Enabling SmartProvisioning
Managing SmartProvisioning Components
SmartProvisioning is an integral part of the Security Management Server or the Domain Management Server.
To use SmartProvisioning on the Security Management Server or the Domain Management Server, you must obtain and add a SmartProvisioning license to the Security Management Server or Domain Management Server.
Enabling of SmartProvisioning includes configuration of:
- SmartLSM Security Gateways
- Corporate Office Gateways
- Provisioned Gateways
- SmartProvisioning GUI
Activating SmartProvisioning
SmartProvisioning is an integral part of the Security Management Server or Domain Management Server.
To enable SmartProvisioning on the Security Management Server:
- Obtain a SmartProvisioning license. This license is required to activate SmartProvisioning functionality.
- Add the license to the Security Management Server or Domain Management Server, with cpconfig or SmartUpdate.
You can also use the cplic command to add the license.
- For Domain Management Server, enable SmartProvisioning and run the command:
LSMenabler on
This message is displayed: Check Point services should be restarted. Restart now (y/n) [y] ?
- Enter to restart the Check Point services.
To verify that SmartProvisioning is enabled:
- Connect to the Security Management Server or to the Domain Management Server using SmartDashboard.
- Edit the Security Management object.
- In the General Properties page of the Security Management object, in the Software Blades section, Management tab, ensure Provisioning is selected. It is selected if the license for SmartProvisioning is installed.
Preparing SecurePlatform Gateways
Preparing SecurePlatform SmartLSM Security Gateways
SmartLSM Security Gateway is a Check Point gateway that has an assigned SmartLSM Security Profile. SmartLSM Security Gateways may, or may not, be enabled for provisioning.
To prepare a SmartLSM Security Gateway:
- Make sure that Check Point Security Gateway R60 or higher is installed.
- Execute these CLI commands:
LSMenabler -r on
cpstop
cpstart
- Open the Check Point Configuration Tool (cpconfig) on the gateway to the page and define an interface.
- Decide whether you want this gateway to be provisioned or not. If this gateway should support provisioning, install SmartProvisioning with the SmartProvisioning Wizard (see SmartProvisioning Wizard - Getting Started).
After completing installation of SmartProvisioning on gateways and the Security Management Server or Domain Management Server, open SmartDashboard and create a Security Policy and SmartLSM Security Profile required by SmartLSM Security Gateways.
To prepare the SmartLSM Security Gateway required objects:
- In SmartDashboard select , create a Security Policy and save it.
- In the tree, right-click and select or .
- In the window, configure the SmartLSM Security Profile, and then click .
- Install the Security Policy on the SmartLSM Security Profile: Select. In the window, select the SmartLSM Security Profile object as an .
- Click .
Repeat for each SmartLSM Security Profile that you want. If you want to manage gateways of different types (UTM-1 Edge or Security Gateway), you will need a SmartLSM Security Profile for each type.
- Close SmartDashboard.
- Open SmartProvisioning and add the SmartLSM SecurePlatform gateways. See SmartLSM Security Gateways - Getting Started.
Preparing CO Gateways
A Corporate Office (CO) gateway represents the center of a Star VPN, in which the satellites are SmartLSM Security Gateways. The CO gateway may, or may not, be enabled for provisioning.
To prepare a CO gateway:
- On the Check Point Security Gateway, execute the command:
LSMenabler on
- Open SmartDashboard and do the following:
- In the VPN tab, right-click and select New Community > Star.
- In the Star Community Properties window, select Center Gateways and add the CO gateway.
- In Satellite Gateways, add SmartLSM Security Profiles as required.
- Close SmartDashboard.
- In SmartProvisioning, right-click the CO gateway and select Update selected CO Gateway.
Preparing SecurePlatform Gateways
To prepare a SecurePlatform gateway for provisioning:
- Ensure that R65 HFA 40 or later is installed.
If the R65 gateways are not ready to be provisioned, you must manually add the HFA 40 (or later) package for SecurePlatform to the SmartUpdate repository on the Security Management Server or Domain Management Server.
- Install SmartProvisioning using the SmartProvisioning Wizard.
Preparing UTM-1 Edge Gateways
A UTM-1 Edge gateway is a Check Point device. It may be a SmartLSM Security Gateway, with an assigned SmartLSM Security Profile, or it may be enabled for Provisioning, or both. Each UTM-1 Edge device is configured with Safe@ or Edge Firmware. Consult with Technical Support for the firmware version needed to support SmartProvisioning.
Configure SmartProvisioning to recognize the firmware of a UTM-1 Edge gateway.
To configure firmware:
- In a Devices work space, right-click a UTM-1 Edge gateway and select Edit Gateway.
- In the UTM-1 Edge [SmartLSM] Gateway window, select the Firmware tab.
- Select the option that describes this UTM-1 Edge SmartLSM Security Gateway.
- Use default: Firmware defined as Default in SmartUpdate.
- Use SmartLSM Security Gateway's installed firmware: Firmware currently installed on a UTM-1 Edge SmartLSM Security Gateway.
- Use the following firmware: Firmware to be uploaded (with SmartUpdate) to the UTM-1 Edge gateway.
Installing SmartProvisioning SmartConsole
After you enable SmartProvisioning on the Security Management Server or Multi-Domain Server, the SmartProvisioning SmartConsole is provided automatically.
- From the Start menu, select Programs > Check Point SmartConsole > SmartProvisioning.
- When logging in, provide the IP address of the SmartProvisioning Security Management Server or the Domain Management Server.