Common Gateway Management

In This Section:

Overview of Gateway Management

Immediate Gateway Actions

Editing Gateway Properties

Executing Commands

Converting Gateways to SmartLSM Security Gateways

Overview of Gateway Management

SmartProvisioning can manage SmartLSM Security Gateways, Provisioned Gateways, and CO gateways on Security Gateway devices of any supported platform and operating system.

This chapter explains concepts and procedures that are common to all SmartProvisioning managed gateways.

Before you begin, make sure that your administrator user name has Write permissions for SmartLSM Gateway Database.

Immediate Gateway Actions

At any point during configuration or management of a gateway, you can do a number of immediate actions on the gateway. Some actions are for Provisioned gateways only, some are applicable only for SmartLSM Security Gateways, and some only for SmartLSM Security Gateways on non-Edge devices.

Accessing Actions

This section describes how to use the features available from the Actions menu.

To open the Actions menu, do one of the following:

Controlling Remote Gateways

You can manage remote gateways with SmartProvisioning. You can start, stop, and restart the Check Point Security Gateway services, and you can reboot devices. This applies to all types of SmartProvisioning gateways, with one exception: on UTM-1 Edge devices (both SmartLSM and Provisioned gateways) you cannot stop or start the software separately. You can only restart it, in one command.

Remote Actions on Check Point Services and Gateways

| To | On Gateway of Type | Select Actions |
|---|---|---|
| Stop Check Point services | Security Gateway | Stop Gateway |
| Start Check Point services | Security Gateway | Start Gateway |
| Restart Check Point services | Security Gateway, UTM-1 Edge | Restart Gateway |
| Reboot device | Security Gateway, UTM-1 Edge | Reboot Gateway |

Updating Corporate Office Gateways

The CO gateway is the center of the Star VPN Community, in which SmartLSM Security Gateways are the satellites. It is important to update the CO gateway when SmartLSM Security Gateways are added, deleted, or modified (such as the generation of a new IKE key, a Push Policy action, or a Push Dynamic Objects action).

To update a CO gateway:

  1. Click the Update Corporate Office Gateway toolbar button.
  2. From the Corporate Office Gateway drop-down list, select the CO gateway.
  3. Click OK.

After you create the SmartLSM Security Gateway object, update the Corporate Office Gateway. If the VPN option was selected in the VPN Properties page, the Certificate Authority issues a certificate to the appliance. This certificate is installed on the appliance the first time that the SmartLSM Security Gateway connects to the Security Management Server.

Deleting Gateway Objects

If you delete a SmartLSM Security Gateway as a SmartProvisioning object, this revokes all certificates of the gateway.

To delete a SmartLSM Security Gateway:

In the SmartProvisioning work space, right-click the gateway and select Delete SmartLSM Security Gateway.

You can delete provisioned gateways in SmartConsole.

Editing Gateway Properties

The edit window for gateways is different for each type, but is opened in the same way.

To open the Gateway window:

  1. In the tree, click Devices.
  2. Do one of these actions:
    • In the Devices work space, double-click the gateway you want to edit.
    • In the Devices work space, right-click the gateway and select Edit Gateway.
    • Click the Edit Gateway toolbar button.

    Note - Gateway windows for non-SmartLSM Security Gateways (without a SmartLSM Security Profile) show only the General tab, until you select Enable Provisioning. Then they show all tabs.

Gateway Comments

You can view the properties that define a gateway in the General tab of the Gateway window. You can also edit some of the properties.

Changing Assigned Provisioning Profile

You can manage SmartProvisioning gateways with Provisioning Profiles. At any time, you can change the Provisioning Profile that is assigned to a gateway.

To change the assigned Provisioning Profile:

  1. Open the Gateway window and select the General tab.
  2. Make sure that Enable Provisioning is selected.
  3. Select Provisioning Profile, and select a profile from the drop-down list.
  4. Click OK.

Configuring Interfaces

You can manage the interfaces of the individual gateway through SmartProvisioning. This is not available for Provisioning Profiles, because the interface configuration is different for each device.

Note - SmartLSM Security Gateways: In the gateway Topology page, if All IP addresses behind the gateway based on Topology information is selected, the VPN Domain is based on the interfaces configured in this procedure.

Changes to the interface configuration of a SmartLSM Security Gateway always affect its VPN Domain. This is true even if Provisioning is disabled or the Manage settings locally option is selected in the Interfaces page.

To add an interface to the gateway's configuration:

  1. Click Actions > Get Actual Settings.

    Note - For IP Appliances:
    The interface configuration for these appliances is complex. To prevent mistakes, you must first select Get Actual Settings, to upload the existing interfaces. IP Appliance interfaces are available for management (add, edit, delete) only after this action is done.
    For other gateways, this step is optional.

  2. In SmartProvisioning, open the Gateway window and select the Interfaces tab.
    • To manage the interfaces locally on the device, select Manage settings locally on the device. This way, changes in SmartProvisioning do not affect the device.
    • To configure interfaces through SmartProvisioning, which overrides the local settings, select Use the following settings.

    The configuration options are different for each device: Security Gateway, IP Appliance, Small Office Appliance, or UTM-1 Edge.

    If Use the following settings is selected, the Interface configuration options are available.

  3. Click Add.

    A menu of interface types opens. Select an interface type. This menu is different for Security Gateways, Small Office Appliance, IP Appliances, and UTM-1 Edge devices. The window that opens is different for each selected interface.

  4. Enter the required data and click OK.

To apply interface configuration changes:

  1. The device is updated with new configurations on a time interval. To immediately apply these settings to the gateway, select Actions > Push Settings and Actions.
  2. To update the CO gateway with the new VPN Domain, click on Update Corporate Office Gateway.

Executing Commands

You can run executables or shell commands on a managed Security Gateway with Custom Commands.

For example, if you want to check the connection between the SmartProvisioning console and a gateway, you can create a command that pings the selected gateway: Executable = ping; Parameter = <IP>. When you execute this command on a gateway, the terminal window of the console opens and runs the Ping command.

To prepare a custom command:

  1. Select Manage > Custom Commands.
  2. Click Add.

    The Add New Custom Command Window opens.

  3. Provide a name for your command.
  4. Provide the command or pathname of the executable.
  5. If parameters are needed, provide them here.
  6. If the parameters include the local IP address or host name, click Variables and select Object IP Address or Object Name.
  7. Click OK.

    The new custom command is added to the Custom Commands list.

  8. Select the commands that you want to use.

To execute a prepared custom command:

  1. Right-click a gateway in the Devices work space.

    Custom Commands is added to the standard right-click menu.

  2. Select Custom Commands and then the command that you want to execute.

Converting Gateways to SmartLSM Security Gateways

You can convert a Security Gateway or UTM-1 Edge gateway managed with SmartConsole to a SmartLSM Security Gateway managed with SmartProvisioning. You do not need to delete existing objects, or to create new ones, because the Check Point Suite handles object management automatically during the conversion. It also preserves relevant SIC certificates.

For example, when you acquire the SmartProvisioning license, you can convert SmartConsole-managed gateways to SmartLSM Security Gateways, and do not need to re-configure the gateway objects.

To convert a gateway to a SmartLSM Security Gateway:

  1. In SmartConsole, create the SmartLSM Security Profile to associate with the new SmartLSM Security Gateway.
  2. Install the relevant Security Policy on the SmartLSM Security Profile.
  3. From the CLI, execute one of these commands:
    • Security Gateway: LSMcli <server> <user> <pswd> Convert Gateway VPN1 <Name> <Profile>
    • Small Office Appliance: LSMcli <server> <user> <pswd> Convert Gateway CPSG80 <Name> <Profile>
    • UTM-1 Edge: LSMcli <server> <user> <pswd> Convert Gateway VPN1Edge <Name> <Profile>
  4. In SmartProvisioning, select Actions > Push Policy on the SmartLSM Security Gateway.
  5. Update the CO gateway.
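
When many gateways are converted at once, step 3 is usually scripted. The following is an added example, not Check Point code: a dry-run planner that reads an inventory, maps each device to the gateway type token from the commands above, rejects names that could inject options or shell syntax, and prints the LSMcli lines without embedding the password. The inventory format, device keywords, function names, server name, and the `LSM_PSWD` variable are assumptions.

```shell
#!/bin/sh
# Added example (not Check Point code): dry-run planner for step 3. Assumed: CSV
# rows "name,device,profile", the device keywords below, the LSM_PSWD variable.

# Device keyword (hypothetical) -> gateway type token from the page's commands.
lsm_type_token() {
  case "$1" in
    security-gateway) echo VPN1 ;;
    small-office)     echo CPSG80 ;;
    utm1-edge)        echo VPN1Edge ;;
    *) return 1 ;;
  esac
}

# Accept only plain identifiers: no empty values, no leading "-" (would be read
# as an option), no whitespace or shell metacharacters from the inventory.
valid_name() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
}

# Read inventory rows on stdin and print one LSMcli command per valid row.
# The password stays a literal "$LSM_PSWD" reference, so the plan holds no secret.
# Returns 1 if any row was skipped, 2 if server or user is not a plain identifier.
plan_conversions() (
  server=$1 user=$2 rc=0
  valid_name "$server" && valid_name "$user" || return 2
  while IFS=, read -r name device profile; do
    case "$name" in ''|'#'*) continue ;; esac
    if token=$(lsm_type_token "$device") && valid_name "$name" && valid_name "$profile"; then
      printf 'LSMcli %s %s "$LSM_PSWD" Convert Gateway %s %s %s\n' \
        "$server" "$user" "$token" "$name" "$profile"
    else
      echo "SKIP (bad device or name): $name,$device,$profile" >&2
      rc=1
    fi
  done
  return "$rc"
)

# Constructed sample inventory and server name; the last row is rejected.
plan_conversions mgmt.example.com admin <<'EOF' || echo "some rows skipped" >&2
# name,device,profile
branch-gw-01,security-gateway,BranchProfile
kiosk-07,small-office,KioskProfile
edge-12,utm1-edge,EdgeProfile
bad gw;id,security-gateway,BranchProfile
EOF
```

Because the syntax above takes the password as a command-line argument, it is visible in the process list while LSMcli runs; review the printed plan first, then run it from a restricted session on the management server.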