CCCS-R81.20-V1.0 Instructor Slides - Check Point Certified Cloud Specialist PDF
Summary
These instructor slides provide an overview of the CloudGuard Network Security solution from Check Point Software Technologies Ltd. The slides cover key components, supported cloud platforms, use cases, and licensing. They also outline the course structure and learning objectives. The document is part of a training course for cybersecurity professionals aimed at implementing and managing cloud security solutions.
Full Transcript
CHECK POINT CERTIFIED CLOUD SPECIALIST

© 2024 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third-Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Document Number: DOC-Slides-CCCS-R81.20-V1.0

PREFACE

Course Overview
- Audience: Security professionals who want to gain the practical knowledge and skills to implement CloudGuard Network Security.
- Duration: Two days
- NICE/NIST Work Role Categories: Design & Development; Implementation & Operation; Protection & Defense
- Course Goal: Gain the fundamental knowledge and skills to deploy, manage, and troubleshoot a CloudGuard Network Security solution within a Check Point Security environment.
For more information on how Check Point can help, see "What is NIST Compliance?": https://www.checkpoint.com/cyber-hub/cyber-security/nist-compliance/

Base Knowledge
- Unix-like and/or Windows OS
- Internet Fundamentals
- Networking Fundamentals
- Networking Security
- System Administration
- Cloud native deployment using public clouds
- Other: A minimum of six months of practical experience with Check Point security

Recommended Learning Path
Check Point Certified Security Administrator (CCSA) is useful but not required.
- CCSA - 3 Days
- CCCS - 2 Days (Recommended)
https://training-certifications.checkpoint.com

Framework for Success
Start your Journey, Prepare for Success, Learn from Experts, Certify your Skills, Expand your Knowledge: a path for continuous progress and lasting achievement.

Agenda (subject to change)
1. Introduction to CloudGuard
2. CloudGuard Network Security Architectures
3. CloudGuard Network Security Management
4. CloudGuard Network Security Scaling Solutions
5. CloudGuard Network Security Clustering in the Cloud
6. CloudGuard Network Security Policy
7. CloudGuard Network Security Automation
8. CloudGuard Network Security Troubleshooting

Course Conventions
- Book titles: Italicized font; for example: CLI Reference Guide
- Commands: Courier New, bold font; for example: cpstat
- Curly brackets or braces { }: Enclose a list of available commands or parameters, separated by the vertical bar |. Users can enter only one of the available commands or parameters.
- Angle brackets < >: Enclose a variable. Users must explicitly specify a supported value.
- Square brackets or brackets [ ]: Enclose an optional command or parameter that users can also enter.

TOPOLOGY (lab topology diagram)

MODULE 1 - INTRODUCTION TO CLOUDGUARD
Learning Objective: Describe the CloudGuard Network Security solution, including key components, supported cloud platforms, use cases, and licensing.
CloudGuard Platform Overview
- CloudGuard WAF
- CloudGuard Posture Management
- CloudGuard CDR
- CloudGuard Code Security
- CloudGuard Network Security (focus of this course)
- CloudGuard Workload
- CloudGuard Cloud Developer Security
- CNAPP: Secure the Cloud
This course focuses on the CloudGuard Network Security solution. For additional information about other CloudGuard products, see the CloudGuard - Secure the Network section online at: https://www.checkpoint.com/products/

Supported Cloud Platforms
Alibaba Cloud, Microsoft Azure, Amazon Web Services (AWS), Oracle Cloud Infrastructure, Google Cloud, Tencent Cloud, Huawei Cloud, VMware Cloud on AWS, IBM Cloud. CloudGuard extends On-Premises security to the cloud.
This course focuses on the AWS and Microsoft Azure platforms. For information about other cloud platforms, refer to their respective documentation and websites.

Check Point Security Framework Architecture (Three-Tier Architecture)
The Check Point Security Framework (Three-Tier Architecture) is discussed in greater detail in the CCSA Core training course.

Architecture - SmartConsole
- Create and manage: Security policies; User and administrator accounts; Management Servers, Gateways, devices; Settings for the Check Point environment.
- Monitor: Logs and events; Performance; Regulation compliance.
- Maintain: Licenses; Update products.

Architecture - Security Management Server
Default roles: Database; Internal Certificate Authority (ICA); Log Server; Licenses and Contracts Repository; Monitoring Security Gateways; Security Automation.

Architecture - Security Gateway (Quantum Firewall)
Translation capabilities of network gateways, security functions of NGFWs, and other security features.
Security Gateway Protections: Access Control (includes Identity Awareness); Threat Prevention.

Other CloudGuard Network Security Components
- CloudGuard Controller: Sub-component of the Security Management Server. Useful for dynamic cloud environments.
- CloudGuard Management Extension (CME): Integrated with the Security Management Server. Allows integration between the Security Management Server, the CloudGuard Network Security solution, and CSPs. Handles automation and adaptive security.
You learn more about the CloudGuard Controller and CME in subsequent modules and labs.

CloudGuard Network Security Use Cases
1. Hybrid Data Center Deployment: Some components reside in the organization's On-Premises data center, and some are housed by the CSP.
2. Greenfield Deployment: No existing data center, or existing ones might be fully used. Can build a new physical data center or build the entire project in the cloud.
3. Disaster Recovery Sites: One or more secondary sites for data storage or data center operations to help prevent data loss in the event of a disaster.

CloudGuard Network Security Licensing
- Elastic Software License: Uses a flexible model to add/remove CloudGuard Network Security Gateways on demand.
- Pay As You Go (PAYG) License: Purchased through the CSP and based on the number of cores assigned to the Check Point virtual machine.
- Bring Your Own License: Uses Check Point licenses like those used on physical open servers, but on cloud-based virtual machines.
- Central License: Special CloudGuard Security Gateway license that is managed and deployed on the Security Management Server.
To comprehensively license CloudGuard protections, Check Point requires a license for the Security Management Server in addition to any Security Gateway elastic licenses.

Key Points
- CloudGuard Network Security offers cloud-native Security Gateways that keep your data in public, private, and hybrid cloud networks safe, even from the most sophisticated attacks.
- Use cases include a Hybrid Data Center deployment, a Greenfield deployment, and Disaster Recovery sites.
- Like other Check Point products, CloudGuard Network Security must be licensed for use.
Lab Time: No Lab

MODULE 2 - CLOUDGUARD NETWORK SECURITY ARCHITECTURES
Learning Objective: Describe supported deployment options for CloudGuard Network Security and identify deployment considerations for each architecture.

CloudGuard Network Security Architecture Fundamentals - Basic Components
- Workloads - Virtual Machines
- Security Infrastructure - Integrated security solutions
- Scaling Solutions - Technologies for platform expansion and contraction
- Virtual Networks - Software-based computer networks
These concepts are discussed briefly in the following sections. They are discussed in more detail in the Prepare for Success video for this course. For details, see: https://training-certifications.checkpoint.com

Basic Components (Continued)
Workloads (Virtual Machines)
  Description: Virtual machine. Equivalent of the servers in an On-Premises environment.
  Notes: AWS - Elastic Compute Cloud (EC2) Instance; Azure - Azure Virtual Machine (AVM)
Security Infrastructure
  Description: Provides threat prevention and unified security management across public, private, and hybrid clouds.
  Notes: Built into the cloud environment.
Scaling Solutions
  Description: Allows for expansion and contraction of the environment as needed to compensate for changes in traffic load.
  Notes: AWS - EC2 Auto Scaling Instances; Azure - Virtual Machine Scale Sets (VMSS)
Virtual Networks
  Description: All Workloads can communicate with each other as if they were within the same network segment. The internal routing can be changed to direct traffic from one Workload to another through Security Gateways.
  Notes: AWS - Virtual Private Cloud (VPC); Azure - Azure Virtual Network (AVN)

CloudGuard Network Security Architectures (Common Deployment Architectures)
- Single Gateway architecture
- Mesh architecture (Peering)
- Hub and Spoke architecture
- Cluster architecture

Single Gateway Architecture - Simplest Deployment Architecture
Deployment Tools:
- CSP Portal - Provides access to create, view, and manage CloudGuard Network Security resources through a graphical interface. Primary resource. Least complicated.
- Shell deployment - Relies on predefined shell script templates and powerful scripting languages for automated deployments. (Different than CLI.)
- Command Line Interface (CLI) - Launches the CloudGuard Network Security Gateway with command line scripts.

Basic Deployment Workflow
1. From the CSP Portal, search for the Check Point Security Gateway template.
2. Assign the Security Gateway to the same network/region as the web server.
3. Connect a routeable external address to the external interface of the Security Gateway.
4. Remove external addresses from the web server.
5. Reroute traffic to/from the web server to the Security Gateway.
6. Install the Security Policy on the Security Gateway.
A Single Gateway Architecture is a good solution for coordinated and organized deployment in a cloud managed by one team. But what happens when multiple teams are working with cloud resources without a coordinated plan?

Mesh Architecture (Peering)
Useful when different teams share multiple Workloads. Each network connects to other networks for the resources they need. Workloads connect via Peering links.

Peering Links Use Case
- Application Team A - Has a Workload that provides the product database for inventory control.
- Application Team B - Wants to use the Team A database for a sales application.
- Application Team C - Has a web server. Wants to use the Team A and B databases for order processing.
- Application Team D - Has an application server that needs information from other teams' servers.
Over time, more connections are formed, and the mesh grows in complexity. Some Workloads connect to some Workloads, while others connect to all.
Mesh Limitations
- Each Workload requires routing to all other Workloads involved.
- Peering offers peer-to-peer connectivity but does not allow extended peering relationships.
- Each member of the Mesh requires a connection to other Workloads to use their resources.
- As the Mesh expands, the number of connections increases much faster than the number of Workloads:
  Connections = 1/2 * (Number of Peers) * (Number of Peers - 1)

Rapid Expansion Example
- 2 Workloads = 1 connection
- 3 Workloads = 3 connections
- 4 Workloads = 6 connections
- 5 Workloads = 10 connections
- 6 Workloads = 15 connections
- 7 Workloads = 21 connections
Cloud Service Provider limitations can limit the growth of the Mesh and create bottlenecks, resulting in compute overhead. An alternative to these limitations is a Hub and Spoke architecture.

Hub and Spoke Architecture - Independent Connections to Hubs
Secure Cloud Network Architecture - Underlying Security Principles:
- Security (Advanced Threat Prevention)
- Micro-segmentation
- Agility
- Automation
- Borderless

Hub Functionality
- Operate as software-defined data centers.
- Use load balancers to protect the cloud perimeter based on current scale.
- Separates traffic using two hubs (recommended): Northbound hub - Ingress (Workloads); Southbound hub - Egress.
- Manages and delivers traffic to Spoke networks.

Northbound Hub
- Front end of the Workload. Lets inbound web communications, such as HTTP traffic, in from the Internet.
- Includes public IP addresses, external load balancers, Cloud Security Gateways, and spoke connections.
- Requires an external load balancer with a public IP address to receive incoming web traffic.

Southbound Hub
Handles a complex blend of outbound transit traffic and sustains high traffic loads, such as:
- Spoke connections to the Internet for software updates.
- Communications with applications in another spoke.
- VPN tunnels with On-Premises networks.

Spoke Functionality
Includes virtual resources that establish connections with other Workloads.
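The connection-count formula from the Mesh Limitations slide, carried into code and set against the Hub and Spoke alternative just described. This is an added example, not material from the Check Point course: it reproduces the Rapid Expansion table and goes one step further by counting the links a Hub and Spoke layout needs when every spoke connects only to the hubs (two hubs, northbound and southbound, as the slides recommend). The hub-to-hub link and the workload names are assumptions made for the illustration.

```python
"""Peering link growth in a Mesh versus a Hub and Spoke layout.

Added example, not from the Check Point course. Implements the formula on the
Mesh Limitations slide, connections = 1/2 * (peers) * (peers - 1), and compares
it with a Hub and Spoke layout. The hub-to-hub link and the workload names are
assumptions for the illustration.
"""
from itertools import combinations


def mesh_links(peers: int) -> int:
    """Peering links for a full mesh: every workload peers with every other one."""
    if peers < 0:
        raise ValueError("peer count cannot be negative")
    return peers * (peers - 1) // 2


def mesh_pairs(workloads: list[str]) -> list[tuple[str, str]]:
    """The concrete peering links a full mesh of the named workloads needs."""
    return sorted(combinations(sorted(workloads), 2))


def links_added_by_new_peer(peers: int) -> int:
    """A workload joining an existing mesh must peer with every current member."""
    return mesh_links(peers + 1) - mesh_links(peers)


def hub_spoke_links(spokes: int, hubs: int = 2) -> int:
    """Each spoke links to every hub; the hubs are meshed with each other (assumption)."""
    return spokes * hubs + mesh_links(hubs)


def growth_table(max_peers: int, hubs: int = 2) -> list[tuple[int, int, int]]:
    """(workloads, mesh links, hub-and-spoke links) for 2..max_peers workloads."""
    return [(n, mesh_links(n), hub_spoke_links(n, hubs)) for n in range(2, max_peers + 1)]


if __name__ == "__main__":
    # Constructed workload names modelled on the Peering Links use case (teams A to D).
    teams = ["team-a-db", "team-b-sales", "team-c-web", "team-d-app"]
    print(f"{len(teams)} workloads need {len(mesh_pairs(teams))} peering links:")
    for a, b in mesh_pairs(teams):
        print(f"  {a} <-> {b}")
    print("\nworkloads  mesh  hub-and-spoke (2 hubs)")
    for n, mesh, hub in growth_table(7):
        print(f"{n:9d}  {mesh:4d}  {hub:4d}")
```

With two hubs the Hub and Spoke count grows linearly (2 links per new workload) while the mesh count grows quadratically; the crossover in this model is at 5 workloads (10 mesh links versus 11), and from 6 workloads on the hub layout needs fewer links.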
Guidelines:
- One Security Management Server
- One or two hubs with CloudGuard Network Security Gateway
- Isolated environments to deploy applications and services

Hub and Spoke Topologies (diagrams): AWS; Azure

Cluster Architecture
Two or more Security Gateways that work together in a redundant configuration - High Availability or Load Sharing. Discussed in more detail in Module 5.
High Availability - Redundant Security Gateways
- Provides uninterrupted security for traffic.
- Only supports two Security Gateway members.
- Security Gateways must reside in the same location in a region. With the support of availability zones, the locations differ.

Load Balancing - Distributes Workloads across a Group of Servers
Categories:
- Public (external) - Distribute traffic from the Internet to the cloud.
- Internal - Let administrators actively scale Workloads and backend resources.
Components: Listening Rules; Target Groups; Health Checks; Inbound NAT rules.

Cloud Traffic Flow
Traffic flow in a load-balanced, secure cloud environment involves multiple network address translations and port modifications.

Key Points
- The simplest architecture is a single Gateway. All traffic is routed through the same Security Gateway.
- In a Mesh architecture, each Workload connects to other Workloads via Peering links.
- In a Hub and Spoke architecture, all spokes (Workloads) maintain independent connections to hubs (network interfaces in the Workload), which permit access to the Internet.
- A Cluster is two or more Security Gateways that work together in a redundant configuration, either High Availability or Load Sharing. Redundant Security Gateways are supported for High Availability.
- Load balancing is useful to prevent a single server from being overwhelmed by traffic and possibly breaking down.

Lab Time: No Lab

MODULE 3 - CLOUD SECURITY MANAGEMENT
Learning Objective: Discuss the role of the Cloud Management Extension (CME) and Identity and Access Management (IAM) controls in a CloudGuard Network Security solution and identify how they are configured.
Cloud Management Extension
- Allows integration between the Security Management Server, the CloudGuard Network solution, and CSPs.
- Runs on the Security Management Server.
- Continuously monitors the Cloud Security Gateway.
- Synchronizes the Cloud Security Gateway with the Security Management Server.
- Allows cloud-native integration.

CME Installation
- Part of the basic Security Management Server installation. Also part of the AutoUpdater process.
- Generally updated automatically if the Security Management Server has Internet access and can reach the Check Point servers.
- If necessary, however, you can install the CME manually. Discussed later in this module.

CME Functions and Operation
Functions:
- Responsible for provisioning tasks (formerly Auto-Provisioning).
- Detects scaling events.
- Handles policy installation.
Operation:
- Provides the CSP with the current policy package.
- Configures required NAT and Access Rules.
- Sends information to the new Security Gateway.

CPUSE Integration
With CPUSE integration and connections to the CSP's API, the CME constantly changes and adjusts to the cloud environment. This lets the Security Management Server maintain control.

IAM Solutions (AWS)
IAM Roles:
- Let you securely manage access to AWS services and resources.
- Provide the AWS account root (single sign-in identity) with complete access to all AWS services and resources.
AWS STS Roles:
- Let you request temporary, limited-privilege credentials for AWS IAM users.
- Work like the long-term access key credentials associated with an IAM role, but the credentials are short-term.
AWS strongly recommends that you do not use the root user for everyday tasks, even administrative ones. Only use the root user to create the first IAM user. Securely lock the root user credentials and use them only for a few account and service management tasks.

IAM Solutions (Azure)
Microsoft Entra ID:
- Cloud-based identity and access management service.
- Provides both long-term and temporary credentials for Identity and Access Management.
- Lets you manage, control, and monitor access to important resources in the Azure environment.
For more information, refer to the Microsoft documentation.

Installation Guidelines
- Run the CME Installation Script as written (no other parameters). After installation, no further action is required.
- On High Availability deployments, future CME installations do not happen automatically. You must run the CME Installation Script each time a new installation of CME is required.
- If AutoUpdater goes down and does not display after running the AutoUpdater CLI stop command, run the following command:
  /opt/AutoUpdater/latest/bin/AutoUpdaterWDReg.sh
See the Student Guide for steps.

CME Resource
For installation instructions and additional information, refer to sk157492 - CME (Cloud Management Extension) for CloudGuard - Latest Updates: https://support.checkpoint.com/results/sk/sk157492

Configure Cloud Management Extension
Different steps for AWS and Azure. Before you begin:
- The Security Management Server is deployed and configured.
- The Access Control Policy Package is created and saved.
- The CloudGuard Controller is enabled.
See the Student Guide for details.

Key Points
- The Cloud Management Extension (CME) runs on a Security Management Server and supports cloud-native integration between CloudGuard and cloud platforms.
- The CME handles the provisioning tasks involved in the expansion and contraction that is common in Scaling Solutions and other automatically deploying elements within cloud ecosystems.
- The CME is an add-on component for Security Management Servers and must be installed on the Security Management Server and configured separately.

Lab Time
- Lab 3A: Deploy a Security Management Server (Azure)
- Lab 3B: Deploy a Security Management Server (AWS)

MODULE 4 - CLOUDGUARD NETWORK SECURITY SCALING SOLUTIONS
Learning Objective: Discuss Scaling Solutions for a CloudGuard Network Security solution, including purpose, benefits, and deployment workflow.
Scaling
- Challenge: Single Security Gateways/static clusters support a limited amount of traffic. Business expansion eventually causes excessive load on the Security Gateway.
- Solution: Scaling can help. Two types - Vertical and Horizontal.
Scalability is a system's elasticity, or its ability to accommodate growth.

Vertical Scaling
- Analogy - Building a multi-family complex. Extra capacity is built into the design.
- In the IT world - Building a server and adding resources as needs change.
- Advantage - Scaling is easier from a hardware perspective.
- Challenge - Increased cost and complexity as it grows, and the requirement to add new hardware when limits are reached.

Horizontal Scaling
- Analogy - Building a single-family home. Extra capacity is added as needed.
- In the IT world - Creating new machines, each with the same capacity as the original.
- Advantage - Less complex management and maintenance. No real limit to growth.
- Challenge - Underutilization of resources for the same costs.

This course focuses on Horizontal scaling, which is generally more efficient than Vertical scaling. Vertical scaling involves increasing the resources available to a server; this form of scaling is hardware-limited. Horizontal scaling involves increasing the number of servers involved; this form of scaling is limited only by the number of servers available.

CloudGuard Network Security Scaling Solutions
AWS Auto Scaling:
- Steady, predictable performance at the lowest possible cost.
- Monitors applications.
- Offers simple recommendations.
- Adjusts capacity automatically.
Azure VMSS:
- Easy creation and management of a group of load-balanced VMs.
- Provides high availability and application resiliency.
- Allows automatic scaling as resource demand changes.

AWS Scaling - Simplified Deployment Workflow
1. Deploy the External Elastic Load Balancer.
2. Add tags to the Internal Elastic Load Balancer.
3. Deploy the Auto Scaling Group.
See the Student Guide for details.

AWS Auto Scaling Requirements
- Virtual Private Cloud (VPC) with at least two Availability Zones with a public subnet and a private subnet.
- Workload of servers deployed in the private subnets (possibly part of its own Auto Scaling Group).
- Internal Elastic Load Balancer that sends traffic to the Workload of servers.

Azure Scaling - Simplified Deployment Workflow
1. Deploy the External Load Balancer.
2. Deploy the VMSS Security Gateway.
3. Deploy the Internal Load Balancer.
See the Student Guide for details.

Azure VMSS
To provide redundancy and improved performance, applications are typically distributed across multiple instances. To perform maintenance or update an application instance, customers must be distributed to another available application instance.

Key Points
- AWS and Azure Scaling Solutions let administrators implement redundancy and stability protection in a cloud environment.
- There are two types of scaling: Vertical Scaling and Horizontal Scaling.
- Vertical Scaling is like building a high-rise multi-family housing complex instead of a single-family home. Horizontal Scaling is like building a residential community made up of single-family homes.

Lab Time
- Lab 4A: Deploy Azure VMSS
- Lab 4B: Deploy AWS EC2 Auto Scaling

MODULE 5 - CLOUDGUARD NETWORK SECURITY CLUSTERING IN THE CLOUD
Learning Objective: Discuss Clustering in a CloudGuard Network Security solution, including purpose, benefits, and deployment workflow.

CLUSTERING FUNDAMENTALS
This section reviews clustering fundamentals to provide a base understanding of important concepts. Clustering in a non-cloud environment is discussed in detail in the Check Point Certified Security Expert (CCSE) course.

ClusterXL
- Check Point's proprietary clustering system.
- An HA Security Cluster ensures that the Security Gateway provides transparent failover to a backup Security Gateway in the event of failure.
- A CloudGuard Network Security Load Sharing Cluster is not supported.
Diagram: 1. Internal network; 2. Switch for internal network; 3. Security Gateways with ClusterXL; 4. Switch for internal network; 5. Internet

Cluster Control Protocol (CCP)
- Used by all ClusterXL modes.
- Runs between Cluster Members on UDP Port 8116.
- Key functions are State Reporting and State Synchronization (Delta Sync).

Non-Cloud and CloudGuard Clustering Differences
Non-Cloud Environment:
- Uses multicast or broadcast for state synchronization and health checks across Cluster Members.
- Cluster Members use Gratuitous ARP (GARP) to announce the MAC Address of the Active member associated with the Virtual IP Address, during normal operation and when cluster failover occurs.
Cloud Environment:
- Multicast and broadcast are not supported. Cloud Cluster Members communicate using unicast.
- GARP does not function correctly in the cloud. Cloud Security Gateway Clusters perform failover by making API calls to the CSP.
- Important: For the Cluster Members to make the necessary API calls, they require credentials. This is achieved using Identity and Access Management (IAM) roles.
To be able to automatically make API calls to Azure, the Cluster Members need to be provided with Microsoft Entra ID credentials. For the Cluster Members to make the necessary API calls to AWS, the Cluster Members need to be provided with credentials. This is achieved using IAM roles.

Clustering in Azure - Basic Workflow
1. Create the cluster (Azure Portal).
2. Add a Microsoft Entra ID Service account or application.
3. Add internal subnets and define static routes.
4. Create the cluster (SmartDashboard).
5. Create the Cluster Members.
6. Configure ETH0, ETH1, NAT rules, External Load Balancer, Dynamic Object, Load Balancer.
7. Publish and install the policy on the Security Gateway.
See the Student Guide for details.

Clustering in Azure - Examples (screenshots)
- SmartDashboard - New Check Point Cluster (Wizard Mode)
- Member A Configuration; Member B Configuration

Clustering in AWS - Basic Workflow
1. Verify that the AWS account is subscribed to the Security Gateway (AWS Portal).
2. Deploy the CloudFormation template (sk111013).
3. Connect and configure the Management Server (SmartDashboard).
4. Define the Cluster Members.
5. Configure and enable the External and Internal Virtual interfaces.
6. Define the Gateway Cluster Properties and Topology.
7. Publish and install the policy on the Security Gateway Cluster.
See the Student Guide for detailed steps.

Clustering in AWS - Examples (screenshots)
- SmartDashboard - Network Objects
- Cluster General Properties
- Member A; Member B
- Enable and Finish (Wizard)
- Gateway Cluster Properties - Network Objects, Topology

Key Points
- Clustering ensures transparent failover to a backup Security Gateway in the event of failure. The Standby Cluster Member is promoted to Active and takes ownership of the Cluster resources.
- Cluster Control Protocol (CCP) packets link the members in the Security Cluster.
- With Clustering in Azure, to be able to automatically make API calls to Azure, the Cluster Members need to be provided with Microsoft Entra ID credentials.
- With Clustering in AWS, for the Cluster Members to make the necessary API calls to AWS, the Cluster Members need to be provided with credentials. This is achieved using IAM roles.

Lab Time
- Lab 5A: Create Azure High Availability
- Lab 5B: Create an AWS Cluster

MODULE 6 - CLOUDGUARD NETWORK SECURITY POLICY
Learning Objective: Describe the purpose of the CloudGuard Adaptive Policy and CloudGuard Controller for CloudGuard Network Security policy management and identify how they are configured.

Security Policy Fundamentals
Security Policy Fundamentals include Security Policy Rules and Rulebase Fundamentals. Rule order is a critical aspect of an effective Rulebase: always place more specific rules at the top of the Rulebase and more general rules last.

CloudGuard Network Security Policy Management
CloudGuard Adaptive Cloud Policy:
- Required to handle the dynamic nature of cloud environments.
- Uses the provisioning capabilities of the CME (Cloud Management Extension).
- Uses the data collection capabilities of the CloudGuard Controller.
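The idea behind Adaptive Cloud Policy, modelled in code: the CloudGuard Controller keeps a current inventory pulled from the CSP, a Data Center object selects workloads by a tag such as department=rnd, and one rule referencing that object stands in for a row of per-address Accept rules. This is an added example and not part of the Check Point course or of CloudGuard; the inventory, the object and rule structures, the first-match evaluation with an implicit cleanup Drop, and the definition of "Internet" as any destination outside RFC 1918 space are constructed simplifications for the illustration, not SmartConsole objects or the Controller's real data model.

```python
"""Adaptive Cloud Policy: a tag-based Data Center object instead of per-IP rules.

Added example, not part of the Check Point course or of CloudGuard. The
inventory, object and rule structures are constructed simplifications.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption for the model: "Internet" means any destination outside RFC 1918 space.
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNET = "Internet"


@dataclass
class Workload:
    name: str
    ip: str
    tags: dict[str, str]


@dataclass
class DataCenterObject:
    """Selects workloads whose CSP tags match the selector. Resolved at match time,
    so the rule follows the inventory without being edited."""
    name: str
    selector: dict[str, str]

    def resolve(self, inventory: list[Workload]) -> set[str]:
        return {
            w.ip for w in inventory
            if all(w.tags.get(k) == v for k, v in self.selector.items())
        }


@dataclass
class Rule:
    source: DataCenterObject | str   # a Data Center object, a literal IP, or "Any"
    destination: str                 # INTERNET or a CIDR
    action: str                      # "Accept" or "Drop"


def is_internet(dst: str) -> bool:
    addr = ip_address(dst)
    return not any(addr in net for net in PRIVATE_RANGES)


def matches(rule: Rule, src: str, dst: str, inventory: list[Workload]) -> bool:
    if isinstance(rule.source, DataCenterObject):
        src_ok = src in rule.source.resolve(inventory)
    else:
        src_ok = rule.source == "Any" or rule.source == src
    if rule.destination == INTERNET:
        dst_ok = is_internet(dst)
    else:
        dst_ok = ip_address(dst) in ip_network(rule.destination)
    return src_ok and dst_ok


def evaluate(rulebase: list[Rule], src: str, dst: str,
             inventory: list[Workload]) -> tuple[int | None, str]:
    """First-match evaluation with an implicit cleanup Drop, as in a Check Point Rulebase."""
    for number, rule in enumerate(rulebase, start=1):
        if matches(rule, src, dst, inventory):
            return number, rule.action
    return None, "Drop"


# Constructed inventory standing in for what the Controller would pull from the CSP.
INVENTORY = [
    Workload("rnd-build-01", "10.1.0.11", {"department": "rnd"}),
    Workload("rnd-build-02", "10.1.0.12", {"department": "rnd"}),
    Workload("sales-web-01", "10.2.0.21", {"department": "sales"}),
]

RND = DataCenterObject("rnd-department", {"department": "rnd"})
ADAPTIVE_RULEBASE = [Rule(RND, INTERNET, "Accept")]


def snapshot_rulebase(inventory: list[Workload]) -> list[Rule]:
    """The per-address style: one Accept rule per rnd IP, frozen when it was written."""
    return [Rule(ip, INTERNET, "Accept") for ip in sorted(RND.resolve(inventory))]


def decision(src: str, dst: str, inventory: list[Workload] = INVENTORY) -> str:
    return evaluate(ADAPTIVE_RULEBASE, src, dst, inventory)[1]


def scale_out_demo() -> tuple[str, str]:
    """A new rnd instance appears after scale-out. The snapshot rulebase predates it and
    drops its traffic; the tag-based rule accepts it with no policy change."""
    snapshot = snapshot_rulebase(INVENTORY)
    new_vm = Workload("rnd-build-03", "10.1.0.13", {"department": "rnd"})
    grown = INVENTORY + [new_vm]
    static = evaluate(snapshot, new_vm.ip, "203.0.113.10", grown)[1]
    adaptive = evaluate(ADAPTIVE_RULEBASE, new_vm.ip, "203.0.113.10", grown)[1]
    return static, adaptive


if __name__ == "__main__":
    print("rnd -> Internet:", decision("10.1.0.11", "203.0.113.10"))
    print("sales -> Internet:", decision("10.2.0.21", "203.0.113.10"))
    print("after scale-out (snapshot, adaptive):", scale_out_demo())
```

The point of scale_out_demo is the failure mode the slides are addressing: a rulebase written as a list of addresses is a snapshot of the inventory and silently goes stale the moment a scaling event adds an instance, whereas the object-based rule is resolved against the inventory at match time.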
Unique to CloudGuard.

Adaptive Cloud Policy Configuration (Configured Using SmartConsole)
1. Create Data Center objects.
2. Create the policy rule.
3. Install the policy on the Security Gateway.
Administrators can also create the policy even before they configure a data center in SmartConsole. This makes it easier to separate responsibilities between security administrators and other teams that might need to create data centers in SmartConsole.

CloudGuard Controller
- Sub-component of the Security Management Server that allows cloud policies to adjust dynamically.
- Uses the Identity Awareness feature on Security Gateways to access the Cloud Service Provider, synchronizing the current state of the associated accounts.
- Establishes a trusted relationship with the CSP.
- Part of the Security Management Server.

Use Case
Before (one rule per address):
  Source: X.X.X.X  Destination: Internet  Action: Accept
  Source: X.X.X.X  Destination: Internet  Action: Accept
  Source: X.X.X.X  Destination: Internet  Action: Accept
  Source: X.X.X.X  Destination: Internet  Action: Accept
  Source: X.X.X.X  Destination: Internet  Action: Accept
After (one rule on a Data Center object):
  Source: department=rnd  Destination: Internet  Action: Accept
If the certificate window opens, make sure the certificate is valid and click Trust.

Key Points
- Adaptive Cloud Policy uses the provisioning capabilities of the Cloud Management Extension and the data collection capabilities of the CloudGuard Controller to create a dynamic policy that allows for rapid changes without administrator intervention.
- Data Center Objects deploy a pool of cloud resource information that is pulled down from the CSP to dynamically control traffic.
- The CloudGuard Controller is a component of the Security Management Server that allows cloud policies to adjust dynamically to changes in the cloud environment.

Lab Time
- Lab 6A: Create Adaptive Security Policy (Azure)
- Lab 6B: Create Adaptive Security Policy (AWS)

MODULE 7 - CLOUDGUARD AUTOMATION
Learning Objective: Discuss CloudGuard Automation, including purpose, benefits, and tools.

Automation
- The practice of using software-based tools and methods to minimize human intervention.
- Saves time and reduces errors. Not new to Check Point.
- Tools and techniques: APIs, Scripts, Check Point Updatable Objects, Automation Templates (focus of this module).
Check Point APIs, scripts, and Updatable Objects are beyond the scope of this course. Check Point APIs and scripts are discussed in the Check Point Certified Automation Specialist (CCAS) course. Updatable Objects are discussed in more detail in the Check Point Certified Security Expert (CCSE) course.

Use Cases for CloudGuard Network Security Task Automation
- Add a load balancer: Deployment automation template
- Change the IP address range on multiple web servers simultaneously: API
- Delete a Workload: API or manual. Important: To avoid the risk of deleting the wrong Workload, you might want to use the CSP Portal.
- Perform simple maintenance tasks: API, script, or automation template
- Perform more complex tasks: API or automation template

AWS CloudFormation Templates
- Easy way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycles by treating infrastructure as code.
- Describes your desired resources and their dependencies so administrators can launch and configure them together as a stack.
- Typically written in JSON or YAML and define every aspect of the deployment.
sk111013 - AWS CloudFormation Templates

Azure Resource Manager Templates
- Azure Resource Manager is the deployment and management service for Azure.
- JSON files that define the infrastructure and configuration for your project.
- Files use declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it.
sk109360 - Check Point Reference Architecture for Azure

Third-Party Automation Tools
- Red Hat Ansible: Configuration management platform created by Red Hat.
- Terraform by HashiCorp: Open-source orchestration platform.
Uses Playbooks (templates) Uses ACL Hiyashi scripting written in YAML (JSON variant). system. For more information how Check Point leverages Ansible and Terraform, see Quick Links section of sk121360 - Check Point APIs Homepage: https://support.checkpoint.com/results/sk/sk121360 Key Points Through the use of APIs and HTTPS, administrators can send commands to the CSP (Cloud Service Provider) and request changes. Third-Party or External Automation tools allow administrators to deploy automation templates using software that is platform agnostic. There are two main External Automation Suites Check Point administrators use: Ansible and Terraform. Ansible is a configuration management platform that was created by Red Hat, and allows administrators to define automation jobs. Terraform, created by Hashicorp, is an open-source orchestration platform that allows administrators to create, modify, and even remove resources simultaneously. Lab Time No Lab MODULE 8 TROUBLESHOOT CLOUDGUARD NETWORK SECURITY Learning Objective Identify basic guidelines and resources for troubleshooting a CloudGuard Network solution. Basic Troubleshooting in CloudGuard Communication issues Traffic handling issues Policy installation issues CloudGuard Controller issues CloudGuard installation issues Examples of Basic Cloud Network Troubleshooting Issues Security logs Communication Verify Security Gateway allows traffic to pass. Failures between Security Management Traffic captures Server and Security Verify exiting traffic uses correct interface. Gateway Verify arriving traffic being sent to Security Management Server Security logs Identify if traffic is being allowed or blocked by the policy. Traffic Handing Traffic captures Verify traffic arrives at Security Gateway, passes through it , and exits it. Initial diagnostics Command: CloudGuard on Data center object: Test Configuration CloudGuard Controller Additional diagnostics Operation state: TRACE File: $FWDIR/logs/cloud_proxy.elg See sk115657. 
General recommendations Tags IAM client-id IAM client-secret credentials Installation - Networks and subnets Recommendations Installation time and Guidelines CSP-related issues AWS - Software subscription agreements Azure - Deployment times CSP-side Open ticket with CSP. Custom side Verify CloudGuard Controller is running Automation Review SmartConsole logs. Run CME test. Verify Security Management Server clock is set using NAT. Verify Management API. Status tail -f $FWDIR/log/api.elg api status api restart APIs - Useful api reconf Commands Scaling service cme test tail -f /var/log/CPcme/cme.log cme_menu Useful Commands /var/log/cloud-user-data APIs /var/log/ftw_install.log $FWDIR/log/autoprovision.elg*files /opt/CPsuite-R80/fw1/scripts/monitor.p $FWDIR/conf/autoprovision.json file Check Point portion - Involves Security Management Server, CloudGuard Controller, CME, and Security Gateways. AWS portion - Consists of Auto Scaling Scaling Group and other infrastructure components. Azure portion - Consists of VMSS and other infrastructure components. ClusterXL logs Recorded on Logs tab of the LOGS & MONITOR tab of SmartConsole Clusters ClusterXL monitoring commands show cluster cphaprob ClusterXL error messages Begin with prefix CLUS-XXXXXX-Y In cases of a cluster failover, you can use various techniques to simulate the issue, such as: Unplug a cable from a cluster interface. Shut down a cluster interface. Unload the Security Policy. Stop the FWD daemon. Although these approaches let you test the cluster failover, they are not recommended. AWS Script responsible for communicating with AWS is running on each Cluster. IAM roles. AWS Custers Security policy and Azure System clocks Clusters Azure Daemon responsible for communicating with AWS is running on each Cluster. Cluster state and interface status AWS Script responsible for communicating with AWS is running on each Cluster. IAM roles. 
AWS Custers Security policy and Azure System clocks Clusters Azure Daemon responsible for communicating with AWS is running on each Cluster. Cluster state and interface status Common Configuration Errors Message Recommendation The attribute [ATTRIBUTE] is missing in Repair the configuration. the configuration. Primary DNS servers are not configured Configure DNS server on Cluster Member. Failed to resolve [host]. Failed in DNS resolving test. Confirm that DNS resolution on the Cluster Member is working. You do not seem to have a valid cluster Make sure Cluster Member configuration. configuration on Security Management Server is complete and Security Policy is installed. Common Configuration Errors (Continued) Message Recommendation IP forwarding is not enabled on the Use PowerShell to enable IP forwarding interface [Interface Name]. on network interfaces of Cluster Member. The Cluster Member configuration is not current, is written correctly, or is corrupted. Failed to read the configuration file The recommendation varies, depending /opt/ on the JSON output; for example, if file CPsuite- RXX/fw1/conf/azure_ ha.json is corrupted, you can copy it from working member. Failed to log in with the credentials provided. Testing credentials [Exception] See the exception text to understand why. Make sure Microsoft Entra ID service account Testing authorization [Exception] associated with Cloud Cluster is designated as a Contributor. Lab Time Lab 8A: Troubleshoot CloudGuard Network Security Thank you for participating in this course. Please take a few minutes to complete the Student Satisfaction Survey. The survey measures your satisfaction with the training course delivery, the instructor, training materials, and ATC facilities. https://www.surveymonkey.com/r/CheckPointATC
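The Common Configuration Errors slides above pair each cloud cluster message with a recommendation. As an added example (not part of the course material or any Check Point tool), the script below turns that mapping into a small triage routine that runs over constructed diagnostic output; the sample lines, attribute name and exception text are constructed, not real captures.

```python
import re

# Message patterns distilled from the Common Configuration Errors slides.
# Bracketed placeholders on the slides ([ATTRIBUTE], [host], ...) become
# named capture groups so the recommendation can quote the actual value.
RULES = [
    (r"The attribute \[(?P<attr>[^\]]+)\] is missing in the configuration",
     "Repair the configuration: add the missing attribute '{attr}'."),
    (r"Primary DNS servers are not configured",
     "Configure a DNS server on the Cluster Member."),
    (r"Failed to resolve \[(?P<host>[^\]]+)\]",
     "Confirm that DNS resolution on the Cluster Member is working (host '{host}')."),
    (r"Failed in DNS resolving test",
     "Confirm that DNS resolution on the Cluster Member is working."),
    (r"You do not seem to have a valid cluster configuration",
     "Complete the Cluster Member configuration on the Security Management "
     "Server and install the Security Policy."),
    (r"IP forwarding is not enabled on the interface \[(?P<iface>[^\]]+)\]",
     "Use PowerShell to enable IP forwarding on interface '{iface}' of the Cluster Member."),
    (r"Failed to read the configuration file (?P<path>\S+)",
     "Configuration '{path}' is not current, not written correctly, or corrupted; "
     "if corrupted, copy it from a working member."),
    (r"Testing credentials \[(?P<exc>[^\]]+)\]",
     "Login with the provided credentials failed; see the exception: {exc}"),
    (r"Testing authorization \[(?P<exc>[^\]]+)\]",
     "Make sure the Microsoft Entra ID service account of the Cloud Cluster "
     "is designated as a Contributor (exception: {exc})."),
]
COMPILED = [(re.compile(pattern), rec) for pattern, rec in RULES]

def triage_line(line):
    """Return (matched message, recommendation) for a known error, else None."""
    for pattern, rec in COMPILED:
        m = pattern.search(line)
        if m:
            return m.group(0), rec.format(**m.groupdict())
    return None

def triage(lines):
    """Triage every line; unmatched lines are kept so nothing is silently dropped."""
    return [triage_line(l) or (l.strip(), "No rule matched; review manually.") for l in lines]

# Constructed sample output (not a real capture).
SAMPLE = """\
The attribute [subscriptionId] is missing in the configuration.
Primary DNS servers are not configured
Failed to resolve [management.azure.com].
IP forwarding is not enabled on the interface [eth0].
Failed to read the configuration file /opt/CPsuite-RXX/fw1/conf/azure_ha.json
Testing authorization [AuthorizationFailed]
Cluster member is healthy
""".splitlines()

if __name__ == "__main__":
    for message, recommendation in triage(SAMPLE):
        print(f"{message}\n  -> {recommendation}")
```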
