How to deploy and configure scale sets in SmartConsole and policies
We are building an environment that has a Check Point Manager and several scale sets. The manager and firewalls (scale sets) are all in Azure. The firewall manager and a single scale set have been built (by a different team) and both FWs show up as objects in SmartConsole. It is not clear to me how to add the scale set to a policy within SmartConsole. Additionally, can we have more than one scale set associated with a single policy? Or does each scale set require its own unique policy?
The policy is defined in the autoprovisioning JSON script and not SmartConsole. Also, you won't set anything in the Install On cell in the policy. Make sure you create the policy before modifying your JSON script.
FWIW, Autoprovisioning is now Cloud Management Extension (CME).
The JSON file should live in /var/opt/CPmds-R80/conf/ (for 80.10). It's safe to cat it, but I wouldn't try to manually edit the file.
autoprov-cfg is the command that would allow you to modify your JSON file. See sk120992 for more details.
I don't seem to have that directory. This is an R80.30 Management station.
I reviewed the document in the link below and it doesn't mention modifying a JSON file:
I have a case open with Check Point Support and they also stated that a JSON file needs to be modified (application.json) but it does not exist on the manager.
Are you on an MDS platform?
If so, for 80.30 try here:
You should have autoprovision.json there.
You could also try: "autoprov-cfg show all" from expert.
Here's a sample of what my script looks like:
(this part defines the controller(s)):
The controller calls the template, in this case Azure-DMZ. Here's the template (this will all show up in the same file). Note we also enable the blades here:
In my case, I have an MDS and an MLM, so I define that I want the logs to go to the MLM.
Note the policy line. That's the policy that will be assigned in the CMA to the autoprovisioned firewalls. Make sure this policy is created first. And make sure you have sufficient permits to continue talking to the firewall when that policy first starts so you don't lock yourself out.
When you go to push policy, you'll notice that you don't have to define the gateways like you normally would for a normal new setup.