
Monday 12 February 2018

SmartDashboard Configuration


Watch the video: https://youtu.be/IqYplva7cRk

The 41000 Security System can work as a Security Gateway or as a VSX Gateway. The Security Management Server must be R76 or higher.

Important - R76 SmartDashboard is not supported. You must download and install the updated SmartDashboard.
Do one of these procedures:
- Configuring a Security Gateway
- Configuring a VSX Gateway
Configuring a Security Gateway
This procedure explains how to configure a Security Gateway in SmartDashboard.

Note - The Check Point Security Gateway Creation Wizard is version dependent. The steps may vary slightly.
To configure a Security Gateway:
1. Open SmartDashboard.
2. Enter your credentials to connect to the Security Management Server.
3. Create the Check Point Security Gateway object.
   In the Network Objects tree, right click and select New > Check Point > Security Gateway/Management.
   The Check Point Security Gateway Creation wizard opens.
4. Select Wizard Mode or Classic Mode.
   This procedure describes Wizard mode. If you choose Classic Mode, make sure you set all the necessary configuration parameters.
5. In the General Properties screen, configure:
   - Gateway name
   - Gateway platform - Select 61000 Appliance.
   - Gateway IP address
6. Click Next.
7. In the Secure Internal Communication Initialization screen, enter the One-time password. This is the same as the Activation Key you entered during the initial setup.
8. Click Next.
9. View the Configuration Summary.
10. Select Edit Gateway properties for further configuration.
11. Click Finish.
    The General Properties page of the 41000 Security System object opens.
12. In the General Properties page, make sure the Version is correct.
13. Enable the Firewall Software Blade. If required, enable other supported Software Blades.
14. In the navigation tree, select Topology.
15. Configure:
    - Interfaces as Internal or External
    - Anti-Spoofing
    Note: Only data and management interfaces are shown in the list.
16. Click OK.
    The Security Gateway object closes.
17. Install the Policy.
Confirming the Security Gateway Software Configuration
To make sure that the policy was successfully installed:
1. Connect to the appliance (through SSH or the serial console).
2. Run asg monitor
3. Make sure that the status for SGMs is: Enforcing Security on the ACTIVE and STANDBY Chassis.
4. Make sure the Policy Date matches the time that the policy was installed.
To verify the configuration:
After configuring the Security Gateway and installing the policy, validate the configuration using the asg diag command. Use the command to collect and show diagnostic information about the system.
If there is a problem, fix it before using the system.
Configuring a VSX Gateway
The 41000 Security System can work as a Security Gateway or as a VSX Gateway.
This procedure shows how to configure a VSX Gateway in SmartDashboard.
Before creating the VSX Gateway
It is important to know how VSX works, and understand the VSX architecture and concepts. It is also important to understand how to deploy and configure your security environment using VSX virtual devices:
- Virtual System
- Virtual System in Bridge Mode
- Virtual Router
- Virtual Switch
To learn about how VSX works, architecture, concepts and virtual devices, see the VSX Administration Guide.
The VSX Gateway Wizard
This section explains how to create a new VSX Gateway using the VSX Gateway Wizard.
The VSX Gateway in this example has one Virtual System (VS0) and one dedicated management interface.
After you complete the VSX Gateway Wizard, you can change the VSX Gateway definition from SmartDashboard. For example, you can add Virtual Systems, add or delete interfaces, or configure existing interfaces to support VLANs.
Note -
1. You cannot enable IPv6 before you create and configure a new VSX Gateway. This can cause system instability. You must first create the new VSX Gateway and then enable and configure IPv6 using gclish.
2. The Check Point VSX Gateway Wizard is version dependent. The steps may vary slightly.
To start the VSX Gateway wizard:
1. Open SmartDashboard.
   If you are using Multi-Domain Security Management, open SmartDashboard from the Domain Management Server of the VSX Gateway.
2. From the Network Objects tree, right-click Check Point and select VSX > Gateway.
   The General Properties page of the VSX Gateway Wizard opens.
Defining VSX Gateway General Properties
Configure these parameters on the General Properties page.
- VSX Gateway Name: Unique, alphanumeric name for the VSX Gateway. The name cannot contain spaces or special characters except the underscore.
- VSX Gateway IPv4 Address: Management interface IPv4 address
- VSX Gateway IPv6 Address: Management interface IPv6 address
- VSX Gateway Version: Select the VSX version installed on the VSX Gateway from the drop-down list.
Wizard Step 2: Selecting Virtual Systems Creation Templates
The Creation Templates page lets you provision predefined, default topology and routing definitions to Virtual Systems. This makes sure Virtual Systems are consistent and makes the definition process faster. You always have the option to override the default creation template when you create or change a Virtual System.
The Creation Templates are:
- Shared Interface: Not supported for the 41000 Security System.
- Separate Interfaces: Virtual Systems use their own separate internal and external interfaces. This template creates a Dedicated Management Interface (DMI) by default.
- Custom Configuration: Define Virtual System, Virtual Router, Virtual Switch, and Interface configurations.
For this example, choose Custom configuration.
Establishing SIC Trust
Initialize Secure Internal Communication trust between the VSX Gateway and the management server. The gateway and server cannot communicate without Trust.
Initializing SIC Trust
When you create a VSX Gateway, you must enter the Activation Key that you defined in the installation wizard setup program. Enter and confirm the activation key and then click Initialize. If you enter the correct activation key, the Trust State changes to Trust established.
For more about SIC trust, see the R75.40VS Check Point VSX Administration Guide.
Wizard Step 4: Defining Physical Interfaces
In the VSX Gateway Interfaces window, you can define physical interfaces as VLAN trunks. The page shows the interfaces currently defined on the VSX Gateway.
To define an interface as a VLAN trunk, select VLAN Trunk for the interface.
You can define VLAN trunks later. For this example, choose Next.
Wizard Step 5: Virtual Network Device Configuration
If you chose the Custom Configuration option, the Virtual Network Device Configuration window opens.
The options in this window are not supported for the 41000 Security System.
Click Next.
Wizard Step 6: VSX Gateway Management
In the VSX Gateway Management window, define security policy rules that protect the VSX Gateway. This policy is installed automatically on the new VSX Gateway.
Note - This policy applies only to traffic destined for the VSX Gateway. Traffic destined for Virtual Systems, other virtual devices, external networks, and internal networks is not affected by this policy.
The security policy consists of predefined rules for these services:
- UDP - SNMP requests
- TCP - SSH traffic
- ICMP - Echo-request (ping)
- TCP - HTTPS traffic
To Modify the Gateway Security Policy
1. Allow: Select to pass traffic on the selected services. Clear this option to block traffic on this service. By default, all services are blocked.
   For example, to be able to ping the gateway from the management server, allow ICMP echo-request traffic.
2. Source: Click the arrow and select a Source Object from the list.
   The default value is *Any. Click New Source Object to define a new source.
You can modify the security policy rules that protect the VSX Gateway later.
Click Next.
Wizard Step 7: Completing the VSX Wizard
Click Next to continue and then click Finish to complete the VSX Gateway wizard.
This may take several minutes to complete.
If the process ends unsuccessfully, click View Report to see the error messages.
Confirming the VSX Gateway Software Configuration
To make sure that the policy was successfully installed:
1. Connect to the appliance (through SSH or the serial console).
2. Run asg monitor -vs all
3. Make sure that the status for SGMs is: Enforcing Security on the Active and Standby Chassis, for all Virtual Systems.
This shows the output for a dual Chassis VSX Gateway. Chassis 1 (Active) has 1 SGM in its Security Group.
--------------------------------------------------------------------------------
| Chassis 1                    ACTIVE                                          |
--------------------------------------------------------------------------------
| SGM     |  1   (local)         |  -                   |   -                  |
--------------------------------------------------------------------------------
| State   |  UP                  |  -                   |   -                  |
--------------------------------------------------------------------------------
| VS ID                                                                        |
--------------------------------------------------------------------------------
|   0     |  Enforcing Security  |  -                   |   -                  |
--------------------------------------------------------------------------------
You can now add more SGMs to the Security Group. Use the asg security_group tool.
Run asg monitor -vs all
After all SGMs are UP and enforcing Security, you can add Virtual Systems to the VSX Gateway.
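The check in step 3 can be scripted so that it fails loudly when any SGM or Virtual System is not in the expected state. This is an added example, not part of the original post or of Check Point's tooling; it assumes the table layout shown above, and the function names check_asg_monitor, sample_ok and sample_degraded are hypothetical. The degraded sample is constructed.

```shell
# Added example: validate `asg monitor -vs all` output read from stdin.
# Assumes the layout above: pipe-delimited rows, one "State" row per chassis,
# one numeric row per VS ID, and "-" for an empty SGM column.
check_asg_monitor() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[|]/ {
            label = trim($2); gsub(/ +/, " ", label)
            if (label ~ /^Chassis /) { chassis = label; next }
            if (label == "State") { kind = "SGM state"; want = "UP" }
            else if (label ~ /^[0-9]+$/) { kind = "VS " label; want = "Enforcing Security" }
            else next
            rows++
            for (i = 3; i < NF; i++) {
                v = trim($i)
                if (v == "-" || v == "") continue      # empty SGM column
                if (v != want) {
                    printf "FAIL %s: %s column %d is \"%s\"\n", chassis, kind, i - 2, v
                    bad++
                }
            }
        }
        END {
            if (rows == 0) { print "FAIL: no State or VS rows found"; exit 2 }
            if (bad) exit 1
            print "OK: every listed SGM is UP and every VS is Enforcing Security"
        }'
}

# Sample input: the output shown above.
sample_ok() { cat <<'EOF'
--------------------------------------------------------------------------------
| Chassis 1                    ACTIVE                                          |
--------------------------------------------------------------------------------
| SGM     |  1   (local)         |  -                   |   -                  |
--------------------------------------------------------------------------------
| State   |  UP                  |  -                   |   -                  |
--------------------------------------------------------------------------------
| VS ID                                                                        |
--------------------------------------------------------------------------------
|   0     |  Enforcing Security  |  -                   |   -                  |
--------------------------------------------------------------------------------
EOF
}

# Constructed failing variant: the SGM state is changed from UP to DOWN.
sample_degraded() { sample_ok | sed 's/|  UP  /|  DOWN/'; }

sample_ok | check_asg_monitor
# On the appliance: asg monitor -vs all | check_asg_monitor
```

The function returns 0 when all rows pass, 1 when any state differs, and 2 when the input contains no recognizable rows, so a truncated or empty capture is not mistaken for a healthy system.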
Licensing and Registration
The 41000 Security System has an initial 180 day evaluation license. After the evaluation license expires, you must register the Chassis and generate a license.
Important - The 41000 Security System only supports local licensing. You must assign an IP address to the 41000 Security System.
Each Chassis has its own license. If you have a dual Chassis system, you must generate two licenses. The license key is the 41000 Security System Certificate Key (CK).
To license and register the 41000 Security System:
1. Open the User Center Registration page.
2. Search for the Certificate Key.
3. Generate a license based on the IP address of the SSM interface connected to your Security Management Server.
   Note - The 41000 Security System has a single Management IP address. In dual Chassis environments, the Active and Standby Chassis should be bound to the same IP address in the license. Generate two licenses and enter the same IP address in each license.
4. Install the license on the system.
   - If you use the cplic command, run it from gclish so that it applies to all SGMs.
   - If using SmartUpdate, install the Policy.
Basic Configuration Using gclish
Use the gclish shell for basic system configuration.
Virtual Context

| To | Run | Applicable Modes |
|---|---|---|
| Move to a different virtual context | # set virtual-system <vsid> | VSX Gateway |

Interfaces

| To | Run | Applicable Modes |
|---|---|---|
| Set an IPv4 address on an interface | # set interface eth1-01 ipv4-address 192.0.20.10 mask-length 24 | Security Gateway |
| Show the IPv4 interface address | # show interface eth1-01 ipv4-address | Security Gateway, VSX Gateway |
| Delete the IPv4 address from an interface | # delete interface eth1-01 ipv4-address | Security Gateway |

Hostname

| To | Run | Applicable Modes |
|---|---|---|
| Set the hostname | # set hostname <security system name> (Each SGM gets its local identity as suffix. For example: gcp-X1000-ch01-04) | Security Gateway, VSX Gateway |
| Show the hostname | # show hostname | Security Gateway, VSX Gateway |

Routes

| To | Run | Applicable Modes |
|---|---|---|
| Set a default route | # set static-route default nexthop gateway address 192.0.20.1 on | Security Gateway |
| Show the route table | # show route | Security Gateway, VSX Gateway |

Bonds

| To | Run | Applicable Modes |
|---|---|---|
| Create a bond and assign an interface to it | # add bonding group 1000 interface eth2-03 | Security Gateway, VSX Gateway |
| Show existing bonds | # show bonding groups | Security Gateway, VSX Gateway |

VLANs

| To | Run | Applicable Modes |
|---|---|---|
| Add a VLAN interface | # add interface eth2-02 vlan 1023 | Security Gateway |
| Show a VLAN interface | # show interface eth2-02 vlans | Security Gateway, VSX Gateway |

Image Management (Snapshots)

| To | Run | Applicable Modes |
|---|---|---|
| Add a snapshot | # add snapshot <snapshot name> desc <description> | Security Gateway, VSX Gateway |
| Revert to a snapshot | # set snapshot revert <snapshot name> | Security Gateway, VSX Gateway |
| Show snapshots and monitor snapshot progress | # show snapshots | Security Gateway, VSX Gateway |

