AK2
Collaborator

Preserve connectivity allowed by policy when instance moves from on-prem to cloud

Hi CloudMates!

One of my colleagues has a requirement for a network security solution that an instance (VM) can be migrated (re-provisioned if necessary) from on-prem VMware to AWS or Azure and retain the connectivity allowed by the security policy without having to update or push policy. Let's assume that the policies applied to both the on-premise and Cloud Check Point gateways permit the connectivity, and that the policies are based on security groups containing the VM names.

There are other related requirements such as, if more VMs or Instances of the same type as the first VM are created, they inherit the connectivity, which may favour the use of TAGs rather than names.

A solution using VM TAGs would be ideal. As long as the VM or AWS instance has the TAG "DB server app 17" it should inherit the connectivity of servers with the same TAG.

I had a quick look at the CloudGuard Controller documentation and it seems there is the potential for Check Point to be able to do this.

1. Integration with vCenter, AWS, and Azure
2. Can pull VM name, TAGS from vCenter, AWS, and Azure
3. Can use VM names in a security group, in a policy

As long as the VM admins create or move the instances and use the correct VM names:

1. During a VM migration, the VM object is removed from vCenter with its old address and appears in AWS with its new address.
2. After a few minutes, Check Point is updated that the IP address of the VM name has changed, and the migrated VM (now in AWS) inherits the correct connectivity (assumes the correct policies are in place on the AWS Check Points, assumes underlying network connectivity is in place, etc.)

I have a few questions:

1. Is my thinking about this broadly correct?

2. Does anyone do anything like this "in the real world"?

3. Are there any caveats to the functionality? Such that a security group or object within it must be picked from a particular "datacenter" which prevents the object migrating from one datacenter to another?

4. Can TAGs be used in security policies in a similar way to VM/instance names?

5. Can you provide any white paper, howto, or SK on this scenario?

6. Would a POC be recommended to validate the expected behaviour?

7. Any other comments/considerations?

 

At present I'm trying to understand capabilities, and am trying to get a solution that does not depend on VMware NSX-T/NSX Cloud.

Thanks in advance!


Accepted Solutions
Yehuda_Cooper
Employee

Hi, 

Yes, Check Point is able to do so using Data-Center-Query Objects.

See the CloudGuard Controller documentation, under the section on Data Center Query Objects:

With Data Center Query Objects, administrators can now create one Query Object based on attributes across multiple data centers. This simplifies the work when administrators create policies for multiple rules, because they only need to use one query object for data center objects from multiple data centers. Furthermore, admins can create the policy even before they configure a data center in SmartConsole. This makes it easier to separate responsibilities between security admins and other teams that possibly need to create data centers in SmartConsole.

For more details and examples see:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_CloudGuard_Controller_AdminG...  

 

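A conceptual model of the behaviour discussed in this thread, added here as an example; it is not part of the original posts and is not Check Point code or its API. It shows a tag-based query resolving across two inventories, the stale window between a migration and the next poll, and what happens if a query is pinned to one data center. The `Asset`, `QueryObject`, `migrate` names, the `app` tag key, the data-center scoping field and all addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    tags: frozenset            # (key, value) pairs imported from the platform

@dataclass(frozen=True)
class QueryObject:
    """Conceptual stand-in for an attribute-based query; not Check Point's API."""
    name: str
    required_tags: frozenset
    data_centers: Optional[frozenset] = None   # None = all data centers (assumed)

    def resolve(self, inventories):
        """Return the IPs of every asset carrying all required tags."""
        ips = set()
        for dc, assets in inventories.items():
            if self.data_centers is not None and dc not in self.data_centers:
                continue
            ips |= {a.ip for a in assets if self.required_tags <= a.tags}
        return ips

def tags(**kv):
    return frozenset(kv.items())

def migrate(inventories, name, src, dst, new_ip):
    """Re-provision an asset elsewhere: new address, same name and tags."""
    asset = next(a for a in inventories[src] if a.name == name)
    inventories[src] = [a for a in inventories[src] if a.name != name]
    inventories[dst] = inventories[dst] + [Asset(name, new_ip, asset.tags)]

def demo():
    db = tags(app="DB server app 17")
    # Constructed sample inventories (names and addresses are made up).
    inv = {"vcenter": [Asset("db01", "10.1.0.5", db)],
           "aws": [Asset("web01", "172.31.0.9", tags(app="web"))]}
    query = QueryObject("db-servers", db)      # the rule references this; never edited
    enforced = query.resolve(inv)              # gateway view after the last poll
    migrate(inv, "db01", "vcenter", "aws", "172.31.0.20")
    stale = set(enforced)                      # old IP still allowed until next poll
    moved = query.resolve(inv)                 # next poll: new IP, no policy push
    inv["aws"].append(Asset("db02", "172.31.0.21", db))
    scaled = query.resolve(inv)                # same-tag instance inherits access
    pinned = QueryObject("db-onprem", db, frozenset({"vcenter"})).resolve(inv)
    return stale, moved, scaled, pinned        # pinned is empty: scope blocks the move

if __name__ == "__main__":
    print(demo())
```

In this model the tag is the only thing granting connectivity, so who is allowed to set that tag in vCenter, AWS or Azure is part of the access-control boundary and worth covering in a POC.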
AK2
Collaborator

Hi Yehuda, thanks very much for confirming this!

Cheers,

Andrew
