ATRG: SmartProvisioning
Solution

Table of Contents

  • Overview
  • SmartProvisioning Architecture
  • SmartProvisioning Common Issues
  • SmartProvisioning Troubleshooting and Debugging

Overview

Check Point SmartProvisioning

SmartProvisioning lets you manage many gateways from one Security Management Server or Multi-Domain Security Management. SmartProvisioning defines, manages, and provisions (remotely configures) large-scale deployments of Check Point gateways.

The SmartProvisioning management concept is based on profiles: a set of gateway properties and, when relevant, a Security Policy. A profile can be assigned to multiple gateways, so most gateway properties are defined once per Profile object instead of once per gateway.

Note: SmartProvisioning is not available for members of a SmartLSM cluster.

Supported Features

SmartProvisioning provides the following features:

  • Central management of security policies, gateway provisioning, remote gateway boot, and DynamicObject value configurations
  • Automatic Profile Fetch for large deployment management and provisioning
  • All Firewall features supported by DAIP gateways, for both DAIP and static IP address gateways
  • Easy creation and maintenance of VPN tunnels between SmartLSM Security Gateways and CO gateways, including generation of IKE certificates for VPN from third-party CA servers or the Check Point CA
  • Automatic calculation of anti-spoofing information for SmartLSM Security Gateways
  • Tracking logs for gateways based on unique, static IDs, with local logging to reduce the logging load
  • High level and in-depth status monitoring
  • Complete management of licenses and packages, Client Authentication, Session Authentication and User Authentication
  • Command Line Interface to manage SmartLSM Security Gateways
  • Support for Check Point 1100 Appliances and Security Gateway 80 devices

SmartProvisioning Objects

SmartProvisioning manages SmartLSM Security Gateways and enables provisioning management for Check Point gateways.

Gateways

SmartProvisioning manages and provisions different types of gateways.

  • SmartLSM Security Gateways: Remote gateways provide firewall security to local networks, while the security policies are managed from a central Security Management Server or Domain Management Server. By defining remote gateways through SmartLSM Security Profiles, a single system administrator or smaller team can manage the security of all your networks.
  • CO Gateways: Standard Security Gateways that act as central Corporate Office headquarters for the SmartLSM Security Gateways. The CO gateway is the hub of a Star VPN, where the satellites are SmartLSM Security Gateways. The CO gateway has a static IP address, ensuring continued communications with SmartLSM Security Gateways that have dynamic IP addresses.
  • Provisioned Gateways: SmartProvisioning can provision the Operating System and network settings of gateways, such as DNS and interface routing, which makes the management of large deployment sites more efficient.

Note: You cannot use SmartProvisioning with externally managed gateways.

Profiles

SmartProvisioning uses different types of profiles to manage and provision the gateways.

  • SmartLSM Security Profiles: A SmartLSM Security Profile defines a Check Point Security Policy and other security-based settings for a type of SmartLSM Security Gateway. Each SmartLSM Security Profile can hold the configuration of any number of actual SmartLSM Security Gateways. SmartLSM Security Gateways must have a SmartLSM Security Profile; however, these profiles are not relevant for CO gateways or Provisioned gateways. SmartLSM Security Profiles are defined and managed through Check Point SmartDashboard.
  • Provisioning Profiles: A Provisioning Profile defines specific settings for networking, device management, and the operating system. CO gateways, SmartLSM Security Gateways, and regular gateways may have Provisioning Profiles if they are Check Point supported Security Gateways, Check Point 1100 Appliances, or UTM-1 Edge devices. Provisioning Profiles are defined and managed in SmartProvisioning. The options and features available in a Provisioning Profile differ according to the device platform.

Profile Fetching

All gateways managed by SmartProvisioning fetch their assigned profiles from the Security Management Server or Domain Management Server.

You define the SmartLSM Security Profiles in SmartDashboard, preparing the security policies on the Security Management Server or Domain Management Server.

You define Provisioning Profiles in SmartProvisioning, preparing the gateway settings in the SmartProvisioning database. Neither definition procedure pushes the profile to any specific gateway.

Managed gateways fetch their profiles periodically. Each gateway fetches its security policy and Provisioning Profile according to the timer that is defined in its Security Profile.

When a fetched profile differs from the previous profile, the gateway is updated with the changes. Updated Security Management Server/Domain Management Server security policies are automatically installed on SmartLSM Security Gateways, and gateways with Provisioning Profiles are updated with management changes.

In addition to the profile settings, the specific properties of the gateway are used to localize the profile changes for each gateway. Thus, one profile is able to update potentially hundreds or thousands of gateways, each acquiring the new common properties while maintaining its own local settings.

VPNs and SmartLSM Security Gateways

This section explains how your SmartLSM Security Gateways in a virtual private network (VPN) secure communications within your organization.

SmartProvisioning supports the inclusion of SmartLSM Security Profile objects as members in Star VPN Communities (as satellites), and in Remote Access communities (as centers). When a Star VPN Community contains a SmartProvisioning SmartLSM Security Profile object as a satellite, the settings apply both to the Corporate Office (CO) gateway and to the SmartLSM Security Gateways.

A VPN tunnel can be established from a SmartLSM Security Gateway to a regular, static IP address CO gateway (similar to the way that DAIP gateways establish VPN tunnels to static IP gateways). A CO gateway recognizes and authenticates an incoming VPN tunnel as a tunnel from a SmartLSM Security Gateway, using the IKE Certificate of the SmartLSM Security Gateway. The CO gateway treats the peer SmartLSM Security Gateway as if it were a regular DAIP gateway, whose properties are defined by the SmartLSM Security Profile to which the SmartLSM Security Gateway is mapped. A CO gateway can also initiate a VPN tunnel to a SmartLSM Security Gateway.

You can establish VPN tunneling for SmartLSM-to-SmartLSM, or SmartLSM-to-other gateway configurations, through the CO gateway.

For additional information, refer to the SmartProvisioning R77 Versions Administration Guide.

SmartProvisioning Architecture

SmartProvisioning can manage WebUI, SmartUpdate and SysConfig settings.

In a Profile, you can define backup, host name, domain name and DNS resolution settings.

Actions

Sometimes, administrators need to perform operations that are not part of a device's configuration.

One-time operations on a device or group of devices are called actions.

Actions include: backup, run script, install package, reboot, and so on.

An action's progress and result are shown in the status pane.

SmartProvisioning can get the actual device settings, perform package actions (such as upgrade), stop/start the gateway, and push policy to the device.

SmartProvisioning can run scripts or perform backups either as part of a Provisioning Profile or as a one-time action on the device.

Architecture and Process Flow Diagrams

All managed devices fetch their assigned profiles from the centralized management server. If the fetched profile differs from the previous profile, the device is updated with the changes. This way, one profile is able to update potentially hundreds or thousands of devices, each acquiring the new common properties while maintaining its own local settings.

SmartProvisioning Common Issues

"Handling SmartLSM Security Gateway Messages" explains how to handle messages that may appear after you finish the wizard to add a Security Gateway or UTM SmartLSM Security Gateway, during the SmartProvisioning processing of the gateway object.

The following table provides links to SecureKnowledge articles that describe common issues:

Issue: Description
sk101868: SmartProvisioning design flaw when editing Office Mode interface in Edge configuration
sk102526: Policy installation onto 1100 appliance from SmartProvisioning fails with "CPRID error #1" or "CPRID error #2"
sk106628: VPN tunnel with ROBO Gateway managed via SmartProvisioning cannot be established after upgrading the Security Management Server
sk104838: SmartProvisioning 'Link speed/Duplex' configuration is not applied correctly to the provisioned device
sk98418: Dynamic Object 'LocalMachine_All_Interfaces' on ROBO gateway does not include all the interfaces that were configured in SmartProvisioning GUI
sk33473: Unable to reset VPN certificate for UTM-1 Edge object in SmartLSM / SmartProvisioning GUI
sk98547: Policy installation on Edge device in SmartProvisioning GUI fails with 'Trust is not established' error message
sk105140: SmartView Monitor shows wrong community for SmartProvisioned Edge devices
sk110536: 1100 device statuses are flapping in SmartProvisioning GUI
sk110265: Error when selecting new firmware in SmartProvisioning to upgrade SMB appliance
sk110513: Cannot select 1200R Firmware image in SmartProvisioning
sk110789: "CPRID - Fatal error on the peer gateway" error when pushing policy from SmartProvisioning GUI
sk109457: SmartProvisioning profile change generates duplicated IP ranges

SmartProvisioning Troubleshooting and Debugging

Debugging Introduction

This section describes what to do if SmartProvisioning does not work as expected (for example, when configuration is not enforced on the device).

Note: Previously, SmartProvisioning was called SmartLSM.

Some Regular Troubleshooting Steps

  1. Make sure all processes of the Security Management Server and the device are running: cpwd_admin list (and mdsstat on a Multi-Domain Server).
     Note: mdsstat gives detailed information on the status of the processes of the Multi-Domain Server and Domain Management Servers (the up/down status per process).
  2. Check the connectivity between the device and the Security Management Server.
  3. Make sure SIC is initialized.
  4. For Edge connectivity, make sure the sms process is running on the Security Management Server.
     Note: The sms process is responsible for connectivity between the Security Management Server and the Edge appliance.

SmartProvisioning Troubleshooting

Step 1: Make sure the device settings are configured correctly:

  • SmartProvisioning is enabled.
  • The relevant topic is enabled and configured properly in both the Profile settings and the Device settings.

Step 2: Make sure the device is not in Maintenance Mode:

  • Check the device object in SmartProvisioning.
  • Run PA_admin mode on the device (in Expert Mode).

Step 3: Compare the latest settings signature / last action ID on the Security Management Server and on the device.

  • Management – Settings signature:
    1. Open GuiDBedit.
    2. Select Large Scale Manager.
    3. Select the prv_configs table.
    4. Select the required object.
    5. Check the value of the field: settings_aggr /general /topic_data/signature
       (On the Gateway: cpstat PA)
       Note: The time is in Unix format (number of seconds).
  • Management – Last action ID:
    1. Open GuiDBedit.
    2. Select Large Scale Manager.
    3. Select the prv_action_targets table.
    4. In the objects list, check the latest suffix number of the required object.
  • To see the latest settings signature and last action ID received by the device, run cpstat PA on the device.
  • If the settings signature on the device is higher than the signature on the Security Management Server, reset the settings signature on the device by running: PA_admin sign -s
  • If the last action ID on the device is higher than the ID on the Security Management Server, reset the action ID on the device by running: PA_admin sign -a
    Note: Running PA_admin requires Expert permissions.

Step 4: Make sure the configured settings are kept properly on the Security Management server:

  1. Open GuiDBedit.
  2. Select Large Scale Manager.
  3. Select the prv_configs table.
  4. Select the required object.
  5. Make sure the configured settings are kept properly in Provisioning topics under: settings_aggr

Step 5: Make sure the device performs Heartbeat periodically, and gets the Provisioning settings from the Security Management:

  1. Turn on the debug prints of the cpd process on the device machine: cpd_admin debug on TDERROR_ALL_PROV=5 
  2. See the debug prints of the cpd process: tail -f $CPDIR/log/cpd.elg 
  3. Search for: >>>>> HB data: <<<<< This indicates that a Heartbeat was performed.
  4. SmartProvisioning GUI: Change the device settings or create a new action so the device will have a new configuration.
  5. In the debug prints of the cpd process, search for the set that contains the Provisioning settings.

Notes:

  • You can find the heartbeat settings on the Security Gateway in: $CPDIR/conf/provisioning_agent.conf
  • When the heartbeat is missing or wrong, it usually means that there is a problem in Gateway-Management communication.
  • Known Issue: The Security Gateway takes the Security Management Server IP from its Masters file, but if this file does not exist, it checks who established SIC with it. If you reset SIC to the Security Management Server, the Security Gateway still goes to the old Security Management Server IP.
    To determine who established SIC with the Security Gateway:
    1. Go to $CPDIR/registry
    2. Run the command: grep ICAip *
    Workaround: Delete $FWDIR/database/smart-center-servers.properties
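The following is an added helper, not part of this article or of Check Point's tooling, that automates two of the checks above: it scans cpd.elg debug output for the ">>>>> HB data: <<<<<" heartbeat marker and flags silences longer than the configured heartbeat interval (Step 5 and the Notes), and it applies the Step 3 comparison rules to decide which PA_admin reset is needed. The timestamp layout of the sample log lines is a constructed approximation; only the marker string comes from the article.

```python
import re
from datetime import datetime

# Marker quoted in the article. The bracketed timestamp layout around it is
# a constructed approximation of a cpd.elg line, not a verbatim format.
HB_MARKER = ">>>>> HB data: <<<<<"
TS_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

def heartbeat_gaps(lines, interval_s, tolerance=2.0):
    """Return (start, end, seconds) for each pause between consecutive
    heartbeats longer than tolerance * the configured heartbeat interval.
    Such a pause usually points at a Gateway-Management connectivity problem."""
    stamps = []
    for line in lines:
        if HB_MARKER in line:
            m = TS_RE.search(line)
            if m:
                stamps.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        delta = (cur - prev).total_seconds()
        if delta > tolerance * interval_s:
            gaps.append((prev, cur, delta))
    return gaps

def reset_actions(mgmt_signature, dev_signature, mgmt_action_id, dev_action_id):
    """Step 3 rule: a device counter that is ahead of the management value
    must be reset on the device (Expert Mode required for PA_admin)."""
    cmds = []
    if dev_signature > mgmt_signature:
        cmds.append("PA_admin sign -s")
    if dev_action_id > mgmt_action_id:
        cmds.append("PA_admin sign -a")
    return cmds

# Constructed sample log: heartbeats every 60 s, then a 10-minute silence.
SAMPLE_LOG = [
    "[2024-01-10 09:00:00] cpd: >>>>> HB data: <<<<<",
    "[2024-01-10 09:00:30] cpd: PROV: profile signature unchanged",
    "[2024-01-10 09:01:00] cpd: >>>>> HB data: <<<<<",
    "[2024-01-10 09:02:00] cpd: >>>>> HB data: <<<<<",
    "[2024-01-10 09:12:00] cpd: >>>>> HB data: <<<<<",
    "[2024-01-10 09:13:00] cpd: >>>>> HB data: <<<<<",
]

if __name__ == "__main__":
    for start, end, secs in heartbeat_gaps(SAMPLE_LOG, interval_s=60):
        print(f"no heartbeat between {start} and {end} ({secs:.0f}s): "
              "check Gateway-Management connectivity")
    # Constructed values: device signature (Unix seconds) is ahead of management.
    print(reset_actions(1704880000, 1704890000, 41, 41))
```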
