Configuring Topology for SmartLSM Security Gateways

You can manage the topology of SmartLSM Security Gateways through SmartProvisioningClosed Check Point Software Blade on a Management Server (the actual name is "Provisioning") that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: Large-Scale Management, SmartLSM, LSM.. View and change the internal and external interfaces of each gateway to fit its local environment.

  1. From the Devices pane, double-click the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

    The window opens and shows the General tab.

  2. Click the Topology tab.

  3. Select the option that best describes the VPN Domain of this SmartLSM Security Gateway:

    • Not defined - No VPN is defined for this gateway. To enable this Gateway to participate in a VPN, select a different option.

    • Only the external interfaces - The external IP addresses of the SmartLSM Security Gateway is the entire VPN domain. The CO gateway connects to the remote office nodes only through the SmartLSM Security Gateway. The nodes are usually connected and secured by NAT.

    • All IP Addresses behind the Gateway based on Topology information -SmartProvisioning automatically calculates the encryption domain based on the IP address and net mask of the SmartLSM Security Gateway's internal interfaces.

    • Manually defined: You can define the VPN domain manually. The range table is enabled.

Complex networks behind SmartLSM Security Gateways cannot be properly configured as VPN domains by the automatic calculation option (All IP Addresses behind the Gateway based on Topology information). If the SmartLSM Security Gateway topology consists of one type (Meshed or Star) and does not include subsequent firewalls, you may select the automatic option. Otherwise, it is recommended that you select Manually defined.

To manually configure a VPN domain:

  1. In the Topology tab, click Manually defined.

  2. Click Add.

    The IP Address Range Configuration window opens.

  3. Enter the range of IP addresses that define a network behind this gateway.

  4. Click OK.

  5. Repeat these steps and add IP address ranges for the VPNs that connect to the CO gateway.

  6. Select Actions > Push Policy.

    You are prompted to save the data and then SmartProvisioning validates the topology you defined.

    If successfully validated, the topology is immediately pushed to the gateway.

  7. Update the CO gateway.

    The IP addresses in this range are now part of the VPN domain that is secured by the SmartLSM Security Gateway and that tunnels to the CO gateway. To complete the VPN configurations, see Configuring VPNs on SmartLSM Security Gateways.