Best Practices for Smart-1 Cloud

Management APIs

You can use command-line tools and web services to read information and send commands to the Check Point Management Server. These tools let you perform the same tasks you would typically do in SmartConsole - such as creating objects, configuring Security Policy, and managing settings through the SmartConsole GUI.

Before you start, create an administrator account in SmartConsole, assign the required permission profile, and make sure it includes API permissions.

  • For this, open the Permission Profile, navigate to Management, and make sure Management API Login is enabled.

Two ways to connect with the management APIs in Smart-1 Cloud:

  1. Enter API commands with the "mgmt_cli" executable (available in Windows, Linux/Gaia).

  2. Send API commands on an HTTPS connection with web services.

Use the "mgmt_cli" tool with:

  • Gaia: The mgmt_cli tool is installed as part of Gaia on all Security Gateways R80.10 and higher, and you can use it in scripts running in the Expert mode.

  • Windows: The mgmt_cli.exe tool is installed as part of the SmartConsole installation, usually in C:\Program Files (x86)\CheckPoint\SmartConsole\R8x.x\PROGRAM\. You can copy and run it on a Windows computer.

For a full list of the mgmt_cli options, run "mgmt_cli". For more information about the mgmt_cli tool, see the Check Point Management API Reference.

Example:

The CLI requests the username and password.

mgmt_cli -m <Service_identifier>.maas.checkpoint.com --context <Connection Token>/web_api add host name host1 ip-address 192.0.2.101
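The second connection method, HTTPS web services, needs the session handling that mgmt_cli does for you. The sketch below is an added example, not Check Point code: it sends the same "add host" request, publishes it, and always logs out, discarding the change on failure. The function names and the fake transport are assumptions made for illustration; the URL layout follows the -m and --context values in the mgmt_cli example above.

```python
import json
import urllib.request

def api_url(service_id, token, command):
    # Same host and context that the mgmt_cli example passes as -m and --context.
    return f"https://{service_id}.maas.checkpoint.com/{token}/web_api/{command}"

def https_post(url, payload, sid=None):
    # Real transport: HTTPS POST, certificate verification left at its default (on).
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid  # session id returned by login
    req = urllib.request.Request(url, json.dumps(payload).encode(), headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def add_host(service_id, token, user, password, name, ip, post=https_post):
    call = lambda cmd, body, sid=None: post(api_url(service_id, token, cmd), body, sid)
    sid = call("login", {"user": user, "password": password})["sid"]
    try:
        host = call("add-host", {"name": name, "ip-address": ip}, sid)
        call("publish", {}, sid)   # changes stay private to the session until published
        return host
    except Exception:
        call("discard", {}, sid)   # drop the unpublished change instead of leaving it pending
        raise
    finally:
        call("logout", {}, sid)    # never leave an authenticated session open

def make_fake_post(log, fail_on=None):
    # Constructed offline stand-in for the server; records (command, sid) pairs.
    def post(url, payload, sid=None):
        cmd = url.rsplit("/", 1)[1]
        log.append((cmd, sid))
        if cmd == fail_on:
            raise RuntimeError(f"{cmd} rejected")
        return {"sid": "constructed-sid", "name": payload.get("name")}
    return post

if __name__ == "__main__":
    log = []
    add_host("svc-id", "token", "api_admin", "secret", "host1", "192.0.2.101",
             post=make_fake_post(log))
    print([cmd for cmd, _ in log])
```

Against a real environment, omit the post argument and read the password with getpass rather than placing it in the script or on the command line.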

Smart-1 Cloud APIs

Automate your Smart-1 Cloud operations with the use of REST APIs to run operations such as creating a new Smart-1 Cloud environment, registering a gateway, or getting the service information.

You can use the Management APIs to view and configure the Security Policy and objects in the Security Management.

For more information, see Check Point Management API Reference.

Streamed SmartConsole

Smart-1 Cloud supplies SmartConsole that runs on a web browser. The Streamed SmartConsole offers the full functionality of the Web SmartConsole, but it runs in a different information system environment.

Note - The Streamed SmartConsole includes a built-in timeout mechanism that ends the session after 15 minutes of inactivity or after two hours of continuous use, whichever occurs first.

How to upload or download files from SmartConsole:

  • Use this top toolbar:

  • You can save the files locally in My files. When it is necessary to upload files, use this toolbar:

  • Upload the files to a temporary folder in My files. Downloaded files are saved here. Use the folder icon on the top toolbar to download files to the local computer.

Note - Streamed SmartConsole is not supported in the United Arab Emirates (UAE). However, the Web SmartConsole and the locally installed SmartConsole are available.

IPS Updates

To fetch IPS Updates in Smart-1 Cloud, it is recommended to configure Smart-1 Cloud to download with Security Management Server and not with SmartConsole.

In Smart-1 Cloud, by default, your Management Environment has Internet connectivity.

This is the recommended configuration that results in better performance.

Automatic Updates

Refer to sk166056 to see the up-to-date list of Smart-1 Cloud Automatic Updates.

Smart-1 Cloud Licensing

Management License

In Smart-1 Cloud, the service manages and enforces licenses. Therefore, unlike the licenses for the on-premises Management Server, there is no need to apply or monitor the management licenses.

The service applies default licenses on the Management Server with the maximum capabilities. However, the services and capabilities you are entitled to are a direct reflection of your Smart-1 Cloud licenses.

Smart-1 Cloud License

A new Smart-1 Cloud account has a 30-day trial period by default, in which you can connect Security Gateways and examine the service.

If you want to continue to use the service after the trial period ends, contact Check Point Sales to purchase a license.

All Smart-1 Cloud functionality is available by default for trial accounts, but it does not include:

  • Compliance

  • Updates and upgrades to the latest version

  • Export of logs to a SIEM vendor

Note - Licenses in Smart-1 Cloud are additive. Make sure to allocate all licenses to the Check Point User Center account linked with the Infinity Portal account.

Activating a license

  1. In Smart-1 Cloud, go to Global Settings > Contracts.

  2. From the top-right, click Associated Accounts.

    The Managed Accounts window opens.

  3. Click Attach Account.

    The Attach Account window opens.

  4. Enter the User Center credentials and click Next.

  5. Select the license to apply and click Finish.

    Your license is shown on the Contracts page.

Notes:

  • If you already have a related account and want to add one more license, go to Global Settings > Contracts > Associated Accounts and use the sync option to update the license.

    In Smart-1 Cloud, the license status shows at this time: Active.

  • It can take up to 24 hours for the license status to update to Active in Smart-1 Cloud.

    In the Trial status, there are no limitations to starting and using the service.

    If the status continues to show Trial, contact maas@checkpoint.com.

Smart-1 Cloud Administrator Roles

To add a new user to Smart-1 Cloud, refer to the Users section in the Infinity Portal Administration Guide.

Smart-1 Cloud Roles are equivalent to SmartConsole permission profiles:

| Smart-1 Cloud Role | SmartConsole Permission Profile | Description |
|---|---|---|
| Admin | Super User | Full Read/Write Permissions including managing administrators and sessions. |
| Submitter Administrator | Smart-1 Cloud Submitter Administrator | SmartConsole Read/Write permissions - Publishing of sessions requires approval. Smart-1 Cloud Portal permission - Read Only permissions. |
| Read-Only | Read Only All | Full Read Permissions, no write. |

Notes:

  • Smart-1 Cloud specific service roles are in addition to the global roles and do not override them.

  • Smart-1 Cloud Portal permission is relevant for CONNECT GATEWAYS and SETTINGS tabs.

  • Custom permission profiles in SmartConsole are always overridden by system profiles pushed by the Infinity Portal.

For more information about user management, refer to the Infinity Portal Administration Guide.