Unified Access Policy for Check Point SASE and Network Security

This integration lets you manage Check Point SASE Internet Access and HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. policies directly from SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.. By centralizing policy management, you ensure consistent policy enforcement across products, streamline governance for security policies Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., and consolidate operations into one trusted, management platform.

Prerequisites

• Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. version R82 with Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. Take 73 or higher.

• Active Check Point Portal tenant in the US and EU regions with an active Check Point SASE application.

• The Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. must be connected to the Check Point Portal. See Connecting On-Premises Management Servers and Security Gateways to the Check Point Portal for more information.

• Check Point SASE SKU for Internet Access (for example: CP-Check Point SASE-IA-ESS*).

  To activate Internet Access on your tenant:

  1. Log in to the Check Point Portal.

  2. Navigate to Menu > Hybrid Mesh Network Security > SASE > Internet Access > Access Policy.

  3. In the top-right corner, enable the Status button.

• Integration of Azure or Okta Identity Provider on both the Check Point Portal and the Check Point SASE application. See the SCIM documentation for configuration instructions.

Supported Policies and Objects

The SASE Internet Access policy package supports these objects:

• In the Network Security Internet Access policy Layer:

  • Identity Provider users and groups in the Source column (as part of an Access Role).

  • Check Point's URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. web categories

  • Custom URLs

  • Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI. blade

• In the HTTPS Inspection Outbound Layer:

  • Identity Provider users and groups in the Source column (as part of an Access Role).

  • Web categories, domains, and IP addresses in the Destination column.

    For more information, see theSASE bypass policy configuration.

• Using unsupported objects in the SASE Internet Access policy package results in a validation error.

Activating Unified Access Policy for Check Point SASE

Procedure

1. In SmartConsole, go to the Infinity Services view.

2. Go to the Harmony SASE card, and click Switch to Quantum.

   

3. In the Manage Internet Access using SmartConsole window that opens, click I Agree.

   

   The system creates a new policy package dedicated to SASE. The status of the Harmony SASE card changes to Internet Access policy is managed in SmartConsole

   

4. Go to the Security Policies view > Access Control. A new policy package named SASE Internet Access is created. It contains default rules for Internet Access and HTTPS Inspection.

   Important - Existing Check Point SASE policies are not imported to the Security Management Server and are overridden on the first policy installation in SmartConsole.

   

5. In the new SASE Internet Access policy package, create the required rules.

   

6. Click Install Policy, and from the drop-down menu select SASE Internet Access.

   

Notes: Program-based rules remain managed only in the Check Point SASE application. The rules of the new SASE Internet Access layer are also displayed in the Check Point SASE application, but as read-only rules.

To share the SASE Internet Access and HTTPS Inspection Outbound Policy Layers across policy packages:

1. In your policy package, navigate to the rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. where you want to add the Layer.

2. Click the Action column for that rule.

3. Select Inline Layer, and from the drop-down menu, select the applicable Layer to add.

Mapping of Policy Component Display between Network Security and SASE

Network Security Access Control Policy Component	SASE equivalent	Network Security SASE IA Layer Equivalent
Access Control Policy	Internet Access	SASE Internet Access
HTTPS Inspection Policy	HTTPS Inspection	HTTPS Inspection Outbound Policy
Destination column	N/A	Displays the value Any
Services & Applications column	Destination column displays the service name	Destination column displays the service or application

Logs

Each security feature or module in Check Point SASE generates and manages its own logs. You can forward these logs from the Check Point SASE application to Events & AIOps for centralized monitoring and analysis.

Switching Back to Check Point SASE Management

To switch back to Check Point SASE management:

1. In SmartConsole, go to the Infinity Services view.

2. In the Harmony SASE card, click the 3 dots menu, and select Switch to Cloud Management.

After returning to Check Point SASE, the policy management seamlessly continues in Check Point SASE from the point where you last managed it in SmartConsole.