Instructions for an End-Customer

1. Make sure the Host Server does not use the network 192.168.100.x / 30 that is reserved for the DPU:

   1. Make sure that none of the Host Server interfaces are assigned an IP address from this network.

   2. Make sure there is no static route on the Host Server to this network.

   For more information, refer to the section "Virtual Ethernet Interface" in the NVIDIA BlueField-3 DPU documentation.

2. In the Host Server, install one or more BlueField-3 (DPU) cards.

3. On the Host Server, install the required DOCA OFED version.

4. On the DPU, install the required BFB version.

1. On the Multi-Domain Security Management Server, get the environment variables and their values for your Domain.

   Get this file from the Data Center Provider from the Multi-Domain Security Management Server for your Domain:

   /home/admin/MDSMS/<Name of Domain>/domain.json

2. Copy these variables and their values from the "domain.json" file you received from the Data Center Provider:

   • domain_ip

   • mgmt_server_fingerprint

   • mgmt_api_key

   • domain_name

   • aicp_policy_name

   We recommend saving them aside for now. You use these parameters later during the installation of the AIFF Security Gateway (the "install.sh" script).

3. Get the Check Point AIFF package for the DPU:

   1. From sk184795 > section "Downloads", download the AI Factory Firewall package for the BlueField-3 DPU to your computer.

   2. Copy this AIFF package from your computer to the DPU.

      Follow one of these options:

      Option 1 - Through the BlueField-3 Out-of-band Management

      See Configuration of Out-of-Band Management Network.

      1. Configure an IP address on the "oob_net0" interface of the DPU.

         Make sure a computer with an SSH client and SCP client can reach this IP address.

      2. With the SSH client, connect from your computer to the IP address you configured on the "oob_net0" interface.

         ssh <IP Address>

         The default credentials are:

         • Username - ubuntu

         • Password - ubuntu

      3. On the DPU, create some directory for the AIFF package.

         For example:

         mkdir -v /var/log/AIFF

      4. With an SCP client, connect from your computer to the IP address you configured on the "oob_net0" interface.

         The default credentials are:

         • Username - ubuntu

         • Password - ubuntu

      5. Copy the AIFF package from your computer to the DPU to the new directory "/var/log/AIFF".

      For more information, refer to the NVIDIA BlueField Platform Software Troubleshooting Guide.

      Option 2 - Through the regular Host Server interface

      1. Connect with an SCP client to one of the Host Server interfaces.

      2. Copy the AIFF package from your computer to the Host Server to some directory.

      3. With a built-in SCP client, copy the AIFF package from the Host Server to the DPU to the new directory "/var/log/AIFF":

         scp -v /var/log/AIFF/<Name of package> ubuntu@192.168.100.2:/var/log/AIFF/

         The default credentials are:

         • Username - ubuntu

         • Password - ubuntu

4. On the DPU, install the AIFF package:

   1. Go to the directory with the AIFF package:

      cd /var/log/AIFF/

   2. Assign the 'execute' permission to the scripts:

      sudo chmod +x AIFFctl

   3. Start the installation:

      ./AIFFctl install

      Notes: The "AIFFctl" script: Verifies the environment prerequisites. Prompts the user for the required installation parameters. See the prompts below. Configures the internal networking of the BlueField-3, such that all of the required traffic passes through the Check Point Security Gateway. Starts the AIFF Security Gateway Container. If you chose to use the Zero Touch installation, the script also: Creates the Security Gateway object. Connects the Security Gateway object to the Domain. Installs the Security Policy whose name is specified in the parameter "aicp_policy_name" in the "domain.json" file. The "AIFFctl" script saves all the entered configuration values in this file: /etc/gwac/bf_standalone.conf If you run the "AIFFctl" script again, it can automatically use these saved values to fill in the prompts. This makes repeated deployments faster and consistent.

      The "AIFFctl" script is interactive and prompts for all required values:

      1. Host interface 0:

         Use the default "pf0hpf" for entire workload protection for channel 0.

         Otherwise, use the relevant Host Server Virtual Function (for example, "pf0vf0") for specific workload protection. In this case, the script prompts you to enter the "Host Interface 0 destination IP", which is the IP address of the specific workload that uses this Virtual Function.

         See Example Diagrams of the Intra-DPU Network.

      2. Host interface 1:

         Use the default "pf1hpf" for entire workload protection for channel 1.

         Otherwise, use the relevant Host Server Virtual Function (for example, "pf1vf0") for specific workload protection. In this case, the script prompts you to enter the "Host Interface 1 destination IP", which is the IP address of the specific workload that uses this Virtual Function.

         See Example Diagrams of the Intra-DPU Network.

      3. DHCP for management network (y/n):

         If you entered "n":

         Gateway's management IP address:

         Gateway's management prefix length (0-32):

         Gateway's default gateway:

      4. Zero Touch provisioning (y/n):

         • If you entered "n":

           Enter Initial SIC key:

         • If you entered "y":

           Management server IP: (enter the value of "domain_ip" from the "domain.json" file for your Domain)

           Management API key: (enter the value of "mgmt_api_key" from the "domain.json" file for your Domain)

           Server fingerprint: (enter the value of "mgmt_server_fingerprint" from the "domain.json" file for your Domain)

           Domain name: (enter the value of "domain_name" from the "domain.json" file for your Domain)

           Policy name: (enter the value of "aicp_policy_name" from the "domain.json" file for your Domain)

   4. Wait for the installation script to finish.

      Note - This setup can take a few minutes, and it mostly runs in the background.

   5. Load the AIFF images:

      sudo ctr -n k8s.io images import aicp.tar

   6. Load the device-plugin images:

      sudo ctr -n k8s.io images import dp.tar

   7. Connect with SmartConsole to the applicable Domain.

      If a Data Center Provider created the Domain for you, the Data Center Provider must provide the credentials for this Domain.

   8. From the left navigation panel, click Gateways & Servers.

      The AIFF Security Gateway object must appear.

      Example:

      

To install a policy on a specific AIFF Security Gateway:

1. Connect with SmartConsole to the Domain.

   If a Data Center Provider created the Domain, the Data Center Provider must provide the credentials for the Domain.

2. Click Install Policy.

3. Select Access Control.

4. Select Threat Prevention.

5. In the panel with the installation targets, select the Group-Policy-Controller object for any AIFF Security Gateways, on which you need to install this policy.

6. Click Install.