Using the Settings

Use the Settings tab to learn how to use the Management APIs, set the administrator's password, or migrate an on-premises Security Management Server to Smart-1 Cloud.


It is possible to read information and send commands to the Check Point Management Server. Same as you create objects and Security Policies and deploy them in SmartConsole, you can do the same tasks with APIs.

Service Information:

  • Status: Shows the service status.

  • Service Identifier: Unique service identifier based on the prefix provided in the service creation. When you contact Check Point, you must use this service identifier.

  • Version: Security Management software version.

  • License Status: Active for customers who have purchased a Smart-1 Cloud license or a trial for customers who run in trial mode.

API & SmartConsole


  • Web SmartConsole

  • Instructions for using Installed SmartConsole

  • Streamed SmartConsole


You can migrate your self hosted Security Management to the Smart-1 Cloud environment.

Note - The migration operation overwrites tenant information (the migration process does not merge tenant information).

Cloud Management Extension (CME) Configuration

Smart-1 Cloud lets administrators configure and directly show Cloud Management Extension (CME) status in the GUI.

CME enables cloud-native integration between Check Point CloudGuard Network solutions and Cloud platforms.

As a Service that runs on Smart-1 Cloud, it continuously monitors CloudGuard Network solutions deployed in Azure and Amazon Web Services (AWS) and synchronizes them.


  • The GUI does not support the Google Cloud Platform (GCP).

  • The GUI does not support the configuration of custom scripts on the Security Gateway.

How to enable CME in Smart-1 Cloud

  1. In the Quantum Smart-1 Cloud view in the Infinity portal, go to Settings > CME Configuration.

  2. In General Information, click CME Status, and it turns to On. The CME management name displays in the box below.

Add an account

  1. To add an account, click Accounts (Controllers).

  2. Click New. The Add Account window opens.

  3. Give the account a name.

  4. In the Vendor box, select AWS or Azure.

  5. Enter the parameters.

Parameters for AWS



Access Key

AWS Access Key ID.

Secret Key

AWS Secret Key.


The AWS regions in which the gateways are being deployed.

STS Role

The STS Role ARN of a role to assume.

STS External ID

An optional STS External ID to use when assuming a role in account.


List of VPN communities that the account can use.

VPN community is used for Transit Gateway Auto Scaling Group solution.


Enable auto-provisioning of the objects you select.


Configure the sub-account properties. The sub-account name must be unique.

Enter Access Key Secret Key,STS Role, or STS External ID.

Parameters for Azure



Application ID

The service principal’s application ID in UUID format.

Client Secret

The service principal's client secret value.

Directory ID

The service principal's Directory ID in UUID format.

Subscription ID

The subscription ID where the VMSS resides in UUID format.

Add Security Gateway Configurations

  1. To add Security Gateway configuration, in the CME configuration page, click Gateway Configurations (Templates).

  2. Give the Gateway a Name.

  3. Select the applicable Account for the Gateway.

  4. Select the Gateway Version.

  5. Enter a One time password.

  6. In Access Control, select the policy to install on the Security Gateway.

  7. Select the checkbox near the Access Control and Threat Prevention blades you want to enable on the Security Gateway.

Advanced Configuration

To add support for AWS Transit Gateways, select the Transit Gateway checkbox.

For more information on AWS Transit Gateway, refer to CloudGuard Network for AWS Transit Gateway Deployment Guide.

Parameters for AWS Transit Gateway



VPN Community

A VPN Star community in which the VPN Gateway is the center.

TGW static routes

Enter network addresses (CIDR) separated by a comma to create a static route on each Gateway of the Transit Gateway auto-scaling group.

TGW spoke routes

Spoke CIDR is learned from the TGW over BGP and is re-advertised by the Gateways of the TGW auto-scaling group to the AWS TGW.

Use a comma to separate multiple values.

For more information on CME, see the Cloud Management Extension Administration Guide.

Forwarding Events to SIEM

Event Forwarding is an easy and secure procedure to export logs. You can forward data, logs, events, and saved applications data from a Check Point environment to a SIEM (Security Information and Event Management) provider, such as Splunk, QRadar, or ArcSight. These SIEM providers process large amounts of data and show it for analysis in created dashboards or sent notifications.

Forward to SIEM vs. Event Forwarding

Forward to SIEM and event forwarding are used to send event logs to a monitoring system.

Currently, event forwarding supports only Syslog format, while Forward to SIEM supports Syslog, Splunk, LEEF, Generic, LogRhythm and RSA formats.

Forward to SIEM configuration

To access the Forward to SIEM Configuration, from the Smart-1 Cloud home page, select Settings -> Forward to SIEM.

In the configuration page you see a table with forward to SIEM destinations, and information for the destination, such as status, encryption, name, target port, protocol and format.

Adding a new destination

To add a new destination, on the Forward to SIEM Configuration screen, click New.

Note - It is currently supported to add up to 3 destinations.

The Add Forwarding Destination window opens.

  • Destination name: Enter a unique name for the destination.

  • Destination Server: Enter IP address or FQDN.

    Note - The IP address must be public.

  • Destination Port: The destination port number.

  • Format: The destination log format. Can be Syslog, CEF, JSON, Splunk, LEEF, Generic, LogRhythm or RSA.

  • Protocol: The destination protocol, ca be either TLS over TCP, TCP or UDP

TLS/SSL over TCP Configuration

It is recommended to export logs over an encrypted connection using the TLS protocol. When using TLS, it is important to know that only mutual authentication is allowed. For mutual authentication, you need these two certificates:

  • CA certificate (in PEM format) that signed both the client (Smart-1 Cloud side) and server (SIEM side) certificates. The CA certificate can be self-sign certificate.

  • Client certificate.


  • Click the Client Certificate box to download the certificate request (csr).

    Note: Signing the request is done in your organization and is not part of Smart-1 Cloud services.

  • After you sign the request, click Browse below the Client Certificate box to upload the certificate.

    Important - In case some time has passed between making the certificate request and uploading the certificate, you can close the Add New Destination window, and in a later time open it again, fill all the details but do not click the Client Certificate box again, as this will create a new request.

    Just click Browse to upload the certificate and continue with the new destination creation.

  • Upload the Certificate Authority (CA) certificate.

Editing the destination

To edit the destination, on the Forward to SIEM Configuration screen select a destination and click Edit.

You can change any one of the destination properties, except the destination name.

Deleting a destination

To delete a destination, on the Forward to SIEM Configuration screen select a destination and click: Delete.

Write confirm in the deletion dialog box.

Start, stop or restart a destination

To start, stop or restart destination, on the Forward to SIEM Configuration screen select a destination or multiple destinations, click More Actions, and select the action you want to perform, and select Yes.

  • Stop - Stop sending logs to the destination

  • Start - Start sending logs to the destination

  • Restart - Restart sending logs to the destination


If no logs arrive to your SIEM, follow these steps:

  • Make sure that your Security Gateway does not block traffic from the Smart-1 Cloud. public FQDN:




  • Check that all the details in the configuration are correct.

  • If you use TLS, make sure you are using the correct certificates.

  • Restart the destination.

If the issue persist, contact Check Point support and open a Service Request.