Check Point’s security management architecture (SMART) has always been the best in the market. Upon release of the new R80 security management the best got even better.
In earlier versions you had to install SmartConsole applications (SmartDashboard) in order to manage security policies. This is a tool which enables centralized management of different products and versions. However, it always required that you had to install the application on a computer which was defined as a GUI-client in the security management server. It was also possible to manage policies using the command line tool DBEDIT, but that’s quite complicated tool that could not be recommended for normal policy manipulation. It was usually used in migrations and other more complex activities. Also only one administrator could be connected at a time in write-mode to the security management server.
All the above mentioned limitations are gone in R80. It contains a lot of new features and even more to come in future versions. However, in this post I focus on different ways to manipulate security policies.
- Unified SmartConsole
This is the traditional way of creating rules. What is awesome is that you can do everything from the same console. SmartView Tracker is gone as a log viewer and replaced by SmartLog which is shown in the same SmartConsole window.
- SmartConsole CLI
This is a command line interface that can be opened directly from the SmartConsole. By giving simple commands like “add host…” you can create objects and policies. It’s also possible to add commands into a file and upload this file directly to the CLI when all commands are executed. Think about the case where you need to quicly spin up several security policies or create 5000 objects. All you need to do is to create a command file and run it.Ok, ok… This has been possible with DBEDIT as well in earlier versions, but let’s have a quick look why the new way is better. In the following example we create the same network object with DBEDIT and with R80 CLI. Let’s see the difference (I omit the login and update/publish commands as they are only done once for all commands):
create network Net_10.10.57.0
modify network_objects Net_10.10.57.0 ipaddr 10.10.57.0
modify network_objects Net_10.10.57.0 netmask 255.255.255.0
mgmt_cli add network name Net_10.10.57.0 subnet 10.10.57.0 mask-length 24 -s id.txt
Instead of three commands in DBEDIT, with R80 you give only one. As I said this is a bit simplified statement as the login and publish are missing, but I’m sure you get the point.
- GAIA CLI
From Gaia command line you can login to the management console (see the example below). Gaia management console is similar as the one in SmartrConsole. Each command starts with a keyword “mgmt” like “mgmt add host…”.R80Mgmt> mgmt login user admin
R80Mgmt> mgmt show networks
– uid: “0baad4de-7221-4578-b2b9-c3b78a759124”
name: “SMC User”
This small little tool is available on all R80 management servers and SmartConsole installations and allows you to access the management server from any Linux or Windows machine (in Windows the tool is called mgmt_cli.exe). You don’t have to install SmartConsole on the computer, it’s enough that you copy the mgmt_cli-tool (it doesn’t require any installation) from the existing installation to the computer you would like to use for accessing the management server. Only thing you need to do is to enable the API from the Management API Settings on R80 SmartConsole.
The only difference with the mgmt_cli and SmartConsole or Gaia CLI is that the authentication needs to be carried out every time. When you login into SmartConsole you give the user name and password, but with the mgmt_cli you will either need to give this information every time or a login-command which creates a session for you. See the example below.
The following is an example mgmt_cli -connection which logs into the system creating a session (the same id is used for every command) and then creates some host and network objects, policy package with one rule (clean up rule is there by default, but without logging, this example enables login for the clean up rule as well). Finally the config changes are published making them available for other admins as well and the session is ended with the logout -command.
mgmt_cli login user admin password vpn123 -m 192.168.80.254 > id.txt
mgmt_cli add host name h_12 ip-address 10.1.2.10 -s id.txt
mgmt_cli add host name h_13 ip-address 10.1.2.11 -s id.txt
mgmt_cli add host name h_14 ip-address 10.1.2.12 -s id.txt
mgmt_cli add host name h_15 ip-address 10.1.2.13 -s id.txt
mgmt_cli add host name h_16 ip-address 10.1.2.14 -s id.txt
mgmt_cli add host name h_17 ip-address 10.1.2.15 -s id.txt
mgmt_cli add host name h_18 ip-address 10.1.2.16 -s id.txt
mgmt_cli add host name h_19 ip-address 10.1.2.17 -s id.txt
mgmt_cli add host name h_20 ip-address 10.1.2.18 -s id.txt
mgmt_cli add network name n_test_net1 subnet 10.10.10.0 mask-length 24 -s id.txt
mgmt_cli add network name n_test_net2 subnet 192.168.192.0 mask-length 24 -s id.txt
mgmt_cli add network name n_test_net3 subnet 172.16.172.0 mask-length 24 -s id.txt
mgmt_cli add package access True threat-prevention True name Policy_Lari -s id.txt
mgmt_cli set access-rule layer “Policy_Lari Network” name “Cleanup rule” track “Log” -s id.txt
mgmt_cli add access-rule layer “Policy_Lari Network” position 1 name “Test Rule” source n_test_net1 destination h_12 service “ssh” action “Accept” track “Full Log” -s id.txt
mgmt_cli publish -s id.txt
mgmt_cli logout -s id.txt
- Web Services
You can create your own web app that simply uses HTTPS post to manipulate your security policies. This way you can integrate the security management to almost any web based ticketing system or similar.For more detailed information about the web services and usage examples visit the developers forum in R80 Exchange Point.