High-End Security Product Suite
Getting Started Guide
Version NGX R65
702024
January 30, 2008
CheckPoint_R65_HighEnd_Security_Products_GettingStarted.book Page 1 Wednesday, January 30, 2008 2:53 PM
© 2003-2007 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part of
this product or related documentation may be reproduced in any form or by any means without prior
written authorization of Check Point. While every precaution has been taken in the preparation of
this book, Check Point assumes no responsibility for errors or omissions. This publication and
features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
©2003-2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor,
Application Intelligence, Check Point Endpoint Security, Check Point Express, Check Point Express
CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra
Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa,
DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia
Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection
Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity
SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC,
OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle
Management, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home,
Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform
Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security
Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter
Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense,
SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate,
SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP,
SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard,
UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial,
UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express
CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient,
VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web
Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField,
ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs,
and the Zone Labs logo are trademarks or registered trademarks of Check Point Software
Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company.
All other product names mentioned herein are trademarks or registered trademarks of their
respective owners. The products described in this document are protected by U.S. Patent No.
5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be
protected by other U.S. Patents, foreign patents, or pending applications.
For third party notices, see “THIRD PARTY TRADEMARKS AND COPYRIGHTS” on page 61.
Contents
Chapter 1
High-End Security Suite
Welcome...................................................................................8
In This Guide ............................................................................9
Documentation ..........................................................................9
Endpoint Security Integration...................................................... 9

Feedback ................................................................................ 10
Chapter 2
Introduction
Overview ................................................................................. 11
For New Check Point Customers................................................ 12
What's New in the High-End Security Suite ................................ 13
Provider-1/SiteManager-1 ................................................ 13
VPN-1 Power VSX ........................................................... 14
Management Plug-Ins...................................................... 15
Chapter 3
Getting Started
Provider-1 Terminology............................................................. 18
VSX Terminology...................................................................... 20
High-End System Requirements ................................................ 21
Compatibility Table.................................................................. 21
Supported Upgrade Paths and Interoperability............................24
Upgrading Management Servers ....................................... 24
Backward Compatibility For Gateways ............................... 25
Licensing ................................................................................ 27
Licensing Provider-1/SiteManager-1 ................................. 28
VSX-CMA Bundle Licenses............................................... 29
For More Information....................................................... 30
Upgrading Licenses......................................................... 30
Chapter 4
Performing a New Installation
Overview .................................................................................31
Installing and Configuring Provider-1/SiteManager-1 ...................32
Overview......................................................................... 32

Building the Basic Provider-1 Network .............................. 34
Installing and Configuring the MDS................................... 35
Installing the SmartConsole and MDG Clients .................... 38
Logging in to the MDG for the First Time ........................... 39
Provider-1 and SMP Integration.................................................42
Licensing Issues.............................................................. 42
Installation ..................................................................... 43
Configuration Fine Tuning ................................................ 43
Importing VPN-1 UTM Edge Devices to Provider-1.............. 44
The Import Tool: ImportEdgeFromSMP.............................. 47
Installing and Configuring VPN-1 Power VSX...............................51
Installing VPN-1 Power VSX on SecurePlatform.................. 51
First Time Login.............................................................. 56
Initial Configuration ........................................................ 57
Configuration on the Management Server........................... 58
Where To From Here? ...............................................................59
Chapter 1
High-End Security Suite
In This Chapter:
Welcome page 8
In This Guide page 9
Documentation page 9
Feedback page 10

Welcome

Thank you for choosing the Check Point High-End Security Suite. We
hope that you will be satisfied with this security solution and the
service that Check Point provides.
Check Point delivers Worldwide Technical Services including
educational, professional and support services, through a network of
authorized training centers, certified support partners, and a variety of
Check Point resources.
In order to extend your security infrastructure as your network and
application security requirements grow, Check Point recommends
using OPSEC (Open Platform for Security), the industry leader in
open, multi-vendor security frameworks. OPSEC has over 350
partners and guarantees the widest range of best-of-breed integrated
applications and deployment platforms.
To obtain more information about this and other security solutions,
refer to: or call us at 1(800) 429-4391.
For additional technical information, refer to:
.
Welcome to the Check Point family. We look forward to meeting all of
your current and future network and application security and
management needs.
In This Guide
This guide provides:
• A brief overview of the High-End Security Suite applications
• Installation procedures
Documentation
Technical documentation is available on your distribution CD-ROM at:
CD2\Docs\CheckPoint_Suite.
These documents can also be found at:
To see what is new in version NGX R65 and for the latest technical
information, refer to the R65 What's New.
For information on upgrading your current Check Point deployment,
refer to the Check Point R65 Upgrade Guide.
Endpoint Security Integration
For in-depth documentation of Provider-1/SiteManager-1 and
SmartCenter Integration with Check Point Endpoint Security products,
refer to:
• Endpoint Security Server Installation Guide
• R65 SmartCenter Administration Guide
Feedback
Check Point is engaged in a continuous effort to improve its
documentation. Please help us by sending your comments to:

Chapter 2
Introduction
In This Chapter:
Overview page 11
For New Check Point Customers page 12
What's New in the High-End Security Suite page 13

Overview
The current Check Point release focuses on usability and
smarter management. SmartCenter is now integrated with
Connectra, InterSpect and Endpoint Security, which allows for
centralized management and monitoring of all security
enforcement points. This enhanced functionality provides IT
organizations and executive management with full visibility
over their entire security environment.
The current version includes expanded intelligent inspection
technologies in VPN-1 Power, which incorporate additional
application support into state-of-the-art Stateful-Inspection
and Application Intelligence technologies.
For New Check Point Customers
For new Check Point customers, the Check Point User Center can
help you:
• Manage Users & Accounts
• Activate Products
• Get Support Offers
• Open Service Requests
• Search the Technical Knowledge Base
To access the Check Point User Center, go to:
What's New in the High-End Security Suite
The following sections offer a brief overview of the advancements
offered by NGX R65.
In This Section:
Provider-1/SiteManager-1 page 13
VPN-1 Power VSX page 14
Management Plug-Ins page 15

Provider-1/SiteManager-1
• Management Plug-ins View. This new View indicates whether a
plug-in is activated per Customer, and displays a Needs Attention
notification for any plug-in that has not been activated properly.
• Install on Dynamic Objects. Installs a security policy on dynamic
objects.
• Gateway Function Oriented Global Policy. Global security rules
can now be installed on specific gateways or groups of gateways
for a Customer CMA, allowing gateways with different functions
to receive different global security rules. When installing global
policy to a number of similarly configured CMAs, the relevant
global rules are installed to all of the relevant gateways on each
CMA.
This feature is particularly useful for enterprise deployments of
Provider-1, where Customer CMAs typically represent geographic
subdivisions of an enterprise. For example, an enterprise
deployment may have Customer CMAs for business units in New
York, Boston, and London, and each CMA will be similarly
configured, with a gateway (or gateways) to protect a DMZ, and
others to protect the perimeter. This new capability allows an
administrator to configure the global policy so that certain global
security rules are installed to DMZ gateways, wherever they
exist, and different rules are installed to the perimeter gateways.
• Global Manager. Global Manager is a new type of administrator
account in the MDG. With access to Global SmartDashboard, a
Global Manager is capable of managing global policies and
global objects. For a Global Manager to have additional access
to CMA policies, read-write or partial access rights must be
specifically assigned.
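The function-oriented global policy described above, as an added example that is not part of the original guide or of Check Point's software: a small Python model in which each global rule names the gateway function it targets and each Customer CMA's gateways carry a function tag, so one global policy resolves to a different rule set on DMZ and perimeter gateways in every CMA without per-CMA editing. The CMA names, gateway names, function tags and rule descriptions are all constructed for illustration. It also flags a rule whose target function exists in no CMA, the case a practitioner most wants to catch, since such a rule is installed nowhere and enforces nothing.

```python
"""Added example (not Check Point code): how a function-oriented global
policy resolves onto gateways across several similarly configured Customer
CMAs.  All names, tags and rules below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Gateway:
    name: str
    function: str          # assumed tag vocabulary, e.g. "dmz" or "perimeter"


@dataclass
class CMA:
    customer: str
    gateways: list = field(default_factory=list)


@dataclass(frozen=True)
class GlobalRule:
    rule_id: str
    description: str
    install_on: frozenset  # gateway functions targeted, or {"all"} for every gateway


def resolve_global_policy(rules, cmas):
    """Return {customer: {gateway_name: [rule_ids]}}: which global rules land on
    which gateway in each CMA.  Rules target gateways by function, so every
    similarly configured CMA receives the same per-function split."""
    plan = {}
    for cma in cmas:
        per_gw = {}
        for gw in cma.gateways:
            per_gw[gw.name] = [r.rule_id for r in rules
                               if "all" in r.install_on or gw.function in r.install_on]
        plan[cma.customer] = per_gw
    return plan


def unreached_rules(rules, cmas):
    """Rule ids whose target function exists on no gateway in any CMA: a sign the
    install target is mistyped and the rule would silently enforce nowhere."""
    present = {gw.function for cma in cmas for gw in cma.gateways}
    return sorted(r.rule_id for r in rules
                  if "all" not in r.install_on and not (r.install_on & present))


# Constructed deployment: three business-unit CMAs, each with DMZ and perimeter gateways.
GLOBAL_RULES = [
    GlobalRule("G1", "stealth rule: drop traffic addressed to the gateways", frozenset({"all"})),
    GlobalRule("G2", "allow HTTP/HTTPS from the Internet to the DMZ web tier", frozenset({"dmz"})),
    GlobalRule("G3", "block outbound SMB from internal networks", frozenset({"perimeter"})),
    GlobalRule("G4", "partner extranet VPN", frozenset({"extranet"})),   # no gateway has this function
]
CMAS = [
    CMA("NewYork", [Gateway("ny-dmz-fw", "dmz"), Gateway("ny-edge-fw", "perimeter")]),
    CMA("Boston", [Gateway("bos-dmz-fw", "dmz"), Gateway("bos-edge-fw", "perimeter")]),
    CMA("London", [Gateway("lon-dmz-fw", "dmz"), Gateway("lon-edge-fw", "perimeter"),
                   Gateway("lon-dmz2-fw", "dmz")]),
]

if __name__ == "__main__":
    for customer, per_gw in resolve_global_policy(GLOBAL_RULES, CMAS).items():
        for gw_name, ids in per_gw.items():
            print(f"{customer:8} {gw_name:12} {ids}")
    print("rules with no matching gateway:", unreached_rules(GLOBAL_RULES, CMAS))
```

Running the block prints the per-gateway rule lists for all three CMAs and reports G4 as unreached; the check in `unreached_rules` is the kind of pre-install validation worth running before a global policy push, because a rule with no matching gateway is easy to overlook in a large Provider-1 deployment.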
VPN-1 Power VSX
VPN-1 Power VSX provides the ability to:
• Distribute Virtual Systems on different members of a cluster,
effectively spreading the Virtual System traffic load within the
cluster, with Cluster XL Virtual System Load Sharing.
• Manage the processing power of a VSX machine, with Resource
Control.
• Control the network quality of service in the VSX network
environment, with Check Point Lightweight QoS Enforcement.
It also initiates support for a range of network interface cards and
servers.
For complete details on what’s new in this version, and for the latest
technical information, refer to the VPN-1 Power VSX NGX Scalability
Pack Release Notes, available at:
Management Plug-Ins
NGX R65 introduces an additional infrastructure that enables the use
of management plug-ins. The new plug-ins architecture introduces the
ability to dynamically add new features and support for new products.
Management plug-ins offer central management of gateways and
features not supported by your current NGX R65 SmartCenter or
Provider-1/SiteManager-1. Management plug-ins supply new and
separate packages that consist only of those components necessary
for managing new gateway products or specific features, thus avoiding
a full upgrade to the next release. Each plug-in:
• Is supplied with relevant documentation
• Is installed on SmartCenter Server or Gateway
• Requires a specific version of SmartDashboard
Chapter 3
Getting Started
This chapter describes terminology used throughout this
manual, installation requirements, and licensing information.
In This Chapter:
Provider-1 Terminology page 18
VSX Terminology page 20
High-End System Requirements page 21
Compatibility Table page 21
Supported Upgrade Paths and Interoperability page 24
Licensing page 27

Provider-1 Terminology
Provider-1 refers to the complete Provider-1/SiteManager-1 product
functionality. The following Provider-1 terms are used throughout this
manual:
• Customer: A business entity or subdivision of a business entity
whose networks are protected by VPN-1 gateways, VPN-1 UTM
Edge appliances or other Check Point compatible firewalls.
Customer security policies and network access are managed
using Provider-1/SiteManager-1.
• Customer Log Module (CLM): A log server for a single customer.
• Customer Management Add-On (CMA): The Provider-1
equivalent of the SmartCenter server for a single customer.
Through the CMA, an administrator creates security policies and
manages the customer gateways.
• GUI Client: A computer running one or more of the
SmartConsole applications, for example, the Provider-1 MDG.
• Internal Certificate Authority (ICA): The component that creates
and manages X.509 compliant certificates for Secure Internal
Communication (SIC), site-to-site VPN communication (between
VPN-1 gateways), and the authentication of administrators and
users.
  • The MDS has an ICA that secures the Multiple Domain
  Server (MDS) domain.
  • Each CMA has its own ICA to secure its customer's
  management domain.
• Multi-Domain Server (MDS): The MDS houses Provider-1 system
information including details of the Provider-1 deployment, its
administrators and customer management data. There are two
types of MDSes: the Manager, which runs the Provider-1
deployment, and the Container, which holds the Customer
Management Add-Ons (CMA). The Manager is the
administrator's entry point into the Provider-1 environment. An
MDS can be a Manager, a Container, or both.
• Multi-Domain Log Module (MLM): A special MDS container that
collects and stores logs. It contains multiple Customer Log
Modules (CLMs).
• Provider-1 Administrator: A security administrator that is
assigned with granular permissions to manage specific parts of
the Provider-1 system. The following four permission levels can
be assigned:
  • Provider-1 Superuser: Manages the entire Provider-1
  system, which includes the management of all MDS
  servers, all administrators (with all permission levels), all
  customers, and all customer networks.
  • Customer Superuser: Manages all administrators (with
  lower permission levels), all customers, and all customer
  networks.
  • Global Manager: A new type of administrator account in
  the MDG. With access to Global SmartDashboard, a Global
  Manager is capable of managing global policies and global
  objects. For a Global Manager to have additional access to
  CMA policies, read-write or partial access rights must be
  specifically assigned.
  • Customer Manager: Manages customer networks for
  specific customers. Administrators with this permission
  level can also use the MDG application, however, they can
  view and manage only those customers that have been
  specifically assigned to them.
  • None: Manages customer networks for specific customers,
  but cannot access the MDG application.
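The five Provider-1 administrator permission levels above, as an added example that is not from the guide or from Check Point's code: an authorisation check that answers, for a given administrator, whether they may open the MDG, edit global policy, manage a particular customer's CMA, manage another administrator, or manage MDS servers. The level names and the rules come from the terminology list; the `customers` and `cma_rights` assignment fields, the administrator names and the decision functions are an assumed model built for illustration.

```python
"""Added example (not Check Point code): least-privilege checks mirroring the
Provider-1 administrator permission levels.  Assignment fields and decision
logic are an assumed model for illustration."""
from dataclasses import dataclass, field

# Ordered from most to least privileged; the index is used for "lower level" comparisons.
LEVELS = ("superuser", "customer_superuser", "global_manager", "customer_manager", "none")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


@dataclass
class Administrator:
    name: str
    level: str
    customers: frozenset = frozenset()               # customers specifically assigned
    cma_rights: dict = field(default_factory=dict)   # customer -> "read-write" | "partial"

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown permission level: {self.level}")


def can_use_mdg(admin):
    """Every level except 'None' can use the MDG application."""
    return admin.level != "none"


def can_edit_global_policy(admin):
    """Global policies and objects: Superuser, and Global Manager via Global SmartDashboard."""
    return admin.level in ("superuser", "global_manager")


def can_manage_customer(admin, customer):
    """May this administrator manage the given customer's networks/CMA policies?"""
    if admin.level in ("superuser", "customer_superuser"):
        return True                              # all customers
    if admin.level == "global_manager":
        return customer in admin.cma_rights      # only where rights were specifically assigned
    return customer in admin.customers           # Customer Manager / None: assigned customers only


def can_manage_administrator(actor, target):
    """Superuser manages all administrators; Customer Superuser only lower levels."""
    if actor.level == "superuser":
        return True
    if actor.level == "customer_superuser":
        return RANK[target.level] > RANK[actor.level]
    return False


def can_manage_mds_servers(admin):
    """MDS servers themselves are managed only by the Provider-1 Superuser."""
    return admin.level == "superuser"


if __name__ == "__main__":
    # Constructed administrators, one per level.
    gm = Administrator("gm", "global_manager", cma_rights={"Boston": "partial"})
    cm = Administrator("cm", "customer_manager", customers=frozenset({"NewYork"}))
    for customer in ("NewYork", "Boston", "London"):
        print(customer, "gm:", can_manage_customer(gm, customer), "cm:", can_manage_customer(cm, customer))
```

The point of writing the checks as separate predicates is that the MDG access question and the per-customer question are independent: a Customer Manager can open the MDG yet see only assigned customers, while a Global Manager edits global policy yet touches no CMA unless rights were granted for it.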
VSX Terminology
The following VPN-1 Power VSX (VPN-1 Power VSX NGX Scalability
Pack) terms are used throughout this manual:
• Virtual Router: An independent routing domain within a VSX
gateway that functions like a physical router. It is used to direct
packets arriving at the VSX gateway through a shared interface
to the relevant Virtual System or to direct traffic arriving from
Virtual Systems to a shared interface or other Virtual Systems.
• Virtual Switch: A virtual entity that provides layer-2 connectivity
between Virtual Systems and connectivity to a shared interface.
As with a physical switch, each Virtual Switch maintains a
forwarding table with a list of MAC addresses and their
associated ports.
• Virtual System: A routing and security domain featuring firewall
and VPN capabilities. Multiple Virtual Systems can run
concurrently on a single VSX gateway, isolated from one another
by their use of separate system resources and data storage.
High-End System Requirements
For Provider-1/SiteManager-1 and VPN-1 Power VSX NGX hardware
and software system requirements, see the R65 Release Notes at:

Compatibility Table
If the existing Check Point implementation contains products that are
not supported by NGX, the NGX installation process terminates.
Table 3-1 and Table 3-2 list the NGX R65 supported Check Point
products and clients by platform.
Table 3-1 NGX R65 Supported Products, By Platform

Platform and Operating System columns:
  Solaris UltraSPARC 8, 9 & 10
  Microsoft Windows Server 2003 (SP1-2)
  Microsoft Windows 2000 Advanced Server (SP1-4)
  Microsoft Windows 2000 Server (SP1-4)
  Microsoft Windows 2000 Professional (SP1-4)
  Microsoft Windows XP Home & Professional
  RHEL 3.0 kernel 2.4.21
  Check Point SecurePlatform
  Nokia IPSO 4.1 - 4.2

Check Point Product rows (compatibility note numbers in brackets):
  VPN-1 Power / UTM [1, 2]
  SmartCenter Server [3]
  Provider-1/SiteManager-1 Server (MDS) [4]
  VPN-1 Power VSX [5]
  Endpoint Security server
  Eventia Suite [6]
  UserAuthority server [7]
  SSL Network Extender server
  SmartConsole Applications [8]
  Provider-1/SiteManager-1 MDG
  SmartPortal
  SmartLSM - Enabled Management & Enabled ROBO / CO Gateways [9]
  ClusterXL [10, 11]
  VPN-1 Accelerator Driver II [12]
  VPN-1 Accelerator Driver III
  VPN-1 Accelerator Driver IV
  Advanced Routing [13]
  Performance Pack [14]
  SecureXL Turbocard [15]
  OSE Supported Routers: Nortel Versions 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14;
  Cisco OS Versions 9.x, 10.x, 11.x, 12.x

(The per-platform support marks (X) of Table 3-1 are not reproduced here; refer to the original table.)

Compatibility Table Notes
1. Anti Virus and URL Filtering are included on SecurePlatform.
2. Anti Virus and URL Filtering are supported on Nokia IPSO 4.2
only.
3. VPN-1 UTM Edge devices cannot be managed from a
SmartCenter server running on a Nokia IPSO platform.
4. Provider-1/SiteManager-1 supported on both RHEL 3.0 AS and
ES.
5. VPN-1 Power VSX gateways are also supported on Crossbeam
Systems X-Series Security Services Switches.
6. Eventia Suite includes Eventia Reporter Server, Eventia Analyzer
Server, and the Eventia Analyzer Correlation Unit.
7. UserAuthority is not supported on Nokia flash-based platforms.
8. The following SmartConsole clients are not supported on Solaris
UltraSPARC platforms: SmartView Monitor, SmartLSM, Eventia
Reporter Client, Eventia Analyzer Client, and the SecureClient
Packaging Tool.
9. Enabled ROBO Gateways are not supported on Solaris platforms.
10. HA Legacy mode is not supported on Windows Server 2003.
11. ClusterXL is supported only in third party mode with VRRP or IP
Clustering.
12. VPN-1 Accelerator Driver II is supported on Solaris 8 only.
13. Nokia provides Advanced Routing as part of IPSO.
14. Nokia provides SecureXL as part of IPSO.
15. NGX-compatible Turbocard driver is available at
tml.
Table 3-2 NGX R65 Supported Clients, By Platform

Platform and Operating System columns:
  Windows Server 2003 (SP1)
  Windows 2000 Server / Advanced Server (SP1-4)
  Windows 2000 Professional (SP1-4) / XP Home & Professional
  Windows Mobile 2003, 2003SE, 5.0
  Mac OS "X"
  Linux

Check Point Product rows:
  SecuRemote
  SecureClient
  SecureClient Mobile
  SSL Network Extender

(The per-platform support marks (X) of Table 3-2 are not reproduced here; refer to the original table.)
Supported Upgrade Paths and Interoperability
Management servers and gateways exist in a wide variety of
deployments. Consult Table 3-3 and Table 3-4 to determine which
versions of your management server and gateways can be upgraded to
NGX R65.
Upgrading Management Servers
Table 3-3 The following MDS versions can be upgraded to NGX R65:

Release                 Version
NGX:
  VPN-1 Power/UTM       NGX R62
  VPN-1 Pro/Express     NGX R61
  VPN-1 Pro/Express     NGX R60A
  VPN-1 Pro/Express     NGX R60
NG:
  VPN-1 Pro             NG R55W
  VPN-1 Pro/Express     NG With Application Intelligence R55
  VPN-1 Pro/Express     NG With Application Intelligence R54
Backward Compatibility For Gateways
NGX R65 management supports backward compatibility for the
following gateway versions:
Table 3-4 Backward Compatibility for gateways

Release                 Version
NGX:
  VPN-1 Power/UTM       NGX R62
  VPN-1 Pro/Express     NGX R61
  VPN-1 Pro/Express     NGX R60A
  VPN-1 Pro/Express     NGX R60
NG:
  VPN-1 Pro             NG R55P
  VPN-1 Pro             NG R55W
  VPN-1 Pro/Express     NG With Application Intelligence R55
  VPN-1 Pro/Express     NG With Application Intelligence R54
  VPN-1 Pro/Express     NG FP3
Express CI              R57
GX                      2.5, 2.5, NGX
VSX:
  VSX                   NG AI
  VSX                   NG AI Release 2
  VSX                   NGX
InterSpect              NGX
Connectra               NGX R62

Note - NGX R65 cannot manage gateway versions NG, NG
FP1, or NG FP2