Managing Auto-Scale with One Multi-Domain Server

Automatic provisioning enables the management of Scale set gateways deployed in cloud environments by a Check Point Multi-Domain Server.

Multi-Domain Server in Public Cloud:

If the Multi-Domain Server is installed in the Public Cloud, refer to the relevant article:

Important Notes

  • The Security Multi-Domain Server login credentials must allow the script to access all the applicable Domain Management Servers.

  • One instance of the CME service is responsible for provision in all the Domain Management Servers.

  • For the autoprov_cfg commands to take effect, you must restart the CME service.

    Run this command in the Expert mode to restart the CME service:

    service cme restart

Use Case 1 - Working with a Single Domain in the Multi-Domain Server

Rather than a Security Management Server, a Single Domain Management Server (in the Multi-Domain Server) does the provisioning.

For this use case, you must specify the Domain of the Domain Management Server, run:

autoprov_cfg set management -d <DOMAIN-NAME>

Note - In the Multi-Domain Server, replace the <DOMAIN-NAME> with the name of the applicable Domain Management Server.

Use Case 2 - Working with Multiple Domains in the Multi-Domain Server and Multiple-Cloud Accounts

For this use case, it is assumed that for each Domain Management Server, there is a different dedicated cloud account.

The presumption is that, based on the given cloud credentials, each of the accounts returns a mutually exclusive set of objects. Different sets of credentials must not return the same instance. For example, if the two different cloud accounts return the same CloudGuard Network Security Gateway instance, the CME service tries to provision it two times - one time for each of the different cloud accounts.

For this use case, you must specify a Domain for each of the controllers used to connect to your cloud environments. (A controller contains configuration required to connect to a cloud environment, such as credentials, regions, or a subscription ID).

To specify a name for each controller, run:

autoprov_cfg set controller <CONTROLLER-TYPE/VENDOR> -cn <CONTROLLER-NAME> -cd <DOMAIN-NAME>

Notes:

  • Replace the <CONTROLLER-NAME> with the name of the controller used to connect to your cloud environment.

  • Replace the <DOMAIN-NAME> with the name of an existing Domain.

  • Multiple controllers can have the same <DOMAIN-NAME> value.

    This means that objects retrieved by the controllers, are configured in the same Domain.

The configuration and policy of a CloudGuard Network Security Gateway is determined by:

  • A configuration template that you can create and edit with the autoprov_cfg CLI configuration tool.

  • A tag on the instance or Virtual Machine with the configuration template name.

By default, any Security Gateway may be tagged with the name of any existing configuration template which is then provisioned with the parameters.

If particular templates must only be used by a specific Domain, you can run this command to enforce it:

autoprov_cfg set controller Azure -cn <CONTROLLER-NAME> -ct <CONFIGURATION-TEMPLATES-NAMES>

Notes:

  • Replace the <CONTROLLER-NAME> with the name of the controller (the one that you specified a Domain for).

  • Replace the <CONFIGURATION-TEMPLATES-NAMES> with a list of configuration template names that can be used by that specific Domain (for example, TEMPLATE1-NAME TEMPLATE2-NAME).

  • If you replace Domains for a controller, you must first scale out the new Security Gateways, and then remove the previous Security Gateways.

Use Case 3 - Working with Multiple Domains in the Multi-Domain Server and a Single Cloud Account

Sometimes the environment requires that all the cloud objects be managed by one cloud account, but the security management is divided across multiple Domains.

It is possible to configure multiple controllers with the same credentials, but specify a different Domain for each controller. As explained in the use case "Working with Multiple Domains in the Multi-Domain Server and Multiple Cloud Accounts", this causes multiple controllers to retrieve the same CloudGuard Network Security Gateway and to provision the same Security Gateway in multiple Domains.

The solution is to configure exclusive templates for each Domain Management Server. To avoid duplication of attributes shared by multiple configuration templates, it is possible to configure a prototype configuration template. Multiple exclusive configuration templates use this prototype configuration template.

These example commands specify a prototype configuration template with a Security Policy, Security Gateway version, and a SIC Activation Key.

Example that shows how to configure a exclusive template for each Management Domain Server.

autoprov_cfg add template -tn <BASE-CONFIGURATION-TEMPLATE-NAME> -po <POLICY-NAME> -ver <VERSION> -otp <SIC-ACTIVATION-KEY>

autoprov_cfg set template -tn <EXCLUSIVE-CONFIGURATION-TEMPLATE-NAME> -pr <BASE-CONFIGURATION-TEMPLATE-NAME>

Notes:

  • Replace the <BASE-CONFIGURATION-TEMPLATE-NAME> with a name to represent the prototype configuration template (for example, base-template).

  • Replace the <POLICY-NAME> with the name of a Security Policy to install on the Security Gateways (for example, Standard).

  • Replace the <VERSION> with the Check Point version on the Security Gateway (for example, R80.20).

  • Replace the <SIC-ACTIVATION-KEY> with the Secure Internal Communication (SIC) key.

  • Replace the <EXCLUSIVE-CONFIGURATION-TEMPLATE-NAME> with the name of the exclusive configuration template, which uses the prototype configuration template values. You must run the second command one time for each exclusive template.

After you configure a set of templates dedicated for each Domain Management Server, you can specify the templates for each controller as explained in the use case "Working with Multiple Domains in the Multi-Domain Server and Multiple Cloud Accounts". Each of the controllers, that share credentials, retrieves the same set of Security Gateways. But, the controllers skip the provisioning for the Security Gateways, of which the template tag does not match the configuration templates list enforced on the controller.

Global Policy on a Multi-Domain Server

This section applies if it necessary to use the Global Policy together with automatic provisioning.

When you deploy a new Security Gateway, it installs an internal restrictive access policy. This policy is intended to drop all traffic.

Any rules you configure in the Global Policy automatically conflict with the restrictive policy. As a result, the Global Policy installation fails.

It is possible to use a custom restrictive policy, which is manually excluded from the Global Policy Assignment -do these steps:

Step

Description

1

Create a Global Policy in the Global Domain:

  1. Connect with SmartConsole to the Multi-Domain Server.

  2. In the SmartConsole login window, select Global Domain.

  3. Create a Security Policy with the required rules.

  4. Publish the SmartConsole session.

2

Create a new restrictive policy in each Domain:

  1. Connect with SmartConsole to the Multi-Domain Server.

  2. In the SmartConsole login window, select the Domain.

  3. Create a restrictive Access Control Policy.

    Because this policy is for internal purposes, we recommend this rule:

    Source = *Any

    Destination = *Any

    Action = Drop

  4. Publish the SmartConsole session.

  5. Do Steps 2b-2d again for each Domain.

3

Do not include the restrictive policy created in Step 2:

  1. Connect with SmartConsole to the Multi-Domain Server.

  2. In SmartConsole login window, select the MDS.

  3. Go to Multi-Domain > Global Assignments.

  4. Under Access Control, select Advanced.

  5. Click Assign Global Access Control Policy to all domain policies except.

  6. Select the restrictive policy object you created in Step 2.

4

Set the newly created restrictive policy as the default restrictive policy:

  1. Connect to the command line on the Multi-Domain Server (on SSH or console).

  2. Log in to the Expert mode.

  3. For each Domain, set the name of the restrictive policy package you created in Step 2 as the default restrictive policy:

autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -rp <RESTRICTIVE-POLICY-PACKAGE-NAME>

Notes:

  • Replace the <CONFIGURATION-TEMPLATE-NAME> with the name of the applicable configuration template.

  • Replace the <RESTRICTIVE-POLICY-PACKAGE-NAME> with the name of the restrictive policy package you created in Step 2.

Autoprovision and Multi-Domain Log Server Configuration

This section applies if it necessary to add a Multi-Domain Log Server together with automatic provisioning.

Important - Before you can create a Domain Log Server, a Domain must have a minimum of one configured Domain Management Server.

To add a Domain Log Server:

  1. Stop the CME service.

    service cme stop

  2. Add a Domain Log Server.

  3. Start the CME service:

    service cme start

You can configure a template to forward the security logs from the Security Gateway to the applicable Domain Log Server:

autoprov_cfg set template <CONFIGURATION-TEMPLATE-NAME> -sl <SEND-LOGS-TO-DLS-NAME>

By default, alerts are not sent to the Domain Log Server.

You can configure a template to forward the security logs from the Security Gateway to the applicable Domain Backup Log Server:

autoprov_cfg set template <CONFIGURATION-TEMPLATE-NAME> -sbl <SEND- LOGS-TO-DBLS-NAME>

You can configure the template to forward the alerts also from the Security Gateway to the applicable Domain Log Server:

autoprov_cfg set template <CONFIGURATION-TEMPLATE-NAME> -sa <SEND-ALERTS-TO-DLS-NAME>

Notes:

  • Replace the <CONFIGURATION-TEMPLATE-NAME> with the name of the applicable configuration template.

  • Replace the <SEND-LOGS-TO-DLS-NAME>, <SEND-ALERTS-TO-DLS-NAME>, <SEND-LOGS-TO-DBLS-NAME> with the name of the Domain Log Server object as configured in SmartConsole.

  • Refer to the section for more details regarding Log Server settings.