
SmartLSM Guide

NGX (R60)

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at

https://secureknowledge.checkpoint.com
See the latest version of this document in the User Center at

http://www.checkpoint.com/support/technical/documents/docs_r60.html

Part No.: 701316 May 2005

2003-2005 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:


Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
2003-2005 Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

THIRD PARTIES:
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust. Verisign is a trademark of Verisign Inc. The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided as is without express or implied warranty. Copyright Sax Software (terminal emulation only). The following statements refer to those portions of the software copyrighted by Carnegie Mellon University. Copyright 1997 by Carnegie Mellon University. All Rights Reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. The following statements refer to those portions of the software copyrighted by The Open Group. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND

NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright 1998 The Open Group. The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. GDChart is free for use in your applications and for chart generation. YOU MAY NOT redistribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001.
Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to gdft.c copyright 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.

Check Point Software Technologies Ltd.

U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, info@CheckPoint.com International Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com
You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 The curl license COPYRIGHT AND PERMISSION NOTICE Copyright (c) 1996 - 2004, Daniel Stenberg, <daniel@haxx.se>. All rights reserved. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder. The PHP License, version 3.0 Copyright (c) 1999 - 2004 The PHP Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net. 4.
Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo" 5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP, freely available from <http://www.php.net/>". THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at group@php.net. For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>. This product includes software written by Tim Hudson (tjh@cryptsoft.com). Copyright (c) 2003, Itai Tzur <itzur@actcom.co.il> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved. Confidential Copyright Notice Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop.
Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed. Trademark Notice The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.

U.S. Government Restricted Rights The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987). Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations. Warranty Disclaimer THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.
Limitation of Liability UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU. Copyright ComponentOne, LLC 1991-2002. All Rights Reserved. BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")) Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release

PCRE LICENCE PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself. Written by: Philip Hazel <ph10@cam.ac.uk> University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714. Copyright (c) 1997-2004 University of Cambridge All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Table Of Contents

Chapter 1 Introduction to SmartLSM
    Introduction 11
    Supported Platforms 11
    SmartLSM Overview 12
        SmartLSM Profiles & ROBO Gateway Objects 13
        Policy Management 13
        Policy Localization
        Dynamic Objects 15
        VPN 16
        CO Gateway 18
        Convert 19
        Upgrade 19
        VPN-1 Edge/Embedded Integration 20
        Supported Features 20
        Unsupported Features and Known Limitations 21

Chapter 2 Installation
    Overview 23
    Installing SVN Foundation 23
    Installing the SmartCenter Server 24
    Installing a Check Point ROBO Gateway 24
    Installing the CO Gateway 24
    Installing SmartLSM 24

Chapter 3 Configuration
    SmartLSM Overview 25
    Logging into SmartLSM 26
    Working with the SmartLSM GUI 28
        Gateways List Pane 30
        Status View Action Status Tab 31
        Status View Critical Notifications Tab 31
        Menus and Toolbars 32
            Menus 32
            Toolbar 36
    Adding a New VPN-1 Express/Pro ROBO Gateway 36
    Adding a VPN-1 Edge/Embedded ROBO Gateway 38
    Editing a VPN-1 Express/Pro ROBO Gateway 39
    Editing a VPN-1 Edge/Embedded Gateway 48
    Updating a CO Gateway 55
    Modifying Policies 55
    Managing VPN-1 Edge/Embedded Objects in SmartLSM 56
        VPN Creation using VPN-1 Edge/Embedded Objects via SmartLSM 57
        Adding a VPN-1 Edge/Embedded ROBO Gateway to VPN 57
        Special Considerations for VPN Routing 58
        ROBO Clusters 59
        Creating VPN Rules for VPN-1 Edge/Embedded Objects 63
        Downloading a Security Policy to a VPN-1 Edge/Embedded ROBO Gateway from the VPN-1 Edge/Embedded Portal 64
        Verifying Security Policy Download to the VPN-1 Edge/Embedded ROBO Gateway 64
        Downloading a Security Policy to a VPN-1 Edge/Embedded ROBO Gateway from SmartLSM 65
    Deleting a ROBO Gateway Object 65
    Upgrading / Importing / Migrating SmartLSM Configurations 65
    Push Actions for a Gateway 65
    Profiles and Policies 66
        Defining Check Point SmartLSM Profiles 66
        Defining Policies for the SmartLSM Profile Objects 67
        Defining Policy Allowing VPN from ROBO Gateway to CO Gateway 68
        Working with a Default Profile 69
        Defining a Policy to the Gateway that Protects the SmartCenter Server 69
    Working with Dynamic Objects 70
        Enforcing Predefined Dynamic Objects in the Rule Base 70
        Creating User-defined Dynamic Objects 71
    Status Information 72

Chapter 4 Command Line Reference
    Introduction 73
    Help 73
    CLI Actions 74
        AddROBO VPN1 75
        AddROBO VPN1Edge 77
        ModifyROBO VPN1 79
        ModifyROBO VPN1Edge 80
        ModifyROBOManualVPNDomain 82
        ModifyROBOTopology VPN1 82
        ModifyROBOTopology VPN1Edge 83
        ModifyROBOInterface VPN1 84
        ModifyROBOInterface VPN1Edge 85
        AddROBOInterface VPN1 86
        DeleteROBOInterface VPN1 87
        ResetSic 87
        ResetIke 88
        ExportIke 89
        UpdateCO 90
        Remove 91
        Show 91
        ModifyROBOConfigScript 92
        ShowROBOConfigScript 93
        ShowROBOTopology 94
    SmartUpdate Actions for a ROBO Gateway 95
        Install 95
        Uninstall 96
        VerifyInstall 97
        Distribute 98
        Upgrade 99
        VerifyUpgrade 99
        GetInfo 100
        ShowInfo 100
        ShowRepository 101
        Stop 101
        Start 102
        Restart 102
        Reboot 103
    Push Actions 103
        PushPolicy 103
        PushDOs 104
        GetStatus 105
    Converting Gateways 105
        Convert ROBO VPN1 105
        Convert Gateway VPN1 106
        Convert ROBO VPN1Edge 108
        Convert Gateway VPN1Edge 108

Chapter 5 Troubleshooting
    Status Information 109
    Logging 109
    VPN Troubleshooting Tools 109

CHAPTER 1

Introduction to SmartLSM

In This Chapter
    Introduction page 11
    Supported Platforms page 11
    SmartLSM Overview page 12

Introduction
Check Point SmartLSM is an integral part of Check Point VPN-1 Pro NG with Application Intelligence. This document describes the SmartLSM features added to VPN-1 Pro NG with Application Intelligence. Please review this information before installing SmartLSM. Please read the SmartCenter Guide for information about VPN-1 Pro.

Supported Platforms
The supported platforms for Check Point SmartLSM are identical to the supported platforms for VPN-1 Pro.
Note - The ROBO Gateway is only supported on the following platforms: Windows, Linux, NOKIA and SecurePlatform.


SmartLSM Overview
In This Section
    SmartLSM Profiles & ROBO Gateway Objects page 13
    Policy Management page 13
    Policy Localization
    Dynamic Objects page 15
    VPN page 16
    CO Gateway page 18
    Convert page 19
    Upgrade page 19
    VPN-1 Edge/Embedded Integration page 20
    Supported Features page 20
    Unsupported Features and Known Limitations page 21

SmartLSM allows system administrators to manage thousands of simple, similar Check Point Remote Office/Branch Office (ROBO) Gateways from a single SmartCenter Server, in a cost-effective way. The SmartLSM management concept is based on SmartLSM Profiles, which are defined in the standard Check Point SmartDashboard. Instead of representing a single physical Gateway, each SmartLSM Profile object represents multiple ROBO Gateways. A separate, scalable and simple utility, the SmartLSM application, is used to define all the ROBO Gateways and their specific properties (e.g. their IKE Certificates). Within this utility each ROBO Gateway is mapped to a Profile object. The same SmartCenter Server that manages ROBO Gateways can also manage standard Check Point CO (Corporate Office) Gateways. SmartLSM reduces the administrative overhead per Gateway by defining most of the Gateway properties, as well as the Policy, per Profile object instead of per physical ROBO Gateway. SmartLSM reduces the run-time load on the SmartCenter Server by allowing you to set a time interval in which the Policy will be fetched, instead of installing a policy each time changes have been made. It does so with the help of various Check Point products, such as the Customer Log Module (CLM) and the Multi-Customer Log Module (MLM).


SmartLSM Profiles & ROBO Gateway Objects


A SmartLSM Profile is used to define a ROBO Gateway type. Each individual ROBO Gateway inherits the majority of its properties, as well as its Policy, from a Profile. Profiles are defined and managed through Check Point SmartDashboard. Once a SmartLSM Profile object is defined in SmartDashboard, you can define the respective ROBO Gateways in SmartLSM. The task of defining each individual ROBO Gateway is simple. You simply specify the name of the ROBO Gateway. The following three properties are also mandatory, but they are selected by default when you create a new ROBO Gateway:
- ROBO Gateway type (for VPN-1 Edge/Embedded ROBO Gateways only) - select the type of your VPN-1 Edge/Embedded Gateway device. This cannot be edited once the VPN-1 Edge/Embedded ROBO Gateway has been created.
- ROBO Gateway version (for VPN-1 Express/Pro ROBO Gateways only) - the version of the Gateway.
- The Profile, from which the ROBO Gateway obtains all of its other properties (the default is the profile that was selected in SmartDashboard, in the Global Properties > SmartLSM Profile Based Management page).

Varied SmartLSM profiles allow you to differentiate between the various ROBO Gateways (e.g. allow a VPN Encryption Tunnel to be created between CO Gateways and ROBO Gateways mapped to one Profile, but not to ROBO Gateways mapped to another Profile).

Policy Management
Policies are managed per Profile, not per ROBO Gateway, for better scalability. A Policy is defined and installed via SmartDashboard per Profile. This operation only prepares the Policy files on the SmartCenter Server (it does not push the Policy to any specific Gateway).

Policy Fetching
The Policy is fetched periodically by the ROBO Gateways. The time interval is configurable per Profile in the Masters page of the SmartLSM Profile object. Each ROBO Gateway randomly chooses a time slot within the periodic fetch interval in which to fetch its Policy.

Chapter 1

Introduction to SmartLSM

FIGURE 1-1 Specifying the Fetch Interval in the Masters page

Policy fetching can also be initiated manually, from the ROBO Gateway, or centrally, from the SmartLSM (using the Push Policy command; see Push Actions for a Gateway on page 65). Once a Policy is fetched by the ROBO Gateway, it is localized as follows:
- The specific properties of the ROBO Gateway are used.
- Anti-Spoofing and Encryption-Domain information are automatically calculated.
- Automatically calculated Dynamic Objects are assigned their values.
- Centrally resolved Dynamic Objects are assigned their values.
- The Policy is installed.

Note - This process is skipped if there were no changes in the Policy or in any of the centrally resolved Dynamic Objects.

Policy Localization Dynamic Objects


SmartLSM utilizes Dynamic Objects to localize the Policy of the Profile object for the potentially hundreds or thousands of ROBO Gateways which belong to this Profile. SmartLSM uses several methods to resolve Dynamic Object values:
1. Automatically Resolved Dynamic Objects - these objects automatically get their values when the ROBO Gateway loads a Policy. These objects can be seen in the Dynamic Objects tab of the Edit ROBO Gateway window. They appear by default when a new ROBO Gateway is created:
   - LocalMachine_All_Interfaces - the DAIP machine interfaces (static and dynamic) are resolved into this object.
   - LocalMachine - the Dynamic Object's value is resolved to the external IP address of the ROBO Gateway itself (based on the IP address of the interface marked as External).
   - InternalNet - the Dynamic Object's value is resolved to the IP address range of the internal network, based on the IP address and netmask of the interface marked as Internal.
   - DMZNet - the Dynamic Object's value is resolved to the IP address range of the DMZ network, based on the IP address and netmask of the interface marked as DMZ.
   - AuxiliaryNet - the Dynamic Object's value is resolved to the IP address range of the Auxiliary network, based on the IP address and netmask of the interface marked as Auxiliary.
2. Centrally Resolved Dynamic Objects, from the SmartLSM (see Editing a VPN-1 Express/Pro ROBO Gateway on page 39).
3. Locally Resolved Dynamic Objects, which are resolved manually on the ROBO Gateway itself, via the dynamic_objects command line.

Note - You must resolve all Dynamic Objects that are used in the policy. An unresolved Dynamic Object referenced in a rule will result in dropping all the packets that match the other characteristics of that rule.

VPN
In This Section
- VPN Tunnels
- Third Party Certificate Authority Support
- Determining the Profile of a ROBO Gateway
- ROBO Gateway Encryption Domain

VPN Tunnels

SmartLSM supports the inclusion of ROBO Profiles as members in star VPN Communities (as satellites) and in Remote Access communities (as centers). When a star VPN Community contains an LSM profile object as a satellite, the settings apply both to the Corporate Office (CO) gateway and to the ROBO gateways. A VPN tunnel can be established from a ROBO Gateway to a regular, static IP address CO Gateway (similar to the way that DAIP Gateways establish VPN tunnels to static IP Gateways). A CO Gateway recognizes (and authenticates) an incoming VPN tunnel as a tunnel from a ROBO Gateway using the IKE Certificate of the ROBO Gateway. The CO Gateway treats the peer ROBO Gateway as if it were a regular DAIP Gateway whose properties are defined by the Profile to which the ROBO Gateway is mapped. A CO Gateway can also initiate a VPN tunnel to a ROBO Gateway; this is supported for CO Gateways in version NGX (R60). (In previous versions, traffic was encrypted from the CO Gateway to the ROBO Gateway through Back Connections, which entailed initiating a tunnel from the ROBO Gateway to the CO Gateway.) SmartLSM supports VPN routing for satellites. There are two methods of routing VPN traffic within the VPN community:
- Domain based VPN - packets are routed based on the encryption domain of each of the VPN peers.
- Route based VPN - creating a virtual interface on each peer gateway enables the use of a dynamic routing protocol for routing VPN traffic within the VPN community.

For more detailed information, refer to the VPN Guide. You can establish VPN tunnelling for ROBO-to-ROBO, or ROBO-to-other Gateway configurations, via the CO Gateway.

Third Party Certificate Authority Support
This feature allows generating ROBO IKE certificates (for VPN) from Third Party Certificate Authority (CA) servers, rather than from the Check Point Internal CA. It allows users to select a CA server object, defined previously using SmartDashboard, and to enter the certificate identifier and a password for a certificate, as shown in the following figure:
FIGURE 1-2 Edit ROBO Gateway VPN tab

At this time, only automatic certificate generation is supported. The user requests a certificate, providing the certificate identifier and a password, and the CA server either returns the certificate or does not.
Note - When a Third Party CA generated ROBO certificate is revoked, you should revoke it actively via the specific CA GUI, and not just remove it from your database, as had been the case when working with the Check Point Internal CA.

Determining the Profile of a ROBO Gateway
Upon establishing IKE authentication, a CO Gateway determines which SmartLSM Profile is applied to the initiating ROBO Gateway. This is done by a lookup of the ROBO Gateway's IKE DN in a dedicated ROBO mapping database. This database maps the IKE DN to the respective Profile of the initiating ROBO Gateway.

If the IKE DN of the initiating ROBO Gateway is not found in the mapping database, a Default Profile may be selected instead as the ROBO Gateway's profile. To do so, select the Default Profile in the Global Properties > SmartLSM Profile Based Management window. You can determine the default mapping by setting a flag in the same window. It is important that the mapping database be updated whenever ROBO Gateways are added, deleted or modified. The update can be performed either from the SmartLSM GUI, by selecting Update Corporate Office Gateways in the ROBO Gateways Actions menu, or from SmartDashboard, by reinstalling the policy.

ROBO Gateway Encryption Domain
The ROBO Gateway's encryption domain can be easily configured via the ROBO Gateway's Topology tab. In the VPN Domain section, you can select one of the following options:
- Not defined: No VPN Domain is defined for this Gateway. To enable this Gateway to participate in a VPN, another option must be selected.
- Only the external interface: From the CO Gateway's perspective, the ROBO Gateway's encryption domain is defined by the ROBO Gateway's external IP address. It is assumed that everything is NAT-hidden behind the external IP address.
- All IP Addresses behind the Gateway based on Topology information: A ROBO Gateway's encryption domain is automatically calculated based on the IP address and netmask of the ROBO Gateway's internal interfaces. Complicated networks behind a ROBO Gateway are not supported.
- Manually defined: Manually defined ranges of IP Addresses are included in the VPN.
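The following Python is an added example (not Check Point code) that serves both the Dynamic Objects section above and this Encryption Domain section: it models how the five automatically resolved Dynamic Objects and the Topology-tab VPN Domain options derive from a ROBO Gateway's interface list, and flags policy rules that reference an unresolved Dynamic Object, which the Note above warns will drop all matching traffic. The interface record, rule format, the object name HQ_Mail and all sample addresses are constructed assumptions.

```python
"""Added example (not Check Point code): derive SmartLSM's automatically
resolved Dynamic Objects and the Topology-tab VPN domain from a ROBO
Gateway's interface list, then flag policy rules that reference an
unresolved Dynamic Object (such rules drop all matching traffic).
Interface roles follow the cpconfig ROBO Interfaces page; the topology,
rule format and sample addresses below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Interface, ip_network
from typing import Dict, Iterable, List, Set

# Interface role -> name of the address-range Dynamic Object it feeds.
ROLE_TO_OBJECT = {"Internal": "InternalNet", "DMZ": "DMZNet", "Auxiliary": "AuxiliaryNet"}
# The five objects every new ROBO Gateway carries by default.
AUTOMATIC_OBJECTS = ("LocalMachine_All_Interfaces", "LocalMachine") + tuple(ROLE_TO_OBJECT.values())
TOPOLOGY_MODE = "All IP Addresses behind the Gateway based on Topology information"


@dataclass(frozen=True)
class Interface:
    name: str
    address: str  # "ip/prefix" or "ip/netmask", as reported by the gateway
    role: str     # External | Internal | DMZ | Auxiliary


def resolve_automatic(interfaces: Iterable[Interface]) -> Dict[str, Set[str]]:
    """Automatically resolved Dynamic Objects, name -> set of values.
    An object whose interface role is not present stays unresolved (empty set)."""
    values: Dict[str, Set[str]] = {name: set() for name in AUTOMATIC_OBJECTS}
    for itf in interfaces:
        iface = IPv4Interface(itf.address)
        values["LocalMachine_All_Interfaces"].add(str(iface.ip))  # every address, static or DAIP
        if itf.role == "External":
            values["LocalMachine"].add(str(iface.ip))  # the gateway's own external address
        elif itf.role in ROLE_TO_OBJECT:
            values[ROLE_TO_OBJECT[itf.role]].add(str(iface.network))  # range from IP + netmask
    return values


def localize(interfaces: Iterable[Interface], central: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Merge automatic values with centrally resolved ones, as policy localization does."""
    values = resolve_automatic(interfaces)
    for name, vals in central.items():
        values[name] = values.get(name, set()) | set(vals)
    return values


def encryption_domain(interfaces: Iterable[Interface], mode: str,
                      manual: Iterable[str] = ()) -> Set[str]:
    """VPN domain the CO Gateway will use for this ROBO, per the Topology tab option."""
    interfaces = list(interfaces)
    if mode == "Not defined":
        return set()
    if mode == "Only the external interface":
        # Everything behind the ROBO is assumed NAT-hidden behind this one host.
        return {f"{IPv4Interface(i.address).ip}/32" for i in interfaces if i.role == "External"}
    if mode == TOPOLOGY_MODE:
        # Simple networks directly on the non-External interfaces (assumption: DMZ/Auxiliary count).
        return {str(IPv4Interface(i.address).network) for i in interfaces if i.role != "External"}
    if mode == "Manually defined":
        return {str(ip_network(r, strict=False)) for r in manual}
    raise ValueError(f"unknown VPN Domain option: {mode}")


def unresolved_in_policy(rules: List[dict], dynamic_names: Set[str],
                         resolved: Dict[str, Set[str]]) -> Dict[int, List[str]]:
    """Rule number -> Dynamic Objects it references that have no value.
    Run this before Push Policy: each listed rule drops every packet that
    matches its other fields instead of applying its action."""
    problems: Dict[int, List[str]] = {}
    for rule in rules:
        referenced = set(rule["source"]) | set(rule["destination"])
        missing = sorted(n for n in referenced & dynamic_names if not resolved.get(n))
        if missing:
            problems[rule["no"]] = missing
    return problems


# Constructed sample: one ROBO Gateway with no Auxiliary interface.
ROBO_INTERFACES = [
    Interface("eth0", "203.0.113.10/255.255.255.0", "External"),
    Interface("eth1", "10.1.1.1/24", "Internal"),
    Interface("eth2", "192.168.50.1/24", "DMZ"),
]
# Constructed Profile policy; HQ_Mail is a Dynamic Object resolved centrally from SmartLSM.
POLICY_DYNAMIC = {"InternalNet", "AuxiliaryNet", "LocalMachine", "HQ_Mail"}
POLICY_RULES = [
    {"no": 1, "source": ["InternalNet"], "destination": ["HQ_Mail"], "action": "accept"},
    {"no": 2, "source": ["AuxiliaryNet"], "destination": ["Any"], "action": "accept"},
    {"no": 3, "source": ["Any"], "destination": ["LocalMachine"], "action": "drop"},
]
CENTRAL = {"HQ_Mail": {"198.51.100.25"}}

if __name__ == "__main__":
    values = localize(ROBO_INTERFACES, CENTRAL)
    for name in sorted(values):
        print(f"{name:28} {sorted(values[name]) or 'UNRESOLVED'}")
    print("VPN domain:", sorted(encryption_domain(ROBO_INTERFACES, TOPOLOGY_MODE)))
    print("rules that will drop:", unresolved_in_policy(POLICY_RULES, POLICY_DYNAMIC, values))
```

Rule 2 is reported because no Auxiliary interface exists, so AuxiliaryNet stays empty and the rule would silently drop rather than accept.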

CO Gateway
The SmartCenter Server has the ability to manage both standard Check Point Gateways and ROBO Gateways. Standard Gateways, which are assigned static IPs, can serve as targets for VPN Tunnels, initiated from ROBO Gateways. These target Gateways are referred to as Corporate Office Gateways, or in short, CO Gateways. Corporate Office Gateways are installed like regular Check Point Gateways. However, after the installation you must run an additional CLI command, LSMenabler on.

Convert
SmartLSM supports fast conversion of a VPN-1 Express/Pro Gateway or VPN-1 Edge Gateway managed via SmartDashboard to a ROBO Gateway, and vice versa. There is no need to delete existing objects and create new objects, since the conversion operation will do this automatically, while preserving the relevant SIC certificates. If you have just started to use SmartLSM you may want to convert Gateways managed via SmartDashboard to ROBO Gateways, in order to manage them through SmartLSM. For example, you may, currently, have only a small number of Branch offices, yet you may want to add many more and decide to manage them all through SmartLSM. You may also need to convert a ROBO Gateway to a Gateway managed via SmartDashboard, if a specific ROBO Gateway has increased its management requirements, and you decide to manage it separately as a regular Gateway. In this case, after converting a ROBO Gateway to a Gateway managed via SmartDashboard, you should complete the conversion operation by defining interfaces, updating VPN communities, and installing policies through SmartDashboard. Check Point services should be restarted afterwards. After any conversion operation, remember to run the Install Policy action on the SmartLSM Profile associated with the new ROBO Gateway. Once this is done, perform Push Policy on the ROBO Gateway.

Upgrade
SmartLSM supports upgrades of Check Point products for ROBO Gateways via the SmartLSM GUI, using SmartUpdate. To upgrade your system, follow these steps:
1. Upgrade your SmartCenter Server.
2. If you have new Check Point Module Upgrade packages, add them to the SmartUpdate Repository.
3. Upgrade your CO Gateways.
4. Use the SmartLSM GUI to upgrade your ROBO Gateways. The upgrade commands and icons are similar to the SmartUpdate commands. Alternatively, you may use the SmartLSM Command Line Utility, LSMcli.

VPN-1 Edge/Embedded Integration


SmartLSM supports VPN-1 Edge/Embedded Gateways as ROBO Gateways. This support exists by default when the SmartCenter Server is installed. You must define VPN-1 Edge/Embedded Profiles via SmartDashboard, and other VPN-1 Edge/Embedded ROBO Gateway properties via the SmartLSM GUI. Although some VPN-1 Edge/Embedded ROBO Gateway properties, such as licenses and products, differ from those of VPN-1 Express/Pro ROBO Gateways, other aspects of working with VPN-1 Edge/Embedded ROBO Gateways, such as setting up VPN communities, policy installation, or defining troubleshooting statuses, are the same as for VPN-1 Express/Pro ROBO Gateways. When the Enforce Topology feature of a VPN-1 Edge device is enabled, you can enforce the topology definitions for the VPN-1 Edge ROBO via the SmartLSM GUI. You can also launch the VPN-1 Edge Portal via the SmartLSM GUI. For more information regarding Check Point and VPN-1 Edge/Embedded integration, refer to the VPN-1 Edge/Embedded Management Solutions Guide.

Supported Features
SmartLSM supports the following NGX (R60) features:
- DAIP (Dynamically Assigned IP) and static IP address ROBO Gateways.
- All FireWall features that are supported by NGX R60 DAIP Gateways.
- Centrally resolved Dynamic Objects.
- VPN tunnels from ROBO Gateways to CO Gateways, based on IKE with Internal Certificate Authority (ICA) Certificates, and from CO Gateways to ROBO Gateways.
- ROBO Gateways managed by LSM support the VPN Tunnel Monitoring feature.
- Generation of ROBO IKE certificates, for VPN, from Third Party CA Servers. (A Corporate Office Gateway (CO Gateway) recognizes (and authenticates) an incoming VPN tunnel as a tunnel from a ROBO Gateway, using the IKE Certificate of that ROBO Gateway.)
- Automatic calculation of Anti-Spoofing information for ROBO Gateways.
- Periodic, randomized Policy Fetch by the ROBO Gateways.
- A unique ID (in the form of an IP address) per ROBO Gateway, used to track logs generated from a ROBO Gateway, even if its external IP address changes.
- Local logging, CLMs and MLMs, used to reduce the logging load.
- High level and In-Depth status monitoring of ROBO Gateways.
- SmartUpdate capabilities: ROBO Gateway License Management through SmartLSM, and central upgrades of ROBO Gateways.
- Security Servers are supported on ROBO Gateways.
- Client Authentication, Session Authentication and User Authentication are supported by ROBO Gateways.
- VPN-1 Edge/Embedded Gateways are supported as ROBO Gateways.
- Conversion between a ROBO Gateway and a regular Gateway.
- Command Line Utility to manage ROBO Gateways.
- ROBO Cluster configuration enables high-availability connectivity to the VPN.
- Simple configuration of the ROBO Gateway's encryption domain, using the ROBO Gateway Properties Topology tab.
- When remote control of a VPN-1 Edge device is enabled, you can enforce the topology definitions for the VPN-1 Edge ROBO via the SmartLSM GUI.
- You can launch the VPN-1 Edge Portal via the SmartLSM GUI.

Unsupported Features and Known Limitations

- Only simple internal networks (as defined by the IP address and Netmask of the internal interfaces) are supported.
- The SmartLSM GUI cannot update a ROBO Gateway Object when SmartDashboard is open in Read/Write mode.
- Limited support for Remote Access to a ROBO Gateway.


Chapter 2

Installation
In This Chapter
- Overview
- Installing SVN Foundation
- Installing the SmartCenter Server
- Installing a Check Point ROBO Gateway
- Installing the CO Gateway
- Installing SmartLSM

Overview
Check Point SmartLSM is an integral part of Check Point VPN-1 Pro with Application Intelligence. Familiarize yourself with VPN-1 Pro by reading the Check Point SmartCenter Guide provided with this package. Then read this document, which describes the SmartLSM-specific features. This document assumes the reader has a working knowledge of VPN-1 Pro with Application Intelligence.

Installing SVN Foundation


SVN Foundation is needed for the SmartCenter Server, the ROBO Gateway and the CO Gateway. To install the SVN Foundation, use the standard SVN Installation procedure.

Installing the SmartCenter Server


To install the SmartCenter Server:
1. Use the standard SmartCenter Server installation procedure.
2. Execute LSMenabler on to enable support for ROBO Gateways on the server.
Note - You will need a SmartCenter Pro license to activate SmartLSM functionality.

Installing a Check Point ROBO Gateway


To install a Check Point ROBO Gateway, proceed as follows:
1. Install the Check Point ROBO Gateway as if you were installing a regular Check Point Gateway.
2. Execute LSMenabler -r on to turn the Gateway into a ROBO Gateway.
3. In the cpconfig utility, in the ROBO Interfaces page, make sure that you define an External Interface. The other three options can be completed at a later stage.

No special license is needed for the ROBO Gateway.

Installing the CO Gateway


To install a CO Gateway, proceed as follows:
1. Install the CO Gateway as if you were installing a regular Check Point Gateway. A CO Gateway is identical to a standard NGX Gateway and is installed and configured according to the standard installation procedure. No special license is needed for the CO Gateway.
2. Execute LSMenabler on in order to define this Gateway as a SmartLSM CO Gateway.

Installing SmartLSM
For installation details see the most current online documentation:
http://www.checkpoint.com/support/technical/documents/docs_r60.html

Chapter 3

Configuration
In This Chapter
- SmartLSM Overview
- Logging into SmartLSM
- Menus and Toolbars
- Managing VPN-1 Edge/Embedded Objects in SmartLSM
- Deleting a ROBO Gateway Object
- Upgrading / Importing / Migrating SmartLSM Configurations
- Push Actions for a Gateway
- Profiles and Policies
- Working with Dynamic Objects
- Status Information

SmartLSM Overview
SmartLSM is used to define and manage ROBO Gateway Objects. The main view of SmartLSM features a spreadsheet look-and-feel interface. Each row represents a ROBO Gateway, with all the relevant information shown as column entries in that row. You can use the Sort, Find and Filter commands to display the required data, thereby facilitating the management of multiple ROBO Gateways, through this GUI.

Logging into SmartLSM


In This Section
- Working with the SmartLSM GUI
- Gateways List Pane
- Status View Action Status Tab
- Status View Critical Notifications Tab

SmartLSM is a standard Check Point SmartConsole client. As such, you should define the workstation, on which it is running, as a SmartConsole, in the GUI Clients tab of the Check Point Configuration Tool (cpconfig), installed on the SmartCenter Server (FIGURE 3-1). In a Provider-1/SiteManager-1 environment, define your workstation in the SMART Clients view of the Multi-Domain GUI application.
FIGURE 3-1 SMART Clients tab of the Check Point Configuration Tool

In the SmartLSM window, you must supply the credentials of an administrator, who is allowed to work with SmartDashboard.

You can use either User/Password combination, or certificate-based authentication, as with standard Check Point SmartConsole clients. Consult the SmartCenter Guide for the standard login information.
Note - You can open multiple SmartLSM windows with Read/Write permissions at the same time, and simultaneously work in SmartDashboard with Read/Write permissions.

The SmartLSM is displayed (FIGURE 3-2).


FIGURE 3-2 SmartLSM ROBO Gateway Setup Utility

SmartLSM consists of two panes:
- The top pane, the ROBO Gateways List pane, lists the various ROBO Gateways defined in the system, along with Gateways defined in SmartDashboard.
- The bottom pane, called the Status View, is divided into two tabs:
  - The Status View Critical Notifications tab highlights objects that require the attention of the system administrator.
  - The Status View Action Status tab describes the status of the actions currently performed on the above Gateways.

Chapter 3

Configuration

Working with the SmartLSM GUI


This section discusses the various operation options available in the SmartLSM GUI.
In This Section
- Find
- Show/Hide Columns
- Filter
- Sort Column Content
- Export to File

Find

In this window, you can enter a string consisting of any text. The Find operation searches for the specified string in whatever location you choose to determine in the Look in field. To open the Find window, select Find from the Edit menu.

Find Parameters
- Find what - enter the string that you would like to find.
- Look in - determine whether your search is across all the fields, or a specific field only.
- Match whole word only - the string for which you are searching should be the exact replica of the string entered in the Find what field. If this option is not checked, substrings will also be searched.
- Match case - the string for which you are searching should match the case of the text entered in the Find what field.
- Direction - select the direction in which you would like to search.

Show/Hide Columns
You can choose to show or hide columns by selecting Show/Hide Columns from the View menu.

In the Show/Hide Columns window, uncheck all the columns that you would like to hide and check all columns that you would like to display. It is also possible to hide a column by right-clicking on the desired column header and choosing Hide Column from the displayed menu. You can also hide columns by dragging the right edge of the column header to the left, until it disappears.
Filter
You can filter the Gateways List to show only specific Gateways. Filtering is done by specifying conditions on the columns. You can specify multiple column filters to achieve progressive filtering. For example, if you would like to see only the gateways whose Policy status is not updated, you can do this quickly and efficiently by filtering the Policy Status column. To filter a column, right-click the desired column header and select Column Filter.... Define the desired filter in the Filter window that is displayed.

Specify the nature of the filter, in other words, decide what must or must not be filtered. Generally you will need to enter a value to be filtered, whether it is the name of a status, an IP Address, etc. The values that you are required to select or enter depend on the column that you have chosen to filter. Once a filter exists for a specified column, the funnel icon in the column heading takes on a light green color. This color will disappear when the filter is cleared. You can make multiple filter operations on a specified column. To clear all filters in the SmartLSM, select Clear All Filters from the View menu. Alternately, to clear a specific filter, right-click on the desired column and select Clear Column Filter from the displayed menu. To view existing filters, select Filter Details from the View menu.

Sort Column Content
To toggle the content of a specified column between ascending and descending order, click on the desired column heading; the order of the column content will reverse itself.

Export to File
Select Export To File from the File menu to export the whole objects list to a specific file. The Export To File window is displayed.
- Check Show Headers to include the column headers in the export file.
- Stipulate your delimiters in the Use the following Delimiter field. You can use a Tab as a delimiter, or you can specify another delimiter in the Other field.
- You can choose to Export all columns, or you can choose not to export columns which are hidden, by checking Export only shown columns.

Gateways List Pane


The top pane provides the information on each Gateway listed. The following are some of the displayed fields:
Note - Certain fields are relevant to ROBO Gateways only.

- Name - the name of the Gateway.
- ID - a unique ID, in the form of an IP address (for a ROBO Gateway), used to track logs generated from a ROBO Gateway (even if it changes its external IP address). For a regular Gateway, the IP address is displayed.
- Profile Name - the name of the Profile assigned to this ROBO Gateway.
- Gateway Status - the status of the ROBO Gateway, see Status Information on page 72.
- Policy Status - the status of the Policy installed on this ROBO Gateway, see Status Information on page 72.
- Policy - the name of the policy installed on the Gateway.
- Last Known IP - the last known IP address of the Gateway.
- Policy Fetch Time - the full date and time on which the Policy was last fetched by this ROBO Gateway.
- Dynamic Objects - the Dynamic Object values that were assigned for this ROBO Gateway.
- Comments - the user comment for this ROBO Gateway.
- IKE DN - the IKE Distinguished Name that was assigned to this ROBO Gateway.
- Device ID - the device's external identifying number.
- Customer Details - the customer details for this ROBO Gateway.
- In ROBO Cluster with - the name of the second member assigned to this ROBO Cluster (or empty if the selected Gateway does not participate in a ROBO Cluster).

Status View Action Status Tab


The Status View Action Status tab provides the following information on each action that was initiated from this SmartLSM to one of the Gateways. The following are some of the displayed fields:
- Name - the name of the Gateway.
- Action - the action that was performed on the Gateway (e.g. Reboot).
- Start Time - the full date and time on which the above action started.
- Status - the status of the action, which can be one of the following: In Progress, Completed, or Failed.
- Details - additional information on the action (e.g. the reason for the failure of the action).

You can sort the entries in this view by clicking on any one of the column headers. You can also clear one or more actions at a time from this list. To clear one Action Status, right-click on the desired column heading and select Clear Selected. To clear all the Action Statuses, right-click on any column heading and select Clear All.

To see further details regarding the Action Status, right-click on the desired column heading and select Action History. The Action History window provides information regarding an action that was initiated from the Check Point SmartLSM to the selected Gateway. It displays a running log of events as they happen at the Gateway, including status information regarding action progress, completion or failure.

Status View Critical Notifications Tab


The Status View Critical Notifications tab provides the following information:
- Name - the name of the Gateway.
- Updated - the time of the status update.
- Gateway Status - the status of the Gateway, see Status Information on page 72.
- Policy Status - the status of the Policy installed on this Gateway, see Status Information on page 72.

You can sort the entries, in this view, by clicking on any of the column headers.

Menus and Toolbars


In This Section
- Menus
- Toolbar
- Adding a New VPN-1 Express/Pro ROBO Gateway
- Adding a VPN-1 Edge/Embedded ROBO Gateway
- Editing a VPN-1 Express/Pro ROBO Gateway
- Editing a VPN-1 Edge/Embedded Gateway
- Updating a CO Gateway
- Modifying Policies

Menus
The SmartLSM menus are described in TABLE 3-1.

TABLE 3-1 SmartLSM Menus Description

File menu
- Export to File... - Export the content of the Gateways list to a CSV (Comma Separated Values) format, Excel, or HTML file.
- Exit - Close SmartLSM.

Edit menu
- New - Define a new VPN-1 Express/Pro ROBO Gateway or VPN-1 Edge/Embedded ROBO Gateway.
- Edit ROBO Gateway - Edit the selected ROBO Gateway.
- Delete ROBO Gateway - Delete the selected ROBO Gateway.
- Find - Find a text string.

View menu
- Toolbar - Toggle the display of the toolbar.
- Status Bar - Toggle the display of the status bar.
- Status View - Toggle the display of the Status View.
- Clear All Filters - Remove all filters.
- Filter Details - Display all existing filters.
- Show/Hide Columns - Show or hide columns.
- Default Column Width - Restore the default width of the columns.

Manage menu
- Open Selected Policy - Open the Policy installed on this ROBO Gateway.
- Open Selected Policy (Read Only) - Open the Policy installed on this ROBO Gateway (Read Only).
- Launch VPN-1 Edge Portal - For enabled VPN-1 Edge Gateways.
- Custom Commands - Add/Remove/Edit custom commands.

Actions menu
- Push Dynamic Objects - Push and install values of Dynamic Objects to the selected Gateway.
- Push Policy - Initiate a Fetch Policy from the selected Gateway.
- Stop Gateway - Stop the Check Point Gateway services on the selected Gateway.
- Start Gateway - Start the Check Point Gateway services on the selected Gateway (not VPN-1 Edge/Embedded ROBO Gateway).
- Restart Gateway - Restart the Check Point Gateway services on the selected Gateway (not VPN-1 Edge/Embedded ROBO Gateway).
- Reboot Gateway - Reboot the selected Gateway.
- Get Status Details... - Get in-depth status information about the selected ROBO Gateway (not VPN-1 Edge/Embedded ROBO Gateway).
- Packages - the following package operations:
  - Upgrade All Packages - Upgrade the Check Point Packages on the selected ROBO Gateway to the latest available. If packages are missing, the Missing Packages window is displayed. You can use SmartUpdate to add the missing packages to the repository. Then rerun Upgrade All Packages.
  - Distribute Package - Install one or more available Check Point Packages on the selected ROBO Gateway. To install a Package, select a Package listed in the Distribute Package window. You can then distribute and/or install packages (new and previously distributed).
  - Uninstall one of the existing Check Point Packages from the selected ROBO Gateway.
  - Pre-Install Verifier - Verify whether the installation of the specified Check Point Package succeeded.
  - Get Gateway Data - Retrieve the information about Check Point Packages installed on the selected ROBO Gateway.
- Define ROBO Cluster - Configure two ROBO Gateways to be members of a ROBO Cluster.
- Remove ROBO Cluster - Disassociate the two members of a ROBO Cluster.
- Update Corporate Office Gateway... - Update a CO Gateway to reflect all the configuration changes in the ROBO Gateways' encryption domain.
- Update Selected Corporate Office Gateway - Update a selected CO Gateway to reflect all the configuration changes in the ROBO Gateways' encryption domain.

Window menu
- SmartDashboard - Open the Check Point SmartDashboard.
- SmartView Tracker - Open the Check Point SmartView Tracker.
- SmartView Monitor - Open the Check Point SmartView Monitor.
- Eventia Reporter - Open the Check Point Eventia Reporter.
- SecureClient Packaging Tool - Open the Check Point SecureClient Packaging Tool.
- SmartUpdate - Open the Check Point SmartUpdate.

Help menu
- Help Topics - Search for the required topic, using the tabs of the Help Topics window: Contents, Index and Find.
- About Check Point SmartLSM - More about Check Point SmartLSM.
Gateways List Popup Menu
If you right-click a specific Gateway on the Gateways List, a popup menu is displayed, allowing you to perform certain actions relevant to that Gateway. For example, right-clicking a VPN-1 Edge ROBO Gateway displays the following popup menu:
FIGURE 3-3 VPN-1 Edge ROBO Gateway popup menu

You can perform the following actions:
- Edit the selected ROBO Gateway
- Create a new ROBO Gateway
- Delete the selected ROBO Gateway
- Open the Selected Policy (i.e. the policy installed on the selected Gateway)
- Launch the VPN-1 Edge Portal
- All the actions relevant for the selected ROBO Gateway; for more information on possible Action operations, see TABLE 3-1.

Toolbar
The toolbar provides shortcuts to the most commonly used menu commands.

Adding a New VPN-1 Express/Pro ROBO Gateway


SmartLSM supports two types of ROBO Gateways: VPN-1 Express/Pro ROBO Gateways and VPN-1 Edge/Embedded Gateways. To add a new VPN-1 Express/Pro ROBO Gateway, use the Add VPN-1 Express/Pro ROBO Gateway Wizard. Proceed as follows:

1. Select New > VPN-1 Express/Pro ROBO Gateway... from the Edit menu, or click the corresponding button in the toolbar. If you chose the latter, use the drop-down menu to define whether to create a new VPN-1 Express/Pro or VPN-1 Edge/Embedded Gateway. The New VPN-1 Express/Pro ROBO Gateway window is displayed, showing its General page.

2. In the General page, define the name (Name) of the ROBO Gateway and specify free-form text (Comments) used to identify the ROBO Gateway (e.g. The Restaurant at the End of the Universe).

3. In the More Information page, specify the version of the selected Gateway type (ROBO Gateway Version) from the drop-down list, and select the Profile (ROBO Gateway Profile) to which the ROBO Gateway is mapped from the drop-down list. The default value is the profile that was selected in SmartDashboard, in the Global Properties SmartLSM Profile Based Management page.

4. In the ROBO Gateway Communication properties page, define an Activation Key that will be used to set up Secure Internal Communication (SIC) Trust between the ROBO Gateway and the SmartCenter Server. This is the same Activation Key that you enter in the SIC tab of the Check Point Configuration Tool (CPConfig) on the ROBO Gateway. You can either enter your own key, or have SmartLSM generate an 8 character long random key for you.

   For automatic generation, select the Generate Activation Key Automatically option and click Generate. The Generated Activation Key window is displayed. The key is displayed in clear text, so you can view it and enter it later on the ROBO Gateway for the SIC initialization. Choose one of the following:
   - Accept - click to accept the automatically generated key and return to the Communication window. The two Activation Key fields will now display the new key in hidden text. Be aware that once the generated key is accepted, it can no longer be viewed in clear text.
   - Cancel - click to exit the Generated Activation Key window without accepting the automatically generated key.

   For manual key definition, select the Activation Key option, enter your own key, and enter it again in the confirmation box. To clear the key, click Clear.

   Note - The SIC certificate and the IKE certificate for this gateway will be created only after you click Finish in the Finish page.

   You may push the SIC certificate to the ROBO Gateway if you know its IP address; if you do not, you may leave the IP address field empty. In this case, to complete the initialization process, use the Check Point Configuration tool on the ROBO Gateway to pull the certificate from the SmartCenter Server.

5. In the ROBO Gateway's VPN properties page, you can select to create a VPN certificate from the Internal CA.

6. In the Finish page, check Edit Robo after creation to start working with the newly created object as soon as you have completed it, and click Finish to complete the ROBO Gateway creation.


Adding a VPN-1 Edge/Embedded ROBO Gateway


To add a new VPN-1 Edge/Embedded ROBO Gateway:

1. Select New > VPN-1 Edge/Embedded ROBO Gateway... from the Edit menu, or click the corresponding button in the toolbar. If you chose the latter, use the drop-down menu to define which type of ROBO Gateway you want to define. The New VPN-1 Edge/Embedded ROBO Gateway window is displayed, showing its General page.

2. In the General page, define the name (Name) of the Gateway and specify free-form text (Comments) used to identify the ROBO Gateway (e.g. Roanoke Call Center).

3. In the More Information page, specify the type (ROBO Gateway Type) of the VPN-1 Edge/Embedded ROBO Gateway from the drop-down list, and select a Profile (ROBO Gateway Profile) for the ROBO Gateway from the drop-down list. (The default profile is the one set as default through SmartDashboard, in the Global Properties SmartLSM Profile Based Management page.)

4. In the ROBO Gateway Communication properties page, define a Registration Key that will be used to set up Secure Internal Communication (SIC) Trust between the ROBO Gateway and the SmartCenter Server. You can either enter your own key, or have SmartLSM generate an 8 character long random key for you. It is important to enter the same Registration Key on the VPN-1 Edge/Embedded ROBO Gateway.

   To automatically generate a Registration Key, select the Generate Registration Key Automatically option and click Generate. The Generated Activation Key window is displayed. The key is displayed in clear text, so you can view it and enter it later on the ROBO Gateway for the SIC initialization. Choose one of the following:
   - Accept - click to accept the automatically generated key and return to the Communication window. The two Activation Key fields will now display the new key in hidden text. Be aware that once the generated key is accepted, there is no way to view it in clear text.
   - Cancel - click to exit the Generated Activation Key window without accepting the automatically generated key.

   For manual key definition, select the Registration Key option, enter your own key, and re-enter it in the confirmation box. To clear the key, click Clear.

   Note - The IKE certificate for this gateway will be created only after you click Finish in the Finish page.

5. In the ROBO Gateway's VPN properties page, you can create a VPN certificate from the Internal CA.

6. In the Finish page, check Edit Robo after creation to start working with the newly created object as soon as you have completed it. Finally, click Finish to complete the ROBO Gateway creation.

Once the VPN-1 Edge/Embedded ROBO Gateway object has been created, the internal CA issues a certificate to the VPN-1 Edge/Embedded device. This certificate is installed on the device the first time that the VPN-1 Edge/Embedded Gateway connects to the SmartCenter server.

Editing a VPN-1 Express/Pro ROBO Gateway


To edit an existing ROBO Gateway:

1. Choose one of the following:
   - Select Edit ROBO Gateway... from the Edit menu, or
   - Click the corresponding button in the toolbar, or
   - Double-click the record of this ROBO Gateway in the Gateways list pane.
   The Edit ROBO Gateway window is displayed.

2. Edit properties by selecting the appropriate tab. Edit the General tab:
   - Name - the Name of the gateway cannot be edited.
   - Comments - enter an optional comment.
   - Version - edit the version number of the gateway.
   - Profile - change the Profile to which the ROBO Gateway is mapped. The next time the ROBO Gateway fetches its Policy, it will get the Policy and properties of the new Profile object.

   Note - If you want the Profile change to take effect immediately, you must perform the following actions: 1) Actively push a Policy to this ROBO Gateway; 2) Update the CO Gateway(s).

   - Secure Internal Communication (SIC) - if a certificate was already issued for this gateway, the ROBO Gateway's DN (Distinguished Name) is displayed. The DN has the form CN=ROBO-name,O=Management-domain-name, for example CN=R_172,O=mgtHost.acme.com.abcdef. The DN is sometimes referred to as the SIC name of the Gateway.

   Viewing or Changing the SIC Trust

   Click Communication to view or change the SIC Trust between the ROBO Gateway and the SmartCenter Server. The Communication window is displayed. In the Communication window, the Trust State shows the current trust state with the ROBO gateway. Trust is established only after a certificate has been issued by the SmartCenter Server and delivered to the ROBO Gateway:
   - Uninitialized indicates that the ROBO Gateway does not have a valid SIC certificate (either because it was never initialized, or because its certificate was revoked).
   - Initialized indicates that the ROBO gateway has a valid SIC certificate.

   Initializing an Uninitialized Gateway

   To initialize an Uninitialized gateway, proceed as follows:
   - Specify the Activation Key. You can either enter it manually, or have SmartLSM generate it for you (this is done in a manner similar to that used to specify the Activation Key when adding a new ROBO gateway).
   - Select one of the following:
     This machine currently uses this IP address: enter the IP address. This requires that SIC was initialized on the ROBO Gateway (in other words, that the Activation Key was entered) via the cpconfig utility. If the ROBO Gateway's IP address is known, enter this address. This sets the Check Point Certificate Authority to push the SIC certificate.
     I do not know the current IP address: click this if the ROBO Gateway's IP address is unknown. The Check Point Certificate Authority will pull the SIC certificate after the same Activation Key is entered on the ROBO Gateway.
   - Click Initialize. A new SIC certificate will be created for this ROBO gateway, and its trust state will change to Initialized.

   If a SIC certificate was not pushed to the ROBO Gateway (that is, the current IP address of the ROBO Gateway was not entered in the SmartLSM GUI), to complete the SIC Trust process you must:
   - Select Reset & Pull SIC (pull the SIC certificate) on the ROBO Gateway, via the cpconfig utility.
   - Enter the new Activation Key, the Name (or IP Address) of the SmartCenter Server, and the Name given to the ROBO Gateway. This will pull the new certificate from the SmartCenter Server and install it on the ROBO Gateway.
   - After cpconfig configuration is complete, restart the Check Point services on this Gateway by rebooting the computer.

   Resetting an established Trust

   You may want to reset an established SIC Trust if you have replaced the gateway host machine, or if you have forgotten the Activation Key. Proceed as follows:
   - Click the Reset button. You will be prompted to confirm that you would like to reset SIC. Answer Yes.
   - To complete this procedure, you must Reset SIC on the ROBO Gateway and restart the Check Point services by rebooting the machine after the completion of the configuration in cpconfig.
   The Gateway's SIC certificate will be revoked, and its Trust State will change to Uninitialized. Now you will be able to specify a new Activation Key and re-initialize.

3. Edit the Details tab, as necessary. The following information is reported per ROBO Gateway:
   - ROBO ID - a unique ID, in the form of an IP address, per ROBO Gateway. When the ROBO Gateway sends logs to a Log Server, it specifies this ROBO ID as the log origin. This allows consistent tracking of the ROBO Gateway's logs even if its external IP address has changed. This ID cannot be edited.
   - Device ID - a free field, used to specify a unique device identification (such as the gateway's MAC Address).
   - Customer Details - a free text field for Customer details.
   - Participates in ROBO cluster with - if the ROBO Gateway is configured as one of the two members of a ROBO cluster, its mate is listed here.


4. Edit the Topology tab, as shown in the following figure:

   FIGURE 3-4 VPN-1 Pro Topology tab

   The Internal Interface List lists the defined Internal Interfaces and their respective IP Addresses and Network Masks.

   Note - ONLY internal interfaces should be defined in the table.

   Click Add to define a new Internal Interface. The Interface Properties window is displayed:

   FIGURE 3-5 VPN-1 Pro Interface Properties window

   Enter the Name, IP Address and Net Mask of the new Internal Interface, and click OK.

   In the VPN Domain area, select one of the options. You can learn more about these options in ROBO Gateway Encryption Domain on page 18. If you select Manually defined, the range table area is enabled and you can enter the desired ranges of IP Addresses. Click Add. The IP Address Range Configuration window is displayed:

   FIGURE 3-6 VPN-1 Pro IP Address Range configuration window

   Enter an IP Address range and click OK.

5. Edit the VPN tab, as shown in the following figure:

   FIGURE 3-7 VPN-1 Pro VPN tab

   You can select VPN Not supported, meaning that no IKE certificate will be generated for this ROBO gateway. You can select Use Certificate Authority Certificate, meaning that an IKE certificate will be generated for this ROBO gateway.


   If you select Use Certificate Authority Certificate, you must select the Certificate Authority Name. The Certificate Authority Name drop-down list contains all CA server objects defined in SmartDashboard. You must enter the Key Identifier/Authorization Code. The IKE DN field contains the ROBO Gateway's Distinguished Name (DN) of the certificate (when allocated). This DN cannot be edited. You may re-initialize the IKE certificate by clicking the Reset button. Ensure that you update the CO Gateway(s) afterwards.

6. Edit the Packages tab, as shown in the following figure:

   FIGURE 3-8 VPN-1 Pro Packages tab

   The Packages tab displays the Name, Vendor, Major Version, Minor Version and Description of each package installed. If the Packages are not displayed, they can be fetched by clicking Action > Packages > Get Gateway Data.

7. Edit the Dynamic Objects tab: Dynamic Objects are placeholders for IP Addresses or IP Address ranges. They are defined in SmartDashboard, and can be referenced in the Security Policy and Network Address Translation (NAT) rule bases. In this tab, you can customize the Profile's policy to the specific IP addresses of the edited ROBO gateway. Resolved Dynamic Objects: the following properties are displayed for each Dynamic Object:
   - Name - the name of the Dynamic Object, as defined in SmartDashboard.
   - First IP - the first, or the only, IP address in the IP address range that is assigned to the Dynamic Object.
   - Last IP - the last IP address in the IP address range that is assigned to the Dynamic Object.
   - Comment - the comment defined for the Dynamic Object in SmartDashboard.

   The objects are managed using the Add, Edit and Remove buttons.
   - Click Add to add a resolved Dynamic Object, via the Dynamic Object Configuration window. Enter the following information:
     Name - select the Dynamic Object from the drop-down list.
     Comments - displays the comment entered for that Dynamic Object.
     Resolved IP Address - choose one of the following IP address resolution methods: IP Address - enter the Dynamic Object's IP address; IP Address in Range - enter the Dynamic Object's IP address range.
     Click OK to add the resolved value. The newly added Object will be displayed in the Resolved Dynamic Objects list.
   - Click Edit to edit the Object selected in the Resolved Dynamic Objects list, via the Dynamic Object Configuration window.
   - Click Remove to remove the assigned IP address values of the selected Dynamic Object. You will be asked to confirm the delete operation.

   If you set a value for a Dynamic Object, it will be installed on the ROBO Gateway during the next Policy Installation (e.g. during the periodic fetch). If you want the new values to take effect immediately, you can actively push and install the new values from SmartLSM (see Push Actions for a Gateway on page 65).

   Note - If you do not set a value for a dynamic object that is used in the Policy, the rule that uses the dynamic object will never be matched, and the packet will be dropped.

8. Edit the Licenses tab: this window shows the licenses that are currently installed on this ROBO Gateway. In order to work with a gateway, you must attach a license to it. The following license properties are displayed per license:
   - Name - the name of the license.
   - Version - the version of the license.
   - State - the state of the license. The license state depends on whether the license is associated with the enforcement module in the License Repository, and whether the license is installed on the remote enforcement module. The state options are:
     Unattached: not associated with the enforcement module in the License Repository, and not installed on the remote enforcement module.
     Engaged: associated with the enforcement module in the License Repository, but not installed on the remote enforcement module.
     Attached: associated with the enforcement module in the License Repository, and installed on the remote enforcement module.
   - SKU/Features - the features enabled by the license.
   - IP Address - the IP address enabled by this license. Note that it can be the IP address of this gateway (License Type is 'local'), or the IP address of the Management Server (License Type is 'central').
   - Expiration Date - the date on which the license expires.

   To Add or Remove a License:

   Click Add to add a license from the License Repository. All available licenses are displayed in the License Repository window.

   Note - In the License Repository, you will only see unattached licenses that can be used on this ROBO. If an original license is in use on another ROBO, you will not see the corresponding upgraded license displayed in the License Repository.

   You can select more than one license at a time in the License Repository window and add them to the Licenses tab. A license is attached to the ROBO Gateway only after clicking OK. If there are unattached licenses that belong to the ROBO gateway, a message is displayed in the Licenses tab. In general, this situation occurs after you have finished running the License Upgrade Tool. Click Add these licenses to the list. The upgraded and unattached licenses appear in grey.

   Note - The upgraded license is an upgraded version of the original license.

   Click Remove to remove an existing license from the Licenses list. This license will be detached from the ROBO Gateway after clicking OK.

   Note - The system will not allow the upgrade license to be attached to the ROBO while the corresponding original license is detached from the ROBO and exists in the License Repository.

   If you try to remove the original license from the gateway while the upgrade license is listed, you will receive a warning that if you proceed, both licenses will be removed. If you click OK, both licenses are removed from the gateway. If you try to remove the upgrade license from the gateway while the original license is listed, you will receive a notification stating that you may either remove the upgrade license alone, or both licenses. If both the original and the upgrade license are in the License Repository and you attempt to add the upgrade license to the gateway, you will receive a notification stating that if you proceed, both licenses will be added to the gateway.
9. Edit the Advanced tab:

   FIGURE 3-9 VPN-1 Pro Advanced tab

   Log Servers - select up to two Log Servers from the drop-down lists. These drop-down lists contain the log server objects defined in SmartDashboard. The first is where all logs should be sent (Send logs to), and the second is used only when the first cannot be reached (When unreachable, send logs to). Select As defined in ROBO profile to keep the Log Servers settings that were configured when the profile was created, or uncheck As defined in ROBO profile to create your own Log Servers definitions.

10. At any point while editing the ROBO gateway you can:
   - Click Action to perform a variety of product-related actions on the edited ROBO gateway, such as Push Dynamic Objects, Push Policy, Start and Stop. You will be asked to save your changes before any action operation can be performed.
   - Click OK to complete the editing of the ROBO gateway object.
   - Click Cancel to cancel editing of the ROBO gateway object.
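The license states (Unattached, Engaged, Attached) and the original/upgrade pairing rules described for the Licenses tab above can be modelled in a few dozen lines. This is an added example, not Check Point code; the license names and the repository contents are constructed, and the `confirm`/`both` flags stand in for the confirmation prompts the GUI shows.

```python
# Added example (not Check Point code): a model of the SmartLSM license states and of
# the original/upgrade license pairing rules described for the Licenses tab.
from typing import Dict, List, Optional, Set

UNATTACHED, ENGAGED, ATTACHED = "Unattached", "Engaged", "Attached"


class License:
    def __init__(self, name: str, upgrade_of: Optional[str] = None):
        self.name = name
        self.upgrade_of = upgrade_of  # name of the original license this one upgrades, if any


class LicenseRepository:
    """Constructed stand-in for the License Repository: every license known to it."""

    def __init__(self, licenses: List[License]):
        self.licenses: Dict[str, License] = {lic.name: lic for lic in licenses}

    def upgrade_of(self, original: str) -> Optional[str]:
        """Name of the upgraded version of an original license, if the repository has one."""
        for lic in self.licenses.values():
            if lic.upgrade_of == original:
                return lic.name
        return None


class RoboLicenses:
    """Licenses of one ROBO Gateway. Association in the repository and installation on
    the remote enforcement module together decide the State column."""

    def __init__(self, repo: LicenseRepository):
        self.repo = repo
        self.associated: Set[str] = set()  # associated with this module in the repository
        self.installed: Set[str] = set()   # installed on the remote enforcement module

    def state(self, name: str) -> str:
        if name in self.associated and name in self.installed:
            return ATTACHED
        if name in self.associated:
            return ENGAGED
        return UNATTACHED

    def add(self, name: str, confirm: bool = False) -> List[str]:
        """Add a license from the repository (Licenses tab Add, then OK). Returns the names added.

        An upgrade license is refused while its original is detached and still in the
        repository; with confirmation, the original is added together with it."""
        original = self.repo.licenses[name].upgrade_of
        if original is not None and original not in self.associated and original in self.repo.licenses:
            if not confirm:
                raise PermissionError(f"{name} cannot be attached while {original} is detached")
            self.associated.update({original, name})
            return [original, name]
        self.associated.add(name)
        return [name]

    def remove(self, name: str, confirm: bool = False, both: bool = False) -> List[str]:
        """Remove a license from the Licenses list. Returns the names detached.

        Removing an original while its upgrade is listed removes both (after the warning);
        removing an upgrade while its original is listed removes it alone, or both if asked."""
        upgrade = self.repo.upgrade_of(name)
        if upgrade in self.associated:
            if not confirm:
                raise PermissionError(f"removing {name} also removes {upgrade}; confirm to proceed")
            detached = [name, upgrade]
        else:
            original = self.repo.licenses[name].upgrade_of
            detached = [name, original] if both and original in self.associated else [name]
        for n in detached:
            self.associated.discard(n)
            self.installed.discard(n)
        return detached

    def install(self, name: str) -> str:
        """Mark an Engaged license as installed on the module; returns the resulting state."""
        if name not in self.associated:
            raise ValueError(f"{name} is not associated with this module")
        self.installed.add(name)
        return self.state(name)


# Constructed sample: one original license and its upgraded version, both in the repository.
SAMPLE_REPO = LicenseRepository([License("lic-original"),
                                 License("lic-upgrade", upgrade_of="lic-original")])
```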

Editing a VPN-1 Edge/Embedded Gateway


To edit an existing VPN-1 Edge/Embedded ROBO Gateway, select it in the Gateways list.

1. Choose one of the following:
   - Select Edit ROBO Gateway... from the Edit menu, or
   - Click the corresponding button in the toolbar, or
   - Double-click the record of a VPN-1 Edge/Embedded ROBO Gateway in the SmartLSM list pane.
   The Edit VPN-1 Edge/Embedded Gateway window is displayed.

2. Edit properties by selecting the appropriate tab. You can edit the following VPN-1 Edge/Embedded ROBO Gateway properties. Edit the General tab:
   - Name - the Name of the gateway cannot be edited.
   - Comments - enter an optional comment.
   - Gateway Type - the Gateway Type of the gateway cannot be edited.
   - Profile - change the security Profile assigned to the ROBO Gateway. This will be put into effect the next time the ROBO Gateway fetches its Policy; it will get the Policy and the properties of the new Profile.

   Note - If you want the Profile change to take effect immediately, you must perform the following actions: 1) Push the Policy to the VPN-1 Edge/Embedded Gateway to ensure that the Policy is applied; 2) Update the CO Gateways.

   - Secure Internal Communication (SIC) - if a Registration Key is already entered, it appears as hidden text ***** in the Registration Key field. You may change the Registration Key by clicking the New Key button.

3. Edit the Details tab, as necessary. The following information is reported per VPN-1 Edge/Embedded ROBO Gateway:
   - ROBO ID - a unique ID, in the form of an IP address, assigned to each ROBO Gateway. Note that the ROBO ID cannot be edited. When the ROBO Gateway sends logs to a Log Server, it uses this ID to specify the log origin. This permits consistent tracking of ROBO Gateway logs even if the external IP address is changed.
   - MAC Address - a free field, used to specify the Gateway's MAC Address.
   - Customer Details - a free text field for Customer details.
   - Participates in ROBO cluster with - if the ROBO Gateway is configured as one of the two members of a ROBO cluster, its mate is listed here.

4. Edit the Topology tab, as shown in the following figure:


   FIGURE 3-10 VPN-1 Edge Topology tab

   You can select to enforce Topology definitions on the device. When the ROBO Gateway performs a Fetch, or when management performs a Push to this Gateway, the configuration set on the Topology tab will be retrieved. The Internal Interface List presents the defined Internal Interfaces and their respective IP Addresses and Network Masks. Click Edit to modify a selected Internal Interface. The Interface Properties window is displayed:

   FIGURE 3-11 VPN-1 Edge Interface Properties window

   Enter the IP Address and Net Mask of the selected Internal Interface. If the option is allowed, you can select to disable/enable the selected interface. You can select to hide the IP Addresses behind NAT. If the option is allowed, you can select to enable a DHCP Server. If you have selected to enable a DHCP Server, you must then select to allocate IP Addresses from one of the following options:
   - From the Network behind the interface
   - From sub range (enter the sub range values)
   - Using DHCP Relay Server
   Click OK.

   In the VPN Domain area, select one of the displayed options. You can learn more about these options in ROBO Gateway Encryption Domain on page 18. If you select Manually defined, the range table area is enabled and you can enter the desired ranges of IP Addresses. Click Add. The IP Address Range Configuration window is displayed:

   FIGURE 3-12 VPN-1 Edge IP Address Range configuration window

   Enter an IP Address range and click OK.


5. Edit the VPN tab, as shown in the following figure:

   FIGURE 3-13 VPN-1 Edge VPN tab

   You can select VPN Not supported, meaning that no IKE certificate will be generated for this ROBO gateway. You can select Use Certificate Authority Certificate, meaning that an IKE certificate will be generated for this ROBO gateway. If you select Use Certificate Authority Certificate, you must select the Certificate Authority Name. The Certificate Authority Name drop-down list contains all CA server objects defined in SmartDashboard. You must enter the Key Identifier/Authorization Code. The IKE DN field contains the DN of the certificate (when allocated); click Generate to allocate it. This DN cannot be edited. You may re-initialize the IKE certificate by clicking the Reset button. Ensure that you update the CO Gateway(s) afterwards.

6. Edit the Firmware tab, as necessary. Use it to identify the Firmware to be installed on the VPN-1 Edge/Embedded Gateway. Choose one of the following:
   - Use default - use the firmware defined as Default in the SmartUpdate application.
   - Use ROBO Gateway's installed firmware - use the firmware currently installed on the VPN-1 Edge/Embedded Gateway.
   - Use the following firmware - select the firmware to be uploaded to the VPN-1 Edge/Embedded Gateway (which is done via the SmartUpdate application).

7. Edit the Dynamic Objects tab: it provides access to Dynamic Objects, which are placeholders for IP Address ranges. They are initially defined in SmartDashboard, and are managed through Security Policies and Network Address Translation (NAT) rule bases. You may customize a Dynamic Object's Profile policy to the specific IP addresses of the ROBO gateway. The following properties are displayed for Resolved Dynamic Objects:
   - Name - the name of the Dynamic Object, as defined in SmartDashboard.
   - First IP - the first, or the only, IP address in the IP address range that is assigned to the Dynamic Object.
   - Last IP - the last IP address in the IP address range that is assigned to the Dynamic Object.
   - Comment - the comment defined for the Dynamic Object in SmartDashboard.

   The objects are managed using the following buttons:
   - Add - click Add to add a resolved Dynamic Object, via the Dynamic Object Configuration window. Enter the following information:
     Name - select the Dynamic Object from the drop-down list.
     Comments - displays the comment entered for that Dynamic Object.
     Resolved IP Address - choose one of the following IP address resolution methods: either enter the Dynamic Object's IP address (IP Address) or enter the Dynamic Object's IP address range (IP Address Range).
     Click OK to add the resolved value. The newly added Object will be displayed in the Resolved Dynamic Objects list.
   - Edit - click Edit to edit the Object selected in the Resolved Dynamic Objects list, via the Dynamic Object Configuration window.
   - Remove - click Remove to remove the assigned IP address values of the selected Dynamic Object. You will be asked to confirm the delete operation.

   If you set a value for a Dynamic Object, it will be installed on the ROBO Gateway during the next Policy fetch (e.g. during the periodic fetch). If you want the new values to take effect immediately, you can actively push and install the new values from SmartLSM.

   Note - If you do not set a value for a dynamic object that is used in the Policy, the rule that uses the dynamic object will never be matched, and the packet will be dropped.

8. Edit the Licenses tab: it displays the Product Key, that is, the license string for the ROBO gateway's software currently installed on the VPN-1 Edge/Embedded Gateway. If you wish to install an update, you can correct the Product Key by filling in the Product Key field. Use Show Product Description to display detailed information about the Product Key.

9. Edit the Configuration Script tab: it allows customized configuration of the VPN-1 Edge device. The Profile's Configuration Script, entered via SmartDashboard, is used to configure a number of devices simultaneously. In SmartLSM it is presented as Read-Only, allowing the administrator to view the complete configuration that will be received by the Edge device. If you want to configure a specific ROBO, you can enter a ROBO's Configuration Script via SmartLSM. For more detailed information about configuration scripts, refer to the Embedded NGX R60 CLI Guide that can be found at http://www.sofaware.com.

10. At any point while editing the VPN-1 Edge/Embedded gateway you can:
   - Click Action to perform a variety of product-related actions on the edited VPN-1 Edge/Embedded Gateway, such as Push Dynamic Objects and Push Policy. You will be asked to save your changes before any action operation can be performed.

   Note - The Start and Stop actions are not allowed for the VPN-1 Edge/Embedded Gateway.

   - Click OK to complete the editing of the ROBO gateway object.
   - Click Cancel to cancel editing of the ROBO gateway object.
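The Dynamic Objects tabs described above, for both VPN-1 Express/Pro and VPN-1 Edge/Embedded ROBO Gateways, share one consequence worth checking before a push: a Profile rule that references a Dynamic Object with no resolved value on a given ROBO never matches. The following added example (not Check Point code) models a Profile's rule base with static and Dynamic Objects, a per-ROBO Resolved Dynamic Objects list, a pre-push check for unset values, and a top-down match; the policy, object names and addresses are constructed.

```python
# Added example (not Check Point code): how rules that reference Dynamic Objects are
# resolved per ROBO Gateway, plus a pre-push check for Dynamic Objects left without a value.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Rule:
    name: str
    source: str       # object name: a static network object, a Dynamic Object, or "Any"
    destination: str
    action: str       # "accept" or "drop"


@dataclass
class ProfilePolicy:
    """Policy of a Profile as defined in SmartDashboard. Static objects carry fixed
    networks; Dynamic Objects are placeholders with no addresses of their own."""
    static: Dict[str, ipaddress.IPv4Network] = field(default_factory=dict)
    dynamic: Set[str] = field(default_factory=set)
    rules: List[Rule] = field(default_factory=list)


class ResolvedDynamicObjects:
    """The Resolved Dynamic Objects list of one ROBO Gateway: name -> (First IP, Last IP)."""

    def __init__(self) -> None:
        self.ranges: Dict[str, Tuple[IPv4, IPv4]] = {}

    def add(self, name: str, first_ip: str, last_ip: Optional[str] = None) -> None:
        # 'IP Address' resolution gives one address; 'IP Address in Range' gives first..last.
        first = IPv4(first_ip)
        last = IPv4(last_ip) if last_ip else first
        if last < first:
            raise ValueError(f"{name}: Last IP {last} precedes First IP {first}")
        self.ranges[name] = (first, last)

    def contains(self, name: str, ip: IPv4) -> bool:
        if name not in self.ranges:
            return False  # no value set on this ROBO: the placeholder matches nothing
        first, last = self.ranges[name]
        return first <= ip <= last


def unresolved_objects(policy: ProfilePolicy, resolved: ResolvedDynamicObjects) -> List[str]:
    """Pre-push check: Dynamic Objects used by a rule but given no value on this ROBO.
    Every rule using one of them can never match, so traffic it meant to allow is dropped."""
    used = {r.source for r in policy.rules} | {r.destination for r in policy.rules}
    return sorted(n for n in used & policy.dynamic if n not in resolved.ranges)


def _object_matches(policy: ProfilePolicy, resolved: ResolvedDynamicObjects,
                    name: str, ip: IPv4) -> bool:
    if name == "Any":
        return True
    if name in policy.dynamic:
        return resolved.contains(name, ip)
    return ip in policy.static[name]


def first_match(policy: ProfilePolicy, resolved: ResolvedDynamicObjects,
                src: str, dst: str) -> Tuple[str, str]:
    """Walk the rule base top-down for a packet and return (rule name, action).
    A packet no rule matches is dropped, as the guide states for unresolved objects."""
    s, d = IPv4(src), IPv4(dst)
    for rule in policy.rules:
        if (_object_matches(policy, resolved, rule.source, s)
                and _object_matches(policy, resolved, rule.destination, d)):
            return rule.name, rule.action
    return "no rule matched", "drop"


# Constructed sample: a Profile whose first rule lets the branch LAN (a Dynamic Object) reach HQ.
POLICY = ProfilePolicy(
    static={"HQ_Net": ipaddress.IPv4Network("10.0.0.0/8")},
    dynamic={"BranchLAN"},
    rules=[Rule("branch-to-hq", "BranchLAN", "HQ_Net", "accept"),
           Rule("cleanup", "Any", "Any", "drop")],
)
ROBO_A = ResolvedDynamicObjects()   # value set on this ROBO via 'IP Address in Range'
ROBO_A.add("BranchLAN", "192.168.10.1", "192.168.10.254")
ROBO_B = ResolvedDynamicObjects()   # value never set: branch-to-hq can never match here

if __name__ == "__main__":
    print(first_match(POLICY, ROBO_A, "192.168.10.7", "10.1.2.3"))  # ('branch-to-hq', 'accept')
    print(first_match(POLICY, ROBO_B, "192.168.10.7", "10.1.2.3"))  # ('cleanup', 'drop')
    print(unresolved_objects(POLICY, ROBO_B))                       # ['BranchLAN']
```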


Updating a CO Gateway
To update a CO Gateway, proceed as follows:

1. From the Actions menu, choose Update Corporate Office Gateway..., or click the corresponding button in the toolbar. The Update Corporate Office Gateway window is displayed.

2. Select the CO Gateway to be updated from the Corporate Office Gateway drop-down list, and click OK. The updated CO Gateway now has the latest copy of the ROBO DB, including any Profile changes.

Alternatively, select the Gateway you want to update and choose Update Selected Corporate Office Gateway from the Actions menu.

Modifying Policies
You can change the Policy of a Profile and then install it. The next time a ROBO Gateway mapped to this Profile fetches a Policy, it will get the updated Policy. You can change the general properties of the Profile using SmartDashboard. The next time the ROBO Gateways mapped to the Profile fetch their Policy, the changes will take effect. You can actively push a Policy to a specific ROBO Gateway (see Push Actions for a Gateway on page 65).


Managing VPN-1 Edge/Embedded Objects in SmartLSM


In This Section

VPN Creation using VPN-1 Edge/Embedded Objects via SmartLSM - page 57
Adding a VPN-1 Edge/Embedded ROBO Gateway to VPN - page 57
Special Considerations for VPN Routing - page 58
ROBO Clusters - page 59
Creating VPN Rules for VPN-1 Edge/Embedded Objects - page 63
Downloading a Security Policy to a VPN-1 Edge/Embedded ROBO Gateway from the VPN-1 Edge/Embedded Portal - page 64
Verifying Security Policy Download to the VPN-1 Edge/Embedded ROBO Gateway - page 64
Downloading a Security Policy to a VPN-1 Edge/Embedded ROBO Gateway from SmartLSM - page 65

VPN-1 Edge/Embedded ROBO Gateways are managed through SmartLSM. VPN-1 Edge/Embedded ROBO Gateways are objects which represent thousands of gateways of branch offices and small organizations. To work with VPN-1 Edge/Embedded via SmartLSM:

1. In SmartDashboard, from the Network Objects tab, define a SmartLSM VPN-1 Edge/Embedded profile.

In SmartLSM, do the following:

2. Define a VPN-1 Edge/Embedded ROBO Gateway. When this object has been created, a certificate is issued by the Internal CA for the VPN-1 Edge/Embedded device. This certificate is installed on the device when the VPN-1 Edge/Embedded Gateway receives an update from the SmartCenter Server.

3. In order to create a VPN, create a dynamic object to be placed in the VPN domain of the VPN-1 Edge/Embedded ROBO Gateway.

4. Update the Corporate Office Gateway.

In SmartDashboard, do the following:

5. Create a Security Policy, and install it on the SmartLSM VPN-1 Edge/Embedded profile.

6. Install the Security Policy on the VPN-1 Edge/Embedded Gateway.


VPN Creation using VPN-1 Edge/Embedded Objects via SmartLSM


All VPN-1 Edge/Embedded ROBO Gateways work in unrestricted Site-to-Site mode. In SmartLSM, VPN is supported using IKE authentication with Check Point internal certificates. For VPN to work, configuration needs to take place in SmartDashboard, as well as in SmartLSM. VPN is created as follows:
1 In the VPN-1 Edge/Embedded Portal, verify that a certificate has been installed on the VPN-1 Edge/Embedded Device, before establishing the VPN tunnel.
2 In SmartLSM:
Add a dynamic object to the VPN-1 Edge/Embedded ROBO Gateway. In order to implement VPN on VPN-1 Edge/Embedded ROBO Gateways, dynamic objects need to be added to the VPN domain of these Gateways.
Update the Corporate Office (CO) Gateway.
In SmartDashboard:
From the VPN Communities tab, add the CO Gateway and the VPN-1 Edge/Embedded Profile to the VPN Star Community.
Make sure that shared secret is only used for external members, and set the properties for the IKE negotiations.
In the Security Policy Rule Base, create a rule defining the services allowed via this community. Install this rule on the CO Gateway (and not on the SmartLSM VPN-1 Edge/Embedded profile).

Adding a VPN-1 Edge/Embedded ROBO Gateway to VPN

In SmartLSM:
1 In the VPN-1 Edge/Embedded ROBO Gateway, add a dynamic object. In the Dynamic Object Configuration window, check Add to VPN domain.
2 Update the CO Gateway.
In SmartDashboard:
3 From the VPN Communities tab, create a VPN Star community that includes the VPN-1 Edge/Embedded Profile and the CO Gateway, as follows:
In the Central Gateway page, click Add. Select the CO gateway from the displayed list, and click OK.


In the Satellite Gateways page, click Add. Select the SmartLSM VPN-1 Edge/Embedded profile from the displayed list, and click OK.
In the VPN Properties page, specify the IKE phase properties.
In the Advanced Settings > Shared Secret page, uncheck Use only Shared secret for all External Members.
4 Verify that the certificate is installed on the VPN-1 Edge/Embedded Device, before establishing the VPN tunnel.
5 In the Security Policy Rule Base, create a rule defining the services allowed via this community.
6 Install this rule on the CO Gateway (and not on the SmartLSM VPN-1 Edge/Embedded profile).
7 A topology file and a certificate are downloaded to the VPN-1 Edge/Embedded ROBO Gateway. This topology file lists the members of the VPN community, and specifies the encryption information.

Special Considerations for VPN Routing


A limitation exists for VPN routing with ROBO Gateways. The VPN routing option To center and to other satellites through center is not supported by ROBO gateways. To overcome this limitation for VPN-1 Edge and VPN-1 Express/Pro ROBOs: if the branch office Gateways are managed by SmartLSM as ROBO Gateways, enable VPN Routing for a hub and spoke configuration by editing the vpn_route.conf file on the relevant ROBO Gateways. For example:
Generate a group that contains the encryption domains of all the satellite ROBO Gateways, and call it Robo_domain.
Generate a group that contains all the central Gateways, and call it Center_gws.
In vpn_route.conf, add the rule:
TABLE 3-2 ROBO Gateways Rule
Destination | Router | Install On
Robo_domain | Center_gws | Robo_profile

Previously, a Star VPN topology supported VPN routing for satellites only when there was a single Gateway acting as a router. Multiple router Gateways are now supported, if the following condition is met: the Gateways listed under Install On in vpn_route.conf, or the satellite Gateways selected in SmartDashboard, are also NGX (R60) level Gateways. For more information, refer to Configuring ROBO Gateways and VPN Routing HOWTO in the VPN User Guide.

ROBO Clusters
You can configure two VPN-1 Edge ROBO gateways to comprise a logical entity, called a ROBO Cluster.
Note - A given ROBO gateway can only be a member of one ROBO Cluster.

A ROBO Cluster provides high-availability VPN connectivity by using two devices, each serving as an entry point to the same network. In a ROBO Cluster, there is no state synchronization between the devices. If the active ROBO Cluster member becomes unavailable, the users are not automatically connected to the other member. The party that initiated the communication must actively intervene to reconnect the users.

In order to create a topology in which two VPN-1 Edge ROBO gateways serve as entry points to the same network, a mechanism such as VRRP clustering must be configured for that network. This configuration will handle the routing in situations where only one of the gateways is available, as well as in situations where both of the gateways are available. In the VRRP configuration scheme:
The internal (LAN) interfaces of both devices are configured with different IP addresses. Both interfaces will have a third, shared IP address, which will be utilized by the member designated as the VRRP master. (The VRRP master designates which ROBO Cluster member will be active.)
The external interfaces of both devices will have different IP addresses.
The VPN domains of both gateways have to be the same.


The Central Office (CO) gateway recognizes that the two VPN-1 Edge ROBO gateways represent entry points to the same network. When the CO gateway initiates communication with that network, it will communicate with the ROBO Cluster member that last communicated with the CO gateway.
Note - The CO gateway may be in contact with several ROBO Clusters, located on different networks.

Creating a ROBO Cluster

To create a ROBO Cluster:
1 In the Check Point SmartLSM window, shown in the following figure, right-click the ROBO gateway that you want to designate as a member of the ROBO Cluster:

FIGURE 3-14 Check Point SmartLSM

2 Select Actions and click Define ROBO Cluster. Alternatively, from the Menu Bar, select the Actions menu and click Define ROBO Cluster, as shown in the following figure:

FIGURE 3-15 Actions menu

In both cases, the Define ROBO Cluster window appears, as shown in the following figure:

FIGURE 3-16 Create ROBO Cluster

If the Define ROBO Cluster window was displayed via the context menu, the First Member field will contain the name of the ROBO Gateway that you right-clicked, as shown in FIGURE 3-16. If the Define ROBO Cluster window was displayed via the main menu, you must enter both the First Member and the Second Member.
3 Click Find. The Search ROBO Gateway window appears, as shown in the following figure:

FIGURE 3-17 Search ROBO Gateway

4 Select the ROBO Gateway that you want as a member of the ROBO Cluster and click OK. The ROBO Cluster membership is indicated in several places, that is, in the Check Point SmartLSM Gateways List and in each ROBO Cluster member's Details tab, as shown in the following figures:

FIGURE 3-18 Gateways List (with 'In ROBO Cluster with' column)

FIGURE 3-19 ROBO Cluster member's Details tab

To remove a ROBO Cluster: In the Check Point SmartLSM window, click Remove ROBO Cluster, from either the Actions submenu of the selected ROBO Gateways context menu, or from the Actions menu, on the Menu Bar.

Creating VPN Rules for VPN-1 Edge/Embedded Objects


In order to create a VPN tunnel between the CO Gateway and the VPN-1 Edge/Embedded ROBO Gateway, you need to define the VPN Star community, and add the CO Gateway as a Central Gateway and the VPN-1 Edge ROBO Profile as the Satellite Gateway. Following are two rules that you may find useful. In the following rules:
MyCommunity - represents the VPN Community
MyProfile - represents the VPN-1 Edge/Embedded ROBO Profile
MyCO - represents the CO Gateway
CO_VPN_Domain - represents the encryption domain of the CO, or the group
Edge_Net - represents the exposed Dynamic Objects, in the case of the VPN-1 Edge/Embedded ROBO Gateway, or the network behind the VPN-1 Edge/Embedded Gateway

TABLE 3-3 Rule for outgoing connections
Source | Destination | VPN | Service | Action | Install On
Any | Any | MyCommunity | ftp, telnet | Accept | MyCO

TABLE 3-4 VPN rules: rules for incoming connections
Source | Destination | VPN | Service | Action | Install On
Edge_Net | CO_VPN_Domain | Any | ftp, telnet | Accept | MyProfile
CO_VPN_Domain | Edge_Net | Any | ftp, telnet | Accept | MyProfile

Downloading a Security Policy to a VPN-1 Edge/Embedded ROBO Gateway from the VPN-1 Edge/Embedded Portal
1 Log in from the VPN-1 Edge/Embedded portal to my.firewall.
2 Click Services and Accounts, and then click Refresh. Or click Services and Software Updates, and then click Update Now.
The VPN-1 Edge/Embedded ROBO Gateway polls for updates, and downloads the latest Security Policy.

Verifying Security Policy Download to the VPN-1 Edge/Embedded ROBO Gateway

Log in from the VPN-1 Edge/Embedded portal to my.firewall. Click Reports, and then click Event Log. Verify that the following message appears: Installed updated Security Policy (downloaded). Click Setup, then Tools and Diagnostics. The VPN-1 Edge/Embedded profile is displayed in the Policy field.



Downloading a Security Policy to a VPN-1 Edge/Embedded ROBO Gateway from SmartLSM


Select Actions > Push Policy. The SmartCenter Server pushes the Security Policy to the VPN-1 Edge/Embedded ROBO Gateway.

Deleting a ROBO Gateway Object


To remove a specific ROBO Gateway, select the ROBO Gateway, from the Gateways list, and select Delete ROBO Gateway from the Edit menu. This action revokes all the certificates of the specific ROBO Gateway.

Upgrading / Importing / Migrating SmartLSM Configurations


After importing an existing configuration containing SmartLSM data, either by performing an Advanced Upgrade procedure in SmartCenter (using the upgrade_import command) or by using CMA migration/import tools in the Provider-1 environment, policies should be reinstalled on all Profile objects. Until this is done, the ROBO gateways will not be able to fetch an updated policy from the management.

Push Actions for a Gateway


You can manipulate a selected Gateway that has a known IP Address using any of the following tools:
The SmartLSM menus (see Menus on page 32)
The SmartLSM toolbar (see Toolbar on page 36)
Right-click on a Gateway in the List pane, and select a menu option
Note - If a NAT device prevents the SmartLSM management (SmartCenter Server or Provider-1 CMA) from obtaining the real IP address of the ROBO gateways, the push actions will be unavailable.

You can perform any of the following operations:
Launch SmartDashboard - launch SmartDashboard. SmartDashboard will open with the last installed Policy of the respective Profile object.
Actions - initiate any of the operations available for the selected ROBO Gateway:
Push Dynamic Objects - push and install values of Dynamic Objects to the Gateway.
Push Policy - initiate a manual Fetch Policy from the ROBO Gateway.
Stop Gateway - stop the Check Point Gateway services on the Gateway. (Not for VPN-1 Edge/Embedded ROBO Gateway)
Start Gateway - start the Check Point Gateway services on the Gateway. (Not for VPN-1 Edge/Embedded ROBO Gateway)
Restart Gateway - restart the Check Point services on the Gateway.
Reboot Gateway - reboot the Gateway.
Get Status Details - display in-depth status information for the selected Gateway. (Not for VPN-1 Edge/Embedded ROBO Gateway)

Profiles and Policies


In This Section

Defining Check Point SmartLSM Profiles page 66
Defining Policies for the SmartLSM Profile Objects page 67
Defining Policy Allowing VPN from ROBO Gateway to CO Gateway page 68
Working with a Default Profile page 69

Defining Check Point SmartLSM Profiles


Profile objects are defined in SmartDashboard as ROBO SmartLSM Profiles. Proceed as follows:
1 Add a new SmartLSM Profile object as follows: from the Network Objects tab, select New > Check Point > SmartLSM Profile, then select whether you would like to create a VPN-1/FireWall-1 Profile or a VPN-1 Edge/Embedded Profile. The selected SmartLSM Profile window is displayed, showing its General Properties page.
2 In the General Properties page, define the new object as a SmartLSM Profile, by entering the following settings:
To create a new SmartLSM Profile, the only compulsory field to be entered is the Name of the Profile.
Add an optional Comment.
Note - By default, the Check Point Products section is set to NG Feature Pack 3, and to VPN-1 Pro.
3 Configure all the additional SmartLSM Profile pages. These pages and the fields therein are common to regular Gateway objects. For more information see the SmartCenter Guide.
4 Once all pages are configured, click OK to exit the SmartLSM Profile window. The new Profile will be added to the Network Objects tab of the Objects Tree.

Defining Policies for the SmartLSM Profile Objects


Note - It is recommended to define a separate Policy for every Profile, by configuring only the Profile object as the Installable Target of the Policy.

To define Policies for the SmartLSM Profile objects, proceed as follows:
1 Use the LocalMachine dynamic object to represent the ROBO Gateway.
2 Use the InternalNet, DMZnet and AuxiliaryNet dynamic objects to represent the respective networks behind the ROBO Gateway.
Note - You can define and use additional dynamic objects. The values for these dynamic objects will be set centrally, using SmartLSM (see Working with Dynamic Objects on page 70).

3 You can use dynamic objects in NAT rules as well.
Example 1: To hide the InternalNet behind the external IP address of the ROBO Gateway, you can define the following rule:
TABLE 3-5 Example NAT Hide
Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service
InternalNet | Any | Any | LocalMachine (H) | Any | Any

Example 2: To configure static NAT on all incoming http traffic going to a published IP address (the IP address is represented in the policy by a dynamic object called PublishedIP), as if it were going to a web server (represented by a dynamic object called WebServer), define the following rule:
TABLE 3-6 Static NAT
Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service
Any | PublishedIP | HTTP | Any | WebServer | HTTP

4 To allow Push actions from the SmartLSM, you must add a rule allowing an incoming FW1_CPRID service from the SmartCenter Server to LocalMachine.
5 Install the Policy on the Profile object. This action only prepares the Policy on the SmartCenter Server, to be fetched by the ROBO Gateways that reference this Profile.

Defining Policy Allowing VPN from ROBO Gateway to CO Gateway


1 Define a Star VPN Community, and configure all the relevant authentication and encryption properties for it.
2 Add the CO Gateway as a Central Gateway.
3 Add the Profile that represents the ROBO Gateways as a Satellite Gateway.
4 Add a security rule that allows VPN traffic:
TABLE 3-7 Security rule that allows VPN traffic
Source | Destination | Service | If Via | Action | Install On | Time
Any | Any | TELNET | Community | Accept | Any | Any
For example, this rule will allow encrypted telnet traffic that matches the community criteria defined previously.
5 Define a NAT Hide rule that will hide all the internal networks of a VPN behind the external IP address of the ROBO Gateway. For example:
TABLE 3-8 Example NAT Hide Rule
Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service
InternalNet | Any | Any | LocalMachine (H) | Any | Any
This rule hides the InternalNet interface. Define similar rules for DMZNet and AuxiliaryNet, if necessary.
6 To update the CO Gateway with the mapping of ROBO Gateways to Profiles, select the Update Corporate Office Gateway command from the Actions menu in the SmartLSM Application.



Working with a Default Profile


Default Profiles can be defined and used for VPN purposes. The default profile concept enables the CO Gateway to accept all VPN tunnels from unknown ROBO Gateways, as if they were mapped to the default profile. This is especially useful in scenarios where only one profile is used. To work with default profiles, proceed as follows. In SmartDashboard:
1 Define a profile.
2 Check Default Profiles in the Profile Based Management tab of the General Properties window.
3 Choose a profile to be used as the default profile.
4 Install the policy on all CO Gateways.

Defining a Policy to the Gateway that Protects the SmartCenter Server


You must specify explicit rules to allow Management traffic between ROBO Gateways and the SmartCenter Server. Since the ROBO Gateways can have Dynamic IPs, you must use "ANY" to represent all possible ROBO Gateway addresses. Add the following rules (Source | Destination | Service | Action):
1 ANY | SmartCenterServer | FW1 | Accept - to allow FW Control traffic
2 ANY | SmartCenterServer | CPD | Accept - to allow CPD Control traffic
3 ANY | SmartCenterServer | FW1_log | Accept - to allow log traffic
4 SmartCenterServer | ANY | CPD_amon | Accept - to allow status monitoring traffic
5 ANY | SmartCenterServer | FW1_ica_pull | Accept - to allow pulling certificates from the ROBO Gateway
6 SmartCenterServer | ANY | FW1_CPRID | Accept - to allow Push actions from SmartLSM (see Push Actions for a Gateway on page 65)
7 SmartCenterServer | ANY | FW1 | Accept - to allow VPN-1 Pro Control traffic
8 SmartCenterServer | ANY | CPD | Accept - to allow CPD Control traffic
9 SmartCenterServer | ANY | FW1_ica_push | Accept - to allow pushing certificates to the ROBO Gateway
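A check that reports which of the nine management rules above a rule base lacks or shadows, as an added example that is not part of the guide or of Check Point's tools. It assumes the rule base is available as pipe-separated lines in the same Source | Destination | Service | Action layout the list uses; the sample rule base is constructed.

```python
"""Report which of the guide's required management rules a rule base lacks.

Added example, not Check Point code. Input: pipe-separated rule lines in the
layout the guide's list uses: Source | Destination | Service | Action.
"""

# The nine rules the guide requires between ROBO Gateways and the
# SmartCenter Server, as (source, destination, service).
REQUIRED_MANAGEMENT_RULES = [
    ("ANY", "SmartCenterServer", "FW1"),           # FW control traffic
    ("ANY", "SmartCenterServer", "CPD"),           # CPD control traffic
    ("ANY", "SmartCenterServer", "FW1_log"),       # log traffic
    ("SmartCenterServer", "ANY", "CPD_amon"),      # status monitoring
    ("ANY", "SmartCenterServer", "FW1_ica_pull"),  # ROBO pulls its certificate
    ("SmartCenterServer", "ANY", "FW1_CPRID"),     # SmartLSM push actions
    ("SmartCenterServer", "ANY", "FW1"),           # VPN-1 Pro control traffic
    ("SmartCenterServer", "ANY", "CPD"),           # CPD control traffic
    ("SmartCenterServer", "ANY", "FW1_ica_push"),  # SmartCenter pushes a certificate
]


def parse_rule(line):
    """'ANY| SmartCenterServer| FW1| Accept' -> dict (tolerates the guide's spacing)."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 4:
        raise ValueError(f"expected Source|Destination|Service|Action, got: {line!r}")
    src, dst, svc, action = fields
    return {"src": src, "dst": dst, "svc": svc, "action": action.lower()}


def _covers(field, wanted):
    """A rule field covers the wanted value if it is the same object or ANY.
    A required ANY (all possible ROBO addresses) is only covered by ANY."""
    return field.upper() == "ANY" or field == wanted


def missing_management_rules(rule_lines):
    """Return the required (src, dst, svc) triples the rule base does not accept.

    Matching follows rule base order: the first rule whose Source, Destination
    and Service cover the required triple decides, so a Drop that matches
    first shadows a later Accept and the triple is reported as missing.
    """
    rules = [parse_rule(line) for line in rule_lines if line.strip()]
    missing = []
    for src, dst, svc in REQUIRED_MANAGEMENT_RULES:
        for rule in rules:
            if (_covers(rule["src"], src) and _covers(rule["dst"], dst)
                    and _covers(rule["svc"], svc)):
                if rule["action"] != "accept":
                    missing.append((src, dst, svc))
                break
        else:
            missing.append((src, dst, svc))
    return missing


# Constructed sample rule base: the FW1_ica_push rule is absent, and a Drop
# placed before the FW1_CPRID rule shadows it.
SAMPLE_RULE_BASE = """
ANY| SmartCenterServer| FW1| Accept
ANY| SmartCenterServer| CPD| Accept
ANY| SmartCenterServer| FW1_log| Accept
SmartCenterServer| ANY| CPD_amon| Accept
ANY| SmartCenterServer| FW1_ica_pull| Accept
SmartCenterServer| ANY| FW1_CPRID| Drop
SmartCenterServer| ANY| FW1_CPRID| Accept
SmartCenterServer| ANY| FW1| Accept
SmartCenterServer| ANY| CPD| Accept
""".strip().splitlines()

if __name__ == "__main__":
    for src, dst, svc in missing_management_rules(SAMPLE_RULE_BASE):
        print(f"missing: {src} | {dst} | {svc} | Accept")
```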


Working with Dynamic Objects


In This Section

Enforcing Predefined Dynamic Objects in the Rule Base page 70
Creating User-defined Dynamic Objects page 71

Dynamic Objects are placeholders for single IP Addresses, or IP Address ranges, which are dynamically updated. There are two types of Dynamic Objects which can be installed on SmartLSM VPN-1 Edge/Embedded profiles:
Predefined - these objects can be enforced in the rule base, and they cannot be modified or deleted.
LocalMachine_All_Interfaces - the DAIP machine interfaces (static and dynamic) are resolved into this object.
LocalMachine - represents the VPN-1 Edge/Embedded Device's external IP Address
InternalNet - represents the LAN protected by the VPN-1 Edge/Embedded Device
DMZNet - represents the DMZ network protected by the VPN-1 Edge/Embedded Device
AuxiliaryNet
User-defined - these are customized dynamic objects.

Enforcing Predefined Dynamic Objects in the Rule Base


1 Create security rules between the predefined Dynamic Object and another object. The second object may be a dynamic object.
2 Install the Security Policy on the SmartLSM VPN-1 Edge/Embedded Profile.
For instance: a rule allowing traffic between the LAN and the DMZ, which is installed on a SmartLSM VPN-1 Edge/Embedded Profile called Profile1.
TABLE 3-9 LAN Rules
Source | Destination | VPN | Service | Action | Log | Install On
InternalNet | DMZNet | *Any Traffic | Any | Accept | - None | Profile1

A rule allowing external hosts to ping the external IP address of the VPN-1 Edge/Embedded Device, configured with the SmartLSM VPN-1 Edge/Embedded Profile called Profile1, or LSM Profile1.
TABLE 3-10 External Hosts Rules
Source | Destination | VPN | Service | Action | Log | Install On
Any | LocalMachine | *Any Traffic | ICMP echo-request | Accept | - None | Profile1, LSMProfile1

Creating User-defined Dynamic Objects


User-defined dynamic objects must be created and added to the VPN-1 Edge/Embedded ROBO Gateway. These objects serve the following purposes:
To expose part, or all, of the VPN-1 Edge/Embedded Device's internal network to VPN-1 Pro, in order to create the VPN tunnel.
To represent one or more generic servers that exist in the remote sites.
To allow the creation of Security Policy rules containing the Dynamic Objects, and the installation of these rules on the SmartLSM VPN-1 Edge/Embedded Profile.
User-defined dynamic objects are created in SmartDashboard:
1 Select Manage > Network Objects > New > Dynamic Object.
2 Type the name of the dynamic object, and click OK. Once the dynamic object is created, it can be used across any number of VPN-1 Edge/Embedded ROBO Gateways, each time with different subnets and ranges.

For example, a VPN-1 Edge/Embedded Device is configured with the following networks behind it:
LAN network 192.168.10.1 - 192.168.10.255
DMZ network 192.168.253.1 - 192.168.253.255
This means that in order to create a VPN tunnel from part of the LAN network (192.168.10.1 - 192.168.10.128) and all of the DMZ network (192.168.253.1 - 192.168.253.255) to the central gateway, you must expose these parts of the network and add them to the VPN domain as follows:
Representing the safe part of the LAN: LSM_DO_Internal 192.168.10.1 - 192.168.10.128
Representing the entire DMZ: LSM_DO_DMZ 192.168.253.1 - 192.168.253.255


Status Information
Every Gateway row in the Gateways List pane has two Status fields, which relay status information about the Gateway and the Policy respectively. Following are the various status indications. They are relevant for both Gateways and Policies unless otherwise stipulated:
OK - the Gateway, or Policy, is up and running
Waiting - the SmartLSM has not yet received the status from the Server
Unknown - the status of the Gateway, or policy, is unknown
Not Responding (gateway status only) - the Gateway has not communicated with the SmartCenter Server
Needs Attention (gateway status only) - the Gateway is confronted with an issue, and needs to be examined
Untrusted (gateway status only) - SIC Trust was not established between the Gateway and the SmartCenter Server
Not Installed (policy only) - the policy has not been installed on the Gateway
Not Updated (policy only) - the policy has not been updated; the version of the policy installed on the Gateway is not the latest version reported as fetched by the SmartCenter Server
May be out of date (policy only) - the ROBO gateway has not fetched its policy within the periodic fetch interval
To get detailed status information for a specific Gateway, select the gateway's row, and select Get Status Details from the Actions menu. All the information pertinent to the status will be displayed.


CHAPTER 4

Command Line Reference

In This Chapter
Introduction page 73
Help page 73
CLI Actions page 74
SmartUpdate Actions for a ROBO Gateway page 95
Push Actions page 103
Converting Gateways page 105

Introduction
Check Point SmartLSM Command Line Utility (LSMcli) is a simple command line utility, an alternative to SmartLSM GUI. LSMcli provides the ability to perform SmartLSM GUI operations from a command line or through a script.
Note - Since LSMcli can run from different locations other than from the SmartConsole clients, be sure to define the location that LSMcli is running from as a GUI client (using cpconfig on the SmartCenter Server)

Help
Displays command line usage and provides examples for different actions. Usage
LSMcli [-h | --help]

73


CLI Actions
Use this command format to perform a ROBO Gateway command. Usage
LSMcli [-d] <Server> <User> <Pswd> <Action>

Parameters
TABLE 4-1 LSMCli parameters
Parameter | Explanation
Server | Name/IP address of the SmartCenter Server
User | The username used in the standard Check Point authentication method
Pswd | Password used in the standard Check Point authentication method
Action | Specific function performed, for example, AddROBO VPN1.

LSMCli enables you to perform the following ROBO Gateway commands:


In This Section

AddROBO VPN1 page 75
AddROBO VPN1Edge page 77
ModifyROBO VPN1 page 79
ModifyROBO VPN1Edge page 80
ResetSic page 87
ResetIke page 88
ExportIke page 89
UpdateCO page 90
Remove page 91
Show page 91
ModifyROBOConfigScript page 92
ShowROBOConfigScript page 93
ShowROBOTopology page 94

AddROBO VPN1
Add a new Check Point ROBO Gateway to SmartLSM. Applicable for Check Point ROBO Gateways only. Use to add a new Check Point ROBO Gateway to the SmartLSM system and assign it a specified security profile. If a one-time password is supplied, an SIC certificate will be created. If an IP address is supplied also, the SIC certificate will be pushed to the ROBO Gateway (in such cases, the ROBO Gateway SIC one-time password should be initialized first). If no IP address is supplied, the SIC certificate will be pulled from the ROBO Gateway afterwards. It is also possible to assign an IP range to Dynamic Objects, specifying whether to add them to the VPN domain. Usage
AddROBO VPN1 <RoboName> <Profile> [-RoboCluster=<OtherROBOName>] [-O=<ActivationKey> [-I=<IP>]] [-CA=<CaName> [-R=<CertificateIdentifier#>] [-KEY=<AuthorizationKey>]] [-D[E]:<DynamicObjectName>=<IP1>[-<IP2>] [-D[E]:..]]

Chapter 4

Command Line Reference

75


Parameters
TABLE 4-2 AddROBO VPN-1 parameters
Parameter | Explanation
RoboName | Name of a Check Point ROBO Gateway
Profile | Name of the Profile
OtherROBOName | Name of an already defined ROBO gateway that is to participate in the ROBO Cluster with the newly created ROBO (if the -RoboCluster argument is provided).
ActivationKey | SIC one-time password. (For this action, a certificate will be generated)
IP | IP address of the ROBO (For this action, the certificate will be pushed to the ROBO)
CaName | Name of the Trusted CA object (created from SmartDashboard). The IKE certificate request will be sent to this CA.
CertificateIdentifier# | A key identifier for the specific certificate.
AuthorizationKey | Authorization Key that will be sent to the CA for certificate retrieval.
DynamicObjectName | Name of the Dynamic Object
E | Obsolete, refer to the LSMcli command: ModifyROBOManualVPNDomain.
Ip1-Ip2 | IP range for the Dynamic Object

Example
AddROBO VPN1 MyRobo AnyProfile
AddROBO VPN1 MyRobo AnyProfile -O=MyPass -I=1.2.3.4 -DE:FirstDO=1.1.1.1
AddROBO VPN1 MyRobo AnyProfile -O=MyPass -I=10.10.10.1 -DE:FirstDO=10.10.10.5 -CA=OPSEC_CA -R=cert1233 -KEY=ab345

These examples add a new Check Point ROBO Gateway MyRobo and assign it the specified security profile AnyProfile. In the second and third examples, a one-time password is supplied, an IP address is supplied, and the Dynamic Object is added to the VPN domain.


AddROBO VPN1Edge
Add a new VPN-1 Edge/Embedded Gateway. Applicable for VPN-1 Edge/Embedded Gateways only. Use to add a new VPN-1 Edge/Embedded Gateway to the SmartLSM system and assign it a specified security profile. Specify the product type of the VPN-1 Edge/Embedded Gateway and the firmware installed, which can be set as local, default or user-defined. It is also possible to assign an IP range to Dynamic Objects, specifying whether to add them to the VPN domain. To load new firmware on the VPN-1 Edge/Embedded Gateway, use SmartUpdate. Usage
AddROBO VPN1Edge <RoboName> <Profile> <ProductType> [-RoboCluster=<OtherROBOName>] [-O=<RegistrationKey>] [-CA=<CaName> [-R=<CertificateIdentifier#>] [-KEY=<AuthorizationKey>]] [-F=LOCAL|DEFAULT|<Firmware-name>] [-M=<MAC>] [-K=<ProductKey>] [-D[E]:<D.O. name>=<IP1>[-<IP2>] [-D[E]:..]]


Parameters
TABLE 4-3 AddROBO VPN-1 Edge parameters
Parameter | Explanation
RoboName | Name of the VPN-1 Edge/Embedded Gateway
Profile | Name of the Profile
ProductType | Product type
OtherROBOName | Name of the already defined ROBO gateway that is to participate in the ROBO Cluster with the newly created ROBO (if the -RoboCluster argument is provided)
RegistrationKey | Registration Key
CaName | Name of the Trusted CA object (created from SmartDashboard). The IKE certificate request will be sent to this CA.
CertificateIdentifier# | Key identifier of the specific certificate
AuthorizationKey | Authorization Key that will be sent to the CA for certificate retrieval
Firmware-name | Firmware name, or LOCAL or DEFAULT
MAC | MAC address of the S-box, in the format xx:xx:xx:xx:xx:xx, where "x" is a hexadecimal digit
ProductKey | Product key (license), in the format xxxxxx-xxxxxx-xxxxxx, where "x" is a hexadecimal digit
DO Name | Name of the Dynamic Object
E | Obsolete, refer to the LSMcli command: ModifyROBOManualVPNDomain.
Ip1-Ip2 | IP range for the Dynamic Object

Example
AddROBO VPN1Edge MyRobo AnyProfile SBox-100
AddROBO VPN1Edge MyRobo AnyProfile IP30 -O=AnyRegKey -F=DEFAULT -M=00:08:AA:BB:CC:DD -K=123456-ABCDEF-ABC123
AddROBO VPN1Edge MyRobo AnyProfile SBox-100 -F=Safe@_Safe@_3.0.23_Generic_Safe@_fcs
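A helper that assembles the argv for AddROBO VPN1 and AddROBO VPN1Edge from the parameters documented above and validates them before anything is run (MAC and product key formats, IPv4 ranges for -D/-DE dynamic objects, and overlapping dynamic object ranges, the condition that the -IfOverlappingIPRangesDetected flag of ModifyROBOManualVPNDomain reacts to); it also serves the LSM_DO_Internal / LSM_DO_DMZ example from Creating User-defined Dynamic Objects. This is an added example, not LSMcli or guide code, and it assumes the action keywords follow the credentials as separate tokens, as in the usage lines; the server name and credentials are placeholders.

```python
"""Assemble and validate LSMcli AddROBO command lines.

Added example, not Check Point code: it only builds the argv that a
subprocess call would receive, after checking the argument formats the
guide documents. Assumes the action keywords follow <Server> <User> <Pswd>
as separate tokens, as in the usage lines.
"""
import ipaddress
import re
import sys
from itertools import combinations

# Formats documented for AddROBO VPN1Edge: MAC xx:xx:xx:xx:xx:xx and
# product key xxxxxx-xxxxxx-xxxxxx, "x" a hexadecimal digit.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
PRODUCT_KEY_RE = re.compile(r"^[0-9A-Fa-f]{6}(-[0-9A-Fa-f]{6}){2}$")


def parse_range(spec):
    """'192.168.10.1-192.168.10.128' or '1.1.1.1' -> (first, last) IPv4 addresses."""
    first, _, last = spec.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if last else lo
    if hi < lo:
        raise ValueError(f"range ends before it starts: {spec}")
    return lo, hi


def overlapping_objects(dynamic_objects):
    """Sorted names of dynamic objects whose IP ranges overlap.

    dynamic_objects: (name, 'ip1[-ip2]', in_vpn_domain) tuples.
    """
    parsed = [(name, *parse_range(spec)) for name, spec, _ in dynamic_objects]
    clashes = set()
    for (n1, lo1, hi1), (n2, lo2, hi2) in combinations(parsed, 2):
        if lo1 <= hi2 and lo2 <= hi1:  # the two ranges share an address
            clashes.update((n1, n2))
    return sorted(clashes)


def add_robo_argv(server, user, password, robo, profile, *, kind="VPN1",
                  product_type=None, key=None, ip=None, firmware=None,
                  mac=None, product_key=None, dynamic_objects=(),
                  on_overlap="exit"):
    """Return ['LSMcli', Server, User, Pswd, 'AddROBO', kind, RoboName, Profile, ...].

    kind is 'VPN1' (Check Point ROBO) or 'VPN1Edge'. key is the SIC one-time
    password (-O) for VPN1 and the registration key (-O) for VPN1Edge; ip is
    the ROBO address (-I), accepted only together with key as in the usage
    line. on_overlap mirrors exit|warn|ignore for overlapping ranges.
    <Pswd> is positional, so it is visible in process listings on the host
    that runs the script; treat that host like the SmartConsole client it is.
    """
    if kind not in ("VPN1", "VPN1Edge"):
        raise ValueError(f"unknown ROBO kind: {kind}")
    clashes = overlapping_objects(dynamic_objects)
    if clashes and on_overlap == "exit":
        raise ValueError("overlapping dynamic object ranges: " + ", ".join(clashes))
    if clashes and on_overlap == "warn":
        print("warning: overlapping dynamic object ranges: " + ", ".join(clashes),
              file=sys.stderr)

    argv = ["LSMcli", server, user, password, "AddROBO", kind, robo, profile]
    if kind == "VPN1Edge":
        if not product_type:
            raise ValueError("AddROBO VPN1Edge requires <ProductType>")
        argv.append(product_type)
    if key:
        argv.append(f"-O={key}")
    if ip:
        if kind != "VPN1" or not key:
            raise ValueError("-I=<IP> only applies to VPN1 together with -O")
        argv.append(f"-I={ipaddress.IPv4Address(ip)}")
    if kind == "VPN1Edge":
        if firmware:
            argv.append(f"-F={firmware}")
        if mac:
            if not MAC_RE.match(mac):
                raise ValueError(f"MAC must be xx:xx:xx:xx:xx:xx, got {mac}")
            argv.append(f"-M={mac}")
        if product_key:
            if not PRODUCT_KEY_RE.match(product_key):
                raise ValueError(f"product key must be xxxxxx-xxxxxx-xxxxxx, got {product_key}")
            argv.append(f"-K={product_key}")
    for name, spec, in_vpn_domain in dynamic_objects:
        lo, hi = parse_range(spec)
        span = str(lo) if lo == hi else f"{lo}-{hi}"
        argv.append(f"-D{'E' if in_vpn_domain else ''}:{name}={span}")
    return argv


if __name__ == "__main__":
    # Constructed: the LAN/DMZ objects from the dynamic object example, exposed
    # to the VPN domain, on a placeholder SmartCenter Server with placeholder
    # credentials.
    print(" ".join(add_robo_argv(
        "SMARTCENTER_PLACEHOLDER", "admin", "PASSWORD_PLACEHOLDER",
        "MyRobo", "AnyProfile", key="MyPass", ip="1.2.3.4",
        dynamic_objects=[("LSM_DO_Internal", "192.168.10.1-192.168.10.128", True),
                         ("LSM_DO_DMZ", "192.168.253.1-192.168.253.255", True)])))
```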


ModifyROBO VPN1
Modify a Check Point ROBO Gateway. Applicable for Check Point ROBO Gateways only. This action will modify the SmartLSM details for an existing ROBO Gateway and can be used to update properties previously supplied by the user. Usage
ModifyROBO VPN1 <RoboName> and at least one of: [-P=<Profile>] [-RoboCluster=<OtherROBOName>|-NoRoboCluster] [-D[E]:<D.O. name>=<IP1>[-<IP2>]..]

Parameters
TABLE 4-4 ModifyROBO VPN-1 parameters
Parameter | Explanation
RoboName | Name of the Check Point ROBO Gateway
Profile | Name of the Profile
OtherROBOName | Name of the already defined ROBO gateway that is to participate in the ROBO Cluster with the newly created ROBO (if the -RoboCluster argument is provided)
-NoRoboCluster | The -NoRoboCluster parameter is equivalent to the "Remove ROBO Cluster" operation from the GUI. When a ModifyROBO VPN1 command with this argument is issued on a ROBO that participates in a ROBO cluster, the cluster will be removed.
DO Name | Name of the Dynamic Object
E | Obsolete, refer to the LSMcli command: ModifyROBOManualVPNDomain.
Ip1-Ip2 | IP range for the Dynamic Object

Example
ModifyROBO VPN1 MyRobo -P=MyNewProfile
ModifyROBO VPN1 MyRobo -D:MyEmailServer=123.45.67.8 -D:MySpecialNet=10.10.10.1-10.10.10.6


ModifyROBO VPN1Edge
Modify a VPN-1 Edge/Embedded Gateway. Applicable for VPN-1 Edge/Embedded Gateways only. This action will modify the SmartLSM details for an existing VPN-1 Edge/Embedded Gateway and can be used to update properties previously supplied by the user. Usage
ModifyROBO VPN1Edge <RoboName> and at least one of: [-P=<Profile>] [-T=<ProductType>] [-RoboCluster=<OtherROBOName>|-NoRoboCluster] [-O=<RegistrationKey>] [-F=LOCAL|DEFAULT|<Firmware-name>] [-M=<MAC>] [-K=<ProductKey>] [-D[E]:<D.O. name>=<IP1>[-<IP2>]..]


Parameters
TABLE 4-5 ModifyROBO VPN-1 Edge parameters
Parameter | Explanation
RoboName | Name of the VPN-1 Edge/Embedded Gateway
Profile | Name of the Profile
ProductType | Product type
OtherROBOName | Name of the already defined ROBO gateway that is to participate in the ROBO Cluster with the newly created ROBO (if the -RoboCluster argument is provided)
-NoRoboCluster | The -NoRoboCluster parameter is equivalent to the "Remove ROBO Cluster" operation from the GUI. When a ModifyROBO VPN1 command with this argument is issued on a ROBO that participates in a ROBO cluster, the cluster will be removed.
RegistrationKey | Registration Key
Firmware | Firmware name, LOCAL or DEFAULT
MAC | MAC address of the S-box, in the format xx:xx:xx:xx:xx:xx, where "x" is a hexadecimal digit
ProductKey | Product key (license), in the format xxxxxx-xxxxxx-xxxxxx, where "x" is a hexadecimal digit
DO Name | Name of the Dynamic Object
E | Obsolete, refer to the LSMcli command: ModifyROBOManualVPNDomain.
Ip1-Ip2 | IP range for the Dynamic Object

Example
ModifyROBO VPN1Edge MyEdgeROBO -RoboCluster=MyOtherEdgeROBO
ModifyROBO VPN1Edge MyEdgeROBO -P=MyNewEdgeProfile -NoRoboCluster


ModifyROBOManualVPNDomain
Modify the ROBO VPN Domain, to take effect when the Manually defined option is selected. Usage
ModifyROBOManualVPNDomain <RoboName> and one of: -Add=<FirstIP-LastIP> | -Delete=<Index (as shown by the last ShowROBOTopology command)> and optionally: [-IfOverlappingIPRangesDetected=<exit|warn|ignore>]

Parameters
TABLE 4-6 ModifyROBOManual VPN Domain parameters

Parameter
RoboName FirstIP-LastIP Index IfOverlappingIPRanges Detected

Explanation

Name of the Check Point ROBO Gateway IP range Value displayed by ShowInfo command Flag to determine course of action, if overlapping IP ranges are detected. The options are: exit, warn and
ignore

Example
ModifyROBOManualVPNDomain ModifyROBOManualVPNDomain MyRobo -Add=1.1.1.1-1.1.1.2 MyRobo -Delete=1

ModifyROBOTopology VPN1
Modify the ROBO VPN Domain configuration for a selected Gateway.

Usage
ModifyROBOTopology VPN1 <RoboName> -VPNDomain=<not_defined|external_ip_only|topology|manual>

Parameters
TABLE 4-7 ModifyROBOTopology VPN-1 parameters

Parameter  Explanation
RoboName   Name of the Check Point ROBO Gateway
VPNDomain  Flag to determine the VPN Domain topology. The options are: not_defined, external_ip_only, topology, and manual.
           not_defined: equivalent to the Not Defined option in the Topology tab of a ROBO gateway in the SmartLSM GUI (or in the ShowROBOTopology output).
           external_ip_only: equivalent to Only the external interface.
           topology: equivalent to All IP Addresses behind the Gateway based on Topology information.
           manual: equivalent to Manually defined.

Example
ModifyROBOTopology VPN1 MyRobo -VPNDomain=manual

ModifyROBOTopology VPN1Edge
Modify the ROBO VPN-1 Edge VPN Domain configuration for a selected Gateway.

Usage
ModifyROBOTopology VPN1Edge <RoboName> and at least one of: [-VPNDomain=<not_defined|external_ip_only|topology|manual>] [-Enforce=<true|false>]

Parameters
TABLE 4-8 ModifyROBOTopology VPN-1 Edge parameters

Parameter  Explanation
RoboName   Name of the Check Point ROBO Gateway
VPNDomain  Flag to configure the VPN Domain topology. The options are: not_defined, external_ip_only, topology, and manual.
           not_defined: equivalent to the Not Defined option in the Topology tab of a ROBO gateway in the SmartLSM GUI (or in the ShowROBOTopology output).
           external_ip_only: equivalent to Only the external interface.
           topology: equivalent to All IP Addresses behind the Gateway based on Topology information.
           manual: equivalent to Manually defined.
Enforce    Flag to enable the ROBO VPN1Edge to retrieve the VPN Domain topology when Push or Fetch are executed.

Example
ModifyROBOTopology VPN1Edge MyRobo -VPNDomain=manual -Enforce=true

ModifyROBOInterface VPN1
Edits the ROBO VPN1 Internal Interface list.

Usage
ModifyROBOInterface VPN1 <RoboName> <InterfaceName> and at least one of: [-i=<IPAddress>] [-NetMask=<NetMask>] and optionally: [-IfOverlappingIPRangesDetected=<exit|warn|ignore>]

Parameters
TABLE 4-9 ModifyROBOInterface VPN-1 parameters

Parameter                      Explanation
RoboName                       Name of the Check Point ROBO Gateway
InterfaceName                  An existing Interface.
IPAddress                      The IP Address of the Interface.
NetMask                        The NetMask of the Interface.
IfOverlappingIPRangesDetected  Flag to determine the course of action if overlapping IP ranges are detected. The options are: exit, warn and ignore.

Example
ModifyROBOInterface VPN1 MyRobo eth0 -i=1.1.1.1 -NetMask=255.255.255.0

ModifyROBOInterface VPN1Edge
Edits the ROBO VPN1Edge Internal Interface list.

Usage
ModifyROBOInterface VPN1Edge <RoboName> <InterfaceName> and at least one of: [-i=<IPAddress>] [-NetMask=<NetMask>] [-Enabled=<true|false>] [-HideNAT=<true|false>] [-DHCPEnabled=<true|false>] [-DHCPIpAllocation=<automatic|<FirstIP-LastIP>|<IP Address of DHCP Relay Server>>] and optionally: [-IfOverlappingIPRangesDetected=<exit|warn|ignore>]

Parameters
TABLE 4-10 ModifyROBOInterface VPN-1 Edge parameters

Parameter                      Explanation
RoboName                       Name of the Check Point ROBO Gateway
InterfaceName                  An existing Interface.
IPAddress                      The IP Address of the Interface.
NetMask                        The NetMask of the Interface.
Enabled                        Flag to enable/disable the selected Interface.
HideNAT                        Flag to specify whether the Interface will be identified by the Gateway IP Address (hidden behind NAT).
DHCPEnabled                    Flag to enable dynamically allocated IP Addresses.
DHCPIpAllocation               Flag to determine how IP Addresses will be dynamically allocated. The options are: automatic, <FirstIP-LastIP>, and the IP Address of a DHCP Relay Server.
IfOverlappingIPRangesDetected  Flag to determine the course of action if overlapping IP ranges are detected. The options are: exit, warn and ignore.

Example
ModifyROBOInterface VPN1Edge MyRobo DMZ -i=1.1.1.1 -NetMask=255.255.255.0 -Enabled=true -HideNAT=false -DHCPEnabled=true -DHCPIpAllocation=automatic
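The -IfOverlappingIPRangesDetected flag of ModifyROBOManualVPNDomain and of the two ModifyROBOInterface commands above decides what happens when a new range collides with one already defined. The Python below, an added example and not LSMcli code, reproduces that exit/warn/ignore decision against a constructed list of ranges indexed the way ShowROBOTopology numbers them, and turns an interface -i/-NetMask pair into a range so one check covers both commands.

```python
import ipaddress
from typing import List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Constructed sample of a manually defined VPN Domain, in the order in which
# ShowROBOTopology would list it; index 1 is the first range, as -Delete expects.
EXISTING_RANGES = ["10.1.0.1-10.1.0.254", "192.168.5.1-192.168.5.50"]


def parse_range(text: str) -> IPRange:
    """Parse a FirstIP-LastIP argument, rejecting malformed or reversed ranges."""
    first, sep, last = text.partition("-")
    if not sep:
        raise ValueError(f"{text!r} is not of the form FirstIP-LastIP")
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"{text!r}: FirstIP is greater than LastIP")
    return lo, hi


def interface_range(ip: str, netmask: str) -> IPRange:
    """Address range covered by an interface given as -i=<IPAddress> -NetMask=<NetMask>."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    return net.network_address, net.broadcast_address


def overlapping_indexes(new: IPRange, existing: List[str]) -> List[int]:
    """1-based indexes of the existing ranges sharing at least one address with new."""
    hits = []
    for index, text in enumerate(existing, start=1):
        lo, hi = parse_range(text)
        if new[0] <= hi and lo <= new[1]:
            hits.append(index)
    return hits


def decide(new: IPRange, existing: List[str], on_overlap: str = "exit") -> Tuple[bool, List[str]]:
    """Apply the exit|warn|ignore policy; returns (accepted, messages).

    exit   rejects the change and reports the colliding ranges,
    warn   accepts it but still reports them,
    ignore accepts it silently.
    """
    if on_overlap not in ("exit", "warn", "ignore"):
        raise ValueError("on_overlap must be exit, warn or ignore")
    hits = overlapping_indexes(new, existing)
    if not hits or on_overlap == "ignore":
        return True, []
    messages = [f"overlaps existing range #{i}: {existing[i - 1]}" for i in hits]
    return on_overlap == "warn", messages
```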

AddROBOInterface VPN1
Add a new Interface to the selected ROBO VPN1 Gateway.

Usage
AddROBOInterface VPN1 <RoboName> <InterfaceName> -i=<IPAddress> -NetMask=<NetMask>

Parameters
TABLE 4-11 AddROBOInterface VPN-1 parameters

Parameter      Explanation
RoboName       Name of the Check Point ROBO Gateway
InterfaceName  An existing Interface.
IPAddress      The IP Address of the Interface.
NetMask        The NetMask of the Interface.

Example
AddROBOInterface VPN1 MyRobo eth0 -i=1.1.1.1 -NetMask=255.255.255.0

DeleteROBOInterface VPN1
Delete an Interface from the selected ROBO VPN1 Gateway.

Usage
DeleteROBOInterface VPN1 <RoboName> <InterfaceName>

Parameters
TABLE 4-12 DeleteROBOInterface VPN-1 parameters

Parameter      Explanation
RoboName       Name of the Check Point ROBO Gateway
InterfaceName  An existing Interface.

Example
DeleteROBOInterface VPN1 MyRobo eth0

ResetSic
Reset the SIC Certificate of a ROBO Gateway. Applicable for Check Point ROBO Gateways only. This action revokes the existing Gateway SIC certificate and creates a new one using the one-time password provided by the user. If an IP address is supplied for the ROBO Gateway, the SIC certificate is pushed to the ROBO Gateway, in which case the ROBO Gateway's SIC one-time password should be initialized first. Otherwise, if no IP address is given, the SIC certificate will later be pulled from the ROBO Gateway.

Usage
ResetSic <RoboName> <ActivationKey> [-I=<IP>]

Parameters
TABLE 4-13 ResetSic parameters

Parameter      Explanation
RoboName       Name of the Check Point ROBO Gateway
ActivationKey  One-time password for the Secure Internal Communication with the ROBO Gateway
IP             IP address of the ROBO (for this action, the certificate is pushed to the ROBO)

Example
ResetSic MyROBO aw47q1
ResetSic MyFixedIPROBO sp36rt1 -I=10.20.30.1

ResetIke
Reset the IKE Certificate of a ROBO Gateway. Applicable for Check Point and VPN-1 Edge/Embedded Gateways. This action revokes the existing IKE certificate and creates a new one.

Usage
ResetIke <RoboName> [-CA=<CaName> [-R=<CertificateIdentifier#>] [-KEY=<AuthorizationKey>]]

Parameters
TABLE 4-14 ResetIke parameters

Parameter              Explanation
RoboName               Name of the Check Point or VPN-1 Edge/Embedded Gateway
CaName                 Name of the Trusted CA object (created from SmartDashboard). The IKE certificate request is sent to this CA.
CertificateIdentifier  Key identifier of the specific certificate
AuthorizationKey       Authorization Key that is sent to the CA for the certificate retrieval

Example
ResetIke MyROBO -CA=OPSEC_CA -R=cer3452s -KEY=ad23fgh

ExportIke
Export the IKE Certificate of a ROBO Gateway into a P12 file, encrypted with a provided password.

Usage
ExportIke <RoboName> <Password> <FileName>

Parameters
TABLE 4-15 ExportIke parameters

Parameter  Explanation
RoboName   Name of the ROBO gateway (the one whose certificate will be exported)
Password   Password used to protect the p12 file
FileName   Destination file name (will be created)

Example
ExportIke MyROBO ajg42k93N MyROBOCert.p12


UpdateCO
Update a Corporate Office Gateway. This action updates the Corporate Office Gateway with up-to-date available information about the ROBO Gateways' VPN domains. Perform it after adding a new ROBO Gateway to enable the Corporate Office Gateway to initiate a VPN tunnel to the new ROBO Gateway. (Alternatively, it is possible to run the Install Policy action on the Corporate Office Gateway to obtain updated VPN Domain information.) Applicable for Corporate Office Gateways only.

Usage
UpdateCO <COgw|COgwCluster>

Parameters
TABLE 4-16 UpdateCO parameters

Parameter    Explanation
COgw         Name of a Corporate Office Gateway
COgwCluster  Name of a cluster of Corporate Office Gateways

Example
UpdateCO MyCO

Remove
Delete a ROBO Gateway. This action revokes all the certificates used by the ROBO Gateway, releases all the licenses and, finally, removes the ROBO Gateway. Applicable for Check Point and VPN-1 Edge/Embedded Gateways.

Usage
Remove <RoboName> <ID>

Parameters
TABLE 4-17 Remove parameters

Parameter  Explanation
RoboName   Name of VPN-1 Express/Pro or VPN-1 Edge/Embedded Gateway
ID         ID of the ROBO Gateway (use the Show command to check the ID of the specific ROBO Gateway)

Example
Remove MyRobo 0.0.0.251

Show
Display a list of existing Gateways. Applicable for Check Point and VPN-1 Edge/Embedded Gateways.

Usage
Show [-N=Name] [-F=nbcitvpglskd]

Parameters
TABLE 4-18 Show parameters

Parameter  Explanation
-N         Name: the name of the Gateway to display. If the -N flag is not included, this action prints the list of all existing Gateways, including ROBO Gateways, to stdout (standard output).
-F         Filter the information printed out using the following flags:
           n  Name
           b  ID
           c  Cluster ID
           i  IP Address
           t  Type
           v  Version
           p  Profile
           g  Gateway status
           l  Policy status
           s  SIC DN
           k  IKE DN
           d  List of Dynamic Objects assigned to this ROBO Gateway

Example
Show MyRobo
Show -F=nibtp

ModifyROBOConfigScript and ShowROBOConfigScript
ModifyROBOConfigScript and ShowROBOConfigScript are equivalent to the Configuration Script tab in the SmartLSM GUI for VPN-1 Edge ROBO gateways. (Applicable only to VPN-1 Edge ROBO gateways.)

ModifyROBOConfigScript
ModifyROBOConfigScript sets the given VPN-1 Edge ROBO gateway's configuration script to be a copy of the contents of the given text file <inputScriptFile>.

Usage
ModifyROBOConfigScript VPN1Edge <RoboName> <inputScriptFile>

Parameters
TABLE 4-19 ModifyROBOConfigScript parameters

Parameter        Explanation
RoboName         Name of VPN-1 Edge/Embedded Gateway
inputScriptFile  Text file whose contents become the given VPN-1 Edge ROBO gateway's configuration script.

Example
ModifyROBOConfigScript VPN1Edge MyRobo myScriptFile

ShowROBOConfigScript
ShowROBOConfigScript shows the given VPN-1 Edge ROBO gateway's configuration script, and its Profile's configuration script.

Usage
ShowROBOConfigScript VPN1Edge <RoboName>

Parameters
TABLE 4-20 ShowROBOConfigScript parameters

Parameter  Explanation
RoboName   Name of VPN-1 Edge/Embedded Gateway

Example
ShowROBOConfigScript VPN1Edge MyRobo


ShowROBOTopology
Displays the Topology information of the ROBO gateway. It lists the defined Interfaces with their respective IP Addresses and Network Masks, and the VPN Domain configuration. The indexes of the manually defined VPN domain IP ranges in the displayed list can be used when requesting to delete a range via the ModifyROBOManualVPNDomain command.

Usage
ShowROBOTopology <RoboName>

Parameters
TABLE 4-21 ShowROBOTopology parameters

Parameter  Explanation
RoboName   Name of VPN-1 Express/Pro or VPN-1 Edge/Embedded Gateway

Example
ShowROBOTopology MyRobo

SmartUpdate Actions for a ROBO Gateway

Before software can be installed on gateways, it must first be loaded to the SmartCenter Server. Installations are then conducted using SmartUpdate. Before installing software, it is recommended that you check that the software is compatible by running the VerifyInstall command first; see VerifyInstall on page 97. Install software using the Install command; see Install on page 95. Uninstall using the Uninstall command; see Uninstall on page 96.

In This Section
Install         page 95
Uninstall       page 96
VerifyInstall   page 97
Distribute      page 98
Upgrade         page 99
VerifyUpgrade   page 99
GetInfo         page 100
ShowInfo        page 100
ShowRepository  page 101
Stop            page 101
Start           page 102
Restart         page 102
Reboot          page 103

Install
Install a product to a ROBO Gateway. This action installs the specified software on the ROBO Gateway. Note that the software must be loaded to the SmartCenter Server before attempting to install it to the ROBO Gateway. It is recommended that you run the VerifyInstall command first, before installing software on the ROBO Gateway. Applicable to Check Point ROBO Gateways only.

Usage
Install <RoboName> <Product> <Vendor> <Version> <SP> [-P=Profile] [-boot] [-DoNotDistribute]

Parameters
TABLE 4-22 Install parameters

Parameter         Explanation
RoboName          Name of the Check Point ROBO Gateway
Product           Name of the package
Vendor            Name of the vendor of the package
Version           Major Version of the package
SP                Minor Version of the package
Profile           Assign a security profile to the ROBO Gateway after installation
-boot             Reboot the ROBO Gateway after the installation is finished
-DoNotDistribute  (Optional) Install previously distributed packages.

Example
Install MyRobo firewall checkpoint NG_AI fcs -P=AnyProfile -boot

Uninstall
Uninstall a product on a ROBO Gateway. This action uninstalls the specified package from the ROBO Gateway. One can use the ShowInfo command to see what products are installed on the ROBO Gateway. Applicable to Check Point ROBO Gateways only.

Usage
Uninstall <ROBO> <Product> <Vendor> <Version> <SP> [-P=Profile] [-boot]

Parameters
TABLE 4-23 Uninstall parameters

Parameter  Explanation
ROBO       Name of the Check Point ROBO Gateway
Product    Name of the package
Vendor     Name of the vendor of the package
Version    Major Version of the package
SP         Minor Version of the package
Profile    Assign a security profile to the ROBO Gateway after installation
-boot      Reboot the ROBO Gateway after the installation is finished

Example
Uninstall MyRobo firewall checkpoint NG_AI fcs -boot

VerifyInstall
This action verifies whether the selected software can be installed on the ROBO Gateway, i.e. that the software is compatible. Note that this action does not perform an installation. Run this command before using the Install command to install software on the ROBO Gateway. Applicable to Check Point ROBO Gateways only.

Usage
VerifyInstall <RoboName> <Product> <Vendor> <Version> <SP>

Parameters
TABLE 4-24 VerifyInstall parameters

Parameter  Explanation
RoboName   Name of the Check Point ROBO Gateway
Product    Name of the package
Vendor     Name of the vendor of the package
Version    Major Version of the package
SP         Minor Version of the package

Example
VerifyInstall MyRobo firewall checkpoint NG_AI fcs

Distribute
This action distributes a package from the Repository to the ROBO Gateway, but does not install it.

Usage
Distribute <RoboName> <Product> <Vendor> <Version> <SP>

Parameters
TABLE 4-25 Distribute parameters

Parameter  Explanation
RoboName   Name of the Check Point ROBO Gateway
Product    Name of the package
Vendor     Name of the vendor of the package
Version    Major Version of the package
SP         Minor Version of the package

Example
Distribute MyRobo fw1 checkpoint NG_AI R54


Upgrade
This action upgrades all the (appropriate) available software packages on the ROBO Gateway. Applicable to Check Point ROBO Gateways only.

Usage
Upgrade <RoboName> [-P=Profile] [-boot]

Parameters
TABLE 4-26 Upgrade parameters

Parameter  Explanation
RoboName   Name of the Check Point ROBO Gateway
Profile    Assign a security profile to the ROBO Gateway after installation
-boot      Reboot the ROBO Gateway after the installation is finished

Example
Upgrade MyRobo -boot

VerifyUpgrade
This action verifies whether the selected software can be upgraded on the ROBO Gateway, i.e. that the software is compatible. Note that this action does not perform an installation. Run this command before using the Upgrade command. Applicable to Check Point ROBO Gateways only.

Usage
VerifyUpgrade <RoboName>

Parameters
TABLE 4-27 VerifyUpgrade parameters

Parameter  Explanation
RoboName   Name of the Check Point ROBO Gateway

Example
VerifyUpgrade MyRobo


GetInfo
This action collects product information from the ROBO Gateway. You must run this command before running the ShowInfo command if you change the product configuration on a ROBO Gateway manually, that is, if you manually upgrade any package rather than use SmartUpdate. Applicable to Check Point ROBO Gateways only.

Usage
GetInfo <RoboName>

Parameters
TABLE 4-28 GetInfo parameters

Parameter  Explanation
RoboName   Name of the Check Point ROBO Gateway

Example
GetInfo MyRobo

ShowInfo
This action displays product information for the list of the products installed on the ROBO Gateway. For a Check Point ROBO Gateway, run the GetInfo command before using this action to be sure the information displayed is up-to-date. Applicable to Check Point and VPN-1 Edge/Embedded Gateways.

Usage
ShowInfo <VPN1EdgeRoboName>

Parameters
TABLE 4-29 ShowInfo parameters

Parameter         Explanation
VPN1EdgeRoboName  Name of the Check Point or VPN-1 Edge/Embedded Gateway

Example
ShowInfo MyRobo

ShowRepository
This action shows the list of the available products on the SmartCenter Server. Use SmartUpdate to manage the products, load new products, remove products, and so on.

Usage
ShowRepository

Parameters
TABLE 4-30 ShowRepository parameters

Parameter  Explanation
None

Example
ShowRepository

Stop
This action stops a Gateway: it stops the Check Point services on the chosen Gateway. Note that this action utilizes CPRID, so CPRID services must be running on the Gateway. Applicable to Check Point Gateways and Check Point ROBO Gateways.

Usage
Stop <Robo|Gateway>

Parameters
TABLE 4-31 Stop parameters

Parameter     Explanation
Robo|Gateway  Name of the Check Point ROBO Gateway, or Check Point Gateway

Example
Stop MyRobo


Start
This action starts Check Point services on the chosen Gateway. Note that this action utilizes CPRID, so CPRID services must be running on the Gateway. Applicable to Check Point Gateways and Check Point ROBO Gateways.

Usage
Start <Robo|Gateway>

Parameters
TABLE 4-32 Start parameters

Parameter     Explanation
Robo|Gateway  Name of the Check Point ROBO Gateway or Check Point Gateway

Example
Start MyRobo

Restart
This action restarts Check Point services on the chosen Gateway. Note that this action utilizes CPRID, so CPRID services must be running on the Gateway. Applicable to Check Point ROBO Gateways, VPN-1 Edge/Embedded Gateways and Check Point Gateways.

Usage
Restart <Robo|Gateway>

Parameters
TABLE 4-33 Restart parameters

Parameter     Explanation
Robo|Gateway  Name of the Check Point ROBO Gateway, VPN-1 Edge/Embedded Gateway or Check Point Gateway

Example
Restart MyRobo

Reboot
This action reboots the chosen Gateway. Note that this action utilizes CPRID, so CPRID services must be running on the Gateway. Applicable to Check Point ROBO Gateways, VPN-1 Edge/Embedded Gateways and Check Point Gateways.

Usage
Reboot <Robo|Gateway>

Parameters
TABLE 4-34 Reboot parameters

Parameter     Explanation
Robo|Gateway  Name of the Check Point ROBO Gateway, VPN-1 Edge/Embedded Gateway or Check Point Gateway

Example
Reboot MyRobo

Push Actions
The following commands are used to push a gateway Policy or a Dynamic Object policy, respectively. After creating a gateway or dynamic object in the SmartLSM system, it must be assigned a security policy. Use the push action to commit the security policy; see PushPolicy on page 103 and PushDOs on page 104.

In This Section
PushPolicy  page 103
PushDOs     page 104
GetStatus   page 105

PushPolicy
This action pushes a Policy to the chosen Gateway. Note that this action utilizes CPRID, so CPRID services must be running on the Gateway. Applicable to Check Point ROBO Gateways and VPN-1 Edge/Embedded Gateways.

Usage
PushPolicy <Robo|Gateway>


Parameters
TABLE 4-35 PushPolicy parameters

Parameter     Explanation
Robo|Gateway  Name of the Check Point / VPN-1 Edge Gateway

Example
PushPolicy MyRobo

PushDOs
This action updates a Dynamic Object's information on the ROBO Gateway. Note that this action does not remove/release the IP range of a deleted Dynamic Object, but only adds new ones. To overcome this difficulty, run the PushPolicy command. Applicable to Check Point ROBO Gateways and VPN-1 Edge/Embedded Gateways.

Usage
PushDOs <RoboName>

Parameters
TABLE 4-36 PushDOs parameters

Parameter  Explanation
RoboName   Name of the Check Point / VPN-1 Edge/Embedded Gateway

Example
PushDOs MyRobo

GetStatus
This action fetches various statistics from the chosen Gateway. Applicable to Check Point ROBO and Check Point Gateways.

Usage
GetStatus <Robo|Gateway>

Parameters
TABLE 4-37 GetStatus parameters

Parameter     Explanation
Robo|Gateway  Name of the Check Point ROBO or Check Point Gateway

Example
GetStatus MyRobo

Converting Gateways
The following commands allow you to convert a Gateway from a ROBO Gateway to a regular Gateway and vice versa.

In This Section
Convert ROBO VPN1         page 105
Convert Gateway VPN1      page 106
Convert ROBO VPN1Edge     page 108
Convert Gateway VPN1Edge  page 108

Convert ROBO VPN1
This action converts a Check Point ROBO Gateway to a Check Point Gateway. You can specify whether the Gateway should be a CO Gateway or not. Applicable to Check Point ROBO Gateways only.

Usage
Convert ROBO VPN1 <Name> [-CO] [-Force]


Parameters
TABLE 4-38 Convert ROBO VPN-1 parameters

Parameter  Explanation
Name       Name of the Check Point or VPN-1 Edge/Embedded Gateway
CO         Define as a CO Gateway
Force      Convert the Gateway, even if no connection can be established

The Force flag should be used with caution, because a forced conversion will succeed even if no connection with the ROBO Gateway exists. If this happens, the user should finish off the remote operations manually on the ROBO Gateway computer, using the following commands:
Execute the command LSMenabler r off to turn off ROBO Gateway support.
Execute the command LSMenabler on to make the Gateway a CO Gateway.
The user must then define Gateway parameters, such as interfaces, communities, policies and so on, using SmartDashboard. The policy should be installed using SmartDashboard.
Note - Using the Daip flag on a computer with no DHCP configured may result in a malfunction of the Gateway.

Example
Convert ROBO VPN1 MyRobo -CO
Convert ROBO VPN1 MyRobo -Force

Convert Gateway VPN1
Convert a Check Point Gateway to a Check Point ROBO Gateway. You can specify whether the Gateway should have a Dynamic IP Address, or be a CO Gateway, or neither. Applicable to Check Point Gateways only.

Usage
Convert Gateway VPN1 <Name> <Profile> [<-E=EXT> [-I=INT] [-D=DMZ] [-A=AUX]] [-NoRestart] [-Force]

Parameters
TABLE 4-39 Convert Gateway VPN-1 parameters

Parameter  Explanation
Name       Name of the Check Point or VPN-1 Edge/Embedded Gateway
Profile    Assign a security profile to the ROBO Gateway after installation
EXT        Name of external interface
INT        Name of internal interface
DMZ        Name of DMZ interface
AUX        Name of auxiliary interface
NoRestart  Do not restart Check Point services on the remote machine after the convert operation has finished
Force      Convert the Gateway, even if no connection can be established

The Force flag should be used with caution, because a forced conversion will succeed even if no connection with the ROBO Gateway exists. If this happens, the user should finish off the remote operations manually on the ROBO Gateway computer, using the following commands:
Execute the command LSMenabler r off to turn off ROBO Gateway support.
Execute the command LSMenabler on to make the Gateway a CO Gateway.
The user must then define Gateway parameters, such as interfaces, communities, policies and so on, using SmartDashboard. The policy should be installed using SmartDashboard.

Example
Convert Gateway VPN1 MyGW MyProfile -NoRestart
Convert Gateway VPN1 MyGW MyProfile -E=hme0 -I=hme1 -D=hme2 -Force


Convert ROBO VPN1Edge
Convert a VPN-1 Edge/Embedded ROBO Gateway to a VPN-1 Edge/Embedded Gateway. You must completely define the Gateway using SmartDashboard, as well as adjusting the security policy and reinstalling it. Applicable to VPN-1 Edge/Embedded Gateways only.

Usage
Convert ROBO VPN1Edge <Name>

Parameters
TABLE 4-40 Convert ROBO VPN-1 Edge parameters

Parameter  Explanation
Name       Name of the VPN-1 Edge/Embedded Gateway

Example
Convert ROBO VPN1Edge MyRobo

Convert Gateway VPN1Edge
Convert a VPN-1 Edge/Embedded Gateway to a VPN-1 Edge/Embedded ROBO Gateway. The gateway will be assigned the specified security Profile. You must completely define the Gateway using SmartDashboard, as well as adjusting the security policy and reinstalling it. Applicable to VPN-1 Edge/Embedded Gateways only.

Usage
Convert Gateway VPN1Edge <Name> <Profile>

Parameters
TABLE 4-41 Convert Gateway VPN-1 Edge parameters

Parameter  Explanation
Name       Name of the VPN-1 Edge/Embedded Gateway
Profile    Assign a security profile to the Gateway after installation

Example
Convert Gateway VPN1Edge MyRobo MyProfile

CHAPTER

Troubleshooting
Status Information
SmartLSM supports the Sign of Life status notification for every ROBO Gateway. You can get In-Depth status monitoring information (similar to the information displayed in Check Point SmartView Monitor) per ROBO Gateway. To do so, right-click on a ROBO Gateway row and choose Actions > Get Status Details...

Logging
You can use the ID field of a ROBO Gateway to track logs in the Check Point SmartView Tracker. This ID will be the Origin IP address of all logs generated by a ROBO Gateway (this is necessary since a ROBO Gateway can have a dynamic IP address, so using that IP address as the identifier of logs is futile).

VPN Troubleshooting Tools


You can use the information in the IKE DN field of SmartLSM to track IKE Negotiations between a ROBO Gateway and a peer CO Gateway.

