Integrity XML Policy File Reference


A Reference to XML Policy Elements and Attributes

Preface

This document describes the elements and attributes contained in the Check Point Integrity client XML Policy file.

About Zone Labs, LLC.

Zone Labs, a Check Point company (Nasdaq: CHKP), is one of the most trusted brands in Internet security. Zone Labs is a leading creator of endpoint security solutions protecting millions of PCs, and the valuable, personally identifiable information on those PCs, from hackers, spyware and data theft. The company's award-winning endpoint security product line is deployed in global enterprises, small businesses and consumers' homes, protecting them from Internet-borne threats. Check Point Integrity is an endpoint security management platform that protects corporate data and productivity. The ZoneAlarm family of products is among the most popular and successful Internet security products available today, while IMsecure Pro offers comprehensive security for instant messaging. Please visit for more information.

2005 Check Point Software Technologies Ltd. All rights reserved.

Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, SecureClient, SecureKnowledge, SecurePlatform, SecurRemote, SecurServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, TrueVector, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, Web Intelligence, ZoneAlarm, Zone Alarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726 and 6,496,935 and may be protected by other U.S. Patents, foreign patents, or pending applications.

This product includes software developed by the Apache Software Foundation.

Contents

Chapter 1 Introducing XML-based Configuration
  Introducing XML Policy Files
  Using Command Line Switches
  Comparing Parameter-based and XML-based Policies
  Viewing XML Policies
  Migrating to XML Policies
  Converting from Configuration to XML Policies
  Using This Document
  Use of XPath Statements in this Document
  Abbreviating XPath Parent Elements with //
  Use of Nesting-level Values in this Document
  XML Element Description Tables
  XYZ Element Name in Heading
  Typographic Conventions
  Alphabetization
  Line Breaks
  Hyphenation
  Boolean Attributes and Equivalent Values
  XML and Case Sensitivity

Chapter 2 Overview of the Check Point XML Policy
  Nesting Level 1 ZoneLabsSettings
  Nesting Level 2 Rulesets and Settings
  XML Policy Rule Sets
  The //ruleset[@name=startupruleset] Element
  The //ruleset[@name=runningruleset] Element
  Running Rule Set Functional Categories
  Default System Policy Settings for Integrity Advanced Server
  Sample Default Settings File

Chapter 3 The alerts Functional Category
  Overview of alerts Structure
  Specifying General Alert Behavior
  The alerts Element
  Specifying Alert Logging and Suppression
  The logging Element
  The suppression Element

Chapter 4 The applications Functional Category
  Overview of application Structure
  Specifying applications Networking Behaviors
  Application-specific Networking Child-elements
  Scope of Program-specific Rule Elements
  Specifying Higher-level applications Elements
  The //applications Element
  The //applications/default Element
  The //applications/program Element
  The //applications/module Element
  The //program/protocols Element
  The //protocols/protocol Element
  The //protocols/protocolrange Element
  The //program/firewall/rules/rule Element
  The //rule/execute Element
  Specifying applications Network Entities
  The daytimerange Network-entity Element
  The ethernetaddress Network-entity Element
  The flag Network-entity Element
  The group Network-entity Element
  The ipaddress Network-entity Element
  The iprange Network-entity Element
  The ipsubnet Network-entity Element
  The port Network-entity Element
  The portpair Network-entity Element
  The portrange Network-entity Element
  The protocol Network-entity Element
  The protocolrange Network-entity Element
  The socket Network-entity Element
  Understanding XML Policy Sockets
  Socket Elements and the Control Center
  The type Network-entity Element

Chapter 5 The customsecurity Functional Category
  Overview of customsecurity Structure
  Specifying High and Medium Security Behaviors
  Specifying customsecurity Security
  The highsecurity Element
  The mediumsecurity Element
  Allowing or Blocking Individual Protocols
  The //highsecurity/allow Element
  The //MediumSecurity/block Element
  Specifying UDP and TCP Port Numbers

Chapter 6 The configuration Functional Category
  Overview of configuration Structure
  The configuration Element
  User Interface Control Attributes
  The systemtrayicon Attribute and Display of Alert Boxes
  Specifying autoconfig Settings
  The autoconfig Element
  Specifying autouploadlog Settings
  The autouploadlog Element
  Specifying cachecleaner Settings
  The cachecleaner Element
  The browseroptions Element
  The //cachecleaner/keepcookies/site Child Element
  The systemoptions Element
  Specifying ics Settings
  The ics Element
  The client Element
  The gateway Element
  Specifying lockupredirect Settings
  The lockupredirect Element

Chapter 7 The Functional Category
  Overview of Structure
  Specifying Security Behaviors
  The attachments Element
  The outboundmail Element
  The quarantine Element
  Specifying Attachment Types
  The file Element
  Adding Custom Attachment Types

Chapter 8 The enforcement Functional Category
  Overview of enforcement Structure
  Creating file and registry Elements Using Integrity Server
  The rule Element
  Required rule Attributes
  Specifying Rule Child Elements
  Constructing Valid registry and file Child Elements
  The //enforcement/rule/file Child Element
  The //enforcement/rule/registry Child Element

Chapter 9 The firewall and fwrestricted Functional Categories
  Overview of firewall Structure
  Restricted Rules (fwrestricted)
  The groups and rules Categories
  Overview of firewall/expert/groups XML Policy Structure
  Overview of firewall/expert/rules/rule XML Policy Structure
  Scope of Program-specific Rule Elements
  Specifying Firewall Groups
  The addressgroup Element
  The ipsubprotoflaggroup Element
  The iptypegroup Element
  The portgroup Element
  The protocolgroup Element
  The socketsgroup Element
  The timegroup Element
  Specifying Firewall Rules
  The //firewall/expert/rules/rule Element
  The //rule/execute Element
  The //firewall/logging Element
  Specifying firewall Network Entities
  Overview of applications Traffic Types
  Overview of Network-entity Types
  The daytimerange Network-entity Element
  The ethernetaddress Network-entity Element
  The flag Network-entity Element
  The group Network-entity Element
  The ipaddress Network-entity Element
  The iprange Network-entity Element
  The ipsubnet Network-entity Element
  The port Network-entity Element
  The portpair Network-entity Element
  The portrange Network-entity Element
  The protocol Network-entity Element
  The protocolrange Network-entity Element
  The socket Network-entity Element
  Understanding XML Policy Sockets
  Socket Elements and the Control Center
  The type Network-entity Element

Chapter 10 The general Functional Category
  Overview of general Structure
  Specifying general Security Behaviors
  The autolock Element
  The autovpn Element
  The detectednetworks Element
  The fwoptions Element
  The security Element

Chapter 11 The integrity Functional Category
  Overview of integrity Structure
  Specifying General integrity Behaviors
  Specifying Integrity Connection Behaviors
  The connection Attribute
  Transient Mode Connections to Integrity Server
  Loading Updated connection Element Settings

Chapter 12 The policy_info Functional Category
  Overview of policy_info Structure
  Specifying policy_info Settings
  The policy_info Element

Chapter 13 The preferences Functional Category
  Overview of preferences Structure
  Specifying preferences Options
  The preferences Element

Chapter 14 The webcontent Functional Category
  Overview of webcontent Structure
  The privacy Child Element
  Scope of privacy and sites Child Elements
  The filtering Child Element
  Cerberian Web Content Categories
  Specifying General privacy Behaviors
  The //webcontent/privacy Element
  Specifying Privacy-entity Elements
  The advertisements Element
  The cookies Element
  The mobilecode Element
  The tracking Element
  Specifying Site-specific Privacy Settings
  The sites Element
  The sites/site Element
  Specifying Web Filtering
  The filtering Element
  The category Element

Chapter 15 The zones Functional Category
  Overview of zones Structure
  Specifying Zone Network Entities
  Specifying Zone Security
  Specifying zones Network Entities
  The host Element
  The ipaddr Element
  The iprange Element
  The ipsubnet Element

Index of XML Policy Attributes

Index

Chapter 1 Introducing XML-based Configuration

This document describes the XML Policy used to define configuration and security settings for Integrity client, product versions 4.0 and later.

Introducing XML Policy Files

The earliest versions of the Check Point Integrity client product family included the ability to save and import configuration and security settings in text-based configuration files. Check Point later expanded and adapted the configuration file mechanism to support the deployment of configuration and security settings from Integrity Server in the form of enterprise security policies. Most recently, Check Point implemented an XML-based format for XML Policy files. XML Policies provide greater flexibility as Check Point adds and updates its product family's features.

Using Command Line Switches

All installation command line and operational command line switches support XML Policy files. For a detailed summary of the Integrity client command line switches, see the Integrity Client Management Guide.

Comparing Parameter-based and XML-based Policies

Check Point XML Policies contain a hierarchical series of elements and associated attributes. The older style configuration or policy files contain sections, parameters, and variables. Consider the following XML Policy file excerpt that specifies firewall options.

    <?xml version="1.0"?>
    <ZoneLabsSettings version="1.0">
      <ruleset name="runningruleset" start="afterstartup" stop="onshutdown">
        <general>
          <fwoptions blockfragments="false" blockprotovpn="false" allowprotomisc="false"
                     arpprotection="false" enablespoofprotection="false" debugmode="false"
                     nofwlock="false" debugflags="0" maxfilesize="0" FWDebugRegistry="false"/>
        </general>
      </ruleset>
    </ZoneLabsSettings>

The following excerpt shows the way the same functionality is defined in an older style configuration file.

    [FWOptions]
    BlockFragments=No
    BlockProtoVPN=No
    AllowProtoMisc=No
    EnableArpProtection=No

Viewing XML Policies

XML Policies have a nested hierarchy that is more complex than old style configuration files. Simple text editors, such as Notepad, do not provide any insight into the hierarchy and organization of nested XML. Fortunately, a variety of free or inexpensive editors designed specifically for use with XML can help an administrator navigate a hierarchy of nested elements and attributes.

Migrating to XML Policies

New Check Point Integrity client product features and functions will only be implemented in the newer XML Policy format. Integrity client 6.0 and higher do not support INI policies or configuration files.

Converting from Configuration to XML Policies

There is no explicit mechanism for converting old style configuration policies to XML Policies. However, because older style configuration files can be read by Integrity client 5.0 and earlier, it is possible to use the -config operational command line parameter to read a given configuration file's settings, then use Integrity client to save the settings in XML format in one of two ways:

  In Integrity Desktop, in the Overview panel's Preferences tab, use the Backup and Restore Security Settings feature to save an XML Policy file.
  In Integrity Flex or Integrity Agent, in the Policies panel's Policies tab, select a policy, then press CTRL-ALT-Double-click to display a text file containing XML Policy elements and attributes.

Note, however, that neither of these techniques performs a parameter-by-parameter conversion. Some settings are not exported by Integrity client into configuration or XML Policy files, so compare the saved XML Policy against the original configuration file before deploying it.

Using This Document

This document uses the following three methods to present the sometimes complex relationships between the nested elements and attributes contained in a Check Point XML Policy instance:

  XPath statements
  Nesting-level values
  XML element descriptions

The following sections describe each of these methods in detail.

Use of XPath Statements in this Document

One of the problems associated with viewing nested XML element statements is identifying where a given element and its attributes reside in the XML instance's nested hierarchy. The World Wide Web Consortium, or W3C, has defined the XML Path Language, referred to as XPath, as a way of identifying specific parts, referred to as nodes, of a given XML instance. Visit the W3C Web site for detailed information about XPath.

This document uses simple but syntactically valid XPath statements to identify where in a Check Point XML Policy instance a nested element or attribute resides. Consider the following Check Point XML Policy excerpt.

    <?xml version="1.0"?>
    <ZoneLabsSettings version="1.0">
      <ruleset name="runningruleset" start="afterstartup" stop="onshutdown">

In the preceding example, the ruleset element's name attribute specifies a runningruleset. The following XPath statement identifies this element-attribute pair, and its location in the XML Policy hierarchy:

    /ZoneLabsSettings/ruleset[@name="runningruleset"]

Similarly, the following XPath statement identifies an integrity child element that is contained within a runningruleset parent element:

    /ZoneLabsSettings/ruleset[@name="runningruleset"]/integrity

Other XML Policy elements are even more deeply nested. The following XPath statement identifies the location of an ipaddress element located at nesting level 9 of an XML Policy instance (line break added for readability):

    /ZoneLabsSettings/ruleset[@name="runningruleset"]/
        applications/program/firewall/rules/rule/destination/ipaddress

Because some elements and attributes are so deeply nested, and the resulting XPath statements so lengthy, this document uses the XPath abbreviation // to represent multiple parent elements.

Abbreviating XPath Parent Elements with //

To avoid repeating long XPath statements, this document uses the XPath abbreviation // to represent multiple parent elements. Whenever this document uses this notation it will be of the form:

    //ImmediateParent/ContextElement

ImmediateParent identifies the context element's immediate parent in the XML Policy hierarchy. ContextElement identifies the context element, which is the element being discussed in that particular section of the document. For example, the following illustrates the full XPath statement for the protocols element:

    /ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/protocols

In the section of this document that describes the protocols element, the XPath statement is abbreviated as:

    //program/protocols

The // abbreviation represents the parent elements /ZoneLabsSettings/ruleset[@name="runningruleset"]/applications.

Use of Nesting-level Values in this Document

XPath statements also refer to the nesting level of a given element. In the second example in the preceding section, the integrity element occupies nesting level 3; in the third example, ipaddress occupies nesting level 9. This document refers to an element's nesting level to help clarify that element's relationship to parent and child elements in the Check Point XML Policy.

XML Element Description Tables

The XPath and nesting-level notations described in the preceding two sections are combined in an XML element description table. An XML element description table provides a concise overview of an XML Policy element, the element's attributes, and any next-level child elements. The following illustrates the general form of an XML element description:

Beginning of an example XML element description

XYZ Element Name in Heading

Brief overview of xyz element's function.

The following table lists the xyz element's attributes.

    /ZoneLabsSettings/XPath/statement/XYZ

    Attribute      Type, Values and Description
    attribute1     datatype1. Brief description of attribute1's function. Additional descriptive content. value1, value2, value3 (default value is underlined)
    attribute2     datatype2. Brief description of attribute2's function. Additional descriptive content. value1, value2, value3 (default value is underlined)

    Level n Child Elements
    childelement1  Cross-reference to childelement1
    childelement2  Cross-reference to childelement2

End of an example XML element description

A description of a Check Point XML Policy element consists of:

  A heading introducing the element's description and containing the element name
  An introductory overview of the element's function
  A table containing the following:
    The XPath statement identifying the element's location in the XML Policy hierarchy
    An alphabetical description of the element's attributes and accompanying descriptions of the attributes
    An alphabetical list of the child elements at the next (deeper) nesting level of the XML Policy hierarchy

Note that attributes and child elements are listed in alphabetical order for ease of reference. Elements and attributes do not appear in alphabetical order in a Check Point XML Policy instance.

Typographic Conventions

This document uses style conventions specified by the Microsoft Manual of Style (1). The following table lists the primary style elements defined by that guide.

    Element     Name      Description
    Parameter   Bold      Identifies a specific parameter or command.
    Code        Code      Identifies a specific XML Policy element or attribute.
    { }         Braces    Indicates a set of choices from which the user must choose.
    |           Pipe      Indicates an OR choice. Unlike a logical OR, in a configuration parameter statement the pipe symbol separates two mutually exclusive choices. When used in this context, the user types one of the choices, not the symbol.
    arguments   Italic    Specifies a variable name or other information the user must provide, such as a path and file name.
    ...         Ellipsis  Indicates that multiple arguments are repeated in a parameter statement. The user types only the information, not the ellipsis (...).
    [options]   Brackets  In configuration file parameter statements, brackets indicate optional items. When used to list options, brackets indicate that the user types only the information within the brackets, not the brackets.

Alphabetization

This document lists XML elements and attributes in alphabetical order whenever possible. Alphabetization enables elements and attributes to be more easily located. Elements and attributes do not appear in alphabetical order in a Check Point XML Policy instance. Moreover, at this time the Check Point XML Schema does not contain or enforce sequence-dependent attribute definitions.

Line Breaks

In this document, some XML statements may be too long to fit onto a single line. When examples are too long to fit on a single line, line breaks are added; line breaks may also be added to improve the readability of long parameter statements.

(1) Microsoft. Microsoft Manual of Style, 2nd Edition. Microsoft Press.

Whenever line breaks are added, any additional lines are indented. The following example illustrates XML element statements to which line breaks and indentation have been added. Whenever the presence of extra line breaks is not obvious, the lines containing the extra line breaks are preceded by the statement (line breaks added for readability).

    /ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts

    <alerts show="high" moreinfohideip="obscure" logevents="true" logprogramalerts="off"
            displaysystemtrayalert="true">
      <logging enabled="true" archive="10" delimiter="tab" file="any file"
               netbiosbroadcast="false" netbiosnameout="false" recentconnection="false"
               nonsyntcp="false" routed="false" loopback="false" fragments="false"
               nonip="false" otherip="false" blockedapp="false" lockviolation="false"
               mailsafequarantine="false" clearcurrentvalues="true" newprograms="false"
               changedprograms="false" repeatprograms="false" serverprograms="false"
               newprogramcomponents="false" changedprogramcomponents="false"/>
    </alerts>

Hyphenation

Unnecessary hyphens are never added to XML element or attribute examples: hyphens appear in XML element or attribute examples only when they are required as part of the XML.

Boolean Attributes and Equivalent Values

Many of the Check Point XML Policy attributes are Boolean. Boolean means that the attribute has two states, typically true or false. This document uses the values true and false for all entries. However, for ease of use, and to retain compatibility with older style configuration file syntax, the XML Schema for the Check Point XML Policy specifies the following values as logically equivalent:

  true, yes, allow, on, and 1 (one, not lower-case l)
  false, no, disallow, off, and 0 (zero, not upper-case O)

XML and Case Sensitivity

Check Point XML Policy elements and attributes are not case sensitive. In a Check Point XML Policy instance, timedownloaded and TimeDownloaded name the same attribute. Note that standard XML, and therefore generic XML editors, validators and XPath processors, are case sensitive, so a tool that inspects a policy must fold names to one case before comparing them.
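The XPath, nesting-level, Boolean-equivalence and case-sensitivity conventions above can be exercised against an actual policy file. The following Python script is an added example, not code from this reference or from Check Point: it loads a small constructed policy (the program name and ipaddress value attributes in it are placeholders, not attributes documented on this page), folds element and attribute names to lower case because ElementTree's XPath subset is case sensitive while the policy format is not, maps the equivalent Boolean spellings to true or false, and reports an element's nesting level together with its full and abbreviated XPath in the form this document uses.

```python
"""Query a Check Point Integrity XML Policy using this document's conventions.

Added example, not code from the reference or from Check Point. The sample
policy is constructed; its program "name" and ipaddress "value" attributes
are placeholders, not attributes documented on this page.
"""
import xml.etree.ElementTree as ET

# Equivalent Boolean spellings accepted by the policy schema.
TRUE_VALUES = {"true", "yes", "allow", "on", "1"}
FALSE_VALUES = {"false", "no", "disallow", "off", "0"}

# Constructed sample policy; the mixed-case names exercise case folding.
SAMPLE_POLICY = """<?xml version="1.0"?>
<ZoneLabsSettings version="1.0">
  <ruleset name="runningruleset" start="afterstartup" stop="onshutdown">
    <general>
      <fwoptions blockfragments="No" ArpProtection="on" debugflags="0"
                 FWDebugRegistry="false"/>
    </general>
    <integrity observationinterval="3600"/>
    <applications>
      <program name="example.exe">
        <firewall><rules><rule>
          <destination><ipaddress value="192.0.2.10"/></destination>
        </rule></rules></firewall>
      </program>
    </applications>
  </ruleset>
</ZoneLabsSettings>
"""


def load_policy(text):
    """Parse policy text and fold element and attribute names to lower case.

    The policy format is case insensitive; XML and ElementTree's XPath
    subset are not, so fold once on load and always query in lower case.
    """
    root = ET.fromstring(text)
    for elem in root.iter():
        elem.tag = elem.tag.lower()
        elem.attrib = {k.lower(): v for k, v in elem.attrib.items()}
    return root


def parse_bool(value):
    """Map an equivalent spelling to bool; reject anything else instead of
    guessing, so a typo cannot silently flip a security setting."""
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError(f"not a policy Boolean: {value!r}")


def get_attr(root, path, attr):
    """Attribute of the single element at an ElementTree path such as
    ./ruleset[@name='runningruleset']/general/fwoptions."""
    elem = root.find(path)
    if elem is None:
        raise KeyError(path)
    return elem.attrib[attr.lower()]


def get_bool(root, path, attr):
    return parse_bool(get_attr(root, path, attr))


def _parents(root):
    return {child: parent for parent in root.iter() for child in parent}


def nesting_level(root, elem):
    """The root element is level 1; each child is one level deeper."""
    parents, level = _parents(root), 1
    while elem in parents:
        elem, level = parents[elem], level + 1
    return level


def full_xpath(root, elem):
    """Full path in this document's form; a ruleset carries its name predicate."""
    parents, steps = _parents(root), []
    while elem is not None:
        step = elem.tag
        if step == "ruleset" and "name" in elem.attrib:
            step += f'[@name="{elem.attrib["name"]}"]'
        steps.append(step)
        elem = parents.get(elem)
    return "/" + "/".join(reversed(steps))


def abbreviated_xpath(root, elem):
    """//ImmediateParent/ContextElement form used in the section headings."""
    parent = _parents(root).get(elem)
    return "/" + elem.tag if parent is None else f"//{parent.tag}/{elem.tag}"


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    fw = "./ruleset[@name='runningruleset']/general/fwoptions"
    print("arpprotection:", get_bool(policy, fw, "ArpProtection"))
    ip = policy.find(".//ipaddress")
    print(nesting_level(policy, ip), full_xpath(policy, ip), abbreviated_xpath(policy, ip))
```

Because names are folded on load, the full XPath comes back in lower case (/zonelabssettings/...), which is what the client would treat as equivalent anyway. The strict parse_bool is deliberate: a validator that mapped an unrecognised value to a default would let a misspelt attribute change enforcement without any warning.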

Chapter 2 Overview of the Check Point XML Policy

A Check Point XML Policy consists of up to nine hierarchically nested levels. This chapter provides an overview of the topmost levels of an XML Policy and explains where to locate descriptions of more deeply nested XML Policy elements. If you are using Integrity Advanced Server, some policy settings described in this document do not apply. For information, see Default System Policy Settings for Integrity Advanced Server, on page 11.

Nesting Level 1 ZoneLabsSettings

The ZoneLabsSettings element defines the highest (level 1) nesting level of the XML Policy. The ZoneLabsSettings element does not contain any user-configurable attributes: its single attribute, version, is automatically set to 1.0 at the time the XML Policy is saved or exported. Because the ZoneLabsSettings element does not contain any user-configurable attributes, it functions as a container element. Container elements:

  Do not contain user-configurable attributes
  Do contain one or more child elements

Child elements by definition occupy more deeply nested levels of the XML Policy hierarchy.

Nesting Level 2 Rulesets and Settings

Rulesets and other general functional categories begin to appear in nesting level 2 of a Check Point XML Policy. Nesting level 2 of a Check Point XML Policy defines five categories of general functionality:

  /ZoneLabsSettings/policyinfo
  /ZoneLabsSettings/ruleset[@name="startupruleset"]
  /ZoneLabsSettings/ruleset[@name="runningruleset"]
  /ZoneLabsSettings/configuration
  /ZoneLabsSettings/preferences

Of these five level-2 elements, the running ruleset (name="runningruleset") contains the largest number of functional categories and child elements. The following section provides an overview of these functional categories.

XML Policy Rule Sets

The Check Point XML Policy contains two rulesets:

  The startup rule set (name="startupruleset") contains security settings that are enforced while Integrity client starts up.
  The running rule set (name="runningruleset") contains security settings that are enforced during normal operation of Integrity client.

This document focuses primarily on the running rule set's functional categories, elements, and attributes. The startup ruleset is briefly described in this chapter for reference purposes only.

The //ruleset[@name=startupruleset] Element

The ruleset element contains a name attribute that identifies whether the ruleset's child elements belong to a startup ruleset or a running ruleset.

  The startup rule set (name="startupruleset") contains security settings that are enforced while Integrity client starts up.
  The running rule set (name="runningruleset") contains security settings that are enforced during normal operation of Integrity client.

Neither startup nor running ruleset attributes are user configurable: ruleset elements are automatically specified by Integrity Server or Integrity client whenever an XML Policy is exported or saved. The following table lists the automatically generated values of a startup ruleset's attributes.

    /ZoneLabsSettings/ruleset[@name="startupruleset"]

    Attribute   Type, Values and Description
    name        enumeration. Defines all child elements of the ruleset as belonging to a startup ruleset. Automatically set to startupruleset. Displayed value: Not user configurable.
    start       enumeration. Specifies that the startup ruleset be processed when Integrity client starts. Automatically set to onstartup. Displayed value: Not user configurable.
    stop        enumeration. Specifies that the startup ruleset stop being processed after shut down of Integrity client. Automatically set to afterstartup. Displayed value: Not user configurable.

    Level 3 Child Elements
    Not applicable

Because startup rulesets are not user configurable, Check Point Integrity client products do not place a startup ruleset's child elements in a saved or exported XML Policy instance.

19 Chapter 2 Overview of the Check Point XML Policy The //ruleset[@name=runningruleset] Element The ruleset element contains a name attribute that identifies whether the ruleset s child elements belong to a startup ruleset or a running ruleset. The startup rule set (name="startupruleset") contains security settings that are enforced while Integrity client starts up. The running rule set (name="runningruleset") contains security settings that are enforced during normal operation of Integrity client. Neither startup nor running ruleset attributes are user configurable: ruleset attributes are automatically specified by Integrity Server or Integrity client when an XML Policy is exported or saved. Running ruleset child elements, on the other hand, are user configurable. More specifically, the runningruleset contains 12 level-3 child elements that correspond to functional categories within the Check Point XML Policy. The following table lists the automatically generated values of a running ruleset s attributes. /ZoneLabsSettings/ruleset{@name=runningruleset] name Attribute Type, Values and Description (Sheet 1 of 2) Defines all child elements of the ruleset as belonging to a running ruleset. start Specifies that the running ruleset be processed during normal product operation. stop Displayed value: Not user configurable. Displayed value: Not user configurable. enumeration Automatically set to runningruleset. enumeration Automatically set to afterstartup. enumeration Specifies that the running Displayed value: Automatically set to onshutdown. ruleset stop being processed when Integrity client stops Not user configurable. running. Level 3 Child Elements (listed alphabetically) alerts The alerts functional category is described on page 15. applications The applications functional category is described on page 25. configuration The configuration functional category is described on page 65. customsecurity The customsecurity functional category is described on page 56. 
The functional category is described on page 90. enforcement The enforcement functional category is described on page 97. firewall The firewall functional category is described on page 103. general The general functional category is described on page 128. integrity The integrity functional category is described on page 137. policy_info The policy_info functional category is described on page 143. Integrity XML Policy File Reference 10

Chapter 2 Overview of the Check Point XML Policy

/ZoneLabsSettings/ruleset[@name="runningruleset"] (continued)
Attribute, Type, Values and Description (Sheet 2 of 2)

preferences - The preferences functional category is described on page 150.
webcontent - The webcontent functional category is described on page 152.
zones - The zones functional category is described on page 166.

Running Rule Set Functional Categories

As shown in the table in the preceding section, the Check Point XML Policy's runningruleset contains 12 level-3 child elements. These level-3 child elements correspond to XML Policy functional categories. The XML Policy's functional categories in turn correspond roughly to the functional divisions of the Integrity client Control Center (Graphical User Interface). The following chapters in this document describe each of the XML Policy's functional categories in detail.

Default System Policy Settings for Integrity Advanced Server

In Integrity Advanced Server, some client behaviors that are controlled by enterprise policy settings in Integrity Server 4.x or 5.x are controlled as system variables. The two most notable examples of this are heartbeat frequency and log upload frequency. In Integrity Advanced Server, these settings are established in the system file default-systempolicy-settings.xml and inserted in each individual policy when it is downloaded by a client. A commented sample file is included below for reference.

Sample Default Settings File

<?xml version="1.0"?>
<ZoneLabsSettings version="1" xmlns= xmlns:ml= xmlns:xsi= >
<!--
  The settings in this file are merged into all policies deployed from Integrity Advanced Server in all domains. They control the following client behaviors:
  * Location of the sandbox server, heartbeat server and log upload server
  * Client heartbeat interval
  * Log upload interval and retry interval
  * Min/max event counts/ages for log upload to occur
-->
  <!-- Establish the location of the sandbox server to which non-compliant endpoints are restricted -->
  <policy_info customalerturltext="${connections.externalhostname}/sandbox/%did%/comply"/>
  <ruleset name="runningruleset" start="afterstartup" stop="onshutdown">
    <!-- Establish the interval at which clients will upload program observation data.
         QUESTION: WHAT DOES PROGRAMOBSERVATION PARAM DO? -->
    <integrity observationinterval="3600" programobservation="0">
      <!-- Enable client heartbeats and establish the URL heartbeats are sent to. -->
      <heartbeatserver enabled="true" URL="zspudp://${connections.externalhostname}:${connections.heartbeatport}">
        <!-- Window of time at which to attempt heartbeat (after connection), in seconds.
             In this example, heartbeat every 15 minutes +/- 30 seconds. -->
        <interval period="900" variance="30"/>
      </heartbeatserver>
      <!-- Enable client log uploads and establish the URL logs are sent to -->
      <loguploadserver enabled="true" URL= >
        <!-- Window of time at which to attempt upload (after connection), in seconds.
             In this example, upload every hour +/- 30 seconds. -->
        <interval period="3600" variance="30"/>
        <!-- Window of time at which to retry upload (after failure), in seconds.
             In this example, if the connection fails, retry every 15 minutes and try 3 times in a row. -->
        <retry wait="900" attempts="3"/>
        <!-- What to exclude from upload -->
        <content>
          <!-- Min/max age/count of events. Upload if you have at least 10 events or any event
               is older than 5 days, but don't upload more than 50 events. -->
          <events mincount="10" maxcount="50" maxage= />
        </content>
      </loguploadserver>
      <policyaskserver enabled="true" URL="${connections.externalhostname}/ask/"/>
    </integrity>
  </ruleset>
</ZoneLabsSettings>
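To make the timing rules in the sample concrete, the following Python script (an added example, not part of the Check Point documentation or product) reads the interval, retry and events thresholds from a constructed copy of the settings above and works out the resulting heartbeat window, retry offsets and upload decision, then flags settings under which an endpoint would stop reporting in. The element and attribute names are those in the sample; the parsing logic, the audit checks, and the maxage value of 432000 seconds (5 days, assumed from the comment because the page gives no value or unit) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the default settings file above. The URL
# attributes are left out (the page elides them) and maxage is a placeholder:
# the page gives no value, only the comment "older than 5 days", so 5 days in
# seconds is ASSUMED here, as is the unit.
SAMPLE_DEFAULTS = """<?xml version="1.0"?>
<ZoneLabsSettings version="1">
  <ruleset name="runningruleset" start="afterstartup" stop="onshutdown">
    <integrity observationinterval="3600" programobservation="0">
      <heartbeatserver enabled="true">
        <interval period="900" variance="30"/>
      </heartbeatserver>
      <loguploadserver enabled="true">
        <interval period="3600" variance="30"/>
        <retry wait="900" attempts="3"/>
        <content>
          <events mincount="10" maxcount="50" maxage="432000"/>
        </content>
      </loguploadserver>
    </integrity>
  </ruleset>
</ZoneLabsSettings>
"""


def _int_attrs(elem, *names):
    """Read integer attributes from elem; a missing element or attribute is an error."""
    if elem is None:
        raise ValueError("required element is missing")
    out = {}
    for n in names:
        raw = elem.get(n)
        if raw is None:
            raise ValueError(f"<{elem.tag}> lacks required attribute {n!r}")
        out[n] = int(raw)
    return out


def load_reporting_settings(xml_text):
    """Extract the heartbeat and log-upload timing from runningruleset/integrity."""
    root = ET.fromstring(xml_text)
    integ = root.find("./ruleset[@name='runningruleset']/integrity")
    if integ is None:
        raise ValueError("policy has no runningruleset/integrity element")
    hb = integ.find("heartbeatserver")
    lu = integ.find("loguploadserver")
    if hb is None or lu is None:
        raise ValueError("heartbeatserver and loguploadserver are both required")
    return {
        "heartbeat_enabled": hb.get("enabled") == "true",
        "heartbeat": _int_attrs(hb.find("interval"), "period", "variance"),
        "upload_enabled": lu.get("enabled") == "true",
        "upload": _int_attrs(lu.find("interval"), "period", "variance"),
        "retry": _int_attrs(lu.find("retry"), "wait", "attempts"),
        "events": _int_attrs(lu.find("content/events"), "mincount", "maxcount", "maxage"),
    }


def jitter_window(period, variance):
    """Earliest and latest second (after connection) at which an attempt is made.
    The variance spreads reconnecting clients out instead of having every
    endpoint contact the server at the same instant."""
    return (period - variance, period + variance)


def retry_offsets(wait, attempts):
    """Seconds after a failed upload at which each retry is made."""
    return [wait * i for i in range(1, attempts + 1)]


def select_events_for_upload(event_ages, mincount, maxcount, maxage):
    """Apply the <events> thresholds to a queue of pending events.

    event_ages holds the age in seconds of each pending event. Returns the
    events to send, oldest first and capped at maxcount, or [] when no upload
    is due: fewer than mincount events and none older than maxage.
    """
    due = len(event_ages) >= mincount or any(age > maxage for age in event_ages)
    if not due:
        return []
    return sorted(event_ages, reverse=True)[:maxcount]


def audit_reporting(settings):
    """Flag settings under which an endpoint would silently stop reporting in."""
    findings = []
    if not settings["heartbeat_enabled"]:
        findings.append("heartbeatserver disabled: the server cannot tell a stale endpoint from a live one")
    if not settings["upload_enabled"]:
        findings.append("loguploadserver disabled: client events never reach the server")
    if settings["heartbeat"]["variance"] == 0:
        findings.append("heartbeat variance 0: every client reconnects on the same schedule")
    if settings["retry"]["attempts"] == 0:
        findings.append("retry attempts 0: a failed upload is not retried")
    return findings


if __name__ == "__main__":
    s = load_reporting_settings(SAMPLE_DEFAULTS)
    print("heartbeat window:", jitter_window(**s["heartbeat"]))
    print("upload window:", jitter_window(**s["upload"]))
    print("retry offsets:", retry_offsets(**s["retry"]))
    print("upload 9 fresh events:", select_events_for_upload([60] * 9, **s["events"]))
    print("audit:", audit_reporting(s))
```

The upload rule is evaluated against event ages rather than timestamps so the decision is independent of wall-clock time; on a real endpoint the ages would be computed from the secure database at each interval tick.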

Chapter 3 The alerts Functional Category

This chapter describes the alerts functional category of the Check Point XML Policy. The alerts functional category specifies how Integrity client informs the user and records its activities as it protects the end-point computer.

This chapter contains the following sections:
  Overview of alerts Structure, in the following section, describes the organization of the alerts functional category's structure and child elements.
  Specifying General Alert Behavior, on page 16, describes the attributes that specify general alert logging and notification behaviors.
  Specifying Alert Logging and Suppression, on page 17, describes the attributes that specify specific alert logging and notification behaviors.

Overview of alerts Structure

The alerts element appears at nesting level 3 of a Check Point XML Policy. The following XPath statement illustrates the location of the alerts element.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts

The Check Point XML Policy divides the alerts functional category into two nesting-level 4 child elements: logging and suppression. The following XPath statements illustrate the placement of the logging and suppression child elements:

/ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts/logging
/ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts/suppression

The following illustrates the general structure of the alerts functional category:

/ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts
<alerts show="high" moreinfohideip="obscure" logevents="true" logprogramalerts="off" DisplaySystemTrayAlert="true">
  <logging enabled="true" archive="10" delimiter="tab" file="any file"
    netbiosbroadcast="false" netbiosnameout="false" recentconnection="false" nonsyntcp="false"
    routed="false" loopback="false" fragments="false" nonip="false" otherip="false"
    blockedapp="false" lockviolation="false" mailsafequarantine="false" clearcurrentvalues="true"
    newprograms="false" changedprograms="false" repeatprograms="false" serverprograms="false"
    newprogramcomponents="false" changedprogramcomponents="false"/>
  <suppression netbiosbroadcast="false" netbiosnameout="false" recentconnection="false" nonsyntcp="false"
    routed="false" loopback="false" fragments="false" nonip="false" otherip="false"
    blockedapp="false" lockviolation="false" mailsafequarantine="false" clearcurrentvalues="true"/>
</alerts>

The remaining sections in this chapter describe the alerts functional category's general attributes and its specific controls over logging and notification (suppression) behaviors.

Specifying General Alert Behavior

The alerts element defines general alert notification and logging behaviors. The following section describes the alerts element's attributes.

The alerts Element

The alerts element specifies what events produce alert boxes ("pop-ups"). The following table lists the alerts element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts
Attribute, Type, Values and Description (Sheet 1 of 2)

DisplaySystemTrayAlert - Enable flashing of the Integrity client System Tray icon.
    Specify the DisplaySystemTrayAlert attribute equal to true to provide an alternative method of visually alerting the user other than alert boxes.

logevents - Enable logging of events.
    Specify the logevents attribute equal to true to enable the logging of events.

logprogramalerts - Enable logging of program alerts.
    Type: enumeration; values: low, medium, high.
    Use the logprogramalerts attribute to specify what level of program alerts to log:
      high logs all program alerts
      medium logs high-rated program alerts
      low logs no program alerts

moreinfohideip - Conceal all or part of the end-point computer's IP address.
    Type: enumeration; values: yes, no, obscure.
    Use the moreinfohideip attribute to conceal all or part of the end-point computer's IP address when transmitting information to Check Point:
      yes directs Integrity client to hide the computer's IP address when applicable
      no directs Integrity client to show the end-point computer's complete IP address
      obscure directs Integrity client to obscure the last octet of the computer's IP address

/ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts (continued)
Attribute, Type, Values and Description (Sheet 2 of 2)

show - Specify what level of alerts are displayed.
    Type: enumeration; values: high, medium, off.
    Use the show attribute to specify what level of alerts result in alert boxes (pop-ups). The values of the show attribute correspond to the three choices available in the Alerts & Logs panel's Main tab.

Level 4 Child Elements
  logging - The logging child element is described in the following section.
  suppression - The suppression child element is described on page 22.

Specifying Alert Logging and Suppression

The alerts functional category contains two child elements:
  The logging element specifies what sorts of events and alerts Integrity client stores in its event log.
  The suppression element specifies what sorts of events and alerts Integrity client displays or conceals ("suppresses").
The following sections describe the logging and suppression elements in detail.

The logging Element

The logging element specifies what sorts of events Integrity client stores in its secure database. Use the archive attribute, described in the table below, to periodically write the events from the secure database to a sequentially named text file.

The structure of values for specific alert types in the logging element is somewhat counterintuitive. False means "do not suppress log entries"; that is, create a log entry. Therefore netbiosbroadcast="false" will create a log entry for blocked NETBIOS broadcasts.

The following table lists the logging element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts/logging
Attribute, Type, Values and Description (Sheet 1 of 5)

archive - Specify how frequently to archive logged events.
    Type: integer; value: number of days.
    Use the archive interval to specify how often Integrity client writes events contained in its secure database to a sequentially named text file. Integrity client by default:
      Stores archived log files in C:\WINDOWS\Internet Logs\
      Names archived log files ZALogYYYY.MM.DD.txt, where YYYY.MM.DD is the date in ISO format of year, month and day
    Use the delimiter and file attributes, described later in this table, to specify non-default file and path names, and to specify how archived log data is delimited.

blockedapp - Suppress logging of blocked applications.
    Specify the blockedapp attribute equal to false to create a log entry whenever Integrity client blocks an application. The enabled attribute, described later in this table, must be equal to true to enable the blockedapp attribute.

changedprogramcomponents - Suppress logging of changed program components.
    Specify the changedprogramcomponents attribute equal to false to create a log entry whenever Integrity client detects a changed program component. The enabled attribute, described later in this table, must be equal to true to enable the changedprogramcomponents attribute.

changedprograms - Suppress logging of changed programs.
    Specify the changedprograms attribute equal to false to create a log entry whenever Integrity client detects a changed program file. The enabled attribute, described later in this table, must be equal to true to enable the changedprograms attribute.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts/logging (continued)
Attribute, Type, Values and Description (Sheet 2 of 5)

clearcurrentvalues - Clear existing log entries before writing new ones.
    Specify the clearcurrentvalues attribute equal to true to clear existing alert log entries before using new logging element settings. The clearcurrentvalues attribute allows event log entries that were acquired using an earlier set of criteria to be purged before acquiring log entries using new criteria. The enabled attribute, described later in this table, must be equal to true to enable the clearcurrentvalues attribute.

delimiter - Specify how archived log data is delimited.
    Type: enumeration; values: tab, comma, semicolon.
    Use the delimiter attribute to specify how Integrity client delimits log data when it writes the data to a text-based archive file. Use the archive and file attributes, described elsewhere in this table, to control how frequently Integrity client archives log data, and the location of the text-based archive files. The enabled attribute, described in the following table entry, must be equal to true to enable the delimiter attribute.

enabled - Enable event logging.
    Specify the enabled attribute equal to true to enable event logging. The enabled attribute must be true to enable the other logging attributes described in this table.

file - Specify where to store archived log file data.
    Type: formatted string; value: a valid Windows path name and file name specifier.
    Use the file attribute to specify where Integrity client stores archived log data. Use the archive and delimiter attributes, described earlier in this table, to control how frequently Integrity client archives log data, and how Integrity client delimits archived data. The enabled attribute, described in the preceding table entry, must be equal to true to enable the file attribute.

fragments - Suppress logging of blocked packet fragments.
    Specify the fragments attribute equal to false to create a log entry whenever Integrity client blocks a fragmented IP packet. The enabled attribute, described earlier in this table, must be equal to true to enable the fragments attribute.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts/logging (continued)
Attribute, Type, Values and Description (Sheet 3 of 5)

lockviolation - Suppress logging of Internet Lock violations.
    Specify the lockviolation attribute equal to false to create a log entry whenever Integrity client detects a program trying to violate the Internet Lock. The enabled attribute, described earlier in this table, must be equal to true to enable the lockviolation attribute.

loopback - Suppress logging of blocked loopback packets.
    Specify the loopback attribute equal to false to create a log entry whenever Integrity client blocks loopback packets. The enabled attribute, described earlier in this table, must be equal to true to enable the loopback attribute.

mailsafequarantine - Suppress logging of MailSafe violations.
    Specify the mailsafequarantine attribute equal to false to create a log entry whenever Integrity client detects a MailSafe violation. The enabled attribute, described earlier in this table, must be equal to true to enable the mailsafequarantine attribute.

netbiosbroadcast - Suppress logging of blocked NETBIOS broadcast packets.
    Specify the netbiosbroadcast attribute equal to false to create a log entry whenever Integrity client blocks a NETBIOS broadcast packet. The enabled attribute, described earlier in this table, must be equal to true to enable the netbiosbroadcast attribute.

netbiosnameout - Suppress logging of blocked outbound NETBIOS packets.
    Specify the netbiosnameout attribute equal to false to create a log entry whenever Integrity client blocks outbound NETBIOS packets. The enabled attribute, described earlier in this table, must be equal to true to enable the netbiosnameout attribute.

newprogramcomponents - Suppress logging of blocked new program components.
    Specify the newprogramcomponents attribute equal to false to create a log entry whenever Integrity client blocks a new ("unknown") program component. The enabled attribute, described earlier in this table, must be equal to true to enable the newprogramcomponents attribute.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts/logging (continued)
Attribute, Type, Values and Description (Sheet 4 of 5)

newprograms - Suppress logging of blocked new programs.
    Specify the newprograms attribute equal to false to create a log entry whenever Integrity client blocks a new ("unknown") program. The enabled attribute, described earlier in this table, must be equal to true to enable the newprograms attribute.

nonip - Suppress logging of blocked packets that are not IP packets.
    Specify the nonip attribute equal to false to create a log entry whenever Integrity client blocks packets that are not IP packets. The enabled attribute, described earlier in this table, must be equal to true to enable the nonip attribute.

nonsyntcp - Suppress logging of blocked non-SYN TCP packets.
    Specify the nonsyntcp attribute equal to false to create a log entry whenever Integrity client blocks TCP packets that are not SYN (sync) packets. The enabled attribute, described earlier in this table, must be equal to true to enable the nonsyntcp attribute.

otherip - Suppress logging of other types of IP packets.
    Specify the otherip attribute equal to false to create a log entry whenever Integrity client blocks an IP packet not otherwise specified by other attributes described in this table. The enabled attribute, described earlier in this table, must be equal to true to enable the otherip attribute.

recentconnection - Suppress logging of blocked packets for recent connections.
    Specify the recentconnection attribute equal to false to create a log entry whenever Integrity client blocks a packet destined for a program that was recently granted network access. The enabled attribute, described earlier in this table, must be equal to true to enable the recentconnection attribute.

repeatprograms - Suppress logging of repeat program requests.
    Specify the repeatprograms attribute equal to false to create a log entry whenever Integrity client detects a known program making a new network access request. The enabled attribute, described earlier in this table, must be equal to true to enable the repeatprograms attribute.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts/logging (continued)
Attribute, Type, Values and Description (Sheet 5 of 5)

routed - Suppress logging when routed packets are blocked.
    Specify the routed attribute equal to false to create a log entry whenever Integrity client blocks a routed packet. The enabled attribute, described earlier in this table, must be equal to true to enable the routed attribute.

serverprograms - Suppress logging of blocked server requests.
    Specify the serverprograms attribute equal to false to create a log entry whenever Integrity client blocks a server request from a program on the end-point computer. The enabled attribute, described earlier in this table, must be equal to true to enable the serverprograms attribute.

Level 5 Child Elements
  None. The logging element contains no child elements.

The suppression Element

Suppression does not mean that Integrity client's protective firewall activity is in any way diminished. Within the context of Integrity client alerts, suppression describes how Integrity client suppresses notifying the end-point computer's user of certain types of events. More specifically, the suppression element identifies for which events Integrity client displays or suppresses alert boxes ("pop-ups"). The following table lists the suppression element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts/suppression
Attribute, Type, Values and Description (Sheet 1 of 3)

blockedapp - Suppress blocked application alerts.
    Specify the blockedapp attribute equal to true to suppress the display of an alert box ("pop-up") whenever Integrity client blocks an application.

clearcurrentvalues - Clear existing settings before using new ones.
    Specify the clearcurrentvalues attribute equal to true to clear current suppression element settings before loading new ones from an updated security policy.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts/suppression (continued)
Attribute, Type, Values and Description (Sheet 2 of 3)

fragments - Suppress packet fragment alerts.
    Specify the fragments attribute equal to true to suppress the display of an alert box ("pop-up") whenever Integrity client detects an IP packet fragment.

lockviolation - Suppress Internet Lock violation alerts.
    Specify the lockviolation attribute equal to true to suppress the display of an alert box ("pop-up") whenever Integrity client detects a program attempting to bypass an active Internet Lock.

loopback - Suppress blocked loopback packet alerts.
    Specify the loopback attribute equal to true to suppress the display of an alert box ("pop-up") whenever Integrity client blocks a loopback packet.

mailsafequarantine - Suppress MailSafe quarantine alerts.
    Specify the mailsafequarantine attribute equal to true to suppress the display of an alert box ("pop-up") whenever Integrity client detects a MailSafe quarantine violation.

netbiosbroadcast - Suppress NETBIOS broadcast packet alerts.
    Specify the netbiosbroadcast attribute equal to true to suppress the display of an alert box ("pop-up") whenever Integrity client blocks a NETBIOS broadcast packet.

netbiosnameout - Suppress NETBIOS name request packet alerts.
    Specify the netbiosnameout attribute equal to true to suppress the display of an alert box ("pop-up") whenever Integrity client blocks a NETBIOS name request packet.

nonip - Suppress alerts for non-IP packets.
    Specify the nonip attribute equal to true to suppress the display of an alert box ("pop-up") whenever Integrity client blocks a packet that is not IP.

nonsyntcp - Suppress alerts for non-SYN TCP packets.
    Specify the nonsyntcp attribute equal to true to suppress the display of an alert box ("pop-up") whenever Integrity client blocks a non-SYN TCP packet.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/alerts/suppression (continued)
Attribute, Type, Values and Description (Sheet 3 of 3)

otherip - Suppress alerts for IP packet types not specified by other suppression attributes.
    Specify the otherip attribute equal to true to suppress the display of an alert box ("pop-up") whenever Integrity client blocks an IP packet not otherwise specified by the other attributes in this table.

recentconnection - Suppress alerts from recent connections.
    Specify the recentconnection attribute equal to true to suppress the display of an alert box ("pop-up") whenever Integrity client blocks a recent connection from connecting to the network.

routed - Suppress routed packet alerts.
    Specify the routed attribute equal to true to suppress the display of an alert box ("pop-up") whenever Integrity client blocks a routed packet.

Level 5 Child Elements
  None. The suppression element contains no child elements.
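Because the logging element encodes "log this event" as false while the suppression element encodes "hide this pop-up" as true, it is easy to deploy a policy in which an event class is neither logged nor shown. The following Python script (an added example, not part of the Check Point documentation or product) decodes both elements from a constructed alerts subtree, reports the effective behaviour per event class, lists the classes that leave no trace on the endpoint, and checks the show, logprogramalerts and moreinfohideip values against the enumerations in the tables above. The attribute names are those in this chapter; treating an absent event attribute as false, and treating a missing suppression element as "show everything", are assumptions, as is the sample policy itself.

```python
import xml.etree.ElementTree as ET

# Event attributes that appear in both <logging> and <suppression>.
SHARED_EVENTS = [
    "netbiosbroadcast", "netbiosnameout", "recentconnection", "nonsyntcp",
    "routed", "loopback", "fragments", "nonip", "otherip", "blockedapp",
    "lockviolation", "mailsafequarantine",
]
# Program-related events that only <logging> controls.
LOGGING_ONLY_EVENTS = [
    "newprograms", "changedprograms", "repeatprograms", "serverprograms",
    "newprogramcomponents", "changedprogramcomponents",
]
# Permitted values per this chapter's tables.
ENUMS = {
    "show": {"high", "medium", "off"},
    "logprogramalerts": {"low", "medium", "high"},
    "moreinfohideip": {"yes", "no", "obscure"},
}

# Constructed sample based on the <alerts> structure shown in this chapter,
# with values changed so the encoding is visible: logging fragments="true"
# and loopback="true" (logging suppressed), suppression routed="true" and
# loopback="true" (pop-ups suppressed). loopback is therefore invisible.
SAMPLE_ALERTS = """<ZoneLabsSettings>
 <ruleset name="runningruleset">
  <alerts show="high" moreinfohideip="obscure" logevents="true"
          logprogramalerts="high" DisplaySystemTrayAlert="true">
   <logging enabled="true" archive="10" delimiter="tab" file="any file"
            netbiosbroadcast="false" netbiosnameout="false" recentconnection="false"
            nonsyntcp="false" routed="false" loopback="true" fragments="true"
            nonip="false" otherip="false" blockedapp="false" lockviolation="false"
            mailsafequarantine="false" clearcurrentvalues="true" newprograms="false"
            changedprograms="false" repeatprograms="false" serverprograms="false"
            newprogramcomponents="false" changedprogramcomponents="false"/>
   <suppression netbiosbroadcast="false" netbiosnameout="false" recentconnection="false"
                nonsyntcp="false" routed="true" loopback="true" fragments="false"
                nonip="false" otherip="false" blockedapp="false" lockviolation="false"
                mailsafequarantine="false" clearcurrentvalues="true"/>
  </alerts>
 </ruleset>
</ZoneLabsSettings>"""


def _flag(elem, name):
    """Read a true/false attribute. An absent attribute is treated as "false"
    (an assumption: the reference does not state a default)."""
    raw = elem.get(name, "false")
    if raw not in ("true", "false"):
        raise ValueError(f"<{elem.tag} {name}={raw!r}>: expected true or false")
    return raw == "true"


def effective_alert_behaviour(xml_text):
    """Return {event: (logged, popup)} after decoding both child elements.

    In <logging> the value false means "do not suppress the log entry", so an
    event is logged only when enabled="true" AND its own value is false. In
    <suppression> the value true hides the pop-up. popup is None for the
    program events that <suppression> does not control.
    """
    root = ET.fromstring(xml_text)
    alerts = root.find("./ruleset[@name='runningruleset']/alerts")
    if alerts is None:
        raise ValueError("policy has no runningruleset/alerts element")
    logging = alerts.find("logging")
    suppression = alerts.find("suppression")
    log_enabled = logging is not None and _flag(logging, "enabled")
    result = {}
    for ev in SHARED_EVENTS + LOGGING_ONLY_EVENTS:
        logged = log_enabled and not _flag(logging, ev)
        popup = None
        if ev in SHARED_EVENTS:
            # Assumption: no <suppression> element means nothing is suppressed.
            popup = suppression is None or not _flag(suppression, ev)
        result[ev] = (logged, popup)
    return result


def blind_spots(behaviour):
    """Event classes that are neither logged nor shown to the user, so they
    leave no record on the endpoint for later incident reconstruction."""
    return sorted(ev for ev, (logged, popup) in behaviour.items()
                  if not logged and popup is False)


def validate_alert_enums(xml_text):
    """Report alerts attributes whose value is outside the documented enumeration."""
    root = ET.fromstring(xml_text)
    alerts = root.find("./ruleset[@name='runningruleset']/alerts")
    problems = []
    for name, allowed in ENUMS.items():
        value = alerts.get(name)
        if value is not None and value not in allowed:
            problems.append(f"{name}={value!r} not in {sorted(allowed)}")
    return problems


if __name__ == "__main__":
    b = effective_alert_behaviour(SAMPLE_ALERTS)
    for ev, (logged, popup) in b.items():
        print(f"{ev:26} logged={logged!s:5} popup={popup}")
    print("blind spots:", blind_spots(b))
    print("enum problems:", validate_alert_enums(SAMPLE_ALERTS))
```

Note that logging enabled="false" wins over every per-event value, so a policy that carefully sets each event attribute to false but leaves enabled="false" still logs nothing; the decoder reflects that precedence.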

Chapter 4 The applications Functional Category

This chapter describes the applications functional category of the Check Point XML Policy. The applications functional category specifies rules for specific programs ("applications") and program components running on the end-point computer.

This chapter contains the following sections:
  Overview of applications Structure, in the following section, provides an orientation to the overall composition of the applications functional category's XML elements.
  Specifying Higher-level applications Elements, on page 27, describes the applications category's higher-level elements. These higher-level elements contain attributes that apply to all applications child elements.
  Specifying applications Network Entities, on page 42, describes the network-entity elements that define the networking and protocol blocking security behaviors assigned to an individual program.

Overview of applications Structure

The applications element appears at nesting level 3 of a Check Point XML Policy. The following XPath statement illustrates the location of the applications parent element.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications

In addition to elements that control general program security behaviors, the applications element contains up to 9 levels of child elements.

Specifying applications Networking Behaviors

The applications element contains one or more program child elements. The program element in turn contains the path attribute, described on page 34, that specifies an individual program that runs on the end-point computer. Within the applications functional section, rule child elements specify the security behavior (the rule set) for the specified program. More specifically, within the rule parent element, nesting levels 8 and 9 specify the types of network traffic and protocols a specific program has access to.

The following sections describe the structure of the applications child elements that specify the networking security elements and attributes associated with a specific program.

Application-specific Networking Child Elements

The following XPath statement illustrates the parent-element hierarchy that contains the applications element's traffic and protocol elements and attributes (line break added for readability):

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications
    /program/firewall/rules/rule/traffictype/networkentity

In the preceding XPath statement:
  traffictype represents one of 8 types of traffic type container elements
  networkentity represents one of 14 network-entity child elements

The following illustrates the general structure of the traffic and network entity parent-child elements:

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule
<traffictype1>
  <networkentity01 attributes/>
  <networkentity02 attributes/>
  ... up to 8 different networkentity elements, depending on traffic type
</traffictype1>
<traffictype2>
  <networkentity01 attributes/>
  <networkentity02 attributes/>
  ... up to 8 different networkentity elements, depending on traffic type
</traffictype2>
... up to 8 different traffictype and networkentity element constructs
</rule>
</rules>
</firewall>
</program>
</applications>
... remaining XML Policy functional sections

Scope of Program-specific Rule Elements

Certain attributes of any rule elements specified within the applications parent element also appear in the firewall functional category's rule definitions. (See Chapter 9, The firewall and fwrestricted Functional Categories, for more information about firewall rules.) This is because even though a rule is defined as program-specific, Integrity client manages rules as logical entities that can be assigned to multiple programs.

The remaining sections in this chapter describe the applications functional section's elements and attributes in detail.

Specifying Higher-level applications Elements

The rest of this chapter lists the child elements and attributes contained in the applications functional section of a Check Point XML Policy.
  Upper (least deeply nested) level elements are described in the following sections.
  Network traffic type and network entity child elements are described under Specifying applications Network Entities, on page 42.
The next section begins by describing the topmost element in the applications functional category.

The //applications Element

The applications element specifies the following categories of information and settings:
  Mouse or keyboard spoofing protections
  General program and program module protection
The following table lists the applications element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications
Attribute, Type, Values and Description (Sheet 1 of 5)

alertonblock - Generate an alert when a program is denied access.
    Specify the alertonblock attribute equal to true to display an alert box whenever Integrity client blocks a program from accessing the network. Settings in the alerts functional category, described in Chapter 3 beginning on page 25, also affect the operation of alertonblock.

authexempt - Exempt programs from password protection.
    Specify the authexempt attribute equal to true to exempt program settings from password protection. Use the authexempt attribute to allow Program panel settings to be changed without specifying an existing user-level or installation-level password.

ask - Request program permissions from Integrity Server.
    Type: string; values: client, server.
    This value is outdated and should always be specified as server. Specify the ask attribute equal to server to ask the server for program permissions information. Specify the ask attribute equal to client to ask the user for program permissions (unless using Integrity Agent).

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications (continued)
Attribute, Type, Values and Description (Sheet 2 of 5)

askonlisten - Display an alert box at the time a program starts running as a server.
    Specify the askonlisten attribute equal to true to display a Server Permissions alert box at the time a program on the end-point computer starts running as a server process. Specifying askonlisten equal to false defers the display of the alert box until the server attempts to accept the first incoming connection request.

askpa - Authorize the client to use the Zone Labs Program Advisor service for program permissions if the client cannot connect to Integrity Server.
    Specify the askpa attribute equal to true to allow the client to get program permissions from the Zone Labs Program Advisor service if the client cannot connect to Integrity Server.

askuser - Display an alert box to ask the user to provide program permission.
    Specify the askuser attribute equal to true to ask the user for permission (unless using Integrity Agent) to use a program. Specifying askuser equal to true overrides the ask attribute when it is set to client.

clearoldentries - Remove existing program entries from the list of Local_Zone entries before adding new ones.
    Specify the clearoldentries attribute equal to true to permanently delete existing Local_Zone entries before reading new entries from an updated configuration or XML Policy file.

componentcontrol - Validate program components.
    Specify the componentcontrol attribute equal to true to have Integrity client validate program components (.dll filename extension) in addition to programs (.exe filename extension).

disablednsprotect - Disable DNS Protection.
    Specify the disablednsprotect attribute equal to true to disable client DNS query protection. This setting only applies to clients on NT-based systems (NT, 2000, XP). By default, Integrity client versions 3.7 and later prevent unauthorized programs from making DNS queries without user permission via an alert. Disabling DNS protection allows DNS queries to proceed without user notification.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications (continued)
Attribute, Type, Values and Description (Sheet 3 of 5)

disableadvprogprotect - Disable Advanced Program Protection.
    Specify the disableadvprogprotect attribute equal to true to verify that any network request originating from a program (.exe filename extension) has been initiated by a parent program possessing the necessary network access permission level.

DisableKeyboardMouseProtection - Disable keyboard and mouse protection.
    Specify the DisableKeyboardMouseProtection attribute equal to true to disable the Integrity client mouse and keyboard protection. By default, Integrity client versions 3.7 and later prevent unauthorized programs from simulating a computer's mouse or keyboard. In some cases mouse and keyboard protection may interfere with normal computer operation. Check Point recommends that DisableKeyboardMouseProtection be specified equal to true only in response to problems with mouse or keyboard usage.
    NOTE: In the Integrity Desktop and Integrity Flex user interfaces, DisableKeyboardMouseProtection is set to Yes by clearing the Protect the <product name> client control in the Overview Preferences tab.

disableparentcheck - Disable Advanced Program Control.
    Specify the disableparentcheck attribute equal to true to prevent a malicious program from improperly using a trusted resource. When a program file (.exe file name extension) attempts to use another program to access the network, Parent Check verifies that the program originating the request has the necessary level of network access permission.

disableprocprotect - Disable process protection.
    Specify the disableprocprotect attribute equal to true to verify that any network request originating from a module (.dll filename extension) has been initiated by a parent program possessing the necessary network access permission level.

enableopenprocess - Not implemented in Integrity client 4.x.
    The enableopenprocess attribute is not implemented in Integrity client 4.x. Do not specify a value for the enableopenprocess attribute.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications (continued)
Attribute, Type, Values and Description (Sheet 4 of 5)

disablesendmessageprotect - Disable DDE Protection.
    Specify the disablesendmessageprotect attribute equal to true to disable client protection for using the shell to open URLs. This setting only applies to clients on NT-based systems (NT, 2000, XP). By default, Integrity client versions 3.7 and later prevent unauthorized programs from opening URLs using the shell via DDE messaging. Disabling DDE protection allows shell URL requests to proceed without user notification.

enablesetwindowshook - Not implemented in Integrity client 4.x.
    The enablesetwindowshook attribute is not implemented in Integrity client 4.x. Do not specify a value for the enablesetwindowshook attribute.

moduletracking - Validate modules in addition to programs.
    Specify the moduletracking attribute equal to true to validate program modules (.dll file name extension) in addition to programs.

programdisplay - Control which programs are listed in the Programs tab.
    Type: enumeration; values: displayall, displayafteruse, custom.
    Use the programdisplay attribute to control whether Integrity client includes programs that have not yet been run in the list of programs in the Program Control panel's Programs tab:
      displayall includes all programs that are listed in an XML Policy in the list
      displayafteruse includes only programs that have been run at least one time in the list
      custom uses the value of each program's hidebeforeuse attribute to determine the criteria for including or excluding the program

securitylevel - Set default security level.
    Type: enumeration; values: low, medium, high, max.
    Use the securitylevel attribute to set the default security level applied to unrecognized programs.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications (continued)
Attributes (Sheet 5 of 5)

tempallowrequiresauth
    Require the user-level password before giving programs one-time access to the Internet Zone.
    Specify the tempallowrequiresauth attribute equal to true to require the user-level password before granting programs one-time access to the Internet Zone. The tempallowrequiresauth attribute:
    - Requires that a user-level password be previously set
    - Applies only to new or repeat programs that have not already been granted permanent Internet Zone access permission
    Specific zone and server permissions are managed by the applications element's default child element, described in the following section.

useonlychecksums
    Use only checksums to validate programs.
    Specify the useonlychecksums attribute equal to true to validate programs by their MD5 checksum only, not by the program's file name. Do not manually type the useonlychecksums attribute into an XML Policy file. The useonlychecksums attribute is transmitted by Integrity Server but not stored by Integrity client.

Level 4 Child Elements
    default    The default element is described in the following section.
    program    The program element is described on page 32.
    protocols  The protocols element is described on page 37.

The //applications/default Element

The default element specifies Integrity client's default program access behavior.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/default
Attributes (Sheet 1 of 2)

allowinternet
    Allow programs to request data from the Internet Zone by default.
    Type: enumeration allow, disallow, ask
    Use the allowinternet attribute to specify the default blocking behavior for unrecognized programs that attempt to request services from Internet Zone network entities.

allowinternetserver
    Allow programs to act as a server to requests from the Internet Zone by default.
    Type: enumeration allow, disallow, ask
    Use the allowinternetserver attribute to specify the default blocking behavior for unrecognized programs that attempt to act as a server to requests originating from Internet Zone network entities.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/default (continued)
Attributes (Sheet 2 of 2)

allowtrusted
    Allow programs to request data from the Trusted Zone by default.
    Type: enumeration allow, disallow, ask
    Use the allowtrusted attribute to specify the default blocking behavior for unrecognized programs that attempt to request services from Trusted Zone network entities.

allowtrustedserver
    Allow programs to act as a server to requests from the Trusted Zone by default.
    Type: enumeration allow, disallow, ask
    Use the allowtrustedserver attribute to specify the default blocking behavior for unrecognized programs that attempt to act as a server to requests originating from Trusted Zone network entities.

Level 5 Child Elements
    None. The default element does not contain any child elements.

The //applications/program Element

The program element specifies security settings for the Windows program identified by the path attribute, described on page 34. Typically a Check Point XML Policy contains multiple program elements. The following table lists the program element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program
Attributes (Sheet 1 of 4)

action
    Specify how to process a newly identified program's database entry.
    Type: enumeration add, delete, modify
    Use the action attribute to specify what action to take when Integrity client recognizes a new program. Actions are:
    - add the program to the list of known programs contained in Integrity client's database
    - delete the existing program and add the new program to the database
    - modify (update) the existing program's database entry

allowinternet
    Allow a program to request data from the Internet Zone.
    Type: enumeration allow, disallow, ask
    Use the allowinternet attribute to specify the blocking behavior for a specific program that attempts to request services from an Internet Zone network entity. Use the path attribute, described later in this table, to identify the specific program.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program (continued)
Attributes (Sheet 2 of 4)

allowinternetserver
    Allow a program to act as a server to requests from the Internet Zone.
    Type: enumeration allow, disallow, ask
    Use the allowinternetserver attribute to specify the blocking behavior for a specific program that attempts to act as a server to requests originating from Internet Zone network entities. Use the path attribute, described later in this table, to identify the specific program.

allowtrusted
    Allow a program to request data from the Trusted Zone.
    Type: enumeration allow, disallow, ask
    Use the allowtrusted attribute to specify the blocking behavior for a specific program that attempts to request services from a Trusted Zone network entity. Use the path attribute, described later in this table, to identify the specific program.

allowtrustedserver
    Allow a program to act as a server to requests from the Trusted Zone.
    Type: enumeration allow, disallow, ask
    Use the allowtrustedserver attribute to specify the blocking behavior for a specific program that attempts to act as a server to requests originating from Trusted Zone network entities. Use the path attribute, described later in this table, to identify the specific program.

checksum
    Specifies the MD5-style checksum of a program.
    Type: formatted string, generally supplied automatically. Displayed values are formatted as:
    "([a-f]|\d){8}-([a-f]|\d){8}-([a-f]|\d){8}-([a-f]|\d){8}"
    Generally, the checksum value for a program that has been recognized by Integrity Server or Integrity client is supplied automatically as the value of that program's checksum attribute.

ctflt
    Enable content filtering.
    Displayed values: read only.
    Specify the ctflt attribute equal to true to enable Content Filtering (ctflt), performed in conjunction with Cerberian Web filtering servers. The ctflt attribute is read-only (disabled) in Integrity client.

hidebeforeuse
    Don't list programs until they are used.
    Specify the hidebeforeuse attribute equal to true to prevent a program that has not yet been run from appearing in the list of programs on the Program Control panel's Programs tab. The value of hidebeforeuse is inspected by the //applications element's programdisplay attribute, described on page 30.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program (continued)
Attributes (Sheet 3 of 4)

modulecheck
    Enable checking of modules used by programs.
    Specify the modulecheck attribute equal to true to enable validation of subordinate modules (.dll file name extension) used by programs (.exe file name extension).

omp
    Apply outbound protection.
    Specify the omp attribute equal to true to enable outbound protection for a specific program. Outbound protection controls the rate at which a given program is allowed to originate outbound messages.

passlock
    Enable a program to bypass Internet Lock.
    Specify the passlock attribute equal to true to enable a specific program to continue to access the Internet even if Integrity client's Pass Lock feature has been activated. When activated, Integrity client's Pass Lock feature normally blocks all network traffic to and from the end-point computer. The passlock attribute allows the specified program to continue to access the network while Internet Lock is active.

path
    Specify the location of a program.
    Type: formatted string. Valid path name and file name of a Windows program.
    Use the path attribute to specify the full path name and file name of a Windows program. For example:
    path="c:\program Files\Opera\Opera.exe"
    Use the remaining program attributes to specify the security settings for the program specified by the path attribute.

pathnameonly
    Specify that a program changes frequently.
    Specify the pathnameonly attribute equal to true to indicate that the program changes frequently. When a program changes frequently, its checksum also changes. The pathnameonly attribute provides a means of informing Integrity client that the program should be validated by its location on disk rather than by its full MD5 checksum.

privacy
    Enable the Privacy group of features for a program.
    Specify the privacy attribute equal to true to enable program-specific privacy settings for the program specified by the path attribute, described earlier in this table.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program (continued)
Attributes (Sheet 4 of 4)

SendMailPermission
    Allow a program to originate e-mail.
    Type: enumeration allow, disallow, ask
    Use the SendMailPermission attribute to allow a specific program to originate e-mail.

skimpchecksum
    Specifies an abridged MD5-style checksum for a program.
    Type: formatted string, generally supplied automatically. Displayed values are formatted as:
    "([a-f]|\d){8}-([a-f]|\d){8}-([a-f]|\d){8}-([a-f]|\d){8}"
    Use the skimpchecksum attribute to provide a way of validating programs that change frequently. Generally, the checksum value for a program that has been recognized by Integrity Server or Integrity client is supplied automatically as the value of that program's checksum attribute. See the description of checksum earlier in this table.

trustedparent
    Specify whether a program can use other programs to access the network.
    Type: enumeration allow, disallow, ask. Default values are:
    - allow if the network or server permission specified by the allowinternet, allowtrusted, allowinternetserver, or allowtrustedserver attribute equals allow
    - disallow for all other values of the network and server permissions
    Use the trustedparent attribute to allow or disallow a program to use other programs to connect to the network. Identifying a program as a trusted parent process allows that program to use other programs and processes to access network resources.

Level 5 Child Elements
    protocols             The protocols element is described on page 37.
    /firewall/rules/rule  The rule element is described on page 40.
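The program attributes above can be checked mechanically. The following is an added example, not code from the Integrity product: it parses a constructed policy fragment and applies the constraints this table states (allow/disallow/ask permissions, add/delete/modify actions, the four-group hexadecimal checksum format, and the trustedparent default that follows from the zone permissions).

```python
"""Validate //applications/program entries of a constructed Integrity XML Policy.

Added example (not Integrity product code).  The sample policy, its paths and
its checksums are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

PERMISSIONS = {"allow", "disallow", "ask"}
ACTIONS = {"add", "delete", "modify"}
ZONE_ATTRS = ("allowinternet", "allowtrusted",
              "allowinternetserver", "allowtrustedserver")
# Checksum format given in the reference: four groups of eight hex digits.
CHECKSUM_RE = re.compile(r"^([a-f]|\d){8}-([a-f]|\d){8}-([a-f]|\d){8}-([a-f]|\d){8}$")

# Constructed sample: one clean entry, one with a malformed checksum,
# one with a missing path and invalid enumeration values.
SAMPLE_POLICY = r"""<ZoneLabsSettings>
 <ruleset name="runningruleset">
  <applications securitylevel="high" programdisplay="custom">
   <default allowinternet="ask" allowinternetserver="disallow"
            allowtrusted="allow" allowtrustedserver="ask"/>
   <program path="c:\program Files\Opera\Opera.exe" action="add"
            allowinternet="allow" allowtrusted="allow"
            allowinternetserver="disallow" allowtrustedserver="disallow"
            checksum="0123abcd-4567ef01-89abcdef-00112233" hidebeforeuse="true"/>
   <program path="c:\tools\updater.exe" action="modify"
            allowinternet="ask" allowtrusted="disallow"
            checksum="not-a-checksum" trustedparent="allow"/>
   <program path="" action="remove" allowinternet="yes"/>
  </applications>
 </ruleset>
</ZoneLabsSettings>"""


def effective_trustedparent(program):
    """Explicit trustedparent value, or the default the reference describes:
    allow when any zone permission is allow, otherwise disallow."""
    explicit = program.get("trustedparent")
    if explicit is not None:
        return explicit
    if any(program.get(attr) == "allow" for attr in ZONE_ATTRS):
        return "allow"
    return "disallow"


def check_program(program):
    """Return the list of problems found in one program element."""
    problems = []
    if not program.get("path"):
        problems.append("missing path")
    action = program.get("action")
    if action is not None and action not in ACTIONS:
        problems.append(f"bad action {action!r}")
    for attr in ZONE_ATTRS + ("trustedparent", "SendMailPermission"):
        value = program.get(attr)
        if value is not None and value not in PERMISSIONS:
            problems.append(f"bad {attr} {value!r}")
    checksum = program.get("checksum")
    if checksum is not None and not CHECKSUM_RE.match(checksum):
        problems.append("malformed checksum")
    return problems


def check_policy(xml_text):
    """Check the default element and every program element of the
    running ruleset; programs without a path are keyed by position."""
    root = ET.fromstring(xml_text)
    apps = root.find("./ruleset[@name='runningruleset']/applications")
    report = {"default": [], "programs": {}}
    default = apps.find("default")
    if default is not None:
        for attr in ZONE_ATTRS:
            value = default.get(attr)
            if value is not None and value not in PERMISSIONS:
                report["default"].append(f"bad {attr} {value!r}")
    for index, prog in enumerate(apps.findall("program")):
        key = prog.get("path") or f"program#{index}"
        report["programs"][key] = {
            "problems": check_program(prog),
            "trustedparent": effective_trustedparent(prog),
        }
    return report


if __name__ == "__main__":
    for name, entry in check_policy(SAMPLE_POLICY)["programs"].items():
        print(name, entry)
```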

The //applications/module Element

The module element specifies security settings for the program module identified by the path attribute, described on page 34. Typically a Check Point XML Policy contains multiple module elements.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/module
Attributes

checksum
    Specifies the MD5-style checksum of a module.
    Type: formatted string, generally supplied automatically. Displayed values are formatted as:
    "([a-f]|\d){8}-([a-f]|\d){8}-([a-f]|\d){8}-([a-f]|\d){8}"
    Generally, the checksum value for a module that has been recognized by Integrity Server or Integrity client is supplied automatically as the value of that module's checksum attribute.

description
    Display a brief description of the module.
    Displayed values: read-only string, supplied automatically. Copied from the module's embedded description information.
    Integrity client automatically acquires the description embedded in the module file and copies it into the description attribute.

path
    Specify the location of a module.
    Type: formatted string. Valid path name and file name of a Windows program module.
    Use the path attribute to specify a Windows program module. For example:
    path="c:\winnt\system32\comctl32.dll"
    Use the remaining module attributes to specify the security settings for the module specified by the path attribute.

permission
    Specify the module's permission level.
    Type: enumeration allow, disallow, ask

skimpchecksum
    Specifies an abridged MD5-style checksum for a module.
    Type: formatted string, generally supplied automatically. Displayed values are formatted as:
    "([a-f]|\d){8}-([a-f]|\d){8}-([a-f]|\d){8}-([a-f]|\d){8}"
    The skimpchecksum attribute provides a way of validating modules that change frequently. Generally, the checksum value for a module that has been recognized by Integrity Server or Integrity client is supplied automatically as the value of that module's checksum attribute. See the description of checksum earlier in this table.

Level 5 Child Elements
    None. The module element contains no child elements.

The //program/protocols Element

The protocols element specifies general protocol blocking behavior for the program identified by the //program[@path="programpathandname"] attribute.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/protocols
Attributes

allow
    Specify protocol blocking behavior for child elements.
    Type: enumeration only, all, allexcept
    Set the blocking behavior (only, all, allexcept) for one or more protocol or protocolrange child elements. The protocol and protocolrange child elements contained in a particular protocols element block protocols as specified by their parent protocols element's allow attribute.

Level 6 Child Elements
    protocol       The protocol element is described in the following section.
    protocolrange  The protocolrange element is described on page 39.

The //protocols/protocol Element

The protocol element specifies a particular protocol and its operation type.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/protocols/protocol
Attributes (Sheet 1 of 2)

operation
    Specify whether to include or exclude a particular protocol.
    Type: enumeration eq (equal), neq (not equal)
    Specify the operation attribute equal to eq to apply the rule when the protocol matches the protocol specified by the protocol attribute, described in the following table entry. Whether the protocols specified by the protocol child element are included or excluded is determined by the parent protocols element's allow attribute, described in the preceding table.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/protocols/protocol (continued)
Attributes (Sheet 2 of 2)

protocol
    Specify a protocol to process.
    Type: enumeration. The following protocol identifiers:
    IP_AH
    IP_ALL (All IP subtypes)
    IP_CAST (Multicast and broadcast)
    IP_ESP
    IP_EVERY (Every IP subprotocol)
    IP_GRE
    IP_ICMP
    IP_IGMP
    IP_IXMP (Both ICMP and IGMP)
    IP_SKIP
    IP_TCP
    IP_TCP_UDP (Both TCP and UDP)
    IP_UDP
    IP_UDP_TCP (Same as IP_TCP_UDP)
    IP_VPN (All VPN protocols: ESP, AH, GRE, and SKIP)
    Use the protocol attribute to specify the protocol to process. Whether the protocols specified by the protocol child element are included or excluded is determined by the parent protocols element's allow attribute, described on page 37.

Level 7 Child Elements
    None. The protocol element does not contain any child elements.

The //protocols/protocolrange Element

The protocolrange element specifies blocking behavior for a range of IP protocol numbers.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/protocols/protocolrange
Attributes

operation
    Specify whether the protocols to process are inside or outside the protocol range.
    Type: enumeration in, notin
    Specify the operation attribute equal to in to apply the rule when the protocol matches any of the IP subprotocol numbers in the range defined by the protocol and toprotocol attributes, listed elsewhere in this table. Whether the protocols specified by the protocolrange child element are included or excluded is also determined by the parent protocols element's allow attribute, described on page 37.

protocol
    Identify the beginning protocol type in a range of protocols.
    Type: integer. The following six protocol numbers:
    Protocol Number   Protocol Name
    51                AH
    50                ESP
    47                GRE
    User specified    Other
    27                RDP
    57                SKIP
    Protocol numbers are defined by the Internet Assigned Numbers Authority (IANA). See the IANA Web site for more information.
    The protocolrange element's protocol attribute identifies the beginning protocol type in a protocol range. Whether the protocols specified by the protocolrange child element are included or excluded is determined by the parent protocols element's allow attribute, described on page 37.

toprotocol
    Identify the ending protocol type in a range of protocols.
    Type: integer. See the recognized values in the protocol attribute description, immediately above.
    The protocolrange element's toprotocol attribute identifies the ending protocol type in a protocol range. Whether the protocols specified by the protocolrange child element are included or excluded is determined by the parent protocols element's allow attribute, described on page 37.

Level 7 Child Elements
    None. The protocolrange element does not contain any child elements.
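The three elements above (protocols, protocol and protocolrange) combine to give a per-program protocol policy. The following added example, not Integrity product code, evaluates such a block over a constructed policy. The reference does not spell out the combination rule, so the code assumes the natural reading: a protocol child selects its protocol identifier's numbers (eq) or their complement (neq), a protocolrange child selects the numbers inside (in) or outside (notin) its range, allow="only" permits exactly the selected numbers, allow="allexcept" permits everything else, and allow="all" permits everything. The mnemonic-to-number table is an assumption built from IANA assignments; IP_CAST is address-based and omitted.

```python
"""Evaluate //program/protocols blocks of a constructed Integrity XML Policy.

Added example (not Integrity product code).  Semantics and the
mnemonic-to-number table are assumptions stated in the lead-in.
"""
import xml.etree.ElementTree as ET

ALL_PROTOCOLS = frozenset(range(256))
# Assumed mapping of the reference's identifiers to IANA protocol numbers.
MNEMONICS = {
    "IP_ICMP": {1}, "IP_IGMP": {2}, "IP_TCP": {6}, "IP_UDP": {17},
    "IP_GRE": {47}, "IP_ESP": {50}, "IP_AH": {51}, "IP_SKIP": {57},
    "IP_IXMP": {1, 2},                    # both ICMP and IGMP
    "IP_TCP_UDP": {6, 17}, "IP_UDP_TCP": {6, 17},
    "IP_VPN": {47, 50, 51, 57},           # GRE, ESP, AH and SKIP
    "IP_ALL": ALL_PROTOCOLS, "IP_EVERY": ALL_PROTOCOLS,
}

# Constructed sample: a VPN client restricted to VPN protocols plus UDP,
# a browser denied the VPN protocol numbers 47..57, and a ping tool that
# may use anything except TCP and UDP.
SAMPLE_POLICY = r"""<ZoneLabsSettings>
 <ruleset name="runningruleset">
  <applications>
   <program path="c:\vpn\vpnclient.exe" allowinternet="allow">
    <protocols allow="only">
     <protocol operation="eq" protocol="IP_VPN"/>
     <protocol operation="eq" protocol="IP_UDP"/>
    </protocols>
   </program>
   <program path="c:\program Files\Opera\Opera.exe" allowinternet="allow">
    <protocols allow="allexcept">
     <protocolrange operation="in" protocol="47" toprotocol="57"/>
    </protocols>
   </program>
   <program path="c:\tools\ping.exe" allowinternet="ask">
    <protocols allow="only">
     <protocol operation="neq" protocol="IP_TCP_UDP"/>
    </protocols>
   </program>
  </applications>
 </ruleset>
</ZoneLabsSettings>"""


def child_match_set(child):
    """Protocol numbers selected by one protocol or protocolrange child."""
    if child.tag == "protocol":
        named = frozenset(MNEMONICS[child.get("protocol")])
        operation = child.get("operation", "eq")
        return named if operation == "eq" else ALL_PROTOCOLS - named
    if child.tag == "protocolrange":
        low, high = int(child.get("protocol")), int(child.get("toprotocol"))
        in_range = frozenset(range(low, high + 1))
        operation = child.get("operation", "in")
        return in_range if operation == "in" else ALL_PROTOCOLS - in_range
    raise ValueError(f"unexpected child <{child.tag}>")


def allowed_protocols(protocols_elem):
    """Protocol numbers the block permits, per its allow attribute."""
    mode = protocols_elem.get("allow")
    selected = frozenset().union(*(child_match_set(c) for c in protocols_elem))
    if mode == "all":
        return ALL_PROTOCOLS
    if mode == "only":
        return selected
    if mode == "allexcept":
        return ALL_PROTOCOLS - selected
    raise ValueError(f"unknown allow mode {mode!r}")


def program_protocol_policy(xml_text):
    """Map each program path to the protocol numbers it may use; a program
    without a protocols block is treated as unrestricted (assumption)."""
    root = ET.fromstring(xml_text)
    policy = {}
    for prog in root.iterfind("./ruleset/applications/program"):
        block = prog.find("protocols")
        policy[prog.get("path")] = (allowed_protocols(block)
                                    if block is not None else ALL_PROTOCOLS)
    return policy


if __name__ == "__main__":
    for path, numbers in program_protocol_policy(SAMPLE_POLICY).items():
        print(path, sorted(numbers)[:12], "..." if len(numbers) > 12 else "")
```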

The //program/firewall/rules/rule Element

As described at the beginning of this chapter, the applications functional section of a Check Point XML Policy specifies rules for specific programs running on the end-point computer. Program-specific rules are defined in one or more rule elements. The following XPath statement illustrates the placement of a rule element within its firewall and rules parent elements:

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule

The rule element contains a given program-specific rule set. The rule element:
- Specifies general rule behaviors for all child elements
- Functions as a parent element for up to 9 network-entity child elements

The following table lists the rule element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule
Attributes

name
    Specify the name of the rule.
    Type: string. Free-form name, 15 characters maximum.
    Use the rule element's name attribute to name the rule.

rulestack
    Identify the rule stack of the rule. Currently read-only.
    Type: read-only enumeration: hard
    The rulestack attribute must be equal to hard.

relativeposition
    Identify the position of the rule within the rule stack. Read-only in the running ruleset.
    Displayed value: read-only enumeration: first
    In a running ruleset, Integrity client ignores the relativeposition attribute.

enable
    Enable the rule element.
    Specify the enable attribute equal to true to enable the rule element. The enable attribute defaults to true if not specified.

Level 8 Child Elements
    execute          Described in the following section.
    bidirectional, destination, ipsubprotoflags, iptypes, nondirectional, protocols, source, times
                     For a description of all network-entity child elements, see Specifying applications Network Entities, on page 42.

The //rule/execute Element

The execute element specifies the actions and logging level for a specific rule.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/execute
Attributes

action
    Specify how to process a newly detected program's database entry.
    Type: enumeration add, delete, modify
    Use the action attribute to specify what action to take when Integrity client recognizes a new program. Actions are:
    - add the program to the list of known programs contained in Integrity client's database
    - delete the existing program and add the new program to the database
    - modify (update) the existing program's database entry

alert
    Alert the client when the condition is met.
    Type: enumeration client, false
    Specify the alert attribute equal to client to display a firewall alert box when Integrity client detects the conditions specified for this rule.

log
    Specify where logged entries are stored.
    Type: enumeration logdb (Integrity client 4.x does not recognize log="file")
    Use the log attribute to specify where Integrity client stores logged events. Integrity client recognizes only log="logdb": logdb stores logged events in Internet Logs\username.ldb, where username is the active user account on the end-point computer. (In consumer-level clients, file stores logged events in Internet Logs\fwpktlog.txt.)

loglevel
    Specify a program-specific logging level.
    Type: integer, 0 to 13 inclusive.
    Use the loglevel attribute to specify a program-specific level of event logging. Program-specific logging of network-entity events is performed only when the value of the loglevel attribute is less than or equal to that of the firewall functional category's logging attribute, described on page 112.

Level 4 Child Elements
    None. The execute element does not contain any child elements.

Specifying applications Network Entities

A Check Point XML Policy contains up to 8 traffic-type elements. Each traffic-type element in turn contains up to 8 network-entity child elements. The following table lists:
- The 8 traffic-type elements that may be contained in the applications functional section of a particular Check Point XML Policy instance
- The 8 network-entity child elements contained in a given traffic-type parent element
- The page number of the XML element description table for each network-entity child element

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/traffictype/networkentity

Traffic Type Element   Network Entity Child Element                    Page Number
bidirectional          ethernetaddress                                 43
                       group                                           46
                       ipaddress                                       46
                       iprange                                         47
                       ipsubnet                                        48
                       port                                            49
                       portrange                                       50
                       socket                                          52
destination            Identical with those of bidirectional, above.   Same pages as bidirectional.
ipsubprotoflags        flag                                            44
iptypes                type                                            54
nondirectional         portpair                                        49
protocols              protocol                                        51
                       protocolrange                                   52
source                 Identical with those of bidirectional, above.   Same pages as bidirectional.
times                  daytimerange                                    43

A Check Point XML Policy contains up to 14 network-entity elements. The following sections list each of the elements and their attributes in alphabetical order.

The daytimerange Network-entity Element

The daytimerange element specifies the days and times at which Integrity client starts and stops enforcing a custom program rule.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/times/daytimerange
Attributes

day1 through day7, inclusive
    Specify the day or days on which to apply a rule.
    Type: enumeration SUNDAY, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, ALL
    Use the dayN attributes to specify individual days. The following illustrates the general form of a dayN attribute statement:
    <daytimerange day1="MONDAY" day2="WEDNESDAY"/>
    Specify a dayN attribute equal to ALL to specify all days.

time
    Specify the time to begin applying a rule.
    Type: formatted string. Time as hh:mm in 24-hour format.
    Use the time attribute to specify the time to start enforcing the rule. The value of the time attribute must be earlier than that of the totime attribute, described in the following table entry.

totime
    Specify the time to stop applying a rule.
    Type: formatted string. Time as hh:mm in 24-hour format.
    Use the totime attribute to specify the time to stop enforcing the rule. The value of the totime attribute must be later than that of the time attribute, described in the preceding table entry.

Level 10 Child Elements
    None. The daytimerange element does not contain any child elements.

The ethernetaddress Network-entity Element

The ethernetaddress element:
- Specifies a Media Access Control (MAC) address and operation
- Can be contained in the source, destination, and bidirectional parent elements

The following table lists the ethernetaddress element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/traffictype/ethernetaddress
Attributes

address
    Specify a MAC address.
    Type: formatted string. A MAC address of the form "12-3d-34-5d-56-ef".
    Use the address attribute to specify a network entity's Media Access Control (MAC) address.

operation
    Specify the condition for applying the ethernetaddress rule.
    Type: enumeration eq, neq
    Specify the operation attribute equal to eq to apply the rule when the MAC address matches the value of the address attribute, described in the preceding table entry.

Level 10 Child Elements
    None. The ethernetaddress element does not contain any child elements.

The flag Network-entity Element

The flag element specifies which protocol-specific flags are accepted or blocked. The following table lists the flag element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/ipsubprotoflags/flag
Attributes (Sheet 1 of 2)

notpresent
    Specify a protocol-specific flag that should not be detected in the named protocol.
    Type: enumeration. The following seven flag mnemonics:
    Flag Mnemonic   Description
    TCP_FLAG_ACK    Acknowledgement
    TCP_FLAG_ALL    All flags in this group
    TCP_FLAG_FIN    Final
    TCP_FLAG_PSH    Push
    TCP_FLAG_RST    Reset
    TCP_FLAG_SYN    Synchronization
    TCP_FLAG_URG    Urgent
    Use the notpresent attribute to specify that the rule is triggered if the TCP flag is not detected in the IP subprotocol.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/ipsubprotoflags/flag (continued)
Attributes (Sheet 2 of 2)

present
    Specify a protocol-specific flag that should be detected in the named protocol.
    Type: enumeration. Same flags as listed for the notpresent attribute, described in the preceding table entry.
    Use the present attribute to specify that the rule is triggered if the TCP flag is detected in the IP subprotocol.

protocol
    Specify a named protocol.
    Type: enumeration. The following protocol identifiers:
    IP_AH
    IP_ALL (All IP subtypes)
    IP_CAST (Multicast and broadcast)
    IP_ESP
    IP_EVERY (Every IP subprotocol)
    IP_GRE
    IP_ICMP
    IP_IGMP
    IP_IXMP (Both ICMP and IGMP)
    IP_SKIP
    IP_TCP
    IP_TCP_UDP (Both TCP and UDP)
    IP_UDP
    IP_UDP_TCP (Same as IP_TCP_UDP)
    IP_VPN (All VPN protocols: ESP, AH, GRE, and SKIP)
    Use the protocol attribute to specify the protocol to process as part of the program's rule.

Level 10 Child Elements
    None. The flag element does not contain any child elements.

The group Network-entity Element

The group element:
- Specifies a group name and type
- Can be contained in the source, destination, and bidirectional parent elements

The following table lists the group element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/traffictype/group
Attributes

name
    Group identifier.
    Type: string. Free-form string, maximum of 14 characters.
    Use the group element's name attribute to specify the logical name of the group. The name also appears in the global rules definitions at (line break added for readability):
    /ZoneLabsSettings/ruleset[@name="runningruleset"]/
        firewall/expert/groups/RuleType[@name="NameDef"]
    In the preceding example, RuleType stands for the rule type and NameDef for the rule's name.

type
    Identify a group as type address.
    Type: read-only enumeration. Displayed value: address. Not user specifiable.
    Integrity client sets the group element's type attribute to address.

Level 10 Child Elements
    None. The group element does not contain any child elements.

The ipaddress Network-entity Element

The ipaddress element:
- Specifies an IP address
- Can be contained in the source, destination, and bidirectional parent elements

The following table lists the ipaddress element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/traffictype/ipaddress
Attributes (Sheet 1 of 2)

address
    Specifies an IP address.
    Type: formatted string. String formatted as an IP address.
    Use the address attribute to specify the IP address to process as part of the program's rule.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/traffictype/ipaddress (continued)
Attributes (Sheet 2 of 2)

operation
    Specify the condition for applying the rule.
    Type: enumeration eq, neq
    Specify the operation attribute equal to eq to apply the rule when the IP address matches the address specified by the address attribute, described in the preceding table entry.

protocol
    Specify a named protocol.
    Type: enumeration. Same as listed under protocol, on page 45.
    Specify the protocol to process for the program's rule.

Level 10 Child Elements
    None. The ipaddress element does not contain any child elements.

The iprange Network-entity Element

The iprange element:
- Specifies a range of IP addresses
- Can be contained in the source, destination, and bidirectional parent elements

The following table lists the iprange element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/traffictype/iprange
Attributes (Sheet 1 of 2)

address
    Specify the first address in a range of IP addresses.
    Type: formatted string. String formatted as an IP address.
    Use the address attribute to specify the first IP address in the range of IP addresses.

operation
    Specify the condition for applying the rule.
    Type: enumeration eq, neq
    Specify the operation attribute equal to eq to apply the rule when an IP address is within the range specified by the address and toaddress attributes, described elsewhere in this table.

protocol
    Specify a named protocol.
    Type: enumeration. Same as listed under protocol, on page 45.
    Specify the protocol to process for the program's rule.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/traffictype/iprange (continued)
Attributes (Sheet 2 of 2)

toaddress
    Specify the last address in a range of IP addresses.
    Type: formatted string. String formatted as an IP address.
    Use the toaddress attribute to specify the last IP address in the range of IP addresses.

Level 10 Child Elements
    None. The iprange element does not contain any child elements.

The ipsubnet Network-entity Element

The ipsubnet element:
- Specifies an IP subnetwork and subnet mask
- Can be contained in the source, destination, and bidirectional parent elements

The following table lists the ipsubnet element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/traffictype/ipsubnet
Attributes

address
    Specify the address of an IP subnet.
    Type: formatted string. String formatted as an IP address.
    Use the address attribute to specify the IP address of the IP subnet.

mask
    Specify an IP mask.
    Type: formatted string. String formatted as an IP subnet mask.
    Use the mask attribute to specify the subnet mask of the subnet specified by the address attribute.

operation
    Specify the condition for applying the rule.
    Type: enumeration eq, neq
    Specify the operation attribute equal to eq to apply the rule when an IP address is within the subnet specified by the address and mask attributes, described elsewhere in this table.

protocol
    Specify a named protocol.
    Type: enumeration. Same as listed under protocol, on page 45.
    Specify the protocol to process for the program's rule.

Level 10 Child Elements
    None. The ipsubnet element does not contain any child elements.
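The rule, execute, daytimerange, ipaddress, iprange and ipsubnet descriptions above fit together into a single rule evaluation. The following added example, not Integrity product code, builds one constructed rule and decides whether it applies to a destination address at a given weekday and time, enforcing the daytimerange constraints (dayN from the enumeration, ALL for every day, time strictly earlier than totime) and the eq/neq operation of each address entity. Two semantics the reference leaves open are assumed here: a destination element with several entities matches when any one matches, and a rule without a times element is active at all times.

```python
"""Evaluate a constructed program rule: time window plus destination entities.

Added example (not Integrity product code).  The rule XML below is
constructed; combination semantics are assumptions stated in the lead-in.
"""
import ipaddress
import xml.etree.ElementTree as ET

DAYS = ("SUNDAY", "MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY")


def _minutes(hhmm):
    """Convert a 24-hour hh:mm string to minutes past midnight."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    if not (0 <= hours < 24 and 0 <= minutes < 60):
        raise ValueError(f"bad time {hhmm!r}")
    return hours * 60 + minutes


def parse_daytimerange(elem):
    """Return (days, start, end), enforcing the reference's constraints on
    day1..day7 values and on time being earlier than totime."""
    days = set()
    for n in range(1, 8):
        day = elem.get(f"day{n}")
        if day is None:
            continue
        if day == "ALL":
            days.update(DAYS)
        elif day in DAYS:
            days.add(day)
        else:
            raise ValueError(f"bad day{n} {day!r}")
    start, end = _minutes(elem.get("time")), _minutes(elem.get("totime"))
    if start >= end:
        raise ValueError("time must be earlier than totime")
    return days, start, end


def rule_active(rule, weekday, hhmm):
    """True when some times/daytimerange entry covers the given moment."""
    times = rule.find("times")
    if times is None:
        return True                      # assumption: no times means always
    now = _minutes(hhmm)
    for dtr in times.findall("daytimerange"):
        days, start, end = parse_daytimerange(dtr)
        if weekday in days and start <= now < end:
            return True
    return False


def entity_matches(entity, ip):
    """Apply one ipaddress / iprange / ipsubnet entity (eq or neq) to ip."""
    addr = ipaddress.ip_address(ip)
    if entity.tag == "ipaddress":
        hit = addr == ipaddress.ip_address(entity.get("address"))
    elif entity.tag == "iprange":
        low = ipaddress.ip_address(entity.get("address"))
        high = ipaddress.ip_address(entity.get("toaddress"))
        hit = low <= addr <= high
    elif entity.tag == "ipsubnet":
        net = ipaddress.ip_network(
            f"{entity.get('address')}/{entity.get('mask')}", strict=False)
        hit = addr in net
    else:
        raise ValueError(f"unsupported entity <{entity.tag}>")
    return hit if entity.get("operation", "eq") == "eq" else not hit


def rule_matches(rule, dst_ip, weekday, hhmm):
    """True when the rule is active and any destination entity matches."""
    if not rule_active(rule, weekday, hhmm):
        return False
    dest = rule.find("destination")
    return dest is not None and any(entity_matches(e, dst_ip) for e in dest)


# Constructed rule: applies to a lab subnet and a small address range,
# on weekday evenings and all weekend.
SAMPLE_RULE = ET.fromstring("""<rule name="lab-offhours" enable="true">
  <execute alert="client" log="logdb" loglevel="4"/>
  <destination>
    <ipsubnet operation="eq" address="10.20.0.0" mask="255.255.0.0"/>
    <iprange operation="eq" address="192.0.2.10" toaddress="192.0.2.20"/>
  </destination>
  <times>
    <daytimerange day1="MONDAY" day2="TUESDAY" day3="WEDNESDAY"
                  day4="THURSDAY" day5="FRIDAY" time="18:00" totime="23:59"/>
    <daytimerange day1="SATURDAY" day2="SUNDAY" time="00:00" totime="23:59"/>
  </times>
</rule>""")
# Constructed entities used to exercise neq and an invalid time window.
NEQ_ENTITY = ET.fromstring('<ipaddress operation="neq" address="198.51.100.5"/>')
BAD_RANGE = ET.fromstring('<daytimerange day1="MONDAY" time="18:00" totime="08:00"/>')
```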

The port Network-entity Element

The port element:
- Specifies a port
- Can be contained in the source, destination, and bidirectional parent elements

The following table lists the port element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/traffictype/port

operation (Specify the condition for applying the rule.)
    Type: enumeration; eq, neq.
    Specify the operation attribute equal to eq to apply the rule when a port number matches the port specified by the port attribute, described in the following table entry.
port (Specify a port number.)
    Type: integer; a valid IP port number.
    Use the port element's port attribute to specify the port to process as part of the rule.
portprotocol (Specify a protocol type.)
    Type: enumeration or integer; a port protocol mnemonic or number.
    The portprotocol attribute recognizes two methods of specifying a protocol:
    - A protocol number as listed under protocol, on page 39
    - A protocol mnemonic as listed under protocol, on page 45

Level: 10. Child elements: none. The port element does not contain any child elements.

The portpair Network-entity Element

The portpair element specifies a source and destination pair of ports. The following table lists the portpair element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/nondirectional/portpair

dstport (Specify a destination port.)
    Type: integer; a valid IP port number.
    Use the dstport attribute to specify the destination port of the port pair defined by the corresponding srcport.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/nondirectional/portpair (continued)

portprotocol (Specify a protocol type.)
    Type: enumeration or integer; a port protocol mnemonic or number.
    The portprotocol attribute recognizes two methods of specifying a protocol:
    - A protocol number as listed under protocol, on page 39
    - A protocol mnemonic as listed under protocol, on page 45
srcport (Specify the source port.)
    Type: integer; a valid IP port number.
    Use the srcport attribute to specify the source port of the port pair defined by the corresponding dstport.

Level: 10. Child elements: none. The portpair element does not contain any child elements.

The portrange Network-entity Element

The portrange element:
- Specifies a range of network ports
- Can be contained in the source, destination, and bidirectional parent elements

The following table lists the portrange element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/traffictype/portrange

operation (Specify the condition for applying the rule.)
    Type: enumeration; eq, neq.
    Specify the operation attribute equal to eq to apply the rule when the port is within the range specified by the port and toport attributes, described elsewhere in this table.
port (Specify the first port in a port range.)
    Type: integer; a valid port number.
    Use the portrange element's port attribute to specify the beginning port in a port range.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/traffictype/portrange (continued)

protocol (Specify a protocol.)
    Type: enumeration or integer; a port protocol mnemonic or number.
    Use the protocol attribute to specify the protocol to process as part of the rule. The protocol attribute recognizes two methods of specifying a protocol:
    - A protocol number as listed under protocol, on page 39
    - A protocol mnemonic as listed under protocol, on page 45
toport (Specify the last port in a port range.)
    Type: integer; a valid port number.
    Use the portrange element's toport attribute to specify the ending port in a port range.

Level: 10. Child elements: none. The portrange element does not contain any child elements.

The protocol Network-entity Element

The protocol element specifies a named or numbered protocol. The following table lists the protocol element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/protocols/protocolpair

operation (Specify the condition for applying the rule.)
    Type: enumeration; eq, neq.
    Specify the operation attribute equal to eq to apply the rule when a protocol matches the protocol specified by the protocol attribute, described in the following table entry.
protocol (Specify a protocol.)
    Type: enumeration or integer; a port protocol mnemonic or number.
    Use the protocol attribute to specify the protocol to process as part of the rule. The protocol attribute recognizes two methods of specifying a protocol:
    - A protocol number as listed under protocol, on page 39
    - A protocol mnemonic as listed under protocol, on page 45

Level: 10. Child elements: none. The protocolpair element does not contain any child elements.

The protocolrange Network-entity Element

The protocolrange element specifies a range of numeric or named protocols. The following table lists the protocolrange element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/protocols/protocolrange

operation (Specify the condition for applying the rule.)
    Type: enumeration; eq, neq.
    Specify the operation attribute equal to eq to apply the rule when the protocol is within the range specified by the protocol and toprotocol attributes, described elsewhere in this table.
protocol (Specify the beginning protocol in a range of protocols.)
    Type: enumeration or integer; a port protocol mnemonic or number.
    In a protocolrange element, use the protocol attribute to specify the first protocol in the protocol range. The protocol attribute recognizes two methods of specifying a protocol:
    - A protocol number as listed under protocol, on page 39
    - A protocol mnemonic as listed under protocol, on page 45
toprotocol (Specify the last protocol in a range of protocols.)
    Type: enumeration or integer; a port protocol mnemonic or number.
    In a protocolrange element, use the toprotocol attribute to specify the last protocol in the protocol range. The toprotocol attribute recognizes two methods of specifying a protocol:
    - A protocol number as listed under protocol, on page 39
    - A protocol mnemonic as listed under protocol, on page 45

Level: 10. Child elements: none. The protocolrange element does not contain any child elements.

The socket Network-entity Element

The socket element:
- Combines the behaviors of the ipaddress and port network-entity elements into a single network-entity element
- Can be contained in the source, destination, and bidirectional parent elements

Understanding XML Policy Sockets

Use XML Policy sockets to combine the behaviors of the ipaddress and port network-entity elements into a single network-entity element. For example, the socket element combines the following two XML element statements

    <TrafficType>
        <ipaddress address=" " operation="eq" protocol="ip_tcp" />
        <port port="80" protocol="ip_tcp" operation="eq" />
    </TrafficType>

into the following single-line XML element statement:

    <TrafficType>
        <socket address=" " protocol="ip_tcp" port="80" operation="eq" />
    </TrafficType>

Socket Elements and the Control Center

The socket XML Policy element can only be specified within an XML Policy instance: the Integrity client Control Center does not contain a mechanism for directly specifying socket network entities.

The following table lists the socket element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/traffictype/socket

address (Specify a socket IP address.)
    Type: formatted string; a string formatted as a valid IP address.
    Use the address attribute to specify the IP address portion of the socket element.
operation (Specify the condition for applying the rule.)
    Type: enumeration; eq, neq.
    Specify the operation attribute equal to eq to apply the rule when the traffic matches the address, port, and protocol specified by the other attributes in this table.
port (Specify a socket port number.)
    Type: integer; a valid IP port number.
    Use the socket element's port attribute to specify the port to process as part of the rule.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/traffictype/socket (continued)

protocol (Specify the socket's protocol type.)
    Type: enumeration or integer; a port protocol mnemonic or number.
    The protocol attribute recognizes two methods of specifying a protocol:
    - A protocol number as listed under protocol, on page 39
    - A protocol mnemonic as listed under protocol, on page 45

Level: 10. Child elements: none. The socket element does not contain any child elements.

The type Network-entity Element

The type element specifies the type of ICMP message to process as part of the rule. The following table lists the type element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/iptypes/type

operation (Specify the condition for applying the rule.)
    Type: enumeration; eq, neq.
    Specify the operation attribute equal to eq to apply the rule when a protocol matches the protocol specified by the protocol attribute, described in the following table entry.
protocol (Specify a protocol.)
    Type: enumeration or integer; a port protocol mnemonic or number.
    Use the protocol attribute to specify the protocol to process as part of the rule. The protocol attribute recognizes two methods of specifying a protocol:
    - A protocol number as listed under protocol, on page 39
    - A protocol mnemonic as listed under protocol, on page 45

/ZoneLabsSettings/ruleset[@name="runningruleset"]/applications/program/firewall/rules/rule/iptypes/type (continued)

type (Specify an ICMP message type.)
    Type: enumeration; one of the following ICMP message types:
    DST_UNREACHABLE, ECH_REQ, ECHO_REPLY, INFO_REPLY, INFO_REQUEST, MASK_REPLY, MASK_REQUEST, PARAM_PROBLEM, REDIRECT, ROUTERADVERT, ROUTERSOLICIT, SRC_QUENCH, TIME_EXCEEDED, TIMESTAMP, TIMESTAMP_REPLY
    Use the type element's type attribute to specify the type of ICMP message to process as part of the rule.

Level: 10. Child elements: none. The type element does not contain any child elements.
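The network-entity elements described in this chapter (ipaddress, iprange, ipsubnet, port, portrange and socket) share the same eq/neq operation attribute and a protocol scope, and the easiest way to audit a rule is to evaluate its elements against a concrete packet. The script below is an added example and is not code from the Integrity client or from this reference: it reads a constructed traffictype fragment with Python's xml.etree and ipaddress modules and reports which elements match a given packet. The Packet class, the sample addresses (RFC 5737 documentation ranges), and the decision to treat a protocol mismatch as "element does not apply" are assumptions made for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The three packet fields the network-entity elements test (constructed for the example)."""
    address: str
    port: int
    protocol: str  # protocol mnemonic, e.g. "ip_tcp" or "ip_udp"


def _raw_match(elem, pkt):
    """True if the packet falls inside the element's address/port criterion,
    before the operation attribute (eq/neq) is applied."""
    a = elem.attrib
    tag = elem.tag.lower()
    addr = ipaddress.ip_address(pkt.address)
    if tag == "ipaddress":
        return addr == ipaddress.ip_address(a["address"])
    if tag == "iprange":
        return ipaddress.ip_address(a["address"]) <= addr <= ipaddress.ip_address(a["toaddress"])
    if tag == "ipsubnet":
        # mask is a dotted subnet mask; strict=False tolerates host bits set in address
        return addr in ipaddress.ip_network(f'{a["address"]}/{a["mask"]}', strict=False)
    if tag == "port":
        return pkt.port == int(a["port"])
    if tag == "portrange":
        return int(a["port"]) <= pkt.port <= int(a["toport"])
    if tag == "socket":
        # socket combines ipaddress and port: both must match
        return addr == ipaddress.ip_address(a["address"]) and pkt.port == int(a["port"])
    raise ValueError(f"unsupported network-entity element <{elem.tag}>")


def matches(elem, pkt):
    """Apply one network-entity element to a packet, honouring its operation attribute."""
    # The port element names its protocol with portprotocol; the others use protocol.
    proto_attr = "portprotocol" if elem.tag.lower() == "port" else "protocol"
    proto = elem.get(proto_attr)
    # Assumption for this example: a protocol mismatch means the element does not
    # apply at all, whatever the operation attribute says.
    if proto is not None and proto.lower() != pkt.protocol.lower():
        return False
    op = elem.get("operation", "eq")
    if op not in ("eq", "neq"):
        raise ValueError(f"operation must be eq or neq, got {op!r}")
    hit = _raw_match(elem, pkt)
    return hit if op == "eq" else not hit


def evaluate(traffictype_xml, pkt):
    """Return {element tag: match result} for every child of a traffictype element."""
    root = ET.fromstring(traffictype_xml.strip())
    return {child.tag: matches(child, pkt) for child in root}


# Constructed sample: one of each network-entity element, all scoped to TCP.
SAMPLE_TRAFFICTYPE = """
<traffictype>
  <ipaddress address="192.0.2.10" operation="eq" protocol="ip_tcp"/>
  <iprange address="192.0.2.1" toaddress="192.0.2.100" operation="eq" protocol="ip_tcp"/>
  <ipsubnet address="198.51.100.0" mask="255.255.255.0" operation="neq" protocol="ip_tcp"/>
  <port port="80" operation="eq" portprotocol="ip_tcp"/>
  <portrange port="1024" toport="65535" operation="neq" protocol="ip_tcp"/>
  <socket address="192.0.2.10" port="443" operation="eq" protocol="ip_tcp"/>
</traffictype>
"""

if __name__ == "__main__":
    for pkt in (Packet("192.0.2.10", 80, "ip_tcp"),
                Packet("198.51.100.7", 443, "ip_tcp"),
                Packet("192.0.2.10", 443, "ip_udp")):
        print(pkt, evaluate(SAMPLE_TRAFFICTYPE, pkt))
```

The ipsubnet and portrange elements in the sample use neq, so they match packets outside the subnet and outside the port range; when reviewing a policy, an inverted match of this kind is the first thing to check in a rule that turns out broader than intended.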

Chapter 5 The customsecurity Functional Category

This chapter describes the customsecurity functional category of the Check Point XML Policy. The customsecurity functional category contains attributes and child elements that specify rules for newly detected programs ("applications") and program components on the end-point computer.

This chapter contains the following sections:
- Overview of customsecurity Structure, in the following section, provides an orientation to the overall composition of the customsecurity functional category's XML elements.
- Specifying customsecurity Security, on page 57, describes the highsecurity and mediumsecurity elements that determine basic protocol security behavior.
- Allowing or Blocking Individual Protocols, on page 59, describes how to use the allow and block elements to specify protocol security behaviors on a protocol-by-protocol basis.
- Specifying UDP and TCP Port Numbers, on page 62, describes how to specify UDP and TCP port numbers.

Overview of customsecurity Structure

The customsecurity element appears at nesting level 3 of a Check Point XML Policy. The following XPath statement illustrates the location of the customsecurity element.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity

The Check Point XML Policy divides the customsecurity functional category into two nesting-level 4 child elements: trusted and internet. The following XPath statements illustrate the placement of the trusted and internet child elements:

/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity/trusted
/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity/internet

Specifying High and Medium Security Behaviors

The trusted and internet elements correspond to the Trusted Zone and Internet Zone that appear on the Integrity client Control Center. Within the customsecurity parent element, the trusted and internet child elements are symmetrically constructed: the child elements are identical in both.

The following illustrates the symmetrical structure of the customsecurity functional category's trusted and internet child elements.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity

    <trusted|internet>
        <highsecurity initialvalues="current">
            <allow DNSOut="false" DHCPOut="false" cast="false" pingin="false" othericmpin="false"
                   pingout="false" othericmpout="false" IGMPIn="false" IGMPOut="false">
                <incoming>
                    <protocol type="ip_udp" port=" " enabled="true"/>
                    <protocol type="ip_tcp" port=" " enabled="true"/>
                </incoming>
                <outgoing>
                    <protocol type="ip_udp" port=" " enabled="true"/>
                    <protocol type="ip_tcp" port=" " enabled="true"/>
                </outgoing>
            </allow>
        </highsecurity>
        <mediumsecurity initialvalues="default">
            <block netbiosin="true" netbiosout="true" DNSOut="false" DHCPOut="false" cast="false"
                   pingin="false" othericmpin="false" pingout="false" othericmpout="false"
                   IGMPIn="false" IGMPOut="false">
                <incoming>
                    <protocol type="ip_udp" port=" " enabled="true"/>
                    <protocol type="ip_tcp" port=" " enabled="true"/>
                </incoming>
                <outgoing>
                    <protocol type="ip_udp" port=" " enabled="true"/>
                    <protocol type="ip_tcp" port=" " enabled="true"/>
                </outgoing>
            </block>
        </mediumsecurity>
    </trusted|internet>

In the preceding example, the pseudo-element construction <trusted|internet> indicates that in the Check Point XML Policy both the trusted and the internet child elements are identically named and structured: the XML Policy child elements are fully symmetrical for both zones. The remaining sections in this chapter describe the customsecurity functional section's security, allow, block, and protocol child elements.

Specifying customsecurity Security

Both the trusted and internet zone parent elements contain two types of security child elements: highsecurity and mediumsecurity. The following XPath statements illustrate the placement of the two security elements.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity/zonetype/highsecurity

/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity/zonetype/mediumsecurity

The following sections describe both of the security elements.

The highsecurity Element

The highsecurity element specifies the default security value applied to a particular customsecurity zone when that zone's Zone Security slider is set to high, medium, or off. The following table lists the highsecurity attribute.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity/zonetype/highsecurity

initialvalues (Specify the initial security value.)
    Type: enumeration; current, default, off. These values correlate to the High, Medium, and Off settings available on the Main tab of the Control Center's Firewall panel.
    Use the highsecurity element's initialvalues attribute to specify the default security level applied for:
    - The zone specified by the zonetype parent element, and
    - The setting of that zone's Zone Security slider located on the Main tab of the Control Center's Firewall panel

Level: 4. Child elements: allow. For a description of the allow child element see The //highsecurity/allow Element, on page 59.

The mediumsecurity Element

The mediumsecurity element specifies the default security value applied to a particular customsecurity zone when that zone's Zone Security slider is set to high, medium, or off.

The following table lists the mediumsecurity attribute.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity/zonetype/mediumsecurity

initialvalues (Specify the initial security value.)
    Type: enumeration; current, default, off. These values correlate to the High, Medium, and Off settings available on the Main tab of the Control Center's Firewall panel.
    Use the mediumsecurity element's initialvalues attribute to specify the default security level applied for:
    - The zone specified by the zonetype parent element, and
    - The setting of that zone's Zone Security slider located on the Main tab of the Control Center's Firewall panel

Level: 4. Child elements: block. For a description of the block child element see The //mediumsecurity/block Element, on page 61.

Allowing or Blocking Individual Protocols

Within the customsecurity functional category, a Check Point XML Policy instance divides default protocol handling capabilities into two sub-categories:
- //highsecurity/allow provides a means of specifying on a protocol-by-protocol basis what protocols to allow by default
- //mediumsecurity/block provides a means of specifying on a protocol-by-protocol basis what protocols to block by default

Use these two sub-categories to customize the default protocol blocking behaviors that are applied when the Zone Security slider located on the Main tab of the Control Center's Firewall panel is set to High or Medium. The following sections describe the allow and block elements.

The //highsecurity/allow Element

The allow element is always the child of a highsecurity parent element. Use the allow element to specify on a protocol-by-protocol basis the types of packets to allow when the Zone Security slider located on the Main tab of the Control Center's Firewall panel is set to High. Note that only the allow element's cast attribute is true by default.

The following table lists the //highsecurity/allow attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity/zonetype/highsecurity/allow

cast (Allow multicast protocols.)
    Specify the cast attribute equal to true to allow multicast / broadcast protocols.
DHCPOut (Allow outbound DHCP packets.)
    Specify the DHCPOut attribute equal to true to allow outbound DHCP packets.
DNSOut (Allow outbound DNS packets.)
    Specify the DNSOut attribute equal to true to allow outbound DNS packets.
IGMPIn (Allow inbound IGMP packets.)
    Specify the IGMPIn attribute equal to true to allow inbound IGMP packets.
IGMPOut (Allow outbound IGMP packets.)
    Specify the IGMPOut attribute equal to true to allow outbound IGMP packets.
othericmpin (Allow miscellaneous inbound ICMP packets.)
    Specify the othericmpin attribute equal to true to allow miscellaneous inbound ICMP packets.
othericmpout (Allow miscellaneous outbound ICMP packets.)
    Specify the othericmpout attribute equal to true to allow miscellaneous outbound ICMP packets.
pingin (Allow inbound ping packets.)
    Specify the pingin attribute equal to true to allow inbound ping packets.
pingout (Allow outbound ping packets.)
    Specify the pingout attribute equal to true to allow outbound ping packets.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity/zonetype/highsecurity/allow (continued)

Level: 7. Child elements: incoming, outgoing. The incoming and outgoing elements are described in Specifying UDP and TCP Port Numbers, on page 62.

The //mediumsecurity/block Element

The block element is always the child of a mediumsecurity parent element. Use the block element to specify on a protocol-by-protocol basis the types of packets to block when the Zone Security slider located on the Main tab of the Control Center's Firewall panel is set to Medium. The following table lists the //mediumsecurity/block attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity/zonetype/mediumsecurity/block

cast (Block multicast protocols.)
    Specify the cast attribute equal to true to block multicast / broadcast protocols.
DHCPOut (Block outbound DHCP packets.)
    Specify the DHCPOut attribute equal to true to block outbound DHCP packets.
DNSOut (Block outbound DNS packets.)
    Specify the DNSOut attribute equal to true to block outbound DNS packets.
IGMPIn (Block inbound IGMP packets.)
    Specify the IGMPIn attribute equal to true to block inbound IGMP packets.
IGMPOut (Block outbound IGMP packets.)
    Specify the IGMPOut attribute equal to true to block outbound IGMP packets.
NETBIOSIn (Block inbound NETBIOS packets.)
    Specify the NETBIOSIn attribute equal to true to block inbound NETBIOS packets.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity/zonetype/mediumsecurity/block (continued)

NETBIOSOut (Block outbound NETBIOS packets.)
    Specify the NETBIOSOut attribute equal to true to block outbound NETBIOS packets.
othericmpin (Block miscellaneous inbound ICMP packets.)
    Specify the othericmpin attribute equal to true to block miscellaneous inbound ICMP packets.
othericmpout (Block miscellaneous outbound ICMP packets.)
    Specify the othericmpout attribute equal to true to block miscellaneous outbound ICMP packets.
pingin (Block inbound ping packets.)
    Specify the pingin attribute equal to true to block inbound ping packets.
pingout (Block outbound ping packets.)
    Specify the pingout attribute equal to true to block outbound ping packets.

Level: 7. Child elements: incoming, outgoing. The incoming and outgoing elements are described in Specifying UDP and TCP Port Numbers, in the following section.

Specifying UDP and TCP Port Numbers

Specifying the blocking behavior for the UDP and TCP protocols requires that port numbers be specified in addition to protocol identifiers. The Check Point XML Policy includes the protocol child element to enable specifying port numbers or port ranges for UDP and TCP packets. The following illustrates the general form of the customsecurity functional category's protocol child elements.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity/zonetype/securitylevel/allow|block/

    <incoming>
        <protocol type="ip_udp" port=" " enabled="true"/>
        <protocol type="ip_tcp" port=" " enabled="true"/>
    </incoming>
    <outgoing>
        <protocol type="ip_udp" port=" " enabled="true"/>
        <protocol type="ip_tcp" port=" " enabled="true"/>
    </outgoing>
    (closing element tags)

In the preceding example:
- zonetype specifies either the trusted or the internet zone
- securitylevel specifies high or medium
- allow|block specifies the default behavior for the specified security level:
    - If the security level is high, an allow child element must follow it
    - If the security level is medium, a block child element must follow it

The incoming and outgoing elements specify whether the protocol child element applies to inbound or outbound UDP or TCP packets. The following table lists the protocol element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity/zonetype/securitylevel/allow|block/protocol

enabled (Enable the custom protocol behavior, blocking or allowing.)
    Specify the enabled attribute equal to true to enable the custom security behavior specified by the highsecurity or mediumsecurity parent element.
port (Specify a port or range of ports.)
    Type: formatted string; an individual port number or a port range.
    Use the port attribute to specify an individual port number or a range of ports:
    - Specify an individual port number as an integer. For example, port="139".
    - Specify non-contiguous individual port numbers as comma-separated integers. For example, port="139, 141, 143".
    - Specify a contiguous range of port numbers as two hyphen-separated integers. For example, port=" ".
    When specifying multiple ports or a range of ports, be sure to construct the attribute from lower-numbered ports to higher-numbered ports. For example:
    - port=" " is not a valid port attribute specification
    - port=" " is a valid port attribute specification

/ZoneLabsSettings/ruleset[@name="runningruleset"]/customSecurity/zonetype/securitylevel/allow|block/protocol (continued)

type (Specify the UDP or TCP protocol.)
    Type: enumeration; IP_TCP, IP_UDP.
    Use the type attribute to specify whether the protocol blocking behavior applies to the TCP or UDP protocol.

Level: 4. Child elements: none. The protocol element contains no child elements.
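The structural rules this chapter states (trusted and internet zones built identically, highsecurity holding an allow element and mediumsecurity holding a block element, type limited to IP_TCP or IP_UDP) and the port attribute formats (a single integer, a comma-separated list, a hyphenated range, all listed from lower to higher ports) can be checked mechanically before a policy is deployed. The script below is an added example and is not code from the reference or the product: parse_port_attribute and validate_customsecurity are names chosen here, and the sample policy with its port numbers and the wording of the error messages are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# One port token: "139" or "135-139", surrounding spaces allowed.
PORT_TOKEN = re.compile(r"^\s*(\d{1,5})\s*(?:-\s*(\d{1,5})\s*)?$")
VALID_TYPES = {"IP_TCP", "IP_UDP"}
EXPECTED_CHILD = {"highsecurity": "allow", "mediumsecurity": "block"}


def parse_port_attribute(value):
    """Return [(low, high), ...] for a port attribute or raise ValueError.

    Accepts "139", "139, 141, 143" and "135-139" (or a mix) and enforces the
    reference's rule that ports are listed from lower to higher numbers.
    """
    ranges, last = [], -1
    for token in value.split(","):
        m = PORT_TOKEN.match(token)
        if not m:
            raise ValueError(f"malformed port token {token.strip()!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi > 65535:
            raise ValueError(f"port out of range in {token.strip()!r}")
        if hi < lo or lo <= last:
            raise ValueError(f"ports must be listed low to high: {value!r}")
        ranges.append((lo, hi))
        last = hi
    return ranges


def _shape(zone):
    """Tag sequence below a zone element, used to compare the two zones."""
    return [e.tag for e in zone.iter()][1:]


def validate_customsecurity(xml_text):
    """Return a list of problems found; an empty list means the section is valid."""
    problems = []
    root = ET.fromstring(xml_text)
    zones = {name: root.find(name) for name in ("trusted", "internet")}
    for zone, elem in zones.items():
        if elem is None:
            problems.append(f"missing <{zone}> zone")
            continue
        for level, child in EXPECTED_CHILD.items():
            body = elem.find(f"{level}/{child}")
            if body is None:
                problems.append(f"{zone}/{level} must contain <{child}>")
                continue
            where = f"{zone}/{level}/{child}"
            for proto in body.iter("protocol"):
                if proto.get("type") not in VALID_TYPES:
                    problems.append(f"{where}: type must be IP_TCP or IP_UDP, got {proto.get('type')!r}")
                if proto.get("enabled") not in ("true", "false"):
                    problems.append(f"{where}: enabled must be true or false")
                try:
                    parse_port_attribute(proto.get("port", ""))
                except ValueError as err:
                    problems.append(f"{where}: {err}")
    if None not in zones.values() and _shape(zones["trusted"]) != _shape(zones["internet"]):
        problems.append("trusted and internet zones are not built symmetrically")
    return problems


# Constructed zone body; the port numbers are chosen for the example, not taken from the reference.
ZONE_BODY = """
  <highsecurity initialvalues="current">
    <allow cast="true" pingin="false" pingout="true" DNSOut="true" DHCPOut="true">
      <incoming>
        <protocol type="IP_UDP" port="137-138" enabled="true"/>
        <protocol type="IP_TCP" port="139, 445" enabled="true"/>
      </incoming>
      <outgoing>
        <protocol type="IP_UDP" port="53" enabled="true"/>
        <protocol type="IP_TCP" port="80, 443" enabled="true"/>
      </outgoing>
    </allow>
  </highsecurity>
  <mediumsecurity initialvalues="default">
    <block netbiosin="true" netbiosout="true" pingin="false" pingout="false">
      <incoming>
        <protocol type="IP_TCP" port="135-139, 445" enabled="true"/>
      </incoming>
      <outgoing>
        <protocol type="IP_TCP" port="135-139, 445" enabled="true"/>
      </outgoing>
    </block>
  </mediumsecurity>
"""
# Both zones identical, as the reference requires.
GOOD_POLICY = f"<customSecurity><trusted>{ZONE_BODY}</trusted><internet>{ZONE_BODY}</internet></customSecurity>"

# Internet zone with three defects: an unsupported protocol type, a descending
# port range, and a missing mediumsecurity element (which also breaks symmetry).
BAD_ZONE = (ZONE_BODY.replace('type="IP_UDP" port="53"', 'type="IP_ICMP" port="53"')
                     .replace('port="80, 443"', 'port="443-80"'))
BAD_ZONE = BAD_ZONE[:BAD_ZONE.index("<mediumsecurity")]
BAD_POLICY = f"<customSecurity><trusted>{ZONE_BODY}</trusted><internet>{BAD_ZONE}</internet></customSecurity>"

if __name__ == "__main__":
    print("parsed:", parse_port_attribute("135-139, 445"))
    print("good policy problems:", validate_customsecurity(GOOD_POLICY))
    for problem in validate_customsecurity(BAD_POLICY):
        print("bad policy problem:", problem)
```

The validator reports every problem it finds rather than stopping at the first, which is what you want when a generated policy is reviewed in bulk; the descending-range check matters because a range written high to low is exactly the kind of entry that a client may silently ignore, leaving a port open that the policy author believed was blocked.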

Chapter 6 The configuration Functional Category

This chapter describes the configuration functional category of the Check Point XML Policy. The configuration functional category specifies general Integrity client configuration settings.

This chapter contains the following sections:
- Overview of configuration Structure, in the following section, provides an orientation to the overall composition of the configuration functional category's XML elements.
- Specifying autoconfig Settings, on page 74, describes elements and attributes that control automatic, periodic downloading of configuration or XML Policy files.
- Specifying autouploadlog Settings, on page 76, describes elements and attributes that control automatic, periodic uploading of archived log files.
- Specifying cachecleaner Settings, on page 79, describes elements and attributes that specify the automatic removal of unwanted Web browsing artifacts.
- Specifying ics Settings, on page 85, describes the elements and attributes that control Internet Connection Sharing / Network Address Translation (ICS / NAT) alert processing.
- Specifying lockupredirect Settings, on page 87, describes the element and attributes that control where Integrity client directs users that experience firewall problems.

Overview of configuration Structure

The configuration element appears at nesting level 2 of a Check Point XML Policy. The following XPath statement illustrates the location of the configuration element.

/ZoneLabsSettings/configuration

The Check Point XML Policy divides the configuration functional category into five nesting-level 3 child elements. The following illustrates the general structure of the configuration functional category, as well as the placement of the section's child elements.
/ZoneLabsSettings/configuration

    <configuration checkforupdate="true" autorestart="true" disablefirewallaa="false"
        disableprogramaa="false" disablecheckforupdate="false" disablechangeregistration="false"
        systemtrayicon="yes" systemtrayclick="no" allowshutdown="false" disablechangelicense="true"
        supporturl=" " shutdownmessage="error report" warnonlyenterprise="false" alwaysactive="true"
        enforceonlyenterprise="true" exclusivetrustedzone="true" preventshutdownwhenactive="false"
        tvdebugflags="0x30" tvlogsessioncount="500" displaylicensenumber="no"
        displaylicensetext="free form text up to 256 characters"
        displayregistrationtext="free form text up to 256 characters"
        disablesystemeventlogging="true" hidedefaultbuttons="true"
        checkforupdatefrequency="1500" checkforupdatebyweb="true">
        <ics enable="true">
            <client gatewayaddress=" " forwardalerts="true"/>
            <gateway address=" " suppressforwardedalerts="true" restricttoza="true"/>
        </ics>
        <lockupredirect enable="yes" server="zonelabs.com" port="100"/>
        <autoconfig autocheck="true" source="machine.company.com" frequency="boot" timeout="60"
            retries="3" retryinterval="3" lastdownloadtime="invalid date"/>
        <autouploadlog enabled="true" host="machine.company.com" frequency="boot" action="archive"
            timeout="60" retries="3" retryinterval="3"/>
        <cachecleaner autocleandays="14" autoclean="off" cleaniecookies="yes" cleannetscapecookies="no">
            <keepcookies>
                <site URL=" " browser="netscape"/>
                <site URL=" " browser="ie"/>
                <site URL=" " browser="msn"/>
            </keepcookies>
            <browseroptions browser="netscape" cache="keep" URLHistory="clean" autocompleteforms="keep"
                autocompletepasswords="clean" indexfiles="keep" typedurls="clean" mailtrash="keep"
                formsdata="clean"/>
            <browseroptions browser="ie" cache="clean" URLHistory="keep" autocompleteforms="clean"
                autocompletepasswords="keep" indexfiles="clean" typedurls="keep" mailtrash="clean"
                formsdata="clean"/>
            <systemoptions dochistory="keep" recyclebin="clean" tempdirectory="keep" findhistory="keep"
                scandisk="clean" mediaplayer="clean" runhistory="clean"/>
        </cachecleaner>
    </configuration>

The configuration Element

The configuration element:
- Specifies user interface, license key, and registration data behaviors
- Functions as a container element for five level-3 child elements

The following table lists the configuration element's attributes.

/ZoneLabsSettings/configuration

allowshutdown (Allow users to shut down Integrity client.)
    Specify the allowshutdown attribute equal to true to allow end users to shut down Integrity client from the System Tray or Start menu. If allowshutdown is equal to false, Integrity client:
    - Disables the System Tray icon's Shutdown Check Point Integrity menu item
    - Disables the Run Check Point Integrity Flex at startup check box located in the Overview panel's Preferences tab
    See User Interface Control Attributes, on page 73, for a description of the interactions between the allowshutdown, showminimized, systemtrayclick, and systemtrayicon attributes.
alwaysactive (Always enforce an enterprise security policy.)
    Specify the alwaysactive attribute equal to true to keep an enterprise policy in force when Integrity client is disconnected from Integrity Server. If alwaysactive is equal to false, Integrity client uses the personal policy when Integrity client is disconnected from Integrity Server.
autorestart (Automatically restart Integrity client after a failure.)
    Specify the autorestart attribute equal to true to automatically restart Integrity client without prompting after a system failure. The autorestart attribute does not have a Control Center counterpart.
checkforupdate (Periodically check for updated versions of Integrity client.)
    Specify the checkforupdate attribute equal to true to have Integrity client periodically check for updated versions. The user-level checkforupdate attribute is overridden by the value of the enterprise-level disablecheckforupdate attribute described later in this table. Use the checkforupdatefrequency attribute, described later in this table, to specify how often to check for updates. Use the checkforupdatebyweb attribute, described in the following table entry, to open a Web browser if the update check fails.

/ZoneLabsSettings/configuration (continued)

checkforupdatebyweb (Automatically open the check-for-update URL.)
    Specify the checkforupdatebyweb attribute equal to true to open a Web browser to the check-for-update URL if the initial check for update fails. See also the checkforupdate attribute, described in the preceding table entry.
checkforupdatefrequency (Specify how frequently to check for updates.)
    Type: integer; a number of days.
    Use the checkforupdatefrequency attribute to specify how frequently, in days, to check for updated versions of Integrity client. The user-level checkforupdate attribute, described earlier in this table, or the enterprise-level disablecheckforupdate attribute, described later in this table, must be true to enable the checkforupdatefrequency attribute.
disablechangelicense (Prevent the Control Center from changing the product license key.)
    Specify the disablechangelicense attribute equal to true to prevent the use of the Integrity client Control Center to change the product license key.
disablechangeregistration (Prevent the Control Center from changing the product registration information.)
    Specify the disablechangeregistration attribute equal to true to prevent the use of the Integrity client Control Center to change product registration information.
disablecheckforupdate (Periodically check for updated versions of Integrity client.)
    Specify the disablecheckforupdate attribute equal to true to have Integrity client periodically check for updated versions. Use the checkforupdatefrequency attribute, described earlier in this table, to specify how often to check for updates. The enterprise-level disablecheckforupdate attribute overrides the user-level checkforupdate attribute described earlier in this table.
disablefirewallaa (Suppress display of the Alert Advisor portion of firewall alert boxes.)
    Specify the disablefirewallaa attribute equal to true to remove the Alert Advisor's "for more information" text and button from alert boxes created by firewall alerts.
disableprogramaa (Suppress display of the Alert Advisor portion of program alert boxes.)
    Specify the disableprogramaa attribute equal to true to remove the Alert Advisor's "for more information" text and button from alert boxes created by program alerts.

/ZoneLabsSettings/configuration (continued)

disablesystemeventlogging
    Suppress logging of system events.
    Specify the disablesystemeventlogging attribute equal to true to disable logging of all system events.

displaylicensenumber
    Allow the Control Center to display the product's license key.
    Specify the displaylicensenumber attribute equal to true to enable Control Center display of Integrity client's license key. Use the displaylicensetext attribute, described in the following table entry, to completely suppress the display of the Licensing Information area on the Overview panel's Product Info tab.

displaylicensetext
    Allow the Control Center to display the License key area.
    Specify the displaylicensetext attribute equal to true to enable the Control Center to display the license key area on the Overview panel's Product Info tab. Use the displaylicensenumber attribute, described in the preceding table entry, to suppress only the display of the product licensing key.

displayregistrationtext
    Allow the Control Center to display product registration information.
    Specify the displayregistrationtext attribute equal to true to display Integrity client's registration data on the Overview panel's Product Info tab.

enforceonlyenterprise
    Disable policy arbitration.
    Specify the enforceonlyenterprise attribute equal to true to enforce only the Enterprise security policy. If enforceonlyenterprise is true, Integrity client no longer arbitrates the settings of the personal and Enterprise security policies.

errorloguploaddirectory
    Specify error log upload destination.
    Type: formatted string. URL and pathname of the destination for uploaded alert log information.
    Use the errorloguploaddirectory attribute to specify a target computer and folder to receive error logs regardless of the lockupredirect element's attributes, described on page 88. The errorloguploaddirectory attribute overrides any lockupredirect attributes: if errorloguploaddirectory is specified, Integrity client always uploads alert log data to that destination regardless of the lockupredirect element's settings.

/ZoneLabsSettings/configuration (continued)

exclusivelocalzone
    Limit network access to enterprise Trusted Zone entries.
    Specify the exclusivetrustedzone attribute equal to true to override a personal security policy's Trusted Zone with the Enterprise security policy's Trusted Zone.

hidedefaultbuttons
    Remove the Reset to default button from the Control Center.
    Specify the hidedefaultbuttons attribute equal to true to remove all Reset to default buttons from the Control Center user interface.

loadatstartup
    Load Integrity client when the computer starts up.
    Specify the loadatstartup attribute equal to true to start Integrity client when the computer starts up.

preventshutdownwhenactive
    Prevent shutdown when an Enterprise security policy is being enforced.
    Specify the preventshutdownwhenactive attribute equal to true to prevent shutdown of Integrity client when an Enterprise security policy is active.

shutdownmessage
    Display a message when the user shuts down Integrity client.
    Type: string. Free-form text string.
    Specify the shutdownmessage attribute to display a custom message whenever the user attempts to shut down Integrity client. Use the allowshutdown attribute, described on page 67, to prevent an end-user from shutting down Integrity client. Custom shutdown messages are stored in the Integrity client database: if the database is deleted as part of an uninstall or upgrade, the custom shutdown message is lost.

supporttext, supporttext2
    Add a text description to a support URL.
    Type: string. Free-form text string.
    Use the supporttext or supporttext2 attribute to display a custom message when directing an Integrity client user to the corporate support site. The two separate support text messages allow primary and secondary support text messages to be used in conjunction with the primary and secondary supporturl and supporturl2 attributes described in the following table entry.

/ZoneLabsSettings/configuration (continued)

supporturl, supporturl2
    Specify the location of a corporate support site.
    Type: formatted string. String formatted as a valid corporate support URL.
    Use the supporturl and supporturl2 attributes to specify the URLs of the primary and secondary corporate support sites. The two separate support URL attributes allow primary and secondary support sites to be defined. See also the supporttext and supporttext2 attributes in the preceding table entry. The examples below apply to either supporturl or supporturl2.

    Integrity client users who are not in compliance with current enterprise security requirements, such as a specific version of Integrity client, are automatically connected to one of two Web pages:

    If the supporturl attribute is not specified, Integrity client connects the end-point computer to the Check Point support page at (line break added for readability):
        /store/content/company/corpsales/zapidoverview.jsp

    If the supporturl attribute specifies a URL or IP address, then Integrity client is connected to the specified address. The following illustrates the general form of supporturl (line breaks added for readability):
        <configure SupportURL= IP Addr.}/sandbox/index.htm >

    The only portion of the supporturl parameter that is user-specifiable is the URL or IP address variable: Integrity client automatically appends the correct reason and language-country codes to the supporturl statement. The general form of the automatically appended variable string is:
        {URL IP Address} /index.html?reason=support&locale=language Code

    To clear a previously specified value for supporturl, specify supporturl with no URL or IP address information. The following example illustrates clearing the existing value of supporturl:
        <configuration other attributes supporturl="" >

    Integrity Server 2.2 recognizes four default language-country codes:
        en-us for U.S. English
        de-de for German
        fr-fr for French
        ja-jp for Japanese

    See also the supporttext attribute in the preceding table entry.

/ZoneLabsSettings/configuration (continued)

systemtrayclick
    Enable the end-user to use the Integrity client Control Center.
    Specify the systemtrayclick attribute equal to true to enable end-user access to the Integrity client Control Center. The systemtrayclick attribute:
        Is supplied by Integrity Server as part of an enterprise security policy
        Cannot be configured by an end-user
        Is generally used only for instances of Integrity Agent
    If systemtrayclick is equal to false, and network connectivity to the client computer is not available, then Integrity client settings cannot be changed: the computer may become unmanageable. See User Interface Control Attributes, on page 73, for a description of the interactions between the allowshutdown, showminimized, systemtrayclick, and systemtrayicon attributes.

systemtrayicon
    Suppress display of the Integrity client Control Center.
    Specify the systemtrayicon attribute equal to true to display the Integrity client Control Center (graphical user interface). If systemtrayicon equals false, Integrity client:
        Completely suppresses the display of the Control Center.
        Completely suppresses the display of the Integrity client icon in the Windows System Tray.
        Does not suppress the display of Alert boxes.
    The systemtrayicon attribute:
        Is automatically supplied by Integrity Server as part of an enterprise security policy
        Cannot be configured by an end-user.
    See User Interface Control Attributes, on page 73, for a description of the interactions between the allowshutdown, showminimized, systemtrayclick, and systemtrayicon attributes.

tvdebugflags
    Do not specify unless directed to by Check Point.
    Specify the tvdebugflags attribute equal to true only as directed by Check Point Technical Support.

tvlogsessioncount
    Do not specify unless directed to by Check Point.
    Specify the tvlogsessioncount attribute equal to true only as directed by Check Point Technical Support.

/ZoneLabsSettings/configuration (continued)

warnonlyenterprise
    Warn the user when an enterprise security policy disables a personal security policy.
    Specify the warnonlyenterprise attribute equal to true to display a warning when an enterprise security policy disables a personal security policy.

Level 3 child elements
    autoconfig: The autoconfig element is described in the following section.
    autouploadlog: The autouploadlog element is described on page 74.
    cachecleaner: The cachecleaner element is described on page 79.
    ics: The ics element is described on page 85.
    lockupredirect: The lockupredirect element is described on page 87.

User Interface Control Attributes

The configuration element contains three of the four parameters that control the Integrity client user interface; the preferences element's showminimized attribute, described on page 151, also affects Control Center behavior. The following list gives the four parameters that affect Control Center display and operation, and their interactions. The table compares each parameter against four effects: starting the Control Center as an icon in the System Tray, preventing shutdown of Integrity client, preventing opening or closing of the Control Center, and completely concealing the Control Center. The comments for each parameter follow.

showminimized
    If showminimized equals true, when Integrity client starts the Control Center is kept closed; the user must double-click the Integrity icon in the Windows System Tray to open the Control Center.

allowshutdown
    Also controllable with the Control Center's Run at startup check box.

systemtrayclick
    Use in conjunction with showminimized to hide the Control Center but display the Integrity client icon in the Windows System Tray.

systemtrayicon
    Completely suppresses both the Control Center and the System Tray icon: no user interface elements are available.

The systemtrayicon Attribute and Display of Alert Boxes

As described in the preceding table, the systemtrayicon attribute completely suppresses all user interface elements. The systemtrayicon attribute does not, however, prevent the display of alert boxes.

Specifying autoconfig Settings

Use the autoconfig element to have Integrity Desktop periodically download ("pull") XML Policy or configuration files from a Web server. While Integrity Agent and Integrity Flex operate best when centrally managed by Integrity Server, they also have the ability to use the AutoConfig feature to download policy files from a Web server.

The autoconfig Element

The autoconfig element contains attributes that specify:
    The Web server that contains configuration files to download ("pull")
    The frequency at which to download XML Policy or configuration files
    The date and time of the last successful download of an XML Policy or configuration file

The following table lists the autoconfig element's attributes.

/ZoneLabsSettings/configuration/autoconfig

autocheck
    Enable periodic downloading of configuration files.
    Specify the autocheck attribute equal to true to enable the automatic, periodic downloading of configuration files from a Web server. The autocheck attribute must be true to enable the other autoconfig attributes described in this table.

frequency
    Specify how often to download an XML Policy or configuration file.
    Type: integer. boot, daily, weekly, or an integer number of minutes.
    Use the frequency attribute to specify how often to seek a new configuration file at the address specified by the source attribute, described later in this table. Any integer value is interpreted as a number of minutes. Integrity client cannot check for an updated configuration file more frequently than the end-point computer is rebooted. The autocheck attribute, described earlier in this table, must be true to enable the frequency attribute.

/ZoneLabsSettings/configuration/autoconfig (continued)

lastdownloadtime
    Read-only time of last successful download.
    Displayed value: read-only formatted string, formatted as yyyy-mm-dd_hh:mm:ss.
    Integrity Desktop automatically updates the value of the lastdownloadtime attribute at the time a successful download has completed. The autocheck attribute, described earlier in this table, must be true to enable the updating of the lastdownloadtime attribute.

retries
    Specify how many times to retry a failed download.
    Type: integer (number of retry attempts).
    Use the retries attribute to specify how many times Integrity Desktop will attempt to complete an unsuccessful download. The retries attribute operates in conjunction with the retryinterval attribute, described in the following table entry, and the timeout attribute, described later in this table. The autocheck attribute, described earlier in this table, must be true to enable the retries attribute.

retryinterval
    Specify how long to wait between unsuccessful download attempts.
    Type: integer (number of seconds).
    Use the retryinterval attribute to specify how many seconds to wait between unsuccessful download attempts. The retryinterval attribute operates in conjunction with the retries attribute, described in the preceding table entry, and the timeout attribute, described later in this table. The autocheck attribute, described earlier in this table, must be true to enable the retryinterval attribute.

source
    Specify the source of configuration or XML Policy files.
    Type: formatted string. Valid URL or IP address of a Web server plus the /pathname/policy.xml pathname specifier.
    Use the source attribute to specify the location of the Web server and the location on disk on that Web server containing configuration or XML Policy files. The autocheck attribute, described earlier in this table, must be true to enable the source attribute.

/ZoneLabsSettings/configuration/autoconfig (continued)

timeout
    Specify how long to wait before abandoning an unsuccessful download attempt.
    Type: integer (number of seconds).
    Use the timeout attribute to specify how many seconds Integrity Desktop will wait before abandoning a download attempt. The timeout attribute operates in conjunction with the retries attribute and the retryinterval attribute, both described earlier in this table. The autocheck attribute, described earlier in this table, must be true to enable the timeout attribute.

Level 4 child elements
    None. The autoconfig element contains no child elements.

Specifying autouploadlog Settings

Use the autouploadlog element to have Integrity Desktop periodically upload archived log files to a Microsoft IIS server (no other type of server is supported at this time). While Integrity Agent and Integrity Flex operate best when centrally managed by Integrity Server, they also have the ability to use the AutoUploadLog feature to periodically upload log information. See The logging Element, on page 17, for a description of the XML Policy element and attributes used to specify periodic archiving of alert data.

The autouploadlog Element

The autouploadlog element contains attributes that specify:
    The Microsoft IIS server that contains configuration files to download ("pull")
    The frequency at which to download XML Policy or configuration files
    The date and time of the last successful download of an XML Policy or configuration file

The following table lists the autouploadlog element's attributes.

/ZoneLabsSettings/configuration/autouploadlog

action
    Archive or delete previously uploaded alert log files.
    Type: enumeration. archive, delete, off.
    Use the action attribute to specify what Integrity client does with archived alert logs that have been successfully uploaded:
        archive retains previously uploaded log files on the end-point computer's hard disk
        delete deletes previously uploaded log files from the end-point computer's hard disk
        off performs no action on previously uploaded log files

enable
    Enable periodic uploading of archived log files.
    Specify the enable attribute equal to true to enable the automatic, periodic uploading of archived log files to a Microsoft IIS server. The enable attribute must be true to enable the other autouploadlog attributes described in this table.

frequency
    Specify how often to upload archived log files.
    Type: integer. boot, daily, weekly, or an integer number of minutes.
    Use the frequency attribute to specify how often Integrity Desktop uploads archived log files to the Windows IIS server specified by the host attribute, described in the following table entry. Any integer value is interpreted as a number of minutes. Integrity client cannot upload archived log files more frequently than the end-point computer is rebooted. The enable attribute, described in the preceding table entry, must be true to enable the frequency attribute.

/ZoneLabsSettings/configuration/autouploadlog (continued)

host
    Specify the location of the Windows IIS Server and the IDLogUpload.asp Active Server Page.
    Type: formatted string. Valid pointer to the IDLogUpload.asp Active Server Page.
    Use the host attribute to specify the URL or IP address of the Windows IIS server to receive uploaded log files. For example:

    In the preceding example:
        Either http or https (secure transfer mode) is a valid transfer mode.
        The path name \inetpubs\wwwroot\ is the Check Point-standard path name. If a different path name is specified, you must update the RemoteRelativeDirectory variable in the IDLogUpload.asp Active Server Page to reflect the new path.
        The last variable in the host attribute must be the name of the Active Server Page, IDLogUpload.asp.
    The enable attribute, described earlier in this table, must be true to enable the host attribute.

retries
    Specify how many times to attempt an upload.
    Type: integer (number of retry attempts).
    Use the retries attribute to specify how many times Integrity Desktop will attempt to complete an unsuccessful upload. The retries attribute operates in conjunction with the retryinterval attribute, described in the following table entry, and the timeout attribute, described later in this table. The enable attribute, described earlier in this table, must be true to enable the retries attribute.

retryinterval
    Specify how long to wait between unsuccessful upload attempts.
    Type: integer (number of seconds).
    Use the retryinterval attribute to specify how many seconds to wait between unsuccessful upload attempts. The retryinterval attribute operates in conjunction with the retries attribute, described in the preceding table entry, and the timeout attribute, described later in this table. The enable attribute, described earlier in this table, must be true to enable the retryinterval attribute.

/ZoneLabsSettings/configuration/autouploadlog (continued)

timeout
    Specify how long to wait before abandoning an unsuccessful upload attempt.
    Type: integer (number of seconds).
    Use the timeout attribute to specify how many seconds Integrity Desktop will wait before abandoning an upload attempt. The timeout attribute operates in conjunction with the retries attribute and the retryinterval attribute, both described earlier in this table. The enable attribute, described earlier in this table, must be true to enable the timeout attribute.

Level 4 child elements
    None. The autouploadlog element contains no child elements.

Specifying cachecleaner Settings

The cachecleaner element and its child elements provide a means of periodically cleaning browsing artifacts, such as cookies, URL histories, and forms data, from the end-point computer's hard disk. The Check Point XML Policy divides the cachecleaner functionality into three primary categories of elements or child elements:
    The cachecleaner element, described in the following section
    The browseroptions child element, described on page 81
    The //keepcookies/site child elements, described on page 83
    The systemoptions child element, described on page 84

The cachecleaner Element

The cachecleaner element:
    Specifies general cache cleaning behaviors
    Functions as a container element for the browseroptions, keepcookies/site, and systemoptions child elements

The following table lists the cachecleaner element's attributes.

/ZoneLabsSettings/configuration/cacheCleaner

autoclean
    Enable automatic cache cleaning.
    Specify the autoclean attribute equal to true to enable automatic, periodic cleaning of browsing artifacts. The autoclean attribute must be true to enable the other cache cleaner attributes described in this table.

autocleandays
    Specify automatic cache cleaning frequency.
    Type: integer (number of days).
    Use the autocleandays attribute to specify how often the automatic, periodic cleaning of browsing artifacts occurs. The autoclean attribute, described in the preceding table entry, must be true to enable the autocleandays attribute.

cleaniecookies
    Clean Internet Explorer cookies.
    Specify the cleaniecookies attribute equal to true to delete the contents of Internet Explorer's cookie cache. The autoclean attribute, described earlier in this table, must be true to enable the cleaniecookies attribute.

cleannetscapecookies
    Clean Netscape Navigator cookies.
    Specify the cleannetscapecookies attribute equal to true to delete the contents of Netscape Navigator's cookie cache. The autoclean attribute, described earlier in this table, must be true to enable the cleannetscapecookies attribute.

Level 4 child elements
    browseroptions: The browseroptions element is described in the following section.
    keepcookies: The keepcookies element is described on page 83.
    systemoptions: The systemoptions element is described on page 84.

The browseroptions Element

Use the browseroptions element to specify browser-specific cache cleaning options. The following images illustrate the differences between the options available for the Microsoft Internet Explorer / Microsoft Network and Netscape Navigator browsers.

[Figure: Internet Explorer cache cleaner options]
[Figure: Netscape Navigator cache cleaner options]

The following table lists the browseroptions element's attributes. The table also identifies whether the attribute applies to Internet Explorer (IE) or Netscape Navigator (NN).

/ZoneLabsSettings/configuration/browserOptions

autocompleteforms (IE)
    Clean information typed into forms.
    Type: enumeration. clean, keep.
    Specify the autocompleteforms attribute equal to clean to delete data used to complete Web forms. The autocompleteforms attribute is enabled when the browser attribute, described later in this table, specifies Internet Explorer.

autocompletepasswords (IE)
    Clean saved passwords.
    Type: enumeration. clean, keep.
    Specify the autocompletepasswords attribute equal to clean to delete passwords entered into Web dialog boxes. The autocompletepasswords attribute is enabled when the browser attribute, described in the following table entry, specifies Internet Explorer.

/ZoneLabsSettings/configuration/browserOptions (continued)

browser (IE, NN)
    Specify the type of Web browser.
    Type: enumeration. IE, Netscape, MSN, all. The MSN and all specifiers do not have corresponding Control Center controls.
    Use the browser attribute to specify which browsers (Microsoft Internet Explorer, Internet Explorer for Microsoft Network (MSN), Netscape Navigator, or all) are managed by the browseroptions element. The value of the browser attribute enables or disables the other attributes described in this table. Integrity client 4.x operates identically on MSN and IE browsers.

cache (IE, NN)
    Clean stored content and images.
    Type: enumeration. clean, keep.
    Specify the cache attribute equal to clean to delete HTML content and related images stored in the Web browser's cache. The cache attribute is enabled when the browser attribute, described in the preceding table entry, specifies either Internet Explorer or Netscape Navigator.

formsdata (NN)
    Clean information typed into forms.
    Type: enumeration. clean, keep.
    Specify the formsdata attribute equal to clean to delete data used to complete Web forms. The formsdata attribute is enabled when the browser attribute, described earlier in this table, specifies Netscape Navigator.

indexfiles (IE)
    Clean index.dat files.
    Type: enumeration. clean, keep.
    Specify the indexfiles attribute equal to clean to delete stored index.dat files. The indexfiles attribute is enabled when the browser attribute, described earlier in this table, specifies Internet Explorer.

mailtrash (NN)
    Clean Navigator's Trash folder.
    Type: enumeration. clean, keep.
    Specify the mailtrash attribute equal to clean to delete the contents of Netscape Navigator's Trash folder. The mailtrash attribute is enabled when the browser attribute, described earlier in this table, specifies Netscape Navigator.

/ZoneLabsSettings/configuration/browserOptions (continued)

typedurls (IE)
    Clean the typed URLs history.
    Type: enumeration. clean, keep.
    Specify the typedurls attribute equal to clean to delete the history of URLs typed into Internet Explorer's location bar. The typedurls attribute is enabled when the browser attribute, described earlier in this table, specifies Internet Explorer.

URLHistory (IE, NN)
    Clean the browsed URLs history.
    Type: enumeration. clean, keep.
    Specify the URLHistory attribute equal to clean to delete the history of browsed URLs. The URLHistory attribute is enabled when the browser attribute, described earlier in this table, specifies either Internet Explorer or Netscape Navigator.

Level 4 child elements
    None. The browseroptions element contains no child elements.

The //cachecleaner/keepcookies/site Child Element

The cachecleaner functional category provides a means of excluding specific Web sites or IP addresses from cache cleaning. The following illustrates the general form of the keepcookies parent element and site child elements:

<keepcookies>
    <site URL=" browser="netscape"/>
    <site URL=" browser="ie"/>
    <site URL=" browser="msn"/>
</keepcookies>

The keepcookies element serves as a container element for one or more site child elements. Each site element in turn specifies a Web site or IP address for which cookies are retained during cache cleaning. The following table lists the site element's attributes.

/ZoneLabsSettings/configuration/cacheCleaner/keepCookies/site

browser
    Specify a Web browser.
    Type: enumeration. IE, Netscape.
    Use the browser attribute to specify whether the site element applies to the Internet Explorer or Netscape Navigator cookie cache.

/ZoneLabsSettings/configuration/cacheCleaner/keepCookies/site (continued)

URL
    Specify a URL or IP address.
    Type: formatted string. String formatted as a valid URL or IP address.
    Use the URL attribute to specify the URL or IP address of a site for which cookies are retained during cache cleaning.

Level 5 child elements
    None. The site element contains no child elements.

The systemoptions Element

The systemoptions element specifies cache cleaning behaviors for the Windows operating system. The following table lists the systemoptions element's attributes.

/ZoneLabsSettings/configuration/cacheCleaner/systemOptions

dochistory
    Clean the Windows Document History folder.
    Type: enumeration. clean, keep.
    Specify the dochistory attribute equal to clean to delete the contents of the Windows Document History folder.

findhistory
    Clean the Windows Find Files history.
    Type: enumeration. clean, keep.
    Specify the findhistory attribute equal to clean to delete the contents of the Windows Find Files history.

mediaplayer
    Clean the Microsoft Media Player's cache and history folders.
    Type: enumeration. clean, keep.
    Specify the mediaplayer attribute equal to clean to delete the contents of the Windows Media Player's cache folder and history.

recyclebin
    Clean the Windows Recycle Bin.
    Type: enumeration. clean, keep.
    Specify the recyclebin attribute equal to clean to delete the contents of the Windows Recycle Bin.

runhistory
    Clean the Windows Run history.
    Type: enumeration. clean, keep.
    Specify the runhistory attribute equal to clean to delete the contents of the Windows Run history.

scandisk
    Clean the Windows Scandisk file fragments.
    Type: enumeration. clean, keep.
    Specify the scandisk attribute equal to clean to delete Scan Disk fragments.

/ZoneLabsSettings/configuration/cacheCleaner/systemOptions (continued)

tempdirectory
    Clean the Windows Temp folder.
    Type: enumeration. clean, keep.
    Specify the tempdirectory attribute equal to clean to delete the contents of the Windows Temp (temporary files) folder.

Level 5 child elements
    None. The systemoptions element contains no child elements.

Specifying ics Settings

The ics element specifies Internet Connection Sharing / Network Address Translation (ICS / NAT) security behaviors. Internet Connection Sharing allows simple networking between end-point computers running Microsoft Windows. Integrity client provides a mechanism for selectively creating and forwarding alerts generated from end-point computers operating as an ICS gateway or client. The Check Point XML Policy contains three elements that control ICS security behaviors:
    The ics element specifies whether the end-point computer is part of an ICS network and functions as a container element for the client and gateway child elements.
    The client element specifies the IP address of the client computer as well as the alert-forwarding behavior of that computer.
    The gateway child element specifies the IP address of the gateway computer as well as the alert-forwarding behavior of that computer.
The following sections describe each of the ICS elements and attributes.

The ics Element

The ics element:
    Specifies whether the end-point computer is part of an ICS network
    Functions as a container element for the client and gateway elements

The following table lists the ics element's attributes.

/ZoneLabsSettings/configuration/ics

  Attribute: enable
    Purpose: Specify whether the end-point computer is part of an ICS network.
    Description: Specify the enable attribute equal to true to identify the end-point computer as part of an ICS network. The enable attribute must be true to enable the client and gateway child elements described in the following sections.

  Level 4 child elements:
    client    The client element is described in the following section.
    gateway   The gateway element is described on page 87.

The client Element

The client element specifies settings for ICS network client computers. The following table lists the client element's attributes.

/ZoneLabsSettings/configuration/ics/client

  Attribute: forwardalerts
    Purpose: Forward ICS client computer alerts.
    Description: On an ICS/NAT client computer, specify the forwardalerts attribute equal to true to have alerts forwarded to that ICS network's gateway computer. If the computer is a client of an ICS/NAT gateway and forwardalerts is equal to true, then the client computer's instance of Integrity client forwards alerts to that ICS network's gateway computer. The ics element's enable attribute, described in the preceding section, must be true to enable the forwardalerts attribute.

  Attribute: gatewayaddress
    Purpose: Specify the IP address of the client's ICS gateway computer.
    Type and values: formatted string; a valid IP address of an ICS network gateway computer.
    Description: Use the gatewayaddress attribute to specify the IP address of the ICS gateway computer that services this client. The ics element's enable attribute, described in the preceding section, must be true to enable the gatewayaddress attribute.

  Level 5 child elements: none. The client element contains no child elements.

The gateway Element

The gateway element specifies settings for the ICS network's gateway computer. The following table lists the gateway element's attributes.

/ZoneLabsSettings/configuration/ics/gateway

  Attribute: address
    Purpose: Specify the IP address of the ICS gateway computer.
    Type and values: formatted string; a valid IP address of the ICS network's gateway computer.
    Description: Use the address attribute to specify the ICS gateway computer's IP address. The ics element's enable attribute, described on page 86, must be true to enable the address attribute.

  Attribute: restricttoza
    Purpose: Create alerts only for computers running Integrity client.
    Description: Specify the restricttoza attribute equal to true to create alerts only for clients running Integrity client software. The ics element's enable attribute, described on page 86, must be true to enable the restricttoza attribute.

  Attribute: suppressforwardedalerts
    Purpose: Do not display alerts originating from ICS client computers.
    Description: On an ICS/NAT gateway computer, specify the suppressforwardedalerts attribute equal to true to suppress the display of client-originated alerts on the ICS gateway computer. If the computer is an ICS/NAT gateway and suppressforwardedalerts is equal to true, then the ICS gateway computer does not display alerts forwarded to it from ICS client computers. The ics element's enable attribute, described on page 86, must be true to enable the suppressforwardedalerts attribute.

  Level 5 child elements: none. The gateway element contains no child elements.

Specifying lockupredirect Settings

In certain rare instances, Integrity client prevents an end-point computer from further operation until the TrueVector firewall has been reset.

Integrity client contains the address of a Check Point Web page that users see if this situation occurs. The lockupredirect element and its attributes allow you to specify a non-default address, so that corporate users receive a customized support page instead of the default Check Point page. The following section describes the lockupredirect element and its attributes.

The lockupredirect Element

Use the lockupredirect element to specify a non-default corporate support URL. The following table lists the lockupredirect element's attributes.

/ZoneLabsSettings/configuration/lockupRedirect

  Attribute: enable
    Purpose: Enable lockup redirect functionality.
    Type and values: default equals false for Integrity client; default equals true for consumer-level products.
    Description: Specify the enable attribute equal to true to have Integrity client redirect locked users to either the default server, lockup.zonelabs.com, or an administrator-specified server. Which server a locked user is redirected to depends on the value of the server attribute, described later in this table. The enable attribute must be true to enable the other lockupredirect attributes described in this table.

  Attribute: port
    Purpose: Specify the lockup redirect server's port number.
    Type and values: integer; a valid lockup server port number.
    Description: Use the port attribute to specify the port number on the lockup server specified by the server attribute, described in the following table entry. The enable attribute, described in the preceding table entry, must be true to enable the port attribute.

  Attribute: server
    Purpose: Specify the lockup redirect server's IP address.
    Type and values: formatted string; a valid IP address of a corporate support server. Default equals lockup.zonelabs.com.
    Description: Use the server attribute to specify the URL or IP address of a corporate help page or site for locked users. Omit the server attribute, or specify server equal to Default, to direct a locked user to the default Check Point lockup page on the Internet at lockup.zonelabs.com. Specify server as a URL or IP address to direct a locked user to a custom, administrator-specified page on the corporate intranet. The enable attribute, described earlier in this table, must be true to enable the server attribute.

  Level 5 child elements: none. The lockupredirect element contains no child elements.
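The ics and lockupredirect tables above share one pattern: several attributes take effect only while a governing enable attribute is true, so a policy can carry settings that silently do nothing. The following policy lint, written for this reference as an added example (not Check Point code), parses a constructed configuration fragment with the standard library and reports attributes that are set while their governing enable attribute is absent or false. The gating table is taken from the "must be true to enable" statements above; the sample values are made up.

```python
import xml.etree.ElementTree as ET

# Constructed configuration fragment (made up for this example, not a real policy):
# ics is enabled, lockupRedirect is not, so its port and server settings are inert.
SAMPLE_CONFIGURATION = """<ZoneLabsSettings>
  <configuration>
    <ics enable="true">
      <client forwardalerts="true" gatewayaddress="192.168.0.1"/>
      <gateway address="192.168.0.1" restricttoza="true"
               suppressforwardedalerts="false"/>
    </ics>
    <lockupRedirect enable="false" port="8080" server="support.intranet.example"/>
  </configuration>
</ZoneLabsSettings>"""

# Each entry: path of the gating element, its enable attribute, the governed
# element ("." for the gating element itself) and the attributes it governs.
# Taken from the "must be true to enable ..." statements in the reference.
GATING_RULES = [
    ("configuration/ics", "enable", "client",
     ("forwardalerts", "gatewayaddress")),
    ("configuration/ics", "enable", "gateway",
     ("address", "restricttoza", "suppressforwardedalerts")),
    ("configuration/lockupRedirect", "enable", ".", ("port", "server")),
]


def is_true(value):
    """Boolean attributes in the policy are the strings true/false."""
    return (value or "").strip().lower() == "true"


def find_inert_attributes(policy_xml):
    """Return (element path, attribute) pairs that are set although the
    enable attribute governing them is absent or false."""
    root = ET.fromstring(policy_xml)
    findings = []
    for gate_path, gate_attr, governed, attrs in GATING_RULES:
        for gate in root.findall(gate_path):
            if is_true(gate.get(gate_attr)):
                continue
            if governed == ".":
                targets, label = [gate], gate_path
            else:
                targets, label = gate.findall(governed), f"{gate_path}/{governed}"
            for target in targets:
                for attr in attrs:
                    if target.get(attr) is not None:
                        findings.append((label, attr))
    return findings


if __name__ == "__main__":
    for path, attr in find_inert_attributes(SAMPLE_CONFIGURATION):
        print(f"{path}@{attr} is set but its enable attribute is not true")
```

Run against the sample, the lint reports the lockupRedirect port and server; if an administrator expected locked users to reach the intranet support page, that finding is the clue that enable was never switched on.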

Chapter 7 The e-mail Functional Category

This chapter describes the e-mail functional category of the Check Point XML Policy. The e-mail functional category specifies how Integrity client protects the end-point computer from potentially harmful e-mail attachments. This chapter contains the following sections:

  Overview of e-mail Structure, in the following section, provides an orientation to the overall composition of the e-mail functional category's XML elements.
  Specifying e-mail Security Behaviors, on page 90, describes the elements that control the general operation of Integrity client's e-mail Protection feature.
  Specifying Attachment Types, on page 94, lists Integrity client's 44 default extension types and illustrates how to add new or custom attachment type definitions.

Overview of e-mail Structure

The e-mail element appears at nesting level 3 of a Check Point XML Policy. The following XPath statement illustrates the location of the element ([e-mail element] stands for the element's name):

/ZoneLabsSettings/ruleset[@name="runningruleset"]/[e-mail element]

The following illustrates the general structure of the e-mail functional section.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/[e-mail element]
  <attachments keepsettings="default" mainswitch="false" alertonquarantine="yes">
    <quarantine active="not used" alert="false">
      <file extension="adp" description="ms-dos Application" active="true"/>
      ... 44 default attachment types plus any user-defined types ...
      <file extension="wsh" description="windows Scripting Host Settings File" active="true"/>
    </quarantine>
  </attachments>
</[e-mail element]>
... remaining XML Policy elements and attributes ...

The following sections describe the child elements and attributes contained in the e-mail functional category.

Specifying e-mail Security Behaviors

The attachments, outboundmail, and quarantine elements control the overall operation of Integrity client's e-mail Protection feature. The following sections list each of these elements' attributes.

The attachments Element

The attachments element:

  Specifies general Integrity client e-mail Protection behavior
  Functions as a parent element for the quarantine element

The following table lists the attachments element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/[e-mail element]/attachments

  Attribute: alertonquarantine
    Purpose: Generate an alert whenever an attachment has been quarantined.
    Description: Specify the alertonquarantine attribute equal to true to generate an alert whenever Integrity client quarantines an attachment.

  Attribute: keepsettings
    Purpose: Retain or discard existing e-mail settings when an updated security policy is loaded.
    Type and values: enumeration; all, default, none.
    Description: Use the keepsettings attribute to specify how existing definitions are managed when Integrity client loads a new configuration or policy file. keepsettings recognizes three values:
      all directs Integrity client to append new MailSafe definitions to those already defined in the MailSafe section.
      default directs Integrity client to re-initialize the MailSafe section with the default MailSafe definitions, then append any new MailSafe definitions to the list of defaults.
      none directs Integrity client to completely clear all existing MailSafe definitions, then re-write the MailSafe section with any new MailSafe definitions.

  Attribute: mainswitch
    Purpose: Enable e-mail Protection.
    Description: Specify the mainswitch attribute equal to true to enable Integrity client's e-mail Protection feature.

  Level 5 child elements:
    quarantine   The quarantine element is described on page 93.

The outboundmail Element

Integrity client's Outbound e-mail Protection feature prevents user-specified programs from originating outbound e-mails. Outbound e-mails can be blocked based on the quantity of outbound e-mails in a given interval or by addressee. The XML Policy's outboundmail element specifies the Outbound e-mail Protection feature's blocking and protection behaviors.

The following table lists the outboundmail element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/[e-mail element]/outboundMail

  Attribute: authorizedsenders
    Purpose: Specify the senders (e-mail addresses) authorized to originate outbound e-mail.
    Type and values: formatted string; a comma-separated list of e-mail addresses authorized to originate outbound e-mail messages.
    Description: Use the authorizedsenders attribute to list the e-mail addresses that are allowed to originate outbound e-mail from the end-point computer. The following illustrates the general form of the authorizedsenders attribute:
      authorizedsenders="name01@domainname.com,name02@domainname"
    The senderenabled attribute and the ompenabled attribute, both described later in this table, must be equal to true to enable the authorizedsenders attribute.

  Attribute: interval
    Purpose: Specify the duration of the outbound protection interval.
    Type and values: integer; number of seconds.
    Description: Use the interval attribute to specify the number of seconds during which at most a maximum number of outbound e-mail messages can be sent. The interval attribute operates in conjunction with the maxmailsent attribute, described later in this table, to limit the number (maxmailsent) of outbound e-mails that can be sent within a specified number of seconds (interval). Correct operation of this feature requires that both attributes be specified. The ompenabled attribute, described later in this table, must be equal to true to enable the interval attribute.

  Attribute: mailenabled
    Purpose: Limit the number of outbound e-mails.
    Description: Specify the mailenabled attribute equal to true to restrict the number of outbound e-mails that can be originated during a specified interval, as set by the maxmailsent and interval attributes. The ompenabled attribute, described later in this table, must be equal to true to enable the mailenabled attribute.

  Attribute: maxmailsent
    Purpose: Specify a maximum permissible number of outbound mail messages.
    Type and values: integer; number of outbound e-mail messages.
    Description: Use the maxmailsent attribute to specify the maximum number (maxmailsent) of outbound e-mails that can be sent within a specified number of seconds (interval). Correct operation of this feature requires that both the maxmailsent attribute and the interval attribute, described earlier in this table, be specified. The ompenabled attribute, described later in this table, must be equal to true to enable the maxmailsent attribute.

  Attribute: maxrecipients
    Purpose: Specify a maximum permissible number of outbound mail recipients.
    Type and values: integer; number of message addressees.
    Description: Use the maxrecipients attribute to specify the maximum number of addressees allowed in an outbound e-mail message. The recipientenabled attribute, described later in this table, and the ompenabled attribute, described in the following table entry, must both be equal to true to enable the maxrecipients attribute.

  Attribute: ompenabled
    Purpose: Enable Outbound Mail Protection.
    Description: Specify the ompenabled attribute equal to true to enable Integrity client's Outbound e-mail Protection feature. The ompenabled attribute must be equal to true to enable the other Outbound e-mail Protection attributes described in this table.

  Attribute: recipientenabled
    Purpose: Limit the number of addressees in an e-mail.
    Description: Specify the recipientenabled attribute equal to true to limit the number of addresses (recipients) contained in a single outbound e-mail message to the number specified by the maxrecipients attribute, described earlier in this table. The ompenabled attribute, described in the preceding table entry, must be equal to true to enable the recipientenabled attribute.

  Attribute: senderenabled
    Purpose: Limit outbound e-mail to authorized originators.
    Description: Specify the senderenabled attribute equal to true to limit the originators of e-mail to those specified by the authorizedsenders attribute, described earlier in this table. The ompenabled attribute, described earlier in this table, must be equal to true to enable the senderenabled attribute.

  Level 5 child elements: none. The outboundmail element does not contain any child elements.

The quarantine Element

The quarantine element's attributes may appear in a Check Point XML Policy but are not currently implemented. The quarantine element is listed here for reference purposes only.

The quarantine element:

  Specifies e-mail Protection quarantine behavior
  Functions as a parent element for one or more file elements
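The outboundMail table describes three independent checks: an authorized-sender list, a per-message recipient cap, and a count cap of maxmailsent messages per interval seconds, all gated by ompenabled. The following evaluator is an added example written for this reference, not Check Point's implementation; it parses a constructed outboundMail element and runs a constructed stream of outbound messages through the three checks, using a sliding window for the rate limit. That only allowed messages count toward the window, and that the authorized-sender comparison is case-insensitive, are assumptions of the example.

```python
import xml.etree.ElementTree as ET
from collections import deque

# Constructed outboundMail element (made up for this example, not a real policy).
SAMPLE_OUTBOUND_MAIL = """<outboundMail ompenabled="true"
    mailenabled="true" maxmailsent="3" interval="60"
    recipientenabled="true" maxrecipients="5"
    senderenabled="true"
    authorizedsenders="alice@example.test,bob@example.test"/>"""


def is_true(value):
    return (value or "").strip().lower() == "true"


class OutboundMailPolicy:
    """Evaluates outbound e-mail events against one outboundMail element."""

    def __init__(self, element):
        self.enabled = is_true(element.get("ompenabled"))
        self.rate_limited = is_true(element.get("mailenabled"))
        self.max_sent = int(element.get("maxmailsent", "0"))
        self.interval = int(element.get("interval", "0"))
        self.recipients_limited = is_true(element.get("recipientenabled"))
        self.max_recipients = int(element.get("maxrecipients", "0"))
        self.senders_limited = is_true(element.get("senderenabled"))
        self.authorized = {s.strip().lower()
                           for s in element.get("authorizedsenders", "").split(",")
                           if s.strip()}
        self._sent_times = deque()  # send times of allowed messages (seconds)

    def evaluate(self, sender, recipients, now):
        """Return (allowed, reason); allowed messages are recorded for the rate limit."""
        if not self.enabled:
            return True, "ompenabled is false: outbound protection is off"
        if self.senders_limited and sender.lower() not in self.authorized:
            return False, "sender not listed in authorizedsenders"
        if self.recipients_limited and len(recipients) > self.max_recipients:
            return False, f"{len(recipients)} recipients exceeds maxrecipients={self.max_recipients}"
        if self.rate_limited and self.max_sent > 0 and self.interval > 0:
            # Drop sends that have aged out of the interval window.
            while self._sent_times and now - self._sent_times[0] >= self.interval:
                self._sent_times.popleft()
            if len(self._sent_times) >= self.max_sent:
                return False, f"maxmailsent={self.max_sent} reached within interval={self.interval}s"
        self._sent_times.append(now)
        return True, "allowed"


def policy_from_xml(xml_text):
    return OutboundMailPolicy(ET.fromstring(xml_text))


def run_demo():
    """Replay a constructed event stream; returns the allow/block decisions."""
    policy = policy_from_xml(SAMPLE_OUTBOUND_MAIL)
    events = [  # (sender, recipients, seconds since start), all constructed
        ("alice@example.test", ["x@example.test"], 0),
        ("mallory@example.test", ["x@example.test"], 1),   # unauthorized sender
        ("alice@example.test", [f"r{i}@example.test" for i in range(6)], 2),  # too many recipients
        ("alice@example.test", ["x@example.test"], 3),
        ("alice@example.test", ["x@example.test"], 4),
        ("alice@example.test", ["x@example.test"], 5),     # 4th send inside 60 s
        ("alice@example.test", ["x@example.test"], 70),    # window has slid
    ]
    return [policy.evaluate(sender, rcpts, t)[0] for sender, rcpts, t in events]


if __name__ == "__main__":
    print(run_demo())  # [True, False, False, True, True, False, True]
```

The replay shows why the reference insists that maxmailsent and interval be specified together: with either one at zero the rate check is skipped entirely and only the sender and recipient checks remain.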

The following table lists the quarantine element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/[e-mail element]/attachments/quarantine

  Attribute: active
    Purpose: Not currently used.
    Description: The active attribute is not currently used.

  Attribute: alert
    Purpose: Enable quarantine alerts.
    Description: Specify the alert attribute equal to true to display an alert when Integrity client quarantines an attachment.

  Level 5 child elements:
    file   Described in the following section.

Specifying Attachment Types

Integrity client's e-mail Protection feature provides individualized control over specific attachment types. The key to Integrity client's file-by-file control is the e-mail functional category's file element. The following section describes the placement and use of the file element in detail.

The file Element

The file element specifies individual attachment types. The following illustrates the general format of a file element.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/[e-mail element]
  <attachments attachments attributes>
    <quarantine quarantine attributes>
      <file extension="ext" description="free-form description of extension" />
    </quarantine>
  </attachments>
</[e-mail element]>

In this form, ext specifies the three-character filename extension of the attachment, and the free-form description of extension describes the attachment type.

The following table lists the default extension types recognized by Integrity client.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/[e-mail element]/attachments/quarantine/file

  File extension   File type description
  ade              Microsoft Access Project Extension
  adp              Microsoft Access Project
  asx              Microsoft Visual Foxpro Table
  bas              Visual Basic Class Module
  bat              Windows Batch File
  chm              Windows HTML Help File
  cmd              Windows NT Command Script
  com              MS-DOS Application
  cpl              Windows Control Panel Extension
  crt              Security Certificate
  dbx              Microsoft Visual Foxpro Table
  exe              Program File
  hlp              Windows Help File
  hta              HTML Application
  inf              Setup Information
  ins              Internet Communication Settings
  isp              Internet Communication Settings
  js               JavaScript
  jse              JavaScript Encoded Script
  lnk              Windows Shortcut
  mda              Microsoft Access Add-in
  mdb              Microsoft Access Application
  mde              Microsoft Access MDE Database
  mdz              Microsoft Access Wizard Template
  mht              Web Archive
  msc              Microsoft Common Console Document
  msi              Windows Installer Package
  msp              Windows Installer Patch
  mst              Visual Test Source
  nch              Outlook Express Folder
  pcd              Photo CD Image
  pif              Shortcut to MS-DOS Program
  prf              Microsoft Outlook Profile Settings
  reg              Windows Registry Entries
  scf              Windows Explorer Command
  scr              Windows Screen Saver
  sct              Windows Script Component
  shb              Shell Scrap Object
  shs              Shell Scrap Object
  url              Internet Shortcut
  vb               VBScript
  vbe              VBScript Encoded Script
  vbs              VBScript Script
  wms              Windows Media Skin
  wsc              Windows Script Component
  wsf              Windows Script File
  wsh              Windows Scripting Host

Adding Custom Attachment Types

In addition to the default types listed above, the Check Point XML Policy allows user-specified file elements to create new attachment types.
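Two things from this chapter are worth seeing together: how a new policy's keepsettings value (all, default, none, described under the attachments element) changes the set of file definitions the client ends up with, and how that set is then applied to attachment filenames, including a custom extension added as described above. The following is an added example written for this reference, not Check Point code; the two policy fragments and the default-type subset are constructed, and the assumption that a new definition for an extension already in the list replaces it (rather than being appended as a duplicate) is the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed policies (made up for this example, not from a real Check Point policy).
# EXISTING_POLICY is what the client already holds; NEW_POLICY is the update being loaded.
# The "xyz" type is a user-defined attachment type of the kind described above.
EXISTING_POLICY = """<attachments keepsettings="default" mainswitch="true" alertonquarantine="true">
  <quarantine alert="true">
    <file extension="exe" description="Program File" active="true"/>
    <file extension="vbs" description="VBScript Script" active="true"/>
    <file extension="xyz" description="Custom: legacy macro package" active="true"/>
  </quarantine>
</attachments>"""

NEW_POLICY = """<attachments keepsettings="all" mainswitch="true" alertonquarantine="true">
  <quarantine alert="true">
    <file extension="hta" description="HTML Application" active="true"/>
    <file extension="exe" description="Program File" active="false"/>
  </quarantine>
</attachments>"""

# A representative subset of the reference's default extension list.
DEFAULT_TYPES = {
    "exe": "Program File", "vbs": "VBScript Script", "hta": "HTML Application",
    "scr": "Windows Screen Saver", "pif": "Shortcut to MS-DOS Program",
    "bat": "Windows Batch File",
}


def is_true(value):
    return (value or "").strip().lower() == "true"


def parse_attachments(attachments_xml):
    """Return (keepsettings, {extension: {"description", "active"}})."""
    root = ET.fromstring(attachments_xml)
    types = {}
    for f in root.iterfind("./quarantine/file"):
        ext = f.get("extension", "").strip().lower().lstrip(".")
        if ext:
            types[ext] = {"description": f.get("description", ""),
                          "active": is_true(f.get("active", "true"))}
    return root.get("keepsettings", "default").lower(), types


def merge_definitions(existing_types, new_policy_xml):
    """Apply the new policy's keepsettings value to the existing definitions.
    Assumption: a new definition for an extension already present replaces it."""
    keepsettings, new_types = parse_attachments(new_policy_xml)
    if keepsettings == "all":            # keep what is there, append the new ones
        base = dict(existing_types)
    elif keepsettings == "default":      # start again from the defaults
        base = {e: {"description": d, "active": True} for e, d in DEFAULT_TYPES.items()}
    elif keepsettings == "none":         # start from an empty list
        base = {}
    else:
        raise ValueError(f"unknown keepsettings value {keepsettings!r}")
    base.update(new_types)
    return base


def is_quarantined(filename, types):
    """Match on the final extension, case-insensitively, so that
    'Invoice.pdf.VBS' is treated as a .vbs attachment."""
    name = filename.strip().lower()
    if "." not in name:
        return False
    entry = types.get(name.rsplit(".", 1)[1])
    return bool(entry and entry["active"])


if __name__ == "__main__":
    _, existing = parse_attachments(EXISTING_POLICY)
    merged = merge_definitions(existing, NEW_POLICY)
    for fn in ("setup.hta", "Invoice.pdf.VBS", "macro.xyz", "report.exe", "readme.txt"):
        print(f"{fn}: {'quarantine' if is_quarantined(fn, merged) else 'pass'}")
```

Loading the same update with keepsettings="default" discards the custom "xyz" type, and with keepsettings="none" only the two extensions named in the update survive, which is the practical reason to check that value before pushing a policy that was meant to add a type rather than replace the list.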

Chapter 8 The enforcement Functional Category

This chapter describes the enforcement functional category of the Check Point XML Policy. The enforcement functional category:

  Specifies enforcement firewall and protocol blocking behaviors
  Correlates to Integrity Server's Advanced Cooperative Enforcement (ACE) feature

This chapter contains the following sections:

  Overview of enforcement Structure, in the following section, provides an overview of the structure of the enforcement functional category's XML elements.
  Creating file and registry Elements, on page 98, describes the rule element that specifies the general operation of a unique user-created rule.
  Specifying Rule Child Elements, on page 99, describes the file and registry child elements that specify the exact operation of a unique user-created rule.

Overview of enforcement Structure

The enforcement element appears at nesting level 3 of a Check Point XML Policy. The following XPath statement illustrates the location of the element.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/enforcement

The following illustrates the structure of the enforcement functional section.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/enforcement
  <rule name="registry key only" os="windows 2000" action="prohibit">
    <registry key="hkey_local_machine" value=""/>
  </rule>
  <rule name="registry key and value" os="windows NT" action="require">
    <registry key="hkey_local_machine\software\zonelabs\oem" value="1102"/>
  </rule>
  <rule name="file always running" os="windows 98" action="prohibit">
    <file name="klez.exe" location="" minvers="1.0" maxvers="2.0"
          checksum="765aadf3-0aafb45d-dda34cf ffc" daysold="12"/>
  </rule>
</enforcement>

The preceding example illustrates that the enforcement functional category consists of a series of rule definitions. Each rule definition in turn contains a child element that specifies the type of rule. The following sections describe the construction of rule elements and rule child elements.

Creating file and registry Elements

The enforcement functional category consists of rule/[file | registry] pairs:

  Each rule element specifies the rule's general behavior
  Each file or registry child element specifies the rule's specific behavior

The next section describes the rule element in detail.

Using Integrity Server

The enforcement functional category correlates to Integrity Server's Advanced Cooperative Enforcement (ACE) feature. The Integrity client Control Center does not contain elements that correspond to enforcement elements or attributes.

The rule Element

The rule element allows or prohibits network access if the end-point computer running the XML Policy matches specified criteria.

Required rule Attributes

When specifying a rule element, all three attributes (action, name, and os) must be specified. The following table lists the rule element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/enforcement/rule

  Attribute: action
    Purpose: Specify whether to permit or block network access.
    Type and values: Prohibit, Require.
    Description: The action attribute allows or blocks network access as follows:
      If the action attribute equals Require, all conditions specified in the file or registry child element(s), described under Specifying Rule Child Elements on page 99, must be met (logical AND) to enable the end-point computer to access the network.
      If the action attribute equals Prohibit, only one condition specified in the file or registry child element(s), described under Specifying Rule Child Elements on page 99, must be met (logical OR) to prohibit the end-point computer from accessing the network.
    Integrity client requires that any rule element include a valid action attribute.

  Attribute: name
    Purpose: Specify a name for the rule.
    Type and values: string; a free-form name for the rule.
    Description: Use the name attribute to specify a free-form name for the rule. Integrity client requires that any rule element include a valid name attribute.

  Attribute: os
    Purpose: Specify the operating system (os) for the rule.
    Type and values: enumeration; one of the following versions of Windows:
      Windows 2000
      Windows 2003
      Windows 95
      Windows 98
      Windows 9x/ME
      Windows ME
      Windows NT
      Windows NT/2000/XP
      Windows XP
    Description: Use the os attribute to specify the version of the Windows operating system that must be running on the end-point computer. Integrity client requires that any rule element include a valid os attribute.

  Level 5 child elements:
    file
    registry
  Both the file and registry child element types are described in the following section.

Specifying Rule Child Elements

The enforcement functional category's rule element recognizes two types of child elements:

  registry child element
  file child element

Both of these child elements have rigorous rules governing where they can be used and how they must be specified. The following sections describe the rules for correctly specifying the file and registry child elements.

Constructing Valid registry and file Child Elements

The rule element can contain one of the three following child element constructions:

  One registry child element
  One file child element
  One registry child element and one file child element

If a rule element contains both a registry and a file child element, the registry element must come first. The following illustrates the proper construction of a rule element that contains both registry and file child elements.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/enforcement
  <rule name="file and Registry" os="windows 2000" action="require">
    <registry key="hkey_local_machine\software\zonelabs\oem" value="1102"/>
    <file name="iclient.exe" location="" minvers="3.5" maxvers="4.5"
          checksum="765aadf3-0aafb45d-dda34cf ffc" daysold="12"/>
  </rule>
</enforcement>

The following section describes the construction of a file child element. The registry element is described beginning on page 101.

The //enforcement/rule/file Child Element

The file element specifies a rule pertaining to a specific file. The file rule provides the following levels of control over a specific named file:

  File checksum must match
  File modified date must be less than a specified number of days old
  File must be located on a specified path
  File must have a version number within a specified range
  File must always be running

Specific conditions apply to file path and file name specifications. These conditions are described in detail in the following table of the file element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/enforcement/rule/file

  Attribute: checksum
    Purpose: Specify a file checksum.
    Type and values: formatted string; a string formatted as a valid checksum of the form
      "([a-f]|\d){8}-([a-f]|\d){8}-([a-f]|\d){8}-([a-f]|\d){8}"
    Description: Use the checksum attribute to specify the checksum of the file specified by the name attribute, described later in this table. Within a given rule element, the checksum attribute is optional.

  Attribute: daysold
    Purpose: Specify file age.
    Type and values: integer; number of days.
    Description: Use the daysold attribute to specify the maximum number of days between the current date and the file's last modified date. The file's last modified date must be fewer days in the past than the value of daysold. Within a given rule element, the daysold attribute is optional.

  Attribute: location
    Purpose: Specify a file path name.
    Type and values: formatted string; a valid Windows path name specifier.
    Description: Use the location attribute to specify the location of the file. The location attribute interacts with the name attribute, described later in this table: if the location attribute is null (""), it specifies that the file specified by the name attribute must always be running. Within a given rule element, the location attribute is required.

  Attribute: maxvers
    Purpose: Identify the maximum (most recent) file version.
    Type and values: formatted string; a string formatted as a file version number.
    Description: Use the maxvers attribute to specify the most recent acceptable version of the file specified by the name attribute. Within a given rule element, the maxvers and minvers attributes are optional. If used, the maxvers attribute must be used in conjunction with the minvers attribute, described in the following table entry.

  Attribute: minvers
    Purpose: Identify the minimum (oldest) file version.
    Type and values: formatted string; a string formatted as a file version number.
    Description: Use the minvers attribute to specify the oldest acceptable version of the file specified by the name attribute. Within a given rule element, the minvers and maxvers attributes are optional. If used, the minvers attribute must be used in conjunction with the maxvers attribute, described in the preceding table entry.

  Attribute: name
    Purpose: Specify a file name, or indicate that the file must always be running.
    Type and values: formatted string; a string formatted as a valid Windows file name and extension.
    Description: Use the name attribute to specify a specific file. The location attribute, described earlier in this table, interacts with the name attribute: if the location attribute is null (""), it specifies that the file specified by the name attribute must always be running. Within a given rule element, the name attribute is required.

  Level 6 child elements: none. The file element contains no child elements.

The //enforcement/rule/registry Child Element

The registry element specifies a rule pertaining to a Windows registry key.

The following table lists the registry element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/enforcement/rule/registry

  Attribute: key
    Purpose: Specify a registry key.
    Type and values: formatted string; a string formatted as a valid Windows Registry key.
    Description: Use the key attribute to specify a Windows registry key. For example:
      HKEY_LOCAL_MACHINE\SOFTWARE\ZoneLabs\OEM
    Within a given registry element, the key attribute is required.

  Attribute: value
    Purpose: Specify a registry key value.
    Type and values: formatted string; a string formatted as a valid Windows Registry value.
    Description: Use the value attribute to specify the value that the registry key named by the key attribute, described in the preceding table entry, must hold. Within a given registry element, the value attribute is optional. If a value attribute is specified, it must be accompanied by a key attribute.

  Level 6 child elements: none. The registry element contains no child elements.
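The rule, file and registry tables in this chapter together define a small decision procedure: a rule applies to one os, carries one or two conditions in registry-then-file order, and either requires all of them (Require, logical AND, to allow access) or blocks on any one of them (Prohibit, logical OR). The following evaluator, an added example written for this reference rather than Check Point's implementation, parses a constructed enforcement section and decides network access for a constructed endpoint inventory. The assumptions are the example's own: the location attribute names the folder holding the file; with location="" the named file must be running and the remaining file checks apply to that file; rules for a different os are skipped; the checksum is compared as an opaque string of the documented shape.

```python
import re
import xml.etree.ElementTree as ET

# Checksum format as given in the reference.
CHECKSUM_RE = re.compile(r"^([a-f]|\d){8}-([a-f]|\d){8}-([a-f]|\d){8}-([a-f]|\d){8}$")

# Constructed enforcement section (made up; the checksum is a placeholder of the
# documented shape and the file names are examples, not indicators).
SAMPLE_ENFORCEMENT = """<enforcement>
  <rule name="client agent present" os="windows XP" action="require">
    <registry key="hkey_local_machine\\software\\zonelabs\\oem" value="1102"/>
    <file name="iclient.exe" location="" minvers="3.5" maxvers="4.5"
          checksum="0123abcd-4567ef01-89abcdef-01234567" daysold="30"/>
  </rule>
  <rule name="known worm running" os="windows XP" action="prohibit">
    <file name="worm.exe" location=""/>
  </rule>
</enforcement>"""

# Constructed endpoint inventory of the kind an agent would collect.
# files: lowercase name -> (folder, version, checksum, days since last modified)
SAMPLE_HOST = {
    "os": "windows XP",
    "registry": {"hkey_local_machine\\software\\zonelabs\\oem": "1102"},
    "running": {"iclient.exe"},
    "files": {
        "iclient.exe": ("c:\\program files\\zonelabs", "4.0",
                        "0123abcd-4567ef01-89abcdef-01234567", 3),
    },
}


def version_tuple(text):
    return tuple(int(part) for part in text.split("."))


def file_condition_met(elem, host):
    """True when the host satisfies every attribute the file element carries."""
    name = elem.get("name", "").lower()
    location = elem.get("location")
    if not name or location is None:
        raise ValueError("file element needs both name and location")
    info = host["files"].get(name)
    if info is None:
        return False
    folder, version, checksum, days_old = info
    if location == "":                       # "" means: must always be running
        if name not in host["running"]:
            return False
    elif folder.lower().rstrip("\\") != location.lower().rstrip("\\"):
        return False
    want = elem.get("checksum")
    if want is not None:
        if not CHECKSUM_RE.match(want.lower()):
            raise ValueError(f"malformed checksum {want!r}")
        if want.lower() != checksum.lower():
            return False
    minvers, maxvers = elem.get("minvers"), elem.get("maxvers")
    if (minvers is None) != (maxvers is None):
        raise ValueError("minvers and maxvers must be used together")
    if minvers is not None and not (
            version_tuple(minvers) <= version_tuple(version) <= version_tuple(maxvers)):
        return False
    if elem.get("daysold") is not None and days_old >= int(elem.get("daysold")):
        return False
    return True


def registry_condition_met(elem, host):
    key = elem.get("key", "").lower()
    if not key:
        raise ValueError("registry element needs a key")
    if key not in host["registry"]:
        return False
    value = elem.get("value")
    return not value or host["registry"][key] == value   # "" = key only


def rule_blocks(rule, host):
    """True when this rule denies network access on this host."""
    if rule.get("os", "").lower() != host["os"].lower():
        return False
    children = list(rule)
    if [c.tag for c in children] not in (["registry"], ["file"], ["registry", "file"]):
        raise ValueError(f"rule {rule.get('name')!r}: invalid child construction")
    met = [registry_condition_met(c, host) if c.tag == "registry"
           else file_condition_met(c, host) for c in children]
    action = rule.get("action", "").lower()
    if action == "require":
        return not all(met)     # every condition must hold (logical AND)
    if action == "prohibit":
        return any(met)         # any one condition blocks (logical OR)
    raise ValueError(f"rule {rule.get('name')!r}: action must be Require or Prohibit")


def network_access(enforcement_xml, host):
    """Return (allowed, names of the rules that block)."""
    root = ET.fromstring(enforcement_xml)
    blocking = [r.get("name") for r in root.iterfind("rule") if rule_blocks(r, host)]
    return not blocking, blocking


if __name__ == "__main__":
    print(network_access(SAMPLE_ENFORCEMENT, SAMPLE_HOST))   # (True, [])
```

The validation errors are deliberate: a rule whose children are in file-then-registry order, a lone minvers, or a checksum that does not match the documented pattern should fail loudly when the policy is loaded rather than quietly evaluate to "condition not met" and lock a healthy endpoint off the network.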

Chapter 9 The firewall and fwrestricted Functional Categories

This chapter describes the firewall functional category of the Check Point XML Policy. This chapter contains the following sections:

  Overview of firewall Structure, in the following section, provides an orientation to the overall composition of the firewall functional category's XML elements.
  Specifying Firewall Groups, on page 106, describes the elements and attributes used to specify special rules for groups of network entities.
  Specifying Firewall Rules, on page 109, describes the elements and attributes used to specify general firewall behaviors.
  Specifying firewall Network Entities, on page 113, describes the network-entity elements that define the networking and protocol blocking security behaviors assigned to a firewall group or rule.

Overview of firewall Structure

The firewall element appears at nesting level 3 of a Check Point XML Policy; from a practical perspective, the firewall/expert container element pair defines the firewall functional category. The following XPath statement illustrates the location of the firewall/expert container element pair.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert

The Check Point XML Policy divides the firewall functional category into two nesting-level 5 child elements: groups and rules. The following XPath statements illustrate the placement of the firewall/expert container elements as well as the groups and rules elements:

/ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/groups
/ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules

The groups and rules elements provide two different ways to organize and specify network security behaviors.

Restricted Rules (fwrestricted)

The fwrestricted element contains the same sub-elements as the expert element; that is, elements that allow the configuration of classic firewall rules. To manipulate restricted rules, use the reference information for the expert element presented below.

The groups and rules Categories

The firewall functional category consists of two categories: groups and rules. The following XPath statement illustrates the general form of the group parent-element hierarchy (line break added).

/ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert
  /groups/grouptype/traffictype/networkentity

The following XPath statement illustrates the general form of the rule parent-element hierarchy (line break added).

/ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert
  /rules/rule/traffictype/networkentity

Although the hierarchical organization of these two categories differs slightly, both ultimately contain networking child elements. In the preceding XPath statements:

  traffictype represents one of 8 types of traffic type container elements
  networkentity represents one of 14 network-entity child elements

The following sections illustrate the general form of both the groups and rules sections of a Check Point XML Policy instance.

Overview of firewall/expert/groups XML Policy Structure

The following illustrates the general structure of the group element's traffic and network parent-child elements:

/ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/groups
  <grouptype1 name="1st_groupname">
    <traffictype1>
      <networkentity01 attributes />
      <networkentity02 attributes />
      ... up to 8 different networkentity elements, depending on traffic type ...
    </traffictype1>
  </grouptype1>
  <grouptype2 name="2nd_groupname">
    <traffictype2>
      <networkentity01 attributes />
      <networkentity02 attributes />
      ... up to 8 different networkentity elements, depending on traffic type ...
    </traffictype2>
  </grouptype2>
  ... up to 7 different grouptype, traffictype, and networkentity element constructs ...
</groups>
</expert>
</firewall>
... remaining XML Policy functional sections ...

Overview of firewall/expert/rules/rule XML Policy Structure

The following illustrates the general structure of the rule element's traffic and network parent-child elements:

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule
    <traffictype1>
      <networkentity01 attributes />
      <networkentity02 attributes />
      ... up to 8 different networkentity elements, depending on traffic type
    </traffictype1>
    <traffictype2>
      <networkentity01 attributes />
      <networkentity02 attributes />
      ... up to 8 different networkentity elements, depending on traffic type
    </traffictype2>
    ... up to 8 different traffictype and networkentity element constructs
  </rule>
  </rules>
  </expert>
  </firewall>
  ... remaining XML Policy functional sections

Scope of Program-specific Rule Elements

Certain attributes of any rule elements specified within the applications parent element, described in Chapter 4 on page 103, also appear in the firewall functional category's rule definitions. This is because, even though a rule is defined as program-specific, Integrity client manages rules as logical entities that can be assigned to multiple programs.

The following sections in this chapter describe the firewall functional category's child elements and attributes:

- The following section describes the firewall functional category's group elements and attributes.
- Specifying Firewall Rules, on page 109, lists the firewall functional category's rule elements and attributes.

Specifying Firewall Groups

There are seven types of firewall groups. The following table lists the seven group types and the page in this chapter where that group type's attributes are described.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/groups/GroupType

  GroupType Element      Description                                              Page Number
  addressgroup           Specifies a group of IP addresses or IP address ranges.  106
  ipsubprotoflaggroup    Specifies a group of IP subprotocols.                    106
  iptypegroup            Specifies a group of IP protocol behavior types.         107
  portgroup              Specifies a group of IP ports.                           107
  protocolgroup          Specifies a group of IP protocols.                       108
  socketsgroup           Specifies a group of IP address / IP port pairs.         108
  timegroup              Specifies a group of dates and times.                    109

The following sections describe each of the groups and their attributes.

The addressgroup Element

The addressgroup element:

- Specifies a group of IP addresses or IP address ranges
- Contains one or more network-entity child elements

The following table lists the addressgroup attribute.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/groups/addressgroup
  Level 7 child elements: nondirectional

  name
    Specify the name of the group.
    Type: String. Free-form string, 15 characters maximum.
    Use the name attribute to specify a name for the group. Integrity client uses the name to manage group behavior throughout the XML Policy instance in which it appears.

For a description of protocol-specific child elements see Specifying firewall Network Entities, on page 113.

The ipsubprotoflaggroup Element

The ipsubprotoflaggroup element:

- Specifies a group of IP subprotocols

- Contains one or more network-entity child elements

The following table lists the ipsubprotoflaggroup attribute.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/groups/ipsubprotoflaggroup
  Level 7 child elements: ipsubprotoflags

  name
    Specify the name of the group.
    Type: String. Free-form string, 15 characters maximum.
    Use the name attribute to specify a name for the group. Integrity client uses the name to manage group behavior throughout the XML Policy instance in which it appears.

For a description of protocol-specific child elements see Specifying firewall Network Entities, on page 113.

The iptypegroup Element

The iptypegroup element:

- Specifies a group of IP protocol behavior types
- Contains one or more network-entity child elements

The following table lists the iptypegroup attribute.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/groups/iptypegroup
  Level 7 child elements: iptypes

  name
    Specify the name of the group.
    Type: String. Free-form string, 15 characters maximum.
    Use the name attribute to specify a name for the group. Integrity client uses the name to manage group behavior throughout the XML Policy instance in which it appears.

For a description of protocol-specific child elements see Specifying firewall Network Entities, on page 113.

The portgroup Element

The portgroup element:

- Specifies a group of IP ports
- Contains one or more network-entity child elements

The following table lists the portgroup attribute.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/groups/portgroup
  Level 7 child elements: nondirectional

  name
    Specify the name of the group.
    Type: String. Free-form string, 15 characters maximum.
    Use the name attribute to specify a name for the group. Integrity client uses the name to manage group behavior throughout the XML Policy instance in which it appears.

For a description of protocol-specific child elements see Specifying firewall Network Entities, on page 113.

The protocolgroup Element

The protocolgroup element:

- Specifies a group of IP protocols
- Contains one or more network-entity child elements

The following table lists the protocolgroup attribute.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/groups/protocolgroup
  Level 7 child elements: protocols

  name
    Specify the name of the group.
    Type: String. Free-form string, 15 characters maximum.
    Use the name attribute to specify a name for the group. Integrity client uses the name to manage group behavior throughout the XML Policy instance in which it appears.

For a description of protocol-specific child elements see Specifying firewall Network Entities, on page 113.

The socketsgroup Element

The socketsgroup element:

- Specifies a group of IP address / IP port pairs
- Contains one or more network-entity child elements

The following table lists the socketsgroup attribute.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/groups/socketsgroup
  Level 7 child elements: nondirectional

  name
    Specify the name of the group.
    Type: String. Free-form string, 15 characters maximum.
    Use the name attribute to specify a name for the group. Integrity client uses the name to manage group behavior throughout the XML Policy instance in which it appears.

For a description of protocol-specific child elements see Specifying firewall Network Entities, on page 113.

The timegroup Element

The timegroup element:

- Specifies a group of dates and times
- Contains one or more network-entity child elements

The following table lists the timegroup attribute.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/groups/timegroup
  Level 7 child elements: times

  name
    Specify the name of the group.
    Type: String. Free-form string, 15 characters maximum.
    Use the name attribute to specify a name for the group. Integrity client uses the name to manage group behavior throughout the XML Policy instance in which it appears.

For a description of protocol-specific child elements see Specifying firewall Network Entities, on page 113.

This concludes this chapter's description of group-specific elements. The following section describes the organization of the firewall functional category's rule child elements.

Specifying Firewall Rules

As described at the beginning of this chapter, the firewall functional section of a Check Point XML Policy specifies rules for newly identified programs running on the end-point computer.

General program rules are defined in one or more rule elements. The following XPath statement illustrates the placement of a rule element within its expert and rules parent elements:

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule

The rule element contains the rule set that Integrity client applies to programs that have not yet been identified to the applications functional section described in Chapter 4, beginning on page .

The rule element:

- Specifies general rule behaviors for all child elements
- Functions as a parent element for up to 9 network-entity child elements

The following sections describe the //firewall/expert/rules/rule element and attributes.

The //firewall/expert/rules/rule Element

The rule element:

- Specifies attributes for all rule child elements
- Functions as a parent element for up to 9 network-entity child elements

The following table lists the rule element's attributes.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule
  Level 8 child elements: execute, bidirectional, destination, ipsubprotoflags, iptypes, nondirectional, protocols, source, times

  name
    Specify the name of the rule.
    Type: String. Free-form name, 16 characters maximum.
    Use the rule element's name attribute to specify a name for the rule.

  rulestack
    Identify the rule stack of the rule. Currently read-only.
    Type: Read-only enumeration. Displayed value: hard.
    The rulestack attribute must be equal to hard.

  relativeposition
    Identify the position of the rule within the rule stack. Read-only in the running ruleset.
    Type: Read-only enumeration. Displayed value: first.
    In a running ruleset, Integrity client ignores the relativeposition attribute.

  enable
    Enable the rule element.
    Specify the enable attribute equal to true to enable the rule element. The enable attribute defaults to true if not specified.

The execute child element is described in the following section. For a description of protocol-specific child elements see Specifying firewall Network Entities, on page 113.

The //rule/execute Element

The execute element specifies the actions and logging level for a specific rule.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/execute
  Level 7 child elements: None

  action
    Specify the action to take when a rule executes.
    Type: Enumeration. accept, drop.
    Use the action attribute to specify what action to take when Integrity client executes an expert rule. Recognized actions are:
    - accept: allow the communication
    - drop: block the communication

  log
    Specify where logged entries are stored.
    Type: Enumeration. logdb (log="file" is not recognized by Integrity client).
    Use the log attribute to specify where Integrity client stores logged events.
    - file stores logged events in Internet Logs\fwpktlog.txt
    - logdb stores logged events in Internet Logs\username.ldb, where username is the active user account on the end-point computer
    Integrity client recognizes only log="logdb".

  loglevel
    Specify the categories of information to log.
    Type: Integer. 0 to 13, inclusive.
    Use the loglevel attribute to specify a program-specific level of event logging and notification. Program-specific logging of network-entity events is performed only when the value of the loglevel attribute is less than or equal to that of the logging element's filelevel attribute, described in the following section.

The execute element does not contain any child elements.

The //firewall/logging Element

In the firewall functional category, the //firewall/logging element specifies the global logging level.

The following table lists the logging element's attribute.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/logging
  Level 5 child elements: None

  filelevel
    Specify the global logging level.
    Type: Integer. 0 to 8, inclusive.
    Use the filelevel attribute to specify the global logging level applied to programs for which a specific rule has not been created. For a given program's rule, the execute element's loglevel attribute must be less than or equal to filelevel for a given event to be logged. See The //rule/execute Element, on page 112, for more information.

The logging element does not contain any child elements.

The remaining sections in this chapter describe the firewall functional section's network-entity elements and attributes.

Specifying firewall Network Entities

As described at the beginning of this chapter, the Check Point XML Policy divides the firewall functional category into two nesting-level 5 child elements: groups and rules. Both the groups and rules parent elements contain traffic-type and network-entity child elements. The following sections describe the traffic-type and network-entity elements and attributes in detail.

Overview of applications Traffic Types

A Check Point XML Policy contains up to 8 traffic-type elements. Each traffic-type element in turn contains up to 8 network-entity child elements. The following table lists:

- The 8 traffic-type elements that may be contained in the applications functional section of a particular Check Point XML Policy instance
- The 8 network-entity child elements contained in a given traffic-type parent element

- The page number containing the XML element description table for the network-entity child element

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert
    /rules/rule/traffictype/networkentity

  Traffic Type Element   Network Entity Child Element   Page Number
  bidirectional          ethernetaddress                115
                         group                          117
                         ipaddress                      118
                         iprange                        119
                         ipsubnet                       120
                         port                           120
                         portrange                      122
                         socket                         125
  destination            Child elements are identical with those of bidirectional, listed above, with the same page numbers.
  ipsubprotoflags        flag                           116
  iptypes                type                           126
  nondirectional         portpair                       121
  protocols              protocol                       123
                         protocolrange                  124
  source                 Child elements are identical with those of bidirectional, listed earlier in this table, with the same page numbers.
  times                  daytimerange                   115

Overview of Network-entity Types

A Check Point XML Policy contains up to 14 network-entity elements. The following sections list each of the elements and their attributes in alphabetical order.
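The structural constraints stated in the preceding sections (seven group types with 15-character names and one traffic-type child each; rule names of at most 16 characters, rulestack equal to hard, enable defaulting to true; execute actions accept or drop, log="logdb" only, loglevel 0 to 13; and a filelevel of 0 to 8 that gates whether a rule's events are logged) can be checked mechanically before a policy is pushed to clients. The following Python script is an added example and not Check Point code; the policy document it parses is constructed for illustration, and its group and rule names and values are made up.

```python
"""Structural checks for the firewall/expert section of an Integrity XML Policy.

Added example, not Check Point code.  SAMPLE_POLICY is constructed for
illustration: element and attribute names follow the reference text, the
group and rule names and the values are made up.
"""
import xml.etree.ElementTree as ET

# The seven group types and the level-7 traffic-type child each one carries.
GROUP_TYPES = {
    "addressgroup": "nondirectional", "ipsubprotoflaggroup": "ipsubprotoflags",
    "iptypegroup": "iptypes", "portgroup": "nondirectional",
    "protocolgroup": "protocols", "socketsgroup": "nondirectional",
    "timegroup": "times",
}
# The eight traffic-type containers a rule may hold besides execute.
RULE_TRAFFIC_TYPES = {"bidirectional", "destination", "ipsubprotoflags", "iptypes",
                      "nondirectional", "protocols", "source", "times"}
FIREWALL = 'ruleset[@name="runningruleset"]/firewall'

SAMPLE_POLICY = """<ZoneLabsSettings>
 <ruleset name="runningruleset"><firewall>
  <logging filelevel="5"/>
  <expert>
   <groups>
    <addressgroup name="lan-hosts"><nondirectional>
      <ipsubnet address="10.1.0.0" mask="255.255.0.0" operation="eq" protocol="IP_ALL"/>
    </nondirectional></addressgroup>
    <portgroup name="this-group-name-is-far-too-long"><nondirectional>
      <port port="80" portprotocol="IP_TCP" operation="eq"/>
    </nondirectional></portgroup>
   </groups>
   <rules>
    <rule name="allow-web" rulestack="hard" relativeposition="first">
      <execute action="accept" log="logdb" loglevel="3"/>
      <destination><port port="80" portprotocol="IP_TCP" operation="eq"/></destination>
    </rule>
    <rule name="drop-telnet">
      <execute action="drop" log="file" loglevel="9"/>
      <destination><port port="23" portprotocol="IP_TCP" operation="eq"/></destination>
    </rule>
   </rules>
  </expert>
 </firewall></ruleset>
</ZoneLabsSettings>"""
POLICY = ET.fromstring(SAMPLE_POLICY)


def check_groups(root):
    """Return a list of problems found under firewall/expert/groups."""
    problems = []
    groups = root.find(FIREWALL + "/expert/groups")
    for g in ([] if groups is None else groups):
        name = g.get("name", "")
        if g.tag not in GROUP_TYPES:
            problems.append(f"unknown group type {g.tag!r}")
            continue
        if not 1 <= len(name) <= 15:
            problems.append(f"{g.tag} name {name!r} must be 1-15 characters")
        for child in g:
            if child.tag != GROUP_TYPES[g.tag]:
                problems.append(f"{g.tag} {name!r}: unexpected child {child.tag!r}")
    return problems


def check_rules(root):
    """Return a list of problems found in each rules/rule and its execute child."""
    problems = []
    for rule in root.iterfind(FIREWALL + "/expert/rules/rule"):
        name = rule.get("name", "")
        if not 1 <= len(name) <= 16:
            problems.append(f"rule name {name!r} must be 1-16 characters")
        if rule.get("rulestack", "hard") != "hard":
            problems.append(f"rule {name!r}: rulestack must be 'hard'")
        if rule.get("enable", "true") not in ("true", "false"):  # 'false' assumed
            problems.append(f"rule {name!r}: enable must be true or false")
        for child in rule:
            if child.tag != "execute" and child.tag not in RULE_TRAFFIC_TYPES:
                problems.append(f"rule {name!r}: unexpected child {child.tag!r}")
        execute = rule.find("execute")
        if execute is None:
            problems.append(f"rule {name!r}: missing execute element")
            continue
        if execute.get("action") not in ("accept", "drop"):
            problems.append(f"rule {name!r}: action must be accept or drop")
        if execute.get("log") != "logdb":
            problems.append(f"rule {name!r}: only log=\"logdb\" is recognized")
        level = execute.get("loglevel", "")
        if not (level.isdigit() and 0 <= int(level) <= 13):
            problems.append(f"rule {name!r}: loglevel must be an integer 0-13")
    return problems


def filelevel(root):
    """Global logging level from firewall/logging, or None if absent or out of 0-8."""
    logging = root.find(FIREWALL + "/logging")
    value = "" if logging is None else logging.get("filelevel", "")
    return int(value) if value.isdigit() and 0 <= int(value) <= 8 else None


def rules_that_log(root):
    """Names of enabled rules whose events are written: loglevel <= filelevel."""
    global_level = filelevel(root)
    names = []
    for rule in root.iterfind(FIREWALL + "/expert/rules/rule"):
        execute = rule.find("execute")
        level = None if execute is None else execute.get("loglevel", "")
        if rule.get("enable", "true") == "true" and level and level.isdigit():
            if global_level is not None and int(level) <= global_level:
                names.append(rule.get("name"))
    return names
```

Run against the sample, the checks report the over-long portgroup name and the unrecognized log="file" on drop-telnet, and only allow-web (loglevel 3 against filelevel 5) would actually produce log entries; drop-telnet's loglevel of 9 is within the 0 to 13 range but above the global level, so its drops would be silent.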

The daytimerange Network-entity Element

The daytimerange element specifies the days and times a custom program rule will be applied.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/times/daytimerange
  Level 10 child elements: None

  day1 through day7, inclusive
    Specify the day or days to apply a rule.
    Type: Enumeration. SUNDAY, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, ALL.
    Use the dayN attribute to specify individual days to enforce the rule. The following illustrates the general form of the dayN attribute statement:
      <daytimerange day1="MONDAY" day2="WEDNESDAY" />
    Use dayN="ALL" to specify all days.

  time
    Specify the time to begin applying a rule.
    Type: Formatted string. Time as hh:mm in 24-hour format.
    Use the time attribute to specify the time to start enforcing a rule. The value of the time attribute must be earlier than the totime attribute, described in the following table entry.

  totime
    Specify the time to stop applying a rule.
    Type: Formatted string. Time as hh:mm in 24-hour format.
    Use the totime attribute to specify the time to stop enforcing a rule. The value of the totime attribute must be later than the time attribute, described in the preceding table entry.

The daytimerange element does not contain any child elements.

The ethernetaddress Network-entity Element

The ethernetaddress element:

- Specifies a Media Access Control (MAC) address and operation
- Can be contained in the source, destination, and bidirectional parent elements

The following table lists the ethernetaddress element's attributes.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/traffictype/ethernetaddress
  Level 10 child elements: None

  address
    Specify a MAC address.
    Type: Formatted string. String formatted as a valid MAC address of the form "12-3d-34-5d-56-ef".
    In an ethernetaddress element, use the address attribute to specify the network entity's Media Access Control (MAC) address.

  operation
    Specify the condition for applying the ethernetaddress rule.
    Type: Enumeration. eq, neq.
    Specify the operation attribute equal to eq to apply the rule when the MAC address matches the MAC address specified in the address attribute, described in the preceding table entry.

The ethernetaddress element does not contain any child elements.

The flag Network-entity Element

The flag element specifies which protocol-specific flags are accepted or blocked. The following table lists the flag element's attributes.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/ipsubprotoflags/flag

  notpresent
    Specify a protocol-specific flag that should not be detected in the named protocol.
    Type: Enumeration. The following seven flag mnemonics:

      Flag Mnemonic   Description
      TCP_FLAG_ACK    Acknowledgement
      TCP_FLAG_ALL    All flags in this group
      TCP_FLAG_FIN    Final
      TCP_FLAG_PSH    Push
      TCP_FLAG_RST    Reset
      TCP_FLAG_SYN    Synchronization
      TCP_FLAG_URG    Urgent

    Use the notpresent attribute to specify that the rule be triggered when a particular type of TCP flag is not detected in the IP subprotocol.

  present
    Specify a protocol-specific flag that should be detected in the named protocol.
    Type: Enumeration. Same flags as listed for the notpresent attribute, described in the preceding table entry.
    Use the present attribute to specify that the rule be triggered when a TCP flag is detected in the IP subprotocol.

  protocol
    Specify a named protocol.
    Type: Enumeration. The following protocol identifiers:
    - IP_AH
    - IP_ALL (All IP subtypes)
    - IP_CAST (Multicast and broadcast)
    - IP_ESP
    - IP_EVERY (Every IP subprotocol)
    - IP_GRE
    - IP_ICMP
    - IP_IGMP
    - IP_IXMP (Both ICMP and IGMP)
    - IP_SKIP
    - IP_TCP
    - IP_TCP_UDP (Both TCP and UDP)
    - IP_UDP
    - IP_UDP_TCP (Same as IP_TCP_UDP)
    - IP_VPN (All VPN protocols: ESP, AH, GRE, and SKIP)
    Use the protocol attribute to specify the protocol to process as part of the program's rule.

  Level 10 child elements: None

The flag element does not contain any child elements.

The group Network-entity Element

The group element:

- Specifies a group name and type
- Can be contained in the source, destination, and bidirectional parent elements
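The daytimerange, ethernetaddress and flag elements described above each reduce to a predicate over an observation: a timestamp, a MAC address, or the set of TCP flags in a segment. The following Python module is an added example, not Check Point code, showing how such predicates can be evaluated from the parsed elements, including the checks the reference imposes on the values (time earlier than totime, a MAC of the form 12-3d-34-5d-56-ef, eq/neq only). The sample elements are constructed; how TCP_FLAG_ALL combines with present and notpresent, and which protocol identifiers are treated as carrying TCP flags, are assumptions noted in the code.

```python
"""Predicates for the daytimerange, ethernetaddress and flag network entities.

Added example, not Check Point code.  The sample elements are constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, time

# datetime.weekday() numbers Monday as 0, so order the names accordingly.
DAYS = ("MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY", "SUNDAY")
TCP_FLAGS = {"TCP_FLAG_ACK", "TCP_FLAG_FIN", "TCP_FLAG_PSH", "TCP_FLAG_RST",
             "TCP_FLAG_SYN", "TCP_FLAG_URG"}
# Assumed: the protocol identifiers under which TCP flags can be observed.
TCP_CARRYING = {"IP_TCP", "IP_TCP_UDP", "IP_UDP_TCP", "IP_ALL", "IP_EVERY"}
MAC_RE = re.compile(r"^[0-9a-f]{2}(-[0-9a-f]{2}){5}$")


def parse_hhmm(value):
    """Parse the hh:mm 24-hour form used by the time and totime attributes."""
    hours, minutes = value.split(":")
    return time(int(hours), int(minutes))


def daytimerange_matches(elem, when):
    """True if `when` (datetime or ISO string) falls on a listed day within time..totime."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    days = {elem.get(f"day{i}") for i in range(1, 8)} - {None}
    unknown = days - set(DAYS) - {"ALL"}
    if unknown:
        raise ValueError(f"unknown day value(s): {sorted(unknown)}")
    start, stop = parse_hhmm(elem.get("time")), parse_hhmm(elem.get("totime"))
    if not start < stop:
        raise ValueError("time must be earlier than totime")
    day_ok = "ALL" in days or DAYS[when.weekday()] in days
    return day_ok and start <= when.time() <= stop


def ethernetaddress_matches(elem, mac):
    """Apply eq/neq to a MAC address; comparison is case-insensitive."""
    wanted = elem.get("address", "").lower()
    if not MAC_RE.match(wanted):
        raise ValueError(f"address {wanted!r} is not of the form 12-3d-34-5d-56-ef")
    equal = wanted == mac.lower()
    op = elem.get("operation")
    if op not in ("eq", "neq"):
        raise ValueError(f"operation must be eq or neq, got {op!r}")
    return equal if op == "eq" else not equal


def flag_matches(elem, flags):
    """Evaluate present/notpresent against the set of flags seen in a TCP segment.

    Assumed: present=TCP_FLAG_ALL requires every flag, notpresent=TCP_FLAG_ALL
    requires none; a flag element whose protocol cannot carry TCP flags never fires.
    """
    if elem.get("protocol") not in TCP_CARRYING:
        return False
    seen = set(flags)

    def expand(name):
        return TCP_FLAGS if name == "TCP_FLAG_ALL" else {name}

    ok = True
    if elem.get("present") is not None:
        ok = ok and expand(elem.get("present")) <= seen
    if elem.get("notpresent") is not None:
        ok = ok and not (expand(elem.get("notpresent")) & seen)
    return ok


# Constructed sample elements following the attribute syntax in the reference.
BUSINESS_HOURS = ET.fromstring(
    '<daytimerange day1="MONDAY" day2="WEDNESDAY" day3="FRIDAY" time="09:00" totime="17:30"/>')
PRINTER = ET.fromstring('<ethernetaddress address="12-3d-34-5d-56-ef" operation="eq"/>')
SYN_ONLY = ET.fromstring(
    '<flag protocol="IP_TCP" present="TCP_FLAG_SYN" notpresent="TCP_FLAG_ACK"/>')
```

With these samples, 2005-06-01 (a Wednesday) at 10:00 satisfies BUSINESS_HOURS while the following Thursday does not; SYN_ONLY fires for a bare SYN but not for a SYN/ACK, which is the distinction a rule that singles out new inbound connection attempts relies on.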

The following table lists the group element's attributes.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/traffictype/group
  Level 10 child elements: None

  name
    Group identifier.
    Type: String. Free-form string, maximum of 14 characters.
    Use the name attribute to specify the name of the group. The value of the name attribute also appears in the global group definitions at (line break added for readability):
      /ZoneLabsSettings/ruleset[@name="runningruleset"]/
        firewall/expert/groups/RuleType[@name="NameDef"]
    In the preceding XPath statement, RuleType identifies the rule type and NameDef identifies the rule's name.

  type
    Identify a group as type address.
    Type: Read-only enumeration. Displayed value: address. Not user specifiable.
    Integrity client automatically sets the group element's type attribute to address.

The group element does not contain any child elements.

The ipaddress Network-entity Element

The ipaddress element:

- Specifies an IP address
- Can be contained in the source, destination, and bidirectional parent elements

The following table lists the ipaddress element's attributes.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/traffictype/ipaddress

  address
    Specifies an IP address.
    Type: Formatted string. String formatted as an IP address.
    Use the address attribute to specify the IP address to process as part of the program's rule.

  operation
    Specify the condition for applying the rule.
    Type: Enumeration. eq, neq.
    Specify the operation attribute equal to eq to apply the rule when the IP address matches the address specified by the address attribute, described in the preceding table entry.

  protocol
    Specify a named protocol.
    Type: Enumeration. Same as listed under protocol, on page 117.
    Use the protocol attribute to specify the protocol to process as part of the program's rule.

  Level 10 child elements: None

The ipaddress element does not contain any child elements.

The iprange Network-entity Element

The iprange element:

- Specifies a range of IP addresses
- Can be contained in the source, destination, and bidirectional parent elements

The following table lists the iprange element's attributes.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/traffictype/iprange
  Level 10 child elements: None

  address
    Specify the first address in a range of IP addresses.
    Type: Formatted string. String formatted as an IP address.
    In an iprange element, use the address attribute to specify the first IP address in the range of IP addresses.

  operation
    Specify the condition for applying the rule.
    Type: Enumeration. eq, neq.
    Specify the operation attribute equal to eq to apply the rule when an IP address is within the address range specified by the address and toaddress attributes.

  protocol
    Specify a named protocol.
    Type: Enumeration. Same as listed under protocol, on page 117.
    Use the protocol attribute to specify the protocol to process as part of the program's rule.

  toaddress
    Specify the last address in a range of IP addresses.
    Type: Formatted string. String formatted as an IP address.
    Use the toaddress attribute to specify the last IP address in the range of IP addresses.

The iprange element does not contain any child elements.

The ipsubnet Network-entity Element

The ipsubnet element:

- Specifies an IP subnetwork and subnet mask
- Can be contained in the source, destination, and bidirectional parent elements

The following table lists the ipsubnet element's attributes.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/traffictype/ipsubnet
  Level 10 child elements: None

  address
    Specify the address of the subnet.
    Type: Formatted string. String formatted as an IP address.
    Use the address attribute to specify the IP address of the subnet.

  mask
    Specify an IP mask.
    Type: Formatted string. String formatted as an IP subnet mask.
    Use the mask attribute to specify the subnet mask of the subnet specified by the address attribute.

  operation
    Specify the condition for applying the rule.
    Type: Enumeration. eq, neq.
    Specify the operation attribute equal to eq to apply the rule when an IP address is within the subnet specified by the address and mask attributes, described earlier in this table.

  protocol
    Specify a named protocol.
    Type: Enumeration. Same as listed under protocol, on page 117.
    Use the protocol attribute to specify the protocol to process as part of the program's rule.

The ipsubnet element does not contain any child elements.

The port Network-entity Element

The port element:

- Specifies a port
- Can be contained in the source, destination, and bidirectional parent elements

The following table lists the port element's attributes.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/traffictype/port
  Level 10 child elements: None

  operation
    Specify the condition for applying the rule.
    Type: Enumeration. eq, neq.
    Specify the operation attribute equal to eq to apply the rule when a port number matches the port specified by the port attribute, described in the following table entry.

  port
    Specify a port number.
    Type: Integer. Valid IP port number.
    Use the port element's port attribute to specify the port to process as part of the rule.

  portprotocol
    Specify a protocol type.
    Type: Enumeration or integer. Port protocol mnemonic or number.
    Use the portprotocol attribute to specify a port element's protocol. The portprotocol attribute recognizes two methods of specifying a protocol:
    - A protocol number as listed under protocol, on page 124
    - A protocol mnemonic as listed under protocol, on page 117

The port element does not contain any child elements.

The portpair Network-entity Element

The portpair element specifies a source and destination pair of ports. The following table lists the portpair element's attributes.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/nondirectional/portpair

  dstport
    Specify a destination port.
    Type: Integer. Valid IP port number.
    Use the dstport attribute to specify the destination port of the port pair defined by the corresponding srcport.

  portprotocol
    Specify a protocol type.
    Type: Enumeration or integer. Port protocol mnemonic or number.
    Use the portprotocol attribute to specify the port pair's protocol. The portprotocol attribute recognizes two methods of specifying a protocol:
    - A protocol number as listed under protocol, on page 124
    - A protocol mnemonic as listed under protocol, on page 117

  srcport
    Specify the source port.
    Type: Integer. Valid IP port number.
    Use the srcport attribute to specify the source port of the port pair defined by the corresponding dstport.

  Level 10 child elements: None

The portpair element does not contain any child elements.

The portrange Network-entity Element

The portrange element:

- Specifies a range of network ports
- Can be contained in the source, destination, and bidirectional parent elements

The following table lists the portrange element's attributes.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/traffictype/portrange

  operation
    Specify the condition for applying the rule.
    Type: Enumeration. eq, neq.
    Specify the operation attribute equal to eq to apply the rule when the specified port is within the range specified by the port and toport attributes, described later in this table.

  port
    Specify the first port in a port range.
    Type: Integer. Valid port number.
    Use the portrange element's port attribute to specify the beginning port in a port range.

  protocol
    Specify a protocol.
    Type: Enumeration or integer. Port protocol mnemonic or number.
    Use the protocol attribute to specify the protocol to process as part of the rule. The protocol attribute recognizes two methods of specifying a protocol:
    - A protocol number as listed under protocol, on page 124
    - A protocol mnemonic as listed under protocol, on page 117

  toport
    Specify the last port in a port range.
    Type: Integer. Valid port number.
    Use the portrange element's toport attribute to specify the ending port in a port range.

  Level 10 child elements: None

The portrange element does not contain any child elements.

The protocol Network-entity Element

The protocol element specifies a named or numbered protocol. The following table lists the protocol element's attributes.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/protocols/protocol
  Level 10 child elements: None

  operation
    Specify the condition for applying the rule.
    Type: Enumeration. eq, neq.
    Specify the operation attribute equal to eq to apply the rule when the protocol matches the value of the protocol attribute, described in the following table entry.

  protocol
    Specify a protocol.
    Type: Enumeration or integer. Port protocol mnemonic or number.
    Use the protocol attribute to specify the protocol to process as part of the rule. The protocol attribute recognizes two methods of specifying a protocol:
    - A protocol number as listed under protocol, on page 124
    - A protocol mnemonic as listed under protocol, on page 117

The protocol element does not contain any child elements.

The protocolrange Network-entity Element

The protocolrange element specifies a range of numeric or named protocols. The following table lists the protocolrange element's attributes.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/protocols/protocolrange
  Level 10 child elements: None

  operation
    Specify the condition for applying the rule.
    Type: Enumeration. eq, neq.
    Specify the operation attribute equal to eq to apply the rule when the protocol is within the range specified by the protocol and toprotocol attributes, described in the following table entries.

  protocol
    Specify the beginning protocol in a range of protocols.
    Type: Integer. The following six protocol numbers:

      Protocol Number   Protocol Name
      51                AH
      50                ESP
      47                GRE
      User specified    Other
      27                RDP
      57                SKIP

    Protocol numbers are defined by the Internet Assigned Numbers Authority (IANA). See the IANA Web site for more information.
    Use the protocol attribute to specify the beginning protocol type in a protocol range. The inclusion or exclusion of the protocols specified by the protocolrange child element is determined by the //program/protocols element's allow attribute, described on page 37.

  toprotocol
    Specify the end protocol in a range of protocols.
    Type: Enumeration or integer. Port protocol mnemonic or number.
    Use the toprotocol attribute to specify the last protocol in the protocol range. The toprotocol attribute recognizes two methods of specifying a protocol:
    - A protocol number as described in the protocol attribute in the preceding table entry
    - A protocol mnemonic as listed under protocol, on page 117

The protocolrange element does not contain any child elements.
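The address, port and protocol entities described in the preceding sections (ipaddress, iprange, ipsubnet, port, portrange, portpair, protocol and protocolrange) all follow one pattern: compare an observed value against the element's attributes, filter by the protocol attribute (which may be a mnemonic or an IANA number), then apply the eq/neq operation. The following Python module is an added example, not Check Point code, that implements that pattern for all eight entities over a constructed flow tuple of (address, port, protocol number); the mapping from the reference's mnemonics to IANA numbers and the treatment of the protocol attribute as a pre-filter (rather than something eq/neq negates) are assumptions noted in the code.

```python
"""Matching of observed flows against address, port and protocol network entities.

Added example, not Check Point code.  A flow is a constructed
(address, port, protocol number) tuple; the sample elements are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Assumed mapping of the reference's mnemonics to IANA protocol numbers;
# family identifiers expand to a set of numbers.
PROTOCOL_NUMBERS = {
    "IP_ICMP": {1}, "IP_IGMP": {2}, "IP_TCP": {6}, "IP_UDP": {17},
    "IP_GRE": {47}, "IP_ESP": {50}, "IP_AH": {51}, "IP_SKIP": {57},
    "IP_IXMP": {1, 2}, "IP_TCP_UDP": {6, 17}, "IP_UDP_TCP": {6, 17},
    "IP_VPN": {47, 50, 51, 57},
    "IP_ALL": set(range(256)), "IP_EVERY": set(range(256)),
}


def protocol_set(value):
    """Accept a mnemonic (any case) or a decimal number; None means any protocol."""
    if value is None:
        return set(range(256))
    if value.isdigit():
        return {int(value)}
    return PROTOCOL_NUMBERS[value.upper()]


def apply_operation(elem, hit):
    """eq keeps the comparison result, neq inverts it; anything else is an error."""
    op = elem.get("operation", "eq")
    if op not in ("eq", "neq"):
        raise ValueError(f"operation must be eq or neq, got {op!r}")
    return hit if op == "eq" else not hit


def matches(elem, flow):
    """Dispatch on the network-entity tag and return whether the flow matches."""
    addr, port, proto = ipaddress.ip_address(flow[0]), flow[1], flow[2]
    tag, proto_attr = elem.tag, "protocol"
    if tag == "ipaddress":
        hit = addr == ipaddress.ip_address(elem.get("address"))
    elif tag == "iprange":
        hit = (ipaddress.ip_address(elem.get("address")) <= addr
               <= ipaddress.ip_address(elem.get("toaddress")))
    elif tag == "ipsubnet":
        # ip_network accepts a dotted mask; strict=False tolerates host bits.
        net = ipaddress.ip_network(f'{elem.get("address")}/{elem.get("mask")}', strict=False)
        hit = addr in net
    elif tag == "port":
        hit, proto_attr = port == int(elem.get("port")), "portprotocol"
    elif tag == "portrange":
        hit = int(elem.get("port")) <= port <= int(elem.get("toport"))
    elif tag == "protocol":
        return apply_operation(elem, proto in protocol_set(elem.get("protocol")))
    elif tag == "protocolrange":
        low = min(protocol_set(elem.get("protocol")))
        high = max(protocol_set(elem.get("toprotocol")))
        return apply_operation(elem, low <= proto <= high)
    else:
        raise ValueError(f"unsupported network entity {tag!r}")
    # Assumed: the protocol attribute narrows which flows the entity applies to;
    # eq/neq only governs the address or port comparison itself.
    if proto not in protocol_set(elem.get(proto_attr)):
        return False
    return apply_operation(elem, hit)


def portpair_matches(elem, src_port, dst_port, proto):
    """nondirectional/portpair: assumed to match the pair in either direction."""
    if proto not in protocol_set(elem.get("portprotocol")):
        return False
    pair = (int(elem.get("srcport")), int(elem.get("dstport")))
    return (src_port, dst_port) == pair or (dst_port, src_port) == pair


# Constructed sample elements.
LAN = ET.fromstring('<ipsubnet address="10.1.0.0" mask="255.255.0.0" operation="eq" protocol="IP_ALL"/>')
WEB = ET.fromstring('<iprange address="192.0.2.10" toaddress="192.0.2.20" operation="eq" protocol="IP_TCP"/>')
NOT_DNS = ET.fromstring('<port port="53" portprotocol="IP_UDP" operation="neq"/>')
EPHEMERAL = ET.fromstring('<portrange port="49152" toport="65535" operation="eq" protocol="6"/>')
VPN = ET.fromstring('<protocolrange protocol="47" toprotocol="51" operation="eq"/>')
NTP_PAIR = ET.fromstring('<portpair srcport="123" dstport="123" portprotocol="IP_UDP"/>')
```

Note that NOT_DNS (operation="neq") is true for UDP traffic on any port other than 53, but false for TCP port 53, because the protocol pre-filter rules the entity out before neq is applied; whether the real client behaves this way for neq is not stated in the reference, which is why it is called out as an assumption.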

The socket Network-entity Element

The socket element:

- Combines the behaviors of the ipaddress and port network-entity elements into a single network-entity element
- Can be contained in the source, destination, and bidirectional parent elements

Understanding XML Policy Sockets

Use XML Policy sockets to combine the behaviors of the ipaddress and port network-entity elements into a single network-entity element. For example, the socket element combines the following two XML element statements

  <TrafficType>
    <ipaddress address=" " operation="eq" protocol="ip_tcp" />
    <port port="80" protocol="ip_tcp" operation="eq" />
  </TrafficType>

into the following single-line XML element statement:

  <TrafficType>
    <socket address=" " protocol="ip_tcp" port="80" operation="eq" />
  </TrafficType>

Socket Elements and the Control Center

The socket XML Policy element can only be specified within an XML Policy instance: the Integrity client Control Center does not contain a mechanism for directly specifying socket network entities.

The following table lists the socket element's attributes.

  /ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/traffictype/socket

  address
    Specify a socket IP address.
    Type: Formatted string. String formatted as a valid IP address.
    Use the address attribute to specify the socket element's IP address.

  operation
    Specify the condition for applying the rule.
    Type: Enumeration. eq, neq.
    Specify the operation attribute equal to eq to apply the rule when the address, port and protocol match the values of the address, port and protocol attributes, described in this table.

  port
    Specify a socket port number.
    Type: Integer. Valid IP port number.
    Use the socket element's port attribute to specify the port to process as part of the rule.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/traffictype/socket (continued)
(Sheet 2 of 2)

protocol
  Purpose: Specify the socket's protocol type.
  Type and values: Enumeration or integer. Port protocol mnemonic or number.
  The protocol attribute recognizes two methods of specifying a protocol:
    A protocol number as listed under protocol, on page 124
    A protocol mnemonic as listed under protocol, on page 117

Level: 10
Child Elements: None. The socket element does not contain any child elements.

The type Network-entity Element

The type element specifies the type of ICMP message to process as part of the rule. The following table lists the type element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/iptypes/type
(Sheet 1 of 2)

operation
  Purpose: Specify the condition for applying the rule.
  Type and values: Enumeration: eq, neq.
  Specify the operation attribute equal to eq to apply the rule when the protocol matches the value of the protocol attribute, described in the following table entry.

protocol
  Purpose: Specify a protocol.
  Type and values: Enumeration or integer. Port protocol mnemonic or number.
  Use the protocol attribute to specify the protocol to process as part of the rule. The protocol attribute recognizes two methods of specifying a protocol:
    A protocol number as listed under protocol, on page 124
    A protocol mnemonic as listed under protocol, on page 117

/ZoneLabsSettings/ruleset[@name="runningruleset"]/firewall/expert/rules/rule/iptypes/type (continued)
(Sheet 2 of 2)

type
  Purpose: Specify an ICMP message type.
  Type and values: enumeration. One of the following ICMP message types:
    DST_UNREACHABLE
    ECH_REQ
    ECHO_REPLY
    INFO_REPLY
    INFO_REQUEST
    MASK_REPLY
    MASK_REQUEST
    PARAM_PROBLEM
    REDIRECT
    ROUTERADVERT
    ROUTERSOLICIT
    SRC_QUENCH
    TIME_EXCEEDED
    TIMESTAMP
    TIMESTAMP_REPLY
  Use the type element's type attribute to specify the type of ICMP message to process as part of the rule.

Level: 10
Child Elements: None. The type element does not contain any child elements.
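The network-entity elements of this chapter (ipaddress, port, socket, protocolrange and their eq/neq operation attribute) can be exercised with a small matcher. The following is an added example, not code from the Integrity product or from this reference: it parses constructed rule fragments with xml.etree and decides whether a packet matches each entity, showing that the socket form and the ipaddress+port form give identical results. Two points are assumptions of the example rather than statements of the reference: that every entity under a rule must match (logical AND), and that the ip_tcp/ip_udp/ip_icmp mnemonics map to IANA numbers 6/17/1. The 10.1.2.3 address, the rule names and the packets are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Protocol mnemonics resolved to IANA protocol numbers. AH/ESP/GRE/RDP/SKIP use the
# numbers given in the protocolrange table above; ip_tcp/ip_udp/ip_icmp are assumed
# to map to IANA 6/17/1 (an assumption of this example, not stated by the reference).
PROTOCOL_NUMBERS = {
    "ip_tcp": 6, "ip_udp": 17, "ip_icmp": 1,
    "AH": 51, "ESP": 50, "GRE": 47, "RDP": 27, "SKIP": 57,
}

ENTITY_TAGS = ("ipaddress", "port", "socket", "protocolrange")

# Constructed rule fragments: the ipaddress+port pair and its single-element socket
# equivalent, each followed by a protocolrange that excludes ESP..AH (50..51).
RULE_SPLIT = """
<rule name="web-split">
  <traffictype>
    <ipaddress address="10.1.2.3" operation="eq" protocol="ip_tcp" />
    <port port="80" protocol="ip_tcp" operation="eq" />
  </traffictype>
  <protocols>
    <protocolrange operation="neq" protocol="50" toprotocol="51" />
  </protocols>
</rule>
"""

RULE_SOCKET = """
<rule name="web-socket">
  <traffictype>
    <socket address="10.1.2.3" protocol="ip_tcp" port="80" operation="eq" />
  </traffictype>
  <protocols>
    <protocolrange operation="neq" protocol="ESP" toprotocol="AH" />
  </protocols>
</rule>
"""

# Constructed packets: address, destination port and protocol (mnemonic or number).
PACKETS = {
    "http":       {"address": "10.1.2.3", "port": 80,  "protocol": "ip_tcp"},
    "https":      {"address": "10.1.2.3", "port": 443, "protocol": "ip_tcp"},
    "other-host": {"address": "10.9.9.9", "port": 80,  "protocol": "ip_tcp"},
    "esp":        {"address": "10.1.2.3", "port": 80,  "protocol": "ESP"},
}


def proto_number(value):
    """Resolve a protocol mnemonic or numeric string to an IANA protocol number."""
    return PROTOCOL_NUMBERS[value] if value in PROTOCOL_NUMBERS else int(value)


def apply_operation(hit, operation):
    """eq keeps the raw match; neq inverts it. Anything else is a policy error."""
    if operation not in ("eq", "neq"):
        raise ValueError(f"unknown operation attribute {operation!r}")
    return hit if operation == "eq" else not hit


def entity_matches(entity, packet):
    """Evaluate one ipaddress/port/socket/protocolrange element against a packet."""
    tag = entity.tag
    if tag not in ENTITY_TAGS:
        raise ValueError(f"unsupported network entity <{tag}>")
    pkt_proto = proto_number(packet["protocol"])
    if tag == "protocolrange":
        low = proto_number(entity.get("protocol"))
        high = proto_number(entity.get("toprotocol", entity.get("protocol")))
        hit = low <= pkt_proto <= high
    else:
        # ipaddress, port and socket all carry a protocol; socket adds address+port.
        hit = proto_number(entity.get("protocol")) == pkt_proto
        if tag in ("ipaddress", "socket"):
            hit = hit and entity.get("address") == packet["address"]
        if tag in ("port", "socket"):
            hit = hit and int(entity.get("port")) == packet["port"]
    return apply_operation(hit, entity.get("operation", "eq"))


def match_entity_xml(entity_xml, packet):
    """Convenience wrapper: evaluate a single entity given as an XML string."""
    return entity_matches(ET.fromstring(entity_xml), packet)


def rule_matches(rule, packet):
    """Assumption: every network entity in the rule must match (logical AND)."""
    entities = [e for e in rule.iter() if e.tag in ENTITY_TAGS]
    return all(entity_matches(e, packet) for e in entities)


def evaluate(rule_xml, packets=PACKETS):
    """Return {packet name: matched?} for one rule fragment."""
    rule = ET.fromstring(rule_xml)
    return {name: rule_matches(rule, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for label, xml in (("split", RULE_SPLIT), ("socket", RULE_SOCKET)):
        print(label, evaluate(xml))
```

Running the module prints the same verdicts for both rule forms: only the constructed "http" packet matches, because the socket (or ipaddress+port pair) requires 10.1.2.3:80 over ip_tcp and the neq protocolrange excludes ESP and AH.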

137 Chapter 10 The general Functional Category

This chapter describes the general functional category of the Check Point XML Policy. The general functional category specifies general firewall and protocol blocking behaviors.

This chapter contains the following sections:
  Overview of general Structure, in the following section, provides an overview of the structure of the general functional category's XML elements.
  Specifying general Security Behaviors, on page 128, describes the element, child elements, and attributes used to specify general security behaviors.

Overview of general Structure

The general element appears at nesting level 3 of a Check Point XML Policy. The following XPath statement illustrates the location of the element.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/general

The following illustrates the general structure of the general functional section.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/general
  <general>
    <detectednetworks status="ask" reset="false"/>
    <security trusted="medium" internet="low" blocktrustedservers="false" blockinternetservers="false" startup="low" getewayenforcement="true"/>
    <fwoptions blockfragments="false" blockprotovpn="false" allowprotomisc="true" enablearpprotection="true" enablespoofprotection="true" debugmode="true" nofwlock="true" debugflags="0x100" maxfilesize="1234"/>
    <autolock enabled="false" engage="screensaver" lockmode="normal" alertonviolation="showandcancel"/>
    <autovpn refreshtime="60" throttletime="30" zonerefresh="600"/>
  </general>

The preceding example illustrates that the general functional category consists of five child elements. The following sections describe each of these child elements in detail.
Specifying general Security Behaviors

The general functional category consists of the following five child elements:
  autolock specifies if and when Integrity client automatically activates its Internet Lock feature
  autovpn specifies settings for Integrity client to automatically detect and configure required settings for VPN access
  detectednetworks specifies how Integrity client manages newly detected network entities
  fwoptions specifies default firewall blocking behaviors
  security specifies default network blocking behaviors

The following sections describe each of these general functional category child elements in detail.

The attachments and quarantine elements control the overall operation of Integrity client's E-mail Protection feature. The following sections list each of these element attributes.

The autolock Element

The autolock element specifies if and when Integrity client automatically activates its Internet Lock feature. Enterprise security policy settings do not disable the Internet Lock and Stop buttons. Only the autolock settings in a personal security policy are used by Integrity client.

The following table lists the autolock element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/general/autolock

alertonviolation
  Purpose: Generate an alert for Internet Lock violations.
  Type and values: enumeration: Cancel, ShowAndCancel.
  Specify the alertonviolation attribute equal to ShowAndCancel to have Integrity client display an alert whenever a program attempts to violate an active Internet Lock.

enabled
  Purpose: Enable Internet Lock functionality.
  Specify the enabled attribute equal to true to enable Internet Lock capability. Integrity client's Internet Lock blocks all network communications to and from the end-point computer. Individual programs can bypass an active Internet Lock by specifying that program's passlock attribute, described on page 34, equal to true. See also the lockmode attribute, described later in this table.

engage
  Purpose: Specify criteria for engaging Internet Lock.
  Type and values: integer number of minutes, ScreenSaver, or false.
  Use the engage attribute to specify when Internet Lock is automatically engaged. The engage attribute accepts three values:
    Specify the engage attribute equal to an integer to activate Internet Lock after that many minutes of user inactivity
    Specify the engage attribute equal to ScreenSaver to activate Internet Lock whenever the end-point computer's screen saver runs
    Specify the engage attribute equal to false to disable automatic activation of Internet Lock

lockmode
  Purpose: Enable pass-lock programs.
  Type and values: enumeration: Emergency, Normal.
  lockmode specifies how Automatic Internet Lock behaves after it has been activated:
    Emergency stops all Internet access, including access by programs that have their passlock attribute set to true. See page 34 for a description of the applications functional category's passlock attribute.
    Normal blocks Internet access for all programs except those that have pass lock enabled.
  See also the enabled attribute, described earlier in this table.

Level: 5
Child Elements: None. The autolock element contains no child elements.

The autovpn Element

The autovpn element specifies Integrity client VPN Auto-config settings. Do not modify the value of autovpn attributes unless directed to do so by Check Point.

The following table lists the autovpn element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/general/autoVPN
(Sheet 1 of 2)

refreshtime
  Purpose: Specify the configuration refresh interval.
  Type and values: integer. Displayed values: integer number of seconds. Default is 30.
  The refreshtime attribute specifies how frequently Integrity client reloads VPN configuration information. 0 turns the Automatic VPN Configuration feature off. Increasing the value from the default of 30 makes the client respond more slowly to VPN configuration changes, but otherwise should not cause any problems.

throttletime
  Purpose: Defer VPN client software alerts.
  Type and values: integer. Displayed values: integer number of seconds. Default is 30.
  The throttletime attribute defers network alerts for VPN connections. Some VPN client software applications attempt to connect immediately to a destination point on startup. If the VPN client software has not already been assigned sufficient network access permission, each connection attempt causes Integrity client to display an unauthorized connection attempt alert box. The throttletime attribute defers the display of alerts for VPN client connections. This gives the user the time necessary to assign the VPN client software the network permission level required to initiate outbound VPN connections through the Integrity client firewall before alerts are generated. The only risk involved in increasing the value substantially is that the user might not see a necessary VPN alert.

zonerefresh
  Purpose: Specify the IP address refresh interval.
  Type and values: integer. Displayed values: integer number of seconds. Default is
  The zonerefresh attribute specifies how frequently Integrity client reloads VPN destination addresses via DNS lookup. Decreasing this value increases DNS traffic on your network.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/general/autoVPN (continued)
(Sheet 2 of 2)

allowmsconfig
  Purpose: Specify whether automatic VPN configuration is allowed.
  Type and values: Displayed values: 0 (automatic configuration is disabled) or non-zero (automatic configuration is enabled). Default is 1. Default is 0 for Windows 9x; 1 for WinNT.
  Disable autoconfig only to troubleshoot specific issues related to Windows 9x operating systems. This is intended for use primarily in consumer products.

allowciscoconfig
  Purpose: Specify whether automatic VPN configuration is allowed for Cisco VPNs.
  Type and values: Displayed values: 0 (automatic configuration is disabled) or non-zero (automatic configuration is enabled). Default is 1.
  Disable autoconfig only to troubleshoot specific issues related to Cisco VPNs. This is intended for use primarily in consumer products.

allowudpcheck
  Purpose: Specify whether automatic VPN configuration checks the destination port to identify VPN traffic.
  Type and values: Displayed values: 0 (automatic configuration is disabled) or non-zero (automatic configuration is enabled). Default is 0.
  The check confirms that the destination port is between and 62524, or IKE.

The detectednetworks Element

The detectednetworks element specifies how Integrity client manages newly detected network entities. The following table lists the detectednetworks element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/general/detectedNetworks

reset
  Purpose: Reset new network behavior to its default.
  Specify the reset attribute equal to true to reset the behavior for newly detected networks to its default value. If reset is equal to true, it overrides the status attribute described in the following attribute table entry.

status
  Purpose: Specify default new network behavior.
  Type and values: enumeration: allow, ask, disallow.
  Use the status attribute to specify how to process newly detected network entities:
    allow assigns the newly detected network entity to the Trusted Zone
    ask asks the user which zone, Trusted or Internet, to assign the newly detected network entity to
    disallow assigns the newly detected network entity to the Internet Zone
  If reset is equal to true, it overrides the status attribute, as described in the preceding attribute table entry.

Level: 5
Child Elements: None. The detectednetworks element contains no child elements.

The fwoptions Element

The fwoptions element specifies default firewall blocking behaviors. The following table lists the fwoptions element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/general/fwoptions
(Sheet 1 of 3)

allowprotomisc
  Purpose: Allow miscellaneous protocols.
  Specify the allowprotomisc attribute equal to true to allow miscellaneous protocols to pass through Integrity client's firewall.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/general/fwoptions (continued)
(Sheet 2 of 3)

blockfragments
  Purpose: Block packet fragments.
  Specify the blockfragments attribute equal to true to prevent IP packet fragments from passing through Integrity client's firewall.

blockprotovpn
  Purpose: Block VPN protocols.
  Specify the blockprotovpn attribute equal to true to prevent VPN protocols from passing through Integrity client's firewall.

debugflags
  Purpose: Specify TrueVector debug flags.
  Type and values: Formatted string. Hexadecimal value.
  The debugflags attribute is for use by Check Point development or technical support. Do not specify a value for debugflags unless directed to do so by Check Point.

debugmode
  Purpose: Enable debug mode.
  The debugmode attribute is for use by Check Point development or technical support. Do not specify a value for debugmode unless directed to do so by Check Point.

enablearpprotection
  Purpose: Block ARP packets.
  Specify the enablearpprotection attribute equal to true to prevent Address Resolution Protocol (ARP) packets from passing through Integrity client's firewall.

enablespoofprotection
  Purpose: Block packets with a spoofed source address.
  Specify the enablespoofprotection attribute equal to true to block packets containing a false ("spoofed") local or loopback source address.

maxfilesize
  Purpose: Specify the maximum file size of the fwpktlog.txt file.
  Type and values: integer. Integer kilobytes (KB).
  Use the maxfilesize attribute to specify the maximum permissible size of the fwpktlog.txt file, which records packet monitoring and blocking actions during startup of Integrity client.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/general/fwoptions (continued)
(Sheet 3 of 3)

nofwlock
  Purpose: Control whether firewall security levels change when Internet Lock is activated.
  Specify the nofwlock attribute equal to true to disable enhanced firewall protection when Integrity client's Internet Lock feature has been activated. Normally, when Internet Lock activates, Integrity client sets both Local and Internet Zone security levels to High. If nofwlock is equal to true, engaging Internet Lock does not affect firewall security settings.

Level: 5
Child Elements: None. The fwoptions element contains no child elements.

The security Element

The security element specifies default network blocking behaviors. The following table lists the security element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/general/security
(Sheet 1 of 2)

blockinternetservers
  Purpose: Define how requests to programs from the Internet are treated.
  Specify the blockinternetservers attribute equal to true to block by default any requests from the Internet Zone for programs on the end-point computer to act as servers (provide data or services).

blocktrustedservers
  Purpose: Define how requests to programs from the Trusted Zone are treated.
  Specify the blocktrustedservers attribute equal to true to block by default any requests from the Trusted Zone for programs on the end-point computer to act as servers (provide data or services).

getewayenforcement
  Purpose: Enable Linksys router CMP enforcement.
  Set the getewayenforcement attribute equal to true to enable support for the Linksys router's Client Monitoring Protocol (CMP).

internet
  Purpose: Specify how requests from programs to the Internet are treated.
  Type and values: enumeration: high, medium, off.
  Use the internet attribute to specify the default security level for the Internet Zone.

startup
  Purpose: Specify the startup security level.
  Type and values: enumeration: high, medium, off.
  Use the startup attribute to specify the security level applied when Integrity client starts and before it loads security settings from a policy.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/general/security (continued)
(Sheet 2 of 2)

trusted
  Purpose: Specify how requests from programs to the Trusted Zone are treated.
  Type and values: enumeration: high, medium, off.
  Use the trusted attribute to specify the default security level for the Trusted Zone.

Level: 5
Child Elements: None. The security element contains no child elements.
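Several attributes in this chapter decide how much the client protects the end-point (debugmode and nofwlock in fwoptions, the zone levels and blockinternetservers in security, status in detectednetworks). The following is an added example, not code from the Integrity product or this reference: a small audit that parses a general element with xml.etree and reports the settings that weaken protection or fall outside the enumerations documented above. The input is the reference's own sample general element from the chapter overview; the finding texts and the choice of which settings to flag are this example's, not a checklist from the reference.

```python
import xml.etree.ElementTree as ET

# The reference's own sample <general> element (from the overview of this chapter),
# used here as the input to audit.
SAMPLE_GENERAL = """
<general>
  <detectednetworks status="ask" reset="false"/>
  <security trusted="medium" internet="low" blocktrustedservers="false"
            blockinternetservers="false" startup="low" getewayenforcement="true"/>
  <fwoptions blockfragments="false" blockprotovpn="false" allowprotomisc="true"
             enablearpprotection="true" enablespoofprotection="true"
             debugmode="true" nofwlock="true" debugflags="0x100" maxfilesize="1234"/>
  <autolock enabled="false" engage="screensaver" lockmode="normal" alertonviolation="showandcancel"/>
  <autovpn refreshtime="60" throttletime="30" zonerefresh="600"/>
</general>
"""

# Documented enumeration for the security element's internet/trusted/startup attributes.
SECURITY_LEVELS = {"high", "medium", "off"}
# Documented enumeration for detectednetworks/@status.
NETWORK_STATUS = {"allow", "ask", "disallow"}


def is_true(value):
    return (value or "").strip().lower() == "true"


def audit_general(general_xml):
    """Return (attribute path, finding) pairs for settings in a <general> element that
    weaken the client's protection or fall outside the documented value sets."""
    general = ET.fromstring(general_xml)
    findings = []

    fw = general.find("fwoptions")
    if fw is not None:
        if is_true(fw.get("debugmode")):
            findings.append(("fwoptions/debugmode",
                             "debug mode is reserved for Check Point support; leave unset in production"))
        if is_true(fw.get("nofwlock")):
            findings.append(("fwoptions/nofwlock",
                             "Internet Lock will not raise zone security levels to High"))
        for attr in ("enablearpprotection", "enablespoofprotection"):
            if not is_true(fw.get(attr)):
                findings.append((f"fwoptions/{attr}", "protection is not enabled"))

    sec = general.find("security")
    if sec is not None:
        if not is_true(sec.get("blockinternetservers")):
            findings.append(("security/blockinternetservers",
                             "Internet Zone hosts may ask local programs to act as servers"))
        for attr in ("internet", "trusted", "startup"):
            level = sec.get(attr)
            if level not in SECURITY_LEVELS:
                findings.append((f"security/{attr}",
                                 f"value {level!r} is outside the documented set {sorted(SECURITY_LEVELS)}"))
            elif level == "off":
                findings.append((f"security/{attr}", "zone security level is off"))

    dn = general.find("detectednetworks")
    if dn is not None:
        status = dn.get("status")
        if status == "allow":
            findings.append(("detectednetworks/status",
                             "newly detected networks are placed in the Trusted Zone without asking"))
        elif status not in NETWORK_STATUS:
            findings.append(("detectednetworks/status",
                             f"value {status!r} is outside the documented set"))

    return findings


def flagged_attributes(general_xml):
    """Just the attribute paths, sorted, for quick comparison or reporting."""
    return sorted(path for path, _ in audit_general(general_xml))


if __name__ == "__main__":
    for path, finding in audit_general(SAMPLE_GENERAL):
        print(f"{path}: {finding}")
```

On the sample element the audit flags debugmode and nofwlock (both true), blockinternetservers (false), and the internet and startup levels, whose value low is not among the three values the security table documents.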

146 Chapter 11 The integrity Functional Category

This chapter describes the integrity functional category of the Check Point XML Policy. The integrity functional category specifies how Integrity client connects to an Integrity Server.

This chapter contains the following sections:
  Overview of integrity Structure, in the following section, provides an orientation to the overall composition of the integrity functional category's XML elements.
  Specifying General integrity Behaviors, on page 137, describes the integrity attributes that control program observation.
  Specifying Integrity Connection Behaviors, on page 139, describes the child element and attributes that specify connections to Integrity Server.

Overview of integrity Structure

The integrity element appears at nesting level 3 of a Check Point XML Policy. The following XPath statement illustrates the location of the integrity element.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/integrity

The following illustrates the general structure of the integrity functional section.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/integrity
  <integrity observationinterval="0" programobservation="0" integritymaster="ia">
    <connection name="is1" host="is.company.com" trigger="always" port="5054" vpnhost="vpn.company.com" vpnport="80" connectionid="123" delaytime="10" AuthType="NTLogin"/>
  </integrity>

The following sections describe the child elements and attributes contained in the integrity functional category.

Specifying General integrity Behaviors

The integrity element specifies general program observation behaviors.

The following table lists the integrity element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/integrity

observationinterval
  Purpose: Specify a program observation interval.
  Type and values: integer. Integer number of seconds. Default is 600.
  Use the observationinterval attribute to specify the number of seconds Integrity client records program activity before writing the accumulated observation results from Integrity client's database to a text-based log file. The programs observed during this interval are specified by the programobservation attribute, described in the following table entry.

programobservation
  Purpose: Specify program categories to observe.
  Type and values: integer. Logically OR values to combine categories.

    Hex Value   Observation Category
    0x0000      Disable program observation.
    0x0001      Not used.
    0x0002      Not used.
    0x0004      Log all programs, including those that do not access a network.
    0x0010      Log the number of bytes sent and received by programs.
    0x0020      Log URLs visited or served by programs.
    0x0040      Log IP addresses visited or served by programs.
    0x0080      Log ports visited or served by programs.
    0x0100      Log protocols used by programs.
    0x0200      Log miscellaneous network activity.
    0x0400      Log all program modules.
    0xFFFF      Log all types of observation information.

  Use the programobservation attribute to specify the program categories for Integrity client to observe. Integrity client writes accumulated observation results from its database to a text-based log file stored in the Integrity client folder at the interval specified by observationinterval, described in the preceding attribute table entry.

Level: 4
Child Elements: connection. The connection element is described in the following section.

Specifying Integrity Connection Behaviors

The integrity functional category's connection element completely specifies a connection between Integrity client and Integrity Server. The integrity and connection elements and attributes operate only in conjunction with Integrity Server. The following section describes the connection element in detail.

The connection Element

The connection element completely specifies a single connection to a specific Integrity Server. If you are using Integrity with a compatible VPN gateway device (such as a Cisco 30xx), you do not need to configure the connection element: the client program for that gateway provides Integrity Flex (or Integrity Agent) with the IP address of an Integrity Server.

The following table lists the connection element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/integrity/Connection
(Sheet 1 of 3)

AuthType
  Purpose: Specify the Integrity Server login authorization type.
  Type and values: enumeration: NovellLDAP, NTLogin, ADSLDAP.
  Use the AuthType attribute to specify the login method the network uses to authenticate users. NTLogin is the default authorization type.

connectionid
  Purpose: Specify the connection's logical identifier.
  Type and values: Formatted string. Varies depending on other settings; see the description below.
  Use the connectionid attribute to specify the logical identifier of a connection to Integrity Server. The connectionid attribute interacts with the trigger attribute, described later in this table:
    If the trigger type is always, and connectionid is not specified, then connectionid defaults to INTEGRITY_TRIGGER_ALWAYS.
    If the trigger type is latch, and connectionid is not specified, then connectionid defaults to the triggering IP address and port number separated by a colon.
  For example: If a client computer's trigger parameter is always or latch, and you later modify that client's trigger, then policy arbitration problems may occur. To avoid this, specify a value for connectionid.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/integrity/Connection (continued)
(Sheet 2 of 3)

delaytime
  Purpose: Specify a disconnect interval.
  Type and values: integer. Integer number of minutes.
  Use the delaytime attribute to specify how long Integrity client can be disconnected from Integrity Server before changing connection mode. Disconnecting from Integrity Server causes Integrity client to perform policy enforcement and policy arbitration differently than when it is connected to Integrity Server. See the entry for trigger, described later in this table, for more information about the use of the delaytime attribute. If the value equals -1, Integrity client never checks the connection state (that is, connected or disconnected); therefore, once a connection to Integrity Server is established, Integrity client does not switch back to the personal policy.

host
  Purpose: Specify Integrity Server's IP address.
  Type and values: Formatted string. String formatted as a valid IP address or URL.
  Use the host attribute to specify the IP address or URL of this connection element's Integrity Server.

name
  Purpose: Specify a name for the XML Policy instance.
  Type and values: String. Free-form name for the XML Policy instance.
  Use the name attribute to specify a free-form name for this XML Policy instance. The value of the name attribute appears in the Policies panel's list of security policies.

port
  Purpose: Specify Integrity Server's listening port.
  Type and values: Integer. Integer port number. Default is
  Use the AuthType attribute to specify

reconnectinterval
  Purpose: Shorten the reconnect delay interval.
  Type and values: Integer. Integer number of seconds. The default value of -1 is equivalent to 180 seconds. Values less than 10 are interpreted as minutes; values greater than 10 are interpreted as seconds.
  Use the reconnectinterval attribute to specify the interval at which Integrity Flex or Integrity Agent attempts to connect to Integrity Server. Normally, when Integrity Flex or Integrity Agent starts (typically at system startup), it attempts to connect to Integrity Server. If Integrity Server is unavailable, Integrity Flex or Integrity Agent suspends operation for 3 minutes, at which time it makes a new attempt to connect. Use the reconnectinterval attribute to manually shorten the interval between reconnect attempts.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/integrity/Connection (continued)
(Sheet 3 of 3)

trigger
  Purpose: Specify the type of connection to Integrity Server.
  Type and values: enumeration: always, latch, port, default.
  Use the trigger attribute to specify how Integrity client manages a connection to Integrity Server.
    default is a read-only trigger type specifier that is automatically supplied by a compatible VPN gateway device. Do not manually type the default parameter into a configuration file.
    latch triggers a connection to Integrity Server when a VPN gateway session is created.
    always provides two modes of operation: immediate and delayed. Immediate is the default mode for the always trigger type. Immediate mode applies the always attribute immediately and continues to use the enterprise security policy even if Integrity client disconnects from Integrity Server. Delayed specifies under what conditions Integrity client applies an enterprise security policy: if Integrity client disconnects from Integrity Server for the number of minutes specified by the delaytime attribute, Integrity client uses only the computer's personal security policy until the connection to Integrity Server is reestablished.

vpnhost
  Purpose: Specify the IP address of a VPN concentrator.
  Type and values: Formatted string. Valid IP address of a VPN concentrator.
  Use the vpnhost attribute to specify the IP address of a VPN concentrator for the network running Integrity Server.

vpnport
  Purpose: Specify a VPN concentrator's listen port.
  Type and values: integer. Valid VPN concentrator port.
  Use the vpnport attribute to specify the port number on which a VPN concentrator for the network running Integrity Server listens for incoming connection requests.

Level: 5
Child Elements: None. The connection element contains no child elements.

Transient Mode Connections to Integrity Server

Integrity Server 4.5 supports transient mode connections to Integrity clients. Transient mode connections are active only for short periods during each heartbeat interval. If an Integrity client loses its connection to Integrity Server, and the trigger attribute equals always and the delaytime is non-zero, then Integrity client will not detect the loss of connection until the next heartbeat interval. This means:
  A policy deployed from Integrity Server will not be received by Integrity client until the next heartbeat interval.

  Information displayed by the Integrity client Control Center will not reflect current status, such as enterprise policy status, until the next heartbeat interval.

Loading Updated connection Element Settings

Use the operational command line switch -config to reload a policy containing updated elements and attributes.
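The connection element's attributes interact in ways that are easy to misread: connectionid has a trigger-dependent default, reconnectinterval is read as minutes or seconds depending on magnitude, and with trigger always plus a non-zero delaytime a lost link is only noticed at the next heartbeat. The following is an added example, not code from the Integrity product or this reference, that encodes those rules from the tables above so a policy author can see the effective behavior of a connection element. It uses the reference's own sample connection from the chapter overview and a constructed latch connection; the heartbeat value of 120 seconds is taken from the policy_info example in the next chapter; how a reconnectinterval of exactly 10 is read is not stated by the reference, so the example treats it as seconds (assumption).

```python
import xml.etree.ElementTree as ET

DEFAULT_RECONNECT_SECONDS = 180   # reconnectinterval -1 "is equivalent to 180 seconds"
INTEGRITY_TRIGGER_ALWAYS = "INTEGRITY_TRIGGER_ALWAYS"  # default connectionid for trigger="always"

# The reference's own sample connection (from the chapter overview) plus a constructed
# latch-triggered connection with no connectionid, to exercise the defaulting rules.
SAMPLE_ALWAYS = ('<connection name="is1" host="is.company.com" trigger="always" port="5054" '
                 'vpnhost="vpn.company.com" vpnport="80" connectionid="123" delaytime="10" '
                 'AuthType="NTLogin"/>')
SAMPLE_LATCH = ('<connection name="gw" host="192.0.2.10" trigger="latch" port="5054" '
                'reconnectinterval="2"/>')   # constructed; 192.0.2.10 is a documentation address


def reconnect_seconds(value):
    """Apply the documented reading of reconnectinterval: -1 is the 180 s default, values
    below 10 are minutes, values above 10 are seconds. The reference does not say how
    exactly 10 is read; this example treats it as seconds (assumption)."""
    v = int(value)
    if v == -1:
        return DEFAULT_RECONNECT_SECONDS
    if v < 0:
        raise ValueError(f"reconnectinterval {v} has no documented meaning")
    return v * 60 if v < 10 else v


def default_connection_id(trigger, trigger_ip=None, trigger_port=None):
    """connectionid when the attribute is absent: INTEGRITY_TRIGGER_ALWAYS for always,
    "ip:port" of the triggering gateway session for latch. Other trigger types have no
    documented default, so the caller must supply one."""
    if trigger == "always":
        return INTEGRITY_TRIGGER_ALWAYS
    if trigger == "latch":
        if trigger_ip is None or trigger_port is None:
            raise ValueError("latch trigger needs the triggering IP address and port")
        return f"{trigger_ip}:{trigger_port}"
    raise ValueError(f"no documented default connectionid for trigger {trigger!r}")


def connection_profile(connection_xml, heartbeat_seconds, trigger_ip=None, trigger_port=None):
    """Summarize how a <connection> element will behave: effective connectionid, reconnect
    timing, the always-trigger mode, and whether a lost link is only noticed at the next
    heartbeat (the transient-mode caveat: trigger always with a non-zero delaytime)."""
    conn = ET.fromstring(connection_xml)
    trigger = conn.get("trigger", "always")
    delay = int(conn.get("delaytime", "0"))
    connection_id = conn.get("connectionid") or default_connection_id(trigger, trigger_ip, trigger_port)
    # always: immediate mode keeps the enterprise policy across disconnects; delayed mode
    # (delaytime > 0 minutes) falls back to the personal policy after that many minutes.
    mode = ("delayed" if delay > 0 else "immediate") if trigger == "always" else None
    late_detection = trigger == "always" and delay > 0
    return {
        "name": conn.get("name"),
        "trigger": trigger,
        "connectionid": connection_id,
        "reconnect_seconds": reconnect_seconds(conn.get("reconnectinterval", "-1")),
        "mode": mode,
        "never_checks_connection": delay == -1,
        "loss_detected_at_next_heartbeat": late_detection,
        # worst case: the link drops right after a heartbeat, so a full interval passes
        "worst_case_detection_seconds": heartbeat_seconds if late_detection else None,
    }


if __name__ == "__main__":
    print(connection_profile(SAMPLE_ALWAYS, 120))
    print(connection_profile(SAMPLE_LATCH, 120, trigger_ip="192.0.2.10", trigger_port=5054))
```

For the sample always connection the profile reports delayed mode (delaytime 10), the default 180 second reconnect interval, and a worst-case detection delay of one heartbeat; for the latch connection it derives the ip:port connectionid and reads reconnectinterval="2" as two minutes.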

152 Chapter 12 The policy_info Functional Category

This chapter describes the policy_info functional category of the Check Point XML Policy. The policy_info functional category specifies how Integrity client protects the end-point computer from potentially harmful attachments.

This chapter contains the following sections:
  Overview of policy_info Structure, in the following section, provides an orientation to the overall composition of the policy_info functional category's XML elements.
  Specifying policy_info Settings, on page 144, describes the policy_info elements that control the general interaction between Integrity client and Integrity Server.

If you are using Integrity Advanced Server, some policy settings described in this document do not apply. For information, see Default System Policy Settings for Integrity Advanced Server, on page 11.

Overview of policy_info Structure

The policy_info element appears at nesting level 2 of a Check Point XML Policy. The following XPath statement illustrates the location of the policy_info element.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/policy_info

The following illustrates the general structure of the policy_info functional section.

/ZoneLabsSettings/policy_info
  <policy_info author="super Administrator"
               description="low security. Users can increase security."
               policyname="mypolicy" version="1.x" filename="c:\winnt\system32"
               heartbeat="120" timemodified='"timemodified"' timedownloaded="120"
               reportantivirus='" This is Anti Virus Report"'
               customalert="true" customalerttext="this is custom alert Text"
               customalerturl="true" customalerturltext=" "
               customalerturlname="this is Custom Alert URL Name"
               customalerturlappendprog="true"
               reconnectinterval="10" reconnectcount="5" alertflags="10" logflags="9">
    <update policyname="mypolicy" description="low security. Users can increase security." author="super Administrator"/>
    <update policyname="mypolicy" description="high security. Users can reduce security." author="non Administrator"/>
  </policy_info>

The following sections describe the child elements and attributes contained in the policy_info functional category.

Specifying policy_info Settings

The policy_info functional category provides two primary levels.

The policy_info Element

The policy_info element:
  Specifies the overall operation of Integrity client-to-Integrity Server connectivity and interoperation
  Functions as a container element for the update element

The following table lists the policy_info element's attributes.

/ZoneLabsSettings/policy_info
(Sheet 1 of 6)

alertflags
  Purpose: Specify which categories of events generate alert boxes ("pop-ups").
  Type and values: Formatted string. String formatted as a hexadecimal value per the following table inset. Logically OR values to combine event categories.

    Value     Event Category
    0x0000    No client computer events generate alerts.
    0x0001    Firewall events.
    0x0002    Program events.
    0x0004    MailSafe events.
    0x0008    Enforcement events.
    0x0010    Connectivity events.
    0x0020    Policy update events.
    0xFFFF    All events generate popup alerts.

  Use the alertflags attribute to specify what categories of events generate an alert box. alertflags values are:
    Specified (typed into an XML Policy file) in hexadecimal
    Read (displayed when viewed) in decimal

alwaysactive
  Purpose: Enforce the enterprise security policy at all times.
  Specify the alwaysactive attribute equal to true to continue to enforce the end-point computer's enterprise security policy when Integrity client is disconnected from Integrity Server.

/ZoneLabsSettings/policy_info (continued)
(Sheet 2 of 6)

author
  Purpose: Identify this XML Policy instance's author.
  Type and values: string. Free-form text string.
  Use the author attribute to specify the author of the XML Policy instance.

customalert
  Purpose: Enable the custom alert group of attributes.
  Specify the customalert attribute equal to true to enable the custom alert group of attributes, listed in the following table entries. Use the custom alert group of attributes to add company-specific information to the alert boxes displayed by Integrity client.

customalerttext
  Purpose: Specify a custom alert's description.
  Type and values: string. Free-form string.
  Use the customalerttext attribute to specify a text-based description to appear on the custom alert. The customalert attribute, described in the preceding table entry, must be true to enable the customalerttext attribute.

customalerturl
  Purpose: Enable a custom alert URL.
  Specify the customalerturl attribute equal to true to enable the custom alert URL group of attributes. The customalert attribute, described earlier in this table, must be true to enable the customalerturl attribute.

customalerturlappendprog
  Purpose: Append a program name to the custom alert's URL.
  Type and values: String formatted as a valid Windows path name and program file name.
  Set the customalerturlappendprog attribute equal to true to append the name of the program associated with the alert to the custom alert URL. The customalert attribute, described earlier in this table, must be true to enable the customalerturlappendprog attribute.

customalerturlname
  Purpose: Specify a descriptive name for the custom alert's URL.
  Type and values: string. Free-form text string.
  Use the customalerturlname attribute to assign a text-based name to the custom alert's URL; use the customalerturltext attribute, described in this table, to specify the URL. The customalerturl attribute, described in this table, must be true to enable the customalerturlname attribute.

customalerturltext - Specify the URL shown in the custom alert.
  Type: formatted string, a valid URL. Use the customalerturltext attribute to specify a URL, such as a corporate support or assistance site, to appear in the custom alert box. The customalerturl attribute, described in this table, must be true to enable the customalerturltext attribute.

description - Describe the XML Policy instance.
  Type: string, free-form text. Use the description attribute to describe the XML Policy instance. In Integrity Server's Policy Studio, in the Name & Notes tab, use the "Notes about this policy" text entry area to type a description.

heartbeat - Specify the heartbeat interval.
  Type: integer number of seconds. The following values are the heartbeat intervals produced by the option buttons in Policy Studio's Client Settings tab.
    High      60 seconds (1 minute)
    Option 2  300 seconds (5 minutes)
    Option 3  900 seconds (15 minutes)
    Option 4  1800 seconds (30 minutes)
    Low       3600 seconds (60 minutes)
  Use the heartbeat attribute to specify the number of seconds between heartbeat messages transmitted from Integrity client to Integrity Server. In networks containing large numbers of Integrity clients, specify less frequent heartbeat exchanges to reduce network loading; a longer interval also lengthens the time before Integrity Server notices that a client has stopped reporting.

logflags - Specify which categories of events are logged.
  Type: formatted string, a hexadecimal value built from the following values.
    0x0000  No client events are logged.
    0x0001  Firewall events.
    0x0002  Program events.
    0x0004  MailSafe events.
    0x0008  Enforcement events.
    0x0010  Not used.
    0x0020  Not used.
    0xFFFF  All events are logged.
  Logically OR values to combine event categories. Use the logflags attribute to specify which categories of events Integrity client records in its event log. logflags values are:
  - Specified (typed into an XML Policy file) in hexadecimal
  - Read (displayed when viewed) in decimal

policyname - Specify the name of the policy.
  Type: string, free-form name of the XML Policy instance. Use the policyname attribute to specify the name of the XML Policy instance.
  - Integrity Server identifies policies by policy name
  - Integrity client displays the policy name in the Policies panel's Main tab

preventshutdownwhenactive - Prevent the shutdown of Integrity client when an enterprise policy is active.
  Specify the preventshutdownwhenactive attribute equal to true to prevent the shutdown of Integrity client when an enterprise security policy is active.

reconnectcount - Specify how many times to attempt to connect to Integrity Server.
  Type: integer number of connection attempts. Use the reconnectcount attribute to specify how many times after an unsuccessful connection attempt Integrity client should attempt to connect to Integrity Server. Use the reconnectinterval attribute, described in the following table entry, to specify the number of seconds between each connection attempt.
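The alertflags and logflags tables above share one bitmask layout, and the reference notes that the values are typed in hexadecimal but displayed in decimal, which makes a policy file hard to review by eye. The following script is an added example, not code from the original reference or from Check Point: it parses a policy_info element with the Python standard library, accepts either numeric form, decodes both masks into category names, and flags settings a reviewer would question (undefined bits, enforcement events not logged, alwaysactive left false, a heartbeat that is not one of the Policy Studio presets). The policy fragment is constructed for the example, and the function names are my own.

```python
"""Decode the alertflags/logflags bitmasks of a policy_info element and
sanity-check the connectivity settings around them."""
import xml.etree.ElementTree as ET

# Event-category bits from the alertflags and logflags tables of the reference.
ALERT_CATEGORIES = {
    0x0001: "Firewall events",
    0x0002: "Program events",
    0x0004: "MailSafe events",
    0x0008: "Enforcement events",
    0x0010: "Connectivity events",
    0x0020: "Policy update events",
}
# logflags defines only the low four bits; 0x0010 and 0x0020 are "Not used".
LOG_CATEGORIES = {bit: name for bit, name in ALERT_CATEGORIES.items() if bit < 0x0010}
ALL_EVENTS = 0xFFFF
HEARTBEAT_PRESETS = (60, 300, 900, 1800, 3600)  # Policy Studio option buttons, seconds

# Constructed sample fragment (assumption), not a policy exported from a real deployment.
SAMPLE_POLICY = """<ZoneLabsSettings>
  <policy_info policyname="Finance-Laptops" version="1.2"
               alertflags="0x0021" logflags="15"
               heartbeat="300" reconnectcount="3" reconnectinterval="30"
               alwaysactive="false" preventshutdownwhenactive="true"/>
</ZoneLabsSettings>"""


def parse_flags(value):
    """Accept both forms the reference describes: hexadecimal as typed into
    the policy file ("0x0021") and decimal as displayed by the client ("33")."""
    value = value.strip()
    if value.lower().startswith("0x"):
        return int(value[2:], 16)
    return int(value, 10)


def decode_flags(mask, table):
    """Return (category names set in mask, bits set that the table does not define)."""
    if mask == ALL_EVENTS:
        return ["All events"], 0
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    defined = 0
    for bit in table:
        defined |= bit
    return names, mask & ~defined & ALL_EVENTS


def audit_policy_info(xml_text):
    """Decode the flags and list settings a reviewer would question."""
    info = ET.fromstring(xml_text).find("policy_info")
    attrs = info.attrib
    alert_mask = parse_flags(attrs.get("alertflags", "0x0000"))
    log_mask = parse_flags(attrs.get("logflags", "0x0000"))
    alerts, stray_alert_bits = decode_flags(alert_mask, ALERT_CATEGORIES)
    logs, stray_log_bits = decode_flags(log_mask, LOG_CATEGORIES)

    findings = []
    if stray_alert_bits:
        findings.append("alertflags sets undefined bits 0x%04X" % stray_alert_bits)
    if stray_log_bits:
        findings.append("logflags sets undefined or unused bits 0x%04X" % stray_log_bits)
    if log_mask != ALL_EVENTS and not log_mask & 0x0008:
        findings.append("logflags does not record Enforcement events")
    if attrs.get("alwaysactive", "false").lower() != "true":
        findings.append("alwaysactive is not true: the enterprise policy is not "
                        "enforced while the client is disconnected from Integrity Server")
    heartbeat = int(attrs.get("heartbeat", "0"))
    if heartbeat not in HEARTBEAT_PRESETS:
        findings.append("heartbeat=%d is not a Policy Studio preset" % heartbeat)
    return {
        "policyname": attrs.get("policyname"),
        "alerts": alerts,
        "logs": logs,
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit_policy_info(SAMPLE_POLICY)
    print("Policy:", result["policyname"])
    print("Alerts for:", ", ".join(result["alerts"]))
    print("Logs:", ", ".join(result["logs"]))
    for finding in result["findings"]:
        print("WARNING:", finding)
```

Running the script against the sample reports alerts for Firewall and Policy update events, logging of all four defined categories, and a single warning that alwaysactive is false. The same decode_flags function serves both attributes because the two tables differ only in which high bits are defined.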

reconnectinterval - Specify the interval between connection attempts.
  Type: integer number of seconds. Use the reconnectinterval attribute to specify the number of seconds Integrity client waits between successive connection attempts. Use the reconnectcount attribute, described in the preceding table entry, to specify how many attempts to make.

reportantivirus - Identifies the anti-virus program recognized by Integrity Server.
  Displayed value: read-only string, one of three anti-virus program identifiers:
    mcaffee.vs
    trend.pcc
    symantec.nav
  Use Integrity Server's Policy Studio to identify the anti-virus software required on end-point computers. Integrity Server then automatically inserts the correct value of the reportantivirus attribute into the enterprise security policy.

timeconnectattempt - Displays the last time Integrity Server attempted to connect.
  Displayed value: read-only formatted string, yyyy-mm-dd hh:mm:ss. Integrity Server automatically writes into the timeconnectattempt attribute the date and time of its last attempt to connect to this instance of Integrity client.

timeconnected - Displays the last time Integrity Server connected.
  Displayed value: read-only formatted string, yyyy-mm-dd hh:mm:ss. Integrity Server automatically writes into the timeconnected attribute the date and time of its last successful connection to this instance of Integrity client.

timedownloaded - Displays the time of the first successful download of an enterprise security policy.
  Displayed value: read-only formatted string, yyyy-mm-dd hh:mm:ss. Integrity Server automatically writes into the timedownloaded attribute the date and time when this XML Policy instance was first deployed.

timemodified - Displays the time of the most recent download of an enterprise security policy.
  Displayed value: read-only formatted string, yyyy-mm-dd hh:mm:ss. Integrity Server automatically writes into the timemodified attribute the date and time when the XML Policy instance of this name was last updated.

version - Specify the version of this XML Policy instance.
  Type: formatted string, a version number. Use the version attribute to identify the version of a given type of XML Policy instance.

warnonlyenterprise - No description is given for this attribute; the source table repeats the version attribute's entry here.

Chapter 13 The preferences Functional Category

This chapter describes the preferences functional category of the Check Point XML Policy. The preferences functional category specifies general Control Center behaviors of Integrity client. This chapter contains the following sections:
- Overview of preferences Structure, in the following section, provides an orientation to the overall composition of the preferences functional category's XML elements.
- Specifying preferences Options describes the preferences element's attributes.

Overview of preferences Structure

The preferences element appears at nesting level 2 of a Check Point XML Policy. The following XPath statement illustrates the location of the preferences element.

/ZoneLabsSettings/preferences

The following illustrates the general structure of the preferences functional section.

/ZoneLabsSettings/preferences
<preferences ontop="false" showtoolbar="true" transmitdialogs="true" showminimized="false" programwizard="true"/>

The following section describes the attributes contained in the preferences functional category.

Specifying preferences Options

The preferences functional category specifies general Control Center behaviors.

The preferences Element

The following table lists the preferences element's attributes.

/ZoneLabsSettings/preferences

ontop - Display Integrity client during Internet activity.
  Specify the ontop attribute equal to true to display Integrity client on top of other applications whenever Internet activity occurs.

programwizard - Display the Program Wizard panel.
  Specify the programwizard attribute equal to true to display the Program Wizard button on the main tab of the Programs panel.

showminimized - Minimize Integrity client when starting.
  Specify the showminimized attribute equal to true to display only the Integrity icon in the Windows system tray when Integrity client starts. The Control Center policy export utility does not include showminimized in an exported XML Policy.

showtoolbar - Deprecated toolbar setting: do not use.
  The showtoolbar attribute is not used in Integrity client 4.x.

transmitdialogs - Warn before transmitting information to Check Point.
  Specify the transmitdialogs attribute equal to true to display a warning dialog before sending information to Check Point Web sites, such as those used by Alert Advisor or product registration. The transmitdialogs attribute corresponds to the "Alert me with a pop-up before I make contact" check box on the Overview panel's Preferences tab.

Level 3 Child Elements: none. The preferences element contains no child elements.

Chapter 14 The webcontent Functional Category

This chapter describes the webcontent functional category of the Check Point XML Policy. The webcontent functional category specifies both general and program-specific blocking of undesirable Web content. This chapter contains the following sections:
- Overview of webcontent Structure, in the following section, provides an orientation to the overall composition of the webcontent functional category's XML elements.
- Specifying General privacy Behaviors describes how to specify general privacy behaviors.
- Specifying Site-specific Privacy Settings describes how to specify privacy settings for individual Web sites.
- Specifying Web Filtering describes Web filtering. Web filtering is not part of Integrity client; this chapter provides information about Web filtering for reference purposes only.

Overview of webcontent Structure

The webcontent element appears at nesting level 3 of a Check Point XML Policy. The following XPath statement illustrates the location of the webcontent element.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/webcontent

The Check Point XML Policy divides the webcontent functional category into two nesting-level 4 child elements: privacy and filtering. The following XPath statements illustrate the placement of the privacy and filtering child elements:

/ZoneLabsSettings/ruleset[@name="runningruleset"]/webcontent/privacy
/ZoneLabsSettings/ruleset[@name="runningruleset"]/webcontent/filtering

The following sections provide an overview of both of these elements.

The privacy Child Element

The privacy element specifies how Integrity client blocks advertisements, scripts, and embedded objects contained in HTML pages. The following illustrates the general structure of the webcontent functional section's privacy child element.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/webcontent
<privacy unblinktext="false" privacyadvisor="true">
  <tracking disablewebbugs="true" removereferrerheader="false" removeuseragentheader="true"/>
  <mobilecode scripts="allow" JavaScript="allow" mime="allow" embeddedobects="allow" mimetypes="mime Types"/>
  <advertisements animation="allow" banner="allow" bannerreplacement="nothing"/>

  <cookies session="allow" persistent="allow" persistentexpire="xdays" thirdpartypersistent="allow" thirdpartypersistentexpire="immediately" thirdpartypersistentexpiredays="0" outgoing="allow"/>
  <sites clearoldentries="true">
    <site name="
      <mobilecode mobilecode attributes />
      <cookies session= cookies attributes />
    </site>
    <site name="additionalsitedefinition">
      site-specific privacy elements
    </site>
  </sites>
</privacy>

Scope of privacy and sites Child Elements

In the preceding example, the privacy parent element contains four types of content privacy-entity child elements:
- advertisements specifies advertising content such as banner ads, pop-ups, and blinking text
- cookies specifies content that is written by the user's Web browser to the end-point computer's hard disk drive
- mobilecode specifies scripts, such as JavaScript or VBScript
- tracking specifies elements, such as web bugs, designed by the content provider to track the Web browsing patterns of the person viewing the content

As children of the privacy element, the content child elements specify default privacy behavior. These same four child elements also appear within //sites/site parent elements. When content elements appear as children of site elements, they specify non-default, site-specific privacy behavior for that site, overriding the defaults set directly under privacy.

The filtering Child Element

The filtering element specifies the criteria used to filter the content contained in HTML pages. Web filtering is available only in Zone Alarm Pro with Web Filtering. Because Web filtering appears in XML Policies generated by Integrity client, this chapter includes a discussion of Web filtering for reference purposes.

The following illustrates the general structure of the webcontent functional section's filtering child element.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/webcontent
<filtering enable="true" DRTREnable="false" blockontimeout="true" timeout="200" DRTRTimeout="200">
  <category key="abortion" block="true"/>
</filtering>

Cerberian Web Content Categories

In the preceding example, the category element's key attribute specifies a category defined and managed by the Cerberian Corporation. Cerberian monitors and characterizes Internet content. Zone Alarm Pro (but not Integrity client) uses Cerberian's ratings to block or allow ("filter") HTML content.

The remaining sections in this chapter describe the webcontent functional section's privacy element and its advertisements, cookies, mobilecode, tracking, and sites child elements.

Specifying General privacy Behaviors

Use the //webcontent/privacy element, along with one or more privacy-entity child elements, to completely specify general privacy behavior.
- The //webcontent/privacy element is described in the following section
- Privacy-entity elements are described in the section after it

The privacy features are for use with Integrity Desktop only.

The //webcontent/privacy Element

The //webcontent/privacy element:
- Specifies general privacy behaviors
- Functions as a container element for privacy-entity child elements

The following table lists the privacy element's attributes.

/ZoneLabsSettings/ruleset[@name="runningruleset"]/webcontent/privacy

blockbackgroundsounds - Block sounds embedded in HTML pages from playing.
  Specify the blockbackgroundsounds attribute equal to true to suppress the playing of sound files embedded in content.

equivhosts - Specify hosts that are equivalent for purposes of default privacy settings.
  Type: formatted string, multiple host names. Use the equivhosts attribute to assign multiple hosts the same group of privacy settings. The following illustrates the general form of the equivhosts attribute:
  <privacy equivhosts="site01.com, site02.com, siten.org"/>

privacyadvisor - Enable the Privacy Advisor alert box.
  Specify the privacyadvisor attribute equal to true to display an alert box each time Integrity client's privacy features block content.

unblinktext - Prevent text from blinking.
  Specify the unblinktext attribute equal to true to suppress the blinking of HTML text.

Level 5 Child Elements: advertisements, cookies, mobilecode, tracking, sites. The four privacy-entity elements, and the sites container that holds site-specific copies of them, are described in the following section.

Specifying Privacy-entity Elements

A Check Point XML Policy contains up to four privacy-entity child elements:
- advertisements specifies advertising content such as banner ads, pop-ups, and blinking text
- cookies specifies content that is written by the user's Web browser to the end-point computer's hard disk drive
- mobilecode specifies scripts, such as JavaScript or VBScript
- tracking specifies elements, such as web bugs, designed by the content provider to track the Web browsing patterns of the person viewing the content

The following sections describe each of these privacy-entity elements and their attributes in detail.
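Because the same four privacy-entity elements appear both directly under privacy (defaults) and under sites/site (per-site overrides), a policy can quietly re-enable scripts or persistent cookies for individual hosts. The following script is an added example, not code from the reference or from Check Point: it walks the privacy element with the Python standard library, records the default value of every content attribute, and lists each site whose override turns a non-allow default into "allow". The policy fragment is constructed; the reference only shows the value "allow", so the value "block" used for the defaults, the host names, and the function names are assumptions of this example.

```python
"""Find site-specific privacy overrides that relax the policy-wide defaults."""
import xml.etree.ElementTree as ET

PRIVACY_PATH = "ruleset[@name='runningruleset']/webcontent/privacy"
CONTENT_ELEMENTS = ("advertisements", "cookies", "mobilecode", "tracking")

# Constructed sample (assumption), not an exported policy. "allow" is the value
# the reference shows; "block" is assumed here as the non-allow value.
SAMPLE_POLICY = """<ZoneLabsSettings>
  <ruleset name="runningruleset">
    <webcontent>
      <privacy unblinktext="true" privacyadvisor="true">
        <mobilecode scripts="block" JavaScript="block" mime="block"/>
        <cookies session="allow" persistent="block" thirdpartypersistent="block"/>
        <sites clearoldentries="true">
          <site name="intranet.example.com">
            <mobilecode scripts="allow" JavaScript="allow"/>
          </site>
          <site name="news.example.org">
            <cookies persistent="allow"/>
            <mobilecode JavaScript="block"/>
          </site>
        </sites>
      </privacy>
    </webcontent>
  </ruleset>
</ZoneLabsSettings>"""


def privacy_defaults(privacy):
    """Map (element tag, attribute) -> default value, taken from the
    privacy-entity elements that are direct children of privacy."""
    defaults = {}
    for child in privacy:
        if child.tag in CONTENT_ELEMENTS:
            for attr, value in child.attrib.items():
                defaults[(child.tag, attr)] = value
    return defaults


def relaxed_sites(xml_text):
    """Return {site name: ["element.attr: default -> site value", ...]} for
    every site-level setting that changes a non-allow default to allow."""
    root = ET.fromstring(xml_text)
    privacy = root.find(PRIVACY_PATH)
    if privacy is None:
        raise ValueError("no %s element in policy" % PRIVACY_PATH)
    defaults = privacy_defaults(privacy)
    report = {}
    for site in privacy.findall("sites/site"):
        name = site.get("name", "?")
        for child in site:
            if child.tag not in CONTENT_ELEMENTS:
                continue  # site-level elements other than the four entities
            for attr, value in child.attrib.items():
                default = defaults.get((child.tag, attr))
                if default is not None and default != "allow" and value == "allow":
                    report.setdefault(name, []).append(
                        "%s.%s: %s -> %s" % (child.tag, attr, default, value))
    return report


if __name__ == "__main__":
    for host, changes in sorted(relaxed_sites(SAMPLE_POLICY).items()):
        print(host)
        for change in changes:
            print("  relaxed:", change)
```

On the sample, intranet.example.com is reported for re-allowing scripts and JavaScript, and news.example.org for re-allowing persistent cookies; its JavaScript="block" override matches the default and is not reported. Attributes a site sets that have no default under privacy are ignored rather than guessed at, which is the conservative choice for an audit.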


More information

H3C SecPath Series Firewalls and UTM Devices

H3C SecPath Series Firewalls and UTM Devices H3C SecPath Series Firewalls and UTM Devices Attack Protection Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: F100 series: ESS 5132 F1000-A-EI: Feature 3722

More information

HP Intelligent Management Center Remote Site Management User Guide

HP Intelligent Management Center Remote Site Management User Guide HP Intelligent Management Center Remote Site Management User Guide Abstract This book provides overview and procedural information for Remote Site Management, an add-on service module to the Intelligent

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the service described herein without notice. Before installing and using the service, review the readme files, release

More information

Branch Repeater :51:35 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Branch Repeater :51:35 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Branch Repeater 6.0 2013-07-22 14:51:35 UTC 2013 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents Branch Repeater 6.0... 3 Branch Repeater 6.0... 4 Release Notes

More information

Getting Started with Access Control Policies

Getting Started with Access Control Policies Getting Started with Control Policies The following topics describe how to start using access control policies: Introduction to Control, page 1 Managing Control Policies, page 6 Creating a Basic Control

More information

McAfee Endpoint Security Migration Guide. (McAfee epolicy Orchestrator)

McAfee Endpoint Security Migration Guide. (McAfee epolicy Orchestrator) McAfee Endpoint Security 10.6.0 - Migration Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

Exam : Title : Accelerated CCSE NGX ( )... Version : Demo

Exam : Title : Accelerated CCSE NGX ( )... Version : Demo Exam : 156-915 Title : Accelerated CCSE NGX (156-915.1)... Version : Demo 1.You have two Nokia Appliances one IP530 and one IP380. Both Appliances have IPSO 39 and VPN-1 Pro NGX installed in a distributed

More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.4.3 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 4 New features on page 5

More information

Kaspersky Security for Windows Server

Kaspersky Security for Windows Server Kaspersky Security for Windows Server User's Guide Application version: 10.1.0.622 Dear User, Thank you for choosing Kaspersky Lab as your security software provider. We hope that this document helps you

More information

Administration Tools User Guide. Release April 2015

Administration Tools User Guide. Release April 2015 Administration Tools User Guide Release 6.2.5 April 2015 Administration Tools User Guide Release 6.2.5 April 2015 Part Number: E62969_05 Oracle Financial Services Software, Inc. 1900 Oracle Way Reston,

More information

Lookout Mobile Endpoint Security. Deploying Lookout with BlackBerry Unified Endpoint Management

Lookout Mobile Endpoint Security. Deploying Lookout with BlackBerry Unified Endpoint Management Lookout Mobile Endpoint Security Deploying Lookout with BlackBerry Unified Endpoint Management June 2018 2 Copyright and disclaimer Copyright 2018, Lookout, Inc. and/or its affiliates. All rights reserved.

More information

McAfee Network Security Platform Administration Course

McAfee Network Security Platform Administration Course McAfee Network Security Platform Administration Course Education Services administration course The McAfee Network Security Platform Administration course from McAfee Education Services is an essential

More information

Managing Latency in IPS Networks

Managing Latency in IPS Networks Revision C McAfee Network Security Platform (Managing Latency in IPS Networks) Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended settings

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Security Management Server. Administration Guide Version R70

Security Management Server. Administration Guide Version R70 Security Management Server Administration Guide Version R70 701676 March 8, 2009 2003-2009 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected

More information

Cisco TEO Adapter Guide for Microsoft Windows

Cisco TEO Adapter Guide for Microsoft Windows Cisco TEO Adapter Guide for Microsoft Windows Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800

More information

Check Point IPS R75. Administration Guide

Check Point IPS R75. Administration Guide Check Point IPS R75 Administration Guide 15 December 2010 2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Introduction to Change and Configuration Management

Introduction to Change and Configuration Management CHAPTER 1 Introduction to Change and Configuration Management Cisco Prime Network Change and Configuration Management provides tools that allow you to manage the software and device configuration changes

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

SAS Business Rules Manager 1.2

SAS Business Rules Manager 1.2 SAS Business Rules Manager 1.2 User s Guide Second Edition SAS Documentation The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2012. SAS Business Rules Manager 1.2. Cary,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Epson Projector Management Operation Guide

Epson Projector Management Operation Guide Epson Projector Management Operation Guide Contents Introduction to Epson Projector Management... 5 Epson Projector Management Features... 5 Setting Up the Software for the First Time... 7 Installing

More information

WHITE PAPER: BEST PRACTICES. Sizing and Scalability Recommendations for Symantec Endpoint Protection. Symantec Enterprise Security Solutions Group

WHITE PAPER: BEST PRACTICES. Sizing and Scalability Recommendations for Symantec Endpoint Protection. Symantec Enterprise Security Solutions Group WHITE PAPER: BEST PRACTICES Sizing and Scalability Recommendations for Symantec Rev 2.2 Symantec Enterprise Security Solutions Group White Paper: Symantec Best Practices Contents Introduction... 4 The

More information

Oracle Agile Product Lifecycle Management for Process Reporting User Guide Release E

Oracle Agile Product Lifecycle Management for Process Reporting User Guide Release E Oracle Agile Product Lifecycle Management for Process Reporting User Guide Release 6.1.1.5 E57828-01 November 2014 Oracle Agile Product Lifecycle Management for Process Reporting User Guide, Release 6.1.1.5

More information

Administration Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit

Administration Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Deploy is a trademark owned by Specops Software. All

More information

Activating Intrusion Prevention Service

Activating Intrusion Prevention Service Activating Intrusion Prevention Service Intrusion Prevention Service Overview Configuring Intrusion Prevention Service Intrusion Prevention Service Overview Intrusion Prevention Service (IPS) delivers

More information

USM Anywhere AlienApps Guide

USM Anywhere AlienApps Guide USM Anywhere AlienApps Guide Updated April 23, 2018 Copyright 2018 AlienVault. All rights reserved. AlienVault, AlienApp, AlienApps, AlienVault OSSIM, Open Threat Exchange, OTX, Unified Security Management,

More information

Oracle. Service Cloud Knowledge Advanced User Guide

Oracle. Service Cloud Knowledge Advanced User Guide Oracle Service Cloud Release May 2017 Oracle Service Cloud Part Number: E84078-03 Copyright 2015, 2016, 2017, Oracle and/or its affiliates. All rights reserved Authors: The Knowledge Information Development

More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.4.8 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 5 New features on page 5

More information

Trustwave SEG Cloud Customer Guide

Trustwave SEG Cloud Customer Guide Trustwave SEG Cloud Customer Guide Legal Notice Copyright 2017 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Information Design Tool User Guide SAP BusinessObjects Business Intelligence platform 4.0 Support Package 4

Information Design Tool User Guide SAP BusinessObjects Business Intelligence platform 4.0 Support Package 4 Information Design Tool User Guide SAP BusinessObjects Business Intelligence platform 4.0 Support Package 4 Copyright 2012 SAP AG. All rights reserved.sap, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign,

More information

Teamcenter 11.1 Systems Engineering and Requirements Management

Teamcenter 11.1 Systems Engineering and Requirements Management SIEMENS Teamcenter 11.1 Systems Engineering and Requirements Management Systems Architect/ Requirements Management Project Administrator's Manual REQ00002 U REQ00002 U Project Administrator's Manual 3

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

BlackBerry AtHoc Networked Crisis Communication. Localization Guide

BlackBerry AtHoc Networked Crisis Communication. Localization Guide BlackBerry AtHoc Networked Crisis Communication Localization Guide Release 7.5, May 2018 Copyright 2018. BlackBerry Limited. All Rights Reserved. This document may not be copied, disclosed, transferred,

More information

Netsweeper Reporter Manual

Netsweeper Reporter Manual Netsweeper Reporter Manual Version 2.6.25 Reporter Manual 1999-2008 Netsweeper Inc. All rights reserved. Netsweeper Inc. 104 Dawson Road, Guelph, Ontario, N1H 1A7, Canada Phone: +1 519-826-5222 Fax: +1

More information

Check Point FloodGate-1 Guide

Check Point FloodGate-1 Guide Check Point FloodGate-1 Guide NG FP3 For additional technical information about Check Point products, consult Check Point s SecureKnowledge at http://support.checkpoint.com/kb/ Part No.: 700532 September

More information

About the P6 EPPM Importing and Exporting Guide

About the P6 EPPM Importing and Exporting Guide P6 EPPM Importing and Exporting Guide October 2018 Contents About the P6 EPPM Importing and Exporting Guide Scope This guide contains information about import and export formats and the process of importing

More information

Stonesoft Management Center. Release Notes for Version 5.6.1

Stonesoft Management Center. Release Notes for Version 5.6.1 Stonesoft Management Center Release Notes for Version 5.6.1 Updated: January 9, 2014 Table of Contents What s New... 3 Fixes... 3 System Requirements... 6 Basic Management System Hardware Requirements...

More information

Installation & Administration Guide. savvi 5.3 & 5.4

Installation & Administration Guide. savvi 5.3 & 5.4 2014 Installation & Administration Guide savvi 5.3 & 5.4 Contents Contents 1 Installing savvi... 2 1.1 Before Installing... 2 1.1.1 Migration from Vi-System to savvi... 2 1.1.2 Verify Required Hardware

More information

File Reputation Filtering and File Analysis

File Reputation Filtering and File Analysis This chapter contains the following sections: Overview of, page 1 Configuring File Reputation and Analysis Features, page 5 File Reputation and File Analysis Reporting and Tracking, page 14 Taking Action

More information

Lionbridge Connector for Sitecore. User Guide

Lionbridge Connector for Sitecore. User Guide Lionbridge Connector for Sitecore User Guide Version 4.0.5 November 2, 2018 Copyright Copyright 2018 Lionbridge Technologies, Inc. All rights reserved. Lionbridge and the Lionbridge logotype are registered

More information

Firewall. Administration Guide Version R70

Firewall. Administration Guide Version R70 Firewall Administration Guide Version R70 March 5, 2009 2003-2009 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed

More information

IBM. Administration Guide. IBM Emptoris Contract Management SaaS

IBM. Administration Guide. IBM Emptoris Contract Management SaaS IBM Emptoris Contract Management IBM Administration Guide 10.1.2 SaaS IBM Emptoris Contract Management IBM Administration Guide 10.1.2 SaaS ii IBM Emptoris Contract Management: Administration Guide Copyright

More information

Oracle Revenue Management and Billing. File Upload Interface (FUI) - User Guide. Version Revision 1.1

Oracle Revenue Management and Billing. File Upload Interface (FUI) - User Guide. Version Revision 1.1 Oracle Revenue Management and Billing Version 2.6.0.1.0 File Upload Interface (FUI) - User Guide Revision 1.1 E97081-01 May, 2018 Oracle Revenue Management and Billing File Upload Interface (FUI) - User

More information

Interstage Business Process Manager Analytics V12.0 Studio Guide

Interstage Business Process Manager Analytics V12.0 Studio Guide Interstage Business Process Manager Analytics V12.0 Studio Guide Windows/Linux January 2012 Studio Guide Trademarks Trademarks of other companies are used in this documentation only to identify particular

More information