Workflow for Upgrading and Installing CloudGuard
Upgrading and Installing CloudGuard
To upgrade or install the CloudGuard Gateway for NSX, you work in these systems:
- vSphere Web Client
- SmartConsole
- Console or SSH connection
For first-time installation
If you are installing CloudGuard for the first time, make sure to install the latest build of the CPUSE Deployment Agent from sk92449. After you install CloudGuard, continue with Step 4.
Use the steps below as a guide for your system.
Step 1: Installing the CloudGuard Service Registration Hotfix on the Management Server
- Install the CloudGuard Service Registration Hotfix. See the corresponding section in sk114518.
Step 2: Upgrading the CloudGuard Service Registration Hotfix
You can upgrade from CloudGuard Service Registration v5 only.
Upgrading from v5 or v6: install the CloudGuard Service Registration v7.
The Check Point Management Server with the new CloudGuard Service Registration Hotfix re-attaches itself to an existing deployed CloudGuard Gateway. All services continue as they did before the upgrade.
Using CPUSE to Install the Management Server Hotfix

Step | Description |
---|---|
1 | From a web browser on your computer, connect to the Gaia Portal on your Security Management Server or Multi-Domain Server. |
2 | From the left tree, go to Upgrades (CPUSE) > Status and Actions. |
3 | On the top toolbar, click Showing Recommended packages and select All. If you do not see the Hotfix package, click Check For Updates. |
4 | Right-click the Hotfix package and select Verifier. |
5 | Left-click the Hotfix package and click Install Update. CPUSE downloads the Hotfix package, and installation starts immediately. The Management Server reboots when the installation is complete. |

To import the Hotfix package manually and install it with CPUSE:

Step | Description |
---|---|
1 | Download the package from sk114518 to your computer. |
2 | With a web browser on your computer, connect to the Gaia Portal on your Security Management Server or Multi-Domain Server. |
3 | From the left tree, go to Upgrades (CPUSE) > Status and Actions. |
4 | Select Import Package. The Import Package window opens. |
5 | Click Browse and select the Management Server Hotfix package. |
6 | Click Upload. |
7 | On the top toolbar, click Showing Recommended packages and select All. |
8 | Right-click the Hotfix package and select Verifier. |
9 | Left-click the Hotfix package and click Install Update. The installation starts immediately. The Management Server reboots automatically when the installation is complete. |
Uninstalling the Hotfix
Before you uninstall the Hotfix:
- Make sure no service is deployed.
- Make sure all services were removed from NSX. See Uninstalling the CloudGuard Gateway Service.

Step | Description |
---|---|
1 | With a web browser on your computer, connect to the Gaia Portal on your Security Management Server or Multi-Domain Server. |
2 | From the left tree, go to Upgrades (CPUSE) > Status and Actions. |
3 | On the top toolbar, click Showing Recommended packages and select All. |
4 | Left-click the Hotfix package. |
5 | Click Uninstall. |
Step 3: Upgrading the CloudGuard Gateway for NSX
You can upgrade the CloudGuard Gateway for NSX manually or with the CLI.
Before you start the upgrade, make the OVF files available. See Step 5: Providing the URL OVF Path.

Make sure:
- There is connectivity between the OVF URL, the vCenter server, and the Security Management Server or Multi-Domain Server.
- The OVF file is accessible from the Security Management Server or Multi-Domain Server.
Note - If you update the OVF URL now, it affects only new service registrations.
Important - Before the upgrade, make sure the service status in the vSphere Web Client is UP, or the upgrade fails.
Upgrading the CloudGuard Gateway with the CLI

Step | Description |
---|---|
1 | Connect to the command line on the Security Management Server or Multi-Domain Server. |
2 | Log in to the Expert mode. |
3 | Run: cloudguard_config |
4 | Select VMware Configuration > Manage Register Service > Upgrade Service > NSX. |
5 | Select the Service you want to upgrade. |
6 | Select the Cluster you want to upgrade. |
7 | To register the service with a default configuration, press y to accept the default settings. Otherwise, select one of the two manual configuration options in the table below. |
8 | Enter and confirm the default administrator password for the CloudGuard Gateway. |
9 | Enter and confirm the SIC one-time password. |
10 | Select the IP pool, if you selected to assign the gateway IP address from the NSX IP pool. If your IP pool has no free IP address, change your selection or create a new IP pool. |

Manual configuration | Description |
---|---|
Tap device | See Configuring Tap/Monitor Mode. |
CloudGuard Gateway | Inline CloudGuard Gateway. |
The upgrade is now in progress. The process takes some time. You can follow the progress on the Management Server's console.
When the installation is complete, redirect the traffic to the new service:

Step | Description |
---|---|
1 | Select VMware Configuration > Manage Register Service > Change Redirection Rules > NSX. |
2 | Select the old service. |
3 | Select the new service. |
Use the vSphere Web Client to confirm the new service is running, and then uninstall the old service.
Upgrading the CloudGuard Gateway Manually

Step | Description |
---|---|
1 | Provide the OVF URL path and files. |
2 | Register a new CloudGuard Gateway service. |
3 | Deploy the new CloudGuard Gateway service. |
4 | In SmartConsole, install the Access Control Policy on the Check Point Gateway. |
5 | In the vSphere Web Client, change the redirection policy from the old service to the new service. |
6 | Uninstall the old CloudGuard Gateway service. |
Note - Before you install the new CloudGuard Gateway, migrate all the Virtual Machines to another ESXi. This reduces downtime during the upgrade.
Step 4: Configuring the VMware Components
Before you start these procedures, install and configure the required VMware components. You can install more than one ESXi.
Adding the vCenter IP Address to the Runtime Settings
To use VMware, you must add the vCenter IP address in the Runtime Settings tab of the vCenter Server Settings page.

Step | Description |
---|---|
1 | In the vSphere Web Client, click vCenter > vCenter Servers and select the server. |
2 | Click Manage > Settings > General > Runtime settings. |
3 | Click vCenter Server managed address > Edit > Runtime settings. |
4 | In the Virtual Center Server managed address field, enter the vCenter server IP address. |
Preparing the ESXi Cluster for CloudGuard Service Deployment
The sections below describe how to configure an ESXi cluster.
Adding an ESXi to an ESXi Cluster

Step | Description |
---|---|
1 | In the vSphere Web Client, right-click the ESXi cluster object and select Add Host. |
2 | Configure the Agent VM settings for the new host. If a CloudGuard Service is already deployed on the cluster, the CloudGuard Gateway installs automatically on the new host. |
3 | If you do not use an IP address pool or Automatic Provisioning, manually activate the CloudGuard Gateway and then configure it. |
Configuring Agent VM Host Settings

Step | Description |
---|---|
1 | In the vSphere Web Client, go to each ESXi server and select the Configure tab. |
2 | Go to Agent VM settings > Edit. |
3 | In the Agent VM Settings window, select the datastore that holds the files of the CloudGuard Gateway Service Virtual Machine. |
4 | In the Agent VM Settings window, select the Port Group network that connects to the CloudGuard Gateway Service VM by default. This Port Group is used for communication with the Security Management Server or Multi-Domain Server. |
5 | Install the NSX VIB on all hosts before you deploy the service (see below). |

To install the NSX VIB on the hosts:

Step | Description |
---|---|
1 | Log in to the vSphere Web Client. |
2 | Select Networking and Security > Installation > Host Preparation. |
3 | Click Install for all clusters where you install NSX. |
Removing an ESXi Server from an ESXi Cluster

Step | Description |
---|---|
1 | In the vSphere Web Client, go to Hosts and Clusters. |
2 | Select the ESXi server and click Actions > Maintenance Mode > Enter Maintenance Mode. |
3 | Move the ESXi server from the cluster to a Data Center. |
4 | Select the host and click Actions > Exit Maintenance Mode. |
5 | Reboot the ESXi server. If you did not enable Automatic Provisioning, remove the Cluster Member in SmartConsole. |
NSX Grouping Objects
With the Grouping feature, you can create custom containers and assign resources, such as Virtual Machines and network adapters, for CloudGuard Service protection. After a group is defined, you can add the group as the source or destination of a firewall rule.
Creating a Security Group

Step | Description |
---|---|
1 | In the vSphere Web Client, go to Networking and Security > Service Composer > Security Groups. |
2 | Click the New Security Group icon. The New Security Group wizard opens. |
3 | Enter a name and description for the new Security Group. |
4 | Click Next. |
5 | Define dynamic memberships and objects. Select objects in the Select objects to include and Select objects to exclude pages. Objects that you select to include are always members of the Security Group, even if they do not match the dynamic membership criteria. Note - You can include other Security Groups in your new Security Group. |
Creating a CloudGuard Gateway IP Address Pool
Note - Create an IP address pool to automatically assign management interface IP addresses.

Step | Description |
---|---|
1 | Log in to the vSphere Web Client. |
2 | Click Networking & Security > NSX Managers. |
3 | In the Name column, click the NSX Manager. |
4 | Click Manage. |
5 | Click Grouping Objects > IP Pool. |
6 | Click Add New IP Pool. |
7 | Enter a name for the IP pool and its default gateway. |
8 | Enter the primary and secondary DNS, DNS suffix and prefix length. |
9 | Enter the IP address ranges to include in the pool. |
10 | Click OK. |
Creating an IP Set

Step | Description |
---|---|
1 | Log in to the vSphere Web Client. |
2 | Click Networking & Security > NSX Managers. |
3 | In the Name column, click the NSX Manager. |
4 | Click Grouping Objects > IP Sets. |
5 | Click Add new IP Set (+). |
6 | In the Add IP Addresses window, enter a name, description and IP address for the new IP Set. Traffic for this IP address is redirected to the CloudGuard Gateway. |
7 | Add the new IP Set to the Security Group. |
vMotion
vMotion lets you migrate active Virtual Machines between ESXi servers.
Configure network interfaces on the source and target ESXi servers. Configure each ESXi server with at least one network interface for vMotion traffic. To secure the data transfer, make sure only trusted parties can access the vMotion network: the migrated Virtual Machine's memory state crosses this network, and when you migrate without shared storage, the virtual disk contents are transferred over it as well. Additional bandwidth significantly improves vMotion performance.

- On each ESXi server, configure a VMkernel port group for vMotion.
- Make sure the Virtual Machines can access the same subnets on the source and destination ESXi servers.
- If you use standard switches for networking, make sure the Virtual Machine port group network labels are consistent across ESXi servers. During a vMotion migration, the vCenter server assigns Virtual Machines to port groups based on matching network labels.
- If you use vSphere Distributed Switches for networking, make sure the source and destination ESXi servers are members of all vSphere Distributed Switches used by the Virtual Machines.

After a protected Virtual Machine is migrated:
- The VMware distributed firewall on the target ESXi server handles existing connections until they are closed or reset.
- The CloudGuard service that runs on the target ESXi server secures new connections to and from the migrated Virtual Machine.

The HTTPS connection and the Control connection must be initialized again after vMotion. Re-initialize the sessions of existing connections that need a control channel in addition to the data channel.
Step 5: Providing the URL OVF Path
Install the OVF files to configure the Security Gateway. The CloudGuard Gateway package includes these files:
- <file_name>.ovf
- <file_name>.vmdk
- <file_name>.mf
After you download the package, create the default file location. Step 3 below refers to the default file location that Check Point recommends on the Security Management Server or Multi-Domain Server.
You can also save it to another file location that is more appropriate for your system.

Step | Description |
---|---|
1 | Extract the package and make sure it contains the OVF, VMDK, and MF files. |
2 | Copy the files to the default file location. |
3 | Update the URL of the CloudGuard Gateway OVF. Set this URL to the file name with the |
If you receive an error message when you try to register the service, the file could be in a different location. For more information, see Troubleshooting and Best Practices.
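Before you publish the extracted package at the OVF URL, it is worth confirming that the .ovf and .vmdk files still match the digests recorded in the .mf manifest: the Management Server hands this URL to NSX, and every ESXi host in the cluster deploys whatever it finds there. The POSIX shell script below is an added example and is not part of the Check Point guide or of the cloudguard_config tool. It assumes the standard OVF manifest syntax (one line per file, SHA256(file)= hex, or SHA1 for older packages); the file names cloudguard.ovf, cloudguard.vmdk and cloudguard.mf, the digest values and the tampered manifest it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): verify an OVF package's .mf
# manifest before publishing the package at the OVF URL.
# Manifest lines look like:  SHA256(<file>)= <hex>   or   SHA1(<file>)= <hex>

# ovf_digest ALGO FILE: print the hex digest of FILE; ALGO is SHA1 or SHA256.
# Uses coreutils sha*sum when present, otherwise perl's shasum (macOS).
ovf_digest() {
  case $1 in
    SHA256) tool=sha256sum; alt="shasum -a 256" ;;
    SHA1)   tool=sha1sum;   alt="shasum -a 1" ;;
    *) echo "unsupported algorithm: $1" >&2; return 1 ;;
  esac
  if command -v "$tool" >/dev/null 2>&1; then
    "$tool" "$2" | cut -d' ' -f1
  else
    $alt "$2" | cut -d' ' -f1
  fi
}

# verify_ovf_manifest DIR MANIFEST: return 0 only when every digest line in
# MANIFEST matches the corresponding file in DIR. Any mismatch, missing file,
# or a manifest without digest lines makes the check fail (return 1).
verify_ovf_manifest() {
  dir=$1; mf=$2; bad=0; seen=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      SHA256\(*\)=*|SHA1\(*\)=*) ;;   # digest line
      *) continue ;;                   # ignore anything else
    esac
    seen=1
    algo=${line%%(*}                   # text before "("
    file=${line#*(}; file=${file%%)*}  # text between "(" and ")"
    expected=$(printf '%s' "${line#*=}" | tr -d ' \r' | tr 'A-F' 'a-f')
    if [ ! -f "$dir/$file" ]; then
      echo "MISSING  $file" >&2; bad=1; continue
    fi
    actual=$(ovf_digest "$algo" "$dir/$file")
    if [ "$actual" = "$expected" ]; then
      echo "OK       $file ($algo)"
    else
      echo "MISMATCH $file ($algo)" >&2; bad=1
    fi
  done < "$mf"
  [ "$seen" -eq 1 ] || { echo "no digest lines in $mf" >&2; bad=1; }
  return $bad
}

# make_demo_package: build a constructed package in a temp directory and print
# its path. The "OVF" holds the text "hello", the "VMDK" is empty, and the
# manifest carries their real SHA-256 digests. tampered.mf is the same
# manifest with the .vmdk digest altered, simulating a modified image.
make_demo_package() {
  d=$(mktemp -d)
  printf 'hello\n' > "$d/cloudguard.ovf"
  : > "$d/cloudguard.vmdk"
  cat > "$d/cloudguard.mf" <<'EOF'
SHA256(cloudguard.ovf)= 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SHA256(cloudguard.vmdk)= e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
EOF
  sed 's/e3b0c442/deadbeef/' "$d/cloudguard.mf" > "$d/tampered.mf"
  echo "$d"
}

# Usage: sh verify_ovf.sh --demo   (or source the file and call
# verify_ovf_manifest /var/www/ovf cloudguard.mf on a real package)
if [ "${1:-}" = "--demo" ]; then
  pkg=$(make_demo_package)
  verify_ovf_manifest "$pkg" "$pkg/cloudguard.mf" && echo "genuine manifest: verified"
  verify_ovf_manifest "$pkg" "$pkg/tampered.mf"   || echo "tampered manifest: rejected"
  rm -rf "$pkg"
fi
```

Run the check on the Management Server (or on whichever web server hosts the OVF URL) after copying the files and before you register or upgrade a service; a MISMATCH or MISSING line means the package at the URL is not the one you downloaded and should not be handed to NSX.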
Use Case - Manually Selecting the OVF File Location
An administrator has a High Availability environment and wants to store the SVM image on a distributed datastore, so that clients can access the files at any time.
After the administrator has downloaded the files, the location of the folder can be selected:

Step | Description |
---|---|
1 | Connect to the command line on the Security Management Server or Multi-Domain Server. |
2 | Log in to Gaia Clish or Expert mode. |
3 | Run: cloudguard_config |
4 | Select VMware Configuration > Change Global configuration > Manage Service OVFs. |
From this menu you can Add OVF, Delete OVF, and Change default OVF.
Step 6: Configuring the Management Server
Create Data Center objects in SmartConsole to connect to the NSX Manager and the vCenter server.

Step | Description |
---|---|
1 | Log in to Gaia Clish or Expert mode. |
2 | Run: |

In the Data Center Server object:

Step | Description |
---|---|
1 | Enter your NSX Manager or vCenter credentials and connection properties. |
2 | Click Test Connection. If the server was not approved before, a certificate window opens. Compare the presented certificate with the one installed on the NSX Manager or vCenter server, and then click Trust to confirm it. |
3 | When the connection status is Connected, click OK. Note - If the connection status is not Connected, troubleshoot this issue before you continue. See Service Registration: Not connected to a known vCenter. |
Configuring the Security Management Server or Multi-Domain Server Properties
Log in to Expert mode to run the command cloudguard_config.

Step | Description |
---|---|
1 | Make sure you are connected to the Data Center server. |
2 | Connect to the command line on the Security Management Server or Multi-Domain Server. |
3 | Log in to Gaia Clish or Expert mode. |
4 | On a Multi-Domain Server, go to the context of each applicable Domain Management Server. |
5 | Run: cloudguard_config |
6 | Select VMware Configuration. |
7 | Enter y to accept the default settings or n to configure manually. |
8 | Enter the Service Manager IP Address (the IP address of the Security Management Server or Multi-Domain Server that is routable from the NSX Manager). Note - In a Multi-Domain Server environment, enter the IP address of the applicable Domain Management Server. |
9 | Enter the URL of the CloudGuard OVF file. When you upload the OVF to the default location on the Security Management Server or Multi-Domain Server, the default URL applies. If you upload the OVF to a different location, enter the correct URL. |
10 | To register the CloudGuard service now, enter y. To register at another time, enter n. |
Step 7: Registering a New CloudGuard Gateway Service

Step | Description |
---|---|
1 | Make sure you are connected to the Data Center server. |
2 | Connect to the command line on the Security Management Server or Multi-Domain Server. |
3 | Log in to Gaia Clish or Expert mode. |
4 | On a Multi-Domain Server only, go to the context of each applicable Domain Management Server. |
5 | Run: cloudguard_config |
6 | Register the service with a default configuration or a manual configuration, as described below. |

To register the service with the default configuration:

Step | Description |
---|---|
1 | Enter y for the default configuration, or n for manual configuration. |
2 | Enter and confirm the default administrator password for the CloudGuard Gateway. |
3 | Enter and confirm the SIC one-time password. |
4 | Enter y to register the service. |
If this is the first registered service, select a management administrator and enter the correct password to continue. These credentials are given to the NSX Manager, which uses them to identify all the operations done by the Security Management Server or Multi-Domain Server. Because the NSX Manager holds these credentials, use a dedicated administrator account for this purpose rather than a personal one, and update the stored credentials (see below) whenever its password changes.
Make sure the administrator has Management API login permission.
In a Multi-Domain Server environment, make sure the administrator has permissions on the relevant domain for the Domain Management Server.

To change the stored Service Manager credentials later:

Step | Description |
---|---|
1 | Log in to Gaia Clish or Expert mode. |
2 | Run: cloudguard_config |
3 | Select VMware configuration > Change Global Configuration > Service Manager Credentials. |

To register the service with a manual configuration:

Step | Description |
---|---|
1 | Enter n for manual configuration. |
2 | Select the OVF. |
3 | Enter a Service Name. Note - The name must be unique and have less than 34 characters. The default name is Check Point CloudGuard Service. |
4 | Select how you want to register the service. |
5 | Configure IPv6 Support (see Configuring IPv6 Support). |
6 | Configure the Failure Policy (for the Inspection Mode only). The Failure Policy determines if packets are allowed or dropped when the ESXi kernel cannot communicate with the CloudGuard Gateway agent, for example when the CloudGuard Gateway is down, restarts, or has an unexpected error. Fail close is the default policy: all packets are dropped. If you choose Fail open, all packets are accepted without inspection. You can change the policy later (see Changing the Failure Policy). |
7 | There are two options: Tap device (see Configuring Tap/Monitor Mode) or CloudGuard Gateway. |
8 | Enter and confirm the default administrator password for the CloudGuard Gateway. |
9 | Enter and confirm the SIC one-time password. |
10 | Enter y to register the service. |
Configuring Tap/Monitor Mode
When you register a service with the Tap/Monitor Mode, CloudGuard Gateway for NSX can listen to traffic that is redirected to it, without interfering with the traffic.
The original packets continue on their path through the network, and a duplicate packet is sent to the CloudGuard Gateway enabled with the Tap/Monitor Mode.

You can use the Tap/Monitor Mode:
- As a permanent part of your deployment, to monitor the use of applications in your organization.
- As an evaluation tool for the capabilities of the Application Control and IPS blades, before you decide to purchase them.
- To create security check-up reports.
You can use Tap Mode combined with Threat Prevention Tagging to share security events with NSX Manager and achieve prevention, without deploying the solution inline.

Limitations:
- A CloudGuard Gateway for NSX deployed in this mode does not enforce the Security Policy or perform any active operation, such as prevent/drop/reject. Therefore, you can use it only to evaluate the monitoring and detection capabilities of the Software Blades. See sk101670, Section [2] Support for Security Gateway blades, for the supported Software Blades.
- All duplicate packets that arrive at the monitor interface of the Security Gateway are terminated and are not forwarded. See sk101670, Section [5] Limitations, for the Monitor Mode limitations (in addition to the Known Limitations for CloudGuard Gateway for NSX).
Configuring IPv6 Support
If you want the service to support IPv6 traffic, select On.
Note - You can change this setting at any time. See the R80.10 Gaia Administration Guide - Chapter System Management - Section System Configuration.
If you want to optimize the service for IPv6, select y. Select this option when most of the traffic that passes through the CloudGuard Gateway is IPv6 traffic. If you select optimization:
- The service can use all the cores that inspect IPv4 traffic to inspect IPv6 traffic as well. If you do not optimize, a maximum of two cores are used to inspect IPv6 traffic.
- On each CloudGuard Gateway, you can configure the number of IPv6 CoreXL FW instances that inspect IPv6 traffic. Run cpconfig, select Check Point CoreXL, and follow the on-screen instructions.
Changing the Failure Policy

Step | Description |
---|---|
1 | Connect to the command line on the Security Management Server or Multi-Domain Server. |
2 | Log in to Gaia Clish or Expert mode. |
3 | On a Multi-Domain Server only, go to the context of each applicable Domain Management Server. |
4 | Run: cloudguard_config |
5 | Select VMware Configuration > Manage Register Service > Change Failure Policy. |
6 | Select the appropriate NSX Manager. |
7 | Select the Check Point CloudGuard service. |
8 | The Current Failure Policy shows. Enter y to change the policy, or n to keep it. |

The change of policy is reflected immediately in the service profile of each service, but not in the ESXi Rule Base.
To apply the new failure policy on ESXi, disable the redirection rules and then enable them again. While the redirection rules are disabled, traffic no longer reaches the CloudGuard Gateway and is not inspected until you enable the redirection rules again, so schedule this change in a maintenance window.

Important - This operation is disruptive to the CloudGuard Gateway operation and can cause connectivity issues for connections that were started before the redirection is re-enabled.
Automatic Provisioning of CloudGuard Objects
Automatic Provisioning handles these actions on CloudGuard objects:
- Creates CloudGuard objects (Clusters or Gateways) on the Security Management Server or Multi-Domain Server when it receives a notification from the NSX Manager.
- Automatically initializes SIC between the CloudGuard Gateway and the Security Management Server or Multi-Domain Server.
- Installs the policy on new Security Gateways if the CloudGuard Cluster object already has a policy.

Step | Description |
---|---|
1 | When you register the service, follow the on-screen steps and confirm, to automatically create the objects. See Step 7: Registering a New CloudGuard Gateway Service. |
2 | Deploy the CloudGuard Security Gateway with the vSphere Web Client. See Deploying CloudGuard Gateway. |
Uninstalling the CloudGuard Gateway Service
Important - Do not use this procedure for an upgrade.
Uninstall the CloudGuard Gateway service before you uninstall CloudGuard from the Security Management Server or Multi-Domain Server.

Step | Description |
---|---|
1 | In the vSphere Web Client, go to Networking and Security > Service Composer > Security Policies. |
2 | Select the policy. |
3 | Click Actions > Delete. |
4 | In the vSphere Web Client, go to Home > Networking and Security > Installation > Service Deployments. |
5 | Select the service and click Delete service deployment (X). |
6 | Connect to the command line on the Security Management Server or Multi-Domain Server. |
7 | Log in to Gaia Clish or Expert mode. |
8 | On a Multi-Domain Server only, go to the context of each applicable Domain Management Server. |
9 | Run: cloudguard_config |
10 | Select VMware Configuration > Manage Registered Services > Remove Service. |
11 | Select NSX and the services to delete from the list. |
Automatic Provisioning in SmartConsole
- If you did not enable Automatic Provisioning, delete the cluster object.
- If you did enable Automatic Provisioning, wait for the objects to be deleted from SmartConsole.

After you unregister all the services in a High Availability environment, run:

This stops the process on the Security Management Server or Multi-Domain Server from which you did not remove the service.
Management High Availability Failover
Failover from the Active Management Server (Security Management Server or Multi-Domain Server) to the Standby Management Server is done manually. You must manually synchronize the Management Servers before and after the failover. To learn more, see the section Synchronization Procedures in the relevant Security Management Administration Guide.

In a Multi-Domain Server environment, synchronize only the Domain Management Server that you change to Active. Do this for every Domain Management Server that you change to Active.

Step | Description |
---|---|
1 | In SmartConsole, go to Menu > Management High Availability. The High Availability Status window shows. |
2 | Change the Active Management Server to Standby. |
3 | Change the Standby Management Server to Active. |
4 | Connect to the command line on the Security Management Server or Multi-Domain Server. |
5 | Log in to Gaia Clish or Expert mode. |
6 | On a Multi-Domain Server only, go to the context of each applicable Domain Management Server. |
7 | Run: cloudguard_config |
8 | Select VMware Configuration > Change Global Parameters > Service Manager IP Address. |
9 | Enter the new Management Server's IP address. This is the IP address of the Security Management Server or Multi-Domain Server that is routable from NSX. The NSX Manager can now send notifications to the new Active Management Server. |
10 | For each Domain Management Server that already has the CloudGuard service deployed, run: |
11 | If the CloudGuard Gateway OVF URL is on your new Active Management Server, you can set the new OVF as the default, or manually choose it on registration. |
12 | Repeat Steps 1 and 2 to synchronize the Management Servers. |
To learn more about failover, see the section Changing a Server to Active or Standby in the relevant Security Management Administration Guide.
Note - In a Management High Availability environment, store the CloudGuard OVF files on a third-party web server.

If you update the OVF URL now, it affects only future service registrations.
Step 8: Deploying and Configuring CloudGuard Security Gateway for NSX
Check Point CloudGuard Gateway enforces adaptive security across virtual environments. It applies advanced Threat Prevention to block threats inside the Data Center, and micro-segmentation for access control inside the virtual environment.
Deploying CloudGuard Gateway
After you complete the service registration (see Step 7: Registering a New CloudGuard Gateway Service), you can deploy the CloudGuard Gateway with the vSphere Web Client.
Deploying the Service
This procedure uses an Agent VM (see Configuring Agent VM Host Settings), for an environment with a local datastore.

Before you begin:
- Make sure you prepared the vCenter cluster before you deploy the service on it (see Preparing the ESXi Cluster for CloudGuard Service Deployment).
- If you use an external datastore, make sure you know its details.

Step | Description |
---|---|
1 | Select Installation > Service Deployments. |
2 | Click New Service (+), and select the service you created (see Step 7: Registering a New CloudGuard Gateway Service). |
3 | Select the cluster where the service is deployed. |
4 | Select the datastore for the SVM (the local datastore, or the external datastore whose details you noted above). |
5 | Select the management interface port group. |
6 | If you enabled the Automatic IP Pool feature (see Step 7: Registering a New CloudGuard Gateway Service) or the Automatic Provisioning feature (see Automatic Provisioning of CloudGuard Objects), you do not have to activate and configure the CloudGuard Gateway manually. |
7 | Click Finish. |
The system copies the OVF to the vCenter and deploys it to all ESXi hosts in the selected clusters.
See the Installation Status in the Service Deployments tab to monitor the progress of the deployment from the vSphere Web Client.

If the deployment fails:
- Click Failed to see the reason for the failure.
- Click Resolve to resolve the issues.

If the Enable Agent task shows an error with the message "Cannot complete the operation", you can safely ignore it. This is a known VMware limitation.
When the installation completes, the CloudGuard Gateway automatically reboots.
Configuring NSX to Redirect Traffic to the CloudGuard Gateway
This procedure describes the basic steps to configure a Security Policy. See the VMware documentation for conceptual information, detailed procedures, and explanations of the different objects and options.
Configure the NSX Security Policy to redirect traffic to the Check Point service. Create the rules in this policy in pairs:
- A rule for traffic from the Security Group (Source = Security Group)
- A rule for traffic to the Security Group (Destination = Security Group)

Notes:
- You can also configure redirection rules from Partner security services > Firewall.
- Connections that are already open when the redirection starts may be dropped.
Creating Security Policy

Step | Description |
---|---|
1 | In the vSphere Web Client, click Networking and Security > Service Composer > Security Policies. |
2 | Select the Create Security Policy icon. The New Security Policy wizard opens. |
3 | Click Next until the Network Introspection Services page shows. |
4 | Click the Add Network Introspection Service icon (+). |
5 | Enter the <from_rule_name> and a description. |
6 | Select your Service Name and the Profile that was created during registration. |
7 | Set Destination to Any. |
8 | Set Source to Policy's Security Groups > OK. |
9 | Add a new rule: enter the <to_rule_name> and a description. |
10 | In the Network Introspection Services page, change the Source parameter to Any. The Destination parameter changes to Policy's Security Groups. |
11 | Select your Service Name and the Profile that was created during registration. |
12 | Click OK > Finish. |
13 | Select the new Security Policy and click Apply Policy. |
14 | In the Apply Policy window, select the Security Group and click OK. Important - Do not apply the Security Policy to more than one group that contains the same Virtual Machine. |
Excluding Virtual Machines from Distributed Firewall Protection
You can exclude a set of Virtual Machines from distributed firewall protection. For a Virtual Machine with multiple vNICs, all vNICs are excluded from firewall protection. The NSX Manager and service Virtual Machines are automatically excluded from firewall protection. Review the Exclusion List regularly: a Virtual Machine added here is no longer protected by the distributed firewall.

Step | Description |
---|---|
1 | Log in to the vSphere Web Client. |
2 | Click Networking & Security. |
3 | Click NSX Managers. |
4 | In the Name column, click an NSX Manager. |
5 | Click the Manage tab and then click the Exclusion List tab. |
6 | Click Add (+), and type the name of the Virtual Machine you want to exclude. |
7 | Click Add > OK. |
Preventing Traffic Redirection to the CloudGuard Service

Step | Description |
---|---|
1 | In the vSphere Web Client, open Networking & Security > Firewall. |
2 | Click the Partner security services tab. |
3 | To add a rule, click Add rule (+) above the redirection rule. A new any-allow rule is added at the top of the section. |
4 | In the Name cell of the new rule, click Edit and enter a rule name. |
5 | Enter the rule Source, Destination, and Service. |
6 | In the Action cell of the new rule, click Edit. |
7 | |
NSX IP Mappings for Virtual Machines
NSX redirection policies that are based on Virtual Machine names or other dynamic attributes require IP mapping of the Virtual Machines.

- From VMware NSX 6.2, use the NSX SpoofGuard DHCP snooping or ARP snooping abilities. These features allow NSX to enforce IP address-based security rules on Virtual Machines with no VMware Tools installed. See sk109460.
- Use an IP Set to redirect traffic from a Virtual Machine without VMware Tools. To redirect traffic for IP Sets, enable SpoofGuard and add the Inactive Virtual NIC IP address to the Approved IP list.
Note - To make sure that all traffic goes through the CloudGuard Security Gateway, install VMware Tools on each Virtual Machine. Make sure that VMware Tools are running correctly.

From NSX 6.4, you do not have to install VMware Tools to redirect traffic.

To approve a Virtual NIC IP address in SpoofGuard:

Step | Description |
---|---|
1 | Open Home > Networking & Security. |
2 | In the SpoofGuard panel, add a new policy or select an existing policy. |
3 | In the Policy > Settings panel, enable SpoofGuard. |
4 | In the Policy > Select Networks panel, click (+). |
5 | Select the Port Group from the list. |
6 | In the lower section of the SpoofGuard pane, select Inactive Virtual NICs from the View list. |
7 | Select the Virtual NIC. |
8 | Enter the Virtual NIC IP address in the Approved IP field. This creates a policy exception that enables traffic redirection to the approved IP address. |
Manually Creating CloudGuard Cluster Objects
This procedure is not necessary if you enabled Automatic Provisioning of CloudGuard objects.
Create a cluster object with CloudGuard Gateway members. Each CloudGuard Gateway gets the license attached to the cluster.

| Step | Description |
|---|---|
| 1 | Go to SmartConsole > Objects Explorer > More Object Types > Network Objects > Gateways and Servers > Cluster > New Cluster. |
| 2 | Select Classic mode. |
| 3 | In the Gateway Cluster properties, enter a Name for the cluster. |
| 4 | Enter the cluster IP address. The cluster IP address is only used for the definition of the object. |
| 5 | In General Properties > Network Security: |
| 6 | In the 3rd Party Configuration window, make sure Hide Cluster Members outgoing traffic behind Clusters IP address is not selected. |
| 7 | In the Network Management [+] tab, make sure Enable Extended Cluster AntiSpoofing is not selected. |
| 8 | In the General Properties > Network Security tab, select the Software Blades. |

Before you add a CloudGuard Gateway instance to the CloudGuard cluster:
-
Make sure that there is connectivity between the Cluster Member and the Security Management Server or Multi-Domain Server.
-
Resolve connectivity issues before you continue.
-
Make sure that you coordinate the Date, Time and Timezone settings between the Security Management Server or Multi-Domain Server and the CloudGuard Gateway.

| Step | Description |
|---|---|
| 1 | In the Objects Explorer Search box, type the name of your cluster. |
| 2 | Double-click the cluster. The Gateway Cluster Properties window opens. |
| 3 | Select Cluster Members > Add > New Cluster Member. |
| 4 | In the Cluster Member Properties window, in the General tab, enter a Name and IP address. |
| 5 | Click Communication and enter the SIC internal communication password. |
| 6 | Click Initialize and wait for the Trust state to change to Trust established. |

| Step | Description |
|---|---|
| 1 | In the Objects Explorer Search box, type the name of your cluster. |
| 2 | Double-click the cluster. The Gateway Cluster Properties window opens. |
| 3 | Select Network Management [+] > Get Interfaces. |
| 4 | Select Network Management [+] > Action > New Interface. |
| 5 | In Object Name, enter: |
| 6 | In General, change Network Type to Sync. |
| 7 | In Members IPs, click Modify, and for each member, enter an IPv4 Address and Net Mask. This IP address is only used to create the cluster object. It is not the real IP address of the CloudGuard Gateway. |
| 8 | Select Topology > Modify > Override. |
Multi-Tenancy Support
CloudGuard supports multi-tenant protection on ESXi. This means it can protect multiple customers or organizations, as well as departments or business units, that share the same ESXi cluster.
Depending on the requirements, these solutions can provide multi-tenant protection:
-
Dedicated cluster for each tenant.
Each tenant's traffic is handled by a single service deployed on the cluster, which enforces the Security Policy that applies to the security groups of that tenant.
-
Tenants share the same cluster.
This solution requires a service registration for each tenant. Manage each tenant through a different service. To control the redirection of tenant traffic, create separate security groups for each tenant (see Creating a Security Group).

| Step | Description |
|---|---|
| 1 | Register a new service with a unique name that identifies the tenant (see Step 7: Registering a New CloudGuard Gateway Service). |
| 2 | Deploy the service on the required cluster (see Deploying CloudGuard Gateway). A service instance is added to each host in the cluster. |
| 3 | Create a new security group for the tenant. Include all objects that require protection (see Creating a Security Group). |
| 4 | Redirect each tenant's traffic through the designated service (see Requirements for VMware Tools). |
Manual Activation of the CloudGuard Gateway
This procedure is not necessary if you configured the system for Automatic Provisioning of CloudGuard Objects or Automatic Assignment of IP addresses to CloudGuard Gateways.

| Step | Description |
|---|---|
| 1 | Log in to each CloudGuard Gateway instance with a console and run these commands: |
| 2 | Configure the CloudGuard cluster and Gateway objects in SmartConsole. See Manually Creating CloudGuard Cluster Objects. |
CloudGuard for NSX Administration Guide