In This Section: |
A Security Gateway enforces security policies configured on the Security Management Server.
To install security policies on the Security Gateways, configure the gateway objects in SmartConsole.
To define a new Security Gateway object:
The Check Point Security Gateway Creation window opens.
The Check Point Gateway properties window opens and shows the General Properties screen.
The Trusted Communication window opens.
If you selected Small Office Appliance platform, make sure Initiate trusted communication automatically when the Gateway connects to the Security Management Server for the first time is selected.
If trust fails to establish, click OK to continue configuring the gateway.
If trust is established between the server and the gateway, click Get to automatically retrieve the information from the gateway.
For some of the Software Blades a first-time setup wizard will open. You can run the wizard now or later. For more on the setup wizards, see the relevant Administration Guide.
As the network changes, you must update the gateway topology.
To update the gateway topology:
The gateway property window opens.
A warning window asks if you want to overwrite the existing Topology and Anti-spoofing settings.
This feature is supported only for Security Gateways R77.20 and above. Once selected, the range of IP addresses behind the internal interface is automatically calculated every second (default value) without the need for the administrator to click Get Interfaces and install a policy.
To configure dynamic topology updates:
This default update value is configured in SmartConsole > Preferences and set to one second. The value set here applies to all internal interfaces for all gateways in the domain.
To set the update value for a specific interface:
Dynamic Anti-Spoofing
When Anti-Spoofing is selected and you click Get interfaces, the Security Gateway generates a list of valid IP addresses based on the IP address and netmask of the interface and the routes assigned to the interface.
Anti-Spoofing drops packets with a source IP address that does not belong to the network behind the packet’s interface. For example, packets with an internal IP address that comes from an external interface.
When the Network defined by routes option is selected along with Perform Anti-Spoofing based on interface topology, you get Dynamic Anti-Spoofing. The valid IP addresses range is automatically calculated without the administrator having to do click Get Interfaces or install a policy.
Check Point platforms and products authenticate each other through one of these Secure Internal Communication (SIC) methods:
Gateways above R71 use AES128 for SIC. If one of the gateways is below R71, the gateways use 3DES. The strongest common cypher is used.
SIC creates trusted connections between gateways, management servers and other Check Point components. Trust is required to install polices on gateways and to send logs between gateways and management servers.
Note - From R80.20 Jumbo Hotfix Accumulator Take 202, to see SIC errors, check the $CPDIR/log/sic_info.elg file on the Security Management Server and on the Security Gateway.
To establish the initial trust, a gateway and a Security Management Server use a one-time password. After the initial trust is established, further communication is based on security certificates.
Note - Make sure the clocks of the gateway and Security Management Server are synchronized, before you initialize trust between them. This is necessary for SIC to succeed. To set the time settings of the gateway and Security Management Server, go to the Gaia Portal > System Management > Time.
To initialize Trust:
The ICA signs and issues a certificate to the gateway.
Trust state is Initialized but not trusted. The Internal Certificate Authority (ICA) issues a certificate for the gateway, but does not yet deliver it.
The two communicating peers authenticate over SSL with the shared Activation Key. The certificate is downloaded securely and stored on the gateway. The Activation Key is deleted.
The gateway can communicate with Check Point hosts that have a security certificate signed by the same ICA.
After the gateway receives the certificate issued by the ICA, the SIC status shows if the Security Management Server can communicate securely with this gateway:
If the Trust State is compromised (keys were leaked, certificates were lost) or objects changed (user leaves, open server upgraded to appliance), reset the Trust State. When you reset Trust, the SIC certificate is revoked.
The Certificate Revocation List (CRL) is updated for the serial number of the revoked certificate. The ICA signs the updated CRL and issues it to all gateways during the next SIC connection. If two gateways have different CRLs, they cannot authenticate.
This deploys the updated CRL to all gateways. If you do not have a Rule Base (and therefore cannot install a policy), you can reset Trust on the gateways.
Important - Before a new trust can be established in SmartConsole, make sure the same one-time activation password is configured on the gateway.
If SIC fails to Initialize:
/etc/hosts
file on the gateway.If the IP address of the Security Management Server mapped through static NAT by its local gateway, add the public IP address of the Security Management Server to the /etc/hosts
file on the remote gateway. Make sure the IP address resolves to the server's hostname.
fw unloadlocal
Remote User access to resources and Mobile Access
If you install a certificate on a gateway that has the Mobile Access Software Blade already enabled, you must install the policy again. Otherwise, remote users will not be able to reach network resources.
To establish a new trust state for a gateway:
In SmartConsole:
The ICA (Internal Certificate Authority) is created on the Security Management Server when you configure it for the first time. The ICA issues certificates for authentication:
In most cases, certificates are handled as part of the object configuration. To control the ICA and certificates in a more granular manner, you can use one of these ICA clients:
cpconfig
CLI utility. One of the options creates the ICA, which issues a SIC certificate for the Security Management Server.See audit logs of the ICA in SmartConsole Logs & Monitor > New Tab > Open Audit Logs View.
Manage SIC certificates in the
Certificates have these configurable attributes:
Attributes |
Default |
Comments |
---|---|---|
validity |
5 years |
|
key size |
2048 bits |
|
KeyUsage |
5 |
Digital Signature and Key encipherment |
ExtendedKeyUsage |
0 (no KeyUsage) |
VPN certificates only |
To learn more about key size values, see RSA key lengths.
After an administrator runs the First Time Configuration Wizard on a Security Management Server, and the Security Management Server connects to the Internet, it automatically activates its license and synchronizes with the Check Point User Center. If the Security Management Server loses Internet connectivity before the license is activated, it tries again, on an interval.
If the administrator makes changes to Management Software Blade licenses of a Security Management Server in the Check Point User Center, these changes are automatically synchronized with that Security Management Server.
Notes:
To make sure that your environment is synchronized with the User Center, even when the Security Management Server is not connected to the Internet, we recommend that you configure a Check Point server with Internet connectivity as a proxy.
In SmartConsole, you can see this information for most Software Blade licenses:
See the R80.20 Release Notes for a list of supported Software Blades
To configure a proxy on a Check Point server:
CPDIR/tmp/.CPprofile.sh
:cpprof_add HTTP_CLIENT_PROXY_SICNAME "<proxy server sic name>" 0 0
_cpprof_add HTTP_CLIENT_PROXY_IP "<proxy server IP>" 0 0
To view license information:
Step |
Description |
---|---|
1 |
In SmartConsole, from the left navigation panel, click Gateways & Servers. |
2 |
From the Columns drop-down list, select Licenses. |
You can see these columns:
Column |
Description |
---|---|
License Status |
The general state of the Software Blade licenses:
|
CK |
Unique Certificate Key of the license instance. |
SKU |
Catalog ID from the Check Point User Center. |
Account ID |
User's account ID. |
Support Level |
Check Point level of support. |
Support Expiration |
Date when the Check Point support contract expires. |
To view license information for each Software Blade:
Step |
Description |
---|---|
1 |
Select a Security Gateway or a Security Management Server. |
2 |
In the Summary tab below, click the object's License Status (for example: OK). The Device & License Information window opens. It shows basic object information and License Status, license Expiration Date, and important quota information (in the Additional Info column) for each Software Blade. Notes:
|
The possible values for the Software Blade License Status are:
Status |
Description |
---|---|
Active |
The Software Blade is active and the license is valid. |
Available |
The Software Blade is not active, but the license is valid. |
No License |
The Software Blade is active but the license is not valid. |
Expired |
The Software Blade is active, but the license expired. |
About to Expire |
The Software Blade is active, but the license will expire in thirty days (default) or less (7 days or less for an evaluation license). |
Quota Exceeded |
The Software Blade is active, and the license is valid, but the quota of related objects (gateways, files, virtual systems, and so on, depending on the blade) is exceeded. |
Quota Warning |
The Software Blade is active, and the license is valid, but the number of objects of this blade is 90% (default) or more of the licensed quota. |
N/A |
The license information is not available. |