Instructions for an End-Customer

Prerequisites

See sk184795 > Section "Prerequisites" > "Prerequisites for an End-Customer".

Step 1 - Configure the Host Server

  1. Make sure the Host Server does not use the network 192.168.100.x / 30 that is reserved for the DPU:

    1. Make sure that none of the Host Server interfaces are assigned an IP address from this network.

    2. Make sure there is no static route on the Host Server to this network.

    For more information, refer to the section "Virtual Ethernet Interface" in the NVIDIA BlueField-3 DPU documentation.

  2. In the Host Server, install one or more BlueField-3 (DPU) cards.

  3. On the Host Server, install the required DOCA OFED version.

  4. On the DPU, install the required BFB version.

Step 2 - Configure the DPU (AIFF Security Gateway)

  1. On the Multi-Domain Security Management Server, get the environment variables and their values for your Domain.

    Get this file from the Data Center Provider from the Multi-Domain Security Management Server for your Domain:

    /home/admin/MDSMS/<Name of Domain>/domain.json

  2. Copy these variables and their values from the "domain.json" file you received from the Data Center Provider:

    • domain_ip

    • mgmt_server_fingerprint

    • mgmt_api_key

    • domain_name

    • aicp_policy_name

    We recommend saving them aside for now. You use these parameters later during the installation of the AIFF Security Gateway (the "install.sh" script).

  3. Get the Check Point AIFF package for the DPU:

    1. From sk184795 > section "Downloads", download the AI Factory Firewall package for the BlueField-3 DPU to your computer.

    2. Copy this AIFF package from your computer to the DPU.

      Follow one of these options:

      See Configuration of Out-of-Band Management Network.

      1. Configure an IP address on the "oob_net0" interface of the DPU.

        Make sure a computer with an SSH client and SCP client can reach this IP address.

      2. With the SSH client, connect from your computer to the IP address you configured on the "oob_net0" interface.

        ssh <IP Address>

        The default credentials are:

        • Username - ubuntu

        • Password - ubuntu

      3. On the DPU, create some directory for the AIFF package.

        For example:

        mkdir -v /var/log/AIFF

      4. With an SCP client, connect from your computer to the IP address you configured on the "oob_net0" interface.

        The default credentials are:

        • Username - ubuntu

        • Password - ubuntu

      5. Copy the AIFF package from your computer to the DPU to the new directory "/var/log/AIFF".

      For more information, refer to the NVIDIA BlueField Platform Software Troubleshooting Guide.

      1. Connect with an SCP client to one of the Host Server interfaces.

      2. Copy the AIFF package from your computer to the Host Server to some directory.

      3. With a built-in SCP client, copy the AIFF package from the Host Server to the DPU to the new directory "/var/log/AIFF":

        scp -v /var/log/AIFF/<Name of package> ubuntu@192.168.100.2:/var/log/AIFF/

        The default credentials are:

        • Username - ubuntu

        • Password - ubuntu

  4. On the DPU, install the AIFF package:

    1. Go to the directory with the AIFF package:

      cd /var/log/AIFF/

    2. Assign the 'execute' permission to the scripts:

      sudo chmod +x AIFFctl

      sudo chmod +x deploy.sh

    3. Start the installation:

      ./AIFFctl install

      Notes:

      • The "AIFFctl" script:

        1. Verifies the environment prerequisites.

        2. Prompts the user for the required installation parameters. See the prompts below.

        3. Configures the internal networking of the BlueField-3, such that all of the required traffic passes through the Check Point Security Gateway.

        4. Starts the AIFF Security Gateway Container.

        5. If you chose to use the Zero Touch installation, the script also:

          1. Creates the Security Gateway object.

          2. Connects the Security Gateway object to the Domain.

          3. Installs the Security Policy whose name is specified in the parameter "aicp_policy_name" in the "domain.json" file.

      • The "AIFFctl" script saves all the entered configuration values in this file:

        /etc/gwac/bf_standalone.conf

        If you run the "AIFFctl" script again, it can automatically use these saved values to fill in the prompts.

        This makes repeated deployments faster and consistent.

      The "AIFFctl" script is interactive and prompts for all required values:

      1. Host interface 0:

      2. Host interface 1:

      3. DHCP for management network (y/n):

        If you entered "n":

        Gateway's management IP address:

        Gateway's management prefix length (0-32):

        Gateway's default gateway:

      4. Zero Touch provisioning (y/n):

        • If you entered "n":

          Enter Initial SIC key:

        • If you entered "y":

          Management server IP: (enter the value of "domain_ip" from the "domain.json" file for your Domain)

          Management API key: (enter the value of "mgmt_api_key" from the "domain.json" file for your Domain)

          Server fingerprint: (enter the value of "mgmt_server_fingerprint" from the "domain.json" file for your Domain)

          Domain name: (enter the value of "domain_name" from the "domain.json" file for your Domain)

          Policy name: (enter the value of "aicp_policy_name" from the "domain.json" file for your Domain)

    4. Wait for the installation script to finish.

      Note - This setup can take a few minutes, and it mostly runs in the background.

    5. Load the AIFF images:

      sudo ctr -n k8s.io images import aicp.tar

    6. Load the device-plugin images:

      sudo ctr -n k8s.io images import dp.tar

    7. Run the deployment script:

      sudo ./deploy.sh --image=jess_t464_gwac_main-55-999000099 --gwac_cores=6 --gwac_fw_instances=2 --timezone="Etc/GMT" --network_conf=lab

      Note - To pass traffic through the Host Server, use "--network_conf=host".

    8. Connect with SmartConsole to the applicable Domain.

      If a Data Center Provider created the Domain for you, the Data Center Provider must provide the credentials for this Domain.

    9. From the left navigation panel, click Gateways & Servers.

      The AIFF Security Gateway object must appear.

      Example:

Step 3 - Configure the Kubernetes Connection

Follow the R82.10 CloudGuard Controller Administration Guide > Chapter "Supported Data Centers" > Section "CloudGuard Controller for Kubernetes":

  1. Configure the applicable settings in Kubernetes.

  2. In SmartConsole connected to the applicable Domain, configure the Kubernetes object.

  3. Import objects from the Kubernetes: right-click the Data Center object and click Import.

  4. Install the Access Control Policy on the AIFF Security Gateway.

Step 4 - Install Policy

Best Practice - Create the Access Control rules using your Data Center objects.

To install a policy on a specific AIFF Security Gateway:

  1. Connect with SmartConsole to the Domain.

    If a Data Center Provider created the Domain, the Data Center Provider must provide the credentials for the Domain.

  2. Click Install Policy.

  3. Select Access Control.

  4. Select Threat Prevention.

  5. In the panel with the installation targets, select the Group-Policy-Controller object for any AIFF Security Gateways, on which you need to install this policy.

  6. Click Install.

Note - To see the current policy name on a specific AIFF Security Gateway:

  1. With an SSH client, connect to the IP address of the AIFF Security Gateway (as you see in SmartConsole).

  2. Log in.

  3. Run: cpstat fw -f policy

  4. At the top of the output, refer to the row "Policy name".