SmartLSM Security Policies
Understanding Security Policies
A SmartLSM Security Gateway has a SmartLSM Security Profile (created in SmartDashboard), which fetches a Check Point Security Policy from the Security Management Server or Domain Management Server. This Security Policy determines the settings of the firewall.
Before you can add a SmartLSM Security Gateway to SmartProvisioning, the Security Policies must exist in SmartDashboard, and you must have at least one SmartLSM Security Profile that refers to a Security Policy for SmartLSM Security Gateways.
This section describes how to create a Security Policy for a SmartLSM Security Gateway to be managed by SmartProvisioning. We recommend that you define a separate Security Policy for every SmartLSM Security Profile. In the Installable Target field of the Security Policy, add only the SmartLSM Security Profile object.
For more about how to create Security Policies, see the R77 Security Management Administration Guide.
Configuring Default SmartLSM Security Profile
You can select a default profile to serve as the SmartLSM Security Gateway's profile. This SmartLSM Security Profile will be assigned to all new SmartLSM Security Gateways of the appropriate type (UTM-1 Edge or Security Gateway).
To configure a SmartLSM Security Gateway to reference a default SmartLSM Security Profile:
- From SmartDashboard, select Policy > Global Properties.
The window opens.
- From the navigation tree, select .
- Select .
- From Default SmartLSM Security Profile, select a SmartLSM Security Profile that is the default profile for Security Gateways.
- From the Default UTM-1 Edge, select an existing UTM-1 Edge Security Profile that is the default profile for UTM-1 Edge appliances.
- Click OK and install the policy.
Guidelines for Basic SmartLSM Security Policies
The following procedure can be used as a guideline for creating a Security Policy for a SmartLSM Security Profile. The specific rules of the Security Policy depend on the needs of your environment and the requirements of the SmartLSM Security Gateways that will reference the SmartLSM Security Profile.
Note - The following procedure uses Dynamic Objects. For more details, see: Dynamic Objects.
To define a Security Policy for a SmartLSM Security Profile object:
- Use the LocalMachine dynamic object to represent any SmartLSM Security Gateway.
- Use the InternalNet, DMZnet and AuxiliaryNet dynamic objects to represent the respective networks behind any SmartLSM Security Gateway.
- Add rules according to the needs of your organization and the requirements for the SmartLSM Security Gateways, using Dynamic Objects whenever possible.
Dynamic Objects make the SmartLSM Security Profile applicable to numerous gateways.
- To allow Push actions from SmartProvisioning, add a rule that allows an incoming FW1_CPRID service from the Security Management Server or Domain Management Server to LocalMachine.
- Install the Policy on the SmartLSM Security Profile object.
This action prepares the Security Policy on the Security Management Server or Domain Management Server to be fetched by the SmartLSM Security Gateways that reference this SmartLSM Security Profile.
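The following is an added illustration, not Check Point code, of why Dynamic Objects let one Security Policy serve many gateways: the same profile-level rules resolve to different concrete addresses on each SmartLSM Security Gateway. The object names LocalMachine, InternalNet, DMZnet and AuxiliaryNet come from the procedure above; the per-gateway bindings and the sample rules are constructed, and "Server" stands for the Security Management Server or Domain Management Server.

```python
# Added model (not Check Point code) of how a Security Policy written with Dynamic
# Objects yields a different concrete rule set on every SmartLSM Security Gateway.
DYNAMIC_OBJECTS = {"LocalMachine", "InternalNet", "DMZnet", "AuxiliaryNet"}

# Profile-level rules: (source, destination, service, action). Constructed sample.
PROFILE_RULES = [
    ("Server", "LocalMachine", "FW1_CPRID", "Accept"),   # allow Push actions
    ("InternalNet", "Any", "http", "Accept"),
    ("Any", "DMZnet", "https", "Accept"),
    ("Any", "Any", "Any", "Drop"),
]

# Values each gateway resolves locally for its dynamic objects (constructed).
# branch-02 deliberately has no DMZnet, to show an unresolved object.
GATEWAYS = {
    "branch-01": {"LocalMachine": "203.0.113.10", "InternalNet": "10.1.0.0/24",
                  "DMZnet": "10.1.2.0/24", "AuxiliaryNet": "10.1.3.0/24"},
    "branch-02": {"LocalMachine": "198.51.100.7", "InternalNet": "10.2.0.0/24"},
}

def resolve_rules(rules, bindings):
    """Return the concrete rules for one gateway and the set of dynamic objects
    the rules reference but this gateway never bound (in this model such a field
    is left as a visible placeholder so the audit can flag it)."""
    concrete, unresolved = [], set()
    for src, dst, svc, act in rules:
        row = []
        for obj in (src, dst):
            if obj in DYNAMIC_OBJECTS:
                if obj not in bindings:
                    unresolved.add(obj)
                row.append(bindings.get(obj, f"<{obj}: unbound>"))
            else:
                row.append(obj)
        concrete.append((row[0], row[1], svc, act))
    return concrete, unresolved

def audit_all(rules=PROFILE_RULES, gateways=GATEWAYS):
    """Resolve the profile rules for every gateway: {name: (rules, unresolved)}."""
    return {name: resolve_rules(rules, b) for name, b in gateways.items()}

if __name__ == "__main__":
    for gw, (rows, missing) in audit_all().items():
        print(gw, "unresolved dynamic objects:", sorted(missing))
        for r in rows:
            print("   ", r)
```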
Creating Security Policies for Management
You must specify explicit rules to allow management traffic between SmartLSM Security Gateways and the Security Management Server or Domain Management Server. These rules are part of the Security Policy installed on the gateway that protects the Security Management Server or Domain Management Server.
Because SmartLSM Security Gateways can have dynamic IP addresses, you must use "ANY" to represent all possible SmartLSM Security Gateway addresses.
Note - For each rule listed in the table below, the Action is Accept. When the Source or Destination is Server, use your Security Management Server or Domain Management Server.
Rules for Traffic between SmartProvisioning Gateway and Management Server

| Source | Destination | Service | Type of Allowed Traffic |
|---|---|---|---|
| Any | Server | FW1 | Firewall control |
| Server | Any | FW1 | Firewall control |
| Any | Server | CPD | CPD control |
| Server | Any | CPD | CPD control |
| Any | Server | FW1_ica_pull | Pulling certificates |
| Server | Any | FW1_ica_push | Pushing certificates |
| Server | Any | FW1_CPRID | Check Point Remote Installation Protocol, for Push actions |
| Any | Server | FW1_log | Logs |
| Server | Any | CPD_amon | Status monitoring |
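As an added example (not Check Point code), the checker below audits a candidate rulebase for the gateway that protects the Security Management Server against the nine required management rules in the table above, using first-match semantics: it reports required tuples that no Accept rule covers (including those shadowed by an earlier Drop) and flags Accept rules that open every service to or from the server. The rulebase rows, the field names src/dst/svc/action and the Drop action placement are constructed sample data.

```python
# Added audit helper (not Check Point code) for the management rules table above.
# "Server" is the Security Management / Domain Management Server object; "Any" is
# the wildcard the guide requires because gateways may have dynamic addresses.
REQUIRED = [
    ("Any", "Server", "FW1"), ("Server", "Any", "FW1"),
    ("Any", "Server", "CPD"), ("Server", "Any", "CPD"),
    ("Any", "Server", "FW1_ica_pull"), ("Server", "Any", "FW1_ica_push"),
    ("Server", "Any", "FW1_CPRID"), ("Any", "Server", "FW1_log"),
    ("Server", "Any", "CPD_amon"),
]

def _covers(field, value):
    return field == "Any" or field == value

def first_match(rulebase, src, dst, svc):
    """First-match semantics: the first rule whose fields cover the tuple, or None."""
    for rule in rulebase:
        if _covers(rule["src"], src) and _covers(rule["dst"], dst) \
                and _covers(rule["svc"], svc):
            return rule
    return None

def audit(rulebase, required=REQUIRED):
    """Return (missing, overbroad): required tuples whose first matching rule is
    absent or not Accept, and Accept rules exposing the server to service Any."""
    missing = [t for t in required
               if (r := first_match(rulebase, *t)) is None or r["action"] != "Accept"]
    overbroad = [r for r in rulebase
                 if r["action"] == "Accept" and r["svc"] == "Any"
                 and "Server" in (r["src"], r["dst"])]
    return missing, overbroad

SAMPLE_RULEBASE = [  # constructed; a Drop shadows the log rule, last rule is too wide
    {"src": "Any", "dst": "Server", "svc": "FW1", "action": "Accept"},
    {"src": "Server", "dst": "Any", "svc": "FW1", "action": "Accept"},
    {"src": "Any", "dst": "Server", "svc": "CPD", "action": "Accept"},
    {"src": "Server", "dst": "Any", "svc": "CPD", "action": "Accept"},
    {"src": "Any", "dst": "Server", "svc": "FW1_ica_pull", "action": "Accept"},
    {"src": "Server", "dst": "Any", "svc": "FW1_ica_push", "action": "Accept"},
    {"src": "Server", "dst": "Any", "svc": "FW1_CPRID", "action": "Accept"},
    {"src": "Any", "dst": "Server", "svc": "FW1_log", "action": "Drop"},
    {"src": "Server", "dst": "Any", "svc": "Any", "action": "Accept"},
]

if __name__ == "__main__":
    missing, overbroad = audit(SAMPLE_RULEBASE)
    print("missing/shadowed:", missing)
    print("over-broad Accept rules:", overbroad)
```

The sample run reports FW1_log as missing (its Accept is shadowed by the Drop) and flags the trailing Server-to-Any rule, which also happens to be what satisfies CPD_amon.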
Creating Security Policies for VPNs
To create a VPN tunnel from a SmartLSM Security Gateway to a CO gateway, create a Security Policy for this encrypted traffic. As in the basic Security Policy, use Dynamic Objects. This localizes the policy for each SmartLSM Security Gateway that references the SmartLSM Security Profile.
To create a VPN Security Policy for a SmartLSM Security Profile:
- Define a Star VPN Community.
Configure all the relevant authentication and encryption properties for it. To learn more, see the R77 VPN Administration Guide.
- Add the CO gateway as a Central Gateway.
Make sure the CO gateway is configured with a static IP address.
- Add the SmartLSM Security Profile that represents the SmartLSM Security Gateways as a Satellite Gateway.
- Add rules that allow relevant VPN traffic.
Example: The following rule allows encrypted telnet traffic that matches the community criteria.
Example — Telnet Through VPN Traffic Rule

Rule columns: Source | Destination | Service | VPN | Action | Install On
Rule values: Any | Any | Any | Telnet | Community | Accept | Any | Any
- Add a rule to allow Push actions from SmartProvisioning: allow FW1_CPRID service from the Security Management Server/Domain Management Server to LocalMachine.
- Install the Security Policy on the SmartLSM Security Profile object.
- Update the CO gateway with the new or changed SmartLSM Security Profiles. In SmartProvisioning, click Update Corporate Office Gateway.
Downloading to UTM-1 Edge Devices
SmartLSM Security Gateways on UTM-1 Edge devices can get security policies from the Security Management Server or Domain Management Server through the UTM-1 Edge Portal. You can use this option if, for some reason, SmartProvisioning is unable to fetch the SmartLSM Security Profile or unable to push the Security Policy.
To download a Security Policy to a SmartLSM Security Gateway from the UTM-1 Edge Portal:
- Log in from the UTM-1 Edge portal to my.firewall.
- Select Services > Accounts > Refresh, or select Services > Software Updates > Update Now.
- The UTM-1 Edge SmartLSM Security Gateway polls for updates, and downloads the latest Security Policy.
To verify a successful download:
- Log in from the UTM-1 Edge portal to my.firewall.
- Select Reports > Event Log.
- Find the following message: Installed updated Security Policy (downloaded).
- Select Setup > Tools > Diagnostics.
- Verify that the SmartLSM Security Profile in the Policy field is the UTM-1 Edge Profile that references the correct Security Policy.