Security Profiles for Check Point Appliance Security Gateways

In This Section:

Creating SmartLSM Security Profiles

Creating Check Point Security Gateways in SmartProvisioning

Handling SmartLSM Security Gateway Messages

Creating SmartLSM Security Profiles

A SmartLSM Security Gateway must have a SmartLSM Security Profile, which fetches a Check Point Security Policy from the Security Management Server or Domain Management Server. This Security Policy determines the settings of the firewall.

Before you can add a SmartLSM Security Gateway to SmartProvisioning, you must create the Security Policies and Security Profiles for them in SmartConsole.

This procedure describes how to create a SmartLSM Security Profile for Security Gateways. After you create a Security Profile, you can assign the gateway objects to it.

To create a SmartLSM Security Profile:

  1. In SmartConsole, go to Menu > Manage policies and layers > Policies > New.
  2. Create a Security Policy and save it.
  3. In the Global Toolbar, go to New Object > LSM Profile, and select the type of profile you wish to create.

    The SmartLSM Security Profile window opens.

  4. Configure the Profile properties.

    To open the online help for each view of this window, click Help.

    Note - In a High Availability environment, click Add. The Add Masters window opens. In the Available Management Stations column, select all servers, click Add, and then click OK.

  5. Click OK.
  6. Install Policy on the LSM Security Profile you created.
    1. Click Install Policy.

      The Install Policy window opens.

    2. Select the SmartLSM Security Profile object.
    3. Click Install.

      Do these steps again for each SmartLSM Security Profile. Make a new profile for each type of appliance or server.

Creating Check Point Security Gateways in SmartProvisioning

This procedure describes how to add a Check Point Appliance/Open Server Security Gateway to SmartProvisioning.

Before you begin, you must have at least one SmartLSM Security Profile.

To add a SmartLSM Security Gateway to SmartProvisioning:

  1. In the navigation tree, click Devices.
  2. From the Launch Menu, select File > New > Check Point Appliance/Open Server Gateway.

    The wizard opens in a new window. Follow the steps to define the gateway.

  3. Enter a name for the gateway and optional comments, and click Next.

    This name is for SmartProvisioning management purposes and can be different from the name of the gateway device.

  4. In the More Information page, configure these settings:
    1. OS: Select the Operating System of the gateway.
    2. SmartLSM Gateway: Select the version that is installed on the gateway.
    3. Security Profile: Select a SmartLSM Security Profile object created in SmartConsole.
    4. Enable Provisioning: Select to assign Provisioning Profiles to this gateway.

      Clear this option only if you are sure that Provisioning Profiles would have a negative impact on this gateway.

      • No Provisioning Profile: Select to enable provisioning for this gateway, and leave the actual assignment of Provisioning Profile for later.
      • Provisioning Profile: Select a Provisioning Profile to assign to this gateway.
  5. Click Next.
  6. In the SmartLSM Security Gateway Communication Properties page, define an Activation Key in the Authentication pane.

    An activation key sets up a Secure Internal Communication (SIC) Trust between the Security Gateway and the Security Management Server or Domain Management Server. This is the same activation key that you provide in the SIC tab of the Check Point Configuration Tool (cpconfig) on the Security Gateway.

    Use one of these options to provide an activation key:

    • Initiate trusted communication securely by using a one-time password: enter a password, and then enter it again in the Confirm one-time password field.
    • Initiate trusted communication with an auto-generated one-time password: click Generate. The Generated Activation Key window opens and displays the key in clear text. Save the key so you can enter it on the Security Gateway for SIC initialization, and click Accept.

    The activation key is the only secret that bootstraps SIC trust between the gateway and the management server, so deliver it to the gateway administrator out of band, use it once, and do not reuse one key for several gateways.
  7. In the Trusted Communication Initiation pane, select one of these options:
    • Initiate trusted communication automatically when the Gateway connects to the Security Management Server for the first time.
    • If you know the IP address of this SmartLSM Security Gateway, select Initiate trusted communication now using the following IP address and enter the IP address in the field. When you complete this step, the SIC certificate is pushed to the Security Gateway.
  8. Click Next.
  9. If you want a VPN certificate from the Internal Check Point CA (ICA), select I wish to create a VPN Certificate from the Internal CA.

    If you want a VPN certificate from a third-party CA (for example, if your organization already has certificates from an external CA for other devices), clear this check box and request the certificate from the appropriate CA server after you complete the wizard.

  10. To continue the gateway configuration, select the Edit SmartLSM Security Gateway properties after creation.
  11. Click Finish.

Handling SmartLSM Security Gateway Messages

This section explains how to handle messages that may appear after you finish the wizard to add a Check Point Appliance/Open Server or UTM Security Gateway, during the SmartProvisioning processing of the gateway object.

Activation Key is Missing

If you did not generate or select an Activation Key for SIC setup during the wizard, a message appears:

'Activation Key' for the Gateway SIC setup is missing.
Do you want to continue?

Click Yes to define the gateway now and handle the SIC setup later; or click No and then Back to return to the Communication Properties page.

To handle the SIC setup after the gateway is added:

  1. Right-click the required gateway > Edit Gateway.
  2. In the General tab > Secure Internal Communication, click Communication.

    The Communication window opens, with the same fields as the Communication Properties page of the wizard.

  3. Generate or provide an Activation Key.
  4. Click Close to close the Communication window and then click OK.
  5. Open the Check Point Configuration tool (cpconfig) on the Security Gateway and reset SIC, then initialize it with the new Activation Key.

Operation Timed Out

When you add a new SmartLSM Security Gateway, SmartProvisioning connects to both the Security Management Server or Domain Management Server and the SmartLSM Security Gateway, to match and initialize the SIC and VPN certificates.

If the Operation Timed Out message shows, the most common cause is that SmartProvisioning cannot reach the Security Management Server or Domain Management Server, or cannot reach the SmartLSM Security Gateway. The gateway is still added to SmartProvisioning, but you must check the certificate status.

To view trust status:

  1. Double-click the gateway in the work space.

    The SmartLSM Security Gateway window opens.

  2. In the General tab > Secure Internal Communication, click Communication.
  3. Check the value of Certificate state. If the value is not Initialized, pull the SIC certificate from the Security Management Server or Domain Management Server.

Complete the Initialization Process

If you generated an Activation Key or provided an Activation Key file, but were not able to provide the IP address of the SmartLSM Security Gateway, this message shows:

To complete the initialization process, use the Check Point Configuration tool on the SmartLSM Security Gateway, to pull the certificate from the Security Management Server.

Note - For Multi-Domain Security Management, this message says Domain Management Server, in place of Security Management Server.

To complete the initialization process:

  1. Click OK.
  2. Open the Check Point Configuration tool (cpconfig):

    From the CLI on a Gaia, SecurePlatform, or Linux-based Security Gateway, run cpconfig.

  3. According to the specific SIC or Communication options, reset and initialize the SIC with the Activation Key of the Security Management Server or Domain Management Server.
  4. Restart Check Point services on the SmartLSM Security Gateway.
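The following script is an added example, not part of this guide or of Check Point's own tooling. It covers the two gateway-side pieces of the procedures above: generating a one-time activation key with enough entropy for the Communication Properties page, and completing SIC initialization non-interactively on the gateway instead of walking the cpconfig menu (reset, init with the key, restart services, then check state; or pull the certificate when the management side could not push it). It assumes the cp_conf syntax documented for Gaia (cp_conf sic reset / init / state / cert_pull) and that cpstop and cpstart are on the PATH; the functions that call them refuse to run anywhere else.

```shell
#!/bin/sh
# Added example (not Check Point's code). Assumes Gaia cp_conf syntax:
#   cp_conf sic reset
#   cp_conf sic init <Activation Key> [norestart]
#   cp_conf sic cert_pull <Management Server IP> <Gateway Object Name>
#   cp_conf sic state

# gen_activation_key [LEN]: LEN alphanumeric characters from OS randomness.
# Alphanumeric only, so the key pastes cleanly into cpconfig and the wizard.
gen_activation_key() {
  len="${1:-20}"
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# check_activation_key KEY: a weak one-time password bounds the security of
# the whole trust bootstrap, so reject short keys and unexpected characters.
check_activation_key() {
  k="$1"
  [ "${#k}" -ge 12 ] || return 1
  case "$k" in
    *[!A-Za-z0-9]*) return 1 ;;
  esac
  return 0
}

# require_cp_conf: the SIC commands only make sense on the Security Gateway.
require_cp_conf() {
  command -v cp_conf >/dev/null 2>&1 && return 0
  echo "cp_conf not found: run this on the Security Gateway" >&2
  return 3
}

# init_sic KEY: reset SIC, initialize it with KEY, restart Check Point
# services (the guide's step 4), then print the resulting SIC state.
init_sic() {
  key="$1"
  check_activation_key "$key" || { echo "weak or malformed activation key" >&2; return 2; }
  require_cp_conf || return 3
  cp_conf sic reset
  cp_conf sic init "$key" norestart
  cpstop && cpstart
  cp_conf sic state
}

# pull_cert MGMT_IP OBJECT_NAME: for the "Complete the Initialization Process"
# case, where no gateway IP was given and the certificate must be pulled.
# OBJECT_NAME is the gateway's object name in SmartProvisioning.
pull_cert() {
  require_cp_conf || return 3
  cp_conf sic cert_pull "$1" "$2"
  cp_conf sic state
}

# Usage on the management side (generate a key to paste into the wizard):
#   gen_activation_key
# Usage on the gateway, with the same key:
#   init_sic 'Kj8sd...'
#   pull_cert 192.0.2.10 gw-branch-01
```

The key is printed once and never written to disk; if you need to hand it to a remote administrator, do so out of band, because anyone who holds it before the gateway does can establish SIC as that gateway. Keep the norestart flag and the explicit cpstop/cpstart so the restart happens at a moment you control rather than in the middle of the command.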