seanmc12
Contributor

Cloud Space IP Rules

We are moving some of our resources to AWS cloud space. We've set up rules to allow traffic to/from and from/to internal resources/external resources. The issue we are now seeing is that in the cloud space, their source IP addresses constantly change. We have to go in, look at the logs, see what IPs have changed and update the rules. How are folks setting up rules for cloud sources so that they aren't constantly going in and updating their rule set?

Thanks,

Sean

0 Kudos
6 Replies
Marcel_Gramalla
Advisor

It really depends on how detailed your rules have to be. One option is to just use small subnets for every use case and build the rules based on that. Another option would be to use the AWS Datacenter Object so you could easily use tags etc. on the machines.

We use both options currently (but GCP and not AWS) and for basic internet access we use the zone Objects so we don't even have to add new subnets to the rulebase.

0 Kudos
seanmc12
Contributor

I'm newer to this. Our rule base has a source IP address and a destination IP address/DNS Name. We aren't given any groups of subnets really to use to create an AWS DC object. Don't recognize what GCP is referencing. Is that global Checkpoint Policy?

Sorry, still trying to pick this up.

0 Kudos
Marcel_Gramalla
Advisor

I was talking about the CloudGuard Controller: Supported Data Centers (checkpoint.com)

You can add your AWS credentials (permissions needed are in this document) to a Data Center Object and import resources based on vpc, subnets, tags etc. It looks like this for GCP (Google Cloud Platform):

[Screenshot: controller.png]

You create these Data Center Objects and afterwards you can right-click on one and select "import". Select the resources you want. They are updated automatically.

0 Kudos
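To make the tag-based approach Marcel describes concrete: the point of a Data Center object is that the rule references a cloud attribute (a tag, a VPC, a subnet) and the controller re-resolves that attribute to whatever IPs the matching instances have right now, so nobody has to read logs and patch addresses by hand. The script below is an added illustration written for this thread, not Check Point's or AWS's code. It assumes only the documented response shape of EC2 DescribeInstances (what `boto3` returns from `ec2.describe_instances()`), resolves a hypothetical object "Role=web in vpc-0a" to an IP set, and diffs two snapshots to show the churn the rule no longer has to care about. Both snapshots are constructed sample data, not output from a real account.

```python
"""Resolve a tag-based "data center object" to its current IP set and diff two
snapshots. Added example for this thread; not Check Point or AWS code.

Input is the response shape of EC2 DescribeInstances, i.e. what
``boto3.client("ec2").describe_instances(...)`` returns. The snapshots below
are constructed sample data so the script runs offline.
"""
import ipaddress
from typing import Dict, List, Optional, Set


def matches_tags(instance: dict, wanted: Dict[str, str]) -> bool:
    """True if every wanted Key=Value pair is present in the instance's Tags."""
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    return all(tags.get(k) == v for k, v in wanted.items())


def resolve_object(describe_response: dict, wanted_tags: Dict[str, str],
                   vpc_id: Optional[str] = None) -> Set[str]:
    """Return every private and public IP of *running* instances whose tags
    match ``wanted_tags`` (optionally restricted to ``vpc_id``).

    Non-running instances are skipped so a terminated host's old address never
    lingers in a rule. Every address is validated with ``ipaddress`` before it
    is returned, so a malformed string can't end up in the rulebase."""
    ips: Set[str] = set()
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            if vpc_id and inst.get("VpcId") != vpc_id:
                continue
            if not matches_tags(inst, wanted_tags):
                continue
            for key in ("PrivateIpAddress", "PublicIpAddress"):
                if inst.get(key):
                    ips.add(inst[key])
            # Secondary private IPs live on the network interfaces.
            for eni in inst.get("NetworkInterfaces", []):
                for addr in eni.get("PrivateIpAddresses", []):
                    ips.add(addr["PrivateIpAddress"])
    return {str(ipaddress.ip_address(ip)) for ip in ips}


def diff_snapshots(old: Set[str], new: Set[str]) -> Dict[str, List[str]]:
    """The manual log-reading step, automated: what changed between two resolves."""
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def _instance(iid: str, state: str, vpc: str, role: str,
              private: str, public: Optional[str] = None) -> dict:
    """Build one constructed instance record in DescribeInstances shape."""
    inst = {
        "InstanceId": iid, "State": {"Name": state}, "VpcId": vpc,
        "Tags": [{"Key": "Role", "Value": role}, {"Key": "Env", "Value": "prod"}],
        "PrivateIpAddress": private,
        "NetworkInterfaces": [{"PrivateIpAddresses": [{"PrivateIpAddress": private}]}],
    }
    if public:
        inst["PublicIpAddress"] = public
    return inst


# Constructed sample data: two points in time for the same account.
SNAPSHOT_T0 = {"Reservations": [{"Instances": [
    _instance("i-web1", "running", "vpc-0a", "web", "10.0.1.10", "203.0.113.10"),
    _instance("i-web2", "running", "vpc-0a", "web", "10.0.1.11"),
    _instance("i-db1", "running", "vpc-0a", "db", "10.0.2.20"),
    _instance("i-old", "terminated", "vpc-0a", "web", "10.0.1.99"),
]}]}
# At T1 the autoscaling group replaced i-web1 with i-web3 on new addresses.
SNAPSHOT_T1 = {"Reservations": [{"Instances": [
    _instance("i-web3", "running", "vpc-0a", "web", "10.0.1.12", "203.0.113.12"),
    _instance("i-web2", "running", "vpc-0a", "web", "10.0.1.11"),
    _instance("i-db1", "running", "vpc-0a", "db", "10.0.2.20"),
]}]}

WEB_OBJECT = {"Role": "web"}  # hypothetical Data Center object definition


def demo() -> Dict[str, List[str]]:
    """Resolve the web object at both times and report what a static rule
    would have needed edited by hand."""
    before = resolve_object(SNAPSHOT_T0, WEB_OBJECT, vpc_id="vpc-0a")
    after = resolve_object(SNAPSHOT_T1, WEB_OBJECT, vpc_id="vpc-0a")
    return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

In production the two snapshots would come from successive `describe_instances` calls made with the read-only IAM credentials the Data Center object is configured with; the rule itself keeps referencing `Role=web` and never needs the addresses in it.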
PhoneBoy
Admin

This is what Cloud Management Extension (formerly CloudGuard Controller) is designed to solve.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

You can create objects based on their definition in AWS.
Your gateways (on premise and/or in the cloud) will be continually up-to-date with the relevant IP addresses.

0 Kudos
Marcel_Gramalla
Advisor

Was the CME also a part of CloudGuard Controller naming before? Because that is a different feature: Introduction to CloudGuard Controller (checkpoint.com)

CME is for managing the Gateways etc. itself (from what I understand) and CloudGuard Controller is for using actual resources from the Cloud in the rulebase.

0 Kudos
PhoneBoy
Admin

I believe at one point they were the same, but you're right, they're different.
CloudGuard Controller is definitely what I was thinking of.

0 Kudos
