CloudGuard IaaS

CloudGuard IaaS is Check Point's solution for Public Cloud Network Security.

Michael_Thompso inside CloudGuard IaaS Wednesday
Enable Monitoring Blade on Cloudguard through API

Hello everyone,

I am using the CME service to provision my scaleset and autoscaling group gateways in Azure and AWS respectively. How can I enable the Monitoring Blade on newly provisioned gateways through the CME? I know that if a feature can be configured using set-simple-gateway it should be configurable using the CME service, but in this case I don't see an option to enable the Monitoring Blade. How can I configure this?

Thanks
BLD inside CloudGuard IaaS a week ago
Migrate from AWS vSEC R80.10 to R80.30

We have been using vSEC R80.10 successfully in AWS. One instance with both gateway and management. We got a notice that it will no longer be supported, so we got the new R80.30 AMI from the AWS Marketplace. We activated our licenses but it seems the new AMI does not include the management server. It says in the marketplace description:

"This BYOL distributed security gateway is managed from a central Security Management Server, which provides consistent security policy management, enforcement, and reporting AWS and hybrid deployments within a single pane of glass. The Security Management Server is not included in this offering. Please choose one of the CloudGuard IaaS Security Management offerings in AWS Marketplace."

Does this mean we now have to run TWO EC2 instances instead of one? This would double operating costs. Any help to clarify this will be greatly appreciated.
Nicholas_Sherid inside CloudGuard IaaS a week ago
Data Center Object Enforcement in Azure

Hi forum!

My management server has been integrated with Azure (I set up the data centre server). I can read all the objects in Azure. (I'm running R80.10 gateway and mgt.) I have set up Identity Awareness too. My gateways are not enforcing the rules I have created with data centre objects! Everything looks perfect on the management server, I can even see the IP addresses dynamically associated with the tags!! I need some help figuring out why the gateways are not enforcing the rules. I have looked all over for this - and I have a case raised, but TAC have gone a bit quiet! Can anyone help me with locating the documentation for this? I have looked everywhere. When I do a "pep show user all" (not sure if this shows output on Azure integration) I get nothing on the gateway - which makes sense. Are there any logfiles? I have checked /var/log/messages - nothing!

Thanks!
inside CloudGuard IaaS a week ago
Upgrading a Checkpoint Cloudguard VMSS (Scaleset) from R80.20 --> R80.30 in Azure

Cross-posting from "General Management Topics". As R80.10 and R80.20 images are soon to be delisted from the Azure Marketplace, I put together a step-by-step guide with screenshots on how to upgrade a CloudGuard VMSS (Scale Set) from R80.20 to R80.30 in Microsoft Azure - with R80.20 Management. This "how-to" is based on the new procedure from the Admin Guide which you can find here: Your feedback and comments are appreciated. Find original post below.
inside CloudGuard IaaS 2 weeks ago
R80.10 CloudGuard IaaS High Availability for Microsoft Azure

Most current version of this document will be here: Check Point CloudGuard IaaS High Availability for Microsoft Azure R80.10 Deployment Guide 
inside CloudGuard IaaS 2 weeks ago
CloudGuard IaaS Product Announcement - Cloud Management Extension (CME) Take 66 Release

Hi,

I'm happy to inform you of our latest update of Cloud Management Extension (CME), Take 66. In this release, you can find:

For Azure
- Improved handling of API request throttling in Azure
- Minor fixes

For AWS
- Autoscaling: integration with Network Load Balancer new listeners - UDP and UDP_TCP
- Transit VPC: spoke-routes and export-routes are now configured via the autoprov_cfg tool
- TGW: GW can be configured to re-advertise desired spoke routes over BGP back to the TGW (for Direct Connect)
- TGW: Gateways can be configured to automatically set static routes on their instance route table

For all platforms
- Set a prefix to all SmartConsole objects created by the CME. For more information type 'autoprov_cfg set template -h' and look under '-pn'
- Added the CME take number to version information (through 'autoprov_cfg -v' and cme_menu)
- Fixed degradation inserted in Take 55 - Custom gateway script (-cg flag) is now supported on AWS and GCP and not just Azure

Please note that a new limitation was added - the Automatic HF deployment and "set a prefix to all SmartConsole objects" features cannot be activated in parallel for the same controller.

Download Information:
CME is provided as a CPUSE package and available for online or offline installation. Follow the installation instructions in sk157492 to install or update CME.

Related SKs/Documentation:
- sk157492 – CME (Cloud Management Extension) for CloudGuard Latest Updates
- CME Admin Guide
- sk139213 – CloudGuard for NSX-T: Service Insertion at the Edge & Service Chaining
- CloudGuard for NSX-T
rohan_savant inside CloudGuard IaaS 2 weeks ago
Can i import an Internal ELB from aws and use it in the NAT and security policy

We are trying to set up an internal ALB and NAT to the public IP of the on-prem firewall, so any inbound connections coming to the public IP get NAT'ed and go to the internal ALB via VPN and VGW. I do not see any load balancers when I import objects using CloudGuard Controller.
Everest_Aponte inside CloudGuard IaaS 2 weeks ago
Announce networks behind remote peer VPN to Virtual Network Gateway. Azure

Hello Everybody,

I have the following request. We have an environment on Azure (R80.20 Cluster) and access to on-premises networks through ExpressRoute. We're configuring a VPN tunnel using VTIs with a 3rd party (Cisco). So, I would like to know if it is possible to announce the networks behind the remote peer VPN, for example ( on my virtual network gateway, in order to announce them over BGP to the on-premises networks.

Thank you so much for your attention and comments.

Best regards,
Everest
Andreas_Ahrnby inside CloudGuard IaaS 3 weeks ago
CloudGuard for NSX

Hi, I'm running a few CloudGuard for NSX instances with the latest template (R80.10). Is it possible to update the gateways to get the latest "take" through CPUSE? Is there any knowledge of when a new template with R80.20 or R80.30 will be available?
Adrian_Dittmann inside CloudGuard IaaS 3 weeks ago
Support for Datacenter Objects in NAT Policy and Network Groups

Hello guys, I hope I chose the right forum.

We have connected a Cisco ACI to an R80.20 Management System and are using dynamic Data Center Objects in the Firewall Policy. sk128612 says that Data Center Objects are not supported in NAT Policy and Network Groups. This considerably limits the function of the ACI for us. Will this "known limitation" be fixed in the future, or is it not possible from the technical point of view? I am looking forward to your answers!

Best regards,
Adrian
inside CloudGuard IaaS 4 weeks ago
Building Infrastructure as Code (IaC) with Terraform and vSEC

This video presents best practices on protecting dynamic infrastructures managed as code by aligning the Check Point Infinity architecture to the requirements of next generation data center operations. Enjoy!
Abhishek_Kumar1 inside CloudGuard IaaS 4 weeks ago
Static NAT configuration with Load balancer in Azure vSEC

Hi All, we have R80.20 deployed on Azure Cloud, and we have to configure Static NAT for multiple servers. Requests come in on 443 and SSH, and we have approx. 100 servers which need Static NAT configured. Can we configure this the same as in AWS, where we can add a secondary IP on both firewalls and attach a public IP to the firewall external subnet through the load balancer and configure static NAT? Or do we have any other option? Please provide me a solution for the same.

Regards,
Abhishek
Abhishek_Singh1 inside CloudGuard IaaS 4 weeks ago
Azure VMSS R80.30 issue

Hi Mates,

I have deployed the VMSS solution with custom blades and everything looks fine from the management, gateway and policy perspective. On the day of the actual cutover of traffic from the traditional cluster to the VMSS LB, it failed really bad 🙂. The traffic we are testing is East-West, with no NAT needed. On investigation, I could see the initial traffic reaching the destination server and the response coming to my VMSS gateway... But for some reason the response / reply is not reaching the source machine. (And I know it's not an LB persistence issue, since I added persistence with client IP & port -> all the traffic is passing through one gateway.) I have checked all the routing, NSG, etc. --- everything is pretty much the same, since we are just changing the routes to point to the new VMSS LB instead of the old cluster LB... I can see that eth0 in the VMSS instance has IP forwarding as false in Azure, and also eth1 does not have the default NSG attached... Is this correct?? Anyone faced the same issue?? Do let me know if I am missing something in the VMSS deployment.

Tx, Abhishek
andy_currigan inside CloudGuard IaaS a month ago
Cloudguard backend routing problem

We're installing a CloudGuard IaaS High Availability using the latest deployment guide. We experience a problem on the internal routing: the internal load balancer, automatically created with the template, seems not to route the traffic to the CloudGuard appliance. On the management we do not see any traffic logs, but if we configure a cluster IP address on the Check Point backend network using the address that should be configured on the backend-lb (.4), suddenly we see the traffic on the management, even the traffic from the internet... The routing table assigned to the backend subnets and the routing on the Check Point are configured as described in the guide. (Strange that the Check Point routes to a phantom .1 address and the internal subnets route to the backend load balancer IP .4.) Any idea how to debug and solve this problem?

Thanks
Andy
Constantin_Pop inside CloudGuard IaaS 2019-10-16
Azure NIC issues - possibly waagent related

Hi all,

I noticed recurring issues with the Azure CP R80.20 cluster and was wondering if anyone else had this behavior. Basically the interfaces related to Azure Accelerated Networking unregister and may come up with a different name, which breaks the traffic completely. Although this was supposed to be solved by Jumbo HF take 17, it occurred again. I believe it may be related to the outdated, buggy version of the Microsoft Azure Linux Agent (waagent) v2.2.11 installed on the VM (the last available version is v2.2.42). Now waiting for my SR to be picked up...

Two other issues with the agent that are resolved in the newer version:
- agent's logs filling up the Azure Serial Console making it unusable
- does not use the configured proxy server

Entries in /var/log/messages:
kernel: kernel: hv_netvsc 000d3a25-c27e-000d-3a25-c27e000d3a25 eth0: Data path switched from VF: enP1p0s2
kernel: kernel: hv_netvsc 000d3a25-c27e-000d-3a25-c27e000d3a25 eth0: VF unregistering: enP1p0s2
kernel: kernel: [SIM4];cphwd_api_forward_packet: sim_mgr_prepare_packet failed
kernel: kernel: [SIM4];simlinux_br_port: dev == NULL !!!!!