
Configuration Using the Web Interface

In This Section:

First Time Setup Using the Web Interface

Connecting to the Web Interface

Status

Network

Device

Product Configuration

SecurePlatform enables easy configuration of the computer, its networking setup, and the Check Point products installed on it.

This section describes the SecurePlatform Web Interface (also known as WebUI). Most of the common operations can be done by using the Web Interface on the SecurePlatform Administration Portal.

Note - The Web Interface is not accessible in the FIPS 140-2 compliant mode.

First Time Setup Using the Web Interface

After the installation from the DVD is completed, and the computer has been rebooted, a first time setup using the First-Time Configuration Wizard is required in order to:

  • Configure the network settings
  • Configure the time/date/time zone
  • Configure the allowed IPs of SSH and administration Web UI clients
  • Select which products will be installed
  • Set the initial configuration of installed products

These settings can also be configured after completing the first time setup, using the SecurePlatform Web Interface.

Connecting to the Web Interface

The initial configuration of SecurePlatform is performed using the First-Time Configuration Wizard. The SecurePlatform Web Interface lets you further configure SecurePlatform.

To connect to the SecurePlatform Administration Portal:

  1. Initiate a connection from a browser to the administration IP address:
    • For appliances - https://<IP_address>:4434.
    • For open servers - https://<IP_address>

    Note - Pop-ups must always be allowed on https://<IP_address>.

    The login page appears.

  2. Login with the system administrator login name/password and click Login.

    (To log out of the Web Interface, click Close, in the top right of the page.)

Changing the Settings of the SecurePlatform Portal

Configure the settings of the SecurePlatform administration portal in SmartDashboard from the properties of the gateway > SecurePlatform Settings. From there you can configure:

  • The primary URL of the SecurePlatform administration portal.
  • Aliases that automatically redirect to the administration portal.
  • A p12 certificate that the portal uses for authentication.
  • How the portal can be accessed.

Configure the settings on the page:

  • Main URL - The primary URL for the portal. You can use the same IP address for all of the portals, distinguished by the path:
    • SecurePlatform Web User Interface - https://<main gateway IP address>/admin
    • Mobile Access Portal - https://<main gateway IP address>/sslvpn
    • DLP Portal - https://<main gateway IP address>/dlp

    You may choose to have the Mobile Access portal on an external IP address while others are on an internal IP address.

    Note - The Main URL field must be manually updated if:

    • The Main URL field contains an IP address and not a DNS name.
    • You change a gateway's IPv4 address to IPv6 or vice versa.
  • IP Address - Enter the IP address for the portal.
  • Aliases - Click the Aliases button to add URL aliases that redirect to the main portal URL. An alias can be plain http:// and will redirect users to the secure portal over HTTPS. For example, portal.example.com can send users to the portal. For the alias to work, its name must resolve on your DNS server to the IP address of the main URL.
  • Certificate - Click Import to import a p12 certificate for the portal website to use. If you do not import a certificate, the portal uses a certificate auto-generated by Check Point. Browsers will show a warning for it, because they do not trust the certificate authority that issued it. All portals on the same IP address use the same certificate.
  • Accessibility - Click Edit to select from where the portal can be accessed. The options are based on the topology configured for the Security Gateway.

    The portal is accessible through these interfaces:

    • Through all interfaces
    • Through internal interfaces
      • Including undefined internal interfaces
      • Including DMZ internal interfaces
      • Including VPN encrypted interfaces
    • According to the Firewall policy - Select this if there is a rule that states who can access the portal.


Obtaining and Installing a Trusted Server Certificate

To be accepted by an endpoint computer without a warning, gateways must have a server certificate signed by a known certificate authority (such as Entrust, VeriSign or Thawte). This certificate can be issued directly to the gateway, or be a chained certificate that has a certification path to a trusted root certificate authority (CA).

The next sections describe how to get a certificate for a gateway that is signed by a known Certificate Authority (CA):

Related Topics

Generating the Certificate Signing Request

Generating the P12 File

Installing the Signed Certificate

Generating the Certificate Signing Request

First, generate a Certificate Signing Request (CSR). The CSR is for a server certificate, because the gateway acts as a server to the clients.

Note - This procedure creates private key files. If private key files with the same names already exist on the computer, they are overwritten without warning.

  1. From the gateway command line, log in to expert mode.
  2. Run:

    cpopenssl req -new -out <CSR file> -keyout <private key file> -config $CPDIR/conf/openssl.cnf

    This command generates a private key. You see this output:

    Generating a 2048 bit RSA private key
    .+++
    ...+++
    writing new private key to 'server1.key'
    Enter PEM pass phrase:

  3. Enter a password and confirm.

    Fill in the data.

    • The Common Name field is mandatory. This field must have the Fully Qualified Domain Name (FQDN) of the site that users access, for example portal.example.com. Current browsers match the host name against the Subject Alternative Name extension rather than the Common Name, so also ask the CA to include the same FQDN as a DNS Subject Alternative Name.
    • All other fields are optional.
  4. Send the CSR file to a trusted certificate authority. Make sure to request a Signed Certificate in PEM format. Keep the .key private key file.

Generating the P12 File

After you get the Signed Certificate for the gateway from the CA, generate a P12 file that has the Signed Certificate and the private key.

  1. Get the Signed Certificate for the gateway from the CA.

    If the signed certificate is in P12 or P7B format, convert these files to a PEM (Base64 encoded) formatted file with a CRT extension.

  2. Make sure that the CRT file has the full certificate chain up to a trusted root CA.

    Usually you get the certificate chain from the signing CA. Sometimes it is split into separate files. If the signed certificate and the trust chain are in separate files, use a text editor to combine them into one file. Make sure the server certificate is at the top of the CRT file, followed by the intermediate certificates.

  3. From the gateway command line, log in to expert mode.
  4. Use the *.crt file to install the certificate with the *.key file that you generated.
    1. Run:

      cpopenssl pkcs12 -export -out <output file> -in <signed cert chain file> -inkey <private key file>

      For example:
      cpopenssl pkcs12 -export -out server1.p12 -in server1.crt -inkey server1.key

    2. Enter the certificate password when prompted.
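The CSR, chain and P12 steps above, carried out end to end as an added example that is not part of the Check Point guide. It uses stock openssl with the same req and pkcs12 subcommands the page runs through cpopenssl, and signs the CSR with a throwaway root and intermediate CA generated on the spot so that the chain assembly and verification can run offline; with a commercial CA you skip make_test_ca and sign_csr and use the certificates the CA returns. The FQDN, the pass phrases, the file names and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not Check Point code: CSR -> signed chain -> P12 with stock
# openssl. A throwaway root + intermediate CA stands in for the commercial CA
# so the chain-order and trust checks can run offline. FQDN, pass phrases and
# file names are assumptions for the example.
set -eu

FQDN="${FQDN:-portal.example.com}"          # the Common Name users browse to
KEY_PASS="${KEY_PASS:-keypass-change-me}"   # PEM pass phrase for the private key
P12_PASS="${P12_PASS:-p12pass-change-me}"   # export password SmartDashboard asks for

# Step 1: CSR plus encrypted private key. The guide's bare `req -new` overwrites
# an existing key without warning, so refuse to clobber one here.
make_csr() {   # make_csr <key file> <csr file>
  key=$1; csr=$2
  if [ -e "$key" ]; then
    echo "refusing to overwrite existing private key $key" >&2
    return 1
  fi
  openssl req -new -newkey rsa:2048 -keyout "$key" -out "$csr" \
    -passout "pass:$KEY_PASS" -subj "/CN=$FQDN" 2>/dev/null
  chmod 600 "$key"
}

# Stand-in for the CA: a self-signed root, then an intermediate signed by it.
make_test_ca() {   # make_test_ca <work dir>
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj "/CN=Example Test Root CA" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" -out "$d/inter.csr" \
    -subj "/CN=Example Test Issuing CA" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
}

# What the CA does with the CSR: issue a server certificate that carries the
# FQDN as a DNS subjectAltName as well as in the CN.
sign_csr() {   # sign_csr <work dir> <csr> <out cert>
  d=$1; csr=$2; crt=$3
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$FQDN" > "$d/server.ext"
  openssl x509 -req -in "$csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 365 -extfile "$d/server.ext" -out "$crt" 2>/dev/null
}

# Step 2: one PEM file, server certificate first, then the intermediate(s).
build_chain() {   # build_chain <out> <server crt> <intermediate crt>...
  out=$1; shift
  cat "$@" > "$out"
}

# Step 3: check the order and the trust path. `openssl x509` reads only the
# first PEM block, so the subject it prints is what the portal will present.
verify_chain() {   # verify_chain <chain file> <root crt> <intermediate crt>
  chain=$1; root=$2; inter=$3
  openssl x509 -in "$chain" -noout -subject | grep -q "CN *= *$FQDN" || return 1
  openssl verify -CAfile "$root" -untrusted "$inter" "$chain" >/dev/null 2>&1
}

# Step 4: key + chain -> the P12 that SmartDashboard imports.
make_p12() {   # make_p12 <out p12> <chain file> <key file>
  openssl pkcs12 -export -out "$1" -in "$2" -inkey "$3" \
    -passin "pass:$KEY_PASS" -passout "pass:$P12_PASS"
}

# Certificates inside the P12; leaf plus intermediate should give 2.
p12_cert_count() {   # p12_cert_count <p12>
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Run the whole procedure in a scratch directory and print its path.
demo() {
  w=$(mktemp -d)
  make_csr "$w/server1.key" "$w/server1.csr"
  make_test_ca "$w"
  sign_csr "$w" "$w/server1.csr" "$w/server1.crt"
  build_chain "$w/server1-chain.crt" "$w/server1.crt" "$w/inter.crt"
  verify_chain "$w/server1-chain.crt" "$w/root.crt" "$w/inter.crt"
  make_p12 "$w/server1.p12" "$w/server1-chain.crt" "$w/server1.key"
  echo "$w"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it as `sh cert-chain.sh run` to get a directory containing server1.key, server1-chain.crt and server1.p12. The order check in verify_chain is the one that catches the most common mistake from step 2: an intermediate pasted above the server certificate passes a casual look but makes the portal present the wrong certificate.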

Installing the Signed Certificate

Install the third-party signed certificate to create trust between the portal (for example, the Mobile Access Software Blade) and the clients.

All portals on the same IP address use the same certificate. Define the IP address of the portal in the Portal Settings page for the blade/feature.

  1. Import the new certificate to the gateway in SmartDashboard from a page that contains the Portal Settings for that blade/feature. For example:
    • Gateway Properties > Mobile Access > Portal Settings
    • Gateway Properties > Platform Portal
    • Gateway Properties > Data Loss Prevention
    • Gateway Properties > Identity Awareness > Browser-Based Authentication > Settings > Access Settings

    In the Certificate section, click Import or Replace.

  2. Install the policy on the gateway.

Note - The Repository of Certificates on the IPsec VPN page of the SmartDashboard gateway object is only for self-signed certificates. It does not affect the certificate installed manually using this procedure.

Viewing the Certificate

To see the new certificate from a Web browser:

The Security Gateway uses the certificate when you connect with a browser to the portal. To see the certificate when you connect to the portal, click the lock icon that is next to the address bar in most browsers.

The certificate that users see depends on the actual IP address that they use to access the portal, not only on the IP address configured for the portal in SmartDashboard.

To see the new certificate from SmartDashboard:

From a page that contains the portal settings for that blade/feature, click View in the Certificate section.

Status

Use the Status page to view device and network information about the SecurePlatform machine.

Device Status

This provides a summary of the device status, and displays information such as the machine Host Name, Version and Build, and Installation Type.

Network

Use these pages to configure the network interfaces, routing table, DNS and Host Name.

Network Connections

This page enables you to edit the properties of existing network connections (for example, xDSL connections using PPPoE or PPTP) and to add interfaces of the following types:

  • VLAN
  • Secondary IP
  • PPPoE
  • PPTP
  • Bond
  • Bridge
  • ISDN
  • Loopback

The Network Connections table displays all available network connections.

To configure network connections:

  • To edit the properties of an interface, click the Name of the interface.
  • To delete a connection, select the connection checkbox and click Delete.

Note -

  • Loopback and Ethernet connections cannot be deleted.
  • When a Bridge or Bond is deleted, interfaces allocated for the specific connection are released.
  • To disable a connection without deleting it, select the checkbox and click Disable.
  • To configure a connection to work without an IP address, click Remove IP.
  • To add a connection, click New and select the connection type from the drop-down list.
  • If the connections were changed while on this page, click Refresh.

Routing Table

This page enables you to manage the routing table on your device. You can add or delete static and default routes.

Note -

  • You cannot edit an existing route. To modify a specific route, delete it and create a new route in its place.
  • Be careful not to delete a route that allows you to connect to the device.

To delete a route:

Select the checkbox of the specific route and click Delete.

To add a new static route:

  1. On the Routing Table page, click New and select Route. The Add New Route page appears.
  2. Supply the:
    • Destination IP Address
    • Destination Netmask
    • Interface (from the drop-down box)
    • Security Gateway
    • Metric
  3. Click Apply.

To add a default route:

  1. On the Routing Table page, click New and select Default Route. The Add Default Route page appears.
  2. Supply the following:
    • Security Gateway
    • Metric
  3. Click Apply.

DNS Servers

In the DNS Servers page, you can define up to three DNS servers.

Note - Changes in the DNS configuration will take effect only after restarting the device services. To restart device services, use the Device Control page.

Host and Domain Name

In the Host and Domain Name page:

  1. Supply a Hostname.
  2. Supply a Domain Name.
  3. Select a Management Interface from the drop-down box. The Hostname will be associated with the IP of this interface.

Local Hosts Configuration

This page enables you to configure local host name resolution (static host entries on the device).

Note - Host entries cannot be edited. They must be deleted and recreated. The entry for the local machine is automatically generated, based on the Domain configuration information.

To add a Host:

  1. Click New. The Add Host page is displayed.
  2. Supply a Hostname.
  3. Supply a Host IP Address.
  4. Click Apply.

To delete a Host:

  • Select the checkbox of the entry and click Delete.

Device

Use these pages to configure the SecurePlatform machine.

Device Control

This page provides diagnostics information about all the processes that are running on the machine. For each Process, the User, PID, Parent PID, %CPU, % Memory and Command are displayed. You can use the Device Control drop-down list to Start, Restart, or Stop all of the Check Point products. In addition, you can shut down the device, reboot it, or download a diagnostic file (cpinfo output) useful for support.

To refresh the information displayed in the page click Refresh.

Device Date and Time Setup

This page allows you to define the Device date and time, optionally using NTP.

Manual Device date and time configuration

Enter the current Date and Time, and set the Time Zone. The date must be in the format dd-Mon-yyyy (for example, 31-Dec-2003). The time must be in the format HH:mm (for example, 23:30).

Use Network Time Protocol (NTP) to synchronize the clock

NTP is used to synchronize clocks of computers on the network.

If the Primary NTP Server fails to respond, the Secondary NTP Server will be queried.

The Shared Secret field is optional. It is the key for NTP symmetric authentication; without it, the time updates received from the server are not authenticated.

Click Apply to set the date and time.

Backup

This page allows you to configure backup settings.

You can choose to configure a scheduled backup, or you can choose to perform an immediate backup operation. The backup data can be stored on your desktop computer, locally (on the device), on a TFTP Server, an SCP Server or an FTP Server.

Note - If you use a stock TFTP server on Unix/Linux, you must create a world-writable file with the same name as the proposed backup file before executing the backup. Otherwise, the backup will not succeed. Refer to your TFTP server manual, or to the TFTP protocol itself, and verify that the way the utility is used is compliant with your environment. TFTP has no authentication and transfers the backup in clear text, so prefer SCP wherever the network between the device and the backup server is not fully trusted.

The SecurePlatform backup mechanism enables exporting snapshots of the user configurable configuration. Exported configurations can later be imported in order to restore a previous state in case of failure.

Two common use cases for backup are:

  • When the current configuration stops working, a previous exported configuration may be used in order to revert to a previous system state.
  • Upgrading to a new SecurePlatform version. The procedure would include:
    • Backing up the configuration of the current version
    • Installing the new version

To make a backup now, click the Backup now link.

To configure a backup schedule, click Scheduled backup.

The Backup page displays the Current device date and time. This may be different than the browser machine time.

To restore the backup, run the restore shell command from the device.

Information Backed Up

The information backed up includes:

  • All settings performed by the Admin GUI
  • Network configuration data

Viewing the Scheduling Status

The following information is displayed:

  • Status: Scheduled backup is enabled or disabled.
  • Backup to: The backup destination which can be one of the following: your desktop computer, locally (on the device), on a TFTP Server or a SCP Server.
  • Start at: The time to start the backup. The current device date and time is displayed, which may be different than the browser machine time
  • Recur every: recurrence interval.

Restoring the Backup

Description

To restore the backup, run the restore shell command from the device. When the restore command is executed by itself, without any additional flags, a menu of options is displayed. The options in the menu provide the same functionality as the command line flags of the restore command.

Syntax

restore [-h] [-d][[--tftp <ServerIP> <Filename>] |
[--scp <ServerIP> <Username> <Password> <Filename>] |
[--file <Filename>]] 

Parameters

  • -h - Obtain usage.
  • -d - Debug flag.
  • --tftp <ServerIP> [<Filename>] - IP address of the TFTP server from which the configuration is restored, and the filename.
  • --scp <ServerIP> <Username> <Password> [<Filename>] - IP address of the SCP server from which the configuration is restored, the username and password used to access the SCP server, and the filename.
  • --file <Filename> - Filename for a restore operation performed locally.

Note - With --scp the password is passed on the command line, so it is visible in the process list while the command runs and is kept in the shell history. Where possible, run restore without flags and supply the password when the interactive menu prompts for it.

Example

When the restore command is executed by itself, without any additional flags, the following menu is displayed:

Output

Choose one of the following:
---------------------------------------------------
[L]     Restore local backup package
[T]     Restore backup package from TFTP server
[S]     Restore backup package from SCP server
[R]     Remove local backup package
[Q]     Quit
---------------------------------------------------

Scheduling a Backup

To schedule a backup:

  1. On the Backup page, click Scheduled backup. The Scheduled backup page appears.
  2. Select Enable backup recurrence.
  3. Set up the backup schedule.
  4. Select a device to hold the backup. The options include the current SecurePlatform, a TFTP server (Trivial File Transfer Protocol, a minimal UDP file transfer protocol with no directory listing and no authentication), or an SCP server (Secure Copy, file transfer over an SSH connection, so the backup is authenticated and encrypted in transit).
  5. Click Apply.

To execute a backup:

  • Click Backup now.

Viewing the Backup Log

To view the backup log:

Click View backup log. The backup log page appears. It shows the Device Date and Time, Location (the device to which the backup has been sent), Location IP Address, Backup Status and Details.

Upgrade

To upgrade the device:

  1. Download an upgrade package, as directed. If you already downloaded the file, you can skip this step.
  2. Browse to the upgrade package file.
  3. Click Upload package to device.
  4. When you have finished uploading the package, you can click the Package currently found on device link to see detailed information about the package, including version information and the MD5 checksum of the package. Compare this checksum with the one published by Check Point for the package to confirm that the upload is intact. MD5 is no longer collision resistant, so a match confirms the integrity of the transfer rather than proving the authenticity of the package.
  5. Click Start Upgrade.

    The Upgrade Status pane provides information such as Action, Start Time, Status and Details.

Device Administrators

Use this page to see the Device administrators, create or delete the Device administrator, and download a One Time Login Key.

To create an administrator:

  1. On the Device Administrators page, click New. The Add Administrators page appears.
  2. For Check Point appliances only: It is recommended to select Secure Password Scheme, so that the password strength is validated when an administrator is created.
  3. Provide a name and a password for the Device administrator.
  4. Click Apply.

To download a One Time Login Key:

  1. Click Download.

    The Login Key Challenge page is displayed.

  2. Supply a challenge-question and answer to protect your Login Key from unauthorized usage.
  3. Click OK.

    Note - The One Time Login Key will be required in case you forget your password. Save this file in a safe place.

Web and SSH Clients

In the Web/SSH Clients page, a list of configured client IPs is displayed. Only the configured client IPs are permitted to access SecurePlatform and SSH services. You can add or remove a Web/SSH client.

To remove a Web/SSH client:

Select the specific Web/SSH client checkbox and click Remove.

To add a Web/SSH client:

  1. In the Web/SSH Clients page, click Add. The Add Web/SSH Client page is displayed.
  2. Define the host with any of the following list of options:
    • IP address
    • Resolvable name (resolved locally, not by DNS)
    • "Any" - Enables a connection from any Web/SSH Client.
    • Wildcards - Use in IP format only (Right: 192.0.2.* Wrong: *.example.com).
  3. Click Apply.

Administrator Security Settings

In the Administrator Security page, you can configure session and login parameters for Device administrators.

To configure Administrator Security parameters:

  1. Set the Administrator Session Timeout value.
  2. In the Administrator Login Restrictions section, enable and set the Lock Administrator account after <x> login failures.
  3. Set the Unlock Administrator account after <y> minutes.
  4. Click Apply.

Product Configuration

Use these pages to configure the installed Check Point products on the SecurePlatform machine.

Security Management Administrator

The Security Management Administrators page lists the configured administrators. If no Security Management administrator has been configured, you can add one. This Security Management Administrator has Read/Write Permissions to Security Management and is allowed to manage the Security Gateway objects and Administrator accounts.

Only one administrator can be added to this list. To add more administrators, use SmartDashboard.

To delete a Security Management Administrator:

Select the specific Security Management Administrator checkbox and click Remove.

To add the first administrator:

  1. In the Add Security Management Administrator page, enter an Administrator Name and a New Password.
  2. Confirm the password.
  3. Click Apply.

Security Management GUI Clients

The Security Management GUI Clients page specifies the remote computers from which administrators will be allowed to connect to the Security Management Server. It lists the type, hostname/IP address and netmask of the configured GUI Clients, and enables you to add additional GUI Clients or to remove them.

To delete a GUI Client:

Select the checkbox and click Remove.

To add a new GUI client:

  1. Click Add. The Add GUI Client page opens.
  2. Enter either a Hostname/IP address, or a Network.

    The Hostname can also contain a Wildcard, an IP address range, or the word 'any', which enables a connection from any GUI Client.

  3. Click Apply.
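The host specifications accepted on the Web/SSH Clients page and on the Security Management GUI Clients page follow the same rules: "Any", an exact IP address, wildcards in IP format only (192.0.2.* but never *.example.com), and, for GUI clients, an IP address range or a network. The matcher below is an added example, not Check Point code, that applies those rules to a candidate source address so the behaviour of a given entry can be tested before it is saved. Resolvable names are left out on purpose, since the page says they are resolved locally rather than by DNS. The function names, the exit-code convention, and the two network syntaxes (addr/prefix and addr/netmask) are assumptions for the example.

```shell
#!/bin/sh
# Added example, not Check Point code: checks a candidate source address against
# the host specifications the Web/SSH Clients and GUI Clients pages accept:
# "Any", an exact IP, an IP-format wildcard (192.0.2.*, never *.example.com),
# an inclusive range (first-last) and a network (addr/prefix or addr/netmask).
# Resolvable names are left out: the page says they are resolved locally, not by
# DNS. Function names, exit codes and the range/network syntaxes are assumptions.
set -f   # no pathname expansion: specs contain '*'

# is_ipv4 <addr>: four dotted decimal octets, each 0..255.
is_ipv4() {
  oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# ip2int <addr>: dotted quad to a 32-bit integer, for range and network tests.
ip2int() {
  oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask2int <mask>: "24" or "255.255.255.0" to an integer mask.
mask2int() {
  case $1 in
    *.*) ip2int "$1" ;;
    0)   echo 0 ;;
    *)   echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
  esac
}

# client_allowed <source ip> <spec>
# exit 0: allowed; 1: not allowed; 2: the spec itself is not valid.
client_allowed() {
  ip=$1; spec=$2
  is_ipv4 "$ip" || return 1
  case $spec in
    [Aa][Nn][Yy])              # "Any": every source; only the Firewall policy limits it
      return 0 ;;
    *\**)                      # wildcard: IP format only (digits, dots, stars)
      case $spec in *[!0-9.*]*) return 2 ;; esac
      case $ip in $spec) return 0 ;; *) return 1 ;; esac ;;
    *-*)                       # inclusive range first-last
      first=${spec%-*}; last=${spec#*-}
      is_ipv4 "$first" && is_ipv4 "$last" || return 2
      n=$(ip2int "$ip")
      [ "$n" -ge "$(ip2int "$first")" ] && [ "$n" -le "$(ip2int "$last")" ] ;;
    */*)                       # network: addr/prefix or addr/netmask
      net=${spec%/*}; mask=${spec#*/}
      is_ipv4 "$net" || return 2
      case $mask in
        *.*)         is_ipv4 "$mask" || return 2 ;;
        ''|*[!0-9]*) return 2 ;;
        *)           [ "$mask" -le 32 ] || return 2 ;;
      esac
      m=$(mask2int "$mask")
      [ $(( $(ip2int "$ip") & m )) -eq $(( $(ip2int "$net") & m )) ] ;;
    *)                         # exact address (names are not handled here)
      is_ipv4 "$spec" || return 2
      [ "$ip" = "$spec" ] ;;
  esac
}
```

Typical use is `client_allowed 192.0.2.44 '192.0.2.*' && echo allowed`. An entry that comes back with exit status 2, such as a name wildcard, is one the page says the device will not accept, and an entry of Any returns 0 for every well-formed address, which is why the page's own text points you at the Firewall policy to constrain it.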

Certificate Authority

The Certificate Authority page lists key parameters of the Security Management Certificate Authority. The certificate authority is the entity that issues certificates for the Security Management Server, Security Gateways, users and other trusted entities such as OPSEC applications used in the system.

To create a new root certificate for the CA, click Reset. Resetting the CA invalidates every certificate it has issued, including the SIC certificates of the managed Security Gateways, so trust with each gateway has to be re-established afterwards.

Download SmartConsole Applications

From this window you can download the SmartConsole applications package from the Device.

Configuring a Security Policy requires SmartConsole. Use the SmartConsole applications to connect to the Security Management Server and manage your Check Point Security Gateways.

If you already have SmartConsole installed, verify that you have the proper version. If you wish to obtain the proper version, click Start Download.

Licenses

Use the Licenses page to apply a license for the products that you have installed.

To apply a license:

  1. Click the Check Point User Center link to obtain a license from the User Center, if you do not yet have the required license.
  2. Click New.
  3. Enter the IP Address, Expiration Date, SKU/Features, and Signature Key; or copy the license string into the clipboard, and click Paste License to copy all the information into the fields.
  4. Click Apply.

    Note - The recommended way of applying licenses is by using SmartUpdate.

Installed Products

Use this page to see which products and versions are installed on the Device.

Performance Optimization

In this page you can download the Performance Optimization Guide which describes how to optimize the performance of Security Gateway for version R70 and later versions. The document also provides an overview of some of the firewall technologies in order to provide a basic understanding of how to configure the gateway parameters to best optimize network performance.

Click Start Download to get this document.

©2014 Check Point Software Technologies Ltd. All rights reserved.