Connecting Gateways and Clusters in Smart-1 Cloud

Connecting on-premises Security Gateway or CloudGuard Network Security Gateway

  1. From the left navigation panel, click Gateways & Servers.

  2. Click the New icon or a button and select Gateway....

    The Check Point Gateway properties window opens.

  3. Fill in the required fields for the Check Point Security Gateway:

    1. Enter name - The name for the Security Gateway.

    2. IP Address

      • Automatic IPv4 address: The Security Gateway's IP address is set to an internal IP address used for cloud communication over an outbound tunnel.

      • Custom IPv4 address: Configure a static IP address if it is not an SD-WAN Gateway.

      You can configure the Security Gateway object in Smart-1 Cloud with a static IP address as the primary IP address (in the same way you configure a Security Gateway from an on-premises Security Management Server).

      When you configure the Security Gateway object with a Tunnel IP address, management traffic, control connections, and Smart-1 Cloud tenant communications use this main static IP address through the maas_tunnel interface.

      Note - We recommend using a static IP address when available, unless configuring an SD-WAN Gateway.

      This simplifies configuration for features such as UserCheck, NAT rules, and VPN configuration.

  4. In the Device section, click Connect.

    The Connect Device window opens.

  5. In the Security Gateway section, select Appliance/Open Server.

  6. Connect to the CLI on the Security Gateway. In Clish, run the provided command to set the authentication token. The initial connection status is Pending connection. After the Security Gateway connects to Smart-1 Cloud, the status changes to Connected.

  7. To establish Secure Internal Communication (SIC) between the Security Gateway and Smart-1 Cloud, enter the one-time password you set on the Security Gateway.

  8. Click Next and wait until the Security Gateway connection process finishes. Then close the Connect Device window.

  9. Click OK.

To connect an existing Security Gateway to Smart-1 Cloud:

  1. After migration is complete, click Connect Gateways.

  2. Go to Gateways & Servers, select the gateway you want to connect, and click Edit. The Check Point Gateway properties window opens.

  3. In the Device section, click Connect.

  4. In the Connect Device wizard window that opens, under Security Gateway, select Appliance/Open server.

  5. Follow instructions in the wizard for Connecting your Gateway:

    1. Open the CLI on the Security Gateway.

    2. In Clish, run the command shown in the wizard to set the authentication token.

      The gateway status initially shows Pending connection. When the gateway connects successfully to Smart-1 Cloud, the status changes to Connected.

    3. Click Next.

  6. Publish the changes.

If you have an existing Security Gateway object configured with a Tunnel IP address, follow these steps to change it to a static IP address:

  1. Edit the Security Gateway object in SmartConsole:

    1. Open Web SmartConsole or Streamed SmartConsole.

    2. Change the IP address in the Security Gateway object properties to a static IP address.

    3. Click OK.

    4. To test SIC communication, open the Security Gateway object again and click Test Communication in the Options menu.

Important - To regenerate the token, follow these steps:

  1. Double-click the Security Gateway which connection token you need to reset.

  2. Click Options > Reset communication.

  3. Select Reset the connection token.

  4. Click Yes.

Connecting a Cluster

  1. From the left navigation panel, click Gateways & Servers.

  2. Click the New icon or a button and select Cluster....

    The Check Point Cluster window opens.

    Note - Web SmartConsole supports configuration of a Security Gateway/Cluster object for Gaia OS versions R80.10 and higher.

  3. Fill in the required fields:

    • Enter Name: The Cluster name.

    • IP address: The Cluster VIP IP address.

  4. Click Add... next to Member ID 1.

    The Check Point Cluster Member window opens.

    1. Enter the name and IP address of Member ID 1.

      Notes:

      • Automatic IPv4 address: The Security Gateway's IP address is set to an internal IP address used for cloud communication over an outbound tunnel.

      • Custom IPv4 address: Configure a static IP address if it is not an SD-WAN Gateway.

    2. Click Connect in the Secure Internal Communication section.

      The Connect Device window opens.

    3. In the Security Gateway section, select the Cluster Gateway type.

    4. Follow the on-screen instructions to connect the Cluster member to the Smart-1 Cloud management.

    5. When the Connection Status changes to Connected, click Next.

    6. To establish Secure Internal Communication (SIC) between the Cluster member and Smart-1 Cloud, enter the one-time password you set on the Cluster member.

    7. Click Next and wait until the Cluster member connection process finishes. Then close the Connect Device window.

  5. Click Add... next to Member ID 2.

    Follow steps 4.a-4.g again for this member.

  6. Navigate to the Network Management tab.

  7. Click Get Interfaces > Get Interfaces With Topology.

  8. Click the MaaS Tunnel interface, and in General > Network Type section, select Private.

  9. On the same MaaS Tunnel settings page, in Advanced > Monitoring section, make sure the Monitored Interface checkbox is cleared.

  10. Finalize the topology definitions for the cluster.

  11. Install the policy.

  1. From the left navigation panel, click Gateways & Servers.

  2. Click the New icon or a button and select Cluster....

    The Check Point Cluster window opens.

    Note - Web SmartConsole supports configuration of a Security Gateway/Cluster object for Gaia OS versions R80.10 and higher.

  3. Fill in the required fields:

    • Enter Name: The Cluster name.

    • IP address: The Cluster VIP IP address.

  4. Click Add... next to Member ID 1.

    The Check Point Cluster Member window opens.

    1. Enter the name and IP address of Member ID 1.

      Note:

      • Automatic IPv4 address: The Security Gateway's IP address is set to an internal IP address used for cloud communication over an outbound tunnel.

      • Custom IPv4 address: Configure a static IP address if it is not an SD-WAN Gateway.

    2. Click Connect below the Secure Internal Communication.

      The Connect Device window opens.

    3. Select Appliance/Open Server in the Cluster Gateway type.

    4. Copy the Token from the Connect Device screen.

  5. Click Add... next to Member ID 2.

    Follow steps 4.a-4.d again for this member.

  6. In the Security Cluster deployment template:

    1. Paste the Tokens you copied from the Smart-1 Cloud portal for each member into the appropriate fields.

    2. Fill in all remaining fields in the template and start the deployment.

    3. When the CloudGuard Network Security Gateway deployment completes:

      1. A tunnel is established between the Security Gateway and the Smart-1 Cloud.

      2. The status of the Security Gateway changes to Pending trust (SIC) establishment.

  7. In SmartConsole or Streamed SmartConsole:

    Follow the administration guide specific to your deployed solution to configure the Cluster object and Cluster members in SmartConsole.

    Notes:

    • When you enter the Cluster Virtual IP address, do not use IP addresses from these subnets:

      • 100.64.x.x

      • 100.70.x.x

      • 100.71.x.x

      • 100.100.x.x

      • 100.101.x.x

    • When you add cluster members to the cluster object, use the existing members created in step 1.

This step is required after the cluster's migration to Smart-1 Cloud. For more information, see Migrate.

  1. After migration is complete, click Connect Gateways.

  2. Go to Gateways & Servers, select the gateway you want to connect, and click Edit.

  3. In the Device section, click Connect.

  4. In the Connect Device wizard window that opens, under Security Gateway, select Appliance/Open server.

  5. Follow instructions in the wizard for Connecting your Gateway:

    1. Open the CLI on the Security Gateway.

    2. In Clish, run the command shown in the wizard to set the authentication token.

      The gateway status initially shows Pending connection. When the gateway connects successfully to Smart-1 Cloud, the status changes to Connected.

    3. Click Next.

  6. Publish the changes.

Onboarding a new Quantum appliance using Zero Touch deployment

Follow these steps to deploy a new appliance in Zero Touch mode and configure it as a Security Gateway or Cluster Member.

  1. Remove your new appliance from the shipping carton, connect the power cable, and turn on the appliance.

  2. Wait for the light on one of the network interface ports to start blinking, then:

    • If you have a DHCP server:

      Connect the network cable to the blinking interface port.

      Make sure this connection leads to the environment with a working DHCP server.

    • If you do not have a DHCP server:

      Configure an interface with the appropriate networking settings:

      1. Connect to the command line on the appliance.

      2. In Expert mode, disable Zero Touch DHCP:

        /opt/CPzetc/bin/zetc_setlaunch 0

      3. In Gaia Clish, configure the IP address:

        set interface <Name of Interface> on

        set interface <Name of Interface> ipv4-address <IPv4 Address> mask-length <Subnet Mask Length>

      4. In Gaia Clish, configure the default route:

        set static-route default nexthop gateway address 192.168.1.254 off

        set static-route default nexthop gateway address <IPv4 Address> on

      5. In Gaia Clish, configure DNS servers:

        set dns primary <IPv4 Address>

        set dns secondary <IPv4 Address>

        set dns tertiary <IPv4 Address>

      6. In Gaia Clish, save the configuration:

        save config

      7. Plug the network cable into the configured interface port.

  3. Go to the Connect Gateways page in the Smart-1 Cloud portal.

  4. Wait for your appliance to appear (this typically takes 2-3 minutes).

    Note - If your appliance does not appear, check the Service and Contract page.

  5. Click on your appliance's card, enter the required information, and click OK.

    To replace an existing Security Gateway, click the arrow next to the Configure Device button.

  6. Follow the on-screen instructions in the portal.

  7. After the card status changes to Registration completed, you can configure your new Security Gateway in SmartConsole.

Connecting a Quantum Spark Appliance

To connect Quantum Spark appliance to Smart-1 Cloud, follow these steps:

  1. From the left navigation panel, click Gateways & Servers.

  2. Click the New icon or a button and select Gateway... or Cluster....

    The Check Point Gateway properties window opens.

  3. Fill in the required fields for the Check Point Security Gateway:

    1. Enter name - The name for the Security Gateway.

    2. IP Address

      • Automatic IPv4 address: The Security Gateway's IP address is set to an internal IP address used for cloud communication over an outbound tunnel.

      • Custom IPv4 address: Configure a static IP address if it is not an SD-WAN Gateway.

      You can configure the Security Gateway object in Smart-1 Cloud with a static IP address as the primary IP address (in the same way you configure a Security Gateway from an on-premises Security Management Server).

      When you configure the Security Gateway object with a Tunnel IP address, management traffic, control connections, and Smart-1 Cloud tenant communications use this main static IP address through the maas_tunnel interface.

      Note - We recommend assigning a static IP address when possible, except when configuring an SD-WAN Gateway.

      This simplifies configuration for features such as UserCheck, NAT rules, and VPN configuration.

  4. Click Connect in the Device field.

    The Connect Device window opens.

  5. In the Security Gateway section, select Quantum Spark.

  6. In the Connection preference section, select "Prepare the object now, connect the Security Gateway later". Click Next.

  7. To establish trust between the Security Gateway and Smart-1 Cloud, configure the one-time password and enter it later on the Security Gateway. Click Next

  8. Copy the authentication token to paste it later in the Security Management Server setup. Then close the Connect Device window.

  9. Click OK.

  10. Connect to the Quantum Spark WebUI, navigate to the Security Management tab, and click Setup.

  11. Select the Use Security Management service checkbox and click Next.

  12. Click Use the Infinity Portal to generate a new authentication token and paste the token. Click Connect.

  13. Wait for the status to change to Connected successfully to the Security Management Server, then click Next.

  14. Set the one-time password and click Next:

    Important - Do not select the Initiate trusted communication without authentication option. Connecting an SMB device to Smart-1 Cloud without using the SIC password is not supported.

  15. Check Connect to the Security Management Server now and click Connect.

    Note - This message appears:

    Security Policy Installation: Trust is established with the Security Management Server. However, unable to fetch the Security Policy from the Management Server

    After the trust is established, you can continue with the process.

  16. Click Finish.

  17. Connect to the Smart-1 Cloud WebUI.

  18. In Gateways & Servers, double-click the Quantum Spark device that was configured earlier. The device properties window opens.

  19. Under Network Management, select General.

  20. In the Interfaces menu, select Get Interfaces with Topology.

  21. Once it is done, publish the changes and install the policy.

To connect a Quantum Spark Cluster appliance to Smart-1 Cloud, follow these steps:

1. Open Web SmartConsole.

2. From the left navigation panel, click Gateways & Servers.

3. Click the New icon and select Cluster....

4. The Check Point Cluster window opens.

Note - The Web SmartConsole supports configuration of Security Gateway/Cluster objects on Gaia OS versions R80.10 and higher.

  1. Enter these details:

    1. Name: Cluster name.

    2. IP Address: Cluster Virtual IP (VIP) address.

  2. Click Add... next to Member ID 1.

  1. In the Check Point Cluster Member window, enter the name and IP address of Member ID 1.

    Notes:

    • Automatic IPv4 address: The Security Gateway's IP address is set to an internal IP address used for cloud communication over an outbound tunnel.

    • Custom IPv4 address: Configure a static IP address if it is not an SD-WAN Gateway.

  2. Click Connect in the Secure Internal Communication section.

    The Connect Device window opens.

  3. In the Security Gateway section, select Quantum Spark.

  4. Save the Security Management Token displayed for the next step.

  1. On Quantum Spark WebUI (Member 1):

    1. Navigate to the Security Management tab.

    2. Click Setup.

  2. Select Use Security Management Services.

  3. Paste the token you saved in Step 3 and click Connect.

  4. Wait for the message of a successful connection and click Next.

  5. Set a one-time password and click Next.

  6. Select Connect to the Security Management Server Later and click Finish.

  7. Back in Web SmartConsole:

    1. Confirm that connection status is Connected.

    2. Click Next and then OK.

  1. Click Add... next to Member ID 2.

  2. In the Check Point Cluster Member window, enter the name and IP address of Member 2.

    Notes:

    • Automatic IPv4 address: The Security Gateway's IP address is set to an internal IP address used for cloud communication over an outbound tunnel.

    • Custom IPv4 address: Configure a static IP address if it is not an SD-WAN Gateway.

  3. Under Secure Internal Communication, click Connect.

  4. In the Connect Device window:

    1. Under Security Gateway, select Quantum Spark.

    2. Save the token shown.

  1. On Quantum Spark WebUI (Member 2):

    1. Navigate to the Security Management tab.

    2. Click Setup.

  2. Select Use Security Management Services.

  3. Paste the token you saved in Step 5 and click Connect.

  4. Wait for the message of a successful connection and click Next.

  5. Set a one-time password as for Member 1 and click Next.

  6. Select Connect to the Security Management Server Later and click Finish.

  7. In Web SmartConsole, verify that connection status is Connected.

  8. Click Next and then OK.

  1. Open SmartConsole (desktop version).

  2. Open the Cluster Object created earlier.

  3. Under Cluster Members:

    1. Select Member 1, click Communication, and enter the one-time password set earlier in Step 4.

    2. Repeat for Member 2.

  4. Go to the Topology section:

    1. Click Edit Topology.

    2. Click GET to fetch all interfaces and topology for both members.

  5. Define the first Sync interface, then click OK.

  6. Publish the changes.

Connecting an SMB Cluster

To connect an existing SMB Cluster to Smart-1 Cloud after its migration, follow these steps:

  1. In Smart-1 Cloud, go to Gateways & Servers, select the cluster you want to connect, and click Edit.

  2. The Check Point Cluster window opens with the existing cluster configuration.

  3. In the Device section, edit the existing cluster members.

  1. From the Options menu, select the member name and click Edit Member.

  2. In the Check Point Cluster Member window, in the Secure Internal Communication section, click Connect.

  3. In the Connect Device wizard window that opens, under Security Gateway, select Quantum Spark.

  4. Copy the token and save it separately.

  1. Follow the on-screen instructions to configure the Quantum Spark Gateway.

  1. Connect to your Quantum Spark Appliance WebUI.

  2. Open Home > Security Management page.

  3. Under Security Management Server, click Advanced and then click Reinitialize Trusted Communication. A warning message appears.

  4. Click Yes.

  5. Click Setup. The Security Management Server Configuration Wizard opens.

  6. Select Use Security Management Service and then click Next.

  7. Below Authentication Token, paste the token you saved in Step 2-4 and click Connect.

  8. When the status changes to Connected, click Next.

  9. Create a one-time password (SIC):

    1. Select Initiate trusted communication by using a one-time password.

    2. Enter the password.

    3. Confirm the password.

    4. Click Next.

  10. Select Connect to the Security Management Server later and click Finish.

  1. Get back to the Connect Device wizard in Smart-1 Cloud and wait until the connection status changes to Connected.

  2. Click Next

  3. Read the message and click Close.

  4. In the Check Point Cluster Member window, click OK.

The preliminary configuration of the Member 1 is completed.

  1. Repeat steps 2, 3, and 4 for Member 2 - Edit Member, Configure Quantum Spark Gateway, and Connect Member.

  2. Make sure the preliminary configuration of the Member 2 is completed the same way as for Member 1.

  1. Open Web SmartConsole.

  2. Edit the SMB Cluster created earlier.

  3. In the Gateway Cluster Properties window, select Cluster Members:

    1. Select Member 1, click Edit and click then Communication. The Communication window opens with password details disabled.

    2. Click Reset and then Yes to confirm.

    3. Enter the one-time password set earlier for Member 1.

    4. Click Initialize.

    5. When Trust state changes to Trust established, click Close.

  4. Repeat the previous step for Member 2.

  5. Go to the Topology section:

    1. Click Edit Topology.

    2. Click GET and select All Members' Interfaces with Topology to fetch all interfaces and topology for both members.

    3. Click Yes to confirm.

  6. Make sure both interfaces are synchronized and click OK.

  7. Publish and install the policy to complete the setup.

To verify the results, make sure the connection is established on your Quantum Spark Appliance.

  1. In your Quantum Spark Appliance WebUI, open Home > Security Management page.

  2. Under Security Policy, click Fetch Policy.

  3. A confirmation message appears when the application fetches the policy.

Connecting a Maestro Security Group

Important - This procedure supports only Maestro Security Groups that run R81.10 and higher versions.

  • Smart-1 Cloud does not support Maestro Security Groups in the VSX mode.

  • The SMO Image Cloning is not supported if the Security Group R81.10 and higher contains different appliance models.

  • DAIP is not supported.

  • Automatic IP not supported with Maestro Security Group.

  1. On the Maestro Orchestrator, configure the required Security Group - in Gaia Portal or Gaia Clish.

    See the Quantum Maestro Getting Started Guide and the Maestro Administration Guide for your version.

    Important - Write down the IP address of the Security Group. You must configure it later in Smart-1 Cloud.

  2. Install the required Hotfixes on the Security Group: For details, refer to sk181495.

  3. Connect to the Smart-1 Cloud Portal.

    See Getting Started with Smart-1 Cloud.

  4. Add the Security Group as a new Security Gateway object:

    From the left navigation panel, click Gateways & Servers.

  5. Click the New icon and select Gateway.

    The Check Point Gateway properties window opens.

  6. Fill in the required fields for the Check Point Security Gateway:

    1. Enter name - The name for the Security Gateway.

    2. IP Address - In the IP address field, enter the IP address of the Security Group as you configured it on the Maestro Orchestrator (this is the IP address assigned to the Mgmt interface of the Security Group).

  7. Click Connect in the Device field.

    The Connect Device window opens.

  8. In the Security Gateway type drop-down, select Appliance/Open Server.

    1. Follow the on-screen instructions to connect your Security Group. The connection status is Pending connection, and when the Security Group connects to Smart-1 Cloud, the status change to Connected.

  9. Click Next to close the Connect Device window.

  10. Click OK.

  • Before you add a new Security Group Member to the Security Group that is connected to Smart-1 Cloud (while the "maas_tunnel" is active and working), you must install the required Hotfixes on that Security Group Member.

  • To examine the status of the Smart-1 Cloud connection on all Security Group Members:

    • In Gaia gClish:

      1. Connect to the command line on the Security Group.

      2. If your default shell is the Expert mode, go to Gaia gClish:

        gclish

      3. Run:

        show security-gateway cloud-mgmt-service

    • In the Expert mode:

      1. Connect to the command line on the Security Group.

      2. If your default shell is Gaia gClish, go to the Expert mode:

        expert

      3. Run:

        maas status

  • To disable the Smart-1 Cloud connection on the Security Group:

    • In Gaia gClish:

      1. Connect to the command line on the Security Group.

      2. If your default shell is the Expert mode, go to Gaia gClish:

        gclish

      3. Run:

        set security-gateway cloud-mgmt-service off

    • In the Expert mode:

      1. Connect to the command line on the Security Group.

      2. If your default shell is Gaia gClish, go to the Expert mode:

        expert

      3. Run:

        maas off

  • To enable the Smart-1 Cloud connection on the Security Group again:

    • In Gaia gClish:

      1. Connect to the command line on the Security Group.

      2. If your default shell is the Expert mode, go to Gaia gClish:

        gclish

      3. Run:

        set security-gateway cloud-mgmt-service on

    • In the Expert mode:

      1. Connect to the command line on the Security Group.

      2. If your default shell is Gaia gClish, go to the Expert mode:

        expert

      3. Run:

        maas on