Large-scale Deployment Installation

Supported Security Management Versions

Large-scale deployment is supported in all centrally managed appliances.

Make sure your version supports LSM.

Large-scale Deployment Workflow

When you define a SmartLSM profile for a gateway or cluster in SmartDashboard, you can use SmartProvisioning to provision multiple gateways from that one profile.

Workflow for large-scale deployments:

  1. Create the necessary profiles for your deployment groups (gateways or clusters of gateways) in SmartDashboard.

  2. Install the Security Policy in SmartDashboard.

  3. Create the actual cluster or gateway objects in SmartProvisioning based on the SmartLSM profiles defined in SmartDashboard. For more details, see SmartProvisioning.

  4. Configure the relevant appliances with the First Time Configuration Wizard.

    Or

    Use a USB drive to quickly configure multiple appliances without the First Time Configuration Wizard. For more details, see Deploying from a USB Drive or SD Card.

  5. Manage the appliance settings in SmartProvisioning.

Defining a SmartLSM Gateway Profile for a Large-scale Deployment

SmartLSM lets you manage a large number of Check Point appliance gateways from one Security Management Server. When you use a SmartLSM profile, you reduce the administrative overhead because you define the gateway properties and policy once per profile rather than per gateway. The SmartLSM profile is a logical object that contains the firewall and policy components.

Use SmartDashboard to define a single SmartLSM profile for the Check Point appliance.

To define a single SmartLSM profile for the Check Point appliance:

  1. Log in to SmartConsole with your Security Management credentials.

  2. Open the Security Policy that you want to enforce on the Check Point appliance SmartLSM Security Gateways.

  3. From the Network Objects tree, right-click Check Point and select SmartLSM Profile > Small Office Appliance Gateway.

    The SmartLSM Security Profile window opens.

  4. Define the SmartLSM security profile through the navigation tree in this window.

    To open the online help for each window, click Help.

  5. Click OK and then install the policy.

    Note - To activate SmartProvisioning functionality, you must install a security policy on the LSM profile.

  6. Continue in SmartProvisioning.

Defining a SmartLSM Appliance Cluster Profile

The SmartLSM Appliance Cluster Profile is a logical object like the SmartLSM Appliance Gateway profile. It contains the firewall and policy components but also requires logical topology configuration.

The topology table in the SmartLSM Cluster Profile is a template for all SmartLSM clusters that are created with this profile. The SmartLSM Cluster Profile automatically assigns the configuration settings and security policies to each SmartLSM cluster.

The SmartLSM Cluster Profile and its topology are configured in SmartConsole. The SmartProvisioning GUI is then used to connect the appliances to the Security Management Server and manage them from it.

Before you do the procedure:

  • Prepare two appliances.

  • Configure matching internal interfaces with IP addresses in the same subnet. For example, if you use LAN1 on one of the appliances, you must use LAN1 on the second appliance.

  • Prepare the WAN interfaces on the same subnet.

  • Select an IP address from the WAN and the internal network address pools to use as the Cluster Virtual IP.

To create a SmartLSM Cluster profile:

  1. In the SmartDashboard menu > New, right-click Check Point > SmartLSM profile > Small Office Appliance Cluster.

  2. In General Properties, enter a Name for the profile (for example, ClusterProfile1).

  3. Select the Cluster Members tab and click Add to add the two cluster members to the profile.

  4. Select the Topology tab and click Edit to insert a template topology.

    For each SmartLSM cluster, you must define at least 3 networks:

    • External (one interface for each Cluster Member and shared virtual IP address)

    • Internal (one interface for each Cluster Member and shared virtual IP address)

    • Internal - Sync (one interface for each Cluster Member)

      The network addresses (for example, 1.1.1.194) for each interface are not the actual addresses for your SmartLSM Cluster environment. Those are used for the template. The actual network addresses are modified in the next configuration step in the SmartProvisioning application.

      Important - The host octet of each member's interface address (for example, "59" in 1.1.1.59 for Member1 - WAN) must be that member's real host address; it cannot be modified later. Make sure to configure it correctly.

      The host octet for the Virtual IP addresses can be modified later.

  5. For each Virtual IP interface, double-click the text field to enter the interface name, security zone, network type, IP address, and Net Mask.

  6. For the Internal and Sync interfaces, select Network defined by the interface IP and Net Mask. Set Anti-Spoofing for each interface in the Anti-Spoofing tab. Keep the default settings in the Member Network tab.

  7. For each cluster member, double-click the Topology text field to enter the interface name, IP address, and Net Mask. For VLANs, make sure the member names use the actual physical interface names on the machines. Note that these are the same names that are shown in the appliance’s WebUI, but replace the colon character ":" with a period character "."

    For example, if the WebUI shows LAN1:10, enter here LAN1.10

  8. Click Save and install policy on the Cluster Profile.

  9. Close SmartDashboard.

  10. Continue in SmartProvisioning.
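The prerequisites and steps 4 to 7 above impose several consistency rules on the topology template: both members use the same interface name for a network, the member addresses of one network share a subnet, each Virtual IP lies in that subnet without colliding with a member, the External, Internal and Sync networks all exist (Sync has no Virtual IP), and VLAN interfaces are entered as LAN1.10 rather than the WebUI's LAN1:10. The following Python script is an added example that checks a template against those rules before you type it into SmartDashboard; it is not Check Point code. The Network record layout, the member names and all addresses other than the page's 1.1.1.59 and 1.1.1.194 are constructed assumptions.

```python
"""Pre-flight check for a SmartLSM cluster topology template (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The page requires at least these three networks per SmartLSM cluster.
REQUIRED_NETWORKS = {"External", "Internal", "Sync"}


@dataclass
class Network:
    """One row of the template topology (assumed layout, not a Check Point format)."""
    name: str
    # member name -> (interface name as entered in the topology table, address/prefix)
    members: Dict[str, Tuple[str, str]]
    vip: Optional[str] = None  # shared virtual IP with prefix; None for the Sync network


def normalize_iface(webui_name: str) -> str:
    """The appliance WebUI shows a VLAN as LAN1:10; the topology table expects LAN1.10."""
    return webui_name.replace(":", ".")


def validate_cluster_template(networks: List[Network]) -> List[str]:
    """Return a list of problems; an empty list means the template is consistent."""
    problems: List[str] = []
    missing = REQUIRED_NETWORKS - {n.name for n in networks}
    if missing:
        problems.append(f"missing required networks: {sorted(missing)}")

    for net in networks:
        if len(net.members) != 2:
            problems.append(f"{net.name}: expected 2 cluster members, got {len(net.members)}")

        # Matching interfaces: LAN1 on one appliance must be LAN1 on the other.
        ifaces = {iface for iface, _ in net.members.values()}
        if len(ifaces) > 1:
            problems.append(f"{net.name}: members use different interfaces {sorted(ifaces)}")
        for iface in sorted(ifaces):
            if ":" in iface:
                problems.append(f"{net.name}: {iface!r} is a WebUI name; enter {normalize_iface(iface)!r}")

        # Member addresses of one network must share a subnet and differ in host part.
        addrs = [ipaddress.ip_interface(a) for _, a in net.members.values()]
        subnets = {a.network for a in addrs}
        if len(subnets) > 1:
            problems.append(f"{net.name}: member addresses span several subnets {sorted(map(str, subnets))}")
        if len({a.ip for a in addrs}) != len(addrs):
            problems.append(f"{net.name}: both members use the same host address")

        # Sync carries no VIP; External and Internal need one inside the member subnet.
        if net.name == "Sync":
            if net.vip is not None:
                problems.append("Sync: no virtual IP is defined for the sync network")
            continue
        if net.vip is None:
            problems.append(f"{net.name}: virtual IP is missing")
        elif len(subnets) == 1:
            vip = ipaddress.ip_interface(net.vip)
            subnet = next(iter(subnets))
            if vip.ip not in subnet:
                problems.append(f"{net.name}: virtual IP {vip.ip} is outside member subnet {subnet}")
            elif vip.ip in {a.ip for a in addrs}:
                problems.append(f"{net.name}: virtual IP {vip.ip} collides with a member address")
    return problems


# Constructed sample templates. 1.1.1.59 and 1.1.1.194 come from the page; the rest is made up.
GOOD_TEMPLATE = [
    Network("External", {"Member1": ("WAN", "1.1.1.59/24"), "Member2": ("WAN", "1.1.1.60/24")}, "1.1.1.194/24"),
    Network("Internal", {"Member1": ("LAN1", "192.168.1.59/24"), "Member2": ("LAN1", "192.168.1.60/24")}, "192.168.1.1/24"),
    Network("Sync", {"Member1": ("LAN2", "10.10.10.1/24"), "Member2": ("LAN2", "10.10.10.2/24")}),
]

# Sync network missing, mismatched interfaces, a WebUI-style VLAN name and two subnets on Internal.
BAD_TEMPLATE = [
    Network("External", {"Member1": ("WAN", "1.1.1.59/24"), "Member2": ("WAN", "1.1.1.60/24")}, "1.1.1.194/24"),
    Network("Internal", {"Member1": ("LAN1:10", "192.168.1.59/24"), "Member2": ("LAN3", "192.168.2.60/24")}, "192.168.1.1/24"),
]

if __name__ == "__main__":
    for label, template in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(f"{label}: {validate_cluster_template(template) or 'OK'}")
```

Run the script as-is to see the four problems reported for the bad template; adapt the two template lists to your own interface names and addresses before you fill in the Topology tab.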

Deploying with SmartProvisioning

You can use SmartProvisioning to manage Check Point appliance gateways with the SmartLSM profiles defined in SmartDashboard. Configure these appliances using the First Time Configuration Wizard or a USB drive configuration file before you manage them with SmartProvisioning.

For more information about large-scale deployment using SmartProvisioning, see the SmartProvisioning Administration Guide.

Installing a Security Policy

Use this procedure to prepare the policy for automatic installation when the gateway connects.

Note - If the Check Point appliance is already physically set up and configured, the policy is pushed to the gateway when you successfully complete this step. For a list of possible statuses, see Viewing the Policy Installation Status.

At the end of the Install Policy process, the policy status for a Check Point appliance that is not yet set up is "waiting for first connection." This implies that trusted communication is not yet established between the Security Management Server and the Check Point appliance. When the gateway connects, it establishes trust and attempts to install the policy automatically.

To install a security policy:

  1. Click Policy > Install from the menu.

    The Install Policy window opens.

  2. Select the installation targets - the Check Point appliance Security Gateways on which to install the policy and the policy components (such as Network Security or QoS).

    By default, all gateways that are managed by the Security Management Server are available for selection.

  3. In the Installation Mode section, select how the Security Policy should be installed:

    • On each selected gateway independently.

    • On all selected gateways; if installation fails on one gateway, do not install on the other gateways of the same version.

  4. Click OK.

    The Installation Process window shows the status of the Network Security Policy for the selected target.

    Important - If the Check Point appliance object is defined but the appliance itself is not yet set up and the object is in the "Waiting for first connection" status, you see a message that says "Installation completed successfully". This means that the policy is successfully prepared for installation, not that it is installed on the gateway.

Continue tracking the status of the Security Policy installation with the Policy Installation and the status bar.

Viewing the Policy Installation Status

You can see the installation status of managed gateways with the status bar that shows at the bottom of the SmartDashboard window. The status bar shows how many gateways are in Pending or Failed mode.

  • Pending - gateways that are in the waiting for first connection status or are in the pending status (see below for detailed explanations).
  • Failed - gateways that have failed to install the policy.

The status bar is updated dynamically each time a gateway tries to install a policy or tries to connect to the Security Management Server. The results of these actions are also shown in SmartDashboard popup notification balloons when such events occur. You can configure these notifications.

To monitor the status of the last policy installed on each gateway, you can use the Policy Installation Status window.

The window has two sections. The top section shows a list of gateways and status details regarding the installed policy. You can use the filter fields to see only policies of interest and hide other details by defining the applicable criteria for each field. After you apply the filtering criteria, only entries that match the selected criteria are shown. If the system logs trusted communication (SIC) attempts from unknown gateways, a yellow status bar opens below the filter fields.

The bottom section shows details of a row you select in the gateway list (errors that occurred, the date the policy was prepared, verification warnings). If there is a yellow status bar, click Show details to show the details of unknown gateways that try to connect to the Security Management Server.

These are the different statuses in this window (the icon column of the original table is not reproduced here; each status has its own icon):

  • Succeeded - Policy installation succeeded.
  • Succeeded (with warnings) - Policy installation succeeded but there are verification warnings.
  • Waiting for first connection - A Check Point appliance object is configured, but the gateway is not connected to the Security Management Server (initial trust is not established).
    • If a policy is prepared, it is pulled when the gateway connects.
    • If a policy is not prepared, the Policy Type column shows "No Policy Prepared." When the gateway first connects, only trust is established.
  • Waiting for first connection (with warnings) - Same as above, with warnings that attempts to establish trust failed or that there are verification warnings.
  • Pending - The policy remains in the pending status until the gateway successfully connects to the Security Management Server and retrieves the policy. This status is shown only if there was at least one successful policy installation before. For example, it appears when the Security Management Server has problems connecting to the gateway (the gateway cannot receive incoming communication, as when it is behind NAT).
  • Pending (with warnings) - Same as above, but there are verification warnings.
  • Warning
  • Information
  • Failed - Policy not installed due to a verification error.
  • Failed - Policy installation failed.

You can access the Policy Installation Status window in these ways:

  • From the menu bar - Click Policy > Policy Installation Status.

  • From the toolbar - Click the Policy Installation Status icon.

  • From the status bar - Click Failed or Pending. The contents of the Policy Installation Status window are shown filtered according to the link clicked.

  • From notification balloons - Click See Details in the balloon.