Read an Excerpt

Introduction
Once you have the VPN-1/FireWall-1 software installed and configured, then you are ready to log into the graphical user interface and start composing your objects and rule bases. In this chapter I will walk you through all the options you have for creating various objects and show you some of the nice features that you can utilize in the policy editor to manipulate your rules. I will show you how to access the firewall's implied rules, and explain the global properties that affect every security policy you create. It's important to know why your firewall is allowing pings, if you have not explicitly defined them in your rule base.

After paying a lot of attention to your policy options, I will then show you how to access your firewall logs and system status. The Track options you choose in your policy will affect the outcome of your logs. You may choose to log some rules and not others. I will also describe ways to make certain selections in your Log Viewer so that you can view only logs for a specific source IP address, or logs for a specific user. The Check Point Log Viewer has a really high quality interface, and is easy to understand.

Managing Objects
Managing objects is probably the thing you'll be doing most often as a firewall administrator. Luckily for you, Check Point has made this task much easier than you might think. While there is still a lot of information needed to set the foundation for your rule base, you needn't put forth a great deal of effort to get that information into a useable format. Your first task is to log into the FireWall-1 GUI management client. On a Windows system, simply start the Policy Editor or your GUI client bydouble-clicking its icon. On a Unix system such as Solaris or AIX, execute the fwpolicy command found in $FWDIR/bin. You'll be presented with a login window, as displayed in Figure 3.1. Note that if this is the initial connection from a GUI client, FireWall-1 will present the management server fingerprint. This is used as a security measure to enable you to validate the identity of that management server.

Once you have logged into the GUI, you'll see a lot of information. Don't worry; you can easily customize this default view to show you just what you need. You can also add or subtract from this view as needed. A couple of changes have been made from previous versions of the policy editor. Figure 3.1 shows you the new default view.

Figure 3.1 Policy Editor

The windowpanes are called (from left moving clockwise) the Objects Tree, Rule Base, Objects List, and Topology Map. You can toggle which one is displayed by selecting View from the Policy Editor menu, as displayed in Figure 3.2.

Figure 3.2 View Selection

The Objects Tree gives you a concise and orderly view of the defined objects of each available type. If your boss asks what networks are defined, here's the place that will give you the quickest answer. Next is the rule base. This enables you to instantly sum up the totality of what your firewall is enforcing, but it also enables you to quickly view NAT, QoS,f and Desktop Security rule information. Below the rule base you'll find the Objects List, which presents a little more detail than the Objects Tree about your defined objects.

The final pane in this window is our "belle of the ball," as it were. New in FireWall-1 NG (assuming you've purchased the Visual Policy Editor) is the Topology Map. This gives you a handsome network map showing the interconnections of all your defined objects. Figure 3.3 shows that pane enlarged to full screen.

Figure 3.3 Topology Map

The neat thing is that this map is completely interactive. You can rearrange the placement of the objects and even query them for information, and alter their configuration.