- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- Re: CME Quick Start Guide
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CME Quick Start Guide
CME Quick Start Guide
For configuring Check Point Cloud Management Extension (CME)
This guide is meant as a tool to assist in basic CGNS architecture deployments using autoscaling features such as AWS’ AutoScaling Group (ASG), Azure’s Virtual Machine ScaleSet (VMSS) or GCP’s Machine Instance Group (MIG), such as testing or Proof of Concepts, to aggregate the most basic, and/or important, pieces of information used in those scenarios. It is not meant as a full guide. The full CME Admin Guide can be found here: Cloud Management Extension Administration Guide
Overview of Cloud Management Extension (CME)
CME is a tool that runs on Check Point's Security Management Server and Multi-Domain Security Management Server. CME allows cloud-native integration between Check Point CloudGuard Network solutions and Cloud platforms. As a Service, it continuously monitors CloudGuard Network solutions deployed in different cloud vendors and synchronizes them with the Security Management Server. The full online CME Administration Guide can be found here.
- Installing and Updating CME
Check Point recommends always installing an updated version of CME when available. The CME should be pre-installed on any new deployment of the SMS, Management server. However, if it is not, or for other use cases, the CME package is available for online or for offline installation. Check Point recommends following the instructions in sk157492 to update CME to the latest version.
To install/update the CME utility:
- Go to sk157492.
- Download the latest CME package for the Management Server version.
- Follow the Installation Instructions in the SK article to install CME.
- CME Authentication
This section describes the necessary steps for CME authentication with different public cloud platforms.
AWS
Refer to sk130372 > 3. Creating an AWS IAM User and IAM Role section. AWS Controller (account) connects to these URLs:
- https://ec2.<region_code>.amazonaws.com
- https://elasticloadbalancing.<region_code>.amazonaws.com
For example https://ec2.ap-northeast-2.amazonaws.com/
Azure
Create a Microsoft Entra ID (formerly Azure AD) and Service Principal
With the Microsoft Entra ID and Service Principal, the Check Point Security Management Server monitors the creation and status of the VMSS, so it can complete the provision of these Security Gateways.
- Connect to portal.azure.com.
- Click Microsoft Entra ID.
- Click +Add > App registration. The Register an application screen opens
- Create new registration:
- Select a meaningful Name.
- Supported account types - Select Accounts in this organizational directory only (Single tenant).
- Redirect URL - Select Web, and type https://localhost/vmss-name - (It can be any name.)
- Click Register. The new application is created.
- In the new application screen, on the left menu pane click Manage > Certificates and secrets.
- In the Client Secrets tab, click + New Client Secret.
- Add the duration for the key.
- Click Add.
- Backup the key. You cannot look at the key later. Save it now.
After you create the application, write down these values to use in Step 5, ‘Using the autoprov_cfg Command Line Configuration Tool’.
- Application ID: client_id
- Key value: client_secret
- Tenant ID: directory (tenant) ID
Permissions:
Give the Azure Active Directory application a minimum role of Reader to the VMSS and the VNET.
GCP
To create a GCP service account:
Use these parameters:
Name: check-point-autoprovision
Role: Compute Engine \ Compute Viewer
- Click Create Key > JSON (as the key type). A JSON file is downloaded to your computer.
Note - This JSON file will be used as the credentials file in "CME Structure and Configurations".
Permissions:
"Compute viewer"
GCP Controller (account) connects to this URL:
- Controllers (accounts)
To connect to the cloud account and automatically provision Security Gateways deployed in the account, the Security Management Server needs cloud-specific information, such as credentials and regions. This information is tied to a ‘controller’ in the CME configuration.
- To see the current controllers used by the Management Server connected to the cloud environments, run: autoprov_cfg show controllers
- To add a new controller to an existing CME configuration, run: autoprov_cfg add controller {AWS,Azure,GCP,NSX,Nutanix}
- To show the command help message, run: autoprov_cfg add controller -h
Important:
- Check Point recommends changing the account's passwords regularly for security reasons.
- Each controller in the configuration must have unique credentials, with the exception of the Multi-Domain Security Management Server configuration.
- Configuration Templates (gateway-configurations)
Information required to automatically provision Security Gateways, such as what policy to install and which Software Blades to enable, is placed in a configuration template in the CME configuration.
- To see the current configuration templates that can be applied to Security Gateways, run: autoprov_cfg show templates
- To add a new configuration template to an existing CME configuration, run the command: autoprov_cfg add template -tn <CONFIGURATION-TEMPLATE-NAME> -otp <SIC-KEY> -ver <VERSION> -po <POLICY-NAME>
For more information, consult the Cloud Management Extension Administration Guide, in the Configuration Templates (gateway-configurations) section here.
- Using the autoprov_cfg Command Line Configuration Tool
The autoprov_cfg is a command-line tool to configure autoscaling solutions, such as Azure VMSS, AWS ASG, and GCP MIG.
For instructions about how to use the autoprov_cfg, from the SMS Management server CLI, in Expert mode, run: autoprov_cfg -h
Commands Summary
Command |
Description |
init |
Initialize auto-provision with Management, a Configuration Template, and a Controller (account) configuration |
show |
Show all or specific configuration settings |
add |
1. Add a new Configuration Template or a Controller 2. Add a new configuration to the Management or to a Configuration Template or a Controller |
set |
Set values in an existing configuration of Management, Configuration Template or a Controller |
delete |
1. Remove a Configuration Template or a Controller 2. Remove a configuration from the Management or from a Configuration Template or a Controller |
-v |
Show the version of CME |
-h |
Shows specific help documentation |
Important - If you have an existing configuration, running the ‘autoprov_cfg init’ command will override it. To add one more auto-provisioned environment, use the ‘autoprov_cfg add’ command instead of ‘autoprov_cfg init’.
Specific help documentation is available for each option that you select. For example, this command shows the available initialization parameters for AWS and their definition:
autoprov_cfg init AWS -h
Azure Example: Initializing the Autoprovision Configuration
autoprov-cfg init Azure -mn "cpmgmt" -tn "Azure-Template" -otp "Checkpoint123" -ver "R81.20" -po "VMSS-Standard" -cn "Azure-Controller" -sb "123445" -at "123456" -aci "456456" -acs “123456”
Items Parameters Example
Item |
Parameter |
Example |
-mn |
<management-name> |
cpmgmt |
-tn |
<configuration-template-name> |
Azure-Template |
-opt |
<SIC-key> |
Checkpoint123 |
-ver |
<version> |
R81.20 |
-po |
<policy-name> |
VMSS-Standard |
-cn |
<controller-name> |
Azure-Controller |
-sb |
<Azure subscription> |
123445 |
-at |
<tenant-ID> |
123456 |
-aci |
<client-ID> |
456456 |
-acs |
<Client-secret> |
123456 |
AWS Example: Initializing the Autoprovision Configuration
autoprov-cfg init aws -mn “cpmgmt” -tn “AWS-Template” -otp “Checkpoint123” -ver “R81.20” -po “ASG-Standard” -cn “AWS-Controller” –r us-west-1 -iam
Items Parameters Example
Item |
Parameter |
Example |
-mn |
<management-name> |
cpmgmt |
-tn |
<configuration-template-name> |
AWS-Template |
-opt |
<SIC-key> |
Checkpoint123 |
-ver |
<version> |
R81.20 |
-po |
<policy-name> |
ASG-Standard |
-cn |
<controller-name> |
AWS-Controller |
-r |
<region> |
us-west-1 |
-iam |
No value |
|
|
|
|
GCP Example: Initializing the Autoprovision Configuration
autoprov-cfg init gcp -mn “cpmgmt” -tn “GCP-Template” -otp “Checkpoint123” -ver “R81.20” -po “MIG-Standard” -cn “GCP-Controller”
Items Parameters Example
Item |
Parameter |
Example |
-mn |
<management-name> |
cpmgmt |
-tn |
<configuration-template-name> |
GCP-Template |
-opt |
<SIC-key> |
Checkpoint123 |
-ver |
<version> |
R81.20 |
-po |
<policy-name> |
MIG-Standard |
-cn |
<controller-name> |
GCP-Controller |
- Enabling and Disabling Software Blades
When enabling or disabling software blades, it is always best to do so via the command line by modifying the CME template. This ensures that all instances created by scale-out events have the proper blades.
(See "Supported Configuration Template parameters" for parameter information.)
To Enable Software Blades in CLI on Security Gateways in the Future:
- Connect to the command line on the Security Management Server.
- Log in to the Expert mode.
- Enable the Software Blades:
- To enable one Software Blade at a time, run: autoprov_cfg set template -tn "<CONFIGURATION-TEMPLATE-NAME>" -<SOFTWARE-BLADE-NAME>
- Example: autoprov_cfg set template -tn " MY-CONFIGURATION-TEMPLATE " -ips
- To enable multiple Software Blades at a time, run: autoprov_cfg set template -tn "<CONFIGURATION-TEMPLATE-NAME>" -<SOFTWARE-BLADE-NAME-1> -<SOFTWARE-BLADE-NAME-2> -<SOFTWARE-BLADE-NAME-3>
- Example: autoprov_cfg set template -tn "my-configuration-template" -ips -uf -hi
To Disable Software Blades in CLI on Security Gateways in the Future:
- Connect to the command line on the Security Management Server.
- Log in to the Expert mode.
- Disable the Software Blades:
- To disable one Software Blade at a time, run: autoprov_cfg delete template -tn "<CONFIGURATION-TEMPLATE-NAME>" -<SOFTWARE-BLADE-NAME>
- Example: autoprov_cfg delete template -tn "MY-CONFIGURATION-TEMPLATE" -ips
- To disable multiple Software Blades at a time, run: autoprov_cfg delete template -tn "<CONFIGURATION-TEMPLATE-NAME>" -<SOFTWARE-BLADE-NAME-1> -<SOFTWARE-BLADE-NAME-2> -<SOFTWARE-BLADE-NAME-3>
- Example: autoprov_cfg delete template -tn "my-configuration-template" -ips -uf -hi
To Enable and, or Disable Software Blades in SmartConsole on Existing Security Gateways:
- From the left navigation panel, click Gateways & Servers.
- Double-click the Security Gateway object.
- Select the Software Blade to enable it.
- Clear the Software Blade check box to disable it.
- Click OK.
- Install the applicable policy on the Security Gateway.
This information should be enough to get started with configuring CME. Always refer to the official Check Point documentation for the most up-to-date and comprehensive information. You may need to independently verify any information that is not from the given sources.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect! Was looking for something awesome like this.
Andy
Happy New Year!