CloudGuard Controller for Microsoft Azure

CloudGuard ControllerClosed integrates the Microsoft AzureClosed cloud with Check Point security.

Important - The CloudGuard Controller server clock must be synchronized with the current, local time. Use of a NTP server is recommended. Time synchronization issues can cause polling information from the cloud to fail.

Connecting to a Microsoft Azure Data Center Server

To connect to a Microsoft Data Center Server:

Best Practice - In Microsoft Azure create a service principal (see this article for details) and assign relevant rights.

The minimum recommended permission is Reader.

You can assign the Reader permission in one of these ways:

  • Assign to all Resource Groups, from which you want to pull an item

  • Add the permission on a subscription level

Step

Instructions

1

In SmartConsoleClosed, create a new Data CenterClosed object in one of these ways:

  • In the top left corner, click Objects menu > More object types > Server > Data Center > New Microsoft Azure.

  • In the top right corner, click Objects Pane > New > More > Server > Data Center > Microsoft Azure.

2

In the Enter Object Name field, enter a name.

3

Select the applicable authentication method:

  • Service Principal - Uses the Service Principal to authenticate.

  • Azure AD User Authentication - Uses the Azure AD User to authenticate.

4

If you selected Service Principal Authentication (default):

  • Enter your Application ID, Application Key, and Directory ID.

    You can create the Service Principal in the Azure Portal, with the Azure PowerShell, or with the Azure CLI.

If you select Azure AD User Authentication:

  • Enter you Username and Password.

The minimum recommended permission is Reader.

You can assign the Reader permission in one of these ways:

  • Assign to all Resource Groups, from which you want to pull an item

  • Add the permission on a subscription level

Important - If you do not have the necessary permissions, some of the functionality might not work.

5

Click Test Connection.

6

Click OK.

7

Import objects from your Microsoft Azure server to your policy (for more about these objects, see the next sections).

  • Network by Subscriptions - Import VNETS, subnets, Virtual Machines, or VMSS.

  • Network Security Groups (NSG) - Import all IP addresses that belong to a specific NSG.

    The NSG is used only as a container for the list of all IP addresses (assigned to NICs and subnets) that are attached to this group.

  • Tags - Imports all the IP addresses of Virtual Machines and VMSS that have specific tags and values.

Note - All changes in Microsoft Azure are updated automatically with the Check PointSecurity PolicyClosed.

Users with permissions to change Resource Tags in Microsoft Azure can change their access permissions.

8

Publish the SmartConsole session.

9

Install the Access Control policy on the Security GatewayClosed object.

Azure Objects and Properties

Azure Objects

Object

Description

Subscription

Helps you organize access to your cloud components.

Virtual Network

Represents your Microsoft Azure Virtual NetworkClosed (VNET) in the cloud.

Subnet

A range of IP addresses in a VNET.

A VNET can be divided into many subnets.

Virtual Machine (VM)

Virtual computing environment.

Virtual Machine Scale Set (VMSS)

Manages sets of Virtual Machines.

Network Security Group (NSG)

NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to the Virtual Machines instances in a Virtual Network.

NSGs can be associated with either subnets or individual Virtual Machine instances in that subnet.

Load Balancer

Load Balancer distributes incoming traffic that arrives into the Load Balancer's frontend to backend pool instances, according to rules and health probes.

Tags

Keys and values attached to the object.

Azure Imported Properties

Imported

Property

Description

Name

Name of the object and the object's Resource Group

Format is: obj_name (obj_resource_group_name)

The user can edit the name after importing the object.

Name in server

Name of the object and the object's Resource Group

Format is: obj_name (obj_resource_group_name)

Type in server

Object type

IP address

  • Virtual Machines and VMSS: Public and Private IP addresses

  • Load Balancers: Frontend IP addresses

  • Subnets: VMs, VMSSs, and Internal Load Balancers Frontend IPs

  • NSGs: VMSSs and Subnets IP addresses associated with this NSG

  • Tags: VNETS, VMs, VMSSs and Load Balancers IP addresses associated with this specific Tag Key or Tag Value

Note

Contains the address prefixes for VNETs and subnets

URI

Object path

Tags

Keys and Values attached to the Object

Location

Physical location in Microsoft Azure

Auto Scaling in Microsoft Azure

The Microsoft Azure Auto Scaling service with the Check Point Auto Scaling group can increase or decrease the number of CloudGuard Gateways according to the current load.

CloudGuard Controller for Microsoft Azure can work with the Check Point Auto Scaling Group.

The Check Point Security Management ServerClosed can update Data Center objects automatically on the Check Point Auto Scaling group.