Configuring Plans
-
In the left navigation tree, click Plans.
-
From the top toolbar, click New.
-
In the Create New Plan window, enter the applicable information:
-
Name
-
Optional: Description
-
-
Click Next.
-
Select the checkboxes for Services that the connected Quantum Spark Gateways need to use:
Service
Description
Store gateway logs
Enable cloud storage of security logs.
Send periodic reports
Enable periodic report sending to Gateway owners. These reports include security and network analysis.
Firmware upgrades
Support for firmware upgrades.
Dynamic DNS
Enable support for Dynamic DNS services.
Send cloud notifications / Enable events
Configure notification sending to recipients.
Requires the Quantum Spark appliance to run the firmware R81.10.10 or higher.
Enable assets data
Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Enable internet monitoring
Monitor Internet connections.
Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Enable VPN monitoring
Monitor VPN tunnels.
Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Enable System monitoring
Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
-
Click Next.
-
Select the checkboxes for the Software Blades that the connected Quantum Spark Gateways need to use:
-
Firewall
-
Application Control and URL Filtering
-
IPS
-
Traditional Anti-Virus
-
Anti-Spam
-
QoS
-
Remote Access VPN
-
Site to Site VPN
-
User Awareness
-
Anti-Virus
-
Anti-Bot
-
IoT Protection is enabled
Note - Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
-
SD-WAN
Note - Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Note - Changing this configuration is possible only after the Plan is created.
-
-
Click Finish.
-
Click the plan name and configure all applicable settings.
-
In the left navigation tree, click Plans.
-
Click the plan name.
The Plan Edit page opens.
-
Configure the settings for the plan.
Section 'General'
Here you can configure these settings:
-
Enabled
Important - If you disable a plan, you cannot configure Gateways to use it. You cannot disable a plan if it is assigned to Gateways.
-
Allow automatic gateway creation
-
Description
Here you can see these settings:
-
Created
-
Last Modified
-
Registration key
-
Activation key
Section 'Device Settings'
Note - In the top right corner of each page, you can click Copy to Other Plans and select the applicable Plans.
Configures these settings:
Page
Description and Procedure
NTP
Configures the NTP settings:
-
Enable Manage in SMP.
-
In the Primary NTP Server field, enter the IPv4 address or FQDN of the primary NTP server.
-
In the Secondary NTP Server field, enter the IPv4 address or FQDN of the secondary NTP server.
-
In the Update Interval (minutes) field, enter the NTP update interval (default: 30, range: 1 - 999).
-
In the NTP Authentication section, configure the shared secret settings.
-
In the bottom right corner, click Save.
Time Zone
Configures the Time Zone:
-
Enable Manage in SMP.
-
In the Local Time Zone field, select the required timezone.
-
If required, click the toggle Automatically adjust clock for daylight saving changes to enable it.
-
In the bottom right corner, click Save.
Scheduled Reboot
Note - Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Configures the schedule for rebooting the Quantum Spark appliance:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
DNS
Configures the DNS settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Administrators
Configures the administrators:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Self-Serve Portal
Note - Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Configures the allowed modules to manage:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Two Factor Authentication
Configures the Two-Factor Authentication for all administrators:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Users
Note - Requires the Quantum Spark appliance to run the firmware R81.10.05 and higher.
Configures the local users.
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Local Network
Configures the local network "pools" to manage local networks for specific interfaces:
-
Configure the required settings.
-
In the bottom right corner, click Save.
Internet Monitoring Settings
Note - Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Configures how to monitor the Internet connections (the probing destinations and the link parameters):
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Personalization
Note - Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Configures:
-
The logo image for WebUI that appears:
-
On the login page
-
In the top right corner
-
-
The background color (the color theme) of the top section of WebUI
-
The branding name (the title) for WebUI that appears:
-
On the login page
-
In the top left corner
-
Possible scenarios and workflows:
None of the Quantum Spark Gateways needs a logo
-
Do not upload a logo to the Infinity Portal account.
-
There is nothing else to do.
Some Quantum Spark Gateways in a Plan need a logo
-
Upload a logo to the Infinity Portal account.
-
In the applicable Gateways:
-
Click Unlocked to plan to override the settings configured in the assigned plan.
-
Enable Manage in SMP.
-
Enable Personalization.
-
Optional: Select the Color theme.
-
Optional: Configure the Title.
-
Optional: Configure the Subtitle.
-
Click Save in the bottom right corner of this page.
-
Most of the Quantum Spark Gateways in a Plan need a logo
-
Upload a logo to the Infinity Portal account.
-
In the left navigation tree, click Plans.
-
Edit the applicable plan.
-
Open the section Device Settings.
-
Click the Personalization page.
-
Enable Manage in SMP.
-
Enable Personalization.
-
Optional: Select the Color theme.
-
Optional: Configure the Title.
-
Optional: Configure the Subtitle.
-
Click Save in the bottom right corner of this page.
-
In the left navigation tree, click Gateways.
-
Edit the Gateways, on which you do not want to add the logo:
-
Click Locked to plan to override the settings configured in the assigned plan.
-
Enable Manage in SMP.
-
Disable Personalization.
-
Click Save in the bottom right corner of this page.
-
All Quantum Spark Gateways in a Plan need a logo
-
Upload a logo to the Infinity Portal account.
-
In the left navigation tree, click Plans.
-
Edit the applicable plan.
-
Open the section Device Settings.
-
Click the Personalization page.
-
Enable Manage in SMP.
-
Enable Personalization.
-
Optional: Select the Color theme.
-
Optional: Configure the Title.
-
Optional: Configure the Subtitle.
-
Click Save in the bottom right corner of this page.
Section 'Security Software Blades'
Note - In the top right corner of each page, you can click Copy to Other Plans and select the applicable Plans.
Configures the settings for the enabled Software Blades:
Page
Description and Procedure
SD-WAN
Note - Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Configures the SD-WAN settings:
-
Enable Manage in SMP.
-
Enable SD-WAN.
-
Configure the applicable settings based on the Quantum SD-WAN Administration Guide.
-
In the bottom right corner, click Save.
Firewall
Configures the Firewall settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Access Policy
Important - Read the explanations and limitations in sk118035.
Configures the Access Policy rules:
-
Enable Manage in SMP.
-
In the Outgoing access to the Internet section:
-
Configure the required rules in the Pre local rules section.
-
Configure the required rules in the Post local rules section.
Note - The Quantum Spark Gateway enforces the rules in this order:
-
"Pre local rules" configured in Quantum Spark Management (appear as read-only on the Quantum Spark Gateway)
-
Local rules configured on the Quantum Spark Gateway
-
"Post local rules" configured in Quantum Spark Management (appear as read-only on the Quantum Spark Gateway)
-
-
In the Incoming, Internal and VPN traffic section:
-
Configure the required rules in the Pre local rules section.
-
Configure the required rules in the Post local rules section.
Note - The Quantum Spark Gateway enforces the rules in this order:
-
"Pre local rules" configured in Quantum Spark Management (appear as read-only on the Quantum Spark Gateway)
-
Local rules configured on the Quantum Spark Gateway
-
"Post local rules" configured in Quantum Spark Management (appear as read-only on the Quantum Spark Gateway)
-
-
In the bottom right corner, click Save.
IoT
Note - Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Configures the IoT Policy settings:
-
Enable Manage in SMP.
-
Enable IoT Protection is enabled.
-
Click Advanced policy settings > select the applicable option for DNS servers to trust > click Close.
-
Select the applicable IoT Policy:
-
Check Point Recommended IoT policy.
-
Custom IoT Policy
To add a custom rule, click New and follow the wizard.
-
-
In the bottom right corner, click Save.
Applications and URLs
Configures the Application Control and URL Filtering settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
IPS
Configures the IPS settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Traditional Anti-Virus
Configures the Traditional Anti-Virus settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Anti-Spam
Configures the Anti-Spam settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
QoS
Configures the QoS settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Remote Access
Configures the Remote Access VPN settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Site to Site VPN
Configures the Site to Site VPN settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
User Awareness
Configures the User Awareness settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Anti-Virus
Configures the Anti-Virus settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Anti-Bot
Configures the Anti-Bot settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Threat Emulation
Configures the Threat Emulation settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Threat Prevention
Note - Applies only to Anti-Virus, Anti-Bot, and Threat Emulation on 1400 / 1200R / 1100 / 900 / 700 / 600 appliances.
Configures the Threat Prevention settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Unified Threat Prevention
Note - Applies only to Anti-Virus, Anti-Bot, IPS, and Threat Emulation on 2000 / 1900 / 1800 / 1600 / 1500 appliances.
Configures the Unified Threat Prevention settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
Threat Prevention Exceptions
Configures the Threat Prevention Exceptions:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
SSL Inspection
Configures the SSL Inspection settings:
-
Enable Manage in SMP.
-
Configure the required settings.
-
In the bottom right corner, click Save.
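Added example (not part of the original guide and not Check Point code): the Access Policy page above states that the Gateway enforces "Pre local rules", then local rules, then "Post local rules". The Python code below merges the three layers in that order and reports rules that can never take effect because an earlier rule already matches the same traffic; the first-match evaluation, the rule fields, and all rule names and addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    layer: str            # "pre", "local" or "post"
    name: str             # hypothetical rule name
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    port: Optional[int]   # None means any port
    action: str           # "accept" or "block"


def effective_order(pre: List[Rule], local: List[Rule], post: List[Rule]) -> List[Rule]:
    """Order stated on the page: pre local rules, local rules, post local rules."""
    return list(pre) + list(local) + list(post)


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet that matches `later` also matches `earlier`."""
    if earlier.port is not None and earlier.port != later.port:
        return False
    return (ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst)))


def shadowed(rules: List[Rule]) -> List[Tuple[str, str, bool]]:
    """Return (shadowed rule, first covering rule, actions conflict?) tuples."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name, earlier.action != later.action))
                break
    return findings


def decide(rules: List[Rule], src: str, dst: str, port: int) -> Optional[Tuple[str, str]]:
    """First matching rule wins (assumption); None if no rule matches."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.port in (None, port)):
            return (r.action, r.name)
    return None


# Constructed sample policy: two layers pushed from management, one set on the Gateway.
PRE = [Rule("pre", "smp-block-telnet", "0.0.0.0/0", "0.0.0.0/0", 23, "block")]
LOCAL = [
    Rule("local", "local-allow-telnet-lab", "192.168.1.0/24", "10.0.0.5/32", 23, "accept"),
    Rule("local", "local-allow-web", "192.168.1.0/24", "0.0.0.0/0", 443, "accept"),
]
POST = [
    Rule("post", "smp-block-guest-web", "192.168.1.128/25", "0.0.0.0/0", 443, "block"),
    Rule("post", "smp-cleanup", "0.0.0.0/0", "0.0.0.0/0", None, "block"),
]
RULES = effective_order(PRE, LOCAL, POST)

if __name__ == "__main__":
    for name, by, conflict in shadowed(RULES):
        kind = "CONFLICT" if conflict else "redundant"
        print(f"{kind}: {name} never fires, covered by {by}")
    print(decide(RULES, "192.168.1.200", "203.0.113.10", 443))
```

Under this first-match assumption, a local rule can pre-empt a "Post local rule", so a centrally required block that Gateway owners must not override belongs in "Pre local rules".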
Section 'Services'
Note - In the top right corner of each page, you can click Copy to Other Plans and select the applicable Plans.
Page 'Managed Services':
Configures these settings on the connected Quantum Spark Gateways:
Service
Description
Store gateway logs
Storing the security logs in the cloud.
Send periodic reports
Sending periodic reports from the cloud to the configured Gateway owners.
These reports contain security and network analysis.
Firmware upgrades
Support for firmware upgrades.
Backup
Support for periodic backups of the appliance settings.
Dynamic DNS
Support for Dynamic DNS services.
Send cloud notifications / Enable events
Sending of notifications to the configured recipients.
Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Notes:
-
If you disabled the cloud notifications, and you wish to get events, review the notifications topic under: Services -> Notifications, and make sure that you have defined which notifications you wish to receive.
-
If you do not wish to receive any notification, disable all notifications and disable the Send to owner and Send to additional emails toggle switches.
-
To see the events, go to Logs & Events -> Events.
Enable assets data
Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Enable internet monitoring
Support for monitoring the Internet connections.
Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Enable VPN monitoring
Support for monitoring the VPN tunnels.
Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Enable System monitoring
Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
Page 'Firmware':
Configures these settings on the connected Quantum Spark Gateways:
-
Which firmware to install
-
The firmware installation schedule
Page 'Backup':
Configures these settings on the connected Quantum Spark Gateways:
-
Where to store the backup
-
The backup schedule
Page 'Reports':
Configures these settings on the connected Quantum Spark Gateways:
-
Which reports to send
-
The report schedule
Page 'Notifications':
Configures these settings on the connected Quantum Spark Gateways:
-
For which events to generate an email with notification
-
To which recipients to send this email
Section 'VPN'
Note - In the top right corner of each page, you can click Copy to Other Plans and select the applicable Plans.
Configures the VPN Communities, in which the connected Quantum Spark Gateways must participate.
Section 'Setup'
Note - In the top right corner of each page, you can click Copy to Other Plans and select the applicable Plans.
Page 'Administrator Access':
Configures the allowed source IP addresses for the Web (HTTPS) and SSH access to the connected Quantum Spark Gateways.
Page 'Gateways Behind NAT':
Configures the required NAT settings on the connected Quantum Spark Gateways if they connect to the Internet through a NAT device.
Section 'CLI Scripts'
Note - In the top right corner of each page, you can click Copy to Other Plans and select the applicable Plans.
Configures scripts with Gaia Clish commands to be executed on the connected Quantum Spark Gateways.
-
-
In the bottom right corner, click Save.
-
In the left navigation tree, click Plans.
-
In the top Search field, enter the applicable text to filter the plans by their name.
-
From the top toolbar, click the funnel icon.
In the filter panel on the right, enter or select the applicable dates for Creation Date and Modification Date.
To close this panel, click the funnel icon again.
-
In the left navigation tree, click Plans.
-
Select the Plan you want to clone.
-
From the top toolbar, click Clone.
-
In the Create New Plan window, configure a new name for the Plan:
-
Name
-
Optional: Description
-
-
Click Finish.
-
In the left navigation tree, click Plans.
-
Select the checkboxes for the Plans you want to delete.
-
From the top toolbar, click Delete Plan.
-
When prompted, click OK to delete the Plan.
-
In the left navigation tree, click Plans.
-
Select the checkboxes for the Plans you want to export.
-
From the top menu bar, click To Excel.
-
After the file is created, in the bottom-left corner, click the down arrow and select Click to download.
The file is downloaded to your Downloads folder.
Adding Gateways
-
From the left navigation toolbar, click Gateways.
-
Click New.
-
Enter a Name or click Generate for a system generated name.
-
For Type, select Small Office Appliance.
-
Clear the check box for Managed by SMP to create this Gateway as an externally managed Gateway.
Note - Externally managed Gateways are used only as a center of a star VPN community.
-
Select a Plan from the list. By default, the Gateway inherits its default settings from this plan.
-
The Registration Key field shows an automatically generated Registration Key. You can enter a Registration Key or click Generate to generate a new Registration Key.
-
Optional: Enter a new name for Owner ID. Click Search to find an existing user or click New to create a new user.
-
Complete the wizard instructions.
-
Click Finish.
After the Gateway is created, the Gateway owner receives an email with an activation link and the registration key.
The activation key has three parts:
-
SMP IP Address / DNS
-
<Gateway Name, Service Domain>
-
Registration Key (first auto generated, then set by the owner)
If there is no object name, it appears as "-" in the activation key. The object is automatically created and the name appears in the activation key when the Gateway tries to connect.
-
From the left navigation toolbar, click Plans.
-
Click a plan name. The Plan Edit page opens.
-
Select Allow automatic gateway creation.
-
Set or generate a Registration Key.
-
Save.
-
Gateways that use the on-screen Registration Key are automatically connected to the SMP and managed by this plan. There is no need to create a Gateway object (in the SMP) before the activation.
You can send the activation key to all the Gateways that you want to connect through this plan.
The email with the activation link also contains information on how to connect the Appliance:
-
If the Appliance is set up - When the Gateway owner clicks the link, the login window to the WebUI application opens. After the owner logs in, the Cloud Services page opens and shows the activation details. The owner confirms the details and establishes a connection with the SMP.
-
If the Appliance is not set up - When the Gateway owner clicks the link, it opens the First Time Configuration Wizard. After the wizard is completed, the Cloud Services page opens and shows the activation details. The owner confirms the details and establishes a connection with the SMP.
-
If Cloud Services is already activated in the Appliance - When the Gateway owner clicks the link, the login window opens. After the owner logs in, the Cloud Services page opens and shows the activation details. The owner selects one of these options:
-
Clear the current services provider settings and connect to the SMP with the new provider details.
-
Stay connected to the current services provider.
-
-
If the link does not work - The owner logs in to the WebUI > Home > Cloud Services page, manually enters the registration key sent in the email, and connects to the SMP. If the owner did not receive the email, the SMP administrator should send the activation key to the owner to enter it manually.
Important - When an Appliance is behind a NAT device, you must enable the Gateway to communicate with the Quantum Spark Management.
Adding a Cluster of Gateways
With SMP, you can manage Gateways that are part of a High Availability (HA) cluster as if they constitute a single "virtual" Gateway, even though they are in fact two actual Gateways. This way, you have one identical configuration for both Gateways, and avoid the risk of a contradiction between the Gateways' configurations.
When these two Gateways are part of an HA virtual Gateway, they are "invisible" and inaccessible on the SMP. All actions, such as being added to VPN communities, are possible only with the HA virtual Gateway.
The HA feature must be configured on the two Appliances locally, and cannot be configured from the SMP.
To configure HA on Appliances that are planned to be managed by SMP, the Appliances must be defined on the SMP and connected to it before you define the HA on the local Appliance (HA requires SIC configured on it, and the connection to SMP provides the SIC to the Appliance).
-
From the left navigation toolbar, click Gateways > New.
The Create New Gateway window opens.
-
Enter a Name or click Generate for a system generated name.
-
For Type, select Small Office HA.
-
To manage the Gateway through a plan, select a Plan from the list. By default, the Gateway inherits its default settings from this plan.
-
To assign Gateways to the HA, on creation:
-
Enter a user name for Owner ID. Click Search to find an existing user or click New to create a new user.
-
Enter the gateway name for Member 1 and Member 2. Click Search to find an existing gateway or click New to create a new Gateway.
-
Complete the wizard instructions.
-
Click Finish.
-
-
To assign Gateways to the HA, on the HA Status tab:
-
Double-click the gateway name. In the Gateway General tab, click HA Status.
-
For each Member, click Add and select the gateway name, or enter the gateway name and click Save.
Note - Gateways assigned to an HA do not appear in the list of Gateways on the Gateways tab.
-
When you configure the HA, you can only edit the HA object. The changes are applied to the Gateways assigned to this HA.
-
From the left navigation toolbar, click Gateways.
-
Click the Gateway name.
The Gateway Edit page opens.
-
Select a node to edit.
Note - You can only delete an HA Gateway if there are no Gateways assigned to it.
Click the HA Gateway and click Delete.
Configuring Device Settings
The Device Settings page lets you configure these settings for Gateways or a plan:
-
NTP
-
Time Zone
-
DNS
-
Gateway Administrators
Note - The Device Settings page is available from the Gateways and Plans tabs.
NTP
Use an NTP server to configure the Quantum Spark Management to synchronize time settings for specified plans and Gateways.
Note - This feature is only supported on R77.20 and higher Gateways.
-
From the left navigation toolbar, click Plans.
-
Click the plan name.
The Edit page opens.
-
Click Device Settings > NTP.
-
Select Manage in SMP.
-
Enter the host name or IP address for the Primary NTP Server and Secondary NTP Server.
-
In Update Interval, enter the time interval in minutes that Quantum Spark Management contacts the NTP server to update the time settings.
-
Optional - To configure the settings to authenticate to the NTP server, click NTP Authentication and enter the Shared Secret and Shared Secret Identifier.
-
Click Save.
-
From the left navigation toolbar, click Gateways.
-
Click the Gateway name.
The Gateway Edit page opens.
-
Click Device Settings > NTP.
-
If the NTP settings are locked, click Unlock from plan.
-
To stop remote management of the blade, clear Manage in SMP.
-
Configure the NTP settings (see above).
-
Click Save.
Gateway Administrators
The Gateway Administrators page lets you configure the administrator accounts that can log in to the local Gateway.
You must create at least one Gateway administrator with Read-Write permissions to manage these administrators in the SMP.
Note - The first Gateway administrator that you create automatically has Super Admin permissions and cannot be deleted.
After you create a Gateway administrator, you cannot change the password. Instead, delete the administrator and create a new one.
When you use the SMP to manage Gateway administrators, the administrators on the local Appliance are deleted. If the Gateway is no longer managed by the SMP, the Gateway administrators are saved on the local Appliance.
-
From the left navigation toolbar, click Plans.
-
Click the plan name.
The Plan Edit page opens.
-
Click Device Settings > Administrators.
-
Select Manage in SMP.
-
Click New.
The Add Gateway Administrator window opens.
-
Enter the Name and Password.
-
Recommended: Enter an email address and phone number.
Requires the Quantum Spark appliance to run the firmware R81.10.10 and higher.
-
Select the Permission for the administrator.
-
Click Finish.
-
Select the administrator.
-
Click Delete.
A confirmation window opens.
-
Click OK.
The administrator is deleted.
-
Click Save.
-
From the left navigation toolbar, click Gateways.
-
Click the Gateway name.
The Gateway Edit page opens.
-
Click Device Settings > Administrators.
-
If the Gateway administrator settings are locked, click Unlock from plan.
-
To stop remote management of the blade, clear Manage in SMP.
-
Configure the Gateway administrator settings (see above).
-
Click Save.