6. NGFW for small businesses. Smart-1 Cloud

Greetings to everyone who continues to read our series on the new generation of Check Point NGFWs of the SMB family (1500 series). In part 5 we looked at the SMP solution (the management portal for SMB gateways). Today I would like to talk about the Smart-1 Cloud portal. It is positioned as a SaaS-based Check Point solution that acts as a Management Server in the cloud, so it is relevant for any Check Point NGFW. For those who have just joined us, here are the previously discussed topics: initialization and setup, organization of wireless traffic transmission (WiFi and LTE), and VPN.

Let's highlight the main features of Smart-1 Cloud:

  1. A single centralized solution for managing your entire Check Point infrastructure (virtual and physical gateways of various levels).
  2. A common set of policies for all Blades simplifies administration processes (creating/editing rules for various tasks).
  3. Support for the profile approach when working with gateway settings. Profiles separate access rights in the portal, so network administrators, audit specialists and others can perform their tasks at the same time.
  4. Threat monitoring, which provides logs and event viewing in one place.
  5. Support for interaction via API. The user can implement automation processes, simplifying routine daily tasks.
  6. Web access. It removes restrictions on which operating systems are supported, and the interface is intuitive.

Those who are already familiar with Check Point solutions may notice that the main features presented are no different from a local dedicated Management Server in your infrastructure. In part, they will be right, but in the case of Smart-1 Cloud, the maintenance of the management server is provided by Check Point specialists. It includes: making backups, monitoring free space on media, fixing errors, installing the latest software versions. It also simplifies the process of migrating (transferring) settings.

Licensing

Before getting acquainted with the functionality of the cloud management solution, let's study licensing issues from the official DataSheet.

Single Gateway Management:

The subscription depends on the selected management blades; there are 3 options in total:

  1. Management. 50 GB storage, 1 GB daily for logs.
  2. Management + SmartEvent. 100 GB storage, 3 GB daily for logs, report generation.
  3. Management + Compliance + SmartEvent. 100 GB storage, 3 GB daily for logs, report generation, settings recommendations from general information security practices.

*The choice depends on many factors: type of logs, number of users, traffic volumes.

There is also a subscription to manage 5 gateways. We will not dwell on this in detail - you can always get information from DataSheet.

Launch of Smart-1 Cloud

Anyone can try the solution, for this you need to register in Infinity Portal, a cloud service from Check Point, where you can get trial access to the following areas:

  • Cloud Protection (CloudGuard SaaS, CloudGuard Native);
  • Network Protection (CloudGuard Connect, Smart-1 Cloud, Infinity SOC);
  • Endpoint Protection (Sandblast Agent Management Platform, SandBlast Agent Cloud Management, Sandblast Mobile).

Let's log in to the system (registration is required for new users) and go to the Smart-1 Cloud solution:

You will be briefly told about the advantages of this solution (Infrastructure management, no installation required, updated automatically).

After filling in the fields, you will need to wait while the account for entering the portal is prepared:

In case of a successful operation, you will receive registration information by e-mail (specified when entering the Infinity Portal), and you will also be redirected to the main page of Smart-1 Cloud.

The available portal tabs are:

  1. Launch SmartConsole, either with the application installed on your PC or through the web interface.
  2. Synchronization with the gateway object.
  3. Working with logs.
  4. Settings.

Synchronization with the gateway

Let's start with synchronizing the Security Gateway. To do this, you need to add it as an object. Go to the Connect Gateway tab.

You must enter a unique gateway name, you can add a comment to the object. Then press "Register".

A gateway object will appear, which will need to be synchronized with the Management Server by executing the CLI commands for the gateway:

  1. Make sure the gateway has the latest JHF (Jumbo Hotfix) installed.
  2. Set connection token: set security-gateway maas on auth-token
  3. Check the status of the sync tunnel:
    MaaS Status: Enabled
    MaaS Tunnel State: Up
    MaaS domain-name: Service-Identifier.maas.checkpoint.com
    Gateway IP for MaaS Communication: 100.64.0.1

Once the services for the MaaS Tunnel have been brought up, proceed to set up a SIC connection between the gateway and Smart-1 Cloud in SmartConsole. If the operation succeeds, the gateway topology will be retrieved, as in this example:

Thus, when using Smart-1 Cloud, the gateway connects to the "gray" network 10.64.0.1.

I will add that in our test setup the gateway itself accesses the Internet through NAT, so there is no public IP address on its interface, yet we can still manage it from the outside. This is another interesting feature of Smart-1 Cloud: a separate management subnet is created with its own pool of IP addresses.
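
A monitoring check for the tunnel status output from step 3 and for the "gray" management address described above. This is an added example, not Check Point code: the function names are hypothetical, the sample text is constructed from the output shown on this page, and it assumes the status text has already been captured from the gateway CLI. A value that wraps onto the next line is handled.

```python
import ipaddress

# Constructed sample, based on the status output shown in step 3.
SAMPLE_STATUS = """\
MaaS Status: Enabled
MaaS Tunnel State: Up
MaaS domain-name: Service-Identifier.maas.checkpoint.com
Gateway IP for MaaS Communication: 100.64.0.1
"""

def parse_maas_status(text):
    """Turn 'Key: value' lines into a dict; a value may wrap onto the next line."""
    fields, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
            pending = key.strip() if not value.strip() else None
        elif pending:
            fields[pending] = line  # continuation of the previous key
            pending = None
    return fields

def check_maas(text):
    """Return a list of findings; an empty list means the tunnel looks healthy."""
    f = parse_maas_status(text)
    findings = []
    if f.get("MaaS Status") != "Enabled":
        findings.append("MaaS is not enabled")
    if f.get("MaaS Tunnel State") != "Up":
        findings.append("MaaS tunnel is not up")
    if not f.get("MaaS domain-name", "").endswith(".maas.checkpoint.com"):
        findings.append("unexpected MaaS domain-name")
    try:
        ip = ipaddress.ip_address(f.get("Gateway IP for MaaS Communication", ""))
        if ip.is_global:  # management should ride a non-public address
            findings.append("tunnel address is publicly routable")
    except ValueError:
        findings.append("missing or malformed tunnel address")
    return findings

if __name__ == "__main__":
    print(check_maas(SAMPLE_STATUS) or "OK")
```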

Conclusion

After you have successfully added a gateway for management via Smart-1 Cloud, you get full access, just like in SmartConsole. In our test setup we launched the web version, which is in fact a virtual machine running the management client.

You can always learn more about the capabilities of the Smart Console and the architecture of Check Point in our author's course.

That's all for today. Next up is the final article of the series, in which we will touch on the performance tuning capabilities of the SMB 1500 series family with Gaia 80.20 Embedded installed.

A large selection of materials on Check Point from TS Solution. Stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen)

Source: habr.com
