topic Re: SMB 1470 centraly managed and management throught VPN in Spark Firewall (SMB)

SMB 1470 centraly managed and management throught VPN

Djelo_Arnautali — Mon, 02 Dec 2019 10:04:28 GMT

Hello,

i have in production 2 1470 SMB appliances that are locally managed. One 1470 is at site A and the other one is at site B. Both 1470 SMB are DAIP gateways and we are using NoIP DDNS.There is site-to-site VPN. The customer is imlementing Remote desktop service for thin clients and wants to be able to implement firewall rules specific for a specific user and because with RDS the connection is comming always from the same IP adress i have to install MUH (Multi user agent) ond the RDS server. When the SMB appliance is managed locally there is no possibility to use the identity agents but for the centrally managed SMB the agents are supported based on the sk97751. In this SK it is not clear if MUH agent is supported. I have few questions:

1. If i install Secure management R80.10 in site A can i import a configuration from a locally managed device to the SM server and if yes how?

2. When i connect SMB 1470 on site A with the SM R80.10 and configure the S2S VPN with locally managed 1470 on site B how can i configure Firewall B to be managed by the SM that is on the siteA? If i change on the firewall B the option security management from local to central i presume it will clear all the configuration and i will lose the VPN and cut off myself from the fireall B.

Re: SMB 1470 centraly managed and management throught VPN

G_W_Albrecht — Mon, 02 Dec 2019 12:14:21 GMT

In sk105380 - Check Point R77.20 for 600 / 700 / 1100 / 1200R / 1400 Appliance Known Limitations we read:

01481995

In centrally managed appliances, these user identifications methods are not supported (even though they appear in SmartDashboard):

Identity agent - supported in central management scenarios since R77.20.31.
Refer to sk97751.
RADIUS accounting
Terminal servers

This is valid for R77.20.87 - for 80.20 SMB, you can find the same limitations in

sk159772: Check Point R80.20 for 1500 Appliances Features and Known Limitations

Locally managed SMBs are not comparable to centrally managed SMBs, as the available rules and objects are only a subset of centrally managed rules. There is no possibility to export rules and objects from SMBs and import in SMS for central management. This is no real limitation as you would only have few rules on locally managed units.

Regarding VPN and switch to central management, i would suggest to exclude the management ports from VPN. Then you will be able to connect to site B over internet, enable SIC and do a policy install. As SIC communication is always encrypted, this does not make much difference from security viewpoint.

Re: SMB 1470 centraly managed and management throught VPN

Djelo_Arnautali — Mon, 02 Dec 2019 14:49:47 GMT

So terminal servers (MUH) is not supported. I would love that SK's would be more precise and in this case when they say that identity agent is supported that they specify that MUH is not so you dont need to check on different places to have a complete picture.

What happens in the moment i change from local to central management? Does the gateway keeps the existing configuration until it receives the new policy from the secure management?

Re: SMB 1470 centraly managed and management throught VPN

G_W_Albrecht — Mon, 02 Dec 2019 15:58:27 GMT

In the first releases, IA Agent was not supported by SMB at all - with R77.20.31, using the Agent started being supported by central managed SMBs. MUH Agent and Identity Collector are not supported at all on SMB.

When i change from local to central management, only settings available in WebGUI when using central management are retained, others - like VPN, TP or Access Policy settings will vanish, device network configuration and some other settings will be kept.