As this is a Check Point extension you will need to write a mail to: extensions@checkpoint.com 

The extension is publicly hosted to make it easier for customers to use without needing a web server to host it.

If you prefer to host it internally, you can of course do so. All the files are accessible just like the ".json" file.
For example:

https://extensions.checkpoint.com/changes-report/index.html

We would be very glad to get customer feedback on this extension. Let us know if it's helpful for you!

Note that it's recommended to have the latest R80.30 JHF installed on your server. There are some fixes there for edge cases that can affect the report.

Note #2: in R81, this capability will be out-of-the-box without having to manually add the extension. In R80.30 / R80.40, we are providing it as an extension so that earlier releases can enjoy it.

Hi Tomer,

thanks a lot Tomer.

Its a very helpful extension, glad to hear that this feature will be integrated with smartconsole..👏

Regards

Sudip

Hi Tomer, is there documentation on implementing this extension on-prem?

Thanks,

Dave

Right. Even when you uncheck this in Global Properties then SmartConsole Extensions can still send data to Google for all kind of Check Point analytics. Let's see if this gets fixed in R81 as I was told yesterday that this code is included in R81 EA as it is. But also many other Check Point tools, like the What's new page, that opens when you installed a new SmartConsole for the first time, talk to Google.

@Danny, @Sven_Glock , thank you for sharing your concerns. We are open to get the feedback, and this is a good example of how the direct contact with the community is valuable.

Short answer: we will modify the extension so that it won't access Google without explicit permission

Long answer:

Many web applications and sites use Google Analytics to gather usage information. It's a very easy way to gain insights to what regions your users are coming from, what features they use and how. It doesn't share personal information or the actual values that were inputted.

The SmartConsole extensions are external to the application and can even be developed by 3rd parties. Therefore, they can access external sites / APIs without the limitations imposed on SmartConsole.

That said, we understand that if an extension is provided by Check Point, there is an expectation that we will check if sharing usage information was approved. 

As a first step, we will remove the reporting to Google Analytics. We will double-check the code in R81 to make sure it's not there and also update (in 1-2 weeks) the extension that we host publicly. If you use it from our URL, it will be updated automatically.

As a second step, we will develop a REST API that can be used to check if the Management has approved sharing usage information. Then our extensions (and even 3rd party extensions) can use this API to make the decision according to the user's choice. It's important to emphasize that with 3rd party extensions, the responsibility for doing this is on the developer of the extension.

In regards of SmartConsole extension, I need to insert URL which is publicly available (on internet).

Where exactly I need to have internet access? On workstation where I have installed SmartConsole, or on Management system (MDS) ?

Are there any plans to have Extensions working even without internet access ? Like installing offline or something like that...

I will not install any extention which will gather some information (like Google Analytics).

The SmartConsole application needs to access the URL (not the MDS).

Note that we are hosting the extension files in the cloud for convenience. They are open source, so you can download them and host them locally on your web server. In that case, you won't need internet access.

Regarding the Google Analytics, in the coming couple of weeks we plan to update the extensions code to stop sending the data.

Thanks @Tomer_Noy  for the quick positive response! 🙂 Can you please update this threat once new release with fixed google communication is GA?

Updating that we have removed the Google Analytics reporting code from our Changes Report extension (https://extensions.checkpoint.com/changes-report/extension.json).

This is updated in our GitHub open source and in the publicly hosted version in the link.

As always, we welcome feedback and would love to hear if this extension is useful for you in production.

Google Analytics got removed. However, these Google resources are still used and downloaded from Google everytime the SmartConsole Extension is accessed:

• Google Fonts > https://extensions.checkpoint.com/changes-report/static/css/main.d660d57d.chunk.css
• Google Cloud Storage > https://extensions.checkpoint.com/changes-report/static/js/main.c520889e.chunk.js
• Google Workbox > https://extensions.checkpoint.com/changes-report/service-worker.js

Hmmm...

These are just links to static content (fonts, a Check Point logo image and a js file). No customer information is passed.

Nevertheless, let me discuss it with the relevant R&D team and we'll see what should be done.

The latest Changes Report extension should be "Google-free" now 😀

Check it out and enjoy!

As always, let us know if you have feedback (good or bad). Also, use-cases or stories on how you use this will be much appreciated.

The related screen shot in sk166435 still shows the use of Google resources.

The screenshot in the SK was not updated.

If you install the extension from the link, it will not show those external resources anymore.

Also SmartConsole What's New that opens automatically upon every SmartConsole installation and your Tailored Safe extension use Google Analytics and Tag Manager.

The Changes Report will show you the changes in your current session before you publish.

If you want to see changes between published sessions, go to the Revisions page (under Manage & Settings), select the desired revision and click the "Changes" button.

The more intuitive way to see all changes since last policy install is:

• Click on policy installation
• Select policy to install
• Click on the link below "Total Changes from last installation..."
• In the next window select the oldest revision
• Click on "Changes"
• Select "Compare to current version"

I have installed the extension in r80.40 take 78 and the "change" button is now available in all the sections that it is supposed to be.
Now when I click the change button in any section I get a white screen prompted and in about 20 or 30 secs I get a err message saying "Loading Error: ERR_CONNECTION_TIMED_OUT"
Is there any special connectivity required for this extension to work?

Weird, I don't see any external connection when I click "changes" but I see there are loads of tcp connections to localhost in the manager.
I don't know why this extension fails in my environment.

Are you trying this extension with Demo Mode, or your own Management server?

Sorry, I have just noticed that the Smartconsole was trying to access to the manager using the GAIA default proxy configuration.
I have set UseDefaultWebProxy=true following sk166932 and it is sorted now

C:\Program Files (x86)\CheckPoint\SmartConsole\R80.40\PROGRAM\SmartConsole.exe.config

I would say that it makes more sense for UseDefaultWebProxy to set to true by default, but anyway it is okay.

My Security Manager has two nics with two different ips to get more redundancy. It works great. If one nic goes down I can connect with smartconsole to the other ip and I have no problem to make changes in the other gateways through the secondary nic.

The only problem is this "changes" extension. I get the following error "Error: Unable to retrieve read-only session" when the primary card/ip is down (this is the ip configured in Smartconsole for the manager and also the official ip for the licenses).

Looking at sk166932, it seems that this is expected if the ip configured in Smartconsole for the mgmt object differs from the ip you are accessing to.
It seems that the checkpoint extension system doesn't support two nics/2ips.

Is there anything it can be done to support this configuration?
I would love to have a VPC/LACP and only one IP over the two NICs but I can't do it at the moment.

Connectivity: To configure interface redundancy it is best practice to set up an interface bond and use one single IP address.

Security: Your security management should be a management host running at one specific host IP address that is directly segmented and protected by your security gateways. Configuring a secondary interface means you maintain a management gateway and not a management host which is not recommended.

License: You already figured it out by now, right?

Web Extensions: These and many other management functions rely on your managements' main IP address, so don't change it and put it on an interface bond instead.

Connectivity: To configure interface redundancy it is best practice to set up an interface bond and use one single IP address.

- Agree, I would love to do it but I can't at the moment. We are connecting the Manager to two switch/routers in HA. Unfortunately they don't run VPC, so we need two different IP networks to support this configuration in HA.

Security: Your security management should be a management host running at one specific host IP address that is directly segmented and protected by your security gateways. Configuring a secondary interface means you maintain a management gateway and not a management host which is not recommended.
- Totally agree. But yeah, both NICs are in the same security zone, so it is a host with two NICS, with two default routes. So no security concerns.

License: You already figured it out by now, right?
- Good question, but I have tested it and I don't see any problem when the licensed IP is down (I am testing with temporary licenses though). I think the GAIA is happy as long as the IP is configured even if the NIC is down.

Web Extensions: These and many other management functions rely on your managements' main IP address, so don't change it and put it on an interface bond instead.

- For all these reason it would be nice if the Security Manager Extensions could support a manager with two IPs. I think that the Smartconsole and the standard SMS actually supports two ips but not the Security Manager Extensions.

I am trying it in the management server, not in demo mode.