General Capabilities

Smart-1 Cloud is a Check Point service that delivers Check Point Security Management as part of Check Point's SaaS solution.

Smart-1 Cloud enables administrators to manage their security policies, network objects, and log analysis from a web browser, similar to on-premises deployments.

There may be behavioral differences between the cloud environment and the on-premises environment, which are listed below.

Management Capabilities

  • Multi-Domain Security Management

    • With Smart-1 Cloud, a customer can have multiple environments on the same Infinity Portal account registered with the same email address. This is the equivalent of managing multiple domains.

    • You can easily switch between different environments in the portal by selecting the environment name from the drop-down list at the top of the window.

    • Single Sign-On (SSO) to the environments - The login from the portal to the Streamed SmartConsole uses the portal's credentials and enables SSO.

  • Management Objects

    • The management object in Smart-1 Cloud is read-only and is not visible in the gateways and servers view. It can be seen in the object explorer in read-only mode.

    • Running actions on the management object is not required. As part of the service, environment backups run automatically every 12 hours.

  • Management Login - Supported Methods

  • Two-Factor Authentication

    • For Infinity Portal login, enable this option in Global Settings.

  • Managing Endpoint

    • Use the new Harmony Endpoint (also available in the Infinity Portal) to manage Endpoint clients.

  • Managing HA

    • In Smart-1 Cloud, the availability target is 99.9% uptime; no additional HA solution is required.

  • CloudGuard Network Auto Scaling Solutions

    • If you use Smart-1 Cloud to manage Auto Scaling groups, you must manage the Security Gateways with their public IPs.

    • To configure Smart-1 Cloud to automatically provision CloudGuard Network Security Gateways, contact Check Point Support for the required autoprov commands to run on the Management Server.

    • To use the "vsec_lic_cli" tool to apply CloudGuard Network licenses, contact Check Point Support.

    • Connection of a CloudGuard Network Auto Scaling Security Gateway as a new gateway is supported.

Logs & Events

  • Logs Information.

    • Logs Information shows your tenant logs usage and entitled storage.

    • For how to optimize Smart-1 Cloud Logs, refer to sk181096.

    Note - Logs usage does not count the external exporters, for example:

  • Logs & Events SmartView.

    • Use the Logs & Monitor view in SmartConsole.

    • Use the Logs & Events view in the Infinity Portal.

  • Support for SmartEvent Views and Reports is automatically activated based on the purchased license.

  • There may be a maximum latency of two minutes from the time the gateway creates a log until it is visible in Logs & Events.

  • Free text search works only on a small list of fields. When you search, use a specific column's name.

    For example:

    • action: "Drop"

    • severity: "Critical"

  • Paging/Scrolling is limited to 20 pages.

  • Export logs to Excel CSV is limited to 10K records.

  • All filters are case sensitive in value, including action, type, and product.

  • To filter logs for only one value when Blade/Product has multiple values, add wildcards before and after the Blade's name, such as "blade:*Firewall*".

  • Threat Prevention Rule Base - Lower logs pane does not return results for Threat Prevention rule base. Instead, it returns "No matches found." To filter Threat Prevention logs, use the Logs view in Logs & Events.

  • Tufin: Hostname or LogID = Service Identifier (for logs from forward to SIEM configuration (Syslog)).

    You can find the Service Identifier in Settings > General.

  • Tufin's SecureTrack is supported to manage policies on Smart-1 Cloud.

Migration

When migrating a Security Management Server to Smart-1 Cloud from on-premises, review these requirements before starting.

In some cases, configuration changes are required before or after the migration.

Important to know before you start:

  1. Migration is supported from version R81.10 and higher.

  2. Reset SIC after migration:

    1. Gateways running R80.40 Jumbo Hotfix Accumulator Take 89 or higher do not require SIC reset after migration.

    2. All other Gateways must reset SIC on the gateway before initializing communication from SmartConsole to the gateway.

  3. Run the export command from inside the /var/log directory.

  4. Make sure you have sufficient disk space in the partition before you start.

Configuration: Gateway object with an unsupported appliance or version

Required Step: See the list of Supported Gateways and Versions. A Gateway that belongs to an unsupported appliance or has an unsupported version is migrated but cannot be connected to the Service.

Configuration: Management High Availability

Required Step: Disable.

Configuration: Management Object Configuration

Required Step: You cannot edit the Management object in Smart-1 Cloud. During the import process:

  • NAT configuration is removed.

  • Proxy configuration is removed.

  • Old network configuration is ignored.

Configuration: Endpoint Manager

Required Step: Before you run export on the on-premises Security Management Server, disable the Endpoint Policy Management Software Blade and install the database.

Configuration: Consent flag - Automatically download Blade contracts and other important data

Required Step: This flag is enabled by default during import.

Configuration: Central License

Required Step: Regenerate a new license with this Management IP address: 100.64.0.52.

Configuration: Running scripts on the management objects

Required Step: Disable.

Configuration: Multi-Domain Server

Required Step: Migration is supported only from a Security Management Server. To migrate a Domain to a Security Management Server, follow the instructions in sk156072 - Domain Migration in R80.x > section "Migrating from Domain Management Server to Security Management Server."

Configuration: Standalone

Required Step: Migration is supported only from a Security Management Server. To migrate from Standalone to Distributed configuration before migrating to Smart-1 Cloud, follow the instructions in sk179444 - Migration from a Standalone environment to a Distributed environment.

Configuration: Authentication methods: OS Password, SecurID, RADIUS, TACACS, API Key

Required Step: Change the authentication method to a Check Point password. If the authentication method was not changed before the import, log in with Streamed SmartConsole and change it.

Configuration: Network objects with IP addresses from the subnet 100.64.0.0/24. See details here.

Required Step: Smart-1 Cloud uses this subnet. Change IP addresses to a different subnet.
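
A pre-migration check for the 100.64.0.0/24 requirement above, as an added example (not Check Point code): it flags hosts, networks, and address ranges that overlap the subnet Smart-1 Cloud uses, including supernets and ranges that only partly fall inside it. The field names assume objects exported as JSON in the shape returned by the Management API; the sample objects are constructed.

```python
import ipaddress

# Subnet used by Smart-1 Cloud, as stated on this page.
RESERVED = ipaddress.ip_network("100.64.0.0/24")


def object_networks(obj):
    """Return the IPv4 networks an exported object covers (empty if it has none)."""
    kind = obj.get("type")
    if kind == "host" and "ipv4-address" in obj:
        return [ipaddress.ip_network(obj["ipv4-address"] + "/32")]
    if kind == "network" and "subnet4" in obj:
        cidr = f'{obj["subnet4"]}/{obj["mask-length4"]}'
        return [ipaddress.ip_network(cidr, strict=False)]
    if kind == "address-range" and "ipv4-address-first" in obj:
        first = ipaddress.ip_address(obj["ipv4-address-first"])
        last = ipaddress.ip_address(obj["ipv4-address-last"])
        # A range is checked as the minimal set of CIDR blocks that covers it.
        return list(ipaddress.summarize_address_range(first, last))
    return []


def find_conflicts(objects, reserved=RESERVED):
    """Names of objects whose addresses overlap the reserved subnet, in input order."""
    conflicts = []
    for obj in objects:
        if any(net.overlaps(reserved) for net in object_networks(obj)):
            conflicts.append(obj["name"])
    return conflicts


# Constructed sample export (assumed shape; not real customer data).
SAMPLE_OBJECTS = [
    {"name": "web-01", "type": "host", "ipv4-address": "10.1.1.10"},
    {"name": "legacy-nat", "type": "host", "ipv4-address": "100.64.0.52"},
    {"name": "cgnat-pool", "type": "network", "subnet4": "100.64.0.0", "mask-length4": 10},
    {"name": "cgnat-other", "type": "network", "subnet4": "100.64.1.0", "mask-length4": 24},
    {"name": "dhcp-range", "type": "address-range",
     "ipv4-address-first": "100.63.255.250", "ipv4-address-last": "100.64.0.5"},
    {"name": "v6-only", "type": "host", "ipv6-address": "2001:db8::1"},
]

if __name__ == "__main__":
    for name in find_conflicts(SAMPLE_OBJECTS):
        print(f"change before migration: {name}")
```
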

Integrations with Other Services and Third-Party Tools

  • Integrations between third-party tools and Smart-1 Cloud are supported with the Management APIs.