This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dario_Ferroni
Participant
‎2018-12-11 03:18 AM

Difference between a Check Point Gateway Object and a Check Point Host Object

Hello community,

Some month ago we migrated our Security Management Servers and the dedicated Log Server from two R77.30 VMs to two R80.10 Smart-1s 3150, defining the second Smart-1 as Secondary-Standby Security Management Server & Primary Log Server.

Only now, we noted that actually the Primary Active is defined as Check Point Host Object, while the Secondary Standby as Check Point Gateway, but the Object Properties are exactly the same, i.e. the ones of a Management Server. The activity was performed by a PS Consultant.

Sure we now what the function of a Gateway is, but does anybody knows the difference difference between a Check Point Gateway Object and a Check Point Host Object? Is it here the case of a "human error" while importing the Secondary Standby as "Check Point Gateway Object"?

Thank you

Dario

5 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-12-11 04:12 AM

i have seen this before and also have no explanation - but you can only create a new SMS using the CheckPoint Host Object in R80.x0. I would assume that it does not matter which kind of CheckPoint object it is called as long as the selected blades do work as expected...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Danny
Champion Champion
Champion
‎2018-12-11 05:09 AM

A firewall management host should never be defined as a gateway. The difference is the topology check and IP address that is used for implied rules and the firewall gateways to talk to. Also IP / interface mismatch checks will be applied for each gateway object.

I have learned it the hard way. I had a management host that was configured as a gateway object. My job was to move the management to a new IP address, so I just opened the management object, changed the IP and saved. I updated the licenses within SmartUpdate and nothing worked anymore. What was the reason? I finally figured out that the management host was a gateway object and the old IP address was still configured within the topology settings of this object. So I deleted the topology settings, converted the gateway object to a management host object and everything was working well again. So if your management really just is a host with a single IP address and interface, configure it that way. For gateways a correct topology is key for stable firewall operation.

AlekseiShelepov
Advisor
‎2018-12-11 05:18 AM

I have this information in some of my "training" documents most probably from help documentation of R77.30 SmartDashboard and some AdminGuides.

Check Point Security Gateway object

a gateway with more than one interface on which Check Point Software Blades are installed. At least a firewall blade is installed, although other Check Point Software Blade such as QoS or Monitoring may also be installed). This gateway sits on the network that serves as an entry point to the LAN and is managed by the Security Management server. A Security Gateway is characterized as follows:

  • it has one or more Software Blades installed
  • where the IPSec VPN blade is installed, it requires a VPN license
  • it is a routing mechanism that is capable of IP forwarding
  • since it has more than one interface it can be used in order to implement anti-spoofing.

If the Security Gateway that you defined does not need to perform IP forwarding or anti-spoofing, you can convert it to a Check Point host.

 

Check Point Host object

a host with only one interface, on which Check Point software has been installed, and which is managed by the Security Management server.

A Check Point host is characterized as follows:

  • It has one or more Check Point Software Blades installed.
  • It is not a routing mechanism and is not capable of IP forwarding.
  • Since it only has one interface, its topology cannot be modified and therefore it cannot be used to implement Anti-spoofing.
  • It requires a SecureServer license and not a VPN license.

If you have defined a Check Point host and you are trying to use it to perform IP forwarding or anti-spoofing, you must convert it to a Security Gateway.

JozkoMrkvicka
Mentor
Mentor
‎2018-12-12 10:58 AM

from How to Configure Management HA :

To create the Secondary Security Management server:

  1. From the Menu, select Manage > Network Objects > Check Point > New > Host
Kind regards,
Jozko Mrkvicka
PhoneBoy
Admin
Admin
‎2018-12-14 09:02 PM

There was a time when Check Point sold a product called SecureServer where you could run the Check Point security gateway on a server.

I believe it was deprecated in the R5x/R6x timeframe, which explains the artifact Aleksei Shelepov‌ found in the documentation. Smiley Happy

In modern times, the only situation where you would have a Check Point manager defined as a "Check Point Gateway" is in the case of Full HA or Standalone configurations where they also have management functions.

Otherwise, I would expect them to be defined as a "Check Point Host" (even if they have multiple interfaces).

It's possible if this is set improperly, it could have some side effects down the road.

It's probably worth a TAC case to try and remediate this.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events