Configuration Using the Web Interface
SecurePlatform enables easy configuration of your computer and networking setup, and the Check Point products installed on them.
This section describes the SecurePlatform Web Interface (also known as WebUI). Most of the common operations can be done by using the Web Interface on the SecurePlatform Administration Portal.
Note - The Web Interface is not accessible in the FIPS 140-2 compliant mode.
First Time Setup Using the Web Interface
After the installation from the DVD is completed, and the computer has been rebooted, a first time setup using the First-Time Configuration Wizard is required in order to:
- Configure the network settings
- Configure the time/date/time zone
- Configure the allowed IPs of SSH and administration Web UI clients
- Select which products will be installed
- Set the initial configuration of installed products
These settings can also be changed after the first time setup is complete, using the SecurePlatform Web Interface.
Connecting to the Web Interface
The initial configuration of SecurePlatform is performed using the First-Time Configuration Wizard. The SecurePlatform Web Interface lets you further configure SecurePlatform.
To connect to the SecurePlatform Administration Portal:
- Initiate a connection from a browser to the administration IP address:
- For appliances - https://<IP_address>:4434.
- For open servers - https://<IP_address>
Note - Pop-ups must always be allowed on https://<IP_address>.
The login page appears.
- Login with the system administrator login name/password and click Login.
(To log out of the Web Interface, click Close, in the top right of the page.)
Changing the Settings of the SecurePlatform Portal
Configure the settings of the SecurePlatform administration portal in SmartDashboard from the properties of the gateway > . From there you can configure:
- The primary URL of the SecurePlatform administration portal.
- Aliases that automatically redirect to the administration portal.
- A p12 certificate that the portal uses for authentication.
- How the portal can be accessed.
Configure the settings on the page:
- Main URL - The primary URL for the portal. You can use the same IP address for all of the portals with this variation:
- SecurePlatform Web User interface - https://<main gateway IP address>/admin
- Mobile Access Portal - https://<main gateway IP address>/sslvpn
- DLP Portal - https://<main gateway IP address>/dlp
You may choose to have the Mobile Access portal on an external IP address while others are on an internal IP address.
Note - The field must be manually updated if:
- The Main URL field contains an IP address and not a DNS name.
- You change a gateway's IPv4 address to IPv6 or vice versa.
- IP Address - Enter the IP address for the portal.
- Aliases - Click the button to add URL aliases that are redirected to the main portal URL. Aliases can be in clear (http://) and redirect users to the secure portal over HTTPS. For example, portal.example.com can send users to the portal. For an alias to work, your DNS server must resolve it to the IP address of the main URL.
- Certificate - Click Import to import a p12 certificate for the portal website to use. If you do not import a certificate, the portal uses a Check Point auto-generated certificate. Browsers show a warning for that certificate, because it is issued by the Security Management Server's internal CA, which they do not trust. All portals on the same IP address use the same certificate.
- Accessibility - Click to select from where the portal can be accessed. The options are based on the topology configured for the Security Gateway.
The portal is accessible through these interfaces:
- Through all interfaces
- Through internal interfaces
- Including undefined internal interfaces
- Including DMZ internal interfaces
- Including VPN encrypted interfaces
- According to the Firewall policy - Select this if there is a rule that states who can access the portal.
Obtaining and Installing a Trusted Server Certificate
To be accepted by an endpoint computer without a warning, gateways must have a server certificate signed by a known certificate authority (such as Entrust, VeriSign or Thawte). This certificate can be issued directly to the gateway, or be a chained certificate that has a certification path to a trusted root certificate authority (CA).
The next sections describe how to get a certificate for a gateway that is signed by a known Certificate Authority (CA):
Generating the Certificate Signing Request
First, generate a Certificate Signing Request (CSR). The CSR is for a server certificate, because the gateway acts as a server to the clients.
Note - This procedure creates private key files. If private key files with the same names already exist on the computer, they are overwritten without warning.
- From the gateway command line, log in to expert mode.
- Run:
cpopenssl req -new -out <CSR file> -keyout <private key file> -config $CPDIR/conf/openssl.cnf
This command generates a private key. You see this output:
Generating a 2048 bit RSA private key
.+++
...+++
writing new private key to 'server1.key'
Enter PEM pass phrase:
- Enter a password and confirm.
Fill in the data.
- The Common Name field is mandatory. It must contain the Fully Qualified Domain Name (FQDN) of the site that users access, for example portal.example.com. All other fields are optional.
- Send the CSR file to a trusted certificate authority. Make sure to request a signed certificate in PEM format. Keep the .key private key file.
Generating the P12 File
After you get the Signed Certificate for the gateway from the CA, generate a P12 file that has the Signed Certificate and the private key.
- Get the Signed Certificate for the gateway from the CA.
If the signed certificate is in P12 or P7B format, convert these files to a PEM (Base64 encoded) formatted file with a CRT extension.
- Make sure that the CRT file has the full certificate chain up to a trusted root CA.
Usually you get the certificate chain from the signing CA. Sometimes it is split into separate files. If the signed certificate and the trust chain are in separate files, use a text editor to combine them into one file. Make sure the server certificate is at the top of the CRT file, followed by the intermediate certificates and then the root.
- From the gateway command line, log in to expert mode.
- Use the *.crt file to install the certificate with the *.key file that you generated.
- Run:
cpopenssl pkcs12 -export -out <output file> -in <signed cert chain file> -inkey <private key file>
For example:
cpopenssl pkcs12 -export -out server1.p12 -in server1.crt -inkey server1.key
- Enter the private key pass phrase when prompted, then choose an export password for the P12 file. Keep the export password; you need it when you import the P12 file into SmartDashboard.
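The CSR, chain and P12 steps above, run end to end as an added example that is not Check Point's code. It uses plain openssl on a workstation instead of cpopenssl on the gateway, stands in for the public CA with a throwaway self-signed root so that it runs offline, and assumes the file names server1.key/csr/crt/p12, the FQDN portal.example.com and a demo pass phrase. It adds two checks the guide only describes in words: that the server certificate is first in the chain file, and that the P12 opens with the export password and carries the whole chain.

```shell
#!/bin/sh
# Added example, not Check Point code: CSR -> signed chain -> P12 with plain
# openssl. The external CA is simulated by a throwaway self-signed root, and the
# file names, pass phrase and FQDN are assumptions for the demo.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"
KEYPASS="pass:changeit"      # demo only; on a gateway you type the pass phrase at the prompt
FQDN="portal.example.com"    # Common Name must be the name users type into the browser

gen_csr() {
  # Step 1: CSR plus an encrypted 2048-bit RSA private key
  # (cpopenssl req -new -out <CSR> -keyout <key> on the gateway).
  openssl req -new -newkey rsa:2048 -out server1.csr -keyout server1.key \
    -passout "$KEYPASS" -subj "/CN=$FQDN" 2>/dev/null
}

make_demo_ca() {
  # Stand-in for the public CA: a self-signed root, so the demo is offline.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 365 -subj "/CN=Demo Root CA" 2>/dev/null
}

sign_csr() {
  # Step 2: the CA returns the server certificate in PEM format.
  openssl x509 -req -in server1.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out server1-leaf.crt -days 365 2>/dev/null
}

build_chain() {
  # Step 3: one CRT file with the server certificate FIRST, then the chain up
  # to the trusted root, which is the order the guide requires.
  cat server1-leaf.crt ca.crt > server1.crt
}

chain_ok() {
  # Check before exporting: the first certificate in the file is the leaf for
  # our FQDN (openssl x509 reads only the first PEM block, which is the point),
  # and the leaf verifies against the root in the same file.
  case "$(openssl x509 -in server1.crt -noout -subject)" in
    *"$FQDN"*) ;;
    *) echo "server certificate is not first in server1.crt" >&2; return 1 ;;
  esac
  openssl verify -CAfile ca.crt server1-leaf.crt >/dev/null 2>&1
}

export_p12() {
  # Step 4: cpopenssl pkcs12 -export -out server1.p12 -in server1.crt -inkey server1.key
  # -passin unlocks the key; -passout sets the export password the import asks for.
  openssl pkcs12 -export -out server1.p12 -in server1.crt -inkey server1.key \
    -passin "$KEYPASS" -passout "$KEYPASS"
}

p12_cert_count() {
  # Check: the P12 opens with the export password and carries the whole chain
  # (2 here: leaf plus root).
  openssl pkcs12 -in server1.p12 -passin "$KEYPASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

gen_csr
make_demo_ca
sign_csr
build_chain
chain_ok
export_p12
echo "server1.p12 built in $WORK with $(p12_cert_count) certificate(s)"
```

If the CA returns the certificate as P7B, `openssl pkcs7 -print_certs -in signed.p7b -out server1.crt` writes the PEM certificates; if it returns a P12, `openssl pkcs12 -in signed.p12 -nokeys -out server1.crt` does the same. In both cases run the chain check afterwards, because the order of the certificates in the output is not guaranteed.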
Installing the Signed Certificate
Install the Third Party signed certificate to create Trust between the Mobile Access Software Blade and the clients.
All portals on the same IP address use the same certificate. Define the IP address of the portal in the Portal Settings page for the blade/feature.
- Import the new certificate to the gateway in SmartDashboard from a page that contains the Portal Settings for that blade/feature. For example:
In the section, click or.
- Install the policy on the gateway.
Note - The Repository of Certificates on the IPsec VPN page of the SmartDashboard gateway object is only for self-signed certificates. It does not affect the certificate installed manually using this procedure.
Viewing the Certificate
To see the new certificate from a Web browser:
The Security Gateway uses the certificate when you connect with a browser to the portal. To see the certificate when you connect to the portal, click the lock icon that is next to the address bar in most browsers.
The certificate that users see depends on the actual IP address that they use to access the portal- not only the IP address configured for the portal in SmartDashboard.
To see the new certificate from SmartDashboard:
From a page that contains the portal settings for that blade/feature, click in the section.
Status
Use the page to view device and network information about the SecurePlatform machine.
Device Status
This provides a summary of the device status, and displays information such as the machine Host Name, Version and Build, and Installation Type.
Network
Use these pages to configure the network interfaces, routing table, DNS and Host Name.
Network Connections
This page enables you to edit the properties of existing network connections (for example, xDSL connections using PPPoE or PPTP) and to add the following interfaces:
- VLAN
- Secondary IP
- PPPoE
- PPTP
- Bond
- Bridge
- ISDN
- Loopback
The table displays all available network connections.
To configure network connections:
- To edit the properties of an interface, click the of the interface.
- To delete a connection, select the connection checkbox and click .
Note -
- Loopback and Ethernet connections cannot be deleted.
- When a Bridge or Bond is deleted, the interfaces allocated to that connection are released.
- To disable a connection without deleting it, select the checkbox and click .
- To configure a connection to work without an IP address, click .
- To add a connection, click and select the connection type from the drop-down list.
- If the connections were changed while on this page, click .
Routing Table
This page enables you to manage the routing table on your device. You can add or delete static and default routes.
Note -
- You cannot edit an existing route. To modify a specific route, delete it and create a new route in its place.
- Be careful not to delete a route that allows you to connect to the device.
To delete a route:
Select the checkbox of the specific route and click .
To add a new static route:
- On the Routing Table page, click and select . The page appears.
- Supply the:
- Destination IP Address
- Destination Netmask
- Interface (from the drop-down box)
- Gateway (the next-hop IP address)
- Metric
- Click .
To add a default route:
- On the Routing Table page, click and select . The page appears.
- Supply the following:
- Click .
DNS Servers
In the page, you can define up to three DNS servers.
Note - Changes in the DNS configuration take effect only after restarting the device services. To restart device services, use the Device Control page.
Host and Domain Name
In the page:
- Supply a .
- Supply a .
- Select a from the drop-down box. The Hostname will be associated with the IP of this interface.
Local Hosts Configuration
This page enables you to configure the host local resolving configuration.
Note - Host entries cannot be edited. They must be deleted and recreated. The entry for the local machine is automatically generated, based on the Domain configuration information.
To add a Host:
- Click . The page is displayed.
- Supply a .
- Supply a .
- Click .
To delete a Host:
- Select the checkbox of the entry and click .
Device
Use these pages to configure the SecurePlatform machine.
Device Control
This page provides diagnostics information about all the processes that are running on the machine. For each Process, the User, PID, Parent PID, %CPU, % Memory and Command are displayed. You can use the drop-down list to Start, Restart, or Stop all of the Check Point products. In addition, you can shut down the device, reboot it, or download a diagnostic file (cpinfo output) useful for support.
To refresh the information displayed in the page click .
Device Date and Time Setup
This page allows you to define the Device date and time, optionally using NTP.
Manual Device date and time configuration
Enter the current and , as well as setting the . The date must be in the format: dd-Mon-yyyy (e.g. 31-Dec-2003). The time should be: HH:mm (e.g. 23:30).
Use Network Time Protocol (NTP) to synchronize the clock
NTP is used to synchronize clocks of computers on the network.
If the primary NTP server fails to respond, the secondary NTP server is queried.
The field is optional.
Click to set the date and time.
Backup
This page allows you to configure backup settings.
You can choose to configure a scheduled backup, or you can choose to perform an immediate backup operation. The backup data can be stored on your desktop computer, locally (on the device), on a TFTP Server, an SCP Server or an FTP Server.
Note - If you use a stock TFTP server on Unix/Linux, you must create a world-writable file with the same name as the proposed backup file before running the backup. Otherwise, the backup fails. Refer to your TFTP server manual, or to the TFTP protocol itself, and verify that the utility works in the environment you operate in. TFTP and FTP transfer the backup in clear text with no server authentication, so prefer SCP when the backup leaves a trusted network.
The SecurePlatform backup mechanism enables exporting snapshots of the user configurable configuration. Exported configurations can later be imported in order to restore a previous state in case of failure.
Two common use cases for backup are:
- When the current configuration stops working, a previous exported configuration may be used in order to revert to a previous system state.
- Upgrading to a new SecurePlatform version. The procedure would include:
- Backing up the configuration of the current version
- Installing the new version
To make a backup now, click the link.
To configure a backup schedule, click .
The Backup page displays the . This may be different than the browser machine time.
To restore the backup, run the restore shell command from the device.
Information Backed Up
The information backed up includes:
- All settings performed by the Admin GUI
- Network configuration data
Viewing the Scheduling Status
The following information is displayed:
- Scheduled backup is enabled or disabled.
- The backup destination which can be one of the following: your desktop computer, locally (on the device), on a TFTP Server or a SCP Server.
- The time to start the backup. The current device date and time is displayed, which may be different than the browser machine time
- recurrence interval.
Restoring the Backup
Description
To restore the backup, run the restore shell command from the device. When the restore command is executed by itself, without any additional flags, a menu of options is displayed. The options in the menu provide the same functionality as the command line flags for the restore command.
Syntax
restore [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
Parameters
- -h - Obtain usage.
- -d - Debug flag.
- --tftp <ServerIP> [<Filename>] - IP address of the TFTP server from which the configuration is restored, and the file name.
- --scp <ServerIP> <Username> <Password> [<Filename>] - IP address of the SCP server from which the configuration is restored, the username and password used to access the SCP server, and the file name. The password is passed on the command line, so it appears in the process list and in the shell history.
- --file <Filename> - File name for a restore operation performed locally.
Example
When the restore command is executed by itself, without any additional flags, the following menu is displayed:
Choose one of the following:
---------------------------------------------------
[L] Restore local backup package
[T] Restore backup package from TFTP server
[S] Restore backup package from SCP server
[R] Remove local backup package
[Q] Quit
---------------------------------------------------
Scheduling a Backup
To schedule a backup:
- On the page, click . The page appears.
- Select .
- Set up the backup schedule.
- Select a device to hold the backup. The options include the current SecurePlatform, a TFTP server (Trivial File Transfer Protocol: a minimal UDP-based file transfer protocol with no directory listing, authentication or encryption), or an SCP server (Secure Copy: file transfer over SSH, which authenticates the server and encrypts the data).
- Click .
To execute a backup:
Viewing the Backup Log
To view the backup log:
Click . The page appears. You will see the Device Date and Time, Location (the device to which the backup has been sent), Location IP Address, Backup Status and Details.
Upgrade
To upgrade the device:
- , as directed. If you already downloaded the file, you can skip this step.
- to the upgrade package file.
- Click .
- When you have finished uploading the package, click the link to see detailed information about the package, including version information and the MD5 checksum of the package. Compare this checksum with the one published for the package by Check Point: a match shows that the file was not truncated or corrupted during download and upload. MD5 is not collision resistant, so the checksum is an integrity check of the transfer, not proof that the package is authentic.
- Click .
The Upgrade Status pane provides information such as Action, Start Time, Status and Details.
Device Administrators
Use this page to see the Device administrators, create or delete the Device administrator, and download a One Time Login Key.
To create an administrator:
- On the page, click . The page appears.
- For Check Point appliances only: It is recommended to select , so that the password strength is validated when an administrator is created.
- Provide a name and a password for the Device administrator.
- Click .
To download a One Time Login Key:
- Click .
The page is displayed.
- Supply a challenge-question and answer to protect your Login Key from unauthorized usage.
- Click .
Note - The One Time Login Key is required if you forget your password. Save this file in a safe place.
Web and SSH Clients
In the Web/SSH Clients page, a list of configured client IPs is displayed. Only the configured client IPs are permitted to access SecurePlatform and SSH services. You can add or remove a Web/SSH client.
To remove a Web/SSH client:
Select the specific Web/SSH client checkbox and click .
To add a Web/SSH client:
- In the page, click . The page is displayed.
- Define the host with any of the following list of options:
- IP address
- Resolvable name (resolved locally, not by DNS)
- "Any" - Enables a connection from any Web/SSH Client.
- Wildcards - Use in IP format only (Right: 192.0.2.*   Wrong: *.example.com).
- Click .
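The allowed-client rules above, checked in an added shell example that is not Check Point code. The page does not say how SecurePlatform matches an entry, so the matching below (octet-by-octet wildcards, a local hosts table instead of DNS, case-insensitive "any", wildcard host names rejected) is an assumption, and the hosts table, the allow-list and the connecting addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Check Point code: sanity-check Web/SSH client entries and
# test whether a connecting address is admitted by them. Matching rules are an
# assumption drawn from the text:
#   - an IPv4 address, or an IPv4 address with '*' in place of whole octets
#   - the word "any" (matches everything)
#   - a host name, looked up in the local hosts table, never in DNS
#   - wildcards inside a host name (e.g. *.example.com) are rejected

# Constructed local hosts table (name, address), standing in for /etc/hosts.
LOCAL_HOSTS="admin-ws 192.0.2.10
jump-host 198.51.100.5"

# Constructed allow-list, one entry per line (the last one is the "Wrong" form).
ALLOWLIST="192.0.2.*
admin-ws
jump-host
*.example.com"

# resolve_local NAME: print the address from LOCAL_HOSTS; status 1 if unknown.
resolve_local() {
  while read -r name addr; do
    [ "$name" = "$1" ] && { printf '%s\n' "$addr"; return 0; }
  done <<EOF
$LOCAL_HOSTS
EOF
  return 1
}

# validate_client_entry ENTRY: 0 if ENTRY is a form the page allows, else 1.
validate_client_entry() {
  entry="$1"
  case "$entry" in
    [Aa][Nn][Yy]) return 0 ;;
    *[!0-9.*]*)
      # Contains letters: a host name. A wildcard host name is rejected.
      case "$entry" in *\**) return 1 ;; esac
      if resolve_local "$entry" >/dev/null; then return 0; else return 1; fi ;;
  esac
  # Only digits, dots and '*': require four octets, each 0-255 or '*'.
  # Octets are split with parameter expansion so '*' is never glob-expanded.
  rest="$entry."
  n=0
  while [ -n "$rest" ]; do
    octet="${rest%%.*}"
    rest="${rest#*.}"
    n=$((n + 1))
    case "$octet" in
      \*) ;;
      [0-9]|[0-9][0-9]|[0-9][0-9][0-9]) [ "$octet" -le 255 ] || return 1 ;;
      *) return 1 ;;
    esac
  done
  [ "$n" -eq 4 ]
}

# client_matches IP ENTRY: 0 if ENTRY admits the source address IP, else 1.
client_matches() {
  ip="$1"; entry="$2"
  validate_client_entry "$entry" || return 1
  case "$entry" in
    [Aa][Nn][Yy]) return 0 ;;
    *[!0-9.*]*)
      if [ "$(resolve_local "$entry")" = "$ip" ]; then return 0; else return 1; fi ;;
  esac
  iprest="$ip."; erest="$entry."
  while [ -n "$erest" ]; do
    eo="${erest%%.*}"; erest="${erest#*.}"
    io="${iprest%%.*}"; iprest="${iprest#*.}"
    [ "$eo" = "*" ] || [ "$eo" = "$io" ] || return 1
  done
  [ -z "$iprest" ]   # the source address must not have extra octets
}

# check_source IP: print the verdict for one connecting address; 0 if allowed.
check_source() {
  while read -r e; do
    if client_matches "$1" "$e"; then
      printf '%s\n' "$1: allowed by $e"
      return 0
    fi
  done <<EOF
$ALLOWLIST
EOF
  printf '%s\n' "$1: denied"
  return 1
}

# Demo: the invalid *.example.com entry never admits anyone.
for src in 192.0.2.77 198.51.100.5 203.0.113.9 www.example.com; do
  check_source "$src"
done
```

The demo prints 192.0.2.77 allowed by the wildcard entry, 198.51.100.5 allowed by the jump-host entry, and the other two denied. Running an allow-list through validate_client_entry before saving it catches the `*.example.com` mistake the page warns about, which otherwise silently admits nobody.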
Administrator Security Settings
In the page, you can configure session and login parameters for Device administrators.
To configure Administrator Security parameters:
- Set the value.
- In the section, enable and set the .
- Set the .
- Click .
Product Configuration
Use these pages to configure the installed Check Point products on the SecurePlatform machine.
Security Management Administrator
The page lists the configured administrators. If no Security Management administrator has been configured, you can add one. This Security Management Administrator has Read/Write Permissions to Security Management and is allowed to manage the Security Gateway objects and Administrator accounts.
Only one administrator can be added to this list. To add more administrators, use SmartDashboard.
To delete a Security Management Administrator:
Select the specific Security Management Administrator checkbox and click .
To add the first administrator:
- In the page, enter an and a .
- Confirm the password.
- Click .
Security Management GUI Clients
The Security Management GUI Clients page specifies the remote computers from which administrators will be allowed to connect to the Security Management Server. It lists the type, hostname/IP address and netmask of the configured GUI Clients, and enables you to add additional GUI Clients or to remove them.
To delete a GUI Client:
Select the checkbox and click .
To add a new GUI client:
- Click . The page opens.
- Enter either a Hostname or an IP address and netmask.
The Hostname can also contain a Wildcard, an IP address range, or the word 'any', which enables a connection from any GUI Client.
- Click .
Certificate Authority
The page lists key parameters of the Security Management Certificate Authority. The certificate authority is the entity that issues certificates for the Security Management Server, Security Gateways, users and other trusted entities such as OPSEC applications used in the system.
To create a new root certificate for the CA, click . Creating a new root invalidates every certificate this CA has issued, including the SIC certificates of managed gateways, so trust with those components must be re-established afterwards.
Download SmartConsole Applications
From this window you can download the SmartConsole applications package from the Device.
Configuring a Security Policy requires SmartConsole. Use the SmartConsole applications to connect to the Security Management Server and manage your Check Point Security Gateways.
If you already have SmartConsole installed, verify that you have the proper version. If you wish to obtain the proper version, click .
Licenses
Use the page to apply a license for the products that you have installed.
To apply a license:
- Click the link to obtain a license from the User Center, if you do not yet have the required license.
- Click .
- Enter the , , , and ; or copy the license string into the clipboard, and click to copy all the information into the fields.
- Click .
Note - The recommended way of applying licenses is by using SmartUpdate.
Installed Products
Use this page to see which products and versions are installed on the Device.
Performance Optimization
In this page you can download the Performance Optimization Guide which describes how to optimize the performance of Security Gateway for version R70 and later versions. The document also provides an overview of some of the firewall technologies in order to provide a basic understanding of how to configure the gateway parameters to best optimize network performance.
Click to get this document.