Integrating with Data Center Servers

Connecting to a Data Center Server

The Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) connects to the Software-Defined Data Center (SDDC: Data Center infrastructure components that can be provisioned, operated, and managed through an API for full automation) through the Data Center server object (a virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores, collected in a group for secured remote storage, management, and distribution of data) that you create in SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on).

To create a connection to the Data Center:

  1. In SmartConsole, create a new Data Center object in one of these ways:

    • In the top left corner, click Objects menu > More object types > Cloud > Data Center > applicable Data Center.

    • In the top right corner, click Objects Pane > New > More > Cloud > Data Center > applicable Data Center.

  2. In the Enter Object Name field, enter a name.

  3. Enter the connection and credentials information.

  4. To establish a secure connection, click Test Connection.

    If the certificate window opens, verify the certificate and click Trust.

  5. Click OK when the Connection Status changes to Connected.

    If the status is not Connected, troubleshoot the issues before you continue.

  6. Click OK.

  7. Publish the SmartConsole session.

  8. Install the Access Control policy on the Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) object.

Notes:

  • If the connection properties of a Data Center server changed (for example, the credentials or the URL), re-install the policy on all Security Gateways that have objects from that Data Center in their policy.

  • If the Data Center Server's certificate has changed, communication with the Data Center Server fails.
    To repair:

    1. Open the Data Center Server object in SmartConsole.

    2. Click Test Connection again.

    3. Accept the new certificate.

You can add Data Center objects and Data Center Query objects to the Source and/or Destination columns of Access Control rules and Threat Prevention rules. In addition, Data Center objects (but not Data Center queries) can be added to the NAT policy.

Note - In the NAT policy you can add Data Center Objects only in the Original Source and Original Destination columns, not in Translated Source / Destination.

To add Data Center objects to an Access Control or Threat Prevention rule:

  1. In SmartConsole, from the left navigation panel, click Security Policies.

  2. At the top, click Access Control > Policy.

  3. In the applicable rule (a set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session), in the Source or Destination column, click + to add new items.

  4. Click Import.

  5. Do one of these:

    • Select an existing Data Center object.

    • Create a new Data Center object - click Data Centers > New Data Center > select the applicable Data Center type.

  6. Install the Access Control Policy.

Data Center Query Objects

Overview

Note - Support for Data Center Query Objects on Security Gateways is for versions R81 and higher.

With Data Center Query Objects, administrators can create one Query Object based on attributes across multiple data centers. This simplifies the work when administrators create policies for multiple rules, because they only need one query object for data center objects from multiple data centers. Furthermore, administrators can create the policy even before they configure a data center in SmartConsole. This makes it easier to separate responsibilities between security administrators and other teams that may need to create data centers in SmartConsole.

The new Query object is used in the same way as Data Center objects. As with Data Center Objects, when the Data Center Query is added to the Rule Base (all rules configured in a given Security Policy; synonym: Rulebase), the CloudGuard Controller (which provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security) pulls the assets from all the Data Centers in the query object and updates the Security Gateway accordingly.

Without Data Center Query:

  1. Create the Data Center account(s).

  2. Import objects from each Data Center to the Rule Base.

  3. No option for complex logic inside the rules.

With Data Center Query:

  • Create Data Center Query objects and add them to the Rule Base before or after you create Data Center account(s). Important - You cannot install policy if there is only a Data Center Query but no Data Center object(s).

    Create the Data Center Query object with the All Data Centers option. The advantage is that if new Data Center Servers are added later, rules in the Rule Base that use such a Data Center Query object (with the 'All Data Centers' option) are automatically applied to assets in the new Data Centers.

    Note: After adding a new Data Center, you must install the policy on all Security Gateways that have this Data Center Query in their policy.

  • One Data Center Query object can use assets (objects) from more than one, or all, Data Centers. This results in simpler security rules.

  • The query can express logic that is more complex than what is possible in a security rule:

    • OR logic inside each query rule (use ";" between items)

    • AND logic between query rules

Benefits of using Data Center Query objects:

  • No need to update the rule when new data center(s) are added.

  • Rules can include complex OR and AND operations for a more precise policy.

Note - Rule No. 1 is without Data Center Query, and Rule No. 2 is with Data Center Query.

Creating Rules with Data Center Query Objects

To add a Data Center Query to a rule:

You can add a Data Center Query to the Source and/or Destination columns of Access Control rules and Threat Prevention rules in one of these ways:

  • From the Rulebase, click + and select it from the list of items.

  • Click the + button > New > Data Center Query.

Configuring Data Center Query Objects in SmartConsole

Step 1: Create a Data Center Query Object.

  1. Go to SmartConsole > Cloud > Data Center Queries > New.

  2. Add the applicable Data Center(s).

  3. Configure the Query Rules to match the values used for Type, Name, and IP in the Import Data Center window:

    Type in Data Center - The asset type in the Data Center, such as Instance, Virtual Machine, Load Balancer, Subnet, Availability Zone, and more.

      Note: You cannot query Tag, Tag Value, or Tag Key with Type in Data Center.

    Name in Data Center - The asset's name.

    IP address - The asset's IP address.

    Customer tag - Free text key and value. If you have only Tags with keys without values, you can set the Tag with the key only and keep the value empty; the CloudGuard Controller then enforces all assets that have this Tag key.

      Tag evaluation is case insensitive. For example, if the Tag configured on the Cloud is KEY=VALUE and the Data Center Query Tag is key=value, there is a match.

    Note - All object IP addresses that match the query are updated on the Security Gateway.

  4. Optional: To review the query, click Preview Query.

  5. Click OK.

Configuring Data Center Query Objects using management API

See Management API Reference.

Configuring Data Center Query Objects using Terraform

See checkpoint_management_data_center_query.

Step 2: Add the Data Center Query object from Step 1 to the Rule base.

Step 3: Install the policy on the Security Gateway object.
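The Terraform equivalent of Steps 1 and 2 above, as an added example that is not taken from the Check Point documentation or the provider's repository; the query name, tag keys, rule name and the "Network" layer are assumptions, and, as the Important note above says, policy installation still requires at least one Data Center server object to exist.

```hcl
# Added example: a Data Center Query spanning all Data Center servers, plus an
# access rule that uses it. Assumes the Check Point Terraform provider is already
# configured against the Management Server.

resource "checkpoint_management_data_center_query" "prod_web" {
  name = "dcq-prod-web"   # assumed name

  # "All" is the Terraform form of the "All Data Centers" option in SmartConsole:
  # assets from Data Center servers added later are matched automatically, but
  # the policy must still be re-installed after a new Data Center is added.
  data_centers = ["All"]

  # Query rules are ANDed together; the values inside one rule are ORed
  # (the equivalent of separating items with ";" in the SmartConsole query editor).
  query_rules {
    key_type = "predefined"
    key      = "type-in-data-center"
    values   = ["Instance", "Virtual Machine"]
  }

  # Tag match: key and value are case insensitive, so Role=WEB on the cloud
  # side matches role=web here. Tag keys are assumptions.
  query_rules {
    key_type = "tag"
    key      = "role"
    values   = ["web"]
  }

  query_rules {
    key_type = "tag"
    key      = "env"
    values   = ["prod"]
  }
}

# Step 2: use the query object in the Destination column of an Access Control
# rule (Data Center Queries are valid in Source/Destination, not in NAT).
# The rule name and the "Network" layer are assumptions; adjust to your policy.
resource "checkpoint_management_access_rule" "allow_https_to_prod_web" {
  name        = "Allow HTTPS to prod web"
  layer       = "Network"
  position    = { top = "top" }
  source      = ["Any"]
  destination = [checkpoint_management_data_center_query.prod_web.name]
  service     = ["https"]
  action      = "Accept"
}
```

After `terraform apply`, publish the session and install the policy on the Security Gateway (Step 3) so the CloudGuard Controller starts pushing the matching asset IP addresses.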