Checkpoint You Can Only Connect in Read Only Mode
Administrator Management
Multi-Domain Security Management administrators use SmartDomain Manager and SmartConsole clients to manage the Multi-Domain Security Management deployment. Each administrator has permissions to manage different aspects of the environment.
Creating or Changing an Administrator Account
This procedure lets you add a new administrator account or change an existing administrator account.
To add a new administrator account:
- In the SmartDomain Manager, go to the view.
- Right-click an empty area in the pane.
The window opens.
- Continue to configure administrator properties as necessary.
To edit an existing administrator account:
- In the SmartDomain Manager, go to the view.
- Double-click an existing administrator in the Administrators pane.
The window opens.
- Continue to configure administrator properties as necessary.
Administrator - General Properties
The administrator general properties include basic information such as the administrator name, type and the administrator expiration date.
To configure administrator general properties:
- In the or window, go to the pane.
- Enter a unique .
The administrator name cannot contain spaces or special characters.
- Select if this administrator can see but not alter settings in the Global SmartDashboard.
- Optionally, add an email address or comment to this administrator definition.
Selecting an Administrator Type
Multi-Domain Security Management uses different administrator types, each with a different scope of administrative authority. This table shows the different administrator types:
| Administrator | Permissions |
|---|---|
| Multi-Domain Superuser | Manages the Multi-Domain Security Management deployment, including all Domains, Multi-Domain Servers, Domain Management Servers, and administrator accounts. Multi-Domain superusers can do these tasks for Multi-Domain Servers: |
| Domain Superuser | Manages networks for all Domains using the SmartDomain Manager and SmartConsole clients. Domain superusers can create, edit and delete Domains as well as see all Domain network objects. Domain superusers can manage Global Managers, Domain Managers and administrators. They cannot configure the Multi-Domain Server environment or manage Multi-Domain Superusers. |
| Global Manager | Manages global policies, global objects and specified Domain networks. Global managers can see data or do actions according to their permissions profile settings. Global managers can manage Domain Managers and administrators. Global managers can only see network objects in their assigned Domains. They cannot create new Domains. |
| Domain Manager | Manages specified Domain networks. Domain managers can use SmartConsole clients to see information or do actions according to their permissions profile settings. Domain Managers can manage administrators. They cannot access the Global SmartDashboard to manage global objects and global policies. |
| None | Do not have permissions to manage Multi-Domain Security Management or use the SmartDomain Manager. None administrators can manage specified Domain networks, using the SmartConsole clients. |
To select an administrator type:
- In the or window, go to the pane.
- Select to prevent this administrator from changing global properties.
- Select an administrator type.
Configuring the Expiration Date
You can assign an expiration date to each administrator account. After this expiration date, the administrator cannot:
- Log in to the SmartDomain Manager.
- Do actions in the Multi-Domain Security Management environment.
- Use the SmartConsole clients.
Note - Multi-Domain Security Management account expiration has no effect on operating system administrators. Operating system administrators, which are different from Multi-Domain Security Management administrators, can always access the Multi-Domain Server command line.
Multi-Domain Security Management includes tools for managing expiration dates and warning administrators of impending expirations. Administrators can manage expiration dates for other administrators with a lower level administrator type. Typically, Multi-Domain Security Management or Domain superusers do these management tasks.
To configure the expiration date:
- In the or window, go to the pane.
- Do one of these steps to set the expiration date:
- Select and then select an expiration date using the calendar control.
OR
- Select to prevent this administrator account from expiring.
You can configure the default expiration dates that appear in this window in the Multi-Domain Security Management window.
Configuring Authentication
All administrators must authenticate to log in to the SmartDomain Manager and manage the Multi-Domain Security Management deployment. Select and configure an authentication method for this administrator.
To select and configure the authentication method:
- In the SmartDomain Manager, create a new administrator or double-click an existing administrator.
- In the or window, go to the pane.
- Select and configure one of these authentication methods:
- Undefined - Administrators are not authenticated or are authenticated by a certificate created in the Certificates pane.
- SecurID - Administrators enter a one-time password as displayed on the SecurID smart card.
- Check Point Password - Administrators enter the Check Point products password.
Enter and confirm the password.
- OS Password - Administrators authenticate using their operating system password.
- RADIUS - Administrators authenticate by a password defined on the specified RADIUS server.
- TACACS - Administrators authenticate by a password defined on the specified TACACS server.
Configuring Certificates
You can create a certificate that lets administrators connect to the Multi-Domain Server and Domain Management Servers. You can also revoke an existing certificate.
To create a certificate:
- In SmartDomain Manager, create a new administrator or double-click an existing administrator.
- In the or window, go to the pane.
- Click .
- In the message box, click to continue.
- Enter and confirm the certificate password.
- Save the certificate.
To revoke an existing certificate:
- In SmartDomain Manager, create a new administrator or double-click an existing administrator.
- In the or window, go to the pane.
- Click .
- In the message box, click to confirm.
Entering Administrator Properties - Flow
The Administrator Properties pane contains optional information, typically contact information or other descriptive data. Administrators with applicable permissions (typically superusers) define the fields that show in the Administrator Properties pane.
To enter administrator properties data:
- In SmartDomain Manager, create a new administrator or double-click an existing administrator.
- In the or window, go to the pane.
- Enter information in the property fields as necessary.
Deleting an Administrator
To delete an administrator:
- In the SmartDomain Manager, go to the pane.
- Right-click an existing administrator and then select .
- Click Yes in the confirmation window.
Defining Administrator Properties
The Administrator Properties pane includes optional information fields, typically contact information or other descriptive data. Administrators, with applicable permissions, define the fields that show in the Administrator Properties pane.
To define the fields that show in the Administrator Properties pane:
- Select from the SmartDomain Manager menu.
- Go to the pane.
- Do one or more of these actions:
- To add a new property field, click and then enter the field name in the pop-up window.
- To delete a property field, select an existing field and then click .
- To change a property field name, click and then enter a new field name.
- To change the display order of a property field, select a field and then click the or arrow to move it.
Defining Administrator Groups - Flow
Administrator groups are related collections of administrator accounts. This lets you manage and do operations on many administrators simultaneously.
Creating a New Group
To create a new administrator selection group:
- In the SmartDomain Manager, select .
- In the window, click .
- In the window, enter a unique group name.
Group names cannot contain spaces or special characters.
- Select administrators from the list and then click .
The administrators show in the list.
Changing or Deleting a Group
To change an administrator selection group:
- In the SmartDomain Manager, select .
- In the window, select a group and then click .
- Select administrators from the list and then click .
The administrators show in the list.
To delete an administrator selection group:
- In the SmartDomain Manager, select .
- In the window, select a group and click .
- In the confirmation window, click .
Managing Administrator Account Expiration
You can assign an expiration date to each administrator. After this expiration date, the administrator cannot log in to the SmartConsole clients or do actions in the Security Management Server environment.
Note - Account expiration has no effect on operating system administrators. Operating system administrators are different from administrators defined in SmartDomain Manager and can continue to access the command line.
SmartDomain Manager includes tools for managing expiration dates and warning administrators of impending expirations.
Working with Expiration Warnings
There are different methods to give warnings that administrator accounts will expire in a short time or have already expired. This section gives explanations for these warnings and procedures for correcting the issue.
Log In Warning
This warning message opens after you log in to the SmartDomain Manager if your administrator account is about to expire.
Speak to the administrator responsible for managing your administrator account to update the expiration date. If you have the applicable permissions, you can change the expiration date in your own account.
The administrator can disable this warning message by selecting the option. The administrator can re-enable the warning by selecting administrator expiration warning from the SmartDomain Manager menu.
Using the Expired Accounts Window
The window shows all administrator accounts that have expired or are near their expiration date. If there are administrators in this status, the link shows in the SmartDomain Manager status bar.
To use the window, you must activate this feature in the Administrator Global Properties pane in the window. By default, the window is activated.
To open the Accounts window, click the link.
These icons show the current status of each account.
| Icon | Description |
|---|---|
| | Account is active. |
| | Account will expire soon. |
| | Account has expired. |
| | Expiration warning ignored. |
By default, the window is enabled.
To disable the window, select the option. Alternatively, you can select from the Selection bar and then select > from the menu.
To re-enable the window, select from the Selection bar and then select > from the menu.
To change the expiration date from this window:
- Select an administrator account and then click .
- In the window, do one of these steps to change the expiration date:
- Select and then select an expiration date from the calendar control.
OR
- Select to prevent this administrator account from expiring.
To change administrator account settings, select an administrator and then click .
To deactivate expiration warnings for one administrator account, select the account and then click .
To deactivate expiration warnings for all administrator accounts, do the procedure for setting default expiration parameters.
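The four account states in the icon table can be reproduced offline for an audit of an administrator inventory. The following Python sketch is an added example, not Check Point code: the `AdminAccount` record, the inclusive warning boundary, and the choice to report an expired account as expired even when its warnings are ignored are assumptions, and the account data is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Status labels taken from the icon table above.
ACTIVE = "Account is active"
SOON = "Account will expire soon"
EXPIRED = "Account has expired"
IGNORED = "Expiration warning ignored"

@dataclass
class AdminAccount:                 # hypothetical record, not a product export format
    name: str
    expires: Optional[date]         # None = account is set to never expire
    warning_ignored: bool = False   # warnings deactivated for this one account

def expiration_status(acct, today, warn_days):
    """Classify one account. warn_days is the configured number of days
    before expiration at which an account starts to be listed."""
    if acct.expires is None:
        return ACTIVE
    if today > acct.expires:        # access stops *after* the expiration date
        return EXPIRED              # assumption: expiry outranks an ignored warning
    if (acct.expires - today).days <= warn_days:
        return IGNORED if acct.warning_ignored else SOON
    return ACTIVE

def expired_accounts_view(accounts, today, warn_days):
    """Rows for accounts that are expired or near expiration, most urgent first."""
    rows = []
    for a in accounts:
        status = expiration_status(a, today, warn_days)
        if status != ACTIVE:
            rows.append(((a.expires - today).days, a.name, status))
    rows.sort()
    return [(name, status, days_left) for days_left, name, status in rows]

def never_expiring(accounts):
    """Accounts with no expiration date; worth a periodic manual review."""
    return [a.name for a in accounts if a.expires is None]

# Constructed sample inventory.
SAMPLE = [
    AdminAccount("alice", date(2024, 2, 20)),
    AdminAccount("bob", date(2024, 3, 10)),
    AdminAccount("carol", None),
    AdminAccount("dave", date(2024, 3, 5), warning_ignored=True),
    AdminAccount("erin", date(2024, 12, 31)),
    AdminAccount("frank", date(2024, 3, 15)),
]

if __name__ == "__main__":
    for row in expired_accounts_view(SAMPLE, date(2024, 3, 1), warn_days=14):
        print(row)
    print("never expires:", never_expiring(SAMPLE))
```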
Add or Change Administrator Window Warning
This warning shows in the administrator General Properties pane if the account is about to expire. Make sure that the expiration date is correct and update if necessary.
Configuring Default Expiration Settings
The default expiration settings show when you define a new administrator account. These settings include:
- The default expiration date.
- The number of days before expiration that warnings show after log in.
- The number of days before expiration that the administrator account shows in the window.
To configure the default expiration parameters:
- In the SmartDomain Manager, select .
- In the window, select .
- In the window, set the expiration date using one of these options:
- - Select if this administrator account does not expire.
- - Select and then click the arrow on the text box. Select the expiration date using the calendar control.
- - Select and enter the number of days (from today) before this account expires.
- Select to show an expiration warning message when an administrator logs in. Enter the number of days before expiration that a warning shows.
- Select to activate the link. This link opens the window.
- Select to let these administrators create or change other administrator accounts. Global and Domain managers must have the permission profile assigned to them to be able to edit an administrator with a lower permission level. For example:
- A Global Manager can edit a Domain Manager and None administrators.
- A Domain Manager can only edit None administrators.
Working with Permission Profiles
A permissions profile is a predefined set of SmartConsole administrative permissions that you assign to administrators and Domains. This feature lets you manage complex, granular permissions for many administrators with one definition. Permission profiles do not apply to SmartDomain Manager activities.
When you assign an administrator account to a domain, you must assign a permissions profile. You can assign a predefined permissions profile or you can create a unique, Domain-specific permissions profile for the administrator.
Administrators with applicable permissions can create and manage permissions profiles. By default, only superusers can create or configure permissions profiles. You can change the global properties to let global and Domain managers create and configure permission profiles for their assigned Domains.
Multi-Domain Security Management includes default permissions profiles:
- - Administrators cannot use SmartConsole applications to see or configure settings.
- - Administrators can use SmartConsole only to see information. They cannot configure settings.
- - Administrators can use SmartConsole applications to see and configure all settings.
- - Administrators can use SmartConsole applications to see and configure all settings with the exception of DLP.
You can assign one of the default permissions profiles to any administrator and domain.
Configuring Permissions
This section includes procedures for creating, changing and deleting permission profiles. Administrators with the applicable permissions can create, edit or delete permissions profiles.
To create or change a permissions profile:
- Select the icon > > .
- In the window, click or select an existing .
- In the window, configure permissions profile settings.
Note - You can also create a new permissions profile while assigning a profile to an administrator in a Domain.
To delete an existing permissions profile:
- In SmartDashboard, select > .
- In the window, click .
- Click to confirm.
To configure permissions profile settings:
- In the section, select one of these options:
- - Permissions to use SmartConsole applications and the Management Portal to connect to a Domain Management Server.
- - Permissions to connect to a Domain Management Server only with the Management Portal.
- In the section, select one of these options:
- - Full access to all Check Point products.
- - Permissions to:
- See all fields of DLP logs in SmartView Tracker.
- See incident messages and captured data. User emails can be read if they violate corporate Data Loss Prevention rules.
- Send or discard quarantined user emails from SmartView Tracker.
With the option you can assign a subset of these permissions as necessary. For example, administrators can see the field content in DLP logs but not see the actual content of incidents.
- - Read-only access to all Check Point products.
- - Configure access to specified Check Point products and select the access type for each product or blade.
Configuring Customized Permissions
If you select , you can define permissions for each Security Management Server resource (object, Policy and feature) separately. The resources show on four different panes in the window. Each pane contains a list of related resources.
To configure customized permissions:
- In the section, select and then click .
- Select a pane in the window:
- - Security Policy, blades and features
- - Monitoring and logging options
- - SmartEvent and SmartReporter features
- - SmartProvisioning features and scripting
- - Endpoint Security Policy management and Endpoint Security client deployment and management.
- Set permissions for the resources:
- To prevent an administrator from seeing or configuring a resource, clear its checkbox.
- To let the administrator see a resource (but not change it), select its checkbox and then select .
- To let the administrator see and configure a resource, select its checkbox and then select .
Notes:
- You cannot prevent administrators from seeing some resources. These resource options are disabled.
- Some resources do not have permission selections. You can only select or clear them.
Managing Permission Profiles
By default, only Global and Domain superusers can create and configure permissions profiles. You can optionally let Global and Domain managers create and configure permissions profiles. Administrators with None permissions cannot manage permission profiles.
To let Global and Domain administrators manage permissions profiles:
- Select > properties from the SmartDomain Manager menu.
- In the window, select .
- In the pane, select the option.
To See the Latest Changes to Permissions Profiles
To see data about the latest changes to a permissions profile:
- In the SmartDomain Manager, select (in the Selection bar) > > .
- Select a permissions profile.
- In the window, click > .
The window opens.
This window shows:
- Date of the last change
- Administrator who made the change
- GUI client used to make the change
Seeing Administrators Using a Permissions Profile
To see which administrators are using a permissions profile:
- In SmartDomain Manager, select (in the Selection bar) > > .
- Select a permissions profile.
- In the window, click > .
The window opens.
Merging Identical Permissions Profiles
It is a security best practice to remove identical permissions profiles and to keep the number of permissions profiles to a minimum. This makes the maintenance of permissions profiles easier.
Multi-Domain Security Management lets you find identical permissions profiles and merge them into one profile.
To find and merge identical permissions profiles:
- In the SmartDomain Manager, select .
- Select > from the menu.
- Select a permissions profile.
- Click and then select .
- Click or
- If the selected profile or profiles are identical to a default profile, they automatically merge with the default profile. Duplicate profiles are deleted.
- If the selected profile or profiles are not identical to a default profile, they automatically merge with the selected profile. Duplicate profiles are deleted.
- If you select the option, enter a profile name (or accept the default name). The selected profile or profiles merge with the name you entered. Duplicate profiles are deleted.
Note - You cannot merge a default profile with an administrator-defined profile. If you try to do this, an error message shows.
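The merge rules above can be rehearsed against an inventory of profiles before anything is changed in the product. This Python sketch is an added example, not Check Point code: the profile dictionary layout, the profile and resource names, the `none`/`read`/`write` access values, and the treatment of a cleared resource as `none` are all assumptions, and the data is constructed.

```python
from collections import defaultdict

def fingerprint(permissions):
    """Order-independent canonical form of a profile's settings.
    Assumption: a resource that is absent equals one set to "none"."""
    return tuple(sorted((res, acc) for res, acc in permissions.items() if acc != "none"))

def identical_groups(profiles):
    """Return lists of profile names whose effective permissions are identical."""
    groups = defaultdict(list)
    for name, prof in profiles.items():
        groups[fingerprint(prof["permissions"])].append(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]

def merge_plan(profiles, assignments, selected, new_name=None):
    """Apply the merge rules described above to the group containing `selected`.
    Returns None when no other profile is identical to it."""
    group = next((g for g in identical_groups(profiles) if selected in g), None)
    if group is None:
        return None
    defaults = [n for n in group if profiles[n]["default"]]
    if defaults:
        keep = defaults[0]      # identical to a default profile: the default survives
    elif new_name:
        keep = new_name         # merge under a newly entered name
    else:
        keep = selected         # merge into the selected profile
    # Default profiles are never deleted.
    delete = [n for n in group if n != keep and not profiles[n]["default"]]
    # Administrators on a deleted profile must end up on the surviving one.
    reassign = {adm: keep for adm, prof in assignments.items() if prof in delete}
    return {"keep": keep, "delete": delete, "reassign": reassign}

# Constructed inventory; "default_read_only" stands in for a built-in profile.
PROFILES = {
    "default_read_only": {"default": True,  "permissions": {"policy": "read", "logs": "read"}},
    "helpdesk_ro":       {"default": False, "permissions": {"logs": "read", "policy": "read", "dlp": "none"}},
    "noc_ops":           {"default": False, "permissions": {"policy": "write", "logs": "read"}},
    "noc_ops_copy":      {"default": False, "permissions": {"logs": "read", "policy": "write"}},
    "dlp_reviewers":     {"default": False, "permissions": {"logs": "read", "dlp": "read"}},
}
ASSIGNMENTS = {"admin_a": "helpdesk_ro", "admin_b": "noc_ops_copy",
               "admin_c": "noc_ops", "admin_d": "dlp_reviewers"}

if __name__ == "__main__":
    for group in identical_groups(PROFILES):
        print(group, "->", merge_plan(PROFILES, ASSIGNMENTS, group[-1]))
```

Reviewing the `reassign` map before merging shows which administrators change profile name, even though their effective permissions stay the same.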
Showing Connected Administrators
In the view, you can see all administrators currently connected to Multi-Domain Security Management. To show connected administrators data, select in the SmartDomain Manager Selection bar.
This data shows in the pane:
- - Type of GUI Client connected to the SmartDomain Manager.
- - Domain that the administrator connects to.
- - Administrator name.
- - Type of GUI client that the administrator is using.
- - GUI client IP address or DNS host name.
- - Date and time that the administrator logged in.
- - Database status:
- - The administrator is using SmartDashboard and has exclusive access permissions to the Domain Management Server. The database is locked.
- - The administrator is using SmartDashboard with access permissions or is using a different GUI client.
- - Status of requests to disconnect a GUI client:
- - Disconnection request is being processed. This status shows only to the user who is disconnecting.
- - Shows the date and time when the GUI client is to be disconnected.
- - Request to cancel a disconnection request. The disconnection request can occur up to 60 minutes from the current time. Administrators can only disconnect connections for other administrators.
Source: https://sc1.checkpoint.com/documents/R77/CP_R77_Multi-DomainSecurityManagement_WebAdminGuide/15612.htm