CP R81 CloudGuard Controller AdminGuide
CloudGuard Controller R81 Administration Guide
[Classification: Protected]
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the
latest functional improvements, stability fixes, security enhancements and protection
against new and evolving attacks.
Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.
Revision History
Date Description
Table of Contents
Introduction to CloudGuard Controller
Use Case
What's New in R81 CloudGuard Controller
Workflow for Deploying CloudGuard Controller
Supported Security Gateways
Activating the Identity Awareness Software Blade
Integrating with Data Center Servers
Connecting to a Data Center Server
Data Center Query Objects
Creating Rules with Data Center Query Objects
How to Configure Data Center Query Objects in SmartConsole
Supported Data Centers
CloudGuard Controller for Amazon Web Services
Connecting to an Amazon Web Services Data Center Server
Amazon Web Services Objects
Importing AWS objects
Object Names
Imported Properties
Configuring Permissions for Amazon Web Services
Auto Scaling in Amazon Web Services
CloudGuard Controller for Cisco ACI
Prerequisites
Connecting to a Cisco ACI Data Center Server
Cisco ACI Objects
Objects
CloudGuard Controller for Cisco Identity Services Engine (ISE)
Prerequisites
Connecting to a Cisco ISE Data Center
Cisco ISE Objects
Automatic Failover
Introduction to CloudGuard Controller
A component of Check Point's Security Management Server, the CloudGuard Controller manages security
in public and on-premises environments with one unified management solution. The CloudGuard
Controller dynamically learns about objects and attributes in data centers, such as changes in subnets,
security groups, virtual machines, IP addresses, and tags. After using the vendor's API to establish a trust
relationship with a data center, the CloudGuard Controller regularly polls the connected environments for
changes in objects and object attributes used in the Security Policy. Changes are automatically pushed to
the Security Gateway.
Item Description
2 - With the use of the vendor's APIs, the CloudGuard Controller connects to the cloud environment and regularly polls it for changes.
4 - The CloudGuard Controller pushes updates to attributes and objects in the Security Policy rules to Check Point Security Gateways.
Use Case
Dynamic environments such as public and on-premises data centers and clouds present a large challenge
to security professionals. The number of subnets, machines, and IP addresses changes quickly. The
legacy model of manual updates to the security policy and Security Gateways every two or three days is
too slow for such environments.
In most organizations, personnel from several different departments have permission to add or remove
assets in data centers. This kind of overlap creates a concern about the security and maintenance of
assets in the data center. The solution to manual updates is to protect the security and maintenance of the
assets - automatically. This is where the CloudGuard Controller comes in to assist. With the CloudGuard
Controller, the Security Operation Center (SOC) can configure the security policy to automatically detect
changes in data centers, and push these changes directly to the Gateway.
For example, an RnD team needed to add an RnD server and a separate RnD server for staging. This
required constant emails and service tickets between the server team and the SOC team. To add or remove
an IP address, the server team had to open a ticket with the Info sec team. Then the Info sec team had
to manually update the information. This process looks like this:
The problem grows with each request from RnD to remove IPxx or add IPxx. With the possibility of
hundreds of IPs, errors and frustration on both teams are inevitable.
This is where the CloudGuard Controller comes in to help.
The CloudGuard Controller changes a static, manual process into a dynamic, automatic flow of data. The
two teams only have to use one tag. This one tag is representative of changes in the data center. Rather
than the manual, meticulous IP table, and the constant emails between the teams, the CloudGuard
Controller removes the dependency on a manual procedure. For example:
Use Cases
- Simplify the policy - Use one query object to represent data center objects from multiple data centers. This eliminates the necessity for multiple rules.
- Simplify operations - Create the policy before data centers are set up. This makes it easier to differentiate responsibilities between security admins and DevOps teams.
- Powerful policies - Use logical operators to create a more sophisticated selection of data center objects in the rule base.
What's New in R81 CloudGuard Controller
- Support for New Data Centers
  - Kubernetes Data Center - Added CloudGuard Controller support for Kubernetes Clusters. Administrators can now create a Kubernetes-aware security policy for Kubernetes North-South traffic.
  - VMware vCenter, version 7
- In NAT policy, added support for Data Center objects in the Original Source and Original Destination columns.
- CloudGuard Controller can use the system proxy for connections to all data centers.
- Cloud, a new object category in SmartConsole's Object Explorer, aggregates all data centers, data center objects and data center queries into one category.
Important - To use the CloudGuard Controller with R77.20 and R77.30 Security
Gateways (with R77.30 Jumbo Hotfix Accumulator below Take 309), you must install
the CloudGuard Controller / vSEC Controller Enforcer Hotfix (see sk129152) on
those R77.20 and R77.30 Security Gateways.
Note - Support for Data Center Query Objects is from R80.10 and above.
Do Steps 2, 3, and 4 for every Gateway that is to enforce a policy with CloudGuard Controller objects.
2. Enable the Identity Awareness Blade on the Gateway.
3. In the Identity Awareness settings, on the Gateway, enable the Identity Web API.
4. From the Settings, add the host with IP address 127.0.0.1 as a trusted client > Click OK.
You can add Data Center objects and Data Center Query objects to the Source and/or Destination
columns of Access Control rules and Threat Prevention rules. In addition, Data Center objects (but not
Data Center queries) can be added to the NAT policy.
Without Data Center Query:
1. Create the Data Center account(s).
2. Import objects from each Data Center to the Rule base.
3. No choice for complex logic inside the rules.
With Data Center Query:
- Create Data Center Query objects and add them to the rule base before or after you create Data Center account(s). Important - You cannot install policy if there is only a Data Center Query but no Data Center object(s).
  Create the Data Center Query object with the All Data Centers option. The advantage is that if new Data Center Servers are added later on, rules in the rule base with such a Data Center Query object (with the 'All Data Centers' option) are automatically applied to assets in the new Data Center Servers without more actions in the rule base (you must push policy after you add the new Data Center Servers).
- One Data Center Query object can use assets (objects) from more than one, or all, Data Centers. This results in simpler security rules.
- The Query can be more complex and larger than what is possible in the security rule's logic.
  - OR logic inside each query rule, use "," between items
  - AND logic between query rules, use "," between items
Example query rule: "server_type=prod_db"
Note - Rule No. 1 is without Data Center Query, Rule No 2 is with Data Center Query.
Note - All object IP addresses that match the query are updated on the Security Gateway.
d. Optional: To review the query, click Preview Query.
e. Click OK.
Step 2: Add the Data Center Query object from Step 1 to the Rule base.
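The query semantics described above (items inside one query rule are ORed, query rules are ANDed, and a query with the All Data Centers option spans every connected Data Center), as an added Python example that is not Check Point code. The "key=value,value" rule string and the two in-memory Data Center inventories are assumptions for illustration.

```python
"""Resolve a Data Center Query to the IP addresses pushed to the gateway.

Added example, not Check Point code. It models the semantics the guide
describes: items inside one query rule are ORed, query rules are ANDed, and
a query with the All Data Centers option spans every connected Data Center.
The "key=value,value" rule string and the in-memory records are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DataCenterObject:
    """A polled asset: its name, the IP addresses it resolves to, and its tags."""
    name: str
    ips: Set[str]
    tags: Dict[str, str] = field(default_factory=dict)


# Constructed sample inventory for two Data Center servers (not real data).
DATA_CENTERS: Dict[str, List[DataCenterObject]] = {
    "aws-prod": [
        DataCenterObject("db-1", {"10.1.0.10"}, {"server_type": "prod_db", "env": "prod"}),
        DataCenterObject("db-2", {"10.1.0.11", "10.1.0.12"}, {"server_type": "prod_db", "env": "prod"}),
        DataCenterObject("web-1", {"10.1.1.10"}, {"server_type": "web", "env": "prod"}),
    ],
    "azure-staging": [
        DataCenterObject("db-stg", {"10.2.0.10"}, {"server_type": "staging_db", "env": "staging"}),
        DataCenterObject("web-stg", {"10.2.1.10"}, {"server_type": "web", "env": "staging"}),
    ],
}


def parse_rule(rule: str) -> Tuple[str, Set[str]]:
    """Parse "key=a, b" into ("key", {"a", "b"}); comma-separated items are ORed.

    Leading and trailing spaces are dropped, as the controller does for tags.
    """
    if "=" not in rule:
        raise ValueError(f"query rule must look like key=value[,value...]: {rule!r}")
    key, values = rule.split("=", 1)
    items = {v.strip() for v in values.split(",") if v.strip()}
    if not key.strip() or not items:
        raise ValueError(f"empty key or value list in rule: {rule!r}")
    return key.strip(), items


def object_matches(obj: DataCenterObject, rules: List[str]) -> bool:
    """Every rule must hold (AND); inside a rule any listed value suffices (OR)."""
    return all(obj.tags.get(key) in items for key, items in map(parse_rule, rules))


def resolve_query(rules: List[str], data_centers: Optional[List[str]] = None) -> Set[str]:
    """Return the set of IP addresses the Security Gateway is updated with.

    data_centers=None stands for the All Data Centers option: every connected
    Data Center is searched, so assets in a server added later are picked up
    without editing the rule base (policy still has to be installed).
    """
    if not rules:
        raise ValueError("a query needs at least one rule")
    names = list(DATA_CENTERS) if data_centers is None else data_centers
    ips: Set[str] = set()
    for name in names:
        for obj in DATA_CENTERS[name]:
            if object_matches(obj, rules):
                ips |= obj.ips
    return ips


if __name__ == "__main__":
    # OR inside one rule: production or staging databases, from all Data Centers.
    print(sorted(resolve_query(["server_type=prod_db,staging_db"])))
    # AND between rules: only the production databases.
    print(sorted(resolve_query(["server_type=prod_db,staging_db", "env=prod"])))
```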
Important - The CloudGuard Controller server clock must be synchronized with the
current, local time. Use of a NTP server is recommended. Time synchronization issues
can cause polling information from the cloud to fail.
Object Description
VPC - Amazon Virtual Private Cloud enables you to launch resources into your Virtual Network.
Subnet - All the IP addresses from the Network Interfaces related to this subnet.
Tags - Groups all the instances that have the same Tag Key and Tag Value.
Security Group - Groups all the IP addresses and Security Groups from all objects associated with this Security Group.
Load Balancer - Load Balancer distributes incoming traffic across multiple targets such as EC2 Instances and IP addresses. Only Application and Network Load Balancers are supported.
Import Option Description
Regions - Import AWS VPCs, Load Balancers, Subnets or Instances from a certain region to your Security Policy.
Tags - Import all instances and Security Groups that have a specific Tag Key or Tag Value.
Notes:
- CloudGuard Controller saves Tags that have a Key and no Value as: "Tag key=".
- CloudGuard Controller removes leading and trailing spaces from Tag Keys and Tag Values.
- All changes in AWS are updated automatically in the Check Point Security Policy. Users with permissions to change resource tags in AWS can change their access permissions.
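Because tag changes flow straight into the Security Policy, a defender wants to see who changes the tags the policy selects on. The following added Python example (not Check Point or AWS code) scans CloudTrail records for CreateTags/DeleteTags on such keys; POLICY_TAG_KEYS and the sample records are constructed, and the records are assumed to follow the CloudTrail ec2 CreateTags/DeleteTags layout (requestParameters.resourcesSet.items / tagSet.items).

```python
"""Flag tag changes that can alter what a tag-based Security Policy allows.

Added example, not Check Point or AWS code. The guide notes that anyone who
can change resource tags in AWS can change their access; this scans CloudTrail
records for CreateTags/DeleteTags on the tag keys the Security Policy queries.
POLICY_TAG_KEYS and the sample records are constructed; the records are
assumed to follow the CloudTrail ec2 CreateTags/DeleteTags layout.
"""
import json
from typing import Dict, Iterable, List

# Tag keys that Data Center Query objects in the rule base select on (assumed).
POLICY_TAG_KEYS = {"server_type", "env"}

# Constructed sample CloudTrail records, one JSON object per line (not real data).
SAMPLE_RECORDS = [json.loads(line) for line in """
{"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateTags", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}, "requestParameters": {"resourcesSet": {"items": [{"resourceId": "i-0aaa111"}]}, "tagSet": {"items": [{"key": "server_type", "value": "prod_db"}]}}}
{"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateTags", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci"}, "requestParameters": {"resourcesSet": {"items": [{"resourceId": "i-0bbb222"}]}, "tagSet": {"items": [{"key": "CostCenter", "value": "42"}]}}}
{"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteTags", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob"}, "requestParameters": {"resourcesSet": {"items": [{"resourceId": "i-0ccc333"}, {"resourceId": "i-0ddd444"}]}, "tagSet": {"items": [{"key": "env"}]}}}
{"eventTime": "2024-05-01T10:09:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/cloudguard-controller"}, "requestParameters": {}}
""".strip().splitlines()]


def policy_tag_changes(records: Iterable[Dict], keys=POLICY_TAG_KEYS) -> List[Dict]:
    """One finding per (record, resource, tag) that touches a policy tag key.

    Tag keys are compared after stripping, because the controller also drops
    leading and trailing spaces from imported Tag Keys and Tag Values.
    """
    findings: List[Dict] = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") not in ("CreateTags", "DeleteTags"):
            continue
        params = rec.get("requestParameters") or {}
        resources = [r.get("resourceId") for r in params.get("resourcesSet", {}).get("items", [])]
        for tag in params.get("tagSet", {}).get("items", []):
            key = (tag.get("key") or "").strip()
            if key not in keys:
                continue
            for rid in resources:
                findings.append({
                    "time": rec.get("eventTime"),
                    "actor": (rec.get("userIdentity") or {}).get("arn"),
                    "action": rec["eventName"],
                    "resource": rid,
                    "key": key,
                    "value": (tag.get("value") or "").strip(),  # DeleteTags may omit the value
                })
    return findings


if __name__ == "__main__":
    for f in policy_tag_changes(SAMPLE_RECORDS):
        print(f"{f['time']} {f['actor']} {f['action']} {f['resource']} {f['key']}={f['value']}")
```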
Object Names
Object names are the same as those in the AWS console.
VPC, Subnet, Instance, and Security Group objects are named as follows:
Imported Properties
Imported Property Description
Name - Resource name as shown in the AWS console. User can edit the name after importing the object.
Tags - Tags (Keys and Values) that are attached to the object.
Item Value
Effect - Allow
Actions:
- ec2:DescribeInstances
- ec2:DescribeNetworkInterfaces
- ec2:DescribeSubnets
- ec2:DescribeVpcs
- ec2:DescribeSecurityGroups
For more information about Roles and the IAM policy, see Amazon Web Services documentation.
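The permissions table above is a read-only, least-privilege grant. The following added Python example (not Check Point or AWS code) builds that policy document and checks a candidate policy against it, reporting both over-broad grants (wildcards, tag-writing actions) and missing Describe calls; the candidate policies are constructed for illustration.

```python
"""Least-privilege check for the IAM policy a CloudGuard Controller role needs.

Added example, not Check Point or AWS code. REQUIRED_ACTIONS is the Allow
statement from the permissions table in this guide; excess_grants() and
missing_actions() compare a candidate policy document against it. The
candidate policies are constructed for illustration.
"""
import fnmatch
from typing import Dict, List, Set

# The read-only EC2 calls the controller uses to poll an AWS Data Center.
REQUIRED_ACTIONS = (
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "ec2:DescribeSecurityGroups",
)


def required_policy() -> Dict:
    """Minimal policy document: one Allow statement with exactly those actions.

    EC2 Describe* calls are not scoped to individual resources, so Resource is "*".
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}],
    }


def _as_list(value) -> List:
    """IAM accepts a single string/object or a list in Statement, Action and NotAction."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(action: str, pattern: str) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def excess_grants(policy: Dict) -> Set[str]:
    """Allow entries that grant more than the controller needs.

    An exact required action is fine. A wildcard such as ec2:* or ec2:Describe*
    is reported because it covers calls outside the required set, and a write
    action such as ec2:CreateTags would let the role rewrite the tags the
    Security Policy is built on. Allow + NotAction is reported as a whole,
    since it grants everything not listed.
    """
    excess: Set[str] = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            excess.add("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for pattern in _as_list(stmt.get("Action")):
            if not any(pattern.lower() == a.lower() for a in REQUIRED_ACTIONS):
                excess.add(pattern)
    return excess


def missing_actions(policy: Dict) -> Set[str]:
    """Required actions that no Allow statement covers (wildcards do count here)."""
    covered: Set[str] = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            excluded = _as_list(stmt["NotAction"])
            covered |= {a for a in REQUIRED_ACTIONS if not any(_matches(a, p) for p in excluded)}
        for pattern in _as_list(stmt.get("Action")):
            covered |= {a for a in REQUIRED_ACTIONS if _matches(a, pattern)}
    return set(REQUIRED_ACTIONS) - covered


# Constructed candidate: a wildcard plus a tag-writing action. Not from the guide.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:CreateTags"], "Resource": "*"}],
}
```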
Prerequisites
- Cisco ACI version 4.1 or lower.
- You must have a Cisco ACI user role with minimum read permissions for Tenant EPG.
  Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be required for device package installation (CloudGuard for ACI).
- Enable Bridge Domain unicast routing to allow IP address learning for EPGs on the Cisco ACI.
- Define a subnet on the Bridge Domain to help the fabric maintain IP address learning tables. This prevents time-outs on silent hosts that respond to periodic ARP requests.
- Before you do the upgrade on the Management Server, if you have a Cisco APIC server, keep only one URL. After the upgrade, add the other URLs.
apic:<domain>\<username>
Object Description
Tenant - A logical separator for customers, BU, groups, traffic, administrators, visibility, and more.
Application Profile - A container of logically related EPGs, their connections, and the policies that define those connections.
End-Point Group (EPG) - A container for objects that require the same policy treatment. EPG examples: app tiers or services (usually, VLAN).
Prerequisites:
- Cisco ISE version 2.1
- An ISE administrator with the ERS-Operator or ERS-Admin group assignment
- ERS enabled on the ISE administration nodes
Object Description
Security Groups - Groups of users, endpoints, and resources that share Access Control policies. You define the Security Groups in Cisco ISE.
Automatic Failover
If there is a failure to communicate with the provided ISE administration nodes, CloudGuard Controller
enters a recovery mode. In recovery mode, it automatically tries again to establish a connection with the
administration nodes. Connection is attempted with the nodes in the order they were entered.
Important - Make sure that the secondary node is correctly synchronized with the primary node. If not, the
IP-to-SGT data may not be up to date.
Important - The CloudGuard Controller server clock must be synchronized with the
current, local time. Use of a NTP server is recommended. Time synchronization issues
can cause polling information from the cloud to fail.
Service Account Key Authentication - Uses the Service Account private key file to authenticate. Use the GCP web console to create a Service Account Key JSON file.
GCP APIs
You must enable the Cloud Resource Manager API for the project to which the service account belongs.
The Compute Engine API must be enabled for all the projects to which the Service Account has access.
Item Description
Subnet All the IP addresses from the network interfaces related to this subnet
Tags Groups all the instances that have the same network tag
Import Option Description
Projects - Import VPC networks, subnets or instances from different projects to your Security Policy.
Note - All changes in GCP are automatically updated with the Check Point Security Policy. Users with
permissions to change network tags in GCP can change their access permissions.
Object Names
Object names are the same as those in the GCP console.
Imported Properties
Imported Property Description
Name - Resource name as shown in the GCP console. User can edit the name after importing the object.
Note - For instances, the list of VPC networks to which the instance belongs.
Prerequisite
- K8s version 1.12 and above
Note - Island Mode (NATed IP address for Nodes) is not supported.
kubectl cluster-info
Object Description
Virtual Network - Represents your Microsoft Azure Virtual Network (VNET) in the cloud.
Network Security Group (NSG) - NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to the Virtual Machine instances in a Virtual Network. NSGs can be associated with either subnets or individual Virtual Machine instances in that subnet.
Load Balancer - Load Balancer distributes incoming traffic that arrives into the Load Balancer's frontend to backend pool instances, according to rules and health probes.
Imported Properties
Imported Property Description
Nuage Objects
Objects
Object Description
Enterprise - A logical separator for customers, BU, groups, traffic, administrators, visibility, and more.
Domain - A logical network that enables L2 and L3 communication among a set of Virtual Machines.
Security Zone - A set of network endpoints that have to agree with the same Security Policies.
Policy Group - Collections of vPorts and/or IP addresses that are used as building blocks for Security Policies that include multiple endpoints. Add one or more vPorts to a policy group using this interface. A policy group can also represent one or more IP/MAC addresses that it learned from external systems from BGP route advertisements based on origin.
Network Macro - Organization-wide defined macros that can be used as a destination of a policy rule. For example, you can create a network that represents your internal Internet access. You can then use it as a destination of a policy rule to drop any packet that arrives from a particular port.
Imported Properties
Imported Property Description
IP - Associated IP address
Prerequisites
- Version "Ussuri" or lower.
http://1.2.3.4:5000/<keystone_version>
https://1.2.3.4:5000/<keystone_version>
Example:
https://1.2.3.4:5000/v3
Note - If you do not know your keystone URL, run this command on the OpenStack server to find it:
4. In the Username field, enter your username for the OpenStack server.
5. In the Password field, enter your password for the OpenStack server.
6. Click Test Connection.
If the Certificate window opens, confirm the certificate and click Trust.
7. When the connection status changes to Connected, click OK.
If the status is not Connected, troubleshoot the issue before you continue.
8. Click OK.
9. Publish the SmartConsole session.
Note - If it is necessary to log in to an OpenStack Domain that is not your default Domain, use this format:
<OpenStack_domain_name>\<user_name>
OpenStack Objects
Objects
Object Description
Imported Properties
Prerequisites
- NSX-T version 2.5 or 3.0.
- You must have a VMware NSX-T username with the minimal permission of an Auditor (or higher) to access the CloudGuard Controller.
  Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be required for service registration (CloudGuard Gateway for NSX-T).
Object Description
Ns Group - Enables a static or dynamic grouping based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.
Imported Properties
Imported Property Description
Known Limitations
- Logs for rules with VMware NSX-T Ns Groups contain only the IP address. The logs do not contain the instance name.
- VMware NSX-T object - No support for IP Set objects with ranges or CIDR block notation. IP Set objects that represent one or more individual IP addresses are supported.
- It is recommended to install official VMware Tools on a Virtual Machine so that the VMware NSX-T Controller can successfully poll IP addresses. Install the VMware Tools for your specific version. Alternatives for IP discovery without VMware Tools can be found in the VMware NSX-T Administration Guide.
Note - Each has different limitations in practice.
Object Description
Cluster - A collection of ESXi hosts and associated Virtual Machines configured to work as a unit.
Host - The physical computer where you install ESXi. All Virtual Machines run on a host.
Virtual machine - A virtual computer environment where a guest operating system and associated application software runs.
vSphere vApp - A packaging and managing application format. A vSphere vApp can contain multiple Virtual Machines.
Tags - All the Virtual Machines tagged with the vCenter tag. Note - This is supported with vCenter 6.5 and above.
Imported Properties
Imported Property Description
Object Description
Security Group - Enables a static or dynamic grouping, based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.
Imported Properties
tagger_cli
4. Select Activate Cluster.
   CloudGuard for NSX Clusters with active Anti-Bot and/or Anti-Virus Software Blades appear.
5. Select the Cluster.
   Make sure that "Cluster activated successfully" shows.
When it is activated, the Cluster automatically tags infected Virtual Machines in the NSX Manager Server.
These are the Security Tags:
- Default Anti-Bot Security Tag: Check_Point.BotFound
- Default Anti-Virus Security Tag: Check_Point.VirusFound
The Security Tags are created automatically in the NSX Management Server when the Cluster is activated.
When Security Tags are configured, you can create policy rules based on the Security Groups that contain
those tags.
Advanced Options
Use advanced menu options to configure the tags:
Option Description
Show Activated gateways - Lists the activated Clusters and the status of each CloudGuard for NSX Gateway.
Modify Anti-Bot Security Tag - Enables or disables the tagging for the Anti-Bot Software Blade and changes the Security Tag.
Modify Anti-Virus Security Tag - Enables or disables the tagging for the Anti-Virus Software Blade and changes the Security Tag.
Modify White List - IP Addresses listed in the White List are not tagged. Separate with spaces. Ranges are not accepted.
Create New Security Tag - Creates a new Security Tag in the NSX Manager Server.
Update Data - When you add a new ESX to a Cluster, CloudGuard for NSX Gateway automatically updates the Threat Prevention Tagging data within 15 minutes. Select this option to update the data manually on the new CloudGuard for NSX Gateway.
Message Description
"The Virtual Machine <VM ID> was tagged successfully with Security Tag '<Tag Name>' in NSX <NSX IP Address>" - Threat Prevention tagging successfully tagged a Virtual Machine due to malicious traffic.
"The IP address <VM IP Address> appears twice in the ESX <ESX IP Address>. The infected Virtual Machine was not tagged" - An IP address appears twice in the ESX. The Virtual Machine is not tagged; this prevents false positive tagging of Virtual Machines with duplicate IP addresses in the ESX.
"Failed to get data from the Data Center <Data Center IP Address>" - Failed to get a Data Center object from the Security Management Server API. Make sure that there is a trusted connection for CloudGuard Controller.
"Threat Prevention Tag is ignored because VM IP '<VM IP Address>' is on the White List" - The Virtual Machine IP address is on the Whitelist and the Threat Prevention tag is ignored.
Log Description Resolution
Log: "Data center server objects were successfully updated on gateway <Name>"
  Description: The Data Center object was successfully updated on the Security Gateway.
Log: "Connectivity to Data Center server <DC info> lost."
  Description: Lost connection, possibly due to connectivity issues.
  Resolution: In the Data Center object, click Test Connection.
Log: "Failed to generate data center server objects of new policy, Security gateways are no longer updated with the new data center objects."
  Description: There is a transfer failure of a policy to a Security Gateway.
  Resolution: Install the Access Control Policy again.
Log: "Failed to start updates from previous standby domain."
  Description: CloudGuard Controller fails to start the update to the Security Gateway. It is possible that there is no connectivity to a Security Gateway.
  Resolution: Install the Access Control Policy again.
Log: "Failed to stop updates of data center objects for deleted domain. Contact Check Point Support."
  Description: CloudGuard Controller fails to stop Domain enforcement when a Domain is deleted.
  Resolution: Install the Access Control Policy again.
Configuration Parameters
The CloudGuard Controller uses configuration parameters that can be adjusted to your specific needs.
This section provides a list of the configuration parameters including their description, minimum and
maximum value, and the command to force the parameter's update.
CloudGuard Controller can be configured through various parameters in the vsec.conf file. See the
vsec.conf file for more information.
Locations of the vsec.conf file
- On a Security Management Server:
  $FWDIR/conf/vsec.conf
- On a Multi-Domain Server:
  $MDSDIR/conf/vsec.conf
Important - All configuration values are read from the vsec.conf file only when
CloudGuard Controller is loaded. If you change one of the parameters, you must
restart the CloudGuard Controller with the "vsec stop ; vsec start"
commands.
Mode Description
System Mode - Default Mode. Generates a license for the IP address of the Multi-Domain Server. The license pool is on the Multi-Domain Server. The licenses are attached to all of the CloudGuard Gateways that the Domain Management Servers manage. To use this mode, run:
vsec_lic_cli mode mds
Note: To go to the context of a Domain Management Server, run:
License Distribution
Items
Item Description
Licenses that can be managed in pools:
- Virtual security licenses for public and private clouds.
- Licenses with the same contract blade package.
Note - Licenses with different contract blades are in separate pools. The first license pool that is created is configured as the default pool. The licenses from the default pool are attached to CloudGuard Gateways.
Gateways that receive a license:
- New CloudGuard Gateways receive the license from the pool after policy installation.
- Existing CloudGuard Gateways receive the license immediately after the license is added.
Distribution - CloudGuard licenses are attached from the license pool to CloudGuard Gateways. The distribution procedure is permissive. Gateways are issued a license even when the pool no longer has licenses available.
Best Practice - We recommend that you have only one type of pool. Therefore, licenses with the same Software Blades and contract expiration are grouped together. Use the central license utility to ensure that licenses are distributed correctly.
Operations
The vsec_lic_cli tool is used exclusively to manage CloudGuard licenses, and other tools must not be
used at the same time. CloudGuard licenses that were already added with other tools, such as
SmartUpdate, are automatically added to the pools.
The CloudGuard License Manager Menu shows these options:
1. Adding a License
2. Removing a License
3. Viewing License Use
4. Running License Distribution
5. Configuring Automatic License Distribution for Security Gateways
6. Generating a Core Use Report
Adding a License
You can add a central license to the license pool with the IP address of a Security Management Server,
Multi-Domain Server or Domain Management Server.
The license is added to the pool to match the contract blade. Use the User Center to automatically match
the blade to the contract, or attach the contracts manually with SmartUpdate.
A license in a default pool is distributed to the CloudGuard Gateway as needed.
Removing a License
When you remove a license from the pool, it is also removed from all CloudGuard Gateways that have
the license.
You can monitor these changes on the CloudGuard Gateways and licenses:
- New CloudGuard Gateways
- Core changes on existing CloudGuard Gateways
- Contract changes on existing licenses
After distribution of the licenses, a CloudGuard Gateway that did not have a license now has one.
All rights reserved. This product and related documentation are protected by copyright and distributed
under licensing restricting their use, copying, distribution, and decompilation. No part of this product or
related documentation may be reproduced in any form or by any means without prior written authorization
of Check Point. While every precaution has been taken in the preparation of this book, Check Point
assumes no responsibility for errors or omissions. This publication and features described herein are
subject to change without notice.
TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.