Single Management Object (SMO) and Policies

Single Management Object

Single Management Object (SMO) is a Check Point technology that manages the Security Group as one large Security Gateway with one management IP address.

All management tasks, such as Security Gateway configuration, policy installation, remote connections and logging, are handled by one Security Group Member (the SMO Master), which updates all other Security Group Members.

The Active Security Group Member with the lowest ID number is automatically assigned to be the SMO.

Use the asg stat -i tasks command to identify the SMO Master and to see how tasks are distributed across the Security Group Members (see Showing Hardware State (asg stat)).

Example output in a Single Site configuration:

[Expert@HostName-ch0x-0x:0]# asg stat -i tasks
--------------------------------------------------------------------------------
| Task (Task ID)    |                       Chassis 1                          |
--------------------------------------------------------------------------------
| SMO (0)           |                        1(local)                          |
| General (1)       |                        1(local)                          |
| LACP (2)          |                        1(local)                          |
| CH Monitor (3)    |                        1(local)                          |
| DR Manager (4)    |                        1(local)                          |
| UIPC (5)          |                        1(local)                          |
| Alert (6)         |                        1(local)                          |
--------------------------------------------------------------------------------
[Expert@HostName-ch0x-0x:0]#
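As an added example that is not part of the Check Point documentation, this POSIX shell snippet parses output in the Single Site layout shown above to find which member holds the SMO task; the sample table is constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Check Point documentation: locate the SMO
# Master by parsing "asg stat -i tasks" output in the Single Site layout
# (one "Chassis" column). Function names are assumptions.

# Constructed sample in the same layout as the documented output.
ASG_STAT_SAMPLE='--------------------------------------------------------------------------------
| Task (Task ID)    |                       Chassis 1                          |
--------------------------------------------------------------------------------
| SMO (0)           |                        1(local)                          |
| General (1)       |                        1(local)                          |
| LACP (2)          |                        1(local)                          |
| CH Monitor (3)    |                        1(local)                          |
| DR Manager (4)    |                        1(local)                          |
| UIPC (5)          |                        1(local)                          |
| Alert (6)         |                        1(local)                          |
--------------------------------------------------------------------------------'

# task_owner TASK: read the table on stdin and print the member ID in the
# Chassis column for TASK (default "SMO"). Prints nothing if TASK is absent.
task_owner() {
    awk -F'|' -v task="${1:-SMO}" '
        # Data rows look like "| <name> (<id>) | <member>(local) |"; the
        # separator lines have no "|" and the header has no numeric ID.
        $2 ~ /\([0-9]+\)/ {
            name = $2
            sub(/^[ \t]+/, "", name)
            sub(/[ \t]*\([0-9]+\)[ \t]*$/, "", name)
            if (name == task) {
                owner = $3
                gsub(/[ \t]/, "", owner)      # "1(local)"
                sub(/\(.*\)$/, "", owner)     # "1"
                print owner
                exit
            }
        }'
}

# is_local_smo: succeed when the SMO task (ID 0) runs on the member whose
# shell produced the table, i.e. the cell carries the "(local)" marker.
is_local_smo() {
    awk -F'|' '$2 ~ /^[ \t]*SMO[ \t]*\(0\)/ && $3 ~ /local/ { found = 1 }
               END { exit found ? 0 : 1 }'
}

# On a real Security Group Member this would be: asg stat -i tasks | task_owner
printf '%s\n' "$ASG_STAT_SAMPLE" | task_owner SMO
```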

Installing and Uninstalling Policies

Installing a Policy

To install a policy on the Security Group, click Install Policy in SmartConsole. The policy installation process includes these steps:

  1. The Management Server installs the policy on the SMO Master.

  2. The SMO Master copies the policy to all Security Group Members in the Security Group.

  3. Each Security Group Member in the Security Group installs the policy locally.

During the policy installation, each Security Group Member sends and receives policy status updates to and from the other Security Group Members in the Security Group. This is because the Security Group Members must install their policies in a synchronized manner.

Note - When creating a Security Group, its Security Group Members enforce an initial policy which allows only the implied rules necessary for management.

Uninstalling a Policy

Step 1 - Connect over a serial port to the SMO in the Security Group.

Step 2 - Log in to the Gaia gClish.

Step 3 - Uninstall the policy:

> asg policy unload

Example:

> asg policy unload

You are about to perform unload policy on blades: all

Unloading policy from a virtual system will stop its monitoring by VS monitor (except VS 0).

To re-enable VS monitoring on the specified VS(s) you must run the following command on a single SGM: 'cpha_vsx_util monitor start <vs_ids>'. For example: 'cpha_vsx_util monitor start 1,3'

Must be executed via serial connection

Are you sure? (Y - yes, any other key - no) y

Note - You cannot uninstall policies from SmartConsole.

Working with Policies (asg policy)

Description

Use the asg policy command in Gaia gClish or the Expert mode to perform policy-related actions.

Syntax

asg policy -h

asg policy {verify | verify_amw} [-vs <VS_IDs>] [-a] [-v]

asg policy unload [--disable_pnotes] [-a]

asg policy unload --ip_forward

Best Practice - Run these commands over a serial connection to Security Group Members in the Security Group.

Parameters

-h - Shows the built-in help.

verify - Confirms that the correct policies are installed on all Security Group Members in the Security Group.

verify_amw - Confirms that the correct Anti-Malware policies are installed on all Security Group Members in the Security Group.

unload - Uninstalls the policy from the Security Group Members in the Security Group.

-vs <VS_IDs> - Shows verification results for each Virtual System. <VS_IDs> can be:

  • No <VS_IDs> specified (default) - Applies to the context of the current Virtual System

  • One Virtual System

  • A comma-separated list of Virtual Systems (for example, 1,2,4,5)

  • A range of Virtual Systems (for example, 3-5)

  • all - Shows all Virtual Systems

Note - This parameter is only applicable in a VSX environment.

-v - Shows detailed verification results for Security Group Members in each Virtual System.

-a - Runs the verification on Security Group Members in both UP and DOWN states.

--disable_pnotes - Security Group Members stay in the UP state without an installed policy.

Important - If you omit this option, Security Group Members go into the DOWN state until the policy is installed again!

--ip_forward - Enables IP forwarding.

Below are some examples: