Check Point L-71 Administration Manual Download Page 87

Page: 87 / 124

Appliance Configuration

Check Point 1400 Appliances Centrally Managed Administration Guide R77.20.85 | 87

To configure a

FreeRADIUS

server for non-local appliance users:

Create the dictionary file

dictionary.checkpoint

/etc/freeradius/

on the RADIUS

server:

# Check Point dictionary file for freeradius AAA server

VENDOR

CheckPoint 2620

ATTRIBUTE CP-Gaia-User-Role 229 string
CheckPoint

ATTRIBUTE CP-Gaia-SuperUser-Access 230 integer
CheckPoint

Add to

/etc/freeradius/dictionary

the line:

“$INCLUDE

dictionary.checkpoint”

Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user
configuration file:

CP-Gaia-User-Role =

<role>

Where

<role>

is the name of the administrator role that is defined in the WebUI.

Administrator Role

Value

Super Admin

adminRole

Read only

monitorrole

Networking Admin

networkingrole

To configure an

OpenRADIUS

server for non-local appliance users:

Create the dictionary file

dict.checkpoint

/etc/openradius/subdicts/

on the RADIUS server:

# Check Point Gaia vendor specific attributes

# (Formatted for the OpenRADIUS RADIUS server.)

# Add this file to etc/openradius/subdicts/ and add the line

# "$include subdicts/dict.checkpoint" to etc/openradius/dictionaries

# right after dict.ascend.

$add vendor 2620 CheckPoint

$set default vendor=CheckPoint

space=RAD-VSA-STD

len_ofs=1 len_size=1 len_adj=0

val_ofs=2 val_size=-2 val_type=String

nodec=0 noenc=0

$add attribute 229 CP-Gaia-User-Role

$add attribute 230 CP-Gaia-SuperUser-Access

val_type=Integer

val_size=4

Summary of Contents for L-71

Page 1: ...19 May 2020 Administration Guide CHECK POINT 1400 APPLIANCES CENTRALLY MANAGED Models L 71 L 71W L 71WD L 72 L 72W L 72P R77 20 85 Classification Protected...

Page 2: ...t assumes no responsibility for errors or omissions This publication and features described herein are subject to change without notice RESTRICTED RIGHTS LEGEND Use duplication or disclosure by the go...

Page 3: ...k140193 Latest Version of this Document Open the latest version of this document in a Web browser https sc1 checkpoint com documents R77 20 85 1400_Central_AdminGuide html_fr ameset htm Download the l...

Page 4: ...scale Deployment 23 Defining a SmartLSM Appliance Cluster Profile 23 Deploying with SmartProvisioning 24 Installing a Security Policy 25 Viewing the Policy Installation Status 25 SmartProvisioning 28...

Page 5: ...a Hotspot 72 Configuring the Routing Table 74 Configuring MAC Filtering 76 Configuring the DNS Server 79 Configuring the Proxy Server 79 Backup Restore Upgrade and Other System Operations 80 Configuri...

Page 6: ...onitoring Data 113 Viewing Reports 113 Using System Tools 113 SNMP 114 Advanced Configuration 115 Dynamic Routing 115 Upgrade Using a USB Drive 116 Upgrade Using an SD Card 117 Boot Loader 118 Upgrade...

Page 7: ...tion see the 1400 Security Gateway series product page https supportcenter checkpoint com supportcenter portal model version R77 os eventSu bmit_doShowproductpage productTab documents product 490 This...

Page 8: ...ted to an outlet The Power LED on the front panel lights up This indicates that the appliance is turned on The Alert LED on the front panel starts to blink This indicates that the appliance is booting...

Page 9: ...ou configure between 1 and 25 Check Point Appliance gateways using SmartDashboard Then you can manage device settings from SmartProvisioning Large scale deployment Where you configure over 25 Check Po...

Page 10: ...eck Point Appliance before or after you configure the appliance on site Options to define a gateway object Management First Define the gateway object in SmartDashboard before you configure and set up...

Page 11: ...ically when the Gateway connects to the Security Management server for the first time or Initiate trusted communication now 4 Click Connect A status window appears 5 Click Next To configure a dynamic...

Page 12: ...to other sites that participate in VPN community will be encrypted With this option connections that are initiated from other sites that are directed to hosts behind this gateway are not encrypted If...

Page 13: ...ns access the WebUI of the appliance These actions are only required to work with the Cluster Wizard in SmartDashboard Make sure a cable is connected between the two LAN2 SYNC ports of both appliances...

Page 14: ...on the same subnet as the SYNC interface of the second cluster member use a cross Ethernet cable for SYNC interface connection When you use the SmartDashboard cluster wizard the LAN2 interface is the...

Page 15: ...s selected enter a virtual IP Address and Net Mask for the cluster The virtual IP is applied in the next policy installation 13 Click Next 14 Repeat steps 12 14 for each defined interface 15 Click Fin...

Page 16: ...convert an existing Check Point Appliance to a cluster Note The procedures require some downtime Terms used GW the existing Check Point Appliance gateway object that has already established trust and...

Page 17: ...in the list press Help and make sure GW does not match any of the categories that prevent it from being added to a cluster Note Use the information on this Help page to determine if there are any con...

Page 18: ...zone After you associated a security zone object to the applicable interface on the gateway you can use it in a rule To create a rule with a security zone just add the security zone object to the Sou...

Page 19: ...d On each selected gateway independently On all selected gateways if it fails do not install on gateways of the same version 4 Click OK The Installation Process window shows the status of the Network...

Page 20: ...ucceeded Succeeded Policy installation succeeded but there are verification warnings Waiting for first connection A Check Point Appliance object is configured but the gateway is not connected to the S...

Page 21: ...eable IP address of the Security Management Server is manually configured to create a first connection When SIC is established between the appliance and Security Management Server the policy is fetche...

Page 22: ...is firmware upgrade package CP1400AS1100 If you do not use the CP1400AS1100 you cannot select the package in the view For R80 20 Manage the 1400 appliances as 1400 SMB appliances Large scale Deploymen...

Page 23: ...window click Help 5 Click OK and then install the policy Note To activate SmartProvisioning functionality you must install a security policy on the LSM profile 6 Continue in SmartProvisioning on page...

Page 24: ...e sure to configure it correctly The host octet for the Virtual IP addresses can be modified later 5 For each Virtual IP interface double click the text field to enter the interface name security zone...

Page 25: ...d On each selected gateway independently On all selected gateways if it fails do not install on gateways of the same version 4 Click OK The Installation Process window shows the status of the Network...

Page 26: ...ucceeded Succeeded Policy installation succeeded but there are verification warnings Waiting for first connection A Check Point Appliance object is configured but the gateway is not connected to the S...

Page 27: ...dow in these ways From the menu bar Click Policy Policy Installation Status From the toolbar Click the Policy Installation Status icon From the status bar Click Failed or Pending The contents of the P...

Page 28: ...General Properties 1 Enter a Name for the SmartLSM Security Gateway It cannot contain spaces or non alphanumeric characters 2 Enter an optional Comment that identifies the SmartLSM Security Gateway 3...

Page 29: ...t field To clear the key click Clear To initialize certification The SIC certificate must be shared between the Security Management Server and the SmartLSM Security Gateway With this SmartLSM wizard y...

Page 30: ...g a SmartLSM Appliance Cluster Make sure you have a SmartLSM cluster profile defined in SmartDashboard before you create a Small Office Appliance cluster in SmartProvisioning To create a new SmartLSM...

Page 31: ...o this step again for the second member 3 Click Next VPN Properties 1 Select how to create a VPN certificate For a CA certificate from the Internal Check Point CA select I wish to create a VPN Certifi...

Page 32: ...Device Settings You can manage device settings directly on individual gateways or you can use a SmartProvisioning Profile to manage multiple gateways For more information about provisioning profiles...

Page 33: ...ion time can be limited to a specified list of time ranges in the week They start at the nearest time range after firmware settings were applied You can also define that the download takes place immed...

Page 34: ...onization with a Security Gateway that references this profile b According to these time ranges Select to use the Security Gateway time or local time Add Edit Click Add or Edit to open the Time Range...

Page 35: ...on a Provisioning Profile 1 Open the Security Gateway Profile window and select the Hotspot tab 2 Select Manage Hotspot settings centrally from this application 3 Click Advanced The Profile Settings...

Page 36: ...tab other than General 3 Select management settings for gateways that reference the profile Manage settings locally on the device Each gateway that references this profile has its own settings config...

Page 37: ...e following settings Manage these settings on this gateway individually with the values given here Centrally Override mandatory Overriding profile settings is mandatory configure settings here To chan...

Page 38: ...com Note You cannot use Zero Touch if you connect to the internet through a proxy server Zero Touch enables a gateway to automatically fetch settings from the cloud when it is connected to the intern...

Page 39: ...hows the installation status It may take several minutes until the installation is complete Note If a collision is detected between an internal network LAN and an IP returned via DHCP WAN the conflict...

Page 40: ...without using the First Time Configuration Wizard The configuration file lets you configure more settings and parameters than are available in the First Time Configuration Wizard You can deploy config...

Page 41: ...aring the Configuration Files The Check Point Appliance Massive Deployment configuration files are composed of CLIsh commands These are the file names that can be used autoconf clish autoconf XX XX XX...

Page 42: ...onfiguration file Use the set property command to set the appliance to use a configuration file on a USB drive The USB drive can be inserted in the front or the rear USB port You can deploy the config...

Page 43: ...nfiguration Wizard to configure an appliance when the configuration file fails Restore the default settings to a partially configured appliance before you use the First Time Configuration Wizard to en...

Page 44: ...ion script that fails set hostname Demo1 set hostname Setting hostname to Demo1 OK set interface WAN internet primary ipv4 address 66 66 66 11 Error missing argument subnet mask for a new connection A...

Page 45: ...o a secure https site and asks for administrator credentials When you log in you can select the Save user name checkbox to save the administrator s user name The name is saved until you clear the brow...

Page 46: ...d lets you quickly navigate to the blade configuration page It also gives you Access to the basic settings of the blades with the Settings button cogwheel icon and lets you activate the blades Access...

Page 47: ...To go to other blade statistics click the arrows in the header 3 If the blade is turned off a Click View demo to see an example of the statistics shown b Click the X icon to close the demo To view an...

Page 48: ...ing 3 Click Next In the Security Management Server Connection page select a connection method To connect to the Security Management Server now select Connect to the Security Management Server now ente...

Page 49: ...egistration information is not successfully retrieved browse to https smbregistration checkpoint com 3 Complete the applicable fields in the User Center registration Appliance MAC address Appliance re...

Page 50: ...coming services usually indicate servers Zone Shows if the appliance is connected physically or through a wireless connection Traffic Shows upload and download packet rates for all IP addresses when t...

Page 51: ...monitoring report click Demo To close the sample reports click Back The number of current connections in the system is shown for VPN Tunnels Active Devices and Connections You can click the links to o...

Page 52: ...d devices Infected servers Recently active infected devices You can click All Infected Devices to open the Logs Monitoring Infected Devices page High risk applications Shows The number of high risk ap...

Page 53: ...e first 24 hour cycle after an appliance starts up after installation or an update the system adds one more time interval to the delta of the next applicable report interval For example for weekly rep...

Page 54: ...d and sent The number of infected devices servers and recently active infected devices The number of high risk applications the most used high risk applications and the top users of high risk applicat...

Page 55: ...ports and their state To display DSL statistics Click DSL Statistics A window opens and shows the statistic parameters To generate a CPInfo file 1 Click Generate CPInfo File A message next to the butt...

Page 56: ...ion or multiple connections in High Availability or Load Balancing configurations When multiple Internet connections are defined the page shows them in a table You can add a new connection and edit de...

Page 57: ...DSL modem You must enter the IP address the subnet mask default gateway and DNS Server Settings IPoE dynamic IP DSL only The Internet IP of the appliance is imported through DHCP IPoE static IP DSL T...

Page 58: ...a dual stack pure IPv6 network For PPPoE over ATM over VDSL ADSL or IPoE over ATM over VDSL ADSL or for an ADSL interface Enter the VPI number and VCI number you received from your service provider a...

Page 59: ...ss Assignment PPPoE IPv4 only In Local tunnel IP address select if the IP address is obtained automatically or manually configured If manually configured enter the IP address Service Provider Settings...

Page 60: ...nfigured in High Availability or Load Sharing modes When you configure more than one Internet connection the Device Internet page lets you toggle between these options The Advanced setting of each Int...

Page 61: ...able the Wireless network click Disable Enable To edit the radio settings 1 Click Radio settings 2 Select the correct Operation mode Channel Channel width and Transmitter power 3 Click Advanced to set...

Page 62: ...ver This option is also known as WPA Enterprise Network password When authenticating using a password enter a password or click Generate for an automatically generated password Show To see the passwor...

Page 63: ...te automatic rules that are shown in the Access Policy Firewall Policy page Allow access from this network to local networks Wireless network is trusted Log traffic from this network to local networks...

Page 64: ...ally acquired IP address Other Settings You can optionally configure these additional parameters so they will be distributed to DHCP clients Time servers Call manager TFTP server TFTP boot file X Wind...

Page 65: ...cified transmitter You can also use unassigned LAN ports to create an internet connection In the table these ports have the status Assigned to Internet Notes LAN ports assigned to internet connections...

Page 66: ...ork configure the settings for the switch Monitor Mode See below 3 Choose the IP address and Subnet mask the switch uses 4 Use Hotspot Select this checkbox to redirect users to the Hotspot portal befo...

Page 67: ...or mode in the WebUI 1 Go to Device Local Network 2 Select an interface and double click The Edit window opens in the Configuration tab 3 In the Assigned To drop down menu select Monitor Mode The Manu...

Page 68: ...ace is not part of any network and cannot be used One of the existing configured switches or bridges Separate network When selecting a separate network configure this information IP address Subnet mas...

Page 69: ...or more information on the maximum number of VLANs that you can configure for each appliance refer to sk113247 http supportcontent checkpoint com solutions id sk113247 Configure the fields in the tabs...

Page 70: ...the fields in the tabs Configuration tab In Bridge Configuration select the networks you want to be part of the bridge Enable Spanning Tree Protocol When Spanning Tree Protocol STP IEEE 802 1d is ena...

Page 71: ...d IPv6 Settings Configure the Router Advisement fields To create edit a Virtual Access Point VAP See the Device Wireless Network help page DHCP SLAAC Settings tab Note In IPv4 only mode this tab is ca...

Page 72: ...d custom options that are not listed above For each custom option you must configure the name tag type and data fields Configuring a Hotspot In the Device Hotspot page if a network interface was defin...

Page 73: ...t list enter the filter value The list shows the objects that match the filter 4 If necessary click New to add new objects to the list For information on how to create a new object see the Users Objec...

Page 74: ...pply The same user cannot log in to the Hotspot portal from more than one computer at a time On the Active Devices page available through the Home and Logs Monitoring tabs you can revoke Hotspot acces...

Page 75: ...IP address Internet connection Select an internet connection VPN Tunnel VTI Select the VPN Tunnel 3 Click OK 4 Click any source and select an option in the new window that opens Any Specified IP addr...

Page 76: ...vice Local Network page are only available for manually defined routing rules created on this page You cannot edit delete enable and disable routing rules created by the operating system for directly...

Page 77: ...CLI You cannot configure MAC filtering in the WebUI 802 1x Authentication Protocol IEEE 802 1x is a port based network access protocol that provides an authentication mechanism for devices that are ph...

Page 78: ...lect the LAN interface and click Edit 2 The Edit window opens in the Configuration tab 3 Click the Advanced tab 4 Clear Activate 802 1x authentication 5 Click Apply To configure logging for MAC filter...

Page 79: ...ck Point Appliance functions as your DNS proxy and provides DNS resolving services to internal hosts behind it network objects This option is global and applies to all internal networks To get IP addr...

Page 80: ...ick OK in the confirmation message The factory default settings are restored The appliance reboots to complete the operation Note This does not change the software image Only the settings are restored...

Page 81: ...rade The Upgrade Software Wizard opens 2 Follow the Wizard instructions Note The firewall remains active while the upgrade is in process Traffic disruption can only be caused by Saving a local image b...

Page 82: ...licy click the checkbox 3 To enable IPv6 networking click the checkbox 4 Click Apply Note This causes the appliance to reboot Using the Software Upgrade Wizard Follow the instructions in each page of...

Page 83: ...k settings and DNS configuration The backup file also contains the Secure Internal Communication certificate and your license If you want to replace an existing appliance with another one you can rest...

Page 84: ...Only Administrators cannot update appliance configuration but can change their own passwords or run a traffic monitoring report from the Tools page Networking Administrator Limited permissions Networ...

Page 85: ...S server is selected by default 5 Configure the role for each user on the RADIUS server See additional details below Note A user without role definition will get a login error 6 If you select Use defa...

Page 86: ...lted RADIUS server for non local appliance users 1 Create the dictionary file checkpoint dct on the RADIUS server in the default dictionary directory that contains radius dct Add these lines to the fi...

Page 87: ...ole Where role is the name of the administrator role that is defined in the WebUI Administrator Role Value Super Admin adminRole Read only monitorrole Networking Admin networkingrole To configure an O...

Page 88: ...or serial console client 2 Log in to the Clish shell using your user name and password 3 Run Expert 4 Enter the expert password Configuring Administrator Access The Device Administrator Access page l...

Page 89: ...table 6 Change the WEB Port HTTPS and or SSH port if necessary 7 Click Apply An administrator can access the Check Point Appliance using the configured IP addresses through the allowed interface sour...

Page 90: ...Point Appliance Note The appliance name can only contain alphanumeric characters and the hyphen character Do not use the hyphen character as the first or last character Important If the gateway s Inte...

Page 91: ...S account details in one of the supported providers Configure a service that lets you remotely connect to the appliance in instances where it is behind NAT a firewall or has a dynamically assigned IP...

Page 92: ...y The validation token web link and shell link are shown on the page 5 Go to Device Administrator Access Configure Internet as a source for administrator access and set specified IP addresses When the...

Page 93: ...can select and assign a Web portal certificate from the list of installed certificates with the exception of the Default certificate The new certificate must be configured on the Installed Certificate...

Page 94: ...nsult with Check Point support when necessary To filter the list of attributes 1 Enter text in the Type to filter field The search results are dynamically shown as you type 2 To cancel the filter clic...

Page 95: ...the console port There are three modes for working with this port Console This is the default mode configured The port is used to access the appliance s console Active Instead of connecting through t...

Page 96: ...secret 3 For temporary or guest users click Temporary user Enter the expiration date and time 4 To give the user remote access permissions select Remote Access permissions 5 Click Apply The user is ad...

Page 97: ...e Administrators page lists the Check Point Appliance administrators and lets you Create new local administrators Configure the session timeout Limit login failure attempts Administrators can also be...

Page 98: ...nistrator from the list 2 Click Delete 3 Click Yes in the confirmation message Note You cannot delete an administrator who is currently logged in To allow access for administrators defined in a remote...

Page 99: ...the Check Point Appliance When a non local user logs in to the appliance the RADIUS server authenticates the user and assigns the applicable permissions You must configure the RADIUS server to correc...

Page 100: ...ictionary file dictionary checkpoint in etc freeradius on the RADIUS server Check Point dictionary file for freeradius AAA server VENDOR CheckPoint 2620 ATTRIBUTE CP Gaia User Role 229 string CheckPoi...

Page 101: ...CP Gaia User Role add attribute 230 CP Gaia SuperUser Access val_type Integer val_size 4 2 Add the line include subdicts dict checkpoint to etc openradius dictionaries immediately after dict ascend 3...

Page 102: ...1812 Shared secret The secret between the RADIUS server and the Check Point Appliance Show Displays the shared secret Timeout seconds A timeout value in seconds for communication with the RADIUS serv...

Page 103: ...IP protocol if you selected Type Other ICMP type and ICMP code Enter the ICMP type and code that you want the service object to represent as listed in RFC 792 This option is only relevant if you selec...

Page 104: ...does not contain the services you need For information on creating a new service object see the Users Objects Services page 5 Click Apply The New Service Group window opens and shows the services you...

Page 105: ...ry Allow DNS server to resolve this object name When the gateway is the DNS server for your internal networks the name of the server network object is translated to its IP address Exclude from DHCP se...

Page 106: ...administrator of the Security Management Server that centrally manages this gateway must complete prerequisite steps You can use this page to manage URLs lists Add new URLs IP addresses or regular exp...

Page 107: ...d after URLs lists are predefined in the appliance s security policy If a list was removed or renamed in the Security Management Server a warning shows above the table and next to the URLs List in the...

Page 108: ...lick Query Syntax in the table header To see the security log record 1 Select a log entry from the list 2 Click View Details or double click the entry The log record opens To refresh the security log...

Page 109: ...tor notifications for events which occurred on the appliance These are the syslog types Info Informative logs such as policy change information administrator login details and DHCP requests Notice Not...

Page 110: ...l Select Show Obfuscated Fields Obfuscated packets are shown as plain text 6 Select logs to forward System logs Security logs Both system and security logs 7 Click Apply To configure additional syslog...

Page 111: ...installed When you download an infected file there is a possibility that the file was opened or triggered and infected the host or server Object name Shows the object name if the host or server was c...

Page 112: ...e See the Threat Prevention Threat Prevention Blade Control page for a description of the action types Log Select the tracking option None Log or Alert Logs are shown on the Logs Monitoring Security L...

Page 113: ...fresh to manually refresh this page with updated tunnel information Note This page is available from the VPN and Logs Monitoring tabs Viewing Active Connections The Logs Monitoring Connections page sh...

Page 114: ...d enable SNMP versions in addition to v3 SNMP v3 Users To add a new SNMP v3 user click New To edit an existing SNMP v3 user select the user from the list and click Edit To delete an SNMP v3 user selec...

Page 115: ...ospf area backbone ospf_area range ip_prefix on off area backbone ospf_area range ip_prefix restrict on off stub network ip_prefix on off stub network ip_prefix stub network cost 1 677722 set ospf int...

Page 116: ...he power source 2 Place the Boot loader file on a USB drive in the top folder Do not rename the file 3 Make sure the top folder of the USB drive does not contain any previous Boot loader or Firmware i...

Page 117: ...ates a new factory default image Back up your settings so you can restore them after the installation is complete Note From R77 20 85 and higher SD cards are formatted with ext4 In earlier versions SD...

Page 118: ...tenance Mode 4 Restore to Factory Defaults local 5 Install Update Image Boot Loader from Network 6 Restart Boot Loader 7 Run Hardware diagnostics 8 Install DSL Firmware Upload preset configuration fil...

Page 119: ...are asked if you want to manually load the image from a TFTP server or if you want to use automatic mode with a bootp server 4 If you select manual mode you are asked to fill in the IP of the Check P...

Page 120: ...ctivity LEDs blink orange and green alternately to show progress This takes some minutes When this completes the appliance reboots automatically To restore factory defaults with the button on the back...

Page 121: ...y n select y to continue and restore the appliance to its factory defaults settings While factory defaults are restored all LAN Link and Activity LEDs blink orange and green alternately to indicate pr...

Page 122: ......

Page 123: ...an Existing Check Point Appliance to a Cluster 16 Creating a Cluster for New Gateways 13 Creating a Gateway 28 Creating a SmartLSM Appliance Cluster 30 Creating the Security Policy 17 D Defining a Gat...

Page 124: ...onfiguration Files 43 U Upgrade Using a USB Drive 116 Upgrade Using an SD Card 117 Upgrade Using Boot Loader 119 Using System Tools 54 92 113 Using the set property Command 44 Using the Software Upgra...

Search results

Summary of Contents for L-71

Reviews:

Related manuals for L-71

Brands by name

Popular brands

Check Point L-71, Administration Manual

Search results

Summary of Contents for L-71

Reviews:

Related manuals for L-71

Brands by name

Popular brands