Single Management Object and Policies

Single Management Object

Single Management Object (SMO) is a Check Point technology that manages the Security Group as one large Security Gateway with one management IP address.

One Security Group Member, the SMO Master, handles all management tasks, such as Security Gateway configuration, policy installation, remote connections, and logging

are handled. The SMO Master updates all other Security Group Members.

The Active Security Group Member with the lowest ID number is automatically assigned to be the SMO.

Use the "asg stat -i tasks" command to identify the SMO and see how tasks are distributed on the Security Group Members (see asg stat).

The SMO task runs on the Security Group Member #1, on which you ran this command (see the string "(local)").

[Expert@HostName-ch0x-0x:0]# asg stat -i tasks
--------------------------------------------------------------------------------
| Task (Task ID)    |                       Chassis 1                          |
--------------------------------------------------------------------------------
| SMO (0)           |                        1(local)                          |
| General (1)       |                        1(local)                          |
| LACP (2)          |                        1(local)                          |
| CH Monitor (3)    |                        1(local)                          |
| DR Manager (4)    |                        1(local)                          |
| UIPC (5)          |                        1(local)                          |
| Alert (6)         |                        1(local)                          |
--------------------------------------------------------------------------------
[Expert@HostName-ch0x-0x:0]#

The SMO task runs on Site #2 - on the Security Group Member #3, on which you ran this command (see the string "(local)").

[Expert@HostName-ch0x-0x:0]# asg stat -i tasks
--------------------------------------------------------------------------------
| Task (Task ID)     |        Chassis 1           |        Chassis 2           |
--------------------------------------------------------------------------------
| SMO (0)            |                            |         3(local)           |
| General (1)        |         2                  |         3(local)           |
| LACP (2)           |         2                  |         3(local)           |
| CH Monitor (3)     |         2                  |         3(local)           |
| DR Manager (4)     |                            |         3(local)           |
| UIPC (5)           |         2                  |         3(local)           |
| Alert (6)          |                            |         3(local)           |
--------------------------------------------------------------------------------
[Expert@HostName-ch0x-0x:0]#
[Expert@HostName-ch0x-0x:0]# member 2_4
Moving to member 2_4
... ...
[Expert@HostName-ch0x-0x:0]# asg stat -i tasks
--------------------------------------------------------------------------------
| Task (Task ID)     |        Chassis 1           |        Chassis 2           |
--------------------------------------------------------------------------------
| SMO (0)            |                            |         3                  |
| General (1)        |         2                  |         3                  |
| LACP (2)           |         2                  |         3                  |
| CH Monitor (3)     |         2                  |         3                  |
| DR Manager (4)     |                            |         3                  |
| UIPC (5)           |         2                  |         3                  |
| Alert (6)          |                            |         3                  |
--------------------------------------------------------------------------------
[Expert@HostName-ch0x-0x:0]#

Example output from all Security Group Members (in our example, there are two on each Site):

[Expert@HostName-ch0x-0x:0]# g_all asg stat -i tasks
1_01:
--------------------------------------------------------------------------------
| Task (Task ID)     |        Chassis 1           |        Chassis 2           |
--------------------------------------------------------------------------------
| SMO (0)            |         1(local)           |                            |
| General (1)        |         1(local)           |         1                  |
| LACP (2)           |         1(local)           |         1                  |
| CH Monitor (3)     |         1(local)           |         1                  |
| DR Manager (4)     |         1(local)           |                            |
| UIPC (5)           |         1(local)           |         1                  |
| Alert (6)          |         1(local)           |                            |
--------------------------------------------------------------------------------
 
1_02:
--------------------------------------------------------------------------------
| Task (Task ID)     |        Chassis 1           |        Chassis 2           |
--------------------------------------------------------------------------------
| SMO (0)            |         1                  |                            |
| General (1)        |         1                  |         1                  |
| LACP (2)           |         1                  |         1                  |
| CH Monitor (3)     |         1                  |         1                  |
| DR Manager (4)     |         1                  |                            |
| UIPC (5)           |         1                  |         1                  |
| Alert (6)          |         1                  |                            |
--------------------------------------------------------------------------------
 
2_01:
--------------------------------------------------------------------------------
| Task (Task ID)     |        Chassis 1           |        Chassis 2           |
--------------------------------------------------------------------------------
| SMO (0)            |         1                  |                            |
| General (1)        |         1                  |         1(local)           |
| LACP (2)           |         1                  |         1(local)           |
| CH Monitor (3)     |         1                  |         1(local)           |
| DR Manager (4)     |         1                  |                            |
| UIPC (5)           |         1                  |         1(local)           |
| Alert (6)          |         1                  |                            |
--------------------------------------------------------------------------------
 
2_02:
--------------------------------------------------------------------------------
| Task (Task ID)     |        Chassis 1           |        Chassis 2           |
--------------------------------------------------------------------------------
| SMO (0)            |         1                  |                            |
| General (1)        |         1                  |         1                  |
| LACP (2)           |         1                  |         1                  |
| CH Monitor (3)     |         1                  |         1                  |
| DR Manager (4)     |         1                  |                            |
| UIPC (5)           |         1                  |         1                  |
| Alert (6)          |         1                  |                            |
--------------------------------------------------------------------------------
[Expert@HostName-ch0x-0x:0]#

Installing and Uninstalling Policies

Installing a Policy

To install a policy on the Security Group, click Install Policy in SmartConsole.

The policy installation process includes these steps:

  1. The Management Server installs the policy on the SMO Master.

  2. The SMO Master copies the policy to all Security Group Members in the Security Group.

  3. Each Security Group Member in the Security Group installs the policy locally.

During the policy installation, each Security Group Member sends and receives policy status updates to and from the other Security Group Members in the Security Group. This is because the Security Group Members must install their policies in a synchronized manner.

Note - When you create a Security Group, its Security Group Members enforce an initial policy that allows only the implied rules necessary for management.

Uninstalling a Policy

Note - You cannot uninstall policies from a Security Group in SmartConsole.

Step

Instructions

1

Connect over a serial port to the SMO in the Security Group.

2

Log in to the Gaia gClish.

3

Uninstall the policy:

asg policy unload

Working with Policies (asg policy)

Description

Use the "asg policy" command in Gaia gClish or the Expert mode to perform policy-related actions.

Syntax

asg policy -h

asg policy {verify | verify_amw} [-vs <VS IDs>] [-a] [-v]

asg policy unload [--disable_pnotes] [-a]

asg policy unload --ip_forward

Best Practice - Run these commands over a serial connection to Security Group Members in the Security Group.

Parameters

Parameter

Description

-h

Shows the built-in help.

verify

Confirms that the correct policies are installed on all Security Group Members in the Security Group.

verify_amw

Confirms that the correct Anti-Malware policies are installed on all Security Group Members in the Security Group.

unload

Uninstalls the policy from all Security Group Members in the Security Group.

-vs <VS IDs>

Applies to the Legacy Virtual Systems as specified by the <VS IDs>.

<VS IDs> can be:

  • No <VS IDs> specified (default) - Applies to the context of the current Virtual System

  • One Virtual System

  • A comma-separated list of Virtual Systems (for example, 1,2,4,5)

  • A range of Virtual Systems (for example, 3-5)

  • all - Shows all Virtual Systems

This parameter is only applicable in a VSX environment.

-v

Shows detailed verification results for Security Group Members.

-a

Runs the verification on Security Group Members in both UP and DOWN states.

--disable_pnotes

Security Group Members stay in the state "UP" without an installed policy.

Important - If you omit this option, Security Group Members go into the DOWN state until the policy is installed again!

--ip_forward

Enables IP forwarding.

Examples

[Expert@HostName-ch0x-0x:0]# asg policy verify -v
+----------------------------------------------------------------------+
|Policy Verification                                                   |
+-------+-------------------+---------------+-----------------+--------+
|SGM    |Policy Name        |Policy Date    |Policy Signature |Status  |
+-------+-------------------+---------------+-----------------+--------+
|1_01   |Standard           |27Feb19 08:56  |e17c177f7        |Success |
+-------+-------------------+---------------+-----------------+--------+
|1_02   |Standard           |27Feb19 08:56  |e17c177f7        |Success |
+-------+-------------------+---------------+-----------------+--------+
 
+------------------------------------------------------------------------------+
|Summary                                                                       |
+------------------------------------------------------------------------------+
|Policy Verification completed successfully                                    |
+------------------------------------------------------------------------------+
[Expert@HostName-ch0x-0x:0]#
 
[Expert@HostName-ch0x-0x:0]# asg policy verify -vs all -v
+------------------------------------------------------------------------------+
|Policy Verification                                          |
+-------+-------+-------------------+---------------+-----------------+--------+
|VS     |SGM    |Policy Name        |Policy Date    |Policy Signature |Status  |
+-------+-------+-------------------+---------------+-----------------+--------+
|0      |1_01   |Standard           |27Feb19 08:56  |996eee5e6        |Success |
|       |1_03   |Standard           |27Feb19 08:56  |996eee5e6        |Success |
|       |1_04   |Standard           |27Feb19 08:56  |996eee5e6        |Success |
|       |1_05   |Standard           |27Feb19 08:56  |996eee5e6        |Success |
|       |1_06   |Standard           |27Feb19 08:56  |996eee5e6        |Success |
|       |1_11   |Standard           |27Feb19 08:56  |996eee5e6        |Success |
|       |1_12   |Standard           |27Feb19 08:56  |996eee5e6        |Success |
+-------+-------+-------------------+---------------+-----------------+--------+
|1      |1_01   |Standard           |27Nov12 13:03  |836fa2ec1        |Success |
|       |1_03   |Standard           |27Nov12 13:03  |836fa2ec1        |Success |
|       |1_04   |Standard           |27Nov12 13:03  |836fa2ec1        |Success |
|       |1_05   |Standard           |27Nov12 13:03  |836fa2ec1        |Success |
|       |1_06   |Standard           |27Nov12 13:03  |836fa2ec1        |Success |
|       |1_11   |Standard           |27Nov12 13:03  |836fa2ec1        |Success |
|       |1_12   |Standard           |27Nov12 13:03  |836fa2ec1        |Success |
+-------+-------+-------------------+---------------+-----------------+--------+
|2      |1_01   |Standard           |27Feb19 08:56  |10eef9ced        |Success |
|       |1_03   |Standard           |27Feb19 08:56  |10eef9ced        |Success |
|       |1_04   |Standard           |27Feb19 08:56  |10eef9ced        |Success |
|       |1_05   |Standard           |27Feb19 08:56  |10eef9ced        |Success |
|       |1_06   |Standard           |27Feb19 08:56  |10eef9ced        |Success |
|       |1_11   |Standard           |27Feb19 08:56  |10eef9ced        |Success |
|       |1_12   |Standard           |27Feb19 08:56  |10eef9ced        |Success |
+-------+-------+-------------------+---------------+-----------------+--------+

+------------------------------------------------------------------------------+
|Summary                                                                       |
+------------------------------------------------------------------------------+
|Policy Verification completed successfully                                    |
+------------------------------------------------------------------------------+
[Expert@HostName-ch0x-0x:0]#
 
[Expert@HostName-ch0x-0x:0]# asg policy unload
You are about to perform unload policy on blades: all
All SGMs will be in DOWN state, beside local SGM. It is recommended to run the procedure
via serial connection
 
Are you sure? (Y - yes, any other key - no) y
 
Unload policy requires auditing
Enter your full name: John Doe
Enter reason for unload policy [Maintenance]:
WARNING: Unload policy on blades: all, User: John Doe, Reason: Maintenance
+-------------------------------+
|Unload policy                  |
+---------------+---------------+
|SGM            |Status         |
+---------------+---------------+
|1_3            |Success        |
+---------------+---------------+
|1_2            |Success        |
+---------------+---------------+
|1_1            |Success        |
+---------------+---------------+
|2_3            |Success        |
+---------------+---------------+
|2_2            |Success        |
+---------------+---------------+
|2_1            |Success        |
+---------------+---------------+
 
+------------------------------------------------------------------------------+
|Summary                                                                       |
+------------------------------------------------------------------------------+
|Unload policy completed successfully                                          |
+------------------------------------------------------------------------------+
[Expert@HostName-ch0x-0x:0]#