Configuration in SmartConsole

Create one Security Gateway object

You can configure a Security Gateway object in SmartConsole in one of these modes: Wizard Mode or Classic Mode.

Security Gateway: Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.

SmartConsole: Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.

Configuring a Security Gateway object in SmartConsole in Wizard Mode
1. Connect with the SmartConsole to the Security Management Server or Domain Management Server that should manage this Security Group.
   Security Management Server: Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.
   Management Server: Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.
   Security Group: A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears as a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.
2. From the left navigation panel, click Gateways & Servers.
3. Create a new Security Gateway object in one of these ways:
   - From the top toolbar, click New > Gateway.
   - In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > New Gateway.
   - In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Gateway.
4. In the Check Point Security Gateway Creation window, click Wizard Mode.
5. On the General Properties page:
   - In the Gateway name field, enter a name for this Security Gateway object.
   - In the Gateway platform field, select Maestro.
   - In the Gateway IP address section, enter the same IPv4 address that you configured for the Security Group on the Quantum Maestro Orchestrator.
     Quantum Maestro Orchestrator: A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO.
   - Click Next.
6. On the Trusted Communication page:
   - Select Initiate trusted communication now and enter the same Activation Key you entered in the First Time Wizard settings of the Security Group on the Quantum Maestro Orchestrator.
   - Click Next.
7. On the End page:
   - Examine the Configuration Summary.
   - Select Edit Gateway properties for further configuration.
   - Click Finish.
   The Check Point Gateway properties window opens on the General Properties page.
8. On the Network Security tab, enable the desired Software Blades.
   Important - Do not select anything on the Management tab.
9. Click OK.
10. Publish the SmartConsole session.

Configuring a Security Gateway object in SmartConsole in Classic Mode
1. Connect with the SmartConsole to the Security Management Server or Domain Management Server that should manage this Security Group.
2. From the left navigation panel, click Gateways & Servers.
3. Create a new Security Gateway object in one of these ways:
   - From the top toolbar, click New > Gateway.
   - In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > New Gateway.
   - In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Gateway.
4. In the Check Point Security Gateway Creation window, click Classic Mode.
   The Check Point Gateway properties window opens on the General Properties page.
5. In the Name field, enter a name for this Security Gateway object.
6. In the IPv4 address and IPv6 address fields, enter the same IPv4 address that you configured for the Security Group on the Quantum Maestro Orchestrator.
7. Establish the Secure Internal Communication (SIC) between the Management Server and this Security Group:
   SIC: Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.
   - Near the Secure Internal Communication field, click Communication.
   - In the Platform field, select Open server / Appliance.
   - In the Activation Key field, enter the same Activation Key you entered in the First Time Wizard settings of the Security Group on the Quantum Maestro Orchestrator.
   - Click Initialize.
   - Click OK.
8. In the Platform section, select the correct options:
   - In the Hardware field, select Maestro.
   - In the Version field, select R80.20SP.
   - In the OS field, select Gaia.
9. On the Network Security tab, enable the desired Software Blades.
   Important - Do not select anything on the Management tab.
10. Click OK.
11. Publish the SmartConsole session.

For more information, see the R81 Security Management Administration Guide.

Configure a Security Policy in SmartConsole
1. Connect with the SmartConsole to the Security Management Server or Domain Management Server that manages this Security Group.
2. From the left navigation panel, click Security Policies.
3. Create a new policy and configure the applicable layers:
   - At the top, click the + tab (or press CTRL+T).
   - On the Manage Policies tab, click Manage policies and layers.
   - In the Manage policies and layers window, create a new policy and configure the applicable layers.
   - Click Close.
   - On the Manage Policies tab, click the new policy you created.
4. Create the applicable Access Control Policy.
6. Create the applicable Threat Prevention Policy.
7. Publish the SmartConsole session.

For more information, see:
- Applicable Administration Guides on the R81 Home Page and R80.20 Home Page.

Install the Security Policy in SmartConsole
1. Install the Access Control Policy on the Security Gateway object:
   - Click Install Policy.
   - In the Policy field, select the applicable policy for this Security Gateway object.
   - Select only the Access Control Policy.
   - Click Install.
2. Install the Threat Prevention Policy on the Security Gateway object:
   - Click Install Policy.
   - In the Policy field, select the applicable policy for this Security Gateway object.
   - Select only the Threat Prevention Policy.
   - Click Install.

Configure a VSX Gateway object in SmartConsole
1. Connect with the SmartConsole to the Security Management Server or Main Domain Management Server that should manage this Security Group.
2. From the left navigation panel, click Gateways & Servers.
3. Create a new VSX Gateway object in one of these ways:
   VSX Gateway: Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0.
   - From the top toolbar, click New > VSX > Gateway.
   - In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > VSX > New Gateway.
   - In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > VSX > Gateway.
   The VSX Gateway Wizard opens.
4. On the VSX Gateway General Properties (Specify the object's basic settings) page:
   - In the Enter the VSX Gateway Name field, enter the desired name for this VSX Gateway object.
     VSX: Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts.
   - In the Enter the VSX Gateway IPv4 field, enter the same IPv4 address that you configured on the Management Connection page of the VSX Gateway's First Time Configuration Wizard.
   - In the Enter the VSX Gateway IPv6 field, enter the same IPv6 address that you configured on the Management Connection page of the VSX Gateway's First Time Configuration Wizard.
   - In the Select the VSX Gateway Version field, select R80.20SP.
   - Click Next.
5. On the Virtual Systems Creation Templates (Select the Creation Template most suitable for your VSX deployment) page:
   - Select the applicable template.
   - Click Next.
6. On the VSX Gateway General Properties (Secure Internal Communication) page:
   - In the Activation Key field, enter the same Activation Key you entered in the First Time Wizard settings of the Security Group on the Quantum Maestro Orchestrator.
   - In the Confirm Activation Key field, enter the same Activation Key again.
   - Click Initialize.
   - Click Next.
7. On the VSX Gateway Interfaces (Physical Interfaces Usage) page:
   - Examine the list of the interfaces - it must show all the Uplink ports you assigned to this Security Group.
     Uplink ports: Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object.
   - If you plan to connect more than one Virtual System directly to the same Uplink port, you must select VLAN Trunk for that physical Uplink port.
   - Click Next.
8. On the Virtual Network Device Configuration (Specify the object's basic settings) page:
   - You can select Create a Virtual Network Device and configure the first desired Virtual System at this time (we recommend that you do this later).
   - Click Next.
9. On the VSX Gateway Management (Specify the management access rules) page:
   - Examine the default access rules.
   - Select the applicable default access rules.
   - Configure the applicable source objects, if needed.
   - Click Next.
   Important - These access rules apply only to the VSX Gateway (context of VS0), which is not intended to pass any "production" traffic.
10. On the VSX Gateway Creation Finalization page:
   - Click Finish and wait for the operation to finish.
   - Click View Report for more information.
   - Click Close.
11. Examine the VSX configuration:
   - Connect to the command line on the Security Group.
   - Log in to the Expert mode.
   - Run:
       vsx stat -v
12. Open the VSX Gateway object.
13. On the General Properties page, click the Network Security tab.
14. Enable the desired Software Blades for the VSX Gateway object itself (context of VS0).
   Refer to:
   - sk106496: Software Blades updates on VSX R75.40VS and above - FAQ
   - Applicable Administration Guides on the R81 Home Page and R80.20 Home Page
15. Click OK to push the updated VSX Configuration.
   Click View Report for more information.
16. Examine the VSX configuration:
   - Connect to the command line on the Security Group.
   - Log in to the Expert mode.
   - Run:
       vsx stat -v
17. Install policy on the VSX Gateway object:
   - Click Install Policy.
   - In the Policy field, select the default policy for this VSX Gateway object.
     This policy is called:
       <Name of VSX Gateway object>_VSX
   - Click Install.
18. Examine the VSX configuration:
   - Connect to the command line on the Security Group.
   - Log in to the Expert mode.
   - Run:
       vsx stat -v

Configure Virtual Systems and their Security Policies in SmartConsole
1. Connect with the SmartConsole to the Security Management Server, or each Target Domain Management Server that should manage each Virtual System.
2. Configure the desired Virtual Systems on this Security Group.
3. Create the applicable Access Control Policy for these Virtual Systems.
4. Create the applicable Threat Prevention Policy for these Virtual Systems.
5. Publish the SmartConsole session.
6. Install the configured Security Policies on these Virtual Systems.
   Security Policy: Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.
7. Install the Access Control Policy on these Virtual Systems:
   - Click Install Policy.
   - In the Policy field, select the applicable policy for the Virtual System object.
   - Select only the Access Control Policy.
   - Click Install.
8. Install the Threat Prevention Policy on these Virtual Systems:
   - Click Install Policy.
   - In the Policy field, select the applicable policy for the Virtual System object.
   - Select only the Threat Prevention Policy.
   - Click Install.
9. Examine the VSX configuration:
   - Connect to the command line on the Security Group.
   - Log in to the Expert mode.
   - Run:
       vsx stat -v

For more information, see:
- Applicable Administration Guides on the R81 Home Page and R80.20 Home Page
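
A check for the "Examine the VSX configuration" steps above, as an added example that is not part of the original Check Point page: the function reads vsx stat -v output and reports a VS0 policy other than <Name of VSX Gateway object>_VSX, Virtual Systems with no Access Control or Threat Prevention policy, and rows whose SIC state is not Trust. The output layout, the <No Policy> marker, the function names and the sample (gateway gw-example, policy VS_Policy) are assumptions constructed for illustration; compare them with what your version prints.

```shell
#!/bin/sh
# Added example (not Check Point code). Usage in Expert mode:
#   vsx stat -v | check_vsx_stat <Name of VSX Gateway object>
# Prints one finding per line; returns 0 when clean, 1 on findings or no rows.
check_vsx_stat() {
    awk -F'|' -v want="${1}_VSX" '
        # VS0 header: the page says the default policy is <object name>_VSX.
        /^(Security|Access Control) Policy:/ {
            p = $0; sub(/^[^:]*:[ \t]*/, "", p); sub(/[ \t]+$/, "", p)
            if (p != want) { print "VS0: policy is " p ", expected " want; bad++ }
        }
        # Virtual Device rows: ID | Type & Name | AC policy | date | TP policy | SIC
        NF >= 6 && $1 ~ /^[ \t]*[0-9]+[ \t]*$/ {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            rows++
            if ($3 == "<No Policy>") { print "VS " $1 " (" $2 "): no Access Control policy"; bad++ }
            if ($5 == "<No Policy>") { print "VS " $1 " (" $2 "): no Threat Prevention policy"; bad++ }
            if ($6 != "Trust")       { print "VS " $1 " (" $2 "): SIC state is " $6; bad++ }
        }
        END { exit (bad > 0 || rows == 0) }
    '
}

# Constructed sample output (assumed layout; names, dates and policies invented).
sample_vsx_stat() {
    cat <<'EOF'
VSX Gateway Status
==================
Name:            gw-example
Access Control Policy: gw-example_VSX
Installed at:    01Jan2021 10:00:00
Threat Prevention Policy: <No Policy>
SIC Status:      Trust

Virtual Devices Status
======================

 ID  | Type & Name | Access Control Policy | Installed at    | Threat Prevention Policy | SIC Stat
-----+-------------+-----------------------+-----------------+--------------------------+---------
   1 | S VS1       | VS_Policy             | 01Jan2021 10:05 | VS_Policy                | Trust
   2 | S VS2       | VS_Policy             | 01Jan2021 10:05 | <No Policy>              | Trust
EOF
}

# Demo on the sample: reports VS2 as missing its Threat Prevention policy.
sample_vsx_stat | check_vsx_stat gw-example || echo "findings listed above"
```

Run it after each stage of the procedure; a Virtual System that is meant to have no Threat Prevention policy will still be listed, so treat that line as a prompt to confirm the intent.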