Management Mode
Management Mode allows you to choose how to manage Harmony Connect: through the Infinity Portal or through SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on).
Note - Management Mode is available only to tenants created from 01 October 2022.
Infinity Portal Mode
The Infinity Portal mode allows you to manage all aspects of Harmony Connect through the Administrator Portal. This is the default mode.
Use Case
- If you want an intuitive web user interface to manage all aspects of Harmony Connect.
- If you are not familiar with the SmartConsole application.
SmartConsole Mode
The SmartConsole mode allows you to manage certain aspects of Harmony Connect from the SmartConsole application. It provides enhanced granularity and advanced policy management features. The aspects of Harmony Connect you can manage from SmartConsole are:
- Policy > Internet Access
- Policy > Network Access
- Policy > Threat Prevention > Profile
- Policy > Threat Prevention > Exceptions
- Policy > SSL Inspection
  Note - Selection of the SSL inspection level (Basic and Full) and management of certificates remains with Harmony Connect.
- Policy > Policy Revisions
Note - You cannot configure Internet and Network Access policies through Check Point Harmony Connect API.
Manage all the other aspects in the Harmony Connect Administrator Portal.
Caution:
- If you activate the SmartConsole mode, you cannot revert to the Infinity Portal mode. You must create a new account for Harmony Connect in the Infinity Portal and configure it from the start.
- Users and groups from the Identity Provider are not migrated to SmartConsole. You must manually add users and groups as access roles in SmartConsole.
Notes:
- You cannot use an existing SmartConsole for this mode. The SmartConsole that supports this mode is available for download only from the Harmony Connect Administrator Portal.
- The SmartConsole for Harmony Connect supports limited operations that are required to manage the aspects of Harmony Connect. All other operations are disabled.
- The policies from the Harmony Connect Administrator Portal are not migrated to SmartConsole. After you activate SmartConsole, you must manually add the rules in the SmartConsole's Internet and Network Access layers or import the rules from another SmartConsole.
Use Case
Use the SmartConsole mode if you are familiar with SmartConsole and prefer to use it to manage Harmony Connect.
Prerequisite
- You must have Direct Access Admin or Direct Access Read-Only specific service roles.
- If you want to add the same Internet Access and Network Access rules in Harmony Connect to SmartConsole, take a screenshot of these rules. If you want to import policy rules from another SmartConsole to get started, ignore this prerequisite.
Activating the SmartConsole Mode
To activate the SmartConsole mode:
- Go to Settings > Management Mode, and click SmartConsole.
- Expand Main Benefits & Activation.
- Select I Understand that once I activate this mode, rolling back to manage my policy through the Infinity Portal will not be possible without removing and creating a new tenant.
- Click Active SmartConsole Mode.
  It takes several minutes to complete the activation. When the activation is complete:
  - A new unique login token appears in step 3 under Login using SmartConsole.
  - appears next to the functions migrated to SmartConsole.
- If you want to import policy rules from another SmartConsole to get started, see sk178748. Otherwise, skip this step.
Installing SmartConsole
To install SmartConsole:
- Go to Settings > Management Mode, and click SmartConsole.
- Expand Login using SmartConsole.
- Under step 1, click SmartConsole Installation.
  The system downloads the SmartConsole application.
- Double-click the downloaded application and follow the instructions on the wizard to complete the installation.
Logging into SmartConsole
To log into SmartConsole:
- Open SmartConsole.
  The login window appears.
- Click .
- Select Cloud and copy-paste the management connection token. To get the token:
  - In the Harmony Connect Administrator Portal, go to Settings > Management Mode.
  - Expand Login using SmartConsole.
  - In step 3, click to copy the token.
- Click Infinity Login.
- Verify your login credentials:
  - If you are not logged in to the Infinity Portal, it directs you to the Infinity Portal login page to verify your login credentials. Log in to the Infinity Portal.
  - If you are already logged in to the Infinity Portal, a new web page opens and a prompt appears at the top of the page. Select the Always allow portal.checkpoint.com to open links of this type in the associated app checkbox and click Open Check Point SmartConsole.
  After you successfully verify your login credentials, you are redirected to SmartConsole. By default, SmartConsole opens the Internet Access and Network Access tabs.
Working with SmartConsole
The SmartConsole for Harmony Connect supports limited operations that are required to manage the aspects of Harmony Connect. The rest of the operations are disabled.
The supported operations are listed in the table. For more information on how to use these operations in SmartConsole, see SmartConsole R81.10 Help.
Supported Operations in SmartConsole

| Menu/Objects | Item |
|---|---|
| Main SmartConsole menu | Global properties |
| Security Policies | Access Control > Policies (Note - We recommend that you access the Internet Access and Network Access layers from the Manage Policies tab.) |
| | Access Control > Policy > Access Tools > Updates |
| | Threat Prevention > Autonomous Policy |
| | Threat Prevention > Autonomous Policy > Autonomous Policy Tools > Indicators |
| | Threat Prevention > Autonomous Policy > Autonomous Policy Tools > Updates > IPS (Note - Other updates are not supported.) |
| | Threat Prevention > Autonomous Policy > Autonomous Policy Tools > UserCheck |
| | Threat Prevention > Exceptions |
| | HTTPS Inspection > Policy |
| | Shared Policies > Inspection Settings |
| Logs & Monitor | Favorites |
| | Recent |
| | Shared |
| | Logs |
| | Views |
| | Reports |
| | Tasks > Scheduled |
| | Tasks > Archive |
| Manage & Settings | Blades |
| Network Objects | Network |
| | Host |
| | Address Range |
| | Group (Note - Only Network Group and Group with Exclusions are supported.) |
| | Wildcard Object |
| | Domain |
| Service Objects | TCP |
| | UDP |
| | RPC |
| | DCE-RPC |
| | ICMP Service |
| | GTP |
| | Compound TCP |
| | Citrix TCP |
| | Other Service |
| | Services Groups |
| | SCTP |
| Custom Application/Site Object | Application Site |
| | User Category |
| | Application/Site Group |
| | Override Categorization |
| Data Type Object | Data Type |
| | Data Type Group |
| | More > Compound Data Type Group |
| | More > Traditional Data Type Group |
| User/Identity Object | Access Role |
| | Identity Tag |
| Time Object | Time |
| | Time Group |
| Limit Object | - |
| Updatable Objects | - |
Adding Rules
If you have not imported policies from another SmartConsole:
- Refer to the screenshots of the policy rules from Harmony Connect and manually add the same rules in SmartConsole's Internet Access and Network Access layers.
- Manually add new rules in SmartConsole's Internet Access and Network Access layers.
For more information, see SmartConsole R81.10 Help.
Adding Users and Groups
Syncing Users and Groups Automatically from Identity Provider
SmartConsole automatically syncs the users and groups from the Identity Provider and lists them in the New Access Role window.
This is supported only if:
- Your account's data residency is EU.
- Your account has the Multi-IDP feature enabled (applies to all data residencies).
Adding Users and Groups Manually
To add users and groups manually:
- To add a new user, create a new Identity Tag and enter the user's email address as the External Identifier.
- To add a new group, create a new Identity Tag and enter the group name or group ID (depending on the Identity Provider) as the External Identifier.

  | Identity Provider | Group Identifier |
  |---|---|
  | Microsoft AD FS | Group GUID |
  | Microsoft Entra ID (formerly Azure AD) | Group GUID |
  | OneLogin | Group Name |
  | Okta | Group Name |
  | Ping Identity | Group Name |
  | Generic | As per the Identity Provider. |

- Create a new access role with the above Identity Tag.
- Use the access role in the rule base (all rules configured in a given Security Policy; synonym: Rulebase).