PhoneBoy
Admin

Quantum Spark FAQ April 2023

This FAQ was assembled from the SMB Masters sessions we've done previously.


SmartAccel

Can I find SmartAccel on the latest version of firmware?

Yes, SmartAccel is available starting with R81.10.05 firmware, which you can download from sk179797.

Any plans to make HTTPS Inspection and SmartAccel work together?

Yes, we are exploring this.

Can we add custom services under SmartAccel?

Custom services are currently not supported. We are exploring this for the future.

Are SmartAccel, the HTTPS Inspection enhancements, and Google Authenticator supported in Centrally Managed mode?

These features are supported in QUANTUM SPARK Local Management only.

SmartAccel gives you better performance. What’s the downside?

SmartAccel is applied on commonly used trusted domains with high bandwidth and enabled by default on Locally Managed gateways. There is no expected downside.

 

SD-WAN

It was mentioned that the Quantum SPARK pro devices support two 5G SIM cards. Can we use both SIM cards together with SD-WAN capabilities?

QUANTUM SPARK supports traffic load sharing between multiple WAN interfaces.
• LTE is considered a WAN interface.
• LTE does not support load sharing between 2 SIM cards.

For High Scalability Enterprise customers, does Maestro/Quantum support SD-WAN?

QUANTUM SPARK supports SD-WAN for Centrally Managed (enterprise) devices. QUANTUM SPARK SD-WAN for Local Management (for SMBs) is a work in progress.

Does SD-WAN support VPN tunnels with 3rd party peers?

SD-WAN supports VPN against Check Point peers only.

Does SD-WAN for QUANTUM SPARK devices require you to have Smart-1? Or can it be enabled and configured directly with QUANTUM SPARK Management?

QUANTUM SPARK SD-WAN can be managed with Smart-1 or Smart-1 Cloud. QUANTUM SPARK SD-WAN with Infinity SMP is a work in progress.

Does SD-WAN allow us to route traffic to different routes on 1500 appliances? We can currently route all traffic to Harmony Connect via a 1590 VPN branch office but streaming services do not work. An option would be to route streaming straight out to the Internet but this is currently not supported.

SD-WAN allows you to make your routing conditional upon the application. Therefore, you can set a rule that streaming, Zoom, Teams, etc. should not be routed to the VPN but rather directly.

How many WAN interfaces can be used simultaneously when using SD-WAN?

QUANTUM SPARK was tested with up to 5 WAN interfaces.

How will Quantum SD-WAN be licensed?

While the exact details are not yet finalized, it is expected to be an add-on license based on the gateway's base price.

SD-WAN is a major selling point for other vendors where it is included. Check Point should think about this without asking for a fee.

Some of our competitors include SD-WAN for free, but we believe our feature set is more complete and able to manage and deploy across multiple appliances via Central Management.

 

New Hardware

Why is there no 5G version of the 1575 appliance?

The 1575 is a new platform with more threat prevention throughput and stronger LTE connectivity (compared to the 1570). The 1595 supports the necessary throughput to fully support 5G speeds.

Is 5G available globally with any telecom in any country for the 1595 model?

In most countries, it should work out of the box. Specific Telcos will require certification.

Are all these newer appliance models shipping today (1575, 1595, etc.)? If not, when will they be available?

The 1500 Pro wireless and WiFi6 models are shipping today. The 5G version is expected to be available soon. The V1R Slim model is also planned to be available soon.

What is FONIC?

Fail Open NIC. It allows traffic to be bypassed if the hardware/software/power fails. FONIC is relevant only in L2 / Bridge topology. We plan to introduce FONIC in the coming 1595R model.

 

IoT

Is a third-party IoT discovery engine (e.g., Armis) also needed to work with the current IoT Protect blade if you have a very large IoT environment?

No. Asset discovery is included in Check Point technology.

Does IoT include IoT and OT devices?

IoT discovery and enforcement mainly focuses on Smart Office assets.

Is IoT Protect available on QUANTUM SPARK?

Yes.

 

Infinity Portal / SMP

SMP Management in the Infinity Portal - does it require a license per gateway on top of Security Licenses?

Infinity SMP Management is provided free for Quantum SPARK appliances.

Using SMP has no extra cost for SMB appliances with a valid subscription. Will that change when SMP transitions to another platform?

There are presently no plans to change this when SMP management moves to the Infinity Portal.

Will Infinity QUANTUM SPARK replace the SMP Portal? And if so, how will the migration process work?

Infinity QUANTUM SPARK management will ultimately replace SMP. We will have a documented process closer to the release date.

Security Management Server (SMS) managed vs SMP Managed - QUANTUM SPARK Appliances: Which supports more features?

SMS/Smart-1 Cloud are enterprise grade and can manage all Check Point gateways.
Infinity SMP is targeted at the SMB market for Telcos / MSSPs and allows you to manage and monitor Quantum SPARK gateways on a large scale.

In general, do you advise managing SMB gateways from a central Security Management Server or Infinity Portal?

SMS/Smart-1 Cloud are enterprise grade and can manage all Check Point gateways.
Infinity SMP is targeted at the SMB market for Telcos / MSSPs and allows you to manage and monitor Quantum SPARK gateways on a large scale.

 

HTTPS Inspection

SSL inspection for locally managed appliances – best practice SK - sk180929

How does the gateway determine the Device Type in SSL inspection? What happens if the Randomization feature is activated?

Asset type is determined by asset network hints. Randomization is only applicable for Mobile devices, which are not the default assets for SSL inspection.

Is the "SSL Inspection by Device Type" feature available in Central Management?

No, "SSL inspection by device type" is supported only in Locally Managed Quantum SPARK appliances.

Is there HTTPS Inspection for inbound connections?

Not currently planned. If you feel this feature is needed, please request an RFE.

How many of the applications require you to decrypt SSL to correctly identify the application?

We don't track the precise number of applications that require HTTPS Inspection to be correctly identified. That said, it is common for Google and Microsoft services to require HTTPS Inspection in order to differentiate between various services they offer. 

 

VPN Remote Access / Multifactor Authentication

SMS authentication for VPN RA: What are the conditions for external SMS providers / is this managed by Check Point? Do I need a special subscription?

Check Point provides SMS service for QUANTUM SPARK gateways, Worldwide, at no charge. No registration is needed. This feature is available starting from R81.10.05.

Is Two-Factor Authentication only available for SMS and email or can we use the MFA app?

Google Authenticator is planned soon and is already available for EA. Microsoft Authenticator is being considered for future releases.

What about SAML Authentication (e.g. for Azure AD)?

Not at this time, but we are considering this and other methods for future releases.

 

Clustering

Is the passive node accessible?

Yes. The passive node (Standby Member) is accessible for management purposes, the same as Quantum Cluster.

Is Scope local already available in R81.10.05?

Yes, "single routable IP for clustering" (Scope local) is supported in version R81.10.05 and higher.

Are syncing policy capabilities and cluster IP with different private physical IP only supported in Local Management?

These features are also supported with Central Management.

Are there any plans for ClusterXL Load Sharing (Active/Active) on QUANTUM SPARK?

Currently, it is not planned.

Is it possible to balance traffic load through two or 3 WAN interfaces with QUANTUM SPARK? What about a cluster environment?

QUANTUM SPARK supports traffic load sharing between multiple WAN interfaces.

Logs and Monitoring

For monitoring, are there plans to implement this with Skyline?

Yes, this is planned for a future release.

Is it planned to enhance reporting on Locally Managed Quantum SPARK appliances? For example, to monitor real time bandwidth on specific interfaces in WebUI?

Yes, this is planned for a future release.

Can we save Logs on QUANTUM SPARK Entry Appliances for 6 months?

This can be achieved when managed by Infinity SMP.

Can we send logs to a Syslog server?

Yes.

 

Quantum Edge

Is a new version of Quantum Edge running R81 code coming soon?

This is not planned.

Will there be an update of the VMware image to test the SMB software in our own lab environment?

Quantum Edge images support up to R80.20 code base appliances. If you wish to have VNF images for self-tests, please contact TAC: https://help.checkpoint.com

Are there any plans to support something like Maestro with SMBs?

No.

Do you have any future plans with Quantum Edge?

No.

 

General

If a business is categorized SMB but their architecture is bigger than 100 users, which appliance would you recommend?

As there is some overlap between SMB and enterprise gateways in terms of the number of users that are supported, the choice to use one or the other depends on the precise requirements.

PaYG has no minimum number of users, but is there a minimum duration?

There is no minimum duration for PaYG.

Was the limitation on SG1800 (1x 1GbE copper/fiber WAN2 (*future) & 1x 1GbE Management port (*future)) lifted?

The second WAN limitation on the 1600/1800 is still valid. However, you can assign the LAN ports as WAN ports using the Flexiport feature.

Is LDAP Proxy, to use Active Directory integration, supported when managed on Smart-1 Cloud?

This is already supported in QUANTUM SPARK firmware R81.10.00. For Smart-1, you need to upgrade to R81.20.

Is it planned to integrate QUANTUM SPARK appliances with Identity Collector?

This is already supported in the latest firmware.

Are R80.20.xx firmware versions still being developed?

Security fixes are merged into R80.20.x. New features are developed in R81.10.x.

Is Gaia Embedded on Open Server supported?

No.

 

Roadmap

Is there an ETA for GRE support on SMB appliances?

GRE is a work in progress and is already in EA.

When is R81.10.10 expected to be available?

EA is expected in Q3.

Is MAP-E supported for IPv6?

It's on the roadmap.

Are there any plans to use Gaia operating system on SMB devices instead of using Embedded Gaia?

Gaia Embedded and Gaia are different operating systems. We are constantly working to align Gaia Embedded devices with Gaia code and commands.

Can we export a report on the queries for zero hit rules?

This is supported with Central Management. For Local Management, this is on the roadmap.

What are the plans to enable WAN2 on the 1800?

This is not planned. For additional WAN interfaces, LAN ports can be assigned as WAN. The planned 2000 Appliance will provide 4x10 SFP that can be used as LAN or WAN.

Will the QUANTUM SPARK appliances ever be able to use the Terminal Server Agent (MUH)?

This is not planned.

Will Embedded Gaia become available on, say, a 3800 appliance?

No.

Are there any plans to add dedicated Wi-Fi access points for QUANTUM SPARK or the overall Quantum series?

This is under discussion.

Will we see Power over Ethernet again?

This is not planned.

Are there any plans to finally remove the limitation that SNX can be used only with the IE browser?

Yes, we are looking for other solutions.

1 Reply
the_rock
Legend

Nice!
