Unified Access Policy for Harmony SASE and Quantum Management Server

This integration lets you manage Harmony SASE Internet Access policy and HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. policy directly from SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.. By centralizing policy management, you ensure consistent policy enforcement across products, streamline governance for security policies Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., and consolidate operations into one trusted, management platform.

Prerequisites

Quantum Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. version R82 with Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. Take 73 or higher.
Active Check Point Portal tenant in the US and EU regions with Active Harmony SASE application.
Quantum Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. must be connected to the Check Point Portal. See Connecting On-Premises Management Servers and Security Gateways to the Check Point Portal for more information.
Harmony SASE SKU for Internet Access (for example: CP-SASE-IA-ESS*).

To activate Internet Access on your tenant:
1. Log in to the Check Point Portal.
2. Navigate to Menu > Harmony > SASE - Internet & Private Access.
3. Go to the Internet Access section, and enable the Status toggle button.
Integration of Azure or Okta Identity Provider on both the Check Point Portal and Harmony SASE. See the SCIM documentation for configuration instructions.

Activating Unified Access Policy for Harmony SASE

Procedure

In SmartConsole, go to the Infinity Services view.
Go to the Harmony SASE card, and click Switch to Quantum.
In the Manage Internet Access using SmartConsole window that opens, click I Agree.

The system creates a new policy package dedicated to Harmony SASE. The status of the Harmony SASE card changes to Internet Access policy is managed in SmartConsole

Go to the Security Policies view > Access Control. A new policy package named SASE Internet Access is created. It contains default rules for Internet Access and HTTPS Inspection.

Important -

Existing Harmony SASE policies are not imported to Quantum and are overridden on the first policy installation in SmartConsole.

In the new SASE Internet Access policy package, create the required rules.
Click Install Policy, and from the drop-down menu select SASE Internet Access.

Notes:

Program-based rules remain managed only in Harmony SASE.
The rules of the new SASE Internet Access layer are also displayed in the Check Point Portal Harmony SASE application, but as read-only rules.

To share the SASE Internet Access and HTTPS Inspection Outbound Policy Layers across policy packages:

In your policy package, navigate to the rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. where you want to add the Layer.
Click the Action column for that rule.
Select Inline Layer, and from the drop-down menu, select the applicable Layer to add.

Supported Policies and Objects

The SASE Internet Access policy package supports these objects:

In the Quantum Internet Access policy Layer:
- Identity Provider users and groups in the Source column (as part of an Access Role).
- Check Point's URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. web categories
- Custom URLs
- Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI. blade
In the HTTPS Inspection Outbound Layer:
- Identity Provider users and groups in the Source column (as part of an Access Role).
- Web categories, domains, and IP addresses in the Destination column.
  
  For more information, see theHarmony SASE bypass policy configuration.
Using of unsupported objects in SASE Internet Access policy package will result in a validation error.

Mapping of Policy Component Display between Harmony SASE and Quantum

Quantum Access Control Policy Component	Harmony SASE equivalent	Quantum SASE IA Layer Equivalent
Access Control Policy	Internet Access	SASE Internet Access
HTTPS Inspection Policy	HTTPS Inspection	HTTPS Inspection Outbound Policy
Destination column	N/A	Displays the value Any
Services & Applications column	Destination column displays the service name	Destination column Displays the service or application

Logs

Each security feature or module in Harmony SASE generates and manages its own logs. You can forward these logs from Harmony SASE to Infinity Events for centralized monitoring and analysis.

Switching Back to Harmony SASE Management

To switch back to Harmony SASE management:

In SmartConsole, go to the Infinity Services view.
In the Harmony SASE card, click the 3 dots menu, and select Switch to Cloud Management.

After returning to Harmony SASE, the policy management seamlessly continues in Harmony SASE from the point where you last managed it in Quantum.