Check Point password is a static password that is configured in SmartConsole. For administrators, the password is stored in the local database on the Security Management Server. For users, it is stored on the local database on the Security Gateway. No additional software is required.
OS Password is stored on the operating system of the computer on which the Security Gateway (for users) or Security Management Server (for administrators) is installed. You can also use passwords that are stored in a Windows domain. No additional software is required.
Remote Authentication Dial-In User Service (RADIUS) is an external authentication method that provides security and scalability by separating the authentication function from the access server.
Using RADIUS, the Security Gateway forwards authentication requests by remote users to the RADIUS server. For administrators, the Security Management Server forwards the authentication requests. The RADIUS server, which stores user account information, does the authentication.
The RADIUS protocol uses UDP to communicate with the gateway or the Security Management Server.
RADIUS servers and RADIUS server group objects are defined in SmartConsole.
SecurID requires users to both possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA ACE/server and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices, while software tokens reside on the PC or device from which the user wants to authenticate. All tokens generate a random, one-time use access code that changes approximately every minute. When a user attempts to authenticate to a protected resource, the one-time use code must be validated by the ACE/server.
Using SecurID, the Security Gateway forwards authentication requests by remote users to the ACE/server. For administrators, it is the Security Management Server that forwards the requests. ACE manages the database of RSA users and their assigned hard or soft tokens. The gateway or the Security Management Server acts as an ACE/Agent 5.0 and directs all access requests to the RSA ACE/server for authentication. For additional information on agent configuration, refer to the ACE/server documentation.
There are no specific parameters required for the SecurID authentication method.
Terminal Access Controller Access Control System (TACACS) provides access control for routers, network access servers and other networked devices through one or more centralized servers.
TACACS is an external authentication method that provides verification services. Using TACACS, the Security Gateway forwards authentication requests by remote users to the TACACS server. For administrators, it is the Security Management Server that forwards the requests. The TACACS server, which stores user account information, authenticates users. The system supports physical card key devices or token cards and Kerberos secret key authentication. TACACS encrypts the user name, password, authentication services and accounting information of all authentication requests to ensure secure communication.
To create an administrator account using SmartConsole:
Click Manage & Settings > Permissions and Administrators.
The Administrators pane shows by default.
Click New Administrator.
The New Administrators window opens.
Enter a unique name for the administrator account.
Note - This parameter is case-sensitive.
Set the Authentication Method, create a certificate, or both.
Note - If you do not do this, the administrator will not be able to log in to SmartConsole.
Select a Permissions profile for this administrator, or create a new one.
Set the account Expiration date:
For a permanent administrator - select Never
For a temporary administrator - select an Expire At date from the calendar
The default expiration date shows, as defined in the Default Expiration Settings. After the expiration date, the account is no longer authorized to access network resources and applications.
Optional: Configure Additional Info - Contact Details, Email and Phone Number of the administrator.
Click OK.
To change an existing administrator account:
Click Manage & Settings > Permissions and Administrators.
Double-click an administrator account.
The Administrators properties window opens.
Creating an administrator with cpconfig
We do not recommend creating an administrator with cpconfig, the Check Point Configuration Tool. Use it only if there is no access to SmartConsole or the Gaia Portal. If you use cpconfig to create an administrator:
You must restart Check Point Services to activate the administrator.
It does not show the other administrators.
Check Point Password is automatically configured as the authentication method.
Creating a Certificate for Logging in to SmartConsole
When you define an administrator, you must configure the authentication credentials for the administrator.
The authentication credentials for the administrator can be one of the supported authentication methods, a certificate, or both.
You can create a certificate file in SmartConsole. The administrator can use this file to log in to SmartConsole using the Certificate File option. The administrator must provide the password for the certificate file.
You can import the certificate file to the CryptoAPI (CAPI) certificate repository on the Microsoft Windows SmartConsole computer. The administrator can use this stored certificate to log in to SmartConsole using the CAPI Certificate option. The SmartConsole administrator does not need to provide a password.
To create a certificate file:
In the New Administrator window, in the Certificate Information section, click Create.
Enter a password.
Click OK.
Save the certificate file to a secure location on the SmartConsole computer.
The certificate file is in the PKCS #12 format, and has a .p12 extension.
Note - Give the certificate file and the password to the SmartConsole administrators. The administrator must provide this password when logging in to SmartConsole with the Certificate File option.
To import the certificate file to the CAPI repository:
On the Microsoft Windows SmartConsole computer, double-click the certificate file.
Follow the instructions.
Configuring Default Expiration for Administrators
If you want to use the same expiration settings for multiple accounts, you can set the default expiration for administrator accounts. You can also choose to show notifications about the approaching expiration date when an administrator logs into SmartConsole or one of the SmartConsole clients. The number of days remaining until the account expires shows in the status bar.
To configure the default expiration settings:
Click Manage & Settings > Permissions and Administrators > Advanced.
In the Default Expiration Date section, select a setting:
Never expires
Expire at - Select the expiration date from the calendar control
Expire after - Enter the number of days, months, or years (from the day the account is made) before administrator accounts expire
In the Expiration notifications section, select Show 'about to expire' indication in administrators view and select the number of days in advance to show the message about the approaching expiration date.
Click Publish.
Setting SmartConsole Timeout
Setting a SmartConsole idle timeout is a basic requirement for secure usage, and it is enforced for all administrators: when an administrator leaves SmartConsole idle, it logs the administrator out.
To set the SmartConsole timeout:
Click Manage & Settings.
Select Permissions & Administrators > Advanced.
In the Idle Timeout area, select Perform logout after being idle.
Enter a number of minutes.
When a SmartConsole is idle after this number of minutes, the SmartConsole automatically logs out the connected administrator, but all changes are preserved.
Deleting an Administrator
To make sure your environment is secure, the best practice is to delete administrator accounts when personnel leave or transfer.
To remove an administrator account:
Click Manage & Settings > Permissions and Administrators.
The Administrators pane shows by default.
Select an administrator account and click Delete.
Click Yes in the confirmation window that opens.
Revoking Administrator Certificate
If an administrator that authenticates through a certificate is temporarily unable to fulfill administrator duties, you can revoke the certificate for the account. The administrator account remains, but no one can authenticate to the Security Management Server with the certificate. However, if the account has an additional authentication method (a password, for example), that method can be used to authenticate to the account.
To revoke an administrator certificate:
Click Manage & Settings > Permissions and Administrators.
Select an administrator account and click Edit.
In General > Authentication, click Revoke.
Assigning Permission Profiles to Administrators
A permission profile is a predefined set of Security Management Server and SmartConsole administrative permissions that you can assign to administrators. You can assign a permission profile to more than one administrator. Only Security Management Server administrators with the Manage Administrators permission in the profile can create and manage permission profiles.
Administrators with Super User permissions can edit, create, or delete permission profiles.
These are the predefined, default permission profiles. You cannot change or delete the default permission profiles. You can clone them, and change the clones:
Read Only All - Full Read Permissions. No Write permissions.
Read Write All - Full Read and Write Permissions.
Super User - Full Read and Write Permissions, including managing administrators and sessions.
To change the permission profile of an administrator:
Click Manage & Settings > Permissions and Administrators.
Double-click the administrator account.
The Administrators properties window opens.
In the Permissions section, select another Permission Profile from the list.
Click OK.
To change a permission profile:
In SmartConsole, go to Manage & Settings > Permissions and Administrators > Permission Profiles.
Double-click the profile to change.
In the Profile configuration window that opens, change the settings as needed.
Click Close.
To create a new permission profile:
In SmartConsole, go to Manage & Settings > Permissions and Administrators > Permission Profiles.
Click New Profile.
The New Profile window opens.
Enter a unique name for the profile.
Select a profile type:
Read/Write All - Administrators can make changes to all features
Auditor (Read Only All) - Administrators can see all information but cannot make changes
Customized - Configure permissions per feature (see Configuring Customized Permissions)
Click OK.
To delete a permission profile:
In SmartConsole, go to Manage & Settings > Permissions and Administrators > Permission Profiles.
Select a profile and click Delete.
You cannot delete a profile that is assigned to an administrator. To see which administrators use a profile, in the error message, click Where Used.
If the profile is not assigned to administrators, a confirmation window opens.
Click Yes to confirm.
Configuring Customized Permissions
Configure administrator permissions for Gateways, Access Control, Threat Prevention, Others, Monitoring and Logging, Events and Reports, and Management. For each resource, define whether administrators that are configured with this profile can configure the feature or only see it.
Permissions:
Selected - The administrator has this feature.
Not selected - The administrator does not have this feature.
Note - If you cannot clear a feature selection, the administrator access to it is mandatory.
Some features have Read and Write Options. If the feature is selected:
Read - The administrator has the feature but cannot make changes.
Write - The administrator has the feature and can make changes.
To configure customized permissions:
In the Profile object, in the Overview > Permissions section, select Customized.
Configure permissions in these pages of the Profile object:
Gateways - configure the Provisioning and the Scripts permissions.
In the Management section, configure this profile with permissions to:
Manage Administrators - Manage other administrator accounts.
Manage Sessions - Lets the administrator configure the session mode (single or multiple sessions) and act on the private sessions of other administrators (see Working in SmartConsole Session View).
High Availability Operations - Configure and work with High Availability.
Management API Login - Log in with the management API.
Click OK.
Configuring Permissions for Access Control Layers
You can simplify the management of the Access Control Policy by delegating ownership of different Layers to different administrators.
To do this, assign a permission profile to the Layer. The permission profile must have this permission: Edit Layer by the selected profiles in a layer editor.
An administrator that has a permission profile with this permission can manage the Layer.
Workflow:
Give Layer permissions to an administrator profile.
Assign the permission profile to the Layer.
To give Layer permissions to an administrator profile:
In the Profile object, in the Access Control > Policy section, select Edit Layer by the selected profiles in a layer editor.
Click OK.
To assign a permission profile to a Layer:
In SmartConsole, click Menu > Manage policies and layers.
In the left pane, click Layers.
Select a Layer.
Click Edit.
In the left pane, select Permissions.
Click +
Select a profile with Layer permissions.
Click OK.
Click Close.
Publish the session.
Configuring Permissions for Access Control and Threat Prevention
In the Profile object, select the features and the Read or Write administrator permissions for them.
Access Control
To edit a Layer, an administrator must have permissions for all Software Blades in the Layer.
Actions
Install Policy - Install the Access Control Policy on Security Gateways.
Application & URL Filtering Update - Download and install new packages of applications and websites, to use in access rules.
Threat Prevention
Actions
Install Policy - Install the Threat Prevention Policy on Security Gateways.
IPS Update - Download and install new packages for IPS protections.
Configuring Permissions for Monitoring, Logging, Events, and Reports
In the Profile object, select the features and the Read or Write administrator permissions for them.
Monitoring and Logging Features
These are some of the available features:
Monitoring
Management Logs
Track Logs
Application and URL Filtering Logs
Events and Reports Features
These are the permissions for SmartEvent:
SmartEvent
Events - views in SmartConsole > Logs & Monitor
Policy - SmartEvent Policy and Settings on SmartEvent GUI.
Reports - in SmartConsole >Logs & Monitor
SmartEvent Application & URL Filtering reports only
Defining Trusted Clients
By default, any authenticated administrator can connect to the Security Management Server from any computer. To limit access to a specified list of hosts, you can configure Trusted Clients. You can configure Trusted Clients in these ways:
Any - All hosts (default)
IPv4 Address - A single host with specified IPv4 address
IPv4 Address Range - Hosts with IPv4 addresses in the specified range
IPv4 Netmask - Hosts with IPv4 addresses in the subnet defined by the specified IPv4 address and netmask
IPv6 Address - A single host with specified IPv6 address
IPv6 Address Range - Hosts with IPv6 addresses in the specified range
IPv6 Netmask - Hosts with IPv6 addresses in the subnet defined by the specified IPv6 address and netmask
Name - A host with the specified name
Wild cards (IP only) - Hosts with IP addresses described by the specified regular expression
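The matching that the Trusted Client types above imply, as an added example in Python that is not Check Point's code: each entry is one alternative, a connection is allowed if any entry matches, the Netmask types take a full mask rather than a CIDR prefix, and the Wild cards value is treated as an anchored regular expression as the text describes. The entry list, host names and addresses are constructed for the example; treating the Name type as a comparison against the connecting host's resolved name is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedClient:
    """One Trusted Clients entry. `kind` is the SmartConsole type name; `value` and
    `value2` hold the address, the two range ends, or the address and netmask."""
    name: str
    kind: str
    value: str = ""
    value2: str = ""


def _network(address: str, mask: str):
    """Build a network from an address plus a full netmask (the form the Netmask types
    take); a bare prefix length is accepted too. Python's ipaddress only understands
    dotted masks for IPv4, so any mask is converted to a prefix length after checking
    that its set bits are contiguous."""
    if mask.isdigit():
        return ipaddress.ip_network(f"{address}/{mask}", strict=False)
    mask_addr = ipaddress.ip_address(mask)
    mask_int, width = int(mask_addr), mask_addr.max_prefixlen
    prefix = bin(mask_int).count("1")
    if mask_int != ((1 << prefix) - 1) << (width - prefix):
        raise ValueError(f"non-contiguous netmask {mask}")
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def matches(client: TrustedClient, source_ip: str, source_host: str = "") -> bool:
    """Does a connection from source_ip (with its resolved name, if known) satisfy this entry?"""
    addr = ipaddress.ip_address(source_ip)
    kind = client.kind
    if kind == "Any":
        return True
    if kind in ("IPv4 Address", "IPv6 Address"):
        return addr == ipaddress.ip_address(client.value)  # False across IP versions
    if kind in ("IPv4 Address Range", "IPv6 Address Range"):
        low, high = ipaddress.ip_address(client.value), ipaddress.ip_address(client.value2)
        return addr.version == low.version == high.version and low <= addr <= high
    if kind in ("IPv4 Netmask", "IPv6 Netmask"):
        return addr in _network(client.value, client.value2)  # False across IP versions
    if kind == "Name":
        # Assumption: compared against the connecting host's resolved name.
        return bool(source_host) and source_host.lower() == client.value.lower()
    if kind == "Wild cards (IP only)":
        # The value is a regular expression; fullmatch anchors it so that a pattern
        # meant for 172.16.9.x cannot be satisfied by 172.16.90.x.
        return re.fullmatch(client.value, source_ip) is not None
    raise ValueError(f"unknown trusted client type {kind!r}")


def is_trusted(clients, source_ip: str, source_host: str = "") -> bool:
    """Entries are alternatives: the connection is allowed if any entry matches."""
    return any(matches(c, source_ip, source_host) for c in clients)


def unrestricted_entries(clients):
    """Audit helper: names of entries that admit every host (an 'Any' entry left
    behind, or a zero-length netmask), which make the rest of the list meaningless."""
    names = []
    for c in clients:
        if c.kind == "Any":
            names.append(c.name)
        elif c.kind in ("IPv4 Netmask", "IPv6 Netmask") and _network(c.value, c.value2).prefixlen == 0:
            names.append(c.name)
    return names


# Constructed sample list: one entry of each type except Any.
CONSTRUCTED_CLIENTS = [
    TrustedClient("mgmt-jump-host", "IPv4 Address", "10.10.1.25"),
    TrustedClient("soc-workstations", "IPv4 Netmask", "10.20.30.0", "255.255.255.0"),
    TrustedClient("noc-range", "IPv4 Address Range", "192.168.5.10", "192.168.5.20"),
    TrustedClient("ipv6-admins", "IPv6 Netmask", "2001:db8:1::", "ffff:ffff:ffff:ffff::"),
    TrustedClient("lab-wildcard", "Wild cards (IP only)", r"172\.16\.9\.\d{1,3}"),
    TrustedClient("admin-laptop", "Name", "admin-laptop.corp.example"),
]
```

Running the list through unrestricted_entries before publishing it is the check worth keeping: the default Any entry, if it survives next to the specific entries, silently undoes the restriction.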
Configuring Trusted Clients
Administrators with Super User permissions can add, edit, or delete trusted clients.
To add a new trusted client:
In SmartConsole, go to Manage & Settings > Permissions and Administrators > Trusted Clients.
Click New.
The New Trusted Client window opens.
Enter a unique name for the client.
Select a client type and configure corresponding values:
Any - No values to configure
IPv4 Address - Enter an IPv4 address of a host
IPv4 Address Range - Enter the first and the last address of an IPv4 address range
IPv4 Netmask - Enter the IPv4 address and the netmask
IPv6 Address - Enter an IPv6 address of a host
IPv6 Address Range - Enter the first and the last address of an IPv6 address range
IPv6 Netmask - Enter the IPv6 address and the netmask
Name - Enter a host name
Wild cards (IP only) - Enter a regular expression that describes a set of IP addresses
Click OK.
To change trusted client settings:
In SmartConsole, go to Manage & Settings > Permissions and Administrators > Trusted Clients.
Double-click the client you want to edit.
In the Trusted Client configuration window that opens, change the settings as needed.
Click OK.
To delete a trusted client:
In SmartConsole, go to Manage & Settings > Permissions and Administrators > Trusted Clients.
Select a trusted client and click Delete.
The confirmation window opens.
Click Yes to confirm.
Restricting Administrator Login Attempts
For administrators that log in to the Security Management Server using a Check Point password, you can configure these login restrictions:
The number of login attempts before SmartConsole automatically locks an administrator.
The number of minutes before SmartConsole unlocks the administrator's account after it was locked.
To configure login restrictions:
Go to the Manage & Settings view or to the Multi-Domain view.
Go to Permissions & Administrators > Advanced > Login Restrictions.
Note - These restrictions apply only to administrators that authenticate to the Security Management Server using a Check Point password.
Unlocking Administrators
An administrator who has the Manage Administrators permission can unlock another administrator if the locked administrator authenticates to the Security Management Server using a Check Point password.
To unlock an administrator:
Go to the Manage & Settings view or to the Multi-Domain view.
Right-click the locked administrator and select Unlock Administrator.
Note - The Unlock Administrator feature does not apply to administrators using other authentication methods.
Session Flow for Administrators
In SmartConsole, administrators work with sessions. A session is created each time an administrator logs into SmartConsole. Changes made in the session are saved automatically. These changes are private and available only to the administrator. To avoid configuration conflicts, other administrators see a lock icon on objects and rules that are being edited in other sessions.
Administrators can publish or discard their private changes. To include private changes in the policy installation, sessions containing these private changes must be published. This is also true if you want to make your private changes available to other administrators. Unpublished changes from other sessions are not included in the policy installation.
Before you publish a session, we recommend that you give the session a name and add a brief description that documents the work process.
Publishing a Session
The validations pane in SmartConsole shows configuration error messages. Examples of errors are object names that are not unique, or the use of objects that are not valid in the Rule Base. Make sure you correct these errors before publishing.
To publish a session:
On the SmartConsole toolbar, click Publish. When a session is published, a new database version is created and shows in the list of database revisions.
To add a name or description to a session:
In the SmartConsole toolbar, click Session.
The Session Details window opens.
Enter a name for the database version.
Enter a description.
Click OK.
To discard a session:
In the SmartConsole toolbar, click Discard.
Working in SmartConsole Session View
The Session view shows all unpublished sessions in the system. The view shows the sessions of the current administrator, sessions of other administrators and sessions from other applications. The columns in the view can be customized and show the session owner, name, description, connection mode, number of private changes, number of locks, application and other values.
To see session information, click Manage & Settings > Sessions > View Sessions.
Actions available to administrators on private sessions are determined by the Manage Sessions permission on their profile.
Administrators without the Manage Sessions permission can:
Publish and discard their own sessions
See sessions opened by other administrators, the number of locks they hold, and the number of changes they have made
Take over sessions created by applications, for example sessions created by the API command line tool
Administrators with the Manage Sessions permission can:
Publish and discard their own sessions
See sessions opened by other administrators, the number of locks they hold, and the number of changes they have made
Publish & Disconnect the private sessions of other administrators. This action applies to both SmartConsole sessions and command line API sessions.
Discard & Disconnect the private sessions of other administrators
Disconnect the private session of another administrator
Take over sessions created by applications, for example sessions created by the API command line tool
Take over the private sessions of other administrators
Note - If you want to keep changes made in your own private session, publish these changes before you take over the session of another administrator. If you do not publish your changes, you will lose them. When you take over, you disconnect the other administrator's SmartConsole session.
Administrators Working with Multiple Sessions
Administrators working with multiple sessions can open multiple new private sessions without publishing changes made in their current private session.
Use Case
Suppose you are making changes in a private session and are asked to solve some immediate problem. The task involves making a change and publishing it. You do not wish to publish or discard your current private session.
You open a new private session, make the change required to resolve the issue, publish the change, and then return to your previous private session.
To do this, you need to work with multiple sessions. To switch on multiple sessions, you need the Manage Sessions permission selected on your administrator profile.
To enable working in multiple sessions:
Open the relevant permission profile.
Make sure the Manage Sessions permission is selected on the Management page.
Select Each administrator can manage multiple SmartConsole sessions at the same time.
Publish the change.
When working with multiple sessions, you can:
Open and manage multiple sessions to the Security Management Server using the same administrator account
Switch between the active session and previously saved sessions
Publish, discard and disconnect other sessions
Take over other sessions
The SmartConsole Session menu
After multiple sessions are enabled, the SmartConsole Session menu has these new options:
Edit sessions details - Lets you change the session name and description.
Create new session > In the current window - Opens a new session in the current SmartConsole.
Create new session > In a new window - Opens a new session in a new SmartConsole.
Recent - Shows a list of recent sessions. Selecting a session opens it in the current SmartConsole.
More - Opens the Open Session window, which shows sessions that you previously created and saved. Sessions shown in this window are owned by the current user in the current domain. The Open Session > Actions menu has options to open a saved session in the current SmartConsole or in a new SmartConsole.
The SmartConsole Session View
When multiple sessions are enabled, you can perform these additional actions:
For sessions that you own:
Discard and Disconnect
Publish and Disconnect
Disconnect
Open an older session
For sessions owned by other administrators that have made private changes:
Publish and Disconnect their changes
Discard and Disconnect
Disconnect
Take over their changes
For sessions owned by other administrators that have not made private changes:
Disconnect
Take over
Notes:
When working in single session, you need to publish or discard your changes before taking over another session. In multiple sessions, you do not have to publish or discard your session before taking over the session of another administrator.
In multiple sessions, an administrator connecting from another desktop to an already connected session can still take over the connected session by default.
Switching between Multiple and Single Session
If the session management settings switch from multiple SmartConsole sessions to allow only a single SmartConsole session at a time, administrators:
Can still publish, discard, and open sessions that they own
Cannot create new sessions until they have published or discarded all their unpublished sessions that contain private changes
Cannot take over the sessions of other administrators or applications (for example, sessions created with API commands in the mgmt_cli utility) until they have published or discarded all their previously saved private sessions
Configuring Authentication Methods for Administrators
Configuring Check Point Password Authentication for Administrators
These instructions show how to configure Check Point Password authentication for administrators.
Check Point password is a static password that is configured in SmartConsole. For administrators, the password is stored in the local database on the Security Management Server. For users, it is stored on the local database on the Security Gateway. No additional software is required.
To configure a Check Point password for a SmartConsole administrator:
Go to Manage & Settings > Permissions & Administrators > Administrators.
Click New.
The New Administrator window opens.
Give the administrator a name.
In Authentication method, select Check Point Password.
Click Set New Password, type the Password, and Confirm it.
Assign a Permission Profile.
Click OK.
Click Publish.
Configuring OS Password Authentication for Administrators
OS Password is stored on the operating system of the computer on which the Security Gateway (for users) or Security Management Server (for administrators) is installed. You can also use passwords that are stored in a Windows domain. No additional software is required.
To configure an OS password for a SmartConsole administrator:
Go to Manage & Settings > Permissions & Administrators > Administrators.
Click New.
The New Administrator window opens.
Give the administrator a name.
In Authentication method, select OS Password.
Assign a Permission Profile.
Click OK.
Click Publish.
Configuring a RADIUS Server for Administrators
These instructions show how to configure a RADIUS server for SmartConsole administrators. To learn how to configure a RADIUS server, refer to the vendor documentation.
Remote Authentication Dial-In User Service (RADIUS) is an external authentication method that provides security and scalability by separating the authentication function from the access server.
Using RADIUS, the Security Gateway forwards authentication requests by remote users to the RADIUS server. For administrators, the Security Management Server forwards the authentication requests. The RADIUS server, which stores user account information, does the authentication.
The RADIUS protocol uses UDP to communicate with the gateway or the Security Management Server.
RADIUS servers and RADIUS server group objects are defined in SmartConsole.
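The exchange described here and in the RADIUS overview earlier on this page, as an added example in Python that is not Check Point's code: a minimal RFC 2865 Access-Request and Access-Accept/Reject, showing how the User-Password attribute is hidden with the shared secret and the Request Authenticator, and how a RADIUS client must verify the Response Authenticator before trusting an answer that arrived over UDP. The user name, password, shared secret and NAS-Identifier are constructed for the example; the server side is a toy that exists only to make the round trip checkable.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to 16-octet blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator and chained
    on the previous ciphertext block. Keyed obfuscation, not authenticated encryption."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password: same XOR, chained on the received ciphertext blocks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = b"") -> bytes:
    """The datagram a RADIUS client sends. The Request Authenticator must be
    unpredictable: it seeds the password hiding and binds the reply to this request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IDENTIFIER, b"mgmt-server"))  # constructed identifier
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_packet(packet: bytes):
    """Split a packet into (code, identifier, authenticator, {type: value}), rejecting
    a Length that disagrees with the datagram and attributes that overrun it."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("Length field does not match datagram size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, identifier, request_auth, _ = parse_packet(request)
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check before acting on a reply: recompute the Response Authenticator
    from the Request Authenticator we sent and the shared secret. Skipping this lets
    anyone who can spoof UDP from the server's address inject an Access-Accept."""
    _, identifier, response_auth, _ = parse_packet(response)
    _, req_identifier, request_auth, _ = parse_packet(request)
    if identifier != req_identifier:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def radius_server_authenticate(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Toy server: recover the password with the shared secret, answer Accept or Reject."""
    code, _, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, request, secret)
    presented = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    stored = user_db.get(attrs.get(ATTR_USER_NAME, b""), b"")
    ok = bool(stored) and hmac.compare_digest(stored, presented)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)
```

Two consequences for the procedure that follows: the Shared Secret typed into the RADIUS Server Properties is the only key hiding the administrator's password on the wire and the only thing authenticating the server's answer, so it should be long and random rather than a word; and because the transport is UDP, a client cannot rely on the source address of an Access-Accept, which is why the Response Authenticator check is the step that matters.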
To configure a RADIUS Server for a SmartConsole administrator:
In SmartConsole, click Objects > More Object Types > Server > More > New RADIUS.
Configure the RADIUS Server Properties:
Give the server a Name. It can be any name.
Click New and create a New Host with the IP address of the RADIUS server.
Click OK.
Make sure that this host shows in the Host field of the RADIUS Server Properties window.
In the Shared Secret field, type the secret key that you defined previously on the RADIUS server.
Click OK.
Click Publish.
Add a new administrator:
Go to Manage & Settings > Permissions & Administrators > Administrators.
Click New.
The New Administrator window opens.
Give the administrator the name that is defined on the RADIUS server.
Assign a Permission Profile.
In Authentication method, select RADIUS.
Select the RADIUS Server defined earlier.
Click OK.
Click Publish.
Configuring a SecurID Server for Administrators
These instructions show how to configure a SecurID server for SmartConsole administrators. To learn how to configure a SecurID server, refer to the vendor documentation.
SecurID requires users to both possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA ACE/server and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices, while software tokens reside on the PC or device from which the user wants to authenticate. All tokens generate a random, one-time use access code that changes approximately every minute. When a user attempts to authenticate to a protected resource, the one-time use code must be validated by the ACE/server.
Using SecurID, the Security Gateway forwards authentication requests by remote users to the ACE/server. For administrators, it is the Security Management Server that forwards the requests. ACE manages the database of RSA users and their assigned hard or soft tokens. The gateway or the Security Management Server acts as an ACE/Agent 5.0 and directs all access requests to the RSA ACE/server for authentication. For additional information on agent configuration, refer to the ACE/server documentation.
There are no specific parameters required for the SecurID authentication method.
To configure the Security Management Server for SecurID:
Connect to the Security Management Server.
Copy the sdconf.rec file to the /var/ace/ folder.
If the folder does not exist, create the folder.
Give the sdconf.rec file full permissions. Run:
chmod 777 sdconf.rec
To configure a SecurID Server for a SmartConsole administrator:
In SmartConsole, click Objects > More Object Types > Server > More > New SecurID.
Configure the SecurID Properties:
Give the server a Name. It can be any name.
Click Browse and select the sdconf.rec file. This must be a copy of the file that is on the Security Management Server.
Click OK.
Add a new administrator:
Go to Manage & Settings > Permissions & Administrators > Administrators.
Click New.
The New Administrator window opens.
Give the administrator a name.
Assign a Permission Profile.
In Authentication method, select SecurID.
In the SmartConsole Menu, click Install Database.
Configuring a TACACS Server for Administrators
These instructions show how to configure a TACACS server for SmartConsole administrators. To learn how to configure a TACACS server, refer to the vendor documentation.
To configure a TACACS Server for a SmartConsole administrator:
In SmartConsole, click Objects > More Object Types > Server > More > New TACACS.
Configure the TACACS Server Properties:
Give the server a Name. It can be any name.
Click New and create a New Host with the IP address of the TACACS server.
Click OK.
Make sure that this host shows in the Host field of the TACACS Server Properties window.
In the Shared Secret field, type the secret key that you defined previously on the TACACS server.
Click OK.
Click Publish.
Add a new administrator:
Go to Manage & Settings > Permissions & Administrators > Administrators.
Click New.
The New Administrator window opens.
Give the administrator the name that is defined on the TACACS server.