
Chapter 14 · UserAuthority

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: Where can I install UserAuthority Server?
A: UserAuthority Server can be installed on Check Point FireWall-1 enforcement modules and/or on Windows domain controllers (Windows 2000 or NT 4).

Q: Where can I install the WebAccess module?
A: The WebAccess module can be installed on multiple Microsoft IIS version 4 or version 5 Web servers. There is a beta version of the WebAccess module for the Apache Web server on Linux.

Q: Where can I install the UserAuthority SecureAgent?
A: The UserAuthority SecureAgent can be installed on the desktop PCs of users who authenticate to your Windows domain (where the domain controller has the UserAuthority Server installed).

Q: Why can't I see the WebAccess tab in the SmartDashboard GUI?
A: It is not enabled by default. Click Policy | Global Properties | SmartDashboard Customization. At the bottom of the window is a check box labeled Display Web Access view, which needs to be checked.

Q: How do I install a policy to the WebAccess module? It does not show up when I attempt to install the FireWall-1 Security policy or when I try to install the User Database.
A: You can only install the WebAccess policy from the WebAccess tab in the SmartDashboard GUI. Right-click the WebSites icon and select Install. To install to a specific WebAccess module only, right-click that module's object and click Install.
Q: I have configured SSO to a WebAccess module. I log in using the SecureAgent on a desktop host and authenticate against the PDC, but when I then use a browser to access the WebAccess server, it fails to identify my user ID. I am sure UserAuthority is working correctly on my domain controller and firewall. What could be the problem?
A: A common cause of this problem is that the connection to the WebAccess server is being address-translated, either by the firewall module or by another host between you and the WebAccess server. Using a proxy to access the Web server has a similar effect, because the WebAccess server then sees the translated or proxy address rather than the client address that UserAuthority recorded when you logged in. You need to avoid NAT and proxying on connections to the WebAccess server. If you must use a proxy, WAM can interpret an HTTP header that identifies the original source IP address of the client, if your proxy supports that. Trust such a header only when it is inserted by a proxy you control and clients cannot reach the WebAccess server directly: any client can add the same header to its own requests, and a WebAccess server that believed it would attribute the request to whatever address the client chose.

Q: Can I use SecureClient as a remote user and achieve SSO?
A: Yes. When you authenticate using SecureClient, you register with the UAS on the firewall enforcement module that your SecureClient authenticated against, and the WebAccess server can then query that module to see whether you have authenticated (or, if that module does not hold your record, it can use chaining to query other firewall modules).

Q: We have personal firewalls on our internal PCs. Will this cause a problem for UA SecureAgent?
A: Yes. SecureAgent must be able to receive queries from the domain controller UAS on UDP port 19194. Your personal firewall must be configurable to allow this traffic. Note that Check Point SecureClient version 4.1 cannot be configured to this level of granularity, so it is not suitable for use with SecureAgent if the SecureClient policy is blocking incoming connections to the client. SecureClient NG allows finely granular policies, so it is fully compatible.

Q: We are running a gateway cluster. Can we run UAS on the cluster members?
A: Yes, UAS can be run on a cluster. However, the cluster mechanism will not synchronize the UACM databases between the members. Check Point supplies a utility called db_sync that updates the cluster members; the synchronization must be scheduled manually by the administrator.

Chapter 15 · Firewall Troubleshooting

Solutions in this chapter:
- SmartView Tracker
- SmartView Monitor
- Using fw monitor
- Other Tools
- Summary
- Solutions Fast Track
- Frequently Asked Questions

Introduction

Traffic is not flowing, the phone is ringing, and you are scrambling to figure out why. As the administrator of your firewall, you have a large selection of tools at your disposal, and there are a number of tools you should keep close at hand in the event of trouble. SmartView Monitor, SmartView Tracker, a local network sniffer: you should know how to use all of them so that you can troubleshoot the problems you will no doubt face. We review the Check Point tools and some third-party tools that we recommend you have in your arsenal.

Check Point provides the SmartView Tracker so that you can view the traffic as it flows through the firewall. This should be the first line of troubleshooting your firewall. SmartView Monitor allows you to view interfaces and links in real time, so immediate traffic-flow analysis is available to determine how the system is functioning. Along with these tools, Check Point provides command-line utilities that expose FireWall-1 kernel statistics, VPN and encryption information, and other performance metrics.

Check Point also supplies fw monitor for more technical personnel. fw monitor is a command-line facility that lets you capture and analyze the traffic flowing through your firewall in a systematic way. We review the best methods of using this utility and how it can provide insight into where your firewall may not be functioning as you expect.
SmartView Tracker

Typically the first thing you will want to do when analyzing firewall behavior is to log in to the SmartView Tracker and watch the traffic as it flows through your firewall. This tool is installed by default along with the other Check Point SMART Clients on an NG FP3 Windows workstation or server. If you are running a pre-FP3 management module, the same tool is named Log Viewer.

The FP3 SmartView Tracker provides a new view into the FireWall-1 logs, with three modes accessible via tabs (Log, Active, and Audit). As shown in Figure 15.1, you also have several options in a drop-down menu within each view for customizing and searching the log records that are displayed. The nicest feature of the FP3 interface is its modular views: you can have multiple instances of the logs open within the Tracker frame by selecting File | Open In New Window and choosing the filename you wish to open.

Filtering Traffic

You can make selections within the SmartView Tracker to limit the log records that are displayed, which helps you isolate particular traffic and troubleshoot your firewall more effectively. There are a number of predefined selection criteria to choose from in the menu on the left. The default is to show All Records, but you can also choose to view only FireWall-1, VPN-1, or FloodGate-1 traffic, for instance, by right-clicking on the name and choosing Open. You can determine exactly what is being filtered by looking for a green icon next to the column where the filter is applied. For example, the FireWall-1 predefined filter restricts the Product column to SmartDefense and VPN-1 & FireWall-1 only; the VPN-1 filter restricts the Encryption Scheme column to IKE and FWZ; and the FloodGate-1 filter restricts the Product column to FloodGate-1 only.
Figure 15.1 SmartView Tracker Log View

If you would prefer to create your own filters, each of the columns in the frame that displays the logs has a filter option, which you can activate by right-clicking on the column and selecting Edit Filter. See Figure 15.2 for an example of the Service filter window, in which we have selected SMTP as the protocol we want to scan for in the logs. To do this, follow these steps:

1. Log in to SmartView Tracker.
2. Ensure that All Records are displayed.
3. Right-click on the column labeled Service and choose Edit Filter.
4. Type smtp in the selection window on the right-hand side, or scroll down to the service you wish to choose in the list.
5. Click Add. You can add as many services as you want to see in the logs to this window.
6. Click OK.
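Both the predefined selections and a custom Service filter are restrictions on the values allowed in particular columns. The script below is an added example written for this chapter, not Check Point code and not from the book: it expresses the FireWall-1, VPN-1 and FloodGate-1 filters as the column restrictions described above, emulates the Edit Filter | Add step on the Service column, and reports which columns would carry the green filter icon. The log records are constructed sample data with column names taken from the Tracker's Log view, and the composition rule (restrictions on different columns are ANDed, values within one column are ORed) is assumed here as the way stacking a column filter on a predefined selection narrows the result.

```python
# Added example: SmartView Tracker-style column filtering over log records.
# Not Check Point code. SAMPLE_LOGS is constructed sample data, not real
# firewall output; the column names follow the SmartView Tracker Log view.
from typing import Dict, Iterable, List, Set

LogRecord = Dict[str, str]
ColumnFilter = Dict[str, Set[str]]   # column name -> allowed values

# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_LOGS: List[LogRecord] = [
    {"No.": "1", "Product": "VPN-1 & FireWall-1", "Action": "accept",
     "Service": "http", "Source": "10.1.1.5", "Destination": "192.0.2.10",
     "Encryption Scheme": ""},
    {"No.": "2", "Product": "VPN-1 & FireWall-1", "Action": "drop",
     "Service": "smtp", "Source": "198.51.100.7", "Destination": "10.1.2.25",
     "Encryption Scheme": ""},
    {"No.": "3", "Product": "VPN-1 & FireWall-1", "Action": "encrypt",
     "Service": "smtp", "Source": "10.1.1.9", "Destination": "10.2.2.25",
     "Encryption Scheme": "IKE"},
    {"No.": "4", "Product": "SmartDefense", "Action": "drop",
     "Service": "http", "Source": "203.0.113.4", "Destination": "192.0.2.80",
     "Encryption Scheme": ""},
    {"No.": "5", "Product": "FloodGate-1", "Action": "accept",
     "Service": "ftp", "Source": "10.1.1.12", "Destination": "192.0.2.21",
     "Encryption Scheme": ""},
]

# The predefined selections from the left-hand menu, written as the column
# restrictions the chapter says each one applies. An empty filter shows all.
PREDEFINED: Dict[str, ColumnFilter] = {
    "All Records": {},
    "FireWall-1": {"Product": {"SmartDefense", "VPN-1 & FireWall-1"}},
    "VPN-1": {"Encryption Scheme": {"IKE", "FWZ"}},
    "FloodGate-1": {"Product": {"FloodGate-1"}},
}


def add_values(filters: ColumnFilter, column: str, *values: str) -> ColumnFilter:
    """Emulate Edit Filter -> Add: extend the allowed set for one column.
    Returns a new filter so the predefined ones are never mutated."""
    merged = {col: set(vals) for col, vals in filters.items()}
    merged.setdefault(column, set()).update(values)
    return merged


def filtered_columns(filters: ColumnFilter) -> Set[str]:
    """Columns that would carry the green filter icon in the GUI."""
    return {col for col, vals in filters.items() if vals}


def matches(record: LogRecord, filters: ColumnFilter) -> bool:
    """A record is shown only if every filtered column holds an allowed value.
    Different columns are ANDed; the values within one column are ORed."""
    return all(record.get(col, "") in allowed
               for col, allowed in filters.items() if allowed)


def apply_filter(records: Iterable[LogRecord], filters: ColumnFilter) -> List[LogRecord]:
    """Return the records that survive the filter, in log order."""
    return [r for r in records if matches(r, filters)]


if __name__ == "__main__":
    # Steps 1-6 from the text: start from All Records, add smtp on Service.
    smtp_only = add_values(PREDEFINED["All Records"], "Service", "smtp")
    for rec in apply_filter(SAMPLE_LOGS, smtp_only):
        print(rec["No."], rec["Product"], rec["Action"],
              rec["Source"], "->", rec["Destination"])
    print("filtered columns:", sorted(filtered_columns(smtp_only)))
```

Stacking filters is where the model pays off: starting from the FireWall-1 selection and adding Service = smtp and Action = drop leaves only the dropped inbound mail connection, which is the record you would chase when "mail is not flowing".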