Configuring Provisioning Profile Settings
Each Provisioning Profile holds settings that are provisioned onto the gateways assigned to this profile. This section describes the general properties of a Provisioning Profile and the configurations that are common to all devices.
For each set of configurations managed with a Provisioning Profile, you can decide which settings have preference: local (not provisioned) or central (from SmartProvisioning individual management or from Provisioning Profile).

- In the Profiles List, right-click a profile and select Edit Provisioning Profile.
- In the Profile window, click any category tab (other than General).
- Select management settings for gateways that reference the profile:
  - Manage settings locally on the device: Each gateway that references this profile has its own settings, configured locally (not on SmartProvisioning). These settings cannot be overwritten by changes to the Provisioning Profile or to the SmartProvisioning gateway object. If you select this option, the Gateway window shows: settings are defined to be managed locally on the device.
  - Manage settings centrally from this application: Each gateway that references this profile gets its configuration for this setting from the Provisioning Profile or from the SmartProvisioning gateway object.
- If you selected to manage settings centrally, click Advanced.
  The Profile Settings window opens.
- Select an option for Overriding profile settings on device level is:
  - Allowed - You can override the profile settings with device-local settings, or with changes to these settings in the SmartProvisioning device window. You can also leave the profile settings as they are.
  - Denied - Each gateway takes the settings from the profile, with no option to override the profile settings.
  - Mandatory - Each gateway is managed without a Provisioning Profile.
- Click OK.

This table maps the profile settings selections to the Gateway window options:

Profile managed | Profile Override | Gateway Window Display and options |
---|---|---|
Locally | Not relevant | Settings are defined to be managed locally on the device. (controls are unavailable) |
Centrally | Override denied | Overriding profile settings is denied. |
Centrally | Override allowed | Select override method: |
Centrally | Override mandatory | Overriding profile settings is mandatory: configure settings here. To change this, refer to Provisioning Profile profile_name (Each gateway is configured separately) |

For example, you set Hosts configuration to Central and Allowed. The Hosts tab on the gateway then lets you manage the Host List of the gateway in one of these ways:
- Define the Host List locally on the device (even if it has an assigned Provisioning Profile)
- Provision the gateway with the Host List of the Provisioning Profile
- Define a New Host List (in the Gateway window) that overrides the Provisioning Profile on this gateway

Warning - If you select Use the following settings and do not enter values for a specified topic, the current settings on the device are deleted.
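
The precedence in the table above and the empty-value case from the warning, modelled as an added example (not Check Point code and not a SmartProvisioning API). The enum names, `resolve`, `audit` and the sample gateways are hypothetical, and the model assumes that Mandatory behaves like Use the following settings.

```python
from enum import Enum

Managed = Enum("Managed", "LOCALLY CENTRALLY")
Override = Enum("Override", "DENIED ALLOWED MANDATORY")
# Gateway-level choices, modelled on the three Hosts options listed on this page.
Method = Enum("Method", "LOCAL_ON_DEVICE USE_PROFILE USE_FOLLOWING")

def resolve(managed, override, method, profile_hosts, gateway_hosts):
    """Return (source, hosts, warning). hosts is None when nothing is provisioned."""
    if managed is Managed.LOCALLY:
        return "device", None, None            # Gateway window controls unavailable
    if override is Override.DENIED:
        return "profile", profile_hosts, None  # gateway-level choice is ignored
    if override is Override.MANDATORY:
        method = Method.USE_FOLLOWING          # assumption: "configure settings here"
    if method is Method.LOCAL_ON_DEVICE:
        return "device", None, None
    if method is Method.USE_PROFILE:
        return "profile", profile_hosts, None
    # USE_FOLLOWING: the values entered in the Gateway window are provisioned.
    warning = None
    if not gateway_hosts:
        warning = "no values entered: current settings on the device are deleted"
    return "gateway", list(gateway_hosts or []), warning

def audit(profile, gateways):
    """Names of gateways whose next provisioning would delete device settings."""
    flagged = []
    for gw in gateways:
        _, _, warning = resolve(profile["managed"], profile["override"],
                                gw["method"], profile["hosts"], gw["hosts"])
        if warning:
            flagged.append(gw["name"])
    return flagged

# Constructed sample data (hypothetical names and addresses).
PROFILE = {"managed": Managed.CENTRALLY, "override": Override.ALLOWED,
           "hosts": [("192.0.2.10", "ntp1")]}
GATEWAYS = [
    {"name": "gw-branch-01", "method": Method.USE_PROFILE, "hosts": []},
    {"name": "gw-branch-02", "method": Method.USE_FOLLOWING,
     "hosts": [("192.0.2.20", "syslog")]},
    {"name": "gw-branch-03", "method": Method.USE_FOLLOWING, "hosts": []},
    {"name": "gw-branch-04", "method": Method.LOCAL_ON_DEVICE, "hosts": []},
]

if __name__ == "__main__":
    print(audit(PROFILE, GATEWAYS))
```
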

Right-click a Provisioning Profile and select Edit Provisioning Profile.
The Security Gateway Provisioning Profile window opens, depending on the operating system for which you created the profile. The General tab is a read-only view of the profile name and OS. You cannot change these profile properties after the profile is created.
The operating system of a Provisioning Profile determines which gateways you can assign to the profile.