Use Case
This chapter describes an example scenario of a multiple-gateway environment run by SmartProvisioning: the Check Point Software Blade on a Management Server (its actual name is "Provisioning"; synonyms: Large-Scale Management, SmartLSM, LSM) that manages large-scale deployments of Check Point Security Gateways using configuration profiles. This use case leads you through all the steps you must take to configure a SmartProvisioning environment. Note that this is an example scenario only, which fits one particular environment. You can use SmartProvisioning to create whatever type of deployment best fits your own environment.
Use Case Scenario
A Bank has 1,000 ATMs and 300 branches deployed in a certain country.
- Each ATM is protected by a 1100 appliance gateway.
- Each branch is protected by a 3200 appliance gateway.
The Bank administrator can define security profiles and provisioning profiles to manage the gateways efficiently.
Deployment Considerations

The Bank's ATMs transfer information to a main processing server. The route that needs to be secured is the route of each ATM to the ATM processing server. The needs of a branch are different. Each branch needs to transfer information to certain departments in the Bank's headquarters, like the Human Resources department, the Finance department and so on. Each branch also needs an external internet connection.
The ATM gateways and the branch gateways therefore must have different Security Policies (a Security Policy is the collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources, with packet inspection). The Bank administrator must create two separate Security Profiles, one for the ATM gateways and one for the branch gateways.
VPN
All gateways, both the 1100 and the 3200 appliances, send their traffic to the main Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) at the Bank's headquarters. To make sure that the connection between the gateways and the main Security Gateway is secure, create a VPN community for the Bank's gateways. The VPN Community must be a Star Community. A Star VPN Community is a "hub and spoke" community, in which a central Security Gateway (the hub) creates tunnels only with the satellites (the spokes). In our example, define the Bank Headquarters gateway as the Corporate Office (CO) Security Gateway, and define the ATM Security Profile and the Branch Security Profile as the satellites.
Number of Provisioning Profiles
The number of Provisioning Profiles to create depends on many factors. For example:
- Type of device - A Provisioning Profile can support only one type of device.
- Geography - You can create a different Provisioning Profile for each geographic area. This way, the gateways get a faster response from the servers defined in the Provisioning Profile, such as the DNS or RADIUS servers.
- Load on servers - To balance the load on the servers defined in the Provisioning Profile, such as the Host, DNS server, RADIUS server, or backup server, you can create multiple Provisioning Profiles. In each Provisioning Profile, define a different server for DNS, RADIUS, and so on.
Therefore, create a separate Provisioning Profile for each set of gateways. In our example, because each Provisioning Profile supports only one type of device, that means two Provisioning Profiles: one for the 1100 appliances that protect the ATMs and one for the 3200 appliances that protect the branches.
Workflow for Creating the SmartProvisioning Environment

- Enable SmartProvisioning support on the Security Management Server (the dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server).
- Enable SmartProvisioning support on all the Gaia Security Gateways that you want to manage with SmartProvisioning (Gaia is the Check Point security operating system that combines the strengths of both the SecurePlatform and IPSO operating systems).
- Enable SmartProvisioning on the CO gateway.
- Create a Security Profile for the gateways that protect the ATMs.
- Create a Security Profile for the gateways that protect the branches.
- Create a Star VPN Community.
- Create Provisioning Profiles for the gateways that protect the ATMs.
- Create Provisioning Profiles for the gateways that protect the branches.
Use Case Configuration


Obtain a license for SmartProvisioning, and add the license to the Security Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) or to the Domain Management Server, with cpconfig or with SmartUpdate (the legacy Check Point GUI client used to manage licenses and contracts in a Check Point environment). You can also use the cplic command to add the license.

- On the Security Management Server, from the CLI, run these commands in the Expert mode:
LSMenabler -r on
cpstop
cpstart
- Run:
cpconfig
- Go to ROBO Interfaces and define an External interface.
Note - This procedure is not required for Small Office Appliances.

On the Check Point Security Gateway, execute this command in the Expert mode:
LSMenabler on
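The two enablement procedures above (LSMenabler -r on followed by cpstop and cpstart on the Security Management Server, and LSMenabler on on a Security Gateway) are easy to run on the wrong host, and cpstop on the management server interrupts every SmartConsole session and policy install until cpstart completes. The script below is an added example, not part of this guide and not Check Point's own tooling: it wraps the command sequence for each role behind prerequisite checks (root shell, the Check Point environment loaded, LSMenabler on PATH) and a dry-run mode. It assumes Expert mode on Gaia, where FWDIR is exported and LSMenabler, cpstop and cpstart are on PATH; the function names, the role arguments and the DRY_RUN variable are the example's own.

```shell
#!/bin/bash
# enable_smartprovisioning.sh - wrapper for the LSMenabler steps above.
# Added example, not Check Point's own script. Assumes Expert mode (root)
# on a Gaia host where LSMenabler, cpstop and cpstart are on PATH and FWDIR
# is exported by the product environment.
# Usage: enable_smartprovisioning.sh management|gateway
# Set DRY_RUN=1 to print the commands instead of executing them.

set -eu

# Return the exact command sequence for a role, one command per line.
lsm_commands() {
    case "$1" in
        management)
            # "-r on" enables SmartProvisioning support on the Security
            # Management Server; the management processes are then restarted.
            printf '%s\n' "LSMenabler -r on" "cpstop" "cpstart"
            ;;
        gateway)
            # On a Security Gateway only the enabler itself is needed.
            printf '%s\n' "LSMenabler on"
            ;;
        *)
            return 1
            ;;
    esac
}

# Return 0 when the shell looks like Expert mode on a Check Point host:
# root uid, FWDIR exported by the product environment, enabler on PATH.
check_prereqs() {
    [ "$(id -u)" -eq 0 ] || { echo "run from Expert mode (root)" >&2; return 1; }
    [ -n "${FWDIR:-}" ] || { echo "FWDIR not set: Check Point environment not loaded" >&2; return 1; }
    command -v LSMenabler >/dev/null 2>&1 || { echo "LSMenabler not found on PATH" >&2; return 1; }
}

# Print (DRY_RUN=1) or execute the sequence for the given role.
run_role() {
    role="$1"
    cmds="$(lsm_commands "$role")" || { echo "usage: $0 management|gateway" >&2; return 2; }
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$cmds"
        return 0
    fi
    check_prereqs || return 1
    # cpstop halts the Check Point processes: on the management server this
    # interrupts SmartConsole sessions and policy installs until cpstart.
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

# Only act when invoked directly with a role, so the file can also be sourced.
if [ "${1:-}" != "" ]; then
    run_role "$1"
fi
```

Run it as enable_smartprovisioning.sh management on the Security Management Server and enable_smartprovisioning.sh gateway on each Security Gateway. DRY_RUN=1 prints the sequence without executing it, which is a cheap way to confirm you are on the intended host before cpstop takes the management processes down.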

- In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), go to the main menu > Manage policies and layers > Policies > New, create a Security Policy and save it.
- Go to New Object > LSM Profile:
  - For the ATM gateways, select New Small Office Appliance Gateway.
  - For the branch gateways, select New Check Point Appliance/Open Server Gateway.
- In the SmartLSM Security Profile window, configure the settings for the SmartLSM Security Profile.
For the ATM Gateways, configure these settings:
  - In the General Properties tab, enable IPsec VPN.
  - In the Platform section > Hardware, select 1100 Appliances.
  - In the IPsec VPN tab, click Add to enter the VPN community in which the LSM Security Profile is a member.
  - Optional: In the Fetch Policy tab:
    - This page specifies the default Security Management Server from which the gateways fetch the policy. Click Add to enter a different Security Management Server.
    - In the Fetch policy from the Security Management Server section, there is a predefined schedule for fetching the policy. Click New to define a new schedule.
For the branch Gateways, configure these settings:
  - In the General Properties tab, enable IPsec VPN and IPS (the Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks: Intrusion Prevention System).
  - In the IPsec VPN tab, click Add to enter the VPN community in which the LSM Security Profile is a member.
  - Optional: In the Fetch Policy tab:
    - This page specifies the default Security Management Server from which the gateways fetch the policy. Click Add to enter a different Security Management Server. In a High Availability environment, click Add to add one or more Security Management Servers.
    - In the Fetch policy from the Security Management Server section, there is a predefined schedule for fetching the policy. Click New to define a new schedule.
- Click OK.
- Install the Security Policy on the SmartLSM Security Profile:
  - Click Install Policy.
  - Select the SmartLSM Security Profile object.
  - Click Install.
- In SmartProvisioning, add the SmartLSM Security Gateways (see Security Profiles for Check Point Appliance Security Gateways). In the Finish page, make sure you select I wish to create a VPN Certificate from the Internal CA.

- In SmartConsole, go to Security Policies > Access Control > Access Tools > VPN Communities.
- Click New > Star Community.
- In the Gateways tab:
  - Center Gateways: click the + sign and add the Headquarters gateway from the drop-down list.
  - Satellite Gateways: click the + sign to add the ATM gateways Security Profile, then click the + sign again to add the branch gateways Security Profile.
- In Security Policies > Access Control > Policy, create a Rule Base (all the rules configured in a given Security Policy; synonym: Rulebase) for the VPN Community.
- Install the Access Control Policy on the CO Gateway.
- Open SmartProvisioning, and in the toolbar click the Update Corporate Office Gateway button.

- In SmartProvisioning, double-click the Security Gateway.
- In the Topology tab, select All IP addresses behind the gateway based on interfaces information.
- In the Interfaces tab, select Manage Settings on the Device.

- Open SmartProvisioning.
- From the Launch menu, select File > New > Provisioning Profile. The New Provisioning Profile Wizard opens.
- Enter a name for the profile.
- From the Select Type drop-down list, select the platform or operating system that this profile supports:
  - For the ATM gateway profile, select Small Office Appliance.
  - For the branch gateway profile, select Gaia.
  Each Provisioning Profile can support only one operating system.
- Click Next.
- If you want to configure the settings of the Provisioning Profile now, select Edit Provisioning Profile properties after creation.
- Click Finish.

For each set of configurations managed with a Provisioning Profile, you can decide which settings take preference: local (not provisioned) or central (from the SmartProvisioning gateway object or from the Provisioning Profile).
- In the Profile window, click any category tab (other than General).
- Select Manage settings centrally from this application. Each gateway assigned to this profile gets its configuration for this setting from the Provisioning Profile or from the SmartProvisioning gateway object.
- Click Advanced. The Profile Settings window opens.
- Select Allowed. This means that you can override the profile settings with device-local settings, or with changes to these settings in the SmartProvisioning device window. You can also leave the profile settings as they are.
- Click OK.
- Configure the settings for each tab.
For a more detailed explanation of the configuration options, see Configuring Provisioning Profile Settings.