SmartDashboard (Smart Clients) (Check Point) Part 3

A GUI Overview of New FP3 Features

Besides the basic object and rule management properties of SmartDashboard, new tools and windows speed up an administrator's daily work. The new policy installation interface aims to ease the burden of installing policies on multiple firewalls by classifying the installation targets. The Sections feature simplifies the view of complex rule bases by organizing the rules under section headers. Furthermore, the database revision tool is Check Point’s first attempt to control change management on the rule bases.

The New Policy Installation Interface

The new user interface offers detailed control of the installation process. The installation targets, live process indication, and organized error indication lists are the new extended features in policy installation. The new features make SmartDashboard installations cleaner.

You’ll see four main windows during the policy installation. In the Install Policy window (see Figure 2.9), you can define the policy types to be installed. NAT policy and Security policy are installed together by default. It is possible to install Desktop Security and VPN-1 Net policies individually. Depending on your deployment’s complexity, you have the option to choose Select All or Clear All. In the Installation Mode properties, you may choose to install the policy independently or dependently. This option enables you to specify what to do if the Security Policy installation is unsuccessful for one or more of the selected modules. When dependent installation is chosen, the policy will not be installed if any of the installations fail. These rules do not apply to pre-NG gateways.


Figure 2.9 The Install Policy Window


The Select Installation Target window (see Figure 2.10) is very useful if you install policy on specific servers. Once you set the installation targets, you don’t have to deselect each host in your objects database. You may define the installation targets per policy. This feature is very helpful if you are managing multiple firewall networks from a single management server.

During the installation, you can view the stages and percentage of the operation in the Installation Process window (see Figure 2.11).

Figure 2.10 The Installation Target Window


Figure 2.11 The Installation Process Window


When you click the Show Errors button, you can see the processes in real time from the Verification and Installation Errors screen (see Figure 2.12). If the installation completed successfully, this button disappears.

Figure 2.12 The Verification and Installation Errors Window


Using Sections in the Security Rule Base

Although search functions ease the pain of navigating a Security Rule Base, navigating a complex Security Rule Base with more than 30 rules is a continuing problem. With FP3, Check Point addresses this issue by applying the same expand/collapse logic to its Security Rule Base. Now you can organize rules under sections.

Applying a section is simple. Highlight the rule where you want to add a section. From either the Rules—Add Section Title menu or the right-mouse-click Add Section Title menu, you can choose to add a section above or below the highlighted rule.

Enter the name of the section in the header pop-up menu, and that is all you need. Remember that all the rules below that section will be added to the new section. You do not have an option to choose the number of rules to add, so starting from the bottom is a good idea. Since rule base order must remain intact, you may not deploy logical sections and reorganize the rules in different sequences; you may only summarize the existing rules in existing order. Collapsed rules organized under sections are shown in Figure 2.13.

Figure 2.13 Sections of Rules on SmartDashboard


Version Control with Database Revision Control

With FP3, Check Point improved the revisioning system. You may save an existing database on SmartCenter Server. Once it is saved, you can go back to the previous states of the database.

With revision control you can create, view, restore, and delete the previous database versions. If you want to deactivate this feature, you need to uncheck Revision Control from the Global Properties window. You then need to save the policy and unload the policy from the module. The last step is to push the policy to the module again. If you do not unload the policy first, all attempts to load a new policy will fail.

This tool requires a separate license, and it should not be considered a complete version control system. You should consider the following issues before deployment:

■ It is not possible to edit previous versions; they are accessible only in read-only mode.

■ Only FP2 backward compatibility is supported. Restoring FP2 databases on the remote module is possible only through the command line.

■ You may not compare the changes with the Database Revision Tool.

■ Key management is not versioned.
