Common Gateway Management

Overview of Managing Gateways

SmartProvisioning can manage SmartLSM Security Gateways, Provisioned Gateways, and CO gateways on UTM-1 Edge devices or Security Gateway devices, on any supported platform and operating system.

Configurations for these different types of gateways sometimes differ. This chapter explains concepts and procedures that are common to all SmartProvisioning managed gateways.

Before you begin, make sure that your administrator user name has Read/Write permissions for Managing Device Settings.

Adding Gateways to SmartProvisioning

Gateways are added to SmartProvisioning through the device configuration. The following is true of all Power-1, UTM-1, and UTM-1 Edge gateways.

  • You add SmartLSM Security Gateways to SmartProvisioning management when you configure the Check Point Security Gateway to enable SmartLSM configuration. After installing the gateway software, execute the command: LSMenabler -r

    Gateways are recognized as CO gateways, and managed by SmartProvisioning, after you create a Star VPN in SmartDashboard and define this gateway as the central gateway.

    If a SmartLSM or CO gateway has SmartProvisioning enabled, it can also be provisioned.

  • Gateways are managed by SmartProvisioning when the Provisioning blade is enabled on the Security Management Server. You can attach a Provisioning Profile to this gateway, and thereby have access to provisioning features — automated installations and configurations — for this gateway and, simultaneously, for the other gateways that reference this profile.

Opening the Gateway Window

The edit window for gateways is different for each type, but is opened in the same way.

To open the Gateway window:

  1. In the tree, click Devices.
  2. Do one of the following:
    • In the Devices work space, double-click the gateway you want to edit.
    • In the Devices work space, right-click the gateway and select Edit Gateway.
    • Click the Edit Gateway toolbar button.

Note - Gateway windows for non-SmartLSM Security Gateways (without a SmartLSM Security Profile) show only the General tab, until you select Enable Provisioning. Then they show all tabs.

Immediate Gateway Actions

At any point while configuring or managing a gateway you can perform a number of immediate actions on the gateway. Some actions are for Provisioned gateways only, some are relevant only for SmartLSM Security Gateways, and some only for SmartLSM Security Gateways on non-Edge devices.

Accessing Actions

This section describes how to use the features available from the Actions menu.

To open the Actions menu, do one of the following:

  • From the main menu, click Actions.
  • Right-click a Provisioning Profile and select Actions.
  • Right-click a gateway and select Actions.
  • In a Gateway window, click Actions.

Remotely Controlling Gateways

You can manage remote gateways using SmartProvisioning. You can start, stop, and restart the Check Point Security Gateway services, and you can reboot devices. This is relevant for all types of SmartProvisioning gateways, except that the software of UTM-1 Edge devices (for SmartLSM and Provisioned gateways) cannot be stopped or started, only restarted in one command.

Remote Actions on Check Point Services and Gateways

| To: | On Gateway of Type | Select Actions > Maintenance |
|---|---|---|
| Stop Check Point services | Security Gateway | Stop Gateway |
| Start Check Point services | Security Gateway | Start Gateway |
| Restart Check Point services | Security Gateway, UTM-1 Edge | Restart Gateway |
| Reboot device | Security Gateway, UTM-1 Edge | Reboot Gateway |

Updating Corporate Office Gateways

It is important that the CO gateway be updated whenever SmartLSM Security Gateways are added, deleted, or modified (such as the generation of a new IKE key, a Push Policy action, or a Push Dynamic Objects action). The CO gateway is the center of the Star VPN, in which SmartLSM Security Gateways are the satellites.

To update a CO gateway:

  1. Click the Update CO Gateway toolbar button.
  2. From the Corporate Office Gateway drop-down list, select the CO gateway that is the center of the SmartLSM Security Gateway's Star VPN.
  3. Click OK.

Deleting Gateway Objects

You can remove a SmartLSM Security Gateway as a SmartProvisioning object. This revokes all certificates of the gateway.

To delete a SmartLSM Security Gateway:

  1. In the work space, select the gateway.
  2. Select Edit > Delete SmartLSM Security Gateway.

Provisioned gateways can be deleted in SmartDashboard.

Editing Gateway Properties

Gateway Comments

You can view the properties that define a gateway in the General tab of the Gateway window. Some of the properties can also be edited.

  • The Name of this gateway cannot be changed after you add it to SmartProvisioning.
  • The Comments field displays comments that were added when the gateway object was created in SmartDashboard. If the gateway is a SmartLSM Security Gateway (either UTM-1 Edge or Security Gateway), you can edit the comments here. If the gateway is a Provisioned gateway or CO gateway, this field is Read-Only.

Changing Assigned Provisioning Profile

SmartProvisioning gateways may be managed with Provisioning Profiles. At any time, you can change the Provisioning Profile that is assigned to a gateway.

To change the assigned Provisioning Profile:

  1. Open the Gateway window and select the General tab.
  2. Make sure the Enable Provisioning check box is selected.
  3. Select Provisioning Profile, and select a profile from the drop-down list.
  4. Click OK.

Configuring Interfaces

You can manage the interfaces of an individual gateway through SmartProvisioning. Interface configuration is not available for Provisioning Profiles, because it must be different for each device.

Note - SmartLSM Security Gateways: If "All IP addresses behind the gateway based on Topology information" is selected in the gateway Topology page, the VPN Domain is based on the Interfaces configured in this procedure.

Changes to the Interface Configuration of a SmartLSM Security Gateway always affect its VPN Domain. This is true even if Provisioning is disabled or the Manage settings locally option is selected.

To add an interface to the gateway's configuration:

  1. Do Actions > Get Actual Settings.

    Note - For IP Appliances:
    The interface configuration for these appliances is complex. To prevent mistakes, you must first do Get Actual Settings, to upload the existing interfaces. IP Appliance interfaces are available for management (add, edit, delete) only after this action is done.
    For other gateways, this step is optional.

  2. In SmartProvisioning, open the Gateway window and select the Interfaces tab.
    • To manage the interfaces locally on the device, preventing changes in SmartProvisioning from affecting the device, select Manage settings locally on the device.
    • To configure interfaces through SmartProvisioning, overriding the local settings, select Use the following settings.

    The controls are different according to machine type: SecurePlatform gateway, IP Appliance, or UTM-1 Edge device.

    If Use the following settings is selected, the Interface controls are available.

  3. Click Add.

    A menu of interface types opens. Select an interface type. This menu is different for SecurePlatform gateways, IP Appliances, and UTM-1 Edge devices. The window that opens is different for each selected interface.

  4. Enter the required data and click OK.

To apply interface configuration changes:

  1. The device is updated with new configurations on a time interval. To immediately apply these settings to the gateway, do Actions > Push Settings and Actions.
  2. To update the CO gateway with the new VPN Domain, do Update Corporate Office.

Executing Commands

You can run executables or shell commands on a managed gateway with Custom Commands.

For example, if you want to check the connection between the SmartProvisioning console and a gateway, you can create a command that pings the selected gateway: Executable = ping; Parameter = <IP>. When you execute this command on a gateway, the terminal window of the console opens and runs the Ping command.

To prepare a custom command:

  1. Select Manage > Custom Commands.
  2. Click Add.

    The Add New Custom Command Window opens.

  3. Provide a name for your command.
  4. Provide the command or pathname of the executable.
  5. If parameters are needed, provide them here.
  6. If the parameters include the local IP address or host name, click Variables and select Object IP Address or Object Name.
  7. Click OK.

    The new custom command is added to the Custom Commands list.

  8. Select the commands that you want to be used.

To execute a prepared custom command:

  1. Right-click a gateway in a Devices work space.

    Custom Commands is added to the standard right-click menu.

  2. Select Custom Commands and then the command that you want to execute.

Converting Gateways to SmartLSM Security Gateways

You can convert a Security Gateway or UTM-1 Edge gateway managed with SmartDashboard to a SmartLSM Security Gateway managed with SmartProvisioning. There is no need to delete existing objects, or to create new ones, because the Check Point Suite handles object management automatically during the conversion. It also preserves relevant SIC certificates.

For example, when you acquire the SmartProvisioning license, you can convert relevant Check Point gateways to SmartLSM Security Gateways, without having to re-configure the gateway objects.

To convert to a SmartLSM Security Gateway:

  1. In SmartDashboard, create the SmartProvisioning SmartLSM Security Profile to be associated with the new SmartLSM Security Gateway.
  2. Install the relevant Security Policy on the SmartProvisioning SmartLSM Security Profile.
  3. In the SmartProvisioning CLI, execute one of the following commands (see Converting Gateways for details and more options).
    • Security Gateway: LSMcli <server> <user> <pswd> Convert Gateway VPN1 <Name> <Profile>
    • UTM-1 Edge: LSMcli <server> <user> <pswd> Convert Gateway VPN1Edge <Name> <Profile>
  4. In SmartProvisioning, select Actions > Push Policy on the SmartLSM Security Gateway.
  5. Update the CO gateway.
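
The step 3 command applied to several gateways at once, as an added example that is not Check Point code: it validates an inventory, prints the planned LSMcli commands as a dry run, and prompts for the password instead of storing it in a script. The inventory format ("type name profile" per line), the function names and the object-name rule are assumptions; only the LSMcli syntax comes from this page.

```sh
#!/bin/sh
# Added example (not Check Point code). The inventory format, function names
# and the name rule are assumptions; the LSMcli syntax is the one in step 3.

# Map an inventory device type to the LSMcli keyword used on this page.
lsm_type() {
  case "$1" in
    gateway) echo VPN1 ;;
    edge)    echo VPN1Edge ;;
    *)       return 1 ;;
  esac
}

# Assumed rule: letters, digits, "_", "." and "-" only, no leading "-", so an
# inventory value cannot be read as an option or carry shell metacharacters.
valid_name() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
}

# stdin: "type name profile" lines; stdout: validated "keyword name profile".
validated_entries() {
  while read -r type name profile; do
    case "$type" in ''|'#'*) continue ;; esac
    if ! kw=$(lsm_type "$type"); then
      echo "skip: unknown type '$type'" >&2; continue
    fi
    if ! valid_name "$name" || ! valid_name "$profile"; then
      echo "skip: invalid name in '$type $name $profile'" >&2; continue
    fi
    echo "$kw $name $profile"
  done
}

# Dry run (args: server user; inventory on stdin). Password stays a placeholder.
plan_conversions() {
  validated_entries | while read -r kw name profile; do
    echo "LSMcli $1 $2 <pswd> Convert Gateway $kw $name $profile"
  done
}

# Real run (args: server user inventory_file). Runs in a subshell so the
# password, read without echo, does not persist in the calling shell.
run_conversions() (
  printf 'Password for %s: ' "$2" >&2
  stty -echo; IFS= read -r pswd; stty echo; echo >&2
  validated_entries < "$3" | while read -r kw name profile; do
    LSMcli "$1" "$2" "$pswd" Convert Gateway "$kw" "$name" "$profile" </dev/null ||
      echo "failed: $name" >&2
  done
)
```

Because the LSMcli syntax on this page takes the password as an argument, it is visible in the process list of the host while each command runs, so run the conversion from a management host with restricted logins.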
 
©2013 Check Point Software Technologies Ltd. All rights reserved.