Check Point Capsule Cloud

Table of Contents:

  • Introduction
  • What's New in Check Point Capsule Cloud (02 Dec 2015)
  • What's New in Previous Releases
  • Requirements
    • Supported Roaming Clients
    • Supported Security Gateways
    • Supported Active Directory
    • Required Ports
    • Capsule Cloud Utilities
      • Single Sign On
      • AD Synchronization
      • Log Transport
  • Documentation
  • Known Limitations
    • Cloud Portal
    • Site to Site VPN (Device in the Cloud)
    • Windows Clients
    • Mac OS X Clients
    • iOS and Android Clients
    • Active Directory Synchronizer and SSO Authenticator
  • Revision History

 

Introduction

Welcome to Check Point Capsule Cloud (https://cloud.checkpoint.com).

The Check Point Cloud refers to a number of Check Point Security Gateways maintained at various locations around the world.

  • For Small Companies and Individual Users

    The Capsule Cloud offers security as a service without the overhead of maintaining a physical gateway. For example, a small company of ten employees may wish to protect its users' laptops. This can be done easily using Cloud.

    • The designated system administrator registers to the Cloud Portal, and adds the email addresses of all the other employees.

    • Each employee receives an email with a link to download the Cloud Connector for their operating system (PC or Mac).

    • After installing the connector, the PC or Mac is secured by a basic policy. No further configuration is required by the employee. All traffic to and from the Internet is inspected for a variety of threats.


  • For Corporate Enterprises

    Cloud helps enterprises protect roaming users (laptops) when they are outside the secured office environment. By tunneling all roaming user traffic to a firewall-in-the-cloud for security inspection, security is extended beyond the immediate enterprise.

    Capsule Cloud includes these services:

    • URL Filtering
    • Anti-Virus
    • Anti-Bot
    • Threat Emulation
    • IPS
    • HTTPS Inspection

If you already deploy a Check Point Security Gateway, Cloud expands the number of blades available and offloads roaming user traffic to the cloud.

Check Point Cloud tunnels the traffic initiated by the client to the cloud service. In addition to Capsule Cloud, it is recommended to enable a personal firewall on protected computers to block undesired incoming connections from excluded and local networks.

 

What's New in Check Point Capsule Cloud (March 2019)

  • DNS Method support - The administrator can set (in the client profile) the DNS Method that the client uses.
  • New report filter - The administrator can generate a report with an hours filter.

 

What's New in Previous Releases


  • What's New in Check Point Capsule Cloud (January 2019)

    • New report type "User Disconnection" lets you get a report of the users that disconnect and their reasons.
    • Performance improvements to Portal access. 


  • What's New in Check Point Capsule Cloud (September 2018)

    • Better messages when policy installation from central management fails.
    • Improved client stability.


  • What's New in Check Point Capsule Cloud (June 2018)

    • Enables the client to exclude a domain from the VPN.


  • What's New in Check Point Capsule Cloud (02 Dec 2015)

    • Performance improvements to Portal access
    • Ability to delete administrative users or the entire Capsule Cloud account (go to "Settings" - "Delete Account") 


  • What's New in Check Point Capsule Cloud (19 Oct 2015)

    • "Logs & Reports" tab - "Report Scheduling" (you can now schedule reports to be sent on a regular basis, on network activity and threats detected and prevented on your network)
    • "Downloads" tab - New versions of the AD Sync and SSO utilities
    • Improved connectivity through the Cloud data centers


  • What's New in Check Point Capsule Cloud 1.7.0

    • New audit logs for the LTA object instance
    • Report scheduling - ability to generate daily/weekly activity PDF reports and send them by e-mail
    • Windows client - stability improvements and bug fixes
    • SSO agent utility - stability improvements and bug fixes


  • What's New in Check Point Capsule Cloud 1.6.0

    • Stability improvements


  • What's New in Check Point Capsule Cloud 1.5.0

    • Stability improvements


  • What's New in Check Point Capsule Cloud 1.4.0

    • Improved HTTPS Inspection interface - Select Advanced Management or Central Management. When in Central Management, SmartDashboard rules show in the Cloud Portal.
    • Users and Offices can be included in policy rules, and do not need to be in User Groups.
    • Improved Cloud Portal login page on mobile devices.
    • Resolved: Logs are not displayed correctly in Internet Explorer 9.
    • Capsule Cloud Gateway status overview shows in the Cloud Portal login page.
    • New API commands: getofficeID, getOfficeInfo, addOfficeToGroup


  • What's New in Check Point Capsule Cloud 1.3.0

    • The "Capsule Cloud client" is now called "Capsule Connect".
    • Add a User Center account to Capsule Cloud to activate a license.
    • "User Groups" are now called "Groups" and can include Offices.
    • Updated script names and instructions for Capsule Cloud utilities.
    • The Android "NULL registration" bug is resolved.


  • What's New in Check Point Capsule Cloud 1.2.0

    • Capsule Cloud API - The default method is "POST". The "GET" method is not supported.
    • Log Transport, Single Sign On and AD Synchronization utilities can each run as services on Windows.
    • The connection status for mobile devices shows in 'Users & Offices' tab > 'Users' > 'Device Status' column.
    • A new checkbox for AD Synchronization to choose if new users get a registration e-mail.
    • Improved security.
    • Resolved issues.


  • What's New in Check Point Capsule Cloud 1.1.0

    • Multiple users are supported on each Windows computer - each user has a different e-mail address and registers to Capsule Cloud with a different registration code. Users cannot be logged in at the same time.
    • Improved workflow for adding an Office Gateway to Capsule Cloud.
    • Improved Log Transport configuration.

 

Requirements

  • Supported Roaming Clients

    Cloud supports these roaming endpoint clients:

    • Windows Clients

      Windows OS | Editions | Architecture
      10 | all | 32-bit / 64-bit
      8.1 | Enterprise, Pro | 32-bit / 64-bit
      8 | Enterprise, Pro | 32-bit / 64-bit
      7 | Enterprise, Prof, Ultimate, with or without SP1 | 32-bit / 64-bit
      Vista | Enterprise, SP1 or higher | 32-bit / 64-bit


    • Mac OS X Clients

      Mac OS X | Releases | Architecture
      10.12 | all | 32-bit / 64-bit
      10.11 | 10.11, 10.11.1 | 32-bit / 64-bit
      10.10 | 10.10, 10.10.1, 10.10.2, 10.10.3, 10.10.4, 10.10.5 | 32-bit / 64-bit
      10.9 | 10.9.5 | 32-bit / 64-bit


  • Supported Security Gateways

    Check Point Security Gateways supported for Central Management:

    • Version R70 and higher
    • 600 / 1100 series appliances with OS version updated after January 1, 2014


  • Required Ports

    To use Cloud, one of these ports must be available from the client:

    • TCP port 443
    • UDP port 500 (IPsec) or UDP port 4500 (IPsec)


  • Capsule Cloud Utilities

    All utilities (Single Sign On, AD Synchronization, and Log Transport) have these hardware and software requirements. Each utility has its own requirements as well.

    • Hardware Requirements

      Hardware | Minimum | Recommended *
      Processors | 1 | 2
      Memory | 1 GB | 4 GB
      Disk Space | 20 GB | 40 GB
      * Recommended hardware allows running multiple agents.

    • Software Requirements

      Supported Operating Systems:

      • Gaia
      • Linux - CentOS (Red Hat), Ubuntu (Debian)
      • Windows - 7 or higher, Server 2003 or higher


    • .NET Requirements

      To run a Capsule Cloud utility as a service on Windows OS, .NET Framework 4 or higher is required.

    • Single Sign On

      Software / Feature | Requirement
      Active Directory | Active Directory Domain Controller on Windows Server 2003, 2008, 2012.
      Java | Oracle v1.7 release 79
      Required Ports
      • TCP port 443 - HTTPS to Capsule Cloud (can be behind proxy)
      • TCP port 389 - LDAP connection to Active Directory
      • TCP port 88 - Kerberos authentication to Active Directory


    • AD Synchronization

      Software / Feature | Requirement
      Active Directory | Active Directory Domain Controller on Windows Server 2003, 2008, 2012.
      Java | v1.7 or higher
      Required Ports
      • TCP port 443 - HTTPS to Capsule Cloud (can be behind proxy)
      • TCP port 389 - LDAP connection to Active Directory


    • Log Transport

      Software / Feature | Requirement
      Check Point versions | All Check Point Log servers or Security Management Servers with Logging enabled, version R75.40 and higher.
      Java | v1.7 or higher
      Required Ports
      • TCP port 443 - HTTPS to Capsule Cloud (can be behind proxy)
      • TCP port 18187 - ELA to the designated Log Server
      • TCP port 18210 - "Pull Cert" to the designated Log Server (or perform opsec_pull_cert manually)
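
A preflight check for the utility port requirements listed above, as an added example (not Check Point code). The host names are placeholders, and using cloud.checkpoint.com as the HTTPS endpoint is an assumption based on the portal URL in the Introduction.

```python
import socket

# Required TCP ports per utility, from the requirement tables above.
# Each entry: (role of the destination host, port, required?).
# 18210 is optional: the page allows running opsec_pull_cert manually instead.
REQUIRED_TCP = {
    "Single Sign On": [("cloud", 443, True), ("ad", 389, True), ("ad", 88, True)],
    "AD Synchronization": [("cloud", 443, True), ("ad", 389, True)],
    "Log Transport": [("cloud", 443, True), ("log_server", 18187, True),
                      ("log_server", 18210, False)],
}


def tcp_open(host, port, timeout=3.0):
    """Return True if a direct TCP connection to host:port completes in time.

    A direct probe reports port 443 as closed when the only path to Capsule
    Cloud is through a proxy, which the requirements allow.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(utility, hosts, probe=tcp_open):
    """Probe every port the utility needs; hosts maps role -> host name or IP.

    Returns {"ok": [...], "blocked": [...], "blocked_optional": [...]},
    each a list of (host, port) tuples.
    """
    report = {"ok": [], "blocked": [], "blocked_optional": []}
    for role, port, required in REQUIRED_TCP[utility]:
        host = hosts[role]
        if probe(host, port):
            report["ok"].append((host, port))
        else:
            report["blocked" if required else "blocked_optional"].append((host, port))
    return report


if __name__ == "__main__":
    # Placeholder hosts (assumptions): replace with your portal endpoint,
    # domain controller and log server.
    hosts = {"cloud": "cloud.checkpoint.com", "ad": "dc01.example.internal",
             "log_server": "logsrv.example.internal"}
    for name in REQUIRED_TCP:
        print(name, preflight(name, hosts))
```

Run it on the machine that will host the utility, since the firewall path that matters is the one from that host.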

 

Documentation

 

Known Limitations

This section contains the known limitations for this release.

ID | Symptoms
Cloud Portal
01207775 | HTTPS Inspection traffic is logged, even if logging is disabled.
01195543 | If you move to another tab while editing a rule in the Advanced Policy tab, the application selector window stays open. When you click on the Advanced Policy tab again, an error shows. Workaround: Select the Advanced Policy tab again.
01205887 | After you make changes to Other Blocked Categories or Other Allowed Categories in Basic Policy Mode, the policy installs automatically before you click Apply.
01322573 | Browsing to the Cloud Portal from mobile browsers is not supported.
01295441 | After a new HTTPS Inspection Exceptions policy is applied, it can take up to five page refreshes for an end-user to see the change in a site certificate. Workaround:
  • Close and re-open the browser
  • Refresh the page multiple times
01144504 | Sometimes when sites are blocked based on the security policy, an incorrect message is shown.
01391670 | In countries where regulation (DMCA) prohibits the use of torrents, Cloud blocks torrent traffic. We can allow the use of torrents with a dedicated IP address, pending the user's signature on a waiver form. Contact Check Point Support if this is necessary.
01464564 | When running Internet Explorer 10 or 11, press F12 and set the Document Mode to "Standards" or "Quirks", instead of "Internet Explorer 9 standards". This prevents GUI issues. Do this before you log in to the Cloud Portal. If you are already logged in and you change the Document Mode, you will be logged out of the portal.

When HTTPS Inspection is enabled, access to some websites and applications may not be available, due to missing support of cipher suites for TLS 1.2. In addition, identification of the Server Name Indication (SNI) is limited, and as a result, exclusions based on URLs or categories may not exclude the desired traffic. Check Point plans to address these limitations with the revamped cloud platform of CloudGuard Connect.

Site to Site VPN (Device in the Cloud)
- | Not supported in this release (as of 19 Oct 2015).
Windows Clients
- | On Windows 10, the Device Guard feature is not supported and should be disabled (as of 29 May 2017).
01099659 | If you configure a proxy on the Cloud Connector computer, the Cloud Connector cannot reach Cloud.
01148207 | If the DNS server for the computer is configured manually, DNS resolving does not work.
01159170 | If Endpoint Security VPN is installed on the same computer as the Cloud Connector, and TCP over port 443 or UDP over port 4500 is blocked by a firewall rule, then the Cloud Connector cannot connect to the Cloud.
01215878 | In Chrome and Firefox browsers, if you right-click a link and select Save As to download a malicious file, a block page that contains the malware file's name is downloaded. The block page does not open automatically. If you rename the downloaded file with the extension .htm or .html and open it in your browser, a block page opens.
01208661 | If you browse to an HTTPS site that is blocked in the policy, the site is blocked, but the "Blocked" message does not open.
01519938 | Multiple users on the same computer cannot be connected to Capsule Cloud at the same time. One user who is logged in to Windows can be connected to Capsule Cloud. All other users must be logged off of Windows.
01207171 | In Windows 7 and 8, User Account Control (UAC) prevents the UI client service from collecting the log script to write log files to the designated folder (%temp% or c:\programs).
Mac OS X Clients
01377483 | Upgrading the Cloud Connector App on Mac OS X clients can take longer than expected.
iOS and Android Clients
- | Not supported in this release (19 Oct 2015).
Active Directory Synchronizer and SSO Authenticator
01286064 | If you are running two instances of the Synchronizer, they do not share data. Therefore, if there is a group in Node A that has users in Node B, the users are not added to the group.

 

Revision History

Date Description
29 May 2017
  • Added Windows 10.
  • Added Mac OS X 10.12.
10 Dec 2015
  • Updated the Check Point Capsule Cloud from release of 19 Oct 2015 to release of 02 Dec 2015.
17 Nov 2015
  • Updated the Check Point Capsule Cloud from v1.7.0 to release of 19 Oct 2015.
20 Aug 2015
  • Updated the Check Point Capsule Cloud from v1.6.0 to v1.7.0.
13 Aug 2015
  • Updated the Check Point Capsule Cloud from v1.4.0 to v1.6.0.
06 June 2015
  • Updated the Check Point Capsule Cloud from v1.3.0 to v1.4.0.
17 Feb 2015
  • Updated the Check Point Capsule Cloud from v1.2.0 to v1.3.0.
08 Jan 2015
  • Updated the Check Point Capsule Cloud from v1.1.0 to v1.2.0.
  • Updated the list of Supported Gateways for Offices.
  • Updated the Log Transport Requirements.
  • Added the Capsule Cloud Utility Requirements.
  • Added the Single Sign On Requirements.
  • Added the AD Synchronization Requirements.
23 Dec 2014
  • Removed version number from the SK title (for the latest version of this product, refer to "Version" field).
22 Dec 2014
  • Updated the Check Point Capsule Cloud from v1.0.0 to v1.1.0.
  • Updated the list of Known Limitations.
  • Added sub-section "Supported Gateways for Offices" in the section "Requirements" - "Supported Roaming Clients".
26 Nov 2014
  • Added requirements for Log Transport.
30 Oct 2014
  • First release of this document.
