Session Flow for Administrators

In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., administrators work with sessions. A session is created each time an administrator logs into SmartConsole. Changes made in the session are saved automatically. You can generate a changes report to show you all the changes made in a session. These changes are private and available only to the administrator. To avoid configuration conflicts, other administrators see a lock icon on objects and rules that are being edited in other sessions.

Administrators can publish or discard their private changes. To include private changes in the policy installation, you must publish your changes in the session. This is also true if you want to make your private changes available to other administrators. Unpublished changes from other sessions are not included in the policy installation.

Before you publish a session, we recommend that you give the session a name and add a brief description that documents the work process.

Publishing a Session

The validations pane in SmartConsole shows configuration error messages. Examples of errors are object names that are not unique, or the use of objects that are not valid in the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase.. Make sure you correct these errors before publishing.

To publish a SmartConsole session

On the SmartConsole toolbar, click Publish. When a session is published, a new database version is created and shows in the list of database revisions.

To add a name or description to a session

In the SmartConsole toolbar, click Session.

The Session Details window opens.
Enter a name for the database version.
Enter a description.
Click OK.

To discard a session

In the SmartConsole toolbar, click Discard.

Working in SmartConsole Session View

The Session view shows all unpublished sessions in the system. The view shows the sessions of the current administrator, sessions of other administrators and sessions from other applications. The columns in the view can be customized and show the session owner, name, description, connection mode, number of private changes, number of locks, application and other values.

To see session information, click Manage & Settings > Sessions > View Sessions.

Actions available to administrators on private sessions are determined by the Manage Sessions permission on their profile.

Administrators without the Manage Session permission can:

Administrators with the Manage Session Permission can:

Publish and discard their own sessions
See sessions opened by other administrators, the number the locks they have and number of changes they have made
Take over sessions created by applications, for example sessions created by the API command line tool

Publish and discard their own sessions
See sessions opened by other administrators, the number the locks they have and number changes they have made
Publish & Disconnect the private sessions of other administrators
Disconnect & Discard the private sessions of other administrators
Disconnect another administrator's private session
Take over sessions created by applications, for example sessions created by the API command line tool

Take over the private sessions of other administrators.

Note - If you want to keep changes made in your own private session, publish these changes before you take over the session of another administrator. If you do not publish your changes, you will lose them. When you take over, you disconnect the other administrator's SmartConsole session.

Publish & Disconnect the private sessions of other administrators. The action applies to both SmartConsole sessions and command line API sessions.
Disconnect the private session of other administrators
Discard & Disconnect the private session of other administrators

Viewing Changes Made in Private Sessions

You can generate a report to show you the changes made in a specific session, it can be your current session or a different one. Tracking the changes made in sessions lets you track and monitor the changes made, and troubleshoot bugs.

The change report only details changes in policy rules and common network objects. For more details, see: sk166435.

Note - There is inconsistency between the number of changes which appears in the session toolbar and the Revisions view.

Taking over locked objects from administrators with inactive sessions

If there are locked objects in SmartConsole by administrators with inactive sessions, but the relevant administrators are currently unavailable to log back in to SmartConsole and remove the lock, you can take over their sessions.

To take over inactive sessions of other administrators:

Log in to SmartConsole with a different administrator account.
Go to Manage & Settings > Sessions > View Sessions.
Right-click the relevant sessions of the administrator who owns the locked objects and select Take over.

You can now open the relevant object and publish or discard changes to remove the lock.

Administrators Working with Multiple Sessions

Administrators working with multiple sessions can open multiple additional private sessions without publishing changes made in the current private session.

Use Case

Suppose you are making changes in a private session and are asked to solve some immediate problem. The task involves making a change and publishing it. You do not wish to publish or discard your current private session.

You open a new private session, make the change required to resolve the issue, publish the change, then return to your previous private session.

To do this, you need to work with multiple sessions. To switch on multiple sessions, you need the Manage Sessions permission selected on your administrator profile.

To enable working in multiple sessions

Open the relevant permission profile.
Make sure the Manage Sessions permission is selected on the Management page.
Open SmartConsole > Manage & Settings View > Sessions > Advanced.
Select Each administrator can manage multiple SmartConsole sessions at the same time.
Publish the change.

When working with multiple sessions, you can:

Open and manage multiple sessions to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. using the same administrator account
Switch between the active session and previously saved sessions
Publish, discard and disconnect other sessions
Take over other sessions

The SmartConsole Session menu

After multiple sessions are enabled, the SmartConsole Session menu has these new options:

Option	Description
Edit sessions details	Lets you change the session name and description.
Create new session	In the current window Opens a new session in the current SmartConsole In a new window Opens a new session in a new SmartConsole
Recent	Shows a list of recent sessions. Selecting a session opens the session in the current SmartConsole
More	Opens the Open Session window that shows sessions that you previously created and saved. Sessions shown in this window are owned by the current administrator in the current domain. The Open Session > Actions menu has options to open a saved session in the current SmartConsole or open the session in a new SmartConsole.

The SmartConsole Session View

When multiple sessions are enabled, you can perform these additional actions:

Action	You can:
For sessions that you own	Discard and Disconnect Publish and Disconnect Disconnect Open an older session
For sessions owned by other administrators that have made private changes	Publish and Disconnect their changes Discard and Disconnect Disconnect Take over their changes
For sessions owned by other administrators that have not made private sessions	Disconnect Take over

Notes:

When you work in single session, you need to publish or discard your changes before you take over another session. In multiple sessions, you do not have to publish or discard your session before you take over the session of another administrator.
In multiple sessions, an administrator who connects from another desktop to an already connected session can still take over the connected session by default.

Switching between Multiple and Single Session

If the session management settings switch from multiple SmartConsole sessions to allow only a single SmartConsole session at a time:

Administrators can still publish, discard and open sessions that they own.
Cannot create new sessions until they have published or discarded all their unpublished sessions with private sessions
Cannot take over the sessions of other administrators or applications (for example sessions created with API commands in the mgmt_cli utility) until they have published or discarded all their previously saved private sessions.

Approval Cycle for Sessions (SmartWorkflow and Identity Provider)

Lets administrators approve changes in sessions made by other administrators.

Use Case

This feature gives you the option to review and approve configuration changes made by other administrators before publishing them. You can define which administrators must submit their changes for approval and which administrators are authorized to approve changes.

Configuration

Create a new permission profile for the Administrator "A" whose changes require approval
1. In SmartConsole, go to Manage & Settings > Permissions & Administrators > Permission Profiles > New Profile.
  
  The New Profile window opens.
2. In the Overview page ,select Read/Write All or Customized.
3. In the Management page, clear the Publish sessions without an approval option.
4. Configure the rest of the profile settings, and click OK and publish the changes.
Create a new administrator account for the Administrator "A" whose changes require approval:
1. In SmartConsole, go to Manage & Settings > Permissions & Administrators > Administrators > New Administrator.
  
  The New Profile window opens.
2. Configure the Administrator name and other properties, and in the Permission Profile field, select the profile you created for this administrator.
3. Click OK.
Create a new permission profile for the Administrator "B" who approves the changes"
1. In SmartConsole, go to Manage & Settings > Permissions & Administrators > Permission Profiles > New Profile.
  
  The New Profile window opens.
2. In the Overview page ,select Read/Write All or Customized.
3. In the Management page, select Approve/reject other sessions.
4. Configure the rest of the profile settings, and click OK.
Create a new administrator account for the Administrator "B" who approves the changes:
1. In SmartConsole, go to Manage & Settings > Permissions & Administrators > Administrators > New Administrator.
  
  The New Profile window opens.
2. Configure the Administrator name and other properties, and in the Permission Profile field, select the profile you created for this administrator.
3. Click OK and publish your changes.

To submit your changes for approval, in SmartConsole's top toolbar, click Submit Request

Note - If Administrator "A" tries to install policy before his changes are approved, a message shows up indicating the changes must be submitted for approval first.

Each time Administrator "A" makes changes in the SmartConsole configuration:

After Administrator "A" modifies a rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. in the Rule Base and clicks Submit, SmartConsole locks this rule for further changes and shows a padlock icon.

After Administrator "A" modifies an object and clicks Submit, SmartConsole locks this object for further changes. You can only view the object properties (right-click the object > View).

Note - To see the status of all sessions, go to Manage & Settings > Sessions > View Sessions.

Administrator "B" to reviews and approves the changes

Note - If you have sessions which are pending approval, a notification with the number of sessions pending approval appears next to the Manage & Settings tab and next to the View Sessions tab.

In SmartConsole, go to Manage & Settings > Sessions > View Sessions.
Right-click a session that is pending approval.
To review the changes, select Review change report from the drop-down menu.
After you reviewed the changes, right-click the sessions and select one of these options from the drop-down menu:
- To publish the session, select Approve. After the session is published, Administrator "A" can install policy.
- To return the session to the submitter to fix, select Reject. If you select this option, you return the session to Administrator "A". A window opens and you must provide the return justification.

Administrator "A" sees the notifications of the reviewed sessions in the Manage & Settings tab and the View Sessions tab.

To fix a session, click a session and select open session from the drop-down menu.

Notes:

To get email notifications about session updates, go to Manage & Settings > SmartTasks, and configure the applicable SmartTask (see SmartTasks).
To be able to save changes in the Database Tool or in SmartProvisioning Check Point Software Blade on a Management Server (the actual name is "Provisioning") that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: Large-Scale Management, SmartLSM, LSM. , you must have permission to publish your changes without an approval. If the Publish sessions without an approval, option is cleared, you cannot save changes in the Database Tool or in SmartProvisioning.