CloudGuard for ACI

This article describes the CloudGuard for ACI managed by CloudGuard Controller.

Table of Contents

1. Introduction to CloudGuard
2. Components required for installation of CloudGuard Gateway for ACI
3. CloudGuard Service Registration Hotfix
4. Installation Instructions
5. Documentation 
6. Previous Versions
7. Revision History

(1) Introduction to CloudGuard

Check Point CloudGuard solutions and products:

CloudGuard solution	CloudGuard product
CloudGuard for Private Cloud with SDN (Micro-segment your data center. Secure East-West traffic between applications.)	CloudGuard for VMware NSX CloudGuard for Cisco ACI (described in this article) CloudGuard for OpenStack
CloudGuard for Public IaaS (Secure applications and connectivity in public clouds.)	CloudGuard for Amazon Web Services (AWS) CloudGuard for Microsoft Azure CloudGuard for Google Cloud Platform CloudGuard for VMware vCloud Air CloudGuard for OCI
CloudGuard for Virtual Data Center (Virtual Security Gateway with integration to cloud management platforms.)	CloudGuard Virtual Edition (VE)

(2) Components required for installation of CloudGuard for ACI

The following components are mandatory for installation of CloudGuard for ACI managed by CloudGuard Controller:

• On the Management side, the following should be installed:

  #	Component	Description
  1	Security Management Server / Multi-Domain Security Management Server	Check Point Management Server is the basic infrastructure to manage Check Point Security Gateways.
  2	CloudGuard Controller Hotfix	Installing this package on top of Check Point Management Server turns it into CloudGuard Controller server that is able: to fetch Data Center objects from Cisco APIC to manage CloudGuard for Cisco ACI
  3	CloudGuard Service Registration Hotfix	This package installs modules on Check Point CloudGuard Management server that are required by Cisco ACI fabric: to deploy Check Point service to Cisco ACI to manage CloudGuard for Cisco ACI
  4	SmartConsole for CloudGuard Controller server	This is the graphical UI for controlling and configuring the Check Point Management Server and its managed Check Point Security Gateways. The improved SmartConsole for CloudGuard Controller server allows the administrator to create and work with Data Center objects.

• On the Gateway side, the following should be installed:

  #	Component	Description
  1	Security Gateway	This is the standard Check Point Security Gateway.

Refer to the following illustration:

(3) CloudGuard Service Registration Hotfix

What's New

• CloudGuard Service Insertion Hotfix

  Show / Hide this section
  

  Package	CPUSE Online Identifier	CPUSE Offline
  Service Registration v7 Hotfix for R80.10 Management Server	Check_Point_R80.10_VSR7_Bundle_T14_FULL.tgz	(TGZ)
  Service Registration v7 Hotfix for R80.20 Management Server	Check_Point_R80.20_VSR7_Bundle_T15_FULL.tgz	(TGZ)
  Service Registration v7 Hotfix for R80.30 Management Server	Check_Point_R80.30_VSR7_Bundle_T15_FULL.tgz	(TGZ)
  Service Registration v7 Hotfix for R80.40 Management Server	Check_Point_R80.40_VSR7_Bundle_T3_FULL.tgz	(TGZ)

  
  

  1. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
  2. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
  3. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).

(4) Installation Instructions (all versions post R80.20)

(5) Documentation

(6) Previous Versions

R77.30 CloudGuard v2 for ACI managed by R80 CloudGuard Controller v2

• What's New

  Show / Hide this sub-section
  

  • Integration of R77.30 CloudGuard for ACI with the new R80 CloudGuard Controller v2 (sk115772).
  • Improved R80 CloudGuard Controller v2 Enforcer Hotfix.

•  Installation Instructions

  Show / Hide this sub-section
  

  1. Install R80 CloudGuard Controller v2

     1. Refer to sk115772 - R80 CloudGuard Controller v2 - Step 1:

        1. Install R80 Security Management Server / Multi-Domain Security Management Server
        2. Install R80 CloudGuard Controller v2 Hotfix on R80 Security Management Server / Multi-Domain Security Management Server
        3. Install R80 CloudGuard SmartConsole for R80 CloudGuard Controller v2

     2. Install R80 CloudGuard Service Registration v2 Hotfix on R80 CloudGuard Controller v2:

        Package	CPUSE Online Identifier (a)	CPUSE Offline (b,c)
        CloudGuard Service Registration v2 Hotfix for R80 CloudGuard Controller v2	Check_Point_R80_vSEC_Service_Hotfix2_FULL.tgz	(TGZ)

        Show / Hide the Notes
        

        1. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        2. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        3. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
        4. Legacy CLI installation is not supported.

  2. Install CloudGuard for ACI:

     1. Install Security Gateway R77.30 GA on Gaia OS.

     2. Install Take_185 and above of Jumbo Hotfix Accumulator for R77.30.

        Note: Installation of Jumbo Hotfix Accumulator for R77.30 is recommended, but is not mandatory.

     3. Install R80 CloudGuard Controller v2 Enforcer for ACI Hotfix on R77.30 Security Gateway:

        Package	CPUSE Online Identifier	CPUSE Offline	Legacy CLI
        CloudGuard Controller v2 Enforcer hotfix for Security Gateway R77.30 (a)	Check_Point_R77.30_vSEC_Controller_Enforcer_Hotfix_FULL.tgz (b)	(TGZ) (c,d)	(TGZ) (e)

        Show / Hide the Notes
        

        1. This package of CloudGuard Controller v2 Enforcer Hotfix for Security Gateway R77.30 can be installed:
           
           • either on top of R77.30 GA,
           • or on top of Take_185 (and above) of R77.30 Jumbo Hotfix Accumulator
           (otherwise, the installation of the CloudGuard Controller v2 Enforcer Hotfix would fail)
        2. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        3. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        4. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).
        5. Legacy CLI installation instructions:
           
           1. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
           2. Unpack and install the hotfix package:
              [Expert@HostName:0]# cd /some_path_to_fix/
              [Expert@HostName:0]# tar -zxvf Check_Point_R77.30_vSEC_Controller_Enforcer_Hotfix_Gaia_sk115772.tgz
              [Expert@HostName:0]# ./fw1_wrapper_HOTFIX_GIRAFFE_V2_<BUILD>
              Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
           3. Reboot the machine.

  3. Install Device Package for Cisco APIC:

     The Device package is already included in hotfix. It is recommended to refer to sk112726: CloudGuard for ACI - Device Packages for Cisco APIC in order to verify that the latest available Device Package is being used.

  
  
  

• Documentation

  Show / Hide this sub-section
  

  • R77.30 CloudGuard for ACI managed by R80 CloudGuard Controller Release Notes
  • R77.30 CloudGuard for ACI managed by R80 CloudGuard Controller Administration Guide
  • sk111970 - R77.30 CloudGuard for ACI managed by R80 CloudGuard Controller Known Limitations
  • sk115772 - R80 CloudGuard Controller v2

R77.30 CloudGuard v1 for ACI managed by R80 CloudGuard Controller v1

• What's New

  Show / Hide this sub-section
  

  • Fetch dynamic ACI (APIC) objects for use in Check Point policy and SmartConsole to securely deliver applications in a fraction of cost and time.
  • Automated service-insertion using ACI device package - prevents lateral movement of threats between private cloud applications.
  • View ACI endpoint group names in security logs - provides ease of operation with forensic analysis inside the data center.
  • Multi-tenancy with context selection from APIC.

  
  
  

• Installation Instructions

  Show / Hide this sub-section
  

  1. Install R80 CloudGuard Controller v1

     1. Refer to sk111963 - R80 CloudGuard Controller v1 - Step 1:

        1. Install R80 Security Management Server / Multi-Domain Security Management Server
        2. Install R80 CloudGuard Controller v1 Hotfix on R80 Security Management Server / Multi-Domain Security Management Server
        3. Install R80 CloudGuard SmartConsole for R80 CloudGuard Controller v1

     2. Install R80 CloudGuard Service Registration v1 Hotfix on R80 CloudGuard Controller v1:

        Package	CPUSE Online Identifier (a)	CPUSE Offline (b,c)
        CloudGuard Service Registration v1 Hotfix for R80 CloudGuard Controller v1	Check_Point_R80_vSEC_Service_Hotfix1_FULL.tgz	(TGZ)

        Show / Hide the Notes
        

        1. For CPUSE Online installation instructions, refer to sk92449 - sections (6-A-a) / (6-A-b) and (6-B-a).
        2. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        3. For CPUSE Offline installation instructions, refer to sk92449 - sections (6-A-c) / (6-A-d) and (6-B-a).
        4. Legacy CLI installation is not supported.

  2. Install CloudGuard for ACI:

     1. Install Security Gateway R77.30 GA on Gaia OS.

     2. Install Take_159 and above of Jumbo Hotfix Accumulator for R77.30.

        Note: Installation of Jumbo Hotfix Accumulator for R77.30 is recommended, but is not mandatory.

     3. Install R80 CloudGuard Controller v1 Enforcer for ACI Hotfix on R77.30 Security Gateway:

        Package	CPUSE Online Identifier	CPUSE Offline	Legacy CLI
        CloudGuard Controller v1 Enforcer hotfix for Security Gateway R77.30 (a)	Check_Point_R77.30_vSEC_Controller_Enforcer_Hotfix1_FULL.tgz (b)	(TGZ) (c,d)	(TGZ) (e)

        Show / Hide the Notes
        

        1. This package of CloudGuard Controller v1 Enforcer Hotfix for Security Gateway R77.30 can be installed:
           
           • either on top of R77.30 GA,
           • or on top of Take_159 (and above) of R77.30 Jumbo Hotfix Accumulator
           (otherwise, the installation of the CloudGuard Controller v1 Enforcer Hotfix would fail)
        2. For CPUSE Online installation instructions, refer to sk92449 - sections (6-A-a) / (6-A-b) and (6-B-a).
        3. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        4. For CPUSE Offline installation instructions, refer to sk92449 - sections (6-A-c) / (6-A-d) and (6-B-a).
        5. Legacy CLI installation instructions:
           
           1. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
           2. Unpack and install the hotfix package:
              [Expert@HostName:0]# cd /some_path_to_fix/
              [Expert@HostName:0]# tar -zxvf Check_Point_R77.30_vSEC_Controller_Enforcer_Hotfix1_Gaia_sk111963.tgz
              [Expert@HostName:0]# ./fw1_wrapper_HOTFIX_GIRAFFE_V2_<BUILD>
              Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
           3. Reboot the machine.

  3. Install Device Package for Cisco APIC:

     The Device package is already included in hotfix. It is recommended to refer to sk112726: CloudGuard for ACI - Device Packages for Cisco APIC in order to verify that the latest available Device Package is being used.

• Documentation

  Show / Hide this sub-section
  

  • R77.30 CloudGuard for ACI managed by R80 CloudGuard Controller Release Notes
  • R77.30 CloudGuard for ACI managed by R80 CloudGuard Controller Administration Guide
  • sk111970 - R77.30 CloudGuard for ACI managed by R80 CloudGuard Controller Known Limitations
  • sk111963 - R80 CloudGuard Controller v1

CloudGuard for ACI managed by R80.10 Management Server

•  What's New

  Show / Hide this sub-section
  

  • R80.10 Security Management Server support for integrating with Cisco APIC and managing the Security Gateways deployed in the ACI fabric.
  • R80.10 Security Gateways inside the ACI fabric.
  • Managed service support for VSX and the Security Gateways (physical appliance or the CloudGuard Virtual Edition).
  • PBR support for both managed and unmanaged modes.
  • IPv6 support for VSX.
  • Dynamic Routing configuration support in the managed mode.
  • R80.10 Security Management Server support for micro segmentation EPG.

  
  
  

• Resolved Issues

  Show / Hide this sub-section
  

  Note: For Known Limitations, refer to CloudGuard for ACI managed by R80.10 Management Server Known Limitations.
  In addition, refer to R80.10 Known Limitations - section "CloudGuard Controller".

  ID	Symptoms
  -	When using CloudGuard Controller for ACI, the Default GW for servers needs to be defined as a Bridge Domain Subnet in order for IP entries of silent endpoints not to be aged out by the fabric. In this scenario, the VS connectors can be configured as: L2-adjacent ('General') GoTo deployments can define a dummy IP address as Default GW for the subnet. In this case, a VRF split is necessary in order to prevent firewall bypass. L3-adjacent
  -	IPv6 was not supported.
  -	Dynamic Routing configuration via Device Package is not supported. Dynamic Routing requires manual configuration in Gaia Clish.

  
  
  

• Installation Instructions

  Show / Hide this sub-section
  

  1. Install R80.10 Management Server:

     1. Refer to sk111841 - Check Point R80.10

        1. Install R80.10 Security Management Server / Multi-Domain Security Management Server
        2. Install R80.10 SmartConsole for R80.10 Management Server
        3. Enable the CloudGuard Controller by running the "vsec on" command
           (refer to the R80.10 CloudGuard Controller Administration Guide -
           chapter "Integrating with Data Center Servers" - section "Enabling the CloudGuard Controller")

     2. Install CloudGuard Service Registration v3 Hotfix on R80.10 Management Server:

        Package	CPUSE Online Identifier	CPUSE Offline
        CloudGuard Service Registration v3 Hotfix for R80.10 Management Server	Check_Point_R80.10_vSEC_Service_Hotfix3_FULL.tgz (a)	(TGZ) (b,c)

        Show / Hide the Notes
        

        1. For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a).
        2. Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499.
        3. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a).

  2. Install CloudGuard for ACI Gateway:

     Version	Instructions
     R80.10 CloudGuard for ACI Gateway	Install Security Gateway R80.10 GA.
     R77.30 CloudGuard v2 for ACI Gateway	Install Security Gateway R77.30 GA on Gaia OS. Install Take_185 and above of Jumbo Hotfix Accumulator for R77.30. Note: Installation of Jumbo Hotfix Accumulator for R77.30 is recommended, but is not mandatory. Install R80 CloudGuard Controller v2 Enforcer for ACI Hotfix on R77.30 Security Gateway: Package CPUSE Online Identifier CPUSE Offline Legacy CLI CloudGuard Controller v2 Enforcer hotfix for Security Gateway R77.30 (a) Check_Point_R77.30_vSEC_Controller_Enforcer_Hotfix_FULL.tgz (b) (TGZ) (c,d) (TGZ) (e) Show / Hide the Notes This package of CloudGuard Controller v2 Enforcer Hotfix for Security Gateway R77.30 can be installed: either on top of R77.30 GA, or on top of Take_185 (and above) of R77.30 Jumbo Hotfix Accumulator (otherwise, the installation of the CloudGuard Controller v2 Enforcer Hotfix would fail) For CPUSE Online installation instructions, refer to sk92449 - sections (4-A-a) / (4-A-b) and (4-B-a). Before installing this package using CPUSE on an offline machine, it is required to manually install the latest build of CPUSE Agent from sk92499. For CPUSE Offline installation instructions, refer to sk92449 - sections (4-A-c) / (4-A-d) and (4-B-a). Legacy CLI installation instructions: Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/). Unpack and install the hotfix package: [Expert@HostName:0]# cd /some_path_to_fix/ [Expert@HostName:0]# tar -zxvf Check_Point_R77.30_vSEC_Controller_Enforcer_Hotfix_Gaia_sk115772.tgz [Expert@HostName:0]# ./fw1_wrapper_HOTFIX_GIRAFFE_V2_<BUILD> Note: The script will stop all of Check Point services (cpstop) - read the output on the screen. Reboot the machine.

  3. Install Device Package for Cisco APIC:

     The Device package is already included in hotfix. It is recommended to refer to sk112726: CloudGuard for ACI - Device Packages for Cisco APIC in order to verify that the latest available Device Package is being used.

  
  
  

•  Documentation

  Show / Hide this sub-section
  

  • CloudGuard for ACI Release Notes
  • CloudGuard for ACI managed by R80.10 Management Server Administration Guide
  • R80.10 CloudGuard Controller Administration Guide
  • sk117077 - CloudGuard for ACI managed by R80.10 Management Server Known Limitations
  • sk111841 - Check Point R80.10

(7) Revision History