topic Re: SMB Central Management Best Practices in Spark Firewall (SMB)

SMB Central Management Best Practices

Bernardes — Tue, 07 Nov 2023 14:38:30 GMT

Dear friends,

I would like to request assistance with a specific scenario. We have an environment where the customer has a Check Point cluster (26000) and an SMS (VM) in their main office.

We are starting a project where several 1500 (Spark) appliances will be installed at different points of presence.

These appliances need to be added to the SMS in the main office, meaning they will be configured as 'Central Management.' These appliances will be connected to the internet with dynamic IP, and the topology will look similar to the image below.

My question is as follows:

What is the best practice or Check Point's recommendation for this scenario?

Do I need a public IP for this SMS so that the appliances can connect?

Is there any Zero Touch Provisioning (ZTP) process?

I haven't found any clear documentation on this. Thanks for your help in advance.

Re: SMB Central Management Best Practices

G_W_Albrecht — Tue, 07 Nov 2023 16:07:22 GMT

https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Centrally_Managed/EN/Content/Topics/Predefining-Centrally-Managed-Deployment.htm

Re: SMB Central Management Best Practices

Wolfgang — Tue, 07 Nov 2023 19:43:27 GMT

You can use https://zerotouch.checkpoint.com/ for first time deployment. No need to do anything on the SMB gateway. You can prepare a configuration in the zerotouch portal including connection to your on premise SMS.
Follow instructions in Zero Touch Cloud Service for Check Point Appliances

And yes, you need a public IP for your SMS which is normally NATed on your gateway tho the internal IP of your SMS.

Re: SMB Central Management Best Practices

Bernardes — Tue, 07 Nov 2023 23:12:47 GMT

Hello, my friend @G_W_Albrecht , thank you for getting back to me. I had already come across this guide, but it's not clear regarding my specific needs.

Re: SMB Central Management Best Practices

Bernardes — Tue, 07 Nov 2023 23:13:27 GMT

Hello, my friend @Wolfgang , thank you for your help. So I will indeed need a public IP for the SMS, whether it's dedicated or NATed by the gateway, that was a doubt.

But regardless of the option I choose, how can I ensure that only the SMB appliances are allowed to connect to the SMS, given that it now has a public IP, and the appliances have dynamic IPs, making source-based control difficult? The guide doesn't clarify this, and I couldn't find any other useful documents.

Re: SMB Central Management Best Practices

Wolfgang — Wed, 08 Nov 2023 06:23:21 GMT

@Bernardes these check is done by SIC. Connection of an unknown gateway to SMS has to be allowed to reach the SMS, but the gateway must "authenticate" to SMS via SIC. You configure a first time SIC- password on your remote gateway if you deploy this. After first connection SIC will be established and your SMS trusts your gateway, this is the same way how it works with your existing gateways. For you're gateways with dynamic IPs you can't filter based on IP addresses because they are unknown, you need some more "authentication". That's what's down via SIC.

Secure Internal Communication (SIC)

Re: SMB Central Management Best Practices

Chris_Atkinson — Wed, 08 Nov 2023 06:32:05 GMT

Geo based enforcement could be a potential option to explore if you must restrict this somewhat.

There are examples shared previously here as relevant to VPN and implied rule enforcement that bare some similarities.

Re: SMB Central Management Best Practices

Bernardes — Wed, 08 Nov 2023 15:03:14 GMT

Hello @Wolfgang , after establishing the SIC on the first connection, could I use a rule like the one below? Using the object that represents the SMB appliance as the source. Would this have any effect or would it make no difference?

Re: SMB Central Management Best Practices

Wolfgang — Wed, 08 Nov 2023 15:23:52 GMT

@Bernardes if you use the defaults ther's no need for such a rule. Control connections are allowed via global properties.

Re: SMB Central Management Best Practices

Bernardes — Wed, 08 Nov 2023 21:17:24 GMT

Hello @Wolfgang , I understand. Is there any other document besides the guide that provides more information about the deployment or that contains information regarding the public IP and control connections for SMB with Central Management?

Re: SMB Central Management Best Practices

Wolfgang — Thu, 09 Nov 2023 05:35:02 GMT

I think Dynamically Assigned IP Address (DAIP) Gateway FAQ answer your questions.

Re: SMB Central Management Best Practices

Bernardes — Thu, 09 Nov 2023 12:43:51 GMT

Hello, thank you very much for your help! I believe I now have the necessary information to start the deployment.