Using the Settings

Use the Settings tab to learn how to use Management APIs, set the administrator's password, or migrate an on-premises Security Management Server to Smart-1 Cloud.

General

Note - You can interact with the Security Management Server through APIs to perform the same tasks available in SmartConsole, such as creating objects, defining Security Policies, and deploying configurations.

Service Information:

  • Status: The current service status.

  • Service Identifier: The unique service identifier based on the prefix provided during the service creation. When you contact Check Point, you must use this service identifier.

  • Version: The current Security Management Server version.

  • License: Shows "active" for the purchased Smart-1 Cloud license or "trial" for the evaluation license.

  • Expires: Shows the number of days before license expiration.

API & SmartConsole

SmartConsole:

  • Web SmartConsole

  • Instructions for using Installed SmartConsole

  • Streamed SmartConsole

Migrate

You can migrate your self-hosted Security Management Server to the Smart-1 Cloud environment.

Note - The migration operation overwrites tenant information and does not merge existing tenant data.

CloudGuard Network Configuration

Smart-1 Cloud lets administrators configure CloudGuard Network in the GUI.

Limitations:

  • The GUI does not support the Oracle Cloud Infrastructure (OCI).

How to enable CloudGuard Network in Smart-1 Cloud

In the Quantum Smart-1 Cloud view in the Infinity portal, go to Settings > Advanced > CloudGuard Network.

Add an account

  1. To add an account, on the corresponding cloud provider tile, click Add account.

    The CME Account window opens.

  2. Give the account a name.

  3. In the Platform drop-down list, select AWS, GCP, or Azure.

  4. Enter the parameters.

  5. Click OK to save the changes.

Parameters for AWS

  • Access Key ID: AWS Access Key ID. This parameter is mandatory.

  • Secret Access Key: AWS Secret Key. This parameter is mandatory.

  • Regions: The AWS regions in which the Security Gateways are being deployed.

  • STS Role: The Amazon Resource Name (ARN) of an IAM role to assume.

  • STS External ID: An optional STS External ID to use when assuming an IAM role in the account.

  • Scan Gateway Load Balancer subnets: Enable to scan Gateway Load Balancer subnets.

  • Synchronize VPN: Enable to synchronize VPN.

  • Sub Accounts: Add new sub accounts or configure properties of existing sub accounts. The sub-account name must be unique. Enter STS Role or STS External ID.

Parameters for Azure

  • Application ID: The service principal's application ID in UUID format.

  • Client Secret: The service principal's client secret value.

  • Directory ID: The service principal's Directory ID in UUID format.

  • Subscription ID: The subscription ID where the VMSS resides, in UUID format.

  • Azure Environment: Select the environment in the drop-down list. The default value is "Azure Cloud".

Parameters for GCP

  • Service Account Key Authentication: Download a public service account key file in JSON format.

Add Security Gateway configuration template

  1. To add a Security Gateway configuration template to the account, on the corresponding cloud provider tile, click Add template.

    The CME Template window opens.

    Gateway Configuration Template window

  2. Give the Security Gateway configuration template a name.

  3. In the Gateway Settings section, in the Account drop-down list, select the applicable Account.

  4. Select the Security Gateway version.

  5. Enter a one-time password.

  6. Confirm the one-time password.

  7. On the Network Security and Threat Prevention tabs, select the checkboxes for the blades you want to enable on the Security Gateway.

  8. In the CME Attributes section, select the policy to install on the Security Gateway.

    Note - To add support for AWS Transit Gateways to the AWS account, configure the parameters below in the CME Attributes section.

    Parameters for AWS Transit Gateway

    • VPN Domain: A VPN Domain.

    • VPN Community: A VPN Star community where the VPN Gateway is the center.

    • TGW Static Routes: Enter network addresses (CIDR) to create a static route on each Gateway of the Transit Gateway auto-scaling group.

    • TGW Static Spokes: Spoke CIDR is learned from the TGW over BGP and is re-advertised by the Gateways of the TGW auto-scaling group to the AWS TGW.

    For more information on AWS Transit Gateway, refer to CloudGuard Network for AWS Transit Gateway Deployment Guide.

    Note - To add IPv6 support to the Azure account, select the IPv6 checkbox in the CME Attributes section.

  9. Provide the repository script name and parameters if necessary.

  10. In the Logs section, add log servers.

  11. Click OK to save the changes.

Forwarding Events to SIEM

Event forwarding is an easy and secure procedure to export logs. You can forward logs, events, and saved applications data from the Check Point environment to a Syslog server or a SIEM (Security Information and Event Management) provider such as Splunk, QRadar, or ArcSight. These SIEM providers process large amounts of data and then display it on dashboards for analysis or send notifications.

Forward to SIEM configuration

To access the Forward to SIEM Configuration, from the Smart-1 Cloud home page, select Settings > Advanced > Forward to SIEM.

The configuration page shows a table of Forward to SIEM destinations with information for each destination, such as status, encryption, name, target port, protocol, and format.

Adding a new destination

To add a new destination, on the Forward to SIEM Configuration screen, click New.

Note - You can currently add up to 3 destinations.

The Add Forwarding Destination window opens.

  • Destination name: Enter a unique name for the destination.

  • Destination Server: Enter IP address or FQDN.

    Note - The IP address must be public.

  • Destination Port: The destination port number.

  • Format: The destination log format. Can be Syslog, CEF, JSON, Splunk, LEEF, Generic, LogRhythm, or RSA.

  • Protocol: The destination protocol. Can be TLS over TCP, TCP, or UDP.

TLS/SSL over TCP Configuration

It is recommended to export logs over an encrypted connection using the TLS protocol. When using TLS, it is important to know that only mutual authentication is allowed. For mutual authentication, you need these two certificates:

  • The Certificate Authority (CA) certificate (in PEM format) that signs both the client (Smart-1 Cloud side) and the server (SIEM side) certificates. The CA certificate can be a self-signed certificate.

  • Client certificate.

Procedure:

  • Click the Client Certificate box to download the Client certificate sign request (cp_client.csr).

    Note - Signing the request is done in your organization and is not part of Smart-1 Cloud services.

  • After you sign the request, click Browse below the Client Certificate box to upload the signed certificate.

    Important - If it takes time to obtain the signed certificate for upload, you can close the Add Forwarding Destination window. Open it again later when you have the signed certificate, fill in all the details, and just click Browse to upload the certificate.

    You do not need to click the Client Certificate box again, because this will create a new sign request.

  • Upload the CA certificate.
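The signing step that the procedure leaves to your organization, as an added example that is not part of the Smart-1 Cloud documentation: it creates a self-signed CA (which the text allows), signs a client CSR as a TLS client certificate, and verifies that the result chains to that CA and carries the clientAuth extended key usage. The CSR generated here is a constructed stand-in for the real cp_client.csr; to sign the downloaded request, copy it to $WORK/cp_client.csr and skip make_stub_csr.

```shell
#!/bin/sh
# Added example (not Check Point's code): sign the Smart-1 Cloud client CSR with
# an organization CA and verify the chain. Requires the openssl CLI.
set -eu

# Working directory for keys and certificates (assumption: a scratch directory).
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA standing in for your organization's CA. The same CA must sign
# both the client (Smart-1 Cloud) and the server (SIEM) certificates.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Org SIEM CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Constructed stand-in for cp_client.csr downloaded from the Add Forwarding
# Destination window (the real CSR comes from Smart-1 Cloud, not from here).
make_stub_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=smart1cloud-forwarder" \
    -keyout "$WORK/cp_client.key" -out "$WORK/cp_client.csr" 2>/dev/null
}

# Sign the CSR as a client certificate: restrict the EKU to clientAuth so the
# certificate cannot be reused as a server certificate.
sign_client_csr() {
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/cp_client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/client.ext" \
    -out "$WORK/cp_client.pem" 2>/dev/null
}

# Check the signed certificate chains to the CA for the TLS client purpose,
# which is what the SIEM side will verify during mutual authentication.
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$WORK/cp_client.pem" >/dev/null 2>&1
}

# Succeed only if the certificate actually carries the clientAuth EKU.
has_client_auth() {
  openssl x509 -in "$WORK/cp_client.pem" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Client Authentication'
}

# End-to-end run: CA, stub CSR, signing, then both checks.
run_all() {
  make_ca && make_stub_csr && sign_client_csr && verify_client_cert && has_client_auth
}

run_all && echo "Signed client certificate written to $WORK/cp_client.pem"
```

Upload $WORK/cp_client.pem under Browse below the Client Certificate box and $WORK/ca.pem as the CA certificate.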

Edit the destination

To edit the destination, on the Forward to SIEM page, select a destination and click Edit.

You can change all destination properties except for the destination name.

Delete the destination

To delete a destination, on the Forward to SIEM page, select a destination and click Delete.

Type confirm in the deletion dialog box.

Start, stop, or restart the destination

To start, stop, or restart sending logs to the destination, on the Forward to SIEM page, select a destination, click More Actions, and select the action you want to perform:

  • Stop Forwarding - Stop sending logs to the destination

  • Start Forwarding - Start sending logs to the destination

  • Restart Forwarding - Restart sending logs to the destination

Troubleshooting

If no logs arrive at your SIEM, follow these steps:

Important - For information and updates on Smart-1 Cloud external FQDNs and their associated IP addresses, see sk182699.

  • Make sure that your Security Gateway does not block traffic from the Smart-1 Cloud public FQDN:

    • Ireland: eu-west-1.allowed-ips.checkpoint.com

    • London: eu-west-2.allowed-ips.checkpoint.com

    • N. Virginia: us-east-1.allowed-ips.checkpoint.com

    • Sydney: ap-southeast-2.allowed-ips.checkpoint.com

    • Mumbai: ap-south-1.allowed-ips.checkpoint.com

  • Check if all the details in the configuration are correct.

  • If you use TLS, make sure you are using the correct certificates.

  • Restart the destination.

If the issue persists, contact Check Point support and open a Service Request.