How to deploy and configure scale sets in SmartConsole and policies
We are building an environment that has a Checkpoint Manager and several scale sets. The manager and firewalls (scale sets) are all in Azure. The firewall manager and a single scale set have been built (by a different team) and both fw's show up as objects in SmartConsole. It is not clear to me how to add the scale set to a policy within SmartConsole. Additionally, can we have more than one scale set associated with a single policy? Or does each scale set require its own unique policy?
Thanks
The policy is defined in the autoprovisioning json script and not SmartConsole. Also, you won't set anything in the install on cell in the policy. Make sure you create the policy before modifying your json script.
FWIW, Autoprovisioning is now Cloud Management Extension (CME).
The json file should live in /var/opt/CPmds-R80/conf/ (for 80.10). It's safe to cat it, but I wouldn't try to manually edit the file.
autoprov-cfg is the command that would allow you to modify your json file. See sk120992 for more details.
I don't seem to have that directory. This is an R80.30 Management station.
I reviewed the document in the link below and it doesn't mention modifying a json file:
I have a case open with Checkpoint Support and they also stated that a json file needs to be modified (application.json) but it does not exist on the manager.
Are you on a MDS platform?
If so, for 80.30 try here:
/var/opt/CPmds-R80.30/conf
You should have autoprovision.json there.
You could also try: "autoprov-cfg show all" from expert.
Here's a sample of what my script looks like:
(this part defines the controller(s)):
controllers:
  Azure1:
    class: Azure
    credentials:
      "client_id": "My_Azure_client_ID_here"
      "client_secret": "More_privateclient_stuff_here"
      "grant_type": "client_credentials"
      tenant: My_Azure_tenant_ID
    domain: "CMA_Mine-Mine-Mine"
    subscription: "My_Azure_Sub_ID"
    templates:
      - Azure-DMZ
The controller calls the template, in this case Azure-DMZ. Here's the template (this will all show up in the same file). Note we also enable the blades here:
Azure-DMZ:
  anti-bot: true
  anti-virus: true
  identity-awareness: true
  ips: true
  one-time-password: "My-one-time-password-aka-SIC"
  policy: "Azure_DMZ"
  send-alerts-to-server: "CMA_Mine_Mine_Mine_Log_01"
  send-logs-to-server: "CMA_Mine_Mine_Mine_Log_01"
  version: "R80.20"
In my case, I have an MDS and a MLM, so I define that I want the logs to go to the MLM.
Note the policy line. That's the policy that will be assigned in the CMA to the autoprovisioned firewalls. Make sure this policy is created first. And make sure you have sufficient permits to continue talking to the firewall when that policy first starts so you don't lock yourself out.
When you go to push policy, you'll notice that you don't have to define the gateways like you normally would for a normal new setup.
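Added example (not part of the post above and not Check Point's code): a read-only Python check that loads a config shaped like the sample in this thread, reports which policy each controller's templates assign, flags templates that are undefined or have no policy, and masks client_secret and one-time-password before the file is pasted into a ticket or forum. It assumes the JSON file mirrors the layout shown above with templates under a top-level "templates" key; all sample values are constructed placeholders.

```python
import json

# Keys that hold secrets in the sample posted in this thread.
SECRET_KEYS = {"client_secret", "one-time-password"}

# Constructed sample; values are placeholders, not real identifiers.
# Assumption: templates live under a top-level "templates" mapping.
SAMPLE = """
{
  "controllers": {
    "Azure1": {"class": "Azure",
               "credentials": {"client_id": "PLACEHOLDER",
                               "client_secret": "PLACEHOLDER-SECRET",
                               "grant_type": "client_credentials",
                               "tenant": "PLACEHOLDER"},
               "subscription": "PLACEHOLDER",
               "templates": ["Azure-DMZ", "Azure-NoPolicy", "Azure-Missing"]}
  },
  "templates": {
    "Azure-DMZ": {"one-time-password": "PLACEHOLDER-SIC", "policy": "Azure_DMZ"},
    "Azure-NoPolicy": {"one-time-password": "PLACEHOLDER-SIC"}
  }
}
"""

def redact(node):
    """Return a copy of the config with secret values masked."""
    if isinstance(node, dict):
        return {k: "***REDACTED***" if k in SECRET_KEYS else redact(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node

def policy_map(cfg):
    """Map (controller, template) -> policy and list reference problems."""
    templates = cfg.get("templates", {})
    mapping, problems = {}, []
    for ctrl, body in cfg.get("controllers", {}).items():
        for name in body.get("templates", []):
            if name not in templates:
                problems.append(f"{ctrl}: template '{name}' is not defined")
            elif not templates[name].get("policy"):
                problems.append(f"{ctrl}: template '{name}' has no policy")
            else:
                mapping[(ctrl, name)] = templates[name]["policy"]
    return mapping, problems

if __name__ == "__main__":
    cfg = json.loads(SAMPLE)
    print(json.dumps(redact(cfg), indent=2))
    print(policy_map(cfg))
```

To run it against a real file, replace SAMPLE with the contents read from a copy of the config; the script never writes to the file.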
Thanks. I don't seem to have autoprov-cfg. Is that something I need to install?
Before we go down this path any further - are you in an MDS based environment?
No. Single R80.30 management station in Azure. Standalone.
I'll have to defer to someone else. I've only set up MDS environments. You may also want to reach out to TAC.