Increase security with total visibility and control of policy changes
Enhanced compliance and increased operational efficiency
Flexible and extensible Software Blade for simple, cost-effective deployment
Via the SmartDashboard graphical user interface, the SmartWorkflow Software Blade provides an intuitive and easy-to-use security management console to centrally manage the editing, reviewing, approving and auditing of policy changes.
Changes made to rules and objects are easily viewed in SmartDashboard, enabling administrators to review the impact of the changes on the entire rule base.
Figure 1: Easily view changes made to the rule base
Administrators can scroll through the changes in chronological order, or they can generate a summary change report that provides a comprehensive picture of the changes made during the current session. Clicking a link in the “name” column of the summary change report generates a detailed list showing how the specific object has changed, who changed it, when it was previously modified and by whom.
Figure 2: Policy change summary report
Administrators have a constant need to make firewall changes. These changes are often done manually and hurriedly, and can result in misconfigurations and duplicated rules. The SmartWorkflow Software Blade helps administrators track these changes in entities called sessions: logical units that contain a set of changes made within SmartDashboard. Administrators can track changes made to rule bases, network objects, security policies, users, administrators, groups, OPSEC applications, VPN communities and servers.
SmartWorkflow adds an extra layer of security by requiring a manager’s approval before installing a changed security policy (the “four-eyes” principle). Authorized managers can either approve the session or request that modifications be made to the session.
In addition, SmartWorkflow can adapt to existing change management approval processes. It can be configured so that only managers can approve a change, so that an administrator can approve his own changes, or, in an emergency, so that a policy can be installed without official approval by supplying the appropriate password.
Prior to approving a session, a manager can review the security configuration change summary report and see the objects that were added, changed or deleted and compare these changes to the security policy that is currently installed. In addition, via the SmartDashboard “read-only” mode, managers can review the changes between any two sessions or they can view the changes of a single session.
The SmartWorkflow Software Blade is integrated into the Software Blade Architecture. It can be easily and rapidly activated on existing Check Point security management servers, saving time and reducing costs by leveraging existing security infrastructure.
SmartWorkflow enables administrators to track changes that have been made to objects, security policies and session events over an extended period of time. These changes are recorded in SmartView Tracker as audit logs.
| Feature | Details |
|---|---|
| Session-based Policy Changes | Security policy changes are done in the context of a session |
| | Notes can be added to sessions for clarification |
| | Changes made within a session can be discarded |
| | Sessions submitted for approval are “locked” for editing |
| Flexible Authorization | Role-based approval (“four eyes” principle) |
| | Emergency bypass (requires password) |
| Policy Installation | Only approved policies can be installed |
| | Installation email notification |
| Highlighting | Changes highlighted in Check Point SmartDashboard |
| | List of changes in SmartDashboard |
| Reports | Report of session changes in HTML format |
| | Reports can be saved/emailed/printed |
| Session Information Tracking | Session information pane with session info, notes and list of changes |
| | Review changes in sequential order |
| Session Tracking | View all sessions created |
| | View session changes |
| | View session status (pending, approved, rejected, etc.) |
| Session Comparison | Compare changes between different sessions |
| | Compare changes between installed session and an approved session |
| Comprehensive Auditing | Every step in session is logged (session creation, submission, approval/rejection, installation) |
| | Every change created within a session generates an audit log |
| | All session audit logs have a session ID for session filtering |
| | All session audit logs contain change description: old/new value, session information, admin information |
| | Session audit logs are sent to Check Point SmartView Tracker |
| | All changes to objects generate an audit log |
| | All changes to rules generate an audit log |
| Check Point Management Integration | Seamless integration with Check Point Network Policy Management |
| | Check Point Multi-Domain Security Management (Provider-1) support |
| | Track changes for CMAs |
| | Track changes on global policy |
| Internet Protocol Version | IPv6 and IPv4 |