Brad_Muller
Participant

SMB Dynamic IP Smart-1 Cloud Initial Connection with logging

CheckPoint Dynamic IP SMB Smart-1 Cloud Initial Connection

  • In portal add new gateway using real name of firewall
  • Click on 3 dots on top righthand corner of new firewall
  • Select “View instructions”
  • Use pull down and change to “Spark”
  • Copy Token
  • Under General tab click on “Dynamic IP” box
  • Answer yes to both prompts
  • Use pull down to change Checkpoint appliance version to the correct model and version
  • Open topology tab
  • Under “Security Blades” select “Manually defined on the Security…..”
  • Create new interface
  • Name “maas_tunnel”
  • Set “Security Zone” to “ExternalZone” and change “Network type” to “External (leads to internet)”
  • Use the IP associated with the management service object in SmartConsole (100.64.0.x mask 255.255.255.255)
  • Hit “Ok”
  • Under “Security Blades” select “Automatically calculated by the gateway…”
  • Under “IPSEC VPN Blade” select “User defined”
  • Create a “New” network for the encryption domain (This can be changed later)
  • Say “Ok” and “Publish”
  • In the Webui of the firewall select Home | Security Management
  • Select “Central” and then “Save” at the bottom right
  • Under Security Management Server select “Setup”
  • Check the “Security Management Server” box and then “next”
  • Paste the connection token into the box and hit “connect”
  • After it connects hit “next”
  • Put the secret in the boxes and hold
  • Go back to Smart-1 Console and edit the new firewall object
  • Select “Communication”
  • Put the secret in the boxes but DON’T hit “Ok”
  • Under “Identify appliance according to” make sure the firewall name is correct in the box (DO NOT SELECT “First to Connect”, you won’t be able to add multiple gateways that way)
  • Hit “Ok” and “Ok” again to close the object
  • Click on “Publish”
  • Go back to firewall Webui (you should still be in the initialize phase with the secrets in the boxes) Hit “next”
  • On this screen click “Connect”
  • Do not worry when it shows a failure for policy
  • Hit the “Save” button on bottom righthand corner
  • Go back to Smart-1 console
  • Make sure you have the policy correct for mgmt rules and internet rules and NAT hide rules on networks.
  • Push policy
  • Go back to Webui under Home | Security Management
  • Under Security Policy select “Fetch Policy” and then “Save” on righthand bottom
  • HALLELUJAH you are done.

***If you have trouble with communications at this point, SSH into the firewall and run “show maas” to make sure it is enabled and connected. You might have to reboot or call Check Point Support

ADDENDUM

To get logging to work

  • SSH into the firewall and run “ifconfig”
  • Copy down maas_tunnel IP
  • In portal go to settings and open SmartConsole in API
  • Go to Gateways and servers and open new firewall object
  • Open topology tab
  • Under “Security Blades” select “Manually defined on the Security…..”
  • Edit the maas_tunnel interface replacing the IPv4 address of the management IP with the IP of the gateway you copied from ifconfig
  • Under “Security Blades” select “Automatically calculated by the gateway…”
  • Click “OK”
  • Push Policy
  • After policy pushes reboot gateway
  • Verify logs are being received in portal
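Added helper for the ifconfig step in the addendum (this is not from the original post; it assumes Linux-style ifconfig output as seen in Gaia expert mode and uses a constructed sample): it pulls the IPv4 address of maas_tunnel out of the output and tells you whether it differs from the management service object IP currently set on the interface in topology, which is the case where the addendum says to edit the interface and push policy.

```shell
#!/bin/sh
# Added example, not from the original post. Pulls the IPv4 address of a
# named interface out of ifconfig output so it can be compared with the
# maas_tunnel address configured in the gateway's topology.
# Assumes Linux-style ifconfig output ("inet addr:A.B.C.D" or "inet A.B.C.D").

# iface_ipv4 IFACE IFCONFIG_TEXT -> prints the first IPv4 address of IFACE
iface_ipv4() {
    printf '%s\n' "$2" | awk -v want="$1" '
        # a line starting in column 1 opens a new interface block
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }
        cur == want && /inet / {
            for (i = 1; i <= NF; i++) {
                v = $i
                sub(/^addr:/, "", v)
                if (v ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print v; exit }
            }
        }'
}

# needs_topology_update TUNNEL_IP TOPOLOGY_IP -> success (0) when the address
# ifconfig reports differs from what the topology currently holds
needs_topology_update() {
    [ -n "$1" ] && [ "$1" != "$2" ]
}

# Constructed sample output standing in for `ifconfig` on the gateway.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
maas_tunnel Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:100.64.1.7  P-t-P:100.64.1.7  Mask:255.255.255.255'

# Placeholder: the management service object IP currently set on maas_tunnel
# in SmartConsole (100.64.0.x in the post; 100.64.0.5 is a constructed value).
TOPOLOGY_IP='100.64.0.5'

# On the gateway itself use: TUNNEL_IP=$(iface_ipv4 maas_tunnel "$(ifconfig)")
TUNNEL_IP=$(iface_ipv4 maas_tunnel "$SAMPLE_IFCONFIG")
if needs_topology_update "$TUNNEL_IP" "$TOPOLOGY_IP"; then
    echo "maas_tunnel is $TUNNEL_IP; topology still has $TOPOLOGY_IP, update it and push policy"
else
    echo "maas_tunnel address already matches topology ($TOPOLOGY_IP)"
fi
```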

PhoneBoy
Admin

Thanks for sharing, I'm sure that'll be helpful to someone doing this.
