General Workflow

1. Configure the applicable Security Groups on the Quantum Maestro Orchestrators

   Note - Configure only one of the installed Quantum Maestro Orchestrators. The Quantum Maestro Orchestrators synchronize the configuration automatically with each other.

   Each Security Group must contain:

   1. One or more Security Appliances.

      Note - The Quantum Maestro Orchestrators automatically assign the corresponding Downlink ports Interfaces on the Quantum Maestro Orchestrator used to connect to Check Point Security Appliances. You use DAC cables, Fiber cables (with transceivers), or Breakout cables to connect between the Downlink ports and Security Appliances. The Check Point Management traffic (policy, logs, synchronization, and so on) co-exists with the data (user) traffic on the Downlink ports. Bandwidth is guaranteed for the Check Point Management traffic (portion of the downlink bandwidth). These ports form the system backplane (management, data plane, synchronization)..

   2. Applicable ports on the Quantum Maestro Orchestrators:

      • A dedicated Management port, which connects the Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. to the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. (for example, eth1-Mgmt1).

      • Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object., to which you connected the external traffic and internal traffic networks.

   You can configure Security Groups in:

   • Gaia Portal Web interface for the Check Point Gaia operating system. (see Configuring Security Groups in Gaia Portal).

   • Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). (see Configuring Security Groups in Gaia Clish).

   See Summary of Configuration Options.

   Perform these steps:

   Step	Instructions
   a	Create a new Security Group.
   b	Add the Network Configuration to the Security Group.
   c	Configure the First Time Wizard settings in the Security Group. Note - This First Time Wizard configures only a limited number of settings.
   d	Assign the available Security Appliances to the Security Group. Important: You can assign only supported Security Appliances to the same Security Group - see sk162373. Security Appliances assigned to the Security Group automatically reboot after you apply the configuration. Best Practice for Dual Site - Assign the same number (as possible) of Security Appliances from each site to the Security Group. If a failover occurs between the sites, Security Appliances on the new Active site must be able to process all the traffic.
   e	Assign the applicable Quantum Maestro Orchestrator A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO. ports to the Security Group (Uplink ports and a Management interface).

   Best Practice - Create a Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Backup on the Quantum Maestro Orchestrators to save the configuration. For more information, see the R81.10 Gaia Administration Guide > Chapter Maintenance > Section System Backup.

2. Configure the Gaia Operating System settings in the new Security Group

   See Step 2 - Configuring Gaia Settings of a Security Group.

   Best Practice - Create a Gaia Backup on the Security Group to save the configuration. For more information, see the R81.10 Gaia Administration Guide > Chapter Maintenance > Section System Backup.

3. Configure the settings in SmartConsole

   See Step 3 - Configuration in SmartConsole.

   • For a Security Group in Gateway mode:

     1. Create one Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.

     2. Configure the applicable Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection..

     3. Install the Security Policy on the Security Gateway object.

   • For a Security Group in VSX mode:

     1. Create one VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. object.

     2. Create the objects of Virtual Systems.

     3. Configure the applicable Security Policies for the Virtual Systems.

     4. Install the Security Policies on the Virtual Systems.

4. Install licenses

   See Step 4 - License Installation.

5. Make sure the traffic passes as expected

   Initiate connections that must pass through this Security Group.

6. Configure special settings, if required

   See:

   • Step 5 - Special Configuration Scenarios

   • Configuring Security Group High Availability

   • Managing Security Groups

   • System Optimization

   • Deploying a Security Group in Monitor Mode

   • Deploying a Security Group in Bridge Mode

Watch the Demonstration Videos

Configuring a Security Group in Gaia Portal on the Orchestrator

Configuring a Security Gateway object in SmartConsole

Configuring a Security Group in VSX mode