Creating Security Policies for VPNs

To create a VPN tunnel from a SmartLSM Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. to a CO gateway, create a Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. for this encrypted traffic. As in the basic Security Policy (see Guidelines for Basic SmartLSM Security Policies), use Dynamic Objects. This localizes the policy for each SmartLSM Security Gateway that references the SmartLSM Security Profile.

To create a VPN Security Policy for a SmartLSM Security Profile:

  1. Define a Star VPN Community.

    Configure all the relevant authentication and encryption properties for it. To learn more, see the R81 Site to Site VPN Administration Guide.

  2. Add the CO gateway as a Central Gateway.

    Make sure the CO gateway is configured with a static IP address.

  3. Add the SmartLSM Security Profile that represents the SmartLSM Security Gateways as a Satellite Gateway.

  4. Add rules that allow relevant VPN traffic.

Telnet Through VPN Traffic RuleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.. This rule allows encrypted telnet traffic that matches the community criteria.

Source

Destination

Service

VPN

Action

Install On

Any

Any

Any

Telnet

Community

Accept

Any

Any

  1. Add a rule to allow Push actions from SmartProvisioningClosed Check Point Software Blade on a Management Server (the actual name is "Provisioning") that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: Large-Scale Management, SmartLSM, LSM.: allow FW1_CPRID service from the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or the Domain Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. to LocalMachine.

  2. Install the Security Policy on the SmartLSM Security Profile object.

  3. Update the CO gateway with the new or changed SmartLSM Security Profiles. In SmartProvisioning, click Update Corporate Office Gateway.