Best Practices

Management APIs

You can read information from the Check Point Management Server and send commands to it. The tasks you do in the SmartConsole GUI, such as creating objects and configuring the Security Policy, can also be done with command line tools and web services.

Before you start, create an administrator in SmartConsole, give it the required permission profile, and make sure the permission profile has API permissions enabled:

Open the Permission Profile, go to Management, and make sure Management API Login is enabled.

There are two ways to connect to the Management APIs in Smart-1 Cloud:

  1. Enter API commands with the "mgmt_cli" executable (available in Windows, Linux/Gaia).

  2. Send API commands over an HTTPS connection with web services.

Use the "mgmt_cli" tool with:

  • The mgmt_cli tool is installed as part of Gaia on all Security Gateways R80.10 and higher, and you can use it in scripts that run in Expert mode.

  • The mgmt_cli.exe tool is installed as part of the SmartConsole installation, usually in: C:\Program Files (x86)\CheckPoint\SmartConsole\R8x.x\PROGRAM\

    You can copy and run it on a Windows computer.

For a full list of the mgmt_cli options, run "mgmt_cli". For more information about the mgmt_cli tool, see the Check Point Management API Reference.

Example:

The CLI requests username and password.

mgmt_cli -m <Service_identifier>.maas.checkpoint.com --context <Connection Token>/web_api add host name host1 ip-address 192.0.2.101

Smart-1 Cloud APIs

Use REST APIs to automate Smart-1 Cloud operations such as creating a new Smart-1 Cloud environment, registering a gateway, and getting the service information.

To configure and show the Security Policy and objects in the Security Management, use the Management APIs.

For more information, see Check Point Management API Reference.

The Streamed SmartConsole

Smart-1 Cloud supplies a SmartConsole that runs in a web browser. The Streamed SmartConsole has the same full functionality as the Windows SmartConsole, but it runs in a different I/S.

Note - The Streamed SmartConsole has a built-in timeout mechanism. The session expires after 15 minutes of idle operation and/or after two hours. After the session expires, you need to log in again.

How to upload or download files from SmartConsole:

  • Use this top toolbar:

  • You can save the files locally in My files. When it is necessary to upload files, use this toolbar:

  • Upload the files to a temporary folder in My files. Downloaded files are saved here. Use the folder icon on the top toolbar to download files to the local computer.

IPS Updates

To fetch IPS Updates in Smart-1 Cloud, it is recommended to configure Smart-1 Cloud to download them with the Security Management Server and not with SmartConsole.

In Smart-1 Cloud, by default, your Management Environment has Internet connectivity.

This is the recommended configuration that results in better performance.

Smart-1 Cloud Licensing

The Management License

In Smart-1 Cloud, the service handles the management licenses and their enforcement.

Therefore, unlike the licenses for the on-premises Management Server, there is no need to apply or monitor the management licenses.

The service applies default licenses on the Management Server with the maximum capabilities.

However, your service and capability entitlements are a direct reflection of your Smart-1 Cloud licenses.

Smart-1 Cloud License

A new Smart-1 Cloud account has a 30-day trial period by default in which you can connect Security Gateways and examine the service.

If you want to continue to use the service after the trial period ends, contact Check Point Sales to purchase a license.

All Smart-1 Cloud functionality is available by default for trial accounts, but it does not include:

  • Compliance

  • Updates and upgrades to the latest version

  • Export of logs to a SIEM vendor

Note - Licenses in Smart-1 Cloud are additive. Make sure to allocate all licenses to the Check Point User Center account linked with the Infinity Portal account.

Activating a license

  1. In Smart-1 Cloud, go to Global Settings > Contracts.

  2. From the top-right, click Associated Accounts.

    The Managed Accounts window opens.

  3. Click Attach Account.

    The Attach Account window opens.

  4. Enter the User Center credentials > click Next.

  5. Select the license to apply > click Finish.

    Your license is shown in the Contracts page.

Notes:

  • If you already have a related account and want to add one more license, go to Global Settings > Contracts > Associated Accounts and use the sync option to update the license.

    The license status in Smart-1 Cloud then shows: Active.

  • It can take up to 24 hours for the license status to update to Active in Smart-1 Cloud.

    In the 'Trial' status there are no limitations to start and use the service.

    If the status continues to show Trial, contact maas@checkpoint.com.

Smart-1 Cloud Administrator Roles

To add a new user to Smart-1 Cloud, refer to the Users section in Infinity Portal Administration Guide.

Smart-1 Cloud Roles are equivalent to SmartConsole permission profiles:

| Smart-1 Cloud Role | SmartConsole Permission Profile | Description |
|---|---|---|
| Admin | Super User | Full Read/Write Permissions including managing administrators and sessions. |
| Submitter Administrator | Smart-1 Cloud Submitter Administrator | SmartConsole Read/Write permissions - Publishing of sessions requires approval. Smart-1 Cloud Portal permission - Read Only permissions. |
| Read-Only | Read Only All | Full Read Permissions, no write. |

Notes:

  • Smart-1 Cloud specific service roles are in addition to the global roles and do not override them.

  • Smart-1 Cloud Portal permission is relevant for CONNECT GATEWAYS and SETTINGS tabs.

For more information about user management, refer to the Infinity Portal Administration Guide.