Security Management behind NAT

The Security Management Server sometimes uses a private IP address (as listed in RFC 1918), or some other non-routable IP address, because of the lack of public IP addresses.

NAT (Static or Hide) for the Security Management Server IP address can be configured in one click, while still allowing connectivity with managed Security Gateways. All Security Gateways can be controlled from the Security Management Server, and logs can be sent to the Security Management Server. NAT can also be configured for a Management High Availability Deployment and configuration mode of two Check Point Management Servers, in which they automatically synchronize the management databases with each other. In this mode, one Management Server is Active, and the other is Standby. Acronyms: Management HA, MGMT HA. server and a Log Server Dedicated Check Point server that runs Check Point software to store and process logs..

Example:

1. From the left navigation panel, click Gateways & Servers.

2. Double-click the Security Management Server object.

3. From the left, click NAT.

4. Select Add Automatic Address Translation rules.

5. In the Translation method field, select Static.

6. Configure the applicable IP address.

   In our example - 192.168.55.1

7. Select the Security Gateway that must perform this NAT.

   In our example - the local Security Gateway that is directly connected to the Security Management Server.

8. Select Apply for Security Gateway control connections.

9. Click OK.

10. Install the Access Control Policy on the applicable Security Gateways.

1. Configure NAT for Control Connections on the Security Management Server as described above.

2. Configure the Security Management Server not to override the $FWDIR/conf/masters file on the remote Security Gateway / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members.

   Procedure

   1. Close all SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. windows connected to the Security Management Server.

   2. Connect with Database Tool (GuiDBEdit Tool) (see sk13009) to the applicable Security Management Server or Domain Management Server.

   3. In the top left section, click Table > Network Objects.

   4. In the top right section, click network_objects.

   5. In the right upper pane, select the object of the remote Security Gateway / Cluster.

   6. Press CTRL+F (or go to Search menu > Find) > paste define_logging_servers > click Find Next.

   7. In the lower pane, right-click the define_logging_servers > select Edit > select "false" > click OK.

   8. Save the changes (click File > Save All).

   9. Close the Database Tool (GuiDBEdit Tool).

3. Configure the required IP address in the $FWDIR/conf/masters file on the remote Security Gateway / Cluster Members.

   Procedure

   Note - In a Cluster, you must configure all the Cluster Members in the same way.

   1. Connect to the command line on the Security Gateway / each Cluster Member Security Gateway that is part of a cluster..

   2. Log in to the Expert mode.

   3. Back up the current file:

      cp -v $FWDIR/conf/masters{,_BKP}

   4. Edit the current file:

      vi $FWDIR/conf/masters

   5. In the [Policy] section and in the [Log Server] section, add a new line above the current line.

      In the new line, enter the NATed (external) IP address of the Security Management Server.

      Important - If the remote Security Gateway has to connect to the real IP address of the Security Management Server, you must also configure the SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. name of the Security Management Server. Copy it from the existing line: CN=cp_mgmt,O=<xxx>.checkpoint.com.<yyy>

   6. Save the changes in the file and exit the editor.

4. Install the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection..

   Procedure

   1. Connect with the SmartConsole to the Security Management Server.

   2. Install the Access Control Policy on the remote Security Gateway / Cluster.