topic Re: Cloud Space IP Rules in General Topics

Cloud Space IP Rules

seanmc12 — Fri, 10 Sep 2021 17:25:24 GMT

We are moving some of our resources to AWS cloud space. We've setup rules to allow traffic to/from and from/to internal resources/external resources. The issue we are now seeing is that in the cloud space, their source IP addresses constantly change. We have to go in, look at the logs, see what IPs have changed and update the rules. How are folks setting up rules for cloud sources so that they aren't constantly going in and updating their rule set.

Thanks,

Sean

Re: Cloud Space IP Rules

Marcel_Gramalla — Fri, 10 Sep 2021 17:45:53 GMT

It really depends on how detailed your rules have to be. One option is to just use small subnets vor every usecase and build the rules based on that. Another option would be to use the AWS Datacenter Object so you could easily use tags etc. on the machines.

We use both options currently (but GCP and not AWS) and for basic internet access we use the zone Objects so we don't even have to add new subnets to the rulebase.

Re: Cloud Space IP Rules

seanmc12 — Fri, 10 Sep 2021 17:52:00 GMT

I'm newer to this. Our rule base has a source IP address and a desination IP address/DNS Name. We aren't given any groups of subnets really to use to create a AWS DC object. Don't recognize what GCP is referencing. Is that global Checkpoint Policy?

Sorry, still tryin to pick this up.

Re: Cloud Space IP Rules

PhoneBoy — Fri, 10 Sep 2021 18:26:05 GMT

This is what Cloud Management Extension (formerly CloudGuard Controller) is designed to solve.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk157492&partition=Advanced&product=CloudGuard

You can create objects based on their definition in AWS.
Your gateways (on premise and/or in the cloud) will be continually up-to-date with the relevant IP addresses.

Re: Cloud Space IP Rules

Marcel_Gramalla — Fri, 10 Sep 2021 20:06:37 GMT

I was talking about the CloudGuard Controller: Supported Data Centers (checkpoint.com)

You can add your AWS credentials (permissions needed are in this document) to a Data Center Object and import resources based on vpc, subnets, tags etc. It looks like this for GCP (Google Cloud Platform):

You create this Data Center Objects and afterwards you can right-click on it and select "import". Select the resources you want. They are updated automatically.

Re: Cloud Space IP Rules

Marcel_Gramalla — Fri, 10 Sep 2021 20:10:26 GMT

Was the CME also a part of CloudGuard Controller naming before? Because that is a different feature: Introduction to CloudGuard Controller (checkpoint.com)

CME is for managing the Gateways etc. itself (from what I understand) and CloudGuard Controller is for using actual resources from the Cloud in the rulebase.

Re: Cloud Space IP Rules

PhoneBoy — Fri, 10 Sep 2021 21:12:01 GMT

I believe at one point they were the same, but you're right, they're different.
CloudGuard Controller is definitely what I was thinking of.