SmartLSM Security Gateways
Creating SmartLSM Security Profiles
A SmartLSM Security Gateway must have a SmartLSM Security Profile, which fetches a Check Point Security Policy from the Security Management Server or Domain Management Server. This Security Policy determines the settings of the firewall.
Before you can add a SmartLSM Security Gateway to SmartProvisioning, the SmartLSM Security Profiles and the Security Policies that they reference must exist in SmartDashboard.
This procedure describes how to create a SmartLSM Security Profile for Security Gateways or UTM-1 Edge Gateways. After you complete this, you can add the gateway objects to SmartProvisioning.
To create a SmartLSM Security Profile:
- Open SmartDashboard and log in.
- Open the Security Policy that you want to be enforced on the SmartLSM Security Gateways.
- Right-click the Network Objects tab and select New > SmartLSM Profile > Check Point Appliance/Open Server Gateway, Small Office Appliance Gateway, or UTM-1 Edge Gateway.
The SmartLSM Security Profile window opens.
- Define the SmartLSM Security Profile using the views of this window.
To open the online help for each view of this window, click Help.
- Click OK and then install the policy.
Note - To activate SmartProvisioning, a security policy must be installed on the gateway.
Adding SmartLSM Security Gateways
This procedure describes how to add a SmartLSM Security Gateway to SmartProvisioning.
Note - To use SmartProvisioning for centrally provisioned settings, a security policy must be installed on the Security Gateway.
Before you begin, you must have at least one SmartLSM Security Profile for a Security Gateway.
To add a SmartLSM Security Gateway to SmartProvisioning:
- In the navigation tree, click Devices.
- Select File > New > Check Point Appliance/Open Server Gateway.
A wizard opens, taking you through the steps to define the SmartLSM Security Gateway.
- Provide a name for the SmartLSM Security Gateway and optional comments, and click Next.
This name is for SmartProvisioning management purposes. It does not have to be the name of the gateway device; the name should be selected to ease management and recognition for users.
- In the More Information page, define the SmartLSM Security Gateway by its properties as follows:
- Click Next.
- In the SmartLSM Security Gateway Communication Properties page, define an Activation Key.
An activation key sets up a Secure Internal Communication (SIC) Trust between the SmartLSM Security Gateway and the Security Management Server or Domain Management Server. This is the same activation key that you provide in the SIC tab of the Check Point Configuration Tool (cpconfig) on the SmartLSM Security Gateway.
Provide an activation key by doing one of the following:
- Select Generate Activation Key automatically and click Generate. The Generated Activation Key window opens, displaying the key in clear text. Make note of the key (to enter it on the SmartLSM Security Gateway for SIC initialization) and then click Accept.
- Select Activation Key and provide an eight-character string to be the key. Enter it again in the Confirm Activation Key field.
- If you know the IP address of this SmartLSM Security Gateway, select This machine currently uses this IP address and then provide the IP address in the field. If you can complete this step, the SIC certificate is pushed to the SmartLSM Security Gateway.
If you do not know the IP address, you can select I do not know the current IP address. SmartProvisioning will pull the SIC certificate from the Security Management Server or Domain Management Server after you finish this wizard.
- Click Next.
The VPN Properties page opens.
- If you want a CA certificate from the Internal Check Point CA, select the I wish to create a VPN Certificate from the Internal CA check box.
If you want a CA certificate from a third-party (for example, if your organization already has certificates from an external CA for other devices), clear this check box and request the certificate from the appropriate CA server after you have completed this wizard.
- Click Next.
- If you want to continue configuring the gateway, select the Edit SmartLSM Security Gateway properties after creation check box.
- Click Finish.
Handling SmartLSM Security Gateway Messages
This section explains how to handle messages that may appear after you finish the wizard to add a Security Gateway or UTM SmartLSM Security Gateway, during the SmartProvisioning processing of the gateway object.
Opening Check Point Configuration Tool
The following sections may suggest that you open the Check Point Configuration Tool to handle an issue.
To open the Check Point Configuration Tool:
- From the CLI on a Gaia, SecurePlatform, or Linux Security Gateway, run cpconfig.
- On a Windows-based gateway, click Start > Programs > Check Point > Check Point Configuration Tool.
Activation Key is Missing
If you did not generate or select an Activation Key for SIC setup during the wizard, a message appears:
'Activation Key' for the Gateway SIC setup is missing. Do you want to continue?
Click Yes to define the gateway now and handle the SIC setup later; or click No and then Back to return to the Communication Properties page.
To handle the SIC setup after the gateway is added:
- Select the gateway in the work space and then select Edit > Edit Gateway.
- In the General tab, click Communication.
The Communication window opens, providing the same fields as the Communication Properties page of the wizard.
- Generate or provide an Activation Key.
- Click Close to close the Communication window and then OK to close the Edit window.
- Open the Check Point Configuration tool on the SmartLSM Security Gateway and click Reset SIC.
Operation Timed Out
During the process of adding a new SmartLSM Security Gateway, SmartProvisioning connects the Security Management Server/Domain Management Server and the SmartLSM Security Gateway to match and initialize the SIC and VPN certificates.
If a message appears indicating Operation Timed Out, the most common cause is that SmartProvisioning could not reach the Security Management Server/Domain Management Server or the SmartLSM Security Gateway. The gateway is still added to SmartProvisioning, but you should check the certificate status.
To view trust status:
- Double-click the gateway in the work space.
The SmartLSM Security Gateway window opens.
- In the General tab, click Communication.
- Check the value of Trust status. If the value is not Initialized, pull the SIC certificate from the Security Management Server or Domain Management Server.
Complete the Initialization Process
If you generated an Activation Key or provided an Activation Key file, but were not able to provide the IP address of the SmartLSM Security Gateway, a message appears:
To complete the initialization process, use the Check Point Configuration tool on the SmartLSM Security Gateway, to pull the certificate from the Security Management Server.
Note - If you are using Multi-Domain Security Management, this message says Domain Management Server, in place of Security Management Server.
To complete the initialization process:
- Click OK.
- Open the Check Point Configuration tool (cpconfig).
- According to the specific SIC or Communication options, reset and initialize the SIC with the Activation Key of the Security Management Server or Domain Management Server.
- Restart Check Point services on the SmartLSM Security Gateway.
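The cpconfig steps above (Reset SIC, initializing with the Activation Key, restarting services, then checking the trust status described under Operation Timed Out) can also be driven without the interactive menu. The following POSIX shell script is an added example, not part of this guide or of Check Point's own tooling; it assumes the gateway's non-interactive cp_conf utility accepts sic init <key> norestart and sic state, that cpstop/cpstart restart the services, and that the Activation Key is the eight-character string the wizard asks for.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): non-interactive counterpart to the
# cpconfig steps on this page, intended to run as root on the SmartLSM Security Gateway.
# Assumptions: "cp_conf sic init <key> norestart" resets/initializes SIC with the
# Activation Key, "cp_conf sic state" reports the trust state, and cpstop/cpstart
# restart Check Point services. The 8-character rule follows the wizard text above.

# Accept only an eight-character key with no blanks; returns 0 if valid, 1 otherwise.
validate_activation_key() {
    key=$1
    [ "${#key}" -eq 8 ] || return 1
    case $key in
        *[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Echo a command, then run it unless DRY_RUN=1 (used only for commands that carry no secret).
run() {
    echo "+ $*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# Reset/initialize SIC with KEY, restart services, then print the resulting trust state.
# Fails before touching the gateway if KEY does not pass validation.
sic_reinit() {
    key=$1
    validate_activation_key "$key" || {
        echo "activation key must be exactly 8 non-blank characters" >&2
        return 1
    }
    # The key is echoed masked so it does not end up in a console log or ticket.
    echo "+ cp_conf sic init ******** norestart"
    if [ "${DRY_RUN:-0}" != 1 ]; then
        cp_conf sic init "$key" norestart || return 1
    fi
    # "norestart" above defers the service restart so that it happens once, here.
    run cpstop && run cpstart && run cp_conf sic state
}

# Usage: sh sic_reinit.sh <activation-key>   (DRY_RUN=1 sh sic_reinit.sh <key> only prints)
if [ "$#" -gt 0 ]; then
    sic_reinit "$1"
fi
```

With DRY_RUN=1 the script only prints the commands it would run, with the key masked, which is a safe way to review the sequence before running it on a production gateway.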