SmartMap

In This Section: Overview of SmartMap Working with SmartMap

Overview of SmartMap

Most organizations have multiple gateways, hosts, networks and servers. The topology of these organizations is represented in SmartDashboard by network objects. The topology is often highly complex, distributed over many different machines and enforced in many different rules and rule bases. While this layout matches the needs of your organization, it is difficult to visualize, and even harder to translate in a schematic format. While the network objects are easy to use in the Rule Base, it would be easier to understand and troubleshoot the policy if the rules were displayed in a format where they could be understood visually.

The SmartMap Solution

SmartMap view is a visual representation of your network. This view is used to facilitate and enhance the understanding of the physical deployment and organization of your network.

SmartMap is used in order to:

• Convert the logical layout of your organization into a graphical schematic layout which can be exported as an image file, or printed out.
• Show selected network objects, communities and rules within the graphical representation, by right-clicking on these items from numerous places in the various Rule Bases, Object Tree pages and Object List. For enhanced visualization you can zoom into these selected items.
• Edit objects displayed in SmartMap. The changes made will be integrated throughout SmartDashboard.
• Troubleshoot the policy. For instance SmartMap can resolve unresolved objects, and it can make automatic calculations for objects behind the gateway, Install On targets and for anti-spoofing purposes.

Working with SmartMap

Enabling and Viewing SmartMap

Before you begin to work with SmartMap you need to enable it. In this section you can learn how to enable, toggle and launch SmartMap.

Enable SmartMap

It is not possible to work with SmartMap until it has been enabled.

• To enable SmartMap go to Policy > Global Properties > SmartMap.

Toggle SmartMap

In order to clear SmartDashboard of visual clutter, SmartMap can be toggled until such time that you need to work with it again.

Note - When the SmartMap view is hidden or inactive, all of its menus and commands are disabled; however, topology calculations do continue.

• To view SmartMap go to View > SmartMap.
• To disable SmartMap go to View > SmartMap.

Launching SmartMap

SmartMap can be displayed, embedded or docked into the GUI window, or it can be displayed outside of the SmartDashboard window.

• To display SmartMap outside the SmartDashboard window, go to SmartMap > Docked View.

Adjusting and Customizing SmartMap

All of the following options affect the way that SmartMap is viewed or displayed.

Magnifying and Diminishing the SmartMap View

The level of magnification can be selected or customized. The operations that can be executed include:

• enhancing the view so that all or a selected part of SmartMap optimally fits into the display window.
• selecting from one of the displayed zoom values or customizing your own (for example, Zoom In (magnify) or Zoom Out (diminish) the current SmartMap display).
• magnifying an area in SmartMap by dragging the mouse over a specific area. All objects that fall within the area of the selected box will be magnified.

To automatically zoom into a particular area of SmartMap:

1. Select SmartMap > Zoom Mode.
2. Drag the mouse over a specific area in SmartMap.
   The area you selected will zoom into view.

To select the level of magnification

1. Select SmartMap > Select Mode.
2. Drag the mouse over a specific area in SmartMap.
3. Select SmartMap > Zoom > sub menu and select the options that best meet your needs.

Scrolling

If you have an IntelliMouse you can use the scroll wheel to scroll SmartMap.

Adjusting SmartMap using the Navigator

The Navigator is a secondary window that displays an overview of SmartMap. This view can be adjusted by altering the select box. As parts of SmartMap are selected in the Navigator window, the SmartMap display is altered to match the selected area. When the Navigator window is closed, its coordinates are saved and when it is reopened, the same view of SmartMap is displayed.

• To launch the Navigator, go to SmartMap > View Navigator.

Affecting SmartMap Layout (Arranging Styles)

SmartMap enables you to determine the manner in which network objects are placed within SmartMap in one of two possible styles.

• To select a SmartMap style, go to SmartMap > Customization > Arranging Styles and select one of the following:
  • hierarchic — SmartMap resembles a tree graph
  • symmetric — SmartMap resembles star and ring structures

Optimally arranging SmartMap (Global Arrange)

Use Global Arrange to optimally arrange the whole SmartMap within the entire view. SmartMap will be arranged according to the currently set arrange style.

• To arrange the entire SmartMap, go to SmartMap > Arrange > Global Arrange.

Optimally arranging SmartMap (Incremental Arrange)

Use Incremental Arrange to optimally arrange a selected area of SmartMap within the entire view. SmartMap will be arranged according to the currently set arrange style.

• To arrange a selected area, go to SmartMap > Arrange > SmartMap > Arrange > Incremental Arrange.

Working with Network Objects and Groups in SmartMap

Network Objects are represented by standardized icons in SmartMap. Network Object icons are connected by edges. Edges (also called connections) are the lines or links that are drawn automatically or manually between network objects in SmartMap. These connections can be fixed or they can be editable.

In order to work with objects, you need to be in SmartMap > Select Mode, this mode is the default working mode that allows you to select the object in SmartMap.

SmartMap can be used to add and edit network objects. All items in SmartDashboard that are representations of physical network objects, (such as OSE Devices and network objects), can also be seen and edited in the SmartMap view. Objects that are not representations of physical network objects, (such as Address ranges), cannot be seen in SmartMap.

Add a Network Object to SmartMap

1. Right-click in SmartMap and select New Network Object from the displayed menu.
2. Select the object that you would like to add. The Object's Properties window is displayed. Configure the new object.

   Note - You can add a new network object directly to a network. Right-click on a specific network in SmartMap and then continue according to the previous instructions.

Create a Group

1. Select all the objects that you would like to include in the group.
2. Right-click on the selected objects and select Group from the displayed menu.
3. Configure the group by adding or removing objects to and from the group.

Edit Network Objects

1. Do one of the following
   • Double-click on an object in SmartMap, or
   • Right-click on a selected object in SmartMap and select Edit from the displayed menu.
2. Edit the object. Note that if you change the IP address of a selected object, the placement of the object in SmartMap may change accordingly.

Remove Network Objects

1. Right-click on the selected object(s) that you would like to delete.
2. Select Remove from the displayed menu. You are prompted to make sure that you would like to remove the selected object(s)
3. Click Yes to continue.

   Note - A warning will be displayed if you attempt to remove an object that is used in the policy. If you ignore the warning the object will still be removed and SmartMap will be adjusted accordingly.

Fixed Connections versus Editable Connections

• Automatic connections — these are non-editable connections that exist between objects whose topology can be deterministically calculated. These connections can only be changed if the objects connected by them are edited. A non-editable connection can be made into an editable one, if other objects are added or modified. For example, if a host is uniquely connected to a network and later an identical network is defined, the host's connection will be changed from a fixed connection to an editable one to allow for the host to be moved from the one network to the other.
• Editable connections — these are editable connections that can be created automatically by SmartMap by adding or modifying objects (for instance by modifying the connection between contained and containing networks), or they can be manually defined by the user. For example, when ambiguous networks are resolved, or when networks are connected to the Internet or to other networks (either by a containment relation or using a connectivity cloud), these connections can be disconnected by right-clicking on the connecting UTM-1 Edge and selecting Disconnect.

Select an area in SmartMap (Select Mode)

Select an area in SmartMap by dragging the mouse over a specific area. All objects that fall within the area of the select box will be selected. Objects that are selected in Select Mode can be dragged to another area in SmartMap.

To move to Select Mode, go to SmartMap > Select Mode.

Customize color and width of objects and edges

Only the width of edges can be customized.

To change options, go to SmartMap > Customization > View Options.

Setting the Layers for SmartMap

Not all object types can be viewed automatically in SmartMap. You can decide what types of layers you would like to add to your view. You can select from the basic layer which provides you all default objects, and from the OPSEC layer which adds certain OPSEC object types.

To set layers, go to SmartMap > Customization > View Options.

Customize Tooltips for Objects

Select the Information about the network object to be displayed when the cursor passes over the object in SmartMap.

To customize tooltip information, go to SmartMap > Customization > Tooltips Information.

Customize the Display of Object Labels and IP Addresses

Select Object Label and IP Address attributes and limitations.

To customize, go to SmartMap > Customization > Object Label Options.

Working with SmartMap Objects

SmartMap maintains graphic connectivity between different parts of the network by creating and adding several new topology objects, such as:

• Internet Objects — represents the Internet.
• Connectivity Clouds — represents a private web or an Intranet.
• Implied Networks — a network that is created when a created network object has no viable network to which it can be connected. This network is read-only and non-editable although it can be actualized, that is, made into a real network.
• Ambiguous Networks — a network that is created when a created network object has multiple viable networks to which it can be connected. The network object is connected to the ambiguous network and the user must decide to which network the network object should be connected.

  Note - Topology objects, or objects created by the SmartMap view, such as clouds and implied networks, etc., cannot be defined as protected objects. They cannot be included in any group, nor can they be pasted into the SmartDashboard Rule Base.

• Contained Networks — A Contained Network is always derived from the same or lower net mask class as the Containing Network.

Add an Internet Cloud

The Internet Cloud defines connectivity between the network object and a public network without supplying technical details of the path between them. Multiple Internet clouds can be added to SmartMap. These clouds are non-editable. When SmartMap performs calculations it looks for Internet clouds and uses them to identify whether interfaces are external or internal.

To create a new cloud, go to SmartMap > New Internet Cloud.

Add a Connectivity Cloud

The Connectivity Cloud defines connectivity between the network object and a private network without supplying technical details of the path between them. Multiple Connectivity clouds can be added to SmartMap. These clouds are editable.

To add a connectivity cloud, go to SmartMap > New Connectivity Cloud.

Connecting a Network to Internet Clouds

There is always at least one Internet cloud in SmartMap. This cloud cannot be deleted. A line is automatically drawn between an existing network and the sole Internet cloud.

Connecting a network to Connectivity clouds/an Internet cloud, where there is more than one/a Containing Network

1. Right-click on the network you would like to connect to the Connectivity cloud by holding down the ctrl key until all networks are selected.
2. Right-click the last selected network.
3. Select Connect to and select the option that you would like.

Connecting multiple networks to a Connectivity Cloud

Since SmartMap connects networks according to their IP addresses hierarchy, contained networks are automatically connected to their parent network. This connection is editable and can be removed.

1. Select the networks that you would like to connect to the Connectivity cloud.
2. Select Connect Networks.
3. Specify the Connectivity cloud settings.

Viewing the Settings of an Implied network

The Implied network is named by its IP address and a superimposed "I". It is Read Only, unless it is actualized, or made into a real network.

1. Right-click the Implied Network.
2. Select View from the displayed menu.

Actualizing an Implied network

The Implied network is Read Only, unless it is actualized, or made into a real network. This means that it is made into a functioning network with its own specification and legitimate (legal or illegal) IP address.

1. Right-click the Implied network.
2. Select Actualize from the displayed menu.
3. Configure the settings.

Removing the Connection between a Containing and a Contained network

1. Right-click the UTM-1 Edge of the Contained Network.
2. Select Disconnect from the displayed menu.

Working with Folders in SmartMap

Topology collapsing, often referred to as folding, facilitates the use of SmartMap by expanding or collapsing topology structures. This collapsing mechanism simplifies SmartMap, by ridding it of visual clutter, but still preserving its underlying structure. The folding mechanism allows you to collapse certain topology structure types. The folders can be created at the following points:

• On a UTM-1 Edge that is an interface as well as all the objects behind it.
• On any network which has hosts or containing networks.
• On any gateway and its locales.

There are two special folders which can be collapsed:

• Objects To Resolve — contains network objects and unresolved hosts that are ambiguous.
• External Objects — contains hosts which have no networks to which they can be connected (because they do not fit into any network's IP address range) as well as any standalone networks. This folder does not include Check Point installed objects.

Collapsing locales

1. Right-click the locale.
2. Select Collapse Locale from the displayed menu.

Collapsing other Topology Structures

1. Right-click on the object that you would like to collapse.
2. Select Collapse Object where object is a variable depending on the object that you selected.

Expanding Topology folders

1. Right-click the folder which contains the content that you would like to view.
2. Select Expand from the displayed menu.

Viewing the Content of "special" folders

External Objects and Unresolved Objects are two special types of folders which cannot be expanded, but whose contents can be viewed:

1. Right-click the folder whose contents you would like to view.
2. Select Show Contents from the displayed menu.

Hiding the contents of "special" folders

External Objects and Unresolved Objects are two special types of folders which cannot be expanded, but whose contents can be hidden:

1. Right-click the folder whose contents you would like to hide.
2. Select Hide Contents from the displayed menu.

Defining the contents of a "special" folder as a group

1. Right-click the folder whose member you would like to group.
2. Select Define as Group from the displayed menu.
3. Configure the Group Properties window.

Renaming Topology folders

Folders are given a default name. This name can be edited.

1. Right-click the folder that you would like to rename.
2. Select Rename from the displayed menu.
3. Enter a new name for the folder.

Adding the contents of a SmartMap folder to the Rule Base

When the contents of the folder are dragged and copied into the Rule Base you will be prompted to decide whether or not to save the members of the folder as a group, or to add the contents member by member.

1. Select the folder whose contents you would like to add to the Rule Base.
2. Press the Shift key.
3. Drag the selected folder to the desired location in the Rule Base.
4. If the contents are added as a group, configure the Group Properties window.

Editing External Objects

External Objects are hosts which have no viable networks to which they can be connected. That is to say their IP address is not within the range of the IP address of any currently defined network.

1. Right-click the External Objects folder.
2. Select Edit from the displayed menu.
3. Configure the Properties window of the selected external object.

Viewing Gateway Clusters

The gateway cluster objects are never included in the Objects to Resolve folder, even though they may be unresolved.

1. Right-click the selected gateway cluster.
2. Select Show Members from the displayed menu.

Integrating SmartMap and the Rule Base

You can drag rules from the Rule Base and show them in SmartMap. You can enhance your understanding of the displayed rule by adding a Legend. You can paste objects and folders from SmartMap. You can show network objects selected in the Rule Base and some other locations in SmartMap.

Display a Legend for regular and/or NAT rules

The Legend provides a key to the understanding of rules displayed in SmartMap.

• To display a legend, go to SmartMap > Customization > View Options.

Adding the contents of a SmartMap folder to the Rule Base

See Working with Folders in SmartMap.

Pasting Network Objects in the Rule Base

Topology objects (for instance clouds, ambiguous networks, etc.) cannot be pasted into the Rule Base.

1. Right-click on a selected network object.
2. Select Copy to Rule Base from the displayed menu.
3. Right-click the column in which the selected network object should be pasted.
4. Select Paste from the displayed menu.

Viewing a Network Object selected in the Rule Base in SmartMap

1. Select the Network Object in the Rule Base that you would like to show in SmartMap.
2. Drag the network object using the left mouse button, and drop it into SmartMap.

Viewing Network Objects selected in SmartMap in the Rule Base

1. Select the Network Object in SmartMap that you would like to show in the Rule Base.
2. Drag the network object using the left mouse button and the shift and alt buttons of the keyboard, and drop it into SmartMap.

Showing a rule in SmartMap

A rule that you select to show in SmartMap can be shown in a magnified view or according to the current zoom level.

Note - Only Security Policy rules can be shown in SmartMap View.

1. Select a rule in the Rule Base that you would like to display in SmartMap from the rule number.
2. Select Show and a view option from the displayed menu.

Display the Rule Color Legend

Rules appear as combinations of highlighted colors and arrows on SmartMap. For instance, colors are designated to represent the Source, Destination and Install On columns of SmartDashboard. These colors can be viewed in the Rule Color Legend window, which is displayed when a rule is shown.

Drag a rule into SmartMap and the Rule Color Legend is automatically displayed.

Understanding the Rule Color Legend

Rules appear as combinations of highlighted colors and arrows on SmartMap. The colors assigned to the arrows represent the action being performed. The arrow also indicates the direction of the rule; from whence the rule came (source), and to where it is going (destination).

• Red—Drop, Reject
• Green—Accept
• Blue—User Auth, Client Auth, Session Auth
• Purple—Encrypt, Client Encrypt

Rules that require special attention

When rules are shown in SmartMap, the "Any" value is represented by the icon at the base or the head of the arrow, to indicate that the Source or Destination, respectively, is Any.

The rules mentioned below are mapped and displayed in a specific manner:

• Where the Source is Any, the rule is mapped from the Install On to the Destination.
• Where the Destination is Any, the rule is mapped out from the Source to the Install On.
• Where both Source and Destination are Any, only the paths between the Install On cells are shown.

Troubleshooting with SmartMap

SmartMap can be used as a troubleshooting tool, mostly for topology calculations and certain connectivity issues such as duplicated networks and unresolved object interfaces.

For what objects are topology calculations made?

Topology information specifies data about the object interfaces and the IP addresses behind the interfaces.

• Security Gateways with two or more interfaces
• OSE Devices

Calculating topology information

You can calculate topology for objects selected in the following places:

• SmartMap
• Objects Tree
• Objects List

The Legend in the Topology Calculation Results window explains how you are meant to read the Interfaces topology list.

• Red— the results of the calculation are different from the currently defined topology information. This information needs to be approved. Click Approve to display and contrast the current topology information with the resulting topology information. Click Approve all to automatically approve all calculations without comparing and contrasting results.
• Blue— the calculation has been automatically approved.
• Regular— no change has been made to the topology information.

To calculate topology for a selected object

1. Right-click the selected object.
2. Select Calculate Topology from the displayed menu.
3. The Topology Calculation Results window displays the topology information after a calculation has been made for the selected object.

What is SmartMap Helper?

SmartMap Helper teaches you how to solve tasks relating to connectivity such as:

• Duplicated networks
• Unresolved object interfaces

The Helper is a learning tool. Once you understand how to solve these connectivity tasks, you can solve them directly in SmartMap View, and not via the Helper.

Troubleshooting duplicated networks

Duplicated networks occur if there is more than one network with an identical net mask and IP address.

Note - Some network systems may require duplicated networks. Consider the needs of your system before modifying duplicated networks.

To solve duplicated networks you can modify the shared IP address so that they are all unique. Alternately you can delete the duplicated network.

Troubleshooting unresolved object interfaces

When there is more than one viable network to which a network object can be connected, the network object is temporarily connected to an Ambiguous network until such time that it can be properly resolved. See Ambiguous Networks in Working with SmartMap Objects.

What objects can be defined as protected objects?

Any object which does not lead to the Internet can be defined as a protected object. This includes:

• Security Gateway clusters
• Security Gateways with two or more interfaces
• OSE Devices

Defining Protected Objects as Groups

Any object which does not lead to the Internet can be defined as a protected object group.

1. Right-click the selected object(s).
2. Select Define Protected Objects as Group from the displayed menu.
3. Configure the Group Properties window.

Working with SmartMap Output

Once you have set up your deployment there are several operations that can be performed. Make sure that you save and/or install your policy in order to ensure that all the changes made in SmartMap are applied. SmartMap is always displayed in the layout and with the last coordinates that it had when it was last saved. Once SmartMap is saved you can print SmartMap or even export it to another format for ease of use.

The following options are accessible from the SmartMap menu in SmartDashboard:

Print SmartMap

Set the attributes by which SmartMap will be printed. This includes how the output is to be scaled, the size of the margins and finally information to be included (such as page numbers, borders, crop marks, or even a customized caption).

Export SmartMap (as an image file)

Configure the attributes for images that are exported to an image file. Include the type and size of the image. Specify the treatment of folders in the exported image. Specify general information, including name, label, the date of export as well as a logical prefix that can be referred to and understood. This is especially important when saving multiple image files. Finally specify the location to which the image file will be saved and whether you want to open or to print the image files once they have been exported.

Export SmartMap (to Microsoft Visio)

You can configure the settings for SmartMap exported to Microsoft Visio. Specify object data that you would like to include. This includes general information about the object such as name, IP address and net mask. Specify the treatment of folders and icons during the export operation. You can preserve the Check Point icons and colors or you can choose to use icons from the Microsoft Visio stencil. Finally, decide which general information should be included on the output, for instance, the date, a label and the location to which the exported SmartMap will be saved.