Installing the CloudGuard Gateway

To upgrade or install the CloudGuard Gateway for NSX-T, open these connections:

  • vSphere Web Client

  • NSX-T manager

  • SmartConsole

  • Console or SSH connections

Make sure you have the latest build of the CPUSE Deployment Agent. After you install CloudGuard, continue with Step 2.

Use the steps below as a guide for your system:

  1. Install the CloudGuard Service Registration Hotfix on the Management Server (see Step 1: Installing the CME Bundle on the Management Server).

  2. Configure the VMware components (see Step 2: Configuring the NSX-T Components).

  3. Provide the OVF URL path (see Step 3: Providing the URL OVF Path).

  4. Configure the CloudGuard Management Server Properties (see Step 4: Configuring the Management Server).

  5. Register the CloudGuard Gateway Service (see Step 5: Registering a New CloudGuard Gateway Service).

  6. Deploy and configure CloudGuard Security Gateway for NSX (see Step 6: Deploying and Configuring CloudGuard Security Gateway for NSX).

Step 1: Installing the CME Bundle on the Management Server

The Cloud Management Extension (CME) is a utility that runs on Check Point Security Management Servers and Multi-Domain Security Management Servers.

CME can be installed on Security Management Servers and Multi-Domain Security Management Servers deployed in cloud platforms or on-premises.

Important - To keep CME up to date with Automatic Updates, remove any CME installation made through CPUSE and refer to Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent for detailed installation instructions.

Prerequisites

  • CME requires a Jumbo Hotfix Accumulator installed with the minimum version:

    • R80.10 - Jumbo Hotfix Accumulator Take 249

    • R80.20 - Jumbo Hotfix Accumulator Take 117

    • R80.30 - Jumbo Hotfix Accumulator Take 71

To install the CME utility:

  1. Go to sk157492.

  2. Download the latest CME package for your Management Server version.

  3. Follow the Installation Instructions in the SK to install CME.

Step 2: Configuring the NSX-T Components

Before you start these procedures, install and configure the required VMware components. You can install more than one ESXi host.

Preparing the ESXi Cluster for CloudGuard Service Deployment

CloudGuard services deployed on hosts provide granular control over East-West network traffic. The services allow guest VM traffic to flow through the security implementation without changing the original topology. To prepare hosts to participate in NSX-T, you must install NSX-T kernel modules on ESXi hosts. This allows you to build the NSX-T control-plane and management-plane fabric. NSX-T kernel modules packaged in VIB files run in the hypervisor kernel and provide services such as distributed routing, distributed firewall and bridging capabilities.

To install the NSX-T Kernel Modules on ESXi:

  1. Log in to the NSX-T manager Web Client.

  2. Select System > Fabric > Nodes > Host Transport Nodes.

  3. From the Managed By drop-down list, choose a vCenter.

  4. Select the cluster on which you want to install the NSX VIB, and then click CONFIGURE NSX. The Configure NSX window opens.

  5. In Select Deployment Profile, from the drop-down list, choose the relevant profile you created earlier for your ESXi.

  6. Click Save. The VIB is automatically installed on the cluster ESXi.

Notes:

  • To create a new profile, click Create New Transport Node Profile. The Add Transport Node Profile window opens. Enter the necessary information, and then click Add.

  • In the NSX-T Data Center deployment, make sure that an overlay transport zone and overlay-backed logical switches exist. See the NSX-T Data Center Requirements for East-West Traffic for additional requirements.

For more information about the configuration of the deployment profile, refer to VMware NSX-T Data Center Product Documentation.

NSX NSGroup Objects

With the Grouping feature, you can create custom containers and assign resources, such as virtual machines and network adapters, for CloudGuard service protection. After a group is defined, you can add the group as a source or destination in a redirection rule.

Creating a NSGroup

To create a NSGroup in NSX-T 2.5:

  1. From the NSX-T manager Web Client's menu bar, select Advanced Networking & Security.

  2. In the sub-menu, select Inventory > Groups > Groups.

  3. Click the + Add icon. The Add New NSGroup window opens.

    1. In the General tab, enter a name and description for the new NSGroup.

    2. Add objects in the Membership Criteria and Member tabs.

    Objects that you select are always included in the NSGroup, even if these objects do not match the dynamic membership specifications.

To create a NSGroup in NSX-T 3.0 and higher:

  1. In the sub-menu, select Inventory > Groups > Groups.

  2. Click the + Add icon. The Add New NSGroup window opens.

    1. In the General tab, enter a name and description for the new NSGroup.

    2. Add objects in the Membership Criteria and Member tabs.

    Objects that you select are always included in the NSGroup, even if these objects do not match the dynamic membership specifications.

Note - You can include other NSGroups in your new NSGroup.

Creating a CloudGuard Gateway IP Address Pool

To create a CloudGuard Gateway IP address pool in NSX-T 2.5:

  1. Log in to the NSX-T manager Web Client.

  2. From the NSX-T manager Web Client's menu bar, select Advanced Networking & Security.

  3. In the submenu, select Inventory > Groups > IP Pools.

  4. Click the + Add icon. The Add New IP Pool window opens.

  5. Enter a Name and Description for the IP pool.

  6. Enter the IP address range to include in the pool, the subnet mask and its default gateway, and then click Add.

To create a CloudGuard Gateway IP address pool in NSX-T 3.0 and higher:

  1. Log in to the NSX-T manager Web Client.

  2. From the NSX-T manager Web Client's menu bar, select Networking in Manager mode.

  3. In the submenu, select IP Management > IP Address Pools.

  4. Click the + Add icon. The Add New IP Pool window opens.

  5. Enter a Name and Description for the IP pool.

  6. Enter the IP address range to include in the pool, the subnet mask (CIDR) and its default gateway, and then click Add.

Note - The IP pool is used when the East-West service is deployed.

Step 3: Providing the URL OVF Path

Install the OVF files to configure the Security Gateway. The CloudGuard Gateway package includes these files:

  • <file_name>.ovf

  • <file_name>.vmdk

  • <file_name>.mf

  • <file_name>.cert

After you download the OVF files, host them on an HTTP server only.

Downloading the OVF Files

To download the OVF files:

  1. Download the TGZ package. Refer to sk139213 for the download link.

  2. Extract the package and make sure it contains the OVF, VMDK, cert and MF files.

  3. Copy the files to your own location.

  4. Add the URL of the CloudGuard Gateway OVF when you register a new service. Set this URL to the file name with the .ovf extension. Note - For each service, you can use a different OVF.
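As an added example (not from this guide or from Check Point), a Python check to run on the extracted package before you copy it to the HTTP server: it verifies every file listed in the .mf manifest, whose lines are assumed to follow the OVF-standard form SHA256(<file>)= <hex>, and flags files the manifest does not cover; the sample package it builds is constructed test data.

```python
"""Verify an extracted OVF package against its .mf manifest before hosting it.

Added example, not part of the Check Point guide. The file set (.ovf, .vmdk,
.mf, .cert) is the one the guide lists; manifest lines are assumed to follow
the OVF specification, "SHA256(<file>)= <hex>" (SHA1/SHA512 also accepted).
The package written by build_sample_package() is constructed test data.
"""
import hashlib
import os
import re
import tempfile

MANIFEST_LINE = re.compile(
    r"^(?P<alg>SHA1|SHA256|SHA512)\((?P<name>[^)]+)\)=\s*(?P<digest>[0-9a-fA-F]+)\s*$"
)


def parse_manifest(text):
    """Return {file_name: (hashlib algorithm, hex digest)} for a .mf file.

    Any line that is not a valid entry raises, so a truncated or edited
    manifest is rejected instead of being partially trusted.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = MANIFEST_LINE.match(raw.strip())
        if not m:
            raise ValueError("manifest line %d is malformed: %r" % (lineno, raw))
        entries[m.group("name")] = (m.group("alg").lower(), m.group("digest").lower())
    return entries


def file_digest(path, algorithm):
    """Hash a file in chunks (VMDK files are large)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(package_dir):
    """Check every manifest entry; return {file_name: bool, "_unlisted": [...]}.

    A listed file that is missing counts as failed. Files in the directory that
    the manifest does not cover (other than the .mf itself and the .cert
    signature file, which the OVF spec keeps outside the manifest) are
    reported under "_unlisted" so a stray file is not overlooked.
    """
    names = sorted(os.listdir(package_dir))
    mf_files = [n for n in names if n.endswith(".mf")]
    if len(mf_files) != 1:
        raise ValueError("expected exactly one .mf file, found %d" % len(mf_files))
    with open(os.path.join(package_dir, mf_files[0]), encoding="ascii") as f:
        manifest = parse_manifest(f.read())
    results = {}
    for name, (algorithm, expected) in manifest.items():
        path = os.path.join(package_dir, name)
        results[name] = os.path.isfile(path) and file_digest(path, algorithm) == expected
    covered = set(manifest) | {mf_files[0]}
    results["_unlisted"] = [n for n in names if n not in covered and not n.endswith(".cert")]
    return results


def build_sample_package(package_dir, tamper=False):
    """Write a constructed mini package: tiny stand-ins for the real files."""
    files = {
        "cloudguard.ovf": b"<Envelope>constructed sample descriptor</Envelope>\n",
        "cloudguard.vmdk": b"KDMV constructed sample disk contents\n",
    }
    lines = []
    for name, data in files.items():
        with open(os.path.join(package_dir, name), "wb") as f:
            f.write(data)
        lines.append("SHA256(%s)= %s" % (name, hashlib.sha256(data).hexdigest()))
    with open(os.path.join(package_dir, "cloudguard.mf"), "w", encoding="ascii") as f:
        f.write("\n".join(lines) + "\n")
    with open(os.path.join(package_dir, "cloudguard.cert"), "wb") as f:
        f.write(b"constructed placeholder for the manifest signature\n")
    if tamper:  # simulate a disk image modified after the manifest was written
        with open(os.path.join(package_dir, "cloudguard.vmdk"), "ab") as f:
            f.write(b"altered\n")


def demo(tamper=False):
    """Build a sample package in a temp dir and verify it; returns the results."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_package(d, tamper=tamper)
        return verify_package(d)


if __name__ == "__main__":
    print("intact package:  ", demo())
    print("tampered package:", demo(tamper=True))
```

To check a real download, call verify_package() on the extracted directory; any False entry or non-empty "_unlisted" list means the package should not be hosted.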

Step 4: Configuring the Management Server

Configuring the CloudGuard Management Server Properties

Log in with SSH to the Management Server in Expert Mode and run the command:

cme_menu

Configure the CloudGuard Management Server Properties. The controller is the NSX-T manager. Before you can create a new service, you must add the controller (NSX-T manager) to your environment.

To register a new controller:

  1. Select VMware > NSX-T > Manage NSX-T Controller > Add NSX-T Controller.

  2. Enter the Host IP, which is the NSX-T manager IP. When the thumbprint of the server is shown, verify it. You can get the thumbprint from the NSX-T manager CLI. Log in as admin, and then run:

get certificate API thumbprint

  3. Enter the Controller Name. This name must be unique for each controller on the Management Server.

  4. Enter the Controller User Name (the same user name used to log in to the NSX-T manager). The user name must contain only English letters, numbers and "_".

  5. Enter the Controller User Password, and then confirm it (the same password used to log in to the NSX-T manager).

    Password requirements:

      • Be at least 8 characters in length.

      • Contain both upper and lowercase alphabetic characters (A-Z, a-z).

      • Have at least one numerical character (0-9).

      • Have at least one special character (~!@#$%^&*()_-+=).

  6. In a Multi-Domain Server environment, select the domain.

  7. To confirm that the controller is connected, select Show NSX controller and check that your NSX-T controller status is Connected.

If it is necessary to change the user name and password for the controller, go to:

VMware > NSX-T > Manage NSX-T Controller > Update NSX-T Controller User.
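As an added example (not part of this guide or of CME), the thumbprint comparison from step 2 done out of band in Python, so the value CME shows can be checked against what the NSX-T manager actually presents: it assumes the CLI thumbprint is the SHA-256 digest of the DER-encoded API certificate, rendered as hex with or without colons, and the certificate bytes it tests against are constructed.

```python
"""Out-of-band check of an NSX-T manager API certificate thumbprint.

Added example, not part of the Check Point guide or of CME. Assumptions:
the value printed by "get certificate api thumbprint" is the SHA-256
digest of the DER-encoded certificate, rendered as hex with or without
colon separators. SAMPLE_DER below is constructed test data, not a real
certificate.
"""
import hashlib
import hmac
import re
import ssl

# Constructed stand-in for a DER certificate (real ones are ~1 KB of ASN.1).
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-sample-certificate-bytes" * 8


def normalize_thumbprint(text):
    """Remove colons, spaces and case so different renderings compare equal.

    Rejects anything that is not 64 hex digits, so a truncated value or a
    SHA-1 thumbprint cannot silently pass as a match.
    """
    cleaned = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("not a SHA-256 thumbprint: %r" % text)
    return cleaned


def der_thumbprint(der_bytes, sep=":"):
    """SHA-256 of the DER certificate, rendered as colon-separated hex pairs."""
    digest = hashlib.sha256(der_bytes).hexdigest()
    return sep.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_matches(der_bytes, expected):
    """True only if the presented certificate hashes to the expected value."""
    actual = normalize_thumbprint(der_thumbprint(der_bytes))
    return hmac.compare_digest(actual, normalize_thumbprint(expected))


def fetch_api_certificate(host, port=443):
    """Fetch the certificate the NSX-T manager presents, as DER bytes.

    Chain validation is deliberately skipped: no trust exists yet, which is
    why the thumbprint is compared by hand. Needs network access.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_controller(host, expected_thumbprint, port=443):
    """Compare the live API certificate with the thumbprint read from the CLI."""
    return thumbprint_matches(fetch_api_certificate(host, port), expected_thumbprint)


if __name__ == "__main__":
    shown = der_thumbprint(SAMPLE_DER)  # what the CLI would print for this cert
    print("thumbprint:", shown)
    print("match:", thumbprint_matches(SAMPLE_DER, shown.upper()))
```

For a live check, call check_controller("<nsx-manager-ip>", "<thumbprint from the CLI>") from a host that can reach the manager.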

Step 5: Registering a New CloudGuard Gateway Service

Log in with SSH to the Management Server in Expert Mode and run:

cme_menu

After you have created the controller, you can register the new service.

To register a new service:

  1. Select VMware > NSX-T > Register New Service.

  2. Select Attachment Point: East-West or North-South.

    1. For East-West service, enter the URL path for the OVF.

    2. For North-South service:

      1. Select the Tier on which you want to deploy your service: Tier 0 or Tier 1.

      2. Choose Failure Policy.

      3. Enter the URL path for the OVF.

  3. Select the NSX-T controller.

  4. Enter and then confirm the SIC one-time password for the gateway to be deployed in the NSX-T manager web client.

  5. Enter and then confirm the admin password for the gateway that you want to deploy in the NSX-T manager web client.

The service is now available for deployment on the NSX-T manager web client.

Failure Policy

Failure Policy in East-West Services:

The failure policy for East-West services is determined while redirecting the traffic to the service from the NSX-T manager web client. You can change it in the NSX-T web client.

Failure Policy in North-South Services:

The failure policy for North-South services is determined when you deploy the service from the NSX-T manager web client.

Important - After installation, you cannot change the failure policy.

Automatic Provisioning of CloudGuard Objects (East-West Only)

In East-West deployment, Automatic Provisioning handles these actions on CloudGuard objects:

  • Creates CloudGuard objects on the CloudGuard Management Server when the gateway is ready.

  • Automatically initializes SIC between the CloudGuard Gateway and the CloudGuard Management Server.

  • Configures Identity Awareness on the CloudGuard Gateway.

  • Installs the Standard policy on new Security Gateways. Note - After the policy installation is complete, you can install a different policy on the gateway from SmartConsole.

To enable Automatic Provisioning:

After you create a new controller, the auto-provisioning service starts automatically.

To see the service status, run:

service cme status

To disable Automatic Provisioning:

If you want to stop the auto-provisioning service, run:

service cme stop

Uninstalling the CloudGuard Gateway

Important - Do not use this procedure to upgrade the CloudGuard Service Registration Hotfix.

Uninstall the CloudGuard Gateway service before you uninstall CloudGuard from the CloudGuard Management Server.

To uninstall the CloudGuard Gateway Service in East-West:

  1. Log in to the NSX-T manager web client.

  2. Select Security > Network Introspection (E-W) > Rules, and then remove all the rules that apply to the service that you want to delete.

  3. Select Service Chain, and then remove the service chain that relates to the service to be deleted.

  4. Select Service profile, and then remove the service profile that relates to the service to be deleted.

  5. Select System > Service Deployments > Deployment, and then click on the service to be deleted > select Delete.

  6. Connect to the management CLI, and then run the CME menu (cme_menu).

  7. Select VMware > NSX-T > Manage Registered Service > Remove Service, and then select the service to be deleted.

To uninstall the CloudGuard Gateway Service in North-South in NSX-T 2.5:

  1. Log in to the NSX-T manager web client.

  2. Select Advanced Networking & Security > Partner Services > Service Instances.

  3. Select the service that you want to delete.

  4. Click on undeploy. To confirm, select undeploy.

To uninstall the CloudGuard Gateway Service in North-South in NSX-T 3.0 and higher:

  1. Log in to the NSX-T manager web client.

  2. From the Advanced UI (manager) tab, select Security > Partner Services > Service Instances.

  3. Select the service that you want to delete.

  4. Click on undeploy. To confirm, select undeploy.

Automatic Provisioning in SmartConsole

  • If you did not enable Automatic Provisioning, delete the gateway manually.

  • If you did enable Automatic Provisioning, wait for the objects to be deleted from SmartConsole.

High Availability Failover

Failover from an Active Management Server (Security Management Server or Multi-Domain Server) to the Standby Management Server is done manually. You must manually synchronize the Management Servers before and after failover. To learn more, see the Synchronization Procedures section in the R81 Security Management Server Administration Guide.

Note - In a Multi-Domain Server environment, synchronize only the Domain Management Server that you changed to Active. It is necessary to do this for every Domain Management Server that was changed to Active.

To manually fail over a Security Management Portal:

  1. In SmartConsole, select Menu > Management High Availability. The High Availability Status window opens.

  2. Change the Active Management Server to Standby.

  3. Change the Standby Management Server to Active.

  4. In the CME menu (cme_menu), select VMware > NSX-T > Manage Registered Service > Update Service Manager IP for HA.

  5. Select the controller.

  6. Enter the old Security Management Server or Multi-Domain Server IP address.

  7. Enter the new Security Management Server or Multi-Domain Server IP address. This is the IP address of the Security Management Server or Domain Log Server (the NSX must be able to route to this IP address). The NSX can now send notifications to the new Active Management Server.

  8. Repeat Steps 1 and 2 to synchronize the Management Servers.

To learn more about failover, see the Changing a Server to Active or Standby section in the R81 Security Management Server Administration Guide.

Best Practice - In a High Availability environment, store the CloudGuard OVF files on a third-party web server.

Step 6: Deploying and Configuring CloudGuard Security Gateway for NSX

Check Point CloudGuard Gateway enforces adaptive security across virtual environments. It applies advanced Threat Prevention to block threats inside the Data Center, and micro-segmentation for access control inside the virtual environment.

Deploying CloudGuard Gateway

After you complete the service registration (see Step 5: Registering a New CloudGuard Gateway Service), you can deploy the CloudGuard Gateway with the vSphere Web Client.


To deploy the Service in East-West:

  1. Log in to the NSX-T manager web client.

  2. Select System > Service Deployments > Deployment.

  3. Select the created service and click Deploy Service.

  4. Enter the Service Deployment Name.

  5. Select the Compute Manager.

  6. Select the Cluster on which to deploy the service.

  7. Select Data Store.

  8. Select the Network. For eth0, select the Network Type Static IP Pool.

  9. Select the Service Segment plus icon. Note - For each Transport Zone there is only one segment.

  10. Select Deployment Specification.

  11. Select the Deployment Template "CheckPoint_template".

    Note - You can change the SIC and the admin password given in the service registration. It is necessary to provide a new SIC in base64 and the admin password hash.

  12. Select a Deployment Type:

    • Host Based - A Gateway is deployed on each ESX host in the chosen cluster.

    • Clustered - Select a Host (ESX) on which to deploy the service, and a clustered deployment count, which is the number of Gateways to be deployed.

  13. Click Save. The service is deployed.

Notes:

  • In the Service Instances tab, you can monitor the status of the deployment. When the status is UP, you can configure the gateway in SmartConsole.

  • The system copies the OVF to the vCenter, and then deploys it on the ESXi host on the selected clusters.

  • See the Deployment Status in the Service Instances tab to monitor the progress of the deployment from the NSX-T manager web client.

Important - If the Installation Status does not succeed, then click Failed to see the reason for the failure.

To deploy the service in North-South in NSX-T 2.5:

  1. Log in to the NSX-T manager web client > Advanced Networking & Security - OR - Security.

  2. Click Deploy.

  3. Enter an instance name (the description is Optional).

  4. Click on the Partner Service field > select Check Point CloudGuard for NSX-T service.

  5. Select the Deployment Specification esx-01a.corp.local.

  6. Select a logical router (only routers that do not have Service Insertion configured are displayed).

  7. Click Next.

  8. Click on the Compute Manager field and select a compute manager.

  9. Click on the Cluster field and select a cluster.

  10. Click on the Datastore field and select a datastore.

  11. Select a Deployment Mode.

    Standalone / High Availability

  12. Select a Failure Policy. Select either Allow or Block. These options specify the default action when the Service VM does not function.

    Allow - The traffic passes without inspection.

    Block - All traffic is dropped.

  13. Enter the IP address of the VM (for High Availability enter the network configuration for both VMs).

  14. Enter the default Gateway for the VM's IP address.

  15. Enter the subnet mask for the VM's IP address.

  16. Click Next.

  17. Click Finish.

To deploy the service in North-South in NSX-T 3.0 and higher:

  1. Log in to the NSX-T manager web client > select Security, in the Advanced UI (manager) tab, select Partner Services > Service Instances.

  2. Click Deploy.

  3. Enter an instance name (the description is Optional).

  4. Click on the Partner Service field > select Check Point CloudGuard for NSX-T service.

  5. Select the Deployment Specification esx-01a.corp.local.

  6. Select a logical router (only routers that do not have Service Insertion configured are displayed).

  7. Click Next.

  8. Click on the Compute Manager field and select a compute manager.

  9. Click on the Cluster field and select a cluster.

  10. Click on the Datastore field and select a datastore.

  11. Select a Deployment Mode.

    Standalone / High Availability

  12. Select a Failure Policy. Select either Allow or Block. These options specify the default action when the Service VM does not function.

    Allow - The traffic passes without inspection.

    Block - All traffic is dropped.

  13. Enter the IP address of the VM (for High Availability enter the network configuration for both VMs).

  14. Enter the default Gateway for the VM's IP address.

  15. Enter the subnet mask for the VM's IP address.

  16. Click Next.

  17. Click Finish.

Configuring NSX to Redirect Traffic to the CloudGuard Gateway

This procedure describes the basic steps to configure the redirection rules (see Creating Redirection Rules). For conceptual information, detailed procedures, and explanations of the different objects and options, see the VMware documentation.

After you have successfully deployed a service in your environment, you must enable the redirection rules so that the deployed service (Check Point Gateway) inspects the traffic.

Note - IPv6 is currently not supported for CloudGuard Gateway for NSX-T 2.4.x. Make sure to not redirect IPv6 traffic to the CloudGuard Gateway.

Configuring Traffic Redirection in East-West

Creating a Service Profile

A Service Profile is an instance of a CloudGuard vendor template.

To create a new Service Profile in NSX-T 2.5:

  1. Select Security > Network Introspection (E-W) > Service Profiles.

  2. Select the service to create a profile for, and then click Add Service Profile.

  3. Enter the Service Profile Name.

  4. Select the vendor template. The vendor templates were already created during the service registration. Their purpose is to expose protection levels in the policies.

To create a new Service Profile in NSX-T 3.0 and higher:

  1. Select Security > Network Introspection Settings > Service Profiles.

  2. Select the service to create a profile for, and then click Add Service Profile.

  3. Enter the Service Profile Name.

  4. Select the vendor template. The vendor templates were already created during the service registration. Their purpose is to expose protection levels in the policies.

Creating a Service Chain

A service chain is a logical sequence of service profiles defined by the network administrator.

To create a new Service Chain:

  1. Select Security > Network Introspection (E-W) - OR - Network Introspection Settings > SERVICE CHAINS > ADD CHAIN.

  2. Enter a service chain Name. This field cannot be empty.

  3. Enter a Description of the Service Chain.

  4. Select a Service Segment.

  5. Set the Forward Path with the service profile you created before. Note - You can have more than one service profile in the forward path.

  6. Select a Failure policy.

  7. Click SAVE.

Creating Redirection Rules

You can now define the redirection rule that sends the specified traffic to the CloudGuard Gateway:

  1. Select Security > Network Introspection (E-W) > RULES > Add policy. A Policy section is similar to the Security Policy section. Each section belongs to a single Service Chain, but multiple sections can belong to the same Service Chain. The rules in this section define which traffic is, or is not, redirected to the chain.

  2. Important - Some features, such as HTTPS Inspection, require you to disable the stateful inspection of the packets by the VMware firewall (DFW).

    To change the Stateful setting of the policy:

    1. Click Add Policy.

    2. From the toolbar, click the settings icon.

    3. Change Stateful to No.

  3. Select the Service Chain to which the policy redirects, and then click Add Rule.

    1. Enter a name for the rule.

    2. Choose a Traffic Source. It can be NSGroups, VMs, IP addresses and more.

  4. Select a Traffic Destination. It can be NSGroups, VMs, IP addresses and more.

  5. Select where the policy is applied (the DFW or any groups already created).

  6. Make sure the check box is green. To apply the changes, click Publish.


Configuring Traffic Redirection in North-South

Note - You must allow BFD packets to pass through the Security Gateway for correct functionality of North/South traffic redirection.

Add a rule allowing BFD packets to the Security Management policy.

To configure traffic redirection in NSX-T 2.5:

  1. From Advanced Networking & Security, select Partner Services, and then click the service for which you want to configure traffic redirection.

  2. Go to the Traffic Redirection tab.

  3. Next, add a section. A section is a collection of one or more firewall rules.

    To add a section, select an existing section, and then click Add Section Above or Add Section Below. A new section is created with these settings:

      • The traffic type to be redirected is set to L3 Redirect.

      • The service type is Stateless.

      • The Applied To field is associated with a Tier-0 logical router that is configured on the host.

      After you define rules, the Rules field is auto-populated.

  4. To keep configuration details on the section, click Publish.

  5. To add a rule in that section, select the section and then click Add Rule.

  6. In the rule row, enter these details:

    • Enter a name for the rule.

    • Enter the source and destination of L3 traffic. The partner service VM introspects traffic that flows in from the source before redirecting it to the destination VM.

    • In the Applied To field, select the uplink of Tier-0 router.

    • In the Action field, select Redirect if traffic needs to be introspected by the service VMs. Or select Don't Redirect if traffic does not need to be introspected for North-South introspection.

  7. Each rule can be individually enabled. After you enable a rule, it is applied to the traffic that matches the rule.

  8. To configure the traffic direction and to enable logging, click Advanced Settings.

  9. At the end of a section that contains rules, click Publish to keep the rules in the section or click Revert to cancel the operation.

To configure traffic redirection in NSX-T 3.0 and higher:

  1. From the Advanced UI (manager) tab, select Security > Partner Services, and then click the service for which you want to configure traffic redirection.

  2. Go to the Traffic Redirection tab.

  3. Next, add a section. A section is a collection of one or more firewall rules.

    To add a section, select an existing section, and then click Add Section Above or Add Section Below. A new section is created with these settings:

      • The traffic type to be redirected is set to L3 Redirect.

      • The service type is Stateless.

      • The Applied To field is associated with a Tier-0 logical router that is configured on the host.

      After you define rules, the Rules field is auto-populated.

  4. To keep configuration details on the section, click Publish.

  5. To add a rule in that section, select the section and then click Add Rule.

  6. In the rule row, enter these details:

    • Enter a name for the rule.

    • Enter the source and destination of L3 traffic. The partner service VM introspects traffic that flows in from the source before redirecting it to the destination VM.

    • In the Applied To field, select the uplink of Tier-0 router.

    • In the Action field, select Redirect if traffic needs to be introspected by the service VMs. Or select Don't Redirect if traffic does not need to be introspected for North-South introspection.

  7. Each rule can be individually enabled. After you enable a rule, it is applied to the traffic that matches the rule.

  8. To configure the traffic direction and to enable logging, click Advanced Settings.

  9. At the end of a section that contains rules, click Publish to keep the rules in the section or click Revert to cancel the operation.

Adding redirection rules in NSX-T 2.5:

  1. Go to Security > North South Firewall > Network Introspection (N-S).

    A policy section is similar to a firewall section in that you define rules that determine how traffic flows.

  2. In Redirection To, select the service instance that is registered with NSX-T to perform network introspection of the traffic that flows between the source and destination entities.

  3. To add a policy, click Publish.

  4. Click the vertical ellipsis on a section and click Add Rule.

  5. To add a group by definition of membership criteria, static members, IP/MAC addresses, or active directory groups, edit the Source field. Membership criteria can be defined from one of these types: Virtual Machine, Logical Switch, Logical Port, and IP Set. You can select static members from one of these categories: Group, Segment, Segment Port, Virtual Network Interface, or Virtual Machine.

  6. Click Save.

  7. To add a destination group, edit the Destination field.

  8. In the Applied To field, you can do one of these:

    • Select DFW to apply the rule to all virtual NICs attached to the logical switch.

    • Select VM groups to apply the rule on virtual NICs of member VMs of the group. Members can be selected from a static list or based on dynamic criteria. The supported NSX-T Data Center objects are: Virtual Machine, Logical Switch, Logical Port, IP Set, and more.

  9. In the Action field:

    Select Redirect to redirect traffic along the service instance.

    - OR -

    To not apply network introspection on the traffic, select Do Not Redirect.

  10. Click Publish.

  11. To revert to a published rule, select the rule and then click Revert.

  12. To add a policy, click + Add Policy.

  13. To clone a policy or a rule, select the policy or rule and then click Clone.

  14. To enable a rule, enable the Enable/Disable icon or select the rule and then from the menu click Enable > Enable Rule.

  15. After a rule is enabled or disabled, click Publish to enforce the rule.

Adding redirection rules in NSX-T 3.0 and higher:

  1. Go to Security > Network Introspection (N-S).

    A policy section is similar to a firewall section in that you define rules that determine how traffic flows.

  2. In Redirection To, select the service instance that is registered with NSX-T to perform network introspection of the traffic that flows between the source and destination entities.

  3. To add a policy, click Publish.

  4. Click the vertical ellipsis on a section and click Add Rule.

  5. To add a group by definition of membership criteria, static members, IP/MAC addresses, or active directory groups, edit the Source field. Membership criteria can be defined from one of these types: Virtual Machine, Logical Switch, Logical Port, and IP Set. You can select static members from one of these categories: Group, Segment, Segment Port, Virtual Network Interface, or Virtual Machine.

  6. Click Save.

  7. To add a destination group, edit the Destination field.

  8. In the Applied To field, you can do one of these:

    • Select DFW to apply the rule to all virtual NICs attached to the logical switch.

    • Select VM groups to apply the rule on virtual NICs of member VMs of the group. Members can be selected from a static list or based on dynamic criteria. The supported NSX-T Data Center objects are: Virtual Machine, Logical Switch, Logical Port, IP Set, and more.

  9. In the Action field:

    Select Redirect to redirect traffic along the service instance.

    - OR -

    To not apply network introspection on the traffic, select Do Not Redirect.

  10. Click Publish.

  11. To revert to a published rule, select the rule and then click Revert.

  12. To add a policy, click + Add Policy.

  13. To clone a policy or a rule, select the policy or rule and then click Clone.

  14. To enable a rule, enable the Enable/Disable icon or select the rule and then from the menu click Enable > Enable Rule.

  15. After a rule is enabled or disabled, click Publish to enforce the rule.

Manually Creating CloudGuard Objects

This procedure is not necessary if you use East-West and already enabled Automatic Provisioning of CloudGuard objects.

Step 1: Create a network object to represent the gateway:

  1. In SmartConsole, select Objects Explorer > More Object Types > Network Objects > Gateways and Servers > Gateway. The Check Point Security Gateway Creation window opens.

  2. Select Classic mode.

  3. In the Gateway properties box, enter a Name for the cluster.

  4. Enter the IP address.

  5. Click Communication, and then enter the SIC internal communication password.

  6. Click Initialize. Wait for the Trust state to change to Trust established.

  7. In General Properties, select Network Security. Change the platform to R80.30.

  8. In General Properties, select the Network Security tab, and then select the Software Blades.

Note - Before you add a CloudGuard Gateway instance to the CloudGuard cluster, make sure that the Date, Time and Time zone settings are synchronized between the Smart Center and the CloudGuard Gateway.

Step 2: Configure the topology of the gateway:

  1. From the Objects Explorer, click in the Search box, and then enter the name of the gateway.

  2. Double-click the gateway object. The Gateway Properties window opens.

  3. Select Network Management [+]. The eth0 interface appears.

    1. Select Network defined by the interface IP and Net Mask.

    2. Select Do not perform Anti-Spoofing based on interface topology.
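Steps 1 and 2 above can also be done through the Check Point Management API instead of SmartConsole. The following script is an added example, not code from the guide or from Check Point: it creates the gateway object with the SIC one-time password, sets the eth0 topology to "Network defined by the interface IP and Net Mask" with anti-spoofing disabled as the procedure specifies, publishes the session, and reads back the SIC status. The server address, credentials and IP addresses are constructed placeholders; the add-simple-gateway field names follow the R80.x Management API as the author understands it, and the sic-status field read from show-simple-gateway is an assumption.

```python
"""Management API equivalent of "Manually Creating CloudGuard Objects" (added example)."""
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

# A transport sends one API command with headers and returns the parsed JSON
# response. Injecting it lets the same workflow run against a real server
# (http_transport) or a test double, so the request sequence can be verified.
Transport = Callable[[str, Dict[str, Any], Dict[str, str]], Dict[str, Any]]


def http_transport(server: str) -> Transport:
    """Transport that POSTs to https://<server>/web_api/<command>."""
    # TLS verification stays on: add the management server's CA to the trust
    # store instead of disabling certificate checks.
    ctx = ssl.create_default_context()

    def call(command: str, payload: Dict[str, Any], headers: Dict[str, str]) -> Dict[str, Any]:
        req = urllib.request.Request(
            f"https://{server}/web_api/{command}",
            data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json", **headers},
            method="POST",
        )
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())

    return call


def gateway_payload(name: str, ip: str, sic_otp: str, iface_name: str, iface_ip: str,
                    iface_mask: str, version: str = "R80.30",
                    anti_spoofing: bool = False) -> Dict[str, Any]:
    """Body for add-simple-gateway. The interface block mirrors Step 2:
    internal topology, network defined by the interface IP and net mask,
    anti-spoofing off (the value the procedure above selects)."""
    return {
        "name": name,
        "ip-address": ip,
        "version": version,                # Step 1.7: platform R80.30
        "one-time-password": sic_otp,      # Step 1.5: SIC activation key
        "firewall": True,                  # Step 1.8: Network Security blade
        "interfaces": [{
            "name": iface_name,            # Step 2.3: eth0
            "ip-address": iface_ip,
            "network-mask": iface_mask,
            "anti-spoofing": anti_spoofing,
            "topology": "internal",
            "topology-settings": {
                "ip-address-behind-this-interface":
                    "network defined by the interface ip and net mask",
            },
        }],
    }


def create_cloudguard_gateway(transport: Transport, user: str, password: str,
                              gw: Dict[str, Any]) -> Dict[str, Any]:
    """login -> add-simple-gateway -> show-simple-gateway -> publish -> logout.

    Returns the SIC status reported right after creation (assumed field
    'sic-status'; it only becomes 'communicating' once the gateway side has
    initialized SIC) and every (command, payload) pair sent, with the login
    password redacted, so the change can be audited."""
    sent: List[Tuple[str, Dict[str, Any]]] = []

    def call(command: str, payload: Dict[str, Any], sid: str = "") -> Dict[str, Any]:
        headers = {"X-chkp-sid": sid} if sid else {}
        sent.append((command, {"user": user} if command == "login" else payload))
        return transport(command, payload, headers)

    sid = call("login", {"user": user, "password": password})["sid"]
    try:
        call("add-simple-gateway", gateway_payload(**gw), sid)
        status = call("show-simple-gateway", {"name": gw["name"]}, sid).get("sic-status", "unknown")
        call("publish", {}, sid)           # nothing is saved until publish succeeds
    finally:
        call("logout", {}, sid)
    return {"sic-status": status, "sent": sent}


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own environment.
    result = create_cloudguard_gateway(
        http_transport("mgmt.example.invalid"), "admin", "REPLACE-ME",
        dict(name="CG-GW-1", ip="192.0.2.10", sic_otp="REPLACE-ME",
             iface_name="eth0", iface_ip="192.0.2.10", iface_mask="255.255.255.0"),
    )
    print(result["sic-status"])
```

The returned `sent` list is the record of what was pushed; keeping the password out of it means the list can be logged as a change ticket attachment. After the gateway side completes SIC initialization, re-run show-simple-gateway (or check the Trust state in SmartConsole as in Step 1.6) before installing policy.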

Multi-Tenancy Support

CloudGuard supports multi-tenant protection on ESXi. This means it can protect multiple customers or organizations as well as departments or business units that share the same ESXi cluster.

Depending on the requirements, these solutions may provide multi-tenant protection:

  1. Dedicated cluster for each tenant. Each tenant's traffic is handled by a single service deployed on the cluster. This enforces the Security Policy that applies to the security groups for the specific tenant.

  2. Tenants share the same cluster. This solution requires a service registration for each tenant, and each tenant is managed through a different service. To control the traffic redirection of each tenant, create separate security groups for each tenant.

To configure multiple services on a cluster:

  1. Register a new service with a unique name that identifies the tenant.

  2. Deploy the service on the required cluster. A service instance is added to each host in the cluster.

  3. Create a new security group for the tenant. Include all objects that require protection.

  4. Redirect each tenant's traffic through the designated service.

Configuring Identity Awareness in CloudGuard

Configure CloudGuard to use Identity Awareness so that Security Group details appear in the CloudGuard logs. See Activating the Identity Awareness Blades. If you do not have the Identity Awareness blade enabled, then enable Terminal Servers.

To enable Terminal Servers:

  1. If there is no host object with the IP address 127.0.0.1, then create one.

  2. From SmartConsole, select Gateways & Servers.

  3. Double-click the CloudGuard Gateway. The Gateway Properties > General Properties window opens.

  4. In the Network Security tab, enable the Identity Awareness Software Blade. The Identity Awareness Configuration window opens.

  5. Select Terminal Servers only, and then click Next.

  6. Select I do not wish to configure an Active Directory at this time > Next > Finish.

  7. In the Identity Awareness tab, select Identity Web API > Settings. The Identity Web API Settings window opens.

  8. Click Edit.

  9. In the Accessibility tab, select Through all interfaces, and then click OK.

  10. In Authorized Client, add the host object with the IP address 127.0.0.1.

  11. Click Generate > OK.

  12. Install policy.

Configuring the Anti-Virus Policy

To use the Anti-Virus Software Blade in CloudGuard for NSX, create a new profile in SmartConsole (this is the profile that is used in the Threat Prevention Policy).

  1. Select the Security Policies tab.

  2. Click Threat Prevention > Custom Policy Tools > Profiles.

  3. Select the profile > Edit.

  4. Click Anti-Virus > Protected Scope > Inspect incoming and outgoing files.

Configuring HTTPS Inspection

To use the HTTPS Inspection Blade in CloudGuard IaaS for NSX, see the R80.30 Threat Prevention Administration Guide, "Configuring HTTPS Inspection".

Notes:

  • To create redirection rules for HTTPS Inspection, see the steps in Creating Redirection Rules. Make sure the policy is not Stateful.

  • NSX-T's design does not let you configure HTTPS Inspection for VMs in the same Security Group.

Advanced Configurations

To use the advanced configurations, use the autoprov_cfg utility.

See the "Using the autoprov_cfg Command Line Configuration utility" section in the Cloud Management Extension R80.10 and Higher Administration Guide.