
October 25, 2018 © 2018 AT&T Intellectual Property. All rights reserved. AT&T and the Globe logo are registered trademarks of AT&T Intellectual Property. Page 1

AT&T FlexWare Applications: Customer Management Instructions Check Point vSEC Firewall Virtual Security

Customer Management Instructions: Check Point vSEC Virtual Security

This guide is designed to help you understand the steps to launch your Check Point vSEC Firewall Virtual Security application.

AT&T Recommends

• Network administrators have a working knowledge of Check Point next-generation security appliance policy administration.

• Network administrators must thoroughly review the Check Point documentation and be familiar with the configuration options and details.

While AT&T is always available to assist, you are ultimately responsible for the configuration, administration, and policies on your Check Point vSEC Firewall Virtual Security application.

Service Launch Requirements

Begin by reviewing the Check Point vSEC Firewall Virtual Security documentation available on the Check Point website. This documentation provides detailed information on all aspects of Check Point vSEC Security Platform administration. You can find the documentation here:

vSEC Overview: https://www.checkpoint.com/products/vsec-virtual-edition/

Security Policy Management: https://www.checkpoint.com/products-solutions/security-management/policy-management/

NOTE: Information on the Check Point website is maintained by Check Point, which is solely responsible for the accuracy of the available documentation.

The version can be selected via links on the web page, depending on availability. Some guides may be listed only under the major release if there are no changes. R80 should be selected when a reference to a specific release is required.

The following guides are especially recommended:

• ESG Security Management Whitepaper

• R80.10 Security Management Datasheet


Verify Configuration Settings and Policies In the Check Point VM GUI

NOTE: An AT&T Technician will be online with you to verify these settings as part of the Test and Turn Up (TTU) process.

The Check Point-VM GUI is accessed using a connected web browser. In your browser’s address bar, type:

https://[yourmgmt_ip]/login

Replace [yourmgmt_ip] in the URL with the actual management IP you provided to the AT&T Lead Engineer during the initial data gathering consultation for your service.

Changing Your Admin Password

Your assigned AT&T Technician will supply a temporary admin password for initial access to the Check Point-VM GUI. This password should be changed immediately after accessing the GUI for the first time.

1. After logging in with your supplied credentials, navigate to User Management>Change my Password.

2. Type the old password, type a new password, and click OK.

3. You will be logged out of Check Point-VM GUI and a login prompt will appear for you to log back in.

Verifying Licensed Features

Verify that the Check Point-VM is licensed and, if you have purchased the Enhanced feature set, that Next Gen features are active.

1. In the Check Point-VM GUI, navigate to Maintenance>Licenses.

2. Confirm that all ordered features have active licenses.

3. Confirm that all desired features are active.

Note: Notify your AT&T technician if you find features that are licensed incorrectly.

Configure a Test Policy

No default/test policy exists on the Check Point firewall. It is recommended you configure and test a policy. Once a policy is configured and tested, the Check Point-VM is operational. More restrictive alternate policies may be created to further secure your system if desired.


Additional Configuration Guidelines

• Regularly back up your vFirewall configuration. AT&T does not have access to your configuration and cannot perform standard backups of your vFirewall.

• If you need to add, remove, or change WAN IP addresses or VLANs on your Check Point-VM application, file an AT&T change order MACD first. Changes must be made to the AT&T FlexWare Device to support these changes. MACD orders are required for any change in your layer-2 topology settings.

• Rebooting your vFirewall is fine, but avoid hard shutdowns. If a hard shutdown of your vFirewall occurs, file a support ticket to have the vFirewall brought up manually by AT&T.

• Take care not to lose your admin password. AT&T does not have the ability to reset the admin password.

• Do not alter the RIP (routing information protocol) configuration. This is required for routing between the Check Point-VM and your AT&T managed router.

• NAT (network address translation) is enabled and uses an egress interface toward the internet. NAT is required for Internet connectivity.

• Be careful not to make configuration changes that may lock you out of your vFirewall.

• Do not issue any license command that may invalidate the Check Point throughput/feature license.

• AT&T can upgrade your vFirewall to the latest supported firmware version upon request via the support process. Do not upgrade/downgrade the firmware to a version not currently supported for the AT&T FlexWare Device.

General Customer Responsibilities:

• Check Point-VM Configuration and Policy Management: You will have access to the vFirewall through a WAN and LAN IP address when the vFirewall is turned-up. You can configure your vFirewall the same way you would configure a physical Check Point firewall. You may manage your vFirewall using Check Point Provider-1 or through the vFirewall’s GUI or CLI.

• vFirewall Monitoring and Reporting: As a network administrator, you are responsible for any Check Point-VM-specific health monitoring. The user interface provides a dashboard with statistics, and SNMP (simple network management protocol)/system logs (SYSLOG) monitoring can be set up to monitor your network management infrastructure.

Reports can be accessed through the Web UI. Log events can be forwarded to a customer provided SIM (service implementation manager) or to your organization’s instance of Check Point Provider-1 EMS.

• vFirewall Backup and Firmware Upgrades: As a network administrator, you are responsible for maintaining a backup of your vFirewall configuration. You are also responsible for scheduling firmware upgrades, but you must contact AT&T prior to any firmware upgrade to confirm the upgrade version is supported by the AT&T FlexWare Device offer.


• Ensure connectivity to Check Point for license and feature updates. These updates are automatically downloaded in real time from Check Point over the Internet. AT&T will verify that updates are working during turn-up as part of initial licensing and provisioning, but you should periodically check whether updates are working.

AT&T Responsibilities:

• Initial Installation, Configuration, and Licensing of the vFirewall. AT&T will provision the Check Point-VM with the configuration you specified during your consultation sessions with your assigned AT&T Lead Engineer.

AT&T will perform the networking and router configuration on the FlexWare Device to place the Check Point-VM in line with the appropriate traffic on the FlexWare Device.

AT&T will handle the Check Point-VM licensing and provide a serial number to you in case direct support is needed from Check Point.

• Monitoring of the AT&T FlexWare Device. The state of the vFirewall VM (virtual machine) is only monitored for up/down status. AT&T will confirm that the VM is in an up status at all times and restart it, if necessary. The AT&T operations team can restart the vFirewall in consultation with you, if necessary.


How to Get Support

Support tickets are created with Check Point either through the Check Point Support web portal, over Live Chat with Check Point Support, or over the phone.

Before seeking support from Check Point, you must create a Check Point User Center account. If you encounter any issues with this process, please contact AT&T’s Global Customer Support Center at 1-844-736-3843.

To Create a User Center Account:

1. Click Sign up now at https://usercenter.checkpoint.com/usercenter/index.jsp

2. Create a User Profile with your information.

3. From the top menu bar, click the Assets/Info tab and click the Accounts option.

4. Click the Create Account button.

5. Select the purpose of the account, and click Next (if you select "Manage Products", you will be prompted to provide additional information before continuing).

6. Complete all required fields.

7. Click the Submit button.

Once your new Account has been created, you can locate your Account ID under the “Accounts” choice again. Please remember your User Name & Account ID for future requests.

Creating a Check Point Support Request Online

1. To create a Web service request, login to UserCenter, access the Support/Services tab and select Support Center.


2. Click Open a Service Request.

3. Select Technical issue and click Next.

4. Select an account from the dropdown list and click Next.

Note: The accounts in the drop-down box of the figure below are not AT&T FlexWare accounts. You will see different AT&T FlexWare related accounts. If you do not find any account with products or services included in the drop-down box, please enter the VNF serial number in the device number section (this will be required the first time you create a ticket online). The system will check if the account or device number entered has a valid support contract.

Note: If you do not see any accounts in the drop-down box, refer to the instructions at the top of this document to follow the steps to create a User Center Account.


5. Complete the Service Request details:

Field | Notes
Hardware Platform | Select KVM
Operating System | Select GAiA
Product Line | Select CloudGuard
Product Name | Select CG IaaS[vSec]: Private Cloud
Product Version | Select R77.30
Issue Type | Select the option that most closely matches the issue you’re experiencing.
Severity | Check Point has defined severity definitions. See chart below.
Brief Summary | Type a brief summary of the issue you’re experiencing.
Detailed Description | Type a detailed description of the problem. In order for Check Point Technical Support to provide you with the optimum level of service, we suggest you provide at least the following information:

• A problem description

• Relevant background information (Has the configuration worked in the past? Is this a new configuration? Have any changes been made recently to the Check Point VNF or to the network?)

• A description and the results of your troubleshooting steps


Severity Level | Impact | Description
1 | Critical | An error isolated to Software that causes the product to fail catastrophically (e.g., major system impact, system down)
2 | High | An error isolated to Software that substantially degrades the performance of the product (e.g., moderate system impact, system hanging)
3 | Medium | An error isolated to Software that causes only a minor impact on the use of the product.
4 | Low | An anomaly in the licensed product which does not substantially restrict the use of the licensed product to perform necessary business functions.

6. Attach additional documents that could help the Technical Support team address your request. At the very least, Check Point will request your CPInfo file.

Other files that would be particularly useful:

• A network diagram with the IP addressing clearly indicated

• Screenshots

• Configuration file(s)

• Debug log(s)

Browse to and upload your files, and click Next to continue.

Note: File attachments are limited to 25MB.


7. You will have an opportunity to initiate a Live Chat session using the information you have just entered.

8. Additional contact information and methods of contact can be added. A Customer Reference Number (a number used by the customer to refer to the technical support case in their own ticketing system) can also be included. After reviewing the information, click Submit.

Once the process is completed, the SR number is displayed and an email is sent to the contact opening the SR. When a Partner opens an SR for an End User, an email notification is sent to the specified email address.


Creating a Check Point Service Request using Live Chat

The requirements for opening a Live Chat session are similar to the ones mentioned above for opening a Support Request via the Web interface.

1. To create a Live Chat session, login to UserCenter, access the Support/Services tab and select Support Center.


2. Click Live Chat.

3. On the Live Chat page, select the Support or Account Services option, type your Username and Password, and click Continue.

Complete the options on the Live Chat page and click Start Chat.


Field | Notes
Support Preference | Select Technical Support
Product Name | Select Security Gateway
Device Number | Type the MAC Address, Serial Number, or Product Key.

Creating a Check Point Service Request by Phone

A service request can also be opened via telephone:

• Americas TAC: +1-972-444-6600

• International TAC: +972-3-611-5100

The requirements for opening a service request are identical to the ones mentioned above for opening a service request via the Web interface.

Use the guidelines below when the phone prompts for choosing an option upon calling the TAC numbers:

Choose option 3 “For Support on Network Security Products”, followed by option 1 for ‘New Service request’ or option 2 if ‘calling for existing issue’.

You will be put in touch with a ‘live’ support advisor, at which time you should ask to be routed to the CloudGuard IaaS Technical Support Group for a new SR.

For an existing issue, you should provide the existing SR number and you will be routed to the right technical support resource.


Accessing AT&T Support Resources

You can always access AT&T Support Resources at http://carecentral.att.com/attflexware.

Figure 1: Image showing the landing page of the AT&T Business Care Central website.

You will find Customer Care links to your support overview and information on how to speak to an AT&T agent. Additionally, Customer Management Instruction documents like this one are available in the Managing Your Solution section.