About this guide
The Security Management Portal (SMP), with its intuitive web-based user interface, enables managed service providers to provision security efficiently for small businesses. With a robust architecture that scales to manage up to 10,000 Check Point Small Business appliances, the SMP easily keeps pace with your security-as-a-service business.
Authors and contributors
This document is
Documentation
The SMP includes an Administration Guide. Context sensitive on-line help is available in the Web User Interface.
The platform
Security Management Portal
No one understands security better than Check Point. That is why the Check Point Security Management Portal can provide unparalleled protection for your network assets. The service has a highly scalable and configurable structure – whether you have a single location with a few employees or multiple locations with hundreds of employees, you are covered. The Check Point Cloud Hosted Security Management Portal (SMP) is a fully-hosted, large scale central management and service (SaaS) provisioning platform.
The Security Management Portal brings enterprise-grade protection to small and medium businesses and comes free with one 1500 series Appliance. Check Point offers you the ability to manage more than one 1500 series Appliance with SMP extensions starting at $1,030 for 10 Appliances.
- Single platform to manage multiple customers – With the multi-domain functionality you can easily manage hundreds of customer environments from one interface, with unified management, monitoring and analysis plus extensive logging and reporting.
- Easy, powerful and intuitive web interface – Access the SMP with your browser; the tree structure shows all functionalities and features in one overview. The cloud-based interface allows access from anywhere.
- Reduced operational and maintenance cost – Low operational overhead with Zero-Touch deployment, scheduled reporting, and granular, role-based administration.
- Robust architecture and scalable deployment – Manage up to 30,000 SMB gateways in a single set-up. Simplified, group-based security provisioning using Plans. Designed for help desk and support center environments.
More information is available at https://www.checkpoint.com/products/security-management-portal/.
Cloud Services | Overview
Check Point offers several unique, sophisticated cloud services for management of the SMB gateways.
- Zero Touch, ZT – Check Point’s hands-off initial configuration solution
- Security Management Portal, SMP – Check Point’s unified management for SMB gateways
- Reach My Device, RMD – Access the SMB gateway managed by the SMP via shell or WebUI
- Software Blades and license – Update service for all functionalities and licenses
- Firmware upgrade – Upgrade service for SMB gateways managed by the SMP
- SandBlast Threat Cloud – Check Point’s Sandboxing, Zero Day protection
- PRO Support – Check Point’s proactive support (optional service)
Cloud Services | Security Management Portal, SMP
The Security Management Portal simplifies the deployment and maintenance of Check Point SMB gateways using group-based management tools. Administrators define multiple service plans, each consisting of a template that defines the plan’s expiration date, gateway properties, VPN settings, as well as additional services such as Anti-Virus protection and content filtering. Plans can be associated with an unlimited number of SMB gateways which inherit all of that plan’s properties. Specific aspects can be overridden if required. When the administrator updates the plan, the changes are automatically applied to all associated gateways.
With the cloud-managed service, Security Management Portal (SMP), you can manage the security policy, firmware upgrades (gradual and remotely scheduled), Cyber Views and periodic backups. Key benefits of the SMP:
- Easy initial setup
- Protected with the latest Check Point security
- Detailed security and network usage reports
- Safe and simple device replacement process
Below is a screenshot that shows the customer view and the features.
- Click on Home -> Overview -> Cloud Services. Notice the options for managing the 1500 Appliance.
- When a customer is registered, an email is sent with instructions on how to configure the Cloud Service connection.
For Internet Service Providers (ISPs) and Managed Service Providers (MSPs) the cloud-managed service offers an interface to manage and support thousands of their customers easily and intuitively. This includes security policy management, firmware upgrades, automatic backups, periodic reports and VPN community support, which is essential when using these appliances in the retail sector. Key benefits of the service to ISPs and MSPs are:
- Cloud-based, multi-tenant, central management
- Designed for managed service providers on any scale
- Supports management of 10,000 small business appliances from a single console
- Provides ISPs and MSPs with value-add and upsell opportunities
A demo site of the cloud managed interface is available. Ask your Check Point contact to provide access to the demo. Highlights of the interface are shown below for your convenience.
- When administrators log in to the site, they are presented with an overview of the managed devices.
- Click on Home -> Map. A map of the managed devices is displayed. Click on Gateways to see an overview of all managed devices, the device owner and the plan assigned to each device.
- Click on Home -> Gateways and notice the fields. They show the gateway name, description, how to access the gateway, MAC address, owner, gateway type, running firmware and assigned plan.
- Click on Home -> Plans to see what services are covered in the different plans.
- Click on Home -> Communities. Notice that it is possible to set up VPNs between managed appliances. The SMP also offers a feature called “externally managed gateway”. This is for VPN purposes only, and gateways of any vendor are supported:
- Add the external gateway object to the SMP
- Define the VPN community and select member type “normal member”
- Define the internal networks (the encryption domains)
- Import the external gateway’s X.509 certificate into the SMP
- Click on Service Domain -> Settings. Here you can set notifications, logging options and DNS settings.
- Click on Service Domain -> Roles. Notice the different roles.
- Click on Gateway Logs -> Logs. Here admins can monitor and investigate incidents. The search bar is a “Google-like” search engine that helps filter the logs.
- Double-click on a log entry. The log card shows useful information on that specific transaction.
Request a new Domain
- Browse to the SMP. https://smbmgmtservice.checkpoint.com/SMC/index.jsp
- Click on “new Domain Request”
- Fill in the requested fields and click submit.
- You will receive the Domain details via email.
Cloud Services | Zero Touch
- The Zero Touch Cloud service allows users to easily manage the initial deployment of Security Gateways. The administrator applies the initial deployment configuration for the gateways in the Zero Touch portal (or via the API service). When a gateway is connected to the internet for the first time, it fetches the settings automatically. The settings from the Zero Touch server replace the First Time Configuration Wizard. The Zero Touch Cloud service is based on a REST API, so all actions are available through API calls. Zero Touch is a free cloud service. You need to log in with your User Center credentials.
- Log in to https://zerotouch.checkpoint.com
- Create a template: Template -> New -> Small Office Gateway
- Define the desired settings.
- Attach your SMB gateway to the Internet and claim your gateway.
Note | If you are using ADSL/VDSL you need to configure the PPPoE settings first. For this we offer One Touch: you can add the PPPoE configuration to a USB stick and let the gateway boot from the USB stick. This will start autoconf.clish.
- If your device is not in the list, you can run an inventory.
Guide | Link
Zero Touch Administration | LINK
Zero Touch API | LINK
Cloud Services | Pro Support
Check Point PRO Support is a proactive, protective and a professional service. Check Point PRO Support combines security expertise and machine intelligence to monitor your security gateways daily and identify points of failure before they occur. When a severe issue is detected, a Check Point PRO expert proactively contacts you to help resolve the issue and prevent service downtime. Check Point PRO also provides you with a comprehensive report, delivering an overview of your overall security, diagnostics and actionable insights.
More information at sk121072
Cloud Services | Reach My Device, RMD
Check Point Reach My Device, RMD, is a service for customers that allows access to SMB gateways situated behind a NAT device, e.g. a router. RMD provides shell and WebUI access.
SMP | Service Domain settings
Under the Service Domain Settings you set the configuration that is specific to your domain. Configure the domain to meet your requirements: Time Zone, a Syslog Server, DNS settings, Mail Settings, Firmware, X.509 Certificates, Notifications, Alerts, Two step authentication, API access and RADIUS authentication.
- Set the relevant Time Zone for your domain.
Enable strong authentication with 2FA. Two factor authentication is available at Service Domain level. If you enable “two step authentication” it enables MFA for all users of the service domain.
- Click Service Domain -> Settings -> Two step authentication
- Tick the checkbox
- Follow the steps sent to you via email
Configure API Access if you wish to integrate with external systems.
- Select the source type and click Finish.
You might want to configure RADIUS authentication for centralized Authentication, Authorization, and Accounting.
- Fill in the required fields and test the connectivity. Save the configuration after a successful test.
SMP | Plan, gateway activation
The SMP offers three activation methods for connecting a security gateway to the SMP.
- SMP IP address & DNS
- Gateway name & Service Domain
- Automatic gateway creation, which works with an activation key (first auto-generated, then settable by the owner). By default, automatically created gateways receive a name based on their MAC address. To set a specific name, replace the dash (“-“) before the plan name with the desired gateway name. Click on Home -> Plans -> Gateway Activation, generate the activation key and save it.
Copy the activation key into your 1500 Appliances.
The 1500 Appliances will contact the SMP and fetch the configuration in three steps.
Notice: if enrolment fails, check that RMD (Reach My Device) is enabled, and enable it if needed.
SMP | Plan, device settings
Under the device settings you can define the NTP servers, DNS servers and gateway administrators. All gateways assigned to this plan inherit these settings. Notice the NTP security settings.
SMP | Plan Security Software Blades
Application Control and URL Filtering
The predefined application list can be used to block other undesired applications as well.
SSL Inspection
With the SMP you manage SSL inspection exceptions and bypass rules, define which SSL logs need to be generated, and set bypass policies. Custom bypass rules are added with the CLI.
Unified Threat Prevention
For the 1500 series Appliance we are supporting the Unified Threat Prevention. The policy is applicable for Anti-Virus, Anti-Bot, IPS and Threat Emulation.
SMP | Plan CLI Scripts
To automate specific configuration settings the SMP supports CLI scripts. In this example we enable SafeSearch. This setting is normally configured locally on the 1500 Appliance itself, but with a CLI script the SMP pushes it to every 1500 Appliance it manages in the plan.
- Click Home -> Plans -> Your Plan -> CLI Scripts
- Add the CLI command to enable SafeSearch
set application-control-engine-settings advanced-settings enforce-safe-search true
- Save the configuration
SMP | Cyber Views
With the SOC-like feature Cyber Views you can track security incidents and infected hosts, follow attack trends on a time line, and much more. It gives a clear picture of the current state of your network in a single overview. Cyber Views is embedded in the SMP and is a great tool for a SOC. It informs you about:
- Infected Hosts
- Prevented Attacks
- Detected Attacks
- Attack trends
All information is clickable and allows you to jump to the event or detailed log information.
Below is an example of infected hosts within the SMP domain.
Or track the detected attacks.
SMP | Reporting
The SMP offers extensive, tailored, scheduled reporting. Report to your customers on a regular basis with a dedicated customized report.
The SMP can provide a report of the Service Domain itself. Providing valuable insight on your domain with:
- Gateway overview
- User overview
- License Expiration details
- Gateways
- Users
- Plans
Click on Overview -> Generate Report
Note the difference between reports from the gateway and from the plan. You can create a fully customized report for your customer with your own logo.
- Click on Service Domain -> Settings -> Notifications and notice the different options
- Click on Gateway reports and customize.
- Select the appropriate language
- Complete message (with report as an attachment)
- Preface text (to an embedded report)
- Company details
- SandBlast Threat Emulation statistics can be found in the reporting (daily, weekly or monthly). You can also find them in your User Center, under the Threat Emulation license.
The report below will appear, informing you how many files were scanned, emulated and found malicious.
SMP | Gateway Logging
The SMP gateway logs allow you to investigate events occurring on your network. The SMP offers Gateway Logs, System Logs and Activity Logs. You can easily search by source, source port, destination, interface, blade and much more.
Jump to the log card for detailed information of the event by clicking on the event.
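The two features above, the “Google-like” log search and the Cyber Views summary (infected hosts, prevented versus detected attacks, attack trend by blade), are easy to reason about with a small model. The block below is an added example, not SMP or Check Point code. Its log format (one event per line as space-separated key=value pairs, with the field names blade, action, src, src_port, dst, dst_port, ifname, malware, protection) is an assumption chosen to mirror the columns the SMP log view exposes; the sample lines are constructed and the real SMP and Log Exporter formats differ, so parse_line() is the part to adapt before pointing this at exported logs.

```python
"""Added example: log search and Cyber Views-style summary over constructed
gateway log lines. Not SMP code; the key=value format is an assumption."""
import re
from collections import Counter

# Constructed sample log lines (not real traffic, not the real SMP format).
SAMPLE_LOGS = """\
time=2023-05-01T08:00:01Z blade=Firewall action=Accept src=10.1.1.10 src_port=51000 dst=93.184.216.34 dst_port=443 ifname=WAN
time=2023-05-01T08:00:05Z blade=Anti-Bot action=Prevent src=10.1.1.23 src_port=51100 dst=198.51.100.7 dst_port=80 ifname=WAN malware=Trojan.Win32.Generic
time=2023-05-01T08:00:09Z blade=IPS action=Detect src=203.0.113.5 src_port=4444 dst=10.1.1.40 dst_port=445 ifname=WAN protection="SMB Remote Code Execution"
time=2023-05-01T08:01:00Z blade=Anti-Virus action=Prevent src=10.1.1.23 src_port=51200 dst=198.51.100.9 dst_port=80 ifname=WAN malware=Exploit.PDF.Generic
time=2023-05-01T08:01:30Z blade=Anti-Bot action=Detect src=10.1.1.55 src_port=51300 dst=198.51.100.7 dst_port=443 ifname=WAN malware=Trojan.Win32.Generic
time=2023-05-01T08:02:00Z blade=Firewall action=Drop src=203.0.113.9 src_port=60000 dst=10.1.1.40 dst_port=22 ifname=WAN
"""

# key=value, where a value is either a double-quoted string (may contain
# spaces) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_logs(text):
    """Parse every non-empty line of a log export into a list of dicts."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def search(records, query):
    """Google-like search: a bare word must appear (case-insensitively) in at
    least one field value; a field:value term must match that field exactly.
    All terms must hold for a record to be returned."""
    terms = query.split()
    out = []
    for rec in records:
        matched = True
        for term in terms:
            if ":" in term:
                field, _, value = term.partition(":")
                if rec.get(field, "").lower() != value.lower():
                    matched = False
                    break
            elif not any(term.lower() in v.lower() for v in rec.values()):
                matched = False
                break
        if matched:
            out.append(rec)
    return out


# Blades whose events count as attacks in the summary (assumption).
THREAT_BLADES = {"Anti-Bot", "Anti-Virus", "IPS", "Threat Emulation"}


def cyber_view(records):
    """Summarise the way the SMP Cyber Views does: infected hosts are the
    sources of Anti-Bot events, attacks are split into prevented vs detected
    by the action field, and the trend is the count of attacks per blade."""
    infected = sorted({r["src"] for r in records if r.get("blade") == "Anti-Bot"})
    threats = [r for r in records if r.get("blade") in THREAT_BLADES]
    prevented = sum(1 for r in threats if r.get("action") == "Prevent")
    detected = sum(1 for r in threats if r.get("action") == "Detect")
    by_blade = Counter(r["blade"] for r in threats)
    return {
        "infected_hosts": infected,
        "prevented": prevented,
        "detected": detected,
        "by_blade": dict(by_blade),
    }


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    # Free text "trojan" combined with a field filter, like the SMP search bar.
    for r in search(recs, "blade:Anti-Bot trojan"):
        print(r["time"], r["src"], "->", r["dst"], r["action"], r["malware"])
    print(cyber_view(recs))
```

The split between Prevent and Detect is the part worth checking in a real export: a Detect on a Threat Prevention blade means the traffic was allowed through, so the host behind it (10.1.1.55 in the constructed data) belongs on the infected-hosts list even though nothing was blocked.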
SMP | Notifications
Receive email notifications of your SMP domain. The email notifications will alert you about Security Incidents, Networking Events and Operational Events.
Click on Home -> Plans -> Your plan -> Services -> Notifications. And notice the available options.
Click on Notification Recipients to configure who will receive those alerts.
SMP | Alerting
Besides the notifications you can also configure custom alerts that meet your requirements.
- Click on Service Domain -> Settings -> Custom Alerts
- Click New and select the relevant alert, e.g. gateway deleted
SMP | Periodic backup
Check Point recommends regular backups of your environment. Click on Home -> Plans -> Services -> Periodic Backup and notice the schedule. To automate this process you might also consider a CLI script performing this task.
Example: backup settings to tftp server <serverIP> <filename> [file-encryption {off|on password <pass>}] [backup-policy {on|off}] [add-comment <comment>]
Note that TFTP carries the backup file in cleartext and without authentication, so set file-encryption on when the backup leaves the gateway, and remember that the encryption password then lives in the CLI script stored in the plan.
SMP | Firmware upgrades
The SMP offers several options to upgrade your environment, which makes life as an administrator much easier. The following options are available:
- Specific version (hardware dependent)
- Check Point latest
- Managed locally on the device
- Gradual Upgrade
Notice that you need to set a schedule for the upgrade service.
Click on Plans -> Select your plan -> Services -> Firmware.
SMP | User management
New users with different permissions (based on their defined role) can easily be added to the SMP.
- Click Home -> Users -> New
- Create the new user and the desired role
- Set the permissions and restrictions
API | Security Management Portal
- The SMP supports the use of APIs (Application Programming Interfaces) to automate and orchestrate daily or recurring tasks.
- The SMP API adds a new way to read information from and send commands to the SMP server.
- The SMP includes a Web-based API that conforms to the SOAP/XML standard. You can use the SMP API to integrate external systems with the SMP.
- Examples of uses for this API include synchronization with billing systems, integration with existing customer service applications, and creation of a custom Self Provisioning Portal.
- The SMP API can be used with applications written in any programming language that supports SOAP Web services, including Java, C#, Perl, and most other modern programming languages.
API | Zero Touch
The Zero Touch Portal supports the use of APIs to automate initial deployments. The Zero Touch Cloud Service allows users to easily manage the initial deployment of their Small and Medium Business (SMB) gateways.
More information is available at
sk116136 Orchestrated Rollout of LSM Centrally Managed 1100/1200R/1400 SMB Appliances - Demo Kit
sk116375 Zero Touch Cloud Service for Gaia OS and Gaia Embedded SMB appliances