Configure Cloud Management Extension (CME)
Downloading and Installing the Latest CME Version
To download and install the CME (Cloud Management Extension) on the Management Server
Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. or Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., see sk157492.
Configuring the CME on the Security Management Server
The instructions below contain information about how to configure a VMSS environment in CME. For more information about CME configurations, see the "Overview" section in the Cloud Management Extension Administration Guide.
Configure the CME on the Security Management Server with CME API (recommended)
With CME Management API you can configure the CME tool.
API Documentation:
-
SwaggerHub: CME API
-
Postman Collection: CME API Postman collection
Prerequisites:
-
CME Take 139 or higher installed on the Security Management Server
Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.. -
Management API version 1.8 or higher installed on the Security Management Server (see the Check Point Management API Reference).
- To configure Security Management Server during the CloudGuard Network Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. for Azure VMSS deployment:
Send a PUT request:
PUT https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/management
Request body parameters:
Parameter Name
Description
nameYour Azure account name (for example, "my-management").
This operation returns
"status-code": 200. -
To configure CME on the Security Management Server:
-
With Azure IAM:
Prerequisite: Security Management Server virtual machine is using a system-assigned managed identity.
Send a POST request:
POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/azure
Request body parameters:
Parameter Name
Description
nameYour Azure account name.
subscriptionThe resource group containing your Security Management Server.
iamEnable/disable IAM. Must be set to
true.This operation returns
"status-code": 200. -
With Microsoft Entra ID and Service Principal:
Send a POST request:
POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/azur
Request body parameters:
Parameter Name
Description
nameYour Azure account name.
subscriptionThe resource group containing your Security Management Server.
directory_idThe Azure Active Directory tenant ID.
application_idThe service principal's client ID value.
client_secretThe service principal's client secret value.
This operation returns
"status-code": 200.
-
-
To configure gw_conf:
Send a POST request:
POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/gwConfigurations/azure
Request body parameters:
Parameter Name
Description
nameThe name of the relevant set of VMSS configurations to apply (for example, "my-configuration-template-for-x").
base64_sic_keyA random value that has at least 8 alphanumeric characters (for example, "MySICkey123").
versionThe Security Gateway version.
policyThe name of the policy to install (for example, "Standard").
To configure the CME on the Security Management Server with autoprov-cfg
|
Step |
Description |
||
|---|---|---|---|
|
1 |
Connect to the command line on the Security Management Server. |
||
|
2 |
Log in to the Expert mode. |
||
|
3 |
Execute this command (see the explanation of parameters): Run:
Example:
|
||
|
4 |
When this message shows, type yes and press Enter to apply the modifications:
|
||
|
5 |
Confirm the configuration:
Every controller in the configuration has to have unique credentials. |
||
|
6 |
Follow the instructions in the Enabling and Disabling Software Blades section in the Cloud Management Extension Administration Guide. |
Parameters
|
|
Important - The exact values that you select, must be typed exactly when you deploy the VMSS. Make sure to write them down and enter them correctly. Otherwise, the components cannot communicate with each other. |
|
Parameter |
Description |
Example |
||
|---|---|---|---|---|
|
|
Select a descriptive name. When you deploy the Check PointVMSS with this name, the Check PointSecurity Management Server identifies and automatically provisions it. |
|
||
|
|
Configurations that automatically provision the Security Gateways in the VMSS are found in this template. When you deploy the Check PointVMSS with this template name, it references the relevant set of configurations to apply to it. Therefore, you can maintain multiple sets of configurations and associate them with different VMSS that are managed by the Security Management Server. |
|
||
|
|
Select a random key that has at least 8 alphanumeric characters. |
|
||
|
|
The Security Gateway version. |
|
||
|
|
The name of the policy to install. The name of this policy has to be the exact same name of the policy in SmartConsole |
|
||
|
|
Select a name that represents the controller. The controller name includes configurations for your Azure environment, such as the subscription ID and application ID. You can maintain different controllers to automatically provision different Cloud environments, with the Security Management Server. |
|
||
|
|
The Azure subscription ID that deploys the CloudGuard Security Gateways. |
|
||
|
|
The Azure directory tenant ID. |
|
||
|
|
The application ID. |
|
||
|
|
The application key.
|
|
