CME Structure and Configurations

These sections explain the main concepts of CME configuration.

CME Directories and Files

  • The CME is located in this directory on the Security Management or Multi-Domain Security Management Server:

    /opt/CPcme/

  • The configuration utility for autoscaling solutions (such as Azure VMSS, AWS ASG, and GCP MIG) can be executed by running this command in Expert mode:

    autoprov_cfg

    For a more detailed description of autoprov_cfg, see Using the autoprov_cfg Command Line Configuration Utility.

  • The command line configuration menu can be executed by running this command in Expert mode:

    cme_menu

    For each CME feature that requires the CME Menu, see the specific instructions in the relevant chapter.

  • The configuration utility for AWS Transit Gateway can be executed by running this command in Expert mode:

    tgw_menu

    For a more detailed description of the tgw_menu features, see Configuring the tgw_menu.

About CME Service Commands

After a successful installation, CME runs the 'cme' service.

Function                       Run this Command
Stop the service               service cme stop
Start the service              service cme start
Restart the service            service cme restart
Test the service               service cme test
Get the status of the service  service cme status

Locating the Configuration Files

The CME configuration files are located in one of these directories:

  • On a Security Management Server: $FWDIR/conf/

  • On a Multi-Domain Security Management Server: $MDSDIR/conf/

The configuration files are synchronized between the primary and secondary server in a Management High Availability environment.

The CME Logs

The CME log files are:

  • Main CME Service log: /var/log/CPcme/cme.log*

  • CME command line menu log: /var/log/CPcme/cme_menu.log

Additional logs used by Check Point Support:

  • rest_infra.log

  • cme_api.log

  • gunicorn_server.log

  • diagnostics.log

See CME Log Collector.

CME Authentication

This section describes the necessary steps for CME authentication with different public cloud platforms.

AWS

Refer to sk130372, section 3, "Creating an AWS IAM User and IAM Role".

Azure

Create an Azure AD and Service Principal

With the Azure AD application and Service Principal, the Check Point Security Management Server monitors the creation and status of the VMSS, so it can complete the provisioning of these gateways.

  1. Connect to portal.azure.com.

  2. Click Active Directory -> App registrations -> New registration.

  3. Create new registration:

    1. Select a meaningful Name.

    2. Supported account types - Select Single tenant.

    3. Redirect URL - Select Web, and type https://localhost/vmss-name (vmss-name can be any name).

    4. Click Register.

    5. Open Certificates and secrets pane -> click New secret key.

    6. Add the duration for the key.

    7. Back up the key. You cannot view the key later. Save it now.

After you create the application, write down these values; they are used in "Configure the Check Point Security Management Server":

  • Application ID (used as client_id)

  • Key value (used as client_secret)

  • Tenant ID (used as tenant)

  • Directory ID

Note - We recommend that you set the key to never expire.

Permissions:

Assign the Azure Active Directory application a minimum role of Reader to the VMSS and the VNET as explained here.

GCP

Create a Google Cloud Platform (GCP) Service Account

The GCP Service account is used by the Check Point Security Management Server to monitor the creation and state of the autoscaling Managed Instance Group. This allows the Management Server to complete the provisioning of these gateways.

To create a GCP service account:

  1. Go to https://cloud.google.com/iam/docs/creating-managing-service-accounts.

    Use these parameters:

    Name: check-point-autoprovision

    Role: Compute Engine \ Compute Viewer

  2. Click Create Key > JSON (as the key type). A .json file is downloaded to your computer.

    Note - This .json file is used later as the credentials file in the CME configuration (see the -cr parameter in Parameters for GCP only).

Permissions:

"Compute viewer"

CME-Monitoring

CME is integrated with Check Point logging, to improve the logging and monitoring of CME.

Prerequisites

  • CME take 178 or higher installed on the Security Management Server or Multi-Domain Server. Run this command in Expert mode to verify the take:

    autoprov_cfg -v

  • Darwin take 51 or higher installed on the Security Management Server or Multi-Domain Server. Run this command in Expert mode to verify the take:

    autoupdatercli show | grep -A 6 Infra_AutoUpdate

To monitor CME logs, use one of these options:

  • Filter the logs in the SmartConsole with this query syntax: blade:"CME"

  • Configure Log Exporter to export all logs that belong to CME Blade.

    See Logging and Monitoring R81.10 Administration Guide > Log Exporter > Configuring Log Exporter in CLI > Log Exporter Advanced Configuration in CLI for more information.

    For example, to export CME logs to a Splunk log server, run this command in Expert mode:

    cp_log_export add name <exporter name> target-server <log server IP> target-port <log server port> protocol tcp format splunk filter-blade-in CME

Note - In a Multi-Domain Server environment, logs are displayed per domain: a domain's logs are displayed in that domain's console.

Log description:

Category                        Description
General events                  CME general information, such as service start/stop and configuration changes (MDS global level only).
Autoscale-Group related events  Cloud account information, such as scale-in/out success or failure.
Autoprovision process events    Provisioning information, such as add/remove gateway instance success or failure.

Using the cme_menu Command Line Configuration Utility

  • The cme_menu is a command-line based menu to configure CME components and features.

  • To start the menu, run cme_menu when logged into Expert mode on the Security Management or Multi-Domain Security Management Server.

  • Use the instructions in this guide to configure the CME with the cme_menu as needed.

Using the autoprov_cfg Command Line Configuration Utility

  • The autoprov_cfg is a command-line utility to configure autoscaling solutions, such as Azure VMSS, AWS ASG, and GCP MIG.

  • Refer to the administration guide of the specific solution for information about how to use autoprov_cfg for that solution.

  • For instructions about how to use the autoprov_cfg, run:

    autoprov_cfg -h

  • Commands summary:

    Command   Description

    init      Initialize autoprovision with Management, a Configuration Template and a Controller (account) configuration

    show      Show all or specific configuration settings

    add       1. Add a new Configuration Template or a Controller
              2. Add a new configuration to the Management or to a Configuration Template or a Controller

    set       Set values in an existing configuration of Management, Configuration Template or a Controller

    delete    1. Delete a Configuration Template or a Controller
              2. Delete a configuration from the Management or from a Configuration Template or a Controller

    -v        Show the version of CME

    -h        Show specific help documentation

  • Specific help documentation is available for each option that you select.

    For example, this command shows the available initialization parameters for AWS and their definition:

    autoprov_cfg init AWS -h

Delay

  • The delay parameter sets the sleep time between CME iterations.

  • The default delay value is 30 seconds.

  • To view the existing delay value, look for the delay value in the CME configuration:

    autoprov_cfg show all

  • To edit the delay configuration, run:

    autoprov_cfg set delay <NEW_TIME_IN_SEC>

Management

  • There is one Management configuration for CME.

  • The Management configuration applies to each controller, and each template.

    To view the existing Management configurations, run:

    autoprov_cfg show management

    To edit the management configurations, run:

    autoprov_cfg set management -h

General Parameters

  -mn <MANAGEMENT-NAME>

    The name of this CME management configuration.

    This name should match the management name configured for each deployed scale-set.

    Note - This name is configurable and not related to the CPM management name.

  -d <DOMAIN>

    The domain name or the domain UID that should manage CME.

    This parameter is mandatory for MDS environments when one domain manages CME.

    If more than one domain manages CME, remove this parameter and configure the domain for each controller instead, as explained in the Controllers (accounts) section (the -cd parameter).

  -cs <CUSTOM_MANAGEMENT_SCRIPT>

    The path of a script on the Management Server that CME executes in these scenarios:

      1. After the restrictive policy is installed, CME runs the custom script with 'delete' as args[0] and the gateway name as args[1].

      2. After the policy configured in the Configuration Template is installed, CME runs the custom script with 'add' as args[0] and the gateway name as args[1].

      3. After a gateway is removed, CME runs the custom script with 'delete' as args[0] and the gateway name as args[1].

    You can download an example of the Custom Management Script from here.

    To add parameters to the script, see CUSTOM_PARAMETERS in Configuration Templates (gateway-configurations) > General Parameters.
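As an added example (not the sample script that the guide links to), this is a minimal custom management script for the -cs parameter. It handles the 'add' and 'delete' calls described above, validates the gateway name that CME passes in args[1] before using it in any command, and is idempotent because 'delete' runs twice in a gateway's lifecycle. The file name cme_custom.sh and the state file path are assumptions.

```shell
#!/bin/sh
# Added example of a CME custom management script (-cs), not the guide's sample.
# CME invokes it as:  <script> add|delete <GATEWAY-NAME> [CUSTOM_PARAMETERS ...]
# Assumed file name: cme_custom.sh. It keeps an allow-list of provisioned
# gateways in CME_CUSTOM_STATE (assumed path) for a downstream tool to consume.
CME_CUSTOM_STATE="${CME_CUSTOM_STATE:-/var/log/CPcme/cme_custom_gateways.txt}"

# Accept only the character set expected in a gateway object name, so args[1]
# never reaches another command as anything but a plain token.
valid_gw_name() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 on success, 2 when the action or the gateway name is rejected.
cme_custom_action() {
    [ "$#" -ge 2 ] || return 2
    action="$1"
    gw="$2"
    shift 2
    valid_gw_name "$gw" || { echo "cme_custom: invalid gateway name" >&2; return 2; }
    [ -f "$CME_CUSTOM_STATE" ] || : > "$CME_CUSTOM_STATE"
    case "$action" in
        add)
            # Called after the template policy is installed on the gateway.
            grep -qxF -e "$gw" "$CME_CUSTOM_STATE" || printf '%s\n' "$gw" >> "$CME_CUSTOM_STATE"
            ;;
        delete)
            # Called after the restrictive policy is installed and again after the
            # gateway is removed, so it must succeed when the entry is already gone.
            grep -vxF -e "$gw" "$CME_CUSTOM_STATE" > "$CME_CUSTOM_STATE.tmp" || true
            mv "$CME_CUSTOM_STATE.tmp" "$CME_CUSTOM_STATE"
            ;;
        *)
            echo "cme_custom: unknown action '$action'" >&2
            return 2
            ;;
    esac
    # Record the call for audit; CUSTOM_PARAMETERS, if any, remain in "$@".
    logger -t cme_custom "$action $gw $*" 2>/dev/null || true
    return 0
}

# Dispatch only when executed as the script; sourcing it just defines the functions.
if [ "${0##*/}" = "cme_custom.sh" ]; then
    cme_custom_action "$@"
fi
```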

Controllers (accounts)

  • To connect to your cloud account and automatically provision Security Gateways deployed in the account, the Security Management Server needs cloud-specific information, such as credentials and regions.

    This information is associated with a controller in the automatic provisioning configuration.

  • To view the existing controllers used by the Management Server connected to the cloud environments, run:

    autoprov_cfg show controllers

  • To add a new controller to an existing automatic provisioning configuration, run:

    autoprov_cfg add controller -h

Important - Each controller in the configuration must have unique credentials, with the exception of the MDS configuration.

General Parameters

  -cn <CONTROLLER-NAME>

    The name of the cloud environment controller. The name must be unique.

  -dto <DELETION-TOLERANCE>

    The number of CME cycles until a Gateway object in SmartConsole is deleted.

  -ct <CONTROLLER-TEMPLATES>

    An optional list of templates that are linked to this specific controller. For example: TEMPLATE1-NAME TEMPLATE2-NAME

    This parameter is mandatory for MDS environments with more than one domain configured.

  -cd <CONTROLLER-DOMAIN>

    The domain name or the domain UID that should manage this controller.

    This parameter is mandatory for MDS environments with more than one domain configured.

Parameters for AWS only

  -r <REGIONS>

    A comma-separated list of the AWS regions in which the gateways are deployed. For example: eu-west-1,us-east-1,eu-central-1

  -ak <AWS-ACCESS-KEY>

    AWS Access Key ID

  -sk <AWS-SECRET-KEY>

    AWS Secret Key

  -iam

    Use this flag to specify whether to use an IAM role profile

  -fi <AWS-CREDENTIALS-FILE-PATH>

    The path to a text file containing AWS credentials

  -sr <STS-ROLE>

    The STS Role ARN of a role to assume

  -se <STS-EXTERNAL-ID>

    An optional STS External ID to use when assuming a role in the account

  -sn <SUB-CREDENTIALS-NAME>

    Sub-account name. The name must be unique

  -sak <AWS-SUB-CREDENTIALS-ACCESS-KEY>

    AWS Access Key ID for the sub-account

  -ssk <AWS-SUB-CREDENTIALS-SECRET-KEY>

    AWS Secret Key for the sub-account

  -sfi <AWS-SUB-CREDENTIALS-FILE-PATH>

    The path to a text file containing AWS credentials for the sub-account

  -siam

    Use this flag to specify whether to use an IAM role profile for the sub-account

  -ssr <AWS-SUB-CREDENTIALS-STS-ROLE>

    The STS Role ARN of a role to assume for the sub-account

  -sse <AWS-SUB-CREDENTIALS-STS-EXTERNAL-ID>

    An optional STS External ID to use when assuming a role in the sub-account

  -com <COMMUNITIES>

    An optional comma-separated list of the VPN communities that VPN connections discovered by this controller are allowed to join. If this attribute is missing or its value is an empty list, VPN connections that belong to this controller may join any community. Use it to prevent the automatic addition of VPN connections to a community based on the customer gateway public IP address.

  -sg

    Use this flag to specify whether to enable the auto provisioning of gateways

  -sv

    Use this flag to specify whether to enable the auto provisioning of VPN objects

  -slb

    Use this flag to specify whether to enable the auto provisioning of load balancer Access and NAT rules

  -ss

    Use this flag to specify whether to enable subnet scanning with the Centralized GWLB solution

Parameters for Azure only

  -sb <SUBSCRIPTION-ID>

    The Azure subscription ID

  -en <AzureCloud|AzureChinaCloud|AzureGermanCloud|AzureUSGovernment>

    An optional attribute that specifies the Azure environment type. The possible values are:

      • AzureCloud (default)

      • AzureChinaCloud

      • AzureGermanCloud

      • AzureUSGovernment

  -at <TENANT-ID>

    The Azure Active Directory tenant ID.

  -aci <CLIENT-ID>

    The service principal's client ID value.

  -acs <CLIENT-SECRET>

    The service principal's client secret value.

Parameters for NSX only

  -nf <NSX-FINGERPRINT>

    NSX-T Manager fingerprint

  -np <NSX-MANAGER-PASSWORD>

    NSX-T Manager password

  -nu <NSX-MANAGER-USERNAME>

    NSX-T Manager username

  -nh <NSX-MANAGER-HOST>

    NSX-T Manager host IP

  -nsm <NSX-SERVICE-MANAGER-PASSWORD>

    NSX Service Manager password

  -nad <NSX-AD-AUTH>

    NSX-T Manager AD authentication

Parameters for Nutanix only

  -nf <NUTANIX-PRISM-FINGERPRINT>

    Nutanix Prism fingerprint

  -np <NUTANIX-PRISM-PASSWORD>

    Nutanix Prism password

  -nu <NUTANIX-PRISM-USERNAME>

    Nutanix Prism username

  -nh <NUTANIX-PRISM-IP>

    Nutanix Prism IP

Parameters for GCP only

  -proj <GCP-PROJECT>

    The GCP project in which you deploy CloudGuard Security Gateways. For example, "ACME-Production".

  -cr <GCP-SERVICE-ACCOUNT-KEY>

    Full path to the GCP Service Account key file. The file should be located in $FWDIR/conf and should have admin read permissions only.

    For example, $FWDIR/conf/ACME-Production13cebb.json.
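An added pre-flight check (not part of CME) for the credentials files that controllers reference: the GCP Service Account key file (-cr) and the AWS credentials files (-fi, -sfi). It verifies that the path is a regular file, not a symlink, located directly in the expected conf directory, owned by the user running the check (assumed to be the admin account that runs CME), and with no permission bits for group or other. The conf directory defaults to $FWDIR/conf and can be passed as the second argument.

```shell
#!/bin/sh
# Added example, not part of CME: sanity-check a controller credentials file
# (GCP -cr key file, AWS -fi/-sfi credentials file) before referencing it.
# Usage: check_cred_file <file> [conf-dir]   (conf-dir defaults to $FWDIR/conf)
# Returns 0 when every check passes, 1 otherwise, with the reason on stderr.
check_cred_file() {
    file="$1"
    conf_dir="${2:-${FWDIR}/conf}"

    # Refuse symlinks outright: a link inside conf/ may point anywhere.
    [ ! -L "$file" ] || { echo "symlink refused: $file" >&2; return 1; }
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }

    # Resolve the directory physically so '..' or a linked directory cannot
    # make a path outside conf/ look like it is inside.
    real_dir=$(cd "$(dirname "$file")" 2>/dev/null && pwd -P) || return 1
    conf_real=$(cd "$conf_dir" 2>/dev/null && pwd -P) || { echo "no conf dir: $conf_dir" >&2; return 1; }
    [ "$real_dir" = "$conf_real" ] || { echo "file is not inside $conf_dir" >&2; return 1; }

    # ls -ld is portable: field 1 is the mode string, field 3 the owner.
    set -- $(ls -ld "$file")
    mode="$1"
    owner="$3"

    # Group and other must have no permissions at all (0400 or 0600 are fine).
    case "$mode" in
        ????------*) ;;
        *) echo "permissions too open ($mode), expected owner-only" >&2; return 1 ;;
    esac

    [ "$owner" = "$(id -un)" ] || { echo "owned by $owner, not $(id -un)" >&2; return 1; }
    return 0
}
```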

Configuration Templates (gateway-configurations)

  • Information required to automatically provision Security Gateways, such as what policy to install and which Software Blades to enable, is placed in a configuration template in the automatic provisioning configuration.

  • To view existing configuration templates that can be applied on Security Gateways, run:

    autoprov_cfg show templates

  • To add a new configuration template to an existing automatic provisioning configuration, run the following command:

    autoprov_cfg add template -tn <CONFIGURATION-TEMPLATE-NAME> -otp <SIC-KEY> -ver <VERSION> -po <POLICY-NAME>

Supported Configuration Template parameters

Configuring Name Prefix for Provisioned Gateways

By default, the name of each provisioned gateway starts with the controller's name as a prefix.

  • To add the template name as a name prefix (that comes before the controller name), run:

    autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -pn ""

  • To add a unique name as a name prefix (that comes before the controller name), run:

    autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -pn <UNIQUE-NAME-PREFIX>

Note - Currently, the Automatic HF deployment does not support name-prefix.

Configuring Network Group

CME automatically creates and updates a network group object with all the provisioned scale-set instances in the Security Management/Multi-Domain Server.

The network group object naming convention in the Security Management/Multi-Domain Server, by cloud provider:

  • AWS: CME_<CONTROLLER-NAME>--<SCALE-SET-NAME>

  • GCP: CME_<CONTROLLER-NAME>--<SCALE-SET-NAME>

  • Azure: CME_<CONTROLLER-NAME>--<SCALE-SET-NAME>--<RESOURCE-GROUP-NAME>

  • Nutanix: CME_<CONTROLLER-NAME>--<NETWORK-FUNCTION-PROVIDER>

  • NSX-T: CME_<CONTROLLER-NAME>--<REGISTERED-SERVICE-NAME>

You can use the Network Group object in these policies and policy columns:

  • Access Control rule columns:

    • Source

    • Destination

    • Install On

  • NAT rule columns:

    • Original Source

    • Original Destination

Notes:

  • If you use an empty network group object (a scale set has 0 instances) in Access Policy ("Install On" column), policy installation will fail.

  • CME creates only one unique network group object for each scale set.

Enabling and Disabling Software Blades

See Supported Configuration Template parameters for parameter information.

CME API

With the CME Management API, you can configure the CME utility.

For more information, see the CME API SwaggerHub documentation.

Prerequisites:

  • CME take 139 or higher installed on the Check Point Management Server.

  • Management API version 1.8 or higher installed on the Check Point Management Server (see the Check Point Management API Reference).

Configuring the tgw_menu

The Transit Gateway menu is a command-line based menu to configure the AWS Transit Gateway solution.

For more information, see the CloudGuard Network for AWS Transit Gateway R80.20 and Higher Deployment Guide.