So, there is a separate manager for the cloud, smart-1 and there is a separate gateway called cloudguard for firewall and IPS, what is the tab in infinity portal then for?     Is it a tool that complements the manager and gw to provide these additional features?  If so, can the cloudguard tab on infinity portal be integrated with both the cloud smart-1  manager & the on prem manager or just smart-1? 

Features.

cloudguard controller

cloudguard network

cloudguard posture management

cloudguard workload

cloudguard shiftleft

cloudguard Intelligence

cloudguard WAF

Cloudguard Firewalls can be managed by the same security management as your on-prem firewalls, separate management isn't mandatory (Smart-1 Cloud is just an option here as is hosting a management VM on Azure / VMware or running a Smart-1 appliance etc). Cloudguard controller is a component that allows the security policy of the gateway to be dynamically updated with cloud  objects such as items in your AWS or Azure environment.

Cloudguard in the infinity portal context is a separately licensed set of products different from the Firewall/IPS. Many of these deal with the native configuration / compliance & security of the cloud environment itself not a virtual firewall appliance.

Hope that helps to make it clearer?

Thanks Chris,

It's still not clear I can use the cloudguard tab in the infinity portal with an on prem manager and cloudguard fw/ips gw.  Does it only integrate with smart-1 cloud?   Will all of the options below work with an on prem manager?

cloudguard controller

cloudguard network

cloudguard posture management

cloudguard workload

cloudguard shiftleft

cloudguard Intelligence

cloudguard WAF

No it is a separate licensed product unrelated to NGFW and is a standalone SaaS solution in it's own right tackling other aspects of cloud security.

Smart-1 Cloud like on-prem Smart-1 management is for Firewall Management (physical or virtual).

If it is still unclear please provide a screenshot so I can see how the confusion has come about other than the "cloud" reference which merely indicates the portfolio categorization to which it belongs.

I believe what @Chris_Atkinson is saying is that those cloudguard firewalls CAN be managed by either regular or S1C mgmt server...

Andy

I know cloudguard IPS/fw can be managed by either smart-1 or on prem managers.

That's NOT what this post is about.

I'm asking about the tools in the cloudguard portal and IF it matters that the manager is on prem.

RE:

cloudguard controller

cloudguard network

cloudguard posture management

cloudguard workload

cloudguard shiftleft

cloudguard Intelligence

cloudguard WAF

Now I get it! That Im not sure, lets see what Chris says.

Andy

Your existing firewall management is unrelated to most all of those items except:

Cloudguard network = virtual NGFW managed by your choice of Mgmt.

Cloudguard controller is part of the management and integrates with the cloud environment to provide dynamic updates of policy objects e.g. VM to IP mappings.

It sounds like my on prem manager should integrate with the cloud guard tab in the infinity portal, but when I try to add my on prem account for licensing it's not letting me pick that account.   I'll call account services for some direction.

This is not the case in my experience, they're separately licensed solutions vs gateway/management with no  interelationship to them.

Suggest reaching out to your local SE to walk through what your trying to do and ultimately understand you requirements better.

My understanding is that these cloudguard tools on the portal work with both the the gateway and the manager, after the licensing is in place.

RE:

cloudguard controller

cloudguard network

cloudguard posture management

cloudguard workload

cloudguard shiftleft

cloudguard Intelligence

cloudguard WAF

No only the first two as "terms" have any relevance to an existing on-prem Management

Hey @Chris_Atkinson 

Apologies if this will sound like a dumb question, pardon my ignorance, but reading below link, sounds like you just integrate controller say into existing on prem management or am I missing something?

Andy

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CloudGuard_Controller_AdminG...

Correct for that specific component but not all "Cloudguard" named items are related to a Security Gateway or Smart-1 Management.

So is this the part that would be mandatory?

Andy

Not for Cloudguard no, that is relevant only to the items shown beneath it e.g. SD-WAN.

Now we are getting somewhere.  Ok, so with the an on prem manager and cloudguard network (the AWS gw) these tools aren't going to work?  I'm surprised because I've used load balancing software on the on prem manager to pull objects down and for autoscaling integration.   Oh, that's controller...  The compliance blade works as well from an on prem manager but that must also be a separate integration from CSPM.   That may just exist as a seperate tool   Maybe cspm doesn't work with an on prem manager.

These tools won't work with an on prem manager

cloudguard posture management

cloudguard workload

cloudguard shiftleft

cloudguard Intelligence

cloudguard WAF

Other

I think sdwan may not work either with on prem manager/cloud gw.

Thats precisely mu understanding as well based on what Chris said.

Suggest having a session with your local SE so you can better understand how each is used.

Not every product Check Point provides is related to SmartConsole, hope this much is clear. 

Sd-wan, most certainly is a gateway feature and this involves integration between infinity portal and the management.

Below is what they gave me for a customer who was using CP in Azure last year, hope it helps.

Andy

--------------------------------------------------
If you are a Licenser or Admin on the machine's account, please follow the below steps in order to license your product:
 
Please note that this is broken down into 3 stages:
 
A. Generate the license
B. Install the license
C. Update contracts file 
-------------------------------------------------------------------------------------------
A. Generate the license:

1. Login to your UC user > Click "Assets/Info" / "My Check Point" > Click "Product Center" > Select your account(s) from the "Selected Accounts" menu and click Done.
2. Check the box to the left of the line item(s) that require a license generation.
3. Click "License" button that has the key icon.
4. Choose 'Central' license and input the MGMT IP that manages the vSec gateway(s)
5. Complete the rest of the required fields (marked with an asterisk)
6. Click "Activate" button (if re-licensing a product, option will be "Change")
7. Click "Get License Information" and copy the two commands that begin with 'cplic put ...' aside
 ------------------------------------------------------------------------------------------
B. Install the license:

1. Open SSH to the MGMT in expert mode
2. Paste the command which is labeled "For the Security Management Server"
3. Run the command "vsec_lic_cli on"
4. Run the command "vsec_lic_cli"
5. Choose option 1 (Add license)
6. Paste the command labeled "For the Security Gateway:" without the parts "cplic put" and "[module name]".
Example:
1.2.3.4 never dUy6trBX8-jmVyWKQSX-xzdTkVFVT-76nMEXDks cpsg-ve+8 cpsb-base cpsb-fw cpsm-c-2 cpsb-vpn cpsb-adnc cpsb-npm cpsb-logs cpsb-ips cpsb-av cpsb-urlf cpsb-apcl cpsb-aspm cpsb-abot-s cpsb-ctnt CK-ABCDEF1234567
7. The license should be distributed to the GW's - if not manage the distribution through the other commands in "vsec_lic_cli", for more information see:
sk109713

The admin guide:
https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Central_License_Tool_Admin...
-------------------------------------------------------------------------------------------
C. Update Contracts File:

1. Login to your UC user
2. Click "Assets/Info"/"My Check Point" > Click "Download Contract File".
3. In the section titled "Service Contract File Download", select the Account(s) you need your Service Contract File for.
4. Select "Email File" or "Download Now".
5. Login to SmartUpdate
6. From the menu:  select "Licenses & Contracts" > "Update Contracts > "Import File"
7. Browse to the directory where the file is located and click "Open"
8. The file will be added to the respective certificate key(s) 
 
​​​​​​​Finally, to verify the file was successfully installed, run 'cplic print -x' on the command line.