CloudGuard Controller for VMware Servers
Connecting to a VMware Server
Step | Instructions
---|---
1 | In SmartConsole, create a new Data Center object in one of these ways:
2 | In the Enter Object Name field, enter the applicable name.
3 | In the Hostname field, enter the IP address or hostname of your vCenter or NSX Manager server.
4 | In the Username field, enter your VMware administrator username.
5 | In the Password field, enter your VMware administrator password.
6 | Click Test Connection.
7 | Click OK.
8 | Publish the SmartConsole session.
9 | Install the Access Control policy on the Security Gateway object.

Note - The account does not need full administrator rights. The prerequisites below state that an Auditor (or read-only) role is sufficient for the CloudGuard Controller, so use a dedicated least-privilege account for this connection rather than a shared administrator login.
CloudGuard Controller for VMware vCenter
VMware vCenter Prerequisites
- VMware vCenter version 7.x or lower.
- You must have a VMware user with Auditor (or higher) permission to access the CloudGuard Controller. For NSX operations, at minimum read-only permissions are required.
- The CloudGuard Controller integrates the VMware vCenter Server with Check Point security.
VMware vCenter Objects and Properties
VMware vCenter Imported Objects
Object | Description
---|---
Cluster | A collection of ESXi hosts and associated Virtual Machines configured to work as a unit.
Datacenter | An aggregation of many object types required to work in a virtual infrastructure. These include hosts, Virtual Machines, networks, and datastores.
Folder | Lets you group similar objects.
Host | The physical computer on which you install ESXi. All Virtual Machines run on a host.
Resource pool | Compartmentalizes the CPU and memory resources of a host or cluster.
Virtual machine | A virtual computer environment in which a guest operating system and associated application software run.
vSphere vApp | A format for packaging and managing applications. A vSphere vApp can contain multiple Virtual Machines.
Tags | All the Virtual Machines tagged with the vCenter tag. Note - This is supported with vCenter 6.5 and above.
VMware vCenter Imported Properties
Imported Property | Description
---|---
IP | IP addresses of the Virtual Machines that belong to the imported object. You must install VMware Tools on each Virtual Machine so that vCenter can report its IP addresses.
Note | VMware vCenter object notes.
URI | Object path.
CloudGuard Controller for VMware NSX-T Management Server
The CloudGuard Controller integrates the VMware NSX-T Management Server with Check Point security.
VMware NSX-T Prerequisites
- NSX-T versions 2.5, 3.0, 3.1.x, and 3.2.1.
  Note - NSX-T 4.0.0.x and higher versions are supported in R81 with Jumbo Hotfix Accumulator Take 82 and higher.
- You must have a VMware NSX-T username with the minimum permission of Auditor (or higher) to access the CloudGuard Controller.
  Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be required for service registration (CloudGuard Gateway for NSX-T).
VMware NSX-T Imported Objects
Object | Description
---|---
Ns Group | Enables a static or dynamic grouping based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.
VMware NSX-T Imported Properties
Imported Property | Description
---|---
IP | All the Ns Group IP addresses
Note | Description value of the Ns Group
URI | Object path
VMware NSX-T Known Limitations
- Logs for rules with VMware NSX-T Ns Groups contain only the IP address. The logs do not contain the instance name.
- VMware NSX-T objects: IP Set objects with ranges or CIDR block notation are not supported. IP Set objects that represent one or more individual IP addresses are supported.
- Because of an API change on the VMware side in NSX-T Manager 3.2, creating an NSX-T 3.2 Data Center object in the Security Management fails. VMware fixed this in version 3.2.1.
- We recommend installing the official VMware Tools on each Virtual Machine so that the CloudGuard Controller can poll its IP addresses from NSX-T. Install the VMware Tools for your specific version. Alternatives for IP discovery without VMware Tools are described in the VMware NSX-T Administration Guide. Note - Each alternative has different limitations in practice.
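The IP Set limitation above is easy to miss in practice: a range or CIDR member is simply not imported, and the resulting Access Control rule silently covers fewer addresses than the NSX-T administrator expects. The following script is an added example (not Check Point or VMware code) that audits the members of an IP Set before you rely on it in a policy. It classifies each member as a single address, a CIDR block, or a range, reports the members the Controller will not import, and, for small blocks and ranges, expands them into the individual addresses you could list instead. The IP Set object, its field names and the member list are constructed for the example; they are not taken from a real NSX-T Manager.

```python
"""Pre-import audit of NSX-T IP Set members for CloudGuard Controller.

Added example (not Check Point or VMware code). It checks each member of an
IP Set against the documented limitation: only individual IP addresses are
imported; ranges and CIDR blocks are not. Members that would be skipped are
reported, and small ones are expanded into individual addresses that can be
used instead. The sample IP Set below is constructed for the example.
"""
import ipaddress


def classify_member(member: str) -> str:
    """Classify one IP Set member as 'single', 'cidr', 'range' or 'invalid'."""
    m = member.strip()
    if "-" in m:
        lo, _, hi = m.partition("-")
        try:
            lo_ip = ipaddress.ip_address(lo.strip())
            hi_ip = ipaddress.ip_address(hi.strip())
        except ValueError:
            return "invalid"
        # Mixed address families or a descending range are malformed
        if lo_ip.version != hi_ip.version or hi_ip < lo_ip:
            return "invalid"
        return "range"
    if "/" in m:
        try:
            ipaddress.ip_network(m, strict=False)
        except ValueError:
            return "invalid"
        return "cidr"  # includes /32 and /128: still CIDR notation, still not imported
    try:
        ipaddress.ip_address(m)
    except ValueError:
        return "invalid"
    return "single"


def expand_member(member: str, max_hosts: int = 256):
    """Expand a cidr/range member into individual addresses (as strings).

    Returns None when the member is invalid or would expand to more than
    max_hosts addresses; the cap keeps the replacement list manageable.
    """
    kind = classify_member(member)
    m = member.strip()
    if kind == "single":
        return [m]
    if kind == "cidr":
        net = ipaddress.ip_network(m, strict=False)
        if net.num_addresses > max_hosts:
            return None
        # An IP Set lists addresses, not a subnet, so every address in the
        # block is kept (including the network and broadcast addresses).
        return [str(a) for a in net]
    if kind == "range":
        lo, _, hi = m.partition("-")
        lo_ip = ipaddress.ip_address(lo.strip())
        hi_ip = ipaddress.ip_address(hi.strip())
        count = int(hi_ip) - int(lo_ip) + 1
        if count > max_hosts:
            return None
        return [str(lo_ip + i) for i in range(count)]
    return None


def audit_ip_set(name: str, members, max_hosts: int = 256) -> dict:
    """Report which members the Controller imports as-is and which it does not."""
    report = {"name": name, "supported": [], "unsupported": [],
              "expanded": [], "too_large": [], "invalid": []}
    for member in members:
        kind = classify_member(member)
        if kind == "single":
            report["supported"].append(member.strip())
        elif kind == "invalid":
            report["invalid"].append(member)
        else:
            report["unsupported"].append(member)
            hosts = expand_member(member, max_hosts)
            if hosts is None:
                report["too_large"].append(member)
            else:
                report["expanded"].extend(hosts)
    return report


# Constructed sample shaped like an NSX-T IP Set object; not from a real system.
SAMPLE_IP_SET = {
    "display_name": "web-tier",
    "ip_addresses": ["10.10.1.15", "10.10.2.0/30", "10.10.3.10-10.10.3.13",
                     "10.0.0.0/8", "10.10.x.1"],
}

if __name__ == "__main__":
    result = audit_ip_set(SAMPLE_IP_SET["display_name"],
                          SAMPLE_IP_SET["ip_addresses"], max_hosts=16)
    for key in ("supported", "unsupported", "expanded", "too_large", "invalid"):
        print(f"{key:12s} {result[key]}")
```

Run the audit against the IP Set members you pull from NSX-T before the Data Center object is used in a rule; anything under `unsupported` needs to be rewritten as individual addresses (the `expanded` list) or covered by a different object type, and anything under `too_large` is a block you should not try to flatten.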
CloudGuard Controller for VMware NSX-V Manager Server
- The Check Point Data Center Server connects to the VMware NSX Manager Server and retrieves object data.
- The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group.
- You must have a VMware NSX user with Auditor (or higher) permission to access the CloudGuard Controller. All NSX permission profiles allow users to see everything, but the allowed operations depend on the profile.

Important - This role is sufficient for CloudGuard Controller functionality. More permissions can be required for service registration (CloudGuard Gateway for NSX).
VMware NSX-V Objects and Properties
VMware NSX-V Imported Objects
Object | Description
---|---
Security Group | Enables a static or dynamic grouping based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.
Universal Security Group | Enables defining a Security Group across VMware NSX managers. Note - Import these objects separately for each VMware NSX manager.
VMware NSX-V Imported Properties
Imported Property | Description
---|---
IP | All the Security Group IP addresses
Note | Description value of the Security Group
URI | Object path
Threat Prevention Tagging for CloudGuard for NSX Gateway
Threat Prevention Tagging automatically assigns Security Tags to Data Center objects based on Threat Prevention analysis and group affiliation.
This enables the use of dynamic Security Groups in policy rules.
Enable Threat Prevention Tagging for the Anti-Bot and Anti-Virus services on the CloudGuard for NSX Gateway.
When a threat from an infected Virtual Machine reaches the Security Gateway and is denied, the Virtual Machine is tagged as infected in the NSX Manager.
Activating Threat Prevention Tagging
Step | Instructions
---|---
1 | Connect to the command line on the CloudGuard for NSX Gateway.
2 | Log in to Gaia Clish or Expert mode.
3 | Enable the tagging with this command:
4 | Select Activate Cluster. CloudGuard for NSX Clusters with active Anti-Bot and/or Anti-Virus Software Blades are listed.
5 | Select the Cluster. This line must appear: Cluster activated successfully
When it is activated, the Cluster automatically tags infected Virtual Machines in the NSX Manager Server.
These are the Security Tags:
- Default Anti-Bot Security Tag: Check_Point.BotFound
- Default Anti-Virus Security Tag: Check_Point.VirusFound
The Security Tags are created automatically in the NSX Management Server when the Cluster is activated.
When Security Tags are configured, you can create policy rules based on the Security Groups that contain those tags.
Tagging Advanced Options
Use advanced menu options to configure the tags:
Option | Description
---|---
Show Activated gateways | Lists the activated Clusters and the status of each CloudGuard for NSX Gateway.
Modify Anti-Bot Security Tag | Enables or disables tagging for the Anti-Bot Software Blade and changes its Security Tag.
Modify Anti-Virus Security Tag | Enables or disables tagging for the Anti-Virus Software Blade and changes its Security Tag.
Modify White List | IP addresses listed in the White List are not tagged. Separate entries with spaces. Ranges are not accepted.
Create New Security Tag | Creates a new Security Tag in the NSX Manager Server.
Update Data | When you add a new ESXi host to a Cluster, the CloudGuard for NSX Gateway automatically updates the Threat Prevention Tagging data within 15 minutes. Select this option to update the data manually on the new CloudGuard for NSX Gateway.
Tagging Logs
In SmartConsole, in the Logs & Monitor view, see CloudGuard Tagging in the Blade column.
A list of messages and their descriptions: