Traffic Enforcement in Servers Subnets with CME
As displayed in the illustration above, the Centralized GWLB architecture includes a Security VPC containing Check Point GWLB Security Gateways and a Server VPC containing customer Servers/Applications.
The Cloud Management Extension (CME) monitors routes within the Server's VPC on AWS and configures the necessary SmartConsole rules to enforce that application traffic goes only through the GWLB Endpoint.
The monitored routes include:
- Routes from the Internet (IGW) to Servers subnets
- Routes from Servers subnets to the Internet (IGW)
The GWLB Endpoint sends all traffic to and from the Server subnets to the Check Point GWLB for inspection. The CME automatically creates the SmartConsole rules by monitoring defined tags on the subnets.
This feature is supported only for the Centralized GWLB architecture.
Enabling Subnets Scanning with CME API
With CME API, you can configure the CME to use Subnets Scanning.
API Documentation:
- SwaggerHub: CME API
- Postman Collection: CME API Postman collection
Prerequisites:
- CME Take 303 or higher installed on the Security Management Server.
- Management API version 1.8 or higher installed on the Security Management Server (see the Check Point Management API Reference).
- To scan IPv6 subnets, the GWLB must be configured to support IPv6 (see IPv6 Traffic Inspection Configuration for GWLB for more information).
To enable Subnets Scanning on the Security Management Server:
- For a new AWS Account:
  Send a POST request:
  POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.3.1/accounts/aws/
  Request body parameters:
  Parameter Name | Description
  regions        | A comma-separated list of AWS regions where the Security Gateways are deployed.
  scan_subnets   | Set to "true" to scan subnets with AWS GWLB.
  scan_subnet_6  | Set to "true" to scan IPv6 subnets with AWS GWLB. (Requires the scan_subnets parameter to be set to "true".)
  This operation returns "status-code": 200.
- For the existing AWS Account:
  Send a PUT request:
  PUT https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.X/accounts/aws/<Account_Name>
  Request body parameters:
  Parameter Name | Description
  Name           | A unique account name in CME for identification.
  scan_subnets   | Set to "true" to scan subnets with AWS GWLB.
  scan_subnet_6  | Set to "true" to scan IPv6 subnets with AWS GWLB. (Requires the scan_subnets parameter to be set to "true".)
  This operation returns "status-code": 200.
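The following Python is an added example, not Check Point's or CME's own code. It assembles the two requests described above (POST for a new AWS account, PUT for an existing one), enforces the documented dependency that scan_subnet_6 requires scan_subnets, and checks the "status-code": 200 result. The Management API and CME API versions are the ones quoted in the paths above (the "1.2.X" placeholder is kept as written); the lowercase "name" body key and the X-chkp-sid session header are assumptions, and the management IP and session id are constructed placeholders.

```python
"""Build (but do not send) the CME API requests that enable Subnets Scanning."""
import json
from urllib.parse import quote
from urllib.request import Request

MGMT_API_VERSION = "1.8"            # Management API version in the page's paths
CME_API_VERSION_NEW = "1.3.1"       # CME API version shown for the POST
CME_API_VERSION_EXISTING = "1.2.X"  # placeholder shown for the PUT, kept as-is
SESSION_HEADER = "X-chkp-sid"       # assumption: Management API session header


def build_scan_body(regions=None, scan_subnets=False, scan_subnet_6=False, name=None):
    """Return the request body as a dict. Values are the string "true", as the page quotes them."""
    if scan_subnet_6 and not scan_subnets:
        # Documented constraint: IPv6 subnet scanning requires scan_subnets="true".
        raise ValueError('scan_subnet_6 requires scan_subnets to be "true"')
    body = {}
    if name is not None:
        body["name"] = name                   # assumption: lowercase JSON key for "Name"
    if regions is not None:
        body["regions"] = ",".join(regions)   # comma-separated list of AWS regions
    if scan_subnets:
        body["scan_subnets"] = "true"
    if scan_subnet_6:
        body["scan_subnet_6"] = "true"
    return body


def build_request(mgmt_ip, regions=None, account_name=None, scan_subnet_6=False):
    """POST for a new account; PUT for an existing account identified by account_name."""
    base = f"https://{mgmt_ip}/web_api/v{MGMT_API_VERSION}/cme-api"
    if account_name is None:
        method = "POST"
        url = f"{base}/v{CME_API_VERSION_NEW}/accounts/aws/"
        body = build_scan_body(regions=regions, scan_subnets=True, scan_subnet_6=scan_subnet_6)
    else:
        method = "PUT"
        url = f"{base}/v{CME_API_VERSION_EXISTING}/accounts/aws/{quote(account_name, safe='')}"
        body = build_scan_body(name=account_name, scan_subnets=True, scan_subnet_6=scan_subnet_6)
    return {"method": method, "url": url, "body": body}


def to_urllib_request(req, sid):
    """Wrap the dict from build_request() in a urllib Request ready for urlopen()."""
    headers = {"Content-Type": "application/json", SESSION_HEADER: sid}
    return Request(req["url"], data=json.dumps(req["body"]).encode(), headers=headers,
                   method=req["method"])


def operation_succeeded(response_json):
    """The page states the operation returns "status-code": 200; check that field."""
    return response_json.get("status-code") == 200


if __name__ == "__main__":
    # Constructed placeholders: management address and session id are not real.
    new_acct = build_request("192.0.2.10", regions=["us-east-1", "eu-west-1"], scan_subnet_6=True)
    existing = build_request("192.0.2.10", account_name="prod-aws", scan_subnet_6=False)
    for r in (new_acct, existing):
        print(r["method"], r["url"], json.dumps(r["body"]))
    print(to_urllib_request(new_acct, "EXAMPLE-SID").get_method())
```

Send the wrapped request with urllib.request.urlopen once you have a valid session id; the constructed values above are only there so the script runs offline.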
Configuring Server Subnets Tags for SmartConsole Rules
Customers can configure SmartConsole rules with tags on the server's subnets (see Step 7: Post Deployment - Tag Subnets for Inspection for more information).
Two tags must be set:
- x-chkp-gwlb-inbound
- x-chkp-gwlb-outbound
As values of these tags, a list of comma-separated CIDRs is used. It defines the allowed sources and destinations in SmartConsole rules. These rules are installed only on the GWLB Security Gateway group.
Example:
- x-chkp-gwlb-inbound: 0.0.0.0/0,2222:aaaa:bbbb::/64 - this tag enables automatic creation of an inbound rule from any IPv4 address and only one specific IPv6 range (2222:aaaa:bbbb::/64).
- x-chkp-gwlb-outbound: ::/0 - this tag enables automatic creation of an outbound rule to any IPv6 address.
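The Python below is an added example, not CME's code. It validates the two subnet tags before they are applied: it splits the comma-separated CIDR values, rejects malformed entries (strict parsing, so host bits set in a prefix is an error), requires both tags to be present, and reports whether any IPv6 CIDR is listed, which per the prerequisites above needs scan_subnet_6 enabled and an IPv6-capable GWLB. The tag names and the sample values are the ones from the page's example; the sample tag dictionary itself is constructed.

```python
"""Validate x-chkp-gwlb-inbound / x-chkp-gwlb-outbound tag values before use."""
import ipaddress

INBOUND_TAG = "x-chkp-gwlb-inbound"
OUTBOUND_TAG = "x-chkp-gwlb-outbound"
REQUIRED_TAGS = (INBOUND_TAG, OUTBOUND_TAG)


def parse_cidr_list(value):
    """Split a tag value into ip_network objects; strict=True rejects host bits set."""
    networks = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            raise ValueError(f"empty CIDR entry in {value!r}")
        try:
            networks.append(ipaddress.ip_network(item, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid CIDR {item!r}: {exc}") from exc
    return networks


def parse_gwlb_tags(tags):
    """Return {tag: [networks]} for both required tags; a missing tag is an error."""
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        raise KeyError(f"missing required tag(s): {', '.join(missing)}")
    return {t: parse_cidr_list(tags[t]) for t in REQUIRED_TAGS}


def needs_ipv6_scanning(parsed):
    """True if any tag lists an IPv6 CIDR (scan_subnet_6 and IPv6 GWLB support required)."""
    return any(n.version == 6 for nets in parsed.values() for n in nets)


def summarize(parsed):
    """Per-tag counts of IPv4/IPv6 entries and whether an 'any' prefix (/0) is present."""
    out = {}
    for tag, nets in parsed.items():
        out[tag] = {
            "ipv4": sum(1 for n in nets if n.version == 4),
            "ipv6": sum(1 for n in nets if n.version == 6),
            "any_ipv4": any(n.version == 4 and n.prefixlen == 0 for n in nets),
            "any_ipv6": any(n.version == 6 and n.prefixlen == 0 for n in nets),
        }
    return out


# Constructed sample: the two tag values from the example above.
SAMPLE_TAGS = {
    INBOUND_TAG: "0.0.0.0/0,2222:aaaa:bbbb::/64",
    OUTBOUND_TAG: "::/0",
}

if __name__ == "__main__":
    parsed = parse_gwlb_tags(SAMPLE_TAGS)
    for tag, info in summarize(parsed).items():
        print(tag, info)
    print("IPv6 CIDRs present, scan_subnet_6 required:", needs_ipv6_scanning(parsed))
```

Running the check against the tag values at deployment time surfaces typos such as "10.0.0.1/8" before CME turns them into rules; an "any" prefix in the summary is worth a second look, since 0.0.0.0/0 or ::/0 in the inbound tag means the generated rule accepts every source of that address family.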