This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
seanmc12
Contributor
‎2021-09-10 10:25 AM

Cloud Space IP Rules

We are moving some of our resources to AWS cloud space. We've setup rules to allow traffic to/from and from/to internal resources/external resources. The issue we are now seeing is that in the cloud space, their source IP addresses constantly change. We have to go in, look at the logs, see what IPs have changed and update the rules. How are folks setting up rules for cloud sources so that they aren't constantly going in and updating their rule set.

Thanks,

Sean

0 Kudos
6 Replies
Marcel_Gramalla
Advisor
‎2021-09-10 10:45 AM

It really depends on how detailed your rules have to be. One option is to just use small subnets vor every usecase and build the rules based on that. Another option would be to use the AWS Datacenter Object so you could easily use tags etc. on the machines. 

We use both options currently (but GCP and not AWS) and for basic internet access we use the zone Objects so we don't even have to add new subnets to the rulebase.

0 Kudos
seanmc12
Contributor
‎2021-09-10 10:52 AM
In response to Marcel_Gramalla

I'm newer to this. Our rule base has a source IP address and a desination IP address/DNS Name. We aren't given any groups of subnets really to use to create a AWS DC object. Don't recognize what GCP is referencing. Is that global Checkpoint Policy?

Sorry, still tryin to pick this up.

0 Kudos
Marcel_Gramalla
Advisor
‎2021-09-10 01:06 PM
In response to seanmc12

I was talking about the CloudGuard Controller: Supported Data Centers (checkpoint.com)

You can add your AWS credentials (permissions needed are in this document) to a Data Center Object and import resources based on vpc, subnets, tags etc. It looks like this for GCP (Google Cloud Platform):

controller.png

 

You create this Data Center Objects and afterwards you can right-click on it and select "import". Select the resources you want. They are updated automatically. 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-09-10 11:26 AM

This is what Cloud Management Extension (formerly CloudGuard Controller) is designed to solve.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

You can create objects based on their definition in AWS.
Your gateways (on premise and/or in the cloud) will be continually up-to-date with the relevant IP addresses.

0 Kudos
Marcel_Gramalla
Advisor
‎2021-09-10 01:10 PM
In response to PhoneBoy

Was the CME also a part of CloudGuard Controller naming before? Because that is a different feature: Introduction to CloudGuard Controller (checkpoint.com)

CME is for managing the Gateways etc. itself (from what I understand) and CloudGuard Controller is for using actual resources from the Cloud in the rulebase.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-09-10 02:12 PM
In response to Marcel_Gramalla

I believe at one point they were the same, but you're right, they're different.
CloudGuard Controller is definitely what I was thinking of.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top