
Managing Users and Objects

In This Section:

User Awareness Blade Control

Users

Administrators

Authentication Servers

Applications & URLs

Services

Service Groups

Network Objects

Network Object Groups

This section describes how to set up and manage users (User Awareness, users, administrators, and authentication servers) and network resources.

User Awareness Blade Control

In the User Awareness page you can turn the blade on or off and use the configuration wizard to configure sources to get user identities, for logging and configuration purposes.

User Awareness lets you configure the Check Point Appliance to show user based logs instead of IP address based logs and enforce access control for individual users and user groups.

To use User Awareness, you must configure identification methods to get information about users and user groups. After the gateway acquires the identity of a user, user-based rules can be enforced on the network traffic in the Access Policy.

User Awareness can use these sources to identify users:

AD Query

The Check Point Appliance registers to receive security event logs from the AD domain controllers when the security policy is installed. This requires administrator privileges for the AD server. When a user authenticates with AD credentials, these event logs are generated and are sent to the Security Gateway. The Check Point Appliance can then identify the user based on the AD security event log.

Browser-Based Authentication

Browser-Based Authentication uses a web interface to authenticate users before they can access network resources or the Internet. When users try to access a protected resource, they must log in to a web page to continue. This method identifies locally defined users and users that were not successfully identified by other methods. You can configure Browser-Based Authentication to appear for all traffic, but because this identification method is not seamless for end users, it is commonly configured to appear only when users access specific network resources or the Internet, to avoid the overhead of end users identifying themselves. For traffic that is not HTTP based, you can also configure that all unidentified users are blocked from accessing the configured resources or the Internet until they first identify themselves through Browser-Based Authentication.

To turn User Awareness on or off:

Select the On or Off option.

Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.

Use the User Awareness configuration wizard to enable and configure the blade. You can configure the basic details of the identity sources. After initial configuration, you can select the Active Directory Queries or Browser-Based Authentication checkboxes under Policy Configuration and click Configure to configure more advanced settings.

To configure User Awareness with the wizard:

  1. Click the configuration wizard link.

    The User Awareness Wizard opens.

  2. Select one or more user identification methods (see above for descriptions of methods) and click Next.

For Active Directory Queries:

If you have an existing Active Directory server, click Use existing Active Directory servers.

To define a new Active Directory server:

  1. Click Define a new Active Directory server.
  2. Enter the Domain, IP address, User name, Password, and User DN. For the User DN, click Discover for automatic discovery of the DN of the object that represents that user or enter the user DN manually.
  3. You can optionally select Use user groups from specific branch only if you want to use only part of the user database defined in the Active Directory. In Branch, enter the branch name.
  4. Click Next.

For Browser-Based Authentication:

  1. To block access for unauthenticated users when the portal is not available, select Block unauthenticated users when the captive portal is not applicable. This option forces users with non-HTTP traffic to log in first through Browser-Based Authentication.
  2. Select whether unidentified users are redirected to the captive portal for All traffic or Specific destinations. In most cases, All traffic is not used, because this is not a seamless identification method.
  3. Under Specific destinations, select Internet or Selected network objects. If you select Selected network objects, select the objects from the list or create new objects.
  4. Click Finish.

To edit settings and configure portal customization for Browser-Based Authentication:

  1. Under Policy Configuration, select Browser-Based Authentication and click Configure.
  2. In the Identification tab, you can edit settings configured in the wizard if necessary.
  3. In the Customization tab, select the relevant options:
    • Users must agree to the following conditions - You can require that users agree to legal conditions. In the text box, enter the conditions that are shown to the user.
    • Upload - Lets you upload a company logo. Browse to the logo file and click Apply. The logo is shown in the Displayed Logo section.
    • Use Default - Uses the default logo.
  4. In the Advanced tab:
    • Portal Address - Keep the default setting which is the address the Captive Portal runs on the Check Point Appliance or enter a different portal address.
    • Session timeout - Sets for how long an authenticated user can access the network or Internet before they have to authenticate again.
    • Enable Unregistered guests login - Allow an unregistered, guest user to be identified in the logs by name and not only by IP address. An unregistered user is an unmanaged non-AD user, typically a partner or a contractor. To gain access, guests enter their company name, email address, phone number (optional), and name.

      Configure the Guest Session timeout. This is the number of minutes for which a guest user can access network resources. The default timeout is 180 minutes.

      Guest access is logged. The name of the guest shows in the User column of the Logs and Monitoring tab. The other details show in the full log entry.

    • Force quick cache timeout if user closes portal window - When the portal is closed, the user is logged out.
  5. Click Apply.

Note - This page is available from Access Policy > User Awareness Blade Control and Users & Objects > User Awareness.

Users

In the Users & Objects > Users page you can create local users and user groups. To use these objects in the Access Policy, make sure to activate User Awareness.

User objects are used to define the different terms under which users can operate. These include:

To add a new local user:

  1. Click New > Local User.
  2. Enter a User name, Password, and Comments (optional). You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \
  3. For temporary or guest users, click Temporary user.

    Enter the expiration date and time.

  4. To give the user remote access permissions, select Remote Access permissions.
  5. Click Apply.

    The user is added to the table on the page.

To add a new local users group with remote access permissions:

  1. Click New > Users Group.
  2. Enter a Group name.
  3. To give the group remote access permissions, select Remote Access permissions.
  4. To select initial users to add to the group, click the relevant checkboxes from the user list or click New to create new users.

    You can see a summary of the group members above the user list.

  5. To remove a user, click the X next to the user name.
  6. Click Apply.

    The group is added to the table on the page.

To automatically delete expired local users:

  1. Go to Device > Advanced Settings.
  2. Select User Management.
  3. Click Edit.

    The User Management window opens.

  4. Click the checkbox for Automatically delete expired local users.
  5. Click Apply.

    Expired local users are automatically deleted every 24 hours (after midnight).

To edit a user or group:

  1. Select the user or group from the list.
  2. Click Edit.
  3. Make the relevant changes and click Apply.

To delete a user or group:

  1. Select the user or group from the list.
  2. Click Delete.
  3. Click OK in the confirmation message.

    The user or group is deleted.

Administrators

The Device > Administrators page lists the Check Point Appliance administrators and lets you:

Administrators can also be defined in a remote RADIUS server and you can configure the appliance to allow them access. Authentication of those remotely defined administrators is done by the same RADIUS server.

Administrator Roles:

Two administrators with write permissions cannot log in at the same time. If an administrator is already logged in, a message shows. You can choose to log in with Read-Only permission or to continue. If you continue the login process, the first administrator session ends automatically.

The correct Administrator Role must be configured to perform the operations listed below. If not, a Permission Error message shows.

To create a local administrator:

  1. Click New.

    The Add Administrator page opens.

  2. Configure the parameters (name, password, and password confirmation). The hyphen (-) character is allowed in the administrator name. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \
  3. Select the Administrator Role.
  4. Click Apply.

    The name and Administrator Role are added to the table. When logged in to the WebUI, the administrator name and role are shown at the top of the page.

To edit the details of locally defined administrators:

  1. Select the administrator from the table and click Edit.
  2. Make the relevant changes.
  3. Click Apply.

To delete a locally defined administrator:

  1. Select an administrator from the list.
  2. Click Delete.
  3. Click Yes in the confirmation message.

Note - You cannot delete an administrator who is currently logged in.

To allow access for administrators defined in a remote RADIUS server:

  1. Make sure administrators are defined in the remote RADIUS server.
  2. Make sure a RADIUS server is defined on the appliance. If there is no server, click the RADIUS configuration link at the top of this page. You must configure the IP address and shared secret used by the RADIUS server.
  3. When you have a configured RADIUS server, click edit permissions.

    The RADIUS Authentication window opens.

  4. Click the Enable RADIUS authentication for administrators checkbox.

    Use roles defined on RADIUS server is selected by default.

  5. Configure the role for each user on the RADIUS server. See additional details below.

    Note - A user without role definition will get a login error.

  6. If you select Use default role for RADIUS users, select the Administrators Role:
    • Super Admin
    • Read only
    • Networking Admin
  7. To define groups, click Use specific RADIUS groups only and enter the RADIUS groups separated by a comma.
  8. Click Apply.

To set the Session Timeout value for both local and remotely defined administrators:

  1. Click Security Settings.

    The Administrators Security Settings window opens.

  2. Configure the session timeout (maximum time period of inactivity in minutes). The maximum value is 999 minutes.
  3. To limit login failure attempts, click the Limit administrators login failure attempts checkbox.
  4. Enter the number of Maximum consecutive login attempts allowed before an administrator is locked out.
  5. In Lock period, enter the time (in seconds) that must pass before a locked out administrator can attempt to log in again.
  6. To enforce password complexity on administrators, click the checkbox and enter the number of days for the password to expire.
  7. Click Apply.

Note - This page is available from the Device and Users & Objects tabs.

Configuring a RADIUS Server for non-local Check Point Appliance users:

Non-local users can be defined on a RADIUS server and not in the Check Point Appliance. When a non-local user logs in to the appliance, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.

Note - The configuration of the RADIUS Servers may change according to the type of operating system on which the RADIUS Server is installed.

Note - If you define a RADIUS user with a null password (on the RADIUS server), the appliance cannot authenticate that user.

To configure a Steel-Belted RADIUS server for non-local appliance users:

  1. Create the dictionary file checkpoint.dct on the RADIUS server, in the default dictionary directory (that contains radius.dct). Add these lines to the file:

    @radius.dct

    MACRO CheckPoint-VSA(t,s) 26 [vid=2620 type1=%t% len1=+2 data=%s%]

    ATTRIBUTE CP-Gaia-User-Role CheckPoint-VSA(229, string) r
    ATTRIBUTE CP-Gaia-SuperUser-Access CheckPoint-VSA(230, integer) r

  2. Add the following lines to the vendor.ini file on RADIUS server (keep in alphabetical order with the other vendor products in this file):

    vendor-product = Check Point Appliance
    dictionary = nokiaipso
    ignore-ports = no
    port-number-usage = per-port-type
    help-id = 2000

  3. Add to the dictiona.dcm file the line:
    "@checkpoint.dct"
  4. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where <role> allowed values are:

    Administrator Role    Value
    Super Admin           adminrole
    Read only             monitorrole
    Networking Admin      networkingrole

To configure a FreeRADIUS server for non-local appliance users:

  1. Create the dictionary file dictionary.checkpoint in /etc/freeradius/ on the RADIUS server:

    #
    # Check Point dictionary file for freeradius AAA server
    #
    VENDOR CheckPoint 2620
    ATTRIBUTE CP-Gaia-User-Role 229 string CheckPoint
    ATTRIBUTE CP-Gaia-SuperUser-Access 230 integer CheckPoint

  2. Add to /etc/freeradius/dictionary the line:
    "$INCLUDE dictionary.checkpoint"
  3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where <role> is the name of the administrator role that is defined in the WebUI.

    Administrator Role    Value
    Super Admin           adminrole
    Read only             monitorrole
    Networking Admin      networkingrole

To configure an OpenRADIUS server for non-local appliance users:

  1. Create the dictionary file dict.checkpoint in /etc/openradius/subdicts/ on the RADIUS server:

    # Check Point Gaia vendor specific attributes
    # (Formatted for the OpenRADIUS RADIUS server.)
    # Add this file to etc/openradius/subdicts/ and add the line
    # "$include subdicts/dict.checkpoint" to etc/openradius/dictionaries
    # right after dict.ascend.

    $add vendor 2620 CheckPoint

    $set default vendor=CheckPoint
    space=RAD-VSA-STD
    len_ofs=1 len_size=1 len_adj=0
    val_ofs=2 val_size=-2 val_type=String
    nodec=0 noenc=0

    $add attribute 229 CP-Gaia-User-Role
    $add attribute 230 CP-Gaia-SuperUser-Access val_type=Integer val_size=4


  2. Add the line $include subdicts/dict.checkpoint to /etc/openradius/dictionaries immediately after dict.ascend.
  3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where <role> is the name of the administrator role that is defined in the WebUI.

    Administrator Role    Value
    Super Admin           adminrole
    Read only             monitorrole
    Networking Admin      networkingrole
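The three dictionary files above all describe the same two Vendor-Specific Attributes: vendor ID 2620, vendor-type 229 (CP-Gaia-User-Role, a string) and vendor-type 230 (CP-Gaia-SuperUser-Access, an integer). The following added example, which is not Check Point's code and not part of this guide, encodes and decodes those attributes in the RFC 2865 Vendor-Specific format so that you can check what a RADIUS server actually sends in an Access-Accept (for example when a user gets the "login error" mentioned above for a missing role). The role-to-name mapping is the table from this page; the sample attribute bytes are constructed here.

```python
import struct

# Values taken from the dictionary files on this page.
CHECKPOINT_VENDOR_ID = 2620
CP_GAIA_USER_ROLE = 229            # string attribute
CP_GAIA_SUPERUSER_ACCESS = 230     # integer attribute
VENDOR_SPECIFIC = 26               # RFC 2865 Vendor-Specific attribute type

# Role values from the page's table, mapped to the WebUI role names.
ROLE_NAMES = {
    "adminrole": "Super Admin",
    "monitorrole": "Read only",
    "networkingrole": "Networking Admin",
}


def encode_vsa(vendor_type, value):
    """Encode one Check Point VSA as a complete RFC 2865 attribute.

    Layout: type(26) | length | vendor-id(4) | vendor-type | vendor-length | data
    vendor-length counts itself and vendor-type (the '+2' in the Steel-Belted macro).
    """
    if isinstance(value, int):
        data = struct.pack("!I", value)          # 4-byte big-endian integer
    else:
        data = value.encode("ascii")             # string attribute
    vendor_part = struct.pack("!IBB", CHECKPOINT_VENDOR_ID, vendor_type, 2 + len(data)) + data
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(vendor_part)) + vendor_part


def decode_checkpoint_vsas(attributes):
    """Walk a RADIUS attribute list and return [(vendor_type, value)] for vendor 2620.

    Other vendors' VSAs and non-VSA attributes are skipped; truncated data raises.
    """
    found = []
    offset = 0
    while offset < len(attributes):
        if offset + 2 > len(attributes):
            raise ValueError("truncated attribute header at offset %d" % offset)
        attr_type, attr_len = attributes[offset], attributes[offset + 1]
        if attr_len < 2 or offset + attr_len > len(attributes):
            raise ValueError("bad attribute length at offset %d" % offset)
        body = attributes[offset + 2:offset + attr_len]
        if attr_type == VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vendor_type, vendor_len = body[4], body[5]
            if vendor_id == CHECKPOINT_VENDOR_ID and 2 <= vendor_len <= len(body) - 4:
                data = body[6:4 + vendor_len]
                if vendor_type == CP_GAIA_SUPERUSER_ACCESS and len(data) == 4:
                    found.append((vendor_type, struct.unpack("!I", data)[0]))
                else:
                    found.append((vendor_type, data.decode("ascii", "replace")))
        offset += attr_len
    return found


def resolve_admin_role(attributes):
    """Return the WebUI role name carried in CP-Gaia-User-Role, or None.

    None models the page's note that a user without a (known) role definition
    gets a login error rather than a default role.
    """
    for vendor_type, value in decode_checkpoint_vsas(attributes):
        if vendor_type == CP_GAIA_USER_ROLE:
            return ROLE_NAMES.get(value)
    return None


if __name__ == "__main__":
    # Constructed Access-Accept attribute list: a role plus the superuser flag.
    reply = encode_vsa(CP_GAIA_USER_ROLE, "networkingrole") + encode_vsa(CP_GAIA_SUPERUSER_ACCESS, 0)
    print(reply.hex())
    print(decode_checkpoint_vsas(reply))
    print(resolve_admin_role(reply))
```

The decoder deliberately ignores VSAs from other vendors and rejects a vendor-length that would run past the attribute, which is what a careful receiver must do; a role value that is not one of the three in the table resolves to None, matching the appliance's refusal to log such a user in.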

To log in as a Super User:

A user with super user permissions can use the Check Point Appliance shell to do system-level operations, including working with the file system.

  1. Connect to the Check Point Appliance platform using an SSH client or serial console client.
  2. Log in to the Clish shell using your user name and password.
  3. Run Expert
  4. Enter the expert password.

Authentication Servers

In the Authentication Servers page you can define and view authentication servers. For each server you define both an external user database and the authentication method for the users in that database.

You can define these types of authentication servers:

To add a RADIUS server:

  1. Click Configure.
  2. In the Primary tab, enter this information:
    • IP address - The IP address of the RADIUS server.
    • Port - The port number through which the RADIUS server communicates with clients. The default is 1812.
    • Shared secret - The secret (pre-shared information used for message "encryption") between the RADIUS server and the Check Point Appliance. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \
      • Show - Displays the shared secret.
    • Timeout (seconds) - A timeout value in seconds for communication with the RADIUS server. The timeout default is 3 seconds.
  3. Repeat step 2 for a Secondary RADIUS server if applicable.

    Note - If you want to remove information you entered in IP address and shared secret, you can click Clear.

  4. Click Apply.

    The primary and secondary servers (if defined) are added to the RADIUS section on the page.

RADIUS servers can be used for:

To edit a RADIUS server:

  1. Click the IP address link of the RADIUS server you want to edit.
  2. Make the necessary changes.
  3. Click Apply.

    The RADIUS server definition is updated.

To delete a RADIUS server:

Click the Remove link next to the RADIUS server you want to delete.

The RADIUS server is deleted.

To configure remote access permissions for users defined in the RADIUS server:

  1. Click permissions for RADIUS users.
  2. Select or clear the Enable RADIUS authentication for remote access users checkbox.
  3. When selected, choose which users are given remote access permissions:
    • To allow all users defined in the RADIUS server to authenticate - Select All users defined on RADIUS server
    • Specific user groups defined in the RADIUS server - Select For specific RADIUS groups only and enter in the text field the names of the user groups separated by commas.
    • To allow administrators with Read-only permissions to authenticate - Select Read-only Administrators
  4. Click Apply.

To add an Active Directory domain:

  1. In the Active Directory section, click New.

    The Add new Domain window opens.

  2. Enter this information:
    • Domain - The domain name.
    • IP address - The IP address of one of the domain controllers of your domain.
    • User name - The user must have administrator privileges to ease the configuration process and create a user based policy using the users defined in the Active Directory.
    • Password - The user's password. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \
    • User DN - Click Discover for automatic discovery of the DN of the object that represents that user or enter the user DN manually. For example: CN=John James,OU=RnD,OU=Germany,O=Europe,DC=Acme,DC=com
  3. Select Use user groups from specific branch only if you want to use only part of the user database defined in the Active Directory. Enter the branch in the Branch full DN in the text field.
  4. Click Apply.

When an Active Directory is defined, you can select it from the table and choose Edit or Delete when necessary.

When you edit, note that the Domain information is read-only and cannot be changed.

When you add a new Active Directory domain, you cannot create another object using an existing domain.

To configure remote access permissions for all users defined in Active Directory:

By default, users defined in the Active Directory are not given remote access permissions. Instead, in the VPN > Remote Access Users page all users defined locally or in Active Directories can be selected to be granted remote access permissions per user.

  1. Click permissions for Active Directory users.
  2. Select All users in the Active Directory. With this option, it is not necessary to go to the VPN > Remote Access Users page and select specific users.

    Note that most Active Directories contain a large list of users and you might not want to grant them all remote access permissions to your organization. Usually you keep the Selected Active Directory user groups option and configure remote access permissions through VPN > Remote Access Users page.

  3. Click Apply.

To change synchronization mode with the defined Active Directories:

  1. Click Configure in the toolbar of the Active Directory table.
  2. Select one of the options - Automatic synchronization or Manual synchronization. When Manual synchronization is selected, you can sync the user database known to the appliance in all locations that this user database can be viewed. For example, the Users & Objects > Users page or the Source picker in the Firewall Rule Base in the Access Policy > Firewall Policy page.
  3. Click Apply.

To edit an Active Directory:

  1. Select the Active Directory from the list.
  2. Click Edit.
  3. Make the relevant changes and click Apply.

To delete an Active Directory:

  1. Select the Active Directory from the list.
  2. Click Delete.
  3. Click OK in the confirmation message.

    The Active Directory is deleted.

Note - This page is available from the VPN and Users & Objects tabs.

Applications & URLs

In the Users & Objects > Applications & URLs page you can define application groups, custom applications, and view the full list of available applications. You can then use them in the access policy together with the applications and URLs that are in the Application Database. A custom application group lets you define multiple categories and/or sites to use in the access policy Rule Base.

To configure the access policy, click the applications default policy link or click the Applications Blade Control page link.

For more information about all built in applications and categories, click the Check Point AppWiki link at the top of the page.

Note - When URL Filtering is selected in the Access Policy > Firewall Blade Control page, rules containing URLs and custom applications are enforced.

What is a custom application?

Most applications are browser based. A custom application can be defined using a string or regular expression search on URLs.

What is a category?

Each URL is inspected by the Check Point Cloud using the URL Filtering blade and can be matched to one or more built in categories (for example, phishing sites, high bandwidth, gambling, or shopping).

The Application and Categories List

A list of applications and categories is shown according to a filter that is shown above the list. There are 4 filters:

A tag icon is shown next to categories and dedicated application icons are shown next to applications.

In the Application Database, each application is assigned to one primary category based on its most defining aspect. It also has additional categories which are characteristics of the application. For example, Pinterest - its primary category is social networking and its additional categories are share photos and SSL protocol. If a category is in a rule, the rule matches all applications that are marked with the category.

If new applications are added to an additional category that is in the access policy Rule Base, the rule is updated automatically when the database is updated.

To search for a category or application:

  1. Filter the list to show the required view.
  2. Enter the text of the category or application in the Filter box.

    As you type, the list is filtered.

To create a custom URL:

  1. Select New > URL.
  2. Enter the URL.
  3. Click Apply.

    You can use the URL in a rule.

To create a custom application:

  1. Select New > Application.
  2. Enter a name for the custom application.
  3. Select a Primary category from the list.
  4. Select All URLs are regular expressions if you want to use regular expressions instead of partial strings. Regular expressions use PCRE syntax (for example, to block www.malicioussite.com using a regular expression you can use .*\.malicioussite\.com)
  5. Click New to add a partial string or regular expression that the appliance will detect in the URL and then click OK.
  6. Do step 5 to add more related strings or regular expressions. The custom application will be matched if one of the strings or expressions is found.
  7. Click the Additional Categories tab to select more categories if necessary.
  8. Click Apply.

    You can use the application in a rule.

To create a custom applications group:

  1. Select New > Applications Group.
  2. Enter a Group name.
  3. Select the applications and categories to add as group members. To filter the selection list by common, categories, custom, or all, click the link.

    The group members window shows a quick view of the selected items. You can quickly remove a selected item by clicking the x next to it.

  4. If necessary, click New to add a custom application or URL to the list. For information on creating a custom application, see above.
  5. Click Apply.

    You can use the custom application group in a rule.

Services

The Users & Objects > Services page lists the system services configured in the system. In this page you can add new services, edit services, and delete services.

You use service objects to define the network protocols that your policy refers to. A service is usually defined by its IP protocol and, for TCP and UDP, by its port numbers.

These objects can be used to define your security policy, as well as policy based routing rules. Many service objects are predefined with the system and cannot be deleted. Those predefined "system services" represent the appliance's ability to perform deep inspection on those services for connectivity and security reasons. The system services sometimes have additional configuration options.

To create a new service:

  1. Click New.
  2. In the Service tab, enter information in the fields that apply to the type of service you select. Note that not all fields may show:
    • Name - Enter the service's name.
    • Type - Select the service type from the list:
      • TCP
      • UDP
      • ICMP - Select this option if it is necessary to represent a specific option within the ICMP protocol. Note that this is an advanced option.
      • Other - Select this option to represent any IP protocol other than TCP or UDP.
    • Ports - Enter the port(s) if you selected Type - TCP or UDP. Port numbers and/or ranges can be entered by separating with commas.
    • IP Protocol - Enter the IP protocol if you selected Type - Other.
    • ICMP type and ICMP code - Enter the ICMP type and code that you want the service object to represent as listed in RFC 792. This option is only relevant if you selected Type - ICMP.
    • Comments - Enter an optional comment.
    • Disable inspection for this service - Select this checkbox to disable deep inspection of traffic matching this service. This option is only available for built-in services.
  3. In the Advanced tab, enter information in the fields that apply to the type of service you selected. Note that not all fields may show depending on the service type.

    General

    • Session timeout (in seconds) - Time in seconds before the session times out.
    • Use source port - Select this option and enter a port number for the client side service. If specified, only those source port numbers are accepted, dropped, or rejected when inspecting packets of this service. Otherwise, the source port is not inspected.
    • Accept replies (relevant for non-TCP services) - When cleared, server to client packets are treated as a different connection.
    • Match (a highly advanced option to be used only by Check Point Support)

    Connection handling

    • Keep connections open after policy has been installed - Even if they are not allowed under the new policy. If you change this setting, the change does not affect open connections, but only future connections.
    • Synchronize connections on cluster - Enables state-synchronized High Availability or Load Sharing on a cluster. Of the services allowed by the Rule Base, only those with Synchronize connections on cluster are synchronized as they pass through the cluster. By default, all new and existing services are synchronized.
    • Start synchronizing X seconds after the connection was initiated - For TCP services, enable this option to delay synchronization of a connection, so that the connection is synchronized only if it still exists X seconds after it was initiated. Some TCP services (HTTP for example) are characterized by connections with a very short duration. There is no point in synchronizing these connections, because every synchronized connection consumes gateway resources and the connection is likely to have finished by the time a failover occurs.

    Aggressive aging

    This feature can be configured from the Device > Advanced page. When the appliance is under load, older connections are removed from memory faster to make room for new connections.

    • Enable aggressive aging - Select this option to manage connections table capacity and reduce gateway memory consumption to increase durability and stability.
    • Aggressive aging timeout (in seconds) - Time in seconds before the session times out.
  4. Click Apply.
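The Service tab fields in step 2 (Type, Ports, IP Protocol, ICMP type and code) together decide which packets a service object covers. The following added example, written for this page and not taken from Check Point, models a user-defined service object with those fields, parses the comma-separated Ports field (numbers and ranges) and rejects malformed entries, and checks constructed packet header values against a list of services. The field validation rules beyond what the page states (port range 0-65535, IP protocol 0-255, refusing Type Other for protocols 6 and 17) are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA protocol numbers used by the packet samples below.
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse the Ports field: port numbers and/or ranges separated by commas.

    '80,443,8000-8080' -> [(80, 80), (443, 443), (8000, 8080)]
    Raises ValueError for empty entries, non-numeric text, inverted ranges and
    values outside 0-65535 (the range limit is this example's assumption).
    """
    ranges = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty port entry in %r" % spec)
        if "-" in entry:
            low_s, high_s = entry.split("-", 1)
            low, high = int(low_s), int(high_s)
        else:
            low = high = int(entry)
        if not 0 <= low <= high <= 65535:
            raise ValueError("invalid port or range: %r" % entry)
        ranges.append((low, high))
    return ranges


def ports_are_valid(spec: str) -> bool:
    """True if the Ports field would be accepted by parse_ports."""
    try:
        parse_ports(spec)
        return True
    except ValueError:
        return False


@dataclass
class Service:
    """A user-defined service object as entered in the Service tab."""
    name: str
    type: str                          # 'TCP', 'UDP', 'ICMP' or 'Other'
    ports: str = ""                    # Ports field (TCP/UDP only)
    ip_protocol: Optional[int] = None  # IP Protocol field (Other only)
    icmp_type: Optional[int] = None    # ICMP type per RFC 792 (ICMP only)
    icmp_code: Optional[int] = None    # ICMP code; None means any code

    def __post_init__(self):
        if self.type not in ("TCP", "UDP", "ICMP", "Other"):
            raise ValueError("unknown service type %r" % self.type)
        if self.type in ("TCP", "UDP"):
            self._ranges = parse_ports(self.ports)
        elif self.type == "Other":
            if self.ip_protocol is None or not 0 <= self.ip_protocol <= 255:
                raise ValueError("Other services need an IP protocol number 0-255")
            if self.ip_protocol in (PROTO_TCP, PROTO_UDP):
                raise ValueError("use Type TCP or UDP instead of Other for protocol %d" % self.ip_protocol)
        elif self.icmp_type is None:
            raise ValueError("ICMP services need an ICMP type")

    def matches(self, proto: int, dport: Optional[int] = None,
                icmp_type: Optional[int] = None, icmp_code: Optional[int] = None) -> bool:
        """Return True if a packet with these header fields belongs to this service."""
        if self.type in ("TCP", "UDP"):
            want = PROTO_TCP if self.type == "TCP" else PROTO_UDP
            return proto == want and dport is not None and any(lo <= dport <= hi for lo, hi in self._ranges)
        if self.type == "ICMP":
            return (proto == PROTO_ICMP and icmp_type == self.icmp_type
                    and (self.icmp_code is None or icmp_code == self.icmp_code))
        return proto == self.ip_protocol   # Other: the IP protocol number alone decides


def first_matching_service(services: List[Service], **packet) -> Optional[str]:
    """Name of the first service object that matches the packet, or None."""
    for svc in services:
        if svc.matches(**packet):
            return svc.name
    return None


if __name__ == "__main__":
    # Constructed service objects and packet header values.
    services = [
        Service("web", "TCP", ports="80,443,8000-8080"),
        Service("icmp-echo-request", "ICMP", icmp_type=8, icmp_code=0),
        Service("gre", "Other", ip_protocol=47),
    ]
    print(first_matching_service(services, proto=PROTO_TCP, dport=8080))
    print(first_matching_service(services, proto=PROTO_ICMP, icmp_type=8, icmp_code=0))
    print(first_matching_service(services, proto=PROTO_UDP, dport=53))
```

The ICMP branch shows why the page calls ICMP type and code an advanced option: a service that names only type 8 code 0 matches echo requests and nothing else, so an ICMP rule built on it will not cover replies or errors unless those are defined as further services.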

To edit a service:

  1. Select a service from the list.
  2. Click Edit.
  3. Make the necessary changes. Note that not all fields can be edited.
  4. Click Apply.

To delete a service:

  1. Select the service from the list. Note that you can only delete a user defined service.
  2. Click Delete.
  3. Click Yes in the confirmation message.

To filter for a specified service:

  1. In the Type to filter box, enter the service name or part of it.
  2. As you enter text, the list is filtered and shows matching results.

Built-in System Services

Some built-in services represent Check Point's ability to perform deep inspection of the specific protocol. These system services cannot be deleted. When you edit them, the ports which you configure decide when the deep inspection occurs and you can add or change default ports. Some system services have additional configuration which affect the way the deep inspection is performed.

Service Groups

The Users & Objects > Service Groups page lists the service groups defined in the system. In this page you can add new service groups, and edit or delete existing service groups.

We recommend you define service groups to configure the security policy. If the security policy is configured with groups and not specified objects, it is much easier to maintain the policy over time. If you decide to add new service objects to the system, you only need to add them to the relevant groups and your policy automatically applies.

There are built in service groups for common services.

Some of these service groups also contain additional configuration for the inspection of the specific protocol.

To create a new service group:

  1. Click New.

    The New Service Group window opens.

  2. Enter a Name for the group and Comments (optional).
  3. Click Select to show the full list of available services and select the relevant checkboxes.
  4. Click New if the existing list does not contain the services you need. For information on creating a new service object, see the Users & Objects > Services page.
  5. Click Apply.

    You return to the New Service Group window, which shows the services you selected.

  6. You can also click New in the New Service Group window to create a service object directly.
  7. To remove a service object from the group list, select it and click Remove.
  8. Click Apply.

    The service group is added to the list of groups.

To edit a service group:

  1. Select a group from the list.
  2. Click Edit.
  3. Make the necessary changes.
  4. Click Apply.

To delete a service group:

  1. Select the group from the list. Note that you can only delete a user defined service group.
  2. Click Delete.
  3. Click Yes in the confirmation message.

To filter for a specified service group:

  1. In the Type to filter box, enter the service group name or part of it.
  2. As you enter text, the list is filtered and shows matching results.

Built-in System Service Groups

Some built-in service groups represent Check Point's ability to perform deep inspection of a specific protocol. Such system service groups cannot be deleted. They contain a list of built-in services; if you edit the content of such a group, you can restore the default list by clicking Reset.

Some system service groups have additional configuration that affects how the deep inspection is performed.

DNS - The Firewall settings tab lets you configure NAT support over DNS. Note that this option affects the performance of DNS traffic and is normally not needed unless your organization uses both NAT and an internal DNS server accessible to the Internet. The IPS settings tab lets you configure how and when DNS deep inspection is performed. Select the relevant options.

Network Objects

The Users & Objects > Network Objects page lists the network objects defined in the system. In this page you can add, edit, and delete network objects. The most common use for these objects is to define the security policy and its exceptions. Network objects can also be used as hosts for the internal DNS service, and their IP addresses can be configured as fixed assignments for the internal DHCP service.

These are the available network object types: Single IP, IP Range, and Network.

To create a Single IP network object:

  1. Click New.

    The New Network Object window opens.

  2. In Type, select Single IP.
  3. Enter an IP address and Object name.
  4. Select or clear these options as necessary:
    • Allow DNS server to resolve this object name - When the gateway is the DNS server for your internal networks, the object name is resolved to its IP address.
    • Exclude from DHCP service - The internal DHCP service does not distribute the configured IP address of this object to any client.
      • Reserve IP address in DHCP service for MAC - The internal DHCP service distributes the configured IP address only to the device with this MAC address.
      • Enter the MAC address - This is required for IP reservation. When you create the object from the Active Devices page, the MAC address is detected automatically.
  5. Click Apply.

To create an IP Range network object:

  1. Click New.

    The New Network Object window opens.

  2. In Type, select IP Range.
  3. In the Start IP and End IP fields, enter the IP addresses that represent the start of the IP range and end of the IP range.
  4. Enter the Object name.
  5. Select or clear this option as necessary:
    • Exclude from DHCP service - The internal DHCP service does not distribute the configured IP range to anyone.
  6. Click Apply.

To create a Network type network object:

  1. Click New.

    The New Network Object window opens.

  2. In Type, select Network.
  3. Enter a Network address and Subnet mask.
  4. Enter the Object name.
  5. Click Apply.

To edit a network object:

  1. Select a network object from the list.
  2. Click Edit.
  3. Make the necessary changes.
  4. Click Apply.

To delete a network object:

  1. Select the network object from the list.
  2. Click Delete.
  3. Click Yes in the confirmation message.

To filter for a specified network object:

  1. In the Type to filter box, enter the name of the network object or part of it.
  2. As you enter text, the list is filtered and shows matching results.

Network Object Groups

The Users & Objects > Network Object Groups page lists the network object groups defined in the system. In this page you can add new network object groups, edit network object groups, and delete network object groups.

We recommend that you define groups for network objects and use them in the security policy. A policy that references groups rather than individual objects is much easier to maintain over time: when new network objects are added to the system, you only need to add them to the relevant groups and the policy applies to them automatically.
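The following is an added example, not code from the appliance or from Check Point. It models the three network object types described on the Network Objects page (Single IP, IP Range, Network with a dotted subnet mask), a network object group, a service group, and a rule that references only groups, to show the maintenance point made above and in the Service Groups section: when a new object is added to a group, an existing rule applies to it without being edited. The object names, addresses, the `evaluate` function, and the default drop when no rule matches are all assumptions for the example; the validation it performs (Start IP not above End IP, no host bits set in a Network address) is the kind of check a practitioner would want when importing object lists in bulk.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


# ---- Network object types: Single IP, IP Range, Network ---------------------

@dataclass(frozen=True)
class SingleIP:
    name: str
    ip: str

    def contains(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) == ipaddress.ip_address(self.ip)


@dataclass(frozen=True)
class IPRange:
    name: str
    start: str
    end: str

    def __post_init__(self) -> None:
        # A range whose Start IP is above its End IP would silently match nothing.
        if ipaddress.ip_address(self.start) > ipaddress.ip_address(self.end):
            raise ValueError(f"{self.name}: start {self.start} is after end {self.end}")

    def contains(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        return ipaddress.ip_address(self.start) <= a <= ipaddress.ip_address(self.end)


@dataclass(frozen=True)
class Network:
    name: str
    address: str
    mask: str  # dotted subnet mask, as entered in the UI

    def __post_init__(self) -> None:
        # strict=True rejects a network address with host bits set
        # (e.g. 10.0.1.5 / 255.255.255.0), a common copy-paste mistake.
        ipaddress.ip_network(f"{self.address}/{self.mask}", strict=True)

    def contains(self, addr: str) -> bool:
        net = ipaddress.ip_network(f"{self.address}/{self.mask}", strict=True)
        return ipaddress.ip_address(addr) in net


def is_valid_network(address: str, mask: str) -> bool:
    """True if the address/mask pair would be accepted as a Network object."""
    try:
        Network("check", address, mask)
        return True
    except ValueError:
        return False


@dataclass
class NetworkObjectGroup:
    name: str
    members: list = field(default_factory=list)

    def contains(self, addr: str) -> bool:
        return any(m.contains(addr) for m in self.members)


# ---- Services and service groups --------------------------------------------

@dataclass(frozen=True)
class Service:
    name: str
    protocol: str  # "tcp" or "udp"
    port: int

    def matches(self, protocol: str, port: int) -> bool:
        return self.protocol == protocol.lower() and self.port == port


@dataclass
class ServiceGroup:
    name: str
    members: list = field(default_factory=list)

    def matches(self, protocol: str, port: int) -> bool:
        return any(s.matches(protocol, port) for s in self.members)


# ---- A rule that references only groups -------------------------------------

@dataclass
class Rule:
    name: str
    source: NetworkObjectGroup
    destination: NetworkObjectGroup
    service: ServiceGroup
    action: str  # "accept" or "drop"


def evaluate(rules: List[Rule], src: str, dst: str, protocol: str, port: int) -> str:
    """First matching rule wins; with no match, fall through to drop (assumed default)."""
    for r in rules:
        if (r.source.contains(src) and r.destination.contains(dst)
                and r.service.matches(protocol, port)):
            return r.action
    return "drop"


# ---- Constructed sample objects and policy (not taken from any appliance) ----

internal = NetworkObjectGroup("Internal_Networks", [
    Network("LAN", "10.0.1.0", "255.255.255.0"),
    IPRange("Guest_Pool", "192.168.50.10", "192.168.50.99"),
])
dns_servers = NetworkObjectGroup("DNS_Servers", [SingleIP("dns1", "10.0.2.53")])
dns_svc = ServiceGroup("DNS", [Service("dns_udp", "udp", 53), Service("dns_tcp", "tcp", 53)])
policy = [Rule("Allow internal DNS", internal, dns_servers, dns_svc, "accept")]


def add_second_dns_server() -> tuple:
    """The rule is never touched; only the DNS_Servers group gains a member."""
    before = evaluate(policy, "10.0.1.20", "10.0.2.54", "udp", 53)
    dns_servers.members.append(SingleIP("dns2", "10.0.2.54"))
    after = evaluate(policy, "10.0.1.20", "10.0.2.54", "udp", 53)
    return before, after


if __name__ == "__main__":
    print(add_second_dns_server())
```

Because `add_second_dns_server` changes the group rather than the policy, the same call returns `drop` before the new server is a group member and `accept` afterwards, which is exactly the behaviour the recommendation relies on. The two `__post_init__` checks are there because a range or network object that the UI would reject can still slip into a scripted or imported object list and then match nothing, which shows up as an unexplained drop rather than a validation error.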

To create a new network object group:

  1. Click New.

    The New Network Object Group window opens.

  2. Enter a Name for the group and Comments (optional).
  3. Click Select to show the full list of available network objects and choose the relevant checkboxes.
  4. Click New if the existing list does not contain the network object you need. For information on creating a new network object, see the Users & Objects > Network Objects page.
  5. Click Apply.

    You return to the New Network Object Group window, which shows the network objects you selected.

  6. You can also click New in the New Network Object Group window to create a network object directly.
  7. To remove a network object from the group list, select it and click Remove.
  8. Click Apply.

    The network object group is added to the list of groups.

To edit a network object group:

  1. Select a group from the list.
  2. Click Edit.
  3. Make the necessary changes.
  4. Click Apply.

To delete a network object group:

  1. Select the group from the list.
  2. Click Delete.
  3. Click Yes in the confirmation message.

To filter for a specified network object group:

  1. In the Type to filter box, enter the network object group name or part of it.
  2. As you enter text, the list is filtered and shows matching results.