Introduction to SmartProvisioning

In This Section: Check Point SmartProvisioning Supported Features SmartProvisioning Objects

Check Point SmartProvisioning

SmartProvisioning lets you manage multiple gateways from one Security Management Server or Multi-Domain Security Management. SmartProvisioning defines, manages, and provisions (remotely configures) large-scale deployments of Check Point Security Gateways:

• SmartProvisioning helps you manage the load on the Security Gateways. The policy is not installed on all Security Gateways simultaneously, but the gateways fetch the policy at different time intervals.
• The SmartProvisioning management concept is based on profiles, which help you manage your gateways more efficiently. With these profiles, you can define the gateway settings once and then assign each profile to multiple gateways, as needed. For example, when you select which blades to enable in the LSM Profile, the selected blades are enabled on all gateways which are assigned to the Profile.

  SmartProvisioning supports two types of profiles: Security Profiles, which define the security settings, and Provisioning Profiles, which define the device settings. SmartProvisioning is efficient for use in large enterprises with many branch offices, where the branch offices have identical or similar characteristics. You can use a relatively small number of Security Profiles or Provisioning Profiles to manage a much larger number of gateways.

Note - SmartProvisioning is not available for members of SmartLSM cluster.

Supported Features

SmartProvisioning provides these features:

• Central management of security policies, gateway provisioning, remote gateway boot, and Dynamic Object value configurations
• Automatic Profile Fetch for large deployment management and provisioning
• All Firewall features supported by DAIP gateways, including DAIP and static IP address gateways
• Easy creation and maintenance of VPN tunnels between SmartLSM Security Gateways and CO gateways, including generation of IKE certificates for VPN, from third-party CA Servers or Check Point CA
• Automatic calculation of anti-spoofing information for SmartLSM Security Gateways
• Log tracking for gateways based on unique, static IDs; with local logging for reduced logging load
• High level and in-depth status monitoring
• Complete management of licenses and packages, Client Authentication, Session Authentication and User Authentication
• Command Line Interface to manage SmartLSM Security Gateways
• Support of Check Point 1100, 1200R and 1400 Appliances

SmartProvisioning Objects

SmartProvisioning manages SmartLSM Security Gateways and enables provisioning management for Check Point Security Gateways:

Gateways

SmartProvisioning manages and provisions different types of gateways.

• SmartLSM Security Gateways: Remote gateways which provide firewall security to local networks, and the security policies are managed from a central Security Management Server or Domain Management Server. When remote gateways are defined through SmartLSM Security Profiles, a single system administrator or a smaller team can manage the security of all your networks. You can assign a Provisioning Profile to SmartLSM Security Gateways to manage device settings.
• CO Gateways: Standard Security Gateways that act as central Corporate Office headquarters for the SmartLSM Security Gateways. The CO gateway is the hub of a Star VPN, and the satellites are SmartLSM Security Gateways. The SmartLSM Security Gateways are represented in the VPN Community object by the applicable Security Profile object. The CO gateway has a static IP address, which ensures continued communications with SmartLSM Security Gateways that have dynamic IP addresses.
• Provisioned Gateways: Non-SmartLSM gateways with an assigned provisioning profile. A provisioning profile defines the device settings, such as interfaces, routing and DNS.

  Note - You cannot use SmartProvisioning with externally managed gateways.

Profiles

SmartProvisioning uses different types of profiles to manage and provision the gateways:

• SmartLSM Security Profiles: Defines a Check Point Security Policy and other security-based settings for a type of SmartLSM Security Gateway. A SmartLSM Security Profile can hold the configuration for multiple SmartLSM Security Gateways. All SmartLSM Security Gateways must have a SmartLSM Security Profile. You configure and manage SmartLSM Security Profiles in SmartConsole.
• Provisioning Profiles: Defines the device settings. Among others, it sets the interfaces, routing and DNS settings. CO gateways, SmartLSM Security Gateways, and non-SmartLSM gateways can have Provisioning Profiles, if they are Check Point supported Security Gateways. You configure and manage the Provisioning Profiles in SmartProvisioning. Configuration options and features for Provisioning Profiles differ according to the device type.

Profile Fetching

All gateways managed by SmartProvisioning fetch their assigned profiles from the Security Management Server or Domain Management Server. Define the SmartLSM Security Profiles and Security Policies in SmartConsole. Define Provisioning Profiles in SmartProvisioning when you prepare the gateway settings on the SmartProvisioning database. The profile definition procedures do not push the profile to any specific gateway.

Managed gateways fetch their profiles periodically. Each gateway randomly selects a time slot within the fetch interval.

When a fetched profile differs from the previous profile, the gateway is updated with the changes. Updated Security Management Server or Domain Management Server security policies are automatically installed on SmartLSM Security Gateways, and gateways with Provisioning Profiles are updated with management changes.

In addition to the profile settings, the properties of the gateway are used to localize the profile changes for each gateway. One profile can update potentially thousands of gateways, each with the new common properties, while it maintains its own local settings.

VPNs and SmartLSM Security Gateways

This section explains how your SmartLSM Security Gateways in a virtual private network (VPN) secure communications within your organization.

SmartProvisioning supports the inclusion of SmartLSM Security Profiles as members in Star VPN Communities (as satellites). When a Star VPN Community contains a SmartLSM Security Profile as a satellite, the settings of the community apply both to the Corporate Office (CO) gateway and to the SmartLSM Security Gateways.

You can establish a VPN tunnel from a SmartLSM Security Gateway to a static IP address CO gateway (similar to the way that DAIP gateways establish VPN tunnels to static IP gateways). A CO gateway recognizes and authenticates an incoming VPN tunnel as a tunnel from a SmartLSM Security Gateway, with the IKE Certificate of the SmartLSM Security Gateway. The CO gateway treats the peer SmartLSM Security Gateway as if it were a DAIP gateway, whose properties are defined by the SmartLSM Security Profile to which the gateway is assigned. A CO gateway can also initiate a VPN tunnel to a SmartLSM Security Gateway.

You can establish a VPN tunnel for SmartLSM-to-SmartLSM, or SmartLSM-to-other gateway configurations, through the CO gateway.