Unified Access Policy for SASE and Network Security
This integration lets you manage SASE Internet Access policy and HTTPS Inspection policy directly from SmartConsole. By centralizing policy management, you ensure consistent policy enforcement across products, streamline governance for security policies, and consolidate operations into one trusted management platform.
Prerequisites
- Security Management Server version R82 with Jumbo Hotfix Accumulator Take 73 or higher.
- Active Check Point Portal tenant in the US and EU regions with Active SASE application.
- Security Management Server must be connected to the Check Point Portal. See Connecting On-Premises Management Servers and Security Gateways to the Check Point Portal for more information.
- SASE SKU for Internet Access (for example: CP-SASE-IA-ESS*).
  To activate Internet Access on your tenant:
  - Log in to the Check Point Portal.
  - Navigate to Menu > Hybrid Mesh Network Security > SASE > Internet Access > Access Policy.
  - In the top-right corner, enable the Status button.
- Integration of Azure or Okta Identity Provider on both the Check Point Portal and SASE. See the SCIM documentation for configuration instructions.
Activating Unified Access Policy for SASE
Procedure
- In SmartConsole, go to the Infinity Services view.
- Go to the SASE card, and click Switch to Quantum.
- In the Manage Internet Access using SmartConsole window that opens, click I Agree.
  The system creates a new policy package dedicated to SASE. The status of the SASE card changes to Internet Access policy is managed in SmartConsole.
- Go to the Security Policies view > Access Control. A new policy package named SASE Internet Access is created. It contains default rules for Internet Access and HTTPS Inspection.
  Important - Existing SASE policies are not imported to the Security Management Server and are overridden on the first policy installation in SmartConsole.
- In the new SASE Internet Access policy package, create the required rules.
- Click Install Policy, and from the drop-down menu select SASE Internet Access.
Notes:
To share the SASE Internet Access and HTTPS Inspection Outbound Policy Layers across policy packages:
- In your policy package, navigate to the rule where you want to add the Layer.
- Click the Action column for that rule.
- Select , and from the drop-down menu, select the applicable Layer to add.
Supported Policies and Objects
The SASE Internet Access policy package supports these objects:
- In the Network Security Internet Access policy Layer:
  - Identity Provider users and groups in the Source column (as part of an Access Role).
  - Check Point's URL Filtering web categories
  - Custom URLs
- In the HTTPS Inspection Outbound Layer:
  - Identity Provider users and groups in the Source column (as part of an Access Role).
  - Web categories, domains, and IP addresses in the Destination column.
    For more information, see the SASE bypass policy configuration.

Using unsupported objects in the SASE Internet Access policy package results in a validation error.
Mapping of Policy Component Display between Network Security and SASE
| Network Security Access Control Policy Component | SASE equivalent | Network Security SASE IA Layer Equivalent |
|---|---|---|
| Access Control Policy | Internet Access | SASE Internet Access |
| HTTPS Inspection Policy | HTTPS Inspection | HTTPS Inspection Outbound Policy |
| Destination column | N/A | Displays the value Any |
| Services & Applications column | Destination column displays the service name | Destination column displays the service or application |
Logs
Each security feature or module in SASE generates and manages its own logs. You can forward these logs from SASE to Events & AIOps for centralized monitoring and analysis.
Switching Back to SASE Management
To switch back to SASE management:
- In SmartConsole, go to the Infinity Services view.
- In the SASE card, click the 3 dots menu, and select Switch to Cloud Management.
After returning to SASE, the policy management seamlessly continues in SASE from the point where you last managed it in SmartConsole.







