Check Point

Firewalls (Gateways, VE, VSX, Edge)

Access Requests

Manual target selection
Device object selection

Add Access

Risk Analysis
Designer
Provisioning
Provisioning in automatic step
Verifier
Authorization and documentation
Auto close

Remove Access

Verifier

Server Decommission

Impact Analysis, Verifier

Rule Recertification

Update metadata

Notes for Firewalls (Gateways, VE, VSX):

  • Firewalls must be managed by CMA/SmartCenter. Additional interface and routing information is available when the gateway is monitored directly by SecureTrack.
  • For Access Requests in topology mode, when selecting a firewall that is not in the path for a Check Point device, Designer and Verifier fail and include a notification that the target is not in the path.

  • Automation tools do not use Application Control information.
  • Designer gives priority to service objects that have a default timeout set in the firewall.

Notes for Firewalls (Edge):

  • Edge devices are supported when managed by SmartCenter/Provider-1. Edge devices are not supported when managed by LSM.
  • Designer gives priority to service objects that have a default timeout set in the firewall.

Management Devices (CMA, SmartCenter)

Access Requests

Manual target selection
Device object selection
User Identity (LDAP groups in source)

Modify Group

Designer, Provisioning + Committing
Provisioning + Committing in automatic step
Create/modify group

Add Access

Risk Analysis
Designer, Provisioning + Committing
Provisioning + Committing in automatic step
Verifier, Authorization and documentation, Auto close

Remove Access

Verifier

Server Decommission

Impact Analysis
Designer
Provisioning + Committing
Verifier, Authorization and documentation

Clone Server Policy

Designer
Provisioning (or) Provisioning and Committing
Verifier

Rule Decommission

Designer
Provisioning + Committing
Provisioning + Committing in automatic step
Verifier, Authorization and documentation
Auto close

Rule Modification

Provisioning + Committing
Provisioning + Committing in automatic step

Rule Recertification

Update metadata

Notes for Management Devices (CMA, SmartCenter):

  • Access Requests in non-topology mode support IPv6 objects, including Designer recommendations and Provisioning.

  • Access Requests: For CMA and SmartCenter devices running R80.10 and above, rule location customization includes the following options for adding new rules:

    • After an existing rule

    • Before an existing rule

    • As the last rule

  • Server Decommission 'Provisioning' and 'Authorization and documentation' are supported for CMA, SmartCenter running R80.

  • Modify Group field displays groups with mixed IPv4 and IPv6 objects when running on R80 and above.

    Operations on the included IPv6 objects (adding/deleting an existing object or creating a new object) are not supported.

  • Rule Decommission is supported for CMA, SmartCenter running R80.

  • Rule Modification is supported for CMAs and SmartCenters running R80.

  • Provisioning + Committing is supported for CMA, SmartCenter running R80.

  • Inline layers for R80 gateways are supported in SecureTrack.

  • Designer gives priority to service objects that have a default timeout set in the firewall.

Management Devices (MDS)

Modify Group

Designer
Provisioning
Provisioning + Committing in automatic step
Create/modify group

Server Decommission

Impact Analysis
Designer
Provisioning
Verifier

R80 and R80.10 also support:
Designer
Provisioning
Authorization and documentation

Clone Server Policy

Designer
Provisioning (or) Provisioning and Committing
Verifier

Rule Recertification

Update metadata

Notes for Check Point Management Devices (MDS):

  • Modify Group field supports groups that contain IPv4 and/or IPv6 objects when running on R80 and above.

  • Server Decommission supports shared groups/global objects.

  • Designer gives priority to service objects that have a default timeout set in the firewall.