Creating Check Point Security Gateways in SmartProvisioning

This procedure describes how to add a Check Point Appliance/Open Server Security Gateway to SmartProvisioning.

Before you begin, you must have at least one SmartLSM Security Profile.

  1. In the navigation tree, click Devices.

  2. From the Launch Menu, select File > New > Check Point Appliance / Open Server Gateway.

    The wizard opens in a new window. Follow the steps to define the gateway.

  3. Enter a name for the gateway and optional comments. Click Next.

    This name is for SmartProvisioning management purposes and can be different from the name of the gateway device.

  4. In the More Information page, configure these settings:

    1. OS: Select the Operating System of the gateway.

    2. SmartLSM Gateway: Select the version that is installed on the gateway.

    3. Security Profile: Select a SmartLSM Security Profile object created in SmartConsole.

    4. Enable Provisioning: Select to assign an applicable Provisioning Profile to this gateway.

      • No Provisioning Profile - Select to enable provisioning for this gateway, and leave the actual assignment of Provisioning Profile for later.

      • Provisioning Profile - Select a Provisioning Profile to assign to this gateway.

  5. Click Next.

  6. In the SmartLSM Security Gateway Communication Properties page, define an Activation Key in the Authentication section.

    An activation key sets up a Secure Internal Communication (SIC) Trust between the Security Gateway and the Security Management Server or Domain Management Server. This is the same activation key that you provide in the SIC tab of the Check Point Configuration Tool (cpconfig) on the Security Gateway.

    In the Authentication section, select one of these options:

    • Initiate trusted communication securely by using a one-time password.

      Enter a password, and then enter it again in the Confirm one-time password field.

    • Initiated trusted communication with an auto-generated one-time password.

      1. Click Generate.

        The Generated Activation Key window opens, and displays the key in clear text.

      2. Save the key so you can enter it on the Security Gateway for SIC initialization.

      3. Click Accept.

  7. In the Trusted Communication Initiation pane, select one of these options:

    • If you do not know the IP address of the SmartLSM Security Gateway, select Initiate trusted communication automatically when the Gateway connects to the Security Management Server for the first time.

    • If you know the IP address of this SmartLSM Security Gateway, select Initiate trusted communication now using the following IP address and enter the IP address in the field. When you complete this step, the SIC certificate is pushed to the Security Gateway.

  8. Click Next.

  9. If you want a CA certificate from the Internal Check Point CA, select I wish to create a VPN Certificate from the Internal CA.

    If you want a CA certificate from a third party (for example, if your organization already has certificates from an external CA for other devices), clear this check box and request the certificate from the appropriate CA server after you complete the wizard.

  10. Optional: Select Edit SmartLSM Security Gateway properties after creation.

  11. Click Finish.

  12. Click Publish from the top toolbar.