
Page 1: CloudGuard Controller Administration Guide R80

11 July 2019

Administration Guide

CLOUDGUARD CONTROLLER

R80.30

Protected

CHAPTER 1

2019 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page https://www.checkpoint.com/copyright/ for a list of our trademarks.

Refer to the Third Party copyright notices https://www.checkpoint.com/about-us/third-party-trademarks-and-copyrights/ for a list of relevant copyrights and third-party licenses.


Important Information

Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Certifications

For third party independent certification of Check Point products, see the Check Point Certifications page https://www.checkpoint.com/products-solutions/certified-check-point-solutions/.

Check Point R80.30

For more about this release, see the R80.30 home page http://supportcontent.checkpoint.com/solutions?id=sk144293.

Latest Version of this Document

Open the latest version of this document in a Web browser https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_CloudGuard_Controller_AdminGuide/html_frameset.htm.

Download the latest version of this document in PDF format http://downloads.checkpoint.com/dc/download.htm?ID=82104.

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments by e-mail to [email protected] (subject: Feedback on CloudGuard Controller R80.30 Administration Guide).

Revision History

Date            Description
10 July 2019    Added R80.30 to “Supported”
23 March 2019   First release of this document


Contents

Important Information ... 3
Terms ... 5
R80.30 CloudGuard Controller ... 8
Workflow for Deploying CloudGuard Controller ... 9
Installing the CloudGuard Controller ... 10
    Prerequisites for Upgrading vSEC Controller to R80.30 ... 10
    Enabling CloudGuard Controller ... 10
    Supported Security Gateways ... 11
    Activating the Identity Awareness Software Blade ... 11
        Activating Identity Awareness for R80.10 and above Gateways ... 12
        Activating Identity Awareness for R77.30 and R77.20 Gateways ... 12
        Activating Identity Awareness for Scalable Platforms 40000/60000 ... 13
vSEC Central Licensing ... 15
    License Pooling ... 15
    License Distribution ... 16
    Using the Central Licensing Utility with Existing Licenses ... 16
    Managing CloudGuard Central Licenses ... 16
        Adding a License ... 17
        Removing a License ... 17
        Viewing License Usage ... 17
        Running License Distribution ... 17
        Configuring Automatic License Distribution for Security Gateways ... 18
        Generating a Core Usage Report ... 18
Integrating with Data Center Servers ... 19
    Connecting to a Data Center Server ... 19
    Creating Rules with Data Center Objects ... 19
    Check Point Management API ... 20
    Supported Data Centers ... 22
        CloudGuard Controller for Amazon Web Services ... 23
        CloudGuard Controller for Microsoft Azure ... 26
        CloudGuard Controller for Cisco ACI ... 29
        CloudGuard Controller for Cisco ISE ... 31
        CloudGuard Controller for Google Cloud Platform ... 33
        CloudGuard Controller for Nuage Networks VSP ... 36
        CloudGuard Controller for OpenStack ... 38
        CloudGuard Controller for VMware Servers ... 40
CloudGuard Controller Monitoring ... 44
    Messages ... 44
    Status ... 44
    Traffic Logs ... 45
CloudGuard Controller Troubleshooting ... 46
    CloudGuard Controller Troubleshooting ... 46
    CloudGuard Data is Deleted Unpredictably on CloudGuard Security Gateway ... 47


Terms

ARM

Microsoft Azure Resource Manager. Technology to administer assets using Resource Group.

AWS

Amazon Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services.

AWS Region

In AWS, a geographic area to place resources. Each region has multiple, isolated locations known as Availability Zones.

AWS VPC

AWS Virtual Private Cloud. A private cloud that exists in the public cloud of Amazon. It is isolated from other Virtual Networks in the AWS cloud.

Cisco ACI

Cisco Application Centric Infrastructure. Comprehensive SDN architecture, policy-based automation solution for increased scalability through a distributed enforcement system with greater network visibility. Trademark of Cisco.

Cisco APIC

Cisco Application Policy Infrastructure Controller. Automation and management point for the Cisco ACI fabric. It centralizes access to fabric information, optimizes the application lifecycle for scale and performance, and supports flexible application provisioning across physical and virtual resources.

CloudGuard Controller

Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security.

CloudGuard Gateway

Check Point Virtual Security Gateway that protects dynamic virtual environments with policy enforcement. CloudGuard Gateway inspects traffic between Virtual Machines to enforce security, without changing the Virtual Network topology.

Contract

In Cisco ACI SDN, a policy between Endpoint Groups (EPGs), with one EPG providing and one EPG consuming, to virtualize a physical network cable connection.

Data Center

Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores. They are collected in a group for secured remote storage, management, and distribution of data.

ESXi

A VMware physical hypervisor server that hosts one or more Virtual Machines and other virtual objects. All references to ESX are also relevant for ESXi unless specifically noted otherwise. Trademark of VMware, Inc.

GCP

Google Cloud Platform (GCP) is a suite of products and services that includes hosting, cloud computing, database services and more.

GCP Project

GCP Projects form the basis for creating, enabling, and using all Cloud Platform services. This includes managing APIs, enabling billing, adding and removing collaborators, and managing permissions for Cloud Platform resources.

GCP Regions and Zones

A region is a specific geographical location where you can run resources. Each region has one or more zones.

GCP VPC Network

A Virtual Private Cloud is a global private isolated Virtual Network partition that provides managed networking functionality for your GCP resources.

Microsoft Azure

Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft.

NSX Manager

Basic network and security functionality for virtual computer environments. A VMware product family for SDN of Virtual Machines on the cloud (previously known as vShield). Trademark of VMware, Inc.

OpenStack

An open source cloud-computing infrastructure for service providers and enterprises. It includes modules for administration, storage, networking and Virtual Machine deployment and control.

Private Network (L3)

Separates routing instances, and can be used as an administrator separation.

Resource Group for Microsoft Azure

Object used in ARM to monitor, control access, provision and manage billing for collections of assets that are required to run an application, or used by a client or company department.

SDDC

Software-Defined Data Center. Data Center infrastructure components that can be provisioned, operated, and managed through an API for full automation.

SDN

Software-Defined Network. Virtualization of topology, traffic, and functionality.

Security Group for AWS

Acts as a virtual firewall that controls the traffic for one or more instances in AWS. Security Groups are associated with network interfaces.

Security Group for NSX

A collection of virtual objects that defines the Distributed Firewall protection policy in VMware NSX.

Service Graph

Ordered set of function nodes between terminals, which identifies network service functions required by an application. Required for CloudGuard integration.

Service Manager

Component that manages the communication between Check Point products, CloudGuard Controller and the VMware NSX, through the VMware REST API.

Tenant for ACI

Group of users, to isolate access to resources in Cisco ACI. Also known as project.

vCenter Server

Centralized management tool for VMware vSphere. It manages many ESX servers and Virtual Machines from different ESX servers, from one console application.

Virtual Network

Environment of logically connected Virtual Machines on an ESX host.

vNIC

Virtual Network Interface Card. Software-based abstraction of a physical interface that supplies network connectivity for Virtual Machines.

vSphere

VMware cloud computing virtualization operating system. The vSphere Web Client is the GUI to manage Virtual Machines and their objects.

VSX

Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts.

VSX Virtual System

VSX Virtual Device with the functionality of a physical Security Gateway with all supported Software Blades.

CloudGuard Controller Administration Guide R80.30 | 8

CHAPTER 2

R80.30 CloudGuard Controller

The CloudGuard cloud security solution delivers advanced threat protection to private and public cloud infrastructures. It controls and manages the security of both the physical and virtual environments with one unified management solution. Through trusted APIs, CloudGuard Controller connects to the Software-Defined Data Center (SDDC) and integrates the virtual cloud environment with Check Point Security Gateways. CloudGuard Controller automatically updates the security policy when objects in the Data Center change, and it updates the GUI, API, and security logs with new and changed appliances, computers, devices, and addresses.

Check Point Security Gateways run on Virtual Machines. Deploy the Security Gateway in the public and private cloud for perimeter and lateral protection, and industry-leading advanced threat prevention security. CloudGuard Gateways integrate seamlessly with SDN solutions, such as VMware vCenter, VMware NSX, Cisco ACI and Cisco ISE.

CloudGuard Controller integrates with these virtual cloud environments:

• Amazon Web Services (AWS)

• Cisco ACI

• Cisco ISE

• Google Cloud Platform (GCP)

• Microsoft Azure

• Nuage Networks VSP

• OpenStack

• VMware vCenter

• VMware NSX

CHAPTER 3

Workflow for Deploying CloudGuard Controller

CloudGuard Controller is a component of the R80.30 Security Management Server. Make sure you have the most up to date CloudGuard Controller. Some steps below may be necessary to enable CloudGuard Controller to communicate with your Data Center.

Step 1: Install or upgrade to R80.30, which includes CloudGuard Controller (on page 10).

Step 2: Upgrade Security Gateways (on page 11) (if necessary).

Step 3: Activate the Identity Awareness Software Blade (on page 11).

Step 4: Enable CloudGuard Controller (on page 10).

Step 5: Integrate with Data Centers (on page 19).

CHAPTER 4

Installing the CloudGuard Controller

In This Section:

Prerequisites for Upgrading vSEC Controller to R80.30 ............................................ 10

Enabling CloudGuard Controller ................................................................................. 10

Supported Security Gateways ...................................................................................... 11

Activating the Identity Awareness Software Blade ..................................................... 11

If you do not have CloudGuard Controller, install R80.30 or upgrade the vSEC Controller from an earlier version.

See the R80.30 Installation and Upgrade Guide https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_Installation_and_Upgrade_Guide/html_frameset.htm.

Prerequisites for Upgrading vSEC Controller to R80.30

Important Information:

1. When you install R80.30 CloudGuard Controller, these files are overwritten with default values:

• $MDS_FWDIR/conf/vsec.conf

• $MDS_FWDIR/conf/tagger_db.C

• $MDS_FWDIR/conf/AWS_regions.conf

2. Before you begin the upgrade, back up all files that you have changed.

3. Before you perform the upgrade on the Management Server, if you have a Cisco APIC server, keep only one URL. After the upgrade, add the other URLs.

4. A Multi-Domain Server that contains imported Data Center objects in the Global Domain is not supported in the upgrade to R80.30. You must remove objects from the Global Domain before you install the upgrade.

Note - During the upgrade, CloudGuard Controller does not communicate with the Data Center. Therefore, Data Center objects are not updated on the CloudGuard Controller or the Security Gateways.
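The following script is added here as a worked example and is not part of the Check Point guide. It snapshots the three files listed above before the upgrade and, afterwards, reports which of them the upgrade actually reset, so that local changes can be merged back deliberately rather than restored blindly over new defaults. It assumes the files live in $MDS_FWDIR/conf (override with CONF_DIR on a Security Management Server or for testing) and that sha256sum is available, as it is in Gaia Expert mode.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: snapshot the three CloudGuard
# Controller files that the R80.30 upgrade resets to defaults, and afterwards
# list which of them were actually overwritten so changes can be merged back.
# Assumptions (mine, not the guide's): the files live in $MDS_FWDIR/conf, which
# CONF_DIR can override (for example on a Security Management Server or in a
# test directory), and sha256sum is available, as it is in Gaia Expert mode.

CGC_FILES="vsec.conf tagger_db.C AWS_regions.conf"

# cgc_backup CONF_DIR DEST_DIR
# Copies each file in CGC_FILES from CONF_DIR into DEST_DIR and records its
# SHA-256 digest in DEST_DIR/MANIFEST. A file that does not exist is reported
# and skipped; a copy failure aborts with a non-zero status.
cgc_backup() {
    conf_dir=$1
    dest=$2
    mkdir -p "$dest" || return 1
    : > "$dest/MANIFEST"
    for f in $CGC_FILES; do
        if [ -f "$conf_dir/$f" ]; then
            cp -p "$conf_dir/$f" "$dest/$f" || return 1
            # run inside conf_dir so the manifest holds bare file names
            (cd "$conf_dir" && sha256sum "$f") >> "$dest/MANIFEST" || return 1
        else
            echo "warning: $conf_dir/$f not present, skipping" >&2
        fi
    done
}

# cgc_changed CONF_DIR MANIFEST
# Prints the name of every file whose current digest differs from MANIFEST
# (or that has disappeared). Returns 0 when nothing changed, 1 otherwise.
cgc_changed() {
    conf_dir=$1
    manifest=$2
    rc=0
    while read -r digest name; do
        [ -n "$name" ] || continue
        if [ ! -f "$conf_dir/$name" ]; then
            echo "$name (missing)"
            rc=1
            continue
        fi
        now=$(sha256sum "$conf_dir/$name" | cut -d' ' -f1)
        if [ "$now" != "$digest" ]; then
            echo "$name"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# Usage:
#   sh cgc_conf_guard.sh backup /var/log/cgc-backup-$(date +%F)   # before upgrade
#   sh cgc_conf_guard.sh check  /var/log/cgc-backup-2019-07-11    # after upgrade
case "${1:-}" in
    backup) cgc_backup "${CONF_DIR:-$MDS_FWDIR/conf}" "$2" ;;
    check)  cgc_changed "${CONF_DIR:-$MDS_FWDIR/conf}" "$2/MANIFEST" ;;
esac
```

After the upgrade, run the check and compare each reported file against its copy in the backup directory (for example with diff -u) before re-applying your customizations; a file that the check does not list was left untouched and needs no attention.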

Enabling CloudGuard Controller

In the R80.30 Security Management Server, the CloudGuard Controller is disabled by default.

Note - In a Management High Availability deployment, perform these steps on both Management Servers.

To enable the CloudGuard Controller on the Management Server:

1. Connect to the command line on the Management Server.

2. Log in to Gaia Clish or Expert mode.

3. On a Multi-Domain Server, go to the main MDS context: mdsenv

4. Enable the CloudGuard Controller: cloudguard on

The output shows: CloudGuard IaaS turned on successfully

To disable the CloudGuard Controller on the Management Server:

1. Connect to the command line on the Management Server.

2. Log in to Gaia Clish or Expert mode.

3. On a Multi-Domain Server, go to the main MDS context: mdsenv

4. Disable the CloudGuard Controller: cloudguard off

The command prompts you: Are you sure? [y/n: y to turn off, n to ignore]

After you confirm, the output shows: CloudGuard IaaS turned off successfully

Note - When you disable CloudGuard Controller, all CloudGuard Controller functionality described in this guide stops working.

Supported Security Gateways

CloudGuard Controller works with these Security Gateways:

• R80.30

• R80.20

• R80.10

• R77.30

• R77.20

• 40000/60000 Scalable Platforms R76SP.50 (starting with Jumbo Hotfix Accumulator Take 20)

Important - To use the CloudGuard Controller with R77.20 and R77.30 Security Gateways (R77.30 with Jumbo Hotfix Accumulator below Take 309), you must install the CloudGuard Controller / vSEC Controller Enforcer Hotfix on those R77.20 and R77.30 Security Gateways. See sk129152 http://supportcontent.checkpoint.com/solutions?id=sk129152.

Activating the Identity Awareness Software Blade

For a Security Gateway to work with Data Center objects:

1. Enable the Identity Awareness Software Blade.

2. Enable the Identity Awareness API.

3. Add the IP address 127.0.0.1 to the trusted clients list.

Activating Identity Awareness for R80.10 and above Gateways

1. In SmartConsole, from the left navigation panel, click Gateways & Servers.

2. Open the applicable Security Gateway object.

3. From the left tree, click General Properties.

4. On the Network Security tab, select the Identity Awareness Software Blade.

The Identity Awareness Configuration > Methods for Acquiring Identity window opens.

Clear AD Query if it is not necessary.

5. Select I do not wish to configure an Active Directory at this time.

The Identity Awareness Software Blade is activated by default.

6. Click Next > Finish.

7. From the left tree, click Identity Awareness.

8. Select Identity Web API.

9. Click Settings.

The Identity Web API Settings window opens.

10. In the Authorized Clients section, add the 127.0.0.1 host object.

11. In Selected Client Secret, enter a client secret, or click Generate to create one.

Treat this secret as a credential: it authorizes API clients to publish identities to this Security Gateway.

Click OK.

12. Install the Access Control Policy.

Activating Identity Awareness for R77.30 and R77.20 Gateways

To work with Data Center objects, you must:

1. Enable the Identity Awareness Software Blade and select Terminal Servers as the identity source.

2. Enable the communication between the CloudGuard Controller and the Identity Awareness daemon on the Security Gateway.

To enable the Identity Awareness Software Blade:

1. In SmartConsole, from the left navigation panel, click Gateways & Servers.

2. Open the applicable Security Gateway object.

3. From the left tree, click General Properties.

4. On the Network Security tab, select the Identity Awareness Software Blade.

The Identity Awareness Configuration > Methods for Acquiring Identity window opens.

Clear AD Query if it is not necessary.

5. Select Terminal Servers > Next. The Identity Awareness Configuration > Integration with Active Directory window opens.

6. Select I do not wish to configure an Active Directory at this time.

The Identity Awareness Software Blade is activated by default.

7. Click Next > Finish.

8. Click OK.

9. Install the Access Control Policy.

To enable the communication between the CloudGuard Controller and the Identity Awareness daemon on the Security Gateway:

1. Connect to the command line on each applicable Security Gateway.

2. Log in to Gaia Clish or Expert mode.

3. Enable the Identity Awareness API: pdp api enable

Note - On a VSX Gateway, run the command in the context of each applicable Virtual System.

Activating Identity Awareness for Scalable Platforms 40000/60000

To work with Data Center objects, you must:

1. Enable the Identity Awareness Software Blade and select Terminal Servers as the identity source.

2. Enable the communication between the CloudGuard Controller and the Identity Awareness daemons on the Security Gateway Modules.

To enable the Identity Awareness Software Blade:

1. In SmartConsole, from the left navigation panel, click Gateways & Servers.

2. Open the applicable Security Gateway object.

3. From the left tree, click General Properties.

4. On the Network Security tab, select the Identity Awareness Software Blade.

The Identity Awareness Configuration > Methods for Acquiring Identity window opens.

Clear AD Query if it is not necessary.

5. Select Terminal Servers > Next. The Identity Awareness Configuration > Integration with Active Directory window opens.

6. Select I do not wish to configure an Active Directory at this time.

The Identity Awareness Software Blade is activated by default.

7. Click Next > Finish.

8. Click OK.

9. Install the Access Control Policy.

To enable the communication between the CloudGuard Controller and the Identity Awareness daemons on the Security Gateway Modules:

1. Connect to the command line on the Scalable Platform.

2. Log in to Gaia Clish or Expert mode.

3. Enable the Identity Awareness API on all Security Gateway Modules: g_all pdp api enable

Note - On a VSX Gateway, run the command in the context of each applicable Virtual System.

CHAPTER 5

vSEC Central Licensing

In This Section:

License Pooling ............................................................................................................. 15

License Distribution ..................................................................................................... 16

Using the Central Licensing Utility with Existing Licenses ........................................ 16

Managing CloudGuard Central Licenses ..................................................................... 16

License Pooling

CloudGuard Central Licensing is a pooled license structure offered on the Check Point Security Management Server and Multi-Domain Server.

With this feature, you can dynamically change the properties of licenses on your Security Gateway architecture.

The license pool contains the licenses for every Security Gateway with its cores. A license is issued for each CloudGuard Gateway, and the number of cores in a CloudGuard Gateway determines the license you require.

The central licensing feature provides:

• One global license for as many CloudGuard Gateways as needed.

• Scaled-up performance on a CloudGuard Gateway with all its vCores.

• Movement of vCores from one CloudGuard Gateway to another.

• Movement of the CloudGuard Gateway between the public and private cloud.

There are two modes for the Multi-Domain Server:

System Mode (default)

• Generates a license for the IP address of the Multi-Domain Server.

• The license pool is on the Multi-Domain Server.

• The licenses are attached to all of the CloudGuard Gateways that the Domain Management Servers manage.

• To use this mode, run: vsec_lic_cli mode mds

Domain Mode

• Pools are managed on each individual Domain.

• Licenses are distributed to the CloudGuard Gateways that the Domain manages.

• The license is generated with the IP address of the Domain to which it belongs.

• To use this mode, run: vsec_lic_cli mode domain

Note - To go to the context of a Domain Management Server, run: mdsenv <Name or IP Address of Domain Management Server>

License Distribution

Licenses that can be managed in pools:

• Virtual security licenses for public and private clouds.

• Licenses with the same contract blade package.

Note - Licenses with different contract blades are in separate pools. The first license pool that is created is configured as the default pool. The licenses from the default pool are attached to CloudGuard Gateways.

Gateways that receive a license from the pool:

CloudGuard Gateways in the public and private cloud.

The supported Hypervisors in the private cloud are VMware ESXi, Hyper-V and KVM.

The supported modules in the public cloud are AWS, Microsoft Azure, Google Cloud Platform and vCloud Air.

When Gateways receive a license:

• New CloudGuard Gateways receive the license from the pool after policy installation.

• Existing CloudGuard Gateways receive the license immediately after the license is added.

Distribution:

CloudGuard licenses are attached from the license pool to the CloudGuard Gateways.

The distribution procedure is permissive: a Gateway is issued a license even when the pool no longer has licenses available.

Using the Central Licensing Utility with Existing Licenses

You can activate the new CloudGuard Central Licensing utility on Security Gateways that already have a license. Licenses with the same Software Blades and contract expiration join together to make one pool. If multiple pools are established, one of the pools is the default pool. Any license that is not part of the pool is detached from all Security Gateways.

If you have a Multi-Domain Server, enable the central license utility on the Multi-Domain Server. Multi-Domain Server automatically activates the central license utility on each Domain Management Server.

Best Practice - We recommend that you have only one type of pool. Therefore, licenses with the same Software Blades and contract expiration are grouped together. Use the central license utility to ensure that licenses are distributed correctly.

Managing CloudGuard Central Licenses

CloudGuard central license is disabled by default. When it is disabled, licenses are not distributed automatically to new CloudGuard Gateways. Existing licenses, however, remain on the CloudGuard Gateways.

Operation                             CLI command
Enable the CloudGuard license         vsec_lic_cli on
Disable the CloudGuard license        vsec_lic_cli off
Manage the CloudGuard license pool    vsec_lic_cli

The vsec_lic_cli tool is exclusively for managing CloudGuard licenses, and other tools should not be used at the same time. CloudGuard licenses that were already added with other tools, such as SmartUpdate, are automatically added to the pools.

The vSEC License Manager Menu shows these options:

1. Add a license (on page 17)

2. Remove a license (on page 17)

3. View license usage (on page 17)

4. Run license distribution (on page 17)

5. Configure automatic license distribution (on page 18)

6. Generate a core usage report (on page 18)

Adding a License

You can add a central license to the license pool with the IP address of a Security Management Server, Multi-Domain Server or Domain Management Server.

The license is added to the pool to match the contract blade. Use the User Center https://usercenter.checkpoint.com to automatically match the blade to the contract, or attach the contracts manually with SmartUpdate.

A license in a default pool will be distributed to the CloudGuard Gateway as needed.

Removing a License

When you remove a license from the pool, it is also removed from all CloudGuard Gateways that have the license.

Viewing License Usage

With the Central Licensing feature, you can see usage details of the CloudGuard Gateways in the pool.

This information is available:

• Quota of cores

• Unused cores

• Security Gateways licensed in the pool

Running License Distribution

Distribution of licenses to the CloudGuard Gateways is done automatically, once a day.

If you need the license attached immediately, you can run the distribution manually.

You can monitor these changes on the CloudGuard Gateways and licenses:

• New CloudGuard Gateways

• Core changes on existing CloudGuard Gateways


• Contract changes on existing licenses

After distribution of the licenses, a CloudGuard Gateway that did not have a license will now have one.

Configuring Automatic License Distribution for Security Gateways

You can enable or disable the CloudGuard Gateway from receiving a license automatically.

Generating a Core Usage Report

You can generate a CSV file with an hourly core usage report for each CloudGuard Gateway.

CHAPTER 6

Integrating with Data Center Servers

In This Section:

Connecting to a Data Center Server ............................................................................ 19

Creating Rules with Data Center Objects .................................................................... 19

Check Point Management API ..................................................................................... 20

Supported Data Centers ............................................................................................... 22

Connecting to a Data Center Server

The Management Server connects to the SDDC through the Data Center server object in SmartConsole.

To create a connection to a Data Center:

1. In SmartConsole, create a new Data Center object in one of these ways:

• In the top left corner, click Objects menu > More object types > Server > Data Center > applicable Data Center.

• In the top right corner, click Objects Pane > New > More > Server > Data Center > applicable Data Center.

2. In the Enter Object Name field, enter the desired name.

3. Enter the connection and credentials information.

4. Click Test Connection to establish a secure connection.

If the certificate window opens, confirm the certificate and click Trust.

5. When the Connection Status changes to Connected, click OK.

If the status is not Connected, troubleshoot the issues before you continue.

6. Click OK.

7. Publish the session.

Note - If the connection properties of a Data Center server changed (for example the credentials or the URL), make sure to re-install the policy on all the Security Gateways which have objects from that Data Center in their policy.

Creating Rules with Data Center Objects

Define the Security Policy with rules that include the Data Center objects.

Important - If the Management Server is not connected to the Data Center server, the Data Center objects do not import. To make sure the servers are connected, open the Data Center Server object in SmartConsole and examine the Status field. It must show Connected.

You can add Data Center objects to the Source and Destination columns of Access Control rules and Threat Prevention rules.


Note - Data Center objects that you import to the Security Policy are designed for well-defined groups of machines (EPGs, Virtual Machines, and so on).

To add Data Center objects to an Access Control rule:

1. In SmartConsole, from the left navigation panel, click Security Policies.

2. At the top, click Access Control > Policy.

3. In the applicable rule, in the Source or Destination column, click + to add new items.

4. Click Import.

5. Select an existing Data Center object, or click Data Centers > New Data Center > applicable Data Center.

6. Install the Access Control Policy.

To add Data Center objects to a Threat Prevention rule:

1. In SmartConsole, from the left navigation panel, click Security Policies.

2. At the top, click Threat Prevention > Policy.

3. In the applicable rule, in the Source or Destination column, click + to add new items.

4. In the top right corner, click Import.

5. Select an existing Data Center object, or click Data Centers > New Data Center > applicable Data Center.

6. Install the Threat Prevention Policy.

Check Point Management API

The Check Point Management API includes Data Center commands to show Data Center Servers and their contents, and to show, delete, and import Data Center objects. Use the API to automate Data Center security management and monitoring.

There are different interfaces for the Management API:

• SmartConsole Command Line window (bottom left corner)

• mgmt_cli tool (built-in on the Management Server, and SmartConsole Client)

• Gaia Clish on the Management Server

• Web services on the Management Server (over HTTPS)

Work with API documentation specific to the Data Centers.

To work with the API on a Security Management Server:

1. In SmartConsole, from the left navigation panel, click Manage & Settings.

2. From the left tree, click Blades.

3. In the Management API section, click Advanced Settings.


4. In the Access Settings section, select All IP Addresses and click OK.

5. Connect to the command line on the Security Management Server.

6. Log in to Gaia Clish, or Expert mode.

7. Restart the API server:

api restart

Output must show:

Stopping API... API stopped successfully. Starting API... API started successfully.

8. In your web browser, connect to:

https://<Main IP Address of Security Management Server>/api_docs

Note - If you enabled the Endpoint Policy Management Software Blade, then connect to:

https://<Main IP Address of Security Management Server>:4434/api_docs

To work with the API on a Multi-Domain Server:

1. Connect with SmartConsole to the main MDS context.

2. In SmartConsole, from the left navigation panel, click Multi Domain.

3. From the left tree, click Blades.

4. In the Management API section, click Advanced Settings.

5. In the Access Settings section, select All IP Addresses and click OK.

6. Connect to the command line on the Multi-Domain Server.

7. Log in to Gaia Clish, or Expert mode.

8. Restart the API server:

api restart

Output must show:

Stopping API... API stopped successfully. Starting API... API started successfully.

9. In your web browser, connect to:

https://<Main IP Address of Multi-Domain Server>/api_docs

To change the API configuration and to learn more:

See the API documentation https://sc1.checkpoint.com/documents/latest/APIs/index.html.
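The following is an added example, not code from this guide or from Check Point, of how the Data Center commands described above are driven through the web-services interface. It assumes what the guide does not state: commands are POSTed as JSON to https://<Management Server>/web_api/<command>, the session id returned by login is sent back in the X-chkp-sid header, the commands are named show-data-center-content and add-data-center-object, and the content reply carries an "objects" list whose items have a "uri" field. The server replies used to run it offline are constructed.

```python
"""Minimal client for the Check Point Management API web services (added example).

Assumptions not stated on this page: commands are POSTed as JSON to
https://<mgmt>/web_api/<command>, the session id from `login` travels in the
X-chkp-sid header, the Data Center commands are named show-data-center-content
and add-data-center-object, and the content reply has an "objects" list whose
items carry a "uri". The replies below are constructed for an offline run.
"""
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# A transport sends one request: (url, headers, body) -> parsed JSON reply.
Transport = Callable[[str, Dict[str, str], bytes], Any]


def https_transport(ca_file: Optional[str] = None) -> Transport:
    """Real transport. Verify the Management Server against its CA certificate
    rather than disabling verification; this is the API-side equivalent of the
    certificate 'Trust' step in SmartConsole."""
    ctx = ssl.create_default_context(cafile=ca_file)

    def send(url: str, headers: Dict[str, str], body: bytes) -> Any:
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    return send


class MgmtApi:
    def __init__(self, host: str, transport: Transport, port: int = 443):
        self.base = f"https://{host}:{port}/web_api/"
        self.transport = transport
        self.sid: Optional[str] = None
        self.commands_sent: List[str] = []   # audit trail: command names only, never payloads

    def call(self, command: str, payload: Optional[dict] = None) -> dict:
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        body = json.dumps(payload or {}).encode("utf-8")
        self.commands_sent.append(command)
        reply = self.transport(self.base + command, headers, body)
        if "code" in reply:                   # the API reports failures with a "code" field
            raise RuntimeError(f"{command}: {reply['code']}")
        return reply

    def login(self, user: str, password: str, domain: Optional[str] = None) -> None:
        payload = {"user": user, "password": password}
        if domain:                            # Multi-Domain Server: log in to one Domain
            payload["domain"] = domain
        self.sid = self.call("login", payload)["sid"]

    def data_center_uris(self, dc_name: str) -> List[str]:
        reply = self.call("show-data-center-content", {"data-center-name": dc_name})
        return [obj["uri"] for obj in reply.get("objects", [])]

    def import_object(self, dc_name: str, uri: str) -> dict:
        return self.call("add-data-center-object", {"data-center-name": dc_name, "uri": uri})

    def logout(self) -> None:
        if self.sid:
            self.call("logout")
            self.sid = None


def fake_transport(url: str, headers: Dict[str, str], body: bytes) -> dict:
    """Constructed stand-in for a Management Server so the example runs offline."""
    command = url.rsplit("/", 1)[1]
    if command == "login":
        return {"sid": "SID-CONSTRUCTED"}
    if headers.get("X-chkp-sid") != "SID-CONSTRUCTED":
        return {"code": "err_login_failed"}   # every other command needs a session
    if command == "show-data-center-content":
        return {"objects": [{"name": "web-tier", "uri": "/constructed/vpc-1/i-0abc"}]}
    return {}


def import_all(api: MgmtApi, dc_name: str, user: str, password: str) -> List[str]:
    """Log in, import every object the Data Center server exposes, publish, log out."""
    api.login(user, password)
    try:
        uris = api.data_center_uris(dc_name)
        for uri in uris:
            api.import_object(dc_name, uri)
        api.call("publish")                   # objects reach the policy only after publish
    finally:
        api.logout()                          # release the session even when a call fails
    return uris


if __name__ == "__main__":
    client = MgmtApi("mgmt.example.invalid", fake_transport)
    print(import_all(client, "AWS-DC", "api-user", "api-password"))
```

Swap fake_transport for https_transport("/path/to/mgmt-ca.pem") to talk to a real server; the audit trail intentionally records command names only, so credentials never end up in logs.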


Supported Data Centers

Check Point integrates the CloudGuard Controller with these Data Centers:

• Amazon Web Services (on page 23)

• Cisco ACI (on page 29)

• Cisco ISE (on page 31)

• Google Cloud Platform (on page 33)

• Microsoft Azure (on page 26)

• Nuage Networks (on page 36)

• OpenStack (on page 38)

• VMware vCenter (on page 40)

• VMware NSX (on page 40)


CloudGuard Controller for Amazon Web Services

The CloudGuard Controller integrates the Amazon Web Services (AWS) cloud with Check Point security.

The Check Point Data Center Server connects to the AWS cloud and retrieves object data.

The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group.

Connecting to an Amazon Web Services Data Center Server

1. In SmartConsole, create a new Data Center object in one of these ways:

• In the top left corner, click Objects menu > More object types > Server > Data Center > New AWS.

• In the top right corner, click Objects Pane > New > More > Server > Data Center > AWS.

2. In the Enter Object Name field, enter the desired name.

3. Select the applicable authentication method:

• User Authentication

• Role Authentication

4. If you choose User Authentication, enter your Access key ID and Secret access key.

5. In the Region field, select the AWS region to which you want to connect.

6. Click Test Connection.

7. Click OK.

8. Publish the session.

Amazon Web Services Objects

Objects

VPC: Amazon Virtual Private Cloud enables you to launch resources into your Virtual Network.

Availability Zone: A separate geographic area of a region. There are multiple locations with regions and availability zones worldwide.

Subnet: All the IP addresses from the Network Interfaces related to this subnet.

Instance: Virtual computing environments.

Tags: Groups all the instances that have the same Tag Key and Tag Value.

Security Group: Groups all the IP addresses from all the Instances associated with this Security Group.


Importing AWS objects

Use one of these options to import AWS objects to your policy:

Regions: Import AWS VPCs, subnets or instances from a certain region to your security policy.

Security Groups: Import all IP addresses that belong to a specific security group. The Security Group is used only as a container for the list of all IP addresses of Instances that are attached to this group.

Tags: Import all instances that have a specific Tag Key or Tag Value.

Notes:

• CloudGuard Controller saves the Tags with Key and no Value as: "Tag key="

• CloudGuard Controller strips leading and trailing spaces from Tag Keys and Tag Values.

• All changes in AWS are updated automatically with the Check Point Security Policy. Users with permissions to change resource tags in AWS may be able to change their access permissions.

Object Names

Object names are the same as those in the AWS console.

VPC, Subnet, Instance, and Security Group are named as follows:

Tag Name exists: "<Object ID> (<Value of the Tag Name>)"

Tag Name does not exist: "<Object ID>"

Tag Name is empty: "<Object ID>"

Imported Properties

Name: Resource name as shown in the AWS console. The user can edit the name after importing the object.

Name in Server: Resource name as shown in the AWS console.

Type in Server: Resource type.

IP: Associated private and public IP addresses.

Note: CIDR for subnets and VPC objects.

URI: Object path.

Tags: Tags (Keys and Values) that are attached to the object.


Configuring Permissions for Amazon Web Services

AWS Authentication

User Authentication: Uses Access Key ID and Secret Access Key credentials.

Role Authentication: Uses the AWS IAM role. You can use this option only when Security Management is deployed in AWS.

Minimal permissions for the User or Role

Effect: Allow

Actions:

• ec2:DescribeInstances

• ec2:DescribeNetworkInterfaces

• ec2:DescribeSubnets

• ec2:DescribeVpcs

• ec2:DescribeSecurityGroups

Resource: All ("*")

For more information about Roles and the IAM policy, see Amazon Web Services documentation http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html.
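The following is an added example, not code from this guide or from Check Point, that writes the minimal policy listed above as an IAM policy document and checks an existing policy against it: it reports required Describe actions that are missing, and Allow patterns (wildcards such as ec2:* or unrelated actions) that grant the controller's credentials more than they need. The policy document layout is AWS's own; the helper names are this example's, and the two sample policies are constructed.

```python
"""Added example: the minimal IAM policy the guide lists for the CloudGuard
Controller's AWS user or role, plus a least-privilege check of an existing
policy document against it. Helper names are this example's; the sample
policies are constructed."""
import fnmatch
import json
from typing import Dict, List, Set, Union

# The five read-only actions the guide lists, all on Resource "*".
REQUIRED_ACTIONS = {
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "ec2:DescribeSecurityGroups",
}


def minimal_policy() -> dict:
    """Least-privilege policy document for the controller's credentials."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}],
    }


def _as_list(value) -> list:
    # IAM accepts a single string wherever a list is expected
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: dict) -> Set[str]:
    """Every Action pattern granted by an Allow statement (Deny is ignored here)."""
    granted: Set[str] = set()
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") == "Allow":
            granted.update(_as_list(statement.get("Action", [])))
    return granted


def missing_actions(policy: dict) -> Set[str]:
    """Required actions that no Allow pattern covers; a wildcard such as
    ec2:Describe* counts as covering them."""
    granted = allowed_actions(policy)
    return {a for a in REQUIRED_ACTIONS
            if not any(fnmatch.fnmatchcase(a, g) for g in granted)}


def excess_actions(policy: dict) -> Set[str]:
    """Allow patterns that are not one of the five exact actions. Any wildcard
    (ec2:*, ec2:Describe*) can match calls the controller never makes, and any
    other literal action is simply unneeded, so both are reported."""
    return {g for g in allowed_actions(policy) if g not in REQUIRED_ACTIONS}


def check_policy(policy: Union[str, dict]) -> Dict[str, List[str]]:
    """Compare a policy (JSON text or parsed dict) with the minimum."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return {"missing": sorted(missing_actions(policy)),
            "excess": sorted(excess_actions(policy))}


# Constructed sample: works for the controller, but grants every EC2 action.
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# Constructed sample: one Describe call only, so the controller cannot build
# subnet, VPC or security-group objects.
TOO_NARROW = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
}

if __name__ == "__main__":
    print(json.dumps(minimal_policy(), indent=2))
    print(check_policy(OVERLY_PERMISSIVE))
    print(check_policy(TOO_NARROW))
```

The check looks only at the Action patterns; it does not evaluate Resource ARNs or Condition blocks, which for these Describe calls the guide sets to "*" anyway.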

Auto Scaling in Amazon Web Services

The AWS Auto Scaling service with the Check Point Auto Scaling group can increase or decrease the number of CloudGuard Gateways according to the current load.

CloudGuard Controller for AWS works with the Check Point Auto Scaling Group. The Check Point Security Management Server updates Data Center objects automatically on the Check Point Auto Scaling group.

Enable the Identity Awareness Software Blade as explained in Auto Scaling in AWS (Amazon Web Services), sk112575 http://supportcontent.checkpoint.com/solutions?id=sk112575, Section 5-E - Enabling additional Software Blades.


CloudGuard Controller for Microsoft Azure

CloudGuard Controller integrates the Microsoft Azure cloud with Check Point security.

The Check Point Data Center Server connects to the Microsoft Azure cloud and retrieves object data.

The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group.

Connecting to a Microsoft Azure Data Center Server

1. In SmartConsole, create a new Data Center object in one of these ways:

• In the top left corner, click Objects menu > More object types > Server > Data Center > New Microsoft Azure.

• In the top right corner, click Objects Pane > New > More > Server > Data Center > Microsoft Azure.

2. In the Enter Object Name field, enter the desired name.

3. Select the applicable authentication method:

• Service Principal

• Azure AD User Authentication

If you choose Service Principal (default):

a) In the Application ID field, enter your Service Principal application ID in the UUID format.

b) In the Application Key field, enter the Service Principal secret.

c) In the Directory ID field, enter the Tenant ID from the Service Principal in the UUID format.

You can create the Service Principal in the Azure Portal, with Azure PowerShell, or with the Azure CLI.

If you choose Azure AD User Authentication:

a) In the Username field, enter the Microsoft Azure credential in the format <username>@<domain>. The account type needed is a work or school account.

b) In the Password field, enter the password for your Microsoft Azure account.

The minimum recommended permission is Reader.

You can assign the Reader permission in one of these ways:

• Assign it to all Resource Groups from which you want to pull items

• Add the permission at the subscription level

Note - If you have fewer permissions, some of the functionality might not work.

4. Click Test Connection.

5. Click OK.


6. Import objects from your Microsoft Azure server to your policy (for more about these objects, see the next sections).

• Network by Subscriptions - Import VNETs, subnets, Virtual Machines or VMSSs.

• Network Security Groups (NSG) - Import all IP addresses that belong to a specific NSG. The NSG is used only as a container for the list of all IP addresses (assigned to NICs and subnets) that are attached to this group.

• Tags - Import all the IP addresses of Virtual Machines and VMSSs that have specific tags and values.

Note - All changes in Microsoft Azure are updated automatically in the Check Point security policy. Users with permissions to change Resource Tags in Microsoft Azure may be able to change their access permissions.

7. Install the Access Control Policy.

Microsoft Azure Objects

Objects

Subscription: Helps you organize access to your cloud components.

Virtual Network: Represents your Microsoft Azure Virtual Network (VNET) in the cloud.

Subnet: A range of IP addresses in a VNET. A VNET can be divided into many subnets.

Virtual Machine (VM): Virtual computing environment.

Virtual Machine Scale Set (VMSS): Manages sets of Virtual Machines.

Resource Group: Holds the components of your subscription as a group.

Network Security Group (NSG): NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to the Virtual Machine instances in a Virtual Network. NSGs can be associated with either subnets or individual Virtual Machine instances within that subnet.

Imported Properties

Name: Name of the object and of the object's Resource Group, in the format obj_name (obj_resource_group_name). The user can edit the name after importing the object.

Name in server: Name of the object and of the object's Resource Group, in the format obj_name (obj_resource_group_name).

Type in server: Object type.


IP address: Virtual Machine or VMSS IP addresses. In the case of subnets, NSGs or Tags, the field contains a list of all the IP addresses in the container.

Note: Contains the address prefixes for VNETs and subnets.

URI: Object path.

Tags: Keys and Values attached to the Object.

Location: Physical location in Microsoft Azure.

Auto Scaling in Microsoft Azure

The Microsoft Azure Auto Scaling service with the Check Point Auto Scaling group can increase or decrease the number of CloudGuard Gateways according to the current load.

CloudGuard Controller for Microsoft Azure can work with the Check Point Auto Scaling Group.

The Check Point Security Management Server can update Data Center objects automatically on the Check Point Auto Scaling group.

Enable the Identity Awareness Software Blade as explained in Auto Scaling in Microsoft Azure, sk115533 http://supportcontent.checkpoint.com/solutions?id=sk115533, Section 6-A - Enabling additional Software Blades.


CloudGuard Controller for Cisco ACI

CloudGuard Controller integrates the Cisco ACI fabric with Check Point security.

The Check Point Data Center Server connects to the ACI fabric and retrieves object data.

The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group. It supports the connection to an APIC cluster for redundancy.

To learn more, see vSEC for ACI Managed by R80.10 Security Management Server Administration Guide for R80.10 http://downloads.checkpoint.com/dc/download.htm?ID=55408.

Prerequisites:

• You must have a Cisco ACI user role with at least read permissions for Tenant EPG.

Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be required for device package installation (CloudGuard for ACI).

• Enable Bridge Domain unicast routing to allow IP address learning for EPGs on the Cisco APIC.

• Define a subnet on the Bridge Domain to help the fabric maintain IP address learning tables. This prevents time-outs on silent hosts that respond to periodic ARP requests.

Connecting to a Cisco ACI APIC Data Center Server

1. In SmartConsole, create a new Data Center object in one of these ways:

• In the top left corner, click Objects menu > More object types > Server > Data Center > New Cisco APIC.

• In the top right corner, click Objects Pane > New > More > Server > Data Center > Cisco APIC.

2. In the Enter Object Name field, enter the desired name.

3. In the URLs field, enter the addresses of APIC cluster members, delimited with a semicolon (;).

Important - These addresses can be HTTP or HTTPS, but not mixed.

4. In the Username field, enter your APIC service username.

If you use login domains for APIC authentication, the username format is:

apic:<domain>\<username>

5. In the Password field, enter your APIC password.

6. Click Test Connection.

7. Click OK.

8. Publish the session.

Cisco APIC Objects

Tenant: A logical separator for customers, BU, groups, traffic, administrators, visibility, and more.


Application Profile: A container of logically related EPGs, their connections, and the policies that define those connections.

End-Point Group (EPG): A container for objects that require the same policy treatment. Examples of these are app tiers or services (usually, VLAN).

L2 Out: A bridged external network.

L2 External EPG: An EPG that represents external bridged network endpoints.


CloudGuard Controller for Cisco ISE

The CloudGuard Controller integrates Cisco ISE with Check Point security. It allows the use of TrustSec security groups in the security policy according to the static IP-to-SGT mappings in ISE. The ISE server is represented as the Data Center server in Check Point. It connects to the ISE administration nodes and automatically retrieves SGs. For redundancy, it is possible to provide both primary and secondary ISE administration nodes.

The ISE External RESTful Services (ERS) API enables communication with ISE.

Prerequisites:

• Cisco ISE version 2.1

• An ISE administrator with the ERS-Operator or ERS-Admin group assignment

• ERS enabled on the ISE administration nodes

Connecting to a Cisco ISE Data Center

1. In SmartConsole, create a new Data Center object in one of these ways:

• In the top left corner, click Objects menu > More object types > Server > Data Center > New Cisco ISE.

• In the top right corner, click Objects Pane > New > More > Server > Data Center > Cisco ISE.

2. In the Enter Object Name field, enter the desired name.

3. In the Hostname(s) field, add the IP address or hostname of your ISE administration nodes.

4. In the Username field, enter the username of your ISE administrator with the necessary credentials.

5. In the Password field, enter your ISE administrator password.

6. Click Test Connection.

7. Click OK.

8. Publish the session.

Cisco ISE Objects

Security Groups: Groups of users, endpoints, and resources that share access control policies. You define the Security Groups in Cisco ISE.


Automatic Failover

If there is a failure to communicate with the ISE administration nodes that were provided, CloudGuard Controller enters a recovery mode. In recovery mode, it automatically attempts to re-establish the connection with the administration nodes. Connection is attempted with the nodes in the order they were entered.

Important - Make sure that the secondary node is properly synchronized with the primary node. Otherwise, the IP-to-SGT data may not be up to date.


CloudGuard Controller for Google Cloud Platform

The CloudGuard Controller integrates the Google Cloud Platform (GCP) with Check Point security.

The Check Point Data Center Server connects to the GCP and retrieves object data.

The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group.

Configuring Permissions for Google Cloud Platform

You must authenticate and connect to your Google Cloud Platform account to retrieve objects.

Authentication is done with GCP Service Account credentials.

The CloudGuard Controller retrieves objects from all projects to which the Service Account has access.

You can use these authentication methods:

Service Account VM Instance Authentication: Use this option when the Security Management Server runs in a GCP VM instance that runs as a service account with the required permissions.

Service Account Key Authentication: Use this option to authenticate with a Service Account private key file. Use the GCP web console to create a key for the service account, in JSON format.

Minimum permissions for the service account

The service account must have read permissions (for example, the Viewer role) for all the relevant resources:

• Networks

• Instances

• Subnetworks

GCP APIs

You must enable the Cloud Resource Manager API for the project to which the service account belongs.

The Compute Engine API must be enabled for all the projects to which the Service Account has access.

You enable these APIs from the GCP API Library.


Connecting to a Google Cloud Platform Data Center

1. In SmartConsole, create a new Data Center object in one of these ways:

• In the top left corner, click Objects menu > More object types > Server > Data Center > New Google Cloud Platform.

• In the top right corner, click Objects Pane > New > More > Server > Data Center > Google Cloud Platform.

2. In the Enter Object Name field, enter the desired name.

3. Select the applicable authentication method:

• Service Account Key Authentication

• Service Account VM Instance Authentication

4. If you choose Service Account Key Authentication, import the Service Account JSON file.

5. Click Test Connection.

6. Click OK.

7. Publish the session.

Google Cloud Platform Objects

Objects

VPC Networks: Your GCP VPC networks in the cloud.

Subnet: All the IP addresses from the network interfaces related to this subnet.

Instance: Virtual Machine instances.

Tags: Groups all the instances that have the same network tag.

Importing GCP objects

Use Projects or Tags to import GCP objects to your policy:

Projects: Import VPC networks, subnets or instances from another project to your Security Policy.

Tags: Import all instances that have a specific network tag.

Note - All changes in GCP are automatically updated in the Check Point Security Policy. Users with permissions to change network tags in GCP may be able to change their access permissions.
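The note above, and the matching note in the Amazon Web Services section, point at the same property: a tag-based Data Center object is a group whose membership is decided on the cloud side, so the set of instances a rule matches changes whenever someone edits a tag. The following is an added example, not code from this guide or from Check Point, that applies the normalisation rules the guide states for AWS tags (leading and trailing spaces stripped, a key without a value stored as "key=") and, given two inventory snapshots, reports which instances joined or left a policy-referenced tag group, which is what a reviewer would want to see alongside the policy. GCP network tags are handled as plain labels. Helper names and all sample data are this example's own and constructed.

```python
"""Added example: tag-group membership for AWS (key=value tags) and GCP
(network tags) Data Center objects, with a drift report between two
snapshots. Helper names and sample data are this example's, constructed
for an offline run."""
from typing import Dict, Iterable, Optional, Set


def normalize_aws_tag(key: str, value: Optional[str]) -> str:
    """AWS tag as the controller stores it: 'Key=Value' with spaces stripped,
    and 'Key=' when the tag has no value."""
    return f"{key.strip()}={'' if value is None else value.strip()}"


def aws_tag_set(tags: Dict[str, Optional[str]]) -> Set[str]:
    return {normalize_aws_tag(k, v) for k, v in tags.items()}


def gcp_tag_set(network_tags: Iterable[str]) -> Set[str]:
    """GCP network tags are plain labels; the normalised form is the tag itself."""
    return {t.strip() for t in network_tags}


def members(inventory: Dict[str, Set[str]], selector: str) -> Set[str]:
    """Instances whose normalised tags match the selector.
    'Key=Value' matches that exact pair; a selector without '=' matches the
    AWS key with any value (the Tag Key import option) or a GCP network tag."""
    if "=" in selector:
        return {inst for inst, tags in inventory.items() if selector in tags}
    prefix = selector.strip() + "="
    return {inst for inst, tags in inventory.items()
            if any(t.startswith(prefix) or t == selector.strip() for t in tags)}


def membership_drift(before: Dict[str, Set[str]], after: Dict[str, Set[str]],
                     selector: str) -> Dict[str, Set[str]]:
    """What changed for one tag group between two snapshots. 'joined' is the
    set to review: each of those instances now receives the rule's access."""
    old, new = members(before, selector), members(after, selector)
    return {"joined": new - old, "left": old - new}


# Constructed AWS inventory (instance id -> normalised tags), snapshot from yesterday.
SNAPSHOT_1 = {
    "i-0aaa": aws_tag_set({"Name": "web-1", "Role": "web"}),
    "i-0bbb": aws_tag_set({"Name": "db-1", "Role": " database "}),   # stray spaces
    "i-0ccc": aws_tag_set({"Name": "bastion", "Role": None}),         # key, no value
}

# Constructed snapshot from today: i-0ccc was re-tagged Role=database.
SNAPSHOT_2 = {
    "i-0aaa": aws_tag_set({"Name": "web-1", "Role": "web"}),
    "i-0bbb": aws_tag_set({"Name": "db-1", "Role": "database"}),
    "i-0ccc": aws_tag_set({"Name": "bastion", "Role": "database"}),
}

if __name__ == "__main__":
    print(membership_drift(SNAPSHOT_1, SNAPSHOT_2, "Role=database"))
```

Run this against periodic exports of the cloud inventory (or against the imported objects' Tags property) for every tag selector your rulebase references; a non-empty "joined" set is a change to the effective policy that was made outside SmartConsole.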

Object Names

Object names are the same as those in the GCP console.

Instance and Subnet are named as follows:

Instance: "<Instance Name> (<Zone Name>)"


Subnet: "<Subnet Name> (<Region Name>)"

Imported Properties

Name: Resource name as shown in the GCP console. The user can edit the name after importing the object.

Name in server: Resource name as shown in the GCP console.

Type in server: Resource type.

IP: Associated private and public IP addresses.

Note: For instances, the list of VPC networks to which the instance belongs.

URI: Object path.

Tags: Network tags that are attached to the object.


CloudGuard Controller for Nuage Networks VSP

The CloudGuard Controller integrates the Nuage cloud with Check Point security.

The Check Point Data Center Server connects to the Nuage cloud and retrieves object data.

The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group.

Connecting to a Nuage Data Center

1. In SmartConsole, create a new Data Center object in one of these ways:

• In the top left corner, click Objects menu > More object types > Server > Data Center > New Nuage.

• In the top right corner, click Objects Pane > New > More > Server > Data Center > Nuage.

2. In the Enter Object Name field, enter the desired name.

3. In the Hostname field, enter the IP address or hostname of your Nuage VSD server.

Note - The addresses can be HTTP or HTTPS, but not both. The Nuage version is set by default to 4.0 and the port to 8443.

4. In the Username field, enter your Nuage administrator username.

In the Organization field, enter your organization name or enterprise.

5. In the Password field, enter your Nuage administrator password.

6. Click Test Connection.

7. Click OK.

8. Publish the session.

Nuage Objects

Objects

Enterprise: A logical separator for customers, BU, groups, traffic, administrators, visibility, and more.

Domain: A logical network that enables L2 and L3 communication among a set of Virtual Machines.

Security Zone: A set of network endpoints that have to agree with the same security policies.

Policy Group: Collections of vPorts and/or IP addresses that are used as building blocks for security policies that include multiple endpoints. Add one or more vPorts to a policy group using this interface. A policy group can also represent one or more IP/MAC addresses that it learned from external systems from BGP route advertisements based on origin.


Subnet: Subnets are defined under a zone. A subnet is equivalent to an L2 broadcast domain, which enables its endpoints to communicate as if they were part of the same LAN.

Instance: Virtual Machine.

vPort: Attached to a Virtual Machine or to a host and bridge interface. It provides connectivity to BMS and VLANs. It can be created or auto-discovered.

L2Domain: An L2 Domain is a distributed logical switch that enables L2 communication. An L2 Domain template can be started as often as required. This creates functioning L2 Domains.

Network Macro: Organization-wide defined macros that can be used as a destination of a policy rule. For example, you can create a network that represents your internal Internet access. You can then use it as a destination of a policy rule to drop any packet that arrives from a particular port.

Network Macro Group: A collection of existing Network Macros. These groups can be used in Security Policies to create rules that match multiple Network Macros.

Imported Properties

Name: Resource name as shown in the Nuage console. The user can edit the name after importing the object.

Name in Data Center: Resource name as shown in the Nuage console.

Type in Data Center: Resource type.

IP: Associated IP address.

Note:

• Instances - "Auto generated" description.

• Domain - Comment on the domain object inserted in VSD.

• Subnet - Subnet IP address in CIDR format.

• Zone - Comment on the zone object inserted in VSD.

• vPort - Auto-generated description.

URI: Object path.


CloudGuard Controller for OpenStack

The CloudGuard Controller integrates the Check Point Security Management Server with OpenStack Keystone.

The Check Point Data Center server connects to OpenStack and retrieves network object data from OpenStack Neutron.

Connecting to an OpenStack Server

1. In SmartConsole, create a new Data Center object in one of these ways:

• In the top left corner, click Objects menu > More object types > Server > Data Center > New OpenStack.

• In the top right corner, click Objects Pane > New > More > Server > Data Center > OpenStack.

2. In the Enter Object Name field, enter the desired name.

3. In the Hostname field, enter the URL of your OpenStack server in this format:

http(s)://1.2.3.4:5000/<keystone_version>

Example: https://1.2.3.4:5000/v2.0

Note - If you do not know your keystone URL, run this command on the OpenStack server to find it:

openstack endpoint show keystone | grep publicurl

4. In the Username field, enter your username for the OpenStack server.

5. In the Password field, enter your password for the OpenStack server.

6. Click Test Connection.

If the certificate window opens, confirm the certificate and click Trust.

7. When the connection status changes to Connected, click OK.

If the status is not Connected, troubleshoot the issue before you continue.

8. Click OK.

9. Publish the session.

Note - If you want to log into an OpenStack domain that is not your default domain, use this format: <OpenStack_domain_name>/<user_name>
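The following is an added example, not code from this guide or from Check Point, of pre-flight checks for the connection fields the guide specifies in the Microsoft Azure, Cisco APIC and OpenStack sections, so that a malformed value is caught before Test Connection sends credentials anywhere. It enforces only the formats the guide states: UUIDs for the Azure Application ID and Directory ID, <username>@<domain> for an Azure AD user, semicolon-delimited APIC URLs that are all HTTP or all HTTPS, apic:<domain>\<username> for APIC login domains, http(s)://<host>:<port>/<keystone_version> for OpenStack, and <OpenStack_domain_name>/<user_name> for a non-default domain. The helper names are this example's; the Keystone path pattern accepting /v3 as well as /v2.0 is an assumption, and the sample values are constructed.

```python
"""Added example: validators for Data Center object connection fields
(Azure, Cisco APIC, OpenStack) using only the formats the guide states.
Helper names are this example's; sample values are constructed."""
import re
import uuid
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

Problems = List[str]


def check_uuid(label: str, value: str) -> Problems:
    try:
        uuid.UUID(value)
        return []
    except ValueError:
        return [f"{label}: not a UUID"]


def check_azure(app_id: str, directory_id: str, username: Optional[str] = None) -> Problems:
    """Service Principal IDs must be UUIDs; an Azure AD user is <username>@<domain>."""
    problems = check_uuid("Application ID", app_id) + check_uuid("Directory ID", directory_id)
    if username is not None and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", username):
        problems.append("Username: expected <username>@<domain>")
    return problems


def parse_apic_urls(field: str) -> Tuple[List[str], Problems]:
    """Semicolon-delimited APIC cluster members; all HTTP or all HTTPS, never mixed."""
    urls = [u.strip() for u in field.split(";") if u.strip()]
    problems: Problems = [] if urls else ["URLs: empty"]
    schemes = set()
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"{url}: not an http(s) URL")
        schemes.add(parts.scheme)
    if len(schemes) > 1:
        problems.append("APIC URLs mix HTTP and HTTPS")
    return urls, problems


APIC_LOGIN_DOMAIN = re.compile(r"apic:([^\\]+)\\(.+)")


def parse_apic_username(value: str) -> Tuple[Optional[str], str]:
    """Split apic:<domain>\\<username> into (domain, username); a plain name gets domain None."""
    match = APIC_LOGIN_DOMAIN.fullmatch(value)
    return (match.group(1), match.group(2)) if match else (None, value)


def check_keystone_url(value: str) -> Problems:
    """http(s)://<host>:<port>/<keystone_version>, for example https://1.2.3.4:5000/v2.0."""
    parts = urlsplit(value)
    problems: Problems = []
    if parts.scheme not in ("http", "https") or not parts.netloc:
        problems.append("scheme must be http or https")
    if not re.fullmatch(r"/v\d+(\.\d+)?/?", parts.path):   # assumption: /v2.0 or /v3 style paths
        problems.append("path must be the Keystone version, for example /v2.0")
    return problems


def parse_openstack_user(value: str) -> Tuple[Optional[str], str]:
    """<OpenStack_domain_name>/<user_name> selects a non-default domain."""
    domain, sep, user = value.partition("/")
    return (domain, user) if sep else (None, value)


if __name__ == "__main__":
    # Constructed values
    print(check_azure("6ba7b810-9dad-11d1-80b4-00c04fd430c8", "not-a-uuid", "svc"))
    print(parse_apic_urls("https://10.0.0.1; http://10.0.0.2"))
    print(parse_apic_username("apic:corp\\svc-cg"))
    print(check_keystone_url("https://1.2.3.4:5000/v2.0"), parse_openstack_user("ops/svc"))
```

These checks validate shape only; whether the credentials are valid and whether the certificate presented at Test Connection is the expected one still has to be confirmed in SmartConsole.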


OpenStack Objects

Objects

Instances: Virtual Machines inside the cloud.

Security groups: Sets of IP address filter rules for networking access. They are applied to all instances within a project.

Subnet: A block of IP addresses and associated configuration states. Subnets are used to allocate IP addresses when new ports are created on a network.

Imported Properties

IP:

• VM - Virtual Machine's IP address

• Security Group - IP addresses of the Virtual Machines inside the group

• Subnets - IP addresses of the Virtual Machines inside the subnet

Note:

• Instances - Empty

• Security Group - Description of the group

• Subnet - IP address and mask of the subnet

URI: Object path


CloudGuard Controller for VMware Servers

Connecting to a VMware Server

1. In SmartConsole, create a new Data Center object in one of these ways:

• In the top left corner, click Objects menu > More object types > Server > Data Center > New VMware vCenter, or New VMware NSX.

• In the top right corner, click Objects Pane > New > More > Server > Data Center > VMware vCenter, or VMware NSX.

2. In the Enter Object Name field, enter the desired name.

3. In the Hostname field, enter the IP address or hostname of your vCenter or NSX Manager server.

4. In the Username field, enter your VMware administrator username.

5. In the Password field, enter your VMware administrator password.

6. Click Test Connection.

7. Click OK.

8. Publish the session.

CloudGuard Controller for VMware vCenter

The Check Point Data Center Server connects to the VMware vCenter and retrieves object data.

The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects.

You must have a VMware vCenter username with at least Read-Only permissions.

CloudGuard Controller for VMware NSX Manager Server

The CloudGuard Controller integrates the VMware NSX Manager Server with Check Point security.

The Check Point Data Center Server connects to the VMware NSX Manager Server and retrieves object data.

The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group.

You must have a VMware NSX username with the Auditor role or higher for CloudGuard Controller access.

Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be required for service registration (vSEC Gateway for NSX).


VMware vCenter Objects

Objects

Object Description

Cluster: A collection of ESXi hosts and associated Virtual Machines configured to work as a unit.

Datacenter: An aggregation of many object types required to work in a virtual infrastructure. These include hosts, Virtual Machines, networks, and datastores.

Folder: Lets you group similar objects.

Host: The physical computer where you install ESXi. All Virtual Machines run on a host.

Resource pool: Compartmentalizes the host or cluster CPU and memory resources.

Virtual machine: A virtual computer environment where a guest operating system and associated application software run.

vSphere vApp: A packaging and managing application format. A vSphere vApp can contain multiple Virtual Machines.

Tags: All the Virtual Machines tagged with the vCenter tag.

Note - This is supported with vCenter 6.5 and above.

Imported Properties

Imported Property Description

IP: IP address or Hostname of vCenter Server. You must install VMware Tools on each Virtual Machine to retrieve the IP addresses for each computer.

Note: VMware vCenter object notes.

URI: Object path.

VMware NSX Objects

Objects

Object Description

Security Group: Enables a static or dynamic grouping, based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.

Universal Security Group: Enables defining a Security Group across VMware NSX managers.

Note - Import these objects separately for each VMware NSX manager.

Imported Properties

Imported Property Description

IP: All the Security Group IP addresses

Note: Description value of a Security Group

URI: Object path

Threat Prevention Tagging for CloudGuard for NSX Gateway

Threat Prevention Tagging:

Threat Prevention Tagging automatically assigns Security Tags to Data Center objects based on Threat Prevention analysis and group affiliation.

This enables the use of dynamic Security Groups in policy rules.

Enable Threat Prevention Tagging for the Anti-Bot and Anti-Virus services on the CloudGuard for NSX Gateway.

When traffic from an infected Virtual Machine reaches the Security Gateway and is denied entry, the Virtual Machine is tagged as infected in the NSX Manager.

To apply Threat Prevention Tagging, deploy the CloudGuard Gateway for NSX service and enable Threat Prevention on the CloudGuard for NSX. See vSEC for NSX Managed by the R80.10 Security Management Server Administration Guide http://downloads.checkpoint.com/dc/download.htm?ID=60744.

To activate Threat Prevention tagging:

Step Description

1 Connect to the command line on the CloudGuard for NSX Gateway.

2 Log in to Gaia Clish, or Expert mode.

3 Enable the tagging. Run: tagger_cli

4 Select Activate Cluster.

CloudGuard for NSX Clusters with active Anti-Bot and/or Anti-Virus Software Blades on them appear.

5 Select the Cluster.

Make sure the message Cluster activated successfully shows.

When it is activated, the Cluster automatically tags infected Virtual Machines in the NSX Manager Server. The Security Tags are:

• Default Anti-Bot Security Tag: Check_Point.BotFound

• Default Anti-Virus Security Tag: Check_Point.VirusFound

The Security Tags are created automatically in the NSX Manager Server when the Cluster is activated.

When Security Tags are configured, you can create policy rules based on the Security Groups that contain those tags.


Advanced options:

Use the advanced menu options to configure the tags.

Option Description

Show Activated gateways: Lists the activated Clusters and the status of each CloudGuard for NSX Gateway.

Modify Anti-Bot Security Tag: Enables or disables tagging for the Anti-Bot Software Blade and changes the Security Tag.

Modify Anti-Virus Security Tag: Enables or disables tagging for the Anti-Virus Software Blade and changes the Security Tag.

Modify White List: IP addresses listed in the White List are not tagged. Separate entries with spaces. Ranges are not accepted.

Create New Security Tag: Creates a new Security Tag in the NSX Manager Server.

Update Data: When you add a new ESX to a Cluster, CloudGuard for NSX Gateway automatically updates the Threat Prevention Tagging data within 15 minutes. Select this option to update the data manually on the new CloudGuard for NSX Gateway.

Threat Prevention Tagging Logs

In SmartConsole, in the Logs & Monitor view, see CloudGuard Tagging in the Blade column.

Message: The Virtual Machine <VM ID> was tagged successfully with Security Tag '<Tag Name>' in NSX <NSX IP Address>

Description: Threat Prevention tagging successfully tagged a Virtual Machine due to malicious traffic.

Message: The IP address <VM IP Address> appears twice in the ESX <ESX IP Address>. The infected Virtual Machine was not tagged

Description: An IP address appears twice in the ESX. Skipping the tag prevents false-positive tagging of Virtual Machines that share an IP address in the ESX.

Message: Failed to get data from the Data Center <Data Center IP Address>

Description: Failed to get a Data Center object from the R80.30 Security Management Server API. Check that there is a trusted connection for CloudGuard Controller.

Message: Threat Prevention Tag is ignored because the VM IP '<VM IP Address>' is on the White List

Description: The Virtual Machine IP address is on the White List, so the Threat Prevention tag is ignored.
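The following Python model is added here as an illustration; it is not part of Check Point's tagger_cli or of this guide. It walks through the three outcomes the log table above documents for a blocked-traffic event: the Virtual Machine is tagged with the blade's Security Tag, it is skipped because its IP address appears twice in the ESX, or it is skipped because the IP address is on the White List. It also enforces the White List rule from the advanced options (single addresses separated by spaces, no ranges) and the option to disable or rename a blade's tag. The ESX inventory, VM IDs, IP addresses and NSX address are constructed sample values, and the class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field

# Default Security Tag names from the guide; "Modify ... Security Tag" in tagger_cli
# lets an administrator rename either tag or disable tagging for that blade.
DEFAULT_TAGS = {
    "Anti-Bot": "Check_Point.BotFound",
    "Anti-Virus": "Check_Point.VirusFound",
}


@dataclass
class EsxInventory:
    """Constructed view of one ESX host: VM ID -> list of that VM's IP addresses."""
    esx_ip: str
    vms: dict

    def vms_with_ip(self, ip):
        # Duplicate IP addresses on one ESX are exactly the case the guide refuses to tag.
        return [vm_id for vm_id, ips in self.vms.items() if ip in ips]


@dataclass
class Tagger:
    """Hypothetical model of the tagging decision; not Check Point's tagger_cli."""
    nsx_ip: str
    tags: dict = field(default_factory=lambda: dict(DEFAULT_TAGS))
    whitelist: set = field(default_factory=set)
    tagged: list = field(default_factory=list)

    def set_whitelist(self, text):
        """White List entries are single IP addresses separated by spaces; ranges are rejected."""
        entries = set()
        for item in text.split():
            if "-" in item or "/" in item:
                raise ValueError(f"ranges are not accepted: {item}")
            entries.add(str(ipaddress.ip_address(item)))  # also validates the address
        self.whitelist = entries

    def set_tag(self, blade, tag_name):
        """Rename the Security Tag for a blade, or pass None to disable tagging for it."""
        if blade not in self.tags:
            raise KeyError(blade)
        self.tags[blade] = tag_name

    def decide(self, blade, vm_ip, esx):
        """Return the log message the guide documents for a blocked-traffic event from vm_ip,
        or None when nothing is logged (tagging disabled for the blade, or IP not in inventory)."""
        tag = self.tags[blade]
        if tag is None:
            return None
        if vm_ip in self.whitelist:
            return (f"Threat Prevention Tag is ignored because the VM IP '{vm_ip}' "
                    "is on the White List")
        matches = esx.vms_with_ip(vm_ip)
        if len(matches) > 1:
            return (f"The IP address {vm_ip} appears twice in the ESX {esx.esx_ip}. "
                    "The infected Virtual Machine was not tagged")
        if not matches:
            return None
        vm_id = matches[0]
        self.tagged.append((vm_id, tag))
        return (f"The Virtual Machine {vm_id} was tagged successfully with Security Tag "
                f"'{tag}' in NSX {self.nsx_ip}")


# Constructed sample inventory: vm-102 and vm-103 share 10.0.0.6.
SAMPLE_ESX = EsxInventory("192.0.2.10", {
    "vm-101": ["10.0.0.5"],
    "vm-102": ["10.0.0.6"],
    "vm-103": ["10.0.0.6"],
    "vm-104": ["10.0.0.7"],
})


def run_sample():
    """Three blocked-traffic events, one per documented outcome; returns (messages, tagger)."""
    tagger = Tagger(nsx_ip="192.0.2.1")
    tagger.set_whitelist("10.0.0.7 10.0.0.8")
    events = [("Anti-Bot", "10.0.0.5"), ("Anti-Virus", "10.0.0.6"), ("Anti-Bot", "10.0.0.7")]
    return [tagger.decide(blade, ip, SAMPLE_ESX) for blade, ip in events], tagger


if __name__ == "__main__":
    for message in run_sample()[0]:
        print(message)
```

The duplicate-IP check is the defensive point worth noticing: a tag on the wrong Virtual Machine would pull an uninfected workload into a quarantine Security Group, so the model (like the documented behaviour) prefers to skip the tag and log the reason rather than guess.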

CHAPTER 7

CloudGuard Controller Monitoring

In This Section:

Messages ...................................................................................................................... 44

Status ............................................................................................................................ 44

Traffic Logs ................................................................................................................... 44

Messages

Message: Mapping of Data Center server url <URL> with user <User> started

Description: CloudGuard Controller successfully connected to the Data Center. It starts to map the Data Center objects.

Message: Mapping of Data Center server url <URL> with user <User> finished

Description: CloudGuard Controller successfully mapped the Data Center objects. It starts to monitor the Data Center changes.

Message: Data center server objects were successfully updated on gateway <Name>

Description: The Data Center object was successfully updated on the Security Gateway.

Status

Use these options to confirm that there is Data Center connectivity and that the Security Gateway enforces Data Center objects:

Option Description

On the Management Server: Follow these steps:

1. Connect to the command line.

2. Run: cpstat vsec

In SmartConsole: Follow these steps:

1. From the left navigation panel, click Gateways & Servers.

2. Select your Management Server object.

3. At the bottom, from the Summary tab, click Device & License Information -> Device Status.

Traffic Logs

You can see CloudGuard Controller logs as traffic logs in the SmartConsole Logs & Monitor tab.

• When a Data Center object matches a rule, CloudGuard Controller puts the object name (not the IP address) in the Source or Destination fields of the log details.

• If an object from a higher level in the hierarchy is in the Rule Base, CloudGuard Controller uses the lowest possible object that matches the IP address in the log.
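As an added example, not code from Check Point or this guide, the Python below models the second rule: each Data Center object carries its imported IP property and a link to its parent, and the name written to the log is the deepest object under the rule's object that still contains the matched IP address. The Datacenter, Cluster and Virtual machine names and addresses are constructed, and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(eq=False)
class DcObject:
    """A Data Center object: its imported IP property and its parent in the hierarchy."""
    name: str
    ips: frozenset
    parent: Optional["DcObject"] = None

    def depth(self):
        """Number of ancestors; the Datacenter root has depth 0."""
        d, node = 0, self
        while node.parent is not None:
            d, node = d + 1, node.parent
        return d


def is_under(obj, ancestor):
    """True when obj is ancestor itself or sits somewhere below it."""
    node = obj
    while node is not None:
        if node is ancestor:
            return True
        node = node.parent
    return False


def lowest_matching_object(objects, ip):
    """The deepest object whose imported IP property contains ip, or None."""
    candidates = [o for o in objects if ip in o.ips]
    if not candidates:
        return None
    return max(candidates, key=DcObject.depth)


def log_object_name(rule_object, objects, ip):
    """Name the log would show in Source/Destination for a rule that references
    rule_object and matched ip: the lowest object under rule_object containing ip.
    Returns None when the rule object does not match the address at all."""
    if ip not in rule_object.ips:
        return None
    subtree = [o for o in objects if is_under(o, rule_object)]
    return lowest_matching_object(subtree, ip).name


def build_sample_hierarchy():
    """Constructed vCenter-style tree: Datacenter DC1 > two Clusters > Virtual machines.
    A parent's IP property is the union of its children's, as the imported data would be."""
    web01 = DcObject("web-01", frozenset({"10.0.0.5"}))
    web02 = DcObject("web-02", frozenset({"10.0.0.6"}))
    db01 = DcObject("db-01", frozenset({"10.0.1.5"}))
    prod = DcObject("Prod-Cluster", web01.ips | web02.ips)
    data = DcObject("Data-Cluster", db01.ips)
    dc1 = DcObject("DC1", prod.ips | data.ips)
    for child, parent in ((web01, prod), (web02, prod), (db01, data), (prod, dc1), (data, dc1)):
        child.parent = parent
    return {o.name: o for o in (dc1, prod, data, web01, web02, db01)}


if __name__ == "__main__":
    objs = build_sample_hierarchy()
    # The rule references the whole Datacenter, but the log names the VM that actually matched.
    print(log_object_name(objs["DC1"], list(objs.values()), "10.0.0.5"))  # web-01
```

Resolving to the most specific object is what makes these logs useful during an investigation: a rule written against a Cluster still tells you which Virtual Machine generated the connection, without having to cross-reference the IP address against the inventory by hand.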

CHAPTER 8

CloudGuard Controller Troubleshooting

In This Section:

CloudGuard Controller Troubleshooting ..................................................................... 46

CloudGuard Data is Deleted Unpredictably on CloudGuard Security Gateway ......... 47

CloudGuard Controller Troubleshooting

Below are some messages you may see in SmartConsole:

Message: Connection lost to Data Center server url <URL> with user <User>

Description: The connection was lost, possibly due to connectivity issues.

Solution: In the Data Center object, click Test Connection.

Message: Failed to update policy with data center objects. Install policy again to resolve the issue

Description: The install process completed correctly, but there is corrupt policy data in a Data Center object.

Solution: Install the policy again.

Message: Connectivity to data center server <IP Address> lost. Objects imported from this data center server are no longer being updated

Description: There are persistent connectivity issues between the Security Management Server (CloudGuard Controller) and the Data Center.

Solution: Resolve the connectivity issues.

Message: Failed to update data center server objects on gateway <GW Name>. If issue persists contact Check Point Support.

Description: CloudGuard Controller failed to update a Security Gateway. There may be no connectivity to the Security Gateway.

Solution:

• Make sure SIC is established between the Security Gateway and CloudGuard Controller.

• Make sure the Identity Awareness API is enabled on the Security Gateway.

Message: Failed to generate data center server objects of new policy, Security gateways are no longer updated with the new data center objects

Description: A policy transfer to a Security Gateway failed.

Solution: Install the Access Control Policy again.

Message: Failed to stop updates of data center objects on the secondary management server

Description: Data transmission to a Security Gateway from a Secondary Security Management Server stopped.

Solution: Install the Access Control Policy again.

Message: Failed to start updates from previous standby domain

Description: CloudGuard Controller failed to start updating a Security Gateway. It is possible that there is no connectivity to the Security Gateway.

Solution: Install the Access Control Policy again.

Message: Failed to stop updates of data center objects for deleted domain. Contact Check Point Support

Description: CloudGuard Controller failed to stop Domain enforcement when a Domain was deleted.

Solution: Install the Access Control Policy again.
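The Python below is an added example, not Check Point's code or part of this guide. It parses the Monitoring messages from the previous chapter together with the Troubleshooting messages in the table above into named fields, replays them in order to derive the current state of each Data Center server and Security Gateway, and attaches the solution the table prescribes for each failure seen, which is the shape a simple health check over exported SmartConsole logs would take. The sample messages, URLs, gateway names and addresses are constructed, and the pattern and function names are hypothetical.

```python
import re

# Message templates copied from the Monitoring and Troubleshooting tables; the
# <...> placeholders become named capture groups. Order matters only for readability.
PATTERNS = [
    ("mapping_started", re.compile(
        r"^Mapping of Data Center server url (?P<url>\S+) with user (?P<user>\S+) started$")),
    ("mapping_finished", re.compile(
        r"^Mapping of Data Center server url (?P<url>\S+) with user (?P<user>\S+) finished$")),
    ("gateway_updated", re.compile(
        r"^Data center server objects were successfully updated on gateway (?P<gw>.+)$")),
    ("connection_lost", re.compile(
        r"^Connection lost to Data Center server url (?P<url>\S+) with user (?P<user>\S+)$")),
    ("connectivity_lost", re.compile(
        r"^Connectivity to data center server (?P<ip>\S+) lost\. Objects imported from this "
        r"data center server are no longer being updated$")),
    ("gateway_update_failed", re.compile(
        r"^Failed to update data center server objects on gateway (?P<gw>.+?)\. "
        r"If issue persists contact Check Point Support\.$")),
    ("policy_update_failed", re.compile(
        r"^Failed to update policy with data center objects\. "
        r"Install policy again to resolve the issue$")),
]

# Solutions from the Troubleshooting table, keyed by message kind.
SOLUTIONS = {
    "connection_lost": "In the Data Center object, click Test Connection.",
    "connectivity_lost": "Resolve the connectivity issues.",
    "gateway_update_failed": "Check SIC to the gateway and that the Identity Awareness API is enabled.",
    "policy_update_failed": "Install the Access Control Policy again.",
}


def parse_message(line):
    """Classify one message; returns (kind, fields) or ("unknown", {"raw": line})."""
    for kind, rx in PATTERNS:
        m = rx.match(line.strip())
        if m:
            return kind, m.groupdict()
    return "unknown", {"raw": line}


def summarize(lines):
    """Replay messages in order and return the latest state per Data Center server and
    Security Gateway, plus the solutions the guide prescribes for each failure seen."""
    state = {"data_centers": {}, "gateways": {}, "actions": []}
    for line in lines:
        kind, f = parse_message(line)
        if kind == "mapping_started":
            state["data_centers"][f["url"]] = "mapping"
        elif kind == "mapping_finished":
            state["data_centers"][f["url"]] = "monitoring"
        elif kind == "connection_lost":
            state["data_centers"][f["url"]] = "connection lost"
        elif kind == "connectivity_lost":
            # Objects from this server are no longer updated: enforcement is now stale.
            state["data_centers"][f["ip"]] = "stale"
        elif kind == "gateway_updated":
            state["gateways"][f["gw"]] = "updated"
        elif kind == "gateway_update_failed":
            state["gateways"][f["gw"]] = "update failed"
        if kind in SOLUTIONS:
            state["actions"].append((kind, SOLUTIONS[kind]))
    return state


# Constructed sample, in the order an operator might see it in Logs & Monitor.
SAMPLE_LINES = [
    "Mapping of Data Center server url https://192.0.2.20:5000/v2.0 with user cloudguard started",
    "Mapping of Data Center server url https://192.0.2.20:5000/v2.0 with user cloudguard finished",
    "Data center server objects were successfully updated on gateway GW-East",
    "Failed to update data center server objects on gateway GW-West. "
    "If issue persists contact Check Point Support.",
    "Connection lost to Data Center server url https://192.0.2.20:5000/v2.0 with user cloudguard",
    "Connectivity to data center server 192.0.2.30 lost. Objects imported from this data center "
    "server are no longer being updated",
]


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_LINES))
```

The "stale" state is the one to alert on: once connectivity to a Data Center server is lost, Security Gateways keep enforcing the last imported object membership, so a rule that relies on a dynamic Security Group silently stops tracking new or moved workloads until the connection is restored.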

CloudGuard Data is Deleted Unpredictably on CloudGuard Security Gateway

Symptom

CloudGuard data is deleted unpredictably on the CloudGuard Security Gateway.

Root Cause

The CloudGuard Security Gateway is not synchronized with CloudGuard Controller data.

Solution

Reset the CloudGuard Controller state on the Security Gateway:

Step Description

1 Connect to the command line on the Management Server.

Log in to the Gaia Clish, or Expert mode.

2 Run: vsec_controller_cli

3 Select:

Resend enforcement data to gateway

4 Select the Security Gateway to reset.

Note - If data is not synchronized after reset, contact your Check Point partner, or Check Point Support.