Expected Behavior and Known Limitations

Smart-1 Cloud is a Check Point service that delivers Check Point Security Management as part of Check Point's SaaS solution.

Smart-1 Cloud enables administrators to manage their security policies, network objects, and log analysis from a web browser, similar to on-premises deployments.

In some cases, behavior in the cloud environment differs from the on-premises environment.

Below is a list of expected behavioral changes and current known limitations.

General Management Capabilities

  • Multi-Domain Security Management

    • With Smart-1 Cloud, a customer can have multiple environments on the same Infinity Portal account registered with the same email address. This is the equivalent of managing multiple domains.

    • Switching between the different environments in the portal is easy. This is done by selecting the environment name from the drop-down list at the top of the window.

    • Single Sign-On (SSO) to the environments - The login from the portal to the Streamed SmartConsole uses the portal's credentials and enables SSO.

• Sharing global objects, global policies and global rules between environments is currently not supported.

  • Management Objects

• The Management object in Smart-1 Cloud is read-only and does not appear in the Gateways & Servers view. It is visible, read-only, in the Object Explorer.

• Running actions on the Management object is not required. As part of the service, backups of the environment run automatically every 12 hours.

• SSH access to the Management Server is not available. For actions that require SSH access, contact Check Point Support.

  • Management Login - Supported Methods

  • Two-Factor Authentication

• For login to the Infinity Portal, enable this option in Global Settings.

  • Managing Endpoint

    • Use the new Harmony Endpoint (also available in the Infinity Portal) to manage Endpoint clients.

• Managing HA - Smart-1 Cloud targets 99.9% uptime availability; no additional HA solution is required.

  • Not Supported Features

• Management of VSX Gateways and VSX Clusters.

    • SmartProvisioning.

    • In SmartTasks, the Run Script feature is not supported. (Smart-1 Cloud supports Send Web Request and Send Mail only).

      Important - For information and updates on Smart-1 Cloud external FQDNs and their associated IP addresses, see sk182699.


      Note - To access the on-premises/cloud SMTP server, you must allow inbound traffic from Smart-1 Cloud FQDNs based on your region:

      • Ireland: eu-west-1.allowed-ips.checkpoint.com

• London: eu-west-2.allowed-ips.checkpoint.com

      • N. Virginia: us-east-1.allowed-ips.checkpoint.com

      • Sydney: ap-southeast-2.allowed-ips.checkpoint.com

      • Mumbai: ap-south-1.allowed-ips.checkpoint.com

    • Auto-complete of dynamic entities is not supported (for example, if you enter a source, destination, or service in the query bar, the popup suggestion bar stays empty).

    • Upgrading Quantum Spark Gateways from the CDT (Central Deployment Tool) is not supported.

    • SmartUpdate is not supported.

  • Management APIs that are not supported

    Note - Running these APIs can cause unwanted behavior.

    • run_script on the Management Server object

    • migrate-export-domain

    • put-file

    • SmartTasks

  • CloudGuard Edge

  • CloudGuard Network Auto Scaling Solutions

    • If you use Smart-1 Cloud to manage Auto Scaling groups, you must manage the Security Gateways with their public IPs.

    • To configure Smart-1 Cloud to automatically provision CloudGuard Network Security Gateways, contact Check Point Support with the required autoprov commands to run on the Management Server.

    • To use the "vsec_lic_cli" tool to apply CloudGuard Network licenses, contact Check Point Support.

    • CME Automatic Hotfix Deployment is not supported.

• Migration of an on-premises management database that contains CloudGuard Network Auto Scaling gateways is not supported. Issues can occur in the communication between Smart-1 Cloud and the existing CloudGuard Network Auto Scaling gateways. Connecting a CloudGuard Network Auto Scaling gateway as a new gateway is supported.

  • VPN

    • Automatic MEP Topology is not supported.

Logs & Events

• Logs Information

    • Logs Information shows your tenant logs usage and entitled storage.

    • For how to optimize Smart-1 Cloud Logs, refer to sk181096.

    Note - Logs usage does not count the external exporters, for example:

• Logs & Events SmartView

    • Use the Logs & Monitor view in SmartConsole

    • Use the Logs & Events view in the Infinity Portal

• SmartEvent Views and Reports are supported per purchased license; activation is automatic based on the purchased license.

  • SmartEvent Policies are not supported. Consequently, it is not possible to configure custom events or automatic reactions.

Important - The checkboxes for SmartEvent Software Blades are selected automatically if the user has a corresponding license. This is intended behavior.

• There can be a latency of up to two minutes from the time the gateway creates the log until it is visible in Logs & Events.

  • OPSEC and LEA are not supported.

  • Free text search works only on a small list of fields. When you search, use a specific column's name.

    For example:

    • action: "Drop"

    • severity: "Critical"

  • Paging/Scrolling is limited to 20 pages.

  • Export logs to Excel CSV is limited to 10K records.

• All filter values are case sensitive; this includes action, type, and product.

• To filter logs for only one value when the Blade/Product field contains several values, add wildcards before and after the Blade name, for example "blade:*Firewall*".

  • Some widgets in these Views and Reports may not work and return a "Failed to query" error:

    • Views - MTA Live Monitoring

    • Reports - GDPR Security Report, Security Checkup - Advanced

  • Threat Prevention Rule Base - Lower logs pane does not return results for Threat Prevention rule base. Instead, it returns "No matches found." To filter Threat Prevention logs, use the Logs view in Logs & Events.

  • Auto-refresh does not refresh the information.

• Suggestions in the Logs view are not supported for some values.

  • It is not possible to search for a specific updatable object in logs.

  • Logs view > Edit profile - Editing some fields might cause a "query failed" error. In this case, open a support ticket.

  • Opening a log file from Logs & Events is not supported.

• Tufin: Hostname or LogID = Service Identifier (logs from the Forward to SIEM (Syslog) configuration).

    You can find the Service Identifier in Settings > General.

  • Tufin's SecureTrack is supported to manage policies on Smart-1 Cloud.

  • Blobs and packet captures are not supported with Smart-1 Cloud.

  • SmartView web access through the SmartConsole link is not supported.

    To view logs you can use the embedded SmartView functionality in SmartConsole.

Migration

Before you migrate an on-premises Security Management Server to Smart-1 Cloud, review these requirements.

In some cases, you must change the configuration before or after the migration.

Important to know before you start:

  1. Migration is supported from version R81.10 and higher.

2. Reset SIC after the migration:

    1. For Gateways running R80.40 Jumbo Hotfix Accumulator Take 89 or higher, it is not necessary to reset SIC after the migration.

    2. On all other Gateways, reset SIC on the gateway before you initialize communication from SmartConsole to the gateway.

  3. Run the export command from inside the /var/log directory.

  4. Make sure you have sufficient disk space in the partition before you start.

Configuration and required step:

  • Gateway object with an unsupported appliance or version - See the list of Supported Gateways and Versions. A Gateway that belongs to an unsupported appliance or version is migrated, but cannot be connected to the Service.

  • Management High Availability - Disable.

  • Management Object Configuration - You cannot edit the Management object in Smart-1 Cloud. During the import process these changes are made:

    • NAT configuration is removed

    • Proxy configuration is removed

    • The old network configuration is ignored

  • Endpoint Manager - Before you run the export on the on-premises Management Server, disable the Endpoint Policy Management Software Blade and install the database.

  • Consent flag (Automatically download Blade contracts and other important data) - Enable. The flag is enabled by default during the import.

  • Central License - Regenerate a new license with this Management IP address: 100.64.0.52

  • Running scripts on the management objects - Disable.

  • Multi-Domain Server - Migration is supported only from a Security Management Server. To migrate a Domain to a Security Management Server, follow the instructions in sk156072 - Domain Migration in R80.x > section "Migrating from Domain Management Server to Security Management Server."

  • Standalone - Migration is supported only from a Security Management Server. If you need to migrate from a Standalone configuration to a Distributed configuration before the migration to Smart-1 Cloud, follow the instructions in sk179444 - Migration from a Standalone environment to a Distributed environment.

  • Authentication methods (OS Password, SecurID, RADIUS, TACACS, API Key) - Change the authentication method to a Check Point password. If the authentication method was not changed before the import, log in with Streamed SmartConsole and change it.

  • Network objects with IP addresses from the subnet 100.64.0.0/24 (see details here) - Smart-1 Cloud uses this subnet; you must change the IP addresses of these objects to a different subnet.

Limitation:

Migration from a pre-R81 Multi-Domain Management Server to a Smart-1 Cloud server fails. For details, refer to sk180650.
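A pre-migration check for the 100.64.0.0/24 requirement above, as an added example that is not Check Point's own tooling: it scans a list of host, network and gateway objects and reports every object whose address range overlaps the subnet Smart-1 Cloud reserves, including networks wider than the reserved subnet (such as the whole 100.64.0.0/10 CGNAT range), which a plain "is the address inside 100.64.0.0/24" test would miss. The field names follow the Management API's host and network objects (ipv4-address, subnet4, mask-length4); the sample objects are constructed, and retrieving real objects from the API is left to the reader.

```python
"""Pre-migration check: flag objects that overlap Smart-1 Cloud's 100.64.0.0/24.

Added example, not Check Point tooling. Field names follow the Management API's
host/network objects; the sample objects below are constructed for illustration.
"""
import ipaddress

# Subnet reserved by Smart-1 Cloud (from the migration requirements).
SMART1_CLOUD_SUBNET = ipaddress.ip_network("100.64.0.0/24")

# Constructed sample export: hosts, networks and one gateway object.
SAMPLE_OBJECTS = [
    {"name": "web-srv", "type": "host", "ipv4-address": "10.1.1.10"},
    {"name": "lab-host", "type": "host", "ipv4-address": "100.64.0.17"},
    {"name": "lab-net", "type": "network", "subnet4": "100.64.0.0", "mask-length4": 24},
    {"name": "dmz-net", "type": "network", "subnet4": "192.168.50.0", "mask-length4": 24},
    {"name": "cgnat-wide", "type": "network", "subnet4": "100.64.0.0", "mask-length4": 10},
    {"name": "gw-branch", "type": "simple-gateway", "ipv4-address": "203.0.113.5"},
]


def object_to_network(obj):
    """Return the IPv4 range an object covers as an ip_network, or None if it has no IPv4."""
    if "ipv4-address" in obj:
        # Hosts and gateways carry a single address: treat it as a /32.
        return ipaddress.ip_network(obj["ipv4-address"] + "/32")
    if "subnet4" in obj:
        # Network objects carry a subnet and a prefix length.
        return ipaddress.ip_network(
            f"{obj['subnet4']}/{obj['mask-length4']}", strict=False
        )
    return None


def find_conflicts(objects, reserved=SMART1_CLOUD_SUBNET):
    """Return the names of objects whose range overlaps the reserved subnet.

    overlaps() is symmetric, so a network that contains the reserved subnet is
    reported just like a host or network that sits inside it.
    """
    conflicts = []
    for obj in objects:
        net = object_to_network(obj)
        if net is not None and net.overlaps(reserved):
            conflicts.append(obj["name"])
    return conflicts


if __name__ == "__main__":
    for name in find_conflicts(SAMPLE_OBJECTS):
        print(f"change the IP address of this object before migration: {name}")
```

Objects without an IPv4 address (groups, services) are skipped rather than treated as conflicts, so the check can be run over a mixed object export.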

Integrations with Other Services and 3rd Party Tools

  • Integrations of 3rd party tools and Smart-1 Cloud are supported with the use of the Management APIs.

• Integrations with 3rd party tools that use SSH access or OPSEC/LEA to the Management Server are not supported.

  • Known integrations not supported:

    • ThreatCloud Managed Security Service