Single Management Object and Policies

Single Management Object

Single Management Object (SMO) is a Check Point technology that manages the Security Group as one large Security Gateway with one management IP address.

One Security Group Member, the SMO Master, handles all management tasks, such as Security Gateway configuration, policy installation, remote connections, and logging

are handled. The SMO Master updates all other Security Group Members.

The Active Security Group Member with the lowest ID number is automatically assigned to be the SMO.

Use the "asg stat -i tasks" command to identify the SMO and see how tasks are distributed on the Security Group Members (see asg stat).

The SMO task runs on the Security Group Member #1, on which you ran this command (see the string "(local)").

[Expert@SG-s01-01:0]# asg stat -i tasks
--------------------------------------------------------------------------------
| Task (Task ID)    |                       Chassis 1                          |
--------------------------------------------------------------------------------
| SMO (0)           |                        1(local)                          |
| General (1)       |                        1(local)                          |
| LACP (2)          |                        1(local)                          |
| CH Monitor (3)    |                        1(local)                          |
| DR Manager (4)    |                        1(local)                          |
| UIPC (5)          |                        1(local)                          |
| Alert (6)         |                        1(local)                          |
--------------------------------------------------------------------------------
[Expert@SG-s01-01:0]#

The SMO task runs on Site #2 - on the Security Group Member #3, on which you ran this command (see the string "(local)").

[Expert@SG-s01-01:0]# asg stat -i tasks
--------------------------------------------------------------------------------
| Task (Task ID)     |        Chassis 1           |        Chassis 2           |
--------------------------------------------------------------------------------
| SMO (0)            |                            |         3(local)           |
| General (1)        |         2                  |         3(local)           |
| LACP (2)           |         2                  |         3(local)           |
| CH Monitor (3)     |         2                  |         3(local)           |
| DR Manager (4)     |                            |         3(local)           |
| UIPC (5)           |         2                  |         3(local)           |
| Alert (6)          |                            |         3(local)           |
--------------------------------------------------------------------------------
[Expert@SG-s01-01:0]#
[Expert@SG-s01-01:0]# member 2_4
Moving to member 2_4
... ...
[Expert@SG-s01-01:0]# asg stat -i tasks
--------------------------------------------------------------------------------
| Task (Task ID)     |        Chassis 1           |        Chassis 2           |
--------------------------------------------------------------------------------
| SMO (0)            |                            |         3                  |
| General (1)        |         2                  |         3                  |
| LACP (2)           |         2                  |         3                  |
| CH Monitor (3)     |         2                  |         3                  |
| DR Manager (4)     |                            |         3                  |
| UIPC (5)           |         2                  |         3                  |
| Alert (6)          |                            |         3                  |
--------------------------------------------------------------------------------
[Expert@SG-s01-01:0]#

Example output from all Security Group Members (in our example, there are two on each Site):

[Expert@SG-s01-01:0]# g_all asg stat -i tasks
1_01:
--------------------------------------------------------------------------------
| Task (Task ID)     |        Chassis 1           |        Chassis 2           |
--------------------------------------------------------------------------------
| SMO (0)            |         1(local)           |                            |
| General (1)        |         1(local)           |         1                  |
| LACP (2)           |         1(local)           |         1                  |
| CH Monitor (3)     |         1(local)           |         1                  |
| DR Manager (4)     |         1(local)           |                            |
| UIPC (5)           |         1(local)           |         1                  |
| Alert (6)          |         1(local)           |                            |
--------------------------------------------------------------------------------

1_02:
--------------------------------------------------------------------------------
| Task (Task ID)     |        Chassis 1           |        Chassis 2           |
--------------------------------------------------------------------------------
| SMO (0)            |         1                  |                            |
| General (1)        |         1                  |         1                  |
| LACP (2)           |         1                  |         1                  |
| CH Monitor (3)     |         1                  |         1                  |
| DR Manager (4)     |         1                  |                            |
| UIPC (5)           |         1                  |         1                  |
| Alert (6)          |         1                  |                            |
--------------------------------------------------------------------------------

2_01:
--------------------------------------------------------------------------------
| Task (Task ID)     |        Chassis 1           |        Chassis 2           |
--------------------------------------------------------------------------------
| SMO (0)            |         1                  |                            |
| General (1)        |         1                  |         1(local)           |
| LACP (2)           |         1                  |         1(local)           |
| CH Monitor (3)     |         1                  |         1(local)           |
| DR Manager (4)     |         1                  |                            |
| UIPC (5)           |         1                  |         1(local)           |
| Alert (6)          |         1                  |                            |
--------------------------------------------------------------------------------

2_02:
--------------------------------------------------------------------------------
| Task (Task ID)     |        Chassis 1           |        Chassis 2           |
--------------------------------------------------------------------------------
| SMO (0)            |         1                  |                            |
| General (1)        |         1                  |         1                  |
| LACP (2)           |         1                  |         1                  |
| CH Monitor (3)     |         1                  |         1                  |
| DR Manager (4)     |         1                  |                            |
| UIPC (5)           |         1                  |         1                  |
| Alert (6)          |         1                  |                            |
--------------------------------------------------------------------------------
[Expert@SG-s01-01:0]#

Installing and Uninstalling Policies

Installing a Policy

To install a policy on the Security Group, click Install Policy in SmartConsole.

The policy installation process includes these steps:

  1. The Management Server installs the policy on the SMO Master.

  2. The SMO Master copies the policy to all Security Group Members in the Security Group.

  3. Each Security Group Member in the Security Group installs the policy locally.

During the policy installation, each Security Group Member sends and receives policy status updates to and from the other Security Group Members in the Security Group. This is because the Security Group Members must install their policies in a synchronized manner.

Note - When you create a Security Group, its Security Group Members enforce an initial policy that allows only the implied rules necessary for management.

Uninstalling a Policy

Note - You cannot uninstall policies from a Security Group in SmartConsole.

Step

Instructions

1

Connect over a serial port to the SMO in the Security Group.

2

Log in to the Gaia gClish.

3

Uninstall the policy:

asg policy unload

Working with Policies in CLI

See asg_policy.