Check Point SmartWorkflow

The Check Point SmartWorkflow Software Blade provides a seamless and automated process for policy change management that helps administrators reduce errors and enhance compliance. Enforce a formal process for editing, reviewing, approving and auditing policy changes from a single console, for one-stop, total policy lifecycle management.

Benefits
Features
Model Specs
Data Sheets

Increase security with total visibility and control of policy changes

Automatic, formal process for tracking, approving and auditing policy changes
Flexible authorization conforms to established company approval processes
All policy changes are made from Check Point's unified SmartDashboard console

Enhanced compliance and increased operational efficiency

Stay compliant by maintaining visibility and control of constantly changing policy
Advanced auditing and reporting tracks the evolution of policy changes
Streamlined change management reduces errors and saves administrator time

Flexible and extensible Software Blade for simple, cost-effective deployment

Easy one-click activation on any Check Point security management server
Deploy SmartWorkflow within your existing security environment or infrastructure
Flexible Software Blade Architecture allows deployment without capital costs

Single-console for Total Security Change Management

Via the SmartDashboard graphical user interface, the SmartWorkflow Software Blade provides an intuitive and easy-to-use security management console to centrally manage the editing, reviewing, approving and auditing of policy changes.

Automated Security Change Management

Administrators have a constant need to make firewall changes. These changes are often done manually and hurriedly and can result in mis-configurations and duplication of rules. The SmartWorkflow Software Blade helps administrators track these changes in entities called sessions—logical units that contain a set of changes made within SmartDashboard. Administrators can track changes made to rule bases, network objects, security policies, users, administrators, groups, OPSEC applications, VPN communities and servers.

Visual Change Tracking and Reporting

Changes made to rules and objects are easily viewed in SmartDashboard, enabling administrators to review the impact of the changes on the entire rule-base.

view-rule-base-changes

Figure 1: Easily view changes made to the rule base

Administrators can scroll through the changes in chronological order or they can generate a summary change report that provides a comprehensive picture of the changes that were made during the current session. Clicking on a link in the “name” column of the summary change report will generate a detailed list of how the specific object has changed, who changed it as well as the previous time it was modified and by whom.

policy-change-report

Figure 2: Policy change summary report

Session Approval & Flexible Authorization

SmartWorkflow adds an extra layer of security by requiring a manager’s approval before installing a changed security policy (the “four-eyes” principle). Authorized managers can either approve the session or request that modifications be made to the session. In addition, SmartWorkflow can adapt to existing change management approval processes. It can be configured so that only managers can approve a change or the administrator can approve his own changes or, in the case of an emergency, it can be configured so that a policy can be installed without official approval and the appropriate password.

Policy Revisions and Baseline Comparisons

Prior to approving a session, a manager can review the security configuration change summary report and see the objects that were added, changed or deleted and compare these changes to the security policy that is currently installed. In addition, via the SmartDashboard “read-only” mode, managers can review the changes between any two sessions or they can view the changes of a single session.

Audit Trails

SmartWorkflow enables administrators to track changes that have been made to objects, security policies and session events over an extended period of time. These changes are recorded in SmartView Tracker as audit logs.

Integrated into Check Point Software Blade Architecture

The SmartWorkflow Software Blade is integrated into the Software Blade Architecture. It can be easily and rapidly activated on existing Check Point security management servers, saving time and reducing costs by leveraging existing security infrastructure.

Specifications

Feature	Detail
Session-based Policy Changes	Security policy changes are done in the context of a session Notes can be added to sessions for clarification Changes made within a session can be discarded Sessions submitted for approval are “locked” for editing
Flexible Authorization	Role-based approval (“four eyes” principle) Self-approval Emergency bypass (requires password)
Policy Installation	Only approved policies can be installed Installation email notification
Highlighting	Changes highlighted in Check Point SmartDashboard List of changes in SmartDashboard
Reports	Report of session changes in HTML format Reports can be saved/emailed/printed
Session Information Tracking	Session information pane with session info, notes and list of changes Review changes in sequential order
Session Tracking	View all sessions created View session changes View session status (pending, approved, rejected, etc.)
Session Comparison	Compare changes between different sessions Compare changes between installed session and an approved session
Comprehensive Auditing	Every step in session is logged (session creation, submission, approval/rejection, installation) Every change created within a session generates an audit log All session audit logs have a session ID for session filtering All session audit logs contain change description: old/new value, session information, admin information Session audit logs are sent to Check Point SmartView Tracker All changes to objects generate an audit log All changes to rules generate an audit log
Check Point Management Integration	Seamless integration with Check Point Network Policy Management Check Point Multi-Domain Security Management (Provider-1) support Track changes for CMAs Track changes on global policy

Data Sheets

Software Blade White Paper