1 Add an access rule in the firewall to allow the Skybox View Collector to use the services required for the collection process.
Note: This is only necessary if the connection between the Skybox View Collector and the FireWall-1 management host is blocked by the firewall.
Figure 6: Tasks: FireWall-1 - Access rule for SBV Collector
Use the following parameters for the access rule:
Source: Skybox View Collector
Destination: FireWall-1 management host
Services: FW1_ica_pull (TCP/18210), CPMI (TCP/18190)
2 Install the FireWall-1 policy.
Check Point FireWall-1 CPMI collection tasks (FireWall-1)
Firewalls – Check Point FireWall-1 CPMI Collection tasks retrieve configuration data from Check Point FireWall-1 management systems and add the data to the current model. (To retrieve configuration data from Check Point Provider-1 CMAs, see Check Point FireWall-1 CPMI collection tasks (Provider-1) (see page 56).) For VSX (virtual systems) firewalls, configuration data for all the virtual firewalls is retrieved.
Skybox View version 7.0.600 51
Note: You must create a separate CPMI collection task for each FireWall-1 management system.
Task parameters
The parameters that control Firewalls – Check Point FireWall-1 CPMI Collection tasks when collecting data from FireWall-1 management systems are described in the following table.
| Parameter | Description |
|---|---|
| Basic tab | |
| Management | The IP address of the FireWall-1 management system. Note: You must provide the IP address, not the asset name. |
| Initialize | |
| Certificate issue date | • <Empty>: The connection to the management system is not initialized. • <Timestamp>: The timestamp of the authentication certificate used to authenticate the connection. To retrieve an authentication certificate, click Initialize Certificate to open the Initialize Certificate dialog box (see page 52). |
| Authentication | |
| Method | • Device: Use the authentication credentials provided here. • Cyber-Ark: Retrieve authentication credentials from Cyber-Ark. (To use this option, you must configure Cyber-Ark (see page 16).) |
| Username | This field is displayed only if Method = Device. The user name of the administrator created for the task (see Configuring FireWall-1 management systems for data collection (on page 45)). |
| Password | This field is displayed only if Method = Device. The administrator’s password. |
| Safe | This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark safe that contains the administrator authentication credential object. |
| Object | This field is displayed only if Method = Cyber-Ark. The name of the Cyber-Ark object that contains the administrator name and password. |
| Collection | |
| Collect Active Policy | Specifies whether to collect the active policy. The active policy is the policy (rulebase) currently installed on the firewall. |
| Rulebase | This field is disabled if Collect Active Policy is selected. The name of the policy to collect. • If you know the name of the policy, type it. • Click Fetch to retrieve a list of available policies from the management system. |
| Modules List | A comma-separated (or semicolon-separated) list of the names of specific FireWall-1 Enforcement Modules to collect. |
| SIC Name | (Read only) The DN of the management system. Skybox View displays the value in the authentication certificate it retrieved when you initialized the connection. |

| Parameter | Description |
|---|---|
| Advanced tab | |
| Location Hint | The location of the FireWall-1 management system. Note: Use this parameter when different locations use the same set of IP addresses, so that two management systems at different locations can have the same IP address. |
| OPSEC Application | The name given to the OPSEC application when it was configured for Skybox View (see Configuring FireWall-1 management systems for data collection (on page 45)). Skybox View displays the name that you provided when you initialized the connection. |
| SIC Name from MDS | You must leave this checkbox cleared when collecting data from a FireWall-1 management system. |
| Do not Merge | Specifies whether to collect device configuration data but not merge it into the model. The configuration data is saved under <Skybox_View_Home>/data/collector/temp/. |
| Secondary Management | The IP address of the standby FireWall-1 management system. Note: You must provide the IP address, not the asset name. |
| Certificate issue date | • <Empty>: The connection to the standby management system is not initialized. • <Timestamp>: The timestamp of the authentication certificate used to authenticate the connection. To retrieve an authentication certificate, click Initialize Certificate to open the Initialize Certificate dialog box (see page 52). |
| Username | The user name of the administrator on the standby management system created for the task (see Configuring FireWall-1 management systems for data collection (on page 45)). |
| Password | The administrator’s password. |
| SIC Name | (Read only) The DN of the standby management system. Skybox View displays the value in the authentication certificate it retrieved when you initialized the connection. |
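
The access rule (TCP/18210 and TCP/18190 from the Collector to the management host) and the Management and Modules List constraints can be checked from the Collector machine before you initialize the connection. The following Python preflight is an added example, not part of the Skybox View documentation; the function names, the sample address 192.0.2.10 and the module names are assumptions made for illustration.

```python
import ipaddress
import re
import socket

# Services named in the access rule on this page.
REQUIRED_SERVICES = {"FW1_ica_pull": 18210, "CPMI": 18190}


def parse_management(value):
    """Return the address if it is an IP literal (the page requires an IP, not an asset name)."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError(f"Management must be an IP address, got {value!r}")


def parse_modules_list(value):
    """Split a comma- or semicolon-separated Modules List into module names."""
    return [name.strip() for name in re.split(r"[,;]", value) if name.strip()]


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(management, modules="", services=REQUIRED_SERVICES, timeout=3.0):
    """Validate the task inputs, then probe each service the access rule must allow."""
    host = parse_management(management)
    return {
        "management": host,
        "modules": parse_modules_list(modules),
        "services": {name: port_open(host, port, timeout)
                     for name, port in services.items()},
    }


if __name__ == "__main__":
    # Constructed sample values: 192.0.2.10 is a documentation address.
    report = preflight("192.0.2.10", "fw-edge-1; fw-edge-2", timeout=1.0)
    for name, ok in report["services"].items():
        state = "reachable" if ok else "blocked or closed"
        print(f"{name} (TCP/{REQUIRED_SERVICES[name]}): {state}")
```

A successful TCP connection shows only that the firewall permits the service; certificate initialization and authentication are still performed by the task itself.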
Initialize Certificate dialog box
The Initialize Certificate dialog box parameters are described in the following table.

| Parameter | Description |
|---|---|
| Use existing certificate | Use the authentication certificate that Skybox View retrieved previously from the OPSEC application. |
| OPSEC Application | The name given to the OPSEC application when it was configured for Skybox View (see Configuring FireWall-1 management systems (on page 45)). |
| Date | The date of the authentication certificate. |
| Retrieve new certificate | Retrieve a new authentication certificate from the OPSEC application. |
| OPSEC Application | The name given to the OPSEC application when it was configured for Skybox View (see Configuring FireWall-1 management systems (on page 45)). |

Activation Key The activation key created in SmartDashboard when configuring
systems (on page 45)).