SmartLSM Security Gateways

Creating Security Gateway SmartLSM Security Profiles

A SmartLSM Security Gateway must have a SmartLSM Security Profile, which fetches a Check Point Security Policy from the Security Management Server or Domain Management Server. This Security Policy determines the settings of the firewall.

Before you can add a SmartLSM Security Gateway to SmartProvisioning, the SmartLSM Security Profiles and the Security Policies that they reference must exist in SmartDashboard.

This procedure describes how to create a SmartLSM Security Profile for Security Gateways or UTM-1 Edge Gateways. After you complete this, you can add the gateway objects to SmartProvisioning.

To create a Security Gateway SmartLSM Security Profile:

  1. Open SmartDashboard and log in.
  2. Open the Security Policy that you want to be enforced on the SmartLSM Security Gateways.
  3. Right-click the Network Objects tab and select New > SmartLSM Profile > Security Gateway.

    The SmartLSM Security Profile window opens.

  4. Define the SmartLSM Security Profile using the views of this window.

    To open the online help for each view of this window, click Help.

  5. Click OK and then install the policy.

Note - To activate SmartProvisioning functionality, a security policy must be installed on the gateway. Until the policy is installed, the new SmartProvisioning profile is not available.

Adding SmartLSM Security Gateways

This procedure describes how to add a SmartLSM Security Gateway to SmartProvisioning management.

Before you begin, you must have at least one SmartProvisioning SmartLSM Security Profile for Security Gateways. See Creating Security Gateway SmartLSM Security Profiles for details.

To add a SmartLSM Security Gateway to SmartProvisioning management:

  1. In the tree, click Devices.
  2. Select File > New > SmartLSM Security Gateway.

    A wizard opens, taking you through the steps to define the SmartLSM Security Gateway.

  3. Provide a name for the SmartLSM Security Gateway and optional comments, and click Next.

    This name is for SmartProvisioning management purposes. It does not have to be the name of the gateway device; the name should be selected to ease management and recognition for users.

  4. In the More Information page, define the SmartLSM Security Gateway by its properties as follows:
    • SmartLSM Security Gateway: Select the version that is installed on the gateway.
    • Security Profile: Select a SmartLSM Security Profile object created in SmartDashboard.
    • OS: Select the Operating System of the gateway.
    • Enable Provisioning: Select to enable the assignment of Provisioning Profiles to this gateway. Clear this option only if you are sure that this gateway should be managed in a unique way, that is, if you are sure that Provisioning Profiles would not be useful in the management of this gateway, or might be harmful to its operations.
    • No Provisioning Profile: Select to enable provisioning for this gateway, while leaving the actual assignment of Provisioning Profile for later.
    • Provisioning Profile: Select a Provisioning Profile to assign to this gateway. This option is available only if Enable Provisioning is selected.

    Note - If the Provisioning options are not available, check that you have created Provisioning Profiles in SmartProvisioning. You can add the gateway and create the profiles later.
    The Provisioning options are enabled when you have a Provisioning Profile of the appropriate operating system.

  5. Click Next.
  6. In the SmartLSM Security Gateway Communication Properties page, define an Activation Key.

    An activation key sets up a Secure Internal Communication (SIC) Trust between the SmartLSM Security Gateway and the Security Management Server or Domain Management Server. This is the same activation key that you provide in the SIC tab of the Check Point Configuration Tool (cpconfig) on the SmartLSM Security Gateway.

    Provide an activation key by doing one of the following:

    • Select Generate Activation Key automatically and click Generate. The Generated Activation Key window opens, displaying the key in clear text. Make note of the key (to enter it on the SmartLSM Security Gateway for SIC initialization) and then click Accept.
    • Select Activation Key and provide an eight-character string to be the key. Enter it again in the Confirm Activation Key field.
  7. If you know the IP address of this SmartLSM Security Gateway, select This machine currently uses this IP address and then provide the IP address in the field. If you can complete this step, the SIC certificate is pushed to the SmartLSM Security Gateway.

    If you do not know the IP address, you can select I do not know the current IP address. SmartProvisioning will pull the SIC certificate from the Security Management Server or Domain Management Server after you finish this wizard. See Complete the Initialization Process.

  8. Click Next.

    The VPN Properties page opens.

  9. If you want a CA certificate from the Internal Check Point CA, select the I wish to create a VPN Certificate from the Internal CA check box.

    If you want a CA certificate from a third party (for example, if your organization already has certificates from an external CA for other devices), clear this check box and request the certificate from the appropriate CA server after you have completed this wizard.

  10. Click Next.
  11. If you want to continue configuring the gateway, select the Edit SmartLSM Security Gateway properties after creation check box.
  12. Click Finish.

Handling SmartLSM Security Gateway Messages

This section explains how to handle messages that may appear after you finish the wizard to add a Security Gateway or UTM SmartLSM Security Gateway, during the SmartProvisioning processing of the gateway object.

Opening Check Point Configuration Tool

The following sections may suggest that you open the Check Point Configuration tool to handle an issue.

To open the Check Point Configuration tool:

  • On a SecurePlatform, Linux, or Solaris gateway, run sysconfig to access a complete list of cpconfig options.
  • On a Windows-based gateway, click Start > Programs > Check Point > Check Point Configuration Tool.

Activation Key is Missing

If you did not generate or select an Activation Key for SIC setup during the wizard, a message appears:

'Activation Key' for the Gateway SIC setup is missing.
Do you want to continue?

Click Yes to define the gateway now and handle the SIC setup later; or click No and then Back to return to the Communication Properties page.

To handle the SIC setup after the gateway is added:

  1. Select the gateway in the work space and then select Edit > Edit Gateway.
  2. In the General tab, click Communication.

    The Communication window opens, providing the same fields as the Communication Properties page of the wizard.

  3. Generate or provide an Activation Key.
  4. Click Close to close the Communication window and then OK to close the Edit window.
  5. Open the Check Point Configuration tool on the SmartLSM Security Gateway and click Reset SIC.

Operation Timed Out

During the process of adding a new SmartLSM Security Gateway, SmartProvisioning connects between the Security Management Server/Domain Management Server and the SmartLSM Security Gateway, to match and initialize SIC and VPN certificates.

If a message appears indicating Operation Timed Out, the most common cause is that SmartProvisioning could not reach the Security Management Server/Domain Management Server or the SmartLSM Security Gateway. The gateway is still added to SmartProvisioning, but you should check the certificates status.

To view trust status:

  1. Double-click the gateway in the work space.

    The SmartLSM Security Gateway window opens.

  2. In the General tab, click Communication.
  3. Check the value of Trust status. If the value is not Initialized, pull the SIC certificate from the Security Management Server or Domain Management Server.

Complete the Initialization Process

If you generated an Activation Key or provided an Activation Key file, but were not able to provide the IP address of the SmartLSM Security Gateway, a message appears:

To complete the initialization process, use the Check Point Configuration tool on the SmartLSM Security Gateway, to pull the certificate from the Security Management Server.

Note - If you are using Multi-Domain Security Management, this message says Domain Management Server, in place of Security Management Server.

To complete the initialization process:

  1. Click OK.
  2. Open the Check Point Configuration tool (cpconfig).
  3. According to the specific SIC or Communication options, reset and initialize the SIC with the Activation Key of the Security Management Server or Domain Management Server.
  4. Restart Check Point services on the SmartLSM Security Gateway.
 
©2013 Check Point Software Technologies Ltd. All rights reserved.