Generic Workflow for HSM

This section contains generic workflows for an HSM environment.

Workflow for Configuring a Check Point Security Gateway to Work with HSM

Follow the steps below on the Security Gateway / Cluster Members / Scalable Platform Security Group that must work with an HSM.

Note - Instructions for specific HSM vendors are located in the corresponding sections.

Workflow for Configuring an HSM Client Workstation

The HSM Client workstation is an external computer on which you install the HSM Client software of your HSM vendor.

The HSM Client workstation can run Windows, Linux, or another operating system, as required by the HSM vendor.

You use the HSM Client workstation to:

  • Create a CA Certificate on the HSM Server.

    Check Point Security Gateways / Cluster Members / Security Groups use this CA Certificate for HTTPS Inspection when they need to store and access SSL keys on the HSM Server.

  • Manage the keys of the fake certificates that the Check Point Security Gateway / Cluster Members / Security Group creates during HTTPS Inspection.

Important - You must get the HSM Client package from the HSM vendor.