R80.20 Private ThreatCloud
Solution

Table of Contents:

  • Introduction
  • Deployment
  • Managing the Private ThreatCloud
  • Installation and Configuration
  • Monitoring
  • Logging
  • PTC Diagnostics Tool
  • Documentation
  • Downloads
  • Known Limitations

Introduction

Check Point Software Blades (e.g., Anti-Bot, Anti-Virus, IPS, Threat Emulation, Application Control and URL Filtering) leverage the power of the Cloud. The Private ThreatCloud provides a solution for customers whose Security Gateways or other Check Point devices do not connect directly to the Internet. With the Private ThreatCloud, customers receive continuous protection as cloud services are extended into offline or other compartmentalized environments.

The Private ThreatCloud is a copy of the Check Point public ThreatCloud. Check Point devices use the Private ThreatCloud to get updates instead of connecting directly to the Internet through their Gateways.

The Private ThreatCloud Download Agent downloads updates from the public ThreatCloud and pushes them to the Private ThreatCloud.

Deployment

You can deploy Private ThreatCloud in the following ways:

  • Single Box - Install the Private ThreatCloud and the Private ThreatCloud Download Agent on the same appliance.
  • Unidirectional - Install the Download Agent on a different appliance or VM (not the Private ThreatCloud appliance). The Download Agent sends unidirectional updates to the Private ThreatCloud appliance. Select this deployment if you do not want the Private ThreatCloud appliance to access the Internet directly.

 

Managing the Private ThreatCloud

Starting from R80.20, the Private ThreatCloud is installed on a dedicated Management Server and manages only the Private ThreatCloud (standalone). The Gateways that connect to the Private ThreatCloud as clients must be managed by a different Management Server.

The Download Agent can be installed on a Gateway or on a Management Server. Installing it on a Gateway is highly recommended.
If you install only the Download Agent on a Gateway, use the following image and Jumbo instead of the ones mentioned in steps 1 and 2 of 'Initial Configuration':
Gateway R80.20 ISO, Jumbo Take 118




Installation

Understanding the Private ThreatCloud Environment


Before you install the Private ThreatCloud, it is important to understand the different hosts you connect to as part of the installation.

  • The Private ThreatCloud: Replies to queries from Security Gateways or other Check Point devices for updates.
  • The Download Agent: Downloads updates from the public ThreatCloud and pushes them to the Private ThreatCloud. In a single box deployment, the Download Agent is on the same appliance as the Private ThreatCloud. In a unidirectional deployment, the Download Agent is on a separate appliance or VM.
  • The Security Management Server: A separate server that manages the Security Gateways in the Private ThreatCloud environment.
  • Security Gateways or other Check Point devices: Receive updates from the Private ThreatCloud. They must be configured as a client to the Private ThreatCloud.

The Download Agent must have HTTP or SSL access to these domains. Use Application Control rules to allow outgoing connections only to these domains:

  • updates.checkpoint.com 
  • secureupdates.checkpoint.com 
  • ptcd.checkpoint.com 
  • ptcs.checkpoint.com 
  • dl3.checkpoint.com 
  • sc1.checkpoint.com 
  • cws.checkpoint.com 
  • te.checkpoint.com 
  • downloads.checkpoint.com
  • threat-emulation.checkpoint.com
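As an added example that is not part of the article, the following Python audits a connection log export for egress that the rules above would not permit: the Download Agent may only reach the ten listed hosts over HTTP/HTTPS, and in a unidirectional deployment the Private ThreatCloud appliance must not reach the Internet at all. The log lines, addresses and field layout are constructed.

```python
# Hostnames the article lists for the Download Agent; anything else is reported.
# Matching is exact, so a subdomain of an allowed name is still reported.
DA_ALLOWED_HOSTS = frozenset({
    "updates.checkpoint.com", "secureupdates.checkpoint.com", "ptcd.checkpoint.com",
    "ptcs.checkpoint.com", "dl3.checkpoint.com", "sc1.checkpoint.com",
    "cws.checkpoint.com", "te.checkpoint.com", "downloads.checkpoint.com",
    "threat-emulation.checkpoint.com",
})
ALLOWED_PORTS = frozenset({80, 443})  # HTTP or SSL access, per the article

# Constructed egress log in a made-up "timestamp src_ip dst_host dst_port" layout;
# map the fields of your own firewall or proxy export onto these four.
SAMPLE_EGRESS_LOG = """\
2024-01-01T10:00:00Z 10.10.10.20 updates.checkpoint.com 443
2024-01-01T10:00:05Z 10.10.10.20 te.checkpoint.com 80
2024-01-01T10:00:09Z 10.10.10.20 mirror.example.net 443
2024-01-01T10:00:12Z 10.10.10.20 dl3.checkpoint.com 8443
2024-01-01T10:00:15Z 10.10.10.20 cdn.updates.checkpoint.com 443
2024-01-01T10:00:20Z 10.10.10.5 updates.checkpoint.com 443
2024-01-01T10:00:25Z 10.10.10.7 sc1.checkpoint.com 443
"""


def audit_egress(log_text, agent_ip, ptc_ip=None,
                 allowed=DA_ALLOWED_HOSTS, ports=ALLOWED_PORTS):
    """Return (timestamp, src_ip, dst_host, dst_port, reason) for every connection
    the article's rules would not permit. agent_ip is the Download Agent; ptc_ip,
    when given, is the Private ThreatCloud appliance of a unidirectional
    deployment, which must have no direct Internet egress. Other sources are
    ignored (they are covered by the gateways' own policy)."""
    findings = []
    for line in log_text.splitlines():
        ts, src, host, port = line.split()
        host, port = host.lower().rstrip("."), int(port)
        if ptc_ip is not None and src == ptc_ip:
            findings.append((ts, src, host, port,
                             "Private ThreatCloud appliance has direct Internet egress"))
        elif src == agent_ip and host not in allowed:
            findings.append((ts, src, host, port,
                             "destination not in the Download Agent allow-list"))
        elif src == agent_ip and port not in ports:
            findings.append((ts, src, host, port,
                             "allowed host but not an HTTP/HTTPS port"))
    return findings


if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_EGRESS_LOG, "10.10.10.20", ptc_ip="10.10.10.5"):
        print(*finding)
```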

Initial Configuration

  1. Install the R80.20 Management Server and complete the First Time Wizard (use only this image).
  2. Optional - Install Jumbo Take 118 on top of the Management Server.
  3. Place the PTC package on the server (see download information under the 'Downloads' section).
  4. Extract the package content: # tar -xvzf <package_name>
  5. Run the installation script: # sh install_R80.20_ptc.sh
  6. Select the installation type:
    • Private ThreatCloud only
    • Download Agent only
    • SingleBox (Private ThreatCloud and Download Agent)
  7. Reboot the server once the installation is complete.

SingleBox Configuration

In a Single Box deployment, the Private ThreatCloud and the Download Agent are installed on the same appliance. This section describes the procedure for this type of installation once the initial configuration is complete.

  1. Add the PTC license and restart the server.
  2. Run the Private ThreatCloud Setup Wizard: # ptc_cli mgmt or # ptc_cli config (both commands work).
  3. Select Adding a new Private ThreatCloud and follow the instructions in the wizard.

Private ThreatCloud only Configuration

In this type of installation, the Private ThreatCloud is installed on a different appliance than the Download Agent and receives continuous updates from it. This section describes the procedure for this type of installation once the initial configuration is complete.

  1. Add the PTC license and restart the server.
  2. Run the Private ThreatCloud Setup Wizard: # ptc_cli mgmt
  3. Select Adding a new Private ThreatCloud and follow the instructions in the wizard.

Download Agent only Configuration

In this type of installation, the Download Agent is installed on a different appliance or VM than the Private ThreatCloud. The Download Agent connects to the Internet and sends unidirectional updates to the Private ThreatCloud. In this deployment, the Private ThreatCloud cannot access the Internet. This section describes the procedure for this type of installation once the initial configuration is complete.

  1. Run the Download Agent Setup Wizard: # ptc_cli config
  2. Follow the instructions in the wizard and add the relevant Private ThreatCloud that will receive updates from this Download Agent.

To get the certificate key:

Get the certificate key from your User Center account, or read it from the Private ThreatCloud:

  1. Open a new SSH session to your Private ThreatCloud.
  2. In Expert mode, run: # cplic print

The certificate key is the last item in the license line. The line has this structure:

X.X.X.X never cpap-sm3050x cpsb-fw cpsb-vpn cpsg-ptc cpsb-swb CK-XX-XX-XX-XX-XX-XX

Note: The certificate key might also be in one of these formats:

CK-XXXXXXXXXX , CK-XXXX-XXXX-XXXX
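As an added example that is not part of the article, this Python picks the PTC license line out of cplic print output and validates the last item against the three key layouts listed above, so the value can be checked before it is typed into the Download Agent wizard. The sample output, IP and key values are constructed, and the key body is assumed to be upper-case alphanumeric.

```python
import re

# Constructed "cplic print" output in the layout the article shows
# (host IP, expiration, feature string ending in the CK); all values are made up.
SAMPLE_CPLIC_OUTPUT = """\
Host            Expiration  Features
10.10.10.5      never       cpap-sm3050x cpsb-fw cpsb-vpn cpsg-ptc cpsb-swb CK-1A2B3C4D5E
10.10.10.5      never       cpsb-swb cpsb-vpn CK-AAAA-BBBB-CCCC
"""

# The three layouts the article lists. Assumption: key bodies are upper-case
# alphanumeric; anything else is treated as malformed.
CK_FORMATS = {
    "CK-XX-XX-XX-XX-XX-XX": re.compile(r"^CK-[0-9A-Z]{2}(?:-[0-9A-Z]{2}){5}$"),
    "CK-XXXXXXXXXX":        re.compile(r"^CK-[0-9A-Z]{10}$"),
    "CK-XXXX-XXXX-XXXX":    re.compile(r"^CK-[0-9A-Z]{4}(?:-[0-9A-Z]{4}){2}$"),
}


def classify_certificate_key(token):
    """Return the layout name if token is a well-formed certificate key, else None."""
    token = token.strip().upper()
    for name, pattern in CK_FORMATS.items():
        if pattern.match(token):
            return name
    return None


def ptc_certificate_keys(cplic_output):
    """Return (key, layout) for each license line that carries the cpsg-ptc
    feature (the PTC license). The key is the last item in the line, as the
    article states; lines whose last item is malformed are skipped."""
    found = []
    for line in cplic_output.splitlines():
        fields = line.split()
        if "cpsg-ptc" not in fields:
            continue
        key = fields[-1].upper()
        layout = classify_certificate_key(key)
        if layout is not None:
            found.append((key, layout))
    return found


if __name__ == "__main__":
    for key, layout in ptc_certificate_keys(SAMPLE_CPLIC_OUTPUT):
        print(key, layout)
```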

Hardware Requirements

Private ThreatCloud:

Smart-1 3050 | 3150 | 5050 | 5150

Download Agent:

Smart-1 Appliance / Open Server / VM

Minimum of: 2 cores, 8 GB RAM, 1 TB disk space allocated for the /var/log partition

Configuring Check Point Devices to Use the Private ThreatCloud

You must establish trust between the Security Management / Domain Management Server and the Security Gateways that you want to connect to the Private ThreatCloud. To download updates directly from the Management Server / Multi-Domain Management Server, you must configure it as a client to the Private ThreatCloud.

No Private ThreatCloud configuration is needed in SmartConsole.

Before you begin:

  1. Disable the Internet proxy on the Security Gateways or other devices that use the Private ThreatCloud. This ensures that they cannot bypass the Private ThreatCloud to the Internet.
  2. Copy the ptc_mgmt_addon.rpm file to the Security Management Server that manages the Security Gateways or other Check Point devices. You can obtain 'ptc_mgmt_addon.rpm' from the Private ThreatCloud using one of the following options:
    • Copy the file from /home/admin/ on the Private ThreatCloud.
    • Download the file from: http://<ptc_ip>/client_cli/ptc_mgmt_addon.rpm
  3. Place 'ptc_mgmt_addon.rpm' on the Management Server under /home/admin and install the rpm: # rpm -i ptc_mgmt_addon.rpm

Adding a client to the Private ThreatCloud from a Security Management Server:

  1. Connect to your Security Management Server with SSH.
  2. Run: # ptc_cli mgmt
  3. Select Configure Security Gateways or other Check Point devices.
  4. Select add an externally managed Private ThreatCloud.
  5. Follow the instructions in the wizard.

To configure the Security Management Server itself as a client to the Private ThreatCloud, enter 127.0.0.1 in the list of IP addresses that can connect to the Private ThreatCloud.

Adding a client to the Private ThreatCloud from an R80.20 Multi-Domain Server:

  1. Connect to your Multi-Domain Security Management Server with SSH.
  2. Change to the Domain Management Server context: # mdsenv <CMA>
  3. Run: # ptc_cli mgmt
  4. Select Configure Security Gateways or other Check Point devices.
  5. Select add an externally managed Private ThreatCloud.
  6. Follow the instructions in the wizard.

To configure the Multi-Domain Server / Domain Management Server as a client to the Private ThreatCloud, enter 127.0.0.1 in the list of IP addresses that can connect to the Private ThreatCloud.

Adding a client to the Private ThreatCloud from an R77.30 Multi-Domain Server:

  1. Connect to your Multi-Domain Security Management Server with SSH.
  2. Change to the Domain Management Server context: # mdsenv <CMA>
  3. Run: # /home/admin/ptc_mgmt_addon/ptc_cli_slim.sh
  4. Select connect Security Gateways or other Check Point devices to your Private ThreatCloud.
  5. Follow the instructions in the wizard.

To configure the Multi-Domain Server / Domain Management Server as a client to the Private ThreatCloud, enter 127.0.0.1 in the list of IP addresses that can connect to the Private ThreatCloud.

To revert the client configuration:

  1. From the Management Server that has SIC with the client, run: # ptc_cli mgmt
  2. Select Configuring the Security Gateways or other Check Point devices that use the Private ThreatCloud.
  3. Select revert Security Gateways or other Check Point devices back to the public ThreatCloud.
  4. Follow the instructions in the wizard.

Administering the Private ThreatCloud

This section describes how to administer and reconfigure the Private ThreatCloud and the Download Agent after you run the ptc_cli mgmt Setup Wizard.

General Notes:

  • When configuring a Cluster Firewall as a client to the PTC, use the physical IP addresses of the cluster members, not the cluster VIP.
  • The Private ThreatCloud also receives software updates for the Private ThreatCloud itself. Engine updates containing security updates are downloaded by the Private ThreatCloud Download Agent when available and are applied automatically on the Private ThreatCloud.
  • The Private ThreatCloud software is updated only by the automatic engine updates. Do not use CPUSE to update the Private ThreatCloud, as this can break the Private ThreatCloud's functionality.

Changing the IP Address of the Private ThreatCloud

You can use the Gaia WebUI or CLI to change the Private ThreatCloud IP address. Use the Gaia WebUI or CLI to remove the existing licenses and install new ones generated for the new IP address.

Note: Generate the Private ThreatCloud license from your User Center account. Use the Private ThreatCloud IP address to select a local license. Do not use the MGMT IP address to select a central license.

To change the Private ThreatCloud IP address:

  1. In the WebUI, go to Network Management > Network Interfaces and change the interface IP address.
  2. Install the license for the Private ThreatCloud.
  3. After you install the new licenses, restart the appliance.
  4. Open SmartDashboard and connect to the new Private ThreatCloud IP.
  5. Update the IP address of the Private ThreatCloud object.
  6. Install the database.

On the Download Agent:

  1. Run: # ptc_cli config
  2. Select Private ThreatCloud configuration.
  3. Change the IP of the Private ThreatCloud.

Configure the Security Gateways or other Check Point devices that trust and are connected to the Private ThreatCloud to use the new IP address. For more information, read the "Configuring Check Point Devices to Use the Private ThreatCloud" section.

Scheduling Large Downloads

CPUSE and Threat Emulation require very large updates. With the Private ThreatCloud, you can configure the time at which the downloads for these updates start. You can set up a daily or weekly update, or you can set an interval (for example, 2 days).

Using your download schedule, the Private ThreatCloud Download Agent requests new updates from the public ThreatCloud. Set the time at which the Private ThreatCloud Download Agent starts to download the updates. When an update is found, the Private ThreatCloud Download Agent keeps downloading until all parts have reached the Private ThreatCloud. These downloads might take several hours.

To configure the download schedule:

  1. On the Private ThreatCloud Download Agent, run: # ptc_cli config
  2. Select Large file downloads scheduling.
  3. Select a schedule: Daily, Weekly, or Periodically.

Restoring the Private ThreatCloud

The Private ThreatCloud automatically saves backups at 24-hour intervals. If necessary, you can restore the appliance settings from a backup.

To restore the Private ThreatCloud:

  1. Connect to the Private ThreatCloud with SSH.
  2. Run: # ptc_cli mgmt
  3. Select Restoring the Private ThreatCloud from a backup.
  4. Enter the number of the backup.
  5. On the Private ThreatCloud Download Agent, run: # ptc_cli config
  6. Select to restore updates after a backup version restore.

Note: Once a backup has been used, it cannot be restored again. For example, if you have three backups and you restore number 2, the next time you list the backups, number 2 will not be shown. When a restore begins, the database is locked and updates are turned off.

Configuring a Private ThreatCloud Cluster

R80.20 Private ThreatCloud supports High Availability using the keepalived open source solution.

Keepalived is routing software whose main goal is to provide simple and robust facilities for load balancing and high availability on Linux systems and Linux-based infrastructures.

Before activating keepalived on the Private ThreatCloud, you must use the same certificate on both the 'Master' and 'Slave' servers.

On the 'Master' Private ThreatCloud, extract the following files:

  • /web/conf/server.crt
  • /web/conf/server.key

On the 'Slave' Private ThreatCloud:

  • Place server.crt and server.key under /home/admin
  • Run 'ptc_cli config' >> [3] Generate/import a certificate >> Press [i] to import a certificate from an external certificate authority
  • Provide the location of the files and approve the change

To activate keepalived on the R80.20 Private ThreatCloud:

  1. Run the keepalived installation script:

     # cd $PTCDIR/system/keepalived/
     # sh keepalived_install.sh

  2. Update the default keepalived configuration file with the relevant information. The file is located in /etc/keepalived/keepalived.conf.

     vrrp_instance VI_1 {
         interface <interface_name>
         state <MASTER/BACKUP>
         priority <200/100>
         virtual_router_id 1
         virtual_ipaddress {
             <FLOATING_VIP>
         }
         unicast_src_ip <SERVER_IP>
         unicast_peer {
             <PEER_SERVER_IP>
         }
     }

     Where:

     <interface_name> represents the interface that has connectivity to the environment
     <MASTER/BACKUP> represents which server is the active one (MASTER) and which is the backup (BACKUP is the keepalived keyword for the server this article calls the 'Slave')
     <200/100> represents the priority (200 for MASTER, 100 for BACKUP)
     <FLOATING_VIP> represents the VIP that the Security Gateways will connect to
     <SERVER_IP> represents the IP of the current PTC
     <PEER_SERVER_IP> represents the IP of the peer PTC

  3. Start keepalived with the '# service keepalived start' command.

  4. Repeat the same procedure on the peer PTC and update its configuration file with the relevant information.

  5. To check which PTC currently holds the VIP (and is therefore active): # ip a

To stop the keepalived service: '# service keepalived stop'
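As an added example that is not part of the article, this Python renders the template above for both nodes with constructed addresses and checks that the two keepalived.conf files agree before the service is started: same virtual_router_id and floating VIP, MASTER priority above BACKUP priority, and each node's unicast_src_ip listed in the other node's unicast_peer block. The interface name and IP addresses are made up; keepalived's keyword for the standby node is BACKUP.

```python
import re


def render_conf(state, priority, src_ip, peer_ip, vip="192.0.2.100", iface="eth0", vrid=1):
    """Fill the article's keepalived.conf template for one node (constructed values)."""
    return f"""vrrp_instance VI_1 {{
    interface {iface}
    state {state}
    priority {priority}
    virtual_router_id {vrid}
    virtual_ipaddress {{
        {vip}
    }}
    unicast_src_ip {src_ip}
    unicast_peer {{
        {peer_ip}
    }}
}}
"""


MASTER_CONF = render_conf("MASTER", 200, "192.0.2.11", "192.0.2.12")
BACKUP_CONF = render_conf("BACKUP", 100, "192.0.2.12", "192.0.2.11")


def parse_vrrp_instance(text):
    """Parse the subset of keepalived syntax the template uses: 'key value' lines
    plus '{ }' blocks that list addresses, inside a single vrrp_instance."""
    inst = {"virtual_ipaddress": [], "unicast_peer": []}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            block = None
            continue
        if not line or line.startswith("vrrp_instance"):
            continue
        opened = re.fullmatch(r"(\w+)\s*\{", line)
        if opened:
            block = opened.group(1)
            inst.setdefault(block, [])
        elif block:
            inst[block].append(line)
        else:
            key, _, value = line.partition(" ")
            inst[key] = value.strip()
    return inst


def check_pair(master_text, backup_text):
    """Compare the two nodes' configs and return the problems found; an empty
    list means the pair matches the article's MASTER/BACKUP layout."""
    m, b = parse_vrrp_instance(master_text), parse_vrrp_instance(backup_text)
    problems = []
    if (m.get("state"), b.get("state")) != ("MASTER", "BACKUP"):
        problems.append("one node must be state MASTER and the other state BACKUP")
    if int(m.get("priority", 0)) <= int(b.get("priority", 0)):
        problems.append("MASTER priority must exceed BACKUP priority (article uses 200/100)")
    if m.get("virtual_router_id") != b.get("virtual_router_id"):
        problems.append("virtual_router_id differs between nodes")
    if m["virtual_ipaddress"] != b["virtual_ipaddress"]:
        problems.append("floating VIP differs between nodes")
    if (m.get("unicast_src_ip") not in b["unicast_peer"]
            or b.get("unicast_src_ip") not in m["unicast_peer"]):
        problems.append("each node's unicast_src_ip must appear in the peer's unicast_peer block")
    return problems


if __name__ == "__main__":
    print(check_pair(MASTER_CONF, BACKUP_CONF) or "keepalived pair is consistent")
```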

Certificate Best Practice

Save the certificate files on removable media or an external computer. If you install the Private ThreatCloud again, use the original certificate. If you use a new certificate, you must change the certificate on all the Security Gateways and other devices that receive Private ThreatCloud updates.

To export your current certificate, copy these files from your Private ThreatCloud to a different device or computer:

  • /web/conf/server.crt
  • /web/conf/server.key

To import the certificate you saved elsewhere:

  1. Copy both files to the newly installed Private ThreatCloud.
  2. Connect to your Private ThreatCloud with SSH.
  3. Run: # ptc_cli config
  4. Select Generate/import a certificate.
  5. Follow the instructions in the wizard. You must provide the two files you copied from your previous Private ThreatCloud installation.

Upgrade from R77.30 to R80.20

The following table lists the differences between R77.30 and R80.20:

                    R77.30                 R80.20
Supported image     Private Threat Cloud   Add-on on top of R80.20 GA
Installation type   Gateway/Standalone     Management Only
Hardware            Smart-1 3xxx/210       Smart-1 3xxx/5xxx
HA mechanism        ClusterXL              VRRP

  • Direct upgrade from an existing R77.30 PTC to R80.20 PTC is not supported. A fresh install of the appliance is needed.
  • R80.20 PTC is self-managed, so it can no longer be managed from a separate Management Server.
  • To send logs from R80.20 PTC to another Management Server, see the Logging section.
  • Using the R80.20 PTC Management Server to manage Security Gateways is not supported.

Private ThreatCloud License

Note that a license is required only for the PTC. The Download Agent (DA) uses the PTC certificate key (CK) to download files.

  • CPAP-PTC-5005-SOC (supports up to 50 gateways)
  • CPAP-PTC-5025-SOC (supports up to 250 gateways)
  • CPAP-PTC-5050-SOC (supports up to 250 gateways)
  • CPSB-PTC-3005-SOC-EVAL (unlimited, can only be obtained via internal order)

Monitoring

The Private ThreatCloud Download Agent starts to download updates and push them to the Private ThreatCloud. You can access the ThreatCloud services after the Private ThreatCloud Download Agent finishes downloading updates. The initial download after setup takes approximately 2 hours, depending on your connection speed. You can monitor the Private ThreatCloud Download Agent to see the download progress. If you run Private ThreatCloud monitoring before the Private ThreatCloud Download Agent finishes downloading updates, not all services will be available.

To monitor the Private ThreatCloud Download Agent:

  • In your SSH connection to the Private ThreatCloud Download Agent, run: # ptc_cli downloads

To monitor the Private ThreatCloud:

Use one or more of these options to make sure that the appliance is ready and that all services are available:

  • If you enabled web access to the system monitoring, browse to https://IP_Address_of_Private_ThreatCloud/ptcd/report.html.
  • Browse to: http://IP_Address_of_Private_ThreatCloud/ptcd/monitor (a JSON viewer is recommended).
  • In your SSH connection to the Private ThreatCloud, run: # ptc_cli monitor

Logging

R80.20 Private ThreatCloud can send its logs over syslog to a Log Server. To configure a new syslog destination, do the following:

Private ThreatCloud Configuration:

  1. On the Private ThreatCloud, run: # ptc_cli config
  2. Select Syslog Configuration and follow the instructions in the wizard.
  3. Copy the following files from the Private ThreatCloud:
    • /opt/CPtms/cur/rad_logger/key.c
    • /opt/CPtms/cur/rad_logger/addParsingFile

Log Server Configuration:

  1. Configure the Log Server to accept syslog messages: On the Management Server that manages the Log Server, open the 'Log Server' object > Logs > Additional Logging Configuration > Accept Syslog messages.
  2. Publish and install the database on the Management Server. Restart the Log Server services with # cpstop;cpstart
  3. Verify that the syslog services are up and running using # ps aux | grep syslog. Expected processes:
    • /bin/bash /opt/CPsuite-R80.20/fw1/bin/syslog 514 all
    • syslogd -m 0 -z 515 -P info -f /var/run/syslog.conf
  4. Place the files 'key.c' and 'addParsingFile' on the Log Server and run the following commands:
    • # chmod +x addParsingFile
    • # ./addParsingFile -p key.c

PTC Diagnostic Tool

  • Introduced in engine version 12
  • Script location: /opt/CPtms/cur/scripts/ptc_doctor.sh
  • Output location: /var/log/ptc_doctor_output_XX-XX-XXXX.tgz
  • Collects information about: installation type, system information, missing packages, monitor status, download status, log files, certificate, etc.
  • Can be executed on all installation types: DA only, PTC only and SingleBox.
  • Script execution: # /opt/CPtms/cur/scripts/ptc_doctor.sh

Documentation

Downloads

Private ThreatCloud requires a dedicated license immediately after installation (there is no trial or EVAL).

In addition, due to the sensitivity of the data stored on it, customers who would like to purchase it must sign an NDA.

To get the package, please contact your sales representative.

Known Limitations

Security Management / Multi-Domain Security Management upgrade
  • After an upgrade of the Multi-Domain Security Management / Security Management Server, the "ptc_mgmt_addon.rpm" must be installed again on the upgraded server.
IPS
  • Offline update is not supported (using the offline method of the upf file to update the Private ThreatCloud itself is not supported).
Multi-Domain Security Management environment
  • It is not possible to configure only one Domain to work with the Private ThreatCloud. It is only possible to configure all Domains or none.
Threat Prevention
  • In SmartDashboard, when you try to access the Threat Prevention tab > Protections pane, the pane is not displayed and an error message appears: "Cannot access protection information due to connectivity issue."
Application & URL Filtering
  • Categorizing of social network widgets is not supported.
Anti-Spam
  • Anti-Spam is not supported when using Private ThreatCloud.
ThreatWiki
  • Access from logs to ThreatWiki is not supported.
SmartConsole Overview
  • Updates for the 'Protections' overview in SmartConsole are not supported.
Client configuration on the PTC
  • Adding a client from the PTC's SmartConsole is not supported. The client must be connected from a different Management Server.
Upgrade
  • Direct upgrade from an existing R77.30 PTC to R80.20 PTC is not supported.
Jumbo Installation
  • Installing a Jumbo (any version) on top of the PTC is not supported.