Getting Started

In This Section:

Before you begin deploying a Check Point security solution, familiarize yourself with:

Check Point SmartConsole
Basic setup of a Check Point Security Management Server
Basic setup of Check Point Security Gateways
Administrative task delegation
Security management in a non-GUI environment

Understanding SmartConsole

Check Point SmartConsole makes it easy to manage security for complex networks. Before you start to configure your network security environment and policies, become familiar with Check Point SmartConsole.

Tour of SmartConsole

For a guided tour of SmartConsole, click the What's New button at the bottom left of the window. Click the < and > icons to scroll between the different What's New screens.

SmartConsole Toolbars

Global Toolbar (top of SmartConsole)

	Description
	The main SmartConsole Menu: Manage policies Manage layers Open Object Explorer New object (opens menu to create a new object) Publish session Discard session Session details Install policy Verify policy Install Database Uninstall Threat policy Management High Availability Manage Licenses and Packages Global Properties View (opens menu to select a View to open) Enter Session Details
	Create new objects or open the Object Explorer
	Install policy on managed gateways

Description

The main SmartConsole Menu:

Manage policies
Manage layers
Open Object Explorer
New object (opens menu to create a new object)
Publish session
Discard session
Session details
Install policy
Verify policy
Install Database
Uninstall Threat policy
Management High Availability
Manage Licenses and Packages
Global Properties
View (opens menu to select a View to open)
Enter Session Details

Create new objects or open the Object Explorer

Install policy on managed gateways

Session Management Toolbar (top of SmartConsole)

	Description
	Discard changes made during the session
	Enter session details and see the number of changes made in the session
	Commit policy changes to the database and make them visible to other administrators Note - The changes are saved on the gateways and enforced after the next policy install

Description

Discard changes made during the session

Enter session details and see the number of changes made in the session

Commit policy changes to the database and make them visible to other administrators

Note - The changes are saved on the gateways and enforced after the next policy install

Navigation Toolbar (left side of SmartConsole)

	Keyboard Shortcut	Description
	Ctrl+1	Gateway configuration view: Manage Security Gateways Activate Software Blades Add, edit, or delete gateways and clusters (including virtual clusters) Run scripts Backup and restore gateways Open a command line interface on the gateway View gateway status
	Ctrl+2	Security Policies Access Control view: Manage the Access Control Software Blades: DLP, VPN, Application Control and URL Filtering, and Mobile Access Edit multiple policies at the same time Add, edit, or delete NAT rules Security Policies Threat Prevention view: Manage the Threat Prevention Software Blades: IPS, Anti-Bot, Anti-Virus, Threat Emulation Edit the unified threat Rule Base Configure threat profiles for all Software Blades Add, edit, or delete exceptions and exception groups Both views: Install policies See logs and details
	Ctrl+3	Logs & Monitor view: See high level graphs and plots Search through logs Schedule customized reports Monitor gateways See compliance information
	Ctrl+4	Manage & Settings view - review and configure the Security Management Server settings: Administrators - connected and disconnected Permissions profiles Trusted clients Sessions Blades Revisions Network management preferences Idle timeout Login message

Command Line Interface Button (left bottom corner of SmartConsole)

	Keyboard Shortcut	Description
	F9	Open a command line interface for management scripting and API

Object Management Tab (right side of SmartConsole)

	Description
Objects	Manage security and network objects

Validations Tab (right side of SmartConsole)

	Description
Validations	See validation warnings and errors

System Information Area (bottom of SmartConsole)

	Description
Task List	See management tasks in progress and expand to see recent tasks
Server Details	See the IP address of the server to which SmartConsole is connected
Status of Changes	See the number of changes made in the session and their status
Connected Users	See connected users

Search Engine

In each view you can search the Security Management Server database for information relevant to the view. For example:

Gateway, by name or IP address
Access Control rule
NAT rule
Threat Prevention profile
Specific threat or a threat category
Object tags

Access and Threat Tools

The Access Tools section in the Security Policies Access Control view and the Threat Tools section in the Security Policies Threat Prevention view give you more management and data collection tools.

Access Tools in the Security Policies Access Control view:

Tool	Description
VPN Communities	Create, edit, or delete VPN Communities.
Updates	Update the Application Control and URL Filtering database, schedule updates, and configure updates.
UserCheck	Configure UserCheck interaction objects for Access Control policy actions.
Client Certificates	Create and distribute client certificates that allow users to authenticate to the Gateway from handheld devices.
Application Wiki	Browse to the Check Point AppWiki. Search and filter the Web 2.0 Applications Database, to use Check Point security research in your policy rules for actions on applications, apps, and widgets.
Installation History	See the Policy installation history for each Gateway, and who made the changes. See the revisions that were made during each installation, and who made them. Revert to a specific version of the Policy.

Threat Tools in the Security Policies Threat Prevention view:

Tool	Description
Profiles	Create, edit, or delete profiles.
IPS Protections	Edit IPS protections per profile.
Protections	See statistics on different protections
Whitelist Files	Configure Whitelist Files list
Updates	Configure updates to the Malware database, Threat Emulation engine and images, and the IPS database.
UserCheck	Configure UserCheck interaction objects for Threat Prevention policy actions.
Threat Wiki	Browse to the Check Point ThreatWiki. Search and filter Check Point's Malware Database, to use Check Point security research to block malware before it enters your environment, and to best respond if it does get in.

Shared Policies

The Shared Policies section in the Security Policies view gives access to granular Software Blades.

Shared policies are installed with the Access Control Policy.

Software Blade	Description
Mobile Access	Launch Mobile Access policy in a SmartConsole. Configure how your remote users access internal resources, such as their email accounts, when they are mobile.
DLP	Launch Data Loss Prevention policy in a SmartConsole. Configure advanced tools to automatically identify data that must not go outside the network, to block the leak, and to educate users.
Geo Policy	Create a policy for traffic to or from specific geographical or political locations.
HTTPS Policy	The HTTPS Policy allows the Security Gateway to inspect HTTPS traffic to prevent security risks related to the SSL protocol. To launch the HTTPS Policy, click Manage & Settings > Blades > HTTPS Inspection > Configure in SmartDashboard

Command Line Interface

You can also configure objects and rules through the command line interface, which you can access from SmartConsole.

	Click to open the command line interface.
	Open the Command Line Reference to learn about Session management commands, Host commands, Network commands, and Rule commands.

In addition to the command line interface, you can create and run API scripts to manage configuration and operations on the Security Management Server. See Managing Security with the API and CLI.

Connecting to the Security Management Server through SmartConsole

To log in to a Security Management Server through Check Point SmartConsole, you must have an administrator account configured on the Security Management Server. You can create an administrator account with cpconfig or with the Check Point First Time Configuration Wizard.

To log in to the Security Management Server through SmartConsole:

Launch the SmartConsole application.
Enter your administrator authentication credentials.
Enter the name or the IP address of the Security Management Server.
Click Login.
The SmartConsole authenticates the Security Management Server and shows the fingerprint.
Confirm the fingerprint.

The fingerprint and the IP address of the Security Management Server are saved to the Windows registry and are available for future Security Management Server authentications.

Setting Up for Security Management

To start setting up your security environment, configure the Security Management Server and the Security Gateways. The Security Gateways enforce the security policy that you define on the Security Management Server.

To configure the Security Management Server in SmartConsole:

Find the Security Management Server object.
You can search for it by name or IP address in the Search box at the top of the pane.

When you select the Security Management Server object, the Summary tab at the bottom of the pane shows the Software Blades that are enabled on it.
Open the object properties window, and enable the Management Software Blades, as necessary:
- Network Policy Management - Manage a comprehensive security policy, unified for all security functionalities.
- Endpoint Policy Management - Manage security and data on end-user computers and hand-held devices. Enable this Software Blade if you have or will install an Endpoint Security Management Server.
- Logging & Status - Monitor security events and status of gateways, VPNs, users, and more, with advanced visuals and data management features.
- Identity Awareness - Add user identities, and data of their computers and devices, from Active Directory domains, to log entries.
- Monitoring - See a complete picture of network and security performance, for rapid response to security events and traffic pattern changes.
- User Directory - Populate your security scope with user accounts from the LDAP servers in your environment.
- SmartEvent - Manage and correlate security events in real-time.

To configure the Security Gateways in SmartConsole:

From the navigation toolbar, select Gateways & Servers.
Click New, and select Gateway.
In the Check Point Security Gateway Creation window that opens, select a configuration mode:
- Wizard Mode - run the configuration wizard
- Classic Mode - configure the gateway in classic mode

Setting up for Team Work

As an administrator, you can delegate tasks, such as defining objects and users, to other administrators. Make sure to create administrator accounts with the privileges that are required to accomplish those tasks.

If you are the only administrator, we recommend that you create a second administrator account with Read Only permissions, which is useful for troubleshooting, consultation, or auditing.

Managing Security through API and CLI

You can configure and control the Security Management Server with the new command line tools and through web services. You must first configure the API server.

The API server runs scripts that automate daily tasks and integrate the Check Point solutions with third party systems such as virtualization servers, ticketing systems, and change management systems.

You can use these tools to run API scripts on the Security Management Server:

Standalone management tool, included with SmartConsole. You can copy this tool to Windows or Gaia computers.
- mgmt_cli.exe (Windows)
- mgmt_cli (Gaia)
Web Services API that allows communication and data exchange between the clients and the Security Management Server through the HTTP protocol. It also lets other Check Point processes communicate with the management server through the HTTPS protocol. The API commands are stored in XML format.

All API clients use the same port as the Gaia portal.

To learn more about the management APIs, to see code samples, and to take advantage of user forums, see the Developers Network section of the Exchange Point Portal.

Configuring the API Server

To configure the API Server:

In SmartConsole, go to Manage & Settings > Blades.
In the Management API section, click Advanced Settings.
The Management API Settings window opens.
Configure the Startup Settings and the Access Settings.

Management API Settings

Startup Settings
- Select Automatic start to automatically start the API server when the Security Management Server starts.
  In these environments, Automatic start is selected by default:
  - Distributed Security Management Servers (without gateway functionality) with at least 4GB of RAM
  - Standalone Security Management Servers (with gateway functionality) with at least 8GB of RAM
In other environments, to reduce the memory consumption on the management server, Automatic start is not selected by default.
Access Settings
Configure IP addresses from which the API server accepts requests:
- Management server only (default) - API server will accept scripts and web service requests only from the Security Management Server. You must open a command line interface on the server and use the mgmt_cli utility to send API requests.
- All IP addresses that can be used for GUI clients - API server will accept scripts and web service requests from the same devices that are allowed access to the Security Management Server.
- All IP addresses - API server will accept scripts and web-service requests from any device.

To apply changes, you must publish the session, and run the api restart command on the Security Management Server.

Planning Security Management

After installing the Security Management Server and the Security Gateways, you can continue with network security configuration for your environment.

Define your organization's topology

Network topology consists of network components, both physical and logical, such as physical and virtual Security Gateways, hosts, hand-held devices, CA servers, third-party servers, services, resources, networks, address ranges, and groups. Each of these components corresponds to an object in your Check Point security management configuration. Configure those objects in SmartConsole.

Define users and user groups that your security environment protects

You can add users and groups to the database manually, through LDAP and User Directory, or with the help of Active Directory.

Define access rules for protection of your organization's resources

Configure access rules and group them in policies that are enforced on the Security Gateways. You can define access policies based on traffic, applications, Web sites, and data. Set up preventative actions against known threats with Check Point Anti-Virus and Anti-Malware. Educate users about the validity and security of the operations they attempt with the help of UserCheck. Track network traffic and events through logging and monitoring.

Enforce access policies

Configure the Security Gateways. Make sure to activate the appropriate Software Blades. Then, install your policies on the Security Gateways.