
SmartLSM Security Profiles

In This Section:

Understanding Security Profiles

Guidelines for Basic SmartLSM Security Policies

Creating Security Policies for the Security Management Server and SmartLSM Security Gateways

Creating Security Policies for VPNs

Downloading a Security Policy to UTM-1 Edge Devices

Understanding Security Profiles

A SmartLSM Security Gateway has a SmartLSM Security Profile (created in SmartConsole), which fetches a Check Point Security Policy from the Security Management Server or Domain Management Server. This Security Policy determines the settings of the firewall.

Before you can add a SmartLSM Security Gateway to SmartProvisioning, you must:

  1. Configure a Security Policy in SmartConsole.
  2. Have at least one SmartLSM Security Profile with an installed Security Policy.

This section describes how to create a Security Policy for a SmartLSM Security Gateway managed by SmartProvisioning.

Best Practice - We recommend that you define a separate Security Policy for every SmartLSM Security Profile. In the Installation Targets section of the Security Policy, add only the SmartLSM Security Profile object.

For more about how to create Security Policies, see the R80.30 Security Management Administration Guide.

Guidelines for Basic SmartLSM Security Policies

You can use this procedure as a guideline for the creation of a Security Policy for a SmartLSM Security Profile. The Security Policy rules depend on the needs of your environment and the requirements of the SmartLSM Security Gateways that reference the SmartLSM Security Profile.

Note - This procedure uses Dynamic Objects. For more details, see Dynamic Objects.

To define a Security Policy for a SmartLSM Security Profile object:

  1. Use the LocalMachine dynamic object to represent any SmartLSM Security Gateway.
  2. Use the InternalNet, DMZnet and AuxiliaryNet dynamic objects to represent the respective networks behind any SmartLSM Security Gateway.
  3. Add rules based on the needs of your organization and the requirements for the SmartLSM Security Gateways, with Dynamic Objects whenever possible.

    Dynamic Objects make the SmartLSM Security Profile applicable to numerous gateways.

  4. To allow Push actions from SmartProvisioning, add a rule that allows an incoming FW1_CPRID service from the Security Management Server or Domain Management Server to LocalMachine.
  5. Install the Policy on the SmartLSM Security Profile object.

    This action prepares the Security Policy on the Security Management Server or Domain Management Server to be fetched by the SmartLSM Security Gateways that reference this SmartLSM Security Profile.

Creating Security Policies for the Security Management Server and SmartLSM Security Gateways

You must define explicit rules to allow management traffic between SmartLSM Security Gateways and the Security Management Server or Domain Management Server. These rules are part of the Security Policy installed on the gateway that protects the Security Management Server or Domain Management Server.

Because SmartLSM Security Gateways can have dynamic IP addresses, use "Any" as the source or destination to represent all possible SmartLSM Security Gateway addresses.

Note - For each rule listed in the table below, the Action is Accept. Where the Source or Destination is Server, use the object that represents your Security Management Server or Domain Management Server.

Rules for Traffic between SmartProvisioning Gateway and Management Server

Source | Destination | Service          | Type of Allowed Traffic
------ | ----------- | ---------------- | -----------------------
Any    | Server      | FW1              | Firewall control
Server | Any         | FW1              | Firewall control
Any    | Server      | CPD              | CPD control
Server | Any         | CPD              | CPD control
Any    | Server      | FW1_ica_pull     | Pulling certificates
Server | Any         | FW1_ica_push     | Pushing certificates
Server | Any         | FW1_CPRID        | Check Point Remote Installation Protocol, for Push actions
Any    | Server      | FW1_CPRID        | Check Point Remote Installation Protocol, for firmware updates from the gateway to the Security Management Server
Any    | Server      | FW1_log          | Logs
Server | Any         | CPD_amon         | Status monitoring
Any    | Server      | FW1_ica_services | IPsec VPN
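The table above is easy to get subtly wrong on the gateway that protects the management server: a rule can be present but shadowed by a stealth or cleanup rule placed above it, and the first-match semantics of the Access Control rulebase then silently drops the traffic. The following script is an added example (not from the guide or from Check Point) that walks a rulebase in match order and reports, for every required source/destination/service triple, whether no rule matches it or whether the first matching rule is not Accept. The rulebase is a constructed, simplified representation (one dict per rule, object names as strings), not real `show access-rulebase` output, and "MgmtServer" is a placeholder for the management server object.

```python
"""Verify that an Access Control rulebase permits the management traffic that
SmartLSM Security Gateways exchange with the Security Management Server (the
table above).  Added example, not the guide's own code.  The rulebase is a
constructed, simplified representation (one dict per rule, object names as
strings), not real 'show access-rulebase' output; "MgmtServer" is a
placeholder for the management server object."""
import copy
from typing import Dict, List, Tuple

Triple = Tuple[str, str, str]

# (source, destination, service) from the table; "Server" is resolved to the
# management server object name at check time.
REQUIRED: List[Triple] = [
    ("Any", "Server", "FW1"),          ("Server", "Any", "FW1"),
    ("Any", "Server", "CPD"),          ("Server", "Any", "CPD"),
    ("Any", "Server", "FW1_ica_pull"), ("Server", "Any", "FW1_ica_push"),
    ("Server", "Any", "FW1_CPRID"),    ("Any", "Server", "FW1_CPRID"),
    ("Any", "Server", "FW1_log"),      ("Server", "Any", "CPD_amon"),
    ("Any", "Server", "FW1_ica_services"),
]

# Constructed sample rulebase, in match order.  The stealth rule sits above
# the cleanup rule, as is usual on the gateway protecting the server; note
# that FW1_ica_services is missing from the "Gateways to mgmt" rule.
SAMPLE_RULES: List[Dict] = [
    {"name": "Mgmt to gateways", "source": ["MgmtServer"], "destination": ["Any"],
     "service": ["FW1", "CPD", "FW1_ica_push", "FW1_CPRID", "CPD_amon"],
     "action": "Accept"},
    {"name": "Gateways to mgmt", "source": ["Any"], "destination": ["MgmtServer"],
     "service": ["FW1", "CPD", "FW1_ica_pull", "FW1_CPRID", "FW1_log"],
     "action": "Accept"},
    {"name": "Stealth", "source": ["Any"], "destination": ["MgmtServer"],
     "service": ["Any"], "action": "Drop"},
    {"name": "Cleanup", "source": ["Any"], "destination": ["Any"],
     "service": ["Any"], "action": "Drop"},
]


def _covers(cell: List[str], wanted: str) -> bool:
    """A rule cell covers the requirement if it is Any or lists the object.
    A requirement of "Any" (gateways with dynamic IPs) needs a cell of Any."""
    return "Any" in cell or (wanted != "Any" and wanted in cell)


def check_rulebase(rules: List[Dict], server: str = "MgmtServer"):
    """First-match walk: for each required triple, find the first rule wide
    enough to match it.  Returns (missing, blocked): triples no rule matches,
    and triples whose first matching rule is not Accept (shadowed)."""
    missing, blocked = [], []
    for src, dst, svc in REQUIRED:
        want_src = server if src == "Server" else src
        want_dst = server if dst == "Server" else dst
        hit = next((r for r in rules
                    if _covers(r["source"], want_src)
                    and _covers(r["destination"], want_dst)
                    and _covers(r["service"], svc)), None)
        if hit is None:
            missing.append((src, dst, svc))
        elif hit["action"] != "Accept":
            blocked.append(((src, dst, svc), hit["name"]))
    return missing, blocked


def with_service_added(rules: List[Dict], rule_name: str, service: str) -> List[Dict]:
    """Return a copy of the rulebase with `service` added to the named rule."""
    fixed = copy.deepcopy(rules)
    for r in fixed:
        if r["name"] == rule_name:
            r["service"].append(service)
    return fixed


if __name__ == "__main__":
    missing, blocked = check_rulebase(SAMPLE_RULES)
    print("missing:", missing)
    print("blocked:", blocked)   # FW1_ica_services is shadowed by Stealth
```

On the sample rulebase the check reports no missing triples (the cleanup rule matches everything) but flags `FW1_ica_services` from Any to the server as blocked by the Stealth rule; adding the service to the "Gateways to mgmt" rule clears the finding. The check only considers rules at least as wide as the requirement, so a narrower Drop rule placed above an Accept (partial shadowing) is not detected; extend `_covers` with network objects if that matters in your environment.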

Creating Security Policies for VPNs

To create a VPN tunnel from a SmartLSM Security Gateway to a CO gateway, create a Security Policy for this encrypted traffic. As in the basic Security Policy, use Dynamic Objects. This localizes the policy for each SmartLSM Security Gateway that references the SmartLSM Security Profile.

To create a VPN Security Policy for a SmartLSM Security Profile:

  1. Define a Star VPN Community.

    Configure all the relevant authentication and encryption properties for it. To learn more, see the R80.30 Site to Site VPN Administration Guide.

  2. Add the CO gateway as a Central Gateway.

    Make sure the CO gateway is configured with a static IP address.

  3. Add the SmartLSM Security Profile that represents the SmartLSM Security Gateways as a Satellite Gateway.
  4. Add rules that allow relevant VPN traffic.

    Example: This rule allows encrypted telnet traffic that matches the community criteria.

Example — Telnet Through VPN Traffic Rule

Source | Destination | Service | VPN       | Action | Install On
------ | ----------- | ------- | --------- | ------ | ----------
Any    | Any         | Telnet  | Community | Accept | Any

  5. Add a rule to allow Push actions from SmartProvisioning: allow FW1_CPRID service from the Security Management Server or the Domain Management Server to LocalMachine.
  6. Install the Security Policy on the SmartLSM Security Profile object.
  7. Update the CO gateway with the new or changed SmartLSM Security Profiles. In SmartProvisioning, click Update Corporate Office Gateway.
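The basic profile policy in "Guidelines for Basic SmartLSM Security Policies" (dynamic objects for the gateway and its networks, plus the FW1_CPRID push rule) and the VPN rule from the procedure above can also be created with the Check Point Management API (`mgmt_cli add access-rule`, `mgmt_cli publish`, `mgmt_cli install-policy`) instead of SmartConsole, which makes the profile policy reviewable as text. The script below is an added example, not code from the guide or from Check Point. It assumes placeholder names for the Access Control layer ("Network"), the policy package ("Standard"), the SmartLSM Security Profile object ("LSM_Profile"), the management server object ("MgmtServer") and the Star VPN Community ("LSM_Community"); the rule names are made up. LocalMachine, InternalNet and DMZnet are the dynamic objects named on the page, and FW1_CPRID, http, https and telnet are Check Point predefined services.

```python
"""Generate Check Point Management API (mgmt_cli) commands for a SmartLSM
Security Profile policy.  Added example, not the guide's own code.
Assumptions (placeholders): layer "Network", package "Standard", profile
object "LSM_Profile", management server object "MgmtServer", VPN community
"LSM_Community"; the rule names are made up.  The dynamic objects
(LocalMachine, InternalNet, DMZnet) and the services (FW1_CPRID, http,
https, telnet) are Check Point predefined objects."""
import shlex
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rule:
    name: str
    source: List[str]
    destination: List[str]
    service: List[str]
    action: str = "Accept"
    vpn: str = "Any"                       # "Any" or a VPN community name
    # The page's best practice: install only on the profile object.  (The
    # page's VPN example table shows Install On = Any; the profile is narrower.)
    install_on: List[str] = field(default_factory=lambda: ["LSM_Profile"])


def _list_args(key: str, values: List[str]) -> List[str]:
    # mgmt_cli list syntax: key.1 value1 key.2 value2 ...
    return [f"{key}.{i} {shlex.quote(v)}" for i, v in enumerate(values, 1)]


def rule_command(rule: Rule, layer: str = "Network") -> str:
    """One 'mgmt_cli add access-rule' line, appended at the bottom of the layer."""
    parts = ["mgmt_cli add access-rule",
             f"layer {shlex.quote(layer)}", "position bottom",
             f"name {shlex.quote(rule.name)}"]
    parts += _list_args("source", rule.source)
    parts += _list_args("destination", rule.destination)
    parts += _list_args("service", rule.service)
    parts += [f"vpn {shlex.quote(rule.vpn)}", f"action {shlex.quote(rule.action)}"]
    parts += _list_args("install-on", rule.install_on)
    return " ".join(parts)


def install_command(package: str = "Standard", targets=("LSM_Profile",)) -> str:
    """Install the package on the profile object only, so the SmartLSM gateways
    that reference the profile can fetch it."""
    return (f"mgmt_cli install-policy policy-package {shlex.quote(package)} "
            + " ".join(_list_args("targets", list(targets))))


def profile_policy_rules(mgmt_server: str = "MgmtServer",
                         community: str = "LSM_Community") -> List[Rule]:
    return [
        # Guideline steps 2-3: a rule written with dynamic objects, so it
        # resolves to each gateway's own networks.
        Rule("Internal to DMZ web", ["InternalNet"], ["DMZnet"], ["http", "https"]),
        # VPN procedure, step 4: encrypted telnet matching the community.
        Rule("Telnet through VPN", ["Any"], ["Any"], ["telnet"], vpn=community),
        # Guideline step 4 / VPN step 5: allow SmartProvisioning Push actions
        # (FW1_CPRID from the management server to the gateway itself).
        Rule("Allow CPRID push", [mgmt_server], ["LocalMachine"], ["FW1_CPRID"]),
    ]


def policy_script(layer: str = "Network", package: str = "Standard") -> List[str]:
    lines = [rule_command(r, layer) for r in profile_policy_rules()]
    lines.append("mgmt_cli publish")            # commit the session changes
    lines.append(install_command(package))      # guideline step 5 / VPN step 6
    return lines


if __name__ == "__main__":
    print("\n".join(policy_script()))
```

Run it and paste the printed lines into a logged-in `mgmt_cli` session (or feed them to `mgmt_cli -s <session-file>`); `shlex.quote` protects rule names that contain spaces. The generated rules use `position bottom`, so review the existing layer first if a cleanup rule already sits at the bottom.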

Downloading a Security Policy to UTM-1 Edge Devices

SmartLSM Security Gateways on UTM-1 Edge devices can get security policies from the Security Management Server or Domain Management Server through the UTM-1 Edge Portal. You can use this option if, for some reason, SmartProvisioning is unable to fetch the SmartLSM Security Profile or unable to push the Security Policy.

To download a Security Policy to a SmartLSM Security Gateway from the UTM-1 Edge Portal:

  1. Log in from the UTM-1 Edge portal to my.firewall.
  2. Select Services > Accounts > Refresh, or select Services > Software Updates > Update Now.
  3. The UTM-1 Edge SmartLSM Security Gateway polls for updates, and downloads the latest Security Policy.

To verify a successful download:

  1. Log in from the UTM-1 Edge portal to my.firewall.
  2. Select Reports > Event Log.
  3. Find this message:
    Installed updated Security Policy (downloaded).
  4. Select Setup > Tools > Diagnostics.
  5. Verify that the SmartLSM Security Profile in the Policy field is the UTM-1 Edge Profile that references the correct Security Policy.