Integrating with Data Center Servers

Connecting to a Data Center Server

The Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. connects to the Software-defined data center (SDDC Software-Defined Data Center. Data Center infrastructure components that can be provisioned, operated, and managed through an API for full automation.) through the Data Center Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores. They are collected in a group for secured remote storage, management, and distribution of data. server object on SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

To create a connection to the Data Center

Step	Instructions
1	In SmartConsole, create a new Data Center object in one of these ways: In the top left corner, click Objects menu > More object types > Server > Data Center > applicable Data Center. In the top right corner, click Objects Pane > New > More > Server > Data Center > applicable Data Center.
2	In the Enter Object Name field, enter a name.
3	Enter the connection and credentials information.
4	To establish a secure connection, click Test Connection. If the certificate window opens, confirm the certificate and click Trust.
5	Click OK when the Connection Status changes to Connected. If the status is not Connected, troubleshoot the issues before you continue.
6	Click OK.
7	Publish the SmartConsole session.
8	Install the Access Control policy on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.

Notes:

If the connection properties of a Data Center server changed (for example the credentials or the URL), make sure to re-install the policy on all the security gateways which have objects from that Data Center in their policy.
If the Data Center Server's certificate was changed, then communication with the Data Center Server fails.
To repair the issue:
1. Open the Data Center Server object in SmartConsole.
2. Click Test Connection again.
3. Accept the new certificate.

Creating Rules with Data Center Objects

You can add Data Center objects and Data Center Query objects to the Source and/or Destination columns of Access Control rules and Threat Prevention rules. In addition, Data Center objects (but not Data Center queries) can be added to the NAT policy.

To add Data Center objects to an Access Control rule

Step	Instructions
1	In SmartConsole, from the left navigation panel, click Security Policies.
2	At the top, click Access Control > Policy.
3	In the applicable rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session., in the Source or Destination column, click + to add new items.
4	Click Import.
5	Select an existing Data Center object. Alternatively, click Data Centers > New Data Center > applicable Data Center.
6	Install the Access Control Policy.

To add Data Center objects to a Threat Prevention rule

Step	Instructions
1	In SmartConsole, from the left navigation panel, click Security Policies.
2	At the top, click Threat Prevention > Policy.
3	In the applicable rule, in the Source or Destination column, click + to add new items.
4	In the top right corner, click Import.
5	Select an existing Data Center object. Alternatively, click Data Centers > New Data Center > applicable Data Center.
6	Install the Threat Prevention Policy.

Data Center Query Objects

Overview

With Data Center Query Objects, administrators can now create one Query Object based on attributes across multiple data centers. This simplifies the work when administrators create policies for multiple rules, because they only need to use one query object for data center objects from multiple data centers. Furthermore, admins can create the policy even before they configure a data center in SmartConsole. This makes it easier to separate responsibilities between security admins and others teams that possibly need to create data centers in SmartConsole.

The new Query object is used in the same way as Data Center objects. As with Data Center Objects, when the Data Center Query is added to the Rule base All rules configured in a given Security Policy. Synonym: Rulebase. the CloudGuard Controller Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security. pulls the assets from all the Data Centers in the query object and updates the gateway so.

Without Data Center Query	With Data Center Query
Create the Data Center account(s). Import objects from each Data Center to the Rule base. No choice for complex logic inside the rules.	Create Data Center Query objects and add them to the rule base before or after you create Data Center account(s). Important - You cannot install policy if there is only a Data Center Query but no Data Center object(s). Create Data Center Query object with the All Data Centers option. The advantage is that if new Data Center Servers are added later on, then rules in the rule base with such Data Center Query object (with the ‘All Data Centers’ option) are automatically applied to assets in the new Data Centers. Note: After adding new Data Center, you must install the policy on all Security Gateways that have this Data Center Query in their policy. One Data Center Query Object can use assets (objects) from more than one, or all, Data Centers. This results in simpler security rules. The Query is more complex and larger than what is possible in the security rule's logic. `OR` logic inside each query rule, use `";"` between items `AND` logic between query rules

Without Data Center Query

With Data Center Query

Create the Data Center account(s).
Import objects from each Data Center to the Rule base.
No choice for complex logic inside the rules.

Create Data Center Query objects and add them to the rule base before or after you create Data Center account(s). Important - You cannot install policy if there is only a Data Center Query but no Data Center object(s).

Create Data Center Query object with the All Data Centers option. The advantage is that if new Data Center Servers are added later on, then rules in the rule base with such Data Center Query object (with the ‘All Data Centers’ option) are automatically applied to assets in the new Data Centers.

Note: After adding new Data Center, you must install the policy on all Security Gateways that have this Data Center Query in their policy.
One Data Center Query Object can use assets (objects) from more than one, or all, Data Centers. This results in simpler security rules.
The Query is more complex and larger than what is possible in the security rule's logic.
- OR logic inside each query rule, use ";" between items
- AND logic between query rules

With uses Data Center Query objects:

No need to update the rule when new data center(s) is added.
Rule can include complex OR and AND operations to better the policy.

Note - Rule No. 1 is without Data Center Query, Rule No 2 is with Data Center Query.

Creating Rules with Data Center Query Objects

To add Data Center Query to a rule:

You can add a Data Center Query to the Source and/or Destination columns of Access Control rules and Threat Prevention rules.

In the Rulebase, in the Source and/or Destination columns, click + and it from the list of items.

-or-

Click the + button > New > Data Center Query.

Configuring Data Center Query Objects in SmartConsole

Step 1: Create a Data Center Query Object.

Go to SmartConsole > Cloud > Data Center Queries > New.
Add the applicable Data Center(s).

Configure the Query Rules to match the value used for Type, Name, and IP in the Import Data Center window.

Type in Data Center	Type in Data Center, such as Instance, Virtual Machine, Load Balancer, Subnet, Availability Zone, and more. Note: You cannot query Tag, Tag Value, or Tag Key with Type in data center.
Name in Data Center	The asset's name
IP address	The asset's IP address
Customer tag	Free text key and value. If you have only Tags with keys without values, you can set the Tag with key only and keep the value empty and the CloudGuard Controller enforce all the assets which have this Tag key.

Note - All object IP addresses that match the query are updated on the Security Gateway.

Optional: To review the query, click Preview Query.
Click OK.

Step 2: Add the Data Center Query object from Step 1 to the Rule base.

Step 3: Install the Access Control policy on the Security Gateway object.

Check Point Management API

The Check Point Management API includes Data Center commands to add, delete, set, and show Data Center Servers and their contents, and to show, delete, and import Data Center objects.

Use the API to automate Data Center security management and monitoring.

To change the API configuration and to learn more:

See Check Point Management API Reference.