- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- CloudMates General
- :
- Preserve connectivity allowed by policy when insta...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Preserve connectivity allowed by policy when instance moves from on-prem to cloud
Hi CloudMates!
One of my colleagues has a requirement for a network security solution that an instance (VM) can be migrated (re-provisioned if necessary) from on-prem VMware to AWS or Azure and retain the connectivity allowed by the security policy without having to update or push policy. Let's assume that the policies applied to both the on-premise and Cloud Check Point gateways permit the connectivity, and that the policies are based on security groups containing the VM names.
There are other related requirements such as, if more VMs or Instances of the same type as the first VM are created, they inherit the connectivity, which may favour the use of TAGs rather then names.
A solution using VM TAGs would be ideal. As long as the VM or AWS instance has the TAG "DB server app 17" it should inherit the connectivity of servers with the same TAG.
I had a quick look at the CloudGuard Controller documentation and it seems there is the potential for Check Point to be able to do this.
1. Integration with vCenter, AWS, and Azure
2. Can pull VM name, TAGS from vCenter, AWS, and Azure
3. Can use VM names in a security group, in a policy
As long as the VM admins create or move the instances and use the correct VM names:
1. During a VM migration, the VM object is removed from vCenter with it's old address and appears in AWS with it's new address.
2. After a few minutes, Check Point is updated that the IP address of the VM name has changed, and the migrated VM (now in AWS) inherits the correct connectivity (assumes the correct policies are in place on the AWS Check Points, assumes underlying network connectivity is in place, etc.)
I have a few questions:
1. Is my thinking about this broadly correct?
2. Does anyone do anything like this "in the real world"
3. Are there any caveats to the functionality? Such that a security group or object within it must be picked from a particular "datacenter" which prevents the object migrating from one datacenter to another?
4. Can TAGs be used in security policies in a similar way to VM/instance names?
5. Can you provide any white paper, howto, or SK on this scenario?
6. Would a POC be recommended to validate the expected behaviour?
7. Any other comments/considerations?
At present I'm trying to understand capabilities, and am trying to get a solution that does not depend on VMware NSX-T/NSX Cloud.
Thanks in advance!
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Yes Check Point is able to do so by Data-Center-Query Objects
see in the CloudGuard Controller documentation under the section of Data Center Query Objects:
With Data Center Query Objects, administrators can now create one Query Object based on attributes across multiple data centers. This simplifies the work when administrators create policies for multiple rules, because they only need to use one query object for data center objects from multiple data centers. Furthermore, admins can create the policy even before they configure a data center in SmartConsole. This makes it easier to separate responsibilities between security admins and others teams that possibly need to create data centers in SmartConsole.
For more details and examples see:
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Yes Check Point is able to do so by Data-Center-Query Objects
see in the CloudGuard Controller documentation under the section of Data Center Query Objects:
With Data Center Query Objects, administrators can now create one Query Object based on attributes across multiple data centers. This simplifies the work when administrators create policies for multiple rules, because they only need to use one query object for data center objects from multiple data centers. Furthermore, admins can create the policy even before they configure a data center in SmartConsole. This makes it easier to separate responsibilities between security admins and others teams that possibly need to create data centers in SmartConsole.
For more details and examples see:
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yehuda, thanks very much for confirming this!
Cheers,
Andrew