Introduction to SmartProvisioning

Check Point SmartProvisioning SmartConsole

Check Point SmartProvisioning enables you to manage many gateways from a single Security Management Server or Multi-Domain Security Management Domain Management Server, with features to define, manage, and provision (remotely configure) large-scale deployments of Check Point gateways.

The SmartProvisioning management concept is based on profiles: a definitive set of gateway properties and, when relevant, a Check Point Security Policy. Each profile may be assigned to multiple gateways, so most gateway properties are defined per Profile object instead of per physical gateway, which reduces administrative overhead.

Note - SmartProvisioning is not available for members of a SmartLSM cluster, even if the member gateway runs the SecurePlatform OS.

Supported Features

SmartProvisioning provides the following features:

  • Central management of security policies, gateway provisioning, remote gateway boot, and Dynamic Object value configurations
  • Automatic Profile Fetch for large deployment management and provisioning
  • All Firewall features supported by DAIP gateways, including DAIP and static IP address gateways
  • Easy creation and maintenance of VPN tunnels between SmartLSM Security Gateways and CO gateways, including generation of IKE certificates for VPN, from third-party CA Servers or Check Point CA
  • Automatic calculation of anti-spoofing information for SmartLSM Security Gateways
  • Tracking logs for gateways based on unique, static IDs; with local logging for reduced logging load
  • High level and in-depth status monitoring
  • Complete management of licenses and packages, Client Authentication, Session Authentication and User Authentication
  • Command Line Interface to manage SmartLSM Security Gateways
  • Support for Security Gateway 80 devices

SmartProvisioning Objects

SmartProvisioning manages SmartLSM Security Gateways and enables provisioning management for Check Point gateways.

Gateways

SmartProvisioning manages and provisions different types of gateways.

  • SmartLSM Security Gateways: Remote gateways provide firewall security to local networks, while the security policies are managed from a central Security Management Server or Domain Management Server. By defining remote gateways through SmartLSM Security Profiles, a single system administrator or smaller team can manage the security of all your networks.
  • CO Gateways: Standard Security Gateways that act as central Corporate Office headquarters for the SmartLSM Security Gateways. The CO gateway is the hub of a Star VPN, where the satellites are SmartLSM Security Gateways. The CO gateway has a static IP address, ensuring continued communications with SmartLSM Security Gateways that have dynamic IP addresses.
  • Provisioned Gateways: SmartProvisioning can provision the Operating System and network settings of gateways, such as DNS, interface routing, providing more efficient management of large deployment sites.

Profiles

SmartProvisioning uses different types of profiles to manage and provision the gateways.

  • SmartLSM Security Profiles: A SmartLSM Security Profile defines a Check Point Security Policy and other security-based settings for a type of SmartLSM Security Gateway. Each SmartLSM Security Profile can hold the configuration of any number of actual SmartLSM Security Gateways. SmartLSM Security Gateways must have a SmartLSM Security Profile; however, these profiles are not relevant for CO gateways or Provisioned gateways. SmartLSM Security Profiles are defined and managed through Check Point SmartDashboard.
  • Provisioning Profiles: A Provisioning Profile defines specific settings for networking, device management, and the operating system. CO gateways, SmartLSM Security Gateways, and regular gateways may have Provisioning Profiles, if they are UTM-1, Power-1, SecurePlatform, IPSO 6.2-Based IP appliances, or UTM-1 Edge devices. Provisioning Profiles are defined and managed in SmartProvisioning. The options and features that you can define for Provisioning Profiles differ according to device platform.

Profile Fetching

All gateways managed by SmartProvisioning fetch their assigned profiles from the Security Management Server or Domain Management Server. You define the SmartLSM Security Profiles on SmartDashboard, preparing the security policies on the Security Management Server or Domain Management Server. You define Provisioning Profiles on SmartProvisioning, preparing the gateway settings on the SmartProvisioning database. Neither definition procedure pushes the profile to any specific gateway.

Managed gateways fetch their profiles periodically. Each gateway randomly chooses a time slot within the fetch interval.

When a fetched profile differs from the previous profile, the gateway is updated with the changes. Updated Security Management Server/Domain Management Server security policies are automatically installed on SmartLSM Security Gateways, and gateways with Provisioning Profiles are updated with management changes.

In addition to the profile settings, the specific properties of the gateway are used to localize the profile changes for each gateway. Thus, one profile is able to update potentially hundreds and thousands of gateways, each acquiring the new common properties, while maintaining its own local settings.
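The pull model described above can be sketched as a small simulation. This is an added conceptual example, not Check Point code: the class, function names, interval length, and profile fields are all hypothetical, and the merge rule (local properties layered over the common profile) is a simplification.

```python
import hashlib
import json
import random

FETCH_INTERVAL = 3600  # seconds; constructed value, the page does not state one

def digest(profile):
    """Stable hash of a profile so a gateway can tell whether it changed."""
    return hashlib.sha256(json.dumps(profile, sort_keys=True).encode()).hexdigest()

class Gateway:  # hypothetical model of a managed gateway
    def __init__(self, name, local_props, rng):
        self.name = name
        self.local_props = local_props              # gateway-specific settings
        self.slot = rng.randrange(FETCH_INTERVAL)   # random time slot in the interval
        self.last_digest = None
        self.effective = {}

    def fetch(self, profile):
        """Pull the assigned profile; apply it only if it differs from the last one."""
        d = digest(profile)
        if d == self.last_digest:
            return False
        # Common settings come from the profile; local properties localize them.
        self.effective = {**profile, **self.local_props}
        self.last_digest = d
        return True

def run_interval(gateways, profile):
    """One fetch interval: gateways fetch in slot order, not all at once."""
    return [g.name for g in sorted(gateways, key=lambda g: g.slot) if g.fetch(profile)]

def demo():
    rng = random.Random(7)  # fixed seed so the run is repeatable
    gws = [Gateway(f"branch-{i}", {"hostname": f"branch-{i}"}, rng) for i in range(200)]
    profile = {"policy": "Standard-v1", "dns": "192.0.2.53"}  # constructed sample
    first = run_interval(gws, profile)    # every gateway picks up the profile
    second = run_interval(gws, profile)   # unchanged profile: nothing is applied
    profile["policy"] = "Standard-v2"     # one central edit, nothing is pushed
    third = run_interval(gws, profile)    # converges within one interval
    # Largest number of gateways that land in the same one-minute window.
    busiest = max(sum(1 for g in gws if g.slot // 60 == m) for m in range(60))
    return len(first), len(second), len(third), gws[0].effective, busiest

if __name__ == "__main__":
    print(demo())
```

Because nothing is pushed, a profile change reaches the last gateway only when its slot comes around, so the worst-case rollout delay in this model is one full fetch interval.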

VPNs and SmartLSM Security Gateways

This section explains how your SmartLSM Security Gateways in a virtual private network (VPN) secure communications within your organization.

SmartProvisioning supports the inclusion of SmartLSM Security Profile objects as members in Star VPN Communities (as satellites), and in Remote Access communities (as centers). When a Star VPN Community contains a SmartProvisioning SmartLSM Security Profile object as a satellite, the settings apply both to the Corporate Office (CO) gateway and to the SmartLSM Security Gateways.

A VPN tunnel can be established from a SmartLSM Security Gateway to a regular, static IP address CO gateway (similar to the way that DAIP gateways establish VPN tunnels to static IP gateways). A CO gateway recognizes and authenticates an incoming VPN tunnel as a tunnel from a SmartLSM Security Gateway, using the IKE Certificate of the SmartLSM Security Gateway. The CO gateway treats the peer SmartLSM Security Gateway as if it were a regular DAIP gateway, whose properties are defined by the SmartLSM Security Profile to which the SmartLSM Security Gateway is mapped. A CO gateway can also initiate a VPN tunnel to a SmartLSM Security Gateway.

You can establish VPN tunneling for SmartLSM-to-SmartLSM, or SmartLSM-to-other gateway configurations, through the CO gateway.

 
Top of Page ©2013 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print