Integrating with Data Center Servers

Connecting to a Data Center Server

The Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) connects to the Software-Defined Data Center (SDDC) through the Data Center Server object in SmartConsole.

Notes:

  • If the connection properties of a Data Center Server change (for example, the credentials or the URL), re-install the policy on all Security Gateways that have objects from that Data Center in their policy.

  • If the Data Center Server's certificate changes, communication with the Data Center Server fails until the new certificate is accepted.
    To repair the issue:

    1. Open the Data Center Server object in SmartConsole.

    2. Click Test Connection again.

    3. Confirm with the Data Center administrator that the presented certificate is the expected one, then accept it. Accepting an unexpected certificate trusts whoever presented it for all future asset updates.

Creating Rules with Data Center Objects

You can add Data Center objects and Data Center Query objects to the Source and/or Destination columns of Access Control rules and Threat Prevention rules. In addition, Data Center objects (but not Data Center queries) can be added to the NAT policy.

Data Center Query Objects

Overview

With Data Center Query objects, administrators can create one Query object based on attributes across multiple Data Centers. This simplifies policy creation, because one Query object covers Data Center objects from multiple Data Centers. Furthermore, administrators can create the policy before a Data Center is configured in SmartConsole (policy installation still requires at least one Data Center object; see the Important note below). This makes it easier to separate responsibilities between security administrators and other teams that create Data Centers in SmartConsole.

A Data Center Query object is used in the same way as a Data Center object. When a Data Center Query is added to the Rule Base, the CloudGuard Controller pulls the assets from all Data Centers in the query object and updates the Security Gateway with their IP addresses.

Without Data Center Query:

  1. Create the Data Center account(s).

  2. Import objects from each Data Center to the Rule Base.

  3. No option for complex logic inside the rules.

With Data Center Query:

  • Create Data Center Query objects and add them to the Rule Base before or after you create the Data Center account(s). Important - You cannot install policy if there is only a Data Center Query but no Data Center object(s).

    Create the Data Center Query object with the All Data Centers option. The advantage is that if new Data Center Servers are added later, rules with such a Data Center Query object (with the All Data Centers option) automatically apply to assets in the new Data Centers.

    Note - After you add a new Data Center, you must install the policy on all Security Gateways that have this Data Center Query in their policy.

  • One Data Center Query object can use assets (objects) from more than one, or all, Data Centers. This results in simpler security rules.

  • The query can express more complex and larger conditions than the security rule's own logic allows:

    • OR logic inside each query rule: use ";" between items

    • AND logic between query rules

Advantages of using Data Center Query objects:

  • No need to update the rule when new Data Center(s) are added.

  • A rule can include complex OR and AND operations for a more precise policy.

Note - Rule No. 1 is without a Data Center Query; Rule No. 2 is with a Data Center Query.

Creating Rules with Data Center Query Objects

To add a Data Center Query to a rule:

You can add a Data Center Query to the Source and/or Destination columns of Access Control rules and Threat Prevention rules.

In the Rule Base, in the Source and/or Destination column, click + and select the Data Center Query from the list of items.

-or-

Click the + button > New > Data Center Query.

Configuring Data Center Query Objects in SmartConsole

Step 1: Create a Data Center Query Object.

  1. Go to SmartConsole > Cloud > Data Center Queries > New.

  2. Add the applicable Data Center(s).

  3. Configure the Query Rules. Each rule matches one of the attributes shown for assets in the Import Data Center window:

    Type in Data Center - The asset type in the Data Center, such as Instance, Virtual Machine, Load Balancer, Subnet, Availability Zone, and more.
    Note - You cannot query Tag, Tag Value, or Tag Key with Type in Data Center.

    Name in Data Center - The asset's name.

    IP address - The asset's IP address.

    Customer tag - Free-text key and value. If you have Tags with keys only (no values), set the Tag with the key only and keep the value empty; the CloudGuard Controller then enforces all assets that have this Tag key.

    Note - All object IP addresses that match the query are updated on the Security Gateway.

  4. Optional: To review the query, click Preview Query.

  5. Click OK.

Step 2: Add the Data Center Query object from Step 1 to the Rule base.

Step 3: Install the Access Control policy on the Security Gateway object.
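The following is an added example (not Check Point code) that models how a Data Center Query selects assets, as described above: OR between the ";"-separated values inside one query rule, AND between query rules, and scoping to specific Data Centers or to All Data Centers. The asset inventory is constructed, and the matching details (case-insensitive whole-value comparison for Type and Name, exact comparison for tag values) are assumptions, not taken from the product documentation.

```python
"""Model of Data Center Query matching: OR inside a query rule (';'-separated
values), AND between query rules, scoped to some or all Data Centers.
Added example with constructed assets; exact matching semantics are assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    data_center: str   # Data Center Server the asset was imported from
    type: str          # "Type in Data Center", e.g. Instance, Virtual Machine
    name: str          # "Name in Data Center"
    ips: tuple         # IP addresses the Security Gateway will enforce
    tags: dict         # customer tags; "" means the key carries no value


# Constructed inventory standing in for what the CloudGuard Controller pulls.
ASSETS = [
    Asset("aws-prod",   "Instance",        "web-1", ("10.0.1.10",), {"env": "prod", "tier": "web"}),
    Asset("aws-prod",   "Instance",        "db-1",  ("10.0.2.10",), {"env": "prod", "tier": "db"}),
    Asset("azure-prod", "Virtual Machine", "web-2", ("10.1.1.10",), {"env": "prod", "tier": "web"}),
    Asset("azure-dev",  "Virtual Machine", "web-3", ("10.2.1.10",), {"env": "dev",  "tier": "web"}),
    # A Data Center added later: only queries with "All Data Centers" see it.
    Asset("gcp-new",    "Instance",        "web-4", ("10.3.1.10",), {"env": "prod", "tier": "web", "backup": ""}),
]


def split_values(text):
    """';' separates the alternatives inside one query rule (OR logic)."""
    return [v.strip() for v in text.split(";") if v.strip()]


def rule_matches(asset, attribute, text):
    """Evaluate one query rule. attribute is 'type', 'name', 'ip' or 'tag:<key>'."""
    values = split_values(text)
    if attribute == "type":
        return any(asset.type.casefold() == v.casefold() for v in values)
    if attribute == "name":
        return any(asset.name.casefold() == v.casefold() for v in values)
    if attribute == "ip":
        return any(v in asset.ips for v in values)
    if attribute.startswith("tag:"):
        key = attribute[len("tag:"):]
        if key not in asset.tags:
            return False
        # Key-only tag rule (empty value): every asset carrying the key matches.
        return True if not values else asset.tags[key] in values
    raise ValueError(f"unknown query attribute {attribute!r}")


def query_matches(asset, rules):
    """All query rules must hold (AND logic between rules)."""
    return all(rule_matches(asset, attr, text) for attr, text in rules)


def resolve_query(assets, rules, data_centers=None):
    """Return the IP addresses the gateway would receive for this query.
    data_centers=None models the 'All Data Centers' option."""
    ips = set()
    for asset in assets:
        if data_centers is not None and asset.data_center not in data_centers:
            continue
        if query_matches(asset, rules):
            ips.update(asset.ips)
    return sorted(ips, key=ipaddress.ip_address)


if __name__ == "__main__":
    prod_web = [("type", "Instance; Virtual Machine"), ("tag:env", "prod"), ("tag:tier", "web")]
    print("all data centers:", resolve_query(ASSETS, prod_web))
    print("aws+azure only:  ", resolve_query(ASSETS, prod_web, {"aws-prod", "azure-prod"}))
    print("tag key only:    ", resolve_query(ASSETS, [("tag:backup", "")]))
```

Running the script shows the effect of the All Data Centers option: the same three-rule query returns the gcp-new asset only when no Data Center scope is given, and the key-only tag rule returns every asset carrying the backup key regardless of its value.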

Check Point Management API

The Check Point Management API includes Data Center commands to add, delete, set, and show Data Center Servers and their contents, and to show, delete, and import Data Center objects.

Use the API to automate Data Center security management and monitoring.
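The following is an added example, not Check Point's code, of automating the Data Center Query workflow through the Management API: a login that returns a session id, subsequent calls carrying it in the X-chkp-sid header, adding a Data Center Query, publishing, and re-installing the Access Control policy on the gateways that use it (as the notes above require). The host, policy package, gateway and CA file names are hypothetical, and the body layout assumed for add-data-center-query (data-centers with type all/specific; query-rules with key-type, key and values) must be checked against the Management API Reference for the installed version.

```python
"""Added example: Management API client (HTTPS POST to /web_api/<command>)
for the Data Center Query workflow.  Host, package and gateway names are
hypothetical; the add-data-center-query body layout is an assumption to
verify against the API reference for your version."""
import getpass
import json
import ssl
import urllib.request

JSON_HEADERS = {"Content-Type": "application/json"}


def web_api_url(host, command, port=443):
    return f"https://{host}:{port}/web_api/{command}"


def session_headers(sid=None):
    """Every call after login carries the session id in X-chkp-sid."""
    headers = dict(JSON_HEADERS)
    if sid:
        headers["X-chkp-sid"] = sid
    return headers


def data_center_query_payload(name, query_rules, data_centers=None):
    """Body for add-data-center-query (assumed layout).  query_rules is a list
    of (key_type, key, values): key_type 'predefined' with key
    'type-in-data-center' / 'name-in-data-center' / 'ip-address', or key_type
    'tag' with key = the tag key.  Values within one rule are ORed, rules are
    ANDed.  data_centers=None selects the 'All Data Centers' option."""
    scope = {"type": "all"} if data_centers is None else {
        "type": "specific", "data-centers": list(data_centers)}
    return {
        "name": name,
        "data-centers": scope,
        "query-rules": [
            {"key-type": kt, "key": key, "values": list(values)}
            for kt, key, values in query_rules
        ],
    }


def install_policy_payload(package, targets):
    """Access Control policy must be re-installed on every gateway whose
    policy uses the Data Center objects."""
    return {"policy-package": package, "targets": list(targets), "access": True}


class MgmtSession:
    def __init__(self, host, cafile, port=443):
        self.host, self.port, self.sid = host, port, None
        # Trust only the Management Server's own CA certificate; never disable
        # verification towards a server that distributes security policy.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def call(self, command, payload=None):
        req = urllib.request.Request(
            web_api_url(self.host, command, self.port),
            data=json.dumps(payload or {}).encode(),
            headers=session_headers(self.sid), method="POST")
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def add_query_and_install(self, query, package, targets):
        self.call("add-data-center-query", query)
        self.call("publish")  # changes reach the gateways only after publish + install
        return self.call("install-policy", install_policy_payload(package, targets))

    def logout(self):
        self.call("logout")
        self.sid = None


if __name__ == "__main__":
    # Hypothetical Management Server, CA file, policy package and gateway.
    session = MgmtSession("mgmt.example.net", cafile="mgmt-ca.pem")
    session.login("api-admin", getpass.getpass("API password: "))
    try:
        query = data_center_query_payload("prod-web-all-dcs", [
            ("predefined", "type-in-data-center", ["Instance", "Virtual Machine"]),
            ("tag", "env", ["prod"]),
            ("tag", "tier", ["web"]),
        ])
        print(session.add_query_and_install(query, "Standard", ["gw-dc-1"]))
    finally:
        session.logout()
```

The install-policy call returns a task, so a production script would poll show-task on the returned task id before reporting success; the query is created with the All Data Centers option, so Data Center Servers added later are covered after the next policy installation.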

To change the API configuration and to learn more, see the Check Point Management API Reference.