Managing Administrator Accounts

To successfully manage security for a large network, we recommend that you first set up your administrative team, and delegate tasks.

Creating, Changing, or removing an Administrator

We recommend that you create administrator accounts in SmartConsole, with the procedure below or with the First Time Configuration Wizard.

If you create it through the SmartConsole, you can choose one of these authentication methods:

• Check Point Password
  Check Point password is a static password that is configured in SmartConsole. For administrators, the password is stored in the local database on the Security Management Server. For users, it is stored on the local database on the Security Gateway. No additional software is required.
• OS Password
  OS Password is stored on the operating system of the computer on which the Security Gateway (for users) or Security Management Server (for administrators) is installed. You can also use passwords that are stored in a Windows domain. No additional software is required.
• RADIUS
  Remote Authentication Dial-In User Service (RADIUS) is an external authentication method that provides security and scalability by separating the authentication function from the access server.

  Using RADIUS, the Security Gateway forwards authentication requests by remote users to the RADIUS server. For administrators, the Security Management Server forwards the authentication requests. The RADIUS server, which stores user account information, does the authentication.

  The RADIUS protocol uses UDP to communicate with the gateway or the Security Management Server.

  RADIUS servers and RADIUS server group objects are defined in SmartConsole.

• SecurID
  SecurID requires users to both possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA ACE/server and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices, while software tokens reside on the PC or device from which the user wants to authenticate. All tokens generate a random, one-time use access code that changes approximately every minute. When a user attempts to authenticate to a protected resource, the one-time use code must be validated by the ACE/server.

  Using SecurID, the Security Gateway forwards authentication requests by remote users to the ACE/server. For administrators, it is the Security Management Server that forwards the requests. ACE manages the database of RSA users and their assigned hard or soft tokens. The gateway or the Security Management Server act as an ACE/Agent 5.0 and direct all access requests to the RSA ACE/server for authentication. For additional information on agent configuration, refer to ACE/server documentation.

  There are no specific parameters required for the SecurID authentication method.

• TACACS
  Terminal Access Controller Access Control System (TACACS) provides access control for routers, network access servers and other networked devices through one or more centralized servers.

  TACACS is an external authentication method that provides verification services. Using TACACS, the Security Gateway forwards authentication requests by remote users to the TACACS server. For administrators, it is the Security Management Server that forwards the requests. The TACACS server, which stores user account information, authenticates users. The system supports physical card key devices or token cards and Kerberos secret key authentication. TACACS encrypts the user name, password, authentication services and accounting information of all authentication requests to ensure secure communication.

If you create an administrator through cpconfig, the Check Point Configuration Tool:

• Check Point Password is automatically configured as the authentication method.
• You must restart Check Point Services to activate the user.

To create an administrator account using SmartConsole:

1. Click Manage & Settings > Permissions and Administrators.

   The Administrators pane shows by default.

2. Click New Administrator.

   The New Administrators window opens.

3. Enter a unique name for the administrator account.

   Note - This parameter is case-sensitive.

4. Set the Authentication Method, or create a certificate, or the two of them.

   Note - If you do not do this, the administrator will not be able to log in to SmartConsole or other SmartConsole clients, such as SmartEvent.

   To define an Authentication Method:

   Select a method and follow the instructions in Configuring Authentication Methods for Administrators.

   To create a Certificate:

   In the Certificate Information section, click Create, enter a password, and save the certificate to a secure location.

5. Select a Permissions profile for this administrator, or create a new one.
6. Set the account Expiration date:
   • For a permanent administrator - select Never
   • For a temporary administrator - select an Expire At date from the calendar

   The default expiration date shows, as defined in the Default Expiration Settings. After the expiration date, the account is no longer authorized to access network resources and applications.

7. Optional: Configure Additional Info - Contact Details, Email and Phone Number of the administrator.
8. Click OK.

To change an existing administrator account:

1. Click Manage & Settings > Permissions and Administrators.
2. Double-click an administrator account.

   The Administrators properties window opens.

Configuring Default Expiration for Administrators

If you want to use the same expiration settings for multiple accounts, you can set the default expiration for administrator accounts. You can also choose to show notifications about the approaching expiration date at the time when an administrator logs into SmartConsole or one of the SmartConsole clients. The remaining number of days, during which the account will be alive, shows in the status bar.

To configure the default expiration settings:

1. Click Manage & Settings > Permissions and Administrators > Advanced.
2. Click Advanced.
3. In the Default Expiration Date section, select a setting:
   • Never expires
   • Expire at - Select the expiration date from the calendar control
   • Expire after - Enter the number of days, months, or years (from the day the account is made) before administrator accounts expire
4. In the Expiration notifications section, select Show 'about to expire' indication in administrators view and select the number of days in advance to show the message about the approaching expiration date.
5. Click Publish.

Deleting an Administrator

To make sure your environment is secure, it is best practice to delete administrator accounts when personnel leave or transfer.

To remove an administrator account:

1. Click Manage & Settings > Permissions and Administrators.

   The Administrators pane shows by default.

2. Select an administrator account and click Delete.
3. Click Yes in the confirmation window that opens.

Revoking Administrator Certificate

If an administrator that authenticates through a certificate is temporarily unable to fulfill administrator duties, you can revoke the certificate for the account. The administrator account remains, but no one can authenticate to the Security Management Server with this account's credentials, until you renew the certificate.

To revoke an administrator certificate:

1. Click Manage & Settings > Permissions and Administrators.
2. Select an administrator account and click Edit.
3. In General > Authentication, click Revoke.

Assigning Permission Profiles to Administrators

A permission profile is a predefined set of Security Management Server and SmartConsole administrative permissions that you can assign to administrators. You can assign a permission profile to more than one administrator. Only administrators with applicable permissions can create and manage permission profiles.

Creating and Changing Permission Profiles

Administrators with Super User permissions can create, edit, or delete permission profiles.

To create a new permission profile:

1. In SmartConsole, go to Manage & Settings > Permissions and Administrators > Permission Profiles.
2. Click New Profile.

   The New Profile window opens.

3. Enter a unique name for the profile.
4. Select a profile type:
   • Read/Write All - Administrators can make changes
   • Auditor (Read Only All) - Administrators can see information but cannot make changes
   • Customized - Configure custom settings
5. Click OK.

To change a permission profile:

1. In SmartConsole, go to Manage & Settings > Permissions and Administrators > Permission Profiles.
2. Double-click the profile to change.
3. In the Profile configuration window that opens, change the settings as needed.
4. Click Close.

To delete a permission profile:

1. In SmartConsole, go to Manage & Settings > Permissions and Administrators > Permission Profiles.
2. Select a profile and click Delete.

   You cannot delete a profile that is assigned to an administrator. To see which administrators use a profile, in the error message, click Where Used.

   If the profile is not assigned to administrators, a confirmation window opens.

3. Click Yes to confirm.

Configuring Customized Permissions

Configure administrator permissions for Access Control, Threat Prevention, Monitoring and Logging, Events and Reports, Management, and other permissions. For each resource, define if administrators that are configured with this profile can configure the feature or only see it.

Permissions:

• Not selected - The administrator cannot see the feature.

  Note - If you cannot clear a feature selection, the administrator access to it is mandatory and you cannot make it invisible

• Selected - The administrator can see the feature.
• Read - The administrator can see the feature but cannot make changes.
• Write - The administrator can see the feature and make changes.

Some resources do not have the Read or Write option. You can only select (for full permissions) or clear (for no permissions) these resources.

To configure customized permissions:

1. In the Profile object, in the Overview > Permissions section, select Customized.
2. Configure permissions in these pages of the Profile object:
   • Gateways - configure the Provisioning and the Scripts permissions.
   • Access Control - configure Access Control Policy permissions.
   • Threat Prevention - configure Threat Prevention Policy permissions.
   • Monitoring and Logging - configure permissions to generate and see logs and to use monitoring features.
   • Events and Reports - configure permissions for SmartEvent features.
   • Others - configure permissions for Common Objects, user databases, HTTPS Inspection features, and Client Certificates.
3. If this profile is for administrators with permissions to manage other administrator accounts, in the Management section, select Manage Administrators.
4. If this profile is for administrators with permissions to manage sessions, in the Management section, select Manage Sessions.
5. Click OK.

Permissions for Access Control and Threat Prevention

In the Profile object, select the features and the Read or Write administrator permissions for them.

Access Control

To edit a Layer, a user must have permissions for all Software Blades in the Layer.

• Actions
  • Install Policy - Install the Access Control Policy on Security Gateways.
  • Application Control and URL Filtering Update - Download and install new packages of applications and websites, to use in access rules.

Threat Prevention

• Actions
  • Install Policy - Install the Threat Prevention Policy on Security Gateways.
  • IPS Update - Download and install new packages for IPS protections.

Permissions for Monitoring, Logging, Events, and Reports

In the Profile object, select the features and the Read or Write administrator permissions for them.

Monitoring and Logging Features

These are some of the available features:

• Monitoring
• Management Logs
• Track Logs
• Application and URL Filtering Logs

Events and Reports Features

These are the permissions for the SmartEvent GUI:

• SmartEvent
  • Events - The Events tab
  • Policy - Events correlation on the Policy tab
  • Reports - Reports tab
• SmartEvent Application Control and URL Filtering reports only

Defining Trusted Clients

By default, any authenticated administrator can connect to the Security Management Server from any computer. To limit the access to a specified list of hosts, can configure Trusted Clients. You can configure Trusted Clients in these ways:

• Any - All hosts (default)
• IPv4 Address - A single host with specified IPv4 address
• IPv4 Address Range - Hosts with IPv4 addresses in the specified range
• IPv4 Netmask - Hosts with IPv4 addresses in the subnet defined by the specified IPv4 address and netmask
• IPv6 Address - A single host with specified IPv6 address
• IPv6 Address Range - Hosts with IPv6 addresses in the specified range
• IPv6 Netmask - Hosts with IPv6 addresses in the subnet defined by the specified IPv6 address and netmask
• Name - A host with the specified name
• Wild cards (IP only) - Hosts with IP addresses described by the specified regular expression

Configuring Trusted Clients

Administrators with Super User permissions can add, edit, or delete trusted clients.

To add a new trusted client:

1. In SmartConsole, go to Manage & Settings > Permissions and Administrators > Trusted Clients.
2. Click New.

   The New Trusted Client window opens.

3. Enter a unique name for the client.
4. Select a client type and configure corresponding values:
   • Any - No values to configure
   • IPv4 Address - Enter an IPv4 address of a host
   • IPv4 Address Range - Enter the first and the last address of an IPv4 address range
   • IPv4 Netmask - Enter the IPv4 address and the netmask
   • IPv6 Address - Enter an IPv6 address of a host
   • IPv6 Address Range - Enter the first and the last address of an IPv6 address range
   • IPv6 Netmask - Enter the IPv6 address and the netmask
   • Name - Enter a host name
   • Wild cards (IP only) - Enter a regular expression that describes a set of IP addresses
5. Click OK.

To change trusted client settings:

1. In SmartConsole, go to Manage & Settings > Permissions and Administrators > Trusted Clients.
2. Double-click the client you want to edit.
3. In the Trusted Client configuration window that opens, change the settings as needed.
4. Click OK.

To delete a permission profile:

1. In SmartConsole, go to Manage & Settings > Permissions and Administrators > Trusted Clients.
2. Select a trusted client and click Delete.

   The confirmation window opens.

3. Click Yes to confirm.

Administrator Collaboration

More than one administrator can connect to the Security Management Server at the same time. Every administrator has their own username, and works in a session that is independent of the other administrators.

When an administrator logs in to the Security Management Server through SmartConsole, a new editing session starts. The changes that the administrator makes during the session are only available to that administrator. Other administrators see a lock icon on object and rules that are being edited.

To make changes available to all administrators, and to unlock the objects and rules that are being edited, the administrator must publish the session.

Publishing

To make your changes available to other administrators, and to save the database before installing a policy, you must publish the session. When you publish a session, a new database version is created.

When you select Install Policy, you are prompted to publish all unpublished changes. You cannot install a policy if the included changes are not published.

Before you publish the session, you can add some informative attributes to it.

You can exit SmartConsole without publishing your changes You will see the changes next time you log into SmartConsole.

To publish a session:

In the SmartConsole toolbar, click Publish.

When a session is published, a new database version is created and shows in the list of database revisions.

Note - Before you upgrade the Security Management Server, you must save the database.

To add a name, description, or tag attribute to a session:

1. Before you publish, in the SmartConsole toolbar, click Session.

   The Session Details window opens.

2. Enter a name for the database version.
3. Enter a description.
4. Add a tag.
5. Click OK.

To save changes without publishing:

1. From the SmartConsole Menu, select Exit.
2. Click Exit.

Working with Sessions

To see session information:

Click Manage & Settings > Sessions > View Sessions.

When an administrator changes objects, they are saved and locked. To unlock the changed objects, the administrator must do one of these:

• Publish the session - to make the changes available to all the administrators
• Discard the session - to discard the changes

When an administrator that made changes and did not publish the session, is unavailable, and some important objects are locked, you can unlock that session, to continue working with those objects.

To unlock a session that was locked by another administrator:

• To apply session changes and disconnect the administrator's SmartConsole session: right-click the session and select Publish & Disconnect.
• To discard the session changes and disconnect the administrator's SmartConsole session: right-click the session and select Discard & Disconnect.

Working with Database Revisions

After you make changes, you must publish the session, to save changes to the database.

When you publish a session, a new database version is created and shows in the list of database revisions.

Before you publish the session, you can add some informative attributes to it.

To publish a session:

In the SmartConsole toolbar, click Publish.

When you publish a session, a new database version is created and shows in the list of database revisions.

Note - Before you upgrade the Security Management Server, you must save the database.

To add a name, description, or tag attribute to a session:

1. Before you publish, in the SmartConsole toolbar, click Session.

   The Session Details window opens.

2. Enter a name for the database version.
3. Enter a description.
4. Add a tag.
5. Click OK.

To see saved database versions:

In SmartConsole, go to Manage & Settings > Revisions.

To see the changes made during a specific session:

1. In the Manage & Settings > Revisions window, select a session.
2. Click View.

   A separate read-only SmartConsole session opens.

To delete all versions of the database that are older than the selected version:

1. In the Manage & Settings > Revisions window, select a session.
2. Click Purge.
3. In the confirmation window that opens, click Yes.

   Important - Deletion is irreversible. Older revisions are deleted permanently.

Configuring Authentication Methods for Administrators

These instructions show how to configure authentication methods for administrators. For users, see Configuring Authentication Methods for Users.

For background information about the authentication methods, see Authentication Methods for Users and Administrators.

Configuring Check Point Password Authentication for Administrators

These instructions show how to configure Check Point Password authentication for administrators.

To configure a Check Point password for a SmartConsole administrator:

1. Go to Manage & Settings > Permissions & Administrators > Administrators.
2. Click New.
3. The New Administrator window opens.
4. Give the administrator a name.
5. In Authentication method, select Check Point Password.
6. Click Set New Password, type the Password, and Confirm it.
7. Assign a Permission Profile.
8. Click OK.
9. Click Publish.

Configuring OS Password Authentication for Administrators

These instructions show how to configure OS Password Authentication for administrators.

To configure an OS password for a SmartConsole administrator:

1. Go to Manage & Settings > Permissions & Administrators > Administrators.
2. Click New.
3. The New Administrator window opens.
4. Give the administrator a name.
5. In Authentication method, select OS Password.
6. Assign a Permission Profile.
7. Click OK.
8. Click Publish.

Configuring a RADIUS Server for Administrators

These instructions show how to configure a RADIUS server for SmartConsole administrators. To learn how to configure a RADIUS server, refer to the vendor documentation.

To configure a RADIUS Server for a SmartConsole administrator:

1. In SmartConsole, click Objects > More Object Types > Server > More > New RADIUS.
2. Configure the RADIUS Server Properties:
   1. Give the server a Name. It can be any name.
   2. Click New and create a New Host with the IP address of the RADIUS server.
   3. Click OK.
   4. Make sure that this host shows in the Host field of the Radius Server Properties window.
   5. In the Shared Secret field, type the secret key that you defined previously on the RADIUS server.
   6. Click OK.
3. Add a new administrator:
   1. Go to Manage & Settings > Permissions & Administrators > Administrators.
   2. Click New.

      The New Administrator window opens.

   3. Give the administrator the name that is defined on the RADIUS server.
   4. Assign a Permission Profile.
   5. In Authentication method, select RADIUS.
   6. Select the RADIUS Server defined earlier.
   7. Click OK.
4. Click Publish.

Configuring a SecurID Server for Administrators

These instructions show how to configure a SecurID server for SmartConsole administrators. To learn how to configure a SecurID server, refer to the vendor documentation.

To configure the Security Management Server for SecurID:

1. Connect to the Security Management Server.
2. Copy the sdconf.rec file to the /var/ace/ folder

   If the folder does not exist, create the folder.

3. Give the sdconf.rec file full permissions. Run:

   chmod 777 sdconf.rec

To configure a SecurID Server for a SmartConsole administrator:

1. In SmartConsole, click Objects > More Object Types > Server > More > New SecurID.
2. Configure the SecurID Properties:
   1. Give the server a Name. It can be any name.
   2. Click Browse and select the sdconf.rec file. This must be a copy of the file that is on the Security Management Server.
   3. Click OK.
3. Add a new administrator:
   1. Go to Manage & Settings > Permissions & Administrators > Administrators.
   2. Click New.

      The New Administrator window opens.

   3. Give the administrator a name.
   4. Assign a Permission Profile.
   5. In Authentication method, select SecurID.
4. In the SmartConsole Menu, click Install Database.

Configuring a TACACS Server for Administrators

These instructions show how to configure a TACACS server for SmartConsole administrators. To learn how to configure a TACACS server, refer to the vendor documentation.

To configure a TACACS Server for a SmartConsole administrator:

1. In SmartConsole, click Objects > More Object Types > Server > More > New TACACS.
2. Configure the TACACS Server Properties:
   1. Give the server a Name. It can be any name.
   2. Click New and create a New Host with the IP address of the TACACS server.
   3. Click OK.
   4. Make sure that this host shows in the Host field of the TACACS Server Properties window.
   5. In the Shared Secret field, type the secret key that you defined previously on the TACACS server.
   6. Click OK.
3. Add a new administrator:
   1. Go to Manage & Settings > Permissions & Administrators > Administrators.
   2. Click New.

      The New Administrator window opens.

   3. Give the administrator the name that is defined on the TACACS server.
   4. Assign a Permission Profile.
   5. In Authentication method, select TACACS.
   6. Select the TACACS Server defined earlier.
   7. Click OK.
4. Click Publish.