Configuring Security Groups in Gaia Portal

This section provides the configuration instructions for Gaia Portal Web interface for the Check Point Gaia operating system..

To start working in Gaia Portal on the Quantum Maestro Orchestrator:

Step

Instructions

With a web browser, connect to the Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Portal on the Quantum Maestro Orchestrator A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO.:

https://<IP Address of Orchestrator's MGMT Port>

Username - admin
Password - admin

Best Practice - Change the default password as soon as possible. See the R81.10 Gaia Administration Guide > Chapter User Management > Section Change My Password.

From the left navigation tree, click Orchestrator page.

The Topology section contains the table that shows these sections (from left to right):

Item	Description
Unassigned Gateways	All detected Security Appliances that are not part of configured Security Groups. Quantum Maestro Orchestrator listens on the ports and automatically detects the connected Security Appliances.
Topology	Configured Security Groups with their assigned Security Appliances and ports.
Unassigned Interfaces	All interfaces on Quantum Maestro Orchestrators that are not part of configured Security Groups.

Item

Description

Unassigned Gateways

All detected Security Appliances that are not part of configured Security Groups.

Quantum Maestro Orchestrator listens on the ports and automatically detects the connected Security Appliances.

Topology

Configured Security Groups with their assigned Security Appliances and ports.

Unassigned Interfaces

All interfaces on Quantum Maestro Orchestrators that are not part of configured Security Groups.

Notes:

Click the Apply button to save the changes in Security Groups.
Click the Refresh button to load the latest configuration. For example, when you work with two Quantum Maestro Orchestrators for redundancy, and you change the configuration on another Quantum Maestro Orchestrator.
You use the drag-and-drop action on the Security Appliance and port objects.
When you hover the mouse cursor over a Security Appliance object, the tooltip shows the Security Appliance ID in the Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected., Appliance Serial Number, and the corresponding Downlink port.

Applicable configuration procedures are provided below.

See Workflow for Configuring Security Groups.

Creating a New Security Group

Watch the Demonstration Video

Step

Instructions

In the Topology column, click the [+] on the left side of the Security Groups.

In the Topology column, right-click on the Security Groups and select New Security Group.

Enter the required Management interface settings.

Best Practice - Configure the First Time Wizard settings.

Click OK.

Click the [+] on the left side of the Security Groups and the new Security Group.

In the Unassigned Gateways column, select the applicable Security Appliances.

Important - You must assign at least one Security Appliance to the Security Group.

Notes:

You can assign only supported Security Appliances to the same Security Group - see sk162373.
You must disable SMO Image Cloning in the Security Group before you assign to this Security Group an appliance of a different model than the other assigned appliances (Known Limitation PMTR-71298).
To select multiple Security Appliances, press and hold the CTRL key and left-click the objects with the mouse cursor.

Drag-and-drop the selected Security Appliances from the Unassigned Gateways column to the Gateways section in the new Security Group.

In the Unassigned Interfaces column, select the applicable data and management interfaces.

Note - To select multiple interfaces, press and hold the CTRL key and left-click the objects with the mouse cursor.

Drag-and-drop the selected interfaces from the Unassigned Interfaces column to the Interfaces section in the new Security Group.

In the bottom left corner, click Apply.

Important - Security Appliances assigned to the Security Group automatically reboot after you apply the configuration.

Notes:

Every new Security Group you add, is called Security Group N, where the ordinal number N is assigned automatically starting from 1 (for example, if you already have "Security Group 1" and "Security Group 3", then the new Security Group is called "Security Group 2").
Every Security Group contains two sections:
- Gateways - contains the Check Point Security Gateways you assign to this Security Group.
- Interfaces - contains the Orchestrator's interfaces you assign to this Security Group.
You must make sure to assign the correct Security Gateways' interfaces to Security Groups.

Deleting a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	In the Topology column, right-click on the Security Group.
3	From the menu, click Delete Security Group. Important - There is no prompt to confirm.
4	In the bottom left corner, click Apply.

Adding the Network Configuration and First Time Wizard settings to a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	In the Topology column, right-click on the Security Group.
3	Click Set Security Group configuration.
4	In the Network settings section: In the IPv4 address field, enter the IPv4 address of the Security Group. All Security Appliances in this Security Group use this IPv4 address as their Gaia management IP address. You use this IPv4 address in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. when you configure the corresponding Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object. In the Subnet mask field, enter the applicable IPv4 subnet mask. All Security Appliances in this Security Group use this IPv4 subnet mask for their Gaia management IP address. You use this IPv4 subnet mask in SmartConsole when you configure the corresponding Security Gateway object. In the Default Gateway field, enter the applicable IPv4 address. All Security Appliances in this Security Group use this IPv4 address as their default gateway.
5	In the First Time Wizard settings section, configure the initial settings for Security Appliances assigned to this Security Group. Select Set FTW configuration. In the Host Name field, enter a hostname. Select Configure Admin Password: In the Admin Password field, enter the Expert mode password. In the Confirm Admin Password field, enter the same Expert mode password key again. In the SIC Password field, enter a one-time activation key (between 4 and 127 characters long). You use this activation key in SmartConsole when you create the corresponding Security Gateway object. In the Confirm SIC Password field, enter the same one-time activation key again. Select Install as VSX, only if it is necessary to run all Security Appliances in this Security Group as VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Gateways.
6	Click OK.
7	In the bottom left corner, click Apply.

Warning - If you enable the Set FTW configuration option in an existing Security Group (in which you already ran the First Time Configuration Wizard), then the change applies only after you reset each Security Appliance in that Security Group to factory defaults.

Removing the Network Configuration and First Time Wizard settings from a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	In the Topology column, right-click on the Security Group.
3	From the menu, click Clear network configuration. Important - There is no prompt to confirm.
4	In the bottom left corner, click Apply.

Note - This configuration option is available only in the Gaia Portal.

Assigning Available Security Appliances to a Security Group

Best Practice:

Before you add Security Appliances to an existing Security Group, enable the SMO Image Cloning feature in the Security Group.

This feature automatically clones all the required software packages to the new Security Appliances.

Run in Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group. on the Security Group:

set smo image auto-clone state on

show smo image auto-clone state

After you added the Security Appliances, you must disable the SMO Image Cloning feature in the Security Group:

set smo image auto-clone state off

show smo image auto-clone state

Step

Instructions

In the Topology column, click the [+] on the left side of the Security Groups.

Click the [+] on the left side of the applicable Security Group.

In the Unassigned Gateways column, select the applicable Security Appliances.

Note - To select multiple Security Appliances, press and hold the CTRL key and left-click the objects with the mouse cursor.

Drag-and-drop the selected Security Appliances from the Unassigned Gateways column to the Gateways section in the applicable Security Group.

Note - If such operation is allowed, Gaia Portal shows a green plus icon. Otherwise, it shows a red blocking icon.

In the bottom left corner, click Apply.

Important:

You can assign only supported Security Appliances to the same Security Group - see sk162373.
You must disable SMO Image Cloning in the Security Group before you assign to this Security Group an appliance of a different model than the other assigned appliances (Known Limitation PMTR-71298).
Security Appliances assigned to the Security Group automatically reboot after you apply the configuration.

Best Practice for Dual Site - Assign the same number (as possible) of Security Appliances from each site to the Security Group. If a failover occurs between the sites, Security Appliances on the new Active site must be able to process all the traffic.

Removing One Security Appliance from a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable Security Group.
3	Click the [+] on the left side of the Gateways section.
4	Select the Security Appliance it is necessary to remove from the Security Group.
5	Right-click on the selected Security Appliance.
6	From the menu, click Detach Gateway. Important - There is no prompt to confirm.
7	In the bottom left corner, click Apply.

Important - The Security Appliance must perform a reset to factory defaults and reboot after you remove it from a Security Group. This is to make sure that no security configuration is left behind.

Removing All Security Appliances from a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable Security Group.
3	Left-click on the Gateways section to select it.
4	Right-click on the Gateways section.
5	From the menu, click Detach all Gateways.
6	In the bottom left corner, click Apply.

Important - The Security Appliances must perform a reset to factory defaults and reboot after you remove them from a Security Group. This is to make sure that no security configuration is left behind.

Note - This configuration option is available only in the Gaia Portal.

Moving Security Appliances from One Security Group to a Different Security Group

Best Practice:

Before you add Security Appliances to an existing Security Group, enable the SMO Image Cloning feature in the Security Group.

This feature automatically clones all the required software packages to the new Security Appliances.

Run in Gaia gClish on the Security Group:

set smo image auto-clone state on

show smo image auto-clone state

After you added the Security Appliances, you must disable the SMO Image Cloning feature in the Security Group:

set smo image auto-clone state off

show smo image auto-clone state

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable source Security Group.
3	Click the [+] on the left side of the applicable target Security Group.
4	Select the applicable Security Appliances. Note - To select multiple Security Appliances, press and hold the CTRL key and left-click the objects with the mouse cursor.
5	Drag-and-drop the selected Security Appliances from the Gateways section of the source Security Group to the Gateways section of the target Security Group. Note - If such operation is allowed, Gaia Portal shows a green plus icon. Otherwise, it shows a red blocking icon.
6	In the bottom left corner, click Apply.

Important - The Security Appliance must perform a reset to factory defaults and reboot after you remove it from a Security Group. This is to make sure that no security configuration is left behind.

Note - This configuration option is available only in the Gaia Portal.

Assigning Interfaces to a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable Security Group.
3	In the Unassigned Interfaces column, select the applicable interfaces. Note - To select multiple interfaces, press and hold the CTRL key and left-click the objects with the mouse cursor.
4	Drag-and-drop the selected interfaces from the Unassigned Interfaces column to the Interfaces section in the applicable Security Group. Note - If such operation is allowed, Gaia Portal shows a green plus icon. Otherwise, it shows a red blocking icon.
5	In the bottom left corner, click Apply.

Removing One Interface from a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable Security Group.
3	Click the [+] on the left side of the Interfaces section.
4	Right-click on the applicable interface.
5	From the menu, click Detach Interface. Important - There is no prompt to confirm.
6	In the bottom left corner, click Apply.

Removing All Interfaces from a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable Security Group.
3	Right-click on the Interfaces section.
4	From the menu, click Detach Security Group Interfaces. Important - There is no prompt to confirm.
5	In the bottom left corner, click Apply.

Note - This configuration option is available only in the Gaia Portal.

Moving Interfaces from One Security Group to a Different Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable source Security Group.
3	Click the [+] on the left side of the applicable target Security Group.
4	Select the applicable interfaces. Note - To select multiple interfaces, press and hold the CTRL key and left-click the objects with the mouse cursor.
5	Drag-and-drop the selected interfaces from the Interfaces section of the source Security Group to the Interfaces section of the target Security Group. Note - If such operation is allowed, Gaia Portal shows a green plus icon. Otherwise, it shows a red blocking icon.
6	In the bottom left corner, click Apply.

Note - This configuration option is available only in the Gaia Portal.

Viewing VLAN Interfaces on Uplink Ports

See Configuring VLAN Interfaces on Uplink Ports.

Step	Instructions
1	On the Orchestrator page, in the Topology section, expand Security Groups.
2	Expand your Security Group.
3	Expand Interfaces.
4	Put the mouse cursor on an interface. VLAN information appears in the tooltip.

Note - If this is a Dual Site deployment, and the Security Group contains Security Appliances that are located only at one of the sites (for example, Site 2), then the tooltip that shows VLAN interfaces appears only in Gaia Portal of the Orchestrator (for example, on Site 2) that is located at the same site as Security Appliances.