Overview of Cloud Management Extension (CME)

CME is a utility that runs on Check Point Security Management Servers and Multi-Domain Servers running Gaia OS. CME enables cloud-native integration between Check Point CloudGuard IaaS solutions and cloud platforms.

As a Service that runs on Check Point Management Servers, it continuously monitors CloudGuard IaaS solutions deployed in various cloud vendors and synchronizes them with the Security Management Server.

Supported Solutions and Features

Note - CME supports Check Point Management Server versions R80.20 and higher.

CME configuration file

The CME configuration file has three fields which are detailed in the CME Structure and Configurations section:

  1. Controllers - Cloud accounts for communication with a specific cloud provider. These include the parameters necessary to connect with your cloud application.

  2. Management - Parameters of the Check Point Management Server.

  3. Templates - The individual scale sets configured in the account.

Scale In and Scale Out Events

Scale sets automatically increase the number of VM instances as application demand increases (Scale Out), and reduce the number of VM instances as demand decreases (Scale In).

CME scans continually. On each scan iteration, the current load determines whether a scale-out or a scale-in event occurs; if CME detects that the demand is neither too high nor too low for the current size of the set, nothing changes.

Scale In

A scale in event occurs as a result of a decrease in the current load. When a scale in event is triggered, CME designates one or more gateways as candidates for termination. The External Load Balancer stops forwarding new connections to these gateways, and Autoscale terminates them. CME then detects that these CloudGuard IaaS Security Gateways have stopped and automatically deletes their gateway objects from the Check Point Security Management Server's database.

Scale Out

A scale out event occurs if the current load increases. When a scale out event is triggered:

  • Azure Autoscale launches one or more new instances of the Check Point CloudGuard IaaS Security Gateways.

  • The new instances of CloudGuard IaaS Security Gateways automatically run the Check Point First Time Configuration Wizard and then reboot.

During the scale out, CME detects that new instances of CloudGuard IaaS Security Gateways have launched. CME waits until these CloudGuard IaaS Security Gateways finish deploying and then automatically:

  • Initializes a Secure Internal Communication (SIC) channel with these CloudGuard IaaS Security Gateways.

  • Installs a Security Policy on these CloudGuard IaaS Security Gateways.

After the Security Policy installation, these CloudGuard IaaS Security Gateways start to respond to health probes. The Load Balancer then starts to forward new connections to them. The newly created CloudGuard IaaS Security Gateways report their status and send logs to CME.
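The following Python model is an added example, not Check Point's code, and it covers both the Scale In and Scale Out sections above: one scan iteration compares the cloud scale set's inventory with the gateway objects the Management Server knows about, removes objects whose instance has stopped or vanished, waits for instances that are still provisioning, and onboards running instances step by step (add object, initialize SIC, install policy). The gateway naming convention, the action names, the policy package name and the inventory in `sample_iteration` are assumptions of this example; the real CME drives the Check Point Management API and uses its own naming.

```python
"""Model of one CME scan iteration reconciling a cloud scale set with the
Management Server's gateway objects. Constructed example: the real CME uses the
Check Point Management API and its own object naming, which are assumed here."""
from dataclasses import dataclass
from enum import Enum
from typing import List, NamedTuple, Tuple


class InstanceState(Enum):
    PROVISIONING = "provisioning"   # First Time Configuration Wizard / reboot not finished
    RUNNING = "running"
    STOPPED = "stopped"
    TERMINATED = "terminated"


@dataclass(frozen=True)
class CloudInstance:
    instance_id: str
    private_ip: str
    state: InstanceState


@dataclass
class ManagedGateway:
    """Gateway object as recorded in the Management Server database."""
    name: str
    instance_id: str
    sic_established: bool = False
    policy_installed: bool = False


class Action(NamedTuple):
    kind: str     # "delete-gateway", "wait", "add-gateway", "init-sic", "install-policy"
    target: str   # gateway name, instance id, or "<package>-><gateway>"


def gateway_name(instance_id: str) -> str:
    # Naming convention is an assumption of this example, not CME's.
    return f"cg-{instance_id}"


def reconcile(cloud: List[CloudInstance], managed: List[ManagedGateway],
              policy_package: str = "Standard") -> List[Action]:
    """Compute the actions one scan iteration would take. Nothing is executed."""
    cloud_by_id = {i.instance_id: i for i in cloud}
    managed_by_id = {g.instance_id: g for g in managed}
    actions: List[Action] = []

    # Scale in: a gateway whose instance stopped, terminated, or vanished from
    # the scale set is removed from the management database.
    for gw in managed:
        inst = cloud_by_id.get(gw.instance_id)
        if inst is None or inst.state in (InstanceState.STOPPED, InstanceState.TERMINATED):
            actions.append(Action("delete-gateway", gw.name))

    # Scale out: a running instance unknown to management is onboarded step by
    # step, so a gateway left half-onboarded by a failed iteration is resumed.
    for inst in cloud:
        if inst.state is InstanceState.PROVISIONING:
            actions.append(Action("wait", inst.instance_id))
            continue
        if inst.state is not InstanceState.RUNNING:
            continue
        gw = managed_by_id.get(inst.instance_id)
        if gw is None:
            gw = ManagedGateway(gateway_name(inst.instance_id), inst.instance_id)
            actions.append(Action("add-gateway", gw.name))
        if not gw.sic_established:
            actions.append(Action("init-sic", gw.name))
        if not gw.policy_installed:
            actions.append(Action("install-policy", f"{policy_package}->{gw.name}"))
    return actions


def load_balancer_targets(cloud: List[CloudInstance],
                          managed: List[ManagedGateway]) -> List[str]:
    """Instances that answer health probes: running, with the policy installed."""
    installed = {g.instance_id for g in managed if g.policy_installed}
    return sorted(i.instance_id for i in cloud
                  if i.state is InstanceState.RUNNING and i.instance_id in installed)


def sample_iteration() -> Tuple[List[Action], List[str]]:
    # Constructed inventory: one healthy gateway, one freshly launched instance,
    # one still provisioning, one stopped by a scale-in, and one stale object
    # whose instance is already gone from the scale set.
    cloud = [
        CloudInstance("i-0a1", "10.0.1.4", InstanceState.RUNNING),
        CloudInstance("i-0b2", "10.0.1.5", InstanceState.RUNNING),
        CloudInstance("i-0c3", "10.0.1.6", InstanceState.PROVISIONING),
        CloudInstance("i-0d4", "10.0.1.7", InstanceState.STOPPED),
    ]
    managed = [
        ManagedGateway("cg-i-0a1", "i-0a1", sic_established=True, policy_installed=True),
        ManagedGateway("cg-i-0d4", "i-0d4", sic_established=True, policy_installed=True),
        ManagedGateway("cg-i-0e5", "i-0e5", sic_established=True, policy_installed=True),
    ]
    return reconcile(cloud, managed), load_balancer_targets(cloud, managed)


if __name__ == "__main__":
    plan, targets = sample_iteration()
    for action in plan:
        print(f"{action.kind:16} {action.target}")
    print("load balancer targets:", targets)
```

Running the block prints the planned actions for the constructed inventory: the stopped and vanished gateways are deleted, the new running instance gets the three onboarding steps, and the provisioning instance is left alone until a later iteration. Only the gateway that already has its policy installed is a load balancer target, matching the order of events described above.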