Open Security Extension (OSE) Devices

The Open Security Extension features let you manage third-party devices with the Check Point SmartConsole. The number of managed devices, both hardware and software packets, depends on your license. OSE devices commonly include hardware security devices for routing or dedicated Network Address Translation and Authentication appliances. Security devices are managed in the Security Policy as Embedded Devices.

The Security Management Server generates Access Lists from the Security Policy and downloads them to selected routers and open security devices. Check Point supports these devices:

| OSE Device    | Supported Versions     |
|---------------|------------------------|
| Cisco Systems | 9.x, 10.x, 11.x, 12.x  |

The Check Point Rule Base must not have these objects. If it does, the Security Management Server does not generate Access Lists.

  • Drop (in the Action column)

  • Encrypt (Action)

  • Alert (Action)

  • RPC (Service)

  • ACE (Service)

  • Authentication Rules

  • Negate Cell

Defining OSE Device Interfaces

OSE devices report their network interfaces and setup at boot time. Each OSE device has a different command to list its configuration. You must define at least one interface for each device, or Install Policy will fail.

To define an OSE Device

  1. From the Object Explorer, click New > More.

  2. Click Network Object > More > OSE Device.

  3. Enter the general properties (see OSE Device Properties Window - "General" Tab).

    We recommend that you also add the OSE device to the host lists on other servers: hosts (Linux) and lmhosts (Windows).

  4. Open the Topology tab and add the interfaces of the device.

    You can enable Anti-Spoofing on the external interfaces of the device. Double-click the interface. In the Interface Properties window > Topology tab, select External and Perform Anti-Spoofing.

  5. Open the Setup tab and define the OSE device and its administrator credentials (see Anti-Spoofing Parameters and OSE Devices Setup (Cisco)).

OSE Device Properties Window - "General" Tab

  • Name - The name of the OSE device, as it appears in the system database on the server.

  • IP Address - The device's IP address.

  • Get Address - Click this button to resolve the name to an address.

  • Comment - Text to show on the bottom of the Network Object window when this object is selected.

  • Color - Select a color from the drop-down list. The OSE device will be represented in the selected color in SmartConsole, for easier tracking and management.

  • Type - Select from the list of supported vendors.

Anti-Spoofing Parameters and OSE Devices Setup (Cisco)

For Cisco (Version 10.x and higher) devices, you must specify the direction of the filter rules generated from anti-spoofing parameters. The direction of enforcement is specified in the Setup tab of each router.

For Cisco routers, the direction of enforcement is defined by the Spoof Rules Interface Direction property.

Access List No - The number of Cisco access lists enforced. Cisco routers Version 12.x and below support an ACL number range from 101-200. Cisco routers Version 12.x and above support an ACL number range from 101-200 and also an ACL number range from 2000-2699. Entering an ACL number in this range enables support for more interfaces.

For each credential, select an option:

  • None - Credential is not needed.

  • Known - The administrator must enter the credentials.

  • Prompt - The administrator will be prompted for the credentials.

Username - The name required to log on to the OSE device.

Password - The Administrator password (Read only) as defined on the router.

Enable Username - The user name required to install Access Lists.

Enable Password - The password required to install Access Lists.

Version - The Cisco OSE device version (9.x, 10.x, 11.x, 12.x).

OSE Device Interface Direction - Installed rules are enforced on data packets traveling in this direction on all interfaces.

Spoof Rules Interface Direction - The spoof tracking rules are enforced on data packets traveling in this direction on all interfaces.
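
The constraints above (objects that stop Access List generation, the minimum of one interface, and the ACL number ranges) can be checked before Install Policy. The script below is an added example, not Check Point code: the rule and device dictionaries, their field names and the sample values are constructed for illustration and are not a Check Point export format, and Version 12.x is assumed to accept the 2000-2699 range.

```python
# Added example: pre-install checks for an OSE device, using the constraints on this page.
# The dict layouts are constructed for illustration; they are NOT a Check Point format.
BLOCKED_ACTIONS = {"Drop", "Encrypt", "Alert"}   # listed as (Action) on this page
BLOCKED_SERVICES = {"RPC", "ACE"}                # listed as (Service) on this page

def rule_blockers(rule):
    """Return the reasons this rule stops Access List generation."""
    reasons = []
    if rule.get("action") in BLOCKED_ACTIONS:
        reasons.append(f"action {rule['action']}")
    for svc in sorted(BLOCKED_SERVICES & set(rule.get("services", []))):
        reasons.append(f"service {svc}")
    if rule.get("authentication"):               # hypothetical flag
        reasons.append("authentication rule")
    # Hypothetical field: names of the columns whose cell is negated.
    for col in rule.get("negated_cells", []):
        reasons.append(f"negated {col} cell")
    return reasons

def acl_number_ok(acl_no, version):
    """101-200 for every version; 2000-2699 as well when the version is 12.x
    (assumption: 12.x is read as covered by the page's 'and above' sentence)."""
    major = int(version.split(".")[0])
    return 101 <= acl_no <= 200 or (major >= 12 and 2000 <= acl_no <= 2699)

def preflight(device, rulebase):
    """Collect every finding instead of stopping at the first one."""
    findings = []
    if not device.get("interfaces"):
        findings.append("no interface defined: Install Policy will fail")
    if not acl_number_ok(device["acl_no"], device["version"]):
        findings.append(
            f"ACL number {device['acl_no']} not valid for version {device['version']}")
    for number, rule in enumerate(rulebase, start=1):
        for reason in rule_blockers(rule):
            findings.append(f"rule {number}: {reason} blocks Access List generation")
    return findings

# Constructed sample data.
SAMPLE_DEVICE = {"name": "edge-rtr-1", "version": "11.x", "acl_no": 2001, "interfaces": []}
SAMPLE_RULEBASE = [
    {"action": "Accept", "services": ["http", "https"]},
    {"action": "Drop", "services": ["RPC"], "negated_cells": ["Source"]},
    {"action": "Accept", "services": ["telnet"], "authentication": True},
]

if __name__ == "__main__":
    for finding in preflight(SAMPLE_DEVICE, SAMPLE_RULEBASE):
        print(finding)
```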