CLOUDGUARD
CONTROLLER
R80.40
Administration Guide
[Classification: Protected]
Check Point Copyright Notice
© 2020 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed
under licensing restricting their use, copying, distribution, and decompilation. No part of this product or
related documentation may be reproduced in any form or by any means without prior written
authorization of Check Point. While every precaution has been taken in the preparation of this book,
Check Point assumes no responsibility for errors or omissions. This publication and features described
herein are subject to change without notice.
TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with
the latest functional improvements, stability fixes, security enhancements and protection
against new and evolving attacks.
Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.
Revision History
Date Description
Table of Contents
Check Point Copyright Notice
Important Information
Table of Contents
Introduction to CloudGuard Controller
What's New in R80.40 CloudGuard Controller
Workflow for Deploying CloudGuard Controller
    Supported Security Gateways
    Activating the Identity Awareness Software Blade
        Activating Identity Awareness for Security Gateways R80.10 and above
        Activating Identity Awareness for Security Gateways R77.20 and R77.30
        Activating Identity Awareness for Scalable Platforms 40000/60000
Integrating with Data Center Servers
    Connecting to a Data Center Server
    Creating Rules with Data Center Objects
    Check Point Management API
Supported Data Centers
    CloudGuard Controller for Amazon Web Services
        Connecting to an Amazon Web Services Data Center Server
        Amazon Web Services Objects
        Configuring Permissions for Amazon Web Services
        Auto Scaling in Amazon Web Services
    CloudGuard Controller for Microsoft Azure
        Connecting to a Microsoft Azure Data Center Server
        Microsoft Azure Objects
        Auto Scaling in Microsoft Azure
    CloudGuard Controller for Cisco ACI
        Connecting to a Cisco ACI Data Center Server
        Cisco ACI Objects
License Pooling
    License Distribution
    Using the Central Licensing Utility with Existing Licenses
    Managing CloudGuard Central Licenses
        Adding a License
        Removing a License
        Viewing License Usage
        Running License Distribution
        Configuring Automatic License Distribution for Security Gateways
        Generating a Core Usage Report
2. Before you begin the upgrade, back up all files that you have changed.
3. Before you perform the upgrade on the Management Server, if you have a Cisco APIC server,
keep only one URL. After the upgrade, add the other URLs.
4. A Multi-Domain Server that contains imported Data Center objects in the Global Domain is not
supported in the upgrade to R80.40. You must remove objects from the Global Domain before
you install the upgrade.
Note - During the upgrade, CloudGuard Controller does not communicate with the Data Center.
Therefore, Data Center objects are not updated on the CloudGuard Controller or the Security Gateways.
Important - To use the CloudGuard Controller with R77.20 and R77.30 Security
Gateways (with R77.30 Jumbo Hotfix Accumulator below Take 309), you must
install the CloudGuard Controller / vSEC Controller Enforcer Hotfix (see sk129152)
on those R77.20 and R77.30 Security Gateways.
Step Description
1 In SmartConsole, from the left navigation panel, click Gateways & Servers.
4 On the Network Security tab, select the Identity Awareness Software Blade.
8 Click Settings.
2. Enable the communication between the CloudGuard Controller and the Identity Awareness
daemon on the Security Gateway.
To enable the Identity Awareness Software Blade
Step Description
1 In SmartConsole, from the left navigation panel, click Gateways & Servers.
4 On the Network Security tab, select the Identity Awareness Software Blade.
The Identity Awareness Configuration > Methods for Acquiring Identity window
opens.
If it is not needed, clear the AD Query.
8 Click OK.
To enable the communication between the CloudGuard Controller and the Identity Awareness daemon
on the Security Gateway
Step Description
Note - On a VSX Gateway, run the command in the context of each applicable
Virtual System.
Step Description
1 In SmartConsole, from the left navigation panel, click Gateways & Servers.
4 On the Network Security tab, select the Identity Awareness Software Blade.
The Identity Awareness Configuration > Methods for Acquiring Identity window
opens.
If it is not needed, clear the AD Query.
8 Click OK.
To enable the communication between the CloudGuard Controller and the Identity Awareness daemons
on the Security Gateway Modules
Step Description
Note - On a VSX Gateway, run the command in the context of each applicable
Virtual System.
Step Description
6 Click OK.
Note - If the connection properties of any Data Center servers changed (for example the credentials or
the URL), make sure to install the Access Control Policy again.
Step Description
3 In the applicable rule, in the Source or Destination column, click + to add new
items.
4 Click Import.
Step Description
3 In the applicable rule, in the Source or Destination column, click + to add new
items.
Important - The CloudGuard Controller server clock must be synchronized with the current local time. Use of an NTP server is recommended. Time synchronization issues can cause polling of information from the cloud to fail.
Step Description
4 If you choose User Authentication, enter your Access key ID and Secret access
key.
5 In the Region field, select the AWS region to which you want to connect.
7 Click OK.
Object Description
VPC - Amazon Virtual Private Cloud enables you to launch resources into your Virtual Network.
Subnet - All the IP addresses from the Network Interfaces related to this subnet
Tags - Groups all the instances that have the same Tag Key and Tag Value
Security Group - Groups all the IP addresses from all objects associated with this Security Group
Load Balancers - Load Balancer objects (Network Load Balancers and Application Load Balancers)
Import Option Description
Regions - Import AWS VPCs, Subnets or Instances from a certain region to your Security Policy.
Tags - Import all instances that have a specific Tag Key or Tag Value.
Notes:
- CloudGuard Controller saves a Tag that has a Key and no Value as "Tag key=".
- CloudGuard Controller truncates leading and trailing spaces in Tag Keys and Tag Values.
- All changes in AWS are updated automatically in the Check Point Security Policy. Because policy membership follows the tags, users with permissions to change resource tags in AWS can therefore change access permissions.
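The following is an added example, not code from Check Point or from this guide. It models the two tag rules in the Notes above and makes the third one visible: an instance's membership in a tag-based Data Center object changes the moment its tag changes. The boto3-style record layout (a "Tags" list of {"Key", "Value"} dicts) and the "<key>=<value>" name for a tag that has a value are assumptions; the guide only states the "<key>=" form for a tag with no value. The instance records are constructed sample data.

```python
# Added example, not Check Point's code. Assumed: boto3-style instance records
# and the "<key>=<value>" object name for a tag that has a value.
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def normalize_tag(key: str, value: str) -> str:
    """Object name for a Tag Key/Value pair.

    Leading and trailing spaces are truncated from both parts; a tag with a key
    and no value becomes "<key>=" (the "Tag key=" form from the Notes).
    """
    return f"{key.strip()}={value.strip()}"


def group_by_tag(instances: List[dict]) -> Dict[str, Set[str]]:
    """Map each normalized tag to the private IPs that carry it.

    This is what the AWS "Tags" object resolves to: all instances that share
    the same Tag Key and Tag Value.
    """
    groups: Dict[str, Set[str]] = defaultdict(set)
    for inst in instances:
        for tag in inst.get("Tags", []):
            name = normalize_tag(tag["Key"], tag.get("Value", ""))
            groups[name].add(inst["PrivateIpAddress"])
    return dict(groups)


def retag(instances: List[dict], instance_id: str, key: str, value: str) -> List[dict]:
    """Copy of the inventory with one instance's tag changed, as anyone with
    permission to change resource tags could do."""
    out = []
    for inst in instances:
        inst = {**inst, "Tags": [dict(t) for t in inst.get("Tags", [])]}
        if inst["InstanceId"] == instance_id:
            for tag in inst["Tags"]:
                if tag["Key"].strip() == key.strip():
                    tag["Value"] = value
                    break
            else:
                inst["Tags"].append({"Key": key, "Value": value})
        out.append(inst)
    return out


def membership_changes(before: Dict[str, Set[str]],
                       after: Dict[str, Set[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Groups whose members differ: name -> (added IPs, removed IPs)."""
    changes = {}
    for name in set(before) | set(after):
        old, new = before.get(name, set()), after.get(name, set())
        if old != new:
            changes[name] = (new - old, old - new)
    return changes


SAMPLE_INSTANCES = [  # constructed sample data, not from the guide
    {"InstanceId": "i-0aaa", "PrivateIpAddress": "10.0.1.10",
     "Tags": [{"Key": " Role ", "Value": "web "}]},
    {"InstanceId": "i-0bbb", "PrivateIpAddress": "10.0.1.11",
     "Tags": [{"Key": "Role", "Value": "web"}]},
    {"InstanceId": "i-0ccc", "PrivateIpAddress": "10.0.2.20",
     "Tags": [{"Key": "Role", "Value": "db"}, {"Key": "Backup", "Value": ""}]},
]

if __name__ == "__main__":
    before = group_by_tag(SAMPLE_INSTANCES)
    after = group_by_tag(retag(SAMPLE_INSTANCES, "i-0ccc", "Role", "web"))
    for name, (added, removed) in membership_changes(before, after).items():
        print(f"{name}: +{sorted(added)} -{sorted(removed)}")
```

Running the block shows the database instance moving into the "Role=web" group after a single tag edit, which is why write access to tags in AWS deserves the same review as write access to the Security Policy.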
Object Names
Object names are the same as those in the AWS console.
VPC, Subnet, Instance, and Security Group are named as follows:
Imported Properties
Imported Property Description
Name - Resource name as shown in the AWS console. The user can edit the name after importing the object.
Tags - Tags (Keys and Values) that are attached to the object
Item Value
Effect - Allow
Actions -
    - ec2:DescribeInstances
    - ec2:DescribeNetworkInterfaces
    - ec2:DescribeSubnets
    - ec2:DescribeVpcs
    - ec2:DescribeSecurityGroups
For more information about Roles and the IAM policy, see Amazon Web Services documentation.
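As an added example (not Check Point's code and not from this guide), the table above written out as an IAM policy document, together with an audit function that checks a policy handed to the CloudGuard Controller for anything beyond those five read-only Describe calls. "Version" and "Resource" are standard IAM policy fields; the guide states no Resource scope, so "*" is assumed here.

```python
# Added example, not Check Point's code. Assumed: Resource "*" (the guide
# gives no resource scope); the helper names are this example's own.
import fnmatch
import json
from typing import Iterable, List, Set

# The five read-only actions listed in the table above.
REQUIRED_ACTIONS = (
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "ec2:DescribeSecurityGroups",
)


def policy_with_actions(actions: Iterable[str]) -> str:
    """JSON policy document that allows the given actions (Resource "*" assumed)."""
    doc = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }
    return json.dumps(doc, indent=2)


def build_policy() -> str:
    """The least-privilege policy for the Controller: exactly the table's actions."""
    return policy_with_actions(REQUIRED_ACTIONS)


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str) -> List[str]:
    """Findings for a policy attached to the Controller's role or user.

    Anything other than one of the exact required actions, including
    wildcards such as "ec2:*", is reported as excess privilege; a required
    action the policy does not grant is reported as missing.
    """
    doc = json.loads(policy_json)
    findings: List[str] = []
    granted: Set[str] = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            # A wildcard still counts as granting the Describe calls it matches.
            granted |= {a for a in REQUIRED_ACTIONS if fnmatch.fnmatch(a, action)}
            if action not in REQUIRED_ACTIONS:
                findings.append(f"action beyond read-only Describe set: {action}")
    for action in REQUIRED_ACTIONS:
        if action not in granted:
            findings.append(f"missing required action: {action}")
    return findings


if __name__ == "__main__":
    print(build_policy())
    print(audit_policy(build_policy()) or "policy is least-privilege")
```

The audit treats "ec2:*" as a finding even though it grants every required call, because the Controller only ever reads inventory and a wildcard also covers mutating EC2 actions.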
Auto Scaling in Amazon Web Services
The AWS Auto Scaling service with the Check Point Auto Scaling group can increase or decrease the
number of CloudGuard Gateways according to the current load.
CloudGuard Controller for AWS works with the Check Point Auto Scaling Group. The Check Point
Security Management Server updates Data Center objects automatically on the Check Point Auto
Scaling group.
Step Description
5 Click OK.
6 Import objects from your Microsoft Azure server to your policy (for more about these objects, see the next sections).
    - Network by Subscriptions - Import VNETs, subnets, Virtual Machines or VMSSs.
    - Network Security Groups (NSG) - Import all IP addresses that belong to a specific NSG. The NSG is used only as a container for the list of all IP addresses (assigned to NICs and subnets) that are attached to this group.
    - Tags - Imports all the IP addresses of Virtual Machines and VMSSs that have specific tags and values.
Note - All changes in Microsoft Azure are updated automatically in the Check Point Security Policy. Users with permissions to change Resource Tags in Microsoft Azure can therefore change access permissions.
Objects
Object Description
Virtual Network - Represents your Microsoft Azure Virtual Network (VNET) in the cloud.
Network Security Group (NSG) - NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to the Virtual Machine instances in a Virtual Network. NSGs can be associated with either subnets or individual Virtual Machine instances within that subnet.
Load Balancer - Distributes incoming traffic that arrives at the Load Balancer's frontend to backend pool instances, according to rules and health probes.
Imported Properties
Imported Property Description
Step Description
3 In the URLs field, enter the addresses of the ACI cluster members. Multiple URLs allow support for an APIC cluster for redundancy.
Important - These addresses can be either HTTP or HTTPS, but not both.
apic:<domain>\<username>
7 Click OK.
Object Description
Application Profile - A container of logically related EPGs, their connections, and the policies that define those connections.
End-Point Group (EPG) - A container for objects that require the same policy treatment. EPG examples: app tiers or services (usually, VLAN).
Step Description
7 Click OK.
Object Description
Security Groups - Groups of users, endpoints, and resources that share Access Control policies. You define the Security Groups in Cisco ISE.
Automatic Failover
If there is a failure to communicate with the provided ISE administration nodes, CloudGuard Controller
enters a recovery mode. In recovery mode, it will automatically attempt to re-establish connection with
the administration nodes. Connection is attempted with the nodes based on the order they were entered.
Important - Make sure that the secondary node is properly synchronized with the primary node.
Otherwise, the IP-to-SGT data may not be up to date.
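An added example, not Check Point's code, that models the automatic failover described above: the Controller uses the ISE administration nodes in the order they were entered, enters recovery mode when the current node stops answering, and walks that list until a node responds. It also records the warning the Important note implies, a secondary node whose IP-to-SGT data is older than what the primary last served. The `fetch` callable (returning a snapshot version, or None when a node does not answer) and the node names are constructed stand-ins for the real ISE session.

```python
# Added example, not Check Point's code. Assumed: fetch(node) returns an
# IP-to-SGT snapshot version (int) or None when the node does not answer.
from typing import Callable, List, Optional


class IseNodeFailover:
    def __init__(self, nodes: List[str], fetch: Callable[[str], Optional[int]]):
        self.nodes = list(nodes)            # primary first, as entered
        self.fetch = fetch
        self.active: Optional[str] = None
        self.recovery_mode = False
        self.last_version: Optional[int] = None
        self.attempt_log: List[str] = []    # every node tried, for the audit trail
        self.warnings: List[str] = []

    def poll(self) -> Optional[str]:
        """Return the node used for this poll, or None if none answered."""
        if self.active is not None:
            version = self.fetch(self.active)
            if version is not None:
                return self._accept(self.active, version)
        # Lost the current node (or never had one): recovery mode, try the
        # nodes in the order they were entered.
        self.recovery_mode = True
        self.active = None
        for node in self.nodes:
            self.attempt_log.append(node)
            version = self.fetch(node)
            if version is not None:
                self.recovery_mode = False
                return self._accept(node, version)
        return None

    def _accept(self, node: str, version: int) -> str:
        # Stale data after failover is what the synchronization warning is about.
        if self.last_version is not None and version < self.last_version:
            self.warnings.append(
                f"{node}: IP-to-SGT data v{version} is older than last seen "
                f"v{self.last_version}; check that the node is synchronized")
        else:
            self.last_version = version
        self.active = node
        return node


if __name__ == "__main__":
    # Constructed state: primary is down, secondary answers with older data.
    state = {"ise-primary.example": None, "ise-secondary.example": 7}
    fo = IseNodeFailover(list(state), lambda n: state[n])
    print(fo.poll(), fo.recovery_mode, fo.attempt_log, fo.warnings)
```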
Important - The CloudGuard Controller server clock must be synchronized with the current local time. Use of an NTP server is recommended. Time synchronization issues can cause polling of information from the cloud to fail.
Authentication Method Description
Service Account Key Authentication - Uses the Service Account private key file to authenticate. Use the GCP web console to create a Service Account Key JSON file.
Step Description
4 If you choose Service Account Key Authentication, import the Service Account
JSON file.
6 Click OK.
Item Description
Subnet All the IP addresses from the network interfaces related to this subnet
Tags Groups all the instances that have the same network tag
Import Option Description
Projects - Import VPC networks, subnets or instances from another project to your Security Policy
Note - All changes in GCP are automatically updated with the Check Point Security Policy. Users with
permissions to change network tags in GCP can change their access permissions.
Object Names
Imported Properties
Imported Property Description
Name - Resource name as shown in the GCP console. The user can edit the name after importing the object.
Note - For instances, the list of VPC networks to which the instance belongs
Step Description
3 In the Hostname field, enter the IP address or hostname of the Nuage server.
Important - The addresses can be either HTTP or HTTPS, but not both. The Nuage
version is set by default to 4.0 and the port to 8443.
7 Click OK.
Nuage Objects
Objects
Object Description
Enterprise - A logical separator for customers, BU, groups, traffic, administrators, visibility, and more.
Security Zone - A set of network endpoints that have to agree with the same Security Policies.
Policy Group - Collections of vPorts and/or IP addresses that are used as building blocks for Security Policies that include multiple endpoints. Add one or more vPorts to a policy group using this interface. A policy group can also represent one or more IP/MAC addresses that it learned from external systems from BGP route advertisements based on origin. You can then use it as a destination of a policy rule to drop any packet that arrives from a particular port.
Imported Properties
IP - Associated IP address
Step Description
3 In the Hostname field, enter the URL of your OpenStack server in this format:
http(s)://1.2.3.4:5000/<keystone_version>
Example:
https://1.2.3.4:5000/v3
Note - If you do not know your keystone URL, run this command on the OpenStack
server to find it:
4 In the Username field, enter your username for the OpenStack server.
5 In the Password field, enter your password for the OpenStack server.
8 Click OK.
Note - If you want to log into an OpenStack Domain that is not your default Domain, use this format:
<OpenStack_domain_name>\<user_name>
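The following added example (not Check Point's code and not from this guide) validates the connection settings that the Cisco ACI, Nuage and OpenStack sections above require before they reach SmartConsole: the ACI and Nuage rule that the URLs are all HTTP or all HTTPS but not both, the OpenStack Hostname format http(s)://<host>:<port>/<keystone_version>, and the "<domain>\<user>" login forms (apic:<domain>\<username> for ACI, <OpenStack_domain_name>\<user_name> for OpenStack). The function names and the wording of the returned problems are this example's own.

```python
# Added example, not Check Point's code. The function names and error
# wording are this example's own; the formats checked are the guide's.
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse


def validate_urls(urls: List[str]) -> List[str]:
    """Problems with a list of ACI/Nuage URLs; an empty list means acceptable."""
    problems: List[str] = []
    schemes = set()
    for url in urls:
        parts = urlparse(url)
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"not an HTTP or HTTPS URL: {url}")
            continue
        schemes.add(scheme)
    if len(schemes) > 1:
        problems.append("URLs mix HTTP and HTTPS; use one scheme for all cluster members")
    return problems


def parse_keystone_url(url: str) -> Optional[Dict[str, object]]:
    """Split an OpenStack Keystone URL into scheme, host, port and version.

    Returns None unless the URL has the documented shape
    http(s)://<host>:<port>/<keystone_version>, e.g. https://1.2.3.4:5000/v3.
    """
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    path = parts.path.strip("/")
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    if not path or "/" in path or not path.startswith("v"):
        return None
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": parts.port or (443 if scheme == "https" else 80),
        "version": path,
    }


def parse_domain_user(login: str, prefix: str = "") -> Tuple[Optional[str], str]:
    """Split "<domain>\\<user>" into (domain, user); domain is None if absent.

    For Cisco ACI pass prefix="apic:" so that "apic:<domain>\\<user>" is
    accepted and the prefix is stripped first.
    """
    if prefix:
        if not login.startswith(prefix):
            raise ValueError(f"login must start with {prefix!r}")
        login = login[len(prefix):]
    domain, sep, user = login.partition("\\")
    if not sep:
        return None, login
    if not domain or not user:
        raise ValueError("domain and user must both be non-empty")
    return domain, user


if __name__ == "__main__":
    # Constructed inputs for a quick run.
    print(validate_urls(["https://apic1.example", "http://apic2.example"]))
    print(parse_keystone_url("https://1.2.3.4:5000/v3"))
    print(parse_domain_user("apic:corp\\alice", prefix="apic:"))
```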
OpenStack Objects
Objects
Object Description
Imported Properties
Imported Property Description
Step Description
- In the top left corner, click Objects menu > More object types > Server > Data Center > New VMware vCenter, New VMware NSX-V, or New VMware NSX-T.
OR -
- In the top right corner, click Objects Pane > New > More > Server > Data Center > VMware vCenter, VMware NSX-V, or VMware NSX-T.
3 In the Hostname field, enter the IP address or hostname of your vCenter or NSX
Manager server.
7 Click OK.
Step Description
Object Description
Host - The physical computer where you install ESXi. All Virtual Machines run on a host.
vSphere vApp - A packaging and managing application format. A vSphere vApp can contain multiple Virtual Machines.
Tags - All the Virtual Machines tagged with the vCenter tag. Note - This is supported with vCenter 6.5 and above.
Imported Properties
Imported Property Description
Object Description
Imported Properties
Threat Prevention Tagging automatically assigns Security Tags to Data Center objects based on Threat
Prevention analysis and group affiliation.
This enables the use of dynamic Security Groups in policy rules.
Enable Threat Prevention Tagging for the Anti-Bot and Anti-Virus services on the CloudGuard for NSX Gateway.
When a threat from an infected Virtual Machine reaches the Security Gateway and is denied entry, it is
tagged as an infected Virtual Machine in the NSX Manager.
To activate Threat Prevention tagging
Step Description
tagger_cli
When it is activated, the Cluster automatically tags infected Virtual Machines in the NSX Manager
Server.
These are the Security Tags:
- Default Anti-Bot Security Tag: Check_Point.BotFound
- Default Anti-Virus Security Tag: Check_Point.VirusFound
The Security Tags are created automatically in the NSX Management Server when the Cluster is
activated.
When Security Tags are configured, you can create policy rules based on the Security Groups that
contain those tags.
Advanced options
Use the advanced menu options to configure the tags:
Option Description
Show Activated gateways - Lists the activated Clusters and the status of each CloudGuard for NSX Gateway.
Modify Anti-Bot Security Tag - Enables or disables the tagging for the Anti-Bot Software Blade and changes the Security Tag.
Modify Anti-Virus Security Tag - Enables or disables the tagging for the Anti-Virus Software Blade and changes the Security Tag.
Modify White List - IP Addresses listed in the White List are not tagged. Separate with spaces. Ranges are not accepted.
Create New Security Tag - Creates a new Security Tag in the NSX Manager Server.
Update Data - When you add a new ESX to a Cluster, CloudGuard for NSX Gateway automatically updates the Threat Prevention Tagging data within 15 minutes. Select this option to update the data manually on the new CloudGuard for NSX Gateway.
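An added example, not Check Point's code, that simulates the tagging decision the options above configure: per-blade enable flags, the Security Tag names (defaulting to Check_Point.BotFound and Check_Point.VirusFound), and a White List of space-separated single IP addresses in which ranges and CIDR blocks are rejected. The log event layout (blade, source IP, action), the "Prevent" action value standing for traffic that was denied entry, and the class and function names are this example's assumptions; the events are constructed sample data.

```python
# Added example, not Check Point's code. Assumed: event dicts with "blade",
# "src" and "action" keys, where action "Prevent" means the traffic was denied.
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_TAGS = {
    "Anti-Bot": "Check_Point.BotFound",
    "Anti-Virus": "Check_Point.VirusFound",
}


def parse_white_list(text: str) -> Tuple[Set[str], List[str]]:
    """Space-separated IP addresses. Returns (accepted, rejected tokens).

    Ranges (a-b) and CIDR blocks are not accepted, as the option above states.
    """
    accepted: Set[str] = set()
    rejected: List[str] = []
    for token in text.split():
        if "-" in token or "/" in token:
            rejected.append(f"{token}: ranges are not accepted")
            continue
        try:
            accepted.add(str(ipaddress.ip_address(token)))
        except ValueError:
            rejected.append(f"{token}: not an IP address")
    return accepted, rejected


class TaggerConfig:
    def __init__(self, white_list: str = "", tags: Optional[Dict[str, str]] = None):
        self.enabled = {"Anti-Bot": True, "Anti-Virus": True}
        self.tags = dict(DEFAULT_TAGS if tags is None else tags)
        self.white_list, self.white_list_errors = parse_white_list(white_list)

    def modify_tag(self, blade: str, enabled: bool, tag: Optional[str] = None) -> None:
        """The "Modify Anti-Bot/Anti-Virus Security Tag" options."""
        self.enabled[blade] = enabled
        if tag:
            self.tags[blade] = tag

    def decide(self, event: Dict[str, str]) -> Optional[str]:
        """Security Tag to assign to the source VM, or None."""
        blade = event.get("blade")
        if blade not in self.tags or not self.enabled.get(blade):
            return None
        if event.get("action") != "Prevent":   # only denied traffic tags the VM
            return None
        if event.get("src") in self.white_list:
            return None
        return self.tags[blade]


def tag_events(config: TaggerConfig, events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(source VM IP, Security Tag) pairs that would be sent to the NSX Manager."""
    result = []
    for ev in events:
        tag = config.decide(ev)
        if tag:
            result.append((ev["src"], tag))
    return result


SAMPLE_EVENTS = [  # constructed sample log events, not from the guide
    {"blade": "Anti-Bot", "src": "10.10.0.5", "action": "Prevent"},
    {"blade": "Anti-Virus", "src": "10.10.0.6", "action": "Prevent"},
    {"blade": "Anti-Bot", "src": "10.10.0.7", "action": "Detect"},
    {"blade": "Anti-Virus", "src": "10.10.0.99", "action": "Prevent"},
]

if __name__ == "__main__":
    cfg = TaggerConfig(white_list="10.10.0.99 10.10.0.0/24")
    print(cfg.white_list_errors)
    print(tag_events(cfg, SAMPLE_EVENTS))
```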
In SmartConsole, in the Logs & Monitor view, see CloudGuard Tagging in the Blade column.
A list of messages and their descriptions
Message Description
"The Virtual Machine <VM ID> was tagged successfully with Security Tag '<Tag Name>' in NSX <NSX IP Address>" - Threat Prevention tagging successfully tagged a Virtual Machine due to malicious traffic.
"Failed to get data from the Data Center <Data Center IP Address>" - Failed to get a Data Center object from the Security Management Server API. Check that there is a trusted connection for CloudGuard Controller.
Object Description
Known Limitations
- Logs for rules with VMware NSX-T NSGroups contain only the IP address, not the instance name.
- VMware NSX-T objects - No support for IP Set objects with ranges or CIDR block notation. IP Set objects that represent one or more individual IP addresses are supported.
- It is recommended to install the official VMware Tools on a Virtual Machine so that the VMware NSX-T Controller can successfully poll IP addresses. Install the VMware Tools for your specific version. Alternatives for IP discovery without VMware Tools can be found in the VMware NSX-T Administration Guide. Note - Each has different limitations in practice.
Log Description
"Data center server objects were successfully updated on gateway <Name>" - The Data Center object was successfully updated on the Security Gateway.
Option Description
Mode Description
System Default Mode - Generates a license for the IP address of the Multi-Domain Server. The license pool is on the Multi-Domain Server. The licenses are attached to all of the CloudGuard Gateways that the Domain Management Servers manage.
To use this mode, run:
Note:
License Distribution
Items
Item Description
Licenses that can be managed in pools -
    - Virtual security licenses for public and private clouds.
    - Licenses with the same contract blade package.
    Note - Licenses with different contract blades will be in separate pools. The first license pool that is created is configured as the default pool. The licenses from the default pool are attached to CloudGuard Gateways.
Gateways that receive a license -
    - New CloudGuard Gateways receive the license from the pool after policy installation.
    - Existing CloudGuard Gateways receive the license immediately after the license is added.
Distribution - CloudGuard licenses are attached from the license pool to CloudGuard Gateways. The distribution procedure is permissive. Gateways will be issued a license even when the pool no longer has licenses available.
Best Practice - We recommend that you have only one type of pool. Therefore,
licenses with the same Software Blades and contract expiration are grouped together.
Use the central license utility to ensure that licenses are distributed correctly.
The vsec_lic_cli tool is exclusively for managing CloudGuard licenses, and other tools should
not be used at the same time. CloudGuard licenses that were already added with other tools, such as
SmartUpdate, are automatically added to the pools.
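The following added example (not Check Point's code and not the vsec_lic_cli tool) models the pool rules from the Items table above so that the permissive behaviour can be seen in a usage report: licenses are pooled by contract blade package, the first pool created is the default pool, a new gateway is licensed after policy installation, an existing unlicensed gateway is licensed as soon as a license is added, and a gateway is still issued a license when the pool is exhausted. How an exhausted pool chooses which license to issue (round robin over the pool) and the class and method names are this example's assumptions.

```python
# Added example, not Check Point's code. Assumed: round-robin issue from an
# exhausted pool; the class and method names are this example's own.
from typing import Dict, List, Optional


class LicensePools:
    def __init__(self) -> None:
        self.pools: Dict[str, List[str]] = {}          # blade package -> license ids
        self.default_pool: Optional[str] = None
        self.gateways: Dict[str, Optional[str]] = {}   # gateway -> license id held
        self._issued: Dict[str, int] = {}              # pool -> licenses issued so far

    def add_license(self, license_id: str, blade_package: str) -> None:
        """Add a license to the pool for its contract blade package."""
        pool = self.pools.setdefault(blade_package, [])
        pool.append(license_id)
        self._issued.setdefault(blade_package, 0)
        if self.default_pool is None:     # the first pool created is the default
            self.default_pool = blade_package
        # Existing gateways without a license receive one immediately.
        for gw, lic in self.gateways.items():
            if lic is None:
                self.gateways[gw] = self._issue()

    def add_gateway(self, name: str) -> None:
        self.gateways.setdefault(name, None)

    def install_policy(self, name: str) -> Optional[str]:
        """A new gateway receives its license after policy installation."""
        self.add_gateway(name)
        if self.gateways[name] is None:
            self.gateways[name] = self._issue()
        return self.gateways[name]

    def _issue(self) -> Optional[str]:
        if self.default_pool is None or not self.pools[self.default_pool]:
            return None
        pool = self.pools[self.default_pool]
        # Permissive: keep issuing past the pool size (round robin, assumed).
        lic = pool[self._issued[self.default_pool] % len(pool)]
        self._issued[self.default_pool] += 1
        return lic

    def remove_license(self, license_id: str) -> List[str]:
        """Remove the license from its pool and from every gateway holding it."""
        for pool in self.pools.values():
            if license_id in pool:
                pool.remove(license_id)
        affected = [gw for gw, lic in self.gateways.items() if lic == license_id]
        for gw in affected:
            self.gateways[gw] = None
        return affected

    def usage(self) -> Dict[str, Dict[str, object]]:
        """Per-pool counts; "available" goes negative when oversubscribed."""
        report = {}
        for name, pool in self.pools.items():
            in_use = sum(1 for lic in self.gateways.values() if lic in pool)
            report[name] = {"licenses": len(pool), "in_use": in_use,
                            "available": len(pool) - in_use,
                            "oversubscribed": in_use > len(pool)}
        return report


if __name__ == "__main__":
    lp = LicensePools()
    for lic, blades in [("LIC-1", "NGTP"), ("LIC-2", "NGTP"), ("LIC-3", "NGTX")]:
        lp.add_license(lic, blades)
    for gw in ("gw-a", "gw-b", "gw-c"):
        lp.install_policy(gw)
    print(lp.usage())     # NGTP shows 3 in use against 2 licenses
```

Because distribution never refuses a gateway, the usage report is the only place an exhausted pool shows up; the license usage and core usage options of the utility are what to run after adding gateways.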
The CloudGuard License Manager Menu shows these options:
1. "Adding a License" below
2. "Removing a License" below
3. "Viewing License Usage" on the next page
4. "Running License Distribution" on the next page
5. "Configuring Automatic License Distribution for Security Gateways" on the next page
6. "Generating a Core Usage Report" on the next page
Adding a License
You can add a central license to the license pool with the IP address of a Security Management Server,
Multi-Domain Server or Domain Management Server.
The license is added to the pool to match the contract blade. Use the User Center to automatically match
the blade to the contract, or attach the contracts manually with SmartUpdate.
A license in a default pool will be distributed to the CloudGuard Gateway as needed.
Removing a License
When you remove a license from the pool, it is also removed from all CloudGuard Gateways that have the license.