
Managing SmartLSM Security Gateways

In This Section:

Immediate SmartLSM Security Gateway Actions

Common SmartLSM Security Gateway Configurations

Changing Assigned SmartLSM Security Profile

Managing SIC Trust

Tracking Details

Configuring Log Servers

SmartLSM Security Gateway Licenses

Configuring SmartLSM Security Gateway Topology

Converting SmartLSM Security Gateways to Gateways

Immediate SmartLSM Security Gateway Actions

At any point while configuring or managing a SmartLSM Security Gateway you can perform immediate actions on the gateway.

Applying Dynamic Object Values

A SmartLSM Security Profile carries a Security Policy whose rules name source and destination IP addresses; dynamic objects let you localize those rules for each SmartLSM Security Gateway that references the profile. See Dynamic Objects to learn more about dynamic objects. Dynamic objects are managed in SmartProvisioning only for SmartLSM Security Gateways.

For example:

The Security Policy that is fetched by a SmartLSM Security Profile has a rule to drop traffic from the IP addresses listed on a StormCenter. This one profile is referenced by ten SmartLSM Security Gateways; some of them should use one StormCenter site and others a different one. You do not have to create a new rule for each gateway: you create one rule in the main policy and use the CPDShield dynamic object as its source (the StormCenter list of IP addresses to block).

In SmartProvisioning, on each SmartLSM Security Gateway that references this profile, you resolve the CPDShield dynamic object to the real IP address of a StormCenter (double-click a SmartLSM Security Gateway and open Dynamic Objects > Add).

After you have resolved the dynamic object to a real IP address value, it is not applied immediately to the selected SmartLSM Security Gateway. You can wait for the gateway to fetch its profile, but if you want the value to be applied immediately, you can push the resolved values of dynamic objects to the SmartLSM Security Gateway.

To apply new values to dynamic objects of a SmartLSM Security Gateway:

Select Actions > Push Dynamic Objects.
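The CPDShield scenario above, as an added example that is not part of Check Point's documentation or product code: one profile rule names the dynamic object, each gateway resolves it to its own address, and a resolved value has no effect on the device until it is pushed (or the profile is fetched). Gateway names, addresses and the second rule are constructed.

```python
"""Added example, not Check Point code: how one profile rule that names the
CPDShield dynamic object is localized per SmartLSM Security Gateway, and why
a resolved value does nothing until it is pushed (or the profile is fetched).
Gateway names and addresses are constructed."""
from dataclasses import dataclass, field

DYNAMIC_OBJECTS = {"CPDShield"}  # object names that are resolved per gateway


@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # a literal address/network or a dynamic object name
    destination: str
    action: str


@dataclass
class Gateway:
    name: str
    # values resolved in SmartProvisioning (Dynamic Objects > Add), not yet on the device
    resolved: dict = field(default_factory=dict)
    # values actually in effect on the device after the last push or profile fetch
    applied: dict = field(default_factory=dict)


# The profile's Security Policy (constructed): one rule uses the dynamic object.
PROFILE_POLICY = [
    Rule("block-stormcenter", source="CPDShield", destination="Any", action="drop"),
    Rule("allow-internal", source="Any", destination="10.0.0.0/8", action="accept"),
]


def push_dynamic_objects(gw):
    """Actions > Push Dynamic Objects: apply the resolved values immediately
    instead of waiting for the gateway's next profile fetch."""
    gw.applied = {name: list(ips) for name, ips in gw.resolved.items()}


def localize(policy, gw):
    """Expand dynamic-object sources with the values in effect on this gateway.
    Returns (rules, unresolved): 'unresolved' lists dynamic objects the device
    has no value for, i.e. rules that are not yet enforcing anything there."""
    rules, unresolved = [], []
    for r in policy:
        if r.source not in DYNAMIC_OBJECTS:
            rules.append(r)
            continue
        ips = gw.applied.get(r.source, [])
        if not ips:
            unresolved.append(r.source)
        rules.extend(Rule(r.name, ip, r.destination, r.action) for ip in ips)
    return rules, unresolved


def audit(policy, gateways):
    """Gateways that reference the profile but still have an unresolved object."""
    return {gw.name: u for gw in gateways if (u := localize(policy, gw)[1])}
```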

Getting Updated Security Policy

If you change the Security Policy used by a SmartLSM Security Profile in SmartDashboard, even if you install it on gateways there, the change is not applied to SmartLSM Security Gateways right away. Each SmartLSM Security Gateway fetches its SmartLSM Security Profile at its fetch interval, and only then gets the updated Security Policy.

You can apply the changes immediately by pushing the policy onto the SmartLSM Security Gateway by selecting Actions > Push Policy.

Common SmartLSM Security Gateway Configurations

Configurations differ somewhat between the types of SmartLSM Security Gateway (Security Gateway and UTM-1 Edge), but this chapter explains management concepts and procedures that are common to all SmartLSM Security Gateways.

The administrator must have Read/Write permissions for managing device settings.

The edit window for gateways is different for each type of SmartLSM Security Gateway, but is opened in the same ways.

To open the SmartLSM Security Gateway window:

  1. In the tree, click Devices.
  2. Do one of the following:
    • Click the Edit Gateway toolbar button.
    • In the Devices work space, double-click the gateway you want to edit.
    • In the Devices work space, right-click the gateway and select Edit Gateway.
    • From the Edit menu, when the gateway is selected in the work space, click Edit Gateway.

Changing Assigned SmartLSM Security Profile

You can change the SmartLSM Security Profile that you assign to a SmartLSM Security Gateway.

Note - Do this procedure if the assigned SmartLSM Security Profile was changed in SmartDashboard, to make sure that the changes are applied immediately.

To apply a change in SmartLSM Security Profile:

  1. In SmartDashboard, edit the Security Policy as needed and install it on the SmartLSM Security Profile.
  2. In SmartProvisioning, open the Gateway window, and select the General tab.
  3. From the Security Profile drop-down list, select the SmartLSM Security Profile.
  4. Select Actions > Push Policy.

Managing SIC Trust

Getting New Registration Key for UTM-1 Edge Device

You can force a UTM-1 Edge SmartLSM Security Gateway to get a new SIC key, by generating a new Registration Key for the gateway.

To generate a new key:

  1. Double-click a UTM-1 Edge device.
  2. In the General tab, find the Secure Internal Communication > Registration Key field.
  3. Click New Key.
  4. Click Generate Key, and then click Set to set the new key.

Verifying SIC Trust on SmartLSM Security Gateways

You can view and edit the status of the Secure Internal Communication Trust between the management server (Security Management Server or Domain Management Server) and the SmartLSM Security Gateway. SIC Trust is established after a certificate has been issued by the management server and delivered to the SmartLSM Security Gateway.

To check the SIC Trust of a SmartLSM Security Gateway:

  1. Double-click a SmartLSM Security Gateway.
  2. In the General tab, find the Secure Internal Communication > DN field.

    This is the SmartLSM Security Gateway's Distinguished Name (SIC name).

    syntax: CN=gw-name, O=Management-domain-name

    If the field is empty, the SIC Trust State must be changed (see the procedures below).

  3. Click Communication.
  4. Check the value of the Trust State field, which indicates the status of this SmartLSM Security Gateway's SIC Trust with the Security Management Server or Domain Management Server.
    • Initialized: Indicates that the SmartLSM Security Gateway has a valid SIC certificate (it is possible that the Security Gateway is not connected).
    • Uninitialized: Indicates that the SmartLSM Security Gateway does not have a valid SIC certificate (because it was never initialized, or its certificate was revoked).

Initializing SIC Trust on SmartLSM Security Gateways

If Trust State is Uninitialized, and the IP address field has the IP address of the SmartLSM Security Gateway, you can initialize the SIC trust now. Perform this procedure if the Generate button is available.

To initialize a SIC trust:

  1. Click Generate to generate an Activation Key, or select Activation Key to provide one that you have from the Security Management Server or Domain Management Server.
  2. Click Initialize. A new SIC certificate is created for this SmartLSM Security Gateway, and its trust state becomes Initialized.

Pulling SIC from Security Management Server

If the IP address field is empty, you must pull the SIC certificate from the Security Management Server or Domain Management Server using the Check Point Configuration tool (cpconfig).

To initialize a SIC trust if the Security Management Server or Domain Management Server cannot find the gateway:

  1. Open cpconfig > Secure Internal Communication (SIC) on the Security Management Server or Domain Management Server and on the SmartLSM Security Gateway.
  2. Copy the SIC password.
  3. On the gateway, provide the Activation Key of the Security Management Server or Domain Management Server.
  4. Restart Check Point services on the gateway.

Resetting Trust on SmartLSM Security Gateways

You may want to reset an established SIC Trust if you have replaced the gateway host machine, or if you have lost the Activation Key.

From the time that you reset SIC until trust is re-established, internal communications between Check Point applications, the management server, and managed devices are down. This procedure revokes the current certificate and issues a new one. Continue only if you are sure that SIC should be reset, and re-initialize SIC trust promptly after this procedure.

To reset a SIC trust:

  1. In the Communication window, click Reset.

    A message asks for confirmation: Are you sure you want to reset SIC?

    If you reset the SIC certificate now (revoke current license and get a new one), internal communications between Check Point applications, Security Management Server/Domain Management Server, and managed devices might be adversely affected. Continue only if you are sure this must be done.

  2. If you are ready to reset SIC now, click Yes.
  3. On the SmartLSM Security Gateway, open the Check Point Configuration tool > Secure Internal Communication tab, and click Reset.
  4. Reboot the SmartLSM Security Gateway.

Tracking Details

The Details tab of the Gateway window for SmartLSM Security Gateways and UTM-1 Edge SmartLSM Security Gateways provides identification information for log tracking and cluster usage.

You can edit the ID by which the actual device of the gateway is known and add detailed notes for easier network management.

  • SmartLSM ID: Unique ID, in the form of an IP address, for each SmartLSM Security Gateway. When the SmartLSM Security Gateway sends logs to a Log Server, the logs are stored by Origin IP, which is this SmartLSM ID. This allows consistent tracking of the SmartLSM Security Gateway's logs, even if its external IP address changes. This ID cannot be edited.
  • Device ID (Security Gateway) or MAC Address (UTM-1 Edge): Often used to hold a SmartLSM Security Gateway's MAC address, this field accepts free text. Use this field to note the machine ID, in whatever format is best for the environment and the SmartLSM Security Gateway.
  • Domain Details: Often used to hold environment details of the SmartLSM site, which can be especially useful if the SmartProvisioning administrators are not personally familiar with the remote office.
  • Participates in UTM-1 Edge cluster (available for UTM-1 Edge only).

Configuring Log Servers

When you create a SmartLSM Security Profile for Security Gateways in SmartDashboard, you can also configure the log servers. In SmartProvisioning you can edit the log server configuration and select different log servers for a selected gateway, but the servers must already be defined in SmartDashboard.

To change log servers of SmartLSM Security Gateways:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Advanced tab.
  3. Clear the As defined in SmartLSM Profile check box.
  4. Select the servers which should hold the logs for this SmartLSM Security Gateway:
    • Send logs to: Select the primary log server for this gateway.
    • When unreachable, send logs to: Select the alternative log server.

Note - UTM-1 Edge gateways are configured for log servers through the UTM-1 Edge Portal > Setup > Logging. For more information about log servers, see the R75.40 UTM-1 Edge User Guide.

SmartLSM Security Gateway Licenses

You have a License Repository with the licenses that you acquired for your environment. You can manage the licenses of SmartLSM Security Gateways through SmartProvisioning.

Uploading Licenses to the Repository

SmartLSM Security Gateway licenses are available for SmartProvisioning management if they are in the License Repository on the Security Management Server or Domain Management Server.

To upload licenses to the repository:

  1. Open SmartUpdate: Window > SmartUpdate > Licenses and Contracts.
  2. Click Licenses & Contracts > Add License and then select a source location.
  3. Browse to the file.
  4. Click Open.

    The license is added to the License Repository.

Attaching License to SmartLSM Security Gateways

To attach a license to a SmartLSM Security Gateway:

  1. Open the SmartLSM Security Gateway window, and select the Licenses tab.
  2. Click Add.

    The displayed licenses are those that are in your License Repository but currently are unattached to any gateway. If an original license is in use on another SmartLSM Security Gateway, you will not see the corresponding upgraded license displayed in the License Repository.

  3. Select the licenses that you want to appear in this gateway's Licenses window. You can select more than one license at a time.
  4. Click OK. The license attached to this gateway is added to the Licenses list.
  5. In the Gateway window, click OK.

    The license operations (attaching or detaching) are performed immediately. The License Operation message appears:

    Attaching/Detaching Licenses. Please wait...

Attaching License to UTM-1 Edge SmartLSM Security Gateways

UTM-1 Edge devices have embedded licenses. To release features, you need the Product Key.

To attach a license to a UTM-1 Edge SmartLSM Security Gateway:

  1. Open the UTM-1 Edge SmartLSM Security Gateway window, and select the Licenses tab.
  2. Provide the Product Key.
  3. Click Show Product Description to see the features that are enabled by this license.

License State and Type

The State of the license depends on whether the license is associated with the Security Gateway in the License Repository, and whether the license is installed on the remote Security Gateway.

  • Unattached: Not associated with the Security Gateway in the License Repository, and not installed on the remote Security Gateway.
  • Engaged: Associated with the Security Gateway in the License Repository, but not installed on the remote Security Gateway.
  • Attached: Associated with the Security Gateway in the License Repository, and installed on the remote Security Gateway.

The type of license depends on the IP address enabled in the license. If the IP address is of this gateway, the license type is Local. If the IP address is of the Security Management Server or Domain Management Server, the license type is Central.

Handling License Attachment Issues

  • If there are unattached licenses that belong to the SmartLSM Security Gateway, a message is displayed in the Licenses tab. In general, this situation occurs after you have finished running the License Upgrade Tool. Click Add these licenses to the list. The upgraded and unattached licenses are disabled.
  • To remove an existing license from the Licenses list, select it and click Remove. The license will be detached from the SmartLSM Security Gateway after you click OK.
  • You cannot have an upgrade license attached to a SmartLSM Security Gateway while the corresponding original license is detached and exists in the License Repository.
  • If you try to remove the original license from the gateway, while the upgrade license is listed, you will receive a warning that if you proceed, both licenses will be removed. If you click OK, both licenses are removed from the gateway.
  • If you try to remove the upgrade license from the gateway, while the original license is listed, you will receive a notification stating that you may either remove the upgrade license alone, or both licenses.
  • If both the original and the upgrade license are in the License Repository, and you attempt to add the upgrade license to the gateway, you will receive a notification stating that if you proceed, both licenses will be added to the gateway.
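A model of the license State and Type rules and of the original/upgrade attachment rules above, added here as an example and not taken from Check Point's code. License names and addresses are constructed; installation is assumed to succeed when you click OK, and a license whose IP matches neither the gateway nor the management server is labelled "Unknown" (an assumption, since the page defines only Local and Central).

```python
"""Added example, not Check Point code: a model of the license State and Type
rules and of the original/upgrade attachment rules described above.
License names and addresses are constructed."""
from dataclasses import dataclass
MGMT_IP = "192.0.2.1"  # Security Management Server address (constructed)


@dataclass
class License:
    name: str
    ip: str                   # the IP address enabled in the license
    associated: bool = False  # associated with this gateway in the License Repository
    installed: bool = False   # installed on the remote Security Gateway
    upgrade_of: str = ""      # name of the original license this one upgrades, if any


def state(lic):
    """Unattached / Engaged / Attached, as defined under License State and Type."""
    if lic.associated and lic.installed:
        return "Attached"
    return "Engaged" if lic.associated else "Unattached"


def license_type(lic, gateway_ip):
    if lic.ip == gateway_ip:
        return "Local"
    return "Central" if lic.ip == MGMT_IP else "Unknown"  # "Unknown" is an assumption


class LicensesTab:
    """The gateway's Licenses list, with the original/upgrade pairing rules."""

    def __init__(self, gateway_ip, repository):
        self.gateway_ip = gateway_ip
        self.repo = {lic.name: lic for lic in repository}  # the License Repository
        self.listed = []  # names currently in this gateway's Licenses list

    def add(self, name):
        """Adding an upgrade whose original is in the repository adds both."""
        lic = self.repo[name]
        names = [lic.upgrade_of] if lic.upgrade_of in self.repo else []
        names.append(name)
        for n in names:
            if n not in self.listed:
                self.listed.append(n)
                self.repo[n].associated = True  # Engaged until installed
        return names

    def remove(self, name, also_original=False):
        """Removing an original removes its upgrade too; removing an upgrade
        may remove it alone (default) or together with the original."""
        lic = self.repo[name]
        removed = [name] + [n for n in self.listed if self.repo[n].upgrade_of == name]
        if also_original and lic.upgrade_of in self.listed:
            removed.append(lic.upgrade_of)
        for n in removed:
            self.listed.remove(n)
            self.repo[n].associated = self.repo[n].installed = False
        return removed

    def commit(self):
        """Click OK: attach/detach runs immediately (install assumed to succeed)."""
        for lic in self.repo.values():
            lic.installed = lic.associated
```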

Configuring SmartLSM Security Gateway Topology

You can manage the topology of SmartLSM Security Gateways through SmartProvisioning, viewing and changing the internal and external interfaces of each gateway to fit its local environment.

To configure the topology of a SmartLSM Security Gateway:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Topology tab.
  3. Select the option that best describes the topology of this SmartLSM Security Gateway:
    • Not defined: No VPN is defined for this gateway. To enable this Gateway to participate in a VPN, select a different option. Select this option if this device is not a gateway for a network.
    • Only the external interfaces: The external IP addresses of the SmartLSM Security Gateway are the entire VPN domain. The CO gateway connects to the remote office nodes only through the SmartLSM Security Gateway. The nodes are usually connected and protected by NAT.
    • All IP Addresses behind the Gateway based on Topology information: SmartProvisioning automatically calculates the encryption domain based on the IP address and net mask of the SmartLSM Security Gateway's internal interfaces.
    • Automatically determined by the topology configured on the Edge device: The VPN domain of the gateway consists of all the IP addresses configured locally on the UTM-1 Edge device, regardless of the interface configuration of the Edge object.

      Note - This option is only available for UTM-1 Edge devices, and requires:

      1. Manual definition of VTIs on the device and CO gateway for the CO gateway to learn the VPN domain. The domain topology is stored on the Edge device, and not acquired through an install policy action or automatic update from the CO.
      2. OSPF feature of the CO gateway to dynamically learn the VPN domain of the UTM-1 Edge device.
    • Manually defined: You can define the VPN domain manually. The range table is enabled.

Manually Configuring a VPN Domain

Complex networks behind SmartLSM Security Gateways cannot be properly configured as VPN domains by the automatic calculation option (All IP Addresses behind the Gateway based on Topology information). If the SmartLSM Security Gateway topology consists of one type (Meshed or Star) and does not include subsequent firewalls, you may select the automatic option. Otherwise, it is recommended that you select Manually defined.

To manually configure a VPN domain:

  1. In the Topology tab, click Manually defined.
  2. Click Add.

    The IP Address Range Configuration window opens.

  3. Enter the range of IP addresses that define a network behind this gateway.
  4. Click OK.
  5. Repeat these steps and add IP address ranges for the VPNs that connect to the CO gateway.
  6. Select Actions > Push Policy.

    You are prompted to save the data and then SmartProvisioning validates the topology you have defined.

    If successfully validated, the topology is immediately pushed to the gateway.

  7. Update the CO gateway.

    The IP addresses in this range are now part of the VPN domain that is secured by the SmartLSM Security Gateway and that tunnels to the CO gateway. To complete the VPN configurations, see Configuring VPNs on SmartLSM Security Gateways.
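As an added example (not Check Point's own code) of the point above: the automatic option builds the encryption domain from the internal interfaces' IP address and net mask, so a subnet reachable only through a second firewall inside the site is left out, while a manually defined range list covers it. The interface addresses, the hidden subnet and the validation checks (start not after end, no overlapping ranges) are constructed assumptions, not the validation SmartProvisioning actually performs.

```python
"""Added example, not Check Point code: the automatic VPN domain option versus
a manually defined one for a site with a second firewall inside it.
Interface addresses, the hidden subnet and the checks are constructed."""
import ipaddress

# Internal interfaces of the SmartLSM Security Gateway as IP/netmask, which is
# what the "All IP Addresses behind the Gateway based on Topology information"
# option calculates the encryption domain from.
INTERNAL_INTERFACES = ["10.10.1.1/255.255.255.0", "10.10.2.1/255.255.255.0"]

# A subnet reachable only through a subsequent firewall inside the site.
BEHIND_SECOND_FIREWALL = "10.10.50.0/24"


def automatic_domain(interfaces):
    """Encryption domain calculated from the internal interfaces' IP and net mask."""
    return [ipaddress.ip_interface(i).network for i in interfaces]


def manual_domain(ranges):
    """Ranges entered in the IP Address Range Configuration window, validated
    (assumed checks): start not after end, and no two ranges overlap."""
    nets = []
    for start, end in ranges:
        a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if a > b:
            raise ValueError(f"range {start}-{end}: start is after end")
        nets.extend(ipaddress.summarize_address_range(a, b))
    nets.sort()  # sorted by network address, so overlaps are always adjacent
    for x, y in zip(nets, nets[1:]):
        if x.overlaps(y):
            raise ValueError(f"ranges overlap: {x} and {y}")
    return nets


def covers(domain, host):
    """True if the host address is inside the VPN domain."""
    h = ipaddress.ip_address(host)
    return any(h in n for n in domain)


def missing_from_automatic(interfaces, required_subnets):
    """Subnets the CO gateway must reach that the automatic calculation leaves out."""
    auto = automatic_domain(interfaces)
    return [s for s in required_subnets
            if not any(ipaddress.ip_network(s).subnet_of(n) for n in auto)]
```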

Configuring the Automatic VPN Domain Option for UTM-1 Edge

The topology of the VPN domain can be determined automatically on the UTM-1 Edge device.

  • When the automatic option is configured, the VPN domain of the gateway consists of all the IP addresses configured locally on the UTM-1 Edge device, regardless of the interface configuration of the Edge object.
  • Selecting this option requires the OSPF feature of the CO gateway to dynamically learn the VPN domain of the UTM-1 Edge device.

Converting SmartLSM Security Gateways to Gateways

You can convert a SmartLSM Security Gateway managed with SmartProvisioning to a Security Gateway or UTM-1 Edge gateway managed with SmartDashboard. There is no need to delete existing objects, nor to create new ones, because the Check Point Suite handles object management automatically during the conversion. It also preserves relevant SIC certificates.

For example, if a remote gateway has so many customized requirements that Profiles are ineffective, you can manage it as a separate gateway through SmartDashboard.

To convert to a SmartDashboard gateway:

  1. In the SmartProvisioning CLI, execute one of the following commands (see Converting Gateways for details and more options).
    • Security Gateway: LSMcli <server> <user> <pswd> Convert ROBO VPN1 <Name>
    • UTM-1 Edge: LSMcli <server> <user> <pswd> Convert ROBO VPN1Edge <Name>
  2. Define the gateway interfaces.
  3. Update relevant VPN communities.
  4. Install Security Policies.
  5. Restart Check Point services.
  6. Update the CO gateway to which the SmartLSM Security Gateway was a satellite.
©2014 Check Point Software Technologies Ltd. All rights reserved.