CME Quick Start Guide

For configuring Check Point Cloud Management Extension (CME)

This guide is meant as a tool to assist in basic CGNS architecture deployments using autoscaling features such as AWS’ AutoScaling Group (ASG), Azure’s Virtual Machine ScaleSet (VMSS) or GCP’s Machine Instance Group (MIG), such as testing or Proof of Concepts, to aggregate the most basic, and/or important, pieces of information used in those scenarios.  It is not meant as a full guide. The full CME Admin Guide can be found here: Cloud Management Extension Administration Guide

Overview of Cloud Management Extension (CME)

CME is a tool that runs on Check Point's Security Management Server and Multi-Domain Security Management Server. CME allows cloud-native integration between Check Point CloudGuard Network solutions and Cloud platforms. As a Service, it continuously monitors CloudGuard Network solutions deployed in different cloud vendors and synchronizes them with the Security Management Server. The full online CME Administration Guide can be found here.

1. Installing and Updating CME

Check Point recommends always installing an updated version of CME when available. The CME should be pre-installed on any new deployment of the SMS, Management server.  However, if it is not, or for other use cases, the CME package is available for online or for offline installation. Check Point recommends following the instructions in sk157492 to update CME to the latest version.

To install/update the CME utility:

1. Go to sk157492.
2. Download the latest CME package for the Management Server version.
3. Follow the Installation Instructions in the SK article to install CME.

2. CME Authentication

This section describes the necessary steps for CME authentication with different public cloud platforms.

AWS

Refer to sk130372 > 3. Creating an AWS IAM User and IAM Role section. AWS Controller (account) connects to these URLs:

• https://ec2.<region_code>.amazonaws.com
• https://elasticloadbalancing.<region_code>.amazonaws.com

For example https://ec2.ap-northeast-2.amazonaws.com/

Azure

Create a Microsoft Entra ID (formerly Azure AD) and Service Principal

With the Microsoft Entra ID and Service Principal, the Check Point Security Management Server monitors the creation and status of the VMSS, so it can complete the provision of these Security Gateways.

1. Connect to portal.azure.com.
2. Click Microsoft Entra ID.
3. Click +Add > App registration. The Register an application screen opens
4. Create new registration:
• Select a meaningful Name.
• Supported account types - Select Accounts in this organizational directory only (Single tenant).
• Redirect URL - Select Web, and type https://localhost/vmss-name - (It can be any name.)
• Click Register. The new application is created.
• In the new application screen, on the left menu pane click Manage > Certificates and secrets.
• In the Client Secrets tab, click + New Client Secret.
• Add the duration for the key.
• Click Add.
• Backup the key. You cannot look at the key later. Save it now.

After you create the application, write down these values to use in Step 5, ‘Using the autoprov_cfg Command Line Configuration Tool’.

• Application ID: client_id
• Key value:  client_secret
• Tenant ID: directory (tenant) ID

Permissions:

Give the Azure Active Directory application a minimum role of Reader to the VMSS and the VNET.

GCP

To create a GCP service account:

1. Go to https://cloud.google.com/iam/docs/creating-managing-service-accounts.

Use these parameters:

Name: check-point-autoprovision

Role: Compute Engine \ Compute Viewer

1. Click Create Key > JSON (as the key type). A JSON file is downloaded to your computer.

Note - This JSON file will be used as the credentials file in "CME Structure and Configurations".

Permissions:

"Compute viewer"

GCP Controller (account) connects to this URL:

https://www.googleapis.com/

3. Controllers (accounts)

To connect to the cloud account and automatically provision Security Gateways deployed in the account, the Security Management Server needs cloud-specific information, such as credentials and regions. This information is tied to a ‘controller’ in the CME configuration.

• To see the current controllers used by the Management Server connected to the cloud environments, run: autoprov_cfg show controllers
• To add a new controller to an existing CME configuration, run: autoprov_cfg add controller {AWS,Azure,GCP,NSX,Nutanix}
• To show the command help message, run: autoprov_cfg add controller -h

Important:

• Check Point recommends changing the account's passwords regularly for security reasons.
• Each controller in the configuration must have unique credentials, with the exception of the Multi-Domain Security Management Server configuration.

4. Configuration Templates (gateway-configurations)

Information required to automatically provision Security Gateways, such as what policy to install and which Software Blades to enable, is placed in a configuration template in the CME configuration.

• To see the current configuration templates that can be applied to Security Gateways, run: autoprov_cfg show templates
• To add a new configuration template to an existing CME configuration, run the command: autoprov_cfg add template -tn <CONFIGURATION-TEMPLATE-NAME> -otp <SIC-KEY> -ver <VERSION> -po <POLICY-NAME>

For more information, consult the Cloud Management Extension Administration Guide, in the Configuration Templates (gateway-configurations) section here.

5. Using the autoprov_cfg Command Line Configuration Tool

The autoprov_cfg is a command-line tool to configure autoscaling solutions, such as Azure VMSS, AWS ASG, and GCP MIG.

For instructions about how to use the autoprov_cfg, from the SMS Management server CLI, in Expert mode, run: autoprov_cfg -h

Commands Summary

Important - If you have an existing configuration, running the ‘autoprov_cfg init’ command will override it. To add one more auto-provisioned environment, use the ‘autoprov_cfg add’ command instead of ‘autoprov_cfg init’.

Specific help documentation is available for each option that you select. For example, this command shows the available initialization parameters for AWS and their definition:

autoprov_cfg init AWS -h

Azure Example: Initializing the Autoprovision Configuration

autoprov-cfg init Azure -mn "cpmgmt" -tn "Azure-Template" -otp "Checkpoint123" -ver "R81.20" -po "VMSS-Standard" -cn "Azure-Controller" -sb "123445" -at "123456" -aci "456456" -acs “123456”

Items Parameters Example

AWS Example: Initializing the Autoprovision Configuration

autoprov-cfg init aws -mn “cpmgmt” -tn “AWS-Template” -otp “Checkpoint123” -ver “R81.20” -po “ASG-Standard” -cn “AWS-Controller” –r us-west-1 -iam

Items Parameters Example

GCP Example: Initializing the Autoprovision Configuration

autoprov-cfg init gcp -mn “cpmgmt” -tn “GCP-Template” -otp “Checkpoint123” -ver “R81.20” -po “MIG-Standard” -cn “GCP-Controller”

Items Parameters Example

6. Enabling and Disabling Software Blades

When enabling or disabling software blades, it is always best to do so via the command line by modifying the CME template. This ensures that all instances created by scale-out events have the proper blades.

(See "Supported Configuration Template parameters" for parameter information.)

To Enable Software Blades in CLI on Security Gateways in the Future:

1. Connect to the command line on the Security Management Server.
2. Log in to the Expert mode.
3. Enable the Software Blades:
• To enable one Software Blade at a time, run: autoprov_cfg set template -tn "<CONFIGURATION-TEMPLATE-NAME>" -<SOFTWARE-BLADE-NAME>
1. Example: autoprov_cfg set template -tn " MY-CONFIGURATION-TEMPLATE " -ips
• To enable multiple Software Blades at a time, run: autoprov_cfg set template -tn "<CONFIGURATION-TEMPLATE-NAME>" -<SOFTWARE-BLADE-NAME-1> -<SOFTWARE-BLADE-NAME-2> -<SOFTWARE-BLADE-NAME-3>
1. Example: autoprov_cfg set template -tn "my-configuration-template" -ips -uf -hi

To Disable Software Blades in CLI on Security Gateways in the Future:

1. Connect to the command line on the Security Management Server.
2. Log in to the Expert mode.
3. Disable the Software Blades:
• To disable one Software Blade at a time, run: autoprov_cfg delete template -tn "<CONFIGURATION-TEMPLATE-NAME>" -<SOFTWARE-BLADE-NAME>
1. Example: autoprov_cfg delete template -tn "MY-CONFIGURATION-TEMPLATE" -ips
• To disable multiple Software Blades at a time, run: autoprov_cfg delete template -tn "<CONFIGURATION-TEMPLATE-NAME>" -<SOFTWARE-BLADE-NAME-1> -<SOFTWARE-BLADE-NAME-2>  -<SOFTWARE-BLADE-NAME-3>
1. Example: autoprov_cfg delete template -tn "my-configuration-template" -ips -uf -hi

To Enable and, or Disable Software Blades in SmartConsole on Existing Security Gateways:

1. From the left navigation panel, click Gateways & Servers.
2. Double-click the Security Gateway object.
• Select the Software Blade to enable it.
• Clear the Software Blade check box to disable it.
3. Click OK.
4. Install the applicable policy on the Security Gateway.

This information should be enough to get started with configuring CME. Always refer to the official Check Point documentation for the most up-to-date and comprehensive information. You may need to independently verify any information that is not from the given sources.