7/31/2019 VPN 1 Edge Embedded Management
http://slidepdf.com/reader/full/vpn-1-edge-embedded-management 1/46
Check Point® VPN-1 Edge/Embedded Management Solutions
For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at
https://secureknowledge.checkpoint.com
See the latest version of this document in the User Center at
http://www.checkpoint.com/support/technical/documents/docs_r60.htm
Part No.: 701308
April 2005
Check Point Software Technologies Ltd.
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected]
Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com
© 2003-2005 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
©2003-2005 Check Point Software Technologies Ltd. All rights reserved.
Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.
THIRD PARTIES:
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.
Verisign is a trademark of Verisign Inc.
The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided "as is" without express or implied warranty. Copyright © Sax Software (terminal emulation only).
The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.
Copyright 1997 by Carnegie Mellon University. All Rights Reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The following statements refer to those portions of the software copyrighted by The Open Group.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group.
The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper. Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
The curl license
COPYRIGHT AND PERMISSION NOTICE
Copyright (c) 1996 - 2004, Daniel Stenberg, <[email protected]>. All rights reserved.
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.
The PHP License, version 3.0
Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo".
5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes PHP, freely available from <http://www.php.net/>".
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].
For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>.
This product includes software written by Tim Hudson ([email protected]).
Copyright (c) 2003, Itai Tzur <[email protected]>
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Copyright © 2003, 2004 NextHop Technologies, Inc. All rights reserved.
Confidential Copyright Notice
Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.
Trademark Notice
The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.
U.S. Government Restricted Rights
The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).
Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.
Warranty Disclaimer
THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.
Limitation of Liability
UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.
Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.
BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))
Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release
Table Of Contents

Chapter 1 Introduction to VPN-1 Edge/Embedded Appliances
Introduction 7
The Need for Security & VPN Solutions for Different Sized Organizations 8
The Check Point Solution for VPN-1 Edge & VPN-1 Embedded Appliances 8
Finding the Right Check Point Management Solution 9
An Overview of VPN-1 Edge/Embedded 11
VPN-1 Edge and Embedded Device Functionality 14

Chapter 2 Installation and Configuration
Introduction to the Installation and Configuration Processes 17
Before You Begin 17
Overview of Workflow for SmartCenter Management Solution 18
Overview of Workflow for SmartLSM Management Solution 18
Configuration Operations 20
Installing and Configuring VPN-1 Edge/Embedded Appliances 20
Installing and Configuring VPN-1 Edge/Embedded in SmartCenter 20
Creating and Working with VPN-1 Edge/Embedded objects for SmartCenter 21
Creating and Working with VPN-1 Edge/Embedded objects for SmartLSM 28
Creating a Security Policy for the VPN-1 Edge/Embedded Appliance 31
Security Policy Operations 32
Managing VPN-1 Edge/Embedded Devices with SmartCenter Server 33
Remote Login to the SmartCenter Server 34
Configuring VPN in SmartCenter 35
Viewing Logs in the SmartView Tracker 42
Downloading the Latest Firmware from SmartUpdate 43
CHAPTER 1
Introduction to VPN-1 Edge/Embedded Appliances
In This Chapter
Introduction page 7
The Need for Security & VPN Solutions for Different Sized Organizations page 8
The Check Point Solution for VPN-1 Edge & VPN-1 Embedded Appliances page 8

Introduction
Thank you for using Check Point VPN-1 Edge and VPN-1 Embedded appliances, which provide secure connectivity and VPN solutions at affordable prices. Check Point's VPN-1 Edge appliances, which include the X-series and S-series appliances, are easy to install and user-friendly. Together with the VPN-1 Embedded appliances (such as the Nokia and NEC devices), they integrate seamlessly and securely with the Check Point management solutions SmartCenter, Provider-1 and SmartLSM.

This document describes how your VPN-1 Edge and VPN-1 Embedded appliances are managed using the various Check Point management solutions (SmartCenter, Provider-1 and SmartLSM). It also describes the Check Point features that the VPN-1 Edge and other Embedded appliances support, and how to use these appliances for your VPN solutions.
The Need for Security & VPN Solutions for Different Sized Organizations

All enterprises and organizations, large and small, require tailor-made security and VPN solutions for the management of their remote sites and branch offices. These solutions must take into consideration that remote sites or branch offices:
• do not necessarily need enterprise-size solutions, or enterprise-size costs, for their moderate-sized employee base.
• do not require advanced Security Policy and VPN configurations, but do require full security and connectivity.
• do not necessarily employ a full-time security administrator, and are not necessarily looking to manage a VPN-1 Pro or VPN-1 Express module themselves.

What these businesses require is a solution that offers connectivity and security at an affordable rate, that is easy to integrate into the existing infrastructure, and that is easy to use.
The Check Point Solution for VPN-1 Edge & VPN-1 Embedded Appliances

VPN-1 Edge is a series of appliances offered by Check Point that provides both security and VPN solutions which are affordable, easy to configure and simple to manage, for securing enterprise remote sites and large-scale VPN deployments. In addition, Check Point supports management of other VPN-1 Embedded appliances.

VPN-1 Edge appliances and VPN-1 Embedded appliances support SMART management and can be used in conjunction with VPN-1 Pro and VPN-1 Express.

VPN-1 Edge and VPN-1 Embedded appliances enable enterprise customers to quickly and easily create a seamless Check Point Internet security infrastructure. These appliances can be centrally managed and easily incorporated into existing infrastructures. They have no moving parts, are easy to use, and do not compromise either connectivity or security.
Finding the Right Check Point Management Solution
The VPN-1 Edge and VPN-1 Embedded appliances can be managed using any one of the following Check Point management solutions: SmartCenter (Pro or Express), Provider-1 or SmartLSM.

• SmartCenter is considered the standard VPN-1 Edge and Embedded management solution and is often used in conjunction with SmartLSM. SmartCenter management is useful for organizations with branch offices that are looking for affordable alternatives and basic security and VPN solutions for each branch office. Each VPN-1 Edge or VPN-1 Embedded appliance is represented by an object, called the VPN-1 Edge/Embedded Gateway, which is created and managed in SmartDashboard.

FIGURE 1-1 SmartCenter Deployment

• SmartLSM is an extension of SmartCenter that provides administrators with an effective means of provisioning and managing hundreds or thousands of VPN-1 Edge/Embedded ROBO (Remote Office/Branch Office) Gateways. VPN-1 Edge/Embedded Profiles and Profile policies are defined in SmartDashboard; the VPN-1 Edge/Embedded ROBO Gateways themselves are provisioned and managed via the SmartLSM console application. For more information see the SmartLSM Guide.
FIGURE 1-2 SmartLSM Deployment
• Provider-1 is used by large enterprises and by Managed Service Providers to centrally manage multiple, fully customized customer domains. VPN-1 Edge/Embedded appliances are integrated transparently with this management solution. The management capabilities of a Provider-1 CMA (Customer Management Add-On) are equivalent to those of the SmartCenter Server, including the SmartLSM extension. Global VPN Communities are currently not supported for VPN-1 Edge/Embedded appliances.
FIGURE 1-3 Provider-1 Deployment
An Overview of VPN-1 Edge/Embedded
In This Section
VPN-1 Edge versus VPN-1 Embedded page 11
Advantages of the VPN-1 Edge/Embedded Appliances page 12
Overview of a Typical Workflow page 13

VPN-1 Edge versus VPN-1 Embedded

Check Point's VPN-1 Edge appliances are available in the following series:
• S-series, ideal for telecommuters and small remote offices that require remote access VPN. This series has a stateful inspection firewall.
• X-series, ideal for sites requiring site-to-site VPN. This series also delivers additional capabilities such as high performance, high availability, support for multiple ISPs and automatic recovery.
7/31/2019 VPN 1 Edge Embedded Management
http://slidepdf.com/reader/full/vpn-1-edge-embedded-management 12/46
The Check Point Solution for VPN-1 Edge & VPN-1 Embedded Appliances
12
• W-series, provides secure wireless connectivity for remote sites, branch offices, and
partner sites by integrating a secure wireless access point with market-leading
VPN-1/FireWall-1 technology, high availability support, and simple Web-based
setup.
The following VPN-1 Embedded appliances are also supported:
• Nokia’s IP30 and IP40
• NEC’s SecureBlade, SecureBlade 300
Whatever the series, the VPN-1 Edge/Embedded appliances support any of the Check Point management solutions (SmartCenter, SmartLSM, Provider-1). Apart from their own seamless integration and ease of use, they also benefit from most of the advantages of any regular VPN-1 Pro gateway.
Advantages of the VPN-1 Edge/Embedded Appliances
There are several distinct advantages to working with VPN-1 Edge/Embedded devices.
The features that are supported depend on the device that you own:
• Installation, Integration and Configuration - The VPN-1 Edge appliance itself is easy to install and configure. Moreover, the VPN-1 Edge/Embedded appliance can be used immediately once SmartCenter (Pro or Express) has been installed. The appliance is “diskless”: it contains pre-configured software and can be used out-of-the-box.
• VPN - VPN-1 Edge/Embedded appliances can be implemented in Check Point VPN-1 solutions, which offer full encryption and authentication capabilities. These appliances can participate as a peer Gateway in the corporate VPN with just one click. The appliances can participate in a Site-to-Site Community (either Star or Meshed), or as a Remote Access client. For more information on building VPN Communities, see the VPN Guide.
• Security - A Security Policy can be enforced on VPN-1 Edge/Embedded appliances. Some of the security highlights include support of Check Point’s patented Stateful Inspection, Anti-spoofing, DoS protection and H.323 VoIP. Some of the networking highlights include DHCP, NAT support and Access Control.
• Logging and gleaning the status of appliances - The status and traffic of the VPN-1 Edge/Embedded appliances can be monitored and logged using the Check Point SmartConsole clients: SmartView Tracker and SmartView Status. These tools can be used for troubleshooting purposes.
• Centralized upgrading - The firmware of the VPN-1 Edge/Embedded device can be upgraded automatically through Check Point SmartUpdate support.
Overview of a Typical Workflow
1 Install the VPN-1 Edge and/or Embedded appliance. For more information see
your vendor documentation.
2 Create objects to represent these appliances in the respective management solution
(for example, SmartLSM, etc.). This includes the creation of a VPN-1
Edge/Embedded Profile and a Gateway, where the latter is the network object that
represents the VPN-1 Edge/Embedded appliance.
3 The initial configuration of the appliance and the connection to the SmartCenter Server is done via a Web GUI called the VPN-1 Edge/Embedded portal (http://my.firewall). It is imperative that trust is established between the SmartCenter and the device so that they can communicate freely and securely. Moreover, the device must connect to the SmartCenter Server in order for the management operations carried out by the SmartCenter Server to be applied. This establishment of trust is equivalent to the SIC (Secure Internal Communication) process that takes place in SmartCenter between regular gateways and the SmartCenter Server.
4 Perform management operations. All the management operations, such as defining VPN relations with other gateways, fetching a policy or updating the software version embedded in the appliance (its firmware, as it is called), are performed by the SmartCenter Server using any one (or a combination) of the Check Point management solutions (SmartDashboard, SmartLSM or Provider-1), or via the Command Line.
SmartCenter uses an encrypted UDP-based protocol (called SWTP_SMS or SWTP_Gateway) in order to communicate with the VPN-1 Edge/Embedded appliance. This protocol is allowed by an implied rule in the Security Policy. For more about SmartCenter management, see the SmartCenter Guide.
VPN-1 Edge and Embedded Device Functionality
In This Section
VPN-1 Edge/Embedded Appliances: VPN Communities and Management page 14
VPN-1 Edge/Embedded and Packet Filtering FireWall page 15
Logging in the SmartView Tracker page 15
Viewing the Status of VPN-1 Edge/Embedded Appliances & VPN Creation page 16
Upgrading VPN-1 Edge/Embedded Appliance Firmware using SmartUpdate page 16
VPN-1 Edge/Embedded Appliances: VPN Communities and Management
VPN-1 Edge/Embedded Gateways can participate in two types of VPN communities: Site-to-Site and Remote Access. These communities are explained in more detail in the VPN Guide.
Site-to-Site
Unless otherwise stated, VPN-1 Edge and Embedded Device Gateways are added to communities and participate in the VPN tunnel in the same manner as all VPN-1 Pro Gateway objects; they are added, like regular participating gateways, to the VPN community (Star or Meshed). Consult the VPN Guide for more information on building VPN between Gateways.
Note - On SmartCenter Express, any VPN-1 Edge/Embedded appliance that is connecting using Site-to-Site VPN is considered to be an additional managed site; therefore, you are required to obtain an additional license.
VPN-1 Edge/Embedded as a Remote Access Client
You can configure the VPN-1 Edge/Embedded appliance to act as a remote client by adding it to a Remote Access Community. This is an atypical VPN configuration: the VPN-1 Edge/Embedded Gateway is added to the VPN community as a member of a User group. This User group is created by default and is called VPN-1 Embedded devices defined as Remote Access. All machines deployed behind the VPN-1 Edge/Embedded Gateway also function as Remote Access Clients, which means that all traffic from these machines is tunneled as well.
VPN-1 Edge/Embedded Managed by an External Management Server
VPN-1 Edge/Embedded Gateway objects that are managed by an external Management Server can be defined. These objects can be used in VPN communities. Typically, externally managed gateways are used in Extranet scenarios with partners, or with additional Management Servers.
VPN-1 Edge/Embedded and Packet Filtering FireWall
VPN-1 Edge/Embedded appliances use Check Point’s Stateful Inspection technology
just like regular VPN-1 Pro Gateways.
Gateways that are used in the Rule Base get their Security Policy from the SmartCenter Server. This policy enforces the manner in which connections are allowed (or not allowed) to pass to and from the VPN-1 Edge/Embedded appliance.
Access Control is used to determine the resources and services that are authorized to be used. This access authorization sets the level of security. Rules are attributed to VPN-1 Edge/Embedded gateways by installing the rule on a specific gateway. For more about Access Control, see the FireWall and SmartDefense Guide.
VPN-1 Edge/Embedded appliances can be used with the following actions in the Security Policy Rule Base: Accept, Drop and Reject.
Logging in the SmartView Tracker
VPN-1 Edge logs can be generated and sent to a logging server. This server consolidates all VPN-1 Edge logs in the SmartView Tracker. You can view regular logs and audit logs (for management operations) in the SmartView Tracker. You can use these logs to troubleshoot and to confirm that connections are passing to and from the VPN-1 Edge/Embedded appliance according to what is specified in the Security Policy. SmartView Tracker has a pre-defined query called VPN-1 Edge/Embedded which can be used to focus specifically on the logs generated by the appliances.
Since the VPN-1 Edge/Embedded Gateway fetches at periodic intervals, you will notice that logs appear in the SmartView Tracker only after the periodic interval has passed.
Viewing the Status of VPN-1 Edge/Embedded Appliances & VPN Creation
Use the SmartView Monitor in order to learn more about the status of the VPN-1 Edge/Embedded appliances. SmartView Monitor is available to both VPN-1 Pro and Check Point Express customers. SmartLSM customers may view the status of their objects in SmartView Monitor, or in the SmartLSM SmartConsole.
Note - SmartLSM is only available to VPN-1 Pro customers.
Upgrading VPN-1 Edge/Embedded Appliance Firmware using SmartUpdate
The firmware of the VPN-1 Edge/Embedded Gateway represents the software that is running on the appliance. The VPN-1 Edge/Embedded Gateway’s firmware can be viewed and upgraded using SmartUpdate. This is a centralized management tool which is used to upgrade all modules in the system by downloading new versions from the download center. When installing new firmware, the firmware is prepared at the SmartCenter Server, downloaded and subsequently installed when the VPN-1 Edge/Embedded Gateway fetches for updates. Since the VPN-1 Edge/Embedded Gateway fetches at periodic intervals, you will notice the upgraded version on the gateway only after the periodic interval has passed.
CHAPTER 2
Installation and Configuration
In This Chapter
Introduction to the Installation and Configuration Processes page 17
Before You Begin page 17
Overview of Workflow for SmartCenter Management Solution page 18
Overview of Workflow for SmartLSM Management Solution page 18
Configuration Operations page 20
Introduction to the Installation and Configuration Processes
The installation and configuration process depends on a number of factors: the management solution that you are using (SmartCenter, SmartLSM or Provider-1), the type of VPN community that you are configuring, and the type of device that you are using.
Before You Begin
Before you can work with the VPN-1 Edge/Embedded appliance, you need to install and configure it via the VPN-1 Edge/Embedded Portal. This is a Web GUI used expressly for the management of the appliance. Apart from the actual installation process, you need to perform a first-time login to the VPN-1 Edge/Embedded appliance via the portal. In this first-time login you set up the initial administrator permissions and an authorization permission, as well as the Internet connection itself. For more information, see the relevant vendor documentation.
Overview of Workflow for SmartCenter Management Solution
This workflow assumes that you have installed SmartCenter (Pro or Express). For more
information see the Getting Started Guide for NGX R60 .
The following workflow represents the order in which you should work with the
VPN-1 Edge and Embedded appliances. More details about each step in the workflow
can be found in this document.
1 Install and configure the VPN-1 Edge or Embedded appliance. Consult with the
relevant vendor documentation for more information. If you are setting up the
appliance on the network, make sure that it is successfully connected.
2 In SmartDashboard:
• Create the VPN-1 Edge/Embedded Gateways. Make sure that you set up the VPN-1 Edge/Embedded appliance’s topology properly and add the Gateway to a VPN Community.
• Create rules for your objects and install the Security Policy. This step should be repeated whenever a modification to the VPN-1 Edge/Embedded objects is made.
3 On the VPN-1 Edge/Embedded portal, define your SmartCenter Server as the VPN-1 Edge/Embedded appliance’s management server. This means that the SmartCenter Server is now responsible for managing the appliance, including VPN relations, Access Control, Licensing and updates. The communication between the SmartCenter Server and the VPN-1 Edge/Embedded appliance is secured.
Overview of Workflow for SmartLSM Management Solution
This workflow assumes that you have installed SmartCenter Pro. For more information
see the Getting Started Guide for NGX R60 .
The following workflow represents the order in which you should work with the VPN-1 Edge and Embedded appliances. More details about each step in the workflow can be found in this document.
1 Install and configure the VPN-1 Edge or Embedded appliance. Consult with the
relevant vendor documentation for more information. If you are setting up the
appliance on the network, make sure that it is successfully connected.
2 To enable SmartLSM, run the command LSMenabler on on the SmartCenter Server Pro.
3 In SmartDashboard:
• Create a SmartLSM VPN-1 Edge/Embedded Profile. When creating the profile you can specify the VPN community in which you would like the profile to participate. This step can also take place at a later stage.
• Create one or more dynamic objects to be enforced on the VPN-1 Edge/Embedded ROBO Gateway.
• Create rules for your objects and install the Security Policy. This step should be repeated whenever a modification to the VPN-1 Edge/Embedded ROBO objects is made. (This step needs to take place after you have created the VPN-1 Edge/Embedded ROBO Gateway in SmartLSM.)
• Close SmartDashboard.
4 In SmartLSM, create a VPN-1 Edge/Embedded ROBO Gateway, add the dynamic object to the VPN-1 Edge/Embedded ROBO Gateway and update the CO (Corporate Office) Gateway. For more information see the SmartLSM Guide.
5 On the VPN-1 Edge/Embedded portal, define your SmartCenter Server as the VPN-1 Edge/Embedded appliance’s management server. This means that the SmartCenter Server is now responsible for managing the appliance, including VPN relations, Access Control, Licensing and updates. The communication between the SmartCenter Server and the VPN-1 Edge/Embedded appliance is secured.
Note - In SmartLSM, the profile associated with the VPN-1 Edge/Embedded Gateway can only
participate in a Star community for Site-to-Site configuration.
Configuration Operations
In This Section
Installing and Configuring VPN-1 Edge/Embedded in SmartCenter page 20
Creating and Working with VPN-1 Edge/Embedded objects for SmartCenter page 21
Creating and Working with VPN-1 Edge/Embedded objects for SmartLSM page 28
Creating a Security Policy for the VPN-1 Edge/Embedded Appliance page 31
Security Policy Operations page 32
Managing VPN-1 Edge/Embedded Devices with SmartCenter Server page 33
Remote Login to the SmartCenter Server page 34
Configuring VPN in SmartCenter page 35
Configuring VPN-1 in SmartLSM page 41
Viewing Logs in the SmartView Tracker page 42
Downloading the Latest Firmware from SmartUpdate page 43
Installing and Configuring VPN-1 Edge/Embedded Appliances
For information on how to install, configure and work with the VPN-1 Edge/Embedded Appliance, consult the relevant vendor documentation.
Installing and Configuring VPN-1 Edge/Embedded in SmartCenter
VPN-1 Edge support is enabled automatically during the installation of the SmartCenter Server (Pro or Express), for version NGX R60. There is no need to install any additional component.
Note - VPN-1 Edge cannot be managed from a SmartCenter Server running on Nokia.
Creating and Working with VPN-1 Edge/Embedded objects for SmartCenter
A VPN-1 Edge/Embedded Gateway object which represents the VPN-1
Edge/Embedded Appliance should be defined in SmartDashboard in order for the
SmartCenter Server to be able to manage the VPN-1 Edge/Embedded appliance:
Create the VPN-1 Edge/Embedded Gateway which represents the VPN-1
Edge/Embedded appliance and associate it with a VPN-1 Edge/Embedded Profile. See
“Creating a VPN-1 Edge/Embedded Gateway” on page 21. During this process you
must assign the previously created profile to the VPN-1 Edge/Embedded Gateway that
is being created.
Creating a VPN-1 Edge/Embedded Gateway
A VPN-1 Edge/Embedded Gateway object is a network object that represents a VPN-1
Edge/Embedded appliance. This Gateway sits on the network and can be managed by
the SmartCenter Server or by an external management server.
1 In the Network Objects tab of the Objects Tree create a new VPN-1 Edge/Embedded Gateway.
FIGURE 2-1 Defining a VPN-1 Edge/Embedded Gateway
2 In the VPN-1 Edge/Embedded Gateway - General page, configure (FIGURE 2-2):
• the general settings of the window, including its name and IP Address (whether static or dynamic), the VPN-1 Edge/Embedded Profile and version information (Type). It is very important to select the exact version of your appliance. It is also necessary to define a Password (also known as a Registration Key). This password is used for encryption and authentication purposes.
• the VPN settings: to allow the VPN-1 Edge/Embedded Gateway to become a member of a VPN community, select the VPN Enabled check box and select the VPN Community type (whether Site to Site or Remote Access).
• the management settings: if this Gateway is managed by an external server, check Externally Managed Gateway.
FIGURE 2-2 New VPN-1 Edge/Embedded Gateway configured for Site-to-Site VPN-1
3 In the VPN-1 Edge/Embedded Gateway - Topology page (FIGURE 2-3), the topology is set automatically because it represents the hard-coded topology of the device.
The set topology includes the following three interfaces (two internal and one
external):
• DMZ represents a logical second network behind the Safe@Office appliance.
You must connect DMZ computers to the LAN ports. DMZ is a dedicated
Ethernet port (RJ-45) used to connect a DMZ (Demilitarized Zone) computer
or network. Alternatively, the DMZ can serve as a secondary WAN port.
• LAN represents the private network. LAN 1-4 Local Area Network switch:
Four Ethernet ports (RJ-45) are used for connecting computers or other
network devices.
• WAN represents the external interface to the router. A WAN interface card is a network interface card (NIC) that allows devices to connect to a wide area network. Wide Area Network (WAN): An Ethernet port (RJ-45) used for connecting your cable or xDSL modem, or for connecting a hub when setting up more than one Internet connection.
Although these three interfaces automatically appear in the Topology window, they are not associated with an IP address and a Network Mask.
If you deselect the Dynamic Address option in the General Properties window and add a static IP address, the WAN automatically receives the specified static IP address and its Network Mask is 255.255.255.255.
The Type drop-down list in the General Properties window defines the hardware type and its associated topology. Currently all hardware types share the same topology. Every hardware type has one external interface and two internal interfaces. It is possible to add only one additional external interface.
Once you have defined the general settings as well as the topology definitions of the VPN-1 Edge/Embedded Gateway, a certificate is automatically created.
For managed devices it is essential to specify the correct network. When managing multiple devices it is better to define the networks on the devices, so as to ensure that the networks do not overlap one another.
For externally managed devices, the networks specified depend upon both the NAT settings on the other side and the agreed configuration.
Note - Pre-Shared Secrets work in conjunction with Static IP Addresses only.
FIGURE 2-4 Configuring the VPN settings
5 In the VPN-1 Edge/Embedded Gateway - Content Filtering page (FIGURE 2-5), select Use UFP, Use CVP or both if you want to restrict access to Web content and/or automatically scan your email for the detection and elimination of all known viruses and vandals, in relation to the specific gateway.
The type of UFP Server and CVP Server used for content filtering is determined in the Policy > Global Properties > VPN-1 Edge/Embedded Gateway window.
Note - To perform a detailed configuration of the created VPN-1 Edge/Embedded Gateway, launch the gateway in a browser. To do this, right-click the specific VPN-1 Edge/Embedded Gateway and select Manage Devices...
FIGURE 2-5 Configuring Content Filtering
6 In the VPN-1 Edge/Embedded Gateway - Advanced page (FIGURE 2-6), enter the following information:
• Product Key enables you to remotely update the current VPN-1 Edge/Embedded gateway license (18 hexadecimal characters in three groups separated by hyphens).
• MAC Address enables stronger validation of the VPN-1 Edge/Embedded gateway when communicating with the SmartCenter Server.
• Configuration Script enables you to enter a script of relevant commands and features. The written script is downloaded automatically to the VPN-1 Edge device and executed there.
For more detailed information about configuration scripts, refer to the Check Point Embedded NG CLI Reference Guide v.5 that can be found at http://www.sofaware.com
FIGURE 2-6 Configuring Advanced Settings
Creating and Working with VPN-1 Edge/Embedded objects for SmartLSM
In This Section
Creating a SmartLSM VPN-1 Edge/Embedded ROBO Profile page 29
Creating a VPN-1 Edge/Embedded ROBO Gateway page 30
The objects that are used in the SmartLSM management solution are partly created in SmartDashboard and partly in SmartLSM:
• VPN-1 Edge/Embedded ROBO Gateway object, which represents the VPN-1 Edge/Embedded appliance. This object is created in SmartLSM.
• SmartLSM VPN-1 Edge/Embedded Profile, an object which is associated with the VPN-1 Edge/Embedded ROBO Gateway and provides it with a basic Security Policy and VPN definition. This object is created in SmartDashboard.
• A Dynamic Object, which is used by the SmartLSM VPN-1 Edge/Embedded Profile in order to enforce the Security Policy. This object is created in SmartDashboard and added to the SmartLSM VPN-1 Edge/Embedded Profile in SmartLSM.
The order of creation of the VPN-1 Edge objects is:
1 Create the SmartLSM VPN-1 Edge/Embedded ROBO gateway in SmartDashboard. See “Creating and Working with VPN-1 Edge/Embedded objects for SmartCenter” on page 21.
2 Create a Dynamic Object in SmartDashboard.
3 Close SmartDashboard and open SmartLSM.
4 Create the VPN-1 Edge/Embedded ROBO Gateway which represents the VPN-1 Edge/Embedded appliance in SmartLSM, and associate it with a VPN-1 Edge/Embedded ROBO Profile. See “Creating a VPN-1 Edge/Embedded ROBO Gateway” on page 30. During this process you must assign the previously created profile to the VPN-1 Edge/Embedded ROBO Gateway that is being created.
Creating a SmartLSM VPN-1 Edge/Embedded ROBO Profile
A security policy is defined for a VPN-1 Edge/Embedded appliance, represented by a VPN-1 Edge/Embedded ROBO Gateway, by associating the gateway with a profile.
Defining VPN-1 Edge/Embedded ROBO Profiles
1 In SmartDashboard, create a new SmartLSM Profile in the Network Objects tab of
the Objects Tree.
FIGURE 2-7 Creating a new SmartLSM Profile in SmartDashboard
2 In the General page, enter the name and an optional comment (FIGURE 2-8).
FIGURE 2-8 Configure the SmartLSM VPN-1/FireWall-1 Profile settings
3 In the VPN page (FIGURE 2-9), enter the type of community that you would like
to associate with the said profile and save the profile by closing it.
FIGURE 2-9 Configure the SmartLSM VPN-1/FireWall-1 Profile Settings for VPN
Creating a VPN-1 Edge/Embedded ROBO Gateway
A VPN-1 Edge/Embedded ROBO Gateway object is a network object that represents a VPN-1 Edge/Embedded Appliance and is created and managed in SmartLSM. This Gateway sits on the network and can be managed by the SmartCenter Server or by an external management server.
Defining VPN-1 Edge/Embedded ROBO Gateways
Before you can create the Edge/Embedded ROBO Gateway make sure that you have
exited the SmartDashboard, if it is in Read/Write mode.
To define VPN-1 Edge/Embedded ROBO Gateways refer to the Adding a VPN-1
Edge/Embedded ROBO Gateway and Managing VPN-1 Edge/Embedded Objects sections in
the NGX R60 SmartLSM user guide.
Creating a Security Policy for the VPN-1 Edge/Embedded Appliance
1 Create your Security Policy rules. For more information on creating rules see the
SmartCenter Guide .
When you are creating your rules, be aware that the VPN-1 Edge/Embedded
Gateway can be used in the Install On column even if there is a VPN Community
specified in the VPN column.
You may need a rule that allows designated services (such as ftp, telnet and http) to
be performed by the VPN community. In this rule, the VPN-1 Pro gateway should
be your target.
For example:
TABLE 2-1 Example: a rule allowing services for Site-to-Site and Remote Access communities respectively

Source                                                       | Destination | VPN       | Service           | Action | Install On
Any                                                          | Any         | Mesh-comm | ftp, telnet, http | Accept | VPN1_Pro_GW
All Users or VPN-1 Embedded Devices defined as Remote Access | Any         | RA_comm   | ftp, telnet, http | Accept | VPN1_Pro_GW

TABLE 2-2 Allowing connections from network to VPN-1 Edge/Embedded Gateway

Source   | Destination     | VPN | Service | Action | Install On
Edge_Net | VPN_Edge_Pro_GW | Any | Any     | Accept | Any

2 Once the rules are complete, install your Security Policy (Policy > Install Policy). The VPN-1 Edge/Embedded Gateway periodically fetches the Security Policy from the SmartCenter Server. When the policy installation is complete, the SmartCenter Server will attempt to update the VPN-1 Edge/Embedded Gateway with the new security policy. In order for the changes to take place immediately you can force a Policy update from the VPN-1 Edge/Embedded Portal.
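The rules of TABLE 2-1 and TABLE 2-2, modelled in Python as an added worked example (not Check Point code): it shows which rules a gateway receives through the Install On column and how the VPN column ties a rule to one community, so the same ftp connection is accepted on VPN1_Pro_GW but is not part of the policy the Edge gateway fetches. The IP addresses bound to Edge_Net, VPN_Edge_Pro_GW and VPN1_Pro_GW are constructed, and traffic matching no installed rule is treated as dropped by the implicit cleanup.

```python
"""Rule-base walk-through for TABLE 2-1 and TABLE 2-2 (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = "Any"

# Constructed address bindings for the named objects in the tables.
NETWORKS = {"Edge_Net": ip_network("192.168.10.0/24")}
HOSTS = {
    "VPN_Edge_Pro_GW": ip_address("203.0.113.10"),  # Edge appliance WAN address (constructed)
    "VPN1_Pro_GW": ip_address("198.51.100.1"),      # corporate VPN-1 Pro gateway (constructed)
}
# User groups usable in the Source column; the second one is the group an
# Edge appliance joins by default when it acts as a Remote Access client.
USER_GROUPS = {"All Users", "VPN-1 Embedded Devices defined as Remote Access"}


@dataclass(frozen=True)
class Rule:
    source: Tuple[str, ...]    # several entries in one cell are OR-ed
    destination: str
    vpn: str                   # community name, or Any (clear or encrypted)
    services: Tuple[str, ...]
    action: str                # Accept / Drop / Reject
    install_on: str            # gateway that enforces the rule, or Any


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str
    community: Optional[str] = None   # VPN community the packet arrived through
    user_group: Optional[str] = None  # authenticated Remote Access group, if any


# TABLE 2-1 (two rows) followed by TABLE 2-2 (one row).
RULE_BASE = [
    Rule((ANY,), ANY, "Mesh-comm", ("ftp", "telnet", "http"), "Accept", "VPN1_Pro_GW"),
    Rule(("All Users", "VPN-1 Embedded Devices defined as Remote Access"),
         ANY, "RA_comm", ("ftp", "telnet", "http"), "Accept", "VPN1_Pro_GW"),
    Rule(("Edge_Net",), "VPN_Edge_Pro_GW", ANY, (ANY,), "Accept", ANY),
]


def rules_installed_on(gateway: str, rule_base=RULE_BASE):
    """Rules a gateway receives when it fetches the policy: those whose
    Install On column names that gateway, or is Any."""
    return [r for r in rule_base if r.install_on in (ANY, gateway)]


def _object_matches(name: str, ip: str, user_group: Optional[str]) -> bool:
    if name == ANY:
        return True
    if name in NETWORKS:
        return ip_address(ip) in NETWORKS[name]
    if name in HOSTS:
        return ip_address(ip) == HOSTS[name]
    if name in USER_GROUPS:
        # A user-group object matches only authenticated (Remote Access)
        # connections; "All Users" matches any such group.
        return user_group is not None and (name == "All Users" or name == user_group)
    raise KeyError(f"unknown object {name!r}")


def _rule_matches(rule: Rule, conn: Connection) -> bool:
    if not any(_object_matches(s, conn.src, conn.user_group) for s in rule.source):
        return False
    if not _object_matches(rule.destination, conn.dst, None):
        return False
    # A named community in the VPN column only matches traffic that
    # arrived through that community; Any matches clear and encrypted.
    if rule.vpn != ANY and conn.community != rule.vpn:
        return False
    return ANY in rule.services or conn.service in rule.services


def decide(gateway: str, conn: Connection, rule_base=RULE_BASE) -> str:
    """First-match evaluation over the rules installed on `gateway`.
    Returns the rule's action, or "Drop" for the implicit cleanup."""
    for rule in rules_installed_on(gateway, rule_base):
        if _rule_matches(rule, conn):
            return rule.action
    return "Drop"


if __name__ == "__main__":
    ftp_via_mesh = Connection("192.168.10.5", "10.1.1.20", "ftp", community="Mesh-comm")
    print("VPN1_Pro_GW:", decide("VPN1_Pro_GW", ftp_via_mesh))            # Accept
    print("VPN_Edge_Pro_GW:", decide("VPN_Edge_Pro_GW", ftp_via_mesh))    # Drop (rule not installed there)
    print("Edge LAN to Edge GW:", decide("VPN_Edge_Pro_GW",
          Connection("192.168.10.5", "203.0.113.10", "http")))           # Accept (TABLE 2-2)
```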
Security Policy Operations
In This Section
Installing and uninstalling the Security Policy page 32
Downloading a Security Policy page 32
Verifying that the Security Policy was downloaded page 32
Installing and uninstalling the Security Policy
When the Security Policy is installed or uninstalled, the Security Policy is automatically downloaded to or off-loaded from the SmartCenter Server. When the VPN-1 Edge/Embedded Gateways check the SmartCenter Server for updates, the activity (whether installation or uninstallation) is implemented.
• To install, select Policy > Install Policy.
• To uninstall, select Policy > Uninstall Policy.
Downloading a Security Policy
From the VPN-1 Edge/Embedded Portal
1 Login from the VPN-1 Edge/Embedded portal at http://my.firewall.
2 Click Services and Accounts and then click Refresh, or click Services and Software Updates and then click Update Now.
3 When the VPN-1 Edge/Embedded Gateway polls for updates, it downloads the latest Security Policy.
From SmartLSM, select Actions > Push Policy. The SmartCenter Server pushes the Security Policy to the VPN-1 Edge/Embedded ROBO Gateway.
Verifying that the Security Policy was downloaded
1 Login from the VPN-1 Edge/Embedded portal at http://my.firewall.
2 Click Reports and then click Event Log.
3 Verify that the following message appears: Installed updated Security Policy (downloaded).
4 Click Setup, Tools and Diagnostics.
The VPN-1 Edge/Embedded object is displayed in the Policy field.
Managing VPN-1 Edge/Embedded Devices with SmartCenter Server
Before you can begin to work with the VPN-1 Edge/Embedded Appliance, whether your appliance is managed in SmartDashboard or in SmartLSM, you need to log on to the VPN-1 Edge/Embedded portal and define the SmartCenter Server as the active management server.
Once successfully completed, this step allows the SmartCenter Server to perform a number of management operations for the VPN-1 Edge/Embedded Appliance, such as VPN-1 relations, updating the Security Policy and upgrading to later versions of firmware. Proceed as follows:
1 Browse to http://my.firewall.
2 Enter and confirm your password.
3 In the Services screen, connect to the SmartCenter Server by clicking on Connect. A wizard is displayed in which you are required to configure the settings of the SmartCenter Server.
FIGURE 2-10 Login to the SmartCenter Server in the VPN-1 Edge Embedded Portal
During the SmartCenter Server setup, you are required to enter the details of the VPN-1 Edge/Embedded Gateway object that you created. Note that the Gateway ID refers to the name of the said gateway and the Password refers to the Registration Key specified during the creation of the VPN-1 Edge/Embedded Gateway object.
FIGURE 2-11 Configuring the Gateway object.
Once this setup is successfully completed, the VPN-1 Edge/Embedded appliance and the SmartCenter Server can communicate securely. For more information about this procedure, see the relevant vendor information.
Remote Login to the SmartCenter Server
If your device is not installed locally, you will need to log on securely to the VPN-1 Edge/Embedded Portal using HTTPS (https://<current IP Address>:981). For more information, see the relevant vendor information.
Configuring VPN in SmartCenter
A VPN-1 Edge/Embedded Gateway can be added to Site-to-Site communities as well as to Remote Access communities. The VPN-1 Edge/Embedded Appliance can also be configured to act as a Remote Access client. For more information, see the VPN-1 Guide, in particular the chapters dealing with:
• Building VPN Between Gateways
• PKI
VPN-1 Edge/Embedded Gateway in Site-to-Site VPN Configuration
For VPN to be established, the following must take place:
1 The VPN-1 Edge/Embedded Gateway must be defined and configured for Site-to-Site and a certificate created (if the VPN Community members are to use a certificate to authenticate).
On the General page (see FIGURE 2-2):
• On the VPN-1 Edge/Embedded Gateway check VPN Enabled and select Site to
Site in order to allow the VPN-1 Edge/Embedded Gateway to participate like
any regular VPN-1 Gateway in a star or meshed community. This means that
any gateway can initiate a VPN tunnel to the VPN-1 Edge/Embedded Gateway
and the VPN-1 Edge/Embedded Gateway can initiate a VPN tunnel to any
other gateway.
• In terms of IP addresses:
• If the VPN-1 Edge/Embedded Gateway has a static IP address, you can use a certificate or an IKE pre-shared secret to establish a VPN tunnel. In this case the password you enter is used as the IKE pre-shared secret.
• If the VPN-1 Edge/Embedded Gateway has a dynamic IP address (select Dynamic Address), only a certificate can be used to establish a VPN tunnel. In this case, make sure that you have selected Manually defined in the VPN-1 Edge/Embedded Gateway - Topology page (see FIGURE 2-3).
• Make sure that the type that you select corresponds to the actual appliance that
you have in your possession.
• Add a Password that will be used later on the VPN-1 Edge/Embedded Portal
and for the pre-shared secret (if you have a static IP Address).
On the Topology page (see FIGURE 2-3):
• Gateway defined is used for NAT implementation.
• Manually Defined is used if the VPN-1 Edge/Embedded Gateway is configured for a dynamic IP address or if NAT is not being implemented.
On the VPN page (see FIGURE 2-4) generate the certificate and close the VPN-1
Edge/Embedded Gateway.
2 If you do not already have one, create a Star or Meshed community in the VPN Manager. For more about these communities and how to configure them, see the VPN Guide.
To create a Site-to-Site community:
FIGURE 2-12 Create a new Site-to-Site Community
In a Star Community
• In the Central Gateways page click Add and select the desired VPN-1
Edge/Embedded Gateway. Click OK.
• In the Satellite Gateways page, click Add and select the desired VPN-1
Edge/Embedded Gateway. Click OK.
Note - If you are creating a Star community, it is not recommended to include the VPN-1
Edge/Embedded Gateway as a Central Gateway.
FIGURE 2-13 Add VPN-1 Edge/Embedded Gateway as Satellite Gateway
In a Meshed Community
• In the Participating Gateways page, click Add and select the desired VPN-1 Edge/Embedded Gateway. Click OK.
In Star and Meshed Communities
• In the VPN Properties page, specify the properties for the phases of IKE
negotiation.
• In the Shared Secret page, specify whether the VPN community member should be authenticated using a pre-shared secret or a certificate. If you would like to use a secret, make sure to select Use only shared secret for all external members. The secret used is the password defined when the VPN-1 Edge/Embedded Gateway object was created. If you would like to use certificates as a means of authentication, make sure that Use only shared secret for all external members is unchecked.
3 In the Rule Base, create the rules of your Security Policy. See “Creating a Security
Policy for the VPN-1 Edge/Embedded Appliance” on page 31.
4 Install the rule base on the Central Gateways (for a Star community).
5 In the VPN-1 Edge/Embedded Portal define the SmartCenter server as the active
management server, see “Managing VPN-1 Edge/Embedded Devices with
SmartCenter Server” on page 33. In the VPN window of the VPN-1
Edge/Embedded Portal, the Site-to-Site configuration is automatically loaded,
including its topology and enterprise profile.
VPN-1 Edge/Embedded Gateway in a Remote Access Client Configuration
In order for the VPN-1 Edge/Embedded Gateway to function as a Remote Access
Client, the gateway must be configured to participate in the Remote Access
community. When the VPN-1 Edge/Embedded Gateway object is defined in the
Check Point database, an additional User Group called “All VPN-1 Edge/Embedded
Gateway Appliances” is created. This User Group is used in the definition of the
Remote Access community.
For more information about Remote Access Clients, see the VPN-1 Guide.
Adding the VPN-1 Edge/Embedded Gateway to a Remote Access Community
There are two basic ways to add the VPN-1 Edge/Embedded Gateway to a
community:
• In the VPN-1 Edge/Embedded Gateway - VPN page, click Add. Select the community with which you would like to associate the selected gateway.
• In the VPN Manager view, select the Remote Access community to which you
would like to add the VPN-1 Edge/Embedded Gateway. Add the VPN-1
Edge/Embedded Gateway in the Participant User Group page by clicking on Add
and selecting the default User Group called VPN-1 Embedded Devices defined as
Remote Access to which the VPN-1 Edge/Embedded Gateway is associated.
When VPN-1 Edge/Embedded Gateways are configured to work in client mode, it is important that the SmartCenter Server be deployed outside of the VPN domain of the Remote Access Client. If you are working with the Remote Access Automatic login mode, the SmartCenter Server may be within the VPN domain; however, in this case you must create the VPN domain on the VPN-1 Edge/Embedded Gateway before connecting the VPN-1 Edge/Embedded Gateway to the SmartCenter Server.
For VPN to be established, the following must take place:
Note - The User Group All VPN-1 Edge/Embedded Gateway Appliances is not a regular
User Group and as such it doesn’t appear in the Users and Administrators tab of the
Objects Tree.
1 Create a VPN-1 Edge/Embedded Gateway object. Make sure that you select VPN enabled and Remote Access on the General page. Remote Access means that the selected VPN-1 Edge/Embedded Gateway can act as a Remote Access client to the corporate gateway; no other gateways will be able to initiate a VPN tunnel to this VPN-1 Edge/Embedded Gateway. This VPN-1 Edge/Embedded Gateway can be enforced as part of a User Group in a Remote Access VPN community.
If the VPN-1 Edge/Embedded Gateway has a static IP Address, use an IKE
pre-shared secret to establish a VPN tunnel. In this case you will need to enter the
password created on the VPN-1 Edge/Embedded Gateway object.
2 Create a Remote Access community in the VPN Manager that includes the VPN-1 Edge/Embedded Gateway object. For more about these communities and how to configure them, see the VPN Guide.
• In the Participating Gateways page click Add and select the Central Gateway.
Click OK.
• In the Participant User Groups page, click Add and select VPN-1 Embedded
Devices defined as Remote Access. Click OK.
FIGURE 2-14 Add User Group
• Click OK to exit the Remote Access community window.
3 In the Rule Base, define a rule for the Remote Access community and install it on the Gateway. See “Creating a Security Policy for the VPN-1 Edge/Embedded Appliance” on page 31. Install the Security Policy on the desired gateways.
4 In the VPN-1 Edge/Embedded Portal define the SmartCenter server as the active management server, see “Managing VPN-1 Edge/Embedded Devices with SmartCenter Server” on page 33.
• In the VPN window of the VPN-1 Edge/Embedded Portal, the Remote Access configuration is automatically loaded. Create a new Site to represent the VPN-1 Pro Gateway on the VPN-1 Edge/Embedded appliance: on the VPN screen, click New Site and perform the following steps in the wizard:
• Add the IP Address of the regular VPN-1 Pro Gateway.
• Check Download Configuration.
• Enter the name of the Site.
• Under VPN Login, select Automatic Login and refer to the vendor documentation
for more information.
5 In SmartDashboard, install the Security Policy.
VPN-1 Edge/Embedded Managed by an External Management Server
You can configure the VPN-1 Edge/Embedded appliance to be managed by an external Management Server, that is, not by the local SmartCenter or MDS server. This scenario is typical for extranets or connections to partner sites. It requires configuration in two places:
1 On the VPN-1 Edge/Embedded Gateway object:
• On the General page, check Externally Managed Gateway.
• The setting defined in the Topology page depends on the agreed configuration.
2 Modify the VPN Community to which you are adding the VPN-1
Edge/Embedded. Make sure that you check Use only Shared Secret for all External
Members on the Shared Secret page.
3 Modify the Security Policy and make sure that the rule installed on the profile is disabled. Install the Security Policy.
• On the VPN-1 Edge/Embedded Portal, on the VPN screen, click New Site and perform the following steps in the wizard:
• Add the IP Address of the regular VPN-1 Pro Gateway.
• Check Download Configuration.
• Configure the routing destination and subnet mask of the external management server.
• Under Authentication, select Use shared secret.
• Click on Connect in order to connect to the VPN-1 Pro Gateway.
Configuring VPN-1 in SmartLSM
VPN-1 Edge/Embedded ROBO Gateways can participate in meshed Site-to-Site communities. In SmartLSM, VPN is supported using IKE authentication with Check Point internal certificates:
1 In the VPN-1 Edge/Embedded Portal, verify that a certificate has been installed on
the VPN-1 Edge/Embedded Device before establishing the VPN tunnel.
2 In SmartLSM:
• Add a dynamic object to the VPN-1 Edge/Embedded ROBO Gateway. In
order to implement VPN on VPN-1 Edge/Embedded ROBO Gateways,
dynamic objects need to be added to the VPN domain of these objects. Make
sure you check Add to VPN domain.
• Update the Corporate Office (CO) Gateway.
3 In SmartDashboard, create a VPN Star community that includes the VPN-1
Edge/Embedded ROBO Gateway and the CO Gateway as follows:
• In the Central Gateway page, click Add. Select the CO gateway from the
displayed list and click OK.
• In the Satellite Gateways page, click Add. Select the SmartLSM VPN-1 Edge/Embedded profile from the displayed list and click OK.
• In the VPN Properties page, specify the IKE phase properties.
• In the Shared Secret page, uncheck Use only Shared secret for all External Members.
Make sure that a shared secret is only used for external members and set the properties for the IKE negotiations.
A topology file and a certificate are downloaded to the VPN-1 Edge/Embedded ROBO Gateway. This topology file lists the members of the VPN community and specifies the encryption information.
4 On the VPN-1 Edge/Embedded Portal, on the VPN screen, specify the configuration type (Site-to-Site or Remote Access) and check Download Configuration.
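The four VPN roles described in this chapter (Site-to-Site, Remote Access client, externally managed gateway, SmartLSM ROBO gateway) each restrict which authentication method is allowed: a dynamic-address Site-to-Site gateway can only use a certificate and needs a manually defined topology, an externally managed gateway requires the shared-secret-only community setting, and SmartLSM supports Check Point internal certificates only. The following Python script is an added example, not Check Point code: it expresses those rules as a pre-check over a gateway description so an administrator can lint a planned definition before clicking through SmartDashboard. The EdgeGateway fields and the sample definitions are constructed for this illustration and do not correspond to any Check Point export format.

```python
"""Pre-check of VPN-1 Edge/Embedded gateway definitions against the
authentication rules stated in this chapter.

Added example, not Check Point code.  The EdgeGateway fields and the
sample definitions below are constructed for illustration and are not an
export format of SmartDashboard or SmartLSM.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class EdgeGateway:
    name: str
    role: str                           # "site-to-site", "remote-access", "external" or "smartlsm"
    dynamic_ip: bool = False            # Dynamic Address selected on the General page
    auth: str = "certificate"           # "certificate" or "shared-secret" (IKE pre-shared secret)
    topology: str = "manually-defined"  # Topology page: "manually-defined" or "gateway-defined"
    shared_secret_only: bool = False    # community: "Use only shared secret for all external members"
    certificate_installed: bool = True  # a certificate is present on the appliance


def check_gateway(gw: EdgeGateway) -> List[str]:
    """Return the findings for one gateway; an empty list means the definition is consistent."""
    findings: List[str] = []

    # Applies to every role: certificate authentication needs a certificate on the device.
    if gw.auth == "certificate" and not gw.certificate_installed:
        findings.append("certificate authentication selected but no certificate is installed on the appliance")

    if gw.role == "site-to-site":
        if gw.dynamic_ip:
            # Dynamic address: only a certificate can establish the tunnel, and the
            # Topology page must be set to Manually defined.
            if gw.auth != "certificate":
                findings.append("dynamic IP address: only a certificate can be used to establish the tunnel")
            if gw.topology != "manually-defined":
                findings.append("dynamic IP address: Topology page must be set to Manually defined")
        # The community's Shared Secret page must agree with the chosen method.
        if gw.auth == "shared-secret" and not gw.shared_secret_only:
            findings.append("shared secret chosen but 'Use only shared secret for all external members' is unchecked")
        if gw.auth == "certificate" and gw.shared_secret_only:
            findings.append("certificate chosen but 'Use only shared secret for all external members' is checked")

    elif gw.role == "remote-access":
        # Static address in client role: the chapter specifies the IKE pre-shared secret
        # (the password of the gateway object).
        if not gw.dynamic_ip and gw.auth != "shared-secret":
            findings.append("static IP address in Remote Access client role: use the IKE pre-shared secret")

    elif gw.role == "external":
        # Externally managed gateway: shared secret for external members, on both sides.
        if not gw.shared_secret_only:
            findings.append("externally managed gateway: 'Use only Shared Secret for all External Members' must be checked")
        if gw.auth != "shared-secret":
            findings.append("externally managed gateway: the portal site must authenticate with Use shared secret")

    elif gw.role == "smartlsm":
        # SmartLSM supports IKE authentication with Check Point internal certificates only.
        if gw.auth != "certificate":
            findings.append("SmartLSM ROBO gateway: IKE authentication must use a Check Point internal certificate")
        if gw.shared_secret_only:
            findings.append("SmartLSM community: 'Use only Shared secret for all External Members' must be unchecked")

    else:
        findings.append(f"unknown VPN role {gw.role!r}")

    return findings


# Constructed definitions: a dynamic-address branch gateway defined the wrong way, and the
# same gateway corrected according to the Site-to-Site rules above.
BRANCH_WRONG = EdgeGateway("branch-dyn", "site-to-site", dynamic_ip=True,
                           auth="shared-secret", topology="gateway-defined", shared_secret_only=True)
BRANCH_FIXED = EdgeGateway("branch-dyn", "site-to-site", dynamic_ip=True,
                           auth="certificate", topology="manually-defined", shared_secret_only=False)


def main() -> None:
    for gw in (BRANCH_WRONG, BRANCH_FIXED):
        print(f"{gw.name} ({gw.role}):", check_gateway(gw) or ["ok"])


if __name__ == "__main__":
    main()
```

Running the script prints the two findings for the wrongly defined branch gateway (shared secret with a dynamic address, and a gateway-defined topology) and "ok" for the corrected definition. The checks deliberately only encode what this chapter states; anything the chapter leaves open (for example, a dynamic-address gateway in the Remote Access client role) produces no finding.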
Viewing Logs in the SmartView Tracker
For auditing logs, open the Audit view in the SmartView Tracker.
For convenience, add the Origin column to the Audit view (View > Query options > Query Properties, select Origin) and select the VPN-1 Edge/Embedded appliance that you would like to track. This lets you determine from which VPN-1 Edge appliance the log was generated.
Security logs are displayed in the Log view of the SmartView Tracker. Double-click a log entry to see more information.
FIGURE 2-15 Viewing Security logs
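As an added example (not part of the original guide), the following Python script shows the kind of grouping the Origin column makes possible once an Audit view is exported: it parses a constructed CSV export, selects the records of one VPN-1 Edge appliance and counts failed policy installations per origin, which is the list of appliances whose own Event Log should then be checked for the "Installed updated Security Policy (downloaded)" message. The column names and all record values are invented for this illustration and are not a Check Point log format.

```python
"""Group exported SmartView Tracker audit records by the Origin column.

Added example, not Check Point code.  The CSV layout and every record in
SAMPLE_AUDIT_CSV are constructed for illustration only.
"""
import csv
import io
from collections import Counter
from typing import Dict, List

# Constructed sample of an Audit-view export with the Origin column added.
SAMPLE_AUDIT_CSV = """\
time,origin,administrator,operation,status
2005-04-01 09:12:03,edge-branch-01,admin,Install Policy,Success
2005-04-01 09:12:40,edge-branch-02,admin,Install Policy,Failure
2005-04-01 09:15:11,edge-branch-01,admin,Modify Object,Success
2005-04-01 09:20:55,edge-branch-02,admin,Install Policy,Success
2005-04-01 09:21:07,smartcenter-hq,admin,Login,Success
2005-04-01 09:30:18,edge-branch-02,admin,Install Policy,Failure
"""


def parse_audit(text: str) -> List[Dict[str, str]]:
    """Parse the CSV export into one dict per audit record."""
    return list(csv.DictReader(io.StringIO(text)))


def records_for_origin(text: str, origin: str) -> List[Dict[str, str]]:
    """Records generated by one VPN-1 Edge appliance, selected on the Origin column."""
    return [r for r in parse_audit(text) if r["origin"] == origin]


def records_per_origin(text: str) -> Dict[str, int]:
    """Number of audit records each origin produced."""
    return dict(Counter(r["origin"] for r in parse_audit(text)))


def failed_policy_installs(text: str) -> Dict[str, int]:
    """Origins with failed policy installations and how many each had.

    These are the appliances whose portal Event Log should be checked for the
    'Installed updated Security Policy (downloaded)' message.
    """
    failed = Counter(
        r["origin"]
        for r in parse_audit(text)
        if r["operation"] == "Install Policy" and r["status"] == "Failure"
    )
    return dict(failed)


if __name__ == "__main__":
    for origin, count in records_per_origin(SAMPLE_AUDIT_CSV).items():
        print(f"{origin}: {count} audit records")
    print("failed policy installs:", failed_policy_installs(SAMPLE_AUDIT_CSV))
    for rec in records_for_origin(SAMPLE_AUDIT_CSV, "edge-branch-01"):
        print(rec["time"], rec["operation"], rec["status"])
```

The same grouping works on the Log view for security logs once the Origin column is present; only the column names in the export would differ.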
Downloading the Latest Firmware from SmartUpdate
You can use SmartUpdate to get automatic updates of the latest firmware version. To
download the latest firmware:
1 In the Product Repository pane, right-click a VPN-1 Edge/Embedded Gateway and
select Add from Download Center.
2 In the displayed window, select the firmware that you would like to download and
click Download.
3 In the Product Repository, right-click a VPN-1 Edge/Embedded Gateway and
select Install Product.
4 Select the firmware and click OK.
The firmware is downloaded and sent to the SmartCenter Server, which is responsible for downloading it to the VPN-1 Edge/Embedded Gateways when they are ready to receive it.
Index

A
Access Control 15, 18, 19
active management server 38
Anti-spoofing 12
Appliance
  Before You Begin 17
  installing 17
  managed by External Management Server 15
  S-series 11
  supported 12
  VPN, Site-to-Site, Remote Access 14
  W-series 12
  X-series 11
Audit view 42
authentication 21
authentication capabilities 12

C
centralized management tool 16
centralized upgrading 12
Check Point Express 16
Check Point internal certificates 41
Check Point management solutions 12
Check Point’s Stateful Inspection 15
client mode 38
Configuration Script 26
connectivity 8
content filtering 25
Corporate Office (CO) Gateway 41
CVP Server 25

D
DMZ 22
dynamic IP Address 35, 36
Dynamic Object 19, 28, 41

E
Embedded appliance 18
Enable SmartLSM
  run LSMenabler 18
encryption 21
Ethernet port 22
external interface 23
External Management Server 40
Extranet 40
Extranet scenarios 15

F
firmware 16, 43
ftp 31

G
Global VPN Communities 10

H
hardware type 23
High Availability 24
high performance 11
http 31
http://my.firewall
  connecting to 13

I
IKE authentication 41
IKE negotiation 37
IKE phase properties 41
IKE pre-shared secret 35, 39
initial administrator permissions 17
internal interface 23
Introduction 7

L
LAN 22
LAN ports 22
large-scale VPN deployments 8
license string 26
Licensing 18, 19

M
MAC address 26
Managed Service Providers 10
management operations 33
Management Server 40
Management Settings 21
Management Solutions 17
  SmartCenter, Provider-1, SmartLSM 9
Managing VPN-1 Edge/Embedded Devices 33
MDS server 40
Meshed Community 35, 36
meshed Site-to-Site communities 41
multi-ISPs 11

N
NAT implementation 36
NAT settings 23
Network Objects 21, 29
NIC 23

O
Objects Tree 21

P
PKI 35
Protocol
  SWTP_Gateway 13
  SWTP_SMS 13
Provider-1 7, 10
Provider-1 CMA 10

R
Remote Access 14
  default User group 14
Remote Access Client 12, 35, 38, 39
Remote Access Community 14, 31, 35, 38, 40
Remote Access VPN
  configure 38
Remote Access VPN community 39
remote client 14
Remote Login 34
ROBO 9
Rule Base 15, 37, 40

S
secure connectivity 7
Security 8
security logs 42
Security Policy 8, 12, 15, 18, 19, 31, 32, 33, 40
  actions 15
  define 31
  download 32
  install & uninstall 32
  verify download 32
security policy 29
Security Policy rules 31
SIC 13
Site-to-Site 14, 31
Site-to-Site configuration 19, 38
Site-to-Site VPN 14
  configure 35
Smart LSM VPN-1 Edge/Embedded Profiles 19
SMART management 8
SmartCenter 7, 9
SmartCenter Express 14
SmartCenter management 13
SmartCenter Pro 18
SmartCenter Server 30
  connecting to 13
SmartCenter server 34
SmartCenter Server setup 33
SmartConsole clients 12
SmartLSM 7, 9, 16, 18, 30, 41
SmartLSM management solution 28
SmartLSM VPN-1 Edge/Embedded Profile 41
SmartLSM VPN-1 Edge/Embedded Profile 28
SmartLSM VPN-1 Edge/Embedded ROBO Profile
  create 29
SmartUpdate 16, 43
  download firmware 43
  upgrading firmware 16
SmartView Monitor 16
SmartView Status
  monitoring the status 16
SmartView Tracker 15, 42
  creating logs 15
  view logs 42
Star Community 19, 35, 36
Stateful Inspection 12
static IP Address 35, 39
subnet mask 41

T
telnet 31
topology 23

U
UFP Server 25

V
VPN
  configure 35
VPN community 12, 17, 21, 24, 31
VPN configuration
  in SmartLSM 41
VPN Manager 36, 39
VPN relations 18, 19
VPN settings 21
VPN solutions 7, 8, 9
VPN Star community 41
VPN tunnel 35
VPN-1 Edge 7, 18, 20
VPN-1 Edge device 26
VPN-1 Edge logs 15
VPN-1 Edge/Embedded Appliance 21, 30, 33
VPN-1 Edge/Embedded appliance 13, 15, 17, 34
VPN-1 Edge/Embedded Gateway 9, 15, 24, 26, 31, 35, 43
  create 21
VPN-1 Edge/Embedded Gateway object 21, 33
VPN-1 Edge/Embedded Gateways 14
VPN-1 Edge/Embedded object 18
VPN-1 Edge/Embedded Portal 13, 18, 19, 33, 36, 38
VPN-1 Edge/Embedded Profile 13, 21
VPN-1 Edge/Embedded ROBO 9
VPN-1 Edge/Embedded ROBO Gateway 19, 28, 30, 41
  create 30
VPN-1 Edge/Embedded appliances 16
VPN-1 Embedded appliances 7
VPN-1 Express module 8
VPN-1 Pro 8, 16
VPN-1 Pro gateway 12
VPN-1/FireWall-1 technology 12

W
WAN 23
WAN interface card 23
WAN port 22
Web content 25
Web GUI 17
Workflow
  SmartCenter management 18
  SmartLSM Management 18
  using the appliance 13

X
xDSL modem 23