Configuring a security management server in Check Point is extremely important for managing and securing your network infrastructure. With the CheckPoint CCSE virtual lab, you can employ and examine security policies in a controlled environment very efficiently.
The implementation of such a system will strengthen the general security of the network by security management centralization and efficiency of threat prevention.
This post will give you a detailed overview of how to configure a Security Management Server (SMS) in Check Point. This is just a small section from our Check Point Training course, where we cover more tasks related to Check Point.
Here are some tasks that we need to do to install the security management server in Check Point.
● Configure the Security Management Server (SMS) with hostname firewall-server, assign IP address 172.11.1.1/24 to the management interface, open the GUI from the management interface with the default credentials and complete the remaining configuration.
● Basic understanding of the SMART architecture of Check Point.
● Configure the Security Gateway (SG) with hostname firewall-Gateway, assign IP address 172.11.2.1/24 to the management interface, open the GUI from the management interface with the default credentials and complete the remaining configuration.
● Configure IP addresses for the internal and external networks on the firewall firewall-Gateway from the CLI: eth1 (internal-NW) 172.11.3.1 and eth2 (external-NW) 172.11.4.1.
● Identify the operating system versions on the SM and SG, and whether each one is an SM or an SG.
The Check Point Security Management Architecture (SMART) is the core component of Check Point's unified security architecture. SMART enables administrators to centrally configure, manage, monitor and report on all security devices, including endpoints, from a single console (the Smart Dashboard).
The Check Point core system has the following components:
● Smart Console
● Security Management Server
● Security Gateway
Smart Console
Smart Console is comprised of several clients used to manage the Check Point security environment. One of these Smart Console clients is Smart Dashboard, which provides a single GUI for defining, managing and monitoring multiple elements such as firewall security, VPNs, NAT, QoS and VPN clients.
Security Management Server stores and distributes security policies to multiple Security Gateways. These security policies are defined using Smart Dashboard and saved on the Security Management Server. The Security Management Server also maintains the Check Point database.
When policies are created or modified they are distributed to the Security Gateways. Security is improved because the security policies are always up to date on all Security Gateways.
Security Gateway is the device on which the firewall software is installed and where traffic is inspected. Security policies are defined using Smart Dashboard and saved on the Security Management Server; inspection scripts are generated from the policies, the inspection code is compiled from the inspection scripts, and the inspection code is then distributed to and installed on the Security Gateways, which protect the network.
Get console access to firewall-server: open PuTTY and log in with username admin and password uninets@123.
This system is for authorized use only.
login: admin
Password:
In order to configure your system, please access the Web UI and finish the First Time Wizard.
gw-0e6046>
The default CLI shell is called clish, so we are now in clish mode and can run the following commands.
Now we set the hostname to firewall-server and assign IP address 172.11.1.1/24 to interface eth0.
gw-0e6046> set hostname firewall-server
firewall-server> set interface eth0 ipv4-address 172.11.1.1 subnet-mask 255.255.255.0
firewall-server> save config
firewall-server> show interface eth0
state on
mac-addr 50:13:00:04:00:00
type ethernet
link-state link up
mtu 1500
ipv4-address 172.11.1.1/24
Now we take the GUI of the SM from the management interface IP address: open any browser, go to https://172.11.1.1, enter username admin and password uninets@123,
click Login, and then click Next.
Here we have to select the installation method.
We choose the first option and click Next. Here we can change the IP address of the interface and also provide a default gateway, then click Next.
Here we can configure another interface if we want, but it is optional; we will configure it later according to need.
Here we can change the hostname and set the domain name and the primary and secondary DNS servers. All of these details are optional, so we are not configuring them now; we will configure them according to need.
Here we configure the time zone and time of the device. There are two methods, manual and NTP; since we do not have an NTP server here, we select the manual method and click Next.
Here we configure the products the device will run. There are two options: one to act as a Security Gateway or Security Management, and one for a Multi-Domain Server, which is used to manage multiple Security Managements. Since we have a single Security Management, we choose the first option and click Next.
1. Standalone Deployment: the Security Management Server and the Security Gateway are installed on the same computer or appliance.
2. Distributed Deployment: the Security Gateway and the Security Management Server are installed on different computers or appliances.
3. Standalone Full HA: the Security Management Server and Security Gateway are each installed on one appliance, and two appliances work in High Availability mode.
4. Bridge Mode: a Security Gateway is added to an existing environment without changing IP routing.
Here we are operating the devices in distributed mode, so we select Security Management and click Next.
If we want to change our username and password, we can do it from this tab; then click Next.
Here we select from which IP address an admin can open the GUI of our device, for security reasons, or allow it from any IP address. For now we select the Any option and click Next.
Now we just have to click Finish.
This is the final view of the SM installation once we have finished correctly.
SG installation & configuration:
Get console access to firewall-Gateway: open PuTTY and log in with username admin and password uninets@123.
This system is for authorized use only.
login: admin
Password:
In order to configure your system, please access the Web UI and finish the First Time Wizard.
gw-0e6046> set hostname firewall-Gateway
firewall-Gateway> set interface eth0 ipv4-address 172.11.2.1 subnet-mask 255.255.255.0
firewall-Gateway> save config
firewall-Gateway> show interface eth0
state on
mac-addr 50:13:00:03:00:00
type ethernet
link-state link up
mtu 1500
ipv4-address 172.11.2.1/24
firewall-Gateway>
Now we take the GUI of the SG from the management interface IP address: open any browser, go to https://172.11.2.1, enter username admin and password uninets@123,
click Login,
and then click Next.
We choose the first option and click Next.
Here we can change the IP address of the interface and also provide a default gateway, then click Next.
Here we can change the hostname and set the domain name and the primary and secondary DNS servers. All of these details are optional, so we are not configuring them now; we will configure them according to need.
Here we configure the time zone and time of the device. There are two methods, manual and NTP; since we do not have an NTP server here, we select the manual method and click Next.
Here we configure the products the device will run. There are two options: one to act as a Security Gateway or Security Management, and one for a Multi-Domain Server, which is used to manage multiple Security Managements. Since we have a single Security Management, we choose the first option and click Next.
Here we are operating the devices in distributed mode (as discussed earlier), so we select Security Gateway and click Next.
Here it asks whether the gateway should get its IP address from DHCP. We have already assigned it manually, so we select No and click Next.
SIC is based on certificates. When the Security Management Server (SMS) is first configured, its Internal Certificate Authority (ICA) is initialized. The goal of initializing SIC (trust) between the SMS and a Security Gateway is to have the ICA create a certificate for the Security Gateway (FW-Cert) and assign it to the Security Gateway.
Once that is accomplished, all communication between the SMS and Security Gateway is authenticated and encrypted using a certificate exchange.
Now click Finish.
If configured properly, this is the final view.
Now we assign IP addresses to the internal and external interfaces.
firewall-Gateway> set interface eth1 state on
firewall-Gateway> set interface eth1 ipv4-address 172.11.3.1 subnet-mask 255.255.255.0
firewall-Gateway> show interface eth1
state on
mac-addr 50:13:00:03:00:01
type ethernet
link-state link up
mtu 1500
ipv4-address 172.11.3.1/24
firewall-Gateway>
Now we configure the external-NW interface eth2 with 172.11.4.1.
firewall-Gateway> set interface eth2 state on
firewall-Gateway> set interface eth2 ipv4-address 172.11.4.1 subnet-mask 255.255.255.0
firewall-Gateway> show interface eth2
state on
mac-addr 50:13:00:03:00:01
type ethernet
link-state link up
mtu 1500
ipv4-address 172.11.4.1/24
Now we verify the operating system versions on the SM and SG, and whether each one is an SM or an SG.
firewall-Gateway> show version all
Product version Check Point Gaia R77.30
OS build 204
OS kernel version 2.6.18-92cp
OS edition 32-bit
Here we check which module is running, SM or SG.
firewall-Gateway> fw stat
HOST POLICY DATE
localhost InitialPolicy 21Mar2017 18:26:22 : [
firewall-Gateway>
This host runs the firewall module: the InitialPolicy on localhost exists only on a firewall module (Security Gateway), not on the SM (Security Management).
Now log in to the Security Management server.
firewall-server> fw stat
Local host is not a FireWall-1 module
So this is an SM (Security Management), because a local firewall policy is found only on the SG (firewall module).
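As an added example (not part of the original post), the verification steps above can be scripted. The Python below parses clish `show interface` and `fw stat` output in the format shown in the post, compares it with the lab's addressing plan, and classifies the host as SM or SG; the expected addresses are taken from the post, and the sample outputs are constructed, including the case where eth1 is mistakenly given eth2's address.

```python
import re

# Lab addressing plan taken from the post (assumed to be the desired end state).
EXPECTED = {
    "firewall-server": {"eth0": "172.11.1.1/24"},
    "firewall-Gateway": {"eth0": "172.11.2.1/24",   # management
                         "eth1": "172.11.3.1/24",   # internal-NW
                         "eth2": "172.11.4.1/24"},  # external-NW
}

def parse_show_interface(text):
    """Turn `show interface ethX` output (one 'key value' per line) into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        parts = line.strip().split(None, 1)  # value may contain spaces ("link up")
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields

def check_interface(host, iface, text):
    """Compare one interface's clish output with the plan; [] means it matches."""
    got = parse_show_interface(text)
    want = EXPECTED.get(host, {}).get(iface)
    if want is None:
        return [f"{host} {iface}: not in the addressing plan"]
    findings = []
    if got.get("state") != "on":
        findings.append(f"{host} {iface}: state {got.get('state')!r}, expected 'on'")
    if got.get("link-state") != "link up":
        findings.append(f"{host} {iface}: link is {got.get('link-state')!r}")
    if got.get("ipv4-address") != want:
        findings.append(f"{host} {iface}: address {got.get('ipv4-address')!r}, expected {want!r}")
    return findings

def role_from_fw_stat(text):
    """SG when `fw stat` lists a policy on localhost; SM when it is not a FireWall-1 module."""
    if "not a FireWall-1 module" in text:
        return "SM"
    if re.search(r"^localhost\s+\S+", text.strip(), re.M):
        return "SG"
    return "unknown"

# Constructed sample outputs in the clish format shown in the post.
ETH1_OK = "state on\nmac-addr 50:13:00:03:00:01\ntype ethernet\nlink-state link up\nmtu 1500\nipv4-address 172.11.3.1/24"
# The slip in the transcript above: eth1 re-addressed with eth2's address.
ETH1_WRONG = ETH1_OK.replace("172.11.3.1/24", "172.11.4.1/24")
FW_STAT_SG = "HOST POLICY DATE\nlocalhost InitialPolicy 21Mar2017 18:26:22"
FW_STAT_SM = "Local host is not a FireWall-1 module"
if __name__ == "__main__":
    print(check_interface("firewall-Gateway", "eth1", ETH1_WRONG), role_from_fw_stat(FW_STAT_SG))
```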
Installing a Security Management Server in Check Point is a key step in securing your network infrastructure: it provides centralized control, streamlined policy enforcement and improved threat prevention.
Setting up a Check Point virtual lab gives you a flexible and safe environment for practicing configurations before pushing them to your organization's live environment. Through proper use of these tools, your enterprise can learn how to respond to constantly changing cyber threats.
If you are interested in growing your knowledge in this field, take a look at the Check Point CCSA course, which provides a complete insight into Check Point environment management.
Among the different CCSE online training video options you can choose from, several give free access to tutorials. These resources will help you sail through the process of becoming a certified Check Point Security Administrator.
You can also check out our other network security training courses to train in other network security technologies.
Amar Singh is a senior security architect and a certified trainer. He is currently working with a reputed organization based out of India. His accomplishments include CCNA, CCNP Security, CEH, Vmware, Checkpoint and Palo Alto Certifications. He is holding more than 12 years of experience in Network security domain. In his career he has been ...