CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

Hi, has anybody tried to manage a Check Point Edge box from a centralised management? Below is the procedure followed. Can anybody help me to manage a Check Point Edge box from a centralised box?

On VPN-Edge device (firmware is > 5.*.*.*):
- Clicked on "connect to service center".
- Gave the IP address of the NGX management. In the next screen it asks for gateway ID and registration key, and I was able to connect.

On NGX Mgmt: Mgmt communicates to the Edge device on the internal interface. There is a stand-alone firewall used to monitor the communication between Mgmt and VPN Edge.
- Created a VPN-1 Edge/Embedded gateway with IP address and registration key.
- We have defined the internal IP address on the management. It is observed that the IP address defined in the general properties is taken as the WAN interface in the topology. We are not allowed to change it to the LAN interface.
- After installing the policy we are not able to see any logs on the stand-alone firewall (independent) which is installed between the VPN Edge and the centralised management. We can see only HTTPS logs, which are used for managing the VPN Edge.
- Not able to see any logs on the centralised management.
- We can see successful installation of the policy on the centralised management.
- I can't see any new policy on the VPN Edge (logged in through the web browser).

I have gone through the document "Checkpoint VPN-1 Edge/Embedded Management Solution", creating and working with VPN-1 Edge/Embedded objects for SmartCenter. In point number 2 the document talks about profile (page 21).

Check Point is promising big improvements in Embedded NGX management (and full v6 support) in NGX_R61. If you are not in a hurry you can wait for the release. I think it can take about 2-4-6 weeks until release.

Quote:
Try upgrading your Edge box to 6.0.53 firmware.

Once you do the initial connection to the management server's public IP address, the Edge box tends to send future traffic to the private IP address of the management server. Of course this doesn't work too well. In the Edge security policy add a NAT rule: any -> private-management, change to any -> public-management. After you push this policy, you will have to reconnect the Edge box manually so it will download the new policy. HTH, Pete

I found an article very relevant to Safe@ users. Something about libsaw files. Looks like it is always good to keep them up to date. http://secureknowledge.checkpoint.co....do?id=sk31448 http://secureknowledge.checkpoint.co....do?id=sk31534

Quote:
BTW, 6.0.53 is the current firmware and its libsw should ship with R61.

I am currently managing 200+ of these little boxes with another 200 on their way out to the field soon. We have worked pretty extensively with the developers to work out many of the issues we encountered as we deployed the first 200.

"ON NGX Mgmt: Mgmt communicates to Edge device on the internal Interface. There is a stand alone Firewall used to monitor the communication between Mgmt and VPN edge."

This statement is pretty confusing... I first assume that in your management station you have defined the Edge with the same internal IP as you have in the internal interface and you can route to it with no issues. If you are routing to it through the external interface then yes, you will see some issues like you are seeing here (not sure I understand the point of having the stand-alone firewall in the middle of this other than as a point of confusion for your network).

We found that when managing the Edge via the private interface we often could not connect to the service center. This was due to the Edge being defined by its private address but the manager was seeing it as a box with the public address. The workaround for this was to define it in the manager as a dynamic address, and after that it worked fine. If you have the backend connectivity to the manager from the Edge then this is not your problem.

So really what we need here is a better understanding of your topology.