Setting up the ICA Management Tool
Security Management, Multi-Domain Management
Table of Contents:
Setting up the ICA Management Tool connection
Enabling the ICA Management Tool on the Security Management Server
Importing the User Certificate on the Client
Accessing the ICA Management Tool
(1) Setting up the ICA Management Tool connection (creating a Certificate user)
Connect with SmartConsole to Security Management Server / Domain Management Server.
For R80.x, go to Permissions & Administrators - Administrators
For R7x, go to Manage menu - click on Users and Administrators....
Click on New... button - select Administrator....
On General Properties pane:
In the Login Name field - enter the user login name (e.g., John_Smith)
In the Expiration Date field - verify that the date is set to a valid future date
In the Permissions Profile field - select a profile that grants Read/Write All permissions (create such profile, if needed)
On Certificates pane:
Click on the Generate and save button.
A Check Point SmartDashboard dialog box will be displayed with the following message: "The generation of the certificate for the user cannot be undone, unless you click Revoke. Ok to continue?"
Click on OK.
In the Enter Password dialog box, enter the desired user password.
Confirm the user password.
Click on OK.
In the dialog box Save Certificate File As, select the desired location to save the certificate file.
Verify the user login name (e.g., John_Smith) is displayed in the File Name field.
Verify that "Certificate Files (*.p12)" is selected in the Save as type drop-down list.
Click on Save.
Observe the information in the "DN" field, which should look something like this: CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo
A password is required to protect the sensitive data contained in the certificate file. The certificate file contains the private key. Once the certificate is issued, save it to a file and supply the administrator with this file and the password. The certificate can then be used for authentication when logging in with a SmartConsole to the Security Management server.
Click on OK to close the Administrator Properties window.
In the Users and Administrators window, click on Actions... button - select Install....
Click on Close.
In SmartDashboard, go to File menu - click on Save.
Transfer the saved *.p12 file (e.g., John_Smith.p12) to the Client that is connecting to the ICA Management Tool.
(2) Enabling the ICA Management Tool on the Security Management Server / Domain Management Server
Connect to the command line on the Security Management Server / Multi-Domain Security Management Server.
Log in to Expert mode.
On Multi-Domain Security Management Server, switch to the context of the relevant Domain Management Server:
[Expert@HostName:0]# mdsenv <Name of Domain Management Server>
Enable the ICA Management Tool using the "Administrator DN" created in Part 1 above:
[Expert@HostName:0]# cpca_client set_mgmt_tool on -a "<Administrator DN>"
Example:
[Expert@HostName:0]# cpca_client set_mgmt_tool on -a "CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo"
Output should show:
Successfully set the management tool.
The authorized administrators:
The authorized users:
Once the ICA Management Tool is started, the Security Management Server / Domain Management Server will be listening on TCP port 18265 (Check Point predefined service FW1_ica_mgmt_tools).
Having port 18265 open is not a vulnerability: the Management Tool Portal is secured and protected by SSL, and only authorized administrators are allowed to access it, using a certificate.
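One way to audit the result of this step, as an added example that is not part of the original article and is not Check Point code: the script parses the two "authorized" lists printed by the command above and reports any DN that is not on an expected list. It assumes the output lists one DN per line under each header; the sample output (including the Old_Admin entry) is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Check Point code. Assumption: the command output lists
# one DN per line under each "authorized" header shown in this article.

# Constructed sample output (Old_Admin is a made-up second entry).
sample_output() {
cat <<'EOF'
Successfully set the management tool.
The authorized administrators:
CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo
CN=Old_Admin,OU=users,O=saturn.detroit.com.k7ekvo
The authorized users:
EOF
}

# Read command output on stdin; print "role<TAB>DN" for each authorized DN.
list_authorized_dns() {
    awk '
        /^The authorized administrators:/ { role = "admin"; next }
        /^The authorized users:/          { role = "user";  next }
        role != "" && /[^ \t\r]/ {
            sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
            print role "\t" $0
        }'
}

# Args: the DNs that are supposed to be authorized. Stdin: command output.
# Prints every authorized DN missing from that list; returns 1 if any exist.
unexpected_dns() {
    allow=$(printf '%s\n' "$@")
    list_authorized_dns | ALLOW="$allow" awk -F '\t' '
        BEGIN { n = split(ENVIRON["ALLOW"], a, "\n")
                for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print; bad = 1 }
        END { exit bad + 0 }'
}

# Demo on the constructed sample; on a server, pipe the saved output instead.
sample_output | unexpected_dns \
    "CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo" \
    || echo "unexpected DN authorized for the ICA Management Tool"
```

A DN that appears in the report holds access to the tool on TCP port 18265 and should be matched to a current administrator before it is left in place.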