Self-Managed Security Gateways

Introduction

R82 introduced a new Dynamic Layer in the Access Control policy to assist customers with highly automated network ‎environments.

This Policy LayerClosed Layer (set of rules) in a Security Policy. serves as a container for rules created directly on the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. using the GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. API call "set-dynamic-content", catering to environments where provisioning, configuration, and other IT processes are regularly managed through the distribution of JSON files.

Workflow:

  1. On the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server., in the Access Control, you create a new Policy Layer and configure it as a Dynamic Layer.

  2. On the Security Gateway, you configure the required Access Control rules in this Dynamic Layer with the Gaia API call "set-dynamic-content" (in the JSON format).

The Dynamic Layer works only as a container for rules that you configure on the Security Gateway. After you run the Gaia API command on the Security Gateway, it ignores all rules in this Dynamic Layer that were configured in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.. If permanent rules are needed (for example, to allow access from a remote API client), you must configure them in the main policy on the Management Server and not in Dynamic Layers.

For additional information, refer to sk182252.

Requirements

  1. Management Server R82 and higher:

  2. Security Gateway R82 and higher:

  3. On the Security Gateway, the user that runs the Gaia API must have this configuration in Gaia OS:

    1. Role: adminRole.

    2. Access Mechanism: Gaia API.

    3. Shell: /bin/cli.sh or /bin/bash

    See the Gaia Administration Guide for your version > User Management chapter> Users and Roles sections.

Limitations

Notes

Configuration

  1. Connect with SmartConsole to the Security Management Server / Domain Management Server.

  2. Add a new Policy Layer and configure it as a Dynamic Layer.

    Notes:

    • You can configure a new Policy Layer directly in a specific policy, or as a shared Policy Layer for several policies.

    • You can configure an Inline Layer (within a specific rule), or an Ordered Layer (a separate set of rules in a dedicated Policy Layer).

      See Ordered Layers and Inline Layers.

    • You can add a new Policy Layer and configure it as a Dynamic Layer either in SmartConsole (described below) or with the Management API call "add-access-layer dynamic-layer true" (see Check Point Management API Reference v1.8 and higher).‎

    Procedure in SmartConsole:

    1. In the top left corner, click Menu > Manage policies and layers.

    2. In the left panel, click Policies.

    3. Right-click the applicable Policy Package and click Edit.

    4. In the Access Control section, click the + icon.

    5. In the top right corner, click New Layer.

    6. Enter the name for this Policy Layer.

    7. On the General page:

      In the Blades section, select the supported blades:

      1. Mandatory: Firewall

      2. Optional: Application & URL Filtering

    8. On the Advanced page:

      1. In the Implicit Cleanup Action section, select the option Drop (default).

        This Drop rules makes sure to drop all traffic that matches this Ordered Layer until you run the Gaia API call "set-dynamic-content" on the Security Gateway.

        You can change it later in SmartConsole.

      2. In the Dynamic Layer section, select Set as a Dynamic Layer.

    9. On the Permissions page, select the permission profiles that can edit the Dynamic Layer. This is essential when multiple Dynamic Layers are used, each configured by different users. Only the profiles shown here can edit the Layer. To add additional profiles that can edit the Layer, go to the bottom of the Permissions page.

      To create a new permission profile, in SmartConsole, go to the Manage & Settings view > Permissions & AdministratorsPermission Profiles. In the profile editor, go to Access Control > Policy, and make sure Edit layers by the selected profile in a layer editor is selected.

    10. Click OK to close the Layer Editor window.

    11. In the policy, to the right of the Access Control section, you now see the Layer called Network (default name) and the new Dynamic Layer.

      Important - You can change the order of these Policy Layers.

    12. Click OK to close the Policy window.

    1. From the left navigation panel, click Security PoliciesClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection..

    2. If you need to open a different Security Policy:

      1. At the top, click the [+] tab.

      2. Click the required policy.

    3. In the Access Control section, click Policy.

    4. Locate the applicable rule.

    5. In the rule, click in the Action cell > click Inline Layer > click New Layer.

    6. Enter the name for this Policy Layer.

    7. On the General page, in the Blades section, select the supported blades:

      • Mandatory: Firewall

      • Optional: Application & URL Filtering

      • Optional: In the Sharing section, select Multiple policies and rules can use this layer.

    8. On the Advanced page:

      1. In the Implicit Cleanup Action section, select the option Accept.

        This makes sure to accept traffic that matches this Inline Layer until you run the Gaia API call "set-dynamic-content" on the Security Gateway.

        You can change it later in SmartConsole.

      2. In the Dynamic Layer section, select Set as a Dynamic Layer.

    9. On the Permissions page, select the permission profiles that can edit the Dynamic Layer. This is essential when multiple Dynamic Layers are used, each configured by different users. Only the profiles shown here can edit the Layer. To add additional profiles that can edit the Layer, go to the bottom of the Permissions page.

      To create a new permission profile, in SmartConsole, go to the Manage & Settings view > Permissions & AdministratorsPermission Profiles. In the profile editor, go to Access Control > Policy, and make sure Edit layers by the selected profile in a layer editor is selected.

    10. Click OK to close the Layer Editor window.

    11. In the rule, you now see the new Inline Layer.

    1. In the top left corner, click Menu > Manage policies and layers.

    2. In the left panel, click Layers > Access Control.

    3. From the top tool bar, click New.

    4. Enter the name for this Policy Layer.

    5. On the General page, in the Blades section, select the supported blades:

      • Mandatory: Firewall

      • Optional: Application & URL Filtering

      • Optional: In the Sharing section, select Multiple policies and rules can use this layer.

    6. On the Advanced page:

      1. In the Implicit Cleanup Action section, select the option Drop.

        This Drop rules makes sure to drop all traffic that matches this Ordered Layer until you run the Gaia API call "set-dynamic-content" on the Security Gateway.

        You can change it later in SmartConsole.

      2. In the Dynamic Layer section, select Set as a Dynamic Layer.

    7. On the Permissions page, select the permission profiles that can edit the Dynamic Layer. This is essential when multiple Dynamic Layers are used, each configured by different users. Only the profiles shown here can edit the Layer. To add additional profiles that can edit the Layer, go to the bottom of the Permissions page.

      To create a new permission profile, in SmartConsole, go to the Manage & Settings view > Permissions & AdministratorsPermission Profiles. In the profile editor, go to Access Control > Policy, and make sure Edit layers by the selected profile in a layer editor is selected.

    8. Click OK to close the Layer Editor window.

    9. In the left panel, click Policies.

    10. Right-click the applicable Policy Package and click Edit.

    11. In the Access Control section, click the + icon.

    12. Click the new Dynamic Layer.

    13. In the policy, to the right of the Access Control section, you now see the Layer called Network (default name) and the new Dynamic Layer.

      Important - You can change the order of these Policy Layers.

    14. Click OK to close the Policy window.

    15. Click Close to close the Manage policies and layers window.

  3. If you run Gaia API calls on the Security Gateway from a remote API client (and not locally on the Security Gateway), make sure your Access Control policy allows such connection to the Security Gateway.

    Best Practice - To avoid losing connectivity loss for the API client, add the applicable rule only in a static Policy Layer (that is not configured as a Dynamic Layer).

  4. Install this Access Control Policy on the Security Gateway / Cluster object.

  5. Run the Gaia API call "set-dynamic-content" on the Security Gateway / each Cluster MemberClosed Security Gateway that is part of a cluster. / Security Group to configure the required dynamic Access Control rules.

    Warning - Pay close attention to the rules you configure on the Security Gateway.

    There is no verification of possible conflicts between the rules configured on the Security Gateway and the rules configured in SmartConsole.

    Notes:

    • Refer to the online Check Point Gaia API Reference (v1.8 and higher) > section System > sub-section Dynamic Content.

      To see the local Gaia API Reference, go to this URL on a Management Server or Security Gateway (R82 or higher):

      https://<IP Address of Gaia Management Interface>/gaia_docs/#web/set-dynamic-content

      At the top of the Gaia API Reference, click the Web Services tab.

    • Because you run Gaia API calls from a remote API client, make sure your Access Control policy allows such connection to the Security Gateway.

      Best Practice - To avoid losing connectivity loss for the API client, add the applicable rule only in a static Policy Layer (that is not configured as a Dynamic Layer).

    1. Install the Postman application.

    2. Get the Gaia REST API collection from sk143612.

    3. Import the Gaia REST API collection into the Postman application (first, you must create a Postman account). Refer to the Postman documentation about the import methods.

    4. Configure the required API variables:

      1. In the left panel, in the Gaia REST API collection, click the top folder Gaia API.

      2. Add these variables:

        Variable Name

        Variable Value

        Comment

        username

        Username of the applicable user in the Gaia OS on the Security Gateway.

        The default user is admin.

        You can create other users (see the Requirements section).

        password

        Password of the applicable user in the Gaia OS on the Security Gateway.

        You configure this password.

        ip

        IP Address of the Gaia Management InterfaceClosed (1) Interface on a Gaia Security Gateway or Cluster member, through which Management Server connects to the Security Gateway or Cluster member. (2) Interface on Gaia computer, through which users connect to Gaia Portal or CLI. on the Security Gateway / each Cluster Member / Security Group.

        This is the IP address on the Security Gateway / each Cluster Member / Security Group, to which the API client connects.

        sid

        Initially, empty.

        Use this variable to contain the required SID after running the Gaia API call "login".

    5. Get the Login Session ID (SID):

      1. In the left pane, open the folder Session Management.

      2. Click the API call "login".

      3. In the top right corner, click Send.

      4. In the bottom panel, copy the value of the parameter "sid".

    6. Configure the SID variable:

      1. In the left panel, click the top folder Gaia API.

      2. In the sid variable, enter the copied value in the column Current Value.

      3. In the top right corner, click Save.

    7. Run the API call "set-dynamic-content" on the Security Gateway / each Cluster Member / Scalable Platform Security Group:

      1. In the left panel, click the API "set-dynamic-content".

      2. At the top, click the Body tab.

      3. Configure the required parameters and values in the JSON format.

      4. In the top right corner, click Send.

      5. In the bottom panel, copy the entire response with a Task ID.

      6. In the left panel, open the Misc folder, and click the API call "show task".

      7. At the top, click the Body tab and click the raw option.

      8. Paste the entire response with the Task ID.

      9. In the top right corner, click Send.

      10. In the bottom panel, see the API response for the API call "set-dynamic-content".

  6. Optional: Examine the configured dynamic Access Control rules.

    • To see the configured dynamic Access Control rules in a specific Dynamic Layer, run the Gaia API call "show-dynamic-layer" on the Security Gateway / each Cluster Member / Security Group.

    • To see the configured dynamic Access Control rules in all configured Dynamic Layers, run the Gaia API call "show-dynamic-layers" on the Security Gateway / each Cluster Member / Security Group.

Resetting a Dynamic Layer

To remove all dynamic rules, you must reset the Dynamic Layer that contains these rules on the Security Gateway.‎

Run the Gaia API call "set-dynamic-content" on the Security Gateway and use "operation": "reset".

Syntax part for a remote REST API client

‎"access-layers-content": [‎
‎  {‎
‎    "name": "<Name_of_Dynamic_Layer>",‎
‎    "operation": "reset",‎
‎    "rulebase": []‎
‎  }‎
‎]‎