Workflow for Deploying CloudGuard Controller

CloudGuard ControllerClosed Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security. is a component of the R80.40 Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

Important:

  1. When you install an R80.40 CloudGuard Controller, these files are overwritten with default values:

    • $MDS_FWDIR/conf/vsec.conf

    • $MDS_FWDIR/conf/tagger_db.C

    • $MDS_FWDIR/conf/AWS_regions.conf

  2. Before you start the upgrade, back up all files that you have changed.

  3. Before you perform the upgrade on the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server., if you have a Cisco APICClosed Cisco® Application Policy Infrastructure Controller. Automation and management point for the Cisco ACI fabric. It centralizes access to fabric information, optimizes the application lifecycle for scale and performance, and supports flexible application provisioning across physical and virtual resources. server, keep only one URL. After the upgrade, add the other URLs.

  4. A Multi-Domain ServerClosed Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. that contains imported Data CenterClosed Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores. They are collected in a group for secured remote storage, management, and distribution of data. objects in the Global Domain is not supported in the upgrade to R80.40.

    You must remove objects from the Global Domain before you install the upgrade.

Note - During the upgrade, CloudGuard Controller does not communicate with the Data Center. Therefore, Data Center objects are not updated on the CloudGuard Controller or the Security Gateways.

Supported Security Gateways

CloudGuard Controller works with these Security Gateways:

Important - To use the CloudGuard Controller with R77.20 and R77.30 Security Gateways (with the R77.30 Jumbo HotfixClosed Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Accumulator below Take 309), you must install the CloudGuard Controller / vSEC Controller Enforcer Hotfix (see sk129152) on those R77.20 and R77.30 Security Gateways.

Activating the Identity Awareness Software Blade

Activating Identity Awareness for Security Gateways R80.10 and higher

Step

Instructions

1

Connect with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Management Server.

2

From the left navigation panel, click Gateways & Servers.

3

Create a new Host object with these settings:

  • Name: LocalHost

  • IPv4 address: 127.0.0.1

4

Open the applicable Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. object.

5

From the left tree, click the General Properties page.

6

On the Network Security tab, select the Identity Awareness Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities.:

  1. The Identity Awareness Configuration wizard opens.

  2. In the Methods for Acquiring Identity window, clear the AD Query option, if you do not use it.

  3. Click Cancel.

7

From the left tree, click the Identity Awareness page.

8

Select Identity Web API and click Settings.

9

Configure the Identity Web API settings:

  1. In the section Authorized Clients, click [+] and select the Host object you created earlier (LocalHost).

  2. In the Selected Client Secret field, enter your secret word, or generate a random secret.

  3. Click OK.

Note - If you add more than one authorized client host, the host that represent 127.0.0.1 must be the first item in the Authorized Clients list of the Identity Web API.

10

Click OK.

11

Install the Access Control Policy.

Activating Identity Awareness for Security Gateways R77.30, R77.20, and R76SP.50

  1. Enable the Identity Awareness Software Blade and select Terminal Servers as the identity source.

    Step

    Instructions

    1

    Connect with SmartConsole to the Management Server.

    2

    From the left navigation panel, click Gateways & Servers.

    3

    Open the applicable Security Gateway / Cluster object.

    4

    From the left tree, click General Properties.

    5

    On the Network Security tab, select the Identity Awareness Software Blade:

    1. The Identity Awareness Configuration wizard opens.

    2. In the Methods for Acquiring Identity window, clear the AD Query option, if you do not use it.

    3. Select Terminal Servers > and click Next.

    4. In the Integration with Active Directory window, select I do not wish to configure an Active Directory at this time.

    5. Click Next.

    6. Click Finish.

    6

    Click OK.

    7

    Install the Access Control Policy.

  2. Step

    Instructions

    1

    Connect to the command line on each applicable Security Gateway / each Cluster MemberClosed Security Gateway that is part of a cluster..

    On Scalable Chassis, connect to the applicable Security Group.

    2

    Log in to the Expert mode.

    3

    On a VSX GatewayClosed Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0., go to the context the applicable Virtual System:

    vsenv <VSID>

    3

    Enable the Identity Web API:

    pdp api enable