Smart-1 Cloud Advanced Configuration

Use these commands on the Security Gateway to see the communication status and clear the communication between the Security Gateway and the Smart-1 Cloud service.

Smart-1 Cloud Gateway Commands

Open the communication between the Security Gateway and the service. This command creates an HTTPS tunnel between the Security Gateway and the Smart-1 Cloud service. All communication between the Security Gateway and the cloud management runs on top of this tunnel.

  • Gaia R81 and higher:

    set security-gateway cloud-mgmt-service on auth-token <Auth-Token>

  • Gaia R80.40:

    set security-gateway maas on auth-token <Auth-Token>

  • Gaia R80.30 and lower:

    maas on --auth-token <Auth-Token>

  • Gaia Embedded:

    connect maas auth-token <Auth-Token>

    set maas mode enable

Show the communication status with the service, that is, the status of the HTTPS tunnel between the Security Gateway and the service.

  • Gaia R81 and higher:

    show security-gateway cloud-mgmt-service

  • Gaia R80.40:

    show security-gateway maas

  • Gaia R80.30 and lower:

    maas status

  • Gaia Embedded:

    show maas

Disconnect the Security Gateway and stop the Smart-1 Cloud management.

  • Gaia R81 and higher:

    set security-gateway cloud-mgmt-service off

  • Gaia R80.40:

    set security-gateway maas off

  • Gaia R80.30 and lower:

    maas off

  • Gaia Embedded:

    set maas mode disable

How to Connect a Security Gateway behind a NAT/Proxy or 3rd Party Security Gateway

In Smart-1 Cloud, the Security Gateway opens an HTTPS tunnel to the service. Once the tunnel is established and operational, Smart-1 Cloud can open Secure Internal Communication (SIC) to the Security Gateway through it.

You must allow outbound HTTPS traffic to the FQDNs listed below so that the Security Gateway can communicate with the service:

  • To your domain at Smart-1 Cloud:

    <Service-Identifier>.maas.checkpoint.com

  • For Smart-1 Cloud deployments in Europe:

    cloudinfra-gw.portal.checkpoint.com

  • For Smart-1 Cloud deployments in the United States:

    cloudinfra-gw-us.portal.checkpoint.com

  • For Smart-1 Cloud deployments in APAC:

    https://cloudinfra-gw.ap.portal.checkpoint.com
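The list above is an egress allowlist, and the usual mistake when turning it into a firewall or proxy rule is a suffix match that also accepts lookalike names. The following is an added example, not code from the Smart-1 Cloud documentation: it builds the exact set of hostnames for one tenant and region, matches destinations exactly on TCP/443 only, and flags constructed egress log lines that fall outside the set. The region keys, the `dst=`/`dport=` log format and the `acme` service identifier are this example's own assumptions.

```python
import re

# Destinations from the Smart-1 Cloud documentation: the per-tenant host under
# maas.checkpoint.com plus the regional cloudinfra-gw host.
# The region keys ("eu", "us", "apac") are this example's own naming.
REGION_HOSTS = {
    "eu": "cloudinfra-gw.portal.checkpoint.com",
    "us": "cloudinfra-gw-us.portal.checkpoint.com",
    "apac": "cloudinfra-gw.ap.portal.checkpoint.com",
}
MAAS_DOMAIN = "maas.checkpoint.com"
HTTPS_PORT = 443

# One DNS label: letters, digits, hyphens, max 63 chars, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# Assumed (constructed) egress log format: "... dst=<host> dport=<port> ..."
_LOG_RE = re.compile(r"\bdst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\b")


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot; reject schemes, ports and paths
    so that 'https://host' or 'host:443' never slips through as a hostname."""
    h = host.strip().lower().rstrip(".")
    if not h or "/" in h or ":" in h or "@" in h:
        raise ValueError(f"not a bare hostname: {host!r}")
    return h


def build_allowlist(service_identifier: str, region: str) -> frozenset:
    """Exact hostnames the gateway may reach for Smart-1 Cloud, given the
    tenant's <Service-Identifier> and its deployment region."""
    sid = service_identifier.strip().lower()
    if not _LABEL_RE.match(sid):
        raise ValueError(f"invalid service identifier label: {service_identifier!r}")
    return frozenset({f"{sid}.{MAAS_DOMAIN}", REGION_HOSTS[region]})


def is_allowed(dest_host: str, dest_port: int, allowlist: frozenset) -> bool:
    """Exact match only: a suffix match would also accept lookalikes such as
    '<sid>.maas.checkpoint.com.example.net'. Plain HTTP is never required."""
    if dest_port != HTTPS_PORT:
        return False
    try:
        return normalize_host(dest_host) in allowlist
    except ValueError:
        return False


def flag_unexpected(log_lines, allowlist: frozenset) -> list:
    """Return the log lines whose destination/port is not on the allowlist
    (unparseable lines are flagged too, so they are not silently ignored)."""
    flagged = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if m is None or not is_allowed(m["dst"], int(m["dport"]), allowlist):
            flagged.append(line)
    return flagged


# Constructed sample egress log lines (not real traffic).
SAMPLE_LOG = [
    "src=192.0.2.10 dst=acme.maas.checkpoint.com dport=443",
    "src=192.0.2.10 dst=cloudinfra-gw.portal.checkpoint.com dport=443",
    "src=192.0.2.10 dst=cloudinfra-gw-us.portal.checkpoint.com dport=443",  # wrong region
    "src=192.0.2.10 dst=acme.maas.checkpoint.com.example.net dport=443",     # lookalike
    "src=192.0.2.10 dst=acme.maas.checkpoint.com dport=80",                  # not HTTPS
]

if __name__ == "__main__":
    allow = build_allowlist("acme", "eu")
    for line in flag_unexpected(SAMPLE_LOG, allow):
        print("unexpected:", line)
```

Only the tenant host and the single regional host for the deployment belong in the rule; a gateway in an EU tenant talking to the US endpoint is worth a look, which is why the example flags it rather than accepting all three regional hosts.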

How to Connect a Quantum Spark Appliance with a Dynamic IP

To connect a Quantum Spark Appliance with a Dynamic IP:

  1. In the Infinity Portal, connect the Security Gateways to the service.

  2. In SmartConsole, navigate to Gateways & Servers.

  3. Open the Security Gateway object > change the Hardware (below Platform) to the applicable model (for example, 1590 Appliances).

  4. Below General Properties > select the check box Dynamic Address.

  5. When the SmartConsole notification says "Changing the gateway to Dynamic Address will reset the portals on the gateway", click Yes.

  6. Click Yes when the SmartConsole notification says:

    "Selecting Dynamic Address option will remove your selection in the Check Point Software Blades list. Change Version to the latest, reset traditional mod IKE properties, reset VPN link selection properties and will remove NAT Definition."

  7. Start SIC > based on "First to connect."

  8. Publish the SmartConsole session.

  9. Open the Security Gateway object.

  10. Navigate to Topology.

  11. Manually add the "maas_tunnel" interface with the automatically generated Security Gateway IP address (100.64.0.X) and Net Mask (255.255.255.255).

  12. In the Quantum Spark Appliance's WebUI, click Security Management Server > Connect SIC Menu > Re-Enter SIC password (if it does not exist already) > Connect to Management Server.

  13. In the Quantum Spark Appliance's WebUI, click Fetch policy.

How to Configure the Query Settings in SmartConsole

  1. From the left navigation panel, click Logs & Monitor > Logs.

  2. To the right of the query field, click Options > Tools > Query Settings.

  3. In the Query Settings window, configure the applicable settings.

  4. Click OK.

For more information, see the Logging and Monitoring Administration Guide for your version.

How to Connect a Local Active Directory to Smart-1 Cloud

Smart-1 Cloud customers that want to use their local AD server in their Identity Awareness configuration must configure the gateway as a proxy for the cloud management.

To connect your local AD server to Smart-1 Cloud:

  1. In the Streamed SmartConsole, in the Objects pane on the right, click New > Host, and create a host for your Domain Controller.

  2. Create LDAP Account Unit: Click New > More > User/Identity > LDAP Account Unit.

  3. On the LDAP Account Unit Servers tab, add an LDAP server.

  4. On the Object Management tab > Server to connect field > Select the host object you created for the Domain Controller.

  5. Manually add the branch(es).

    Fetching branches is not supported, so you must add them manually.

    The branch name is the suffix of the Login DN that begins with DC=.

    Example:

    If the Login DN is: CN=John.Smith,CN=Users,DC=mycompany,DC=com

    then the branch name is: DC=mycompany,DC=com

  6. Select Management Server needs proxy to reach AD server.

  7. In the Proxy through field, select the Security Gateway / Security Cluster that has a route to your AD server.

    Important - Notes about the Identity Awareness Gateway as Active Directory Proxy feature:

    • This feature operates only with Microsoft Active Directory.

    • This feature supports only the user picker in the Access Role object.

      Other settings, such as Identity Awareness Configuration wizard, Client certificate, Legacy user picker, Fetch branches, Fetch fingerprint, and LDAP tree are not supported.

    • This feature operates only with Security Gateway R80.20 and higher running Gaia OS.

    • This feature operates only with Quantum Spark appliances R80.20.00 and higher running Gaia Embedded OS (see the Quantum Spark Appliances Centrally Managed Administration Guide for your version (2000 models, 19000 models, 1800 models, 1600 models, 1500 models)).

    • This feature does not support DAIP gateways or Externally managed gateways.

    • Available communication types:

      • Clear - Communication between the Security Management Server and the Security Gateway is encrypted by SIC. But the communication from the Security Gateway to the Active Directory server is not encrypted.

      • SSL - Active Directory domain controller needs to allow SSL.

    • Required Active Directory permissions for the account used to configure the Account Unit:

      • For user picker functionality, the account must have permission to run LDAP queries.

      • For Security Gateway functionality, the required permissions depend on the identity sources used on the Security Gateway.

      • To get identities with the Active Directory Query without using domain admin credentials, refer to sk93938.
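Step 5 above derives the branch name from the Login DN by hand. The following is an added example, not code from the Smart-1 Cloud documentation or from Check Point: it splits a DN into its RDNs, honouring backslash escapes (an escaped comma inside a CN must not start a new component), and returns the suffix that begins at the first DC= component, exactly as the rule in step 5 states. It rejects a DN with no DC= part or with a non-DC component after the DC suffix, so a mistyped DN fails loudly instead of producing a wrong branch. The sample DNs are constructed.

```python
def split_dn(dn: str) -> list:
    """Split a DN into RDN strings on unescaped commas.
    A backslash escapes the next character (RFC 4514 style), so 'CN=Smith\\, John'
    stays one component. Surrounding whitespace of each RDN is dropped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair verbatim
            i += 2
            continue
        if c == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def _attr_type(rdn: str) -> str:
    """Attribute type of an RDN ('DC' for 'dc=corp'), upper-cased for comparison."""
    return rdn.split("=", 1)[0].strip().upper()


def branch_from_login_dn(login_dn: str) -> str:
    """Return the suffix of the Login DN that begins with the first DC= component,
    which is the branch name to add manually in the LDAP Account Unit."""
    rdns = split_dn(login_dn)
    for idx, rdn in enumerate(rdns):
        if _attr_type(rdn) == "DC":
            tail = rdns[idx:]
            # Every component after the first DC= must itself be DC=; anything
            # else means the DN is malformed for an AD domain suffix.
            if any(_attr_type(r) != "DC" for r in tail):
                raise ValueError(f"non-DC component after the DC suffix in {login_dn!r}")
            return ",".join(tail)
    raise ValueError(f"no DC= component in {login_dn!r}")


if __name__ == "__main__":
    # Constructed sample DNs.
    for dn in (
        "CN=John.Smith,CN=Users,DC=mycompany,DC=com",
        "CN=Smith\\, John,OU=Staff, dc=corp,DC=example,DC=net",
    ):
        print(dn, "->", branch_from_login_dn(dn))
```

The original case of the DC components is preserved in the result so that the branch string matches what the directory reports; only the comparison that finds the suffix is case-insensitive.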

How to Configure Access to Security Gateway Gaia Portal

The IP address in the Security Gateway object represents the interface between the Security Gateway and the service.

This IP address is internal (private) and you cannot use it on the Internet.

Note - If a Security Gateway object is created with a static IP address, access to the Security Gateway Gaia Portal is allowed without any change.

To allow access to the Security Gateway Gaia Portal:

  1. In SmartConsole, navigate to Gateways & Servers.

  2. Open the Security Gateway object.

  3. From the left tree, click Platform Portal.

  4. Change the primary URL to the Security Gateway IP address used for Gaia login.

  5. Publish the SmartConsole session.

  6. Install the Access Control policy.

Example:

The displayed Gateway IP address is the MaaS tunnel IP address.

Change the Platform Portal IP address to the Security Gateway IP address used for the Gaia login.

How to Configure Access from the Security Gateway External IP Address to the Internal Asset with Static NAT

Smart-1 Cloud uses the Security Gateway object's primary IP address for the tunnel communication between the Security Gateway and the service in cloud. It is a virtual interface.

Note - When configuring NAT rules, standard settings are available if the Security Gateway object is created with a static IP address.

Consequently, the destination IP address of this rule is actually a virtual tunnel IP address, and not the Security Gateway's physical external interface.

This screenshot shows the IP address in the tooltip:

To configure access from the Security Gateway's external IP address to the internal asset with a static NAT rule in Smart-1 Cloud, you must create a dummy object with the physical IP address of the Security Gateway and use that object in the NAT rule.

In this screenshot, the dummy Host object ("GW_Ext_int") that contains the Security Gateway's physical IP address, replaces the Security Gateway object ("GW-183").

How to Configure IP Address Selection by Remote VPN Peer

Several methods determine how remote peers resolve the IP address of the local Security Gateway.

Configure these settings in Security Gateway Properties > IPsec VPN > Link Selection.

Note - If you create the Security Gateway object with a static IP address and not with the tunnel IP, link selection is not required. You can use the standard settings for VPN configuration on the Security Gateway.

We recommend configuring in Smart-1 Cloud a static IP address in the Security Gateway object for VPN configuration.

Smart-1 Cloud uses the Security Gateway object's primary IP address for the tunnel communication between the Security Gateway and our service in cloud. It is a virtual interface.

Consequently, you cannot use the Main address option.

As an alternative, use one of these options to select an address from topology table:

Option 1:

Option 2:

Smart-1 Cloud Configuration for Site-to-Site VPN

When you configure a Site-to-Site VPN between two gateways, the VPN status can show as "down".

To resolve this issue, it is necessary to configure the topology of the maas_tunnel interface as "Internet (External)."

Note - You require this configuration only when you have Site-to-Site VPN between two Security Gateways (not clusters).

To configure a Site-to-Site VPN in SmartConsole:

  1. From the left navigation panel, click Gateways & Servers.

  2. Open the Security Gateway object.

  3. Navigate to Network Management.

  4. Select the maas_tunnel interface > click Edit.

  5. On the General page, click Modify.

  6. Select Override > Internet (External).

  7. Click OK.

  8. Repeat steps 2-7 for all Security Gateways in the Site-to-Site VPN.

  9. Install the Access Control policy on all applicable Security Gateways.

Example: