Managing Gateways

In This Section:

Creating a New Security Gateway

Manually Updating the Gateway Topology

Dynamically Updating the Topology

Secure Internal Communication (SIC)

Managing Software Blade Licenses

Enabling Gateways to Access Servers at their NATed IP Addresses

Creating a New Security Gateway

A Security Gateway enforces security policies configured on the Security Management Server.

To install security policies on the Security Gateways, configure the gateway objects in SmartConsole.

To define a new Security Gateway object:

  1. From the navigation toolbar, select Gateways & Servers.
  2. Click New, and select Gateway.

    The Check Point Security Gateway Creation window opens.

  3. Click Classic Mode.

    The Check Point Gateway properties window opens and shows the General Properties screen.

  4. Enter the host Name and the IPv4 Address or IPv6 Address.
  5. Click Communication.

    The Trusted Communication window opens.

  6. Select a Platform.
  7. In the Authentication section, enter and confirm the One-time password.

    If you selected Small Office Appliance platform, make sure Initiate trusted communication automatically when the Gateway connects to the Security Management Server for the first time is selected.

  8. Click Initialize to establish trusted communication with the gateway.

    If trust fails to establish, click OK to continue configuring the gateway.

  9. Click OK.
  10. The Get Topology Results window opens and shows the interfaces that were successfully configured on the gateway.
  11. Click Close.
  12. In the Platform section, select the Hardware, the Version, and the OS.

    If trust is established between the server and the gateway, click Get to automatically retrieve the information from the gateway.

  13. Select the Software Blades to enable on the Security Gateway.

    For some Software Blades, a first-time setup wizard opens. You can run the wizard now or later. For more on the setup wizards, see the relevant Administration Guide.

Manually Updating the Gateway Topology

As the network changes, you must update the gateway topology.

To update the gateway topology:

  1. In SmartConsole, click Gateways & Servers.
  2. Double-click the gateway object.

    The gateway property window opens.

  3. Click Network Management.
  4. Click Get Interfaces.

    A warning window asks if you want to overwrite the existing Topology and Anti-spoofing settings.

  5. Click Yes.
  6. The Get Topology Results window opens.
  7. Click Accept.
  8. Click OK.

Dynamically Updating the Topology

This feature is supported only for Security Gateways R77.20 and above. When it is selected, the range of IP addresses behind the internal interface is recalculated automatically every second (default value), without the administrator having to click Get Interfaces or install a policy.

To configure dynamic topology updates:

  1. Open Gateway Properties > Network Management.
  2. Select an interface and click Edit.
  3. In the Topology section, click Modify.
  4. In the Leads To section, select Network defined by routes.
  5. Click OK.

This default update value is configured in SmartConsole > Preferences and set to one second. The value set here applies to all internal interfaces for all gateways in the domain.

To set the update value for a specific interface:

  1. Open Gateway Properties > Network Management.
  2. Select an interface and click Actions > Settings.
  3. Select Use custom update time (seconds) and set the desired update time.
  4. Click OK.

Dynamic Anti-Spoofing

When Anti-Spoofing is selected and you click Get Interfaces, the Security Gateway generates a list of valid IP addresses based on the IP address and netmask of the interface and the routes assigned to the interface.

Anti-Spoofing drops packets with a source IP address that does not belong to the network behind the interface on which the packet arrived. For example, it drops packets with an internal source IP address that arrive on an external interface.

When the Network defined by routes option is selected together with Perform Anti-Spoofing based on interface topology, you get Dynamic Anti-Spoofing. The range of valid IP addresses is calculated automatically, without the administrator having to click Get Interfaces or install a policy.
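The following is an added example, not code from the guide or from Check Point: a small Python model of the topology calculation described above. It derives the valid source addresses of each internal interface from the interface's own address/netmask plus the routes that go through it, treats an external interface as accepting anything not behind an internal interface (the model used here for "leads out to the Internet"), and shows that adding a route and rebuilding the topology, which is what the periodic dynamic update does, changes the verdict without any Get Interfaces click. The interface names, addresses and packets are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass
class Interface:
    """One gateway interface as the topology sees it (constructed model, not a
    Check Point API): its own address/netmask and the routes that go through it."""
    name: str
    address: str                                  # address with prefix, e.g. "10.1.1.1/24"
    routes: list = field(default_factory=list)    # networks routed via this interface
    external: bool = False                        # leads out to the Internet


def valid_sources(iface):
    """Valid source addresses behind an internal interface: the interface's own
    network plus every network routed through it (Network defined by routes)."""
    nets = [ipaddress.ip_network(iface.address, strict=False)]
    nets += [ipaddress.ip_network(r) for r in iface.routes]
    return list(ipaddress.collapse_addresses(nets))


def build_topology(interfaces):
    """Recompute the whole topology from the current interface data. None marks an
    external interface, whose valid sources are everything not behind an internal one."""
    return {i.name: (None if i.external else valid_sources(i)) for i in interfaces}


def anti_spoofing_verdict(topology, iface_name, src_ip):
    """Accept or drop a packet by the interface it arrived on and its source address."""
    src = ipaddress.ip_address(src_ip)
    allowed = topology[iface_name]
    if allowed is None:
        # External interface: drop only sources that belong behind an internal interface.
        for name, nets in topology.items():
            if nets is not None and any(src in n for n in nets):
                return f"drop: address behind {name} arrived on external {iface_name}"
        return "accept"
    if any(src in n for n in allowed):
        return "accept"
    return f"drop: source not behind {iface_name}"


def verdicts(interfaces, packets):
    """Evaluate (interface, source IP) pairs against a freshly built topology."""
    topology = build_topology(interfaces)
    return [anti_spoofing_verdict(topology, name, src) for name, src in packets]


def add_route(interfaces, iface_name, network):
    """Return a new interface list with `network` now routed via `iface_name`.
    Rebuilding the topology from it is what the periodic dynamic update does,
    with no Get Interfaces click and no policy install."""
    return [replace(i, routes=i.routes + [network]) if i.name == iface_name else i
            for i in interfaces]


# Constructed sample gateway and traffic (not from any real deployment).
SAMPLE_INTERFACES = [
    Interface("eth0", "203.0.113.2/24", external=True),
    Interface("eth1", "10.1.1.1/24", routes=["10.2.0.0/16"]),
    Interface("eth2", "192.168.10.1/24"),
]
SAMPLE_PACKETS = [
    ("eth1", "10.1.1.50"),     # directly connected internal host
    ("eth1", "10.2.7.9"),      # reached through a route on eth1
    ("eth0", "10.1.1.50"),     # internal address arriving from outside: spoofed
    ("eth1", "10.3.5.5"),      # network not (yet) routed via eth1
    ("eth0", "198.51.100.8"),  # ordinary Internet source
]

if __name__ == "__main__":
    for pkt, v in zip(SAMPLE_PACKETS, verdicts(SAMPLE_INTERFACES, SAMPLE_PACKETS)):
        print(pkt, "->", v)
    # A new route appears on eth1; the next recalculation accepts 10.3.5.5 on eth1.
    updated = add_route(SAMPLE_INTERFACES, "eth1", "10.3.0.0/16")
    print(verdicts(updated, [("eth1", "10.3.5.5")]))
```

The last two lines are the point of the dynamic mode: the route table changed, the topology was rebuilt from it, and the packet that was previously dropped as spoofed is now accepted, with no administrator action in between.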

Secure Internal Communication (SIC)

Check Point platforms and products authenticate each other through one of these Secure Internal Communication (SIC) methods:

SIC creates trusted connections between gateways, management servers and other Check Point components. Trust is required to install policies on gateways and to send logs between gateways and management servers.

Note - From R80.20 Jumbo Hotfix Accumulator Take 202, to see SIC errors, check the $CPDIR/log/sic_info.elg file on the Security Management Server and on the Security Gateway.

Initializing Trust

To establish the initial trust, a gateway and a Security Management Server use a one-time password. After the initial trust is established, further communication is based on security certificates.

Note - Make sure the clocks of the gateway and Security Management Server are synchronized before you initialize trust between them. This is necessary for SIC to succeed. To set the time settings of the gateway and Security Management Server, go to the Gaia Portal > System Management > Time.

To initialize Trust:

  1. In SmartConsole, open the gateway network object.
  2. In the General Properties page of the gateway, click Communication.
  3. In the Communication window, enter the Activation Key that you created during installation of the gateway.
  4. Click Initialize.

    The ICA signs and issues a certificate to the gateway.

    Trust state is Initialized but not trusted. The Internal Certificate Authority (ICA) issues a certificate for the gateway, but does not yet deliver it.

    The two communicating peers authenticate over SSL with the shared Activation Key. The certificate is downloaded securely and stored on the gateway. The Activation Key is deleted.

    The gateway can communicate with Check Point hosts that have a security certificate signed by the same ICA.

SIC Status

After the gateway receives the certificate issued by the ICA, the SIC status shows if the Security Management Server can communicate securely with this gateway:

Trust State

If the Trust State is compromised (keys were leaked, certificates were lost) or objects changed (user leaves, open server upgraded to appliance), reset the Trust State. When you reset Trust, the SIC certificate is revoked.

The Certificate Revocation List (CRL) is updated for the serial number of the revoked certificate. The ICA signs the updated CRL and issues it to all gateways during the next SIC connection. If two gateways have different CRLs, they cannot authenticate.

  1. In SmartConsole, open the General Properties window of the gateway.
  2. Click Communication.
  3. In the Trusted Communication window that opens, click Reset.
  4. Install Policy on the gateways.

    This deploys the updated CRL to all gateways. If you do not have a Rule Base (and therefore cannot install a policy), you can reset Trust on the gateways.

    Important - Before a new trust can be established in SmartConsole, make sure the same one-time activation password is configured on the gateway.

Troubleshooting SIC

If SIC fails to Initialize:

  1. Make sure there is connectivity between the gateway and Security Management Server.
  2. Make sure that the Security Management Server and the gateway use the same SIC activation key (one-time password).
  3. If the Security Management Server is behind a gateway, make sure there are rules that allow connections between the Security Management Server and the remote gateway. Make sure Anti-spoofing settings are correct.
  4. Make sure the name and the IP address of the Security Management Server are in the /etc/hosts file on the gateway.

    If the IP address of the Security Management Server is mapped through static NAT by its local gateway, add the public IP address of the Security Management Server to the /etc/hosts file on the remote gateway. Make sure the IP address resolves to the server's hostname.

  5. Make sure the date and time settings of the operating systems are correct. If the Security Management Server and the remote gateway reside in different time zones, the remote gateway may have to wait for the certificate to become valid.
  6. Remove the security policy from the gateway to let all traffic through: in the command line interface of the gateway, type: fw unloadlocal
  7. Try to establish SIC again.
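Steps 4 and 5 of the list above are the two checks that are easy to get wrong silently, so here is an added example (not code from the guide or from Check Point) that performs both on constructed data: it parses an /etc/hosts-style file and verifies that the management server's name resolves to the address the remote gateway actually reaches (the public address when the server is behind static NAT), and it compares a certificate's validity window with a gateway clock that runs behind, which is the "wait for the certificate to become valid" symptom. The hostnames, addresses and timestamps are constructed; the 5-year validity comes from the SIC certificate attribute table later on this page.

```python
from datetime import datetime, timedelta, timezone


def hosts_entries(hosts_text):
    """Parse /etc/hosts-style text into {hostname: ip}. Comments and blank lines
    are skipped; the first entry for a name wins, as the resolver does."""
    mapping = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def check_management_resolution(hosts_text, sms_name, expected_ip):
    """Step 4: the management server's name must resolve on the gateway to the
    address the gateway really reaches, which is the public (NATed) address when
    the server sits behind static NAT."""
    resolved = hosts_entries(hosts_text).get(sms_name.lower())
    if resolved is None:
        return f"FAIL: {sms_name} has no /etc/hosts entry"
    if resolved != expected_ip:
        return f"FAIL: {sms_name} resolves to {resolved}, expected {expected_ip}"
    return "OK"


def certificate_time_status(not_before, not_after, gateway_now):
    """Step 5: compare the certificate's validity window, written by the ICA from
    the management server's clock, with the gateway's own clock. A gateway whose
    clock runs behind sees a just-issued certificate as not yet valid."""
    if gateway_now < not_before:
        return f"not yet valid for {not_before - gateway_now}"
    if gateway_now > not_after:
        return "expired"
    return "valid"


# Constructed /etc/hosts of a remote gateway (example data, not from a real system).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# management server as this remote gateway reaches it: its public, NATed address
198.51.100.10   mgmt-server     # constructed example address
10.0.0.5        backup-server
"""


def run_checks():
    """Constructed scenarios: /etc/hosts lookups for the management server, and a
    gateway whose clock is three hours behind the server that issued the
    certificate. Validity uses the 5-year default from the certificate table."""
    issued = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    expires = issued + timedelta(days=5 * 365)
    return {
        "hosts_public_ip": check_management_resolution(SAMPLE_HOSTS, "mgmt-server", "198.51.100.10"),
        "hosts_private_ip": check_management_resolution(SAMPLE_HOSTS, "mgmt-server", "10.0.0.5"),
        "hosts_missing": check_management_resolution(SAMPLE_HOSTS, "other-mgmt", "198.51.100.10"),
        "cert_synced_clock": certificate_time_status(issued, expires, issued + timedelta(minutes=1)),
        "cert_slow_clock": certificate_time_status(issued, expires, issued - timedelta(hours=3)),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

The "hosts_private_ip" case is the static-NAT mistake: the entry exists and looks correct from inside the data centre, but the remote gateway needs the public address. The "cert_slow_clock" case is why the note in Initializing Trust insists on synchronized clocks before the one-time password is used.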

Remote User access to resources and Mobile Access

If you install a certificate on a gateway that has the Mobile Access Software Blade already enabled, you must install the policy again. Otherwise, remote users will not be able to reach network resources.

To establish a new trust state for a gateway:

  1. Open the command line interface on the gateway.
  2. Enter: cpconfig
  3. Enter the number for Secure Internal Communication and press Enter.
  4. Enter y to confirm.
  5. Enter and confirm the activation key.
  6. When done, enter the number for Exit.
  7. Wait for Check Point processes to stop and automatically restart.

In SmartConsole:

  1. In the General Properties window of the gateway, click Communication.
  2. In the Trusted Communication window, enter the one-time password (activation key) that you entered on the gateway.
  3. Click Initialize.
  4. Wait for the Certificate State field to show Trust established.
  5. Click OK.

Understanding the Check Point Internal Certificate Authority (ICA)

The ICA (Internal Certificate Authority) is created on the Security Management Server when you configure it for the first time. The ICA issues certificates for authentication:

ICA Clients

In most cases, certificates are handled as part of the object configuration. To control the ICA and certificates in a more granular manner, you can use one of these ICA clients:

See audit logs of the ICA in SmartConsole Logs & Monitor > New Tab > Open Audit Logs View.

SIC Certificate Management

Manage SIC certificates in the

Certificates have these configurable attributes:

Attribute          Default           Comments
validity           5 years
key size           2048 bits
KeyUsage           5                 Digital Signature and Key encipherment
ExtendedKeyUsage   0 (no KeyUsage)   VPN certificates only

To learn more about key size values, see RSA key lengths.

Managing Software Blade Licenses

After an administrator runs the First Time Configuration Wizard on a Security Management Server, and the Security Management Server connects to the Internet, it automatically activates its license and synchronizes with the Check Point User Center. If the Security Management Server loses Internet connectivity before the license is activated, it retries at an interval.

If the administrator makes changes to Management Software Blade licenses of a Security Management Server in the Check Point User Center, these changes are automatically synchronized with that Security Management Server.

Notes:

To make sure that your environment is synchronized with the User Center, even when the Security Management Server is not connected to the Internet, we recommend that you configure a Check Point server with Internet connectivity as a proxy.

In SmartConsole, you can see this information for most Software Blade licenses:

See the R80.20 Release Notes for a list of supported Software Blades.

Configuring a Proxy gateway

To configure a proxy on a Check Point server:

  1. On the Security Management Server, add these lines to $CPDIR/tmp/.CPprofile.sh:
    • _cpprof_add HTTP_CLIENT_PROXY_SICNAME "<proxy server sic name>" 0 0
    • _cpprof_add HTTP_CLIENT_PROXY_IP "<proxy server IP>" 0 0
  2. Reboot the Security Management Server.

Viewing Licenses in SmartConsole

To view license information:

  1. In SmartConsole, from the left navigation panel, click Gateways & Servers.
  2. From the Columns drop-down list, select Licenses.

You can see these columns:

  • License Status - The general state of the Software Blade licenses:
      • OK - All the blade licenses are valid.
      • Not Activated - Blade licenses are not installed. This status is only possible in the first 15 days after SIC is established with the Security Management Server. After the initial 15 days, the absence of licenses results in the blade error message.
      • Error with <number> blade(s) - The specified number of blade licenses are not installed or not valid.
      • Warning with <number> blade(s) - The specified number of blade licenses have warnings.
      • N/A - No information available.
  • CK - Unique Certificate Key of the license instance.
  • SKU - Catalog ID from the Check Point User Center.
  • Account ID - User's account ID.
  • Support Level - Check Point level of support.
  • Support Expiration - Date when the Check Point support contract expires.

To view license information for each Software Blade:

  1. Select a Security Gateway or a Security Management Server.
  2. In the Summary tab below, click the object's License Status (for example: OK).

    The Device & License Information window opens. It shows basic object information and, for each Software Blade, the License Status, the license Expiration Date, and important quota information (in the Additional Info column).

Notes:

  • Quota information, quota-dependent license statuses, and blade information messages are only supported for R80.
  • The tooltip of the SKU is the product name.

The possible values for the Software Blade License Status are:

  • Active - The Software Blade is active and the license is valid.
  • Available - The Software Blade is not active, but the license is valid.
  • No License - The Software Blade is active but the license is not valid.
  • Expired - The Software Blade is active, but the license expired.
  • About to Expire - The Software Blade is active, but the license will expire in thirty days (default) or less (7 days or less for an evaluation license).
  • Quota Exceeded - The Software Blade is active, and the license is valid, but the quota of related objects (gateways, files, virtual systems, and so on, depending on the blade) is exceeded.
  • Quota Warning - The Software Blade is active, and the license is valid, but the number of objects of this blade is 90% (default) or more of the licensed quota.
  • N/A - The license information is not available.
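The two status tables above (the gateway-level License Status column and the per-blade Software Blade License Status values) are straightforward to turn into a monitoring check. The following is an added example, not code from the guide or from Check Point: it maps a blade's facts (active, license valid, expiration date, evaluation or not, objects used against quota) onto the documented blade statuses using the documented thresholds (30 days, 7 days for evaluation, 90% of quota, 15-day grace period after SIC), then aggregates the blade statuses into the gateway-level value. The guide does not say which status wins when several apply, nor which statuses count as errors versus warnings; the order used here (Expired before About to Expire, Quota Exceeded before Quota Warning; No License, Expired and Quota Exceeded as errors, About to Expire and Quota Warning as warnings) is an assumption of this example, as are all blade names and dates.

```python
from datetime import date, timedelta

# Thresholds taken from the status descriptions on this page.
ABOUT_TO_EXPIRE_DAYS = 30        # default "About to Expire" window
EVAL_ABOUT_TO_EXPIRE_DAYS = 7    # window for an evaluation license
QUOTA_WARNING_RATIO = 0.90       # default "Quota Warning" threshold
NOT_ACTIVATED_GRACE_DAYS = 15    # days after SIC in which "Not Activated" is possible

# Assumption of this example: which blade statuses count as errors and warnings.
ERROR_STATUSES = {"No License", "Expired", "Quota Exceeded"}
WARNING_STATUSES = {"About to Expire", "Quota Warning"}


def blade_status(active, license_valid, expires, today, evaluation=False, used=0, quota=None):
    """Map one Software Blade's facts onto the documented per-blade status values.
    license_valid=None means no license information at all."""
    if license_valid is None:
        return "N/A"
    if not active:
        # The table defines "Available" only for an inactive blade with a valid
        # license; an inactive blade without one is treated as N/A here (assumption).
        return "Available" if license_valid else "N/A"
    if not license_valid:
        return "No License"
    if expires is not None:
        if expires < today:
            return "Expired"
        window = EVAL_ABOUT_TO_EXPIRE_DAYS if evaluation else ABOUT_TO_EXPIRE_DAYS
        if (expires - today).days <= window:
            return "About to Expire"
    if quota:
        if used > quota:
            return "Quota Exceeded"
        if used >= QUOTA_WARNING_RATIO * quota:
            return "Quota Warning"
    return "Active"


def gateway_license_status(statuses, sic_established, today):
    """Aggregate per-blade statuses into the Gateways & Servers License Status column."""
    if statuses and all(s == "N/A" for s in statuses):
        return "N/A"
    # No blade licenses installed at all: "Not Activated" only inside the grace period.
    if statuses and all(s == "No License" for s in statuses) \
            and (today - sic_established).days <= NOT_ACTIVATED_GRACE_DAYS:
        return "Not Activated"
    errors = sum(s in ERROR_STATUSES for s in statuses)
    warnings = sum(s in WARNING_STATUSES for s in statuses)
    if errors:
        return f"Error with {errors} blade(s)"
    if warnings:
        return f"Warning with {warnings} blade(s)"
    return "OK"


TODAY = date(2024, 6, 1)   # constructed reference date for the sample


def in_days(n):
    """Date n days from the constructed reference date (negative n is in the past)."""
    return TODAY + timedelta(days=n)


def run_sample():
    """Constructed gateway with a mix of blade states, plus two gateways that have
    no blade licenses 10 and 40 days after SIC was established."""
    blades = {
        "Firewall": blade_status(True, True, in_days(400), TODAY),
        "IPS": blade_status(True, True, in_days(20), TODAY),
        "Anti-Bot (eval)": blade_status(True, True, in_days(20), TODAY, evaluation=True),
        "Mobile Access": blade_status(True, True, in_days(300), TODAY, used=95, quota=100),
        "VSX": blade_status(True, True, in_days(300), TODAY, used=12, quota=10),
        "URL Filtering": blade_status(False, True, in_days(300), TODAY),
        "Threat Emulation": blade_status(True, False, None, TODAY),
    }
    return {
        "blades": blades,
        "gateway": gateway_license_status(list(blades.values()), in_days(-100), TODAY),
        "fresh_gateway": gateway_license_status(["No License"] * 3, in_days(-10), TODAY),
        "stale_gateway": gateway_license_status(["No License"] * 3, in_days(-40), TODAY),
    }


if __name__ == "__main__":
    result = run_sample()
    for blade, status in result["blades"].items():
        print(f"{blade}: {status}")
    print("Gateway:", result["gateway"])
    print("10 days after SIC, no licenses:", result["fresh_gateway"])
    print("40 days after SIC, no licenses:", result["stale_gateway"])
```

Run periodically against the values exported from the Device & License Information window, a check like this turns the 15-day and 30-day windows in the tables into an alert before the gateway flips from Not Activated or Warning to Error.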