4 hours 44 minutes
Hello and welcome to Check Point Jump Start,
where we will look at deploying the Check Point Security Management solution.
More than that: what is the Security Management Server? What does it do?
We'll talk about secure internal communication,
is used whenever any Check Point component
communicates with any other Check Point component across a network.
This is enabled by an internal certificate authority
that is automatically created and set up
on the management server.
We'll also take a quick look at the Check Point operating system, Gaia,
and the web user interface that Gaia provides to an administrator
to configure the device as well as update and maintain the operating system.
We'll also look at SmartConsole, which is a Windows GUI application
that the administrator uses to manage the Check Point configuration.
of a management server
in the Check Point Security Management architecture.
It's a three-tiered architecture,
and the administrator
interacts with the SmartConsole GUI to create security policy, update security policy and so on.
The administrator then instructs the SmartConsole application to communicate the changes to the security policy to the management server.
The management server is sort of the keys to the kingdom. It has the complete and authoritative copy
of your security policy, of your Check Point configuration.
And then, when instructed, the security management server
will send the current
probably updated security policy
installation target, which is each security gateway that this policy needs to be sent to
Security gateways, by default, send log data
to the management server
and then, ah,
larger deployment. You may want to offload the overhead of processing log data from your management server.
There are options to allow you to do that
In order for the Check Point components in this three-tiered architecture to communicate,
secure internal communication is used, and this is much like
TLS or SSL
that we're familiar with from HTTPS, going to secure websites.
Secure internal communication uses certificates
the peer, the other end of the network connection,
to ensure that it's the correct
peer and not an impostor.
Also, encryption provides
and there are other protections being applied here, such as integrity checks
must have secure internal communication, set up and working correctly.
policy installation to occur for
log transfer from the security gateway to the management server to occur,
it depends on the version of Check Point that you're using. Current versions of Check Point
have moved to
TLS and are using modern encryption algorithms such as the Advanced Encryption Standard.
Older legacy Check Point deployments, they may still be using Triple DES,
which, though very dated,
is generally regarded as
But we should think about upgrading.
So secure internal communication uses certificates just like HTTPS uses certificates, except that both ends of the conversation
authenticate their identity using a certificate.
And so for this to happen,
certificates must be digitally signed by a trusted certificate authority,
and in a Check Point deployment,
Trusted Certificate Authority is an internal certificate authority that
on the management server when the management server was first initialized.
So the management server will handle
digitally signing the certificates that it's issuing
to new Check Point security gateways that you're deploying or other Check Point products
that you're deploying on your network. It also, by default,
generates digital signatures for VPN,
including site-to-site IPsec VPN connections, so that the VPN peers can authenticate each other,
but also remote access VPN connections. So an individual
with a laptop
who needs to have secure communications to headquarters to get to, say,
their email server
the security gateway they're communicating with is the trusted peer.
the internal certificate authority can also authenticate the remote user
using certificate based
to ensure that they are who they claim to be.
Now the Check Point product
is delivered as an appliance. The appliance is running something very similar to Red Hat Enterprise Linux. It's based on Linux and it's called Gaia.
Gaia is the operating system that Check Point products run on.
Gaia provides a command line interface that simplifies the administration of your Check Point device.
Even better is the web user interface. The web user interface is
an HTTPS web browser website.
And in the top left, you can see the view mode drop-down menu with Advanced selected. There are two modes in which to view
the web user interface. Advanced currently is selected. Basic just
hides some of the less frequently used menu items, so the menu on the left hand side
is shorter and easier to navigate,
and you can switch between basic and advanced at any time.
I talked about the three tier architecture,
and at the
top of that is the SmartConsole application. This is a Windows
the security administrator uses to
create and manage security policies, but also to monitor what's going on with your Check Point deployment.
You could be notified of software updates that are available and install those.
You will also use SmartConsole to add new security gateways and other Check Point
And in a very large deployment, if you have the multi-domain management server feature,
SmartConsole seamlessly works with
multi-domain management.
That's beyond the scope of this course.
Inside of SmartConsole,
on the left-hand side, there's
four major views or tabs.
Then, at the very top left corner, there's a main menu that allows you to access additional functionality in SmartConsole.
Next to that under three
over three is the Objects menu. It allows you to create, manage,
delete and find search for objects that are used in your rules
to determine if a connection matches the rule
At four is the Install Policy button;
you would click on that button when it is time to deploy your updated security policy to selected security gateways.
When you make changes to your security policy in SmartConsole,
they are not effective until you have successfully installed policy
Above number five, the session details menu allows you to see details about the current administrator session logged into SmartConsole,
changes that have been made or whether or not changes have been made
Over on the right-hand side with six
is a configurable view. In this case objects are being viewed
that provides another way of interacting with objects, creating,
modifying and deleting objects
At the bottom, the management activity bar shows the current administrator who's logged in. At the very bottom right, you can see that it's CP Admin, and this administrator currently has no unpublished changes pending. And we'll talk about publishing
can also see the IP address or host name of the management server that this administrator's connected to.
Over on the bottom left,
you can see the status of tasks such as policy installation
that have been performed, and in this example, two of those tasks were not successful.
So we can click that message and get more information about
what wasn't successful and why that
And finally, on the left-hand side at eight,
we can access
command line functions from SmartConsole,
including Check Point's application programming interface, which allows you to script operations
perhaps might be just too tedious or labor intensive in the GUI.
So in SmartConsole, on the left-hand side, there are four major views,
and we've selected the first one, Gateways and Servers.
There's also Security Policies, Logs and Monitor,
and Manage and Settings.
In this Gateways and Servers view,
you get an overview of your Check Point deployment, all of the Check Point products
this management server is managing,
and at the bottom you can see A-SMS. That's the management server itself. It knows about itself.
And then there's, above that, A gateway cluster, which is not a physical appliance. Instead, it's a cluster object that represents
your high availability cluster that you've deployed. That high availability cluster is implemented by two individual security gateway appliances,
A gateway 01 and A gateway 02.
On the left side, you can see the status column, which gives a quick indication as to the health of each Check Point device.
The management server has a warning. That's the yellow triangle, whereas
A gateway 01 has a critical issue. That's the
circle with an X in it.
A gateway 02 has a warning. But the cluster itself
displays the status of the most severe warning of any cluster member. So, given a warning and a critical issue,
it's going to display that there is a critical issue. And if you select
one of the Check Point devices listed in this status display,
at the bottom of this SmartConsole window you will get additional information
that device. So in this case,
on A gateway 01
we can see that its
IP address is 10.1.1.2. The current policy package that has been installed on this security gateway is named based connectivity test, and that was installed on the date shown.
And under license status, if you click on that, it will bring up a screen that tells you, apparently, what's wrong with four software blades, which we'll discuss,
on A gateway 01.
and over to the right a little bit. If you click on device and license information,
you get more information, which you can drill down
Up at number two is a
search field where you can find a specific, say, security gateway
by name or by IP address.
That provides a quick way of locating, in a very complicated Check Point deployment, many, many hosts, the specific host that you want to interact with.
In the Security Policies tab,
you have one or more tabs, and in this case, only one tab is really displayed. This
tab's labeled Standard.
That's the name of a policy package, which we'll talk about.
And that's the default policy package that's created when you deploy your management server.
This Standard policy package contains both access control policy and threat prevention policy. We've highlighted
one of the access control policies, and you can see that that policy consists of one rule,
and it's named the cleanup rule. We'll talk about the cleanup rule a little bit.
The cleanup rule is a best practice rule that
Check Point automatically adds to
new policy packages.
The cleanup rule
always matches. All of the matching columns, such as source and destination and services,
are set to any or the equivalent of any.
When we evaluate your rules,
if we get to the cleanup rule, it will always match.
And the way that Check Point evaluates rules is it starts at the first rule. Rule number one: does it match? If so, I'll do what that rule says. Then I'll stop evaluating the rules in this layer, and we'll talk about that. If it doesn't match, we'll go to rule number two: does it match? And we'll keep doing that until we find a rule that matches.
function of the cleanup rule is to be the very last rule in your policy.
before the cleanup rule is encountered, we had to evaluate
and not match all of your other rules.
The cleanup rule should always match, so it's the last stop,
and its action should be to drop traffic.
provides a default-deny security policy.
If we don't have a rule that matches, that
explicitly allows a connection,
then we will drop through all of our rules till we get to the cleanup rule. That rule will always match, and so it will deny, drop the connection.
And you can't see it, but over on the right, past the Action column, is a Track column.
Best practice is the Track column should be set to log connections that have matched the cleanup rule.
Because if you get to the cleanup rule, that implies that
you did not match any of the rules above,
which really means that the traffic that
match the cleanup rule was unanticipated,
be right rules for So this would be traffic that we weren't expecting.
And it's useful to know, Are we getting traffic that we weren't expecting?
And in order to know that you have to log the rule,
talk about logging in another module.
Also, number three, you can see a couple of buttons to add rules. We can add a rule at the top of our
rule set. We can add a rule at the bottom, or if we've selected a rule, we can add a rule above it or below it.
And then in four, you can see additional tools. Some of these may open up a related GUI application
to control whatever functionality you've selected.
Then on the left-hand side, if we select the Logs and Monitor tab, or Logs and Monitor view, again we get tabs.
In this case, there are three tabs displayed, and the one that's selected is General Overview,
and this General Overview tab's actually
showing you information from
a feature, a product named SmartEvent. SmartEvent
incoming security logs from your gateways, but also from other things, such as Microsoft servers or network infrastructure,
and does event analysis to determine: okay, the logs I'm seeing,
is there something significant here? Something a human should be aware of?
SmartEvent makes it really easy to prioritize your attention.
Events are categorized by severity: critical, high, all the way down to very low severity,
and so you would typically react first to the critical severity event.
Also, SmartEvent will tell you
what specific types of attacks or malware
got through your policy
because you matched a rule that said, Allow or you don't have some functionality enabled that would have stopped it. This is something we recognized, but it got through
The Logs tab, which isn't selected here, shows you firewall logs, and we'll talk about that
in a future module.
And then on the left-hand side, the Manage and Settings view
the list of Check Point administrators, and you can see that there's five displayed here
with the first one, admin, selected. The admin administrator's actually special. It's
when your management server is initialized.
And then you would launch SmartConsole and authenticate as the admin administrator,
and four additional administrators have been created: Walter, Saul, Jesse and Skyler.
can be assigned to different administrator permission profiles. And in this case, everyone has been assigned the Super User profile, which has read and write access to everything.
But the principle of least privilege says you should give only the access, only the permissions
for an individual administrator to do their job duties and nothing more.
So, for instance, Skyler may be a help desk technician
who doesn't need to be able to modify your security policy. They just need to be able to look at logs, and that's it.
So you can create an administrator permission profile
for, say, help desk technicians that limits their access to read-only views of your logs. Nothing more.
In addition to the SmartConsole GUI application, which is your main interface
into the Check Point
there are also other related
Windows applications that are installed
with SmartConsole
that handle more specialized things, such as the SmartEvent client, which allows you to configure this SmartEvent product,
configure event policy: what should cause an event to be logged, and what should we not bother with;
SmartView Monitor, which allows you to see
is going on on a security gateway in real time, with detail. For instance, what sort of traffic
is my security gateway processing?
HTTPS? Is it Windows file sharing?
It also allows you to see
which users are remotely VPN'd into the security gateway. Where are they coming from?
What client are they using?
SmartDashboard is sort of the legacy predecessor to SmartConsole,
and as such,
it is still invoked by SmartConsole to handle some functionality
that is either considered legacy or that SmartConsole doesn't implement, such as configuring HTTPS inspection policy.
intercept and decrypt HTTPS traffic and when should it not?
Now, when you log in to SmartConsole,
you are authenticating
as a Check Point administrator.
There is one
built-in default administrator account with, by default, the user name admin,
and in production, you're not gonna have all of your firewall administrators logging into the same account.
Principle of least privilege and other security concerns
mean that as a best practice, you should have individual accounts for each Check Point administrator.
And those accounts are assigned permission profiles,
which limit their privileges to just what they need to do their job.
A given Check Point administrator may not require
the privilege of changing other Check Point administrators' passwords,
so a permission profile could be applied that doesn't
When you log in to SmartConsole as an administrator, a session is created, and that session tracks
what you have done thus far.
if for some reason you are disconnected from the management server,
SmartConsole will tell you, and it will exit.
But if you reconnect
and log in as the same Check Point administrator, you can resume that session. And so all changes
that you have made thus far will still be there.
On the other hand, if you, say, leave yourself logged in
with your Check Point administrator account on your
It's evening, you're at home, and something arises that you have to sign in.
So you start up your work laptop
and connect via SmartDashboard over the VPN
to the management server as the same Check Point administrator, it will tell you there's already an administrator with an existing session who's currently connected,
and you can take over that session, disconnecting the administrator who's logged in from your
Or you can
log in read-only or abort the connection.
Each Check Point administrator can only be
logged in once, only have one session.
On the other hand,
if you have multiple Check Point administrators defined,
those administrators can all have their own session,
and they can all be making changes simultaneously
on the top
screenshot here, the DMZ rule
has a pencil icon.
What that indicates is
logged into that display. Dan, in this example,
has made some change to the DMZ rule.
And so the pencil icon means that you have an unpublished change here.
Other administrators who were looking at the same part of SmartConsole,
they will see a padlock icon
at the DMZ rule. The DMZ rule cannot be edited by them
because it's locked for edits by the first administrator who made a change, in this case, Dan.
Now, when Dan publishes his changes,
other administrators will see those changes. So for instance, in this example, Dan changed the action of the DMZ rule
from drop to accept, and Dan could see that because, well, it was done in his session.
But since Dan hasn't yet published that change,
other administrators such as Mike
will see the original
status of the rule. In this case, it has an action of drop,
and they will see a padlock icon, which means somebody else is working on this rule, but they haven't published it.
That's a significant feature that R80 added: the ability to have multiple read/write
administrators logged in simultaneously.
I'll demonstrate how to install
a management server and
download and install SmartConsole
and then log in to the management server via SmartConsole.
So in this scenario,
I have a brand new management server appliance
has not yet been configured except
it has an IP address.
And it has
operating system administrator credentials
using the default built in
operating system administrator
I'm now going to open up the Web user interface
And note, I get
an HTTPS warning here
that the certificate authority is invalid.
And that's not surprising considering that I'm talking to an HTTPS web server
on a Linux host
that just initialized itself. So it created its own certificate authority, unrelated
the internal certificate authority that Check Point management server software creates.
This is just a web server,
and the web server certificate authority signed the digital certificate for this HTTPS web server,
but I don't know that certificate authority. So I get this HTTPS warning,
and I'm going to do what
pretty much every user does and just
click through the warning.
But I would say a best practice in production is you do not want to routinely be doing sensitive administration
over untrusted HTTPS connections. It's unlikely that you're talking to
a man in the middle or other malicious actor who is attempting, for instance, to steal your user name and password.
Why not be sure? So you might want to look into either
adding the appliance
web server certificate authority as a trusted certificate authority, which is
easy enough to do, or having your web server certificates on your appliances digitally signed
by a trusted certificate authority such as, perhaps, maybe your Active Directory,
something that your web browsers
do all of that is beyond the scope of this Jump Start training
is mentioned. It is something you might consider.
So when I first installed this management server appliance,
as I said, I used the built in administrator account, the default administrator account that it presents,
and I set a password.
actually there is very little password complexity checking done. It does want you to choose a reasonably secure password,
and here I'm using an eight character password with both
letters and numbers and even some punctuation.
But still eight characters is kind of short.
You may want to choose a more secure password,
so this management server appliance
has been installed. It has an operating system,
but it has not yet had the first time wizard
when I log in to the Web user interface, it's going to require that
I go through this first time configuration wizard.
Now, I'm installing the R80.30 version of the Check Point product,
and I'm going to click through some of these options.
So now it wants me to configure the management connection, the management interface that I'll be using to manage this
management server, and I'm just going to take all of the defaults. These defaults come from when I first installed the operating system on this appliance.
I gave it
an IP address, a subnet mask, and told it which network interface to use.
Now here with the host name,
choose wisely. You don't want to have to ever change this host name. It's certainly possible, but it's something of a pain to do so,
and so I'm just going to use an example host name, A-SMS.
You'll see that
throughout the Check Point training material. If you attend our
CCSA, Check Point Certified Security Administrator course, which I strongly recommend,
you'll see A-SMS used there.
Domain name is optional; that's used for DNS.
But we do need DNS servers.
So I'm gonna type in a couple
just one, I think.
And if you have a web proxy that must be used to get out to the Internet, you can configure that here.
Best practice would be to use the Network Time Protocol, NTP,
and set the time zone correctly. This is a trap. If you're in the United States, for instance, the time zone looks like it's right, but it's actually the time zone for central Canada.
I'm going to go ahead and for this demonstration, set the time manually, and we'll call this time good
going to go ahead and choose the time zone appropriate for me. It doesn't really matter that much
where you are. Just choose the time zone for where you are That way. The times are all correct.
Now, here on a management server, I have to tell it, Are you going to be just a regular management server
or a multi domain server?
Multi domain servers
allow a large
organization or, ah,
hosting company or what have you
essentially virtual management servers for their customers.
One for company A, one for company B, one for company C,
that are all running on the same physical appliance.
Then company A can have their administrators
log into their
virtual management server
and manage their appliances. So can company B and company C.
If you don't know what I'm talking about, you're not using multi-domain. If you are using multi-domain,
I'm not going to go into the details of multi-domain.
But most of what I demonstrate is still applicable.
And starting with R80
you have to
have the correct operating system for the type of appliance this is gonna be in. If you purchase a Check Point appliance, don't worry about it. It's already done.
I'm not actually using a Check Point appliance. I'm using a virtual machine, so-called open server.
And so I had to download the R80.30 management installation image, which is distinct from the R80.30 security gateway image.
Because of that, security gateway is not an option here.
Also, since this is not a security gateway, clustering is not relevant.
I have to define this management server as one of three choices: primary, secondary, or log server/SmartEvent.
Unless you already have a management server, you'll always want to use the default, primary.
Secondary is when you want to do so-called management high availability, where you have
two management servers. Only one is read/write; only one is active at a time.
If one of your management servers suffers, say, a hard drive failure,
you don't lose everything
because it automatically replicates changes that you make to the primary or active management server
to a secondary management server.
Well, I don't have any management servers deployed at this point, so I'm going to stay with the default
then a check box here automatically download blade contracts and other important data. We're just gonna leave that
Then for the Check Point level configuration, let me just
backtrack a little bit.
Check Point has two levels of configuration bit
Once you wrap your mind around it, you can work with it. There's operating system level configuration, such as the IP address of a network interface, routes that you've defined,
and there are operating system level users.
So when I signed into this web user interface, I signed in as the operating system level user admin
with the password for that operating system level admin.
But this screen is asking me is we need to create that
default Check Point administrator
built in that sometimes referred to administrator
by default here, I can just use the operating system administrator, user name
and password, which is convenient. Now. I don't have two different admin accounts, perhaps two different passwords. If I ever want to change
password for the admin account, don't have to worry about doing it in two places.
When I sign in to the management server using
I will use my Check Point administrator credentials, but
it lets them be the same as the operating system administrator credentials,
which is convenient. But if I don't want to do that, then I can use a different user name with unique
Also, we can restrict which IP addresses can log in to the management server using the GUI clients such as SmartConsole,
and best practice would be to restrict
the list of IP addresses to at least a subnet.
You can also just give a specific range of IP addresses: 192.168.1.12 through 17.
For the ease of this demonstration,
going to ignore best practice and say any IP address.
Now your management servers should be behind a security gateway, and your security gateway should not be allowing, say, the Internet to connect
to your management server's IP address.
This is another layer of security, and we like having multiple layers of security in case one layer is breached.
this product, this device that I'm going to be installing is going to be installed as a management server. A primary management server.
There's another check box here: improve product experience by sending data to Check Point.
If you want more information, you can click on the provided link.
But this allows Check Point to track, for instance, issues that are happening.
I'm just gonna go ahead and leave that checked and click finish.
I get prompted to make sure I want to continue with the first time wizard configuration. I do,
and it will run. I'll go ahead and pause while this configuration runs its course.
So the first time wizard has successfully completed
the management server is
ready for use.
This were a security gateway. It would have to restart the operating system,
but, um, management server doesn't need to do that.
So now the first time wizard being completed,
we'll get the regular Web user interface.
Again you can see the
view mode drop-down here.
If we change it to basic really just hides.
It is not completely finished loading, so I'm just gonna let it completely finish loading.
All right. It was just sort of slow to load the basic view because it's a virtual machine.
But you can see that the left hand menu has
shrunk, not as many things listed.
So what is listed are the most usual things that an administrator would need to access.
Switch it back to the
full advanced view,
let it reload the web page.
And then we'll talk a little bit about some of the functionality that the Web user interface provides,
so you can manage the network hardware on the appliance
and on a management server. There's not usually a whole lot to manage. Management server typically has a management interface,
that's already set up
so that you can access the Web user interface in the first place.
One thing I'm going to do, just for my ease of use is here under system management session.
The Web user interface will automatically time out after 10 minutes of no activity, and I'm just going to ramp that up to some unreasonable value.
And if I log in to the command line interface of the Gaia operating system,
that too has a timeout defaulting to 10 minutes. I'm gonna set that to something completely unreasonable as well. In production, in the real world, you would not do this. You would choose a more sensible inactivity timeout.
Maybe 10 or 15 minutes isn't long enough, so we'll set it to 30 minutes or an hour. But
multiple days is probably not reasonable.
You need to apply your changes
for them to be effective. And so what clicking Apply just did was send my changes as essentially
to this Gaia host, the management server,
and it applied my changes through the CLI,
saved the changes so they're permanent.
My changes are now in production and they're permanent. They'll survive a reboot.
and also configure users. And in this example,
on a brand new server, there are two administrators by default,
admin account and the monitor account. The monitor account is actually
the admin account
assigned to it
roles this is role based access control
determine what privileges
an account has.
only the privileges assigned to the admin role, which, as it turns out, is all privileges. But again, principle of least privilege:
I have an application or an employee who needs to be able to log into either the CLI or the web user interface of a Check Point host.
They don't need all privileges. I can create a role
defines what that
administrator can do.
I define the role, then I create the administrator account for that employee,
and I assign the administrator role to that account.
Now, some things here are grayed out because this is the built-in admin account, which
you're not allowed to mess with.
One thing that I can mess with is the shell.
By default, the administrator account is given what
Check Point calls the clish command line interpreter shell.
And this is a restricted shell that,
among other things, doesn't really do file paths. It allows you to do the administration via the CLI,
but for a lot of things, I want regular command line access,
so you can change the shell of the administrator account to be the standard Linux shell, Bash, the Bourne Again shell.
You can also create an additional account, a new account, assign it the admin role, and give that account
Bash as its shell.
Third option: in clish, there's an expert mode command, and if you type expert in clish,
it will prompt for a password and then, once successful, will just give you a Bash shell. And if you exit out of the Bash shell, you're back in clish. That's another option.
Ah, this no login here at the bottom is one way to disable an account.
Another thing I wanted to point out here under upgrades
is CPUSE. CPUSE is a fairly recent
addition. The Check Point Upgrade Service Engine
allows a Check Point host like this management server to reach out to Check Point servers
and discover if there are any patches or hot fixes or new operating system versions
that are available that are appropriate for this host. And if so, they'll be listed here.
You can configure the behavior to not automatically go out and check; instead, check when I tell you to.
It will not install
updates until you tell it to. With one exception
By default, updates
to the CPUSE
module itself are automatically installed as they're encountered,
and you can disable that if you want to. But best practice is to allow that to happen, and CPUSE will always be the latest version.
So the default is we're not gonna download, we're not gonna install anything. You can tell CPUSE it's OK to download, but do not install,
and that's sometimes useful. That way you don't have to wait for the download to complete.
Next, I want to install SmartConsole. I could download SmartConsole from Check Point's website.
It's also available here in the Web User interface.
I'll just do that.
I'm gonna go ahead and pause while the download is running, because that will take a bit. This is a big executable,
and we'll continue as soon as it's done.
At this point, the SmartConsole executable file has been downloaded
from the management server to my Windows desktop.
Not a small file, 450 meg or so,
and I started the installer.
And as part of the start up process of the installer,
it's detected that there are several prerequisites that I do not currently have installed.
That's pretty common,
so I'm going to go ahead and allow the installer to run
and then we'll resume.
So SmartConsole has successfully installed all the prerequisites and then the application suite itself,
and I told it
to continue launching.
So now it's presenting me with a login screen. And so I have to provide the user name of the Check Point administrator, and I'm using the built-in admin,
password for that administrator account
and the first time, you also have to provide the IP address or host name of your management server.
Now, when I click log in
SmartConsole initiates a SIC connection
to the management server.
SmartConsole doesn't have a certificate at this point, so it will use the password to authenticate.
pause while I'm waiting for my virtual machine, too.
The SmartConsole has successfully connected to the management server.
The management server provides
a certificate for its side of SIC,
but at this point it's signed by the internal certificate authority that exists on the management server, which my SmartConsole application
doesn't know about.
So I'm prompted to verify the fingerprint, which is a set of short words that are derived from the digital values of the certificate authority
and what one would do
would be you would
log in to the CLI of the management server,
bring up the fingerprint of the certificate authority and compare: is what I'm seeing on the management server the same string of words that I'm seeing here?
That's the old school way of verifying the certificate fingerprint.
With R80, you can sign into the management server's Web user interface
and the certificate authority
fingerprint is available there on the left hand side menu
management server only.
So at this point SmartConsole has successfully launched for the first time,
and it brings up a What's New window,
which you can dismiss.
But you can also get back
by clicking down here on what's new.
That concludes the demonstration for setting up a management server.
So in this module we talked about management
and Check Point's security management architecture, which again has three tiers: the
SmartConsole application, which communicates with
a security management server
and that security management server in turn installs security policy
on your security gateways, your firewalls, when instructed,
and all of this is accomplished over secure internal communication,
well, secure communications between any two Check Point devices across the network.
Secure internal communication relies on the internal certificate authority
that is created on your management server.
We also looked at Gaia, the Check Point operating system, briefly, and the Web user interface
that Gaia provides to make it easier to administrate your Gaia operating system,
and SmartConsole, the
Windows GUI application that allows you to administer your Check Point configuration.
Thank you very much for attending this module of jump start training.