Watch Video: https://youtu.be/IqYplva7cRk
The 41000 Security System can work as a Security Gateway or as a VSX Gateway. The Security Management Server must be R76 or higher.

Important - R76 SmartDashboard is not supported. You must download and install the updated SmartDashboard.
Do one of these procedures:
o Configuring a Security Gateway
o Configuring a VSX Gateway
This procedure explains how to configure a Security Gateway in SmartDashboard.

Note - The Check Point Security Gateway Creation Wizard is version dependent. The steps may vary slightly.
To configure a Security Gateway:
1. Open SmartDashboard.
2. Enter your credentials to connect to the Security Management Server.
3. Create the Check Point Security Gateway object. In the Network Objects tree, right-click and select New > Check Point > Security Gateway/Management. The Check Point Security Gateway Creation wizard opens.
4. Select Wizard Mode or Classic Mode. This procedure describes Wizard Mode. If you choose Classic Mode, make sure you set all the necessary configuration parameters yourself.
5. In the General Properties screen, configure:
§ Gateway name
§ Gateway platform - Select 61000 Appliance.
§ Gateway IP address
6. Click Next.
7. In the Secure Internal Communication Initialization screen, enter the One-time password. This is the same as the Activation Key you entered during the initial setup.
8. Click Next.
9. View the Configuration Summary.
10. Select Edit Gateway properties for further configuration.
11. Click Finish. The General Properties page of the 41000 Security System object opens.
12. In the General Properties page, make sure the Version is correct.
13. Enable the Firewall Software Blade. If required, enable other supported Software Blades.
14. In the navigation tree, select Topology.
15. Configure:
§ Interfaces as Internal or External
§ Anti-Spoofing. Enable it on every interface so that packets arriving with a source address that does not belong to the network behind that interface are dropped.
Note: Only data and management interfaces are shown in the list.
16. Click OK. The Security Gateway object closes.
17. Install the Policy.
To make sure that the policy was successfully installed:
1. Connect to the appliance (through SSH or the serial console).
2. Run asg monitor
3. Make sure that the status for all SGMs is Enforcing Security on both the ACTIVE and the STANDBY Chassis.
4. Make sure the Policy Date matches the time that the policy was installed.

To verify the configuration:
After configuring the Security Gateway and installing the policy, validate the configuration with the asg diag command. The command collects and shows diagnostic information about the system. If a test reports a problem, fix it before putting the system into production.
The 41000 Security System can work as a Security Gateway or as a VSX Gateway. This procedure shows how to configure a VSX Gateway in SmartDashboard.

Before creating the VSX Gateway
It is important to know how VSX works, and to understand the VSX architecture and concepts. It is also important to understand how to deploy and configure your security environment using VSX virtual devices:
o Virtual System
o Virtual System in Bridge Mode
o Virtual Router
o Virtual Switch
To learn how VSX works, and about its architecture, concepts and virtual devices, see the VSX Administration Guide.
The VSX Gateway Wizard
This section explains how to create a new VSX Gateway using the VSX Gateway Wizard. The VSX Gateway in this example has one Virtual System (VS0) and one dedicated management interface.

After you complete the VSX Gateway Wizard, you can change the VSX Gateway definition from SmartDashboard. For example, you can add Virtual Systems, add or delete interfaces, or configure existing interfaces to support VLANs.

Note -
1. Do not enable IPv6 before you create and configure the new VSX Gateway; doing so can cause system instability. First create the VSX Gateway, then enable and configure IPv6 using gclish.
2. The Check Point VSX Gateway Wizard is version dependent. The steps may vary slightly.
To start the VSX Gateway wizard:
1. Open SmartDashboard. If you are using Multi-Domain Security Management, open SmartDashboard from the Domain Management Server of the VSX Gateway.
2. From the Network Objects tree, right-click Check Point and select VSX > Gateway. The General Properties page of the VSX Gateway Wizard opens.

Configure these parameters on the General Properties page:
o VSX Gateway Name: Unique, alphanumeric name for the VSX Gateway. The name cannot contain spaces or special characters except the underscore.
o VSX Gateway IPv4 Address: Management interface IPv4 address
o VSX Gateway IPv6 Address: Management interface IPv6 address
o VSX Gateway Version: Select the VSX version installed on the VSX Gateway from the drop-down list.
The Creation Templates page lets you provision predefined, default topology and routing definitions to Virtual Systems. This makes sure Virtual Systems are consistent and makes the definition process faster. You always have the option to override the default creation template when you create or change a Virtual System.

The Creation Templates are:
o Shared Interface - Not supported for the 41000 Security System.
o Separate Interfaces: Virtual Systems use their own separate internal and external interfaces. This template creates a Dedicated Management Interface (DMI) by default.
o Custom Configuration: Define Virtual System, Virtual Router, Virtual Switch, and Interface configurations.
For this example, choose Custom Configuration.
Initialize Secure Internal Communication (SIC) trust between the VSX Gateway and the management server. The gateway and server cannot communicate without trust.

When you create a VSX Gateway, you must enter the Activation Key that you defined in the installation wizard setup program. Enter and confirm the activation key and then click Initialize. If you enter the correct activation key, the Trust State changes to Trust established.

For more about SIC trust, see the R75.40VS Check Point VSX Administration Guide.
In the VSX Gateway Interfaces window, you can define physical interfaces as VLAN trunks. The page shows the interfaces currently defined on the VSX Gateway. To define an interface as a VLAN trunk, select VLAN Trunk for the interface. You can also define VLAN trunks later. For this example, click Next.

If you chose the Custom Configuration option, the Virtual Network Device Configuration window opens. The options in this window are not supported for the 41000 Security System. Click Next.
In the VSX Gateway Management window, define the security policy rules that protect the VSX Gateway itself. This policy is installed automatically on the new VSX Gateway.

Note - This policy applies only to traffic destined for the VSX Gateway. Traffic destined for Virtual Systems, other virtual devices, external networks, and internal networks is not affected by this policy.

The security policy consists of predefined rules for these services:
o UDP - SNMP requests
o TCP - SSH traffic
o ICMP - Echo-request (ping)
o TCP - HTTPS traffic

To modify the Gateway Security Policy:
1. Allow: Select to pass traffic on the selected service. Clear this option to block traffic on this service. By default, all services are blocked. For example, to be able to ping the gateway from the management server, allow ICMP echo-request traffic.
2. Source: Click the arrow and select a Source Object from the list. The default value is *Any. Click New Source Object to define a new source. Where you allow SSH, HTTPS or SNMP, restrict the Source to the management server and administrator hosts rather than leaving it at *Any.
You can modify the security policy rules that protect the VSX Gateway later. Click Next.

Click Next to continue and then click Finish to complete the VSX Gateway wizard. This may take several minutes to complete. If the process ends unsuccessfully, click View Report to see the error messages.
To make sure that the policy was successfully installed:
1. Connect to the appliance (through SSH or the serial console).
2. Run asg monitor -vs all
3. Make sure that the status for all SGMs is Enforcing Security on both the Active and the Standby Chassis, for all Virtual Systems.

This shows the output for a dual Chassis VSX Gateway. Chassis 1 (Active) has 1 SGM in its Security Group.

--------------------------------------------------------------------------------
|                               Chassis 1 ACTIVE                               |
--------------------------------------------------------------------------------
| SGM   | 1 (local)            | -                    | -                    |
--------------------------------------------------------------------------------
| State | UP                   | -                    | -                    |
--------------------------------------------------------------------------------
| VS ID |                                                                      |
--------------------------------------------------------------------------------
| 0     | Enforcing Security   | -                    | -                    |
--------------------------------------------------------------------------------

You can now add more SGMs to the Security Group with the asg security_group tool. Then run asg monitor -vs all again. After all SGMs are UP and Enforcing Security, you can add Virtual Systems to the VSX Gateway.
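Both verification steps on this page (asg monitor for a Security Gateway, asg monitor -vs all for a VSX Gateway) come down to reading the same table, which is easy to script. The script below is an added example written for this page; it is not part of Check Point's asg tooling. It assumes the table layout shown above (one column per SGM slot, "-" for an empty slot, one row per VS ID) and is meant to be run in expert mode on the chassis, or offline against the two constructed samples it embeds. The second sample is hypothetical: it adds a second SGM that is DOWN and a Virtual System that has not finished initializing, and the check must report both.

```shell
#!/bin/sh
# Added example, not Check Point's own tooling: parse the table printed by
# 'asg monitor' / 'asg monitor -vs all' and fail if any SGM is not UP or any
# Virtual System on it is not "Enforcing Security". On a chassis:
#   asg monitor -vs all | check_asg_monitor && echo "policy enforced on all SGMs"
# The parser splits on "|", so column widths do not matter.

# Constructed sample 1: the single-SGM output shown on the page (healthy).
SAMPLE_OK='--------------------------------------------------------------------------------
|                               Chassis 1 ACTIVE                               |
--------------------------------------------------------------------------------
| SGM   | 1 (local)            | -                    | -                    |
--------------------------------------------------------------------------------
| State | UP                   | -                    | -                    |
--------------------------------------------------------------------------------
| VS ID |                                                                      |
--------------------------------------------------------------------------------
| 0     | Enforcing Security   | -                    | -                    |
--------------------------------------------------------------------------------'

# Constructed sample 2 (hypothetical): SGM 2 joined the Security Group but is
# DOWN, and VS 1 on it is still initializing. Both must be reported.
SAMPLE_BAD='--------------------------------------------------------------------------------
|                               Chassis 1 ACTIVE                               |
--------------------------------------------------------------------------------
| SGM   | 1 (local)            | 2                    | -                    |
--------------------------------------------------------------------------------
| State | UP                   | DOWN                 | -                    |
--------------------------------------------------------------------------------
| VS ID |                                                                      |
--------------------------------------------------------------------------------
| 0     | Enforcing Security   | Enforcing Security   | -                    |
--------------------------------------------------------------------------------
| 1     | Enforcing Security   | Initializing         | -                    |
--------------------------------------------------------------------------------'

# check_asg_monitor: reads asg monitor output on stdin, prints one line per
# problem, and exits 0 only when every populated SGM slot is UP and shows
# "Enforcing Security" in every VS ID row.
check_asg_monitor() {
    awk -F'|' '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^\|/ {
            key = trim($2)
            if (key ~ /^Chassis/) { chassis = key; next }
            if (key == "SGM") {                 # header row: which slots hold an SGM
                for (i = 3; i < NF; i++) sgm[i] = trim($i)
                next
            }
            if (key == "State") {               # every populated slot must be UP
                for (i = 3; i < NF; i++) {
                    s = trim($i)
                    if (sgm[i] != "-" && s != "UP") { print chassis ": SGM " sgm[i] " state is " s; bad++ }
                }
                next
            }
            if (key == "VS ID") next            # sub-header, no data
            if (key ~ /^[0-9]+$/) {             # one row per Virtual System
                for (i = 3; i < NF; i++) {
                    s = trim($i)
                    if (sgm[i] != "-" && s != "Enforcing Security") { print chassis ": SGM " sgm[i] " VS " key " is " s; bad++ }
                }
            }
        }
        END { exit (bad > 0) ? 1 : 0 }
    '
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OK"  | check_asg_monitor && echo "sample 1: all SGMs enforcing"
printf '%s\n' "$SAMPLE_BAD" | check_asg_monitor || echo "sample 2: problems found (listed above)"
```

On a dual Chassis system the output contains a second block headed "Chassis 2 STANDBY"; the parser handles any number of chassis blocks, so a single run covers the Active and Standby check the procedure asks for.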
The 41000 Security System has an initial 180 day evaluation license. After the evaluation license expires, you must register the Chassis and generate a license.

Important - The 41000 Security System only supports local licensing. You must assign an IP address to the 41000 Security System.

Each Chassis has its own license. If you have a dual Chassis system, you must generate two licenses. The license key is the 41000 Security System Certificate Key (CK).

To license and register the 41000 Security System:
1. Open the User Center Registration page.
2. Search for the Certificate Key.
3. Generate a license based on the IP address of the SSM interface connected to your Security Management Server.
Note - The 41000 Security System has a single Management IP address. In a dual Chassis environment, the Active and Standby Chassis should be bound to the same IP address in the license: generate two licenses (one per Chassis) and enter the same IP address in each.
4. Install the license on the system.
§ If you use the cplic command, run it from gclish so that it applies to all SGMs.
§ If you use SmartUpdate, install the policy.
Use the gclish shell for basic system configuration. Commands entered in gclish are applied to all SGMs in the Security Group.

Virtual Context

To                                            | Run                                                               | Applicable Modes
----------------------------------------------+-------------------------------------------------------------------+-------------------------------
Move to a different virtual context           | # set virtual-system <vsid>                                       | VSX Gateway

Interfaces

To                                            | Run                                                               | Applicable Modes
----------------------------------------------+-------------------------------------------------------------------+-------------------------------
Set an IPv4 address on an interface           | # set interface eth1-01 ipv4-address 192.0.20.10 mask-length 24   | Security Gateway
Show the IPv4 interface address               | # show interface eth1-01 ipv4-address                             | Security Gateway, VSX Gateway
Delete the IPv4 address from an interface     | # delete interface eth1-01 ipv4-address                           | Security Gateway

Hostname

To                                            | Run                                                               | Applicable Modes
----------------------------------------------+-------------------------------------------------------------------+-------------------------------
Set the hostname                              | # set hostname <security system name>                             | Security Gateway, VSX Gateway
Show the hostname                             | # show hostname                                                   | Security Gateway, VSX Gateway

Each SGM gets its local identity as a suffix to the hostname. For example: gcp-X1000-ch01-04

Routes

To                                            | Run                                                               | Applicable Modes
----------------------------------------------+-------------------------------------------------------------------+-------------------------------
Set a default route                           | # set static-route default nexthop gateway address 192.0.20.1 on  | Security Gateway
Show the route table                          | # show route                                                      | Security Gateway, VSX Gateway

Bonds

To                                            | Run                                                               | Applicable Modes
----------------------------------------------+-------------------------------------------------------------------+-------------------------------
Create a bond and assign an interface to it   | # add bonding group 1000 interface eth2-03                        | Security Gateway, VSX Gateway
Show existing bonds                           | # show bonding groups                                             | Security Gateway, VSX Gateway

VLANs

To                                            | Run                                                               | Applicable Modes
----------------------------------------------+-------------------------------------------------------------------+-------------------------------
Add a VLAN interface                          | # add interface eth2-02 vlan 1023                                 | Security Gateway
Show a VLAN interface                         | # show interface eth2-02 vlans                                    | Security Gateway, VSX Gateway

Snapshots

To                                            | Run                                                               | Applicable Modes
----------------------------------------------+-------------------------------------------------------------------+-------------------------------
Add a snapshot                                | # add snapshot <snapshot name> desc <description>                 | Security Gateway, VSX Gateway
Revert to a snapshot                          | # set snapshot revert <snapshot name>                             | Security Gateway, VSX Gateway
Show snapshots and monitor snapshot progress  | # show snapshots                                                  | Security Gateway, VSX Gateway