Check Point Zero Touch For Begginers

Hi Mates, 

I want to talk about a solution that exists in the Check Point ecosystem which I explored more deeply last year during a project: Check Point Zero Touch.

It is a relatively simple solution, but not very well known. I have completed several Check Point certifications, and I only discovered this solution when I was evaluating it for a real project.

I am attaching a PDF showing how to configure Zero Touch, including detailed descriptions and screenshots to make the configuration easier to understand and follow.

I also recommend reading the Zero Touch Administration Guide, as it provides very detailed and valuable information.

Hi Mates, 

I want to talk about a solution that exists in the Check Point ecosystem which I explored more deeply last year during a project: Check Point Zero Touch.

It is a relatively simple solution, but not very well known. I have completed several Check Point certifications, and I only discovered this solution when I was evaluating it for a real project.

I am attaching a PDF showing how to configure Zero Touch, including detailed descriptions and screenshots to make the configuration easier to understand and follow.

Introduction Check Point Zero Touch.

I want to talk about a solution that exists in the Check Point ecosystem which I explored more deeply last year during a project: Check Point Zero Touch.

It is a relatively simple solution, but not very well known. I have completed several Check Point certifications, and I only discovered this solution when I was evaluating it for a real project.

Zero Touch Portal

Link to access the Zero Touch portal:

https://zerotouch.checkpoint.com

What is Check Point Zero Touch?

Zero Touch allows a Check Point firewall to automatically retrieve its configuration from the cloud as soon as it is connected to the Internet for the first time.

If the firewall receives a public IP address via a DHCP server, it will automatically reach the Zero Touch service and download its configuration without any additional action.

If the firewall cannot obtain Internet access via DHCP, the administrator is allowed to run the First Time Configuration Wizard on the firewall and configure basic Internet connectivity. Once Internet access is available, the firewall will then be able to connect to the Zero Touch server and retrieve its configuration.

The configuration obtained via Zero Touch replaces the First Time Configuration Wizard.

After a Quantum Spark firewall successfully connects to Zero Touch, downloads, and applies the configuration, it will not connect to the Zero Touch Cloud service again.

Zero Touch Templates support two types of templates:

• Small Office Gateway Template
  • For Quantum Spark SMB appliances
• Gaia Gateway Template
  • For enterprise gateways
    

Prerequisites

• The firewall must be associated with a User Center account that has access to the Zero Touch portal
• Zero Touch does not require a dedicated license. The service is available for eligible Quantum Security Gateways and Quantum Spark appliances associated with a valid Check Point User Center account.”
• You must be an administrator of the User Center account where the devices are registered
• The firewall must be new or reset to factory defaults
• The firewall must be directly connected to the Internet (connections via proxy servers are not supported)

Limitations

• Scalable platforms such as Maestro, Scalable Chassis, and ElasticXL are not supported
• SandBlast Threat Emulation Appliances (TE100X, 250X, 250XN, 1000X, 2000X, 2000XN) are not supported

Creating Configurations in Zero Touch

After logging in, create a Template.

This template will be associated with a gateway next on Inventory.

Small Office Gateway Template

The inicial configurations for this template: 

• Name
• Comments
• Set Appliance Management Mode
  • Locally managed
  • Centrally manged
• Under construction
  • Select this checkbox to prevent the template download until you decide the configuration is final
• Time Zone
•  Use NTP CKP
• Administrator Access

Cloud Services:

• Rech My device Settings
  • Select this checkbox to allow the remote connect to the Security Gateway when it is behind a NAT device that changes its public IP address
• SMP Activation Settings
  • IP address or DNS name
  • Service domain
  • Registration Key
  • Automatically create the Security Gateway in the SMP
  • Plan name
  • Ignore SMP certificate verification

CLISH Script

Here you can put the clish commands in the SMB format.

GAIA Gateway Template

Here the template for enterprise gateways

Settings:

• Template name
• Comments
• Under construction
• Cluster member
  • Select this checkbox if the security gateway is a member of a cluster
• Automatically download Blade Contracts and other important data
• Identification Key
  • The Identification Key is configured on the gateway to identify the appliance unambiguously.

Version Settings

It is usually not updated with the latest recommended software versions.

Configure admin and password for Gaia administration.
NTP, and SIC (Secure Internal Communication) for SMS or any management connection

Figure 7 - gaia gateway template

Management Interface:

• IPv4 address
  • Specifies the IPv4 address for the Gaia management interface on the security gateway
• Subnet mask
  • Specifies the IPv4 subnet mask for the Gaia Management Interface on the Security Gateway
• Default Gateway
  • Specifies the IPv4 default gateway on the Security Gateway
• IPv6 configs are similar with IPv4
• DNS
  • Primary DNS
  • Secondary
  • Tertiary
• Proxy Server
• Proxy Port

Figure 8 - Gaia template management

Figure 9 -  gaia gateway template clish

Inventory

In the Inventory, we can see all firewalls associated with our User Center account. From there, we link a template to a firewall. This action of linking a template to a firewall is called “CLAIM”.

Figure 10 - Inventory

Selected gateway will allow select a template.

After the firewall is claimed, it will appear under Claimed Gateways, where you can see various information about the status of the claimed firewall.

Figure 12 - claimed gateways informations

From this section, you also have a shortcut to view and edit the template associated with the firewall.

On Gateway First Time Wizard

It is important to highlight that some actions must be performed in the First Time Configuration Wizard of the firewall so it can successfully connect to the Zero Touch service.

Part 2 – Quantum Security Gateway

Note: This is a separate action that can be performed by another user at the remote site.

1. Connect to the Gaia Portal on the deployed Quantum Security Gateway.
2. Enter your Gaia login credentials.
3. The Gaia First Time Configuration Wizard starts.
4. On the Deployment Options page, select Install from Check Point Cloud and click Next.
5. On the Connect to Check Point Cloud page, enter the network settings that allow Internet connectivity and click Next.
6. On the Cloud Service Selection page, select Pull appliance configuration.
7. In the Identification Key field, enter the Zero Touch Identification Key configured in the Zero Touch template and click Next.

At this point, the deployment procedure starts.

 



I also recommend reading the Zero Touch Administration Guide, as it provides very detailed and valuable information.

This guide will help beginners as well as advanced professionals who are not familiar with the Zero Touch solution.

If you have already used Zero Touch in your projects, feel free to share your experience with us.

I hope this helps someone.

Best regards,