topic Re: GWLB Question in Cloud Firewall

GWLB Question

biskit — Thu, 27 May 2021 12:09:13 GMT

This is the very first dip in the water I've had with configuring CloudGuard, so I realise my question will sound novice and stupid to those who already know, but I'm really struggling to grasp setting up a GWLB CloudGuard in AWS. I can't seem to find any admin guides or documentation that cover my questions below.

Firstly - I've watched Shay's "Deep Dive" webinar, but I'm still confused.

I've run through the GWLB TGW CloudFormation template (actually an AWS partner did this bit).

I've installed CME to the management server (on-prem).

I've run the "autoprov_cfg" command with the relevant parameters.

Two AWS gateways magically appeared in SmartConsole, so I'm guessing that bit worked OK. SIC is communicating with both. WEB API automatically installs the policy every 3-4 minutes, which after the first install, promptly blocked my SSH to the gateways.

On advice from my local SE, I've opened the __monitor__-restrictive-policy and changed that Any Any rule from Drop, to Allow & log. Now I can SSH to them again.

WEB API says it's installing the proper policy name, but when I SSH to the CloudGuards and run #fw stat, it shows they have __monitor__-restrictive-policy installed. Not the proper policy name.

So, I'm confused.

I've added the Data Center in SmartConsole, which connects fine. When I click + on a rule I can open the Data Center object and browse it all... So I think that's working fine too.

My novice questions are:

1) Why is it still pushing the __monitor__-restrictive-policy policy? Why isn't it installing the main/proper policy that it says it is, and that I specified in the autoprov_cfg command?

2) How do I configure my security rules for these gateways? I get that I need to use the Data Center tagged objects in my rules, but how do the gateways get the policy? Firstly as it's still pushing the __monitor__-restrictive-policy policy instead of the proper policy, and secondly as I can't add the gateways to the "Install On" column. Or to be more accurate I can add the current two gateways, but when the ASG grows - the new gateways won't be automatically included in "Install On", so that can't be the way to do it?

3) At the moment the policy installation targets for the main/proper rulebase specifies the existing physical gateways. Do I need to change this to "All gateways" for it to work with AWS as the number of gateways in the ASG dynamically grows and shrinks?

4) How do I put a Stealth rule on these to protect the public IP? Or in the case of GLWB gateways is that done only via the AWS firewall/access list?

5) When I manually install the policy, the Threat Prevent gives a verification error about the topology not being defined on the AWS instances, and that Threat blades won't apply until the topology is fixed. Shouldn't this be done automatically by whatever process creates the gateway objects in SmartConsole? (CME?)

If there is any documentation etc. that covers this I'd be grateful if someone could point me at it. So far I can't find anything that tells me how to get past the __monitor__-restrictive-policy policy, or configure what security rules I want on these GWLB gateways, differently to my other physical gateways... Or fix the topology verification warning... I'm sure I'm missing something obvious and simple, but rightly or wrongly I'm extremely confused and documentation around this stuff seems to be lacking? 🤔 Any help would be hugely appreciated.

Re: GWLB Question

Roman_Kats — Sun, 19 Dec 2021 11:34:15 GMT

Hello Matt

During new instance provisioning, CME install policy twice. It is done in order to avoid Threat Prevention policy installation before the Access one(first policy installation on newly provisioned GW has to be the Access one).
In case CME wasn't able to complete new instance provisioning and configuration, in the next cycle(by default CME cycle re-occurs every 30 seconds) CME will clean up all previous instance configurations and will try to configure the instance from scratch.
Usually uncompleted configuration points to CME configuration issues.
In order to troubleshoot the issue, I suggest first to check CME log that is located in the /var/log/CPcme/cme.log and see if there are any errors.

In general we have CME and GWLB admin guides with detailed explanation on how to configure and troubleshoot CloudGuard Network solutions.

CME Admin guide
Cloud Management Extension R80.10 and Higher Administration Guide

GWLB Admin guides:
CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide

CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment Guide

Referencing to your question How do I put a Stealth rule on these to protect the public IP? The public IP(Elastic IP) is AWS resource
So when the packet arrives to Internet Gateway(AWS VPC component) it performs NAT from/to Public IP
Therefore in the policy you should protect private IP

In case you need additional assistance, just let me know

Thanks,
Roman

Re: GWLB Question

biskit — Thu, 27 May 2021 15:03:51 GMT

Hi Roman,

Thanks for your reply. I do see errors in the log file. It seems to be trying over and over again... creating it, hitting a problem, deleting it, then trying again....

The Troubleshooting sections in the guides aren't helping. Am I best turning on debugging mode in CME then opening an SR with TAC?

Thanks,

Matt

Re: GWLB Question

Roman_Kats — Thu, 27 May 2021 15:30:45 GMT

Hi Matt,
I suggest to open a SR
In addition please send me cme.log privately so I can check the errors you are getting
Thanks,
Roman

Re: GWLB Question

Shay_Levin — Mon, 31 May 2021 07:34:45 GMT

It will help if you could share the CME configuration

autoprov_cfg show all ( hide the key)

Re: GWLB Question

Miguel_Villarr1 — Wed, 02 Jun 2021 14:38:33 GMT

Or another alternative is you can use STRUCTURA.IO and do all of that in a drag and drop fashion with CheckPoint.

- https://youtu.be/dP1XFSQjVxA

Re: GWLB Question

Razotevs — Tue, 15 Feb 2022 18:26:23 GMT

Hi Shay, same problem with R81.10 management and R81.10 VMSS on Azure. Applying "__Monitor__RestrictivePolicy" out of nowhere.

On top of that the image of the security gateways is missing "cloud_balancer_port=8117" and newly provisioned instances are not returning the health probes, respectively azure load balancer is not sending traffic because thinks they are unhealthy.

Autoprov_cfg show all seems correct and vSec controller is working fine. API status is ready, CME test is passing as also.

Any idea how to proceed? I've opened SR with Checkpoint TAC, but it's been 10 days and no development.

Thanks