CloudGuard IaaS

CloudGuard IaaS is Check Point's solution for Public Cloud Network Security.

rjpereira inside CloudGuard IaaS 33m ago
views 14 1

Multi-homed EC2: How to force topology for auto-provisioning ?

Hi. I'm using the R80.40 AMI, and have my gateway with eth0 bound to a private subnet and eth1 bound to a public subnet, to which I associate a public EIP. The default setup of this in AWS would create a default gateway for the instance with the default gateway of the private subnet, which is not the desired setup, so during the cloud-init phase I also do:
set static-route default nexthop gateway address off
set static-route default nexthop gateway address on
to switch the default gateway to eth1's default gateway. As far as I understand, CME auto-provisioning uses the private or public address of eth0 _always_, and I want SIC ports to be open on the private subnet, therefore my choice to deploy eth0 on the private subnet and eth1 in the public subnet. With this deployment I can access SSH and HTTPS normally from the internet. The management server detects the new machine and starts to auto-provision it on the private address, but fails because the topology of the two interfaces is set to External (which I also see in SmartConsole). If I switch it in SmartConsole to Internal, everything starts to work automatically. My question: how can I either
a) Do something so that the Gateway doesn't see eth0 as External in my scenario?
or
b) Issue a CLI/bash/... command in cloud-init to change the topology of eth0 to Internal?
Without this, auto-provisioning doesn't work. Thanks
rjpereira inside CloudGuard IaaS yesterday
views 95 4

Missing "config-vpn"

I've deployed the R80.40 AMI in AWS, with a Transit Gateway integration, that should recognize TGW tags and initiate the configuration of site-to-site VPNs with existing gateways. I see in the logs that the management server issues a "config-vpn" command to the gateway, but the reply is "command not found", which I confirm if I log in there via SSH. This config-vpn is also referred to in the documentation (e.g. ). Does anyone know how to make sure that the config-vpn binary is installed on the security gateways? Thanks
natureson inside CloudGuard IaaS yesterday
views 843 6

PPPoE connection problem (CP3200)

Hi Mates, I have a problem with a PPPoE connection to the ISP on my CP3200 HW appliance. Everything works fine on a Cisco router with these settings:
interface Dialer1
mtu 1492
ip address negotiated
ip mtu 1480
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ******@***
ppp chap password 0 ****
ip virtual-reassembly
interface GigabitEthernet0/0/0.20
encapsulation dot1Q 20
ip address 192.168.*.1 nat inside
ip tcp adjust-mss 1196 (*non-standard value, but provided by the ISP and works fine)
ip ospf 1 area 4
ip virtual-reassembly
As you can see, we've set the required parameters (such as adjust-mss and MTUs) and this is working fine on the Cisco router, but I need to connect my ISP connection directly to the CP3200. I've created a PPPoE interface and it connects normally, but the issue is that clients don't have Web access; only pings (ICMP) work fine. Currently we don't have any restrictions in the policy, it is just set to Allow all, and when we use a typical Ethernet interface facing the Internet everything works, but not with PPPoE. So, how can I adjust the MSS values on the interfaces to make HTTP sessions establish normally? Thank you very much.
HeikoAnkenbrand inside CloudGuard IaaS yesterday
views 151 4

Azure CloudGuard IaaS Cluster and BGP question!

Hi Check Point guys, I have an R80.30 Azure Cluster installation. So far everything works 🙂 Now the question appeared whether the firewall cluster can be connected via BGP (not via VPN) using VeloCloud. Because there is always a frontend or backend load balancer for a cluster instance, I am not sure how to implement this. In the manuals and in the knowledge base I didn't find anything about this topic. Now my questions:
- Is BGP supported (without VPN) on a CloudGuard IaaS cluster?
- Where can I find more information on Azure cluster and BGP via VeloCloud integration?
- Do you have an example integration paper?
rjpereira inside CloudGuard IaaS yesterday
views 122 3

Multi-homed R80.40 AWS AMIs

Hi. Would appreciate your guidance on the following scenario. I'm trying to deploy a Security Management and a Gateway in an AWS VPC. My preferred solution would be to have both instances multi-homed in both private and public subnets, where management server<->gateway traffic happens on the private subnet, and management, at least for the time being, is done through the public subnet from public internet addresses. I believe that for CME/self-discovery, instances will try to use eth0, therefore I made eth0 the interface on the private subnet and eth1 is on the public subnet. I've added the default route for the public subnet .1 address, but then ran into the problem of not being able to access the management HTTPS UI or SSH. If we set aside any other potential mistakes that I'm making in the AWS config, what are the config_system parameters (or others) that I need to change to have 22/443 bound on eth1? To make it clear, if I change the order of the network interfaces and make eth0 the public one, I can access them fine. Already in the area of trying things, I already ran "set management interface eth1" in the user data script, but it didn't seem to help... Thanks
Juan_Concepcion inside CloudGuard IaaS yesterday
views 37

AWS R77.30 Cluster to R80.30 Upgrade w/Load Balancer

Recently tasked with upgrading an R77.30 environment built off of sk104249. In attempting to follow this sk there were a couple of manual tasks I was able to turn into 'aws cli' commands, which can then be scripted to reduce the amount of downtime experienced as part of this upgrade. --Juan
rjpereira inside CloudGuard IaaS Monday
views 57

AWS CloudGuard IaaS: Change external interface topology via cli/bash

Hi. I have a deployment of an R80.40 AMI, dual homed, with eth0 on a private subnet and eth1 on a public subnet. In the cloud-init script, I remove the default route from eth0, add it to eth1, and add a static route for on eth0. When the Management server tries to auto-configure it via tagging, it fails saying that "all the interfaces have a EXTERNAL policy, that is not allowed". I confirm that if I go through SmartConsole and change the topology of eth0 to Internal, the error disappears. The problem I have is that I want to script this change using the CLI, or know how I could avoid the problem in the first instance. Any suggestions? Thanks in advance
HeikoAnkenbrand inside CloudGuard IaaS Sunday
views 106 1

R80.30 Azure CloudGuard - Links and SK's

Documentation
- R80.30 Security Management Administration Guide
- R80.20 Security Management Administration Guide
- R80.30 CloudGuard Controller Administration Guide
- R80.20 CloudGuard Controller Administration Guide
- CloudGuard IaaS High Availability R80.10 and above for Microsoft Azure Deployment Guide
- CloudGuard IaaS for Azure Stack
- Virtual Machine Scale Sets (VMSS) for Microsoft Azure Administration Guide
- Check Point CloudGuard IaaS High Availability for Microsoft Azure Deployment Guide
- Check Point for the Microsoft Azure Virtual WAN Quick Start Guide

Interesting SK's
- sk122793 - Deploying a Check Point Cluster in Microsoft Azure - for templates older than 20180301
- sk110194 - Deploying a Check Point Cluster in Microsoft Azure
- sk110313 - Deploying a Check Point Security Gateway in Azure classic
- sk109713 - CloudGuard (vSEC) Central License Management Utility
- sk120157 - CloudGuard / vSEC for Microsoft Azure Stack
- sk115533 - R77.30 Virtual Machine Scale Sets (VMSS) for Azure
- sk102831 - How to deploy a Check Point Security Gateway with a single interface in Microsoft Azure
- sk106144 - How to deploy a Check Point Security Gateway with multiple interfaces in Microsoft Azure
- sk116061 - Installation of CloudGuard / vSEC Controller and CloudGuard / vSEC Gateway in public cloud AWS / Azure
- sk132192 - CloudGuard for Azure Latest Updates
- sk164252 - CloudGuard for Azure Stack Latest Updates
- sk109360 - Check Point Reference Architecture for Azure
- sk110194 - Deploying a Check Point Cluster in Microsoft Azure
- sk110993 - Securing ExpressRoute traffic in Microsoft Azure
- sk123564 - How to find the Check Point SKUs in each Azure location
- sk136315 - Security Hotfix for CloudGuard
- sk146092 - How to find out if a CloudGuard instance or a scale set in Azure is BYOL (bring your own license) or PAYG (pay as you go)
- sk113583 - How to add a network interface to a Check Point Security Gateway in Azure
- sk111089 - Increasing the disk size of a Check Point VM in Azure
- sk115532 - IPS Geo protection based on "X-Forwarded-For" HTTP header in Check Point CloudGuard for AWS / CloudGuard for Azure
- sk161015 - How to upgrade a CloudGuard Management VM to a stronger VM size in Azure
- sk155632 - How to upgrade CloudGuard Management from R80.10 to R80.20 and above in AWS or Azure
Prabulingam_N1 inside CloudGuard IaaS Friday
views 182 2

R80.30 AWS - AutoScaleGW for Outbound traffic from Internal Webservers

Dear CheckMates, I have deployed an R80.30 Mgmt server with CloudGuard controller and R80.30 AutoScale Gateways in AWS. Deployed an External Network LB and an Internal Application LB. Placed an internal Webserver behind the Internal ALB - works fine (inbound traffic from the Internet to the Webserver through the LBs). Now we need to make the outbound traffic from the internal webservers go through the AutoScale GW to the internet so that we can inspect the outbound webserver traffic. Is this feasible? Per sk112575, point 5: "Web clients in private subnets are configured to use an ELB as their HTTP/HTTPS proxy. This Proxy ELB is configured to forward TCP connections to the CloudGuard Auto Scaling group". Per the AWS team they could not make the Internal ALB a proxy. Only with a Classic LB can we create a ProxyProtocolPolicy. Any comments on what to do will be helpful. Regards, Prabulingam.N
Jeff inside CloudGuard IaaS Thursday
views 2306 11

R80.20 vSec license disappearing from the gateway

Hello to everybody. Did anybody try to deploy vSec on R80.20? We have a problem. 1 MNG Server, 2 Gateways (6 Cores total, 2 Cores for one GW and 4 Cores for the other). When trying to install the central license, after several times (30min - several hours) the license from one of those gateways disappears. We tried to use 2 methods:
- #vsec_central_license
- using "pool" like in the admin guide
But nothing helps. We opened a case, but there are no answers from R&D yet. Maybe somebody has encountered this problem.
Ole_Jakobsen inside CloudGuard IaaS a week ago
views 7689 17 3

AWS deployment with VSX on-prem gateway

Hi, I'm trying to do a deployment of CG in an AWS Transit VPC. I have read the guides Transit VPC for AWS R80.10 Deployment Guide and CloudGuard for AWS - Transit VPC Architecture, and I have watched the video Step by Step deployment of automated, multi hub Transit VPC. One thing that is described in every guide is to make a VTI between the on-prem gateway via the Direct Connect (DC) to the gateways in the Transit VPC. My challenge is that the on-prem gateway that is used to connect to the DC is a VS on VSX, where VTI is not supported. (See: VSX supported features on R75.40VS and above) As I understand it, the VTI is primarily used with the BGP peering so the peers are directly connected. Then my solution to the unsupported VTI on VSX is to use BGP multihop so I don't need the VTI. Can any of you see any issues with this solution? I'm looking forward to any reply to this question. Cheers, Ole J
BLD inside CloudGuard IaaS a week ago
views 825 10

Migrate from AWS vSEC R80.10 to R80.30

We have been using vSEC R80.10 successfully in AWS. One instance with both gateway and management. We got a notice that it will no longer be supported, so we got the new R80.30 AMI from the AWS Marketplace. We activated our licenses, but it seems the new AMI does not include the management server. It says in the marketplace description: "This BYOL distributed security gateway is managed from a central Security Management Server, which provides consistent security policy management, enforcement, and reporting AWS and hybrid deployments within a single pane of glass. The Security Management Server is not included in this offering. Please choose one of the CloudGuard IaaS Security Management offerings in AWS Marketplace." Does this mean we now have to run TWO EC2 instances instead of one? This would double operating costs. Any help to clarify this will be greatly appreciated.
J_Saun inside CloudGuard IaaS a week ago
views 195 1

Multiple scale sets in same policy

We have a single management station and 1 scale set. We will be adding 1 additional scale set to our environment. This new scale set will have/need some similar rules as the primary scale set, but it will also require rules that are unique to itself (communication between VLANs that are behind the 2nd scale set). We will be adding a few more scale sets in the future. My question is around the number of policies. I know we can add all the scale sets to the same policy and break things up into sections for the rules that are required on the different scale sets, but my understanding is you don't put the scale set(s) into the 'install on' column. So how is it determined which scale set gets which rules? Also, if we use a single policy, how will we be able to view which rules are installed on which scale set?
inside CloudGuard IaaS 2 weeks ago
views 267 4

CloudGuard IaaS logging to GCP Stackdriver

Hello, looking for some documentation regarding if and how CloudGuard IaaS devices can log to the GCP Stackdriver module in Google Cloud. Is there any related documentation around the topic? Thanks.
Juan_Concepcion inside CloudGuard IaaS 2 weeks ago
views 3060 9 3

Auto Provisioning Multi-Domain Setup

I am attempting to get auto scaling in an MDS environment working, but on the second CMA the tag does not get appended correctly to the Azure members.
Environment:
R80.10 MDS
Auto Scale set is set up for 2 members
Have this going to 1 CMA without issues. Defined a new controller for the second CMA, created new templates, added the templates to the new controllers, specified the domain for the controller and then kicked off the Azure Deployment - the new instances get associated to the correct domain but the tag is not correct.
In the working one I get:
{tags=managed-virtual-gateway|__once__|__generation__|__template__<name>-template}
In the current one I'm only getting:
{tags=managed-virtual-gateway}
Have tried to read the documentation, but where it's split across 2 sk's it's not very clear.