Additional Information

Deploying a Security Management Server in Azure

To deploy a Security Management Server in Azure:

  1. From the Azure Marketplace, deploy this solution to create a Check Point Security Management Server:

    Check Point Security Management Server.

  2. Select the Check Point Security Management software plan.

    Important - The version must be Check Point R81.10 or higher.

    Use these parameters:

  3. This template deploys the Management Server in the selected subnet.

    When the management instance starts, it automatically executes its own Gaia First Time Configuration Wizard.

    This can take up to 30 minutes.

  4. Follow the instructions in Step 3: Configure the Check Point Security Management Server.

Upgrading the CloudGuard VMSS Solution

This section includes instructions and guidelines for upgrading an existing, deployed CloudGuard VMSS solution.

The method to upgrade a VMSS solution is to deploy a new solution (side-by-side), reconfigure Azure resources and Check Point configuration to use the new solution, and then remove the old one.

Note:

To upgrade the CloudGuard VMSS solution:

Step

Description

1

Log in to the Azure portal.

2

Open the existing CloudGuard VMSS solution's resource group.

3

For the Gateway Load Balancer ("gateway-lb"):

  1. Create an empty backend pool.

  2. Obtain the new backend pool's resource ID. Make sure to save the ID for future reference.

  3. Add a new Frontend IP Configuration.

5

Deploy a new CloudGuard Gateway Load Balancer solution from the Azure Marketplace. Below the CloudGuard VMSS settings:

  1. Select "Yes" below "Are you upgrading your vmss version?"

  2. Select the same Management Server as in the existing CloudGuard VMSS solution.

  3. Use a different configuration template name than in the existing CloudGuard VMSS solution.

  4. Fill out the saved resource IDs.

  5. Fill out the names of the created backend pools.

  6. Use the same network settings as in the existing CloudGuard Gateway Load Balancer solution.

6

Add a new Load Balancing Rule:

  1. Protocol: All, Frontend Port: 0, Backend Port: 0.

  2. Backend Pool: The backend pool that you create in step #3.

  3. Frontend IP: The Frontend IP that you create in step #3.

  4. Associate with: The VMSS Scale Set that you deploy in step #5.

7

Set the CME template based on the admin guide.

Example:

autoprov_cfg add template -tn "<Template-Name>" -otp "<SIC-key>" -ver R81 -po "<Policy-Name>"

In this step, you will lose connection to the Internet. Save and close all necessary items before proceeding to the next step.

8

Wait for provisioning to complete and for policy to install on the new CloudGuard VMSS instances.

9

To use the new backend pools, change the Standard Load Balancer to point to the new Frontend IP configuration.

10

Shut down the old CloudGuard VMSS and examine the traffic flows.

Note - At this point, the new VMSS is handling all the traffic in the environment (inbound, outbound, E-W). Make sure that all the traffic flows work as expected before proceeding.

11

Remove the old VMSS CME template based on the admin guide.

Example:

autoprov_cfg delete template -tn "<Template-Name>"

12

Remove the old VMSS resource.

Important - Do not remove the old resource group.

It contains the VNET resource and the Load Balancers currently in use.

13

Remove the old backend pools (referencing the old VMSS) from the Gateway Load Balancer.
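
A check that can be run after step 6 and before step 7, where connectivity is interrupted. It is an added example, not Check Point's code, and confirms that the new rule uses Protocol All with ports 0/0 and is bound to the new backend pool and Frontend IP. The field names assume the flattened JSON printed by `az network lb show`; the subscription ID, resource group, pool, frontend and rule names are constructed.

```python
# Constructed sample, trimmed to the fields checked below (assumed shape of
# `az network lb show -g <resource-group> -n <lb-name> -o json` output).
BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
        "rg-old/providers/Microsoft.Network/loadBalancers/gateway-lb")
SAMPLE_LB = {
    "backendAddressPools": [{"id": BASE + "/backendAddressPools/pool-old"},
                            {"id": BASE + "/backendAddressPools/pool-new"}],
    "frontendIPConfigurations": [{"id": BASE + "/frontendIPConfigurations/fe-old"},
                                 {"id": BASE + "/frontendIPConfigurations/fe-new"}],
    "loadBalancingRules": [
        {"name": "rule-old", "protocol": "All", "frontendPort": 0, "backendPort": 0,
         "backendAddressPool": {"id": BASE + "/backendAddressPools/pool-old"},
         "frontendIPConfiguration": {"id": BASE + "/frontendIPConfigurations/fe-old"}},
        {"name": "rule-new", "protocol": "All", "frontendPort": 0, "backendPort": 0,
         "backendAddressPool": {"id": BASE + "/backendAddressPools/pool-new"},
         "frontendIPConfiguration": {"id": BASE + "/frontendIPConfigurations/fe-new"}},
    ],
}

def _same(a, b):
    # Azure resource IDs are case-insensitive.
    return (a or "").lower() == (b or "").lower()

def check_upgrade_rule(lb, new_pool_id, new_frontend_name):
    """Return a list of problems; an empty list means the step 6 rule matches."""
    problems = []
    if not any(_same(p.get("id"), new_pool_id) for p in lb.get("backendAddressPools", [])):
        problems.append("new backend pool is not on this load balancer")
    fe_suffix = "/frontendipconfigurations/" + new_frontend_name.lower()
    if not any(f.get("id", "").lower().endswith(fe_suffix)
               for f in lb.get("frontendIPConfigurations", [])):
        problems.append("new frontend IP configuration is not on this load balancer")
    rules = [r for r in lb.get("loadBalancingRules", [])
             if _same((r.get("backendAddressPool") or {}).get("id"), new_pool_id)]
    if not rules:
        problems.append("no load balancing rule targets the new backend pool")
    for r in rules:
        if (r.get("protocol"), r.get("frontendPort"), r.get("backendPort")) != ("All", 0, 0):
            problems.append(f"{r.get('name')}: expected Protocol All, Frontend Port 0, Backend Port 0")
        fe_id = (r.get("frontendIPConfiguration") or {}).get("id", "")
        if not fe_id.lower().endswith(fe_suffix):
            problems.append(f"{r.get('name')}: rule is not bound to the new frontend IP")
    return problems

if __name__ == "__main__":
    for problem in check_upgrade_rule(SAMPLE_LB, BASE + "/backendAddressPools/pool-new", "fe-new"):
        print(problem)
```

Pass the resource ID saved in step 3 as `new_pool_id`; any returned problem means the rule should be corrected before continuing.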