Security Administration

Overview

Again, the SMS is the controller: multiple Security Gateways on different sites can be controlled by a single Security Management Server.

Communications are encrypted via TLS and the certificates

SmartConsole Objects

Objects are used in security policies and rules to define and control network flow.

  • Physical Components

    • Check Point Security Gateway and Management Servers

    • Domain Name Servers (DNS)

    • Demilitarized zones (DMZ)

    • Users

  • Logical Components

    • Check Point and third-party services

    • IP address ranges

    • Third-party applications

Object Types

Object Creation Methods

Workflow for Object Creation

  1. Specify general properties

  2. Initiate trusted communication

  3. Activate available Software Blades (license dependent)

Two objects cannot have the same name.

These objects can be created and then used later in Security Policy rules (e.g. a File Server at 10.20.10.3 with the MAC XXXXXXX).

Secure Trusted Communications

  • Secure Internal Communication

    • Define a one-time password to initialize SIC. The password must match the password defined when the device was installed.

  • Trusted Communication

Classic Mode - Manual Configuration

Administrator Management

Different Administrator accounts can be delegated via permissions.

Three default profiles:

Profile         Description
Super User      Full permissions, including management of other users and their sessions
Read Write All  Full Read and Write permissions
Read Only All   Full Read permissions only

Account properties

Users can authenticate and use credentials from other servers/services (e.g. a RADIUS server).

Administrator Collaboration

User login sessions can be seen by super users, along with all of the changes and actions those users make.

If someone is working on a rule/object, a lock icon is shown on the rule, indicating that someone is modifying that rule/object.

These sessions can be disconnected and cut off by super users; this applies to both GUI and CLI sessions.

Concurrent Policy Installation

  • One or more administrators can run different policy installation tasks on multiple gateways at the same time.

  • Five is the maximum number of policy installation tasks that run at the same time. Everything after that is queued.

  • Access Control must finish installing before Threat Management; Threat Management is always queued behind Access Control.
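The queuing rules above, written out as a small constructed model (an added example, not Check Point's implementation): at most five installation tasks run at once, later tasks wait in FIFO order, and a Threat Management install for a gateway waits while an Access Control install for the same gateway is running or queued ahead of it. The gateway names and the InstallTask/InstallScheduler classes are assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass, field

MAX_CONCURRENT = 5  # the stated limit on simultaneous policy installation tasks


@dataclass
class InstallTask:
    gateway: str
    policy: str  # "access_control" or "threat_management"


@dataclass
class InstallScheduler:
    """Constructed model of the queuing rules; not the product's own scheduler."""
    running: list = field(default_factory=list)
    queued: deque = field(default_factory=deque)

    def submit(self, task):
        self.queued.append(task)
        self._dispatch()

    def complete(self, task):
        # A finished task frees a slot, so re-check the queue in FIFO order
        self.running.remove(task)
        self._dispatch()

    def _access_control_pending(self, task):
        # Everything running, plus everything queued ahead of this task
        ahead = list(self.running)
        for t in self.queued:
            if t is task:
                break
            ahead.append(t)
        return any(t.gateway == task.gateway and t.policy == "access_control" for t in ahead)

    def _dispatch(self):
        for task in list(self.queued):
            if len(self.running) >= MAX_CONCURRENT:
                break  # everything after the fifth running task stays queued
            if task.policy == "threat_management" and self._access_control_pending(task):
                continue  # Threat Management waits for Access Control on the same gateway
            self.queued.remove(task)
            self.running.append(task)

    def state(self):
        return len(self.running), len(self.queued)


def demo():
    """Seven submissions against five slots; returns (running, queued) after each step."""
    sched, states = InstallScheduler(), []
    for gw in ("gw1", "gw2", "gw3", "gw4", "gw5"):
        sched.submit(InstallTask(gw, "access_control"))
    sched.submit(InstallTask("gw1", "threat_management"))
    sched.submit(InstallTask("gw6", "access_control"))
    states.append(sched.state())
    sched.complete(InstallTask("gw1", "access_control"))  # frees a slot, unblocks TM on gw1
    states.append(sched.state())
    sched.complete(InstallTask("gw2", "access_control"))  # freed slot goes to AC on gw6
    states.append(sched.state())
    return states
```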

All configuration changes to objects are logged as timestamped revisions.

Revisions let you roll the configuration back to an earlier state, much like a snapshot.

A backup SMS will not have the revisions of the main server.

  • Administrators can define an Approval Cycle for Sessions

    • This ensures configuration changes are reviewed and approved by multiple administrators before they are committed.

Practice Questions
