This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Shay_Levin
Admin
Admin
‎2021-10-14 12:32 AM

CloudGuard Controller - Support New Object Types

In Amazon Web Services (AWS):

  • Added Load Balancers tags. The tags can now be viewed in SmartConsole and used in the Security policy.

In Azure:

  • Added Application Security Groups
  • Added Private Endpoints

The above objects can now be viewed in SmartConsole and used in the Security policy.

 

The new objects would be supported starting from R80.40 and above on the next jumbo release.

For R80.40 - Above Jumbo HF Take_126 (The new objects are not included in Take_126 )

For R81 - Above Jumbo HF Take_44 (The new objects are not included in Take_44)

For R81.10 - Above Jumbo HF Take_9 (The new objects are not included in Take_9)

The new object would be supported on the upcoming GA release - R81.20.

 

In order to prevent misconfiguration (For example: preventing enforcement in the case of tags that have been already  attached to the load balancer and already used in the security policy) 

For R80.40/R80/R81.10 you will need to enable the support of the new objects as explained bellow:

For the upcoming release of R81.20, no additional configuration would be required.

For AWS: 

To enable this feature:

  1. Edit $MDSDIR/conf/vsec.conf on the Management Server and add this line: aws.enableLoadBalancersTags=true
  2. From SSH run:  vsec stop ; vsec start
  3. Note: This feature requires adding elasticloadbalancing:DescribeTags and elasticloadbalancing:DescribeLoadBalancers permissions to the AWS Data Centers accounts.

 

  1. The complete minimal required policy is

{

     "Version": "2012-10-17",

     "Statement": [

           {

                "Sid": "VisualEditor0",

                "Effect": "Allow",

                "Action": [

                     "ec2:DescribeInstances",

                     "ec2:DescribeNetworkInterfaces",

                     "elasticloadbalancing:DescribeTags",

                     "ec2:DescribeVpcs",

                     "ec2:DescribeSubnets",

                     "elasticloadbalancing:DescribeLoadBalancers",

                     "ec2:DescribeSecurityGroups"

                ],

                "Resource": "*"

           }

     ]

}

 

For Azure:

To enable this feature:

  1. Edit $MDSDIR/conf/vsec.conf on the Management Server and add this line:  azure.enableAsgAndPep=true
  2. From SSH run:  vsec stop ; vsec start
  3. Note: This feature might require added permissions to list Application Security Groups and Private Endpoints 

 

 

0 Kudos
0 Replies

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events