Open Frames Download Complete PDF Send Feedback Print This Page

Previous

Next

Managing Security Gateways

In This Section:

Security Gateway Settings

Small Office Appliance Settings

Managing Software

Security Gateway Actions

Maintenance Mode

Security Gateway Settings

Some management configurations are common to all Security Gateways, Small Office Appliances, and UTM-1 Edge gateways that reference a Provisioning Profile, whether they are SmartLSM Security Gateways, CO gateways, or Provisioning-only gateways.

Before you begin, make sure that your administrator user name has Read/Write permissions for Managing Device Settings.

Scheduling Backups of Security Gateways

You can set up a schedule for backups of the individual Security Gateway, or view how it is managed with the assigned Provisioning Profile.

You can select to use SmartProvisioning to manage the backup settings, or configure on the local appliance or server.

To manage the backup schedule on the appliance or server:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Backup tab.
  3. Click Manage settings locally on the device.
  4. Click OK.

To enable SmartProvisioning to manage the backup schedule:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Backup tab.
  3. Click Use the following settings.

    The backup schedule settings are shown.

  4. Click Enable Backup.
  5. To see how the backup schedule is configured by the Provisioning Profile, select Show profile settings.

    The Provisioning Profile settings are shown.

  6. Define the schedule settings:
    • Start at: Set the hour and minute when the backup should start.
    • Recur every: Select either Day of the month and provide a date, or select the day(s) of the week, to set how many times a week or month, and on which days, the backup should occur.
  7. If you want the backup to include product log files, select the Include Check point products log files in the backup.

    Note: If disk space is a problem for the appliance or server, make sure that this option is cleared.

  8. If you want the backup file to be stored on a server other than the selected gateway, click Backup Target.

    The Backup Target window opens.

  9. Configure the IP address or hostname for the server where the backup file is stored.
  10. Click OK.

    The Backup Target window closes.

  11. Click OK.

Configuring DNS Servers

You can configure the DNS servers of the individual Security Gateway, or view how they are managed with the assigned Provisioning Profile.

You can select to use SmartProvisioning to manage the DNS settings, or configure on the local appliance or server.

To manage the DNS servers on the appliance or server:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the DNS tab.
  3. Click Manage settings locally on the device.
  4. Click OK.

To configure DNS servers with SmartProvisioning:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the DNS tab.
  3. Click Use the following settings.
  4. Enter the IP addresses of the First, Second, and Third DNS servers.

Configuring Hosts

You can set up the host list of the individual Security Gateway, or view how it is managed centrally with the assigned Provisioning Profile.

You can use SmartProvisioning to manage the host list, or configure on the local appliance or server.

To manage the host list on the appliance or server:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Hosts tab.
  3. Click Manage settings locally on the device.
  4. Click OK.

To configure the host list with SmartProvisioning:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Backup tab.
  3. Click Use the following settings.
  4. Click New.
  5. Provide the Host name and IP address.
  6. Click OK.

Configuring Domain

You can set up the domain of the individual Security Gateway, or view how it is managed centrally with the assigned Provisioning Profile.

You can select to use SmartProvisioning to manage the domain settings, or configure on the local appliance or server.

To manage the domain settings on the appliance or server:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Domain Name tab.
  3. Click Manage settings locally on the device.
  4. Click OK.

To configure domain settings with SmartProvisioning:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Domain Name tab.
  3. Click Use the following settings.
  4. Enter the Domain name.
  5. Click OK.

Configuring Host Name

You can see or change the host name of the individual Security Gateway in SmartProvisioning. You cannot use a Provisioning Profile to change the host name.

You can select to use SmartProvisioning to manage the host name settings, or configure on the local appliance or server.

To manage the host name on the appliance or server:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Host Name tab.
  3. Click Manage settings locally on the device.
  4. Click OK.

To configure host name with SmartProvisioning:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Host Name tab.
  3. Click Use the following settings.
  4. Enter the host name of the gateway.
  5. Click OK.

Configuring Routing for Security Gateways

You can manage the routing settings of individual Security Gateways through SmartProvisioning. You must configure the interfaces before the routes, because there are different types of routing configurations for different interfaces, depending on device. You cannot use a Provisioning Profile to configure routing settings.

You can select to use SmartProvisioning to manage the routing settings, or configure on the local appliance or server.

To manage the routing settings on the appliance or server:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Routing tab.
  3. Click Manage settings locally on the device.
  4. Click OK.

To configure the routing settings with SmartProvisioning:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Routing tab.
  3. Click Use the following settings.
  4. Click Add.

    A menu opens, displaying these options:

    • Net Route: Configure internal network routes.
    • Host Route: Configure access to a specified host.
    • Default Route: Configure the default route to access external destinations.
  5. Select a route type.

    A different Routing window opens for each type.

  6. Enter the data and click OK.

    There are different windows and options for different route types for SecurePlatform Security Gateways. If the gateway is an IP appliance, the windows offer other options.

    The IP Appliance alternative to Metric, is Next Hop Type:

    • Normal: Allow traffic to the gateway.
    • Reject: Block traffic where the gateway is the destination, and acknowledge.
    • Black Hole: Block traffic without acknowledging.

Configuring Net Route

  • Destination IP Address: Destination IP address for this route (for example, the IP address of the CO gateway or the Security Management Server/Domain Management Server).
  • Destination Mask: Net mask of the destination network.
  • Interface: Select a pre-configured interface for this route.
  • Gateway: IP address of the gateway providing access to this route.
  • Metric: Distance in hops to the destination. (This value should be as accurate as possible: too low a value may cause lost communications with looping; too high a value may cause security issues.)

Configuring Host Route

  • Destination IP Address: IP address of the destination host.
  • Interface: Select a pre-configured interface for this route.
  • Gateway: IP address of the gateway providing access to this host.
  • Metric: Distance in hops to the destination. If the host is on your local site, this should be a very low number; if the host is not behind routers, the metric should be zero.

Configuring Default Route

  • Gateway: IP address of the gateway providing access to the default external route.
  • Metric: Distance in hops to the gateway. (This value should be as accurate as possible: too low a value may cause lost communications with looping; too high a value may cause security issues.)

Small Office Appliance Settings

For more about the Small Office Appliance settings, see the Check Point 1100 Appliance Centrally Managed Administration Guide and Security Gateway 80 Administration Guide.

Configuring DNS

Configure the DNS server in the DNS tab.

To configure DNS:

  1. From the Devices window, double-click the Security Gateway 80.

    The Security Gateway window opens.

  2. Select the DNS tab.
  3. Select Use the following settings.

    The DNS settings open.

  4. To manually configure the IP addresses:
    1. Select Set DNS server configuration.
    2. Enter the IP addresses for each DNS server that is being used.
  5. To use the DNS server of the ISP provider, select Use DNS configurations provided by the active Internet connection.
  6. To use the Security Gateway 80 appliance as your default DNS proxy, select Enable DNS Proxy - resolves local DNS requests.
  7. Click OK.

Configuring Interfaces

Configure the Security Gateway 80 interfaces in the Interfaces tab in the Security Gateway window.

To configure the interfaces:

  1. From the Devices window, double-click the Security Gateway 80.

    The Security Gateway window opens.

  2. Select the Interfaces tab.
  3. Select Use the following settings.

    The interface settings open.

  4. Select the interface and click Edit.

    The Edit window opens.

  5. From the IP Assignment section, configure the IP address of the interface:
    1. Select Static IP.
    2. Enter the IP address and subnet mask for the interface.
  6. In Security Zone, select Wireless, DMS, External, or Internal.

    Security zone is a type of zone, created by a bridge to easily create segments, while maintaining IP addresses and router configurations. Security zones let you choose if to enable or not the firewall between segments.

  7. To configure the DHCP settings for the interface:
    1. In the DHCP section, select Enabled.
    2. In IP range, enter the range of IP addresses that can be assigned to the DHCP clients.
    3. In Exclude IP range, enter the range of IP addresses that are not assigned to the DHCP clients.
    4. To configure an IP Relay agent, select Relay.
    5. Enter the IP address for the IP Relay agent.
  8. To configure the advanced parameters for the interface:
    1. To assign a MAC address to the interface, select Override MAC Address.
    2. Enter the new MAC address value.
    3. From Link speed/Duplex, select the bandwidth for the interface.
  9. Click OK.

    The Edit window closes.

  10. To configure the MTU (Maximum Transmission Unit) for all the interfaces that are not part of the LAN switch:
    • In the Advanced section, enter the new MTU value.
  11. To enable the configured connection, select the interface and click Enable.

Adding a VLAN

You can add a new VLAN to a configured interface.

To create a VLAN (according to the IEEE 802.1q Standard) on one of the interfaces:

  1. From the Devices window, double-click the Security Gateway 80.

    The Security Gateway window opens.

  2. Select the Interfaces tab.
  3. Click New > New VLAN.

    The Add VLAN window opens.

    Add VLAN

  4. From Interface, select the interface to which the new VLAN is added.
  5. Enter these parameters from the new VLAN:
    • VLAN number
    • IP address
    • Subnet Mask
  6. To configure the DHCP settings for the new VLAN:
    1. From the DHCP section, select Enabled.
    2. In DHCP IP range, enter the range of IP addresses that can be assigned to the DHCP clients.
    3. In DHCP Exclude IP range, enter the range of IP addresses that are not assigned to the DHCP clients.
    4. To configure an IP Relay agent for the new VLAN, select Relay.
    5. Enter the IP address for the IP relay.
  7. Click OK.

    The new VLAN is added to the interface.

Configuring a LAN Switch

Configure the Security Gateway 80 as a LAN switch in the Interfaces tab in the Security Gateway window.

To configure LAN switch parameters:

  1. From the Devices window, double-click the Security Gateway 80.

    The Security Gateway window opens.

  2. Select the Interfaces tab.
  3. From the Switch section, click Activate.

    The Edit Switch window opens.

    Edit Switch

  4. In the IP Assignment section, enter IP address and Subnet Mask of the LAN switch.
  5. To add an interface to the LAN switch:
    1. In the Interfaces section, select an interface from the Available Interfaces list.
    2. Click Add.
  6. To configure the DHCP settings for the LAN switch:
    1. From the DHCP section, select Enabled.
    2. In DHCP IP range, enter the range of IP addresses that can be assigned to the DHCP clients.
    3. In DHCP Exclude IP range, enter the range of IP addresses that are not assigned to the DHCP clients.
    4. To configure an IP Relay agent for the new VLAN, select Relay.
    5. Enter the IP address for the IP Relay agent.
  7. To assign a MAC address to the interface, in the Advanced section select Override MAC Address and enter the MAC address.
  8. Click OK.

    The Edit Switch window closes and the switch is configured and activated.

  9. The Switch section allows you to manage the LAN switch.
    • To disable the interfaces in the LAN switch, clear Enable Interfaces.
    • To deactivate the LAN switch, click Deactivate.

    Note - When the LAN switch is deactivated, the settings of all interfaces in the LAN switch are erased.

  10. Click OK.

Configuring Internet Connection Types

You must configure a primary Internet connection, and you can configure a secondary one. When High Availability is activated, if there is a failover on the primary Internet connection, then the Security Gateway 80 starts using the secondary Internet connection.

These are the Internet connections:

  • Static IP - A fixed (non-dynamic) IP address.
  • DHCP - Dynamic Host Configuration Protocol (DHCP) automatically issues IP addresses within a specified range to devices on a network.
  • PPPoE - A network protocol for encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly with DSL services where individual users connect to the DSL modem over Ethernet and in plain Metro Ethernet networks.
  • PPTP - The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets.
  • L2TP - Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy.

When you have enabled both Internet connections, you can configure High Availability to revert back to the primary Internet connection.

To configure High Availability:

  1. Select Revert to Primary connection when possible.
  2. Click OK.

Configuring a Static Internet Connection

You can configure an Internet connection with a static IP address.

To configure a static IP Internet connection:

  1. From the Devices window, double-click the Security Gateway 80 network object.

    The Security Gateway window opens.

  2. Select the Internet tab.
  3. Select Use the following settings. The Internet connection settings open.
  4. Configure the primary Internet connection type:
    1. Select Enable Primary Internet Connection.
    2. Select whether the primary Internet connection is on the WAN or DMZ.
    3. From Connection Type, select Static IP.
  5. Click Configure.

    The Primary Internet Configuration window for the Static IP Internet connection type opens.

    Primary Internet Configuration

  6. In the IP Settings section, enter these IP address parameters:
    • IP Address
    • Subnet Mask
    • Default Gateway
  7. In the DNS section, enter the IP addresses for the DNS servers.
  8. In the WAN Port Settings section, enter these interface settings:
    • To configure the MTU (Maximum Transmission Unit) for the Internet connection, enter the new MTU value.

    Note - For a DMZ interface, the MTU value is applied to all LAN ports.

    • To assign a MAC address to the Internet connection, select Override MAC Address and enter the MAC address.
    • To configure the bandwidth for the Internet connection, select the appropriate option from Link speed/Duplex.
  9. Click OK.

Configuring a DHCP Internet Connection

You can configure an Internet connection that uses DHCP to automatically assign IP addresses.

To configure a DHCP Internet connection:

  1. From the Devices window, double-click the Security Gateway 80 network object.

    The Security Gateway window opens.

  2. Select the Internet tab.
  3. Select Use the following settings. The Internet connection settings open.
  4. Configure the primary Internet connection type:
    1. Select Enable Primary Internet Connection.
    2. Select whether the primary Internet connection is on the WAN or DMZ.
    3. From Connection Type, select Obtain IP Address Automatically (DHCP).
  5. Click Configure.

    The Primary Internet Configuration window for the DHCP Internet connection type opens.

    DHCP Connection Type Settings

  6. In the WAN Port Settings section, enter these interface settings:
    • To configure the MTU (Maximum Transmission Unit) for the Internet connection, enter the new MTU value.

    Note - For a DMZ interface, the MTU value is applied to all LAN ports.

    • To assign a MAC address to the Internet connection, select Override MAC Address and enter the MAC address.
    • To configure the bandwidth for the Internet connection, select the appropriate option from Link speed/Duplex.
  7. Click OK.

Configuring a PPoE Internet Connection

You can configure an Internet connection that uses PPPoE protocol.

To configure a PPPoE Internet connection:

  1. From the Devices window, double-click the Security Gateway 80 network object.

    The Security Gateway window opens.

  2. Select the Internet tab.
  3. Select Use the following settings. The Internet connection settings open.
  4. Configure the primary Internet connection type:
    1. Select Enable Primary Internet Connection.
    2. Select whether the primary Internet connection is on the WAN or DMZ.
    3. From Connection Type, select Point-to-Point Protocol over Ethernet (PPPoE).
  5. Click Configure.

    The General tab of the Primary Internet Configuration window for the PPPoE Internet connection type opens.

  6. Enter these settings for your Internet Service Provider:
    • User Name
    • Password
  7. In the WAN Port Settings section, enter these interface settings:
    • To configure the MTU (Maximum Transmission Unit) for the Internet connection, enter the new MTU value.

    Note - For a DMZ interface, the MTU value is applied to all LAN ports.

    • To assign a MAC address to the Internet connection, select Override MAC Address and enter the MAC address.
    • To configure the bandwidth for the Internet connection, select the appropriate option from Link speed/Duplex.
  8. Click OK.
PPPoE Advanced Settings

You can configure the advanced settings for a PPoE Internet connection. The advanced settings allow you to configure:

  • IP settings for the tunnel
  • How the Internet connection is started and maintained

To configure PPPoE advanced settings:

  1. From the Primary Internet Configuration window for PPPoE, select Advanced.

    The Advanced PPPoE window opens.

    PPPoE - Advanced Settings

  2. In the Local Tunnel IP Assignment section, enter these settings for the PPPoE tunnel:
    • Obtain IP Address Automatically - The IP address for the PPPoE tunnel is automatically configured (default setting).
    • Use the Following IP Address - Enter the static IP address that is used for the PPPoE tunnel.
  3. In the Connection Method section, configure how the Security Gateway 80 uses the PPPoE Internet connection:
    • Auto Connect - The Security Gateway 80 automatically establishes a PPPoE connection to the Internet.
    • Connect on Demand - The Security Gateway 80 establishes a PPPoE connection to the Internet when required.
    • Disconnect Idle Time - Enter the number of maximum number of idle minutes before the PPPoE Internet connection is disconnected.
  4. In the Monitor Connections section, enter the PPPoE Echo requests settings:
    • Monitor Connection Status Every - Enter how often, in seconds, that PPPoE Echo requests are sent to the server.
    • Assume Connection is Down After - Enter the maximum number of failed PPPoE Echo requests before the PPPoE server is considered down.
  5. Click OK.

Configuring a PPTP or L2TP Internet Connection

You can configure an Internet connection that uses PPTP or L2TP protocol.

To configure a PPTP Internet connection:

  1. From the Devices window, double-click the Security Gateway 80 network object.

    The Security Gateway window opens.

  2. Select the Internet tab.
  3. Select Use the following settings. The Internet connection settings open.
  4. Configure the primary Internet connection type:
    1. Select Enable Primary Internet Connection.
    2. Select whether the primary Internet connection is on the WAN or DMZ.
    3. From Connection Type, select Point-to-Point Tunneling Protocol over Ethernet (PPTP) or Layer 2 Tunneling Protocol (L2TP).
  5. Click Configure.

    The General tab of the Primary Internet Configuration window for the Internet connection type opens.

  6. Enter these settings for your Internet Service Provider:
    • Server Host Name or IP Address
    • ISP User Name
    • ISP Password
  7. In the WAN Port Settings section, enter these interface settings:
    • To configure the MTU (Maximum Transmission Unit) for the Internet connection, enter the new MTU value.

    Note - For a DMZ interface, the MTU value is applied to all LAN ports.

    • To assign a MAC address to the Internet connection, select Override MAC Address and enter the MAC address.
    • To configure the bandwidth for the Internet connection, select the appropriate option from Link speed/Duplex.
  8. Click OK.
PPTP or L2TP Advanced Settings

You can configure the advanced settings for a PPTP or L2TP Internet connection. The advanced settings allow you to configure:

  • IP settings for the tunnel and the WAN
  • How the Internet connection is started and maintained

To configure PPTP or L2TP advanced settings:

  1. From the Primary Internet Configuration window for PPTP or L2TP, select Advanced.

    The Advanced settings open.

PPTP - Advanced Settings

  1. In the Local Tunnel IP Assignment section, enter the settings for the tunnel:
    • Obtain IP Address Automatically - The IP address for the tunnel is automatically configured (default setting).
    • Use the Following IP Address - Enter the static IP address that is used for the tunnel.
  2. In the WAN IP Assignment section, enter the IP address settings for the WAN:
    • Obtain IP Address Automatically - The IP address for the WAN is automatically configured (default setting).
    • Use the Following IP Address - Configure these settings for the WAN IP address:
      • IP Address
      • Subnet Mask
      • Default Gateway
  3. In the Connection Method section, configure how Security Gateway 80 uses the PPTP or L2TP Internet connection:
    • Auto Connect - Security Gateway 80 automatically establishes a PPTP or L2TP connection to the Internet.
    • Connect on Demand - Security Gateway 80 establishes a PPTP or L2TP connection to the Internet when required.
    • Disconnect Idle Time - Enter the number of maximum number of idle minutes before the PPTP or L2TP Internet connection is disconnected.
  4. In the Monitor Connections section, enter the Echo request settings:
    • Monitor Connection Status Every - Enter how often (in seconds) that Echo requests are sent to the server.
    • Assume Connection is Down After - Enter the maximum number of failed Echo requests before the server is considered down.
  5. Click OK.

Configuring a Bridge Connection

You can configure an Internet connection that is a bridge.

To configure a bridge connection:

  1. From the Devices window, double-click the Security Gateway 80 network object.

    The Security Gateway window opens.

  2. Select the Internet tab.
  3. Select Use the following settings. The Internet connection settings open.
  4. Configure the primary Internet connection type:
    1. Select Enable Primary Internet Connection.
    2. Select whether the primary Internet connection is on the WAN or DMZ.
    3. From Connection Type, select Bridge.
  5. Click Configure.

    The Primary Internet Configuration window for the bridge opens.

    Bridge Connection Type Settings

  6. From Assign Interface, select the interface that is being configured as a bridge.
  7. In the IP Settings section, enter these IP address parameters:
    • IP Address
    • Subnet Mask
    • Default Gateway
  8. In the DNS section, enter the IP addresses for the DNS servers.
  9. In the WAN Port Settings section, enter these interface settings:
    • To configure the MTU (Maximum Transmission Unit) for the Internet connection, enter the new MTU value.

    Note - For a DMZ interface, the MTU value is applied to all LAN ports.

    • To assign a MAC address to the Internet connection, select Override MAC Address and enter the MAC address.
    • To configure the bandwidth for the Internet connection, select the appropriate option from Link speed/Duplex.
  10. Click OK.

Configuring ICMP

You can configure the ICMP (Internet Control Message Protocol) settings for the Internet connection. You can specify servers that receive ICMP requests to monitor the status of the Internet connection. If you have enabled High Availability, then the Security Gateway 80 can activate the other Internet connection when necessary.

To configure the ICMP settings:

  1. From the Devices window, double-click the Security Gateway 80.

    The Security Gateway window opens.

  2. Select the Internet tab.
  3. From the required Internet connection, click Configure.

    The Internet Configuration window is opens.

  4. From the Advanced section, select Use ICMP to monitor connection status.
  5. Click Configure.

    The ICMP Settings window opens.

  6. To monitor a server:
    1. Click Add.
    2. Enter the host name or IP address of the server.
    3. Repeat these steps for all the servers that are being monitored.
    4. Select Send ICMP requests to the following servers.
  7. To monitor the default gateway, select Send ICMP requests to default gateway.
  8. Enter these ICMP connection monitoring settings:
    1. Interval Between - Enter the number of seconds between each ICMP request.
    2. Failover After - Enter the maximum number of failed ICMP requests. When High Availability is active, after an ICMP failover the other Internet connection becomes active.
    3. Resume Requests After - Enter the number of seconds after an ICMP failover that ICMP requests are resumed.
  9. Click OK.

Configuring Routing Settings

You must configure Security Gateway 80 interfaces before configuring the routing settings. The routing configurations are not the same for all interfaces.

You cannot add a default route from the Routing tab. The default route of the system is the same as the default gateway that is configured for the Internet connection. If Internet Connection High Availability is active, the default route automatically changes to the default gateway of the other Internet connection. When there is no active Internet connection and no default route is active, this message is displayed: Note: There is no default route since no Internet connection is enabled.

You can configure Security Gateway 80 to automatically select the interface or gateway that is used for a route. You cannot select the Automatic option for both the interface and the gateway.

Configuring a Network Route

You can use SmartProvisioning to configure network routes for Security Gateway 80. You should use a network route to configure routing for an internal network.

To configure a network route:

  1. In the Devices window, double-click the Security Gateway 80.

    The Security Gateway window opens.

  2. Select the Routing tab.
  3. Select Use the following settings.

    The Routing settings open.

  4. Click Add and select Network Route.

    The Routing window opens.

    Network Routing

  5. In Destination IP Address, enter the IP address of the network.
  6. In Destination Netmask, enter the netmask for the destination IP address.
  7. From Interface, select a configured interface for the route.
  8. In Gateway, enter the IP address of the gateway that provides access to the route.
  9. In Metric, enter number of hops to the destination.

    Note - This value should be accurate. A metric that is too low can cause lost communications because of looping. A metric that is too high can cause security issues.

  10. Click OK.

Configuring a Host Route

You can use SmartProvisioning to configure host routes for Security Gateway 80. A host route configures access to a specific host.

To configure a host route:

  1. In the Devices window, double-click the Security Gateway 80.

    The Security Gateway window opens.

  2. Select the Routing tab.
  3. Select Use the following settings.

    The Routing settings open.

  4. Click Add and select Host Route.

    The Routing window opens.

    Host Routing

  5. In Destination IP Address, enter the IP address of the host.
  6. From Interface, select a configured interface for the route.
  7. In Gateway, enter the IP address of the gateway that provides access to the host.
  8. In Metric, enter number of hops to the destination host.

    Note - If the host is on your local site, the metric should be a low number. If the host is not behind routers, the metric should be zero.

  9. Click OK.

Configuring Firmware Installation Settings

You can use SmartProvisioning to manage the firmware installation settings for Security Gateway 80.

You can select the firmware image to install on your Security Gateway. The firmware images that are shown in the list were uploaded through SmartUpdate. If firmware installation fails, the Security Gateway reverts to its state before installation. The list shows details of the firmware image. These include the Name, Vendor, Major Version, Minor Version, Build Number, and Description.

You can install the firmware with one of these options:

  • Immediately - Downloads and installs the firmware immediately after saving these settings in the next synchronization with a Security Gateway that references this profile.
  • According to time ranges - You can define download and installation time ranges for the firmware image. The download and installation time can be limited to a specified list of time ranges in the week. They will start at the nearest time range after firmware settings were applied. For example, if the firmware installation settings were applied on Sunday and there are two time ranges:
    • One range is set to Friday 00:00 to Saturday 00:00
    • One range is set to Wednesday 23:00 to Thursday 06:00

      The firmware will be installed between Wednesday 23:00 and Thursday 06:00.

      In the event that the Security Gateway did not succeed to download and/or install the firmware during the nearest time range, it will try again in the next time range.

To configure firmware installation settings:

  1. In the Devices window, double-click the Security Gateway 80.

    The Security Gateway window opens.

  2. Select the Firmware tab.
  3. Select Use the following settings.

    The Firmware settings open.

  4. In Firmware image, click Select to select a firmware image that has been uploaded through SmartUpdate.
  5. In SmartLSM Profile after installation, select a related SmartLSM profile from the list that can be installed for the selected firmware image and its supported versions.
  6. Select one of the options to install the firmware:
    1. Immediately
    2. According to these time ranges - Select to use the Security Gateway time or local time.
      • Add/Edit - Click Add or Edit to open the Time Range window to define/change the weekdays and times for downloading and installing the firmware image. Select the days and times and click OK.
      • Remove - Select a range from the list and click Remove to delete a time range.
      • Download image immediately - Click this option to download the firmware image immediately but install the image during one of the set time ranges.
  7. Click Show profile settings - to see the settings of the Provisioning Profile that this gateway references.
  8. Click OK.

Configuring a RADIUS Server

You can configure the RADIUS server (Remote Authentication Dial In User Service) that provides authentication, authorization, and accounting for Security Gateway 80 gateways. By configuring RADIUS in the Provisioning Profile, you can configure it once for all gateways that reference this profile. The RADIUS server must be already defined as a SmartDashboard object.

You can configure your appliance to contact more than one RADIUS server. If the first server in the list is unreachable, the next RADIUS server in the list is contacted to authenticate with. If the list is empty, the RADIUS option is turned off on the Security Gateway.

Note - This feature is supported for Small Office Appliances version R75.20 and higher.

To configure RADIUS:

  1. In the Devices window, double-click the Security Gateway 80.

    The Security Gateway window opens.

  2. Select the RADIUS tab.
  3. Select Use the following settings.
  4. Click Add to add RADIUS servers that have been defined in SmartDashboard, select a RADIUS server from the list and click OK.
  5. To remove a server, select a server in the list and click Remove.
  6. Use Up/Down to set the priority used for contacting RADIUS servers.
  7. Click Allow administrators from specific RADIUS groups only (comma separated) to allow authentication from specified groups as defined on the RADIUS server. Only administrators belonging to those groups can get access.
  8. Click OK.

Managing Software

You can manage the software installed on SmartLSM Security Gateways and standard Security Gateways. Package commands (from the Actions menu) and the Package toolbar buttons are available only when a non-Edge gateway is selected in a Devices work space.

These commands are not available for Small Office Appliances (version R75.20 and above) and UTM-1 Edge gateways.

  • To centrally manage the firmware of Small Office Appliances from version R75.20 and above, use the Firmware tab.
  • To manage the software of UTM-1 Edge devices, use the UTM-1 Edge portal (right-click > Launch UTM-1 Edge Portal).

Uploading Packages to the Repository

Upload Security Gateway software packages to the SmartProvisioning Package Repository on the Security Management Server or Domain Management Server.

To upload packages to the repository:

  1. Open SmartUpdate (Window > SmartUpdate).
  2. From the menu bar, select Packages > Add and select a source:
    • From Download Center: Have your user name and password for the Check Point Download/User Center ready. When your credentials are authenticated, the Get Packages from Download Center window opens, displaying the packages that are available to you. Select the ones you want and click Download.
    • From CD/DVD: Insert the CD or DVD with the package into the appliance or server. Browse to the DVD with the TGZ files that you are adding to the repository, and then click OK.
    • File: Browse to the TGZ files that you are adding to the repository, and then click OK. The software package is added to the Package Repository.

Viewing Installed Software

You can view the Check Point software packages installed on a gateway. Such packages include Security Gateway upgrades, Check Point Hotfixes that are relevant for the installed version, and Check Point HFAs.

To view the packages list on a gateway:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Packages tab.

    The operating system of the gateway, and all installed Check Point packages are listed.

Verifying Pre-Install

Before installing a Check Point software package on a gateway, you can test whether the package is compatible with the selected gateway.

To verify package pre-installation:

  1. In the Devices work space, select a Security Gateway.
  2. From the menu bar, select Actions > Packages > Pre-Install Verifier.

    A message appears: Getting targets for install. Please wait...

    If there are packages in the Package Repository, the Verify Installation window opens.

  3. Select a listed package and click Verify.

    In Status View > Action Status, see the verification phases in the Details column:

    • Checks connection between gateway and Security Management Server or Domain Management Server.
    • Checks for sufficient disk space on the gateway.
    • Checks that the package is not already installed.
    • Checks compatibility of package with operating system and currently installed packages.

    If the package is verified for the selected gateway, the Status column shows Completed, and the Details column shows:

    '<package>' is compatible with installed packages

Upgrading Packages with SmartProvisioning

Use the Upgrade All Packages features to upgrade devices for a new version of the Security Gateway software.

To upgrade Check Point software on a gateway:

  1. In the work space, select the gateway.
  2. From the menu bar, select Actions > Packages > Upgrade All Packages.

    If there are packages in the Package Repository, installed packages are upgraded to the latest available version.

    If required packages are missing, they are listed in the Missing Packages window.

    Use SmartUpdate to add the missing packages, and then rerun Upgrade All Packages.

Distributing Packages with SmartProvisioning

Use the Distribute Packages feature to distribute Check Point Hotfixes and HFAs to the specific Security Gateways that can be enhanced by installing the package.

To install a Check Point package on a gateway:

  1. In the work space, select the Security Gateway.
  2. Verify that the package you want to distribute is available and appropriate for the selected gateway.
  3. From the menu bar, select Actions > Packages > Distribute Packages.

    A warning opens, explaining that using Distribute Packages, rather than Upgrade All, may lead to a mismatch between versions and malfunctions.

    To prevent this issue, make sure to use Distribute for Hotfix and HFA installation, not for upgrading to a new version.

  4. If you want to continue with this procedure, click OK.

    If there are packages in the Package Repository, the Distribute Package window opens.

  5. Select a package from the list.
  6. In the Choose action section, select an action:
    • Distribute and install packages: Download selected packages from the Package Repository and install them on the selected gateway.
    • Only distribute packages: Download selected packages from the Package Repository to the selected gateway, but do not install them yet.
    • Install previously distributed packages: Install packages that were previously distributed to the selected gateway.
  7. If you want the gateway to automatically reboot after the installation, if the installation requires this, select the Allow reboot if required check box.
  8. Select the Backup image for automatic revert check box (available only for Security Gateways). Clear this check box only if disk space is a real issue.

    Creating the image may take some time.

  9. If Change to a new profile after install is enabled, you must select an appropriate SmartLSM Security Profile for the gateway from the drop-down list.

    This field is enabled, and required, only if the change is necessary.

  10. Click Start.

Security Gateway Actions

You can execute immediate actions on SmartLSM Security Gateways and Security Gateway Provisioned gateways. You can run these actions on individual gateways, or on a SecurePlatform Provisioning Profile, effectively running the action on all gateways that reference this profile.

Before you begin, make sure that your administrator has permissions to Run Scripts.

Viewing Status of Remote Gateways

You can get an instant view of the status of a Security Gateway: traffic, interfaces, performance, CPU, memory, and so on.

To view status details of a selected gateway:

  1. Make sure an administrator is logged into the gateway.
  2. Select Actions > Get Status Details.

Running Scripts

You can execute complex gateway commands with your own scripts on any provisioned gateway. The Run Script feature is not available for UTM-1 Edge devices or UTM-1 Edge Provisioning Profiles.

Before you begin, make sure that your administrator has permissions for running scripts.

Running Scripts on Individual Gateways

To run a script on a single gateway:

  1. Right-click a [SmartLSM] Security Gateway and select Actions > Run Script.
  2. In the Run Script window, provide your script.
    • If you have the script in a file, select Load Script and then browse to the file.
    • You can type a script into the text box, or paste it in from another source.
  3. Click Run Script.

    The script is pushed to the gateway and runs immediately. See the Action Status tab of the Status pane to view the details of the push and execution.

    The Result pane displays the results of the script, 0 for success and other value for failure.

  4. To save the script to a file, click Save Script.

Running Scripts by Profiles

The Run Script feature lets you use a Security Gateway Provisioning Profile to run scripts on multiple gateways.

To run a script on all gateways of a Provisioning Profile:

  1. In the tree in the main window, select Profiles.
  2. Select an existing Provisioning Profile for UTM-1/Power-1/SecurePlatform and from the menu bar select Actions > Run Script.
  3. In the Run Script window, provide your script.
    • If you have the script in a file, select Load script and then browse to the file.
    • You can type a script into the text box, or paste it in from another source.
  4. Click Run Script. The script is pushed to all the gateways that use this profile.

    See the Action Status tab of the Status pane to view details of the push and execution.

    The Result pane displays the results of the script, 0 for success and other value for failure.

  5. To save the script to a file, click Save Script.

Immediate Backup of Security Gateways

You can create a backup image of Security Gateways and SmartLSM Security Gateways. You can do this with an Action command on a specific gateway, or on a Security Gateway Provisioning Profile to create a backup image of all gateways that reference this profile.

You can choose to store backups on the selected gateway, or on another backup server. If you choose another server, make sure you have the IP address or host name of that server, and if needed, a user name and password with Read/Write permissions.

Note - SmartProvisioning does not provide backup management for UTM-1 Edge devices or UTM-1 Edge Provisioning Profiles. UTM-1 Edge backups are managed through the UTM-1 Edge Portal (right-click > Launch UTM-1 Edge Portal), using the Export Tool. For more information, see the R75.40VS UTM-1 Edge Administration Guide.

To execute an immediate backup of a Security Gateway:

  1. Right-click a [SmartLSM] Security Gateway or UTM-1/Power-1/SecurePlatform Provisioning Profile and select Actions > Backup.
  2. If you want the backup to include Check Point logs, select the Include Check Point products log files in the backup check box.
  3. Provide details of the device on which the backup will be stored, or select Locally on device, if each device will hold its own backup file.
  4. Click OK.
  5. Select Actions > Push Settings and Actions.

    The backup is created and pushed to the gateway or defined server. See the documentation of the target's operating system for Restore Backup instructions.

Applying Changes

If you make a change to a Security Gateway Provisioning Profile, or use the Actions > Backup command, no change or action is immediately applied to the gateways.

Profile changes are applied to the gateways that reference them when the gateways fetch their profiles on interval. At this time, the gateways get the commands to pull the scripts from SmartProvisioning and execute them, or to create backup images.

However, profile changes and actions sometimes need to be applied immediately. For example, if you run a script that configures a new server behind a SmartLSM Security Gateway, you will want this configuration to be applied as quickly as possible, to include the server in the gateway's VPN with the CO gateway.

To apply profile changes and actions immediately:

Right-click the Provisioning Profile and select Actions > Push Settings and Actions.

Maintenance Mode

Security Gateways that reference a Provisioning Profile have a maintenance feature. Enable Maintenance Mode on a Security Gateway while testing changes to its object configuration or Provisioning Profile. In this mode, changes are pushed from the SmartProvisioning console to the Security Management Server or Domain Management Server, but they are not pushed to the gateway.

For example:

You have a SmartLSM Security Gateway on your SmartProvisioning management that has operational issues. The remote office where this SmartLSM Security Gateway sits is too far away for you to manage it yourself, so you ask the local system administrator to handle the issue.

However, you do not want the gateway to lose the configurations that you have already made to it from your central SmartProvisioning console. You enable Maintenance Mode on this gateway.

The local administrator fixes the issue. You disable Maintenance Mode, which switches the SmartLSM Security Gateway back to centralized configuration through the SmartProvisioning console.

Note - Disabling Maintenance Mode overrides any local changes with the central SmartProvisioning configurations. If the local administrator discovers that changes need to be made on this gateway, make sure you have the data before switching back.

To enable Maintenance Mode:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Select Maintenance Mode.
  3. Select Actions > Push Settings and Actions.

    Remember:

    • Changes to the Provisioning Profile do not affect the gateway as long as Maintenance Mode is selected.
    • If you clear the Maintenance Mode check box, all local changes are overridden by central configurations.
 
Top of Page ©2014 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print