UserAuthority · Chapter 14 545
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.
Q: Where can I install UserAuthority Server?
A: UserAuthority Server can be installed on Check Point FireWall-1 enforcement modules and/or it can be installed on Windows domain controllers (Windows 2000 or NT 4).
Q: Where can I install the WebAccess module?
A: The WebAccess module can be installed on multiple Microsoft IIS version 4 or version 5 Web servers. There is a beta version of the WebAccess module for the Apache Web server on Linux.
Q: Where can I install the UserAuthority SecureAgent?
A: The UserAuthority SecureAgent can be installed on the desktop PC of your users who authenticate to your Windows domain (where the domain controller has the UserAuthority Server installed).
Q: Why can’t I see the WebAccess tab in the SmartDashboard GUI?
A: This is not enabled by default. You need to click Policy | Global Properties | SmartDashboard Customization. At the bottom of the window is a check box for Display Web Access view, which needs to be checked.
Q: How do I install a policy to the WebAccess module? It does not show up when I attempt to install the FireWall-1 Security policy or if I try to install the User Database.
A: You can only install the WebAccess policy from the WebAccess tab screen in the SmartDashboard GUI. Right-click the WebSites icon and then select Install. You can install to a specific WebAccess module only if you right-click the specific object and click Install.
Q: When I configure SSO to a WebAccess module and log in using the SecureAgent on a desktop host and authenticate against the PDC, then use a browser to access the WebAccess server, the WebAccess server fails to identify my user ID. Why? I'm sure I have UserAuthority working correctly on my domain controller and firewall. What could be the problem?
A: A common cause of this problem is that the connection to the WebAccess server is being address-translated, either by the firewall module or by another host between yourself and the WebAccess server. Using a proxy to access the Web server will have a similar effect. You need to avoid NAT and proxying on the connections to the WebAccess server. If you must use a proxy, WAM can interpret an HTTP header that identifies the original source IP address of the client, if your proxy supports that.
Q: Can I use SecureClient as a remote user and achieve SSO?
A: Yes. When you authenticate using SecureClient, you will register with the UAS on the firewall enforcement module that your SecureClient module authenticated against, and then the WebAccess server can query the module to see if you have authenticated (or, if not, the firewall module you authenticated against can use chaining to query other firewall modules).
Q: We have personal firewalls on our internal PCs. Will this cause a problem for UA SecureAgent?
A: Yes. SecureAgent must be able to receive queries from the domain controller UAS on UDP port 19194. Your personal firewall must be configurable to allow this traffic. Note that Check Point SecureClient version 4.1 cannot be configured to this level of granularity, so it is not suitable for use with SecureAgent if the SecureClient policy is blocking incoming connections to the client. SecureClient NG allows finely granular policies, so it is fully compatible.
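As an added illustration (not from the book), here is the same requirement expressed as a host firewall rule on the client using the built-in Windows Firewall: the rule admits UDP 19194 only from the domain controllers that run UAS, and only on the domain profile, rather than opening the port to every source. It assumes a Windows host with the NetSecurity PowerShell module (Windows 8/Server 2012 or later) and uses placeholder domain controller addresses.

```powershell
# Added example: scope the SecureAgent listener so that only the UAS domain
# controllers can reach UDP 19194 on this client. Addresses are placeholders.
$UasDomainControllers = @('192.0.2.10', '192.0.2.11')   # replace with your DCs
$RuleName = 'UserAuthority SecureAgent (UDP 19194 from UAS DCs)'

# Remove any stale copy of the rule so that re-running the script is idempotent
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound `
    -Protocol UDP `
    -LocalPort 19194 `
    -RemoteAddress $UasDomainControllers `
    -Profile Domain `
    -Action Allow | Out-Null

# Verify what was actually created: check the port filter and the address filter
$rule = Get-NetFirewallRule -DisplayName $RuleName
$port = $rule | Get-NetFirewallPortFilter
$addr = $rule | Get-NetFirewallAddressFilter
if ($port.Protocol -ne 'UDP' -or $port.LocalPort -ne '19194') {
    throw "Port filter is wrong: $($port.Protocol)/$($port.LocalPort)"
}
if ($addr.RemoteAddress -contains 'Any') {
    throw 'Rule is open to any source; expected it to be scoped to the UAS DCs'
}
"Rule '$RuleName' allows UDP 19194 from: $($addr.RemoteAddress -join ', ')"
```

Run from an elevated PowerShell session; if the domain controller list changes, re-run the script and the rule is replaced rather than duplicated.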
Q: We are running a gateway cluster. Can we run UAS on the cluster members?
A: Yes, UAS can be run on a cluster. However, the cluster mechanism will not synchronize the UACM databases between the members. Check Point supplies a utility called db_sync that will update cluster members. The synchronization must be scheduled manually by the administrator.
Solutions in this chapter:
Using fw monitor
Solutions Fast Track
Frequently Asked Questions
548 Chapter 15 · Firewall Troubleshooting
Traffic is not flowing, the phone is ringing, and you are scrambling to figure out why. As the administrator of your firewall, you have a large selection of tools at your disposal. There are also a number of tools that you should keep close at hand in the event of trouble.
SmartView Monitor, SmartView Tracker, a local network sniffer: you should know how to use all of these tools to ensure you can troubleshoot the problems that you will no doubt face. We review the Check Point tools and some third-party tools that we recommend you have in your arsenal.
Check Point has provided the SmartView Tracker so that you can view the traffic as it flows through the firewall. This should be the first line of troubleshooting your firewall. SmartView Monitor allows you to view interfaces and links in real time. Immediate traffic flow analysis is available to determine how the system is functioning. Along with these tools, Check Point provides command-line utilities that expose the FireWall-1 kernel statistics, VPN and encryption, and other performance metrics.
Check Point also has other tools that will allow the more technical personnel to perform fw monitor functions. fw monitor is a command-line facility that allows you to analyze the traffic flowing through your firewall on a systematic basis. We review the best methods of using this utility, and how it can provide insight as to where your firewall may not be functioning as you expect.
Typically the first thing you'll want to do when analyzing firewall behavior is to log in to the SmartView Tracker and watch the traffic as it flows through your firewall. This tool is installed along with the other Check Point SMART Clients on an NG FP3 Windows workstation or server by default. If you are running a pre-FP3 management module, this same tool will be named Log Viewer.
The FP3 SmartView Tracker provides a new view into the FireWall-1 logs, with three modes accessible via tabs (Log, Active, and Audit). As shown in Figure 15.1, you also have several options in a drop-down menu format within each view for customizing and searching the log records that are displayed. The nicest feature of the FP3 interface is the modular views, where you can have multiple instances of the logs open within the Tracker frame by selecting File | Open In New Window and selecting the filename you wish to open.
You can make certain selections within the SmartView Tracker to limit the log records viewable, which can help you to isolate certain traffic and more effectively troubleshoot your firewall. There are a number of predefined selection criteria that you can choose from in the menu display on the left. The default is to show All Records, but you can also choose to view only FireWall-1, VPN-1, or FloodGate-1 traffic, for instance, by simply right-clicking on the name and choosing Open. You can determine exactly what is being filtered by looking for a green icon next to the column where the filter is applied. For example, the FireWall-1 predefined filter sets the Product column to SmartDefense and VPN-1 & FireWall-1 only; the VPN-1 filter sets the Encryption Scheme column to IKE and FWZ; and the FloodGate-1 filter sets the Product column to FloodGate-1 only.
Figure 15.1 SmartView Tracker Log View
If you would prefer to create your own filters, each of the columns in the frame that displays the logs has a filter option, which you can activate by simply right-clicking on the column and selecting Edit Filter. See Figure 15.2 for an example of the service filter window in which we have selected SMTP as the protocol we hope to scan for in the logs. To do this, follow these steps:
1. Log in to SmartView Tracker.
2. Ensure that All Records are displayed.
3. Right-click on the column labeled Service and choose Edit Filter.
4. Type in smtp in the selection window on the right-hand side, or scroll down to the service you wish to choose in the list.
5. Click Add. You can add as many services as you want to see in the logs to this window.
6. Click OK.