CloudGuard Controller for VMware Servers

Connecting to a VMware Server

Step

Instructions

1

In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., create a new Data CenterClosed Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores. They are collected in a group for secured remote storage, management, and distribution of data. object in one of these ways:

  • In the top left corner, click Objects menu > More object types > Server > Data Center > New VMware vCenter, or New VMware NSX-V, or the new VMware NSX-T.

  • In the top right corner, click Objects Pane > New > More > Server > Data Center > VMware vCenter, or VMware NSX-V, or VMware NSX-T.

2

In the Enter Object Name field, enter the applicable name.

3

In the Hostname field, enter the IP address or hostname of your vCenter or NSX Manager server.

4

In the Username field, enter your VMware administrator username.

5

In the Password field, enter your VMware administrator password.

6

Click Test Connection.

7

Click OK.

8

Publish the SmartConsole session.

9

Install the Access Control policy on the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.

CloudGuard Controller for VMware vCenter

VMware vCenter Prerequisites

VMware vCenter Objects and Properties

VMware vCenter Imported Objects

Object

Description

Cluster

A collection of ESXi hosts and associated Virtual Machines configured to work as a unit.

Datacenter

An aggregation of many object types required to work in a virtual infrastructure.

These include hosts, Virtual Machines, networks, and datastores.

Folder

Lets you group similar objects.

Host

The physical computer where you install ESXi. All Virtual Machines run on a host.

Resource pool

Compartmentalizes the host or clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. CPU and memory resources.

Virtual machine

A virtual computer environment where a guest operating system and associated application software runs.

vSphere vApp

A packaging and managing application format. A vSphere vApp can contain multiple Virtual Machines.

Tags

All the Virtual Machines tagged with the vCenter tag.

Note - This is supported with vCenter 6.5 and above.

VMware vCenter Imported Properties

Imported Property

Description

IP

IP address or Hostname of vCenter Server.

You must install VMware Tools on each Virtual Machine to retrieve the IP addresses for each computer.

Note

VMware vCenter object notes.

URI

Object path.

CloudGuard Controller for VMware NSX-T Management Server

The CloudGuard Controller integrates the VMware NSX-T Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. with Check Point security.

VMware NSX-T Prerequisites

  • NSX-T version 2.5 or 3.0/3.1.x/3.2.1.

    Note - NSX-T 4.0.0.x and higher versions are supported in R81 with Jumbo HFA Take 82 and higher versions.

  • You must have a VMware NSX-T username with the minimal permission of an Auditor (or higher) to access the CloudGuard Controller.

    Note - This role is sufficient for CloudGuard Controller functionality. More permissions may be required for service registration (CloudGuard Gateway for NSX-T).

VMware NSX-T Imported Objects

Object

Description

Ns Group

Enables a static or dynamic grouping based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.

VMware NSX-T Imported Properties

Imported Property

Description

IP

All the Ns Group IP addresses

Note

Description value of a Ns Group

URI

Object path

VMware NSX-T Known Limitations

  • Logs for rules with VMware NSX-T Ns Groups will contain only the IP address. The logs will not contain the instance name.

  • VMware NSX-T object - No support for IP Set objects with ranges or CIDR block notations. There is support for IP Set Objects representing one or more individual IP address (or addresses).

  • Because of an API change on VMware side in NSX-T Manager 3.2, the creation of NSX-T 3.2 Data Center in the Security Management fails. VMware made a fix in version 3.2.1.

  • It is recommended to install official VMware Tools on a Virtual Machine in order for the VMware NSX-T Controller to successfully pool IP addresses. Install the VMware Tools for your specific version. Alternatives for IP discovery without VMware Tools can be found in the VMware NSX-T Administration Guide.

    Note - Each have different limitations in practice.

CloudGuard Controller for VMware NSX-V Manager Server

  • The Check Point Data Center Server connects to the VMware NSX Manager Server and retrieves object data.

  • The CloudGuard Controller updates IP addresses and other object properties in the Data Center Objects group.

  • You must have a VMware NSX user with permission of an Auditor (or higher) to access the CloudGuard Controller.

    All NSX permissions allow users to see everything, but allowed operations depend on the NSX permission profile.

Important - This role is sufficient for CloudGuard Controller functionality. More permissions can be required for service registration (CloudGuard Gateway for NSX).

VMware NSX-V Objects and Properties

VMware NSX-V Imported Objects

Object

Description

Security Group

Enables a static or dynamic grouping, based on objects such as Virtual Machines, vNICs, vSphere clusters, logical switches, and so on.

Universal Security Group

Enables defining a Security Group across VMware NSX managers.

Note - Import these objects separately for each VMware NSX manager.

VMware NSX-V Imported Properties

Imported Property

Description

IP

All the Security Group IP addresses

Note

Description value of a Security Group

URI

Object path

Threat Prevention Tagging for CloudGuard for NSX Gateway

Threat Prevention Tagging automatically assigns Security Tags to Data Center objects based on Threat Prevention analysis and group affiliation.

This enables the use of dynamic Security Groups in policy rules.

Enable Threat Prevention Tagging for Anti-BotClosed Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. and Anti-VirusClosed Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. services to the CloudGuard for NSX Gateway.

When a threat from an infected Virtual Machine reaches the Security Gateway and is denied entry, it is tagged as an infected Virtual Machine in the NSX Manager.

Activating Threat Prevention Tagging

Step

Instructions

1

Connect to the command line on the CloudGuard for NSX Gateway.

2

Log in to Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., or Expert mode.

3

Enable the tagging with this command:

tagger_cli

4

Select Activate Cluster.

CloudGuard for NSX Clusters with active Anti-Bot and/or Anti-VirusSoftware Blades appear on them.

5

Select the Cluster.

This line must appear:

Cluster activated successfully

When it is activated, the Cluster automatically tags infected Virtual Machines in the NSX Manager Server.

These are the Security Tags:

  • Default Anti-Bot Security Tag: Check_Point.BotFound

  • Default Anti-Virus Security Tag: Check_Point.VirusFound

The Security Tags are created automatically in the NSX Management Server when the Cluster is activated.

When Security Tags are configured, you can create policy rules based on the Security Groups that contain those tags.

Tagging Advanced Options

Use advanced menu options to configure the tags:

Option

Description

Show Activated gateways

Lists the activated Clusters and the status of each CloudGuard for NSX Gateway.

Modify Anti-Bot Security Tag

Enables or disables the tagging for the Anti-Bot Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. and change the Security Tag.

Modify Anti-Virus Security Tag

Enables or disables the tagging for the Anti-Virus Software Blade and change the Security Tag.

Modify White List

IP Addresses listed in the White List are not tagged.

Separate with spaces. Ranges are not accepted.

Create New Security Tag

Creates a new Security Tag in the NSX Manager Server.

Update Data

When you add a new ESX to a Cluster, CloudGuard for NSX Gateway automatically updates the Threat Prevention Tagging data within 15 minutes.

Select this option to update the data manually on the new CloudGuard for NSX Gateway.

Tagging Logs

In SmartConsole, in the Logs & Monitor view, see CloudGuard Tagging in the Blade column.

A list of messages and their descriptions:

Message

Description

The Virtual Machine <VM ID> was tagged successfully with Security Tag '<Tag Name>' in NSX <NSX IP Address>

Threat Prevention tagging successfully tagged a Virtual Machine due to malicious traffic.

The IP address <VM IP Address> appears twice in the ESX <ESX IP Address>. The infected Virtual Machine was not tagged

An IP address appears twice in the ESX. Tagging this prevents false positive tagging of Virtual Machines with duplicate IP addresses in the ESX.

Failed to get data from the Data Center <Data Center IP Address>

Failed to get a Data Center object from the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. API.
Make sure that there is a trusted connection for CloudGuard Controller.

Threat Prevention Tag is ignored because the VM IP '<VM IP Address>' is on the White List

Virtual Machine IP address is on the Whitelist and the Threat Prevention tag is ignored.

Limitations

  • Logs for rules with VMware NSX-T Ns Groups contain only the IP address. The logs do not contain the instance name.

  • VMware NSX-T object - No support for IP Set objects with ranges or CIDR block notations. There is support for IP Set Objects representing one or more individual IP address (or addresses).

  • We recommend to install official VMware Tools on a Virtual Machine for the VMware NSX-T Controller to successfully pool IP addresses.

    Install the VMware Tools for your specific version.

    Alternatives for IP discovery without VMware Tools can be found in the VMware NSX-T Administration Guide.

    Note - Each have different limitations in practice.