CloudGuard for ACI

This article describes the CloudGuard for ACI managed by CloudGuard Controller.

Table of Contents

  1. Introduction to CloudGuard
  2. Components required for installation of CloudGuard Gateway for ACI
  3. CloudGuard Service Registration Hotfix
  4. Installation Instructions
  5. Documentation 
  6. Previous Versions
  7. Revision History

 


 

(1) Introduction to CloudGuard

Check Point CloudGuard solutions and products:

CloudGuard solution CloudGuard product

CloudGuard for Private Cloud with SDN

(Micro-segment your data center. Secure East-West traffic between applications.)

CloudGuard for Public IaaS

(Secure applications and connectivity in public clouds.)

CloudGuard for Virtual Data Center

(Virtual Security Gateway with integration to cloud management platforms.)

 

(2) Components required for installation of CloudGuard for ACI

The following components are mandatory for installation of CloudGuard for ACI managed by CloudGuard Controller:

  • On the Management side, the following should be installed:

    #  Component
       Description

    1  Security Management Server / Multi-Domain Security Management Server
       Check Point Management Server is the basic infrastructure to manage Check Point Security Gateways.

    2  CloudGuard Controller Hotfix
       Installing this package on top of Check Point Management Server turns it into a CloudGuard Controller server that is able:
       • to fetch Data Center objects from Cisco APIC
       • to manage CloudGuard for Cisco ACI

    3  CloudGuard Service Registration Hotfix
       This package installs modules on the Check Point CloudGuard Management server that are required by the Cisco ACI fabric:
       • to deploy Check Point service to Cisco ACI
       • to manage CloudGuard for Cisco ACI

    4  SmartConsole for CloudGuard Controller server
       This is the graphical UI for controlling and configuring the Check Point Management Server and its managed Check Point Security Gateways.
       The improved SmartConsole for CloudGuard Controller server allows the administrator to create and work with Data Center objects.

  • On the Gateway side, the following should be installed:

    #  Component
       Description

    1  Security Gateway
       This is the standard Check Point Security Gateway.

Refer to the following illustration:

 

(3) CloudGuard Service Registration Hotfix

What's New

  • R80.30 Security Management Support
  • R80.40 Security Management Support
  • New Device Package V1.5
  • Support Maestro MHO-140 and MHO-170
  • Stability fixes
  • CloudGuard Service Insertion Hotfix

    Package | CPUSE Online Identifier | CPUSE Offline
    Service Registration v7 Hotfix for R80.10 Management Server | Check_Point_R80.10_VSR7_Bundle_T14_FULL.tgz | (TGZ)
    Service Registration v7 Hotfix for R80.20 Management Server | Check_Point_R80.20_VSR7_Bundle_T15_FULL.tgz | (TGZ)
    Service Registration v7 Hotfix for R80.30 Management Server | Check_Point_R80.30_VSR7_Bundle_T15_FULL.tgz | (TGZ)
    Service Registration v7 Hotfix for R80.40 Management Server | Check_Point_R80.40_VSR7_Bundle_T3_FULL.tgz | (TGZ)

    1. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
    2. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
    3. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).

(4) Installation Instructions (all versions post R80.20)


1. Install Security Management Server / Multi-Domain Security Management Server:

  1. Install SmartConsole for Management Server.
  2. Enable the CloudGuard Controller by running the 'cloudguard on' command (refer to the relevant CloudGuard Controller Administration Guide, chapter "Integrating with Data Center Servers", section "Enabling the CloudGuard Controller").
  3. Install the Service Registration Hotfix on the Management Server. Refer to section 3 above for the supported Hotfixes and management versions.

3. How to upgrade to CloudGuard Service Registration

  1. Upgrade to Management Server if needed.
  2. Install the new CloudGuard Service Registration Hotfix. The Security Management Server with the new CloudGuard registration Hotfix re-attaches itself to a Gateway that has already been deployed. All services continue as they did before the upgrade.

Important Notes about upgrading a CloudGuard Service Registration:

  • Upgrading to a newer Service Insertion Hotfix is applicable only from VSRv5.
  • Refer to the instructions in sk141955. Only R80.10 Management with R80.10 jumbo Hotfix Take 112 is supported.

(5) Documentation

(6) Previous Versions

R77.30 CloudGuard v2 for ACI managed by R80 CloudGuard Controller v2

  • What's New

    • Integration of R77.30 CloudGuard for ACI with the new R80 CloudGuard Controller v2 (sk115772).
    • Improved R80 CloudGuard Controller v2 Enforcer Hotfix.
  •  Installation Instructions

    1. Install R80 CloudGuard Controller v2

      1. Refer to sk115772 - R80 CloudGuard Controller v2 - Step 1:

        1. Install R80 Security Management Server / Multi-Domain Security Management Server
        2. Install R80 CloudGuard Controller v2 Hotfix on R80 Security Management Server / Multi-Domain Security Management Server
        3. Install R80 CloudGuard SmartConsole for R80 CloudGuard Controller v2
      2. Install R80 CloudGuard Service Registration v2 Hotfix on R80 CloudGuard Controller v2:

        Package | CPUSE Online Identifier (a) | CPUSE Offline (b,c)
        CloudGuard Service Registration v2 Hotfix for R80 CloudGuard Controller v2 | Check_Point_R80_vSEC_Service_Hotfix2_FULL.tgz | (TGZ)

        Notes:
        1. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        2. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        3. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
        4. Legacy CLI installation is not supported.
    2. Install CloudGuard for ACI:

      1. Install Security Gateway R77.30 GA on Gaia OS.

      2. Install Take_185 and above of Jumbo Hotfix Accumulator for R77.30.

        Note: Installation of Jumbo Hotfix Accumulator for R77.30 is recommended, but is not mandatory.

      3. Install R80 CloudGuard Controller v2 Enforcer for ACI Hotfix on R77.30 Security Gateway:

        Package | CPUSE Online Identifier | CPUSE Offline | Legacy CLI
        CloudGuard Controller v2 Enforcer hotfix for Security Gateway R77.30 (a) | Check_Point_R77.30_vSEC_Controller_Enforcer_Hotfix_FULL.tgz (b) | (TGZ) (c,d) | (TGZ) (e)

        Notes:
        1. This package of CloudGuard Controller v2 Enforcer Hotfix for Security Gateway R77.30 can be installed:
          • either on top of R77.30 GA,
          • or on top of Take_185 (and above) of R77.30 Jumbo Hotfix Accumulator
          (otherwise, the installation of the CloudGuard Controller v2 Enforcer Hotfix would fail)
        2. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        3. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        4. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
        5. Legacy CLI installation instructions:
          1. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
          2. Unpack and install the hotfix package:
            [Expert@HostName:0]# cd /some_path_to_fix/
            [Expert@HostName:0]# tar -zxvf Check_Point_R77.30_vSEC_Controller_Enforcer_Hotfix_Gaia_sk115772.tgz
            [Expert@HostName:0]# ./fw1_wrapper_HOTFIX_GIRAFFE_V2_<BUILD>
            Note: The script will stop all Check Point services (cpstop) - read the output on the screen.
          3. Reboot the machine.
    3. Install Device Package for Cisco APIC:

      The Device Package is already included in the hotfix. It is recommended to refer to sk112726: CloudGuard for ACI - Device Packages for Cisco APIC in order to verify that the latest available Device Package is being used.



  • Documentation

R77.30 CloudGuard v1 for ACI managed by R80 CloudGuard Controller v1

  • What's New

    • Fetch dynamic ACI (APIC) objects for use in Check Point policy and SmartConsole to securely deliver applications in a fraction of cost and time.
    • Automated service-insertion using ACI device package - prevents lateral movement of threats between private cloud applications.
    • View ACI endpoint group names in security logs - provides ease of operation with forensic analysis inside the data center.
    • Multi-tenancy with context selection from APIC.


  • Installation Instructions

    1. Install R80 CloudGuard Controller v1

      1. Refer to sk111963 - R80 CloudGuard Controller v1 - Step 1:

        1. Install R80 Security Management Server / Multi-Domain Security Management Server
        2. Install R80 CloudGuard Controller v1 Hotfix on R80 Security Management Server / Multi-Domain Security Management Server
        3. Install R80 CloudGuard SmartConsole for R80 CloudGuard Controller v1
      2. Install R80 CloudGuard Service Registration v1 Hotfix on R80 CloudGuard Controller v1:

        Package | CPUSE Online Identifier (a) | CPUSE Offline (b,c)
        CloudGuard Service Registration v1 Hotfix for R80 CloudGuard Controller v1 | Check_Point_R80_vSEC_Service_Hotfix1_FULL.tgz | (TGZ)

        Notes:
        1. For CPUSE Online installation instructions, refer to sk92449 - sections (6-A-a) / (6-A-b) and (6-B-a).
        2. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        3. For CPUSE Offline installation instructions, refer to sk92449 - sections (6-A-c) / (6-A-d) and (6-B-a).
        4. Legacy CLI installation is not supported.
    2. Install CloudGuard for ACI:

      1. Install Security Gateway R77.30 GA on Gaia OS.

      2. Install Take_159 and above of Jumbo Hotfix Accumulator for R77.30.

        Note: Installation of Jumbo Hotfix Accumulator for R77.30 is recommended, but is not mandatory.

      3. Install R80 CloudGuard Controller v1 Enforcer for ACI Hotfix on R77.30 Security Gateway:

        Package | CPUSE Online Identifier | CPUSE Offline | Legacy CLI
        CloudGuard Controller v1 Enforcer hotfix for Security Gateway R77.30 (a) | Check_Point_R77.30_vSEC_Controller_Enforcer_Hotfix1_FULL.tgz (b) | (TGZ) (c,d) | (TGZ) (e)

        Notes:
        1. This package of CloudGuard Controller v1 Enforcer Hotfix for Security Gateway R77.30 can be installed:
          • either on top of R77.30 GA,
          • or on top of Take_159 (and above) of R77.30 Jumbo Hotfix Accumulator
          (otherwise, the installation of the CloudGuard Controller v1 Enforcer Hotfix would fail)
        2. For CPUSE Online installation instructions, refer to sk92449 - sections (6-A-a) / (6-A-b) and (6-B-a).
        3. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        4. For CPUSE Offline installation instructions, refer to sk92449 - sections (6-A-c) / (6-A-d) and (6-B-a).
        5. Legacy CLI installation instructions:
          1. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
          2. Unpack and install the hotfix package:
            [Expert@HostName:0]# cd /some_path_to_fix/
            [Expert@HostName:0]# tar -zxvf Check_Point_R77.30_vSEC_Controller_Enforcer_Hotfix1_Gaia_sk111963.tgz
            [Expert@HostName:0]# ./fw1_wrapper_HOTFIX_GIRAFFE_V2_<BUILD>
            Note: The script will stop all Check Point services (cpstop) - read the output on the screen.
          3. Reboot the machine.
    3. Install Device Package for Cisco APIC:

      The Device Package is already included in the hotfix. It is recommended to refer to sk112726: CloudGuard for ACI - Device Packages for Cisco APIC in order to verify that the latest available Device Package is being used.

  • Documentation

CloudGuard for ACI managed by R80.10 Management Server

  •  What's New



  • Resolved Issues


    Note: For Known Limitations, refer to CloudGuard for ACI managed by R80.10 Management Server Known Limitations.
    In addition, refer to R80.10 Known Limitations - section "CloudGuard Controller".

    ID  Symptoms

    -   When using CloudGuard Controller for ACI, the Default GW for servers needs to be defined as a Bridge Domain Subnet in order for IP entries of silent endpoints not to be aged out by the fabric.

        In this scenario, the VS connectors can be configured as:

        • L2-adjacent ('General')
          GoTo deployments can define a dummy IP address as Default GW for the subnet.
          In this case, a VRF split is necessary in order to prevent firewall bypass.
        • L3-adjacent

    -   IPv6 was not supported.

    -   Dynamic Routing configuration via Device Package is not supported.
        Dynamic Routing requires manual configuration in Gaia Clish.


  • Installation Instructions

    1. Install R80.10 Management Server:

      1. Refer to sk111841 - Check Point R80.10

        1. Install R80.10 Security Management Server / Multi-Domain Security Management Server
        2. Install R80.10 SmartConsole for R80.10 Management Server
        3. Enable the CloudGuard Controller by running the "vsec on" command
          (refer to the R80.10 CloudGuard Controller Administration Guide -
          chapter "Integrating with Data Center Servers" - section "Enabling the CloudGuard Controller")
      2. Install CloudGuard Service Registration v3 Hotfix on R80.10 Management Server:

        Package | CPUSE Online Identifier | CPUSE Offline
        CloudGuard Service Registration v3 Hotfix for R80.10 Management Server | Check_Point_R80.10_vSEC_Service_Hotfix3_FULL.tgz (a) | (TGZ) (b,c)

        Notes:
        1. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        2. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        3. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
    2. Install CloudGuard for ACI Gateway:

      Version | Instructions
      R80.10 CloudGuard for ACI Gateway
      R77.30 CloudGuard v2 for ACI Gateway
      1. Install Security Gateway R77.30 GA on Gaia OS.

      2. Install Take_185 and above of Jumbo Hotfix Accumulator for R77.30.

        Note: Installation of Jumbo Hotfix Accumulator for R77.30 is recommended, but is not mandatory.

      3. Install R80 CloudGuard Controller v2 Enforcer for ACI Hotfix on R77.30 Security Gateway:

        Package | CPUSE Online Identifier | CPUSE Offline | Legacy CLI
        CloudGuard Controller v2 Enforcer hotfix for Security Gateway R77.30 (a) | Check_Point_R77.30_vSEC_Controller_Enforcer_Hotfix_FULL.tgz (b) | (TGZ) (c,d) | (TGZ) (e)

        Notes:
        1. This package of CloudGuard Controller v2 Enforcer Hotfix for Security Gateway R77.30 can be installed:
          • either on top of R77.30 GA,
          • or on top of Take_185 (and above) of R77.30 Jumbo Hotfix Accumulator
          (otherwise, the installation of the CloudGuard Controller v2 Enforcer Hotfix would fail)
        2. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        3. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        4. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
        5. Legacy CLI installation instructions:
          1. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
          2. Unpack and install the hotfix package:
            [Expert@HostName:0]# cd /some_path_to_fix/
            [Expert@HostName:0]# tar -zxvf Check_Point_R77.30_vSEC_Controller_Enforcer_Hotfix_Gaia_sk115772.tgz
            [Expert@HostName:0]# ./fw1_wrapper_HOTFIX_GIRAFFE_V2_<BUILD>
            Note: The script will stop all Check Point services (cpstop) - read the output on the screen.
          3. Reboot the machine.
    3. Install Device Package for Cisco APIC:

      The Device Package is already included in the hotfix. It is recommended to refer to sk112726: CloudGuard for ACI - Device Packages for Cisco APIC in order to verify that the latest available Device Package is being used.


  •  Documentation
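
The legacy CLI installation steps in the sections above unpack a transferred archive and then run its wrapper script in Expert mode. The function below is an added example, not Check Point code: it checks the archive before those steps are run. The function name, its return codes and the expected SHA-256 argument are assumptions (this article publishes no digest; supply one obtained from the vendor download page or your change record).

```shell
#!/bin/bash
# Added example (hypothetical helper, not part of the hotfix or of Gaia).
# Usage: preflight_hotfix /some_path_to_fix/<package>.tgz "<EXPECTED_SHA256 or empty>"
# Prints the archive's SHA-256 on success; returns non-zero on any failed check.

preflight_hotfix() {
    pkg=$1
    expected_sha256=$2

    [ -f "$pkg" ] || { echo "missing: $pkg" >&2; return 2; }

    # 1. Compare the digest with the expected one, when one was supplied.
    actual=$(sha256sum "$pkg" | awk '{print $1}')
    if [ -n "$expected_sha256" ] && [ "$actual" != "$expected_sha256" ]; then
        echo "sha256 mismatch: got $actual" >&2
        return 3
    fi

    # 2. Detect a truncated or corrupted transfer before anything is unpacked.
    gzip -t "$pkg" 2>/dev/null || { echo "corrupt gzip stream" >&2; return 4; }

    # 3. List member names as stored (-P keeps a leading '/') and refuse
    #    absolute paths or '..' components: tar -zxvf run as root would
    #    otherwise be able to write outside /some_path_to_fix/.
    members=$(tar -tzPf "$pkg" 2>/dev/null) || return 4
    if printf '%s\n' "$members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in archive" >&2
        return 5
    fi

    # 4. The procedure runs ./fw1_wrapper_HOTFIX_<...> from the extraction
    #    directory, so the wrapper must be a top-level member of the archive.
    printf '%s\n' "$members" | grep -Eq '^(\./)?fw1_wrapper_HOTFIX_[^/]+$' \
        || { echo "no fw1_wrapper_HOTFIX_* at archive top level" >&2; return 6; }

    echo "$actual"
}
```

Record the printed digest with the change ticket so the same archive can be identified later.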

(7) Revision History


Date Description
27 July 2020
  • Adding R80.40 references 
24 Feb 2020
  • Redesigned the entire article.
  • Adding "Installation Instructions"
  • Adding "CloudGuard Service Registration Hotfix"
  • Adding "Documentation" 
  • Adding "Installation Instruction"
21 May 2017
  • Added "CloudGuard for ACI managed by R80.10 Management Server"
09 Apr 2017
  • Redesigned the entire article.
  • Added information about "R77.30 CloudGuard v2 for ACI managed by R80 CloudGuard Controller v2"
28 Feb 2017
  • Minor text corrections.
26 Feb 2017
  • Minor text corrections.
12 Feb 2017
  • Updated the instructions for "R77.30 vSEC v1 for ACI managed by R80 CloudGuard Controller v1" to say "Take_159 and above of Jumbo Hotfix Accumulator for R77.30".
25 Aug 2016
21 July 2016
  • First release of this article.
