Beruflich Dokumente
Kultur Dokumente
P/N 704007
2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Version
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=10833 For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Revision History
Date 18 August 2010 15 August 2010 Description Uploaded online version First release of this document (printed book)
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Security Gateway 80 Getting Started Guide).
Welcome
Warning - This appliance does not contain any user-serviceable parts. Do not remove any covers or attempt to gain access to the inside of the product. Opening the device or modifying it in any way has the risk of personal injury and will void your warranty. The following instructions are for trained service personnel only. To prevent damage to any system board, it is important to handle it with care. The following measures are generally sufficient to protect your equipment from static electricity discharge: When handling the board, to use a grounded wrist strap designed for static discharge elimination. Touch a grounded metal object before removing the board from the antistatic bag. Handle the board by its edges only. Do not touch its components, peripheral chips, memory modules or gold contacts. When handling processor chips or memory modules, avoid touching their pins or gold edge fingers. Restore the communications appliance system board and peripherals back into the antistatic bag when they are not in use or not installed in the chassis. Some circuitry on the system board can continue operating even though the power is switched off. Under no circumstances should the lithium battery cell used to power the real-time clock be allowed to short. The battery cell may heat up under these conditions and present a burn hazard. Warning - DANGER OF EXPLOSION IF BATTERY IS INCORRECTLY REPLACED. REPLACE ONLY WITH SAME OR EQUIVALENT TYPE RECOMMENDED BY THE MANUFACTURER. DISCARD USED BATTERIES ACCORDING TO THE MANUFACTURERS INSTRUCTIONS. Disconnect the system board power supply from its power source before you connect or disconnect cables or install or remove any system board components. Failure to do this can result in personnel injury or equipment damage. Avoid short-circuiting the lithium battery; this can cause it to superheat and cause burns if touched. Do not operate the processor without a thermal solution. Damage to the processor can occur in seconds.
For California:
Perchlorate Material - special handling may apply. See http://www.dtsc.ca.gov/hazardouswaste/perchlorate The foregoing notice is provided in accordance with California Code of Regulations Title 22, Division 4.5, Chapter 33. Best Management Practices for Perchlorate Materials. This product, part, or both may include a lithium manganese dioxide battery which contains a perchlorate substance. Proposition 65 Chemical Chemicals identified by the State of California, pursuant to the requirements of the California Safe Drinking Water and Toxic Enforcement Act of 1986, California Health & Safety Code s. 25249.5, et seq. ("Proposition 65"), that is "known to the State to cause cancer or reproductive toxicity" (see http://www.calepa.ca.gov) WARNING: Handling the cord on this product will expose you to lead, a chemical known to the State of California to cause cancer, and birth defects or other reproductive harm. Wash hands after handling.
Page 4
Welcome
To assure continued compliance, any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. (Example - use only shielded interface cables when connecting to computer or peripheral devices).
Page 5
Welcome
Product Disposal
This symbol on the product or on its packaging indicates that this product must not be disposed of with your other household waste. Instead, it is your responsibility to dispose of your waste equipment by handing it over to a designated collection point for the recycling of waste electrical and electronic equipment. The separate collection and recycling of your waste equipment at the time of disposal will help to conserve natural resources and ensure that it is recycled in a manner that protects human health and the environment. For more information about where you can drop off your waste equipment for recycling, please contact your local city office or your household waste disposal service.
Page 6
Contents
Important Information .............................................................................................. 3 Health and Safety Information ................................................................................. 4 Introduction ............................................................................................................... 8 Welcome ................................................................................................................8 Shipping Carton Contents ......................................................................................8 Terminology ...........................................................................................................9 Security Gateway 80 Overview .............................................................................. 10 Security Gateway Software Blades ......................................................................10 This Getting Started Guide Provides: ...................................................................10 Getting Started ........................................................................................................ 11 Prerequisites ........................................................................................................11 Configuring Security Gateway 80 .........................................................................12 Step 1: Defining the Security Gateway 80 Object in SmartDashboard ...........12 Step 2: Preparing to Install the Security Policy ................................................18 Step 3: Setting Up Security Gateway 80 .........................................................19 Step 4: Connecting the Cables ........................................................................19 Step 5: Initial Configuration of the Appliance ...................................................20 Front Panel ...........................................................................................................29 Back Panel ...........................................................................................................30 Restoring Factory Defaults ...................................................................................31 Support and Further Information .......................................................................... 32 Support .................................................................................................................32 Where To From Here? .........................................................................................32 Appendix A: Security Management Issues .......................................................... 33 Viewing the Policy Installation Status ...................................................................33 Configuring Notification Settings ..........................................................................36 Appendix B: Browser Security Warnings ............................................................. 37 Index ........................................................................................................................ 39
Chapter 1
Introduction
Important - Prior to reading this Getting Started Guide, ensure that you have read and understood the information in the versions release notes (http://supportcenter.checkpoint.com) and the Security Gateway 80 Known Limitations SecureKnowledge article (http://supportcontent.checkpoint.com/solutions?id=sk52180).
Welcome
Thank you for choosing Check Point's Internet Security Product Suite. We hope that you will be satisfied with this solution and our support services. Check Point products provide your business with the most up to date and secure solutions available today. Check Point also delivers worldwide technical services including educational, professional and support services through a network of Authorized Training Centers, Certified Support Partners and Check Point technical support personnel to ensure that you get the most out of your security investment. For additional information on the Check Point Internet Security Product Suite and other security solutions, refer to: http://www.checkpoint.com (http://www.checkpoint.com) or call Check Point at 1(800) 429-4391. For additional technical information, refer to: http://support.checkpoint.com (http://supportcenter.checkpoint.com). Welcome to the Check Point family. We look forward to meeting all of your current and future network, application and management security needs.
Page 8
License Agreement
Terminology
The following Security Gateway 80 terms are used throughout this guide: Gateway: The Security Gateway engine that enforces the organization's security policy and acts as a security enforcement point. Security Policy: The policy created by the system administrator that regulates the flow of incoming and outgoing communication. Security Management server: The server used by the system administrator to manage the security policy. The organization's databases and security policies are stored on the Security Management server and downloaded to the gateway. SmartConsole: GUI applications that are used to manage various aspects of security policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs. SmartDashboard: A SmartConsole GUI application that is used by the system administrator to create and manage the security policy.
Introduction
Page 9
Page 10
Chapter 2
Getting Started
This section contains information related to configuring Security Gateway 80 using the SmartDashboard in the Security Management server and the First Time Configuration Wizard for configuring the appliance. In This Chapter Prerequisites Configuring Security Gateway 80 Front Panel Back Panel Restoring Factory Defaults 11 12 29 30 31
Prerequisites
To manage the Security Gateway 80 appliance, you need to install a Security Management Server and SmartConsole clients that support Security Gateway 80. These Security Management Server versions support Security Gateway 80: For R70 version R70.40 and higher For R71 version R71.20 and higher
Page 11
Getting Started
Page 12
Click Next. The Trusted Communication page appears. 6. If you specified a static IP address, the Authentication and Trusted Communication sections appear (if you specified a dynamic IP address, go to step 7). a) In the Authentication section, select one of the options: Initiate trusted communication securely by using a one-time password - the one-time password is used to authenticate communication between the Security Gateway and the Security Management server in a secure manner. Provide a one-time password and confirm it. This password is only used for establishing the initial trust. Once established, trust is based on security certificates. Important - This password must be identical to the one-time password defined for the appliance in the First Time Configuration Wizard. Initiate trusted communication without authentication (less secure) - select this option only if you are sure that there is no risk of imposture (for example, when in a lab setting).
b) In the Trusted Communication section, select one of the initialization options: Initiate trusted communication automatically when the Gateway connects to the Security Management server for the first time - trust will be established when the Gateway will connect for the first time.
Getting Started
Page 13
Initiate trusted communication now and click Connect. A status window appears. Use this option only if you have already set up the appliance.
The Trust state field displays the current trust status. Click Next and go to step 8. 7. If you specified a dynamic IP address, the Gateway Identifier and Authentication sections appear. a) Select one of the identifiers: Gateway name specify the same name that you will provide for the appliance during its initial configuration. MAC address specify the MAC address that appears on a sticker located on the appliance or on the box. First to connect specifies that this Gateway will be the first appliance to connect. Note - For your convenience, if the gateway name matches, the Security Management Server will identify the gateway regardless of its MAC address. b) In the Authentication section, select one of the options: Initiate trusted communication securely by using a one-time password - the one-time password is used to authenticate communication between the Security Gateway and the Security Management server in a secure manner. Provide a one-time password and confirm it. This password is only used for establishing the initial trust. Once established, trust is based on security certificates. Important - This password must be identical to the one-time password defined for the appliance in the First Time Configuration Wizard. Initiate trusted communication without authentication (less secure) - select this option only if you are sure that there is no risk of imposture (for example, when in a lab setting).
Getting Started
Page 14
Click Next. 8. In the Blade Activation page, select the security and software blades that you want to activate and configure. To configure blades now: a) Ensure that the Activate and configure software blades now option is selected. b) Select the checkboxes next to the blades you want to activate and configure. To configure blades later: Select the Activate and configure software blades later option. This is done by editing the object from the Network Objects tree.
Click Next. 9. If you selected to activate and configure software blades now, configure the options relevant to your selections: For NAT, the Hide internal networks behind the Gateways external IP checkbox is selected by default. Un-check it, if you do not want to use this feature. For IPSec VPN: Ensure that the VPN community has been predefined. If it is a star community, Security Gateway 80 will be added as a satellite gateway.
Getting Started Page 15
Select a VPN community that the Gateway participates in from the Participate in a site to site community list.
For IPS: Select a profile from the Assign IPS Profile list or click Manage to create/edit an IPS profile. For URL Filtering, Anti-Spam and Email Security, Anti-Virus and Anti-Malware, there are no additional settings that need to be configured.
Click Next. 10. If you selected IPSEC VPN, configure VPN Encryption Domain settings. To hide the VPN domain, select Hide VPN domain behind this gateway's external IP. The VPN domain consists of network objects behind this gateway. Instead of defining the network topology behind this gateway, it is possible to use this option, which sets the VPN domain to be this gateways external IP address. This option is only relevant if you chose to hide all internal networks behind this gateways external IP (see gateways NAT settings). All outgoing traffic from networks behind this gateway to other sites that participate in VPN community will be encrypted (including replies, of course). Note - If you choose this option, connections that are initiated from other sites that are directed to hosts behind this gateway will not be encrypted. If you need such access to hosts behind this gateway, either choose other options (define VPN topology) or, if possible, make sure all traffic from other sites is directed to this gateways external IP and define corresponding NAT port-forwarding rules, such as: Translate the destination of incoming HTTP connections that are directed to this gateways external IP to the IP address of a web server behind this gateway. To create a new VPN domain group, go to step 11. To select a predefined VPN domain, go to step 12. 11. To create a new VPN domain group: a) Ensure that the Create a new VPN domain option is selected. b) In the Name field, specify a name for the group. c) From the Available objects list, select the relevant object(s) and click to the VPN domain members list. d) If required, you can create a new object by pressing New. 12. To select a predefined VPN domain: . The objects are added
Getting Started
Page 16
a) Choose the Select an existing VPN domain option. b) From the VPN Domain list, select the domain.
Click Next. 13. In the Installation Wizard Completion page, you can view a summary of the configuration parameters that have been set and can perform further actions. Select Edit Gateway properties for further configuration if you want to continue configuring the Security Gateway. Upon clicking Finish, this will open the General Properties page of the newly defined object.
Click Finish.
Getting Started
Page 17
5. Continue tracking the status of the security policy installation with the Policy Installation Status window and the status bar ("Viewing the Policy Installation Status" on page 33).
Getting Started
Page 18
Getting Started
Page 19
You can click the Cancel button on any one of the wizard pages to discard changes and start the wizard again. This restores the factory default settings and causes the appliance to reboot. Alternatively, you can save the settings that have been configured and close the wizard. Note - After you complete the wizard, you use the WebUI (Web User Interface) to change settings and configure additional settings. To open the WebUI, got to http://my.firewall or enter the IP address of the Security Gateway 80 appliance in your browser (either http://<appliance IP> or https://<appliance IP>:4434). If a security warning message appears, confirm it and continue. For more details, see Appendix B: Browser Security Warnings (on page 37).
1. To access the First Time Configuration Wizard, initiate a connection from your browser to http://my.firewall and confirm the security message. The Welcome page of the Security Gateway 80 First Time Configuration Wizard appears.
Click Next. 2. In the Authentication Details page, provide the following details to enable subsequent logging in to the Security Gateway 80 WebUI application: Administrator Name: It is recommended to change the default "admin" login name of the administrator. Note that the name is case sensitive.
Getting Started
Page 20
Password: While entering a password, you can use the Password strength meter to measure the strength of your password. This meter is only used as an indicator and does not enforce creation of a password with a specific number of characters or character combination. The minimum length for a strong password is 6 characters that contains at least one capital letter, one lower case letter and a special character. If you specify such a password, a green bar in the last section of the meter will appear. It is strongly recommended to create a password using both uppercase and lowercase letters.
Click Next. 3. In the Appliance Date and Time Settings page, configure the appliance's date, time and time zone settings. The host computer's settings are used for the default date, time and time zone values. If required, change the time zone setting to reflect your exact location. Note that although not specified, Daylight Savings Time is automatically enabled by default. This can be changed in the WebUI application. Note - NTP (Network Time Protocol) is supported but requires configuration via the WebUI. In the Security Gateway 80 WebUI, click Device > Date and Time.
Getting Started
Page 21
Click Next. 4. In the Appliance Name page, specify a name for the appliance that is used to identify the Security Gateway 80 appliance and a domain name. The Domain Name field is not mandatory. Important - In general, it is not required to define the same name here and in SmartDashboard's Security Gateway 80 gateway object. However, if the gateway does not use a static IP for its Internet connection, SmartDashboard requires a unique identifier for the gateway. If you choose Gateway name as the identifier, the Appliance Name must be identical to the one specified in SmartDashboard.
Click Next.
Getting Started
Page 22
5. In the Internet Connection page, configure your Internet connectivity details or select the Configure Internet connection later option and then configure connectivity via the WebUI application at a later time. To configure Internet connection now: a) Ensure that Configure Internet connection now is selected. b) From the Connection Protocol drop down list, select the protocol used for connecting to the Internet. c) Fill in the fields required for the selected connection protocol. The information required varies per protocol and can be obtained from your Internet Service Provider (ISP). Static IP - A fixed (non-dynamic) IP address. PPPoE - a network protocol for encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly with DSL services where individual users connect to the DSL modem over Ethernet and in plain Metro Ethernet networks. PPTP - the Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets. L2TP - Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy. DHCP - Dynamic Host Configuration Protocol (DHCP) automatically issues IP addresses within a specified range to devices on a network. Bridge - connects multiple network segments at the data link layer (Layer 2). A single LAN WAN bridge is supported. d) In the DNS Server field (that appears for Static IP and Bridge connections), enter the DNS server addresses information in the relevant fields. For DHCP, PPPoE, PPTP and L2TP, the DNS settings are supplied by your service provider. You can override these settings later in the WebUI application under Network > DNS page. It is recommended to configure the DNS since Security Gateway 80 needs to perform DNS resolving for various purposes. For example, for connecting to Check Point User Center during license activation or when Anti Virus, Web Filtering or Anti Spam services are enabled. e) Click Connect to save the connection settings and test the Internet connection. Indication regarding success or failure of the connection appears at the bottom of the page. To configure the Internet connection at a later time:
Getting Started
Page 23
Click Next. Note - If you configure the appliance in a lab with the intention of it connecting to the Internet only once it is deployed in a remote office, set the connection details and click Next (without Connect). Once the appliance will be set up in the remote office, it will connect automatically once it is connected to the Internet. 6. In the Local Network page, select whether to enable switch on LAN ports and configure your network settings. You can modify the IP address and connectivity will be maintained as the appliance's original IP is kept as an alias IP until the first time you boot the appliance. Note - DHCP is enabled by default and a default range is configured. Make sure to set the range accordingly and be careful not to include predefined static IPs in your network. Set the exclusion range for IP addresses that should not be defined by the DHCP server.
Getting Started
Page 24
Click Next. 7. In the Security Management Server Connection (SIC) page, provide details for connecting to the Security Management server: a) Select one of the following options for authenticating trusted communication: Initiate trusted communication securely by using a one-time password - the one-time password is used to authenticate communication between the Security Gateway 80 Security Gateway and the Security Management server in a secure manner. Provide a one-time password and confirm it. This password is only used for establishing the initial trust. Once established, trust is based on security certificates. Important - This password must be identical to the Secure Communication authentication one-time password configured for the Security Gateway 80 object in the SmartDashboard of the Security Management server. Initiate trusted communication without authentication (not secure) - select this option only if you are sure that there is no risk of imposture (for example, when in a lab setting). Configure one-time password later - set the one-time password at a later time using the WebUI application.
b) To connect to the Security Management server now, select Connect to the Security Management server now, enter the Security Management server IP and click Connect. Upon successful connection to the Security Management server, the security policy will automatically be fetched and installed (make sure a policy was prepared in SmartDashboard. If one wasn't prepared, an error shows and the appliance will keep the "Outgoing Policy".) If trust was established but the gateway could not fetch the policy, you can investigate the issue with the Security Management server administrator and following resolution, attempt to fetch it by clicking the Fetch Policy button that appears instead of the Connect button. c) To connect to the Security Management server later, select Connect to the Security Manager server later.
Getting Started
Page 25
Click Next. 8. In the Access Policy page, define the IP addresses that can access the Security Gateway 80 appliance. Select one of these options: Any IP Address - allows administrator access from any IP address. Select the interface type from which the IP addresses can obtain access from the Interface list. Specific IP Address - click Add and define the IP address that has access to the appliance. Then select the interface type from which the IP addresses can obtain access from the Interface list.
Click Next. 9. In the License Activation page, select a method for activating the software blade licenses. a) To activate a license now:
Getting Started
Page 26
Select Choose how to activate the license and either: (i) Click Obtain License from User Center and then Activate License. The Security Gateway 80 appliance will contact Check Point's User Center and will install the license automatically. To use a proxy server, click the Set Proxy link, select the checkbox and enter the address and port. Note that this option is available only if you are connected to the Internet. (ii) Click Import Activation file and then Browse to select a license activation file. You can receive the activation file by doing one of these offline procedures: Using your User Center account - log into your User Center account from a PC connected to the Internet and select the specific container of your Security Gateway 80 appliance, then within the Product Information tab, click on License, click on Activate and then this message is shown: "Licenses were generated successfully". Click Get Activation File and save your activation file locally. Registering your appliance - go to http://register.checkpoint.com, fill in your appliance details and then click Activate. This message is shown: "Licenses were generated successfully". Click Get Activation File and save your activation file locally. Click Activate License (once you click this, you will see the option Reactivate License). The software blades associated with this license and their expiration dates are shown. b) To set trial licenses that are valid for 30 days, click Activate later (use trial license).
Click Next.
Getting Started
Page 27
10. Click Finish to complete the First Time Configuration Wizard. The WebUI application appears. You can configure additional settings if required.
Getting Started
Page 28
Front Panel
Front Panel
Key Description 1 2 3 USB1 port. Power LED - green when the appliance is turned on. Notice LED
Blinking green during boot. Blinking red when there is no Internet connection. Refer to the WebUI Logs > System Logs page for more details. Solid red when the appliance has a resource problem such as memory shortage. Refer to the WebUI Logs > Traffic Logs page for more details.
LAN1 - LAN8, DMZ and WAN port LEDs - when a specific port is inactive, both of the port's indicators are not lit. Link Indicator
Orange indicates that the port speed is 1000 Mbps. Green indicates that the port speed is 100 Mbps. Not lit indicates that the port speed is 10 Mbps.
Activity Indicator
Solid green when link is up and no traffic is encountered. Blinking green when encountering traffic.
USB1 and USB2 port LEDs - orange when a USB device is connected.
Getting Started
Page 29
Back Panel
Back Panel
Key Description 1 2 Power outlet - for connecting the power supply unit's cable. Reboot button - enables you to forcibly reboot the appliance. The button is recessed into the appliance chassis to prevent accidental reboot. The appliance will reboot immediately after pressing the button. LAN1 - LAN8 - built in Ethernet ports. LAN2/SYNC - in a cluster configuration, a cable needs to be connected between this port on both appliances taking part in the cluster. The cluster sync port can be configured to a port other than LAN2. Refer to the Security Gateway 80 Administration Guide for more information. DMZ and WAN - built in Ethernet ports. USB2 - second USB port. Console - serial connection configured in 115200 bps. Factory Defaults button - enables you to restore the appliance to its factory defaults. The button is recessed into the appliance chassis to prevent accidental restoring of factory default settings. See Restoring Factory Defaults. ("Restoring Factory Defaults" on page 31)
4 5 6 7
Getting Started
Page 30
To restore the Security Gateway 80 appliance to its default factory configuration using the WebUI:
1. In the Security Gateway 80 WebUI, click Appliance > System Operations. The System Operations pane opens. 2. Under Appliance, click Factory Defaults. 3. In the pop-up window that opens, click OK. 4. While factory defaults are being restored, all LAN Link and Activity LEDs will blink orange and green alternately to indicate progress. 5. This will take up to a few minutes. Upon completion, the appliance will boot automatically.
To restore the Security Gateway 80 appliance to its default factory configuration using the button on the back panel:
1. Press the Factory defaults button using a pin and hold it for at least 3 seconds. 2. When the Power and Notice LEDs are lit, release the button. 3. While factory defaults are being restored, all LAN Link and Activity LEDs will blink orange and green alternately to indicate progress. 4. This will take up to a few minutes. Upon completion, the appliance will boot automatically.
To restore the Security Gateway 80 appliance to its default factory configuration using Uboot (boot loader):
1. While connected with a console connection to the appliance (using the serial console connection on the back panel of the appliance), boot the appliance and press Ctrl-C. 2. After pressing Ctrl-C, the Secure Platform Embedded Boot Menu is shown. Welcome to SecurePlatform Embedded Boot Menu: 1. Start in normal Mode 2. Start in debug Mode 3. Start in maintenance Mode 4. Restore to Factory Defaults (local) 5. Install/Update Image/Boot-Loader from Network 6. Install/Update Image from USB 7. Install/Update Boot-Loader from USB 8. Restart Boot-Loader Please enter your selection : 3. Press 4 to select Restore to Factory Defaults (local). 4. Once prompted: "Are you sure? (y/n)" choose y to continue and restore the appliance to its factory defaults settings. 5. While factory defaults are being restored, all LAN Link and Activity LEDs will blink orange and green alternately to indicate progress. 6. This will take up to a few minutes. Upon completion, the appliance will boot automatically.
Getting Started
Page 31
Chapter 3
Support and Further Information
In This Chapter Support Where To From Here? 32 32
Support
For additional technical information about Check Point products, consult the Check Point Support Center at: http://support.checkpoint.com (http://supportcenter.checkpoint.com)
Page 32
Chapter 4
Appendix A: Security Management Issues
In This Chapter Viewing the Policy Installation Status Configuring Notification Settings 33 36
The status bar is updated dynamically each time a gateway attempts to install a policy or attempts to connect to the Security Management server. The result of these actions also appear in SmartDashboard popup notification balloons that appear in SmartDashboard upon the occurrence of such events. You can configure these notifications ("Configuring Notification Settings" on page 36). To track the status of the last policy installed on each gateway, you can use the Policy Installation Status window. The window has two sections. The top section shows a list of gateways and status information regarding the installed policy. You can use the filter fields to focus on certain policies of interest and hide other data by defining the appropriate criteria per field. Once you have applied the filtering criteria, only entries matching the selected criteria are shown. If the system logs trusted communication (SIC) attempts from unknown gateways, a yellow status bar appears below the filter fields.
Page 33
The bottom section shows details of a row you select in the gateway list (errors that occurred, the date the policy was prepared, verification warnings). If there is a yellow status bar, clicking Show details shows the details of unknown gateways attempting to connect to the Security Management Server.
These statuses can appear in this window: Icon Policy status Succeeded Succeeded Description Policy installation succeeded. Policy installation succeeded but there are verification warnings. Communication settings were set up on the Gateway object; waiting for first connection with the appliance to establish trust and if a policy has been prepared, it will attempt to install it. If connection settings were set up for a Security Gateway 80 appliance, but a policy was not prepared, the Policy Type column shows "No Policy Prepared" and upon first connection only trust will be established. Waiting for first connection Same as above but there are warnings that indicate attempts to establish trust that failed or there are verification warnings.
Page 34
Icon
Description The policy remains in the pending status until the Gateway successfully connects to the Security Management server and retrieves the policy. This status appears when the Security Management server has problems connecting to the Gateway. For example, if the Gateway is unavailable for receiving communication, as in behind NAT. Note that this status is applicable only if the first or previous install policy operation was successful.
Same as above but there are verification warnings. Warning. Information. Policy not installed due to a verification error. Policy installation failed.
You can access the Policy Installation Status window in the following ways: From the menu bar - click Policy > Policy Installation Status. From the toolbar - click the Policy Installation Status icon From the status bar - click on either the Failed or Pending link. The contents of the Policy Installation Status window are shown filtered according to the link clicked. From notification balloons - click the See Details link in the balloon.
Page 35
Page 36
Chapter 5
Appendix B: Browser Security Warnings
When you log in to the appliance from the Internet Explorer or Mozilla FireFox browser, you might see a security warning. You can safely confirm the warning and continue to log in as usual. Mozilla FireFox
1. Click I understand the Risks 2. Click Add Exception. The Add Security Exception dialog box opens. 3. Click Confirm Security Exception. Internet Explorer
Page 37
Index
A
Appendix A Security Management Issues 33 Appendix B Browser Security Warnings 37
B
Back Panel 30
C
Configuring Notification Settings 36 Configuring Security Gateway 80 12
F
Front Panel 29
G
Getting Started 11
H
Health and Safety Information 4
I
Important Information 3 Introduction 8
P
Prerequisites 11
R
Restoring Factory Defaults 31
S
Security Gateway 80 Overview 10 Security Gateway Software Blades 10 Shipping Carton Contents 8 Step 1 Defining the Security Gateway 80 Object in SmartDashboard 12 Step 2 Preparing to Install the Security Policy 18 Step 3 Setting Up Security Gateway 80 19 Step 4 Connecting the Cables 19 Step 5 Initial Configuration of the Appliance 20 Support 32 Support and Further Information 32
T
Terminology 9 This Getting Started Guide Provides: 10
V
Viewing the Policy Installation Status 33