Check Point

Firewalls (Gateways, VE, VSX, Edge)

Access Requests
Manual target selection
Device object selection
Add Access
Risk Analysis
Designer
Provisioning
Provisioning in automatic step
Verifier
Authorization and documentation
Auto close
Remove Access
Verifier
Designer
Provisioning
Provisioning in automatic step
Auto close
Decommission Network Object
Impact Analysis, Verifier
Rule Recertification
Update metadata

Notes for Firewalls (Gateways, VE, VSX,):

  • Firewalls must be managed by CMA/SmartCenter. Additional interface and routing information is available when the gateway is monitored directly by SecureTrack.
  • For Access Requests in topology mode, when selecting a firewall that is not in the path for a Check Point device, Designer and Verifier fail and include a notification that the target is not in the path.

  • Automation tools do not use Application Control information.
  • Designer gives priority to service objects that have a default timeout set in the firewall.

Notes for Firewalls (Edge):

  • Edge devices are supported when managed by SmartCenter/Provider-1. Edge devices are not supported when managed by LSM.
  • Designer gives priority to service objects that have a default timeout set in the firewall.

Management Devices (CMA, SmartCenter)

Access Requests
Manual target selection
Device object selection
User Identity (LDAP groups in source)
Modify Group
Designer, Provisioning + Committing
Provisioning + Committing in automatic stepCreate/modify group
Add Access
Risk Analysis
Designer, Provisioning + Committing
Provisioning + Committing in automatic step
Verifier, Authorization and documentation, Auto close
Remove Access
Verifier
Designer
Provisioning
Provisioning in automatic step
Auto close
Decommission Network Object
Impact Analysis
Designer
Provisioning + Committing
Verifier, Authorization and documentation
Clone Network Object Policy
Designer
Provisioning (or) Provisioning and Committing
Verifier
Rule Decommission
DesignerProvisioning + Committing
Provisioning + Committing in automatic step
Verifier, Authorization and documentation
Auto close
Rule Modification
Provisioning + Committing
Provisioning + Committing in automatic step
Rule Recertification
Update metadata

Notes for Management Devices (CMA, SmartCenter):

  • In SecureChange, you can leverage automation tools, such as target selection, Verifier, and Designer to automate access requests that contain FQDNs.

  • In SecureTrack, there is visibility for FQDNs in security rules and change tracking, assessment, path analysis, and matching rules.

  • For CMA and SmartCenter devices running R80 and above, Access Requests support IPv6 objects, including Designer recommendations and Provisioning.

  • Access Requests: For CMA and SmartCenter devices running R80 and above, rule location customization includes the following options for adding new rules:

    • After an existing rule

    • Before an existing rule

    • As the last rule

  • Decommission Network Object 'Provisioning' and 'Authorization and documentation' is supported for CMA, SmartCenter running R80 and above.

  • Modify Group field displays groups with mixed IPv4 and IPv6 objects when running on R80 and above.

    Operations on the included IPv6 objects (adding/deleting an existing object or creating a new object) are not supported.

  • Rule Decommission is supported for CMA, SmartCenter running R80 and above.

  • Rule Modification is supported for CMAs and SmartCenters running R80 and above.

  • Provisioning + Committing is supported for CMA, SmartCenter running R80 and above.

  • Inline layers for R80 gateways are supported in all SecureChange workflows. (Special characters are not supported in inline-layer names.) Shared inline layers will not be modified by default in any SecureChange workflow. To change this behavior, please contact support.

  • Designer gives priority to service objects that have a default timeout set in the firewall.

Management Devices (MDS)

Modify Group
Designer
Provisioning
Provisioning + Committing in automatic step
Create/modify group
Decommission Network Object
Impact Analysis
Designer
Provisioning
Verifier

R80 and above also supports:

Designer
Provisioning
Authorization and documentation
Clone Network Object Policy
Designer
Provisioning (or) Provisioning and Committing
Verifier
Rule Recertification
Update metadata

Notes for Check Point Management Devices (MDS):

  • Modify Group field supports groups that contain IPv4 and/or IPv6 objects when running on R80 and above.

  • Decommission Network Object supports shared groups/global objects.

  • Designer gives priority to service objects that have a default timeout set in the firewall.