Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 161

Chapter 4
Configuring Firewall Devices
ASYMSSLCA. Indicates that the communications need to be authenticated and encrypted using an asymmetric key cipher.

These access protocols are configured as follows:

Note: Typically, the default values should be used unless your Check Point deployment includes CLMs.

<service> auth_port <port_number>
This line is required in the fwopsec.conf file. The service value is either LEA_SERVER or CPMI_SERVER. Two possible values exist for port_number: 0, which indicates that the server is not listening for authenticated session requests, and the port number of an authenticated and/or encrypted protocol. If the port_number value is 0, you must configure the server to listen for session requests in CLEAR mode on a valid port using the <service> port <port_number> setting.

<service> auth_type <cipher>
The service value is either LEA_SERVER or CPMI_SERVER. Two possible values are supported for cipher: sslca for authentication and encryption using a symmetric key cipher, or asym_sslca for authentication and encryption using an asymmetric key cipher. If the auth_port setting is set to 0 (zero) for this service, then you do not need to specify the auth_type in the fwopsec.conf file. You can comment out this line.

<service> port <port_number>
This line is required in the fwopsec.conf file. The service value is either LEA_SERVER or CPMI_SERVER. The value for port_number must match the port number on which the desired network service listens. A port_number of 0 (zero) indicates that the log server is not listening in CLEAR mode. If it is some other number, then any service can pull the logs without authenticating. For LEA_SERVER, you cannot use port 18184, as it is used for encrypted log communications. For CPMI_SERVER, you cannot use port 18190. When CLEAR is enabled, authentication is disabled for this port. Any host with access to the Check Point component at this port can pull logs. If you choose to enable CLEAR, which is less expensive in terms of overall transaction costs, you should define policies that restrict access to the MARS Appliance and other known management hosts.

Note: Prior to MARS 4.1 and when using Provider-1 or SiteManager-1 NG FP3 or NG AI (R55), you could not use SSLCA mode for log retrieval by the MARS Appliance. Instead, you were required to configure each CMA and CLM to accept LEA session requests using CLEAR mode. It was unnecessary to configure the LEA settings for the MLM.

The following example indicates that LEA is using ASYMSSLCA-based authentication connecting over port 18184 (default), the traffic is encrypted via SSL, and the log server is not listening for requests in cleartext.

LEA_SERVER auth_port 18184
LEA_SERVER auth_type asym_sslca
LEA_SERVER port 0

The following example indicates that the log server is listening for requests in cleartext at port 18187. Such requests will be serviced and the sessions will be neither authenticated nor encrypted.

LEA_SERVER port 18187

Check Point uses the following default settings:
For LEA, SSLCA is the authentication method and communications occur over TCP 18184.

User Guide for Cisco Security MARS Local Controller
78-17020-01
Check Point Devices
4-33
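A small audit script for the fwopsec.conf lines described above, added here as an example; it is not code from the Cisco manual or from Check Point. It assumes the simple "<service> <key> <value>" line format shown on this page, treats lines beginning with "#" as commented out, and encodes only the rules the page states: auth_port and port are required, auth_type must be sslca or asym_sslca when auth_port is non-zero, a non-zero port enables CLEAR (unauthenticated) log access, and LEA_SERVER port 18184 / CPMI_SERVER port 18190 cannot be used as the CLEAR port. The sample configurations are constructed for the example.

```python
"""Audit Check Point fwopsec.conf LEA_SERVER / CPMI_SERVER access lines.

Added example (not the manual's or Check Point's own code). Flags
configurations that contradict the rules stated in the MARS user guide
and warns wherever CLEAR mode exposes unauthenticated log retrieval.
"""
from typing import Dict, List, Tuple

SERVICES = ("LEA_SERVER", "CPMI_SERVER")
CIPHERS = ("sslca", "asym_sslca")
# Ports reserved for encrypted communications; they cannot be the CLEAR port.
RESERVED_CLEAR_PORTS = {"LEA_SERVER": 18184, "CPMI_SERVER": 18190}

# Constructed sample: the manual's authenticated/encrypted LEA example.
SECURE_EXAMPLE = (
    "LEA_SERVER auth_port 18184\n"
    "LEA_SERVER auth_type asym_sslca\n"
    "LEA_SERVER port 0\n"
)

# Constructed sample: the manual's cleartext example, with auth_port set to 0
# and the (then unneeded) auth_type line commented out.
CLEAR_EXAMPLE = (
    "LEA_SERVER auth_port 0\n"
    "# LEA_SERVER auth_type sslca\n"
    "LEA_SERVER port 18187\n"
)


def parse_fwopsec(text: str) -> Dict[str, Dict[str, str]]:
    """Parse '<service> <key> <value>' lines into {service: {key: value}}."""
    settings: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out line
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed fwopsec.conf line: {raw!r}")
        service, key, value = parts
        settings.setdefault(service, {})[key] = value
    return settings


def _port(cfg: Dict[str, str], key: str) -> int:
    """Read a numeric port value, treating a missing key as 0."""
    try:
        return int(cfg.get(key, "0"))
    except ValueError:
        return -1  # non-numeric value; reported by check_service


def check_service(service: str, cfg: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one service's settings."""
    if service not in SERVICES:
        return [("error", f"{service}: unknown service (expected one of {SERVICES})")]
    findings: List[Tuple[str, str]] = []
    auth_port = _port(cfg, "auth_port")
    port = _port(cfg, "port")
    auth_type = cfg.get("auth_type")

    for key in ("auth_port", "port"):
        if key not in cfg:
            findings.append(("error", f"{service}: '{key}' line is required"))
    if auth_port < 0 or port < 0:
        findings.append(("error", f"{service}: port values must be numeric"))
    if auth_port == 0 and port == 0:
        findings.append(("error", f"{service}: auth_port and port are both 0; "
                                  "no session requests can be accepted"))
    if auth_port != 0 and auth_type not in CIPHERS:
        findings.append(("error", f"{service}: auth_type must be one of {CIPHERS} "
                                  "when auth_port is non-zero"))
    if port == RESERVED_CLEAR_PORTS[service]:
        findings.append(("error", f"{service}: port {port} is reserved for encrypted "
                                  "communications and cannot be the CLEAR port"))
    if port > 0:
        findings.append(("warning", f"{service}: CLEAR mode enabled on port {port}; any "
                                    "host reaching this port can pull logs without "
                                    "authenticating, so restrict access to the MARS "
                                    "Appliance and known management hosts"))
    return findings


def audit(text: str) -> List[Tuple[str, str]]:
    """Audit a whole fwopsec.conf fragment and return all findings."""
    findings: List[Tuple[str, str]] = []
    for service, cfg in parse_fwopsec(text).items():
        findings.extend(check_service(service, cfg))
    return findings


if __name__ == "__main__":
    for label, sample in (("secure", SECURE_EXAMPLE), ("clear", CLEAR_EXAMPLE)):
        print(f"--- {label} ---")
        for severity, message in audit(sample) or [("ok", "no findings")]:
            print(f"{severity.upper()}: {message}")
```

The authenticated example produces no findings, while the cleartext example produces only the CLEAR-mode warning, which is the trade-off the manual describes: cheaper sessions in exchange for relying entirely on network access restrictions to protect the logs.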