Frequently Asked Questions about Smart-1 Cloud
-
General Information & Overview
-
What is my Smart-1 Cloud Management Server IP address?
In Smart-1 Cloud, the Management Server holds an internal IP address, which is inaccessible from the outside. Usually, it is not necessary to know or use the Management IP address, but in some cases, you are required to provide it.
Because the Management IP address is internal, it is the same for all deployments. Therefore, when you are required to use the Management IP address, such as for a Central License, use this IP address: 100.64.0.52.
-
When does Smart-1 Cloud apply new software versions?
After a new General Availability (GA) version is released, Smart-1 Cloud begins using it for newly created environments within several weeks.
Existing customer environments are upgraded gradually over time.
-
Will I be notified before a Smart-1 Cloud upgrade?
Yes. Smart-1 Cloud sends a notification two weeks before a scheduled upgrade.
Upgrades are performed by Check Point after local business hours, based on the region where your Smart-1 Cloud environment is deployed. Notifications are sent to the primary administrator listed in your Infinity Portal account settings.
After receiving the upgrade notification, you can ask to reschedule. If approved, you'll be assigned a new upgrade window and receive a new notification before the rescheduled upgrade.
Each upgrade is isolated to your environment and does not affect other customers.
-
What are the Service Maintenance Windows?
The service continuously monitors all production environments to ensure stable operation. When maintenance is required, it is scheduled outside regular working hours for each region, in accordance with local maintenance windows.
Routine maintenance that is either non-disruptive or causes service interruptions of up to 10 minutes does not trigger customer notifications. These operations are always performed during off-hours.
In rare cases — such as major version upgrades — maintenance may last 1–2 hours. In such cases, customers receive an email notification 10–14 days in advance. The email specifies a 2–3 day window during which the maintenance will occur, always within regional off-hours. Customers may reply to the email to request rescheduling to a different time range.
Regional maintenance windows:
- APAC, India, EU and US - Every Sunday
- EU/UK - weekdays - from 20:00 to 06:00 am CET
- US - weekdays - from 20:00 to 06:00 am CST
- IN - weekdays - from 20:00 to 06:00 am IST
- APAC - weekdays - from 20:00 to 06:00 am ACT (Australian Central Time)
-
-
How many gateways can you manage with Smart-1 Cloud?
Smart-1 Cloud can manage up to 400 Security Gateways.
-
-
Connectivity & Network Requirements
-
Which ports must be open on the Security Gateway?
You must allow outbound HTTPS traffic to the FQDNs listed below to allow communication between the Security Gateway and the service:
- To your domain at Smart-1 Cloud: <Service-Identifier>.maas.checkpoint.com
- For Smart-1 Cloud deployments in Europe: cloudinfra-gw.portal.checkpoint.com
- For Smart-1 Cloud deployments in the United States: cloudinfra-gw-us.portal.checkpoint.com
- For Smart-1 Cloud deployments in APAC: https://cloudinfra-gw.ap.portal.checkpoint.com
From version R80.40, an implied rule always allows this traffic in MaaS mode.
-
-
Which IP addresses does the service use to connect the Security Gateway to Smart-1 Cloud?
When you register a new Gateway to the service, an IP address from one of these subnets is used for the secure tunnel between the Security Gateway and Smart-1 Cloud:
- 100.64.0.0/16
- 100.70.0.0/16
- 100.71.0.0/16
- 100.100.0.0/16
- 100.101.0.0/16
Note - The virtual interface that is created on the Security Gateway uses this IP address as the primary IP address in the object that shows the Gateway in SmartConsole.
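An added example (not Check Point code): it audits the egress rules of a firewall that sits in front of the Security Gateway against the FQDNs listed in this section, and maps an address to the tunnel subnets listed above. The rule tuple format, first-match evaluation, the wildcard syntax and the `example-tenant` Service Identifier are assumptions.

```python
import fnmatch
import ipaddress

# FQDNs and subnets are copied from this FAQ; everything else is an assumption.
REGION_PORTALS = {
    "eu": "cloudinfra-gw.portal.checkpoint.com",
    "us": "cloudinfra-gw-us.portal.checkpoint.com",
    "apac": "cloudinfra-gw.ap.portal.checkpoint.com",
}
TUNNEL_SUBNETS = [ipaddress.ip_network(n) for n in (
    "100.64.0.0/16", "100.70.0.0/16", "100.71.0.0/16",
    "100.100.0.0/16", "100.101.0.0/16",
)]

def required_fqdns(service_id, region):
    """Destinations the Security Gateway must reach over outbound HTTPS."""
    return [f"{service_id}.maas.checkpoint.com".lower(), REGION_PORTALS[region]]

def missing_egress(rules, service_id, region):
    """Return required FQDNs that the rule base does not allow on TCP 443.

    rules: (action, destination, port) tuples in evaluation order (assumed
    export format). The first matching rule wins; no match means deny.
    """
    missing = []
    for fqdn in required_fqdns(service_id, region):
        verdict = "deny"
        for action, dest, port in rules:
            if port == 443 and fnmatch.fnmatchcase(fqdn, dest.lower().rstrip(".")):
                verdict = action
                break
        if verdict != "allow":
            missing.append(fqdn)
    return missing

def tunnel_subnet(addr):
    """Return the Smart-1 Cloud tunnel subnet that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((str(n) for n in TUNNEL_SUBNETS if ip in n), None)

# Constructed rule export for illustration (not real data).
SAMPLE_RULES = [
    ("deny", "cloudinfra-gw-us.portal.checkpoint.com", 443),
    ("allow", "*.maas.checkpoint.com", 443),
    ("allow", "cloudinfra-gw.portal.checkpoint.com", 80),  # wrong port, ignored
    ("allow", "*.portal.checkpoint.com", 443),
]

if __name__ == "__main__":
    for region in REGION_PORTALS:
        print(region, missing_egress(SAMPLE_RULES, "example-tenant", region))
    for ip in ("100.64.0.52", "100.71.12.9", "100.65.0.1"):
        print(ip, tunnel_subnet(ip))
```

The Management IP address 100.64.0.52 given earlier in this FAQ falls inside the first tunnel subnet, so a filter built on these ranges also matches it.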
-
-
How do I configure a DAIP Security Gateway for Smart-1 Cloud?
- If you are concerned about connectivity: Configure the tunnel IP address in the Security Gateway object to ensure reliable communication between the Security Management Server and the DAIP Security Gateway.
- When configuring a new DAIP Security Gateway: During the SIC initialization sequence, enter the tunnel IP address as the Gateway IP address in the object.
-
-
-
Management & Administration
-
Migration & Deployment
-
Can I migrate only selected gateways to Smart-1 Cloud?
A full migration of the Security Management Server is required first. After migration, you can connect and manage only the desired gateways with Smart-1 Cloud, while others remain managed on-premises until ready for migration.
-
How do I cancel the service?
To cancel the service and migrate the management database to on-premises management:
- Open a Service Request with Check Point Support and request the management database.
  Note - Logs cannot be downloaded.
- Change the IP address in the management object, the primary IP for Smart-1 Cloud.
- If *.def files were modified, reapply the changes or request the files from Check Point Support.
- Reconfigure any special settings, such as using a Security Gateway as a proxy for LDAP.
- On the Security Gateway, disconnect it from Smart-1 Cloud and run the maas off command.
-
-
What if I already have SmartConsole for a different on-premises management?
You can use the same SmartConsole to connect to both Smart-1 Cloud and on-premises environments.
-
-
Tools & Access
-
Does Smart-1 Cloud support APIs?
Yes. Enable and configure Management APIs in Settings > API & SmartConsole. For more information, see the Check Point Management API Reference.
-
How can I perform tasks that require SSH access to the machine?
All environment maintenance tasks are handled by the service. For tasks requiring SSH access, open a ticket with Check Point Support.
-
How can I use the ICA Management Tool with Smart-1 Cloud?
For support of the ICA Management Tool, contact Check Point Support.
-
-
Licensing & Features
-
I purchased a Smart-1 Cloud license. How do I apply it?
After purchase, Check Point contacts your sales representative for setup. For more information, see Smart-1 Cloud License.
If issues persist, contact Account Services to configure your account for production. Provide:
- Infinity Portal account name
- Smart-1 Cloud Service Identifier
- User Center account
-
-
How do I add or attach a VPN license to Smart-1 Cloud?
Open a service request with Check Point Support.
-
Does Smart-1 Cloud support Compliance Blade?
Yes, the Compliance blade is supported and visible from the Streamed SmartConsole. For more details, see Log in to SmartConsole from Smart-1 Cloud.
-
Does Smart-1 Cloud support ElasticXL?
Yes, ElasticXL is supported starting from R82. It simplifies clustering by using a single management object with automatic configuration and software synchronization across all cluster members.
-
-
Version & Database Management
-
How can I revert the management database to an earlier version?
From R80.40, use SmartConsole or API to revert to a previous revision. To revert the entire management database to an earlier version, open a Service Request with Check Point Support.
Note - This action is irreversible.
-
How frequently are backups performed?
Backups are performed daily for the first ten days after environment deployment. After that, backups occur less frequently to optimize resources.
-
-
-
Licensing & Logging
-
How is log ingestion and retention handled?
Your Smart-1 Cloud license defines:
- Maximum daily log ingestion rate
- Log retention period (90 days standard; extended periods available for some SKUs)
Important - Purchase a license with a daily ingestion limit higher than your average log ingestion rate to prevent data loss and ensure uninterrupted logging.
Check usage with the Average Monthly Ingestion and Daily Log Ingestion graphs on the Infinity Events > Log Ingestion page. See sk181096 for log optimization and sk182394 for license SKU details.
-
Can I integrate on-premises Check Point Log Servers or SmartEvent Servers with Smart-1 Cloud?
No. Smart-1 Cloud is a Software-as-a-Service (SaaS) solution and does not support integration with on-premises Check Point Log or SmartEvent Servers.
In Smart-1 Cloud, logs from Security Gateways are sent directly to the cloud, where they are processed, stored, and displayed in Infinity Events.
This cloud-native architecture eliminates the need for on-premises Log or SmartEvent Servers.
-