Offir_Zigelman inside CloudGuard-Dome9 yesterday
Employee

CloudGuard Dome9 Feature Enhancement: IAM Safety

CloudGuard Dome9 IAM Safety is a public cloud Privileged Identity Protection for Amazon Web Services (AWS) IAM users and roles. It provides just-in-time access to the most sensitive operations in AWS. We're now enhancing the capabilities of IAM Safety, with better support for groups and better workflows. The changes include:

- Each IAM user/role can now be controlled by a group of Dome9 users, and each Dome9 user can control a group of IAM users/roles. These new capabilities would allow real team-based work in IAM Safety. A use case example is explained later.
- Simplified UI, reducing the number of screens to improve usability.
- Enhanced UI capabilities, including multi-select, which would help Dome9 users to be more efficient.
- Added screen to present active permission elevations, to monitor current status.

New Major Use Case: As mentioned above, with the new enhancements it is now possible to work in teams. For example, you can provide the Security Team access to Dome9, and let each team member control the IAM permission elevation of other AWS IAM users (Developers, DevOps and others). When AWS IAM users need to perform an operation restricted by IAM Safety, they can contact one of the Security Team members, explain the need, and ask for permission elevation. The Security Team member can then log in to Dome9 and authorize the permission elevation for the relevant IAM users or roles, for a specified time frame. When the time expires, the IAM restrictions are applied again.

For more information on IAM Safety visit our new documentation site: https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/IAM-Safety/IAM.html
Krishna inside CloudGuard IaaS Monday

The NAT issue on CP firewall deployed in the Azure

We have built a tunnel between the CP firewall (FW1) in Azure and the CP firewall (FW2) on-premise. FW1 is a cluster and has two gateways in it. The IP of gateway 1 is 10.10.10.4, the IP of gateway 2 is 10.10.10.5 and the IP of the cluster is 10.10.10.6. Gateway 1 is active.

The tunnel initiation traffic/Phase 1 traffic is sent by FW2 from port 500 to port 500 of FW1. We have done a packet capture on gateway 1 of FW1 and found that FW1 is receiving the traffic on the cluster IP sent by FW2; both source and destination ports are 500. Gateway 1 of FW1 is replying to FW2 from port 500 to port 500 of FW2. In the next packet, while the gateway 1 IP is getting translated to the cluster IP, i.e. from 10.10.10.4 to 10.10.10.6, the source port is also getting translated from port 500 to a random port. Below are the logs collected from gateway 1:

[vs_0][fw_0] eth0:o[180]: X.X.X.X -> 10.10.10.6 (UDP) len=180 id=20396
UDP: 500 -> 500
[vs_0][fw_0] eth0:o[180]: 10.10.10.4 -> X.X.X.X (UDP) len=180 id=10087
UDP: 500 -> 500
[vs_0][fw_0] eth0:O[180]: 10.10.10.6 -> X.X.X.X (UDP) len=180 id=10087
UDP: 12410 -> 500

Due to this, phase 1 of the tunnel is not getting established and the tunnel is not forming. Kindly provide a solution to this.
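As an added example (my code, not part of the post and not Check Point code), a small Python script that parses fw monitor-style output of the kind quoted above and flags IKE packets whose UDP source port changes between the pre-outbound (o) and post-outbound (O) capture points. The sample lines are constructed from the post, with the peer address X.X.X.X replaced by the documentation address 203.0.113.10; pairing the two copies of a packet by IP id is an assumption that holds when the same packet is seen at both points.

```python
"""Added example (not Check Point code): parse fw monitor-style UDP lines and
flag IKE (UDP/500, UDP/4500) packets whose source port is rewritten between the
pre-outbound (o) and post-outbound (O) capture points."""
import re
from dataclasses import dataclass

# Constructed sample: the three packets from the post. X.X.X.X is replaced by
# the documentation address 203.0.113.10 (assumption; the real peer IP is not
# on the page).
SAMPLE = """\
[vs_0][fw_0] eth0:o[180]: 203.0.113.10 -> 10.10.10.6 (UDP) len=180 id=20396
UDP: 500 -> 500
[vs_0][fw_0] eth0:o[180]: 10.10.10.4 -> 203.0.113.10 (UDP) len=180 id=10087
UDP: 500 -> 500
[vs_0][fw_0] eth0:O[180]: 10.10.10.6 -> 203.0.113.10 (UDP) len=180 id=10087
UDP: 12410 -> 500
"""

HDR = re.compile(
    r"\[vs_\d+\]\[fw_\d+\]\s+(\S+):([iIoO])\[\d+\]:\s+(\S+) -> (\S+) \(UDP\).*?\bid=(\d+)"
)
PORTS = re.compile(r"UDP:\s+(\d+) -> (\d+)")


@dataclass
class Pkt:
    iface: str
    point: str   # i/I = pre/post inbound, o/O = pre/post outbound
    src: str
    dst: str
    ip_id: int   # IP identification field; the same packet keeps it across points
    sport: int
    dport: int


def parse(text):
    """Return one Pkt per header/port line pair; unmatched lines are skipped."""
    pkts, hdr = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            hdr = m.groups()
            continue
        m = PORTS.match(line)
        if m and hdr:
            iface, point, src, dst, ip_id = hdr
            pkts.append(Pkt(iface, point, src, dst, int(ip_id), int(m[1]), int(m[2])))
            hdr = None
    return pkts


def ike_port_rewrites(pkts, ike_ports=(500, 4500)):
    """Pair each post-outbound (O) packet with the pre-outbound (o) packet of
    the same IP id and report IKE packets whose source port changed, as
    (ip_id, src_before, sport_before, src_after, sport_after)."""
    pre = {p.ip_id: p for p in pkts if p.point == "o" and p.sport in ike_ports}
    findings = []
    for p in pkts:
        if p.point == "O" and p.ip_id in pre and pre[p.ip_id].sport != p.sport:
            q = pre[p.ip_id]
            findings.append((p.ip_id, q.src, q.sport, p.src, p.sport))
    return findings


if __name__ == "__main__":
    for f in ike_port_rewrites(parse(SAMPLE)):
        print("IKE source port rewritten: id=%d %s:%d -> %s:%d" % f)
```

An IKE peer expects the responder to answer from UDP/500 (or UDP/4500 once NAT-T has been negotiated), so a source port that differs on the post-outbound copy is exactly the symptom to look for when a hide NAT sits in the path; which NAT rule produces the rewrite is a question for the policy, not for the script.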
Dave_Hollis inside CloudGuard IaaS Saturday

Asymmetric routing with AWS Transit VPC and BGP

I'm setting up a lab environment to get familiar with setting up a Transit VPC architecture at AWS and I think that I have all of the bits working, except I'm getting asymmetric routing on return traffic, thus keeping things from working. If I shut down the vpnt interfaces on one of the transit gateways, everything becomes symmetric and traffic flows freely. I simply can't find what little thing I may have missed that's causing this.

Here's my (fairly typical, I think) setup for this implementation:

- On-prem gateway VM on VMware - BGP AS 65001
- Transit VPC @ AWS (R80.20, built using the CloudFormation template w/ new VPC) - BGP AS 65000
- Spoke VPC (same tenant, added via tags for autoprovisioning to do its magic, which it did) - BGP AS 64512

I stood up an Amazon Linux EC2 host in the spoke VPC as a test destination. If I ping or SSH to it from an on-prem host, it fails, and watching the traffic shows that it goes out the on-prem gateway, hits 'GW1' of the Transit VPC, hits the EC2 host, and the return traffic winds up going through 'GW2' of the Transit VPC and gets dropped with "ICMP reply does not match a previous request" or "First packet isn't SYN" for a TCP connection. If the Transit VPC hosts were ClusterXL, I suspect it would work due to state sync, but these guys are independent, thus the asymmetric issue. Any quick tips on how I solve this? Thanks
Eyal_Fingold inside CloudGuard-Dome9 Saturday
Employee

CloudBots GCP support released

Hi all, We've just released CloudBots support for GCP. Getting started is easy and info is here.
dantsec inside CloudGuard IaaS Thursday

CloudGuard IaaS VE

We have a customer with CloudGuard IaaS VE (2 vCore) running GW and SMS on the same server/hardware. However, the performance is not satisfactory, so we want to install the SMS on another server/hardware. In this scenario, where the customer has only one standalone GW, is the Next Generation Security Management Software for 5 Gateways license (CPSM-NGSM5) necessary to have the Management on another server/hardware?
Abeja_huhuhu inside CloudGuard IaaS a week ago

BGP does not import route from second peer

Hi Guys,

We are currently configuring Check Point to connect to two BGP peers using different ASes. We have configured route maps to import routes coming from these two ASes with a specific local preference. The local AS number is 138932. We have set up two route map rules as stated below:

set routemap ipv4-new-import id 6 on
set routemap ipv4-new-import id 6 allow
set routemap ipv4-new-import id 6 match as 38182 on
set routemap ipv4-new-import id 6 action localpref 15
set routemap jbix-import id 5 on
set routemap jbix-import id 5 allow
set routemap jbix-import id 5 match as 2.6937 on
set routemap jbix-import id 5 action localpref 10

The issue that we have is that it seems like our Check Point firewall manages to import routes from AS 38182 but not from AS 138009. I can confirm that there are routes being distributed from peer AS 138009, as I can see these routes with state Hidden and Inactive when I run show route bgp all. Below is the output from show bgp peers:

PeerID    AS      Routes   ActRts   State        InUpds   OutUpds   Uptime
x.x.x.x   38182   782587   782585   Established  139987   1         00:22:32
y.y.y.y   2.6937  66241    0        Established  12965    1         00:25:08

We tried to simulate AS 38182 as down and still the routes from AS 138009 are not being imported. I did try to change the route map from using match AS number to match nexthop, but still with no luck. I have also tried to disable the route map and use an inbound route filter instead, but am still not able to import routes coming from AS 138009.

Would appreciate it if anyone could help on this.
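An added example (my code, not the poster's configuration and not Gaia code): the post refers to the second peer both as AS 138009 and as 2.6937. Those are the same 32-bit ASN in asplain and asdot notation (2 * 65536 + 6937 = 138009), and the peer table prints it in asdot. The script converts between the two notations and runs a small simulated import route map over constructed routes, with the two clauses from the post folded into one map for brevity. The route-map semantics used (clauses evaluated in id order, first match wins, unmatched routes not imported, the match AS compared against the received AS path) are assumptions about typical route-map behaviour, not a statement of how Gaia evaluates them.

```python
"""Added example (not Gaia code): BGP AS number notation and a minimal
import route-map simulation. Routes and semantics below are constructed."""


def asdot_to_asplain(asn):
    """'2.6937' (asdot) -> 2*65536 + 6937 = 138009. Plain numbers pass through."""
    s = str(asn)
    if "." in s:
        hi, lo = (int(x) for x in s.split(".", 1))
        if not (0 <= hi <= 0xFFFF and 0 <= lo <= 0xFFFF):
            raise ValueError(f"asdot value out of range: {s}")
        return (hi << 16) | lo
    n = int(s)
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of range: {s}")
    return n


def asplain_to_asdot(n):
    """138009 -> '2.6937'; 16-bit ASNs are printed unchanged."""
    return f"{n >> 16}.{n & 0xFFFF}" if n > 0xFFFF else str(n)


# Route-map clauses as written in the post: (id, match AS, local preference).
# Assumed semantics (typical route-map behaviour, not verified against Gaia):
# clauses evaluated in id order, first match wins, no match = not imported.
ROUTE_MAP = [
    (6, "38182", 15),
    (5, "2.6937", 10),
]

# Constructed routes: (prefix, AS path as received from the peer).
ROUTES = [
    ("198.51.100.0/24", [38182, 64500]),
    ("192.0.2.0/24", [138009, 64501]),
    ("203.0.113.0/24", [64496]),
]


def evaluate(routes, route_map):
    """Return {prefix: localpref} for routes accepted by the route map.
    The match AS is normalised to asplain before comparing with the AS path,
    so '2.6937' and 138009 are treated as the same ASN."""
    accepted = {}
    for prefix, as_path in routes:
        for _rule_id, match_as, localpref in sorted(route_map):
            if asdot_to_asplain(match_as) in as_path:
                accepted[prefix] = localpref
                break
    return accepted


if __name__ == "__main__":
    print(asdot_to_asplain("2.6937"), asplain_to_asdot(138932))
    print(evaluate(ROUTES, ROUTE_MAP))
```

Comparing ASNs as normalised integers rather than as strings is the point of the example: a clause whose ASN is written in one notation while the peer's routes carry it in the other can silently fail to match, and the route then falls through to the implicit deny at the end of the map.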
Martin_Valenta inside CloudGuard IaaS a week ago

Revision history for autoprovision-addon

I'm unable to find any SK documenting the autoprovision-addon which is used for deployments in Azure, AWS and GCP. The only reference is a link to AWS, where this addon is stored and available to download. There is no information about current versions and the changes made when the version of the addon is increased.
Offir_Zigelman inside CloudGuard-Dome9 a week ago
Employee

New CloudGuard Dome9 Feature: Alerts tab in Entity Page

We added an Alerts tab for all the protected assets in the Inventory.

Background: The Dome9 Inventory presents all the assets that Dome9 fetches from all onboarded cloud accounts, across all the platforms, in a single place. The inventory includes powerful filtering and export capabilities. For each asset in the inventory we provide an "Asset Page" that presents information on the asset. The page for all supported asset types presents the attributes we retrieve from the cloud platform, and for some assets we present additional information (such as IAM permissions and more).

New Capability: You can now see all the Compliance and Log.ic alerts in the asset page, for all the entity types. This new information makes the asset page the place to see a 360 view of a protected asset. We plan to add additional information to the asset page - stay tuned!
Martins inside CloudGuard-Dome9 2 weeks ago

Why Dome9 doesn't control IAM on Azure?

Hi, I want to understand why Dome9 actually does not support IAM control on Azure. Maybe an API limitation on Azure? Thanks!
cjunior inside CloudGuard-Dome9 2 weeks ago

How Dome9 can help us on serverless architecture?

Hello, Is Dome9 able to give us visibility into PaaS or Kubernetes services, or is it only able to inventory IaaS (EC2, RDS, VM)? I ask because we have accounts that do not have IaaS, and so no items appear in the Inventory and Clarity flow map, for example. Which features does Dome9 have to help us in this kind of environment? Thank you.
Offir_Zigelman inside CloudGuard-Dome9 2 weeks ago
Employee

New CloudGuard Dome9 Feature: Compliance Playground Layout Improvements

We enhanced the Compliance Playground layout, making it more usable for you. The new page layout separates cloud platforms by putting them on their own tabs and adds sorting functionality based on service categories. The cloud provider tab separation applies to all the rule-building screens. Note: there will be no effect on the GSL Builder (GSL Playground) functionality or GSL syntax. For more information on the Compliance Engine you can refer to the documentation site: https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Compliance-and-Governance/Compliance.html
Offir_Zigelman inside CloudGuard-Dome9 2 weeks ago
Employee

New CloudGuard Dome9 Feature: API Key name

CloudGuard Dome9 API Keys now support a name and creation date. API Keys are required for working with the Dome9 REST APIs. These new attributes allow more informative use of the API Keys. It will also be clearer when key rotation (or deletion) may be required. For more information on API Key management see here: Create CloudGuard Dome9 API Key.
Offir_Zigelman inside CloudGuard-Dome9 2 weeks ago
Employee

New Compliance Entity: Azure LogProfile

We added a new Azure entity in the Compliance Engine: LogProfile. Log Profiles are part of the Azure Activity Log, and it is now possible to reason on configurations such as log retention policy, locations, categories and more. We will soon add additional GSL rules to some of the relevant compliance rulesets.
Eyal_Fingold inside CloudGuard-Dome9 2 weeks ago
Employee

CloudBots new version and Azure support released

Hi all, We've just released a new version of CloudBots. CloudBots is an automatic remediation solution for public cloud platforms (AWS and Azure):

- An open source project
- Deployed in your cloud environment
- Powered and curated by Check Point CloudGuard Dome9
- Ensures your cloud environment is protected

Getting started is easy and info is here.
Eyal_Fingold inside CloudGuard-Dome9 2 weeks ago
Employee

AWS Organizations synchronization of accounts and organizational units into Cloud Guard Dome9

Some great work done by Matt Ambroziak that enables a fully automated solution to onboard accounts into Dome9 using three options:

- Simple on-boarding of the AWS account that is running the script
- Cross-account on-boarding of child accounts from a parent AWS account
- AWS Organizations synchronization of accounts and organizational units (OUs) for on-boarding

Check it out; it's open source, so your contribution is appreciated as well: https://github.com/Dome9/onboarding-scripts/tree/master/AWS/full_automation