Monday, March 28, 2016

Installing Checkpoint Gateway

Installing Security Management Server and Security Gateways

Check Point Gaia software runs on many platforms and pre-configured appliances. Installations differ by deployment option and platform.
During installation, an automatic check is done to make sure that there is enough disk space for the installation.
For more about supported deployments, platforms, hardware requirements and operating systems, see the R77, R77.10, R77.20, and R77.30 Release Notes.
Note - You must install, configure and activate the TCP/IP network protocol before you run the installation program.

Installing Using Gaia Upgrades (CPUSE)

With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. The software update packages and full images are for major releases, minor releases and Hotfixes. All of the CPUSE processes are handled by the Deployment Agent daemon (DA).
Gaia automatically locates and shows the available software update packages and full images that are relevant to the Gaia operating system version installed on the computer, the computer's role (gateway, Security Management Server, standalone), and other specific properties. The images and packages can be downloaded from the Check Point Support center and installed.
Note - The Software Updates feature was renamed to Check Point Upgrade Service Engine (CPUSE) in R77.20.
For more about CPUSE, see the R77 Gaia Administration Guide.
Limitations when Installing Full Images
  • IP Appliances are not supported.
  • UTM-1 130 and UTM-1 270 are not supported.
Software Update Requirements
  • At least 4 GB free disk space in /var/log
  • Un-partitioned free disk space should be at least the size of the root partition. To find the amount of un-partitioned free disk space, run pvs (the PFree column); to find the size of the root partition, run df -h.
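The two requirements above can be checked from expert mode before you start a CPUSE install. The script below is an added example and is not from the Check Point guide: it parses df -Pk (the POSIX format, which is easier to parse than df -h) and pvs --noheadings --units k -o pv_free, taking both outputs from files so the parsing can be exercised offline on constructed samples. The 4 GB threshold and the "PFree at least the size of the root partition" rule are the ones stated above; the script, function and file names are assumptions of this example.

```shell
#!/bin/sh
# cpuse_preflight.sh - added example, not part of the Check Point guide.
# Checks the two CPUSE software-update requirements listed above:
#   1. at least 4 GB free in /var/log
#   2. un-partitioned (LVM PFree) space at least the size of the root partition
# The parsers read command output from stdin so they can be tested on
# constructed samples; run_checks feeds them the live df/pvs output.

MIN_LOG_FREE_KB=$((4 * 1024 * 1024))   # 4 GB expressed in 1 KB blocks

# Available KB of the filesystem mounted on $1, from `df -Pk` on stdin.
# -P gives one line per filesystem: $2 size, $4 avail, $NF mount point.
df_avail_kb() {
    awk -v mp="$1" '$NF == mp { print $4; exit }'
}

# Size in KB of the filesystem mounted on $1, from `df -Pk` on stdin.
df_size_kb() {
    awk -v mp="$1" '$NF == mp { print $2; exit }'
}

# Sum of free physical-volume space in KB, from
# `pvs --noheadings --units k -o pv_free` on stdin (lines such as "  62914560.00k").
pv_free_kb() {
    awk '{ sub(/k$/, "", $1); sum += $1 } END { printf "%d\n", sum }'
}

# check_space DF_FILE PVS_FILE
# Prints one verdict line per requirement; returns 0 only if both hold.
check_space() {
    df_out=$1
    pvs_out=$2
    rc=0
    log_free=$(df_avail_kb /var/log < "$df_out")
    root_size=$(df_size_kb / < "$df_out")
    pv_free=$(pv_free_kb < "$pvs_out")

    if [ "${log_free:-0}" -ge "$MIN_LOG_FREE_KB" ]; then
        echo "OK   /var/log: ${log_free} KB free (minimum ${MIN_LOG_FREE_KB} KB)"
    else
        echo "FAIL /var/log: ${log_free:-0} KB free (minimum ${MIN_LOG_FREE_KB} KB)"
        rc=1
    fi

    if [ "${root_size:-0}" -gt 0 ] && [ "${pv_free:-0}" -ge "$root_size" ]; then
        echo "OK   un-partitioned: ${pv_free} KB free, root partition ${root_size} KB"
    else
        echo "FAIL un-partitioned: ${pv_free:-0} KB free, root partition ${root_size:-0} KB"
        rc=1
    fi
    return $rc
}

# Live run (expert mode on Gaia): capture the real command output and check it.
run_checks() {
    tmp=$(mktemp -d) || return 1
    df -Pk > "$tmp/df.txt"
    pvs --noheadings --units k -o pv_free > "$tmp/pvs.txt"
    check_space "$tmp/df.txt" "$tmp/pvs.txt"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Only run the live checks when invoked as `sh cpuse_preflight.sh --run`.
case "${1:-}" in
    --run) run_checks ;;
esac
```

Run it as sh cpuse_preflight.sh --run in expert mode; a non-zero exit means at least one requirement is not met and the CPUSE Verifier is likely to refuse the install as well. The 4 GB figure is the guide's stated minimum; a busy gateway that is still writing logs during the upgrade needs more headroom than that.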
To update the Gaia Software Updates agent:
  1. Make sure the proxy and the DNS server are configured.
  2. In the WebUI, go to Upgrades (CPUSE) > Status and Actions.
  3. Select GaiaSoftwareUpdatesAgent_<BUILD_NUMBER>.tgz
    Note – If upgrading from R75.40 and the archive GaiaSoftwareUpdatesAgent_<BUILD_NUMBER>.tgz does not show, see sk81680. For the latest build number, see the R77 Release Notes.
  4. Click Download.
    The package is downloaded from the Check Point Support Center.
  5. Click Install.
To install R77 using Upgrades (CPUSE) - WebUI:
  1. Click the Full Images tab.
  2. Select the R77 image.
  3. Click Download.
  4. To make sure the installation is allowed, click Actions > Verifier.
  5. Click OK.
    The Installation verified - Installation is allowed window shows. Verification is complete.
  6. Click Clean Install.
  7. Reboot.

Installing Standalone

Standalone Deployment - The Security Management Server and the Security Gateway are installed on the same computer or appliance.
[Figure: Standalone deployment. Item 1 - Standalone computer; the firewall icon marks the Security Gateway component; the Software Blades icon marks the Security Management Server component.]

Disk Partitions in a Gaia Clean Installation

In general, Gaia disk partitions in a clean installation are larger than SecurePlatform partitions.
On Check Point appliances, the size of the disk partitions is predefined. On Smart-1 50/150/3050/3150 appliances, you can modify the default disk partitions in the first 20 seconds of an installation. The non-interactive installation then continues.
When installing Gaia on an open server, these partitions have default sizes:
  • System-swap
  • System-root
  • Logs
  • Backup and upgrade
You can change the System-root and the Logs partition sizes. The storage size assigned for backup and upgrade is updated accordingly.
To see the size of the system-root and log partitions on an installed system, enter expert mode and run the df -h command.
For example:
>df -h
 
Filesystem                        Size  Used Avail Used%  Mounted on
/dev/mapper/vg_splat-lv_current   25G   3.4G  20G     15% /
/dev/sda1                         145M   19M  118M    14% /boot
tmpfs                             2.0G     0  2.0G    0%  /dev/shm
/dev/mapper/vg_splat-lv_log        40G  345M   37G    1%  /var/log
In this example, the system root partition has 25 GB of disk space, and 40 GB is assigned for logs.
Most of the remaining space on the disk is reserved for backup images and upgrade. To see the disk space assigned for backup images, connect to the Gaia WebUI and go to the Maintenance > Image Management page. On an Open Server, the available space shown in the Image Management page is less than the space you defined when installing Gaia. The difference between the two amounts is the space reserved for upgrades; the amount of reserved space equals the size of the system-root partition.
Note - The minimum recommended space in /var/log to support upgrade is 4 GB.

Installing Standalone on Appliances

You can configure these appliances as Standalone:
  • UTM-1
  • IP appliances
  • 2200 series
  • 4000 series
  • 12000 series
  • 13000 series
  • 21000 series
Before you configure an appliance as a Standalone (Check Point Security Gateway and Security Management Server in one), you must first install the latest version of the R77 Gaia Operating System on it. On appliances running R77.20 or an earlier version of Gaia, run a clean installation. On appliances running R77.30 or higher, revert to factory defaults.

Running a Clean Installation of Gaia

To install R77 Gaia on IP appliances:
See sk100686.
To install R77 Gaia on UTM-1 and 2012 series appliances:
  1. Download the Gaia Operation System ISO file from the Check Point Support Center onto your computer.
  2. Create one of these removable installation media:
    • DVD - burn the ISO file onto it
    • Removable USB device - see sk65205 to create it
  3. Connect a computer to the console port on the front of the appliance through the supplied DB9 serial cable.
  4. Connect to the appliance through a terminal emulation program, using these connection settings:
    1. The connection type - select or enter a serial port
    2. Define the serial port settings: 9600 BPS, 8 bits, no parity, 1 stop bit.
    3. From the Flow control list, select None.
  5. Connect the installation media to the USB port on the appliance.
    For installation from a DVD, connect an external DVD drive, and insert the DVD into it.
  6. Reboot the appliance.
    The appliance begins the boot process and status messages show in the terminal emulation window.
  7. Redirect boot sequence to the installation media:
    • For installation from a DVD - Press Enter within 90 seconds to boot from the installation media.
      Note - If more time elapses, the appliance boots from the hard drive.
    • For installation from a removable USB device - In the boot screen, enter serial at the boot prompt and press Enter.
    The R77 ISO file is installed on the appliance, and the version and build number show in the terminal emulation window and on the LCD screen.
  8. Reboot the appliance - press CTRL+C.
    The appliance reboots and shows the model number on the LCD screen.

Configuring a Standalone Appliance

You can configure a Check Point Standalone appliance using the Check Point First Time Configuration Wizard in one of these modes:
  • Standard - supported on all appliances running all R77 Gaia versions
  • Quick Setup - supported only on 2200, 4000, 12000, 13000 and 21000 series appliances running R77.30 or a later Gaia version
Gaia Quick Setup is suitable for quick deployment of preconfigured settings on Check Point appliances. You can use it in production environments, for Security Checkup analysis, and for demos. Quick Setup configures appliances as Check Point Standalone (Security Management Server and Security Gateway), with selected Software Blades preconfigured, and in monitor or in bridge mode. For more information, see sk102231.
To configure Check Point products on an appliance running Gaia Operating System, the administrator uses the IP address of the management interface on the appliance. The default is 192.168.1.1, but you can change it. If you change the management interface IP address, make sure it is on the same subnet as the management network, so that you can access the appliance from a remote computer over the network. You can change the management IP address before, during, or after running the First Time Configuration Wizard. If you change the management IP address during the First Time Configuration Wizard, the warning shows: Your IP address has been changed. In order to maintain the browser connection, the old IP address will be retained as a secondary IP address.
Note - On a UTM-1 appliance, the internal interface (INT) is used as the management interface.
To change the management IP address before running the First Time Configuration Wizard:
  1. Open a console connection to the appliance using the default management IP address.
  2. Log in using the default credentials:
    • username - admin
    • password - admin
  3. Run the show interfaces command to get the name of the management interface.
  4. In clish, run this command to set the management interface:
    set interface mgmt ipv4-address <IPv4 address> subnet-mask <mask>
  5. Run this command to configure the static route to the default gateway:
    set static-route default nexthop gateway address <ip address> on
Now, you can use the configured management IP address to connect through a browser with the WebUI and to run the First Time Configuration Wizard.
To change the management IP address after running the First Time Configuration Wizard:
  1. Open a browser connection to the default management IP address.
  2. In WebUI, go to Network Management > Network interfaces.
  3. In the Management Interface area, click Set Management Interface.
  4. The Management interface window shows which interface is configured as the management interface.
  5. In Interfaces table, select the management interface and click Edit.
  6. Change the IP address of the interface.
    Note - The connection will drop, because the settings of an interface the browser is currently connecting to are changed.
  7. Click OK.
To configure a Standalone appliance using First Time Configuration Wizard in the standard mode:
  1. Connect the appliance to the management network through the management interface (MGMT).
  2. On a computer that is connected to the management network, open a web browser to the management IP address on the appliance.
    The login page opens.
  3. Log in with the default credentials:
    • username - admin
    • password - admin
  4. Click Login.
    The First Time Configuration Wizard starts and the Welcome screen shows.
  5. Click Next.
  6. In the Setup section of Deployment Options view, select Continue with Gaia R77 configuration and click Next.
  7. Change the default administrator password and click Next.
  8. Configure the Management Connection settings:
    • IPv4 address and Subnet mask of the management interface
      Note - You can leave the IP address and the subnet mask unchanged. It is either the factory default address or the latest address that the administrator configured.
    • IPv4 address of the Default Gateway
    • Configure IPv6 (optional) -
      • Select On from the drop-down menu (by default, it is off)
      • Enter the IPv6 address and Subnet mask of the management interface
      • Enter the IPv6 address of the Default Gateway
  9. Click Next.
  10. Configure Connection to UserCenter settings (optional) - an additional interface for remote management:
    • Interface - select an interface on the appliance
    • Configure IPv4 -
      • Select On from the drop-down menu (by default, it is off)
      • Enter the IPv4 address and Subnet mask of the interface
    • Configure IPv6 -
      • Select On from the drop-down menu (by default, it is off)
      • Enter the IPv6 address and Subnet mask of the interface
  11. Click Next.
  12. Configure the Date and Time Settings in one of these ways:
    • Manually
    • Configure the NTP server - define the hostname and the IP address (IPv4 or IPv6)
  13. Click Next.
  14. In the Products window, select Security Gateway and Security Management
    If the unit is part of a cluster:
  15. Select the cluster type: ClusterXL or VRRP Cluster
    • Define the Management as Primary, Secondary, or Log Server/SmartEvent Only
    • Enter the Cluster Global ID - only on versions R77.30 and later
  16. Click Next.
  17. Define login credentials for the Security Management Server administrator account - Name and New Password
  18. Click Next.
  19. Define SmartConsole clients that can log in to the Security Management Server:
    • For This machine or Network - an IPv4 or an IPv6 address
    • Range of IPv4 addresses
  20. Click Next.
  21. On UTM-1 and 2012 models only -
    1. Get a license automatically from the UserCenter and activate it, or use the trial license.
    2. If there is a proxy server between the appliance and the Internet, enter its IP address and port.
    3. Click Next.
  22. Review the summary, make sure it is correct, and click Finish.
  23. On UTM-1 and 2012 models only, click Yes to start the configuration process.
    A progress bar tracks the configuration of each task.
  24. Click OK to finish the installation.
    If the Help Check Point Improve Upgrades (CPUSE) window shows, click Yes or No.
After Gaia R77.30 is installed on the appliance, you can also download the SmartConsole using the Gaia WebUI.
To download the SmartConsole:
  1. Open a web browser and connect to: https://<management_ip_address>
  2. In the Overview page of the WebUI, click Download Now!

When you configure a Standalone appliance in Quick Setup mode, these products settings are configured:
  • Security Gateway - in bridge or monitor mode
  • Security Management Server with these blades:
    • Firewall Software Blade - with Any-Any-Accept default policy and logging of a few common protocols
    • IPS Software Blade - set to inspect all traffic and has troubleshooting turned on by default
    • Application Control and URL Filtering Software Blades - each with Any-Any-Log policy, set to run in the background, and with fail-open mode turned on
    • Anti-Bot Software Blade
    • Anti-Virus Software Blade
    • Threat Emulation Software Blade - in ThreatCloud mode
    • SmartEvent Software Blade - with detect-only policy, set to scan all file types in both directions, and set to run in the background
      Note - Anti-Bot, Anti-Virus, and Threat Emulation are not installed on 2200 series appliances
To configure a Standalone appliance using First Time Configuration Wizard in the Quick Setup mode:
  1. Connect the appliance to the management network through the management interface (MGMT).
  2. On a computer that is connected to the management network, open a web browser to the management IP address on the appliance.
    The login page opens.
  3. Log in with the default credentials:
    • username - admin
    • password - admin
  4. Click Login.
    The First Time Configuration Wizard starts and the Welcome screen shows.
  5. Click Next.
  6. In the Setup section of Deployment Options view, select Quick Standalone setup of Gaia <latest_version> and click Next.
  7. In the Quick Setup window, configure settings in these sections:
    • Management - New IPv4 address and Subnet mask
      Note - You can leave the IP address and the subnet mask unchanged. It is either the factory default address or the latest address that the administrator configured.
    • Authentication - New Password (make sure to Confirm Password) for the Gaia OS and the Security Management Server admin account
    • Networking -
      • IPv4 Address (<int>) and Subnet mask (optional) of the additional interface for remote access
      • Default gateway - make sure it is in the same subnet as the Management IP address (if you use the new interface for management, the address of the default gateway must be in the same subnet as the address of the new interface)
      • DNS server IP address (optional)
      • Proxy server (optional) - select Proxy server and enter the Address and the Port number
      • Topology - select Monitor mode or Bridge mode
      • To verify connectivity, click Test Connectivity.
  8. Click Next.
  9. Review the summary, make sure it is correct, and click Finish.
    Note - In Quick Setup mode, date and time are automatically synchronized with those on the PC that is used to run the First Time Configuration Wizard.
After the First Time Configuration Wizard runs in Quick Setup mode, the latest R77 version of the Security Checkup is installed and can be used with R77.30 or a later version of SmartConsole.
If you want to convert the standalone appliance into a gateway only, and manage it with an existing Security Management Server, you can download and run this script on the appliance:
# /bin/standlone_to_gw_registry_update.sh $CPDIR/registry/HKLM_registry.data
Notes -
  • Quick Setup cannot be used to reconfigure Security Gateways of different versions
  • Quick Setup does not automatically activate the Standalone configuration products - the 15-day trial license is used until the products are activated
  • After the Quick Setup configuration runs, to activate Threat Emulation Software Blade, you must activate the Standalone on the appliance

Installing Standalone on Open Servers

A standalone deployment can be installed on any computer that meets the minimum requirements (see the Release Notes).
This procedure explains how to install the Gaia operating system on an open server. Then you configure the Standalone Check Point products.
To install Gaia on an open server:
  1. Start the computer using the installation media.
  2. When the first screen shows, select Install Gaia on the system and press Enter.
  3. You must press Enter in 60 seconds, or the computer will try to start from the hard drive. The timer countdown stops once you press Enter. There is no time limit for the subsequent steps.
  4. Press OK to continue with the installation.
  5. Select a keyboard language. English US is the default.
  6. Make sure the disk space allocation is appropriate for the environment.
  7. Enter and confirm the password for the admin account.
  8. Select the management interface (default = eth0).
  9. Configure the management IP address, net mask and default gateway. You can define the DHCP server on this interface.
  10. Select OK to format your hard drive and start the installation.
  11. Press reboot to complete the installation.
To configure Check Point products on Gaia, use the First Time Configuration Wizard. Configure the operating system and install the products in one wizard.
To configure standalone products on Gaia:
  1. Using your Web browser, go to the WebUI:
    https://<Gaia management IP address>
  2. In the Gaia Portal window, log in using the administrator name and password that you defined during the installation procedure.
  3. The WebUI shows the First Time Configuration Wizard. Click Next.
  4. Select Continue with configuration of Gaia R77.
  5. Click Next.
  6. Change the default administrator password.
  7. Click Next.
  8. Set an IPv4 and an IPv6 address for the management interface, or set one IP address (IPv4 or IPv6).
    If you change the management IP address, the new IP address is assigned to the interface. The old IP address is added as an alias and is used to maintain connectivity.
  9. Set the host name for the appliance.
    Optional:
    • Set the domain name, and IPv4 or IPv6 addresses for the DNS servers.
    • Set the IP Address and Port for a Proxy Server
  10. Click Next.
  11. Set the date and time manually, or enter the hostname, IPv4 address or IPv6 address of the NTP server.
    Click Next.
  12. Set the username and password for the Security Management Server administrator account and then click Next.
  13. Select Security Gateway and Security Management and then click Next.
  14. Define IP addresses from which SmartConsole clients can log in to the Security Management Server.
    • If you select This machine or Network, define an IPv4 or an IPv6 address.
    • You can also select a range of IPv4 addresses.
  15. Click Next.
  16. Get a license automatically from the UserCenter and activate it, or use the trial license.
    If there is a proxy server between the appliance and the Internet, enter its IP address and port.
  17. Click Next.
  18. Review the summary and, if correct, click Finish.
  19. To start the configuration process, click Yes.
    A progress bar tracks the configuration of each task.
  20. Click OK.
  21. If the Help Check Point Improve Upgrades (CPUSE) window shows, click Yes or No.
    After some minutes, you can use the WebUI to configure your standalone environment.
  22. If necessary, download SmartConsole from the Gaia WebUI.
    1. Open a connection from a browser to the WebUI: https://<management_ip_address>
    2. In the Overview page, click Download Now!
To configure a Gaia Secondary Security Management Server on a Standalone Open Server:
Use the same procedure as for the primary Security Management Server, with these changes:
  • In the Products page, define Security Management as Secondary.
  • In the Secure Internal Communication (SIC) page, define the Activation Key. Use this key to configure the secondary Security Management Server object in SmartDashboard.

Installing Security Management Server

Distributed Deployment - The Security Gateway and the Security Management Server are installed on different computers.
[Figure: Distributed deployment. Item 1 - Security Management Server; item 2 - Network connection; item 3 - Security Gateway; the firewall icon marks the Security Gateway component; the Software Blades icon marks the Security Management Server component.]
This section explains how to install the Security Management Server.

Disk Partitions in a Gaia Clean Installation

The partition layout, the df -h example and the 4 GB minimum for /var/log described in Disk Partitions in a Gaia Clean Installation under Installing Standalone, above, apply unchanged to a Security Management Server installation.

Installing Security Management Server on Appliances

You can install a Security Management Server on Smart-1 appliances. For more about supported appliances, see the R77 Release Notes.
  1. Make sure that you have the correct ISO file.
  2. Install the Gaia or SecurePlatform operating system on the Smart-1 appliance. See the instructions for UTM-1 and 2012 models in Running a Clean Installation of Gaia, above.
  3. Smart-1 50 only: Smart-1 50 appliances have two images: Security Management Server and Multi-Domain Server. To select the Security Management Server image:
    1. While the appliance is restarting, open the terminal emulation program.
    2. When prompted, press any key to enter the boot menu.
    3. Select Reset to factory defaults - Security Management Server and press Enter.
    4. Type yes and press Enter.
    The Security Management Server image is selected for the appliance and then the appliance resets.
Install the Security Management Server using the First Time Configuration Wizard.
Note - The management IP address can be changed before or after running the First Time Configuration Wizard. This is useful if you must access the device over the network. Use the console connection to configure the management interface before connecting the Gaia appliance to the network. Once the management interface has this address, you can connect through a browser over the network and run the First Time Configuration Wizard.
To change the Management address before running the First Time Configuration Wizard:
  1. Open a console connection.
  2. Log in using the default username and password: admin and admin.
  3. Run the show interfaces command to get the name of the management interface.
  4. In clish, set the management interface using:
    set interface mgmt ipv4-address <IPv4 address> subnet-mask <mask>
  5. Set the static route to the default gateway using:
    set static-route default nexthop gateway address <ip address> on
  6. Through a browser, connect to the WebUI and run the First Time Configuration Wizard.
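The console procedure above, and the identical one under Installing Standalone on Appliances, set the management address and the default route by hand, and the appliance and Quick Setup notes both warn that the default gateway must be in the same subnet as the new management address, or you lose remote access to the box. The script below is an added example and is not code from the Check Point guide: it validates that rule in plain POSIX sh (and, going slightly beyond the text, rejects malformed dotted-quad input) before it emits the clish lines from the procedure, plus save config so the change survives a reboot. The interface name Mgmt, the addresses, and the clish -f batch invocation in the usage comment are assumptions of this example; run show interfaces to get the real interface name, and paste the output into clish if your build does not accept a command file.

```shell
#!/bin/sh
# mgmt_ip_plan.sh - added example, not part of the Check Point guide.
# Validates that a new management IPv4 address and its default gateway are
# in the same subnet, then prints the clish commands from the procedure above.
# Usage (expert mode or any POSIX sh):
#   sh mgmt_ip_plan.sh Mgmt 192.168.10.5 255.255.255.0 192.168.10.1 > mgmt.clish
# Review mgmt.clish, then paste it into clish (or run `clish -f mgmt.clish`,
# assumed here to be supported by your Gaia build).

# valid_ipv4 ADDR - returns 0 if ADDR is four dotted decimal octets in 0..255
valid_ipv4() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
}

# same_subnet IP MASK GW - returns 0 if (IP & MASK) == (GW & MASK) octet by
# octet, 1 if they differ, 2 if any argument is not a valid dotted quad.
same_subnet() {
    valid_ipv4 "$1" && valid_ipv4 "$2" && valid_ipv4 "$3" || return 2
    set -- $(printf '%s %s %s\n' "$1" "$2" "$3" | tr '.' ' ')
    # $1-$4 address, $5-$8 mask, $9-$12 gateway
    [ $(( $1 & $5 )) -eq $(( $9    & $5 )) ] &&
    [ $(( $2 & $6 )) -eq $(( ${10} & $6 )) ] &&
    [ $(( $3 & $7 )) -eq $(( ${11} & $7 )) ] &&
    [ $(( $4 & $8 )) -eq $(( ${12} & $8 )) ]
}

# clish_commands IFNAME IP MASK GW - the two commands the procedure above
# runs, plus `save config` so the change survives a reboot.
clish_commands() {
    printf 'set interface %s ipv4-address %s subnet-mask %s\n' "$1" "$2" "$3"
    printf 'set static-route default nexthop gateway address %s on\n' "$4"
    printf 'save config\n'
}

# plan_mgmt_change IFNAME IP MASK GW - prints the commands only when the
# gateway is reachable from the new address; otherwise prints an error on
# stderr and returns 1, so a redirected output file stays empty.
plan_mgmt_change() {
    if same_subnet "$2" "$3" "$4"; then
        clish_commands "$1" "$2" "$3" "$4"
    else
        echo "refusing: gateway $4 is not in the subnet of $2/$3" >&2
        return 1
    fi
}

if [ $# -eq 4 ]; then
    plan_mgmt_change "$@"
fi
```

Because the commands are generated before anything is applied, you can diff the output against the addresses in your change ticket and only then paste it into clish over the console session; the console connection is unaffected by the address change, which is the point of doing this step from the serial port rather than from the WebUI.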
To change the management IP address after running the First Time Configuration Wizard:
  1. Open the WebUI.
  2. Open the Network Management > Network interfaces window.
  3. In the Management Interface area, click Set Management Interface.
  4. The Management interface window shows which interface is configured as the management interface.
  5. In Interfaces table, select the management interface and click Edit.
  6. Change the IP address of the interface.
    Note - you are about to change the settings of an interface the browser is currently connecting to.
  7. Click OK.
To start the First Time Configuration Wizard on Gaia:
  1. Connect the appliance to your management network through the management interface, which is marked MGMT.
    The management interface is preconfigured with the IP address 192.168.1.1. If you later change it through the Check Point WebUI, make sure that the new address is on the same subnet as the management network.
  2. Open a connection from a browser to the management IP address.
    The login page opens.
  3. Log in to the system with the default username and password: admin and admin
  4. Click Login.
    The First Time Configuration Wizard runs.
  5. Follow the instructions on the screen.
Note - Settings that you configure in the First Time Configuration Wizard can be changed later in the WebUI. From an Internet browser, go to https://<appliance_ip_address>
To configure Gaia Security Management on Smart-1 appliances:
  1. This step applies to R77.10 and higher. For other Gaia releases, configure these options in the Gaia WebUI, in the Image Management page and the Upgrades (CPUSE) page.
    In the Deployment Options page, select Continue with Gaia configuration. The other options are:
    • Clean install - install a version from the Check Point Cloud, or install from a USB device.
    • Recovery - automatic version recovery from the Check Point Cloud, or import an existing snapshot.
    Click Next.
  2. In the Authentication Details page, change the default administrator password.
    Click Next.
  3. In the Management Connection page, set an IPv4 and an IPv6 address for the management interface, or set one IP address (IPv4 or IPv6).
    You can change the Management IP address. Gaia automatically creates a secondary interface to keep connectivity when the management interface is not available. After you complete the First Time Configuration Wizard, you can remove this interface in the Interface Management > Network Interfaces page.
  4. Optional: In the Connection to UserCenter page, configure an external interface to connect to the Check Point UserCenter. Use this connection to download a license and activate it. Alternatively, use the trial license. To connect to the UserCenter, you must also configure DNS and (if applicable) a Proxy Server, in the Device Information page of the Wizard.
  5. In the Device Information page, set the Host Name for the appliance.
    Optional:
    • Set the domain name, and IPv4 or IPv6 addresses for the DNS servers.
    • To connect to the UserCenter, set the IP Address and Port for a Proxy Server. Do this if you want to activate the appliance by downloading a license from the UserCenter.
    Click Next.
  6. In the Date and Time Settings page, set the date and time manually, or enter the hostname, IPv4 address or IPv6 address of the NTP server.
    Click Next.
  7. This step does not apply to R77.20 and higher or Smart-1 205/210/225/3050/3150: 
    In the Appliance Type page, select Smart-1 appliance.
    Click Next.
  8. In the Products page, select Security Management and Primary.
    For R77.10 and higher: Automatically download Blade Contracts and other important data. Check Point highly recommends that you select Automatic Downloads.
  9. In the Security Management Administrator page, define the name and password of an administrator that can connect to the Security Management Server using SmartConsole clients.
    Click Next.
  10. In the Security Management GUI Clients page, define IP addresses from which SmartConsole clients can log in to the Security Management Server.
    • If you select This machine or Network, define an IPv4 or an IPv6 address.
    • You can also select a range of IPv4 addresses.
    Click Next.
  11. In the Appliance Activation page, get a license automatically from the UserCenter and activate it, or use the 15 day trial license.
    Click Next.
  12. In the Summary page, review your choices
    Optional: Improve product experience by Sending Data to Check Point.
    Click Finish.
  13. To start the configuration, click Yes.
    A progress bar tracks the configuration of each task.
    Click OK.
    The Security Management Server is installed on the appliance.
  14. If necessary, download SmartConsole from the Gaia WebUI.
    1. Open a connection from a browser to the WebUI: https://<management_ip_address>
    2. In the Overview page, click Download Now!
To configure a Gaia secondary Security Management on Smart-1:
Use the same procedure as for the primary Security Management Server, with these changes:
  • In the Products page, define Security Management as Secondary.
  • In the Secure Internal Communication (SIC) page, define the Activation Key. Use this key to configure the secondary Security Management Server object in SmartDashboard.
To configure a dedicated server for SmartEvent on Smart-1 205/210/225/3050/3150
Use the same procedure as for the Security Management Server, with these changes in the First Time Configuration Wizard:
  • In the Products page, select Dedicated Server and SmartEvent.
  • In the Secure Internal Communication (SIC) page, define the Activation Key. Use this key to configure the dedicated server for SmartEvent object in SmartDashboard.

Installing Security Management Server on Open Servers

A Security Management Server can be installed on any computer that meets the minimum requirements listed in the Release Notes.
First install and configure the operating system, then install Check Point products.
This procedure explains how to install a Security Management Server in a distributed deployment after you install the operating system.
To configure a Security Management Server on Gaia:
  1. Using your Web browser, go to the WebUI:
    https://<Gaia management IP address>
  2. In the Gaia Portal window, log in using the administrator name and password that you defined during the installation procedure.
  3. The WebUI shows the First Time Configuration Wizard. Click Next.
  4. Select Continue with configuration of Gaia R77.
  5. Click Next.
  6. Change the default administrator password.
  7. Click Next.
  8. Set an IPv4 and an IPv6 address for the management interface, or set one IP address (IPv4 or IPv6).
    If you change the management IP address, the new IP address is assigned to the interface. The old IP address is added as an alias and is used to maintain connectivity.
  9. Set the host name for the appliance.
    Optional:
    • Set the domain name, and IPv4 or IPv6 addresses for the DNS servers.
    • Set the IP Address and Port for a Proxy Server
  10. Click Next.
  11. Set the date and time manually, or enter the hostname, IPv4 address or IPv6 address of the NTP server.
    Click Next.
  12. Set the username and password for the Security Management Server administrator account and then click Next.
  13. Select Security Management and then click Next.
  14. Define IP addresses from which SmartConsole clients can log in to the Security Management Server.
    • If you select This machine or Network, define an IPv4 or an IPv6 address.
    • You can also select a range of IPv4 addresses.
  15. Click Next.
  16. Get a license automatically from the UserCenter and activate it, or use the trial license.
    If there is a proxy server between the appliance and the Internet, enter its IP address and port.
  17. Click Next.
  18. Review the summary and, if correct, click Finish.
  19. To start the configuration process, click Yes.
    A progress bar tracks the configuration of each task.
  20. Click OK.
  21. If the Help Check Point Improve Upgrades (CPUSE) window shows, click Yes or No.
  22. If necessary, download SmartConsole from the Gaia WebUI.
    1. Open a connection from a browser to the WebUI: https://<management_ip_address>
    2. In the Overview page, click Download Now!
To configure a Gaia Secondary Security Management Server:
Use the same procedure as for the primary Security Management Server, with these changes:
  • In the Products page, define Security Management as Secondary.
  • In the Secure Internal Communication (SIC) page, define the Activation Key. Use this key to configure the secondary Security Management Server object in SmartDashboard.

Installing Log Server

You can install a log server for a distributed deployment. Install the operating system and start to install the products as for a Security Management Server, but stop at the step where you select components.
To install a Log Server:
Do the steps to install a Security Management Server with these changes:
  • When selecting the products to install, select Security Management.
  • Define the Security Management as a Log Server.
  • In Windows: Do not select SmartEvent.

Installing Endpoint Security

In all non-standalone deployments, the Network Security Management Server can also be an Endpoint Security Management Server.
Installing Endpoint Security Servers
Use the installation instructions in this guide to install Security Management Servers. You can enable the Endpoint Security Management Server after the Security Management Server installation is completed. Endpoint Security E80.50 is installed with R77.
For R77 and R77.10 Security Management Servers, see the E80.50 Endpoint Security Administration Guide for more information.
For R77.20 Security Management Servers, see the Endpoint Security on R77.20 Management Administration Guide for more information.
To enable an Endpoint Security Management Server:
  1. Use the instructions in this guide to install a Security Management Server.
  2. In SmartDashboard, open the Security Management Server object.
  3. Enable the Endpoint Policy Management blade in the General Properties page.
  4. Select Policy > Install Database.
Check Point Cloud Services for Endpoint
After the Endpoint Security Management Server is enabled on the Security Management Server, these components communicate with the Check Point cloud services:
  • Endpoint Anti-Malware Software Blade – Downloads updates from the Check Point Malware Update Server.
    These updates are mandatory for the correct functioning of the Anti-Malware Software Blade. Blocking them causes severe security issues, because the blade then operates without the latest malware information database.
  • Endpoint Anti-Malware Software Blade – Sends suspected malware to the Check Point ThreatCloud Server.
    Sending these samples increases the accuracy of malware detection by Check Point Endpoint Security clients and Check Point Security Appliances. To turn this off, modify the Anti-Malware rule in the Organizational Security Policy in SmartEndpoint.
  • Endpoint Application Control Software Blade – Downloads information about classified known applications from the Check Point ThreatCloud Server and sends unknown applications for analysis.
    These updates are mandatory for the correct functioning of the Endpoint Application Control Software Blade. Without these updates, the blade is unable to classify malicious applications and automatically distinguish between them and non-malicious ones.
To enable an Endpoint Policy Server:
  1. Use the instructions in this guide to install a Log Server.
  2. Connect from SmartDashboard to the Endpoint Security Management Server and create a new Log Server object:
    1. In the Network Objects tree, right-click Check Point and select Security Gateway/Management.
    2. Enter a Name and IP address for the Log Server.
    3. Click Communication to create SIC with the Security Management Server.
    4. In the Management tab, select:
      • Endpoint Policy Management
      • Logging & Status
  3. Select Policy > Install Database.
When the Endpoint Policy Management blade is enabled, the SecurePlatform/Gaia WebUI port changes from 443 to 4434. If you disable the blade, the port changes back to 443. While the blade is enabled, connect to https://<management_ip_address>:4434, and make sure that any access rules or firewall policies that allow administrator connections to the WebUI account for the new port.
Disk Space for Endpoint Security
We recommend that you have at least 10 GB available for Endpoint Security in the Root disk partition.
  • In Gaia and SecurePlatform, client packages and release files are stored under the Root partition.
  • In Windows, client packages and files are usually stored on the C drive.
The files include:
  • 4 GB - Security Management Server installation files.
  • 2 GB or more - Client files (each additional version of client packages requires 1GB of disk space).
  • 1 GB - Logs.
  • 1 GB - High Availability support (more can be required in large environments).

Note - To make future upgrades easier, we recommend that you use a larger disk size than necessary in this deployment.

Installing Security Gateway

Distributed Deployment - The Security Gateway and the Security Management Server are installed on different computers.
Figure (IUG_Distributed Deployment) legend:
  • 1 - Security Management Server
  • 2 - Network connection
  • 3 - Security Gateway
  • Firewall icon - Security Gateway component
  • Blades icon - Security Management Server component
This section explains how to install the Security Gateway.

Installing Security Gateways on Appliances

You can install a Security Gateway on UTM-1 appliances, Power-1 appliances, certain 2012 Models, and IP appliances. The appliance operating system can be Gaia or SecurePlatform. For more about supported appliances, see the R77 Release Notes.

Installing Security Gateways on UTM-1, Power-1, and 2012 Models

After you install the Gaia or SecurePlatform operating system, install the Security Gateway.
To install the Security Gateway on Gaia appliances, use the First Time Configuration Wizard.
Note - The internal interface (INT) on a UTM-1 appliance is used as the management interface.
Note - The management IP address can be changed before or after running the First Time Configuration Wizard. This is useful if you must access the device over the network. Use the console connection to configure the management interface before connecting the Gaia appliance to the network. Once the management interface has this address, you can connect through a browser over the network and run the First Time Configuration Wizard.
To change the Management address before running the First Time Configuration Wizard:
  1. Open a console connection.
  2. Log in using the default username and password: admin and admin.
  3. Run the show interfaces command to get the name of the management interface.
  4. In clish, set the management interface (use the interface name from the previous step, for example mgmt):
    set interface mgmt ipv4-address <IPv4 address> subnet-mask <mask>
  5. Set the static route to the default gateway using:
    set static-route default nexthop gateway address <ip address> on
    Run save config so that these settings survive a reboot.
  6. Through a browser, connect to the WebUI and run the First Time Configuration Wizard.
To change the management IP address after running the First Time Configuration Wizard:
  1. Open the WebUI.
  2. Open the Network Management > Network interfaces window.
  3. In the Management Interface area, click Set Management Interface.
  4. The Management interface window shows which interface is configured as the management interface.
  5. In Interfaces table, select the management interface and click Edit.
  6. Change the IP address of the interface.
    Note - You are about to change the settings of the interface that the browser is currently connected to.
  7. Click OK.
To start the First Time Configuration Wizard on Gaia:
  1. Connect a standard network cable to the appliance management interface and to your management network.
    • The management interface is marked MGMT.
    • This interface is preconfigured with the IP address 192.168.1.1
    Note - Make sure that the management interface on the computer is on the same network subnet as the appliance. For example: IP address 192.168.1.x and Netmask 255.255.255.0
    You can change the interface in the WebUI, after you complete the First Time Configuration Wizard.
  2. Open a connection from a browser to the management IP address.
    The login page opens.
  3. Log in to the system with the default username and password: admin and admin
  4. Click Login.
    The First Time Configuration Wizard runs.
  5. Follow the instructions on the screen.
Note - Settings that you configure in the First Time Configuration Wizard can be changed later in the WebUI. From an Internet browser, go to https://<appliance_ip_address>
To configure Gaia Security Gateway appliances:
  1. In the First Time Configuration Wizard, set the username and password for the administrator account and then click Next.
  2. Select Continue with configuration of Gaia R77.
  3. Click Next.
  4. Change the default administrator password.
  5. Click Next.
  6. Set an IPv4 and an IPv6 address for the management interface, or set one IP address (IPv4 or IPv6).
    If you change the management IP address, the new IP address is assigned to the interface. The old IP address is added as an alias and is used to maintain connectivity.
  7. Set the host name for the appliance.
    Optional:
    • Set the domain name, and IPv4 or IPv6 addresses for the DNS servers.
    • Set the IP Address and Port for a Proxy Server
  8. Click Next.
  9. Set the date and time manually, or enter the hostname, IPv4 address or IPv6 address of the NTP server.
    Click Next.
  10. Select Security Gateway and then click Next.
  11. Define the Secure Internal Communication (SIC) Activation Key that is used by the gateway object in SmartDashboard and then click Next.
    The Summary window shows the settings for the appliance.
  12. Click Finish.
    Gaia R77 is installed on the appliance.

Installing Security Gateways on IP Appliances

You can install the Gaia operating system and Check Point Security Gateway on IP appliances.
This is a clean installation. The IPSO and Check Point product configurations are not imported into Gaia.
To install the Operating System:
See: sk100686.
In the First Time Configuration Wizard:
  1. In the Welcome window, click Next.
  2. Change the default administrator password.
  3. Click Next.
  4. Set an IPv4 and an IPv6 address for the management interface, or set one IP address (IPv4 or IPv6).
    If you change the management IP address, the new IP address is assigned to the interface. The old IP address is added as an alias and is used to maintain connectivity.
  5. Set the host name for the appliance.
    Optional:
    • Set the domain name, and IPv4 or IPv6 addresses for the DNS servers.
    • Set the IP Address and Port for a Proxy Server
  6. Click Next.
  7. Configure the Date and Time Settings manually, or enter the hostname, IPv4 address or IPv6 address of the NTP server.
  8. Click Next.
  9. Select Security Gateway.
  10. Answer Yes or No to the DAIP (Dynamically Assigned IP address) question.
  11. Click Next.
  12. Enter the SIC Activation Key.
  13. Click Next.
  14. Get a license automatically from the UserCenter and activate it, or use the trial license.
    If there is a proxy server between the appliance and the Internet, enter its IP address and port.
  15. Click Next.
  16. Review the summary and, if correct, click Finish.
  17. To start the configuration process, click Yes.
    A progress bar tracks the configuration of each task.
  18. Click OK.

Configuring Security Gateways on Gaia

This procedure explains how to install a Security Gateway in a distributed deployment after you install the operating system.
To configure a Security Gateway on Gaia:
  1. Open a Web browser to the WebUI:
    https://<Gaia management IP address>
  2. In the Gaia Portal window, log in with the administrator name and password that you defined during installation.
  3. The WebUI shows the First Time Configuration Wizard. Click Next.
  4. Set the date and time manually, or enter the hostname, IPv4 address or IPv6 address of the NTP server and then click Next.
  5. Set the host name.
  6. Optional: Set the domain name, and IPv4 or IPv6 addresses for the DNS servers.
    Click Next.
  7. Make sure that the IPv4 and IPv6 addresses for the management interface are correct.
  8. Select Security Gateway.
  9. Optional: Configure these settings if the Security Gateway is a cluster member:
    • Select Unit is part of a cluster
    • Select ClusterXL or VRRP
    • Enter the Cluster Global ID
    • Select Primary or Secondary
    Click Next.
  10. Define the Secure Internal Communication (SIC) Activation Key that is used by the gateway object in SmartDashboard and then click Next.
    The Summary window shows the settings for the appliance.
  11. Click Finish.
    Gaia R77 is installed on the computer.

Installing VSX Gateways

A VSX Gateway can be installed on certain Check Point appliances. You can also install it on any computer that meets the minimum requirements (see the Release Notes). Install and configure the Gaia operating system for a Security Gateway. Then install Check Point products and use SmartDashboard to change the Security Gateway to a VSX Gateway. The Security Gateway becomes virtual (VSX) when the VSX object is defined in SmartDashboard. The basic installation procedure for a Security Gateway and a VSX Gateway is the same.
For VSX Gateways on a Crossbeam platform, you must convert the gateway to VSX before you create the VSX object in SmartDashboard. For more about converting to VSX on a Crossbeam platform, see the Crossbeam Administration Guide (password required).
To install a VSX Gateway:
  1. Install and configure the R77 ISO file on the VSX Gateway.
    The steps are different if the VSX Gateway is on an appliance or an Open Server.
    In the Products window, make sure to only select Security Gateway.
  2. For a VSX Gateway on a Crossbeam platform, convert the gateway to VSX.
  3. Open SmartDashboard.
  4. From the Network Objects tree, right-click Check Point and select VSX > Gateway.
  5. Complete the on-screen instructions.
  6. Install the necessary licenses on the VSX Gateway.

Converting Gateways to VSX Gateways

Use the VSX Gateway Conversion wizard in SmartDashboard to convert Gaia Security Gateways to VSX Gateways. You can convert one Security Gateway or all the members of a cluster to VSX. The settings of the Security Gateways are applied to the VSX Gateway (VS0). You can also use SmartDashboard to convert a VSX Gateway to a Security Gateway.
We recommend that you go to sk79260 before you use the Conversion wizard. You can only convert Security Gateways or clusters that use the Gaia operating system.
Note - The Security Gateway loses connectivity during the conversion process.

Converting a Security Gateway

SmartDashboard converts a Security Gateway or cluster to VSX. You can only complete the Conversion Wizard if the features and settings of the Security Gateway or cluster are compatible with VSX.
When the Conversion Process window is shown, you cannot cancel or close the Conversion Wizard.
To convert a Security Gateway:
  1. Open SmartDashboard.
  2. In the Network Objects tree, right-click the Security Gateway or cluster and select Convert to VSX.
  3. When the Welcome to the VSX Conversion window opens, click Next to continue.
  4. In the Compatibility Check window, click Next to continue.
    The compatibility check makes sure that the Security Gateway or cluster is compatible with VSX.
  5. In the Security Management Server Interface Sharing window, configure how interfaces are created for the new Virtual Systems and then click Convert.
  6. After the conversion process completes, click Finish.
    The Converting window shows as the management database is updated.
    Note - You cannot use SmartDashboard while the Converting window shows.

Checking Compatibility

The VSX Gateway Conversion Wizard cannot convert a Security Gateway or cluster that uses Software Blades or other features that VSX does not support. The wizard automatically checks for common compatibility problems with the Security Gateway. We recommend that you go to sk79260 to see a full list of limitations and compatibility problems.
If the Security Gateway is not compatible, the Compatibility Check window tells you the solution for each compatibility problem. Close the wizard, disable the unsupported features, and run the VSX Gateway Conversion Wizard again.

Completing the Conversion

Complete the Security Gateway to VSX Gateway Conversion Wizard. When you complete the wizard, the management database is updated with the new VSX Gateway object.
To complete the Conversion Wizard:
Click Finish. The Converting window is shown as the management database is updated.
Note - You cannot use SmartDashboard while the Converting window is shown.

Converting a VSX Gateway

SmartDashboard converts a VSX Gateway or cluster to a Security Gateway. You must remove all the Virtual Systems and other virtual devices from the VSX object before you can convert the VSX Gateway.
You cannot convert a VSX Gateway that uses a shared interface configuration to a Security Gateway.
To convert a VSX Gateway to a Security Gateway:
  1. Remove all the virtual devices from the VSX object.
    From the Network Objects tree, right-click each virtual device object and select Delete.
  2. Right-click the VSX Gateway or cluster and select Convert to Gateway.
    A confirmation window opens.
  3. Click Yes.
    The VSX Gateway is converted to a Security Gateway.
    Note - You cannot use SmartDashboard while the Converting window is shown.

Installing Full High Availability Appliances

Standalone Full HA - Security Management Server and Security Gateway are each installed on one appliance, and two appliances work in High Availability mode. One is active, and one is standby.
Figure (IUG_Standalone Full HA Deployment) legend:
  • 1 - Primary appliance
  • 2 - Direct appliance to appliance connection
  • 3 - Backup appliance
  • Firewall icon - Security Gateway component
  • Blades icon - Security Management Server component
  • If the active member has a failure that affects the Security Management Server and the Security Gateway, they failover to the standby.
  • If the Security Management Server on the active member experiences a failure, only the Security Management Server fails over to the standby. The Security Gateway on the first member continues to function.
  • If the Security Gateway on the active member experiences a failure, only the Security Gateway fails over to the standby. The Security Management Server on the first member continues to function.
After you install the Gaia or SecurePlatform operating system, configure Standalone Full HA. First, configure each of the two standalone appliances with its First Time Configuration Wizard. Then configure the High Availability options in SmartDashboard.

Gaia Appliances

Some appliances have a dedicated SYNC interface that is used to synchronize with the other appliance. If there is no SYNC interface on the appliance, use the ETH1 interface.
Note - The internal interface (INT) on a UTM-1 appliance is used as the management interface.
To start the First Time Configuration Wizard on Gaia:
  1. Connect the appliance to your management network through the management interface, which is marked MGMT.
    The management interface is preconfigured with the IP address 192.168.1.1. If you later change it through the Check Point WebUI, make sure that the new address is on the same subnet as the management network.
  2. Open a connection from a browser to the management IP address.
    The login page opens.
  3. Log in to the system with the default username and password: admin and admin
  4. Click Login.
    The First Time Configuration Wizard runs.
  5. Follow the instructions on the screen.
Note - Settings that you configure in the First Time Configuration Wizard can be changed later in the WebUI. From an Internet browser, go to https://<appliance_ip_address>
To configure Gaia Full HA appliances:
  1. In the First Time Configuration Wizard, set the username and password for the administrator account and then click Next.
  2. Select Continue with configuration of Gaia R77.
  3. Click Next.
  4. Change the default administrator password.
  5. Click Next.
  6. Set an IPv4 and an IPv6 address for the management interface, or set one IP address (IPv4 or IPv6).
    If you change the management IP address, the new IP address is assigned to the interface. The old IP address is added as an alias and is used to maintain connectivity.
  7. Set the host name for the appliance.
    Optional:
    • Set the domain name, and IPv4 or IPv6 addresses for the DNS servers.
    • Set the IP Address and Port for a Proxy Server
  8. Click Next.
  9. Set the date and time manually, or enter the hostname, IPv4 address or IPv6 address of the NTP server.
    Click Next.
  10. Select Security Gateway and Security Management.
  11. Configure these Advanced settings:
    • Select Unit is part of a cluster
    • Select ClusterXL
    • Select Primary
    • Enter a value for Cluster Global ID
    Click Next.
  12. Set the username and password for the Security Management Server administrator account and then click Next.
  13. Define IP addresses from which SmartConsole clients can log in to the Security Management Server.
    • If you select This machine or Network, define an IPv4 or an IPv6 address.
    • You can also select a range of IPv4 addresses.
  14. Click Next.
  15. Get a license automatically from the UserCenter and activate it, or use the trial license.
    If there is a proxy server between the appliance and the Internet, enter its IP address and port.
  16. Click Next.
  17. Review the summary and, if correct, click Finish.
  18. To start the configuration process, click Yes.
    A progress bar tracks the configuration of each task.
  19. Click OK.
  20. If the Help Check Point Improve Upgrades (CPUSE) window shows, click Yes or No.
    Gaia R77 is installed on the appliance.
  21. Log in to the Gaia WebUI with the new management IP address that you entered in the First Time Configuration Wizard.
  22. Double-click the SYNC or eth1 interface and configure the settings. This interface is used to synchronize with the other appliance. Click Apply.
  23. Configure the settings for other interfaces that you are using.
  24. Use a cross-over cable to connect the SYNC or eth1 interfaces on the appliances.
  25. Do steps 1 - 23 again for the secondary appliance, with these changes:
    • Step 6 - It is not necessary to change the management IP address.
    • Step 11 - Select Secondary instead of Primary.
    • Define the Secure Internal Communication (SIC) Activation Key that is used by the gateway object in SmartDashboard and then click Next.
      This key is necessary to configure the appliances in SmartDashboard.
    • Step 22 - Use a different IP address for the SYNC or eth1 interface on the secondary appliance. Make sure that the SYNC interfaces of the primary and secondary appliances are on the same subnet.
  26. If necessary, download SmartConsole from the Gaia WebUI.
    1. Open a connection from a browser to the WebUI: https://<management_ip_address>
    2. In the Overview page, click Download Now!

Configuring Standalone Full High Availability

After you set up the appliances for Standalone Full High Availability, configure this deployment in SmartDashboard. You must configure both cluster members before you open the cluster configuration wizard in SmartDashboard.
The LAN1 interface serves as the SYNC interface between cluster members. If not configured, SYNC interfaces are automatically set to 10.231.149.1 and 10.231.149.2. If these addresses are already in use, their values can be manually adjusted. If you manually adjust the default IP SYNC addresses, verify that both reside on the same subnet.
Note - All interfaces in the cluster must have unique IP addresses. If the same IP address is used twice, policy installation will fail. A Load on gateway failed error message is displayed.
Each cluster interface has a virtual IP address. The virtual IP address is the address that the internal and external networks see, and it is the address that appears in the network routing tables. Each member interface also has its own unique IP address, which is used for communication between the cluster members. These member addresses are not in the routing tables.
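The address rules above (unique member addresses, paired interfaces on one subnet, the 10.231.149.1/10.231.149.2 SYNC defaults) are easy to get wrong when filling in the Security Cluster wizard, and a mistake only shows up later as a failed policy installation. The following Python script is an added pre-flight check, not Check Point code. It models each paired interface with the three roles the wizard offers and reports every violation before you open SmartDashboard. It assumes a /24 mask for the SYNC defaults (the guide gives only the addresses) and that a cluster virtual IP must lie in the pair's subnet and differ from both member addresses; the `PairedInterface` and `check_cluster_plan` names and the sample addresses are constructed for this example.

```python
"""Pre-flight check for a Standalone Full HA interface plan (added example).

Rules encoded from the guide:
  * every member interface address in the cluster is unique
    (a duplicate makes policy installation fail: "Load on gateway failed");
  * the primary and secondary addresses of a paired interface share a subnet;
  * an unconfigured SYNC pair gets 10.231.149.1 and 10.231.149.2.
Assumptions (not from the guide): /24 mask on the SYNC defaults; a cluster
virtual IP must be inside the pair's subnet and differ from both members.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default SYNC addresses named in the guide; the /24 mask is an assumption.
SYNC_DEFAULTS = ("10.231.149.1/24", "10.231.149.2/24")
ROLES = ("vip", "sync", "non-cluster")  # the three choices in the Security Cluster wizard


@dataclass
class PairedInterface:
    name: str                        # interface name, e.g. "eth0"
    role: str                        # one of ROLES
    primary: Optional[str] = None    # "address/prefixlen" on the primary member
    secondary: Optional[str] = None  # "address/prefixlen" on the secondary member
    vip: Optional[str] = None        # cluster virtual IP, role "vip" only


def check_cluster_plan(plan: List[PairedInterface]) -> List[str]:
    """Return a list of problems; an empty list means the plan passes."""
    problems: List[str] = []
    owner = {}  # ip address -> where it is already used

    def claim(addr, where):
        # Every address in the cluster, member or virtual, may appear only once.
        if addr in owner:
            problems.append(f"{where}: {addr} is already used on {owner[addr]}")
        else:
            owner[addr] = where

    for iface in plan:
        if iface.role not in ROLES:
            problems.append(f"{iface.name}: unknown role {iface.role!r}")
            continue
        p, s = iface.primary, iface.secondary
        if iface.role == "sync" and (p is None or s is None):
            p, s = SYNC_DEFAULTS  # wizard default when SYNC is left unconfigured
        if p is None or s is None:
            problems.append(f"{iface.name}: both member addresses are required")
            continue
        pi, si = ipaddress.ip_interface(p), ipaddress.ip_interface(s)
        claim(pi.ip, f"{iface.name}/primary")
        claim(si.ip, f"{iface.name}/secondary")
        if pi.network != si.network:
            problems.append(f"{iface.name}: {pi} and {si} are on different subnets")
        if iface.role == "vip":
            if iface.vip is None:
                problems.append(f"{iface.name}: cluster interface needs a virtual IP")
                continue
            vip = ipaddress.ip_address(iface.vip)
            claim(vip, f"{iface.name}/vip")
            if vip not in pi.network:
                problems.append(f"{iface.name}: virtual IP {vip} is outside {pi.network}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan using documentation address ranges.
    plan = [
        PairedInterface("eth0", "vip", "192.0.2.2/24", "192.0.2.3/24", vip="192.0.2.1"),
        PairedInterface("eth1", "sync"),  # falls back to the SYNC defaults
        PairedInterface("eth2", "non-cluster", "198.51.100.1/24", "198.51.100.2/24"),
    ]
    for line in check_cluster_plan(plan) or ["plan OK"]:
        print(line)
```

Run it against the plan you intend to type into the wizard; a non-empty result is a list of things to fix in the Gaia WebUI of the affected member before step 5 of the procedure below.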
To configure Standalone Full High Availability:
  1. Open SmartDashboard.
  2. Connect to the primary appliance and then click Approve to accept the fingerprint as valid.
    The Security Cluster wizard opens.
    Click Next.
  3. Enter the name of the Standalone Full High Availability configuration and then click Next.
  4. Configure the settings for the secondary appliance.
    1. In Secondary Member Name, enter the hostname.
    2. In Secondary Member Name IP Address, enter the IP address of the management interface.
    3. Enter and confirm the SIC activation key.
    Click Next.
  5. Configure the IP address of the paired interfaces on the appliances. Select one of these options:
    • Cluster Interface with Virtual IP - Enter a virtual IP address for the interface.
    • Cluster Sync Interface - Configure the interface as the synchronization interface for the appliances.
    • Non-Cluster Interface - Use the configured IP address of this interface.
    Click Next.
  6. Do step 5 again for all the interfaces.
  7. Click Finish.

Removing a Cluster Member

You can remove one of the two members of a cluster without deleting the cluster object. A cluster object can have only a primary member, as a placeholder, while you do maintenance on an appliance. You must remove the cluster member in the WebUI and in the CLI.
To remove a cluster member:
  1. Open the WebUI of the member to keep.
  2. Open Product Configuration > Cluster.
  3. Click Remove Peer.
    • If the current member is the primary member, the secondary member is deleted.
    • If the current member is the secondary member, the secondary member is promoted to primary. Then the peer is deleted.
    Services running on the appliance are restarted.
  4. On the appliance command line, run: cp_conf fullha disable
    This command changes back the primary cluster member to a standalone configuration.
  5. Reboot.
The former cluster object is now a locally managed gateway and Security Management Server.

Adding a New Appliance to a High Availability Cluster

You can add a standalone appliance to a cluster, after the High Availability cluster is defined. You can change which member is primary.
To add an existing appliance to a cluster:
  1. Open the WebUI of the appliance.
  2. On the Product Configuration > Cluster page, select Make this Appliance the primary member of a High Availability Cluster.
  3. Click Apply.
  4. Reboot the appliance.
  5. In SmartDashboard, open the object of the primary member.
    The first-time cluster configuration wizard opens.
  6. Complete the wizard to configure the secondary cluster member.
Troubleshooting network objects:
In SmartDashboard, the network object of the standalone appliance is converted to a cluster object. If the standalone appliance was in the Install On column of a rule, or in the Gateways list of an IPSec VPN community, the cluster object is updated automatically. For all other uses, you must manually change the standalone object to the cluster object. These changes can affect policies.
To see objects and rules that use the object to change:
  1. Right-click the standalone object and select Where Used.
  2. Select a line and click Go To.
  3. In the window that opens, replace the standalone object with the cluster object.
    If the Where Used line is a:
    • Host, Network, Group - Browse through the pages of the properties window that opens, until you find the object to change.
    • Policy (for example, dlp_policy) - Open the Gateways page of the Software Blade. Remove the standalone object. Add the cluster object.
  4. In Where Used Active Policies, see the rules that use the standalone object.
  5. Select each rule and click Go To.
  6. Edit those rules to use the cluster object.
Note - The icon in SmartDashboard changes to show new status of the appliance as a primary cluster member. The Name and UID of the object in the database stay the same.

Recommended Logging Options for High Availability

In High Availability, log files are not synchronized between the two cluster members. For this reason, we recommend that you configure the logs of the cluster.
To forward cluster logs to an external log server:
  1. Open the properties of the cluster object.
  2. Open Logs > Additional Logging.
  3. Click Forward log files to Log Server, and select the Log Server.
  4. Select or define a time object for Log forwarding schedule.
    Or:
    Configure SmartEvent and SmartReporter with standard reports, to use only one of the cluster members as a source for log file correlation and consolidation.

Deploying Bridge Mode Security Gateways

If you install a new Security Gateway in a network and cannot change the IP routing scheme, use bridge mode. A Security Gateway in bridge mode is invisible to Layer-3 traffic. When authorized traffic arrives, the Security Gateway passes it to the next interface through bridging. This creates a Layer-2 relationship between two or more interfaces. Traffic that enters one interface exits the other interface. Bridging lets the Security Gateway inspect and forward traffic, without the original IP routing.
Figure (before and after) legend:
  • 1 - Switch 1
  • 2 - Switch 2
  • 3 (before) - Connection between switches, one IP address.
  • 3 (after) - Security Gateway bridging Layer-2 traffic over the one IP address, with a subnet on each side using the same address.
Before configuring the bridge, install the Security Gateway.
To manage the gateway in bridge mode, it must have a separate, routed IP address. You must configure the bridged interfaces.
You can configure bridge mode in the Gaia WebUI or the CLI.
To configure a bridge interface in the WebUI:
  1. In the WebUI navigation tree, select Network Interfaces.
  2. Click Add > Bridge, or select an interface and click Edit.
    The Add (or Edit) Bridge window opens.
  3. On the Bridge tab, enter or select a Bridge Group ID (unique integer between 1 and 1024).
  4. Select the interfaces from the Available Interfaces list and then click Add.
  5. Click the IPv4 or IPv6 tabs, and then enter the IP addresses and subnet.
    Or click Obtain IP Address automatically.
  6. Click OK.
To configure a bridge interface with the CLI:
  1. Run: add bridging group <Group Name> interface <physical interface name>
  2. Run again for each interface in the bridge.
  3. Run: save config
  4. Add a bridge interface IP address:
    • IPv4: set interface <Group Name> ipv4-address <IP> subnet-mask <Mask>
    • IPv6: set interface <Group Name> ipv6-address <IP> mask-length <Prefix>
  5. Run: save config
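The CLI steps above, turned into a small POSIX shell helper that validates the input and emits the clish command sequence in order. This is an added example, not code from the Check Point guide; it assumes the bridge interface for group N is named brN, and the addresses and interface names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): build the Gaia clish
# command sequence for a bridge interface from its parameters, checking
# the Bridge Group ID range (1-1024) the guide gives before anything runs.
# Assumption: the bridge interface created for group N is named "brN".

gen_bridge_clish() {
    # usage: gen_bridge_clish <group-id> <ipv4> <mask> <iface> <iface>...
    gid=$1; ip=$2; mask=$3; shift 3
    case "$gid" in
        ''|*[!0-9]*) echo "bridge group id must be an integer" >&2; return 1 ;;
    esac
    if [ "$gid" -lt 1 ] || [ "$gid" -gt 1024 ]; then
        echo "bridge group id out of range 1-1024" >&2; return 1
    fi
    # a bridge only makes sense with at least two member interfaces
    [ $# -ge 2 ] || { echo "need at least two interfaces" >&2; return 1; }
    for ifc in "$@"; do
        # steps 1 and 2: one add command per member interface
        echo "add bridging group $gid interface $ifc"
    done
    echo "save config"                                                # step 3
    echo "set interface br$gid ipv4-address $ip subnet-mask $mask"    # step 4
    echo "save config"                                                # step 5
}

# Constructed sample: group 1 bridging eth1 and eth2, bridge address
# 192.0.2.10/24 (documentation range, not a real deployment).
gen_bridge_clish 1 192.0.2.10 255.255.255.0 eth1 eth2
```

Review the printed lines, then paste them into clish; the helper refuses an out-of-range group ID or a single-interface bridge instead of emitting a partial sequence.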

Installing Management High Availability

Management HA - A Primary and Secondary Security Management Server are configured. The databases of the Security Management Servers are synchronized, either manually or on a schedule, so they can back up one another. The administrator makes one Security Management Server Active and the other(s) Standby. If the Active Security Management Server is down, the administrator can make the Standby server Active.
[Figure: Management High Availability deployment]
  • 1 - Primary Security Management Server
  • 2 - Direct or indirect Security Management Server to Security Management Server connection
  • 3 - Secondary Security Management Server
  • (icon) - Security Management Server component
You can configure Management High Availability between:
  • Smart-1 appliances.
  • Security Management Servers on open servers.
  • Security Management Servers on standalone open servers. However, there is no High Availability between the Security Gateways.
Prerequisites for Management High Availability
  • The Primary and Secondary Security Management Servers must:
    • Be installed using the same ISO, or upgraded in the same way.
    • Have the same Check Point version.
    • Have the same Hotfixes installed.
  • In a Management High Availability configuration, the SmartEvent and SmartReporter blades can be enabled on one or both management servers (or on a dedicated computer), but their databases are not synchronized. For more, see sk25164.
Workflow for Installing and Configuring Management High Availability:
  1. Install and configure the primary Security Management Server:
    1. Open server only: Install the operating system (Gaia, SecurePlatform or Windows).
    2. Configure the primary Security Management Server:
      • Gaia: Use the First Time Configuration Wizard.
      • SecurePlatform: Use cpconfig.
      • Windows: when choosing installation options.
  2. Install and configure the secondary Security Management Server:
    1. Open server only: Install the operating system (Gaia, SecurePlatform or Windows).
    2. Configure the secondary Security Management Server:
      • Gaia: Use the First Time Configuration Wizard.
      • SecurePlatform: Use cpconfig.
      • Windows: when choosing installation options.
For instructions on installing and configuring the primary and secondary Security Management Server see the applicable section:
  • Installing Standalone on Open Servers
  • Installing Security Management Server on Appliances
  • Installing Security Management Server on Open Servers
To learn how to synchronize the databases of the Security Management Servers and make one Active and the other(s) Standby, see the R77 Security Management Administration Guide.

Installing SmartConsole Clients

The SmartDashboard and other SmartConsole applications are the GUI clients to manage the Security Management Server and Security Gateways.
For SmartConsole requirements, see the R77 Release Notes.
To install the SmartConsole clients on Windows platforms:
  1. Insert the R77 distribution media or download the SmartConsole application from the Support Center.
  2. If you are using the installation media, go to the Linux\linux\windows folder.
  3. Run the SmartConsole executable.
  4. Continue with the instructions on the screen.

Demo Mode

You can open the SmartDomain Manager in Demo mode. This mode does not require authentication or a connection to the Multi-Domain Server. Use the Demo mode to experiment with different objects, views, modes and features before you create a production system. The Demo mode includes several pre-configured sample Domains, Domain Management Servers, Security Gateways and policies.
Operations performed in Demo mode are stored in a local database. You can continue a Demo session from the point at which you left off in a previous session.

Logging in to SmartConsole

Connect to the Security Management Server from SmartConsole. The Security Management Server authenticates the connection when you log in for the first time.
You can create a new certificate for future logins. For more about certificates, see the R77 Security Management Administration Guide.
To log in to SmartConsole clients:
  1. Open the SmartConsole from the Start menu.
  2. To log in to the Security Management Server:
    • To use a password, enter the Security Management Server host name or IP address. Then enter your administrator user name and password.
    • To use a certificate, enter the Security Management Server host name or IP address. Then click Certificate and select the certificate.
    To experiment with pre-configured sample objects, views, modes and features, select Demo mode.
  3. Optional: Enter a description of this session.
  4. Optional: Select Read Only. This option lets you connect to the Security Management Server while other administrators are connected. You cannot change settings in this mode.
  5. Click Login.
  6. If necessary, confirm the connection using the fingerprint generated during installation.
    You see this only the first time that you log in from a client computer.

Post-Installation Configuration

You can use the Check Point configuration tool (cpconfig) to configure settings after installation:
  • Licenses and Contracts: Add or delete licenses for the Security Management Server and Security Gateways.
  • Administrators: Define administrators with Security Management Server access permissions. These administrators must have Read/Write permissions to create the first security policy.
  • GUI Clients: Define client computers that can connect to the Security Management Server using SmartConsole clients.
  • Certificate Authority: Starts the Internal Certificate Authority, which enables trusted connections between the Security Management Server and Gateways. For Windows, you must define the name of the ICA host. You can use the default name or define your own. The ICA name must be in the host name.domain format, for example, ica.checkpoint.com.
  • Fingerprint: Save the certificate fingerprint when you log in to SmartConsole clients for the first time.

Enabling IPv6 on Gaia

IPv6 is automatically enabled if you configure IPv6 addresses in the First Time Configuration Wizard.
If you did not do this, enable IPv6 in one of the following ways:
To enable IPv6 using clish:
# set ipv6-state on
# save config
# reboot
To enable IPv6 using the WebUI:
  1. In the WebUI navigation tree, select System Management > System Configuration.
  2. For IPv6 Support, select On.
  3. When prompted, select Yes to reboot.

Where to Go From Here

You have learned the basics necessary to get started. Your next step is to get more advanced knowledge of your Check Point software.
Documentation is available on your Check Point DVD and on the R77 home page.
For more technical information about Check Point products, go to the Check Point Support Center.

Uninstalling R77

To uninstall the release on Gaia appliances and open servers, use the built-in Backup and Restore functionality.