Alan_Camelo1
Contributor

Security Management and Gateway Same Host?

Hi All,

Has anyone ever installed the Security Management Server and Gateway on the same host when doing the initial first-time build?

I have a client where they don't have a server to install the Management Server on, so initially I want to build it on the same Gaia boxes (6600s).

My main concern would be: if you set up ClusterXL or VRRP for the Gateways, how would it differentiate between the two? I haven't set this up before in this way, but would like to hear any gotchas and experiences you may have?

Thanks in advance.

Alan

12 Replies
G_W_Albrecht
Legend

Do not do it 😎 ! The most dreaded installation is the Fool Management HA Cluster 😉. Better use SMS in the Cloud if there is no hardware for a VM.

Alan_Camelo1
Contributor

Thanks for your quick response, appreciated :-)! Have you used SMS in the cloud for Check Point management? Any pointers much appreciated.

G_W_Albrecht
Legend

Easy to try yourself - see https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Portal-Admin-Guide/T.... You can evaluate Smart-1 Cloud there as well as others.

Alan_Camelo1
Contributor

Thank you sir! How does this communicate with on-premises Gaia devices, btw? Obviously Internet access would need to be allowed, but I'm not sure if that's possible initially.

Sigbjorn
Advisor

Smart-1 Cloud only requires the gateway to have Internet access (HTTPS).

The gateway will establish a secure VPN tunnel to the Smart-1 Cloud service and run all management services in the tunnel. (No more need to worry about all the 1819x ports, and no inbound access required, so it even works behind NAT environments.)

Alan_Camelo1
Contributor

Thanks Sigbjorn. So you have to do something different on the gateway if it's on-prem? I'm just interested in how it establishes its VPN tunnel to the Smart-1 Cloud; I normally just set everything up using cpconfig for the SIC etc. Are the Gateways running different versions of software to be Smart-1 enabled?

PhoneBoy
Admin

Gateways just have to be running R80.10+.
We did a TechTalk on Smart-1 Cloud, see: https://community.checkpoint.com/t5/Smart-1-Cloud/Moving-Security-Management-to-the-Cloud-Video-Slid...

Alan_Camelo1
Contributor

Thank you

Luis_Dominguez1
Participant

Greetings,

Before making the jump to the Smart-1 Cloud, make sure you take into account any other apps/feeds provided by an on-prem SMS/MDS. What I mean is: do you have Splunk or Netskope or something similar that takes log info from the SMS/MDS? If you do, your app may not be supported yet from a Cloud SMS/MDS. If you don't have any dependencies like this, you're good to go.

Regards,

Luis

Alan_Camelo1
Contributor

Thanks Luis,

I was thinking about this, and one of the main points would be where the Gateways would forward their logs to. By default it is the Management Server, which is where in the cloud? Or could you maybe forward logs to a different Check Point Log Server?

Cheers

Alan

Luis_Dominguez1
Participant

Hi Alan,

We have an on-prem MDS, so we forward logs to our on-prem Netskope server. We do the same thing for Splunk with the same architecture as Netskope. If you have a similar need, but your SMS/MDS is in the Cloud, I think the solution is to use Log Exporter with the TLS capability at sk122323. Log Exporter is easy to set up, though I don't use the SMS/MDS in the Cloud.

Regards,

Luis

PhoneBoy
Admin

By default, gateways forward their logs to the management server unless configured differently.
In the case of Smart-1 Cloud, that means they are forwarded to the cloud.
