Single Management Object (SMO) and Policies

Single Management Object

Single Management Object Single Security Gateway object in SmartConsole that represents a Security Group configured on Quantum Maestro Orchestrator. Acronym: SMO. (SMO) is a Check Point technology that manages the Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. as one large Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. with one management IP address.

One Security Group Member, the SMO Master, handles all management tasks, such as Security Gateway configuration, policy installation, remote connections, and logging

are handled. The SMO Master updates all other Security Group Members.

The Active Security Group Member with the lowest ID number is automatically assigned to be the SMO.

Use the "asg stat -i tasks" command to identify the SMO and see how tasks are distributed on the Security Group Members (see Showing Hardware State (asg stat)).

Example output in a Dual Site configuration

The SMO task runs on Site #2 - on the Security Group Member #3, on which you ran this command (see the string "(local)").

[Expert@MyChassis-ch0x-0x:0]# asg stat -i tasks

--------------------------------------------------------------------------------

| Task (Task ID)     |        Chassis 1           |        Chassis 2           |

--------------------------------------------------------------------------------

| SMO (0)            |                            |         3(local)           |

| General (1)        |         2                  |         3(local)           |

| LACP (2)           |         2                  |         3(local)           |

| CH Monitor (3)     |         2                  |         3(local)           |

| DR Manager (4)     |                            |         3(local)           |

| UIPC (5)           |         2                  |         3(local)           |

| Alert (6)          |                            |         3(local)           |

--------------------------------------------------------------------------------

[Expert@MyChassis-ch0x-0x:0]#

[Expert@MyChassis-ch0x-0x:0]# member 2_4

Moving to member 2_4

... ...

[Expert@MyChassis-ch0x-0x:0]# asg stat -i tasks

--------------------------------------------------------------------------------

| Task (Task ID)     |        Chassis 1           |        Chassis 2           |

--------------------------------------------------------------------------------

| SMO (0)            |                            |         3                  |

| General (1)        |         2                  |         3                  |

| LACP (2)           |         2                  |         3                  |

| CH Monitor (3)     |         2                  |         3                  |

| DR Manager (4)     |                            |         3                  |

| UIPC (5)           |         2                  |         3                  |

| Alert (6)          |                            |         3                  |

--------------------------------------------------------------------------------

[Expert@MyChassis-ch0x-0x:0]#

Example output from all Security Group Members (in our example, there are two on each Site):

[Expert@MyChassis-ch0x-0x:0]# g_all asg stat -i tasks

1_01:

--------------------------------------------------------------------------------

| Task (Task ID)     |        Chassis 1           |        Chassis 2           |

--------------------------------------------------------------------------------

| SMO (0)            |         1(local)           |                            |

| General (1)        |         1(local)           |         1                  |

| LACP (2)           |         1(local)           |         1                  |

| CH Monitor (3)     |         1(local)           |         1                  |

| DR Manager (4)     |         1(local)           |                            |

| UIPC (5)           |         1(local)           |         1                  |

| Alert (6)          |         1(local)           |                            |

--------------------------------------------------------------------------------

1_02:

--------------------------------------------------------------------------------

| Task (Task ID)     |        Chassis 1           |        Chassis 2           |

--------------------------------------------------------------------------------

| SMO (0)            |         1                  |                            |

| General (1)        |         1                  |         1                  |

| LACP (2)           |         1                  |         1                  |

| CH Monitor (3)     |         1                  |         1                  |

| DR Manager (4)     |         1                  |                            |

| UIPC (5)           |         1                  |         1                  |

| Alert (6)          |         1                  |                            |

--------------------------------------------------------------------------------

2_01:

--------------------------------------------------------------------------------

| Task (Task ID)     |        Chassis 1           |        Chassis 2           |

--------------------------------------------------------------------------------

| SMO (0)            |         1                  |                            |

| General (1)        |         1                  |         1(local)           |

| LACP (2)           |         1                  |         1(local)           |

| CH Monitor (3)     |         1                  |         1(local)           |

| DR Manager (4)     |         1                  |                            |

| UIPC (5)           |         1                  |         1(local)           |

| Alert (6)          |         1                  |                            |

--------------------------------------------------------------------------------

2_02:

--------------------------------------------------------------------------------

| Task (Task ID)     |        Chassis 1           |        Chassis 2           |

--------------------------------------------------------------------------------

| SMO (0)            |         1                  |                            |

| General (1)        |         1                  |         1                  |

| LACP (2)           |         1                  |         1                  |

| CH Monitor (3)     |         1                  |         1                  |

| DR Manager (4)     |         1                  |                            |

| UIPC (5)           |         1                  |         1                  |

| Alert (6)          |         1                  |                            |

--------------------------------------------------------------------------------

[Expert@MyChassis-ch0x-0x:0]#

Installing and Uninstalling Policies

Installing a Policy

To install a policy on the Security Group, click Install Policy in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

The policy installation process includes these steps:

The Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. installs the policy on the SMO Master.
The SMO Master copies the policy to all Security Group Members in the Security Group.
Each Security Group Member in the Security Group installs the policy locally.

During the policy installation, each Security Group Member sends and receives policy status updates to and from the other Security Group Members in the Security Group. This is because the Security Group Members must install their policies in a synchronized manner.

Note - When you create a Security Group, its Security Group Members enforce an initial policy that allows only the implied rules necessary for management.

Uninstalling a Policy

Note - You cannot uninstall policies from a Security Group in SmartConsole.

Step

Instructions

Connect over a serial port to the SMO in the Security Group.

Log in to the Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group..

Uninstall the policy:

asg policy unload

Working with Policies (asg policy)

Description

Use the "asg policy" command in Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gClish or the Expert mode to perform policy-related actions.

Syntax

asg policy -h

asg policy {verify | verify_amw} [-vs <VS IDs>] [-a] [-v]

asg policy unload [--disable_pnotes] [-a]

asg policy unload --ip_forward

Best Practice - Run these commands over a serial connection to Security Group Members in the Security Group.

Parameters

Parameter

Description

-h

Shows the built-in help.

verify

Confirms that the correct policies are installed on all Security Group Members in the Security Group.

verify_amw

Confirms that the correct Anti-Malware policies are installed on all Security Group Members in the Security Group.

unload

Uninstalls the policy from all Security Group Members in the Security Group.

-vs <VS IDs>

Applies to Virtual Systems as specified by the <VS IDs>.

<VS IDs> can be:

No <VS IDs> specified (default) - Applies to the context of the current Virtual System
One Virtual System
A comma-separated list of Virtual Systems (for example, 1,2,4,5)
A range of Virtual Systems (for example, 3-5)
all - Shows all Virtual Systems

This parameter is only applicable in a VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. environment.

-v

Shows detailed verification results for Security Group Members.

-a

Runs the verification on Security Group Members in both UP and DOWN states.

--disable_pnotes

Security Group Members stay in the UP state without an installed policy.

Important - If you omit this option, Security Group Members go into the DOWN state until the policy is installed again!

--ip_forward

Enables IP forwarding.

Examples

Example 2 - Detailed verification results for for each Virtual System on Security Group Members

[Expert@MyChassis-ch0x-0x:0]# asg policy verify -vs all -v

+------------------------------------------------------------------------------+
|Policy Verification                                          |
+-------+-------+-------------------+---------------+-----------------+--------+
|VS     |SGM    |Policy Name        |Policy Date    |Policy Signature |Status  |
+-------+-------+-------------------+---------------+-----------------+--------+
|0      |1_01   |Standard           |27Feb19 08:56  |996eee5e6        |Success |
|       |1_03   |Standard           |27Feb19 08:56  |996eee5e6        |Success |
|       |1_04   |Standard           |27Feb19 08:56  |996eee5e6        |Success |
|       |1_05   |Standard           |27Feb19 08:56  |996eee5e6        |Success |
|       |1_06   |Standard           |27Feb19 08:56  |996eee5e6        |Success |
|       |1_11   |Standard           |27Feb19 08:56  |996eee5e6        |Success |
|       |1_12   |Standard           |27Feb19 08:56  |996eee5e6        |Success |
+-------+-------+-------------------+---------------+-----------------+--------+
|1      |1_01   |Standard           |27Nov12 13:03  |836fa2ec1        |Success |
|       |1_03   |Standard           |27Nov12 13:03  |836fa2ec1        |Success |
|       |1_04   |Standard           |27Nov12 13:03  |836fa2ec1        |Success |
|       |1_05   |Standard           |27Nov12 13:03  |836fa2ec1        |Success |
|       |1_06   |Standard           |27Nov12 13:03  |836fa2ec1        |Success |
|       |1_11   |Standard           |27Nov12 13:03  |836fa2ec1        |Success |
|       |1_12   |Standard           |27Nov12 13:03  |836fa2ec1        |Success |
+-------+-------+-------------------+---------------+-----------------+--------+
|2      |1_01   |Standard           |27Feb19 08:56  |10eef9ced        |Success |
|       |1_03   |Standard           |27Feb19 08:56  |10eef9ced        |Success |
|       |1_04   |Standard           |27Feb19 08:56  |10eef9ced        |Success |
|       |1_05   |Standard           |27Feb19 08:56  |10eef9ced        |Success |
|       |1_06   |Standard           |27Feb19 08:56  |10eef9ced        |Success |
|       |1_11   |Standard           |27Feb19 08:56  |10eef9ced        |Success |
|       |1_12   |Standard           |27Feb19 08:56  |10eef9ced        |Success |

+-------+-------+-------------------+---------------+-----------------+--------+

+------------------------------------------------------------------------------+
|Summary                                                                       |
+------------------------------------------------------------------------------+
|Policy Verification completed successfully                                    |
+------------------------------------------------------------------------------+
[Expert@MyChassis-ch0x-0x:0]#