Shay_Levin (Admin)

CloudGuard Controller - Support New Object Types

In Amazon Web Services (AWS):

  • Added Load Balancer tags. The tags can now be viewed in SmartConsole and used in the Security policy.

In Azure:

  • Added Application Security Groups
  • Added Private Endpoints

The above objects can now be viewed in SmartConsole and used in the Security policy.


The new objects will be supported on R80.40 and above starting with the next Jumbo Hotfix release:

For R80.40 - above Jumbo HF Take_126 (the new objects are not included in Take_126)

For R81 - above Jumbo HF Take_44 (the new objects are not included in Take_44)

For R81.10 - above Jumbo HF Take_9 (the new objects are not included in Take_9)

The new objects will also be supported in the upcoming GA release, R81.20.


To prevent misconfiguration (for example, unintended enforcement where tags already attached to a load balancer are also already used in the Security policy), the new objects are disabled by default on the Jumbo Hotfix releases.

For R80.40/R81/R81.10 you will need to enable support for the new objects as explained below.

For the upcoming R81.20 release, no additional configuration is required.

For AWS: 

To enable this feature:

  1. Edit $MDSDIR/conf/vsec.conf on the Management Server and add this line: aws.enableLoadBalancersTags=true
  2. From SSH run:  vsec stop ; vsec start
  3. Note: This feature requires adding the elasticloadbalancing:DescribeTags and elasticloadbalancing:DescribeLoadBalancers permissions to the AWS Data Center accounts used by the Controller.

  4. The complete minimal required policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkInterfaces",
                "elasticloadbalancing:DescribeTags",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "elasticloadbalancing:DescribeLoadBalancers",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        }
    ]
}


For Azure:

To enable this feature:

  1. Edit $MDSDIR/conf/vsec.conf on the Management Server and add this line: azure.enableAsgAndPep=true
  2. From SSH run: vsec stop ; vsec start
  3. Note: This feature may require additional permissions for the Azure Data Center account to list Application Security Groups and Private Endpoints.
