Daniel_Kavan
Advisor

cloudguard on infinity portal

Hi Mates,

What exactly is the cloudguard section of infinity portal for? For cloud gateway management, or is there a separate cloud manager for AWS/Azure gws?

We have a cloudguard gw being managed by an on prem dedicated manager, just managing this gw. However I suspect infinity portal cloudguard section is for just that. Can someone confirm that cloudguard management (the cloudguard section of infinity portal) IS the cloudguard cloud manager. It seems like there's more features with cloudguard management on the infinity portal than having on prem listed below.

It's confusing because the gw is called cloud guard and the section in infinity is also cloudguard, not cloudguard manager.

Features.

cloudguard controller

cloudguard network

cloudguard posture management

cloudguard workload

cloudguard shiftleft

cloudguard Intelligence

cloudguard WAF

 

the_rock
Legend

Cloudguard has nothing to do with management server, it's totally different. I believe it's mostly referring to cloud applications, similar to what most vendors nowadays call SASE, CP has it, PAN, Fortinet, Aruba...

Andy

Chris_Atkinson
Employee

Cloudguard in this context is CNAPP & WAF etc.

Smart-1 Cloud is the "as a service" management option you are likely after in the portal. This is not dedicated to managing Cloudguard Network Security Gateways as it can also manage typical on-prem Quantum & Spark gateways.

CCSM R77/R80/ELITE
Daniel_Kavan
Advisor

So, there is a separate manager for the cloud, smart-1 and there is a separate gateway called cloudguard for firewall and IPS, what is the tab in infinity portal then for?     Is it a tool that complements the manager and gw to provide these additional features?  If so, can the cloudguard tab on infinity portal be integrated with both the cloud smart-1  manager & the on prem manager or just smart-1? 

 

Features.

cloudguard controller

cloudguard network

cloudguard posture management

cloudguard workload

cloudguard shiftleft

cloudguard Intelligence

cloudguard WAF

 

Chris_Atkinson
Employee

Cloudguard Firewalls can be managed by the same security management as your on-prem firewalls, separate management isn't mandatory (Smart-1 Cloud is just an option here as is hosting a management VM on Azure / VMware or running a Smart-1 appliance etc). Cloudguard controller is a component that allows the security policy of the gateway to be dynamically updated with cloud  objects such as items in your AWS or Azure environment.

Cloudguard in the infinity portal context is a separately licensed set of products different from the Firewall/IPS. Many of these deal with the native configuration / compliance & security of the cloud environment itself not a virtual firewall appliance.

Hope that helps to make it clearer?

CCSM R77/R80/ELITE
Daniel_Kavan
Advisor

Thanks Chris,

It's still not clear I can use the cloudguard tab in the infinity portal with an on prem manager and cloudguard fw/ips gw.  Does it only integrate with smart-1 cloud?   Will all of the options below work with an on prem manager?

 

cloudguard controller

cloudguard network

cloudguard posture management

cloudguard workload

cloudguard shiftleft

cloudguard Intelligence

cloudguard WAF

Chris_Atkinson
Employee

No, it is a separate licensed product unrelated to NGFW and is a standalone SaaS solution in its own right tackling other aspects of cloud security.

Smart-1 Cloud like on-prem Smart-1 management is for Firewall Management (physical or virtual).

If it is still unclear please provide a screenshot so I can see how the confusion has come about other than the "cloud" reference which merely indicates the portfolio categorization to which it belongs.

CCSM R77/R80/ELITE
the_rock
Legend

I believe what @Chris_Atkinson is saying is that those cloudguard firewalls CAN be managed by either regular or S1C mgmt server...

Andy

Daniel_Kavan
Advisor

I know cloudguard IPS/fw can be managed by either smart-1 or on prem managers.

That's NOT what this post is about.

I'm asking about the tools in the cloudguard portal and IF it matters that the manager is on prem.

RE:

cloudguard controller

cloudguard network

cloudguard posture management

cloudguard workload

cloudguard shiftleft

cloudguard Intelligence

cloudguard WAF

the_rock
Legend

Now I get it! That I'm not sure, let's see what Chris says.

Andy

Chris_Atkinson
Employee

Your existing firewall management is unrelated to most all of those items except:

Cloudguard network = virtual NGFW managed by your choice of Mgmt.

Cloudguard controller is part of the management and integrates with the cloud environment to provide dynamic updates of policy objects e.g. VM to IP mappings.

CCSM R77/R80/ELITE
Daniel_Kavan
Advisor

It sounds like my on prem manager should integrate with the cloud guard tab in the infinity portal, but when I try to add my on prem account for licensing it's not letting me pick that account.   I'll call account services for some direction.

Chris_Atkinson
Employee

This is not the case in my experience, they're separately licensed solutions vs gateway/management with no interrelationship to them.

Suggest reaching out to your local SE to walk through what you're trying to do and ultimately understand your requirements better.

CCSM R77/R80/ELITE
Daniel_Kavan
Advisor

My understanding is that these cloudguard tools on the portal work with both the gateway and the manager, after the licensing is in place.

 

RE:

cloudguard controller

cloudguard network

cloudguard posture management

cloudguard workload

cloudguard shiftleft

cloudguard Intelligence

cloudguard WAF

Chris_Atkinson
Employee

No only the first two as "terms" have any relevance to an existing on-prem Management

CCSM R77/R80/ELITE
the_rock
Legend

Hey @Chris_Atkinson 

Apologies if this will sound like a dumb question, pardon my ignorance, but reading below link, sounds like you just integrate controller say into existing on prem management or am I missing something?

Andy

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CloudGuard_Controller_AdminG...

Chris_Atkinson
Employee

Correct for that specific component but not all "Cloudguard" named items are related to a Security Gateway or Smart-1 Management.

CCSM R77/R80/ELITE
the_rock
Legend

So is this the part that would be mandatory?

Andy

 

Screenshot_1.png

Chris_Atkinson
Employee

Not for Cloudguard no, that is relevant only to the items shown beneath it e.g. SD-WAN.

CCSM R77/R80/ELITE
Daniel_Kavan
Advisor

Now we are getting somewhere. Ok, so with an on prem manager and cloudguard network (the AWS gw) these tools aren't going to work? I'm surprised because I've used load balancing software on the on prem manager to pull objects down and for autoscaling integration. Oh, that's controller... The compliance blade works as well from an on prem manager but that must also be a separate integration from CSPM. That may just exist as a separate tool. Maybe cspm doesn't work with an on prem manager.

These tools won't work with an on prem manager

cloudguard posture management

cloudguard workload

cloudguard shiftleft

cloudguard Intelligence

cloudguard WAF

 

Other

I think sdwan may not work either with on prem manager/cloud gw.

the_rock
Legend

That's precisely my understanding as well based on what Chris said.

Chris_Atkinson
Employee

Suggest having a session with your local SE so you can better understand how each is used.

Not every product Check Point provides is related to SmartConsole, hope this much is clear. 

Sd-wan, most certainly is a gateway feature and this involves integration between infinity portal and the management.

CCSM R77/R80/ELITE
the_rock
Legend

Below is what they gave me for a customer who was using CP in Azure last year, hope it helps.

Andy

 

--------------------------------------------------
If you are a Licenser or Admin on the machine's account, please follow the below steps in order to license your product:
 
Please note that this is broken down into 3 stages:
 
A. Generate the license
B. Install the license
C. Update contracts file 
-------------------------------------------------------------------------------------------
A. Generate the license:

1. Login to your UC user > Click "Assets/Info" / "My Check Point" > Click "Product Center" > Select your account(s) from the "Selected Accounts" menu and click Done.
2. Check the box to the left of the line item(s) that require a license generation.
3. Click "License" button that has the key icon.
4. Choose 'Central' license and input the MGMT IP that manages the vSec gateway(s)
5. Complete the rest of the required fields (marked with an asterisk)
6. Click "Activate" button (if re-licensing a product, option will be "Change")
7. Click "Get License Information" and copy the two commands that begin with 'cplic put ...' aside
 ------------------------------------------------------------------------------------------
B. Install the license:

1. Open SSH to the MGMT in expert mode
2. Paste the command which is labeled "For the Security Management Server"
3. Run the command "vsec_lic_cli on"
4. Run the command "vsec_lic_cli"
5. Choose option 1 (Add license)
6. Paste the command labeled "For the Security Gateway:" without the parts "cplic put" and "[module name]".
Example:
1.2.3.4 never dUy6trBX8-jmVyWKQSX-xzdTkVFVT-76nMEXDks cpsg-ve+8 cpsb-base cpsb-fw cpsm-c-2 cpsb-vpn cpsb-adnc cpsb-npm cpsb-logs cpsb-ips cpsb-av cpsb-urlf cpsb-apcl cpsb-aspm cpsb-abot-s cpsb-ctnt CK-ABCDEF1234567
7. The license should be distributed to the GW's - if not manage the distribution through the other commands in "vsec_lic_cli", for more information see:
sk109713

The admin guide:
https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Central_License_Tool_Admin...
-------------------------------------------------------------------------------------------
C. Update Contracts File:

1. Login to your UC user
2. Click "Assets/Info"/"My Check Point" > Click "Download Contract File".
3. In the section titled "Service Contract File Download", select the Account(s) you need your Service Contract File for.
4. Select "Email File" or "Download Now".
5. Login to SmartUpdate
6. From the menu: select "Licenses & Contracts" > "Update Contracts" > "Import File"
7. Browse to the directory where the file is located and click "Open"
8. The file will be added to the respective certificate key(s)

Finally, to verify the file was successfully installed, run 'cplic print -x' on the command line.

the_rock
Legend

Chris explained it way better than I did.

Andy
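
Step B.6 of the licensing procedure posted above, done as a shell function instead of by hand; this is an added example, not part of the thread or of any Check Point tooling. It drops `cplic put` and the module name and sanity-checks what is left before it is pasted into `vsec_lic_cli`. The function name, the sample line and the field layout it checks (IP, expiration, signature, features, `CK-` key) are assumptions inferred from the example line in that step.

```shell
#!/bin/sh
# Added example (not from the thread). The field layout checked here
# (IP, expiration, signature, features..., CK-...) is inferred from the
# sample line in step B.6, not from vendor documentation.

# vsec_license_string LINE [EXPECTED_MGMT_IP]
# Prints the text to paste into vsec_lic_cli option 1 (Add license),
# or prints a reason on stderr and returns non-zero.
vsec_license_string() {
    printf '%s\n' "$1" | awk -v want_ip="$2" '
        function fail(msg) { print "error: " msg > "/dev/stderr"; exit 1 }
        $1 != "cplic" || $2 != "put" { fail("line does not start with cplic put") }
        {
            # The first IPv4-looking field starts the license string; whatever
            # sits between "cplic put" and it is the module name and is dropped.
            for (i = 3; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { start = i; break }
            if (!start) fail("no IP address field found")
            # A truncated paste loses the trailing features or the CK- key.
            if (NF - start + 1 < 5) fail("too few fields after the IP")
            if ($NF !~ /^CK-/) fail("last field is not a CK- certificate key")
            # A central license is bound to the MGMT IP entered in step A.4.
            if (want_ip != "" && $start != want_ip)
                fail("license IP " $start " is not the expected MGMT IP")
            out = $start
            for (i = start + 1; i <= NF; i++) out = out " " $i
            print out
        }'
}

# Constructed sample: hypothetical module name and a placeholder signature,
# not a real license.
SAMPLE='cplic put gw-azure-1 1.2.3.4 never aaaaaaaaa-bbbbbbbbb-ccccccccc-ddddddddd cpsg-ve+8 cpsb-fw CK-ABCDEF1234567'
vsec_license_string "$SAMPLE" 1.2.3.4
```

Passing the MGMT IP as the second argument catches a license generated against the wrong address before it reaches the gateway.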
