CloudGuard Controller for Amazon Web Services
The CloudGuard Controller integrates the Amazon Web Services (AWS) cloud with Check Point security.
Note - See the "AWS Data Center enhancements" in What's New.
Important - The CloudGuard Controller server clock must be synchronized with the current local time. Use of an NTP server is recommended. Time synchronization issues can cause polling of information from the cloud to fail.
Connecting to an Amazon Web Services Data Center Server
| Step | Instructions |
|---|---|
| 1 | In SmartConsole, create a new Data Center object in one of these ways: |
| 2 | In the Enter Object Name field, enter a name. |
| 3 | Select the applicable authentication method: |
| 4 | If you choose User Authentication, enter your Access key ID and Secret access key. |
| 5 | In the Region field, select the AWS region to which you want to connect. |
| 6 | Click Test Connection. |
| 7 | Click OK. |
| 8 | Publish the SmartConsole session. |
| 9 | Install the Access Control policy on the Security Gateway object. |
Amazon Web Services Objects and Properties
AWS Imported Objects
| Object | Description |
|---|---|
| VPC | Amazon Virtual Private Cloud enables you to launch resources into your virtual network. |
| Availability Zone | A separate location within a region. AWS has multiple regions, each with several Availability Zones, worldwide. |
| Subnet | All the IP addresses of the Network Interfaces that belong to this subnet. |
| Instance | A virtual computing environment. |
| Tags | Groups all the instances that have the same Tag Key and Tag Value. |
| Security Group | Groups all the IP addresses and Security Groups of all objects associated with this Security Group. |
| Load Balancers | A Load Balancer distributes incoming traffic across multiple targets, such as EC2 Instances and IP addresses. Only Application and Network Load Balancers are supported. |
AWS Import Options
Use one of these options to import AWS objects to your policy:
| Option | Description |
|---|---|
| Regions | Import AWS VPCs, Load Balancers, Subnets, or Instances from a certain region into your Security Policy. |
| Security Groups | Import all IP addresses that belong to a specific Security Group. The Security Group is used only as a container for the list of all IP addresses of Instances that are attached to this group. |
| Tags | Import all instances and Security Groups that have a specific Tag Key or Tag Value. |
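To make the import semantics above concrete, here is an added Python model (not Check Point code) that resolves each kind of imported object to the set of IP addresses the Security Gateway would enforce on. The inventory is constructed to mimic what EC2 DescribeInstances/DescribeNetworkInterfaces return, with hypothetical instance, subnet and security-group IDs.

```python
"""Model of how imported AWS objects resolve to IP sets (added example)."""

# Constructed sample inventory: hypothetical IDs, RFC 1918 / RFC 5737 addresses.
INSTANCES = {
    "i-0aaa": {"tags": {"Role": "web", "Env": "prod"}},
    "i-0bbb": {"tags": {"Role": "web", "Env": "dev"}},
    "i-0ccc": {"tags": {"Role": "db", "Env": "prod"}},
}
NETWORK_INTERFACES = [
    {"instance": "i-0aaa", "subnet": "subnet-1", "groups": ["sg-web"],
     "private_ip": "10.0.1.10", "public_ip": "203.0.113.10"},
    {"instance": "i-0bbb", "subnet": "subnet-1", "groups": ["sg-web"],
     "private_ip": "10.0.1.11", "public_ip": None},
    {"instance": "i-0ccc", "subnet": "subnet-2", "groups": ["sg-db"],
     "private_ip": "10.0.2.20", "public_ip": None},
    # Second interface on the db host: sits in the web subnet and carries
    # both groups, so it lands in more than one imported object.
    {"instance": "i-0ccc", "subnet": "subnet-1", "groups": ["sg-db", "sg-web"],
     "private_ip": "10.0.1.20", "public_ip": None},
]


def _ips(eni):
    """Private and (if present) public address of one network interface."""
    return {ip for ip in (eni["private_ip"], eni["public_ip"]) if ip}


def resolve_instance(instance_id):
    """Instance object: every private and public IP of its interfaces."""
    return set().union(*(_ips(e) for e in NETWORK_INTERFACES
                         if e["instance"] == instance_id))


def resolve_subnet(subnet_id):
    """Subnet object: all IPs of the network interfaces in that subnet."""
    return set().union(*(_ips(e) for e in NETWORK_INTERFACES
                         if e["subnet"] == subnet_id))


def resolve_security_group(sg_id):
    """Security Group object: only a container for the IPs of attached
    interfaces; the group's own inbound/outbound rules are not imported."""
    return set().union(*(_ips(e) for e in NETWORK_INTERFACES
                         if sg_id in e["groups"]))


def resolve_tag(key, value):
    """Tag object: IPs of every instance carrying Tag Key = Tag Value."""
    matched = [i for i, inst in INSTANCES.items() if inst["tags"].get(key) == value]
    return set().union(*(resolve_instance(i) for i in matched))
```

Because a Tag object's membership is recomputed from the current tag values on each poll, whoever can edit instance tags in AWS can effectively move hosts in and out of the matching policy rules; treat tag-write permissions with the same care as the policy itself.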
AWS Object Names (Tags)
Object names are the same as those in the AWS console.
VPC, Subnet, Instance, and Security Group objects are named as follows:
| Tag Name | Object Name |
|---|---|
| Tag Name exists | |
| Tag Name does not exist | |
| Tag Name is empty | |
AWS Imported Properties
| Property | Description |
|---|---|
| Name | Resource name as shown in the AWS console. You can edit the name after importing the object. |
| Name in Server | Resource name as shown in the AWS console. |
| Type in Server | Resource type. |
| IP | Associated private and public IP addresses. |
| Note | CIDR for Subnet and VPC objects. |
| URI | Object path. |
| Tags | Tags (Keys and Values) that are attached to the object. |
Configuring Permissions for Amazon Web Services
Minimal permissions for the User or Role
| Item | Value |
|---|---|
| Effect | |
| Actions | |
| Resource | |
For more information about Roles and the IAM policy, see Amazon Web Services documentation.
Auto Scaling in Amazon Web Services
The AWS Auto Scaling service, together with the Check Point Auto Scaling group, can increase or decrease the number of CloudGuard Gateways according to the current load.
CloudGuard Controller for AWS works with the Check Point Auto Scaling Group. The Check Point Security Management Server automatically updates the Data Center objects on the Check Point Auto Scaling group.