How to manage the Access Control Policy of Harmony Connect from SmartConsole
Solution

Important: Changes made after March 24, 2021

Customers who have been using SmartConsole to manage their Harmony Connect security policy prior to March 24, 2021 must re-install the Install Cloud Policy component at their on-prem security management servers.
  • Navigate to Infinity Portal and go to Harmony Connect > Settings > On-Prem Management
  • Download the updated version of Install Cloud Policy component
  • Repeat the step Install the Install Cloud Policy component on your on-premises Security Management Server below. Running this step replaces the existing configuration and there is no need to "uninstall" a component. 

We apologize for this inconvenience.


Background

The Access Control Policy of Check Point's Harmony Connect for branch offices can be managed either via:

  • Infinity Portal
  • SmartConsole

Users who manage both on-premises Gateways and branch offices can use SmartConsole to:

  • Consolidate their security configuration in one application. 
  • Use the same network objects in all policies.
  • Automate actions across cloud and on-premises using the same Security Management API.

Procedure

Enable the feature from the Infinity Portal

  1. Navigate to Settings > On-Prem Management.
  2. Toggle Manage Internet Access Policy from SmartConsole to the ON position.

Prepare an API Key

Your on-premises Security Management Server has to connect securely to your account on the Check Point Infinity Portal using an API Key.

  1. In the Infinity Portal, navigate to Global Settings > API Keys.
  2. Create a new API Key.
  3. Set the Service to Connect.
  4. Optionally, set the expiration date and provide a meaningful description. 

An API Key consists of a Client ID and a Secret Key. Both are used in the next step.

Install the Install Cloud Policy component on your on-premises Security Management Server

After enabling the feature, you will be able to download a component for your on-premises Security Management Server. 

Note: This component is version-independent and, therefore, can be installed on any security management server of version R80.20 and above.

Upload that component to your Security Management Server. It is important that you save it directly under the folder $FWDIR.

  1. Extract that component by running: tar xvzf install-cloud-policy.tar.gz
  2. Set read and execute permissions for the extracted folder.
  3. Navigate to the extracted folder and run: ./config-install-cloud-policy.sh

This script will ask you to provide your Infinity Portal API Key, so that changes made at your on-premises Security Management Server will get deployed at your Infinity Portal account. 

The script will also ask you to provide the one policy package at your Security Management Server that represents all your branch offices. This will ensure that administrators do not mistakenly install the wrong policy in the cloud. Note that the policy package does not need to exist at the time of running the script. Administrators who attempt to install a policy package with a name different from the name specified here will get an error message. 

The script completes by confirming that the integration has been set.
You can re-run this script later if your Infinity Portal API Key has changed, or if your branch office security policy package name has changed. Re-running ./config-install-cloud-policy.sh replaces the existing configuration and there is no need to "uninstall" the component.

Note: In case the default Management API port was changed, you need to configure the environment variable “MGMT_CLI_PORT” with the value of the new Management API port. 

Add a SmartConsole Extension

Note: Each administrator needs to repeat this step.

  1. Open SmartConsole and navigate to Manage & Settings > Preferences.
  2. Scroll down to SmartConsole Extensions.
  3. Add the Install Cloud Policy extension to SmartConsole by clicking the + button and typing this manifest URL: https://cloud-policy-extension.s3.eu-central-1.amazonaws.com/install-cloud-policy.json
  4. Confirm the addition of this extension.

A pop-up window indicates that the extension was added successfully to SmartConsole and that a new button should appear at the toolbar of each Access Control security policy.

How to install your branch office policy from SmartConsole to the cloud

Navigate to Security Policies.

Open the one policy that represents your branch offices. You should see a new button called Install Cloud Policy.

Clicking Install Cloud Policy will send your security policy from your on-premises Security Management Server to the Check Point cloud. 

Note: You will be requested to approve this operation twice. Click OK on the 2 consecutive pop-up windows that request approval.

You can track its progress by clicking the Check Status button on the Install Cloud Policy pop-up window.

Note: Clicking Check Status will ask you to approve this operation. Click OK on the pop-up window.

Note: The task notification at the bottom-left corner of SmartConsole only indicates that an Install Cloud Policy operation has started. Completion of that task does not mean that the policy installation completed.

Currently, the only way to know whether a policy installation in the cloud is completed is by clicking Refresh Status on the Install Cloud Policy pop-up window and waiting for a status update that says Install Policy Completed.

Attempts to run Install Cloud Policy on a policy that has a name different from the name that was configured on your Security Management Server (see "Install the Install Cloud Policy component on your on-premises Security Management Server" above) will fail, and will not modify the policy for your branch offices.

Known Limitations

  • Multi-Domain environments are currently not supported.
  • SmartConsole managed from Quantum Smart-1 Cloud is not supported.
  • This solution supports securing branch offices going to the Internet. Securing remote users using Harmony Connect App is not supported. Securing branch offices or remote users going to corporate applications is not supported.
  • You can only manage your Internet Access Policy from either Infinity Portal or from SmartConsole, but not from both.
  • Reverting to managing your Internet Access Policy from Infinity Portal will set the policy back to the last version that was configured in the Infinity Portal.
  • R80.20 Management Server and above is required.
  • This feature assumes that the Security Management Server has connectivity to the Internet over HTTPS.
  • Install On column is not supported.
  • Hit Count will not be reflected in SmartConsole.
  • The SmartConsole Extension will not work when logging in to SmartConsole with the machine FQDN instead of its IP address.
  • Content Awareness blade is not supported.
  • Enabling XFF on an Access Layer is not supported.
  • Layers: Inline layers are fully supported, Ordered Layers are not supported.
  • The following objects are not supported:
    • Dynamic Objects
    • Any Gateway or server objects: Gateways, Clusters, VSX Gateways, VSX Clusters, Interoperable Devices, Logical Servers
    • Access Roles
    • VPN Communities
  • All rules whose action is set to block will have the default UserCheck Blocked page. Customizing the UserCheck object or changing it from Block to Ask or Inform, is not supported.
  • Changing the Track options is fully supported, except for the setting to generate session logs to firewall-only connections.
  • The Security Management API call for install-policy does not support installing the policy in the cloud. Instead, the following script can be used: ./$MDS_FWDIR/install-cloud-policy/export_policy.sh <policy package name>
  • Security Management Servers in which the port for running the Security Management API was changed from its default is currently not supported.
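The two script-level points above (the MGMT_CLI_PORT variable for a non-default Management API port, and export_policy.sh as the automation path since the install-policy API call cannot target the cloud) can be combined in a small wrapper. This is an added example, not a Check Point script: it assumes EXPECTED_PACKAGE holds the package name you gave to config-install-cloud-policy.sh (the article does not say where that name is stored) and EXPORT_SCRIPT points at export_policy.sh.

```bash
#!/bin/bash
# Added example wrapper around export_policy.sh (not Check Point's own code).
# It rejects a package name that differs from the configured branch-office
# package before anything is sent to the cloud, mirroring the error the
# component itself would return, and exports MGMT_CLI_PORT when the
# Management API is not on its default port.

# Assumption: the name entered in config-install-cloud-policy.sh is kept here.
: "${EXPECTED_PACKAGE:=Branch-Offices}"      # constructed sample name
# Assumption: location of export_policy.sh from the extracted component.
: "${EXPORT_SCRIPT:=$FWDIR/install-cloud-policy/export_policy.sh}"

# Return 0 only if the requested package is the configured branch-office one.
check_package_name() {
    local requested="$1"
    if [ -z "$requested" ]; then
        echo "usage: check_package_name <policy package name>" >&2
        return 2
    fi
    if [ "$requested" != "$EXPECTED_PACKAGE" ]; then
        echo "refusing: '$requested' is not the configured package '$EXPECTED_PACKAGE'" >&2
        return 1
    fi
    return 0
}

# Install the named package to the cloud; optional 2nd arg is a non-default
# Management API port, passed to the component via MGMT_CLI_PORT.
install_cloud_policy() {
    local package="$1" api_port="${2:-}"
    check_package_name "$package" || return $?
    if [ -n "$api_port" ]; then
        case "$api_port" in
            *[!0-9]*) echo "invalid Management API port: $api_port" >&2; return 2 ;;
        esac
        export MGMT_CLI_PORT="$api_port"
    fi
    if [ ! -x "$EXPORT_SCRIPT" ]; then
        echo "export script not found or not executable: $EXPORT_SCRIPT" >&2
        return 3
    fi
    "$EXPORT_SCRIPT" "$package"
}
```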
