Checkpoint NGX Smart View Monitor User Guide

7/31/2019 Checkpoint NGX Smart View Monitor User Guide

1/72

SmartView Monitor

NGX (R60)

For additional technical information about Check Point products, consult Check Points SecureKnowledge at:

https://secureknowledge.checkpoint.com

See the latest version of this document in the User Center at:

http://www.checkpoint.com/support/technical/documents/docs_r60.html

Part No.: 701311

May 2005
https://secureknowledge.checkpoint.com/http://www.checkpoint.com/support/technical/documents/docs_r60.htmlhttp://www.checkpoint.com/support/technical/documents/docs_r60.htmlhttps://secureknowledge.checkpoint.com/


2/72


3/72

Check Point Software Technologies Ltd.U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected] Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

2003-2005 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyrightand distributed under licensing restricting their use, copying, distribution, anddecompilation. No part of this product or related documentation may be reproduced inany form or by any means without prior written authorization of Check Point. While everyprecaution has been taken in the preparation of this book, Check Point assumes noresponsibility for errors or omissions. This publication and features described herein aresubject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth insubparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause atDFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

2003-2005 Check Point Software Technologies Ltd. All rights reserved.

Check Point, Application Intelligence, Check Point Express, the Check Point logo,AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa,Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX,FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL,Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy LifecycleManagement, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge,

SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate,SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security,SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView,SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker,SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM,User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge,VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the ZoneLabs logo, are trademarks or registered trademarks of Check Point SoftwareTechnologies Ltd. or its affiliates. All other product names mentioned herein aretrademarks or registered trademarks of their respective owners. The products describedin this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending

applications.

THIRD PARTIES:

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States andother countries. Entrusts logos and Entrust product and service names are alsotrademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly ownedsubsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporatecertificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by Universityof Michigan. Portions of the software copyright1992-1996 Regents of the University of

Michigan. All rights reserved. Redistribution and use in source and binary forms arepermitted provided that this notice is preserved and that due credit is given to theUniversity of Michigan at Ann Arbor. The name of the University may not be used toendorse or promote products derived from this software without specific prior writtenpermission. This software is provided as is without express or implied warranty.CopyrightSax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by CarnegieMellon University.

Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

Permission to use, copy, modify, and distribute this software and its documentation forany purpose and without fee is hereby granted, provided that the above copyright noticeappear in all copies and that both that copyright notice and this permission notice appear

in supporting documentation, and that the name of CMU not be used in advertising orpublicity pertaining to distribution of the software without specific, written priorpermission.CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, INNO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT ORCONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROMLOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR INCONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenGroup.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND

NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANYCLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THESOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by TheOpenSSL Project. This product includes software developed by the OpenSSL Project foruse in the OpenSSL Toolkit (http://www.openssl.org/).

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY *EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULARPURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS

CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, ORPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANYTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THEUSE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCHDAMAGE.

The following statements refer to those portions of the software copyrighted by EricYoung. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANYEXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULARPURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR

CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, ORPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANYTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THEUSE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCHDAMAGE. Copyright1998The Open Group.The following statements refer to those portions of the software copyrighted by Jean-loupGailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. Thissoftware is provided 'as-is', without any express or implied warranty. In no event will theauthors be held liable for any damages arising from the use of this software. Permissionis granted to anyone to use this software for any purpose, including commercial

applications, and to alter it and redistribute it freely, subject to the following restrictions:1. The origin of this software must not be misrepresented; you must not claim that youwrote the original software. If you use this software in a product, an acknowledgment inthe product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not bemisrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the GnuPublic License. This program is free software; you can redistribute it and/or modify itunder the terms of the GNU General Public License as published by the Free SoftwareFoundation; either version 2 of the License, or (at your option) any later version. Thisprogram is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;without even the implied warranty of MERCHANTABILITY or FITNESS FOR APARTICULAR PURPOSE. See the GNU General Public License for more details.Youshould have received a copy of the GNU General Public License along with this program;if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,USA.

The following statements refer to those portions of the software copyrighted by ThaiOpen Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expatmaintainers. Permission is hereby granted, free of charge, to any person obtaining acopy of this software and associated documentation files (the "Software"), to deal in theSoftware without restriction, including without limitation the rights to use, copy, modify,merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permitpersons to whom the Software is furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies orsubstantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUTWARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITEDTO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULARPURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS ORCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHERLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,

ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USEOR OTHER DEALINGS IN THE SOFTWARE.GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUSTreference the author, and include any and all original documentation. Copyright. BruceVerderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998,1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999,

2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999,


4/72

2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001,2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 JohnEllson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson([email protected]). Portions relating to JPEG and to color quantization copyright2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999,2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of theIndependent JPEG Group. See the file README-JPEG.TXT for more information.Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Vanden Brande. Permission has been granted to copy, distribute and modify gd in anycontext without fee, including a commercial application, provided that this notice ispresent in user-accessible supporting documentation. This does not affect your

ownership of the derived work itself, and the intent is to assure proper credit for theauthors of gd, not to interfere with your productive use of gd. If you have questions, ask."Derived works" includes all programs that utilize the library. Credit must be given inuser-accessible documentation. This software is provided "AS IS." The copyright holdersdisclaim all warranties, either express or implied, including but not limited to impliedwarranties of merchantability and fitness for a particular purpose, with respect to thiscode and accompanying documentation. Although their code does not appear in gd 2.0.4,the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue SoftwareCorporation for their prior contributions.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use thisfile except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

The curl license

COPYRIGHT AND PERMISSION NOTICECopyright (c) 1996 - 2004, Daniel Stenberg, .All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose

with or without fee is hereby granted, provided that the above copyright

notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE ANDNONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OROTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OROTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWAREOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used inadvertising or otherwise to promote the sale, use or other dealings in this Softwarewithout prior written authorization of the copyright holder.

The PHP License, version 3.0

Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, ispermitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list ofconditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list ofconditions and the following disclaimer in the documentation and/or other materialsprovided with the distribution.

3. The name "PHP" must not be used to endorse or promote products derived from thissoftware without prior written permission. For written permission, please [email protected].

4. Products derived from this software may not be called "PHP", nor may "PHP" appearin their name, without prior written permission from [email protected]. You may indicatethat your software works in conjunction with PHP by saying "Foo for PHP" instead ofcalling it "PHP Foo" or "phpfoo"

5. The PHP Group may publish revised and/or new versions of the license from time totime. Each version will be given a distinguishing version number. Once covered code hasbeen published under a particular version of the license, you may always continue to useit under the terms of that version. You may also choose to use such covered code underthe terms of any subsequent version of the license published by the PHP Group. No oneother than the PHP Group has the right to modify the terms applicable to covered codecreated under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes PHP, freely available from ".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' ANDANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR APARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHPDEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ORSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OROTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVENIF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf ofthe PHP Group. The PHP Group can be contacted via Email at [email protected].

For more information on the PHP Group and the PHP project, please see . This product includes the Zend Engine, freely available at .

This product includes software written by Tim Hudson ([email protected]).

Copyright (c) 2003, Itai Tzur

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, arepermitted provided that the following conditions are met:

Redistribution of source code must retain the above copyright notice, this list ofconditions and the following disclaimer.

Neither the name of Itai Tzur nor the names of other contributors may be used toendorse or promote products derived from this software without specific prior writtenpermission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS ANDCONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AREDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS

BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, ORCONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENTOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; ORBUSINESS

INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCEOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of thissoftware and associated documentation files (the "Software"), to deal in the Softwarewithout restriction, including without limitation the rights to use, copy, modify, merge,publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons

to whom the Software is furnished to do so, subject to the following conditions: Theabove copyright notice and this permission notice shall be included in all copies orsubstantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE ANDNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHTHOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHERIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF ORIN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS INTHE SOFTWARE.

Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved.

Confidential Copyright Notice

Except as stated herein, none of the material provided as a part of this document may becopied, reproduced, distrib-uted, republished, downloaded, displayed, posted ortransmitted in any form or by any means, including, but not lim-ited to, electronic,mechanical, photocopying, recording, or otherwise, without the prior written permission ofNextHop Technologies, Inc. Permission is granted to display, copy, distribute anddownload the materials in this doc-ument for personal, non-commercial use only,provided you do not modify the materials and that you retain all copy-right and otherproprietary notices contained in the materials unless otherwise stated. No materialcontained in this document may be "mirrored" on any server without written permission ofNextHop. Any unauthorized use of any material contained in this document may violatecopyright laws, trademark laws, the laws of privacy and publicity, and communicationsregulations and statutes. Permission terminates automatically if any of these terms orcondi-tions are breached. Upon termination, any downloaded and printed materials must

be immediately destroyed.Trademark Notice

The trademarks, service marks, and logos (the "Trademarks") used and displayed in thisdocument are registered and unregistered Trademarks of NextHop in the US and/or othercountries. The names of actual companies and products mentioned herein may beTrademarks of their respective owners. Nothing in this document should be construed asgranting, by implication, estoppel, or otherwise, any license or right to use any Trademarkdisplayed in the document. The owners aggressively enforce their intellectual propertyrights to the fullest extent of the law. The Trademarks may not be used in any way,including in advertising or publicity pertaining to distribution of, or access to, materials in

this document, including use, without prior, written permission. Use of Trademarks as a"hot" link to any website is prohibited unless establishment of such a link is approved inadvance in writing. Any questions concerning the use of these Trademarks should bereferred to NextHop at U.S. +1 734 222 1600.


5/72

U.S. Government Restricted Rights

The material in document is provided with "RESTRICTED RIGHTS." Software andaccompanying documentation are provided to the U.S. government ("Government") in atransaction subject to the Federal Acquisition Regulations with Restricted Rights. TheGovernment's rights to use, modify, reproduce, release, perform, display or disclose are

restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software andNoncommercial Computer Soft-ware Documentation clause at DFAR 252.227-7014 (Jun1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of theCommer-cial

Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

Use of the material in this document by the Government constitutes acknowledgment ofNextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043.Use, duplication, or disclosure by the Government is subject to restrictions as set forth inapplicable laws and regulations.

Disclaimer Warranty Disclaimer Warranty Disclaimer Warranty Disclaimer Warranty

THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIESOF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLEPURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRAN-TIES,

EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIEDWARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR

ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THISDOCUMENT WARRANTS OR MAKES ANY REPRESEN-TATIONS REGARDING THEUSE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USEOF, OR OTHER-WISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability

UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT,INDIRECT, SPECIAL, INCIDENTAL OR CONSE-QUENTIAL DAMAGES, INCLUDING,BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, ORTHE

INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR ANEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OFSUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTSIN

THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA,YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THEEXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SOTHE

ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

Copyright ComponentOne, LLC 1991-2002. All Rights Reserved.

BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release


6/72


7/72

Table of Contents 7

Table Of Contents

Chapter 1 SmartView Monitor OverviewIntroduction 9

SmartView Monitor Considerations 11

Whats In This Book 12

Chapter 2 Before You BeginIntroduction 13

Terminology 13

Understanding the User Interface 14

Gateways View 15

Traffic View 16

Counters View 17

Tunnels View 19

Remote Users View 20

Chapter 3 Monitoring GatewaysGateways Solution 21

How does it work? 22

Gateway Statuses 23

Displaying Gateway Information 24

Views about a Specific Gateway 29

Interfering Actions 29

Thresholds 30

Alert Dialog 30

Configuring Gateway Views 31

Defining the Frequency at which Status Information is Fetched 32

Start/Stop Cluster Member 32

Select and Run a Gateways View 32

View In-Depth Information about a Specific Gateway 32

Create a Custom Gateway View 33

Edit a Predefined or Custom Gateway View 33Defining a Threshold 34

Define Global Threshold Settings 34

Delete a Custom Gateway View 35

Copy a Gateway View 35

Rename a Custom Gateway View 35

Export a Custom Traffic or Counter View 35

Chapter 4 Monitoring Traffic or CountersTraffic or Counters Solution 37


8/72

8

Traffic 38

Counters 39

Traffic or Counters Configuration 40

Select and Run a Predefined or Custom Traffic or Counter View 41

Create a New Traffic or Counters Results View 41

Create a Real-Time Custom Traffic or Counter View 43

Create a History Traffic or Counter View 44

Edit a Predefined Custom or Traffic View 45

Edit a Custom Traffic or Counter View 45

Copy a Traffic or Counter View 46

Rename a Custom Traffic or Counter View 46

Delete a Custom Traffic or Counter View 46

Export a Custom Traffic or Counter View 46Recording a Traffic or Counter View 47

Chapter 5 Monitoring TunnelsTunnels Solution 49

Tunnel View Configuration 50

Run a Tunnel View 51

Create a Custom Tunnel View 52

Edit a Custom Tunnel View 53Edit a Predefined Tunnel View 54

Delete a Custom Tunnel View 54

Copy a Tunnel View 54

Rename a Custom Tunnel View 55

Chapter 6 Monitoring Remote UsersRemote Users Solution 57

Remote Users View Configuration 57Run a Remote Users View 59

Create a Custom Remote Users View 60

Edit a Custom Remote Users View 61

Edit a Predefined Remote Users View 61

Delete a Custom Remote Users View 61

Copy a Remote Users View 62

Rename a Custom Remote Users View 62

Chapter 7 Monitoring Suspicious Activity RulesThe Need for Suspicious Activity Rules 63

Suspicious Activity Rules Solution 64

Configure Suspicious Activity Rules 64

Create a Suspicious Activity Rule 64

Manage Suspicious Activity Rules 66


9/72

9

CHAPTER 1

SmartView Monitor

Overview

In This Chapter

Introduction

Corporate networks in todays dynamic business environment are often comprised of

many networks and VPN-1 Pro gateways that support a diverse set of applications and

user needs. The challenge of managing an increasing array of system traffic can putenormous pressure on IT staffing capacity and network resources. With SmartView

Monitor, Check Point offers you a cost effective solution to obtain a complete picture

of network and security performance; and to respond quickly and efficiently to changes

in gateways, tunnels, remote users and traffic flow patterns or security activities.

SmartView Monitor is a high-performance network and security analysis system that

helps you easily administer your network by establishing work habits based on learned

system resource patterns.Based on Check Points Security Management Architecture(SMART), SmartView Monitor provides a single, central interface for monitoring

network activity and performance of Check Point applications.

SmartView Monitor allows administrators to easily configure and monitor different

aspects of network activities. Graphical customized and pre-defined views can easily be

viewed from an integrated, intuitive GUI.

Introduction page 9

SmartView Monitor Considerations page 11Whats In This Book page 12


10/72

Introduction

10

Pre-defined views include the most frequently used traffic, counter, tunnel, gateway,

and remote user information. For example, Check Point System Counters collect

information on the status and activities of Check Point products (for example, VPN-1

Pro, etc.). Using custom or pre-defined views, administrators can drill down on thestatus of a specific gateway and/or a segment of traffic to identify top bandwidth hosts

that may be affecting network performance. If suspicious activity is detected,

administrators can immediately apply a security rule to the appropriate Check Point

gateway to block that activity. These security rules can be created dynamically via the

graphical interface and be set to expire within a certain time period.

Real-time and historical reports (that is, flexible, graphical reporting) of monitored

events can be generated to provide a comprehensive view of gateways, tunnels, remoteusers, network, security and VPN-1 Pro performance over time.

The following list describes the key features of SmartView Monitor and how it is

employed.

Gateways

SmartView Monitor enables information about the status of all gateways in the

system to be collected from these gateways. This information is gathered by theSmartCenter Server and can be viewed in an easy-to-use SmartConsole. The views

can be customized so that details about the gateway(s) can be shown in a manner

that best meets the administrators needs.

Traffic / Counters

SmartView Monitor delivers a comprehensive solution for monitoring and

analyzing network traffic and network usage. You can generate fully detailed or

summarized graphs and charts for all connections when monitoring traffic and for

numerous rates and figures when counting usage throughout the network. The

Traffic view also enables filtering according to categories (for example, services, IP

addresses, interfaces, security rules, etc.).

Tunnels

SmartView Monitor enables system administrators to monitor connectivity between

gateways. With the information collected by SmartView Monitor system

administrators are able to sustain privacy, authentication and integrity. By showing

real-time information about active tunnels (for example, information about its state

and activities, volume of traffic, which hosts are most active, etc.), administrators

can verify whether the tunnel(s) is working properly.


11/72

Chapter 1 SmartView Monitor Overview 11

Remote Users

The Remote User Monitor is an administrative feature allowing you to keep track

of VPN remote users currently logged on (that is, SecuRemote, SecureClient and

SNX, and in general any IPSec client connecting to the VPN gateway). It providesyou with a comprehensive set of filters which enables you to easily navigate through

the obtained results.

With information about current open sessions, overlapping sessions, route traffic,

connection time, etc., the Remote User Monitor is able to provide detailed

information about remote users connectivity experience. This feature enables you

to view real-time and historical statistics about open remote access sessions.

SmartView Monitor Considerations

In view of the fact that SmartView Monitor enables graphical views of different types

of measurements such as bandwidth, round trip time, packet rate, CPU usage, etc., the

most efficient way to yield helpful information is to create a view based on your

specific needs.

With SmartView Monitor it is possible to create customized views for view types (for

example, status, traffic, system statistics and tunnels). The customization allows control

over filtering what to view, and over the values to display (for example, the columns in

the Gateway Status view).

The following are just two examples of the numerous scenarios for which SmartView

Monitor can offer information:

If a companys Internet access is slow, a Traffic view and report can be created to

ascertain what may be clogging up the companys gateway interface. The view canbe based on a review of specific Services, Security Rules, Network Objects, etc.,

that may be known to impede the flow of Internet traffic. If the SmartView

Monitor Traffic view indicates that users are aggressively using such Services or

Network Objects (for example, Peer to Peer application, HTTP, etc.), the cause of

the slow Internet access has been determined. If aggressive use is not the cause, the

network administrator will have to look at other avenues (for instance, performance

degradation may be the result of memory overload). If employees who are working away from the office cannot connect to the network

a Counter view and report can be created to determine what may be prohibiting

network connections. The view can be based on CPU Usage %, Total Physical

Memory, VPN Tunnels, etc., to collect information about the status, activities

hardware and software usage of different Check Point products in real-time. If the

SmartView Monitor Counter view indicates that there are more failures than

successes, it is possible that the company cannot accommodate the mass number of

employees attempting to log on at once.


12/72

Whats In This Book

12

Whats In This Book

The SmartView Monitor User Guide is divided into five chapters

SmartView Monitor Overview provides an introduction to the SmartView MonitorSolution and briefly describes how it works.

Before You Begin describes useful terms that help you better understand

SmartView Monitor concepts and explains the SmartView Monitor GUI so that

you are comfortable with the SmartConsole before you begin to work.

Monitoring Gateways describes how information about the status of all gateways in

the system is collected from these gateways. This chapter shows how this

information is gathered by the SmartCenter Server and how it can be viewed. Monitoring Traffic or Counters describes the essence of monitoring network traffic

and how to configure Traffic views to suit your needs. This chapter also describes

the nature of counting specific characteristics of your network and how to

configure Counter views so that you obtain the beneficial information.

Monitoring Tunnels describes how monitoring Tunnels is beneficial to your

organization and explains how to configure Tunnel views.

Monitoring Remote Users describes an administrative feature that allows you to

keep track of SecuRemote users currently logged on to specific Policy Servers and

how you can easily navigate through the obtained results.


13/72

13

CHAPTER 2

Before You Begin

In This Chapter

Introduction

This chapter provides useful terms that help you better understand SmartView Monitor

terminology and explains the SmartView Monitor GUI so that you are comfortable

with the SmartConsole before you begin to work.

TerminologyThe following are useful terms that you should be familiar with in order to better

understand the information that is presented throughout this user guide.

Views generate reports about the network according to network targets, filters and

specific settings (for example, Monitor Rate).

Custom View a view generated by the SmartView Monitor user. This type of

view is created from scratch or is based on a modified version of a predefined

view.

Predefined View an out of the box view for common network scenarios. A

Predefined View cannot be changed.

Countersgenerates reports about the status, activities, hardware and software usage

of different Check Point products in real-time or history mode.

Traffic provides transaction information about network sessions in a given time

interval Tunnel an encrypted connection between two gateways.

Introduction page 13

Terminology page 13

Understanding the User Interface page 14


14/72

Understanding the User Interface

14

Gateways provides information about the status of all Check Point supported hosts.

Users provides information about remote access VPN clients (for example, secure

Remote Secure Client and others that are interoperable with VPN clients).

History provides information about previous Traffic or Counters data.

Real-Time provides information about Traffic or Counters data as it is generated.

Suspicious Activity Rules security rules that are applied immediately. These rules

can instantly block suspicious connections that are not restricted by the currently

enforced security policy.

Threshold contains predefined actions that are triggered when the status of an

application is changed or when an event has occurred. Cluster indicates a group of servers and resources that act like a single system. This

group enables high availability and in some cases, load balancing and parallel

processing.

High Availability is a system or component that is continuously operational for a

long length of time. Availability can be measured relative to "100% operational" or

"never failing."


The SmartView Monitor GUI is divided into a number of features. Refer to the

following sections for a visual representation of each SmartView Monitor view.

The type ofCustom orPredefined view results that appear on the screen are directly

related to whether a Traffic, Counter, Tunnel, Gateway orRemoteUser view is selected.

In This Section

Gateways View page 15

Traffic View page 16

Counters View page 17

Tunnels View page 19

Remote Users View page 20


15/72

Gateways View

Chapter 2 Before You Begin 15

Gateways View

To understand the following Gateways view refer to the numbers in the figure and the

list preceding it.

FIGURE 2-1 Gateways View

1 Tree View lists all the Custom and Predefined views.

2 Toolbars include shortcuts of SmartView Monitor options. The same options can

also be accessed from the SmartView Monitor menus. The lower of the two

toolbars is view specific.

3 Results View provides information about all the gateways in the organization as well

as pertinent information about the gateway such as its IP Addresses, the last time it

was updated as well as its status. This information is directly linked to the view

selected in the Tree View. Each row in the table represents a Gateway.

4 Gateway Details an HTML view that behaves like a browser and allows the user to

hit links associated with a variety of data about the selected gateway.

5 At the bottom of the screen there is a button for every view that is currently

running in SmartView Monitor (that is, a minimized view). As the number of

running views grows the visibility of these buttons is aided by a tool tip. This tool


16/72


16

tip displays the full name of the view on which the cursor is standing. When this

occurs a tool tip with the specific views full name appears when the cursor is

placed over the button.

Traffic View

To understand the following Traffic view refer to the numbers in the figure and the list

preceding it.

FIGURE 2-2 Traffic View





3 Results View (that is, bar, line, pie chart) provides information that is directly linked

to the view selected and run from the Tree View.

4 Legend includes a textual view (that is, report) of the Traffic view results

5 Traffic Status Bar displayed at the bottom of the SmartView Monitor contains

system information (for example, system uptime, traffic flow, etc.) about the

gateway associated with the selected view.


17/72

Counters View





tip displays the full name of the view on which the cursor is standing. When thisoccurs a tool tip with the specific views full name appears when the cursor is


Counters View

To understand the following Counters view refer to the numbers in the figure and the

list preceding it.

FIGURE 2-3 Counters View





3 Results View (that is, bar, line, pie chart) provides information that is directly linked

to the view selected and run from the Tree View.

d d h f


18/72


18

4 Legend includes a textual view (that is, report) of the Counters view results

5 Counter Status Bar displayed at the bottom of the SmartView Monitor contains

system information (for example, system uptime, traffic flow, etc.) about the

gateway associated with the selected view.







Tunnels View


19/72

Tunnels View


Tunnels View

To understand the following Tunnels view refer to the numbers in the figure and the

list preceding it.

FIGURE 2-4 Tunnels View





3 Results View provides information that is directly linked to the view selected in the

Tree View. Each row in the table represents a Tunnel.


running in SmartView Monitor (that is, a minimized view). As the number ofrunning views grows the visibility of these buttons is aided by a tool tip. This tool






20/72


20

Remote Users View

To understand the following Users view refer to the numbers in the figure and the list

preceding it.

FIGURE 2-5 Remote Users View





3 Results View provides information that is directly linked to the view selected in the

Tree View. Each row in the table represents a User.








21/72

21

CHAPTER 3

Monitoring Gateways

In This Chapter

Gateways Solution

In This Section

Check Point enables information about the status of all gateways in the system to be

collected from these gateways. This information is gathered by the SmartCenter serverand can be viewed in SmartView Monitor. The information gathered includes status

information about:

Check Point gateways

OPSEC gateways

Network objects

Gateways Solution page 21

Configuring Gateway Views page 31

How does it work? page 22

Gateway Statuses page 23

Displaying Gateway Information page 24

Views about a Specific Gateway page 29

Interfering Actions page 29

Thresholds page 30

Alert Dialog page 30

Gateways Solution


22/72

y

22

SmartView Monitor - Gateways, is the SmartConsole from which all gateway statuses

are displayed and viewed. SmartView Monitor - Gateways displays a snapshot of all

Check Point products, such as VPN-1 Pro, Cluster XL, etc., as well as third party

products (for example, OPSEC-partner gateways).SmartView Monitor - Gateways is very similar in operation to the SNMP daemon,

which also provides a mechanism to ascertain information about gateways in the system.

FIGURE 3-1 Gathering Status Information

In FIGURE 3-1 information is retrieved by the SmartCenter server from all the

gateways in the system using the AMON protocol after SIC has been initialized.Information that the SmartCenter server retrieves, is displayed in SmartView Monitor -

Gateways.

How does it work?

The SmartCenter server acts as an AMON (Application Monitoring) client. It collects

information about specific Check Point gateways installed, using the AMON protocol.

The source for this information is the Check Point gateway, which acts as the AMON

server itself, or any other OPSEC gateway, which runs an AMON server. The Check

Point gateway, in turn, makes a status update request via APIs, from various other

components such as:

The kernel

Security Servers

An alternate source for status collection may be any AMON client, such as an OPSECpartner, which uses the AMON protocol.

Gateway Statuses


23/72

Chapter 3 Monitoring Gateways 23

The information is fetched at a subscribed interval which is defined by the system

administrator. The AMON protocol is SIC- based so information can be retrieved once

SIC has been initialized.

Gateway Statuses

When discussing the status of Gateways in the system, there are general statuses which

occur for both thegateway or the machine on which the Check Point software is

installed, and theproductwhich represents the applications installed on the gateway.

Over-all Statuses

Waiting OK

Attention

No License

Above Threshold

Problem

Critical Problem

No gateway

Untrusted

Unknown

Application Statuses

Waiting

OK

Disconnected

Untrusted

Problem

Warning

Gateways Solution


24/72

24

Displaying Gateway Information

In SmartView Monitor - Gateways, information is displayed per Check Point or

OPSEC gateway.

To display information about the gateway, click the specific gateway in the Gateways

Results view. Elaborate details about the gateway will be displayed in the adjacent

Gateway Details window.

This information includes general information such as the name, IP Address, version,

OS and the status of the specified gateway, or gateway specific information, such as:

System Information

Unified Package - the version number. OS Information - the name, the version name/number, the build number, the

service pack and any additional information about the Operating System in use.

CPU - the percentage of CPU consumption in general and specifically by the user,

by the system, and the amount of time that the CPU has been idle.

Memory - the total amount of virtual memory, what percentage of this total is

being used. The total amount of real memory, what percentage of this total is being

used, the amount of real memory available for use.

Disk - the percentage/total of free space on the disk, the total amount of free space,

as well as the actual amount of free space available for use.

System Information page 24

VPN-1 Pro page 25

Virtual Private Networks page 25

Check Point QoS page 27

ClusterXL page 27

OPSEC page 27

SmartCenter page 27

UserAuthority WebAccess page 28

Policy Server page 28

Log Server page 28



25/72


VPN-1 Pro

Policy information - the name of the Security Policy installed on the VPN-1 Pro

gateway and the date and time that this policy was installed.

Packets - the number of packets accepted, dropped and logged by the VPN-1 Progateway.

UFP Cache performance - the hit ratio percentage as well as the total number of

hits handled by the cache, the number of connections inspected by the UFP Server.

Hash Kernel Memory (the memory status) and System Kernel Memory (the OS

memory)- the total amount of memory allocated and used. The total amount of

memory blocks used. The number of memory allocations, as well as those

allocation operations which failed. The number of times that the memoryallocation has freed up, or has failed to free up. The NAT Cache, including the

total amount of hits and misses.

Virtual Private Networks

VPN is divided into three main statuses:

Current represents the current number of active output.

High Watermark represents the maximum number of current output

Accumulative data which represents the total number of the output.

This includes

Active Tunnels - this includes all types of active VPN peers to which there is

currently an open IPsec tunnel. This is useful for tracking the proximity to a VPN Net

license and the activity level of the VPN-1 Pro gateway. High Watermark includes the

maximum number of VPN peers for which there was an open IPsec tunnel sincethe gateway was restarted.

RemoteAccess - this includes all types of RemoteAccess VPN users with which

there is currently an open IPsec tunnel. This is useful for tracking the activity level

and load patterns of VPN-1 Pro gateways serving as a remote access server. High

Watermark includes the maximum number of RemoteAccess VPN users with

which there was an open IPsec tunnel since the gateway was restarted.

Tunnels Establishment Negotiation:

The current rate of successful Phase I IKE Negotiations (measured in Negotiations

per second). This is useful for tracking the activity level and load patterns of a

VPN-1 Pro gateway serving as a remote access server. High Watermark includes the

highest rate of successful Phase I IKE Negotiations since the Policy was installed

(measured in Negotiations per second). Also, Accumulative consists the total

number of successful Phase I IKE Negotiations since the Policy was installed.

Gateways Solution


26/72

26

Failed - the current failure rate of Phase I IKE Negotiations can be used for

troubleshooting, for instance, denial of service, or for heavy a load of VPN remote

access connections. High Watermark includes the highest rate of failed Phase I IKE

negotiations since the Policy was installed. And finally, Accumulative is the totalnumber of failed Phase I IKE negotiations since the Policy was installed.

Concurrent - the current number of concurrent IKE negotiations. This is useful

for tracking the behavior of VPN connection initiation, especially in large

deployments of remote access VPN scenarios. High Watermark includes the

maximum number of concurrent IKE negotiations since the Policy was installed.

Encrypted and Decrypted throughput - the current rate of

encrypted/decrypted traffic (measured in Mbps). Encrypted/decrypted throughputis useful (in conjunction with encrypted/decrypted packet rate) for tracking VPN

usage and VPN performance of the VPN-1 Pro gateway. High Watermark includes

the maximum rate of encrypted/decrypted traffic (measured in Mbps) since the

gateway was restarted. And finally, Accumulative includes the total

encrypted/decrypted traffic since the gateway was restarted (measured in Mbps).

Encrypted and Decrypted packets - the current rate of encrypted/decrypted

packets (measured in packets per second). Encrypted/decrypted packet rate is useful(in conjunction with encrypted/decrypted throughput) for tracking VPN usage and

VPN performance of the VPN-1 Pro gateway. High Watermark includes the

maximum rate of encrypted/decrypted packets since the gateway was restarted. And

finally, Accumulative, the total number of encrypted packets since the gateway was

restarted.

Encryption and Decryption errors - the current rate at which errors are

encountered by the VPN-1 Pro gateway (measured in errors per second). This isuseful for troubleshooting VPN connectivity issues. High Watermark includes the

maximum rate at which errors are encountered by the VPN-1 Pro gateway

(measured in errors per second) since the gateway was restarted. And finally, the

total number of errors encountered by the VPN-1 Pro gateway since the gateway

was restarted.

Hardware - the name of the VPN Accelerator Vendor, and the status of the

Accelerator. General errors such as the current rate at which VPN Acceleratorgeneral errors are encountered by the VPN-1 Pro gateway (measured in errors per

second). The High Watermark includes the maximum rate at which VPN

Accelerator general errors are encountered by the VPN-1 Pro gateway (measured in

errors per second) since the gateway was restarted. And finally the total number of

VPN Accelerator general errors encountered by the VPN-1 Pro gateway since the

gateway was restarted.

IP Compression - Compressed/Decompressed packets statistics and errors.



27/72


Check Point QoS

Policy information - the name of the QoS Policy and the date and time that it

was installed.

Number of interfaces - the number of interfaces on the Check Point QoSgateway. Information about the interfaces applies to both inbound and outbound

traffic. This includes the maximum and average amount of bytes that pass per

second, as well as, the total number of conversations, where conversations are active

connections and connections that are anticipated as a result of prior inspection.

Examples are data connections in FTP, and the second half of UDP connections.

Packet and Byte information, the number of packets and bytes in Check Point

QoSs queues.

ClusterXL

The gateways working mode, whether or not it is active, and its place in the

priority sequence. There are three possible working modes (ClusterXL/Load

Sharing or Sync only). There are 4 types of running modes, (Active, standby, ready

and down).

Interfaces include the interface(s) recognized by the VPN-1 Pro gateway. Theinterface information includes the IP Address and status of the specified interface.

Whether or not the connection passing through the interface is verified, trusted or

shared.

Problem Notes contains descriptions of the problem notification device such as its

status, priority and when the status was last verified.

OPSEC The version name/number and build number of the Check Point OPSEC SDK andOPSEC product. The amount of time (in seconds) since the OPSEC gateway has

been up and running.

The OPSEC vendor may add additional fields to their OPSEC Application

gateways details.

SmartCenter

The synchronization status indicates the status of the peer SmartCenter Servers in

relation to that of the selected SmartCenter Server. This status can be viewed in the

Management High Availability Servers window, whether you are connected to the

Active or Standby SmartCenter Server. The possible synchronization statuses are:

Never been synchronized - immediately after the Secondary SmartCenter has

been installed, it has not yet undergone the first manual synchronization that

brings it up to date with the Primary Management.

Gateways Solution


28/72

28

Synchronized - the peer is properly synchronized and has the same database

information and installed Security Policy.

Advanced - the SmartCenter Server is more advanced than the standby server,

it is more up-to-date. Lagging - the SmartCenter Server has not been synchronized properly.

Collision - the active SmartCenter Server and its peer have different installed

policies and databases. The administrator must perform manual synchronization

and decide which of the SmartCenter Servers to overwrite.

Clients - the number of connected clients on the SmartCenter Server, the name of

the SmartConsole, the administrator responsible for administering the

SmartConsole, the name of the SmartConsole host, the name of the locked

database and the type of SmartConsole application, such as SmartDashboard, User

Monitor etc.

UserAuthority WebAccess

Plugin Performance - the number of http requests accepted and rejected.

Policy info - the name of the WebAccess policy and the last time that the policy

was updated.

UAS info - the name of the UA Server host, the IP Address and port number of

the UAG Server. The number of requests sent to the UA Server and the time it

took for the request to be handled.

Global UA WebAccess - the number of currently open sessions and the time

passed since the last session was opened.

Policy Server

The number of licensed users who are currently connected.

Log Server

Indicates whether or not the SmartCenter server is active and the number of licensed

users who are currently connected. The Log Server includes elaborate details about the

named connected client, including, then name of the administrator, managing the

selected Log Server, the host of the Log Server and the name of the database if it is

locked. The Log Server also indicates the type of application that can be tracked by the

Log Server.

Views about a Specific Gateway


29/72


Views about a Specific Gateway

SmartView Monitor - Gateways allows you to define views for specific gateways. From

within this view it is possible to access information about the following:

Monitor Tunnels - provides a list of Tunnels associated with the selected gateway.

Tunnels are secure links between VPN-1 Pro gateways that ensure secure

connections between an organizations gateways and an organizations gateways and

remote access clients.

The option of viewing a list of tunnels associated with a specific gateway enable you

to keep track of the tunnels normal function, so that possible malfunctions and

connectivity problems can be accessed and solved as soon as possible.

For additional information about Tunnels refer to the Monitoring Tunnelschapter.

Monitor Remote Users - provides a list of SecuRemote users currently logged

on to the specific Policy Servers. On the SmartView Monitor - Gateways interface

you will be able to view all the SecuRemote users currently logged on to specific

policy servers.

Monitor Traffic or Counters - provides information about monitored and

analyzed network traffic and network usage associated with the selected gateway.

You can generate fully detailed or summarized graphs and charts for all connections

intercepted and logged when monitoring traffic and for numerous rates and figures

when counting usage throughout the network.

For additional information about Traffic or Counter refer to the Monitoring

Traffic or Counters chapter.

Interfering Actions

After reviewing the status of certain Clients, in SmartView Monitor, you may decide to

take decisive action for a particular Client or Cluster Member, for instance:

Disconnect client - if you have the correct permissions, you can choose to

disconnect one or more of the connected SmartConsole clients.

Start/Stop Cluster member - All Cluster Members of a given Gateway Cluster can

be viewed via SmartView Monitor - Gateways. You can start or stop a selectedCluster Member.

Gateways Solution


30/72

30

Thresholds

For each kind of Check Point application there is a set of status parameters that can be

monitored. When the status of an application is changed or when an event has

occurred, predefined actions can be triggered. This is done by defining Thresholds (thatis, limits) and actions to be taken if these Thresholds are reached or exceeded. To

Define a Threshold refer to Defining a Threshold page 34

Alert Dialog

Alerts provide real-time information about vulnerabilities to computing systems and

how they can be eliminated.

Check Point alerts users to potential threats to the security of their systems and provides

information about how to avoid, minimize, or recover from the damage.

Alerts are sent by the VPN-1 Pro modules to the SmartCenter Server. The Smart

Center Server then forwards these alerts to the SmartView Monitor SmartConsole,

which is actively connected to the SmartCenter Server.

Alerts are sent in order to draw the administrators attention to problematic gateways,and are displayed in SmartView Monitor. These alerts are sent:

If certain rules or attributes, which are set to be tracked as alerts, are matched by

a passing connection,

If system events, also called System Alerts, are configured to trigger an alert

when various predefined thresholds are surpassed.

The administrator can define alerts to be sent for different gateways. These alerts are

sent under certain conditions, for example, if they have been defined for certainpolicies, or if they have been set for different properties. By default an alert is sent as a

pop up message to the administrators desktop when a new alert arrives to SmartView

Monitor.

Alerts can also be sent for certain predefined system events. If certain predefined

conditions are set, you can get an alert for certain critical situation updates. These are

called System Alerts. For example, if free disk space is less than 10%, or if a security

policy has been changed. System Alerts are characterized as follows:

defined per product. For instance you may define certain System Alerts for Unified

Package and other System Alerts for Check Point QoS.

they may be global or per gateway. This means that you can set global alert

parameters for all gateways in the system, or you can specify a particular action to

be taken on alert on the level of every Check Point gateway.

displayed and viewed via the same user-friendly window.

Alert Dialog


31/72


Configuring Gateway Views

The following pages contain a number of different sets of steps that will instruct you on

how to work with SmartView MonitorGateway views.

To obtain an explicit understanding about the fields, text boxes, drop-down lists, etc., in

each window refer to SmartView Monitor Online Help.

In This Section

Defining the Frequency at which Status Information is Fetched page 32

Start/Stop Cluster Member page 32Select and Run a Gateways View page 32

View In-Depth Information about a Specific Gateway page 32

Create a Custom Gateway View page 33

Edit a Predefined or Custom Gateway View page 33

Defining a Threshold page 34

Define Global Threshold Settings page 34

Delete a Custom Gateway View page 35

Copy a Gateway View page 35

Rename a Custom Gateway View page 35

Export a Custom Traffic or Counter View page 35



32/72

32

Defining the Frequency at which Status Information isFetched

Define the frequency at which status information will be gathered by the SmartCenter

Server from the Check Point gateways, and sent to SmartView Monitor. This is referredto as the Status Fetching Interval, and it is defined in the Gateways Properties window.

By default a status check takes place every 60 seconds.

Start/Stop Cluster Member

Select a specific Cluster Member of a given Gateway Cluster in the Gateway window,

right-click and selectStart

orStop

respectively.

Select and Run a Gateways View

When a Gateways view is run the results appear in the SmartView Monitor

SmartConsole. A Gateways view can be run.

from an existing view

by creating a new view

by changing an existing view

1 In the SmartView Monitor SmartConsole, click on an existing Gateway view.

The view results (that is, a list of all the available gateways) appears in the Results

View.

View In-Depth Information about a Specific Gateway

1 Run the Gateway view for which you would like to view information.

2 Right-click the specific gateway in the ResultsView.

3 Select Gateway Details.

The window that appears provides you with information about system

performance, licenses, High Availability, etc., for the selected gateway.

Create a Custom Gateway View


33/72


Create a Custom Gateway View

1 In the SmartView Monitor SmartConsole, select File > New > Gateways View.

The Dialog window appears.

2 Select the topics for which you would like to receive information in the Available

fields list and move them to the Show these fields in the grid list.

3 Click OK.

The results of the view appear in the SmartView Monitor console.

4 In the Gateways view that appears in the Custom branch of the Tree View type the

name of the new Gateways view.

Edit a Predefined or Custom Gateway View

Unlike a Custom view, the changes you make to a Predefined view cannot be saved. To

save the changes you must perform Save As and subsequently create a new view.

1 In the Custom branch of the Tree View select the Gateway view that you would like

to change.

2 Click the View Properties button in the toolbar directly above the ResultsView.

3 Make the required changes by adding or removing topics from the Show these

fields in the grid list.

4 Click OK.

The results of the view appear in the SmartView Monitor console.

5 To save these results of a Predefined view that has been changed, select the Save

View In Tree button in the toolbar directly above the ResultsView.

6 Enter a name for the new Gateways view and click Save.

The edited Gateways view will appear as a new view in the Custom branch of the

Tree View.

Note - If you are editing a Custom Gateway view the results (changes) are automatically

saved. If you are editing a Predefined Gateway view the results in the Results View are

not saved.


f


34/72

34

Defining a Threshold

1 In the Custom orPredefined branch of the Tree View run a Gateways view.

2 Select the gateway for which you would like to change one or more thresholds.3 Right-click and select Configure Thresholds.

4 In the System Alert area select Custom:

System Alert provides you with the following three options:

Same As Global applies the global threshold settings to the selected gateway.

Custom enables you to select specific thresholds for the selected gateway.

None removes all thresholds from the selected gateway.

5 Select the application whose threshold you would like to change and make the

necessary changes with the fields provided.

The Action column provides you with the following options:

none does not send an alert.

log sends a log entry to the database.

alert sends a pop window to your desktop.

mail sends a mail alert to your Inbox.

snmptrap sends a SNMP alert to the SNMP GUI.

useralert sends a customized alert in the manner that you configure.

6 Click the Save button to save your changes.

Define Global Threshold Settings

1 In the Custom orPredefined branch of the Tree View run a Gateways view.

2 Select the gateway for which you would like to change one or more thresholds.

3 Right-click and select Configure Thresholds.

4 Click the Global Settings button.

5 Select the application whose threshold you would like to change and make the

necessary changes with the fields provided.

Note - To configure these Action options go to SmartDashboard > Policy > Global

Properties > Log and Alert > Alert Commands.

Delete a Custom Gateway View

l k h b h d l h


35/72


6 Click the Save & Close button to save your changes and close the Global Threshold

Settings window.

7 Click the Save & Close button to save your changes and close the Threshold Settings

window.

Delete a Custom Gateway View

1 In the Custom branch of the Tree View select the Gateways view you would like to

delete.

2 Right click the selected view and select Delete.

3 Select Yes to delete the selected Custom view.

Copy a Gateway View

1 In the Custom orPredefined branch of the Tree View right-click the Gateways view

you would like to copy.

2 Select Copy.

3 Right click the Custom branch of the Tree View and select Paste.

A copy of the Predefined orCustom view appears under the Custom branch.

Rename a Custom Gateway View

1 In the Custom branch of the Tree View right-click the Gateways view whose name

you would like to change.2 Select Rename.

3 Type the new name and press Enter.

Export a Custom Traffic or Counter View

1 Right-click the Gateways view you would like to export.

2 Select Export Settings.

3 Select the directory in which you would like to save the exported view settings and

click Save. A file with an svm_setting extension is created.



36/72

36

4


37/72

37

CHAPTER 4

Monitoring Traffic orCounters

In This Chapter

Traffic or Counters Solution

SmartView Monitor provides you with the tools that enable you to be aware of traffic

associated with specific network activities, servers, clients, etc., and the status of

activities, hardware and software usage of different Check Point products in real-time.

Among other things, this knowledge will enable you to

block specific traffic when a threat is imposed assume instant control of traffic flow on a gateway

learn about how many tunnels are currently opened or about the rate of new

connections passing through the VPN-1 Pro gateway.

SmartView Monitor delivers a comprehensive solution for monitoring and analyzing

network traffic and network usage. You can generate fully detailed or summarized

graphs and charts for all connections intercepted and logged when monitoring trafficand for numerous rates and figures when counting usage throughout the network.

In This Section

Traffic or Counters Solution page 37

Traffic or Counters Configuration page 40

Traffic page 38

Counters page 39

Traffic or Counters Solution

Traffic


38/72

38

Traffic

Traffic Monitoring provides in-depth details on network traffic and activity. As a

network administrator you can generate traffic information to:

Analyze network traffic patterns.Network traffic patterns help administrators determine which services demand the

most network resources.

Audit and estimate costs of network use.

Monitoring traffic can provide information on how the use of network resources is

divided among corporate users and departments. Reports summarizing customer

use of services, bandwidth and time can provide a basis for estimating costs per user

or department.

Identify the departments and users that generate the most traffic and the times of

peak activity.

Detect and monitor suspicious activity. Network administrators can produce graphs

and charts documenting blocked traffic, alerts, rejected connections, or failed

authentication attempts in order to identify possible intrusion attempts.

A Traffic view can be created to monitor the Traffic types listed in the following table.TABLE 4-1 Traffic Types

TrafficType

Explanation

Services Displays the current status view about Services used through the selected gateway.

IPs/NetworkObjects

Displays the current status view about active IPs/Network Objects through the selected gateway.

SecurityRules

Displays the current status view about the most frequently used Security Rules.

The Name column in the legend states the rule number as previously configured in SmartDashboard.

Interfaces Displays the current status view about the Interfaces associated with the selected gateway.

Connections Displays the current status view about current connections initiated through the selected gateway.

Tunnels Displays the current status view about the Tunnels associated with the selected gateway and their usage.

Virtual LinkDisplays the current traffic status view between two gateways (for example, Bandwidth, Bandwidth Lossand Round Trip Time).

Packet SizeDistribution

Displays the current status view about packets according to the size of the packets.

QoS Displays the current traffic level for each QoS rule.

Counters

Traffic Legend Output


39/72

Chapter 4 Monitoring Traffic or Counters 39

Traffic Legend Output

The values that you see in the legend depend on the Traffic view you are running.

All units in the view results appear in configurable Intervals.

Counters

Monitoring Counters provides in-depth details about Check Point application usage

and activities. As a network administrator you can generate system status information

about:

Resource usage for the variety of components associated with the VPN-1 Pro

server. For example, the average use of real physical memory, the average percent ofCPU time used by user applications, free disk space, etc.

VPN-1 Pro performance statistics for a variety of firewall components. For

example, the average number of concurrent CVP sessions handled by the HTTP

security server, the number of concurrent IKE negotiations, the number of new

sessions handled by the SMTP security server, etc.

Detect and monitor suspicious activity. Network administrators can produce graphs

and charts documenting the number of alerts, rejected connections, or failedauthentication attempts in order to identify possible intrusion attempts.

Traffic or Counters Configuration



40/72

40


The following pages contain a number of different sets of steps that will instruct you on

how to configure Traffic or Counter views.

To obtain an explicit understanding about the fields, text boxes, drop-down lists, etc., in

each window refer to SmartView Monitor Online Help.

In This Section

Select and Run a Predefined or Custom Traffic or Counter View page 41

Create a New Traffic or Counters Results View page 41Create a Real-Time Custom Traffic or Counter View page 43

Create a History Traffic or Counter View page 44

Edit a Predefined Custom or Traffic View page 45

Edit a Custom Traffic or Counter View page 45

Copy a Traffic or Counter View page 46

Rename a Custom Traffic or Counter View page 46

Delete a Custom Traffic or Counter View page 46

Export a Custom Traffic or Counter View page 46

Recording a Traffic or Counter View page 47

Select and Run a Predefined or Custom Traffic or Counter View

Select and Run a Predefined or Custom Traffic or Counter


41/72


View

When a Traffic orCounter view is run the results appear in the SmartView Monitor

SmartConsole. A Traffic orCounter view can be run

from an existing view

by creating a new view

by changing an existing view

1 In the SmartView Monitor SmartConsole, select a Traffic orCounter view in the

Tree View and double click the Traffic orCounter view that you would like to run.

A list of available gateways appears.

2 Select the gateway for which you would like to run the selected Traffic orCounter

view.

3 Click OK.

The results of the selected view appear in the SmartView Monitor SmartConsole.

Create a New Traffic or Counters Results View

A View is the output that is displayed when changing an existing Custom/Predefined

view. The new View is not automatically saved in the Custom/Predefined branch of the

Tree View.

For example purposes, we will create a real-time Traffic view forServices.

1 Right-click the view you would like to change and selectProperties

. TheQuery

Properties window appears.

2 Select Real-Time.

Real-Time provides information about currently monitored traffic or counters.

Select History for previously logged information.

3 Select the topic about which you would like to create a Real-Time traffic view in

the drop-down list provided.

4 Select the Target of this Custom Traffic view.

The Target is the gateway for which you would like to monitor traffic.

Note - The remaining tabs in the Query Properties window change according to the type of

view you are creating and the selection you made in the Real-Time drop-down list.


5 Click the Monitor by Services tab.


42/72

42

6 Select the Services for which you would like to create a custom Traffic view.

7 Click the Filter tab and make the relevant selections.

8 Click the Settings tab and make the relevant selections.

9 Click

Save if your new view is based on an existing Custom view

Save As and type a new view name, if your new view is based on a Predefined

view.

The Select Gateway/Interface window appears.

10 Select the gateway or interface for which you would like to create/run this new

view.

11 Click OK. A Traffic view appears in the Custom branch of the Tree View.

When based on an existing Custom view, the new view properties will remain a

part of the specific Custom view.

When based on an existing Predefined view, the new view will become a newCustom view as described in step 9 above.

Create a Real-Time Custom Traffic or Counter View

Create a Real-Time Custom Traffic or Counter View


43/72


1 In the SmartView Monitor SmartConsole, click the Custom branch of the Tree

View.

For example purposes we will create a real-time Traffic view forServices.

2 Right click the Custom branch and select New Traffic View.

The Query Properties window appears.

3 Select Real-Time.

Real-Time provides information about currently monitored traffic or counters.

4 Select the topic about which you would like to create a Real-Time traffic view inthe drop-down list provided.

5 Select the Target of this Custom Traffic view.

The Target is the gateway or cluster for which you would like to monitor traffic.

6 Click the Monitor by Services tab.

7 Select the Services for which you would like to create a custom traffic view.

8 Click the Filter tab and make the relevant selections.

9 Click the Settings tab and make the relevant selections.

10 Click Save.


11 Select the gateway or interface for which you would like to create this new view.

12 Click OK.

13 Type the name of the new Custom view and press Enter.

Note - The remaining tabs in the Query Properties window change according to the type of

view you are creating and the selection you made in the Real-Time drop-down list.


Create a History Traffic or Counter View


44/72

44

1 In the SmartView Monitor SmartConsole, click the Custom branch of the Tree

View.

For example purposes we will create a real-time Traffic view forServices.

2 Right click the Custom branch and select New Traffic View.


3 Select History in the Type section.

History provides information about previously monitored traffic or counters.

4 Select the Target of this custom Traffic orCounter view.The Target is the gateway for which you would like to view previously monitored

traffic.

5 Click the Traffic History tab or the Counter tab, depending on the type of view you

are creating.

6 In the Time Frame drop-down list, select the period of time for which you would

like to view previously monitored traffic or counters.

7 In the remaining lists, select the topic for which you are interested in viewing

previously monitored information.

8 Click Save.

The Select Gateway window appears.

9 Select the gateway for which you would like to create this new view.10 Click OK.

11 Type the name of the new Custom view and press Enter.

Edit a Predefined Custom or Traffic View

Edit a Predefined Custom or Traffic View


45/72


You cannot change a Predefined view in the Predefined branch of the Tree View.

Therefore, when you change a Predefined views properties you will need to save the

view in the Custom branch of the Tree View in order to preserve those changes.

1 In the SmartView Monitor SmartConsole, right-click the Traffic orCounter view

that you would like to edit

2 Click Properties.


3 Make the necessary changes in the tabs provided and click Save As

The Save to Tree window appears.

4 Enter a name for the new Custom view.


5 Select the gateway for which you would like to create this new view.

6 Click OK.

The new view is run and can be viewed in the SmartView Monitor SmartConsole

and the changes will be preserved in a new view in the Custom branch of the Tree

View.

Edit a Custom Traffic or Counter View

1 In the SmartView Monitor SmartConsole, select the Custom branch of the Tree

View.

2 Right-click the Traffic orCounter view that you would like to edit

3 Click Properties.


4 Make the necessary chang

Checkpoint NGX Smart View Monitor User Guide

Documents

Transcript of Checkpoint NGX Smart View Monitor User Guide