Managing UTM-1 Edge Gateways

In This Section:

UTM-1 Edge Portal

UTM-1 Edge Ports

UTM-1 Edge Gateway Provisioned Settings

UTM-1 Edge Portal

UTM-1 Edge gateways, both SmartLSM and Provisioning, have some configurations that are managed through the UTM-1 Edge Portal. SmartProvisioning gives you access to these configurations through the Gateway window and, for some sets of configurations, through UTM-1 Edge Provisioning Profiles.

To access the UTM-1 Edge Portal:

  1. In a Devices work space, right-click a UTM-1 Edge device.
  2. Select Launch UTM-1 Edge Portal.

    Your default browser opens to the Web User Interface of UTM-1 Edge management.

For more information on UTM-1 Edge configuration, see the R75.40VS UTM-1 Edge Administration Guide.

UTM-1 Edge Ports

The UTM-1 Edge Portal Web UI has a Ports tab. In this tab you configure the physical ports of the selected UTM-1 Edge device and define the valid use of each port. For example, you can assign a LAN port to be used for a LAN network or a VLAN network. You can assign an RS232 port for a dial-up modem or for a serial console.

You can edit port usage through SmartProvisioning. This is available to UTM-1 Edge SmartLSM Security Gateways and to UTM-1 Edge Provisioning gateways. SmartProvisioning settings affect the device only if the device topology is set to All IP addresses behind the gateway based on Interfaces information.

To manage UTM-1 Edge device ports:

  1. From the Devices pane, double-click the UTM-1 Edge gateway.

    The window opens and shows the General tab.

  2. Click the Ports tab.
  3. Decide if you want to manage the ports of the selected UTM-1 Edge device from SmartProvisioning, or if you want to make sure that local configurations are used.
    • Manage settings locally on the device: Disable SmartProvisioning management of the physical ports of the UTM-1 Edge device and enforce local management.
    • Use the following settings: Configure port settings of the UTM-1 Edge device here. When local administrators access the Ports tab of the UTM-1 Edge Portal, they can edit these settings and add more ports for configuration.

    If you select Use the following settings, the table and Edit button are enabled.

  4. Select a port from the list and click Edit.

    You cannot add port assignments from SmartProvisioning. This should be done locally, to prevent configurations of ports that are not actually on the device.

    The window that opens depends on the type of port you selected, and on the options that were set on the UTM-1 Edge Portal.

    For example, if a local administrator set a LAN port to have no settings for port security, when you click Edit on the LAN port, the security setting will be disabled.

    If the local administrator had enabled Port Security to enforce 802.1x authentication, you could disable this temporarily (until the local administrator changes it back) and set a quarantine network for clients that failed authentication.

UTM-1 Edge Gateway Provisioned Settings

Some management configurations are common to all UTM-1 Edge gateways that reference a Provisioning Profile, whether they are SmartLSM, CO, or Provisioning-only.

You can manage the provisioned settings if the Profile Settings are set for central management and you want to use the Use the following settings option. See Configuring Settings for Provisioning to learn more about local and central management of gateways from Provisioning Profiles.

Before you begin, make sure that your administrator has Read/Write permissions for Managing Device Settings (see Defining SmartProvisioning Administrators).

Synchronizing Date and Time on UTM-1 Edge Devices

You can configure the date and time of the individual UTM-1 Edge gateway, synchronizing it with a specified Network Time Protocol server, or view how it is managed centrally with a Provisioning Profile.

To configure date and time on a UTM-1 Edge gateway:

  1. From the Devices pane, double-click the UTM-1 Edge gateway.

    The window opens and shows the General tab.

  2. Click the Date and Time tab.
  3. Select one of these options:
    • If the gateway is assigned to a Provisioning Profile, to use the profile settings select Use profile settings
    • If you do not use SmartProvisioning to manage the date and time settings, select Manage settings locally on the device
    • If you use SmartProvisioning to manage the date and time settings, select Use the following settings
  4. Select Show profile settings to see how the synchronization is configured by the Provisioning Profile.
  5. To synchronize this gateway to the clock of the Security Management Server or Domain Management Server, clear Use Network Time Protocol (NTP) to synchronize the clock.
  6. If you select Use Network Time Protocol (NTP) to synchronize the clock, enter these settings:
    • Enter the IP address of the Primary NTP Server, and if available, the Secondary NTP Server
    • Select the Time Zone
  7. Click OK.

    The changes you made here will affect the selected gateway, overriding the settings configured for the gateway by the referenced Provisioning Profile.

  8. To apply these settings to the gateway, select Actions > Push Policy.

Configuring Routing for UTM-1 Edge Gateways

You can manage the valid routes of the individual gateway, or view how they are managed centrally with a Provisioning Profile.

To add a route to the gateway's routing table:

  1. From the Devices pane, double-click the UTM-1 Edge gateway.

    The window opens and shows the General tab.

  2. Click the Routing tab.
    • If the gateway has an assigned Provisioning Profile, select Use profile settings to leave the profile configuration as-is. (If the gateway does not have a Provisioning Profile, this option is not available.)
    • If you want to manage the settings on the device, preventing changes in SmartProvisioning from affecting the device, select Manage settings locally on the device.
    • If you want to configure settings through SmartProvisioning, overriding the profile and the local settings, select Use the following settings.

    If Use the following settings is selected, the Routing table and controls are available.

  3. Click Add.
  4. Provide the required data to configure the new route on the selected gateway:
    • Source IP: Source IP address (for example, this gateway's IP address; or the IP address of a source behind the gateway).
    • Source Mask: Net mask of the source network.
    • Destination IP Address: Destination IP address for this route (for example, the IP address of the CO gateway or the Security Management Server or Domain Management Server).
    • Destination Netmask: Net mask of the destination network.
    • Service: From the drop-down list, select ANY or a specific service that is to be allowed along with the route.
    • Next Hop IP or network: IP address of the closest router or default gateway.
    • Metric: Distance in hops to the destination. Make sure this is as accurate as possible, to avoid looped or dropped traffic.
  5. Click OK.

    The changes made here will affect the selected gateway, overriding the settings configured for the gateway by the referenced Provisioning Profile.

    To apply these settings to the gateway, select Actions > Push Policy.
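Because a wrong mask or metric only shows up after Push Policy as looped or dropped traffic, route entries can be checked before they are typed into the Routing tab. The following is an added example, not Check Point code: the dictionary keys, the function names and the sample routes are assumptions made for illustration, and the next hop is assumed to be a single IPv4 address.

```python
import ipaddress

def parse_net(ip, mask, label, problems):
    """Return the IPv4Network for ip/mask and record findings; None if unusable."""
    try:
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    except ValueError as exc:  # malformed address or non-contiguous mask
        problems.append(f"{label}: {exc}")
        return None
    if str(net.netmask) != mask:  # ipaddress also accepts host masks and prefix lengths
        problems.append(f"{label}: mask {mask} is not a dotted network mask")
    if ipaddress.IPv4Address(ip) != net.network_address:
        problems.append(f"{label}: {ip} has host bits set, network is {net}")
    return net

def check_routes(routes):
    """Return {route index: [findings]} for the entries that need attention."""
    findings, seen = {}, {}
    for i, r in enumerate(routes):
        problems = []
        src = parse_net(r["source_ip"], r["source_mask"], "source", problems)
        dst = parse_net(r["dest_ip"], r["dest_mask"], "destination", problems)
        try:
            hop = ipaddress.IPv4Address(r["next_hop"])
            if hop.is_unspecified or hop.is_multicast or hop.is_loopback:
                problems.append(f"next hop {hop} is not a router address")
        except ValueError as exc:
            problems.append(f"next hop: {exc}")
        if not isinstance(r["metric"], int) or r["metric"] < 0:
            problems.append(f"metric {r['metric']!r} is not a hop count")
        key = (src, dst, r["service"], r["metric"])
        if src is not None and dst is not None:
            if key in seen:  # identical match and metric: the two entries compete
                problems.append(f"same match and metric as route {seen[key]}")
            seen.setdefault(key, i)
        if problems:
            findings[i] = problems
    return findings

def route(src, smask, dst, dmask, hop, metric, service="ANY"):
    return {"source_ip": src, "source_mask": smask, "dest_ip": dst,
            "dest_mask": dmask, "service": service, "next_hop": hop, "metric": metric}

ROUTES = [  # constructed sample entries (hypothetical key names), not from a real gateway
    route("192.168.10.0", "255.255.255.0", "10.20.0.0", "255.255.0.0", "192.168.10.1", 1),
    route("192.168.10.0", "255.255.255.0", "10.30.0.5", "255.255.0.0", "192.168.10.1", 1),
    route("192.168.10.0", "255.255.255.0", "10.40.0.0", "255.0.255.0", "192.168.10.1", 1),
    route("192.168.10.0", "255.255.255.0", "10.20.0.0", "255.255.0.0", "192.168.10.254", 1),
]
```

Calling `check_routes(ROUTES)` reports the host bits in the second entry, the non-contiguous mask in the third, and the fourth entry competing with the first.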

Configuring RADIUS Server for SmartProvisioning Gateways

You can view and change the RADIUS server configuration for any connected gateway.

To configure a RADIUS server on a gateway:

  1. From the Devices pane, double-click the UTM-1 Edge gateway.

    The window opens and shows the General tab.

  2. Click the RADIUS tab.
  3. Select one of these options:
    • If the gateway is assigned to a Provisioning Profile, to use the profile settings select Use profile settings
    • If you do not use SmartProvisioning to manage the RADIUS server settings, select Manage settings locally on the device
    • If you use SmartProvisioning to manage the RADIUS server settings, select Use the following settings
  4. Select the servers that you want to be the RADIUS servers of this gateway.
  5. If you want to configure the RADIUS server permissions, click Advanced.
  6. From the Administrator Level drop-down list, select the permissions that an administrator on this gateway will have on the RADIUS server.
  7. Select the permissions that you want to assign to users on the network of this gateway, with authentication from the RADIUS server:
    • VPN Remote Access: Select to allow access to the VPN from a remote station, authenticating through the RADIUS server.
    • Web Filtering Override: Select to allow authenticated users to see Web sites that would otherwise be blocked by the RADIUS server configurations.
    • HotSpot access: Select to allow users access to the RADIUS server, and thus to the protected environment, from wireless HotSpot connections.
    • Remote Desktop Access: Select to allow users to access desktops inside the protected environment from a remote station.
  8. Click OK.

    The changes made here will affect the selected gateway, overriding the settings configured for the gateway by the referenced Provisioning Profile.

    To apply these settings to the gateway, select Actions > Push Policy.

Configuring HotSpot for SmartProvisioning Gateways

You can configure a HotSpot for wireless access of the individual UTM-1 Edge gateway, or view how it is managed centrally with a Provisioning Profile.

To configure a HotSpot on a UTM-1 Edge gateway:

  1. From the Devices pane, double-click the UTM-1 Edge gateway.

    The window opens and shows the General tab.

  2. Click the HotSpot tab.
  3. Select one of these options:
    • If the gateway is assigned to a Provisioning Profile, to use the profile settings select Use profile settings
    • If you do not use SmartProvisioning to manage the HotSpot settings, select Manage settings locally on the device
    • If you use SmartProvisioning to manage the HotSpot settings, select Use the following settings
  4. Select Show profile settings to see how the HotSpot is configured by the Provisioning Profile and to be sure that an individual schedule for this gateway is necessary.
  5. Provide the HotSpot Title, which appears as the name of the login window.
  6. In the HotSpot Terms field, specify your organization's terms of use and policies.
  7. If the user should have a valid user name and password to access the HotSpot, select the HotSpot is password-protected check box.
  8. If the password check box is selected, you can select the Allow a user to login from more than one computer at the same time check box; or clear this check box to ensure that any user account is used only once for a login session.
  9. If the HotSpot can be reached only over a secure Internet connection with HTTPS, select the Use HTTPS check box.
  10. In the After login, redirect to URL field, provide the URL that users of this HotSpot should reach after login. For example, this could be the welcome page of your company site, or the home page of your company intranet.
  11. Click OK.

    The changes made here will affect the selected gateway, overriding the settings configured for the gateway by the referenced Provisioning Profile. To apply these settings to the gateway, select Actions > Push Policy.
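The three options on the HotSpot tab decide which settings a gateway actually runs, so a review has to resolve them first. The following is an added example, not Check Point code: it resolves the effective HotSpot settings per gateway and lists the ones worth a second look. The record layout, key names and sample gateways are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def effective_hotspot(gateway, profiles):
    """Resolve which HotSpot settings apply, following the three options on the tab."""
    mode = gateway["mode"]
    if mode == "local":       # Manage settings locally on the device
        return None           # not set from SmartProvisioning; review on the device
    if mode == "override":    # Use the following settings (overrides the profile)
        return gateway["settings"]
    return profiles[gateway["profile"]]  # Use profile settings

def audit_hotspot(settings):
    """Return review findings for one resolved HotSpot configuration."""
    if settings is None:
        return ["managed locally: review in the UTM-1 Edge Portal"]
    findings = []
    if not settings["password_protected"]:
        findings.append("no user name and password required")
    else:
        if not settings["use_https"]:
            findings.append("password login without HTTPS")
        if settings["allow_multiple_logins"]:
            findings.append("one account may log in from several computers")
    url = urlsplit(settings["redirect_url"])
    if url.scheme not in ("http", "https") or not url.hostname:
        findings.append("redirect URL is not an absolute http(s) URL")
    elif url.username or url.password:
        findings.append("redirect URL embeds credentials")
    return findings

def audit_fleet(gateways, profiles):
    """Map each gateway name to the findings for its effective settings."""
    return {g["name"]: audit_hotspot(effective_hotspot(g, profiles)) for g in gateways}

# Constructed sample data (hypothetical names and keys).
PROFILES = {"branch": {"password_protected": True, "use_https": True,
                       "allow_multiple_logins": False,
                       "redirect_url": "https://intranet.example.com/welcome"}}
GATEWAYS = [
    {"name": "edge-01", "mode": "profile", "profile": "branch"},
    {"name": "edge-02", "mode": "override", "profile": "branch",
     "settings": {"password_protected": True, "use_https": False,
                  "allow_multiple_logins": True, "redirect_url": "intranet.example.com"}},
    {"name": "edge-03", "mode": "local", "profile": "branch"},
]
```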

 
©2014 Check Point Software Technologies Ltd. All rights reserved.