Infinity CHECK POINT 1100 Instruction Manual

6 November 2017
Administration Guide
CHECK POINT
1100/1200R/1400
APPLIANCES
CENTRALLY MANAGED
Models: L-50, L-50D, L-50W, L-50WD, L-61i, L-71,
L-71W, L-72, L-72W, L-72P
R77.20.70
Classification: [Protected]

© 2017 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our
trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html
for a list of relevant copyrights and third-party licenses.

Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date
with the latest functional improvements, stability fixes, security enhancements and
protection against new and evolving attacks.
Check Point R77.20.70
For more about this release, see the R77.20.70 home page
http://supportcontent.checkpoint.com/solutions?id=sk120473.
Latest Version of this Document
Download the latest version of this document
http://downloads.checkpoint.com/dc/download.htm?ID=57880.
To learn more, visit the Check Point Support Center
http://supportcenter.checkpoint.com.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments on the 1100/1200R/1400 Appliances Centrally Managed R77.20.70 Administration Guide.
Revision History
Date                Description
06 November 2017    First release of this document

Contents
Important Information...................................................................................................3
Check Point 1100, 1200R, and 1400 Appliance Overview...............................................7
Installation ....................................................................................................................8
Setting Up the Check Point Appliance.......................................................................8
Connecting the Cables ..............................................................................................8
About the PoE............................................................................................................8
Deployment Types.....................................................................................................9
Predefining a Centrally Managed Deployment..........................................................9
Small-scale Deployment Installation......................................................................10
Small-scale Deployment Workflow ...............................................................................10
Defining a Gateway Object .............................................................................................10
Defining a Gateway Cluster Object.................................................................................13
Creating the Security Policy ..........................................................................................17
Setting Server IP Behind a 3rd Party NAT Device ..........................................................21
Large-scale Deployment Installation...................................................................... 22
Supported Security Management Versions....................................................................22
Large-scale Deployment Workflow ...............................................................................22
Defining a SmartLSM Gateway Profile for a Large-scale Deployment...........................23
Defining a SmartLSM Appliance Cluster Profile ............................................................23
Deploying with SmartProvisioning.................................................................................24
Installing a Security Policy ............................................................................................25
Viewing the Policy Installation Status............................................................................25
SmartProvisioning ......................................................................................................28
Creating a Gateway ................................................................................................. 28
General Properties ........................................................................................................28
More Information...........................................................................................................28
Communication Properties............................................................................................29
VPN Properties..............................................................................................................29
Finish.............................................................................................................................30
Creating a SmartLSM Appliance Cluster ................................................................ 30
General Properties ........................................................................................................30
Cluster Properties.........................................................................................................30
Cluster Names...............................................................................................................31
More Information...........................................................................................................31
Communication Properties............................................................................................31
VPN Properties..............................................................................................................31
Finish.............................................................................................................................31
Defining SmartLSM Gateways Using LSM CLI......................................................... 32
Managing Device Settings .......................................................................................32
Configuring Firmware ...................................................................................................32
Configuring RADIUS ......................................................................................................34
Configuring Hotspot.......................................................................................................35
Configuring a Configuration Script ................................................................................36
Configuring Profile Settings ..........................................................................................36
First Time Deployment Options...................................................................................38
Zero Touch Cloud Service ....................................................................................... 38
Deploying from a USB Drive or SD Card..................................................................39

Sample Configuration File .............................................................................................40
Preparing the Configuration Files .................................................................................40
Deploying the Configuration File - Initial Configuration.................................................40
Deploying the Configuration File - Existing Configuration .............................................41
Viewing Configuration Logs ...........................................................................................42
Troubleshooting Configuration Files .............................................................................42
Using the set property Command ..................................................................................43
Appliance Configuration..............................................................................................44
Introduction to the WebUI Application ....................................................................44
The Home Tab .........................................................................................................45
Viewing System Information ..........................................................................................45
Controlling and Monitoring Software Blades.................................................................45
Setting the Management Mode ......................................................................................46
Managing Licenses ........................................................................................................47
Viewing the Site Map .....................................................................................................48
Managing Active Computers ..........................................................................................48
Viewing Monitoring Data................................................................................................49
Viewing Reports.............................................................................................................51
Using System Tools .......................................................................................................53
Managing the Device ...............................................................................................55
Configuring Internet Connectivity ..................................................................................55
Configuring the Wireless Network ................................................................................58
Configuring the Local Network......................................................................................62
Configuring a Hotspot....................................................................................................70
Configuring the Routing Table.......................................................................................72
Configuring MAC Filtering .............................................................................................74
Configuring the DNS Server ..........................................................................................76
Configuring the Proxy Server ........................................................................................77
Backup, Restore, Upgrade, and Other System Operations.............................................77
Configuring Local and Remote System Administrators .................................................81
Configuring Administrator Access.................................................................................85
Managing Device Details................................................................................................87
Managing Date and Time ...............................................................................................87
Configuring DDNS and Access Services.........................................................................88
Using System Tools .......................................................................................................89
Managing Installed Certificates.....................................................................................90
Configuring High Availability .........................................................................................91
Configuring Advanced Settings......................................................................................91
Managing Users and Objects...................................................................................93
Configuring Local Users and User Groups.....................................................................93
Configuring Local and Remote System Administrators .................................................94
Managing Authentication Servers..................................................................................98
Managing System Services ..........................................................................................100
Managing Service Groups ............................................................................................101
Managing Network Objects..........................................................................................102
Managing URL Lists.....................................................................................................104
Logs and Monitoring ............................................................................................. 106
Viewing Security Logs..................................................................................................106
Viewing System Logs...................................................................................................107
Configuring External Log Servers ...............................................................................108
Managing Active Computers ........................................................................................108
Viewing Infected Hosts ................................................................................................108
Viewing VPN Tunnels...................................................................................................110

Viewing Active Connections .........................................................................................110
Viewing Monitoring Data..............................................................................................111
Viewing Reports...........................................................................................................111
Using System Tools .....................................................................................................111
SNMP...........................................................................................................................111
Advanced Configuration ............................................................................................ 113
Dynamic Routing ................................................................................................... 113
Upgrade Using a USB Drive................................................................................... 114
Upgrade Using an SD Card.................................................................................... 116
Boot Loader........................................................................................................... 117
Upgrade Using Boot Loader .................................................................................. 118
Restoring Factory Defaults ................................................................................... 119
Index.......................................................................................................................... 121

Check Point 1100/1200R/1400 Appliances Centrally Managed Administration Guide R77.20.70 | 7
CHAPTER 1
Check Point 1100, 1200R, and 1400
Appliance Overview
Check Point 1100, 1200R, and 1400 appliances support the Check Point Software Blade
architecture and provide independent, modular and centrally managed security building blocks.
You can quickly enable and configure the Software Blades to meet your specific security needs.
These appliances run an embedded version of the Gaia operating system. It includes core configuration elements such as the clish interface, SNMPv2/3 and routing stack implementations. In addition to the Gaia features, Embedded Gaia contains support for built-in network switches, wireless networks, 4G/LTE Internet connectivity, multiple Internet connections (more than 2) in High Availability or Load Sharing mode, Policy Based Routing, and DDNS support. Quick deployment with USB is supported for all appliances, and with an SD card for the 1200R and 1400 appliances.
The Check Point 1200R appliance is a ruggedized appliance that delivers Next Generation Threat
Prevention for critical infrastructure and industrial control systems. This solid-state appliance is
specifically designed to secure SCADA (supervisory control and data acquisition) protocols and OT
(operational technology) equipment that operates under harsh environmental conditions. It
complies with industrial specifications IEEE 1613, IEC 61850-3, IEC 60068-2 for heat, vibration and
immunity to electromagnetic interference (EMI).
This guide describes all aspects that apply to central management mode. For more information on local management, see the 1100/1200R/1400 Locally Managed Administration Guide.
Note - Some topics only apply to specified appliances or models.
Appliance   Model                    Appliance Homepage
1100        Wired, WiFi              sk105379 http://supportcontent.checkpoint.com/solutions?id=sk105379
1200R       Wired
1430/1450   Wired, WiFi              sk110985 http://supportcontent.checkpoint.com/solutions?id=sk110985
1470/1490   Wired, WiFi, PoE Wired
For front and back panel details for each appliance, see the relevant Getting Started Guide.
Review these materials before doing the procedures in this guide:
• R77.20.70 Release Notes
• Known Limitations
• Resolved Issues
• Getting Started Guide
See the R77.20.70 home page http://supportcontent.checkpoint.com/solutions?id=sk120473.

CHAPTER 2
Installation
In This Section:
Setting Up the Check Point Appliance...........................................................................8
Connecting the Cables ...................................................................................................8
About the PoE .................................................................................................................8
Deployment Types ..........................................................................................................9
Predefining a Centrally Managed Deployment .............................................................9
Small-scale Deployment Installation ..........................................................................10
Large-scale Deployment Installation..........................................................................22
Setting Up the Check Point Appliance
1. Remove the Check Point Appliance from the shipping carton and place it on a tabletop.
2. Identify the network interface marked as LAN1. This interface is preconfigured with the IP address 192.168.1.1.
Connecting the Cables
1. Connect the power supply unit to the appliance and to a power outlet.
The appliance is turned on when the power supply unit is connected to an outlet.
For the PoE model, the PoE ports (13-16) deliver power to the end point when a standard 802.3af or 802.3at powered device is connected. The total power budget is 62W.
2. The Power LED on the front panel lights up. This indicates that the appliance is turned on.
The Alert LED (called the Notice LED in the 1100 appliance) on the front panel starts to blink. This indicates that the appliance is booting up.
When the Alert LED turns off, the appliance is ready for login.
3. Connect the standard network cable to the LAN1 port on the appliance and to the network adapter on your PC.
4. Connect another standard network cable to the WAN port on the appliance and to the external modem, external router, or network point.
About the PoE
The PoE wired model is available on 1470/1490 appliances only.
The PoE switch is a type of PSE (Power Sourcing Equipment), and delivers power to the PD (Powered Device) end point. By default, the PoE port automatically provides power when a compliant PD is connected. There are no specified management requirements.
The PoE standard model is fully supported. It is fully compliant with 802.3af (PoE) and 802.3at (PoE+). All 4 ports support 802.3af. Due to power budget limitations, only 2 ports at a time support 802.3at.
The total power dedicated for all PoE ports is 62W:
• 802.3af maximum power delivery per port is 15.4W
• 802.3at maximum power delivery per port is 31W
Deployment Types
There are two types of centrally managed deployments:
• Small-scale deployment - Where you configure between 1 and 25 Check Point Appliance gateways using SmartDashboard. Then you can manage device settings from SmartProvisioning.
• Large-scale deployment - Where you configure over 25 Check Point Appliance gateways using a SmartLSM profile and SmartProvisioning or a configuration file that is stored on a USB drive.
For both deployment types, you must configure objects and other elements in SmartDashboard
and in SmartProvisioning.
Predefining a Centrally Managed Deployment
To manage the Check Point Appliance in a centrally managed deployment, you must install a
Security Management Server and SmartConsole clients that operate with the Check Point
Appliance.
The Check Point Appliance operates with Security Management Server versions R77.30 and
higher.
For installation instructions, see the version's Release Notes.
After you install the SmartConsole clients you can define the Check Point Appliance object in
SmartDashboard (in small-scale deployments) or create a SmartLSM profile (in large-scale
deployments) and prepare the security policy.

CHAPTER 3
Small-scale Deployment Installation
In This Section:
Small-scale Deployment Workflow .............................................................................10
Defining a Gateway Object............................................................................................10
Defining a Gateway Cluster Object ..............................................................................13
Creating the Security Policy.........................................................................................17
Setting Server IP Behind a 3rd Party NAT Device.......................................................21
This chapter contains procedures for defining a gateway or a gateway cluster. Do the procedures
that match your requirements, then install the policy.
Small-scale Deployment Workflow
This is the suggested workflow for small-scale deployments:
1. Create the necessary gateway or cluster objects for your appliances in SmartDashboard.
2. Install the Security Policy in SmartDashboard.
3. Configure the relevant appliances with the First Time Configuration Wizard. Alternatively, you can use a USB drive to quickly configure many appliances without the First Time Configuration Wizard. For more details, see Deploying from a USB Drive.
4. Manage the appliance settings in SmartProvisioning for the gateway or cluster objects.
Defining a Gateway Object
You can use the SmartDashboard creation wizard to define a Check Point Appliance before or after
you configure the appliance on site.
Options to define a gateway object:
• Management First - Define the gateway object in SmartDashboard before you configure and set up the actual appliance on site. This is commonly used for remotely deployed appliances or appliances that connect to the Security Management Server with a dynamic IP (assigned by a DHCP server or an ISP), as the IP is not known at the time of the configuration of the object in SmartDashboard. You can prepare a policy that the appliance pulls when it is configured.
• Gateway First - Configure and set up the Check Point Appliance first. It then tries to communicate with the Security Management Server (if this is configured) at 1 hour intervals. If there is connectivity with the gateway during object creation in SmartDashboard, the wizard can retrieve data from the gateway (such as topology), and then help in configuration.
To define a single gateway object:
1. Log in to SmartDashboard using your Security Management credentials.
2. From the Network Objects tree, right click Check Point and select Security Gateway.
The Check Point Security Gateway Creation window opens.
3. Select Wizard Mode.
The wizard opens to General Properties.

4. Enter a name for the Check Point Appliance object and select the hardware type for the hardware platform.
If the appliance does not appear in the hardware list in the R77.30 SmartDashboard, see sk111292 http://supportcontent.checkpoint.com/solutions?id=sk111292.
5. Set the Security Gateway Version to R77.20.
6. Select the Static IP address or Dynamic IP address to get the gateway's IP address.
7. Click Next.
To configure a static IP address:
1. In the Authentication section, select Initiate trusted communication securely by using a one-time password or Initiate trusted communication without authentication (less secure).
2. If you selected Initiate trusted communication securely by using a one-time password, enter a one-time password and confirm it. This password is only used to establish the initial trust. Once established, trust is based on security certificates.
Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.
3. In the Trusted Communication section, select Initiate trusted communication automatically when the Gateway connects to the Security Management server for the first time or Initiate trusted communication now.
4. Click Connect.
A status window appears.
5. Click Next.
To configure a dynamic IP address:
1. In the Gateway Identifier section, select one identifier: Gateway name, MAC address or First to connect.
2. In the Authentication section, select Initiate trusted communication securely by using a one-time password or Initiate trusted communication without authentication (less secure).
3. If you select Initiate trusted communication securely by using a one-time password, enter a one-time password and confirm it. This password is only used for establishing the initial trust. Once established, trust is based on security certificates.
Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.
4. Click Next.
To configure the software blades:
In the Blade Activation page, select the software blades that you want to activate and configure.
To configure blades later:
1. Select Activate and configure software blades later.
2. Click Next.

To configure blades now:
1. Select Activate and configure software blades now.
2. Select the check boxes next to the blades you want to activate and configure.
3. Configure the required options:
• NAT - The Hide internal networks behind the Gateway's external IP checkbox is selected by default.
• QoS - Set the inbound and outbound bandwidth rates.
• IPSec VPN - Make sure that the VPN community has been predefined. If it is a star community, the Check Point Appliance is added as a satellite gateway. Select a VPN community that the Gateway participates in from the Participate in a site to site community list.
• IPS - Select a profile from the Assign IPS Profile list or click Manage to create/edit an IPS profile.
• User Awareness - Complete the wizard pages that open to define the User Awareness acquisition sources. In the Active Directory Servers page of the wizard, make sure to select only AD servers that your gateway works with.
4. Click Next.
To hide the VPN domain:
Select Hide VPN domain behind this gateway's external IP.
Select this option only if you want to hide all internal networks behind this gateway's external IP. All outgoing traffic from networks behind this gateway to other sites that participate in the VPN community will be encrypted.
With this option, connections that are initiated from other sites and directed to hosts behind this gateway are not encrypted. If you need access to hosts behind this gateway, select other options (define VPN topology) or make sure all traffic from other sites is directed to this gateway's external IP and define corresponding NAT port-forwarding rules, such as: Translate the destination of incoming HTTP connections that are directed to this gateway's external IP to the IP address of a web server behind this gateway.
To create a new VPN domain group:
1. Make sure that the Create a new VPN domain option is selected.
2. In the Name field, enter a name for the group.
3. From the Available objects list, select the applicable objects and click Add. The objects are added to the VPN domain members list.
To select a predefined VPN domain:
1. Click Select an existing VPN domain.
2. From the VPN Domain list, select the domain.
3. Click Next.
In the Installation Wizard Completion page, you see a summary of the configuration parameters you set.
4. If you want to configure more options of the Security Gateway, select Edit Gateway properties for further configuration.
5. Click Finish.
The General Properties window of the newly defined object opens.

Defining a Gateway Cluster Object
A Check Point Appliance Security Gateway cluster is a group of 2 members. Each represents a separate Check Point Appliance which has High Availability software installed. ClusterXL is the Check Point clustering solution. Third party OPSEC Certified clustering products are not supported.
High Availability
High Availability allows organizations to maintain a connection when there is a failure in a cluster member. Only one machine is active (Active/Standby operation) in this configuration. Load sharing is not supported on this appliance.
Prerequisites
During cluster configuration, only a "Gateway First" installation path is supported. Therefore, you must first configure the gateways with their actual IPs. Only afterward should you create the cluster object in SmartDashboard or SmartProvisioning. The policy installation from the Security Management Server alerts the gateways that they are configured as cluster members.
Before you define a Check Point Appliance cluster, make sure you defined all of the network interfaces used for each of the Check Point Appliance gateways. The interfaces must be defined in the same subnet. To verify definitions, access the WebUI of the appliance.
These actions are only required to work with the Cluster Wizard in SmartDashboard:
• Make sure a cable is connected between the two LAN2/SYNC ports of both appliances. You do not need to assign them IPs as those are created automatically later. If you do assign them, make sure the LAN2/SYNC interfaces use the same subnet.
You can use a different SYNC interface other than LAN2. For more information, see sk52500 http://supportcontent.checkpoint.com/solutions?id=sk52500 (you can use the Cluster Wizard in SmartDashboard but you need to make further adjustments to the cluster object before policy installation).
• The Cluster Wizard assumes that the WAN interface is part of the cluster. Make sure the WAN interfaces in each of the gateways are configured with a static IP of a matching subnet.
• When you configure the appliances that are used in the cluster, make sure to set both of the appliances with the same one-time password you used to authenticate and establish trusted communication. Without this, you cannot use the Cluster Wizard in SmartDashboard and you need to create the cluster object in Classic Mode.
Trusted communication without authentication is not supported on Check Point Appliance cluster members.
Creating a Cluster for New Gateways
To create a cluster for new gateways:
• Set up and configure the Check Point Appliance gateways.
• Create and configure the cluster object in SmartDashboard that represents the gateways.

Installation
Check Point 1100/1200R/1400 Appliances Centrally Managed Administration Guide R77.20.70 | 14
Configuring the Check Point Appliance Gateways
See your Check Point Appliance Getting Started Guide for full instructions to set up and connect
the Check Point Appliance.
This is the general workflow:
1. Connect your computer to the Check Point Appliance on its LAN1 interface.
2. Configure your computer to get an IP address automatically.
3. Open your Web browser, and connect to: http://my.firewall
When you configure two Check Point Appliance gateways from your web browser, connect only
one to a power source. Follow the instructions below to configure it and then disconnect it
from the power source. Then do the same for the second appliance and reboot it at the end.
If you do not follow these instructions, you cannot use the http://my.firewall URL correctly and
you need to connect with the gateway's actual IP address. (That IP address is initially
192.168.1.1 on LAN1 before you configure it with the Check Point Appliance.)
After you configure and connect both appliances to a power source, install a policy and renew
the dynamic IP of the computer. You can then use http://my.firewall to access the active
member of the cluster.
4. Follow the steps to configure the Check Point Appliance with the First Time Configuration
Wizard.
5. On the appliance's local network, configure the cluster SYNC interface on the same subnet as
the SYNC interface of the second cluster member (use a cross Ethernet cable for the SYNC
interface connection).
When you use the SmartDashboard cluster wizard, the LAN2 interface is the SYNC interface
between cluster members. You do not have to configure an IP on LAN2 at any stage of the
gateway side configuration. If you do not configure them, the LAN2 SYNC interfaces are
automatically set to 10.231.149.1 and 10.231.149.2. To set a different SYNC interface (not
LAN2), see sk52500 http://supportcontent.checkpoint.com/solutions?id=sk52500.
Remember the one-time password. You need it to configure the cluster in SmartDashboard. It
must be the same on both cluster members.
IP addresses must be configured on both cluster members before you open SmartDashboard
and run the Cluster configuration wizard. To configure IPs in interfaces other than WAN and
LAN1, do so in each gateway’s WebUI application with the Internet or Local Network pages.
Make sure that for each interface that is part of the cluster, you configure an IP in the same
subnet as the second cluster member.
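As an added example (not Check Point's own code or tooling), the following Python script checks a planned two-member cluster definition against the prerequisites stated in this section and in the Prerequisites section above: the same interface set on both members, each clustered interface pair in one subnet, a static WAN IP on both members, the automatic LAN2/SYNC addresses, an identical one-time password, and a virtual IP inside each clustered subnet that differs from both members' physical IPs. The member data, the dictionary layout and the /24 prefix assumed for the automatic SYNC addresses are assumptions.

```python
"""Pre-flight check for a two-member Check Point Appliance cluster (added example, not Check Point code).

Encodes prerequisites from the guide: same interfaces on both members, each clustered pair in one
subnet, static WAN IPs, LAN2/SYNC auto-assigned 10.231.149.1/.2 when unset (the /24 is assumed),
and an identical one-time password. Sample member data below is constructed.
"""
from ipaddress import ip_address, ip_interface

SYNC_DEFAULTS = {1: "10.231.149.1/24", 2: "10.231.149.2/24"}


def _with_sync_default(interfaces, member_no):
    """Copy a member's interface table, filling LAN2 with the wizard's automatic SYNC address."""
    filled = dict(interfaces)
    filled.setdefault("LAN2", SYNC_DEFAULTS[member_no])
    return filled


def check_cluster(member1, member2, vips):
    """Return the list of prerequisite violations; an empty list means the definition is consistent.
    member: {"otp": one-time password, "interfaces": {name: "addr/prefix", or None when dynamic}}
    vips:   {interface name: virtual IP} for every interface that is to be cluster-monitored
    """
    problems = []
    if member1["otp"] != member2["otp"]:
        problems.append("one-time password differs between members")
    if "WAN" not in vips:
        problems.append("WAN is part of the cluster by default and needs a virtual IP")

    if1 = _with_sync_default(member1["interfaces"], 1)
    if2 = _with_sync_default(member2["interfaces"], 2)
    if set(if1) != set(if2):
        problems.append("interface sets differ: %s" % sorted(set(if1) ^ set(if2)))

    for name in sorted(set(if1) & set(if2)):
        a, b = if1[name], if2[name]
        if a is None or b is None:
            if name == "WAN":
                problems.append("WAN needs a static IP on both members")
            elif name in vips:
                problems.append("%s has a dynamic address and cannot carry a virtual IP" % name)
            continue
        ia, ib = ip_interface(a), ip_interface(b)
        if ia.network != ib.network:
            problems.append("%s: %s and %s are not in the same subnet" % (name, ia.network, ib.network))
            continue
        if name == "LAN2" or name not in vips:
            continue  # SYNC link, or a non-monitored private interface: no virtual IP
        vip = ip_address(vips[name])
        if vip not in ia.network:
            problems.append("%s: virtual IP %s is outside %s" % (name, vip, ia.network))
        elif vip in (ia.ip, ib.ip):
            problems.append("%s: virtual IP %s collides with a member IP" % (name, vip))
    return problems


# Constructed sample members using documentation address ranges.
MEMBER_A = {"otp": "example-otp", "interfaces": {"WAN": "203.0.113.11/24", "LAN1": "192.168.1.1/24"}}
MEMBER_B = {"otp": "example-otp", "interfaces": {"WAN": "203.0.113.12/24", "LAN1": "192.168.1.2/24"}}
VIPS = {"WAN": "203.0.113.10", "LAN1": "192.168.1.254"}

if __name__ == "__main__":
    for line in check_cluster(MEMBER_A, MEMBER_B, VIPS) or ["prerequisites met"]:
        print(line)
```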
Configuring the Cluster Object in SmartDashboard
To create a cluster for two new Check Point Appliance gateways:
1. Log in to SmartDashboard with your Security Management credentials.
2. From the Network Objects tree, right click Check Point and select Security Cluster > Small
Office Appliance.
The Check Point Security Gateway Cluster Creation dialog box opens.
3. Select Wizard Mode.
The wizard opens to General Properties.
4. Enter a name for the Check Point Appliance cluster.
5. Click Next.
The wizard opens to Cluster Members.

6. In the First Member and Second Member sections, enter a Member name and Member IP
address.
If you want to check the communication and connectivity, clear the Define the second cluster
member now check box. This allows you to complete the wizard definitions for the first
member only.
7. Enter and confirm the One-time password to establish initial trust.
When trust is established, it is based on security certificates. This password must be identical
to the same one-time password defined for both members in their appliances' First Time
Configuration Wizard or WebUI.
8. Click Next.
The wizard opens to Cluster Interface Configuration.
When you configure the WAN interface, you cannot disable High Availability. (For other
configurations, edit the Cluster object later.)
If the WAN interface was not defined, edit the Cluster object in SmartDashboard with the
wizard and select a correct main IP for the cluster object. (This IP is used, for example, in VPN
as one of the Link selection options.)
9. Enter a virtual IP Address and Net Mask for the cluster. The virtual IP is applied in the next
policy installation.
10. Click Next.
11. To enable High Availability on the interface, select the Enable High Availability on <name>
interface checkbox. <name> shows the network interface defined in the Check Point
Appliance.
12. When High Availability is selected, enter a virtual IP Address and Net Mask for the cluster. The
virtual IP is applied in the next policy installation.
13. Click Next.
14. Repeat steps 12 - 14 for each defined interface.
15. Click Finish or select Edit Cluster in Advanced mode to further configure the cluster.
Cluster Interface Configuration
In the Cluster Interface Configuration window, you define if a network interface on the Check Point
Appliance is part of the security gateway cluster. This window is shown once for each network
interface that was configured in the Check Point Appliance. The total number of interfaces configured
for the gateway shows in the window title. For example, if 3 interfaces are configured for the gateway,
a total of 3 windows require configuration. The first window displays (1 of 3 interfaces). The name
of the interface you are currently configuring shows in the Interface column.
Each network interface (on both members) has a unique IP address. If High Availability is enabled
on the interface, then the cluster requires an additional unique virtual IP address. This IP address
is visible to the network and ensures that failover events are transparent to all hosts in the
network.
When High Availability is not enabled, the interface is considered not-monitored private (it is not
cluster related).
You can configure High Availability for all network interfaces except for the WAN interface. By
default, the WAN interface is always part of the cluster. If you do not want the WAN interface to be
part of the cluster, double-click on the Check Point Appliance security gateway cluster object, and
select Topology node > Edit Topology.

If the WAN interface was not defined, edit the Cluster object in SmartDashboard with the wizard
and select a correct main IP for the cluster object. (This IP is used, for example, in VPN as one of
the Link selection options).
The breadcrumb image at the top of the window shows you the interface you are currently
configuring. You do not configure the LAN2 interface as it is automatically configured by the
wizard and is used only for the SYNC interface. Make sure a cable is connected between the two
LAN2/SYNC ports of both appliances.
The image at the bottom of the page shows if the interface is set for High Availability. When you
configure High Availability, the physical IPs of both members meet at a point indicated by the
cluster's virtual IP address.
To configure more advanced options for interfaces:
1. Click Edit Cluster in Advanced mode at the end of the wizard.
2. Edit the topology of the cluster and make the necessary changes.
Converting an Existing Check Point Appliance to a Cluster
Do these procedures to convert an existing Check Point Appliance to a cluster.
Note - The procedures require some downtime.
Terms used:
• GW - the existing Check Point Appliance gateway object that has already established trust and
has an installed policy.
• Cluster - the new Check Point Appliance cluster object that you create.
• GW_2 - the new cluster member object that joins the existing gateway.
To configure the new appliance GW_2 with the First Time Configuration Wizard:
1. Make sure to configure the actual IP addresses and not the virtual IP addresses that are used
by the existing gateway GW.
2. Clear the Enable switch on LAN ports checkbox.
If you do not do this, the default switch configuration is automatically removed during the
cluster's first policy installation, as it is not supported in a cluster configuration.
Note - It is more secure to remove the switch configuration before initial policy installation.
3. Configure the LAN2 port (used for cluster synchronization) with an IP address that is in the
same network as the other cluster member. It is recommended to assign a static IP address
for the sync interface.
4. Do not fetch the policy from the Security Management Server.
To create and configure the cluster in SmartDashboard:
1. Use the wizard to create a new Check Point Appliance cluster.
2. Define the IP address as the IP used by the existing gateway GW.
3. Define the first member with GW_2's IP address.
Important - Do not define the second member using the wizard.
4. Establish trusted communication.

5. Define all the IP addresses of the clustered interfaces. Use the existing gateway GW IP
address as the virtual IP of the cluster.
6. At the end of the wizard, select the Edit the cluster in Advanced Mode checkbox.
7. In Advanced Mode, enter all the relevant configuration settings from the GW to the cluster
object.
To reconfigure the existing Check Point Appliance:
1. In the WebUI, go to the GW and connect to it.
2. Reconfigure the IP addresses of the clustered interfaces with the actual IP addresses that are
used by the gateway as a member of the cluster.
Important - Downtime starts.
To configure the cluster in SmartDashboard:
1. Change the main IP and the IPs that appear in the topology table of the GW object.
2. Install policy on Cluster.
Important - Downtime ends. At this point, the cluster contains only one member, GW_2.
3. Go to Cluster Members > Add > Add existing gateway and edit the Cluster object.
4. If GW does not show in the list, press Help and make sure GW does not match any of the
categories that prevent it from being added to a cluster.
Note - Use the information on this Help page to determine if there are any configuration
settings you want to copy to the new Cluster object.
5. Under the new GW object, click Topology > Get Topology to edit the topology of the Cluster
object.
6. Install policy on Cluster.
Viewing Cluster Status in the WebUI
After you complete policy installation on the Check Point Appliance gateway and the gateway
works as a cluster member, you can view cluster status in the WebUI application (Device > High
Availability).
Creating the Security Policy
Working with Security Zone Objects
A security zone object is a logical object that represents the network behind a specified interface.
For example, an InternalZone object represents the internal network IPs behind all of the internal
gateway interfaces.
You can use security zone objects to create a generic Security Policy and reduce the amount of
rules necessary in the Rule Base. This Security Policy can be applied to numerous Check Point
Appliance gateways. Resolution of the security zone is done by the actual association on the Check
Point Appliance gateway object in SmartDashboard.

Workflow
1. Associate a security zone object with an interface on the gateway object.
2. Use the security zone object in a rule.
3. Install policy.
To associate a security zone object with an interface on the gateway object:
1. In SmartDashboard, from the Network Objects tree, double-click a Check Point Appliance
gateway object.
2. From Topology, select the applicable interface and click Edit.
The Interface Properties window opens.
3. Select one of the predefined Security Zone options.
4. If you want to create a new zone, click New, fill in the details and click OK.
5. Click OK.
The Check Point Appliance Gateway General Properties is shown.
6. Click OK.
To create a rule with a security zone:
After you associated a security zone object to the applicable interface on the gateway, you can use
it in a rule. To create a rule with a security zone, just add the security zone object to the Source or
Destination cell.
For example, to create a rule that allows internal users access to any external network, create a
rule with these fields:
Policy Field    Value
Source          InternalZone
Destination     ExternalZone
Action          accept
Install On      gateway object or SmartLSM profile
1. Open the Firewall > Policy page.
2. Use the Add Rule buttons to position the rule in the Rule Base.
3. Enter a Name for the rule.
4. In the Source field, right-click the + icon, click Network Objects, select InternalZone from the
list, and click OK.
5. In the Destination field, right-click the + icon, click Network Objects, select ExternalZone
from the list, and click OK.
6. In the Action field, select accept.
7. Right-click the Install On field, select Add > Targets, and select the gateway object or
SmartLSM profile.

Installing a Security Policy
Use this procedure to prepare the policy for automatic installation when the gateway connects.
Note - If the Check Point Appliance is physically set up and configured, when you successfully
complete this step, the policy is pushed to the gateway. For a list of possible statuses, see Viewing
the Policy Installation Status (on page 19).
At the end of the Install Policy process, the policy status for a Check Point Appliance that is not yet
set up is "waiting for first connection." This implies that trusted communication is not yet
established between the Security Management Server and the Check Point Appliance. When the
gateway connects it establishes trust and attempts to install the policy automatically.
To install a security policy:
1. Click Policy > Install from the menu.
The Install Policy window opens.
2. Select the installation targets - the Check Point Appliance Security Gateways on which to
install the policy and the policy components (such as Network Security or QoS).
By default, all gateways that are managed by the Security Management Server are available for
selection.
3. In the Installation Mode section, select how the Security Policy should be installed:
• On each selected gateway independently
• On all selected gateways, if it fails do not install on gateways of the same version
4. Click OK.
The Installation Process window shows the status of the Network Security Policy for the
selected target.
Important - If the Check Point Appliance object is defined but the appliance is not set up
and it is in the "Waiting for first connection" status, you see a message that says
"Installation completed successfully". This means that the policy is successfully prepared
for installation.
Continue tracking the status of the Security Policy installation with the Policy Installation
Status window and the status bar ("Viewing the Policy Installation Status" on page 19).
Viewing the Policy Installation Status
You can see the installation status of managed gateways with the status bar that shows at the
bottom of the SmartDashboard window. The status bar shows how many gateways are in Pending
or Failed mode.
• Pending - gateways that are in the waiting for first connection status or are in the pending
status (see below for detailed explanations).
• Failed - gateways that have failed to install the policy.
The status bar is updated dynamically each time a gateway tries to install a policy or tries to
connect to the Security Management Server. The results of these actions are also shown in
SmartDashboard popup notification balloons when such events occur. You can configure these
notifications.
To monitor the status of the last policy installed on each gateway, you can use the Policy
Installation Status window.

The window has two sections. The top section shows a list of gateways and status details
regarding the installed policy. You can use the filter fields to see only policies of interest and hide
other details by defining the applicable criteria for each field. After you apply the filtering criteria,
only entries that match the selected criteria are shown. If the system logs trusted communication
(SIC) attempts from unknown gateways, a yellow status bar opens below the filter fields.
The bottom section shows details of a row you select in the gateway list (errors that occurred, the
date the policy was prepared, verification warnings). If there is a yellow status bar, click Show
details to show the details of unknown gateways that try to connect to the Security Management
Server.
These are the different statuses in this window (each policy status is shown with its own icon):
• Succeeded - Policy installation succeeded.
• Succeeded (with warnings) - Policy installation succeeded but there are verification warnings.
• Waiting for first connection - A Check Point Appliance object is configured, but the gateway is
not connected to the Security Management Server (initial trust is not established).
If a policy is prepared, it is pulled when the gateway is connected.
If a policy is not prepared, the Policy Type column shows "No Policy Prepared." When the
gateway is first connected, only trust is established.
• Waiting for first connection (with warnings) - Same as above, with warnings that attempts to
establish trust failed or there are verification warnings.
• Pending - The policy remains in the pending status until the gateway successfully connects to
the Security Management Server and retrieves the policy. This status is shown only if there was
at least one successful policy installation. For example, when the Security Management Server
has problems connecting to the Gateway (the Gateway is unavailable for receiving
communication, as in behind NAT).
• Pending (with warnings) - Same as above but there are verification warnings.
• Warning - Warning.
• Information - Information.
• Failed (verification) - Policy not installed due to a verification error.
• Failed - Policy installation failed.