Connecting Gateways and Clusters

Connecting a Security Gateway/CloudGuard Network Security Gateway

  1. From the left navigation panel, click Connect Gateways.

  2. Click the large plus icon.

    The Register Gateway window opens.

    Note - The server checks if there are existing gateway objects in the database.

    For existing gateway objects, the server prompts:

    Do you want to create a new gateway object, or use an existing gateway

  3. Create a new Gateway:

    1. In the Gateway Name field, enter a name for this object.

    2. Optional: Add relevant information in the Comment field.

    3. To configure the Security Gateway with a static IP address, select the Use a main static IP address check box.

      You can configure the Security Gateway object in Smart-1 Cloud with a static IP address as the main IP address (similar to configuring a Security Gateway from an on-premises Security Management Server).

      When you configure the Security Gateway object with a Tunnel IP address, management traffic, control connections, and Smart-1 Cloud tenant communications use this main static IP address through the maas_tunnel interface.

      Note - We recommend using a static IP address when available, unless configuring an SD-WAN Gateway.

      This simplifies configuration for features such as UserCheck, NAT rules, and VPN configuration.

      If the Security Gateway object already exists with a Tunnel IP address, use these steps to change it to a static IP address:

      1. Open SmartConsole or Streamed SmartConsole.

      2. Change the IP address in the Security Gateway object properties to the static IP address.

      3. Click OK.

      4. Reopen the Security Gateway object and click Test SIC Status to verify SIC communication.

    4. Click Register.

      This creates a new Security Gateway object with the name you entered.

    5. Click Connect Gateway.

      • For an on-premises Security Gateway, follow the on-screen instructions to complete the connection.

        Note - Connecting a new Security Gateway involves two steps:

        1. Connect the Security Gateway to the service by performing the required steps on the Security Gateway as instructed.

          When complete, the status in the portal shows: Pending SIC.

        2. Connect the Security Management Server to the Security Gateway by logging into SmartConsole and establishing SIC between the Security Management Server and Security Gateway. When complete, the portal shows Registration complete.

      • For a CloudGuard Network Security Gateway:

        1. Copy the Token from the Connect Gateway screen.

        2. In the Security Gateway deployment template:

          1. Paste the Token into the appropriate field.

          2. Complete all other required fields and start the deployment.

          3. When Security Gateway deployment completes:

            1. A tunnel is established between the Security Gateway and Smart-1 Cloud.

            2. The Security Gateway status changes to Pending trust (SIC) establishment.

        3. Connect to SmartConsole, open the new Security Gateway object, initialize SIC, and publish the session.

        Note - Connecting CloudGuard Security Gateway is supported across all major public cloud providers (AWS, Azure, GCP).

To use an Existing Security Gateway:

  1. Select the Security Gateway you want to use.

    Note - The object's IP address is changed to an IP address from one of these service-allocated subnets:

    • 100.64.x.x

    • 100.70.x.x

    • 100.71.x.x

    • 100.100.x.x

    • 100.101.x.x

    A new card is created with instructions for connecting the Security Gateway to the service.

  2. Click Connect Gateway and follow the instructions to complete the connection.

    When you connect an existing Security Gateway to the service, you must perform the connection steps on the gateway side. When this process completes, the portal status shows: Registration complete. Do not restart the SIC between the Management Service and the Security Gateway unless you changed the SIC on the Security Gateway.

Connecting a Cluster

  1. In SmartConsole or Web SmartConsole:

    1. From the left navigation panel, click Gateways & Servers.

      Create a new Cluster object. Make sure to select the Classic mode and not the Wizard mode.

      If you already have a configure cluster, open the existing Cluster object.

      Note - You must manually enter the Cluster Virtual IP address. Do not use IP addresses from these subnets:

      • 100.64.x.x

      • 100.70.x.x

      • 100.71.x.x

      • 100.100.x.x

      • 100.101.x.x

    2. Create the cluster members:

      1. Navigate to Cluster Members.

      2. Click Add > Add New Cluster Member.

      3. Enter the cluster member name.

      4. Enter a temporary IP address (this IP address will change automatically later).

    3. Repeat the cluster member creation process for all Cluster Members.

    4. Click OK.

    5. Publish the SmartConsole session.

  2. In Smart-1 Cloud:

    1. From the left navigation panel, click Connect Gateways.

    2. Click the large plus icon. The Register Security Gateway window opens.

    3. Select Use an existing Gateway object.

    4. Select one of cluster members from the list and click Register.

    5. A Gateway card is created.

      Example:

    6. Click Connect Gateway and follow the instructions:

      1. In SmartConsole - Initialize SIC to the Cluster Member.

      2. In SmartConsole - Publish the SmartConsole session.

    7. Repeat the registration process for all remaining Cluster Members.

  3. In SmartConsole or Streamed SmartConsole:

    1. From the left navigation panel, click Gateways & Servers.

    2. Open the Cluster Object.

    3. Navigate to the Network Management tab.

    4. Click Get Interfaces > Get Interfaces With Topology.

    5. Click the MaaS Tunnel interface, and in General > Network Type section, select Private.

    6. On the same MaaS Tunnel settings page, in Advanced > Monitoring section, make sure the Monitored Interface check box is cleared.

    7. Finalize the topology definitions for the cluster.

    8. Install the policy.

  1. In the Smart-1 Cloud portal, for each Cluster member:

    1. Click Connect Gateways on the left navigation panel.

    2. Click the large plus icon. The Register Gateway window opens.

    3. In the Gateway Name field, enter a name for this object.

      Optional: In the Comment field, add relevant information.

    4. Click Register.

      This creates a new Security Gateway object in the Service with the name you entered.

    5. Click Connect Gateway.

    6. Copy the Token from the Connect Gateway screen.

  2. In the Security Cluster deployment template:

    1. Paste the Tokens you copied from the Smart-1 Cloud portal for each member into the appropriate fields in the deployment template.

    2. Fill in all remaining fields in the template and start the deployment.

    3. When the CloudGuard Network Security Gateway deployment completes:

      1. A tunnel is established between the Security Gateway and the Smart-1 Cloud.

      2. The status of the Security Gateway changes to Pending trust (SIC) establishment.

  3. In SmartConsole or Web SmartConsole:

    Follow the administration guide specific to your deployed solution to configure the Cluster object and Cluster members in SmartConsole.

    Notes::

    • When you enter the Cluster Virtual IP address, do not use IP addresses from these subnets:

      • 100.64.x.x

      • 100.70.x.x

      • 100.71.x.x

      • 100.100.x.x

      • 100.101.x.x

    • When you add cluster members to the cluster object, use the existing members created in step 1.

Onboarding a new Quantum appliance using Zero Touch deployment

Follow these steps to deploy a new appliance in Zero Touch mode and configure it as a Security Gateway or Cluster Member.

  1. Remove your new appliance from the shipping carton, connect the power cable, and turn on the appliance.

  2. Wait for the light on one of the network interface ports to start blinking, then:

    • If you have a DHCP server:

      Connect the network cable to the blinking interface port.

      Make sure this connection leads to the environment with a working DHCP server.

    • If you do not have a DHCP server:

      Configure an interface with the appropriate networking settings:

      1. Connect to the command line on the appliance.

      2. In Expert mode, disable Zero Touch DHCP:

        /opt/CPzetc/bin/zetc_setlaunch 0

      3. In Gaia Clish, configure the IP address:

        set interface <Name of Interface> on

        set interface <Name of Interface> ipv4-address <IPv4 Address> mask-length <Subnet Mask Length>

      4. In Gaia Clish, configure the default route:

        set static-route default nexthop gateway address 192.168.1.254 off

        set static-route default nexthop gateway address <IPv4 Address> on

      5. In Gaia Clish, configure DNS servers:

        set dns primary <IPv4 Address>

        set dns secondary <IPv4 Address>

        set dns tertiary <IPv4 Address>

      6. In Gaia Clish, save the configuration:

        save config

      7. Plug the network cable into the configured interface port.

  3. Go to the Connect Gateways page in the Smart-1 Cloud portal.

  4. Wait for your appliance to appear (this typically takes 2-3 minutes).

    Note - If your appliance does not appear, check the Service and Contract page.

  5. Click on your appliance's card, enter the required information, and click OK.

    To replace an existing Security Gateway, click the arrow next to the Configure Device button.

  6. Follow the on-screen instructions in the portal.

  7. After the card status changes to Registration completed, you can configure your new Security Gateway in SmartConsole.

Connecting a Quantum Spark Appliance

To connect Quantum Spark appliance to Smart-1 Cloud, follow these steps:

  1. Connect to the Quantum Spark WebUI, navigate to the Security Management tab, and click Setup.

  2. Select the Use Security Management service checkbox and click Next.

  3. Click Use the Infinity Portal to generate a new authentication token and add the token.

  4. Wait for the status to change to: "Connected successfully to the Security Management Server", then click Next.

  5. Set the one-time password and click Next:

  6. Select Connect to the Security Management Server Later and click Finish.

    You can see in the WebUI that the appliance is waiting for a connection from the Security Management Server.

  7. In SmartConsole, open the Security Gateway object and verify that the Hardware type is correct.

  8. Enter a one-time password, select the Initiate trusted communication now checkbox and click Initialize.

  9. Save the object in SmartConsole and publish the changes.

Connecting a Maestro Security Group

Important - This procedure only supports Maestro Security Groups running R81.10 and higher versions.

  • Smart-1 Cloud does not support Maestro Security Groups in VSX mode.

  • The SMO Image Cloning is not supported if the Security Group (R81.10 and higher) contains different appliance models.

  • DAIP is not supported.

  1. On the Maestro Orchestrator, configure the required Security Group using Gaia Portal or Gaia Clish.

    See the Quantum Maestro Getting Started Guide and the Maestro Administration Guide for your version.

    Important - Write down the IP address of the Security Group for later configuration in Smart-1 Cloud.

  2. Install the required Hotfixes on the Security Group (see sk181495 for details).

  3. Connect to the Smart-1 Cloud Portal (see Getting Started with Smart-1 Cloud for details).

    1. Add the Security Group as a new Security Gateway object:

      1. From the left navigation panel, click Connect Gateways.

      2. Click the large plus icon.

        The Register a New Security Gateway window opens.

        Note - The server detects if there are existing gateway objects in the database.

        For existing gateway objects, the server asks:

        Do you want to create a new gateway object, or use an existing gateway

      3. Create a New Gateway object:

        1. In the Gateway Name field, enter a name for this object.

        2. Optional: Add relevant information in the Comment field.

        3. Select Configure as Maestro.

        4. In the IP address field, enter the IP address of the Security Group as configured on the Maestro Orchestrator (this is the IP address assigned to the Mgmt interface of the Security Group).

        5. Click Register.

          This creates a new Security Gateway object in the Service with the name you entered.

        6. Click Connect Gateway and follow the instructions to complete the connection.

          Note - Connecting a new Security Gateway involves two steps:

          1. Connect the Security Gateway to the service by performing the required steps on the Security Gateway as instructed. When complete, the status in the portal shows: Pending SIC.

          2. Connect the Security Management Server to the Security Gateway by logging into SmartConsole and establishing SIC between the Security Management Server and Security Gateway. When complete, the portal shows Registration complete.

  4. Connect with SmartConsole to the Smart-1 Cloud Portal (see Log in to SmartConsole for more information).

  5. From the left navigation panel, click Gateways & Servers.

  6. Open the Security Gateway object for this Maestro Security Group.

  7. From the left, click the General Properties page.

  8. Establish SIC:

    1. In the Secure Internal Communication field, click Communication.

    2. Enter the one-time password you configured on the Maestro Orchestrator when you created the Security Group.

    3. Click Initialize.

    4. Click OK.

  9. Publish the session.

  10. Install the Access Control policy on the Security Gateway object.

  11. Install the Threat Prevention policy on the Security Gateway object.

  • Before adding a new Security Group Member to the Security Group that is connected to Smart-1 Cloud (while the "maas_tunnel" is active and working), install the required Hotfixes on that Security Group Member.

  • To check the Smart-1 Cloud connection status on all Security Group Members:

    • In Gaia gClish:

      1. Connect to the command line on the Security Group.

      2. If your default shell is the Expert mode, go to Gaia gClish:

        gclish

      3. Run:

        show security-gateway cloud-mgmt-service

    • In Expert mode:

      1. Connect to the command line on the Security Group.

      2. If your default shell is Gaia gClish, go to the Expert mode:

        expert

      3. Run:

        maas status

  • To disable the Smart-1 Cloud connection on the Security Group:

    • In Gaia gClish:

      1. Connect to the command line on the Security Group.

      2. If your default shell is the Expert mode, go to Gaia gClish:

        gclish

      3. Run:

        set security-gateway cloud-mgmt-service off

    • In the Expert mode:

      1. Connect to the command line on the Security Group.

      2. If your default shell is Gaia gClish, go to the Expert mode:

        expert

      3. Run:

        maas off

  • To enable the Smart-1 Cloud connection on the Security Group again:

    • In Gaia gClish:

      1. Connect to the command line on the Security Group.

      2. If your default shell is the Expert mode, go to Gaia gClish:

        gclish

      3. Run:

        set security-gateway cloud-mgmt-service on

    • In the Expert mode:

      1. Connect to the command line on the Security Group.

      2. If your default shell is Gaia gClish, go to the Expert mode:

        expert

      3. Run:

        maas on