Network Objects

Introduction to Objects

Network Objects are created in order to represent actual physical machines and components such as gateway, servers, as well as logical components such as IP Address Ranges and Dynamic Objects.

Objects are created and managed by the system administrator via SmartDashboard.

All objects are managed using SmartDashboard; therefore, it is recommended that the objects database must not be accessed or edited directly. In this appendix you will find general information about network objects, including configuration specifications, where necessary.

The Objects Creation Workflow

1. Objects created by the system administrator, are automatically stored in the objects database on the Security Management server in $FWDIR/conf/objects_5_0.c.
2. When the Security Policy is installed on the Security Gateway, Security Management server computes the objects.c file for the Security Gateway. This file is computed and derived from the objects_5_0.c file.
3. Security Management server downloads the objects.c file to the Security Gateway.
4. When a policy is installed, all changes made to objects are applied and saved. These changes are also registered in the objects database which is automatically updated.

Viewing and Managing Objects

When an object is created it is allocated an iconic representation that can be viewed and applied from any of the following locations:

• Objects Tree is the Objects manager from which objects are created, viewed and managed. To make sure that all network objects folders are displayed, right-click on the Network Objects root, and uncheck Do not show empty folders.
• Objects List is the view from which detailed information about specific objects categories is displayed (such as all the available networks).
• Rule Base is the view in which objects are implemented and applied to the rules which make up the Security Policy.
• SmartMap is the view in which the objects implemented in the Rule Base are displayed in a graphical representation.

Network Objects

Check Point Objects

Security Gateways

A Security Gateway object is a gateway with more than one interface on which Check Point Software Blades are installed. At least a firewall blade is installed, although other Check Point Software Blade such as QoS or Monitoring may also be installed). This gateway sits on the network that serves as an entry point to the LAN and is managed by the Security Management server. A Security Gateway is characterized as follows:

• it has one or more Software Blades installed
• where the IPSec VPN blade is installed, it requires a VPN license
• it is a routing mechanism that is capable of IP forwarding
• since it has more than one interface it can be used in order to implement anti-spoofing.

If the Security Gateway that you defined does not need to perform IP forwarding or anti-spoofing, you can convert it to a Check Point host.

Configuring a Security Gateway Object

This procedure includes the basic steps for defining a Security Gateway object in SmartDashboard. You can find detailed procedures for Software Blade and feature configuration in the applicable Administration Guide. You can find explanations for fields and options in the Online Help for each window.

To configure a Security Gateway object:

1. In SmartDashboard, right-click Network Objects and select Security Gateway/Management.
2. Select Wizard Mode.
3. On the General Properties page, enter the Security Gateway name.

   This name must match the host name defined in the Security Gateway computer operating system.

4. Select the Security Gateway platform from the list.

   If you select a Check Point appliance or Open Server, you must manually select the installed operating system later.

5. Enter the IPv4 and IPv6 addresses or select Dynamic IP Address.

   Dynamic address can be assigned for IPv4 and/or IPv6.

6. On the Secure Internal Communication page, enter the One-time password that you defined during the Security Gateway installation.
7. On the Installation Wizard Completion page, select Edit Gateway properties and then click Finish.
8. On the Check Point Gateway - General Properties page, select the operating system from the OS list.
9. Select the installed Software Blades from the Network Security and Management tabs.

Converting a Security Gateway into a Check Point host

You can convert a Security Gateway to a Check Point host by right-clicking the Security Gateway in the Objects Tree and selecting Convert to Host.

UTM-1 Edge Gateway

A UTM-1 Edge gateway object is a network object that represents a UTM-1 Edge gateway. This gateway sits on the network and can be managed by the Security Management server or by an external management server.

Defining UTM-1 Edge Gateway Objects

1. In the Network Objects tab of the Objects Tree, create a new UTM-1 Edge gateway.
2. Configure the general settings of the window, including its name and IP address (whether static or dynamic) and version information.
3. To define the UTM-1 Edge gateway as a member of a VPN community, select the VPN Enabled check box and select the VPN Community type (whether Site to Site or Remote Access).

Check Point Host

A Check Point host is a host with only one interface, on which Check Point software has been installed, and which is managed by the Security Management server.

A Check Point host is characterized as follows:

• It has one or more Check Point Software Blades installed.
• It is not a routing mechanism and is not capable of IP forwarding.
• Since it only has one interface, its topology cannot be modified and therefore it cannot be used to implement Anti-spoofing.
• It requires a SecureServer license and not a VPN license.

If you have defined a Check Point host and you are trying to use it to perform IP forwarding or anti-spoofing, you must convert it to a Security Gateway.

Converting a Check Point host into a Security Gateway

You can convert a Check Point host to a Security Gateway by right-clicking the Check Point host in the Objects Tree and selecting Convert to Gateway.

Gateway Cluster

A gateway cluster is a group of Security Gateway machines on which Check Point software has been installed which have been configured to provide failover services using ClusterXL or another Cluster solution.

Converting a Cluster Member into a Security Gateway

You can detach a Cluster member from a gateway cluster and convert it into a Security Gateway:

1. Right-click on a Cluster object in the Objects Tree or List and select Detach Cluster Members.
2. Select the member from the displayed window and click Detach.
3. Ignore the warning in order to complete the conversion.

   The Gateway Properties window of the converted cluster member opens.

4. Click OK to finalize the conversion.

Externally Managed Gateways/Hosts

An Externally Managed Security Gateway or a Host is a gateway or a Host which has Check Point software installed on it. This Externally Managed gateway is managed by an external Security Management server. While it does not receive the Check Point Security Policy, it can participate in Check Point VPN communities and solutions.

Nodes

A node can represent any network entity. The two most common uses of this object are to create non-Check Point Security Gateways and Hosts.

• A gateway node is a gateway which does not have Check Point software installed.
• A host node is a host which does not have Check Point software installed.

Converting Nodes

• Gateway Nodes can be converted to Host Nodes and vice versa. Right-click on the specified Node in the Objects Tree and selecting Convert to Host or Gateway.
• Gateway Nodes can be converted to Security Gateways. Right-click on the gateway Node in the Objects Tree and select Convert to Check Point Gateway.
• Host Nodes can be converted to Check Point hosts. Right-click on the specified Host Node in the Objects Tree and select Convert to Check Point Host.

Interoperable Device

An Interoperable Device is a device which has no Check Point Software Blades installed. This device is managed by any Management Server, including Security Management server, although it cannot receive the Check Point Security Policy, and it can participate in Check Point VPN communities and solutions.

Networks

A Network is a group of IP addresses defined by a network address and a net mask. The net mask indicates the size of the network.

A Broadcast IP address is an IP address which is destined for all hosts on the specified network. If this address is included, the Broadcast IP address will be considered as part of the network.

Domains

This object defines a DNS domain name.

The format of the domain name is .x.y, where each section of the domain name is demarcated by a period. For instance .mysite.com or .mysite.co.uk. The domain name that is specified must be an actual domain name in order that it can be resolved to a valid IP address. The first time that a domain name is resolved by the Security Gateway, a brief delay may occur. Once the domain name has been resolved it is entered into the cache, and no further delays will take place on any subsequent access attempts. On account of the initial delays which may occur for each new domain name, the rules that contain Domain objects in their Source or Destination should be placed towards the end of the Rule Base.

Groups

A network objects group is a collection of hosts, gateways, networks or other groups.

Groups are used in cases where you cannot work with single objects, e.g. when working with VPN domains or with topology definitions.

In addition, groups can greatly facilitate and simplify network management, since they allow you to perform operations only once instead of repeating them for every group member.

The Group Properties window lists the network objects included from the group versus those excluded from the group. To configure the group, move objects between the lists as needed.

To include an unlisted network object in the group, create it now by clicking New.

This window shows collapsed sub-groups, without listing their members. For a list of all group members (including the sub-groups' members), click View Expanded Group.

Open Security Extension (OSE) Devices

Overview to OSE Devices

The Open Security Extension features enable Check Point to manage third-party open security extension devices (OSE). The number of managed devices depends on your license. Devices include hardware and software packet filters. Check Point also supports hardware security devices which provide routing and additional security features, such as Network Address Translation and Authentication. Security devices are managed in the Security Policy as Embedded Devices. The Security Management server generates Access Lists from the Security Policy and downloads them to selected routers and open security device. Check Point supports these devices:

OSE Device	Supported Versions
Cisco Systems	9.x, 10.x, 11.x, 12.x
Nortel	13.x, 14.x

When working with a Cisco Router (that is, OSE object), the Rule Base should not contain one of the following. If one of the following is included in the Rule Base, the Security Management server will fail to generate Access Lists from the rules.

• Drop (in the Action column)
• Encrypt (Action)
• Alert (Action)
• RPC (Service)
• <??AH>(Service)
• ACE (Service)
• Authentication Rules
• Negate Cell

OSE Device Properties Window — General Tab

• Name — The name of the OSE device, as it appears in the system database on the server.
• IP Address — The device's IP address.
• Get Address — Click this button to resolve the name to an address.
• Comment — Text to show on the bottom of the Network Object window when this object is selected.
• Color — Select a color from the drop-down list. The OSE device will be represented in the selected color in SmartConsole, for easier tracking and management.
• Type — Select from the list of supported vendors.

OSE Device Properties Window — Topology Tab

To add an interface, click New. The Interface Properties window opens.

Interface Properties > General:

• Name — Name of the network interface as specified in the router's interface configuration scheme. This name does not include a trailing number.
• IP Address — The IP address of the device.
• Net Mask — The net mask of the device.

Defining Router Anti-Spoofing Properties

You can define anti-spoofing parameters when installing Access Lists on Cisco routers (version 10.x and higher).

To implement anti-spoofing on Cisco routers:

1. In the Interfaces Properties window, define the Valid Addresses for the router.
2. In the General tab, define the 3rd-party properties of the router.
3. Repeat for each Cisco router.

Note - Only external interfaces log spoofing attempts.

OSE - Setup

For Cisco (Version 10.x and higher) and Nortel OSE devices, you must specify the direction of the filter rules generated from anti-spoofing parameters. The direction of enforcement is specified in the Setup tab of each router.

For Cisco routers, the direction of enforcement is defined by the Spoof Rules Interface Direction property.

Access List No — The number of Cisco access lists enforced. Cisco routers Version 12x and below support an ACL number range from 101-200. Cisco routers Version 12x and above support an ACL range number from 101-200 and also an ACL number range from 2000-2699. Inputting this ACL number range enables the support of more interfaces.

For each credential, select an option:

• None — Credential is not needed.
• Known — The administrator must enter the credentials.
• Prompt — The administrator will be prompted for the credentials.

Username — The name required to logon to the OSE device.

Password — The Administrator password (Read only) as defined on the router.

Enable Username — The user name required to install Access Lists.

Enable Password — The password required to install Access Lists.

Version — The Cisco OSE device version (9.x, 10.x, 11.x, 12.x).

OSE Device Interface Direction — Installed rules are enforced on data packets traveling in this direction on all interfaces.

Spoof Rules Interface Direction — The spoof tracking rules are enforced on data packets traveling in this direction on all interfaces.

Logical Servers

A Logical Server is a group of machines that provides the same services. The workload of this group is distributed between all its members.

When a Server group is stipulated in the Servers group field, the client is bound to this physical server. In Persistent server mode the client and the physical server are bound for the duration of the session.

• Persistency by Service — once a client is connected to a physical server for a specified service, subsequent connection to the same Logical Server and the same service will be redirected to the same physical server for the duration of the session.
• Persistency by Server — once a client is connected to a physical server, subsequent connections to the same Logical Server (for any service) will be redirected to the same physical server for the duration of the session.

Balance Method

The load balancing algorithm stipulates how the traffic is balanced between the servers. There are several types of balancing methods:

• Server Load — The Security Gateway determines which Security Management server is best equipped to handle the new connection.
• Round Trip Time — On the basis of the shortest round trip time between Security Gateway and the servers, executed by a simple ping, the Security Gateway determines which Security Management server is best equipped to handle the new connection.
• Round Robin — the new connection is assigned to the first available server.
• Random — the new connection is assigned to a server at random.
• Domain — the new connection is assigned to a server based on domain names.

Address Ranges

An Address Range object stipulates the range of IP addresses used in the network from the first to the last IP address.

This object is used when the networks themselves do not have IP address-net mask alignment, so an Address Range is necessary for the implementation of:

• NAT, and
• VPN

Dynamic Objects

A dynamic object is a "logical" object where the IP address will be resolved differently per Security Gateway using the dynamic_objects command.

The following are the predefined Dynamic Objects:

• LocalMachine-all-interfaces – The DAIP machine interfaces (static and dynamic) are resolved into this object.
• LocalMachine – The external interface (dynamic) of the ROBO gateway (as declared in cpconfig when configuring the ROBO gateway).
• InternalNet – The internal interface of the ROBO gateway (as declared in cpconfig when configuring the ROBO gateway).
• AuxiliaryNet – The auxiliary interface of the ROBO gateway (as declared in cpconfig when configuring the ROBO gateway).
• DMZNet – The DMZ interface of the ROBO gateway (as declared in cpconfig when configuring the ROBO gateway).

For more information see the R77 Command Line Interface Reference Guide.

VoIP Domains

There are five types of VoIP Domain objects:

• VoIP Domain SIP Proxy
• VoIP Domain H.323 Gatekeeper
• VoIP Domain H.323 Gateway
• VoIP Domain MGCP Call Agent
• VoIP Domain SCCP CallManager

In many VoIP networks, the control signals follow a different route through the network than the media. This is the case when the call is managed by a signal routing device. Signal routing is done in SIP by the Redirect Server, Registrar, and/or Proxy. In SIP, signal routing is done by the Gatekeeper and/or gateway.

Enforcing signal routing locations is an important aspect of VoIP security. It is possible to specify the endpoints that the signal routing device is allowed to manage. This set of locations is called a VoIP Domain. For more information refer to R77 Command Line Interface Reference Guide.