specifies the log files to merge.
    Notes:
    - You must specify the absolute path and the name of the input log files.
    - The name of an input log file cannot exceed 230 characters.

<Name of Merged Log File>
    Specifies the output merged log file.
    Notes:
    - The name of the merged log file cannot exceed 230 characters.
    - If a file with the specified name already exists, the command stops and asks you to remove the existing file, or to specify another name.
    - The size of the merged log file cannot exceed 2 GB. In such a scenario, the command creates several merged log files, each not exceeding the size limit.
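The following is an added example, not Check Point code, that models what the -t, -s and -r options and the Unique-ID unification described above do to log records. The real log files are binary databases whose layout the guide does not show, so records are modelled as dicts with a 'time' (epoch seconds), 'uid' and 'origin' (IP of the Log Server that wrote the record); the assumption that the signed seconds in the time conversion file are added to the times of records from that server is mine, and all inputs are constructed.

```python
"""Model of fw mergefiles record handling (added example, not Check Point code)."""
import ipaddress
from typing import Dict, Iterable, List, Optional

Record = Dict[str, object]


def parse_time_conversion(text: str) -> Dict[str, int]:
    """Parse '<IP Address of Log Server> <Signed Date Time in Seconds>' lines."""
    offsets: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<IP> <seconds>', got {raw!r}")
        ip, seconds = parts
        ipaddress.ip_address(ip)          # validate the Log Server address
        offsets[ip] = int(seconds)        # accepts '-3600' as well as '+3600'
    return offsets


def merge(files: Iterable[List[Record]], offsets: Optional[Dict[str, int]] = None,
          sort: bool = False, dedupe: bool = False) -> List[Record]:
    """Merge record lists the way the documented options describe."""
    offsets = offsets or {}
    records: List[Record] = []
    for recs in files:
        for rec in recs:
            rec = dict(rec)
            # -t: shift the record time by the offset of the server that wrote it
            # (assumption: the signed seconds are an additive offset)
            rec["time"] = int(rec["time"]) + offsets.get(str(rec.get("origin")), 0)
            records.append(rec)

    if dedupe:  # -r: drop records that are identical in every field
        seen = set()
        unique: List[Record] = []
        for rec in records:
            key = tuple(sorted(rec.items()))
            if key not in seen:
                seen.add(key)
                unique.append(rec)
        records = unique

    # Unification: segments with the same Unique-ID (for instance split across
    # two files by a logswitch) become one record; the first segment keeps its
    # time and later segments only contribute fields it lacked.
    by_uid: Dict[object, Record] = {}
    merged: List[Record] = []
    for rec in records:
        uid = rec.get("uid")
        if uid is not None and uid in by_uid:
            base = by_uid[uid]
            for key, value in rec.items():
                base.setdefault(key, value)
            continue
        if uid is not None:
            by_uid[uid] = rec
        merged.append(rec)

    if sort:  # -s: order by the Time field
        merged.sort(key=lambda r: r["time"])
    return merged


# Constructed inputs: two switched files from one server, and one file from a
# Log Server whose clock is one hour ahead.
FILE_A = [{"time": 100, "uid": "a1", "origin": "192.0.2.1", "src": "10.0.0.1"},
          {"time": 300, "uid": "a2", "origin": "192.0.2.1", "src": "10.0.0.2"}]
FILE_B = [{"time": 400, "uid": "a1", "origin": "192.0.2.1", "bytes": 512}]
FILE_C = [{"time": 3800, "uid": "c1", "origin": "198.51.100.1", "src": "10.0.0.3"}]
TIME_CONVERSION = "198.51.100.1 -3600\n"

if __name__ == "__main__":
    result = merge([FILE_A, FILE_B, FILE_C],
                   parse_time_conversion(TIME_CONVERSION), sort=True, dedupe=True)
    for rec in result:
        print(rec)
```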

Example - Merging Security log files

[Expert@HostName:0]# ls -l $FWDIR/*.log
-rw-rw-r-- 1 admin root 189497 Sep 7 00:00 2019-09-07_000000.log
-rw-rw-r-- 1 admin root 14490 Sep 9 09:52 2019-09-09_000000.log
-rw-rw-r-- 1 admin root 30796 Sep 10 10:56 2019-09-10_000000.log
-rw-rw-r-- 1 admin root 24503 Sep 10 13:08 [Link]
[Expert@HostName:0]#
[Expert@HostName:0]# fw mergefiles -s $FWDIR/2019-09-07_000000.log $FWDIR/2019-09-09_000000.log
$FWDIR/2019-09-10_000000.log /var/log/[Link]
[Expert@HostName:0]#
[Expert@HostName:0]# ls -l /var/log/[Link]*
-rw-rw---- 1 admin root 213688 Sep 10 13:18 /var/log/[Link]
-rw-rw---- 1 admin root 8192 Sep 10 13:18 /var/log/[Link]
-rw-rw---- 1 admin root 80 Sep 10 13:18 /var/log/2019-Sep-Merged.logaccount_ptr
-rw-rw---- 1 admin root 2264 Sep 10 13:18 /var/log/2019-Sep-Merged.loginitial_ptr
-rw-rw---- 1 admin root 4448 Sep 10 13:18 /var/log/[Link]
[Expert@HostName:0]#


fw repairlog

Description
Check Point Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog) are databases with special pointer files.
If these log pointer files become corrupted (which makes the log file unreadable), this command can rebuild them.

Security log
    Log File Location: $FWDIR/log/*.log
    Log Pointer Files: *.logptr, *.logaccount_ptr, *.loginitial_ptr, *.logLuuidDB

Audit log
    Log File Location: $FWDIR/log/*.adtlog
    Log Pointer Files: *.adtlogptr, *.adtlogaccount_ptr, *.adtloginitial_ptr, *.adtlogLuuidDB

Important - You can run this command in the Expert mode or in Gaia Clish (Gaia
gClish on Scalable Platforms).

Syntax

fw [-d] repairlog [-u] <Name of Log File>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Specifies to rebuild the unification chains in the log file.

<Name of Log File>
    The name of the log file to repair.

Example - Repairing the Audit log file


fw repairlog -u 2019-06-17_000000.adtlog


fw sam

Description
Manages the Suspicious Activity Monitoring (SAM) rules. You can use the SAM rules to block connections to and from IP addresses without the need to change or reinstall the Security Policy. For more information, see sk112061.
You can create the Suspicious Activity Rules in two ways:
- In SmartConsole from Monitoring Results
- In CLI with the fw sam command

Notes:
- See the "fw sam_policy" on page 916 and "sam_alert" on page 1019 commands.
- SAM rules consume some CPU resources on the Security Gateway.
  Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
- Logs for enforced SAM rules (configured with the fw sam command) are stored in the $FWDIR/log/[Link] file.
  By design, the file is purged when the number of stored entries reaches 100,000.
  This data log file contains the records in one of these formats:
  <type>,<actions>,<expire>,<ipaddr>
  <type>,<actions>,<expire>,<src>,<dst>,<dport>,<ip_p>
- SAM Requests are stored on the Security Gateway in the kernel table sam_requests.
- IP addresses that are blocked by SAM rules are stored on the Security Gateway in the kernel table sam_blocked_ips.
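An added example (not Check Point code) that parses the two record formats of the SAM data log listed above, so the entries can be reviewed offline and expired ones filtered out before the file reaches the 100,000-entry purge. The page does not state the meaning of <expire> or the <type>/<actions> vocabulary; the example assumes <expire> is a Unix epoch time in seconds with 0 meaning no expiration, and the sample lines are constructed.

```python
"""Parser for the SAM data log record formats (added example, not Check Point code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PURGE_THRESHOLD = 100_000  # the page states the file is purged at this many entries


@dataclass(frozen=True)
class SamRecord:
    type: str
    actions: str
    expire: int                    # epoch seconds, 0 = never (assumption)
    ipaddr: Optional[str] = None   # 4-field form: single address
    src: Optional[str] = None      # 7-field form: src, dst, dport, ip_p
    dst: Optional[str] = None
    dport: Optional[int] = None
    ip_p: Optional[int] = None

    def is_active(self, now: int) -> bool:
        """True if the entry has not expired at time `now`."""
        return self.expire == 0 or self.expire > now


def _addr(text: str) -> str:
    # Normalise and validate; raises ValueError on anything that is not an IP.
    return str(ipaddress.ip_address(text))


def _port(text: str) -> int:
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def _proto(text: str) -> int:
    proto = int(text)
    if not 0 <= proto <= 255:
        raise ValueError(f"protocol number out of range: {proto}")
    return proto


def parse_line(line: str) -> SamRecord:
    """Parse one record; the field count selects the documented shape."""
    fields = [f.strip() for f in line.strip().split(",")]
    if len(fields) == 4:
        rtype, actions, expire, ipaddr = fields
        return SamRecord(rtype, actions, int(expire), ipaddr=_addr(ipaddr))
    if len(fields) == 7:
        rtype, actions, expire, src, dst, dport, ip_p = fields
        return SamRecord(rtype, actions, int(expire),
                         src=_addr(src), dst=_addr(dst),
                         dport=_port(dport), ip_p=_proto(ip_p))
    raise ValueError(f"unexpected field count {len(fields)}: {line!r}")


def parse_records(text: str) -> List[SamRecord]:
    """Parse a whole file; blank lines are skipped, malformed lines raise."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def active_records(records: List[SamRecord], now: int) -> List[SamRecord]:
    return [r for r in records if r.is_active(now)]


def near_purge(records: List[SamRecord], margin: int = 1000) -> bool:
    """True when the file is within `margin` entries of the purge threshold."""
    return len(records) >= PURGE_THRESHOLD - margin


# Constructed sample lines; the type/action words are illustrative only.
SAMPLE = """\
inhibit,drop,1700000600,203.0.113.10
notify,log,0,192.0.2.5
inhibit,reject,1700000300,203.0.113.10,198.51.100.20,443,6
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in active_records(recs, now=1700000500):
        print(r)
```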

Note - To configure SAM Server settings for a Security Gateway or Cluster:


1. Connect with SmartConsole to the applicable Security Management Server or
Domain Management Server.
2. From the left navigation panel, click Gateways & Servers.
3. Open the Security Gateway or Cluster object.
4. From the left tree, click Other > SAM.
5. Configure the settings.
6. Click OK.
7. Install the Access Control Policy on this Security Gateway or Cluster object.


Important:
- You can run this command in the Expert mode or in Gaia Clish (Gaia gClish on Scalable Platforms).
- In a Cluster, you must configure all the Cluster Members in the same way.
- On Scalable Platforms, you must connect to the applicable Security Group.
- VSNext mode and Traditional VSX mode do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.

Syntax
- To add or cancel a SAM rule according to criteria:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-t <Timeout>] [-l <Log Type>] [-C] [-e <key=val>]+ [-r] -{n|i|I|j|J} <Criteria>

- To delete all SAM rules:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] -D

- To monitor all SAM rules:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all

- To monitor SAM rules according to criteria:

  fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-r] -M -{i|j|n|b|q} <Criteria>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-v
    Enables verbose mode.
    In this mode, the command writes one message to stderr for each Security Gateway, on which the command is enforced. These messages show whether the command was successful or not.


-s <SAM Server>
    Specifies the IP address (in the X.X.X.X format) or resolvable HostName of the Security Gateway that enforces the command.
    The default is localhost.

-S <SIC Name of SAM Server>
    Specifies the SIC name for the SAM server to be contacted. It is expected that the SAM server has this SIC name, otherwise the connection fails.
    Notes:
    - If you do not explicitly specify the SIC name, the connection continues without the SIC names comparison.
    - For more information about enabling the SIC, refer to the OPSEC API Specification.
    - On a VSX Gateway, run the fw vsx showncs -vs <VSID> command to show the SIC name for the applicable Virtual System.

-f <Security Gateway>
    Specifies the Security Gateway, on which to enforce the action.
    <Security Gateway> can be one of these:
    - All - Default. Specifies to enforce the action on all managed Security Gateways, where SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - localhost - Specifies to enforce the action on this local Check Point computer (on which the fw sam command is executed).
      You can use this syntax only on Security Gateway or StandAlone.
    - Gateways - Specifies to enforce the action on all objects defined as Security Gateways, on which SAM Server runs.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Security Gateway object - Specifies to enforce the action on this specific Security Gateway object.
      You can use this syntax only on Security Management Server or Domain Management Server.
    - Name of Group object - Specifies to enforce the action on all specific Security Gateways in this Group object.
    Notes:
    - You can use this syntax only on Security Management Server or Domain Management Server.
    - VSX Gateways and VSX Cluster Members do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.


-D
    Cancels all inhibit ("-i", "-j", "-I", "-J") and notify ("-n") parameters.
    Notes:
    - To "uninhibit" the inhibited connections, run the fw sam command with the "-C" or "-D" parameters.
    - It is also possible to use this command for active SAM requests.

-C
    Cancels the fw sam command to inhibit connections with the specified parameters.
    Notes:
    - These connections are no longer inhibited (no longer rejected or dropped).
    - The command parameters must match the parameters in the original fw sam command, except for the -t <Timeout> parameter.

-t <Timeout>
    Specifies the time period (in seconds), during which the action is enforced.
    The default is forever, or until you cancel the fw sam command.

-l <Log Type>
    Specifies the type of the log for the enforced action:
    - nolog - Does not generate a Log / Alert at all
    - short_noalert - Generates a Log
    - short_alert - Generates an Alert
    - long_noalert - Generates a Log
    - long_alert - Generates an Alert (this is the default)

-e <key=val>+
    Specifies rule information based on the keys and the provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are (each is limited to 100 characters):
    - name - Security rule name
    - comment - Security rule comment
    - originator - Security rule originator's username

-r
    Specifies not to resolve IP addresses.

-n
    Specifies to generate a "Notify" long-format log entry.
    Notes:
    - This parameter generates an alert when connections that match the specified services or IP addresses pass through the Security Gateway.
    - This action does not inhibit / close connections.


-i
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    - Each inhibited connection is logged according to the log type.
    - Matching connections are rejected.

-I
    Inhibits (drops or rejects) new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    - Matching connections are rejected.
    - Each inhibited connection is logged according to the log type.

-j
    Inhibits (drops or rejects) new connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-J
    Inhibits new connections with the specified parameters, and closes all existing connections with the specified parameters.
    Notes:
    - Matching connections are dropped.
    - Each inhibited connection is logged according to the log type.

-b
    Bypasses new connections with the specified parameters.

-q
    Quarantines new connections with the specified parameters.

-M
    Monitors the active SAM requests with the specified actions and criteria.

all
    Gets all active SAM requests. This is used for monitoring purposes only.

<Criteria>
    Criteria are used to match connections.
    The criteria are composed of various combinations of the following parameters:
    - Source IP Address
    - Source Netmask
    - Destination IP Address
    - Destination Netmask
    - Port (see IANA Service Name and Port Number Registry)
    - Protocol Number (see IANA Protocol Numbers)


    Possible combinations are (see the explanations below):
    - src <IP>
    - dst <IP>
    - any <IP>
    - subsrc <IP> <Netmask>
    - subdst <IP> <Netmask>
    - subany <IP> <Netmask>
    - srv <Src IP> <Dest IP> <Port> <Protocol>
    - subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    - subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    - dstsrv <Dest IP> <Port> <Protocol>
    - subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>
    - srcpr <IP> <Protocol>
    - dstpr <IP> <Protocol>
    - subsrcpr <IP> <Netmask> <Protocol>
    - subdstpr <IP> <Netmask> <Protocol>
    - generic <key=val>

Explanation for the <Criteria> syntax

src <IP>
    Matches the Source IP address of the connection.

dst <IP>
    Matches the Destination IP address of the connection.

any <IP>
    Matches either the Source IP address or the Destination IP address of the connection.

subsrc <IP> <Netmask>
    Matches the Source IP address of the connections according to the netmask.

subdst <IP> <Netmask>
    Matches the Destination IP address of the connections according to the netmask.


subany <IP> <Netmask>
    Matches either the Source IP address or the Destination IP address of connections according to the netmask.

srv <Src IP> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.

subsrv <Src IP> <Src Netmask> <Dest IP> <Dest Netmask> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address, Service (port number) and Protocol.
    Source and Destination IP addresses are assigned according to their netmasks.

subsrvs <Src IP> <Src Netmask> <Dest IP> <Port> <Protocol>
    Matches the specific Source IP address according to the source netmask, Destination IP address, Service (port number) and Protocol.

subsrvd <Src IP> <Dest IP> <Dest Netmask> <Port> <Protocol>
    Matches the specific Source IP address, Destination IP address according to the destination netmask, Service (port number) and Protocol.

dstsrv <Dest IP> <Port> <Protocol>
    Matches the specific Destination IP address, Service (port number) and Protocol.

subdstsrv <Dest IP> <Dest Netmask> <Port> <Protocol>
    Matches the specific Destination IP address, Service (port number) and Protocol.
    Destination IP address is assigned according to the netmask.

srcpr <IP> <Protocol>
    Matches the Source IP address and protocol.

dstpr <IP> <Protocol>
    Matches the Destination IP address and protocol.

subsrcpr <IP> <Netmask> <Protocol>
    Matches the Source IP address and protocol of connections.
    Source IP address is assigned according to the netmask.

subdstpr <IP> <Netmask> <Protocol>
    Matches the Destination IP address and protocol of connections.
    Destination IP address is assigned according to the netmask.


generic <key=val>+
    Matches the GTP connections based on the specified keys and provided values.
    Multiple keys are separated by the plus sign (+).
    Available keys are:
    - service=gtp
    - imsi
    - msisdn
    - apn
    - tunl_dst
    - tunl_dport
    - tunl_proto
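The criteria grammar and matching semantics explained above, as an added example that is not Check Point code: it parses a criteria token list into validated fields and evaluates which connections the criterion would cover, which is useful for reviewing a SAM request before (or after) it is enforced. Netmasks are dotted decimal as on the page; the generic (GTP) form is parsed but not evaluated; sample connections are constructed.

```python
"""Parser and matcher for fw sam <Criteria> forms (added example, not Check Point code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# keyword -> ordered argument names, taken from the combinations table above
CRITERIA = {
    "src": ["src"], "dst": ["dst"], "any": ["any"],
    "subsrc": ["src", "src_mask"], "subdst": ["dst", "dst_mask"],
    "subany": ["any", "any_mask"],
    "srv": ["src", "dst", "port", "proto"],
    "subsrv": ["src", "src_mask", "dst", "dst_mask", "port", "proto"],
    "subsrvs": ["src", "src_mask", "dst", "port", "proto"],
    "subsrvd": ["src", "dst", "dst_mask", "port", "proto"],
    "dstsrv": ["dst", "port", "proto"],
    "subdstsrv": ["dst", "dst_mask", "port", "proto"],
    "srcpr": ["src", "proto"], "dstpr": ["dst", "proto"],
    "subsrcpr": ["src", "src_mask", "proto"],
    "subdstpr": ["dst", "dst_mask", "proto"],
}

Connection = Tuple[str, str, int, int]  # (src, dst, dport, protocol number)


def _bounded(text: str, hi: int, what: str) -> int:
    value = int(text)
    if not 0 <= value <= hi:
        raise ValueError(f"{what} {value} outside 0..{hi}")
    return value


def parse_criteria(tokens: List[str]) -> Dict[str, object]:
    """Validate e.g. ['subsrc', '10.1.0.0', '255.255.0.0'] into a dict."""
    if not tokens:
        raise ValueError("empty criteria")
    kind, args = tokens[0], tokens[1:]
    if kind == "generic":  # GTP key=val pairs joined by '+'
        pairs = "+".join(args).split("+")
        return {"kind": kind, "generic": dict(p.split("=", 1) for p in pairs)}
    if kind not in CRITERIA:
        raise ValueError(f"unknown criteria keyword {kind!r}")
    names = CRITERIA[kind]
    if len(args) != len(names):
        raise ValueError(f"{kind} takes {len(names)} arguments, got {len(args)}")
    crit: Dict[str, object] = {"kind": kind}
    for name, value in zip(names, args):
        if name == "port":
            crit[name] = _bounded(value, 65535, "port")
        elif name == "proto":
            crit[name] = _bounded(value, 255, "protocol number")
        else:  # addresses and dotted-decimal netmasks
            crit[name] = ipaddress.ip_address(value)
    return crit


def _same(addr, ref, mask=None) -> bool:
    """Exact match, or match under a netmask when one was given."""
    if mask is None:
        return addr == ref
    return (int(addr) & int(mask)) == (int(ref) & int(mask))


def matches(crit: Dict[str, object], conn: Connection) -> bool:
    """Would this connection be covered by the criterion?"""
    if crit["kind"] == "generic":
        raise ValueError("generic (GTP) criteria are not evaluated by this model")
    src, dst = ipaddress.ip_address(conn[0]), ipaddress.ip_address(conn[1])
    dport, proto = conn[2], conn[3]
    if "any" in crit:  # any/subany: either endpoint may match
        mask = crit.get("any_mask")
        return _same(src, crit["any"], mask) or _same(dst, crit["any"], mask)
    checks = []
    if "src" in crit:
        checks.append(_same(src, crit["src"], crit.get("src_mask")))
    if "dst" in crit:
        checks.append(_same(dst, crit["dst"], crit.get("dst_mask")))
    if "port" in crit:
        checks.append(dport == crit["port"])
    if "proto" in crit:
        checks.append(proto == crit["proto"])
    return all(checks)


if __name__ == "__main__":
    # Constructed check: which of these connections does each criterion cover?
    conns = [("10.1.2.3", "203.0.113.5", 443, 6), ("10.2.2.3", "203.0.113.5", 53, 17)]
    for spec in (["subsrc", "10.1.0.0", "255.255.0.0"],
                 ["dstsrv", "203.0.113.5", "443", "6"]):
        crit = parse_criteria(spec)
        print(" ".join(spec), "->", [matches(crit, c) for c in conns])
```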


fw sam_policy

Description
Manages the Suspicious Activity Policy editor that works with these types of rules:
- Suspicious Activity Monitoring (SAM) rules.
  See sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules.
- Rate Limiting rules.
  See sk182350 - How to configure Rate Limiting rules for DoS Mitigation.
Also, see these commands:
- "fw sam" on page 908
- "sam_alert" on page 1019

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- You can run this command in the Expert mode or in Gaia Clish (Gaia gClish on Scalable Platforms).
- In a Cluster, you must configure all the Cluster Members in the same way.
- On Scalable Platforms, you must connect to the applicable Security Group.
- VSNext mode and Traditional VSX mode do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.

Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.


Syntax for IPv4

fw [-d] sam_policy
    add <options>
    batch
    del <options>
    get <options>
fw [-d] samp
    add <options>
    batch
    del <options>
    get <options>

Syntax for IPv6

fw6 [-d] sam_policy
    add <options>
    batch
    del <options>
    get <options>
fw6 [-d] samp
    add <options>
    batch
    del <options>
    get <options>


Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

add <options>
    Adds one Rate Limiting rule at a time.
    See "fw sam_policy add" on page 919.

batch
    Adds or deletes many Rate Limiting rules at a time.
    See "fw sam_policy batch" on page 932.

del <options>
    Deletes one configured Rate Limiting rule at a time.
    See "fw sam_policy del" on page 934.

get <options>
    Shows all the configured Rate Limiting rules.
    See "fw sam_policy get" on page 938.


fw sam_policy add

Description
The "fw sam_policy add" and "fw6 sam_policy add" commands:
- Add one Suspicious Activity Monitoring (SAM) rule at a time.
- Add one Rate Limiting rule at a time.

Notes:
- These commands are interchangeable:
  - For IPv4: "fw sam_policy" and "fw samp".
  - For IPv6: "fw6 sam_policy" and "fw6 samp".
- You can run these commands in Gaia Clish, or Expert mode.
- Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
- Security Gateway stores the SAM Policy management settings in the $FWDIR/database/sam_policy.mng file.

Important:
- Configuration you make with these commands survives reboot.
- You can run this command in the Expert mode or in Gaia Clish (Gaia gClish on Scalable Platforms).
- In a Cluster, you must configure all the Cluster Members in the same way.
- On Scalable Platforms, you must connect to the applicable Security Group.
- VSNext mode and Traditional VSX mode do not support Suspicious Activity Monitoring (SAM) Rules. See sk79700.

Best Practice - The SAM Policy rules consume some CPU resources on the Security Gateway. Set an expiration for rules that gives you time to investigate, but does not affect performance. Keep only the required SAM Policy rules. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>

Syntax to configure a Suspicious Activity Monitoring (SAM) rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] ip <IP Filter Arguments>


Syntax to configure a Rate Limiting rule for IPv4

fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Syntax to configure a Rate Limiting rule for IPv6

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z "<Zone>"] quota <Quota Filter Arguments>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.
    Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-u
    Optional.
    Specifies that the rule category is User-defined.
    Default rule category is Auto.

-a {d | n | b}
    Mandatory.
    Specifies the rule action if the traffic matches the rule conditions:
    - d - Drop the connection.
    - n - Notify (generate a log) about the connection and let it through.
    - b - Bypass the connection - let it through without checking it against the policy rules.
    Note - Rules with action set to Bypass cannot have a log or limit specification. Bypassed packets and connections do not count towards the overall number of packets and connections for limit enforcement of type ratio.

-l {r | a}
    Optional.
    Specifies which type of log to generate for this rule for all traffic that matches:
    - r - Generate a regular log
    - a - Generate an alert log


-t <Timeout>
    Optional.
    Specifies the time period (in seconds), during which the rule will be enforced.
    Default timeout is indefinite.

-f <Target>
    Optional.
    Specifies the target Security Gateways, on which to enforce the Rate Limiting rule.
    <Target> can be one of these:
    - all - This is the default option. Specifies that the rule should be enforced on all managed Security Gateways.
    - Name of the Security Gateway or Cluster object - Specifies that the rule should be enforced only on this Security Gateway or Cluster object (the object name must be as defined in the SmartConsole).
    - Name of the Group object - Specifies that the rule should be enforced on all Security Gateways that are members of this Group object (the object name must be as defined in the SmartConsole).

-n "<Rule Name>"
    Optional.
    Specifies the name (label) for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "<Rule Comment>"
    Optional.
    Specifies the comment for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "This\ is\ a\ comment\ with\ a\ backslash\ \\"


-o "<Rule Originator>"
    Optional.
    Specifies the name of the originator for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.
    - Before each space or backslash character in this string, you must write a backslash (\) character. Example:
      "Created\ by\ John\ Doe"

-z "<Zone>"
    Optional.
    Specifies the name of the Security Zone for this rule.
    Notes:
    - You must enclose this string in double quotes.
    - The length of this string is limited to 128 characters.

ip <IP Filter Arguments>
    Mandatory (use this ip parameter, or the quota parameter).
    Configures the Suspicious Activity Monitoring (SAM) rule.
    Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these options):
    [-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination IP>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]
    See the explanations below.


quota <Quota Filter Arguments>
    Mandatory (use this quota parameter, or the ip parameter).
    Configures the Rate Limiting rule.
    Specifies the Quota Filter Arguments for the Rate Limiting rule (see the explanations below):
    - [flush true]
    - [source-negated {true | false}] source <Source>
    - [destination-negated {true | false}] destination <Destination>
    - [service-negated {true | false}] service <Protocol and Port numbers>
    - [<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2 Value>] ... [<LimitN Name> <LimitN Value>]
    - [track <Track>]

    Important:
    - The Quota rules are not applied immediately to the Security Gateway. They are only registered in the Suspicious Activity Monitoring (SAM) policy database. To apply all the rules from the SAM policy database immediately, add "flush true" in the fw samp add command syntax.
    - Explanation:
      For the new connections rate (and for any rate limiting in general), when a rule's limit is violated, the Security Gateway also drops all packets that match the rule.
      The Security Gateway computes new connection rates on a per-second basis.
      At the start of the 1-second timer, the Security Gateway allows all packets, including packets for existing connections.
      If, at some point during that 1-second period, there are too many new connections, then the Security Gateway blocks all remaining packets for the remainder of that 1-second interval.
      At the start of the next 1-second interval, the counters are reset, and the process starts over - the Security Gateway allows packets to pass again up to the point where the rule's limit is violated.


Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM)
rules

Argument Description

-C  Specifies that open connections should be closed.

-s <Source IP>  Specifies the Source IP address.

-m <Source Mask>  Specifies the Source subnet mask (in dotted decimal format - x.y.z.w).

-d <Destination IP>  Specifies the Destination IP address.

-M <Destination Mask>  Specifies the Destination subnet mask (in dotted decimal format - x.y.z.w).

-p <Port>  Specifies the port number (see IANA Service Name and Port Number Registry).

-r <Protocol>  Specifies the protocol number (see IANA Protocol Numbers).


Explanation for the Quota Filter Arguments syntax for Rate Limiting rules

Argument Description

flush true  Specifies to compile and load the quota rule to the SecureXL immediately.

[source-negated {true | false}] source <Source>  Specifies the source type and its value:
n any
The rule is applied to packets sent from all sources.
n range:<IP Address> or range:<IP Address Start>-<IP Address End>
The rule is applied to packets sent from:
l Specified IPv4 addresses (x.y.z.w)
l Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
n cidr:<IP Address>/<Prefix>
The rule is applied to packets sent from:
l IPv4 address with Prefix from 0 to 32
l IPv6 address with Prefix from 0 to 128
n cc:<Country Code>
The rule matches the country code to the source IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2.
n asn:<Autonomous System Number>
The rule matches the AS number of the organization to the source IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.
Notes:
n Default is: source-negated false
n With source-negated true, the rule applies to all sources except the specified ones.
n You can combine several values with a comma (see Example 3 below: source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120).


[destination-negated {true | false}] destination <Destination>  Specifies the destination type and its value:
n any
The rule is applied to packets sent to all destinations.
n range:<IP Address> or range:<IP Address Start>-<IP Address End>
The rule is applied to packets sent to:
l Specified IPv4 addresses (x.y.z.w)
l Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
n cidr:<IP Address>/<Prefix>
The rule is applied to packets sent to:
l IPv4 address with Prefix from 0 to 32
l IPv6 address with Prefix from 0 to 128
n cc:<Country Code>
The rule matches the country code to the destination IP addresses assigned to this country, based on the Geo IP database. The two-letter codes are defined in ISO 3166-1 alpha-2.
n asn:<Autonomous System Number>
The rule matches the AS number of the organization to the destination IP addresses that are assigned to this organization, based on the Geo IP database. The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization.
Notes:
n Default is: destination-negated false
n With destination-negated true, the rule applies to all destinations except the specified ones.


[service-negated {true | false}] service <Protocol and Port numbers>  Specifies the Protocol number (see IANA Protocol Numbers) and Port number (see IANA Service Name and Port Number Registry):
n <Protocol>
IP protocol number in the range 1-255
n <Protocol Start>-<Protocol End>
Range of IP protocol numbers
n <Protocol>/<Port>
IP protocol number in the range 1-255 and TCP/UDP port number in the range 1-65535
n <Protocol>/<Port Start>-<Port End>
IP protocol number and range of TCP/UDP port numbers from 1 to 65535
Notes:
n Default is: service-negated false
n With service-negated true, the rule applies to all traffic except the traffic with the specified protocols and ports.
n You can combine several values with a comma (see Example 2 below: service 1,50-51,6/443,17/53).


[<Limit 1 Name> <Limit 1 Value>] [<Limit 2 Name> <Limit 2 Value>] ... [<Limit N Name> <Limit N Value>]  Specifies quota limits and their values.
Note - Separate multiple quota limits with spaces.
n concurrent-conns <Value>
Specifies the maximum number of concurrent active connections that match this rule.
n concurrent-conns-ratio <Value>
Specifies the maximum ratio of the concurrent-conns value to the total number of active connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
n pkt-rate <Value>
Specifies the maximum number of packets per second that match this rule.
n pkt-rate-ratio <Value>
Specifies the maximum ratio of the pkt-rate value to the rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
n byte-rate <Value>
Specifies the maximum total number of bytes per second in packets that match this rule.
n byte-rate-ratio <Value>
Specifies the maximum ratio of the byte-rate value to the bytes per second rate of all connections through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
n new-conn-rate <Value>
Specifies the maximum number of connections per second that match the rule.
n new-conn-rate-ratio <Value>
Specifies the maximum ratio of the new-conn-rate value to the rate of all connections per second through the Security Gateway, expressed in parts per 65536 (formula: N / 65536).
Notes:
n A value of 0 means that every matching packet or connection exceeds the quota, so the rule's action applies to all matching traffic (see Examples 2 and 3 below).
n For the ratio limits, 1% corresponds to approximately 655 (655 / 65536), as in Example 5 below.


[track <Track>]  Specifies the tracking option:
n source
Counts connections, packets, and bytes for each specific source IP address, and not cumulatively for this rule.
n source-service
Counts connections, packets, and bytes for each specific source IP address and for each specific IP protocol and destination port, and not cumulatively for this rule.

Examples
Example 1 - Rate Limiting rule with a range
fw sam_policy add -a d -l r -t 3600 quota service any source range:[Link]-[Link] new-conn-rate 5 flush true

Explanations:
n This rule drops packets for all connections (-a d) that exceed the quota set by this
rule, including packets for existing connections.
n This rule logs packets (-l r) that exceed the quota set by this rule.
n This rule will expire in 3600 seconds (-t 3600).
n This rule limits the rate of creation of new connections to 5 connections per second
(new-conn-rate 5) for any traffic (service any) from the source IP addresses in
the range [Link] - [Link] (source range:[Link]-
[Link]).

Note - The limit of the total number of log entries per second is configured with the
fwaccel dos config set -n <rate> command.
n This rule will be compiled and loaded on the SecureXL, together with other rules in the
Suspicious Activity Monitoring (SAM) policy database immediately, because this rule
includes the "flush true" parameter.


Example 2 - Rate Limiting rule with a service specification


fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source cc:QQ byte-rate 0

Explanations:
n This rule logs and lets through all packets (-a n) that exceed the quota set by this
rule.
n This rule does not expire (the timeout parameter is not specified). To cancel it, you
must delete it explicitly.
n This rule applies to all packets except (service-negated true) the packets with
IP protocol number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-
51,6/443,17/53).
n This rule applies to all packets from source IP addresses that are assigned to the
country with specified country code (cc:QQ).
n Because the limit is byte-rate 0, every packet that matches this rule exceeds the quota. With the action notify (-a n), those packets are logged and let through; to block them instead, use the action drop (-a d). The packets with IP protocol number 1, 50-51, 6 port 443 and 17 port 53 are not matched by this rule at all.
n This rule will not be compiled and installed on the SecureXL immediately, because it
does not include the "flush true" parameter.

Example 3 - Rate Limiting rule with ASN


fw sam_policy add -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service any pkt-rate 0

Explanations:
n This rule drops (-a d) all packets that match this rule.
n This rule does not expire (the timeout parameter is not specified). To cancel it, you
must delete it explicitly.
n This rule applies to packets from the Autonomous System number 64500
(asn:AS64500).
n This rule applies to packets from source IPv6 addresses FFFF:C0A8:1100/120
(cidr:[::FFFF:C0A8:1100]/120).
n This rule applies to all traffic (service any).
n This rule does not let any traffic through (pkt-rate 0).
n This rule will not be compiled and installed on the SecureXL immediately, because it
does not include the "flush true" parameter.

Example 4 - Rate Limiting rule with an Allow List


fw sam_policy add -a b quota source range:[Link]-[Link] service 6/80

Explanations:


n This rule bypasses (-a b) all packets that match this rule.
Note - The Access Control Policy and other types of security policy rules still apply.
n This rule does not expire (the timeout parameter is not specified). To cancel it, you
must delete it explicitly.
n This rule applies to packets from the source IP addresses in the range [Link] -
[Link] (range:[Link]-[Link]).
n This rule applies to packets sent to TCP port 80 (service 6/80).
n This rule will not be compiled and installed on the SecureXL immediately, because it
does not include the "flush true" parameter.

Example 5 - Rate Limiting rule with tracking


fw sam_policy add -a d quota service any source-negated true source cc:QQ concurrent-conns-ratio 655 track source

Explanations:
n This rule drops (-a d) all packets that match this rule.
n This rule does not log any packets (the -l r parameter is not specified).
n This rule does not expire (the timeout parameter is not specified). To cancel it, you
must delete it explicitly.
n This rule applies to all traffic (service any).
n This rule applies to all sources except (source-negated true) the source IP
addresses that are assigned to the country with specified country code (cc:QQ).
n This rule limits the maximum number of concurrent active connections to
655/65536=~1% (concurrent-conns-ratio 655) for any traffic (service any)
from all sources except (source-negated true) the source IP addresses
that are assigned to the country with specified country code (cc:QQ).
n This rule counts connections, packets, and bytes for traffic only from sources that
match this rule, and not cumulatively for this rule.
n This rule will not be compiled and installed on the SecureXL immediately, because it
does not include the "flush true" parameter.
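As an added example (not Check Point's own code), the Python helper below builds Rate Limiting rule command lines from the Quota Filter grammar described above and rejects malformed values before they reach the gateway: address specifications (any, range:, cidr:, cc:, asn:, comma-separated), service specifications (protocol, protocol range, protocol/port, protocol/port range), limit names, the track options, the ratio unit (parts per 65536) and the backslash escaping for the -c comment string. Everything it checks is taken from the argument descriptions and the five examples on this page; the IP ranges used in its checks are constructed RFC 5737 placeholders, and the only action codes it accepts are the three shown on this page (d, n, b).

```python
"""Build "fw sam_policy add ... quota ..." command lines from the Quota Filter
grammar on this page.  Added example, not Check Point code: IP addresses in the
checks are RFC 5737 placeholders; the action codes are the ones shown here."""
import ipaddress
import re

ACTIONS = {"d": "drop", "n": "notify", "b": "bypass"}
LIMITS = {"concurrent-conns", "concurrent-conns-ratio", "pkt-rate", "pkt-rate-ratio",
          "byte-rate", "byte-rate-ratio", "new-conn-rate", "new-conn-rate-ratio"}
TRACK = {"source", "source-service"}

def ratio(percent):
    """A percentage in the parts-per-65536 unit of the *-ratio limits (1% -> 655)."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    return round(percent * 65536 / 100)

def escape_text(text):
    """Quote a -c string: a backslash before every space or backslash."""
    return '"' + text.replace("\\", "\\\\").replace(" ", "\\ ") + '"'

def _check_int_range(text, lo, hi):
    """Accept "n" or "n-m" with every number inside [lo, hi]."""
    first, _, last = text.partition("-")
    for n in (first, last or first):
        if not n.isdigit() or not lo <= int(n) <= hi:
            raise ValueError(f"{text!r} is not in {lo}-{hi}")

def check_address(spec):
    """any | range:a-b | cidr:net/prefix | cc:XX | asn:ASnnnn, comma-separated."""
    if spec == "any":
        return spec
    for item in spec.split(","):
        kind, sep, value = item.partition(":")
        if kind == "range" and sep:
            for addr in value.split("-", 1):
                ipaddress.ip_address(addr)          # raises ValueError if malformed
        elif kind == "cidr" and sep:
            addr, _, prefix = value.partition("/")
            # the page writes IPv6 CIDRs as cidr:[::FFFF:C0A8:1100]/120
            ipaddress.ip_network(f"{addr.strip('[]')}/{prefix}", strict=False)
        elif kind == "cc" and sep and not re.fullmatch(r"[A-Z]{2}", value):
            raise ValueError(f"country code must be ISO 3166-1 alpha-2: {item!r}")
        elif kind == "asn" and sep and not re.fullmatch(r"AS\d+", value):
            raise ValueError(f"ASN must look like AS64500: {item!r}")
        elif kind not in ("range", "cidr", "cc", "asn") or not sep:
            raise ValueError(f"unknown address type: {item!r}")
    return spec

def check_service(spec):
    """any | proto | proto-proto | proto/port | proto/port-port, comma-separated."""
    if spec == "any":
        return spec
    for item in spec.split(","):
        proto, _, port = item.partition("/")
        _check_int_range(proto, 1, 255)
        if port:
            _check_int_range(port, 1, 65535)
    return spec

def valid(check, spec):
    """Boolean wrapper around check_address / check_service."""
    try:
        check(spec)
        return True
    except ValueError:
        return False

def build_quota_rule(action, limits, *, log=False, timeout=None, comment=None,
                     source=None, source_negated=False, destination=None,
                     destination_negated=False, service=None, service_negated=False,
                     track=None, flush=False, ipv6=False):
    """Return the full command line for one Rate Limiting rule."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    if not limits:
        raise ValueError("at least one quota limit is required")
    if track is not None and track not in TRACK:
        raise ValueError(f"track must be one of {sorted(TRACK)}")
    parts = ["fw6" if ipv6 else "fw", "sam_policy", "add", "-a", action]
    if log:
        parts += ["-l", "r"]
    if timeout is not None:
        parts += ["-t", str(int(timeout))]
    if comment:
        parts += ["-c", escape_text(comment)]
    parts.append("quota")
    for name, negated, value, check in (
            ("service", service_negated, service, check_service),
            ("source", source_negated, source, check_address),
            ("destination", destination_negated, destination, check_address)):
        if value is not None:
            if negated:
                parts += [f"{name}-negated", "true"]
            parts += [name, check(value)]
    for name, value in limits.items():
        if name not in LIMITS or int(value) < 0:
            raise ValueError(f"bad limit {name}={value}")
        parts += [name, str(int(value))]   # 0 makes every match exceed the quota
    if track:
        parts += ["track", track]
    if flush:
        parts += ["flush", "true"]         # compile and load the SAM policy now
    return " ".join(parts)
```

Calling build_quota_rule("d", {"concurrent-conns-ratio": ratio(1)}, service="any", source="cc:QQ", source_negated=True, track="source") reproduces the command of Example 5 above, with the 1% figure computed rather than hard-coded. Without flush=True the returned command only registers the rule in the SAM policy database, exactly as the Important note above describes.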


fw sam_policy batch

Description
The "fw sam_policy batch" and "fw6 sam_policy batch" commands:
n Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.
n Add and delete many Rate Limiting rules at a time.

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".

l For IPv6: "fw6 sam_policy" and "fw6 samp".

n You can run these commands in Gaia Clish, or Expert mode.


n Security Gateway stores the SAM Policy rules in the
$FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the
$FWDIR/database/sam_policy.mng file.

Important:
n Configuration you make with these commands, survives reboot.
n You can run this command in the Expert mode or in Gaia Clish (Gaia gClish on
Scalable Platforms).
n In a Cluster, you must configure all the Cluster Members in the same way.
n On Scalable Platforms, you must connect to the applicable Security Group.
n VSNext mode and Traditional VSX mode do not support Suspicious Activity
Monitoring (SAM) Rules. See sk79700.

Best Practice - The SAM Policy rules consume some CPU resources on Security
Gateway. Set an expiration for rules that gives you time to investigate, but does not
affect performance. Keep only the required SAM Policy rules. If you confirm that an
activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Procedure
1. Start the batch mode

n For IPv4, run:

fw sam_policy batch << EOF

n For IPv6, run:

fw6 sam_policy batch << EOF


2. Enter the applicable commands

n Enter one "add" or "del" command on each line, on as many lines as necessary.
Start each line with only the "add" or "del" parameter (not with "fw samp").
n Use the same set of parameters and values as described in these commands:
l "fw sam_policy add" on page 919
l "fw sam_policy del" on page 934
n Terminate each line with a Return (ASCII 10 - Line Feed) character (press
Enter).

3. End the batch mode

Type EOF and press Enter.

Example of a Rate Limiting rule for IPv4

[Expert@HostName]# fw samp batch <<EOF

add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec\ from\ these\ sources" quota service any source range:[Link]-[Link] new-conn-rate 5

del <501f6ef0,00000000,cb38a8c0,0a0afffe>

add -a b quota source range:[Link]-[Link] service 6/80

EOF
[Expert@HostName]#

fw sam_policy del

Description
The "fw sam_policy del" and "fw6 sam_policy del" commands:
n Delete one configured Suspicious Activity Monitoring (SAM) rule at a time.
n Delete one configured Rate Limiting rule at a time.

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".

l For IPv6: "fw6 sam_policy" and "fw6 samp".

n You can run these commands in Gaia Clish, or Expert mode.


n Security Gateway stores the SAM Policy rules in the
$FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the
$FWDIR/database/sam_policy.mng file.

Important:
n Configuration you make with these commands, survives reboot.
n You can run this command in the Expert mode or in Gaia Clish (Gaia gClish on
Scalable Platforms).
n In a Cluster, you must configure all the Cluster Members in the same way.
n On Scalable Platforms, you must connect to the applicable Security Group.
n VSNext mode and Traditional VSX mode do not support Suspicious Activity
Monitoring (SAM) Rules. See sk79700.

Best Practice - The SAM Policy rules consume some CPU resources on Security
Gateway. Set an expiration for rules that gives you time to investigate, but does not
affect performance. Keep only the required SAM Policy rules. If you confirm that an
activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6

fw6 [-d] sam_policy del '<Rule UID>'


Parameters

Parameter Description

-d  Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

'<Rule UID>'  Specifies the UID of the rule you wish to delete.
Important:
n The quote marks and angle brackets ('<...>') are mandatory. The angle brackets are part of the UID; the quote marks keep the shell from treating them as redirection characters.
n To see the Rule UID, run the "fw sam_policy get" on page 938 command.


Procedure
1. List all the existing rules in the Suspicious Activity Monitoring policy database

List all the existing rules in the Suspicious Activity Monitoring policy database.
n For IPv4, run:

fw sam_policy get

n For IPv6, run:

fw6 sam_policy get

The rules show in this format (one rule per line; spaces inside values are escaped with a backslash):

operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log=... name=... comment=... originator=... src_ip_addr=... req_type=...

Example for IPv4:

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ [Link] originator=John\ Doe src_ip_addr=[Link] req_type=ip

2. Delete a rule from the list by its UID

n For IPv4, run:

fw [-d] sam_policy del '<Rule UID>'

n For IPv6, run:

fw6 [-d] sam_policy del '<Rule UID>'

Example for IPv4:

fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'


3. Add the flush-only rule

n For IPv4, run:

fw samp add -t 2 quota flush true

n For IPv6, run:

fw6 samp add -t 2 quota flush true

Explanation:
The "fw samp del" and "fw6 samp del" commands only remove a rule from the persistent database. The Security Gateway continues to enforce the deleted rule until the next time you compile and load a policy. To enforce the deletion immediately, enter a flush-only rule right after the "fw samp del" or "fw6 samp del" command. The flush-only rule compiles and loads the current SAM policy database, which no longer contains the rule you deleted in the previous step, and itself times out after 2 seconds.

Best Practice - Specify a short timeout period for the flush-only rules. This prevents accumulation of obsolete rules in the database.

fw sam_policy get

Description
The "fw sam_policy get" and "fw6 sam_policy get" commands:
n Show all the configured Suspicious Activity Monitoring (SAM) rules.
n Show all the configured Rate Limiting rules.

Notes:
n These commands are interchangeable:
l For IPv4: "fw sam_policy" and "fw samp".

l For IPv6: "fw6 sam_policy" and "fw6 samp".

n You can run these commands in Gaia Clish, or Expert mode.


n Security Gateway stores the SAM Policy rules in the
$FWDIR/database/sam_policy.db file.
n Security Gateway stores the SAM Policy management settings in the
$FWDIR/database/sam_policy.mng file.

Important:
n Configuration you make with these commands, survives reboot.
n You can run this command in the Expert mode or in Gaia Clish (Gaia gClish on
Scalable Platforms).
n In a Cluster, you must configure all the Cluster Members in the same way.
n On Scalable Platforms, you must connect to the applicable Security Group.
n VSNext mode and Traditional VSX mode do not support Suspicious Activity
Monitoring (SAM) Rules. See sk79700.

Best Practice - The SAM Policy rules consume some CPU resources on Security
Gateway. Set an expiration for rules that gives you time to investigate, but does not
affect performance. Keep only the required SAM Policy rules. If you confirm that an
activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.

Syntax for IPv4

fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]

Syntax for IPv6

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]]


Parameters
Note - All these parameters are optional.

Parameter Description

-d  Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-l  Controls how to print the rules:
n In the default format (without "-l"), the output shows each rule on a separate line.
n In the list format (with "-l"), the output shows each parameter of a rule on a separate line.
n See "fw sam_policy add" on page 919.

-u '<Rule UID>'  Prints the rule specified by its Rule UID or its zero-based rule index.
The quote marks and angle brackets ('<...>') are mandatory.

-k '<Key>'  Prints the rules with the specified predicate key (a key as it appears in the output, for example source, service or flush; see Example 4 below).
The quote marks are mandatory.

-t <Type>  Prints the rules with the specified predicate type.
For Rate Limiting rules, you must always use "-t in".

+{-v '<Value>'}  Prints the rules with the specified predicate values.
The quote marks are mandatory.

-n  Negates the condition specified by these predicate parameters:
n -k
n -t
n +-v

Examples
Example 1 - Output in the default format
[Expert@HostName:0]# fw samp get
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ [Link] originator=John\ Doe src_ip_addr=[Link] req_type=ip


Example 2 - Output in the list format


[Expert@HostName:0]# fw samp get -l

uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ [Link]
originator
John\ Doe
src_ip_addr
[Link]
req_type
ip

Example 3 - Printing a rule by its Rule UID


[Expert@HostName:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ [Link] originator=John\ Doe src_ip_addr=[Link] req_type=ip


Example 4 - Printing rules that match the specified filters

[Expert@HostName:0]# fw samp get


no corresponding SAM policy requests
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d -l r -t 3600 quota service any source
range:[Link]-[Link] new-conn-rate 5 flush true
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated
true source cc:QQ byte-rate 0
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a b quota source range:[Link]-[Link] service
6/80
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp add -a d quota service any source-negated true source cc:QQ
concurrent-conns-ratio 655 track source
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:[Link]-[Link] new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:[Link]-[Link] service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:[Link]-[Link] service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop log=log service=any source=range:[Link]-[Link] new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass source=range:[Link]-[Link] service=6/80 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite action=notify log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop log=log service=any source=range:[Link]-[Link] new-conn-rate=5 flush=true req_type=quota
[Expert@HostName:0]#
[Expert@HostName:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@HostName:0]#
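The parser below is an added example, not part of the product: it reads the default-format output of "fw sam_policy get" shown above (including the backslash-escaped spaces in name, comment and originator), selects rules the way the -k/-t in/-v/-n predicates do, and writes the body of a "fw sam_policy batch" that deletes the selected rules and then appends the 2-second flush-only rule from the "fw sam_policy del" procedure, so the deletions take effect on the gateway immediately. The sample output embedded in it is constructed to match this page's format, with RFC 5737 addresses in place of real ones; whether a rule that lacks the key counts as a match under -n is an assumption, marked in the code.

```python
"""Parse "fw sam_policy get" output, select rules like -k/-v/-n, and emit a
"fw sam_policy batch" body that deletes them and flushes the change.
Added example, not Check Point code.  The sample below is constructed to
match the format shown on this page (RFC 5737 addresses)."""

SAMPLE_GET_OUTPUT = """\
[Expert@HostName:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:192.0.2.10-192.0.2.20 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\\ Rule comment=Notify\\ about\\ traffic\\ from\\ 192.0.2.55 originator=John\\ Doe src_ip_addr=192.0.2.55 req_type=ip
[Expert@HostName:0]#
"""

def _split_fields(line):
    """Split on spaces that are not escaped; a backslash escapes the next char."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])
            i += 2
            continue
        if ch == " ":
            if current:
                fields.append("".join(current))
                current = []
        else:
            current.append(ch)
        i += 1
    if current:
        fields.append("".join(current))
    return fields

def parse_get_output(text):
    """One dict per rule line; prompts and "no corresponding ..." lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("operation="):
            continue
        rule = {}
        for field in _split_fields(line):
            key, sep, value = field.partition("=")
            if sep:
                rule[key] = value
        rules.append(rule)
    return rules

def select(rules, key, value, negate=False):
    """Mimic "fw samp get -k <key> -t in -v <value> [-n]".
    Assumption: with -n, a rule that has no such key counts as "not equal"."""
    return [r for r in rules if (r.get(key) == value) != negate]

def remaining_seconds(rule):
    """None for rules that never expire, otherwise the seconds left."""
    return None if rule.get("timeout") == "indefinite" else int(rule["timeout"])

def batch_body(rules_to_delete):
    """Body for "fw sam_policy batch << EOF ... EOF".  Inside the batch the UID is
    written without quotes (no shell parses it), and the 2-second flush-only rule
    makes the gateway stop enforcing the deleted rules right away."""
    lines = [f"del {rule['uid']}" for rule in rules_to_delete]
    if lines:
        lines.append("add -t 2 quota flush true")
    return "".join(line + "\n" for line in lines)
```

A typical use is to feed the stored output of "fw samp get" to parse_get_output, pick the rules with select (for example every rule whose timeout is indefinite and that you no longer need), and paste the batch_body result between "fw sam_policy batch << EOF" and "EOF". Because the flush-only rule is appended only when there is something to delete, an empty selection produces an empty batch rather than a needless policy reload.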

fwm
Description
Performs various management operations and shows various management information.

Notes:
n For debug instructions, see the description of the fwm process in sk97638.
n On a Multi-Domain Server, you must run these commands in the context of the
applicable Domain Management Server.

Syntax

fwm [-d]
dbload <options>
exportcert <options>
fetchfile <options>
fingerprint <options>
getpcap <options>
ikecrypt <options>
load [<options>]
logexport <options>
mds <options>
printcert <options>
sic_reset
snmp_trap <options>
unload [<options>]
ver [<options>]
verify <options>

Parameters

Parameter Description

-d  Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

dbload <options>  Downloads the user database and network objects information to the specified targets.
See "fwm dbload" on page 947.

exportcert <options>  Exports a SIC certificate of the specified object to a file.
See "fwm exportcert" on page 948.

fetchfile <options>  Fetches a specified OPSEC configuration file from the specified source computer.
See "fwm fetchfile" on page 949.

fingerprint <options>  Shows the Check Point fingerprint.
See "fwm fingerprint" on page 951.

getpcap <options>  Fetches the IPS packet capture data from the specified Security Gateway.
See "fwm getpcap" on page 953.

ikecrypt <options>  Encrypts a secret with a key.
See "fwm ikecrypt" on page 955.

load <options>  This command is obsolete for R80 and higher.
Use the "mgmt_cli" on page 1000 command to load a policy to a managed Security Gateway.
See "fwm load" on page 956.

logexport <options>  Exports a Security log file ($FWDIR/log/*.log) or Audit log file ($FWDIR/log/*.adtlog) to an ASCII file.
See "fwm logexport" on page 957.

mds <options>  Shows information and performs various operations on a Multi-Domain Server.
See "fwm mds" on page 962.

printcert <options>  Shows a SIC certificate's details.
See "fwm printcert" on page 964.

sic_reset  Resets SIC on the Management Server.
See "fwm sic_reset" on page 970.

snmp_trap <options>  Sends an SNMP Trap to the specified host.
See "fwm snmp_trap" on page 971.

unload <options>  Unloads the policy from the specified managed Security Gateways.
See "fwm unload" on page 974.

ver <options>  Shows the Check Point version of the Management Server.
See "fwm ver" on page 978.

verify <options>  This command is obsolete for R80 and higher.
Use the "mgmt_cli" on page 1000 command to verify a policy.
See "fwm verify" on page 979.

fwm dbload

Description
Copies the user database and network objects information to specified managed servers with
one or more Management Software Blades enabled.

Important - This command is obsolete for R80 and higher.
Use the API command "install-database" to install the database on the applicable servers.
See the Check Point Management API Reference (at the top, select the correct version).

fwm exportcert

Description
Export a SIC certificate of the specified managed object to a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] exportcert -obj <Name of Object> -cert <Name of CA> -file <Output File> [-withroot] [-pem]

Parameters

Parameter Description

-d  Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process in sk97638.

-obj <Name of Object>  Specifies the name of the managed object, whose certificate you wish to export.

-cert <Name of CA>  Specifies the name of the Certificate Authority that issued the certificate you wish to export.

-file <Output File>  Specifies the name of the output file.

-withroot  Exports the CA root certificate in addition to the object's certificate.

-pem  Saves the exported information in a text (PEM) file.
Default is to save in a binary file.

fwm fetchfile

Description
Fetches a specified OPSEC configuration file from the specified source computer.
This command supports only the [Link] or fwopsec.v4x files.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] fetchfile -r <File> [-d <Local Path>] <Source>

Parameters

Parameter Description

-d  Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-r <File>  Specifies the file path relative to the fw1 directory.
This command supports only these files:
n conf/[Link]
n conf/fwopsec.v4x

-d <Local Path>  Specifies the local directory to save the fetched file.
Note - This "-d" comes after "fetchfile" and takes a path; the "-d" before "fetchfile" is the debug option.

<Source>  Specifies the managed remote source computer, from which to fetch the file.
Note - The local and the remote source computers must have established SIC trust.


Example

[Expert@MGMT:0]# fwm fetchfile -r "conf/[Link]" -d /tmp [Link]
Fetching conf/[Link] from [Link]...
Done
[Expert@MGMT:0]#

fwm fingerprint

Description
Shows the Check Point fingerprint.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] fingerprint [-d] {<IP address of Target> | localhost} <SSL Port>

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the
entire CLI session.
The debug options are:
n fwm -d
Runs the complete debug of all fwm actions.
For complete debug instructions, see the description of the
fwm process in sk97638.
n fingerprint -d
Runs the debug only for the fingerprint actions.

<IP address of Target> Specifies the IP address of a remote managed computer. Use localhost for the local Management Server.

<SSL Port> Specifies the SSL port number.
The default is 443.

Example 1 - Showing the fingerprint on the local Management Server

[Expert@MGMT:0]# fwm fingerprint localhost 443
#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email Address,CN=[Link],L=Locality Name (eg\, city)
#FINGER 11:A6:F7:1F:B9:F5:15:BC:F9:7B:5F:DC:28:FC:33:C5
##
[Expert@MGMT:0]#

Example 2 - Showing the fingerprint from a managed Security Gateway

[Expert@MGMT:0]# fwm fingerprint [Link] 443
#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email Address,CN=[Link],L=Locality Name (eg\, city)
#FINGER 5C:8E:4D:B9:B4:3A:58:F3:79:18:F1:70:99:8B:5F:2B
##
[Expert@MGMT:0]#
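
The check an operator performs with this output, as an added example (this is not code from the guide and not Check Point code): it parses the #DN/#FINGER/## record, normalizes the fingerprint so a value pasted from a ticket, a notes file or the SmartConsole dialog compares correctly whatever its case or separators, recomputes a fingerprint over a certificate's DER bytes with hashlib, and compares in constant time. The sample output is constructed in the format shown above; the assumption that the 16-byte #FINGER value is an MD5 digest of the DER certificate (the same length as the MD5 fingerprint fwm printcert shows) is mine.

```python
"""Check a 'fwm fingerprint' result against a pinned value or a DER certificate.

Added example, not code from the Check Point guide. SAMPLE_OUTPUT is a
constructed copy of the guide's #DN/#FINGER/## format. Assumption: the
16-byte #FINGER value is an MD5 digest of the DER certificate (same length
as the MD5 fingerprint 'fwm printcert' prints), so md5 is the default here.
"""
import hashlib
import hmac

# Constructed sample: same layout as 'fwm fingerprint localhost 443' in the guide.
SAMPLE_OUTPUT = """\
#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email Address,CN=mgmt.example.net,L=Locality Name (eg\\, city)
#FINGER 11:A6:F7:1F:B9:F5:15:BC:F9:7B:5F:DC:28:FC:33:C5
##
"""

HEX = set("0123456789ABCDEF")


def normalize_fingerprint(value):
    """Return the fingerprint as 'AA:BB:..' regardless of case or separators.

    Operators paste fingerprints with colons, spaces or nothing between the
    bytes; comparing raw strings would give false mismatches. Only MD5 (16),
    SHA-1 (20) and SHA-256 (32) byte lengths are accepted; any other
    character than hex digits and separators is an error, not dropped.
    """
    upper = value.upper()
    digits = "".join(ch for ch in upper if ch in HEX)
    stripped = "".join(ch for ch in upper if ch not in ": -")
    if digits != stripped or len(digits) not in (32, 40, 64):
        raise ValueError(f"not an MD5/SHA-1/SHA-256 fingerprint: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def parse_fingerprint_output(text):
    """Return (dn, fingerprint) from fwm fingerprint output; '##' ends the record."""
    dn = fingerprint = None
    for line in text.splitlines():
        if line.startswith("#DN "):
            dn = line[4:].strip()
        elif line.startswith("#FINGER "):
            fingerprint = normalize_fingerprint(line[8:])
        elif line.strip() == "##":
            break
    if dn is None or fingerprint is None:
        raise ValueError("output has no #DN/#FINGER pair")
    return dn, fingerprint


def fingerprint_of_der(der_bytes, algorithm="md5"):
    """Digest of the raw DER certificate bytes, in the same notation as fwm."""
    return normalize_fingerprint(hashlib.new(algorithm, der_bytes).hexdigest())


def fingerprints_match(shown, pinned):
    """Constant-time comparison of two fingerprints in any accepted notation.

    'pinned' must come from an out-of-band channel (a console session, the
    CA owner, a change record), not from the same connection whose
    certificate is being checked.
    """
    return hmac.compare_digest(normalize_fingerprint(shown),
                               normalize_fingerprint(pinned))


if __name__ == "__main__":
    dn, shown = parse_fingerprint_output(SAMPLE_OUTPUT)
    pinned = "11a6f71f b9f515bc f97b5fdc 28fc33c5"   # constructed value from a notes file
    print(dn)
    print("match" if fingerprints_match(shown, pinned) else "MISMATCH", shown)
```

A mismatch means you are not talking to the certificate you expected (a wrong host, a re-initialized ICA, or an interposed endpoint) and the connection should not be approved. Where you can, also compare the SHA-1 fingerprint that fwm printcert prints rather than relying on the MD5 value alone.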

fwm getpcap

Description
Fetches the IPS packet capture data from the specified Security Gateway.
This command only works with IPS packet captures stored on the Security Gateway in the
$FWDIR/log/captures_repository/ directory.
This command does not work with other Software Blades, such as Anti-Bot and Anti-Virus that
store packet captures in the $FWDIR/log/blob/ directory on the Security Gateway.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] getpcap -g <Security Gateway> -u '{<Capture UID>}' -p <Local Path>

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to
a file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process
in sk97638.

-g <Security Gateway> Specifies the main IP address or Name of the Security Gateway object as configured in SmartConsole.

-u '{<Capture UID>}' Specifies the Unique ID of the packet capture file.
To see the Unique ID of the packet capture file, open the applicable log in SmartConsole > Logs & Events > Logs.

-p <Local Path> Specifies the local path to save the specified packet capture file.
If you do not specify the local directory explicitly, the command saves the packet capture file in the current working directory.

Example

[Expert@MGMT:0]# fwm getpcap -g [Link] -u '{0x4d79dc02,0x10000,0x220da8c0,0x1ffff}' -p /var/log/
[Expert@MGMT:0]#

fwm ikecrypt

Description
Encrypts the password of an Endpoint VPN Client user with the IKE key. Store the resulting string in the LDAP database.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] ikecrypt <Key> <Password>

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process in
sk97638.

<Key> Specifies the IKE Key as defined in the LDAP Account Unit properties
window on the Encryption tab.

<Password> Specifies the password for the Endpoint VPN Client user.

Example

[Expert@MGMT:0]# fwm ikecrypt MySecretKey MyPassword
OUQJHiNHCj6HJGH8ntnKQ7tg
[Expert@MGMT:0]#

fwm load

Description
Loads a policy on a managed Security Gateway.

Important - This command is obsolete for R80 and higher.
Use the API command "install-policy" to load a policy on a managed Security Gateway.
See the Check Point Management API Reference (at the top, select the correct version).

fwm logexport

Description
Exports a Security log file ($FWDIR/log/*.log) or Audit log file ($FWDIR/log/*.adtlog)
to an ASCII file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm logexport -h
fwm [-d] logexport [{-d <Delimiter> | -s}] [-t <Table Delimiter>]
[-i <Input File>] [-o <Output File>] [{-f | -e}] [-x <Start Entry
Number>] [-y <End Entry Number>] [-z] [-n] [-p] [-a] [-u
<Unification Scheme File>] [-m {initial | semi | raw}]

Parameters

Parameter Description

-h Shows the built-in usage.

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.
For complete debug instructions, see the description of the fwm
process in sk97638.

-d <Delimiter> | -s Specifies the output delimiter between fields of log entries:
n -d <Delimiter> - Uses the specified delimiter.
n -s - Uses the ASCII character #255 (non-breaking space) as the delimiter.
Note - If you do not specify the delimiter explicitly, the default is a semicolon (;).
Field values are written without quoting, so if you parse the output with another tool, choose a delimiter that cannot occur in the exported values (or use -s).

-t <Table Delimiter> Specifies the output delimiter inside a table field.
A table field looks like: ROWx:COL0,ROWx:COL1,ROWx:COL2, and so on.
Note - If you do not specify the table delimiter explicitly, the default is a comma (,).

-i <Input File> Specifies the name of the input log file.
Notes:
n This command supports only Security log files ($FWDIR/log/*.log) and Audit log files ($FWDIR/log/*.adtlog).
n If you do not specify the input log file explicitly, the command processes the active Security log file $FWDIR/log/fw.log.

-o <Output File> Specifies the name of the output file.
Note - If you do not specify the output file explicitly, the command prints its output on the screen.

-f After reaching the end of the currently opened log file, continues to monitor the log file indefinitely and exports the new entries as well.
Note - Applies only to the active log file: $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.

-e After reaching the end of the currently opened log file, continues to monitor the log file indefinitely and exports the new entries as well.
Note - Applies only to the active log file: $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog.

-x <Start Entry Number> Starts exporting at the specified log entry number, counting from the beginning of the log file.

-y <End Entry Number> Stops exporting at the specified log entry number, counting from the beginning of the log file.

-z In case of an error (for example, a wrong field value), continues the export of log entries.
The default behavior is to stop.

-n Specifies not to perform DNS resolution of the IP addresses in the log file (this is the default behavior).
This significantly speeds up the log processing.

-p Specifies not to perform resolution of the port numbers in the log file (this is the default behavior).
This significantly speeds up the log processing.

-a Exports only Account log entries.

-u <Unification Scheme File> Specifies the path and name of the log unification scheme file.
The default log unification scheme file is $FWDIR/conf/log_unification_scheme.C.

-m {initial | semi | raw} Specifies the log unification mode:
n initial - Complete unification of log entries. The command exports one unified log entry for each ID. This is the default.
If you also specify the "-f" parameter, then the output does not export any updates, but exports only entries that relate to the start of new connections. To export updates as well, use the "semi" parameter.
n semi - Step-by-step unification of log entries. For each log entry, exports an entry that unifies this entry with all previously encountered entries with the same ID.
n raw - No log unification. Exports all log entries.

The output of the fwm logexport command appears in tabular format.
The first row lists the names of all log fields included in the log entries.
Each of the next rows is a single log entry, whose fields appear in the same order as in the first row.
If a log entry has no information in a specific field, this field remains empty (shown as two successive semicolons ";;").
You can control which log fields appear in the output:

Step Instructions

1 Create the $FWDIR/conf/logexport.ini file:
[Expert@MGMT:0]# touch $FWDIR/conf/logexport.ini

2 Edit the $FWDIR/conf/logexport.ini file:
[Expert@MGMT:0]# vi $FWDIR/conf/logexport.ini

3 To include or exclude log fields from the output, add these lines to the configuration file:
[Fields_Info]
included_fields = field1,field2,field3,<REST_OF_FIELDS>,field100
excluded_fields = field10,field11
Where:
n You can specify only the included_fields parameter, only the excluded_fields parameter, or both.
n The num field must always appear first. You cannot manipulate this field.
n The <REST_OF_FIELDS> is an optional reserved token that refers to a list of fields.
l If you specify the "-f" parameter, then the <REST_OF_FIELDS> is based on the list of fields in the $FWDIR/conf/logexport_default.C file.
l If you do not specify the "-f" parameter, then the <REST_OF_FIELDS> is based on the input log file.

4 Save the changes in the file and exit the Vi editor.

5 Export the logs:
fwm logexport <options>

Example 1 - Exporting all log entries

[Expert@MGMT:0]# fwm logexport -i [Link]
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;;daemon;inbound;VPN-1 & FireWall-1;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.[Link].s6t98x;5;18446744073709551615;2;Log file has been switched to: [Link];Network;;;;;;;;;;;;
1;13Jun2018;19:47:54;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_[Link],O=MyDomain_[Link].s6t98x;5;18446744073709551615;1;;Network;Default;Default;;;;;;;;;;
... ...
35;13Jun2018;19:55:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_[Link],O=MyDomain_[Link].s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_[Link].s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;
... ...
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_[Link].s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "[Link] Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date
... ...
[Expert@MGMT:0]#

Example 2 - Exporting only log entries with specified numbers

[Expert@MGMT:0]# fwm logexport -i [Link] -x 36 -y 47
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_[Link].s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;
37;13Jun2018;19:56:06;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_[Link],O=MyDomain_[Link].s6t98x;5;18446744073709551615;2;;Network;Default;Default;Host Redirect;;;;;;;;;
... ...
46;13Jun2018;19:56:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_[Link],O=MyDomain_[Link].s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_[Link].s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "[Link] Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date
[Expert@MGMT:0]#
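
A parser for this output, as an added example (not code from this guide and not Check Point code) that covers both the field-delimiter and table-delimiter options described above and the -x/-y entry range: it splits the header and the entries on the field delimiter (the default ';', or chr(255) when the export was made with -s), rejects an entry whose field count differs from the header instead of silently misaligning the columns (which is what an unquoted delimiter inside a value produces), splits the named table fields on the -t delimiter, and then applies two checks you would otherwise do by eye, control entries whose status is Failed and a range of entry numbers. The sample is constructed to follow the layout of Example 1 with fewer fields; the rule_names field name and the entry contents are mine.

```python
"""Parser for 'fwm logexport' output plus two checks over the records.

Added example, not code from the Check Point guide. SAMPLE_EXPORT is a
constructed, trimmed copy of the default layout the guide shows: a
'Starting...' status line, then the header row, then one entry per line
with ';' between fields and ',' inside table fields. An empty field is
rendered as ';;' (an empty string).
"""
import io

# Constructed sample output (same layout as the guide's examples, fewer fields).
SAMPLE_EXPORT = """\
Starting... There are 4 log records in the file
num;date;time;orig;type;action;product;description;status;reason;Severity;rule_names
0;13Jun2018;19:47:54;GW1;control; ;VPN-1 & FireWall-1;;;;;
1;13Jun2018;19:47:54;GW1;account;accept;FG;;;;;Default,Default
36;13Jun2018;19:56:06;GW1;control; ;Security Gateway/Management;Contracts;Started;;1;
47;13Jun2018;19:57:02;GW1;control; ;Security Gateway/Management;Contracts;Failed;Could not reach the update server;2;
"""

# Delimiter written by 'fwm logexport -s' (ASCII 255), for values that may contain ';'.
NBSP_DELIMITER = chr(255)


def parse_logexport(text, delimiter=";", table_delimiter=",", table_fields=()):
    """Return a list of dicts, one per exported log entry.

    Status lines printed before the header are skipped. Values of the fields
    named in table_fields are split on table_delimiter into lists (the
    guide's 'ROWx:COL0,ROWx:COL1' layout); everything else stays a string.
    A row whose field count differs from the header is rejected: values are
    not quoted, so a delimiter inside a value would otherwise shift every
    column after it.
    """
    header, records = None, []
    for raw in io.StringIO(text):
        line = raw.rstrip("\r\n")
        if not line or line.startswith("Starting..."):
            continue
        cols = line.split(delimiter)
        if header is None:
            if cols[0] != "num":
                raise ValueError("first row must be the field header starting with 'num'")
            header = cols
            continue
        if len(cols) != len(header):
            raise ValueError(f"entry {cols[0]!r}: {len(cols)} fields, header has {len(header)}")
        rec = dict(zip(header, cols))
        for name in table_fields:
            if name in rec:
                rec[name] = rec[name].split(table_delimiter) if rec[name] else []
        records.append(rec)
    return records


def failed_control_entries(records):
    """Control entries whose status is 'Failed' (for example a contract update)."""
    return [r for r in records
            if r.get("type") == "control" and r.get("status") == "Failed"]


def entries_in_range(records, start, end):
    """Select entries by their 'num' field, like 'fwm logexport -x <start> -y <end>'."""
    return [r for r in records if start <= int(r["num"]) <= end]


if __name__ == "__main__":
    recs = parse_logexport(SAMPLE_EXPORT, table_fields=("rule_names",))
    for r in failed_control_entries(recs):
        print(f"entry {r['num']} {r['date']} {r['time']}: "
              f"{r['description']} {r['status']} - {r['reason']}")
```

To process a real export, pass the file contents instead of SAMPLE_EXPORT; for an export made with -s, pass delimiter=NBSP_DELIMITER and read the file as Latin-1 so that byte 255 survives decoding.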

fwm mds

Description
n Shows the Check Point version of the Multi-Domain Server.
n Rebuilds status tree for Global VPN Communities.

Note - On a Multi-Domain Server, you can run this command:
n In the context of the MDS:
mdsenv
n In the context of a Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] mds ver
fwm [-d] mds rebuild_global_communities_status {all | missing}

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect
the output to a file, or use the script command to save
the entire CLI session.
For complete debug instructions, see the description of the
fwm process in sk97638.

ver Shows the Check Point version of the Multi-Domain Server.

rebuild_global_communities_status {all | missing} Rebuilds the status tree for Global VPN Communities:
n all - Rebuilds the status tree for all Global VPN Communities.
n missing - Rebuilds the status tree only for Global VPN Communities that do not have status trees.

Example

[Expert@MDS:0]# fwm mds ver
This is Check Point Multi-Domain Security Management R82 - Build 11
[Expert@MDS:0]#

fwm printcert

Description
Shows the details of a SIC certificate: the certificate of a managed object, the certificate of a Certificate Authority, or a certificate stored in a file.

Note:
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] printcert -obj <Name of Object> [-cert <Certificate Nick Name>] [-verbose]
fwm [-d] printcert -ca <CA Name> [-x509 <Name of File> [-p]] [-verbose]
fwm [-d] printcert -f <Name of Binary Certificate File> [-verbose]

Parameters

Item Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then
redirect the output to a file, or use the script
command to save the entire CLI session.
For complete debug instructions, see the description of
the fwm process in sk97638.

-obj <Name of Object> Specifies the name of the managed object, for which to
show the SIC certificate information.

-cert <Certificate Nick Name> Specifies the certificate nick name.

-ca <CA Name> Specifies the name of the Certificate Authority.
Note - The name of the Check Point Internal CA is internal_ca.

-x509 <Name of File> Specifies the name of the X.509 file.

-p Specifies to show the SIC certificate as a text file.

-f <Name of Binary Certificate File> Specifies the binary SIC certificate file to show.

-verbose Shows the information in verbose mode.

Examples
Example 1 - Showing the SIC certificate of a Management Server
[Expert@MGMT:0]# fwm printcert -ca internal_ca
Subject: O=[Link].s6t98x
Issuer: O=[Link].s6t98x
Not Valid Before: Sun Apr 8 13:41:00 2018 Local Time
Not Valid After: Fri Jan 1 05:14:07 2038 Local Time
Serial No.: 1
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint:
is CA
MD5 Fingerprint:
7B:F9:7B:4C:BD:40:B9:1C:AB:2C:AE:CF:66:2E:E7:06
SHA-1 Fingerprints:
1. A6:43:3A:2B:1A:04:7F:A6:36:A6:2C:78:BF:22:D9:BC:F7:7E:4D:73
2. KEYS HEM GERM PIT ABUT ROVE RAW PA IQ FAWN NUT SLAM
[Expert@MGMT:0]#

Example 2 - Showing the SIC certificate of a Management Server in verbose mode


[Expert@MGMT:0]# fwm printcert -ca internal_ca -verbose
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: called
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: closing existing database
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] do_links_getver: strncmp failed. Returning -2
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] db_fetchkey: entering
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] PubKey:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Modulus:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ae b3 75 36 64 e4 1a 40 fe c2 ad 2f 9b 83 0b 45
f1 00 04 bc
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 77 77 76 d1 de 8a cf 9f 32 78 8b d4 b1 b4 be
db 75 cc c8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c2 6d ff 3e aa fe f1 2b c3 0a b0 a2 a5 e0 a8 ab
45 cd 87 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ac c6 9f a4 a9 ba 30 79 08 fa 59 4c d2 dc 3d 36
ca 17 d7 c1
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] b2 a2 41 f5 89 0f 00 d4 2d f2 55 d2 30 a5 32 c7
46 7a 6b 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 29 0f 53 9f 35 42 91 e5 7d f7 30 6d bc b3 f2 ae
f3 f0 ed 88
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c4 d7 7d 0c 2d f6 5f c8 ed 9f 9a 57 54 79 d0 0f
0b 2f 9c 0d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 94 2e f0 f4 66 62 f7 ae 2e f8 8e 90 08 ba 63 85
b6 46 2f b7
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a7 01 29 9a 14 58 a8 ef eb 07 17 4e 95 8b 2f 48
5f d3 18 10
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 00 d5 03 d7 fd 45 45 ca 67 5b 34 be b8 00 ae
ea 9a cd 50
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] d6 e7 a2 81 86 78 11 d7 bf 04 9f 8b 43 3f f7 36
5f ed 31 a8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a3 9d 8b 0a de 05 fb 5c 44 2e 29 e3 3e f4 dd 50
01 0f 86 9d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 55 16 a3 4d f8 90 2d 13 c6 c1 28 57 f8 3e 7c 59
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Exponent: 65537 (0x10001)
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52]
X509 Certificate Version 3
refCount: 1
Serial Number: 1
Issuer: O=[Link].s6t98x
Subject: O=[Link].s6t98x
Not valid before: Sun Apr 8 13:41:00 2018 Local Time
Not valid after: Fri Jan 1 05:14:07 2038 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint (Critical):
is CA

[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] destroy_rand_mutex: destroy


[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] cpKeyTaskManager::~cpKeyTaskManager: called.
[Expert@MGMT:0]#

Example 3 - Showing the SIC certificate of a managed Cluster object


[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244

printing all certificates of CXL_192.168.3.244

defaultCert:
Host Certificate (level 0):
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=[Link].s6t98x
Issuer: O=[Link].s6t98x
Not Valid Before: Sun Jun 3 19:58:19 2018 Local Time
Not Valid After: Sat Jun 3 19:58:19 2023 Local Time
Serial No.: 85021
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Subject Alternate Names:
IP Address: [Link]
CRL distribution points:
[Link]
CN=ICA_CRL2,O=[Link].s6t98x
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
MD5 Fingerprint:
B1:15:C7:A8:2A:EE:D1:75:92:9F:C7:B4:B9:BE:42:1B
SHA-1 Fingerprints:
1. BC:7A:D9:E2:CD:29:D1:9E:F0:39:5A:CD:7E:A9:0B:F9:6A:A7:2B:85
2. MIRE SANK DUSK HOOD HURD RIDE TROY QUAD LOVE WOOD GRIT WITH

*****
[Expert@MGMT:0]#

Example 4 - Showing the SIC certificate of a managed Cluster object in verbose mode
[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244 -verbose
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: called
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: closing existing database
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] do_links_getver: strncmp failed. Returning -2

printing all certificates of CXL_192.168.3.244

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] db_fetchkey: entering


[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 1 certificates
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] PubKey:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Modulus:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] df 35 c3 45 ca 42 16 6e 21 9e 31 af c1 fd 20 0a
3d 5b 6f 5d
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] e0 a2 0c 0e fa fa 5e e5 91 9d 4e 73 77 fa db 86
0b 5e 5d 0c
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] ce af 4a a4 7b 30 ed b0 43 7d d8 93 c5 4b 01 f4
3d b5 d8 f4
... ... ...
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 34 b1 db ac 18 4f 11 bd d2 fb 26 7d 23 74 5c d9
00 a1 58 1e
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 60 7c 83 44 fa 1e 1e 86 fa ad 98 f7 df 24 4a 21
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Exponent: 65537 (0x10001)
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45]
X509 Certificate Version 3
refCount: 1
Serial Number: 85021
Issuer: O=[Link].s6t98x
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=[Link].s6t98x
Not valid before: Sun Jun 3 19:58:19 2018 Local Time
Not valid after: Sat Jun 3 19:58:19 2023 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyEncipherment
Subject Alternate names:
IP: [Link]
Basic Constraint:
not CA
CRL distribution Points:
URI: [Link]
DN: CN=ICA_CRL2,O=[Link].s6t98x

defaultCert:

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] destroy_rand_mutex: destroy


[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] cpKeyTaskManager::~cpKeyTaskManager: called.
*****
[Expert@MGMT:0]#
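
What a practitioner usually wants from fwm printcert across many objects is an inventory of validity and key strength rather than a visual read of each block. The following is an added example (not code from this guide and not Check Point code) that parses the non-verbose output format shown in Example 3 into one record per certificate and returns findings: expired or soon-expiring, not yet valid (clock skew), RSA keys below a floor, and signature algorithms other than SHA-256. The sample is a constructed copy of Example 3's layout with the issuer name replaced; the 90-day warning window and the 2048-bit floor are my assumptions, and check_certificate takes the comparison time as an argument so the result does not depend on the wall clock.

```python
"""Parse 'fwm printcert' output and flag certificates that need attention.

Added example, not code from the Check Point guide. SAMPLE_PRINTCERT is a
constructed copy of the non-verbose layout in the guide's Example 3 with
the issuer name replaced; the 90-day warning and the 2048-bit floor are
assumptions. To use it on a real object, feed the command's stdout to
parse_printcert (for example via subprocess.run(["fwm", "printcert",
"-obj", name], capture_output=True, text=True).stdout).
"""
import re
from datetime import datetime, timedelta

SAMPLE_PRINTCERT = """\
printing all certificates of CXL_192.168.3.244

defaultCert:
Host Certificate (level 0):
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=mgmt.example.net.s6t98x
Issuer: O=mgmt.example.net.s6t98x
Not Valid Before: Sun Jun  3 19:58:19 2018 Local Time
Not Valid After: Sat Jun  3 19:58:19 2023 Local Time
Serial No.: 85021
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Subject Alternate Names:
IP Address: 192.168.3.244
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
MD5 Fingerprint:
B1:15:C7:A8:2A:EE:D1:75:92:9F:C7:B4:B9:BE:42:1B
SHA-1 Fingerprints:
1. BC:7A:D9:E2:CD:29:D1:9E:F0:39:5A:CD:7E:A9:0B:F9:6A:A7:2B:85
2. MIRE SANK DUSK HOOD HURD RIDE TROY QUAD LOVE WOOD GRIT WITH

*****
"""

TIME_FORMAT = "%a %b %d %H:%M:%S %Y"          # "Sat Jun  3 19:58:19 2023"
KEY_USAGES = {"digitalSignature", "keyEncipherment", "keyCertSign", "cRLSign"}
SHA1_LINE = re.compile(r"1\. ((?:[0-9A-F]{2}:){19}[0-9A-F]{2})$")


def _after_colon(line):
    return line.split(":", 1)[1].strip()


def _parse_time(value):
    """fwm prints local time with a 'Local Time' suffix; the result is naive."""
    return datetime.strptime(value.replace("Local Time", "").strip(), TIME_FORMAT)


def parse_printcert(text):
    """Return one dict per certificate in the (non-verbose) output.

    A certificate starts at its 'Subject:' line; lines before the first one
    ('printing all certificates of ...', the nickname) are skipped.
    """
    certs, cur = [], None
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        low = line.lower()
        if low.startswith("subject:"):
            cur = {"subject": _after_colon(line), "key_usage": [], "san_ips": [], "sha1": []}
            certs.append(cur)
        elif cur is None or not line:
            continue
        elif low.startswith("issuer:"):
            cur["issuer"] = _after_colon(line)
        elif low.startswith("not valid before:"):
            cur["not_before"] = _parse_time(_after_colon(line))
        elif low.startswith("not valid after:"):
            cur["not_after"] = _parse_time(_after_colon(line))
        elif low.startswith("serial no.:"):
            cur["serial"] = int(_after_colon(line))
        elif low.startswith("public key:"):
            alg, bits = re.search(r"(\w+) \((\d+) bits\)", line).groups()
            cur["key_algorithm"], cur["key_bits"] = alg, int(bits)
        elif low.startswith("signature:"):
            cur["signature"] = _after_colon(line)
        elif low.startswith("ip address:"):
            cur["san_ips"].append(_after_colon(line))
        elif line in ("is CA", "not CA"):
            cur["is_ca"] = line == "is CA"
        elif line in KEY_USAGES:
            cur["key_usage"].append(line)
        elif low.startswith("md5 fingerprint:"):
            cur["md5"] = lines[i + 1]
        elif SHA1_LINE.match(line):
            cur["sha1"].append(SHA1_LINE.match(line).group(1))
    return certs


def check_certificate(cert, now, warn_days=90, min_rsa_bits=2048):
    """Return findings for one certificate; an empty list means nothing to do.

    now is the clock to compare against: a datetime or an ISO date string.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    remaining = cert["not_after"] - now
    if remaining <= timedelta(0):
        findings.append(f"expired on {cert['not_after']:%Y-%m-%d}")
    elif remaining < timedelta(days=warn_days):
        findings.append(f"expires in {remaining.days} days")
    if now < cert["not_before"]:
        findings.append("not yet valid (check the clock on both sides)")
    if cert.get("key_algorithm") == "RSA" and cert["key_bits"] < min_rsa_bits:
        findings.append(f"RSA key is only {cert['key_bits']} bits")
    if "sha256" not in cert.get("signature", "").lower().replace("-", ""):
        findings.append(f"signature algorithm is {cert.get('signature', 'unknown')}")
    return findings


if __name__ == "__main__":
    for cert in parse_printcert(SAMPLE_PRINTCERT):
        print(cert["subject"], check_certificate(cert, datetime.now()) or "ok")
```

Run against the real output of Example 3, the certificate is reported as expired on 2023-06-03; for a fleet, loop over the object names from SmartConsole and feed each command's output to parse_printcert.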

fwm sic_reset

Description
Resets SIC on the Management Server.
For detailed procedure, see sk65764: How to reset SIC.

Warning:
n Before you run this command, take a Gaia Snapshot and a full backup of the Management Server.
This command resets SIC between the Management Server and all its managed objects.
n This operation invalidates all Internal CA certificates and breaks SIC trust across the managed environment, so every managed object must re-establish trust afterwards.
Use it only for real disaster recovery.

Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] sic_reset

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process in
sk97638.

fwm snmp_trap

Description
Sends an SNMPv1 Trap to the specified host.

Notes:
n On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n On a Multi-Domain Server, the SNMP Trap packet is sent from the IP address of the Leading Interface.
n SNMPv1 Traps are neither authenticated nor encrypted. The community string and the message are sent in cleartext (see the capture in the example below), so do not put sensitive data in the message, and restrict which hosts can reach the Trap receiver.

Syntax

fwm [-d] snmp_trap [-v <SNMP OID>] [-g <Generic Trap Number>] [-s
<Specific Trap Number>] [-p <Source Port>] [-c <SNMP Community>]
<Target> ["<Message>"]

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the
entire CLI session.
For complete debug instructions, see the description of the fwm
process in sk97638.

-v <SNMP OID> Specifies an optional SNMP OID to bind with the message.

-g <Generic Trap Number> Specifies the generic trap number.
One of these values:
n 0 - For coldStart trap
n 1 - For warmStart trap
n 2 - For linkDown trap
n 3 - For linkUp trap
n 4 - For authenticationFailure trap
n 5 - For egpNeighborLoss trap
n 6 - For enterpriseSpecific trap (this is the default value)

-s <Specific Trap Number> Specifies the unique trap type.
Valid only if the generic trap value is 6 (for enterpriseSpecific).
The default value is 0.

-p <Source Port> Specifies the source port, from which to send the SNMP Trap packets.

-c <SNMP Community> Specifies the SNMP community string. It is sent in cleartext in every SNMPv1 Trap.

<Target> Specifies the target host (the SNMP Trap receiver), to which to send the SNMP Trap packets.
Enter an IP address or a resolvable hostname.

"<Message>" Specifies the SNMP Trap text message.

Example - Sending an SNMP Trap from a Management Server and capturing the traffic on
the Security Gateway

[Expert@MGMT:0]# fwm snmp_trap -g 2 -c public [Link] "My Trap Message"
[Expert@MGMT:0]#

[Expert@MyGW_192.168.3.52:0]# tcpdump -s 1500 -vvvv -i eth0 udp and host [Link]
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
22:49:43.891287 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 103) [Link].53450 > MyGW_192.[Link]: [udp sum ok] { SNMPv1 { Trap(58) E:2620.1.1 [Link] linkDown 1486440 E:2620.[Link]="My Trap Message" } }
Pressed CTRL+C
[Expert@MyGW_192.168.3.52:0]#
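
The capture above shows everything tcpdump can read from the datagram: version, community, the enterprise OID (E:2620 is 1.3.6.1.4.1.2620, Check Point's enterprise arc), the generic trap, the uptime and the message. The following added example (not code from this guide and not Check Point code) builds the same SNMPv1 Trap-PDU byte by byte with BER and decodes it back, so the cleartext nature of the community string and the message is visible in the bytes rather than taken on faith. The varbind OID 1.3.6.1.4.1.2620.1.1.1, the agent address 192.0.2.10 and the uptime are constructed values, not the ones fwm uses.

```python
"""Encode and decode an SNMPv1 Trap like the one 'fwm snmp_trap' sends.

Added example, not code from the Check Point guide. The BER is built by hand
so the wire format is visible: SNMPv1 has no authentication, and the
community string and the message are plain octet strings, which is why the
tcpdump in the guide can print both. Enterprise OID 1.3.6.1.4.1.2620 is
Check Point's; the varbind OID, agent address and uptime are constructed.
"""

# ASN.1/BER tags used by SNMPv1 (RFC 1155 and RFC 1157)
TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30
TAG_IPADDRESS, TAG_TIMETICKS, TAG_TRAP_PDU = 0x40, 0x43, 0xA4  # [APP 0], [APP 3], [4]

GENERIC_TRAPS = ["coldStart", "warmStart", "linkDown", "linkUp",
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]


def _tlv(tag, content):
    """Tag-length-value; the long length form starts at 128 content bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def _encode_uint(value, tag=TAG_INTEGER):
    """Non-negative INTEGER or TimeTicks: minimal big-endian, 0x00 prefix if the high bit is set."""
    if value < 0:
        raise ValueError("trap fields are non-negative")
    return _tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] > 39:
        raise ValueError(f"invalid OID {dotted!r}")
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_snmpv1_trap(community, enterprise, agent_addr, generic_trap,
                       specific_trap, uptime_ticks, varbinds):
    """Return the UDP payload of an SNMPv1 Trap-PDU (RFC 1157 section 4.1.6).

    varbinds is a list of (oid, text) pairs; fwm snmp_trap sends one carrying
    the message. Nothing here is encrypted or signed, community included.
    """
    vb_bytes = b"".join(
        _tlv(TAG_SEQUENCE, _encode_oid(oid) + _tlv(TAG_OCTET_STRING, text.encode()))
        for oid, text in varbinds)
    pdu = (_encode_oid(enterprise)
           + _tlv(TAG_IPADDRESS, bytes(int(o) for o in agent_addr.split(".")))
           + _encode_uint(generic_trap)
           + _encode_uint(specific_trap)
           + _encode_uint(uptime_ticks, TAG_TIMETICKS)
           + _tlv(TAG_SEQUENCE, vb_bytes))
    message = (_encode_uint(0)                               # version 0 = SNMPv1
               + _tlv(TAG_OCTET_STRING, community.encode())  # cleartext "password"
               + _tlv(TAG_TRAP_PDU, pdu))
    return _tlv(TAG_SEQUENCE, message)


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element); rejects truncated input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, pos, tag):
    got, content, pos = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02X}, got 0x{got:02X}")
    return content, pos


def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_snmpv1_trap(packet):
    """Parse a trap into a dict; anything that is not an SNMPv1 Trap-PDU is rejected."""
    msg, _ = _expect(packet, 0, TAG_SEQUENCE)
    version, pos = _expect(msg, 0, TAG_INTEGER)
    if int.from_bytes(version, "big") != 0:
        raise ValueError("not SNMPv1")
    community, pos = _expect(msg, pos, TAG_OCTET_STRING)
    pdu, _ = _expect(msg, pos, TAG_TRAP_PDU)
    enterprise, pos = _expect(pdu, 0, TAG_OID)
    agent, pos = _expect(pdu, pos, TAG_IPADDRESS)
    generic, pos = _expect(pdu, pos, TAG_INTEGER)
    specific, pos = _expect(pdu, pos, TAG_INTEGER)
    ticks, pos = _expect(pdu, pos, TAG_TIMETICKS)
    vbs, _ = _expect(pdu, pos, TAG_SEQUENCE)
    varbinds, pos = [], 0
    while pos < len(vbs):
        vb, pos = _expect(vbs, pos, TAG_SEQUENCE)
        name, vpos = _expect(vb, 0, TAG_OID)
        _, value, _ = _read_tlv(vb, vpos)
        varbinds.append((_decode_oid(name), value.decode("utf-8", "replace")))
    return {"community": community.decode("utf-8", "replace"),
            "enterprise": _decode_oid(enterprise),
            "agent_addr": ".".join(map(str, agent)),
            "generic_trap": GENERIC_TRAPS[int.from_bytes(generic, "big")],
            "specific_trap": int.from_bytes(specific, "big"),
            "uptime_ticks": int.from_bytes(ticks, "big"),
            "varbinds": varbinds}
```

Sending the result with socket.sendto(packet, (receiver, 162)) produces the same kind of datagram as the capture above; search the hex for "public" and the message text to see why the community string is not a secret on the wire and why the receiver should only accept traps from known management addresses.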

fwm unload

Description
Unloads the policy from the specified managed Security Gateways or Cluster Members.

Warning:
1. The fwm unload command prevents all traffic from passing through the
Security Gateway (Cluster Member), because it disables the IP Forwarding in
the Linux kernel on the specified Security Gateway (Cluster Member).
2. The fwm unload command removes all policies from the specified Security
Gateway (Cluster Member).
This means that the Security Gateway (Cluster Member) accepts all incoming
connections destined to all active interfaces without any filtering or protection
enabled.

Notes:
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>
n If it is necessary to remove the current policy, but keep the Security Gateway
(Cluster Member) protected, then run the "comp_init_policy" command on
the Security Gateway (Cluster Member).
n To load the policies on the Security Gateway (Cluster Member), run one of
these commands on the Security Gateway (Cluster Member), or reboot:
l "fw fetch"

l "cpstart"

Syntax

fwm [-d] unload <GW1> <GW2> ... <GWN>

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to
a file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process
in sk97638.

<GW1> <GW2> ... <GWN> Specifies the managed Security Gateways by their main IP address or Object Name as configured in SmartConsole.

Example

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall


Policy name: CXL_Policy
Policy install time: Wed Oct 23 18:23:14 2019
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge


[Link] = 1
[Link] = 1
[Link] = 1
[Link] = 1
[Link] = 1
[Link] = 1
[Link] = 1
[Link] = 1
[Link] = 1
[Link] = 1
[Link] = 1
[Link].bond0.mc_forwarding = 0
[Link] = 1
[Link].eth1.mc_forwarding = 0
[Link] = 1
[Link].eth2.mc_forwarding = 0
[Link] = 1
[Link].eth0.mc_forwarding = 0
[Link] = 1
[Link].mc_forwarding = 0
[Link] = 1
[Link].mc_forwarding = 0
[Link] = 1
[Link].mc_forwarding = 0
[Link] = 1
[Expert@MyGW:0]#

[Expert@MGMT:0]# fwm unload MyGW

Uninstalling Policy From: MyGW

Security Policy successfully uninstalled from MyGW...

Security Policy uninstall complete.

[Expert@MGMT:0]#

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall


Policy name:
Policy install time:
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge


[Link] = 0
[Link] = 0
[Link] = 0
[Link] = 0
[Link] = 0
[Link] = 0
[Link] = 0
[Link] = 0
[Link] = 0
[Link] = 0
[Link] = 0
[Link].bond0.mc_forwarding = 0
[Link] = 0
[Link].eth1.mc_forwarding = 0
[Link] = 0
[Link].eth2.mc_forwarding = 0
[Link] = 0
[Link].eth0.mc_forwarding = 0
[Link] = 0
[Link].mc_forwarding = 0
[Link] = 0
[Link].mc_forwarding = 0
[Link] = 0
[Link].mc_forwarding = 0
[Link] = 0
[Expert@MyGW:0]#

fwm ver

Description
Shows the Check Point version of the Security Management Server.

Note - On a Multi-Domain Server, you can run this command:
n In the context of the MDS:
mdsenv
n In the context of a Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] ver [-f <Output File>]

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output
to a file, or use the script command to save the entire CLI
session.
For complete debug instructions, see the description of the fwm
process in sk97638.

-f <Output File> Specifies the name of the output file, in which to save this information.

Example

[Expert@MGMT:0]# fwm ver
This is Check Point Security Management Server R82 - Build 11
[Expert@MGMT:0]#

fwm verify
Important - This command is obsolete for R80 and higher. Use the "mgmt_cli" command (see page 1000) with the API command "verify-policy" to verify a policy on a managed Security Gateway.

Description
Verifies the specified policy package without installing it.

Note
On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm [-d] verify <Policy Name>

Parameters

Parameter Description

-d Runs the command in debug mode.


Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.
For complete debug instructions, see the description of the fwm process
in sk97638.

<Policy Name> Specifies the name of the policy package as configured in SmartConsole.

Example

[Expert@MGMT:0]# fwm verify Standard
Verifier messages:
Error: Rule 1 Hides rule 2 for Services & Applications: any .
[Expert@MGMT:0]#

inet_alert
Description
Notifies an Internet Service Provider (ISP) when a company's corporate network is under
attack. This command forwards log messages generated by the alert daemon on your Check
Point Security Gateway to an external Management Station. This external Management
Station is usually located at the ISP site. The ISP can then analyze the alert and react
accordingly.
This command uses the Event Logging API (ELA) protocol to send the alerts. The
Management Station receiving the alert must be running the ELA Proxy.

If communication with the ELA Proxy is to be authenticated or encrypted, a key exchange must
be performed between the external Management Station running the ELA Proxy at the ISP site
and the Check Point Security Gateway generating the alert.

Procedure

1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server, which manages the applicable Security Gateway that should forward log messages to an external Management Station.
2. From the top left Menu, click Global properties.
3. Click the [+] next to Log and Alert, and then click Alerts.
4. Clear the Send user defined alert no. 1 to SmartView Monitor option.
5. Select the option Run UserDefined script below it.
6. Enter the applicable inet_alert syntax (see the Syntax section below).
7. Click OK.
8. Install the Access Control Policy on the applicable Security Gateway.


Syntax

inet_alert -s <IP Address> [-o] [-a <Auth Type>] [-p <Port>] [-f <Token> <Value>] [-m <Alert Type>]

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Parameters

-s <IP Address>
    The IPv4 address of the ELA Proxy (usually located at the ISP site).

-o
    Prints the alert log received to stdout.
    Use this option when inet_alert is part of a pipe syntax (<some command> | inet_alert ...).

-a <Auth Type>
    Specifies the type of connection to the ELA Proxy. One of these values:
    - ssl_opsec - The connection is authenticated and encrypted (this is the default).
    - auth_opsec - The connection is authenticated.
    - clear - The connection is neither authenticated, nor encrypted.

-p <Port>
    Specifies the port number on the ELA proxy. Default port is 18187.

-f <Token> <Value>
    A field to be added to the log, represented by a <Token> <Value> pair as follows:
    - <Token> - The name of the field to be added to the log. Cannot contain spaces.
    - <Value> - The field's value. Cannot contain spaces.
    This option can be used multiple times to add multiple <Token> <Value> pairs to the log.

-m <Alert Type>
    The alert to be triggered at the ISP site.
    This alert overrides the alert specified in the log message generated by the alert daemon.
    The response to the alert is handled according to the actions specified in the ISP Security Policy.
    These alerts execute the OS commands:
    - alert - Popup alert command
    - mail - Mail alert command
    - snmptrap - SNMP trap alert command
    - spoofalert - Anti-Spoof alert command
    These NetQuota and ServerQuota alerts execute the OS commands specified in the $FWDIR/conf/objects.C file:
    value=clientquotaalert. Parameter=clientquotaalertcmd

Exit Status

0 - Execution was successful.
102 - Undetermined error.
103 - Unable to allocate memory.
104 - Unable to obtain log information from stdin.
106 - Invalid command line arguments.
107 - Failed to invoke the OPSEC API.

Example
inet_alert -s [Link] -a clear -f product cads -m alert

This command specifies to perform these actions in the event of an attack:
- Establish a clear connection with the ELA Proxy located at IP address [Link]
- Send a log message to the specified ELA Proxy. Set the product field of this log message to cads
- Trigger the OS command specified in the SmartConsole > Menu > Global properties > Log and Alert > Popup Alert Command field.


ldapcmd

Description
This is an LDAP utility that controls these features:

Cache
    LDAP cache operations, such as emptying the cache, as well as providing debug information.

Statistics
    LDAP search statistics, such as:
    - All user searches
    - Pending lookups (when two or more lookups are identical)
    - Total lookup time (the total search time for a specific lookup)
    - Cache statistics such as hits and misses
    These statistics are saved in the $FWDIR/log/ldap_pid_<Process PID>.stats file.

Logging
    View the alert and warning logs.


Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapcmd [-d <Debug Level>] -p {<Process Name> | all} <Command>


Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximum level, recommended).

-p {<Process Name> | all}
    Runs on a specified Check Point process, or all supported Check Point processes.

<Command>
    One of these commands:
    - cacheclear {all | UserCacheObject | TemplateCacheObject | TemplateExtGrpCacheObject}
      - all - Clears cache for all objects
      - UserCacheObject - Clears cache for user objects
      - TemplateCacheObject - Clears cache for template objects
      - TemplateExtGrpCacheObject - Clears cache for external template group objects
    - cachetrace {all | UserCacheObject | TemplateCacheObject | TemplateExtGrpCacheObject}
      - all - Traces cache for all objects
      - UserCacheObject - Traces cache for user objects
      - TemplateCacheObject - Traces cache for template objects
      - TemplateExtGrpCacheObject - Traces cache for external template group objects
    - log {on | off}
      - on - Creates LDAP logs
      - off - Does not create LDAP logs
    - stat {<Print Interval in Sec> | 0}
      - <Print Interval in Sec> - How frequently to collect the statistics
      - 0 - Stops collecting the statistics


ldapcompare

Description
This is an LDAP utility that performs compare queries and prints a message that states whether the comparison returned a match or not.
This utility opens a connection to an LDAP directory server, binds, and performs the comparison specified on the command line or from a specified file.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapcompare [-d <Debug Level>] [<Options>] <DN> {<Attribute> <Value> | <Attribute> <Base64 Value>}

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximum level, recommended).

<Options>
    See the tables below:
    - Compare options
    - Common options

<DN>
    Specifies the Distinguished Name.

<Attribute>
    Specifies the assertion attribute.

<Value>
    Specifies the assertion value.

<Base64 Value>
    Specifies the Base64 encoding of the assertion value.


Compare options

-E [!]<Extension>[=<Extension Parameter>]
    Specifies the compare extensions.
    Note - The exclamation sign "!" indicates criticality.
    For example: !dontUseCopy = Do not use Copy

-M
    Enables the Manage DSA IT control.
    Use the "-MM" option to make it critical.

-P <LDAP Protocol Version>
    Specifies the LDAP protocol version. Default version is 3.

-z
    Enables the quiet mode.
    The command does not print anything. You can use the command return values.

Common options

-D <Bind DN>
    Specifies the LDAP Server administrator Distinguished Name.

-e [!]<Extension>[=<Extension Parameter>]
    Specifies the general extensions:
    Note - The exclamation sign "!" indicates criticality.
    - [!]assert=<Filter>
      RFC 4528; an RFC 4515 filter string
    - [!]authzid=<Authorization ID>
      RFC 4370; either "dn:<DN>", or "u:<Username>"
    - [!]chaining[=<Resolve Behavior>[/<Continuation Behavior>]]
      One of these:
      - "chainingPreferred"
      - "chainingRequired"
      - "referralsPreferred"
      - "referralsRequired"
    - [!]manageDSAit
      RFC 3296
    - [!]noop
    - ppolicy
    - [!]postread[=<Attributes>]
      RFC 4527; a comma-separated list of attributes
    - [!]preread[=<Attributes>]
      RFC 4527; a comma-separated list of attributes
    - [!]relax
    - abandon
      SIGINT sends the abandon signal; if critical, does not wait for SIGINT. Not really controls.
    - cancel
      SIGINT sends the cancel signal; if critical, does not wait for SIGINT. Not really controls.
    - ignore
      SIGINT ignores the response; if critical, does not wait for SIGINT. Not really controls.

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname.

-H <LDAP URI>
    Specifies the LDAP Server Uniform Resource Identifier(s).

-I
    Specifies to use the SASL Interactive mode.

-n
    Dry run - shows what would be done, but does not actually do it.

-N
    Specifies not to use the reverse DNS to canonicalize the SASL host name.

-o <Option>[=<Option Parameter>]
    Specifies the general options:
    nettimeout={<Timeout in Sec> | none | max}

-O <Properties>
    Specifies the SASL security properties.

-p <LDAP Server Port>
    Specifies the LDAP Server port. Default is 389.

-Q
    Specifies to use the SASL Quiet mode.

-R <Realm>
    Specifies the SASL realm.

-U <Authentication Identity>
    Specifies the SASL authentication identity.

-v
    Runs in verbose mode (prints the diagnostics to stdout).

-V
    Prints version information (use the "-VV" option only).

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password (for simple authentication).

-W
    Specifies to prompt the user for the LDAP Server administrator password.

-x
    Specifies to use simple authentication.

-X <Authorization Identity>
    Specifies the SASL authorization identity (either "dn:<DN>", or "u:<Username>").

-y <File>
    Specifies to read the LDAP Server administrator password from the <File>.

-Y <SASL Mechanism>
    Specifies the SASL mechanism.

-Z
    Specifies to start the TLS request.
    Use the "-ZZ" option to require a successful response.


ldapmemberconvert

Description
This is an LDAP utility that ports from the "Member" attribute values in LDAP group entries to the "MemberOf" attribute values in LDAP member (User or Template) entries.
This utility converts the LDAP server data to work in either the "MemberOf" mode or the "Both" mode. The utility searches through all specified group or template entries and fetches their "Member" attribute values. Each value is the DN of a member entry. The group/template DN at hand is added as a "MemberOf" attribute value to the entry identified by this DN. In addition, the utility deletes those "Member" attribute values from the group/template, unless you run the command in the "Both" mode.
When you run the command, it creates a log file [Link] in the current working directory. The command logs all modifications done and errors encountered in that log file.

Important - Back up the LDAP server database before you run this conversion utility.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapmemberconvert [-d <Debug Level>] -h <LDAP Server> -p <LDAP Server Port> -D <LDAP Admin DN> -w <LDAP Admin Password> -m <Member Attribute Name> -o <MemberOf Attribute Name> -c <Member ObjectClass Value> [-B] [-f <File> | -g <Group DN>] [-L <LDAP Server Timeout>] [-M <Number of Updates>] [-S <Size>] [-T <LDAP Client Timeout>] [-Z]


Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximum level, recommended).

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname.
    If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Server Port>
    Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>
    Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password.

-m <Member Attribute Name>
    Specifies the LDAP attribute name when fetching and (possibly) deleting a group Member attribute value.

-o <MemberOf Attribute Name>
    Specifies the LDAP attribute name for adding an LDAP "MemberOf" attribute value.

-c <Member ObjectClass Value>
    Specifies the LDAP "ObjectClass" attribute value that defines which type of member to modify.
    You can specify multiple attribute values with this syntax:
    -c <Member Object Class 1> -c <Member Object Class 2> ... -c <Member Object Class N>

-B
    Specifies to run in "Both" mode.

-f <File>
    Specifies the file that contains a list of Group DNs separated by a new line:
    <Group DN 1>
    <Group DN 2>
    ...
    <Group DN N>
    Length of each line is limited to 256 characters.

-g <Group DN>
    Specifies the Group or Template Distinguished Name, on which to perform the conversion.
    You can specify multiple Group DNs with this syntax:
    -g <Group DN 1> -g <Group DN 2> ... -g <Group DN N>

-L <LDAP Server Timeout>
    Specifies the Server side time limit for LDAP operations, in seconds.
    Default is "never".

-M <Number of Updates>
    Specifies the maximum number of simultaneous member LDAP updates.
    Default is 20.

-S <Size>
    Specifies the Server side size limit for LDAP operations, in number of entries.
    Default is "none".

-T <LDAP Client Timeout>
    Specifies the Client side timeout for LDAP operations, in milliseconds.
    Default is "never".

-Z
    Specifies to use SSL connection.

Notes
There are two "GroupMembership" modes. You must keep these modes consistent:
- template-to-groups
- user-to-groups

For example, if you apply the conversion on LDAP users to include the "MemberOf" attributes for their groups, then this conversion also has to be applied on the LDAP defined templates for their groups.


Troubleshooting
Symptom:
A command fails with an error message stating the connection stopped unexpectedly when
you run it with the parameter -M <Number of Updates>.
Root Cause:
The LDAP server could not handle that many LDAP requests simultaneously and closed the
connection.
Solution:
Run the command again with a lower value for the "-M" parameter. The default value should
be adequate, but can also cause a connection failure in extreme situations. Continue to reduce
the value until the command runs normally. Each time you run the command with the same set
of groups, the command continues from where it left off.


Examples
Example 1

A group is defined with the DN "cn=cpGroup,ou=groups,ou=cp,c=us" and these attributes:

...
cn=cpGroup
uniquemember="cn=member1,ou=people,ou=cp,c=us"
uniquemember="cn=member2,ou=people,ou=cp,c=us"
...

For the two member entries:

...
cn=member1
objectclass=fw1Person
...

and:

...
cn=member2
objectclass=fw1Person
...

Run:
[Expert@MGMT:0]# ldapmemberconvert -g cn=cpGroup,ou=groups,ou=cp,c=us -h MyLdapServer -D cn=admin -w secret -m uniquemember -o memberof -c fw1Person

The result for the group DN is:

...
cn=cpGroup
...

The result for the two member entries is:

...
cn=member1
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

and:

...
cn=member2
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

If you run the same command with the "-B" parameter, it produces the same result, but the
group entry is not modified.


Example 2

If there is another member attribute value for the same group entry:
uniquemember="cn=template1,ou=people, ou=cp,c=us"

and the template is:

cn=template1
objectclass=fw1Template

Then after running the same command, the template entry stays intact, because the command was run with the parameter "-c fw1Person", and the object class of "template1" is "fw1Template".
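The conversion described above and in Example 1 and Example 2, replayed in Python as an added example (this is not Check Point's ldapmemberconvert code): the in-memory directory, the convert_members function and the log lines it returns are assumptions of this example, while the DNs and object classes are those of the two examples.

```python
# Added example, not part of Check Point's ldapmemberconvert utility.
# It replays the Member -> MemberOf conversion described on this page on a
# constructed in-memory copy of the Example 1 / Example 2 directory, so the
# effect of -c (object class filter) and -B ("Both" mode) can be inspected
# without touching a live LDAP server. The directory structure and the
# returned log lines are assumptions of this example; the real utility writes
# its log to a file in the current working directory.
from __future__ import annotations

import copy
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]   # attribute name (lower case) -> values
Directory = Dict[str, Entry]   # normalized DN -> entry

GROUP_DN = "cn=cpGroup,ou=groups,ou=cp,c=us"

# Constructed sample data mirroring Example 1 and Example 2 on this page.
SAMPLE_DIRECTORY: Directory = {
    GROUP_DN: {
        "cn": ["cpGroup"],
        "uniquemember": [
            "cn=member1,ou=people,ou=cp,c=us",
            "cn=member2,ou=people,ou=cp,c=us",
            "cn=template1,ou=people, ou=cp,c=us",   # stray space, as in Example 2
        ],
    },
    "cn=member1,ou=people,ou=cp,c=us": {"cn": ["member1"], "objectclass": ["fw1Person"]},
    "cn=member2,ou=people,ou=cp,c=us": {"cn": ["member2"], "objectclass": ["fw1Person"]},
    "cn=template1,ou=people,ou=cp,c=us": {"cn": ["template1"], "objectclass": ["fw1Template"]},
}


def normalize_dn(dn: str) -> str:
    """Strip whitespace around RDN separators so 'ou=people, ou=cp' matches 'ou=people,ou=cp'."""
    return ",".join(part.strip() for part in dn.split(","))


def convert_members(
    directory: Directory,
    group_dns: List[str],
    member_attr: str = "uniquemember",                 # value of -m
    memberof_attr: str = "memberof",                   # value of -o
    member_classes: Tuple[str, ...] = ("fw1Person",),  # values of -c
    both_mode: bool = False,                           # -B
) -> Tuple[Directory, List[str]]:
    """Return a converted copy of the directory and the log lines of what changed.

    For every -g group: each Member value is the DN of a member entry; the group DN is
    added to that entry's MemberOf attribute, but only when the entry's objectclass is
    in the -c list. Without -B the converted Member values are removed from the group.
    """
    result = copy.deepcopy(directory)
    log: List[str] = []
    wanted = {c.lower() for c in member_classes}

    for group_dn in group_dns:
        group = result.get(normalize_dn(group_dn))
        if group is None:
            log.append(f"ERROR: group {group_dn} not found")
            continue
        kept: List[str] = []   # Member values that stay on the group entry
        for member_dn in group.get(member_attr, []):
            entry = result.get(normalize_dn(member_dn))
            if entry is None:
                log.append(f"ERROR: member {member_dn} of {group_dn} not found")
                kept.append(member_dn)
                continue
            classes = {c.lower() for c in entry.get("objectclass", [])}
            if not classes & wanted:
                # Example 2: a fw1Template member stays intact under -c fw1Person.
                # Leaving its Member value on the group is an assumption of this example.
                log.append(f"SKIP: {member_dn} objectclass {sorted(classes)} not in -c list")
                kept.append(member_dn)
                continue
            values = entry.setdefault(memberof_attr, [])
            if group_dn not in values:
                values.append(group_dn)
                log.append(f"MODIFY: add {memberof_attr}={group_dn} to {member_dn}")
            if both_mode:
                kept.append(member_dn)   # "Both" mode keeps Member on the group
            else:
                log.append(f"MODIFY: delete {member_attr}={member_dn} from {group_dn}")
        if kept:
            group[member_attr] = kept
        else:
            group.pop(member_attr, None)
    return result, log


if __name__ == "__main__":
    converted, lines = convert_members(SAMPLE_DIRECTORY, [GROUP_DN])
    print("\n".join(lines))
    for dn, entry in converted.items():
        print(dn, entry)
```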


ldapmodify

Description
This is an LDAP utility that imports users to an LDAP server. The input file must be in the LDIF
format.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapmodify [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Server Port>] [-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-a] [-b] [-c] [-F] [-k] [-n] [-r] [-v] [-T <LDAP Client Timeout>] [-Z] [-f <Input File>.ldif | < <Entry>]

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximum level, recommended).

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname.
    If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Server Port>
    Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>
    Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password.

-a
    Specifies that this is the LDAP "add" operation.

-b
    Specifies to read values from files (for binary attributes).

-c
    Specifies to ignore errors during continuous operation.

-F
    Specifies to force changes on all records.

-k
    Specifies the Kerberos bind.

-K
    Specifies the Kerberos bind, part 1 only.

-n
    Specifies to print the LDAP "add" operations, but not actually perform them.

-r
    Specifies to replace values, instead of adding values.

-v
    Specifies to run in verbose mode.

-T <LDAP Client Timeout>
    Specifies the Client side timeout for LDAP operations, in milliseconds.
    Default is "never".

-Z
    Specifies to use SSL connection.

-f <Input File>.ldif
    Specifies to read from the <Input File>.ldif file.
    The input file must be in the LDIF format.

< <Entry>
    Specifies to read the entry from the stdin.
    The "<" character is a mandatory part of the syntax.
    It specifies that the input comes from the standard input (from the data you enter on the screen).


ldapsearch

Description
This is an LDAP utility that queries an LDAP directory and returns the results.

Notes:
- You can run this command only in the Expert mode.
- On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
  mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapsearch [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Port>] [-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-A] [-B] [-b <Base DN>] [-F <Separator>] [-l <LDAP Server Timeout>] [-s <Scope>] [-S <Sort Attribute>] [-t] [-T <LDAP Client Timeout>] [-u] [-z <Number of Search Entries>] [-Z] <Filter> [<Attributes>]

Parameters

-d <Debug Level>
    Runs the command in debug mode with the specified TDERROR debug level.
    Valid values are from 0 (disabled) to 5 (maximum level, recommended).

-h <LDAP Server>
    Specifies the LDAP Server computer by its IP address or resolvable hostname.
    If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Port>
    Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>
    Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>
    Specifies the LDAP Server administrator password.

-A
    Specifies to retrieve attribute names only, without values.

-B
    Specifies not to suppress the printing of non-ASCII values.

-b <Base DN>
    Specifies the Base Distinguished Name (DN) for search.

-F <Separator>
    Specifies the print separator character between attribute names and their values.
    The default separator is the equal sign (=).

-l <LDAP Server Timeout>
    Specifies the Server side time limit for LDAP operations, in seconds.
    Default is "never".

-s <Scope>
    Specifies the search scope. One of these:
    - base
    - one
    - sub

-S <Sort Attribute>
    Specifies to sort the results by the values of this attribute.

-t
    Specifies to write values to files in the /tmp/ directory.
    Writes each <attribute>-<value> pair to a separate file named:
    /tmp/ldapsearch-<Attribute>-<Value>
    For example, for the fw1color attribute with the value a00188, the command writes to the file named:
    /tmp/ldapsearch-fw1color-a00188

-T <LDAP Client Timeout>
    Specifies the Client side timeout for LDAP operations, in milliseconds.
    Default is "never".

-u
    Specifies to show user-friendly entry names in the output.
    For example:
    shows cn=Babs Jensen, users, omi
    instead of cn=Babs Jensen, cn=users,cn=omi

-z <Number of Search Entries>
    Specifies the maximum number of entries to search on the LDAP Server.

-Z
    Specifies to use SSL connection.

<Filter>
    LDAP search filter compliant with RFC-1558.
    For example:
    objectclass=fw1host

<Attributes>
    Specifies the list of attributes to retrieve.
    If you do not specify attributes explicitly, then the command retrieves all attributes.

Example
[Expert@MGMT:0]# ldapsearch -p 18185 -b cn=omi objectclass=fw1host objectclass

With this syntax, the command:
1. Connects to the LDAP Server on port 18185.
2. Searches the LDAP directory from the Base DN "cn=omi".
3. Queries the LDAP directory for "fw1host" objects.
4. For each object found, prints the value of its "objectclass" attribute.


mgmt_cli

Description
The mgmt_cli tool works directly with the management database on your Management
Server.

Syntax on Management Server or Security Gateway running on Gaia OS

mgmt_cli <Command Name> <Command Parameters> <Optional Switches>

Syntax on SmartConsole computer running on Windows OS 32-bit

Open Windows Command Prompt and run these commands:

cd /d "%ProgramFiles%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
mgmt_cli.exe <Command Name> <Command Parameters> <Optional Switches>

Syntax on SmartConsole computer running on Windows OS 64-bit

Open Windows Command Prompt and run these commands:

cd /d "%ProgramFiles(x86)%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
mgmt_cli.exe <Command Name> <Command Parameters> <Optional Switches>

Notes
- For a complete list of the mgmt_cli options, enter the mgmt_cli (mgmt_cli.exe) command and press Enter.
- For more information, see the Check Point Management API Reference (at the top, select the correct version).


migrate

Important - This command is used to migrate the management database from R80.10
and lower versions.
For more information, see the R82 Installation and Upgrade Guide.

Description
Exports the management database and applicable Check Point configuration.
Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in Management High Availability environment:
- To back up and restore a consistent environment, make sure to collect and restore the backups and snapshots from all servers in the High Availability environment at the same time.
- Make sure other administrators do not make changes in SmartConsole until the backup operation is completed.
For more information:
- About Gaia Backup and Gaia Snapshot, see the R82 Gaia Administration Guide.
- About Virtual Machine Snapshots, see the vendor documentation.

Notes:
- You must run this command from the Expert mode.
- If it is necessary to back up the current management database, and you do not plan to import it on a Management Server that runs a higher software version, then you can use the built-in command in the $FWDIR/bin/upgrade_tools/ directory.
- If you plan to import the management database on a Management Server that runs a higher software version, then you must use the migrate utility from the migration tools package created specifically for that higher software version. See the Installation and Upgrade Guide for that higher software version.
- If this command completes successfully, it creates this log file:
  /var/log/opt/CPshrd-R82/migrate-<[Link].DD_HH.[Link]>.log
  For example: /var/log/opt/CPshrd-R82/migrate-2019.06.14_11.[Link]
- If this command fails, it creates this log file:
  $CPDIR/log/migrate-<[Link].DD_HH.[Link]>.log
  For example: /opt/CPshrd-R82/log/migrate-2019.06.14_11.[Link]


Syntax
- To see the built-in help:

[Expert@MGMT:0]# ./migrate -h

- To export the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate export [-l | -x] [-n] [--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File> &

- To import the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate import [-l | -x] [-n] [--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full Path>/<Name of Exported File>.txz &

Parameters

-h
    Shows the built-in help.

yes | nohup ./migrate ... &
    This syntax:
    1. Sends the "yes" input to the interactive "migrate" command through the pipeline.
    2. The "nohup" forces the "migrate" command to ignore the hangup signals from the shell.
    3. The "&" forces the command to run in the background.
    As a result, when the CLI session closes, the command continues to run in the background.
    See:
    - sk133312
    - [Link]
    - [Link]

export
    Exports the management database and applicable Check Point configuration.

import
    Imports the management database and applicable Check Point configuration that were exported from another Management Server.

-l
    Exports and imports the Check Point logs without log indexes in the $FWDIR/log/ directory.
    Important:
    - The command can export only closed logs (to which the information is not currently written).
    - If you use this parameter, it can take the command a long time to complete (depends on the number of logs).

-x
    Exports and imports the Check Point logs with their log indexes in the $FWDIR/log/ directory.
    Important:
    - This parameter only supports Management Servers and Log Servers R80.10 and higher.
    - The command can export only closed logs (to which the information is not currently written).
    - If you use this parameter, it can take the command a long time to complete (depends on the number of logs and indexes).

-n
    Runs silently (non-interactive mode) and uses the default options for each setting.
    Important:
    - If you export a management database in this mode and the specified name of the exported file matches the name of an existing file, the command overwrites the existing file without prompting.
    - If you import a management database in this mode, the "migrate import" command runs the "cpstop" command automatically.

--exclude-uepm-postgres-db
    - During the export operation, does not back up the PostgreSQL database from the Endpoint Security Management Server.
    - During the import operation, does not restore the PostgreSQL database on the Endpoint Security Management Server.

--include-uepm-msi-files
    - During the export operation, backs up the MSI files from the Endpoint Security Management Server.
    - During the import operation, restores the MSI files on the Endpoint Security Management Server.

/<Full Path>/
    Absolute path to the exported database file.
    This path must exist.

<Name of Exported File>
    - During the export operation, specifies the name of the output file.
      The command automatically adds the *.txz extension.
    - During the import operation, specifies the name of the exported file.
      You must manually enter the *.txz extension in the end.

Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# ./migrate export /var/log/Migrate_Export

You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...
Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.txz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R82/migrate-2019.06.14_11.[Link]
[Expert@MGMT:0]#

Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate export /var/log/My_Migrate_Export

Execution finished with errors. See log file '/opt/CPshrd-R82/log/migrate-2019.06.14_[Link]' for further details
[Expert@MGMT:0]#


migrate_server

Important - This command is used to migrate the management database from
R80.20.M1, R80.20, R80.20.M2, R80.30, and higher versions.
For more information, see:
- sk135172 - Upgrade Tools
- The R82 Installation and Upgrade Guide

Description
Exports the management database and applicable Check Point configuration.
Imports the exported management database and applicable Check Point configuration.

Backing up and restoring in Management High Availability environment:
- To back up and restore a consistent environment, make sure to collect and restore the backups and snapshots from all servers in the High Availability environment at the same time.
- Make sure other administrators do not make changes in SmartConsole until the backup operation is completed.
For more information:
- About Gaia Backup and Gaia Snapshot, see the R82 Gaia Administration Guide.
- About Virtual Machine Snapshots, see the vendor documentation.

Notes:
- You must run this command from the Expert mode.
- If it is necessary to back up the current management database, and you do not plan to import it on a Management Server that runs a higher software version, then you can use the built-in command in the $FWDIR/scripts/ directory.
- If you plan to import the management database on a Management Server that runs a higher software version, then you must use the migrate_server utility from the migration tools package created specifically for that higher software version. See the Installation and Upgrade Guide for that higher software version.
- If this command completes successfully, it creates this log file:
  /var/log/opt/CPshrd-R82/migrate-<[Link].DD_HH.[Link]>.log
  For example: /var/log/opt/CPshrd-R82/migrate-2022.06.14_11.[Link]
- If this command fails, it creates this log file:
  $CPDIR/log/migrate-<[Link].DD_HH.[Link]>.log
  For example: /opt/CPshrd-R82/log/migrate-2022.06.14_11.[Link]


Important - If it is necessary to back up the current management database, and you do not plan to import it on a Management Server that runs a higher software version, then you must make sure the source Management Server and the target Management Server run the same Jumbo Hotfix Accumulator Take and all other private hotfixes.
To see all the installed software packages, you can run this command: cpinfo -y all


Syntax
n To see the built-in help:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server -h

n To see the build number of the installed Upgrade Tools package:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server print_installed_tools -v R82

n To run the Pre-Upgrade Verifier:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server verify -v R82 [-skip_upgrade_tools_check]

n To export the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server export -v R82 [-skip_upgrade_tools_check] [-l | -x] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] [--ignore_warnings] /<Full Path>/<Name of Exported File>

n To import the management database and configuration:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server import -v R82 [-skip_upgrade_tools_check] [-l | -x] [/var/log/mds_change_ips.json] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] /<Full Path>/<Name of Exported File>.tgz

n To import the Domain Management Server database and configuration on a Security
Management Server:

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server migrate_import_domain -v R82 [-skip_upgrade_tools_check] [-l | -x] [/var/log/mds_change_ips.json] [--include-uepm-msi-files] [--exclude-uepm-postgres-db] /<Full Path>/<Name of Exported File>.tgz


Parameters

Parameter Description

-h Shows the built-in help.


--verify_all_servers Runs the Pre-Export Verifier for all Management Servers and Log
Servers in your environment.
Notes:
n This parameter is valid only for the migrate_server verify and
migrate_server export operations.
n List of servers, on which you can run the migrate_server verify -v
<VERSION> --verify_all_servers command and the migrate_server
export -v <VERSION> --verify_all_servers command:
l Security Management Server (Primary and Secondary)
l Multi-Domain Security Management Server (Primary and Secondary)
l Endpoint Security Management Server (Primary and Secondary)
l Multi-Domain Log Server
n List of remote servers, to which the migrate_server verify -v
<VERSION> --verify_all_servers command and the migrate_server
export -v <VERSION> --verify_all_servers command can connect from
the current server:
l Security Management Server (Primary and Secondary)
l Multi-Domain Security Management Server (Primary and Secondary)
l Endpoint Security Management Server (Primary and Secondary)
l Multi-Domain Log Server
l Dedicated Log Servers
l Dedicated SmartEvent Servers
l Security Management Servers configured as a Backup of a Domain
Management Server
Note - Servers that are configured on a specific Domain on a Multi-Domain
Security Management Server will be verified only if there is a Domain Server
of that Domain on the current Multi-Domain Security Management Server.


--verify_local_only Runs the Pre-Export Verifier only for the current Management
Server / Log Server, on which you run this command.
Note - This parameter is valid only for the migrate_server verify and
migrate_server export operations.

-skip_tools_check_on_remote The remote Management Servers / Log Servers do not try
to connect to Check Point Cloud to check for a more recent version of the
Upgrade Tools.
Notes:
n This parameter is valid only for the migrate_server verify and
migrate_server export operations.
n This parameter is valid only when you specify the parameter
--verify_all_servers.

-force-upgrade-flow When the source and target servers are on the same major
version, migrate_server uses an accelerated flow to migrate the data. This
flag forces the full migration flow.

-mask Hides sensitive information in the exported database.

--no_progress_bar or -npb Disables the progress bar.

export Exports the management database and applicable Check Point
configuration.


import Imports the management database and applicable Check Point
configuration that were exported from another Management Server.
Important:
n This command automatically restarts Check Point services (runs
the "cpstop" and "cpstart" commands).
n This note applies to a Multi-Domain Security Management
environment, if at least one of the servers changes its IPv4 address
compared to the source server, from which you exported its
database.
You must do these steps before you start the upgrade and import:
1. Create a special JSON configuration file with the new IPv4
address(es).
Syntax:
[{"name":"<Name of Server 1 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 1>"},
{"name":"<Name of Server 2 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 2>"}]
Example:
[{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"192.0.2.11"},
{"name":"MySecondaryMultiDomainServer","newIpAddress4":"192.0.2.12"}]
2. Name this file: mds_change_ips.json
3. Put this file on all servers in this directory: /var/log/

migrate_import_domain On a Security Management Server, imports the management
database and applicable Check Point configuration that were exported from a
Domain Management Server.
Important - This command automatically restarts Check Point
services (runs the "cpstop" and "cpstart" commands).

verify Runs the Pre-Upgrade Verifier on the management database and applicable
Check Point configuration of the current server, before you export them.

-v R82 Specifies the version, to which you plan to migrate / upgrade.


-skip_upgrade_tools_check The current Management Server / Log Server, on which you
run this command, does not try to connect to Check Point Cloud to check for a
more recent version of the Upgrade Tools.
Best Practice - Use this parameter on a Management Server / Log Server
that is not connected to the Internet.

-l Exports and imports the Check Point logs without log indexes in the
$FWDIR/log/ directory.
Important:
n The command can export only closed logs (to which information is not
currently written).
n If you use this parameter, the command can take a long time to
complete (depends on the number of logs).

-l <Days> Exports the specified number of previous days of logs without log
indexes.

-x Exports and imports the Check Point logs with their log indexes in the
$FWDIR/log/ directory.
Important:
n Before you use this parameter, make sure all log indexes are closed
and saved.
Run this command in the Expert mode and wait for the output to show
"Solr stopped":
$RTDIR/scripts/stop_solr.sh
n This parameter only supports Management Servers and Log Servers
R80.10 and higher.
n The command can export only closed logs (to which information is not
currently written).
n If you use this parameter, the command can take a long time to
complete (depends on the number of logs and indexes).

-x <Days> Exports the specified number of previous days of logs with log indexes.

-n Runs silently (non-interactive mode) and uses the default options for each
setting.


/var/log/mds_change_ips.json Specifies the special JSON configuration file with the
new IPv4 addresses.
Important:
n In the Upgrade Tools for R81.10 build higher than 996000356, this file
name and location are mandatory: /var/log/mds_change_ips.json
You must create the file /var/log/mds_change_ips.json and not use the
parameter "-change_ips_file".
n In the Upgrade Tools for R81.10 build 996000356 and lower, the syntax
was:
-change_ips_file /<Full Path>/<Name of JSON File>.json
This file is mandatory during an upgrade of a Multi-Domain Security
Management environment.
Even if only one of the servers migrates to a new IP address, all the other
servers must get this configuration file for the import process.
Syntax:
[{"name":"<Name of Server 1 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 1>"},
{"name":"<Name of Server 2 Object in SmartConsole>","newIpAddress4":"<New IPv4 Address of Server 2>"}]
Example:
[{"name":"MyPrimaryMultiDomainServer","newIpAddress4":"192.0.2.11"},
{"name":"MySecondaryMultiDomainServer","newIpAddress4":"192.0.2.12"}]

--include-uepm-msi-files n During the export operation, backs up the MSI files from the
Endpoint Security Management Server.
n During the import operation, restores the MSI files on the Endpoint
Security Management Server.

--exclude-uepm-postgres-db n During the export operation, does not back up the PostgreSQL
database from the Endpoint Security Management Server.
n During the import operation, does not restore the PostgreSQL
database on the Endpoint Security Management Server.


--ignore_warnings or -ivw If during an upgrade procedure the Pre-Upgrade Verifier
shows warnings, you can use this parameter to ignore the warnings and
continue the upgrade.
Important - To prevent issues during and after the upgrade, we strongly
recommend that you resolve all issues and do not use this parameter.

--exclude-licenses n During the export operation, does not back up the licenses
from the Management Server.
n During the import operation, does not restore the licenses on the
Management Server.

-o <Path to File> Path to the archived file from which to import the database.

-sn <Name of Domain Server> Name of the Domain Management Server.

-dsi <IP address of Domain Server> IP address of the Domain Management Server.

-skip_logs Skips the import of logs (without log indexes).

Example 1 - Export operation succeeded

[Expert@MGMT:0]# cd $FWDIR/scripts/
[Expert@MGMT:0]# ./migrate_server export -v R82 /var/log/Migrate_Export

You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...

Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.tgz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R82/migrate-2022.06.14_11.<MM.SS>.log
[Expert@MGMT:0]#


Example 2 - Export operation failed

[Expert@MGMT:0]# ./migrate_server export /var/log/My_Migrate_Export

Execution finished with errors. See log file '/opt/CPshrd-R82/log/migrate-2022.06.14_<HH.MM.SS>.log' for further details
[Expert@MGMT:0]#
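The import preparation described above (the mandatory /var/log/mds_change_ips.json file, the documented migrate_server options, and the migrate-<timestamp>.log to read after a failure), as an added example that is not Check Point's code: a Python helper that validates and writes the JSON file before any service is stopped, composes the migrate_server command lines from the options documented in this section, and picks the newest migrate log from both documented locations. The function names, the module itself and the sample values in the comments are assumptions of this example; the option names, file name and log paths are those documented above.

```python
import glob
import ipaddress
import json
import os
import re
from pathlib import Path

# File name and location the guide makes mandatory for the import in a
# Multi-Domain environment (Upgrade Tools for R81.10 builds higher than
# 996000356, and later tools).
MDS_CHANGE_IPS = "/var/log/mds_change_ips.json"

# Log file name pattern migrate-<YYYY.MM.DD_HH.MM.SS>.log; written under
# /var/log/opt/CPshrd-R82/ on success and under $CPDIR/log/ on failure.
MIGRATE_LOG_RE = re.compile(r"migrate-(\d{4}\.\d{2}\.\d{2}_\d{2}\.\d{2}\.\d{2})\.log$")


def build_change_ips(new_addresses):
    """Return the JSON text for mds_change_ips.json.

    new_addresses maps the exact SmartConsole object name of each server
    that changes address to its new IPv4 address.  Everything is validated
    before any file is written, because a bad file surfaces only during the
    import, after the target server's services have been stopped.
    """
    entries = []
    for name, ip in new_addresses.items():
        if not name or name != name.strip():
            raise ValueError(f"bad server object name: {name!r}")
        addr = ipaddress.ip_address(ip)            # ValueError on garbage
        if addr.version != 4:
            raise ValueError(f"{name}: newIpAddress4 must be IPv4, got {ip}")
        entries.append({"name": name, "newIpAddress4": str(addr)})
    if not entries:
        raise ValueError("no servers given")
    return json.dumps(entries)


def write_change_ips(new_addresses, path=MDS_CHANGE_IPS):
    """Write the file.  It has to exist on every server in the environment,
    not only on the ones whose address changes."""
    text = build_change_ips(new_addresses)
    Path(path).write_text(text)
    return text


def migrate_server_argv(operation, version, archive=None, offline=False,
                        logs=None, days=None, ignore_warnings=False):
    """Compose ./migrate_server argv (run it from $FWDIR/scripts/).

    logs: None, "l" (logs without indexes) or "x" (logs with indexes; run
    $RTDIR/scripts/stop_solr.sh first).  days keeps only the last N days.
    """
    if operation not in ("verify", "export", "import", "migrate_import_domain"):
        raise ValueError(f"unknown operation {operation!r}")
    argv = ["./migrate_server", operation, "-v", version]
    if offline:                       # server has no route to Check Point Cloud
        argv.append("-skip_upgrade_tools_check")
    if logs is not None:
        if logs not in ("l", "x"):
            raise ValueError("logs must be 'l' or 'x'")
        argv.append("-" + logs)
        if days is not None:
            argv.append(str(int(days)))
    if ignore_warnings:               # documented for export only; avoid it
        if operation != "export":
            raise ValueError("--ignore_warnings is an export option")
        argv.append("--ignore_warnings")
    if operation != "verify":
        if not archive:
            raise ValueError(f"{operation} needs the archive path")
        argv.append(archive)
    return argv


def newest_migrate_log(paths):
    """Pick the newest migrate-*.log among candidate paths.  The timestamp
    embedded in the name sorts lexically, so no date parsing is needed."""
    stamped = []
    for p in paths:
        m = MIGRATE_LOG_RE.search(p)
        if m:
            stamped.append((m.group(1), p))
    return max(stamped)[1] if stamped else None


def find_migrate_log():
    """Look in both documented locations and return the newest log, or None."""
    cpdir = os.environ.get("CPDIR", "/opt/CPshrd-R82")
    paths = []
    for d in ("/var/log/opt/CPshrd-R82", os.path.join(cpdir, "log")):
        paths.extend(glob.glob(os.path.join(d, "migrate-*.log")))
    return newest_migrate_log(paths)
```

The argv lists are meant for subprocess.run without a shell, so a path with spaces cannot be split into extra arguments. Keep the verify step separate from the export: run verify first, fix what it reports, and only then export, rather than reaching for --ignore_warnings.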


queryDB_util
Description
Searches in the management database for objects or policy rules.

Important - This command is obsolete for R80 and higher. Use the "mgmt_cli" on
page 1000 command to search in the management database for objects or policy
rules according to search parameters.


rs_db_tool
Description
Manages Dynamically Assigned IP address (DAIP) gateways in a DAIP database.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax
n To add an entry to the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation add -name <Object Name> -ip <IPv4 Address> -ip6 <IPv6 Address> -TTL <Time-To-Live>

n To fetch a specific entry from the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation fetch -name <Object Name>

n To delete a specific entry from the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation delete -name <Object Name>

n To list all entries in the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation list

n To synchronize the DAIP database:

[Expert@MGMT:0]# rs_db_tool [-d] -operation sync


Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the
output to a file, or use the script command to save the entire
CLI session.

-name <Object Name> Specifies the name of the DAIP object.

-ip <IPv4 Address> Specifies the IPv4 address of the DAIP object.

-ip6 <IPv6 Address> Specifies the IPv6 address of the DAIP object.

-TTL <Time-To-Live> Specifies the relative time interval (in seconds), during which the
entry is valid.


sam_alert
Description
For SAM v1, this utility executes Suspicious Activity Monitoring (SAM) actions according to the
information received from the standard input.
For SAM v2, this utility executes Suspicious Activity Monitoring (SAM) actions with User
Defined Alerts mechanism.

Important:
n You must run this command on the Management Server.
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Notes:
n VSX Gateways and VSX Cluster Members do not support Suspicious Activity
Monitoring (SAM) Rules. See sk79700.
n See the "fw sam" on page 908 and "fw sam_policy" on page 916 commands.

SAM v1 syntax

sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security
Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

Parameters for SAM v1

Parameter Description

-v Enables the verbose mode for the "fw sam" command.

-o Specifies to print the input of this tool to the standard output (to use with
pipes in a CLI syntax).

-s <SAM Server> Specifies the SAM Server to be contacted. Default is "localhost".

-t <Time> Specifies the time (in seconds), during which to enforce the action. The
default is forever.


-f <Security Gateway> Specifies the Security Gateway / Cluster object, on which to run the
operation.
Important - If you do not specify the target Security Gateway /
Cluster object explicitly, this command applies to all managed
Security Gateways and Clusters.

-C Cancels the specified operation.

-n Specifies to notify every time a connection, which matches the specified
criteria, passes through the Security Gateway / ClusterXL / Security
Group.

-i Inhibits (drops or rejects) connections that match the specified criteria.

-I Inhibits (drops or rejects) connections that match the specified criteria
and closes all existing connections that match the specified criteria.

-src Matches the source address of connections.

-dst Matches the destination address of connections.

-any Matches either the source or destination address of connections.

-srv Matches specific source, destination, protocol and port.


SAM v2 syntax

sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-n <Name>] [-c "<Comment>"] [-o <Originator>] [-l {r | a}] -a {d | r | n | b | q | i} [-C] {-ip | -eth} {-src | -dst | -any | -srv}

Parameters for SAM v2

Parameter Description

-v2 Specifies to use SAM v2.

-v Enables the verbose mode for the "fw sam" command.

-O Specifies to print the input of this tool to the standard output (to
use with pipes in a CLI syntax).

-S <SAM Server> Specifies the SAM server to be contacted. Default is
"localhost".

-t <Time> Specifies the time (in seconds), during which to enforce the
action. The default is forever.

-f <Security Gateway> Specifies the Security Gateway / Cluster object, on which to run
the operation.
Important - If you do not specify the target Security
Gateway / Cluster object explicitly, this command applies
to all managed Security Gateways and Clusters.

-n <Name> Specifies the name for the SAM rule.
Default is empty.

-c "<Comment>" Specifies the comment for the SAM rule.
Default is empty.
You must enclose the text in double quotes or single quotes.

-o <Originator> Specifies the originator for the SAM rule.
Default is "sam_alert".


-l {r | a} Specifies the log type for connections that match the specified
criteria:
n r - Regular
n a - Alert
Default is None.

-a {d | r | n | b | q | i} Specifies the action to apply on connections that match the
specified criteria:
n d - Drop
n r - Reject
n n - Notify
n b - Bypass
n q - Quarantine
n i - Inspect

-C Specifies to close all existing connections that match the
criteria.

-ip Specifies to use IP addresses as criteria parameters.

-eth Specifies to use MAC addresses as criteria parameters.

-src Matches the source address of connections.

-dst Matches the destination address of connections.

-any Matches either the source or destination address of
connections.

-srv Matches specific source, destination, protocol and port.

Example
See sk110873: How to configure Security Gateway to detect and prevent port scan.
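The port-scan use case that sk110873 points to, as an added example that is not Check Point's code: Python detection logic that runs over constructed log lines, flags a source that touches many distinct destination ports within a short window, and builds the sam_alert v2 command line that would inhibit that source for a bounded time. The log line layout, the form of the stdin payload and the function names are assumptions of this example; the sam_alert options are the ones documented above.

```python
from collections import defaultdict

# Constructed sample, not real Check Point log output: one connection per
# line as key=value fields.  203.0.113.9 sweeps six ports on one host within
# a few seconds; 198.51.100.7 is an ordinary client.
SAMPLE_LOGS = """\
time=1700000001 src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=21 action=drop
time=1700000001 src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=22 action=drop
time=1700000002 src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=23 action=drop
time=1700000002 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443 action=accept
time=1700000003 src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=25 action=drop
time=1700000003 src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=80 action=drop
time=1700000004 src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=110 action=drop
time=1700000090 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443 action=accept
time=1700000091 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=80 action=accept
"""


def parse_line(line):
    """Split 'k=v k=v ...' into a dict; time and dport become ints."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["time"] = int(rec["time"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_scanners(log_text, min_ports=5, window=60):
    """Return {src: sorted distinct ports} for every source that touched at
    least min_ports distinct destination ports inside any `window` seconds.
    The thresholds set the false-positive rate: a vulnerability scanner you
    run yourself trips this too, so exempt it or scope the rule with -f."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_src[rec["src"]].append((rec["time"], rec["dport"]))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners


def sam_alert_v2_argv(seconds, action="d", gateway=None, name="port-scan",
                      log="a", close_existing=True):
    """argv for sam_alert v2 that inhibits by source IP for `seconds`.

    The documented default for -t is forever; a finite value makes a wrong
    block heal itself.  Without -f the rule reaches every managed Security
    Gateway and Cluster, so pass the object name when one gateway is enough.
    """
    if len(action) != 1 or action not in "drnbqi":
        raise ValueError(f"bad action {action!r}")
    argv = ["sam_alert", "-v2", "-t", str(int(seconds))]
    if gateway:
        argv += ["-f", gateway]
    argv += ["-n", name, "-l", log, "-a", action]
    if close_existing:
        argv.append("-C")
    argv += ["-ip", "-src"]
    return argv


def sam_stdin(scanners):
    """One source address per line.  This example assumes that is the form
    sam_alert reads from standard input; the guide only says 'standard input'."""
    return "".join(f"{src}\n" for src in sorted(scanners))
```

Feed sam_stdin(find_scanners(...)) to the process started with sam_alert_v2_argv(...) on the Management Server. The notify action (-a n) with -l a is the safe first deployment: it produces alerts without inhibiting anything, which lets you tune min_ports and window against real traffic before switching to drop.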


stattest
Description
Check Point AMON client to query SNMP OIDs.
You can use this command as an alternative to the standard SNMP commands for debug
purposes - to make sure the applicable SNMP OIDs provide the requested information.

Notes:
n You can run this command only in the Expert mode.
n On a Multi-Domain Server, you must run this command in the context of the
applicable Domain Management Server:
mdsenv <IP Address or Name of Domain Management Server>

Syntax to query a Regular OID

n On a Management Server / Security Gateway / Cluster Member:

stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] [-v <VSID>] [-t <Timeout>] <Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N>

Notes:
n These Regular OIDs are specified in the SNMP MIB files.
n For Check Point MIB files, see sk90470.

Syntax to query a Statistical OID

n On a Management Server / Security Gateway / Cluster Member:

stattest get [-d] [-h <Host>] [-p <Port>] [-x <Proxy Server>] -l <Polling Interval> -r <Polling Duration> [-v <VSID>] [-t <Timeout>] <Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N>

Notes:
n These Statistical OIDs take some time to "initialize". For example, to
calculate an average, it is necessary to collect enough samples.
n Check Point statistical OIDs are registered in the
$CPDIR/conf/statistical_oid.conf file.


Parameters

Parameter Description

-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Best Practice - If you use this parameter, then redirect the output to a
file, or use the script command to save the entire CLI session.

-h <Host> Specifies the remote Check Point host to query by its IP address or
resolvable hostname.

-p <Port> Specifies the port number, on which the AMON server listens. Default
port is 18192.

-x <Proxy Server> Specifies the Proxy Server by its IP address or resolvable hostname.
Note - Use only when you query a remote host.

-l <Polling Interval> Specifies the time in seconds between queries.
Note - Use only when you query a Statistical OID.

-r <Polling Duration> Specifies the time in seconds, during which to run consecutive
queries.
Note - Use only when you query a Statistical OID.

-t <Timeout> Specifies the session timeout in milliseconds.

<Regular_OID_1> <Regular_OID_2> ... <Regular_OID_N> Specifies the Regular OIDs to query.
Notes:
n OID must not start with a period.
n Separate the OIDs with spaces.
n You can specify up to 100 OIDs.


<Statistical_OID_1> <Statistical_OID_2> ... <Statistical_OID_N> Specifies the Statistical OIDs to query.
Notes:
n OID must not start with a period.
n Separate the OIDs with spaces.
n You can specify up to 100 OIDs.

Example - Query a Regular OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime):
[Expert@HostName]# stattest get 1.3.6.1.4.1.2620.1.6.7.2.3

Example - Query a Statistical OID

Query the CPU Idle utilization at the OID 1.3.6.1.4.1.2620.1.6.7.2.3 (procIdleTime).
Samples are collected every 5 seconds for a duration of 5 seconds:
[Expert@HostName]# stattest get -l 5 -r 5 1.3.6.1.4.1.2620.1.6.7.2.3


threshold_config
Description
You can configure a variety of different SNMP thresholds that generate SNMP traps, or alerts.
You can use these thresholds to monitor many system components automatically without
requesting information from each object or device.
You configure these SNMP Monitoring Thresholds only on the Security Management Server,
Multi-Domain Server, or Domain Management Server.
During policy installation, the managed Security Gateways and Clusters receive and apply
these thresholds as part of their policy.

For more information, see sk90860: How to configure SNMP on Gaia OS.

Procedure

Step Instructions

1 Connect to the command line on the Management Server.

2 Log in to the Expert mode.

3 On a Multi-Domain Server, switch to the context of the applicable Domain
Management Server:
[Expert@HostName:0]# mdsenv <Name or IP address of Domain Management Server>

4 Go to the Threshold Engine Configuration menu:
[Expert@HostName:0]# threshold_config


5 Select the applicable options and configure the applicable settings
(see the Threshold Engine Configuration Options table below).
Threshold Engine Configuration Options:
---------------------------------------
(1) Show policy name
(2) Set policy name
(3) Save policy
(4) Save policy to file
(5) Load policy from file
(6) Configure global alert settings
(7) Configure alert destinations
(8) View thresholds overview
(9) Configure thresholds

(e) Exit (m) Main Menu

Enter your choice (1-9) :

6 Exit from the Threshold Engine Configuration menu.

7 Stop the CPD daemon:
[Expert@HostName:0]# cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
See "cpwd_admin stop" on page 863.

8 Start the CPD daemon:
[Expert@HostName:0]# cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
See "cpwd_admin start" on page 860.

9 Wait for 10-20 seconds.

10 Verify that the CPD daemon started successfully:
[Expert@HostName:0]# cpwd_admin list | egrep "STAT|CPD"
See "cpwd_admin list" on page 856.

11 In SmartConsole, install the Access Control Policy on Security Gateways and
Clusters.
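Steps 7 to 10 of this procedure, as an added example that is not Check Point's code: a Python helper that builds the two cpwd_admin commands as argv lists and turns the step-10 check into a pass/fail test by parsing cpwd_admin list output captured before and after the restart. The sample output, its column layout and the function names are constructed for this example.

```python
import os

# Constructed sample output of `cpwd_admin list` captured before and after
# the restart; the column layout (APP PID STAT #START START_TIME MON COMMAND)
# is an assumption of this example.
CPWD_LIST_BEFORE = """\
APP        PID    STAT  #START  START_TIME              MON  COMMAND
CPD        8420   E     1       [09:02:11]  14/6/2022   Y    cpd
FWM        8512   E     1       [09:02:14]  14/6/2022   Y    fwm
"""
CPWD_LIST_AFTER = """\
APP        PID    STAT  #START  START_TIME              MON  COMMAND
CPD        31077  E     2       [11:21:39]  14/6/2022   Y    cpd
FWM        8512   E     1       [09:02:14]  14/6/2022   Y    fwm
"""


def cpd_restart_argv():
    """The stop and start commands from steps 7 and 8 as argv lists, with
    $CPDIR expanded here so no shell is needed to run them."""
    cpdir = os.environ.get("CPDIR", "/opt/CPshrd-R82")
    stop = ["cpwd_admin", "stop", "-name", "CPD", "-path",
            f"{cpdir}/bin/cpd_admin", "-command", "cpd_admin stop"]
    start = ["cpwd_admin", "start", "-name", "CPD", "-path",
             f"{cpdir}/bin/cpd", "-command", "cpd"]
    return stop, start


def parse_cpwd_list(output):
    """Parse cpwd_admin list output into {APP: {pid, stat, starts, command}}."""
    procs = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "APP":      # header or short line
            continue
        procs[parts[0]] = {"pid": int(parts[1]), "stat": parts[2],
                           "starts": int(parts[3]),
                           "command": " ".join(parts[7:])}
    return procs


def cpd_restarted(before, after):
    """Step 10 as a check rather than an eyeball: CPD must be executing
    (STAT E) with a new PID and a higher #START than before.  A CPD that
    merely survived (same PID, same count) was not restarted, which is what
    steps 7 and 8 require, so the answer is False."""
    b = parse_cpwd_list(before).get("CPD")
    a = parse_cpwd_list(after).get("CPD")
    if a is None or a["stat"] != "E":
        return False
    if b is None:
        return True
    return a["pid"] != b["pid"] and a["starts"] > b["starts"]
```

Capture cpwd_admin list once before step 7 and again after the 10-20 second wait of step 9; feeding both captures to cpd_restarted() gives a result a change script can act on, instead of a human reading the STAT column.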


Threshold Engine Configuration Options

Menu item Description

(1) Show policy name Shows the name of the currently configured threshold policy.

(2) Set policy name Configures the name for the threshold policy.
If you do not specify it explicitly, then the default name is "Default
Profile".

(3) Save policy Saves the changes in the current threshold policy.

(4) Save policy to file Exports the configured threshold policy to a file.
If you do not specify the path explicitly, the file is saved in the current
working directory.

(5) Load policy from file Imports a threshold policy from a file.
If you do not specify the path explicitly, the file is imported from the
current working directory.

(6) Configure global alert settings Configures global settings:
n How frequently alerts are sent (the configured delay must be
greater than 30 seconds)
n How many alerts are sent

(7) Configure alert destinations Configures the SNMP Network Management System (NMS), to
which the managed Security Gateways and Cluster Members send
their SNMP alerts.
Configure Alert Destinations Options:
-------------------------------------
(1) View alert destinations
(2) Add SNMP NMS
(3) Remove SNMP NMS
(4) Edit SNMP NMS

(8) View thresholds overview Shows a list of all available thresholds and their current settings.
These include:
n Name
n Category (see the next option "(9)")
n State (disabled or enabled)
n Threshold (threshold point, if applicable)
n Description


(9) Configure thresholds Shows the list of threshold categories to configure.
Thresholds Categories
----------------------
(1) Hardware
(2) High Availability
(3) Local Logging Mode Status
(4) Log Server Connectivity
(5) Networking
(6) Resources
See the Thresholds Categories table below.

Thresholds Categories

Category Sub-Categories

(1) Hardware Hardware Thresholds:
--------------------
(1) RAID volume state
(2) RAID disk state
(3) RAID disk flags
(4) Temperature sensor reading
(5) Fan speed sensor reading
(6) Voltage sensor reading

(2) High Availability High Availability Thresholds:
-----------------------------
(1) Cluster member state changed
(2) Cluster block state
(3) Cluster state
(4) Cluster problem status
(5) Cluster interface status

(3) Local Logging Mode Status Local Logging Mode Status Thresholds:
-------------------------------------
(1) Local Logging Mode

(4) Log Server Connectivity Log Server Connectivity Thresholds:
-----------------------------------
(1) Connection with log server
(2) Connection with all log servers


(5) Networking Networking Thresholds:
----------------------
(1) Interface Admin Status
(2) Interface removed
(3) Interface Operational Link Status
(4) New connections rate
(5) Concurrent connections rate
(6) Bytes Throughput
(7) Accepted Packet Rate
(8) Drop caused by excessive traffic

(6) Resources Resources Thresholds:
---------------------
(1) Swap Memory Utilization
(2) Real Memory Utilization
(3) Partition free space
(4) Core Utilization
(5) Core interrupts rate


Notes:
n If you run the threshold_config command locally on a Security Gateway or
Cluster Member to configure the SNMP Monitoring Thresholds, then each
policy installation erases these local SNMP threshold settings and reverts them
to the global SNMP threshold settings configured on the Management Server
that manages this Security Gateway or Cluster.
n On a Security Gateway and Cluster Members, you can save the local Threshold
Engine Configuration settings to a file and load it locally later.
n The Threshold Engine Configuration is stored in the
$FWDIR/conf/thresholds.conf file.
n In a Multi-Domain Security Management environment:
l You can configure the SNMP thresholds in the context of the Multi-Domain
Server (MDS) and in the context of each individual Domain Management
Server.
l Thresholds that you configure in the context of the Multi-Domain Server
are for the Multi-Domain Server only.
l Thresholds that you configure in the context of a Domain Management
Server are for that Domain Management Server and its managed Security
Gateways and Clusters.
l If an SNMP threshold applies both to the Multi-Domain Server and a
Domain Management Server, then configure the SNMP threshold both in
the context of the Multi-Domain Server and in the context of the Domain
Management Server.
However, in this scenario you get alerts only from the Multi-Domain
Server, if the monitored object exceeds the threshold.
Example:
If you configure the CPU threshold, then when the monitored value
exceeds the configured threshold, it applies to both the Multi-Domain
Server and the Domain Management Server. However, only the Multi-
Domain Server generates SNMP alerts.


Glossary
A

Active Security Management Server
The Management Server in Management High Availability that is currently configured as
Active.

Anti-Bot
Check Point Software Blade on a Security Gateway that blocks botnet behavior and
communication to Command and Control (C&C) centers. Acronyms: AB, ABOT.

Anti-Spam
Check Point Software Blade on a Security Gateway that provides comprehensive
protection for email inspection. Synonym: Anti-Spam & Email Security. Acronyms: AS,
ASPAM.

Anti-Virus
Check Point Software Blade on a Security Gateway that uses real-time virus signatures
and anomaly-based protections from ThreatCloud to detect and block malware at the
Security Gateway before users are affected. Acronym: AV.

Application Control
Check Point Software Blade on a Security Gateway that allows granular control over
specific web-enabled applications by using deep packet inspection. Acronym: APPI.

Audit Log
Log that contains administrator actions on a Management Server (login and logout,
creation or modification of an object, installation of a policy, and so on).

Bridge Mode
Security Gateway or Virtual System that works as a Layer 2 bridge device for easy
deployment in an existing topology.


Cluster
Two or more Security Gateways that work together in a redundant configuration - High
Availability, or Load Sharing.

Cluster Member
Security Gateway that is part of a cluster.

Compliance
Check Point Software Blade on a Management Server to view and apply the Security
Best Practices to the managed Security Gateways. This Software Blade includes a
library of Check Point-defined Security Best Practices to use as a baseline for good
Security Gateway and Policy configuration.

Content Awareness
Check Point Software Blade on a Security Gateway that provides data visibility and
enforcement. Acronym: CTNT.

CoreXL
Performance-enhancing technology for Security Gateways on multi-core processing
platforms. Multiple Check Point Firewall instances are running in parallel on multiple
CPU cores.

CoreXL Firewall Instance
On a Security Gateway with CoreXL enabled, the Firewall kernel is copied multiple
times. Each replicated copy, or firewall instance, runs on one processing CPU core.
These firewall instances handle traffic at the same time, and each firewall instance is a
complete and independent firewall inspection kernel. Synonym: CoreXL FW Instance.


CoreXL SND
Secure Network Distributor. Part of CoreXL that is responsible for: Processing incoming
traffic from the network interfaces; Securely accelerating authorized packets (if
SecureXL is enabled); Distributing non-accelerated packets between Firewall kernel
instances (SND maintains global dispatching table, which maps connections that were
assigned to CoreXL Firewall instances). Traffic distribution between CoreXL Firewall
instances is statically based on Source IP addresses, Destination IP addresses, and the
IP 'Protocol' type. The CoreXL SND does not really "touch" packets. The decision to stick
to a particular FWK daemon is done at the first packet of connection on a very high level,
before anything else. Depending on the SecureXL settings, and in most of the cases, the
SecureXL can be offloading decryption calculations. However, in some other cases,
such as with Route-Based VPN, it is done by FWK daemon.

CPUSE
Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can
automatically update Check Point products for the Gaia OS, and the Gaia OS itself.

DAIP Gateway
Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway on which the IP
address of the external interface is assigned dynamically (for example, by a DHCP server
or by an ISP).

Data Loss Prevention
Check Point Software Blade on a Security Gateway that detects and prevents the
unauthorized transmission of confidential information outside the organization. Acronym:
DLP.

Data Type
Classification of data in a Check Point Security Policy for the Content Awareness
Software Blade.

Distributed Deployment
Configuration in which the Check Point Security Gateway and the Security Management
Server products are installed on different computers.

Dynamic Object
Special object type, whose IP address is not known in advance. The Security Gateway
resolves the IP address of this object in real time.

Endpoint Policy Management
Check Point Software Blade on a Management Server to manage an on-premises
Endpoint Security environment.

Expert Mode
The name of the elevated command line shell that gives full system root permissions in
the Check Point Gaia operating system.

Gaia
Check Point security operating system that combines the strengths of both
SecurePlatform and IPSO operating systems.

Gaia Clish
The name of the default command line shell in the Check Point Gaia operating system.
This is a restricted shell: role-based administration controls which commands are
available in the shell.

Gaia Portal
Web interface for the Check Point Gaia operating system.

Hotfix
Software package installed on top of the current software version to fix a wrong or
undesired behavior, or to add new behavior.

HTTPS Inspection
Feature on a Security Gateway that decrypts and inspects traffic encrypted with the
SSL/TLS protocols for malware or suspicious patterns. Synonym: SSL Inspection.
Acronyms: HTTPSI, HTTPSi.

ICA
Internal Certificate Authority. A component on Check Point Management Server that
issues certificates for authentication.

Identity Awareness
Check Point Software Blade on a Security Gateway that enforces network access and
audits data based on network location, the identity of the user, and the identity of the
computer. Acronym: IDA.

Identity Logging
Check Point Software Blade on a Management Server to view Identity Logs from the
managed Security Gateways with enabled Identity Awareness Software Blade.

Inline Layer
Set of rules (a layer) that is used as the action of a rule in another layer of the Security
Policy. A connection that matches the parent rule is then matched only against the rules
of the Inline Layer.

Internal Network
Computers and resources protected by the Firewall and accessed by authenticated
users.

IPS
Check Point Software Blade on a Security Gateway that inspects and analyzes packets
and data for numerous types of risks (Intrusion Prevention System).

IPsec VPN
Check Point Software Blade on a Security Gateway that provides Site to Site VPN and
Remote Access VPN.

Jumbo Hotfix Accumulator
Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA.

Kerberos
Network authentication protocol in which a trusted Key Distribution Center (KDC) issues
time-limited tickets that clients present to services to prove their identity, without
sending passwords over the network. In Microsoft Windows environments, Active
Directory domain controllers act as the KDC.

Log Server
Dedicated Check Point server that runs Check Point software to store and process logs.

Logging & Status
Check Point Software Blade on a Management Server to view Security Logs from the
managed Security Gateways.

Management High Availability
Deployment and configuration mode of two Check Point Management Servers, in which
they automatically synchronize the management databases with each other. In this
mode, one Management Server is Active, and the other is Standby. Acronyms:
Management HA, MGMT HA.

Management Interface
(1) Interface on a Gaia Security Gateway or Cluster member, through which
Management Server connects to the Security Gateway or Cluster member. (2) Interface
on Gaia computer, through which users connect to Gaia Portal or CLI.

Management Server
Check Point Single-Domain Security Management Server or a Multi-Domain Security
Management Server.

Manual NAT Rules
Manual configuration of NAT rules by the administrator of the Check Point Management
Server.

Mobile Access
Check Point Software Blade on a Security Gateway that provides Remote Access VPN for
managed and unmanaged clients. Acronym: MAB.

Multi-Domain Log Server
Dedicated Check Point server that runs Check Point software to store and process logs
in a Multi-Domain Security Management environment. The Multi-Domain Log Server
consists of Domain Log Servers that store and process logs from Security Gateways that
are managed by the corresponding Domain Management Servers. Acronym: MDLS.

Multi-Domain Security Management Server
Dedicated Check Point server that runs Check Point software to host virtual Security
Management Servers called Domain Management Servers. Synonym: Multi-Domain
Server. Acronym: MDS.

Network Object
Logical object that represents different parts of corporate topology - computers, IP
addresses, traffic protocols, and so on. Administrators use these objects in Security
Policies.

Network Policy Management
Check Point Software Blade on a Management Server to manage an on-premises
environment with Access Control and Threat Prevention policies.

Open Server
Physical computer manufactured and distributed by a company, other than Check Point.

Package Repository
Collection of software packages that were uploaded to the Management Server. You can
easily install these packages in SmartConsole on the managed Security Gateways.

Permission Profile
Predefined group of SmartConsole access permissions assigned to Domains and
administrators. With this feature you can configure complex permissions for many
administrators with one definition.

Policy Layer
Layer (set of rules) in a Security Policy.

Policy Package
Collection of different types of Security Policies, such as Access Control, Threat
Prevention, QoS, and Desktop Security. After installation, Security Gateways enforce all
Policies in the Policy Package.

Primary Security Management Server
The Security Management Server in Management High Availability that you install as
Primary.

Provisioning
Check Point Software Blade on a Management Server that manages large-scale
deployments of Check Point Security Gateways using configuration profiles. Synonyms:
SmartProvisioning, SmartLSM, Large-Scale Management, LSM.

QoS
Check Point Software Blade on a Security Gateway that provides policy-based traffic
bandwidth management to prioritize business-critical traffic and guarantee bandwidth
and control latency.

Rule
Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause
specified actions to be taken for a communication session.

Rule Base
All rules configured in a given Security Policy. Synonym: Rulebase.
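The following is an added example, written for this page to illustrate the Inline Layer, Policy Layer, Rule and Rule Base terms above; it is a simplified model of first-match evaluation, not Check Point's enforcement code. The object names, the sample rules and the implicit cleanup action of each layer are assumptions. The point it demonstrates is the one practitioners most often trip over: once a connection matches the parent rule of an Inline Layer, only the Inline Layer's rules are considered, so a later rule in the parent layer that would have accepted the traffic is never reached.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

# Simplified Rule Base matcher (added example, not Check Point code).
# Assumptions: "Any" matches everything, services are TCP destination ports,
# and a layer whose rules do not match applies its implicit cleanup action.


@dataclass
class Layer:
    name: str
    rules: List["Rule"]
    implicit_cleanup: str = "Drop"   # assumed default when no rule in the layer matches


@dataclass
class Rule:
    name: str
    src: str                         # CIDR or "Any"
    dst: str                         # CIDR or "Any"
    service: Union[int, str]         # TCP destination port or "Any"
    action: Union[str, Layer]        # "Accept", "Drop", or an Inline Layer


def _match_net(cidr: str, ip: str) -> bool:
    return cidr == "Any" or ip_address(ip) in ip_network(cidr)


def _match_svc(service: Union[int, str], port: int) -> bool:
    return service == "Any" or service == port


def match(layer: Layer, src: str, dst: str, port: int,
          trail: Optional[List[str]] = None) -> Tuple[str, List[str]]:
    """First-match evaluation of a layer. Returns (final action, matched rule trail)."""
    trail = [] if trail is None else trail
    for rule in layer.rules:
        if _match_net(rule.src, src) and _match_net(rule.dst, dst) and _match_svc(rule.service, port):
            trail.append(f"{layer.name}/{rule.name}")
            if isinstance(rule.action, Layer):
                # Matching the parent rule commits the connection to the Inline Layer;
                # the remaining rules of this layer are no longer considered.
                return match(rule.action, src, dst, port, trail)
            return rule.action, trail
    trail.append(f"{layer.name}/<implicit cleanup>")
    return layer.implicit_cleanup, trail


# Constructed sample policy: one Policy Layer with an Inline Layer for the DMZ.
DMZ_WEB = Layer("DMZ Web", [
    Rule("Allow HTTPS", "Any", "192.0.2.0/24", 443, "Accept"),
    Rule("Allow HTTP", "Any", "192.0.2.0/24", 80, "Accept"),
])

NETWORK = Layer("Network", [
    Rule("Mgmt to GW", "10.0.0.0/24", "10.0.0.1/32", 22, "Accept"),
    Rule("To DMZ", "Any", "192.0.2.0/24", "Any", DMZ_WEB),    # parent rule of the Inline Layer
    Rule("Internal SSH", "10.0.0.0/8", "Any", 22, "Accept"),  # never reached for DMZ targets
    Rule("Cleanup", "Any", "Any", "Any", "Drop"),
])


if __name__ == "__main__":
    # SSH from an internal host to a DMZ server: dropped by the Inline Layer's
    # implicit cleanup, even though "Internal SSH" appears later in the parent layer.
    print(match(NETWORK, "10.0.5.7", "192.0.2.10", 22))
    print(match(NETWORK, "198.51.100.9", "192.0.2.10", 443))
```

When reading a matched-rule trail like the first one printed above, the fix is to add the missing rule inside the Inline Layer (or change its implicit cleanup), not to reorder the parent layer.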

Secondary Security Management Server
The Security Management Server in Management High Availability that you install as
Secondary.

SecureXL
Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that
passes through the Security Gateway.

Security Gateway
Dedicated Check Point server that runs Check Point software to inspect traffic and
enforce Security Policies for connected network resources.

Security Management Server
Dedicated Check Point server that runs Check Point software to manage the objects and
policies in a Check Point environment within a single management Domain. Synonym:
Single-Domain Security Management Server.

Security Policy
Collection of rules that control network traffic and enforce organization guidelines for
data protection and access to resources with packet inspection.

SIC
Secure Internal Communication. The Check Point proprietary mechanism with which
computers that run Check Point software authenticate each other over SSL/TLS for
secure communication. This authentication is based on the certificates issued by the ICA
on the Check Point Management Server.

SmartConsole
Check Point GUI application used to manage a Check Point environment - configure
Security Policies, configure devices, monitor products and events, install updates, and
so on.

SmartDashboard
Legacy Check Point GUI client used to create and manage the security settings in
versions R77.30 and lower. In versions R80.x and higher, it is still used to configure
specific legacy settings.

SmartProvisioning
Check Point Software Blade on a Management Server (the actual name is
"Provisioning") that manages large-scale deployments of Check Point Security
Gateways using configuration profiles. Synonyms: Large-Scale Management,
SmartLSM, LSM.

SmartUpdate
Legacy Check Point GUI client used to manage licenses and contracts in a Check Point
environment.

Software Blade
Specific security solution (module): (1) On a Security Gateway, each Software Blade
inspects specific characteristics of the traffic (2) On a Management Server, each
Software Blade enables different management capabilities.

Standalone
Configuration in which the Security Gateway and the Security Management Server
products are installed and configured on the same server.

Standby Security Management Server
The Security Management Server in Management High Availability that is currently
configured as Standby.

Threat Emulation
Check Point Software Blade on a Security Gateway that monitors the behavior of files in
a sandbox to determine whether or not they are malicious. Acronym: TE.

Threat Extraction
Check Point Software Blade on a Security Gateway that removes malicious content from
files. Acronym: TEX.

Traditional VSX Gateway
Physical server that hosts Traditional VSX virtual networks, including all Virtual Devices
that provide the functionality of physical network devices. It holds at least one Virtual
System, which is called VS0.

Updatable Object
Network object that represents an external service, such as Microsoft 365, AWS, Geo
locations, and more.

URL Filtering
Check Point Software Blade on a Security Gateway that allows granular control over
which web sites can be accessed by a given group of users, computers or networks.
Acronym: URLF.

User Database
Check Point internal database that contains all users defined and managed in
SmartConsole.

User Directory
Check Point Software Blade on a Management Server that integrates LDAP and other
external user management servers with Check Point products and security solutions.

User Group
Named group of users with related responsibilities.

User Template
Property set that defines a type of user on which a security policy will be enforced.

VSX
Virtual System Extension. Check Point virtual networking solution, hosted on a computer
or cluster with virtual abstractions of Check Point Security Gateways and other network
devices. These Virtual Devices provide the same functionality as their physical
counterparts.

Zero Phishing
Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides
real-time phishing prevention based on URLs. Acronym: ZPH.
