Quick Start Guide for AI Factory Firewall

Note - This procedure contains the instructions only for the latest version of the AI Factory Firewall package.

This is a quick procedure for deploying Check Point AI Factory Firewall (AIFF) on NVIDIA BlueField-3.

For complete procedures, see Instructions for a Data Center Provider and Instructions for an End-Customer.

This quick procedure assumes:

  1. You are familiar with NVIDIA BlueField-3.

  2. Your Host Server runs the Ubuntu operating system.

  3. You are familiar with installing and configuring a Check Point Management Server.

  4. You are familiar with installing and configuring a Check Point Security Gateway.

Procedure:

  1. On the Host Server - Install DOCA OFED.

    Note - Skip this step if the required DOCA OFED version is already installed on your Host Server.

    See sk184795 > Section "Prerequisites" > "Prerequisites for a Data Center Provider" > row "Host Server with BlueField-3".

  2. On the Host Server - Enable and Start RShim.

    Run these commands on the Host Server:

    sudo systemctl enable rshim

    sudo systemctl start rshim

    sudo systemctl status rshim

    Expected output:

    active (running)

  3. On the Host Server - Configure the Transmit Message FIFO (tmfifo) Networking.

    Run these commands on the Host Server:

    1. Edit the "netplan" script:

      sudo nano /etc/netplan/50-cloud-init.yaml

      Keep the existing Host Server configuration as-is and make sure the configuration contains this section:

      tmfifo_net0:
        addresses:
          - 192.168.100.1/30
        dhcp4: false

    2. Save the changes in the file and exit the editor.

    3. Apply the configuration:

      sudo netplan apply

    4. Verify the configuration:

      ip addr show tmfifo_net0

      Expected output:

      host tmfifo_net0 is 192.168.100.1/30

  4. On the Host Server - Flash a BlueField Bundle (BFB) to the DPU.

    Note - Skip this step if the required BFB version is already installed and configured on the DPU.

    See sk184795 > Section "Prerequisites" > "Prerequisites for a Data Center Provider" > row "Host Server with BlueField-3".

  5. On the Host Server - Connect over SSH to BlueField-3 (over 'tmfifo').

    1. With the built-in SSH client, connect from the Host Server to BlueField-3:

      ssh 192.168.100.2

      The default credentials are:

      • Username - ubuntu

      • Password - ubuntu

    2. After the first SSH login, follow the instructions on the screen.

      Important - After changing the password, the SSH session disconnects automatically. Log in again with the new password.

  6. On the BlueField-3 - Configure Networking.

    1. Disable the "cloud-init" network configuration:

      echo 'network: {config: disabled}' | sudo tee /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg > /dev/null

    2. Edit the BlueField-3 "netplan" script according to your environment:

      sudo nano /etc/netplan/50-cloud-init.yaml

      Example script:

      network:
        version: 2
        renderer: NetworkManager
        bridges:
          oob_bridge0:
            interfaces:
              - oob_net0
            addresses:
              # This IP address is for direct SSH connection
              # to the MGMT interface of the BF-3 DPU
              - X.X.X.X/Y
            dhcp4: false
            nameservers:
              addresses:
              # These IP addresses are your DNS servers (nameservers)
                - X.X.X.X
                - X.X.X.X
            routes:
              - metric: 1025
                to: 0.0.0.0/0
                # This IP address is your default gateway
                via: X.X.X.X
      
        ethernets:
          oob_net0:
            dhcp4: false
      
          tmfifo_net0:
            addresses:
              - 192.168.100.2/30
            dhcp4: false
      
    3. Apply the "netplan" configuration:

      sudo netplan apply

    4. Configure the date and time in this format (in the UTC timezone):

      sudo date -s "<YYYY-MM-DD HH:MM:SS>"

    5. Write the current system time to the hardware clock:

      sudo hwclock -w
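The netplan template in step 6 leaves the OOB address, DNS servers and default gateway as X.X.X.X placeholders, and a mistake there (a gateway outside the OOB subnet, a tmfifo address that does not pair with the host's 192.168.100.1/30) leaves the DPU unreachable after "netplan apply". The following Python script is an added example, not part of the Check Point guide or the AIFF package: it renders the guide's template from real values and refuses combinations that cannot work. The sample values are constructed from RFC 5737 documentation ranges; the template text itself follows the guide, and the checks (gateway in subnet, tmfifo pairing) are the author's assumptions about what makes the configuration usable.

```python
"""Render and sanity-check the BlueField-3 netplan file from step 6.

Added example, not part of the Check Point guide or the AIFF package.
It fills the X.X.X.X placeholders of the guide's template from real
values and rejects combinations that silently break management access
(gateway outside the OOB subnet, malformed DNS, wrong tmfifo pairing).
No PyYAML dependency: the template is emitted as text.
"""
import ipaddress

# Fixed tmfifo addressing used by the guide: host .1/30 (step 3), DPU .2/30 (step 6)
HOST_TMFIFO = "192.168.100.1/30"
DPU_TMFIFO = "192.168.100.2/30"

TEMPLATE = """network:
  version: 2
  renderer: NetworkManager
  bridges:
    oob_bridge0:
      interfaces:
        - oob_net0
      addresses:
        - {oob_cidr}
      dhcp4: false
      nameservers:
        addresses:
{dns_lines}
      routes:
        - metric: 1025
          to: 0.0.0.0/0
          via: {gateway}

  ethernets:
    oob_net0:
      dhcp4: false

    tmfifo_net0:
      addresses:
        - {tmfifo}
      dhcp4: false
"""


def check_tmfifo_pair(host_cidr=HOST_TMFIFO, dpu_cidr=DPU_TMFIFO):
    """Both ends of the tmfifo link must sit in the same /30 with distinct hosts."""
    host = ipaddress.ip_interface(host_cidr)
    dpu = ipaddress.ip_interface(dpu_cidr)
    if host.network != dpu.network:
        raise ValueError(f"tmfifo mismatch: {host_cidr} and {dpu_cidr} are in different networks")
    if host.ip == dpu.ip:
        raise ValueError("host and DPU tmfifo addresses must differ")
    return True


def render_netplan(oob_cidr, gateway, dns_servers, tmfifo=DPU_TMFIFO):
    """Return the netplan YAML text, or raise ValueError on an unusable combination."""
    iface = ipaddress.ip_interface(oob_cidr)  # validates the X.X.X.X/Y form
    if iface.network.prefixlen >= 31:
        raise ValueError("OOB prefix leaves no room for a gateway")
    gw = ipaddress.ip_address(gateway)
    # A default route via an address outside the OOB subnet is unreachable:
    # netplan applies it, but SSH to the DPU from other networks then fails.
    if gw not in iface.network or gw == iface.ip:
        raise ValueError(f"gateway {gateway} is not a usable address in {iface.network}")
    if not dns_servers:
        raise ValueError("at least one DNS server is required")
    dns_lines = "\n".join(f"          - {ipaddress.ip_address(d)}" for d in dns_servers)
    check_tmfifo_pair(HOST_TMFIFO, tmfifo)
    return TEMPLATE.format(oob_cidr=oob_cidr, dns_lines=dns_lines,
                           gateway=gateway, tmfifo=tmfifo)


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation ranges), not a real deployment.
    print(render_netplan("203.0.113.10/24", "203.0.113.1",
                         ["203.0.113.53", "198.51.100.53"]))
```

Redirect the output into /etc/netplan/50-cloud-init.yaml on the DPU only after the script has accepted the values; a ValueError means the file would have been applied but left the management path broken.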

  7. Configure the Check Point Management Server and Group Policy Controller (GPC).

    1. Use an existing Management Server (or install a new one with one of the supported versions).

      See sk184795 > Section "Prerequisites" > "Prerequisites for a Data Center Provider":

      • The row "Security Management Server (SMS)".
      • The row "Multi-Domain Security Management Server (MDSMS)".

    2. Install a valid Check Point license.

    3. If you are working with a Multi-Domain Security Management Server:

      Optional: In SmartConsole, provision at least one IP address, preferably in the same network as the IP address of the Multi-Domain Security Management Server.

      You can also perform this optional step later with the "config_MDS.py" script (step 11 below).

      1. Connect with SmartConsole to the MDS context.

      2. Click the Multi Domain view.

      3. Click the Domains page.

      4. In the header row, right-click the Multi-Domain Server > click Edit.

      5. Click the Multi Domain page.

      6. Refer to the IP Range section.

      Note - Both IP addresses are hosted on the same Multi-Domain Security Management Server.

    4. From sk184795 > section "Downloads", download the AI Factory Firewall package for a Management Server to your computer.

    5. Connect to the command line on the Management Server.

    6. Log in.

    7. If the default shell is Gaia Clish, then go to the Expert mode:

      expert

    8. Create the directory for the required scripts:

      mkdir /home/admin/MDM

    9. Copy this AIFF package from your computer to the Management Server to the directory "/home/admin/MDM/".

    10. Extract the archive package:

      cd /home/admin/MDM

      tar xvfz <Name of Archive Package>

    11. If you are working with a Multi-Domain Security Management Server:

      Configure a pool of IPv4 addresses for new Domains that manage AIFF Security Gateways:

      python3 config_MDS.py [--ip_range="<Start IPv4 Address> - <End IPv4 Address>"]

      Note - If you already have an IP Range defined, then make sure there are enough IP addresses available for your AIFF domains and do not use the parameter "--ip_range".

      To configure an IP Range, connect with SmartConsole to the MDS context > click the Multi Domain view > click the Domains page > in the header row, right-click the Multi-Domain Server > click Edit > click the Multi Domain page > refer to the IP Range section.

      Example:

      python3 config_MDS.py --ip_range="192.168.10.20 - 192.168.10.50"

    12. Install and configure a new Group Policy Controller (GPC).

      See sk184795 > Section "Prerequisites" > "Prerequisites for a Data Center Provider" > row Group Policy Controller (GPC).

    13. On the Management Server, configure a new Domain and connect it to the Group Policy Controller (GPC).

      If you do not want to configure the Global AIFF policy, then also specify the parameter "--no_global_policy".

      1. On a Security Management Server, run:

        python3 createDomain.py --standalone --gw_ip="<IPv4 Address of GPC>" --gw_sic_pass="<SIC Activation Key for GPC>" [--no_global_policy]

      2. On a Multi-Domain Security Management Server, run:

        python3 createDomain.py --name="<Name of New Domain>" --gw_ip="<IPv4 Address of GPC>" --gw_sic_pass="<SIC Activation Key for GPC>" [--no_global_policy]

    14. On the Management Server, inspect the Domain configuration (you use these values in the next steps):

      cat ./<Name of Domain>/zero_touch_parameters.json
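Step 11 warns that the IP Range must hold enough addresses for the AIFF Domains you intend to create, and step 3 recommends that the pool sit in the same network as the Multi-Domain Server. The Python script below is an added example, not part of the guide or the AIFF package, that checks the "--ip_range" argument before config_MDS.py is run: it parses the "<start> - <end>" form the guide shows, counts the pool, compares it with the planned number of Domains, and warns when the pool lies outside the MDS network or would collide with the MDS address. It also accepts an en dash in place of the hyphen, because copying the range from a formatted document often produces one; that config_MDS.py expects a plain hyphen is an assumption. The sample addresses are constructed.

```python
"""Pre-check the --ip_range pool before running config_MDS.py (step 7.11).

Added example, not part of the guide or the AIFF package. config_MDS.py
itself is not inspected here; the functions only validate the argument
string in the "<Start IPv4> - <End IPv4>" form the guide shows and check
that the pool is big enough for the Domains you plan to create.
"""
import ipaddress
import re

# Accepts "a.b.c.d - w.x.y.z"; the separator may be a hyphen or an en dash
# (copy-paste from formatted text frequently turns "--" and "-" into dashes).
RANGE_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*[-\u2013]\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_ip_range(value):
    """Return (start, end) as IPv4Address objects, or raise ValueError."""
    m = RANGE_RE.match(value)
    if not m:
        raise ValueError(f"expected '<start> - <end>', got {value!r}")
    start = ipaddress.IPv4Address(m.group(1))
    end = ipaddress.IPv4Address(m.group(2))
    if end < start:
        raise ValueError(f"range end {end} precedes start {start}")
    return start, end


def pool_size(value):
    """Number of addresses in the range, both ends inclusive."""
    start, end = parse_ip_range(value)
    return int(end) - int(start) + 1


def check_pool(value, planned_domains, mds_cidr=None):
    """Validate the pool against the number of Domains; returns findings.

    Raises ValueError when the pool is unusable (too small, or it contains
    the MDS address). Placement outside the MDS network is only a warning,
    since the guide words it as a preference.
    """
    start, end = parse_ip_range(value)
    size = int(end) - int(start) + 1
    findings = {"size": size, "warnings": []}
    if size < planned_domains:
        raise ValueError(f"pool of {size} addresses cannot host {planned_domains} Domains")
    if mds_cidr is not None:
        mds = ipaddress.ip_interface(mds_cidr)
        if start <= mds.ip <= end:
            raise ValueError(f"pool contains the MDS address {mds.ip}")
        if start not in mds.network or end not in mds.network:
            findings["warnings"].append(f"pool is not inside the MDS network {mds.network}")
        for special in (mds.network.network_address, mds.network.broadcast_address):
            if start <= special <= end:
                findings["warnings"].append(f"pool includes unusable address {special}")
    return findings


def build_command(value):
    """argv for subprocess, with the range normalised to the hyphen form
    (assumption: config_MDS.py expects a plain '-' as separator)."""
    start, end = parse_ip_range(value)
    return ["python3", "config_MDS.py", f"--ip_range={start} - {end}"]


if __name__ == "__main__":
    # Constructed values: the guide's own example range, ten planned Domains,
    # and an assumed MDS address in the same /24.
    rng = "192.168.10.20 - 192.168.10.50"
    print(check_pool(rng, 10, "192.168.10.5/24"))
    print(build_command(rng))
```

Run the check on the Management Server before step 11; when it reports warnings, review them against your addressing plan, and when it raises, widen or move the range rather than letting config_MDS.py create Domains that cannot all get an address.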

  8. On the BlueField-3 - Deploy AI Factory Firewall.

    1. From sk184795 > section "Downloads", download the AI Factory Firewall package for the BlueField-3 DPU to your computer.

    2. With an SCP client, copy this AIFF package from your computer to a directory on the DPU (for example, create the directory "/var/log/AIFF").

      You can copy the package in one of these ways:

      • From your computer through the BlueField-3 Out-of-band Management - directly to the DPU.

      • From your computer through the regular Host Server interface and then from the Host Server to the DPU.

    3. With an SSH client, connect to the DPU.

    4. Go to the directory with the AIFF package:

      cd /var/log/AIFF/

    5. Assign the 'execute' permission to the script:

      sudo chmod +x AIFFctl

    6. Start the installation:

      ./AIFFctl install

    7. The script is interactive and prompts for all required values:

      Note - The script saves all entered configuration values in the "/etc/gwac/bf_standalone.conf" file.

      If you run the AIFFctl script again, it can automatically use these saved values to fill in the prompts.

      This makes repeated deployments faster and consistent.

      1. Host interface 0:

      2. Host interface 1:

      3. DHCP for management network (y/n):

        If you entered "n":

        • AIFF static IP address:

        • AIFF static IP prefix length (0-32):

        • Default gateway IP address:

      4. Zero Touch provisioning (y/n):

        Important - Remember your choice.

        • If you entered "n" (meaning, use an on-premises Management Server):

          Enter Initial SIC key:

          Important - Write down this key and keep it safe.

        • If you entered "y" (meaning, use Zero Touch deployment):

          • Management server IP:

            Enter the value of "domain_ip" from the "zero_touch_parameters.json" file for your Domain

          • Management API key:

            Enter the value of "mgmt_api_key" from the "zero_touch_parameters.json" file for your Domain

          • Server fingerprint:

            Enter the value of "mgmt_server_fingerprint" from the "zero_touch_parameters.json" file for your Domain

          • Domain name:

            Enter the value of "domain_name" from the "zero_touch_parameters.json" file for your Domain

          • Policy name:

            Enter the value of "aicp_policy_name" from the "zero_touch_parameters.json" file for your Domain

          • Use default blade configuration? [...] (y/n):

            • If you entered "n":

              Activate blade '[blade-name]'? (y/n):

              Enter "y" or "n" to activate or disable the Software Blade specified in "[blade-name]".
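The Zero Touch branch of step 7 takes five values straight from the zero_touch_parameters.json file produced in step 7.14, and one of them, the Management API key, is a credential that the guide says AIFFctl then stores in "/etc/gwac/bf_standalone.conf" together with every other entered value. The Python script below is an added example, not part of the guide or the AIFF package: it loads the JSON, confirms every prompt has a value, lists the answers in the order AIFFctl asks for them with the key redacted, and checks that the saved-answers file is not group- or world-readable. The five key names are those the guide gives; the sample file content, the assumption that the JSON is a flat object with those keys, and the permission check are the author's additions.

```python
"""Map zero_touch_parameters.json to the AIFFctl Zero Touch prompts (step 8.7).

Added example, not part of the guide or the AIFF package. The five keys
are the ones the guide names; the flat JSON layout, the sample values and
the conf-file permission check are assumptions for illustration.
"""
import ipaddress
import json
import stat

# Prompt label shown by AIFFctl (as listed in the guide) -> JSON key
PROMPT_TO_KEY = [
    ("Management server IP", "domain_ip"),
    ("Management API key", "mgmt_api_key"),
    ("Server fingerprint", "mgmt_server_fingerprint"),
    ("Domain name", "domain_name"),
    ("Policy name", "aicp_policy_name"),
]
SECRET_KEYS = {"mgmt_api_key"}

# Constructed sample with placeholder values; not output of createDomain.py
SAMPLE_JSON = """{
  "domain_ip": "192.0.2.10",
  "mgmt_api_key": "EXAMPLE-API-KEY-PLACEHOLDER",
  "mgmt_server_fingerprint": "EXAMPLE-FINGERPRINT-PLACEHOLDER",
  "domain_name": "aiff-domain-01",
  "aicp_policy_name": "aiff-policy-01"
}"""


def load_zero_touch(text):
    """Parse the JSON and verify every prompt has a non-empty value."""
    data = json.loads(text)
    missing = [k for _, k in PROMPT_TO_KEY if not str(data.get(k, "")).strip()]
    if missing:
        raise ValueError(f"zero_touch_parameters.json lacks: {', '.join(missing)}")
    ipaddress.IPv4Address(data["domain_ip"])  # the prompt expects an IPv4 address
    return data


def prompt_answers(data):
    """Ordered (prompt, answer) pairs in the order AIFFctl asks them."""
    return [(label, str(data[key])) for label, key in PROMPT_TO_KEY]


def redacted(data):
    """Copy that is safe for logs and tickets: the API key stays out of them."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in data.items()}


def conf_mode_is_private(st_mode):
    """True when a saved-answers file such as /etc/gwac/bf_standalone.conf is
    readable by its owner only. Assumption: the file holds the API key (and
    the SIC key in the on-premises case), since the guide says it stores
    every entered value; a group- or world-readable copy exposes them."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    params = load_zero_touch(SAMPLE_JSON)
    for label, answer in prompt_answers(redacted(params)):
        print(f"{label}: {answer}")
```

On the DPU, pass the real file to load_zero_touch() and, after the install has finished, feed os.stat("/etc/gwac/bf_standalone.conf").st_mode to conf_mode_is_private(); a False result means the stored key should be protected with chmod 600 before the DPU is handed to anyone else.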

    8. Connect with SmartConsole to the applicable Domain.

    9. From the left navigation panel, click Gateways & Servers.

      The AIFF Security Gateway object must appear.

      Example: