How to configure Security Management server to manage Edge appliance
Solution

Introduction

The sample configuration is based on a setup with the following topology:


Security Management server
192.168.2.50/24
|
|
192.168.2.1/24
Security Gateway
204.32.38.102/24
|
|
204.32.38.105/24
UTM-1 Edge
192.168.10.1/24
|
|
192.168.10.100/24
UTM-1 Edge Web Portal

Make sure the current libsw file version is the same as or higher than the UTM-1 Edge firmware version. You can see the current libsw version in the /libsw/version.txt file. See sk31448 for more information about updating libsw files.

Procedure

  1. Create the UTM-1 Edge Network Object.

    In SmartDashboard:

    1. Open the Objects Tree by selecting View → Objects Tree.
      Note: Skip this step if the Objects Tree is already displayed in SmartDashboard.

    2. In the Objects Tree window, select the Network Objects tab (the leftmost tab).

    3. In the Network Objects tab, right-click Network Objects.

    4. Select New Check Point → UTM-1 Edge/Embedded Gateway.

    5. In the UTM-1 Edge/Embedded Gateway dialog box, select the General Properties branch from the left pane.

    6. Configure the General Properties page as follows:

      Name: enter the Name_of_Edge_Gateway_object
      IP Address: 204.32.38.105
      Dynamic Address: clear (not mandatory)
      VPN Enabled: checked (Connects as Site-To-Site Gateway)
      Type: select the type that matches your Edge hardware (for example, UTM-1 Edge X Series)
      Externally Managed Gateway: clear

    7. Click on the 'Edit' button next to the 'Registration Key' field.

    8. In the 'Edit Registration Key' dialog, click on 'Generate Registration Key'.

    9. Copy and save the generated key.

    10. Click 'Set'.

    11. In the UTM-1 Edge/Embedded Gateway dialog box, click on 'OK'.

    12. A dialog box will show this message:

      "Check Point SmartDashboard
      This node is defined as VPN installed, an internal CA certificate will be created now".

      Click 'OK'.

    13. A dialog box will show this message:

      "Check Point SmartDashboard
      Certificate operation succeeded".

    14. Click 'OK' in the UTM-1 Edge/Embedded Gateway dialog box.

    15. Click 'Save'.


  2. Configure Static NAT for the Security Management server to enable the UTM-1 Edge to connect to the Security Management server via the Internet.

    In SmartDashboard:

    1. Select 'Policy' → 'Global Properties'.

    2. In the Global Properties dialog box, select the 'NAT - Network Address Translation' branch from the left pane.

    3. In the NAT - Network Address Translation page, select these options in the Automatic NAT rules section:

      • Allow bi-directional NAT

      • Translate destination on client side

      • Automatic ARP configuration


    4. Click 'OK' in the 'Global Properties' dialog box.

    5. Select 'Manage' → 'Network Objects'.

    6. In the 'Network Objects' dialog box, select the network object representing the Security Management server from the network objects list.

    7. Click 'Edit'.

    8. In the 'Check Point Host' dialog box, select the NAT branch from the left pane.

    9. Configure the NAT page as follows:

      Add Automatic Address Translation rules: selected
      Translation method: Static
      Translate to IP Address: 204.32.38.110
      Install on Gateway: Security Gateway
      Apply for VPN-1 Pro/Express control connections: selected


  3. Create a rule to allow the UTM-1 Edge to connect to the Security Management server.

    If a Security Gateway is located between the Security Management server and the UTM-1 Edge, or if it is running on the same machine as the Security Management server, a rule should be created in order to allow the UTM-1 Edge to connect to the Security Management server.

    In SmartDashboard:

    1. Create this rule at the top of the Rule Base:

      NO.: 1
      SOURCE: Edge Gateway object
      DESTINATION: Security Management Server object
      VPN: Any
      SERVICE: SWTP_SMS, SWTP_Gateway
      ACTION: Accept
      TRACK: Log
      INSTALL ON: Security Gateway
      TIME: Any


    2. Install the Security Policy on the security gateway.


  4. Create rules for the UTM-1 Edge and install the security policy for the UTM-1 Edge object.

  5. Connect to the SmartCenter server from the UTM-1 Edge.

    On the UTM-1 Edge Web Portal:

    1. Select the 'Services' menu from the left pane.

    2. On the 'Accounts' tab, click 'Connect'.

    3. In the Service Center dialog box, check the 'Connect to a Service Center' box.

    4. In the 'Specified IP' field, enter the Static NATed IP address of the SmartCenter server (i.e., 204.32.38.110).

    5. Click 'Next'.

    6. In the Service Center Login dialog:

      • Gateway ID: enter the Name_of_Edge_Gateway_object
      • Registration Key: enter the registration key that was generated in SmartDashboard


    7. Click 'Next'.

    8. In the Confirmation dialog box, click 'Next'.

    9. In the Done dialog box, click 'Finish'.
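
Added example (not part of the original article or of any Check Point tooling): a small Python check of the addressing plan used in steps 1, 2 and 5, run before the values are entered in SmartDashboard and the Edge portal. The dictionary keys and the check_plan function are names made up for this example, and it assumes the Static NAT address is taken from the Security Gateway's external subnet, as in the topology above.

```python
import ipaddress

# Addressing plan taken from the topology and steps above.
PLAN = {
    "mgmt_real": "192.168.2.50",           # Security Management server
    "gw_internal": "192.168.2.1/24",       # Security Gateway, internal side
    "gw_external": "204.32.38.102/24",     # Security Gateway, external side
    "edge_external": "204.32.38.105",      # IP Address of the Edge object
    "mgmt_nat": "204.32.38.110",           # Translate to IP Address (Static NAT)
    "edge_specified_ip": "204.32.38.110",  # 'Specified IP' on the Edge portal
}

def check_plan(plan):
    """Return a list of problems found in the addressing plan (empty = OK)."""
    problems, addrs = [], {}
    for key in ("mgmt_real", "edge_external", "mgmt_nat", "edge_specified_ip"):
        try:
            addrs[key] = ipaddress.ip_address(plan[key])
        except ValueError:
            problems.append(f"{key}: {plan[key]!r} is not a valid IP address")
    if problems:
        return problems
    inside = ipaddress.ip_interface(plan["gw_internal"])
    outside = ipaddress.ip_interface(plan["gw_external"])
    nat = addrs["mgmt_nat"]
    if addrs["mgmt_real"] not in inside.network:
        problems.append("mgmt_real is not on the gateway's internal network")
    # Assumption of this example: the NAT address sits on the gateway's
    # external subnet, so the gateway answering ARP for it is sufficient.
    net = outside.network
    if nat not in net or nat in (net.network_address, net.broadcast_address):
        problems.append("mgmt_nat is not a usable host address on the external network")
    if nat in (outside.ip, addrs["edge_external"]):
        problems.append("mgmt_nat collides with an address already in use")
    if addrs["edge_specified_ip"] != nat:
        problems.append("edge_specified_ip must be the Static NAT address")
    return problems

if __name__ == "__main__":
    print(check_plan(PLAN) or "addressing plan is consistent")
```

An empty result means the Edge object address, the Static NAT address and the 'Specified IP' entered on the Edge agree with each other and with the gateway's interfaces.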

 

How to verify that the policy was properly fetched from the Security Management server

In the UTM-1 Edge GUI:

  1. Select the 'Setup' menu option from the left pane.

  2. Select the 'Tools' tab.

  3. Click 'Diagnostics'.

  4. Scroll to the bottom of the Diagnostics window.

  5. In the 'Item' column, look for the 'Policy' line.

  6. In the 'Policy' line, verify that the name of the installed security policy (e.g., Standard) appears properly in the 'Name' column.


This solution is about products that are no longer supported, and it will not be updated.
