Bernardes
Advisor

SMB Central Management Best Practices

Dear friends,

I would like to request assistance with a specific scenario. We have an environment where the customer has a Check Point cluster (26000) and an SMS (VM) in their main office.

We are starting a project where several 1500 (Spark) appliances will be installed at different points of presence.

These appliances need to be added to the SMS in the main office, meaning they will be configured as 'Central Management.' These appliances will be connected to the internet with dynamic IP, and the topology will look similar to the image below.

SPARK-TOPOLOGY.drawio.png

My question is as follows:

What is the best practice or Check Point's recommendation for this scenario?

Do I need a public IP for this SMS so that the appliances can connect?

Is there any Zero Touch Provisioning (ZTP) process?

I haven't found any clear documentation on this. Thanks for your help in advance.

11 Replies
G_W_Albrecht
Legend
Bernardes
Advisor

Hello, my friend @G_W_Albrecht , thank you for getting back to me. I had already come across this guide, but it's not clear regarding my specific needs.

Wolfgang
Authority

You can use https://zerotouch.checkpoint.com/ for first-time deployment. No need to do anything on the SMB gateway. You can prepare a configuration in the zerotouch portal, including the connection to your on-premises SMS.
Follow the instructions in Zero Touch Cloud Service for Check Point Appliances.

And yes, you need a public IP for your SMS, which is normally NATed on your gateway to the internal IP of your SMS.

Bernardes
Advisor

Hello, my friend @Wolfgang , thank you for your help. So I will indeed need a public IP for the SMS, whether it's dedicated or NATed by the gateway; that was my doubt.

But regardless of the option I choose, how can I ensure that only the SMB appliances are allowed to connect to the SMS, given that it now has a public IP, and the appliances have dynamic IPs, making source-based control difficult? The guide doesn't clarify this, and I couldn't find any other useful documents.

Wolfgang
Authority

@Bernardes this check is done by SIC. The connection of an unknown gateway to the SMS has to be allowed to reach the SMS, but the gateway must "authenticate" to the SMS via SIC. You configure a first-time SIC password on your remote gateway when you deploy it. After the first connection SIC will be established and your SMS trusts your gateway; this is the same way it works with your existing gateways. For your gateways with dynamic IPs you can't filter based on IP addresses because they are unknown, so you need some more "authentication". That's what's done via SIC.

Secure Internal Communication (SIC) 
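To make the point of this answer concrete, here is a small added model of the trust-bootstrap pattern it describes: a one-time activation key is presented on first contact, exchanged for a long-lived credential, and every later control connection is authenticated by that credential rather than by the source IP. This is a constructed illustration, not Check Point's SIC protocol, code or API; the "CA" signs with an HMAC secret instead of real X.509 certificates, and the class names, method names and sample keys are assumptions made for this example.

```python
"""Simplified model of bootstrapping trust with a one-time activation key.

Constructed example for illustration; it is NOT Check Point's SIC protocol or
code. The "CA" uses an HMAC secret instead of real X.509 certificates, and the
class and method names are assumptions made for this example.
"""
import hashlib
import hmac
import json
import secrets
import time


class ManagementServer:
    """Stands in for the SMS: holds the CA secret and the trust state."""

    def __init__(self):
        self._ca_secret = secrets.token_bytes(32)
        self._pending = {}   # gateway name -> (sha256(one-time key), expiry)
        self._trusted = {}   # gateway name -> credential serial
        self.audit = []      # constructed log of decisions, for the reader

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def _sign(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._ca_secret, payload, hashlib.sha256).hexdigest()

    def register_gateway(self, name: str, one_time_key: str, ttl: int = 3600):
        """Admin step: create the gateway object with its one-time key."""
        self._pending[name] = (self._digest(one_time_key), time.time() + ttl)

    def initial_connect(self, name: str, one_time_key: str, src_ip: str):
        """First contact: the key, not the source IP, decides acceptance."""
        entry = self._pending.get(name)
        if entry is None:
            self.audit.append(f"reject {name} from {src_ip}: unknown gateway")
            return None
        key_hash, expiry = entry
        if time.time() > expiry or not hmac.compare_digest(key_hash, self._digest(one_time_key)):
            self.audit.append(f"reject {name} from {src_ip}: bad or expired key")
            return None
        del self._pending[name]            # the key is single use
        body = {"subject": name, "serial": secrets.token_hex(8)}
        self._trusted[name] = body["serial"]
        self.audit.append(f"trust established with {name} from {src_ip}")
        return {**body, "sig": self._sign(body)}

    def control_connection(self, cert: dict, src_ip: str) -> bool:
        """Every later connection is authenticated by the issued credential."""
        body = {k: v for k, v in cert.items() if k != "sig"}
        if not hmac.compare_digest(cert.get("sig", ""), self._sign(body)):
            self.audit.append(f"reject {src_ip}: forged credential")
            return False
        ok = self._trusted.get(body["subject"]) == body["serial"]
        self.audit.append(f"{'accept' if ok else 'reject'} {body['subject']} from {src_ip}")
        return ok

    def revoke(self, name: str):
        """Resetting trust on the SMS side invalidates the old credential."""
        self._trusted.pop(name, None)


class SmbGateway:
    """Stands in for a branch appliance with a dynamic public IP."""

    def __init__(self, name: str, one_time_key: str):
        self.name, self._key, self.cert = name, one_time_key, None

    def bootstrap(self, sms: ManagementServer, src_ip: str) -> bool:
        self.cert = sms.initial_connect(self.name, self._key, src_ip)
        return self.cert is not None

    def connect(self, sms: ManagementServer, src_ip: str) -> bool:
        return self.cert is not None and sms.control_connection(self.cert, src_ip)


def run_scenario() -> dict:
    """Walk through the cases discussed in the thread; returns each outcome."""
    sms = ManagementServer()
    sms.register_gateway("branch-01", "one-time-key-branch-01")   # constructed key
    gw = SmbGateway("branch-01", "one-time-key-branch-01")
    stranger = SmbGateway("branch-99", "guessed-key")
    replay = SmbGateway("branch-01", "one-time-key-branch-01")
    out = {}
    out["unknown_gateway_rejected"] = not stranger.bootstrap(sms, "203.0.113.5")
    out["first_connect_accepted"] = gw.bootstrap(sms, "203.0.113.10")
    out["new_dynamic_ip_still_trusted"] = gw.connect(sms, "198.51.100.7")
    out["key_reuse_rejected"] = not replay.bootstrap(sms, "203.0.113.10")
    forged = {**gw.cert, "subject": "branch-02"}   # tampered credential
    out["forged_credential_rejected"] = not sms.control_connection(forged, "198.51.100.7")
    sms.revoke("branch-01")
    out["revoked_rejected"] = not gw.connect(sms, "198.51.100.7")
    return out


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case}: {result}")
```

The scenario shows why an IP-based rule adds little here: the gateway changes its public address between the first and second connection and is still accepted, while a device that does not know the one-time key, one that replays an already-consumed key, a tampered credential, and a gateway whose trust has been reset on the management side are all refused. In a real deployment the equivalent controls are the one-time SIC key being kept secret until first contact and trust being reset on the SMS if an appliance is lost.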

Chris_Atkinson
Employee

Geo based enforcement could be a potential option to explore if you must restrict this somewhat.

There are examples shared previously here, relevant to VPN and implied rule enforcement, that bear some similarities.

CCSM R77/R80/ELITE
Bernardes
Advisor

Hello @Wolfgang , after establishing SIC on the first connection, could I use a rule like the one below, using the object that represents the SMB appliance as the source? Would this have any effect, or would it make no difference?

rule-sms.png

Wolfgang
Authority

@Bernardes if you use the defaults there's no need for such a rule. Control connections are allowed via Global Properties.

2023-11-08 16_06_43-Global Properties.png

Bernardes
Advisor

Hello @Wolfgang , I understand. Is there any other document besides the guide that provides more information about the deployment or that contains information regarding the public IP and control connections for SMB with Central Management?

Wolfgang
Authority

I think the Dynamically Assigned IP Address (DAIP) Gateway FAQ answers your questions.

Bernardes
Advisor

Hello, thank you very much for your help! I believe I now have the necessary information to start the deployment.
