Small-scale Deployment Installation

This chapter contains procedures for defining a gateway or a gateway cluster in SmartConsole.

Do the procedures that match your requirements, then install the policy.

Defining a Gateway Object

Options to define a gateway object:

  • Management First

    Define the gateway object in SmartConsole before you configure and set up the actual appliance on site. This is commonly used for remotely deployed appliances or appliances that connect to the Security Management Server with a dynamic IP address (assigned by a DHCP server or an ISP), as the IP address is not known at the time of the configuration of the object in SmartConsole. You can prepare a policy that the appliance pulls when it is configured.

    Workflow:

    1. In SmartConsole:

      1. Create the required objects and configure the required settings:

        Before you enable the IPSec VPN Software Blade, you must configure the VPN community and optionally, a VPN domain.

      2. Create the necessary gateway or cluster objects for your appliances.

      3. Install the Security Policy on the gateway object.

    2. Configure the appliance with the First Time Configuration Wizard.

      Alternatively, you can use a USB drive to quickly configure many appliances without the First Time Configuration Wizard.

      For more details, see Deploying from a USB Drive or SD Card.

    3. In SmartProvisioning, manage the gateway object settings.

  • Gateway First

    Configure and set up the appliance first. It then tries to communicate with the Security Management Server (if this is configured) at 1 hour intervals. If there is connectivity with the gateway during object creation in SmartConsole, the wizard can retrieve data from the gateway (such as topology), and then help in configuration.

    Workflow:

    1. Configure the relevant appliances with the First Time Configuration Wizard.

      Alternatively, you can use a USB drive to quickly configure many appliances without the First Time Configuration Wizard.

      For more details, see Deploying from a USB Drive or SD Card.

    2. In SmartConsole:

      1. Create the required objects and configure the required settings:

        Before you enable the IPSec VPN Software Blade, you must configure the VPN community and optionally, a VPN domain.

      2. Create the necessary gateway or cluster objects for your appliances.

      3. Install the Security Policy on the gateway object.

    3. In SmartProvisioning, manage the gateway object settings.

To define a single gateway object:

  1. Connect with SmartConsole to the Security Management Server.

  2. From the Objects menu, click More object types > Network Object > Gateways and Servers > New Gateway.

    The Check Point Security Gateway Creation window opens.

  3. Click Wizard Mode.

  4. On the General Properties page:

    1. In the Gateway name field, enter a name for the Security Gateway object.

    2. In the Gateway platform field, select the correct appliance series for the Quantum Spark appliance.

    3. The Version field automatically shows R80.20.

    4. In the Platform Type field, select the correct appliance type for the Quantum Spark appliance.

    5. Configure the IP address for the Quantum Spark appliance in one of these ways:

      • Select Static IP address and enter the IP address.

      • Select Dynamic IP address to get the gateway's IP address from a DHCP server.

    6. Click Next.

  5. On the Trusted Communication page, configure how the Security Management Server and the Quantum Spark appliance authenticate each other and click Next:

    • If on the previous General Properties page you selected Static IP address:

      1. In the Authentication section, select Initiate trusted communication securely by using a one-time password or Initiate trusted communication without authentication (less secure).

      2. If you selected Initiate trusted communication securely by using a one-time password, enter a one-time password and confirm it.

        This password is only used to establish the initial trust. After it is established, trust is based on security certificates.

        Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.

      3. In the Trusted Communication section, select Initiate trusted communication automatically when the Gateway connects to the Security Management server for the first time or Initiate trusted communication now.

      4. Click Connect.

        A status window appears.

    • If on the previous General Properties page you selected Dynamic IP address:

      1. In the Gateway Identifier section, select one identifier: Gateway name, MAC address, or First to connect.

      2. In the Authentication section, select Initiate trusted communication securely by using a one-time password or Initiate trusted communication without authentication (less secure).

      3. If you selected Initiate trusted communication securely by using a one-time password, enter a one-time password and confirm it.

        This password is only used for establishing the initial trust. After it is established, trust is based on security certificates.

        Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.

  6. On the Blade Activation page, select Activate and configure software blades now or Activate and configure software blades later.

    If you selected Activate and configure software blades now:

    1. Select the check boxes next to the Software Blades you want to activate.

    2. Click Next.

  7. On the Blade Configuration page, configure the required options and click Next:

    Note - This page appears only if on the previous Blade Activation page you selected Activate and configure software blades now.

    • NAT - The Hide internal networks behind the Gateway's external IP checkbox is selected by default.

    • IPSec VPN - In the Participate in a site to site community field, select a VPN community that this gateway participates in (you must create this VPN community before you start the wizard). If it is a star community, this gateway becomes a VPN satellite gateway.

    • QoS - Select the applicable inbound and outbound bandwidth rates.

  8. On the VPN Domain page, configure the VPN Encryption Domain settings and click Next:

    Note - This page appears only if on the previous Blade Activation page you selected the IPSec VPN Software Blade.

    Available options:

    • Hide VPN domain behind this gateway's external IP

      Select this option only if you want to hide all internal networks behind this gateway's external IP. All outgoing traffic from networks behind this gateway to other sites that participate in VPN community is encrypted.

      With this option, connections that are initiated from other sites that are directed to hosts behind this gateway are not encrypted. If you need access to hosts behind this gateway, select other options (define VPN topology) or make sure all traffic from other sites is directed to this gateway's external IP address and define corresponding NAT port-forwarding rules, such as: translate the destination of incoming HTTP connections that are directed to this gateway's external IP address to the IP address of a web server behind this gateway.

    • Create a new VPN domain

      1. In the Name field, enter a name for the group.

      2. From the Available objects list, select the applicable objects and click Add. The objects are added to the VPN domain members list.

        Note - To select multiple separate objects, press and hold the Ctrl key while you click them. To select multiple adjacent objects, press and hold the Shift key while you click the first and the last of them.

    • Select an existing VPN domain

      You must create this VPN domain before you start the wizard.

  9. On the Installation Wizard Completion page:

    You see a summary of the configuration parameters you set.

    If you want to configure more options of the Security Gateway, select Edit Gateway properties for further configuration.

    Click Finish.

  10. The General Properties window of the newly defined object opens.

    Configure the applicable settings and click OK.

  11. Install the Security Policy on the gateway object.

Defining a Gateway Cluster Object

A Quantum Spark appliance Security Gateway cluster is a group of two members. Each represents a separate Quantum Spark appliance which has High Availability software installed. ClusterXL is the Check Point clustering solution. Third party OPSEC Certified clustering products are not supported.

High Availability

High Availability allows organizations to maintain a connection when there is a failure in a cluster member. Only one machine is active (Active/Standby operation) in this configuration. Load sharing is not supported on this appliance.

Prerequisites

You must first configure and set up the two gateways with their actual IP addresses. Only afterward can you create the cluster object in SmartConsole or SmartProvisioning. The policy installation from the Security Management Server alerts the gateways that they are configured as cluster members.

Workflow

  1. Do not connect the two Quantum Spark appliances to the power source.

  2. Connect the required cables.

  3. On the first appliance:

    1. Turn it on.

    2. Configure it with the First Time Configuration Wizard.

    3. Reboot it.

    4. Shut it down.

    Note - If you do not follow these instructions, you cannot use the https://my.firewall URL correctly and you need to connect with the gateway's actual IP address. (That IP address is initially 192.168.1.1 on LAN1 before you change it on the Quantum Spark appliance).

  4. On the second appliance:

    1. Turn it on.

    2. Configure it with the First Time Configuration Wizard.

    3. Reboot it.

  5. Turn on the first appliance.

  6. In SmartConsole:

    1. Configure the cluster object.

    2. Install the Security Policy on the cluster object.

  7. In SmartProvisioning, manage the appliance settings for the cluster object.

Creating a Cluster for New Gateways

Note - See your Quantum Spark appliance Getting Started Guide for full instructions to set up and connect the Quantum Spark appliance.

The configuration procedure consists of two parts:

  1. Initial configuration of two new Quantum Spark appliance gateways

  2. Creating and configuring a cluster object

Part 1 - Initial configuration of two new Quantum Spark appliance gateways:

  1. Do not connect the two Quantum Spark appliances to the power source.

  2. Connect the required cables to the two Quantum Spark appliances and between them.

  3. Connect the first Quantum Spark appliance to the power source and turn it on.

  4. Connect your computer to the LAN1 interface of the first Quantum Spark appliance.

  5. Configure your computer to get an IP address automatically.

  6. With a web browser on your computer connect to: https://my.firewall

  7. Follow the steps to configure the first Quantum Spark appliance with the First Time Configuration Wizard.

    Important:

    • The WAN interface:

      When you create the cluster object in SmartConsole in Wizard Mode, it assumes that the WAN interface is part of the cluster.

      Make sure the WAN interfaces on the two appliances are configured with a static IP address of a matching subnet.

    • The cluster SYNC interface:

      • Use an Ethernet cross-cable to connect SYNC interfaces on the two appliances.

      • By default, the LAN2 interfaces are used for cluster synchronization.

      • It is not necessary to configure an IP address on the LAN2 interface at any stage of the gateway side configuration.

        If you do not configure an IP address on the LAN2 interface, the IP addresses of the SYNC interfaces are automatically set to 10.231.149.1 and 10.231.149.2.

      • If you manually configure IP addresses on the SYNC interfaces, you must configure these IP addresses to be on the same subnet.

      • You can use a SYNC interface other than LAN2. For more information, see sk52500.

    • To configure IP addresses on interfaces other than WAN and LAN1, do so in each gateway's WebUI - on the Internet or Local Network pages. Make sure that for each interface that is part of the cluster, you configure an IP address in the same subnet as the peer cluster member.

    • One-time password:

      • Remember this one-time password. You need it to configure the cluster object in SmartConsole.

      • The one-time password must be the same on the two cluster members to create the cluster object in Wizard Mode.

      • If the one-time password is not the same on the two cluster members, you must create the cluster object in Classic Mode.

  8. Reboot the first Quantum Spark appliance.

  9. Shut down the first Quantum Spark appliance.

  10. Connect the second Quantum Spark appliance to the power source and turn it on.

  11. Connect your computer to the LAN1 interface of the second Quantum Spark appliance.

  12. Renew the dynamic IP address on your computer.

  13. With a web browser on your computer connect to: https://my.firewall

  14. Follow the steps to configure the second Quantum Spark appliance with the First Time Configuration Wizard.

    Important:

    • The WAN interface:

      When you create the cluster object in SmartConsole in Wizard Mode, it assumes that the WAN interface is part of the cluster.

      Make sure the WAN interfaces on the two appliances are configured with a static IP address of a matching subnet.

    • The cluster SYNC interface:

      • Use an Ethernet cross-cable to connect SYNC interfaces on the two appliances.

      • By default, the LAN2 interfaces are used for cluster synchronization.

      • It is not necessary to configure an IP address on the LAN2 interface at any stage of the gateway side configuration.

        If you do not configure an IP address on the LAN2 interface, the IP addresses of the SYNC interfaces are automatically set to 10.231.149.1 and 10.231.149.2.

      • If you manually configure IP addresses on the SYNC interfaces, you must configure these IP addresses to be on the same subnet.

      • You can use a SYNC interface other than LAN2. For more information, see sk52500.

    • To configure IP addresses on interfaces other than WAN and LAN1, do so in each gateway's WebUI - on the Internet or Local Network pages. Make sure that for each interface that is part of the cluster, you configure an IP address in the same subnet as the peer cluster member.

    • One-time password:

      • Remember this one-time password. You need it to configure the cluster object in SmartConsole.

      • The one-time password must be the same on the two cluster members to create the cluster object in Wizard Mode.

      • If the one-time password is not the same on the two cluster members, you must create the cluster object in Classic Mode.

  15. Reboot the second Quantum Spark appliance.

  16. Turn on the first Quantum Spark appliance (connect it to the power source).

Part 2 - Creating and configuring a cluster object

  1. Connect with SmartConsole to the Security Management Server.

  2. From the Objects menu, click More object types > Network Object > Gateways and Servers > New Small Office Cluster.

    The Check Point Security Gateway Cluster Creation window opens.

  3. Click Wizard Mode.

  4. On the Cluster General Properties page:

    1. In the Cluster name field, enter a name for the Cluster object.

    2. In the Hardware field, select the correct appliance series for the Quantum Spark appliance.

    3. Click Next.

  5. On the Cluster Members page:

    • In the First Member section:

      1. In the Member name field, enter a name for the first Cluster Member object.

      2. In the Member IPv4 address field, enter the IPv4 address for the first Cluster Member object. By default, this must be the IPv4 address assigned to the WAN interface.

    • In the Second Member section:

      1. Clear the Define the second cluster member now check box only if you want to check the communication and connectivity.

        This allows you to complete the wizard definitions for the first cluster member only.

      2. In the Member name field, enter a name for the second Cluster Member object.

      3. In the Member IPv4 address field, enter the IPv4 address for the second Cluster Member object. By default, this must be the IPv4 address assigned to the WAN interface.

    • In the Secure Internal Communication section:

      In the Password field, enter the same one-time password you entered in the First Time Configuration Wizard on each appliance.

      Click Next.

      The wizard establishes trust between the Security Management Server and the appliances.

      Note - After trust is established, it is based on security certificates.

  6. On the Cluster Interface Configuration page, define if a network interface on the Quantum Spark appliance is part of the cluster:

    This window appears for each network interface that was configured on the Quantum Spark appliance.

    The total number of interfaces configured for the gateway appears in the window title. For example, if 3 interfaces are configured for the gateway, a total of 3 windows require configuration. The breadcrumb image at the top of the window shows you the interface you are currently configuring. The name of the interface you are currently configuring appears in the Interface column. The image at the bottom of the page shows if the interface is set for High Availability. When you configure High Availability, the physical IP addresses of both Cluster Members meet at a point indicated by the cluster's virtual IP address.

    Each network interface (on both Cluster Members) has a unique IP address.

    When High Availability is enabled on the interface, then the cluster requires an additional unique virtual IP address. This virtual IP address is visible to the network and ensures that cluster failover events are transparent to all hosts on the network.

    When High Availability is disabled on the interface, the interface is considered non-monitored private (not part of the cluster configuration).

    You can configure High Availability for all network interfaces except for the WAN interface. By default, the WAN interface is always part of the cluster. If you do not want the WAN interface to be part of the cluster, edit the Cluster object in SmartConsole after you complete the wizard.

    If the WAN interface was not defined, edit the Cluster object in SmartConsole and select a correct main IP address for the cluster object. (This IP address is used, for example, in VPN as one of the Link Selection options).

    You do not configure the LAN2 interface as it is automatically configured by the wizard and is used only for the SYNC interface. Make sure a cable is connected between the two LAN2/SYNC ports of both appliances.

    Note - The LAN2/SYNC interface supports only IPv4 addresses.

    Configuration:

    1. Enter a virtual IP Address and Net Mask for the cluster. The virtual IP address is applied in the next policy installation.

    2. Click Next.

    3. To enable High Availability on the interface, select the Enable High Availability on <name> interface checkbox.

      The <name> shows the network interface defined in the Quantum Spark appliance.

      When High Availability is selected, enter a virtual IP Address and Net Mask for the cluster. The virtual IP address is applied in the next policy installation.

    4. Click Next.

    5. Repeat the above steps for each defined interface.

    6. Click Next.

  7. On the Installation Wizard Completion page:

    You see a summary of the configuration parameters you set.

    If you want to configure more settings in the Cluster object, select Edit Cluster in Advanced mode.

    Click Finish.

  8. The General Properties window of the newly defined object opens.

    Configure the applicable settings and click OK.

  9. Install the Security Policy on the cluster object.

  10. Renew the dynamic IP address on the computer connected to one of the Cluster Members.

    You can then use https://my.firewall to access the Active Cluster Member.
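The addressing requirements from Part 1 and from the Cluster Interface Configuration page can be checked before the wizard is run. The following pre-flight check is an added example, not Check Point code; the ClusterInterface structure, the function name and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ClusterInterface:
    name: str
    member1: Optional[str]            # "address/prefix" on the first member, None if unset
    member2: Optional[str]            # "address/prefix" on the second member, None if unset
    virtual_ip: Optional[str] = None  # cluster virtual IP, required when HA is enabled
    high_availability: bool = True    # False = non-monitored private interface
    sync: bool = False                # True for the LAN2/SYNC link


def check_cluster_plan(interfaces: List[ClusterInterface]) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    owners = {}  # address -> description of the first place it was used

    def claim(addr, owner):
        # Every member address and every virtual IP must be unique.
        if addr in owners:
            findings.append(f"{owner}: {addr} already used by {owners[addr]}")
        else:
            owners[addr] = owner

    for itf in interfaces:
        if itf.sync and itf.member1 is None and itf.member2 is None:
            # No address on LAN2: the appliances set 10.231.149.1 and
            # 10.231.149.2 on the SYNC interfaces automatically.
            continue
        if itf.member1 is None or itf.member2 is None:
            findings.append(f"{itf.name}: member address missing")
            continue
        try:
            m1 = ipaddress.ip_interface(itf.member1)
            m2 = ipaddress.ip_interface(itf.member2)
            vip = ipaddress.ip_interface(itf.virtual_ip) if itf.virtual_ip else None
        except ValueError as exc:
            findings.append(f"{itf.name}: {exc}")
            continue

        claim(m1.ip, f"{itf.name} member 1")
        claim(m2.ip, f"{itf.name} member 2")

        if itf.sync and (m1.version != 4 or m2.version != 4):
            findings.append(f"{itf.name}: the SYNC interface supports only IPv4")

        # Interfaces that are part of the cluster need both members in one subnet.
        if (itf.sync or itf.high_availability) and m1.network != m2.network:
            findings.append(
                f"{itf.name}: members are in different subnets "
                f"({m1.network} and {m2.network})"
            )

        # An HA interface needs one more unique address: the virtual IP.
        if itf.high_availability and not itf.sync:
            if vip is None:
                findings.append(f"{itf.name}: High Availability enabled, no virtual IP")
            else:
                claim(vip.ip, f"{itf.name} virtual IP")
    return findings


# Constructed sample plans (documentation and private address ranges).
GOOD_PLAN = [
    ClusterInterface("WAN", "203.0.113.11/24", "203.0.113.12/24", "203.0.113.10/24"),
    ClusterInterface("LAN2", None, None, sync=True),
    ClusterInterface("LAN3", "192.168.10.2/24", "192.168.10.3/24", "192.168.10.1/24"),
    ClusterInterface("LAN5", "172.16.1.1/24", "172.16.2.1/24", high_availability=False),
]
BAD_PLAN = [
    ClusterInterface("WAN", "203.0.113.11/24", "203.0.113.12/24", "203.0.113.10/24"),
    ClusterInterface("LAN2", None, None, sync=True),
    ClusterInterface("LAN3", "192.168.10.2/24", "192.168.11.3/24", "192.168.10.1/24"),
    ClusterInterface("LAN4", "192.168.20.2/24", "192.168.20.3/24", "192.168.20.2/24"),
]

if __name__ == "__main__":
    for finding in check_cluster_plan(BAD_PLAN):
        print(finding)
```
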

Converting an Existing Quantum Spark Appliance to a Cluster

Do these procedures to convert an existing Quantum Spark Appliance to a cluster.

Note - The procedures require some downtime.

Terms used:

  • GW - The existing Quantum Spark Appliance gateway object that has already established trust and has an installed policy.

  • Cluster - The new Quantum Spark Appliance cluster object that you create.

  • GW_2 - The new cluster member object that joins the existing gateway.

To configure the new appliance GW_2 with the First Time Configuration Wizard:

  1. Make sure to configure the actual IP addresses and not the virtual IP addresses that are used by the existing gateway GW.

  2. Clear the Enable switch on LAN ports checkbox.

    If you do not do this, the default switch configuration is automatically removed during the cluster's first policy installation, as it is not supported in a cluster configuration.

    Note - It is more secure to remove the switch configuration before initial policy installation.

  3. Configure the LAN2 port (used for cluster synchronization) with an IP address that is in the same network as the other cluster member.

    It is recommended to assign a static IP address for the sync interface.

  4. Do not fetch the policy from the Security Management Server.

To create and configure the cluster in SmartConsole:

  1. Use the wizard to create a new Quantum Spark appliance cluster.

  2. Define the IP address as the IP address used by the existing gateway GW.

  3. Define the first member with GW_2's IP address.

    Important - Do not define the second cluster member using the wizard.

  4. Establish trusted communication.

  5. Define all the IP addresses of the clustered interfaces.

    Use the existing gateway GW IP address as the virtual IP address of the cluster.

  6. At the end of the wizard, select the Edit the cluster in Advanced Mode checkbox.

  7. In Advanced Mode, enter all the applicable configuration settings from the GW to the cluster object.

To reconfigure the existing Quantum Spark appliance:

  1. In the WebUI, go to the GW and connect to it.

  2. Reconfigure the IP addresses of the clustered interfaces with the actual IP addresses that are used by the gateway as a member of the cluster.

    Important - Downtime starts.

To configure the cluster in SmartConsole:

  1. Change the main IP address and the IP addresses that appear in the topology table of the GW object.

  2. Install policy on Cluster.

    Important - Downtime ends. At this point, the cluster contains only one member, GW_2.

  3. Go to Cluster Members > Add > Add existing gateway and edit the Cluster object.

  4. If GW does not show in the list, press Help and make sure GW does not match any of the categories that prevent it from being added to a cluster.

    Note - Use the information on this Help page to determine if there are any configuration settings you want to copy to the new Cluster object.

  5. Under the new GW object, click Topology > Get Topology to edit the topology of the Cluster object.

  6. Install policy on the cluster object.

Viewing Cluster Status in the WebUI

After you complete policy installation on the Quantum Spark appliance gateway and the gateway works as a cluster member, you can view cluster status in the WebUI application (Device > High Availability).

Creating the Security Policy

R80.20 and higher versions support ordered layers and inline layers for a policy, which is a set of rules that the gateway enforces on incoming and outgoing traffic. You can build a Rule Base with layers, each layer with its own set of security rules. Layers are inspected in the order in which they are defined, which gives control over the Rule Base flow and precedence of security functionality. If an "Accept" action is done in a layer, inspection continues in the next layer.

Sub-policies are sets of rules that you attach to specific rules. If the rule is matched, inspection continues in the sub-policy attached to the rule. If the rule is not matched, the sub-policy is skipped. For example, a sub-policy can manage a network segment or branch office.

Policy layers and sub-policies can be managed by specific administrators, according to their permission profiles.
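A small model of the layer semantics described above, added as an example and not Check Point code: it shows that an Accept in one ordered layer only passes the connection on to the next layer, and that a sub-policy is consulted only when its parent rule matches. First-match evaluation inside a layer, Drop ending inspection, the implicit drop when no rule matches, and all layer, rule and field names are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ACCEPT, DROP = "Accept", "Drop"


@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]
    action: str = ACCEPT
    sub_policy: Optional[List["Rule"]] = None  # rules attached to this rule


def inspect_layer(rules: List[Rule], conn: dict, trace: List[str], path: str) -> str:
    """Verdict of one layer (assumption: the first matching rule decides)."""
    for rule in rules:
        if not rule.match(conn):
            continue  # rule not matched: its sub-policy is skipped
        trace.append(f"{path}/{rule.name}")
        if rule.sub_policy is not None:
            # Rule matched: inspection continues in the attached sub-policy.
            return inspect_layer(rule.sub_policy, conn, trace, f"{path}/{rule.name}")
        return rule.action
    trace.append(f"{path}/(no match)")
    return DROP  # assumption: implicit drop when nothing matches


def inspect_connection(layers, conn: dict) -> Tuple[str, List[str]]:
    """Walk the ordered layers; Accept moves on to the next layer."""
    trace: List[str] = []
    for layer_name, rules in layers:
        if inspect_layer(rules, conn, trace, layer_name) == DROP:
            return DROP, trace  # assumption: a Drop ends inspection
    return ACCEPT, trace


# Constructed two-layer policy; the zone names follow the page's example rule.
POLICY = [
    ("Network", [
        Rule("Branch office", lambda c: c["src_zone"] == "InternalZone",
             sub_policy=[
                 Rule("Web out", lambda c: c["dst_zone"] == "ExternalZone"
                      and c["service"] == "https"),
                 Rule("Branch cleanup", lambda c: True, DROP),
             ]),
        Rule("Cleanup", lambda c: True, DROP),
    ]),
    ("Content", [
        Rule("Block file sharing", lambda c: c["app"] == "file-sharing", DROP),
        Rule("Allow rest", lambda c: True),
    ]),
]

if __name__ == "__main__":
    conn = {"src_zone": "InternalZone", "dst_zone": "ExternalZone",
            "service": "https", "app": "file-sharing"}
    print(inspect_connection(POLICY, conn))
```

The second sample connection in the block is accepted by the Network layer and still dropped by the Content layer, which is the behaviour to keep in mind when reading a single layer in isolation.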

Working with Security Zone Objects

A security zone object is a logical object that represents the network behind a specified interface. For example, an InternalZone object represents the internal network IP addresses behind all of the internal gateway interfaces.

You can use security zone objects to create a generic Security Policy and reduce the number of rules necessary in the Rule Base. This Security Policy can be applied to numerous Check Point gateways. Resolution of the Security Zone is done by the actual association on the Check Point appliance gateway object in SmartConsole.

Workflow

  1. Associate a Security Zone object with an interface in the gateway object.

  2. Use the Security Zone object in a rule.

  3. Install policy.

To associate a Security Zone object with an interface in the gateway object:

  1. From the left navigation panel, click Gateways & Servers.

  2. Double-click a Check Point appliance gateway object.

  3. From Topology, select the applicable interface and click Edit.

  4. In the Security Zone field, select one of the predefined Security Zones.

  5. Optional - If you want to create a new Security Zone, click New, enter the details, and click OK.

  6. Click OK to close the Interface Properties window.

  7. Click OK to close the object window.

To create a rule with a Security Zone:

After you associate a security zone object with the applicable interface on the gateway, you can use it in a rule. To create a rule with a security zone, add the security zone object to the Source or Destination cell.

For example, to create a rule that allows internal users access to any external network, create a rule with these fields:

| Policy Field | Value |
|---|---|
| Source | InternalZone |
| Destination | ExternalZone |
| Action | Accept |
| Install On | One of these: Gateway or Cluster object; SmartLSM Security Profile object |

  1. From the left navigation panel, click Security Policies.

  2. In the top section, click Access Control > Policy.

  3. Use the Add Rule buttons to position the rule in the Rule Base.

  4. Click in the Name column of the new rule and enter the applicable text.

  5. In the Source column of the new rule, click the + icon and select InternalZone from the list.

  6. In the Destination column of the new rule, click the + icon and select ExternalZone from the list.

  7. In the Action column of the new rule, select Accept.

  8. In the Install On column of the new rule, click the + icon and select the applicable object.

  9. Publish the SmartConsole session.

Installing a Security Policy

Use this procedure to prepare the policy for automatic installation when the gateway connects.

Note - If the Quantum Spark appliance is physically set up and configured, when you successfully complete this step, the policy is pushed to the gateway. For a list of possible statuses, see Viewing the Policy Installation Status.

At the end of the Install Policy process, the policy status for a Quantum Spark appliance that is not yet set up is "Waiting for first connection". This implies that trusted communication is not yet established between the Security Management Server and the Quantum Spark appliance. When the gateway connects it establishes trust and attempts to install the policy automatically.

To install a Security Policy in SmartProvisioning GUI:

  1. Click Policy > Install from the menu.

    The Install Policy window opens.

  2. Select the installation targets - the Quantum Spark appliance Security Gateways on which to install the policy and the policy components (such as Network Security or QoS).

    By default, all gateways that are managed by the Security Management Server are available for selection.

  3. In the Installation Mode section, select how the Security Policy should be installed:

    • On each selected gateway independently - For an appliance in the Management First deployment mode, only this option should be used.

    • On all selected gateways, if it fails do not install on gateways of the same version

  4. Click OK.

    Important - If the Quantum Spark appliance object that is defined by the appliance is not set up and is in Waiting for first connection status, you see this message: Installation completed successfully. This means that the policy is successfully prepared for installation.

Continue tracking the status of the Security Policy installation with the Policy Installation and the status bar.

Viewing the Policy Installation Status

You can see the installation status of managed gateways with the status bar that shows at the bottom of the SmartConsole window. The status bar shows how many gateways are in Pending or Failed mode.

  • Pending - gateways that are in the waiting for first connection status or are in the pending status (see below for detailed explanations).

  • Failed - gateways that have failed to install the policy.

The status bar is updated dynamically each time a gateway tries to install a policy or tries to connect to the Security Management Server. The results of these actions are also shown in SmartConsole popup notification balloons when such events occur. You can configure these notifications.

To monitor the status of the last policy installed on each gateway, you can use the Policy Installation Status window.

The window has two sections. The top section shows a list of gateways and status details regarding the installed policy. You can use the filter fields to see only policies of interest and hide other details by defining the applicable criteria for each field. After you apply the filtering criteria, only entries that match the selected criteria are shown. If the system logs trusted communication (SIC) attempts from unknown gateways, a yellow status bar opens below the filter fields.

The bottom section shows details of a row you select in the gateway list (errors that occurred, the date the policy was prepared, verification warnings). If there is a yellow status bar, click Show details to show the details of unknown gateways that try to connect to the Security Management Server.

Table: Policy Installation Statuses

| Policy Status | Description |
|---|---|
| Succeeded | Policy installation succeeded. |
| Succeeded | Policy installation succeeded but there are verification warnings. |
| Waiting for first connection | A Quantum Spark appliance object is configured, but the gateway is not connected to the Security Management Server (initial trust is not established). If a policy is prepared, it is pulled when the gateway is connected. If a policy is not prepared, the Policy Type column shows "No Policy Prepared." When the gateway is first connected, only trust is established. |
| Waiting for first connection | Same as above, with warnings that attempts to establish trust failed or there are verification warnings. |
| Pending | The policy remains in the pending status until the gateway successfully connects to the Security Management Server and retrieves the policy. This status is shown only if there was at least one successful policy installation. For example, when the Security Management Server has problems connecting to the Gateway (the Gateway is unavailable for receiving communication, as in behind NAT). |
| Pending | Same as above but there are verification warnings. |
| Warning | Warning |
| Information | Information |
| Failed | Policy not installed due to a verification error. |
| Failed | Policy installation failed. |

You can access the Policy Installation Status window in these ways:

  • From the menu bar - Click Policy > Policy Installation Status.

  • From the toolbar - Click the Policy Installation Status icon.

  • From the status bar - Click Failed or Pending. The contents of the Policy Installation Status window are shown filtered according to the link clicked.

  • From notification balloons - Click See Details in the balloon.

Setting Server IP Address Behind a 3rd Party NAT Device

When you use the Management First deployment scenario, the policy is prepared to be fetched by appliances when they are configured.

During each appliance's first time configuration, the routeable IP address of the Security Management Server is manually configured to create a first connection.

When SIC is established between the appliance and Security Management Server, the policy is fetched for the first time. Then, an automatic mechanism calculates the routeable IP address of the Security Management Server for the periodic policy fetch attempts. However, if the Security Management Server is located behind a 3rd party NAT device, the automatic mechanism fails.

In such cases, you can manually determine the routeable IP address of the Security Management Server, not only for the first connection. You can request that the appliance always attempt a connection with a manually configured IP address. You can configure this from the First Time Configuration Wizard - Security Management Server Connection page (select Always use this IP address and enter the IP address) or from the WebUI Home > Security Management page.