CP R81.10 CloudGuard Controller AdminGuide

26 June 2021

CLOUDGUARD CONTROLLER

R81.10

Administration Guide
[Classification: Protected]
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the
latest functional improvements, stability fixes, security enhancements and protection against
new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page.

Check Point R81.10


For more about this release, see the R81.10 home page.

Latest Version of this Document in English


Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.

CloudGuard Controller R81.10 Administration Guide      |      2



Revision History

Date           Description
26 June 2021   First release of this document



Table of Contents
Introduction to CloudGuard Controller 7
Use Case 8
What's New in R81.10 CloudGuard Controller 10
Workflow for Deploying a CloudGuard Controller 11
Supported Security Gateways 11
Activating the Identity Awareness Software Blade 11
Integrating with Data Center Servers 15
Connecting to a Data Center Server 15
Data Center Query Objects 16
Creating Rules with Data Center Query Objects 18
How to Configure Data Center Query Objects in SmartConsole 18
Supported Data Centers 20
CloudGuard Controller for Amazon Web Services 20
Connecting to an Amazon Web Services Data Center Server 20
Amazon Web Services Objects 21
Importing AWS objects 21
Object Names 22
Imported Properties 22
Configuring Permissions for Amazon Web Services 23
Auto Scaling in Amazon Web Services 23
AWS STS Assume Role 23
Configuring the STS Assume Role 23
CloudGuard Controller for Cisco ACI 24
Prerequisites 24
Connecting to a Cisco ACI Data Center Server 25
Cisco ACI Objects 25
Objects 25
CloudGuard Controller for Cisco Identity Services Engine (ISE) 26
Prerequisites: 26
Connecting to a Cisco ISE Data Center 26
Cisco ISE Objects 27
Automatic Failover 27
CloudGuard Controller for Google Cloud Platform 27


Configuring Permissions for Google Cloud Platform 27


GCP APIs 28
Connecting to a Google Cloud Platform Data Center 28
Google Cloud Platform Objects 28
Objects 28
Importing GCP objects 29
Object Names 29
Instance and Subnet use the following names: 29
Imported Properties 29
CloudGuard Controller for Kubernetes 30
Adding Kubernetes to CloudGuard Controller 30
Prerequisite 30
Connecting to a Kubernetes Server 30
CloudGuard Controller for Microsoft Azure 31
Connecting to a Microsoft Azure Data Center Server 31
Microsoft Azure Objects 32
Objects 32
Imported Properties 33
Auto Scaling in Microsoft Azure 34
CloudGuard Controller for Nuage Networks VSP 34
Connecting to a Nuage Data Center 34
Nuage Objects 34
Objects 34
Imported Properties 35
CloudGuard Controller for OpenStack 36
Prerequisites 36
Connecting to an OpenStack Server 36
OpenStack Objects 37
Objects 37
Imported Properties 37
CloudGuard Controller for VMware Servers 38
Connecting to a VMware Server 38
CloudGuard Controller for VMware NSX-T Management Server 38
Prerequisites 38
VMware NSX-T Objects 38


Imported Properties 39
Known Limitations 40
CloudGuard Controller for VMware vCenter 40
Prerequisites 40
CloudGuard Controller for VMware NSX-V Manager Server 40
VMware vCenter Objects 40
Objects 40
Imported Properties 41
VMware NSX-V Objects 41
Objects 41
Threat Prevention Tagging for CloudGuard for NSX Gateway 42
Advanced Options 42
Threat Prevention Tagging Logs 43
CloudGuard Controller Monitoring 44
CloudGuard Controller Logs and Events 44
CloudGuard Controller Status 45
Creating a User Defined Event and Sending Alerts 46
Configuration Parameters 49
CloudGuard Central Licensing 50
License Pooling 50
License Distribution 51
Using the Central Licensing Utility with Existing Licenses 51
Managing CloudGuard Central Licenses 51
Adding a License 52
Removing a License 52
Viewing License Use 52
Running License Distribution 52
Configuring Automatic License Distribution for Security Gateways 53
Generating a Core Use Report 53



Introduction to CloudGuard Controller
A component of Check Point's Security Management Server, the CloudGuard Controller manages security in public and on-premises environments with one unified management solution. The CloudGuard Controller dynamically learns about objects and attributes in data centers, such as changes in subnets, security groups, virtual machines, IP addresses, and tags. After using the vendor's API to establish a trust relationship with a data center, the CloudGuard Controller regularly polls the connected environments for changes in objects and object attributes used in the Security Policy. Changes are automatically pushed to the Security Gateway.

Item   Description
1      CloudGuard Controller establishes a trusted relationship with the cloud environment.
2      With the use of the vendor's APIs, the CloudGuard Controller connects to the cloud environment and regularly polls it for changes.
3      Changes in the cloud environment are sent to the CloudGuard Controller.
4      The CloudGuard Controller pushes updates to attributes and objects in the Security Policy rules to Check Point Security Gateways.




Use Case
Dynamic environments such as public and on-premises data centers and clouds present a large challenge to security professionals. The number of subnets, machines, and IP addresses changes quickly. The legacy model of manual updates to the security policy and Security Gateways every two or three days is too slow for such environments.
In most organizations, personnel from several different departments have permission to add or remove assets in data centers. This kind of overlap creates a concern about the security and maintenance of assets in the data center. The solution to manual updates is to protect the security and maintenance of the assets automatically, and this is where the CloudGuard Controller assists. With the CloudGuard Controller, the Security Operations Center (SOC) can configure the security policy to automatically detect changes in data centers and push these changes directly to the Gateway.
For example, an R&D team needed to add an R&D server and a separate R&D server for staging. This required constant emails and service tickets between the server team and the SOC team. To add or remove an IP address, the server team had to open a ticket with the InfoSec team. Then the InfoSec team had to manually update the information. The process looks like this:

SRC   DST        Action
IP1   Internet   Allow
IP2   Internet   Allow
IP3   Internet   Allow
IP4   Internet   Allow
IP5   Internet   Allow

The problem grows with each request from R&D to remove or add an IP address. With possibly hundreds of IPs, errors and frustration for the two teams are inevitable.
This is where the CloudGuard Controller comes in to help.
The CloudGuard Controller changes a static, manual process into a dynamic, automatic flow of data. The two teams only have to use one tag, which represents changes in the data center. Rather than the manual, meticulous IP table and the constant emails between the teams, the CloudGuard Controller removes the dependency on a manual procedure. For example:

SRC               DST        Action
*department=rnd   Internet   Allow

* Note - department=rnd is the tag.


For more information, see "Data Center Query Objects" on page 16.
Check Point's CloudGuard Controller integrates with these virtual cloud environments:
• "CloudGuard Controller for Amazon Web Services" on page 20
• "CloudGuard Controller for Cisco ACI" on page 24
• "CloudGuard Controller for Cisco Identity Services Engine (ISE)" on page 26
• "CloudGuard Controller for Google Cloud Platform" on page 27
• "CloudGuard Controller for Kubernetes" on page 30
• "CloudGuard Controller for Microsoft Azure" on page 31
• "CloudGuard Controller for Nuage Networks VSP" on page 34
• "CloudGuard Controller for OpenStack" on page 36
• "CloudGuard Controller for VMware Servers" on page 38
  ◦ "CloudGuard Controller for VMware vCenter" on page 40
  ◦ "CloudGuard Controller for VMware NSX-V Manager Server" on page 40
• "CloudGuard Controller for VMware NSX-T Management Server" on page 38



What's New in R81.10 CloudGuard Controller
• Data Center Query Objects - A simplified procedure to create queries with the use of Data Center Objects to represent multiple data centers in the Security Policy. It provides a better and easier differentiation of responsibilities to manage data centers.

  Use Cases
  ◦ Simplify the policy - Use one query object to represent data center objects from multiple data centers. This eliminates the necessity for multiple rules.
  ◦ Simplify operations - Create the policy before data centers are set up. This makes it easier to differentiate responsibilities between security admins and DevOps teams.
  ◦ Powerful policies - Use logical operators to create a more sophisticated selection of data center objects in the rule base.
• Support for New Data Centers
  ◦ Kubernetes Data Center - Added CloudGuard Controller support for Kubernetes Clusters. Administrators can now create a Kubernetes-aware security policy for Kubernetes North-South traffic.
  ◦ VMware vCenter, version 7
• In NAT policy, added support for Data Center objects in the Original Source and Original Destination columns.
• CloudGuard Controller can use the system proxy for connections to all data centers.
• Cloud, a new object category in SmartConsole's Object Explorer, aggregates all data centers, data center objects and data center queries into one category.



Workflow for Deploying a CloudGuard Controller
CloudGuard Controller is a process that runs on the Check Point Security Management Server.
Important:
1. When you install R81.10 CloudGuard Controller, these files are overwritten with default values:
   • $MDS_FWDIR/conf/vsec.conf
   • $MDS_FWDIR/conf/tagger_db.C
   • $MDS_FWDIR/conf/AWS_regions.conf
2. Before you start the upgrade, back up all files that you changed.

Note - During the upgrade, CloudGuard Controller does not communicate with the Data Center. Therefore, Data Center objects are not updated on the CloudGuard Controller or the Security Gateways.

Supported Security Gateways

R81.10 CloudGuard Controller can manage these Security Gateways:
• R80.10 and higher
• R77.30
• R77.20
• Maestro Security Groups with R80.20SP and higher
• 40000 / 60000 Scalable Chassis with R80.20SP and higher

Important - To use the CloudGuard Controller with R77.20 and R77.30 Security Gateways (with R77.30 Jumbo Hotfix Accumulator below Take 309), you must install the CloudGuard Controller / vSEC Controller Enforcer Hotfix (see sk129152) on those R77.20 and R77.30 Security Gateways.

Note - Support for Data Center Query Objects is from R80.10 and above.

Activating the Identity Awareness Software Blade

To activate the Identity Awareness Software Blade:
Note - Do Step 1 only one time. Do steps 2, 3, and 4 for each Security Gateway that needs to enforce a policy with CloudGuard Controller objects.




1. Connect with SmartConsole to the Management Server.
2. Create a Host object with the main IPv4 address 127.0.0.1 and click OK.
3. From the left navigation panel, click Gateways & Servers.
4. Double-click the Security Gateway object.
5. Enable the Identity Awareness Software Blade.
6. From the left tree, click Identity Awareness.
7. Enable the Identity Web API.




8. On the right side of the Identity Web API, click Settings.


9. In the Authorized Clients section:
a. Click the green [+]
b. Select the Host object with the IP address 127.0.0.1
c. Click OK



Integrating with Data Center Servers


Connecting to a Data Center Server
The Management Server connects to the Software-Defined Data Center (SDDC) through the Data Center Server object in SmartConsole.

To create a connection to the Data Center:
1. In SmartConsole, create a new Data Center object in one of these ways:
   • In the top left corner, click Objects menu > More object types > Cloud > Data Center > applicable Data Center.
   • In the top right corner, click Objects Pane > New > More > Cloud > Data Center > applicable Data Center.
2. In the Enter Object Name field, enter a name.
3. Enter the connection and credentials information.
4. To establish a secure connection, click Test Connection.
   If the certificate window opens, verify the certificate and click Trust.
5. Click OK when the Connection Status changes to Connected.
   If the status is not Connected, troubleshoot the issues before you continue.
6. Click OK.
7. Publish the SmartConsole session.
Notes:
• If the connection properties of a Data Center Server changed (for example, the credentials or the URL), make sure to re-install the policy on all the Security Gateways that have objects from that Data Center in their policy.
• If the Data Center Server's certificate was changed, then communication with the Data Center Server fails.
  To repair the issue:
  1. Open the Data Center Server object in SmartConsole.
  2. Click Test Connection again.
  3. Accept the new certificate.


You can add Data Center objects and Data Center Query objects to the Source and/or Destination columns
of Access Control rules and Threat Prevention rules. In addition, Data Center objects (but not Data Center
queries) can be added to the NAT policy.

To add Data Center objects to an Access Control or Threat Prevention rule:


1. In SmartConsole, from the left navigation panel, click Security Policies.
2. At the top, click Access Control > Policy.
3. In the applicable rule, in the Source or Destination column, click + to add new items.
4. Click Import.
5. Select an existing Data Center object.
-or-
Click Data Centers > New Data Center > applicable Data Center.
6. Install the Access Control Policy.

Data Center Query Objects

With Data Center Query Objects, administrators can create one Query Object based on attributes across multiple data centers. This simplifies the work when administrators create policies with multiple rules, because they only need one query object for data center objects from multiple data centers. Furthermore, admins can create the policy even before they configure a data center in SmartConsole. This makes it easier to separate responsibilities between security admins and other teams that may need to create data centers in SmartConsole.
The new Query object is used in the same way as Data Center objects. As with Data Center Objects, when the Data Center Query is added to the Rule Base, the CloudGuard Controller pulls the assets from all the Data Centers in the query object and updates the Security Gateway accordingly.

Without Data Center Query:
1. Create the Data Center account(s).
2. Import objects from each Data Center to the Rule Base.
3. No choice for complex logic inside the rules.

With Data Center Query:
• Create Data Center Query objects and add them to the Rule Base before or after you create Data Center account(s). Important - You cannot install policy if there is only a Data Center Query but no Data Center object(s). Create the Data Center Query object with the All Data Centers option. The advantage is that if new Data Center Servers are added later on, then rules in the Rule Base with such a Data Center Query object (with the 'All Data Centers' option) are automatically applied to assets in the new Data Center Servers without more actions in the Rule Base (you must push policy after adding the new Data Center Servers).
• One Data Center Query Object can use assets (objects) from more than one, or all, Data Centers. This results in simpler security rules.
• The Query is more complex and larger than what is possible in the security rule's logic.
  ◦ OR logic inside each query rule: use ";" between items
  ◦ AND logic between query rules


Example 1: Data Center Query Object

Applies to all current and future data centers.
This is the query logic:
• All assets of type Instance OR Load Balancer
• AND
• Tagged with:
  "server_type=prod_app"
  OR
  "server_type=prod_db"
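To make the query semantics of the comparison table and Example 1 concrete, here is an added example (not Check Point's code) that evaluates a Data Center Query over a small constructed inventory: ";" inside one query rule is OR, separate query rules are ANDed, and a query with no Data Center scope stands for the All Data Centers option. The asset fields follow the Import Data Center window (Type, Name, IP, tag); the Python representation, the function names and the sample assets are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Asset:
    """One imported Data Center asset, with the fields the Import Data Center window shows."""
    data_center: str                          # Data Center Server object the asset came from
    asset_type: str                           # "Type in Data Center": Instance, Load Balancer, Subnet, ...
    name: str                                 # "Name in Data Center"
    ip: str                                   # address or CIDR as imported
    tags: dict = field(default_factory=dict)  # custom tags, key -> value


# Constructed inventory spanning two Data Centers (sample data, not from any real account).
INVENTORY = [
    Asset("aws-prod", "Instance", "app-1", "10.1.0.11", {"server_type": "prod_app"}),
    Asset("aws-prod", "Instance", "db-1", "10.1.0.21", {"server_type": "prod_db"}),
    Asset("aws-prod", "Load Balancer", "lb-1", "10.1.0.5", {"server_type": "prod_app"}),
    Asset("aws-prod", "Subnet", "subnet-a", "10.1.0.0/24", {"server_type": "prod_app"}),
    Asset("azure-dev", "Instance", "dev-1", "10.2.0.11", {"server_type": "dev"}),
    Asset("azure-dev", "Virtual Machine", "vm-staging", "10.2.0.12", {"server_type": "prod_app"}),
]


def split_or(value):
    """Inside one query rule, ';' between items means OR; spaces around items are ignored."""
    return [item.strip() for item in value.split(";") if item.strip()]


def ip_overlaps(asset_ip, query_ip):
    """Compare as networks so a host address, a subnet CIDR or a VPC CIDR can all be matched."""
    return ip_network(asset_ip, strict=False).overlaps(ip_network(query_ip, strict=False))


def rule_matches(asset, field_name, value):
    """One query rule: the asset matches when ANY ';'-separated alternative matches."""
    alternatives = split_or(value)
    if field_name == "type":
        return asset.asset_type in alternatives
    if field_name == "name":
        return asset.name in alternatives
    if field_name == "ip":
        return any(ip_overlaps(asset.ip, alt) for alt in alternatives)
    if field_name == "tag":
        # Tags compare as "key=value" strings, so "key=" matches a key that has no value.
        asset_tags = {f"{k}={v}" for k, v in asset.tags.items()}
        return any(alt in asset_tags for alt in alternatives)
    raise ValueError(f"unknown query field: {field_name}")


def matching_ips(inventory, rules, data_centers=None):
    """Evaluate a Data Center Query: query rules are ANDed together, and
    data_centers=None stands for the 'All Data Centers' option.
    Returns the set of asset IP addresses that would be pushed to the Security Gateway."""
    in_scope = [a for a in inventory if data_centers is None or a.data_center in data_centers]
    return {a.ip for a in in_scope if all(rule_matches(a, f, v) for f, v in rules)}


# Example 1 from the guide: (Instance OR Load Balancer) AND (prod_app OR prod_db), all Data Centers.
EXAMPLE_1 = [
    ("type", "Instance; Load Balancer"),
    ("tag", "server_type=prod_app; server_type=prod_db"),
]

if __name__ == "__main__":
    print(sorted(matching_ips(INVENTORY, EXAMPLE_1)))
```

Adding an asset from a newly connected Data Center to the inventory changes the result of an All Data Centers query with no rule edit, which is the behaviour the table describes; the policy still has to be pushed after the new Data Center Server is added. The same mechanism is why membership should be reviewed when the query scope is widened: every asset that carries a matching tag, in every connected Data Center, becomes part of the rule.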

Example 2: Rule Base

Earlier versions require you to use multiple tag objects for multiple accounts.
• Rules must be updated for every data center added.
• Rules cannot have the logic for only Instances or Load Balancers.


R81.10 uses Data Center Query objects:
• No need to update the rule when new data center(s) are added.
• Rules can include complex OR and AND operations to improve the policy.

Note - Rule No. 1 is without a Data Center Query; Rule No. 2 is with a Data Center Query.

Creating Rules with Data Center Query Objects

To add a Data Center Query to a rule:
You can add a Data Center Query to the Source and/or Destination columns of Access Control rules and Threat Prevention rules.
From the Rule Base, click + and select it from the list of items.
-or-
Click the + button > New > Data Center Query.

How to Configure Data Center Query Objects in SmartConsole
Step 1: Create a Data Center Query Object.
a. Go to SmartConsole > Cloud > Data Center Queries > New.
b. Add the applicable Data Center(s).
c. Configure the Query Rules to match the value used for Type, Name, and IP in the Import Data Center window.

   Type in Data Center   Type in the Data Center, such as Instance, Virtual Machine, Load Balancer, Subnet, Availability Zone, and more.
   Name in Data Center   The asset's name
   IP address            The asset's IP address
   Customer tag          Free text key and value

Note - All object IP addresses that match the query are updated on the Security Gateway.


d. Optional: To review the query, click Preview Query.


e. Click OK.

Step 2: Add the Data Center Query object from Step 1 to the Rule base.

Step 3: Install the policy on the Security Gateway.

Supported Data Centers


Data Center connections can use the Gaia system proxy. To configure this, in the vsec.conf file, change the value of the "use SystemProxy" parameter from "false" to "true". See "Configuration Parameters" on page 49.
Check Point integrates the CloudGuard Controller with these Data Centers:
• Amazon Web Services
• Cisco ACI
• Cisco ISE
• Google Cloud Platform (GCP)
• Kubernetes
• Microsoft Azure
• Nuage Networks VSP
• OpenStack
• VMware vCenter
• VMware NSX-T
• VMware NSX-V

CloudGuard Controller for Amazon Web Services
The CloudGuard Controller integrates the Amazon Web Services (AWS) cloud with Check Point security.
Note - See the "AWS Data Center enhancements" in "What's New in R81.10 CloudGuard Controller" on page 10.

Important - The CloudGuard Controller server clock must be synchronized with the current, local time. Use of an NTP server is recommended. Time synchronization issues can cause polling information from the cloud to fail.

Connecting to an Amazon Web Services Data Center Server
To connect to an AWS Data Center Server:
1. In SmartConsole, create a new Data Center object in one of these ways:
   • In the top left corner, click Objects menu > More object types > Server > Data Center > New AWS.
   • In the top right corner, click Objects Pane > New > More > Server > Data Center > AWS.


2. In the Enter Object Name field, enter a name.
3. Select the applicable authentication method:
   • User Authentication - Uses the Access keys to authenticate.
   • Role Authentication - Uses the AWS IAM role to authenticate. This option requires the Security Management Server to be deployed in AWS and have an IAM Role.
4. If you select User Authentication, enter your Access key ID and Secret access key.
5. In the Region field, select the AWS region to which you want to connect.
6. Click Test Connection.
7. Click OK.
8. Publish the SmartConsole session.

Amazon Web Services Objects

Objects:

Object              Description
VPC                 Amazon Virtual Private Cloud enables you to launch resources into your Virtual Network.
Availability Zone   A separate geographic area of a region. There are multiple locations with regions and availability zones worldwide.
Subnet              All the IP addresses from the Network Interfaces related to this subnet.
Instance            Virtual computing environments.
Tags                Groups all the instances that have the same Tag Key and Tag Value.
Security Group      Groups all the IP addresses and Security Groups from all objects associated with this Security Group.
Load Balancer       Load Balancer distributes incoming traffic across multiple targets such as EC2 Instances and IP addresses. Only Application and Network Load Balancers are supported.

Importing AWS objects

Use one of these options to import AWS objects to your policy:

Import Option     Description
Regions           Import AWS VPCs, Load Balancers, Subnets or Instances from a certain region to your Security Policy.
Security Groups   Import all IP addresses that belong to a specific security group. The Security Group is used only as a container for the list of all IP addresses of Instances that are attached to this group.
Tags              Import all instances and Security Groups that have a specific Tag Key or Tag Value.

Notes:
• CloudGuard Controller saves Tags with a Key and no Value as "Tag key=".
• CloudGuard Controller truncates leading and trailing spaces in Tag Keys and Tag Values.
• All changes in AWS are updated automatically in the Check Point Security Policy. Users with permissions to change resource tags in AWS can therefore change their own access permissions.

Object Names
Object names are the same as those in the AWS console.
VPC, Subnet, Instance, and Security Group objects are named as follows:

Tag Name                  Object Name
Tag Name exists           "<Object ID> (<Value of the Tag Name>)"
Tag Name does not exist   "<Object ID>"
Tag Name is empty         "<Object ID>"
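The tag notes and the Object Names table above, applied in code. This is an added example, not Check Point's code: it converts the Key/Value tag list that the EC2 DescribeInstances API returns into the stored "key=value" form (trimmed, with "key=" for a key that has no value), derives the SmartConsole object name from the Name tag, and diffs two polls to show which instances entered or left a tag-based rule. The function names and the sample resources are assumptions.

```python
def normalize_tags(raw_tags):
    """Turn the Key/Value list the EC2 API returns into {key: value}, applying the guide's
    rules: leading/trailing spaces are trimmed, and a Key with no Value keeps an empty
    string (stored as "key=")."""
    tags = {}
    for tag in raw_tags:
        key = tag["Key"].strip()
        value = (tag.get("Value") or "").strip()
        tags[key] = value
    return tags


def tag_strings(tags):
    """Render tags the way the controller stores them: "key=value", or "key=" for no value."""
    return sorted(f"{key}={value}" for key, value in tags.items())


def object_name(object_id, tags):
    """Object Names table: "<Object ID> (<Value of the Tag Name>)" when a non-empty Name tag
    exists, otherwise just "<Object ID>"."""
    name = tags.get("Name", "")
    return f"{object_id} ({name})" if name else object_id


def import_objects(described):
    """Map a DescribeInstances-style list to {object name: stored tag strings}."""
    imported = {}
    for resource in described:
        tags = normalize_tags(resource.get("Tags", []))
        imported[object_name(resource["InstanceId"], tags)] = tag_strings(tags)
    return imported


def tag_membership_changes(before, after, tag):
    """Which instances gained or lost a policy-relevant tag between two polls. Because a tag
    change in AWS changes rule membership, a reviewer wants this diff, not only the new list."""
    def members(snapshot):
        return {r["InstanceId"] for r in snapshot
                if tag in tag_strings(normalize_tags(r.get("Tags", [])))}
    old, new = members(before), members(after)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


# Constructed sample in the shape of EC2 DescribeInstances tag lists (not real resources).
SAMPLE = [
    {"InstanceId": "i-0a1", "Tags": [{"Key": " Name ", "Value": " web-1 "},
                                     {"Key": "department", "Value": "rnd"}]},
    {"InstanceId": "i-0b2", "Tags": [{"Key": "department", "Value": "rnd"},
                                     {"Key": "owner"}]},                 # key with no value
    {"InstanceId": "i-0c3", "Tags": [{"Key": "Name", "Value": "   "}]},  # empty Name tag
]

if __name__ == "__main__":
    for name, tags in import_objects(SAMPLE).items():
        print(name, tags)
```

The membership diff is the check that the third note calls for: because anyone who can edit tags in AWS can move an instance into or out of a tag-based rule, polling the tag snapshot and alerting on "added" entries for sensitive tags gives the SOC a record of who effectively changed the policy.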

Imported Properties

Imported Property   Description
Name                Resource name as shown in the AWS console. User can edit the name after importing the object.
Name in Server      Resource name as shown in the AWS console
Type in Server      Resource type
IP                  Associated private and public IP addresses
Note                CIDR for subnets and VPC objects
URI                 Object path
Tags                Tags (Keys and Values) that are attached to the object


Configuring Permissions for Amazon Web Services

Minimal permissions for the User or Role

Item       Value
Effect     Allow
Actions    ec2:DescribeInstances
           ec2:DescribeNetworkInterfaces
           ec2:DescribeSubnets
           ec2:DescribeVpcs
           ec2:DescribeSecurityGroups
Resource   All ("*")

For more information about Roles and the IAM policy, see Amazon Web Services documentation.
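The permissions table above written out as an IAM policy document, with a small least-privilege review that compares any policy attached to the controller's user or role against that minimum. This is an added example, not Check Point's or AWS's code. The document shape (Version, Statement, Effect, Action, Resource) is the standard IAM policy format; the review function is an assumption that only inspects Allow statements and does not model Deny, NotAction or Condition.

```python
import fnmatch
import json

# The minimal actions the guide's permissions table lists for the controller's user or role.
REQUIRED_ACTIONS = {
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "ec2:DescribeSecurityGroups",
}


def minimal_policy():
    """The IAM policy document that corresponds to the table: Allow, the five actions, Resource "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}],
    }


def policy_json():
    """The same document as JSON text, ready to paste into the IAM console."""
    return json.dumps(minimal_policy(), indent=2)


def allowed_actions(policy):
    """Collect every action granted by Allow statements; Action may be a string or a list.
    Deny statements, NotAction and Condition keys are not modelled here (assumption)."""
    actions = set()
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        action = statement.get("Action", [])
        actions.update([action] if isinstance(action, str) else action)
    return actions


def action_covers(granted, required):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards (e.g. "ec2:Describe*")."""
    return fnmatch.fnmatchcase(required.lower(), granted.lower())


def review_policy(policy):
    """Least-privilege review against the guide's table.
    missing: required actions no Allow statement covers (the controller's polling will fail).
    excess:  granted actions that are not exactly one of the five, including wildcards that
             would cover them, since a wildcard grants more than the documented minimum."""
    granted = allowed_actions(policy)
    required_lower = {r.lower() for r in REQUIRED_ACTIONS}
    missing = {r for r in REQUIRED_ACTIONS if not any(action_covers(g, r) for g in granted)}
    excess = {g for g in granted if g.lower() not in required_lower}
    return {"missing": sorted(missing), "excess": sorted(excess)}


if __name__ == "__main__":
    print(policy_json())
    print(review_policy({"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}))
```

The five Describe actions are read-only, so the credentials the controller holds cannot change anything in the account; a policy that reports an "excess" entry such as ec2:* or ec2:Describe* works, but gives the controller's key more than the controller needs.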

Auto Scaling in Amazon Web Services


The AWS Auto Scaling service with the Check Point Auto Scaling group can increase or decrease the
number of CloudGuard Gateways according to the current load.
CloudGuard Controller for AWS works with the Check Point Auto Scaling Group. The Check Point Security
Management Server updates Data Center objects automatically on the Check Point Auto Scaling group.

AWS STS Assume Role

AWS's Security Token Service (STS) Assume Role allows administrators to give access to AWS resources across different AWS user accounts.
Use Case
This feature is especially helpful for CloudGuard Controller administrators who manage multiple data centers.
Instead of administrators needing to create multiple AWS user accounts and configure access permissions to AWS resources for each account, the STS Assume Role allows them to create the necessary permissions once for use across multiple AWS accounts. For the CloudGuard Controller, this means that it connects to a specific AWS account from a different AWS user account, which has the correct credentials configured.
For more information, see Amazon's IAM documentation or watch a short video here.

Configuring the STS Assume Role

The CloudGuard Controller AWS Data Center authentication supports STS Assume Role, in addition to User and IAM Role authentication. Before R81.10, the only options for authentication were the Access key and Secret access key, or Role Authentication.
R81.10 adds the STS Assume Role checkbox, which allows Access key and Secret access key authentication with or without STS Assume Role, or Role Authentication with or without STS Assume Role.


To use the STS Assume Role in SmartConsole:


1. Create a new AWS Data Center in SmartConsole.
2. Select the authentication type (User or Role).

3. Select the checkbox STS Assume Role, and enter the Role and ID as defined in the creation of the
STS Assume Role.

CloudGuard Controller for Cisco ACI

CloudGuard Controller integrates the Cisco ACI fabric with Check Point security.
To learn more, see the vSEC for ACI Managed by R80.10 Security Management Server Administration Guide for R80.10.

Prerequisites
• Cisco ACI version 4.1 or lower.
• You must have a Cisco ACI user role with minimum read permissions for Tenant EPG.
  Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be required for device package installation (CloudGuard for ACI).
• Enable Bridge Domain unicast routing to allow IP address learning for EPGs on the Cisco ACI.


• Define a subnet on the Bridge Domain to help the fabric maintain IP address learning tables. This prevents time-outs on silent hosts that respond to periodic ARP requests.
• Before you do the upgrade on the Management Server, if you have a Cisco APIC server, keep only one URL. After the upgrade, add the other URLs.

Connecting to a Cisco ACI Data Center Server

To connect to a Cisco ACI Data Center Server:
1. In SmartConsole, create a new Data Center object in one of these ways:
   • In the top left corner, click Objects menu > More object types > Server > Data Center > New Cisco ACI.
   • In the top right corner, click Objects Pane > New > More > Server > Data Center > Cisco ACI.
2. In the Enter Object Name field, enter the applicable name.
3. In the URLs field, enter the addresses of the ACI Cluster Members. Multiple URLs allow support for an APIC cluster for redundancy.
   Important:
   • These addresses can be either HTTP or HTTPS, but not both.
   • IP address mapping and updates are based on ACI fabric IP learning capabilities, which require enabling unicast routing on the Bridge Domain containing the EPG.
4. In the Username field, enter your Cisco APIC server User ID.
   When using Login Domains, use the following syntax:

   apic:<domain>\<username>

5. In the Password field, enter the Cisco APIC server password.
6. Click Test Connection.
7. Click OK.
8. Publish the SmartConsole session.

Cisco ACI Objects

Objects

Object                  Description
Tenant                  A logical separator for customers, BU, groups, traffic, administrators, visibility, and more.
Application Profile     A container of logically related EPGs, their connections, and the policies that define those connections.
End-Point Group (EPG)   A container for objects that require the same policy treatment. EPG examples: app tiers or services (usually, VLAN)
L2 Out                  A bridged external network.
L2 External EPG         An EPG that represents external bridged network endpoints.

CloudGuard Controller for Cisco Identity Services Engine (ISE)
The CloudGuard Controller integrates Cisco ISE with Check Point security. It allows the use of TrustSec security groups in the Security Policy according to the static IP-to-SGT mappings in ISE. The ISE server is represented as the Data Center server in Check Point. It connects to the ISE administration nodes and automatically retrieves object data. For redundancy, it is possible to provide both primary and secondary ISE administration nodes.
The ISE External RESTful Services (ERS) API enables communication with ISE.

Prerequisites:
• Cisco ISE version 2.1
• An ISE administrator with the ERS-Operator or ERS-Admin group assignment
• ERS enabled on the ISE administration nodes

Connecting to a Cisco ISE Data Center

To connect to a Cisco ISE Data Center:
1. In SmartConsole, create a new Data Center object in one of these ways:
   • In the top left corner, click Objects menu > More object types > Server > Data Center > New Cisco ISE.
   • In the top right corner, click Objects Pane > New > More > Server > Data Center > Cisco ISE.
2. In the Enter Object Name field, enter a name.
3. In the Hostname(s) field, add the ISE administration node(s) IP address or hostname.
4. In the Username field, enter the ISE administrator username.
5. In the Password field, enter the ISE administrator password.
6. Click Test Connection.
7. Click OK.
8. Publish the SmartConsole session.


Cisco ISE Objects

Object            Description
Security Groups   Groups of users, endpoints, and resources that share Access Control policies. You define the Security Groups in Cisco ISE.

Automatic Failover
If there is a failure to communicate with the provided ISE administration nodes, the CloudGuard Controller enters a recovery mode. In recovery mode, it automatically tries again to establish a connection with the administration nodes. Connection is attempted with the nodes in the order they were entered.
Important - Make sure that the secondary node is correctly synchronized with the primary node. If not, the IP-to-SGT data may not be up to date.

CloudGuard Controller for Google Cloud Platform
The CloudGuard Controller integrates the Google Cloud Platform (GCP) with Check Point security.

Important - The CloudGuard Controller server clock must be synchronized with the current, local time. Use of an NTP server is recommended. Time synchronization issues can cause polling of information from the cloud to fail.

Configuring Permissions for Google Cloud Platform


You must authenticate and connect to your Google Cloud Platform account to retrieve objects.
Authentication is done with GCP Service Account credentials.
The CloudGuard Controller retrieves objects from all projects to which the Service Account has access.
You can use these authentication methods:

Authentication Method | Description
Service Account VM Instance Authentication | Uses the Service Account VM Instance to authenticate. This option requires the Security Management Server to be deployed in GCP and to run as a Service Account with the required permissions.
Service Account Key Authentication | Uses the Service Account private key file to authenticate. Use the GCP web console to create a Service Account Key JSON file.

Minimum permissions for the service account


The service account must have read permissions for all the relevant resources (for example, the Viewer role).

- Networks
- Instances
- Subnetworks

GCP APIs
You must enable the Cloud Resource Manager API for the project to which the service account belongs.
The Compute Engine API must be enabled for all the projects to which the Service Account has access.
Enable these APIs from the GCP API Library.

Connecting to a Google Cloud Platform Data Center


To connect to a Google Cloud Platform Data Center
1. In SmartConsole, create a new Data Center object in one of these ways:
- In the top left corner, click Objects menu > More object types > Server > Data Center > New Google Cloud Platform.
- In the top right corner, click Objects Pane > New > More > Server > Data Center > Google Cloud Platform.
2. In the Enter Object Name field, enter the applicable name.
3. Select the applicable authentication method:
- Service Account Key Authentication
- Service Account VM Instance Authentication
4. If you select Service Account Key Authentication, import the Service Account JSON file.
5. Click Test Connection.
6. Click OK.
7. Publish the SmartConsole session.
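
The permission, API and key-file steps above, done from the command line with gcloud, as an added example that is not part of this guide and not Check Point's code: it creates a service account that holds only the Viewer role, enables the two APIs named in "GCP APIs", downloads a JSON key for Service Account Key Authentication, and checks the key file before it is imported into SmartConsole. The project ID, the account name and the key file name are placeholders.

```shell
#!/bin/sh
# Added example, not Check Point's code. Assumptions: gcloud is authenticated as
# a project owner; CG_PROJECT_ID and the account name are placeholders to replace.
PROJECT_ID="${CG_PROJECT_ID:-my-project-id}"
SA_ID="${CG_SA_ID:-cloudguard-controller}"
SA_EMAIL="${SA_ID}@${PROJECT_ID}.iam.gserviceaccount.com"

# Create the account with the Viewer role only (read access to every resource
# the Controller polls, nothing more), enable the two APIs this section
# requires, and download a JSON key for Service Account Key Authentication.
provision_cloudguard_sa() {
  gcloud iam service-accounts create "$SA_ID" --project "$PROJECT_ID" \
    --display-name "CloudGuard Controller (read-only)"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:${SA_EMAIL}" --role roles/viewer
  # Cloud Resource Manager API is needed in the account's own project; the
  # Compute Engine API in every project the account can read, so repeat the
  # "gcloud services enable compute.googleapis.com" call for each such project.
  gcloud services enable cloudresourcemanager.googleapis.com compute.googleapis.com \
    --project "$PROJECT_ID"
  gcloud iam service-accounts keys create cloudguard-key.json --iam-account "$SA_EMAIL"
  chmod 600 cloudguard-key.json   # the key is a long-lived credential; keep it private
}

# Check a key file before importing it into SmartConsole: it must be a
# service-account key (not an OAuth client or user credential), carry a
# private key, and belong to the expected account. Returns 0 if all hold.
check_key_file() {
  f="$1"
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  grep -q '"type": *"service_account"' "$f" \
    || { echo "$f: not a service account key" >&2; return 1; }
  grep -q '"private_key": *"-----BEGIN PRIVATE KEY-----' "$f" \
    || { echo "$f: no private key material" >&2; return 1; }
  grep -q "\"client_email\": *\"${SA_EMAIL}\"" "$f" \
    || { echo "$f: client_email is not ${SA_EMAIL}" >&2; return 1; }
  return 0
}

# Usage:
#   provision_cloudguard_sa && check_key_file cloudguard-key.json
```

The check function deliberately rejects an "authorized_user" credential (the file gcloud writes for a human login), which is a common mix-up when several JSON files are lying around; only a "service_account" key works for this Data Center type.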

Google Cloud Platform Objects


Objects

Item | Description
VPC Networks | Your GCP VPC networks in the cloud
Subnet | All the IP addresses from the network interfaces related to this subnet
Instance | Virtual Machine instances
Tags | Groups all the instances that have the same network tag

Importing GCP objects


Use Projects or Tags to import GCP objects to your policy:

Import Option | Description
Projects | Import VPC networks, subnets or instances from different projects to your Security Policy
Tags | Import all instances that have a specific network tag

Note - All changes in GCP are automatically propagated to the Check Point Security Policy. Users with permission to change network tags in GCP can thereby change their own access permissions.

Object Names
Object names are the same as those in the GCP console.

Instance and Subnet use the following names:

Object | Object Name
Instance | "<Instance Name> (<Zone Name>)"
Subnet | "<Subnet Name> (<Region Name>)"

Imported Properties

Imported Property | Description
Name | Resource name as shown in the GCP console. The user can edit the name after importing the object.
Name in server | Resource name as shown in the GCP console
Type in server | Resource type
IP | Associated private and public IP addresses
Note | For instances, the list of VPC networks to which the instance belongs
URI | Object path
Tags | Network tags attached to the object

CloudGuard Controller for Kubernetes


Adding Kubernetes to CloudGuard Controller
Check Point CloudGuard Controller now provides North-South inspection for increased Kubernetes security. The new Container security component is available in native Kubernetes and in managed Kubernetes services such as Azure Kubernetes Service (AKS), Amazon EKS, Google Kubernetes Engine, and others.

Prerequisite
- Kubernetes (K8s) version 1.12 and above
Note - Island Mode (NATed IP addresses for Nodes) is not supported.

Connecting to a Kubernetes Server


Before you connect to SmartConsole, do these steps in Kubernetes:
1. Configure the settings in Kubernetes:
a. Create a service account for CloudGuard Controller that includes access to: endpoints, pods, services, and nodes.
Example:
Run these "kubectl create" commands:

kubectl create serviceaccount cloudguard-controller
kubectl create clusterrole endpoint-reader --verb=get,list --resource=endpoints
kubectl create clusterrolebinding allow-cloudguard-access-endpoints --clusterrole=endpoint-reader --serviceaccount=default:cloudguard-controller
kubectl create clusterrole pod-reader --verb=get,list --resource=pods
kubectl create clusterrolebinding allow-cloudguard-access-pods --clusterrole=pod-reader --serviceaccount=default:cloudguard-controller
kubectl create clusterrole service-reader --verb=get,list --resource=services
kubectl create clusterrolebinding allow-cloudguard-access-services --clusterrole=service-reader --serviceaccount=default:cloudguard-controller
kubectl create clusterrole node-reader --verb=get,list --resource=nodes
kubectl create clusterrolebinding allow-cloudguard-access-nodes --clusterrole=node-reader --serviceaccount=default:cloudguard-controller

b. Get the Kubernetes URL:

kubectl cluster-info

c. Export the service account token (stored Base64 encoded in the service account's secret) to a file.

Example:

kubectl get secret $(kubectl get serviceaccount cloudguard-controller -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode -w 0 > token_file

2. Configure the settings in SmartConsole:


a. In SmartConsole, create a new Data Center object in one of these ways:
- In the top left corner, click Objects menu > More object types > Server > Data Center > Kubernetes.
- In the top right corner, click Objects Pane > New > More > Server > Data Center > Kubernetes.
b. Enter a name for the Data Center object.
c. Enter the Kubernetes URL (from Step 1-b).
d. Import the service account token file (from Step 1-c).
e. Click Test Connections and make sure that the connection works.
f. Click OK.
g. Publish the SmartConsole session.
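
The Kubernetes side of the procedure above (steps 1a to 1c) as one applied manifest with a verification pass, added here as an example; it is not from the Check Point guide. One ClusterRole carries get/list on the four resource types instead of four separate roles, a check asks the API server's own authorizer that the account can read them and cannot, for instance, create pods, and the token export repeats the guide's command with a protective file mode. The service account name and namespace follow the guide; the ClusterRole and binding names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide. Assumptions: kubectl is
# configured for the target cluster, the service account lives in "default" and
# is named "cloudguard-controller" as in the guide; the ClusterRole and binding
# names below (cloudguard-reader, cloudguard-reader-binding) are invented here.
SA_NAME="${CG_SA_NAME:-cloudguard-controller}"
SA_NAMESPACE="${CG_SA_NAMESPACE:-default}"

# Emit one manifest: the service account, a single ClusterRole limited to
# get/list on endpoints, pods, services and nodes, and its binding.
cloudguard_rbac_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: ${SA_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudguard-reader
rules:
- apiGroups: [""]
  resources: ["endpoints", "pods", "services", "nodes"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudguard-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloudguard-reader
subjects:
- kind: ServiceAccount
  name: ${SA_NAME}
  namespace: ${SA_NAMESPACE}
EOF
}

# Self-check of the manifest: number of rule lines that grant a write verb.
# A least-privilege manifest returns 0.
manifest_write_verbs() {
  cloudguard_rbac_manifest | grep -c -E 'verbs:.*(create|update|patch|delete)' || true
}

# Ask the API server's authorizer what the account can do: every read it needs
# must be "yes", and a representative write must be "no". Returns non-zero on
# any deviation so it can gate the SmartConsole step in automation.
verify_cloudguard_access() {
  who="system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}"
  rc=0
  for res in endpoints pods services nodes; do
    for verb in get list; do
      if [ "$(kubectl auth can-i "$verb" "$res" --as="$who" 2>/dev/null)" != "yes" ]; then
        echo "MISSING: $verb $res" >&2
        rc=1
      fi
    done
  done
  if [ "$(kubectl auth can-i create pods --as="$who" 2>/dev/null)" != "no" ]; then
    echo "EXCESS: create pods" >&2
    rc=1
  fi
  return $rc
}

# The guide's token export, with the file kept private (the token grants
# cluster-wide read access). On Kubernetes 1.24 and later the secret is no
# longer created automatically; create a Secret of type
# kubernetes.io/service-account-token for the account first.
export_cloudguard_token() {
  out="${1:-token_file}"
  secret=$(kubectl get serviceaccount "$SA_NAME" -n "$SA_NAMESPACE" -o jsonpath='{.secrets[0].name}')
  [ -n "$secret" ] || { echo "no token secret for $SA_NAME" >&2; return 1; }
  kubectl get secret "$secret" -n "$SA_NAMESPACE" -o jsonpath='{.data.token}' | base64 --decode > "$out"
  chmod 600 "$out"
}

# Usage (against a live cluster):
#   cloudguard_rbac_manifest | kubectl apply -f -
#   verify_cloudguard_access && export_cloudguard_token token_file
```

The manifest is equivalent in effect to the nine kubectl create commands above but is easier to review and to keep in version control, and the verification step catches the two usual mistakes: a binding that points at the wrong namespace (reads answer "no") and a reused, over-broad role (the create check answers "yes").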

CloudGuard Controller for Microsoft Azure


CloudGuard Controller integrates the Microsoft Azure cloud with Check Point security.
Note - See "Azure Data Center improvements" in "What's New in R81.10 CloudGuard Controller" on
page 10.
Important - The CloudGuard Controller server clock must be synchronized with the current, local time. Use of an NTP server is recommended. Time synchronization issues can cause polling of information from the cloud to fail.

Connecting to a Microsoft Azure Data Center Server


To connect to a Microsoft Azure Data Center Server
1. In SmartConsole, create a new Data Center object in one of these ways:
- In the top left corner, click Objects menu > More object types > Server > Data Center > New Microsoft Azure.
- In the top right corner, click Objects Pane > New > More > Server > Data Center > Microsoft Azure.
2. In the Enter Object Name field, enter the applicable name.
3. Select the applicable authentication method:
- Service Principal - Uses the Service Principal to authenticate.
- Azure AD User Authentication - Uses the Azure AD User to authenticate.

If you select Service Principal Authentication (default):
- Enter your Application ID, Application Key, and Directory ID.
You can create the Service Principal in the Azure Portal, with Azure PowerShell, or with the Azure CLI.
If you select Azure AD User Authentication:
- Enter your Username and Password.
The minimum recommended permission is Reader.
You can assign the Reader permission in one of these ways:
- Assign it on all Resource Groups from which you want to pull items
- Add the permission at the subscription level
Note - If you do not have the necessary permissions, some of the functionality might not work.
4. Click Test Connection.
5. Click OK.
6. Import objects from your Microsoft Azure server to your policy (for more about these objects, see the next sections).
- Network by Subscriptions - Import VNETs, subnets, Virtual Machines or VMSSs.
- Network Security Groups (NSG) - Import all IP addresses that belong to a specific NSG. The NSG is used only as a container for the list of all IP addresses (assigned to NICs and subnets) that are attached to this group.
- Tags - Import all the IP addresses of Virtual Machines and VMSSs that have specific tags and values.
Note - All changes in Microsoft Azure are updated automatically in the Check Point Security Policy. Users with permission to change Resource Tags in Microsoft Azure can thereby change their own access permissions.
7. Install the Access Control Policy.
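
The Service Principal option in step 3, created with the Azure CLI that the text mentions, as an added example (not from the guide and not Check Point's code): the principal gets Reader at subscription level, the CLI's JSON output is mapped to the three SmartConsole fields, and a final check confirms no role beyond Reader is assigned. The subscription ID and principal name are placeholders.

```shell
#!/bin/sh
# Added example, not Check Point's code. Assumptions: the Azure CLI is logged in
# with rights to create app registrations and role assignments; the subscription
# ID and principal name are placeholders.
SUBSCRIPTION_ID="${CG_SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
SP_NAME="${CG_SP_NAME:-cloudguard-controller}"

# Create the Service Principal with Reader at subscription level (the guide's
# second option). For the Resource Group option, replace the scope with one
# "/subscriptions/<id>/resourceGroups/<name>" per group instead.
create_reader_sp() {
  az ad sp create-for-rbac --name "$SP_NAME" --role Reader \
    --scopes "/subscriptions/${SUBSCRIPTION_ID}" --output json
}

# Extract one top-level string field from the create-for-rbac JSON on stdin.
sp_field() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Print the three values SmartConsole asks for, labelled with its field names:
# appId is the Application ID, password the Application Key, tenant the Directory ID.
smartconsole_fields() {
  json=$(cat)
  printf 'Application ID: %s\n'  "$(printf '%s\n' "$json" | sp_field appId)"
  printf 'Application Key: %s\n' "$(printf '%s\n' "$json" | sp_field password)"
  printf 'Directory ID: %s\n'    "$(printf '%s\n' "$json" | sp_field tenant)"
}

# Verify the principal holds nothing beyond Reader on the subscription (a
# Contributor or Owner assignment would let a leaked Application Key change
# resources rather than only read them).
reader_only() {
  extra=$(az role assignment list --assignee "$1" \
            --scope "/subscriptions/${SUBSCRIPTION_ID}" \
            --query "[].roleDefinitionName" -o tsv | grep -v -x Reader || true)
  [ -z "$extra" ]
}

# Usage:
#   create_reader_sp | tee sp.json | smartconsole_fields
#   reader_only "$(sp_field appId < sp.json)"
```

The Application Key is printed once by create-for-rbac and cannot be read back later, which is why the usage line keeps a copy with tee; delete that file once the value is in SmartConsole.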

Microsoft Azure Objects


Objects

Object | Description
Subscription | Helps you organize access to your cloud components.
Virtual Network | Represents your Microsoft Azure Virtual Network (VNET) in the cloud.
Subnet | A range of IP addresses in a VNET. A VNET can be divided into many subnets.
Virtual Machine (VM) | Virtual computing environment.
Virtual Machine Scale Set (VMSS) | Manages sets of Virtual Machines.
Resource Group | Holds the components of your subscription as a group.
Network Security Group (NSG) | NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to the Virtual Machine instances in a Virtual Network. NSGs can be associated with either subnets or individual Virtual Machine instances in that subnet.
Load Balancer | Distributes incoming traffic that arrives at the Load Balancer's frontend to backend pool instances, according to rules and health probes.
Tags | Keys and values attached to the object.

Imported Properties

Imported Property | Description
Name | Name of the object and the object's Resource Group. Format is: obj_name (obj_resource_group_name). The user can edit the name after importing the object.
Name in server | Name of the object and the object's Resource Group. Format is: obj_name (obj_resource_group_name)
Type in server | Object type
IP address | - Virtual Machines and VMSS: Public and Private IP addresses
           | - Load Balancers: Frontend IP addresses
           | - Subnets: VMs, VMSSs, and Internal Load Balancers Frontend IPs
           | - NSGs: VMSSs and Subnets IP addresses associated with this NSG
           | - Tags: VNETs, VMs, VMSSs and Load Balancers IP addresses associated with this specific Tag Key or Tag Value
Note | Contains the address prefixes for VNETs and subnets
URI | Object path
Tags | Keys and Values attached to the Object
Location | Physical location in Microsoft Azure

Auto Scaling in Microsoft Azure


The Microsoft Azure Auto Scaling service with the Check Point Auto Scaling group can increase or decrease
the number of CloudGuard Gateways according to the current load.
CloudGuard Controller for Microsoft Azure can work with the Check Point Auto Scaling Group.
The Check Point Security Management Server can update Data Center objects automatically on the Check
Point Auto Scaling group.

CloudGuard Controller for Nuage Networks VSP
The CloudGuard Controller integrates the Nuage cloud with Check Point security.

Connecting to a Nuage Data Center


To connect to a Nuage Data Center
1. In SmartConsole, create a new Data Center object in one of these ways:
- In the top left corner, click Objects menu > More object types > Server > Data Center > New Nuage.
- In the top right corner, click Objects Pane > New > More > Server > Data Center > Nuage.
2. In the Enter Object Name field, enter the applicable name.
3. In the Hostname field, enter the IP address or hostname of the Nuage server.
Important - The addresses can be either HTTP or HTTPS, but not both. The Nuage version is set by
default to 4.0 and the port to 8443.
4. In the Username field, enter your Nuage administrator username.
5. In the Organization field, enter your organization name or enterprise.
6. In the Password field, enter your Nuage administrator password.
7. Click Test Connection.
8. Click OK.
9. Publish the SmartConsole session.

Nuage Objects
Objects

Object | Description
Enterprise | A logical separator for customers, BU, groups, traffic, administrators, visibility, and more.
Domain | A logical network that enables L2 and L3 communication among a set of Virtual Machines.
Security Zone | A set of network endpoints that have to agree with the same Security Policies.
Policy Group | Collections of vPorts and/or IP addresses that are used as building blocks for Security Policies that include multiple endpoints. Add one or more vPorts to a policy group using this interface. A policy group can also represent one or more IP/MAC addresses that it learned from external systems from BGP route advertisements based on origin.
Subnet | Subnets are defined under a zone. A subnet is equivalent to an L2 broadcast Domain, which enables its endpoints to communicate as if they were part of the same LAN.
Instance | Virtual Machine.
vPort | Attached to a Virtual Machine or to a host and bridge interface. It provides connectivity to BMS and VLANs. It can be created or auto-discovered.
L2Domain | An L2 Domain is a distributed logical switch that enables L2 communication. An L2 Domain template can be instantiated as often as required; each instantiation creates a functioning L2 Domain.
Network Macro | Organization-wide defined macros that can be used as a destination of a policy rule. For example, you can create a network that represents your internal Internet access. You can then use it as a destination of a policy rule to drop any packet that arrives from a particular port.
Network Macro Group | A collection of existing Network Macros. These groups can be used in Security Policies to create rules that match multiple Network Macros.

Imported Properties

Imported Property | Description
Name | Resource name as shown in the Nuage console. The user can edit the name after importing the object.
Name in Data Center | Resource name as shown in the Nuage console
Type in Data Center | Resource type
IP | Associated IP address
Note | - Instances - "Auto generated" description
     | - Domain - Comment on domain object inserted in VSD
     | - Subnet - Subnet IP address in CIDR format
     | - Zone - Comment on zone object inserted in VSD
     | - vPort - Auto-generated description
URI | Object path

CloudGuard Controller for OpenStack


The CloudGuard Controller integrates the Check Point Security Management Server with OpenStack
Keystone. Authentication is done through OpenStack Keystone and network objects are updated from
OpenStack Neutron.

Prerequisites
- Version "Ussuri" or lower.

Connecting to an OpenStack Server


To connect to an OpenStack server
1. In SmartConsole, create a new Data Center object in one of these ways:
- In the top left corner, click Objects menu > More object types > Server > Data Center > New OpenStack.
- In the top right corner, click Objects Pane > New > More > Server > Data Center > OpenStack.
2. In the Enter Object Name field, enter the applicable name.
3. In the Hostname field, enter the URL of your OpenStack server in this format (HTTP or HTTPS):

http://1.2.3.4:5000/<keystone_version>

https://1.2.3.4:5000/<keystone_version>

Example:

https://1.2.3.4:5000/v3

Note - If you do not know your keystone URL, run this command on the OpenStack server to find it:

openstack endpoint stone | grep publicurl

4. In the Username field, enter your username for the OpenStack server.
5. In the Password field, enter your password for the OpenStack server.

6. Click Test Connection.


If the Certificate window opens, confirm the certificate and click Trust.
7. When the connection status changes to Connected, click OK.
If the status is not Connected, troubleshoot the issue before you continue.
8. Click OK.
9. Publish the SmartConsole session.
Note - If it is necessary to log into an OpenStack Domain that is not your default Domain, use this format:
<OpenStack_domain_name>\<user_name>

OpenStack Objects
Objects

Object | Description
Instances | Virtual Machines in the cloud.
Security groups | Sets of IP address filter rules for networking access. They are applied to all instances in a project.
Subnet | A block of IP addresses and associated configuration states. Subnets are used to allocate IP addresses when new ports are created on a network.

Imported Properties

Imported Property | Description
IP | - VM - Virtual Machine's IP address
   | - Security Group - IP addresses of the Virtual Machines in the group
   | - Subnets - IP addresses of the Virtual Machines in the subnet
Note | - Instances - Empty
     | - Security Group - Description of the group
     | - Subnet - IP address and mask of the subnet
URI | Object path

CloudGuard Controller for VMware Servers


Connecting to a VMware Server
To connect to a VMware server
1. In SmartConsole, create a new Data Center object in one of these ways:
- In the top left corner, click Objects menu > More object types > Server > Data Center > New VMware vCenter, New VMware NSX-V, or New VMware NSX-T.
- In the top right corner, click Objects Pane > New > More > Server > Data Center > VMware vCenter, VMware NSX-V, or VMware NSX-T.
2. In the Enter Object Name field, enter the applicable name.
3. In the Hostname field, enter the IP address or hostname of your vCenter or NSX Manager server.
4. In the Username field, enter your VMware administrator username.
5. In the Password field, enter your VMware administrator password.
6. Click Test Connection.
7. Click OK.
8. Publish the SmartConsole session.

CloudGuard Controller for VMware NSX-T Management Server
The CloudGuard Controller integrates the VMware NSX-T Management Server with Check Point security.

Prerequisites
- NSX-T version 2.5 or 3.0.
- You must have a VMware NSX-T username with the minimal permission of an Auditor (or higher) to access the CloudGuard Controller.
Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be required for service registration (CloudGuard Gateway for NSX-T).

VMware NSX-T Objects


Object | Description
Ns Group | Enables a static or dynamic grouping based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.

Imported Properties
Imported Property | Description
IP | All the Ns Group IP addresses
Note | Description value of a Ns Group
URI | Object path

Known Limitations
- Logs for rules with VMware NSX-T Ns Groups contain only the IP address. The logs do not contain the instance name.
- VMware NSX-T object - No support for IP Set objects with ranges or CIDR block notations. There is support for IP Set objects representing one or more individual IP addresses.
- It is recommended to install the official VMware Tools on a Virtual Machine in order for the VMware NSX-T Controller to successfully poll IP addresses. Install the VMware Tools for your specific version. Alternatives for IP discovery without VMware Tools can be found in the VMware NSX-T Administration Guide.
Note - Each alternative has different limitations in practice.

CloudGuard Controller for VMware vCenter


Prerequisites
- VMware vCenter version 7.x or lower.
- You must have a VMware NSX-V user with Auditor (or higher) permission to access the CloudGuard Controller. For NSX operations, it is necessary to have at minimum read-only permissions.
- The CloudGuard Controller integrates the VMware NSX Manager Server with Check Point security.

CloudGuard Controller for VMware NSX-V Manager Server

- The Check Point Data Center Server connects to the VMware NSX Manager Server and retrieves object data.
- The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group.
- You must have a VMware NSX user with permission of an Auditor (or higher) to access the CloudGuard Controller. All NSX permissions allow users to see everything, but allowed operations depend on the NSX permission profile.
Note - This role is sufficient for CloudGuard Controller functionality. More permissions can be required for service registration (CloudGuard Gateway for NSX).

VMware vCenter Objects


Objects

Object | Description
Cluster | A collection of ESXi hosts and associated Virtual Machines configured to work as a unit.
Datacenter | An aggregation of many object types required to work in a virtual infrastructure. These include hosts, Virtual Machines, networks, and datastores.
Folder | Lets you group similar objects.
Host | The physical computer where you install ESXi. All Virtual Machines run on a host.
Resource pool | Compartmentalizes the host or cluster CPU and memory resources.
Virtual machine | A virtual computer environment where a guest operating system and associated application software runs.
vSphere vApp | A packaging and managing application format. A vSphere vApp can contain multiple Virtual Machines.
Tags | All the Virtual Machines tagged with the vCenter tag. Note - This is supported with vCenter 6.5 and above.

Imported Properties

Imported Property | Description
IP | IP address or Hostname of vCenter Server. You must install VMware Tools on each Virtual Machine to retrieve the IP addresses for each computer.
Note | VMware vCenter object notes.
URI | Object path.

VMware NSX-V Objects


Objects

Object | Description
Security Group | Enables a static or dynamic grouping, based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.
Universal Security Group | Enables defining a Security Group across VMware NSX managers. Note - Import these objects separately for each VMware NSX manager.

Imported Properties

Imported Property | Description
IP | All the Security Group IP addresses
Note | Description value of a Security Group
URI | Object path

Threat Prevention Tagging for CloudGuard for NSX Gateway
Threat Prevention Tagging automatically assigns Security Tags to Data Center objects based on Threat Prevention analysis and group affiliation.
This enables the use of dynamic Security Groups in policy rules.
Enable Threat Prevention Tagging for the Anti-Bot and Anti-Virus services on the CloudGuard for NSX Gateway.
When a threat from an infected Virtual Machine reaches the Security Gateway and is denied entry, the Virtual Machine is tagged as infected in the NSX Manager.

To activate Threat Prevention tagging


1. Connect to the command line on the CloudGuard for NSX Gateway.
2. Log in to Gaia Clish, or Expert mode.
3. To enable the tagging, run:

tagger_cli
4. Select Activate Cluster.
CloudGuard for NSX Clusters with active Anti-Bot and/or Anti-Virus Software Blades appear.
5. Select the Cluster.
Make sure that "Cluster activated successfully" shows.
When it is activated, the Cluster automatically tags infected Virtual Machines in the NSX Manager Server.
These are the Security Tags:
- Default Anti-Bot Security Tag: Check_Point.BotFound
- Default Anti-Virus Security Tag: Check_Point.VirusFound
The Security Tags are created automatically in the NSX Management Server when the Cluster is activated.
When Security Tags are configured, you can create policy rules based on the Security Groups that contain those tags.

Advanced Options
Use advanced menu options to configure the tags:

Option | Description
Show Activated gateways | Lists the activated Clusters and the status of each CloudGuard for NSX Gateway.
Modify Anti-Bot Security Tag | Enables or disables the tagging for the Anti-Bot Software Blade and changes the Security Tag.
Modify Anti-Virus Security Tag | Enables or disables the tagging for the Anti-Virus Software Blade and changes the Security Tag.
Modify White List | IP addresses listed in the White List are not tagged. Separate them with spaces. Ranges are not accepted.
Create New Security Tag | Creates a new Security Tag in the NSX Manager Server.
Update Data | When you add a new ESX to a Cluster, CloudGuard for NSX Gateway automatically updates the Threat Prevention Tagging data within 15 minutes. Select this option to update the data manually on the new CloudGuard for NSX Gateway.

Threat Prevention Tagging Logs


In SmartConsole, in the Logs & Monitor view, see CloudGuard Tagging in the Blade column.
A list of messages and their descriptions:

Message | Description
The Virtual Machine <VM ID> was tagged successfully with Security Tag '<Tag Name>' in NSX <NSX IP Address> | Threat Prevention tagging successfully tagged a Virtual Machine due to malicious traffic.
The IP address <VM IP Address> appears twice in the ESX <ESX IP Address>. The infected Virtual Machine was not tagged | An IP address appears twice in the ESX. The Virtual Machine is not tagged, to prevent false positive tagging of Virtual Machines with duplicate IP addresses in the ESX.
Failed to get data from the Data Center <Data Center IP Address> | Failed to get a Data Center object from the Security Management Server API. Make sure that there is a trusted connection for CloudGuard Controller.
Threat Prevention Tag is ignored because the VM IP '<VM IP Address>' is on the White List | The Virtual Machine IP address is on the White List and the Threat Prevention tag is ignored.

CloudGuard Controller Monitoring


CloudGuard Controller Logs and Events
To monitor the CloudGuard Controller, use any of these three options:
- Filter the logs in SmartConsole with this query syntax:
blade:"CloudGuard IaaS" AND severity:Critical

- Create a User Defined Event based on logs and severity, see "Creating a User Defined Event and Sending Alerts" on page 46.
  - Connect the Event to an Automatic Reaction such as emails or scripts.
See the R81.10 Logging and Monitoring Administration Guide > Section Automatic Reactions.
Log descriptions

Log | Description
Mapping of Data Center server started | CloudGuard Controller successfully connected to the data center. It starts to map the Data Center objects.
Mapping of Data Center server finished | CloudGuard Controller successfully mapped the Data Center objects. It starts to monitor the Data Center changes.
Data center server objects were successfully updated on gateway <Name> | The Data Center object was successfully updated on the Security Gateway.

Message descriptions

Message | Description | Solution
Connectivity to Data Center server <DC info> lost. | Lost connection, possibly due to connectivity issues. | In the Data Center object, click Test Connection.
Failed to update policy with data center objects. Install policy again to resolve the issue. | The install process completed correctly, but there is corrupt policy data in a data center object. | --
Connectivity to data center server <IP Address> lost. Objects imported from this data center server are no longer being updated. | Persistent connectivity issues exist between the Security Management Server and CloudGuard Controller to the data center. | Resolve connectivity issues.
Failed to update data center server objects on gateway <Name of Security Gateway Object>. If issue persists contact Check Point Support. | CloudGuard Controller fails to update a Security Gateway. There may be no connectivity to a Security Gateway. | - Make sure there is SIC between the Security Gateway and CloudGuard Controller. - Make sure to enable the Identity Awareness API on the Security Gateway.
Failed to generate data center server objects of new policy, Security gateways are no longer updated with the new data center objects. | There is a transfer failure of a policy to a Security Gateway. | Install the Access Control Policy again.
Failed to stop updates of data center objects on the secondary management server. | Data transmission to a Security Gateway from a Secondary Security Management Server stops. | Install the Access Control Policy again.
Failed to start updates from previous standby domain. | CloudGuard Controller fails to start updates to a Security Gateway. It is possible that there is no connectivity to a Security Gateway. | Install the Access Control Policy again.
Failed to stop updates of data center objects for deleted domain. Contact Check Point Support. | CloudGuard Controller fails to stop Domain enforcement when a Domain is deleted. | Install the Access Control Policy again.
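
The SmartConsole filter and the message table above turned into a small triage script, added as an example that is not part of this guide and not Check Point's code: the same selection as the query blade:"CloudGuard IaaS" AND severity:Critical is applied to exported log lines, and each hit is mapped to the Solution column of the table. The log lines are constructed to resemble a key="value" export and are not real log data; the export layout is an assumption.

```shell
#!/bin/sh
# Added example, not Check Point's code. The log lines are constructed to
# resemble a SmartConsole log export (key="value" pairs separated by "; ");
# adjust the field parsing if your export uses a different layout.
SAMPLE_LOGS='time="2021-06-26 10:00:01"; blade="CloudGuard IaaS"; severity="Informational"; message="Mapping of Data Center server started"
time="2021-06-26 10:00:09"; blade="CloudGuard IaaS"; severity="Informational"; message="Mapping of Data Center server finished"
time="2021-06-26 10:15:30"; blade="CloudGuard IaaS"; severity="Critical"; message="Connectivity to Data Center server 10.1.1.5 lost."
time="2021-06-26 10:16:00"; blade="Firewall"; severity="Critical"; message="Policy installation failed"
time="2021-06-26 10:20:00"; blade="CloudGuard IaaS"; severity="Critical"; message="Failed to update data center server objects on gateway gw-1. If issue persists contact Check Point Support."'

# Same selection as the SmartConsole query
#   blade:"CloudGuard IaaS" AND severity:Critical
# applied to exported lines on stdin; prints the message text of each hit.
critical_cloudguard_events() {
  awk -F'; ' '
    /blade="CloudGuard IaaS"/ && /severity="Critical"/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^message=/) {
          sub(/^message="/, "", $i); sub(/"$/, "", $i); print $i
        }
      }
    }'
}

# Map a message to the Solution column of the table above. The case patterns
# follow the fixed prefix of each message; placeholders such as <Name> vary.
recommended_action() {
  case "$1" in
    "Connectivity to Data Center server"*"lost.")
      echo "Open the Data Center object and click Test Connection" ;;
    "Connectivity to data center server"*"no longer being updated.")
      echo "Resolve connectivity issues between the Management Server and the data center" ;;
    "Failed to update data center server objects on gateway"*)
      echo "Check SIC to the gateway and that its Identity Awareness API is enabled" ;;
    "Failed to update policy with data center objects."*)
      echo "Install policy again" ;;
    "Failed to generate data center server objects"*|"Failed to stop updates"*|"Failed to start updates"*)
      echo "Install the Access Control Policy again" ;;
    *)
      echo "Not a documented CloudGuard Controller message; review manually" ;;
  esac
}

# Join both: one "message -> action" line per critical event.
triage() {
  critical_cloudguard_events | while IFS= read -r msg; do
    printf '%s -> %s\n' "$msg" "$(recommended_action "$msg")"
  done
}

# Usage:
#   printf '%s\n' "$SAMPLE_LOGS" | triage
```

Run against the constructed lines, the Firewall event is dropped by the blade filter and the two CloudGuard IaaS Critical events each get their action; the same two functions can sit behind an External Script Automatic Reaction (see the next section) so that the action text reaches the administrator together with the message.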

CloudGuard Controller Status


Options for checking the CloudGuard Controller status

Option | Description
On the Management Server | Follow these steps:
                         | 1. Connect to the command line.
                         | 2. Run: cpstat vsec
In SmartConsole | Follow these steps:
                | 1. From the left navigation panel, click Gateways & Servers.
                | 2. Select your Management Server object.
                | 3. At the bottom, from the Summary tab, click Device & License Information > Device Status.
SNMP Traps | See sk124532.

Creating a User Defined Event and Sending Alerts
The CloudGuard Controller is a critical component for the security of an organization. If the CloudGuard Controller loses its connection with a data center for any reason, the Gateways no longer receive updates. This is a serious situation for any security administrator. While administrators can monitor the SmartConsole logs in the office, there is also an option to have critical CloudGuard Controller events pushed to an administrator's smartphone or email.

To create a User Defined Event:

1. Enable SmartEvent, see the R81.10 Logging and Monitoring Administration Guide > Section Deploying SmartEvent.
2. Go to the SmartEvent GUI.
3. From the SmartEvent Policy tree, right-click Event policy.
The Event Definition wizard opens.
a. Step 1/6: In the Event Definition wizard window, below Create an event, select that is completely new > click Next.
b. Step 2/6: In the Name field, enter a name for the Event.
From the Severity list, select a severity for the event > click Next.
c. Step 3/6: Select a single log > click Next.
d. Step 4/6: Click Add product > select the checkbox for CloudGuard IaaS > click Next.

e. Step 5/6: Below the Define the condition that specifies which {your event name} logs are
appropriate for this event:
i. Select Show more fields > Existing field.
The Select Log Fields window opens.
ii. Below Log Fields, select Severity > click OK.
iii. Below Available Log Fields, select Severity, click Add.
The Severity Filter window opens.
iv. Click Add, in the Value field enter the number '4' for the value (four is the highest,
referred to as "critical") > click OK.
v. Make sure that In the Event Definition wizard window, the right-side box now shows
Severity Equal {x} > click Next.

vi. Click Finish.


vii. To install the policy, click Yes.
Note - In the SmartEvent window that opens, click Yes to install the policy.
There is now a User Defined Event, in this example 'CloudGuard IaaS Critical', that you can
connect to Automatic Reaction which you create.

To create an Automatic Reaction Alert (Optional):

Use SmartEvent to send push notifications to your mobile device or email account. This lets you receive notifications even when you are not in front of SmartConsole, and even when you are not in the office. In SmartEvent this is called an "Automatic Reaction."

For more information about how to edit an Event, see the R81.10 Logging and Monitoring Administration Guide.
4. From the SmartEvent tree, right-click User Defined Events > select the event.
5. In the top field, enter the parameters for detecting an Event.
Example: "Detect the event when at least 2 connections were detected over a period of 120 seconds".
6. Select the button to the right of the Automatic Reactions tab.
7. Select Add new > select Mail or External Script.
The Add Automatic Reaction window opens.
For more information about External scripts, see the R81.10 Logging and Monitoring Administration Guide > Section Creating an External Script Automatic Reaction.
8. In the Name field, delete the default name and enter a different name, such as 'CloudGuard IaaS alert email'.
9. In the Command line field, enter the location of the script, such as "xx.sh".
10. Click Save > and then in the Automatic Reactions window, click OK.
11. From the SmartEvent toolbar, click the save icon > click Yes.
The new policy is now pushed.
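As an added example (not from this guide or from Check Point), this is the kind of script an External Script Automatic Reaction could point to in step 9: it keeps only events whose Severity is 4, the "critical" value configured in the event definition above, appends a record to a log file and hands the alert to a mailer, so a lost data center connection reaches an administrator outside SmartConsole. It assumes SmartEvent passes the event to the script on standard input as `field=value` lines with fields named Product, Severity and Event Name, that a `mail` command exists on the Management Server, and that the log path and address are placeholders you replace.

```shell
#!/bin/bash
# Added example: External Script Automatic Reaction for the 'CloudGuard IaaS
# Critical' user-defined event. Not part of the guide or the product.
# ASSUMPTION: SmartEvent hands the event to the script on stdin as one
# "field=value" per line, with fields named Product, Severity and Event Name.
# Confirm the exact format in the Logging and Monitoring guide before deploying.

ALERT_LOG="${ALERT_LOG:-/var/log/cloudguard_alerts.log}"  # placeholder path
MAIL_TO="${MAIL_TO:-secops@example.com}"                    # placeholder address

# Print the value of field $1 from the event text $2 (first match only).
field() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# Succeed only when Severity is 4, the 'critical' value the event definition uses.
is_critical() {
    [ "$(field Severity "$1")" = "4" ]
}

# Turn a critical event into one alert line; fail and print nothing otherwise,
# so lower-severity events never produce mail.
format_alert() {
    is_critical "$1" || return 1
    printf 'CRITICAL product=%s severity=%s event=%s\n' \
        "$(field Product "$1")" "$(field Severity "$1")" "$(field 'Event Name' "$1")"
}

# Append the alert to the log and send it by mail; nothing happens for
# non-critical events.
react() {
    alert=$(format_alert "$1") || return 0
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$alert" >> "$ALERT_LOG"
    printf '%s\n' "$alert" | mail -s "CloudGuard Controller critical event" "$MAIL_TO"
}

# Runs only when the saved file is invoked as cg_alert.sh (the name you enter
# in the Command line field); sourcing it elsewhere only defines the functions.
if [ "${0##*/}" = "cg_alert.sh" ]; then
    react "$(cat)"
fi
```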

Configuration Parameters
The CloudGuard Controller uses configuration parameters that can be adjusted to your specific needs.
This section provides a list of the configuration parameters, including their description, minimum and maximum value, and the command to force the parameter's update.
CloudGuard Controller can be configured through various parameters in the vsec.conf file. See the vsec.conf file for more information.

Locations of the vsec.conf file:
- On a Security Management Server:
$FWDIR/conf/vsec.conf
- On a Multi-Domain Server:
$MDSDIR/conf/vsec.conf

Important - All configuration values are read from the vsec.conf file only when CloudGuard Controller is loaded. If you change one of the parameters, you must restart the CloudGuard Controller with the "vsec stop ; vsec start" commands.

CloudGuard Central Licensing


License Pooling
CloudGuard Central Licensing is a pooled license structure offered on the Check Point Security
Management Server and Multi-Domain Server.
With this feature, you can dynamically change the properties of licenses on your Security Gateway
architecture.
The license pool contains the licenses for each Security Gateway with its cores. A license is issued for each
CloudGuard Gateway, and the number of cores in a CloudGuard Gateway determines the necessary
license.

The central licensing feature provides:
- One global license for as many CloudGuard Gateways as needed.
- Scaled-up performance on a CloudGuard Gateway with all its vCores.
- Movement of vCores from one CloudGuard Gateway to another.
- Movement of the CloudGuard Gateway between the public and private cloud.

Two modes for the Multi-Domain Server

Mode: System Mode (the default)
Description: System Mode generates a license for the IP address of the Multi-Domain Server. The license pool is on the Multi-Domain Server. The licenses are attached to all of the CloudGuard Gateways that the Domain Management Servers manage.
To use this mode, run:
vsec_lic_cli mode mds

Mode: Domain Mode
Description: Domain Mode pools are managed on each individual Domain. Licenses are distributed to the CloudGuard Gateways that the Domain manages. The license is generated with the IP address of the Domain to which it belongs.
To use this mode, run:
vsec_lic_cli mode domain

Note - To go to the context of a Domain Management Server, run:
mdsenv <Name or IP Address of Domain Management Server>

License Distribution
Items

Licenses that can be managed in pools:
- Virtual security licenses for public and private clouds.
- Licenses with the same contract blade package.
Note - Licenses with different contract blades are in separate pools. The first license pool that is created is configured as the default pool. The licenses from the default pool are attached to CloudGuard Gateways.

Gateways that receive a license from the pool:
CloudGuard Gateways on the public and private cloud. The supported Hypervisors in the private cloud are VMware ESXi, Hyper-V and KVM. The supported modules in the public cloud are AWS, Microsoft Azure, Google Cloud Platform and vCloud Air.

Gateways that receive a license:
- New CloudGuard Gateways receive the license from the pool after policy installation.
- Existing CloudGuard Gateways receive the license immediately after the license is added.

Distribution:
CloudGuard licenses are attached from the license pool to CloudGuard Gateways. The distribution procedure is permissive: Gateways are issued a license even when the pool no longer has licenses available.

Using the Central Licensing Utility with Existing Licenses

You can activate the new CloudGuard Central Licensing utility on Security Gateways that already have a license. Licenses with the same Software Blades and contract expiration join together to make one pool. If multiple pools are established, one of the pools is the default pool. Any license that is not part of the pool is detached from all Security Gateways.
If you have a Multi-Domain Server, enable the central license utility on the Multi-Domain Server. The Multi-Domain Server automatically activates the central license utility on each Domain Management Server.

Best Practice - We recommend that you have only one type of pool, so that licenses with the same Software Blades and contract expiration are grouped together. Use the central license utility to ensure that licenses are distributed correctly.

Managing CloudGuard Central Licenses

CloudGuard Central Licensing is disabled by default. When it is disabled, licenses are not distributed automatically to new CloudGuard Gateways, but existing licenses stay on the CloudGuard Gateways.

Operations

Operation: Enable the CloudGuard license
CLI command: vsec_lic_cli on

Operation: Disable the CloudGuard license
CLI command: vsec_lic_cli off

Operation: Manage the CloudGuard license pool
CLI command: vsec_lic_cli

The vsec_lic_cli tool is used exclusively to manage CloudGuard licenses, and other tools must not be used at the same time. CloudGuard licenses that were already added with other tools, such as SmartUpdate, are automatically added to the pools.
The CloudGuard License Manager Menu shows these options:
1. "Adding a License"
2. "Removing a License"
3. "Viewing License Use"
4. "Running License Distribution"
5. "Configuring Automatic License Distribution for Security Gateways"
6. "Generating a Core Use Report"

Adding a License
You can add a central license to the license pool with the IP address of a Security Management Server,
Multi-Domain Server or Domain Management Server.
The license is added to the pool to match the contract blade. Use the User Center to automatically match the
blade to the contract, or attach the contracts manually with SmartUpdate.
A license in a default pool is distributed to the CloudGuard Gateway as needed.

Removing a License
When you remove a license from the pool, it is also removed from all CloudGuard Gateways that have the license.

Viewing License Use

With the Central Licensing feature, you can see use details of the CloudGuard Gateways in the pool.

This information is available:
- Quota of cores
- Unused cores
- Security Gateways licensed in the pool

Running License Distribution

Distribution of licenses to the CloudGuard Gateways is done automatically, once a day.
To attach the license immediately, you can run the distribution manually.

You can monitor these changes on the CloudGuard Gateways and licenses:
- New CloudGuard Gateways
- Core changes on existing CloudGuard Gateways
- Contract changes on existing licenses
After distribution of the licenses, a CloudGuard Gateway that did not have a license now has one.

Configuring Automatic License Distribution for Security Gateways

You can enable or disable the CloudGuard Gateway from receiving a license automatically.

Generating a Core Use Report

You can generate a CSV file with an hourly core use report for each CloudGuard Gateway.

Check Point Copyright Notice
© 2021 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
