Network Objects, defined in SmartConsole and stored in the proprietary Check Point object database, represent physical and virtual network components (such as gateways, servers, and users), and logical components (such as IP address ranges and Dynamic Objects). Before you create Network Objects, analyze the needs of your organization:
Objects in SmartConsole represent networks, devices, protocols and resources. SmartConsole divides objects into these categories:
Object Type | Examples
---|---
Network Objects | Gateways, hosts, networks, address ranges, dynamic objects, security zones
Services | Services, Service groups
Custom Applications/Sites | Applications, Categories, Mobile applications
VPN Communities | Site to Site or Remote Access communities
Users | Users, user groups, and user templates
Servers | Trusted Certificate Authorities, RADIUS, TACACS
Time Objects | Time, Time groups
UserCheck Interactions | Message windows: Ask, Cancel, Certificate Template, Inform, and Drop
Limit | Download and upload bandwidth
You can add, edit, delete, and clone objects. A clone is a copy of the original object, with a different name. You can also replace one object in the Policy with another object.
To work with objects, right-click the object in the object tree or in the Object Explorer, and select the action.
You can delete objects that are not used, and you can find out where an object is used.
To clone an object:
The Clone Object window opens.
To find out where an object is used:
In the object tree or in the Object Explorer, right-click the object and select Where Used.
To replace an object with a different object:
To delete all instances of an object:
Object tags are keywords or labels that you can assign to network objects or groups of objects for search purposes.
IPS protections have pre-defined tags. Use the tags
You cannot add, change or remove tags on IPS protections.
To add a tag to an object:
The new tag shows to the right of the Add Tag field.
A Network is a group of IP addresses defined by a network address and a net mask. The net mask indicates the size of the network.
A Broadcast IP address is an IP address which is destined for all hosts on the specified network. If this address is included, the Broadcast IP address will be considered as part of the network.
A network group is a collection of hosts, gateways, networks or other groups.
Groups are used where you cannot work with single objects, for example when working with VPN domains or with topology definitions.
Groups facilitate and simplify network management. Modifications are applied to the group instead of each member of the group.
To create a group of network objects:
The New Network Group window opens.
After an administrator runs the First Time Configuration Wizard on an R80 Security Management Server, and the Security Management Server connects to the Internet, it automatically activates its license and synchronizes with the Check Point User Center. If the Security Management Server loses Internet connectivity before the license is activated, it tries again, on an interval.
If the administrator makes changes to Management Software Blade licenses of an R80 Security Management Server in the Check Point User Center, these changes are automatically synchronized with that Security Management Server.
Note -
To make sure that your environment is synchronized with the User Center, even when the Security Management Server is not connected to the Internet, we recommend that you configure an R80 Check Point server with Internet connectivity as a proxy.
In SmartConsole, you can see this information for most Software Blade licenses:
See the R80 Release Notes for a list of supported Software Blades.
To configure a proxy on an R80 Check Point server:
$CPDIR/tmp/.CPprofile.sh
_cpprof_add HTTP_CLIENT_PROXY_SICNAME "<proxy server sic name>" 0 0
_cpprof_add HTTP_CLIENT_PROXY_IP "<proxy server IP>" 0 0
To view license information:
In SmartConsole, go to the Gateways & Servers view, and from the Columns drop-down list, select Licenses.
You can see this information:
To view license information per Software Blade:
The Device & License window opens. It shows basic object information and License Status, license Expiration Date, and important quota information (in the Additional Info column) for each Software Blade.
Notes -
These are the possible values for the Software Blade License Status:
To keep track of license issues, you can use:
In the License Inventory Report and License Status View, you can also see the Next Expiration Date, which is the closest expiration date of one or more of the Software Blades.
The SmartEvent blade allows you to customize the License Status View and License Inventory Report from the Logs & Monitor view of SmartConsole. It is also possible to view license information from the Gateways & Servers view of SmartConsole without the SmartEvent blade.
To see the License Inventory report from the Logs & Monitor view:
The License Inventory report opens.
To see the License Inventory report from the Gateways & Servers view:
From the Gateways & Servers view, click Actions > License Report.
To filter the list of devices in the License Status report:
The Edit View Filter window opens.
The filtered list of devices shows.
To export the License Status report:
To see the License Status view from Logs & Monitor:
The License Status view opens.
To see a summary of Licenses from Gateways & Servers:
From the Gateways & Servers view, from the Columns menu, click Licenses.
A gateway cluster is a group of Security Gateways with Cluster software installed: ClusterXL, or another Clustering solution. Clustered gateways add redundancy through High Availability or Load Sharing.
An address range is a range of IP addresses on the network, defined by the lowest and the highest IP addresses. Use an Address Range object when you cannot define a range of IP addresses by a network IP and a net mask. The Address Range objects are also necessary for the implementation of NAT and VPN.
A Domain object lets you define a host or DNS domain by its name only. You do not need the IP address of the site. The name has the form x.y. For example mysite.com or mysite.co.uk. You can also configure the domain object to represent a pattern that will match all sub-domains. For example: *.mysite.com. This partial domain name will match all sub-domains of mysite.com.
Note - The gateway resolves partial names using DNS reverse lookups, which can be inaccurate and take some time.
After defining a domain object, you can use it in the source and destination columns of an access policy.
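Added example (my own code, not Check Point's) that models the matching semantics described above for Network objects (with and without the Broadcast IP address included), Address Range objects, and Domain objects with a *.mysite.com sub-domain pattern. The object dict format used by object_matches is a hypothetical one for this example, not the SmartConsole object database schema.

```python
import ipaddress

# Added example, not Check Point code: the matching semantics the page
# describes for Network, Address Range and Domain objects.

def network_matches(addr, network_ip, net_mask, include_broadcast=False):
    """Network object: network address + net mask. The broadcast address
    is a member only when the Broadcast IP address option is included."""
    net = ipaddress.ip_network(f"{network_ip}/{net_mask}", strict=False)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return False
    # /31 and /32 networks have no distinct broadcast address
    if net.num_addresses > 2 and ip == net.broadcast_address:
        return include_broadcast
    return True

def range_matches(addr, lowest, highest):
    """Address Range object: lowest and highest address, both inclusive."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_address(lowest) <= ip <= ipaddress.ip_address(highest)

def domain_matches(hostname, pattern):
    """Domain object: an exact name (mysite.com) or *.mysite.com for all
    sub-domains. Label-aware, so evilmysite.com does not match *.mysite.com
    and mysite.com itself is not one of its own sub-domains."""
    host = hostname.rstrip(".").lower()
    pat = pattern.rstrip(".").lower()
    if pat.startswith("*."):
        return host != pat[2:] and host.endswith("." + pat[2:])
    return host == pat

def object_matches(obj, value):
    """Dispatch on a constructed object dict (hypothetical format). A host
    name can only match a Domain object; IP-based objects need an IP."""
    kind = obj["type"]
    if kind == "domain":
        return domain_matches(value, obj["name"])
    if kind not in ("network", "range"):
        raise ValueError(f"unknown object type {kind!r}")
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False  # a host name never matches a Network or Address Range
    if kind == "network":
        return network_matches(value, obj["ip"], obj["mask"],
                               obj.get("broadcast_included", False))
    return range_matches(value, obj["lowest"], obj["highest"])
```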
A dynamic object is a "logical" object whose IP address is resolved differently per Security Gateway using the dynamic_objects command.
Dynamic Objects are predefined for the networks that are set with cpconfig when configuring the gateway. For more information see the Command Line Interface Reference Guide.
An Externally Managed Security Gateway or a Host is a gateway or a Host which has Check Point software installed on it. This Externally Managed gateway is managed by an external Security Management Server. While it does not receive the Check Point Security Policy, it can participate in Check Point VPN communities and solutions.
An Interoperable Device is a device that has no Check Point Software Blades installed. The Interoperable Device:
There are five types of VoIP Domain objects:
In many VoIP networks, the control signals follow a different route through the network than the media. This is the case when the call is managed by a signal routing device. In SIP, signal routing is done by the Redirect Server, Registrar, and/or Proxy. In H.323, signal routing is done by the Gatekeeper and/or Gateway.
Enforcing signal routing locations is an important aspect of VoIP security. It is possible to specify the endpoints that the signal routing device is allowed to manage. This set of locations is called a VoIP Domain. For more information refer to Command Line Interface Reference Guide.
A Logical Server is a group of machines that provides the same services. The workload of this group is distributed between all its members.
When a Server group is specified in the Servers group field, the client is bound to a physical server. In Persistent server mode, the client and the physical server remain bound for the duration of the session.
The load balancing algorithm stipulates how the traffic is balanced between the servers. There are several types of balancing methods: