Security Profiles for UTM-1 Edge SmartLSM Security Gateways

In This Section:

Creating UTM-1 Edge SmartLSM Security Profiles

Creating UTM-1 Edge SmartLSM Security Gateways in SmartProvisioning

Handling New UTM-1 Edge SmartLSM Messages

Customized UTM-1 Edge Configurations

Creating UTM-1 Edge SmartLSM Security Profiles

Features and maintenance for SmartLSM Security Gateways on UTM-1 Edge are different from similar procedures for SmartLSM Security Gateways on other hardware platforms.

You must assign a SmartLSM Security Profile to every SmartLSM Security Gateway. The Security Profile fetches a Check Point Security Policy from the Security Management Server or Domain Management Server. The Security Policy determines the settings of the firewall. Before you can add any SmartLSM Security Gateway to SmartProvisioning, prepare the SmartLSM Security Profiles in SmartConsole.

This procedure describes how to create a SmartLSM Security Profile for UTM-1 Edge SmartLSM Security Gateways.

To create a UTM-1 Edge SmartLSM Security Profile:

  1. From the Global Toolbar, select New object > LSM Profile > New SmartLSM UTM-1 Edge Profile.

    The SmartLSM UTM-1 Edge Profile window opens.

  2. Configure the SmartLSM Security Profile settings.
  3. In SmartConsole, create the Security Policy for your UTM-1 Edge SmartLSM Security Gateways. For more information on how to create a Security Policy, see the R80.30 Security Management Administration Guide.
  4. Install Policy on the SmartLSM UTM-1 Edge Profile.

    Note - The new profile is not available until the policy is installed.

Creating UTM-1 Edge SmartLSM Security Gateways in SmartProvisioning

This procedure describes how to add a UTM-1 Edge SmartLSM Security Gateway to the SmartProvisioning management.

Before you begin, you must have at least one SmartLSM Security Profile for UTM-1 Edge gateways.

To add a UTM-1 Edge SmartLSM Gateway to SmartProvisioning:

  1. In the SmartProvisioning navigation tree, click Devices.
  2. From the SmartProvisioning menu, select File > New > UTM-1 Edge Gateway. A wizard opens in a new window.
  3. In the New UTM-1 Edge SmartLSM Gateway window, enter a name and optional comments.
  4. Click Next.
  5. In the More Information window, configure these settings:
    1. OS.
    2. Security Profile - Select a SmartLSM Security Profile created in SmartConsole.
    3. Enable Provisioning - Select Enable Provisioning, or clear this option if you are sure that Provisioning Profiles can have a negative impact on the gateway.
      • No Provisioning Profile - Select to leave the actual assignment of Provisioning Profile for later.
      • Provisioning Profile - Select a Provisioning Profile to assign to this gateway.

      Note - This option is disabled for platforms that do not support SmartProvisioning.

  6. Click Next.
  7. In the SmartLSM Security Gateway Communication Properties window, establish SIC Trust between the gateway and the management server with one of these methods:
    • Initiate trusted communication securely by using a registration key. Provide an eight-character string for the key. Enter it again in the Confirm registration key field.
    • Initiate trusted communication with an auto-generated registration key. Click Generate. The Generated Registration Key window opens, and shows the key in clear text. Save the key to enter it on the SmartLSM Security Gateway for SIC initialization, and click Accept.
  8. Click Next.
  9. Optional: In the Finished SmartLSM Security Gateway Wizard window:
    • If the gateway is part of a VPN, select I wish to create a VPN Certificate from the Internal CA. If the gateway is not part of a VPN community in SmartConsole, clear this option.
    • To edit or configure additional properties, select Edit SmartLSM Security Gateway properties after creation.
  10. Click Finish.

Handling New UTM-1 Edge SmartLSM Messages

This section explains how to handle a message that appears after you finish the wizard that adds a UTM-1 Edge SmartLSM Security Gateway, while SmartProvisioning processes the gateway object.

Registration Key is Missing

If you did not generate or select a Registration Key for SIC setup, a message opens:

'Registration Key' for the Gateway SIC setup is missing.
Do you want to continue?

Click Yes to let SmartProvisioning add the gateway now and handle the SIC setup later, or click No and then Back to return to the Communication Properties page.

To handle the SIC setup after the gateway is added:

  1. Right-click the gateway in the work space and select Edit Gateway.
  2. In the General tab > Secure Internal Communication, click New Key.
  3. In the Registration Key window, click Generate Key. After the key is provided, click Set.
  4. Click OK.

Customized UTM-1 Edge Configurations

You can view and edit a configuration script to configure settings that are not included in the WebUI. Any changes that you make to the configuration script are enforced when the UTM-1 Edge devices fetch their SmartProvisioning settings.

To define a configuration script for a UTM-1 Edge device:

  1. In SmartProvisioning, go to Devices.
  2. Open the UTM-1 Edge device object.
  3. Go to the Configuration Script tab.
  4. Add the commands.
  5. Click OK.
  6. Right-click the UTM-1 Edge device object and select Actions > Push Policy.

To define a configuration script for a SmartLSM Security Profile:

  1. In SmartConsole, open the UTM-1 Edge SmartLSM Security Profile.
  2. Go to Advanced.
  3. Add the commands.
  4. Click OK.
  5. Install policy on the UTM-1 Edge SmartLSM Security Profile.

For the syntax in the configuration script, see the Embedded NGX CLI Reference Guide v8.2.