Print Download PDF Send Feedback

Previous

Next

Managing Objects

In This Section:

Object Categories

Adding, Editing, Cloning, Deleting, and Replacing Objects

Object Tags

Network Object Types

Network Objects, defined in SmartConsole and stored in the proprietary Check Point object database, represent physical and virtual network components (such as gateways, servers, and users), and logical components (such as IP address ranges and Dynamic Objects). Before you create Network Objects, analyze the needs of your organization:

Object Categories

Objects in SmartConsole represent networks, devices, protocols and resources. SmartConsole divides objects into these categories:

Icon

Object Type

Examples

Network Objects

Gateways, hosts, networks, address ranges, dynamic objects, security zones

Services

Services, Service groups

Custom Apps Icon

Custom Applications/Sites

Applications, Categories, Mobile applications

VPN Communities

Site to Site or Remote Access communities

Users icon

Users

Users, user groups, and user templates

Data Types

International Bank Account Number - IBAN, HIPAA - Medical Record Number - MRN, Source Code.

Servers

Trusted Certificate Authorities, RADIUS, TACACS

Time Objects

Time, Time groups

UserCheck Interactions

Message windows: Ask, Cancel, Certificate Template, Inform, and Drop

Limit

Download and upload bandwidth

Adding, Editing, Cloning, Deleting, and Replacing Objects

You can add, edit, delete, and clone objects. A clone is a copy of the original object, with a different name. You can also replace one object in the Policy with another object.

Note - Do not create two objects with the same name. You will see a validation error when you try to publish. To resolve, change one of the object names.

To work with objects, right-click the object in the object tree or in the Object Explorer, and select the action.

You can delete objects that are not used, and you can find out where an object is used.

To clone an object:

  1. In the object tree or in the Object Explorer, right-click the object and select Clone.

    The Clone Object window opens.

  2. Enter a name for the cloned object.
  3. Click OK.

To find out where an object is used:

In the object tree or in the Object Explorer, right-click the object and select Where Used.

To replace an object with a different object:

  1. In the object tree or in the Object Explorer, right-click the object and select Where Used.
  2. Click the Replace icon.
  3. From the Replace with list, select an item.
  4. Click Replace.

To delete all instances of an object:

  1. In the object tree or in the Object Explorer, right-click the object and select Where Used.
  2. Click the Replace icon.
  3. From the Replace with list, select None (remove item).
  4. Click Replace.

Object Tags

Object tags are keywords or labels that you can assign to the network objects or groups of objects for search purposes. These are the types of tags you can assign:

Each tag has a name and a value. The value can be static, or dynamically filled by detection engines.

Adding a Tag to an Object

To add a tag to an object:

  1. Open the network object for editing.
  2. In the Add Tag field, enter the label to associate with this object.
  3. Press Enter.

    The new tag shows to the right of the Add Tag field.

  4. Click OK.

Network Object Types

In This Section:

Networks

Network Groups

Check Point Hosts

Gateway Cluster

More Network Object Types

Networks

A Network is a group of IP addresses defined by a network address and a net mask. The net mask indicates the size of the network.

A Broadcast IP address is an IP address which is destined for all hosts on the specified network. If this address is included, the Broadcast IP address will be considered as part of the network.

Network Groups

A network group is a collection of hosts, gateways, networks or other groups.

Groups are used where you cannot work with single objects, e.g. when working with VPN domains or with topology definitions.

Groups facilitate and simplify network management. Modifications are applied to the group instead of each member of the group.

Grouping Network Objects

To create a group of network objects:

  1. In the Objects tree, click New > Network Group.

    The New Network Group window opens.

  2. Enter a name for the group
  3. Set optional parameters:
    • Object comment
    • Color
    • Tag (as custom search criteria)
  4. For each network object or a group of network objects, click the [+] sign and select it from the list that shows.
  5. Click OK.

Check Point Hosts

A Check Point Host can have multiple interfaces but no routing takes place. It is an endpoint that receives traffic for itself through its interfaces. (In comparison, a Security Gateway routes traffic between its multiple interfaces.) For example, if you have two unconnected networks that share a common Security Management Server and Log Server, configure the common server as a Check Point Host object.

A Check Point Host has one or more Software Blades installed. But if the Firewall blade is installed on the Check Point Host, it cannot function as a firewall. The Host requires SIC and other features provided by the actual firewall.

A Check Point Host has no routing mechanism, is not capable of IP forwarding, and cannot be used to implement Anti-spoofing. If the host must do any of these, convert it to be a Security Gateway.

The Security Management Server object is a Check Point Host.

Note - When you upgrade to R80.10 from R77.30 or earlier versions, Node objects are converted to Host objects.

Gateway Cluster

A gateway cluster is a group of Security Gateways with Cluster software installed: ClusterXL, or another Clustering solution. Clustered gateways add redundancy through High Availability or Load Sharing.

More Network Object Types

Address Ranges

An address range is a range of IP addresses on the network, defined by the lowest and the highest IP addresses. Use an Address Range object when you cannot define a range of IP addresses by a network IP and a net mask. The Address Range objects are also necessary for the implementation of NAT and VPN.

Domains

A Domain object lets you define a host or DNS domain by its name only. It is not necessary to have the IP address of the site.

You can use the Domain object in the source and destination columns of an Access Control Policy.

You can configure a Domain object in two ways:

Dynamic Objects

A dynamic object is a "logical" object where the IP address is resolved differently for each Security Gateway, using the dynamic_objects command.

For R80.10 Security Gateways and higher, dynamic objects support SecureXL Accept templates. Therefore, there is no performance impact on a rule that uses a dynamic object, or on rules that come after it.

Dynamic Objects are predefined for LocalMachine-all-interfaces. The DAIP computer interfaces (static and dynamic) are resolved into this object.

Security Zones

Security Zones let you to create a strong Access Control Policy that controls the traffic between parts of the network.

A Security Zone object represents a part of the network (for example, the internal network or the external network). You assign a network interface of a Security Gateway to a Security Zone. You can then use the Security Zone objects in the Source and Destination columns of the Rule Base.

Use Security Zones to:

For example, in the diagram, we have three Security Zones for a typical network: ExternalZone (1), DMZZone (2) and InternalZone (3).

A Security Gateway interface can belong to only one Security Zone. Interfaces to different networks can be in the same Security Zone.

Workflow

  1. Define Security Zone objects. Or, use the predefined Security Zones.
  2. Assign Gateway interfaces to Security Zones.
  3. Use the Security Zone objects in the Source and Destination of a rule. For example:

    Source

    Destination

    VPN

    Service

    Action

     

    InternalZone

    ExternalZone

    Any Traffic

    Any

    Accept

     

  4. Install the Access Control Policy.
Creating and Assigning Security Zones

Before you can use Security Zones in the Rule Base, you must assign Gateway interfaces to Security Zones.

To create a Security Zone:

  1. In the Objects bar (F11), click New > More > Network Object > Security Zone.

    The Security Zone window opens.

  2. Enter a name for the Security Zone.
  3. Enter an optional comment or tag.
  4. Click OK.

To assign an interface to a Security Zone

  1. In the Gateways & Servers view, right-click a Security Gateway object and select Edit.

    The Gateway Properties window opens.

  2. In the Network Management pane, right-click an interface and select Edit.

    The Interface window opens. The Topology area of the General pane shows the Security Zone to which the interface is already bound. By default, the Security Zone is calculated according to where the interface Leads To.

  3. Click Modify.

    The Topology Settings window opens.

  4. In the Security Zone area, click User Defined and select Specify Security Zone.
  5. From the drop-down box, select a Security Zone.

    Or click New to create a new one.

  6. Click OK.
Predefined Security Zones

These are the predefined security zones, and their intended purposes:

Externally Managed Gateways/Hosts

An Externally Managed Security Gateway or a Host is a gateway or a Host which has Check Point software installed on it. This Externally Managed gateway is managed by an external Security Management Server. While it does not receive the Check Point Security Policy, it can participate in Check Point VPN communities and solutions.

Interoperable Devices

An Interoperable Device is a device that has no Check Point Software Blades installed. The Interoperable Device:

VoIP Domains

There are five types of VoIP Domain objects:

In many VoIP networks, the control signals follow a different route through the network than the media. This is the case when the call is managed by a signal routing device. Signal routing is done in SIP by the Redirect Server, Registrar, and/or Proxy. In SIP, signal routing is done by the Gatekeeper and/or gateway.

Enforcing signal routing locations is an important aspect of VoIP security. It is possible to specify the endpoints that the signal routing device is allowed to manage. This set of locations is called a VoIP Domain. For more information refer to the R80.10 VoIP Administration Guide.

Logical Servers

A Logical Server is a group of machines that provides the same services. The workload of this group is distributed between all its members.

When a Server group is stipulated in the Servers group field, the client is bound to this physical server. In Persistent server mode the client and the physical server are bound for the duration of the session.

Balance Method

The load balancing algorithm stipulates how the traffic is balanced between the servers. There are several types of balancing methods:

Open Security Extension (OSE) Devices

The Open Security Extension features let you manage third-party devices with the Check Point SmartConsole. The number of managed devices, both hardware and software packets, depends on your license. OSE devices commonly include hardware security devices for routing or dedicated Network Address Translation and Authentication appliances. Security devices are managed in the Security Policy as Embedded Devices.

The Security Management Server generates Access Lists from the Security Policy and downloads them to selected routers and open security device. Check Point supports these devices:

OSE Device

Supported Versions

Cisco Systems

9.x, 10.x, 11.x, 12.x

The Check Point Rule Base must not have these objects. If it does, the Security Management Server will not generate Access Lists.

Defining OSE Device Interfaces

OSE devices report their network interfaces and setup at boot time. Each OSE device has a different command to list its configuration. You must define at least one interface for each device, or Install Policy will fail.

To define an OSE Device:

  1. From the Object Explorer, click New > More.
  2. Click Network Object > More > OSE Device.
  3. Enter the general properties.

    We recommend that you also add the OSE device to the host lists on other servers: hosts (Linus) and lmhosts (Windows).

  4. Open the Topology tab and add the interfaces of the device.

    You can enable Anti-Spoofing on the external interfaces of the device. Double-click the interface. In the Interface Properties window > Topology tab, select External and Perform Anti-Spoofing.

  5. Open the Setup tab and define the OSE device and its administrator credentials.
OSE Device Properties Window — General Tab
Anti-Spoofing Parameters and OSE Devices Setup (Cisco)

For Cisco (Version 10.x and higher) devices, you must specify the direction of the filter rules generated from anti-spoofing parameters. The direction of enforcement is specified in the Setup tab of each router.

For Cisco routers, the direction of enforcement is defined by the Spoof Rules Interface Direction property.

Access List No — The number of Cisco access lists enforced. Cisco routers Version 12x and below support an ACL number range from 101-200. Cisco routers Version 12x and above support an ACL range number from 101-200 and also an ACL number range from 2000-2699. Inputting this ACL number range enables the support of more interfaces.

For each credential, select an option:

Username — The name required to logon to the OSE device.

Password — The Administrator password (Read only) as defined on the router.

Enable Username — The user name required to install Access Lists.

Enable Password — The password required to install Access Lists.

Version — The Cisco OSE device version (9.x, 10.x, 11.x, 12.x).

OSE Device Interface Direction — Installed rules are enforced on data packets traveling in this direction on all interfaces.

Spoof Rules Interface Direction — The spoof tracking rules are enforced on data packets traveling in this direction on all interfaces.