CloudGuard Controller for Proxmox Virtual Environment

The CloudGuard Controller integrates the Check Point Security Management Server with a Proxmox Virtual Environment (VE).

Authentication to the Proxmox server is done with a Proxmox API Token, not with a user password.

Important - The clock of the CloudGuard Controller server must be synchronized with the current local time. Use of an NTP server is recommended. Time synchronization issues can cause polling of information from the cloud to fail.

Prerequisites

  • Proxmox VE Version 8.3 or higher.

  • qemu-guest-agent must be installed on the Virtual Machines for the CloudGuard Controller to be able to import their IPv4/IPv6 addresses. See https://pve.proxmox.com/wiki/Qemu-guest-agent.

  • An API Token from the Proxmox server (see Connecting to the Proxmox Server below).

Connecting to the Proxmox Server

  1. In the Proxmox Virtual Environment, go to Datacenter > Permissions > Users, and create a dedicated user for the CloudGuard Controller.

  2. Create an API Token: go to Datacenter > Permissions > API Tokens, click Add, select the dedicated user from step 1, and enter a Token ID name.

  3. Click Add, then save the Token ID (<user>@<realm>!<token-name>) and the Secret.

     Important: The Secret appears only once.

  4. Grant permissions to the user: in Datacenter > Permissions, click Add > User Permission, and select the dedicated user from step 1 and the applicable role (see the note below).

  5. Grant permissions to the token: in Datacenter > Permissions, click Add > API Token Permission, and select the API Token from step 2 and the applicable role.

Note - We strongly recommend that you assign the minimum necessary permissions to the API token. Both the user and the API token require the Sys.Audit, VM.Audit and VM.Monitor privileges. With Privilege Separation enabled on the token (the default), the token can never hold more privileges than its user, which is why the grant is needed on both. You can create a dedicated role with only those privileges in Datacenter > Permissions > Roles > Create, and assign that role instead of a built-in role such as Administrator.
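The least-privilege note above describes a check that is easy to automate. The following is an added example, not Check Point's or Proxmox's code: it validates the Token ID format, builds the PVEAPIToken authorization header that the Proxmox API accepts, and audits what the dedicated user and its token actually hold on a given path against the three required privileges. It runs offline on constructed ACL and role listings; their shape mirrors GET /access/acl and GET /access/roles, and the role name CloudGuardReader, the user cloudguard@pve and the token name cgc are assumptions for the example.

```python
"""Audit a Proxmox API token for the CloudGuard Controller (added example, not vendor code).

Runs offline: the ACL and role listings below are constructed to mirror the
shape of GET /access/acl and GET /access/roles (an assumption of this example).
"""
import re

# Privileges the documentation requires on both the dedicated user and its API token.
REQUIRED_PRIVS = frozenset({"Sys.Audit", "VM.Audit", "VM.Monitor"})

# <user>@<realm>!<token-name>; none of the three parts may be empty.
_TOKEN_ID_RE = re.compile(r"^(?P<user>[^@!\s]+)@(?P<realm>[^@!\s]+)!(?P<token>[^@!\s]+)$")


def is_token_id(token_id):
    """True if the string has the <user>@<realm>!<token-name> form SmartConsole expects."""
    return _TOKEN_ID_RE.match(token_id) is not None


def parse_token_id(token_id):
    """Split a Token ID into (user, realm, token-name); raise on anything else."""
    m = _TOKEN_ID_RE.match(token_id)
    if m is None:
        raise ValueError(f"not a Proxmox Token ID: {token_id!r}")
    return m.group("user"), m.group("realm"), m.group("token")


def auth_header(token_id, secret):
    """Header Proxmox accepts for token authentication (no ticket or CSRF token needed)."""
    parse_token_id(token_id)  # fail early on a malformed id, before any request is sent
    return {"Authorization": f"PVEAPIToken={token_id}={secret}"}


def parse_roles(role_listing):
    """Map roleid -> set of privileges; privs arrive as one comma-separated string."""
    return {r["roleid"]: set(filter(None, r["privs"].split(","))) for r in role_listing}


def _acl_applies(entry, path):
    """True if an ACL entry covers `path`: same path, or a propagating ancestor."""
    acl_path = entry["path"].rstrip("/") or "/"
    target = path.rstrip("/") or "/"
    if acl_path == target:
        return True
    if not entry.get("propagate", 0):
        return False
    return acl_path == "/" or target.startswith(acl_path + "/")


def effective_privs(acl, roles, principal, path="/"):
    """Union of the privileges `principal` (user id or token id) holds on `path`."""
    privs = set()
    for entry in acl:
        if entry["ugid"] == principal and _acl_applies(entry, path):
            privs |= roles.get(entry["roleid"], set())
    return privs


def audit(acl, roles, principal, path="/"):
    """(missing, excess) privileges of one principal on `path` relative to REQUIRED_PRIVS."""
    have = effective_privs(acl, roles, principal, path)
    return REQUIRED_PRIVS - have, have - REQUIRED_PRIVS


# Constructed sample listings (role and principal names are assumptions, not captured data).
SAMPLE_ROLES = parse_roles([
    {"roleid": "CloudGuardReader", "privs": "Sys.Audit,VM.Audit,VM.Monitor"},
    {"roleid": "PVEVMAdmin", "privs": "VM.Audit,VM.Config.CPU,VM.Console,VM.PowerMgmt"},
])
SAMPLE_ACL = [
    {"path": "/", "type": "user", "ugid": "cloudguard@pve", "roleid": "CloudGuardReader", "propagate": 1},
    {"path": "/", "type": "token", "ugid": "cloudguard@pve!cgc", "roleid": "CloudGuardReader", "propagate": 1},
    # A stray grant on one VM: exactly the kind of excess the audit should flag.
    {"path": "/vms/100", "type": "token", "ugid": "cloudguard@pve!cgc", "roleid": "PVEVMAdmin", "propagate": 1},
]

if __name__ == "__main__":
    token = "cloudguard@pve!cgc"
    print(auth_header(token, "00000000-0000-0000-0000-000000000000"))
    for principal in ("cloudguard@pve", token):
        for path in ("/", "/vms/100"):
            missing, excess = audit(SAMPLE_ACL, SAMPLE_ROLES, principal, path)
            print(f"{principal} on {path}: missing={sorted(missing)} excess={sorted(excess)}")
```

On a real cluster you would feed `audit` the JSON from the two GET endpoints (sent with the header from `auth_header`) for every path the controller polls, and treat any non-empty `excess` on the token as a finding: the PVEVMAdmin grant on /vms/100 in the sample gives the controller's token power-management rights it never needs.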

Connecting to a Proxmox Data Center Server with SmartConsole

  1. In SmartConsole, create a new Data Center object in one of these ways:

     • In the top left corner, click the Objects menu > Cloud > Data Center > New Proxmox

     • In the top right corner, click the Objects Pane > New > Cloud > Data Center > Proxmox

  2. In Enter Name, enter the applicable name.

  3. In the Hostname field, enter the IP address or the URL of your Proxmox server (HTTP or HTTPS), in one of these formats, for example:

     pve.node.example

     172.0.1.2<:Port>

     Note: The port is optional and defaults to 8006. If your Proxmox server listens on port 8006, you do not need to provide the port.

  4. In the Token ID field, enter the Token ID from the Proxmox server.

     Note: The Token ID must be in the format <user>@<realm>!<token-name>

  5. In the Secret field, enter the Secret of that Token ID from the Proxmox server.

  6. Click Test Connection.

     If the certificate window opens, compare the fingerprint it shows with the fingerprint of the Proxmox node's own certificate (for example, in the node's System > Certificates view) before you click Trust. Trusting an unverified certificate lets a host that intercepts the connection receive the Token ID and Secret.

  7. When the connection status changes to Connected, click OK.

     If the status is not Connected, troubleshoot the issue before you continue.

  8. Click OK.

  9. Publish the SmartConsole session.

  10. Install the Access Control policy on the Security Gateway object.

Connecting to a Proxmox Data Center Server with Management API

Proxmox Data Center is available starting from Management API V2.1.

Go to the Management API Reference, click see arguments per Data Center Server type, and select Proxmox.

Connecting to a Proxmox Data Center Server with Terraform

Refer to checkpoint_management_proxmox_data_center_server.

Proxmox Objects and Properties

Proxmox Objects

  • Cluster - A Proxmox cluster that contains Proxmox nodes. Optional in a single-node scenario (a node that is not part of a cluster).

  • Nodes - Proxmox servers (hosts) that run the Virtual Machines.

  • VMs - Virtual Machines that run on the Proxmox nodes.

Proxmox Imported Properties

  • IP

    • Nodes - IP addresses of the Proxmox nodes.

    • VM - IP addresses of the Virtual Machine, as reported by qemu-guest-agent.

  • Tags - You can apply Tags to VMs to categorize them by function, environment (for example, development or production), or any other criteria applicable to the user. A Virtual Machine can have multiple Tags, one Tag, or no Tags at all.

Important:

  • Import of Tags is disabled by default. To enable it, set the importTags parameter in the vsec.conf file:

    proxmox.importTags=true

  • Import of IPv6 addresses is disabled by default. To enable it, set the collectIpv6 parameter in the vsec.conf file:

    proxmox.collectIpv6=true

  • For details, refer to the Configuration Parameters section.

Limitations

  • qemu-guest-agent must be installed on a VM for the CloudGuard Controller to poll its IP addresses successfully.

  • The Virtual Machine IP address is not imported if the VM is turned off, qemu-guest-agent is not installed, or the IP address is localhost (127.0.0.1, ::1 or “localhost”).

  • The hardware specifications of a Proxmox server directly influence the performance of its API daemons. CPU speed, memory capacity, and storage type affect the response times of these daemons, and so how long each polling cycle of the CloudGuard Controller takes.

  • If a Tag is renamed in Proxmox, the original Tag name continues to be shown in the Tags column for that Virtual Machine.
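To make the import rules from Proxmox Imported Properties and Limitations concrete, here is an added example that is not part of the CloudGuard Controller. It simulates those rules offline: it parses the two documented vsec.conf parameters, drops loopback addresses, gates IPv6 on proxmox.collectIpv6 and Tags on proxmox.importTags, and yields no IP address for a stopped VM or for a running VM without qemu-guest-agent. The VM listing and guest-agent payloads are constructed; their shape follows GET /cluster/resources (tags as a ';'-separated string) and GET /nodes/{node}/qemu/{vmid}/agent/network-get-interfaces, and that shape, as well as representing a missing guest agent by None and keeping Tags for a stopped VM, are assumptions of the example.

```python
"""Simulate what the CloudGuard Controller can import from Proxmox VMs (added example, not vendor code).

Runs offline on constructed payloads. Their shape follows GET /cluster/resources
(tags as a ';'-separated string) and GET /nodes/{node}/qemu/{vmid}/agent/network-get-interfaces;
that shape, and representing a missing guest agent as None, are assumptions of this example.
"""
import ipaddress

# Documented defaults for vsec.conf: both imports are off unless switched on.
DEFAULT_CONF = {"proxmox.importTags": False, "proxmox.collectIpv6": False}


def parse_vsec_conf(text):
    """Parse key=value lines such as 'proxmox.importTags=true' into a dict of booleans."""
    conf = dict(DEFAULT_CONF)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().lower() == "true"
    return conf


def importable_ips(agent_result, collect_ipv6):
    """Addresses from a network-get-interfaces result that the controller would keep."""
    keep = []
    for iface in agent_result.get("result", []):
        for entry in iface.get("ip-addresses", []):
            raw = entry.get("ip-address", "")
            if raw == "localhost":          # documented as never imported
                continue
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:              # not an address at all: nothing to import
                continue
            if ip.is_loopback:              # 127.0.0.1 and ::1
                continue
            if ip.version == 6 and not collect_ipv6:
                continue
            keep.append(str(ip))
    return keep


def vm_tags(resource, import_tags):
    """Tags of one VM from the ';'-separated string, or none when import is disabled."""
    if not import_tags:
        return []
    return [t for t in resource.get("tags", "").split(";") if t]


def import_vm(resource, agent_result, conf):
    """One VM as the controller would see it. A stopped VM, or a running VM without
    qemu-guest-agent (agent_result is None), gets no IP address; Tags still come
    from the VM listing, so this example keeps them (an assumption)."""
    record = {
        "vmid": resource["vmid"],
        "name": resource.get("name", ""),
        "tags": vm_tags(resource, conf.get("proxmox.importTags", False)),
        "ips": [],
    }
    if resource.get("status") == "running" and agent_result is not None:
        record["ips"] = importable_ips(agent_result, conf.get("proxmox.collectIpv6", False))
    return record


def import_all(resources, agent_results, conf):
    """Import every QEMU VM from a /cluster/resources listing; node entries are skipped."""
    return [import_vm(r, agent_results.get(r["vmid"]), conf)
            for r in resources if r.get("type") == "qemu"]


# Constructed sample data (not captured from a real cluster).
SAMPLE_RESOURCES = [
    {"type": "qemu", "vmid": 100, "name": "web01", "node": "pve1", "status": "running", "tags": "prod;web"},
    {"type": "qemu", "vmid": 101, "name": "db01", "node": "pve1", "status": "stopped", "tags": "prod;db"},
    {"type": "qemu", "vmid": 102, "name": "legacy", "node": "pve2", "status": "running"},
    {"type": "node", "node": "pve1", "status": "online"},
]
SAMPLE_AGENT = {
    100: {"result": [
        {"name": "lo", "ip-addresses": [
            {"ip-address": "127.0.0.1", "ip-address-type": "ipv4", "prefix": 8},
            {"ip-address": "::1", "ip-address-type": "ipv6", "prefix": 128}]},
        {"name": "eth0", "ip-addresses": [
            {"ip-address": "10.20.0.11", "ip-address-type": "ipv4", "prefix": 24},
            {"ip-address": "2001:db8:20::11", "ip-address-type": "ipv6", "prefix": 64}]},
    ]},
    102: None,   # running, but qemu-guest-agent is not installed
}

if __name__ == "__main__":
    conf = parse_vsec_conf("proxmox.importTags=true\nproxmox.collectIpv6=true\n")
    for rec in import_all(SAMPLE_RESOURCES, SAMPLE_AGENT, conf):
        print(rec)
```

The useful part for troubleshooting is the three ways a VM ends up with an empty `ips` list: it is stopped (db01), it runs without the agent (legacy), or every address the agent reports is loopback or IPv6 while proxmox.collectIpv6 is still false. A policy that matches on the Data Center object silently stops covering such a VM, so check these three conditions before suspecting the token or the connection.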