Configure Cloud Management Extension (CME)

Downloading and Installing the Latest CME Version

To download and install the CME (Cloud Management Extension) on the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. or Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., see sk157492.

Configuring the CME on the Security Management Server

The instructions below contain information about how to configure a VMSS environment in CME. For more information about CME configurations, see the "Overview" section in the Cloud Management Extension Administration Guide.

Configure CME on the Security Management Server in SmartConsole (recommended)

CME is integrated into SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., Web , and Smart-1 Cloud starting from:

SmartConsoleR82 SmartConsole Releases Build 1055
R81.20 SmartConsole Releases Build 663
Web SmartConsole Take 128
CME Take 297

This integration facilitates cloud-native connectivity between Check Point CloudGuard Network solutions and various cloud platforms.

To configure an Azure account in CME and create configuration templates with SmartConsole, go to Manage & Settings > CloudGuard Network. Then, follow the steps described in the Cloud Management Extension Administration Guide.

Configure CME on the Security Management Server with CME API (recommended)

With CME Management API you can configure the CME tool.

API Documentation:

SwaggerHub: CME API
Postman Collection: CME API Postman collection

Prerequisites:

CME Take 139 or higher installed on the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..
Management API version 1.8 or higher installed on the Security Management Server (see the Check Point Management API Reference (at the top, select the correct version) ).

To configure Security Management Server during the CloudGuard Network Security Gateway

Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. for Azure VMSS deployment:

Send a PUT request:

PUT https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/management

Request body parameters:

Parameter Name	Description
`name`	Your Azure account name (for example, "my-management").

This operation returns "status-code": 200.

To configure CME Azure account (controller) on the Security Management Server:

With Microsoft Entra ID and Service Principal:

Send a POST request:

POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/accounts/azure

Request body parameters:

Parameter Name	Description
`name`	Azure account name.
`subscription`	Azure subscription ID.
`directory_id`	The Azure Active Directory tenant ID.
`application_id`	The service principal's client ID value.
`client_secret`	The service principal's client secret value.
`deletion_tolerance`	The number of cycles until a Gateway object in SmartConsole is deleted.

This operation returns "status-code": 200.

With Azure IAM (starting from CME API v1.2.3):

Prerequisite: Security Management Server virtual machine is using a system-assigned managed identity.

Send a POST request:

POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/accounts/azure

Request body parameters:

Parameter Name	Description
`name`	Azure account name.
`subscription`	Azure subscription ID.
`iam`	Enable/disable IAM. Must be set to `true`.
`deletion_tolerance`	The number of cycles until a Gateway object in SmartConsole is deleted.
`domain`	Specify the domain name or the domain UID that manages this controller. This parameter is mandatory for Multi-Domain Security Management Server environments with more than one domain configured.
`environment`	An optional attribute that specifies Azure's environment type. The possible values are: AzureCloud (default) AzureChinaCloud AzureUSGovernment

This operation returns "status-code": 200.

To configure CME Azure template (gateway-configuration) on the Security Management Server:

Send a POST request:

POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.3/gwConfigurations/azure

Request body parameters:

Parameter Name	Description
`name`	Unique configuration template name for identification.
`version`	The Security Gateway version.
`base64_sic_key`	Key for trusted communication between Security Management Server and Security Gateway. A base64-encoded string, the decoded string have to be between 8 and 30 alphanumeric characters.
`policy`	Policy name to be installed on the Security Gateway.
`related_account`	Azure account to associate with the Security Gateway Configuration.
`blades`	Blades to activate/deactivate on the Security Gateway.
`identity_awareness_settings`	Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. settings that can be configured on the Security Gateway.
`repository_gateway_scripts`	A name or UID of a script that exists in the scripts repository on the Security Management Server.
`x_forwarded_for`	Enable XFF headers in HTTP / HTTPS requests.
`section_name`	Name of a rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. section in the Access and NAT layers in the policy, where to insert the automatically generated rules.
`color`	Color of the Security Gateway objects in SmartConsole.
`communication_with_servers_behind_nat`	"Gateway behind NAT" communications settings with the Check Point Servers(Management, Multi-Domain, Log Servers).
`ipv6`	Enable IPv6 for Azure VMSS.
`send_logs_to_server`	Names of Primary Log Servers to which logs are sent.
`send_logs_to_backup_server`	Names of Backup Log Servers to which logs are sent when Primary Log Servers are not available.
`send_alerts_to_server`	Names of Alert Log Servers to which alerts are sent.

This operation returns "status-code": 200.

To configure CME on the Security Management Server with autoprov-cfg (not recommended)

Step

Description

Connect to the command line on the Security Management Server.

Execute this command (see the explanation of parameters):

Run:

autoprov_cfg init Azure -mn "<Management-Name>" -tn "<Configuration-Template-Name>" -otp "<SIC-key>" -ver <Version> -po "<Policy-Name>" -cn "<Controller-Name>" -sb "<Azure-Subscription>" -at "<Active-Directory-Tenant-ID>" -aci "<Client-ID>" -acs "<Client-Secret>"

Example:

autoprov_cfg init Azure -mn "my-management" -tn "my-configuration-template" -otp "MySICkey123" -ver R81.20 -po "Standard" -cn "Azure-Production" -sb "98e34f37-ece4-4cdc-97dc-44a074f84aff" -at "7113cebb-911c-4122-aa5c-34db449380f7" -aci "82fb1445-f40e-46dc-9cd3-c065e14f132b" -acs "xxx="

When this message shows, type yes and press Enter to apply the modifications:

Would you like to restart the service now?

Confirm the configuration:

service cme test

Every controller in the configuration has to have unique credentials.

Follow the instructions in the Enabling and Disabling Software Blades section in the Cloud Management Extension Administration Guide.

Parameters

Important - The exact values that you select, must be typed exactly when you deploy the VMSS. Make sure to write them down and enter them correctly. Otherwise, the components cannot communicate with each other.

Parameter

Description

Example

"<Management-Name>"

Select a descriptive name.

When you deploy the Check PointVMSS with this name, the Check PointSecurity Management Server identifies and automatically provisions it.

"my-management"

"<Configuration-Template-Name>"

Configurations that automatically provision the Security Gateways in the VMSS are found in this template.

When you deploy the Check PointVMSS with this template name, it references the relevant set of configurations to apply to it.

Therefore, you can maintain multiple sets of configurations and associate them with different VMSS that are managed by the Security Management Server.

"my-configuration-template-for-x"

"<SIC-key>"

Select a random key that has at least 8 alphanumeric characters.

"MySICkey123"

<Version>

The Security Gateway version.

R8X.XX

"<Policy-Name>"

The name of the policy to install.

The name of this policy has to be the exact same name of the policy in SmartConsole.

"Standard"

"<Controller-Name>"

Select a name that represents the controller.

The controller name includes configurations for your Azure environment, such as the subscription ID and application ID.

You can maintain different controllers to automatically provision different Cloud environments, with the Security Management Server.

"Azure-Production"

"<Azure-Subscription>"

The Azure subscription ID that deploys the CloudGuard Security Gateways.

"98e34f37-ece4-4cdc-97dc-44a074f84aff"

"<Active-Directory-Tenant-ID>"

The Azure directory tenant ID.

"7113cebb-911c-4122-aa5c-34db449380f7"

"<Client-ID>"

The application ID.

"82fb1445-f40e-46dc-9cd3-c065e14f132b"

"<Client-Secret>"

The application key.

Note - This value is not readable in the configuration.