Djelo_Arnautali
SMB 1470 centrally managed and management through VPN

Hello,

I have in production two 1470 SMB appliances that are locally managed. One 1470 is at site A and the other one is at site B. Both 1470 SMBs are DAIP gateways and we are using NoIP DDNS. There is a site-to-site VPN. The customer is implementing Remote Desktop Services for thin clients and wants to be able to implement firewall rules specific to a specific user, and because with RDS the connection is always coming from the same IP address I have to install MUH (Multi user agent) on the RDS server. When the SMB appliance is managed locally there is no possibility to use the identity agents, but for the centrally managed SMB the agents are supported, based on sk97751. In this SK it is not clear if the MUH agent is supported. I have a few questions:

1. If I install Secure Management R80.10 in site A, can I import a configuration from a locally managed device to the SM server, and if yes, how?

2. When I connect the SMB 1470 on site A to the SM R80.10 and configure the S2S VPN with the locally managed 1470 on site B, how can I configure firewall B to be managed by the SM that is on site A? If I change the security management option on firewall B from local to central, I presume it will clear all the configuration and I will lose the VPN and cut myself off from firewall B.
3 Replies
G_W_Albrecht

In sk105380 - Check Point R77.20 for 600 / 700 / 1100 / 1200R / 1400 Appliance Known Limitations we read:

01481995

In centrally managed appliances, these user identifications methods are not supported (even though they appear in SmartDashboard):

  • Identity agent - supported in central management scenarios since R77.20.31.
    Refer to sk97751.
  • RADIUS accounting
  • Terminal servers

This is valid for R77.20.87; for R80.20 SMB, you can find the same limitations in sk159772: Check Point R80.20 for 1500 Appliances Features and Known Limitations.

Locally managed SMBs are not comparable to centrally managed SMBs, as the available rules and objects are only a subset of the centrally managed rules. There is no possibility to export rules and objects from SMBs and import them into the SMS for central management. This is no real limitation, as you would only have a few rules on locally managed units.

Regarding VPN and the switch to central management, I would suggest excluding the management ports from the VPN. Then you will be able to connect to site B over the internet, enable SIC and do a policy install. As SIC communication is always encrypted, this does not make much difference from a security viewpoint.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Djelo_Arnautali

So terminal servers (MUH) are not supported. I would love it if the SKs were more precise, and in this case, when they say that the identity agent is supported, that they specify that MUH is not, so you don't need to check in different places to have a complete picture.

What happens at the moment I change from local to central management? Does the gateway keep the existing configuration until it receives the new policy from the Secure Management?

G_W_Albrecht (accepted solution)

In the first releases, the IA Agent was not supported by SMB at all - with R77.20.31, using the Agent started being supported by centrally managed SMBs. The MUH Agent and Identity Collector are not supported at all on SMB.

When I change from local to central management, only the settings available in the WebGUI when using central management are retained; others, like VPN, TP or Access Policy settings, will vanish, while the device network configuration and some other settings will be kept.
