This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alan_Camelo1
Contributor
‎2020-10-02 12:57 AM

Security Management and Gateway Same Host?

Hi All,

Has anyone ever installed the Security management server and Gateway on the same Host when doing the initial first time build?

I have a client where they don't have a server to install the Management Server on so initially want to build it on the same Gai boxes (6600's).

My main concern would be if you setup Cluster XL or VRRP for the Gateways how would it differentiate between the 2? I haven't set this up before in this way,but would like to hear any gotchas and experiences you may have?

 

Thanks in advance.

Alan

0 Kudos
12 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-10-02 01:51 AM

Do not do it 8) ! The most dreaded installation is the Fool Management HA Cluster 😉. Better use SMS in the Cloud if there is no hardware for a VM.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Alan_Camelo1
Contributor
‎2020-10-02 02:01 AM
In response to G_W_Albrecht

 Thanks for your quick for your response, appreciated :-)! Have you used SMS in the cloud for Checkpoint management? any pointers much appreciated.

 

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-10-02 02:35 AM
In response to Alan_Camelo1

Easy to try yourself - see https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Portal-Admin-Guide/T.... You can evaluate Smart-1 Cloud there as well as others.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Alan_Camelo1
Contributor
‎2020-10-02 02:52 AM
In response to G_W_Albrecht

Thank you sir! How does this communicate with on premise Gair devices btw? obviously Internet access would need to be allowed but I'm not sure if that's possible initially.

0 Kudos
Sigbjorn
Advisor
Advisor
‎2020-10-02 05:32 AM
In response to Alan_Camelo1

Smart-1 Cloud only requires the gateway to have internet access. (https)

The gateway will establish a secure vpn tunnel to the smart-1 cloud service and run all management services in the tunnel. (No more need to worry about all the 1819x ports, and no inbound access required, so it even works behind NAT environments.)

Alan_Camelo1
Contributor
‎2020-10-02 07:28 AM
In response to Sigbjorn

Thanks Sigbjorn, So you have to do something different on the gateway if its on prem? I'm just interested on how it establishes its VPN tunnel to the smart-1 cloud, I just normally set everything up using cpconfig for the SIC etc. Are the Gateways running different versions of software to be Smart-1 enabled?

0 Kudos
PhoneBoy
Admin
Admin
‎2020-10-02 08:29 AM
In response to Alan_Camelo1

Gateways just have to be running R80.10+.
We did a TechTalk on Smart-1 Cloud, see: https://community.checkpoint.com/t5/Smart-1-Cloud/Moving-Security-Management-to-the-Cloud-Video-Slid...

0 Kudos
Alan_Camelo1
Contributor
‎2020-10-02 09:00 AM
In response to PhoneBoy

Thank you

0 Kudos
Luis_Dominguez1
Participant
‎2020-10-05 06:59 AM
In response to Alan_Camelo1

Greetings,

Before making the jump to the Smart-1 Cloud, make sure you take into account any other apps/feeds provided by an on-prem SMS/MDS.  What I mean is do you have Splunk or Netskope or something similar that takes log info from the SMS/MDS?  If you do, your app may not be supported yet from a Cloud SMS/MDS.  If you don't have any dependencies like this, you're good to go.

Regards,

Luis

Alan_Camelo1
Contributor
‎2020-10-05 09:02 AM
In response to Luis_Dominguez1

Thanks Luis,

I was thinking about this and one of the main points would be where would the Gateways forward their logs to? by default the Management Server which is where in the cloud? or could you maybe forward logs to a different checkpoint Log Server. 

Cheers

Alan

0 Kudos
Luis_Dominguez1
Participant
‎2020-10-05 09:23 AM
In response to Alan_Camelo1

Hi Alan,

We have an on-prem MDS, so we forward logs to our on-prem Netskope server.  We do the same thing for Splunk with the same architecture as Netskope.  If you have a similar need, but your SMS/MDS is in the Cloud, I think the solution is to use Log Exporter with the TLS capability at sk122323 .  Log Exporter is easy to set up though I don't use the SMS/MDS in the Cloud.

Regards,

Luis

0 Kudos
PhoneBoy
Admin
Admin
‎2020-10-05 03:18 PM
In response to Alan_Camelo1

By default, gateways forward their logs to the management server unless differently configured.
In the case of Smart-1 Cloud, that means being forwarded to the cloud. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events