SmartDashboard (Smart Clients) (Check Point) Part 1

Introduction

With the introduction of the FireWall-1 NG product, Check Point has separated the new feature releases from the product fixes. With Feature Packs, Check Point is not simply providing "bug fixes" or "service packs," as the company did with its older software. Feature Packs (FPs) bring new features such as the new log management interface in FP3. The NG FP is now the method by which Check Point will provide cumulative updates and new features to the product.

In NG FP3, Check Point has launched "smart" clients. We focus on the new features of this Security Management Architecture’s smart clients and correlate the new client names to the Check Point clients that you have used in the past. Be sure to review this section well because there are some major differences between these new clients and the old. In the past, these user interfaces were called GUI clients. The three main clients were Policy Editor, Log Viewer, and System Status. For those sites that deployed SecuRemote and/or SecureClient, the SecureClient Packaging Utility was also a GUI client.

As shown in Table 2.1, there are now the SmartDashboard, SmartView Status, SmartView Tracker, SmartView Monitor, and User Monitor. The SmartDashboard is used to modify security policy, just as the Policy Editor was in previous versions. SmartView Tracker is the new Log Viewer, and SmartView Status is the new System Status.


There are some new tools as well, including the User Monitor. This client allows you to view the current users connected through your firewall using SecuRemote and/or SecureClient.

Table 2.1 New FireWall-1 NG FP3 Client Names

| New Client Name | Prior Corresponding Client Names |
|---|---|
| SmartDashboard | Policy Editor, Policy Manager |
| SmartView Tracker | Log Viewer, Log Manager |
| SmartView Status | System Status, Status Manager |
| SmartMap | Visual Policy Editor (VPE) |
| SmartView Monitor | Real-time Monitor, Traffic Monitor |

The most apparent enhancement in the NG series is the management interface. The new Smart-prefixed clients’ center console is named SmartDashboard. SmartDashboard answers the needs of a busy security administrator with plenty of new features. The new pane-based dashboard features new functions such as extended search, collapsible rule base and object trees, and dynamic toolbars. These enrichments address an enterprise-level complex firewall installation’s administrative necessities.

We address the new features of the SmartDashboard in two categories:

■ What’s new in the NG dashboard?

■ A GUI overview of new FP3 features

What’s New in NG SmartDashboard?

The changes in the management GUI are not limited to the new menu items in NG. The change covers a major upgrade in the interface. The new interface offers multiple shortcuts to firewall functions while trying to keep the security desktop organized. The new GUI SmartDashboard’s enhancements are summarized in the following sections.

New Panes

The Object Tree, Object List, and SmartMap are the new panes in NG. These panes accelerate access to security policy and the objects. All screens are modifiable. Although it is possible to change the visibility properties of the panes through the View menu, we recommend using the Panes toolbar, which offers shortcuts to managing panes.

The Object Tree

The Object Tree (see Figure 2.1) is the new object explorer of the GUI. This expandable/collapsible left pane is a very handy alternative to the previous "manage-object" menus. When you’re editing an object, the Manage menu requires a minimum of six clicks, but you may execute the same operation with four clicks on the Object Tree. The Object Tree is also helpful in organizing the objects. When the Sort by Type option is chosen, all the objects are displayed in a collapsed view. So, instead of facing hundreds of objects in the initial manage network objects menu, you may go directly to Check Point nodes in the Object Tree. You still have the option to list the objects in an ungrouped order when the Sort by Name option is checked. The new NG features, such as Where Used, Query Objects, or SmartMap Connection, are also accessible through right-click menus of the Object Tree.

The Object Tree has a tabular view. Each tab has its own group of objects, which are expandable under their parent object types.

The Object List

The Object List is the center pane window for accessing the objects. As shown in Figure 2.2, the Object List displays the brief properties of the objects in its own view.

The contents of the Objects pane change dynamically with the chosen groups in the Object Tree pane. This list is helpful for reviewing the existing objects at a glance. The Object List view cannot be grouped under object types, so all the objects are displayed in the same window (unlike the Object Tree). It is also possible to sort all the objects in descending or ascending order via a single click on the column name.

Figure 2.1 The Object Tree

Figure 2.2 The Object List

If your display does not support higher resolutions, we recommend keeping this Object List pane closed in order to have a crisper view of the policy pane.

SmartMap

When firewall administrators were discussing the pros and the cons of graphical user interface (GUI) versus command line interface (CLI), Check Point moved to the next level: the visual interface. SmartMap (see Figure 2.3) allows administrators to implement security policies, managing objects in a visual environment. The SmartMap interface, which comes with a separate license from Check Point, brings plenty of new built-in functions. The visual topology is calculated automatically with the topology creation algorithm. The SmartMap interface is tightly integrated with the other components of the dashboard, such as bidirectional drag-and-drop actions, right-click object editing from SmartMap, or visual topology views from the Object Tree and Rule Base.

Figure 2.3 The SmartMap Pane

It is recommended that you view SmartMap in undocked mode in order to optimize usability of the dashboard desktop in limited screen resolutions.

We do not cover SmartMap in depth since this feature is an optional add-on and a different approach to managing the FireWall-1 NG. This interface is new, and it is expected to have greater functionality in upcoming versions.

Tools & Traps…

What Do I Get If I License SmartMap?

Licensing SmartMap adds the following features to NG SmartDashboard:

■ Dynamic visual policy creation

■ Management of security policy through the visual interface (limited)

■ Expandable and collapsible map views of your Check Point network

■ Bidirectional interaction with the other components of GUI Object Management

■ Recognition of implied and ambiguous networks; actualization of implied networks

■ Exportable topology map; support for various image types and Visio

■ Undockable window; ability to work in a separate window

■ SmartMap helper for solving duplicated networks and unsolved object interfaces

■ Other fancy features such as navigator window, zoom, customization

New Policy Tabs

The Rule Base and Network Address Translation (NAT) tabs are no longer the only policy tabs. With the new functionality, the policy tabs (see Figure 2.4) are extended with Desktop Security, VPN Manager, Web Access, and QoS tabs. The functionality of these policy tabs is detailed in relevant topics. The basic functionality of the tabs is listed here:

■ Desktop Security: The policy server rule base for SecureClients.

■ QoS: The bandwidth management rule base for the FloodGate-1 product.

■ Web Access: Granular access policies for Web applications with the User Authority product.

■ VPN Manager: SmartMap-style visual community editing.

Figure 2.4 Policy Tabs

Each policy tab serves a different product and purpose, but all the interfaces share common, unique components to easily manage the policies. All policy tabs carry the simple, column-based colored Check Point Rule Base properties.

The new GUI functionality of the policy tabs for the FireWall-1 product is listed in Table 2.2.

Table 2.2 GUI Options

| Policy Tab | Security Rule Base | Address Translation | Desktop Security |
|---|---|---|---|
| Query Rules | Yes | No | No |
| Query Objects | Yes | No | No |
| Drag&Drop rules and objects | Yes | Yes | Yes |
| Multiple Cut&Paste | Yes | Yes | Yes |
| Rule Summarization | Yes | No | No |
| String Search | Yes | Yes | Yes |
