Professional Documents
Culture Documents
Cloudguard For NSX: Administration Guide
Cloudguard For NSX: Administration Guide
2019
Administration Guide
[Classification: Restricted]
Table of Contents
Table of Contents
Terms 5
Introduction to CloudGuard 8
Basic Deployment with Hypervisor mode 8
ESXi Host Security Considerations 9
Requirements for VMware Tools 9
Workflow for Upgrading and Installing CloudGuard 10
Upgrading and Installing CloudGuard 10
Step 1: Installing the CloudGuard Service Registration Hotfix on the Management Server 10
Step 2: Upgrading the CloudGuard Service Registration Hotfix 11
Upgrading from v5 or v6 11
Using CPUSE to Install the Management Server Hotfix 11
Uninstalling the Hotfix 12
Step 3: Upgrading the CloudGuard Gateway for NSX 12
Upgrading the CloudGuard Gateway with the CLI 13
Upgrading the CloudGuard Gateway Manually 15
Step 4: Configuring the VMware Components 15
Adding the vCenter IP Address to the Runtime Settings 15
Preparing the ESXi Cluster for CloudGuard Service Deployment 16
Adding an ESXi to an ESXi Cluster 16
Configuring Agent VM Host Settings 16
Removing an ESXi Server from an ESXi Cluster 17
NSX Grouping Objects 17
Creating a Security Group 17
Creating a CloudGuard Gateway IP Address Pool 18
Creating an IP Set 18
vMotion 19
Step 5: Providing the URL OVF Path 20
Use Case - Manually Selecting the OVF File Location 20
Step 6: Configuring the Management Server 21
Configuring the Security Management Server or Multi-Domain Server Properties 22
Terms
CloudGuard
Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage,
and security.
CloudGuard Gateway
Check Point Virtual Security Gateway that protects dynamic virtual environments with policy enforcement.
CloudGuard Gateway inspects traffic between Virtual Machines to enforce security, without changing the
Virtual Network topology.
Data Center
Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores.
They are collected in a group for secured remote storage, management, and distribution of data.
DRS
Data Resource Scheduler. Monitors resource use across resource pools and allocates resources between
Virtual Machines to maximize throughput.
ESXi
A VMware physical hypervisor server that hosts one or more Virtual Machines and other virtual objects. All
references to ESX are also relevant for ESXi unless specifically noted otherwise. Trademark of VMware,
Inc.
Management Server
A Check Point Security Management Server or a Multi-Domain Server.
NSX Manager
Basic network and security functionality for virtual computer environments. A VMware product family for
SDN of Virtual Machines on the cloud (previously known as vShield). Trademark of VMware, Inc.
OVF
Open Virtualization Format. Open standard (independent of processor architecture) for the distribution of
software that runs on Virtual Machines.
Port Group
Virtual Switch ports that share parameters, such as bandwidth limitations and VLAN tagging policies, and
through which Virtual Machines connect to Virtual Switches. Unless otherwise specified, this refers to both
regular port groups (on one ESXi host) and dvPGs (distributed virtual port groups, on multiple ESXi hosts).
REST API
Representational State Transfer Application Programming Interface. The NSX API, for communication
between the NSX Manager and the Service Manager.
SDDC
Software-Defined Data Center. Data Center infrastructure components that can be provisioned, operated,
and managed through an API for full automation.
SDN
Software-Defined Network. Virtualization of topology, traffic, and functionality.
Service Composer
A VMware NSX component that provisions and assigns network and security services to applications in a
virtual infrastructure.
Service Manager
Component that manages the communication between Check Point products, CloudGuard and the
VMware NSX, through the VMware REST API.
SVM
Service Virtual Machine. A Virtual Machine deployed as a service on the ESXi and as part of NSX network.
CloudGuard Gateway is an SVM.
vCenter Server
Centralized management tool for VMware vSphere. It manages many ESXi servers and VMs from different
ESXi servers, from one console application.
Virtual Network
Environment of logically connected Virtual Machines on an ESXi host.
vMotion
VMware technology for migration of active VMs between ESXi hosts.
vNIC
Virtual Network Interface Card. Software-based abstraction of a physical interface that supplies network
connectivity for Virtual Machines.
vSphere
VMware cloud computing virtualization operating system. The vSphere Web Client is the GUI to manage
Virtual Machines and their objects.
Introduction to CloudGuard
Check Point CloudGuard for VMware NSX delivers multi-layered defense to protect East-West traffic within
the VMware deployed Data Center. CloudGuard transparently enforces security at the hypervisor level
between Virtual Machines. It automatically quarantines infected Virtual Machines for remediation, and
provides comprehensive visibility into Virtual Network traffic trends and threats.
CloudGuard Gateway for NSX-V is automatically deployed as a service Virtual Machine in the VMware
virtual environment. It fully integrates with VMware NSX components. The CloudGuard Gateway secures
Data Center traffic between Virtual Machines across the Virtual Network.
CloudGuard Gateways inspect all traffic that goes to, from, or inside the protected Security Group.
2 NSX NSX Manager defines Security Groups and the redirection policy.
7 Data Center core The Data Center switching and routing infrastructure.
9 Check Point Management Check Point Management Server that is Software-Defined Data
Server Center aware.
CloudGuard Gateway for NSX requires NSX Administrator Permissions and a Read-only role
for the vCenter Server.
Step Procedure
"Step 1: Installing the CloudGuard Service Registration Hotfix on the Management Server" below
"Step 2: Upgrading the CloudGuard Service Registration Hotfix" on the next page
"Step 8: Deploying and Configuring CloudGuard Security Gateway for NSX " on page 30
Upgrading from v5 or v6
To upgrade from CloudGuard Service Registration v5 or v6:
Step Description
1 From a web browser on your computer, connect to the Gaia Portal on your Security
Management Server or Multi-Domain Server.
2 From the left tree, go to Upgrades (CPUSE) > Status and Actions.
3 On the top toolbar, click Showing Recommended packages and select All .
If you do not see the Hotfix package, click Check For Updates .
Step Description
2 With a web browser on your computer, connect to the Gaia Portal on your Security
Management Server or Multi-Domain Server.
Step Description
3 From the left tree, go to Upgrades (CPUSE) > Status and Actions.
6 Click Upload.
7 On the top toolbar, click Showing Recommended packages and select All.
Step Description
1 With a web browser on your computer, connect to the Gaia Portal on your Security
Management Server or Multi-Domain Server.
2 From the left tree, go to Upgrades (CPUSE) > Status and Actions.
3 On the top toolbar, click Showing Recommended packages and select All.
5 Click Uninstall.
Before you start the upgrade, you have to enable the OVF files. See "Step 5: Providing the URL OVF
Path" on page 20.
Notes:
n Make sure:
l There is connectivity between the OVF URL and the vCenter server and the Security
Management Server or Multi-Domain Server
l The OVF file is accessible from the Security Management Server or Multi-Domain Server
n If you update the OVF URL now, it affects only the new service registration.
Important - Before the upgrade, make sure the service status in the vSphere web client is UP, or the
upgrade fails.
Step Description
3 Run:
# cloudguard_config
4 SelectVMware Configuration > Manage Register Service > Upgrade Service >
NSX.
7 To register the service with a default configuration, press y to accept the default
settings.
There are two options:
n Enter y to automatically create the CloudGuard Gateway objects on the Security
Management Server or Multi-Domain Server and to automatically assign the IP
gateway address from the NSX IP pool.
n Enter n to manually create an object. Then, enter y to automatically assign to
CloudGuard Gateway an IP address from the NSX IP pool, or n, to set the IP
address manually.
See below for details to register the service.
8 Enter and confirm the default administrator password for the CloudGuard Gateway.
Step Description
10 Select the IP pool, if you had selected to assign the IP gateway address from the NSX IP
pool.
If your IP pool has no IP, you can change your selection, or create new IP pool.
Description
The upgrade is now in progress. The process takes some time. You can follow the progress on the
Management Server's console.
When the installation is complete, you have to redirect the traffic to the new service.
Step Description
1 Select VMware Configuration > Manage Register Service > Change Redirection
Rules > NSX.
Use the vSphere Web UI to confirm the new service is running, and then uninstall the old service.
Step Description
4 In SmartConsole, install the Access Control Policy on the Check Point Gateway.
5 On the vSphere web UI, change the redirection policy from the old service to the new
service.
Best Practice:
Before you install the new CloudGuard Gateway, migrate all the Virtual Machines to another ESXi.
There is less downtime when you upgrade.
Step Description
1 In the vSphere Web Client, click vCenter > vCenter Servers and select the server.
3 Click vCenter Server managed address > Edit > Runtime settings.
4 In the Virtual Center Server managed address field, enter the vCenter server IP
address.
Step Description
1 In the vSphere Web Client, right-click the ESXi cluster object and select Add Host.
3 If you do not use an IP address pool or Automatic Provisioning, manually activate the
CloudGuard Gateway and then configure it.
Step Description
1 In the vSphere Web Client, go to the ESXi server and select the Configure tab for each
ESXi server.
3 In the Agent VM Settings window, select the datastore to hold the files for the CloudGuard
Gateway Service Virtual Machine.
Best Practice:
Deploy the CloudGuard Gateway on ESXi server local storage and not on external
storage.
4 In the Agent VM Settings window, select the Port Group network that connects to the
CloudGuard Gateway Service VM by default.
This Port Group is used for communication with the Security Management Server or Multi-
Domain Server.
5 Install the NSX VIB on all hosts before you deploy it.
Step Description
Step Description
2 Select the ESXi server and click Actions > Maintenance Mode > Enter Maintenance
Mode.
4 Select the host and click Actions > Exit Maintenance Mode.
Step Description
1 In the vSphere Web Client, go to Networking and Security > Service Composer > Security
Groups .
Step Description
4 Click Next.
Step Description
4 Click Manage.
8 Enter the primary and secondary DNS, DNS suffix and prefix length.
10 Click OK.
Creating an IP Set
To create an IP Set:
Step Description
Step Description
6 In the Add IP Addresses window, enter a name, description and IP address for the
new Security Group.
This IP address is redirected to the CloudGuard Gateway.
vMotion
vMotion lets you migrate active Virtual Machines between ESXi servers.
Configure network interfaces on source and target ESXi servers. Configure each ESXi server with at least
one network interface for vMotion traffic. To secure data transfer, make sure only trusted parties access
the vMotion network. Additional bandwidth significantly improves vMotion performance. When you migrate
a Virtual Machine with vMotion without using shared storage, the virtual disk contents are also transferred
over the network.
Configure the Virtual Networks on vMotion enabled ESXi server:
n The VMware distributed firewall on the target ESXi server handles existing connections until they
are closed or reset.
n The CloudGuard service that runs on the target ESXi server secures new connections to and
from the migrated Virtual Machine.
Important:
The HTTPS connection and the Control connection must be initialized again after vMotion. Initialize the
sessions of existing connections that need a control channel, in addition to the data channel.
Step Description
1 Extract the package and make sure it contains the OVF, VMDK, and MF files.
2 Copy the files to the ve folder or select your own location. The default file location is:
Note - Make sure that you copy the files to the Multi-Domain Server and not to a
Domain Management Server.
n Third Party Server: You can copy the files to an HTTP server that can access the
vCenter server.
n Run the md5sum command to validate the integrity of the file you copied.
Best Practice:
3 Update the URL of the CloudGuard Gateway OVF. Set this URL to the file name with
the ovf extension. You can have multiple OVFs.
If you receive an error message when you try to register service, the file could be in a different location.
For more information, see "Troubleshooting and Best Practices" on page 41.
Step Description
3 Run:
cloudguard_config
4 Select VMware Configuration > Change Global configuration > Manage Service
OVFs .
From this menu you can Add OVF, Delete OVF, and Change default OVF.
Step Description
2 Run:
cloudguard on
Step Description
Step Description
5 Run:
cloudguard_config
8 Enter the Service Manager IP Address (IP Address of the Security Management Server
or Multi-Domain Server that is routable from the NSX Manager).
Note - In a Multi-Domain Server environment, enter the IP address of the applicable
Domain Management Server.
10 To register the CloudGuard service now, enter y . To register at another time, enter n.
Step Description
5 Run:
cloudguard_config
Step Description
2 Enter and confirm the default administrator password for the CloudGuard Gateway.
If this is the first registered service, select a management administrator and enter the correct password to
continue. These credentials are given to the NSX Manager that uses the credentials as identification for all
the operations done by the Security Management Server or Multi-Domain Server.
Make sure the administrator has Management API login permission.
In a Multi-Domain Server environment, make sure the administrator has permissions on the relevant
domain for the Domain Management Server.
If you have to change the administrator, or if the administrator password has changed, update the
credentials. Go to:
Step Description
2 Run:
cloudguard_config
3 Select VMware configuration > Change Global Configuration > Service Manager
Credentials .
Step Description
5 Configure IPv6 Support (see "Configuring IPv6 Support" on the next page).
Step Description
8 Enter and confirm the default administrator password for the CloudGuard Gateway.
n As a permanent part of your deployment to monitor the use of applications in your organization.
n As an evaluation tool for the capabilities of the Application Control and IPS blades, before you
decide to purchase them.
n To create security check-up reports.
You can use Tap Mode combined with Threat Prevention Tagging to share security events with NSX
Manager and achieve prevention, without deploying the solution inline.
Notes:
n A CloudGuard Gateway for NSX deployed in this mode does not enforce Security Policy or
perform any active operation, such as prevent/drop/reject. Therefore, you can use it only to
evaluate the monitoring and detection capabilities of the software blades.
See sk101670 for the supported software blades > Section [2] Support for Security Gateway
blades.
n All duplicate packets that arrive at the monitor interface of the Security Gateway are terminated
and are not forwarded.
See sk101670 for the Monitor Mode limitations > Section [5] Limitations (other than the Known
Limitations for CloudGuard Gateway for NSX ).
Run cpconfig, select Check Point CoreXL, and follow the on-screen instructions.
n Most of the traffic passing through the CloudGuard Gateway is IPv6 traffic.
Step Description
4 Run:
cloudguard_config
5 Select VMware Configuration > Manage Register Service > Change Failure
Policy .
The Current Failure Policy shows. Enter y to change the policy, or n to keep it.
Important:
The change of policy is reflected immediately on the service profile of each service, but is not
reflected in the ESXi Rule Base.
To update the rules on ESXi, disable the redirection rules. When you disable the redirection rules, traffic
no longer reaches the CloudGuard Gateway, and the traffic is not inspected until you enable the
redirection rules again.
To change the failure policy on ESXi, disable the redirection rules and then enable them again.
Note:
This operation is disruptive to the CloudGuard Gateway operation and can cause connectivity issues
with the connections that were started before the redirection is re-enabled.
n Creates CloudGuard objects (Clusters or Gateways) on the Security Management Server or Multi-
Domain Server when it receives a notification from the NSX Server.
n Automatically initializes SIC between the CloudGuard Gateway and the Security Management
Server or Multi-Domain Server.
n Installs the policy on new Security Gateways if the CloudGuard Cluster Object already has a policy.
To enable Automatic Provisioning:
Step Description
1 When you register the service, follow the on-screen steps and confirm, to automatically
create objects. See "Step 7: Registering a New CloudGuard Gateway Service" on
page 23
2 Deploy the CloudGuard Security Gateway with the vSphere Web Client. See
"Deploying CloudGuard Gateway" on page 30.
Step Description
1 In the vSphere Web Client, go to Networking and Security > Service Composer >
Security Policies .
4 In the vSphere Web Client, go to Home > Networking and Security > Installation >
Service Deployments .
Step Description
9 Run:
cloudguard_config
10 Select VMware Configuration > Manage Registered Services > Remove Service.
After you unregister all the services in a High Availability environment, run:
cpved off
This stops the process on the Security Management Server or Multi-Domain Server, from which you did
not remove the service.
In a Multi-Domain Server environment, synchronize only the Domain Management Server that you
change to Active. This must be done for every Domain Management Server that you change to Active.
Step Description
Step Description
7 Run:
cloudguard_config
8 Select VMware Configuration > Change Global Parameters > Service Manager IP
Address .
10 For each Domain Management Server, which already has the CloudGuard service
deployed, run:
cpved register
11 If the CloudGuard Gateway OVF URL is on your new Active Management Server:
a. Run:
cloudguard_config
b. Select VMware Configuration> Change Global Parameters > Manage Service
OVFs > Add OVF.
c. Enter the OVF URL in this format:
https://<IP_Address>:<Port>/ve/<OVF_File_Name>.ovf
You can set the new OVF as default, or manually choose it on registration.
To learn more about failover, see the section Changing a Server to Active or Standby in the relevant
Security Management Administration Guide
Best Practice:
Note:
If you update the OVF URL now, it affects only future service registrations.
n Make sure you prepared the vCenter cluster before you deploy the service on it (see "Preparing
the ESXi Cluster for CloudGuard Service Deployment" on page 16).
n If you use an external datastore, make sure you know its details.
Step Description
2 Click New Service (+ ), and select the service you created (see "Step 7: Registering
a New CloudGuard Gateway Service" on page 23).
Step Description
6 If you enabled the Automatic IP Pool feature (see "Step 7: Registering a New
CloudGuard Gateway Service" on page 23), or the Automatic Provisioning feature
(see "Automatic Provisioning of CloudGuard Objects" on page 26).
7 Click Finish.
The system copies the OVF to the vCenter, and deploys it to all ESXi hosts on the selected clusters.
See the Installation Status in the Service Deployments tab to monitor the progress of the deployment
from the vSphere client.
If the Installation Status does not succeed:
Note:
If the Enable Agent task shows an error with the message "Cannot complete the operation",
you can safely ignore it. This is a known VMware limitation.
n You can also configure redirection rules from Partner security services > Firewall .
n Connections that are already open when the redirection starts, may be dropped.
Step Description
1 In the vSphere Web Client, click Networking and Security > Service Composer >
Security Policies .
6 Select your Service Name and Profile that was created during registration.
10 In the Network Introspection Services page, change the Source parameter to Any .
The Destination parameter changes to Policy's Security Groups .
11 Select your Service Name and Profile that was created during registration.
14 In the Apply Policy window, select the Security Group and click OK.
Note:
Do not apply the security policy to more than one group that contains the same Virtual
Machine.
Step Description
5 Click the Manage tab and then click the Exclusion List tab.
6 Click Add (+), and type the name of the Virtual Machine you want to exclude.
Step Description
1 In the vSphere Web Client, open Networking & Security > Firewall .
3 If you want to add a rule, click Add rule (+) above the redirection rule.
A new any-allow rule is added at the top of the section.
4 In the Name of the new rule, click Edit, and enter a rule name.
n From version VMware NSX 6.2, use NSX SpoofGuard DHCP snooping or ARP snooping abilities.
These features allow NSX to enforce IP address-based security rules on Virtual Machines with no
VMware Tools installed. See sk109460.
n Use an IP set to redirect traffic from a Virtual Machine without VMware tools. To redirect traffic for
IP Sets, enable SpoofGuard and add the Inactive Virtual NIC IP address to the Approved IP list.
Best Practice:
To make sure that all traffic goes through CloudGuard Security Gateway, install
VMware Tools on each Virtual Machine. Make sure that VMware Tools are running
correctly.
Note:
From NSX 6.4, you do not have to install VMware Tools to redirect traffic.
Step Description
6 In the lower section of the SpoofGuard pane, select Inactive Virtual NICs from the
View list.
Step Description
1 Go to SmartConsole > Objects Explorer > More Object Types > Network Objects >
Gateways and Servers > Cluster > New Cluster.
a. Make sure that the ClusterXL and IPSec VPN Software Blades are deselected.
b. Change the version to R80.10.
6 In the 3rd Party Configuration window, make sure Hide Cluster Members outgoing
traffic behind Clusters IP address is not selected.
7 In the Network Management [+] tab, make sure Enable Extended Cluster
AntiSpoofing is not selected.
Note:
Step Description
1 From the Objects Explorer > in the Search box, type the name of your cluster.
4 In the Cluster Member Properties window in the General tab, enter a Name and IP
address .
Step Description
6 Click Initialize and wait for the Trust state to change to Trust established.
Step Description
1 From the Objects Explorer > in the Search box, type the name of your cluster.
7 In Members IPs , click Modify , and for each member, enter an IPv4 Address and Net
Mask .
This IP address is only used to create the cluster object. It is not the real IP address of
the CloudGuard Gateway.
Multi-Tenancy Support
CloudGuard supports multi-tenant protection on ESXi. That means it can protect multiple customers or
organizations as well as departments or business units that share the same ESXi cluster.
Depending on the requirements, these solutions may provide multi-tenant protection:
1. Dedicated cluster for each tenant.
Each tenant's traffic is handled by a single service deployed on the cluster, enforcing the Security
Policy that applies to the security groups for the specific tenant.
2. Tenants share the same cluster.
This solution requires a service registration for each tenant. Manage each tenant through a different
service. To control the tenant traffic redirection, separate security groups have to be created for
each tenant (see, "Creating a Security Group" on page 17).
Step Description
1 Register a new service with a unique name that identifies the tenant, see "Step 7:
Registering a New CloudGuard Gateway Service" on page 23
2 Deploy the service on the required cluster, see "Deploying CloudGuard Gateway" on
page 30
A service instance is added to each host in the cluster.
3 Create a new security group for the tenant. Include all objects that require protection,
see "Creating a Security Group" on page 17
4 Redirect each tenant's traffic through the designated service, see "Requirements for
VMware Tools" on page 9
Step Description
1 Log in to each CloudGuard Gateway instance with a console and run these
commands:
Step Description
3 In the Network Security tab, enable the Identity Awareness Software Blade.
The Identity Awareness Configuration window shows.
5 Select I do not wish to configure an Active Directory at this time > Next > Finish.
6 Go to the Identity Awareness tab. Select Identity Web API > Setting.
The Identity Awareness API Setting window shows.
7 Click Edit
11 Install policy.
Note - This is the profile that you use in the Threat Prevention Policy.
Step Description
Step Description
3 Click Threat Emulation> General > Inspect incoming and outgoing files .
4 Click OK.
Step Description
To license CloudGuard:
n Attach your CloudGuard license to the Security Management Server or Multi-Domain Server with
SmartUpdate.
To attach the license to a cluster with the cloudguard_config utility:
Step Description
3 Run:
cloudguard_config
This error shows when you select an NSX Security Gateway for Service Registration:
Solution
Make sure that the host name of the vCenter (which was registered to the NSX Manager) is used when
creating the vCenter Data Center object. If the names are different, then the CloudGuard CLI cannot
recognize the connection between the NSX Management Server and the vCenter Server.
Solution
Make sure that the NSX Manager and the Security Management Server or Multi-Domain Server can
communicate using port 443.
Solution
Solution
Make sure the OVF files can be reached from the vCenter Server.
Make sure you are using the correct OVF files.
1. In the VMware vSphere Web Client, navigate to Home > Networking and Security > Installation
> Service Deployments .
2. Click on Status in the Installation status column of the relevant service.
3. Click Resolve to power on the CloudGuard Gateway.
Cause
The NSX Manager Server failed to correctly communicate with the Check Point Security Management
Server or Multi-Domain Server.
Next steps:
Step Description
1 Make sure the Check Point Security Management Server or Multi-Domain Server is
powered on.
2 Make sure the Security Management Server or Multi-Domain Server process is up and
running:
3 Make sure the NSX Manager Server can communicate with the Security Management
Server or Multi-Domain Server using port 443. Communication to the Check Point
Security Management Server or Multi-Domain Server goes to port 443, and then is
redirected to port 8443. Port 8443 is used by the Security Management Server or Multi-
Domain Server process.
This error shows when there is a powered off CloudGuard Gateway Virtual Machine on one of the
hosts:
Solution:
Step Description
1 In the VMware vSphere Web Client, go to Home > Networking and Security >
Installation > Service Deployments .
Step Description
This error shows when there is an ESXi host server without a CloudGuard Gateway deployed on it:
Solution:
Step Description
1 In the VMware vSphere Web Client, open Home > Networking and Security >
Installation > Service Deployments .
Solution:
The CloudGuard Gateway cannot be deployed, due to missing host server configurations. Set Agent
VM settings. See "Configuring Agent VM Host Settings" on page 16.
If the Service VM agent is not deployed, follow these steps to re-initiate the deployment:
Step Description
1 In the VMware vSphere Web Client, open Home > Networking and Security >
Installation > Service Deployments .
After three failures, the auto provisioning feature stops trying to create objects in SmartConsole. Every
10 minutes all the deployed CloudGuard Gateways are matched with the NSX Manager database and
created or deleted.
This error shows:
Solution:
Step Description
2 Make sure the Security Management Server or Multi-Domain Server and the
CloudGuard Gateway have the same date, time, and timezone.
Run: show {timezone | time | date}
If they are not the same, run: set{timezone | time | date}