How to manage the Access Control Policy of CloudGuard Connect from SmartConsole
The Access Control Policy of Check Point's CloudGuard Connect can be managed either via:
- Infinity Portal
- SmartConsole
Users who manage both on-premises Gateways and branch offices can use SmartConsole to:
- Consolidate their security configuration in one application.
- Use the same network objects in all policies.
- Automate actions across cloud and on-premises using the same Security Management API.
Enable the feature from the Infinity Portal
1. Navigate to Settings > SmartConsole.
2. Check Manage Access Control Policy from SmartConsole.
Prepare an API Key
Your on-premises Security Management Server will connect securely to your account at the Check Point Infinity Portal using an API Key.
1. In the Infinity Portal, navigate to Global Settings > API Keys.
2. Create a new API Key.
3. Make sure that Module is set to CloudGuard Connect.
An API Key consists of a Client ID and a Secret Key. Both will be used in the next step.
Install the Install Cloud Policy component on your on-premises Security Management Server
After enabling the feature, you will be able to download a component for your on-premises Security Management Server.
Note: This component is version-independent and, therefore, can be installed on any security management or multi-domain management server of version R80.20 and above.
Upload that component to your Security Management Server. It is important that you save it directly under the folder $MDS_FWDIR.
1. Extract that component by running: tar xvzf install-cloud-policy.tar.gz
2. Set read and execute permissions for the extracted folder.
3. Navigate to the extracted folder and run: ./config_install_cloud_policy.sh
This script will ask you to provide your Infinity Portal user and password, so that changes made at your on-premises Security Management Server will get deployed at your Infinity Portal account.
The script will also ask you to provide the one policy package at your Security Management Server that represents all your branch offices. This will ensure that administrators do not mistakenly install the wrong policy in the cloud. Note that the policy package does not need to exist at the time of running the script. Administrators who attempt to install a policy package with a name different from the name specified here will get an error message.
You can re-run this script later if your Infinity Portal user name, password, or branch office security policy package name change.
The script completes by running a connectivity check with Infinity Portal. If the connectivity check succeeds, this signals that the Install Cloud Policy add-on has been activated.
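The steps above (upload under $MDS_FWDIR, extract, set permissions, run the configuration script) are easy to get slightly wrong on a production management server, so here is an added example of a staging script that performs steps 1 and 2 with the checks an operator would want first. This is example code written for this page, not Check Point's own tooling. It assumes (the page does not state this) that the archive is named install-cloud-policy.tar.gz, that it unpacks into a directory named install-cloud-policy (the directory later used by export_policy.sh), and that config_install_cloud_policy.sh sits in that directory. Step 3 is interactive, so it is left for the operator.

```shell
#!/bin/sh
# Added example, not Check Point's own tooling: stage the Install Cloud Policy
# component under $MDS_FWDIR with sanity checks before anything is extracted.
#
# Assumed names (not stated by the page): the archive install-cloud-policy.tar.gz
# unpacks into install-cloud-policy/, which contains config_install_cloud_policy.sh.

COMPONENT_ARCHIVE="install-cloud-policy.tar.gz"
COMPONENT_DIR="install-cloud-policy"
CONFIG_SCRIPT="config_install_cloud_policy.sh"

# The component must be saved directly under $MDS_FWDIR, so refuse to continue
# unless that variable is defined and points at an existing directory.
check_mds_fwdir() {
    [ -n "${MDS_FWDIR:-}" ] || { echo "MDS_FWDIR is not set" >&2; return 1; }
    [ -d "$MDS_FWDIR" ] || { echo "MDS_FWDIR=$MDS_FWDIR is not a directory" >&2; return 1; }
}

# Confirm the uploaded archive is in the right place and actually contains the
# configuration script before extracting anything onto the management server.
verify_component_archive() {
    archive="$MDS_FWDIR/$COMPONENT_ARCHIVE"
    [ -f "$archive" ] || { echo "archive not found at $archive" >&2; return 1; }
    tar -tzf "$archive" | grep -q "^$COMPONENT_DIR/$CONFIG_SCRIPT\$" || {
        echo "$archive does not contain $COMPONENT_DIR/$CONFIG_SCRIPT" >&2
        return 1
    }
}

# Steps 1 and 2 of the procedure: extract in place, then grant read and execute
# permission on the extracted folder and script (owner only, nothing wider).
extract_component() {
    ( cd "$MDS_FWDIR" && tar xzf "$COMPONENT_ARCHIVE" ) || return 1
    chmod u+rx "$MDS_FWDIR/$COMPONENT_DIR" "$MDS_FWDIR/$COMPONENT_DIR/$CONFIG_SCRIPT" || return 1
    [ -x "$MDS_FWDIR/$COMPONENT_DIR/$CONFIG_SCRIPT" ]
}

# Returns 0 when the component is staged and ready for step 3, non-zero otherwise.
install_cloud_policy_component() {
    check_mds_fwdir && verify_component_archive && extract_component || return 1
    # Step 3 asks for Infinity Portal credentials and the branch-office package
    # name interactively, so it is deliberately not automated here.
    echo "Component staged. Now run: cd $MDS_FWDIR/$COMPONENT_DIR && ./$CONFIG_SCRIPT"
}

# Usage: sh stage_component.sh install   (in a shell where $MDS_FWDIR is defined)
if [ "${1:-}" = "install" ]; then
    install_cloud_policy_component
fi
```

The archive is listed with tar -tzf before it is extracted so that a wrong or truncated upload is caught before any files land in $MDS_FWDIR, and permissions are granted to the owner only rather than with a blanket chmod 777.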
Add a SmartConsole Extension
Note: Each administrator needs to repeat this step.
1. Open SmartConsole and navigate to Manage & Settings > Preferences.
2. Scroll down to SmartConsole Extensions.
Add the Install Cloud Policy extension to SmartConsole by clicking the + button and typing this manifest URL: https://portal.checkpoint.com/install-cloud-policy.json
Confirm the addition of this extension.
A pop-up window indicates that the extension was added successfully to SmartConsole and that a new button should appear in the toolbar of each Access Control security policy.
How to install your branch office policy from SmartConsole to the cloud
Navigate to Security Policies.
Open the one policy that represents your branch offices. You should see a new button called Install Cloud Policy.
Clicking Install Cloud Policy will send your security policy from your on-premises Security Management Server to the Check Point cloud.
Note: You will be requested to approve this operation twice. Click OK on the 2 consecutive pop-up windows that request approval.
You can track the progress of the operation by clicking the Check Status button on the Install Cloud Policy pop-up window.
Note: Clicking Check Status will ask you to approve this operation. Click OK on the pop-up window.
Note: The task notification at the bottom-left corner of SmartConsole only indicates that an Install Cloud Policy operation has started. When that task completes, it does not mean that the policy installation in the cloud has completed.
Currently, the only way to know whether a policy installation in the cloud is completed is by clicking Refresh Status on the Install Cloud Policy pop-up window and waiting for a status update that says Install Policy Completed.
Attempts to run Install Cloud Policy on a policy that has a name different from the name that was configured on your Security Management Server (see "Install the Install Cloud Policy component on your server") will fail, and will not modify the policy for your branch offices.
How to test connectivity from your on-premises Security Management Server to Infinity Portal
After installing the Install Cloud Policy component on your server (see above), you can navigate to the folder where you extracted this component and run this script:
If an error message shows up, re-configure the connection parameters by running: ./config_install_cloud_policy.sh (as detailed in the "Install Cloud Policy component on your server" section above).
- You can only manage your Access Control Policy from either Infinity Portal or from SmartConsole, but not from both.
- Reverting to managing your Access Control Policy from Infinity Portal will set the policy back to the last version that was configured in the Infinity Portal.
- R80.20 Management Server and above is required.
- This feature assumes that the Security Management Server has connectivity to the Internet over HTTPS.
- Install On column is not supported.
- Hit Count will not be reflected in SmartConsole.
- Content Awareness blade is not supported.
- Enabling XFF on an Access Layer is not supported.
- Layers: Inline layers are fully supported, Ordered Layers are not supported.
- The following objects are not supported:
  - Dynamic Objects
  - Any Gateway or server objects: Gateways, Clusters, VSX Gateways, VSX Clusters, Interoperable Devices, Logical Servers
  - Access Roles
  - Wildcard Objects (support should be added during Q3)
  - Updatable Objects (support should be added during Q3)
  - VPN Communities
- All rules whose action is set to block will have the default UserCheck Blocked page. Customizing the UserCheck object, or changing it from Block to Ask or Inform, is not supported.
- Changing the Track options is fully supported, except for the setting to generate session logs to firewall-only connections.
- The Security Management API call for install-policy does not support installing the policy in the cloud. Instead, the following script can be used: $MDS_FWDIR/install-cloud-policy/export_policy.sh <policy package name>
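Automation jobs that used to call install-policy through the Management API therefore need a replacement that invokes export_policy.sh, and it should carry over the guard the SmartConsole button enforces: only the one branch-office policy package configured with config_install_cloud_policy.sh may be sent to the cloud. The wrapper below is an added example written for this page, not Check Point's own tooling. It assumes (the page does not state this) that the configured package name is handed to the wrapper in the BRANCH_POLICY_PACKAGE variable, since where the configuration script stores it is not documented here, and that export_policy.sh exits non-zero on failure.

```shell
#!/bin/sh
# Added example, not Check Point's own tooling: a wrapper for automation jobs
# that replaces the Management API's install-policy for the cloud. It refuses
# any package other than the configured branch-office package and then runs
# export_policy.sh by its absolute path under $MDS_FWDIR.
#
# Assumption (not stated by the page): the configured branch-office package name
# is supplied in BRANCH_POLICY_PACKAGE; export_policy.sh exits non-zero on failure.

EXPORT_SCRIPT_REL="install-cloud-policy/export_policy.sh"

# The package name ends up on a command line, so keep it to a conservative
# character set (letters, digits, space, underscore, dot, dash) even though the
# exact-match check below already excludes anything unexpected.
valid_package_name() {
    case "$1" in
        "" | *[!A-Za-z0-9\ _.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 only when the requested package is the configured branch-office one.
is_branch_package() {
    [ -n "${BRANCH_POLICY_PACKAGE:-}" ] || { echo "BRANCH_POLICY_PACKAGE is not set" >&2; return 1; }
    [ "$1" = "$BRANCH_POLICY_PACKAGE" ]
}

# install_cloud_policy <policy package name>
# Exit codes: 0 success, 2 bad name, 3 not the branch package, 4 no MDS_FWDIR,
# 5 export script missing, otherwise the exit code of export_policy.sh.
install_cloud_policy() {
    pkg="$1"
    valid_package_name "$pkg" || { echo "invalid package name: '$pkg'" >&2; return 2; }
    is_branch_package "$pkg" || {
        echo "refusing to install '$pkg': cloud policy is restricted to the configured branch-office package" >&2
        return 3
    }
    [ -n "${MDS_FWDIR:-}" ] || { echo "MDS_FWDIR is not set" >&2; return 4; }
    script="$MDS_FWDIR/$EXPORT_SCRIPT_REL"
    [ -x "$script" ] || { echo "$script not found or not executable" >&2; return 5; }
    # Absolute path: "./$MDS_FWDIR/..." would resolve relative to the current directory.
    "$script" "$pkg"
}

# Usage: BRANCH_POLICY_PACKAGE=Branch_Offices sh cloud_install.sh Branch_Offices
if [ $# -eq 1 ]; then
    install_cloud_policy "$1"
fi
```

Distinct exit codes let a CI pipeline tell a policy-name mismatch (the same condition that makes the SmartConsole button fail) apart from a failure inside export_policy.sh itself, and the name check runs before anything is executed so a mistyped job parameter never reaches the cloud.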