Workflow for Deploying a CloudGuard Controller

CloudGuard Controller is a process that runs on the Check Point Security Management Server.

Important:

  1. When you install an R81 CloudGuard Controller, these files are overwritten with default values:

    • $MDS_FWDIR/conf/vsec.conf

    • $MDS_FWDIR/conf/tagger_db.C

    • $MDS_FWDIR/conf/AWS_regions.conf

  2. Before you start the upgrade, back up all files that you have changed.
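A script for this backup step, added here as an example and not part of Check Point's documentation or product: it copies the three files named above from $MDS_FWDIR before the upgrade and, once the R81 CloudGuard Controller is installed, reports which of them the install reset so the saved customizations can be re-applied. The script name, the backup directory and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example (not Check Point's own tooling): back up the CloudGuard Controller
# configuration files that the R81 install overwrites, then report which of them
# changed after the upgrade so customizations can be re-applied from the backup.
set -eu

# The three files the page names as overwritten, relative to $MDS_FWDIR.
CGC_FILES="conf/vsec.conf conf/tagger_db.C conf/AWS_regions.conf"

# backup_cgc_conf <fwdir> <backup_dir>
# Copies every listed file that exists under <fwdir> into <backup_dir>, keeping
# the relative path and timestamps. Prints the number of files copied.
backup_cgc_conf() {
    fwdir=$1
    dest=$2
    count=0
    for f in $CGC_FILES; do
        if [ -f "$fwdir/$f" ]; then
            mkdir -p "$dest/$(dirname "$f")"
            cp -p "$fwdir/$f" "$dest/$f"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# changed_since_backup <fwdir> <backup_dir>
# Prints one line per backed-up file whose live copy now differs from the backup
# (or no longer exists); an empty result means the install reset nothing you changed.
changed_since_backup() {
    fwdir=$1
    src=$2
    for f in $CGC_FILES; do
        if [ -f "$src/$f" ]; then
            if [ ! -f "$fwdir/$f" ] || ! cmp -s "$src/$f" "$fwdir/$f"; then
                echo "$f"
            fi
        fi
    done
}

# Command-line use on a Management Server (assumes $MDS_FWDIR is set, as it is
# in a Check Point shell environment; the script name and directory are assumed):
#   sh cgc_conf_backup.sh backup /var/tmp/cgc-backup-before-r81
#   sh cgc_conf_backup.sh check  /var/tmp/cgc-backup-before-r81
case "${1:-}" in
    backup) backup_cgc_conf "${MDS_FWDIR:?MDS_FWDIR is not set}" "$2" ;;
    check)  changed_since_backup "${MDS_FWDIR:?MDS_FWDIR is not set}" "$2" ;;
    "")     ;;   # sourced or run without arguments: define the functions only
    *)      echo "usage: $0 backup|check <backup_dir>" >&2; exit 2 ;;
esac
```

Run the backup form before starting the upgrade and the check form after it; every file the check lists should be compared against its copy in the backup directory and your changes merged back by hand, since the install writes default values rather than merging.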

Note - During the upgrade, CloudGuard Controller does not communicate with the Data Center. Therefore, Data Center objects are not updated on the CloudGuard Controller or the Security Gateways.

Supported Security Gateways

R81 CloudGuard Controller can manage these Security Gateways:

Important - To use the CloudGuard Controller with R77.20 and R77.30 Security Gateways (with the R77.30 Jumbo Hotfix Accumulator below Take 309), you must install the CloudGuard Controller / vSEC Controller Enforcer Hotfix (see sk129152) on those R77.20 and R77.30 Security Gateways.

Note - Support for Data Center Query Objects is from R80.10 and above.

Activating the Identity Awareness Software Blade

1. Connect with SmartConsole to the Management Server.

2. From the left navigation panel, click Gateways & Servers.

3. Create a new Host object with these settings:

  • Name: LocalHost

  • IPv4 address: 127.0.0.1

4. Open the applicable Security Gateway / Cluster object.

5. From the left tree, click the General Properties page.

6. On the Network Security tab, select the Identity Awareness Software Blade:

  1. The Identity Awareness Configuration wizard opens.

  2. In the Methods for Acquiring Identity window, clear the AD Query option, if you do not use it.

  3. Click Cancel.

7. From the left tree, click the Identity Awareness page.

8. Select Identity Web API and click Settings.

9. Configure the Identity Web API settings:

  1. In the section Authorized Clients, click [+] and select the Host object you created earlier (LocalHost).

  2. In the Selected Client Secret field, enter your secret word, or generate a random secret.

  3. Click OK.

  Note - If you add more than one authorized client host, the host that represents 127.0.0.1 must be the first item in the Authorized Clients list of the Identity Web API.

10. Click OK.

11. Install the Access Control Policy.