Configuration Steps

Step 1: Create an Azure AD and Service Principal

The Check Point Security Management Server uses this Azure AD application and Service Principal to monitor the creation and status of the VMSS instances, so that it can complete the provisioning of these gateways.

From the Azure website, go to Create an Azure Active Directory Application and Service Principal.

Use these parameters:

  • Name: <Application_Name> (example: check-point-autoprovision)

  • Application Type: Web-App / API

  • Sign-on URL: https://localhost/<Application_Name> (example: https://localhost/check-point-autoprovision)

After you create the application, write down these values (you use them later as the CME controller parameters):

  • Application ID - used as client_id

  • Key value - used as client_secret. Azure shows the key value only once, at creation time; copy it before you leave the page.

  • Tenant ID - used as tenant

  • Directory ID - the same value as the Tenant ID; the Azure Portal shows it as "Directory (tenant) ID".

Note - Check Point recommends that you set the key to never expire, so that the Security Management Server does not silently lose access to the subscription when the key lapses. A non-expiring key is a long-lived credential: keep it in a secret store, limit the application to the Reader role described in Step 4, and if your policy requires expiry, record the date and update the secret in the CME configuration before it lapses.
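As an added example (not Check Point's or Microsoft's code), the following script creates the application and Service Principal with the Azure CLI instead of the portal, restricts it to the Reader role on the VMSS resource group and the VNET that Step 4 calls for, and maps the values Azure returns to the CME parameter names client_id, client_secret and tenant. The Application Type and Sign-on URL fields above belong to the portal flow; the CLI registration does not ask for them. It assumes an installed and logged-in az; every name, subscription ID and resource group in it is a placeholder, SAMPLE_OUTPUT is a constructed stand-in for the JSON that az prints, and it sets a one-year credential lifetime (change SECRET_YEARS if you follow the never-expire recommendation above). With DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not Check Point's or Microsoft's own code: create the Azure AD
# application and Service Principal that CME uses, scoped to Reader on the VMSS
# resource group and the VNET only, and map the values Azure returns to the
# parameter names CME expects (client_id, client_secret, tenant).
# Assumptions: 'az' is installed and logged in; every name and ID below is a
# placeholder; SAMPLE_OUTPUT is a constructed stand-in for the JSON that
# 'az ad sp create-for-rbac -o json' prints.
set -eu

APP_NAME="${APP_NAME:-check-point-autoprovision}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
VMSS_RG="${VMSS_RG:-cp-vmss-rg}"          # placeholder: the (empty) VMSS resource group
VNET_RG="${VNET_RG:-cp-network-rg}"       # placeholder: resource group that holds the VNET
VNET_NAME="${VNET_NAME:-cp-vnet}"         # placeholder
SECRET_YEARS="${SECRET_YEARS:-1}"         # credential lifetime; rotate rather than never expire

# Constructed sample of the JSON 'az ad sp create-for-rbac' prints (all values are fake).
SAMPLE_OUTPUT='{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "check-point-autoprovision",
  "password": "fake-secret-value",
  "tenant": "66666666-7777-8888-9999-000000000000"
}'

# run_az: run az, or print the command when DRY_RUN=1 (the default) for offline review.
run_az() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# reader_scopes: the two scopes CME needs the Reader role on, one per line.
reader_scopes() {
  printf '%s\n' \
    "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$VMSS_RG" \
    "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$VNET_RG/providers/Microsoft.Network/virtualNetworks/$VNET_NAME"
}

# create_sp: create the application + Service Principal with Reader on exactly those scopes.
create_sp() {
  # shellcheck disable=SC2046  # word-splitting of reader_scopes is intended
  run_az ad sp create-for-rbac --name "$APP_NAME" --role Reader \
    --years "$SECRET_YEARS" --scopes $(reader_scopes) -o json
}

# extract_field KEY: read JSON on stdin and print the string value of KEY (one key per line).
extract_field() {
  sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# cme_values: translate the az output on stdin into the names CME uses.
cme_values() {
  json=$(cat)
  printf 'client_id=%s\n'     "$(printf '%s\n' "$json" | extract_field appId)"
  printf 'client_secret=%s\n' "$(printf '%s\n' "$json" | extract_field password)"
  printf 'tenant=%s\n'        "$(printf '%s\n' "$json" | extract_field tenant)"
}

if [ "${DRY_RUN:-1}" = "1" ]; then
  create_sp                                    # shows the command that would run
  printf '%s\n' "$SAMPLE_OUTPUT" | cme_values  # shows the mapping on the constructed sample
else
  create_sp | cme_values                       # real run: keep client_secret out of shell history and logs
fi
```

Run it with DRY_RUN=0 to create the Service Principal; the three printed lines are exactly the values Step 3 needs, so pipe them into your secret store rather than into a terminal log.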

Step 2: Install the Check Point Security Management Server

These steps are required only if you do not have an installed Check Point Security Management Server.

If you already have the Check Point Security Management Server installed, skip to Step 3.

Requirements for the Check Point Security Management Server

  • Must be Check Point R81.10 and higher.

  • Must be able to initiate connections to the CloudGuard IaaS Security Gateways.

Requirements for CloudGuard IaaS Security Gateways

  • Must be Check Point R81.10 and higher.

  • Must be able to initiate connections to the Security Management Server (for example, to send logs).

Deploying a Security Management Server in Azure

Refer to: Deploying a Security Management Server in Azure

Deploying a Security Management Server on-premises

Follow the instructions in the Check Point Installation and Upgrade Guide for your Management Server version.

Important - Must be Check Point R81.10 and higher.

Step 3: Configure the Check Point Security Management Server

Do these steps to manage the Virtual Machine Scale Sets with the Check Point Security Management Server:

  1. Download, install, and configure the latest Cloud Management Extension.

    See Cloud Management Extension R80.10 and Higher Administration Guide.

    Note - Azure Gateway Load Balancer is supported starting from CME take 168.

  2. Configure the required Security Policy in SmartConsole.

Important - The policy name must exactly match the policy name configured in the CME configuration template that you use for this VMSS (see Step 4). Otherwise CME cannot install the policy on the gateways it provisions.

Note - By default, the Gaia Portal of each Check Point Security Gateway and of the Security Management Server is reachable from the internet at https://<virtual-machine-public-ip>. Restrict access to the Gaia Portal by configuring a Network Security Group, or by restricting the allowed source addresses in the Security Gateway and Security Management Server settings, so that only your administration networks can reach it.

Step 4: Deploy the Check Point VMSS and the Gateway Load Balancer and Assign the Azure AD Application

Azure Gateway Load Balancer is a Public Preview feature, so you must first register the feature in the Azure subscription where the Gateway Load Balancer is deployed.

To register it, run these commands from CloudShell (feature registration can take several minutes; wait until the feature state is Registered before you run step 3, because the provider registration only picks up a feature that is already registered):

  1. az account set --subscription <The subscription ID where the Gateway Load Balancer is deployed>

  2. az feature register --name AllowGatewayLoadBalancer --namespace Microsoft.Network

  3. az provider register --namespace Microsoft.Network
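As an added example (not Check Point's or Microsoft's code), the script below runs the three commands above with the wait between steps 2 and 3 that the list leaves implicit: the provider re-registration only propagates the feature once its state is Registered, so the script polls az feature show until then and refuses to continue on an unexpected state. It assumes an installed and logged-in az, SUBSCRIPTION_ID is a placeholder, and with DRY_RUN=1 (the default) it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not Check Point's or Microsoft's own code: register the Gateway
# Load Balancer preview feature, wait until Azure reports it Registered, and only
# then re-register the Microsoft.Network provider to propagate the feature.
# Assumptions: 'az' is installed and logged in; SUBSCRIPTION_ID is a placeholder.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
FEATURE_NAME="AllowGatewayLoadBalancer"
FEATURE_NS="Microsoft.Network"

# run_az: run az, or print the command when DRY_RUN=1 (the default) for offline review.
run_az() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# glb_feature_state: current registration state of the feature (Registered, Registering, ...).
glb_feature_state() {
  az feature show --name "$FEATURE_NAME" --namespace "$FEATURE_NS" \
    --query properties.state -o tsv
}

# wait_for_state FN MAX_TRIES DELAY: call FN until it prints "Registered".
# Returns 0 on success, 1 after MAX_TRIES attempts or on an unexpected state
# (for example Unregistered, which means the registration was never submitted).
wait_for_state() {
  fn=$1; max=$2; delay=$3; n=0
  while [ "$n" -lt "$max" ]; do
    state=$("$fn")
    case "$state" in
      Registered) return 0 ;;
      NotRegistered|Pending|Registering|"") n=$((n + 1)); sleep "$delay" ;;
      *) printf 'unexpected feature state: %s\n' "$state" >&2; return 1 ;;
    esac
  done
  return 1
}

# register_glb_feature: the three commands from the guide, with the wait in between.
register_glb_feature() {
  run_az account set --subscription "$SUBSCRIPTION_ID"
  run_az feature register --name "$FEATURE_NAME" --namespace "$FEATURE_NS"
  if [ "${DRY_RUN:-1}" != "1" ]; then
    # Registration usually takes a few minutes; allow up to 30 x 20 s.
    wait_for_state glb_feature_state 30 20
  fi
  run_az provider register --namespace "$FEATURE_NS"
}

register_glb_feature
```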

From the Azure Marketplace, deploy CloudGuard Network Security - Firewall & Threat Prevention:

On Plan, select Public Preview CloudGuard Gateway Load Balancer and click Create.

  • Use these parameters in the Basic section:

    • Gateway scale set name - The name of the Virtual Machine Scale Set (VMSS).

    • Credentials - The SSH public key, or the username and password, for SSH connections to the CloudGuard IaaS Gateways. Prefer a public key; a password is exposed to brute-force attempts if the instances have public IP addresses.

    • Subscription - The Azure subscription where the VMSS is deployed.

    • Resource group - The Azure Resource Group where the VMSS is deployed. Important - The Resource Group must be empty (it must not contain any Azure resources).

    • Location - The Azure location where the VMSS is deployed.

  • Use these parameters in the Check Point VMSS settings section:

    • Are you upgrading your CloudGuard VMSS solution? - Defines whether this is a new deployment or an upgrade of an existing VMSS deployment. If this is an upgrade of the CloudGuard VMSS solution, select Yes.

    • Initial number of Security Gateways - The minimum number of CloudGuard IaaS Gateway instances in the VMSS. We recommend a minimum of two.

    • Maximum number of Security Gateways - The maximum number of CloudGuard IaaS Gateway instances in the VMSS.

    • Management name - The name of the Security Management Server, as configured in CME (example: my-management). See Cloud Management Extension R80.10 and Higher Administration Guide.

    • Configuration template name - The name of the configuration template in the CME service (example: my-configuration-template).

    • Administrator email address - The email address of the Administrator responsible for scaling operations, such as the launch of a new gateway or the termination of a gateway.

    • Check Point CloudGuard Gateway Load Balancer session persistence - The load-balancing distribution method (session persistence) of the Gateway Load Balancer. See Configure the distribution mode for Azure Load Balancer.

    • Deploy the VMSS with instance level public IP address - If you select yes, each VMSS instance gets its own public IP address, which the Security Management Server can use to manage the gateways from outside the VNET. Default value: no. Important - This value cannot be changed after deployment.

    • Management interface and IP address - Select which IP address the Security Management Server uses to manage the VMSS instances:

      • NIC's private IP address.

      • NIC's public IP address - available only if you deploy with an Instance Level Public IP (ILPIP) address.

      Private: Manage the Gateway VMSS through the private IP address of the instance. The Security Management Server must be able to reach the private IP addresses, for example from the same or a peered VNET. If you manage through the frontend NIC, you must add a corresponding route to the Frontend Route Table, with Destination and Next Hop set to <the private IP address of the Security Management Server>.

      Public: Manage the Gateway VMSS through the public IP address of the instance.

    • Number of Availability Zones to use - Defines the Azure Availability Zones for your VMSS:

      • None - Do not use Azure Availability Zones.

      • 1 - Use Azure zonal redundancy.

      • 2 - Use Azure two-zone redundancy (zones [1, 2]).

      • 3 - Use Azure three-zone redundancy (zones [1, 2, 3]).

      Notes:

      • Available only if you deploy in an Azure location that supports Availability Zones.

      • Support for Azure Availability Zones is available with template version 20200303 and above.

    • Enable CloudGuard metrics - Enables CloudGuard metrics, so that the VMSS instances send statuses and statistics to the Azure Monitor service. If CloudGuard metrics are enabled in the VMSS deployment:

      • A System Assigned Managed Identity is created for the VMSS and is granted the "Monitoring Metrics Publisher" role on the VMSS Resource Group.

      • The CloudGuard metrics agent sends metrics every minute.

      • The CloudGuard metrics are sent to Azure Monitor immediately after the VMSS deployment completes.

      To view the CloudGuard metrics: in the VMSS view, click Monitoring > Metrics and select the "cloudguard" Metric Namespace.

  • Use these parameters in the Network settings section:

    • Network setting - A pre-existing Virtual Network and subnets, or the name of a new Virtual Network and subnets, where the VMSS is deployed.

      Note - When you use pre-existing subnets:

      • Make sure no other Virtual Machines are deployed in those subnets.

      • Make sure the user defined routes (UDR) for the subnets are defined correctly (see Scale In and Scale Out Events).

      • Make sure an NSG that allows all inbound and outbound TCP and UDP traffic is associated with the frontend subnet. The CloudGuard gateways enforce the Security Policy on this traffic; the NSG only has to avoid filtering it before it reaches them. Do not reuse this permissive NSG on application subnets.

Assign the Azure Active Directory application from Step 1 a minimum role of Reader on the VMSS and on the VNET, as described in Add a minimum role of Reader to the VMSS and the VNET and Assign application to role.

For more about managed identities, see the Azure documentation overview.

Step 5: Chaining external Load Balancers

After steps 1-4 are finished, CME provisions the CloudGuard IaaS Security Gateways (as many as the "Initial number of Security Gateways" value in step 4). When the provisioning process is finished, you can chain your application to the Gateway Load Balancer.

You can chain these Azure resources to a Gateway Load Balancer:

  1. A frontend IP configuration of a Standard Public Load Balancer

  2. The IP configuration of a Virtual Machine NIC that has a Standard Public IP address

To enforce inbound and outbound inspection, make sure that:

  1. All traffic to and from your application is routed through the above resources.

  2. Each of the above resources is chained to the Gateway Load Balancer. Any frontend or public IP address that is not chained is a path around the inspection.

Chaining a Standard Public Load Balancer (external):

  1. From the Azure Portal, go to the Load Balancer you want to chain.

  2. Click on Frontend IP Configuration.

  3. In the Gateway Load Balancer section, select the Gateway Load Balancer created in step 4.

  4. Click Save.

Note - If the Load Balancer has more than one frontend IP Configuration (for example one for inbound and one for outbound), make sure to chain all of them.

Chaining a Virtual Machine with Standard Public IP:

  1. From the Azure Portal, go to the Public IP resource you want to chain

  2. Click on properties

  3. Click on the Network Interface under Associated to

  4. Click on IP configuration

  5. In the Gateway Load Balancer section, select the Gateway Load Balancer created in step 4

  6. Click Save

Once your application is chained to the Gateway Load Balancer, all traffic to and from the application is inspected by the CloudGuard IaaS Security Gateways before it reaches the application and before outbound traffic leaves for the internet.

Load Balancer notes:

  1. For Virtual Machines in a Load Balancer backend pool, outbound inspection is enforced only if they do not have a Public IP address associated with them; a VM with its own public IP address sends outbound traffic through that address, not through the chained Load Balancer frontend.

  2. Backend pool configuration: NIC (recommended by Azure).

  3. Load Balancing Rules, outbound source network address translation (SNAT) options:

    • (Recommended) Use outbound rules to provide backend pool members access to the internet - Requires you to configure an outbound rule (best practice).

    • Use implicit outbound rule - Not recommended, because it can cause SNAT port exhaustion: the frontend IP address of the load balancer is used for both inbound and outbound traffic, and the deployment is more prone to connectivity failures from SNAT port exhaustion.
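The chaining steps above, done with the Azure CLI instead of the portal, as an added example that is not Check Point's or Microsoft's code. It chains every frontend IP configuration of the application's Standard Public Load Balancer (so an inbound and an outbound frontend are not left half-chained, as the Note above warns), chains the IP configuration of a VM NIC that carries a Standard Public IP, and reads the binding back to verify it. The --gateway-lb flag takes the resource ID of the Gateway Load Balancer's frontend IP configuration, not the Gateway Load Balancer's name. It assumes an installed and logged-in az and that the Gateway Load Balancer from Step 4 exists; the resource group, load balancer, frontend, NIC and subscription values are placeholders, and with DRY_RUN=1 (the default) it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not Check Point's or Microsoft's own code: chain a public
# Standard Load Balancer (every frontend) and a VM NIC IP configuration to the
# Gateway Load Balancer created in Step 4, then read the binding back.
# Assumptions: 'az' is installed and logged in; all names/IDs are placeholders.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RG="${RG:-cp-app-rg}"                         # placeholder: resource group of the app LB / VM
GLB_RG="${GLB_RG:-cp-vmss-rg}"                # placeholder: resource group of the GLB (Step 4)
GLB_NAME="${GLB_NAME:-cp-gateway-lb}"         # placeholder
GLB_FRONTEND="${GLB_FRONTEND:-cp-gateway-lb-frontend}"  # placeholder

# run_az: run az, or print the command when DRY_RUN=1 (the default) for offline review.
run_az() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# glb_frontend_id: resource ID of the GLB frontend IP configuration; this is the
# value --gateway-lb expects. In dry-run mode the ID is built from the placeholders.
glb_frontend_id() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$GLB_RG/providers/Microsoft.Network/loadBalancers/$GLB_NAME/frontendIPConfigurations/$GLB_FRONTEND"
  else
    az network lb frontend-ip show -g "$GLB_RG" --lb-name "$GLB_NAME" -n "$GLB_FRONTEND" --query id -o tsv
  fi
}

# lb_frontend_names LB: every frontend IP configuration name on LB, one per line.
lb_frontend_names() {
  az network lb frontend-ip list -g "$RG" --lb-name "$1" --query '[].name' -o tsv
}

# chain_lb_frontends LB NAME...: chain each named frontend of LB to the GLB frontend.
chain_lb_frontends() {
  lb=$1; shift
  feid=$(glb_frontend_id)
  for fe in "$@"; do
    run_az network lb frontend-ip update -g "$RG" --lb-name "$lb" -n "$fe" --gateway-lb "$feid"
  done
}

# chain_nic_ipconfig NIC IPCONFIG: chain a VM NIC IP configuration (Standard public IP) to the GLB.
chain_nic_ipconfig() {
  feid=$(glb_frontend_id)
  run_az network nic ip-config update -g "$RG" --nic-name "$1" -n "$2" --gateway-lb "$feid"
}

# verify_lb_frontend LB NAME: print the gateway LB frontend ID bound to a frontend (empty if not chained).
verify_lb_frontend() {
  run_az network lb frontend-ip show -g "$RG" --lb-name "$1" -n "$2" --query gatewayLoadBalancer.id -o tsv
}

if [ "${DRY_RUN:-1}" = "1" ]; then
  chain_lb_frontends app-lb fe-inbound fe-outbound   # placeholder LB with two frontends
  chain_nic_ipconfig app-vm-nic ipconfig1            # placeholder VM NIC
  verify_lb_frontend app-lb fe-inbound
else
  # shellcheck disable=SC2046  # one argument per frontend name is intended
  chain_lb_frontends app-lb $(lb_frontend_names app-lb)
  chain_nic_ipconfig app-vm-nic ipconfig1
  verify_lb_frontend app-lb fe-inbound
fi
```

With DRY_RUN=0, verify_lb_frontend prints the GLB frontend ID for a chained frontend and nothing for one that was missed; run it for every frontend and public IP the application uses before you rely on the inspection.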

Step 6: Automatic Rule Placement (Optional)

As part of the provisioning of each CloudGuard IaaS Security Gateway, the Security Management Server creates automatic Access rules that allow the tunnel traffic between the Gateway Load Balancer and the CloudGuard IaaS Security Gateway. By default, these automatic Access rules are created at the top of the rulebase. In some deployments you want them placed at a specific position in the policy rather than at the top, for example below rules that must always be evaluated first.

To do this, create a section for these rules in SmartConsole and specify the section name in the CME configuration:

  1. In SmartConsole, in the applicable Security Policy, create a new section:

    1. Right-click the number of the rule below which the section should appear.

    2. Select Create New Section > Below.

    3. Name the new section and record the name exactly; CME matches it by name in the next steps.

  2. Connect to command line on the Security Management Server

  3. Log in to the Expert mode.

  4. Run this command:

    autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -secn <SECTION-NAME>

  5. Replace <CONFIGURATION-TEMPLATE-NAME> with the name of the configuration template you used in Step 4: Deploy the Check Point VMSS and the Gateway Load Balancer and Assign the Azure AD Application (for example, my-configuration-template).

  6. Replace <SECTION-NAME> with the name of the section you created in step 1.

If the section is specified in the configuration template, but not found in the rule base, the rules are added at the top by default.

Note - The changes above occur only for new VMSS instances. The existing rules stay the same.

Change section name:

To change the section in which new automatic Access rules are added, run:

autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -secn <SECTION-NAME>

Remove section name:

To return to the default and add new automatic Access rules at the top of the rulebase, run:

autoprov_cfg delete template -tn <CONFIGURATION-TEMPLATE-NAME> -secn