
13 October 2020

CLOUDGUARD
CONTROLLER

R81

Administration Guide
[Classification: Protected]
CloudGuard Controller R81 Administration Guide

Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the
latest functional improvements, stability fixes, security enhancements and protection
against new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page.

Check Point R81


For more about this release, see the R81 home page.

Latest Version of this Document in English


Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.

CloudGuard Controller R81 Administration Guide      |      2



Revision History

Date Description

13 October 2020 First release of this document



Table of Contents
Introduction to CloudGuard Controller 7
Use Case 8
What's New in R81 CloudGuard Controller 10
Workflow for Deploying CloudGuard Controller 11
Supported Security Gateways 11
Activating the Identity Awareness Software Blade 12
Integrating with Data Center Servers 15
Connecting to a Data Center Server 15
Data Center Query Objects 16
Creating Rules with Data Center Query Objects 19
How to Configure Data Center Query Objects in SmartConsole 19
Supported Data Centers 21
CloudGuard Controller for Amazon Web Services 21
Connecting to an Amazon Web Services Data Center Server 21
Amazon Web Services Objects 22
Importing AWS objects 22
Object Names 23
Imported Properties 23
Configuring Permissions for Amazon Web Services 24
Auto Scaling in Amazon Web Services 24
CloudGuard Controller for Cisco ACI 24
Prerequisites 24
Connecting to a Cisco ACI Data Center Server 25
Cisco ACI Objects 25
Objects 25
CloudGuard Controller for Cisco Identity Services Engine (ISE) 26
Prerequisites 26
Connecting to a Cisco ISE Data Center 26
Cisco ISE Objects 26
Automatic Failover 27


CloudGuard Controller for Google Cloud Platform 27


Configuring Permissions for Google Cloud Platform 27
GCP APIs 27
Connecting to a Google Cloud Platform Data Center 28
Google Cloud Platform Objects 28
Objects 28
Importing GCP objects 28
Object Names 29
Instance and Subnet use the following names: 29
Imported Properties 29
CloudGuard Controller for Kubernetes 29
Adding Kubernetes to CloudGuard Controller 29
Prerequisite 29
Connecting to a Kubernetes Server 30
CloudGuard Controller for Microsoft Azure 31
Connecting to a Microsoft Azure Data Center Server 31
Microsoft Azure Objects 32
Objects 32
Imported Properties 33
Auto Scaling in Microsoft Azure 33
CloudGuard Controller for Nuage Networks VSP 34
Connecting to a Nuage Data Center 34
Nuage Objects 34
Objects 34
Imported Properties 35
CloudGuard Controller for OpenStack 36
Prerequisites 36
Connecting to an OpenStack Server 36
OpenStack Objects 37
Objects 37
Imported Properties 37
CloudGuard Controller for VMware Servers 37
Connecting to a VMware Server 37


CloudGuard Controller for VMware NSX-T Management Server 38


Prerequisites 38
VMware NSX-T Objects 38
Imported Properties 38
Known Limitations 39
CloudGuard Controller for VMware vCenter 39
Prerequisites 39
CloudGuard Controller for VMware NSX-V Manager Server 39
VMware vCenter Objects 39
Objects 39
Imported Properties 40
VMware NSX-V Objects 40
Objects 40
Threat Prevention Tagging for CloudGuard for NSX Gateway 41
Advanced Options 41
Threat Prevention Tagging Logs 42
CloudGuard Controller Monitoring 43
CloudGuard Controller Logs and Events 43
CloudGuard Controller Status 44
Configuration Parameters 46
CloudGuard Central Licensing 47
License Pooling 47
License Distribution 48
Using the Central Licensing Utility with Existing Licenses 48
Managing CloudGuard Central Licenses 48
Adding a License 49
Removing a License 49
Viewing License Use 49
Running License Distribution 50
Configuring Automatic License Distribution for Security Gateways 50
Generating a Core Use Report 50


Introduction to CloudGuard Controller
A component of Check Point's Security Management Server, the CloudGuard Controller manages security in public cloud and on-premises environments with one unified management solution. The CloudGuard Controller dynamically learns about objects and attributes in data centers, such as changes in subnets, security groups, virtual machines, IP addresses, and tags. After it uses the vendor's API to establish a trust relationship with a data center, the CloudGuard Controller regularly polls the connected environments for changes in the objects and object attributes that the Security Policy uses. The changes are pushed to the Security Gateways automatically.

1. CloudGuard Controller establishes a trusted relationship with the cloud environment.

2. With the vendor's APIs, the CloudGuard Controller connects to the cloud environment and regularly polls it for changes.

3. Changes in the cloud environment are sent to the CloudGuard Controller.

4. The CloudGuard Controller pushes updates to the attributes and objects in the Security Policy rules to the Check Point Security Gateways.


Use Case
Dynamic environments such as public clouds and on-premises data centers present a large challenge to security professionals. The number of subnets, machines, and IP addresses changes quickly. The legacy model, in which administrators update the Security Policy and the Security Gateways manually every two or three days, is too slow for such environments.
In most organizations, personnel from several departments have permission to add or remove assets in the data centers. This overlap raises concerns about the security and maintenance of the assets. The solution is to protect the assets automatically rather than through manual updates. This is where the CloudGuard Controller helps. With the CloudGuard Controller, the Security Operations Center (SOC) can configure the Security Policy to detect changes in the data centers automatically and push them directly to the Gateway.
For example, an R&D team needed to add an R&D server and a separate R&D server for staging. This required constant emails and service tickets between the server team and the SOC team. To add or remove an IP address, the server team had to open a ticket with the InfoSec team, which then had to update the information manually. The process looked like this:

SRC DST Action

IP1 Internet Allow

IP2 Internet Block

IP3 Internet Allow

IP4 Internet Allow

IP5 Internet Block

The problem grows with each request from R&D to remove or add an IP address. With hundreds of possible IP addresses, errors and frustration on both teams are inevitable.
This is where the CloudGuard Controller helps.
The CloudGuard Controller changes a static, manual process into a dynamic, automatic flow of data. The two teams only have to agree on one tag, which represents the assets in the data center. Instead of the meticulously maintained IP table and the constant emails between the teams, the CloudGuard Controller removes the dependency on a manual procedure. For example:

SRC DST Action

department=rnd Internet Allow

Note - department=rnd is the tag.


For more information, see "Data Center Query Objects" on page 16.
Check Point's CloudGuard Controller integrates with these virtual cloud environments:
n "CloudGuard Controller for Amazon Web Services" on page 21
n "CloudGuard Controller for Cisco ACI" on page 24


n "CloudGuard Controller for Cisco Identity Services Engine (ISE)" on page 26


n "CloudGuard Controller for Google Cloud Platform" on page 27
n "CloudGuard Controller for Kubernetes" on page 29
n "CloudGuard Controller for Microsoft Azure" on page 31
n "CloudGuard Controller for Nuage Networks VSP" on page 34
n "CloudGuard Controller for OpenStack" on page 36
n "CloudGuard Controller for VMware Servers" on page 37
o "CloudGuard Controller for VMware vCenter" on page 39
o "CloudGuard Controller for VMware NSX-V Manager Server" on page 39
n "CloudGuard Controller for VMware NSX-T Management Server" on page 38


What's New in R81 CloudGuard Controller
n Data Center Query Objects - A simplified procedure to create queries that use Data Center objects to represent multiple data centers in the Security Policy. It gives a clearer separation of responsibilities for data center management.

Use Cases
o Simplify the policy - Use one query object to represent data center objects from multiple data centers. This eliminates the need for multiple rules.
o Simplify operations - Create the policy before the data centers are set up. This makes it easier to separate responsibilities between security administrators and DevOps teams.
o Powerful policies - Use logical operators to create a more sophisticated selection of data
center objects in the rule base.
n Support for New Data Centers
o Kubernetes Data Center – Added CloudGuard Controller support for Kubernetes Clusters.
Administrators can now create a Kubernetes-aware security policy for Kubernetes North-
South traffic.
o VMware vCenter, version 7
n In NAT policy, added support for Data Center objects in the Original Source and Original
Destination columns.
n CloudGuard Controller can use the system proxy for connections to all data centers.
n Cloud, a new object category in SmartConsole's Object Explorer, aggregates all data centers, data
center objects and data center queries into one category.


Workflow for Deploying CloudGuard Controller
CloudGuard Controller is a process that runs on the Check Point Security Management Server.
Important Information
1. When you install R81 CloudGuard Controller, these files are overwritten with default values:
n $MDS_FWDIR/conf/vsec.conf
n $MDS_FWDIR/conf/tagger_db.C
n $MDS_FWDIR/conf/AWS_regions.conf
2. Before you start the upgrade, back up all files that you have changed.
Note - During the upgrade, CloudGuard Controller does not communicate with the Data Center.
Therefore, Data Center objects are not updated on the CloudGuard Controller or the Security Gateways.

Supported Security Gateways


CloudGuard Controller operates with these Security Gateways:
n R80.10 and above
n R77.30
n R77.20
n 60000/40000 Scalable Platforms R76SP.50 (starts with R76SP.50 Jumbo Hotfix Accumulator Take
20)
n Maestro Security Appliances R80.20SP and R80.30SP

Important - To use the CloudGuard Controller with R77.20 and R77.30 Security
Gateways (with R77.30 Jumbo Hotfix Accumulator below Take 309), you must install
the CloudGuard Controller / vSEC Controller Enforcer Hotfix (see sk129152) on
those R77.20 and R77.30 Security Gateways.

Note - Support for Data Center Query Objects is from R80.10 and above.


Activating the Identity Awareness Software Blade
To activate the Identity Awareness Software Blade, do these steps:
1. Create a simple host object whose IPv4 address is 127.0.0.1 and click OK. Note - Do this step only one time.

Do steps 2, 3, and 4 for every Gateway that enforces a policy with CloudGuard Controller objects.
2. Enable the Identity Awareness Software Blade on the Gateway.
3. In the Identity Awareness settings of the Gateway, enable the Identity Web API.

4. In the Identity Web API settings, add the host with IP address 127.0.0.1 as a trusted client and click OK.



Integrating with Data Center Servers


Connecting to a Data Center Server
The Management Server connects to the software-defined data center (SDDC) through a Data Center Server object in SmartConsole.

To create a connection to the Data Center:


1. In SmartConsole, create a new Data Center object in one of these ways:
n In the top left corner, click Objects menu > More object types > Cloud > Data Center >
applicable Data Center.
n In the top right corner, click Objects Pane > New > More > Cloud > Data Center > applicable
Data Center.
2. In the Enter Object Name field, enter a name.
3. Enter the connection and credentials information.
4. To establish a secure connection, click Test Connection.
If the certificate window opens, verify that the certificate is the Data Center server's own (for example, compare its fingerprint with the one you expect) and then click Trust. The credentials you entered are sent over this connection, so do not trust a certificate you cannot verify.
5. When the Connection Status changes to Connected, click OK.
If the status is not Connected, troubleshoot the issue before you continue.
6. Click OK.
7. Publish the SmartConsole session.
Notes:
n If the connection properties of a Data Center server change (for example, the credentials or the URL), re-install the policy on all Security Gateways that have objects from that Data Center in their policy.
n If the Data Center Server's certificate was changed, then communication with the Data Center
Server fails.
To repair the issue:
1. Open the Data Center Server object in SmartConsole.
2. Click (again) Test Connection.
3. Accept the new certificate.


You can add Data Center objects and Data Center Query objects to the Source and/or Destination
columns of Access Control rules and Threat Prevention rules. In addition, Data Center objects (but not
Data Center queries) can be added to the NAT policy.

To add Data Center objects to an Access Control or Threat Prevention rule:


1. In SmartConsole, from the left navigation panel, click Security Policies.
2. At the top, click Access Control > Policy.
3. In the applicable rule, in the Source or Destination column, click + to add new items.
4. Click Import.
5. Select an existing Data Center object.
-or-
Click Data Centers > New Data Center > applicable Data Center.
6. Install the Access Control Policy.

Data Center Query Objects


With Data Center Query objects, administrators can create one Query object based on attributes across multiple data centers. This simplifies the work when administrators create policies with multiple rules, because one query object covers data center objects from multiple data centers. Furthermore, administrators can create the policy before a data center is configured in SmartConsole. This makes it easier to separate responsibilities between security administrators and the other teams that may need to create data centers in SmartConsole.
A Query object is used in the same way as a Data Center object. As with Data Center objects, when a Data Center Query is added to the Rule Base, the CloudGuard Controller pulls the assets from all the Data Centers in the query object and updates the Security Gateway accordingly.


Without Data Center Query:
1. Create the Data Center account(s).
2. Import objects from each Data Center to the Rule Base.
3. No choice for complex logic inside the rules.

With Data Center Query:
n Create Data Center Query objects and add them to the Rule Base before or after you create the Data Center account(s). Important - You cannot install policy if there is only a Data Center Query but no Data Center object(s).
n Create the Data Center Query object with the All Data Centers option. The advantage is that if new Data Center Servers are added later, rules that use such a query are applied to the assets of the new Data Center Servers automatically, with no further changes in the Rule Base (you must install policy after you add the new Data Center Servers).
n One Data Center Query object can use assets (objects) from more than one, or all, Data Centers. This results in simpler security rules.
n The query can express more complex logic than a security rule alone:
o OR logic between the items inside one query rule (use "," between items)
o AND logic between the query rules (each rule adds a condition)

Example 1: Data Center Query Object:


Applies to all current and future data centers.
This is the query logic:
n All assets of type Instance OR Load Balancer
n AND
n Tagged with "server_type=prod_app" OR "server_type=prod_db"

Example 2: Rule Base


Earlier versions require you to use multiple tag objects for multiple accounts.
n Rules must be updated for every data center that is added.
n Rules cannot restrict the match to Instances or Load Balancers only.

R81 uses Data Center Query objects:


n No need to update the rule when new data centers are added.
n A rule can include complex OR and AND operations to express the policy more precisely.

Note - Rule No. 1 is without Data Center Query, Rule No 2 is with Data Center Query.

Creating Rules with Data Center Query Objects


You can add a Data Center Query to the Source and/or Destination columns of Access Control rules and Threat Prevention rules.
To add a Data Center Query to a rule:
In the Rule Base, click + and select the query from the list of items.
-or-
Click the + button > New > Data Center Query.

How to Configure Data Center Query Objects in SmartConsole
Step 1: Create a Data Center Query Object.
a. Go to SmartConsole > Cloud > Data Center Queries > New.
b. Add the applicable Data Center(s).
c. Configure the Query Rules to match the values used for Type, Name, and IP in the Import Data Center window.

Type in Data Center - The type in the Data Center, such as Instance, Virtual Machine, Load Balancer, Subnet, Availability Zone, and more.

Name in Data Center - The asset's name.

IP address - The asset's IP address.

Customer tag - Free-text key and value.
Note - All object IP addresses that match the query are updated on the Security Gateway.
d. Optional: To review the query, click Preview Query .


e. Click OK.

Step 2: Add the Data Center Query object from Step 1 to the Rule base.

Step 3: Install the policy on the Security Gateway.
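The query semantics above (OR between the items inside one query rule, AND between the query rules, optionally spanning all Data Centers), as an added example in Python. This is not Check Point code and says nothing about how the Controller is implemented internally; the Asset fields, the constructed inventory, the example_1 function and the plain "key=value" tag form are assumptions made for illustration. It runs Example 1 from the previous section over assets from two hypothetical Data Centers and shows that the type rule matches the vendor's own type name, so an Azure Virtual Machine is not an Instance:

```python
"""Data Center Query evaluation over assets from several Data Centers.

Added example, not Check Point code. It models the query semantics the guide
describes (OR between the values inside one query rule, AND between query
rules, optionally across all Data Centers) on constructed assets; the Asset
fields and the plain 'key=value' tag form are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    data_center: str        # Data Center object the asset was learned from
    type_in_dc: str         # "Type in Data Center", e.g. Instance, Load Balancer, Subnet
    name: str               # "Name in Data Center"
    ips: tuple              # addresses/CIDRs the Controller would push to the gateway
    tags: frozenset         # normalized "key=value" strings


def normalize_tag(key, value=""):
    """Tag to 'key=value'; spaces are trimmed and a key with no value becomes 'key='
    (the same convention the AWS section of the guide documents)."""
    return f"{key.strip()}={(value or '').strip()}"


def rule_matches(asset, rule):
    """One query rule: (field, accepted values). Any accepted value matches (OR)."""
    field_name, values = rule
    if field_name == "type":
        return asset.type_in_dc in values
    if field_name == "name":
        return asset.name in values
    if field_name == "ip":
        return any(ip in values for ip in asset.ips)
    if field_name == "tag":
        return bool(asset.tags & values)
    raise ValueError(f"unknown query field {field_name!r}")


def evaluate_query(assets, rules, data_centers=None):
    """IP set the gateway receives: assets that satisfy every rule (AND), taken
    from the listed Data Centers, or from all of them when data_centers is None
    (the 'All Data Centers' option)."""
    matched = set()
    for asset in assets:
        if data_centers is not None and asset.data_center not in data_centers:
            continue
        if all(rule_matches(asset, rule) for rule in rules):
            matched.update(asset.ips)
    return matched


# Constructed inventory (not real data) as the Controller might import it.
# The asset type is the vendor's own name: an Azure VM is a "Virtual Machine",
# not an "Instance", so Example 1's type rule skips it.
INVENTORY = [
    Asset("aws-prod", "Instance", "web-1", ("10.0.1.10",),
          frozenset({normalize_tag("server_type", "prod_app"), normalize_tag("env", "prod")})),
    Asset("aws-prod", "Load Balancer", "lb-1", ("10.0.1.200", "52.1.2.3"),
          frozenset({normalize_tag(" server_type ", " prod_app ")})),
    Asset("aws-prod", "Instance", "db-1", ("10.0.2.10",),
          frozenset({normalize_tag("server_type", "prod_db")})),
    Asset("aws-prod", "Subnet", "subnet-a", ("10.0.1.0/24",),
          frozenset({normalize_tag("server_type", "prod_app")})),
    Asset("aws-prod", "Instance", "jump-1", ("10.0.3.5",),
          frozenset({normalize_tag("server_type", "staging")})),
    Asset("azure-prod", "Virtual Machine", "vm-db", ("10.1.0.4",),
          frozenset({normalize_tag("server_type", "prod_db")})),
    Asset("azure-prod", "Load Balancer", "az-lb", ("10.1.0.100",),
          frozenset({normalize_tag("server_type", "prod_db")})),
]

# Example 1 from the guide: (Instance OR Load Balancer) AND
# (server_type=prod_app OR server_type=prod_db).
EXAMPLE_1 = [
    ("type", {"Instance", "Load Balancer"}),
    ("tag", {"server_type=prod_app", "server_type=prod_db"}),
]


def example_1(data_centers=None):
    """Example 1 over the constructed inventory; None means All Data Centers."""
    return evaluate_query(INVENTORY, EXAMPLE_1, data_centers)


if __name__ == "__main__":
    print(sorted(example_1()))                 # all Data Centers
    print(sorted(example_1({"aws-prod"})))     # only the AWS account
```

The subnet, the staging jump host and the Azure VM drop out: the first two fail one rule each, the third because "Virtual Machine" is not one of the two types listed. When a query should cover several vendors, list each vendor's type name in the type rule.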


Supported Data Centers

Data Center connections can go through the Gaia system proxy. To use it, in the vsec.conf file change the value of the "use SystemProxy" parameter from "false" to "true". See "Configuration Parameters" on page 46.
Check Point integrates the CloudGuard Controller with these Data Centers:
n Amazon Web Services
n Cisco ACI
n Cisco ISE
n Google Cloud Platform (GCP)
n Kubernetes
n Microsoft Azure
n Nuage Networks VSP
n OpenStack
n VMware vCenter
n VMware NSX-T
n VMware NSX-V

CloudGuard Controller for Amazon Web Services
The CloudGuard Controller integrates the Amazon Web Services (AWS) cloud with Check Point security.
Note - See the "AWS Data Center enhancements" in "What's New in R81 CloudGuard Controller" on
page 10.

Important - The CloudGuard Controller server clock must be synchronized with the
current, local time. Use of a NTP server is recommended. Time synchronization issues
can cause polling information from the cloud to fail.

Connecting to an Amazon Web Services Data Center Server


To connect to an AWS Data Center Server
1. In SmartConsole, create a new Data Center object in one of these ways:
n In the top left corner, click Objects menu > More object types > Server > Data Center > New
AWS.
n In the top right corner, click Objects Pane > New > More > Server > Data Center > AWS.
2. In the Enter Object Name field, enter a name.


3. Select the applicable authentication method:


n User Authentication - Uses AWS access keys (an Access key ID and a Secret access key) to authenticate.
n Role Authentication - Uses an AWS IAM role to authenticate. This option requires the Security Management Server to be deployed in AWS with an IAM Role attached. Prefer it when possible, because no long-lived access keys are then stored on the Management Server.
4. If you select User Authentication, enter your Access key ID and Secret access key .
5. In the Region field, select the AWS region to which you want to connect.
6. Click Test Connection.
7. Click OK.
8. Publish the SmartConsole session.

Amazon Web Services Objects


Objects:

Object - Description

VPC - Amazon Virtual Private Cloud enables you to launch resources into your virtual network.

Availability Zone - A separate geographic area within a region. There are multiple regions and availability zones worldwide.

Subnet - All the IP addresses from the Network Interfaces related to this subnet.

Instance - Virtual computing environments.

Tags - Groups all the Instances that have the same Tag Key and Tag Value.

Security Group - Groups all the IP addresses and Security Groups from all objects associated with this Security Group.

Load Balancer - Distributes incoming traffic across multiple targets such as EC2 Instances and IP addresses. Only Application and Network Load Balancers are supported.

Importing AWS objects


Use one of these options to import AWS objects to your policy:

Import Option - Description

Regions - Import AWS VPCs, Load Balancers, Subnets, or Instances from a specific region to your Security Policy.

Security Groups - Import all IP addresses that belong to a specific Security Group. The Security Group is used only as a container for the list of all IP addresses of the Instances that are attached to this group.

Tags - Import all Instances and Security Groups that have a specific Tag Key or Tag Value.

Notes:
n CloudGuard Controller saves a Tag that has a Key and no Value as "Tag key=".
n CloudGuard Controller removes leading and trailing spaces from Tag Keys and Tag Values.
n All changes in AWS are reflected in the Check Point Security Policy automatically. Therefore, users with permission to change resource tags in AWS can effectively change their own access permissions. Treat the right to tag resources as the right to edit the Security Policy, and restrict it accordingly.

Object Names
Object names are the same as those in the AWS console.
VPC, Subnet, Instance, and Security Group objects are named as follows:

Name tag - Object Name

A Name tag exists - "<Object ID> (<Value of the Name tag>)"

No Name tag exists - "<Object ID>"

The Name tag is empty - "<Object ID>"

Imported Properties

Imported Property - Description

Name - Resource name as shown in the AWS console. The user can edit the name after importing the object.

Name in Server - Resource name as shown in the AWS console.

Type in Server - Resource type.

IP - Associated private and public IP addresses.

Note - CIDR for Subnet and VPC objects.

URI - Object path.

Tags - Tags (Keys and Values) that are attached to the object.


Configuring Permissions for Amazon Web Services


Minimal permissions for the User or Role

Item Value

Effect Allow

Actions n ec2:DescribeInstances
n ec2:DescribeNetworkInterfaces
n ec2:DescribeSubnets
n ec2:DescribeVpcs
n ec2:DescribeSecurityGroups

Resource All ("*")

For more information about Roles and the IAM policy, see Amazon Web Services documentation.
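A least-privilege check for the policy document attached to the Controller's IAM user or role, as an added example in Python. It is not Check Point or AWS code. REQUIRED_ACTIONS is the table above; the rule that flags wildcards, write actions and actions outside ec2 as excess, and the three constructed policy documents, are this example's own assumptions. The overbroad policy deliberately includes ec2:CreateTags, which is exactly the permission that lets a principal rewrite the tags the Security Policy keys on (see the note under "Importing AWS objects"):

```python
"""Least-privilege check for the IAM policy the CloudGuard Controller uses for AWS.

Added example, not Check Point or AWS code. REQUIRED_ACTIONS is the minimal
permission set from the guide's table; treating every wildcard, every non-ec2
action and every ec2 action that is not Describe*/Get*/List* as excess is this
example's own conservative rule, not a statement about what the Controller
would accept.
"""
import fnmatch
import json

REQUIRED_ACTIONS = frozenset({
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "ec2:DescribeSecurityGroups",
})
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    # IAM allows a single string or a list for Statement and Action
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Action patterns granted by the policy's Allow statements (Deny is ignored)."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            granted.update(_as_list(stmt["Action"]))
    return granted


def _grants(pattern, action):
    # IAM matches action names case-insensitively, with '*' and '?' wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_policy(policy):
    """Return (missing, excess): required actions the policy does not grant, and
    granted patterns that go beyond read-only ec2 Describe calls."""
    granted = allowed_actions(policy)
    missing = {a for a in REQUIRED_ACTIONS
               if not any(_grants(p, a) for p in granted)}
    excess = set()
    for pattern in granted:
        service, _, name = pattern.partition(":")
        if "*" in pattern or "?" in pattern:
            excess.add(pattern)          # a wildcard reaches more than the Describe calls
        elif service.lower() != "ec2" or not name.startswith(READ_ONLY_PREFIXES):
            excess.add(pattern)          # write action or another service
    return missing, excess


# Constructed policy documents for the check (not from a real account).
MINIMAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces",
               "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeSecurityGroups"],
    "Resource": "*"
  }]
}""")

# Describe* covers the required calls but reaches far more, and CreateTags lets
# the holder rewrite the tags the Security Policy keys on.
OVERBROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:CreateTags"], "Resource": "*"}
  ]
}""")

# DescribeNetworkInterfaces is missing, so subnet membership cannot be resolved.
INCOMPLETE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DescribeInstances", "ec2:DescribeSubnets",
               "ec2:DescribeVpcs", "ec2:DescribeSecurityGroups"],
    "Resource": "*"
  }]
}""")

if __name__ == "__main__":
    for label, doc in (("minimal", MINIMAL_POLICY), ("overbroad", OVERBROAD_POLICY),
                       ("incomplete", INCOMPLETE_POLICY)):
        missing, excess = check_policy(doc)
        print(f"{label}: missing={sorted(missing)} excess={sorted(excess)}")
```

Run it against the policy exported from the account before the Data Center object is created: an empty "missing" set means Test Connection has what it needs, and anything in "excess" is a permission the Controller never calls and should not hold.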

Auto Scaling in Amazon Web Services


The AWS Auto Scaling service with the Check Point Auto Scaling group can increase or decrease the
number of CloudGuard Gateways according to the current load.
CloudGuard Controller for AWS works with the Check Point Auto Scaling Group. The Check Point Security
Management Server updates Data Center objects automatically on the Check Point Auto Scaling group.

CloudGuard Controller for Cisco ACI


CloudGuard Controller integrates the Cisco ACI fabric with Check Point security.
To learn more, see vSEC for ACI Managed by R80.10 Security Management Server Administration
Guide for R80.10.

Prerequisites
n Cisco ACI version 4.1 or lower.
n You must have a Cisco ACI user role with minimum read permissions for Tenant EPG.
Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be
required for device package installation (CloudGuard for ACI).
n Enable Bridge Domain unicast routing to allow IP address learning for EPGs on the Cisco ACI.
n Define a subnet on the Bridge Domain to help the fabric maintain IP address learning tables. This
prevents time-outs on silent hosts that respond to periodic ARP requests.
n Before you do the upgrade on the Management Server, if you have a Cisco APIC server, keep only
one URL. After the upgrade, add the other URLs.


Connecting to a Cisco ACI Data Center Server


To connect to a Cisco ACI Data Center Server
1. In SmartConsole, create a new Data Center object in one of these ways:
n In the top left corner, click Objects menu > More object types > Server > Data Center > New Cisco ACI.
n In the top right corner, click Objects Pane > New > More > Server > Data Center > Cisco ACI.
2. In the Enter Object Name field, enter the applicable name.
3. In the URLs field, enter the addresses of the ACI cluster members. Multiple URLs provide redundancy across the APIC cluster.
Important:
n These addresses can be either HTTP or HTTPS, but not both. Use HTTPS; with HTTP the APIC credentials are sent in clear text.
n IP address mapping and updates are based on the ACI fabric IP learning capabilities, which require unicast routing to be enabled on the Bridge Domain that contains the EPG.
4. In the Username field, enter your Cisco APIC server user ID.
When you use Login Domains, use this syntax:

apic:<domain>\<username>

5. In the Password field, enter the Cisco APIC server password.


6. Click Test Connection.
7. Click OK.
8. Publish the SmartConsole session.

Cisco ACI Objects


Objects

Object - Description

Tenant - A logical separator for customers, business units, groups, traffic, administrators, visibility, and more.

Application Profile - A container of logically related EPGs, their connections, and the policies that define those connections.

End-Point Group (EPG) - A container for objects that require the same policy treatment. EPG examples: application tiers or services (usually, a VLAN).

L2 Out - A bridged external network.

L2 External EPG - An EPG that represents external bridged network endpoints.


CloudGuard Controller for Cisco Identity Services Engine (ISE)
The CloudGuard Controller integrates Cisco ISE with Check Point security. It allows the use of TrustSec
security groups in the Security Policy according to the static IP-to-SGT mappings in ISE. The ISE server is
represented as the Data Center server in Check Point. It connects to the ISE administration nodes and
automatically retrieves object data. For redundancy, it is possible to provide both primary and secondary
ISE administration nodes.
The ISE External RESTful Services (ERS) API enables communication with ISE.

Prerequisites:
n Cisco ISE version 2.1
n An ISE administrator with the ERS-Operator or ERS-Admin group assignment
n ERS enabled on the ISE administration nodes

Connecting to a Cisco ISE Data Center


To connect to a Cisco ISE Data Center
1. In SmartConsole, create a new Data Center object in one of these ways:
n In the top left corner, click Objects menu > More object types > Server > Data Center > New
Cisco ISE.
n In the top right corner, click Objects Pane > New > More > Server > Data Center > Cisco
ISE.
2. In the Enter Object Name field, enter a name.
3. In the Hostname(s) field, add the ISE administration Node(s) IP address or hostname.
4. In the Username field, enter the ISE administrator username.
5. In the Password field, enter the ISE administrator password.
6. Click Test Connection.
7. Click OK.
8. Publish the SmartConsole session.

Cisco ISE Objects


Object Description

Security Groups Groups of users, endpoints, and resources that share Access Control policies.
You define the Security Groups in Cisco ISE.


Automatic Failover
If communication with the provided ISE administration nodes fails, CloudGuard Controller enters a recovery mode. In recovery mode, it automatically tries again to establish a connection with the administration nodes, in the order in which they were entered.
Important - Make sure that the secondary node is correctly synchronized with the primary node. If it is not, the IP-to-SGT data may not be up to date.

CloudGuard Controller for Google Cloud Platform
The CloudGuard Controller integrates the Google Cloud Platform (GCP) with Check Point security.

Important - The CloudGuard Controller server clock must be synchronized with the
current, local time. Use of a NTP server is recommended. Time synchronization issues
can cause polling information from the cloud to fail.

Configuring Permissions for Google Cloud Platform


You must authenticate and connect to your Google Cloud Platform account to retrieve objects. Authentication is done with GCP Service Account credentials.
The CloudGuard Controller retrieves objects from all projects to which the Service Account has access, so grant the Service Account roles only in the projects you intend to import from.
You can use these authentication methods:

Authentication Method - Description

Service Account VM Instance Authentication - Uses the Service Account of the VM instance to authenticate. This option requires the Security Management Server to be deployed in GCP and to run as a Service Account with the required permissions.

Service Account Key Authentication - Uses the Service Account private key file to authenticate. Use the GCP web console to create a Service Account Key JSON file. Protect this file: it is a long-lived credential.

Minimum permissions for the service account


The service account must have read permissions for all the relevant resources (example: viewer role).
n Networks
n Instances
n Subnetworks

GCP APIs
You must enable the Cloud Resource Manager API for the project to which the Service Account belongs.
The Compute Engine API must be enabled for all the projects to which the Service Account has access.
Enable these APIs from the GCP API Library.

Connecting to a Google Cloud Platform Data Center


To connect to a Google Cloud Platform Data Center
1. In SmartConsole, create a new Data Center object in one of these ways:
n In the top left corner, click Objects menu > More object types > Server > Data Center > New Google Cloud Platform.
n In the top right corner, click Objects Pane > New > More > Server > Data Center > Google Cloud Platform.
2. In the Enter Object Name field, enter the applicable name.
3. Select the applicable authentication method:
n Service Account Key Authentication
n Service Account VM Instance Authentication
4. If you select Service Account Key Authentication, import the Service Account JSON file.
5. Click Test Connection.
6. Click OK.
7. Publish the SmartConsole session.

Google Cloud Platform Objects

Objects
- VPC Networks - Your GCP VPC networks in the cloud
- Subnet - All the IP addresses from the network interfaces related to this subnet
- Instance - Virtual Machine instances
- Tags - Groups all the instances that have the same network tag

Importing GCP objects

Use Projects or Tags to import GCP objects to your policy:
- Projects - Import VPC networks, subnets or instances from different projects to your Security Policy
- Tags - Import all instances that have a specific network tag

Note - All changes in GCP are automatically updated in the Check Point Security Policy. Users with permissions to change network tags in GCP can change their access permissions.

Object Names
Object names are the same as those in the GCP console.

Instance and Subnet objects use these names:
- Instance - "<Instance Name> (<Zone Name>)"
- Subnet - "<Subnet Name> (<Region Name>)"

Imported Properties
- Name - Resource name as shown in the GCP console. The user can edit the name after importing the object.
- Name in server - Resource name as shown in the GCP console
- Type in server - Resource type
- IP - Associated private and public IP addresses
- Note - For instances, the list of VPC networks to which the instance belongs
- URI - Object path
- Tags - Network tags attached to the object

CloudGuard Controller for Kubernetes

Adding Kubernetes to CloudGuard Controller
Check Point CloudGuard Controller now provides North-South traffic inspection for increased Kubernetes security. The new Container security component is available in native Kubernetes and in managed Kubernetes services such as Azure Kubernetes Service (AKS), Amazon EKS, Google Kubernetes Engine, and others.

Prerequisite
- K8s version 1.12 and above
Note - Island Mode (NATed IP address for Nodes) is not supported.

Connecting to a Kubernetes Server

Before you connect to SmartConsole, do these steps in Kubernetes:
1. Configure the settings in Kubernetes:
   a. Create a service account for CloudGuard Controller that includes read access to endpoints, pods, services, and nodes.
      Example:
      Run these "kubectl create" commands:

      kubectl create serviceaccount cloudguard-controller
      kubectl create clusterrole endpoint-reader --verb=get,list --resource=endpoints
      kubectl create clusterrolebinding allow-cloudguard-access-endpoints --clusterrole=endpoint-reader --serviceaccount=default:cloudguard-controller
      kubectl create clusterrole pod-reader --verb=get,list --resource=pods
      kubectl create clusterrolebinding allow-cloudguard-access-pods --clusterrole=pod-reader --serviceaccount=default:cloudguard-controller
      kubectl create clusterrole service-reader --verb=get,list --resource=services
      kubectl create clusterrolebinding allow-cloudguard-access-services --clusterrole=service-reader --serviceaccount=default:cloudguard-controller
      kubectl create clusterrole node-reader --verb=get,list --resource=nodes
      kubectl create clusterrolebinding allow-cloudguard-access-nodes --clusterrole=node-reader --serviceaccount=default:cloudguard-controller

   b. Get the Kubernetes URL:

      kubectl cluster-info

   c. Export the service account token to a file. The token is stored Base64-encoded in the service account's secret, so the command decodes it before writing the file.
      Example:

      kubectl get secret $(kubectl get serviceaccount cloudguard-controller -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode -w 0 > token_file

2. Configure the settings in SmartConsole:
   a. In SmartConsole, create a new Data Center object in one of these ways:
      - In the top left corner, click Objects menu > More object types > Server > Data Center > Kubernetes.
      - In the top right corner, click Objects Pane > New > More > Server > Data Center > Kubernetes.
   b. Enter a name for the Data Center object.
   c. Enter the Kubernetes URL (from Step 1-b).
   d. Import the service account token file (from Step 1-c).
   e. Click Test Connection and make sure that the connection works.
   f. Click OK.
   g. Publish the SmartConsole session.
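The kubectl commands in Step 1-a give the cloudguard-controller account nothing but get and list on four resources; the check below, an added example that is not Check Point's or Kubernetes' own code, verifies offline that the RBAC actually bound to that account has stayed within that minimum (no write verbs, no wildcards, no extra resources, nothing missing). It reads JSON shaped like `kubectl get clusterroles,clusterrolebindings -o json` output (metadata.name, rules[].verbs and resources, roleRef, subjects); the sample roles and bindings at the bottom are constructed, including one deliberately drifted role, and are not taken from a real cluster.

```python
"""Least-privilege audit for the CloudGuard Controller service account.

Runs offline over kubectl-style JSON. Constructed sample data, not a cluster dump.
"""
from typing import Dict, List, Set

# Read-only access the guide's Step 1-a grants: get and list on four resources.
REQUIRED_RESOURCES = {"endpoints", "pods", "services", "nodes"}
ALLOWED_VERBS = {"get", "list"}
SA_NAMESPACE, SA_NAME = "default", "cloudguard-controller"


def roles_bound_to(bindings: List[dict], namespace: str, name: str) -> Set[str]:
    """Names of ClusterRoles bound to one ServiceAccount."""
    bound = set()
    for binding in bindings:
        for subject in binding.get("subjects", []):
            if (subject.get("kind") == "ServiceAccount"
                    and subject.get("name") == name
                    and subject.get("namespace", "default") == namespace):
                bound.add(binding["roleRef"]["name"])
    return bound


def audit(clusterroles: List[dict], bindings: List[dict],
          namespace: str = SA_NAMESPACE, name: str = SA_NAME) -> Dict[str, list]:
    """Compare the effective ClusterRole rules with the guide's minimum.

    Returns the required resources the account can both get and list, the
    required resources it is still missing, and findings for any grant that
    goes beyond read-only access to those four resources.
    """
    bound = roles_bound_to(bindings, namespace, name)
    readable: Set[str] = set()
    findings: List[str] = []
    for role in clusterroles:
        role_name = role["metadata"]["name"]
        if role_name not in bound:
            continue
        for rule in role.get("rules", []):
            verbs = set(rule.get("verbs", []))
            resources = set(rule.get("resources", []))
            # A wildcard widens the grant to everything; report it and move on.
            if "*" in verbs or "*" in resources:
                findings.append(f"{role_name}: wildcard grant {sorted(verbs)} on {sorted(resources)}")
                continue
            extra_verbs = verbs - ALLOWED_VERBS
            if extra_verbs:
                findings.append(f"{role_name}: write verbs {sorted(extra_verbs)} on {sorted(resources)}")
            extra_resources = resources - REQUIRED_RESOURCES
            if extra_resources:
                findings.append(f"{role_name}: unneeded resources {sorted(extra_resources)}")
            if ALLOWED_VERBS <= verbs:
                readable |= resources & REQUIRED_RESOURCES
    return {
        "readable": sorted(readable),
        "missing": sorted(REQUIRED_RESOURCES - readable),
        "findings": findings,
    }


def _reader(resource: str) -> dict:
    """Constructed ClusterRole matching one `kubectl create clusterrole` line above."""
    return {"metadata": {"name": f"{resource[:-1]}-reader"},
            "rules": [{"apiGroups": [""], "resources": [resource], "verbs": ["get", "list"]}]}


def _binding(role: str, suffix: str) -> dict:
    """Constructed ClusterRoleBinding to the cloudguard-controller service account."""
    return {"metadata": {"name": f"allow-cloudguard-access-{suffix}"},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "ServiceAccount", "name": SA_NAME, "namespace": SA_NAMESPACE}]}


# Constructed sample: the four roles from the guide plus one drifted role that
# was later bound to the same account with a delete verb (the thing to catch).
SAMPLE_ROLES = [_reader(r) for r in ("endpoints", "pods", "services", "nodes")] + [
    {"metadata": {"name": "pod-cleaner"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "delete"]}]},
]
SAMPLE_BINDINGS = [_binding(f"{r[:-1]}-reader", r) for r in ("endpoints", "pods", "services", "nodes")] + [
    _binding("pod-cleaner", "cleanup"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROLES, SAMPLE_BINDINGS))
```

Against a live cluster, feed it the parsed output of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` instead of the sample lists.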

CloudGuard Controller for Microsoft Azure

CloudGuard Controller integrates the Microsoft Azure cloud with Check Point security.
Note - See "Azure Data Center improvements" in "What's New in R81 CloudGuard Controller" on page 10.
Important - The CloudGuard Controller server clock must be synchronized with the current local time. Use of an NTP server is recommended. Time synchronization issues can cause polling information from the cloud to fail.

Connecting to a Microsoft Azure Data Center Server

To connect to a Microsoft Azure Data Center Server
1. In SmartConsole, create a new Data Center object in one of these ways:
   - In the top left corner, click Objects menu > More object types > Server > Data Center > New Microsoft Azure.
   - In the top right corner, click Objects Pane > New > More > Server > Data Center > Microsoft Azure.
2. In the Enter Object Name field, enter the applicable name.
3. Select the applicable authentication method:
   - Service Principal - Uses the Service Principal to authenticate.
   - Azure AD User Authentication - Uses the Azure AD User to authenticate.
   If you select Service Principal Authentication (default):
   - Enter your Application ID, Application Key, and Directory ID.
     You can create the Service Principal in the Azure Portal, with Azure PowerShell, or with the Azure CLI.
   If you select Azure AD User Authentication:
   - Enter your Username and Password.
   The minimum recommended permission is Reader.
   You can assign the Reader permission in one of these ways:
   - Assign it to all Resource Groups from which you want to pull items
   - Add the permission at the subscription level
   Note - If you do not have the necessary permissions, some of the functionality might not work.
4. Click Test Connection.
5. Click OK.
6. Import objects from your Microsoft Azure server to your policy (for more about these objects, see the next sections).
   - Network by Subscriptions - Import VNETs, subnets, Virtual Machines or VMSSs.
   - Network Security Groups (NSG) - Import all IP addresses that belong to a specific NSG. The NSG is used only as a container for the list of all IP addresses (assigned to NICs and subnets) that are attached to this group.
   - Tags - Imports all the IP addresses of Virtual Machines and VMSSs that have specific tags and values.
   Note - All changes in Microsoft Azure are updated automatically in the Check Point Security Policy. Users with permissions to change Resource Tags in Microsoft Azure can change their access permissions.
7. Install the Access Control Policy.

Microsoft Azure Objects

Objects
- Subscription - Helps you organize access to your cloud components.
- Virtual Network - Represents your Microsoft Azure Virtual Network (VNET) in the cloud.
- Subnet - A range of IP addresses in a VNET. A VNET can be divided into many subnets.
- Virtual Machine (VM) - Virtual computing environment.
- Virtual Machine Scale Set (VMSS) - Manages sets of Virtual Machines.
- Resource Group - Holds the components of your subscription as a group.
- Network Security Group (NSG) - NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to the Virtual Machine instances in a Virtual Network. NSGs can be associated with either subnets or individual Virtual Machine instances in that subnet.
- Load Balancer - Distributes incoming traffic that arrives at the Load Balancer's frontend to backend pool instances, according to rules and health probes.

Imported Properties
- Name - Name of the object and the object's Resource Group. Format is: obj_name (obj_resource_group_name). The user can edit the name after importing the object.
- Name in server - Name of the object and the object's Resource Group. Format is: obj_name (obj_resource_group_name)
- Type in server - Object type
- IP address:
  - Virtual Machines and VMSS: Public and Private IP addresses
  - Load Balancers: Frontend IP addresses
  - Subnets: VMs, VMSSs, and Internal Load Balancers Frontend IPs
  - NSGs: VMSSs and Subnets IP addresses associated with this NSG
  - Tags: VNETs, VMs, VMSSs and Load Balancers IP addresses associated with this specific Tag Key or Tag Value
- Note - Contains the address prefixes for VNETs and subnets
- URI - Object path
- Tags - Keys and Values attached to the Object
- Location - Physical location in Microsoft Azure

Auto Scaling in Microsoft Azure

The Microsoft Azure Auto Scaling service with the Check Point Auto Scaling group can increase or decrease the number of CloudGuard Gateways according to the current load.
CloudGuard Controller for Microsoft Azure can work with the Check Point Auto Scaling Group.
The Check Point Security Management Server can update Data Center objects automatically on the Check Point Auto Scaling group.

CloudGuard Controller for Nuage Networks VSP

The CloudGuard Controller integrates the Nuage cloud with Check Point security.

Connecting to a Nuage Data Center

To connect to a Nuage Data Center
1. In SmartConsole, create a new Data Center object in one of these ways:
   - In the top left corner, click Objects menu > More object types > Server > Data Center > New Nuage.
   - In the top right corner, click Objects Pane > New > More > Server > Data Center > Nuage.
2. In the Enter Object Name field, enter the applicable name.
3. In the Hostname field, enter the IP address or hostname of the Nuage server.
   Important - The address can be either HTTP or HTTPS, but not both. The Nuage version is set by default to 4.0 and the port to 8443.
4. In the Username field, enter your Nuage administrator username.
5. In the Organization field, enter your organization or enterprise name.
6. In the Password field, enter your Nuage administrator password.
7. Click Test Connection.
8. Click OK.
9. Publish the SmartConsole session.

Nuage Objects
Objects
- Enterprise - A logical separator for customers, BUs, groups, traffic, administrators, visibility, and more.
- Domain - A logical network that enables L2 and L3 communication among a set of Virtual Machines.
- Security Zone - A set of network endpoints that have to agree with the same Security Policies.
- Policy Group - Collections of vPorts and/or IP addresses that are used as building blocks for Security Policies that include multiple endpoints. Add one or more vPorts to a policy group using this interface. A policy group can also represent one or more IP/MAC addresses that it learned from external systems from BGP route advertisements based on origin.
- Subnet - Subnets are defined under a zone. A subnet is equivalent to an L2 broadcast Domain, which enables its endpoints to communicate as if they were part of the same LAN.
- Instance - Virtual Machine.
- vPort - Attached to a Virtual Machine or to a host and bridge interface. It provides connectivity to BMS and VLANs. It can be created or auto-discovered.
- L2Domain - An L2 Domain is a distributed logical switch that enables L2 communication. An L2 Domain template can be instantiated as often as required. This creates functioning L2 Domains.
- Network Macro - Organization-wide defined macros that can be used as a destination of a policy rule. For example, you can create a network that represents your internal Internet access. You can then use it as a destination of a policy rule to drop any packet that arrives from a particular port.
- Network Macro Group - A collection of existing Network Macros. These groups can be used in Security Policies to create rules that match multiple Network Macros.

Imported Properties
- Name - Resource name as shown in the Nuage console. The user can edit the name after importing the object.
- Name in Data Center - Resource name as shown in the Nuage console
- Type in Data Center - Resource type
- IP - Associated IP address
- Note:
  - Instances - "Auto generated" description
  - Domain - Comment on the domain object inserted in VSD
  - Subnet - Subnet IP address in CIDR format
  - Zone - Comment on the zone object inserted in VSD
  - vPort - Auto-generated description
- URI - Object path

CloudGuard Controller for OpenStack

The CloudGuard Controller integrates the Check Point Security Management Server with OpenStack Keystone. Authentication is done through OpenStack Keystone, and network objects are updated from OpenStack Neutron.

Prerequisites
- Version "Ussuri" or lower.

Connecting to an OpenStack Server

To connect to an OpenStack server
1. In SmartConsole, create a new Data Center object in one of these ways:
   - In the top left corner, click Objects menu > More object types > Server > Data Center > New OpenStack.
   - In the top right corner, click Objects Pane > New > More > Server > Data Center > OpenStack.
2. In the Enter Object Name field, enter the applicable name.
3. In the Hostname field, enter the URL of your OpenStack server in this format (HTTP or HTTPS):

   http://1.2.3.4:5000/<keystone_version>
   https://1.2.3.4:5000/<keystone_version>

   Example:

   https://1.2.3.4:5000/v3

   Note - If you do not know your keystone URL, run this command on the OpenStack server to find it:

   openstack endpoint stone | grep publicurl

4. In the Username field, enter your username for the OpenStack server.
5. In the Password field, enter your password for the OpenStack server.
6. Click Test Connection.
   If the Certificate window opens, confirm the certificate and click Trust.
7. When the connection status changes to Connected, click OK.
   If the status is not Connected, troubleshoot the issue before you continue.
8. Click OK.
9. Publish the SmartConsole session.
Note - If it is necessary to log into an OpenStack Domain that is not your default Domain, use this format for the username:
<OpenStack_domain_name>\<user_name>

OpenStack Objects
Objects
- Instances - Virtual Machines in the cloud.
- Security groups - Sets of IP address filter rules for networking access. They are applied to all instances in a project.
- Subnet - A block of IP addresses and associated configuration states. Subnets are used to allocate IP addresses when new ports are created on a network.

Imported Properties
- IP:
  - VM - Virtual Machine's IP address
  - Security Group - IP addresses of the Virtual Machines in the group
  - Subnets - IP addresses of the Virtual Machines in the subnet
- Note:
  - Instances - Empty
  - Security Group - Description of the group
  - Subnet - IP address and mask of the subnet
- URI - Object path

CloudGuard Controller for VMware Servers

Connecting to a VMware Server
To connect to a VMware server
1. In SmartConsole, create a new Data Center object in one of these ways:
   - In the top left corner, click Objects menu > More object types > Server > Data Center > New VMware vCenter, New VMware NSX-V, or New VMware NSX-T.
   - In the top right corner, click Objects Pane > New > More > Server > Data Center > VMware vCenter, VMware NSX-V, or VMware NSX-T.
2. In the Enter Object Name field, enter the applicable name.
3. In the Hostname field, enter the IP address or hostname of your vCenter or NSX Manager server.
4. In the Username field, enter your VMware administrator username.
5. In the Password field, enter your VMware administrator password.
6. Click Test Connection.
7. Click OK.
8. Publish the SmartConsole session.

CloudGuard Controller for VMware NSX-T Management Server
The CloudGuard Controller integrates the VMware NSX-T Management Server with Check Point security.

Prerequisites
- NSX-T version 2.5 or 3.0.
- You must have a VMware NSX-T username with the minimal permission of an Auditor (or higher) to access the CloudGuard Controller.
  Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be required for service registration (CloudGuard Gateway for NSX-T).

VMware NSX-T Objects
- NS Group - Enables a static or dynamic grouping based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.

Imported Properties
- IP - All the NS Group IP addresses
- Note - Description value of an NS Group
- URI - Object path

Known Limitations
- Logs for rules with VMware NSX-T NS Groups contain only the IP address. The logs do not contain the instance name.
- VMware NSX-T object - No support for IP Set objects with ranges or CIDR block notation. There is support for IP Set objects that represent one or more individual IP addresses.
- It is recommended to install the official VMware Tools on a Virtual Machine so that the VMware NSX-T Controller can successfully poll IP addresses. Install the VMware Tools for your specific version. Alternatives for IP discovery without VMware Tools can be found in the VMware NSX-T Administration Guide.
  Note - Each alternative has different limitations in practice.

CloudGuard Controller for VMware vCenter

Prerequisites
- VMware vCenter version 7.x or lower.
- You must have a VMware NSX-V username with Auditor (or higher) permission to access the CloudGuard Controller.
- The CloudGuard Controller integrates the VMware NSX Manager Server with Check Point security.

CloudGuard Controller for VMware NSX-V Manager Server

- The Check Point Data Center Server connects to the VMware NSX Manager Server and retrieves object data.
- The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group.
- You must have a VMware NSX username with permission of an Auditor or higher to access the CloudGuard Controller.
Note - This role is sufficient for CloudGuard Controller functionality. More permissions can be required for service registration (CloudGuard Gateway for NSX).

VMware vCenter Objects

Objects
- Cluster - A collection of ESXi hosts and associated Virtual Machines configured to work as a unit.
- Datacenter - An aggregation of many object types required to work in a virtual infrastructure. These include hosts, Virtual Machines, networks, and datastores.
- Folder - Lets you group similar objects.
- Host - The physical computer where you install ESXi. All Virtual Machines run on a host.
- Resource pool - Compartmentalizes the host or cluster CPU and memory resources.
- Virtual machine - A virtual computer environment where a guest operating system and associated application software run.
- vSphere vApp - A packaging and managing application format. A vSphere vApp can contain multiple Virtual Machines.
- Tags - All the Virtual Machines tagged with the vCenter tag. Note - This is supported with vCenter 6.5 and above.

Imported Properties
- IP - IP address or Hostname of the vCenter Server. You must install VMware Tools on each Virtual Machine to retrieve the IP addresses for each computer.
- Note - VMware vCenter object notes.
- URI - Object path.

VMware NSX-V Objects

Objects
- Security Group - Enables a static or dynamic grouping, based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.
- Universal Security Group - Enables defining a Security Group across VMware NSX managers. Note - Import these objects separately for each VMware NSX manager.

Imported Properties
- IP - All the Security Group IP addresses
- Note - Description value of a Security Group
- URI - Object path

Threat Prevention Tagging for CloudGuard for NSX Gateway
Threat Prevention Tagging automatically assigns Security Tags to Data Center objects based on Threat Prevention analysis and group affiliation.
This enables the use of dynamic Security Groups in policy rules.
Enable Threat Prevention Tagging for the Anti-Bot and Anti-Virus services on the CloudGuard for NSX Gateway.
When a threat from an infected Virtual Machine reaches the Security Gateway and is denied entry, the Virtual Machine is tagged as infected in the NSX Manager.

To activate Threat Prevention tagging
1. Connect to the command line on the CloudGuard for NSX Gateway.
2. Log in to Gaia Clish, or Expert mode.
3. To enable the tagging, run:

   tagger_cli

4. Select Activate Cluster.
   CloudGuard for NSX Clusters with active Anti-Bot and/or Anti-Virus Software Blades appear in the list.
5. Select the Cluster.
   Make sure the message "Cluster activated successfully" shows.
When it is activated, the Cluster automatically tags infected Virtual Machines in the NSX Manager Server.
These are the Security Tags:
- Default Anti-Bot Security Tag: Check_Point.BotFound
- Default Anti-Virus Security Tag: Check_Point.VirusFound
The Security Tags are created automatically in the NSX Management Server when the Cluster is activated.
When Security Tags are configured, you can create policy rules based on the Security Groups that contain those tags.

Advanced Options
Use the advanced menu options to configure the tags:
- Show Activated gateways - Lists the activated Clusters and the status of each CloudGuard for NSX Gateway.
- Modify Anti-Bot Security Tag - Enables or disables the tagging for the Anti-Bot Software Blade and changes the Security Tag.
- Modify Anti-Virus Security Tag - Enables or disables the tagging for the Anti-Virus Software Blade and changes the Security Tag.
- Modify White List - IP addresses listed in the White List are not tagged. Separate entries with spaces. Ranges are not accepted.
- Create New Security Tag - Creates a new Security Tag in the NSX Manager Server.
- Update Data - When you add a new ESX to a Cluster, CloudGuard for NSX Gateway automatically updates the Threat Prevention Tagging data within 15 minutes. Select this option to update the data manually on the new CloudGuard for NSX Gateway.

Threat Prevention Tagging Logs

In SmartConsole, in the Logs & Monitor view, see CloudGuard Tagging in the Blade column.

A list of messages and their descriptions:

Message: The Virtual Machine <VM ID> was tagged successfully with Security Tag '<Tag Name>' in NSX <NSX IP Address>
Description: Threat Prevention tagging successfully tagged a Virtual Machine due to malicious traffic.

Message: The IP address <VM IP Address> appears twice in the ESX <ESX IP Address>. The infected Virtual Machine was not tagged
Description: An IP address appears twice in the ESX. The Virtual Machine is not tagged, which prevents false positive tagging of Virtual Machines with duplicate IP addresses in the ESX.

Message: Failed to get data from the Data Center <Data Center IP Address>
Description: Failed to get a Data Center object from the Security Management Server API. Make sure that there is a trusted connection for CloudGuard Controller.

Message: Threat Prevention Tag is ignored because the VM IP '<VM IP Address>' is on the White List
Description: The Virtual Machine IP address is on the White List, so the Threat Prevention tag is ignored.

CloudGuard Controller Monitoring

CloudGuard Controller Logs and Events
To monitor the CloudGuard Controller, use any of these three options:
- Filter the logs in SmartConsole with this query syntax:
  - To see all the logs, use: "CloudGuard IaaS"
  - To see only errors, use: blade:"CloudGuard IaaS" AND Severity:Critical
- Create Events based on logs and severity.
- Connect the Event to a user-defined Automatic Reaction such as emails or scripts.
  See the R81 Logging and Monitoring Administration Guide > Section Automatic Reactions.

Log descriptions

Log: Mapping of Data Center server started
Description: CloudGuard Controller successfully connected to the data center. It starts to map the Data Center objects.

Log: Mapping of Data Center server finished
Description: CloudGuard Controller successfully mapped the Data Center objects. It starts to monitor the Data Center changes.

Log: Data center server objects were successfully updated on gateway <Name>
Description: The Data Center object was successfully updated on the Security Gateway.

Message: Connectivity to Data Center server <DC info> lost.
Description: Lost connection, possibly due to connectivity issues.
Solution: In the Data Center object, click Test Connection.

Message: Failed to update policy with data center objects. Install policy again to resolve the issue.
Description: The install process completed correctly, but there is corrupt policy data in a data center object.
Solution: --

Message: Connectivity to data center server <IP Address> lost. Objects imported from this data center server are no longer being updated.
Description: Persistent connectivity issues exist between the Security Management Server and CloudGuard Controller and the data center.
Solution: Resolve the connectivity issues.

Message: Failed to update data center server objects on gateway <Name of Security Gateway Object>. If issue persists contact Check Point Support.
Description: CloudGuard Controller fails to update a Security Gateway. There may be no connectivity to the Security Gateway.
Solution:
- Make sure there is SIC between the Security Gateway and CloudGuard Controller.
- Make sure the Identity Awareness API is enabled on the Security Gateway.

Message: Failed to generate data center server objects of new policy, Security gateways are no longer updated with the new data center objects.
Description: A policy failed to transfer to a Security Gateway.
Solution: Install the Access Control Policy again.

Message: Failed to stop updates of data center objects on the secondary management server.
Description: Data transmission to a Security Gateway from a Secondary Security Management Server stops.
Solution: Install the Access Control Policy again.

Message: Failed to start updates from previous standby domain.
Description: CloudGuard Controller fails to start updates to the Security Gateway. It is possible that there is no connectivity to the Security Gateway.
Solution: Install the Access Control Policy again.

Message: Failed to stop updates of data center objects for deleted domain. Contact Check Point Support.
Description: CloudGuard Controller fails to stop Domain enforcement when a Domain is deleted.
Solution: Install the Access Control Policy again.
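The message tables above are, in effect, a detection ruleset: each template identifies a condition and names the next step. As an added example (not Check Point's code), the following Python applies the guide's blade:"CloudGuard IaaS" AND Severity:Critical filter to log records, matches each critical message to its template, extracts the placeholder values (<DC info>, <IP Address>, <Name of Security Gateway Object>) and attaches the documented solution, so the result can drive an Automatic Reaction or a ticket. The record field names (blade, severity, message) and the sample records are constructed assumptions, not a real log export.

```python
"""Triage CloudGuard Controller log messages against the guide's tables.

Constructed record layout and sample data; adapt is_critical() to real exports.
"""
import re
from typing import Dict, List, Optional

BLADE = "CloudGuard IaaS"

# Message templates from the guide turned into regexes. Named groups capture the
# <placeholder> values. The longer connectivity message is listed first so the
# shorter template cannot shadow it.
PATTERNS = [
    ("dc_connectivity_lost_persistent",
     r"^Connectivity to data center server (?P<ip>\S+) lost\. Objects imported from this "
     r"data center server are no longer being updated\.$",
     "Resolve connectivity issues between the Security Management Server and the data center."),
    ("dc_connectivity_lost",
     r"^Connectivity to Data Center server (?P<dc>.+) lost\.$",
     "In the Data Center object, click Test Connection."),
    ("gateway_update_failed",
     r"^Failed to update data center server objects on gateway (?P<gateway>.+?)\. "
     r"If issue persists contact Check Point Support\.$",
     "Check SIC between the Security Gateway and CloudGuard Controller, and that the "
     "Identity Awareness API is enabled on the gateway."),
    ("policy_update_failed",
     r"^Failed to update policy with data center objects\. Install policy again to resolve the issue\.$",
     "Install policy again."),
    ("new_policy_generation_failed",
     r"^Failed to generate data center server objects of new policy, Security gateways are no longer "
     r"updated with the new data center objects\.$",
     "Install the Access Control Policy again."),
    ("secondary_stop_failed",
     r"^Failed to stop updates of data center objects on the secondary management server\.$",
     "Install the Access Control Policy again."),
    ("standby_domain_start_failed",
     r"^Failed to start updates from previous standby domain\.$",
     "Install the Access Control Policy again."),
    ("deleted_domain_stop_failed",
     r"^Failed to stop updates of data center objects for deleted domain\. Contact Check Point Support\.$",
     "Install the Access Control Policy again."),
    ("mapping_started", r"^Mapping of Data Center server started$", None),
    ("mapping_finished", r"^Mapping of Data Center server finished$", None),
    ("objects_updated",
     r"^Data center server objects were successfully updated on gateway (?P<gateway>.+)$", None),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE), action) for name, rx, action in PATTERNS]


def is_critical(record: Dict[str, str]) -> bool:
    """Same selection as the SmartConsole query blade:"CloudGuard IaaS" AND Severity:Critical."""
    return record.get("blade") == BLADE and record.get("severity") == "Critical"


def triage(message: str) -> Optional[Dict[str, object]]:
    """Match one message against the documented templates; None if it is not a known message."""
    for name, rx, action in COMPILED:
        m = rx.match(message.strip())
        if m:
            return {"event": name, "params": m.groupdict(), "action": action}
    return None


def triage_logs(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Critical CloudGuard IaaS records, each paired with its documented next step.

    Unknown critical messages are kept as event "unknown" so they reach a human.
    """
    out = []
    for rec in records:
        if not is_critical(rec):
            continue
        hit = triage(rec.get("message", "")) or {"event": "unknown", "params": {}, "action": None}
        out.append({**hit, "message": rec.get("message", "")})
    return out


# Constructed sample records (not captured from a real Management Server).
SAMPLE_LOGS = [
    {"blade": BLADE, "severity": "Informational", "message": "Mapping of Data Center server started"},
    {"blade": BLADE, "severity": "Critical", "message": "Connectivity to Data Center server gcp-prod lost."},
    {"blade": BLADE, "severity": "Critical",
     "message": "Failed to update data center server objects on gateway gw-edge-1. "
                "If issue persists contact Check Point Support."},
    {"blade": BLADE, "severity": "Critical",
     "message": "Connectivity to data center server 10.0.0.5 lost. Objects imported from this "
                "data center server are no longer being updated."},
    {"blade": "Firewall", "severity": "Critical", "message": "unrelated blade, must be filtered out"},
]

if __name__ == "__main__":
    for item in triage_logs(SAMPLE_LOGS):
        print(item["event"], item["params"], "->", item["action"])
```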

CloudGuard Controller Status

Options for checking the CloudGuard Controller status:
- On the Management Server - Follow these steps:
  1. Connect to the command line.
  2. Run: cpstat vsec
- In SmartConsole - Follow these steps:
  1. From the left navigation panel, click Gateways & Servers.
  2. Select your Management Server object.
  3. At the bottom, from the Summary tab, click Device & License Information > Device Status.
- SNMP Traps - See sk124532.

Configuration Parameters
The CloudGuard Controller uses configuration parameters that can be adjusted to your specific needs.
This section provides a list of the configuration parameters, including their description, minimum and maximum values, and the command to force the parameter's update.
CloudGuard Controller can be configured through various parameters in the vsec.conf file. See the vsec.conf file for more information.
Locations of the vsec.conf file:
- On a Security Management Server: $FWDIR/conf/vsec.conf
- On a Multi-Domain Server: $MDSDIR/conf/vsec.conf

Important - All configuration values are read from the vsec.conf file only when CloudGuard Controller is loaded. If you change one of the parameters, you must restart the CloudGuard Controller with the "vsec stop ; vsec start" commands.

CloudGuard Central Licensing

License Pooling
CloudGuard Central Licensing is a pooled license structure offered on the Check Point Security Management Server and Multi-Domain Server.
With this feature, you can dynamically change the properties of licenses in your Security Gateway architecture.
The license pool contains the licenses for each Security Gateway with its cores. A license is issued for each CloudGuard Gateway, and the number of cores in a CloudGuard Gateway determines the necessary license.

The central licensing feature provides:
- One global license for as many CloudGuard Gateways as needed.
- Scaled-up performance on a CloudGuard Gateway with all its vCores.
- Movement of vCores from one CloudGuard Gateway to another.
- Movement of the CloudGuard Gateway between the public and private cloud.

Two modes for the Multi-Domain Server
- System Mode - The default mode. It generates a license for the IP address of the Multi-Domain Server. The license pool is on the Multi-Domain Server. The licenses are attached to all of the CloudGuard Gateways that the Domain Management Servers manage. To use this mode, run:
  vsec_lic_cli mode mds
- Domain Mode - Domain Mode pools are managed on each individual Domain. Licenses are distributed to the CloudGuard Gateways that the Domain manages. The license is generated with the IP address of the Domain to which it belongs. To use this mode, run:
  vsec_lic_cli mode domain

Note:
To go to the context of a Domain Management Server, run:

mdsenv <Name or IP Address of Domain Management Server>

License Distribution
Items
- Licenses that can be managed in pools:
  - Virtual security licenses for public and private clouds.
  - Licenses with the same contract blade package.
  Note - Licenses with different contract blades are in separate pools. The first license pool that is created is configured as the default pool. The licenses from the default pool are attached to CloudGuard Gateways.
- Gateways that receive a license from the pool - CloudGuard Gateways on the public and private cloud. The supported Hypervisors in the private cloud are VMware ESXi, Hyper-V and KVM. The supported modules in the public cloud are AWS, Microsoft Azure, Google Cloud Platform and vCloud Air.
- Gateways that receive a license:
  - New CloudGuard Gateways receive the license from the pool after policy installation.
  - Existing CloudGuard Gateways receive the license immediately after the license is added.
- Distribution - CloudGuard licenses are attached from the license pool to CloudGuard Gateways. The distribution procedure is permissive: Gateways are issued a license even when the pool no longer has licenses available.

Using the Central Licensing Utility with Existing Licenses

You can activate the new CloudGuard Central Licensing utility on Security Gateways that already have a
license. Licenses with the same Software Blades and contract expiration join together to make one pool. If
multiple pools are established, one of the pools is the default pool. Any license that is not part of the pool is
detached from all Security Gateways.
If you have a Multi-Domain Server, enable the central license utility on the Multi-Domain Server. The
Multi-Domain Server automatically activates the central license utility on each Domain Management Server.

Best Practice - We recommend that you have only one type of pool. Therefore,
licenses with the same Software Blades and contract expiration are grouped together.
Use the central license utility to ensure that licenses are distributed correctly.

Managing CloudGuard Central Licenses

CloudGuard central license is disabled by default. When it is disabled, licenses are not distributed
automatically to new CloudGuard Gateways. However, licenses that are already installed stay on the
CloudGuard Gateways.


Operations

Operation                            CLI command
Enable the CloudGuard license        vsec_lic_cli on
Disable the CloudGuard license       vsec_lic_cli off
Manage the CloudGuard license pool   vsec_lic_cli

The vsec_lic_cli tool is used exclusively to manage CloudGuard licenses, and other tools must not be
used at the same time. CloudGuard licenses that were already added with other tools, such as
SmartUpdate, are automatically added to the pools.
The CloudGuard License Manager Menu shows these options:
1. "Adding a License" below
2. "Removing a License" below
3. "Viewing License Use" below
4. "Running License Distribution" on the next page
5. "Configuring Automatic License Distribution for Security Gateways" on the next page
6. "Generating a Core Use Report" on the next page

Adding a License
You can add a central license to the license pool with the IP address of a Security Management Server,
Multi-Domain Server or Domain Management Server.
The license is added to the pool to match the contract blade. Use the User Center to automatically match
the blade to the contract, or attach the contracts manually with SmartUpdate.
A license in a default pool is distributed to the CloudGuard Gateway as needed.

Removing a License
When you remove a license from the pool, it is also removed from all CloudGuard Gateways, which have
the license.

Viewing License Use

With the Central Licensing feature, you can see use details of the CloudGuard Gateways in the pool.

This information is available:
- Quota of cores
- Unused cores
- Security Gateways licensed in the pool
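The pool behaviour described in the License Distribution Items table and in "Adding a License", "Removing a License" and "Viewing License Use", modelled as an added Python example; this is not Check Point code and not the vsec_lic_cli tool itself, and the gateway names, license ids, blade package names and core counts are constructed. The report makes an overcommitted default pool visible, which the permissive distribution would otherwise hide.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Gateway:
    name: str
    cores: int
    policy_installed: bool = False
    license_id: Optional[str] = None   # license attached from the pool, if any
class CentralLicensing:
    def __init__(self):
        self.licenses = {}        # license id -> {"pool": (blades, expiry), "cores": int}
        self.pools = {}           # (blades, expiry) -> [license ids]; the first created is default
        self.default_pool = None
        self.gateways = {}        # gateway name -> Gateway
        self.enabled = False      # mirrors vsec_lic_cli on / off

    def add_license(self, lic_id, blades, expiry, cores):
        key = (blades, expiry)    # same blade package and expiry -> same pool
        self.pools.setdefault(key, []).append(lic_id)
        self.default_pool = self.default_pool or key
        self.licenses[lic_id] = {"pool": key, "cores": cores}
        self.distribute()         # existing gateways receive the license immediately

    def remove_license(self, lic_id):
        self.pools[self.licenses.pop(lic_id)["pool"]].remove(lic_id)
        for gw in self.gateways.values():   # detached from every gateway holding it
            if gw.license_id == lic_id:
                gw.license_id = None

    def used_cores(self, lic_id):
        return sum(g.cores for g in self.gateways.values() if g.license_id == lic_id)

    def distribute(self):
        # Daily job or manual run: license gateways from the default pool, permissively.
        pool = self.pools.get(self.default_pool, [])
        if not self.enabled or not pool:
            return
        for gw in self.gateways.values():
            if gw.license_id or not gw.policy_installed:   # new gateways wait for policy install
                continue
            fits = [l for l in pool if self.used_cores(l) + gw.cores <= self.licenses[l]["cores"]]
            gw.license_id = (fits or pool)[0]   # permissive: attached even when quota is exhausted

    def report(self):
        # Quota, unused cores and licensed gateways of the default pool; unused < 0 = overcommitted.
        pool = self.pools.get(self.default_pool, [])
        quota = sum(self.licenses[l]["cores"] for l in pool)
        used = sum(self.used_cores(l) for l in pool)
        licensed = [g.name for g in self.gateways.values() if g.license_id in pool]
        return {"quota": quota, "unused": quota - used, "licensed": licensed}
```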


Running License Distribution

Distribution of licenses to the CloudGuard Gateways is done automatically, once a day.
To attach the license immediately, you can run the distribution manually.

You can monitor these changes on the CloudGuard Gateways and licenses:
- New CloudGuard Gateways
- Core changes on existing CloudGuard Gateways
- Contract changes on existing licenses
After distribution of the licenses, a CloudGuard Gateway that did not have a license now has one.

Configuring Automatic License Distribution for Security Gateways

You can enable or disable automatic license distribution to a CloudGuard Gateway.

Generating a Core Use Report

You can generate a CSV file with an hourly core use report for each CloudGuard Gateway.

Check Point Copyright Notice
© 2020 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed
under licensing restricting their use, copying, distribution, and decompilation. No part of this product or
related documentation may be reproduced in any form or by any means without prior written authorization
of Check Point. While every precaution has been taken in the preparation of this book, Check Point
assumes no responsibility for errors or omissions. This publication and features described herein are
subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)
(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
