Preparing the Security Gateway, each Cluster Member, Security Group

Step 1 - Select a designated physical interface for Mirror and Decrypt on the Security Gateway / each Cluster Member / Scalable Platform Security Group.

Important - On cluster members, you must select an interface with the same name (for example, eth3 on each cluster member).

Step 2 - Configure a dummy IP address on this designated physical interface.

Important - This IP address must not collide with any other IP address used in your environment, and it must not belong to any subnet used in your environment. Make sure to configure the correct subnet mask. After you enable traffic mirroring on this interface in SmartConsole, all other traffic that is routed to this interface is dropped.

For instructions about configuring an IP address on a physical interface, see the R82 Gaia Administration Guide - Chapter Network Management - Section Network Interfaces - Section Physical Interfaces.

Step 3 - Configure the required Maximum Transmission Unit (MTU) on this designated physical interface.

The MTU must be either the default 1500, or at least the maximum MTU value configured on the other interfaces of the Security Gateway / Cluster Member / Security Group.

For instructions about configuring an MTU on a physical interface, see the R82 Gaia Administration Guide - Chapter Network Management - Section Network Interfaces - Section Physical Interfaces.

Step 4 - Important - On cluster members, you must configure this designated physical interface in the $FWDIR/conf/discntd.if file on each Cluster Member.

  1. Connect to the command line on each Cluster Member.

  2. Log in to the Expert mode.

  3. Create the $FWDIR/conf/discntd.if file:

    touch $FWDIR/conf/discntd.if

  4. Edit the $FWDIR/conf/discntd.if file in the Vi editor:

    vi $FWDIR/conf/discntd.if

  5. Write the name of the designated physical interface (for example, eth3). You must press Enter after the interface name so that the line is terminated.

    Note - Comments are not allowed in this file.

  6. Save the changes in the file and exit the editor.

Note - To apply the configuration from the file and make it persistent, install an Access Control Policy on the cluster object. You install the Access Control Policy later, after the required configuration steps in the SmartConsole.
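Added example (not from the Check Point guide): a POSIX shell helper that applies the MTU rule from Step 3 and writes and verifies the discntd.if entry from Step 4. The file path and interface name are parameters so it runs anywhere; on a real Cluster Member you would pass "$FWDIR/conf/discntd.if" as the file.

```shell
#!/bin/sh
# Added example (not Check Point's code): helpers for Steps 3 and 4 above.
# The file path and interface names are parameters so this runs offline;
# on a Cluster Member pass "$FWDIR/conf/discntd.if" as FILE.

# mtu_ok DESIGNATED_MTU OTHER_MTU...
# Step 3 rule: the designated interface keeps the default 1500, or its MTU
# is at least the largest MTU configured on any other interface.
mtu_ok() {
    mtu=$1; shift
    [ "$mtu" -eq 1500 ] && return 0
    for other in "$@"; do
        [ "$mtu" -ge "$other" ] || return 1
    done
    return 0
}

# write_discntd_if FILE IFNAME
# Writes the interface name terminated by a newline (the "press Enter" step).
write_discntd_if() {
    printf '%s\n' "$2" > "$1"
}

# check_discntd_if FILE IFNAME
# Returns 0 when the file exists, ends with a newline, has no comment lines,
# contains only interface names, and lists IFNAME exactly once.
check_discntd_if() {
    file=$1 ifname=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    if [ -n "$(tail -c 1 "$file")" ]; then
        echo "last line of $file is not terminated by a newline"; return 1
    fi
    if grep -q '^[[:space:]]*#' "$file"; then
        echo "comments are not allowed in $file"; return 1
    fi
    if grep -vq '^[A-Za-z][A-Za-z0-9._:-]*$' "$file"; then
        echo "unexpected line in $file"; return 1
    fi
    [ "$(grep -cxF "$ifname" "$file")" -eq 1 ] || {
        echo "$ifname must appear exactly once in $file"; return 1; }
}
```

Run check_discntd_if on every Cluster Member before installing the Access Control Policy, since a missing trailing newline or a stray comment is easy to miss in vi.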