israelsc
Collaborator

Disable Local firewall rules management on Spark Management GW // Firewalls rules and VPN migration

Hello everyone!

I have some questions about local firewall rules management when you manage a Quantum Spark Gateway with Spark Management (SMP), and questions about firewall rules migration.

I know that you can enable "remote" management for firewall rules from the Spark Management Portal to send these policies to the Spark Gateway, and when you fetch configurations on the Gateway, the Gateway deploys the new firewall rules to the rulebase. The problem I see here is that if you have admin credentials or a user with write permissions for the Quantum Spark Gateway, the administrator can modify or create their own firewall rules locally on the appliance.
Is it possible for firewall rules to be managed exclusively from the Spark Management Portal and to block the creation of local rules? I understand that the Gateway works as "Locally Managed + Cloud Services," but is there any way to block local management of firewall rules?

The second question is about migrating firewall rules from an on-premises Security Management Server to Spark Management Portal.
The current environment is a Management Server with a Gaia R81.20 HA Cluster and 100+ remote Quantum Sparks communicating through a Star Community VPN.
The firewall rules for this VPN are managed through a Policy Package and, as the central and remote firewalls are managed by the same Management Server, the VPN certificates are issued by the ICA on the Management Server.
Is there a way to migrate the firewall rules from the Management Server Policy Package to Spark Management?
Same question for VPN certificates issued by the Management Server ICA: is it possible to migrate them to Spark Management?

I know these questions can be addressed with our SE, but at the same time I would like to know if anyone has the answers to these questions, if anyone has had a similar experience, or if anyone could help me get oriented beforehand.

Greetings!

Accepted Solutions
yahavb
Employee

Hi,


The access policy feature from Spark Management is unique and is by design co-managed with the local appliance. This means that even if the policy is managed by Spark Management, it is not locked for editing on the local web UI. Ensuring that some admins will not be able to create rules should be achieved by using specific roles. Consider looking into the self-serve portal feature, which provides a web UI with only a small set of capabilities.

Regarding the migration of access rules from Smart-1, it is not possible at this time; moreover, the access policy capabilities in Spark Management are more simplified compared to Smart-1, which makes a migration impossible.

You can add external CA certificates to Spark Management to be distributed to the connected gateways under Settings -> Certificates. When a device is managed by Spark Management, the VPN certificate is automatically issued and maintained by Spark Management as long as the device remains connected to the service. This means that when configuring a VPN community where the center is managed by Smart-1 and the Spark gateways are managed by Spark Management, you will need to share the CA with each side, where the center is usually configured as LSV.

I am also sharing an SK on how to set up a VPN community in Spark Management with an externally managed Check Point gateway: https://support.checkpoint.com/results/sk/sk177545


2 Replies
PhoneBoy
Admin

If the device is managed with a Smart-1 (either Cloud or on-premises), then you will not be able to create local firewall rules.
SMP does not block local rule creation.

There is also no automated way to convert between on-premises (or Cloud) Smart-1 and Spark management (local or SMP).

