Managing Administrator Accounts
To successfully manage security for a large network, we recommend that you first set up your administrative team, and delegate tasks.
Creating, Changing, or Removing an Administrator
We recommend that you create administrator accounts in SmartConsole, with the procedure below or with the First Time Configuration Wizard.
If you create the account through SmartConsole, you can choose one of these authentication methods:
- Check Point Password
Check Point password is a static password that is configured in SmartConsole. For administrators, the password is stored in the local database on the Security Management Server. For users, it is stored on the local database on the Security Gateway. No additional software is required.
- OS Password
OS Password is stored on the operating system of the computer on which the Security Gateway (for users) or Security Management Server (for administrators) is installed. You can also use passwords that are stored in a Windows domain. No additional software is required.
- RADIUS
Remote Authentication Dial-In User Service (RADIUS) is an external authentication method that provides security and scalability by separating the authentication function from the access server.
Using RADIUS, the Security Gateway forwards authentication requests by remote users to the RADIUS server. For administrators, the Security Management Server forwards the authentication requests. The RADIUS server, which stores user account information, does the authentication.
The RADIUS protocol uses UDP to communicate with the gateway or the Security Management Server. RADIUS obscures only the password attribute with the shared secret; the rest of each packet is sent in cleartext. Use a long, random shared secret and keep the path between the Security Management Server and the RADIUS server on a trusted network.
RADIUS servers and RADIUS server group objects are defined in SmartConsole.
- SecurID
SecurID requires users to both possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA ACE/server and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices, while software tokens reside on the PC or device from which the user wants to authenticate. All tokens generate a random, one-time use access code that changes approximately every minute. When a user attempts to authenticate to a protected resource, the one-time use code must be validated by the ACE/server.
Using SecurID, the Security Gateway forwards authentication requests by remote users to the ACE/server. For administrators, it is the Security Management Server that forwards the requests. ACE manages the database of RSA users and their assigned hard or soft tokens. The gateway or the Security Management Server acts as an ACE/Agent 5.0 and directs all access requests to the RSA ACE/server for authentication. For additional information on agent configuration, refer to the ACE/server documentation.
There are no specific parameters required for the SecurID authentication method.
- TACACS
Terminal Access Controller Access Control System (TACACS) provides access control for routers, network access servers and other networked devices through one or more centralized servers.
TACACS is an external authentication method that provides verification services. Using TACACS, the Security Gateway forwards authentication requests by remote users to the TACACS server. For administrators, it is the Security Management Server that forwards the requests. The TACACS server, which stores user account information, authenticates users. The system supports physical card key devices or token cards and Kerberos secret key authentication. TACACS+ encrypts the body of every packet (user name, password, authentication service and accounting information) with the shared secret; the original TACACS protocol sends these fields in cleartext, so the encryption applies only when the server speaks TACACS+.
If you create an administrator through cpconfig, the Check Point Configuration Tool:
- Check Point Password is automatically configured as the authentication method.
- You must restart Check Point Services to activate the user.
To create an administrator account using SmartConsole:
- Click .
The pane shows by default.
- Click .
The window opens.
- Enter a unique name for the administrator account.
Note - This parameter is case-sensitive.
- Set the Authentication Method, or create a certificate, or both.
Note - If you do not do this, the administrator will not be able to log in to SmartConsole or other SmartConsole clients, such as SmartEvent.
To define an Authentication Method:
Select a method and follow the instructions in Configuring Authentication Methods for Administrators.
To create a Certificate:
In the section, click , enter a password, and save the certificate to a secure location.
- Select a profile for this administrator, or create a new one.
- Set the account expiration date:
- For a permanent administrator - select
- For a temporary administrator - select a date from the calendar
The default expiration date shows, as defined in the Default Expiration Settings. After the expiration date, the account is no longer authorized to access network resources and applications.
- Optional: Configure , and of the administrator.
- Click .
To change an existing administrator account:
- Click > .
- Double-click an administrator account.
The properties window opens.
Configuring Default Expiration for Administrators
If you want to use the same expiration settings for multiple accounts, set a default expiration for administrator accounts. You can also show a notification about the approaching expiration date when an administrator logs in to SmartConsole or one of the SmartConsole clients. The number of days remaining until the account expires shows in the status bar.
To configure the default expiration settings:
- Click .
- Click .
- In the section, select a setting:
- - Select the expiration date from the calendar control
- - Enter the number of days, months, or years (from the day the account is made) before administrator accounts expire
- In the section, select and select the number of to show the message about the approaching expiration date.
- Click .
Deleting an Administrator
To make sure your environment is secure, it is best practice to delete administrator accounts when personnel leave or transfer.
To remove an administrator account:
- Click > .
The pane shows by default.
- Select an administrator account and click .
- Click in the confirmation window that opens.
Revoking Administrator Certificate
If an administrator that authenticates through a certificate is temporarily unable to fulfill administrator duties, you can revoke the certificate for the account. The administrator account remains, but no one can authenticate to the Security Management Server with this account's credentials, until you renew the certificate.
To revoke an administrator certificate:
- Click > .
- Select an administrator account and click .
- In > , click .
Assigning Permission Profiles to Administrators
A permission profile is a predefined set of Security Management Server and SmartConsole administrative permissions that you can assign to administrators. You can assign a permission profile to more than one administrator. Only administrators with applicable permissions can create and manage permission profiles.
Creating and Changing Permission Profiles
Administrators with Super User permissions can create, edit, or delete permission profiles.
To create a new permission profile:
- In SmartConsole, go to .
- Click .
The window opens.
- Enter a unique name for the profile.
- Select a profile type:
- Click .
To change a permission profile:
- In SmartConsole, go to .
- Double-click the profile to change.
- In the configuration window that opens, change the settings as needed.
- Click .
To delete a permission profile:
- In SmartConsole, go to .
- Select a profile and click .
You cannot delete a profile that is assigned to an administrator. To see which administrators use a profile, in the error message, click .
If the profile is not assigned to administrators, a confirmation window opens.
- Click to confirm.
Configuring Customized Permissions
Configure administrator permissions for , , , , , and other permissions. For each resource, define if administrators that are configured with this profile can configure the feature or only see it.
Permissions:
Some resources do not have the Read or Write option. You can only select (for full permissions) or clear (for no permissions) these resources.
To configure customized permissions:
- In the object, in the section, select .
- Configure permissions in these pages of the object:
- If this profile is for administrators with permissions to manage other administrator accounts, in the section, select .
- If this profile is for administrators with permissions to manage sessions, in the section, select .
- Click .
Permissions for Access Control and Threat Prevention
In the object, select the features and the Read or Write administrator permissions for them.
To edit a Layer, an administrator must have permissions for all Software Blades in the Layer.
- - Install the Access Control Policy on Security Gateways.
- - Download and install new packages of applications and websites, to use in access rules.
- - Install the Threat Prevention Policy on Security Gateways.
- Download and install new packages for IPS protections.
Permissions for Monitoring, Logging, Events, and Reports
In the object, select the features and the Read or Write administrator permissions for them.
Monitoring and Logging Features
These are some of the available features:
Events and Reports Features
These are the permissions for the SmartEvent GUI:
- - The Events tab
- - Events correlation on the Policy tab
- - Reports tab
Defining Trusted Clients
By default, any authenticated administrator can connect to the Security Management Server from any computer. To limit access to a specified list of hosts, you can configure . You can configure in these ways:
- - All hosts (default)
- - A single host with specified IPv4 address
- - Hosts with IPv4 addresses in the specified range
- - Hosts with IPv4 addresses in the subnet defined by the specified IPv4 address and netmask
- - A single host with specified IPv6 address
- - Hosts with IPv6 addresses in the specified range
- - Hosts with IPv6 addresses in the subnet defined by the specified IPv6 address and netmask
- - A host with the specified name
- - Hosts with IP addresses described by the specified regular expression
Configuring Trusted Clients
Administrators with Super User permissions can add, edit, or delete trusted clients.
To add a new trusted client:
- In SmartConsole, go to .
- Click .
The window opens.
- Enter a unique name for the client.
- Select a client type and configure corresponding values:
- - No values to configure
- - Enter an IPv4 address of a host
- - Enter the first and the last address of an IPv4 address range
- - Enter the IPv4 address and the netmask
- - Enter an IPv6 address of a host
- - Enter the first and the last address of an IPv6 address range
- - Enter the IPv6 address and the netmask
- - Enter a host name
- - Enter a regular expression that describes a set of IP addresses
- Click .
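The trusted-client types listed above, and the values the add procedure asks for, can be modelled as a small evaluator: given the list of trusted-client objects, decide whether a SmartConsole connection from a given source is admitted. The following is an added example written for this page, not Check Point's implementation. The type labels (`any`, `ipv4`, `ipv4-range`, `ipv4-netmask`, `ipv6`, `ipv6-range`, `ipv6-netmask`, `name`, `wildcard`), the `TrustedClient` and `trusted_by` names and the sample list are this example's own; for the "name" type the caller supplies the connecting host's resolved name, where the product resolves it server-side.

```python
"""Model of the trusted-client types on this page: decide whether a
SmartConsole connection from a given source address may reach the Security
Management Server. Added example, not Check Point's implementation. The
"name" type is matched against a host name the caller supplies (the product
resolves it itself), so the check runs offline."""
import ipaddress
import re


def _prefixlen(netmask):
    """Accept a prefix length ("24", "64") or a dotted/colon netmask string."""
    if netmask.isdigit():
        return int(netmask)
    return bin(int(ipaddress.ip_address(netmask))).count("1")


class TrustedClient:
    """One trusted-client object. `ctype` is one of: any, ipv4, ipv4-range,
    ipv4-netmask, ipv6, ipv6-range, ipv6-netmask, name, wildcard (labels chosen
    for this example, not the product's own)."""

    def __init__(self, name, ctype, **values):
        self.name, self.ctype, self.values = name, ctype, values

    def matches(self, ip, host_name=None):
        addr = ipaddress.ip_address(ip)
        v, t = self.values, self.ctype
        if t == "any":
            return True
        if t in ("ipv4", "ipv6"):
            return addr == ipaddress.ip_address(v["address"])
        if t in ("ipv4-range", "ipv6-range"):
            lo, hi = ipaddress.ip_address(v["first"]), ipaddress.ip_address(v["last"])
            # Ordering a v4 against a v6 address raises TypeError: check the family first.
            return addr.version == lo.version and lo <= addr <= hi
        if t in ("ipv4-netmask", "ipv6-netmask"):
            net = ipaddress.ip_network(
                "%s/%d" % (v["address"], _prefixlen(v["netmask"])), strict=False)
            return addr.version == net.version and addr in net
        if t == "name":
            # Only as strong as the name resolution behind it.
            return host_name is not None and host_name.lower() == v["host_name"].lower()
        if t == "wildcard":
            # Regular expression over the textual address. fullmatch anchors it,
            # so a pattern for 10.1.x.x cannot also admit 10.10.x.x.
            return re.fullmatch(v["pattern"], ip) is not None
        raise ValueError("unknown trusted client type %r" % t)


def trusted_by(clients, ip, host_name=None):
    """Name of the first trusted-client object that admits the source, else None."""
    for client in clients:
        if client.matches(ip, host_name):
            return client.name
    return None


# Constructed sample list: a jump host, the SOC subnet, two IPv6 entries,
# a bastion matched by name and a lab range matched by regular expression.
SAMPLE_CLIENTS = [
    TrustedClient("jump-host", "ipv4", address="10.1.2.3"),
    TrustedClient("soc-lan", "ipv4-netmask", address="192.0.2.0", netmask="255.255.255.0"),
    TrustedClient("dc-range", "ipv6-range", first="2001:db8::10", last="2001:db8::20"),
    TrustedClient("v6-lan", "ipv6-netmask", address="2001:db8:1::", netmask="64"),
    TrustedClient("bastion", "name", host_name="bastion.corp.example"),
    TrustedClient("lab", "wildcard", pattern=r"10\.99\.\d+\.\d+"),
]

if __name__ == "__main__":
    for src in ("10.1.2.3", "192.0.2.77", "2001:db8::15", "10.99.4.5", "203.0.113.9"):
        print(src, "->", trusted_by(SAMPLE_CLIENTS, src))
```

Two points the model makes visible: a regular-expression entry is matched against the address text, so anchor it (or keep to the address types) to avoid admitting more than intended, and a name entry is only as trustworthy as the resolution that produced the name. Note also that the default "All hosts" entry admits everything, so restricting access means removing it as well as adding the specific entries.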
To change trusted client settings:
- In SmartConsole, go to .
- Double-click the client you want to edit.
- In the configuration window that opens, change the settings as needed.
- Click .
To delete a trusted client:
- In SmartConsole, go to .
- Select a trusted client and click .
The confirmation window opens.
- Click to confirm.
Administrator Collaboration
More than one administrator can connect to the Security Management Server at the same time. Every administrator has their own username, and works in a session that is independent of the other administrators.
When an administrator logs in to the Security Management Server through SmartConsole, a new editing session starts. The changes that the administrator makes during the session are only available to that administrator. Other administrators see a lock icon on objects and rules that are being edited.
To make changes available to all administrators, and to unlock the objects and rules that are being edited, the administrator must publish the session.
Publishing
To make your changes available to other administrators, and to save the database before installing a policy, you must publish the session. When you publish a session, a new database version is created.
When you select , you are prompted to publish all unpublished changes. You cannot install a policy if the included changes are not published.
Before you publish the session, you can add some informative attributes to it.
You can exit SmartConsole without publishing your changes; you will see them the next time you log in to SmartConsole. Until you publish or discard them, the objects and rules you changed stay locked for other administrators.
To publish a session:
In the toolbar, click .
When a session is published, a new database version is created and shows in the list of database revisions.
Note - Before you upgrade the Security Management Server, you must save the database.
To add a name, description, or tag attribute to a session:
- Before you publish, in the toolbar, click .
The window opens.
- Enter a name for the database version.
- Enter a description.
- Add a tag.
- Click .
To save changes without publishing:
- From the SmartConsole , select .
- Click .
Working with Sessions
To see session information:
Click .
When an administrator changes objects, they are saved and locked. To unlock the changed objects, the administrator must do one of these:
- Publish the session - to make the changes available to all the administrators
- Discard the session - to discard the changes
If an administrator who made changes but did not publish the session is unavailable, and objects you need are locked by that session, you can unlock (take over) the session to continue working with those objects.
To unlock a session that was locked by another administrator:
- To apply session changes and disconnect the administrator's SmartConsole session: right-click the session and select .
- To discard the session changes and disconnect the administrator's SmartConsole session: right-click the session and select .
Working with Database Revisions
After you make changes, you must publish the session to save the changes to the database.
When you publish a session, a new database version is created and shows in the list of database revisions (see Publishing above for how to publish a session and how to name, describe, or tag the version).
To see saved database versions:
In SmartConsole, go to .
To see the changes made during a specific session:
- In the window, select a session.
- Click .
A separate read-only SmartConsole session opens.
To delete all versions of the database that are older than the selected version:
- In the window, select a session.
- Click .
- In the confirmation window that opens, click .
Important - Deletion is irreversible. Older revisions are deleted permanently.
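The session, lock, publish, take-over and revision rules in Administrator Collaboration, Working with Sessions and Working with Database Revisions can be stated precisely as a small state model. The following is an added example written for this page, not Check Point's code; the `ManagementDB`, `Session`, `LockedError` names and the revision numbering are this example's own. It shows the behaviour the text describes: an object changed in one unpublished session is invisible to, and locked for, everyone else until that session is published, discarded, or taken over.

```python
"""Model of SmartConsole sessions, object locks, publishing, take-over and
revision purging. Added example for this page, not Check Point's code."""


class LockedError(Exception):
    """Raised when a session edits an object another session has changed."""


class ManagementDB:
    """Published revisions plus the lock table shared by all sessions."""

    def __init__(self):
        self.revisions = [{"rev": 1, "by": "system", "name": "initial", "objects": {}}]
        self.locks = {}      # object name -> Session holding an unpublished change
        self.sessions = {}

    @property
    def published(self):
        return self.revisions[-1]["objects"]

    def login(self, admin):
        """Each login starts an independent editing session."""
        sid = "%s-%d" % (admin, len(self.sessions) + 1)
        self.sessions[sid] = Session(self, sid, admin)
        return self.sessions[sid]

    def delete_older_than(self, rev):
        """Permanently drop every revision older than rev; returns how many remain."""
        self.revisions = [r for r in self.revisions if r["rev"] >= rev]
        return len(self.revisions)


class Session:
    def __init__(self, db, sid, admin):
        self.db, self.sid, self.admin = db, sid, admin
        self.changes = {}    # this session's private, unpublished edits
        self.active = True

    def view(self, obj):
        """What this administrator sees: own unpublished edit, else the published value."""
        return self.changes.get(obj, self.db.published.get(obj))

    def edit(self, obj, value):
        holder = self.db.locks.get(obj)
        if holder is not None and holder is not self:
            raise LockedError("%s is locked by %s (session %s)" % (obj, holder.admin, holder.sid))
        self.db.locks[obj] = self
        self.changes[obj] = value

    def _release(self):
        for obj in self.changes:
            self.db.locks.pop(obj, None)
        self.changes = {}

    def publish(self, name=None):
        """New revision = last published state + this session's changes; unlocks them."""
        objects = dict(self.db.published)
        objects.update(self.changes)
        rev = self.db.revisions[-1]["rev"] + 1
        self.db.revisions.append({"rev": rev, "by": self.admin, "name": name, "objects": objects})
        self._release()
        return rev

    def discard(self):
        """Drop the unpublished changes and release their locks."""
        self._release()

    def take_over(self, other, keep_changes):
        """Unlock another administrator's session: publish or discard its changes,
        and disconnect that SmartConsole session either way."""
        if keep_changes:
            other.publish(name="taken over by %s" % self.admin)
        else:
            other.discard()
        other.active = False


if __name__ == "__main__":
    db = ManagementDB()
    alice, bob = db.login("alice"), db.login("bob")
    alice.edit("Host_A", "10.0.0.1")          # bob now sees a locked Host_A
    print("bob sees:", bob.view("Host_A"))     # None until alice publishes
    print("revision:", alice.publish("add Host_A"), "bob sees:", bob.view("Host_A"))
```

The take-over step is the one to handle with care: taking over with "keep changes" publishes whatever the absent administrator had half-finished, so review the session's changes first; taking over with "discard" throws that work away. Either way the absent administrator's SmartConsole session is disconnected.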
Configuring Authentication Methods for Administrators
These instructions show how to configure authentication methods for administrators. For users, see Configuring Authentication Methods for Users.
For background information about the authentication methods, see Authentication Methods for Users and Administrators.
Configuring Check Point Password Authentication for Administrators
These instructions show how to configure Check Point Password authentication for administrators.
To configure a Check Point password for a SmartConsole administrator:
- Go to > > .
- Click .
- The window opens.
- Give the administrator a name.
- In , select Check Point Password.
- Click , type the , and it.
- Assign a .
- Click .
- Click .
Click .
Configuring OS Password Authentication for Administrators
These instructions show how to configure OS Password Authentication for administrators.
To configure an OS password for a SmartConsole administrator:
- Go to > > .
- Click .
- The window opens.
- Give the administrator a name.
- In , select OS Password.
- Assign a .
- Click .
- Click .
Click .
Configuring a RADIUS Server for Administrators
These instructions show how to configure a RADIUS server for SmartConsole administrators. To learn how to configure a RADIUS server, refer to the vendor documentation.
To configure a RADIUS Server for a SmartConsole administrator:
- In SmartConsole, click > > > > .
- Configure the :
- Give the server a . It can be any name.
- Click and create a with the of the RADIUS server.
- Click .
- Make sure that this host shows in the field of the window.
- In the field, type the secret key that you defined previously on the RADIUS server.
- Click .
- Add a new administrator:
- Go to > > .
- Click .
The window opens.
- Give the administrator the name that is defined on the RADIUS server.
- Assign a .
- In , select RADIUS.
- Select the defined earlier.
- Click .
- Click .
Configuring a SecurID Server for Administrators
These instructions show how to configure a SecurID server for SmartConsole administrators. To learn how to configure a SecurID server, refer to the vendor documentation.
To configure the Security Management Server for SecurID:
- Connect to the Security Management Server.
- Copy the sdconf.rec file to the /var/ace/ folder. If the folder does not exist, create the folder.
- Give the sdconf.rec file full permissions. Run: chmod 777 sdconf.rec
Note - Mode 777 makes sdconf.rec readable and writable by every local account on the server. Treat shell access to the Security Management Server accordingly, because anyone who can replace this file can repoint the agent at a different ACE/server.
To configure a SecurID Server for a SmartConsole administrator:
- In SmartConsole, click > > > > .
- Configure the :
- Give the server a . It can be any name.
- Click and select the sdconf.rec file. This must be a copy of the file that is on the Security Management Server.
- Click .
- Add a new administrator:
- Go to > > .
- Click .
The window opens.
- Give the administrator a name.
- Assign a .
- In , select SecurID.
- In the SmartConsole Menu, click .
Configuring a TACACS Server for Administrators
These instructions show how to configure a TACACS server for SmartConsole administrators. To learn how to configure a TACACS server, refer to the vendor documentation.
To configure a TACACS Server for a SmartConsole administrator:
- In SmartConsole, click > > > > .
- Configure the :
- Give the server a . It can be any name.
- Click and create a with the of the TACACS server.
- Click .
- Make sure that this host shows in the field of the window.
- In the field, type the secret key that you defined previously on the TACACS server.
- Click .
- Add a new administrator:
- Go to > > .
- Click .
The window opens.
- Give the administrator the name that is defined on the TACACS server.
- Assign a .
- In , select TACACS.
- Select the defined earlier.
- Click .
- Click .
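The administrator-creation procedures on this page (Creating an administrator account, and the Check Point Password, OS Password, RADIUS, SecurID and TACACS procedures above) can also be scripted against the Management API, which is how a team that onboards administrators regularly avoids clicking through SmartConsole for each one. The following is an added example written for this page, not Check Point's own code. It assumes the standard web_api flow (POST to `https://<server>/web_api/<command>`, a `sid` returned by `login` and sent back in the `X-chkp-sid` header), that `add-administrator` accepts the `name`, `permissions-profile`, `authentication-method`, `password`, `must-change-password`, `radius-server`, `tacacs-server` and `expiration-date` parameters with the method strings used in `AUTH_METHODS`, and that `add-host` and `add-radius-server` accept the parameters shown; verify all of these against the API reference for your release. The server name, administrator names, addresses and secrets are placeholders.

```python
"""Create SmartConsole administrators through the Check Point Management API.
Added example for this page, not Check Point's code; the parameter names and
authentication-method strings are assumptions to verify against the API
reference. Request bodies are built by pure functions so the per-method checks
run without a live server; only MgmtClient talks to the network."""
import json
import ssl
import urllib.request

# Assumed API strings for the methods on this page, mapped to the one extra
# add-administrator parameter each method needs.
AUTH_METHODS = {
    "check point password": {"password"},
    "os password": set(),
    "radius": {"radius-server"},
    "securid": set(),
    "tacacs": {"tacacs-server"},
}


def administrator_body(name, profile, method, expires=None, params=None):
    """Body for add-administrator. Requires the parameter the chosen method
    needs and rejects parameters of other methods (for example a static
    password on a RADIUS administrator, which would silently widen who can log in)."""
    method = method.lower()
    params = dict(params or {})
    if method not in AUTH_METHODS:
        raise ValueError("unknown authentication method: %r" % method)
    required = AUTH_METHODS[method]
    missing = required - set(params)
    if missing:
        raise ValueError("%s requires %s" % (method, ", ".join(sorted(missing))))
    stray = set(params) - required
    if stray:
        raise ValueError("%s does not use %s" % (method, ", ".join(sorted(stray))))
    body = {"name": name, "permissions-profile": profile, "authentication-method": method}
    body.update(params)
    if method == "check point password":
        body["must-change-password"] = True   # bootstrap secret must not become permanent
    if expires:
        body["expiration-date"] = expires     # temporary administrator (assumed yyyy-MM-dd)
    return body


def radius_objects(server_name, host_name, ip, shared_secret):
    """The two objects the RADIUS procedure creates before the administrator:
    a host object for the RADIUS server and the RADIUS server object using it."""
    return [
        ("add-host", {"name": host_name, "ip-address": ip}),
        ("add-radius-server", {"name": server_name, "server": host_name,
                               "shared-secret": shared_secret}),
    ]


class MgmtClient:
    """Minimal Management API session: login, call, publish, logout."""

    def __init__(self, server, verify_tls=True):
        self.base = "https://%s/web_api/" % server
        self.sid = None
        self.ctx = ssl.create_default_context()
        if not verify_tls:
            # Lab use only: with verification off, anyone on the path can read
            # the administrator password and the session id.
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def call(self, command, body=None):
        req = urllib.request.Request(self.base + command, data=json.dumps(body or {}).encode(),
                                     headers={"Content-Type": "application/json"})
        if self.sid:
            req.add_header("X-chkp-sid", self.sid)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read().decode())

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def publish(self):
        return self.call("publish")   # changes stay private to this session until published

    def logout(self):
        return self.call("logout")


def create_radius_administrator(client, admin, profile, radius_name, host_name, ip, secret):
    """The RADIUS procedure end to end: server objects, the administrator bound
    to them (its name must match the user defined on the RADIUS server), publish."""
    for command, body in radius_objects(radius_name, host_name, ip, secret):
        client.call(command, body)
    client.call("add-administrator",
                administrator_body(admin, profile, "radius", params={"radius-server": radius_name}))
    return client.publish()


if __name__ == "__main__":
    c = MgmtClient("mgmt.example.net")       # placeholder server and credentials
    c.login("admin", "replace-me")
    try:
        print(create_radius_administrator(c, "ops-admin", "Read Only All", "RADIUS-1",
                                          "radius-host", "10.0.0.5", "replace-me"))
    finally:
        c.logout()
```

For a Check Point Password or OS Password administrator, call `administrator_body` with the corresponding method and skip the server objects; for TACACS, replace `radius_objects` with the equivalent host and TACACS server objects and pass `tacacs-server` in `params`. Whatever the method, the account only becomes visible to other administrators after `publish`, and a RADIUS or TACACS administrator cannot log in until the server object it references exists.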