Configuring Security Groups in Gaia Portal

To start working in Gaia Portal:

Step

Instructions

With a web browser, connect to the Gaia Portal Web interface for the Check Point Gaia operating system. on the Quantum Maestro Orchestrator A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system. Synonyms: Orchestrator, Quantum Maestro Orchestrator, Maestro Hyperscale Orchestrator. Acronym: MHO.:

https://<IP Address of Orchestrator's MGMT Port>

Log in to the Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Portal with these default credentials:

Username - admin
Password - admin

From the left navigation tree, click Orchestrator page.

The Topology section contains the table that shows:

Item	Description
Unassigned Gateways	All detected Security Appliances that are not part of configured Security Groups. Quantum Maestro Orchestrator listens on the ports and automatically detects the connected Security Appliances.
Topology	Configured Security Groups with their assigned Security Appliances and ports.
Unassigned Interfaces	All interfaces on Quantum Maestro Orchestrators that are not part of configured Security Groups.

Item

Description

Unassigned Gateways

All detected Security Appliances that are not part of configured Security Groups.

Quantum Maestro Orchestrator listens on the ports and automatically detects the connected Security Appliances.

Topology

Configured Security Groups with their assigned Security Appliances and ports.

Unassigned Interfaces

All interfaces on Quantum Maestro Orchestrators that are not part of configured Security Groups.

Notes:

Click Apply button to save the changes in Security Groups.
Click Refresh button to load the latest configuration. For example, when you work with two Quantum Maestro Orchestrators for redundancy, and you change the configuration on another Quantum Maestro Orchestrator.
You use the drag-and-drop action on the Security Appliance and port objects.
When you hover the mouse cursor over a Security Appliance object, the tooltip shows the Security Appliance ID in the Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected., Appliance Serial Number and the corresponding Downlink port.

Applicable configuration procedures are provided below.

Creating a New Security Group

Step

Instructions

In the Topology column, click the [+] on the left side of the Security Groups.

In the Topology column, right-click on the Security Groups and select New Security Group.

Enter the required Management interface settings.

Best Practice - Configure the First Time Wizard settings.

Click OK.

Click the [+] on the left side of the Security Groups and the new Security Group.

In the Unassigned Gateways column, select the applicable Security Appliances.

Important - You must assign at least one Security Appliance to the Security Group.

Note - To select multiple Security Appliances, press and hold the CTRL key and left-click the objects with the mouse cursor.

Drag-and-drop the selected Security Appliances from the Unassigned Gateways column to the Gateways section in the new Security Group.

In the Unassigned Interfaces column, select the applicable data and management interfaces.

Note - To select multiple interfaces, press and hold the CTRL key and left-click the objects with the mouse cursor.

Drag-and-drop the selected interfaces from the Unassigned Interfaces column to the Interfaces section in the new Security Group.

In the bottom left corner, click Apply.

Notes:

Every new Security Group you add, is called Security Group N, where the ordinal number N is assigned automatically starting from 1 (for example, if you already have "Security Group 1" and "Security Group 3", then the new Security Group is called "Security Group 2").
Every Security Group contains two sections:
- Gateways - contains the Check Point Security Gateways you assign to this Security Group.
- Interfaces - contains the Orchestrator's interfaces you assign to this Security Group.
You must make sure to assign the correct Security Gateways' interfaces to Security Groups.

Deleting a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	In the Topology column, right-click on the Security Group.
3	From the menu, click Delete Security Group. Important - There is no prompt to confirm.
4	In the bottom left corner, click Apply.

Adding the Network Configuration and First Time Wizard settings to a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	In the Topology column, right-click on the Security Group.
3	Click Set Security Group configuration.
4	In the Network settings section: In the IPv4 address field, enter the IPv4 address of the Security Group. All Security Appliances in this Security Group use this IPv4 address as their Gaia management IP address. You use this IPv4 address in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. when you configure the corresponding Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object. In the Subnet mask field, enter the applicable IPv4 subnet mask. All Security Appliances in this Security Group use this IPv4 subnet mask for their Gaia management IP address. You use this IPv4 subnet mask in SmartConsole when you configure the corresponding Security Gateway object. In the Default Gateway field, enter the applicable IPv4 address. All Security Appliances in this Security Group use this IPv4 address as their default gateway.
5	In the First Time Wizard settings section, configure the initial settings for Security Appliances assigned to this Security Group. Select Set FTW configuration. In the Host Name field, enter a hostname. In the Activation Key field, enter a one-time activation key (between 4 and 127 characters long). In the Confirm Activation Key field, enter the same one-time activation key again. Select Install as VSX, only if it is necessary to run all Security Appliances in this Security Group as VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Gateways.
6	Click OK.
7	In the bottom left corner, click Apply.

Warning - If you enable the Set FTW configuration option in an existing Security Group (in which you already ran the First Time Configuration Wizard), then the change applies only after you reset each Security Appliance in that Security Group to factory defaults.

Removing the Network Configuration and First Time Wizard settings from a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	In the Topology column, right-click on the Security Group.
3	From the menu, click Clear network configuration. Important - There is no prompt to confirm.
4	In the bottom left corner, click Apply.

Note - This configuration option is available only in the Gaia Portal.

Assigning Available Security Appliances to a Security Group

Best Practice:

Before you add Security Appliances to an existing Security Group, enable the SMO Image Cloning feature in the Security Group.

This feature automatically clones all the required software packages to the new Security Appliances.

Run in Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group. on the Security Group:

set smo image auto-clone state on

show smo image auto-clone state

After you added the Security Appliances, you must disable the SMO Image Cloning feature in the Security Group:

set smo image auto-clone state off

show smo image auto-clone state

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable Security Group.
3	In the Unassigned Gateways column, select the applicable Security Appliances. Note - To select multiple Security Appliances, press and hold the CTRL key and left-click the objects with the mouse cursor.
4	Drag-and-drop the selected Security Appliances from the Unassigned Gateways column to the Gateways section in the applicable Security Group. Note - If such operation is allowed, Gaia Portal shows a green plus icon. Otherwise, it shows a red blocking icon.
5	In the bottom left corner, click Apply.

Important:

You can assign only appliances of the same model to the same Security Group.
The Security Appliances must reboot after you assign them to a Security Group.

Best Practice for Dual Site - Assign the same number (as possible) of Security Appliances from each site to the Security Group. If a failover occurs between the sites, Security Appliances on the new Active site must be able to process all the traffic.

Removing One Security Appliance from a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable Security Group.
3	Click the [+] on the left side of the Gateways section.
4	Select the Security Appliance it is necessary to remove from the Security Group.
5	Right-click on the selected Security Appliance.
6	From the menu, click Detach Gateway. Important - There is no prompt to confirm.
7	In the bottom left corner, click Apply.

Important - The Security Appliance must perform a reset to factory defaults and reboot after you remove it from a Security Group. This is to make sure that no security configuration is left behind.

Removing All Security Appliances from a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable Security Group.
3	Left-click on the Gateways section to select it.
4	Right-click on the Gateways section.
5	From the menu, click Detach all Gateways.
6	In the bottom left corner, click Apply.

Important - The Security Appliances must perform a reset to factory defaults and reboot after you remove them from a Security Group. This is to make sure that no security configuration is left behind.

Note - This configuration option is available only in the Gaia Portal.

Moving Security Appliances from One Security Group to a Different Security Group

Best Practice:

Before you add Security Appliances to an existing Security Group, enable the SMO Image Cloning feature in the Security Group.

This feature automatically clones all the required software packages to the new Security Appliances.

Run in Gaia gClish on the Security Group:

set smo image auto-clone state on

show smo image auto-clone state

After you added the Security Appliances, you must disable the SMO Image Cloning feature in the Security Group:

set smo image auto-clone state off

show smo image auto-clone state

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable sourceSecurity Group.
3	Click the [+] on the left side of the applicable targetSecurity Group.
4	Select the applicable Security Appliances. Note - To select multiple Security Appliances, press and hold the CTRL key and left-click the objects with the mouse cursor.
5	Drag-and-drop the selected Security Appliances from the Gateways section of the source Security Group to the Gateways section of the target Security Group. Note - If such operation is allowed, Gaia Portal shows a green plus icon. Otherwise, it shows a red blocking icon.
6	In the bottom left corner, click Apply.

Important - The Security Appliance must perform a reset to factory defaults and reboot after you remove it from a Security Group. This is to make sure that no security configuration is left behind.

Note - This configuration option is available only in the Gaia Portal.

Assigning Interfaces to a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable Security Group.
3	In the Unassigned Interfaces column, select the applicable interfaces. Note - To select multiple interfaces, press and hold the CTRL key and left-click the objects with the mouse cursor.
4	Drag-and-drop the selected interfaces from the Unassigned Interfaces column to the Interfaces section in the applicable Security Group. Note - If such operation is allowed, Gaia Portal shows a green plus icon. Otherwise, it shows a red blocking icon.
5	In the bottom left corner, click Apply.

Removing One Interface from a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable Security Group.
3	Click the [+] on the left side of the Interfaces section.
4	Right-click on the applicable interface.
5	From the menu, click Detach Interface. Important - There is no prompt to confirm.
6	In the bottom left corner, click Apply.

Removing All Interfaces from a Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable Security Group.
3	Right-click on the Interfaces section.
4	From the menu, click Detach Security Group Interfaces. Important - There is no prompt to confirm.
5	In the bottom left corner, click Apply.

Note - This configuration option is available only in the Gaia Portal.

Moving Interfaces from One Security Group to a Different Security Group

Step	Instructions
1	In the Topology column, click the [+] on the left side of the Security Groups.
2	Click the [+] on the left side of the applicable sourceSecurity Group.
3	Click the [+] on the left side of the applicable targetSecurity Group.
4	Select the applicable interfaces. Note - To select multiple interfaces, press and hold the CTRL key and left-click the objects with the mouse cursor.
5	Drag-and-drop the selected interfaces from the Interfaces section of the sourceSecurity Group to the Interfaces section of the targetSecurity Group. Note - If such operation is allowed, Gaia Portal shows a green plus icon. Otherwise, it shows a red blocking icon.
6	In the bottom left corner, click Apply.

Note - This configuration option is available only in the Gaia Portal.

Adding VLAN Interfaces on Uplink Ports

If a Security Group must inspect VLAN traffic, you must configure VLAN interfaces on the applicable Uplink ports Interfaces on the Quantum Maestro Orchestrator used to connect to external and internal networks. Gaia operating system shows these interfaces in Gaia Portal and in Gaia Clish. SmartConsole shows these interfaces in the corresponding SMO Security Gateway object..

Step

Instructions

If you did not assign the Uplink port to the Security Group yet:

In the Unassigned Interfaces column, right-click on the Uplink port, on which it is necessary to add a VLAN.

If you already assigned the Uplink port to the Security Group:

In the Topology column, click the [+] on the left side of the Security Groups.
Click the [+] on the left side of the applicable Security Group.
Click the [+] on the left side of the Interfaces section.
Right-click on the Uplink port, on which it is necessary to add a VLAN.

From the menu, click Add VLAN.

In the VLAN ID field, enter or select the VLAN ID between 2 and 4094.

In the Member Of field, make sure to select the correct Uplink port.

Click OK.

The prompt appears:

In order to create VLAN <ID > for Port <Port ID> (<Interface Name>) it must be removed. Would you like to continue?

Click Yes.

In the bottom left corner, click Apply.

Removing VLAN Interfaces from Uplink Ports

Step	Instructions
1	In the Unassigned Interfaces column, right-click on the Uplink port with configured VLAN ID it is necessary to remove. If you did not assign the Uplink port to the Security Group yet: In the Unassigned Interfaces column, right-click on the Uplink port with configured VLAN ID it is necessary to remove. If you already assigned the Uplink port to the Security Group: In the Topology column, click the [+] on the left side of the Security Groups. Click the [+] on the left side of the applicable Security Group. Click the [+] on the left side of the Interfaces section. Right-click on the Uplink port with configured VLAN ID it is necessary to remove.
2	From the menu, click Remove VLAN. Important - There is no prompt to confirm.
3	In the bottom left corner, click Apply.

Step

Instructions

In the Unassigned Interfaces column, right-click on the Uplink port with configured VLAN ID it is necessary to remove.

If you did not assign the Uplink port to the Security Group yet:

In the Unassigned Interfaces column, right-click on the Uplink port with configured VLAN ID it is necessary to remove.

If you already assigned the Uplink port to the Security Group:

In the Topology column, click the [+] on the left side of the Security Groups.
Click the [+] on the left side of the applicable Security Group.
Click the [+] on the left side of the Interfaces section.
Right-click on the Uplink port with configured VLAN ID it is necessary to remove.

From the menu, click Remove VLAN.

Important - There is no prompt to confirm.

In the bottom left corner, click Apply.