Adding Check Point R80.x CMA Devices

You must configure the Check Point servers in the following order: Provider-1 MDS, Provider-1 CMAs, SmartCenter servers (SMCs), and Log Servers (CLMs).

After you upgrade a monitored Check Point CMA device to R80.x, you must upgrade the device in SecureTrack to use Check Point R80.x support.

To manage a CMA device in SecureTrack, enable the API software blade for your MDS device.

Prerequisites

To enable a CMA device to monitor the system configuration and performance of a gateway, enable Firewall OS Monitoring.

Complete the following prerequisite steps before you add Check Point CMA devices to SecureTrack:

  1. Configure the Check Point server for OPSEC communication with SecureTrack.
  2. Configure the Check Point device to use your SecureTrack server as a GUI client.

    The SecureTrack server is displayed in a revision in the GUI client column.

  3. For Check Point R80.x devices, create a user with the Domain Manager profile who has the Read Only All Permission Profile configured for All Global Domains.
  4. Create a Check Point user with Rest API Access to retrieve revisions:
    1. SecureTrack uses Check Point APIs to connect to (and monitor) Check Point R80.x devices. A user with the SmartCenter Manager or Domain Manager profile who has the Read Only All Permission Profile configured for All Global Domains with the required collection access via the Check Point APIs can retrieve revisions for the device. On an SMC or a CMA:

    2. To maintain the password you defined for the Check Point user with REST API access, in Set Password, uncheck User must change password on next login.
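
Before adding the device, you can confirm that the API blade answers and that the user from step 4 can open a read-only session. The following is an added example, not part of the SecureTrack or Check Point documentation: it uses the Check Point Management API `login` and `logout` commands under `/web_api`, and the function names, host, user and domain values are hypothetical.

```python
import json
import ssl
import urllib.error
import urllib.request


def api_call(host, command, payload, sid=None, cafile=None, port=443):
    """POST one Management API command to https://<host>/web_api/<command>."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid  # session id returned by login
    req = urllib.request.Request(
        f"https://{host}:{port}/web_api/{command}",
        data=json.dumps(payload).encode(),
        headers=headers,
    )
    ctx = ssl.create_default_context(cafile=cafile)  # server certificate is verified
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        try:  # API errors arrive as JSON with "code" and "message" fields
            return json.loads(err.read())
        except ValueError:
            return {"message": f"HTTP {err.code} without a JSON body"}


def check_api_user(host, user, password, domain=None, call=api_call):
    """Log in read-only, report what the server granted, then log out."""
    login = {"user": user, "password": password, "read-only": True}
    if domain:
        login["domain"] = domain  # CMA (domain) name on a Multi-Domain Server
    reply = call(host, "login", login)
    sid = reply.get("sid")
    if not sid:
        return {"ok": False, "reason": reply.get("message", "no session id")}
    try:
        return {
            "ok": True,
            "read_only": bool(reply.get("read-only")),
            "api_version": reply.get("api-server-version"),
        }
    finally:
        call(host, "logout", {}, sid=sid)  # do not leave the session open
```

A result with `ok` set to `False` carries the server's error message, which helps separate a disabled API blade or a wrong domain name from a credential problem before you reach Test Connectivity.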

Monitor a Check Point Device

To configure SecureTrack to monitor the policy revisions of a Check Point device:

  1. In Settings > Monitoring, select Manage Devices.

  2. In Start monitoring a new device, select the appropriate device type.

  3. Configure the device settings:

    Depending on the Check Point server type, some or all of the following options will appear:

  4. Click Next.
  5. Configure OPSEC Secure Internal Communication (SIC).

  6. Click Next.
  7. In the OPSEC Settings:

    1. Select Custom.
    2. Configure the LEA Authentication fields:
      • Authentication Mode - Some options require you to enter an SL or FWN1 Secret Key in the Authentication Keys section and Establish Authentication Key.
      • Port
    3. Configure the CPMI Authentication fields:
      • Authentication Mode (for CMA devices: asym sslca)
      • Port
    4. For a CMA version FP3 device, select Backward compatibility for Provider-1 FP3.
      1. Enter the credentials of a Provider-1 Administrator.
      2. Enter the DN of the MDS.
  8. Click Next.
  9. For a Check Point CMA R80.x device, configure the Management API.
  10. In the Monitoring Settings, do one of the following:

  11. Click Next.
  12. You can test the communication with the Check Point server by clicking Test Connectivity.

  13. Click Save.

    The Check Point device is shown in the Device Configuration list.

    If you use non-standard LEA authentication, see this technical note.

  14. If you have a secondary Check Point management server, configure SecureTrack to communicate with the secondary server in the event of a failover.

Define an Internet Object

To customize the device object that represents the Internet, see Define Internet Object.

Enabling Check Point CMA Devices for Topology

To obtain topology information for VSX virtual devices, SecureTrack must also monitor the CMA management server that manages the physical VSX box. To ensure that topology information is being retrieved, verify that the relevant CMA is monitored by SecureTrack.

In the following example, the vsx_cluster is managed by the Domain47 CMA. To properly monitor this cluster and retrieve its topology information, you must verify that Domain47 has also been added to SecureTrack.