Expected Behavior and Known Limitations

Smart-1 Cloud is a Check Point service that delivers Check Point Security Management as part of Check Point's SaaS solution.

Smart-1 Cloud enables administrators to manage security policies and network objects and to analyze logs from a web browser, similar to on-premises deployments.

In some cases, the cloud deployment behaves differently from the on-premises deployment.

Below is a list of expected behavioral changes and current known limitations.

Supported Gateways and Versions

| Type | Appliance Models | Software Version |
| Quantum Spark | 2000, 3000 | R80.10 and higher |
| | 1500 | R80.20.05 and higher |
| | 1600 | R80.20.25 and higher |
| | 1800 | R80.20.25 and higher |
| | CloudGuard Edge | R80.20.05 and higher |
| Enterprise | 4000, 5000, 6000, 7000, 12000, 13000, 15000, 16000, 21000, 23000 | R80.10 and higher |
| CloudGuard IaaS | CloudGuard IaaS Gateway | R80.20 and higher |
| | Auto Scaling solutions: Azure VMSS, AWS ASG, GCP MIG | |
| Other | Open Servers | R80.10 and higher |

Roadmap - Support for VSX and Maestro.

General Management Capabilities

  • Multi-Domain Security Management

    • With Smart-1 Cloud, a customer can have multiple environments on the same Infinity Portal account registered under the same email address. This is the equivalent of managing multiple domains.

    • To switch between the different environments in the portal, select the environment name from the drop-down list at the top of the window.

    • Single Sign-On (SSO) to the environments - The login from the portal to the web SmartConsole uses the portal's credentials and allows SSO.

    • Sharing global objects, global policies and global rules between the environments is currently not supported.

  • Management Objects

    • The management object in Smart-1 Cloud is read-only and cannot be seen in the gateways and servers view. It is visible in the object explorer as read-only.

    • Running actions on the management object is not required. As part of the service, backups of the environment run on a regular basis - every 12 hours.

    • SSH access to the Management machine is not possible. For actions that require SSH access, contact support.

  • Management Login - Supported Methods

  • Two-Factor Authentication

    • For logging in to the Infinity Portal - Enable this option in Global Settings.

  • Managing Endpoint

    • Use the new Harmony Endpoint (also available in the Infinity Portal) to manage Endpoint clients.

  • Managing HA - In Smart-1 Cloud we aim for an availability of 99.9% uptime; no additional HA solution is required.

  • Not Supported Features

    • Management of VSX Gateways and VSX Clusters

    • Management of Security Groups on Scalable Platforms (Maestro and Scalable Chassis)

    • SmartProvisioning

    • R80.40 SmartTasks feature

  • Management APIs that are not supported

    Note - Running these APIs may cause unwanted behavior.

    • run_script on the Management Server object

    • migrate-export-domain

    • put-file

    • SmartTasks

  • CloudGuard Edge

  • CloudGuard IaaS Auto Scaling Solutions

    • To configure Smart-1 Cloud to automatically provision CloudGuard IaaS Security Gateways, contact Check Point Support with the required autoprov commands to run on the Management Server.

    • To use the "vsec_lic_cli" tool to apply CloudGuard IaaS licenses, contact Check Point Support.

    • CME Automatic Hotfix Deployment is not supported.

    • Migration of an on-premises management database with CloudGuard IaaS Auto Scaling gateway is not supported. Issues may occur with the communication between Smart-1 Cloud and the existing CloudGuard IaaS Auto Scaling gateways. The connection of a CloudGuard IaaS Auto Scaling gateway as a new gateway is supported.

Logs & Monitor

  • Logs & Monitor SmartView

    • Use the Logs & Monitor view in SmartConsole

    • Use the Logs & Monitor view in the Infinity Portal

  • SmartEvent Views and Reports are supported per purchased license. Activation is done automatically according to the purchased license.

  • SmartEvent Policies are not supported. Consequently, it is not possible to define custom events or automatic reactions.

    Important - The SmartEvent Software Blades and Indexing mode checkboxes (in the Management Server object) should remain cleared - this is the expected behavior.

  • Possible latency of up to two minutes from the time the log was created by the gateway until it is visible in Logs & Monitor.

  • Export logs - Exporting logs to a SIEM vendor or to a syslog server is supported and requires a license. To configure the Log Exporter (sk122323), contact support.

  • OPSEC and LEA are not supported

  • Free text search works only on a small list of fields. When searching, use a specific column's name.

    For example:

    • action: "Drop"

    • severity: "Critical"

  • Paging/Scrolling is limited to 20 pages.

  • Export logs to Excel CSV is limited to 1K records.

  • Filter values are case-sensitive in all filters, including action, type, and product.

  • To filter logs for only one value, when Blade/Product has several values, add wildcards before and after the Blade's name, such as "blade:*Firewall*"

  • Certain widgets in these Views and Reports might not work and return a "Failed to query" error:

    • Views - MTA Live Monitoring

    • Reports - GDPR Security Report, Security Checkup - Advanced

  • Threat Prevention Rule Base - Lower logs pane does not return results for Threat Prevention rule base. Instead, it returns "No matches found". To filter Threat Prevention logs, use the Logs view in Logs & Monitor.

  • Auto-refresh does not refresh the information.

  • Suggestions in the Logs view are not supported for some values.

  • Unable to search for a specific updatable object in logs.

  • Logs view > Edit profile - Some fields might cause a "query failed" error. In this case, open a support ticket.

  • Opening a log file from Logs & Monitor is not supported.

Migration

Before you migrate an on-premises Security Management Server to Smart-1 Cloud, review these requirements.

In some cases, you must change the configuration before or after the migration.

Important to know before starting:

  1. Migration is supported from version R80.20 and higher

  2. Reset SIC after the migration:

    1. Gateways running R80.40 Jumbo Hotfix Accumulator Take 89 or higher do not need a SIC reset after the migration

    2. All other Gateways must reset SIC on the gateway before initializing the communication from SmartConsole to the gateway

  3. Run the export command from within the /var/log directory

  4. Check that you have enough disk space in the partition before starting

Configuration - Required Step

  • Gateway object with an unsupported appliance and/or version - See the list of Supported Versions. A Gateway that belongs to an unsupported appliance or version is migrated, but cannot be connected to the Service.

  • Management High Availability - Disable.

  • Management Object Configuration - You cannot edit the Management object in Smart-1 Cloud. During the import process these changes are made:

    • Remove NAT configuration

    • Remove Proxy configuration

    • Old network configuration is ignored

  • Endpoint Manager - Before you run the export on the on-premises management, disable the Endpoint Policy Management Software Blade and install the database.

  • Consent flag (Automatically download Blade contracts and other important data) - Enable: Flag is enabled by default during the import.

  • Central License - Regenerate a new license with this Management IP address: 100.64.0.52

  • Running scripts on the management objects - Disable.

  • Multi-Domain Server - Migration is supported only from a Security Management Server. To migrate a Domain to a Security Management Server, follow the instructions in sk156072 - Domain Migration in R80.x > section "Migrating from Domain Management Server to Security Management Server".

  • Standalone - Migration is supported only from a Security Management Server. Follow the instructions in sk154033 - How to migrate R80.x standalone management environment to a distributed environment.

  • Authentication methods: OS Password, SecurID, RADIUS, TACACS, API Key - Change the authentication method to a Check Point password. If the authentication method was not changed before the import, log in with Web SmartConsole and change it.

  • Network objects using IP addresses from the subnet 100.64.0.0/24 - Smart-1 Cloud uses this subnet. You must change the IP address to a different subnet.
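
An added example, not part of the original Check Point documentation: a pre-migration check for the 100.64.0.0/24 requirement above that lists the network objects to change before the export. The object inventory and its field names (name, address, cidr, first, last) are constructed for illustration, and flagging any network or range that overlaps the subnet, not only single hosts inside it, is an assumption about how strictly to read the requirement.

```python
import ipaddress

# Subnet the page says Smart-1 Cloud uses (100.64.0.52, the Management IP
# address given for the central license, lies inside it).
RESERVED = ipaddress.ip_network("100.64.0.0/24")


def object_networks(obj):
    """Return the networks an object covers (host, network or address range)."""
    if "address" in obj:                      # host: one address (/32 or /128)
        return [ipaddress.ip_network(obj["address"])]
    if "cidr" in obj:                         # network: subnet/prefix length
        return [ipaddress.ip_network(obj["cidr"], strict=False)]
    if "first" in obj and "last" in obj:      # address range: split into CIDRs
        first = ipaddress.ip_address(obj["first"])
        last = ipaddress.ip_address(obj["last"])
        return list(ipaddress.summarize_address_range(first, last))
    return []                                 # groups, services, etc.: no addresses


def conflicting_objects(objects):
    """Names of objects that use at least one address in the reserved subnet."""
    hits = []
    for obj in objects:
        # overlaps() also catches supernets that contain the reserved subnet
        # and ranges that only partly enter it; IPv6 objects never overlap.
        if any(net.overlaps(RESERVED) for net in object_networks(obj)):
            hits.append(obj["name"])
    return hits


# Constructed sample inventory (hypothetical field names, not real export output).
SAMPLE_OBJECTS = [
    {"name": "web-01", "address": "10.1.2.10"},
    {"name": "cgnat-host", "address": "100.64.0.52"},
    {"name": "branch-net", "cidr": "100.64.1.0/24"},
    {"name": "carrier-nat", "cidr": "100.64.0.0/10"},
    {"name": "dhcp-pool", "first": "100.63.255.250", "last": "100.64.0.5"},
    {"name": "dmz-pool", "first": "192.168.5.10", "last": "192.168.5.50"},
    {"name": "v6-host", "address": "2001:db8::10"},
]

if __name__ == "__main__":
    for name in conflicting_objects(SAMPLE_OBJECTS):
        print(f"change before migration: {name}")
```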

Integrations with Other Services and 3rd Party Tools

  • Integrations of 3rd party tools and Smart-1 Cloud are supported with the use of the Management APIs.

  • Integration with 3rd party tools that use SSH access or OPSEC/LEA to the Management Server is not supported.

  • Known integrations not supported:

    • ThreatCloud Managed Security Service