6. NGFW for small businesses. Smart-1 Cloud

Greetings to everyone who continues to follow the series about the new generation of Check Point SMB family NGFWs (the 1500 series). In part 5 we reviewed SMP (Management Portal for SMB Gateways). Today I would like to talk about the Smart-1 Cloud portal: Check Point positions it as a SaaS solution that plays the role of a Management Server in the cloud, so it is relevant for any Check Point NGFW, not only the SMB line. For those who have just joined us, the topics covered earlier were: initialization and configuration, organization of wireless traffic (WiFi and LTE), and VPN.

Let’s highlight the main features of Smart-1 Cloud:

  1. A single centralized solution for managing your entire Check Point infrastructure (virtual and physical gateways of various levels).
  2. A common set of policies for all Blades, which simplifies administration (creating and editing rules for different tasks).
  3. Support for a profile-based approach to gateway settings. It handles the separation of access rights in the portal, so that network administrators, audit specialists and others can work simultaneously on different tasks.
  4. Threat monitoring: logs and events are viewed in one place.
  5. API support. Users can build automation and simplify routine daily tasks.
  6. Web access. Removes the OS restrictions of a client application and is intuitive.

Those who are already familiar with Check Point solutions may notice that the features listed do not differ from those of a dedicated local Management Server in your own infrastructure. They are partly right, but in the case of Smart-1 Cloud the management server is maintained by Check Point specialists: taking backups, monitoring free space on storage, fixing errors, installing the latest software versions. It also simplifies migrating (transferring) settings.

Licensing

Before getting acquainted with the functionality of the cloud management solution, let's look at licensing according to the official DataSheet.

Single gateway management:

The subscription depends on the selected management blades; there are three options in total:

  1. Management. 50 GB of storage, 1 GB of logs per day.
  2. Management + SmartEvent. 100 GB of storage, 3 GB of logs per day, report generation.
  3. Management + Compliance + SmartEvent. 100 GB of storage, 3 GB of logs per day, report generation, and configuration recommendations based on general information security best practices.

* The choice depends on many factors: types of logs, number of users, traffic volume.

There is also a subscription for managing 5 gateways. We will not dwell on it in detail; you can always find the details in the DataSheet.

Smart-1 Cloud launch

Anyone can try the solution; to do so, register in the Infinity Portal, Check Point's cloud service, where you can get trial access to the following areas:

  • Cloud Protection (CloudGuard SaaS, CloudGuard Native);
  • Network Protection (CloudGuard Connect, Smart-1 Cloud, Infinity SOC);
  • Endpoint Protection (Sandblast Agent Management Platform, SandBlast Agent Cloud Management, Sandblast Mobile).

Let's log in to the system (new users need to register first) and go to the Smart-1 Cloud solution:

You will be briefly told about the advantages of the solution (infrastructure management, no installation required, automatic updates).

After filling in the fields, you will need to wait while the account is prepared for portal access:

If the operation succeeds, you will receive registration information by email (the address specified when signing up for the Infinity Portal), and you will also be redirected to the Smart-1 Cloud home page.

The available portal tabs are:

  1. Launching SmartConsole, either the application installed on your PC or the web interface.
  2. Synchronization with the gateway object.
  3. Working with logs.
  4. Settings.

Synchronization with the gateway

Let's start by synchronizing the Security Gateway, adding it as an object. Go to the "Connect Gateway" tab.

Enter a unique name for the gateway; you can also add a comment to the object. Then press "Register".

A gateway object will appear, which then needs to be synchronized with the Management Server by running CLI commands on the gateway:

  1. Make sure the latest JHF (Jumbo Hotfix) is installed on the gateway.
  2. Set the connection token: set security-gateway maas on auth-token <token>
  3. Check the status of the sync tunnel; the expected output is:
    MaaS Status: Enabled
    MaaS Tunnel State: Up
    MaaS domain-name: Service-Identifier.maas.checkpoint.com
    Gateway IP for MaaS Communication: 100.64.0.1
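Before moving on to SIC, it is worth checking the status output mechanically rather than by eye, especially when onboarding several gateways. The script below is an added example (not code from the article or from Check Point): it parses the "Key: Value" status lines in the format shown above, tolerates a value that wraps onto the next line as the domain-name did in the post, and reports why a gateway is not yet ready for SIC. The sample outputs are constructed, the "Down" case in particular, and the check that the MaaS address falls in 100.64.0.0/10 (the RFC 6598 shared address space) is an assumption drawn from the address shown here; the name of the CLI command that prints this status is not given in the article, so the script takes its text as input.

```python
"""Check MaaS (Smart-1 Cloud) status output from a 1500-series gateway
before attempting SIC. Added example, not part of the original post."""
import ipaddress
from typing import Dict, List

# Constructed sample modelled on the lines shown in the article, with the
# domain-name value wrapped onto its own line, as it appeared in the post.
SAMPLE_UP = """\
MaaS Status: Enabled
MaaS Tunnel State: Up
MaaS domain-name:
Service-Identifier.maas.checkpoint.com
Gateway IP for MaaS Communication: 100.64.0.1
"""

# Constructed failure case: MaaS enabled, but the tunnel never came up.
SAMPLE_DOWN = """\
MaaS Status: Enabled
MaaS Tunnel State: Down
MaaS domain-name: Service-Identifier.maas.checkpoint.com
Gateway IP for MaaS Communication: 0.0.0.0
"""

# Assumption: the MaaS side hands out addresses from the RFC 6598 shared
# address space, matching the 100.64.0.1 shown in the article.
SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")


def parse_maas_status(text: str) -> Dict[str, str]:
    """Turn 'Key: Value' lines into a dict.

    A line with a key but an empty value (e.g. 'MaaS domain-name:') takes
    the next non-empty line as its value, which is how the CLI wrapped it.
    """
    fields: Dict[str, str] = {}
    pending = None  # key whose value wrapped onto the following line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep:
            key, value = key.strip(), value.strip()
            fields[key] = value
            pending = key if not value else None
        elif pending is not None:
            fields[pending] = line
            pending = None
        else:
            raise ValueError(f"unexpected line in MaaS status output: {line!r}")
    return fields


def readiness_problems(fields: Dict[str, str]) -> List[str]:
    """Return an empty list when the gateway looks ready for SIC."""
    problems: List[str] = []
    if fields.get("MaaS Status") != "Enabled":
        problems.append("MaaS is not enabled (token not set or not accepted)")
    state = fields.get("MaaS Tunnel State", "unknown")
    if state != "Up":
        problems.append(f"MaaS tunnel state is {state}, expected Up")
    domain = fields.get("MaaS domain-name", "")
    if not domain.endswith(".maas.checkpoint.com"):
        problems.append(f"unexpected MaaS domain-name {domain!r}")
    ip_text = fields.get("Gateway IP for MaaS Communication", "")
    try:
        if ipaddress.ip_address(ip_text) not in SHARED_SPACE:
            problems.append(f"MaaS address {ip_text} is outside {SHARED_SPACE}")
    except ValueError:
        problems.append(f"no valid MaaS communication address ({ip_text!r})")
    return problems


def ready_for_sic(text: str) -> bool:
    """Convenience wrapper: parse the raw CLI output and give a yes/no answer."""
    return not readiness_problems(parse_maas_status(text))


if __name__ == "__main__":
    for name, sample in (("up", SAMPLE_UP), ("down", SAMPLE_DOWN)):
        issues = readiness_problems(parse_maas_status(sample))
        print(f"{name}: {'ready for SIC' if not issues else '; '.join(issues)}")
```

Paste the real CLI output into parse_maas_status (for example, captured over SSH from the gateway) and only proceed to the SIC step in SmartConsole when readiness_problems returns an empty list; a tunnel that is Enabled but not Up is the most common reason the SIC exchange fails afterwards.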

Once the MaaS tunnel services are up, proceed to establish the SIC connection between the gateway and Smart-1 Cloud in SmartConsole. If the operation succeeds, the gateway topology will be fetched; here is an example:

Thus, when using Smart-1 Cloud, the gateway is connected to the gray (non-public) network 10.64.0.1.

I will add that in our lab the gateway itself reaches the Internet through NAT, so there is no public IP address on its interface, yet we can still manage it from outside. This is another interesting feature of Smart-1 Cloud: it creates a separate management subnet with its own pool of IP addresses.

Conclusion

Once a gateway has been successfully added for Smart-1 Cloud management, you have the same full access as in SmartConsole. In our lab we launched the web version; in fact, it is a virtual machine spun up with the management client running.

You can always learn more about SmartConsole capabilities and the Check Point architecture in our own course.

That's all for today; the final article of the cycle lies ahead, in which we will touch on the performance tuning capabilities of the SMB 1500 series with Gaia 80.20 Embedded installed.

A large selection of materials on Check Point from TS Solution. Stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).
