SAFEsuite and Checkpoint Communications
Engineering Tech Note
TERMS
SCA - SAFElink Checkpoint Agent
CMM - Checkpoint Management Module
CFM - Checkpoint Firewall Module
Assumptions
All of the following scenarios assume that the SCA and the CMM are on the same subnet. If they are not, port 256 must be allowed through the router/firewall between the subnets with any source port, in addition to port 49250 for the SAFEsuite Decisions application. The scenarios also assume that Checkpoint is already installed and functioning properly.
Authenticated Connections
SCA and CMM on same Solaris machine
Install SAFElink agent.
Edit the /etc/rc3.d/S98SAFElink script to include the following lines in the beginning of the script (between the last comment and the killproc function):
#this path should point to the Checkpoint installation OR
#the path to the conf directory where fwopsec.conf is contained.
FWDIR=/opt/CKPfw
export FWDIR
Restart the agent service
/etc/rc3.d/S98SAFElink stop
/etc/rc3.d/S98SAFElink start
Copy the opsec_putkey.solarissparc to the SAFElink install directory.
Run $FWDIR/bin/fw putkey CMMIPADDRESS
Enter the secret key as prompted.
Run /opt/ISS/SAFElink/opsec_putkey.solarissparc CMMIPADDRESS.
Enter the same secret key entered above.
You should receive the following message:
OPSEC: Received new control security key from CMMIPADDRESS
Authentication with CMMIPADDRESS initialized
At this point you should be able to configure a new agent and job from the SAFElink console and load data.
SCA and CMM on same NT machine
Install the SAFElink agent.
Open the system control panel applet and select environment.
Select any variable in the system variables window.
Clear the text in the variable box and enter FWDIR.
Clear the text in the value box and enter c:\winnt\fw.
Click set.
NOTE: Since the firewall is already functioning on this machine, this should have already been done.
Verify that the variable has been set properly by opening a NEW command prompt and typing “echo %FWDIR%”
Restart the Agent service.
Run %FWDIR%\bin\fw putkey CMMIPADDRESS
Enter the secret key as prompted.
Run c:\program files\iss\SAFElink\opsec_putkey CMMIPADDRESS.
Enter the same secret key entered above.
You should receive the following message:
OPSEC: Received new control security key from CMMIPADDRESS
Authentication with CMMIPADDRESS initialized
At this point you should be able to configure a new agent and job from the SAFElink console and load data.
SCA on NT and CMM on Solaris
Install the SAFElink agent.
Create a directory called conf in the agent installation directory (c:\program files\iss\safesuite decisions\agent)
Copy the fwopsec.conf file from the CMM machine to the directory created above.
Edit the file and add the following line directly below the lea_server line:
lea_server ip CMMIPADDRESS
Open the system control panel applet and select environment.
Select any variable in the system variables window.
Clear the text in the variable box and enter FWDIR.
Clear the text in the value box and enter c:\program files\iss\safesuite decisions\agent.
Click set.
Verify that the variable has been set properly by opening a NEW command prompt and typing “echo %FWDIR%”
Restart the Agent service.
On the CMM machine, type the command $FWDIR/bin/fw putkey SCAIPADDRESS
Enter the secret key as prompted.
On the SCA machine, type the command opsec_putkey CMMIPADDRESS
Enter the same secret key entered above.
You should receive the following message:
OPSEC: Received new control security key from CMMIPADDRESS
Authentication with CMMIPADDRESS initialized
At this point you should be able to configure a new agent and job from the SAFElink console and load data.
SCA on Solaris and CMM on NT
Install SAFElink agent.
Create a directory called conf in the agent installation directory (/opt/ISS/SAFElink).
Copy the fwopsec.conf file from the CMM machine to the directory created above.
Edit the file and add the following line directly below the lea_server line:
lea_server ip CMMIPADDRESS
Edit the /etc/rc3.d/S98SAFElink script to include the following lines in the beginning of the script (between the last comment and the killproc function):
#this path should point to the Checkpoint installation OR
#the path to the conf directory where fwopsec.conf is contained.
FWDIR=/opt/ISS/SAFElink
export FWDIR
Restart the agent service
/etc/rc3.d/S98SAFElink stop
/etc/rc3.d/S98SAFElink start
Copy the opsec_putkey.solarissparc to the SAFElink install directory.
On the CMM machine run %FWDIR%\bin\fw putkey SCAIPADDRESS
Enter the secret key as prompted.
On the SCA machine run /opt/ISS/SAFElink/opsec_putkey.solarissparc CMMIPADDRESS.
Enter the same secret key entered above.
You should receive the following message:
OPSEC: Received new control security key from CMMIPADDRESS
Authentication with CMMIPADDRESS initialized
At this point you should be able to configure a new agent and job from the SAFElink console and load data.
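A pre-flight check for the Solaris SCA steps above, as an added example that is not part of the original tech note: it confirms that FWDIR holds conf/fwopsec.conf and that the lea_server ip line sits directly below another lea_server line, which is worth verifying before running opsec_putkey. The function names, the address 192.0.2.10 and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks the SCA-side settings before the putkey exchange.
# On Solaris, replace awk with nawk or /usr/xpg4/bin/awk (needed for -v).

# fwdir_status DIR -> "ok" if DIR/conf/fwopsec.conf is readable, else the reason.
fwdir_status() {
    if [ -z "$1" ]; then echo "FWDIR not set"
    elif [ ! -d "$1/conf" ]; then echo "no conf directory"
    elif [ ! -r "$1/conf/fwopsec.conf" ]; then echo "fwopsec.conf missing"
    else echo ok
    fi
}

# lea_ip_status FILE IP -> "ok" when "lea_server ip IP" is directly below
# another lea_server line, "misplaced" when it is elsewhere in the file,
# "missing" when no such line exists.
lea_ip_status() {
    awk -v ip="$2" '
        $1 == "lea_server" && $2 == "ip" && $3 == ip {
            seen = 1
            if (prev_lea) placed = 1
        }
        { prev_lea = ($1 == "lea_server") }
        END { print (placed ? "ok" : (seen ? "misplaced" : "missing")) }
    ' "$1"
}

# Constructed sample tree. 192.0.2.10 is a placeholder CMM address, and the
# first lea_server line is an assumed stand-in for the line already present
# in the fwopsec.conf copied from the CMM.
demo() {
    d=$(mktemp -d) && mkdir "$d/conf" || return 1
    printf 'lea_server port 18184\nlea_server ip 192.0.2.10\n' \
        > "$d/conf/fwopsec.conf"
    echo "FWDIR:      $(fwdir_status "$d")"
    echo "lea_server: $(lea_ip_status "$d/conf/fwopsec.conf" 192.0.2.10)"
    rm -rf "$d"
}
demo
```

On a real agent, call fwdir_status "$FWDIR" and lea_ip_status "$FWDIR/conf/fwopsec.conf" with the CMM address in place of the demo values.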
Non-authenticated Connections
All steps will be the same except you may skip any steps that refer to opsec_putkey, opsec_putkey.solarissparc and fw putkey.
Tuesday, February 10, 2009