
SmartView Monitor

NGX (R60)

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at:

https://secureknowledge.checkpoint.com
See the latest version of this document in the User Center at:

http://www.checkpoint.com/support/technical/documents/docs_r60.html

Part No.: 701311 May 2005

2003-2005 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:


Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
2003-2005 Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.


Check Point Software Technologies Ltd.


U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, info@CheckPoint.com International Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com


Table Of Contents

Chapter 1 SmartView Monitor Overview
Introduction
SmartView Monitor Considerations
What's In This Book

Chapter 2 Before You Begin
Introduction
Terminology
Understanding the User Interface
Gateways View
Traffic View
Counters View
Tunnels View
Remote Users View

Chapter 3 Monitoring Gateways
Gateways Solution
How does it work?
Gateway Statuses
Displaying Gateway Information
Views about a Specific Gateway
Interfering Actions
Thresholds
Alert Dialog
Configuring Gateway Views
Defining the Frequency at which Status Information is Fetched
Start/Stop Cluster Member
Select and Run a Gateways View
View In-Depth Information about a Specific Gateway
Create a Custom Gateway View
Edit a Predefined or Custom Gateway View
Defining a Threshold
Define Global Threshold Settings
Delete a Custom Gateway View
Copy a Gateway View
Rename a Custom Gateway View
Export a Custom Traffic or Counter View

Chapter 4 Monitoring Traffic or Counters
Traffic or Counters Solution
Traffic
Counters
Traffic or Counters Configuration
Select and Run a Predefined or Custom Traffic or Counter View
Create a New Traffic or Counters Results View
Create a Real-Time Custom Traffic or Counter View
Create a History Traffic or Counter View
Edit a Predefined Custom or Traffic View
Edit a Custom Traffic or Counter View
Copy a Traffic or Counter View
Rename a Custom Traffic or Counter View
Delete a Custom Traffic or Counter View
Export a Custom Traffic or Counter View
Recording a Traffic or Counter View

Chapter 5 Monitoring Tunnels
Tunnels Solution
Tunnel View Configuration
Run a Tunnel View
Create a Custom Tunnel View
Edit a Custom Tunnel View
Edit a Predefined Tunnel View
Delete a Custom Tunnel View
Copy a Tunnel View
Rename a Custom Tunnel View

Chapter 6 Monitoring Remote Users
Remote Users Solution
Remote Users View Configuration
Run a Remote Users View
Create a Custom Remote Users View
Edit a Custom Remote Users View
Edit a Predefined Remote Users View
Delete a Custom Remote Users View
Copy a Remote Users View
Rename a Custom Remote Users View

Chapter 7 Monitoring Suspicious Activity Rules
The Need for Suspicious Activity Rules
Suspicious Activity Rules Solution
Configure Suspicious Activity Rules
Create a Suspicious Activity Rule
Manage Suspicious Activity Rules

CHAPTER 1

SmartView Monitor Overview

In This Chapter
Introduction
SmartView Monitor Considerations
What's In This Book

Introduction

Corporate networks in today's dynamic business environment often comprise many networks and VPN-1 Pro gateways that support a diverse set of applications and user needs. The challenge of managing an increasing array of system traffic can put enormous pressure on IT staffing capacity and network resources.

With SmartView Monitor, Check Point offers you a cost-effective solution to obtain a complete picture of network and security performance, and to respond quickly and efficiently to changes in gateways, tunnels, remote users and traffic flow patterns or security activities.

SmartView Monitor is a high-performance network and security analysis system that helps you easily administer your network by establishing work habits based on learned system resource patterns. Based on Check Point's Security Management Architecture (SMART), SmartView Monitor provides a single, central interface for monitoring network activity and performance of Check Point applications.

SmartView Monitor allows administrators to easily configure and monitor different aspects of network activities. Customized and pre-defined graphical views can easily be viewed from an integrated, intuitive GUI.

Pre-defined views include the most frequently used traffic, counter, tunnel, gateway, and remote user information. For example, Check Point System Counters collect information on the status and activities of Check Point products (for example, VPN-1 Pro, etc.). Using custom or pre-defined views, administrators can drill down on the status of a specific gateway and/or a segment of traffic to identify top bandwidth hosts that may be affecting network performance.

If suspicious activity is detected, administrators can immediately apply a security rule to the appropriate Check Point gateway to block that activity. These security rules can be created dynamically via the graphical interface and be set to expire within a certain time period.

Real-time and historical reports (that is, flexible, graphical reporting) of monitored events can be generated to provide a comprehensive view of gateways, tunnels, remote users, network, security and VPN-1 Pro performance over time.

The following list describes the key features of SmartView Monitor and how it is employed.

Gateways: SmartView Monitor enables information about the status of all gateways in the system to be collected from these gateways. This information is gathered by the SmartCenter Server and can be viewed in an easy-to-use SmartConsole. The views can be customized so that details about the gateway(s) can be shown in a manner that best meets the administrator's needs.

Traffic / Counters: SmartView Monitor delivers a comprehensive solution for monitoring and analyzing network traffic and network usage. You can generate fully detailed or summarized graphs and charts for all connections when monitoring traffic and for numerous rates and figures when counting usage throughout the network. The Traffic view also enables filtering according to categories (for example, services, IP addresses, interfaces, security rules, etc.).

Tunnels: SmartView Monitor enables system administrators to monitor connectivity between gateways. With the information collected by SmartView Monitor, system administrators are able to sustain privacy, authentication and integrity. By showing real-time information about active tunnels (for example, information about its state and activities, volume of traffic, which hosts are most active, etc.), administrators can verify whether the tunnel(s) is working properly.

Remote Users: The Remote User Monitor is an administrative feature allowing you to keep track of VPN remote users currently logged on (that is, SecuRemote, SecureClient and SNX, and in general any IPSec client connecting to the VPN gateway). It provides you with a comprehensive set of filters which enables you to easily navigate through the obtained results. With information about current open sessions, overlapping sessions, route traffic, connection time, etc., the Remote User Monitor is able to provide detailed information about remote users' connectivity experience. This feature enables you to view real-time and historical statistics about open remote access sessions.

SmartView Monitor Considerations

Because SmartView Monitor enables graphical views of different types of measurements such as bandwidth, round trip time, packet rate, CPU usage, etc., the most efficient way to yield helpful information is to create a view based on your specific needs. With SmartView Monitor it is possible to create customized views for view types (for example, status, traffic, system statistics and tunnels). The customization allows control over filtering what to view, and over the values to display (for example, the columns in the Gateway Status view).

The following are just two examples of the numerous scenarios for which SmartView Monitor can offer information:

If a company's Internet access is slow, a Traffic view and report can be created to ascertain what may be clogging up the company's gateway interface. The view can be based on a review of specific Services, Security Rules, Network Objects, etc., that may be known to impede the flow of Internet traffic. If the SmartView Monitor Traffic view indicates that users are aggressively using such Services or Network Objects (for example, Peer to Peer application, HTTP, etc.), the cause of the slow Internet access has been determined. If aggressive use is not the cause, the network administrator will have to look at other avenues (for instance, performance degradation may be the result of memory overload).

If employees who are working away from the office cannot connect to the network, a Counter view and report can be created to determine what may be prohibiting network connections. The view can be based on CPU Usage %, Total Physical Memory, VPN Tunnels, etc., to collect information about the status, activities, hardware and software usage of different Check Point products in real-time. If the SmartView Monitor Counter view indicates that there are more failures than successes, it is possible that the company cannot accommodate the mass number of employees attempting to log on at once.

What's In This Book


The SmartView Monitor User Guide is divided into five chapters:

- SmartView Monitor Overview provides an introduction to the SmartView Monitor Solution and briefly describes how it works.
- Before You Begin describes useful terms that help you better understand SmartView Monitor concepts and explains the SmartView Monitor GUI so that you are comfortable with the SmartConsole before you begin to work.
- Monitoring Gateways describes how information about the status of all gateways in the system is collected from these gateways. This chapter shows how this information is gathered by the SmartCenter Server and how it can be viewed.
- Monitoring Traffic or Counters describes the essence of monitoring network traffic and how to configure Traffic views to suit your needs. This chapter also describes the nature of counting specific characteristics of your network and how to configure Counter views so that you obtain the beneficial information.
- Monitoring Tunnels describes how monitoring Tunnels is beneficial to your organization and explains how to configure Tunnel views.
- Monitoring Remote Users describes an administrative feature that allows you to keep track of SecuRemote users currently logged on to specific Policy Servers and how you can easily navigate through the obtained results.

CHAPTER 2

Before You Begin


In This Chapter
- Introduction
- Terminology
- Understanding the User Interface

Introduction
This chapter provides useful terms that help you better understand SmartView Monitor terminology and explains the SmartView Monitor GUI so that you are comfortable with the SmartConsole before you begin to work.

Terminology
The following are useful terms that you should be familiar with in order to better understand the information that is presented throughout this user guide.

Views - generate reports about the network according to network targets, filters and specific settings (for example, Monitor Rate).
Custom View - a view generated by the SmartView Monitor user. This type of view is created from scratch or is based on a modified version of a predefined view.
Predefined View - an out of the box view for common network scenarios. A Predefined View cannot be changed.
Counters - generates reports about the status, activities, hardware and software usage of different Check Point products in real-time or history mode.
Traffic - provides transaction information about network sessions in a given time interval.
Tunnel - an encrypted connection between two gateways.
Gateways - provides information about the status of all Check Point supported hosts.
Users - provides information about remote access VPN clients (for example, SecuRemote, SecureClient and others that are interoperable with VPN clients).
History - provides information about previous Traffic or Counters data.
Real-Time - provides information about Traffic or Counters data as it is generated.
Suspicious Activity Rules - security rules that are applied immediately. These rules can instantly block suspicious connections that are not restricted by the currently enforced security policy.
Threshold - contains predefined actions that are triggered when the status of an application is changed or when an event has occurred.
Cluster - indicates a group of servers and resources that act like a single system. This group enables high availability and in some cases, load balancing and parallel processing.
High Availability - a system or component that is continuously operational for a long length of time. Availability can be measured relative to "100% operational" or "never failing."

Understanding the User Interface


The SmartView Monitor GUI is divided into a number of features. Refer to the following sections for a visual representation of each SmartView Monitor view. The type of Custom or Predefined view results that appear on the screen is directly related to whether a Traffic, Counter, Tunnel, Gateway or Remote User view is selected.

In This Section
- Gateways View
- Traffic View
- Counters View
- Tunnels View
- Remote Users View

Gateways View
To understand the following Gateways view refer to the numbers in the figure and the list preceding it.
FIGURE 2-1 Gateways View

1 Tree View lists all the Custom and Predefined views.
2 Toolbars include shortcuts of SmartView Monitor options. The same options can also be accessed from the SmartView Monitor menus. The lower of the two toolbars is view specific.
3 Results View provides information about all the gateways in the organization as well as pertinent information about the gateway such as its IP Addresses, the last time it was updated as well as its status. This information is directly linked to the view selected in the Tree View. Each row in the table represents a Gateway.
4 Gateway Details - an HTML view that behaves like a browser and allows the user to click links associated with a variety of data about the selected gateway.
5 At the bottom of the screen there is a button for every view that is currently running in SmartView Monitor (that is, a minimized view). As the number of running views grows the visibility of these buttons is aided by a tool tip. This tool tip displays the full name of the view on which the cursor is standing. When this occurs, a tool tip with the specific view's full name appears when the cursor is placed over the button.

Traffic View
To understand the following Traffic view refer to the numbers in the figure and the list preceding it.
FIGURE 2-2 Traffic View

1 Tree View lists all the Custom and Predefined views.
2 Toolbars include shortcuts of SmartView Monitor options. The same options can also be accessed from the SmartView Monitor menus. The lower of the two toolbars is view specific.
3 Results View (that is, bar, line, pie chart) provides information that is directly linked to the view selected and run from the Tree View.
4 Legend includes a textual view (that is, report) of the Traffic view results.
5 Traffic Status Bar displayed at the bottom of the SmartView Monitor contains system information (for example, system uptime, traffic flow, etc.) about the gateway associated with the selected view.

At the bottom of the screen there is a button for every view that is currently running in SmartView Monitor (that is, a minimized view). As the number of running views grows the visibility of these buttons is aided by a tool tip. This tool tip displays the full name of the view on which the cursor is standing. When this occurs, a tool tip with the specific view's full name appears when the cursor is placed over the button.

Counters View
To understand the following Counters view refer to the numbers in the figure and the list preceding it.
FIGURE 2-3 Counters View

1 Tree View lists all the Custom and Predefined views.
2 Toolbars include shortcuts of SmartView Monitor options. The same options can also be accessed from the SmartView Monitor menus. The lower of the two toolbars is view specific.
3 Results View (that is, bar, line, pie chart) provides information that is directly linked to the view selected and run from the Tree View.
4 Legend includes a textual view (that is, report) of the Counters view results.
5 Counter Status Bar displayed at the bottom of the SmartView Monitor contains system information (for example, system uptime, traffic flow, etc.) about the gateway associated with the selected view.

At the bottom of the screen there is a button for every view that is currently running in SmartView Monitor (that is, a minimized view). As the number of running views grows the visibility of these buttons is aided by a tool tip. This tool tip displays the full name of the view on which the cursor is standing. When this occurs, a tool tip with the specific view's full name appears when the cursor is placed over the button.

Tunnels View
To understand the following Tunnels view refer to the numbers in the figure and the list preceding it.
FIGURE 2-4 Tunnels View

1 Tree View lists all the Custom and Predefined views.
2 Toolbars include shortcuts of SmartView Monitor options. The same options can also be accessed from the SmartView Monitor menus. The lower of the two toolbars is view specific.
3 Results View provides information that is directly linked to the view selected in the Tree View. Each row in the table represents a Tunnel.
4 At the bottom of the screen there is a button for every view that is currently running in SmartView Monitor (that is, a minimized view). As the number of running views grows the visibility of these buttons is aided by a tool tip. This tool tip displays the full name of the view on which the cursor is standing. When this occurs, a tool tip with the specific view's full name appears when the cursor is placed over the button.

Remote Users View


To understand the following Users view refer to the numbers in the figure and the list preceding it.
FIGURE 2-5 Remote Users View

1 Tree View lists all the Custom and Predefined views.
2 Toolbars include shortcuts of SmartView Monitor options. The same options can also be accessed from the SmartView Monitor menus. The lower of the two toolbars is view specific.
3 Results View provides information that is directly linked to the view selected in the Tree View. Each row in the table represents a User.
4 At the bottom of the screen there is a button for every view that is currently running in SmartView Monitor (that is, a minimized view). As the number of running views grows the visibility of these buttons is aided by a tool tip. This tool tip displays the full name of the view on which the cursor is standing. When this occurs, a tool tip with the specific view's full name appears when the cursor is placed over the button.

CHAPTER 3

Monitoring Gateways
In This Chapter
- Gateways Solution
- Configuring Gateway Views

Gateways Solution
In This Section
- How does it work?
- Gateway Statuses
- Displaying Gateway Information
- Views about a Specific Gateway
- Interfering Actions
- Thresholds
- Alert Dialog

Check Point enables information about the status of all gateways in the system to be collected from these gateways. This information is gathered by the SmartCenter server and can be viewed in SmartView Monitor. The information gathered includes status information about:

- Check Point gateways
- OPSEC gateways
- Network objects

SmartView Monitor - Gateways is the SmartConsole from which all gateway statuses are displayed and viewed. SmartView Monitor - Gateways displays a snapshot of all Check Point products, such as VPN-1 Pro, ClusterXL, etc., as well as third party products (for example, OPSEC-partner gateways). SmartView Monitor - Gateways is very similar in operation to the SNMP daemon, which also provides a mechanism to ascertain information about gateways in the system.
FIGURE 3-1 Gathering Status Information

In FIGURE 3-1, information is retrieved by the SmartCenter server from all the gateways in the system using the AMON protocol after SIC has been initialized. Information that the SmartCenter server retrieves is displayed in SmartView Monitor - Gateways.

How does it work?


The SmartCenter server acts as an AMON (Application Monitoring) client. It collects information about specific Check Point gateways installed, using the AMON protocol. The source for this information is the Check Point gateway, which acts as the AMON server itself, or any other OPSEC gateway, which runs an AMON server. The Check Point gateway, in turn, makes a status update request via APIs, from various other components such as:

- The kernel
- Security Servers

An alternate source for status collection may be any AMON client, such as an OPSEC partner, which uses the AMON protocol.

The information is fetched at a subscribed interval which is defined by the system administrator. The AMON protocol is SIC-based so information can be retrieved once SIC has been initialized.

Gateway Statuses
When discussing the status of Gateways in the system, there are general statuses that apply both to the gateway (the machine on which the Check Point software is installed) and to the product, which represents the applications installed on the gateway.

Over-all Statuses: Waiting, OK, Attention, No License, Above Threshold, Problem, Critical Problem, No gateway, Untrusted, Unknown

Application Statuses: Waiting, OK, Disconnected, Untrusted, Problem, Warning


Displaying Gateway Information


In SmartView Monitor - Gateways, information is displayed per Check Point or OPSEC gateway. To display information about the gateway, click the specific gateway in the Gateways Results view. Elaborate details about the gateway will be displayed in the adjacent Gateway Details window. This information includes general information such as the name, IP Address, version, OS and the status of the specified gateway, or gateway specific information, such as:

System Information
- Unified Package - the version number.
- OS Information - the name, the version name/number, the build number, the service pack and any additional information about the Operating System in use.
- CPU - the percentage of CPU consumption in general and specifically by the user, by the system, and the amount of time that the CPU has been idle.
- Memory - the total amount of virtual memory, what percentage of this total is being used. The total amount of real memory, what percentage of this total is being used, the amount of real memory available for use.
- Disk - the percentage/total of free space on the disk, the total amount of free space, as well as the actual amount of free space available for use.

VPN-1 Pro
- Policy information - the name of the Security Policy installed on the VPN-1 Pro gateway and the date and time that this policy was installed.
- Packets - the number of packets accepted, dropped and logged by the VPN-1 Pro gateway.
- UFP Cache performance - the hit ratio percentage as well as the total number of hits handled by the cache, the number of connections inspected by the UFP Server.
- Hash Kernel Memory (the memory status) and System Kernel Memory (the OS memory) - the total amount of memory allocated and used. The total amount of memory blocks used. The number of memory allocations, as well as those allocation operations which failed. The number of times that the memory allocation has been freed up, or has failed to be freed up.
- The NAT Cache, including the total amount of hits and misses.

Virtual Private Networks
VPN is divided into three main statuses: Current, which represents the current number of active output; High Watermark, which represents the maximum number of current output; and Accumulative data, which represents the total number of the output. This includes:
- Active Tunnels - this includes all types of active VPN peers to which there is currently an open IPsec tunnel. This is useful for tracking the proximity to a VPN Net license and the activity level of the VPN-1 Pro gateway. High Watermark includes the maximum number of VPN peers for which there was an open IPsec tunnel since the gateway was restarted.
- RemoteAccess - this includes all types of RemoteAccess VPN users with which there is currently an open IPsec tunnel. This is useful for tracking the activity level and load patterns of VPN-1 Pro gateways serving as a remote access server. High Watermark includes the maximum number of RemoteAccess VPN users with which there was an open IPsec tunnel since the gateway was restarted.
- Tunnels Establishment Negotiation - the current rate of successful Phase I IKE Negotiations (measured in Negotiations per second). Useful for tracking the activity level and load patterns of a VPN-1 Pro gateway serving as a remote access server. High Watermark includes the highest rate of successful Phase I IKE Negotiations since the Policy was installed (measured in Negotiations per second). Also, Accumulative consists of the total number of successful Phase I IKE Negotiations since the Policy was installed.

- Failed - the current failure rate of Phase I IKE Negotiations can be used for troubleshooting, for instance, denial of service, or for a heavy load of VPN remote access connections. High Watermark includes the highest rate of failed Phase I IKE negotiations since the Policy was installed. And finally, Accumulative is the total number of failed Phase I IKE negotiations since the Policy was installed.
- Concurrent - the current number of concurrent IKE negotiations. Useful for tracking the behavior of VPN connection initiation, especially in large deployments of remote access VPN scenarios. High Watermark includes the maximum number of concurrent IKE negotiations since the Policy was installed.
- Encrypted and Decrypted throughput - the current rate of encrypted/decrypted traffic (measured in Mbps). Encrypted/decrypted throughput is useful (in conjunction with encrypted/decrypted packet rate) for tracking VPN usage and VPN performance of the VPN-1 Pro gateway. High Watermark includes the maximum rate of encrypted/decrypted traffic (measured in Mbps) since the gateway was restarted. And finally, Accumulative includes the total encrypted/decrypted traffic since the gateway was restarted (measured in Mbps).
- Encrypted and Decrypted packets - the current rate of encrypted/decrypted packets (measured in packets per second). Encrypted/decrypted packet rate is useful (in conjunction with encrypted/decrypted throughput) for tracking VPN usage and VPN performance of the VPN-1 Pro gateway. High Watermark includes the maximum rate of encrypted/decrypted packets since the gateway was restarted. And finally, Accumulative, the total number of encrypted packets since the gateway was restarted.
- Encryption and Decryption errors - the current rate at which errors are encountered by the VPN-1 Pro gateway (measured in errors per second). Useful for troubleshooting VPN connectivity issues. High Watermark includes the maximum rate at which errors are encountered by the VPN-1 Pro gateway (measured in errors per second) since the gateway was restarted. And finally, the total number of errors encountered by the VPN-1 Pro gateway since the gateway was restarted.
- Hardware - the name of the VPN Accelerator Vendor, and the status of the Accelerator. General errors such as the current rate at which VPN Accelerator general errors are encountered by the VPN-1 Pro gateway (measured in errors per second). The High Watermark includes the maximum rate at which VPN Accelerator general errors are encountered by the VPN-1 Pro gateway (measured in errors per second) since the gateway was restarted. And finally the total number of VPN Accelerator general errors encountered by the VPN-1 Pro gateway since the gateway was restarted.
- IP Compression - Compressed/Decompressed packets statistics and errors.

Check Point QoS
- Policy information - the name of the QoS Policy and the date and time that it was installed.
- Number of interfaces - the number of interfaces on the Check Point QoS gateway. Information about the interfaces applies to both inbound and outbound traffic. This includes the maximum and average amount of bytes that pass per second, as well as the total number of conversations, where conversations are active connections and connections that are anticipated as a result of prior inspection. Examples are data connections in FTP, and the second half of UDP connections.
- Packet and Byte information - the number of packets and bytes in Check Point QoS's queues.

ClusterXL
- The gateway's working mode, whether or not it is active, and its place in the priority sequence. There are three possible working modes (ClusterXL/Load Sharing or Sync only). There are 4 types of running modes (Active, standby, ready and down).
- Interfaces include the interface(s) recognized by the VPN-1 Pro gateway. The interface information includes the IP Address and status of the specified interface, and whether or not the connection passing through the interface is verified, trusted or shared.
- Problem Notes contains descriptions of the problem notification device such as its status, priority and when the status was last verified.

OPSEC
- The version name/number and build number of the Check Point OPSEC SDK and OPSEC product.
- The amount of time (in seconds) since the OPSEC gateway has been up and running.
- The OPSEC vendor may add additional fields to their OPSEC Application gateway's details.

SmartCenter
- The synchronization status indicates the status of the peer SmartCenter Servers in relation to that of the selected SmartCenter Server. This status can be viewed in the Management High Availability Servers window, whether you are connected to the Active or Standby SmartCenter Server.

The possible synchronization statuses are:
- Never been synchronized - immediately after the Secondary SmartCenter has been installed, it has not yet undergone the first manual synchronization that brings it up to date with the Primary Management.

- Synchronized - the peer is properly synchronized and has the same database information and installed Security Policy.
- Advanced - the SmartCenter Server is more advanced than the standby server, it is more up-to-date.
- Lagging - the SmartCenter Server has not been synchronized properly.
- Collision - the active SmartCenter Server and its peer have different installed policies and databases. The administrator must perform manual synchronization and decide which of the SmartCenter Servers to overwrite.
- Clients - the number of connected clients on the SmartCenter Server, the name of the SmartConsole, the administrator responsible for administering the SmartConsole, the name of the SmartConsole host, the name of the locked database and the type of SmartConsole application, such as SmartDashboard, User Monitor etc.

UserAuthority WebAccess
- Plugin Performance - the number of http requests accepted and rejected.
- Policy info - the name of the WebAccess policy and the last time that the policy was updated.
- UAS info - the name of the UA Server host, the IP Address and port number of the UAG Server. The number of requests sent to the UA Server and the time it took for the request to be handled.
- Global UA WebAccess - the number of currently open sessions and the time passed since the last session was opened.

Policy Server
- The number of licensed users who are currently connected.

Log Server
- Indicates whether or not the SmartCenter server is active.
- The number of licensed users who are currently connected.
- Elaborate details about the named connected client, including the name of the administrator managing the selected Log Server, the host of the Log Server and the name of the database if it is locked.
- The type of application that can be tracked by the Log Server.

Views about a Specific Gateway


SmartView Monitor - Gateways allows you to define views for specific gateways. From within this view it is possible to access information about the following:

- Monitor Tunnels - provides a list of Tunnels associated with the selected gateway. Tunnels are secure links between VPN-1 Pro gateways that ensure secure connections between an organization's gateways, and between an organization's gateways and remote access clients. The option of viewing a list of tunnels associated with a specific gateway enables you to keep track of the tunnels' normal function, so that possible malfunctions and connectivity problems can be accessed and solved as soon as possible. For additional information about Tunnels refer to the Monitoring Tunnels chapter.
- Monitor Remote Users - provides a list of SecuRemote users currently logged on to the specific Policy Servers. On the SmartView Monitor - Gateways interface you will be able to view all the SecuRemote users currently logged on to specific policy servers.
- Monitor Traffic or Counters - provides information about monitored and analyzed network traffic and network usage associated with the selected gateway. You can generate fully detailed or summarized graphs and charts for all connections intercepted and logged when monitoring traffic and for numerous rates and figures when counting usage throughout the network. For additional information about Traffic or Counter refer to the Monitoring Traffic or Counters chapter.

Interfering Actions
After reviewing the status of certain Clients in SmartView Monitor, you may decide to take decisive action for a particular Client or Cluster Member, for instance:

- Disconnect client - if you have the correct permissions, you can choose to disconnect one or more of the connected SmartConsole clients.
- Start/Stop Cluster member - All Cluster Members of a given Gateway Cluster can be viewed via SmartView Monitor - Gateways. You can start or stop a selected Cluster Member.

Thresholds
For each kind of Check Point application there is a set of status parameters that can be monitored. When the status of an application is changed or when an event has occurred, predefined actions can be triggered. This is done by defining Thresholds (that is, limits) and actions to be taken if these Thresholds are reached or exceeded. To define a Threshold, refer to Defining a Threshold.

Alert Dialog
Alerts provide real-time information about vulnerabilities to computing systems and how they can be eliminated. Check Point alerts users to potential threats to the security of their systems and provides information about how to avoid, minimize, or recover from the damage.

Alerts are sent by the VPN-1 Pro modules to the SmartCenter Server. The SmartCenter server then forwards these alerts to the SmartView Monitor SmartConsole, which is actively connected to the SmartCenter server. Alerts are sent in order to draw the administrator's attention to problematic gateways, and are displayed in SmartView Monitor. These alerts are sent:

- If certain rules or attributes, which are set to be tracked as alerts, are matched by a passing connection.
- If system events, also called System Alerts, are configured to trigger an alert when various predefined thresholds are surpassed.

The administrator can define alerts to be sent for different gateways. These alerts are sent under certain conditions, such as if they have been defined for certain policies, or if they have been set for different properties. By default an alert is sent as a pop up message to the administrator's desktop when a new alert arrives to SmartView Monitor.

Alerts can also be sent for certain predefined system events. If certain predefined conditions are set, you can get an alert for certain critical situation updates. These are called System Alerts. For example, if free disk space is less than 10%, or if a security policy has been changed. System Alerts are characterized as follows:

- defined per product. For instance you may define certain System Alerts for Unified Package and other System Alerts for Check Point QoS.
- they may be global or per gateway. This means that you can set global alert parameters for all gateways in the system, or you can specify a particular action to be taken on alert on the level of every Check Point gateway.
- displayed and viewed via the same user-friendly window.

Configuring Gateway Views


The following pages contain a number of different sets of steps that will instruct you on how to work with SmartView Monitor Gateway views. To obtain an explicit understanding about the fields, text boxes, drop-down lists, etc., in each window refer to SmartView Monitor Online Help.

In This Section
- Defining the Frequency at which Status Information is Fetched
- Start/Stop Cluster Member
- Select and Run a Gateways View
- View In-Depth Information about a Specific Gateway
- Create a Custom Gateway View
- Edit a Predefined or Custom Gateway View
- Defining a Threshold
- Define Global Threshold Settings
- Delete a Custom Gateway View
- Copy a Gateway View
- Rename a Custom Gateway View
- Export a Custom Traffic or Counter View

Defining the Frequency at which Status Information is Fetched


Define the frequency at which status information will be gathered by the SmartCenter Server from the Check Point gateways, and sent to SmartView Monitor. This is referred to as the Status Fetching Interval, and it is defined in the Gateways Properties window. By default a status check takes place every 60 seconds.

Start/Stop Cluster Member


Select a specific Cluster Member of a given Gateway Cluster in the Gateway window, right-click and select Start or Stop respectively.

Select and Run a Gateways View


When a Gateways view is run the results appear in the SmartView Monitor SmartConsole. A Gateways view can be run:

- from an existing view
- by creating a new view
- by changing an existing view

1 In the SmartView Monitor SmartConsole, click on an existing Gateway view. The view results (that is, a list of all the available gateways) appear in the Results View.

View In-Depth Information about a Specific Gateway


1 Run the Gateway view for which you would like to view information.
2 Right-click the specific gateway in the Results View.
3 Select Gateway Details. The window that appears provides you with information about system performance, licenses, High Availability, etc., for the selected gateway.

Create a Custom Gateway View


1 In the SmartView Monitor SmartConsole, select File > New > Gateways View. The Dialog window appears.
2 Select the topics for which you would like to receive information in the Available fields list and move them to the Show these fields in the grid list.
3 Click OK. The results of the view appear in the SmartView Monitor console.
4 In the Gateways view that appears in the Custom branch of the Tree View type the name of the new Gateways view.

Edit a Predefined or Custom Gateway View


Unlike a Custom view, the changes you make to a Predefined view cannot be saved. To save the changes you must perform Save As and subsequently create a new view.

1 In the Custom branch of the Tree View select the Gateway view that you would like to change.
2 Click the View Properties button in the toolbar directly above the Results View.
3 Make the required changes by adding or removing topics from the Show these fields in the grid list.
4 Click OK. The results of the view appear in the SmartView Monitor console.

Note - If you are editing a Custom Gateway view the results (changes) are automatically saved. If you are editing a Predefined Gateway view the results in the Results View are not saved.

5 To save these results of a Predefined view that has been changed, select the Save View In Tree button in the toolbar directly above the Results View.
6 Enter a name for the new Gateways view and click Save. The edited Gateways view will appear as a new view in the Custom branch of the Tree View.

Defining a Threshold
1 In the Custom or Predefined branch of the Tree View run a Gateways view.
2 Select the gateway for which you would like to change one or more thresholds.
3 Right-click and select Configure Thresholds.
4 In the System Alert area select Custom. System Alert provides you with the following three options:
  Same As Global - applies the global threshold settings to the selected gateway.
  Custom - enables you to select specific thresholds for the selected gateway.
  None - removes all thresholds from the selected gateway.
5 Select the application whose threshold you would like to change and make the necessary changes with the fields provided. The Action column provides you with the following options:
  none - does not send an alert.
  log - sends a log entry to the database.
  alert - sends a pop-up window to your desktop.
  mail - sends a mail alert to your Inbox.
  snmptrap - sends an SNMP alert to the SNMP GUI.
  useralert - sends a customized alert in the manner that you configure.

Note - To configure these Action options go to SmartDashboard > Policy > Global Properties > Log and Alert > Alert Commands.

6 Click the Save button to save your changes.

Define Global Threshold Settings


1. In the Custom or Predefined branch of the Tree View run a Gateways view.
2. Select the gateway for which you would like to change one or more thresholds.
3. Right-click and select Configure Thresholds.
4. Click the Global Settings button.
5. Select the application whose threshold you would like to change and make the necessary changes with the fields provided.
6. Click the Save & Close button to save your changes and close the Global Threshold Settings window.
7. Click the Save & Close button to save your changes and close the Threshold Settings window.

Delete a Custom Gateway View


1. In the Custom branch of the Tree View select the Gateways view you would like to delete.
2. Right click the selected view and select Delete.
3. Select Yes to delete the selected Custom view.

Copy a Gateway View


1. In the Custom or Predefined branch of the Tree View right-click the Gateways view you would like to copy.
2. Select Copy.
3. Right click the Custom branch of the Tree View and select Paste. A copy of the Predefined or Custom view appears under the Custom branch.

Rename a Custom Gateway View


1. In the Custom branch of the Tree View right-click the Gateways view whose name you would like to change.
2. Select Rename.
3. Type the new name and press Enter.

Export a Custom Traffic or Counter View


1. Right-click the Gateways view you would like to export.
2. Select Export Settings.
3. Select the directory in which you would like to save the exported view settings and click Save. A file with an svm_setting extension is created.


CHAPTER 4

Monitoring Traffic or Counters

In This Chapter
Traffic or Counters Solution
Traffic or Counters Configuration

Traffic or Counters Solution


SmartView Monitor provides you with the tools that enable you to be aware of traffic associated with specific network activities, servers, clients, etc., and the status of activities, hardware and software usage of different Check Point products in real-time. Among other things, this knowledge will enable you to:
- block specific traffic when a threat is imposed
- assume instant control of traffic flow on a gateway
- learn about how many tunnels are currently open or about the rate of new connections passing through the VPN-1 Pro gateway.

SmartView Monitor delivers a comprehensive solution for monitoring and analyzing network traffic and network usage. You can generate fully detailed or summarized graphs and charts for all connections intercepted and logged when monitoring traffic and for numerous rates and figures when counting usage throughout the network.

In This Section
Traffic
Counters

Traffic
Traffic Monitoring provides in-depth details on network traffic and activity. As a network administrator you can generate traffic information to:
- Analyze network traffic patterns. Network traffic patterns help administrators determine which services demand the most network resources.
- Audit and estimate costs of network use. Monitoring traffic can provide information on how the use of network resources is divided among corporate users and departments. Reports summarizing customer use of services, bandwidth and time can provide a basis for estimating costs per user or department.
- Identify the departments and users that generate the most traffic and the times of peak activity.
- Detect and monitor suspicious activity. Network administrators can produce graphs and charts documenting blocked traffic, alerts, rejected connections, or failed authentication attempts in order to identify possible intrusion attempts.

A Traffic view can be created to monitor the Traffic types listed in the following table.

TABLE 4-1 Traffic Types

Traffic Type | Explanation
Services | Displays the current status view about Services used through the selected gateway.
IPs/Network Objects | Displays the current status view about active IPs/Network Objects through the selected gateway.
Security Rules | Displays the current status view about the most frequently used Security Rules. The Name column in the legend states the rule number as previously configured in SmartDashboard.
Interfaces | Displays the current status view about the Interfaces associated with the selected gateway.
Connections | Displays the current status view about current connections initiated through the selected gateway.
Tunnels | Displays the current status view about the Tunnels associated with the selected gateway and their usage.
Virtual Link | Displays the current traffic status view between two gateways (for example, Bandwidth, Bandwidth Loss and Round Trip Time).
Packet Size Distribution | Displays the current status view about packets according to the size of the packets.
QoS | Displays the current traffic level for each QoS rule.

Traffic Legend Output

The values that you see in the legend depend on the Traffic view you are running.

All units in the view results appear in configurable Intervals.

Counters
Monitoring Counters provides in-depth details about Check Point application usage and activities. As a network administrator you can generate system status information about:
- Resource usage for the variety of components associated with the VPN-1 Pro server. For example, the average use of real physical memory, the average percent of CPU time used by user applications, free disk space, etc.
- VPN-1 Pro performance statistics for a variety of firewall components. For example, the average number of concurrent CVP sessions handled by the HTTP security server, the number of concurrent IKE negotiations, the number of new sessions handled by the SMTP security server, etc.
- Detect and monitor suspicious activity. Network administrators can produce graphs and charts documenting the number of alerts, rejected connections, or failed authentication attempts in order to identify possible intrusion attempts.


Traffic or Counters Configuration


The following pages contain a number of different sets of steps that will instruct you on how to configure Traffic or Counter views. To obtain an explicit understanding about the fields, text boxes, drop-down lists, etc., in each window refer to SmartView Monitor Online Help.

In This Section
Select and Run a Predefined or Custom Traffic or Counter View
Create a New Traffic or Counters Results View
Create a Real-Time Custom Traffic or Counter View
Create a History Traffic or Counter View
Edit a Predefined Custom or Traffic View
Edit a Custom Traffic or Counter View
Copy a Traffic or Counter View
Rename a Custom Traffic or Counter View
Delete a Custom Traffic or Counter View
Export a Custom Traffic or Counter View
Recording a Traffic or Counter View

Select and Run a Predefined or Custom Traffic or Counter View


When a Traffic or Counter view is run the results appear in the SmartView Monitor SmartConsole. A Traffic or Counter view can be run:
- from an existing view
- by creating a new view
- by changing an existing view

1. In the SmartView Monitor SmartConsole, select a Traffic or Counter view in the Tree View and double click the Traffic or Counter view that you would like to run. A list of available gateways appears.
2. Select the gateway for which you would like to run the selected Traffic or Counter view.
3. Click OK. The results of the selected view appear in the SmartView Monitor SmartConsole.

Create a New Traffic or Counters Results View


A View is the output that is displayed when changing an existing Custom/Predefined view. The new View is not automatically saved in the Custom/Predefined branch of the Tree View. For example purposes, we will create a real-time Traffic view for Services.

1. Right-click the view you would like to change and select Properties. The Query Properties window appears.
2. Select Real-Time. Real-Time provides information about currently monitored traffic or counters. Select History for previously logged information.
3. Select the topic about which you would like to create a Real-Time traffic view in the drop-down list provided.

   Note - The remaining tabs in the Query Properties window change according to the type of view you are creating and the selection you made in the Real-Time drop-down list.

4. Select the Target of this Custom Traffic view. The Target is the gateway for which you would like to monitor traffic.
5. Click the Monitor by Services tab.
6. Select the Services for which you would like to create a custom Traffic view.
7. Click the Filter tab and make the relevant selections.
8. Click the Settings tab and make the relevant selections.
9. Click:
   - Save, if your new view is based on an existing Custom view
   - Save As and type a new view name, if your new view is based on a Predefined view.
   The Select Gateway/Interface window appears.
10. Select the gateway or interface for which you would like to create/run this new view.
11. Click OK. A Traffic view appears in the Custom branch of the Tree View. When based on an existing Custom view, the new view properties will remain a part of the specific Custom view. When based on an existing Predefined view, the new view will become a new Custom view as described in step 12 above.


Create a Real-Time Custom Traffic or Counter View


1. In the SmartView Monitor SmartConsole, click the Custom branch of the Tree View. For example purposes we will create a real-time Traffic view for Services.
2. Right click the Custom branch and select New Traffic View. The Query Properties window appears.
3. Select Real-Time. Real-Time provides information about currently monitored traffic or counters.
4. Select the topic about which you would like to create a Real-Time traffic view in the drop-down list provided.

   Note - The remaining tabs in the Query Properties window change according to the type of view you are creating and the selection you made in the Real-Time drop-down list.

5. Select the Target of this Custom Traffic view. The Target is the gateway or cluster for which you would like to monitor traffic.
6. Click the Monitor by Services tab.
7. Select the Services for which you would like to create a custom traffic view.
8. Click the Filter tab and make the relevant selections.
9. Click the Settings tab and make the relevant selections.
10. Click Save. The Select Gateway/Interface window appears.
11. Select the gateway or interface for which you would like to create this new view.
12. Click OK.
13. Type the name of the new Custom view and press Enter.


Create a History Traffic or Counter View


1. In the SmartView Monitor SmartConsole, click the Custom branch of the Tree View. For example purposes we will create a real-time Traffic view for Services.
2. Right click the Custom branch and select New Traffic View. The Query Properties window appears.
3. Select History in the Type section. History provides information about previously monitored traffic or counters.
4. Select the Target of this custom Traffic or Counter view. The Target is the gateway for which you would like to view previously monitored traffic.
5. Click the Traffic History tab or the Counter tab, depending on the type of view you are creating.
6. In the Time Frame drop-down list, select the period of time for which you would like to view previously monitored traffic or counters.
7. In the remaining lists, select the topic for which you are interested in viewing previously monitored information.
8. Click Save. The Select Gateway window appears.
9. Select the gateway for which you would like to create this new view.
10. Click OK.
11. Type the name of the new Custom view and press Enter.


Edit a Predefined Custom or Traffic View


You cannot change a Predefined view in the Predefined branch of the Tree View. Therefore, when you change a Predefined view's properties you will need to save the view in the Custom branch of the Tree View in order to preserve those changes.

1. In the SmartView Monitor SmartConsole, right-click the Traffic or Counter view that you would like to edit.
2. Click Properties. The Query Properties window appears.
3. Make the necessary changes in the tabs provided and click Save As. The Save to Tree window appears.
4. Enter a name for the new Custom view. The Select Gateway/Interface window appears.
5. Select the gateway for which you would like to create this new view.
6. Click OK. The new view is run and can be viewed in the SmartView Monitor SmartConsole and the changes will be preserved in a new view in the Custom branch of the Tree View.

Edit a Custom Traffic or Counter View


1. In the SmartView Monitor SmartConsole, select the Custom branch of the Tree View.
2. Right-click the Traffic or Counter view that you would like to edit.
3. Click Properties. The Query Properties window appears.
4. Make the necessary changes in the tabs provided and click Save to preserve your changes. The Select Gateway/Interface window appears.
5. Select the gateway for which you would like to create this new view.
6. Click OK. The new view is run and the changes to the selected view are saved in the Custom branch of the Tree View.


Copy a Traffic or Counter View


1. In the SmartView Monitor SmartConsole, right-click the Traffic or Counters view you would like to copy.
2. Select the Predefined or Custom view you would like to copy.
3. Select Copy.
4. Right-click the Custom branch of the Tree View and select Paste. A copy of the Predefined or Custom view appears under the Custom branch of the Tree View.

Rename a Custom Traffic or Counter View


1. In the SmartView Monitor SmartConsole, select the Custom branch of the Tree View.
2. Right-click the Traffic or Counters view you would like to rename.
3. Select Rename.
4. Type the new name and press Enter.

Delete a Custom Traffic or Counter View


1. In the SmartView Monitor SmartConsole, select the Custom branch of the Tree View.
2. Right-click the Traffic or Counters view you would like to delete.
3. Select Delete.
4. Select Yes to delete the selected Custom view.

Export a Custom Traffic or Counter View


1. In the SmartView Monitor SmartConsole, right-click the Traffic or Counters view you would like to export.
2. Select Export Properties.
3. Select the directory in which you would like to save the exported view settings and click Save. A file with an svm_setting extension is created.


Recording a Traffic or Counter View


When recording a Traffic or Counter view you are saving a record of the Traffic or Counter view results.

1. In the SmartView Monitor SmartConsole, run the Traffic or Counters view you would like to record. Refer to Select and Run a Predefined or Custom Traffic or Counter View for additional information.
2. Open the Traffic menu and select Recording > Record. A Save As window appears.
3. Give the record a name and save it in the relevant directory.
4. Click Save. The word Recording appears underneath the Traffic or Counter toolbar. The appearance of this word signifies that the view currently running is being recorded and saved.

To stop recording, open the Traffic menu and select Recording > Stop. A record of the view results is saved in the directory you selected in step 4 above.

Play the Results of a Recorded Traffic or Counter View

1. In the SmartView Monitor SmartConsole, select Traffic > Recording > Play. The Select Recorded File window appears.
2. Access the directory in which the recorded file is kept and select the relevant record.
3. Click Open. The results of the selected recorded view begin to run and the word Playing appears underneath the toolbar.

Note - The difference between Play and Fast Play in the Recording menu is that Fast Play runs the recorded view results at a faster rate.

Pause or Stop the Results of a Recorded View that is Playing

To pause the record select Traffic > Recording > Pause. Click Recording > Play to resume playing the previously recorded Traffic or Counter view results.

To stop the record select Traffic > Recording > Stop.

CHAPTER 5

Monitoring Tunnels

In This Chapter
Tunnels Solution
Tunnel View Configuration

Tunnels Solution
VPN Tunnels are secure links between VPN-1 Pro gateways and ensure secure connections between an organization's gateways and an organization's gateways and remote access clients. Once Tunnels are created and put to use, you are able to keep track of their normal function, so that possible malfunctions and connectivity problems can be accessed and solved as soon as possible.

To ensure this security level, SmartView Monitor can recognize malfunctions and connectivity problems by constantly monitoring and analyzing the status of an organization's Tunnels. With the use of Tunnel views, you can generate fully detailed reports that include information about all the Tunnels that fulfill the specific Tunnel view's conditions. With this information it is possible to monitor Tunnel status, the Community with which a Tunnel is associated, the gateways to which the Tunnel is connected, etc.

For an in depth understanding of Permanent Tunnels and Tunnel granularity refer to the Tunnel Management chapter in the VPN Guide.


Tunnel View Configuration


The following pages contain a number of different sets of steps that will instruct you on how to work with SmartView Monitor Tunnel views.

Note - If a Tunnel is deleted from SmartDashboard, the Tunnel Results View contains the deleted Tunnel for an hour after it was deleted. Likewise, if a community is edited (that is, Tunnels are removed or added), the Results View will contain the deleted community's tunnels for one hour after they were deleted.

To obtain an explicit understanding about the fields, text boxes, drop-down lists, etc., in each window refer to SmartView Monitor Online Help.

In This Section
Run a Tunnel View
Create a Custom Tunnel View
Edit a Custom Tunnel View
Edit a Predefined Tunnel View
Delete a Custom Tunnel View
Copy a Tunnel View
Rename a Custom Tunnel View

Run a Tunnel View


When a Tunnel view is run the results appear in the SmartView Monitor SmartConsole. A Tunnel view can be run:
- from an existing view
- by creating a new view
- by changing an existing view

A Tunnels view can be created and run for:
- Down Permanent Tunnels
- Permanent Tunnels
- Tunnels on Community
- Tunnels on Gateway

In This Section
Run a Down Tunnel View
Run a Permanent Tunnel View
Run a Tunnels on Community View
Run a Tunnels on Gateway View

Run a Down Tunnel View

Down Tunnel view results list all the Tunnels that are currently not active.

1. In the SmartView Monitor SmartConsole, click the Tunnels icon in the Tree View.
2. In the Tunnels branch, double click the Predefined or Custom Down Tunnel view that you would like to run. A list of all the Down Tunnels associated with the selected view's properties appears.

Run a Permanent Tunnel View


Permanent Tunnel view results list all the existing Permanent Tunnels and their current status. A Permanent Tunnel is a Tunnel that is constantly kept active.

1. In the SmartView Monitor SmartConsole, click the Tunnels icon in the Tree View.
2. In the Tunnels branch, double click the Predefined or Custom Permanent Tunnel view that you would like to run. A list of all the Permanent Tunnels associated with the selected view's properties appears.

Run a Tunnels on Community View


Tunnels on Community view results list all the Tunnels associated with a selected Community.

1. In the SmartView Monitor SmartConsole, click the Tunnels icon in the Tree View.
2. In the Tunnels branch, double click the Predefined or Custom Tunnels on Community view that you would like to run. A list of all Communities appears.
3. Select the Community whose Tunnels you would like to monitor.
4. Select OK. A list of all the Tunnels associated with the selected Community appears.

Run a Tunnels on Gateway View


Tunnels on Gateway view results list all the Tunnels associated with a selected Gateway.

1. In the SmartView Monitor SmartConsole, click the Tunnels icon in the Tree View.
2. In the Tunnels branch, double click the Tunnels on Gateway view that you would like to run in either the Custom or Predefined branch of the Tree View. A list of all the gateways appears.
3. Select the gateway whose Tunnels and their status you would like to see.
4. Select OK. A list of all the Tunnels associated with the selected gateway appears.

Create a Custom Tunnel View


1. In the SmartView Monitor SmartConsole, select File > New > Tunnels View. The Query Properties window appears.
2. Select Prompt on to generate a report about a specific Tunnel, Community or Gateway. Do not select Prompt on if your view is not specifically about one of these three. Prompt on signifies that you will be asked for the specific Tunnel, Community or Gateway on which to base your view, as soon as you decide to run the view.
3. Select either Show one record per tunnel or Show two records per tunnel. By selecting Show two records per tunnel a more accurate status is displayed since the report will provide the status for the tunnels in both directions.
4. In the Show column, select the filter that should be associated with this view and in the Filter column edit the selected filters by clicking the corresponding Any(*) link and selecting the relevant objects.
5. Click the Advanced button to set a limit to the number of lines displayed in the report that will appear. The Records limitation window appears.
6. Enter a record limitation and click OK.
7. If you select the Run when pressing OK option, the specific view will be activated as soon as you click the OK button and the results will immediately appear in the SmartView Monitor SmartConsole. If you do not select the Run when pressing OK option you must right click the specific custom view and select Run to activate the view.
8. Click OK. A Tunnels view appears in the Custom branch of the Tree View.
9. Type the name of the new Tunnel view and press Enter.

Edit a Custom Tunnel View


1. In the SmartView Monitor SmartConsole, click the Custom branch in the Tree View.
2. In the Custom branch, select the Tunnel view whose settings you would like to change.
3. Right click the selected view and select Properties.
4. Make the necessary changes in the tabs provided and click OK.
5. Click the Save View in Tree button on the toolbar and click Save.
6. When you are asked to replace the specific view click Yes so that the new properties are saved. The changes are saved automatically.


Edit a Predefined Tunnel View


You cannot change a Predefined view in the Predefined branch of the Tree View. Therefore, when you change a Predefined view's properties you will need to save the view in the Custom branch of the Tree View in order to preserve those changes.

1. In the SmartView Monitor SmartConsole, click the Tunnels icon in the Tree View.
2. Select the view whose settings you would like to change.
3. Click the View Properties button in the toolbar provided.
4. Make the necessary changes in the tabs provided and click OK.
5. Click the Save View in Tree button in the toolbar provided.
6. Enter a name for the new view and click OK. The changes will be preserved in a new view in the Custom branch of the Tree View.

Delete a Custom Tunnel View


1. In the SmartView Monitor SmartConsole, click the Custom branch in the Tree View.
2. In the Custom branch of the Tree View select the Tunnels view you would like to delete.
3. Right click the selected view and select Delete.
4. Select Yes to delete the selected Tunnels view.

Copy a Tunnel View


1. In the SmartView Monitor SmartConsole, click the Tunnels view (that is, Custom or Predefined) in the Tree View.
2. Right click the selected view and select Copy.
3. Right click the Custom branch of the Tree View and select Paste. A copy of the Predefined or Custom view appears under the Custom branch.


Rename a Custom Tunnel View


1. In the SmartView Monitor SmartConsole, click the Custom branch of the Tree View.
2. Right click the Tunnels view whose name you would like to change.
3. Select Rename.
4. Type the new name and press Enter.


CHAPTER 6

Monitoring Remote Users

In This Chapter
Remote Users Solution
Remote Users View Configuration

Remote Users Solution


The Remote User Monitor is an administrative feature allowing you to keep track of SecuRemote users currently logged on to the specific Policy Servers. The Remote User Monitor provides you with a comprehensive set of filters which makes the view definition process user-friendly and highly efficient and enables you to easily navigate through the obtained results.

With information about current open sessions, overlapping sessions, route traffic, connection time, etc., the Remote User Monitor is able to provide detailed information about remote users' connectivity experience. This SmartView Monitor feature enables you to view real-time and historical statistics about open remote access sessions.

Remote Users View Configuration


The following pages contain a number of different sets of steps that will instruct you on how to work with SmartView Monitor Remote Users views. If specific view results information is not relevant for a particular Remote User, the column representing the information will show N/A for the Remote User. To obtain an explicit understanding about the fields, text boxes, drop-down lists, etc., in each window refer to SmartView Monitor Online Help.

In This Section
Run a Remote Users View
Create a Custom Remote Users View
Edit a Custom Remote Users View
Edit a Predefined Remote Users View
Delete a Custom Remote Users View
Copy a Remote Users View
Rename a Custom Remote Users View

Run a Remote Users View


When a Remote Users view is run the results appear in the SmartView Monitor SmartConsole. A Remote Users view can be run:
- from an existing view
- by creating a new view
- by changing an existing view

A Remote Users view can be created and run for:
- a specific user
- all users
- a specific gateway

In This Section
Run a Remote User View for a Specific User
Run a Remote User View for all Users
Run a Remote User View for a Specific Gateway

Run a Remote User View for a Specific User

1. In the SmartView Monitor SmartConsole, click Remote Users in the Tree View.
2. In the Remote Users branch, click Get User by Name. The Please choose User DN window appears.
3. Enter the specific UserDN in the area provided and click OK. The view results appear in the Results View.

Run a Remote User View for all Users

1. In the SmartView Monitor SmartConsole, click Remote Users in the Tree View.
2. In the Remote Users branch, click All Users. The view results appear in the Results View.

Run a Remote User View for a Specific Gateway

1. In the SmartView Monitor SmartConsole, click Remote Users in the Tree View.
2. In the Remote Users branch, click Users by Gateway. The Select Gateway window appears.
3. Select the gateway for which you would like to run the view and click OK. The view results appear in the Results View.

Create a Custom Remote Users View


1. In the SmartView Monitor SmartConsole, select File > New > Remote Users View. The Query Properties window appears.
2. Select Prompt on to generate a Remote Users report about a specific User or Gateway. Do not select Prompt on if your view is not specifically about one of these two. Prompt on signifies that you will be asked for the specific UserDN or Gateway on which to base your view, as soon as you decide to run the view.
3. In the Show column, select the filter that should be associated with this view and in the Filter column edit the selected filters by clicking the corresponding Any(*) link and selecting the relevant objects.
4. Click the Advanced button to set a limit to the number of lines displayed in the report that will appear. The Records limitation window appears.
5. Enter a record limitation and click OK.
6. Click OK. A Remote Users view appears in the Custom branch of the Tree View.
7. Type a name for the new Remote Users view and press Enter.


Edit a Custom Remote Users View


1. In the SmartView Monitor SmartConsole, click the Custom branch in the Tree View.
2. In the Custom branch, select the Remote Users view whose settings you would like to change.
3. Right click the selected view and select Properties.
4. Make the necessary changes in the tabs provided and click OK.
5. Click the Save View in Tree button on the toolbar and click Save.
6. When you are asked to replace the specific view click Yes so that the new properties are saved. The changes are saved automatically.

Edit a Predefined Remote Users View


You cannot change a Predefined view in the Predefined branch of the Tree View. Therefore, when you change a Predefined view's properties you will need to save the view in the Custom branch of the Tree View in order to preserve those changes.

1. In the SmartView Monitor SmartConsole, click the Remote Users icon in the Tree View.
2. Select the view whose settings you would like to change.
3. Click the View Properties button in the toolbar provided.
4. Make the necessary changes in the tabs provided and click OK.
5. Click the Save View in Tree button in the toolbar provided.
6. Enter a name for the new view and click OK. The changes will be preserved in a new view in the Custom branch of the Tree View.

Delete a Custom Remote Users View


1. In the SmartView Monitor SmartConsole, click the Custom branch in the Tree View.
2. In the Custom branch of the Tree View select the Remote Users view you would like to delete.
3. Right click the selected view and select Delete.
4. Select Yes to delete the selected Remote Users view.

Copy a Remote Users View


1. In the SmartView Monitor SmartConsole, click the Remote Users view (that is, Custom or Predefined) in the Tree View.
2. Right click the selected view and select Copy.
3. Right click the Custom branch of the Tree View and select Paste. A copy of the Predefined or Custom view appears under the Custom branch.

Rename a Custom Remote Users View


1. In the SmartView Monitor SmartConsole, click the Custom branch of the Tree View.
2. Right click the Remote Users view whose name you would like to change.
3. Select Rename.
4. Type the new name and press Enter.


CHAPTER 7

Monitoring Suspicious Activity Rules


In This Chapter
The Need for Suspicious Activity Rules
Suspicious Activity Rules Solution
Configure Suspicious Activity Rules

The Need for Suspicious Activity Rules


The connection of enterprise and public networks is a great information security challenge, since connections that provide access to employees and customers can also act as an open doorway for those who want to attack the network and its applications. Modern business needs require that information be easily accessed while at the same time it remains secure and private. The fast-changing network environment demands the ability to immediately react to a security problem without having to change the entire network's security rule base (for example, you want to instantly block a specific user). All inbound and outbound network activity should be inspected and identified as suspicious when necessary (for instance, when network or system activity indicates that someone is attempting to break in).

Suspicious Activity Rules Solution


Suspicious Activity Rules is a utility integrated into SmartView Monitor that is used to modify access privileges upon detection of any suspicious network activity (for example, several attempts to gain unauthorized access).


The detection of suspicious activity is based on the creation of Suspicious Activity rules. Suspicious Activity rules are security rules that enable the system administrator to instantly block suspicious connections that are not restricted by the currently enforced security policy. These rules, once set (usually with an expiration date), can be applied immediately without the need to perform an Install Policy operation (see the SmartCenter Guide for additional information).

Configure Suspicious Activity Rules


To block traffic when a threat is posed, SmartView Monitor offers the tools needed to create and manage Suspicious Activity rules. These rules are based on your knowledge of the network and enable you to instantly block suspicious connections in real time.

In This Section
Create a Suspicious Activity Rule
Manage Suspicious Activity Rules

Create a Suspicious Activity Rule


A Suspicious Activity rule can be created from scratch or directly from Predefined or Custom view results.

Create a Suspicious Activity Rule

1. Select the Tools menu and Suspicious Activity Rules...
2. Click the Add button. The Block Suspicious Activity window is displayed.
3. Select Apply On for either all VPN-1 Pro gateways or for a specific gateway.
4. In the Source section select Any to define blockage of all source machines or indicate a specific IP Address or Network. If you would like to indicate a specific network source, define both the source machine's IP and its Network Mask.
5. In the Destination section select Any to define the blockage of all destination machines or define a specific IP address. If you would like to indicate a specific network destination, define both the destination machine's IP and its Network Mask.
6. In the Service section select Any for blocking all services or define a specific service that you wish to block.
7. In the Expiration section select a Relative time at which this rule should expire or define an Absolute Date and Time of expiration.
8. Click the Advanced button to decide how SmartView Monitor will react to behavior that applies to this rule. The Advanced window is displayed.
   a) Select either Drop, Reject or Notify in the Action drop-down list. Notify indicates that a notification about the defined activity will be sent but the activity will not be blocked. Drop indicates that packets will be dropped without sending the communicating peer a notification. Reject indicates that packets will be rejected along with a notification to the communicating peer that the packet has been rejected.
   b) Select No Log, Log or Alert in the Track drop-down list.
   c) Check Close Connections to close all active connections matching this rule.
9. Click OK to return to the Block Suspicious Activity window.
10. Click Enforce to save and execute this rule.
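The Source, Destination, Service, Expiration and Action settings chosen in the steps above decide what a rule blocks and for how long. As an added example (not Check Point code and not part of the original guide), the following Python check reviews a rule's scope before Enforce is clicked. The field names, the protected-host list and the max_lifetime limit are assumptions of the example, and the sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

ANY = "Any"

@dataclass
class BlockRule:
    """Settings of the Block Suspicious Activity window (field names are this example's)."""
    source: str            # "Any", a single IP, or "IP/mask"
    destination: str       # same forms as source
    service: str           # "Any" or a service name such as "http"
    action: str            # "Drop", "Reject" or "Notify"
    expires_in: timedelta  # the Relative expiration option

def covers(spec, host):
    """True if a Source/Destination value includes the given host address."""
    if spec == ANY:
        return True
    # strict=False accepts a host address written with a network mask
    return ipaddress.ip_address(host) in ipaddress.ip_network(spec, strict=False)

def review(rule, protected_hosts, now, max_lifetime=timedelta(days=1)):
    """Return (expiry, warnings) for a rule that is about to be enforced."""
    if rule.action not in ("Drop", "Reject", "Notify"):
        raise ValueError(f"unknown action: {rule.action}")
    expiry = now + rule.expires_in
    warnings = []
    if rule.expires_in > max_lifetime:  # max_lifetime is an assumed local policy
        warnings.append("expiration exceeds the allowed lifetime")
    if rule.action == "Notify":         # Notify reports the activity, blocks nothing
        return expiry, warnings
    if (rule.source, rule.destination, rule.service) == (ANY, ANY, ANY):
        warnings.append("rule blocks all traffic")
    for host in protected_hosts:
        cut_off_out = covers(rule.source, host) and rule.destination == ANY
        cut_off_in = rule.source == ANY and covers(rule.destination, host)
        if cut_off_out or cut_off_in:
            warnings.append(f"{host} would be cut off for service {rule.service}")
    return expiry, warnings

if __name__ == "__main__":
    # Constructed sample: block a /16 for one hour while 10.1.2.3 is a management host.
    rule = BlockRule("10.1.0.0/255.255.0.0", ANY, "http", "Drop", timedelta(hours=1))
    print(review(rule, ["10.1.2.3", "192.0.2.10"], datetime(2005, 5, 1, 12, 0)))
```
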

Create a Suspicious Activity Rule based on the Results

When running a Traffic or Counter view you can create a Suspicious Activity rule from the results that appear on the SmartView Monitor SmartConsole.

1. In the SmartView Monitor SmartConsole, click Traffic or Counters in the Tree View.
2. In the Traffic or Counters view tree, double click the Predefined or Custom traffic view that you would like to run. A list of available gateways and clusters appears.
3. Select the gateway for which you would like to run the selected Traffic or Counter view.
4. Click OK. The results of the selected view appear in the SmartView Monitor SmartConsole.
5. In the area of the screen in which the results appear, right click the Service, Network Object, Tunnel, etc., that you would like to block.
6. Select Block Source. The Block Suspicious Activity window is displayed containing all of the settings associated with the selected view results.
7. Modify any or none of the settings that appear.
8. Click Enforce to save and execute this rule.

Manage Suspicious Activity Rules


The Enforced Suspicious Activity Rules window provides a display of the currently enforced rules. If a rule that conflicts with another rule is added, the conflicting rule remains hidden. For example, if a rule was defined for dropping all http traffic and an additional rule is defined for rejecting http traffic, only the dropped rule, which is the dominant rule, will be displayed.

Once one or more Suspicious Activity rules are created, SmartView Monitor enables you to:
- View the rules that are currently being enforced on a gateway or on all the gateways.
- Remove or add new rules.

Note - To add a new Suspicious Activity rule, refer to "Create a Suspicious Activity Rule".

View a Suspicious Activity Rule

1. In the SmartView Monitor SmartConsole, click Traffic or Counters in the Tree View.
2. Select the Tools menu and Suspicious Activity Rules. The Enforced Suspicious Activity Rules window is displayed.
3. Select Apply on All to view all the Suspicious Activity rules or Show On to view rules associated with a specific gateway or cluster.

Remove a Suspicious Activity Rule

1. In the SmartView Monitor SmartConsole, click Traffic or Counters in the Tree View.
2. Select the Tools menu and Suspicious Activity Rules. The Enforced Suspicious Activity Rules window is displayed.
3. Select Apply on All to view all the Suspicious Activity rules or Show On to view rules associated with a specific gateway or cluster.
4. Select the rule that you would like to remove from the Enforced Suspicious Activity Rules window.
5. Click Remove.
6. Click Yes to remove the rule.
