Creating Provisioning Profiles for Security Gateways
You can create Provisioning Profiles in SmartProvisioning, the Check Point Software Blade on a Management Server (its actual name is "Provisioning") that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: Large-Scale Management, SmartLSM, LSM. Each Provisioning Profile can automate the steps required to manage configurations of gateways that have the same operating system, hardware, and Check Point software version.
Before you begin this procedure, make sure that your administrator username has Write permissions for Provisioning Profiles (see Defining SmartProvisioning Administrators).

- In the tree in the main window, click Profiles.
  Profiles is shown in the work space.
- From the Launch Menu, select File > New > Provisioning Profile.
  The New Provisioning Profile Wizard opens.
- Enter a name for the profile.
- From the Select Type drop-down list, select the platform or operating system that this profile supports.
  Each Provisioning Profile can support only one operating system.
- Click Next.
- If you want to configure the settings of the Provisioning Profile now, select Edit Provisioning Profile properties after creation.
- Click Finish.
- Click Publish from the top toolbar.
Configuring Provisioning Profile Settings
A Provisioning Profile can provision any or all of the network configurations to the gateways. Each Provisioning Profile holds settings that are provisioned onto the gateways assigned to this profile. You can determine which settings are provisioned and which are set up locally.
For example, you can create a Provisioning Profile for a number of gateways that are in one branch office. They are on the same LAN, therefore you can provision their DNS servers with central management (configure once, set on all). However, this office has multiple domains, so you do not want the Provisioning Profile to determine their domain. You set the domain settings to local management.

- In the Profiles List, right-click a profile and select Edit Provisioning Profile.
- Configure DNS Settings
  - Select management settings for gateways that reference the profile:
    - Manage settings locally on the device: Each gateway that references this profile has its own settings, configured locally (not on SmartProvisioning). These settings cannot be overwritten by changes to the Provisioning Profile or to the SmartProvisioning gateway object. If you select this option, the Gateway window shows: settings are defined to be managed locally on the device.
    - Manage settings centrally from this application: Each gateway that references this profile gets its configuration for this setting from the Provisioning Profile or from the SmartProvisioning gateway object.
  - If you selected to manage settings centrally, click Advanced.
    The Profile Settings window opens.
  - Select an option for Overriding profile settings on device level is:
    - Allowed - You can override the profile settings with device-local settings, or with changes to these settings in the SmartProvisioning device window. You can also leave the profile settings as they are.
    - Denied - Each gateway takes the settings from the profile, with no option to override the profile settings.
    - Mandatory - Each gateway is managed without a Provisioning Profile.
  - Provide the IP address of the First, Second, and Third DNS servers of the network.
  - Click OK.
- Configure Hosts settings
  - Select management settings for gateways that reference the profile:
    - Manage settings locally on the device: Each gateway that references this profile has its own settings, configured locally (not on SmartProvisioning). These settings cannot be overwritten by changes to the Provisioning Profile or to the SmartProvisioning gateway object. If you select this option, the Gateway window shows: settings are defined to be managed locally on the device.
    - Manage settings centrally from this application: Each gateway that references this profile gets its configuration for this setting from the Provisioning Profile or from the SmartProvisioning gateway object.
      Best Practice - Central Host management is useful for gateways on the same LAN or network, such as Security Gateways with High Availability.
  - If you selected to manage settings centrally, click Advanced.
    The Profile Settings window opens.
  - Select an option for Overriding profile settings on device level is:
    - Allowed - You can override the profile settings with device-local settings, or with changes to these settings in the SmartProvisioning device window. You can also leave the profile settings as they are.
    - Denied - Each gateway takes the settings from the profile, with no option to override the profile settings.
    - Mandatory - Each gateway is managed without a Provisioning Profile.
  - Click New.
  - Enter the Host name and the IP address.
    Click OK to return to the Hosts tab.
  - Repeat for all required hosts.
    Every gateway assigned to this Provisioning Profile will receive this Host list.
- Configure Domain Name settings:
  - Select management settings for gateways that reference the profile:
    - Manage settings locally on the device: Each gateway that references this profile has its own settings, configured locally (not on SmartProvisioning). These settings cannot be overwritten by changes to the Provisioning Profile or to the SmartProvisioning gateway object. If you select this option, the Gateway window shows: settings are defined to be managed locally on the device.
    - Manage settings centrally from this application: Each gateway that references this profile gets its configuration for this setting from the Provisioning Profile or from the SmartProvisioning gateway object.
      Best Practice - Central Domain Name management is useful for gateways that share a domain. This way, you only have to configure it once for all the gateways.
  - If you selected to manage settings centrally, click Advanced.
    The Profile Settings window opens.
  - Select an option for Overriding profile settings on device level is:
    - Allowed - You can override the profile settings with device-local settings, or with changes to these settings in the SmartProvisioning device window. You can also leave the profile settings as they are.
    - Denied - Each gateway takes the settings from the profile, with no option to override the profile settings.
    - Mandatory - Each gateway is managed without a Provisioning Profile.
  - Click OK.
  - Enter the Domain Name.
  - Click OK.
- Configure Backup Settings (relevant for IP Appliances and UTM-1/Power-1/SecurePlatform gateways)
  - Select management settings for gateways that reference the profile:
    - Manage settings locally on the device: Each gateway that references this profile has its own settings, configured locally (not on SmartProvisioning). These settings cannot be overwritten by changes to the Provisioning Profile or to the SmartProvisioning gateway object. If you select this option, the Gateway window shows: settings are defined to be managed locally on the device.
    - Manage settings centrally from this application: Each gateway that references this profile gets its configuration for this setting from the Provisioning Profile or from the SmartProvisioning gateway object.
  - If you selected to manage settings centrally, click Advanced.
    The Profile Settings window opens.
  - Select an option for Overriding profile settings on device level is:
    - Allowed - You can override the profile settings with device-local settings, or with changes to these settings in the SmartProvisioning device window. You can also leave the profile settings as they are.
    - Denied - Each gateway takes the settings from the profile, with no option to override the profile settings.
    - Mandatory - Each gateway is managed without a Provisioning Profile.
  - Click OK.
  - Select Enable Backup.
  - In the Start at field, select the hour (on European 24-hour units) and minute for the backup to start.
  - Select the backup frequency:
    - Select the day of the month radio button and select a date.
    - Select the weekdays radio button and select the required day.
  - If you want the backup to include the log files, select Include Check Point products log files in the backup.
    Such backups are generally much larger than without the logs, so clear this checkbox if you do not need the logs. Log files are not relevant for IP Appliances, so clear this checkbox for IPSO-Based gateways.
    You can configure backup to be stored on a different machine than the SmartProvisioning server. This option is relevant only if all gateways which are assigned to this Provisioning Profile are on the same network, with access to the server which stores the backups.
  - If you want the backups to be saved on another server, click Backup Target.
    The Backup Target window opens.
  - Select the server type to hold the backups, or select Locally on Device, which enables each gateway of this profile to hold its own backup file.
  - Provide the IP address or Hostname of the selected server.
  - For SCP servers, also provide the Username and Password.
  - Click OK.
    Example for Backup schedule - If you want to make sure that all gateways are backed up with no downtime, you can create one Provisioning Profile that backs up primary gateways at midnight on the weekend and another Provisioning Profile that backs up secondary gateways at six in the morning on every fifth day of the month.
- This table maps the profile settings selections to the Gateway window options:

Profile managed | Profile Override | Gateway Window Display and options |
---|---|---|
Locally | Not relevant | Settings are defined to be managed locally on the device. (controls are unavailable) |
Centrally | Override denied | Overriding profile settings is denied. |
Centrally | Override allowed | Select override method: |
Centrally | Override mandatory | Overriding profile settings is mandatory: configure settings here. To change this, refer to Provisioning Profile profile_name (Each gateway is configured separately) |

For example, you set Hosts configuration to Central and Allowed. The Hosts tab on the gateway enables you to manage the Host List of a gateway if you:
- Define the Host List locally on the device (even if it has an assigned Provisioning Profile)
- Provision gateways with the Host List of the Provisioning Profile
- Define a New Host List (in the Gateway window) that overrides the Provisioning Profile on this gateway

Warning - If you select Use the following settings and do not enter values for a specified topic, the current settings on the device are deleted.
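
The decision table and the warning above, modelled as an added example (not Check Point code and not an export format): `resolve` returns where a gateway's effective settings for one topic come from, and `audit` lists the gateways that the profile does not enforce or whose device settings would be deleted. All class, constant and gateway names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field
# Hypothetical names that model the options on this page; not a Check Point API.
LOCAL, CENTRAL = "local", "central"
DENIED, ALLOWED, MANDATORY = "denied", "allowed", "mandatory"
USE_DEVICE, USE_PROFILE, USE_FOLLOWING = "device", "profile", "following"

@dataclass
class ProfileTopic:          # one topic of a profile, e.g. DNS or Hosts
    managed: str
    override: str = DENIED
    values: list = field(default_factory=list)

@dataclass
class GatewayTopic:          # the same topic as set in the Gateway window
    method: str = USE_PROFILE
    values: list = field(default_factory=list)     # "Use the following settings"
    on_device: list = field(default_factory=list)  # current device-local settings

def resolve(profile, gw):
    """Return (source, effective_values, deletes_device_settings)."""
    if profile.managed == LOCAL:
        return "device", gw.on_device, False
    if profile.override == DENIED:
        return "profile", profile.values, False
    if profile.override == MANDATORY:   # each gateway is configured separately
        return "gateway-object", gw.values, False
    if gw.method == USE_DEVICE:         # override allowed, device-local chosen
        return "device", gw.on_device, False
    if gw.method == USE_FOLLOWING:      # warning case: empty values delete settings
        return "gateway-object", gw.values, not gw.values and bool(gw.on_device)
    return "profile", profile.values, False

def audit(profile, fleet):  # gateways whose topic the profile does not enforce
    findings = []
    for name, gw in sorted(fleet.items()):
        source, _, deletes = resolve(profile, gw)
        if deletes:
            findings.append((name, "empty override deletes device settings"))
        elif source != "profile":
            findings.append((name, "settings come from " + source))
    return findings

# Constructed sample data (documentation-range addresses).
DNS = ProfileTopic(CENTRAL, ALLOWED, ["192.0.2.53", "192.0.2.54"])
FLEET = {
    "branch-gw-1": GatewayTopic(USE_PROFILE, on_device=["198.51.100.1"]),
    "branch-gw-2": GatewayTopic(USE_DEVICE, on_device=["198.51.100.2"]),
    "branch-gw-3": GatewayTopic(USE_FOLLOWING, [], ["198.51.100.3"]),
}
```

With the sample profile set to Central and Allowed, `audit(DNS, FLEET)` reports `branch-gw-2` and `branch-gw-3`; switching the profile to Denied leaves no findings.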

Right-click a Provisioning Profile and select Edit Provisioning Profile.
The Security Gateway Provisioning Profile window opens, depending on the operating system for which you created the profile. The General tab is a Read-Only view of the Profile name and OS. You cannot change these profile properties after the profile is created.
The operating system of a Provisioning Profile determines which gateways you can assign to the profile.