Security Group

To be part of a Security Gateway, a Security Gateway Module (SGM) must belong to a Security Group.

  • Security Gateway - Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.

  • Security Gateway Module (SGM) - A hardware component on a 60000 / 40000 Appliance (Chassis) that operates as a physical Security Gateway. A Chassis contains many Security Gateway Modules that work together as a single, high performance Security Gateway or VSX Gateway.

  • Security Group - A logical group of Security Gateway Modules that provides Active/Active cluster functionality. A Security Group can contain one or more Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears as a single Security Gateway.

Note - You must run the applicable commands in Gaia gClish of the applicable Security Group. Gaia gClish is the global command line shell in the Check Point Gaia operating system for Security Gateway Modules. Commands you run in this shell apply to all Security Gateway Modules in the Security Group.

Viewing SGMs in a Security Group

Syntax

show smo security-group

Adding SGMs to a Security Group

Best Practice - To add new SGMs to an existing Security Group:

  1. Enable the SMO Image Cloning feature in the Security Group.

    This feature automatically clones all the required software packages to the new SGMs.

    Run in Gaia gClish on the Security Group:

    set smo image auto-clone state on

    show smo image auto-clone state

  2. Add the new SGMs to the existing Security Group:

    add smo security-group <SGM IDs>

  3. Make sure the Security Group is configured correctly (run the command exactly as it appears below):

    show smo verifiers print name Security_Group

  4. To optimize connection distribution among the SGMs, update the Security Group with the correct number of SGMs.

    See Configuring the SGM Range.

  5. Disable the SMO Image Cloning feature in the Security Group.

    Run in Gaia gClish on the Security Group:

    set smo image auto-clone state off

    show smo image auto-clone state

Syntax

add smo security-group <SGM IDs>

Parameters

Parameter: <SGM IDs>

Description: Applies to Security Group Members as specified by the <SGM IDs>.

<SGM IDs> can be:

  • No <SGM IDs> specified, or all

    Applies to all Security Group Members and all Chassis

  • One Security Group Member (for example, 1_1)

  • A comma-separated list of Security Group Members (for example, 1_1,1_4)

  • A range of Security Group Members (for example, 1_1-1_4)

  • In Dual Chassis, one Chassis (chassis1, or chassis2)

  • In Dual Chassis, the Active Chassis (chassis_active)

Example

[Global] MyChassis-ch01-01 > add smo security-group 1_1-1_3,2_1-2_3

Deleting SGMs from a Security Group

Syntax

Important - Before you remove an SGM from the Security Gateway, make sure that it is in the DOWN state.

All SGMs that are assigned to the current Security Group and are not part of the new Security Group, must be in the DOWN state.

Otherwise, the command fails.

delete smo security-group <SGM IDs>

Best Practice - After you delete SGMs from an existing Security Group:

  1. Make sure the Security Group is configured correctly (run the command exactly as it appears below):

    show smo verifiers print name Security_Group

  2. To optimize connection distribution among the SGMs, update the Security Group with the correct number of SGMs.

    See Configuring the SGM Range.

Parameters

Parameter: <SGM IDs>

Description: Applies to Security Group Members as specified by the <SGM IDs>.

<SGM IDs> can be:

  • No <SGM IDs> specified, or all

    Applies to all Security Group Members and all Chassis

  • One Security Group Member (for example, 1_1)

  • A comma-separated list of Security Group Members (for example, 1_1,1_4)

  • A range of Security Group Members (for example, 1_1-1_4)

  • In Dual Chassis, one Chassis (chassis1, or chassis2)

  • In Dual Chassis, the Active Chassis (chassis_active)

Example

[Global] MyChassis-ch01-01 > delete smo security-group 1_1-1_3,2_1-2_3
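The following is an added example, not part of the Check Point documentation: an operator-side pre-check that expands an <SGM IDs> expression into individual members and lists any selected SGM that is not confirmed DOWN before "delete smo security-group" is run. The function names, the STATES table (constructed sample data, including the "UP" label) and the assumption that a range stays within one Chassis are illustrative; how the states are collected is not shown.

```python
import re

_MEMBER = re.compile(r"^(\d+)_(\d+)$")  # <chassis>_<slot>, for example 1_1

def expand_sgm_ids(spec, inventory, active_chassis=1):
    """Expand an <SGM IDs> expression into a sorted list of (chassis, slot).

    inventory: set of (chassis, slot) tuples the operator knows about.
    active_chassis: which Chassis "chassis_active" refers to (operator supplied).
    """
    spec = spec.strip()
    if spec in ("", "all"):              # no IDs, or "all": every member
        return sorted(inventory)
    members = set()
    for token in (t.strip() for t in spec.split(",")):
        if token in ("chassis1", "chassis2", "chassis_active"):
            chassis = active_chassis if token == "chassis_active" else int(token[-1])
            members |= {m for m in inventory if m[0] == chassis}
            continue
        first, dash, last = token.partition("-")
        lo = _MEMBER.match(first)
        hi = _MEMBER.match(last) if dash else lo   # single member: lo == hi
        if not lo or not hi:
            raise ValueError(f"bad SGM ID token: {token!r}")
        # Assumption: a range such as 1_1-1_4 stays within one Chassis.
        if lo.group(1) != hi.group(1) or int(lo.group(2)) > int(hi.group(2)):
            raise ValueError(f"bad SGM range: {token!r}")
        chassis = int(lo.group(1))
        members |= {(chassis, s)
                    for s in range(int(lo.group(2)), int(hi.group(2)) + 1)}
    return sorted(members)

def not_down(spec, states, active_chassis=1):
    """Return selected SGMs, as 'c_s' strings, that are not confirmed DOWN.

    An SGM with no entry in states is reported too, because its state is unknown.
    """
    selected = expand_sgm_ids(spec, set(states), active_chassis)
    return [f"{c}_{s}" for c, s in selected if states.get((c, s)) != "DOWN"]

# Constructed sample states; any value other than "DOWN" blocks the delete.
STATES = {(1, 1): "DOWN", (1, 2): "UP", (1, 3): "DOWN",
          (2, 1): "DOWN", (2, 2): "DOWN", (2, 3): "UP"}

if __name__ == "__main__":
    blockers = not_down("1_1-1_3,2_1-2_3", STATES)
    print("Not DOWN, delete would fail:", blockers or "none")
```

An empty result means every selected SGM is recorded as DOWN; the verifier command from the Best Practice steps is still run on the Security Group afterwards.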