Provisioning Settings for Security Gateways

This section describes how to configure the Provisioning Check Point Software Blade on a Management Server that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: SmartProvisioning, SmartLSM, Large-Scale Management, LSM. settings that are common to all the Security Gateways assigned with a Provisioning Profile.

Before you begin, make sure that your administrator user name has Write permissions for SmartLSM Gateway Database (see Defining SmartProvisioning Administrators).

Scheduling Backups of Security Gateways
You can set up a schedule for backups of the individual Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., or view how it is managed with the assigned Provisioning Profile.

You can select to use SmartProvisioning Check Point Software Blade on a Management Server (the actual name is "Provisioning") that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: Large-Scale Management, SmartLSM, LSM. to manage the backup settings, or configure on the local appliance or server.

Manage the backup schedule on the appliance or server
1. From the Devices pane, double-click the Security Gateway.
  
  The window opens and shows the General tab.
2. Click the Backup tab.
3. Click Manage settings locally on the device.
4. Click OK.
Configuring DNS Servers
You can configure the DNS servers of the individual Security Gateway, or view how they are managed with the assigned Provisioning Profile.

You can select to use SmartProvisioning to manage the DNS settings, or configure on the local appliance or server.
Configure DNS servers with SmartProvisioning
From the Devices pane, double-click the Security Gateway.

The window opens and shows the General tab.

Click the DNS tab.

Click Use the following settings.

Enter the IP addresses of the First, Second, and Third DNS servers.
Manage the DNS servers on the appliance or server
From the Devices pane, double-click the Security Gateway.

The window opens and shows the General tab.

Click the DNS tab.

Click Manage settings locally on the device.

Click OK.
Configuring Hosts
You can set up the host list of the individual Security Gateway, or view how it is managed centrally with the assigned Provisioning Profile.

You can use SmartProvisioning to manage the host list, or configure it on the local appliance or server.
Configure the host list with SmartProvisioning
From the Devices pane, double-click the Security Gateway.

The window opens and shows the General tab.

Click the Hosts tab.

Click Use the following settings.

Click New.

Provide the Hostname and IP address.

Click OK.
Manage the host list on the appliance or server
From the Devices pane, double-click the Security Gateway.

The window opens and shows the General tab.

Click the Hosts tab.

Click Manage settings locally on the device.

Click OK.
Configuring Domain
You can set up the domain of the individual Security Gateway, or view how it is managed centrally with the assigned Provisioning Profile.

You can select to use SmartProvisioning to manage the domain settings, or configure on the local appliance or server.
Configure domain settings with SmartProvisioning
From the Devices pane, double-click the Security Gateway.

The window opens and shows the General tab.

Click the Domain Name tab.

Click Use the following settings.

Enter the Domain name.

Click OK.
Manage the domain settings on the appliance or server
From the Devices pane, double-click the Security Gateway.

The window opens and shows the General tab.

Click the Domain Name tab.

Click Manage settings locally on the device.

Click OK.
Configuring Host Name
You can see or change the host name of the individual Security Gateway in SmartProvisioning. You cannot use a Provisioning Profile to change the host name.

You can select to use SmartProvisioning to manage the host name settings, or configure on the local appliance or server.
Configure host name with SmartProvisioning
From the Devices pane, double-click the Security Gateway.

The window opens and shows the General tab.

Click the Host Name tab.

Click Use the following settings.

Enter the Hostname of the gateway.

Click OK.
Manage the host name on the appliance or server
From the Devices pane, double-click the Security Gateway.

The window opens and shows the General tab.

Click the Host Name tab.

Click Manage settings locally on the device.

Click OK.
Configuring Routing for Security Gateways
You can configure the routing settings of individual Security Gateways in the Devices pane in SmartProvisioning. You cannot configure these settings in a Provisioning Profile. You must configure the interfaces before the routes, because there are different types of routing configurations for different interfaces.

You can also configure the routing settings on the local appliance or server.
Configuring and Managing the routing settings with SmartProvisioning
Configure the routing settings with SmartProvisioning

From the Devices pane, double-click the Security Gateway.

The window opens and shows the General tab.

Click the Routing tab.

Click Use the following settings.

Click Add.

Select a route type:

Network Route - Configure internal network routes (see Configuring Network Route).

Host Route - Configure access to a specific host. (see Configuring Host Route).

Default Route - Configure the default route to access external destinations (see Configuring Default Route).

A different Routing window opens for each type.

Enter the data.

Click OK.

Some of the options are different for different appliances.

Manage the routing settings on the appliance or server

From the Devices pane, double-click the Security Gateway.

The window opens and shows the General tab.

Click the Routing tab.

Click Manage settings locally on the device.

Click OK.
Configuring Network Route
Configure these settings for the internal network routes:

Destination IP Address - Destination IP address for this route (for example, the IP address of the CO Security Gateway or the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server./Domain Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.).

Destination Netmask - Net mask of the destination network.

Interface - Select a pre-configured interface for this route.

Gateway - IP address of the Security Gateway, which provides access to this route (for the Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gateways also assign a priority).

Next Hop Type - For Gaia and the IP Appliances:

Normal - Allow traffic to the Security Gateway.

Reject - Block traffic where the gateway is the destination, and acknowledge.

Black Hole - Block traffic without acknowledgment.
Configuring Host Route
Configure these settings for host routes:

Destination IP Address - IP address of the destination host.

Interface - Select a pre-configured interface for this route.

Gateway - IP address of the gateway providing access to this host.

Metric - Distance in hops to the destination. If the host is on your local site, this must be a very low number. If the host is not behind routers, the metric must be zero.
Configuring Default Route
Configure these settings for default routes to external destinations:

Gateway - IP address of the gateway providing access to the default external route.

Metric - Distance in hops to the gateway (this value must be as accurate as possible: too low a value can cause lost communications with looping; too high a value may cause security issues). You can define only one default route per gateway.