Configuring SmartLSM Cluster Objects in SmartProvisioning
Before you define a SmartLSM cluster in SmartProvisioning, you must have an applicable SmartLSM Cluster Security Profile in SmartConsole (see Creating a SmartLSM Security Cluster Profile). Use SmartProvisioning to create and configure a SmartLSM cluster.
Note - Alternatively, you can use LSMcli commands (possibly, in a script) to define SmartLSM clusters, for example

- From the File menu, select New > Check Point Appliance/Open Server SmartLSM Cluster.
- Enter a Cluster Name Prefix or Suffix or both to add to the cluster Profile and member names.
- Enter the Cluster Main IP Address.
- Click Next.
- Select the SmartLSM Cluster Version and the SmartLSM Security Cluster Profile. Click Next.
- Verify the resulting names. Click Next.
  The More Information window opens. This window shows the interface topology defined on the Cluster Profile object in SmartConsole. The profile topology includes generic (template) IP addresses for any SmartLSM Cluster mapped to this profile. You can override the IP addresses in the list with new values for a specific SmartLSM Cluster.
- Select each interface and Edit it.
  The settings here override Profile settings.
- For each interface, define:
  - The Members' Network Override address (usually the same for all interfaces).
  - The Members' interface Name Override (must match the name defined in the operating system).
  - The Cluster IP Address and Net Mask.
  - You can also override the IP address for each Cluster Member. For this option to show in the UI, you must set an environment variable in Windows. First, close SmartConsole and SmartProvisioning. Then go to Windows > Control Panel > System and Security > System > Advanced System Settings and, at the bottom of the window, go to Environment Variables. In the User variables section, select New. In the New User Variable window that opens, enter these details:
    - Variable name: LSM_USING_IP_OVERRIDE
    - Variable value: 1
    After you set the environment variable, reopen SmartConsole and SmartProvisioning and define the IP overrides.
  - For fields left empty, the values are taken from the Profile. You can define the overrides later on by editing the cluster object. You can also edit the cluster object to override interface topology.
- Click Next.
- Select each member, and Initialize SIC communication. The Communication window opens. SIC is initialized only when you complete the wizard.
  Note - Alternatively, you can do this later - edit the member object and, in the General tab, click Communication.
- Click Next.
  The Finished SmartLSM Security Cluster Wizard window opens.
- To create a VPN certificate for the cluster, select this option.
  The certificate is created only when you complete the wizard. You can later create VPN certificates for the individual cluster members - edit the member object and, in the VPN tab, click Generate.
- To configure additional cluster options (such as VPN settings or Dynamic Objects) after the SmartLSM cluster object is created, select this option and click Finish.
  SmartProvisioning creates the SmartLSM Cluster object and its members.
  Note - After a SmartLSM Cluster is defined and mapped to a Profile, do not add or remove a member or an interface. Do not change a cluster (virtual) interface name.
- To retrieve the policy for the first time, from the command line of each SmartLSM Cluster member, run:
  fw fetch_robo -n -f
Note - To edit the cluster properties, double-click the cluster object. To edit the properties of a cluster member, you can double-click the member object or go to the Cluster tab in the cluster properties window.