Internet Security Product Suite Getting Started Guide
Version NGX R65
703049 July 16, 2008
© 2003-2008 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks.
For third party notices, see “THIRD PARTY TRADEMARKS AND COPYRIGHTS” on page 145.
Contents
Chapter 1 Introduction
  Welcome page 9
  In This Guide page 11
  NGX R65 Documentation page 11
  Endpoint Security Integration page 11
  Documentation Feedback page 12
  For New Check Point Customers page 12
  What’s New in NGX R65 page 13
    SmartCenter page 14
    FireWall and SmartDefense page 14
    Connectra Central Management page 15
    VPN page 15
    ClusterXL page 15
    Eventia Analyzer page 15
    Eventia Reporter page 16
    SecureClient Mobile page 16
    UTM-1 Edge page 16
    Provider-1/SiteManager-1 page 16
    IPS-1 page 17
Chapter 2 Getting Started
  VPN-1 Power/UTM Terminology page 24
  Provider-1/SiteManager-1 Terminology page 25
  Hardware and Software Requirements page 27
  Compatibility Tables page 28
  Supported Upgrade Paths and Interoperability page 31
    VPN-1 Upgrade Paths and Interoperability page 31
    Upgrading SmartCenter Servers page 32
    Backward Compatibility For Gateways page 33
    IPS-1 Upgrade Paths and Interoperability page 34
  Licensing NGX R65 page 35
    Licensing VPN-1 Power/UTM page 35
    Licensing Provider-1/SiteManager-1 page 37
    Licensing IPS-1 page 38
    Licensing Eventia Suite page 38
Chapter 3 VPN-1 Setup and Installation
  Overview page 41
  Installing SecurePlatform with VPN-1 page 43
    Installing SecurePlatform Using the NGX CD page 43
    Installing SecurePlatform Using the Network page 45
    Initially Configuring SecurePlatform page 51
    Installing NGX Products on SecurePlatform page 52
    Configuring SecurePlatform Using WebUI page 54
  Installing NGX Products on Windows page 55
  Installing NGX Products on Solaris or Linux page 58
  Installing NGX Products on Nokia page 60
    Enabling Native IPSO Security Servers page 63
  Initially Configuring NGX Products page 64
  Where To From Here? page 73
Chapter 4 Provider-1 Setup and Installation
  Overview page 75
  Building the Standard Provider-1 Network page 78
    Setting Up Networking page 78
    Installing the Gateways page 79
    Installing and Configuring the MDS page 79
    Installing SmartConsole and the MDG Client page 82
    Installing SmartConsole page 82
    Installing the MDG page 82
    Uninstalling Provider-1 page 83
  Logging Into the MDG page 84
  Where To From Here? page 87
Chapter 5 IPS-1 Setup and Installation
  Overview page 90
    IPS-1 System Architecture page 90
    Platforms page 92
  IPS-1 Deployment page 93
    IPS-1 Sensor Deployment page 93
    IPS-1 Management Deployment page 95
  IPS-1 Management Installation and Setup page 98
    Installation of IPS-1 Management Servers page 98
  IPS-1 Sensor Appliances page 104
    Introduction page 104
  IPS-1 Sensor Installation page 109
    Connecting to IPS-1 Sensors page 109
    Installing SecurePlatform and IPS-1 Sensors page 110
    Initial Configuration of IPS-1 Sensors page 112
    Initial Configuration of IPS-1 Power Sensor page 114
  IPS-1 Management Dashboard Installation page 116
  Post-Installation Steps page 116
    Configuring NTP on SecurePlatform page 116
    Completing IPS-1 Management Setup page 118
    Completing IPS-1 Sensor Setup page 122
  Where To From Here? page 126
Chapter 6 Installing the Eventia Suite
  Eventia Suite Installation page 128
  Standalone Installation vs. Distributed Installation page 129
    Installing Eventia Suite on Multiple Versions of SmartCenter Management page 129
  Standalone Installation page 130
    Windows Platform page 130
    Solaris & Linux Platforms page 132
    SecurePlatform page 132
  Distributed Installation page 133
    Windows Platform page 133
    Solaris & Linux & SecurePlatform page 135
  Enabling Connectivity Through a Firewall page 136
  Preparing Eventia Suite in SmartCenter page 138
    Working with R55 SmartCenter Server page 139
  Preparing Eventia Suite on Provider-1 MDS page 140
    For Provider-1/SiteManager-1 Version R55 page 140
    For Provider-1/SiteManager-1 Version R60 page 142
    For Provider-1/SiteManager-1 Version R61 and Up page 143
Chapter 1 Introduction
In This Chapter
Welcome page 9
In This Guide page 11
NGX R65 Documentation page 11
Endpoint Security Integration page 11
Documentation Feedback page 12
For New Check Point Customers page 12
What’s New in NGX R65 page 13
Welcome
Thank you for choosing Check Point’s Internet Security Product Suite. We hope that you will be satisfied with this solution and our support services. Check Point products provide your business with the most up-to-date and secure solutions available today.
Check Point also delivers worldwide technical services including educational, professional, and support services through a network of Authorized Training Centers, Certified Support Partners, and Check Point technical support personnel to ensure that you get the most out of your security investment.
To extend your organization’s growing security infrastructure and requirements, we recommend that you consider adopting the OPSEC platform (Open Platform for Security). OPSEC is the industry's open, multi-vendor security framework, which has over 350 partners and the largest selection of best-of-breed integrated applications and deployment platforms.
For additional information on the NGX Internet Security Product Suite and other security solutions, go to: http://www.checkpoint.com or call Check Point at 1(800) 429-4391. For additional technical information, go to: http://support.checkpoint.com.
For more information about the current release, see the latest version of the Release Notes at:
http://support.checkpoint.com
Welcome to the Check Point family. We look forward to meeting all of your current and future network, application, and management security needs.
In This Guide
This guide provides a brief overview of NGX R65 Internet Security Product Suite applications and deployment and installation procedures.
NGX R65 Documentation
Technical documentation is available on your NGX R65 CD-ROM at: CD2\Docs\CheckPoint_Suite. These documents can also be found at: http://support.checkpoint.com
To find out about what's new in NGX R65, read the NGX R65 What’s New document.
For information on upgrading your current Check Point deployment, refer to the Check Point R65 Upgrade Guide.
For upgrading Endpoint Security, refer to the Endpoint Security Installation Guide.
Endpoint Security Integration
For in-depth documentation of Provider-1/SiteManager-1 and SmartCenter Integration with Check Point Endpoint Security products, refer to:
• Endpoint Security Installation Guide
• R65 SmartCenter Administration Guide
Documentation Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:
For New Check Point Customers
New Check Point customers can access the Check Point User Center in order to:
• Manage users and accounts
• Activate products
• Get support offers
• Open service requests
• Search the Technical Knowledge Base
To access the Check Point User Center, go to: https://usercenter.checkpoint.com/pub/usercenter/get_started.html.
What’s New in NGX R65
The NGX Internet Security Suite is a Check Point product that provides superior usability and management of your organization’s security environment. SmartCenter is now integrated with Connectra, InterSpect, and Integrity, enabling centralized management and monitoring of all security enforcement points.
NGX R65 has expanded its intelligent inspection technologies in VPN-1 Power and incorporates additional complex application support into state-of-the-art stateful-inspection and application intelligence technology.
The following sections offer a brief overview of the advancements offered in NGX R65. For more information, see the What’s New in Check Point Enterprise Suite NGX R65 document.
In This Section:
SmartCenter page 14
FireWall and SmartDefense page 14
Connectra Central Management page 15
VPN page 15
ClusterXL page 15
Eventia Analyzer page 15
Eventia Reporter page 16
SecureClient Mobile page 16
UTM-1 Edge page 16
Provider-1/SiteManager-1 page 16
IPS-1 page 17
SmartCenter
NGX R65 introduces an additional infrastructure that enables the use of management plug-ins. The new plug-ins architecture introduces the ability to dynamically add new features and support for new products. Management plug-ins offer central management of gateways and other features not supported by your current NGX R65 SmartCenter or Provider-1/SiteManager-1. Management plug-ins supply new and separate packages that consist only of those components necessary for managing new gateway products or specific features, thus avoiding a full upgrade to the next release. Each plug-in:
• Is supplied with relevant documentation
• Is installed on SmartCenter Server or Gateway
• Requires a specific version of SmartDashboard
For more information, refer to:
• CheckPoint_R65_SmartCenter_AdminGuide.pdf
• CheckPoint_R65_Provider1_AdminGuide.pdf
or visit:
http://www.checkpoint.com/ngx/upgrade/plugin/index.html
FireWall and SmartDefense
• AMT Support for Linux and SecurePlatform gateways
• Aggressive Aging
• EPS Enforcement
• Web (URL) Filtering
• Layer-2 Firewall deployment
• SIP enhancements for VoIP
• SYN cookies
Connectra Central Management
• New Connectra tab
• New tab for SmartDefense and Web Intelligence updates
• Support for Provider-1/SiteManager-1
• Support for SmartView Monitor counters
VPN
• Same local IP and Cluster IP address for VTIs
• Anti-spoofing for unnumbered interfaces on IPSO
• Dynamic routing support for remote VTIs in clusters
• Configurable metrics for dial-up routes
• Increased interoperability between SecurePlatform and IPSO
• Route-based VPN Improvements
• Customer defined scripts for VPN peers
• Route-based VPN and IP Clustering support
• RIM performance improvements on IPSO
ClusterXL
• Interface bonding for creation of a fully meshed redundant topology in High Availability configurations
• Support for multicast routing failover
Eventia Analyzer
Eventia Analyzer, for collecting, correlating, and consolidating network events in a central repository, is now included in the R65 product suite.
Eventia Reporter
• IPv6 Reporting
• DNS implementation
• Remote license management
• Installation options
• Support for multiple SmartCenter Servers from R54 onwards
• Integration with Eventia Analyzer
• Support for multiple Eventia Reporters in deployment
• Result limitation
SecureClient Mobile
SecureClient Mobile is a new client for mobile devices that includes VPN and firewall functionality and will be the future platform for additional features, including various security and compliance features. SecureClient Mobile replaces SecureClient for PocketPC. Designed to work on multiple platforms, SecureClient Mobile allows for easy deployment and upgrade.
For more information, the “What’s New” documentation is available online at http://www.checkpoint.com/techsupport/downloads.jsp.
UTM-1 Edge
With UTM-1 Edge you can now select a destination for the log files. The destination can be the SmartCenter server or Syslog (a standard logging mechanism in Unix based machines).
Provider-1/SiteManager-1
• Management Plug-ins View.
• Install on Dynamic Objects.
• Gateway Function Oriented Global Policy.
• Global Manager.
IPS-1
IPS-1 is now included in and delivered with the NGX R65 product suite.
IPS-1 is a Check Point product that provides superior usability and management of your organization’s internal security. The IPS-1 Server can now be integrated with SmartCenter, enabling centralized user management.
Version NGX R65 of IPS-1 also introduces significant improvements in functionality, usability, and design. The release also includes resolution of some limitations.
Check Point recommends that all existing NFR and Check Point customers upgrade their deployments to this version. New deployments should also be installed using the current version. From versions 5.x of all Management Servers, existing installations can be smoothly upgraded. Earlier versions, and all Sensors, will require full software re-installation.
This section briefly lists new features of version NGX R65. For more information, see the IPS-1 NGX R65 Release Notes.
In This Section
Sensors page 18
IPS-1 Management Dashboard page 19
Alerts Concentrator and IPS-1 Server page 20
System Terminology page 21
Sensors
Platforms
Check Point delivers the IPS-1 Power 1000 and 2000 (C/F) Sensor, for critical high-bandwidth (up to 4 Gbps in passive mode and 2 Gbps in inline mode) network security applications. The IPS-1 Power Sensors are delivered only as a pre-installed appliance, running BiviOS with Check Point’s IPS-1 software.
For regular (non-Power) Sensors of the current release, Check Point delivers both hardware with pre-installed software, and a software-only version. Both versions include Check Point’s SecurePlatform operating system and the IPS-1 Sensor software.
Regular (non-Power) Sensors are supported only on Check Point’s SecurePlatform. The Sensor installation (for the software-only version, or for eventual re-installation) and command-line configuration procedures are similar to those of Check Point’s VPN-1 network security products.
New Features
• Improved usability of configuration process.
• Enhanced security by hiding the encryption passphrase in cpinfo output.
• Licensing of all components is defined in IPS-1 Management Dashboard’s License Manager, accessible from the Policy Manager.
N-Code Enhancements
• N-Code optimizer performance and functionality improvements.
• New N-Code packet variables.
• The N-Code packet variable system.inline now indicates the Sensor’s current mode.
• New N-Code tcpwindowmaxsize built-in exception.
IPS-1 Management Dashboard
New Functionality
• System Settings tab in Policy Manager provides additional tools for controlling system behavior and performance.
• Single-tier Profile management.
• Option in Protection Overview to display only changed values.
• Granular control of protections including Active/Inactive, Confidence slider, and protection-specific variables.
• Ability to change Sensor Mode from Policy Manager, and new Sensor Mode column available in Alert Browser.
Usability and Design
• Significant design and usability improvements in all views, windows, and messages.
• Policy Manager now similar to Check Point’s SmartDefense.
• Policy Manager’s less commonly used features hidden except in the new Advanced mode.
• Protections are configured on their own individual pages.
• Protection Overview is now accessed from the Protection navigation tree in Policy Manager.
• Raw N-Code names replaced with user-friendly display names.
• Settings dialogs enhanced to prevent entering invalid configuration data.
• New Tooltips.
• Alert Browser filters have been re-organized alphabetically.
Other Changes
• IPS-1 Management Dashboard is now supported only on Windows.
Alerts Concentrator and IPS-1 Server
NGX R65 Integration
The IPS-1 Server and Alerts Concentrator can be installed on Check Point’s Linux-based SecurePlatform, in addition to other operating systems. SecurePlatform NGX R65 is supplied with IPS-1.
The IPS-1 Server (alone or with an Alerts Concentrator) can be installed together with a SmartCenter server for managing a VPN-1 deployment. In this case, IPS-1 will access and recognize SmartCenter administrator information, but not regular user information. It will be possible to log into the IPS-1 Server via the IPS-1 Management Dashboard with a SmartCenter Server administrator name and password. For usernames common to both IPS-1 and SmartCenter, the IPS-1 password and privileges will override the SmartCenter settings.
Functionality
• Alert transmission performance from Alerts Concentrators to IPS-1 Server has been significantly improved.
• Space Manager database access performance has been significantly improved.
• Export/Import windows replace the DBTool command-line utility for IPS-1 Server data migration, backup, and restore.
• Import and Export of IPS-1 Server data can now be safely performed while the system is running.
Resolved Limitations
• Fixed problem that caused intermittent database freezes.
• Space Manager now takes turns with other processes rather than blocking the Management Dashboard’s access to alert data.
System Terminology
Some IPS-1 terminology has changed. These include changes resulting from moving to the Check Point product line and other changes. The changes are:
Table 1-1
Old Term | New Term
NFR Sentivist | IPS-1
Sentivist (Power) Sensor | IPS-1 (Power) Sensor
Sentivist Server | IPS-1 Alerts Concentrator
Sentivist Enterprise Server | IPS-1 Server
Sentivist Protection Center | IPS-1 Management Dashboard
Package | Protocol (except for some special packages)
Backend | Protection Group
Alert definition / signature | Protection
Alert rule | Action
Alert Configuration (Policy Manager tab) | Alert Actions
Policy Inspector | Protection Overview
Inline fail-passthrough | Inline fail-open
Inline fail-severed | Inline fail-closed
Inline bridge | IPS Monitor-Only
Encryption Passphrase | Activation Key
Chapter 2 Getting Started
This chapter contains information and terminology related to installing NGX R65.
In This Chapter:
VPN-1 Power/UTM Terminology page 24
Provider-1/SiteManager-1 Terminology page 25
Hardware and Software Requirements page 27
Compatibility Tables page 28
Supported Upgrade Paths and Interoperability page 31
Licensing NGX R65 page 35
VPN-1 Power/UTM Terminology
The following VPN-1 Power/UTM terms are used throughout this chapter:
• Distributed Deployment: When the gateway and the SmartCenter server are installed on separate machines.
• Gateway: The VPN-1 engine that enforces the organization’s security policy and acts as a security enforcement point.
• Security Policy: The policy created by the system administrator that regulates the flow of incoming and outgoing communication.
• SmartCenter Server: The server used by the system administrator to manage the security policy. The organization’s databases and security policies are stored on the SmartCenter server and downloaded to the gateway.
• SmartConsole: GUI applications that are used to manage various aspects of security policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs.
• SmartDashboard: A SmartConsole GUI application that is used by the system administrator to create and manage the security policy.
• Standalone Deployment: When Check Point components responsible for the management of the security policy (the SmartCenter server and the gateway) are installed on the same machine.
Provider-1/SiteManager-1 Terminology
The following Provider-1/SiteManager-1 terms are used throughout this chapter.
• Customer: A business entity or subdivision of a business entity whose networks are protected by VPN-1 gateways, VPN-1 UTM Edge appliances or other Check Point compatible firewalls. The Customer’s security policies and network access are managed using Provider-1/SiteManager-1.
• Customer Log Module (CLM): A log server for a single Customer.
• Customer Management Add-on (CMA): The Provider-1 equivalent of the SmartCenter server for a single Customer. Using the CMA, an administrator creates security policies and manages customer gateways.
• GUI Client: A computer running Check Point GUI interfaces, such as the Provider-1 MDG, and other SmartConsole applications.
• Internal Certificate Authority (ICA): In addition to authenticating administrators and users, the ICA creates and manages X.509 compliant certificates for Secure Internal Communication (SIC) between VPN-1 gateways. The MDS has an ICA that secures the Provider-1 management domain. Each CMA has its own ICA to secure its customer’s management domain.
• Multi-Domain Log Module (MLM): An MDS Container dedicated to collecting and storing logs. An MLM is a Container of Customer Log Modules (CLMs).
• Multi-Domain Server (MDS): A server that houses Provider-1 system information. The MDS contains information on Provider-1 deployment, administrators, and customer management. The MDS has two modes:
• Manager: Runs the Provider-1 deployment and is the administrator’s entry point into the Provider-1 environment.
• Container: Holds the Customer Management Add-ons (CMAs).
An MDS can be a Manager, a Container or both.
• Provider-1 Administrator: A security administrator, assigned with granular permissions, that manages specific parts of the Provider-1 system. Administrators can be assigned one of the following four permission levels:
• Provider-1 Superuser: Manages the entire Provider-1 system, which includes all MDS servers, administrators (with all permission levels), Customers and customer networks.
• Customer Superuser: Manages all administrators (with lower permission levels), Customers and customer networks.
• Global Manager: A new type of administrator account in the MDG. With access to Global SmartDashboard, a Global Manager is capable of managing global policies and global objects. For a Global Manager to have additional access to CMA policies, read-write or partial access rights must be specifically assigned.
• Customer Manager: Manages customer networks for specific Customers. Administrators with this permission level can use the MDG application, but they can only view and manage their assigned customers.
• None: Manages customer networks for specific Customers, but cannot access the MDG application.
Hardware and Software Requirements
For all hardware and software requirements for each product and platform, see the latest version of the relevant Release Notes at:
http://support.checkpoint.com
Compatibility Tables
If the existing Check Point implementation contains products that are not supported by NGX R65, the NGX R65 installation process terminates. Table 2-1 and Table 2-2 list the NGX R65 supported Check Point products and VPN clients by platform.
Table 2-1 NGX R65 Supported Products by Platform
Platform and Operating System columns (left to right): Solaris UltraSPARC 8, 9 & 10; Microsoft Windows Server 2003 (SP1-2); Microsoft Windows 2000 Advanced Server (SP1-4); Microsoft Windows 2000 Server (SP1-4); Microsoft Windows 2000 Professional (SP1-4); Microsoft Windows XP Home & Professional; RHEL 3.0 (kernel 2.4.21); Check Point SecurePlatform; Nokia IPSO 4.1 - 4.2.
Support marks (X) for each product are given in column order as printed; a number in parentheses refers to the notes that follow the table.
Check Point Product | Supported platforms
VPN-1 Power / UTM | X X X X X X(1) X(2)
SmartCenter Server | X X X X X X X(3)
Provider-1/SiteManager-1 Server (MDS) | X X(4) X
VPN-1 Power VSX (5) | X
Endpoint Security Server | X X X X X
Eventia Suite (6) | X X X X X X
UserAuthority Server | X X X X X X X X X(7)
SSL Network Extender Server | X X X X X X X
SmartConsole Applications | X(8) X X X X X
Provider-1/SiteManager-1 MDG | X X X X X X
SmartPortal | X X X X X X
SmartLSM - Enabled Management & Enabled ROBO / CO Gateways | X(9) X X X X X X
ClusterXL | X X(10) X X X X X(11)
VPN-1 Accelerator Driver II | X(12)
VPN-1 Accelerator Driver III | X X X X X X
VPN-1 Accelerator Driver IV | X X X
Advanced Routing | X X(13)
Performance Pack | X X X(14)
SecureXL Turbocard | X(15)
OSE Supported Routers: Nortel Versions: 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14; Cisco OS Versions: 9.x, 10.x, 11.x, 12.x
Notes to Compatibility Table
1. Anti Virus and Web (URL) Filtering are included on SecurePlatform.
2. Anti Virus and Web (URL) Filtering are supported on Nokia IPSO 4.2 only.
3. UTM-1 Edge devices cannot be managed from a SmartCenter server running on a Nokia IPSO platform.
4. Provider-1/SiteManager-1 is supported on both RHEL 3.0 AS and ES.
5. VPN-1 Power VSX gateways are also supported on Crossbeam Systems X-Series Security Services Switches.
6. Eventia Suite includes Eventia Reporter Server, Eventia Analyzer Server, and the Eventia Analyzer Correlation Unit.
7. UserAuthority is not supported on Nokia flash-based platforms.
8. The following SmartConsole clients are not supported on Solaris UltraSPARC platforms: SmartView Monitor, SmartLSM, Eventia Reporter Client, Eventia Analyzer Client, and the SecureClient Packaging Tool.
9. Enabled ROBO Gateways are not supported on Solaris platforms.
10. HA Legacy mode is not supported on Windows Server 2003.
11. ClusterXL is supported only in third party mode with VRRP or IP Clustering.
12. VPN-1 Accelerator Driver II is supported on Solaris 8 only.
13. Nokia provides Advanced Routing as part of IPSO.
14. Nokia provides SecureXL as part of IPSO.
15. NGX-compatible Turbocard driver is available at http://www.checkpoint.com/downloads/quicklinks/downloads_tc.html.
16. RHEL 3.0 & 4.0, AS & ES.
17. Solaris 8 is not supported for IPS-1 Management Server and Alerts Concentrator.
Table 2-2 NGX R65 Supported Clients by Platform
Operating System columns (left to right): Windows Server 2003 (SP1); Windows 2000 Server / Advanced Server (SP1-4); Windows 2000 Professional (SP1-4) / XP Home & Professional; Windows Mobile 2003 / 2003SE / 5.0; Mac OS "X"; Linux.
Support marks (X) for each client are given in column order as printed; a number in parentheses refers to the note that follows the table.
Check Point Product | Supported platforms
SecuRemote | X X X
SecureClient | X X X X
SecureClient Mobile | X
SSL Network Extender | X X X
Endpoint Security clients (1) | X X
Notes to Clients Compatibility Table
1. Microsoft Installer support is required for installation of Endpoint Security clients on the Windows platform.
Supported Upgrade Paths and Interoperability
In This Section
VPN-1 Upgrade Paths and Interoperability page 31
Upgrading SmartCenter Servers page 32
Backward Compatibility For Gateways page 33
IPS-1 Upgrade Paths and Interoperability page 34
VPN-1 Upgrade Paths and Interoperability
SmartCenter servers and gateways exist in a wide variety of deployments. Consult Table 2-3 and Table 2-4 to determine which versions of your Management Server and Gateways can be upgraded to NGX R65.
Upgrading SmartCenter Servers
The following SmartCenter server versions can be upgraded to NGX R65:
Table 2-3 SmartCenter server Upgrade Paths
Release | Version
NGX | VPN-1 Power/UTM NGX R62; VPN-1 Pro/Express NGX R61; VPN-1 Pro/Express NGX R60A; VPN-1 Pro/Express NGX R60
NG | VPN-1 Pro NG R55W; VPN-1 Pro/Express NG With Application Intelligence R55; VPN-1 Pro/Express NG R55P; VPN-1 Pro/Express NG With Application Intelligence R54; VPN-1 Pro/Express NG FP3; Express CI R57 (Advanced Upgrade only); GX 2.5
VSX | VSX 2.0.1; VSX NG AI; VSX NG AI Release 2
Backward Compatibility For Gateways
NGX R65 SmartCenter server supports the following gateway versions:
Table 2-4 Backward Compatibility for Gateways
Note - NGX R65 cannot manage gateway versions NG, NG FP1, or NG FP2
Release   Version
NGX       VPN-1 Power/UTM NGX R62
          VPN-1 Pro/Express NGX R61
          VPN-1 Pro/Express NGX R60A
          VPN-1 Pro/Express NGX R60
NG        VPN-1 Pro NG R55P
          VPN-1 Pro NG R55W
          VPN-1 Pro/Express NG With Application Intelligence R55
          VPN-1 Pro/Express NG With Application Intelligence R54
          VPN-1 Pro/Express NG FP3
          Express CI R57
          GX 2.5, 2.5, NGX
VSX       VSX NG AI
          VSX NG AI Release 2
          VSX NGX
          InterSpect NGX
          Connectra NGX R62
Upgrading versions 4.0 and 4.1
Upgrading from versions prior to NG (4.0-4.1) is not supported. To upgrade FireWall-1 versions 4.0-4.1, upgrade the installed version to VPN-1 NG R55 (refer to the NG with Application Intelligence R55 Upgrade Guide). Once the VPN-1 NG R55 upgrade is complete, perform an upgrade to NGX R65.
For more information on upgrading your deployment, refer to the Check Point R65 Upgrade Guide.
IPS-1 Upgrade Paths and Interoperability
Upgrade Paths
Non-Power Sensors installed on SecurePlatform cannot be upgraded to the current version. A new installation is required.
Alerts Concentrators and IPS-1 Management Servers, including NFR Sentivist Servers and Enterprise Servers, and IPS-1 Power 1000 and 2000 Sensors, of versions 5.x, can be upgraded to the current version. From earlier versions, completely reinstall.
Interoperability
Management components of the current release, such as IPS-1 Management Server, Alerts Concentrators and Management Dashboard, are compatible with Sensors of versions 4.1 onwards.
The different management components (IPS-1 Management Server, Alerts Concentrators and Management Dashboard) must always be of the same version.
Licensing NGX R65
Most of the software on this CD is automatically enabled for a 15-day evaluation period. To obtain a permanent license, or to extend the evaluation period, go to the Check Point User Center at: https://usercenter.checkpoint.com.
Customers new to the Check Point User Center should go to: https://usercenter.checkpoint.com/pub/usercenter/get_started.html
For further licensing assistance, contact Account Services at: [email protected], or US +1 972-444-6600, option 5.
In This Section
Licensing VPN-1 Power/UTM page 35
Licensing Provider-1/SiteManager-1 page 37
Licensing IPS-1 page 38
Licensing Eventia Suite page 38
Licensing VPN-1 Power/UTM
Licenses are required for the SmartCenter server and the gateways. No license is required for SmartConsole management clients.
Check Point gateways enforce the license installed on the gateway by counting the number of users that have crossed the gateway. If the maximum number of users is reached, warning messages are sent to the console.
The Check Point software is activated using a certificate key, which is located on the back of the software media pack. The certificate key is used to generate a license key for products that you want to evaluate or purchase. To purchase Check Point products, contact your reseller.
Obtaining a License Key
To obtain a license key from the Check Point User Center:
1. Add the required Check Point products/evaluations to your User Center account by selecting Accounts & Products > Add Products.
2. Generate a license key for your products/evaluations by selecting Accounts & Products > Products.
Select your product(s) and click Activate License. The selected product(s) evaluations have been assigned license keys.
3. Complete the installation and configuration process by doing the following:
a. Read and accept the End Users License Agreement.
b. Import the product license key. Licenses are imported using the Check Point Configuration Tool or SmartUpdate. SmartUpdate allows you to centrally upgrade and manage Check Point software and licenses. The certificate keys associate the product license with the SmartCenter server, which means that:
• The new license remains valid even if the IP address of the Check Point gateway changes.
• Only one IP address is needed for all licenses.
• A license can be detached from one Check Point gateway and assigned to another.
Upgrading VPN-1 Power/UTM Licenses
Customers with versions prior to NGX R60 are required to obtain a new license when they upgrade to NGX R65. Check Point NGX R60 software does not work with licenses from previous NG versions.
The upgrade procedure is free of charge to purchasers of the Software Subscription service (Enterprise Base Support).
Licenses for versions prior to NG cannot be upgraded directly to NGX. You must first upgrade to NG and then upgrade the licenses from NG to NGX.
The license upgrade procedure runs the license_upgrade command, which makes it easy to automatically upgrade licenses.
For additional information on upgrading licenses, refer to the Upgrading VPN-1 Power/UTM Licenses to NGX R65 chapter in the Check Point R65 Upgrade Guide.
Licensing Provider-1/SiteManager-1
Provider-1/SiteManager-1 licenses are associated with the IP address of the licensed entity. The Provider-1 Multi-Domain Server (MDS) license is based on the server type: Manager, Container, Combined Manager and Container, or Multi-Domain Log Manager (MLM).
Manager: A license for the administrator's entry point into the Provider-1/SiteManager-1 environment. The Multi-Domain GUI (MDG) and the Global SmartDashboard tools can connect only to MDS servers with this license.
Container: A license that defines the maximum number of CMAs running on the MDS machine. With the exception of Provider-1 Enterprise Edition licenses, multiple container licenses can be added together on one container to enable the container to hold up to a maximum of 250 CMAs. In addition, each CMA requires its own CMA license. CMA Pro Add-on licenses, allowing additional management features at the CMA level, can be purchased in bulk. These purchase packages are called Pro Add-ons for MDS.
Combined Manager and Container: These licenses combine a Manager license with a Container license for a specific number of CMAs. In the case of SiteManager-1 licenses, there are no separate Manager and Container versions available, only the Combined Manager and Container license.
MLM: A comprehensive license that includes the Customer Log Modules (CLMs) it hosts. There is no need for a separate CLM license if CLMs are hosted on an MLM. A CLM hosted on an MDS server requires its own CLM license.
Each gateway requires its own license. Licenses are determined according to the number of computing devices (nodes) protected by the gateway. Provider-1 licenses can be imported using the Check Point command-line licensing tool or Provider-1's MDG. For additional information, refer to the Provider-1/SiteManager-1 Administration Guide.
Licensing IPS-1
The IPS-1 Management Server requires a license, defined with the ability to manage a fixed maximum number of Sensors. In a Combined installation, where the Alerts Concentrator is installed together with the IPS-1 Management Server, the Alerts Concentrator shares the IPS-1 Management Server’s license.
For any separate Alerts Concentrators and for all Sensors, obtain and add licenses. Licenses are added using IPS-1’s Management Dashboard.
The IPS-1 Management Dashboard does not require a license. However, without a licensed IPS-1 Management Server, the IPS-1 Dashboard will function only in Demo mode.
All licenses are stored on the IPS-1 Management Server and must have been generated according to the IPS-1 Management Server’s IP address.
Licensing Eventia Suite
All Eventia Suite licenses are installed on the Eventia Suite Server (not on the SmartCenter server).
Correlation Units are licensed by the number of units that are attached to the Eventia Analyzer Server.
Chapter 3 VPN-1 Setup and Installation
In This Chapter
Overview page 41
Installing SecurePlatform with VPN-1 page 43
Installing NGX Products on Windows page 55
Installing NGX Products on Solaris or Linux page 58
Installing NGX Products on Nokia page 60
Initially Configuring NGX Products page 64
Where To From Here? page 73
Overview
Check Point software is designed to work across multiple platforms and pre-configured appliances. Each installation differs depending on the product and the platform.
For upgrading an existing installation of VPN-1, see the Upgrade Guide.
VPN-1 NGX R65 can be installed in the following two types of deployments:
• Standalone Deployment: Check Point components that are responsible for the management of the security policy (the SmartCenter server and the gateway) are installed on the same machine.
• Distributed Deployment: The gateway and the SmartCenter server are installed on different machines.
In both deployments, SmartConsole can be installed on any machine. The installation consists of the following steps:
• Install the components that manage or enforce the security policy (for example, the SmartCenter server, the gateway, and the log server).
• Install one or more SmartConsole clients to manage different aspects of VPN-1 Power/UTM. For example, SmartDashboard is used by the system administrator to manage and create the security policy. Any number of SmartConsole GUI applications can be installed on the same machine.
Note - The TCP/IP network protocol must be installed, properly configured, and operational before you begin the installation process.
Installing SecurePlatform with VPN-1
In This Section
Installing SecurePlatform Using the NGX CD page 43
Installing SecurePlatform Using the Network page 45
Initially Configuring SecurePlatform page 51
Installing NGX Products on SecurePlatform page 52
Configuring SecurePlatform Using WebUI page 54
Installing SecurePlatform Using the NGX CD
To install SecurePlatform using the NGX R65 CD:
1. Insert CD1 from the media pack into the CD drive, and boot the computer from the CD. After booting, Welcome to Check Point SecurePlatform appears. If you do not press Enter within 90 seconds, the computer boots from the hard drive.
The installation program is loaded.
2. The following options are displayed:
• Device List: When selected, the Hardware Scan Details menu displays.
• Add Driver: When selected, the Devices menu opens. Sometimes updated hardware is incompatible with the previous version’s driver and you receive an error message during installation because the operating system could not find the appropriate hard disk driver. Alternatively, the installation may be complete, but the hardware does not function properly. The Add Driver option enables you to add the missing driver during the installation process.
3. Select OK to install. The System Type screen opens.
4. When prompted "What type of system would you like to install?", select one of the following options, depending on the license you purchased:
• SecurePlatform
• SecurePlatform Pro (includes the Advanced Routing Suite and additional enhancements such as RADIUS authentication for administrators)
The Keyboard Selection menu opens.
5. Select a keyboard type.
6. From the Network Interface Configuration menu, define the management interface IP address, netmask and default gateway for the first network interface (eth0 on most systems).
7. From the HTTPS Server Configuration menu, enable or disable web-based configuration using SecurePlatform’s WebUI.
Note - If you intend to deploy VPN-1’s remote access or Endpoint Security software, select a port other than 443.
8. Select OK.
A message confirms that you are about to format your hard drive.
Warning - The formatting procedure erases all information located on your hard drive.
9. Select OK to format your hard drive, and extract and install SecurePlatform software components. The installation process can take several minutes to complete.
10. Remove the installation CD from the drive.
11. Select OK to reboot your system.
Continue to “Initially Configuring SecurePlatform” on page 51.
Installing SecurePlatform Using the Network
SecurePlatform can be installed using the network, by locating the CD distribution files on a remote file server, accessible by the target machine. Three types of servers (and protocols) can be used:
• FTP
• HTTP (web)
• NFS
In order to perform a network based installation:
1. Prepare the file server.
2. Boot the target machine from the SecurePlatform boot diskette.
3. Point the installation program to your server.
Preparing a Network Installation Server
Prepare a Network Installation server by locating the CD distribution files on one of the supported remote file servers.
FTP
To prepare an FTP server as the Network Installation server:
1. Install an FTP server on a machine in your local network, or use an existing server.
2. Create a user account. (FTP installation can be either anonymous, or authenticated.)
3. Create a file server directory that will accommodate the distribution files, and that can be accessed by an FTP client.
4. Copy the entire contents of the SecurePlatform CD to the file server directory created in step 3.
5. Test the FTP connectivity from a remote machine before performing the installation.
Note - You will use the user account and path to access the files.
Note - A Windows machine cannot be used as an FTP or HTTP server for installation.
HTTP
To prepare an HTTP server as the Network Installation server:
1. Install an HTTP server on a machine in your local network, or use an existing server.
2. Create a directory that will accommodate the distribution files and that can be accessed by an HTTP client.
3. Copy the entire contents of the SecurePlatform CD to the file server directory created in step 2.
4. Test accessing the relevant URL from a remote machine, before performing the installation.
Note - You will use a URL to access the files.
NFS
To prepare an NFS server as the Network Installation server:
1. Install an NFS server on a machine in your local network, or use an existing server.
2. Create a new directory, under a shared subdirectory, that will accommodate the distribution files, and that can be accessed by an NFS client.
3. Copy the entire contents of the SecurePlatform CD to the file server directory created in step 2. Alternatively, you can export or mount the CD itself.
4. Test accessing the mounted directory from a remote machine, before performing the installation.
Note - You will use the path to access the files.
Preparing a Network Installation Boot Diskette
You can install SecurePlatform from the network, using an FTP, HTTP, or NFS server. To do so, you must prepare a special network installation boot diskette, using the cpawrite utility.
You will need:
• a clean (formatted) 1.44 inch diskette
• the SecurePlatform CD
• a Windows PC
1. Insert the diskette and the CD into the PC.
2. Browse the CD to SecurePlatform/Images.
3. Drag the bootnet.img file to the cpawrite icon.
This will start the process that creates the network installation boot diskette.
To install SecurePlatform, using an FTP, HTTP, or NFS server:
1. Insert the floppy Boot Diskette that you created into the floppy drive and boot from there.
After rebooting, the SecurePlatform with Application Intelligence Installation screen is displayed.
2. Click Enter to confirm the installation. If you choose not to continue, you will be asked to remove the CD, or the diskette, and to reboot.
After confirmation, the Welcome menu is displayed.
3. Select OK and press Enter. The Installation Method menu is displayed:
Figure 3-1 Installation Method menu
4. Select one of the following network installation methods, select OK, and press Enter.
• NFS image
• FTP
• HTTP
The Interface Selection menu is displayed.
Figure 3-2 Interface Selection menu
5. Select the Network Interface Card, connected to the network, where the file server is running, select OK and press Enter.
The Configure TCP/IP menu is displayed.
Figure 3-3 Configure TCP/IP menu
6. Specify the IP settings for this machine, select OK and press Enter. These IP settings will be used to create a TCP session to the file server, and will remain valid after installation is completed.
Depending on your Network Installation Method (FTP, HTTP, NFS), a selection window, asking for session parameters, will be displayed.
7. Enter the session details, select OK and press Enter. When asked for a path, enter the path to the directory where SecurePlatform resides. If you are using non-anonymous FTP, you will be asked for the account details.
The installation program reads the distribution files from the network, and the Welcome menu is displayed.
Note - Do not disconnect the network connection until you are instructed to reboot the target computer.
Initially Configuring SecurePlatform
After the operating system installation is complete and the computer has rebooted:
1. From the SecurePlatform boot menu, Start in normal mode.
2. Log in using admin as your username and password.
3. When prompted, change the default username and password. Ensure that the new password contains more than six characters and has a combination of uppercase and lowercase letters and numbers.
4. Run: sysconfig
A first-time configuration wizard opens, and displays a Welcome message.
5. Press n to proceed to the next menu.
The following Network Configuration menu options are displayed:
Option                Purpose
Host Name             Sets and displays the host name
Domain Name           Sets and displays the domain name
Domain Name Servers   Adds, removes, displays domain name servers
Network Connections   Adds, configures, removes, displays network connections
Routing               Sets and shows a default gateway
6. Use the menu options to configure:
• The host name
• The domain name and at least one DNS server
• The computer’s network interfaces
• The default gateway (if required)
7. Once Network Configuration is complete, select the Time and Date Configuration menu option and configure the following:
• Time zone
• Date
• Local time
• Show date and time settings
8. Press n.
The Import Check Point Products Configuration window opens and displays the Fetch Import file from TFTP Server option. If you exported the configuration of another SecurePlatform installation, you can now import that configuration. For additional information, see the Upgrade Guide.
9. Press n to continue to products installation.
Continue with the following section.
Installing NGX Products on SecurePlatform
The Check Point product installation wizard continues from SecurePlatform’s first-time system configuration (sysconfig) wizard. Alternatively, run: sysconfig, and select Products Installation.
1. The wrapper welcome message appears, beginning the installation wizard. Press n.
2. Read and accept the End User License agreement.
3. Select which version of VPN-1 to install, either Check Point Power or Check Point UTM.
4. Select New Installation, or Installation Using Imported Configuration (the configuration imported in step 8).
Depending on the VPN-1 version you selected in step 3, a product list is displayed:
Check Point Power     Check Point UTM
VPN-1 Power           VPN-1 UTM
User Authority        User Authority
SmartCenter           SmartCenter UTM
Eventia Suite         Eventia Suite
Endpoint Security     Endpoint Security
Performance Pack      Performance Pack
SmartPortal           SmartPortal
5. Select the appropriate products and press n.
a. If you selected SmartCenter, decide whether it should be installed as a primary or secondary SmartCenter and whether a Log server should also be installed.
b. Select whether or not to install the Connectra Management NGX plug-in, which enables the central management of Connectra NGX R62CM gateways.
6. A message validates your choice of SmartCenter server. Press n.
SmartCenter server is installed. The Check Point Configuration Tool guides you through steps to define (for SmartCenter):
a. Licenses
b. Administrators
c. GUI clients
d. A Certificate authority
See: “Using the Configuration Tool on Unix Systems” on page 68.
7. Reboot the machine. IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections, for example, install policy operations. This policy remains in place until you have installed the first Security Policy.
Configuring SecurePlatform Using WebUI
You can also use the WebUI to configure network settings, apply a license, and install and configure products. After system reboot, use your browser to connect to the IP address specified in step 6 on page 44.
Installing NGX Products on Windows
The NGX R65 installation on a Windows platform is GUI based. The windows displayed during installation differ depending on the installed Check Point components.
To perform a new installation on a Windows platform:
1. Log on as Administrator and insert the CD. The wrapper automatically starts and a Congratulations message displays.
Review the Evaluation Options or select Read More about Installation and click Forward.
2. Accept the terms of the End Users License Agreement.
3. Select which version of VPN-1 to install, either Check Point Power or Check Point UTM.
4. Select one of the following installation options:
• Demo installation (SmartConsole only)
• New installation
• Installation using an imported configuration (for additional information, refer to the Check Point R65 Upgrade Guide)
5. Click Forward.
If you selected Installation Using Imported Configuration, you are prompted to provide the location of the imported configuration file.
Depending on the VPN-1 version you selected in step 3, a list of products is displayed:
Check Point Power     Check Point UTM
VPN-1 Power           VPN-1 UTM
SmartCenter           SmartCenter UTM
Eventia Suite         Eventia Suite
SmartConsole          SmartConsole
Endpoint Security     Endpoint Security
VPN-1 Client          VPN-1 Client
SmartPortal           SmartPortal
User Authority        User Authority
6. Select the products you wish to install and click Forward.
a. If you selected SmartCenter, decide whether it should be installed as a primary or secondary SmartCenter and whether a Log server should also be installed.
b. Select whether or not to install the Connectra Management NGX plug-in, which enables the central management of Connectra NGX R62CM gateways.
7. Confirm installation of selected products. Click Forward.
The selected products are installed.
8. To complete the installation process, configure the SmartCenter server or the gateway using the Check Point Configuration Tool. For first time installations, the Configuration Tool runs automatically and prompts you to (for SmartCenter):
a. Add licenses
b. Add administrators
c. Specify remote clients from which an administrator can log into SmartCenter server
d. Initialize the Internal Certificate Authority
e. Export the SmartCenter server fingerprint to a text file
For additional information, refer to the “Configuration Tool Overview” on page 64.
9. Reboot the machine. IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections, for example, install policy operations. This policy remains in place until you have installed the first Security Policy.
Installing NGX Products on Solaris or Linux
NGX R65 installation on Linux and Solaris platforms is run from a command line, with a wizard that guides you through installation. For SecurePlatform there is a separate installation procedure which is described in “Installing SecurePlatform with VPN-1” on page 43.
To perform a new installation on a Linux or Solaris platform:
1. Mount the CD on the appropriate subdirectory.
2. From the root directory of the CD, run:
./UnixInstallScript
The wrapper welcome message appears, beginning the installation wizard. Press n.
3. Read and accept the terms of the End User License Agreement.
4. Select which version of VPN-1 to install, either Check Point Power or Check Point UTM, and press n.
5. Select New Installation and press n.
6. Depending on the VPN-1 version you selected in step 4 a product list is displayed:
Check Point Power Check Point UTM
VPN-1 Power VPN-1 UTM
SmartCenter SmartCenter UTM
Eventia Suite Eventia Suite
Endpoint Security Endpoint Security
Performance Pack (on Solaris) Performance Pack (on Solaris)
SmartPortal SmartPortal
User Authority User Authority
7. Select the products you wish to install and press n.
8. If you selected SmartCenter:
a. Select whether it should be installed as a primary or secondary SmartCenter, and whether a Log server should also be installed.
b. Select whether or not to install the Connectra Management NGX plug-in, which enables the central management of Connectra NGX R62CM gateways.
9. Confirm the selected products by pressing n.
10. Once product installation is complete, the Check Point Configuration tool will prompt for various configuration options. For a SmartCenter, the stages are:
a. Add licenses. The Check Point Configuration program only manages local licenses on this machine. The recommended way to manage licenses is using SmartUpdate.
b. Configure GUI clients (a list of hosts that are able to connect to the SmartCenter server using SmartConsole).
c. Configure group permissions by specifying a group name.
d. Configure the Certificate Authority, and save the CA’s Fingerprint to a file.
11. Reboot the machine.
IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections such as install policy operations. This policy remains in place until you have installed the first security policy.
Installing NGX Products on Nokia
The NGX R65 installation on Nokia platforms is performed from a console or Nokia Network Voyager (a secure web-based network element management application). Use a console to perform the initial configuration.
You can also use Nokia Horizon Manager to install and configure Check Point components on multiple Nokia appliances simultaneously. For additional information, refer to Nokia Horizon Manager documentation on the Nokia Support website:
http://support.nokia.com
NGX R65 software packages for Nokia IPSO 4.1 and 4.2 are available from the Check Point download center at: http://www.checkpoint.com/techsupport/downloads.jsp.
If you have purchased a new Nokia gateway with IPSO 4.2 already installed, then skip to step 13 on page 61.
If you are performing a new installation on an older IPSO gateway, then start here:
Before Installing:
• From the Check Point website, download: IPSO_Wrapper_R65.tgz.
• From Nokia, download: UTM-Base Build 004
Note - Verify from Nokia that you have IPSO 4.2 with UTM compatibility (IPSO 4.2 Build 041)
To install NGX R65 with UTM functionality:
1. Enter the Network Voyager and open a CLI console.
2. Click System Configuration > Install New IPSO Image.
The New Image Installation Upgrade window opens.
3. Enter the following information (for IPSO 4.2):
• Enter URL to the image location
• Enter HTTP Realm (for HTTP URLs only)
• Enter Username (if applicable)
• Enter Password (if applicable)
4. Click Apply.
You are informed that the file download and image installation may take some time.
5. Click Apply.
A message is displayed indicating that the new image installation process has started.
6. When you receive a Success message, click UP > UP > Manage IPSO Images.
The IPSO Image Management window opens.
7. Under the title Select an image for next boot, select the last downloaded image: IPSO 4.2
8. Click Test Boot.
9. Access the CLI console to see when the Reboot is complete. Once the Reboot is complete, go back to the Network Voyager to verify that the image was set properly.
10. In the Network Voyager, click Refresh and log in.
11. If you are not returned to the last window you were in, click System Configuration > Manage IPSO Images.
You should be able to see that the relevant IPSO Image is selected.
12. Select Commit testboot and click Apply.
13. Access the CLI console, and log in.
14. Type newpkg, and press Enter.
15. Use the FTP menu option to transfer the UTM-Base package.
16. Install the UTM-Base package.
Wait until a message informs you that the process is complete.
17. Activate the UTM-Base package.
18. In Voyager, verify that the UTM Base package is turned ON.
19. On the CLI, type newpkg, and press Enter.
20. Use the FTP menu option to transfer the IPSO_Wrapper_R65.tgz package.
21. Install the IPSO_Wrapper_R65 package.
Wait until a message informs you that the process is complete.
22. Type Reboot and press Enter.
23. From a console connection, run cpconfig.
24. Select a product:
• Check Point Power for headquarters and branch offices
• Check Point UTM for medium-sized businesses
25. Select an installation type, Stand Alone or Distributed.
26. Select Enterprise SmartCenter from the selection list.
27. Specify the SmartCenter type as Primary or Secondary.
28. Add Licenses.
29. Configure an administrator name and password.
30. Configure the GUI clients and hosts which can access the SmartCenter server using SmartConsole.
31. Configure Group Permissions.
32. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
33. Configure the Certificate Authority, and save the CA’s Fingerprint to a file.
34. Start the installed products.
If you opt not to start the installed products at this time, they can be started later by running cpstart.
35. Reboot.
Enabling Native IPSO Security Servers
Once Anti-virus and Web filtering is enabled, the relevant traffic is blocked from passing through the gateway. If the relevant traffic is not blocked, run the fwlinux2ipso command on the gateway to manually activate the native IPSO security servers. (When the UTM-Base package was installed and activated, the native IPSO security servers should have been activated as well.)
Initially Configuring NGX Products
In This Section
Configuration Tool Overview page 64
Using the Configuration Tool on Windows Systems page 65
Using the Configuration Tool on Unix Systems page 68
Logging In for the First Time page 69
Configuration Tool Overview
The Configuration Tool runs automatically once the installation process is complete. The Configuration Tool can also be run manually by running the cpconfig command.
The configuration options vary according to installed product. The examples in this chapter are for a SmartCenter server.
The Configuration Tool is used to configure:
• Licenses: Generates a license for the SmartCenter server and the gateway.
• Administrators: Creates an administrator with SmartCenter server access permissions. The administrator must have Read/Write permissions in order to create the first security policy.
• GUI Clients: Creates a list of names or IP addresses for machines that can connect to the SmartCenter server using SmartConsole.
• Key Hit Session: Creates a random seed for use in various cryptographic operations.
• Certificate Authority: Provides definitions that are used to initiate the Internal Certificate Authority, which enables secure communication between the SmartCenter server and its gateways. For some operating systems, such as Windows, you must specify the name of the host where the ICA resides. You may use the default name or provide your own. The ICA name should be in the hostname.domain format, for example, ica.checkpoint.com.
• Fingerprint: Verifies the identity of the SmartCenter server the first time you log in to SmartConsole. Upon SmartConsole login, a Fingerprint is displayed. This Fingerprint must match the Fingerprint shown in the Configuration Tool window in order for authentication to succeed. You may want to export this Fingerprint for verification purposes when you log in to SmartConsole for the first time.
Using the Configuration Tool on Windows Systems
To configure the NGX R65 using the Configuration Tool on Windows systems:
1. Open the Configuration Tool by selecting Start > Run > cpconfig.
2. In the Licenses tab, perform one or both of the following procedures:
a. Fetch one or more licenses from a file.
i. Click Fetch from File.
ii. Browse to the license file, select it and click Open. The license(s) that belong to this host are added.
b. Add a license manually.
i. Click Add. The Add License window opens.
ii. Configure the appropriate options in the Add License window.
iii. Click OK to add the newly configured license.
3. Click Next.
4. In the Administrators tab, click Add. Add an administrator that uses SmartConsole to connect to the SmartCenter server. From NGX version R60, only one administrator can be added using the Configuration Tool. Additional administrators can be added using SmartDashboard.
5. From the Add Administrator window, configure the required parameters and click OK.
6. Click Next.
7. On the GUI Clients tab, add a GUI client.
8. Type the GUI client’s name in the Remote hostname field.
9. Click Add. You can add a GUI client using any of the following formats:
• IP address: For example, 1.2.3.4.
• IP/netmask: A range of IP addresses, for example, 192.168.10.0/255.255.255.0.
• Machine name: For example, Alice, or Alice.checkpoint.com.
• Any: Any IP address.
• IP1-IP2: A range of IP addresses, for example, 192.168.10.8 - 192.168.10.16.
• Wild cards: For example, 192.168.10.
10. Click Next.
Note - If you do not define at least one GUI client, you can only manage the SmartCenter server from a GUI client that runs on the same machine as the SmartCenter server.
11. In the Certificate Authority tab, add a name using the <hostname>.<domain name> format, for example, <hostname>.checkpoint.com. This option enables you to initialize an Internal Certificate Authority (ICA) on the SmartCenter server and a Secure Internal Communication (SIC) certificate for the SmartCenter server. SIC certificates authenticate communication between Check Point communicating components, or between Check Point communicating components and OPSEC applications.
12. Click Next. The Fingerprint window opens and displays the Fingerprint of the SmartCenter server. The Fingerprint, a text string derived from the SmartCenter server certificate, is used to verify the identity of the SmartCenter server that is being accessed through SmartConsole.
13. From the Fingerprint window, click Export to file and save the file. The Fingerprint is exported to a text file that can be accessed from the SmartConsole client machine(s) and used to confirm the Fingerprint of the SmartCenter server.
14. Once configuration using the Configuration Tool is complete, do the following:
a. From SmartConsole, perform a first time connection to the SmartCenter server. The Fingerprint of the SmartCenter server displays.
b. Ensure that the SmartCenter server Fingerprint matches the Fingerprint displayed in SmartConsole.
15. Close the Configuration Tool.
Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.
Note - Do not perform a first time connection to the SmartCenter server from SmartConsole unless the SmartCenter server Fingerprint is accessible and you can confirm that it matches the Fingerprint displayed in SmartConsole.
Using the Configuration Tool on Unix Systems
To complete the installation process, use the Check Point Configuration Tool to configure the SmartCenter server or gateway.
To configure the NGX R65 using the Configuration Tool on Unix systems:
1. Access the Configuration Tool.
2. Add licenses. A license can be added manually or fetched from a file.
3. Add administrators. Add an administrator that uses SmartConsole to connect to the SmartCenter server. Only one administrator can be added using the Configuration Tool. Additional administrators can be added using SmartDashboard.
4. Define GUI clients. You can add GUI clients using any of the following formats:
• IP address: For example, 1.2.3.4.
• IP/netmask: A range of IP addresses, for example, 192.168.10.0/255.255.255.0.
• Machine name: For example, Alice, or Alice.checkpoint.com.
• Any: Any IP address.
• IP1-IP2: A range of IP addresses, for example, 192.168.10.8 - 192.168.10.16.
• Wild cards: For example, 192.168.10.
5. Initialize the Internal Certificate Authority. This option enables you to initialize an Internal Certificate Authority (ICA) on the SmartCenter server and a Secure Internal Communication (SIC) certificate for the SmartCenter server. SIC certificates authenticate communication between Check Point communicating components, or between Check Point communicating components and OPSEC applications.
Note - For first time installations, the Configuration Tool runs automatically. The Configuration Tool can also be run after installation is complete using the cpconfig command.
6. Export the SmartCenter’s fingerprint to a text file. The fingerprint, a text string derived from the SmartCenter server certificate, is used to verify the identity of the SmartCenter server that is being accessed through SmartConsole. The first time SmartConsole connects to the SmartCenter server, compare this string to the string displayed in SmartDashboard.
7. Start the installed products.
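The GUI client entry formats listed in the Windows procedure (steps 7 to 9) and the Unix procedure (step 4) decide which machines may reach the SmartCenter server with SmartConsole. The following Python helper, added here and not part of the Check Point guide, parses those formats, tests whether a given client would be admitted, and flags entries that admit a large address population. Assumptions: host-name entries are compared against a caller-supplied name rather than resolved through DNS, and the `max_addresses` threshold is a constructed review value.

```python
import ipaddress
import re

# Entry formats as printed in the guide: IP address, IP/netmask, machine name,
# Any, IP1-IP2 range, and a wild-card prefix ending in a dot ("192.168.10.").
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_WILDCARD_RE = re.compile(r"^(?:\d{1,3}\.){1,3}$")
_HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def parse_gui_client(entry):
    """Classify one GUI client entry; returns (kind, value) or raises ValueError."""
    e = entry.strip()
    if e.lower() == "any":
        return ("any", None)
    if "/" in e:
        # IP/netmask, e.g. 192.168.10.0/255.255.255.0; strict=False tolerates host bits
        return ("network", ipaddress.IPv4Network(e.replace(" ", ""), strict=False))
    if _IPV4_RE.match(e):
        return ("ip", ipaddress.IPv4Address(e))
    if "-" in e:
        lo, hi = (p.strip() for p in e.split("-", 1))
        if _IPV4_RE.match(lo) and _IPV4_RE.match(hi):
            lo, hi = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
            if lo > hi:
                raise ValueError("range start is above range end: %s" % entry)
            return ("range", (lo, hi))
        # a name such as Good-Bank also contains "-": fall through to host matching
    if _WILDCARD_RE.match(e):
        if any(int(octet) > 255 for octet in e.rstrip(".").split(".")):
            raise ValueError("octet out of range: %s" % entry)
        return ("wildcard", e)
    if _HOST_RE.match(e):
        return ("host", e.lower())
    raise ValueError("unrecognised GUI client entry: %s" % entry)


def client_allowed(entries, client_ip, client_name=None):
    """True if the client (IP plus optional resolved name) matches any entry."""
    ip = ipaddress.IPv4Address(client_ip)
    for entry in entries:
        kind, value = parse_gui_client(entry)
        if kind == "any":
            return True
        if kind == "ip" and ip == value:
            return True
        if kind == "network" and ip in value:
            return True
        if kind == "range" and value[0] <= ip <= value[1]:
            return True
        # the prefix keeps its trailing dot, so "192.168.1." never matches 192.168.10.x
        if kind == "wildcard" and str(ip).startswith(value):
            return True
        if kind == "host" and client_name and client_name.lower() == value:
            return True
    return False


def address_count(entry):
    """Number of IPv4 addresses an entry admits (a machine name counts as one)."""
    kind, value = parse_gui_client(entry)
    if kind == "any":
        return 2 ** 32
    if kind == "network":
        return value.num_addresses
    if kind == "range":
        return int(value[1]) - int(value[0]) + 1
    if kind == "wildcard":
        return 256 ** (4 - value.count("."))
    return 1


def broad_entries(entries, max_addresses=256):
    """Entries admitting more than max_addresses clients (threshold is an assumption)."""
    return [e for e in entries if address_count(e) > max_addresses]


if __name__ == "__main__":
    # Constructed sample list covering every format the guide accepts.
    sample = ["1.2.3.4", "192.168.10.0/255.255.255.0", "Alice.checkpoint.com",
              "192.168.10.8 - 192.168.10.16", "192.168.10."]
    print(client_allowed(sample, "192.168.10.77"))                      # True
    print(client_allowed(sample, "10.0.0.9", "alice.checkpoint.com"))   # True
    print(broad_entries(sample + ["Any"]))                              # ['Any']
```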
Logging In for the First Time
The Login Process
Administrators connect to the SmartCenter server through SmartDashboard using the same process as SmartConsole clients. The administrator and the SmartCenter server are first authenticated (to create a secure channel of communication) and then the selected SmartConsole starts.
After the first login, the administrator can create a certificate for subsequent logins. For additional information on how to create a certificate, refer to the R65 SmartCenter Administration Guide.
Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.
Authenticating the Administrator
To authenticate the administrator:
1. Open SmartDashboard by selecting Start > Programs > Check Point SmartConsole NGX R65 > SmartDashboard.
2. Log in using the User Name and Password defined in the Configuration Tool’s Administrators page during the SmartCenter server installation.
If you are using a locally stored certificate to authenticate your connection, browse to its location and enter the certificate’s password. The certificate’s password can be changed by expanding the More Options link and clicking Change Password.
3. Specify the name or IP address of the target SmartCenter server and click OK.
4. Decide whether to connect in Read Only mode. This mode enables you to view the current configuration without accidentally changing it. It also gives access to SmartCenter server when another designated administrator is already connected.
5. More Options. Clicking the More Options link enables you to fine tune how SmartDashboard connects to SmartCenter server.
• The Change Password button in the Certificate Management area of the dialog enables you to change the password that protects the certificate.
• Session Description. Descriptive information entered here populates the Session ID field available in SmartView Tracker’s Audit Mode. The field can be used to explain why a particular administrator is connecting to SmartCenter Server.
• Use compressed connection. This option optimizes the connection to SmartCenter server. By default, the connection to SmartCenter server is compressed. For a very large configuration database, disabling the compression may help reduce load on the SmartCenter server.
• Do not save recent connections information. By default, SmartDashboard remembers the last user ID and SmartCenter server to which a connection was made. Select this option to prevent SmartDashboard from displaying the last administrator and SmartCenter server to which the administrator successfully connected.
• Plug-in Demo Mode. This option enables SmartDashboard demo mode to display windows and options specific to a particular plug-in. Select the plug-in from the Versions drop-down box.
6. Manually authenticate the SmartCenter server using the Fingerprint provided during the configuration process.
Note - This step is only necessary the first time you log in from a given client computer, since once the SmartCenter server is authenticated, the Fingerprint is saved in the SmartConsole computer’s registry.
Where To From Here?
You have now learned the basics that you need to get started. The next step is to obtain more advanced knowledge of your Check Point software.
Check Point documentation is available in PDF format on the Check Point CD and the Technical Support download site at: http://support.checkpoint.com
Be sure to also use the Check Point Online Help when you are working with the Check Point SmartConsole clients.
For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at: http://support.checkpoint.com
Chapter 4 Provider-1 Setup and Installation
In This Chapter
• Overview page 75
• Building the Standard Provider-1 Network page 78
• Logging Into the MDG page 84
• Where To From Here? page 87
Overview
A typical Management Service Provider (MSP) handles many different customer systems. Provider-1/SiteManager-1 is compatible with a wide range of customer security schemes and product deployments. Figure 4-1 shows a sample Provider-1 deployment.
Figure 4-1 Sample Provider-1 Deployment
The standard Provider-1 deployment has the following components:
• MDS: Each Provider-1 network must have at least one Manager and one Container, which can be installed on the same server, or separately.
• MDG and SmartConsole applications: These applications are installed on a GUI client and support centralized system management.
• CMAs: Each CMA manages the network of a single customer domain. CMAs are installed on a Container MDS.
• Customer gateways: A gateway that protects the customer’s networks.
• NOC gateways: A gateway that protects the MSP headquarters and Network/Security Operations Centers.
Note - Depending on your system specifications, you must decide whether to manage the NOC gateways with a standalone SmartCenter or with the Provider-1 system. For Provider-1 systems, it is common to dedicate a Provider-1 customer as the NOC customer.
Building the Standard Provider-1 Network
This section describes how to build your first Provider-1 Operations Center following the workflow shown in Figure 4-2.
Figure 4-2
In This Section
• Setting Up Networking page 78
• Installing the Gateways page 79
• Installing and Configuring the MDS page 79
• Installing SmartConsole and the MDG Client page 82
• Installing SmartConsole page 82
• Installing the MDG page 82
• Uninstalling Provider-1 page 83
Setting Up Networking
The MDS server host and the VPN-1 gateways should be TCP/IP ready. The MDS server machine should include at least one interface with an IP address and have the ability to query a DNS server to resolve the IP addresses of other machine names.
Where applicable, ensure that routing is configured to enable IP communication between the:
• CMA/CLM and its managed gateways
• MDS and other MDSs in the system
• CMA and CLMs of the same customer
• CMA and its high availability CMA peer
• GUI client and MDS Managers
• GUI client and CMAs/CLMs
Installing the Gateways
Install both the NOC and the customer gateways. Gateway installation is performed using the Internet Security Product Suite CD. For additional information, refer to: “VPN-1 Setup and Installation” on page 41.
Note - During gateway installation, record the activation key used to initialize the SIC with each gateway's management server.
Installing and Configuring the MDS
For upgrading an existing installation of Provider-1, see the Upgrade Guide.
All MDS types, whether Manager, Container, or MLM, are created using the same installation process.
To create a primary manager:
1. Verify that you have superuser permissions.
2. From the mounted directory, navigate to the subdirectory that matches the operating system of your MDS server - solaris2 or linux.
3. For Solaris and Linux, run the mds_setup script.
4. Select whether the MDS is:
• A Manager
• A Container
• A Manager and Container
• An MLM
If you decide that the MDS is a Manager (or that it is both a Manager and Container), specify whether this MDS is the Primary Manager. At least one Primary Manager must be created.
5. Specify whether the MDS should start automatically with each reboot (recommended). If you choose to restart automatically, select a default base directory when prompted.
6. Read and accept the License Agreement.
A list of the network interfaces on the MDS is displayed.
7. Enter the name of the primary interface — the interface through which the MDS will communicate with other MDSs in the Provider-1/SiteManager-1 network.
Note - When installing the MDS on SecurePlatform, the installation is performed using the SecurePlatform installer on the CD. Do not execute the mds_setup script directly.
Note - Any information that you enter at this stage can be modified later by rerunning the mdsconfig utility.
Note - If this is a Container MDS, Provider-1/SiteManager-1 additionally maps CMAs to this interface.
8. A 15-day trial license is automatically applied. If you have a valid permanent license, enter it now.
9. Select an operating system users group allowed to access the MDS files. If you do not select a users group, the root users group is given permissions to the files.
10. Initialize the primary Manager’s ICA. The ICA issues certificates to MDSs and administrators so that they can communicate securely with the system once Trust has been established.
A fingerprint is generated for the server. It is recommended to save this fingerprint for later reference.
11. Create an administrator. Enter a name and password, and assign the administrator’s authority level. Create at least one Provider-1 Superuser to set up the Provider-1/SiteManager-1 network. Create other administrators either now or later.
12. Configure at least one GUI Client: a computer authorized to access the MDG. A GUI Client can be identified by either IP address or Name (if the Name is routable on the network). Add other GUI clients either now or later.
13. When the mdsconfig utility finishes, set the source path by running (depending on your shell):
• For csh: source /opt/CPshared/5.0/tmp/.CPprofile.csh
• For sh: . /opt/CPshared/5.0/tmp/.CPprofile.sh
To avoid running the source path command each time you start the MDS, it is recommended to add these lines to your .cshrc or .profile files, respectively.
14. Start the MDS by running the script: mdsstart.
If your current shell is sh or bash, you must exit the shell after the MDS has started.
Installing SmartConsole and the MDG Client
The following instructions are used when installing SmartConsole applications on Windows platforms.
Installing SmartConsole
To install the SmartConsole on Windows platforms:
1. Access the windows/SmartConsole directory on the Provider-1 product CD.
2. Copy the SmartConsole executable to a temporary directory.
3. Start the installation by double-clicking the SmartConsole executable.
4. When the installation has completed, run SmartConsole applications from the Windows Start > Programs > Check Point SmartConsole R65 > SmartDashboard menu option.
Installing the MDG
To install the MDG package:
1. Access the windows/MDG directory on the Provider-1 product CD.
2. Copy the Prov1Gui executable to a temporary directory.
3. Start the installation by double-clicking the Prov1Gui executable.
4. When the installation has completed, run the MDG from the Windows Start > Programs > Check Point SmartConsole R65 > Provider-1 menu option.
Uninstalling Provider-1
To uninstall the MDS:
On Linux and Solaris, run: mds_remove
Note - This command is not available on SecurePlatform.
To uninstall the MDG and SmartConsole applications:
From the Windows Start menu, select Settings > Control Panel > Add/Remove Programs.
Logging Into the MDG
In This Section
• Logging Into the MDG for the First Time page 84
• Demo Mode page 85
Logging Into the MDG for the First Time
To log in to the MDG for the first time:
1. Type the User Name and Password you defined during MDS installation.
2. Type the name or IP address of the MDS and click OK.
Note - When logging in to an MDS server for the first time, you are prompted to compare the Fingerprint of the ICA with the Fingerprint saved during MDS installation, to ensure that you are connected to the correct MDS host.
Upon MDG login, a secure communication channel is created to the MDS.
The Customer Contents mode in the MDG General pane opens.
Figure 4-3 MDG General Pane - Customer Contents Mode
The Customer Contents mode in the MDG General pane provides the following information:
• The Provider-1/SiteManager-1 root.
• The Customers, for example, Flowers, Good-Bank and Perfect-Luggage.
• The CMAs of each Customer, for example, the Customer Good-Bank has a single CMA (Single_CMA_For_Good-Bank).
• The gateways belonging to each Customer.
Demo Mode
When starting the MDG, you can select Demo mode. This mode does not require authentication or connection to the MDS. Demo mode is used to experiment and learn the MDG. It uses preconfigured sample objects and policies.
Operations performed while in Demo mode are stored in a local database, which allows you to continue a Demo session from the point at which you left off in a previous session.
Where To From Here?
You have now learned the basics that you need to get started. The next step is to obtain more advanced knowledge of your Check Point software.
Check Point documentation is available in PDF format on the Check Point CD and the Technical Support download site at: http://support.checkpoint.com
Be sure to also use the Check Point Online Help when you are working with the Check Point SmartConsole clients.
For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at: http://support.checkpoint.com
Chapter 5 IPS-1 Setup and Installation
In This Chapter
Overview page 90
IPS-1 Deployment page 93
IPS-1 Management Installation and Setup page 98
IPS-1 Sensor Appliances page 104
IPS-1 Sensor Installation page 109
IPS-1 Management Dashboard Installation page 116
Post-Installation Steps page 116
Where To From Here? page 126
Overview
In This Section
• IPS-1 System Architecture page 90
• Platforms page 92
IPS-1 System Architecture
Check Point’s IPS-1 is a dedicated intrusion prevention system (IPS) that delivers:
• Mission-critical protection against known and unknown attacks
• Unmatched management capabilities
• Granular forensic analysis
• Flexible deployment
• Confidence Indexing
An IPS-1 deployment includes the following components:
• IPS-1 Sensor: Detects and prevents internal network attacks, and sends alerts to the Alerts Concentrator.
• Alerts Concentrator: Manages and receives alerts from a group of Sensors, and stores the alerts in a MySQL database (included in the Alerts Concentrator installation). Multiple IPS-1 Alerts Concentrators can be distributed throughout the network as needed.
• IPS-1 Management Server: The central Management Server for the entire deployment. Receives and correlates relevant alert information from the Alerts Concentrator(s). Alert information is stored in a MySQL database, which is included in the IPS-1 Management Server installation.
• IPS-1 Management Dashboard: Windows-based remote graphical user interface (GUI) to the IPS-1 Management Server, for managing the IPS-1 system and for monitoring alerts. The IPS-1 Dashboard includes a number of independent interlinked windows, primarily:
• Policy Manager for configuring protections and managing the entire IPS-1 system.
• Alert Browser for viewing, tracking, and analyzing real-time alerts.
There are two deployment configurations for IPS-1:
• Combined Deployment - An Alerts Concentrator is installed together with the IPS-1 Management Server on the same computer.
• Distributed Deployment - The IPS-1 Management Server connects to one or more Alerts Concentrators installed on separate computers.
The installation steps for each deployment configuration are found in the Initial Configuration of Management Servers section of the Check Point Internet Security Product Suite Getting Started Guide Version NGX R65.
The following diagram illustrates the components of the IPS-1 system architecture with two Alerts Concentrators in a Distributed Deployment:
Figure 5-1 The IPS-1 System
Platforms
The IPS-1 Server and Alerts Concentrator can be installed on Check Point’s SecurePlatform or on other supported operating systems. SecurePlatform is provided with the IPS-1 installation media.
The IPS-1 Server can be installed together with a SmartCenter server for managing VPN-1 gateways and IPS-1 Sensors from the same platform. In this case, it is possible to log into the IPS-1 Server via the IPS-1 Management Dashboard with a SmartCenter Server administrator username and password. For usernames common to both IPS-1 and SmartCenter, the IPS-1 password and privileges override the SmartCenter settings.
IPS-1 (non-Power) Sensors are supported only on Check Point’s SecurePlatform.
IPS-1 Deployment
In This Section
• IPS-1 Sensor Deployment page 93
• IPS-1 Management Deployment page 95
IPS-1 Sensor Deployment
Sensor Placement
IPS-1 Sensors should be deployed at natural choke points according to network topology. Usually, Sensors should be just within the network firewall.
Placing Sensors outside the firewall is not recommended, because the Sensor is not then protected by the firewall, and the unfiltered traffic places a heavier load on the Sensor.
Ideally, network cores should also be protected with Sensors. In most cases, network core topology does not enable these Sensors to be placed inline, in which case the Sensors should be used for intrusion detection in passive mode.
Sensor Topology
In most cases, IPS-1 Sensors should be placed inline, enabling intrusion prevention. In some cases, such as in a complex switching environment in a network core, Sensors need to be used for intrusion detection in passive mode.
Sensors’ monitoring interfaces are layer-3 transparent and do not have IP addresses. Each Sensor has a management interface that requires an IP address, routable to and from the Alerts Concentrator. For enhanced security, it is recommended that management be on a separate, out-of-band network.
For full information on Sensor modes, see the IPS-1 Administration Guide.
Inline Intrusion Prevention
For intrusion prevention, Sensors should be connected inline, so that all of the traffic to be monitored flows through the IPS-1 Sensor. In this configuration, Sensors can drop traffic containing attacks, according to defined and configurable confidence indexing.
Inline Sensors’ behavior upon failure can be configured to either fail open (passing through all traffic) or fail closed (severing the traffic path).
Inline Sensors can be set to Bridge (Monitor-Only) mode, to avoid the possibility of false-positive traffic dropping. In bridge mode, you can track what the Sensor would have done in prevention mode. You can fine-tune your prevention settings in bridge mode, and later change to prevention mode.
Passive Intrusion Detection
The IPS-1 Sensor can be placed out of the path of network traffic, in which case it performs intrusion detection only.
For the Sensor to monitor traffic, a monitoring interface of the Sensor should be connected to one of the following:
• A hub’s port
• A switch’s SPAN (or ‘mirror’) port
• A network tap
A network tap has advantages over a switch’s SPAN port. For example, the switch could prevent (or be unable to send) some traffic out of the SPAN port.
For information on configuring and connecting the switch or tap, see the switch’s or tap’s documentation.
IPS-1 Management Deployment
In This Section
• Required IPS-1 Management Components page 95
• IPS-1 Management Network page 96
• Alerts Concentrator High Availability page 96
Required IPS-1 Management Components
Every IPS-1 deployment must have exactly one IPS-1 Management Server.
At least one installation of the IPS-1 Management Dashboard on a Windows client host is necessary for managing the IPS-1 environment and for viewing and analyzing alerts.
The appropriate number of Alerts Concentrators varies according to the network and to administrative needs. The following rough guidelines should be considered:
• Each Alerts Concentrator is usually capable of handling around ten Sensors.
• It is not recommended for a single Alerts Concentrator’s database to approach 40 GB. If it does, an additional Alerts Concentrator is recommended.
For a rough estimate of appropriate database size, multiply the volume of monitored traffic (in Gbps) by the number of months of alerts you plan to maintain. The database size (in GB) should approach half of that product.
For example, if the Sensors that send alerts to a particular Alerts Concentrator collectively monitor 5 Gbps, and you want to maintain six months of back alerts, the database should be 12-15 GB. However, appropriate database size is also dependent on other factors, such as fine-tuning protections for your system to minimize false positives.
Optionally, one Alerts Concentrator can be installed together with the IPS-1 Management Server in a Combined installation. This Alerts Concentrator will share a license and some processes with the IPS-1 Management Server, but alert information is stored in separate database tables.
IPS-1 Management Network
For enhanced security, it is recommended that management be on a separate, out-of-band network.
TCP connectivity is required as follows:
• Connect from the IPS-1 Management Dashboard to the IPS-1 Management Server on port 8443
• Connect from the IPS-1 Management Server to any Alerts Concentrators on port 18272
• Connect from each Alerts Concentrator to the management interfaces of its IPS-1 Sensors, and vice versa, on port 1968
• (optional) Connect from the IPS-1 Management Server to the online update server (ips-packages.checkpoint.com) on port 2013
Make sure the firewalls in between each component are configured to allow this traffic.
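The port list above is easy to get partly wrong once several Alerts Concentrators and Sensors are involved. The following Python helper, added here and not part of the Check Point guide, expands a deployment description into the TCP flows the guide requires (8443, 18272, 1968 in both directions, and optionally 2013 to ips-packages.checkpoint.com), renders them as a rule list for the firewall change, and probes the flows that originate on the host it runs on. The host names are constructed, and the shortcut that a Combined deployment needs no rule for the 18272 flow is an assumption.

```python
import socket

# TCP ports required between IPS-1 components, as listed in the guide.
DASHBOARD_TO_MGMT = 8443        # IPS-1 Management Dashboard -> Management Server
MGMT_TO_CONCENTRATOR = 18272    # Management Server -> Alerts Concentrator
CONCENTRATOR_SENSOR = 1968      # Alerts Concentrator <-> Sensor management interface
MGMT_TO_UPDATES = 2013          # Management Server -> online update server (optional)
UPDATE_SERVER = "ips-packages.checkpoint.com"


def required_flows(topology, include_updates=False):
    """Expand a deployment description into (src, dst, port, purpose) tuples.

    topology = {"management_server": host,
                "dashboards": [host, ...],
                "concentrators": [{"host": host, "sensors": [host, ...]}, ...]}
    """
    mgmt = topology["management_server"]
    flows = []
    for dashboard in topology.get("dashboards", []):
        flows.append((dashboard, mgmt, DASHBOARD_TO_MGMT,
                      "IPS-1 Management Dashboard -> IPS-1 Management Server"))
    for concentrator in topology.get("concentrators", []):
        ac = concentrator["host"]
        # Assumption: a Combined deployment (Concentrator on the Management
        # Server host) needs no firewall rule for the 18272 flow.
        if ac != mgmt:
            flows.append((mgmt, ac, MGMT_TO_CONCENTRATOR,
                          "IPS-1 Management Server -> Alerts Concentrator"))
        for sensor in concentrator.get("sensors", []):
            # The guide requires this flow in both directions.
            flows.append((ac, sensor, CONCENTRATOR_SENSOR,
                          "Alerts Concentrator -> IPS-1 Sensor"))
            flows.append((sensor, ac, CONCENTRATOR_SENSOR,
                          "IPS-1 Sensor -> Alerts Concentrator"))
    if include_updates:
        flows.append((mgmt, UPDATE_SERVER, MGMT_TO_UPDATES,
                      "IPS-1 Management Server -> online update server"))
    return flows


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows, local_host, probe=tcp_reachable):
    """Probe only the flows whose source is this host; return those that fail."""
    return [flow for flow in flows
            if flow[0] == local_host and not probe(flow[1], flow[2])]


def as_rule_table(flows):
    """Render flows as 'src -> dst tcp/port (purpose)' lines for a change request."""
    return ["%s -> %s tcp/%d  (%s)" % flow for flow in flows]


if __name__ == "__main__":
    # Constructed example: a Distributed deployment with two Alerts Concentrators,
    # one of them co-located with the Management Server (Combined).
    topology = {
        "management_server": "ips-mgmt.example.net",
        "dashboards": ["admin-pc.example.net"],
        "concentrators": [
            {"host": "ac1.example.net",
             "sensors": ["sensor-a.example.net", "sensor-b.example.net"]},
            {"host": "ips-mgmt.example.net",
             "sensors": ["sensor-c.example.net"]},
        ],
    }
    flows = required_flows(topology, include_updates=True)
    print("\n".join(as_rule_table(flows)))
    print("unreachable from this host:",
          check_flows(flows, socket.gethostname()))
```

Run it on each Management Server and Alerts Concentrator with the host's own name as `local_host`; the Sensor-to-Concentrator direction has to be verified from the Sensor side.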
Alerts Concentrator High Availability
To ensure continuity of information flow from IPS-1 Sensors to the IPS-1 Management Server in the event of an IPS-1 Alerts Concentrator failure, you can configure an IPS-1 Sensor to report to a secondary IPS-1 Alerts Concentrator. This automatically redirects alerts and event data to the secondary Alerts Concentrator if the active Alerts Concentrator or the Sensor’s connection with it fails. You can deploy the secondary Alerts Concentrator in the same network as the active Alerts Concentrator.
For information on configuring Alerts Concentrator High Availability, see the IPS-1 Administration Guide.
IPS-1 Management Installation and Setup
In This Section
• Installation of IPS-1 Management Servers page 98
• IPS-1 Management Dashboard Installation page 116
• Completing IPS-1 Management Setup page 118
Installation of IPS-1 Management Servers
This section discusses installing the IPS-1 Management Server and Alerts Concentrator.
The IPS-1 Management Server and Alerts Concentrator can be installed on Check Point’s SecurePlatform or on other supported operating systems. SecurePlatform is supplied with NGX R65.
To install IPS-1 Management Servers together with a SmartCenter, first install the SmartCenter according to the instructions in “VPN-1 Setup and Installation” on page 41. Then follow the instructions in “Installation on an Existing Operating System” on page 102.
To install Check Point’s SecurePlatform, follow the instructions in “Installation of SecurePlatform for IPS-1 Management” on page 99.
To install IPS-1 Management Servers on already installed and configured operating systems, follow the instructions in “Installation on an Existing Operating System” on page 102.
In This Section
• Installation of SecurePlatform for IPS-1 Management page 99
• Installation on an Existing Operating System page 102
• Initial Configuration of Management Servers page 103
Installation of SecurePlatform for IPS-1 Management
To install SecurePlatform with the IPS-1 Management Server and/or Alerts Concentrator:
1. Insert CD6 from the media pack into the CD drive, and boot the computer from the CD.
After booting, Welcome to Check Point SecurePlatform appears. Make sure to press Enter within 90 seconds.
The installation program is loaded.
The following options are displayed:
• Device List: When selected, the Hardware Scan Details menu displays.
• Add Driver: When selected, the Devices menu opens. Sometimes updated hardware is incompatible with the previous version’s driver and you receive an error message during installation because the operating system could not find the appropriate hard disk driver. Alternatively, the installation may be complete, but the hardware does not function properly. The Add Driver option enables you to add the missing driver during the installation process.
2. Select OK to install.
The IPS-1 Products window appears.
3. Select Management Server, and OK.
4. Depending on the license you purchased, select one of the following options:
• SecurePlatform
• SecurePlatform Pro (includes the Advanced Routing Suite and additional enhancements such as RADIUS authentication for administrators)
5. Select a keyboard type.
6. In the Management Interface Configuration window, define the management interface IP address, netmask and default gateway. Select OK.
7. Select OK to format your hard drive, and extract and install the SecurePlatform software components. The installation process can take several minutes to complete.
8. Press Enter to reboot.
9. When the computer has finished booting, log in with username: admin, and password: admin.
10. As prompted, change the password and username.
11. Run:
sysconfig
The first-time system configuration wizard begins.
12. Press n to proceed to the next menu.
The following Network Configuration menu options are displayed:
Option                 Purpose
Host Name              Sets and displays the host name
Domain Name            Sets and displays the domain name
Domain Name Servers    Adds, removes and displays domain name servers
Network Connections    Adds, configures, removes and displays network connections
Routing                Sets and shows the default gateway
Note - Make sure the hostname and IP address are correctly defined at this stage. The IPS-1 software will take this information from the operating system at installation time. Subsequent changing of the hostname will be reflected in the application.
13. Use the menu options to configure:
• The hostname
• The domain name and at least one DNS server
• The computer’s network interfaces
• The default gateway (if required)
14. Once Network Configuration is complete, press n to continue to Time and Date Configuration. Configure the following:
• Time zone
• Date
• Local time
• Show date and time settings
Note - Network Time Protocol (NTP) can be configured through the command line interface after all of the installation procedures are complete. For more information, see “Configuring NTP on SecurePlatform” on page 116.
15. Press n.
Continue to “Initial Configuration of Management Servers” on page 103.
Installation on an Existing Operating System
To install an IPS-1 Management Server and/or Alerts Concentrator on an already installed and configured supported operating system:
1. Before installing an IPS-1 Management Server on Red Hat Linux, ensure proper connectivity between the IPS-1 Management Dashboard and the IPS-1 Management Server by verifying that there is an /etc/hosts table entry for your IP address and server name. For example:
127.0.0.1 localhost localhost.localdomain
192.168.13.5 servername servername.example.com
2. Before an upgrade, do the following:
a. Stop the IPS-1 processes.
b. As a precaution, back up the database files by copying the contents of the sdb/data directory to another host.
3. Make sure the hostname and IP address are correctly defined in the operating system. The IPS-1 software will take this information from the operating system at installation time. Subsequent changing of the hostname will not take effect.
4. Insert CD6 from the media pack, and mount it on the appropriate subdirectory.
5. From the CD’s root directory, run:
./UnixInstallScript [-splat]
On SecurePlatform, include the -splat flag. On other supported operating systems, omit the flag.
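Added pre-installation check (example code, not part of the Check Point guide): a POSIX shell script for steps 1 and 3 above that confirms the management server's short name and fully qualified name both map to the intended management IP address in a hosts file, before the IPS-1 installer reads the hostname and IP from the operating system. The hosts file contents, host names and addresses are constructed sample values mirroring the example entries above.

```shell
#!/bin/sh
# Added pre-installation check, not part of the Check Point guide.
# Confirms that the management server's short name and fully qualified
# name both map to the intended management IP address in a hosts file,
# which steps 1 and 3 above require before the IPS-1 packages read the
# hostname and IP from the operating system.
# The hosts file contents, names and addresses below are constructed samples.

# hosts_entry_ok HOSTS_FILE IP NAME
# Returns 0 when a non-comment line in HOSTS_FILE maps IP to NAME, else 1.
hosts_entry_ok() {
    awk -v ip="$2" -v name="$3" '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# lookup_hosts_ip HOSTS_FILE NAME
# Prints the first IP address that HOSTS_FILE maps NAME to (nothing if absent).
lookup_hosts_ip() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# check_management_host HOSTS_FILE IP NAME...
# Every NAME must resolve to IP through the hosts file; reports each
# mismatch on stderr and returns non-zero if any check fails.
check_management_host() {
    hosts_file=$1; ip=$2; rc=0
    shift 2
    for n in "$@"; do
        if hosts_entry_ok "$hosts_file" "$ip" "$n"; then
            echo "OK:   $n -> $ip"
        else
            actual=$(lookup_hosts_ip "$hosts_file" "$n")
            echo "FAIL: $n maps to '${actual:-nothing}', expected $ip" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample hosts file mirroring the guide's example entries.
SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed sample /etc/hosts
127.0.0.1    localhost localhost.localdomain
192.168.13.5 servername servername.example.com
EOF

# On a real system you would pass /etc/hosts, the management IP set in
# sysconfig, and the output of `hostname` and `hostname -f`.
check_management_host "$SAMPLE_HOSTS" 192.168.13.5 servername servername.example.com
```

Run it before starting UnixInstallScript; a FAIL line means the installer would record a name or address that the Dashboard cannot reach, and the guide notes that changing the hostname afterwards does not take effect.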
Continue to the following section for the configuration process.
Initial Configuration of Management Servers
1. Press Enter to scroll down and read the End-User License Agreement. Then press y to accept.
IPS-1 packages are installed. This may take some time.
2. Answer whether this is an upgrade (y/n). If this is an upgrade, you are then prompted for the previous installation location.
3. Select an IPS-1 product to install:
a. IPS-1 Management Server (all components)
This installs the IPS-1 Management Server as a Combined Deployment, that is, an IPS-1 Management Server with an Alerts Concentrator.
b. IPS-1 Management Server (without Alerts Concentrator)
This installs the IPS-1 Management Server as a Distributed Deployment, that is, an IPS-1 Management Server only, without an Alerts Concentrator.
c. IPS-1 Alerts Concentrator
4. When installing an Alerts Concentrator, enter and then confirm an activation key with which the Alerts Concentrator will authenticate the IPS-1 Management Server. You will need this activation key when you add the Alerts Concentrator from the IPS-1 Dashboard.
5. When installing an IPS-1 Management Server or Combined installation, type and then confirm an IPS-1 login password. This is the password to use when logging into the IPS-1 Management Server from the IPS-1 Dashboard for the first time, with username: admin.
6. Select whether IPS-1 should start when the computer is booted.
IPS-1 processes start. This completes the installation process.
The IPS-1 Management Server is now configured. Continue to “Post-Installation Steps” on page 116.
IPS-1 Sensor Appliances
Introduction
This chapter discusses setting up Check Point pre-installed appliances. For third-party hardware, set up the hardware according to the third-party documentation, and then continue to “IPS-1 Setup and Installation” on page 89.
For considerations for Sensor location and network topology, see “IPS-1 Sensor Deployment” on page 93.
Check Point currently delivers the following Sensor appliances with the interface configurations listed:
• IPS-1 Sensor 50C:
  • Two 10/100Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as an IPS pair with bypass support, or in IDS (passive) mode as two monitoring interfaces
  • Two 10/100/1000Mbps copper Ethernet front-panel interfaces, of which one is the management interface and the other can be used in IDS (passive) mode as an additional monitoring interface
• IPS-1 Sensor 100C and 200C:
  • Four 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces
  • Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs without bypass support, or in IDS (passive) mode as additional monitoring interfaces
• IPS-1 Sensor 200F:
  • Four 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces
  • Four 1000Mbps fiber front-panel interfaces with bypass support
  • Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs without bypass support, or in IDS (passive) mode as additional monitoring interfaces
• IPS-1 Sensor 500C:
  • Eight 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces
  • Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as additional monitoring interfaces
• IPS-1 Sensor 500F:
  • Eight 10/100/1000Mbps copper Ethernet front-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces
  • Four 10/100/1000Mbps copper Ethernet back-panel interfaces, of which one is the management interface and the others can be used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as additional monitoring interfaces
  • One Gigabit fiber Ethernet front-panel interface with bypass support
• IPS-1 Sensor 1000C:
  • Eight 10/100/1000 copper Ethernet back-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces
  • Two 10/100/1000 built-in copper Ethernet back-panel interfaces, of which one is the management interface and the other should remain unused
• IPS-1 Sensor 1000F:
  • Eight Gigabit fiber Ethernet back-panel interfaces used in IPS (inline) mode as IPS pairs with bypass support, or in IDS (passive) mode as monitoring interfaces
  • Two 10/100/1000 copper Ethernet back-panel interfaces, of which one is the management interface and the other should remain unused
• IPS-1 Power Sensor 1000C/F:
  • Eight 10/100/1000 Mbps copper Ethernet interfaces (C model), or Gigabit fiber Ethernet interfaces (F model), used in IPS (inline) mode as IPS pairs, or in IDS (passive) mode as monitoring interfaces
  • One front-panel 10/100Mbps copper Ethernet interface for management
• IPS-1 Power Sensor 2000C/F:
  • A Primary chassis unit, including:
    • Eight 10/100/1000 Mbps copper Ethernet interfaces (C model), or Gigabit fiber Ethernet interfaces (F model), used in IPS (inline) mode as IPS pairs, or in IDS (passive) mode as monitoring interfaces
    • One front-panel 10/100Mbps copper Ethernet interface for management
  • An Expansion chassis unit, adding processors and RAM
Preparing the Sensor’s Environment
The IPS-1 Sensors require the following:
Table 5-1 IPS-1 Sensor Environmental Requirements
                                 50C                            200C/F                         500C/F                         Power C/F
Chassis size                     1 Rack Unit (RU), 19” (50C, 200C/F, 500C/F); 2 chassis units x 2RU, 19” (Power C/F)
Amps AC                          6.0/3.0                        8.2/4.1                        6.7/3.4                        4/2 per chassis unit
Voltage Input Range              100-240                        100-127/200-240                100-127/200-240                90-255
Operating Temperature            0°C to +40°C                   +10°C to +35°C                 +10°C to +35°C                 0°C to +55°C
Non-Operating Temperature        -20°C to +80°C                 -40°C to +70°C                 -40°C to +70°C                 -10°C to +70°C
Non-Operating Relative Humidity  10-90%, non-condensing @35°C   90%, non-condensing @35°C      90%, non-condensing @35°C      10-90%, non-condensing @35°C
Emissions                        FCC Class A Device (all models)
Mount each unit onto the equipment rack.
Connect the power supply. For the Power Sensor, connect two power supplies to each of the two chassis units.
Setting Up Sensor Appliance Network Connections
Connect the management interface to the management network. On the 50C and Power 2000 models, the management interface is on the front panel. On other models, it should be one of the two built-in interfaces on the rear panel.
For working in IDS (passive), any or all of the remaining interfaces can be used as monitoring ports.
For working in inline IPS mode, the inline pairs must conform to hardware configuration:
• For the 50C, the inline pair is marked on the front panel.
• For the 200 and 500 models, inline pairs are in vertical groupings.
• For the Power Sensors, inline interfaces are on the rear panel, horizontally paired. For example, in the diagram below, s1.e0 is paired with s1.e1.
Connecting the Power Sensor Chassis Units
With the supplied expansion cable, connect the Primary chassis unit’s Expansion slot A to the Expansion chassis unit’s Expansion slot B:
IPS-1 Sensor Installation
In This Section
Connecting to IPS-1 Sensors page 109
Installing SecurePlatform and IPS-1 Sensors page 110
Initial Configuration of IPS-1 Sensors page 112
Initial Configuration of IPS-1 Power Sensor page 114
Connecting to IPS-1 Sensors
You can run commands on the IPS-1 Sensor in one of three ways, depending on hardware configuration:
• A connected keyboard and monitor.
• A serial console (DTE to DTE), using terminal emulation software such as HyperTerminal (from Windows) or Minicom (from Unix/Linux systems). Connection parameters for Check Point appliances are:
  • For a regular (non-Power) IPS-1 Sensor appliance: 9600bps, no parity, 1 stop bit (8N1).
  • For an IPS-1 Power Sensor: 115200bps, 8 data bits, no parity, 1 stop bit, no hardware or software (xon/xoff) flow control.
  For third-party hardware connection parameters, see the third-party documentation.
• An SSH connection to the Sensor’s management interface (if sshd is configured).
Installing SecurePlatform and IPS-1 Sensors
The following instructions are for installing IPS-1 Sensor software on third-party hardware, or for reinstalling on a Check Point appliance.
IPS-1 (non-Power) Sensors are supported only on Check Point’s SecurePlatform operating system version NGX R65. The IPS-1 Sensor is installed with SecurePlatform in one installation process. You cannot reinstall the Sensor without reinstalling the operating system and formatting the hard disk.
To install SecurePlatform and the IPS-1 Sensor:
1. Insert CD6 from the media pack into the CD drive, and boot the computer from the CD.
After booting, Welcome to Check Point SecurePlatform appears. Make sure to press Enter within 90 seconds.
The installation program is loaded.
The following options are displayed:
• Device List: When selected, the Hardware Scan Details menu displays.
• Add Driver: When selected, the Devices menu opens. Sometimes updated hardware is incompatible with the previous version’s driver, and you receive an error message during installation because the operating system could not find the appropriate hard disk driver. Alternatively, the installation may complete, but the hardware does not function properly. The Add Driver option enables you to add the missing driver during the installation process.
2. Select OK to install.
The IPS-1 Products window appears.
3. Select Sensor, and OK.
4. Select the type of hardware you are using. If you are installing on hardware provided by Check Point (or old hardware provided by NFR), select Appliance. If you are installing on hardware supplied by another vendor, select Open Sensor.
5. Select a keyboard type. Select OK.
6. In the Networking Device window, select the management interface. Select OK.
7. In the Management Interface Configuration window, define the management interface IP address, netmask and default gateway. Select OK.
8. Select OK to format your hard drive, and extract and install SecurePlatform software components. The installation process can take several minutes to complete.
9. When installation is complete, remove the CD.
10. Press Enter to reboot.
Continue to the following section.
Initial Configuration of IPS-1 Sensors
Upon initial boot of an IPS-1 Power Sensor, follow the instructions in “Initial Configuration of IPS-1 Power Sensor” on page 114.
Upon initial boot of a freshly installed IPS-1 Sensor, including a new regular (non-Power) preinstalled appliance, configure it as follows:
1. Log in with username: admin and password: admin.
2. When prompted, change the password and username.
3. Run:
sysconfig
The first-time system configuration wizard begins.
4. Press n to proceed to the next menu.
The Network Configuration menu options appear.
5. Use the menu options to configure:
• The hostname
• The domain name and at least one DNS server
• The management interface
6. Once Network Configuration is complete, press n to continue to Time and Date Configuration. Configure the following:
• Date
• Time and time zone (GMT is for Power Sensors only)
• Show date and time settings
Press n.
Note - Network Time Protocol (NTP) can be configured through the command line interface after all of the installation procedures are complete. For more information, see “Configuring NTP on SecurePlatform” on page 116.
7. Configure the following Alerts Concentrator options for the Sensor:
• IP address of primary Alerts Concentrator.
• For Alerts Concentrator High Availability, type an IP address of a second Alerts Concentrator. For more information on Alerts Concentrator High Availability, see the IPS-1 Administration Guide.
• An Activation Key, a character string of your choice, which you will enter into the IPS-1 Dashboard when adding the Sensor to an Alerts Concentrator.
Select Next.
8. Configure the Operating Mode options. For each field, select the field with the Enter key, and select the appropriate value.
• Operating Mode - one of the following:
  • IDS (passive): intrusion detection, no prevention. Packets do not pass from one interface to another.
  • IPS (inline, fail-closed): inline intrusion prevention. In fault conditions, all packets are dropped.
  • IPS (inline, fail-open): inline intrusion prevention. In fault conditions, all packets are passed through.
  • IPS Monitor-Only (inline, fail-open): inline bridge mode, but without actual prevention.
  For more information on Sensor modes, see the IPS-1 Administration Guide.
• Management Interface - displays (read-only) the IP address configured in the operating system.
• Inline Pair(s) - pairs of monitoring interfaces. Depending on your hardware, you may need to define the interface pairs that you will be using.
Select Next to complete the wizard.
You can modify the Sensor’s settings at any time by running the cpconfig command.
The IPS-1 Sensor is now installed and configured. Continue to “Post-Installation Steps” on page 116.
Initial Configuration of IPS-1 Power Sensor
Configure a freshly delivered or reinstalled IPS-1 Power Sensor as follows:
1. Log in with the displayed username and password.
2. Set a new login password, and select Next.
3. Set the date and UTC time, and optionally define an NTP server. Select Next.
4. Set the following:
• Hostname and domain name
• The Sensor’s IP information
Select Next.
5. Set the following:
• The IP address of the Primary Alerts Concentrator, and, for an Alerts Concentrator High Availability deployment, the IP address of the second Alerts Concentrator. For more information on Alerts Concentrator High Availability, see the IPS-1 Administration Guide.
• An Activation Key, a character string of your choice, which you will enter into the IPS-1 Dashboard when adding the Sensor to an Alerts Concentrator.
Select Next.
6. Press Enter to see the following available operation modes:
• IDS (passive): intrusion detection, no prevention.
• IPS (inline, fail-closed): inline intrusion prevention. In fault conditions, all packets are dropped.
• IPS (inline, fail-open): inline intrusion prevention. In fault conditions, all packets are passed through.
• IPS Monitor-Only (inline, fail-open): inline bridge mode, but without actual prevention.
For more information about Sensor modes, see the IPS-1 Administration Guide.
Select an operation mode and select Next. The system reboots.
7. The IPS-1 Power Sensor uses an internal network between components. The network address for this network is preset to 10.10.10.0/24. If this conflicts with your network addressing (for example, the Alerts Concentrator or Sensor are in a network with that same address), reconfigure the internal network address, as follows:
a. Log into the IPS-1 Power Series appliance as admin. The password is the same as for the nfr user.
b. At the prompt, type:
configure system
c. At the next prompt, type:
set mccp subset address <address>
where <address> is an available 24-bit network address (for example, 192.168.1.0).
You can modify the Sensor’s settings at any time by logging on as the nfr user.
The IPS-1 Power Sensor is now configured. Continue to “Post-Installation Steps” on page 116.
IPS-1 Management Dashboard Installation
IPS-1 Dashboard is a Java application and is supported on:
• Windows 2000 Professional with SP4
• Windows XP Professional with SP2
IPS-1 Dashboard can be installed from CD2. The installation files are also located on CD6 of the media pack in:
windows\CPipsClient
Run the setupwin32 executable, and follow the instructions.
Post-Installation Steps
Once the IPS-1 components have been installed, one of the following procedures may be required before deploying them in the network.
In This Section
Configuring NTP on SecurePlatform page 116
Completing IPS-1 Management Setup page 118
Completing IPS-1 Sensor Setup page 122
Configuring NTP on SecurePlatform
IPS-1 components rely on Network Time Protocol (NTP) to coordinate the time on each component. Use the following commands to configure and manage NTP.
ntp
Configure and start the Network Time Protocol polling client.
Syntax
ntp <MD5_secret> <interval> <server1> [<server2> [<server3>]]
ntp -n <interval> <server1> [<server2> [<server3>]]
Parameters
Table 5-2 ntp Parameters
parameter      meaning
MD5_secret     pre-shared secret used to authenticate against the NTP server; use “-n” when authentication is not required
interval       polling interval, in seconds
server[1,2,3]  IP address or resolvable name of an NTP server
ntpstop
Stop polling the NTP server.
Syntax
ntpstop
ntpstart
Start polling the NTP server.
Syntax
ntpstart
Completing IPS-1 Management Setup
In This Section
First Login page 118
The Setup IPS-1 Wizard page 120
First Login
After installation, your initial login user name is: admin, and the password is the one you entered during the IPS-1 Management Server installation. Begin managing the IPS-1 system as follows:
1. Use the following command to verify that the IPS-1 Server (or Alerts Concentrator) processes are running:
a. On SecurePlatform, enter expert mode by typing expert and pressing Enter. On other operating systems, log in as root.
b. Run:
/etc/init.d/ips1 start
2. On the client computer, start the IPS-1 Management Dashboard. A login window appears.
3. Type your username and password, and specify the IPS-1 Server’s IP address or resolvable hostname. By default, the port number is 8443.
4. If you are connecting to the IPS-1 Server through a proxy server, expand the login window by clicking More Options and check Use Proxy. Type the proxy server’s connection and authentication information. Note that for Digest Proxy only HTTP is supported, not HTTPS.
5. Upon first login, you are prompted to Verify IPS-1 Management Server Certificate. If you are sure the presented certificate comes from your IPS-1 Management Server, click Trust so that the IPS-1 Management Dashboard on the host you are working on trusts this IPS-1 Management Server in the future.
Note - The default username is admin.
When upgrading from a previous version of IPS-1, log in with the pre-existing usernames. The default username for prior versions of IPS-1 is nfr.
The Setup IPS-1 Wizard
If additional initial configuration is required, the Setup IPS-1 wizard starts after the initial login. The following sections explain the wizard pages that may appear.
Manage Licenses
A freshly installed IPS-1 Management Server comes with a fifteen-day trial license. If the trial license has expired, you must add an IPS-1 Management Server license obtained from Check Point’s User Center in order to continue working with IPS-1.
All licenses are stored on the IPS-1 Management Server and must have been generated for the IPS-1 Management Server’s IP address.
To add a license:
1. Copy your license string, obtained from Check Point’s User Center, to the clipboard.
A license string has the following form:
cplic putlic x.x.x.x 1Jan2001 xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx CPMP-IPS-5-NGX xx-xxxxxxxxxxx
2. In the License Manager, click Add.
3. Populate the fields by clicking Paste License. Click OK.
The added license appears in the license list.
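Added check (example code, not part of the Check Point guide): a POSIX shell script that parses a license string of the form shown above and confirms it was generated for the IP address of the IPS-1 Management Server it is about to be added to, which is the condition the wizard imposes. The license strings and management IP below are constructed placeholders; the signature and key fields are not real license data.

```shell
#!/bin/sh
# Added check, not part of the Check Point guide: confirm that a license
# string in the "cplic putlic ..." form shown above was generated for the
# IP address of the IPS-1 Management Server it will be added to, since the
# server only accepts licenses generated for its own address.
# The license strings and management IP below are constructed placeholders;
# the signature and key fields are not real license data.

# license_fields LICENSE_STRING
# Prints "<ip> <date> <feature>" for a string of the form
#   cplic putlic <ip> <date> <signature> <feature> <key>
# and returns 1 if the string does not have exactly that shape.
license_fields() {
    # A subshell keeps `set --` from clobbering the caller's arguments.
    ( set -- $1
      [ $# -eq 7 ] && [ "$1" = cplic ] && [ "$2" = putlic ] || exit 1
      printf '%s %s %s\n' "$3" "$4" "$6" )
}

# license_ip LICENSE_STRING
# Prints just the IP address the license was generated for; fails on a
# malformed string.
license_ip() {
    fields=$(license_fields "$1") || return 1
    printf '%s\n' "${fields%% *}"
}

# license_matches_host LICENSE_STRING MGMT_IP
# Returns 0 when the license was generated for MGMT_IP, 1 on a mismatch,
# 2 when the string is malformed. The reason is reported on stderr.
license_matches_host() {
    lic_ip=$(license_ip "$1") || { echo "malformed license string" >&2; return 2; }
    if [ "$lic_ip" = "$2" ]; then
        echo "license IP $lic_ip matches management server $2"
        return 0
    fi
    echo "license IP $lic_ip does not match management server $2; obtain a license generated for $2" >&2
    return 1
}

MGMT_IP=192.168.13.5   # constructed: the IP set in sysconfig during installation
GOOD_LICENSE='cplic putlic 192.168.13.5 1Jan2001 SAMPLE000-SAMPLE000-SAMPLE000-SAMPLE000 CPMP-IPS-5-NGX 00-EXAMPLE00000'
WRONG_LICENSE='cplic putlic 10.0.0.7 1Jan2001 SAMPLE000-SAMPLE000-SAMPLE000-SAMPLE000 CPMP-IPS-5-NGX 00-EXAMPLE00000'

license_matches_host "$GOOD_LICENSE" "$MGMT_IP"
```

Run it with the string copied from the User Center and the management IP configured in sysconfig before pasting the license into the License Manager; a mismatch means the license was generated for a different address and will not be usable on this server.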
In a Distributed Deployment, click Next to continue to the Add Alerts Concentrators page. In a Combined Deployment, the Alerts Concentrator installed with the Server will automatically be added.
Add Alerts Concentrators
Alerts Concentrators can be added now or later, but you must have at least one to proceed.
To add an Alerts Concentrator, click New.
The New Alerts Concentrator window appears:
Configure the Alerts Concentrator settings as follows:
1. In the Host field, type the Alerts Concentrator’s IP address or resolvable hostname.
2. Type and confirm the activation key that you specified during the Alerts Concentrator installation.
3. If there is a proxy server between the IPS-1 Server and the Alerts Concentrator, select Use Proxy and type the proxy’s connection and authentication information.
4. Make sure Receive Alerts is On.
5. If this Alerts Concentrator or the IPS-1 Server’s communication with it might be slower than others, select Avoid this server for help text. When an Alert Browser user right-clicks an alert and selects Alert Details, the IPS-1 Server first attempts to retrieve the Help Text from another Alerts Concentrator.
6. Click OK.
The Alerts Concentrator is added.
Note - Entering the Alerts Concentrator’s IP address is preferred, to better protect against DNS spoofing.
Note - If you don’t have the activation key, log onto the Alerts Concentrator and set the activation key with the set_activation_key command.
Completing IPS-1 Sensor Setup
Once the IPS-1 Sensor is installed and configured, for it to be managed and monitored by IPS-1 management, it needs to be added in the IPS-1 Management Dashboard.
In Policy Manager, add the Sensor to the IPS-1 system, as follows:
1. In Policy Manager’s Sensors and Concentrators tab, select the Alerts Concentrator to which you are adding the new Sensor and click New Sensor.
The Add New Sensor window appears.
2. Type the Sensor Name exactly as defined on the Sensor itself, and click Next.
3. Type the Sensor’s IP address or resolvable hostname.
4. Type and confirm the Activation Key, as defined during Sensor installation or in the Sensor’s Management Menu. Click Next.
Note - You can reset the Activation Key on the Sensor with the cpconfig command, or, in the case of an IPS-1 Power Sensor, by logging in as the nfr user.
5. Select the Local Network Addresses that you want the IPS-1 Sensor to protect from the list of Recently Used Values, and use the arrow buttons in the middle of the window to add, remove or change the order of the addresses in the list of Selected Host Types.
If your network does not appear in the Recently Used Values list, type the network address and netmask information into the field at the bottom of the window and press Enter.
When all of your network addresses are listed in the Selected Host Types, click Next.
6. Select the Local Broadcast Addresses for the protected networks from the Recently Used Values, and use the arrow buttons in the middle of the window to add or remove addresses from the list of Selected Host Types.
If your broadcast address does not appear in the Recently Used Values list, type the broadcast address into the field at the bottom of the window and press Enter.
When all of your broadcast addresses are listed in the Selected Host Types, click Next.
7. Click New to assign descriptive names to your interfaces.
The Edit Interface Description window appears.
Enter the raw interface name as it is listed in the Sensor, and enter the descriptive name that you want to assign to that interface. Click OK.
8. Once you have finished modifying the names of the interfaces, press Finish to add the new Sensor to the Alerts Concentrator.
9. To apply the changes, click Install Policy.
For configuring protections and other settings, see the IPS-1 Administration Guide.
Where To From Here?
You have now learned the basics that you need to get started. The next step is to obtain more advanced knowledge of your Check Point software. Information regarding configuration and deployment of IPS-1 can be found in the Check Point IPS-1 Administration Guide.
Check Point documentation is available in PDF format on the Check Point CD and the Technical Support download site at: http://support.checkpoint.com
Be sure to also use the Check Point Online Help when you are working with the Check Point SmartConsole clients.
For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at: http://support.checkpoint.com
Chapter 6 Installing the Eventia Suite
In This Chapter
Eventia Suite Installation page 128
Standalone Installation vs. Distributed Installation page 129
Standalone Installation page 130
Distributed Installation page 133
Enabling Connectivity Through a Firewall page 136
Preparing Eventia Suite in SmartCenter page 138
Preparing Eventia Suite on Provider-1 MDS page 140
Eventia Suite Installation
This chapter covers installing Eventia Suite. Eventia Suite consists of:
• Eventia Reporter, which consists of the Eventia Reporter Server and the Eventia Reporter Client.
• Eventia Analyzer, which consists of the Eventia Analyzer Server, Correlation Unit and the Eventia Analyzer Client.
For Hardware Requirements and Supported Platforms please refer to the Release Notes document.
This installation process consists of three phases:
1. Install Eventia Suite.
2. Prepare Eventia Suite in SmartCenter (refer to “Preparing Eventia Suite in SmartCenter” on page 138).
3. Configure Eventia Suite (refer to the Eventia Analyzer and Eventia Reporter User Guides respectively).
Standalone Installation vs. Distributed Installation
Eventia Reporter can be installed in either a “Standalone” installation or a “Distributed” installation, while the Eventia Analyzer can only be installed on a “Distributed” installation:
• Standalone installation — Eventia Reporter is installed on the same machine as SmartCenter server.
• Distributed installation — Eventia Reporter and Eventia Analyzer are installed on a machine dedicated to reporting.
• When working with Provider-1/SiteManager-1 or SmartCenter on Nokia, Eventia must be installed on a separate machine (distributed).
A distributed installation requires establishing Secure Internal Communication (SIC) between the two machines. The distributed installation is recommended for better performance.
Installing Eventia Suite on Multiple Versions of SmartCenter Management
Eventia Suite in a Distributed installation can work with multiple versions of SmartCenter Management from R54 and up.
When installed on a Distributed deployment, Eventia Suite recognizes all the Network Objects in the SmartCenter Management database via an internal process referred to as dbsync. With dbsync Eventia Suite can recognize objects from multiple versions (that is, from R54 and up).
Note - For Eventia Suite to read logs from a distributed log server, the database must be installed on the log server after the Eventia Suite installation is complete.
Standalone Installation
In This Section
Windows Platform page 130
Solaris & Linux Platforms page 132
SecurePlatform page 132
Windows Platform
1. To install, log in as an administrator and launch the wrapper by double-clicking on the setup executable.
2. Click Next, and accept the terms of the license agreement.
3. Select either:
• Check Point Power
• Check Point UTM
Click Next.
4. Select New Installation.
5. From the Products list, select Eventia Suite. SmartCenter is automatically installed along with Eventia Reporter.
SmartCenter Server is needed because of its log server component.
6. Specify the type of SmartCenter Server to install:
• Primary SmartCenter
• Secondary SmartCenter
• Log Server
If you want a distributed deployment, select Log Server. If you want a standalone deployment, select Primary SmartCenter.
7. From the list of Eventia Suite components, select Eventia Reporter.
8. Click Next, and a list of products to install is displayed.
9. Verify the default install directory, or browse to a new location.
10. The Check Point Configuration program, CPConfig, opens.
11. Select Add and enter the Product License information provided by Check Point. Alternatively, you may use the 15-day evaluation license. Select OK, and then Next.
12. The Administrators window appears. Select Add and enter the administrator name and password. Select OK. Then set permissions for the administrator. Add more administrators if you like, and then select Next.
13. The GUI Clients window appears. Type in the IP address for a machine that will run the Eventia Analyzer Client in the Remote Hostname field. Select Add. Add more GUI Clients if you like, and then select Next.
14. To ensure secure communication between the Eventia Analyzer and SmartCenter servers, an identical Activation Key must be set on both. Enter a Secure Internal Communication (SIC) activation key and record it to be entered later on the SmartCenter server. Select Finish.
Return to the wrapper.
15. To complete the installation of the Eventia Reporter and to continue with the next phase of the installation, click Next and reboot the machine.
16. Launch SmartDashboard.
17. Install the Security Policy (Policy > Install) or install the database (Policy > Install Database).
Solaris & Linux Platforms
1. Mount the CD on the relevant subdirectory.
2. In the mounted directory, run the script: UnixInstallScript.
3. Read the End-User License Agreement (EULA) and if you accept click Yes.
4. Select whether you would like to perform an upgrade or create a new installation.
5. Continue from step 5 on page 130 in order to complete the installation.
SecurePlatform
1. After you install SecurePlatform from the CD, select the Eventia Reporter product from cpconfig or from the SecurePlatform Web GUI.
2. Select whether you would like to perform an upgrade or create a new installation.
3. Continue from step 5 on page 130 in order to complete the installation.
Distributed Installation
In a distributed installation, Eventia Suite and SmartCenter server are installed on separate machines.
Windows Platform
On the machine that will hold the Eventia Suite:
1. Log in as an administrator and launch the wrapper by double-clicking on the setup executable.
2. Click Next, and accept the terms of the license agreement.
3. Select either:
• Check Point Power
• Check Point UTM
Click Next.
4. Select New Installation.
5. From the Products list, select Eventia Suite.
6. Specify Log Server as the type of SmartCenter Server to install. SmartCenter Server is needed because of its log server component.
7. From the list of Eventia Suite components, select the components that you want to install (Eventia Analyzer Server, Eventia Correlation Unit, Log Consolidator).
8. Click Next, and a list of products to install is displayed.
9. Verify the default install directory, or browse to a new location.
10. The Check Point Configuration program, CPConfig, opens.
11. Select Add and enter the Product License information provided by Check Point. Alternatively, you may use the 15-day evaluation license. Select OK, and then Next.
12. The Administrators window appears. Select Add and enter the administrator name and password. Select OK. Then set permissions for the administrator. Add more administrators if you like, and then select Next.
13. The GUI Clients window appears. Type in the IP address for a machine that will run the Eventia Analyzer Client in the Remote Hostname field. Select Add. Add more GUI Clients if you like, and then select Next.
14. To ensure secure communication between the Eventia Analyzer and SmartCenter servers, an identical Activation Key must be set on both. Enter a Secure Internal Communication (SIC) activation key and record it to be entered later on the SmartCenter server. Select Finish.
Return to the wrapper.
15. To complete the installation of Eventia Suite and continue with the next phase of the installation, click Next and reboot the machine.
Solaris & Linux & SecurePlatform
1. Mount the CD from the relevant subdirectory and launch the wrapper.
2. From the list of Eventia Suite components, select the components that you want to install (Eventia Analyzer Server, Eventia Correlation Unit, Log Consolidator).
3. When prompted, perform a short random keystroke session to collect random data for cryptographic operations.
4. When prompted, create an activation key. Remember this key for later.
5. Enter Finish to complete the installation.
Enabling Connectivity Through a Firewall
Certain additions to the Rule Base need to be made if a Firewall exists between any Eventia Suite components and the Management Server, and either of the following conditions apply:
• the management is prior to NGX (R60)
• the implied rules have been disabled
If either of these conditions is true, modify the Rule Base to enable connectivity between components as follows:
Table 6-3 Additions to the Rule Base to Enable Connectivity
Source                                            Destination                                       Service
Eventia Analyzer Client                           Eventia Analyzer Server                           CPMI
Eventia Reporter Client                           Eventia Reporter Server                           CPMI
Management Server                                 Eventia Analyzer and Reporter Server              CPMI, FW1_ica_push
Eventia Analyzer Server                           Management Server                                 FW1_sam
Eventia Analyzer Server                           Correlation Unit                                  CPD, CPD_amon
Correlation Unit                                  Eventia Analyzer Server                           CPD_seam (TCP/18266)
Third-party devices that issue syslog messages    Log Server enabled to receive syslog messages     UDP syslog
For NGX SmartCenter or above, the following rule needs to be added to the Rule Base if a firewall exists between any Eventia Analyzer components and the Management Server:
Source                Destination         Service
Correlation Unit      Log Server          LEA
Preparing Eventia Suite in SmartCenter
1. Launch SmartDashboard.
2. Create a new host for each Eventia Suite machine that contains an Eventia Suite component:
Manage > Network Object > New > Check Point > Host
3. In the General Properties window, click Communication and enter the activation key.
4. The version is not automatically entered if the Eventia Suite’s version is newer than SmartCenter. If so, select the most recent version available from the Version drop-down list.
5. In the Check Point product list, select the appropriate Eventia Suite component that you installed on the host that you created in step 2. If the SmartCenter version is pre-NGX, select both SmartView Reporter and Log Server in place of Eventia Analyzer Server or Eventia Correlation Unit.
6. Install the Security Policy (Policy > Install) or install the database (Policy > Install Database) to make the Eventia Suite functional. This must be performed in order for Eventia Analyzer to function as a log server.
7. To enable the log server on the Eventia server, perform Install Database in SmartDashboard and select the Eventia server as one of the targets.
Working with R55 SmartCenter Server
To enable Eventia Analyzer to block attacks from specific IP addresses, SmartCenter servers of version R55 must be configured to accept SAM commands from the Eventia Analyzer.
On the Management Server, edit $CPDIR\conf\sic_policy.conf. Under [Inbound rules], add the following line under # sam proxy:
DN_Mgmt ; Reporting_Tool; Any; sam ; sslca
Preparing Eventia Suite on Provider-1 MDS
Preparing Eventia Suite on Provider-1 MDS varies according to the version you are currently working with. Refer to the appropriate section below based on your version of Provider-1.
For Provider-1/SiteManager-1 Version R55
In Provider-1/SiteManager-1 R55, Eventia Suite can read the logs of multiple CMAs with the use of putkey operations.
1. In the Provider-1/SiteManager-1 Global SmartDashboard, create a Check Point Host Object, name it, enter its IP address and enable the product SmartView Reporter.
2. Select Communication and enter the activation key you created during installation. Select Initialize to establish communication.
3. Select Close and OK.
4. From the File menu, select Save.
5. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.
Note - Do not run the Get Version operation. Instead, specify the most recent version possible.
6. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want the Eventia Suite to read logs.
7. To enable the syslog server, run the following commands from the command line of the Eventia machine:
a. syslog -r
b. cpstop
c. cpstart
8. On the Eventia Suite machine and/or the Correlation Unit machine that will read logs from a CMA, run the command cpstop.
9. Edit the file sic_policy.conf, which is located in the directory $CPDIR/conf. Search for the section [Outbound rules], and change the following lines from:
# for log_export tool and Abacus analyzer
ANY ;ANY ;ANY; lea ; sslca
to:
# for log_export tool, Eventia Analyzer Provider-1
ANY ;ANY ;ANY; lea ; ssl , sslca
10. On the Eventia Suite machine, run the command cpstart.
11. On the Provider-1/SiteManager-1 MDS, run the command mdsstop.
Note - Wait a couple of minutes for the objects to synchronize between the MDS and Eventia Analyzer.
Note - Be sure to insert ssl , before sslca.
12. Edit the file sic_policy.conf, which is located in the directory $CPDIR/conf. In the section [Inbound rules], locate the following two lines:
# log export to DB utility (lea client from any SVN host)
ANY ; CP_PRODUCT; ANY; lea ; sslca
Add the following rule after these lines:
ANY ;ANY ;ANY; lea ; ssl
13. Run the command mdsstart.
14. Execute the putkey operation in the following manner:
a. On the Eventia Suite machine, run cpstop and fw putkey -p [shared_password] [CMA_IP].
b. On the MDS, while in the CMA environment, run mdsstop_customer [CMA_IP] and fw putkey -p [shared_password] [Eventia Suite Server_IP].
c. Run mdsstart_customer [CMA_IP] on the CMA.
d. Run cpstart on the Eventia Suite machine.
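As an added example (not Check Point's code), the following Python script makes the sic_policy.conf edits this chapter describes: the SAM proxy rule for an R55 SmartCenter Server, and steps 9 and 12 of the R55 Provider-1 procedure above, each as a function that can be re-run without duplicating lines. It assumes the file layout visible in the quoted fragments ([Section] headers, # comment lines, ';'-separated rule fields with a comma-separated list of authentication methods last); the sample file is constructed.

```python
"""Idempotent editor for the sic_policy.conf changes described in this chapter.

Added example; not Check Point code. The file format is assumed from the
fragments quoted in the chapter: '[Section]' headers, '#' comment lines and
rule lines of ';'-separated fields whose last field is a comma-separated list
of authentication methods. The sample file below is constructed.
"""

SAMPLE_SIC_POLICY = """\
[Inbound rules]
# sam proxy
# log export to DB utility (lea client from any SVN host)
ANY ; CP_PRODUCT; ANY; lea ; sslca
[Outbound rules]
# for log_export tool and Abacus analyzer
ANY ;ANY ;ANY; lea ; sslca
"""

SAM_PROXY_RULE = "DN_Mgmt ; Reporting_Tool; Any; sam ; sslca"  # R55 SmartCenter
INBOUND_LEA_SSL_RULE = "ANY ;ANY ;ANY; lea ; ssl"              # MDS, step 12


def fields(line):
    """Split a rule line into its ';'-separated fields, whitespace trimmed."""
    return [f.strip() for f in line.split(";")]


def auth_methods(rule_line):
    """Return the comma-separated authentication methods of a rule line."""
    return [m.strip() for m in fields(rule_line)[-1].split(",")]


def section_bounds(lines, name):
    """Return (start, end) indexes of the body of [name]; end is exclusive."""
    start = None
    for i, line in enumerate(lines):
        if line.strip().lower() == "[%s]" % name.lower():
            start = i + 1
        elif start is not None and line.strip().startswith("["):
            return start, i
    if start is None:
        raise ValueError("section [%s] not found" % name)
    return start, len(lines)


def allow_ssl_on_outbound_lea(lines):
    """Step 9 (Eventia machine): 'ANY ;ANY ;ANY; lea ; sslca' -> '... lea ; ssl , sslca'."""
    start, end = section_bounds(lines, "Outbound rules")
    for i in range(start, end):
        if fields(lines[i])[:4] == ["ANY", "ANY", "ANY", "lea"]:
            methods = auth_methods(lines[i])
            if "ssl" not in methods:
                # Per the chapter's note, 'ssl ,' goes before 'sslca'.
                lines[i] = "ANY ;ANY ;ANY; lea ; " + " , ".join(["ssl"] + methods)
            return lines
    raise ValueError("outbound lea rule not found")


def insert_rule_after(lines, section, marker, new_rule):
    """Insert new_rule after the first line of [section] that marker() accepts; no-op if present."""
    start, end = section_bounds(lines, section)
    if any(fields(lines[i]) == fields(new_rule) for i in range(start, end)):
        return lines  # already there: safe to re-run
    for i in range(start, end):
        if marker(lines[i]):
            lines.insert(i + 1, new_rule)
            return lines
    raise ValueError("anchor for %r not found in [%s]" % (new_rule, section))


def add_inbound_lea_ssl_rule(lines):
    """Step 12 (MDS): add the ssl lea rule right after the CP_PRODUCT lea rule."""
    return insert_rule_after(
        lines, "Inbound rules",
        lambda ln: fields(ln)[:4] == ["ANY", "CP_PRODUCT", "ANY", "lea"],
        INBOUND_LEA_SSL_RULE)


def add_sam_proxy_rule(lines):
    """R55 SmartCenter: add the SAM rule under the '# sam proxy' comment."""
    return insert_rule_after(
        lines, "Inbound rules",
        lambda ln: ln.strip().lower().startswith("# sam proxy"),
        SAM_PROXY_RULE)


def apply_edits(text, edits):
    """Apply the edit functions in order to the file text and return the result."""
    lines = text.splitlines()
    for edit in edits:
        lines = edit(lines)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Each edit targets a different machine's file; here all three are shown on the sample.
    print(apply_edits(SAMPLE_SIC_POLICY, [allow_ssl_on_outbound_lea,
                                          add_inbound_lea_ssl_rule,
                                          add_sam_proxy_rule]))
```

Run each edit only on the machine the chapter names for it (the Eventia machine for step 9, the MDS for step 12, the R55 Management Server for the SAM rule), after the cpstop or mdsstop the steps call for, and keep a copy of the original file to diff against.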
Note - Enter the command mdsenv <customer_name> to switch to the appropriate CMA environment. To return to the MDS environment, enter the command mdsenv.
Note - Wait a few minutes for the putkey operation to complete.
For Provider-1/SiteManager-1 Version R60
1. In Global SmartDashboard, create a Check Point Host Object, name it, and enter its IP address.
2. Select Communication and enter the activation key you created during installation. Select Initialize to establish communication.
3. Select Close and OK.
4. Make sure that the product Eventia Reporter is enabled.
5. From the File menu, select Save.
6. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.
7. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want Eventia Analyzer or Reporter to read logs.
8. To enable the syslog server run the following commands from the command line of the Eventia server:
a. syslog -r
b. cpstop
c. cpstart
For Provider-1/SiteManager-1 Version R61 and Up
1. In Global SmartDashboard, create a Check Point Host Object, name it, and enter its IP address.
Note - Do not run the Get Version operation. Instead, specify the most recent version possible.
Note - Wait a couple of minutes for the objects to synchronize between the MDS and Eventia Suite.
2. Select Communication and enter the activation key you created during installation. Select Initialize to establish communication.
3. Select Close and OK.
4. Make sure that the appropriate products (Eventia Reporter, Eventia Analyzer Server, Eventia Correlation Unit and Log Server) are enabled.
5. In the properties of the new Host object, select Log and Masters > Additional Logging Configuration, and enable the property Accept Syslog messages.
6. From the File menu, select Save.
7. From the MDG, install Global Policy on all CMAs participating with Eventia Suite.
8. For each CMA participating with Eventia Suite, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the CMA from which you want Eventia Analyzer or Reporter to read logs.
Note - Do not run the Get Version operation. Instead, specify the most recent version possible.
Check Point Software Technologies Ltd.
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected] Headquarters: 5 Ha’Solelim Street,Tel-Aviv, 67895, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com
THIRD PARTY TRADEMARKS AND COPYRIGHTS
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.
Verisign is a trademark of Verisign Inc.
The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty. Copyright © Sax Software (terminal emulation only).
The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.
Copyright 1997 by Carnegie Mellon University. All Rights Reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The following statements refer to those portions of the software copyrighted by The Open Group.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group.
The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]).
Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
The curl license
COPYRIGHT AND PERMISSION NOTICE
Copyright (c) 1996 - 2004, Daniel Stenberg, <[email protected]>. All rights reserved.
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.
The PHP License, version 3.0
Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"
5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes PHP, freely available from <http://www.php.net/>".
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].
For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>.
This product includes software written by Tim Hudson ([email protected]).
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Copyright © 2003, 2004 NextHop Technologies, Inc. All rights reserved.
Confidential Copyright Notice
Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.
Trademark Notice
The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.
U.S. Government Restricted Rights
The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).
Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.
Warranty Disclaimer
THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.
Limitation of Liability
UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.
Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.
BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))
Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release
PCRE LICENCE
PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself.
Written by: Philip Hazel <[email protected]>
University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.
Copyright (c) 1997-2004 University of Cambridge All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Eventia Reporter includes software whose copyright is owned by, or licensed from, MySQL AB.