
06 January 2020

CLOUDGUARD
CONTROLLER

R80.40

Administration Guide
[Classification: Protected]
Check Point Copyright Notice
© 2020 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed
under licensing restricting their use, copying, distribution, and decompilation. No part of this product or
related documentation may be reproduced in any form or by any means without prior written
authorization of Check Point. While every precaution has been taken in the preparation of this book,
Check Point assumes no responsibility for errors or omissions. This publication and features described
herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:


Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and
FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
CloudGuard Controller R80.40 Administration Guide

Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with
the latest functional improvements, stability fixes, security enhancements and protection
against new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page.

Check Point R80.40


For more about this release, see the R80.40 home page.

Latest Version of this Document


Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.

Revision History

Date Description

06 January 2020 First release of this document

CloudGuard Controller R80.40 Administration Guide      |      3


Table of Contents
Check Point Copyright Notice 2
Important Information 3
Table of Contents 4
Introduction to CloudGuard Controller 7
What's New in R80.40 CloudGuard Controller 8
Workflow for Deploying CloudGuard Controller 9
Supported Security Gateways 9
Activating the Identity Awareness Software Blade 9
Activating Identity Awareness for Security Gateways R80.10 and above 10
Activating Identity Awareness for Security Gateways R77.20 and R77.30 10
Activating Identity Awareness for Scalable Platforms 40000/60000 12
Integrating with Data Center Servers 14
Connecting to a Data Center Server 14
Creating Rules with Data Center Objects 15
Check Point Management API 16
Supported Data Centers 16
CloudGuard Controller for Amazon Web Services 16
Connecting to an Amazon Web Services Data Center Server 16
Amazon Web Services Objects 17
Configuring Permissions for Amazon Web Services 19
Auto Scaling in Amazon Web Services 19
CloudGuard Controller for Microsoft Azure 20
Connecting to a Microsoft Azure Data Center Server 20
Microsoft Azure Objects 22
Auto Scaling in Microsoft Azure 23
CloudGuard Controller for Cisco ACI 23
Connecting to a Cisco ACI Data Center Server 24
Cisco ACI Objects 24

CloudGuard Controller for Cisco's Identity Services Engine (ISE) 25

Connecting to a Cisco ISE Data Center 25


Cisco ISE Objects 26
Automatic Failover 26
CloudGuard Controller for Google Cloud Platform 26
Configuring Permissions for Google Cloud Platform 26
Connecting to a Google Cloud Platform Data Center 27
Google Cloud Platform Objects 28
CloudGuard Controller for Nuage Networks VSP 29
Connecting to a Nuage Data Center 29
Nuage Objects 30
CloudGuard Controller for OpenStack 32
Connecting to an OpenStack Server 32
OpenStack Objects 33
CloudGuard Controller for VMware Servers 34
Connecting to a VMware Server 34
CloudGuard Controller for VMware vCenter 35
CloudGuard Controller for VMware NSX-V Manager Server 35
VMware vCenter Objects 35
VMware NSX-V Objects 36
Threat Prevention Tagging for CloudGuard for NSX Gateway 36
Threat Prevention Tagging Logs 38
CloudGuard Controller for VMware NSX-T Management Server 39
VMware NSX-T Objects 39
Known Limitations 40
CloudGuard Controller Monitoring 41
CloudGuard Controller Logs 41
CloudGuard Controller Status 43
CloudGuard Central Licensing 44

License Pooling 44

License Distribution 45
Using the Central Licensing Utility with Existing Licenses 45
Managing CloudGuard Central Licenses 46
Adding a License 46
Removing a License 46
Viewing License Usage 47
Running License Distribution 47
Configuring Automatic License Distribution for Security Gateways 47
Generating a Core Usage Report 47

Introduction to CloudGuard Controller


Check Point's CloudGuard cloud security solution delivers advanced threat protection to private or
public cloud infrastructures. It controls and manages the security in both the physical and virtual
environments with one unified management solution. With trusted APIs, CloudGuard Controller
connects to the Software-Defined Data Center (SDDC), integrates the virtual cloud environment with
Check Point Security Gateways, and automatically updates the Security Policy. CloudGuard Controller
updates GUI, API, and Security Policy with new and changed appliances, computers, devices, and
IP addresses.
Deploy the Security Gateway in the public and private cloud for perimeter and lateral protection, and
industry-leading advanced Threat Prevention security. CloudGuard Gateways integrate seamlessly with
SDN solutions, such as VMware vCenter, VMware NSX, Cisco ACI, and Cisco ISE.
Check Point's CloudGuard Controller integrates with these virtual cloud environments:
l "CloudGuard Controller for Amazon Web Services" on page 16
l "CloudGuard Controller for Microsoft Azure " on page 20
l "CloudGuard Controller for Cisco ACI" on page 23
l "CloudGuard Controller for Cisco's Identity Services Engine (ISE)" on page 25
l "CloudGuard Controller for Google Cloud Platform " on page 26
l "CloudGuard Controller for Nuage Networks VSP" on page 29
l "CloudGuard Controller for OpenStack" on page 32
l "CloudGuard Controller for VMware Servers" on page 34
l "CloudGuard Controller for VMware NSX-T Management Server" on page 39

What's New in R80.40 CloudGuard Controller


l Performance enhancements for connections to external Data Centers.
l Integration with VMware NSX-T.
l Support for additional API commands to create and edit Data Center Server objects.
l Improved logging and monitoring (see, "CloudGuard Controller Monitoring" on page 41)
AWS Data Center Enhancements:
l Load Balancer (ALB and NLB) objects are supported.
l Security Groups support the use of tags.
l Subnet and Security Group objects include IPs from all associated Network Interfaces.*

Azure Data Center Improvements:
l Load Balancer (Public and Internal) objects are supported.
l Load Balancers, Virtual Networks, and Network Security Groups support the use of tags.*
l Subnet objects include Frontend IPs of the Internal Load Balancers.*

*Note - After the upgrade to R80.40, Subnet and Security Group objects may include more IP addresses than before, and the Security Policy enforces all of them. Review the rules that use these objects after the upgrade.

Workflow for Deploying CloudGuard Controller

CloudGuard Controller is a component of the R80.40 Security Management Server.
Important Information
1. When you install R80.40 CloudGuard Controller, these files are overwritten with default values:
l $MDS_FWDIR/conf/vsec.conf
l $MDS_FWDIR/conf/tagger_db.C
l $MDS_FWDIR/conf/AWS_regions.conf

2. Before you begin the upgrade, back up all files that you have changed.
3. Before you perform the upgrade on the Management Server, if you have a Cisco APIC server,
keep only one URL. After the upgrade, add the other URLs.
4. A Multi-Domain Server that contains imported Data Center objects in the Global Domain is not
supported in the upgrade to R80.40. You must remove objects from the Global Domain before
you install the upgrade.
Note - During the upgrade, CloudGuard Controller does not communicate with the Data Center.
Therefore, Data Center objects are not updated on the CloudGuard Controller or the Security Gateways.

Supported Security Gateways


CloudGuard Controller works with these Security Gateways:
l R80.10 and above
l R77.30
l R77.20
l 40000/60000 Scalable Platforms R76SP.50 (starting with R76SP.50 Jumbo Hotfix Accumulator
Take 20)

Important - To use the CloudGuard Controller with R77.20 and R77.30 Security
Gateways (with R77.30 Jumbo Hotfix Accumulator below Take 309), you must
install the CloudGuard Controller / vSEC Controller Enforcer Hotfix (see sk129152)
on those R77.20 and R77.30 Security Gateways.

Activating the Identity Awareness Software Blade


Procedure
1. Enable the Identity Awareness Software Blade.
2. Enable the Identity Awareness API.
3. Add the IP address 127.0.0.1 to the trusted clients list.

Activating Identity Awareness for Security Gateways R80.10 and above


Procedure

Step Description

1 In SmartConsole, from the left navigation panel, click Gateways & Servers.

2 Open the applicable Security Gateway object.

3 From the left tree, click General Properties.

4 On the Network Security tab, select the Identity Awareness Software Blade.
a. The Identity Awareness Configuration > Methods for Acquiring Identity window opens.
b. If it is not needed, clear the AD Query.
c. Click Cancel.

5 Click Next > Finish.

6 From the left tree, click Identity Awareness.

7 Select Identity Web API.

8 Click Settings.

The Identity Web API Settings window opens.

9 From the Authorized Clients section, add a 127.0.0.1 host object.

10 In the Selected Client Secret, enter a secret word.
OR -
To generate a client secret, click Generate.
Click OK.

11 Install the Access Control Policy.

Activating Identity Awareness for Security Gateways R77.20 and R77.30


To work with Data Center objects, you must:
1. Enable the Identity Awareness Software Blade and select Terminal Servers as the identities source.
2. Enable the communication between the CloudGuard Controller and the Identity Awareness daemon on the Security Gateway.
To enable the Identity Awareness Software Blade

Step Description

1 In SmartConsole, from the left navigation panel, click Gateways & Servers.

2 Open the applicable Security Gateway object.

3 From the left tree, click General Properties.

4 On the Network Security tab, select the Identity Awareness Software Blade.

The Identity Awareness Configuration > Methods for Acquiring Identity window
opens.
If it is not needed, clear the AD Query.

5 Select Terminal Servers > Next.


The Identity Awareness Configuration > Integration with Active Directory window
opens.

6 Select I do not wish to configure an Active Directory at this time.


The Identity Awareness Software Blade is activated by default.

7 Click Next > Finish.

8 Click OK.

9 Install the Access Control Policy.

To enable the communication between the CloudGuard Controller and the Identity Awareness daemon
on the Security Gateway

Step Description

1 Connect to the command line on each applicable Security Gateway.

2 Log in to Gaia Clish, or Expert mode.

3 Enable the Identity Awareness API:

pdp api enable

Note - On a VSX Gateway, run the command in the context of each applicable
Virtual System.

Activating Identity Awareness for Scalable Platforms 40000/60000


To work with Data Center objects, you must:
1. Enable the Identity Awareness Software Blade and select Terminal Servers as the identities
source.
2. Enable the communication between the CloudGuard Controller and the daemons on the Security
Gateway Modules.
To enable the Identity Awareness Software Blade

Step Description

1 In SmartConsole, from the left navigation panel, click Gateways & Servers.

2 Open the applicable Security Gateway object.

3 From the left tree, click General Properties.

4 On the Network Security tab, select the Identity Awareness Software Blade.
The Identity Awareness Configuration > Methods for Acquiring Identity window
opens.
If it is not needed, clear the AD Query.

5 Select Terminal Servers > Next.


The Identity Awareness Configuration > Integration with Active Directory window
opens.

6 Select I do not wish to configure an Active Directory at this time.

The Identity Awareness Software Blade is activated by default.

7 Click Next > Finish.

8 Click OK.

9 Install the Access Control Policy.

To enable the communication between the CloudGuard Controller and the Identity Awareness daemons
on the Security Gateway Modules

Step Description

1 Connect to the command line on the Scalable Platform.

2 Log in to Gaia Clish, or Expert mode.

3 Enable the Identity Awareness API:

g_all pdp api enable

Note - On a VSX Gateway, run the command in the context of each applicable
Virtual System.

Integrating with Data Center Servers


Connecting to a Data Center Server
The Management Server connects to the Software-Defined Data Center (SDDC) through a Data Center Server object that you create in SmartConsole.
To create a connection to the Data Center

Step Description

1 In SmartConsole, create a new Data Center object in one of these ways:


l In the top left corner, click Objects menu > More object types > Server > Data
Center > applicable Data Center.
OR -
l In the top right corner, click Objects Pane > New > More > Server > Data
Center > applicable Data Center.

2 In the Enter Object Name field, enter a name.

3 Enter the connection and credentials information.

4 To establish a secure connection, click Test Connection.
If the certificate window opens, verify that the certificate details match the Data Center server you intend to connect to, then click Trust.

5 When the Connection Status changes to Connected, Click OK.


If the status is not Connected, troubleshoot the issues before you continue.

6 Click OK.

7 Publish the SmartConsole session.

Note - If the connection properties of any Data Center server change (for example, the credentials or the URL), install the Access Control Policy again.

Creating Rules with Data Center Objects


You can add Data Center objects to the Source and/or Destination columns of Access Control rules and
Threat Prevention rules.
To add Data Center objects to an Access Control rule

Step Description

1 In SmartConsole, from the left navigation panel, click Security Policies.

2 At the top, click Access Control > Policy.

3 In the applicable rule, in the Source or Destination column, click + to add new
items.

4 Click Import.

5 Select an existing Data Center object.


OR -
Click Data Centers > New Data Center > applicable Data Center.

6 Install the Access Control Policy.

To add Data Center objects to a Threat Prevention rule

Step Description

1 In SmartConsole, from the left navigation panel, click Security Policies.

2 At the top, click Threat Prevention > Policy.

3 In the applicable rule, in the Source or Destination column, click + to add new
items.

4 In the top right corner, click Import.

5 Select an existing Data Center object.


OR -
Click Data Centers > New Data Center > applicable Data Center.

6 Install the Threat Prevention Policy.

Check Point Management API

The Check Point Management API includes Data Center commands to add, delete, set, and show Data Center Servers and their contents, and to show, delete, and import Data Center objects. Use the API to automate Data Center security management and monitoring.
To change the API configuration or to learn more, see the Check Point Management API Reference.
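The Data Center commands are driven like any other Management API command: a JSON body POSTed to https://<Management Server>/web_api/<command>, a session id returned by login and carried in the X-chkp-sid header on every later call, and a publish before the change becomes visible. The Python below is an added example, not Check Point's code or a published SDK. The command names follow the API's naming for the Data Center Server commands this page mentions; the parameter names passed to add-data-center-server and show-data-center-content are an assumption and must be checked against the Management API Reference for your version. The HTTP transport is injectable, so the flow runs offline against the constructed FakeTransport at the bottom, and the client redacts secrets from its own call log.

```python
"""
Added example, not Check Point code: a minimal client for the Management
API's Data Center commands.
Known from the API: POST JSON to https://<mgmt>/web_api/<command>, 'login'
returns a session id that later calls send in the X-chkp-sid header, and
changes take effect only after 'publish'.
Assumed (check the Management API Reference for your version): the parameter
names given to add-data-center-server and show-data-center-content.
"""
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Request fields that must never reach a log line.
SECRET_FIELDS = frozenset({"password", "secret-access-key", "application-key"})


def redact(body: Dict) -> Dict:
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in body.items()}


def https_post(url: str, headers: Dict[str, str], body: Dict) -> Dict:
    """Real transport: JSON POST with the default, verifying TLS context.
    Install the Management Server certificate in the client's trust store
    rather than disabling verification."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                timeout=30) as resp:
        return json.loads(resp.read().decode())


class MgmtApi:
    def __init__(self, host: str, transport: Callable = https_post):
        self.base = f"https://{host}/web_api/"
        self.sid: Optional[str] = None
        self.audit: List[Tuple[str, Dict]] = []   # redacted record of every call
        self._transport = transport

    def call(self, command: str, body: Optional[Dict] = None) -> Dict:
        body = body or {}
        headers = {"Content-Type": "application/json"}
        if self.sid:                               # every call after login carries the sid
            headers["X-chkp-sid"] = self.sid
        self.audit.append((command, redact(body)))
        return self._transport(self.base + command, headers, body)

    def login(self, user: str, password: str) -> str:
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
        return self.sid


def add_aws_data_center(api: MgmtApi, name: str, region: str,
                        access_key_id: str, secret_access_key: str) -> Dict:
    # Parameter names below are an assumption; see the API Reference.
    return api.call("add-data-center-server", {
        "name": name, "type": "aws",
        "authentication-method": "user-authentication",
        "access-key-id": access_key_id,
        "secret-access-key": secret_access_key,
        "region": region,
    })


def onboard_aws(api: MgmtApi, user: str, password: str, dc_name: str,
                region: str, key_id: str, secret: str) -> Dict:
    """Login, add the Data Center server, read back its content, publish.
    Logout runs even if a step fails, so no session is left open."""
    api.login(user, password)
    try:
        add_aws_data_center(api, dc_name, region, key_id, secret)
        content = api.call("show-data-center-content",
                           {"data-center-name": dc_name, "limit": 50})
        api.call("publish")
    finally:
        api.call("logout")
    return content


class FakeTransport:
    """Offline stand-in (constructed): records every request, returns canned replies."""
    def __init__(self):
        self.requests: List[Tuple[str, Dict, Dict]] = []

    def __call__(self, url: str, headers: Dict, body: Dict) -> Dict:
        self.requests.append((url, dict(headers), dict(body)))
        if url.endswith("/login"):
            return {"sid": "SID-CONSTRUCTED"}
        if url.endswith("/show-data-center-content"):
            return {"objects": [{"name": "vpc-0a1 (prod)"}]}
        return {}
```

Nothing in this flow installs policy. After the credentials or URL of a Data Center server change, the Access Control Policy still has to be installed again, as the previous section notes.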

Supported Data Centers


Check Point integrates the CloudGuard Controller with these Data Centers:
l Amazon Web Services (AWS)
l Cisco ACI
l Cisco ISE
l Google Cloud Platform (GCP)
l Microsoft Azure
l Nuage Networks
l OpenStack
l VMware vCenter
l VMware NSX-V
l VMware NSX-T

CloudGuard Controller for Amazon Web Services


The CloudGuard Controller integrates the Amazon Web Services (AWS) cloud with Check Point
security.
Note - See the "AWS Data Center enhancements" in "What's New in R80.40 CloudGuard Controller"
on page 8.

Important - The CloudGuard Controller server clock must be synchronized with the current local time. Use of an NTP server is recommended. Time synchronization issues can cause polling of information from the cloud to fail, because cloud API authentication is time-sensitive.

Connecting to an Amazon Web Services Data Center Server


To connect to an AWS Data Center Server

Step Description

1 In SmartConsole, create a new Data Center object in one of these ways:


l In the top left corner, click Objects menu > More object types > Server > Data
Center > New AWS.
OR -
l In the top right corner, click Objects Pane > New > More > Server > Data
Center > AWS.

2 In the Enter Object Name field, enter a name.

3 Select the applicable authentication method:

l User Authentication - Uses the Access keys to authenticate.
OR -
l Role Authentication - Uses the AWS IAM role to authenticate. This option requires the Security Management Server to be deployed in AWS with an IAM Role attached to it. When the Management Server runs in AWS, prefer this option: no long-lived access keys are stored on the Management Server.

4 If you choose User Authentication, enter your Access key ID and Secret access key.

5 In the Region field, select the AWS region to which you want to connect.

6 Click Test Connection.

7 Click OK.

8 Publish the SmartConsole session.

Amazon Web Services Objects


Objects:

Object Description

VPC Amazon Virtual Private Cloud enables you to launch resources into your Virtual Network.

Availability Zone A separate geographic area of a region. There are multiple locations with regions and availability zones worldwide.

Subnet All the IP addresses from the Network Interfaces related to this subnet.

Instance Virtual computing environments.

Tags Groups all the instances that have the same Tag Key and Tag Value.

Security Group Groups all the IP addresses from all objects associated with this Security Group.

Load Balancers Load Balancer objects (Network Load Balancers and Application Load Balancers).
Importing AWS objects


Use one of these options to import AWS objects to your policy:

Import Option Description

Regions Import AWS VPCs, Subnets or Instances from a certain region to your Security Policy.

Security Groups Import all IP addresses that belong to a specific security group. The Security Group is used only as a container for the list of all IP addresses of Instances that are attached to this group.

Tags Import all instances that have a specific Tag Key or Tag Value.

Notes:
l CloudGuard Controller saves a Tag that has a Key and no Value as "Tag key=".
l CloudGuard Controller truncates leading and trailing spaces in Tag Keys and Tag Values.
l All changes in AWS are propagated automatically into the Check Point Security Policy. Therefore, any AWS user who can change resource tags (for example, with ec2:CreateTags) can change which IP addresses a tag-based rule allows. Restrict tag-write permissions in AWS as strictly as you restrict changes to the Security Policy.
Object Names
Object names are the same as those in the AWS console.
VPC, Subnet, Instance, and Security Group are named as follows:

Tag Name Object Name

Tag Name exists "<Object ID> (<Value of the Tag Name>)"

Tag Name does not exist "<Object ID>"

Tag Name is empty "<Object ID>"
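To make the naming and tag rules above concrete, here is an added Python example (not Check Point code; the Controller's implementation is not public). It reproduces only the documented rules: tag normalization, the "<Object ID> (<Name>)" naming, and Tag-based import. It then shows what a single tag change on an AWS instance does to the IP set that a tag-based rule enforces, which is the reason behind the note about tag permissions above. The fleet is constructed sample data.

```python
"""
Added example, not Check Point code: a small model of the AWS tag rules this
page documents (tag normalization, the "<Object ID> (<Name>)" naming rule,
and Tag-based import), used to show why tag-write permission in AWS is
effectively policy-change permission. Only the documented rules are
reproduced; SAMPLE_FLEET is constructed data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AwsResource:
    object_id: str                                  # e.g. "i-0a1b2c3d4e5f60001"
    tags: Dict[str, str] = field(default_factory=dict)
    ips: List[str] = field(default_factory=list)    # private and public addresses


def normalize_tags(tags: Dict[str, str]) -> Dict[str, str]:
    """Strip leading/trailing spaces from keys and values; keep a key with
    no value as an empty string (the Controller shows it as 'key=')."""
    normalized = {}
    for key, value in tags.items():
        key = key.strip()
        if key:                                     # a blank key cannot be matched
            normalized[key] = (value or "").strip()
    return normalized


def tag_label(key: str, value: str) -> str:
    """Display form of a Tag object: 'key=value', or 'key=' with no value."""
    return f"{key}={value}"


def object_name(resource: AwsResource) -> str:
    """Naming rule: '<Object ID> (<Name tag value>)' when a Name tag with a
    non-empty value exists, otherwise '<Object ID>' alone."""
    name = normalize_tags(resource.tags).get("Name", "")
    return f"{resource.object_id} ({name})" if name else resource.object_id


def resolve_tag_import(resources: List[AwsResource], key: str,
                       value: Optional[str] = None) -> List[str]:
    """Tag import: every resource carrying Tag Key `key` (and, if given,
    Tag Value `value`). Returns the sorted union of their IPs, which is the
    address set the Security Policy actually enforces for that object."""
    matched = set()
    for resource in resources:
        tags = normalize_tags(resource.tags)
        if key in tags and (value is None or tags[key] == value):
            matched.update(resource.ips)
    return sorted(matched)


# Constructed fleet: two database hosts and one untrusted test box.
SAMPLE_FLEET = [
    AwsResource("i-0000000000000db01", {"Name": " db-primary ", "role": "db"},
                ["10.0.1.10"]),
    AwsResource("i-0000000000000db02", {"Name": "db-replica", "role": "db"},
                ["10.0.1.11"]),
    AwsResource("i-00000000000test1", {"Name": "", "role": "test"},
                ["10.0.9.50", "203.0.113.7"]),
]


def tag_drift(resources: List[AwsResource], key: str, value: str,
              retagged_id: str):
    """Effect of a single ec2:CreateTags call: return the enforced IP set
    for key=value before and after `retagged_id` is given that tag."""
    before = resolve_tag_import(resources, key, value)
    changed = [
        AwsResource(r.object_id,
                    {**r.tags, key: value} if r.object_id == retagged_id else dict(r.tags),
                    list(r.ips))
        for r in resources
    ]
    after = resolve_tag_import(changed, key, value)
    return before, after


if __name__ == "__main__":
    for r in SAMPLE_FLEET:
        print(object_name(r))
    print(tag_drift(SAMPLE_FLEET, "role", "db", "i-00000000000test1"))
```

The last call is the point of the example: retagging the test box as role=db adds its addresses, including a public one, to whatever rule imports that tag, without anyone touching SmartConsole.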

Imported Properties

Imported Property Description

Name Resource name as shown in the AWS console. The user can edit the name after importing the object.

Name in Server Resource name as shown in the AWS console.

Type in Server Resource type.

IP Associated private and public IP addresses.

Note CIDR for subnets and VPC objects.

URI Object path.

Tags Tags (Keys and Values) that are attached to the object.

Configuring Permissions for Amazon Web Services

Minimal permissions for the User or Role

Item Value

Effect Allow

Actions l ec2:DescribeInstances
l ec2:DescribeNetworkInterfaces
l ec2:DescribeSubnets
l ec2:DescribeVpcs
l ec2:DescribeSecurityGroups

Resource All ("*")

These are read-only Describe actions. Do not grant the Controller's User or Role write actions (for example, ec2:CreateTags); the Controller only needs to read the inventory. For more information about Roles and the IAM policy, see the Amazon Web Services documentation.
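As an added check (example code, not Check Point's), here is a small linter that compares an IAM policy document with the minimal action set above and flags anything broader: missing Describe actions, wildcard or extra patterns, NotAction statements, and any grant of tag-write actions, which would let the Controller's own credential change the membership of tag-based rules. Both policy documents in it are constructed. The same review applies to the Azure Reader and GCP Viewer roles recommended later in this chapter: the Controller reads inventory and never needs write access.

```python
"""
Added example, not Check Point code: checks an IAM policy document against
the minimal permissions this page lists for the CloudGuard Controller
user/role and flags anything broader. MINIMAL_POLICY and OVERBROAD_POLICY
are constructed for illustration.
"""
import fnmatch
import json
from typing import Dict, List

# Exactly the minimal Actions this page documents.
REQUIRED_ACTIONS = frozenset({
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "ec2:DescribeSecurityGroups",
})

# Write actions that would let the Controller's credential alter which IPs
# end up in tag-based rules (see the Tags note in this chapter).
TAG_WRITE_ACTIONS = ("ec2:CreateTags", "ec2:DeleteTags")


def _as_list(value) -> List:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action: str, pattern: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_policy(policy: Dict) -> Dict:
    """Findings for an IAM policy document:
       missing    - required actions that no Allow statement grants
       excess     - Allow patterns that are not exactly a required action
                    (wildcards such as ec2:* or ec2:Describe* land here)
       tag_write  - True if the policy lets the principal create/delete tags
       not_action - number of Allow statements using NotAction (always over-broad)
    """
    allow_patterns: List[str] = []
    not_action = 0
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            not_action += 1
            continue
        allow_patterns.extend(_as_list(stmt.get("Action")))

    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not any(_matches(a, p) for p in allow_patterns))
    excess = sorted({p for p in allow_patterns if p not in REQUIRED_ACTIONS})
    tag_write = any(_matches(a, p) for a in TAG_WRITE_ACTIONS
                    for p in allow_patterns)
    return {"missing": missing, "excess": excess,
            "tag_write": tag_write, "not_action": not_action}


def is_least_privilege(policy: Dict) -> bool:
    f = check_policy(policy)
    return (not f["missing"] and not f["excess"]
            and not f["tag_write"] and f["not_action"] == 0)


# Constructed: the policy this page describes, as a JSON document.
MINIMAL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeInstances",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DescribeSubnets",
      "ec2:DescribeVpcs",
      "ec2:DescribeSecurityGroups"
    ],
    "Resource": "*"
  }]
}
""")

# Constructed: a typical over-broad policy a cloud team might hand out.
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    print(check_policy(MINIMAL_POLICY))
    print(check_policy(OVERBROAD_POLICY))
```

Run it against the policy actually attached to the Controller's user or role (for example, the output of the IAM console's policy JSON view) before you click Test Connection; a connection that succeeds with ec2:* tells you nothing about how much the credential can do.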
Auto Scaling in Amazon Web Services

The AWS Auto Scaling service with the Check Point Auto Scaling group can increase or decrease the number of CloudGuard Gateways according to the current load.

CloudGuard Controller for AWS works with the Check Point Auto Scaling Group. The Check Point Security Management Server updates Data Center objects automatically on the Check Point Auto Scaling group.

CloudGuard Controller for Microsoft Azure


CloudGuard Controller integrates the Microsoft Azure cloud with Check Point security.
Note - See "Azure Data Center improvements" in "What's New in R80.40 CloudGuard Controller" on
page 8.
Important - The CloudGuard Controller server clock must be synchronized with the current local time. Use of an NTP server is recommended. Time synchronization issues can cause polling of information from the cloud to fail, because cloud API authentication is time-sensitive.
Connecting to a Microsoft Azure Data Center Server
To connect to a Microsoft Data Center Server

Step Description

1 In SmartConsole, create a new Data Center object in one of these ways:


l In the top left corner, click Objects menu > More object types > Server > Data
Center > New Microsoft Azure.
OR -
l In the top right corner, click Objects Pane > New > More > Server > Data
Center > Microsoft Azure.

2 In the Enter Object Name field, enter the applicable name.

3 Select the applicable authentication method:

l Service Principal - Uses the Service Principal to authenticate.
OR -
l Azure AD User Authentication - Uses the Azure AD User to authenticate.

If you choose Service Principal Authentication (default):
l Enter your Application ID, Application Key, and Directory ID.
You can create the Service Principal in the Azure Portal, with Azure PowerShell, or with the Azure CLI.

If you choose Azure AD User Authentication:
l Enter your Username and Password.

The minimum recommended permission for the identity you use (Service Principal or user) is Reader. You can assign the Reader permission in one of these ways:
l Assign it to all Resource Groups from which you want to pull items.
l Add the permission at the subscription level.
Note - If the identity has fewer permissions, some of the functionality might not work.

4 Click Test Connection.

5 Click OK.

6 Import objects from your Microsoft Azure server to your policy (for more about these
objects, see the next sections).
l Network by Subscriptions - Import VNETS, subnets, Virtual Machines or
VMSSs.
l Network Security Groups (NSG) - Import all IP addresses that belong to a
specific NSG.
The NSG is used only as a container for the list of all IP addresses (assigned
to NICs and subnets) that are attached to this group.
l Tags - Imports all the IP addresses of Virtual Machines and VMSSs that have
specific tags and values.
Note - All changes in Microsoft Azure are propagated automatically into the Check Point Security Policy. Therefore, any Azure user who can change Resource Tags can change which IP addresses a tag-based rule allows. Restrict tag-write permissions in Azure as strictly as you restrict changes to the Security Policy.

7 Install the Access Control Policy.

Microsoft Azure Objects

Objects

Object Description

Subscription Helps you organize access to your cloud components.

Virtual Network Represents your Microsoft Azure Virtual Network (VNET) in the cloud.

Subnet A range of IP addresses in a VNET. A VNET can be divided into many subnets.

Virtual Machine (VM) Virtual computing environment.

Virtual Machine Scale Set (VMSS) Manages sets of Virtual Machines.

Resource Group Holds the components of your subscription as a group.

Network Security Group (NSG) NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to the Virtual Machine instances in a Virtual Network. NSGs can be associated with either subnets or individual Virtual Machine instances within that subnet.

Load Balancer Distributes incoming traffic that arrives at the Load Balancer's frontend to backend pool instances, according to rules and health probes.
Imported Properties

Imported Property Description

Name Name of the object and the object's Resource Group. Format is: obj_name (obj_resource_group_name). The user can edit the name after importing the object.

Name in server Name of the object and the object's Resource Group. Format is: obj_name (obj_resource_group_name).

Type in server Object type.

IP address
l Virtual Machines and VMSS: Public and Private IP addresses
l Load Balancers: Frontend IP addresses
l Subnets: VM, VMSS, and Internal Load Balancer Frontend IPs
l NSGs: VMSS and Subnet IP addresses associated with this NSG
l Tags: VNET, VM, VMSS and Load Balancer IP addresses associated with this specific Tag Key or Tag Value

Note Contains the address prefixes for VNETs and subnets.

URI Object path.

Tags Keys and Values attached to the Object.

Location Physical location in Microsoft Azure.
Auto Scaling in Microsoft Azure


The Microsoft Azure Auto Scaling service with the Check Point Auto Scaling group can increase or
decrease the number of CloudGuard Gateways according to the current load.
CloudGuard Controller for Microsoft Azure can work with the Check Point Auto Scaling Group.
The Check Point Security Management Server can update Data Center objects automatically on the
Check Point Auto Scaling group.

CloudGuard Controller for Cisco ACI


CloudGuard Controller integrates the Cisco ACI fabric with Check Point security.
To learn more, see the vSEC for ACI Managed by R80.10 Security Management Server Administration Guide.
Prerequisites
l Cisco ACI version 4.1 or lower.
l You must have a Cisco ACI user role with at least read permissions for Tenant EPG.
Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be
required for device package installation (CloudGuard for ACI).
l Enable Bridge Domain unicast routing to allow IP address learning for EPGs on the Cisco ACI.
l Define a subnet on the Bridge Domain to help the fabric maintain IP address learning tables. This
prevents time-outs on silent hosts that respond to periodic ARP requests.

Connecting to a Cisco ACI Data Center Server

To connect to a Cisco ACI Data Center Server

Step Description

1 In SmartConsole, create a new Data Center object in one of these ways:


l In the top left corner, click Objects menu > More object types > Server > Data
Center > New Cisco ACI.
OR -
l In the top right corner, click Objects Pane > New > More > Server > Data
Center > Cisco ACI.

2 In the Enter Object Name field, enter the applicable name.

3 In the URLs field, enter the addresses of the APIC cluster members. Multiple URLs provide redundancy across the APIC cluster.
Important - These addresses must all use HTTP, or all use HTTPS, not a mixture. Use HTTPS so that the APIC credentials are not sent in clear text.

4 In the Username field, enter your Cisco APIC server User ID.


When using Login Domains, use the following syntax:

apic:<domain>\<username>

5 In the Password field, enter the Cisco APIC server password.

6 Click Test Connection.

7 Click OK.

8 Publish the session.

Cisco ACI Objects

Cisco APIC objects include:

Object Description

Tenant A logical separator for customers, business units, groups, traffic, administrators, visibility, and more.

Application Profile A container of logically related EPGs, their connections, and the policies that define those connections.

End-Point Group (EPG) A container for objects that require the same policy treatment. Examples of EPGs: application tiers or services (usually a VLAN).

L2 Out A bridged external network.

L2 External EPG An EPG that represents external bridged network endpoints.

CloudGuard Controller for Cisco's Identity Services Engine (ISE)


The CloudGuard Controller integrates Cisco ISE with Check Point security. It allows the use of
TrustSec security groups in the Security Policy according to the static IP-to-SGT mappings in ISE. The
ISE server is represented as the Data Center server in Check Point. It connects to the ISE administration
nodes and automatically retrieves object data. For redundancy, it is possible to provide both primary and
secondary ISE administration nodes.
The ISE External RESTful Services (ERS) API enables communication with ISE.
Prerequisites
l Cisco ISE version 2.1
l An ISE administrator with the ERS-Operator or ERS-Admin group assignment
l ERS enabled on the ISE administration nodes
Connecting to a Cisco ISE Data Center
To connect to a Cisco ISE Data Center

Step Description

1 In SmartConsole, create a new Data Center object in one of these ways:


l In the top left corner, click Objects menu > More object types > Server > Data
Center > New Cisco ISE.
OR -
l In the top right corner, click Objects Pane > New > More > Server > Data
Center > Cisco ISE.

2 In the Enter Object Name field, enter a name.

3 In the Hostname(s) field, add the IP address or hostname of the ISE administration node(s).

4 In the Username field, enter the ISE administrator username.

5 In the Password field, enter the ISE administrator password.

6 Click Test Connection.

7 Click OK.

8 Publish the session.

Cisco ISE Objects

Object Description

Security Groups Groups of users, endpoints, and resources that share Access Control policies. You define the Security Groups in Cisco ISE.

Automatic Failover
If communication with the provided ISE administration nodes fails, CloudGuard Controller enters a recovery mode, in which it automatically attempts to re-establish the connection with the administration nodes, trying them in the order in which they were entered.
Important - Make sure that the secondary node is properly synchronized with the primary node. Otherwise, the IP-to-SGT data may not be up to date, and the Security Policy enforces stale mappings until the primary node is reachable again.

CloudGuard Controller for Google Cloud Platform


The CloudGuard Controller integrates the Google Cloud Platform (GCP) with Check Point security.

Important - The CloudGuard Controller server clock must be synchronized with the current local time. Use of an NTP server is recommended. Time synchronization issues can cause polling of information from the cloud to fail, because cloud API authentication is time-sensitive.

Configuring Permissions for Google Cloud Platform

You must authenticate and connect to your Google Cloud Platform account to retrieve objects. Authentication is done with GCP Service Account credentials.
The CloudGuard Controller retrieves objects from all projects to which the Service Account has access.
You can use these authentication methods:

Service Account VM Instance Authentication
    Uses the Service Account of the VM Instance to authenticate.
    This option requires the Security Management Server to be deployed in GCP and to run as a Service Account with the required permissions.

Service Account Key Authentication
    Uses the Service Account private key file to authenticate.
    Use the GCP web console to create a Service Account Key JSON file.

Minimum permissions for the service account

The service account must have read permissions for all the relevant resources (for example, the Viewer role):
- Networks
- Instances
- Subnetworks

GCP APIs
You must enable the Cloud Resource Manager API for the project to which the service account belongs.
The Compute Engine API must be enabled for all the projects to which the Service Account has access.
Both are enabled from the GCP API Library.
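As an added example that is not Check Point's code, the Python below checks a Service Account Key JSON file before it is imported into the Data Center object: it confirms the file is a service account key rather than a user credential file, that the standard fields are present and the private key is a PEM block, and it builds a summary that can be logged without the key material. The field names are the standard GCP key-file format; the sample key and user credential file are constructed and their secrets are placeholders.

```python
"""Pre-import checks for a GCP Service Account Key JSON file (added example)."""
import json

# Fields present in every key file that the GCP console generates.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "auth_uri", "token_uri")
PEM_BEGIN = "-----BEGIN PRIVATE KEY-----"
PEM_END = "-----END PRIVATE KEY-----"


def check_service_account_key(raw_json):
    """Validate the key file.

    Returns (ok, findings, summary). The summary is safe to log: it carries the
    project, account and key id but never the private key itself.
    """
    findings = []
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return False, [f"not valid JSON: {exc.msg}"], {}
    if not isinstance(key, dict):
        return False, ["top-level JSON value must be an object"], {}

    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        findings.append("missing or empty fields: " + ", ".join(missing))

    # Only "service_account" keys work for Service Account Key Authentication;
    # a gcloud user credential file has type "authorized_user" instead.
    if key.get("type") != "service_account":
        findings.append(f"type is {key.get('type')!r}, expected 'service_account'")

    project = key.get("project_id", "")
    email = key.get("client_email", "")
    expected_suffix = f"@{project}.iam.gserviceaccount.com"
    if project and not email.endswith(expected_suffix):
        # Assumption: the Controller should use a dedicated account created in the
        # project, not a default/legacy one; those carry broader roles than Viewer.
        findings.append(f"client_email {email!r} is not a user-managed service "
                        f"account of project {project!r}")

    pem = key.get("private_key", "").strip()
    if not (pem.startswith(PEM_BEGIN) and pem.endswith(PEM_END)):
        findings.append("private_key is not a PEM 'PRIVATE KEY' block")

    summary = {
        "project_id": project,
        "client_email": email,
        "private_key_id": key.get("private_key_id", ""),
    }
    return not findings, findings, summary


# Constructed sample inputs; the private key is a placeholder, not real key material.
GOOD_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "cg-demo-project",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "cloudguard-reader@cg-demo-project.iam.gserviceaccount.com",
    "client_id": "1122334455",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# A user credential file (what `gcloud auth application-default login` writes);
# importing this instead of a service account key is a common mistake.
USER_CREDENTIAL_JSON = json.dumps({
    "type": "authorized_user",
    "client_id": "1122334455.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER",
    "refresh_token": "PLACEHOLDER",
})

if __name__ == "__main__":
    for label, raw in (("service account key", GOOD_KEY_JSON),
                       ("user credential", USER_CREDENTIAL_JSON)):
        ok, findings, summary = check_service_account_key(raw)
        print(label, "OK" if ok else "REJECTED", summary, findings)
```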
Connecting to a Google Cloud Platform Data Center
To connect to a Google Cloud Platform Data Center

1. In SmartConsole, create a new Data Center object in one of these ways:
   - In the top left corner, click Objects menu > More object types > Server > Data Center > New Google Cloud Platform.
   - OR - In the top right corner, click Objects Pane > New > More > Server > Data Center > Google Cloud Platform.
2. In the Enter Object Name field, enter the applicable name.
3. Select the applicable authentication method:
   - Service Account Key Authentication
   - OR - Service Account VM Instance Authentication
4. If you choose Service Account Key Authentication, import the Service Account JSON file.
5. Click Test Connection.
6. Click OK.
7. Publish the session.

Google Cloud Platform Objects

Objects

VPC Networks
    Your GCP VPC networks in the cloud.
Subnet
    All the IP addresses from the network interfaces related to this subnet.
Instance
    Virtual Machine instances.
Tags
    Groups all the instances that have the same network tag.

Importing GCP objects

Use Projects or Tags to import GCP objects to your policy:

Projects
    Import VPC networks, subnets or instances from another project to your Security Policy.
Tags
    Import all instances that have a specific network tag.

Note - All changes in GCP are automatically reflected in the Check Point Security Policy. This means that users with permission to change network tags in GCP can change the access permissions of the instances whose tags they edit.
Object Names

Object names are the same as those in the GCP console.

Instance and Subnet objects use these names:

Instance
    "<Instance Name> (<Zone Name>)"
Subnet
    "<Subnet Name> (<Region Name>)"

Imported Properties

Name
    Resource name as shown in the GCP console. The user can edit the name after importing the object.
Name in server
    Resource name as shown in the GCP console.
Type in server
    Resource type.
IP
    Associated private and public IP addresses.
Note
    For instances, the list of VPC networks to which the instance belongs.
URI
    Object path.
Tags
    Network tags attached to the object.

CloudGuard Controller for Nuage Networks VSP


The CloudGuard Controller integrates the Nuage cloud with Check Point security.
Connecting to a Nuage Data Center
To connect to a Nuage Data Center

1. In SmartConsole, create a new Data Center object in one of these ways:
   - In the top left corner, click Objects menu > More object types > Server > Data Center > New Nuage.
   - OR - In the top right corner, click Objects Pane > New > More > Server > Data Center > Nuage.
2. In the Enter Object Name field, enter the applicable name.
3. In the Hostname field, enter the IP address or hostname of the Nuage server.
   Important - The addresses can be either HTTP or HTTPS, but not both. The Nuage version is set by default to 4.0 and the port to 8443.
4. In the Username field, enter your Nuage administrator username.
   In the Organization field, enter your organization or enterprise name.
5. In the Password field, enter your Nuage administrator password.
6. Click Test Connection.
7. Click OK.
8. Publish the session.

Nuage Objects

Objects

Enterprise
    A logical separator for customers, BU, groups, traffic, administrators, visibility, and more.
Domain
    A logical network that enables L2 and L3 communication among a set of Virtual Machines.
Security Zone
    A set of network endpoints that have to comply with the same Security Policies.
Policy Group
    Collections of vPorts and/or IP addresses that are used as building blocks for Security Policies that include multiple endpoints.
    Add one or more vPorts to a policy group using this interface.
    A policy group can also represent one or more IP/MAC addresses that it learned from external systems through BGP route advertisements, based on origin.
Subnet
    Subnets are defined under a zone.
    A subnet is equivalent to an L2 broadcast domain, which enables its endpoints to communicate as if they were part of the same LAN.
Instance
    Virtual Machine.
vPort
    Attached to a Virtual Machine or to a host and bridge interface.
    It provides connectivity to BMS and VLANs.
    It can be created or auto-discovered.
L2Domain
    An L2 Domain is a distributed logical switch that enables L2 communication.
    An L2 Domain template can be instantiated as often as required. Each instantiation creates a functioning L2 Domain.
Network Macro
    Organization-wide defined macros that can be used as the destination of a policy rule.
    For example, you can create a network that represents your internal Internet access.
    You can then use it as a destination of a policy rule to drop any packet that arrives from a particular port.
Network Macro Group
    A collection of existing Network Macros.
    These groups can be used in Security Policies to create rules that match multiple Network Macros.

Imported Properties

Name
    Resource name as shown in the Nuage console.
    The user can edit the name after importing the object.
Name in Data Center
    Resource name as shown in the Nuage console.
Type in Data Center
    Resource type.
IP
    Associated IP address.
Note
    - Instances - "Auto generated" description
    - Domain - Comment on the domain object inserted in VSD
    - Subnet - Subnet IP address in CIDR format
    - Zone - Comment on the zone object inserted in VSD
    - vPort - Auto-generated description
URI
    Object path.

CloudGuard Controller for OpenStack


The CloudGuard Controller integrates the Check Point Security Management Server with OpenStack
Keystone. Authentication is done via OpenStack Keystone and network objects are updated from
OpenStack Neutron.
Connecting to an OpenStack Server
To connect to an OpenStack server

1. In SmartConsole, create a new Data Center object in one of these ways:
   - In the top left corner, click Objects menu > More object types > Server > Data Center > New OpenStack.
   - OR - In the top right corner, click Objects Pane > New > More > Server > Data Center > OpenStack.
2. In the Enter Object Name field, enter the applicable name.
3. In the Hostname field, enter the URL of your OpenStack server in this format:
   http(s)://1.2.3.4:5000/<keystone_version>
   Example:
   https://1.2.3.4:5000/v3
   Note - If you do not know your keystone URL, run this command on the OpenStack server to find it:
   openstack endpoint show keystone | grep publicurl
4. In the Username field, enter your username for the OpenStack server.
5. In the Password field, enter your password for the OpenStack server.
6. Click Test Connection.
   If the certificate window opens, confirm the certificate and click Trust.
7. When the connection status changes to Connected, click OK.
   If the status is not Connected, troubleshoot the issue before you continue.
8. Click OK.
9. Publish the session.

Note - If you want to log into an OpenStack Domain that is not your default Domain, use this format for the username:
<OpenStack_domain_name>\<user_name>
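The two input formats above (the Keystone URL and the optional domain-qualified username) are easy to get subtly wrong, so here is an added example, not part of this guide, that validates both before they are typed into the Data Center object. The accepted Keystone version list, the "Default" domain name and the port check are assumptions of this example; the sample values are constructed.

```python
"""Validate the OpenStack Data Center connection fields (added example)."""
from urllib.parse import urlsplit

# Identity API versions accepted as the <keystone_version> path element.
# Assumption for this example; v3 is what the guide's own example uses.
KEYSTONE_VERSIONS = ("v2.0", "v3")
KEYSTONE_DEFAULT_PORT = 5000      # the port in the guide's URL format
DEFAULT_DOMAIN = "Default"        # assumption: the deployment's default domain name


def parse_keystone_url(url):
    """Check a Hostname field value against http(s)://host:port/<keystone_version>.

    Returns (parts, warnings). parts is None when the URL cannot be used at all;
    warnings lists issues an operator should look at before clicking Test Connection.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None, ["scheme must be http or https"]
    if not parts.hostname:
        return None, ["host name or IP address is missing"]
    version = parts.path.strip("/")
    if version not in KEYSTONE_VERSIONS:
        return None, ["path must be the Keystone version, one of "
                      + ", ".join(KEYSTONE_VERSIONS)]

    warnings = []
    if parts.scheme == "http":
        # Keystone receives the OpenStack password on this connection.
        warnings.append("plain http sends the OpenStack credentials unencrypted; use https")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port != KEYSTONE_DEFAULT_PORT:
        warnings.append(f"port {port} is not the usual Keystone port {KEYSTONE_DEFAULT_PORT}")
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port,
            "version": version}, warnings


def split_username(username):
    """Split the Username field into (domain, user).

    '<OpenStack_domain_name>\\<user_name>' selects an explicit domain; a bare
    user name means the default domain.
    """
    if "\\" not in username:
        return DEFAULT_DOMAIN, username
    domain, user = username.split("\\", 1)
    if not domain or not user or "\\" in user:
        raise ValueError("expected one backslash between a non-empty domain and user name")
    return domain, user


if __name__ == "__main__":
    # Constructed sample values.
    for url in ("https://1.2.3.4:5000/v3", "http://keystone.example.test:35357/v3/",
                "https://1.2.3.4:5000/identity"):
        print(url, "->", parse_keystone_url(url))
    print(split_username("cloudguard-ro"), split_username(r"dc-tenants\cloudguard-ro"))
```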

OpenStack Objects

Objects

Instances
    Virtual Machines inside the cloud.
Security groups
    Sets of IP address filter rules for networking access.
    They are applied to all instances within a project.
Subnet
    A block of IP addresses and associated configuration state.
    Subnets are used to allocate IP addresses when new ports are created on a network.

Imported Properties

IP
    - VM - Virtual Machine's IP address
    - Security Group - IP addresses of the Virtual Machines inside the group
    - Subnets - IP addresses of the Virtual Machines inside the subnet
Note
    - Instances - Empty
    - Security Group - Description of the group
    - Subnet - IP address and mask of the subnet
URI
    Object path.

CloudGuard Controller for VMware Servers


Connecting to a VMware Server
To connect to a VMware server

1. In SmartConsole, create a new Data Center object in one of these ways:
   - In the top left corner, click Objects menu > More object types > Server > Data Center > New VMware vCenter, New VMware NSX-V, or New VMware NSX-T.
   - OR - In the top right corner, click Objects Pane > New > More > Server > Data Center > VMware vCenter, VMware NSX-V, or VMware NSX-T.
2. In the Enter Object Name field, enter the applicable name.
3. In the Hostname field, enter the IP address or hostname of your vCenter or NSX Manager server.
4. In the Username field, enter your VMware administrator username.
5. In the Password field, enter your VMware administrator password.
6. Click Test Connection.
7. Click OK.
8. Publish the session.

CloudGuard Controller for VMware vCenter

You must have a VMware NSX-V username with Auditor (or higher) permission to access the CloudGuard Controller.

CloudGuard Controller for VMware NSX-V Manager Server
- The CloudGuard Controller integrates the VMware NSX Manager Server with Check Point security.
- The Check Point Data Center Server connects to the VMware NSX Manager Server and retrieves object data.
- The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group.
- You must have a VMware NSX username with Auditor (or higher) permission to access the CloudGuard Controller.
Note - This role is sufficient for CloudGuard Controller functionality. More permissions can be required for service registration (CloudGuard Gateway for NSX).
VMware vCenter Objects

Objects

Cluster
    A collection of ESXi hosts and associated Virtual Machines configured to work as a unit.
Datacenter
    An aggregation of many object types required to work in a virtual infrastructure.
    These include hosts, Virtual Machines, networks, and datastores.
Folder
    Lets you group similar objects.
Host
    The physical computer where you install ESXi. All Virtual Machines run on a host.
Resource pool
    Compartmentalizes the host or cluster CPU and memory resources.
Virtual machine
    A virtual computer environment where a guest operating system and associated application software run.
vSphere vApp
    A packaging and managing application format. A vSphere vApp can contain multiple Virtual Machines.
Tags
    All the Virtual Machines tagged with the vCenter tag.
    Note - This is supported with vCenter 6.5 and above.

Imported Properties

IP
    IP address or hostname of the vCenter Server.
    You must install VMware Tools on each Virtual Machine to retrieve the IP addresses for each computer.
Note
    VMware vCenter object notes.
URI
    Object path.

VMware NSX-V Objects

Objects

Security Group
    Enables a static or dynamic grouping, based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.
Universal Security Group
    Enables defining a Security Group across VMware NSX managers.
    Note - Import these objects separately for each VMware NSX manager.

Imported Properties

IP
    All the Security Group IP addresses.
Note
    Description value of a Security Group.
URI
    Object path.

Threat Prevention Tagging for CloudGuard for NSX Gateway

Threat Prevention Tagging:

Threat Prevention Tagging automatically assigns Security Tags to Data Center objects based on Threat Prevention analysis and group affiliation.
This enables the use of dynamic Security Groups in policy rules.
Enable Threat Prevention Tagging for the Anti-Bot and Anti-Virus services on the CloudGuard for NSX Gateway.
When a threat from an infected Virtual Machine reaches the Security Gateway and is denied entry, the Virtual Machine is tagged as infected in the NSX Manager.

To activate Threat Prevention tagging

1. Connect to the command line on the CloudGuard for NSX Gateway.
2. Log in to Gaia Clish or Expert mode.
3. Enable the tagging by running:
   tagger_cli
4. Select Activate Cluster.
   CloudGuard for NSX Clusters with active Anti-Bot and/or Anti-Virus Software Blades appear.
5. Select the Cluster.
   Make sure that "Cluster activated successfully" shows.

When it is activated, the Cluster automatically tags infected Virtual Machines in the NSX Manager Server.
These are the Security Tags:
- Default Anti-Bot Security Tag: Check_Point.BotFound
- Default Anti-Virus Security Tag: Check_Point.VirusFound
The Security Tags are created automatically in the NSX Management Server when the Cluster is activated.
When Security Tags are configured, you can create policy rules based on the Security Groups that contain those tags.
Advanced options
Use the advanced menu options to configure the tags:

Show Activated gateways
    Lists the activated Clusters and the status of each CloudGuard for NSX Gateway.
Modify Anti-Bot Security Tag
    Enables or disables the tagging for the Anti-Bot Software Blade and changes the Security Tag.
Modify Anti-Virus Security Tag
    Enables or disables the tagging for the Anti-Virus Software Blade and changes the Security Tag.
Modify White List
    IP addresses listed in the White List are not tagged.
    Separate addresses with spaces. Ranges are not accepted.
Create New Security Tag
    Creates a new Security Tag in the NSX Manager Server.
Update Data
    When you add a new ESX to a Cluster, CloudGuard for NSX Gateway automatically updates the Threat Prevention Tagging data within 15 minutes.
    Select this option to update the data manually on the new CloudGuard for NSX Gateway.

Threat Prevention Tagging Logs

In SmartConsole, in the Logs & Monitor view, see CloudGuard Tagging in the Blade column.
A list of messages and their descriptions:

Message: The Virtual Machine <VM ID> was tagged successfully with Security Tag '<Tag Name>' in NSX <NSX IP Address>
    Description: Threat Prevention tagging successfully tagged a Virtual Machine due to malicious traffic.

Message: The IP address <VM IP Address> appears twice in the ESX <ESX IP Address>. The infected Virtual Machine was not tagged in the ESX.
    Description: An IP address appears twice in the ESX. Not tagging in this case prevents false positive tagging of Virtual Machines with duplicate IP addresses.

Message: Failed to get data from the Data Center <Data Center IP Address>
    Description: Failed to get a Data Center object from the Security Management Server API. Check that there is a trusted connection for CloudGuard Controller.

Message: Threat Prevention Tag is ignored because the VM IP '<VM IP Address>' is on the White List
    Description: The Virtual Machine IP address is on the White List and the Threat Prevention tag is ignored.

CloudGuard Controller for VMware NSX-T Management Server

The CloudGuard Controller integrates the VMware NSX-T Management Server with Check Point security.
You must have a VMware NSX-T username with the minimal permission of an Auditor (or higher) to access the CloudGuard Controller.

Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be required for service registration (CloudGuard Gateway for NSX-T).

VMware NSX-T Objects

Ns Group
    Enables a static or dynamic grouping based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.

Imported Properties

IP
    All the Ns Group IP addresses.
Note
    Description value of an Ns Group.
URI
    Object path.

Known Limitations

- Logs for rules with VMware NSX-T Ns Groups contain only the IP address. The logs do not contain the instance name.
- VMware NSX-T objects - No support for IP Set objects with ranges or CIDR block notation. IP Set objects that represent one or more individual IP addresses are supported.
- It is recommended to install the official VMware Tools on a Virtual Machine so that the VMware NSX-T Controller can successfully poll IP addresses. Install the VMware Tools for your specific version. Alternatives for IP discovery without VMware Tools can be found in the VMware NSX-T Administrative Guide. Note - Each has different limitations in practice.

CloudGuard Controller Monitoring

CloudGuard Controller Logs
To monitor CloudGuard Controller logs, use any of these three options:
- Filter the logs in SmartConsole using blade:"CloudGuard IaaS".
- Create Events based on logs and severity.
- Connect the Event to a user-defined Automatic Reaction such as emails or scripts. See the Logging and Monitoring Administration Guide, "Automatic Reactions".

Log descriptions

Log: Mapping of Data Center server url <URL> with user <User> started
    Description: CloudGuard Controller successfully connected to the data center. It starts to map the Data Center objects.

Log: Mapping of Data Center server url <URL> with user <User> finished
    Description: CloudGuard Controller successfully mapped the Data Center objects. It starts to monitor the Data Center changes.

Log: Data center server objects were successfully updated on gateway <Name>
    Description: The Data Center object was successfully updated on the Security Gateway.

Message: Connection lost to Data Center server url <URL> with user <User>.
    Description: Lost connection, possibly due to connectivity issues.
    Solution: In the Data Center object, click Test Connection.

Message: Failed to update policy with data center objects. Install policy again to resolve the issue.
    Description: The install process completed correctly, but there is corrupt policy data in a data center object.
    Solution: --

Message: Connectivity to data center server <IP Address> lost. Objects imported from this data center server are no longer being updated.
    Description: Persistent connectivity issues exist between the Security Management Server and CloudGuard Controller and the data center.
    Solution: Resolve the connectivity issues.

Message: Failed to update data center server objects on gateway <GW Name>. If issue persists contact Check Point Support.
    Description: CloudGuard Controller fails to update a Security Gateway. There may be no connectivity to the Security Gateway.
    Solution:
    - Make sure there is SIC between the Security Gateway and CloudGuard Controller.
    - Make sure to enable the Identity Awareness API on the Security Gateway.

Message: Failed to generate data center server objects of new policy, Security gateways are no longer updated with the new data center objects.
    Description: The transfer of a new policy to a Security Gateway failed.
    Solution: Install the Access Control Policy again.

Message: Failed to stop updates of data center objects on the secondary management server.
    Description: Data transmission to a Security Gateway from a Secondary Security Management Server stops.
    Solution: Install the Access Control Policy again.

Message: Failed to start updates from previous standby domain.
    Description: CloudGuard Controller fails to start updating a Security Gateway. It is possible that there is no connectivity to the Security Gateway.
    Solution: Install the Access Control Policy again.

Message: Failed to stop updates of data center objects for deleted domain. Contact Check Point Support.
    Description: CloudGuard Controller fails to stop Domain enforcement when a Domain is deleted.
    Solution: Install the Access Control Policy again.
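
The messages in this table and in the Threat Prevention Tagging Logs table above are fixed templates, so they can be turned into matchers for a SIEM rule or an Automatic Reaction script. The following Python is an added example, not part of this guide or of Check Point's tools: it compiles the guide's message templates into regular expressions, extracts the placeholders as fields, and ranks the messages that need an operator's attention. The severity and action labels are this example's own assumptions; the sample log messages are constructed.

```python
"""Parse CloudGuard Controller and CloudGuard Tagging log messages (added example)."""
import re

# (event, severity, message template as printed in the guide, suggested action)
# Severity and action are this example's own triage labels, not Check Point's.
TEMPLATES = [
    ("mapping_started", "info",
     "Mapping of Data Center server url <URL> with user <User> started", None),
    ("mapping_finished", "info",
     "Mapping of Data Center server url <URL> with user <User> finished", None),
    ("gateway_updated", "info",
     "Data center server objects were successfully updated on gateway <Name>", None),
    ("connection_lost", "warning",
     "Connection lost to Data Center server url <URL> with user <User>.",
     "In the Data Center object, click Test Connection."),
    ("policy_update_failed", "error",
     "Failed to update policy with data center objects. "
     "Install policy again to resolve the issue.",
     "Install the Access Control Policy again."),
    ("dc_connectivity_lost", "error",
     "Connectivity to data center server <IP Address> lost. "
     "Objects imported from this data center server are no longer being updated.",
     "Resolve connectivity between the Security Management Server and the data center."),
    ("gateway_update_failed", "error",
     "Failed to update data center server objects on gateway <GW Name>. "
     "If issue persists contact Check Point Support.",
     "Check SIC to the gateway and enable the Identity Awareness API on it."),
    ("vm_tagged", "info",
     "The Virtual Machine <VM ID> was tagged successfully with Security Tag "
     "'<Tag Name>' in NSX <NSX IP Address>", None),
    ("duplicate_ip_not_tagged", "warning",
     "The IP address <VM IP Address> appears twice in the ESX <ESX IP Address>. "
     "The infected Virtual Machine was not tagged in the ESX.",
     "Resolve the duplicate IP address; the infected VM was not tagged."),
    ("dc_fetch_failed", "error",
     "Failed to get data from the Data Center <Data Center IP Address>",
     "Check that there is a trusted connection for CloudGuard Controller."),
    ("tag_ignored_whitelist", "info",
     "Threat Prevention Tag is ignored because the VM IP '<VM IP Address>' "
     "is on the White List", None),
]

SEVERITY_ORDER = {"error": 0, "warning": 1, "info": 2}


def compile_template(template):
    """Turn a guide template into a regex: each <Placeholder> becomes a named group
    (for example <GW Name> -> (?P<gw_name>...)); literal text is escaped."""
    pattern = ""
    for i, piece in enumerate(re.split(r"<([^<>]+)>", template)):
        if i % 2 == 0:
            pattern += re.escape(piece)
        else:
            pattern += "(?P<%s>.+?)" % re.sub(r"[^a-z0-9]+", "_", piece.lower()).strip("_")
    return re.compile(r"^\s*" + pattern + r"\s*$")


MATCHERS = [(event, sev, compile_template(tpl), action)
            for event, sev, tpl, action in TEMPLATES]


def parse_message(message):
    """Return {"event", "severity", "fields", "action"} for a documented message,
    or None when the text matches none of the guide's templates."""
    for event, severity, regex, action in MATCHERS:
        match = regex.match(message)
        if match:
            return {"event": event, "severity": severity,
                    "fields": match.groupdict(), "action": action}
    return None


def triage(messages):
    """Parse a batch of log messages and return the ones that need operator
    action, most severe first (input order is kept within a severity)."""
    parsed = (parse_message(m) for m in messages)
    actionable = [e for e in parsed if e and e["action"]]
    return sorted(actionable, key=lambda e: SEVERITY_ORDER[e["severity"]])


# Constructed sample messages in the guide's formats (hosts and names are made up).
SAMPLE_MESSAGES = [
    "Mapping of Data Center server url https://vcenter.example.test with user cg-ro started",
    "Connection lost to Data Center server url https://vcenter.example.test with user cg-ro.",
    "The Virtual Machine vm-1021 was tagged successfully with Security Tag "
    "'Check_Point.BotFound' in NSX 198.51.100.10",
    "The IP address 10.0.5.17 appears twice in the ESX 198.51.100.21. "
    "The infected Virtual Machine was not tagged in the ESX.",
    "Failed to update data center server objects on gateway gw-dmz-01. "
    "If issue persists contact Check Point Support.",
    "some unrelated log line",
]

if __name__ == "__main__":
    for event in triage(SAMPLE_MESSAGES):
        print(event["severity"].upper(), event["event"], event["fields"], "->", event["action"])
```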

CloudGuard Controller Status

Options for checking the CloudGuard Controller status:

On the Management Server
    1. Connect to the command line.
    2. Run: cpstat vsec
In SmartConsole
    1. From the left navigation panel, click Gateways & Servers.
    2. Select your Management Server object.
    3. At the bottom, from the Summary tab, click Device & License Information > Device Status.
SNMP Traps
    See sk124532.


CloudGuard Central Licensing


License Pooling
CloudGuard Central Licensing is a pooled license structure offered on the Check Point Security
Management Server and Multi-Domain Server.
With this feature, you can dynamically change the properties of licenses on your Security Gateway
architecture.
The license pool contains the licenses for every Security Gateway with its cores. A license is issued for
each CloudGuard Gateway, and the number of cores in a CloudGuard Gateway determines the license
you require.
The central licensing feature provides:
- One global license for as many CloudGuard Gateways as needed.
- Scaled-up performance on a CloudGuard Gateway with all its vCores.
- Movement of vCores from one CloudGuard Gateway to another.
- Movement of the CloudGuard Gateway between the public and private cloud.
There are two modes for the Multi-Domain Server:

System Mode (the default)
    Generates a license for the IP address of the Multi-Domain Server.
    The license pool is on the Multi-Domain Server.
    The licenses are attached to all of the CloudGuard Gateways that the Domain Management Servers manage.
    To use this mode, run:
    vsec_lic_cli mode mds

Domain Mode
    Domain Mode pools are managed on each individual Domain.
    Licenses are distributed to the CloudGuard Gateways that the Domain manages.
    The license is generated with the IP address of the Domain to which it belongs.
    To use this mode, run:
    vsec_lic_cli mode domain

Note:

To go to the context of a Domain Management Server, run:

mdsenv <Name or IP Address of Domain Management Server>

License Distribution

Licenses that can be managed in pools
    - Virtual security licenses for public and private clouds.
    - Licenses with the same contract blade package.
    Note - Licenses with different contract blades will be in separate pools. The first license pool that is created is configured as the default pool. The licenses from the default pool are attached to CloudGuard Gateways.
Gateways that receive a license from the pool
    CloudGuard Gateways on the public and private cloud.
    The supported hypervisors in the private cloud are VMware ESXi, Hyper-V and KVM.
    The supported modules in the public cloud are AWS, Microsoft Azure, Google Cloud Platform and vCloud Air.
Gateways that receive a license
    - New CloudGuard Gateways receive the license from the pool after policy installation.
    - Existing CloudGuard Gateways receive the license immediately after the license is added.
Distribution
    CloudGuard licenses are attached from the license pool to the CloudGuard Gateway.
    The distribution procedure is permissive. Gateways will be issued a license even when the pool no longer has licenses available.

Using the Central Licensing Utility with Existing Licenses


You can activate the new CloudGuard Central Licensing utility on Security Gateways that already have
a license. Licenses with the same Software Blades and contract expiration join together to make one
pool. If multiple pools are established, one of the pools is the default pool. Any license that is not part of
the pool is detached from all Security Gateways.
If you have a Multi-Domain Server, enable the central license utility on the Multi-Domain Server. Multi-
Domain Server automatically activates the central license utility on each Domain Management Server.

Best Practice - We recommend that you have only one type of pool. Therefore,
licenses with the same Software Blades and contract expiration are grouped together.
Use the central license utility to ensure that licenses are distributed correctly.

Managing CloudGuard Central Licenses


CloudGuard central license is disabled by default. When it is disabled, licenses are not distributed
automatically to new CloudGuard Gateways. Existing licenses, however, remain on the CloudGuard
Gateways.
Operations

Enable the CloudGuard license
    vsec_lic_cli on
Disable the CloudGuard license
    vsec_lic_cli off
Manage the CloudGuard license pool
    vsec_lic_cli

The vsec_lic_cli tool is exclusively for managing CloudGuard licenses; do not use other tools at the same time. CloudGuard licenses that were already added with other tools, such as SmartUpdate, are automatically added to the pools.
The CloudGuard License Manager Menu shows these options:
1. "Adding a License" below
2. "Removing a License" below
3. "Viewing License Usage" on the next page
4. "Running License Distribution" on the next page
5. "Configuring Automatic License Distribution for Security Gateways" on the next page
6. "Generating a Core Usage Report" on the next page

Adding a License
You can add a central license to the license pool with the IP address of a Security Management Server,
Multi-Domain Server or Domain Management Server.
The license is added to the pool to match the contract blade. Use the User Center to automatically match
the blade to the contract, or attach the contracts manually with SmartUpdate.
A license in a default pool will be distributed to the CloudGuard Gateway as needed.

Removing a License
When you remove a license from the pool, it is also removed from all CloudGuard Gateways, which
have the license.

Viewing License Usage


With the Central Licensing feature, you can see usage details of the CloudGuard Gateways in the pool.
This information is available:
- Quota of cores
- Unused cores
- Security Gateways licensed in the pool

Running License Distribution


Distribution of licenses to the CloudGuard Gateways is done automatically, once a day.
If you need the license attached immediately, you can run the distribution manually.
You can monitor these changes on the CloudGuard Gateways and licenses:
- New CloudGuard Gateways
- Core changes on existing CloudGuard Gateways
- Contract changes on existing licenses
After distribution of the licenses, a CloudGuard Gateway that did not have a license will have one.

Configuring Automatic License Distribution for Security Gateways


You can enable or disable the CloudGuard Gateway from receiving a license automatically.

Generating a Core Usage Report


You can generate a CSV file with an hourly core usage report for each CloudGuard Gateway.
