I've found that SmartPortal gives you some options you may like.  I had to work 
with Checkpoint to get it to run correctly though, because it doesn't work out 
of the box as recently as R65 HFA70 earlier this year, and I needed to get some 
patches coded up from CP to fix it.  You may have the same issue with newer 
versions, and note that bug fixes don't all seem to get rolled up into the next 
HFA, either.  Check with CP support to see if yours needs a fix as well.

I found (on R65 HFA70, again, but recently this year, so I expect other code 
versions may have shipped with the same brain damage as well) that it would 
work with a default (blank) security policy, or a couple of rules, but would 
never load any actual policies on production management stations I had in use.  
They told me anything from punctuation in my section headers, to my naming of 
objects could cause it to bomb on showing the policy. Basically, the issue 
seemed to be that legit naming in the GUI was not necessarily handled 
correctly by the web interface.  They eventually got me a fix that worked, and 
the policy loaded up fine after that.

I personally like SmartPortal for some uses.  Obviously it's not nearly as 
detailed as the GUI client, but I don't have to get them the client to install, 
and for some users, they don't know what they're looking at beyond the rules 
and log files anyway.  The wrong people that I've given the full GUI client to 
ended up just playing with it and rummaging through all the menus, and opening 
tickets for "security problems" that were nothing more than their 
misunderstanding of what all the config options did.  Never underestimate how 
much trouble a bored / untrained IT governance user or mid-level manager can 
get into with extra time on their hands and a full GUI with tons of things to 
check out.  (I actually found some were trying to get enough familiarity 
through just playing in the GUI to lie about knowing Checkpoint on their resume 
for their next job, which generated far too many phone calls once that GUI was 
rolled out to them ;-)

If you have a server admin who just wants to see what ports are allowed on 
their server, or check the logs (for themselves, without opening a ticket for 
the security team) to see that their traffic is making it through the firewall 
before they look at their application to find the real problem, I think it's 
great.  And for clients that require WAY too many users to have read-only 
access to the firewall (a problem in itself, but not one I can politically 
fight), then the web SmartPortal is awesome, because with a little tweaking on 
the server side you can limit the total number of web daemons spawned, and then 
have no more than 3-4 users searching the logs at once, which keeps them from 
swamping your disk I/O and slowing you down during a problem (when it seems 
that _everyone_ with read-only access wants to jump in and give advice on what 
they think is going on).

Basically SmartPortal is of no use to most real security engineers (and 
therefore, most people on this list), but it's exactly what's needed (and 
nothing more) for a subset of users that demand read-only access for a few 
basic needs.




-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Eugeniu 
Patrascu
Sent: Thursday, December 23, 2010 06:24
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Web visualization tool for R70

On Thu, Dec 23, 2010 at 14:03, a bv <vbavbal...@gmail.com> wrote:
> Hi,
>
> I have a need for showing some internal auditors read only access to
> my R70 SPLAT box access for rule viewing. Since I have a problem with
> the Smartportal module unable to show the main policy till finding out
> the reason and fix this I want to use Web visualization tool for R70.
> But I wanna ask your best practices for controlling and usage of
> this tools html

Giving them read-only access to smart dashboard is not good enough?

Scanned by Check Point Total Security Gateway.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to lists...@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ow...@ts.checkpoint.com
=================================================
