CloudGuard Controller for Cisco ACI

CloudGuard Controller integrates the Cisco ACI fabric with Check Point security.

The Check Point Data Center Server connects to the ACI fabric and retrieves object data.

The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group. It supports the connection to an APIC cluster for redundancy.

To learn more, see vSEC for ACI Managed by R80.10 Security Management Server Administration Guide for R80.10.

Prerequisites:

You must have a Cisco ACI user role with at least read permissions for Tenant EPG.
Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be required for device package installation (CloudGuard for ACI).
Enable Bridge Domain unicast routing to allow IP address learning for EPGs on the Cisco APIC.
Define a subnet on the Bridge Domain to help the fabric maintain IP address learning tables. This prevents time-outs on silent hosts that respond to periodic ARP requests.

Connecting to a Cisco ACI APIC Data Center Server

Step	Description
1	In SmartConsole, create a new Data Center object in one of these ways: In the top left corner, click Objects menu > More object types > Server > Data Center > New Cisco APIC. In the top right corner, click Objects Pane > New > More > Server > Data Center > Cisco APIC.
2	In the Enter Object Name field, enter the desired name.
3	In the URLs field, enter the addresses of APIC cluster members, delimited with a semicolon (;). Important - These addresses can be HTTP or HTTPS, but not mixed.
4	In the Username field, enter your APIC service username. If you use login domains for APIC authentication, the username format is: `apic:<`domain`>\<`username`>`
5	In the Password field, enter your APIC password.
6	Click Test Connection.
7	Click OK.
8	Publish the session.

Cisco APIC Objects

Object	Description
Tenant	A logical separator for customers, BU, groups, traffic, administrators, visibility, and more.
Application Profile	A container of logically related EPGs, their connections, and the policies that define those connections.
End-Point Group (EPG)	A container for objects that require the same policy treatment. Examples of these are app tiers or services (usually, VLAN).
L2 Out	A bridged external network.
L2 External EPG	An EPG that represents external bridged network endpoints.