CloudGuard Controller for VMware Servers

Connecting to a VMware Server

Step	Instructions
1	In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., create a new Data Center Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores. They are collected in a group for secured remote storage, management, and distribution of data. object in one of these ways: In the top left corner, click Objects menu > More object types > Server > Data Center > New VMware vCenter, or New VMware NSX-V, or the new VMware NSX-T. In the top right corner, click Objects Pane > New > More > Server > Data Center > VMware vCenter, or VMware NSX-V, or VMware NSX-T.
2	In the Enter Object Name field, enter the applicable name.
3	In the Hostname field, enter the IP address or hostname of your vCenter or NSX Manager server.
4	In the Username field, enter your VMware administrator username.
5	In the Password field, enter your VMware administrator password.
6	Click Test Connection.
7	Click OK.
8	Publish the SmartConsole session.
9	Install the Access Control policy on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.

CloudGuard Controller for VMware vCenter

VMware vCenter Prerequisites

VMware vCenter version 7.x or lower.
You must have a VMware NSX-V user with Auditor (or higher) permission to access the CloudGuard Controller Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security..

For NSX operations, it is necessary to have at minimum read-only permissions.
The CloudGuard Controller integrates the VMware NSX Manager Server with Check Point security.

VMware vCenter Objects and Properties

VMware vCenter Imported Objects

Object	Description
Cluster	A collection of ESXi hosts and associated Virtual Machines configured to work as a unit.
Datacenter	An aggregation of many object types required to work in a virtual infrastructure. These include hosts, Virtual Machines, networks, and datastores.
Folder	Lets you group similar objects.
Host	The physical computer where you install ESXi. All Virtual Machines run on a host.
Resource pool	Compartmentalizes the host or cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. CPU and memory resources.
Virtual machine	A virtual computer environment where a guest operating system and associated application software runs.
vSphere vApp	A packaging and managing application format. A vSphere vApp can contain multiple Virtual Machines.
Tags	All the Virtual Machines tagged with the vCenter tag. Note - This is supported with vCenter 6.5 and above.

VMware vCenter Imported Properties

Imported Property	Description
IP	IP address or Hostname of vCenter Server. You must install VMware Tools on each Virtual Machine to retrieve the IP addresses for each computer.
Note	VMware vCenter object notes.
URI	Object path.

Imported Property

Description

IP address or Hostname of vCenter Server.

You must install VMware Tools on each Virtual Machine to retrieve the IP addresses for each computer.

Note

VMware vCenter object notes.

URI

Object path.

CloudGuard Controller for VMware NSX-T Management Server

The CloudGuard Controller integrates the VMware NSX-T Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. with Check Point security.

VMware NSX-T Prerequisites

NSX-T version 2.5 or 3.0/3.1.x/3.2.1.

Note - NSX-T 4.0.0.x and higher versions are supported in R81 with Jumbo HFA Take 82 and higher versions.

You must have a VMware NSX-T username with the minimal permission of an Auditor (or higher) to access the CloudGuard Controller.

Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be required for service registration (CloudGuard Gateway for NSX-T).

VMware NSX-T Imported Objects

Object	Description
Ns Group	Enables a static or dynamic grouping based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.

VMware NSX-T Imported Properties

Imported Property	Description
IP	All the Ns Group IP addresses
Note	Description value of a Ns Group
URI	Object path

VMware NSX-T Known Limitations

Logs for rules with VMware NSX-T Ns Groups will contain only the IP address. The logs will not contain the instance name.
VMware NSX-T object - No support for IP Set objects with ranges or CIDR block notations. There is support for IP Set Objects representing one or more individual IP address (or addresses).
Because of an API change on VMware side in NSX-T Manager 3.2, the creation of NSX-T 3.2 Data Center in the Security Management fails. VMware made a fix in version 3.2.1.

It is recommended to install official VMware Tools on a Virtual Machine in order for the VMware NSX-T Controller to successfully pool IP addresses. Install the VMware Tools for your specific version. Alternatives for IP discovery without VMware Tools can be found in the VMware NSX-T Administration Guide.

Note - Each have different limitations in practice.

CloudGuard Controller for VMware NSX-V Manager Server

The Check Point Data Center Server connects to the VMware NSX Manager Server and retrieves object data.
The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group.
You must have a VMware NSX user with permission of an Auditor (or higher) to access the CloudGuard Controller.

All NSX permissions allow users to see everything, but allowed operations depend on the NSX permission profile.

Important - This role is sufficient for CloudGuard Controller functionality. More permissions can be required for service registration (CloudGuard Gateway for NSX).

VMware NSX-V Objects and Properties

VMware NSX-V Imported Objects

Object	Description
Security Group	Enables a static or dynamic grouping, based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.
Universal Security Group	Enables defining a Security Group across VMware NSX managers. Note - Import these objects separately for each VMware NSX manager.

Object

Description

Security Group

Enables a static or dynamic grouping, based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.

Universal Security Group

Enables defining a Security Group across VMware NSX managers.

Note - Import these objects separately for each VMware NSX manager.

VMware NSX-V Imported Properties

Imported Property	Description
IP	All the Security Group IP addresses
Note	Description value of a Security Group
URI	Object path

Threat Prevention Tagging for CloudGuard for NSX Gateway

Threat Prevention Tagging automatically assigns Security Tags to Data Center objects based on Threat Prevention analysis and group affiliation.

This enables the use of dynamic Security Groups in policy rules.

Enable Threat Prevention Tagging for Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. and Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. services to the CloudGuard for NSX Gateway.

When a threat from an infected Virtual Machine reaches the Security Gateway and is denied entry, it is tagged as an infected Virtual Machine in the NSX Manager.

Activating Threat Prevention Tagging

Step

Instructions

Connect to the command line on the CloudGuard for NSX Gateway.

Log in to Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., or Expert mode.

Enable the tagging with this command:

tagger_cli

Select Activate Cluster.

CloudGuard for NSX Clusters with active Anti-Bot and/or Anti-VirusSoftware Blades appear on them.

Select the Cluster.

This line must appear:

Cluster activated successfully

When it is activated, the Cluster automatically tags infected Virtual Machines in the NSX Manager Server.

These are the Security Tags:

Default Anti-Bot Security Tag: Check_Point.BotFound
Default Anti-Virus Security Tag: Check_Point.VirusFound

The Security Tags are created automatically in the NSX Management Server when the Cluster is activated.

When Security Tags are configured, you can create policy rules based on the Security Groups that contain those tags.

Tagging Advanced Options

Use advanced menu options to configure the tags:

Option	Description
Show Activated gateways	Lists the activated Clusters and the status of each CloudGuard for NSX Gateway.
Modify Anti-Bot Security Tag	Enables or disables the tagging for the Anti-Bot Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. and change the Security Tag.
Modify Anti-Virus Security Tag	Enables or disables the tagging for the Anti-Virus Software Blade and change the Security Tag.
Modify White List	IP Addresses listed in the White List are not tagged. Separate with spaces. Ranges are not accepted.
Create New Security Tag	Creates a new Security Tag in the NSX Manager Server.
Update Data	When you add a new ESX to a Cluster, CloudGuard for NSX Gateway automatically updates the Threat Prevention Tagging data within 15 minutes. Select this option to update the data manually on the new CloudGuard for NSX Gateway.

Tagging Logs

In SmartConsole, in the Logs & Monitor view, see CloudGuard Tagging in the Blade column.

A list of messages and their descriptions:

Message	Description
The Virtual Machine `<VM ID>` was tagged successfully with Security Tag `'<Tag Name>'` in NSX `<NSX IP Address>`	Threat Prevention tagging successfully tagged a Virtual Machine due to malicious traffic.
The IP address `<VM IP Address>` appears twice in the ESX `<ESX IP Address>`. The infected Virtual Machine was not tagged	An IP address appears twice in the ESX. Tagging this prevents false positive tagging of Virtual Machines with duplicate IP addresses in the ESX.
Failed to get data from the Data Center `<Data Center IP Address>`	Failed to get a Data Center object from the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. API. Make sure that there is a trusted connection for CloudGuard Controller.
Threat Prevention Tag is ignored because the VM IP '`<VM IP Address>`' is on the White List	Virtual Machine IP address is on the Whitelist and the Threat Prevention tag is ignored.

Limitations

Logs for rules with VMware NSX-T Ns Groups contain only the IP address. The logs do not contain the instance name.
VMware NSX-T object - No support for IP Set objects with ranges or CIDR block notations. There is support for IP Set Objects representing one or more individual IP address (or addresses).
We recommend to install official VMware Tools on a Virtual Machine for the VMware NSX-T Controller to successfully pool IP addresses.

Install the VMware Tools for your specific version.

Alternatives for IP discovery without VMware Tools can be found in the VMware NSX-T Administration Guide.

Note - Each have different limitations in practice.