In some instances, it may be necessary to define exceptions for the default SmartLSM security
profile. For example, if you do not want all gateways to use the specified default SmartLSM profile
after installation, you can customize different security profiles to replace known security profiles.
Let's say you have a scenario with these details:
• The default SmartLSM profile after installation is configured to use a SmartLSM profile called "NewLSM".
• After firmware installation, you want the "NewLSM" profile installed on all Security Gateways except for gateways that currently use the "GroupA_LSM" profile.
• You want to replace the "GroupA_LSM" profile with a profile called "GroupA_NewLSM".
In this scenario, you add an exception that replaces the "GroupA_LSM" profile with the
"GroupA_NewLSM" profile.
You can install the firmware with one of these options:
• Immediately - Installs the firmware in two steps:
  • Downloads the firmware immediately during the next synchronization with a Security Gateway that references this profile.
  • Installs the firmware when the download completes.
• According to time ranges - You can define download and installation time ranges for the
  firmware image. The download and installation time can be limited to a specified list of time
  ranges in the week. They start at the nearest time range after firmware settings were applied.
  You can also define that the download takes place immediately as above and only installation is
  based on specified time ranges. For example, if the firmware installation settings were applied
  on Sunday and there are two time ranges:
  • One range is set to Friday 00:00 to Saturday 00:00
  • One range is set to Wednesday 23:00 to Thursday 06:00
  The firmware is installed between Wednesday 23:00 and Thursday 06:00.
  If the Security Gateway fails to download and/or install the firmware during the
  nearest time range, it tries again in the next time range.
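The time-range rule described above, modeled as an added example (this is not Check Point code and not part of the guide). The function names and the tuple format for ranges are hypothetical, and the model assumes that a range already open when the settings are applied counts as the nearest one.

```python
from datetime import datetime, timedelta

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
WEEK = 7 * 24 * 60  # minutes in one week


def minute_of_week(day, hhmm):
    """Convert ("Wed", "23:00") to minutes since Monday 00:00."""
    hours, minutes = map(int, hhmm.split(":"))
    return DAYS.index(day) * 1440 + hours * 60 + minutes


def upcoming_windows(applied, ranges, count=2):
    """Return the next `count` (start, end) windows, nearest first.

    applied: datetime at which the firmware settings were applied.
    ranges:  weekly ranges as ((day, "HH:MM"), (day, "HH:MM")); a range
             may cross the end of the week (Sun 22:00 to Mon 02:00).
    Assumption: a range that is already open at `applied` is the nearest.
    """
    week_start = (applied - timedelta(days=applied.weekday())).replace(
        hour=0, minute=0, second=0, microsecond=0)
    candidates = []
    for (start_day, start_t), (end_day, end_t) in ranges:
        start_min = minute_of_week(start_day, start_t)
        # Modulo handles ranges that wrap past Sunday midnight.
        length = (minute_of_week(end_day, end_t) - start_min) % WEEK
        for week in range(-1, count + 1):
            start = week_start + timedelta(minutes=start_min + week * WEEK)
            end = start + timedelta(minutes=length)
            if end > applied:  # skip ranges that have already closed
                candidates.append((start, end))
    return sorted(candidates)[:count]


if __name__ == "__main__":
    # Constructed input matching the guide's example: applied on a Sunday.
    applied = datetime(2024, 1, 7, 12, 0)  # 2024-01-07 is a Sunday
    ranges = [(("Fri", "00:00"), ("Sat", "00:00")),
              (("Wed", "23:00"), ("Thu", "06:00"))]
    first, retry = upcoming_windows(applied, ranges)
    print("install window:", first[0], "to", first[1])
    print("retry window:  ", retry[0], "to", retry[1])
```

The second window returned is the one the gateway falls back to if the download or installation does not complete in the first.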
To configure firmware installation settings on a Provisioning Profile:
1. Open the Security Gateway Profile window, and select the Firmware tab.
2. Select Manage firmware centrally from this application.
3. Click Advanced.
   The Profile Settings window is displayed.
4. Select an override profile setting:
   • Allowed
   • Denied
   • Mandatory
   For more information about override profile settings, see Configuring Profile Settings (on page 36).
5. In Firmware image, click Select to select a firmware image that was uploaded through
SmartUpdate.
6. In Default SmartLSM Profile after installation, select the new SmartLSM profile of the
Security Gateway (the Security Gateway version must match its SmartLSM profile's version as
defined in SmartDashboard for correct policy behavior). The Security Gateway replaces its
Check Point 1100/1200R/1400 Appliances Centrally Managed Administration Guide R77.20.70 | SmartProvisioning | 33