ATRG: CloudGuard Controller
Solution

Table of Contents

  • Overview
  • Troubleshooting
  • Debugging
  • Recommended Articles

Overview

The CloudGuard cloud security solution delivers advanced threat protection to private or public cloud infrastructures. It controls and manages the security in both the physical and virtual environments with one unified management solution. With trusted APIs, the CloudGuard Controller connects to the Software-Defined Data Center (SDDC) and integrates the virtual cloud environment with Check Point Security Gateways. The CloudGuard Controller automatically updates the security policy, and updates the GUI, API, and security logs with new and changed appliances, computers, devices, and addresses.

Check Point Security Gateways run on virtual machines. Deploy the gateway in the public and private cloud for perimeter and lateral protection, and industry-leading advanced threat prevention security. The CloudGuard Gateways integrate seamlessly with SDN solutions, such as VMware vCenter, VMware NSX, Cisco ACI and Cisco ISE.

The CloudGuard Controller integrates with these virtual cloud environments:

  • Amazon Web Services (AWS) 
  • Microsoft Azure 
  • Cisco ACI 
  • Cisco ISE 
  • Google Cloud Platform (GCP) 
  • Nuage Networks VSP 
  • OpenStack 
  • VMware vCenter 
  • VMware NSX

Refer to the CloudGuard Controller R80.20 Administration Guide.

High Level Components

  • Data Center - Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores. They are collected in a group for secured remote storage, management, and distribution of data.
  • Scanner - Polls objects from the Data Center periodically. There is one scanner for each Data Center.
  • Enforcement - Updates Data Center objects used in the security policy on the gateways.
  • Auto-update - Updates Data Center objects imported on the Management server.

Workflow for Deploying CloudGuard Controller

The CloudGuard Controller is a component of the R80.20 Security Management Server. Make sure you have the most up to date CloudGuard Controller. The steps below may be necessary to enable the CloudGuard Controller to communicate with your Data Center.

  • Step 1: Install or upgrade to R80.20 that includes the CloudGuard Controller.
  • Step 2: Run the cloudguard on command on the Management Server.
  • Step 3: Activate the Identity Awareness Software Blade on each gateway, on which you want to deploy Data Center objects. 
  • Step 4: Integrate with Data Centers.

Support for Data Center Objects on the gateway

Gateway requirements
  • R77.20 and R77.30 gateways
    • Enforcer hotfix required (sk111963).
    • Included in R77.30 Jumbo Hotfix (JHF) Take 309 and above.
  • R80.10 and above gateways
    • Included in the standard image.

Activating Identity Awareness for an R80.10 and above Gateway

Updating Data Center Objects on the gateway

On the Security Management:

  • The $FWDIR/conf/vsec_controller_targets_data.set file is created or updated with a mapping of each gateway to its Data Center Objects (not to IP addresses). The file is created or updated during Install Policy.
  • The Security Management generates a /tmp/vsecUpdate.sh file and pushes it, together with the Data Center Objects, to the gateway using CPRID.
  • /tmp/vsecUpdate.sh is a curl command to localhost with a JSON-formatted payload that adds the identities to the Identity Awareness process.
    (Figure: /tmp/vsecUpdate.sh file output)
  • The Security Management remotely executes the /tmp/vsecUpdate.sh script, with the Identity Awareness secret key, using CPRID.
  • The learned Data Center identities are added as PDP identities. They can be viewed by running pdp m a.
    (Figure: Identity Awareness output of pdp m a)

Troubleshooting


Confirming CloudGuard Controller is running

Check the status of the CloudGuard Controller:
  1. Run cloudguard

For additional troubleshooting scenarios, refer to the "CloudGuard Controller Troubleshooting" section in the CloudGuard Controller R80.20 Administration Guide.

Debugging


Logs and debugs for Data Center Object creation

  • Log files on Security Management 
    (For MDS: $MDS_FWDIR)
    • $FWDIR/logs/cpm.elg 
    • $FWDIR/logs/cloud_proxy.elg
  • Debugs
    • Debug values are in $VSECDIR/lib/log4j.properties. The entries below are shown with their default value (ERROR); set the relevant logger to TRACE:
      log4j.logger.com.cp.cms_proxy=ERROR
      log4j.logger.com.cp.cms_common=ERROR
      Select from the following as relevant to your scanner:
      log4j.logger.com.cp.awsscanner=ERROR
      log4j.logger.com.cp.azurescanner=ERROR
      log4j.logger.com.checkpoint.apic=ERROR
      log4j.logger.cms_proxy.CMS.nsx=ERROR
    • CPM debugs for object creation failures (sk110913)
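A small helper for the step above, added here as an example (it is not Check Point code). It assumes $VSECDIR/lib/log4j.properties holds plain "log4j.logger.<name>=<LEVEL>" lines like the ones listed above, raises only the logger for the scanner you are debugging to TRACE, and restores ERROR afterwards so cloud_proxy.elg does not keep growing at trace level. The short scanner keys (aws, azure, aci, nsx, proxy, common) are this example's own shorthand for the logger names on the page.

```python
"""Toggle one CloudGuard Controller logger in $VSECDIR/lib/log4j.properties.

Added example, not Check Point code. It assumes the file holds plain
"log4j.logger.<name>=<LEVEL>" lines like the ones quoted in the article;
the scanner-to-logger mapping below is this example's own shorthand.
"""
from __future__ import annotations

# Logger names as listed in the article; the short keys are this example's.
SCANNER_LOGGERS = {
    "proxy": "log4j.logger.com.cp.cms_proxy",
    "common": "log4j.logger.com.cp.cms_common",
    "aws": "log4j.logger.com.cp.awsscanner",
    "azure": "log4j.logger.com.cp.azurescanner",
    "aci": "log4j.logger.com.checkpoint.apic",
    "nsx": "log4j.logger.cms_proxy.CMS.nsx",
}
LEVELS = ("TRACE", "DEBUG", "INFO", "WARN", "ERROR")


def current_levels(properties_text: str) -> dict[str, str]:
    """Return {logger: level} for every log4j.logger.* line (comments ignored)."""
    levels: dict[str, str] = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if line.startswith("log4j.logger.") and "=" in line:
            key, value = line.split("=", 1)
            levels[key.strip()] = value.strip().upper()
    return levels


def set_level(properties_text: str, scanner: str, level: str) -> str:
    """Rewrite only the chosen scanner's logger; every other line is left untouched.

    Unknown scanner names or levels raise instead of silently adding a logger
    that nothing in cloud_proxy reads.
    """
    if scanner not in SCANNER_LOGGERS:
        raise ValueError(f"unknown scanner {scanner!r}; choose from {sorted(SCANNER_LOGGERS)}")
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; choose from {LEVELS}")
    logger = SCANNER_LOGGERS[scanner]
    out, found = [], False
    for raw in properties_text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if key == logger and not raw.lstrip().startswith(("#", "!")):
            out.append(f"{logger}={level}")
            found = True
        else:
            out.append(raw)
    if not found:
        out.append(f"{logger}={level}")  # logger absent from the file: append it
    return "\n".join(out) + "\n"


# Constructed sample mirroring the default entries quoted in the article.
DEFAULT_PROPERTIES = """\
log4j.logger.com.cp.cms_proxy=ERROR
log4j.logger.com.cp.cms_common=ERROR
log4j.logger.com.cp.awsscanner=ERROR
log4j.logger.com.cp.azurescanner=ERROR
log4j.logger.com.checkpoint.apic=ERROR
log4j.logger.cms_proxy.CMS.nsx=ERROR
"""

if __name__ == "__main__":
    traced = set_level(DEFAULT_PROPERTIES, "azure", "TRACE")
    print(traced)
    # Restore the default once the debug session is over.
    print(set_level(traced, "azure", "ERROR"))
```

In practice you would read the real file into `properties_text`, write the result back, and reproduce the problem while only the relevant scanner is at TRACE; raising every logger at once makes the cloud_proxy.elg excerpt much harder to read.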

Example of a failure for Data Center Object Creation or Importing

When you create a Data Center Object and authentication fails, the authentication failure appears in the cloud_proxy log. For the example below, the debug value log4j.logger.com.cp.cms_proxy was set to TRACE.

Cloud_proxy log

Errors:

09/05/18 17:44:37,817 TRACE cms_proxy.Process.ProcessExecutor [qtp258411693-28]: Executing: [/opt/CPsuite-R80/fw1/Python/bin/python, /opt/CPvsec-R80/scripts/azure/vsec.py, --max-time, 60, -t]
09/05/18 17:44:37,822 TRACE cms_proxy.Process.ProcessExecutor [qtp258411693-28]: Running process with time out of: 300 seconds
09/05/18 17:44:38,429 TRACE cms_proxy.Process.ProcessExecutor [pool-18-thread-1]: Process finished (callable)
09/05/18 17:44:38,430 ERROR CMS.azure.AzureDeployment [qtp258411693-28]: Command failed:
ProcessOutputData{
ProcessBuilder= [/opt/CPsuite-R80/fw1/Python/bin/python, /opt/CPvsec-R80/scripts/azure/vsec.py, --max-time, 60, -t]
errCode= 1
processTimeoutSeconds= 300
processDurationSeconds= 0
Process Output String= AuthenticationProblem
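The excerpt above is easy to read once, but a cloud_proxy.elg at TRACE level fills quickly. The following parser, added here as an example (not Check Point code), picks out every "Command failed:" ERROR entry together with the ProcessOutputData fields that follow it, so the scanner, exit code and Process Output String can be reviewed at a glance. It assumes the line layout shown in the excerpt (date, time, level, logger, thread, message) and the "key= value" layout of the ProcessOutputData block; the hint text for AuthenticationProblem is this example's own wording of the authentication-failure case described above.

```python
"""Triage helper for cloud_proxy.elg "Command failed" entries.

Added example, not Check Point code. It assumes the line layout shown in the
article: "DD/MM/YY HH:MM:SS,mmm LEVEL logger [thread]: message", with an ERROR
"Command failed:" line followed by a ProcessOutputData{ ... } block of
"key= value" lines. Only fields visible in the article are interpreted.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) \[(?P<thread>[^\]]+)\]: (?P<msg>.*)$"
)
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*=\s*(?P<value>.*)$")

# Hints for output strings this example knows; anything else is reported verbatim.
KNOWN_REASONS = {
    "AuthenticationProblem": "cloud provider rejected the Data Center object's credentials",
}


@dataclass
class CommandFailure:
    timestamp: str
    logger: str
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def reason(self) -> str:
        return self.fields.get("Process Output String", "")

    @property
    def hint(self) -> str:
        return KNOWN_REASONS.get(self.reason, f"unrecognised output: {self.reason!r}")


def parse_failures(log_text: str) -> list[CommandFailure]:
    """Collect every 'Command failed' ERROR with its ProcessOutputData fields."""
    failures: list[CommandFailure] = []
    current: CommandFailure | None = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            if m["level"] == "ERROR" and m["msg"].startswith("Command failed"):
                current = CommandFailure(m["ts"], m["logger"])
                failures.append(current)
            else:
                current = None  # any other timestamped line ends the block
            continue
        if current is None or line in ("", "ProcessOutputData{"):
            continue
        if line == "}":
            current = None
            continue
        kv = KV_RE.match(line)
        if kv:
            current.fields[kv["key"].strip()] = kv["value"].strip()
    return failures


def summarize(log_text: str) -> list[str]:
    """One line per failure: when, which scanner, exit code, and what it means."""
    return [
        f"{f.timestamp} {f.logger}: errCode={f.fields.get('errCode', '?')} "
        f"reason={f.reason or '?'} -> {f.hint}"
        for f in parse_failures(log_text)
    ]


# Sample input: the log excerpt quoted in the article, embedded verbatim.
SAMPLE_LOG = """\
09/05/18 17:44:37,817 TRACE cms_proxy.Process.ProcessExecutor [qtp258411693-28]: Executing: [/opt/CPsuite-R80/fw1/Python/bin/python, /opt/CPvsec-R80/scripts/azure/vsec.py, --max-time, 60, -t]
09/05/18 17:44:37,822 TRACE cms_proxy.Process.ProcessExecutor [qtp258411693-28]: Running process with time out of: 300 seconds
09/05/18 17:44:38,429 TRACE cms_proxy.Process.ProcessExecutor [pool-18-thread-1]: Process finished (callable)
09/05/18 17:44:38,430 ERROR CMS.azure.AzureDeployment [qtp258411693-28]: Command failed:
ProcessOutputData{
ProcessBuilder= [/opt/CPsuite-R80/fw1/Python/bin/python, /opt/CPvsec-R80/scripts/azure/vsec.py, --max-time, 60, -t]
errCode= 1
processTimeoutSeconds= 300
processDurationSeconds= 0
Process Output String= AuthenticationProblem
"""

if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run it against a real file with `summarize(open(path).read())`; a run that reports several failures with the same reason in a short window usually points at one misconfigured Data Center object rather than at the scanner itself.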

Logs and debugs for enforcement on the gateway

  • Log files on Security Management
    (For MDS: $MDS_FWDIR)
    • $FWDIR/logs/cloud_proxy.elg
    • $FWDIR/logs/cpm.elg
    • $FWDIR/conf/vsec_controller_targets_data.set
  • Log files on Gateway
    • $FWDIR/log/CPRID.elg
    • $FWDIR/log/pdpd.elg*
    • /tmp/vsecUpdate.sh
  • Debugs on management
    • Debug values are in $VSECDIR/lib/log4j.properties. Set the following logger to TRACE:
      log4j.logger.com.cp.enforcement_updater
    • Debug CPRID on Security Management and Gateway
  • Debugs on gateway
    • Command output of pdp m a
    • Debug PDP on the gateway (sk86441)

CloudGuard Controller Advanced debugs

Debugging connectivity issues to the Cloud Provider:

Commands
  • Azure: curl_cli --verbose https://management.azure.com --cacert /var/opt/CPshrd-R80/conf/ca-bundle-public-cloud.crt
  • AWS: curl_cli http://169.254.169.254/latest/user-data

Additional debug levels
  • AWS: AWS_API_DEBUG=true AWS_ACCESS_KEY= AWS_SECRET_KEY= $FWDIR/Python/bin/python $VSECDIR/scripts/aws/vsec.py
  • GCP: GCP_CREDENTIALS="$(cat $VSECDIR/scripts/google/creds.json)" GCP_DEBUG=true $FWDIR/Python/bin/python $VSECDIR/scripts/google/vsec.py __ALL__
  • Azure: AZURE_REST_DEBUG=true AZURE_CREDENTIALS='{"client_id": "","client_secret": "","grant_type": "client_credentials","tenant": ""}' $FWDIR/Python/bin/python $VSECDIR/scripts/azure/vsec.py
  • The Azure credentials can also be written to a file in the same format as above and passed by file name:
    AZURE_REST_DEBUG=true AZURE_CREDENTIALS=creds.json $FWDIR/Python/bin/python $VSECDIR/scripts/azure/vsec.py

Testing CPRID
  • Check that the cprid port 18208 is allowed between the Security Management and the gateway.
    Verify that cprid_util -server GW_IP getenv -attr FWDIR returns output.
  • To remotely execute vsecUpdate.sh on a gateway:
    cprid_util -server GW_IP -timeout 120 -verbose rexec -rcmd bash /tmp/vsecUpdate.sh
PDP controller debugs steps

First ensure that Identity Awareness is working properly by running the commands pdp api status and pdp api enable.

Debugs:
  1. Move the existing old log files aside:
    # mkdir $FWDIR/log/pdpLog/
    # mv $FWDIR/log/pdpd.elg* $FWDIR/log/pdpLog/
  2. Clean the log rotation:
    # pdp d rotate
  3. Revoke the Security Group association from pdpd (the one shown by the pdp m command):
    # pdp control revoke_ip
    * The Security Group will not appear under the pdp m command until it is re-associated.
  4. Start the debug:
    # echo "=======> start debug `date` " >> $FWDIR/log/pdpd.elg
    # pdp debug on
    # pdp d s all all
  5. Replicate the issue (if possible).
  6. Stop the debug:
    # pdp d unset all all
    # pdp d off
    # echo "=======> stop debug `date` " >> $FWDIR/log/pdpd.elg
  7. Collect the following files and share them with Support:
    $FWDIR/log/pdpd.elg*
