This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nicholas_Sherid
Contributor
‎2018-10-06 01:43 PM

Data Center Object Enforcement in Azure

Hi forum!

My management server has been integrated with azure (I set up the data centre server). 

I can read all the objects in Azure.  (I'm running R80.10 gateway and mgt)

I have set up Identity Awareness too.

My gateways are not enforcing the rules I have created with datacentre objects! Smiley Sad

Everything looks perfect on the management server, I can even see the IP addresses dynamically associated with the tags!!

I need some help figuring out why the gateways are not enforcing the rules.

I have looked all over for this - and I have a case raised, but TAC have gone a bit quiet!

Anyone help me with locating the documentation for this?  I have looked everywhere.

When I do a "pep show user all" (not sure if this shows output on azure integration) i get nothing on the gateway - whcih makes sense. 

Are there any logfiles?  I have checked /var/log/messages - nothing!

Thanks! Smiley Happy

10 Replies
Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2018-10-07 11:17 AM

I think: TAC will know better

How to debug issues related to Security Groups / Data Center objects not being enforced by vSEC Gate... 

GW side:

"$FWDIR/log/azure_had.elg*" log files. 
"$FWDIR/conf/azure-ha.json" log file. 
"$FWDIR/log/cloud_proxy.elg" log file. 

+

How to troubleshoot Updatable Objects in R80.20 (and higher) 

Azure portal reports read and/or write limits, throttling API resources 

Nicholas_Sherid
Contributor
‎2018-10-07 02:20 PM
In response to Ofir_Shikolski

I'll post up root cause and corrective action when I am done - share the wealth - I suspect it's something I have overlooked!!

Nicholas_Sherid
Contributor
‎2018-10-08 10:10 AM
In response to Ofir_Shikolski

  1. configured datacentre object (azure intergration)
  2. entered dynamically learned objects into fw policy
  3. console told me to configure identity awareness
  4. configured as terminal based, do AD later
  5. no enforcement occuring - but updates being learned by console
  6. Added a host_localhost (127.0.0.1) object 
  7. Went to cluster config > identity awareness > ticket Identity web api
  8. Dropped host_localhost object into authorized client
  9. BOOOM!

Dynamic enforcement enabled!!!!

So I missed out the bold bits Smiley Happy  HTH anyone who has the same issue as me 

Nicholas_Sherid
Contributor
‎2018-10-08 10:46 AM
In response to Nicholas_Sherid

validate with pep show user all

Senaka
Explorer
‎2019-11-07 06:53 PM
In response to Nicholas_Sherid

I would like to know if Azure Data Center objects only work with vSec gateways or does it also work with 15400 (r80.30) on-prem security gateways?
0 Kudos
Gil_Sudai
Employee
Employee
‎2019-11-07 11:52 PM
In response to Senaka

Data Center objects works also with on-prem GW.

0 Kudos
Nicholas_Sherid
Contributor
‎2018-10-07 02:17 PM

Top response ofirsea040d26-f1f2-3b12-9fc6-5c89debaf56c!  I was thinking about getting R80.20 and just blowing away my cirrent install.

Thanks again mate - much appreciated Smiley Happy 

Carsten_R
Contributor
‎2019-02-18 05:38 AM

Hello,

I have problems with that data center objetcs on an VMSS gateway in Azure.

I have enabled the Identity Awareness blade with the autoprov CLI feature. The VMSS gateway has an active Identity Awareness blade, the Remote Web API is checked, and one autogenerated host with IP 127.0.0.1 is added.

I have added the data center object for Azure, and everything is fine, I can seach all objects in my Azure inventory.

But when I would like to install the policy with one virtual machine from that Azure inventory, I receive an error.

Policy install error

If you have any good advise, because I'm normally familar with that data center objects for on-prem vCenter environments. In my opinion, it should the nearly "the same" for Azure objects...

Management and VMSS gateway is running on R80.20.

Best Regards,

Carsten

0 Kudos
Nicholas_Sherid
Contributor
‎2019-02-18 05:49 AM
In response to Carsten_R

Hi Carsten,

Dont panic! Smiley Happy  All thats happened it is you must have combined regular objects, and objects learned from Azure in the same source field in the rule

Easiest thing I expect is to duplicate the rule, and in one rule leave the normal objects, and in the other rule put the objects in that are learned from azure

HTH

0 Kudos
Carsten_R
Contributor
‎2019-02-18 09:00 PM
In response to Nicholas_Sherid

Upps, life can be so easy when you only read the error message 🙂

You're right Nicholas, that was the problem, it is working now - thanks a lot!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events