Using the Settings

Use the Settings tab to learn how to use the Management APIs, set the administrator's password, or migrate an on-premises Security Management Server to Smart-1 Cloud.

General

The Management APIs let you read information from, and send commands to, the Check Point Management Server. Everything you do in SmartConsole, such as creating objects and Security Policies and installing them, you can also do with the APIs.
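The session flow behind that sentence, as an added example (not Check Point's own code): log in, run a command, publish, and always log out, which is the same sequence SmartConsole performs when you create an object and publish. Assumptions not taken from the page: the base URL and API key are placeholders (the real Smart-1 Cloud endpoint includes a tenant-specific context path before /web_api), every command is a JSON POST, and every call after login carries the session id in the X-chkp-sid header. The transport is injectable so the flow runs offline against a constructed stand-in server.

```python
"""Check Point Management API session flow (added example, not Check Point code).
login -> add-host -> publish -> logout, with the session id in X-chkp-sid."""
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List

Transport = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


def https_post(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport: JSON POST over HTTPS. API errors come back as a 4xx with a
    JSON body carrying "code" and "message", so those are returned, not raised."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json", **headers},
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return json.loads(e.read())


class MgmtSession:
    """Minimal Management API client; `post` is injectable for offline use."""

    def __init__(self, base_url: str, post: Transport = https_post):
        self.base_url = base_url.rstrip("/")   # e.g. https://<tenant>/<context> (placeholder)
        self.post = post
        self.sid = None
        self.calls: List[str] = []             # commands issued, in order

    def call(self, command: str, body: Dict[str, Any]) -> Dict[str, Any]:
        headers = {}
        if command != "login":
            if self.sid is None:
                raise RuntimeError("call login first")
            headers["X-chkp-sid"] = self.sid
        self.calls.append(command)
        resp = self.post(f"{self.base_url}/web_api/{command}", headers, body)
        if "code" in resp:
            raise RuntimeError(f"{command} failed: {resp.get('message', resp['code'])}")
        return resp

    def login(self, api_key: str) -> str:
        self.sid = self.call("login", {"api-key": api_key})["sid"]
        return self.sid

    def add_host(self, name: str, ip_address: str) -> Dict[str, Any]:
        return self.call("add-host", {"name": name, "ip-address": ip_address})

    def publish(self) -> Dict[str, Any]:
        return self.call("publish", {})

    def logout(self) -> Dict[str, Any]:
        resp = self.call("logout", {})
        self.sid = None
        return resp


def create_and_publish_host(base_url: str, api_key: str, name: str, ip_address: str,
                            post: Transport = https_post) -> List[str]:
    """Full flow; returns the commands issued. The session is released even if a
    command fails, so a failed script does not leave a locked session behind."""
    s = MgmtSession(base_url, post)
    s.login(api_key)
    try:
        s.add_host(name, ip_address)
        s.publish()
    finally:
        s.logout()
    return s.calls


def fake_transport(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed stand-in for the server so the example runs offline."""
    command = url.rsplit("/", 1)[-1]
    if command == "login":
        return {"sid": "constructed-session-id"}
    if headers.get("X-chkp-sid") != "constructed-session-id":
        return {"code": "generic_err_wrong_session_id", "message": "bad sid"}
    return {"uid": "constructed-uid"} if command == "add-host" else {}


if __name__ == "__main__":
    print(create_and_publish_host("https://tenant.example/ctx", "API-KEY-PLACEHOLDER",
                                  "siem-collector", "203.0.113.10", post=fake_transport))
```

With the default transport the same function talks to a real Management Server; the fake transport only replaces the network.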

Service Information:

  • Status: Shows the service status.

  • Service Identifier: Unique service identifier based on the prefix provided in the service creation. When you contact Check Point, you must use this service identifier.

  • Version: Security Management software version.

  • License Status: Active for customers who have purchased a Smart-1 Cloud license; Trial for customers who run in trial mode.

API & SmartConsole

SmartConsole:

  • Web SmartConsole

  • Instructions for using Installed SmartConsole

  • Streamed SmartConsole

Migrate

You can migrate your self-hosted Security Management Server to the Smart-1 Cloud environment.

Note - The migration operation overwrites tenant information (the migration process does not merge tenant information).

Cloud Management Extension (CME) Configuration

Smart-1 Cloud lets administrators configure the Cloud Management Extension (CME) and see its status directly in the GUI.

CME enables cloud-native integration between Check Point CloudGuard Network solutions and Cloud platforms.

CME runs as a service on Smart-1 Cloud. It continuously monitors CloudGuard Network solutions deployed in Azure and Amazon Web Services (AWS) and keeps the Security Management configuration synchronized with them.

Limitations:

  • The GUI does not support the Google Cloud Platform (GCP).

  • The GUI does not support the configuration of custom scripts on the Security Gateway.

How to enable CME in Smart-1 Cloud

  1. In the Quantum Smart-1 Cloud view in the Infinity portal, go to Settings > CME Configuration.

  2. In General Information, click CME Status to turn it On. The CME management name shows in the box below.

Add an account

  1. To add an account, click Accounts (Controllers).

  2. Click New. The Add Account window opens.

  3. Give the account a name.

  4. In the Vendor box, select AWS or Azure.

  5. Enter the parameters.

Parameters for AWS

  • Access Key: AWS Access Key ID.

  • Secret Key: AWS Secret Access Key.

  • Regions: The AWS regions in which the gateways are deployed.

  • STS Role: The ARN of the STS role to assume.

  • STS External ID: An optional STS External ID to use when assuming the role in the account.

  • Communities: List of VPN communities that the account can use. The VPN community is used for the Transit Gateway Auto Scaling Group solution.

  • Scans: Enable auto-provisioning of the objects you select.

  • Sub-Accounts: Configure the sub-account properties. The sub-account name must be unique. Enter the Access Key, Secret Key, STS Role, or STS External ID.
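The STS Role and STS External ID rows describe only the CME side; the role in the target AWS account also needs a trust policy that allows CME's principal to assume it. The block below is an added example (not from this page or from Check Point) that builds that trust policy and checks an existing one for the External ID condition, which is what stops a third party that merely knows the role ARN from assuming it (the confused-deputy problem). The ARN and External ID values are constructed placeholders.

```python
"""IAM trust policy for the STS role that CME assumes (added example, not
Check Point code). Placeholders: principal ARN and External ID are constructed."""
import json
from typing import Optional


def build_trust_policy(principal_arn: str, external_id: Optional[str]) -> dict:
    """Trust policy for the target account's role. `principal_arn` is the account
    or user whose Access Key is configured in CME."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        # AssumeRole succeeds only if the caller supplies this exact ExternalId,
        # which is the value entered in the STS External ID box.
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def requires_external_id(policy: dict) -> bool:
    """True only if the policy has at least one Allow sts:AssumeRole statement and
    every such statement is gated by an sts:ExternalId condition."""
    found = False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        found = True
        # Condition is {operator: {key: value}}; collect the keys under every operator.
        keys = {k for block in st.get("Condition", {}).values() for k in block}
        if "sts:ExternalId" not in keys:
            return False
    return found


if __name__ == "__main__":
    policy = build_trust_policy("arn:aws:iam::111111111111:root", "constructed-external-id")
    print(json.dumps(policy, indent=2))
    print("requires external id:", requires_external_id(policy))
```

When the STS External ID box is left empty, the role's trust policy must not carry the condition either, or every AssumeRole call from CME fails.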

Parameters for Azure

  • Application ID: The service principal's application ID, in UUID format.

  • Client Secret: The service principal's client secret value.

  • Directory ID: The service principal's directory (tenant) ID, in UUID format.

  • Subscription ID: The ID of the subscription in which the VMSS resides, in UUID format.

Add Security Gateway Configurations

  1. To add a Security Gateway configuration, on the CME Configuration page, click Gateway Configurations (Templates).

  2. Give the Gateway a Name.

  3. Select the applicable Account for the Gateway.

  4. Select the Gateway Version.

  5. Enter a one-time password.

  6. In Access Control, select the policy to install on the Security Gateway.

  7. Select the checkboxes next to the Access Control and Threat Prevention blades you want to enable on the Security Gateway.

Advanced Configuration

To add support for AWS Transit Gateways, select the Transit Gateway checkbox.

For more information on AWS Transit Gateway, refer to CloudGuard Network for AWS Transit Gateway Deployment Guide.

Parameters for AWS Transit Gateway

  • VPN Community: A VPN Star community in which the VPN Gateway is the center.

  • TGW static routes: Network addresses (CIDR), separated by commas. A static route is created for each address on every Gateway of the Transit Gateway Auto Scaling Group.

  • TGW spoke routes: Spoke CIDRs learned from the TGW over BGP and re-advertised by the Gateways of the TGW Auto Scaling Group to the AWS TGW. Use a comma to separate multiple values.

For more information on CME, see the Cloud Management Extension Administration Guide.

Forwarding Events to SIEM

Event Forwarding is a simple and secure way to export logs. You can forward data, logs, events, and saved application data from a Check Point environment to a SIEM (Security Information and Event Management) provider, such as Splunk, QRadar, or ArcSight. These SIEM providers process large amounts of data, present it for analysis in dashboards, and send notifications.

Forward to SIEM vs. Event Forwarding

Forward to SIEM and event forwarding are used to send event logs to a monitoring system.

Currently, event forwarding supports only Syslog format, while Forward to SIEM supports Syslog, Splunk, LEEF, Generic, LogRhythm and RSA formats.

Forward to SIEM configuration

To access the Forward to SIEM Configuration, from the Smart-1 Cloud home page, select Settings -> Forward to SIEM.

The configuration page shows a table of Forward to SIEM destinations with information for each destination: status, encryption, name, target port, protocol, and format.

Adding a new destination

To add a new destination, on the Forward to SIEM Configuration screen, click New.

Note - You can currently add up to 3 destinations.

The Add Forwarding Destination window opens.

  • Destination name: Enter a unique name for the destination.

  • Destination Server: Enter IP address or FQDN.

    Note - The IP address must be public, because the connection originates from Smart-1 Cloud and the SIEM must be reachable from it.

  • Destination Port: The destination port number.

  • Format: The destination log format. Can be Syslog, CEF, JSON, Splunk, LEEF, Generic, LogRhythm or RSA.

  • Protocol: The destination protocol. Can be TLS over TCP, TCP, or UDP.
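A pre-flight check of a destination against the constraints listed above (unique name, at most 3 destinations, public IP or FQDN, valid port, supported format and protocol) and the mutual-TLS requirement described in the next subsection, as an added example that is not part of Smart-1 Cloud. The field names are this example's own choice; the sample destinations in the usage are constructed.

```python
"""Validate a Forward to SIEM destination before creating it (added example,
not Check Point code). Field names are this example's own."""
import ipaddress
import re
from typing import Dict, List

FORMATS = {"Syslog", "CEF", "JSON", "Splunk", "LEEF", "Generic", "LogRhythm", "RSA"}
PROTOCOLS = {"TLS over TCP", "TCP", "UDP"}
MAX_DESTINATIONS = 3
# Dotted FQDN with a non-numeric top-level label; bare "localhost" does not qualify.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def is_public_ip(text: str) -> bool:
    """True for a globally routable address; RFC 1918, loopback, link-local, CGNAT
    and the documentation ranges are all rejected."""
    try:
        return ipaddress.ip_address(text).is_global
    except ValueError:
        return False


def validate_destination(dest: Dict, existing: List[Dict]) -> List[str]:
    """Return the problems found; entries starting with 'warning:' are advisory."""
    problems: List[str] = []
    if len(existing) >= MAX_DESTINATIONS:
        problems.append(f"at most {MAX_DESTINATIONS} destinations are supported")
    name = dest.get("name")
    if not name:
        problems.append("name is required")
    elif any(d.get("name") == name for d in existing):
        problems.append("name must be unique")
    server = dest.get("server", "")
    if not (is_public_ip(server) or HOSTNAME_RE.match(server)):
        problems.append("server must be a public IP address or an FQDN")
    port = dest.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be 1-65535")
    if dest.get("format") not in FORMATS:
        problems.append("unsupported format")
    protocol = dest.get("protocol")
    if protocol not in PROTOCOLS:
        problems.append("unsupported protocol")
    elif protocol == "TLS over TCP":
        # Mutual authentication is mandatory, so both artifacts are required up front.
        if not dest.get("client_cert_pem"):
            problems.append("TLS requires the signed client certificate")
        if not dest.get("ca_cert_pem"):
            problems.append("TLS requires the CA certificate")
    elif protocol == "UDP":
        problems.append("warning: UDP is unencrypted and unacknowledged; prefer TLS over TCP")
    return problems


def is_acceptable(problems: List[str]) -> bool:
    """Acceptable when nothing but warnings remains."""
    return all(p.startswith("warning:") for p in problems)


if __name__ == "__main__":
    # Constructed sample destinations.
    good = {"name": "splunk-prod", "server": "siem.example.com", "port": 6514,
            "format": "Splunk", "protocol": "TLS over TCP",
            "client_cert_pem": "<signed client cert>", "ca_cert_pem": "<ca cert>"}
    bad = {"name": "splunk-prod", "server": "10.0.0.5", "port": 514,
           "format": "Syslog", "protocol": "TLS over TCP"}
    print(validate_destination(good, []))
    print(validate_destination(bad, [good]))
```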

TLS/SSL over TCP Configuration

We recommend that you export logs over an encrypted connection using TLS. Note that when you use TLS, mutual authentication is mandatory: Smart-1 Cloud presents a client certificate and also verifies the SIEM's server certificate. For mutual authentication, you need these two certificates:

  • The CA certificate (in PEM format) that signed both the client (Smart-1 Cloud side) and server (SIEM side) certificates. The CA certificate can be self-signed.

  • The client certificate.

Procedure:

  • Click the Client Certificate box to download the certificate signing request (CSR).

    Note - Signing the request is done in your organization and is not part of the Smart-1 Cloud service.

  • After you sign the request, click Browse below the Client Certificate box to upload the signed certificate.

    Important - If some time has passed between creating the certificate request and uploading the certificate, you can close the Add New Destination window and open it again later. Fill in all the details, but do not click the Client Certificate box again, because that creates a new request and the certificate you already signed no longer matches it.

    Just click Browse to upload the certificate and continue creating the new destination.

  • Upload the Certificate Authority (CA) certificate.
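The signing step that the page leaves to your organization, as an added example (not part of Smart-1 Cloud or Check Point's tooling): sign the downloaded CSR with your CA by calling openssl from Python, restrict the result to TLS client use, and verify the chain the way the SIEM side will. File names are this example's own. demo_sign() creates a throw-away self-signed CA and a stand-in CSR so the flow runs offline; in practice the CSR is the file you downloaded from the Client Certificate box.

```python
"""Sign the Smart-1 Cloud client CSR with your own CA (added example, not
Check Point code). Requires the openssl binary on PATH."""
import subprocess
import tempfile
from pathlib import Path
from typing import Tuple


def openssl(*args: str) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True)


def make_ca(out_dir: Path, cn: str) -> Tuple[Path, Path]:
    """Self-signed CA (the page allows one); returns (key, cert)."""
    out_dir.mkdir(parents=True, exist_ok=True)
    key, cert = out_dir / "ca.key", out_dir / "ca.pem"
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", str(key),
            "-out", str(cert), "-days", "3650", "-subj", f"/CN={cn}")
    return key, cert


def sign_client_csr(csr: Path, ca_cert: Path, ca_key: Path, out_cert: Path,
                    days: int = 365) -> Path:
    """Issue the client certificate from the CSR. The extension file limits it to
    clientAuth and forbids its use as a CA."""
    ext = out_cert.with_suffix(".ext")
    ext.write_text("basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n")
    openssl("x509", "-req", "-in", str(csr), "-CA", str(ca_cert), "-CAkey", str(ca_key),
            "-CAcreateserial", "-days", str(days), "-sha256", "-extfile", str(ext),
            "-out", str(out_cert))
    return out_cert


def verify_chain(cert: Path, ca_cert: Path) -> bool:
    """What the SIEM does on connect: chain the presented certificate to its trusted CA."""
    r = subprocess.run(["openssl", "verify", "-CAfile", str(ca_cert), str(cert)],
                       capture_output=True, text=True)
    return r.returncode == 0


def has_client_auth_eku(cert: Path) -> bool:
    text = openssl("x509", "-in", str(cert), "-noout", "-text").stdout
    return "TLS Web Client Authentication" in text


def demo_sign() -> dict:
    """Offline run with a constructed CA and a constructed stand-in CSR."""
    with tempfile.TemporaryDirectory() as td:
        d = Path(td)
        ca_key, ca_cert = make_ca(d / "ca", "Example Org Log Forwarding CA")
        # Stand-in for the CSR downloaded from the Client Certificate box.
        openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
                "-keyout", str(d / "client.key"), "-out", str(d / "client.csr"),
                "-subj", "/CN=smart1cloud-forwarder")
        cert = sign_client_csr(d / "client.csr", ca_cert, ca_key, d / "client.pem")
        _, other_ca = make_ca(d / "other", "Unrelated CA")
        return {
            "chains_to_ca": verify_chain(cert, ca_cert),
            "chains_to_unrelated_ca": verify_chain(cert, other_ca),  # must be False
            "client_auth": has_client_auth_eku(cert),
        }


if __name__ == "__main__":
    print(demo_sign())
```

Upload the signed certificate (client.pem here) in the Client Certificate box and the CA certificate (ca.pem) as the CA certificate; per the page, the SIEM's own server certificate must be signed by that same CA, so the SIEM will reject a certificate from any other issuer, which is what the unrelated-CA check above demonstrates.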

Editing the destination

To edit the destination, on the Forward to SIEM Configuration screen select a destination and click Edit.

You can change any one of the destination properties, except the destination name.

Deleting a destination

To delete a destination, on the Forward to SIEM Configuration screen select a destination and click Delete.

Type confirm in the deletion dialog box.

Start, stop or restart a destination

To start, stop, or restart a destination, on the Forward to SIEM Configuration screen select one or more destinations, click More Actions, select the action you want to perform, and click Yes.

  • Stop - Stop sending logs to the destination

  • Start - Start sending logs to the destination

  • Restart - Restart sending logs to the destination

Troubleshooting

If no logs arrive at your SIEM, follow these steps:

Important - For information and updates on Smart-1 Cloud external FQDNs and their associated IP addresses, see sk182699.

  • Make sure that your Security Gateway does not block traffic from the Smart-1 Cloud public FQDN for your region:

    • Ireland: eu-west-1.allowed-ips.checkpoint.com

    • London: eu-west-2.allowed-ips.checkpoint.com

    • N. Virginia: us-east-1.allowed-ips.checkpoint.com

    • Sydney: ap-southeast-2.allowed-ips.checkpoint.com

    • Mumbai: ap-south-1.allowed-ips.checkpoint.com

  • Check that all the details in the configuration are correct.

  • If you use TLS, make sure you are using the correct certificates.

  • Restart the destination.

If the issue persists, contact Check Point Support and open a Service Request.