
Configuring Integration with Checkpoint™ Firewall-1®

The Configuration Compliance Manager CheckPoint scan module connects to a CheckPoint Management Server using the OPSEC CPMI API. The CheckPoint Firewall retriever works only on the OPSEC server and not on the individual firewalls. There are several configuration steps that must be taken on the CheckPoint Management Server itself and in Configuration Compliance Manager to use the CheckPoint scan module. Note that the Checkpoint Firewall-1 selection is available only if the Firewalls module has been licensed.

Configuring the CheckPoint Management Server

The CheckPoint Management Server must be configured to allow connections from the Configuration Compliance Manager Scan Engine to certain services. These services are:

•CPMI (tcp/18190)
•FW1 (tcp/256)
•FW1_key (tcp/265)
•FW1_ica_pull (tcp/18210)

The CheckPoint Management Server must also be configured to allow the Configuration Compliance Manager Scan Engine to connect with SIC (Secure Internal Communication). This process involves adding an entry for the Configuration Compliance Manager Engine as an OPSEC application, setting up a one-time activation key, then having the Scan Engine connect to the CheckPoint Management Server to get an OPSEC certificate.

This is done (from the CheckPoint SmartDashboard in Windows) by going to the Manage menu and selecting "Servers and OPSEC Applications...", then creating a new "OPSEC Application" entry:

•For Name, enter a name for the OPSEC application. You will need to enter this exact same name into the Configuration Compliance Manager Console.
•For Host, add an entry for the Configuration Compliance Manager Scan Engine. You'll need to enter the IP address of the engine.
•Vendor should be "User defined".
•In the "Client Entities" box, select CPMI and nothing else.

Then click the Communication button to set up SIC. In the Communication dialog, enter an Activation Key. This is a one-time password used to establish trust between the Configuration Compliance Manager Scan Engine and the CheckPoint Management Server. You will need to enter this key in the Configuration Compliance Manager Console. Once the key is entered, click the Initialize button, then Close.

Configuring Configuration Compliance Manager

Once the CheckPoint Management Server is configured to allow the Configuration Compliance Manager Scan Engine, Configuration Compliance Manager must be configured to connect to it.

During the configuration process, the Configuration Compliance Manager Console will instruct the appropriate engine to connect to the CheckPoint Management Server to retrieve the SIC certificate. Before starting this process, ensure that you have the Scan Engine set up and a Network Profile configured that contains the IP address of the CheckPoint Management Server. All scans using the Scan Engine should be stopped before configuring the CheckPoint authentication, but it is not necessary: Configuration Compliance Manager will warn if scans are running on the engine, but it will allow you to continue.

To configure Configuration Compliance Manager, in the Console go to the Settings menu and select "System...". Go to the "CheckPoint Firewall-1 Settings" panel in the "Third-Party Integration" section. Click "Add..." to get to the configuration dialog.

•For IP Address, enter the IP address of the CheckPoint Management Server.
•Username and Password are the authentication credentials required to connect to the CheckPoint Management Server. Either use the administrator account, or some other account if the access controls are configured to allow other users.
•OPSEC Application Name is the same name entered as part of the configuration process on the CheckPoint Management Server.
•Activation Key is the activation key from the configuration process on the CheckPoint Management Server.

When the OK button is clicked, the Console will instruct the Configuration Compliance Manager Scan Engine to retrieve the OPSEC certificate from the CheckPoint Management Server. This can only happen if there is a Network Profile set up and the Scan Engine is connected. If this is successful, an entry will be added to the list in the configuration panel in Configuration Compliance Manager. If an error occurs, the information will not be saved. Here are some common errors:

Opsec error. rc=-1 err=-94 There was a problem when trying to establish an SSL connection.
Can't connect to the CheckPoint Management Server. Make sure the firewall is configured to allow the Scan Engine to connect to it on the needed ports.

Opsec error. rc=-1 err=-96 Connection error. Probably peer was not authenticated.
The Activation Key is incorrect. Reset the SIC on the CheckPoint and try again.

Opsec error. rc=-1 err=-93 The referred entity does not exist in the Certificate Authority.
The name has been entered wrong or trust has already been established.

Once the certificate is retrieved, it cannot be retrieved again without resetting SIC in CheckPoint. If you try to Edit an entry, you will be able to change the Username and Password used to authenticate to the CheckPoint Management Server, but you cannot change any other entries. If you want to renew the certificate or trust relationship, you have to delete the entry and create a new one.

Scanning

Once the trust relationship is established between the Configuration Compliance Manager Scan Engine and the CheckPoint Management Server, when a scan is performed against the CheckPoint it should gather the data. No extra configuration is needed in the Advanced Scan or Compliance Task configuration dialogs.
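The err=-94 case above is usually a firewall rule base that does not allow the Scan Engine to reach the four listed services. The following pre-flight check, an added example that is not part of the Configuration Compliance Manager product, is run from the Scan Engine host before the OPSEC application is configured; the Management Server address 192.0.2.10 is a placeholder.

```python
"""Pre-flight connectivity check from the Configuration Compliance Manager
Scan Engine host to the CheckPoint Management Server (added example)."""
import socket
import sys
from typing import Dict, List

# Services the CheckPoint Management Server must accept from the Scan Engine,
# taken from the integration instructions above.
REQUIRED_SERVICES: Dict[str, int] = {
    "CPMI": 18190,
    "FW1": 256,
    "FW1_key": 265,
    "FW1_ica_pull": 18210,
}


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, filtered (timeout) or host unreachable.
        return False


def check_services(host: str, services: Dict[str, int] = REQUIRED_SERVICES,
                   timeout: float = 3.0) -> Dict[str, bool]:
    """Probe every required service; maps service name to reachability."""
    return {name: tcp_port_open(host, port, timeout)
            for name, port in services.items()}


def missing_services(results: Dict[str, bool]) -> List[str]:
    """Names of services that were not reachable (the likely cause of err=-94)."""
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    # Placeholder address: pass the real CheckPoint Management Server IP as argv[1].
    mgmt_server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = check_services(mgmt_server)
    for name, ok in results.items():
        print(f"{name:14s} tcp/{REQUIRED_SERVICES[name]:<6} {'open' if ok else 'BLOCKED'}")
    blocked = missing_services(results)
    if blocked:
        print("Blocked:", ", ".join(blocked),
              "- fix the rule base before clicking OK in the CheckPoint Firewall-1 Settings dialog.")
```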