Using Profiles to Provision Gateways

In This Section:

Provisioning Overview

Creating Provisioning Profiles

Configuring Provisioning Profile Settings

Security Gateway Provisioning

UTM-1 Edge Gateway Provisioning

Assigning Provisioning Profiles to Gateways

Provisioning Overview

With SmartProvisioning, you can use a Provisioning Profile to configure the same settings on similar devices. A Provisioning Profile can provision any or all of the network configurations. You can determine which settings are provisioned and which are set up locally.

After you create a Provisioning Profile, assign it to the applicable gateways. When each gateway device fetches its Provisioning Profile, the device's configuration is updated with the settings in the profile.

For example, you can create a Provisioning Profile for a number of gateways that are in one branch office. They are on the same LAN, therefore you can provision their DNS servers with central management (configure once, set on all). However, this office has multiple domains, so you do not want the Provisioning Profile to determine their domain. You set the Domain settings to local management.

Provisioning Profiles function similarly to SmartLSM Security Profiles. The main differences between Provisioning Profiles and SmartLSM Security Profiles are described in this table:

Provisioning Profiles and SmartLSM Security Profiles

Provides
  Provisioning Profile: Central management of servers, network settings, and so on, of Check Point gateways
  SmartLSM Security Profile: Installation of Security Policy for SmartLSM Security Gateways

Necessary for
  Provisioning Profile: No gateway (provisioning is optional)
  SmartLSM Security Profile: SmartLSM Security Gateways

Managed by
  Provisioning Profile: SmartProvisioning
  SmartLSM Security Profile: SmartConsole

Gateways that are provisioning-enabled have more management features, such as multiple automatic backups.

Creating Provisioning Profiles

You can create Provisioning Profiles in SmartProvisioning. Each Provisioning Profile can automate the steps required to manage configurations of gateways that have the same operating system, hardware, and Check Point software version.

Before you begin this procedure, make sure that your administrator username has Write permissions for Provisioning Profiles.

To create a Provisioning Profile:

  1. In the tree in the main window, click Profiles.

    Profiles is shown in the work space.

  2. From the Launch Menu, select File > New > Provisioning Profile.

    The New Provisioning Profile Wizard opens.

  3. Enter a name for the profile.
  4. From the Select Type drop-down list, select the platform or operating system that this profile supports.

    Each Provisioning Profile can support only one operating system.

  5. Click Next.
  6. If you want to configure the settings of the Provisioning Profile now, select Edit Provisioning Profile properties after creation.
  7. Click Finish.

Configuring Provisioning Profile Settings

Each Provisioning Profile holds settings that are provisioned onto the gateways assigned to this profile. This section describes the general properties of a Provisioning Profile and the configurations that are common to all devices.

For each set of configurations managed with a Provisioning Profile, you decide which settings take precedence: local (configured on the device, not provisioned) or central (from the Provisioning Profile, or from the gateway's own object in SmartProvisioning).

To configure the settings of a Provisioning Profile:

  1. In the Profiles List, right-click a profile and select Edit Provisioning Profile.
  2. In the Profile window, click any category tab (other than General).
  3. Select management settings for gateways that reference the profile:
    • Manage settings locally on the device: Each gateway that references this profile has its own settings, configured locally (not on SmartProvisioning). These settings cannot be overwritten by changes to the Provisioning Profile or to the SmartProvisioning gateway object. If you select this option, the Gateway window shows: settings are defined to be managed locally on the device.
    • Manage settings centrally from this application: Each gateway that references this profile gets its configuration for this setting from the Provisioning Profile or from the SmartProvisioning gateway object.
  4. If you selected to manage settings centrally, click Advanced.

    The Profile Settings window opens.

  5. Select an option for Overriding profile settings on device level is:
    • Allowed - The profile supplies default values. On each gateway you can keep the profile settings, override them with settings entered in the SmartProvisioning gateway object, or override them with the settings configured locally on the device.
    • Denied - Each gateway takes the settings from the profile, with no option to override them.
    • Mandatory - The profile supplies no values for this topic. Each gateway that references the profile must be configured individually, either locally on the device or with values entered in its SmartProvisioning gateway object.
  6. Click OK.

This table maps the profile settings selections to the Gateway window options:

Profile managed: Locally
Profile override: Not relevant
Gateway window display and options:
  "Settings are defined to be managed locally on the device. To change this, refer to the attached Provisioning Profile profile_name."
  (Controls are unavailable.)

Profile managed: Centrally
Profile override: Denied
Gateway window display and options:
  "Overriding profile settings is denied. To change this, refer to the attached Provisioning Profile profile_name."
  (Controls are read-only; the settings are configured by the profile.)

Profile managed: Centrally
Profile override: Allowed
Gateway window display and options:
  Select override method:
  • Manage settings locally on the device: Local management. The settings configured on the device override the provisioned configuration.
  • Use profile settings: Enforce the profile settings on this gateway.
  • Use the following settings: Manage these settings on this gateway individually, with the values given here.

Profile managed: Centrally
Profile override: Mandatory
Gateway window display and options:
  "Overriding profile settings is mandatory: configure settings here. To change this, refer to Provisioning Profile profile_name."
  (Each gateway is configured separately.)
  • Manage settings locally on the device: Manage these settings on this gateway locally.
  • Use the following settings: Manage these settings on this gateway individually, with the values given here.

For example, if you set Hosts configuration to Central and Allowed: The Hosts tab on the gateway enables you to manage the Host List of a gateway if you:

Warning - If you select Use the following settings and do not enter values for a topic, the current settings for that topic on the device are deleted when the gateway next fetches its Provisioning Profile.
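The precedence rules in the table and the warning above, written out as a small Python model. This is an added example, not Check Point code and not a SmartProvisioning API: the class and function names (ProfileTopic, gateway_options, effective_settings) and the sample setting key dns1 are hypothetical, and plain dictionaries stand in for whatever the Gateway window and the device actually hold.

```python
from dataclasses import dataclass, field
from enum import Enum


class ProfileMode(Enum):
    """Radio buttons on a profile's category tab."""
    LOCAL = "Manage settings locally on the device"
    CENTRAL = "Manage settings centrally from this application"


class Override(Enum):
    """'Overriding profile settings on device level is:' in the Profile Settings window."""
    ALLOWED = "Allowed"
    DENIED = "Denied"
    MANDATORY = "Mandatory"


class GatewayChoice(Enum):
    """Override methods the Gateway window can offer for one topic."""
    LOCAL = "Manage settings locally on the device"
    USE_PROFILE = "Use profile settings"
    USE_FOLLOWING = "Use the following settings"


@dataclass
class ProfileTopic:
    """One topic (DNS, Hosts, Domain Name, ...) as configured on a Provisioning Profile.

    `values` are the profile's own settings, e.g. {"dns1": "10.0.0.53"} (hypothetical key).
    """
    mode: ProfileMode
    override: Override = Override.ALLOWED
    values: dict = field(default_factory=dict)


def gateway_options(topic: ProfileTopic) -> list:
    """Override methods offered in the Gateway window, following the mapping table."""
    if topic.mode is ProfileMode.LOCAL:
        return []                                   # controls unavailable
    if topic.override is Override.DENIED:
        return []                                   # read-only, configured by profile
    if topic.override is Override.MANDATORY:
        # Mandatory: the profile has no values, so 'Use profile settings' is not offered.
        return [GatewayChoice.LOCAL, GatewayChoice.USE_FOLLOWING]
    return [GatewayChoice.LOCAL, GatewayChoice.USE_PROFILE, GatewayChoice.USE_FOLLOWING]


def effective_settings(topic, choice, gateway_values, device_current):
    """Settings the device holds for this topic after it fetches the profile.

    gateway_values: values entered under 'Use the following settings' in the gateway object.
    device_current: what is configured on the device right now (locally).
    """
    if topic.mode is ProfileMode.LOCAL:
        return dict(device_current)                 # SmartProvisioning pushes nothing
    if topic.override is Override.DENIED:
        return dict(topic.values)                   # the profile always wins
    if choice not in gateway_options(topic):
        raise ValueError(f"'{choice.value}' is not offered when override is {topic.override.value}")
    if choice is GatewayChoice.LOCAL:
        return dict(device_current)
    if choice is GatewayChoice.USE_PROFILE:
        return dict(topic.values)
    # 'Use the following settings': the device's current values for the topic are
    # replaced wholesale, so an empty entry wipes the topic (the Warning above).
    return dict(gateway_values)


if __name__ == "__main__":
    dns = ProfileTopic(ProfileMode.CENTRAL, Override.ALLOWED, {"dns1": "10.0.0.53"})
    device = {"dns1": "192.0.2.1"}                  # constructed sample state
    print(effective_settings(dns, GatewayChoice.USE_PROFILE, {}, device))
    print(effective_settings(dns, GatewayChoice.USE_FOLLOWING, {}, device))
```

The branch worth noticing is the last one: under Use the following settings the device's current values are replaced by whatever was entered, so an empty entry is a deletion, not "leave unchanged".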

Viewing General Properties of Provisioning Profiles

To view the general properties of a provisioning profile:

Right-click a Provisioning Profile and select Edit Provisioning Profile.

The UTM-1 Edge Provisioning Profile window or the Security Gateway Provisioning Profile window opens, depending on the operating system for which you created the profile. The General tab is a read-only view of the profile name and operating system. You cannot change these properties after the profile is created.

The operating system of a Provisioning Profile determines which gateways you can assign to the profile.

Security Gateway Provisioning

This section explains the provisioning configurations that are available to Security Gateways.

A Provisioning Profile can provision any or all of the network configurations. You can determine which settings are provisioned and which are set up locally.

Configuring DNS in a Provisioning Profile

You can configure DNS servers on a Provisioning Profile, which provides the configuration to all gateways assigned to this profile.

To configure DNS servers on a Provisioning Profile:

  1. Open the Security Gateway Provisioning Profile window, and select the DNS tab.
  2. If you select central management, click Advanced to set the central management options.
  3. Enter the IP addresses of the First, Second, and Third DNS servers of the network.

Configuring DNS in a Provisioning Profile for Small Office Appliances

This section explains how to configure the DNS server Provisioning Profile for Small Office Appliances. You can configure DNS servers on a Provisioning Profile, which will provide the configuration for all Small Office Appliances assigned to this profile.

To configure DNS servers on a Provisioning Profile:

  1. Open the Security Gateway Provisioning Profile window, and select the DNS tab.
  2. Select Manage DNS settings centrally from this application.
  3. Click Advanced. The Profile Settings window is displayed.
  4. Select one of these override profile settings:
    • Allowed
    • Denied
    • Mandatory

    For more information about override profile settings, see Configuring Provisioning Profile Settings.

  5. To manually configure the IP address for the DNS servers:
    1. Select Set DNS server configuration.
    2. Enter the IP addresses for the DNS servers.
  6. To automatically configure the IP address for the DNS server, select Use DNS configurations provided by the active Internet connection.
  7. To use the Small Office Appliance as your default DNS proxy, select Enable DNS Proxy - resolves local DNS requests.

Configuring Firmware in a Provisioning Profile for Small Office Appliances

This section explains how to configure firmware installation settings for the provisioning profile for Small Office Appliances. When you configure firmware settings on a Provisioning Profile, you give the configuration for all Small Office Appliances assigned to this profile.

The Security Gateway version must match the version of its SmartLSM Security Profile, as defined in SmartConsole, for the policy to behave correctly. Because a firmware upgrade changes the gateway version, the Provisioning Profile specifies a default SmartLSM profile that replaces the gateway's current SmartLSM profile after the firmware image is installed. If you do not want every gateway to switch to that default, define exceptions that map specific current SmartLSM profiles to specific replacement profiles.

For example, if a group of gateways currently references the "GroupA_LSM" profile and should keep a profile of its own after the upgrade, you add an exception that replaces the "GroupA_LSM" profile with the "GroupA_NewLSM" profile.

You can install the firmware immediately, or during time ranges that you define (optionally downloading the image immediately and installing it in the next time range).

To configure firmware installation settings on a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the Firmware tab.
  2. Select Manage firmware centrally from this application.
  3. Click Advanced. The Profile Settings window is displayed.
  4. Select one of these override profile settings:
    • Allowed
    • Denied
    • Mandatory

    For more information about override profile settings, see Configuring Provisioning Profile Settings.

  5. In Firmware image, click Select to select a firmware image that was uploaded through SmartUpdate.
  6. In Default SmartLSM Profile after installation, select the SmartLSM profile that the Security Gateway uses after the upgrade. The version of the profile, as defined in SmartConsole, must match the new firmware version for correct policy behavior. The Security Gateway replaces its SmartLSM profile only after successful firmware installation, and only if the new firmware version differs from the current version.
  7. If necessary, click Exceptions to select a new SmartLSM profile for Security Gateways with a specified SmartLSM profile.
    • Add/Edit - Click Add or Edit to open the Exceptions window to define or change an exception for a SmartLSM profile replacement.
      • Current SmartLSM Profile - Select a SmartLSM profile from the list. Make sure you installed policy for the SmartLSM profile in SmartConsole.
      • SmartLSM Profile after installation - Select a SmartLSM profile to replace the SmartLSM profile after the firmware image installation. A SmartLSM profile is shown only if the version is the same as the selected firmware version. Make sure you installed policy for the SmartLSM profile in SmartConsole.
    • Remove - Click to remove a SmartLSM profile exception setting.
  8. Select one of these options to install the firmware:
    • Immediately
    • According to these time ranges - Select whether the ranges are in Security Gateway time or local time.
      • Add/Edit - Click Add or Edit to open the Time Range window to define or change the weekdays and times for download and installation of the firmware image. Select the days and times and click OK.
      • Remove - Select a range from the list and click Remove to delete a time range.
      • Download image immediately - Select this option to download the firmware image immediately but install it during one of the set time ranges.
  9. Click Show profile settings to see the settings of the Provisioning Profile that this gateway references.
  10. Click OK.
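The replacement rules of steps 6 and 7, as a Python dry run that can be applied to a list of gateways before the firmware is pushed. This is an added example, not Check Point code and not a SmartProvisioning API: LsmProfile, FirmwareSettings, profile_after_install and rollout_plan are hypothetical names, and the version strings and profile names in the demo are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LsmProfile:
    """A SmartLSM Security Profile as defined in SmartConsole (hypothetical fields)."""
    name: str
    version: str          # software version the profile is built for


@dataclass
class FirmwareSettings:
    """Firmware tab of a Security Gateway Provisioning Profile (hypothetical model)."""
    image_version: str                               # version of the image chosen via SmartUpdate
    default_after: LsmProfile                        # 'Default SmartLSM Profile after installation'
    exceptions: dict = field(default_factory=dict)   # current profile name -> replacement profile

    def __post_init__(self):
        # The Exceptions window only lists replacements whose version equals the firmware
        # version; the same requirement is enforced here for the default profile as well.
        bad = [p for p in [self.default_after, *self.exceptions.values()]
               if p.version != self.image_version]
        if bad:
            names = ", ".join(p.name for p in bad)
            raise ValueError(f"profile version must match firmware {self.image_version}: {names}")


def profile_after_install(current_version, current_profile, fw, install_succeeded=True):
    """Which SmartLSM profile the gateway references once the firmware step has run."""
    if not install_succeeded:
        return current_profile                       # a failed install changes nothing
    if current_version == fw.image_version:
        return current_profile                       # same version: profile is not replaced
    # Exceptions are keyed on the gateway's current profile; otherwise the default applies.
    return fw.exceptions.get(current_profile.name, fw.default_after)


def rollout_plan(fleet, fw):
    """Dry run over a fleet of (gateway_name, current_version, current_profile) tuples.

    Returns {gateway_name: (profile_before, profile_after, changed)} so that the
    mapping can be reviewed before the firmware is actually installed.
    """
    plan = {}
    for gw_name, cur_ver, cur_prof in fleet:
        new_prof = profile_after_install(cur_ver, cur_prof, fw)
        plan[gw_name] = (cur_prof.name, new_prof.name, new_prof != cur_prof)
    return plan


if __name__ == "__main__":
    # Constructed sample data: a 1.0 -> 2.0 upgrade with one exception for GroupA.
    fw = FirmwareSettings(
        "2.0",
        LsmProfile("Branch_Default_2", "2.0"),
        {"GroupA_LSM": LsmProfile("GroupA_NewLSM", "2.0")},
    )
    fleet = [
        ("gw-a1", "1.0", LsmProfile("GroupA_LSM", "1.0")),
        ("gw-b1", "1.0", LsmProfile("Branch_Default", "1.0")),
        ("gw-c1", "2.0", LsmProfile("Branch_Default_2", "2.0")),   # already upgraded
    ]
    for gw, (before, after, changed) in rollout_plan(fleet, fw).items():
        print(f"{gw}: {before} -> {after}" + ("" if changed else " (unchanged)"))
```

Running the plan before the rollout surfaces two things the GUI does not show side by side: which gateways fall through to the default profile because no exception names their current profile, and which gateways keep their profile because they already run the target version.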

Configuring Hosts in a Provisioning Profile

You can configure hosts on a Provisioning Profile, which provides the configuration to all gateways assigned to this profile. This is especially useful for gateways on the same LAN or network, such as Security Gateways with HA.

To configure hosts on a Provisioning Profile:

  1. Open the Security Gateway Provisioning Profile window, and select the Hosts tab.
  2. If you select central management, click Advanced to set the central management options.
  3. Click OK to return to the Hosts tab.
  4. Click New.
  5. Enter the Host name and the IP address, and click OK to return to the Hosts tab.
  6. Repeat for all required hosts.

    Every gateway assigned to this Provisioning Profile receives this Host list.

Configuring Domain Name in a Provisioning Profile

You can configure the domain on a Provisioning Profile, which provides the configuration to all gateways assigned to this profile. This is useful for gateways that share a domain because you only have to configure it once for all the gateways.

To configure the domain on a Provisioning Profile:

  1. Open the Security Gateway Provisioning Profile window, and select the Domain Name tab.
  2. If you select central management, click Advanced to set the central management options.
  3. Click OK to return to the Domain Name tab.
  4. Enter the Domain Name.

Configuring Backup Schedule

You can set all gateways assigned to this Provisioning Profile to be backed up on a schedule. When each gateway in turn fetches the Provisioning Profile, its backup is created.

For example, to back up all gateways without taking both members of a pair out of service at the same time, you can create one Provisioning Profile that backs up primary gateways at midnight on the weekend and another Provisioning Profile that backs up secondary gateways at six in the morning on the fifth day of each month.

To configure backup settings of a Provisioning Profile:

  1. Open the Security Gateway Provisioning Profile window, and select the Backup tab.
  2. If you select central management, click Advanced to set the central management options. See Configuring Provisioning Profile Settings for more information.
  3. Select Enable Backup.
  4. In the Start at field, select the hour (24-hour clock) and minute at which the backup starts.
  5. Select the backup frequency:
    • Select the day of the month radio button and select a date.
    • Select the weekdays radio button and select the required day.
  6. If you want the backup to include the log files, select Include Check Point products log files in the backup.

    Such backups are generally much larger than backups without the logs, so clear this checkbox if you do not need the logs. Log files are not relevant for IP Appliances, so clear this checkbox for IPSO-based gateways.

  7. If you want the backups to be saved on a server other than the SmartProvisioning server, click Backup Target.

    The Backup Target window opens. This option is relevant only if all gateways assigned to this Provisioning Profile are on the same network, with access to the server that stores the backups.

  8. Select the server type to hold the backups, or select Locally on Device, which makes each gateway of this profile keep its own backup file.
  9. Provide the IP address or Hostname of the selected server.
  10. For SCP servers, also provide the Username and Password. A backup contains the gateway's configuration, so restrict access to the backup server and to this account accordingly.
  11. Click OK.

UTM-1 Edge Gateway Provisioning

Some provisioning options are available only to UTM-1 Edge devices. Because UTM-1 Edge devices are embedded with Check Point products and configurations, some management options are handled differently than for non-Edge devices.

A Provisioning Profile can provision any or all of the network configurations. You can determine that one group of settings is provisioned and another set up locally. See Configuring Provisioning Profile Settings.

Configuring Date and Time in a Provisioning Profile for UTM-1 Edge Gateways

You can synchronize the clocks of all UTM-1 Edge devices that reference the profile.

To configure the date and time in a Provisioning Profile:

  1. Open the UTM-1 Edge Provisioning Profile window, and select the Date and Time tab.
  2. If you select central management, click Advanced to set the central management options. See Configuring Provisioning Profile Settings for more information.
  3. If you select an option that uses the profile settings, decide how the gateway clock is synchronized:
    • To synchronize the gateways of this profile with a specific NTP server, select the Use Network Time Protocol (NTP) to synchronize the clock check box.
    • To synchronize the gateways of this profile with the Security Management Server/Domain Management Server, clear this check box and click OK. Gateways of this profile are synchronized each time they fetch their Provisioning Profile.
  4. If you selected Use Network Time Protocol (NTP) to synchronize the clock, provide the IP address or host name of the NTP server.

    If available, provide the IP address or host name of a secondary NTP server.

  5. From the Time Zone drop-down list, select the time zone of the gateways. NTP distributes UTC; the time zone determines the local time shown on the devices.

Configuring Routing in a Provisioning Profile for UTM-1 Edge Gateways

You can configure the Routing table of a UTM-1 Edge gateway through the Provisioning Profile or locally.

To configure routing by provisioning:

  1. Open the UTM-1 Edge Profile window, and select the Routing tab.
  2. If you select central management, click Advanced to set central management options.
  3. If you selected an option that uses the profile settings, click Add in the Routing Table section.
  4. Provide the Source Settings, or leave Any Source selected:
    • Source Network: Source IP address (for example, this gateway's IP address, or the IP address of a source behind the gateway).
    • Source Mask: Net mask of the source network.
  5. Provide the Destination Settings, or leave Any Destination selected:
    • Destination Network: Destination IP address for this route (for example, the IP address of the CO gateway or the Security Management Server/Domain Management Server).
    • Destination Mask: Net mask of the destination network.
  6. Select the defining options:
    • Service: Select ANY, or a specific service so that the route applies only to traffic of that service.
    • Next Hop IP or Network: Select a pre-defined network, or provide the IP address of the closest router or default gateway.
    • Metric: Specify the distance in hops to the destination. When more than one route matches, the route with the lowest metric is preferred.
  7. Click OK.
  8. Configure all the routes that you want in this table.

Configuring HotSpot for a Provisioning Profile for UTM-1 Edge Gateways

You can configure a HotSpot in a Provisioning Profile, to provision the same HotSpot on all gateways that reference the profile. If the gateway provides wireless connectivity, a HotSpot presents users with a login page (title, terms of use, and optionally a password) before they are granted network access.

Note - Some HotSpots use RADIUS servers for Authentication, Authorization, and Accounting. If this is true of yours, make sure to configure RADIUS in the Provisioning Profile as well; see Configuring RADIUS in a Provisioning Profile for UTM-1 Edge Gateways.

To configure a HotSpot for Provisioning:

  1. Open the UTM-1 Edge Provisioning Profile window, and select the HotSpot tab.
  2. If you select central management, click Advanced to set the central management options. See Configuring Provisioning Profile Settings for more information.
  3. Provide a HotSpot Title.
  4. In the HotSpot Terms field, specify the terms for valid access or the End-User License.

    These can include time limits, number of users, warnings that only known clients are allowed, and any other term that is relevant for your users and your organization's policy.

  5. Select the appropriate options:
    • HotSpot is password-protected: Select this option if users must provide the HotSpot password.
    • Allow a user to login from more than one computer at the same time: This option is available only if a password is required; without a password, the gateway cannot distinguish logins of the same user account.
    • Use HTTPS: Select this option so that the HotSpot login page is served only over HTTPS and the password is not sent in clear text over the wireless network.
    • After login, redirect to URL: Provide the URL of the Web page that users see after successful login through the HotSpot.
  6. Click OK.

Configuring RADIUS in a Provisioning Profile for UTM-1 Edge Gateways

You can configure the RADIUS server (Remote Authentication Dial In User Service) that provides authentication, authorization, and accounting for your gateways. You can configure RADIUS in the provisioning profile once for all gateways that reference this profile. The RADIUS server or group must already be defined as a SmartConsole object.

To configure RADIUS in a Provisioning Profile:

  1. Open the UTM-1 Edge Provisioning Profile window, and select the RADIUS tab.
  2. If you select central management, click Advanced to set the central management options. See Configuring Provisioning Profile Settings for more information.
  3. In the Primary RADIUS Server list, select the RADIUS server that is the primary RADIUS server of the gateways assigned to this Provisioning Profile.
  4. In the Secondary RADIUS Server list, select the RADIUS server that is the secondary RADIUS server of the gateways.

    Note - The RADIUS Servers lists show all the servers that are defined in SmartConsole as RADIUS servers.

  5. To configure the permissions granted to users that the RADIUS server authenticates, click Advanced.
  6. From the Administrator Level drop-down list, select the administrator permissions that the gateway grants to users authenticated by the RADIUS server. The same level applies on every gateway assigned to the profile, so select No Access unless RADIUS users are meant to administer the gateways:
    • Read Write
    • Read Only
    • Users Manager
    • No Access
  7. Select the permissions that RADIUS-authenticated users have on the network of gateways assigned to this Provisioning Profile:
    • VPN Remote Access: Allows remote access VPN connections to the gateway, with authentication through the RADIUS server.
    • Web Filtering Override: Allows authenticated users to see Web sites that the gateway's Web Filtering would otherwise block.
    • HotSpot access: Allows users to log in to the gateway's wireless HotSpot, and therefore reach the protected environment, with RADIUS authentication.
    • Remote Desktop Access: Allows users to access desktops inside the protected environment from a remote station.

Assigning Provisioning Profiles to Gateways

After you create a Provisioning Profile, you can assign gateways to be automatically managed by this profile. Make sure that the gateway fits the operating system and software version of the Provisioning Profile.

To assign a Provisioning Profile to a gateway:

  1. In the tree in the main window, click Devices.

    The Devices work space is shown.

  2. Double-click a gateway.

    The Gateway window opens, with the General settings displayed.

  3. Make sure Enable Provisioning is selected.
  4. Select Provisioning Profile.
  5. From the drop-down menu, select the required Provisioning Profile, or click New and create a new Provisioning Profile.