
Installing the CloudGuard Controller

In This Section:

Prerequisites for Upgrading vSEC Controller to R80.30

Enabling CloudGuard Controller

Supported Security Gateways

Activating the Identity Awareness Software Blade

If you do not have CloudGuard Controller, install R80.30 or upgrade the vSEC Controller from an earlier version.

See the R80.30 Installation and Upgrade Guide.

Prerequisites for Upgrading vSEC Controller to R80.30

Important Information:

  1. When you install R80.30 CloudGuard Controller, these files are overwritten with default values:
    • $MDS_FWDIR/conf/vsec.conf
    • $MDS_FWDIR/conf/tagger_db.C
    • $MDS_FWDIR/conf/AWS_regions.conf
  2. Before you begin the upgrade, back up all files that you have changed.
  3. Before you perform the upgrade on the Management Server, if you have a Cisco APIC server, keep only one URL. After the upgrade, add the other URLs.
  4. A Multi-Domain Server that contains imported Data Center objects in the Global Domain is not supported in the upgrade to R80.30. You must remove objects from the Global Domain before you install the upgrade.

Note - During the upgrade, CloudGuard Controller does not communicate with the Data Center. Therefore, Data Center objects are not updated on the CloudGuard Controller or the Security Gateways.
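The prerequisites above name three files that the R80.30 install resets and tell you to back up anything you changed. The following POSIX shell script is an added example, not part of the Check Point guide: it copies those files before the upgrade and records a hash of each, so that afterwards you can see exactly which ones were reset to defaults and restore only those. It assumes that $MDS_FWDIR is set (as it is in a Management Server shell) and that sha256sum is available; the backup directory layout, the MANIFEST file name and the /var/log/cgc-backup path in the usage comment are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: back up the three CloudGuard
# Controller files that an R80.30 install resets to defaults, then detect
# after the upgrade which of them were actually overwritten.
# Assumptions: $MDS_FWDIR is set (as it is in a Management Server shell) and
# sha256sum is on the PATH; the backup directory layout and the MANIFEST
# file name are this example's own choices.

# Paths relative to $MDS_FWDIR, as listed in the upgrade prerequisites.
CGC_FILES="conf/vsec.conf conf/tagger_db.C conf/AWS_regions.conf"

# backup_cgc_conf <backup_dir>
# Copy every listed file that exists into <backup_dir>, preserving
# timestamps, and record a SHA-256 per file in <backup_dir>/MANIFEST.
backup_cgc_conf() {
    bdir="$1"
    mkdir -p "$bdir" || return 1
    : > "$bdir/MANIFEST"
    for f in $CGC_FILES; do
        src="$MDS_FWDIR/$f"
        # A file that was never created on this server has nothing to back up.
        [ -f "$src" ] || continue
        mkdir -p "$bdir/$(dirname "$f")" || return 1
        cp -p "$src" "$bdir/$f" || return 1
        sum="$(sha256sum "$src" | cut -d' ' -f1)"
        printf '%s  %s\n' "$sum" "$f" >> "$bdir/MANIFEST"
    done
}

# check_cgc_conf <backup_dir>
# Compare the live files with the hashes in MANIFEST. Print the relative path
# of each file whose content changed (or disappeared) since the backup, and
# return 1 if any did, 0 if the customised files survived intact.
check_cgc_conf() {
    bdir="$1"
    changed=0
    while read -r sum f; do
        now="$(sha256sum "$MDS_FWDIR/$f" 2>/dev/null | cut -d' ' -f1)"
        if [ "$now" != "$sum" ]; then
            echo "$f"
            changed=1
        fi
    done < "$bdir/MANIFEST"
    return "$changed"
}

# Typical use (Expert mode, before and after the upgrade; path is our choice):
#   backup_cgc_conf /var/log/cgc-backup-$(date +%Y%m%d)
#   ... install R80.30 ...
#   check_cgc_conf /var/log/cgc-backup-<date>   # restore each file it prints
```

Run backup_cgc_conf once before the upgrade and check_cgc_conf once after it; every path the check prints is a file whose customised content was replaced, and the copy under the backup directory is the version to restore. On a Multi-Domain Server, run both from the main MDS context so that $MDS_FWDIR points at the right tree.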

Enabling CloudGuard Controller

In the R80.30 Security Management Server, the CloudGuard Controller is disabled by default.

Note - On the Management Servers in High Availability deployment, perform these steps on both Management Servers.

To enable the CloudGuard Controller on the Management Server:

  1. Connect to the command line on the Management Server.
  2. Log in to Gaia Clish, or Expert mode.
  3. On a Multi-Domain Server, go to the main MDS context:

     mdsenv

  4. Enable the CloudGuard Controller:

     cloudguard on

     The output shows:

     CloudGuard IaaS turned on successfully

To disable the CloudGuard Controller on the Management Server:

  1. Connect to the command line on the Management Server.
  2. Log in to Gaia Clish, or Expert mode.
  3. On a Multi-Domain Server, go to the main MDS context:

     mdsenv

  4. Disable the CloudGuard Controller:

     cloudguard off

     The command prompts you:

     Are you sure? [y/n: y to turn off, n to ignore]

     After you confirm, the output shows:

     CloudGuard IaaS turned off successfully

Note - When you disable the CloudGuard Controller, all CloudGuard Controller functionality stops.

Supported Security Gateways

CloudGuard Controller works with these Security Gateways:

Important - To use the CloudGuard Controller with R77.20 and R77.30 Security Gateways (R77.30 with Jumbo Hotfix Accumulator below Take 309), you must install the CloudGuard Controller / vSEC Controller Enforcer Hotfix on those R77.20 and R77.30 Security Gateways. See sk129152.

Activating the Identity Awareness Software Blade

For a Security Gateway to work with Data Center objects:

  1. Enable the Identity Awareness Software Blade.
  2. Enable the Identity Awareness API.
  3. Add the IP address 127.0.0.1 to the trusted clients list.

Activating Identity Awareness for R80.10 and above Gateways

  1. In SmartConsole, from the left navigation panel, click Gateways & Servers.
  2. Open the applicable Security Gateway object.
  3. From the left tree, click General Properties.
  4. On the Network Security tab, select the Identity Awareness Software Blade.

     The Identity Awareness Configuration > Methods for Acquiring Identity window opens.

     Clear AD Query, if it is not necessary.

  5. Select I do not wish to configure an Active Directory at this time.

     The Identity Awareness Software Blade is activated by default.

  6. Click Next > Finish.
  7. From the left tree, click Identity Awareness.
  8. Select Identity Web API.
  9. Click Settings.

     The Identity Web API Settings window opens.

  10. In the Authorized Clients section, add the 127.0.0.1 host object.
  11. In Selected Client Secret, enter a secret word.

      Press Generate to create the client secret.

      Click OK.

  12. Install the Access Control Policy.

Activating Identity Awareness for R77.30 and R77.20 Gateways

To work with Data Center objects, you must:

  1. Enable the Identity Awareness Software Blade and select Terminal Servers as the identities source.
  2. Enable the communication between the CloudGuard Controller and the Identity Awareness daemon on the Security Gateway.

To enable the Identity Awareness Software Blade:

  1. In SmartConsole, from the left navigation panel, click Gateways & Servers.
  2. Open the applicable Security Gateway object.
  3. From the left tree, click General Properties.
  4. On the Network Security tab, select the Identity Awareness Software Blade.

     The Identity Awareness Configuration > Methods for Acquiring Identity window opens.

     Clear AD Query, if it is not necessary.

  5. Select Terminal Servers > Next.

     The Identity Awareness Configuration > Integration with Active Directory window opens.

  6. Select I do not wish to configure an Active Directory at this time.

     The Identity Awareness Software Blade is activated by default.

  7. Click Next > Finish.
  8. Click OK.
  9. Install the Access Control Policy.

To enable the communication between the CloudGuard Controller and the Identity Awareness daemon on the Security Gateway:

  1. Connect to the command line on each applicable Security Gateway.
  2. Log in to Gaia Clish, or Expert mode.
  3. Enable the Identity Awareness API:

     pdp api enable

Note: On a VSX Gateway, run the command in the context of each applicable Virtual System.

Activating Identity Awareness for Scalable Platforms 40000/60000

To work with Data Center objects, you must:

  1. Enable the Identity Awareness Software Blade and select Terminal Servers as the identities source.
  2. Enable the communication between the CloudGuard Controller and the Identity Awareness daemons on the Security Gateway Modules.

To enable the Identity Awareness Software Blade:

  1. In SmartConsole, from the left navigation panel, click Gateways & Servers.
  2. Open the applicable Security Gateway object.
  3. From the left tree, click General Properties.
  4. On the Network Security tab, select the Identity Awareness Software Blade.

     The Identity Awareness Configuration > Methods for Acquiring Identity window opens.

     Clear AD Query, if it is not necessary.

  5. Select Terminal Servers > Next.

     The Identity Awareness Configuration > Integration with Active Directory window opens.

  6. Select I do not wish to configure an Active Directory at this time.

     The Identity Awareness Software Blade is activated by default.

  7. Click Next > Finish.
  8. Click OK.
  9. Install the Access Control Policy.

To enable the communication between the CloudGuard Controller and the Identity Awareness daemons on the Security Gateway Modules:

  1. Connect to the command line on the Scalable Platform.
  2. Log in to Gaia Clish, or Expert mode.
  3. Enable the Identity Awareness API on all Security Gateway Modules:

     g_all pdp api enable

Note: On a VSX Gateway, run the command in the context of each applicable Virtual System.