Using the Settings

Use the Settings tab to learn how to use the Management APIs, set the administrator's password, or migrate an on-premises Security Management Server to Smart-1 Cloud.

General

It is possible to read information and send commands to the Check Point Management Server. Same as you create objects and Security Policies and deploy them in SmartConsole, you can do the same tasks with APIs.

From the Smart-1 Cloud home page, select Settings > General.

The Management API page shows the web request structure at this time.

To copy these details to a clipboard, click on the clipboard button.

For more information, see Check Point Management API Reference.

To update the period, it is required to keep the logs:

  1. On the Smart-1 Cloud home page, select Settings > General.

  2. Click on Log Server Settings.

  3. In the DESIRED LOG RETENTION PERIOD enter number of months.

Logs are deleted after the defined period. If available storage cannot keep the desired log retention period, a notification is sent to your email.

  1. On the Smart-1 Cloud home page, select Settings > General.

  2. Below Management Administration, click Restart Service.

    The Restart Environment Confirmation window opens.

  3. Follow the instruction on the Restart Service Confirmation window.

  4. Click Restart.

Migrate

Note - The migration operation overwrites tenant information (the migration process does not merge tenant information).

Smart-1 Cloud lets administrators to import configurations from an on-premises Management Server to Smart-1 Cloud.

Migration to Smart-1 Cloud is only supported from the Security Management Server R80.20 and higher.

To migrate an on-premises Security Management Server to Smart-1 Cloud:

  1. On the Smart-1 Cloud home page, select Settings > Migrate.

  2. Download the migration tool. If you want to migrate an on-premises Security Management to the cloud, use the migration tools provided in the portal.

  3. On the on-premises Security Management, run export.

  4. Upload the export file to the portal.

    Important - The migration process may take a while. During the import process, you do not have access to the Smart-1 Cloud application.

    When the import finishes, an email is sent to you and the service is unlocked.

  5. When the migration completes successfully, in Smart-1 Cloud navigate to Connect Gateway.

  6. Click the plus + below the existing gateway and select the gateway you want to connect and follow the instructions.

  7. Starting from R80.40 Jumbo Hotfix Accumulator Take 89, it s not necessary to reset SIC on your Security Gateways. Make sure all these conditions are met and install the policy before starting the export procedure:

    • Management Server must have version R80.40 Jumbo Hotfix Accumulator Take 89 or higher installed.

    • Quantum Security Gateways must have version R80.40 Jumbo Hotfix Accumulator Take 89 or higher installed.

    • Quantum Spark and Quantum Edge Gateways must have version R80.20.40 or higher installed.

    For Security Gateways that run lower versions, you must reset the SIC on the gateway before initializing the communication from SmartConsole to the Security Gateway (learn more how to reset SIC on the Security Gateway from sk65764).

Cloud Management Extension (CME) Configuration

Smart-1 Cloud lets administrators configure and directly show Cloud Management Extension (CME) status in the GUI.

CME enables cloud-native integration between Check Point CloudGuard Network solutions and Cloud platforms.

As a Service that runs on Smart-1 Cloud, it continuously monitors CloudGuard Network solutions deployed in Azure and Amazon Web Services (AWS) and synchronizes them.

Limitations:

  • The GUI does not support the Google Cloud Platform (GCP).

  • The GUI does not support the configuration of custom scripts on the Security Gateway.

How to enable CME in Smart-1 Cloud

  1. In the Quantum Smart-1 Cloud view in the Infinity portal, go to Settings > CME Configuration.

  2. In General Information, click on CME Status, and it turns to On. The CME management name displays in the box below.

Add an account

  1. To add an account, click Accounts (Controllers).

  2. Click New. The Add Account window opens.

  3. Give the account a name.

  4. In the Vendor box, select AWS or Azure.

  5. Enter the parameters.

Parameters for AWS

Parameter

Description

Access Key

AWS Access Key ID.

Secret Key

AWS Secret Key.

Regions

The AWS regions in which the gateways are being deployed.

STS Role

The STS Role ARN of a role to assume.

STS External ID

An optional STS External ID to use when assuming a role in account.

Communities

List of VPN communities that the account can use.

VPN community is used for Transit Gateway Auto Scaling Group solution.

Scans

Enable auto-provisioning of the objects you select.

Sub-Accounts

Configure the sub-account properties. The sub-account name must be unique.

Enter Access Key Secret Key,STS Role, or STS External ID.

Parameters for Azure

Parameter

Description

Application ID

The service principal’s application ID in UUID format.

Client Secret

The service principal's client secret value.

Directory ID

The service principal's Directory ID in UUID format.
Subscription ID

The subscription ID where the VMSS resides in UUID format.

Add Security Gateway Configurations

  1. To add Security Gateway configuration, in the CME configuration page, click Gateway Configurations (Templates).

  2. Give the Gateway a Name.

  3. Select the applicable Account for the Gateway.

  4. Select the Gateway Version.

  5. Enter a One time password.

  6. In Access Control, select the policy to install on the Security Gateway.

  7. Select the checkbox near the Access Control and Threat Prevention blades you want to enable on the Security Gateway.

Advanced Configuration

To add support for AWS Transit Gateways, select the Transit Gateway checkbox.

For more information on AWS Transit Gateway, refer to CloudGuard Network for AWS Transit Gateway Deployment Guide.

Parameters for AWS Transit Gateway

Parameter

Description

VPN Community

A VPN Star community in which the VPN Gateway is the center.

TGW static routes

Enter network addresses (CIDR) separated by a comma to create a static route on each Gateway of the Transit Gateway auto-scaling group.

TGW spoke routes

Spoke CIDR is learned from the TGW over BGP and is re-advertised by the Gateways of the TGW auto-scaling group to the AWS TGW.

Use a comma to separate multiple values.

For more information on CME, see the Cloud Management Extension Administration Guide.

Forwarding Events to SIEM

Event Forwarding is an easy and secure procedure to export logs. You can forward data, logs, events, and saved applications data from a Check Point environment to a SIEM (Security Information and Event Management) provider, such as Splunk, QRadar, or ArcSight. These SIEM providers process large amounts of data and show it for analysis in created dashboards or sent notifications.

Forward to SIEM vs. Event Forwarding

Forward to SIEM and event forwarding are used to send event logs to a monitoring system.

Currently, event forwarding supports only Syslog format, while Forward to SIEM supports Syslog, Splunk, LEEF, Generic, LogRhythm and RSA formats.

Forward to SIEM configuration

To access the Forward to SIEM Configuration, from the Smart-1 Cloud home page, select Settings -> Forward to SIEM.

In the configuration page you see a table with forward to SIEM destinations, and information for the destination, such as status, encryption, name, target port, protocol and format.

Adding a new destination

To add a new destination, on the Forward to SIEM Configuration screen, click New.

Note - It is currently supported to add up to 3 destinations.

The Add Forwarding Destination window opens.

  • Destination name: Enter a unique name for the destination.

  • Destination Server: Enter IP address or FQDN.

    Note - The IP address must be public.

  • Destination Port: The destination port number.

  • Format: The destination log format. Can be Syslog, CEF, JSON, Splunk, LEEF, Generic, LogRhythm or RSA.

  • Protocol: The destination protocol, ca be either TLS over TCP, TCP or UDP

TLS/SSL over TCP Configuration

It is recommended to export logs over an encrypted connection using the TLS protocol. When using TLS, it is important to know that only mutual authentication is allowed. For mutual authentication, you need these two certificates:

  • CA certificate (in PEM format) that signed both the client (Smart-1 Cloud side) and server (SIEM side) certificates. The CA certificate can be self-sign certificate.

  • Client certificate.

Procedure:

  • Click the Client Certificate box to download the certificate request (csr).

    Note: Signing the request is done in your organization and is not part of Smart-1 Cloud services.

  • After you sign the request, click on Browse below the Client Certificate box to upload the certificate.

    Important - In case some time has passed between making the certificate request and uploading the certificate, you can close the Add New Destination window, and in a later time open it again, fill all the details but do not click the Client Certificate box again, as this will create a new request.

    Just click on Browse to upload the certificate and continue with the new destination creation.

  • Upload the Certificate Authority (CA) certificate.

Editing the destination

To edit the destination, on the Forward to SIEM Configuration screen select a destination and click Edit.

You can change any one of the destination properties, except the destination name.

Deleting a destination

To delete a destination, on the Forward to SIEM Configuration screen select a destination and click: Delete.

Write confirm in the deletion dialog box.

Start, stop or restart a destination

To start, stop or restart destination, on the Forward to SIEM Configuration screen select a destination or multiple destinations, click on More Actions, and select the action you want to perform, and select Yes.

  • Stop - Stop sending logs to the destination

  • Start - Start sending logs to the destination

  • Restart - Restart sending logs to the destination

Troubleshooting

If no logs arrive to your SIEM, follow these steps:

  • Make sure that your Security Gateway does not block traffic from the Smart-1 Cloud. public FQDN:

    • eu-west-1.g04.checkpoint.com

    • us-east-1.g04.checkpoint.com

    • ap-southeast-2.g04.checkpoint.com

  • Check that all the details in the configuration are correct.

  • If you use TLS, make sure you are using the correct certificates.

  • Restart the destination.

If the issue persist, contact Check Point support and open a Service Request.