Management Portal

In This Section:

Overview of Management Portal

Management Portal enables web-based administration and troubleshooting of the Security Management server. The Management Portal product is included on the release DVD.

The product can be deployed on a dedicated server, or alongside the Security Management server. SSL encrypted connections are used to access the Management Portal web interface. Administrative access can be limited to specific IP addresses. Dedicated administrator users can be limited to Management Portal access only.

Note - Management Portal does not support IPv6.

Deploying the Management Portal on a Dedicated Server

When deploying the Management Portal on a dedicated server, the following actions should be taken to successfully integrate the Management Portal Server with the Security Management server.

During the Management Portal installation you will be asked to choose a SIC (Secure Internal Communication) password that will be used to establish trust with the Security Management server.
On the Security Management server create a network object to represent the Management Portal server.
- Fill in the network objects properties.
- Select Management Portal from the Management tab of the Software Blades list.
Add access rules to allow administrative access to the Management Portal Server.
Create administrator users with Management Portal permissions if you want to restrict access to the Management Portal.
- Administrator users can be limited to Management Portal access only using a Permission profile. Create a Permission profile by selecting the Allow access via Management Portal only permission for the specific administrator.

Deploying the Management Portal on the Security Management

When deploying the Management Portal alongside the Security Management server, the following actions should be taken to successfully integrate the Management Portal component with the Security Management server.

Modify the Security Management server network object to include the Management Portal in its Software Blades list if the Management Portal was installed after the Security Management server. If the Management Portal and the Security Management server were installed from the same wrapper this step is unnecessary.
Add access rules to allow administrative access using TCP 4433 to the Security Management server itself.
Create administrator users with Management Portal permissions if you want to restrict access to the Management Portal.
- Administrator users can be limited to Management Portal access only using a Permission profile. Create a Permission profile by selecting the Allow access via Management Portal only permission for the specific administrator.

Management Portal Commands

smartportalstart: Starts Management Portal services.
smartportalstop: Stops Management Portal services.

Limiting Access to Specific IP Addresses

To allow only specific IP addresses or networks to access the Management Portal, stop the Management Portal and create the hosts.allow file under the Management Portal conf directory (in Windows: C:\program files\CheckPoint\<version>\SmartPortal\portal\conf and in Linux and SecurePlatform: /opt/CPportal-<version>/portal/conf). If the hosts.allow file is not in the Management Portal conf directory you should create it if it is required.

The file format is:

ALL: ALL (to allow all IPs)

ALL: x.x.x.x (to allow specific IPs)

ALL: x.x.x.x/y.y.y.y (to allow specific networks where x.x.x.x is the IP

address and y.y.y.y is the netmask)

Management Portal Configuration

The following Management Portal product properties can be modified by editing the cp_httpd_admin.conf conf file. This file can be found in the Management Portal conf directory.

Note - Any modifications to the cp_httpd_admin.conf file should be done after performing SmartPortalStop.

To change the web server port, modify the PORT attribute (default is TCP 4433).
To use HTTP instead of HTTPS set the SSL attribute to 0. It is not recommended to do this for security reasons and should only be used when troubleshooting.
To change the Web Server certificate modify the SERVCERT (the full path to the certificate) and CERTPWD (the certificate password) attributes.

Connecting to the Management Portal

To connect to the Management Portal:

Open one of the supported browsers and point it to:
https://<Security Management_server_ip>:4433
Authenticate, when requested.

Using the Management Portal

To use the Management Portal, when you connect to it, click the HELP button to display the Management Portal Online Help. The Online help explains the functionality of each window.

Troubleshooting Tools

These are the tools you can use to troubleshoot Management Portal.

Error logs

To see the web daemon (cpwmd) and the web server (cp_http_serve) errors, see the error log files. They are located in the Management Portal log directory:

On Windows computers - C:\program files\CheckPoint\<version>\SmartPortal\portal\log
On Solaris, Linux, and SecurePlatform computers - /opt/CPportal-<version>/portal/log

Web demon error log file: cpwmd.elg

Web server error log file: cphttpd.elg

Debug information

To see debug cpwmd messages run this command: cpwmd debug -app the Management Portal on
To see more detailed debug cpwmd messages, run this command: cpwmd debug -app SmartPortal on TDERROR_ALL_ALL=5
To see additional cp_http_server debug messages:
1. Run this command to stop the daemon: cpwd_admin stop -name CPHTTPD
2. Set the TDERROR_CPHTTPD_ALL environment variable to 5.
3. Set the OPSEC_DEBUG_LEVEL environment variable to 3.
4. Run this command: cp_http_server -v -f <full path to the cp_httpd_admin.conf file>

Data logs

To see CGI log messages of incoming and outgoing data:

Run this command to stop the daemon: cpwd_admin stop -name CPHTTPD
Set the CPWM_DEBUG environment variable to 1
Run cp_http_server.

The output will be written to the cgi_log.txt and cgi_out.txt files in the temp directory (c:\temp on Windows and /tmp on Unix/Linux/SPLAT).