Smart-1 Cloud Advanced Configuration

Use these commands on the Security Gateway to establish the communication between the Security Gateway and the Smart-1 Cloud service, to see the communication status, and to disable the communication when it is no longer needed.

Smart-1 Cloud Gateway Commands

Enable the communication between the Security Gateway and the service.

This command creates an HTTPS tunnel between the Security Gateway and the Smart-1 Cloud service. All communication between the Security Gateway and the cloud management runs on top of this tunnel.

  • Gaia R81:

    set security-gateway cloud-mgmt-service on auth-token <Auth-Token>

  • Gaia R80.40:

    set security-gateway maas on auth-token <Auth-Token>

  • Gaia R80.30 and lower:

    maas on --auth-token <Auth-Token>

  • Gaia Embedded:

    connect maas auth-token <Auth-Token>

    set maas mode enable

Show the communication status with the service (the status of the HTTPS tunnel between the Security Gateway and the service).

  • Gaia R81:

    show security-gateway cloud-mgmt-service

  • Gaia R80.40:

    show security-gateway maas

  • Gaia R80.30 and lower:

    maas status

  • Gaia Embedded:

    show maas

Disconnect the Security Gateway and stop the Smart-1 Cloud management.

  • Gaia R81:

    set security-gateway cloud-mgmt-service off

  • Gaia R80.40:

    set security-gateway maas off

  • Gaia R80.30 and lower:

    maas off

  • Gaia Embedded:

    set maas mode disable

How to Connect a Security Gateway behind a NAT/Proxy or 3rd Party Security Gateway

In Smart-1 Cloud, the Security Gateway opens an HTTPS tunnel to the service. Secure Internal Communication (SIC) cannot be established from the Smart-1 Cloud environment to the Security Gateway until this tunnel is up and working.

You must allow outbound HTTPS traffic (TCP port 443) to the FQDNs listed below so that the Security Gateway can communicate with the service:

  • To your domain at Smart-1 Cloud:

    <Service-Identifier>.maas.checkpoint.com

  • For Smart-1 Cloud deployments in Europe:

    cloudinfra-gw.portal.checkpoint.com

  • For Smart-1 Cloud deployments in the United States:

    cloudinfra-gw-us.portal.checkpoint.com

  • For Smart-1 Cloud deployments in the APAC:

    cloudinfra-gw.ap.portal.checkpoint.com
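The following script is an added example, not code from Check Point or from this page. It checks the egress path described above from a host that leaves the network the same way the gateway does: it builds the list of FQDNs for one tenant and region, optionally tunnels through an explicit HTTP CONNECT proxy (an assumption about the proxy type), and performs a verified TLS handshake against each name. A certificate verification failure here usually means a TLS-inspecting device is re-signing the server certificate on the path, which is worth knowing before the gateway is expected to tunnel through it. The script name in the usage line is hypothetical.

```python
"""Pre-flight check of the outbound HTTPS path a Security Gateway needs to
reach Smart-1 Cloud. Added example, not Check Point code. Run it from a host
that egresses the same way as the gateway; pass the explicit proxy if the
gateway uses one. Assumption: the proxy speaks plain HTTP CONNECT."""
import socket
import ssl
import sys
from urllib.parse import urlparse

# Regional endpoints listed on this page; the tenant endpoint is built per service identifier.
REGION_ENDPOINT = {
    "eu": "cloudinfra-gw.portal.checkpoint.com",
    "us": "cloudinfra-gw-us.portal.checkpoint.com",
    "apac": "cloudinfra-gw.ap.portal.checkpoint.com",
}


def required_fqdns(service_identifier, region):
    """FQDNs that must be allowed outbound on TCP/443 for one tenant in one region."""
    if region not in REGION_ENDPOINT:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(REGION_ENDPOINT)}")
    return [f"{service_identifier}.maas.checkpoint.com", REGION_ENDPOINT[region]]


def parse_connect_status(reply):
    """HTTP status code from a proxy's reply to CONNECT, e.g. b'HTTP/1.1 200 ...\\r\\n\\r\\n'."""
    status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ConnectionError(f"malformed proxy reply: {status_line!r}")
    return int(parts[1])


def open_tcp(fqdn, proxy=None, timeout=5):
    """TCP socket to fqdn:443, tunnelled through an HTTP CONNECT proxy when one is given."""
    if proxy is None:
        return socket.create_connection((fqdn, 443), timeout=timeout)
    p = urlparse(proxy if "://" in proxy else f"http://{proxy}")
    sock = socket.create_connection((p.hostname, p.port or 3128), timeout=timeout)
    sock.sendall(f"CONNECT {fqdn}:443 HTTP/1.1\r\nHost: {fqdn}:443\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:          # read only the proxy's response headers
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        reply += chunk
    status = parse_connect_status(reply)
    if status != 200:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT to {fqdn}:443 (HTTP {status})")
    return sock


def probe(fqdn, proxy=None, timeout=5):
    """Do a real TLS handshake with chain and hostname verification; report the outcome."""
    ctx = ssl.create_default_context()       # system trust store, hostname check on
    result = {"fqdn": fqdn, "ok": False, "issuer": None, "error": None}
    try:
        with open_tcp(fqdn, proxy, timeout) as raw, ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            issuer = dict(pair[0] for pair in tls.getpeercert()["issuer"])
            result["issuer"] = issuer.get("organizationName")
            result["ok"] = True
    except ssl.SSLCertVerificationError as exc:
        # Typical sign of a TLS-inspecting proxy re-signing the server certificate.
        result["error"] = f"certificate rejected: {exc.verify_message}"
    except (OSError, ConnectionError) as exc:   # DNS, timeout, refused, proxy errors
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: smart1_egress_check.py <Service-Identifier> <eu|us|apac> [proxy-host:port]")
    proxy = sys.argv[3] if len(sys.argv) > 3 else None
    for fqdn in required_fqdns(sys.argv[1], sys.argv[2]):
        r = probe(fqdn, proxy)
        print("PASS" if r["ok"] else "FAIL", fqdn, r["issuer"] or r["error"])
```

A PASS line names the issuing CA organization seen on the wire; if that is your proxy vendor or an internal CA rather than a public CA, the path is being intercepted. A FAIL with "proxy refused CONNECT" means the proxy's own allow-list also needs the FQDNs above.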

How to Connect a Quantum Spark Appliance with a Dynamic IP

To connect a Quantum Spark Appliance with a Dynamic IP:

  1. In the Infinity Portal, connect the Security Gateways to the service.

  2. In SmartConsole, navigate to Gateways & Servers.

  3. Open the Security Gateway object > under Platform, change Hardware to the applicable model (for example, 1590 Appliances).

  4. Under General Properties, select the Dynamic Address check box.

  5. When the SmartConsole notification says "Changing the gateway to Dynamic Address will reset the portals on the gateway", click Yes.

  6. Click Yes when the SmartConsole notification says:

    "Selecting Dynamic Address option will remove your selection in the Check Point Software Blades list. Change Version to the latest, reset traditional mode IKE properties, reset VPN link selection properties and will remove NAT Definition."

  7. Initiate SIC > according to "First to connect".

  8. Publish the SmartConsole session.

  9. Open the Security Gateway object.

  10. Navigate to Topology.

  11. Manually add the "maas_tunnel" interface with the automatically generated Security Gateway IP address (100.64.0.X) and Net Mask (255.255.255.255).

  12. In the Quantum Spark Appliance's WebUI, click Security Management Server > Connect SIC Menu > Re-Enter SIC password (if it does not exist already) > Connect to Management Server.

  13. In the Quantum Spark Appliance's WebUI, click Fetch policy.

How to Configure the Query Settings in SmartConsole

  1. From the left navigation panel, click Logs & Monitor > Logs.

  2. To the right of the query field, click Options > Tools > Query Settings.

  3. In the Query Settings window, configure the applicable settings.

  4. Click OK.

For more information, see the Logging and Monitoring Administration Guide for your version.

How to Connect a Local Active Directory to Smart-1 Cloud

Smart-1 Cloud customers who want to use their local AD server in their Identity Awareness configuration must configure the Security Gateway as a proxy for the cloud management.

To connect your local AD server to Smart-1 Cloud:

  1. In SmartConsole, navigate to the Objects Management tab.

  2. In the Server to connect to field, select the host object you created for this Domain Controller.

  3. Add the branch (or branches) manually. Fetching branches is not supported.

    The branch name is the suffix of the Login DN that begins with DC=.

    Example:

    If the Login DN is: CN=John.Smith,CN=Users,DC=mycompany,DC=com

    then the branch name is: DC=mycompany,DC=com

  4. Select Management Server needs proxy to reach AD server.

  5. In the Proxy through field, select the Security Gateway / Security Cluster that has a route to your AD server.

    Important - Notes about the Identity Awareness Gateway as Active Directory Proxy feature:

    • This feature works only with Microsoft Active Directory.

    • This feature supports only the user picker in the Access Role object.

      Other settings, such as the Identity Awareness Configuration wizard, Client certificate, Legacy user picker, Fetch branches, Fetch fingerprint, and LDAP tree, are not supported.

    • This feature works only with Security Gateways R80.20 and higher running Gaia OS.

    • This feature does not support Centrally Managed Quantum Spark appliances running Gaia Embedded OS (1800, 1600, 1500, 1400, 1200R, 1100).

    • This feature does not support DAIP gateways or Externally managed gateways.

    • Available communication types:

      • Clear - Communication between the Security Management Server and the Security Gateway is encrypted by SIC. However, the communication from the Security Gateway to the Active Directory server is not encrypted.

      • SSL - The Active Directory domain controller must accept LDAP over SSL.

    • Required Active Directory permissions for the account used to configure the Account Unit:

      • For user picker functionality, the account must have permission to perform LDAP queries.

      • For Security Gateway functionality - depends on the identity sources used on the Security Gateway.

      • To acquire identities using the Active Directory Query without domain admin credentials, refer to sk93938.
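Since branches must be typed by hand (step 3 above), it is easy to get the DC= suffix wrong, especially for DNs that contain escaped commas. The function below is an added example, not Check Point code: it applies the rule stated on this page (the branch is the trailing run of DC= components of the Login DN) with RFC 4514 escaping handled, so a DN such as CN=Smith\, John,OU=Sales,DC=corp,DC=example,DC=net is split correctly. The sample DNs are constructed.

```python
"""Derive the Account Unit branch from a user's Login DN. Added example, not
Check Point code. Applies the rule from this page (branch = the DC= suffix of
the Login DN) with RFC 4514 escaping handled, because a plain split on ','
breaks on names such as CN=Smith\\, John."""


def split_rdns(dn):
    """Split a DN into RDN strings. Backslash-escaped characters stay inside
    their RDN; '+'-joined multi-valued RDNs are kept as one element."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):    # \, \\ \+ \" or \XX hex escape
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def attribute_type(rdn):
    """'dc' for 'DC=example'; case-folded so DC=, dc= and Dc= all match."""
    return rdn.split("=", 1)[0].strip().lower()


def branch_from_login_dn(login_dn):
    """The contiguous run of DC= components at the end of the DN, joined with
    commas, exactly as it must be entered in the Account Unit's branch list."""
    rdns = split_rdns(login_dn)
    tail = []
    for rdn in reversed(rdns):
        if attribute_type(rdn) != "dc":
            break
        tail.append(rdn)
    if not tail:
        raise ValueError(f"Login DN has no DC= suffix: {login_dn!r}")
    return ",".join(reversed(tail))


def dns_domain(branch):
    """Domain name implied by a DC= branch, useful for matching the AD domain field."""
    return ".".join(rdn.split("=", 1)[1].strip() for rdn in split_rdns(branch))


if __name__ == "__main__":
    # Constructed sample DNs, not taken from any real directory.
    for dn in ("CN=John.Smith,CN=Users,DC=mycompany,DC=com",
               "CN=Smith\\, John,OU=Sales,DC=corp,DC=example,DC=net"):
        branch = branch_from_login_dn(dn)
        print(f"{dn}\n  branch: {branch}   domain: {dns_domain(branch)}")
```

A DN whose DC= components are not all at the end (for example CN=x,DC=a,OU=b) is rejected rather than guessed, since such a value is not a valid branch for the Account Unit.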

How to Configure Access to Security Gateway Gaia Portal

The IP address in the Security Gateway object represents the interface between the Security Gateway and the service.

This IP address is internal (private) and is not reachable from the Internet.

To allow access to the Security Gateway Gaia Portal:

  1. In SmartConsole, navigate to Gateways & Servers.

  2. Open the Security Gateway object.

  3. From the left tree, click Platform Portal.

  4. Change the primary URL to the Security Gateway IP address used for Gaia login.

  5. Publish the SmartConsole session.

  6. Install the Access Control policy.

Example:

The displayed Gateway IP address is the MaaS tunnel IP address.

Change the Platform Portal IP address to the Security Gateway IP address used for the Gaia login.

How to Configure Access from the Security Gateway's External IP Address to the Internal Asset Using Static NAT

In Smart-1 Cloud, the Security Gateway object's primary IP address is used for the tunnel communication between the Security Gateway and the service in the cloud. It belongs to a virtual interface.

Consequently, if you use the Security Gateway object as the destination of a NAT rule, the destination IP is actually the virtual tunnel IP address, and not the Security Gateway's physical external interface.

[Screenshot: the Security Gateway object's tooltip showing the tunnel IP address]

To configure access from the Security Gateway's external IP address to an internal asset with a static NAT rule in Smart-1 Cloud, create a dummy Host object with the physical IP address of the Security Gateway, and use that object in the NAT rule instead of the Security Gateway object.

In the screenshot, the Security Gateway object ("GW-183") was replaced with the dummy Host object ("GW_Ext_int") that contains the Security Gateway's physical IP address.

How to Configure IP Address Selection by Remote VPN Peer

There are several methods that can determine how remote peers resolve the IP address of the local Security Gateway.

Configure these settings in Security Gateway Properties > IPsec VPN > Link Selection.

In Smart-1 Cloud, the Security Gateway object's primary IP address is used for the tunnel communication between the Security Gateway and the service in the cloud. It belongs to a virtual interface.

Consequently, you cannot use the Main address option: remote peers would resolve the private tunnel address, which they cannot reach.

As an alternative, use one of these options to select an address from the topology table:

Option 1:

Option 2:

Smart-1 Cloud Configuration for Site-to-Site VPN

When you configure a Site-to-Site VPN between two gateways, the VPN status may show as "down".

To resolve this issue, configure the topology of the maas_tunnel interface as "Internet (External)".

Note - This configuration is required only when you have Site-to-Site VPN between two Security Gateways (not clusters).

To configure a Site-to-Site VPN in SmartConsole:

  1. From the left navigation panel, click Gateways & Servers.

  2. Open the Security Gateway object.

  3. Navigate to Network Management.

  4. Select the maas_tunnel interface > click Edit.

  5. On the General page, click Modify.

  6. Select Override > Internet (External).

  7. Click OK.

  8. Repeat steps 2-7 for all Security Gateways in the Site-to-Site VPN.

  9. Install the Access Control policy on all applicable Security Gateways.
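The four preceding sections (Gaia Portal access, static NAT, Link Selection and Site-to-Site VPN) all follow from the same fact: the gateway object's main IP is the maas_tunnel address, not a routable one. The script below is an added example, not Check Point code, that audits a gateway definition for each of these misconfigurations at once. GATEWAY and NAT_RULES are constructed samples whose field names only resemble Management API output (show-simple-gateway, show-nat-rulebase); treat those names, and the "link-selection" encoding, as assumptions to check against your version's API reference. Treating the whole RFC 6598 block 100.64.0.0/10 as tunnel address space is also an assumption; this page shows only 100.64.0.X/32.

```python
"""Audit a Smart-1 Cloud managed gateway for settings that still point at the
maas_tunnel address. Added example, not Check Point code. GATEWAY and NAT_RULES
are constructed; the field names are an assumption, not the real API schema."""
import ipaddress
from urllib.parse import urlparse

# The page shows the tunnel address as 100.64.0.X/32. Assumption: treat the whole
# RFC 6598 shared block 100.64.0.0/10 as tunnel space so any allocation matches.
TUNNEL_NET = ipaddress.ip_network("100.64.0.0/10")


def is_tunnel_ip(text):
    """True if text is an IP literal inside the tunnel address block."""
    try:
        return ipaddress.ip_address(text) in TUNNEL_NET
    except ValueError:          # object names, empty strings, hostnames
        return False


GATEWAY = {  # constructed sample: the object's main IP is the tunnel endpoint
    "name": "GW-183",
    "cluster-member": False,
    "ipv4-address": "100.64.0.17",
    "interfaces": [
        {"name": "maas_tunnel", "ipv4-address": "100.64.0.17",
         "ipv4-mask-length": 32, "topology": "internal"},
        {"name": "eth0", "ipv4-address": "203.0.113.10",
         "ipv4-mask-length": 24, "topology": "external"},
        {"name": "eth1", "ipv4-address": "10.1.1.1",
         "ipv4-mask-length": 24, "topology": "internal"},
    ],
    "platform-portal-url": "https://100.64.0.17/",
    "vpn": True,
    "link-selection": "main-address",   # assumed encoding of IPsec VPN > Link Selection
}

NAT_RULES = [  # constructed sample: rule 1 is the mistake, rule 2 is the documented fix
    {"rule-number": 1,
     "original-destination": {"name": "GW-183", "ipv4-address": "100.64.0.17"},
     "translated-destination": {"name": "web-srv", "ipv4-address": "10.1.1.20"}},
    {"rule-number": 2,
     "original-destination": {"name": "GW_Ext_int", "ipv4-address": "203.0.113.10"},
     "translated-destination": {"name": "web-srv", "ipv4-address": "10.1.1.20"}},
]


def physical_external_ip(gw):
    """Address of the first real (non-tunnel) interface with external topology."""
    for itf in gw["interfaces"]:
        if itf["name"] != "maas_tunnel" and itf["topology"] == "external":
            return itf["ipv4-address"]
    return None


def audit(gw, nat_rules):
    """Return a list of findings; an empty list means no tunnel-IP misuse was found."""
    findings = []
    ext = physical_external_ip(gw) or "<physical external IP>"

    # Gaia Portal: the Platform Portal URL must use the address admins log in to.
    host = urlparse(gw.get("platform-portal-url", "")).hostname or ""
    if is_tunnel_ip(host):
        findings.append(f"platform-portal: main URL uses the tunnel address {host}; use https://{ext}/")

    # Static NAT: the original destination must be a host object with the physical IP.
    for rule in nat_rules:
        od = rule["original-destination"]
        if is_tunnel_ip(od["ipv4-address"]):
            findings.append(f"nat rule {rule['rule-number']}: original destination "
                            f"'{od['name']}' is the tunnel address {od['ipv4-address']}; "
                            f"use a host object carrying {ext}")

    if gw.get("vpn"):
        # Link Selection: 'Main address' resolves to the tunnel IP, unreachable by peers.
        if gw.get("link-selection") == "main-address":
            findings.append("link-selection: 'Main address' is the tunnel IP; "
                            "select the external address from the topology table")
        # Site-to-site VPN between gateways (not clusters): maas_tunnel must be Internet (External).
        tun = next((i for i in gw["interfaces"] if i["name"] == "maas_tunnel"), None)
        if tun and not gw.get("cluster-member") and tun["topology"] != "external":
            findings.append(f"topology: maas_tunnel is '{tun['topology']}'; "
                            "override it to Internet (External) or the VPN shows as down")
    return findings


if __name__ == "__main__":
    for finding in audit(GATEWAY, NAT_RULES):
        print("FINDING:", finding)
```

Run against the constructed sample it reports four findings, one per section above; after applying the fixes the sections describe (portal URL on the physical address, NAT rule on the dummy host, an address from the topology table, maas_tunnel set to external) it reports none. Feed it the JSON from your own management API session once you have confirmed the field names.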
