Configuring a Security Gateway Object in SmartConsole

A Chassis can work as a Security Gateway, or as a VSX Gateway.

This procedure describes the configuration of a Security Gateway in SmartConsole.

Note - There can be some variations in the wizard steps due to release updates. In these cases, follow the instructions on the screen.

Configuring a Security Gateway Object

Step

Instructions

1

Connect with SmartConsole to your Management Server.

2

From the left navigation panel, click Gateways & Servers.

3

Create a new Security Gateway object in one of these ways:

  • From the top toolbar, click New > Gateway.

  • In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > New Gateway.

  • In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Gateway.

4

In the Check Point Security Gateway Creation window, select Wizard Mode or Classic Mode.

This procedure describes the Wizard mode.

If you choose Classic Mode, make sure you set all the necessary configuration parameters.

5

On the General Properties page:

  1. In the Gateway name field, enter the applicable name for this Security Gateway object.

  2. In the Gateway platform field, select the correct chassis.

  3. In the Gateway IP address section, select the applicable option:

    • If you selected Static IP address, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Security Group's First Time Configuration Wizard.

      Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.

    • If this Security Group receives its IP addresses from a DHCP server, click Cancel.

      Create a new Security Gateway object and in the Check Point Security Gateway Creation window, select Classic Mode.

  4. Click Next.

6

On the Trusted Communication page:

  1. Select the applicable option:

    • If you selected Initiate trusted communication now, enter the same Activation Key you entered during the Security Group's First Time Configuration Wizard.

    • If you selected Skip and initiate trusted communication later, make sure to follow Step 7.

  2. Click Next.

7

On the End page:

  1. Examine the Configuration Summary.

  2. Select Edit Gateway properties for further configuration.

  3. Click Finish.

The Check Point Gateway properties window opens on the General Properties page.

8

If, during Wizard Mode, you selected Skip and initiate trusted communication later:

  1. The Secure Internal Communication field shows Uninitialized.

  2. Click Communication.

  3. In the Platform field, select Open server / Appliance.

  4. Enter the same Activation Key you entered during the Security Gateway's First Time Configuration Wizard.

  5. Click Initialize.

    Make sure the Certificate state field shows Established.

  6. Click OK.

9

On the General Properties page:

  • On the Network Security tab, enable the applicable Software Blades.

  • On the Threat Prevention tab, enable the applicable Software Blades.

10

In the navigation tree, select Topology.

Configure:

  • Topology of Interfaces as Internal or External.

  • Anti-Spoofing.

    Note - Only data and management interfaces show in the list.

11

Click OK.

12

Publish the SmartConsole session.

13

Configure the applicable Security Policy for the Security Gateway in SmartConsole:

  1. From the left navigation panel, click Security Policies.

  2. Create a new policy and configure the applicable layers:

    1. At the top, click the + tab (or press CTRL T).

    2. On the Manage Policies tab, click Manage policies and layers.

    3. In the Manage policies and layers window, create a new policy and configure the applicable layers.

    4. Click Close.

    5. On the Manage Policies tab, click the new policy you created.

  3. Create the applicable Access Control rules.

  4. Install the Access Control Policy on the Security Gateway object.

  5. Create the applicable Threat Prevention rules.

  6. Install the Threat Prevention Policy on the Security Gateway object.

Confirming the Policy Installation

To make sure that the policy was installed successfully:

Step

Instructions

1

Connect to one of the SGMs over SSH or a serial console.

2

Run:

asg monitor

3

Make sure that the SGM status is "Enforcing Security" on the ACTIVE and STANDBY Chassis.

4

Make sure the Policy Date matches the date and time the policy was installed.

Confirming the Security Gateway Software Configuration

To make sure the software configuration is correct:

Step

Instructions

1

Connect to one of the SGMs over SSH or a serial console.

2

Run:

asg diag

Use the command to collect and show diagnostic information about the system.

If there is a problem, fix it before using the system.