Preferences and Management Settings

In This Section: Database Revisions Setting IP Address Versions of the Environment Restoring Window Defaults Configuring the Login Window Testing New SmartConsole Features Sync with User Center Inspection Settings SmartConsole Extensions

Database Revisions

The Security Management architecture has built-in revisions. Each revision is a new restore point in the database. It contains only the changes from the previous revision. Revisions therefore need only a small amount of disk space, and are created fast. Other benefits of this architecture are:

• Fast policy verification, based on the difference between installed revisions.
• More efficient Management High Availability.
• Safe recovery from a crisis.

This diagram shows the database revisions over time:

1. Install
2. Upgrade
3. Publish
4. Publish
5. Publish

Working with Database Revisions

To see saved database versions:

In SmartConsole, go to Manage & Settings > Revisions.

To see the changes made during a specific revision:

1. In the Manage & Settings > Revisions window, select revision.

   The bottom pane shows the audit logs of the changes made in the revision.

2. Optional: Click View.

   A separate read-only SmartConsole session opens.

To delete all versions of the database that are older than the selected version:

1. In the Manage & Settings > Revisions window, select a revision.
2. Click Purge.
3. In the confirmation window that opens, click Yes.

   Important - Deletion is irreversible. When you purge, that revision and older revisions are deleted permanently.

Managing a Crisis Using Database Revisions

Case	A connectivity or security problem after making changes to the policy and installing the policy
Solution	Go to Security Policies > Installation History. In the Policy Installation History, choose the last known good version and click Install specific version. After a Gateway is safely installed, the Gateway has the last good revision, and the Security Management Server has the most recent revision. To see the changes made in the revision, browse the audit logs in the bottom pane of the revision.
Case	Network problem after downloading a Threat Prevention update and installing it on gateways.
Solution	From Security Policies > Threat Prevention > Threat Tools > Updates, in the IPS section, choose an update that is known to be good. Click Switch to Version. Install the Threat Prevention Policy. The Gateway gets that version of the IPS protections. Other network objects and policies do not change.

More Database Revision Scenarios:

• Need a full environment restore to a certain point in time.

  Best Practice: Use Restore Backup. All work done after the backup is lost. To learn more, see the R80.20 Gaia Administration Guide.

• To revert to a previous state, use Revert Policy. This reverts the structure of the Rule Base, but not the objects used in the Rule Base.

Setting IP Address Versions of the Environment

Many objects and rules use IP addresses. Configure the version that your environment uses to see only relevant options.

To set IP address version:

1. Click Manage & Settings.
2. Click Preferences.
3. Select the IP address version that your environment uses: IPv4, IPv6, or IPv4 and IPv6.
4. Select how you want to see subnets: Mask Length or Subnet Mask.

Restoring Window Defaults

Some windows in the SmartConsole offer administrators the option to not see the window again. You can undo this selection, and restore all windows to show again.

This option is available only if administrators selected do not show in a window.

To restore windows from "do not show":

1. Click Manage & Settings.
2. Click Preferences.
3. In the User Preferences area, click Restore All Messages.

Configuring the Login Window

Administrators in your environment use SmartConsole daily. Customize the Login window, to set the environment to comply with your organization's culture.

To customize the Login window:

1. Click Manage & Settings.
2. Click Preferences > Login Message.

   The Login Message window opens.

3. Select Show custom message during login.
4. In Customize Message, enter a Header and Message for administrators to see.

   The default suggestion is:
   Warning
This system is for authorized use only

5. If you want the message to have a warning icon, in Customize Layout, select Add warning sign.
6. If you want the Login window to show your organization's logo, in Customize Layout, select Add logo and then Browse to an image file.

Testing New SmartConsole Features

You can influence Check Point product development by selecting and testing one or more of the new features listed here.

To test a new SmartConsole feature:

1. Click Manage & Settings.
2. Click Preferences.
3. In the Check Point Lab area, select the feature you want to test:
   • Enable Session pane - Review all changes before you publish

Sync with User Center

You can add information regarding your environment to User Center, such as gateway name, version, and active blades. Check Point uses this additional information for better inventory management, pro-active support, and more efficient ticket resolution.

To learn more, see sk94064.

To sync with User Center:

1. In SmartConsole, click Manage & Settings.
2. Click Sync with User Center
3. Select Synchronize information once a day.

Inspection Settings

You can configure inspection settings for the Firewall:

• Deep packet inspection settings
• Protocol parsing inspection settings
• VoIP packet inspection settings

The Security Management Server comes with two preconfigured inspection profiles for the Firewall:

• Default Inspection
• Recommended Inspection

When you configure a Security Gateway, the Default Inspection profile is enabled for it. You can also assign the Recommended Inspection profile to the Security Gateway, or to create a custom profile and assign it to the Security Gateway.

To activate the Inspection Settings, install the Access Control Policy.

Note - In a pre-R80 SmartConsole, Inspection Settings are configured as IPS Protections.

Configuring Inspection Settings

To configure Inspection Settings:

1. In SmartConsole, go to the Manage & Settings > Blades view.
2. In the General section, click Inspection Settings.

   The Inspection Settings window opens.

You can:

• Edit inspection settings.
• Edit user-defined Inspection Settings profiles. You cannot change the Default Inspection profile and the Recommended Inspection profile.
• Assign Inspection Settings profiles to Security Gateways.
• Configure exceptions to settings.

To edit a setting:

1. In the Inspection Settings > General view, select a setting.
2. Click Edit.
3. In the window that opens, select a profile, and click Edit.

   The settings window opens.

4. Select the Main Action:
   • Default Action - preconfigured action
   • Override with Action - from the drop-down menu, select an action with which to override the default - Accept, Drop, Inactive (the setting is not activated)
5. Configure the Logging Settings

   Select Capture Packets, if you want to be able to examine packets that were blocked in Drop rules.

6. Click OK.
7. Click Close.

To view settings for a certain profile:

1. In the Inspection Settings > General view, click View > Show Profiles.
2. In the window that opens, select Specific Inspection settings profiles.
3. Select profiles.
4. Click OK.

   Only settings for the selected profiles are shown.

You can add, edit, clone, or delete custom Inspection Settings profiles.

To edit a custom Inspection Settings profile:

1. In the Inspection Settings > Profiles view, select a profile.
2. Click Delete, to remove it, or click Edit to change the profile name, associated color, or tag.
3. If you edited the profile attributes, click OK to save the changes.

To add a new Inspection Settings profile:

1. In the Profiles view, click New.
2. In the New Profile window that opens, edit the profile attributes:
3. Click OK.

To assign an Inspection Settings profile to a Security Gateway:

1. In the Inspection Settings > Gateways view, select a gateway, and click Edit.
2. In the window that opens, select an Inspection Settings profile.
3. Click OK.

To configure exceptions to inspection settings:

1. In the Inspection Settings > Exceptions view, click New to add a new exception, or select an exception and click Edit to modify an existing one.

   The Exception Rule window opens.

2. Configure the exception settings:
   • Apply To - select the Profile to which to apply the exception
   • Protection - select the setting
   • Source - select the source Network Object, or select IP Address and enter a source IP address
   • Destination - select the destination Service Object
   • Service - select Port/Range, TCP or UDP, and enter a destination port number or a range of port numbers
   • Install On - select a gateway on which to install the exception
3. Click OK.

To enforce the changes, install the Access Control Policy.

SmartConsole Extensions

SmartConsole Extensions is an open platform within SmartConsole which allows it to integrate with web-based interfaces of other systems. For example, you can create a web-interface for an existing ticketing system, and integrate it within SmartConsole so that associated tickets are seen for every rule in the Rule Base.

Customers, vendors, and third-parties can develop their own Extensions to integrate into SmartConsole.

Importing Extensions into SmartConsole

The client system that runs SmartConsole saves installed Extensions locally. You must install Extensions on each client system that runs SmartConsole.

To import an extension:

1. On SmartConsole, go to Manage & Settings > Preferences > SmartConsole Extensions > +.

   The Import SmartConsole Extension window opens.

2. Enter the web-service manifest URL for the manifest file and click OK. The URL must be an HTTPS URL.

   Note - When the hosting server uses an invalid SSL certificate (self-signed), it prompts an Invalid Certificate confirmation window. Confirm the server's fingerprint against the SSL certificate which runs the Extension by selecting View Certificate. On the Certificate window, you can enable trust for this certificate with a click on Install Certificate to use the Certificate Import Wizard.

SmartConsole retrieves the manifest file and displays these Extension details in the SmartConsole Extension Installation window:

Parameter Name	Description	Example
Name	Extension displayed name	Demo Extension
Provider	The URL for the Extension service entry point	ACME Labs
Server Name	The Extension provider hosting server name	acme.com
Certificate	Server Certificate
Required Permission	The required accessibility which Extension request to acquire	Read relevant objects from the installed location

You can disable Extensions from SmartConsole. To disable an Extension, clear the box next to the Extension name. To uninstall an Extension, select the Extension and click the X above the Extension list. You do not need to restart SmartConsole to install, uninstall, enable, or disable Extensions.

Configuring Extension Settings

To configure the Extension settings:

In SmartConsole, go to Manage & Settings > Preferences > SmartConsole Extensions, double-click the Extension you imported. The Settings window for the Extension opens:

• The Extension Key allows any string you enter to identify the Extension.
• Key Data allows developers to customize the extensions through these keys, such as choosing a color theme.

Certified Check Point Extensions and Development

Extensions reviewed and verified by Check Point are distinguished by a green check sign.

To learn more about developing extensions, see the SmartConsole Extension Developer Guide.