Check Point

Management Devices (CMA, Smart Center, Smart-1 Cloud)

Dashboard Widgets

General (General overview of the system)

Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)

USP Compliance (The number of rules with violations, according to their severity level)

Audit (The number of rules with expired access or will have access expire within the next month)

Recent Changes (Rules and devices with changes in the past 30 days)

Browsers

Rule Viewer (see Rule Viewer)

Object Lookup (See Object Lookup)

USP Viewer (see USP Viewer)

USP Alert Manager Viewer (see USP Alerts Manager)

USP Exceptions Viewer (see USP Exceptions)

Changes (see Change Browser)

Cleanup (see Cleanup Browser)

Device Viewer (see Device Viewer)

Change Management

Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Full Accountability (Details of the revision, including who made the revision and when)

Display IPv6 objects

Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)

Change Window (see View and Update a Change Window)

Real-time Monitoring (Regularly automatically fetches policy information from the device)

Create SecureChange ticket from Rule Viewer for:
  • Rule Decommission (Removes selected rules from supported devices)

  • Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)

Automatic Policy Generation (APG) (Analyzes firewall logs to determine actual business practices, and creates an optimized rulebase that limits traffic allowance to traffic actually used in the organization)

Topology

Static Topology

Dynamic Topology

Calculate impact of NAT rules

Calculate impact of VPN policies

IPv6 routes

Path analysis with IPv6 addresses in source and destination

Notes for Management Devices

  • The Baseline Settings Compliance report is deprecated.

  • Unattached network objects do not recognize host in opsec.

  • Inline layers are supported for gateways. (Special characters are not supported in inline-layer names.)

  • Partial support of Check Point CloudGuard integration with Azure.

  • After an upgrade, the revision may appear as modified in Compare Revisions:

    • Section headers may be shown as deleted and added.

    • The revision shows legacy user access as a modified field on the revision although no change was done.

    • Generate Report changes are not accurate.

  • Supports the Last Hit field for both security rules and NAT rules.

  • Supports UDP and TLS/SSL over TCP.

Additional Notes for Smart-1 Cloud

  • To receive topology data on the gateways, contact Check Point support with this sk: https://support.checkpoint.com/results/sk/sk95064.

  • IPv6 is not supported in the topology map.

  • Currently, Smart-1 Cloud does not monitor VSX/VS devices.

  • Check Point Smart-1 Cloud devices can be monitored only by the TOS Central Server and not by a remote collector.

  • Use the TLS/SSL over TCP or UDP option for the Protocol when defining the Forwarding Destination in Check Point:

Management Devices (MDS)

Dashboard Widgets

General (General overview of the system)

Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)

USP Compliance (The number of rules with violations, according to their severity level)

Audit (The number of rules with expired access or will have access expire within the next month)

Recent Changes (Rules and devices with changes in the past 30 days)

Browsers

Rule Viewer (see Rule Viewer)

Object Lookup (See Object Lookup)

USP Viewer (see USP Viewer)

USP Alert Manager Viewer (see USP Alerts Manager)

USP Exceptions Viewer (see USP Exceptions)

Cleanup (see Cleanup Browser)

Device Viewer (see Device Viewer)

Change Management

Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Full Accountability (Details of the revision, including who made the revision and when)

Display IPv6 objects

Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)

Change Window (see View and Update a Change Window)

Real-time Monitoring (Regularly automatically fetches policy information from the device)

Create SecureChange ticket from Rule Viewer for:
  • Rule Decommission (Removes selected rules from supported devices)

  • Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)

  • Rule Recertification(Used to document and verify the need for a rule)

Automatic Policy Generation (APG) (Analyzes firewall logs to determine actual business practices, and creates an optimized rulebase that limits traffic allowance to traffic actually used in the organization)

Topology

Static Topology

Dynamic Topology

Calculate impact of VPN policies

Notes for MDS

  • Partial support of Check Point CloudGuard integration with Azure

  • Supports the Last Hit field for both security rules and NAT rules.