Frequently Asked Questions about Smart-1 Cloud
-
General Information & Overview
-
What is my Smart-1 CloudManagement Server IP address?
In Smart-1 Cloud the Management Server holds an internal IP address, which is inaccessible from the outside.
Usually it is not necessary to know or use the Management IP address, but in some cases you are required to provide it.
Because the Management IP address is internal, it is the same for all deployments.
Therefore, when required to use the Management IP address, such as Central License, use this IP address: 100.64.0.52.
-
When is my Smart-1 Cloud environment upgraded after a new software version is released?
Several weeks after a new General Availability version is released, Smart-1 Cloud is upgraded and runs the new version for new environments.
Existing customer environments are upgraded gradually.
-
Do I receive a notification before an upgrade runs on my Smart-1 Cloud environment?
-
In Smart-1 Cloud, Check Point upgrades your Smart-1 Cloud environment.
A customer receives a notification two weeks before the upgrade occur.
Upgrades are done based on the region in which your Smart-1 Cloud environment is deployed (after local business hours).
-
Smart-1 Cloud sends notifications to the primary administrator as defined in your Infinity Portal account settings.
-
After a customer receives the notification for a planned upgrade, they can ask to reschedule.
A new upgrade window is then allocated for the customer, and a new notification is sent before the next planned upgrade.
A customer's upgrade does not effect other customers Smart-1 Cloud environment.
-
-
What are the Service Maintenance Windows?
The service runs pro-active monitoring on all production environments; in some cases, maintenance actions are required to provide stable operation.
All maintenance operations are done after usual work hours for each deployed region and in accordance with the regional maintenance windows.
For non-disrupted operations or operations with disruptions lasting up to 10 minutes, no notification is shared with the customer.
(This is done only during regular off-hours.)
There are rare cases, such as major version upgrades, in which the maintenance operation may take 1-2 hours. In such cases, an email notification is sent 10–14 days in advance, providing a range of 2–3 days in which the operation will take place (again, always within regional off-hours). The customer can reply to the email and request to reschedule to another range.
Regional maintenance windows:
-
APAC, India, EU and US - Every Sunday
-
EU/UK - weekdays - from 20:00 to 06:00 am CET
-
US - weekdays - from 20:00 to 06:00 am CST
-
IN - weekdays - from 20:00 to 06:00 am IST
-
APC - weekdays - from 20:00 to 06:00 am ACT (Australian Central Time)
-
-
How many gateways can you manage with Smart-1 Cloud?
Smart-1 Cloud can manage up to 400 Security Gateways.
-
-
Connectivity & Network Requirements
-
Which ports must be open on the Security Gateway?
You must allow outbound HTTPS traffic to FQDN listed below to allow the communication between the Security Gateway and the service:
-
To your domain at Smart-1 Cloud:
<Service-Identifier>.maas.checkpoint.com
-
For Smart-1 Cloud deployments in Europe:
cloudinfra-gw.portal.checkpoint.com
-
For Smart-1 Cloud deployments in the United States:
cloudinfra-gw-us.portal.checkpoint.com
-
For Smart-1 Cloud deployments in the APAC:
https://cloudinfra-gw.ap.portal.checkpoint.com
From version R80.40, an implied rule always allows this traffic in MaaS mode.
-
-
Which IP addresses the service uses to connect the Security Gateway to the Smart-1 Cloud?
When you register a new Gateway to the service, an IP address from one of these subnets is used for the secure tunnel between the Security Gateway and the Smart-1 Cloud:
-
100.64.0.0/16
-
100.70.0.0/16
-
100.71.0.0/16
-
100.100.0.0/16
-
100.101.0.0/16
Note - The virtual interface that is created on the Security Gateway uses this IP address as the primary IP address in the object that shows the Gateway in SmartConsole..
-
-
How do I configure a DAIP Security Gateway for Smart-1 Cloud?
-
If you are concerned about connectivity: Configure the tunnel IP address in the Security Gateway object to ensure reliable communication between the Security Management Server and the DAIP Security Gateway.
-
When configuring a new DAIP Security Gateway: During the SIC initialization sequence, enter the tunnel IP address as the Gateway IP address in the object.
-
-
-
Management & Administration
-
Migration & Deployment
-
Can I migrate only selected gateways to Smart-1 Cloud?
A full migration of the Security Management Server is required first. After migration, you can connect and manage only the desired gateways with Smart-1 Cloud, while others remain managed on-premises until ready for migration.
-
How do I cancel the service?
To cancel the service and migrate the management database to on-premises management:
-
Open a Service Request with Check Point Support and request the management database.
Note - Logs cannot be downloaded.
-
Change the IP address in the management object, the primary IP for Smart-1 Cloud.
-
If
*.def
files were modified, reapply the changes or request the files from Check Point Support. -
Reconfigure any special settings, such as using a Security Gateway as a proxy for LDAP.
-
On the Security Gateway, disconnect it from Smart-1 Cloud and run the
maas off
command.
-
-
What if I already have SmartConsole for a different on-premises management?
You can use the same SmartConsole to connect to both Smart-1 Cloud and on-premises environments.
-
-
Tools & Access
-
Does Smart-1 Cloud support APIs?
Yes. Enable and configure Management APIs in Settings > API & SmartConsole. For more information, see the Check Point Management API Reference.
-
How can I perform tasks that require SSH access to the machine?
All environment maintenance tasks are handled by the service. For tasks requiring SSH access, open a ticket with Check Point Support.
-
How can use the ICA Management Tool with Smart-1 Cloud?
For support of the ICA Management Tool contact Check Point Support.
-
-
Licensing & Features
-
I purchased a Smart-1 Cloud license. How do I apply it?
After purchase, Check Point contacts your sales representative for setup. For more information, see Smart-1 Cloud License.
If issues persist, contact Account Services to configure your account for production. Provide:
-
Infinity Portal account name
-
Smart-1 Cloud Service Identifier
-
User Center account
-
-
How do I add or attach a VPN license to Smart-1 Cloud?
Open a service request with Check Point Support.
-
Does Smart-1 Cloud support Compliance Blade?
Yes, the Compliance blade is supported and visible from the Streamed SmartConsole. For more details, see Log in to SmartConsole from Smart-1 Cloud.
-
Does Smart-1 Cloud support ElasticXL?
Yes, ElasticXL is supported starting from R82. It simplifies clustering by using a single management object with automatic configuration and software synchronization across all cluster members.
-
-
Version & Database Management
-
How can I revert the management database to an earlier version?
From R80.40, use SmartConsole or API to revert to a previous revision. To revert the entire management database to an earlier version, open a Service Request with Check Point Support.
Note - This action is irreversible.
-
How frequently are backups performed?
Backups are performed daily for the first ten days after environment deployment. After that, backups occur less frequently to optimize resources.
-
-
-
Licensing & Logging
How is log ingestion and retention handled?
Your Smart-1 Cloud license defines:
-
Maximum daily log ingestion rate
-
Log retention period (90 days standard; extended periods available for some SKUs)
Important - Purchase a license with a daily ingestion limit higher than your average log ingestion rate to prevent data loss and ensure uninterrupted logging.
Check usage with the Average Monthly Ingestion and Daily Log Ingestion graphs on the Infinity Events > Log Ingestion page. See sk181096 for logs optimization and
sk182394 for license SKU details.
-