
Use Case

In This Section:

Scenario

Deployment Considerations

Workflow for creating the SmartProvisioning environment

Configuration

This chapter describes an example scenario of a multiple gateway environment run by SmartProvisioning. This use case leads you through all the steps you must take to configure a SmartProvisioning environment. Note that this is an example scenario only which fits a particular environment. You can use SmartProvisioning to create any type of deployment which best fits your environment.

Scenario

A Bank has 1,000 ATMs and 300 branches deployed in a certain country.

The Bank administrator can define security profiles and provisioning profiles to manage the gateways efficiently.

Deployment Considerations

Number of Security Profiles

The Bank's ATMs transfer information to a main processing server. The route that needs to be secured is the route of each ATM to the ATM processing server. The needs of a branch are different. Each branch needs to transfer information to certain departments in the Bank's headquarters, like the Human Resources department, the Finance department and so on. Each branch also needs an external internet connection.

The ATM gateways and the Branch gateways therefore, must have different Security Policies. The Bank administrator must create 2 separate Security Profiles, one for the ATM gateways and one for the branch gateways.

VPN

All gateways, both the 1100 gateways and the 3200 gateways, send their information to the main gateway at the Bank's headquarters. To make sure that the connection between the gateways and the main gateway is secure, create a VPN community for the Bank's gateways. The VPN Community must be a star community. A Star VPN Community is a "hub and spoke" community in which a central gateway (the hub) creates tunnels only with the satellites (the spokes). In our example, define the Bank Headquarters gateway as the CO gateway, and define the ATM Security Profile and the Branch Security Profile as the satellites.
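An added model of the star community described above (example code, not Check Point's): it computes which gateway pairs hold a direct tunnel and the path a flow takes between two satellites, so you can see that ATM-to-branch traffic must hair-pin through the headquarters hub, where its policy is enforced. Gateway names are constructed; the mesh flag models the optional satellite-to-satellite setting.

```python
"""Added model of a star ("hub and spoke") VPN community; not Check Point code.
Names below are constructed for the bank scenario on this page."""
from itertools import combinations


def star_tunnels(center: str, satellites: list, mesh_satellites: bool = False) -> set:
    """Return the set of gateway pairs that hold a direct VPN tunnel.

    In a star community the center (hub) builds tunnels only with the
    satellites (spokes). Satellite-to-satellite tunnels exist only when the
    community is configured to mesh the satellites (modelled by the flag)."""
    tunnels = {frozenset((center, s)) for s in satellites}
    if mesh_satellites:
        tunnels |= {frozenset(p) for p in combinations(satellites, 2)}
    return tunnels


def vpn_path(src: str, dst: str, center: str, tunnels: set) -> list:
    """Hops an encrypted flow takes from src to dst; [] if the community has no path."""
    if frozenset((src, dst)) in tunnels:
        return [src, dst]
    if frozenset((src, center)) in tunnels and frozenset((center, dst)) in tunnels:
        # Hair-pinned through the hub, so the hub's Access Control policy sees it.
        return [src, center, dst]
    return []


# Constructed example: HQ is the CO (center) gateway, and the two SmartLSM
# Security Profiles stand in for all the ATM and branch gateways (satellites).
HQ = "bank-hq"
ATM_PROFILE = "atm-profile"
BRANCH_PROFILE = "branch-profile"
BANK_TUNNELS = star_tunnels(HQ, [ATM_PROFILE, BRANCH_PROFILE])
```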

Number of Provisioning Profiles

The decision of how many Provisioning Profiles to create can be the result of many factors. For example:

Therefore, we must create a separate Provisioning Profile for each set of gateways. In our example, we create 2 provisioning profiles, one for each type of device.

Workflow for creating the SmartProvisioning environment

To manage the gateways with SmartProvisioning, you must take these steps:

  1. Enable SmartProvisioning support on the Security Management Server.
  2. Enable SmartProvisioning support on all Gaia Security Gateways which you wish to manage with SmartProvisioning.
  3. Enable SmartProvisioning on the CO gateway.
  4. Create a Security Profile for the gateways that protect the ATMs.
  5. Create a Security Profile for the gateways that manage the branches.
  6. Create a Star VPN Community.
  7. Create Provisioning Profiles for the gateways that manage the ATMs.
  8. Create Provisioning Profiles for the gateways that manage the branches.

Configuration

To enable SmartProvisioning support on the Security Management Server:

Obtain a license for SmartProvisioning, and add the license to the Security Management Server or Domain Management Server, with cpconfig or SmartUpdate.

You can also use the cplic command to add the license.

To enable SmartProvisioning support on a gateway:

  1. From the CLI, run these commands in Expert mode:

    LSMenabler -r on

    cpstop

    cpstart

  2. Run cpconfig.
  3. Go to ROBO Interfaces and define an External interface.

Note - This procedure is not required for Small Office Appliance gateways.

To enable SmartProvisioning on the CO gateway:

On the Check Point Security Gateway, run this command in Expert mode:

    LSMenabler on

To create a Security Profile:

  1. In SmartConsole, go to Menu > Manage policies and layers > Policies > New, create a Security Policy and save it.
  2. Go to Menu > New Object > LSM Profile:
    • For the ATM gateways, select New Small Office Appliance Gateway.
    • For the branches gateways, select New Check Point Appliance/Open Server Gateway.
  3. In the SmartLSM Security Profile window, configure the settings for the SmartLSM Security Profile, according to the type of profile:

    For the ATM gateways, configure these settings:

    1. In the General Properties tab, enable IPSec VPN.
    2. In the Platform section > Hardware, select 1100 Appliances.
    3. In the IPSec VPN tab, click Add to enter the VPN community in which the LSM Security Profile is a member.
    4. Optional: In the Fetch Policy tab:
      1. This page specifies the default Security Management Server from which to fetch the policy. Click Add to enter a different Security Management Server.
      2. In the Fetch policy from the Security Management Server section, there is a predefined schedule for fetching the policy. Click New to define a new schedule.

    For the branch gateways, configure these settings:

    1. In the General Properties tab, enable IPSec VPN and IPS.
    2. In the IPSec VPN tab, click Add to enter the VPN community in which the LSM Security Profile is a member.
    3. Optional: In the Fetch Policy tab:
      1. This page specifies the default Security Management Server from which to fetch the policy. Click Add to enter a different Security Management Server. In a High Availability environment, click Add to add one or more Security Management Servers.
      2. In the Fetch policy from the Security Management Server section, there is a predefined schedule for fetching the policy. Click New to define a new schedule.
  4. Click OK.
  5. Install the Security Policy on the SmartLSM Security Profile.
    1. Click Install Policy.

      The Install Policy window opens.

    2. Select the SmartLSM Security Profile object.
    3. Click Install.
  6. Open SmartProvisioning and add the SmartLSM Security Gateways. In the Finish page, make sure you select I wish to create a VPN Certificate from the Internal CA.

To create a star VPN community:

  1. In SmartConsole, go to Security Policies > Access Control > Access Tools > VPN Communities.
  2. Click New > Star Community.
  3. In the Gateways tab:
    1. In Center Gateways, click the + sign and add the Headquarters gateway from the drop-down list.
    2. In Satellite Gateways:
      1. Click the + sign to add the ATM gateways Security Profile.
      2. Click the + sign again to add the branch gateways Security Profile.
  4. In Security Policies > Access Control > Policy, create a Rule Base for the VPN Community.
  5. Install the Access Control Policy on the CO Gateway.
  6. Open SmartProvisioning, and in the toolbar click the Update Corporate Office Gateway button.

To configure VPN properties on the gateways:

  1. In SmartProvisioning, double-click the gateway.
  2. In the Topology tab, select All IP addresses behind the gateway based on interfaces information.
  3. In the Interfaces tab, select Manage Settings on the Device.

To create a Provisioning Profile:

  1. Open SmartProvisioning.
  2. From the Launch Menu, select File > New > Provisioning Profile.

    The New Provisioning Profile Wizard opens.

  3. Enter a name for the profile.
  4. From the Select Type drop-down list, select the platform or operating system to be supported by this profile:
    • For the ATM gateway profile, select Small Office Appliance
    • For the branch gateway profile, select Gaia

    Each Provisioning Profile can support only one operating system.

  5. Click Next.
  6. If you want to configure the settings of the Provisioning Profile now, select Edit Provisioning Profile properties after creation.
  7. Click Finish.

To configure the settings of a provisioning profile:

For each set of configurations managed with a Provisioning Profile, you can decide which settings take precedence: local (not provisioned) or central (from the Provisioning Profile, or from the individual gateway object in SmartProvisioning).

  1. In the Profile window, click any category tab (other than General).
  2. Select Manage settings centrally from this application: Each gateway assigned to this profile gets its configuration for this setting from the Provisioning Profile or from the SmartProvisioning gateway object.
  3. Click Advanced.

    The Profile Settings window opens.

  4. Select Allowed. This means that you can override the profile settings with device-local settings, or with changes to these settings in the SmartProvisioning device window. You can also leave the profile settings as they are.
  5. Click OK.
  6. Configure the Settings for each tab.

For a more detailed explanation of the configuration options, see Configuring Profile Settings.
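The precedence rules above, as an added Python model (example code, not Check Point's) that resolves the effective value of each setting on a gateway and reports configuration drift from the profile, which is what an auditor of a large ATM estate wants to check. The dataclasses, the sample profile and gateway are constructed; the assumption that an override made in the SmartProvisioning device window takes priority over a device-local value is this model's own, since the page does not state that ordering.

```python
"""Added model of provisioning-profile precedence; not Check Point code.
Assumption of this model: a device-window override beats a device-local value."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Any


@dataclass
class ProfileSetting:
    name: str
    value: Any                      # value defined in the Provisioning Profile
    central: bool = True            # "Manage settings centrally from this application"
    override_allowed: bool = False  # "Allowed" in the Profile Settings window


@dataclass
class Gateway:
    name: str
    local: dict = field(default_factory=dict)   # device-local (not provisioned) values
    device: dict = field(default_factory=dict)  # values changed in the SmartProvisioning device window


def resolve(setting: ProfileSetting, gw: Gateway) -> tuple:
    """Return (effective value, where it came from) for one setting on one gateway."""
    if not setting.central:
        return gw.local.get(setting.name), "local"           # not provisioned at all
    if setting.override_allowed:
        if setting.name in gw.device:
            return gw.device[setting.name], "device-window"  # assumed to win over local
        if setting.name in gw.local:
            return gw.local[setting.name], "local-override"
    return setting.value, "profile"                           # enforced from the profile


def drift(profile: list, gw: Gateway) -> dict:
    """Audit helper: settings whose effective value differs from the profile value."""
    report = {}
    for s in profile:
        value, source = resolve(s, gw)
        if value != s.value:
            report[s.name] = (s.value, value, source)
    return report


# Constructed sample: an ATM profile and one gateway assigned to it.
ATM_PROFILE = [
    ProfileSetting("dns", "10.0.0.53"),                              # central, no override
    ProfileSetting("ntp", "ntp.hq.example", override_allowed=True),  # central, override Allowed
    ProfileSetting("hostname", "atm-default", central=False),        # left to the device
]
ATM_0042 = Gateway("atm-0042",
                   local={"dns": "8.8.8.8", "ntp": "pool.ntp.org", "hostname": "atm-0042"},
                   device={"ntp": "ntp2.hq.example"})
```

Run `drift(ATM_PROFILE, ATM_0042)` over each gateway assigned to a profile to list where devices diverge from the central configuration and through which override path.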