
SmartProvisioning

In This Section:

Creating a Gateway

Creating a SmartLSM Appliance Cluster

Defining SmartLSM Gateways Using LSM CLI

Managing Device Settings

You can create a Security Gateway or cluster object out of SmartLSM profiles in SmartProvisioning.

You can also manage device settings such as Hotspot, RADIUS, and Internet options.

Creating a Gateway

Make sure you define a SmartLSM gateway profile in SmartDashboard before you create a gateway in SmartProvisioning.

To create a new gateway:

  1. Open SmartProvisioning.
  2. In the Devices page, right-click an empty row in the table and select New SmartLSM > Small Office Appliance Gateway.

    The SmartLSM Security Gateway General Properties page opens.

General Properties

  1. Enter a Name for the SmartLSM Security Gateway. It cannot contain spaces or non-alphanumeric characters.
  2. Enter an optional Comment that identifies the SmartLSM Security Gateway.
  3. Click Next.

More Information

  1. In SmartLSM gateway, select the firmware version of the installed Check Point Appliance.
  2. In Security Profile, select the relevant SmartLSM gateway profile that the SmartLSM Security Gateway is mapped to.
  3. In OS, select the operating system of the gateway. Make sure the selection fits the hardware type.
  4. In Enable Provisioning, select this checkbox to enable this gateway to be managed with provisioning configurations. For more information, see Managing Device Settings.
  5. In No Provisioning Profile, select this option if you want to enable provisioning but are not yet ready to assign a specific profile.
  6. In Provisioning Profile, select the provisioning profile to assign to this gateway, from the list of profiles created in SmartProvisioning.
  7. Click Next.

Communication Properties

In the Communication Properties page, you define an Activation Key that is used to set up Secure Internal Communication (SIC) Trust between the SmartLSM Security Gateway and the Security Management Server. This is the same key that you should enter in the one-time password field of the Security Management Server Authentication page of the Check Point Appliance First Time Configuration Wizard.

To generate a key automatically:

  1. Select Generate Activation Key automatically.
  2. Click Generate.

    The Generated Activation Key window opens.

  3. Click Accept.

    The two Activation Key fields show the new key in hidden text. You cannot view it in clear text again. If you click Cancel, the generated key is discarded.

To manually define an activation key:

  1. Select Activation Key.
  2. Enter your own key, a string of any length.
  3. In Confirm Activation Key, enter the key again. You cannot copy the text from the first field.

To clear the key, click Clear.

To initialize certification:

The SIC certificate must be shared between the Security Management Server and the SmartLSM Security Gateway. With this SmartLSM wizard, you create the key on the Security Management Server (the SIC certificate and the IKE certificate for the selected gateway are created when you finish this wizard). The certificate is pulled by the gateway when it first connects to the Security Management Server after it is configured with the Check Point Appliance First Time Configuration Wizard.

  1. If you know the IP address of the SmartLSM Security Gateway, select This machine currently uses this IP address, and enter the IP address.
  2. If you do not know the IP address of the SmartLSM Security Gateway, select I do not know the current IP address.
  3. Click Next.

VPN Properties

  1. Select how to create a VPN certificate:
    • For a CA certificate from the Internal Check Point CA, select I wish to create a VPN Certificate from the Internal CA.
    • For a CA certificate from a third party (for example, if your organization already has certificates from an external CA for other devices), clear this checkbox and request the certificate from the appropriate CA server.
  2. Click Next.

Finish

  1. Select Edit SmartLSM gateway properties after creation to work with the newly created object.
  2. Click Finish to complete the SmartLSM Security Gateway creation.

After the SmartLSM Security Gateway object is created:

To update the Corporate Office Gateway:

  1. Select Update Corporate Office Gateway from the toolbar.
  2. Select the Corporate Office Gateway from the list.

    It is important to update the Corporate Office Gateway whenever SmartLSM Security Gateways are added, deleted, or modified (such as the generation of a new IKE key, a Push Policy action, or a Push Dynamic Objects action).

Creating a SmartLSM Appliance Cluster

Make sure you have a SmartLSM cluster profile defined in SmartDashboard before you create a Small Office Appliance cluster in SmartProvisioning.

To create a new SmartLSM Security Cluster:

  1. Open SmartProvisioning.
  2. In the Devices page, right-click an empty row in the table and select New SmartLSM > Small Office Appliance Cluster.

    The SmartLSM Security Gateway General Properties page opens.

General Properties

  1. Enter a unique Cluster Name Prefix (Suffix is optional).

    The SmartLSM Security Cluster name is:
    <prefix>cluster<suffix>.

  2. In Cluster Main IP Address, enter the real external virtual IP address for your actual gateway cluster.
  3. Click Next.

Cluster Properties

  1. In Version, select the firmware version for the Check Point Appliance.
  2. In Security Profile, select the SmartLSM Cluster Profile that was created in SmartDashboard (in the example ClusterProfile1).
  3. In Enable Provisioning, select this checkbox to enable this gateway to be managed with provisioning configurations. For more information, see Managing Device Settings.
  4. In No Provisioning Profile, select this option if you want to enable provisioning but are not yet ready to assign a specific profile.
  5. In Provisioning Profile, select the provisioning profile to assign to this gateway, from the list of profiles created in SmartProvisioning.
  6. Click Next.

Cluster Names

The cluster members' names are shown with the configured prefix.

Click Next.

More Information

  1. Click Edit to override the settings of the template topology on each of the interfaces. For example, select WAN and click Edit.

    The interface window opens.

  2. In IP Address Override, enter the actual network IP address to override the template Network address.
  3. Click OK and do the above steps again for all the interfaces.
  4. Click Next.

Communication Properties

  1. Select a member and click Initialize. Enter the trusted communication (SIC) details and click OK.
  2. Do this step again for the second member.
  3. Click Next.

VPN Properties

  1. Select how to create a VPN certificate:
    • For a CA certificate from the Internal Check Point CA, select I wish to create a VPN Certificate from the Internal CA.
    • For a CA certificate from a third party (for example, if your organization already has certificates from an external CA for other devices), clear this checkbox and request the certificate from the appropriate CA server.
  2. Click Next.

Finish

  1. Click Finish. After the wizard finishes, wait until the SIC initialization completes. It can take a few minutes. When it completes, you see the cluster object and its two members.

    When you double-click the cluster object you can see that the topology is configured with the actual addresses.

  2. On each Check Point Appliance, open the WebUI Home > Security Management page and click Fetch Policy to manually pull the policy immediately. Alternatively, the appliance connects to the Security Management Server at predefined periodic intervals to pull the policy.

Defining SmartLSM Gateways Using LSM CLI

This is a sample SmartLSM CLI script that you can use to create a new gateway object and associate it with a SmartLSM profile. Optionally, you can also set a SIC password and initiate a SIC connection.

LSMcli <server> <user> <password> AddROBO CPSG80 <RoboName> <Profile> 
[-O=<ActivationKey> [-I=<IP>]]

Parameter - Description

<server> - The Security Management Server on which to create the gateway object
<user> - The username of the Security Management Server administrator
<password> - The password of the Security Management Server administrator
<RoboName> - The name for the new gateway object
<Profile> - The name of the SmartLSM profile to associate with the gateway
<ActivationKey> - The SIC password
<IP> - The IP to use to initiate a SIC connection
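The following wrapper is an added example, not code from the Check Point guide: it builds the AddROBO CPSG80 command above for a batch of gateways read from an inventory, applies the wizard's rule that a gateway name contains only alphanumeric characters, and only emits -I together with -O, as the syntax requires. It assumes LSMcli is on PATH on the Security Management Server and that the administrator password is supplied in the LSM_ADMIN_PASSWORD environment variable (both assumptions); setting LSMCLI=echo previews the commands without running them.

```shell
#!/bin/sh
# Added example (not Check Point's own code): create Small Office Appliance
# gateways in bulk with "LSMcli <server> <user> <password> AddROBO CPSG80 ...".
# Assumptions: LSMcli is on PATH; the admin password is in LSM_ADMIN_PASSWORD.

LSM_SERVER="${LSM_SERVER:-mgmt.example.com}"   # placeholder management server
LSM_USER="${LSM_USER:-lsmadmin}"               # placeholder administrator name
LSMCLI="${LSMCLI:-LSMcli}"                     # set to "echo" for a dry run

# Constructed sample inventory, one gateway per line: name,profile,activation_key,ip
# (key and IP are optional; the IP is only used when a key is present).
INVENTORY='branch01,SmallOfficeProfile,Ak-9f3e1c,192.0.2.10
branch02,SmallOfficeProfile,Ak-7b2d04,
branch03,SmallOfficeProfile,,
bad name,SmallOfficeProfile,,'

# Same rule as the wizard: no spaces or non-alphanumeric characters in a name.
valid_robo_name() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the optional tail [-O=<ActivationKey> [-I=<IP>]]: nothing without a key,
# and -I only together with -O.
sic_options() {   # $1 = activation key, $2 = IP
    [ -n "$1" ] || return 0
    printf '%s=%s' -O "$1"
    [ -n "$2" ] && printf ' %s=%s' -I "$2"
    return 0
}

# Read the inventory on stdin and create each gateway; invalid names are skipped
# and reported, and the exit status is 1 if any row was skipped.
add_robo_gateways() {
    rc=0
    while IFS=, read -r name profile key ip; do
        [ -n "$name" ] || continue
        if ! valid_robo_name "$name"; then
            echo "skip: invalid gateway name '$name'" >&2
            rc=1
            continue
        fi
        # The option tail is deliberately unquoted so it splits into -O and -I words.
        "$LSMCLI" "$LSM_SERVER" "$LSM_USER" "$LSM_ADMIN_PASSWORD" AddROBO CPSG80 \
            "$name" "$profile" $(sic_options "$key" "$ip")
    done
    return $rc
}

# Dry run: printf '%s\n' "$INVENTORY" | LSMCLI=echo sh -c '. ./this_script; add_robo_gateways'
```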

Managing Device Settings

You can manage device settings directly on individual gateways or you can use a SmartProvisioning Profile to manage multiple gateways. For more information about provisioning profiles and creating them, see the SmartProvisioning Administration Guide.

These device settings are unique to the Check Point Appliance. They can be defined directly on the device or through the profile. Their tabs are:

Configuring Firmware

This section explains how to configure firmware installation settings for the provisioning profile for the Check Point Appliance. When you configure firmware settings on a Provisioning Profile, you give the configuration for all appliances that reference this profile.

Firmware configuration lets you replace the firmware on the Security Gateway. The Security Gateway version must match its SmartLSM profile's version as defined in SmartDashboard for correct policy behavior. As a result, after firmware upgrade, the SmartLSM profile is replaced with the default SmartLSM security profile.

In some instances, it may be necessary to define exceptions for the default SmartLSM security profile. For example, if you do not want all gateways to use the specified default SmartLSM profile after installation, you can customize different security profiles to replace known security profiles.

Let’s say you have a scenario with these details:

In this scenario, you add an exception that replaces the "GroupA_LSM" profile with the "GroupA_NewLSM" profile.

You can install the firmware with one of these options:

To configure firmware installation settings on a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the Firmware tab.
  2. Select Manage firmware centrally from this application.
  3. Click Advanced.

    The Profile Settings window is displayed.

  4. Select an override profile setting:
    • Allowed
    • Denied
    • Mandatory

    For more information about override profile settings, see Configuring Profile Settings.

  5. In Firmware image, click Select to select a firmware image that was uploaded through SmartUpdate.
  6. In Default SmartLSM Profile after installation, select the new SmartLSM profile of the Security Gateway (the Security Gateway version must match its SmartLSM profile's version as defined in SmartDashboard for correct policy behavior). The Security Gateway replaces its SmartLSM profile after successful firmware installation and only if the new firmware version is different from the version you have now.
  7. If necessary, click Exceptions to select a new SmartLSM profile for Security Gateways with a specified SmartLSM profile.
    • Add/Edit - Click Add or Edit to open the Exceptions window to define or change an exception for a SmartLSM profile replacement. SmartLSM profiles are not shown unless they are from a version higher than R71.
      • Current SmartLSM Profile - Select a SmartLSM profile from the list. A SmartLSM profile is shown only if the version is not R71 and not the selected firmware version. Make sure you installed a policy for the SmartLSM profile in SmartDashboard.
      • SmartLSM Profile after installation - Select a SmartLSM profile that replaces the SmartLSM profile after the firmware image installation. A SmartLSM profile is shown only if the version is the same as the selected firmware version. Make sure you installed a policy for the SmartLSM profile in SmartDashboard.
    • Remove - Click to remove a SmartLSM profile exception setting.
  8. Select an option to install the firmware:
    1. Immediately - Downloads the firmware immediately but installs it in the next synchronization with a Security Gateway that references this profile.
    2. According to these time ranges - Select to use the Security Gateway time or local time.
      • Add/Edit - Click Add or Edit to open the Time Range window to define/change the weekdays and times for downloading and installing the firmware image. Select the days and times and click OK.
      • Remove - Select a range from the list and click Remove to delete a time range.
      • Download image immediately - Click this option to download the firmware image immediately but install the image during one of the set time ranges.
  9. Click Show profile settings - To see the settings of the Provisioning Profile that this gateway references.
  10. Click OK.

Configuring RADIUS

You can configure the RADIUS server (Remote Authentication Dial In User Service) that provides authentication, authorization, and accounting for the Check Point Appliance gateways. When you configure RADIUS in the Provisioning Profile, you can configure it for all gateways that reference this profile. The RADIUS server must already be defined as a SmartDashboard object.

You can configure your appliance to contact more than one RADIUS server. If the first server in the list is unreachable, the next RADIUS server in the list is contacted for authentication.

To configure RADIUS settings on a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the RADIUS tab.
  2. Select Manage RADIUS settings centrally from this application.
  3. Click Advanced.

    The Profile Settings window opens.

  4. Select an override profile setting:
    • Allowed
    • Denied
    • Mandatory

    For more information about override profile settings, see Configuring Profile Settings.

  5. Select RADIUS is activated on device to enable RADIUS on the Check Point Appliance.
  6. Click Add to add RADIUS servers that were defined in SmartDashboard, select a RADIUS server from the list and click OK.
  7. To remove a server, select a server in the list and click Remove.
  8. Use Up and Down to set the priority to contact RADIUS servers.
  9. Click Allow administrators from specific RADIUS groups only (comma separated) to allow authentication from specified groups as defined on the RADIUS server. Only administrators that belong to those groups can get access.
  10. Click OK.

Configuring Hotspot

To configure hotspot settings on a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the Hotspot tab.
  2. Select Manage Hotspot settings centrally from this application.
  3. Click Advanced. The Profile Settings window is displayed.
  4. Select one of these override profile settings:
    • Allowed
    • Denied
    • Mandatory

    For more information about override profile settings, see Configuring Profile Settings.

  5. Select Hotspot is activated on device to activate the hotspot.
  6. Configure the fields:
    • Portal Title - Keep the default or enter a different title.
    • Portal message - Keep the default or enter a different message.
    • Terms of use - Select this checkbox to add an "I agree with the following terms and conditions" checkbox on the Hotspot portal page. Enter the terms and conditions text in the text box. When users click the "terms and conditions" link, the entered text is shown.
    • Require Authentication - To require user authentication, select the checkbox.
    • Allow users from specific group - Select to allow access to a specific user group and not all users. Enter the group's name in the text box.
  7. Click Apply.

Configuring a Configuration Script

To configure a configuration script on a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the Configuration Script tab.
  2. Select Manage Configuration Script centrally from this application.
  3. Click Advanced.

    The Profile Settings window opens.

  4. Select one of these override profile settings:
    • Allowed
    • Denied
    • Mandatory
  5. In Configuration Script, enter a script to run on the Small Office Appliance gateway.
  6. Click Apply.

Configuring Profile Settings

For each set of configurations managed with a Provisioning Profile, you can decide which settings have preference: local (not provisioned) or central (from SmartProvisioning individual management or from Provisioning Profile).

To determine profile settings:

  1. In the Profiles List, right-click a profile and select Edit Provisioning Profile.
  2. In the Profile window, click any category tab (other than General).
  3. Select management settings for gateways that reference the profile:
    • Manage settings locally on the device: Each gateway that references this profile has its own settings, configured locally (not on SmartProvisioning). These settings cannot be overwritten by changes to the Provisioning Profile or to the SmartProvisioning gateway object. If you select this option, the Gateway window shows: settings are defined to be managed locally on the device.
    • Manage settings centrally from this application: Each gateway that references this profile gets its configuration for this setting from the Provisioning Profile or from the SmartProvisioning gateway object.
  4. If you selected to manage settings centrally, click Advanced.

    The Profile Settings window opens.

  5. Select an option for Overriding profile settings on device level is:
    • Allowed - You can override the profile settings with device-local settings, or with changes to these settings in the SmartProvisioning device window. You can also leave the profile settings as they are.
    • Denied - Each gateway takes the settings from the profile, with no option to override the profile settings.
    • Mandatory - Each gateway is managed without a Provisioning Profile.
  6. Click OK.

This table maps the profile settings selections to the Gateway window options:

Profile managed: Locally
Profile Override: Not relevant
Gateway Window Display and options:

    Settings are defined to be managed locally on the device.
    To change this, refer to the attached Provisioning Profile profile_name.
    (controls are unavailable)

Profile managed: Centrally
Profile Override: Override denied
Gateway Window Display and options:

    Overriding profile settings is denied.
    To change this, refer to the attached Provisioning Profile profile_name.
    (controls are Read-Only, configured by profile)

Profile managed: Centrally
Profile Override: Override allowed
Gateway Window Display and options:

    Select override method:

  • Manage settings locally on the device: Local management. Override provisioning configurations with local settings.
  • Use profile settings: Enforce profile settings on this gateway.
  • Use the following settings: Manage these settings on this gateway individually with the values given here.

Profile managed: Centrally
Profile Override: Override mandatory
Gateway Window Display and options:

    Overriding profile settings is mandatory: configure settings here.
    To change this, refer to Provisioning Profile profile_name.
    (Each gateway is configured separately)

  • Manage settings locally on the device: Manage these settings on this gateway locally.
  • Use the following settings: Manage these settings on this gateway individually with the values given here.

For example, if you set Hosts configuration to Central and Allowed: The Hosts tab on the gateway enables you to manage the Host List of a gateway if you:

Warning - If you select Use the following settings and do not enter values for a specified topic, the current settings on the device are deleted.