
Adding Checkpoint Appliance 4600 HA 2012 to Smartcenter



carrega
2012-11-19, 15:28
Dear All,

I have been working with Checkpoint and the Nokia IPSO combi for quite some time. When we were up for our renewal they offered me the 2012 Appliance line, so we decided to buy them as they appeared to be 3x faster than the same IPSO lines we normally purchase.
These new models (GAIA R75.40) now come with a management port through which you can manage the device over https.

The problem I'm encountering is that the SmartManagement does not see the firewalls to add the SIC initialisation.
The question now is: do you have to add the SIC through the management port or just on one of the interfaces of the firewall?

Any help is much appreciated.

Regards

Chris

Carsten
2012-11-19, 18:01
The SIC can be established on all interfaces, ideally the interface which is nearest to management.
We use the Mgmt interface with a cross cable for state sync only.

mcnallym
2012-11-20, 13:06
The Management Interface is just a label on the 4600 appliances.

You add the 4600 appliances into SmartCenter the same way as any other appliance.

Run through the initial configuration wizard as normal in the WebUI.
Define an object with the name of each box, give it the IP facing the SmartCenter.
Ensure network routing is in place.
Establish SIC from SmartCenter to Gateway.

No different to how you did it before.

carrega
2013-02-06, 17:26
The Management Interface is just a label on the 4600 appliances.

You add the 4600 appliances into SmartCenter the same way as any other appliance.

Run through the initial configuration wizard as normal in the WebUI.
Define an object with the name of each box, give it the IP facing the SmartCenter.
Ensure network routing is in place.
Establish SIC from SmartCenter to Gateway.

No different to how you did it before.

I have tried this numerous times, upgraded to 75.45, but still when adding the gateway it gives me a SIC problem.
It says that it cannot connect to the gateway. Indeed I cannot ping the gateway, but I can connect to it fine through https and get the WebUI of the 4600. Is there something else I'm missing? Do I need to add a license first or something? Do I need to enable the management station to get access other than https on the 4600?

Any help would be much appreciated.

Chris

mcnallym
2013-02-07, 03:35
Sometimes I have had to run fw unloadlocal on the box I was attempting to SIC, too.

However, it is not something that I would normally expect to have to do.

carrega
2013-02-07, 09:52
Sometimes I have had to run fw unloadlocal on the box I was attempting to SIC, too.

However, it is not something that I would normally expect to have to do.

mcnallym,

Thanks for that, I will give it a try. What is the best practice now for connecting the management station to the firewall: would that run over the MGMT port? Do the firewalls then send their logs etc. to the management over this connection?

Thanks

Chris

mcnallym
2013-02-07, 13:38
MGMT is just a label. It is the same as any other interface on the box. It is used as the interface that the initial configuration of the IP on the box is attached to, in the same way as Internal was on the previous generation of UTM-1 appliances. So apart from plugging your laptop into that interface to WebUI in and run the initial configuration wizard, there is nothing special about it.
You can even console into the box, configure a different interface with an IP, and run the wizard through that.

Don't get hung up on the interface names, as they are just that: names.

Traffic from Gateway to Management leaves over the interface that is the correct route to the management server, which depends upon your network. When Gateway and Management are on site, it is nice to have a dedicated Management Network; however, once the Gateway is at a different location, it will typically just come across the Internet or, if you have MPLS links, possibly across that instead.

Don't forget the Check Point services are encrypted anyway.

Spawn
2013-02-07, 14:03
On licensing/contracts:

Whenever Checkpoint adds your product in the User Center, I have observed they are registered on the MAC address of the MGMT port.

Aah well, you always have the central license deployment option. :p

Carsten
2013-02-07, 14:12
It is even possible to rename the Mgmt interface to something else, all others of course as well.

carrega
2013-02-07, 18:15
Thanks for all the help guys... I guess the initial wizard does not do what it is supposed to do.
Even the fw unload did not help. I went through the console, did a cpconfig and redid the SIC.
After that the firewall modules were reloaded and I could initiate the SIC in a second :D

Another question: what would you guys advise to use, ClusterXL or HA through VRRP?

Thanks, your help is much appreciated.

Regards,

Chris
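A small pre-SIC check that follows from the symptoms in this thread (gateway does not answer ping, WebUI over https works, SIC still fails) and the two fixes mentioned (fw unloadlocal, re-running SIC via cpconfig on the console). This is an added example, not code from the thread or from Check Point; it assumes bash in expert mode on the SmartCenter host, and GW_IP is a placeholder for the gateway interface facing the SmartCenter.

```bash
#!/bin/bash
# Run on the SmartCenter before "Establish SIC from SmartCenter to Gateway".
# Probes ICMP, the Gaia WebUI (TCP 443) and the SIC port (TCP 18211,
# FW1_ica_push), then says whether SIC initialisation can be expected to work.
# GW_IP is a placeholder; set it to the gateway IP facing the SmartCenter.
GW_IP="${GW_IP:-192.0.2.10}"

# tcp_open HOST PORT: returns 0 if a TCP connect succeeds within 5 s (bash /dev/tcp).
tcp_open() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# icmp_ok HOST: returns 0 if one echo reply arrives within 2 s.
icmp_ok() {
  ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# sic_verdict ICMP HTTPS SIC (each 0 = reachable, 1 = not): prints advice and
# returns 0 when SIC can be initialised, 1 when it is expected to fail.
# Ping is deliberately ignored when 18211 answers: a gateway that drops ICMP
# but accepts the SIC port is fine, which is the situation described above.
sic_verdict() {
  local icmp=$1 https=$2 sic=$3
  if [ "$sic" -eq 0 ]; then
    echo "TCP 18211 reachable: initialise SIC now (ping result is irrelevant)."
    return 0
  fi
  if [ "$https" -eq 0 ]; then
    echo "WebUI answers but TCP 18211 does not: a local policy on the gateway may"
    echo "be blocking SIC. Try fw unloadlocal, or reset SIC via cpconfig on the console."
    return 1
  fi
  if [ "$icmp" -eq 0 ]; then
    echo "Host pings but neither WebUI nor SIC port answers: check that the"
    echo "Check Point services are up on the gateway (cpwd_admin list)."
    return 1
  fi
  echo "Nothing reachable: check the IP on the gateway interface facing the"
  echo "SmartCenter and the routing between the two."
  return 1
}

main() {
  icmp_ok "$1";         i=$?
  tcp_open "$1" 443;    h=$?
  tcp_open "$1" 18211;  s=$?
  sic_verdict "$i" "$h" "$s"
}

# Probes run only when a gateway IP is given on the command line.
if [ $# -gt 0 ]; then main "$1"; fi
```

Invoke it as `./sic_check.sh <gateway-ip>`; the verdict's exit status (0 or 1) lets it be chained before the SIC step in a larger provisioning script.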

Carsten
2013-02-08, 02:03
We like VRRP better.

Spawn
2013-02-08, 05:13
Second it, go VRRP :)