Forsaken_61
Explorer

Threat Prevention API Calls to virtual IP & HA

Hi!

So I've some questions regarding High Availability, regarding 2 Security Gateways and a TE appliance on-prem. The goal is to keep the Security Gateways in sync so that they can distribute the load to the TE. The Security Gateway acts as one single interface towards the network using a single virtual IP address.

Is it possible to point the Threat Prevention API to a virtual IP address that is fronting the two security gateways that sit behind it?

I've been testing access to the API against one local security gateway that is connected to a TE in the cloud and it worked fine; I used this syntax to access the API according to the documentation: https://<service_address>:18194/tecloud/api/<version>/file/query

One more question: the HA sync interface alternative for the Security Gateways to keep them in state and synchronised. Is the sync interface option available if the Security Gateways are virtual appliances?

Thanks!

0 Kudos
9 Replies
Hugo_vd_Kooij
Advisor

A drawing would go a long way towards explaining the configuration. The text is rather confusing.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Forsaken_61
Explorer

Sorry for my late response. Let's see if I can come up with some drawings. In the meanwhile:

My idea is to have two separate Security Gateways. Each one of the Security Gateways has a TE appliance connected to it, a local TE appliance.

The Security Gateways are connected to a Management Server where we administrate them. The Gateways are clustered and have one VIP (virtual IP address) that is fronted to the network.

The end user is connecting to the Security Gateways through the Threat Prevention API; the Security Gateways then handle this request by sending the data to the sandboxes.

My question again, then:
- Is it possible to make an API request to the VIP address that fronts the Security Gateways?

The Security Gateways act as ACTIVE/PASSIVE. The TE appliances are ACTIVE/ACTIVE.

Does this make any more sense?

0 Kudos
PhoneBoy
Admin
Admin

TEX appliances cannot be clustered to the best of my knowledge.
However, it is possible to configure the use of multiple TE appliances for redundancy/load balancing: https://support.checkpoint.com/results/sk/sk102309 

0 Kudos
Forsaken_61
Explorer

All right! Do you have any more documentation on HA towards TE appliances?

Do the TE appliances have HA functionality? ACTIVE/ACTIVE perhaps. I want to make sure that both TE appliances are running and can emulate files at the same time.

In front of the TE appliances sit Security Gateways; the Security Gateways are clustered.

0 Kudos
PhoneBoy
Admin
Admin

The SK I linked to tells you how to configure your regular gateways to communicate with more than one Threat Emulation appliance for HA/Load Sharing purposes.
If you are using the API to your local TE appliances, you must address the appliance directly.

0 Kudos
Forsaken_61
Explorer

I read the SK article and I got it.

I'm not going to use the API against the TE appliances directly. The API call will go against the Security Gateway, which will then distribute the load to the TE appliances.

Also, where can I find the LOCAL Threat Prevention API? The Threat Prevention API Reference Guide only references the case where you're using a Security Gateway + SandBlast (CLOUD) or full CLOUD.

For customers that use Security Gateway + TE appliance ON-PREM, there's no API documentation at all.

"The Check Point Threat Prevention API lets you use Threat Prevention products through cloud web services. The request/response API has functionality similar to Next Generation Threat Extraction (NGTX) and SandBlast appliances"

Thanks

0 Kudos
PhoneBoy
Admin
Admin

The API is the same whether you use cloud or on-prem Threat Emulation appliances.
The difference is the API endpoint you call (either our cloud or your local appliance).
Again, the local appliance must be the TE appliance itself (not your cluster).

0 Kudos
Forsaken_61
Explorer

Okay!

Not quite sure what you mean by "the local appliance must be the TE appliance itself".

So now to my scenario where everything is ON-PREM:
Local Security Gateway + Local Threat Emulation appliance

I assume that I point the service_address to the IP of the local gateway here as well? And the Security Gateway will then handle the TE emulation through the Threat Emulation sandbox.

0 Kudos
Forsaken_61
Explorer

One more thing.

This documentation:

https://sc1.checkpoint.com/documents/TPAPI/CP_1.0_ThreatPreventionAPI_APIRefGuide/html_frameset.htm?...

It says "Activate the API with the URL"
https://<service_address>/tecloud/api/<version>/file/<API_name>

Must the <service_address> be the IP of the local gateway? Or can I put in a VIP address of the clustered Gateways?

0 Kudos
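As an added illustration for the two endpoint questions above (the first post's query URL on port 18194 and the last post's URL template), here is a small Python client that fills in the documented template and sends a hash lookup to a local Threat Emulation appliance. This is not code from the thread or from Check Point. Per the admin's reply, the address passed in is the TE appliance itself, not the gateway cluster. The JSON field names (request/sha1/features, response/status/te/combined_verdict) are an assumption taken from the public Threat Prevention API reference rather than from this thread, the host 198.51.100.20 is a placeholder, and the sample response is constructed so the parsing runs offline. The client keeps TLS verification on and expects a CA bundle exported from the appliance instead of disabling certificate checks.

```python
"""Added example: query a local Threat Emulation appliance over the Threat
Prevention API. Not Check Point's code; the JSON field names below are an
assumption based on the public API reference, and the sample response is
constructed for this illustration."""
import json
import ssl
import urllib.request
from typing import Iterable, Optional

TE_LOCAL_PORT = 18194  # port shown in the thread's query URL


def build_api_url(service_address: str, api_name: str = "query",
                  version: str = "v1", port: int = TE_LOCAL_PORT) -> str:
    """Fill in https://<service_address>:<port>/tecloud/api/<version>/file/<API_name>.

    service_address is a bare host or IP; per the admin's reply it must be the
    TE appliance itself, not the gateway cluster VIP.
    """
    if not service_address or any(ch in service_address for ch in "/?#: "):
        raise ValueError("service_address must be a bare hostname or IP")
    return f"https://{service_address}:{port}/tecloud/api/{version}/file/{api_name}"


def build_query_body(sha1: str, features: Iterable[str] = ("te",)) -> dict:
    """Build the hash-lookup body (field names assumed from the API reference)."""
    sha1 = sha1.strip().lower()
    if len(sha1) != 40 or any(ch not in "0123456789abcdef" for ch in sha1):
        raise ValueError("sha1 must be 40 hexadecimal characters")
    return {"request": [{"sha1": sha1, "features": list(features)}]}


def tls_context(ca_bundle: Optional[str]) -> ssl.SSLContext:
    """Verify the appliance certificate against a CA bundle exported from it;
    verification stays on rather than being disabled for a self-signed cert."""
    return ssl.create_default_context(cafile=ca_bundle)


def query_hash(service_address: str, sha1: str, ca_bundle: Optional[str] = None,
               timeout: float = 10.0) -> dict:
    """POST the query to the appliance and return the decoded JSON (network call)."""
    req = urllib.request.Request(
        build_api_url(service_address),
        data=json.dumps(build_query_body(sha1)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout, context=tls_context(ca_bundle)) as resp:
        return json.load(resp)


def summarize(response: dict) -> dict:
    """Map each sha1 to (status label, TE verdict); missing fields become None."""
    out = {}
    for item in response.get("response", []):
        out[item.get("sha1")] = (
            item.get("status", {}).get("label"),
            item.get("te", {}).get("combined_verdict"),
        )
    return out


# Constructed sample response for offline use; its shape is assumed, not captured.
SAMPLE_RESPONSE = {
    "response": [
        {"sha1": "a" * 40, "status": {"code": 1001, "label": "FOUND"},
         "te": {"combined_verdict": "malicious"}},
        {"sha1": "b" * 40, "status": {"code": 1004, "label": "NOT_FOUND"}},
    ]
}

if __name__ == "__main__":
    # 198.51.100.20 is a placeholder address for the local TE appliance
    print(build_api_url("198.51.100.20"))
    print(summarize(SAMPLE_RESPONSE))
```

Only `query_hash` touches the network; the URL and body builders and `summarize` can be exercised offline, which is also where you would add a check that the appliance's certificate chain matches the bundle you distributed to your API clients.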
