Connecting Gateways and Clusters
Connecting a Security Gateway/CloudGuard Network Security Gateway
-
From the left navigation panel, click Connect Gateways.
-
Click the large plus icon.
The Register Security Gateway window opens.
Note - The server detects if there are existing gateway objects in the database.
For existing gateway objects, the server asks:
Do you want to create a new gateway object, or use an existing gateway
-
Create a New Gateway:
-
In the Gateway Name field, enter the name for this object.
-
Optional: In the Comment field, enter the applicable text.
-
To configure the Security Gateway with a static IP address, check the Use a main static IP address checkbox.
You can configure the Security Gateway object in Smart-1 Cloud with a static IP address as the main IP address (in the same way as when you manage a Security Gateway from an on-premises Management Server).
When you configure the Security Gateway object with a Tunnel IP, management traffic, control connections and Smart-1 Cloud tenant communicate to that main static IP address through the maas_tunnel interface.
Note - We recommend configuring the main static IP address if you have a static IP address and it is not an SD-WAN Gateway.
This approach simplifies the configuration for functions such as UserCheck, NAT rules, and VPN configuration.
If the Security Gateway object already exists with a tunnel IP, use these steps to change it to a static IP:
-
Click Register.
This creates a new Security Gateway object in the Service with the name that you entered.
-
Click Connect Gateway.
-
For an on-premises Security Gateway, follow the instructions to complete the connection.
Note - The connection of a new Security Gateway includes two steps:
-
Connect the Security Gateway to the service.
Here, it is necessary to perform a step on the Security Gateway (according to the instructions) to connect the Gateway to the service.
When the process is finished, the status in the portal shows: Pending SIC.
-
Connect the Management to the Security Gateway.
After you connect to the service, log in to SmartConsole and start the SIC between the Management and Gateway.
The portal shows Registration complete.
-
-
For a CloudGuard Network Security Gateway:
-
Copy the Token from the Connect Gateway screen.
-
In the Security Gateway deployment template:
-
Paste the Token into the applicable field in the deployment template.
-
Complete all other fields in the template and start the deployment.
-
When the CloudGuard Security Gateway deployment completes:
-
A tunnel is established between the Security Gateway and the Smart-1 Cloud.
-
The status of the Security Gateway changes to Pending trust (SIC) establishment.
-
-
-
Connect to SmartConsole, open the new Security Gateway object, init SIC, and publish the session.
-
-
-
To use an Existing Security Gateway:
-
Select the Security Gateway you would like to use.
Note - The object's IP address is changed to an IP address from the service allocated subnets below:
100.64.0.0/16
100.70.0.0/16
100.71.0.0/16
100.100.0.0/16
100.101.0.0/16
A new card is created with instructions about how to connect the Security Gateway to the service.
-
Click Connect Gateway and follow the instructions to complete the connection.
When you connect an existing Security Gateway to the service, you must (on the gateway side) connect the gateway to the service. When this process completes, the status in the portal shows: Registration complete. Do not restart the SIC between the Management Service and the Security Gateway (unless you changed the SIC on the Security Gateway).
Connecting a Cluster
-
In SmartConsole or Web SmartConsole:
-
From the left navigation panel, click Gateways & Servers.
Create a new Cluster object. Make sure to select the Classic mode (and not the Wizard mode).
If you already have a cluster configured, open the existing Cluster object.
The Cluster Virtual IP address is not populated automatically. It is necessary to enter the Cluster Virtual IP address.
Make sure not to give an IP address from this subnet: 100.64.x.x
-
Create the cluster members:
-
Navigate to Cluster Members.
-
Click Add > Add New Cluster Member.
-
Enter the cluster member name.
-
Enter a dummy IP address (later, this IP address changes automatically).
-
-
Perform steps 1-b and 1-c again for all Cluster Members.
-
Click OK.
-
Publish the SmartConsole session.
-
-
In Smart-1 Cloud:
-
From the left navigation panel, click Connect Gateways.
-
Click the large plus icon. The Register Security Gateway window opens.
-
Select Use an existing Gateway object.
-
Select one of the cluster members from the list and click Register.
-
A Gateway card is created.
-
Click Connect Gateway and follow the instructions.
-
In SmartConsole - Initiate SIC to the Cluster Member.
-
In SmartConsole - Publish the SmartConsole session.
-
-
Perform steps 2-b - 2-d again for other Cluster Members.
-
-
In SmartConsole or Streamed SmartConsole:
-
From the left navigation panel, click Gateways & Servers.
-
Open the Cluster Object.
-
Navigate to the Network Management tab.
-
Click Get Interfaces > Get Interfaces With Topology.
-
Click the MaaS Tunnel interface, and in General > Network Type, select Private.
-
Finalize the topology definitions for the cluster.
-
Install policy.
-
-
In the Smart-1 Cloud portal:
For each Cluster member:
-
Click Connect Gateways on the left navigation panel.
-
Click the large plus icon. The Register Gateway window opens.
-
In the Gateway Name field, enter the name for this object.
Optional: In the Comment field, enter the applicable text.
-
Click Register.
This creates a new Security Gateway object in the Service with the name that you entered.
-
Click Connect Gateway.
-
Copy the Token from the Connect Gateway screen.
-
-
In the Security Cluster deployment template:
-
Paste the Tokens you copied from the Smart-1 Cloud portal for each member into the applicable fields in the deployment template.
-
Fill all the other fields in the template and start the deployment.
-
When the CloudGuard Network Security Gateway deployment completes:
-
A tunnel is established between the Security Gateway and the Smart-1 Cloud.
-
The status of the Security Gateway changes to Pending trust (SIC) establishment.
-
-
-
In SmartConsole or Web SmartConsole:
Follow the admin guide applicable to the solution you are deploying to configure the Cluster object and Cluster members in SmartConsole.
Notes:
-
When you enter the Cluster Virtual IP address, make sure not to give an IP address in the subnet 100.64.x.x.
-
When you add the cluster members to the cluster object, use the existing members from step 1.
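A pre-deployment check for the addressing rule above, as an added example that is not part of the original guide: it flags planned addresses or networks that overlap the service-allocated subnets listed earlier on this page. The guide names only 100.64.x.x for the Cluster Virtual IP address; checking all five listed subnets is a conservative generalization, and the plan names and addresses are constructed sample values.

```python
import ipaddress

# Service-allocated subnets listed on this page for Smart-1 Cloud.
SERVICE_SUBNETS = [ipaddress.ip_network(n) for n in (
    "100.64.0.0/16", "100.70.0.0/16", "100.71.0.0/16",
    "100.100.0.0/16", "100.101.0.0/16",
)]

def find_conflicts(planned):
    """Return (name, value, subnet) for every planned address or network
    that falls inside or overlaps a service-allocated subnet.

    `planned` maps a label to an IPv4 address ("10.1.1.1") or a CIDR
    network ("100.64.8.0/24"). Malformed values are reported with
    subnet=None so a typo never passes silently.
    """
    conflicts = []
    for name, value in planned.items():
        try:
            # strict=False accepts host bits, e.g. an interface given as 10.1.1.5/24
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            conflicts.append((name, value, None))
            continue
        if net.version != 4:
            continue  # the listed service subnets are IPv4 only
        for subnet in SERVICE_SUBNETS:
            if net.overlaps(subnet):
                conflicts.append((name, value, str(subnet)))
    return conflicts

# Constructed sample plan (hypothetical names and addresses).
SAMPLE_PLAN = {
    "cluster-vip": "100.64.10.1",       # inside 100.64.0.0/16
    "member1-sync": "192.168.50.1/24",  # no overlap
    "branch-lan": "100.64.0.0/10",      # supernet covering all five subnets
    "dmz": "100.72.4.0/24",             # CGNAT space, but not a listed subnet
    "typo": "100.64.300.1",             # malformed octet
}

if __name__ == "__main__":
    for name, value, subnet in find_conflicts(SAMPLE_PLAN):
        reason = f"overlaps {subnet}" if subnet else "is not a valid address"
        print(f"{name}: {value} {reason}")
```

The supernet case matters in practice: a site that routes the whole 100.64.0.0/10 shared address space internally overlaps every listed subnet even though no single host address was typed from them.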
-
Onboarding a new Quantum appliance using Zero Touch deployment
Use this procedure to onboard a new appliance with Zero Touch and configure it as a Security Gateway or a Cluster Member.
-
Remove your new appliance from the shipping carton, connect the power cable and turn on the appliance.
-
The light on one of the network interface ports starts blinking.
-
With a DHCP Server:
Connect the network cable to that interface port.
Your connection must lead to the environment with a working DHCP server.
-
Without a DHCP Server:
Configure one of the interfaces with the applicable networking information:
-
Connect to the command line on the appliance.
-
In the Expert mode, disable the Zero Touch DHCP:
/opt/CPzetc/bin/zetc_setlaunch 0
-
In Gaia Clish, configure the applicable IP address:
set interface <Name of Interface> on
set interface <Name of Interface> ipv4-address <IPv4 Address> mask-length <Subnet Mask Length>
-
In Gaia Clish, configure the applicable default route:
set static-route default nexthop gateway address 192.168.1.254 off
set static-route default nexthop gateway address <IPv4 Address> on
-
In Gaia Clish, configure the applicable DNS servers:
set dns primary <IPv4 Address>
set dns secondary <IPv4 Address>
set dns tertiary <IPv4 Address>
-
In Gaia Clish, save the configuration:
save config
-
Plug the network cable into that interface port.
-
-
-
Navigate to the Connect Gateways page in the Smart-1 Cloud portal.
-
A card that represents your appliance appears.
This may take 2-3 minutes.
Note - If the card for your appliance does not appear, check the Service and Contract page.
-
Click the card for your appliance and enter all applicable information, then click OK.
To replace an existing Security Gateway, click the arrow near the Configure Device button.
-
Follow the instructions in the portal.
-
After the card status changes to Registration completed, you can configure your new Security Gateway in SmartConsole.
Connecting a Quantum Spark Appliance
To connect Quantum Spark to Smart-1 Cloud, follow these steps:
-
Connect to the Quantum Spark WebUI and in the Security Management tab, click Setup.
-
Check the Use Security Management service check box and click Next.
-
Click Use the Infinity Portal to generate a new authentication token and add the token.
-
The status changes to: Connected successfully to the Security Management Server. Click Next.
-
Add the one-time password and click Next:
-
Open the Security Gateway object in SmartConsole and ensure the Hardware type is correct.
-
Enter a one-time password, check the Initiate trusted communication now check box and click Initialize.
-
Save the object in SmartConsole and publish the changes.
Connecting a Maestro Security Group
Important - This procedure supports only Maestro Security Groups that run R81.10 and higher versions.
-
Smart-1 Cloud does not support Maestro Security Groups in the VSX mode.
-
The SMO Image Cloning is not supported if the Security Group R81.10 and higher contains different appliance models.
-
DAIP is not supported.
-
On the Maestro Orchestrator, configure the required Security Group - in Gaia Portal or Gaia Clish.
See the Quantum Maestro Getting Started Guide and the Maestro Administration Guide for your version.
Important - Write down the IP address of the Security Group. You must configure it later in Smart-1 Cloud.
-
Install the required Hotfixes on the Security Group. For details, refer to sk181495.
-
Connect to the Smart-1 Cloud Portal.
See Getting Started with Smart-1 Cloud.
-
Add the Security Group as a new Security Gateway object:
-
From the left navigation panel, click Connect Gateways.
-
Click the large plus icon.
The Register a New Security Gateway window opens.
Note - The server detects if there are existing gateway objects in the database.
For existing gateway objects, the server asks:
Do you want to create a new gateway object, or use an existing gateway
-
Create a New Gateway object:
-
In the Gateway Name field, enter the name for this object.
-
Optional: In the Comment field, enter the applicable text.
-
Select Configure as Maestro.
-
In the IP address field, enter the IP address of the Security Group as you configured it on the Maestro Orchestrator (this is the IP address assigned to the Mgmt interface of the Security Group).
-
Click Register.
This creates a new Security Gateway object in the Service with the name that you entered.
-
Click Connect Gateway and follow the instructions to complete the connection.
Note - The connection of a new Security Gateway includes two steps:
-
Connect the Security Gateway to the service.
Here, it is necessary to perform a step on the Security Gateway (according to the instructions) to connect the gateway to the service.
When the process is finished, the status in the portal shows: Pending SIC.
-
Connect the Management to the Security Gateway.
After you connect to the service, log in to SmartConsole and start the SIC between the Management and Gateway.
The portal shows Registration complete.
-
-
-
-
-
Connect with SmartConsole to the Smart-1 Cloud Portal.
-
From the left navigation panel, click Gateways & Servers.
-
Open the Security Gateway object for this Maestro Security Group.
-
From the left, click the General Properties page.
-
Establish SIC:
-
In the Secure Internal Communication field, click Communication.
-
Enter the one-time password you configured on the Maestro Orchestrator when you created the Security Group.
-
Click Initialize.
-
Click OK.
-
-
Publish the session.
-
Install the Access Control policy on the Security Gateway object.
-
Install the Threat Prevention policy on the Security Gateway object.
-
Before you add a new Security Group Member to the Security Group that is connected to Smart-1 Cloud (while the "maas_tunnel" is active and working), you must install the required Hotfixes on that Security Group Member.
-
To examine the status of the Smart-1 Cloud connection on all Security Group Members:
-
In Gaia gClish:
-
Connect to the command line on the Security Group.
-
If your default shell is the Expert mode, go to Gaia gClish:
gclish
-
Run:
show security-gateway cloud-mgmt-service
-
-
In the Expert mode:
-
Connect to the command line on the Security Group.
-
If your default shell is Gaia gClish, go to the Expert mode:
expert
-
Run:
maas status
-
-
-
To disable the Smart-1 Cloud connection on the Security Group:
-
In Gaia gClish:
-
Connect to the command line on the Security Group.
-
If your default shell is the Expert mode, go to Gaia gClish:
gclish
-
Run:
set security-gateway cloud-mgmt-service off
-
-
In the Expert mode:
-
Connect to the command line on the Security Group.
-
If your default shell is Gaia gClish, go to the Expert mode:
expert
-
Run:
maas off
-
-
-
To enable the Smart-1 Cloud connection on the Security Group again:
-
In Gaia gClish:
-
Connect to the command line on the Security Group.
-
If your default shell is the Expert mode, go to Gaia gClish:
gclish
-
Run:
set security-gateway cloud-mgmt-service on
-
-
In the Expert mode:
-
Connect to the command line on the Security Group.
-
If your default shell is Gaia gClish, go to the Expert mode:
expert
-
Run:
maas on
-
-