CloudGuard Components

Time: 2 hours 22 minutes
Difficulty: Beginner
CEU/CPE: 2
Video Transcription
Welcome to the Check Point Jump Start training series. In this training module, we'll examine the CloudGuard capabilities called CloudGuard private and public network security. CloudGuard network security is used to protect both your private and public Cloud network assets.

Lesson 2, CloudGuard components. In the second lesson we're going to go over the CloudGuard components. We're going to list each component and discuss how they function.

Let's first start this lesson by discussing some of the CloudGuard Cloud components. I'm going to list some new components that only function with the Cloud. The CloudGuard components include the GUI client, the management station, the enforcement gateway, and now there's a new component called the controller. But more on that in a moment. Even though you might already be familiar with most of these components, let's break them down, at least from a Cloud perspective.

We'll start with the GUI client. Available from version R80, the GUI client has been refreshed with a new look and feel, with built-in Cloud support, including API capabilities for orchestration and automation. Using RESTful APIs, you can create rules and objects with the Management API. You can add users and identities with the Identity Awareness API. You can add malware protection and threat protection with the Threat Prevention API. All of these API capabilities help automate the provisioning of the Check Point gateways.

The CloudGuard Gateway offers the same level of security with all the same access control solutions that you're already familiar with. We offer the firewall, the NAT, IPsec VPN, URL filtering, application control, and content control. All of these solutions can be configured in the same way, just as in a traditional network. CloudGuard also offers the same fully integrated advanced threat prevention solutions like IPS, Anti-Virus, Anti-Bot, and SandBlast, which is Threat Emulation and Threat Extraction.

The Check Point management station is the industry's gold standard. It is used to manage all of your Check Point gateways, enforcement points, and sensors. The Check Point management station has a few key strengths. It holds and contains a centralized database. This database stores all the objects and rules that are pushed to all relevant gateways. It is GUI object-oriented, which means it is easy to configure and intuitive to manage. It can manage all of the Check Point products and blades across different domains: the clouds, the networks, the endpoints, the mobile, IoT devices and datacenters. It is also backwards compatible. It can manage gateways that are running the latest version of software or gateways running older versions.

On top of these components, we've added a new component called the controller, which is part of the management station. It's embedded with the management solution. The controller allows your database, policies, and rules to be adaptive and dynamically updateable. This is crucial in the dynamic nature of Cloud environments. Let's look at it this way: it's the controller's job to scour and comb through your Cloud environments and find objects that were added or deleted. Consequently, it updates the management station's database and the firewall rule base.

To make sure that you understand this power and flexibility, let's contrast this with traditional networks. In traditional firewalls, when you add a new server on the network, or when you need to create the server or host object, or when you add or change the IP address of a host or a network object, you need to add or change the object in a rule, or even create a new rule. Then you need to compile and push the policy to the gateway. This process can take time, and it is slow and methodical. In addition, you might be bound by the constraints of having to schedule change maintenance windows, or perhaps you're in a change freeze lock-down time-frame. This traditional approach will not work with the Cloud because of the Cloud's dynamic nature, which renders this approach insufficient and unacceptable.

In addition, application developers upload their apps into the Cloud for testing, performing tests on multiple platforms, PCs, smartphones, and on various operating systems. Developers might be in a continuous cycle of testing, recoding, and rebuilding. You may also have the operators who deploy and spin up these apps and workloads in different regions and in different clouds. This elasticity and flexibility that makes the Cloud so dynamic in nature becomes impossible to manage from a traditional firewall perspective.

To solve this, Check Point uses the controller, which operates with multiple Cloud providers, in multiple or hybrid Clouds, in multiple accounts, and in multiple regions, scanning for changes in objects within hosts, servers or networks, including IP address reconfigurations and object deletions, and then updating and enforcing the firewall policy accordingly without a single policy push.

Let's take a look at how this is accomplished. In a policy, you need to create a control connection from the management station to your Cloud provider. Once you have established an authenticated connection to the Cloud provider, all network and workload objects are viewable and accessible from the SmartConsole. Now, instead of using IP addresses or host names and resource names in a rule base, you can use tags. Name tags are like labels that you assign to the object, like object names, object IP addresses, object servers, users, or groups. Name tags can be created for a single asset or for multiple assets, such as workloads or virtual private networks. Once you tag an asset in the Cloud, you can use the tag in the rule base. All Cloud objects with the same tag name will be matched by the rule base that uses those tag names. If an object is removed, it will no longer be matched by the rule base. If an object is created and then tagged with the same tag name as in the rule base, it will now be matched by that rule in the rule base. If the IP address of an object or workload changes, the controller gets notified, and it changes the IP in the rule base accordingly. A change in the Cloud object with a tag name will update the controller; the controller updates the management station rule base that the tag has a new name change. The management station then updates the firewall and starts enforcing the new change that has a tag name.

The controller component allows us to have an adaptive management station, so when your Cloud evolves, the policy can automatically adapt without needing to push a new policy.

That brings us to the end of this lesson. Let's quickly recap before exiting this video. In this training module, we discussed the different CloudGuard components. We have the GUI client component, the Management server component, the Enforcement Gateway, and now, new in CloudGuard, we have a new component called the Controller. The Controller's responsibility is to get the cloud identities from your Cloud accounts, from your Cloud service providers, and then feed these identities to the management station. Then the administrator can use these identities, these Cloud identities, and use them in the policies and rule base.

That completes our second lesson. In the next lesson we're going to discuss how to use CloudGuard for segmentation. I'll see you there.