Step 3 - Configuration in SmartConsole

  1. You can configure a Security Gateway object in SmartConsole in one of these modes - Wizard Mode, or Classic Mode:

    Step

    Instructions

    1

    Connect with the SmartConsole to the Security Management Server or Domain Management Server that should manage this Security GroupClosed A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected..

    2

    From the left navigation panel, click Gateways & Servers.

    3

    Create a new Security Gateway object in one of these ways:

    • From the top toolbar, click New () > Gateway.

    • In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > New Gateway.

    • In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Gateway.

    4

    In the Check Point Security Gateway Creation window, click Wizard Mode.

    5

    On the General Properties page:

    1. In the Gateway name field, enter a name for this Security Gateway object.

    2. In the Gateway platform field, select Maestro.

    3. In the Gateway IP address section, enter the same IPv4 address that you configured for the Security Group on the Quantum Maestro OrchestratorClosed A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO..

    4. Click Next.

    6

    On the Trusted Communication page:

    1. Select Initiate trusted communication now, enter the same Activation Key you entered in the First Time Wizard settings of the Security Group on the Quantum Maestro Orchestrator.

    2. Click Next.

    7

    On the End page:

    1. Examine the Configuration Summary.

    2. Select Edit Gateway properties for further configuration.

    3. Click Finish.

    Check Point Gateway properties window opens on the General Properties page.

    8

    On the Network Security tab, enable the desired Software Blades.

    Important - Do not select anything on the Management tab.

    9

    Click OK.

    10

    Publish the SmartConsole session.

    Step

    Instructions

    1

    Connect with the SmartConsole to the Security Management Server or Domain Management Server that should manage this Security Group.

    2

    From the left navigation panel, click Gateways & Servers.

    3

    Create a new Security Gateway object in one of these ways:

    • From the top toolbar, click New () > Gateway.

    • In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > New Gateway.

    • In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Gateway.

    4

    In the Check Point Security Gateway Creation window, click Classic Mode.

    Check Point Gateway properties window opens on the General Properties page.

    5

    In the Name field, enter a name for this Security Gateway object.

    6

    In the IPv4 address and IPv6 address fields, enter the same IPv4 address that you configured for the Security Group on the Quantum Maestro Orchestrator.

    7

    Establish the Secure Internal Communication (SIC) between the Management Server and this Security Group:

    1. Near the Secure Internal Communication field, click Communication.

    2. In the Platform field, select Open server / Appliance.

    3. In the Activation Key field, enter the same Activation Key you entered in the First Time Wizard settings of the Security Group on the Quantum Maestro Orchestrator.

    4. Click Initialize.

    5. Click OK.

    8

    In the Platform section, select the correct options:

    1. In the Hardware field, select Maestro.

    2. In the Version field, select R80.20SP.

    3. In the OS field, select Gaia.

    9

    On the Network Security tab, enable the desired Software Blades.

    Important - Do not select anything on the Management tab.

    10

    Click OK.

    11

    Publish the SmartConsole session.

    For more information, see the R81.20 Security Management Administration Guide.

  2. Step

    Instructions

    1

    Connect with the SmartConsole to the Security Management Server or Domain Management Server that manages this Security Group.

    2

    From the left navigation panel, click Security Policies.

    3

    Create a new policy and configure the applicable layers:

    1. At the top, click the + tab (or press CTRL T).

    2. On the Manage Policies tab, click Manage policies and layers.

    3. In the Manage policies and layers window, create a new policy and configure the applicable layers.

    4. Click Close.

    5. On the Manage Policies tab, click the new policy you created.

    4

    Create the applicable Access Control Policy.

    6

    Create the applicable Threat Prevention Policy.

    7

    Publish the SmartConsole session.

    For more information, see:

  3. Step

    Instructions

    1

    Install the Access Control Policy on the Security Gateway object:

    1. Click Install Policy.

    2. In the Policy field, select the applicable policy for this Security Gateway object.

    3. Select only the Access Control Policy.

    4. Click Install.

    2

    Install the Threat Prevention Policy on the Security Gateway object:

    1. Click Install Policy.

    2. In the Policy field, select the applicable policy for this Security Gateway object.

    3. Select only the Threat Prevention Policy.

    4. Click Install.

Configuring a VSX Gateway object and its policies

Step

Instructions

1

Connect with the SmartConsole to the Security Management Server or Main Domain Management Server that should manage this Security Group.

2

From the left navigation panel, click Gateways & Servers.

3

Create a new VSX Gateway object in one of these ways:

  • From the top toolbar, click New () > VSX > Gateway.

  • In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > VSX > New Gateway.

  • In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > VSX > Gateway.

The VSX Gateway Wizard opens.

4

On the VSX Gateway General Properties (Specify the object's basic settings) page:

  1. In the Enter the VSX Gateway Name field, enter the desired name for this VSX Gateway object.

  2. In the Enter the VSX Gateway IPv4 field, enter the same IPv4 address that you configured on the Management Connection page of the VSX Gateway's First Time Configuration Wizard.

  3. In the Enter the VSX Gateway IPv6 field, enter the same IPv6 address that you configured on the Management Connection page of the VSX Gateway's First Time Configuration Wizard.

  4. In the Select the VSX Gateway Version field, select R80.20SP.

  5. Click Next.

5

On the Virtual Systems Creation Templates (Select the Creation Template most suitable for your VSX deployment) page:

  1. Select the applicable template.

  2. Click Next.

6

On the VSX Gateway General Properties (Secure Internal Communication) page:

  1. In the Activation Key field, enter the same Activation Key you entered in the First Time Wizard settings of the Security Group on the Quantum Maestro Orchestrator.

  2. In the Confirm Activation Key field, enter the same Activation Key again.

  3. Click Initialize.

  4. Click Next.

7

On the VSX Gateway Interfaces (Physical Interfaces Usage) page:

  1. Examine the list of the interfaces - it must show all the Uplink portsClosed Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object. you assigned to this Security Group.

  2. If you plan to connect more than one Virtual System directly to the same Uplink port, you must select VLAN Trunk for that physical Uplink port.

  3. Click Next.

8

On the Virtual Network Device Configuration (Specify the object's basic settings) page:

  1. You can select Create a Virtual Network Device and configure the first desired Virtual System at this time (we recommend to do this later).

  2. Click Next.

9

On the VSX Gateway Management (Specify the management access rules) page:

  1. Examine the default access rules.

  2. Select the applicable default access rules.

  3. Configure the applicable source objects, if needed.

  4. Click Next.

Important - These access rules apply only to the VSX Gateway (context of VS0), which is not intended to pass any "production" traffic.

10

On the VSX Gateway Creation Finalization page:

  1. Click Finish and wait for the operation to finish.

  2. Click View Report for more information.

  3. Click Close.

11

Examine the VSX configuration:

  1. Connect to the command line on the Security Group.

  2. Log in to the Expert mode.

  3. Run:

    vsx stat -v

12

Open the VSX Gateway object.

13

On the General Properties page, click the Network Security tab.

14

Enable the desired Software Blades for the VSX Gateway object itself (context of VS0).

Refer to:

15

Click OK to push the updated VSX Configuration.

Click View Report for more information.

16

Examine the VSX configuration:

  1. Connect to the command line on the Security Group.

  2. Log in to the Expert mode.

  3. Run:

    vsx stat -v

17

Install policy on the VSX Gateway object:

  1. Click Install Policy.

  2. In the Policy field, select the default policy for this VSX Gateway object.

    This policy is called:

    <Name of VSX Gateway object>_VSX

  3. Click Install.

18

Examine the VSX configuration:

  1. Connect to the command line on the Security Group.

  2. Log in to the Expert mode.

  3. Run:

    vsx stat -v

Step

Instructions

1

Connect with the SmartConsole to the Security Management Server, or each Target Domain Management Server that should manage each Virtual System.

2

Configure the desired Virtual Systems on this Security Group.

3

Create the applicable Access Control Policy for these Virtual Systems.

4

Create the applicable Threat Prevention Policy for these Virtual Systems.

5

Publish the SmartConsole session.

6

Install the configured Security Policies on these Virtual Systems.

7

Install the Access Control Policy on these Virtual Systems:

  1. Click Install Policy.

  2. In the Policy field, select the applicable policy for the Virtual System object.

  3. Select only the Access Control Policy.

  4. Click Install.

8

Install the Threat Prevention Policy on these Virtual Systems:

  1. Click Install Policy.

  2. In the Policy field, select the applicable policy for the Virtual System object.

  3. Select only the Threat Prevention Policy.

  4. Click Install.

9

Examine the VSX configuration:

  1. Connect to the command line on the Security Group.

  2. Log in to the Expert mode.

  3. Run:

    vsx stat -v

For more information, see: