Configuring a Security Gateway Object in SmartConsole

A Chassis can work as a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., or as a VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0..

This procedure describes the configuration of a Security Gateway in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

Note - There can be some variations in the wizard steps due to release updates. In these cases, follow the instructions on the screen.

Configuring a Security Gateway Object

Step	Instructions
1	Connect with SmartConsole to your Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..
2	From the left navigation panel, click Gateways & Servers.
3	Create a new Security Gateway object in one of these ways: From the top toolbar, click the New () > Gateway. In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > New Gateway. In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Gateway.
4	In the Check Point Security Gateway Creation window, select Wizard Mode or Classic Mode. This procedure describes the Wizard mode. If you choose Classic Mode, make sure you set all the necessary configuration parameters.
5	On the General Properties page: In the Gateway name field, enter the applicable name for this Security Gateway object. In the Gateway platform field, select the correct chassis. In the Gateway IP address section, select the applicable option: If you selected Static IP address, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Security Group A logical group of Security Gateway Modules that provides Active/Active cluster functionality. A Security Group can contain one or more Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway.'s First Time Configuration Wizard. Make sure the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. can connect to these IP addresses. If this Security Group receives its IP addresses from a DHCP server, click Cancel. Create a new Security Gateway object and in the Check Point Security Gateway Creation window, select Classic Mode. Click Next.
6	On the Trusted Communication page: Select the applicable option: If you selected Initiate trusted communication now, enter the same Activation Key you entered during the Security Group's First Time Configuration Wizard. If you selected Skip and initiate trusted communication later, make sure to follow Step 7. Click Next.
7	On the End page: Examine the Configuration Summary. Select Edit Gateway properties for further configuration. Click Finish. Check Point Gateway properties window opens on the General Properties page.
8	If during the Wizard Mode, you selected Skip and initiate trusted communication later: The Secure Internal Communication field shows `Uninitialized`. Click Communication. In the Platform field, select Open server / Appliance. Enter the same Activation Key you entered during the Security Gateway's First Time Configuration Wizard. Click Initialize. Make sure the Certificate state field shows `Established`. Click OK.
9	On the General Properties page: On the Network Security tab, enable the applicable Software Blades. On the Threat Prevention tab, enable the applicable Software Blades.
10	In the navigation tree, select Topology. Configure: Topology of Interfaces as Internal or External. Anti-Spoofing. Note- Only data and management interfaces show in the list.
11	Click OK
12	Publish the SmartConsole session.
13	Configure the applicable Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. for the Security Gateway in SmartConsole: From the left navigation panel, click Security Policies. Create a new policy and configure the applicable layers: At the top, click the + tab (or press CTRL T). On the Manage Policies tab, click Manage policies and layers. In the Manage policies and layers window, create a new policy and configure the applicable layers. Click Close. On the Manage Policies tab, click the new policy you created. Create the applicable Access Control rules. Install the Access Control Policy on the Security Gateway object. Create the applicable Threat Prevention rules. Install the Threat Prevention Policy on the Security Gateway object.

Confirming the Policy Installation

To make sure that the policy was installed successfully:

Step

Instructions

Connect to one of the SGMs over SSH or a serial console.

Run:

asg monitor

Make sure that the SGM status is "Enforcing Security" on the ACTIVE and STANDBY Standby Chassis.

Example:

Make sure the Policy Date matches the date and time the policy was installed.

Confirming the Security Gateway Software Configuration

To make sure the software configuration is correct:

Step

Instructions

Connect to one of the SGMs over SSH or a serial console.

Run:

asg diag

Use the command to collect and show diagnostic information about the system.

If there is a problem, fix it before using the system.