On This Page
Check Point
Firewalls (Gateways, VE, VSX, Edge)
- Access Requests
- Manual target selection
- Device object selection
- Add Access
- Risk Analysis
- Designer
- Provisioning
- Provisioning in automatic step
- Verifier
- Authorization and documentation
- Auto close
- Remove Access
- Verifier
- Designer
- Provisioning
- Provisioning in automatic step
- Auto close
- Decommission Network Object
- Impact Analysis, Verifier
- Rule Recertification
- Update metadata
Notes for Firewalls (Gateways, VE, VSX,):
- Firewalls must be managed by CMA/SmartCenter. Additional interface and routing information is available when the gateway is monitored directly by SecureTrack.
-
For Access Requests in topology mode, when selecting a firewall that is not in the path for a Check Point device, Designer and Verifier fail and include a notification that the target is not in the path.
- Automation tools do not use Application Control information.
- Designer gives priority to service objects that have a default timeout set in the firewall.
Notes for Firewalls (Edge):
- Edge devices are supported when managed by SmartCenter/Provider-1. Edge devices are not supported when managed by LSM.
- Designer gives priority to service objects that have a default timeout set in the firewall.
Management Devices (CMA, SmartCenter)
- Access Requests
- Manual target selection
- Device object selection
- User Identity (LDAP groups in source)
- Modify Group
- Designer, Provisioning + Committing
- Provisioning + Committing in automatic stepCreate/modify group
- Add Access
- Risk Analysis
- Designer, Provisioning + Committing
- Provisioning + Committing in automatic step
- Verifier, Authorization and documentation, Auto close
- Remove Access
- Verifier
- Designer
- Provisioning
- Provisioning in automatic step
- Auto close
- Decommission Network Object
- Impact Analysis
- Designer
- Provisioning + Committing
- Verifier, Authorization and documentation
- Clone Network Object Policy
- Designer
- Provisioning (or) Provisioning and Committing
- Verifier
- Rule Decommission
- DesignerProvisioning + Committing
- Provisioning + Committing in automatic step
- Verifier, Authorization and documentation
- Auto close
- Rule Modification
- Provisioning + Committing
- Provisioning + Committing in automatic step
- Rule Recertification
- Update metadata
Notes for Management Devices (CMA, SmartCenter):
-
In SecureChange, you can leverage automation tools, such as target selection, Verifier, and Designer to automate access requests that contain FQDNs.
-
In SecureTrack, there is visibility for FQDNs in security rules and change tracking, assessment, path analysis, and matching rules.
-
For CMA and SmartCenter devices running R80 and above, Access Requests support IPv6 objects, including Designer recommendations and Provisioning.
-
Access Requests: For CMA and SmartCenter devices running R80 and above, rule location customization includes the following options for adding new rules:
-
After an existing rule
-
Before an existing rule
-
As the last rule
-
-
Decommission Network Object 'Provisioning' and 'Authorization and documentation' is supported for CMA, SmartCenter running R80 and above.
-
Modify Group field displays groups with mixed IPv4 and IPv6 objects when running on R80 and above.
Operations on the included IPv6 objects (adding/deleting an existing object or creating a new object) are not supported.
-
Rule Decommission is supported for CMA, SmartCenter running R80 and above.
-
Rule Modification is supported for CMAs and SmartCenters running R80 and above.
-
Provisioning + Committing is supported for CMA, SmartCenter running R80 and above.
-
Inline layers for R80 gateways are supported in all SecureChange workflows. (Special characters are not supported in inline-layer names.) Shared inline layers will not be modified by default in any SecureChange workflow. To change this behavior, please contact support.
- Designer gives priority to service objects that have a default timeout set in the firewall.
Management Devices (MDS)
- Modify Group
- Designer
- Provisioning
- Provisioning + Committing in automatic step
- Create/modify group
- Decommission Network Object
- Impact Analysis
- Designer
- Provisioning
- Verifier
-
R80 and above also supports:
- Designer
- Provisioning
- Authorization and documentation
- Clone Network Object Policy
- Designer
- Provisioning (or) Provisioning and Committing
- Verifier
- Rule Recertification
- Update metadata
Notes for Check Point Management Devices (MDS):
-
Modify Group field supports groups that contain IPv4 and/or IPv6 objects when running on R80 and above.
-
Decommission Network Object supports shared groups/global objects.
- Designer gives priority to service objects that have a default timeout set in the firewall.