CloudGuard Controller for Cisco Application Centric Infrastructure (ACI)
CloudGuard Controller
Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security. integrates the Cisco ACI Cisco® Application Centric Infrastructure. Comprehensive SDN architecture, policy-based automation solution for increased scalability through a distributed enforcement system with greater network visibility. Trademark of Cisco. fabric with Check Point security.
Prerequisites
-
Cisco ACI version 6.0 or lower.
-
You must have a Cisco ACI user role with at least read permissions for Tenant EPG.
Note - This role is sufficient for CloudGuard Controller functionality.
More permissions may be required for device package installation (CloudGuard for ACI).
-
Enable Bridge Domain unicast routing to allow IP address learning for EPGs on the Cisco ACI.
-
Define a subnet on the Bridge Domain to help the fabric maintain IP address learning tables.
This prevents time-outs on silent hosts that respond to periodic ARP requests.
-
Before you upgrade the Management Server
Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server., if you have a Cisco APIC Cisco® Application Policy Infrastructure Controller. Automation and management point for the Cisco ACI fabric. It centralizes access to fabric information, optimizes the application lifecycle for scale and performance, and supports flexible application provisioning across physical and virtual resources. server, keep only one URL. After the upgrade, add the other URLs.
Connecting to a Cisco ACI Data Center Server with SmartConsole
|
Step |
Instructions |
|
|---|---|---|
|
1 |
In SmartConsole
|
|
|
2 |
In the Enter Object Name field, enter the applicable name. |
|
|
3 |
In the URLs field, enter the IP addresses of Cisco ACI Cluster Important - These IP addresses can be either HTTP or HTTPS, but not both. You must add Important - When using multiple cluster members with HTTPS, all members must have the same HTTPS Certificate. |
|
|
4 |
In the Username field, enter your Cisco APIC server User ID. When using Login Domains, use the following syntax:
|
|
|
5 |
In the Password field, enter the Cisco APIC server password. |
|
|
6 |
Click Test Connection. |
|
|
7 |
Click OK. |
|
|
8 |
Publish the SmartConsole session. |
|
|
9 |
Install the Access Control Policy on the Security Gateway |
Connecting to a Cisco ACI Data Center Server with Management API
Go to Management API Reference > Click on see arguments per Data Center Server type and select Cisco ACI.
Connecting to a Cisco ACI Data Center Server with Terraform
See checkpoint_management_aci_data_center_server.
Cisco ACI Objects and Properties
Cisco ACI Imported Objects
|
Object |
Description |
|---|---|
|
Tenant |
A logical separator for customers, BU, groups, traffic, administrators, visibility, and more. |
|
Application Profile |
A container of logically related EPGs, their connections, and the policies that define those connections. |
|
End-Point Group (EPG) |
A container for objects that require the same policy treatment. EPG examples : app tiers or services (usually, VLAN) |
|
End-point Security Group (ESG) |
A logical entity that contains a collection of physical or virtual network endpoints. |
|
Policy tag |
A user-definable key and value pairs for use by ACI features. |
|
L2 Out |
A bridged external network. |
|
L2 External EPG |
An EPG that represents external bridged network endpoints. |
|
|
Note - Name Alias, A cosmetic substitute for a GUI entity, is also imported. |
Limitations
-
Supported fabric size: The total amount of all the following objects must not exceed 100,000:
-
Tenants
-
Application Profiles
-
EPGs
-
IP addresses
For information regarding Cisco guidelines and limitations, refer to Guidelines and Limitations for Using the REST API.
-
-
APIC HTTP URLs, which redirect to HTTPS, are not supported. Use either HTTPS URLs directly, or HTTP without redirection.
-
When multiple APIC URLs are specified, the connectivity test will succeed, as long as one of the URLs connects. There is no requirement for initial verification for all the URLs.
-
On failure to connect to all the given APIC URLs, the returned error message is for the first unsuccessful URL.
-
If an object imported from Cisco APIC is deleted on the APIC, and created again, the object must be re-imported into Check Point Policy. Enforcement will work correctly once the object is recreated in APIC, but the re-import is required to maintain updates for the object in the Management Server.
-
Changes to privileges of the APIC user that was used to create the Data Center Object, are not reflected during an active login session.
For example, if a new security domain is added to the user, which allows him to see a new tenant, this is not visible to the APIC scanner.
-
To resolve: Run the vsec_controller_stop command on the CloudGuard Controller to restart the CloudGuard Controller services and force a new log in.
-