Expected Behavior and Known Limitations
Smart-1 Cloud is a Check Point service that delivers Check Point Security Management as part of Check Point's SaaS solution.
Smart-1 Cloud enables administrators to manage their security policies, network objects, and logs analysis similar to on-premises deployments from a web browser.
In some cases, there may be changes in behavior when you compare the cloud environment to the on-premises environment.
Below is a list of expected behavioral changes and current known limitations.
General Management Capabilities
-
Multi-Domain Security Management
-
With Smart-1 Cloud, a customer can have multiple environments on the same Infinity Portal account registered with the same email address. This is the equivalent of managing multiple domains.
- Switching between the different environments in the portal is easy. This is done by selecting the environment name from the drop-down list at the top of the window.
-
Single Sign-On (SSO) to the environments - The login from the portal to the Streamed SmartConsole uses the portal's credentials and enables SSO.
-
It is currently not supported to share global objects, global policies and global rules between the environments.
-
-
Management Objects
-
The management object in Smart-1 Cloud is read-only and is not seen in the gateways and servers view. It is visible in the object explorer in read-only.
-
Running actions on the management object is not required. As part of the service, backups of the environment run on a regular basis - every 12 hours.
-
SSH access to the Management server is not possible, for actions that must have SSH access contact support.
-
-
Management Login - Supported Methods
-
Log into SmartConsole (use the infinity portal credentials), examine the available Infinity Portal login methods. See the Infinity Portal Administration Guide.
-
-
Two-Factor Authentication
-
For log in to the Infinity Portal - Enable this option in Global Settings.
-
-
Managing Endpoint
-
Use the new Harmony Endpoint (also available in the Infinity Portal) to manage Endpoint clients.
-
-
Managing HA - In Smart-1 Cloud the target is availability of 99.9% up time, no additional HA solution is required.
-
Not Supported Features
~~$ [GilF 09 Oct 2024],TP-16284, Stas M., updated FQDNs
-
Managing of VSX Gateways and VSX Clusters.
-
SmartProvisioning.
-
In SmartTasks, the Run Script feature is not supported. (Smart-1 Cloud supports Send Web Request and Send Mail only).
Note - To access the on-premises/cloud SMTP server, you must allow inbound traffic from Smart-1 Cloud FQDNs based on your region:
-
Ireland: eu-west-1.allowed-ips.checkpoint.com
-
London eu-west-2.allowed-ips.checkpoint.com
-
N. Virginia: us-east-1.allowed-ips.checkpoint.com
-
Sydney: ap-southeast-2.allowed-ips.checkpoint.com
-
Mumbai: ap-south-1.allowed-ips.checkpoint.com
-
-
Auto-complete of dynamic entities is not supported (for example, if you enter a source, destination, or service in the query bar, the popup suggestion bar stays empty).
-
Upgrading Quantum Spark Gateways from the CDT (Central Deployment Tool) is not supported.
-
SmartUpdate is not supported.
-
-
Management APIs that are not supported
Note - Running these APIs can cause unwanted behavior.
-
run_script
on the Management Server object -
migrate-export-domain
-
put-file
-
SmartTasks
-
-
CloudGuard Edge
-
CloudGuard Edge is supported with version R80.20.05 and higher.
Best Practice - We recommend to always upgrade your CloudGuard Edge appliance to the latest available version.
-
For more information, see:
-
-
CloudGuard Network Auto Scaling Solutions
-
If you use Smart-1 Cloud to manage Auto Scaling groups, you must manage the Security Gateways with their public IPs.
-
To configure Smart-1 Cloud to automatically provision CloudGuard Network Security Gateways, contact Check Point Support with the required
autoprov
commands to run on the Management Server. -
To use the "
vsec_lic_cli
" tool to apply CloudGuard Network licenses, contact Check Point Support. -
CME Automatic Hotfix Deployment is not supported.
-
Migration of an on-premises management database with CloudGuard Network Auto Scaling gateway is not supported. Issues can occur with the communication between Smart-1 Cloud and the existing CloudGuard Network Auto Scaling gateways. The connection of a CloudGuard Network Auto Scaling gateway as a new gateway is supported.
-
-
VPN
-
Automatic MEP Topology is not supported.
-
Logs & Events
-
Logs Information.
-
Logs Information shows your tenant logs usage and entitled storage.
-
For how to optimize Smart-1 Cloud Logs, refer to sk181096.
Note - Logs usage does not count the external exporters, for example:
-
-
Logs & Events SmartView.
-
Use the Logs & Monitor view in SmartConsole
-
Use the Logs & Events view in the Infinity Portal
-
-
The support of SmartEvent Views and Reports is for each purchased license - activation is done automatically based on the purchased license.
-
SmartEvent Policies are not supported. Consequently, it is not possible to configure custom events or automatic reactions.
Important - The SmartEvent Software Blades and Indexing mode checkboxes (in the Management Server object) must stay cleared - this is the expected behavior.
-
Possible latency of maximum two minutes from the time the gateway creates the log until it is visible in Logs & Events.
-
OPSEC and LEA are not supported.
-
Free text search works only on a small list of fields. When you search, use a specific column's name.
For example:
-
action: "Drop"
-
severity: "Critical"
-
-
Paging/Scrolling is limited to 20 pages.
-
Export logs to Excel CSV is limited to 10K records.
-
All filters are case sensitive in value, this includes action, type, and product.
-
To filter logs for only one value, when
Blade/Product
has some values, add wildcards before and after the Blade's name, such as "blade:*Firewall*
." -
Some widgets in these Views and Reports may not work and return a "
Failed to query
" error:-
Views - MTA Live Monitoring
-
Reports - GDPR Security Report, Security Checkup - Advanced
-
-
Threat Prevention Rule Base - Lower logs pane does not return results for Threat Prevention rule base. Instead, it returns "
No matches found
." To filter Threat Prevention logs, use the Logs view in Logs & Events. -
Auto-refresh does not refresh the information.
-
Suggestions in Log view is not supported for some values.
-
Cannot search for a specific updatable object in logs.
-
Logs view > Edit profile - In some fields might cause "
query failed
" error - in this case, open a support ticket. -
Opening log file from Logs & Events is not supported.
-
Tufin: Hostname or LogID = Service Identifier, (Logs from forward to SIEM configuration (Syslog)).
You can find the Service Identifier in Settings > General.
-
Tufin's SecureTrack is supported to manage policies on Smart-1 Cloud.
-
Blobs and packet captures are not supported with Smart-1 Cloud.
-
SmartView web access through the SmartConsole link is not supported.
To view logs you can use the embedded SmartView functionality in SmartConsole.
Migration
To migrate a Security Management Server to Smart-1 Cloud, when moving from on-premises to Smart-1 Cloud, before you start review these requirements.
In some cases, you must change the configuration before or after the migration.
Important to know before you start:
-
Migration is supported from version R81.10 and higher.
-
Reset SIC post the migration:
-
Gateways running R80.40 Jumbo Hotfix Accumulator Take 89 or higher, it is not necessary to reset SIC post the migration.
-
All others Gateways must reset the SIC on the gateway before you initialize the communication from SmartConsole to the gateway.
-
-
Run the export command from inside the
/var/log
directory. -
Make sure you have sufficient disk space in the partition before you start.
Configuration |
Required Step |
---|---|
Gateway object with an unsupported appliances and or version |
See the list of Supported Gateways and Versions. A Gateway that belongs to an unsupported appliance or version is migrated, but cannot be connected to the Service. |
Management High Availability |
Disable. |
Management Object Configuration |
You cannot edit the Management object in Smart-1 Cloud. During the import process these changes are made:
|
Endpoint Manager |
Before you run the export on the on-premises management, disable the Endpoint Policy Management Software Blade and install the database. |
Consent flag - Automatically download Blade contracts and other important data |
Enable: Flag is enabled by default during the import. |
Central License |
Regenerate a new license with this Management IP address: |
Running scripts on the management objects |
Disable. |
Multi-Domain Server |
Migration is supported only from Security Management Server. To migrate a Domain to a Security Management Server, follow the instruction in sk156072 - Domain Migration in R80.x > section "Migrating from Domain Management Server to Security Management Server." |
Standalone |
Migrations is supported only from a Security Management Server. If your need to migrate from Standalone configuration to Distributed configuration before the migrate to Smart-1 Cloud, follow the instruction in sk179444 - Migration from a Standalone environment to a Distributed environment. |
Authentication methods: OS Password, SecurID, RADIUS, TACACS, API Key |
Change the authentication method to a Check Point password. If the administration method was not changed before the import, log in with Streamed SmartConsole and change it. |
Network objects with IP addresses from the subnet |
Smart-1 Cloud uses this subnet, you must change the IP address to a different subnet. |
Limitation
Migration from pre-R81 Multi-Domain Management server to a Smart-1 Cloud server fails, for details refer to sk180650.
Integrations with Other Services and 3rd Party Tools
-
Integrations of 3rd party tools and Smart-1 Cloud are supported with the use of the Management APIs.
-
Integration with 3rd party tools that use SSH access or OPSEC/LEA to the Management Server are not supported.
-
Known integrations not supported:
-
ThreatCloud Managed Security Service
-