Managing Multiple-Autoscaling Solutions with One Security Management Server

Background:

Configurations on a Security Management Server (a dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server) can have:

  • Multiple Controllers

  • Multiple Templates

Each controller can:

  • Represent single cloud environments (such as a single Azure Service Principal)

  • Manage multiple Check Point Autoscaling solutions with either one configuration template, or with multiple configuration templates

Each template:

Configuration:

When you run the "autoprov_cfg init <Cloud Environment Name>" command on your Security Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server), it configures one Management Server with one controller and one template.

This setup lets you manage one cloud environment with one Check Point security configuration for all Check Point autoscaling solutions found on it.

Example of the "autoprov_cfg init" command to initialize the autoprovision configuration:

autoprov_cfg init "<Cloud-Name>" -mn "<Management-Name>" -tn "<Template-Name>" -otp "<SIC-key>" -ver R80.20 -po "<Policy-Name>" -cn "<Controller-Name>" -sb "<Azure-Subscription>" -at "<Tenant-ID>" -aci "<Client-ID>" -acs "<Client-Secret>"

Important - If you have an existing configuration, running the "autoprov_cfg init" command overwrites it.

To add one more auto-provisioned environment, use the autoprov_cfg add command instead of autoprov_cfg init.

You can manage multiple Check Point autoscaling solutions.

To manage multiple Check Point autoscaling solutions across cloud environments, add one controller to represent each cloud environment (for example, each Azure subscription).

Example command that shows how to add a new controller:

autoprov_cfg add controller Azure -cn "<Name>" -sb "<Azure-Subscription>" [-en {AzureCloud,AzureChinaCloud,AzureUSGovernment}] -at "<Tenant-ID>" -aci "<Client-ID>" -acs "<Client-Secret>"

Important - Run this command for each new cloud environment, except the environment you used in the "autoprov_cfg init" command.

Note - Optional values, such as <Controller Templates> (which add or change the credential templates that apply to a customer environment), are kept in the CME configuration file. Each controller has its own set of cloud environment credentials. Give each environment a meaningful name so you can distinguish between them.

To edit or remove an existing controller, run these commands:

autoprov_cfg set controller

autoprov_cfg delete controller

Note - To remove all the CloudGuard Network Security Gateways related to a controller before you delete it: scale in the scale set to 0 instances, wait for CME to delete the matching gateway objects from the Security Management Server, and only then delete the controller. Deleting the controller first leaves orphaned gateway objects on the Management Server.

To manage multiple autoscaling solutions with different security configurations:

For every different Check Point security configuration, add a new template to represent it.

To add a new template for each unique security configuration, use the "autoprov_cfg add template" command. For example, for R81.20:

    autoprov_cfg add template -tn "<Other-Template-Name>" -otp "<SIC-key>" -ver R81.20 -po "<Other-Policy-Name>"

To edit or remove an existing template, run these commands:

autoprov_cfg set template

autoprov_cfg delete template

Notes:

  • Run the "autoprov_cfg -h" command for more information about usage and examples.

    For example:

    autoprov_cfg init Azure -h

    autoprov_cfg add controller Azure -h

  • Run the "autoprov_cfg show" command to confirm your configuration.

  • If you followed the instructions in this guide correctly, then in Azure:

    • Each VMSS resource tag matches the <Management-Name> and the respective <Template-Name>:

      x-chkp-management = <Management-Name>

      x-chkp-template = {<Configuration-Template1-Name> | <Configuration-Template-Other-Name>}, the template that applies to that VMSS

    • The subscription of the VMSS matches the Subscription ID in the respective controller.

    • The respective Controller Service Principal has a proper access role according to the Administration Guide.
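The three checks above are easy to get wrong by hand once there are several controllers and templates. The script below is an added example, not Check Point code and not part of CME: it takes the CME configuration as a dict (assumed to mirror the "management", "templates" and "controllers" layout of $FWDIR/conf/autoprovision.json; the field names are an assumption) and a list of VMSS records shaped like the "id" and "tags" fields that "az vmss list -o json" returns, and reports for each VMSS whether its x-chkp-management tag, its x-chkp-template tag and its subscription line up with the configured management name, templates and controllers. The optional "templates" list on a controller models the <Controller Templates> option and is also an assumption. All input data is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed CME configuration (assumed layout, see lead-in): one management
# name, two templates, two controllers in two Azure subscriptions.
CME_CONFIG = {
    "management": {"name": "mgmt-eu"},
    "templates": {
        "std-template": {"version": "R81.20", "policy": "Standard"},
        "pci-template": {"version": "R81.20", "policy": "PCI-Policy"},
    },
    "controllers": {
        "azure-prod": {
            "class": "Azure",
            "subscription": "11111111-1111-1111-1111-111111111111",
        },
        "azure-pci": {
            "class": "Azure",
            "subscription": "22222222-2222-2222-2222-222222222222",
            # Assumed optional restriction: this controller serves only these templates.
            "templates": ["pci-template"],
        },
    },
}

# Constructed VMSS records, shaped like the id/tags fields of 'az vmss list -o json'.
AZURE_VMSS = [
    {   # healthy: subscription -> azure-prod, tags match management and template
        "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachineScaleSets/cp-gw-prod",
        "tags": {"x-chkp-management": "mgmt-eu", "x-chkp-template": "std-template"},
    },
    {   # wrong management name: CME on mgmt-eu will never pick this VMSS up
        "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachineScaleSets/cp-gw-stale",
        "tags": {"x-chkp-management": "mgmt-us", "x-chkp-template": "std-template"},
    },
    {   # subscription with no controller: no gateways will ever be provisioned
        "id": "/subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups/rg-lab/providers/Microsoft.Compute/virtualMachineScaleSets/cp-gw-orphan",
        "tags": {"x-chkp-management": "mgmt-eu", "x-chkp-template": "std-template"},
    },
    {   # template not served by the controller that owns this subscription
        "id": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-pci/providers/Microsoft.Compute/virtualMachineScaleSets/cp-gw-pci",
        "tags": {"x-chkp-management": "mgmt-eu", "x-chkp-template": "std-template"},
    },
]

SUB_RE = re.compile(r"^/subscriptions/([^/]+)/", re.IGNORECASE)


def subscription_of(resource_id: str) -> str:
    """Extract the subscription ID from an Azure resource ID ('' if unparsable)."""
    m = SUB_RE.match(resource_id)
    return m.group(1).lower() if m else ""


def controller_for(config: dict, subscription: str) -> Tuple[Optional[str], Optional[dict]]:
    """Find the controller whose subscription owns this VMSS."""
    for name, ctl in config["controllers"].items():
        if ctl.get("subscription", "").lower() == subscription:
            return name, ctl
    return None, None


def check_vmss(config: dict, vmss: dict) -> List[str]:
    """Return a list of problems; an empty list means CME should manage this VMSS."""
    issues: List[str] = []
    tags = vmss.get("tags") or {}
    mgmt = tags.get("x-chkp-management")
    tmpl = tags.get("x-chkp-template")
    expected_mgmt = config["management"]["name"]
    if mgmt != expected_mgmt:
        issues.append(f"x-chkp-management tag is {mgmt!r}, expected {expected_mgmt!r}")
    if tmpl not in config["templates"]:
        issues.append(f"x-chkp-template tag {tmpl!r} is not a configured template")
    sub = subscription_of(vmss.get("id", ""))
    ctl_name, ctl = controller_for(config, sub)
    if ctl is None:
        issues.append(f"no controller configured for subscription {sub or '<unparsable>'}")
    elif "templates" in ctl and tmpl not in ctl["templates"]:
        issues.append(f"controller {ctl_name!r} does not serve template {tmpl!r}")
    return issues


def check_all(config: dict, vmss_list: List[dict]) -> Dict[str, List[str]]:
    """Map each VMSS name (last segment of its resource ID) to its issues."""
    return {v["id"].rsplit("/", 1)[-1]: check_vmss(config, v) for v in vmss_list}


if __name__ == "__main__":
    for name, issues in check_all(CME_CONFIG, AZURE_VMSS).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

In practice you would replace the two constructed inputs with the real CME configuration and with the output of "az vmss list -o json" for every subscription you have a controller for; a VMSS that appears in Azure but is reported with an issue here is one CME will silently skip, which is the usual reason a scale set never gets its gateway objects on the Management Server.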