Scottc98
Contributor

Cloudguard datacenter objects - AWS multiple accounts

My company has been looking at integrating our on-premise management server to ingest Data Center objects from AWS. We have a cloud deployment in one region today but have multiple accounts (~8) in AWS we need to pull from.

Our on-premise MGMT and GWs are all R80.30 today, and we want to use tags in our on-premise access policies to get around the changing of resource IPs.

We have Dome9 as well, and we had to set up each account with its own role to access each, so I wasn't sure if the vSEC Controller setup was similar.

The vSEC Controller R80.30 docs didn't mention anything about multiple accounts, hence I am looking for some guidance from those that have deployed this solution with multiple AWS accounts.

Thanks in advance 🙂

8 Replies
PhoneBoy
Admin

I believe you can do this by creating a Data Center object for each account.
In fact, in later versions, you can create a query object that allows you to make objects involving multiple data centers.
See: https://community.checkpoint.com/t5/How-To-Videos/R81-Data-Center-Query/td-p/108391

Mark_Halsall
Employee

Correct. 
In this case, you’d have 8 Data Center objects, and would need to import the tag(s) from each Data Center object for use in policy. 
The Data Center Query object is more efficient since although you still have to create each Data Center, you only need to do one Query object to search all of them. 
The docs referenced above will show how it works.

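
The two replies above describe the mechanics without showing them: each AWS account is polled as its own Data Center object, a Data Center Query resolves a tag selector across all of them, and the gateways receive IP addresses, not tags, so an instance replacement changes the enforced IPs without touching the rule. The following is an added model of that flow, not Check Point code; the inventories are constructed sample data shaped loosely like `ec2 describe-instances` output, and the account IDs and instance IDs are placeholders:

```python
import copy

# Constructed sample inventories, one per AWS account. Each account is its own
# Data Center object on the management; the controller polls them separately.
INVENTORIES = {
    "222222222222": [
        {"InstanceId": "i-0a1", "State": "running", "PrivateIpAddress": "10.1.1.10",
         "Tags": {"Role": "web", "Env": "prod"}},
        {"InstanceId": "i-0a2", "State": "running", "PrivateIpAddress": "10.1.1.11",
         "Tags": {"Role": "db", "Env": "prod"}},
    ],
    "333333333333": [
        {"InstanceId": "i-0b1", "State": "running", "PrivateIpAddress": "10.2.1.10",
         "Tags": {"Role": "web", "Env": "prod"}},
        # stopped instance: carries the tag but has no private IP to enforce on
        {"InstanceId": "i-0b2", "State": "stopped", "PrivateIpAddress": None,
         "Tags": {"Role": "web", "Env": "prod"}},
        {"InstanceId": "i-0b3", "State": "running", "PrivateIpAddress": "10.2.1.12",
         "Tags": {"Role": "web", "Env": "dev"}},
    ],
}


def resolve_tag_query(inventories, selector):
    """Resolve a tag selector (every key/value pair must match) across all the
    Data Centers in `inventories`. Gateways enforce on IPs, so the result is a
    sorted list of private IPs; tagged instances without an address (stopped,
    terminating) are skipped rather than emitted as None."""
    ips = set()
    for instances in inventories.values():
        for inst in instances:
            tags = inst.get("Tags", {})
            if all(tags.get(k) == v for k, v in selector.items()):
                if inst.get("PrivateIpAddress"):
                    ips.add(inst["PrivateIpAddress"])
    return sorted(ips)


def identity_delta(old_ips, new_ips):
    """What changes after a re-poll: the controller pushes adds/removes to the
    gateways while the rule written against the tag stays untouched."""
    return {
        "add": sorted(set(new_ips) - set(old_ips)),
        "remove": sorted(set(old_ips) - set(new_ips)),
    }


def replace_instance(inventories, account, instance_id, new_instance_id, new_ip):
    """Simulate an autoscaling replacement: same tags, fresh instance and IP.
    Returns a new inventory and leaves the input untouched."""
    updated = copy.deepcopy(inventories)
    for inst in updated[account]:
        if inst["InstanceId"] == instance_id:
            inst["InstanceId"] = new_instance_id
            inst["PrivateIpAddress"] = new_ip
            inst["State"] = "running"
            return updated
    raise KeyError(f"{instance_id} not found in account {account}")


if __name__ == "__main__":
    q = {"Role": "web", "Env": "prod"}
    before = resolve_tag_query(INVENTORIES, q)
    print("query across all Data Centers:", before)
    # importing the tag from one Data Center object only sees that account
    print("single Data Center only:",
          resolve_tag_query({"222222222222": INVENTORIES["222222222222"]}, q))
    after_inv = replace_instance(INVENTORIES, "333333333333", "i-0b1", "i-0c9", "10.2.1.20")
    after = resolve_tag_query(after_inv, q)
    print("delta pushed to gateways:", identity_delta(before, after))
```

The single-account call shows why importing the tag from each Data Center object separately is more work than one Query object: the same selector resolves to a different set depending on which Data Centers it is run against. One caveat worth keeping in mind with any tag-driven rule: whoever can write tags in a member account (ec2:CreateTags) can place an instance into the matched set, so the IAM permissions in those accounts are part of the firewall policy.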
GBrembati
Employee

Hi Scottc98,

The suggestion of creating multiple Data Center Servers (one per AWS account) is the correct way since you are using R80.30 as the Management version today.

It may also be useful to note that from R81.10 we have introduced the capability to utilize AWS Security Token Service (STS) AssumeRole to simplify access to AWS Data Centers.
With this feature, instead of creating multiple AWS user accounts and configuring access permissions to AWS resources for each account, STS AssumeRole allows creating the necessary permissions once for use across multiple AWS accounts.

This is well documented in the CloudGuard Controller Admin Guide R81.10 here:
https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CloudGuard_Controller_AdminG...

 

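
The IAM side of the AssumeRole pattern mentioned above, as an added example (not from the admin guide or Check Point): one role in each member account trusts a single hub role, the hub role is allowed to assume exactly those member roles, and a small linter catches the trust-policy mistakes that turn read-only inventory access into something any account can assume. Account IDs, role names and the ExternalId are placeholders, and the describe-only action list is an illustrative subset; the authoritative permission list is the one in the admin guide.

```python
import json

# Placeholder identifiers (assumptions, not taken from the thread or the guide).
HUB_ACCOUNT = "111111111111"                        # account whose role the controller uses
HUB_ROLE_ARN = f"arn:aws:iam::{HUB_ACCOUNT}:role/cloudguard-controller"
MEMBER_ACCOUNTS = ["222222222222", "333333333333"]  # constructed sample member accounts
MEMBER_ROLE = "cloudguard-inventory"                # same role name created in every member
EXTERNAL_ID = "cg-7f3a9c2e"                         # shared value; treat it as a secret

# Illustrative read-only subset; the real list is in the CloudGuard Controller admin guide.
INVENTORY_ACTIONS = ["ec2:DescribeInstances", "ec2:DescribeTags",
                     "ec2:DescribeVpcs", "ec2:DescribeSubnets"]


def member_trust_policy(hub_role_arn, external_id):
    """Trust policy for the role in a member account: only the hub role may
    assume it, and only when it presents the agreed ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": hub_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def member_permissions_policy(actions):
    """Permissions policy attached to the member role: describe-only, no mutation."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


def hub_assume_policy(member_accounts, member_role):
    """Policy attached to the hub role: it may assume exactly the member roles,
    so onboarding a ninth account adds one ARN here rather than a new IAM user."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": [f"arn:aws:iam::{a}:role/{member_role}"
                                        for a in member_accounts]}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(policy):
    """Lint a trust policy for the two common mistakes: an over-broad principal
    and a missing ExternalId condition. Returns a list of finding strings."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(st.get("Action"))):
            continue
        principal = st.get("Principal", {})
        principals = (_as_list(principal.get("AWS")) if isinstance(principal, dict)
                      else _as_list(principal))
        for p in principals:
            if p == "*":
                findings.append("wildcard principal: any AWS principal may assume this role")
            elif p.endswith(":root"):
                findings.append(f"account-root principal {p}: trust is delegated to "
                                "that whole account's IAM, not to one role")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append("no sts:ExternalId condition (confused-deputy exposure)")
    return findings


if __name__ == "__main__":
    trust = member_trust_policy(HUB_ROLE_ARN, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print("findings for the member trust policy:", trust_policy_findings(trust))
    print(json.dumps(hub_assume_policy(MEMBER_ACCOUNTS, MEMBER_ROLE), indent=2))
    print(json.dumps(member_permissions_policy(INVENTORY_ACTIONS), indent=2))
```

Each member account gets the trust policy and the permissions policy; the hub account gets the assume policy. Run the linter against whatever trust policy ends up in the member accounts, because a `"Principal": {"AWS": "*"}` pasted in during testing is the difference between a read-only inventory role and a role the whole of AWS can assume.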
Scottc98
Contributor

Not to stir up an old thread, but I have a general question regarding the CloudGuard Controller supported objects and some of the features in the releases.

- Are the CloudGuard features based on the version of the management server or on the version of the gateways?

If I have a management server on R81.10 but have GWs on R80.40, would the supported Data Center objects follow the GW, or does it vary?

For example, would you be able to use the Data Center Query object features released starting in R81 on R80.40 gateways, as long as management is indeed R81 or higher?

Same with support for new Data Centers (i.e. VMware vCenter version 7 in R81.10, or Oracle OCI support coming in R81.20); does that have any relation to the GW versions needed to use these? I 'feel' like it would be management only here, since it is the integrator between each cloud, but I am questioning that thought, as there might be some use cases (some or all) that are GW/JHF version dependent.

PhoneBoy
Admin

Depends on the feature.
Generic Data Center objects, which do not use the CloudGuard Controller, require R81 or above gateways.
For Data Center Query objects, provided the management is on at least R81 and the gateways are on any R8x version, they should be supported.
I presume support for new Data Centers would work the same way, but we'll have to wait until R81.20 is released to confirm.

beniyaminr
Employee Alumnus

Hi Scottc98,

Since the CloudGuard Controller runs on the management, feature availability is dependent on the version of the management you currently use.

For example, you can use the Data Center Query feature since R81, but you will be able to push the identities to an older GW version (for example R80.40).

In addition, you can find the GWs supported by the CloudGuard Controller in the admin guide: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CloudGuard_Controller_AdminG...

beniyaminr
Employee Alumnus

I'll add that in some cases the feature will have a dependence on the GW version, for example, as mentioned above, the Generic Data Center objects.
But in general, the CloudGuard Controller supports backwards compatibility, hence you will be able to use it with the older-version GWs that the CloudGuard Controller supports.

Scottc98
Contributor

Thank you @PhoneBoy and @beniyaminr for the clarifications. That's great to hear, and I'll pass that info along.
