Small-scale Deployment Installation

In This Section:

Small-scale Deployment Workflow

Defining a Gateway Object

Defining a Gateway Cluster Object

Creating the Security Policy

Setting Server IP Behind a 3rd Party NAT Device

This chapter contains procedures for defining a gateway or a gateway cluster. Do the procedures that match your requirements, then install the policy.

Small-scale Deployment Workflow

This is the suggested workflow for small-scale deployments:

  1. Create the necessary gateway or cluster objects for your appliances in SmartDashboard.
  2. Install the Security Policy in SmartDashboard.
  3. Configure the relevant appliances with the First Time Configuration Wizard. Alternatively, you can use a USB drive to quickly configure many appliances without the First Time Configuration Wizard. For more details, see Deploying from a USB Drive.
  4. Manage the appliance settings in SmartProvisioning for the gateway or cluster objects.

Defining a Gateway Object

You can use the SmartDashboard creation wizard to define a Check Point Appliance before or after you configure the appliance on site.

Options to define a gateway object:

To define a single gateway object:

  1. Log in to SmartDashboard using your Security Management credentials.
  2. From the Network Objects tree, right click Check Point and select Security Gateway.

    The Check Point Security Gateway Creation window opens.

  3. Select Wizard Mode.

    The wizard opens to General Properties.

  4. Enter a name for the Check Point Appliance object and select the hardware type for the hardware platform.

    If the appliance does not appear in the hardware list in the R77.30 SmartDashboard, see sk111292.

  5. Set the Security Gateway Version to R77.20.
  6. Select Static IP address or Dynamic IP address as the method to get the gateway's IP address.
  7. Click Next.

To configure a static IP address:

  1. In the Authentication section, select Initiate trusted communication securely by using a one-time password or Initiate trusted communication without authentication (less secure).
  2. If you selected Initiate trusted communication securely by using a one-time password, enter a one-time password and confirm it. This password is only used to establish the initial trust. Once established, trust is based on security certificates.

    Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.

  3. In the Trusted Communication section, select Initiate trusted communication automatically when the Gateway connects to the Security Management server for the first time or Initiate trusted communication now.
  4. Click Connect.

    A status window appears.

  5. Click Next.

To configure a dynamic IP address:

  1. In the Gateway Identifier section, select one identifier: Gateway name, MAC address or First to connect.
  2. In the Authentication section, select Initiate trusted communication securely by using a one-time password or Initiate trusted communication without authentication (less secure).
  3. If you select Initiate trusted communication securely by using a one-time password, enter a one-time password and confirm it. This password is only used for establishing the initial trust. Once established, trust is based on security certificates.

    Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.

  4. Click Next.

To configure the software blades:

In the Blade Activation page, select the software blades that you want to activate and configure.

To configure blades later:

  1. Select Activate and configure software blades later.
  2. Click Next.

To configure blades now:

  1. Select Activate and configure software blades now.
  2. Select the check boxes next to the blades you want to activate and configure.
  3. Configure the required options:
    • NAT - The Hide internal networks behind the Gateway’s external IP checkbox is selected by default.
    • QoS - Set the inbound and outbound bandwidth rates.
    • IPSec VPN - Make sure that the VPN community has been predefined. If it is a star community, the Check Point Appliance is added as a satellite gateway. Select a VPN community that the Gateway participates in from the Participate in a site to site community list.
    • IPS - Select a profile from the Assign IPS Profile list or click Manage to create/edit an IPS profile.
    • User Awareness - Complete the wizard pages that open to define the User Awareness acquisition sources. In the Active Directory Servers page of the wizard, make sure to select only AD servers that your gateway works with.
  4. Click Next.

To hide the VPN domain:

Select Hide VPN domain behind this gateway's external IP.

Select this option only if you want to hide all internal networks behind this gateway’s external IP. All outgoing traffic from networks behind this gateway to other sites that participate in the VPN community will be encrypted.

With this option, connections that other sites initiate to hosts behind this gateway are not encrypted. If you need access to hosts behind this gateway, either select other options (define VPN topology), or make sure all traffic from other sites is directed to this gateway's external IP and define corresponding NAT port-forwarding rules. For example: translate the destination of incoming HTTP connections that are directed to this gateway's external IP to the IP address of a web server behind this gateway.

To create a new VPN domain group:

  1. Make sure that the Create a new VPN domain option is selected.
  2. In the Name field, enter a name for the group.
  3. From the Available objects list, select the applicable objects and click Add. The objects are added to the VPN domain members list.

To select a predefined VPN domain:

  1. Click Select an existing VPN domain.
  2. From the VPN Domain list, select the domain.
  3. Click Next.

    In the Installation Wizard Completion page, you see a summary of the configuration parameters you set.

  4. If you want to configure more options of the Security Gateway, select Edit Gateway properties for further configuration.
  5. Click Finish.

    The General Properties window of the newly defined object opens.