
Managing SmartLSM Security Gateways

In This Section:

Immediate SmartLSM Security Gateway Actions

Common SmartLSM Security Gateway Configurations

Changing Assigned SmartLSM Security Profile

Managing SIC Trust

Tracking Details

Configuring Log Servers

SmartLSM Security Gateway Licenses

Configuring Topology for SmartLSM Security Gateways

Converting SmartLSM Security Gateways to SmartConsole-Managed Gateways

Managing Software

Security Gateway Actions

Maintenance Mode

Immediate SmartLSM Security Gateway Actions

At any point during the configuration or management of a SmartLSM Security Gateway, you can perform immediate actions on the gateway.

Applying Dynamic Object Values

SmartLSM Security Profiles implement a Security Policy, with rules for source/destination IP addresses, and localize these rules for each SmartLSM Security Gateway assigned to the profile. SmartProvisioning manages Dynamic Objects only for SmartLSM Security Gateways.

For example:

The Security Policy assigned to the SmartLSM Security Profile has a rule to drop traffic from IP addresses on a StormCenter. The Security Profile is assigned to ten SmartLSM Security Gateways. Some of the SmartLSM Security Gateways assigned to this profile must use one StormCenter site, and others use a different one. You do not have to create a new rule for each gateway. You can create one rule in the main policy, and use the CPDShield dynamic object to define the source (StormCenter list of IP addresses to block).

In SmartProvisioning, on each SmartLSM Security Gateway assigned to this profile, you resolve the CPDShield dynamic object to the real IP address of a StormCenter (double-click a SmartLSM Security Gateway and open Dynamic Objects > Add).

After you resolve the dynamic object to a real IP address value, it is not applied immediately to the selected SmartLSM Security Gateway. You can wait for the gateway to fetch its profile, but if you want the value to be applied immediately, you can push the resolved values of dynamic objects to the SmartLSM Security Gateway.

To apply new values to dynamic objects of a SmartLSM Security Gateway:

Right-click the gateway and select Actions > Push Dynamic Objects.

Getting Updated Security Policy

If you change the Security Policy assigned to a SmartLSM Security Profile in SmartConsole, and install it on gateways, it is not applied to SmartLSM Security Gateways. Each SmartLSM Security Gateway fetches its SmartLSM Security Profile on a different time interval, and then gets the updated Security Policy.

You can apply the changes immediately by pushing the policy on the SmartLSM Security Gateway. To do this, right-click the Security Gateway and Actions > Push Policy.

Common SmartLSM Security Gateway Configurations

This chapter explains management concepts and procedures that are common to all SmartLSM Security Gateways.

You must have Write permissions for SmartLSM Gateway Database.

The edit window is different for each type of SmartLSM Security Gateway, but is opened in the same ways.

To open the SmartLSM Security Gateway window:

  1. In the tree, click Devices.
  2. Do one of these actions:
    • Click the Edit Gateway toolbar button.
    • In the Devices work space, double-click the gateway you want to edit.
    • In the Devices work space, right-click the gateway and select Edit Gateway.
    • From the Edit menu, when the gateway is selected in the work space, click Edit Gateway.

Changing Assigned SmartLSM Security Profile

You can change the SmartLSM Security Profile that you assign to a SmartLSM Security Gateway.

Note - If the assigned SmartLSM Security Profile was changed in SmartConsole, do this procedure to make sure that the changes are applied immediately.

To apply a change in SmartLSM Security Profile:

  1. In SmartConsole, edit the Security Policy as needed and install it on the SmartLSM Security Profile.
  2. In SmartProvisioning, open the Gateway window, and select the General tab.
  3. From the Security Profile drop-down list, select the SmartLSM Security Profile.
  4. Click Actions > Push Policy.

Managing SIC Trust

Getting New Registration Key for UTM-1 Edge Device

You can force a UTM-1 Edge SmartLSM Security Gateway to get a new SIC key, by generating a new Registration Key for the gateway.

To generate a new key:

  1. Double-click a UTM-1 Edge device.
  2. In the General tab, find the Secure Internal Communication > Registration Key field.
  3. Click New Key.
  4. Click Generate Key, and then click Set to set the new key.

Verifying SIC Trust on SmartLSM Security Gateways

You can view and edit the status of the Secure Internal Communication Trust between the Security Management Server or Domain Management Server and the SmartLSM Security Gateway. SIC Trust is established after a certificate is issued by the management server and delivered to the SmartLSM Security Gateway.

To check the SIC Trust of a SmartLSM Security Gateway:

  1. Double-click a SmartLSM Security Gateway.
  2. In the General tab, find the Secure Internal Communication > DN field.

    This is the SmartLSM Security Gateway's Distinguished Name (SIC name).

    Syntax: CN=gw-name, O=Management-domain-name

    If it is empty, change the SIC certificate state.

  3. Click Communication.
  4. Check the value of the Certificate state field. This field shows the status of the SIC trust between this SmartLSM Security Gateway and the Security Management Server or Domain Management Server.
    • Initialized: Indicates that the SmartLSM Security Gateway has a valid SIC certificate (it is possible that the Security Gateway is not connected).
    • Uninitialized: Indicates that the SmartLSM Security Gateway does not have a valid SIC certificate (because it was never initialized, or its certificate was revoked).

Initializing SIC Trust on SmartLSM Security Gateways

If the Certificate state is Uninitialized, and the IP address of the SmartLSM Gateways & Servers is entered, you can initialize the SIC trust now. Perform this procedure if the Generate button is available.

To initialize a SIC trust:

  1. Click Generate to generate a one-time password, or provide a one-time password.
  2. Click Initialize. A new SIC certificate is created for this SmartLSM Security Gateway, and its certificate state becomes Initialized.

Pulling SIC from Security Management Server

If no IP address is entered, you must pull the SIC certificate from the Security Management Server or Domain Management Server with the Check Point Configuration tool (cpconfig).

To initialize a SIC trust if the Security Management Server or Domain Management Server cannot find the gateway:

  1. Open cpconfig > Secure Internal Communication (SIC) on the Security Management Server or Domain Management Server and on the SmartLSM Security Gateway.
  2. Copy the SIC password.
  3. On the gateway, provide the password of the Security Management Server or Domain Management Server.
  4. Restart Check Point services on the gateway.

Resetting Trust on SmartLSM Security Gateways

You may want to reset an established SIC Trust if you replaced the gateway host machine, or if you lost the Activation Key.

From the time that you reset SIC until trust is re-established, the internal communications between the Check Point applications, the management server, and the managed devices are down. This procedure revokes the current certificate and provides a new one. Therefore, it is recommended that you continue only if you are sure that SIC must be reset. After you complete this procedure, quickly re-initialize SIC trust.

To reset a SIC trust:

  1. In the Communication window, click Reset.

    A message asks for confirmation: Are you sure you want to reset SIC?

    If you reset the SIC certificate now (revoke current license and get a new one), internal communications between Check Point applications, Security Management Server/Domain Management Server, and managed devices can be adversely affected. Continue only if you are sure this must be done.

  2. If you are ready to reset SIC now, click Yes.
  3. On the SmartLSM Security Gateway, open the Check Point Configuration tool > Secure Internal Communication tab, and click Reset.
  4. Reboot the SmartLSM Security Gateway.

Tracking Details

The Details tab of the Gateway window for SmartLSM Security Gateways and UTM-1 Edge SmartLSM Security Gateways provides identification information for log tracking and cluster usage.

You can edit the ID of the gateway device and add detailed notes for easier network management.

Configuring Log Servers

When you create a SmartLSM Security Profile for Security Gateways in SmartConsole, you can also configure the log servers. In SmartProvisioning you can edit the log server configuration. You can select different log servers for a selected gateway, but the servers must already be defined in SmartConsole.

To change log servers of SmartLSM Security Gateways:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Advanced tab.
  3. Clear As defined in SmartLSM Profile.
  4. Select the log servers for this SmartLSM Security Gateway:
    • Send logs to: Select the primary log server for this gateway.
    • When unreachable, send logs to: Select the alternative log server.

Note - You configure the log servers for the UTM-1 Edge gateways through the UTM-1 Edge Portal > Setup > Logging. For more information about log servers, see the R75.40 UTM-1 Edge Administration Guide.

SmartLSM Security Gateway Licenses

You have a License Repository with the licenses that you acquired for your environment. You can manage the licenses of the SmartLSM Security Gateways through SmartProvisioning.

Uploading Licenses to the Repository

SmartLSM Security Gateway licenses are available for SmartProvisioning management if they are in the License Repository on the Security Management Server or Domain Management Server.

To upload licenses to the repository:

  1. Open SmartUpdate and go to Licenses and Contracts > Add License.
  2. Select a source location.
  3. Browse to the file.
  4. Click Open.

    The license is added to the License Repository.

Attaching License to SmartLSM Security Gateways

To attach a license to a SmartLSM Security Gateway:

  1. Open the SmartLSM Security Gateway window, and select the Licenses tab.
  2. Click Add.

    A list opens showing the licenses in your License Repository that are not attached to any gateway. If an original license is used on another SmartLSM Security Gateway, you will not see the corresponding upgraded license in the License Repository.

  3. Select the licenses to appear in this gateway's Licenses window. You can select more than one license at a time.
  4. Click OK. The license attached to this gateway is added to the Licenses list.
  5. In the Gateway window, click OK.

    The license operations, attachment or detachment, are performed immediately. The License Operation message appears:

    Attaching/Detaching Licenses. Please wait...

Attaching License to UTM-1 Edge SmartLSM Security Gateways

UTM-1 Edge devices have embedded licenses. To release features, you need the Product Key.

To attach a license to a UTM-1 Edge SmartLSM Security Gateway:

  1. Open the UTM-1 Edge SmartLSM Security Gateway window, and select the Licenses tab.
  2. Provide the Product Key.
  3. Click Show Product Description to see the features that are enabled by this license.

License State and Type

The state of the license depends on whether the license is associated with the Security Gateway in the License Repository, and whether the license is installed on the remote Security Gateway.

The type of license depends on the IP address enabled in the license. If the IP address is of this gateway, the license type is Local. If the IP address is of the Security Management Server or Domain Management Server, the license type is Central.

Handling License Attachment Issues

Configuring Topology for SmartLSM Security Gateways

You can manage the topology of SmartLSM Security Gateways through SmartProvisioning. View and change the internal and external interfaces of each gateway to fit its local environment.

To configure the topology of a SmartLSM Security Gateway:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Topology tab.
  3. Select the option that best describes the VPN Domain of this SmartLSM Security Gateway:
    • Not defined: No VPN is defined for this gateway. To enable this gateway to participate in a VPN, select a different option.
    • Only the external interfaces: The external IP addresses of the SmartLSM Security Gateway are the entire VPN domain. The CO gateway connects to the remote office nodes only through the SmartLSM Security Gateway. The nodes are usually connected and secured by NAT.
    • All IP Addresses behind the Gateway based on Topology information: SmartProvisioning automatically calculates the encryption domain based on the IP address and net mask of the SmartLSM Security Gateway's internal interfaces.
    • Automatically determined by the topology configured on the Edge device: The VPN domain of the gateway consists of all the IP addresses configured locally on the UTM-1 Edge device, regardless of the interface configuration of the Edge object. If you select this option, the OSPF feature of the CO gateway must dynamically learn the VPN domain of the UTM-1 Edge device.

      Note - This option is only available for UTM-1 Edge devices, and requires:

      1. Manual definition of VTIs on the device and the CO gateway, so that the CO gateway can learn the VPN domain. The domain topology is stored on the Edge device, and is not acquired through an install policy action or an automatic update from the CO.
      2. The OSPF feature of the CO gateway, to dynamically learn the VPN domain of the UTM-1 Edge device.

    • Manually defined: You can define the VPN domain manually. The range table is enabled.

Manually Configuring a VPN Domain

Complex networks behind SmartLSM Security Gateways cannot be properly configured as VPN domains by the automatic calculation option (All IP Addresses behind the Gateway based on Topology information). If the SmartLSM Security Gateway topology consists of one type (Meshed or Star) and does not include subsequent firewalls, you may select the automatic option. Otherwise, it is recommended that you select Manually defined.

To manually configure a VPN domain:

  1. In the Topology tab, click Manually defined.
  2. Click Add.

    The IP Address Range Configuration window opens.

  3. Enter the range of IP addresses that define a network behind this gateway.
  4. Click OK.
  5. Repeat these steps and add IP address ranges for the VPNs that connect to the CO gateway.
  6. Select Actions > Push Policy.

    You are prompted to save the data and then SmartProvisioning validates the topology you defined.

    If successfully validated, the topology is immediately pushed to the gateway.

  7. Update the CO gateway.

    The IP addresses in this range are now part of the VPN domain that is secured by the SmartLSM Security Gateway and that tunnels to the CO gateway. To complete the VPN configurations, see Configuring VPNs on SmartLSM Security Gateways.
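To make the VPN domain options above concrete, here is an added Python example (not part of this guide and not SmartProvisioning's own code) that derives the encryption domain from interface topology the way the automatic option describes, and checks manually defined IP address ranges before they would be pushed. The Interface class, the sample addresses and the validation checks are assumptions for illustration, not the validation SmartProvisioning itself performs.

```python
"""Added example, not from the Check Point SmartProvisioning guide.

Models the Topology tab's VPN domain options for one SmartLSM Security Gateway.
The Interface class and the checks in validate_manual_domain() are assumptions
made for illustration; they are not the checks SmartProvisioning runs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:  # assumed model of one gateway interface
    name: str
    ip: str
    netmask: str
    external: bool


def domain_from_topology(interfaces):
    """Automatic option: union of the networks on the internal interfaces,
    derived from each interface's IP address and net mask."""
    nets = [ipaddress.ip_network(f"{i.ip}/{i.netmask}", strict=False)
            for i in interfaces if not i.external]
    return list(ipaddress.collapse_addresses(nets))


def parse_range(text):
    """'10.1.0.0-10.1.3.255' -> (first, last) addresses; raises on bad input."""
    first, sep, last = text.partition("-")
    if not sep:
        raise ValueError(f"range must be written first-last: {text!r}")
    a = ipaddress.ip_address(first.strip())
    b = ipaddress.ip_address(last.strip())
    if b < a:
        raise ValueError(f"range end precedes its start: {text!r}")
    return a, b


def validate_manual_domain(ranges, interfaces):
    """Return a list of problems (an empty list means the ranges look sane).
    Assumed checks: every range parses, ranges do not overlap each other, and
    no range swallows the gateway's own external address (that would place the
    tunnel endpoint inside the domain it is supposed to protect)."""
    problems, parsed = [], []
    for r in ranges:
        try:
            parsed.append(parse_range(r))
        except ValueError as exc:
            problems.append(str(exc))
    parsed.sort()
    for (a1, b1), (a2, b2) in zip(parsed, parsed[1:]):
        if a2 <= b1:
            problems.append(f"overlapping ranges {a1}-{b1} and {a2}-{b2}")
    externals = [ipaddress.ip_address(i.ip) for i in interfaces if i.external]
    for a, b in parsed:
        for e in externals:
            if a <= e <= b:
                problems.append(f"range {a}-{b} contains external address {e}")
    return problems


def domain_from_ranges(ranges):
    """Manual option: turn first-last ranges into collapsed networks."""
    nets = []
    for r in ranges:
        a, b = parse_range(r)
        nets.extend(ipaddress.summarize_address_range(a, b))
    return list(ipaddress.collapse_addresses(nets))


def vpn_domain(option, interfaces, ranges=()):
    """Resolve the selected Topology tab option to a list of networks."""
    if option == "Not defined":
        return []
    if option == "Only the external interfaces":
        return [ipaddress.ip_network(i.ip) for i in interfaces if i.external]
    if option == "All IP Addresses behind the Gateway based on Topology information":
        return domain_from_topology(interfaces)
    if option == "Manually defined":
        problems = validate_manual_domain(ranges, interfaces)
        if problems:  # refuse to build a domain that failed validation
            raise ValueError("; ".join(problems))
        return domain_from_ranges(ranges)
    raise ValueError(f"unknown VPN domain option: {option!r}")


# Constructed sample: one external interface and two internal /24 networks.
SAMPLE_INTERFACES = [
    Interface("eth0", "203.0.113.10", "255.255.255.0", external=True),
    Interface("eth1", "10.1.0.1", "255.255.255.0", external=False),
    Interface("eth2", "10.1.1.1", "255.255.255.0", external=False),
]
```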

Converting SmartLSM Security Gateways to SmartConsole-Managed Gateways

You can convert a SmartLSM Security Gateway managed with SmartProvisioning to a Security Gateway managed with SmartConsole. For example, if a remote gateway has so many customized requirements that Profiles are ineffective, you can manage it as a separate gateway through SmartConsole.

There is no need to delete existing objects, or to create new ones, because the Check Point Suite manages objects automatically during the conversion. It also preserves SIC certificates.

To convert to a SmartConsole gateway:

  1. In the SmartProvisioning CLI, execute one of these commands (see Converting Gateways for details and more options).
    • Security Gateway: LSMcli <server> <user> <pswd> Convert ROBO VPN1 <Name>
    • UTM-1 Edge: LSMcli <server> <user> <pswd> Convert ROBO VPN1Edge <Name>
  2. Define the gateway interfaces.
  3. Update required VPN communities.
  4. Install Security Policies.
  5. Restart Check Point services.
  6. Update the CO gateway to which the SmartLSM Security Gateway was a satellite.

Managing Software

You can manage the software installed on SmartLSM Security Gateways and standard Security Gateways. The Package commands are available from the Actions menu and the Package toolbar buttons.

These commands are not available for Small Office Appliances and UTM-1 Edge gateways.

Uploading Packages to the Repository

Upload Security Gateway software packages to the SmartProvisioning Package Repository on the Security Management Server or Domain Management Server.

To upload packages to the repository:

  1. Open SmartUpdate: In SmartConsole, go to the global menu > manage licenses and packages.
  2. From the menu bar, select Packages > Add and select a source:
    • From Download Center: Enter your user name and password for the Check Point Download/User Center. When your credentials are authenticated, the Get Packages from Download Center window opens, which displays the packages that are available to you. Select the ones you want and click Download.
    • From CD/DVD: Insert the CD or DVD with the package into the appliance or server. Browse to the DVD with the TGZ files that you are adding to the repository, and then click OK.
    • File: Browse to the TGZ files that you are adding to the repository, and then click OK. The software package is added to the Package Repository.

Viewing Installed Software

You can view the Check Point software packages installed on a gateway. Such packages include Security Gateway upgrades, Check Point Hotfixes that are relevant for the installed version, and Check Point HFAs.

To view the packages list on a gateway:

  1. From the Devices pane, double-click the Security Gateway.

    The window opens and shows the General tab.

  2. Click the Packages tab.

    The operating system of the gateway and all installed Check Point packages are listed.

Verifying Pre-Install

Before you install a Check Point software package on a gateway, you can test if the package is compatible with the selected gateway.

To verify package pre-installation:

  1. In the Devices work space, select a Security Gateway.
  2. From the menu bar, select Actions > Packages > Pre-Install Verifier.

    A message appears: Getting targets for install. Please wait...

    If there are packages in the Package Repository, the Verify Installation window opens.

  3. Select a listed package and click Verify.

    In the Status View > Action Status, see the verification phases in the Details column:

    • Checks connection between gateway and Security Management Server or Domain Management Server.
    • Checks for sufficient disk space on the gateway.
    • Checks that the package is not already installed.
    • Checks compatibility of package with operating system and currently installed packages.

    If the package is verified for the selected gateway, the Status column shows Completed, and the Details column shows:

    '<package>' is compatible with installed packages

Upgrading Packages with SmartProvisioning

Use the Upgrade to Management Version feature to upgrade devices to a new version of the Security Gateway software.

To upgrade Check Point software on a gateway:

  1. In the work space, select the gateway.
  2. From the menu bar, select Actions > Packages > Upgrade to Management Version.

    If there are packages in the Package Repository, installed packages are upgraded to the latest available version.

    If required packages are missing, they are listed in the Missing Packages window.

    Use SmartUpdate to add the missing packages, and rerun Upgrade to Management Version.

Distributing Packages with SmartProvisioning

Use the Distribute Packages feature to distribute Check Point Hotfixes and HFAs to the Security Gateways that can be enhanced by installing the package.

To install a Check Point package on a gateway:

  1. In the work space, select the Security Gateway.
  2. Verify that the package you want to distribute is available and appropriate for the selected gateway.
  3. From the menu bar, select Actions > Packages > Distribute Packages.

    A warning opens, which explains that using Distribute Packages, rather than Upgrade All, may lead to a mismatch between versions and malfunctions.

    To prevent this issue, make sure to use Distribute for Hotfix and HFA installations, not for upgrading to a new version.

  4. If you want to continue with this procedure, click OK.

    If there are packages in the Package Repository, the Distribute Package window opens.

  5. Select a package from the list.
  6. In the Choose action section, select an action:
    • Distribute and install packages: Download selected packages from the Package Repository and install them on the selected gateway.
    • Only distribute packages: Download selected packages from the Package Repository to the selected gateway, but do not install them yet.
    • Install previously distributed packages: Install packages that were previously distributed to the selected gateway.
  7. If the installation requires a reboot and you want the gateway to reboot automatically after the installation, select Allow reboot if required.
  8. Select Backup image for automatic revert (available only for Security Gateways). Clear this option only if disk space is a real issue.

    The image creation can take some time.

  9. If Change to a new profile after install is enabled, you must select an appropriate SmartLSM Security Profile for the gateway from the drop-down list.

    This field is enabled, and required, only if the change is necessary.

  10. Click Start.

Security Gateway Actions

You can execute immediate actions on SmartLSM Security Gateways and Security Gateway Provisioned gateways. You can run these actions on individual gateways, or on a Provisioning Profile, which effectively runs the action on all gateways assigned to this profile.

Before you begin, make sure that your administrator has permissions to Run Scripts.

Viewing Status of Remote Gateways

You can get an instant view of the status of a Security Gateway: traffic, interfaces, performance, CPU, memory, and so on.

To view status details of a selected gateway:

  1. Make sure an administrator is logged into the gateway.
  2. Select Actions > Get Status Details.

Running Scripts

You can execute complex gateway commands with your own scripts on any provisioned gateway. The Run Script feature is not available for UTM-1 Edge devices or UTM-1 Edge Provisioning Profiles.

Before you begin, make sure that your administrator has permissions to run scripts.

Running Scripts on Individual Gateways

To run a script on a single gateway:

  1. Right-click a [SmartLSM] Security Gateway and select Actions > Run Script.
  2. In the Run Script window, provide your script.
    • If you have the script in a file, select Load Script and then browse to the file.
    • You can type a script into the text box, or paste it in from another source.
  3. Click Run Script.

    The script is pushed to the gateway and runs immediately. See the Action Status tab of the Status pane to view the details of the push and execution.

    The Result pane displays the results of the script: 0 for success, any other value for failure.

  4. To save the script to a file, click Save Script.

Running Scripts by Profiles

The Run Script feature lets you use a Security Gateway Provisioning Profile to run scripts on multiple gateways.

To run a script on all gateways of a Provisioning Profile:

  1. In the tree in the main window, select Profiles.
  2. Select a Provisioning Profile and from the menu bar select Actions > Run Script.
  3. In the Run Script window, provide your script.
    • If you have the script in a file, select Load script and then browse to the file.
    • You can type a script into the text box, or paste it in from another source.
  4. Click Run Script. The script is pushed to all the gateways that use this profile.

    See the Action Status tab of the Status pane to view details of the push and execution.

    The Result pane displays the results of the script: 0 for success, any other value for failure.

  5. To save the script to a file, click Save Script.

Immediate Backup of Security Gateways

You can create a backup image of Security Gateways and SmartLSM Security Gateways. You can do this with the Action command on the gateway, or use a Provisioning Profile to create a backup image on all gateways assigned to the profile.

You can select to store backups on the gateway, or on another backup server. If you select another server, make sure you have the IP address or host name of that server, and if needed, a user name and password with Read/Write permissions.

Note - SmartProvisioning does not provide backup management for UTM-1 Edge devices or UTM-1 Edge Provisioning Profiles. UTM-1 Edge backups are managed through the UTM-1 Edge Portal (right-click > Launch UTM-1 Edge Portal), using the Export Tool. For more information, see the R75.40 UTM-1 Edge Administration Guide.

To execute an immediate backup of a Security Gateway:

  1. Right-click a [SmartLSM] Security Gateway or a UTM-1/Power-1/SecurePlatform Provisioning Profile and select Actions > Backup.
  2. If you want the backup to include Check Point logs, select Include Check Point products log files in the backup.
  3. Provide details of the device on which the backup will be stored, or select Locally on device, to store the backup file on each device.
  4. Click OK.
  5. Select Actions > Push Settings and Actions.

    The backup is created and pushed to the gateway or defined server. See the documentation of the target's operating system for Restore Backup instructions.

Applying Changes

If you make a change to a Security Gateway Provisioning Profile, or use the Actions > Backup command, no change or action is immediately applied to the gateways.

Profile changes are applied to the gateways assigned to them when the gateways fetch their profiles on interval. At this time, the gateways get the commands to pull the scripts from SmartProvisioning and execute them, or to create backup images.

However, you sometimes need to apply profile changes and actions immediately. For example, if you run a script that configures a new server behind a SmartLSM Security Gateway, you want to apply this configuration as quickly as possible, to include the server in the gateway's VPN with the CO gateway.

To apply profile changes and actions immediately:

Right-click the Provisioning Profile and select Actions > Push Settings and Actions.

Maintenance Mode

Enable Maintenance Mode on a Security Gateway when you test changes to its object configuration or Provisioning Profile. In this mode, changes are pushed from the SmartProvisioning console to the Security Management Server or Domain Management Server, but they are not pushed to the gateway.

For example:

A SmartLSM Security Gateway managed by your SmartProvisioning has operational issues. The SmartLSM Security Gateway is in a remote office which is too far away for you to manage yourself, so you ask the local system administrator to handle the issue.

However, you do not want the gateway to lose the configurations that you already made to it from your central SmartProvisioning console. Therefore, enable Maintenance Mode on this gateway.

The local administrator fixes the issue. You disable Maintenance Mode, which switches the SmartLSM Security Gateway back to centralized configuration through the SmartProvisioning console.

Note - When you disable Maintenance Mode, the central SmartProvisioning configurations override any local changes. If the local administrator discovers that changes need to be made on this gateway, make sure you have the data before you switch back.

To enable Maintenance Mode:

Right-click a Security Gateway, and select Actions > Turn on maintenance mode.
