- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- CP CME: Using CME to deploy a shared Threat Preven...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CP CME: Using CME to deploy a shared Threat Prevention Profile
Hi,
I am today using CP Cloud Management Extention (CP CME) to deploy scale sets in Azure.
MDS as management in HA setup.
If I need to automate new Cloudguard scale set with both security policy and threat prevention policy then how should that be done?
Should I include a line in the custom script as shown in the below extract of the json file (/home/admin/cg-script.sh) using mgmt_cli to install policy (threat prevention policy) afterwards and solve it by doing so?
The autoprovison.json file which is auto generated by the tool delivered with CME called autoprov_cfg only allows me to install a security policy and with that it will also install the standard threat prevention policy. In my case have no rule enabled at all to inspect traffic for known and unknown vulnerabilities. The help details to "autoprov_cfg add template -h" suggest using the restrictive policy with '-rp' parameter but it states: "Created to avoid a limitation in which Access Policy and Threat Prevention Policy cannot be installed at the first time together"
Eg. of the configuration file used by CME. Extract of the json file - auto genereated by autoprov_cfg tool.
},
"tnPROD": {
"anti-bot": true,
"anti-virus": true,
"application-control": true,
"custom-gateway-script": "/home/admin/cg-script.sh",
"generation": "3",
"identity-awareness": true,
"ips": true,
"one-time-password": "one-time-password",
"policy": "Northbound",
"send-logs-to-server": "SMEserver1",
"url-filtering": true,
"version": "R81.10"
}
Because I have more Azure environment I am using the same Threat Prevention profile with just different source and destination in the TP rulebase.
When I deploy new scale sets I want to make sure automatically to deploy this shared TP policy.
I was recommended to look at MDS Global Assignment for managing this but might also introduce other challenges.
Therefore are there any ways of using the custom script defined in the autoprov_cfg tool were I could deploy the shared threat prevention policy using the API using MGMT_CLI to install it?
Eg. using mgmt_cli installing Northbound policy together with TP policy
mgmt_cli install-policy policy-package "Northbound" access true threat-prevention true targets.1 "corporate-gateway" targets.2 "corporate-gateway1" targets.3 "corporate-gateway2 " --version 1.1 --format json
Thanks
/Kim
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The shared TP profile must be added to the relevant policy package before the policy installation takes place.
I presume this can be done with set package, publish, then install the relevant policy package.
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/set-package~v1.9%20
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dameon,
That could be a way but I am having 7 VMSS scale sets with different gateway names with 2 instances per set that can scale out..approx. maximum 8x 7 is the amount of gateways.
Basically CME script should have an option like either to use standard policy own threat prevention policy or to use a shared threat prevention policy. One just enter the name and that one is being deployed.
I know of a work around that I am being presented to on Thursday this week.
Kim
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Roman_Kats
have you considered to add the feature to CME to be using a shared Threat Prevention Profile in the CME templates?
Like you are specifying "-po" for "policy to installed" and it just takes that security policies Threat Prevention Policy to install. Example could be to specify "-tp" for specifying the standard/shared Threat Prevention policy.
If you have multiple scale sets in the cloud eg. in Azure to represent different environments like DEV, QA/TEST, PROD, one need to maintain all three Threat Prevention policies in each Security Policy.
It gets more complicated when moving into other regions with other Azure VMSS Scale Sets. The you need to maintain those as well.
On our on-premise MDs domain we can share the Threat Prevention policy across datacenters, and that is what we want do across Azure VMSS scale sets with our Cloudguards installed in different environments and regions.
Thanks
Kim
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Kim_Moberg
Appreciate your feedback, we are reviewing the suggested feature and will consider adding it to our roadmap
Thanks,
Roman