Integrating with Data Center Servers

Connecting to a Data Center Server

The Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) connects to the Software-Defined Data Center (SDDC) through the Data Center Server object you create in SmartConsole. In addition, you can connect to the Data Center with the Management API and Terraform. See the Management API Reference and the data_center_server Terraform resources, such as checkpoint_management_azure_data_center_server.

To create a connection to the Data Center:

  1. In SmartConsole, create a new Data Center object in one of these ways:

    • In the top left corner, click Objects menu > More object types > Cloud > Data Center > applicable Data Center.

    • In the top right corner, click Objects Pane > New > More > Cloud > Data Center > applicable Data Center.

  2. In the Enter Object Name field, enter a name.

  3. Enter the connection and credentials information.

  4. To establish a secure connection, click Test Connection.

    If the certificate window opens, verify the certificate before you click Trust: compare its fingerprint with the one the Data Center Server actually presents, because trusting an unverified certificate lets anyone in the network path impersonate the Data Center.

  5. Click OK when the Connection Status changes to Connected.

    If the status is not Connected, troubleshoot the issues before you continue.

  6. Click OK.

  7. Publish the SmartConsole session.

Notes:

  • If the connection properties of a Data Center Server change (for example, the credentials or the URL), re-install the policy on all the Security Gateways that have objects from that Data Center in their policy.

  • If the Data Center Server's certificate changes, communication with the Data Center Server fails.
    To repair (after you confirm that the certificate change is legitimate):

    1. Open the Data Center Server object in SmartConsole.

    2. Click Test Connection again.

    3. Accept the new certificate.

You can use Data Center objects and Data Center Query objects in Access Control, Threat Prevention, and HTTPS Inspection rules. In addition, you can use Data Center objects (but not Data Center Queries) in NAT rules in the Original Source and Original Destination columns.

To add Data Center objects to the policy:

  1. In the applicable rule, click + to add new items.

  2. Click Import.

  3. Do one of these:

    • Select an existing Data Center object.

    • Create a new Data Center object - click Data Centers > New Data Center > select the applicable Data Center type.

  4. Install the Access Control Policy.

Data Center Query Objects

Overview

Note - Support for Data Center Query Objects on Security Gateways is for versions R81 and higher.

With Data Center Query objects, administrators can create one Query object based on attributes across multiple Data Centers. This simplifies policy creation, because a single Query object covers Data Center objects from multiple Data Centers in many rules. Furthermore, administrators can create the policy before a Data Center is configured in SmartConsole, which makes it easier to separate responsibilities between security administrators and the other teams that may need to create Data Centers in SmartConsole.

You use a Query object in the same way as a Data Center object. As with Data Center objects, when you add a Data Center Query to the Rule base, the CloudGuard Controller pulls the assets from all the Data Centers in the Query object and updates the Security Gateway accordingly.

Without Data Center Query:

  1. Create the Data Center account(s).

  2. Import objects from each Data Center to the Rule base.

  3. No way to express complex logic inside the rules.

With Data Center Query:

  • Create Data Center Query objects and add them to the Rule base before or after you create the Data Center account(s).

    Create the Data Center Query object with the All Data Centers option. The advantage is that if new Data Center Servers are added later, rules that use such a Data Center Query object (with the 'All Data Centers' option) are automatically applied to assets in the new Data Centers.

    Note: After you add a new Data Center, you must install the policy on all the Security Gateways that have this Data Center Query in their policy.

  • One Data Center Query object can use assets (objects) from more than one, or all, Data Centers. This results in simpler security rules.

  • A query can express logic that is larger and more complex than what is possible inside a security rule:

    • OR logic inside each query rule: use ";" between items.

    • AND logic between query rules.

Using Data Center Query objects:

  • No need to update the rule when a new Data Center is added (the policy still has to be installed on the gateways).

  • A rule can include complex OR and AND operations to refine the policy.

Note - Rule No. 1 is without Data Center Query, and Rule No. 2 is with Data Center Query.

Creating Rules with Data Center Query Objects

To add Data Center Query to a rule:

You add a Data Center Query to a rule in the same way you add a Data Center object to a rule.

Configuring Data Center Query Objects in SmartConsole

Step 1: Create a Data Center Query Object.

  1. Go to SmartConsole > Cloud > Data Center Queries > New.

  2. Add the applicable Data Center(s).

  3. Configure the Query Rules. The values for Type, Name, and IP are the same values shown in the Import Data Center window:

    Type in Data Center - The asset type in the Data Center, such as Instance, Virtual Machine, Load Balancer, Subnet, Availability Zone, and more.

      Note: You cannot query Tag, Tag Value, or Tag Key with Type in Data Center.

    Name in Data Center - The asset's name (not the Tag's name).

    IP address - The asset's IP address.

    Customer tag - Free-text key and value. If you have only Tags with keys and no values, set the Tag with the key only and keep the value empty; the CloudGuard Controller then enforces all the assets that have this Tag key.

      Tag evaluation is case-insensitive. For example, if the Tag configured in the cloud is KEY=VALUE and the Data Center Query Tag is key=value, there is a match.

    Note - All object IP addresses that match the query are updated on the Security Gateway.

  4. Optional: To review the query, click Preview Query.

  5. Click OK.
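The matching rules above (OR between ";"-separated items inside one query rule, AND between rules, case-insensitive Tag keys and values, and a Tag rule with an empty value matching any value for that key) are easy to get wrong on a large inventory. The script below is an added example, not Check Point code: it replays those semantics over a small constructed inventory so you can check which assets, and which IP addresses, a query would select before you install the policy. The Asset model, the QueryRule model and the INVENTORY data are constructed for the example; comparing Type and Name case-insensitively is my assumption, since the page states case-insensitivity only for Tags.

```python
"""Dry run of Data Center Query rules against an asset inventory (added example, not Check Point code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List

ALLOWED_ATTRIBUTES = ("type", "name", "ip", "tag")


@dataclass
class Asset:
    type: str                        # "Instance", "Virtual Machine", "Load Balancer", ...
    name: str                        # the asset's name, not a Tag
    ips: List[str]
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class QueryRule:
    attribute: str                   # one of ALLOWED_ATTRIBUTES
    value: str = ""                  # ';' separates OR alternatives; "" on a tag rule means "key only"
    tag_key: str = ""                # used only when attribute == "tag"


def split_or(value: str) -> List[str]:
    """'Instance; Virtual Machine' -> ['instance', 'virtual machine'] (assumed case-insensitive)."""
    return [v.strip().lower() for v in value.split(";") if v.strip()]


def rule_matches(rule: QueryRule, asset: Asset) -> bool:
    attr = rule.attribute.lower()
    if attr not in ALLOWED_ATTRIBUTES:
        raise ValueError(f"unknown query attribute {rule.attribute!r}")
    wanted = split_or(rule.value)
    if attr != "tag" and not wanted:
        raise ValueError(f"{attr} rule needs at least one value")
    if attr == "type":
        return asset.type.lower() in wanted
    if attr == "name":
        return asset.name.lower() in wanted
    if attr == "ip":
        # Exact address match, normalised so different spellings of one address compare equal.
        wanted_ips = {ip_address(w) for w in wanted}
        return any(ip_address(ip) in wanted_ips for ip in asset.ips)
    # Tag rule: locate the key case-insensitively; an empty value list accepts any value.
    if not rule.tag_key:
        raise ValueError("a tag rule needs a tag key")
    for key, val in asset.tags.items():
        if key.lower() == rule.tag_key.lower():
            return not wanted or val.lower() in wanted
    return False


def query_matches(rules: List[QueryRule], asset: Asset) -> bool:
    """AND between query rules, as in the SmartConsole query editor."""
    if not rules:
        raise ValueError("a query needs at least one rule")
    return all(rule_matches(r, asset) for r in rules)


def select_assets(rules: List[QueryRule], inventory: List[Asset]) -> List[str]:
    return sorted(a.name for a in inventory if query_matches(rules, a))


def matched_ips(rules: List[QueryRule], inventory: List[Asset]) -> List[str]:
    """The address set the Controller would push to the Security Gateway for this query."""
    ips = {ip for a in inventory if query_matches(rules, a) for ip in a.ips}
    return [str(ip) for ip in sorted(ip_address(ip) for ip in ips)]


# Constructed inventory: mixed asset types, inconsistent Tag casing, one key-only Tag.
INVENTORY = [
    Asset("Instance", "web-1", ["10.0.1.10"], {"Env": "Prod", "Role": "web"}),
    Asset("Instance", "web-2", ["10.0.1.11"], {"env": "prod", "role": "web"}),
    Asset("Virtual Machine", "db-1", ["10.0.2.20"], {"Env": "Prod", "Compliance": "pci"}),
    Asset("Instance", "build-1", ["10.0.3.30"], {"Env": "Dev", "Role": "web"}),
    Asset("Load Balancer", "lb-1", ["10.0.0.5"], {"Env": "Prod", "Compliance": ""}),
]

# Type in Data Center = "Instance;Virtual Machine"  AND  Tag env=prod
PROD_COMPUTE = [
    QueryRule("type", "Instance;Virtual Machine"),
    QueryRule("tag", "prod", tag_key="env"),
]

# Tag key only: every asset carrying a "Compliance" Tag, whatever its value
HAS_COMPLIANCE_TAG = [QueryRule("tag", "", tag_key="compliance")]

if __name__ == "__main__":
    print("prod compute:", select_assets(PROD_COMPUTE, INVENTORY))
    print("addresses pushed:", matched_ips(PROD_COMPUTE, INVENTORY))
    print("has Compliance tag:", select_assets(HAS_COMPLIANCE_TAG, INVENTORY))
```

Run it after exporting your real inventory into the Asset shape; the "addresses pushed" list is what you should expect to see on the gateway for that query once policy is installed.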

Configuring Data Center Query Objects using management API

See Management API Reference.

Configuring Data Center Query Objects using Terraform

See checkpoint_management_data_center_query.

Step 2: Add the Data Center Query object from Step 1 to the Rule base.

Step 3: Install the policy on the Security Gateway.

Automation and Monitoring

Check Point Management API and Terraform are available to add, delete, set, and show Data Center Servers and their contents, and to show, delete, and import Data Center objects and Data Center Query objects.

Use the API and resources to automate Data Center security management and monitoring.

See Check Point Management API Reference.

See https://registry.terraform.io/providers/CheckPointSW/checkpoint/latest/docs and search for 'data_center'.
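The sections "Configuring Data Center Query Objects using management API" and "Automation and Monitoring" point at the Management API without showing a call sequence. The script below is an added example, not Check Point's own code or SDK: it creates a Data Center Query object with the same OR-inside-a-rule / AND-between-rules structure as the SmartConsole editor, publishes the session, and installs policy so the gateways pick the query up. The command names (login, add-data-center-query, publish, install-policy, logout) and the X-chkp-sid session header come from the Management API Reference; everything else is assumed for the example: the server address and credentials are read from the MGMT_HOST, MGMT_USER and MGMT_PASSWORD environment variables, the Management Server's CA certificate has been exported to the file named by MGMT_CA_FILE so that TLS verification stays on, the policy package is called "Standard", and the target gateway is "gw-1".

```python
"""Create a Data Center Query through the Management API (added example, not Check Point code)."""
import json
import os
import ssl
import urllib.error
import urllib.request

PREDEFINED_KEYS = ("type-in-data-center", "name-in-data-center", "ip-address")


def rule_errors(rules):
    """Validate (key_type, key, values) triples before they reach the API."""
    errors = []
    if not rules:
        errors.append("a query needs at least one rule")
    for key_type, key, values in rules:
        if key_type == "predefined":
            if key not in PREDEFINED_KEYS:
                errors.append(f"unknown predefined key {key!r}")
            if not values:
                errors.append(f"predefined rule {key!r} needs at least one value")
        elif key_type == "tag":
            if not key:
                errors.append("tag rule needs a tag key")
        else:
            errors.append(f"unknown key-type {key_type!r}")
    return errors


def build_query_payload(name, data_centers, rules):
    """Body for add-data-center-query: values inside a rule are OR'ed, rules are AND'ed.

    data_centers lists Data Center Server names, or ["All"] for the 'All Data Centers' option.
    """
    errors = rule_errors(rules)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "name": name,
        "data-centers": list(data_centers),
        "query-rules": [
            {"key-type": key_type, "key": key, "values": list(values)}
            for key_type, key, values in rules
        ],
    }


class MgmtApi:
    """One HTTPS POST per Management API command, with certificate verification kept on."""

    def __init__(self, host, ca_file, port=443):
        # Trust the exported Management Server CA instead of disabling verification.
        ctx = ssl.create_default_context(cafile=ca_file)
        self._opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
        self._base = f"https://{host}:{port}/web_api/"
        self._sid = None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self._sid:
            headers["X-chkp-sid"] = self._sid
        req = urllib.request.Request(self._base + command,
                                     data=json.dumps(payload or {}).encode(),
                                     headers=headers, method="POST")
        try:
            with self._opener.open(req, timeout=60) as resp:
                return json.loads(resp.read().decode())
        except urllib.error.HTTPError as err:
            # On failure the API answers with a JSON body carrying "code" and "message".
            raise RuntimeError(f"{command}: HTTP {err.code} {err.read().decode()}") from err

    def login(self, user, password):
        self._sid = self.call("login", {"user": user, "password": password})["sid"]

    def logout(self):
        if self._sid:
            self.call("logout")
            self._sid = None


if __name__ == "__main__":
    api = MgmtApi(os.environ["MGMT_HOST"], os.environ["MGMT_CA_FILE"])
    api.login(os.environ["MGMT_USER"], os.environ["MGMT_PASSWORD"])
    try:
        api.call("add-data-center-query", build_query_payload(
            "prod-compute", ["All"],
            [("predefined", "type-in-data-center", ["Instance", "Virtual Machine"]),
             ("tag", "env", ["prod"])]))
        api.call("publish")
        # Gateways only enforce the query (and any Data Center added later under
        # "All") after a policy install, so finish with one.
        api.call("install-policy",
                 {"policy-package": "Standard", "access": True, "targets": ["gw-1"]})
    finally:
        api.logout()
```

Keep the call sequence (add, publish, install) in that order: an unpublished session is invisible to the gateways, and a published query without a policy install changes nothing on them. The same MgmtApi.call method serves the other commands listed in the reference, such as show-data-center-content for monitoring.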