Managing Objects

In This Section: Object Categories Adding, Editing, Cloning, Deleting, and Replacing Objects Object Tags Network Object Types

Network Objects, defined in SmartConsole and stored in the proprietary Check Point object database, represent physical and virtual network components (such as gateways, servers, and users), and logical components (such as IP address ranges and Dynamic Objects). Before you create Network Objects, analyze the needs of your organization:

• What are the physical components of your network: devices, hosts, gateways and their active Software Blades?
• What are the logical components: services, resources, applications, ranges?
• Who are the users? How should you group them, and with what permissions?

Object Categories

Objects in SmartConsole represent networks, devices, protocols and resources. SmartConsole divides objects into these categories:

Icon	Object Type	Examples
	Network Objects	Gateways, hosts, networks, address ranges, dynamic objects, security zones
	Services	Services, Service groups
	Custom Applications/Sites	Applications, Categories, Mobile applications
	VPN Communities	Site to Site or Remote Access communities
	Users	Users, user groups, and user templates
	Servers	Trusted Certificate Authorities, RADIUS, TACACS
	Time Objects	Time, Time groups
	UserCheck Interactions	Message windows: Ask, Cancel, Certificate Template, Inform, and Drop
	Limit	Download and upload bandwidth

Adding, Editing, Cloning, Deleting, and Replacing Objects

You can add, edit, delete, and clone objects. A clone is a copy of the original object, with a different name. You can also replace one object in the Policy with another object.

To work with objects, right-click the object in the object tree or in the Object Explorer, and select the action.

You can delete objects that are not used, and you can find out where an object is used.

To clone an object:

1. In the object tree or in the Object Explorer, right-click the object and select Clone.

   The Clone Object window opens.

2. Enter a name for the cloned object.
3. Click OK.

To find out where an object is used:

In the object tree or in the Object Explorer, right-click the object and select Where Used.

To replace an object with a different object:

1. In the object tree or in the Object Explorer, right-click the object and select Where Used.
2. Click the Replace icon.
3. From the Replace with list, select an item.
4. Click Replace.

To delete all instances of an object:

1. In the object tree or in the Object Explorer, right-click the object and select Where Used.
2. Click the Replace icon.
3. From the Replace with list, select None (remove item).
4. Click Replace.

Object Tags

Object tags are keywords or labels that you can assign to network objects or groups of objects for search purposes.

IPS protections have pre-defined tags. Use the tags

• When configuring a Threat Prevention Profile, to determine which protections are activated.
• As search filters, when searching the list of IPS protections.

You cannot add, change or remove tags on IPS protections.

Adding a Tag to an Object

To add a tag to an object:

1. Open the network object for editing.
2. In the Add Tag field, enter the label to associate with this object.
3. Press Enter.

   The new tag shows to the right of the Add Tag field.

4. Click OK.

Network Object Types

In This Section: Networks Network Groups Managing Software Blade Licenses Gateway Cluster More Network Object Types

Networks

A Network is a group of IP addresses defined by a network address and a net mask. The net mask indicates the size of the network.

A Broadcast IP address is an IP address which is destined for all hosts on the specified network. If this address is included, the Broadcast IP address will be considered as part of the network.

Network Groups

A network group is a collection of hosts, gateways, networks or other groups.

Groups are used where you cannot work with single objects, e.g. when working with VPN domains or with topology definitions.

Groups facilitate and simplify network management. Modifications are applied to the group instead of each member of the group.

Grouping Network Objects

To create a group of network objects:

1. In the Objects tree, click New > Network Group.

   The New Network Group window opens.

2. Enter a name for the group
3. Set optional parameters:
   • Object comment
   • Color
   • Tag (as custom search criteria)
4. For each network object or a group of network objects, click the [+] sign and select it from the list that shows.
5. Click OK.

Managing Software Blade Licenses

After an administrator runs the First Time Configuration Wizard on an R80 Security Management Server, and the Security Management Server connects to the Internet, it automatically activates its license and synchronizes with the Check Point User Center. If the Security Management Server loses Internet connectivity before the license is activated, it tries again, on an interval.

If the administrator makes changes to Management Software Blade licenses of an R80 Security Management Server in the Check Point User Center, these changes are automatically synchronized with that Security Management Server.

Note -

• Automatic activation is supported on Check Point appliances only.
• Automatic synchronization is supported on all R80 servers.

To make sure that your environment is synchronized with the User Center, even when the Security Management Server is not connected to the Internet, we recommend that you configure an R80 Check Point server with Internet connectivity as a proxy.

In SmartConsole, you can see this information for most Software Blade licenses:

• License status
• Alerts
• Check Point User Center details

See the R80 Release Notes for a list of supported Software Blades

Configuring a Proxy gateway

To configure a proxy on an R80 Check Point server:

1. On the Security Management Server, add these lines to $CPDIR/tmp/.CPprofile.sh:
   • _cpprof_add HTTP_CLIENT_PROXY_SICNAME "<proxy server sic name>" 0 0
   • _cpprof_add HTTP_CLIENT_PROXY_IP "<proxy server IP>" 0 0
2. Reboot the Security Management Server.

Viewing Licenses

To view license information:

In SmartConsole, go to the Gateways & Servers view, and from the Columns drop-down list, select Licenses.

You can see this information:

• License Status - The general state of the Software Blade licenses:
  • OK - All the blade licenses are valid.
  • Not Activated - Blade licenses are not installed. This is only possible in the first 15 days after the establishment of the SIC with the Security Management Server. After the initial 15 days, the absence of licenses will result in the blade error message.
  • Error with <number> blade(s) - The specified number of blade licenses are not installed or not valid.
  • Warning with <number> blade(s) - The specified number of blade licenses have warnings.
  • N/A - No available information.
• CK (Certificate Key) - Unique key of the license instance.
• SKU - Catalog ID from the Check Point User Center.
• Account ID - User's account ID.
• Support Level - Check Point level of support.
• Support Expiration - Date when the Check Point support contract expires.

To view license information per Software Blade:

1. Select a Security Gateway or a Security Management Server.
2. In the Summary tab below, click the object's license status (for example: OK).

   The Device & License window opens. It shows basic object information and License Status, license Expiration Date, and important quota information (in the Additional Info column) for each Software Blade.

   Notes -

   • Quota information, quota-dependent license statuses, and blade information messages are only supported for R80
   • The tooltip of the SKU is the product name

These are the possible values for the Software Blade License Status:

• Active - The Software Blade is active and the license is valid.
• Available - The Software Blade is not active, but the license is valid.
• No License - The Software Blade is active but the license is not valid.
• Expired - The Software Blade is active, but the license expired.
• About to Expire - The Software Blade is active, but the license will expire in thirty days (default) or less (7 days or less for an evaluation license).
• Quota Exceeded - The Software Blade is active, and the license is valid, but the quota of related objects (gateways, files, virtual systems, and so on, depending on the blade) is exceeded.
• Quota Warning - The Software Blade is active, and the license is valid, but the number of objects of this blade is 90% (default) or more of the licensed quota.
• N/A - The license information is not available.

Monitoring Licenses

To keep track of license issues, you can use:

• License Inventory Report - Shows the status of each Software Blade, gateway, and server license, including warnings and critical issues. You can filter the list of devices and export the report to a file.
• License Status View - Shows the license status for all gateways and servers with the option to click and see more details for each device.

In the License Inventory Report and License Status View, you can also see the Next Expiration Date, which is the closest expiration date of one or more of the Software Blades.

The SmartEvent blade allows you to customize the License Status View and License Inventory Report from the Logs & Monitor view of SmartConsole. It is also possible to view license information from the Gateways & Servers view of SmartConsole without the SmartEvent blade.

To see the License Inventory report from the Logs & Monitor view:

1. In the Logs & Monitor view of SmartConsole, open a new tab.
2. Select Reports.
3. Double-click License Inventory.

   The License Inventory report opens.

To see the License Inventory report from the Gateways & Servers view:

From the Gateways & Servers view, click Actions > License Report.

To filter the list of devices in the License Status report:

1. In the License Status view, click to expand the Options menu on the right.
2. Select View Filter.

   The Edit View Filter window opens.

3. Select a Field to filter results.
4. Select the operation - Equals, Not Equals, or Contains.
5. Enter a filter value.
6. Optional: Click the plus sign to add a filter.
7. Click OK.

   The filtered list of devices shows.

To export the License Status report:

1. In the License Status view, click to expand the Options menu on the right.
2. Select a type of export:
   • Save as PDF
   • Save as Excel - Can convert to csv file also
   • Export - Creates a .cpr file
3. Click Download.

To see the License Status view from Logs & Monitor:

1. In the Logs & Monitor view of SmartConsole, open a new tab.
2. Select Views.
3. Double-click License Status.

   The License Status view opens.

To see a summary of Licenses from Gateways & Servers:

From the Gateways & Servers view, from the Columns menu, click Licenses.

Gateway Cluster

A gateway cluster is a group of Security Gateways with Cluster software installed: ClusterXL, or another Clustering solution. Clustered gateways add redundancy through High Availability or Load Sharing.

More Network Object Types

Address Ranges

An address range is a range of IP addresses on the network, defined by the lowest and the highest IP addresses. Use an Address Range object when you cannot define a range of IP addresses by a network IP and a net mask. The Address Range objects are also necessary for the implementation of NAT and VPN.

Domains

A Domain object lets you define a host or DNS domain by its name only. You do not need the IP address of the site.

• The format of the name is x.y. For example mysite.com or mysite.co.uk.
• A period separates each section of the name.
• For successful resolution to an IP address, the specified domain name must be an actual domain name.
• Name resolution takes place on the Security Gateway, and the result is cached for reuse.

You can also configure the domain object to represent a pattern that will watch all sub-domains. For example: *.mysite.com. This partial domain name will match all sub-domains of mysite.com.

Note - The gateway resolves partial names using DNS reverse lookups, which can be inaccurate and take some time.

After defining a domain object, you can use it in the source and destination columns of an access policy.

Dynamic Objects

A dynamic object is a "logical" object where the IP address will be resolved differently per Security Gateway using the dynamic_objects command.

Dynamic Objects are predefined for:

• LocalMachine-all-interfaces - The DAIP machine interfaces (static and dynamic) are resolved into this object.
• LocalMachine - The external interface (dynamic) of the SmartLSM Security Gateway (as declared in cpconfig when configuring the gateway).
• InternalNet - The internal interface of the SmartLSM Security Gateway (as declared in cpconfig when configuring the gateway).
• AuxiliaryNet - The auxiliary interface of the SmartLSM Security Gateway (as declared in cpconfig when configuring the gateway).
• DMZNet - The DMZ interface of the SmartLSM Security Gateway (as declared in cpconfig when configuring the gateway).

For more information see the Command Line Interface Reference Guide.

Externally Managed Gateways/Hosts

An Externally Managed Security Gateway or a Host is a gateway or a Host which has Check Point software installed on it. This Externally Managed gateway is managed by an external Security Management Server. While it does not receive the Check Point Security Policy, it can participate in Check Point VPN communities and solutions.

Interoperable Devices

An Interoperable Device is a device that has no Check Point Software Blades installed. The Interoperable Device:

• Cannot have a policy installed on it
• Can participate in Check Point VPN communities and solutions.

VoIP Domains

There are five types of VoIP Domain objects:

• VoIP Domain SIP Proxy
• VoIP Domain H.323 Gatekeeper
• VoIP Domain H.323 Gateway
• VoIP Domain MGCP Call Agent
• VoIP Domain SCCP CallManager

In many VoIP networks, the control signals follow a different route through the network than the media. This is the case when the call is managed by a signal routing device. Signal routing is done in SIP by the Redirect Server, Registrar, and/or Proxy. In SIP, signal routing is done by the Gatekeeper and/or gateway.

Enforcing signal routing locations is an important aspect of VoIP security. It is possible to specify the endpoints that the signal routing device is allowed to manage. This set of locations is called a VoIP Domain. For more information refer to Command Line Interface Reference Guide.

Logical Servers

A Logical Server is a group of machines that provides the same services. The workload of this group is distributed between all its members.

When a Server group is stipulated in the Servers group field, the client is bound to this physical server. In Persistent server mode the client and the physical server are bound for the duration of the session.

• Persistency by Service — once a client is connected to a physical server for a specified service, subsequent connection to the same Logical Server and the same service will be redirected to the same physical server for the duration of the session.
• Persistency by Server — once a client is connected to a physical server, subsequent connections to the same Logical Server (for any service) will be redirected to the same physical server for the duration of the session.

Balance Method

The load balancing algorithm stipulates how the traffic is balanced between the servers. There are several types of balancing methods:

• Server Load — The Security Gateway determines which Security Management Server is best equipped to handle the new connection.
• Round Trip Time — On the basis of the shortest round trip time between Security Gateway and the servers, executed by a simple ping, the Security Gateway determines which Security Management Server is best equipped to handle the new connection.
• Round Robin — the new connection is assigned to the first available server.
• Random — the new connection is assigned to a server at random.
• Domain — the new connection is assigned to a server based on domain names.