Deploying Remote Gateway

I need to deploy a new gateway in a remote office (Tulsa) and I am not sure how to connect it to the SMS in a different office (Dallas).  I assume I need to NAT my internal SMS so that it is publicly accessible, and I can establish SIC between the two and push a policy to the new gateway.  Is that the best way to do this?  What process do y’all follow when you deploy a new gateway in a remote office to get it up and running on your remote SMS?   I apologize if this is common knowledge or there is a guide somewhere.  I have been working with Check Point for years now, but we have always done standalone installs and I am finally able to do distributed deployments but scratching my head on how to connect the new gateway to the SMS once I get up to Tulsa.

TIA

Neck

0 Kudos
9 Replies
the_rock
Legend
Legend

You got it more or less. The goal is for that gateway to be able to reach the management server, because without it, SIC can never work, therefore policy could never be installed either.

Andy

0 Kudos
JoSec
Collaborator

From my experience, you will NAT the SMS to a public IP like the_rock indicated and have the appropriate rules restricting inbound and outbound access to and from the remote gateways. You will also have to configure a local definition in the masters file ($FWDIR/conf/masters) on each remote gateway by adding the public IP of the management server so the gateway will know where to fetch policy and send logs.  You will most likely need to go into GuiDbedit for the management and make some manual changes to the remote gateway objects, otherwise every time you push policy, your local definition will be overwritten. Open a ticket with TAC and have them walk you through the process.

0 Kudos
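The masters-file approach above stands or falls on one question: does each name the gateway has been told to fetch policy from, and send logs to, resolve to an address the remote office can actually reach across the internet, or only to the private address of the SMS? The following is an added example, not code from the thread or from Check Point: it parses a constructed masters file and a constructed /etc/hosts from the gateway, and reports, per section, which management entries resolve to RFC1918/loopback/link-local addresses and which sections have no publicly reachable master at all. The section layout ([Policy], [Log], [Alert] followed by object names) and the object names Dallas-SMS and Dallas-SMS-Public are assumptions for the example.

```python
"""Audit a Check Point gateway's masters file for management entries that a
remote gateway cannot reach over the internet.

Added example; the masters-file layout (bracketed section headers followed
by management object names) and all sample data are assumptions.
"""
import ipaddress
import re

# Constructed sample of $FWDIR/conf/masters on a remote gateway.
SAMPLE_MASTERS = """\
[Policy]
Dallas-SMS
Dallas-SMS-Public
[Log]
Dallas-SMS
Dallas-SMS-Public
[Alert]
Dallas-SMS
"""

# Constructed sample of /etc/hosts on the same gateway; real entries differ.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
10.10.1.5     Dallas-SMS          # private address of the SMS in Dallas
203.0.113.10  Dallas-SMS-Public   # NAT address of the SMS seen from Tulsa
"""

# Ranges a gateway in another office cannot route to over the internet.
UNREACHABLE_FROM_INTERNET = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def parse_masters(text):
    """Return {section: [object names]} in file order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_hosts(text):
    """Return {hostname: ip} from /etc/hosts-style text, ignoring comments."""
    hosts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            hosts[name] = ip
    return hosts


def is_rfc1918_or_local(ip_str):
    """True if the address is private, loopback or link-local (not routable from Tulsa)."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in UNREACHABLE_FROM_INTERNET)


def audit_masters(masters_text, hosts_text):
    """Return {section: [(name, ip, status)]} with status private/public/unresolved."""
    hosts = parse_hosts(hosts_text)
    report = {}
    for section, names in parse_masters(masters_text).items():
        entries = []
        for name in names:
            ip = hosts.get(name)
            if ip is None:
                status = "unresolved"
            elif is_rfc1918_or_local(ip):
                status = "private"
            else:
                status = "public"
            entries.append((name, ip, status))
        report[section] = entries
    return report


def sections_without_public_master(report):
    """Sections where every master resolves privately or not at all: policy fetch or logging will fail."""
    return [s for s, entries in report.items()
            if not any(status == "public" for _, _, status in entries)]


if __name__ == "__main__":
    result = audit_masters(SAMPLE_MASTERS, SAMPLE_HOSTS)
    for section, entries in result.items():
        for name, ip, status in entries:
            print(f"[{section}] {name:20} {ip or '-':15} {status}")
    for section in sections_without_public_master(result):
        print(f"WARNING: [{section}] has no master reachable from the remote office")
```

In the constructed sample the [Alert] section lists only the private name, so the audit flags it; that is the kind of gap that a policy push overwriting a hand-edited masters file would silently reintroduce, which is why the advice above pairs the local edit with a management-side change.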
Bob_Zimmerman
Authority
Authority

If the NAT is done by a Check Point firewall managed by the management server you're NATing, you definitely shouldn't need to modify the masters file. Just check the "Apply for Security Gateway control connections" box on the management server's NAT page.

0 Kudos
JoSec
Collaborator

I looked at sk66381 and I see the SK is applicable for R80.40, R81, R81.10, R81.20 gateways, and it is good to know that this option exists instead of modifying the masters file as required in the past. There are some caveats if using it, so please read the SK notes if utilizing it.

0 Kudos
Bob_Zimmerman
Authority
Authority

Just remembered the other common workaround: you can create a secondary SmartCenter object with a different name (e.g., the real management's name with a "-Public" suffix) and the public IP. Don't try to establish SIC. You just want an object to exist with management checked and with the public IP. That will cause the public IP to go into the masters file.

When the gateway tries to connect to the primary management, it will fail because it can't reach the private address, but it doesn't know this (as far as the gateway is concerned, maybe the primary suffered a failure and is shut down). When it tries to connect to the secondary management, it will be able to establish a TCP connection, and the certificate is signed by the certificate authority (since it *is* the certificate authority).

The downside is you will always have a red X in the Gateways & Servers status page, since the management won't ever be able to communicate with the fake object. The biggest benefit is it gives you a lot of control over which firewall talks to which management address, for logging and so on.


SmartCenter objects also have a topology table. Since they don't run the firewall kernel, I'm about 80% sure the table doesn't have any impact on the software running on the SmartCenter itself. It may be possible to add a fake interface there with the public address to get the address into the masters file.


Not sure if either of these options would work for a CMA.

CheckPointerXL
Advisor
Advisor

This is the survivor solution when you manage a lot of FWs through the internet. Editing the masters file is painful in such situations.

You can use the fake object for management ("fetch policy" tab inside the gateway/cluster object) or for logging ("log" tab).


Never tried the solution of adding an interface with a public IP... does it work?

0 Kudos
the_rock
Legend
Legend

That's true, I also think creating a fake object for management might be the better option.

Andy

0 Kudos
the_rock
Legend
Legend

I find that works 50% of the time, it's hit and miss as they say.

Andy

0 Kudos
the_rock
Legend
Legend

Yes, @JoSec brought up an excellent point about the masters file, you will need to do that, 100%. Below is the SK you have to follow as well.

Andy

https://support.checkpoint.com/results/sk/sk102712

0 Kudos
