Large-scale Deployment Installation
Supported Security Management Versions
Large-scale deployment is supported in all centrally managed appliances.
Make sure your version supports LSM. See the Release Notes for your Management Server version.
Large-scale Deployment Workflow
After you define a SmartLSM profile for a gateway or cluster in SmartConsole, you can use SmartProvisioning to provision multiple gateways from that one profile.
Workflow for large-scale deployments:
- Create the necessary SmartLSM Security Profiles for your deployment groups (gateways or clusters of gateways) in SmartConsole.
- Install the Security Policy in SmartConsole on these SmartLSM Security Profiles.
- Create the actual cluster or gateway objects in SmartProvisioning based on the SmartLSM Security Profiles defined in SmartConsole. For more details, see SmartProvisioning.
- Configure the relevant appliances with the First Time Configuration Wizard, or use a USB drive to quickly configure multiple appliances without the First Time Configuration Wizard. For more details, see Deploying from a USB Drive or SD Card.
- Manage the appliance settings in SmartProvisioning.
Defining a SmartLSM Gateway Profile for a Large-scale Deployment
SmartLSM lets you manage a large number of Check Point appliance gateways from one Security Management Server. When you use a SmartLSM profile, you reduce the administrative overhead because you define the gateway properties and policy once per profile instead of once per gateway. The SmartLSM profile is a logical object that contains the firewall and policy components.
Use SmartConsole to define a single SmartLSM Security Profile for the Check Point appliance.
To define a single SmartLSM profile for a Check Point appliance:
- Connect with SmartConsole to the Management Server.
- From the Objects menu, click More object types > LSM Profile > New Small Office Appliance Gateway. The SmartLSM Security Profile window opens.
- Define the SmartLSM Security Profile through the navigation tree in this window. To open the online help for each window, click Help.
- Click OK.
- Install the applicable Security Policy on the Gateway SmartLSM profile.
- From the SmartConsole menu, click SmartProvisioning. Continue the configuration in the SmartProvisioning GUI.
Defining a SmartLSM Appliance Cluster Profile
The SmartLSM Appliance Cluster Profile is a logical object like the SmartLSM Appliance Gateway profile. It contains the firewall and policy components but also requires logical topology configuration.
The topology table in the SmartLSM Cluster Profile is a template for all SmartLSM clusters that are created with this profile. The SmartLSM Cluster Profile automatically assigns its configuration settings and security policies to each SmartLSM cluster.
The SmartLSM Cluster Profile and its topology are configured in SmartConsole. Then you use the SmartProvisioning GUI to connect the appliances to the Security Management Server and manage them.
Before you do the procedure:
- Prepare two appliances.
- Configure matching internal interfaces with IP addresses in the same subnet. For example, if you use LAN1 on one of the appliances, you must use LAN1 on the second appliance.
- Prepare the WAN interfaces on the same subnet.
- Select an unused IP address from the WAN network and one from the Internal network to use as the Cluster Virtual IP addresses. Each virtual IP must be in the same subnet as the member interfaces of that network and must not collide with a member's address.
To create a SmartLSM Cluster profile:
- Connect with SmartConsole to the Management Server.
- From the Objects menu, click More object types > LSM Profile > New Small Office Appliance Cluster. The SmartLSM Security Profile window opens.
- In General Properties, enter a Name for the profile (for example, ClusterProfile1).
- Select the Cluster Members tab and click Add to add the two Cluster Members to the profile.
- Select the Topology tab and click Edit to insert a template topology. For each SmartLSM cluster, you must define at least 3 networks:
  - External: one interface for each Cluster Member and a shared virtual IP address
  - Internal: one interface for each Cluster Member and a shared virtual IP address
  - Internal - Sync: one interface for each Cluster Member
  The network addresses in the template (for example, 1.1.1.194) are not the actual addresses of your SmartLSM Cluster environment. They are placeholders; the actual network addresses are set in the next configuration step, in the SmartProvisioning application.
  Important - The host octet of each member's interface address (for example, "59" in 1.1.1.59 for Member1 - WAN) must be the member's real host address and cannot be modified later. Make sure to configure it correctly. The host octet of the Virtual IP addresses can be modified later.
- For each Virtual IP interface, double-click the text field to enter the interface name, Security Zone, network type, IP address, and Net Mask.
- For the Internal and Sync interfaces, select Network defined by the interface IP and Net Mask. Set Anti-Spoofing for each interface in the Anti-Spoofing tab. Keep the default settings in the Member Network tab.
- For each cluster member, double-click the Topology text field to enter the interface name, IP address, and Net Mask. For VLANs, make sure the member interface names use the actual physical interface names on the machines. These are the same names that are shown in the appliance's WebUI, but with the colon character ":" replaced by a period character ".". For example, if the WebUI shows LAN1:10, enter LAN1.10 here.
- Save the Cluster Profile.
- Install the applicable Security Policy on the Cluster SmartLSM profile.
- From the SmartConsole menu, click SmartProvisioning. Continue the configuration in the SmartProvisioning GUI.
Deploying with SmartProvisioning
You can use SmartProvisioning to manage Check Point appliance gateways with the SmartLSM profiles defined in SmartConsole. Configure these appliances using the First Time Configuration Wizard or a USB drive configuration file before you manage them with SmartProvisioning.
For more information about large-scale deployment using SmartProvisioning, see the SmartProvisioning Administration Guide for your Management Server version.
Installing a Security Policy
Use this procedure to prepare the policy for automatic installation when the gateway connects.
Note - If the Check Point appliance is already physically set up and configured, the policy is pushed to the gateway when you complete this step. For a list of possible statuses, see Viewing the Policy Installation Status.
At the end of the Install Policy process, the policy status for a Check Point appliance that is not yet set up is "Waiting for first connection". This means that trusted communication (SIC) is not yet established between the Security Management Server and the Check Point appliance. When the gateway connects, it establishes trust and then attempts to install the policy automatically.
To install a Security Policy in SmartProvisioning GUI:
- Click Policy > Install from the menu. The Install Policy window opens.
- Select the installation targets: the Check Point appliance Security Gateways on which to install the policy, and the policy components (such as Network Security or QoS). By default, all gateways that are managed by the Security Management Server are available for selection.
- In the Installation Mode section, select how the Security Policy should be installed:
  - On each selected gateway independently.
  - On all selected gateways, if it fails do not install on gateways of the same version.
- Click OK. The Installation Process window shows the status of the Network Security Policy for the selected target.
  Important - If the Check Point appliance object is defined but the appliance itself is not yet set up (status "Waiting for first connection"), you see the message "Installation completed successfully". This means that the policy was successfully prepared for installation, not that it is already installed on the gateway.
Continue tracking the status of the Security Policy installation in the Policy Installation Status window and the status bar.
Viewing the Policy Installation Status
You can see the installation status of managed gateways in the status bar at the bottom of the SmartConsole window. The status bar shows how many gateways are in the Pending or Failed status.
- Pending - gateways that are in the "Waiting for first connection" status or in the Pending status (see below for detailed explanations).
- Failed - gateways that have failed to install the policy.
The status bar is updated dynamically each time a gateway tries to install a policy or tries to connect to the Security Management Server. The results of these actions are also shown in SmartConsole popup notification balloons when such events occur. You can configure these notifications.
To monitor the status of the last policy installed on each gateway, you can use the Policy Installation Status window.
The window has two sections. The top section shows a list of gateways and status details regarding the installed policy. You can use the filter fields to see only policies of interest and hide other details by defining the applicable criteria for each field. After you apply the filtering criteria, only entries that match the selected criteria are shown. If the system logs trusted communication (SIC) attempts from unknown gateways, a yellow status bar opens below the filter fields.
The bottom section shows details of the row you select in the gateway list (errors that occurred, the date the policy was prepared, verification warnings). If the yellow status bar is shown, click Show details to see the unknown gateways that tried to connect to the Security Management Server.
These are the different statuses in this window (each has its own icon in the window):
| Policy Status | Description |
|---|---|
| Succeeded | Policy installation succeeded. |
| Succeeded (with warnings) | Policy installation succeeded, but there are verification warnings. |
| Waiting for first connection | A Check Point appliance object is configured, but the gateway is not connected to the Security Management Server (initial trust is not established). |
| Waiting for first connection (with warnings) | Same as above, with warnings that attempts to establish trust failed or that there are verification warnings. |
| Pending | The policy remains in the Pending status until the gateway successfully connects to the Security Management Server and retrieves the policy. This status is shown only if there was at least one successful policy installation; for example, when the Security Management Server cannot connect to the Gateway because the Gateway cannot receive incoming connections, as when it is behind NAT. |
| Pending (with warnings) | Same as above, but there are verification warnings. |
| Warning | Warning |
| Information | Information |
| Failed (verification) | Policy not installed due to a verification error. |
| Failed | Policy installation failed. |
You can access the Policy Installation Status window in these ways:
- From the menu bar - Click Policy > Policy Installation Status.
- From the toolbar - Click the Policy Installation Status icon.
- From the status bar - Click Failed or Pending. The contents of the Policy Installation Status window are shown filtered according to the link clicked.
- From notification balloons - Click See Details in the balloon.