J_Saun
Contributor

How to deploy and configure scale sets in SmartConsole and policies

We are building an environment that has a Checkpoint Manager and several scale sets. The manager and firewalls (scale sets) are all in Azure. The firewall manager and a single scale set have been built (by a different team) and both fw's show up as objects in SmartConsole. It is not clear to me how to add the scale set to a policy within SmartConsole. Additionally, can we have more than one scale set associated with a single policy? Or does each scale set require its own unique policy?

 

Thanks

0 Kudos
7 Replies
Tommy_Forrest
Advisor

The policy is defined in the autoprovisioning json script and not SmartConsole.  Also, you won't set anything in the install on cell in the policy.  Make sure you create the policy before modifying your json script.

FWIW, Autoprovisioning is now Cloud Management Extension (CME).

The json file should live in /var/opt/CPmds-R80/conf/ (for 80.10).  It's safe to cat it, but I wouldn't try to manually edit the file.

autoprov-cfg is the command that would allow you to modify your json file.  See sk120992 for more details.

 

 

0 Kudos
J_Saun
Contributor

I don't seem to have that directory. This is an R80.30 Management station.

 

I reviewed the document in the link below and it doesn't mention modifying a json file:

 

https://community.checkpoint.com/t5/CloudGuard-IaaS/Deploying-Auto-Scaling-CloudGuard-gateways-in-Az...

 

I have a case open with Checkpoint Support and they also stated that a json file needs to be modified (application.json) but it does not exist on the manager.

 

 

0 Kudos
Tommy_Forrest
Advisor

Are you on a MDS platform?

If so, for 80.30 try here:

/var/opt/CPmds-R80.30/conf

You should have autoprovision.json there.

You could also try:  "autoprov-cfg show all" from expert.

 

Here's a sample of what my script looks like:

 

(this part defines the controller(s)):

controllers:
  Azure1:
    class: Azure
    credentials:
      "client_id": "My_Azure_client_ID_here"
      "client_secret": "More_privateclient_stuff_here"
      "grant_type": "client_credentials"
      tenant: My_Azure_tenant_ID
    domain: "CMA_Mine-Mine-Mine"
    subscription: "My_Azure_Sub_ID"
    templates:
    - Azure-DMZ

The controller calls the template, in this case Azure-DMZ.  Here's the template (this will all show up in the same file) note we also enable the blades here:

Azure-DMZ:
  anti-bot: true
  anti-virus: true
  identity-awareness: true
  ips: true
  one-time-password: "My-one-time-password-aka-SIC"
  policy: "Azure_DMZ"
  send-alerts-to-server: "CMA_Mine_Mine_Mine_Log_01"
  send-logs-to-server: "CMA_Mine_Mine_Mine_Log_01"
  version: "R80.20"

In my case, I have an MDS and a MLM, so I define that I want the logs to go to the MLM.

Note the policy line.  That's the policy that will be assigned in the CMA to the autoprovisioned firewalls.  Make sure this policy is created first.  And make sure you have sufficient permits to continue talking to the firewall when that policy first starts so you don't lock yourself out.

When you go to push policy, you'll notice that you don't have to define the gateways like you normally would for a normal new setup.

0 Kudos
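An added example, not part of the thread and not Check Point code: a read-only check that every template a controller references exists and names a policy already created on the manager, plus a redactor that masks the secrets before the configuration is pasted into a forum post or support case. The top-level "controllers"/"templates" JSON layout, the function names and the sample values are assumptions built from the keys in the listing above.

```python
import json

# Secret-bearing keys that appear in the listing quoted in the thread.
SECRET_KEYS = {"client_secret", "one-time-password"}

# Constructed sample; the top-level "controllers"/"templates" layout is an assumption.
SAMPLE = json.loads("""
{
  "controllers": {
    "Azure1": {
      "class": "Azure",
      "credentials": {"client_id": "EXAMPLE-ID", "client_secret": "EXAMPLE-SECRET",
                      "grant_type": "client_credentials", "tenant": "EXAMPLE-TENANT"},
      "subscription": "EXAMPLE-SUB",
      "templates": ["Azure-DMZ", "Azure-Inside"]
    }
  },
  "templates": {
    "Azure-DMZ": {"one-time-password": "EXAMPLE-SIC", "policy": "Azure_DMZ", "version": "R80.20"},
    "Azure-Web": {"one-time-password": "EXAMPLE-SIC", "version": "R80.20"}
  }
}
""")

def redact(node):
    """Return a copy with secret values masked, for sharing outside the team."""
    if isinstance(node, dict):
        return {k: "***REDACTED***" if k in SECRET_KEYS else redact(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node

def lint(cfg, known_policies):
    """List problems that would leave provisioned gateways without a usable policy."""
    problems = []
    templates = cfg.get("templates", {})
    for ctrl, body in sorted(cfg.get("controllers", {}).items()):
        for name in body.get("templates", []):
            if name not in templates:
                problems.append(f"controller {ctrl}: template {name} is not defined")
    for name, tmpl in sorted(templates.items()):
        policy = tmpl.get("policy")
        if not policy:
            problems.append(f"template {name}: no policy set")
        elif policy not in known_policies:
            problems.append(f"template {name}: policy {policy} not created on the manager yet")
    return problems

if __name__ == "__main__":
    print(json.dumps(redact(SAMPLE), indent=2))
    print("\n".join(lint(SAMPLE, known_policies={"Azure_DMZ"})))
```

`known_policies` is supplied by the caller, for example from the list of policy packages visible in SmartConsole; the script only reads the configuration and never writes it.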
J_Saun
Contributor

Thanks. I don't seem to have autoprov-cfg. Is that something I need to install?

0 Kudos
Tommy_Forrest
Advisor

Before we go down this path any further - are you in an MDS based environment?

0 Kudos
J_Saun
Contributor

No. Single R80.30 management station in Azure. Standalone.

0 Kudos
Tommy_Forrest
Advisor

I'll have to defer to someone else.  I've only set up MDS environments.  You may also want to reach out to TAC.

0 Kudos
