Management Mode

Management Mode allows you to choose the mode used to manage Harmony Connect: Infinity Portal or SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on).

Note - Management Mode is available only to tenants created from 01 October 2022.

Infinity Portal Mode

The Infinity Portal mode allows you to manage all aspects of Harmony Connect through the Administrator Portal. This is the default mode.

Use Case

  • If you want an intuitive web user interface to manage all aspects of Harmony Connect.

  • If you are not familiar with the SmartConsole application.

SmartConsole Mode

The SmartConsole mode allows you to manage certain aspects of Harmony Connect from the SmartConsole application. It provides enhanced granularity and advanced policy management features. The aspects of Harmony Connect that you can manage from SmartConsole are:

  • Policy > Internet Access

  • Policy > Network Access

  • Policy > Threat Prevention > Profile

  • Policy > Threat Prevention > Exceptions

  • Policy > SSL Inspection

    Notes:

    • Selection of the SSL inspection level (Basic and Full) and management of certificates remains with Harmony Connect.

    • You cannot configure Internet and Network Access policies through Check Point Harmony Connect API.

  • Policy > Policy Revisions

Manage all the other aspects in the Harmony Connect Administrator Portal.

Caution:

  • If you activate the SmartConsole mode, you cannot revert to the Infinity Portal mode. You must create a new account for Harmony Connect in the Infinity Portal and configure it from the start.

  • Users and groups from the Identity Provider are not migrated to SmartConsole. You must manually add users and groups as access roles in SmartConsole.

Notes:

  • You cannot use an existing SmartConsole for this mode. The SmartConsole that supports this mode is available for download only from the Harmony Connect Administrator Portal.

  • The SmartConsole for Harmony Connect supports limited operations that are required to manage the aspects of Harmony Connect. All other operations are disabled.

  • The policies from the Harmony Connect Administrator Portal are not migrated to SmartConsole. After you activate SmartConsole, you must manually add the rules in the SmartConsole's Internet and Network Access layers or import the rules from another SmartConsole.

Use Case

Use the SmartConsole mode if you are familiar with SmartConsole and prefer to use it to manage Harmony Connect.

Prerequisite

  • You must have Direct Access Admin or Direct Access Read-Only specific service roles.

  • If you want to add the same Internet Access and Network Access rules from Harmony Connect to SmartConsole, take a screenshot of these rules. If you want to import policy rules from another SmartConsole to get started, ignore this prerequisite.

Activating the SmartConsole Mode

To activate the SmartConsole mode:

  1. Go to Settings > Management Mode, and click SmartConsole.

  2. Expand Main Benefits & Activation.

  3. Select I Understand that once I activate this mode, rolling back to manage my policy through the Infinity Portal will not be possible without removing and creating a new tenant.

  4. Click Active SmartConsole Mode.

    It takes several minutes to complete the activation. When the activation is complete:

    • A new unique login token appears in step 3 under Login using SmartConsole.

    • appears next to the functions migrated to SmartConsole.

  5. If you want to import policy rules from another SmartConsole to get started, see sk178748. Otherwise, skip this step.

Installing SmartConsole

To install SmartConsole:

  1. Go to Settings > Management Mode, and click SmartConsole.

  2. Expand Login using SmartConsole.

  3. Under step 1, click SmartConsole Installation.

    The system downloads the SmartConsole application.

  4. Double-click the downloaded application and follow the instructions on the wizard to complete the installation.

Logging into SmartConsole

To log into SmartConsole:

  1. Open SmartConsole.

    The login window appears.

  2. Click .

  3. Select Cloud and copy-paste the management connection token. To get the token:

    1. In the Harmony Connect Administrator Portal, go to Settings > Management Mode.

    2. Expand Login using SmartConsole.

    3. In step 3, click to copy the token.

  4. Click Infinity Login.

  5. Verify your login credentials:

    • If you are not logged in to the Infinity Portal, it directs you to the Infinity Portal login page to verify your login credentials. Log in to the Infinity Portal.

    • If you are already logged in to the Infinity Portal, a new web page opens and a prompt appears at the top of the page. Select the Always allow portal.checkpoint.com to open links of this type in the associated app checkbox and click Open Check Point SmartConsole.

    After you successfully verify your login credentials, you are redirected to SmartConsole. By default, SmartConsole opens the Internet Access and Network Access tabs.

Working with SmartConsole

The SmartConsole for Harmony Connect supports limited operations that are required to manage the aspects of Harmony Connect. The rest of the operations are disabled.

The supported operations are listed in the table. For more information on how to use these operations in SmartConsole, see SmartConsole R81.10 Help.

Supported Operations in SmartConsole

Menu/Objects (with the supported Items listed under each):

  • Main SmartConsole menu

    • Global properties

  • Security Policies

    • Access Control > Policies

      Note - We recommend that you access the Internet Access and Network Access layers from the Manage Policies tab.

      1. Click + to open a new tab.

         The Manage Policies tab appears.

      2. Click Manage policies and layers.

         The Manage policies and layers window appears.

      3. In the left pane, expand Layers and click Access Control.

      4. In the table on the right, right-click Internet Access or Network Access, and click Open in a new tab.

    • Access Control > Policy > Access Tools > Updates

    • Threat Prevention > Autonomous Policy

    • Threat Prevention > Autonomous Policy > Autonomous Policy Tools > Indicators

    • Threat Prevention > Autonomous Policy > Autonomous Policy Tools > Updates > IPS

      Note - Other updates are not supported.

    • Threat Prevention > Autonomous Policy > Autonomous Policy Tools > UserCheck

    • Threat Prevention > Exceptions

    • HTTPS Inspection > Policy

    • Shared Policies > Inspection Settings

  • Logs & Monitor

    • Favorites
    • Recent
    • Shared
    • Logs
    • Views
    • Reports
    • Tasks > Scheduled
    • Tasks > Archive

  • Manage & Settings

    • Blades

  • Network Objects

    • Network
    • Host
    • Address Range
    • Group

      Note - Only Network Group and Group with Exclusions are supported.

    • Wildcard Object
    • Domain

  • Service Objects

    • TCP
    • UDP
    • RPC
    • DCE-RPC
    • GTP
    • Citrix TCP
    • Other Service
    • Services Groups
    • SCTP

  • Custom Application/Site Object

    • Application Site
    • User Category
    • Application/Site Group
    • Override Categorization

  • Data Type Object

    • Data Type
    • Data Type Group
    • More > Compound Data Type Group
    • More > Traditional Data Type Group

  • User/Identity Object

    • Access Role
    • Identity Tag

  • Time Object

    • Time
    • Time Group

  • Limit Object: -

  • Updatable Objects: -


Adding Rules

If you have not imported policies from another SmartConsole:

  • Refer to the screenshots of the policy rules from Harmony Connect and manually add the same rules in SmartConsole's Internet Access and Network Access layers.

  • Manually add new rules in SmartConsole's Internet Access and Network Access layers.

    For more information, see SmartConsole R81.10 Help.

Adding Users and Groups

Syncing Users and Groups Automatically from Identity Provider

SmartConsole automatically syncs the users and groups from the Identity Provider and lists them in the New Access Role window.

This is supported only if:

  • Your account's data residency is EU.

  • Your account has the Multi-IDP feature enabled (applies to all data residencies).

Notes

Adding Users and Groups Manually

To add users and groups manually:

  1. To add a new user, create a new Identity Tag and enter the user's email address as the External Identifier.

  2. To add a new group, create a new Identity Tag and enter the group name or group ID (depending on the Identity Provider) as the External Identifier.

    Identity Provider: Group Identifier

    • Microsoft AD FS: Group GUID

    • Microsoft Entra ID (formerly Azure AD): Group GUID

    • OneLogin: Group Name

    • Okta: Group Name

    • Ping Identity: Group Name

    • Generic: As per the Identity Provider.

  3. Create a new access role with the above Identity Tag.

  4. Use the access role in the rule base (all rules configured in a given Security Policy; synonym: Rulebase).
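
Because users and groups are entered by hand, an External Identifier in the wrong format (for example a group name where the Identity Provider expects a Group GUID) produces an access role that never matches. The following added example, which is not part of the Check Point documentation or tooling, checks a list of planned identifiers against the table above before you create the Identity Tags; the function names and sample entries are hypothetical.

```python
import re
import uuid

# Identifier kind per Identity Provider, from the table in this section.
GROUP_ID_KIND = {
    "Microsoft AD FS": "guid",
    "Microsoft Entra ID": "guid",
    "OneLogin": "name", "Okta": "name", "Ping Identity": "name",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_guid(value):
    """True only for the canonical 8-4-4-4-12 hexadecimal form."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def check_identifier(idp, kind, value):
    """Return None if value is a plausible External Identifier, else a reason."""
    value = value.strip()
    if not value:
        return "empty External Identifier"
    if kind == "user":
        return None if EMAIL_RE.match(value) else "user identifier must be an email address"
    expected = GROUP_ID_KIND.get(idp)
    if expected is None:
        return "generic or unlisted IdP: confirm the group identifier with the provider"
    if expected == "guid" and not is_guid(value):
        return f"{idp} groups are identified by Group GUID, not by name"
    if expected == "name" and is_guid(value):
        return f"{idp} groups are identified by Group Name, but this looks like a GUID"
    return None


def review(idp, entries):
    """entries: (kind, value) pairs; returns only the rejected ones, with reasons."""
    checked = ((k, v, check_identifier(idp, k, v)) for k, v in entries)
    return [c for c in checked if c[2]]


# Constructed sample entries, not taken from any real tenant.
SAMPLE = [
    ("user", "alice@example.com"), ("group", "Finance"),
    ("group", "3f2a9c1e-7b4d-4e8a-9c0f-1a2b3c4d5e6f"), ("user", "bob"),
]
```

Calling review("Microsoft Entra ID", SAMPLE) flags the group entered by name and the user entered without an email address; the same list checked against "Okta" flags the GUID instead.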