Small-scale Deployment Installation

This chapter contains procedures for defining a gateway on a gateway cluster. Do the procedures that match your requirements, then install the policy.

Small-scale Deployment Workflow

This is the suggested workflow for small-scale deployments:

  1. Create the necessary gateway or cluster objects for your appliances in SmartConsole.

  2. Install the Security Policy in SmartConsole.

  3. Configure the relevant appliances with the First Time Configuration Wizard. Alternatively, you can use a USB drive to quickly configure many appliances without the First Time Configuration Wizard. For more details, see Deploying from a USB Drive.

  4. Manage the appliance settings in SmartProvisioning for the gateway or cluster objects.

Defining a Gateway Object

Options to define a gateway object:

  • Management First - Define the gateway object in SmartConsole before you configure and set up the actual appliance on site. This is commonly used for remotely deployed appliances or appliances that connect to the Security Management Server with a dynamic IP (assigned by a DHCP server or an ISP), as the IP is not known at the time of the configuration of the object in SmartConsole. You can prepare a policy that the appliance pulls when it is configured.

  • Gateway First - Configure and set up the appliance first. It then tries to communicate with the Security Management Server (if this is configured) at 1 hour intervals. If there is connectivity with the gateway during object creation in SmartConsole, the wizard can retrieve data from the gateway (such as topology), and then help in configuration.

To define a single gateway object:

  1. Log in to SmartConsole using your Security Management credentials.

  2. From the Network Objects tree, right click Check Point and select Security Gateway.

    The Check Point Security Gateway Creation window opens.

  3. Select Wizard Mode.

    The wizard opens to General Properties.

  4. Enter a name for the Check Point appliance object and select the hardware type for the hardware platform.

  5. Set the Security Gateway Version to R80.20.

  6. Select Static IP address or Dynamic IP address, according to how the gateway gets its IP address.

  7. Click Next.

To configure a static IP address:

  1. In the Authentication section, select Initiate trusted communication securely by using a one-time password or Initiate trusted communication without authentication (less secure).

  2. If you selected Initiate trusted communication securely by using a one-time password, enter a one-time password and confirm it. This password is only used to establish the initial trust. After it is established, trust is based on security certificates.

    Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.

  3. In the Trusted Communication section, select Initiate trusted communication automatically when the Gateway connects to the Security Management server for the first time or Initiate trusted communication now.

  4. Click Connect.

    A status window appears.

  5. Click Next.

To configure a dynamic IP address:

  1. In the Gateway Identifier section, select one identifier: Gateway name, MAC address or First to connect.

  2. In the Authentication section, select Initiate trusted communication securely by using a one-time password or Initiate trusted communication without authentication (less secure).

  3. If you select Initiate trusted communication securely by using a one-time password, enter a one-time password and confirm it. This password is only used for establishing the initial trust. Once established, trust is based on security certificates.

    Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.

  4. Click Next.

To configure the software blades:

In the Blade Activation page, select the software blades that you want to activate and configure.

To configure blades later:

  1. Select Activate and configure software blades later.

  2. Click Next.

To configure blades now:

  1. Select Activate and configure software blades now.

  2. Select the check boxes next to the blades you want to activate and configure.

  3. Configure the required options:

    • NAT - the Hide internal networks behind the Gateway’s external IP checkbox is selected by default.

    • QoS - Set the inbound and outbound bandwidth rates.

    • IPSec VPN - Make sure that the VPN community has been predefined. If it is a star community, the Check Point appliance is added as a satellite gateway. Select a VPN community that the Gateway participates in from the Participate in a site to site community list.

    • IPS - Select a profile from the Assign IPS Profile list or click Manage to create/edit an IPS profile.

    • User Awareness - Complete the wizard pages that open to define the User Awareness acquisition sources. In the Active Directory Servers page of the wizard, make sure to select only AD servers that your gateway works with.

  4. Click Next.

To hide the VPN domain:

Select Hide VPN domain behind this gateway's external IP.

Select this option only if you want to hide all internal networks behind this gateway’s external IP. All outgoing traffic from networks behind this gateway to other sites that participate in the VPN community is encrypted.

With this option, connections that are initiated from other sites and directed to hosts behind this gateway are not encrypted. If you need access to hosts behind this gateway, either select other options (define the VPN topology), or make sure that all traffic from other sites is directed to this gateway's external IP and define the corresponding NAT port-forwarding rules. For example: translate the destination of incoming HTTP connections that are directed to this gateway's external IP to the IP address of a web server behind this gateway.

To create a new VPN domain group:

  1. Make sure that the Create a new VPN domain option is selected.

  2. In the Name field, enter a name for the group.

  3. From the Available objects list, select the applicable objects and click Add. The objects are added to the VPN domain members list.

To select a predefined VPN domain:

  1. Click Select an existing VPN domain.

  2. From the VPN Domain list, select the domain.

  3. Click Next.

    In the Installation Wizard Completion page, you see a summary of the configuration parameters you set.

  4. If you want to configure more options of the Security Gateway, select Edit Gateway properties for further configuration.

  5. Click Finish.

    The General Properties window of the newly defined object opens.

Defining a Gateway Cluster Object

A Check Point appliance Security Gateway cluster is a group of 2 members. Each represents a separate Check Point appliance which has High Availability software installed. ClusterXL is the Check Point clustering solution. Third party OPSEC Certified clustering products are not supported.

High Availability

High Availability allows organizations to maintain a connection when there is a failure in a cluster member. Only one machine is active (Active/Standby operation) in this configuration. Load sharing is not supported on this appliance.

Prerequisites

During Cluster configuration, only a "Gateway First" installation path is supported. Therefore, you must first configure the gateways with their actual IPs. Only afterward should you create the cluster object in SmartConsole or SmartProvisioning. The policy installation from the Security Management Server alerts the gateways that they are configured as cluster members.

Before you define a Check Point appliance cluster, make sure you defined all of the network interfaces used for each of the Check Point appliance gateways. The interfaces must be defined in the same subnet. To verify definitions, access the WebUI of the appliance.

These actions are only required to work with the Cluster Wizard in SmartConsole:

  • Make sure a cable is connected between the two LAN2/SYNC ports of both appliances. You do not need to assign them IPs as those are created automatically later. If you do assign them, make sure the LAN2/SYNC interfaces use the same subnet.

    You can use a different SYNC interface other than LAN2. For more information, see sk52500 (you can use the Cluster Wizard in SmartConsole but you need to make further adjustments to the cluster object before policy installation).

  • The Cluster Wizard assumes that the WAN interface is part of the cluster. Make sure the WAN interfaces in each of the gateways are configured with a static IP of a matching subnet.

  • When you configure the appliances that are used in the cluster, make sure to set both of the appliances with the same one-time password you used to authenticate and establish trusted communication. Without this, you cannot use the Cluster Wizard in SmartConsole and you need to create the cluster object in Classic Mode.

    Trusted communication without authentication is not supported on Check Point appliance cluster members.

Creating a Cluster for New Gateways

To create a cluster for new gateways:

  • Set up and configure the Check Point appliance gateways.

  • Create and configure the cluster object in SmartConsole that represents the gateways.

Configuring the Check Point Appliance Gateways

See your Check Point appliance Getting Started Guide for full instructions to set up and connect the Check Point appliance.

This is the general workflow:

  1. Connect your computer to the Check Point appliance on its LAN1 interface.

  2. Configure your computer to get an IP address automatically.

  3. Open your Web browser, and connect to: https://my.firewall

    When you configure two Check Point appliance gateways from your web browser, connect only one to a power source. Follow the instructions below to configure it and then disconnect it from the power source. Then do the same for the second appliance and reboot it at the end.

    If you do not follow these instructions, you cannot use the https://my.firewall URL correctly and you need to connect with the gateway's actual IP address. (Before you configure the appliance, that IP address is initially 192.168.1.1 on LAN1.)

    After you configure and connect both appliances to a power source, install a policy and renew the dynamic IP of the computer. You can then use http://my.firewall to access the active member of the cluster.

  4. Follow the steps to configure the Check Point appliance with the First Time Configuration Wizard.

  5. On the appliance's local network, configure the cluster SYNC interface on the same subnet as the SYNC interface of the second cluster member (use a cross Ethernet cable for SYNC interface connection).

    When you use the SmartConsole cluster wizard, the LAN2 interface is the SYNC interface between cluster members. You do not have to configure an IP on LAN2 at any stage of the gateway side configuration. If you do not configure them, LAN2 SYNC interfaces are automatically set to 10.231.149.1 and 10.231.149.2. To set a different SYNC interface (not LAN2), see sk52500.

    Remember the one-time password. You need it to configure the cluster in SmartConsole. It must be the same on both cluster members.

    IP addresses must be configured on both cluster members before you open SmartConsole and run the Cluster configuration wizard. To configure IPs in interfaces other than WAN and LAN1, do so in each gateway’s WebUI application with the Internet or Local Network pages. Make sure that for each interface that is part of the cluster, you configure an IP in the same subnet as the second cluster member.

Configuring the Cluster Object in SmartConsole

To create a cluster for two new Check Point appliance gateways:

  1. Log in to SmartConsole with your Security Management credentials.

  2. From the new SmartConsole menu > New, right click Check Point and select Security Cluster > Small Office Appliance.

    The Check Point Security Gateway Cluster Creation dialog box opens.

  3. Select Wizard Mode.

    The wizard opens to General Properties.

  4. Enter a name for the Check Point appliance cluster.

  5. Click Next.

    The wizard opens to Cluster Members.

  6. In the First Member and Second Member sections, enter a Member name and Member IP address.

    If you want to check the communication and connectivity, clear the Define the second cluster member now check box. This allows you to complete the wizard definitions for the first member only.

  7. Enter and confirm the One-time password to establish initial trust.

    When trust is established, it is based on security certificates. This password must be identical to the same one-time password defined for both members in their appliances' First Time Configuration Wizard or WebUI.

  8. Click Next.

    The wizard opens to Cluster Interface Configuration.

    When you configure the WAN interface, you cannot disable High Availability. (For other configurations, edit the Cluster object later).

    If the WAN interface was not defined, edit the Cluster object in SmartConsole with the wizard and select a correct main IP for the cluster object. (This IP is used, for example, in VPN as one of the Link selection options).

  9. Enter a virtual IP Address and Net Mask for the cluster. The virtual IP is applied in the next policy installation.

  10. Click Next.

  11. To enable High Availability on the interface, select the Enable High Availability on <name> interface checkbox. <name> shows the network interface defined in the Check Point appliance.

  12. When High Availability is selected, enter a virtual IP Address and Net Mask for the cluster. The virtual IP is applied in the next policy installation.

  13. Click Next.

  14. Repeat steps 11 - 13 for each defined interface.

  15. Click Finish or select Edit Cluster in Advanced mode to further configure the cluster.

Cluster Interface Configuration

In the Cluster Interface Configuration window, you define whether a network interface on the Check Point appliance is part of the security gateway cluster. This window is shown once for each network interface that was configured in the Check Point appliance. The total number of interfaces configured for the gateway shows in the window title. For example, if 3 interfaces are configured for the gateway, a total of 3 windows require configuration. The first window displays (1 of 3 interfaces). The name of the interface you are currently configuring shows in the Interface column.

Each network interface (on both members) has a unique IP address. If High Availability is enabled on the interface, then the cluster requires an additional unique virtual IP address. This IP address is visible to the network and ensures that failover events are transparent to all hosts in the network.

When High Availability is not enabled, the interface is considered not-monitored private (it is not cluster related).

You can configure High Availability for all network interfaces except for the WAN interface. By default, the WAN interface is always part of the cluster. If you do not want the WAN interface to be part of the cluster, double-click on the Check Point appliance security gateway cluster object, and select Topology node > Edit Topology.

If the WAN interface was not defined, edit the Cluster object in SmartConsole with the wizard and select a correct main IP for the cluster object. (This IP is used, for example, in VPN as one of the Link selection options).

The breadcrumb image at the top of the window shows you the interface you are currently configuring. You do not configure the LAN2 interface as it is automatically configured by the wizard and is used only for the SYNC interface. Make sure a cable is connected between the two LAN2/SYNC ports of both appliances.

Note - SYNC interface is only supported with IPv4 addresses.

The image at the bottom of the page shows if the interface is set for High Availability. When you configure High Availability, the physical IPs of both members meet at a point indicated by the cluster's virtual IP address.

To configure more advanced options for interfaces:

  1. Click Edit Cluster in Advanced mode at the end of the wizard.

  2. Edit the topology of the cluster and make the necessary changes.

    Note - Cluster in bridge in Active/Standby mode is supported in 1400 appliances.

Converting an Existing Check Point Appliance to a Cluster

Do these procedures to convert an existing Check Point Appliance to a cluster.

Note - The procedures require some downtime.

Terms used:

  • GW - The existing Check Point Appliance gateway object that has already established trust and has an installed policy.

  • Cluster - The new Check Point Appliance cluster object that you create.

  • GW_2 - The new cluster member object that joins the existing gateway.

To configure the new appliance GW_2 with the First Time Configuration Wizard:

  1. Make sure to configure the actual IP addresses and not the virtual IP addresses that are used by the existing gateway GW.

  2. Clear the Enable switch on LAN ports checkbox.

    If you do not do this, the default switch configuration is automatically removed during the cluster's first policy installation, as it is not supported in a cluster configuration.

    Note - It is more secure to remove the switch configuration before initial policy installation.

  3. Configure the LAN2 port (used for cluster synchronization) with an IP address that is in the same network as the other cluster member. It is recommended to assign a static IP address for the sync interface.

  4. Do not fetch the policy from the Security Management Server.

To create and configure the cluster in SmartConsole:

  1. Use the wizard to create a new Check Point appliance cluster.

  2. Define the IP address as the IP used by the existing gateway GW.

  3. Define the first member with GW_2's IP address.

    Important - Do not define the second member using the wizard.

  4. Establish trusted communication.

  5. Define all the IP addresses of the clustered interfaces. Use the existing gateway GW IP address as the virtual IP of the cluster.

  6. At the end of the wizard, select the Edit the cluster in Advanced Mode checkbox.

  7. In Advanced Mode, enter all the relevant configuration settings from the GW to the cluster object.

To reconfigure the existing Check Point appliance:

  1. In the WebUI, go to the GW and connect to it.

  2. Reconfigure the IP addresses of the clustered interfaces with the actual IP addresses that are used by the gateway as a member of the cluster.

    Important - Downtime starts.

To configure the cluster in SmartConsole:

  1. Change the main IP and the IPs that appear in the topology table of the GW object.

  2. Install policy on Cluster.

    Important - Downtime ends. At this point, the cluster contains only one member, GW_2.

  3. Go to Cluster Members > Add > Add existing gateway and edit the Cluster object.

  4. If GW does not show in the list, press Help and make sure GW does not match any of the categories that prevent it from being added to a cluster.

    Note - Use the information on this Help page to determine if there are any configuration settings you want to copy to the new Cluster object.

  5. Under the new GW object, click Topology > Get Topology to edit the topology of the Cluster object.

  6. Install policy on Cluster.

Viewing Cluster Status in the WebUI

After you complete policy installation on the Check Point appliance gateway and the gateway works as a cluster member, you can view cluster status in the WebUI application (Device > High Availability).

Creating the Security Policy

R80.20.00 and higher versions support ordered layers and inline layers for a policy, which is a set of rules that the gateway enforces on incoming and outgoing traffic. You can build a Rule Base with layers, each layer with its own set of security rules. Layers are inspected in the order in which they are defined, which gives control over the Rule Base flow and the precedence of security functionality. If an "Accept" action is done in a layer, inspection continues in the next layer.

Sub-policies are sets of rules that you attach to specific rules. If the rule is matched, inspection continues in the sub-policy attached to the rule. If the rule is not matched, the sub-policy is skipped. For example, a sub-policy can manage a network segment or branch office.

Policy layers and sub-policies can be managed by specific administrators, according to their permission profiles.

Working with Security Zone Objects

A security zone object is a logical object that represents the network behind a specified interface. For example, an InternalZone object represents the internal network IPs behind all of the internal gateway interfaces.

You can use security zone objects to create a generic Security Policy and reduce the amount of rules necessary in the Rule Base. This Security Policy can be applied to numerous Check Point gateways. Resolution of the security zone is done by the actual association on the Check Point appliance gateway object in SmartConsole.

Workflow

  1. Associate a security zone object with an interface on the gateway object.

  2. Use the security zone object in a rule.

  3. Install policy.

To associate a security zone object with an interface on the gateway object:

  1. In SmartConsole, from the Network Objects tree, double-click a Check Point appliance gateway object.

  2. From Topology, select the applicable interface and click Edit.

    The Interface Properties window opens.

  3. Select one of the predefined Security Zone options.

  4. Optional - If you want to create a new zone, click New, enter the details and click OK.

  5. Click OK.

    The Check Point Appliance Gateway General Properties is shown.

  6. Click OK.

To create a rule with a security zone:

After you associated a security zone object to the applicable interface on the gateway, you can use it in a rule. To create a rule with a security zone, just add the security zone object to the Source or Destination cell.

For example, to create a rule that allows internal users access to any external network, create a rule with these fields:

  Policy Field    Value
  Source          InternalZone
  Destination     ExternalZone
  Action          accept
  Install On      gateway object or SmartLSM profile

  1. Open the Firewall > Policy page.

  2. Use the Add Rule buttons to position the rule in the Rule Base.

  3. Enter a Name for the rule.

  4. In the Source field, right-click the + icon, click Network Objects, select InternalZone from the list, and click OK.

  5. In the Destination field, right-click the + icon, click Network Objects, select ExternalZone from the list, and click OK.

  6. In the Action field, select accept.

  7. Right-click the Install On field, select Add > Targets, and select the gateway object or SmartLSM profile.
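The layer and sub-policy semantics described under Creating the Security Policy, and the InternalZone to ExternalZone rule built in the procedure above, as an added model written for this page (not Check Point code). It assumes a constructed interface-to-zone association, that a layer whose rules all fail to match applies that layer's cleanup action (default drop), and that an inline layer (sub-policy) that matches nothing applies the same cleanup action.

```python
"""Ordered-layer / inline-layer evaluation model (added example, not Check Point code).

Assumptions, labelled here and in the comments below:
  - a zone is resolved through the interface the traffic enters or leaves on;
  - a layer with no matching rule applies its cleanup action (default "drop");
  - an inline layer with no matching rule applies the same cleanup action.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed zone association, standing in for the Topology > Security Zone
# setting on the gateway object.
INTERFACE_ZONES: Dict[str, str] = {
    "LAN1": "InternalZone",
    "LAN3": "InternalZone",
    "WAN": "ExternalZone",
}


@dataclass
class Packet:
    in_iface: str   # interface the connection arrives on
    out_iface: str  # interface the connection leaves on
    dst_port: int


@dataclass
class Rule:
    name: str
    source: str = "Any"             # zone name or "Any"
    destination: str = "Any"        # zone name or "Any"
    service: Optional[int] = None   # destination port, None means Any
    action: str = "accept"          # "accept", "drop" or "inline"
    sub_policy: List["Rule"] = field(default_factory=list)


def _zone_match(wanted: str, iface: str) -> bool:
    return wanted == "Any" or INTERFACE_ZONES.get(iface) == wanted


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_zone_match(rule.source, pkt.in_iface)
            and _zone_match(rule.destination, pkt.out_iface)
            and (rule.service is None or rule.service == pkt.dst_port))


def evaluate_layer(rules: List[Rule], pkt: Packet, cleanup: str = "drop") -> str:
    """First matching rule decides. A matched "inline" rule hands the packet
    to its sub-policy; an unmatched rule's sub-policy is skipped entirely."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "inline":
            # Assumption: the sub-policy inherits the cleanup action.
            return evaluate_layer(rule.sub_policy, pkt, cleanup)
        return rule.action
    return cleanup  # assumption: no match means the layer's cleanup action


def evaluate_policy(layers: List[List[Rule]], pkt: Packet) -> str:
    """Ordered layers: an accept in one layer continues to the next layer,
    so the packet is accepted only if every layer accepts it."""
    for layer in layers:
        if evaluate_layer(layer, pkt) != "accept":
            return "drop"
    return "accept"


# Constructed policy. Layer 1 holds the zone rule from the table above plus an
# internal-to-internal rule; layer 2 restricts external traffic through an
# inline layer that only allows port 443.
NETWORK_LAYER = [
    Rule("Internal to external", "InternalZone", "ExternalZone"),
    Rule("Internal to internal", "InternalZone", "InternalZone"),
]
WEB_LAYER = [
    Rule("External web sub-policy", destination="ExternalZone", action="inline",
         sub_policy=[Rule("Allow HTTPS", service=443, action="accept")]),
    Rule("Internal traffic", source="InternalZone", action="accept"),
]
POLICY = [NETWORK_LAYER, WEB_LAYER]


def decide(in_iface: str, out_iface: str, dst_port: int) -> str:
    return evaluate_policy(POLICY, Packet(in_iface, out_iface, dst_port))


if __name__ == "__main__":
    print(decide("LAN1", "WAN", 443))   # accept: both layers accept
    print(decide("LAN1", "WAN", 80))    # drop: sub-policy has no match
    print(decide("WAN", "LAN1", 443))   # drop: layer 1 cleanup
    print(decide("LAN1", "LAN3", 80))   # accept: inline rule skipped
```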

Installing a Security Policy

Use this procedure to prepare the policy for automatic installation when the gateway connects.

Note - If the Check Point appliance is physically set up and configured, when you successfully complete this step, the policy is pushed to the gateway. For a list of possible statuses, see Viewing the Policy Installation Status.

At the end of the Install Policy process, the policy status for a Check Point appliance that is not yet set up is "waiting for first connection." This implies that trusted communication is not yet established between the Security Management Server and the Check Point appliance. When the gateway connects it establishes trust and attempts to install the policy automatically.

To install a security policy:

  1. Click Policy > Install from the menu.

    The Install Policy window opens.

  2. Select the installation targets - the Check Point appliance Security Gateways on which to install the policy and the policy components (such as Network Security or QoS).

    By default, all gateways that are managed by the Security Management Server are available for selection.

  3. In the Installation Mode section, select how the Security Policy should be installed:

    • On each selected gateway independently - For an appliance in the Management First deployment mode, only this option should be used.

    • On all selected gateways, if it fails do not install on gateways of the same version

  4. Click OK.

    Important - If the Check Point appliance object is defined but the appliance is not yet set up and is in the "Waiting for first connection" status, you see a message that says "Installation completed successfully". This means that the policy is successfully prepared for installation.

Continue tracking the status of the Security Policy installation with the Policy Installation Status window and the status bar.

Viewing the Policy Installation Status

You can see the installation status of managed gateways with the status bar that shows at the bottom of the SmartConsole window. The status bar shows how many gateways are in Pending or Failed mode.

  • Pending - gateways that are in the waiting for first connection status or are in the pending status (see below for detailed explanations).

  • Failed - gateways that have failed to install the policy.

The status bar is updated dynamically each time a gateway tries to install a policy or tries to connect to the Security Management Server. The results of these actions are also shown in SmartConsole popup notification balloons when such events occur. You can configure these notifications.

To monitor the status of the last policy installed on each gateway, you can use the Policy Installation Status window.

The window has two sections. The top section shows a list of gateways and status details regarding the installed policy. You can use the filter fields to see only policies of interest and hide other details by defining the applicable criteria for each field. After you apply the filtering criteria, only entries that match the selected criteria are shown. If the system logs trusted communication (SIC) attempts from unknown gateways, a yellow status bar opens below the filter fields.

The bottom section shows details of a row you select in the gateway list (errors that occurred, the date the policy was prepared, verification warnings). If there is a yellow status bar, click Show details to show the details of unknown gateways that try to connect to the Security Management Server.

These are the different statuses in this window:

  • Succeeded - Policy installation succeeded.

  • Succeeded - Policy installation succeeded but there are verification warnings.

  • Waiting for first connection - A Check Point appliance object is configured, but the gateway is not connected to the Security Management Server (initial trust is not established).

    • If a policy is prepared, it is pulled when the gateway is connected.
    • If a policy is not prepared, the Policy Type column shows "No Policy Prepared." When the gateway is first connected, only trust is established.

  • Waiting for first connection - Same as above, with warnings that attempts to establish trust failed or there are verification warnings.

  • Pending - The policy remains in the pending status until the gateway successfully connects to the Security Management Server and retrieves the policy. This status is shown only if there was at least one successful policy installation. For example, when the Security Management Server has problems connecting to the Gateway (the Gateway is unavailable for receiving communication, as in behind NAT).

  • Pending - Same as above but there are verification warnings.

  • Warning - Warning

  • Information - Information

  • Failed - Policy not installed due to a verification error.

  • Failed - Policy installation failed.

You can access the Policy Installation Status window in these ways:

  • From the menu bar - Click Policy > Policy Installation Status.

  • From the toolbar - Click the Policy Installation Status icon.

  • From the status bar - Click Failed or Pending. The contents of the Policy Installation Status window are shown filtered according to the link clicked.

  • From notification balloons - Click See Details in the balloon.

Setting Server IP Behind a 3rd Party NAT Device

When you use the Management First deployment scenario, the policy is prepared to be fetched by appliances when they are configured.

During each appliance’s first time configuration, the routable IP address of the Security Management Server is manually configured to create a first connection.

When SIC is established between the appliance and the Security Management Server, the policy is fetched for the first time. Then, an automatic mechanism calculates the routable IP address of the Security Management Server for the periodic policy fetch attempts. However, if the Security Management Server is located behind a 3rd party NAT device, the automatic mechanism fails.

In such cases, you can manually determine the routable IP address of the Security Management Server, not only for the first connection. You can request that the appliance always attempt a connection with a manually configured IP address. You can configure this from the First Time Configuration Wizard - Security Management Server Connection page (select Always use this IP address and enter the IP address) or from the WebUI Home > Security Management page.