Dear friends,
I would like to request assistance with a specific scenario. We have an environment where the customer has a Check Point cluster (26000) and an SMS (VM) in their main office.
We are starting a project where several 1500 (Spark) appliances will be installed at different points of presence.
These appliances need to be added to the SMS in the main office, meaning they will be configured as 'Central Management.' These appliances will be connected to the internet with dynamic IP, and the topology will look similar to the image below.
My question is as follows:
What is the best practice or Check Point's recommendation for this scenario?
Do I need a public IP for this SMS so that the appliances can connect?
Is there any Zero Touch Provisioning (ZTP) process?
I haven't found any clear documentation on this. Thanks for your help in advance.
Hello, my friend @G_W_Albrecht , thank you for getting back to me. I had already come across this guide, but it's not clear regarding my specific needs.
You can use https://zerotouch.checkpoint.com/ for first time deployment. No need to do anything on the SMB gateway. You can prepare a configuration in the zerotouch portal including connection to your on premise SMS.
Follow instructions in Zero Touch Cloud Service for Check Point Appliances
And yes, you need a public IP for your SMS, which is normally NATed on your gateway to the internal IP of your SMS.
Hello, my friend @Wolfgang , thank you for your help. So I will indeed need a public IP for the SMS, whether it's dedicated or NATed by the gateway, that was a doubt.
But regardless of the option I choose, how can I ensure that only the SMB appliances are allowed to connect to the SMS, given that it now has a public IP, and the appliances have dynamic IPs, making source-based control difficult? The guide doesn't clarify this, and I couldn't find any other useful documents.
@Bernardes this check is done by SIC. Connection of an unknown gateway to the SMS has to be allowed to reach the SMS, but the gateway must "authenticate" to the SMS via SIC. You configure a first-time SIC password on your remote gateway when you deploy it. After the first connection SIC will be established and your SMS trusts your gateway; this is the same way it works with your existing gateways. For your gateways with dynamic IPs you can't filter based on IP addresses because they are unknown, so you need some more "authentication". That's what's done via SIC.
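The point made above, that a dynamic-IP gateway is identified by the trust SIC establishes rather than by its source address, can be shown with a small simulation. The following is an added illustration and is not Check Point code; it is a simplified model of a one-time activation key followed by a long-term secret, not the certificate-based mechanism the ICA actually uses, and every name, key and IP address in it is constructed for the example.

```python
"""Simplified model of a SIC-style trust bootstrap (illustrative only, not Check Point's implementation)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _mac(key: str, message: str) -> str:
    """HMAC-SHA256 over a challenge nonce, hex encoded."""
    return hmac.new(key.encode(), message.encode(), hashlib.sha256).hexdigest()


@dataclass
class ManagementServer:
    """Stands in for the SMS trust store (hypothetical model, not the real ICA)."""
    pending: Dict[str, str] = field(default_factory=dict)      # name -> one-time activation key
    trusted: Dict[str, str] = field(default_factory=dict)      # name -> long-term secret
    outstanding: Dict[str, str] = field(default_factory=dict)  # name -> current challenge nonce
    audit: List[str] = field(default_factory=list)

    def register_pending(self, name: str, one_time_key: str) -> None:
        """Operator pre-creates the gateway object together with its one-time key."""
        self.pending[name] = one_time_key

    def challenge(self, name: str) -> str:
        """Every connection gets a fresh nonce, so a captured proof cannot be replayed."""
        nonce = secrets.token_hex(16)
        self.outstanding[name] = nonce
        return nonce

    def establish_trust(self, name: str, src_ip: str, proof: str) -> Optional[str]:
        """First connection: any source IP is accepted, but proof of the one-time key is required."""
        nonce = self.outstanding.pop(name, None)
        key = self.pending.get(name)
        if nonce is None or key is None or not hmac.compare_digest(_mac(key, nonce), proof):
            self.audit.append(f"bootstrap REJECTED name={name} src={src_ip}")
            return None
        del self.pending[name]                      # the activation key is single use
        secret = secrets.token_hex(32)
        self.trusted[name] = secret
        self.audit.append(f"bootstrap OK name={name} src={src_ip}")
        return secret

    def verify(self, name: str, src_ip: str, proof: str) -> bool:
        """Later connections: identity comes from the established secret, never from the IP."""
        nonce = self.outstanding.pop(name, None)
        secret = self.trusted.get(name)
        ok = (nonce is not None and secret is not None
              and hmac.compare_digest(_mac(secret, nonce), proof))
        self.audit.append(f"control connection {'OK' if ok else 'REJECTED'} name={name} src={src_ip}")
        return ok


@dataclass
class RemoteGateway:
    """Stands in for a remote appliance behind a dynamic IP."""
    name: str
    one_time_key: Optional[str] = None
    secret: Optional[str] = None

    def bootstrap(self, sms: ManagementServer, src_ip: str) -> bool:
        nonce = sms.challenge(self.name)
        self.secret = sms.establish_trust(self.name, src_ip, _mac(self.one_time_key or "", nonce))
        return self.secret is not None

    def connect(self, sms: ManagementServer, src_ip: str) -> bool:
        nonce = sms.challenge(self.name)
        return sms.verify(self.name, src_ip, _mac(self.secret or "", nonce))


def run_scenario() -> Dict[str, bool]:
    """Walk through first contact, an IP change, a replayed key and an impostor."""
    sms = ManagementServer()
    sms.register_pending("branch-01", "constructed-activation-key")  # constructed sample values
    branch = RemoteGateway("branch-01", one_time_key="constructed-activation-key")
    results: Dict[str, bool] = {}
    results["first_contact_dynamic_ip"] = branch.bootstrap(sms, "203.0.113.10")
    results["reconnect_after_ip_change"] = branch.connect(sms, "198.51.100.77")
    # Re-using the activation key after trust exists must fail: it was consumed.
    replay = RemoteGateway("branch-01", one_time_key="constructed-activation-key")
    results["replay_activation_key"] = replay.bootstrap(sms, "203.0.113.10")
    # A device that only knows the gateway name, not the secret, is rejected.
    stranger = RemoteGateway("branch-01", secret="guess")
    results["unknown_device_same_name"] = stranger.connect(sms, "192.0.2.5")
    return results


if __name__ == "__main__":
    outcome = run_scenario()
    for check, passed in outcome.items():
        print(f"{check}: {'allowed' if passed else 'rejected'}")
```

The audit list is the part a defender would keep: because the source address is logged but not used for the decision, the same gateway reconnecting from a new address shows up as an ordinary successful control connection, while a failed bootstrap or a rejected connection from an unexpected address is what to alert on.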
Geo based enforcement could be a potential option to explore if you must restrict this somewhat.
There are examples shared previously here as relevant to VPN and implied rule enforcement that bear some similarities.
Hello @Wolfgang , after establishing the SIC on the first connection, could I use a rule like the one below? Using the object that represents the SMB appliance as the source. Would this have any effect or would it make no difference?
@Bernardes if you use the defaults there's no need for such a rule. Control connections are allowed via global properties.
Hello @Wolfgang , I understand. Is there any other document besides the guide that provides more information about the deployment or that contains information regarding the public IP and control connections for SMB with Central Management?
I think Dynamically Assigned IP Address (DAIP) Gateway FAQ answer your questions.
Hello, thank you very much for your help! I believe I now have the necessary information to start the deployment.