Large-Scale Deployment Installation

Supported Security Management Versions

Large-scale deployment is supported in all centrally managed appliances.

Make sure your version supports LSM.

See the Release Notes for your version of the Security Management Server.

Large-scale Deployment Workflow

When you define a SmartLSM profile for a gateway or cluster in SmartConsole, you can use SmartProvisioning to provision multiple gateways.

Workflow for large-scale deployments:

  1. Create the necessary SmartLSM Security Profiles for your deployment groups (gateways or clusters of gateways) in SmartConsole.

  2. Install the Security Policy in SmartConsole on these SmartLSM Security Profiles.

  3. Create the actual cluster or gateway objects in SmartProvisioning based on the SmartLSM Security Profiles defined in SmartConsole. For more details, see SmartProvisioning.

  4. Configure the relevant appliances with the First Time Configuration Wizard.

    Or

    Use a USB drive to quickly configure multiple appliances without the First Time Configuration Wizard. For more details, see Deploying from a USB Drive or SD Card.

  5. Manage the appliance settings in SmartProvisioning.

Defining a SmartLSM Gateway Profile for a Large-scale Deployment

SmartLSM lets you manage a large number of Quantum Spark appliance gateways from one Security Management Server. When you use a SmartLSM profile, you reduce the administrative overhead because you define the gateway properties and policy per profile. The SmartLSM profile is a logical object that contains the firewall and policy components.

Use SmartConsole to define a single SmartLSM Security Profile for the Quantum Spark appliance.

To define a single SmartLSM profile for the Quantum Spark appliance:

  1. Connect with SmartConsole to the Management Server.

  2. From the Objects menu, click More object types > LSM Profile > New Small Office Appliance Gateway.

    The SmartLSM Security Profile window opens.

  3. Define the SmartLSM Security Profile through the navigation tree in this window.

    To open the online help for each window, click Help.

  4. Click OK.

  5. Install the applicable Security Policy on the Gateway SmartLSM profile.

  6. Click Menu > SmartProvisioning. Continue the configuration in the SmartProvisioning GUI.

Defining a SmartLSM Appliance Cluster Profile

The SmartLSM Appliance Cluster Profile is a logical object like the SmartLSM Appliance Gateway profile. It contains the firewall and policy components but also requires logical topology configuration.

The topology table in the SmartLSM Cluster Profile is a template for all SmartLSM clusters that are created with this profile. The SmartLSM Cluster Profile automatically assigns the configuration settings and security policies to the SmartLSM cluster.

The SmartLSM Cluster Profile and its topology are configured in SmartConsole. Then the SmartProvisioning GUI is used to connect and manage the appliances by the Security Management Server.

Before you do the procedure:

  • Prepare two appliances.

  • Configure matching internal interfaces with IP addresses in the same subnet. For example, if you use LAN1 on one of the appliances, you must use LAN1 on the second appliance.

  • Prepare the WAN interfaces on the same subnet.

  • Select a random IP address from the address pool of the WAN and Internal networks to use as the Cluster Virtual IP.

To create a SmartLSM Cluster profile:

  1. Connect with SmartConsole to the Management Server.

  2. From the Objects menu, click More object types > LSM Profile > New Small Office Appliance Cluster.

    The SmartLSM Security Profile window opens.

  3. In General Properties, enter a Name for the profile (for example, ClusterProfile1).

  4. Select the Cluster Members tab and click Add to add the two Cluster Members to the profile.

  5. Select the Topology tab and click Edit to insert a template topology.

    For each SmartLSM cluster, you must define at least 3 networks:

    • External: one interface for each Cluster Member and shared virtual IP address

    • Internal: one interface for each Cluster Member and shared virtual IP address

    • Internal - Sync: one interface for each Cluster Member

      The network addresses (for example, 1.1.1.194) for each interface are not the actual addresses for your SmartLSM Cluster environment. Those are used for the template. The actual network addresses are modified in the next configuration step in the SmartProvisioning application.

      Important - The host octet for each member's interface address such as "59" for Member1 - WAN (for example, 1.1.1.59) must be its real host address and cannot be modified. Make sure to configure it correctly.

      The host octet for the Virtual IP addresses can be modified later.

  6. For each Virtual IP interface, double-click the text field to enter the interface name, Security Zone, network type, IP address, and Net Mask.

  7. For the Internal and Sync interfaces, select Network defined by the interface IP and Net Mask. Set Anti-Spoofing for each interface in the Anti-Spoofing tab. Keep the default settings in the Member Network tab.

  8. For each cluster member, double-click the Topology text field to enter the interface name, IP address, and Net Mask. For VLANs, make sure the member names use the actual physical interface names on the machines. Note that these are the same names that are shown in the appliance's WebUI, but replace the colon character ":" with a period character "."

    For example, if the WebUI shows LAN1:10, enter here LAN1.10

  9. Click Save and install policy on the Cluster Profile.

  10. Install the applicable Security Policy on the Cluster SmartLSM profile.

  11. Click Menu > SmartProvisioning. Continue the configuration in the SmartProvisioning GUI.
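
A pre-flight check for a planned cluster topology, added here as an example and not part of the Check Point documentation or tooling. It checks the rules stated in this section (three networks, matching member interfaces on one subnet, virtual IP in that subnet, VLAN names written with a period) before the values are entered in SmartConsole. The plan structure, the function names, the LAN2 sync interface and the sample addresses are constructed assumptions.

```python
import ipaddress

REQUIRED = {"External", "Internal", "Internal - Sync"}  # networks every profile needs

def webui_to_profile_name(name):
    """WebUI shows VLANs as LAN1:10; the profile topology expects LAN1.10."""
    return name.replace(":", ".")

def check_cluster_plan(plan):
    """Return a list of problems in a planned two-member cluster topology."""
    problems = []
    missing = REQUIRED - {net["type"] for net in plan}
    if missing:
        problems.append(f"missing network types: {sorted(missing)}")
    for net in plan:
        label, (m1, m2) = net["type"], net["members"]
        for m in (m1, m2):
            if ":" in m["ifname"]:
                fixed = webui_to_profile_name(m["ifname"])
                problems.append(f"{label}: enter {fixed}, not {m['ifname']}")
        if m1["ifname"] != m2["ifname"]:
            problems.append(f"{label}: members use different interfaces")
        # Subnet is derived from Member1's address and the net mask.
        subnet = ipaddress.ip_interface(f"{m1['ip']}/{net['mask']}").network
        addrs = [m1["ip"], m2["ip"]] + ([net["vip"]] if net.get("vip") else [])
        for a in addrs:
            if ipaddress.ip_address(a) not in subnet:
                problems.append(f"{label}: {a} is outside {subnet}")
        if len(set(addrs)) != len(addrs):
            problems.append(f"{label}: duplicate address")
        # External and Internal need a shared virtual IP; Sync does not.
        if label != "Internal - Sync" and not net.get("vip"):
            problems.append(f"{label}: shared virtual IP missing")
    return problems

# Constructed sample plan (documentation address ranges, not real deployment values).
SAMPLE_PLAN = [
    {"type": "External", "mask": "255.255.255.0", "vip": "192.0.2.1",
     "members": [{"ifname": "WAN", "ip": "192.0.2.59"},
                 {"ifname": "WAN", "ip": "192.0.2.60"}]},
    {"type": "Internal", "mask": "255.255.255.0", "vip": "198.51.100.1",
     "members": [{"ifname": "LAN1", "ip": "198.51.100.2"},
                 {"ifname": "LAN1", "ip": "198.51.100.3"}]},
    {"type": "Internal - Sync", "mask": "255.255.255.0", "vip": None,
     "members": [{"ifname": "LAN2", "ip": "203.0.113.1"},
                 {"ifname": "LAN2", "ip": "203.0.113.2"}]},
]

if __name__ == "__main__":
    print(check_cluster_plan(SAMPLE_PLAN) or "plan is consistent")
```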

Deploying with SmartProvisioning

You can use SmartProvisioning to manage Quantum Spark appliance gateways with the SmartLSM profiles defined in SmartConsole. Configure these appliances using the First Time Configuration Wizard or a USB drive configuration file before you manage them with SmartProvisioning.

For more information about large-scale deployment using SmartProvisioning, see the SmartProvisioning Administration Guide for your Management Server version.