Connecting Gateways and Clusters

Connecting on-premises Security Gateway or CloudGuard Network Security Gateway

  1. From the left navigation panel, click Gateways & Servers.

  2. Click the New icon or a button and select Gateway....

    The Check Point Gateway properties window opens.

  3. Fill in the required fields for the Check Point Security Gateway:

    1. Enter name - The name for the Security Gateway.

    2. IP Address

      • Automatic IPv4 address: The Security Gateway's IP address is set to an internal IP address used for cloud communication over an outbound tunnel.

      • Custom IPv4 address: Configure a static IP address if it is not an SD-WAN Gateway.

      You can configure the Security Gateway object in Smart-1 Cloud with a static IP address as the primary IP address (in the same way you configure a Security Gateway from an on-premises Security Management Server).

      When you configure the Security Gateway object with a Tunnel IP address, management traffic, control connections, and Smart-1 Cloud tenant communications use this main static IP address through the maas_tunnel interface.

      Note - We recommend using a static IP address when available, unless configuring an SD-WAN Gateway.

      This simplifies configuration for features such as UserCheck, NAT rules, and VPN configuration.

  4. In the Device section, click Connect.

    The Connect Device window opens.

  5. In the Security Gateway section, select Appliance/Open Server.

  6. Connect to the CLI on the Security Gateway. In Clish, run the provided command to set the authentication token. The initial connection status is Pending connection. After the Security Gateway connects to Smart-1 Cloud, the status changes to Connected.

  7. To establish Secure Internal Communication (SIC) between the Security Gateway and Smart-1 Cloud, enter the one-time password you set on the Security Gateway.

  8. Click Next and wait until the Security Gateway connection process finishes. Then close the Connect Device window.

  9. Click OK.

If you have an existing Security Gateway object configured with a Tunnel IP address, follow these steps to change it to a static IP address:

  1. Edit the Security Gateway object in SmartConsole:

    1. Open SmartConsole or Streamed SmartConsole.

    2. Change the IP address in the Security Gateway object properties to a static IP address.

    3. Click OK.

    4. Open the Security Gateway object again and click Test SIC Status to test SIC communication.

  2. Click Register.

    This creates a new Security Gateway object in Smart-1 Cloud with the name you entered.

  3. Click Connect Gateway.

    • For an on-premises Security Gateway, follow the on-screen instructions to complete the connection.

      Note - Connecting a new Security Gateway involves two steps:

      1. Connect the Security Gateway to the service by performing the required steps on the Security Gateway as instructed. When completed, the status in the portal shows Pending SIC.

      2. Connect the Security Management Server to the Security Gateway by logging into SmartConsole and establishing SIC between the Security Management Server and Security Gateway. When complete, the portal shows Registration complete.

    • For a CloudGuard Network Security Gateway:

      1. Copy the Token from the Connect Gateway screen.

      2. In the Security Gateway deployment template:

        1. Paste the Token into the appropriate field.

        2. Complete all other required fields and start the deployment.

        3. When Security Gateway deployment completes:

          1. A tunnel is established between the Security Gateway and Smart-1 Cloud.

          2. The Security Gateway status changes to Pending trust (SIC) establishment.

      3. Connect to SmartConsole, open the new Security Gateway object, initialize SIC, and publish the session.

        Note - Connecting CloudGuard Security Gateway is supported across all major public cloud providers (AWS, Azure, GCP).

Connecting a Cluster

  1. From the left navigation panel, click Gateways & Servers.

  2. Click the New icon or a button and select Cluster....

    The Check Point Cluster window opens.

    Note - Web SmartConsole supports configuration of a Security Gateway/Cluster object for Gaia OS versions R80.10 and higher.

  3. Fill in the required fields:

    • Enter Name: The Cluster name.

    • IP address: The Cluster VIP IP address.

  4. Click Add... next to Member ID 1.

    The Check Point Cluster Member window opens.

    1. Enter the name and IP address of Member ID 1.

      Notes:

      • Automatic IPv4 address: The Security Gateway's IP address is set to an internal IP address used for cloud communication over an outbound tunnel.

      • Custom IPv4 address: Configure a static IP address if it is not an SD-WAN Gateway.

    2. Click Connectin the Secure Internal Communication section.

      The Connect Device window opens.

    3. In the Security Gateway section, select the Cluster Gateway type.

    4. Follow the on-screen instructions to connect the Cluster member to the Smart-1 Cloud management.

    5. When the Connection Status changes to Connected, click Next.

    6. To establish Secure Internal Communication (SIC) between the Cluster member and Smart-1 Cloud, enter the one-time password you set on the Cluster member.

    7. Click Next and wait until the Cluster member connection process finishes. Then close the Connect Device window.

  5. Click Add... next to Member ID 2.

    Follow steps 4.a-4.g again for this member.

  6. Navigate to the Network Management tab.

  7. Click Get Interfaces > Get Interfaces With Topology.

  8. Click the MaaS Tunnel interface, and in General > Network Type section, select Private.

  9. On the same MaaS Tunnel settings page, in Advanced > Monitoring section, make sure the Monitored Interface checkbox is cleared.

  10. Finalize the topology definitions for the cluster.

  11. Install the policy.

  1. From the left navigation panel, click Gateways & Servers.

  2. Click the New icon or a button and select Cluster....

    The Check Point Cluster window opens.

    Note - Web SmartConsole supports configuration of a Security Gateway/Cluster object for Gaia OS versions R80.10 and higher.

  3. Fill in the required fields:

    • Enter Name: The Cluster name.

    • IP address: The Cluster VIP IP address.

  4. Click Add... next to Member ID 1.

    The Check Point Cluster Member window opens.

    1. Enter the name and IP address of Member ID 1.

      Note:

      • Automatic IPv4 address: The Security Gateway's IP address is set to an internal IP address used for cloud communication over an outbound tunnel.

      • Custom IPv4 address: Configure a static IP address if it is not an SD-WAN Gateway.

    2. Click Connect below the Secure Internal Communication.

      The Connect Device window opens.

    3. Select Appliance/Open Server in the Cluster Gateway type.

    4. Copy the Token from the Connect Device screen.

  5. Click Add... next to Member ID 2.

    Follow steps 4.a-4.d again for this member.

  6. In the Security Cluster deployment template:

    1. Paste the Tokens you copied from the Smart-1 Cloud portal for each member into the appropriate fields.

    2. Fill in all remaining fields in the template and start the deployment.

    3. When the CloudGuard Network Security Gateway deployment completes:

      1. A tunnel is established between the Security Gateway and the Smart-1 Cloud.

      2. The status of the Security Gateway changes to Pending trust (SIC) establishment.

  7. In SmartConsole or Streamed SmartConsole:

    Follow the administration guide specific to your deployed solution to configure the Cluster object and Cluster members in SmartConsole.

    Notes:

    • When you enter the Cluster Virtual IP address, do not use IP addresses from these subnets:

      • 100.64.x.x

      • 100.70.x.x

      • 100.71.x.x

      • 100.100.x.x

      • 100.101.x.x

    • When you add cluster members to the cluster object, use the existing members created in step 1.

Onboarding a new Quantum appliance using Zero Touch deployment

Follow these steps to deploy a new appliance in Zero Touch mode and configure it as a Security Gateway or Cluster Member.

  1. Remove your new appliance from the shipping carton, connect the power cable, and turn on the appliance.

  2. Wait for the light on one of the network interface ports to start blinking, then:

    • If you have a DHCP server:

      Connect the network cable to the blinking interface port.

      Make sure this connection leads to the environment with a working DHCP server.

    • If you do not have a DHCP server:

      Configure an interface with the appropriate networking settings:

      1. Connect to the command line on the appliance.

      2. In Expert mode, disable Zero Touch DHCP:

        /opt/CPzetc/bin/zetc_setlaunch 0

      3. In Gaia Clish, configure the IP address:

        set interface <Name of Interface> on

        set interface <Name of Interface> ipv4-address <IPv4 Address> mask-length <Subnet Mask Length>

      4. In Gaia Clish, configure the default route:

        set static-route default nexthop gateway address 192.168.1.254 off

        set static-route default nexthop gateway address <IPv4 Address> on

      5. In Gaia Clish, configure DNS servers:

        set dns primary <IPv4 Address>

        set dns secondary <IPv4 Address>

        set dns tertiary <IPv4 Address>

      6. In Gaia Clish, save the configuration:

        save config

      7. Plug the network cable into the configured interface port.

  3. Go to the Connect Gateways page in the Smart-1 Cloud portal.

  4. Wait for your appliance to appear (this typically takes 2-3 minutes).

    Note - If your appliance does not appear, check the Service and Contract page.

  5. Click on your appliance's card, enter the required information, and click OK.

    To replace an existing Security Gateway, click the arrow next to the Configure Device button.

  6. Follow the on-screen instructions in the portal.

  7. After the card status changes to Registration completed, you can configure your new Security Gateway in SmartConsole.

Connecting a Quantum Spark Appliance

To connect Quantum Spark appliance to Smart-1 Cloud, follow these steps:

  1. From the left navigation panel, click Gateways & Servers.

  2. Click the New icon or a button and select Gateway... or Cluster....

    The Check Point Gateway properties window opens.

  3. Fill in the required fields for the Check Point Security Gateway:

    1. Enter name - The name for the Security Gateway.

    2. IP Address

      • Automatic IPv4 address: The Security Gateway's IP address is set to an internal IP address used for cloud communication over an outbound tunnel.

      • Custom IPv4 address: Configure a static IP address if it is not an SD-WAN Gateway.

      You can configure the Security Gateway object in Smart-1 Cloud with a static IP address as the primary IP address (in the same way you configure a Security Gateway from an on-premises Security Management Server).

      When you configure the Security Gateway object with a Tunnel IP address, management traffic, control connections, and Smart-1 Cloud tenant communications use this main static IP address through the maas_tunnel interface.

      Note - We recommend using a static IP address when available, unless configuring an SD-WAN Gateway.

      This simplifies configuration for features such as UserCheck, NAT rules, and VPN configuration.

  4. Click Connect in the Device field.

    The Connect Device window opens.

  5. In the Security Gateway section, select Quantum Spark.

  6. In the Connection preference section, select "Prepare the object now, connect the Security Gateway later". Click Next.

  7. To establish trust between the Security Gateway and Smart-1 Cloud, configure the one-time password and enter it later on the Security Gateway. Click Next

  8. Copy the authentication token to paste it later in the Security Management Server setup. Then close the Connect Device window.

  9. Click OK.

  10. Connect to the Quantum Spark WebUI, navigate to the Security Management tab, and click Setup.

  11. Select the Use Security Management service checkbox and click Next.

  12. Click Use the Infinity Portal to generate a new authentication token and paste the token. Click Connect

  13. Wait for the status to change to Connected successfully to the Security Management Server, then click Next.

  14. Set the one-time password and click Next:

  15. Check Connect to the Security Management Server Later and click Finish.

  16. Connect to the Smart-1 Cloud WebUI.

  17. In Gateways & Servers, double-click the Quantum Spark device that was configured earlier. The device properties window opens.

  18. Under Network Management, select General.

  19. In the Interfaces menu, select Get Interfaces with Topology.

  20. Once it is done, publish the changes and install the policy.

Connecting a Maestro Security Group

Important - This procedure supports only Maestro Security Groups that run R81.10 and higher versions.

  • Smart-1 Cloud does not support Maestro Security Groups in the VSX mode.

  • The SMO Image Cloning is not supported if the Security Group R81.10 and higher contains different appliance models.

  • DAIP is not supported.

  • Automatic IP not supported with Maestro Security Group.

  1. On the Maestro Orchestrator, configure the required Security Group - in Gaia Portal or Gaia Clish.

    See the Quantum Maestro Getting Started Guide and the Maestro Administration Guide for your version.

    Important - Write down the IP address of the Security Group. You must configure it later in Smart-1 Cloud.

  2. Install the required Hotfixes on the Security Group: For details, refer to sk181495.

  3. Connect to the Smart-1 Cloud Portal.

    See Getting Started with Smart-1 Cloud.

  4. Add the Security Group as a new Security Gateway object:

    From the left navigation panel, click Gateways & Servers.

  5. Click the New icon and select Gateway.

    The Check Point Gateway properties window opens.

  6. Fill in the required fields for the Check Point Security Gateway:

    1. Enter name - The name for the Security Gateway.

    2. IP Address - In the IP address field, enter the IP address of the Security Group as you configured it on the Maestro Orchestrator (this is the IP address assigned to the Mgmt interface of the Security Group).

  7. Click Connect in the Device field.

    The Connect Device window opens.

  8. In the Security Gateway type drop-down, select Appliance/Open Server.

    1. Follow the on-screen instructions to connect your Security Group. The connection status is Pending connection, and when the Security Group connects to Smart-1 Cloud, the status change to Connected.

  9. Click Next to close the Connect Device window.

  10. Click OK.

  • Before you add a newSecurity Group Member to the Security Group that is connected to Smart-1 Cloud (while the "maas_tunnel" is active and working), you must install the required Hotfixes on that Security Group Member.

  • To examine the status of the Smart-1 Cloud connection on all Security Group Members:

    • In Gaia gClish:

      1. Connect to the command line on the Security Group.

      2. If your default shell is the Expert mode, go to Gaia gClish:

        gclish

      3. Run:

        show security-gateway cloud-mgmt-service

    • In the Expert mode:

      1. Connect to the command line on the Security Group.

      2. If your default shell is Gaia gClish, go to the Expert mode:

        expert

      3. Run:

        maas status

  • To disable the Smart-1 Cloud connection on the Security Group:

    • In Gaia gClish:

      1. Connect to the command line on the Security Group.

      2. If your default shell is the Expert mode, go to Gaia gClish:

        gclish

      3. Run:

        set security-gateway cloud-mgmt-service off

    • In the Expert mode:

      1. Connect to the command line on the Security Group.

      2. If your default shell is Gaia gClish, go to the Expert mode:

        expert

      3. Run:

        maas off

  • To enable the Smart-1 Cloud connection on the Security Group again:

    • In Gaia gClish:

      1. Connect to the command line on the Security Group.

      2. If your default shell is the Expert mode, go to Gaia gClish:

        gclish

      3. Run:

        set security-gateway cloud-mgmt-service on

    • In the Expert mode:

      1. Connect to the command line on the Security Group.

      2. If your default shell is Gaia gClish, go to the Expert mode:

        expert

      3. Run:

        maas on