Expected Behavior and Known Limitations

Smart-1 Cloud is a Check Point service that delivers Check Point Security Management as part of Check Point's SaaS solution.

Smart-1 Cloud enables administrators to manage their security policies, network objects, and logs analysis similar to on-premises deployments from a web browser.

In some cases, there may be changes in behavior when you compare the cloud environment to the on-premises environment.

Below is a list of expected behavioral changes and current known limitations.

General Management Capabilities

  • Multi-Domain Security Management

    • With Smart-1 Cloud, a customer can have multiple environments on the same Infinity Portal account registered with the same email address. This is the equivalent of managing multiple domains.

    • Switching between the different environments in the portal is easy. This is done by selecting the environment name from the drop down list at the top of the window.

    • (Undefined variable: Vars_BladesFeatures.tp_sso) (SSO) to the environments - The login from the portal to the web SmartConsole uses the portal's credentials and enables SSO.

    • It is currently not supported to share global objects, global policies and global rules between the environments.

  • Management Objects

    • The management object in Smart-1 Cloud is read-only and is not seen in the gateways and servers view. It is visible in the object explorer in read-only.

    • Running actions on the management object is not required. As part of the service, backups of the environment run on a regular basis - every 12 hours.

    • SSH access to the Management server is not possible, for actions that must have SSH access contact support.

  • Management Login - Supported Methods

  • Two-Factor Authentication

    • For log in to the Infinity Portal - Enable this option in Global Settings.

  • Managing Endpoint

    • Use the new Harmony Endpoint(also available in the Infinity Portal) to manage Endpoint clients.

  • Managing HA - In Smart-1 Cloud the target is availability of 99.9% up time, no additional HA solution is required.

  • Not Supported Features

    • Managing of VSX Gateways and VSX Clusters.

    • Managing of Security Groups on Scalable Platforms (Maestro and Scalable Chassis).

    • SmartProvisioning.

    • R80.40 SmartTasks feature.

  • Management APIs that are not supported

    Note - Running these APIs can cause unwanted behavior.

    • run_script on the Management Server object

    • migrate-export-domain

    • put-file

    • SmartTasks

  • CloudGuard Edge

  • CloudGuard IaaS Auto Scaling Solutions

    • To configure Smart-1 Cloud to automatically provision CloudGuard IaaS Security Gateways, contact Check Point Support with the required autoprov commands to run on the Management Server.

    • To use the "vsec_lic_cli" tool to apply CloudGuard IaaS licenses, contact Check Point Support.

    • CME Automatic Hotfix Deployment is not supported.

    • Migration of an on-premises management database with CloudGuard IaaS Auto Scaling gateway is not supported. Issues can occur with the communication between Smart-1 Cloud and the existing CloudGuard IaaS Auto Scaling gateways. The connection of a CloudGuard IaaS Auto Scaling gateway as a new gateway is supported.

Logs & Monitor

  • Logs & Monitor SmartView

    • Use the Logs & Monitor view in SmartConsole

    • Use the Logs & Monitor view in the Infinity Portal

  • The support of SmartEvent Views and Reports is for each purchased license - activation is done automatically based on the purchased license.

  • SmartEvent Policies are not supported. Consequently, it is not possible to configure custom events or automatic reactions.

    Important - The SmartEvent Software Blades and Indexing mode checkboxes (in the Management Server object) must stay cleared - this is the expected behavior.

  • Possible latency of maximum two minutes from the time the gateway creates the log until it is visible in Logs & Monitor.

  • Export logs - Export logs to a SIEM vendor or to a syslog server is supported and requires a license. To configure the Log Exporter(sk122323) contact support.

  • OPSEC and LEA are not supported.

  • Free text search works only on a small list of fields. When you search, use a specific column's name.

    For example:

    • action: "Drop"

    • severity: "Critical"

  • Paging/Scrolling is limited to 20 pages.

  • Export logs to Excel CSV is limited to 1K records.

  • All filters are case sensitive in value, this includes action, type, and product.

  • To filter logs for only one value, when Blade/Product has some values, add wildcards before and after the Blade's name, such as "blade:*Firewall*."

  • Some widgets in these Views and Reports may not work and return a "Failed to query" error:

    • Views - MTA Live Monitoring

    • Reports - GDPR Security Report, Security Checkup - Advanced

  • Threat Prevention Rule Base - Lower logs pane does not return results for Threat Prevention rule base. Instead, it returns "No matches found." To filter Threat Prevention logs, use the Logs view in Logs & Monitor.

  • Auto-refresh does not refresh the information.

  • Suggestions in Log view is not supported for some values.

  • Cannot search for a specific updatable object in logs.

  • Logs view > Edit profile - In some fields might cause "query failed" error - in this case, open a support ticket.

  • Opening log file from Logs & Monitor is not supported.

Migration

To migrate a Security Management Server to Smart-1 Cloud, when moving from on-premises to Smart-1 Cloud, before you start review these requirements.

In some cases, you must change the configuration before or after the migration.

Important to know before you start:

  1. Migration is supported from version R80.20 and higher.

  2. Reset SIC post the migration:

    1. Gateways running R80.40 Jumbo Hotfix Accumulator Take 89 or higher, it is not necessary to reset SIC post the migration.

    2. All others Gateways must reset the SIC on the gateway before you initialize the communication from SmartConsole to the gateway.

  3. Run the export command from inside the /var/log directory.

  4. Make sure you have sufficient disk space in the partition before you start.

Configuration

Required Step

Gateway object with an unsupported appliances and or version

See the list of Supported Gateways and Versions.

A Gateway that belongs to an unsupported appliance or version is migrated, but cannot be connected to the Service.

Management High Availability

Disable.

Management Object Configuration

You cannot edit the Management object in Smart-1 Cloud.

During the import process these changes are made:

  • Remove NAT configuration

  • Remove Proxy configuration

  • It ignores old network configuration

Endpoint Manager

Before you run the export on the on-premises management, disable the Endpoint Policy Management Software Blade and install the database.

Consent flag - Automatically download Blade contracts and other important data

Enable: Flag is enabled by default during the import.

Central License

Regenerate a new license with this Management IP address: 100.64.0.52

Running scripts on the management objects

Disable.

Multi-Domain Server

Migration is supported only from Security Management Server.

To migrate a Domain to a Security Management Server, follow the instruction in sk156072 - Domain Migration in R80.x > section "Migrating from Domain Management Server to Security Management Server."

Standalone

Migrations is supported only from a Security Management Server.

Follow the instruction in sk154033 - How to migrate R80.x standalone management environment to a distributed environment.

Authentication methods: OS Password, SecurID, RADIUS, TACACS, API Key

Change the authentication method to a Check Point password. If the administration method was not changed before the import, log in with Web SmartConsole and change it.

Network objects with IP addresses from the subnet 100.64.0.0/24

Smart-1 Cloud uses this subnet, you must change the IP address to a different subnet.

Integrations with Other Services and 3rd Party Tools

  • Integrations of 3rd party tools and Smart-1 Cloud are supported with the use of the Management APIs.

  • Integration with 3rd party tools that use SSH access or OPSEC/LEA to the Management Server are not supported.

  • Known integrations not supported:

    • ThreatCloud Managed Security Service