Central Device Management for R77 versions Security Gateways running on Gaia OS
Solution

Table Of Contents

  • Overview
  • Enabling Central Device Management
  • Upgrading Security Gateway to R77 versions
  • Managing Clusters
  • Pushing Configuration Changes
  • List of Limitations
  • Related documentation
  • Related solutions

 

Overview

Central Device Management capabilities for Gaia Gateways are integrated into the R77 versions SmartDashboard.

A new Gateways View is available under the Firewall tab. The Gateways View allows performing several actions on R77.X Gaia gateways:

  • Run a script
  • Create a backup
  • Restore from backup
  • Open SSH session
  • Open Portal session
  • Push Settings To Device
  • Fetch Settings From Device

Action results are displayed in the Recent Tasks pane, located under the Gateways View.

The following Gaia OS features are configurable via the gateway's object editor:

  • Interface IP address
  • Static Routes
  • DNS, NTP and Proxy servers

 

Enabling Central Device Management

  • To enable the set of features in SmartDashboard:

    1. In SmartDashboard, go to the Policy menu - click on Global Properties - click on SmartDashboard Customization.
    2. In the Central Device Management section, select Enable Central Device Management.
    3. Click on OK to apply the settings.
    4. Save the changes: go to File menu - click on Save.
    5. Close SmartDashboard.
    6. Connect with SmartDashboard to the Security Management Server / Domain Management Server.
    7. Fetch settings from all R77.X Gaia gateways (see below). This step is mandatory.


  • To fetch settings from a Security Gateway:

    1. Go to Firewall tab.
    2. In the upper left pane, click on Gateways.
    3. Right-click on the relevant Security Gateway object - go to Maintenance menu - click on Fetch Settings from Device.
    4. Check the box to calculate topology.
    5. The settings fetched are:
      • Interfaces' IP addresses
      • Static Routes
      • DNS, NTP and Proxy settings
    6. Save the changes: go to File menu - click on Save.

 

Upgrading Security Gateway to R77 versions

After upgrading a Security Gateway machine to R77 versions, perform the following steps in SmartDashboard, so that the object shows the correct Topology, Routes, and Network Services settings:

  1. Go to Firewall tab.
  2. In the upper left pane, click on Gateways.
  3. Right-click on the upgraded Security Gateway object - go to Maintenance menu - click on Fetch Settings From Device.
  4. Save the changes: go to File menu - click on Save.

 

Managing Clusters

To enable Central Device Management actions on cluster objects:

  • Using Gaia Portal, configure a Gaia Cloning Group on all cluster members:
    • On the first member, choose "Create a new Gaia cluster"
    • On the remaining members, choose "Join an existing Gaia cluster"
      For more information on the Cloning Group feature, refer to the R77 versions Gaia Administration Guide.
  • If not configured already, configure ClusterXL / VRRP cluster on each cluster member.
  • If not configured already, create the Cluster object in SmartDashboard.
  • Install policy onto cluster object.
  • The cluster is now ready to receive Central Device Management actions.

 

Pushing Configuration Changes

Configuration changes are enforced on the gateway as part of policy installation. It is also possible to only push configuration changes (without installing the security policy):

  1. Go to Firewall tab.
  2. In the upper left pane, click on Gateways.
  3. Right-click on the Security Gateway object - go to Maintenance menu - click on Push Settings To Device.
  4. Save the changes: go to File menu - click on Save.

However, pushing settings without a policy installation is the less recommended option. For instance, after changing an interface IP address, a full policy installation is required to make sure the FireWall security policy is also aligned with the Topology change.

If any of the centrally managed features is changed locally via Gaia Portal or Clish, a "Local Change Detected" indication is displayed in SmartDashboard's Gateways view.

The SmartDashboard administrator can fetch the machine's current configuration:

  1. Go to Firewall tab.
  2. In the upper left pane, click on Gateways.
  3. Right-click on the Security Gateway object - go to Maintenance menu - click on Fetch Settings From Device.
  4. Save the changes: go to File menu - click on Save.

 

List of Limitations

  1. Supported Deployments

    • Central Device Management actions are only available for Security Gateways running Gaia OS R77.X and above.
      Note: Centrally Managed 1100 / 1200R appliances running Gaia Embedded OS are not supported.

    • Central Device Management actions cannot be performed on a StandAlone machine or on a Management Server machine.

    • If Management Server is either a StandAlone machine, or part of a Full HA cluster, then at least one policy installation on the Security Management Server is required for some of the Central Device Management actions to succeed.


  2. Managing Clusters

    • Gaia Cloning Group configuration is required to manage clusters (see "Managing Clusters" section above).

    • Synchronization between Gaia Cloning Group members requires TCP port 1129 to be allowed by the FireWall's security policy. An implied rule allows this communication between Gaia Cloning Group members.
      • Synchronization works after policy installation on cluster (or after "fw unloadlocal" or "cpstop").
      • Synchronization does not work while the Initial Policy is installed.


    • If the SSL Tunneling IPS protection is in use, either download the latest IPS protection updates, or configure an exception in that IPS protection to allow TCP port 1129.

    • Synchronization between Gaia Cloning Group members does not work over IPv6.


  3. Gateway's Topology

    • The "Get Topology" button is no longer available under a gateway's topology. In order to fetch interfaces and topology:
      1. Go to Firewall tab.
      2. In the upper left pane, click on Gateways.
      3. Right-click on the Security Gateway object - go to Maintenance menu - click on Fetch Settings From Device.
      4. Save the changes: go to File menu - click on Save.


    • Interfaces cannot be added or deleted via the Security Gateway's topology.
      To add or delete an interface:
      1. Connect to Gaia Portal, or Clish.
      2. Add / delete the relevant interface.
        Note: If working in Clish, save the changes with the "save config" command.
      3. Go to Firewall tab.
      4. In the upper left pane, click on Gateways.
      5. Right-click on the Security Gateway object - go to Maintenance menu - click on Fetch Settings From Device.
      6. Save the changes: go to File menu - click on Save.


  4. Network Services

    • Only one NTP server can be configured.


  5. Static Routes

    • Two or more same-network routes with different next-hop gateways are not supported. For example, two default routes with different gateway addresses are not supported.

    • The Fetch Settings From Device action fails if the Gaia Security Gateway has a static route without a next-hop gateway address defined (such routes are only shown in Gaia Portal).
      For this action to work, delete that static route from Gaia Portal.
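The two static-route limitations above can be checked before running Fetch Settings From Device. The following script is an added example (not part of this SK article or Check Point's tooling) that scans the "set static-route" lines of a Gaia "show configuration" dump; the sample lines are constructed, and the clish syntax ("nexthop gateway address" / "nexthop gateway logical") is assumed.

```shell
#!/bin/sh
# Added example (not from the SK article): pre-flight check for the two
# static-route limitations, run over the "set static-route" lines of a
# Gaia "show configuration" dump. The sample lines below are constructed and
# the clish syntax (nexthop gateway address / logical) is assumed.

# Constructed sample: two default routes with different gateways (unsupported)
# and one route whose next hop is an interface rather than a gateway address.
SAMPLE_ROUTES='set static-route default nexthop gateway address 192.0.2.1 on
set static-route default nexthop gateway address 192.0.2.254 on
set static-route 10.10.0.0/16 nexthop gateway address 192.0.2.1 on
set static-route 10.20.0.0/16 nexthop gateway logical eth2 on
set static-route 10.30.0.0/16 nexthop gateway address 192.0.2.9 on'

# Print "<destination>: <gw1> <gw2> ..." for every destination that has more
# than one distinct next-hop gateway address. $1 = file with the config lines.
find_multi_gateway_routes() {
    awk '$2 == "static-route" && $6 == "address" && !seen[$3, $7]++ {
             n[$3]++; gws[$3] = gws[$3] " " $7
         }
         END { for (d in n) if (n[d] > 1) print d ":" gws[d] }' "$1"
}

# Print "<destination>: <next-hop spec>" for every static route that has no
# next-hop gateway address (interface or blackhole next hops). Such routes
# make Fetch Settings From Device fail and must be deleted in Gaia Portal.
find_routes_without_gateway() {
    awk '$2 == "static-route" && $6 != "address" {
             spec = $0
             sub(/^set static-route [^ ]+ /, "", spec); sub(/ on$/, "", spec)
             print $3 ": " spec
         }' "$1"
}

# Stand-alone run against the constructed sample.
ROUTE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_ROUTES" > "$ROUTE_FILE"
echo "Destinations with multiple gateways:"
find_multi_gateway_routes "$ROUTE_FILE"
echo "Routes without a next-hop gateway address:"
find_routes_without_gateway "$ROUTE_FILE"
rm -f "$ROUTE_FILE"
```

On a real gateway, replace the constructed sample with the output of "show configuration" filtered to the static-route lines.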


  6. Backup / Restore

    • In SmartDashboard - Firewall tab - Gateways view, restoring a backup file from a remote server (FTP or SCP) fails due to a login issue. Contact Check Point Support for a solution.

    • When restoring from backup, the user must supply the name of the backup file. It is recommended to either copy the backup file name from the Recent Tasks tab in Gaia Portal once the backup is done, or to use the Gaia Clish command "show backup logs".


  7. Scripts

    • Cannot run scripts that require user intervention. Open an SSH shell instead.


  8. Local vs. Central Configuration

    • Push Settings To Device and Policy Install operations send only the configuration changes and not the entire features configuration.

    • Resolving a configuration conflict:
      A configuration conflict arises when there are both applied local configuration changes and central configuration changes. In this case, the gateway's status shows as "Device Settings Conflict" in the Gateways view.
      To resolve a configuration conflict:
      1. Go to Firewall tab.
      2. In the upper left pane, click on Gateways.
      3. Right-click on the Security Gateway object - go to Maintenance menu - click on Fetch Settings From Device.
      4. Re-apply the required changes.
      5. Save the changes: go to File menu - click on Save.
      6. Install policy.


  9. SmartDashboard Permissions

    • All Central Device Management actions are permitted to SmartDashboard administrators who have Full Read/Write permissions. However, the following actions are also available for administrators with Read/Write permissions on Objects Database:
      • Backup
      • Push Settings To Device
      • Fetch Settings From Device


  10. Audit Logs from Security Gateway

    • Audit logs are sent from Security Gateway to Management Server upon successful configuration of the following Gaia features:
      • interfaces
      • static routes
      • DNS
      • NTP
      • Proxy


    • Central Device Management actions themselves (such as pushing settings and running scripts) do not generate an audit log.

    • Audit logs are sent only after first policy installation.


  11. Open Shell

    • Open Shell does not work over IPv6.

 

 
