Managing Device Settings

You can manage device settings directly on individual gateways or you can use a SmartProvisioning Profile to manage multiple gateways. For more information about provisioning profiles and creating them, see the SmartProvisioning Administration Guide for your Management Server version.

These device settings are unique to the Check Point appliance. They can be defined directly on the device or through the profile. Their tabs are:

Configuring Firmware

This section explains how to configure firmware installation settings for the provisioning profile for the Check Point appliance. When you configure firmware settings in a Provisioning Profile, you give the configuration for all appliances that reference this profile.

Firmware configuration lets you replace the firmware on the Security Gateway. The Security Gateway version must match its SmartLSM profile's version as defined in SmartConsole for correct policy behavior. As a result, after firmware upgrade, the SmartLSM profile is replaced with the default SmartLSM security profile.

In some instances, it may be necessary to define exceptions for the default SmartLSM security profile. For example, if you do not want all gateways to use the specified default SmartLSM profile after installation, you can customize different security profiles to replace known security profiles.

Example scenario:

  • The default SmartLSM profile after installation is configured to use a SmartLSM profile called "NewLSM".

  • After firmware installation, you want the "NewLSM" profile installed on all Security Gateways except for gateways that currently use the "GroupA_LSM" profile.

  • You want to replace the "GroupA_LSM" profile with a profile called "GroupA_NewLSM".

In this scenario, you add an exception that replaces the "GroupA_LSM" profile with the "GroupA_NewLSM" profile.

You can install the firmware with one of these options:

  • Immediately - Installs the firmware in two steps:

    • Downloads the firmware immediately during the next synchronization with a Security Gateway that references this profile.

    • Installs the firmware when the download completes.

  • According to time ranges - You can define download and installation time ranges for the firmware image. The download and installation time can be limited to a specified list of time ranges in the week. They start at the nearest time range after firmware settings were applied. You can also define that the download takes place immediately as above and only installation is based on specified time ranges. For example, if the firmware installation settings were applied on Sunday and there are two time ranges:

    • One range is set to Friday 00:00 to Saturday 00:00

    • One range is set to Wednesday 23:00 to Thursday 06:00

      The firmware is installed between Wednesday 23:00 and Thursday 06:00.

      If the Security Gateway does not succeed in downloading and/or installing the firmware during the nearest time range, it tries again in the next time range.
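
The time-range rule above, worked through in Python as an added example (not Check Point code): it picks the nearest weekly range after the apply time and lists the ranges a retry would fall into. The function names, the sample date, and the handling of an apply time that falls inside a range are assumptions; times are naive and stand for whichever clock the profile uses.

```python
from datetime import datetime, timedelta

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
WEEK = 7 * 24 * 60  # minutes in one week

def week_minute(day, hhmm):
    """Minutes since Monday 00:00 for a weekday name and an 'HH:MM' string."""
    hours, minutes = map(int, hhmm.split(":"))
    return DAYS.index(day) * 1440 + hours * 60 + minutes

def next_window(applied, ranges):
    """Return (start, end) of the nearest weekly range at or after `applied`."""
    # Assumption: an apply time inside a range uses the remainder of that range.
    applied = applied.replace(second=0, microsecond=0)
    now = applied.weekday() * 1440 + applied.hour * 60 + applied.minute
    best = None
    for (start_day, start_time), (end_day, end_time) in ranges:
        start = week_minute(start_day, start_time)
        length = (week_minute(end_day, end_time) - start) % WEEK  # may wrap the week
        if length == 0:
            raise ValueError("zero-length time range")
        elapsed = (now - start) % WEEK  # minutes since this range last opened
        if elapsed < length:            # currently inside the range
            wait, remaining = 0, length - elapsed
        else:                           # wait until it opens again
            wait, remaining = WEEK - elapsed, length
        if best is None or wait < best[0]:
            best = (wait, remaining)
    if best is None:
        raise ValueError("no time ranges defined")
    start = applied + timedelta(minutes=best[0])
    return start, start + timedelta(minutes=best[1])

def upcoming_windows(applied, ranges, count):
    """First `count` windows in order of occurrence."""
    windows, cursor = [], applied
    for _ in range(count):
        window = next_window(cursor, ranges)
        windows.append(window)
        cursor = window[1]  # a failed attempt retries in the following range
    return windows

# Constructed input: the two ranges from the example above, applied on a Sunday.
PAGE_RANGES = [(("Friday", "00:00"), ("Saturday", "00:00")),
               (("Wednesday", "23:00"), ("Thursday", "06:00"))]
APPLIED = datetime(2024, 1, 7, 10, 0)  # an arbitrary Sunday

if __name__ == "__main__":
    print(upcoming_windows(APPLIED, PAGE_RANGES, 3))
```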

To configure firmware installation settings in a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the Firmware tab.

  2. Select Manage firmware centrally from this application.

  3. Click Advanced.

    The Profile Settings window is displayed.

  4. Select an override profile setting:

    • Allowed

    • Denied

    • Mandatory

      For more information about override profile settings, see Configuring RADIUS below.

  5. In Firmware image, click Select to select a firmware image that was uploaded through SmartUpdate.

  6. In Default SmartLSM Profile after installation, select the new SmartLSM profile of the Security Gateway (the Security Gateway version must match its SmartLSM profile's version as defined in SmartConsole for correct policy behavior). The Security Gateway replaces its SmartLSM profile after successful firmware installation and only if the new firmware version is different from the version you have now.

  7. If necessary, click Exceptions to select a new SmartLSM profile for Security Gateways with a specified SmartLSM profile.

    • Add/Edit - Click Add or Edit to open the Exceptions window to define/change an exception for a SmartLSM profile replacement. SmartLSM profiles are not shown unless they are from a version higher than R71.

      • Current SmartLSM Profile - Select a SmartLSM profile from the list. A SmartLSM profile is shown only if the version is not R71 and not the selected firmware version. Make sure you installed a policy for the SmartLSM profile in SmartConsole.

      • SmartLSM Profile after installation - Select a SmartLSM profile that replaces the SmartLSM profile after the firmware image installation. A SmartLSM profile is shown only if the version is the same as the selected firmware version. Make sure you installed a policy for the SmartLSM profile in SmartConsole.

    • Remove - Click to remove a SmartLSM profile exception setting.

  8. Select an option to install the firmware:

    • Immediately - Downloads the firmware immediately but installs it in the next synchronization with a Security Gateway that references this profile.

    • According to these time ranges - Select to use the Security Gateway time or local time.

      • Add/Edit - Click Add or Edit to open the Time Range window to define/change the weekdays and times for downloading and installing the firmware image. Select the days and times and click OK.

      • Remove - Select a range from the list and click Remove to delete a time range.

      • Download image immediately - Click this option to download the firmware image immediately but install the image during one of the set time ranges.

  9. Click Show profile settings to see the settings of the Provisioning Profile that this gateway references.

  10. Click OK.
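
A pre-change check for the SmartLSM replacement plan, as an added example (not Check Point code): it applies the version rules from steps 6 and 7 to the "NewLSM" / "GroupA_LSM" scenario and reports which profile each gateway would hold after installation. The data layout, function names, the "BranchLSM" profile, the gateway names and the FW_OLD / FW_NEW version labels are constructed placeholders.

```python
LEGACY = "R71"  # the only version named in the procedure


def validate_plan(profiles, firmware, default_after, exceptions):
    """Check a replacement plan against the version rules; return the problems."""
    problems = []
    if profiles.get(default_after) != firmware:
        problems.append(f"default '{default_after}' does not match firmware {firmware}")
    for current, after in exceptions.items():
        current_version = profiles.get(current)
        # A source profile must exist and be neither R71 nor the new firmware version.
        if current_version is None or current_version in (LEGACY, firmware):
            problems.append(f"exception source '{current}' is not selectable")
        # A target profile must be of the selected firmware version.
        if profiles.get(after) != firmware:
            problems.append(f"exception target '{after}' does not match firmware {firmware}")
    return problems


def profile_after_install(gateway, firmware, default_after, exceptions):
    """SmartLSM profile a gateway holds after a successful installation."""
    if gateway["version"] == firmware:
        return gateway["profile"]  # same version: the profile is not replaced
    return exceptions.get(gateway["profile"], default_after)


def plan(gateways, firmware, default_after, exceptions):
    """Map each gateway name to its post-installation SmartLSM profile."""
    return {g["name"]: profile_after_install(g, firmware, default_after, exceptions)
            for g in gateways}


# Constructed inventory: profile name -> version label, and three gateways.
PROFILES = {"NewLSM": "FW_NEW", "GroupA_NewLSM": "FW_NEW",
            "GroupA_LSM": "FW_OLD", "BranchLSM": "FW_OLD"}
GATEWAYS = [{"name": "gw-a1", "version": "FW_OLD", "profile": "GroupA_LSM"},
            {"name": "gw-b1", "version": "FW_OLD", "profile": "BranchLSM"},
            {"name": "gw-c1", "version": "FW_NEW", "profile": "NewLSM"}]
EXCEPTIONS = {"GroupA_LSM": "GroupA_NewLSM"}

if __name__ == "__main__":
    print(validate_plan(PROFILES, "FW_NEW", "NewLSM", EXCEPTIONS))
    print(plan(GATEWAYS, "FW_NEW", "NewLSM", EXCEPTIONS))
```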

Configuring RADIUS

You can configure the RADIUS server (Remote Authentication Dial In User Service) that provides authentication, authorization, and accounting for the Check Point appliance gateways. When you configure RADIUS in the Provisioning Profile, you can configure it for all gateways that reference this profile. The RADIUS server must already be defined as a SmartConsole object.

You can configure your appliance to contact more than one RADIUS server. If the first server in the list is unreachable, the next RADIUS server in the list is contacted for authentication.

To configure RADIUS settings in a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the RADIUS tab.

    1. Select Manage RADIUS settings centrally from this application.

    2. Click Advanced.

      The Profile Settings window opens.

    3. Select an override profile setting:

      • Allowed

      • Denied

      • Mandatory

  2. Select RADIUS is activated on device to enable RADIUS on the Check Point appliance.

  3. Click Add to add RADIUS servers that were defined in SmartConsole, select a RADIUS server from the list and click OK.

  4. To remove a server, select a server in the list and click Remove.

  5. Use Up and Down to set the priority to contact RADIUS servers.

  6. Click Allow administrators from specific RADIUS groups only (comma separated) to allow authentication from specified groups as defined on the RADIUS server. Only administrators that belong to those groups can get access.

  7. Click OK.

Configuring Hotspot

To configure hotspot settings in a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the Hotspot tab.

  2. Select Manage Hotspot settings centrally from this application.

  3. Click Advanced. The Profile Settings window appears.

  4. Select one of these override profile settings:

    • Allowed

    • Denied

    • Mandatory

  5. Select Hotspot is activated on device to activate the hotspot.

  6. Configure the fields:

    • Portal Title - Keep the default or enter a different title.

    • Portal message - Keep the default or enter a different message.

    • Terms of use - Select this checkbox to add an "I agree with the following terms and conditions" checkbox on the Hotspot portal page. Enter the terms and conditions text in the text box. When users click the "terms and conditions" link, the entered text is shown.

    • Require Authentication - To require user authentication, select the checkbox.

    • Allow users from specific group - Select to allow access to a specific user group and not all users. Enter the group's name in the text box.

  7. Click Apply.

Configuring a Configuration Script

To configure a configuration script in a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the Configuration Script tab.

  2. Select Manage Configuration Script centrally from this application.

  3. Click Advanced.

    The Profile Settings window opens.

  4. Select one of these override profile settings:

    • Allowed

    • Denied

    • Mandatory

  5. In Configuration Script, enter a script to run on the Small Office Appliance gateway.

  6. Click Apply.

Configuring a Provisioning Profile

For each set of configurations managed with a Provisioning Profile, you can decide which settings have preference: local (not provisioned) or central (from SmartProvisioning individual management or from Provisioning Profile).

To configure the settings of a Provisioning Profile:

  1. In the Profiles List, right-click a profile and select Edit Provisioning Profile.

  2. In the Profile window, click any category tab (other than General).

  3. Select management settings for gateways that reference the profile:

    • Manage settings locally on the device: Each gateway that references this profile has its own settings, configured locally (not in SmartProvisioning GUI). These settings cannot be overwritten by changes to the Provisioning Profile or to the SmartProvisioning gateway object. If you select this option, the Gateway window appears: settings are defined to be managed locally on the device.

    • Manage settings centrally from this application: Each gateway that references this profile gets its configuration for this setting from the Provisioning Profile or from the SmartProvisioning gateway object.

  4. If you selected to manage settings centrally, click Advanced.

    The Profile Settings window opens.

  5. Select an option for Overriding profile settings on device level is:

    • Allowed - You can override the profile settings with device-local settings, or with changes to these settings in the SmartProvisioning device window. You can also leave the profile settings as they are.

    • Denied - Each gateway takes the settings from the profile, with no option to override the profile settings.

    • Mandatory - Each gateway is managed without a Provisioning Profile.

  6. Click OK.

Profile Managed: Locally
Profile Override: Not relevant
Gateway Window Display and options:

  Settings are defined to be managed locally on the device.
  To change this, refer to the attached Provisioning Profile profile_name
  (controls are unavailable)

Profile Managed: Centrally
Profile Override: Override denied
Gateway Window Display and options:

  Overriding profile settings is denied.
  To change this, refer to the attached Provisioning Profile profile_name
  (controls are Read-Only, configured by profile)

Profile Managed: Centrally
Profile Override: Override allowed
Gateway Window Display and options:

  Select override method:

  • Manage settings locally on the device - Local management. Override provisioning configurations with local settings.

  • Use profile settings - Enforce profile settings on this gateway.

  • Use the following settings - Manage these settings on this gateway individually with the values given here.

Profile Managed: Centrally
Profile Override: Override mandatory
Gateway Window Display and options:

  Override profile settings is mandatory: configure settings here.
  To change this, refer to Provisioning Profile profile_name
  (Each gateway is configured separately)

  • Manage settings locally on the device - Manage these settings on this gateway locally.

  • Use the following settings - Manage these settings on this gateway individually with the values given here.

For example, if you set Hosts configuration to Central and Allowed, the Hosts tab on the gateway enables you to manage the Host List of a gateway if you:

  • Define the Host List locally on the device (even if it has an assigned Provisioning Profile)

  • Provision gateways with the Host List of the Provisioning Profile

  • Define a New Host List (in the Gateway window) that overrides the Provisioning Profile on this gateway

Warning - If you select Use the following settings and do not enter values for a specified topic, the current settings on the device are deleted.