
Enterprise Security Product Suite NGX (R61)

For additional technical information about Check Point products, consult Check Point’s
SecureKnowledge at:
https://secureknowledge.checkpoint.com
See the latest version of this document in the User Center at:
http://www.checkpoint.com/support/technical/documents

Print Part No.: 701683


February 15, 2006
Copyright © 2003-2006 Check Point Software Technologies, Ltd. All rights reserved.
Table Of Contents

Chapter 1
Enterprise Security Product Suite NGX R61 5
Welcome 5
In this Guide 6
NGX R61 Documentation 6

Chapter 2
Introduction 7
Overview 7
Product CD-ROMs 8
Customers New to Check Point 12
What’s New in NGX R61 13
Expanded Management Support 13
SmartPortal 14
Integrity NGX 14
VPN-1 Edge 14
Eventia Reporter 15
SmartView Monitor 16
SmartView Tracker 16
SmartUpdate 16
SmartDashboard 17
SmartDefense Services 17
Provider-1/SiteManager-1 18
Licensing Provider-1/SiteManager-1 20
Obtaining Software Installation Packages 21

Chapter 3
Getting Started 23
VPN-1 Pro/Express Terminology 24
Provider-1/SiteManager-1 Terminology 25
Minimum Hardware Requirements 27
Windows & Linux Platforms 27
Solaris Platforms 30
SecurePlatform 32
Minimum Software Requirements 34
Solaris Platform 34
Windows Platform 35
Nokia Platform 35
Linux Platform 36
Compatibility Table 36
Supported Upgrade Paths and Interoperability 39
Licensing NGX R61 40
Licensing VPN-1Pro/Express 40
Licensing Provider-1/SiteManager-1 41
Upgrading Licenses 42
Obtaining VPN-1Pro/Express Licenses 42
Upgrading VPN-1 Pro/Express Licenses 43

Chapter 4
Performing a Fresh Installation 45
Overview 45
VPN-1 Pro/Express 46
NGX R61 Fresh Installation on SecurePlatform 47
NGX R61 Fresh Installation on a Windows Platform 52
NGX R61 Fresh Installation on Solaris 54
NGX R61 Fresh Installation on Linux 56
NGX R61 Fresh Installation on a Nokia Platform 58
Initial Configuration 61
Provider-1/SiteManager-1 69
Overview 69
Building the Basic Provider-1 Network 71
Install and Configure the MDS 72
Install the SmartConsole and the MDG Client 75
Log in to the MDG for the First Time 76
Workflow for Creating Customers 77
Configure a New Customer 78
Create the Customer Network 82
Create a Global Security Policy 83
Configure Global SmartDefense and Web Intelligence 83
Assign Global Policy 85
Operation and Maintenance 88
Where to From Here? 95

4 Getting Started Guide


CHAPTER 1

Enterprise Security Product Suite NGX R61

In This Chapter

Welcome page 5
In this Guide page 6
NGX R61 Documentation page 6

Welcome
Thank you for choosing Check Point Enterprise Suite NGX. It is our sincere hope that you will be completely satisfied with this solution and the service we deliver to you. When you choose Check Point, you can rely on us to provide your business with the most secure solutions available.
Check Point also delivers Worldwide Technical Services, including educational, professional and support services, through a network of Authorized Training Centers, Certified Support Partners and Check Point itself, to help you get the most out of your security investment.
To extend your security infrastructure as your network and application security requirements grow, look to OPSEC (Open Platform for Security), the industry's open, multi-vendor security framework. With over 350 partners, OPSEC guarantees the broadest choice of best-of-breed integrated applications and deployment platforms.

Should you wish to obtain more information about this and other
security solutions, please visit us at http://www.checkpoint.com or
call us at 1(800) 829-8391. For additional technical information
consult us at: http://support.checkpoint.com.
Welcome to the Check Point family. We look forward to meeting all
your network and application security and management needs now
and in the future.

In this Guide
This guide provides:
• A brief overview of NGX R61 Enterprise Suite applications
• Installation procedures

NGX R61 Documentation


Technical documentation is available on your NGX R61 CD-ROM
on: CD2\Docs\CheckPoint_Suite
These documents can also be found in the following location:
http://www.checkpoint.com/support/technical/documents
To find out about what's new in NGX R61, read the What's New
Guide.
For the latest information about this version, read the R61 Release
Notes.
For information about upgrading your current Check Point
deployment, refer to the NGX R61 Upgrade Guide.



CHAPTER 2

Introduction

In This Chapter

Overview page 7
Product CD-ROMs page 8
Customers New to Check Point page 12
What’s New in NGX R61 page 13
Obtaining Software Installation Packages page 21

Overview
NGX is a Check Point release that focuses on usability and smarter management. SmartCenter is now integrated with Connectra, InterSpect and Integrity, allowing for centralized management and monitoring of all security enforcement points. IT organizations and executive management now have full visibility over their entire security environment.
With NGX R61, Check Point has expanded the intelligent inspection technologies in VPN-1 Pro, incorporating support for additional complex applications into its state-of-the-art Stateful Inspection and Application Intelligence technology.

Product CD-ROMs
The NGX R61 media pack contains four CD-ROMs:

CD1: Linux

Linux Packages   Contains...
CPvpn            Check Point VPN-1 Pro/Express, SmartCenter Pro/Express
CPrt             Eventia Reporter
CPportal         SmartPortal
CPppack          Performance Pack
CPedgecmp        VPN-1 Edge Compatibility package
CPngcmp          R55 compatibility package
CPR55Wcmp        R55W compatibility package
CPvsxngxcmp      VSX NGX compatibility package
CPdr             Advanced Routing
CPuas            UserAuthority Server
CPinteg          Integrity Server
CPacc3           VPN-1 Accelerator Card III
CPinfo           CPinfo Utility

CD2: Windows

Windows Packages   Contains...
CPvpn              Check Point VPN-1 Pro/Express, SmartCenter Pro/Express
CPclnt             SmartConsole
CPdesktop          VPN-1 SecuRemote/SecureClient for Windows
CPrt               Eventia Reporter
CPportal           SmartPortal
CPedgecmp          VPN-1 Edge Compatibility package
CPngcmp            Check Point R55 compatibility package
CPR55Wcmp          R55W compatibility package
CPvsxngxcmp        VSX NGX compatibility package
CPuas              UserAuthority Server
CPinteg            Integrity Server
CPacc2             VPN-1 Accelerator Card II
CPacc3             VPN-1 Accelerator Card III
CPSessionAgt-50    Session Agent
CPinfo             CPinfo utility
                   Integrity Agent
                   Integrity Flex
                   Integrity Desktop
                   Integrity Client Security
                   Integrity SecureClient

CD3: Solaris2

Solaris2 Packages   Contains...
CPvpn               Check Point VPN-1 Pro/Express, SmartCenter Pro/Express
CPclnt              SmartConsole
CPrt                Eventia Reporter
CPportal            SmartPortal
CPppack             Performance Pack
CPedgecmp           VPN-1 Edge Compatibility package
CPngcmp             R55 compatibility package
CPR55Wcmp           R55W compatibility package
CPvsxngxcmp         VSX NGX compatibility package
CPdr                Advanced Routing
CPuas               UserAuthority Server
CPacc2              VPN-1 Accelerator Card II
CPacc3              VPN-1 Accelerator Card III
CPinfo              CPinfo Utility

CD4: Linux & Solaris

Linux Packages   Contains...
CPmds            Provider-1/SiteManager-1
CPvpn            Check Point VPN-1 Pro/Express, SmartCenter Pro/Express
CPclnt           SmartConsole
CPedgecmp        VPN-1 Edge Compatibility package
CPngcmp          R55 compatibility package
CPR55Wcmp        R55W compatibility package
CPvsxngxcmp      VSX NGX compatibility package
CPinfo           CPinfo Utility
CPsplatIS        SecurePlatform elements

Solaris Package   Contains...
CPmds             Provider-1/SiteManager-1
CPvpn             Check Point VPN-1 Pro/Express, SmartCenter Pro/Express
CPclnt            SmartConsole
CPedgecmp         VPN-1 Edge Compatibility package
CPngcmp           R55 compatibility package
CPR55Wcmp         R55W compatibility package
CPvsxngxcmp       VSX NGX compatibility package
CPinfo            CPinfo Utility
MDG               Multi-Domain GUI
SmartConsole      SmartConsole

Customers New to Check Point


For customers new to Check Point, the Check Point User Center
helps you:
• Manage Check Point products
• Maintain subscriptions
• Generate licenses for product activation
To get started with the User Center, visit:
https://usercenter.checkpoint.com/pub/usercenter/get_started.html

What’s New in NGX R61


The following sections offer a small glimpse into the
advancements offered by NGX R61. For additional in-depth
information refer to the NGX R61 What’s New Guide.

In This Section:

Expanded Management Support page 13
SmartPortal page 14
Integrity NGX page 14
VPN-1 Edge page 14
Eventia Reporter page 15
SmartView Monitor page 16
SmartView Tracker page 16
SmartUpdate page 16
SmartDashboard page 17

Expanded Management Support


Support for Perimeter, Internal, Web and Endpoint Security
has been expanded.

What’s New
SmartCenter is the only centralized management solution for
perimeter, internal, Web and endpoint security. It offers an
easy-to-use graphical interface that allows for centralized object
creation and policy definition for all security products in every
geography.

Customer Benefits
• Reduces administration overhead
• Ensures consistent security policies across the network
• Centralized monitoring capability of network and security
events

SmartPortal

What’s New
• SmartPortal can now display SmartDefense and Web
Intelligence settings
• With SmartPortal you can now edit, create, and modify
internal users

Customer Benefits
• Auditors will have a more complete view of security policies
within the organization
• Users without access to SmartDashboard (e.g. technical support
teams) will be able to better troubleshoot network problems
• Users without access to SmartDashboard (e.g. technical support
teams) will be able to manage users, thereby facilitating task
delegations within the organization

Integrity NGX

What’s New
Integrity can now be managed from the same SmartCenter console,
on the same server, and by the same administrators who manage
other Check Point products using the SmartCenter unified
management platform.

Customer Benefits
• Makes enterprise-wide security administration more efficient
for Check Point customers
• Integration lowers IT costs by eliminating the need for separate
management log-ins, servers, and reports

VPN-1 Edge

What’s New
• Centralized management of VPN-1 Edge SmartDefense protections
• Ability to configure and update anti-virus protection for all VPN-1 Edge devices
• Ability to configure all QoS rules simultaneously for VPN-1 Edge devices via SmartDashboard

Customer Benefits
• Ensures consistent policy management across hundreds to
thousands of remote networks
• Quick deployment and ease of administration for
hundreds of remote sites
• Ability to globally update Edge devices on latest
SmartDefense and AV helps ensure that the remote site
does not become the weakest link in the network

Eventia Reporter

What’s New
• Expanded and new reports for Connectra, InterSpect,
Integrity, Express CI and Edge
• Unified product reporting for security and network
activity. For example, the Approved Traffic report now
shows network actions that were accepted by a variety of
Check Point products.
• Ability to filter SmartDefense logs specific to InterSpect
devices
• More granularity in filtering a report by user name.

Customer Benefits
• Customers who have Connectra, InterSpect, Integrity
and/or Express CI will now be able to take advantage of
the flexible and in-depth reporting capabilities of Eventia
Reporter which were previously only available to VPN-1
users
• Provides administrator with a more holistic picture of
their security and network activity trends

SmartView Monitor

What’s New
• Ability to refresh information about a specific gateway and filter
views by gateway types. For example, it is now possible to only
view monitoring information for VPN-1 Edge gateways
• Other usability enhancements include extra menus specific to
each view and ability to set the view that will display first at
startup

Customer Benefits
Increased visibility into real-time detection of security problems and
anomalies.

SmartView Tracker

What’s New
• New predefined queries for Integrity and Express CI
• Express CI offers a description of the specific exposed virus

Customer Benefits
Expanded accessibility to anti-virus and endpoint security logs to
facilitate security analysis and intrusion detection

SmartUpdate

What’s New
• Upgrade process will upgrade both software package and
related HFA in the same process
• Ability to create connection with VPN-1 Edge devices in order
to access the latest software package(s)
• SmartUpdate identifies gateways that do not have the latest
HFAs
• New “Check for Updates” feature checks the Download
Center and local repository for the latest HFAs, and
recommends upgrading where appropriate

Customer Benefits
• Enables immediate distribution of latest software to
remote sites to ensure consistent network protection across
the enterprise
• Automated checking for the latest updates helps administrators streamline the maintenance of software and licenses across the organization

SmartDashboard

What’s New
• Increased administrator flexibility in changing passwords
(administrator who does not manage others can now
change his own password)
• Ability to customize NAT rule sets (give title to a set of
NAT rules)
• Ability to remove or add columns to the Objects List

Customer Benefits
• Improved ease of definition and refinement of security
policies
• Streamlines delegation of administrator access management

SmartDefense Services

What’s New
New SmartDefense Services console integrated into
SmartCenter provides administrators with the ability to check
deployment status and globally push updates for VPN-1 Pro,
VPN-1 Edge, VSX, Express CI, InterSpect and Connectra.
Global SmartDefense for Provider-1 NGX R61 enables
customer to centrally push SmartDefense updates out to
customer SmartCenters.

Customer Benefits
Universal updateability gives enterprises the power to update Check Point solutions in real time against known and new, evolving threats:
• Centrally maintain the most current preemptive security for the Check Point security infrastructure.
• Allow MSPs to sell an additional service at very little additional investment.
• Streamline management of SmartDefense policies for SPs and large enterprises; for example, users will know which update was downloaded as well as which gateway is enforcing that update.

Provider-1/SiteManager-1
Provider-1/SiteManager-1 is the only security management solution
that addresses the unique requirements of large multi-policy
environments. For service providers, it consolidates and centralizes
the management of security policies for thousands of customers. For
enterprise network operations centers, Provider-1 simplifies a
complex security policy by segmenting it into manageable sub-
policies for geographic, functional, or other groupings.
NGX R61 contains expanded management support for Perimeter,
Internal, Web and Endpoint Security. Specifically:

Global SmartDefense and Web Intelligence

What’s New
• SmartDefense and Web Intelligence settings can be configured
globally and assigned to selected Customers
• Dynamic SmartDefense updates can be downloaded and
applied to all selected customers who have been assigned the
global SmartDefense settings.

Customer Benefits
• Universal updateability gives Service Providers and large enterprises the power to update each Check Point solution in real time against the latest known and unknown security threats
• Allows MSPs to sell an additional service at very little additional investment
• Streamlines the management of SmartDefense updates for Service Providers and large enterprises; for example, users will know which SmartDefense update was downloaded as well as which gateway is enforcing that update.

Integrity NGX

What’s New
Integrity can now be managed via a Provider-1 CMA enabling:
• The same administrator definitions for Integrity and
VPN-1 solutions
• Endpoint security logs to be displayed in SmartView
Tracker
• New Integrity reports in Eventia Reporter
• Integrity to be launched via SmartDashboard
• Integrity server status to be displayed via SmartView
Monitor

Customer Benefits
• Enables Service Providers and large enterprises to manage
end-point security more efficiently across their networks.
The same administrators dealing with VPN-1 gateways
can now manage Integrity servers.
• Integration lowers IT costs by eliminating the need for
separate management log-ins, servers, and reports.

Eventia Analyzer

What's New
Eventia Analyzer can now be globally defined and configured to generate centralized, real-time security events for Check Point and third-party devices.

Customer Benefits
• The ability to perform centralized security event correlation
across multiple customer networks (CMAs) enables the Service
Provider or central administrator of a distributed enterprise to
quickly detect security anomalies across their entire networking
environment.
• The flexibility of being able to configure event policies at the
level of the customer (CMA) enables Service Provider and large
enterprise administrators to set up event correlation policies
unique to the customer, and targeted at specific devices
generating logs in that customer's location.

Licensing Provider-1/SiteManager-1
Similar to other Check Point licenses, Provider-1 licenses are bound
to the IP address of the licensed entity.
• The Provider-1 MDS license is based on the MDS type:
Manager, Container, combined Manager and Container, or LM.
• A Container license sets the maximum number of managed
CMAs. Multiple container licenses can be added together on
one Container to allow it to hold more CMAs, up to a
maximum of 250 CMAs.
• Each CMA requires its own CMA license.
• CMA Pro Add-on licenses can be purchased in bulk. These
purchase packages are called “Pro Add-ons for MDS”.
• An MLM license is comprehensive and includes the CLMs it
manages. There is no need for a separate CLM license, if they
are hosted on an MLM.
• A CLM hosted on a non-MLM server requires its own CLM
license.
• The SiteManager-1 MDS license is an MDS Manager plus a
container of SiteManager-1 CMAs. Each SiteManager-1 CMA
requires its own license.
• Each Enforcement module requires its own license. Licenses are based on the number of computing devices (nodes) protected by the Enforcement module.

Provider-1 licenses can be imported via the Check Point Configuration Tool or via Provider-1's MDG, through its SmartUpdate View. SmartUpdate allows you to centrally upgrade and manage Check Point software and licenses. See the Provider-1/SiteManager-1 Guide for details.

Obtaining Software Installation Packages
NGX R61 software installation packages for Solaris, Windows,
Linux and SecurePlatform are available on the product CD.
NGX R61 software packages for Nokia IPSO 3.9 and 4.0 are
available at the online download center in the following
location:
http://www.checkpoint.com/techsupport/downloads.jsp

CHAPTER 3

Getting Started

In This Chapter:

VPN-1 Pro/Express Terminology page 24
Provider-1/SiteManager-1 Terminology page 25
Minimum Hardware Requirements page 27
Minimum Software Requirements page 34
Compatibility Table page 36
Supported Upgrade Paths and Interoperability page 39
Licensing NGX R61 page 40

This chapter contains information and terminology that will help you successfully install NGX R61.

VPN-1 Pro/Express Terminology
The following are useful terms that you need to be familiar with to understand this chapter.
• A Security Policy is created by the system administrator in order to regulate the incoming and outgoing flow of communication.
• An Enforcement Module is the VPN-1 Pro engine that actively enforces the organization's Security Policy, and the machine that acts as an Enforcement Point/Gateway.
• The SmartCenter Server is the server used by the system administrator to manage the Security Policy. The databases and policies of the organization are stored on the SmartCenter Server and are downloaded to the Enforcement Module.
• SmartConsole is the set of GUI applications used to manage different aspects of the Security Policy. For instance, SmartView Tracker is a SmartConsole application that manages logs.
• SmartDashboard is a SmartConsole GUI application that is used by the system administrator to create and manage the Security Policy.
• A Standalone deployment is one in which the Check Point components responsible for the management of the Security Policy (the SmartCenter Server and the Enforcement Module) are installed on the same machine.
• A Distributed deployment is one in which the Enforcement Module and the SmartCenter Server are deployed on different machines.

Provider-1/SiteManager-1 Terminology
The following are useful terms that you need to be familiar with to understand how to use Provider-1/SiteManager-1.
• A Customer is a business entity whose networks are protected by VPN-1 Pro modules, VPN-1 Edge/Embedded appliances, or other Check Point compatible firewalls. The Customer's Security Policies and network access are managed using Provider-1/SiteManager-1.
• The Multi-Domain Server (MDS) houses Provider-1 system information. It contains details of the Provider-1 deployment, its administrators, and Customer management information. The MDS has two flavors: the Manager, which runs the Provider-1 deployment, and the Container, which holds the Customer Management Add-Ons (CMAs). The Manager is the administrator's entry point into the Provider-1 environment. An MDS can be a Manager, a Container, or both.
• A Customer Management Add-On (CMA) is the Provider-1 equivalent of the SmartCenter Server for a single Customer. Through the CMA, an administrator creates Security Policies and manages the Customer's modules.
• The Multi-Domain Log Module (MLM) is a special MDS Container that is dedicated to collecting and storing logs. It is a Container of Customer Log Modules (CLMs).
• The Customer Log Module (CLM) is a log server for a single Customer.
• The Internal Certificate Authority (ICA) creates and manages X.509-compliant certificates for Secure Internal Communication (SIC), for site-to-site VPN (between VPN-1 Pro gateways), and for authenticating administrators and users.
• The MDS has an ICA that secures the Provider-1 management domain.
• Each CMA has its own ICA to secure its Customer's management domain.

• A Provider-1 administrator is a security administrator assigned granular permissions to manage specific parts of the Provider-1 system. There are four permission levels that can be assigned:
  • An administrator with Provider-1 Superuser permissions can manage the entire Provider-1 system. This includes management of all MDS servers, all Administrators (with all permission levels), all Customers and all Customer networks.
  • An administrator with Customer Superuser permissions can manage all Administrators (with lower permission levels), all Customers and all Customer networks.
  • An administrator with Customer Manager permissions can manage Customer networks for specific Customers. Administrators with this permission level can use the MDG application, but they can view and manage only those Customers that are specifically assigned to them.
  • An administrator with None permissions can manage Customer networks for specific Customers, but is not allowed access to the MDG application.
• A GUI Client is a computer running Check Point GUI interfaces, such as the Provider-1 MDG as well as other SmartConsole applications.

Minimum Hardware Requirements

In This Section:

Windows & Linux Platforms page 27
Solaris Platforms page 30
SecurePlatform page 32

Windows & Linux Platforms

Minimum Requirements for VPN-1 Pro


On Windows and Linux platforms, the minimum hardware
requirements for installing a VPN-1 Pro SmartCenter Server or
Enforcement Module are:
• Intel Pentium II 300 MHz or equivalent processor
• 300 MB free disk space
• Windows: 256 Mbytes RAM, Linux: 128 Mbytes RAM
(256 Mbytes recommended)
• One or more network adapter cards
• CD-ROM Drive

Minimum Requirements for Provider-1/SiteManager-1 MDS
On the Linux platform, the minimum hardware requirements for installing the MDS are:
• Intel Pentium II 300 MHz or equivalent processor
• 450 MB free disk space
• 256 Mbytes RAM
• One or more network adapter cards
• CD-ROM Drive

Minimum Requirements for SmartConsole


On Windows the minimum hardware requirements for installing a
SmartConsole, which includes SmartDashboard, SmartView Tracker,
SmartView Monitor, Eventia Reporter, SmartUpdate, SecureClient
packaging tool, and SmartLSM are:
• Intel Pentium II 300 MHz or equivalent processor
• 100 MB free disk space
• 256 Mbytes RAM
• One network adapter card
• CD-ROM Drive
• 800 x 600 video adapter card

Minimum Requirements for Provider-1/SiteManager-1 MDG
On Windows platforms, the minimum hardware requirements for
installing the MDG are:
• Intel Pentium II 300 MHz or equivalent processor
• 800 MB free disk space
• 256 Mbytes RAM
• One network adapter card
• CD-ROM Drive
• 800 x 600 video adapter card

Minimum Requirements for SecuRemote/SecureClient
On Windows and Mac OS-X platforms, the minimum hardware
requirements for installing SecuRemote/SecureClient are:
• 40 MB free disk space
• 128 MB RAM

Minimum Requirements for Eventia Reporter
The following minimum hardware requirements are recommended for an Eventia Reporter Server that processes a volume of at least 15 GB of logs per day and generates reports within the stated performance limits. For deployments that generate fewer logs per day, a machine with less CPU or memory can be used. This may, however, cause a degradation in performance.
In addition, if your machine has less physical memory, you will need to change the database cache size. To do this, follow the instructions in the Eventia Reporter User Guide under the section Changing the Eventia Reporter Database Cache Size.
On Windows and Linux platforms, the minimum hardware
requirements for installing Eventia Reporter are:
• Intel Pentium III 2.0 GHz or equivalent processor
• 80 MB disk space for installation
• 40GB disk space for database
• 1GB RAM
• CD-ROM Drive
• 1024 x 768 video adapter card
To optimize performance:
• Disable DNS resolution - consolidation performance may
improve to 32GB of logs per day.
• Configure the network connection between the Eventia
Reporter Server machine and the SmartCenter or the Log
server, to the optimal speed.
• Use the fastest disk available with a high RPM
(revolutions per minute), and a large buffer size.
• Use UpdateMySQLConfig to tune the database
configuration and adjust the consolidation memory buffers
to use additional memory.
• Increase the machine's memory. It significantly improves
performance.

• Increase the database and log disk size (for example, by several
gigabytes) to enable the Eventia Reporter to cache information
before generating a report. If a report requires additional space
for caching, this fact is noted in the report’s Generation
Information section.

Solaris Platforms

Minimum Requirements for VPN-1 Pro


On a Solaris platform, the minimum hardware requirements for
installing a VPN-1 Pro SmartCenter Server or Enforcement Module
are:
• UltraSPARC II
• 100 MB free disk space for installation
• 128 Mbytes RAM, 256 Mbytes recommended
• One or more network adapter cards
• CD-ROM Drive

Minimum Requirements for SmartConsole


On a Solaris platform, the minimum hardware requirements for
installing a SmartConsole, which includes SmartDashboard,
SmartView Tracker, and SmartUpdate are:
• UltraSPARC III
• 100 MB free disk space for installation
• 128 Mbytes RAM
• One network adapter card
• CD-ROM Drive
• 800 x 600 video adapter card

Minimum Requirements for Provider-1/SiteManager-1 MDS
On Solaris platforms, the minimum hardware requirements for installing the MDS are:
• UltraSPARC II
• 800 MB free disk space for installation
• 256 Mbytes RAM recommended
• One or more network adapter cards
• CD-ROM Drive

Minimum Requirements for Provider-1/SiteManager-1 MDG
On Solaris platforms, the minimum hardware requirements for
installing the MDG are:
• UltraSPARC III
• 100 MB free disk space for installation
• 256 Mbytes RAM
• One network adapter card
• CD-ROM Drive
• 800 x 600 video adapter card

Minimum Requirements for Eventia Reporter
The following minimum hardware requirements are recommended for an Eventia Reporter Server that processes a volume of at least 15 GB of logs per day and generates reports within the stated performance limits. For deployments that generate fewer logs per day, a machine with less CPU or memory can be used. This may, however, cause a degradation in performance.
In addition, if your machine has less physical memory, you will need to change the database cache size. To do this, follow the instructions in the Eventia Reporter User Guide under the section Changing the Eventia Reporter Database Cache Size.
The minimum hardware requirements for installing Eventia
Reporter on a Solaris platform are:
• UltraSPARC III 900MHz processor
• 100 MB disk space for installation
• 40GB disk space for database
• 1GB RAM
• CD-ROM Drive
• 1024 x 768 video adapter card
To optimize performance:
• Disable DNS resolution - consolidation performance may
improve to 32GB of logs per day.
• Configure the network connection between the Eventia
Reporter Server machine and the SmartCenter or the Log
server, to the optimal speed.
• Use the fastest disk available with a high RPM (revolutions per
minute), and a large buffer size.
• Use UpdateMySQLConfig to tune the database configuration
and adjust the consolidation memory buffers to use additional
memory.
• Increase the machine's memory. It significantly improves
performance.
• Increase the database and log disk size (for example, by several
gigabytes) to enable the Eventia Reporter to cache information
before generating a report. If a report requires additional space
for caching, this fact is noted in the report’s Generation
Information section.

SecurePlatform

Minimum Requirements for VPN-1 Pro


On SecurePlatform, the minimum hardware requirements for
installing a VPN-1 Pro SmartCenter Server or Enforcement Module
are:
• Intel Pentium III 300+ MHz or equivalent processor
• 4 GB free disk space
• 256 Mbytes RAM (512 Mbytes recommended)
• One or more supported network adapter cards
• CD-ROM Drive (bootable)
• 1024 x 768 video adapter card
For details regarding SecurePlatform on specific hardware platforms, see
http://www.checkpoint.com/products/supported_platforms/recommended.html

Minimum Requirements for Provider-1/SiteManager-1 MDS
On SecurePlatform, the minimum hardware requirements for
installing the MDS are:
• Intel Pentium III 300 MHz or equivalent processor
• 4 GB free disk space
• 256 Mbytes RAM
• One or more network adapter cards
• CD-ROM Drive
• 1024 x 768 video adapter card

Minimum Software Requirements


In This Section:

Solaris Platform page 34
Windows Platform page 35
Linux Platform page 36

Solaris Platform

Required Packages
• SUNWlibc
• SUNWlibCx
• SUNWter
• SUNWadmc
• SUNWadmfw

Required Patches
Check Point recommends using the Sun Install Check Tool to
check the patch level of your Solaris machines. The Sun Install
Check Tool is available on the Sun download site at
http://www.sun.com/software/installcheck/download.xml. Use the
tool to make sure your Solaris machines have the following or newer
patches.
Solaris 8: the following patches (or newer) are required on Solaris
8 UltraSPARC platforms.

Number      System   Notes
108528-18   All      If the patches 108528-17 and 113652-01 are
                     installed, remove 113652-01, and then install
                     108528-18.
110380-03   All
109147-18   All
109326-07   All
108434-01   32 bit
108435-01   64 bit

Solaris 9: the following patches (or newer) are required on Solaris
9 UltraSPARC platforms:

Number      System   Notes
112233-12   All
112902-07   All
116561-03   All      Only if the dmfe(7D) ethernet driver is defined
                     on the machine

To verify that you have these patches installed, use the
command:
showrev -p | grep <patch number>
The patches can be downloaded from http://sunsolve.sun.com.
Install the 32-bit patches before installing 64-bit patches.
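The per-patch check described above, carried out against the whole table rather than one patch at a time, as an added example (this script is not part of the guide or of Check Point's tooling). It parses the "Patch: <base>-<rev> ..." lines that showrev -p prints, compares the installed revision of each required patch base numerically so that a newer revision satisfies an "or newer" requirement, reports OLD and MISSING patches, and flags the 108528-17/113652-01 ordering case noted in the Solaris 8 table. The showrev output it parses here is constructed sample data, and the function names (installed_rev, has_patch, check_patches, needs_113652_removal) are this example's own.

```sh
#!/bin/sh
# Added example (not from the Check Point guide): check a Solaris host's
# patch level against the NGX R61 requirement table using `showrev -p`
# output. Revisions are compared numerically, so a newer revision of the
# same patch base (e.g. 108528-19 for 108528-18) counts as satisfied.

# Constructed sample of `showrev -p` output (not captured from a real host).
# The real command prints one "Patch: <base>-<rev> ..." line per patch.
SAMPLE_SHOWREV='Patch: 108528-19 Obsoletes: 108528-18 Requires:  Incompatibles:  Packages: SUNWcsu SUNWcsr
Patch: 110380-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109147-15 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109326-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108434-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC'

# Solaris 8 requirements from the guide's table. 108434-01 applies to
# 32-bit and 108435-01 to 64-bit systems; drop the one that does not apply.
REQUIRED_SOL8='108528-18 110380-03 109147-18 109326-07 108434-01 108435-01'

# installed_rev BASE TEXT: print the highest installed revision of patch
# BASE found in TEXT (as a plain number), or nothing if BASE is absent.
installed_rev() {
    printf '%s\n' "$2" | awk -v b="$1" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == b && p[2] + 0 > max) max = p[2] + 0
        }
        END { if (max > 0) print max }'
}

# has_patch BASE-REV TEXT: true if exactly that patch revision is listed.
has_patch() {
    printf '%s\n' "$2" | grep -q "^Patch: $1 "
}

# check_patches "REQUIRED LIST" TEXT: print OK / OLD / MISSING for each
# required patch; return 1 if any requirement is unmet.
check_patches() {
    rc=0
    for want in $1; do
        base=${want%-*}
        rev=${want#*-}
        rev=${rev#0}                       # "03" -> 3; avoids octal parsing
        have=$(installed_rev "$base" "$2")
        if [ -z "$have" ]; then
            printf 'MISSING %s\n' "$want"; rc=1
        elif [ "$have" -lt "$rev" ]; then
            printf 'OLD %s (installed -%s)\n' "$want" "$have"; rc=1
        else
            printf 'OK %s\n' "$want"
        fi
    done
    return $rc
}

# The table's note for 108528-18: when 108528-17 and 113652-01 are both
# installed, 113652-01 must be removed before 108528-18 is applied.
needs_113652_removal() {
    has_patch 108528-17 "$1" && has_patch 113652-01 "$1"
}

# Demo run against the constructed sample. On a real host, replace the
# sample with the live output: check_patches "$REQUIRED_SOL8" "$(showrev -p)"
check_patches "$REQUIRED_SOL8" "$SAMPLE_SHOWREV" || echo "patch level below NGX R61 requirements"
if needs_113652_removal "$SAMPLE_SHOWREV"; then
    echo "remove 113652-01 before installing 108528-18"
fi
```

For a Solaris 9 host, substitute the Solaris 9 list (112233-12, 112902-07 and, where the dmfe driver is defined, 116561-03) for REQUIRED_SOL8. The script only reads showrev output; installing or removing patches stays a manual step, as the guide describes.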

Windows Platform
This release requires that Service Packs be applied to Windows
2000 and Windows 2003 systems. This release supports Service
Packs SP1, SP2, SP3, and SP4.

Nokia Platform
This release supports IPSO 3.9 and 4.0. For the latest
information on which IPSO releases are supported, see the
Nokia Support Web site at:
http://support.nokia.com.

Linux Platform
This release supports Red Hat Enterprise Linux 3.0. For Red Hat
kernel installation instructions, visit:
http://www.redhat.com/support/resources/howto/kernel-upgrade/kernel-upgrade.html

Compatibility Table
While performing an upgrade, the process looks for unsupported
Check Point products that may already be installed on the targeted
computer. If the existing Check Point implementation contains
products that are not supported by NGX R61, the NGX R61
wrapper will exit. The following table lists the Check Point
products and platforms supported by NGX R61.

TABLE 3-1 NGX R61 Products, Supported by Platform

Platform and Operating System columns, left to right:
Solaris UltraSPARC 8, 9 & 10
Microsoft Windows Server 2003 (SP1)
Microsoft Windows 2000 Advanced Server (SP1-4)
Microsoft Windows 2000 Server (SP1-4)
Microsoft Windows 2000 Professional (SP1-4)
Microsoft Windows XP Home & Professional
RHEL 3.0 kernel 2.4.21
Check Point SecurePlatform
Nokia IPSO 3.9 & 4.0

An X marks a supported platform; the marks are shown in each row's
original left-to-right order. Numbers in parentheses refer to the
Notes to Compatibility Table.

Check Point Product                               Supported platforms
SmartConsole GUI (1)                              X X X X X X
SmartPortal                                       X X X X X X
VPN-1 Pro Module (including QoS, Policy Server)   X X X X X X X
VPN-1 Express CI                                  X
VPN-1 VSX                                         X
SmartCenter Server (2)                            X X X X X X X
ClusterXL (VPN-1 Pro Module) (3, 4)               X X X X X X X
UserAuthority (5)                                 X X X X X X X X X
Eventia Reporter - Server (6)                     X X X X X X X
SmartView Monitor                                 X X X X X X X
VPN-1 Accelerator Driver II                       X
VPN-1 Accelerator Driver III                      X X X X X X X
Performance Pack (7)                              X X X
SmartLSM - Enabled Management                     X X X X X X X
SmartLSM - Enabled ROBO Gateways                  X X X X X X
SmartLSM - Enabled CO Gateways                    X X X X X X X
Advanced Routing (8)                              X X
SecureXL Turbocard (9)                            X
SSL Network Extender - Server                     X X X X X X X
Provider-1/SiteManager-1 Server                   X X X
Provider-1/SiteManager-1 GUI                      X X X X X X
OSE Supported Routers   Nortel versions: 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14
                        Cisco OS versions: 9.x, 10.x, 11.x, 12.x

Notes to Compatibility Table


1 The following SmartConsole Clients are not supported on
Solaris UltraSPARC platforms: Eventia Reporter Client,
SmartView Monitor, SmartLSM and the SecureClient
Packaging Tool.
2 VPN-1 Edge devices cannot be managed from a SmartCenter
server running Nokia IPSO.
3 HA Legacy mode is not supported on Windows Server 2003.
4 ClusterXL supported only in third party mode with VRRP or
IP Clustering.
5 UserAuthority is not supported on Nokia Diskless platforms.
6 Only the Management Add-on of Eventia Reporter is
supported on Nokia. Eventia Reporter is not supported on
Nokia Diskless platforms.
7 Nokia provides SecureXL as part of IPSO.
8 Nokia provides Advanced Routing as part of IPSO.
9 NGX-compatible Turbocard driver is available at
http://www.checkpoint.com/downloads/quicklinks/downloads_tc.html.
FIGURE 3-1 NGX R61 Clients, Supported by Platform

Platform and Operating System columns, left to right:
Microsoft Windows Server 2003 (SP1)
Microsoft Windows 2000 Advanced Server (SP1-4)
Microsoft Windows 2000 Server (SP1-4)
Microsoft Windows 2000 Professional (SP1-4)
Microsoft Windows XP Home & Professional
Hand-Held PC 2000 & Pocket PC 2003
Mac OS "X"

An X marks a supported platform; the marks are shown in each row's
original left-to-right order.

Check Point Product       Supported platforms
SecuRemote                X X X X X
SecureClient              X X X X X X X (all listed platforms)
SSL Network Extender      X X X

Supported Upgrade Paths and Interoperability
NGX R61 upgrade and backward compatibility information:

Version                 Upgrade     Backward compatibility
NG                      Supported   Not supported
NG FP1                  Supported   Not supported
NG FP2                  Supported   Not supported
NG FP3                  Supported   Supported
NG AI R54               Supported   Supported
NG AI R55               Supported   Supported
NG R55W                 Supported   Supported
NGX R60                 Supported   Supported
NGX R60A                Supported   Supported
Express CI R57          Supported   Supported
GX 2.0/2.5/NGX          Supported   Supported
VSX NG AI release 2     Supported   Supported
VSX NGX                 Supported   Supported

Upgrading from versions prior to NG (4.0-4.1) is not
supported. In order to upgrade FireWall-1 versions 4.0-4.1,
upgrade the installed version to VPN-1 NG R55 (refer to the
NG with Application Intelligence R55 Upgrade Guide). Once the
VPN-1 NG R55 upgrade is complete, perform an upgrade to
NGX R61.

Licensing NGX R61


Licenses are required for the SmartCenter Server and for the
Enforcement Modules. No license is required for the SmartConsole
management clients.
Check Point Gateways enforce the license installed on the gateway
by counting the number of users that have traversed the gateway. If
the limit has been reached, warning messages are sent to the
console.
Check Point software that has not yet been purchased will work for
a period of 15 days. You are required to go through the User Center
in order to register this software.

Licensing VPN-1 Pro/Express
Check Point software is activated with a Certificate Key. Obtain
this License Key by registering the Certificate Key (that appears on
the back of the software media pack) with the Check Point User
Center: https://usercenter.checkpoint.com.
The Certificate Key is used to generate a License Key for products
that you are either evaluating or purchasing. To purchase the
required Check Point products, contact your reseller.
1 Use the Certificate Key on the back of the media pack to
obtain a License Key from the Check Point User Center. The
activation process consists of:
• Adding the Certificate Key
• Activating the products
• Choosing the type of license
• Entering the software details
2 Once you have a License Key, start the installation and
configuration process. During this process, you will be required
to:
• Read the End Users License Agreement and if you accept
it, click Yes.
• Import the license that you obtained from the User Center
for the product that you are installing. Licenses are
imported via the Check Point Configuration Tool or using
SmartUpdate. SmartUpdate allows you to centrally
upgrade and manage Check Point software and
licenses. The Certificate Keys tie the product license
to the IP address of the SmartCenter Server. This
means that:
• The new license remains valid even if the IP address of
the Check Point Gateway is changed.
• Only one IP address is needed for all licenses.
• A license can be detached from one Check Point
Gateway and assigned to another.

Licensing Provider-1/SiteManager-1
Similar to other Check Point licenses, Provider-1 licenses are
bound to the IP address of the licensed entity.
• The Provider-1 MDS license is based on the MDS type:
Manager, Container, combined Manager and Container,
or LM.
• A Container license sets the maximum number of
managed CMAs. Multiple container licenses can be added
together on one Container to allow it to hold more
CMAs, up to a maximum of 250 CMAs.
• Each CMA requires its own CMA license.
• CMA Pro Add-on licenses can be purchased in bulk.
These purchase packages are called "Pro Add-ons for
MDS".
• An MLM license is comprehensive and includes the CLMs
it manages. There is no need for a separate CLM license,
if they are hosted on an MLM.
• A CLM hosted on a non-MLM server requires its own
CLM license.
• The SiteManager-1 MDS license is an MDS Manager plus
a container of SiteManager-1 CMAs. Each SiteManager-1
CMA requires its own license.
• Each Enforcement module requires its own license. Licenses
are according to the number of computing devices (nodes)
protected by the Enforcement module. Provider-1 licenses
can be imported via the Check Point Configuration Tool or via
Provider-1's MDG, through its SmartUpdate View.
SmartUpdate allows you to centrally upgrade and manage
Check Point software and licenses. See the Provider-1/SiteManager-1
Guide for details.

Upgrading Licenses
Customers with versions prior to NGX R60 will be required to
obtain a new license when they upgrade to NGX R61. Check Point
NGX R60 software does not work with licenses from previous NG
versions. The upgrade procedure is free of charge to purchasers of
the Software Subscription service (Enterprise Base Support).
Licenses for versions prior to NG cannot be upgraded directly to
NGX. You must first upgrade to NG and then upgrade the licenses
from NG to NGX. The license upgrade procedure uses the
license_upgrade command line tool, which makes it simple to
automatically upgrade licenses without having to do so manually
through the Check Point User Center Web site.
For detailed information about upgrading licenses, refer to the NGX
R61 Upgrade Guide.

Obtaining VPN-1 Pro/Express Licenses

Check Point software is activated with a Certificate Key. Obtain this
License Key by registering the Certificate Key (that appears on the
back of the software media pack) with the Check Point User
Center: https://usercenter.checkpoint.com.
The Certificate Key is used to generate a License Key for products
that you are either evaluating or purchasing.
In order to purchase the required Check Point products, contact
your reseller.
1 Use the Certificate Key on the back of the media pack to
obtain a License Key from the Check Point User Center.
The activation process consists of:
• adding the Certificate Key
• activating the products
• choosing the type of license
• entering the software details
2 Once you have a License Key, start the installation and
configuration process. During this process, you will be
required to:
• read the End Users License Agreement and if you
accept it, click Yes.
• import the license that you obtained from the User
Center for the product that you are installing.
Licenses are imported via the Check Point Configuration
Tool or using SmartUpdate.
SmartUpdate allows you to centrally upgrade and manage
Check Point software and licenses. The Certificate Keys
tie the product license to the IP address of the
SmartCenter Server. This means that:
• The new license remains valid even if the IP address of
the Check Point Gateway is changed.
• Only one IP address is needed for all licenses.
• A license can be detached from one Check Point
Gateway and assigned to another.

Upgrading VPN-1 Pro/Express Licenses


Customers with versions prior to NGX R60 will be required
to obtain a new license when they upgrade to NGX R61.
Check Point NGX R60 software does not work with licenses
from previous NG versions.
The upgrade procedure is free of charge to purchasers of the
Software Subscription service (Enterprise Base Support).
Licenses for versions prior to NG cannot be upgraded directly
to NGX. You must first upgrade to NG and then upgrade the
licenses from NG to NGX.
The license upgrade procedure uses the license_upgrade
command line tool, which makes it simple to automatically
upgrade licenses without having to do so manually through the
Check Point User Center Web site.
For detailed information about upgrading licenses, refer to the
Upgrading VPN-1 Pro/Express Licenses to NGX R61 chapter of the
NGX R61 Upgrade Guide.

CHAPTER 4

Performing a Fresh Installation

In This Chapter:

Overview page 45
VPN-1 Pro/Express page 46
Provider-1/SiteManager-1 page 69
Where to From Here? page 95

Overview
Check Point software is designed to work across multiple platforms,
and pre-configured appliances. The “look-and-feel” of each
installation differs depending on the platform. This chapter covers
installing VPN-1 Pro/Express, and Provider-1/SiteManager-1.

VPN-1 Pro/Express

NGX R61 Fresh Installation on SecurePlatform page 47
NGX R61 Fresh Installation on a Windows Platform page 52
NGX R61 Fresh Installation on Solaris page 54
NGX R61 Fresh Installation on a Nokia Platform page 58
Initial Configuration page 61

NGX R61 can be installed in one of two deployments:
• A standalone deployment, where the Check Point components that
are responsible for the management of the Security Policy (the
SmartCenter Server and the Enforcement Module) are installed on the
same machine.
• A distributed deployment, where the Enforcement Module and the
SmartCenter Server are installed on different machines.
In both deployments, SmartConsole can be installed on any
machine unless stated otherwise, and the following must be
performed:
• Install the components that will manage or enforce the Security Policy
(for instance SmartCenter Server, Enforcement Module, Log Server).
• Install one or more SmartConsole clients to manage different aspects of
VPN-1 Pro/Express (that is, Check Point Enterprise). For instance,
SmartDashboard is used by the system administrator to manage and
create the Security Policy. Any number of SmartConsole GUI
applications can be installed on the same machine.
• The TCP/IP network protocol must be installed, properly configured,
and operational before you begin the installation process.

NGX R61 Fresh Installation on SecurePlatform

In This Section:

Install SecurePlatform using NGX R61 CD page 47
Installing NGX R61 Products on SecurePlatform page 49
Installing NGX R61 using WebUI page 51

Install SecurePlatform using NGX R61 CD

1 Insert the bootable NGX R61 CD into the CD drive and
reboot the computer.
After rebooting, the Welcome to Check Point screen is
displayed. If you do not press Enter within 90 seconds,
the computer will boot from the hard drive.
2 Press Enter.
The installation program is loaded, and the following
options are displayed:
• Device List
If you select Device List, the Hardware Scan Details
menu is displayed.
• Add Driver
If you select Add Driver, the Devices menu is
displayed. There are instances in which updated
hardware is incompatible with the previous version’s
driver. You may receive an error at installation because
the operating system could not find the appropriate hard
disk driver. Alternatively, installation may be completed,
but the hardware does not function properly. The Add
Driver option enables you to add the missing driver
during the installation process.
3 Select OK to proceed with the installation, or Cancel to
abort it.
The System Type screen is displayed.

4 According to the type of license you have purchased, when
asked What type of system would you like to install?
select one of the following:
• SecurePlatform
• SecurePlatform Pro - including Advanced Routing Suite
and additional enhancements (for example, RADIUS
authentication of administrators).
The Keyboard Selection menu is displayed.
5 Select a keyboard type and select OK.
6 In the Network Interface Configuration menu, specify the
Management Interface IP address, netmask and default gateway
of the first network interface (eth0 on most systems), and select
OK.
7 In the HTTPS Server Configuration menu, specify whether
to enable configuration of SecurePlatform through the WebUI,
and the port number to use for it.
8 Select OK to proceed.
The Confirmation menu is displayed.
9 Select OK to proceed, or Cancel to exit.

Warning - The installation procedure erases all the
information on the hard drive.

The following installation operations are performed:
• hard drive formatting
• software package installation
• post installation procedures
This step can take several minutes, after which the Installation
Complete screen is displayed.
10 Select OK to complete the installation.
11 The system will now reboot. Make sure to remove the CD that
you used during the installation process.

Installing NGX R61 Products on SecurePlatform
After the OS installation has been completed (steps 1 to 11 in
Install SecurePlatform using NGX R61 CD), and the
computer has been rebooted, a first time setup is required to:
• configure the network settings
• apply the license
• select which products will be installed
• perform the SmartCenter initial setup, if SmartCenter was
selected from the product list

Performing setup for the first time

1 After reboot, when the SecurePlatform boot menu is
displayed, select Start in normal mode.
2 Log in.
Use Admin as your Username and Password. When
prompted, change this default user name and password.
Make sure the new password contains more than six
characters and is a mixture of upper and lower case
letters and numbers.
3 Run the sysconfig command from the console.
A Welcome message is displayed.
4 The command line setup wizard guides you through the
first-time configuration.
5 Select n to proceed to the next menu, or q to exit the
Wizard.
6 The Network Configuration menu options are
displayed:
• Host Name (Set/Show Host Name)
• Domain Name (Set/Show Domain Name)
• Domain Name Servers (Add/Remove/Show Domain
Name Servers)
• Network Connections
(Add/Configure/Remove/Show Connection)

• Routing (Set/Show Default Gateway)
Configure:
• the computer’s name
• the domain name, and at least one DNS server
• the computer’s network interfaces
• the default gateway, if required
7 When you have completed Network Configuration, select
the next menu item, Time and Date Configuration, and:
• Set time zone
• Set date
• Set local time
• Show date and time settings
8 Type n to continue the installation.
The Import Check Point Products Configuration screen
appears with the following option: Fetch Import file from
TFTP Server. If you exported the configuration of another
SecurePlatform installation, you can import that configuration
at this point. For more details, see the R61 Upgrade Guide.
9 Type N to start the Check Point product installation wizard.
10 Read and accept the End-User License agreement.
11 Select either Check Point Enterprise/Pro or Check Point
Express for installation.
12 Select New Installation, or Installation Using Imported
Configuration (the configuration fetched in step 8).
Depending on your choice in step 11, a list of products is
displayed:

Check Point Enterprise/Pro:
1- VPN-1 Pro
2- User Authority
3- SmartCenter
4- Integrity
5- Eventia Reporter
6- Performance Pack
7- SmartPortal

Check Point Express:
1- VPN-1 Express
2- SmartCenter Express
3- Eventia Reporter
4- SmartPortal

13 To configure Enterprise SmartCenter or the Enforcement
Module after installation, use the Configuration Tool.
For more information see “Using the Configuration tool
on Unix Systems” on page 66.
14 Reboot the machine.
Once you reboot the machine, IP forwarding is
automatically disabled and a default Security Policy is
applied to the Enforcement Module. This default Security
Policy forbids all inbound connections, except for control
connections (for example, install policy operations, etc.).
This policy remains in place until you have installed the
first Security Policy.

Installing NGX R61 using WebUI


An alternative method of configuring network settings,
applying a license, installing and configuring products is
available through the WebUI. After the system has rebooted,
use your browser to connect to the IP address specified in step
6 on page 48.

NGX R61 Fresh Installation on a Windows Platform
The installation on a Windows platform is GUI based. The screens
displayed during this installation differ according to which Check
Point components are installed.
1 Log on as an Administrator and insert the CD.
The Wrapper is launched automatically and a
Congratulations message is displayed.

2 Review the Evaluation Options and/or select Read More
About Installation and click Next.
3 Read the End-Users License Agreement. If you accept the
agreement, click I accept the terms of the License
agreement.
4 Select to install Check Point Enterprise/Pro or Check Point
Express.
A list of products is displayed for either option:

Check Point Enterprise/Pro:
VPN-1 Pro
SmartCenter
Eventia Reporter
SmartConsole
Integrity
VPN-1 Client
SmartPortal
User Authority

Check Point Express:
VPN-1 Express
SmartCenter Express
Eventia Reporter
SmartPortal

5 Select the appropriate products, and click Next.
6 Select an installation option:
• Demo installation (SmartConsole only)
• New Installation
• Installation Using Imported Configuration (for more
information see the R61 Upgrade Guide)
7 Click Next.
If you selected Installation Using Imported
Configuration, you will be prompted for the location of
the imported configuration file.
8 To complete the installation process, configure Enterprise
SmartCenter or an Enforcement Module using the
Configuration Tool. During a first-time install, the
Configuration Tool runs automatically, prompting you to:
i Add licenses
ii Add administrators
iii Initialize the Internal Certificate Authority
iv Define GUI clients
v Export the GUI clients fingerprint to a text file
For more information see “Configuration Tool” on page
61.
9 Reboot the machine.
Once you reboot the machine, IP forwarding is
automatically disabled and a default Security Policy is
applied to the Enforcement Module. This default Security
Policy forbids all inbound connections, except for control
connections (for example, install policy operations, etc.).
This policy remains in place until you have installed the
first Security Policy.

NGX R61 Fresh Installation on Solaris

This is a console-based process. It is run from the command line,
with a main menu that leads you step-by-step through the
installation.
In order to begin the installation, mount the CD on the relevant
subdirectory and:
1 Execute the command ./UnixInstallScript from the root
directory of the CD.
The wrapper welcome message is displayed.
2 Enter n.
3 If you accept the terms of the End-user License
Agreement, enter y.
4 Select which product to install:
• Check Point Enterprise/Pro (intended for headquarters
and branch offices)
• Check Point Express (intended for medium-sized
businesses)
5 Enter n.
6 Select New installation as the installation option.
7 Enter n.
A list of products is displayed:

Check Point Enterprise/Pro:
VPN-1 Pro
SmartCenter
Eventia Reporter
Integrity
SmartPortal
User Authority

Check Point Express:
VPN-1 Express
SmartCenter Express
Eventia Reporter
SmartPortal

8 Select the appropriate products and follow the installation
process.
9 Once product installation is complete, use the Check
Point Configuration program to:
i Add licenses. The Check Point Configuration
Program only manages local licenses on this
machine. The recommended way of managing
licenses is through SmartUpdate.
ii Configure GUI clients, a list of hosts which
will be able to connect to this SmartCenter
Server using SmartConsole.
iii Configure group permissions. Specify a
group name.
iv Configure a pool of characters for use in
cryptographic operations. Type randomly until
the progress bar is full. (on Solaris 2.9 only, this
process is automatic).
v Configure the Certificate Authority, and
save the CA’s fingerprint to a file.
vi Start the installed products.
For more detailed information, see: “Using the
Configuration tool on Unix Systems” on page 66.
10 Reboot.

NGX R61 Fresh Installation on Linux

This is a console-based process. It is run from the command line,
with a main menu that leads you step-by-step through the
installation.
In order to begin the installation, mount the CD on the relevant
subdirectory and:
1 Execute the command ./UnixInstallScript from the root
directory of the CD.
2 Type N for next in order to continue with the installation.
3 Read the End-Users License Agreement.
Press the spacebar to continue to the next License Agreement
page.
If you want to go directly to the end of the License
Agreement, press q on the keyboard.
4 If you accept the terms of the End-user License Agreement,
enter y.
5 Select which product to install:
• Check Point Enterprise/Pro (intended for headquarters
and branch offices)
• Check Point Express (intended for medium-sized
businesses)
A list of products is displayed:

Check Point Enterprise/Pro:
VPN-1 Pro
SmartCenter
Eventia Reporter
Integrity
SmartPortal
User Authority

Check Point Express:
VPN-1 Express
SmartCenter Express
Eventia Reporter
SmartPortal

6 Select the appropriate products and follow the installation
process.
7 Once product installation is complete, use the Check
Point Configuration program to:
i Add licenses. The Check Point Configuration
Program only manages local licenses on this
machine. The recommended way of managing
licenses is through SmartUpdate.
ii Configure GUI clients, a list of hosts which
will be able to connect to this SmartCenter
Server using SmartConsole.
iii Configure group permissions. Specify a
group name.
iv Configure a pool of characters for use in
cryptographic operations. Type randomly until
the progress bar is full. (on Solaris 2.9 only, this
process is automatic).
v Configure the Certificate Authority, and
save the CA’s fingerprint to a file.
vi Start the installed products.
For more detailed information, see: “Using the
Configuration tool on Unix Systems” on page 66.
8 Reboot the machine.
Once you reboot the machine, IP forwarding is
automatically disabled and a default Security Policy is
applied to the Enforcement Module. This default Security
Policy forbids all inbound connections, except for control
connections (for example, install policy operations, etc.).
This policy remains in place until you have installed the
first Security Policy.

NGX R61 Fresh Installation on a Nokia Platform
Install NGX R61 using a console-based connection or Nokia
Network Voyager, which is a secure Web-based network-element
management application. Then, use a console-based connection to
perform the initial configuration.
You can also use Nokia Horizon Manager to install and configure
Check Point components on multiple Nokia appliances
simultaneously. For more information, see the Nokia Horizon
Manager documentation on the Nokia Support Web site:
https://support.nokia.com.
NGX R61 software packages for Nokia IPSO 3.9 and 4.0 are
available at the online download center in the following location:
http://www.checkpoint.com/techsupport/downloads.jsp
1 Copy the IPSO Wrapper to an FTP server on your network.
2 To install the Wrapper with the use of a console-based
connection, enter newpkg at the command prompt and follow
the on-screen instructions. To install the Wrapper by using
Voyager, continue to the next step.
3 From the Voyager home page, go to Manage IPSO images.
Make sure the image is either 3.9 or 4.0.
4 From the Voyager home page, choose System Configuration
> Manage Installed Packages > FTP and Install Packages.

5 Enter the appropriate information to connect to the FTP site
and download the Wrapper, then click Apply.
6 Select the Wrapper from the Site Listing field, then click
Apply.
7 Select the relevant package in the Select a package to
unpack area and click Apply.
8 Scroll down and click the install link that appears. This process
may take several minutes.
9 Select Yes in the Install box and click Apply.
Old packages are automatically deactivated and deleted.
New packages are installed but not activated (cpconfig
activates the new products).
10 After the installation is complete, reboot, and connect to
the Nokia platform with a console-based connection.
11 Enter cpconfig at the command line.
12 If you accept the terms of the End-user License
Agreement, enter y.
13 Select which product to install:
• Check Point Enterprise/Pro (intended for
headquarters and branch offices)
• Check Point Express (intended for medium-sized
businesses)
14 Select New installation as the installation option.
15 Enter n.
A list of products is displayed:

Check Point Enterprise/Pro:
VPN-1 Pro
SmartCenter
Eventia Reporter
Integrity
SmartPortal
User Authority

Check Point Express:
VPN-1 Express
SmartCenter Express
Eventia Reporter
SmartPortal

16 Select the appropriate products and follow the installation
process.
17 Once product installation is complete, use the Check
Point Configuration program to:
i Add licenses. The Check Point Configuration
Program only manages local licenses on this
machine. The recommended way of managing
licenses is through SmartUpdate.
ii Configure GUI clients, a list of hosts which will
be able to connect to this SmartCenter Server using
SmartConsole.
iii Configure group permissions. Specify a group
name.
iv Configure a pool of characters for use in
cryptographic operations. Type randomly until the
progress bar is full. (on Solaris 2.9 only, this process
is automatic).
v Configure the Certificate Authority, and save
the CA’s fingerprint to a file.
vi Start the installed products.
For more detailed information, see: “Using the
Configuration tool on Unix Systems” on page 66.
18 Reboot.

Initial Configuration
In this section:

Configuration Tool page 61
Logging into the SmartCenter Server for the First Time page 67
Where to From Here? page 95

Configuration Tool
When the installation process is complete, the Configuration
Tool runs automatically. The Configuration tool can also be
manually run by typing cpconfig at the command line.

Configuration Tool Options


The Configuration Tool is used to configure:
• Licenses. Generates a license for the SmartCenter Server
and Enforcement Module.
• Administrators. Creates an administrator who has
permissions to access the SmartCenter Server. This
administrator must be given Read/Write permissions in
order to create the first Security Policy.
• GUI Clients. Creates a list of resolvable names (or IP
addresses) for machines which can connect to this
SmartCenter Server using SmartConsole.
• Key Hit Session. Enter random keystrokes in order to
create a random seed that is used for various cryptographic
purposes. Once the bar is full, the Key Hit session is
complete.
• Certificate Authority. The definitions on this window are
used to initiate the Internal Certificate Authority (ICA), which is
used in turn to enable secure communication between the
SmartCenter Server and its modules.
For some Operating Systems, such as Windows, you must
specify the name of the host on which the ICA resides.
You may use the default name or supply your own.
The ICA name should be a resolvable name in the format
hostname.domain; for example ica.checkpoint.com. It is
essential that this name be accurate in order for VPN-1 to
work.
• Fingerprint. Verifies the identity of the SmartCenter Server the
first time you log in to the SmartConsole.
Upon login to the SmartConsole, a Fingerprint is displayed.
The displayed Fingerprint must match the Fingerprint shown
now in the Configuration Tool window in order for
authentication to succeed. You may choose to export this
Fingerprint, so that you can recall it when you log in to the
SmartConsole for the first time, for verification purposes.

Using the Configuration Tool on Windows
To perform initial configuration of NGX R61:
1 Open the Configuration Tool: Start > Run > cpconfig
2 In the Licenses tab, perform one or both of the following procedures:
Fetch One or More Licenses from a File
A) Click Fetch from File.
B) Browse to the license file, select it and click Open. The license(s) that belong to this host are added.
Add a License Manually
A) Click Add to add a license. The Add License window is displayed.
B) Configure the Add License window.
C) Click OK to add the newly configured license.
3 Click Next.


4 On the Administrators tab, click Add to specify an administrator. Add an administrator who will use SmartConsole to connect to the SmartCenter Server. Starting from NGX R60, only one administrator can be defined through the Configuration Tool. Additional administrators can be defined using SmartDashboard.
5 Configure the parameters in the Add Administrator window that appears and click OK.
6 Click Next.
7 On the GUI Clients tab, add a GUI Client. If you do not define at least one GUI Client, you will be able to manage the SmartCenter Server only from a GUI Client running on the same machine as the SmartCenter Server.
8 Enter the GUI Client's name in the Remote hostname field.
9 Click Add to add it to the list of allowed GUI Clients. You can add GUI Clients using any of the following formats:
• IP address - for example 1.2.3.4
• IP/netmask - a range of addresses, for example 192.168.10.0/255.255.255.0
• Machine name - for example Alice, or Alice.checkpoint.com
• Any - any IP address, without restriction
• IP1-IP2 - a range of addresses, for example 192.168.10.8 - 192.168.10.16
• Wild cards - for example 192.168.10.*
The list is an allow-list for the management connection: Any, wild cards and broad ranges admit every host within them, so list only the administrators' workstations where you can.
10 Click Next.


11 On the Certificate Authority tab, provide a resolvable name in the format <hostname>.<domain name> (for instance, <hostname>.checkpoint.com). This option initializes an Internal Certificate Authority (ICA) on the SmartCenter Server, and a Secure Internal Communication (SIC) certificate for the SmartCenter Server. SIC certificates authenticate communication between Check Point components, or between Check Point components and OPSEC applications. Note that your components will not be able to communicate with each other until the Certificate Authority is initialized and each component has received a SIC certificate.
12 Click Next.

13 The Fingerprint window displays the fingerprint of the SmartCenter Server. The fingerprint is a text string derived from the certificate of the SmartCenter Server. It is used to verify the identity of the SmartCenter Server being accessed via the SmartConsole. The first time a SmartConsole connects to this SmartCenter Server, compare this string to the string displayed in SmartDashboard.
Use the Fingerprint to Confirm the Identity of the SmartCenter Server
14 In the Fingerprint window, click Export to file and save the file. The fingerprint is exported to a text file, which can be copied to the SmartConsole client machine(s) to confirm the fingerprint of the SmartCenter Server. Once you have finished using the Configuration Tool, perform the following:
A) From a SmartConsole, perform a first-time connection to the SmartCenter Server. The fingerprint of the SmartCenter Server is displayed.
B) Make sure the fingerprint in the exported file is identical to the fingerprint displayed in the SmartConsole.


Note - Do not perform a first-time connection to a SmartCenter Server from a SmartConsole unless the SmartCenter Server fingerprint is readily available and you are able to confirm it is the same as the fingerprint displayed in the SmartConsole. Take the fingerprint from the exported file or from the Configuration Tool on the server itself, not from the connection you are about to verify; once accepted, the fingerprint is stored on the SmartConsole machine and you are not prompted for it again.
15 Close the Configuration Tool.


Using the Configuration Tool on Unix Systems
To complete the installation of a SmartCenter Server or an Enforcement Module, use the Configuration Tool. During a first-time install, the Configuration Tool runs automatically, prompting you to:
1 Add licenses. A license can be added manually or fetched from a file.
2 Add administrators. Add an administrator who will use SmartConsole to connect to the SmartCenter Server. Starting from NGX R60, only one administrator can be defined through the Configuration Tool. Additional administrators can be defined using SmartDashboard.
3 Define GUI clients. You can add GUI Clients using any of the following formats:
• IP address - for example 1.2.3.4
• IP/netmask - a range of addresses, for example 192.168.10.0/255.255.255.0
• Machine name - for example Alice, or Alice.checkpoint.com
• Any - any IP address, without restriction
• IP1-IP2 - a range of addresses, for example 192.168.10.8 - 192.168.10.16
• Wild cards - for example 192.168.10.*

4 Initialize the Internal Certificate Authority. This option initializes an Internal Certificate Authority (ICA) on the SmartCenter Server, and a Secure Internal Communication (SIC) certificate for the SmartCenter Server. SIC certificates authenticate communication between Check Point components, or between Check Point components and OPSEC applications. Note that your components will not be able to communicate with each other until the Certificate Authority is initialized and each component has received a SIC certificate.
5 Export the SmartCenter Server's fingerprint to a text file. The fingerprint is a text string derived from the certificate of the SmartCenter Server. It is used to verify the identity of the SmartCenter Server being accessed via the SmartConsole. The first time a SmartConsole connects to this SmartCenter Server, compare this string to the string displayed in SmartDashboard, and use it to confirm the identity of the SmartCenter Server.
6 Start installed products.
The configuration tool can also be run at the command line
after installation is complete by typing cpconfig.
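The GUI Client entry formats listed in the Windows and Unix procedures above form an allow-list that is evaluated against the address of the connecting SmartConsole. The following Python script is an added example, not Check Point code: it implements those six formats so that a candidate list can be tested offline against addresses that should and should not be admitted, and it flags entries (Any, wild cards, large networks or ranges) that admit more than a named set of workstations. The sample list, the stand-in resolver dictionary and the 256-address reporting threshold are constructed for the example.

```python
"""GUI Clients allow-list checker.

Added example, not Check Point code. It implements the entry formats the
guide lists for the GUI Clients setting (IP address, IP/netmask, machine
name, Any, IP1-IP2, wild cards) so that a proposed list can be tested
against the SmartConsole addresses that should and should not reach the
SmartCenter Server, and so that over-broad entries are flagged before
they are typed into cpconfig. Machine names are resolved through a
dictionary supplied by the caller (an assumption that keeps the example
offline); the real tool relies on the host's DNS.
"""
import ipaddress
import re

# Constructed sample allow-list, one entry per documented format.
SAMPLE_GUI_CLIENTS = [
    "10.1.1.5",                      # single IP address
    "192.168.10.0/255.255.255.0",    # IP/netmask
    "Alice.checkpoint.com",          # machine name
    "172.16.5.8 - 172.16.5.16",      # IP1-IP2 range
    "172.16.9.*",                    # wild card
]

# Constructed stand-in for DNS; the address is an assumption.
SAMPLE_RESOLVER = {"alice.checkpoint.com": "10.9.9.9"}

# Assumed policy threshold: entries admitting more than this many
# addresses are reported by audit_gui_clients().
MAX_QUIET_ADDRESSES = 256


def _as_ip(text):
    """Parse an IP literal, or return None if the text is not one."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def entry_matches(entry, client_ip, resolver=None):
    """Return True if a single GUI Clients entry covers client_ip."""
    resolver = resolver or {}
    entry = entry.strip()
    ip = ipaddress.ip_address(client_ip)
    if entry.lower() == "any":                        # Any: no restriction
        return True
    if "/" in entry:                                  # IP/netmask or IP/prefix
        return ip in ipaddress.ip_network(entry, strict=False)
    if "-" in entry:                                  # IP1-IP2 (hostnames may also contain '-')
        lo, hi = (_as_ip(part) for part in entry.split("-", 1))
        if lo is not None and hi is not None:
            return lo.version == ip.version and lo <= ip <= hi
    if "*" in entry:                                  # wild card: each * is one dotted field
        pattern = re.escape(entry).replace(r"\*", r"[0-9]{1,3}")
        return re.fullmatch(pattern, str(ip)) is not None
    literal = _as_ip(entry)
    if literal is not None:                           # single IP address
        return literal == ip
    resolved = resolver.get(entry.lower())            # machine name, via the resolver
    return resolved is not None and ipaddress.ip_address(resolved) == ip


def client_allowed(entries, client_ip, resolver=None):
    """True if any configured entry covers client_ip."""
    return any(entry_matches(e, client_ip, resolver) for e in entries)


def audit_gui_clients(entries):
    """List (entry, reason) for entries that admit more than a small,
    explicit set of administrator hosts. An empty list is the desired result."""
    findings = []
    for entry in entries:
        e = entry.strip()
        if e.lower() == "any":
            findings.append((entry, "admits every source address"))
        elif "/" in e:
            size = ipaddress.ip_network(e, strict=False).num_addresses
            if size > MAX_QUIET_ADDRESSES:
                findings.append((entry, "network of %d addresses" % size))
        elif "*" in e:
            findings.append((entry, "wild card admits a whole block"))
        elif "-" in e:
            lo, hi = (_as_ip(part) for part in e.split("-", 1))
            if lo is not None and hi is not None and int(hi) - int(lo) + 1 > MAX_QUIET_ADDRESSES:
                findings.append((entry, "range wider than %d addresses" % MAX_QUIET_ADDRESSES))
    return findings


if __name__ == "__main__":
    for ip in ("10.1.1.5", "192.168.10.200", "172.16.5.12", "172.16.9.250", "10.9.9.9", "8.8.8.8"):
        print(ip, client_allowed(SAMPLE_GUI_CLIENTS, ip, SAMPLE_RESOLVER))
    print(audit_gui_clients(SAMPLE_GUI_CLIENTS))
```

Run it directly to print the decision for a few sample addresses and the audit findings; the resolver dictionary is the only part to replace with real name resolution when checking a production list.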

Logging into the SmartCenter Server for the First Time

Login Process
Administrators connect to the SmartCenter Server through SmartDashboard using a process that is common to all SmartConsole clients. In this process, the administrator and the SmartCenter Server are authenticated, and a secure channel of communication is created. After successful authentication, the selected SmartConsole is launched.
After the first login, the administrator can create a certificate for subsequent logins. To find out how to create a certificate, see the SmartCenter User Guide.


Authenticating the Administrator and the SmartCenter Server
1 Launch SmartDashboard by selecting Start > Programs > Check Point SmartConsole NGX R61 > SmartDashboard.
2 Log in using the User Name and Password defined on the Configuration Tool's Administrators page during the SmartCenter Server installation.
3 After providing the authentication information, specify the name or IP address of the target SmartCenter Server and click OK.
4 Manually authenticate the SmartCenter Server against the fingerprint presented during the configuration process in the Configuration Tool. This step only takes place during first-time login: once the SmartCenter Server is authenticated, the fingerprint is saved in the SmartConsole machine's registry. A fingerprint prompt on a later login to the same server means the stored fingerprint no longer matches; confirm the reason before accepting it.


Provider-1/SiteManager-1
In This Section:

Overview page 69
Building the Basic Provider-1 Network page 71
Install and Configure the MDS page 72
Install the SmartConsole and the MDG Client page 75
Log in to the MDG for the First Time page 76
Workflow for Creating Customers page 77
Configure a New Customer page 78
Create the Customer Network page 82
Create a Global Security Policy page 83
Configure Global SmartDefense and Web Intelligence page 83
Assign Global Policy page 85
Operation and Maintenance page 88

Overview
A typical Managed Service Provider (MSP) handles many different customer systems. Provider-1/SiteManager-1's flexibility ensures compatibility with a wide range of customers' security schemes and product deployments.


FIGURE 4-1 Sample Provider-1 deployment

Components of the basic Provider-1 deployment are:
• MDS. Each Provider-1 network must have at least one Manager and one Container. They can be installed on the same server, or separately.
• MDG and SmartConsole applications, installed on a GUI Client (a computer running the Check Point graphical user interfaces), support centralized system management.
• CMAs. CMAs are installed on a Container MDS. Each CMA manages the network of a single Customer domain.
• Customer gateways protect the Customer's networks.
• NOC gateways protect the MSP headquarters and Network/Security Operations Centers.
Note - Depending on your system specifications, choose whether to manage the NOC gateways with a standalone SmartCenter or with your Provider-1 system. For the latter, you will typically dedicate a Provider-1 Customer to be the "NOC" Customer.


Building the Basic Provider-1 Network
This section guides you through building your first Provider-1 Operations Center. The workflow is shown in FIGURE 4-2.

Set Up Networking
The MDS Server host and the VPN-1 Pro Gateways should be
TCP/IP ready. The MDS Server machine should include at
least one interface with an IP address, and should be able to
query a DNS server in order to resolve the IP addresses of
other machine names.
As applicable, ensure that routing is properly configured to
allow IP communication between:
• a CMA/CLM and its managed gateways
• an MDS and other MDSs in the system
• a CMA and CLMs of the same Customer
• a CMA and its High Availability CMA peer
• a GUI Client and MDS Managers
• a GUI Client and CMAs/CLMs


Install the Gateways
Install the NOC Gateway and the Customer's Gateway. This installation is done using the VPN-1 Pro product CD. See "VPN-1 Pro/Express" on page 46.
Note - For each gateway, record the Activation Key you used for the initialization of SIC with the gateway's Management Server.

Install and Configure the MDS
The MDS can be installed on Solaris, Linux, or SecurePlatform. However, all the MDS servers in a single Provider-1 system must be of the same platform type.
The installation instructions below lead you step by step through the basic system setup. The instructions are run from the Unix command line and relate specifically to installing the MDS on a Solaris host. The differences for installing on Linux or SecurePlatform are noted where relevant. You must have superuser permissions on the host on which you will install the MDS.
Note - To install on SecurePlatform, insert the CD and reboot the machine. The SecurePlatform installation starts, followed by the Provider-1 installation. At that point, continue according to the instructions from step 4.
1 Mount the Provider-1 CD on the relevant subdirectory.
2 cd to the mounted directory, and then cd to the directory
<Platform>, where <Platform> stands for the OS (Solaris or
Linux) of the MDS machine.
3 Run the command ./mds_setup and confirm that you want
to proceed with the installation.
4 You are then prompted to select whether this MDS is a
Manager, a Container, both, or an MLM. Select both Manager
and Container. Next you are asked if this is the primary
Manager. Since every Provider-1/SiteManager-1 system should
have a single Primary MDS, you should enter yes.
5 Specify whether the MDS should start automatically with each
computer reboot. The Provider-1 installation then begins,
displaying the names of files as they are extracted.


6 The configuration utility mdsconfig is now activated automatically. The information you enter can be modified later by running the mdsconfig utility directly. This utility allows you to select the MDS interface, add a license, create administrators and GUI Clients, and start the MDS.
7 You are then prompted to read the Provider-1 License
Agreement and accept the terms. After you have read the
Agreement and if you comply with the conditions, accept
and continue.
8 Next, a list of those interfaces found in the MDS
computer is provided. Enter the name of the primary
interface, which is the interface through which the MDS
will communicate with any other MDSs created in this
network.
If the setup is for a Container MDS, CMAs will also be
mapped to this primary interface.
9 If you have an evaluation version, a 15-day trial license is
available. If you have a permanent license, enter it now. If
you still need to obtain a permanent license, make sure
that you get it and enter it before the end of the trial
period.
10 You are prompted to enter random keystrokes in order to
initialize a random seed for the authentication and
encryption services. Type randomly on the keyboard until
the bar fills up and you hear a beep.
11 You are prompted to specify a Unix group name for a
group with access and execution permissions. Press
<Enter> to confirm. This step is optional.
12 You are prompted to initialize the primary Manager’s
Internal Certificate Authority. The initialization procedure
takes a short while. It generates a fingerprint of the ICA
certificate. It is recommended to save this fingerprint to a
file, as prompted, because you will be asked to confirm
this fingerprint when you login with your MDG to this
MDS.


13 You are prompted to create an Administrator. If you choose to do so, provide a name and password, then select the administrator's authorization level. Create at least one administrator with Provider-1 Superuser permissions in order to set up the Provider-1 network. Other administrators can be created now or later.
14 The MDS process now starts.
15 You are prompted to configure a GUI client, that is, a
computer that runs the MDG and is authorized to log in to the
MDS. Configure at least one computer as a GUI client. The
computer can be designated by its IP address, or by its name.
You may add other GUI clients now or later. Ensure that
proper routing exists between the GUI clients and the MDS.
16 You are prompted to start the MDS. Enter y to start it.
Alternatively, you can start the MDS later by running the
mdsstart command at the shell prompt.

Note - If your current shell is sh or bash, you must exit the shell after
the MDS has started.


Install the SmartConsole and the MDG Client
The following instructions are for installing the SmartConsole applications on Windows.

Install the SmartConsole
1 To install the SmartConsole on Windows, access the directory windows/SmartConsole on the Provider-1 product CD.
2 Copy the installation file SmartConsole_NGX_R61_windows.exe to a temporary directory.
3 Start the installation by double-clicking the SmartConsole_NGX_R61_windows.exe icon.
4 You can now run the SmartConsole applications from the Windows Start menu. For instance, Start > Programs > Check Point SmartConsole NGX R61 > SmartDashboard.

Install the MDG
1 To install the MDG package, access the windows/MDG directory on the Provider-1 CD.
2 Copy the installation file Prov1Gui_NGX_R61_windows.exe to a temporary directory.
3 Start the installation by double-clicking the Prov1Gui_NGX_R61_windows.exe icon.
4 You can now run the MDG from the Windows Start menu: Start > Programs > Check Point SmartConsole NGX R61 > Provider-1.


Uninstalling the MDS or the MDG


To uninstall the MDS, enter the following command: mds_remove.
Uninstall the MDG and SmartConsole applications through
Windows Start menu > Settings > Control Panel >
Add/Remove Programs.

Log in to the MDG for the First Time

Login Process
During the MDG login process, a secure communication channel is
created between the administrator's computer (the GUI Client) and
the MDS. In addition, the administrator is authenticated. After
successful authentication, the MDG starts.

Authenticating the Administrator
1 Log in using the User Name and Password that you defined during the MDS installation.
2 Specify the name or IP address of the MDS and click OK.
3 When you log in to an MDS server for the first time, you are prompted to compare the fingerprint of its ICA with the fingerprint that you saved during the MDS installation. This is to ensure that you are indeed connected to the correct MDS host.

Demo Mode
When starting the MDG, you can elect to open it in Demo mode.
This mode does not require authentication and does not connect to
the MDS. It is used to experiment with different objects and
features, before you create a real system. It demonstrates several
sample Customers, CMAs, gateways and policies that have been pre-
configured.
It is recommended that you use the Demo mode to familiarize
yourself with the MDG’s various views and modes. Operations
performed while in Demo mode are stored in a local database. This
allows you to continue a Demo session from the point that you left
off in a previous session.


Once you log in, you will see the General View - Customer
Contents Mode:
FIGURE 4-3 General View in the MDG

The central pane shows:
• The root node, which represents the Provider-1/SiteManager-1 system.
• Customers, for example the Customers Flowers, Good-Bank and Perfect-Luggage.
• The CMAs of each Customer; for example, the Customer Good-Bank has a single CMA, Single_CMA_For_Good-Bank.
• The Gateways belonging to each Customer.

Workflow for Creating Customers


FIGURE 4-4 Customer creation workflow


Configure a New Customer
New Customers are created using the New Customer Wizard. The Wizard takes you through all the steps needed to define the Customer and to create its CMA. The New Customer Wizard is launched from the MDG's General View - Customer Contents Mode.

Start the New Customer Wizard
1 Select Manage menu > New Customer..., or right-click the Provider-1/SiteManager-1 root icon and select the New Customer... option. The Add Customer Wizard starts.
FIGURE 4-5 First screen in the Add Customer Wizard
2 Enter the Customer name. Let's call the new Customer JustLawyers. You can leave all other settings at their default values.


Customer Details
3 Next, fill in the Customer Properties, for example a contact person and a contact e-mail address.

Assign Global Policy
4 Set whether the Customer should be assigned all Global Objects or only those used in the Global Policy to which it is assigned. Also, if you want the Customer to receive the Global SmartDefense policy defined in Global SmartDashboard, do the following:
a Enable the property Subscribe Customer to SmartDefense service. Once a Customer is subscribed to the SmartDefense service, whenever Global Policy is assigned, changes to Global SmartDefense are assigned and ready to be installed to the Customer as well.
b Set the Assign Mode:
i Set to Merge if you want to allow the Customer Administrator to make permanent changes to the assigned SmartDefense policy.
ii Set to Override if you do not want to allow the Customer Administrator to make permanent changes to the assigned SmartDefense policy.
c Create a database version if you want to allow Customer Administrators to roll back to previously installed policy versions.
For details regarding Global SmartDefense, see "Global Policy" in the Provider-1/SiteManager-1 User Guide.

Assign Administrators to the Customer
5 Next, assign administrator(s) to the Customer. These administrators are allowed to manage the new Customer, according to the permissions you specify for them. Note that administrators with Superuser permissions are assigned by default to manage the new Customer with full Read/Write permissions.
You can create administrator groups to facilitate administrator assignment. All members of the group you choose are automatically selected, allowing you to Add or Remove them as a group. To create a new administrator, click New Admin.... Then define the new administrator as follows:
a Enter the administrator's name and select her permission level.
b In the Authentication tab, select the administrator's authentication scheme. If you choose a certificate, create it in the Certificates tab. The certificate is generated into a file that should be given to the administrator.
Let's create two administrators named John and Belinda. John is defined with Provider-1 Superuser permissions, and has all privileges. Belinda has Customer Superuser permissions.

Assign GUI Clients
6 Specify the GUI Client (computer) that administrators use to run the MDG and SmartConsole applications. This can be the computer that you are working on.

Create a CMA
7 Select to create a single Customer Management Add-on (CMA).
8 Define the CMA, calling it JustCMA, and select the MDS you created to house this CMA.
9 Provide a virtual IP address for the CMA. Alternatively, the Provider-1 system can allocate a virtual IP for the CMA from a predefined IP range. To use this alternative, select the Get address... > Get Automatic IP Address option.


Add a License to the CMA
10 Import the license file by clicking the Fetch from file... button. Alternatively, click Add to manually input the license properties. Enter the required fields from the license e-mail, as follows:
a In the e-mail, highlight the license string (which starts with cplic putlic... and ends with an SKU/Feature) and copy it to the clipboard.
b In the Add License window, click Paste License to paste the license details from the clipboard. The license details are inserted into the appropriate fields.
c To validate your license, click Calculate to compute the Validation Code, and compare it with the one received from the User Center.
11 You have finished creating the first Customer and the Customer's CMA. After a short delay, the new Customer and CMA appear in the MDG display. You can now launch the SmartConsole applications from the Customer's CMA.


Create the Customer Network


Once you have created a Provider-1 “Customer”, your next step is
to create the Customer network.
For details about setting up objects and Security Policies, refer to
the SmartCenter Guide.
For details about setting up VSX in Provider-1, refer to the VPN-1
VSX guide.
The Customer’s network is managed via the CMA of the Customer.
1 Choose the MDG’s General - Customer Contents mode.
2 Select the Customer’s CMA — for example, let’s choose the
Customer JustLawyers’ CMA, JustCMA.
3 Right-click the CMA icon and select Launch Application >
SmartDashboard.

4 Create gateways, network objects and hosts for JustLawyers. Refer to the sample objects shown in FIGURE 4-6.
5 When you create the Gateway object that represents the
Customer's gateway that you have previously installed, initialize
SIC using the same Activation Key you specified during the
installation process. Verify that the communication status of the
Gateway object changes to Communicating.
6 Create a Security Policy rule base, an example of which is
shown in FIGURE 4-6.
7 Install the Security Policy on the Customer's Gateway.
FIGURE 4-6 Customer objects and the Security Rule Base


Create a Global Security Policy
Administrators can create Global Security Policies and apply them to all Customers, or to selected Customers. Global Security Policies can be customized per Customer using Dynamic Objects. Global Policies can include Global VPN Communities, which facilitate setup of site-to-site VPN between Gateways managed by different Customers.
Global Security Policies are created using the Global SmartDashboard, which is launched from the MDG. To launch the Global SmartDashboard, do the following:
1 In the MDG, click the Global Policies View button in the left-hand Selection Bar. The Security Policies Mode is displayed.
2 Launch the Global SmartDashboard by selecting Manage > Launch Global SmartDashboard.
Global Security Policies are created in a similar manner to Customer Security Policies. Create the necessary objects and apply them to rules in the rule base as shown in the example, FIGURE 4-7. Note that the Place Holder for Customer Rules in the Global Rule Base allows you to add rules before and after the Customer's own rules.
FIGURE 4-7 Sample global policy
Refer to the Provider-1/SiteManager-1 User Guide for further details.

Configure Global SmartDefense and Web Intelligence
Global SmartDefense and Web Intelligence are configured via the Global SmartDashboard.


FIGURE 4-8 Configuring Global SmartDefense

To configure and update Global SmartDefense, do the following:


1 Launch the Global SmartDashboard as described in “Create a
Global Security Policy” on page 83.
2 Select the SmartDefense and Web Intelligence tabs and
review the default configuration.
3 If desired, check for protection updates from either tab by
selecting General > Online Update and authenticating to the
User Center.
4 Modify the SmartDefense and Web Intelligence settings to your
liking, and then select Save.
5 Continue with the steps in Assign Global Policy.


Assign Global Policy
Global Security Policy and SmartDefense settings are assigned from the MDG.
1 In the MDG, click the Global Policies View button in the left-hand Selection Bar. The Security Policies Mode is displayed.
2 To assign the Global Policy, right-click a Global Policy and select Assign/Install Global Policy.... The Assign/Install Global Policy window is displayed.
FIGURE 4-9 Assign/Install Global Policy window
3 Select JustLawyers from the Customers not assigned to selected Policy list.
4 To install the assigned Policy on the Customer gateway, check Install last Policy on all gateways of assigned Customers. This instructs JustLawyers' CMA to install the assigned policy on the Customer gateway. This is equivalent to performing the Install Policy operation on the gateway in the Customer's SmartDashboard.


5 Click OK. A Global Policy Assignment window shows each step of the procedure, as the Global Policy is assigned to the CMAs of the selected Customers.

Check Assignment Status


To check if the policy assignment was successful, you can examine
status details in the Global Policies View - Security Policies and
SmartDefense mode. A green check mark indicates that the CMAs
of this Customer have been assigned the most recent Global Security
Policy and SmartDefense. A red mark in either column indicates
that either the Global Security Policy or SmartDefense
configuration has changed, and that Global Policy should be
reassigned to the relevant Customers.
FIGURE 4-10 Policy assignment details

Working with an Assigned Global Policy
When you assigned the Global Policy to the JustLawyers Customer, global objects were added to the Customer's database, and global rules were inserted into the rule base of JustLawyers' Security Policy.
To view the assigned policy:
1 Go to the General View in the MDG (in any of the three available modes).
2 Right-click JustLawyers' CMA, JustCMA, and select Launch Application > SmartDashboard.


When SmartDashboard opens, you can see that the global objects were added to the object lists, and that the global rules appear before and after the Customer Rules, which are now framed by two demarcation lines, called "place holders"; see FIGURE 4-11.
3 Compare the assigned rule base to the Customer's policy before the assignment (see FIGURE 4-6) and to the Global Policy rule base (FIGURE 4-7).
FIGURE 4-11 Global Rules in JustLawyers' Rule Base
The Customer Administrator cannot edit the assigned Global objects and rules. However, it is possible to use the Global objects in local rules, local object groups, and so on.
Once assigned, the Global Policy is attached to all the Customer's policies. It remains in effect until the Provider-1 Administrator removes it, or assigns another Global Policy to this Customer. If the Global Policy is changed (in the Global SmartDashboard), the Provider-1 Administrator can reassign it to the respective Customers.
All of these operations are available to the Provider-1 Administrator in the MDG's Global Policy View.
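The placeholder mechanism described under "Create a Global Security Policy" and the read-only behaviour described just above are easiest to see as data. The following Python model is an added example, not Check Point code: it merges a Global Policy around a Customer's own rules using the Place Holder for Customer Rules, adds the global objects to the Customer's object database, lets the Customer Administrator use global objects in local rules, and refuses the Customer Administrator's attempts to edit or delete global rules or objects. The rule fields, object scopes, sample JustLawyers policy and the placeholder name are simplifications constructed for the example.

```python
"""Model of assigning a Global Policy into a Customer's rule base.

Added example, not Check Point code. It models the behaviour described
above: the Global Policy rule base carries a Place Holder for Customer
Rules; on assignment the global rules above the placeholder go ahead of
the Customer's own rules and those below it go after them, the global
objects are added to the Customer's object database, and the Customer
Administrator may use global objects in local rules but cannot edit or
delete global rules or objects. Reassignment replaces the earlier global
content. Rule fields, object scopes and the placeholder name are
simplifications chosen for this example.
"""
import dataclasses
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PLACEHOLDER = "Place Holder for Customer Rules"   # assumed name of the marker row


class GlobalObjectReadOnly(Exception):
    """A Customer Administrator tried to change content owned by Global Policy."""


@dataclass(frozen=True)
class Rule:
    name: str
    source: str
    destination: str
    service: str
    action: str
    scope: str = "customer"          # "customer" or "global"


@dataclass
class CustomerPolicy:
    customer: str
    rules: List[Rule] = field(default_factory=list)
    objects: Dict[str, str] = field(default_factory=dict)   # object name -> scope
    assigned_global: Optional[str] = None
    trailing_global: int = 0         # number of global rules placed after the Customer rules


# Constructed sample Global Policy with one rule above and one below the placeholder.
GLOBAL_OBJECTS = ["NOC_Net", "Blocked_Sources"]
GLOBAL_RULES = [
    Rule("g-drop-blocked", "Blocked_Sources", "Any", "any", "drop", "global"),
    Rule(PLACEHOLDER, "-", "-", "-", "-", "global"),
    Rule("g-cleanup", "Any", "Any", "any", "drop", "global"),
]

# Constructed sample Customer policy for JustLawyers, before assignment.
JUSTLAWYERS = CustomerPolicy(
    customer="JustLawyers",
    rules=[Rule("allow-web", "JustLawyers_Net", "Any", "http", "accept")],
    objects={"JustLawyers_Net": "customer", "JustLawyers_GW": "customer"},
)


def assign_global_policy(name, global_rules, global_objects, policy):
    """Return a new CustomerPolicy with the global rules merged around the
    Customer's own rules and the global objects added to its database."""
    names = [r.name for r in global_rules]
    if names.count(PLACEHOLDER) != 1:
        raise ValueError("Global Policy needs exactly one Customer Rules placeholder")
    cut = names.index(PLACEHOLDER)
    before = [dataclasses.replace(r, scope="global") for r in global_rules[:cut]]
    after = [dataclasses.replace(r, scope="global") for r in global_rules[cut + 1:]]
    local_rules = [r for r in policy.rules if r.scope == "customer"]   # drop old global rules
    objects = {n: s for n, s in policy.objects.items() if s == "customer"}
    objects.update({n: "global" for n in global_objects})
    return CustomerPolicy(policy.customer, before + local_rules + after,
                          objects, name, len(after))


def _referenced_objects(rule):
    return {rule.source, rule.destination} - {"Any", "-"}


def customer_admin_add_rule(policy, rule):
    """Insert a Customer rule in the Customer section, i.e. before the
    trailing global rules. Global objects may be referenced."""
    if rule.scope != "customer":
        raise GlobalObjectReadOnly("Customer Administrators cannot add global rules")
    missing = _referenced_objects(rule) - set(policy.objects)
    if missing:
        raise KeyError("unknown objects: %s" % sorted(missing))
    policy.rules.insert(len(policy.rules) - policy.trailing_global, rule)
    return policy


def customer_admin_edit_rule(policy, rule_name, **changes):
    """Change fields of one of the Customer's own rules; global rules are read-only."""
    changes.pop("scope", None)       # scope can never be changed by a Customer Administrator
    for i, r in enumerate(policy.rules):
        if r.name == rule_name:
            if r.scope == "global":
                raise GlobalObjectReadOnly("%s belongs to the assigned Global Policy" % rule_name)
            policy.rules[i] = dataclasses.replace(r, **changes)
            return policy
    raise KeyError(rule_name)


def customer_admin_delete_object(policy, obj_name):
    """Delete a Customer object; global objects are read-only."""
    if policy.objects.get(obj_name) == "global":
        raise GlobalObjectReadOnly("%s is a global object" % obj_name)
    del policy.objects[obj_name]
    return policy


def rule_names(policy):
    return [r.name for r in policy.rules]
```

Assigning the sample Global Policy to JUSTLAWYERS yields the rule order g-drop-blocked, allow-web, g-cleanup; assigning it a second time leaves the order unchanged, which is the reassignment behaviour the text describes for a changed Global Policy.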

Working with Global SmartDefense


Customers assigned the Global SmartDefense subscription
receive the Global SmartDefense settings and updates each time
Global Policy is assigned.


Operation and Maintenance
Use MDG views to monitor the status of all Provider-1 system components and the results of management operations. Administrators use the following status indicators to monitor their network:
• Monitor network components:
  • Status and vital information of Gateways.
  • Status and vital information of the management components (MDSs, CMAs and CLMs).
  • Critical notifications for components that are not functioning correctly.
• Monitor the status of Global Policies and Global VPN Communities.
• Monitor Management High Availability status.
• Monitor administrators' activities.
Right-clicking a component in any MDG view shows a menu of relevant management tools and activities.

Status Monitoring using MDG Views
You can check that all components in the system (gateways, appliances, CLMs, CMAs, MDSs) are up and running. From the General View select Manage > Network Objects Mode.


FIGURE 4-12 General View - Network Objects Mode

The top pane displays information on each MDS, CMA, CLM, Module, and Check Point enabled appliance in the system. For Modules, CMAs or CLMs, the Customer name is displayed. For CMAs or CLMs, the hosting MDS is listed. If a Module is part of a cluster, the cluster to which it belongs is listed.
This view shows the state of a component at a glance: whether it is running, stopped, disconnected, or not responding.

TABLE 4-1 Statuses Available per Object

Status         Description
[status icon]  Displayed until the first status is received.
[status icon]  The component has started.
[status icon]  The component has stopped.
[status icon]  The component is disconnected.
[status icon]  At least one of the applications installed (on a module) is not running properly.
[status icon]  There is either no application installed (on a module), or the application cannot be reached.

Isolating Component Problems
The Critical Notifications Pane at the bottom of the General View - Network Objects Mode focuses on components which need attention. For example, it shows if a gateway has stopped running or is disconnected. For each component, the name, status and time of status update is shown.

MDS Status
MDSs are managed through the MDG's General View - MDS Contents Mode. This mode allows an administrator to perform MDS management activities and check all MDS statuses at a glance.
FIGURE 4-13 General View - MDS Contents Mode

Information is displayed for each MDS in the system. MDS Containers are signified by [icon] and MDS Managers are signified by [icon]. An MDS icon with a question mark indicates a new MDS server which has not yet established communication with the system.


Global Security Policies and SmartDefense
To see the status of Global Security Policies and SmartDefense, use the Global Policies View and select the Security Policies and SmartDefense mode.

This mode displays the global policies in the system and information such as:
• when they were last updated
• to which Customers they are assigned
• the time of assignment to the selected Customers
• whether the assigned customers have the updated policy

Administrators in the System
Use the Administrators View to view all administrators in the system, and the customers for which they are responsible. In this view you can:
• Add, edit and delete administrators.
• Assign an administrator to managed Customers and set the administrator's permissions with respect to each customer.
Use the Connected Administrators View to monitor the current activities of all administrators that are currently working with the system. Each row in this view shows an active management session.
To terminate a session, right-click on the session row, and select Disconnect....
FIGURE 4-14 Connected Administrators View


Monitor Customer Network Activity
The Provider-1 CMAs and CLMs monitor and log all the traffic, security, configuration and management events. Use the Check Point SmartConsole applications to view, analyze and report these events.

SmartView Tracker
SmartView Tracker shows all the events that were logged either at the Provider-1 MDS level or at the Customers' CMAs and CLMs. Use SmartView Tracker to view history and real-time logs, to view active connections or to audit administrators' actions. Use SmartView Tracker queries to search, filter and customize the displayed events.
• To view customer logs, select a CMA or a CLM, then right-click and choose Launch Application > SmartView Tracker.
• To view Audit logs, select an MDS manager, then right-click and choose Launch SmartView Tracker (Audit Mode).
FIGURE 4-15 SmartView Tracker (Demo Mode)

If there is an attack or other suspicious network activity, use SmartView Tracker to temporarily or permanently terminate the suspicious connections. For more information about using SmartView Tracker and setting up monitoring rules, see the SmartCenter Guide.


SmartView Monitor
SmartView Monitor allows you to inspect network traffic and connectivity. It provides real-time information about performance, throughput and security operations of your managed gateways. Traffic flow can be monitored in many different ways and cross sections. In the MDG, select a CMA, then right-click and choose Launch Application > SmartView Monitor.
FIGURE 4-16 SmartView Monitor (Demo Mode)

For more information, see the SmartView Monitor Guide.


Eventia Reporter
Use Eventia Reporter to generate information-rich reports about different aspects of your network.
In the MDG, select Launch Eventia Reporter from the Manage menu.
FIGURE 4-17 Eventia Reporter (Demo Mode)

See the Eventia Reporter Guide to understand how to generate reports.


Where to From Here?
You have now learned the basics that you need to get started. The next step is to obtain more advanced knowledge of your Check Point software.
Check Point documentation elaborates on this information and is available in PDF format on the Check Point CD as well as on the Technical Support download site at:
http://www.checkpoint.com/support/technical/documents/docs_r61.html
Be sure to also use our Online Help when you are working with the Check Point SmartConsole clients.
For additional technical information about Check Point products, consult Check Point's SecureKnowledge at:
https://secureknowledge.checkpoint.com



Index

A
Activation process 42
add customer wizard
  GUI clients 80
Add Driver 47
administrator
  adding 80
administrator authentication 68, 76
Administrators 61
authenticating the SmartCenter Server 68, 76
authentication
  fingerprint 68, 76

B
backward compatibility 39

C
centralized management 7, 13
Certificate Authority 61
Certificate Authority (ICA) 64, 66
Certificate Key 42
Check Point Configuration Tool 43
Check Point Enterprise 46
Check Point Enterprise/Pro 50, 52
Check Point Express 50, 52
Check Point Licenses
  Certificate Key 42
Compatibility Table 36
Configuration
  Enforcement Module 61
  SmartCenter Server 61
Configuration Tool 51, 53, 61, 62, 65, 66, 68
Connectra 7
console-based connection 58
cpconfig 59

D
Demo Mode 76
Device List 47
Devices 47
Distributed deployment 24
distributed deployment 46

E
End Users License Agreement 43
Enforcement Module 24, 27, 30, 32, 46, 51, 53, 57, 61, 66
Enforcement module 24
Enforcement Modules 40
Enterprise Base Support 43
Enterprise SmartCenter 51, 53, 66
Eventia Reporter 28, 29, 31

F
Fetch Import file from TFTP Server 50
Fingerprint 62, 64
fingerprint 68, 76
FTP server 58

G
general view
  overview 90
GUI Clients 61

H
Hardware Scan Details 47
HTTPS Server Configuration 48

I
ICA 61
Import Check Point Products Configuration 50
Installation
  Enforcement Module 61
Integrity 7
Internal Certificate Authority 61
InterSpect 7
IP address 61
IPSO 27
IPSO Wrapper 58

K
Key Hit Session 61

L
License
  get details 81
  paste 81
Licenses 40, 61
Linux 27, 56
Linux Platform 36
Log server 29, 32
Logging on
  first time 67, 76
Login
  authenticating the administrator 68, 76

M
Minimum Hardware Requirements 27
  Windows or Linux 27
Minimum Requirements 27
multiple platforms 45

N
Network Interface Configuration 48
Nokia Horizon Manager 58

O
Obtaining Licenses 42
OPSEC 64, 66

P
Paste License 81
Provider
  Configuring the MDS 72
  Installation 69
  Installing gateways 72
  Installing MDG client 75
  licensing 20
  MDG hardware requirements on Solaris 31
  MDS hardware requirements on SecurePlatform 33
  MDS hardware requirements on Solaris 30
  Networking 71
  Operations Center 71
  Terminology 25
  Uninstalling MDS and MDG 76
  What's new 18
provider
  login 76

R
Red Hat Enterprise Linux 3.0 36
Required Packages 34
Required Patches 34

S
Secure Internal Communication (SIC) 64, 66
SecureClient 28
SecuRemote 28
SecurePlatform 32, 48
Security Policy 24, 46
selection bar views
  general 90
SIC certificate 64, 67
SMART Client machine 64
SmartCenter 13
SmartCenter Server 24, 27, 30, 32, 67
  fingerprint 68, 76
SmartConsole 24
SmartConsole clients 46
SmartConsole management 40
SmartDashboard 24, 46
SmartLSM 28
SmartUpdate 28, 30, 43
SmartView Monitor 28
SmartView Tracker 24, 28, 30
Software Requirements 34
Solaris 30, 56
Solaris 8 UltraSPARC platforms 34
Solaris 9 UltraSPARC platforms 35
Standalone deployment 24
standalone deployment 46

T
TCP/IP network protocol 46
Time and Date Configuration 50

U
Upgrade 39
Upgrading Licenses 43
User Center 40

V
views
  general 90
VPN-1 on SecurePlatform 49
VPN-1 Pro 24, 27, 30, 32, 46

W
WEB UI 48
WebUI 51
Windows or Linux 27
Windows Platform 35
