This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
J_Saun
Contributor
‎2020-02-05 04:41 AM

How to deploy and configure scale sets in Smarconsole and policies

We are building an environment that has a Checkpoint Manager and several scale sets. The manager and firewalls (scale sets) are all in Azure. The firewall manager and a single scale set have been built (by a different team) and both fw's show up as objects in Smartconsole. It is not clear to me how to add the scale set to a policy within Smartconsole. Additionally, can we have more than one scale set associated with a single policy? Or does each scale set require it's own unique policy.

 

Thanks

0 Kudos
7 Replies
Tommy_Forrest
Advisor
‎2020-02-05 05:59 AM

The policy is defined in the autoprovisioning json script and not SmartConsole.  Also, you won't set anything in the install on cell in the policy.  Make sure you create the policy before modifying your json script.

FWIW, Autoprovisioning is now Cloud Management Extension (CME).

The json file should live in /var/opt/CPmds-R80/conf/ (for 80.10).  It's safe to cat it, but I wouldn't try to manually edit the file.

autoprov-cfg is the command that would allow you to modify your json file.  See sk120992 for more details.

 

 

0 Kudos
J_Saun
Contributor
‎2020-02-06 04:56 AM
In response to Tommy_Forrest

I don't seem to have that directory. This is an R80.30 Management station.

 

I reviewed the document in the link below and it doesnt mention modifying a json file:

 

https://community.checkpoint.com/t5/CloudGuard-IaaS/Deploying-Auto-Scaling-CloudGuard-gateways-in-Az...

 

I have a case open with Checkpoint Support and they also stated that a json file needs to be modified (application.json) but it does not exist on the manager.

 

 

0 Kudos
Tommy_Forrest
Advisor
‎2020-02-06 05:17 AM
In response to J_Saun

Are you on a MDS platform?

If so, for 80.30 try here:

/var/opt/CPmds-R80.30/conf

You should have autoprovision.json there.

You could also try:  "autoprov-cfg show all" from expert.

 

Here's a sample of what my script looks like:

 

(this part defines the controller(s)):

controllers:
Azure1:
class: Azure
credentials:
"client_id": "My_Azure_client_ID_here"
"client_secret": "More_privateclient_stuff_here"
"grant_type": "client_credentials"
tenant: My_Azure_tenant_ID
domain: "CMA_Mine-Mine-Mine"
subscription: "My_Azure_Sub_ID"
templates:
- Azure-DMZ

The controller calls the template, in this case Azure-DMZ.  Here's the template (this will all show up in the same file) note we also enable the blades here:

Azure-DMZ:
anti-bot: true
anti-virus: true
identity-awareness: true
ips: true
one-time-password: "My-one-time-password-aka-SIC"
policy: "Azure_DMZ"
send-alerts-to-server: "CMA_Mine_Mine_Mine_Log_01"
send-logs-to-server: "CMA_Mine_Mine_Mine_Log_01"
version: "R80.20"

In my case, I have an MDS and a MLM, so I define that I want the logs to go to the MLM.

Note the policy line.  That's the policy that will be assigned in the CMA to the autoprovisioned firewalls.  Make sure this policy is created first.  And make sure you have sufficient permits to continue talking to the firewall when that policy first starts so you don't lock yourself out.

When you go to push policy, you'll notice that you don't have to define the gateways like you normally would for a normal new setup.

0 Kudos
J_Saun
Contributor
‎2020-02-06 05:31 AM
In response to Tommy_Forrest

Thanks. I don't seem to have autoprov-cfg. Is that something I need to install?

0 Kudos
Tommy_Forrest
Advisor
‎2020-02-06 05:35 AM
In response to J_Saun

Before we go down this path any further - are you in an MDS based environment?

0 Kudos
J_Saun
Contributor
‎2020-02-06 05:40 AM
In response to Tommy_Forrest

No. Single R80.30 management station in Azure. Standalone.

0 Kudos
Tommy_Forrest
Advisor
‎2020-02-06 06:02 AM
In response to J_Saun

I'll have to defer to someone else.  I've only setup MDS environments.  You may also want to reach out to TAC.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events