WebUIs of Orchestrator and SMO, SmartConsole

00:00

So at this point, I have configured my orchestrator appliance by connecting to the

00:07

security gateway modules

00:10

two down link ports on the orchestrator. I also connected a serial console cable as well as an Ethernet consul. Cable

00:20

then used the serial consul to configure the Ethernet management consul.

00:27

A serial console, by the way, uses 9600 bod eight bits, no parity by default.

00:34

So here I have connected to the Web user interface of the orchestrator appliance and, ah, law again, default credentials are admin and admin.

00:47

The little wants you to change that the first time you log in. Note that the Web user interface for the orchestrator looks like pretty much any other guy, a Web user interface

00:59

except for the addition of this orchestrator menu entry. So when I click on that, you can see

01:06

that the orchestrator has connected to it.

01:08

Six security Gateway modules and

01:12

the Security Gateway modules

01:15

must be using a line card and Ethernet card that supports the Link layer. Discovery Protocol, L L. D P.

01:25

This link Layer Discovery Protocol is used to inform the orchestrator of what's plugged in to that down Lakeport,

01:34

and it includes as you can see information about the model of the

01:40

security gateway module Ah, and serial number

01:45

that, um,

01:46

network card, as I said, must support Linklater. Discovery Protocol must also support double villain to be compatible with the orchestrator.

01:55

So I have six unassigned

01:57

security gateway modules,

02:00

and I have many, many

02:01

unassigned interfaces available.

02:05

I want to create a security group.

02:07

A secure security group is a logical group

02:13

of

02:14

computing, and that would be the

02:16

security gateway, module, appliances and network. That would be the interfaces

02:22

logical group of compute and networking Resource is.

02:29

And,

02:30

as I briefly discussed, a security group is represented by a single management object

02:38

that presents the illusion that there's just one appliance.

02:44

And that illusion is presented by the

02:49

single management object host,

02:51

which by default is the first security gateway module added to the security group.

02:58

And the security group needs an I P address, which will be used to communicate with that single management object

03:06

for policy installs as well as Web user interface and secure shell command line interaction.

03:14

So I'm going to configure

03:17

I p address of this security group,

03:28

and I'm not going to configure default, Gateway because this will not be the external network.

03:34

I have the option of setting up the first time wizard on. It's convenient to do it here. When I'm creating the security group, though, I can come back in,

03:43

set the activation key and set the host name

03:46

at that time.

03:58

And here I can choose to create a V SX security group.

04:02

And when I go create the object in Smart

04:08

Consul to represent this security group in policy,

04:12

I need to know if it was created as a regular security group or as a V s ex security group, to know what kind of checkpoint object to select.

04:20

True

04:21

represent the security group.

04:26

So I've created the security group.

04:29

Note that, ah,

04:30

there are still no gateways or interfaces assigned to it. I have to assign them by dragging and dropping.

04:39

So

04:41

I would note that the Web user interface on the orchestrator is touchy about where you drag and drop, too.

04:48

I can't

04:49

dragon dropped there. It's not excepted. I have to drag and drop

04:56

to the correct gateways for

05:00

gateway objects and

05:01

interfaces for interfaces.

05:11

So at this point,

05:13

if I try to apply,

05:17

I'll be told you gotta have at least one management interface.

05:21

And again that management interface. It's It's distinct from the management interface for the orchestrator appliance itself,

05:30

that is, on the other end of the orchestrator appliance here. What we mean by management interface

05:38

is one of the ports

05:41

that

05:42

have been configured as management interfaces

05:46

instead of up link or down like in her face is,

05:49

and these

05:50

ports are used for communicating with the single management object.

05:58

So I'm going to assign interfaces.

06:01

There's a management interface. I'm also going to assign

06:05

some

06:08

interfaces for the security group

06:11

so that we can have an internal network and an external network as well as the management network.

06:17

At this point, I should be able to apply because in the security group I've configured I p address information. I've added gateways to the security group, and I've added at least one. You generally only have one management port and also some some other ports for the site traffic,

06:38

and when I click, apply will take a look at that and decided five fulfilled all the requirements,

06:45

and if I have,

06:46

then it will

06:48

choose the first security gateway in the list of gateways

06:55

as the single management object,

06:58

and it will send the configuration of this security group to that

07:03

single management object. It will be received

07:06

ultimately by all of the security gateway modules in this security group.

07:14

These security gateway modules will then restart

07:16

because their configuration has changed.

07:19

They now know about different network interfaces and so on.

07:25

So there's a brief period of time that you have tow weight after applying changes to the security group

07:31

for

07:32

ah, the security group to be ready, at least when you initially configure the security group

07:39

while I'm waiting for Thesiger management object

07:43

to become responsive after having

07:46

created this security group, I just wanted to know

07:48

that the security gateway modules, the Checkpoint firewall appliances are running a special version of the guy operating system.

08:00

It's called the scalable platform version denoted by an SP, so

08:05

you'll note that these appliances are actually running.

08:09

Ah version are 80.20 s p. Now in a future release, perhaps the

08:16

scalable platform features which handled the synchronization of configuration changes and so on

08:22

will be just merged into the regular already dot What have you product?

08:30

But

08:31

at least as of our a d 0.30 There still

08:33

two distinct

08:35

flavours versions of the operating system, and you need to make sure that you have scalable platform version,

08:43

uh, for use with the orchestrator.

08:48

So at this point, thes security group

08:50

has been created

08:52

and the single management object

08:56

is answering the security groups i p address,

09:01

which is in this demonstration. 1 72 25 1 61.1 55 And so I'm able to connect to the Web user interface

09:11

of the security group. I'm talking to the single management object.

09:18

Don't go ahead and sign in to the Web user interface.

09:33

And

09:33

one thing that I want to do while I'm in the Web user interface of the single management object

09:41

is configure. The network interfaces that way.

09:45

They're configuration can be imported into the smart consul security gateway object

09:52

when it fetches topology.

10:43

So

10:45

in this demonstration environment noted the link statuses, nobody will ignore that because

10:50

this is not, ah, production deployed

10:54

maestro environment.

10:58

So I've created the security group. I logged into the Web user interface of the single management object

11:07

and configured the

11:09

interfaces that will be used to,

11:13

except traffic from the internal network

11:18

apply security policy and then for the traffic out to the external network off to the Internet.

11:24

At this point,

11:26

I'm going to change the ah password for the admin user.

11:31

Uh, it's

11:33

currently the default of Ah,

11:35

admin and admin.

11:52

No. Said it to a different password.

12:01

So I I did that

12:03

so that later on in the command line interpreter, uh, I won't have to change it then.

12:11

Now that I have the single management object

12:13

configured with the interfaces assigned I P addresses

12:20

Next, I'm going to go to Smart Consul smart consul application and

12:26

create the object and established sick and use it in security policy.

12:33

I'm now ready to create a checkpoint object

12:39

to represent the security group that I created.

12:43

And

12:45

I'm using the Wizard. You don't have to. You can use the classical method.

12:54

So I'm going to name the Gateway

12:56

what I named the security group

12:58

Maestro SG and select that it's the maestro platform

13:18

and the I P address I signed with Security group. Now,

13:43

now those of you that have been paying attention the eagle eyed among you may notice that I p address and ports are a little bit different. It's because of this demonstration environment.

13:54

Um,

13:54

it was necessary for the demonstration.

13:58

But what we get is a checkpoint Gateway object that represents

14:03

the security group via that single management object, which answers at 1 70 to 31.1 in this environment.

14:13

And

14:13

the orchestrator is hiding the fact that there are multiple

14:18

security gateway modules

14:22

that are assigned to the security group will be handling traffic.

14:26

From the point of view of the management server and smart Dash or smart Consul,

14:30

it appears to be just one security gateway. And again, if I would have created the security group as a V s ex security group,

14:37

I would want to have created a V s ex gateway object instead of a checkpoint security get weight, object.

14:50

And now

14:50

I'm just going to install a very simple policy for demonstration purposes. I just used the cleanup rule and set the action to accept.

15:09

So

15:09

I explained before that

15:13

after the security group was created and the single management object host came up and was responsive connected to that

15:20

via the Web user interface, and I

15:24

set up the

15:26

interfaces that I had assigned to the security Groopman. I did that so that

15:31

when I established sick with the new security gateway object and it pulls over the topology of that gateway,

15:39

it had the interfaces pre defined.

15:46

So policy installation is proceeding.

15:54

And once policy installation has successfully completed, then

15:58

this security group will be available for use.

16:03

And

16:06

in the security gateway object that I created for simplicity sake during this demonstration, I only had the firewall blade

16:14

enabled.

16:15

And now that I have

16:18

installed my access control policy and if I want, I can go back in and

16:22

set up what other blades

16:26

that that I might want, including https inspection.