Managing Gateways

A Security Gateway enforces security policies configured on the Security Management Server.

Creating a New Security Gateway

A Security Gateway enforces security policies configured on the Security Management Server.

To install security policies on the Security Gateways, configure the gateway objects in SmartConsole.

To define a new Security Gateway object:

1. From the navigation toolbar, select Gateways & Servers.
2. Click New, and select Gateway.

   The Check Point Security Gateway Creation window opens.

3. Click Classic Mode.

   The Check Point Gateway properties window opens and shows the General Properties screen.

4. Enter the host Name and the IPv4 Address or IPv6 Address.
5. Click Communication.

   The Trusted Communication window opens.

6. Select a Platform.
7. In the Authentication section, enter and confirm the One-time password.

   If you selected Small Office Appliance platform, make sure Initiate trusted communication automatically when the Gateway connects to the Security Management Server for the first time is selected.

8. Click Initialize to establish trusted communication with the gateway.

   If trust fails to establish, click OK to continue configuring the gateway.

9. Click OK.
10. The Get Topology Results window that opens, shows interfaces successfully configured on the gateway.
11. Click Close.
12. In the Platform section, select the Hardware, the Version, and the OS.

    If trust is established between the server and the gateway, click Get to automatically retrieve the information from the gateway.

13. Select the Software Blades to enable on the Security Gateway.

    For some of the Software Blades a first-time setup wizard will open. You can run the wizard now or later. For more on the setup wizards, see the relevant Administration Guide.

Updating the Gateway Topology

As the network changes, you must update the gateway topology.

To update the gateway topology:

1. In SmartConsole, click Gateways & Servers.
2. Double-click the gateway object.

   The gateway property window opens.

3. Click Network Management.
4. Double-click an interface.
5. In the window that opens, under Topology, click Modify.
6. Click OK.

Secure Internal Communication (SIC)

Check Point platforms and products authenticate each other through one of these Secure Internal Communication (SIC) methods:

• Certificates.
• Standards-based TLS 1.2 for the creation of secure channels.
• 3DES or AES128 for encryption.

  Gateways above R71 use AES128 for SIC. If one of the gateways is below R71, the gateways use 3DES. The strongest common cypher is used.

SIC creates trusted connections between gateways, management servers and other Check Point components. Trust is required to install polices on gateways and to send logs between gateways and management servers.

Initializing Trust

To establish the initial trust, a gateway and a Security Management Server use a one-time password. After the initial trust is established, further communication is based on security certificates.

Note - Make sure the clocks of the gateway and Security Management Server are synchronized, before you initialize trust between them. This is necessary for SIC to succeed. To set the time settings of the gateway and Security Management Server, go to the Gaia Portal > System Management > Time.

To initialize Trust:

1. In SmartConsole, open the gateway network object.
2. In the General Properties page of the gateway, click Communication.
3. In the Communication window, enter the Activation Key that you created during installation of the gateway.
4. Click Initialize.

   The ICA signs and issues a certificate to the gateway.

   Trust state is Initialized but not trusted. The Internal Certificate Authority (ICA) issues a certificate for the gateway, but does not yet deliver it.

   The two communicating peers authenticate over SSL with the shared Activation Key. The certificate is downloaded securely and stored on the gateway. The Activation Key is deleted.

   The gateway can communicate with Check Point hosts that have a security certificate signed by the same ICA.

SIC Status

After the gateway receives the certificate issued by the ICA, the SIC status shows if the Security Management Server can communicate securely with this gateway:

• Communicating - The secure communication is established.
• Unknown - There is no connection between the gateway and Security Management Server.
• Not Communicating - The Security Management Server can contact the gateway, but cannot establish SIC. A message shows more information.

Trust State

If the Trust State is compromised (keys were leaked, certificates were lost) or objects changed (user leaves, open server upgraded to appliance), reset the Trust State. When you reset Trust, the SIC certificate is revoked.

The Certificate Revocation List (CRL) is updated for the serial number of the revoked certificate. The ICA signs the updated CRL and issues it to all gateways during the next SIC connection. If two gateways have different CRLs, they cannot authenticate.

1. In SmartConsole, open the General Properties window of the gateway.
2. Click Communication.
3. In the Trusted Communication window that opens, click Reset.
4. Install Policy on the gateways.

   This deploys the updated CRL to all gateways. If you do not have a Rule Base (and therefore cannot install a policy), you can reset Trust on the gateways.

   Important - Before a new trust can be established in SmartConsole, make sure the same one-time activation password is configured on the gateway.

To establish a new trust state for a gateway:

1. Open the command line interface on the gateway.
2. Enter: cpconfig
3. Enter the number for Secure Internal Communication and press Enter.
4. Enter y to confirm.
5. Enter and confirm the activation key.
6. When done, enter the number for Exit.
7. Wait for Check Point processes to stop and automatically restart.

In SmartConsole:

1. In the General Properties window of the gateway, click Communication.
2. In the Trusted Communication window, enter the one-time password (activation key) that you entered on the gateway.
3. Click Initialize.
4. Wait for the Certificate State field to show Trust established.
5. Click OK.

Troubleshooting SIC

If SIC fails to Initialize:

1. Make sure there is connectivity between the gateway and Security Management Server.
2. Make sure that the Security Management Server and the gateway use the same SIC activation key (one-time password).
3. If the Security Management Server is behind a gateway, make sure there are rules that allow connections between the Security Management Server and the remote gateway. Make sure Anti-spoofing settings are correct.
4. Make sure the name and the IP address of the Security Management Server are in the /etc/hosts file on the gateway.

   If the IP address of the Security Management Server mapped through static NAT by its local gateway, add the public IP address of the Security Management Server to the /etc/hosts file on the remote gateway. Make sure the IP address resolves to the server's hostname.

5. Make sure the date and the time settings of the operating systems are correct. If the Security Management Server and remote the gateway reside in different time zones, the remote gateway may have to wait for the certificate to become valid.
6. Remove the security policy on the gateway to let all the traffic through: In the command line interface of the gateway, type: fw unloadlocal
7. Try to establish SIC again.

Remote User access to resources and Mobile Access

If you install a certificate on a gateway that has the Mobile Access Software Blade already enabled, you must install the policy again. Otherwise, remote users will not be able to reach network resources.

Understanding the Check Point Internal Certificate Authority (ICA)

The ICA (Internal Certificate Authority) is created on the Security Management Server when you configure it for the first time. The ICA issues certificates for authentication:

• Secure Internal Communication (SIC) - Authenticates communication between Security Management Servers, and between gateways and Security Management Servers.
• VPN certificates for gateways - Authentication between members of the VPN community, to create the VPN tunnel.
• Users - For strong methods to authenticate user access according to authorization and permissions.

ICA Clients

In most cases, certificates are handled as part of the object configuration. To control the ICA and certificates in a more granular manner, you can use one of these ICA clients:

• The Check Point configuration utility - This is the cpconfig CLI utility. One of the options creates the ICA, which issues a SIC certificate for the Security Management Server.
• SmartConsole - SIC certificates for Security Gateways and administrators, VPN certificates, and user certificates.
• ICA Management tool - VPN certificates for users and advanced ICA operations.

See audit logs of the ICA in SmartConsole Logs & Monitor > New Tab > Open Audit Logs View.

SIC Certificate Management

Manage SIC certificates in the

• Communication tab of the gateway properties window.
• ICA Management Tool.

Certificates have these configurable attributes:

Attributes	Default	Comments
validity	5 years
key size	2048 bits
KeyUsage	5	Digital Signature and Key encipherment
ExtendedKeyUsage	0 (no KeyUsage)	VPN certificates only

To learn more about key size values, see RSA key lengths.