topic Re: SMB Masters #2 - EMEA and APAC - Video and Materials in Spark Firewall (SMB)

SMB Masters #2 - EMEA and APAC - Video and Materials

_Val_ — Wed, 19 Apr 2023 08:52:59 GMT

Hi and thanks to all who joined our "SMB Masters #2 - EMEA and APAC" session today.

Here is the video recording of the session:

The slides we used, and also the latest SMB flyer are also attached.

Edited Q&A transcript is below.

What happened in SMB Masters #1 Is there a video? 😊

Yes, see: https://community.checkpoint.com/t5/SMB-Gateways-Spark/Quantum-Spark-Masters-Sept-2022-Video-Slides-and-Q-amp-A/m-p/156748#M7360

Is this SmartAccel on the latest version of firmware?

Hi, yes it's in the R81.10.05 firmware which can be downloaded now.

Any plans to make HTTPS Inspection and SmartAccel don't work together?

We are investigating this for a future release.

How does it determine Device Type in SSL inspection? What happens if Randomization is activated?

We have a device recognition feature that know to classify devices according to MAC address and other characteristics.

Is the "SSL Inspection by Device Type" feature available in Central Management?

Not at this time

HTTPS Inspection for inbound connection?

Not supported yet

Are we able to add custom services under SmartAccel in the future?

....

Will there also be SAML Authentication for Quantum Spark?

Currently no concrete plans. Please reach out to your Check Point office if this feature is required.

SMS authentication for VPN: What are conditions for SMS providers / is it managed by Check Point, is there special subscription?

It is a Check Point managed service. As of R81.10.05, it is available for all countries.

Cluster - is the passive node accessible?

Hi Martin, yes the passive node is accessible for management purposes. Access would be via the IP address configured on the interface not the VIP.

Is Identity Awareness (with Identity Collector) supported on centrally managed appliances?

Yes

Cluster Scope local already available in R81.10.05 ?

Yes

live answered

Any roadmap for advance access policy configuration for power user? Current way of creating access policy is cumbersome where we need to travel back and forth to create group for services/objects.

live answered

Did I see SD-WAN only for Centrally Managed? Is locally managed coming soon?

Locally managed SDWAN capabilities is expected as part of R81.10.10.

Is IoT Protect available on Spark?

Yes, currently only Centrally Managed. We're working on SMP and Locally Managed.

What is the maximum number of tunnels that can be configured on SD-WAN?

live answered

Who should we contact to join EA for PAYG?

You can contact me at avig@checkpoint.com

PaYG...no minimum user, but is there minimum duration? 1 day? week? month? year?

live answered

For two factor authentication is only available for sms and email or can we use mfa app?

We are adding support for Google Authenticator in R81.10.10.

What is FONIC?

Fail Open NIC. When there is an hardware problem, or a software freeze, or even power failure, the WAN port and LAN port will be connected (like short wired), which will keep the connectivity up.

Would like to check if the limitation on SG1800 (1x 1GbE copper/fiber WAN2 (future) & 1x 1GbE Management port (future)) has been lifted?

Second WAN limitation on the 1600/1800 is still valid. You do, however, can use the LAN ports as WAN ports using the Flexiport feature.

Please tell me the supported IPV6 Method

live answered.
MAP-E method for IPv6 is on the roadmap

Does IoT include IIoT and OT devices?

The devices that would be discovered are devices that you can find in offices and enterprises.

When is R81.10.10 expected to be available?

EA is expected end of April 2023, with release expected in Q3 2023. If you're interested in participating in the EA, please contact amiray@checkpoint.com

Is Active/Active for cluster in roadmap?

Not currently planned.

Any plan to use Gaia on SMB devices instead using Embedded Gaia?

Not planned at the moment. However, we are planning to unify some of the functionality differences between the two. If you have specific requests, please work with your local Check Point office.

SD-WAN supports VPN tunnels? With 3rd party peers?

Yes, but not with third parties at this time.

Any API for local managed devices on the roadmap?

Yes.

live answered

SMS Managed vs SMP Managed - Spark Appliance, which supports more features?

SMS/Smart-1 cloud provides a number of options for policy configuration, Identity Awareness etc. that isn't available in SMP. However SMP provides templates and cloud based appliance backup. I don't think its as easy as one is better than the other, but more of which is most appropriate for the use case.

Do you have any future plans with Quantum Edge?

At the moment, we are not planning future Quantum Edge releases. However, we are interested in specific use cases for it.

Is there roadmap to have Reverse Proxy for the SMB appliances?

live answered

Can we save Logs on Spark Entry Appliances for 6 months?

The 1800 includes 256gb SSD storage. On other models, you can add an MicroSD card (if supported).

Infinity SMP managed - is it require license per gateway on top of Security Licenses?

No.

Re: SMB Masters #2 - EMEA and APAC - Video and Materials

Y_A — Tue, 09 May 2023 08:32:31 GMT

Hello, I believe you mention that scopelocal feature is now available on R81.10.05 for quantum spark appliances, any guidance on how to go about configuring this?

Re: SMB Masters #2 - EMEA and APAC - Video and Materials

Amir_Ayalon — Tue, 09 May 2023 09:02:07 GMT

Configuring the Routing Table

The Device > Routing page shows routing tables with the routes added on your appliance.

On this page:

You can add or edit routes and configure manual routing rules. You cannot edit system defined routes.
You can specify routes for and associate IP addresses with selected VPN tunnels. To add, delete, and modify the IP addresses, use dynamic routing protocols.

For every route:

Table Columns

Description

Destination

The route rule applies only to traffic whose destination matches the destination IP address/network.

Source

IPv4 only. The route rule applies only to traffic whose source matches the source IP address/network.

Service

IPv4 only. The route rule applies only to traffic whose service matches the service IP protocol and ports or service group.

Next Hop

The next hop gateway for this route, with these options:

Specified IP address of the next hop gateway.
Specified Internet connection from the connections configured in the appliance.
Specified VPN Tunnel Interface (VTI).

Metric

Determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is selected.

Scope Local

Use this setting on a Cluster Member when the cluster virtual IPv4 address is in a different subnet than the IPv4 address of a physical interface. Now the Cluster Member can accept static routes on the subnet of the cluster virtual IPv4 address.

Protocol

Type of route. Can be Static, Directly connected, BGP, OSPF, and so on.

Rank

A numeric value used to determine which protocol has a higher priority (the lower the value, the higher the priority).

Static routes have a constant rank of 60 (cannot be changed).

Note - You can configure this parameter only in Gaia Clish.

To add a new static route (IPv4 addresses):

In Device > Routing, above the Routing Table, click New.

The New Routing Rule window opens with this message:

Traffic from any source to any destination that belongs to any service should be routed through the next hop.

Click next hop and select an option in the new window that opens:

IP Address - Enter the IP address.
Internet connection - Select an internet connection.
VPN Tunnel (VTI) - Select the VPN Tunnel.

Click OK.

Click any source and select an option in the new window that opens:

Any
Specified IP address - Enter the IP Address and Mask

Click any destination and select an option in the new window that opens:

Any
Specified IP address - Enter the IP Address and Mask

Click OK.

Click any service and select a service name or enter a service name in the search field. You can create a new service or service group.

Note - Static routes are not supported for service-based routes using VTI (VPN).

Optional - Enter a comment.

Enter a Metric between 0 and 100. The default is 0.

To enable Scope Local, select the checkbox.

Click Apply.

To configure a default route:

Go to Device > Local Network page.

Select an interface and click Edit.

The Edit window opens in the Configuration tab.

Click the DHCP Server options tab.

In the Default Gateway section, do one of these:

Click Use this gateway's IP address as the default gateway.
Select Use the following IP address and enter an IP address.

Click Apply.

To edit a default route:

In Device > Internet, click the Internet connection.

Click Edit.

The Edit Internet Connection window opens in the Configuration tab.

Set the Default gateway (next hop) to a different IP address.

Click Apply.

When no default route is active, this message shows: "Note - No default route is configured. Internet connections might be down or not configured."

For Internet Connection High Availability, the default route changes automatically on failover (based on the active Internet connection).

When a network interface is disabled, all routes that lead to it show as inactive in the routing page. A route automatically becomes active when the interface is enabled. Traffic for an inactive route is routed based on active routing rules (usually to the default route).

The edit, delete, enable, and disable options (on the Device > Local Network page) are only available for manually defined routing rules created on this page. You cannot edit, delete, enable, and disable routing rules created by the operating system for directly attached networks or rules defined by the dynamic routing protocol.

To edit an existing route:

Select the route and click Edit.

To delete an existing route:

Select the route and click Delete.

To enable or disable an existing route:

Select the route and click Enable or Disable.

Re: SMB Masters #2 - EMEA and APAC - Video and Materials

Y_A — Tue, 09 May 2023 09:09:26 GMT

Thank you very much! We will try this.

topic Re: SMB Masters #2 - EMEA and APAC - Video and Materials in Spark Firewall (SMB)

SMB Masters #2 - EMEA and APAC - Video and Materials

What happened in SMB Masters #1 Is there a video? 😊

Is this SmartAccel on the latest version of firmware?

Any plans to make HTTPS Inspection and SmartAccel don't work together?

How does it determine Device Type in SSL inspection? What happens if Randomization is activated?

Is the "SSL Inspection by Device Type" feature available in Central Management?

HTTPS Inspection for inbound connection?

Are we able to add custom services under SmartAccel in the future?

Will there also be SAML Authentication for Quantum Spark?

SMS authentication for VPN: What are conditions for SMS providers / is it managed by Check Point, is there special subscription?

Cluster - is the passive node accessible?

Is Identity Awareness (with Identity Collector) supported on centrally managed appliances?

Cluster Scope local already available in R81.10.05 ?

Any roadmap for advance access policy configuration for power user? Current way of creating access policy is cumbersome where we need to travel back and forth to create group for services/objects.

Did I see SD-WAN only for Centrally Managed? Is locally managed coming soon?

Is IoT Protect available on Spark?

What is the maximum number of tunnels that can be configured on SD-WAN?

Who should we contact to join EA for PAYG?

PaYG...no minimum user, but is there minimum duration? 1 day? week? month? year?

For two factor authentication is only available for sms and email or can we use mfa app?

What is FONIC?

Would like to check if the limitation on SG1800 (1x 1GbE copper/fiber WAN2 (*future) & 1x 1GbE Management port (*future)) has been lifted?

Please tell me the supported IPV6 Method

Does IoT include IIoT and OT devices?

When is R81.10.10 expected to be available?

Is Active/Active for cluster in roadmap?

Any plan to use Gaia on SMB devices instead using Embedded Gaia?

SD-WAN supports VPN tunnels? With 3rd party peers?

Any API for local managed devices on the roadmap?

SMS Managed vs SMP Managed - Spark Appliance, which supports more features?

Do you have any future plans with Quantum Edge?

Is there roadmap to have Reverse Proxy for the SMB appliances?

live answeredCan we save Logs on Spark Entry Appliances for 6 months?

Infinity SMP managed - is it require license per gateway on top of Security Licenses?

Re: SMB Masters #2 - EMEA and APAC - Video and Materials

Re: SMB Masters #2 - EMEA and APAC - Video and Materials

Re: SMB Masters #2 - EMEA and APAC - Video and Materials

Would like to check if the limitation on SG1800 (1x 1GbE copper/fiber WAN2 (future) & 1x 1GbE Management port (future)) has been lifted?

live answered

Can we save Logs on Spark Entry Appliances for 6 months?