Introduction to SmartProvisioning
Check Point SmartProvisioning
SmartProvisioning lets you manage many gateways from one Security Management Server or Multi-Domain Security Management. SmartProvisioning defines, manages, and provisions (remotely configures) large-scale deployments of Check Point gateways.
The SmartProvisioning management concept is based on profiles: a set of gateway properties and, when relevant, a Security Policy. A profile can be assigned to multiple gateways, so most gateway properties are defined once per Profile object instead of separately for each gateway.
Note - SmartProvisioning is not available for members of a SmartLSM cluster.
Supported Features
SmartProvisioning provides the following features:
- Central management of security policies, gateway provisioning, remote gateway boot, and Dynamic Object value configurations
- Automatic Profile Fetch for large deployment management and provisioning
- All Firewall features supported by DAIP gateways, on both DAIP and static IP address gateways
- Easy creation and maintenance of VPN tunnels between SmartLSM Security Gateways and CO gateways, including generation of IKE certificates for VPN, from third-party CA Servers or Check Point CA.
- Automatic calculation of anti-spoofing information for SmartLSM Security Gateways
- Tracking logs for gateways based on unique, static IDs, with local logging to reduce the logging load
- High level and in-depth status monitoring
- Complete management of licenses and packages, Client Authentication, Session Authentication and User Authentication
- Command Line Interface to manage SmartLSM Security Gateways
- Support for Check Point 1100 Appliances and Security Gateway 80 devices
SmartProvisioning Objects
SmartProvisioning manages SmartLSM Security Gateways and enables provisioning management for Check Point gateways.
Gateways
SmartProvisioning manages and provisions different types of gateways.
- SmartLSM Security Gateways: Remote gateways that provide firewall security to local networks, while their security policies are managed from a central Security Management Server or Domain Management Server. By defining remote gateways through SmartLSM Security Profiles, a single system administrator or a small team can manage the security of all your networks.
- CO Gateways: Standard Security Gateways that act as central Corporate Office headquarters for the SmartLSM Security Gateways. The CO gateway is the hub of a Star VPN, where the satellites are SmartLSM Security Gateways. The CO gateway has a static IP address, ensuring continued communications with SmartLSM Security Gateways that have dynamic IP addresses.
- Provisioned Gateways: SmartProvisioning can provision the Operating System and network settings of gateways, such as DNS and interface routing, which makes management of large deployment sites more efficient.
Note - You cannot use SmartProvisioning with externally managed gateways.
Profiles
SmartProvisioning uses different types of profiles to manage and provision the gateways.
- SmartLSM Security Profiles: A SmartLSM Security Profile defines a Check Point Security Policy and other security-based settings for a type of SmartLSM Security Gateway. Each SmartLSM Security Profile can hold the configuration of any number of actual SmartLSM Security Gateways. SmartLSM Security Gateways must have a SmartLSM Security Profile; however, these profiles are not relevant for CO gateways or Provisioned gateways. SmartLSM Security Profiles are defined and managed through Check Point SmartDashboard.
- Provisioning Profiles: A Provisioning Profile defines specific settings for networking, device management, and the operating system. CO gateways, SmartLSM Security Gateways, and regular gateways may have Provisioning Profiles if they are Check Point supported Security Gateways, Check Point 1100 Appliances, or UTM-1 Edge devices. Provisioning Profiles are defined and managed in SmartProvisioning. The options and features available in a Provisioning Profile differ according to the device platform.
Profile Fetching
All gateways managed by SmartProvisioning fetch their assigned profiles from the Security Management Server or Domain Management Server. You define the SmartLSM Security Profiles on SmartDashboard, preparing the security policies on the Security Management Server or Domain Management Server. You define Provisioning Profiles on SmartProvisioning, preparing the gateway settings on the SmartProvisioning database. Neither definition procedure pushes the profile to any specific gateway.
Managed gateways fetch their profiles periodically. Each gateway randomly chooses a time slot within the fetch interval.
When a fetched profile differs from the previous profile, the gateway is updated with the changes. Updated Security Management Server/Domain Management Server security policies are automatically installed on SmartLSM Security Gateways, and gateways with Provisioning Profiles are updated with management changes.
In addition to the profile settings, the specific properties of each gateway are used to localize the profile changes for that gateway. Thus, one profile can update hundreds or thousands of gateways, each acquiring the new common properties while keeping its own local settings.
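The fetch mechanism described above, modeled as an added Python example (not Check Point's code): one common profile is overlaid with each gateway's own local settings, a gateway applies only the keys that differ from what it already runs, and each gateway picks a random slot within the fetch interval. The profile and gateway field names, addresses and interval are constructed assumptions, not the product's schema.

```python
import random

# Constructed sample data (assumed field names, not Check Point's schema):
# two versions of a shared Provisioning Profile and the local settings of
# two gateways that must survive every profile update.
PROFILE_V1 = {"dns": ["10.0.0.53"], "ntp": "10.0.0.123", "log_local": True}
PROFILE_V2 = {"dns": ["10.0.0.53", "10.0.1.53"], "ntp": "10.0.0.123", "log_local": True}

GATEWAYS = {
    "branch-01": {"hostname": "branch-01", "eth0_ip": "192.0.2.10/24"},
    "branch-02": {"hostname": "branch-02", "eth0_ip": "198.51.100.7/24"},
}


def localize(profile, local):
    """Overlay the gateway's own properties on the common profile.
    Local keys win, so a profile change never overwrites per-gateway settings."""
    merged = dict(profile)
    merged.update(local)
    return merged


def diff(applied, fetched):
    """Return only the keys whose values changed: the part of a fetched
    profile the gateway has to apply when it differs from the previous one."""
    return {k: v for k, v in fetched.items() if applied.get(k) != v}


def fetch_slot(interval_s, seed=None):
    """Pick a random offset inside the fetch interval so that many gateways
    do not all contact the management server at the same moment."""
    return random.Random(seed).uniform(0, interval_s)


def fetch_cycle(gateways, applied, profile):
    """One fetch round over all gateways. 'applied' holds the configuration
    each gateway currently runs and is updated in place; the returned dict
    maps each gateway to the changes it applied (empty if nothing changed)."""
    changes = {}
    for name, local in gateways.items():
        target = localize(profile, local)
        delta = diff(applied.get(name, {}), target)
        if delta:
            applied[name] = target
        changes[name] = delta
    return changes
```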
VPNs and SmartLSM Security Gateways
This section explains how your SmartLSM Security Gateways in a virtual private network (VPN) secure communications within your organization.
SmartProvisioning supports the inclusion of SmartLSM Security Profile objects as members in Star VPN Communities (as satellites), and in Remote Access communities (as centers). When a Star VPN Community contains a SmartProvisioning SmartLSM Security Profile object as a satellite, the settings apply both to the Corporate Office (CO) gateway and to the SmartLSM Security Gateways.
A VPN tunnel can be established from a SmartLSM Security Gateway to a regular, static IP address CO gateway (similar to the way that DAIP gateways establish VPN tunnels to static IP gateways). A CO gateway recognizes and authenticates an incoming VPN tunnel as a tunnel from a SmartLSM Security Gateway, using the IKE Certificate of the SmartLSM Security Gateway. The CO gateway treats the peer SmartLSM Security Gateway as if it were a regular DAIP gateway, whose properties are defined by the SmartLSM Security Profile to which the SmartLSM Security Gateway is mapped. A CO gateway can also initiate a VPN tunnel to a SmartLSM Security Gateway.
You can establish VPN tunneling for SmartLSM-to-SmartLSM, or SmartLSM-to-other gateway configurations, through the CO gateway.