1500 Appliances Central Management Deployment
Hi
We are currently deploying 1500 appliances at the branch offices with a central management that is located at the head office. The 1500 appliances are set with dynamic external interfaces. Does someone have any idea on how to set up central management for the said appliances without a SmartProvisioning license?
Thank you in advance.
There is a checkbox for Dynamic IP in the relevant gateway object that should be used in this case.
This does not require SmartProvisioning.
Hi PhoneBoy,
Does this mean that the connection of the branch office gateways (1500 appliances) to the management server that is located at the head office can use a public IP address? What if the said dynamic IP changes frequently, does the management server learn the new IP address without initiating a re-SIC on the management server?
Thank you.
The changing IP won't change the authentication with SIC, which happens using certificates.
The management server needs to have an externally reachable IP (can be via NAT).
The gateway "phones home" to the management when it is DAIP and would be sending logs to the management anyway.
Hi PhoneBoy,
Is there any way to still establish SIC on the branch gateways even without requesting a bridge connection from the branch ISP, since the said gateways are set up behind the ISP modem?
Thanks
Yes, this will work through NAT as the gateway initiates an outbound connection for this purpose.
Hi PhoneBoy,
Do you have any idea on how to establish SIC without requesting a bridge connection from the local ISP of the branch offices?
Thanks
As I said previously, the gateway can initiate an outbound connection for this purpose.
This will work with NAT.
You configure the gateway object as described here: https://sc1.checkpoint.com/documents/SMB_R80.20.20/AdminGuides/Centrally_Managed/EN/Topics/Small-sca...
Then, in the First Time Wizard for the appliance, specify the public Management IP.
Hi PhoneBoy,
Is the gateway object automatically created on the SmartConsole even without SmartProvisioning if we used the Gateway first on the guide?
Thanks
You have to manually create the gateway object on the management as described in the guide.
SmartProvisioning is not involved at all.
Hi PhoneBoy,
Do you have any idea on how to establish SIC on a 5100 appliance that is located at a branch office with a dynamically assigned public IP? The management server is located at the central office.
Thanks
This is documented in Quantum Spark 1500, 1600 and 1800 Appliance Series R80.20.20 Centrally Managed Administration Guide p.14ff - I would suggest reading about establishing SIC first, then choosing one of the methods explained there 8)
I have pointed out this document on 24.2., PhoneBoy again on 1.3. - I would suggest to start reading, as your questions are broadly covered there ...
Works more or less the same way as for SMB appliances: The gateway needs to be flagged as DAIP in the object.
In the case of a non-SMB gateway, SmartConsole will ask for the current public IP when establishing SIC.
See more here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Note that for a non-SMB gateway behind NAT, several ports may need to be forwarded on the NAT device.
See: https://community.checkpoint.com/t5/Security-Gateways/R80-x-Ports-Used-for-Communication-by-Various-...
This will be noted.
Thank you!
SmartProvisioning means you manage numerous GWs by setting multiple profiles. Without it, you can still manage DAIP GWs on a per-GW basis.
This is covered step by step in the Quantum Spark 1500, 1600 and 1800 Appliance Series R80.20.20 Centrally Managed Administration Guide p.14ff: Small-scale Deployment Installation.
