Configure CloudGuard Network for Azure VMSS GWLB

Step 1: Set up authentication using either Microsoft Entra ID (formerly Azure AD) or Azure IAM

Azure provides two options for managing access to resources. You can use either Microsoft Entra ID (formerly Azure AD) or Azure Identity and Access Management (IAM) to establish secure authentication.

To grant access using Azure IAM (starting from CME Take 297), go to Step 4.7.

To create a Microsoft Entra ID and Service Principal:

00:00: 00:05: This video shows how to create a Microsoft entra ID and service principle 00:09: for Azure vmss deployment. 00:12: Log in to the Azure portal. 00:17: Click Microsoft enter ID. 00:20: Click the add button and select app registration. 00:23: On the register and application window, give it a meaningful name and 00:27: select accounts in this organizational directory only single tenant. 00:32: In redirect URI select web is platform. 00:36: In the address field, enter Local Host slash vmss name. 00:41: Click register and the new application is created. 00:47: On the new application, window select manage certificates and secrets. 00:52: In the client Secrets, tab, click new client Secret. 00:56: Enter a description in an expiration time for the client secret and click 01:00: add. 01:02: It is important to back up the key. Now as you cannot see it later. 01:07: Go to the applications overview Tab, and copy the application client ID 01:11: object, ID and directory tenant ID, you will need 01:15: to use them in step 3 to configure the checkpoint management server. 01:21:

With the Microsoft Entra ID and Service Principal, the Check Point Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. monitors the creation and status of the VMSS, so it can complete the provision of these Security Gateways.

Note - Grant the Service Principal at least "Managed Application Contributor", "Storage Account Contributor", "Network Contributor", and "Virtual Machine Contributor" permissions to the Azure subscription.

For any extra permissions needed, see the official Microsoft documentation for guidance.

  1. Connect to portal.azure.com.

  2. Click Microsoft Entra ID.

  3. Click +Add > App registration. The Register an application screen opens

  4. Create new registration:

    1. Select a meaningful Name.

    2. Supported account types - Select Accounts in this organizational directory only (Single tenant).

    3. Redirect URL - Select Web, and type https://localhost/vmss-name - instead of vmss-name. It can be any name.

    4. Click Register. The new application is created.

    5. In the new application screen, on the left menu pane, click Manage > Certificates and secrets.

    6. In the Client Secrets tab, click + New Client Secret.

    7. Add the duration for the key.

    8. Click Add.

    9. Backup the key. You cannot look at the key later. Save it now.

After you create the application, write down these values to use in the "Configure the Check Point Security Management Server" step.

  • Application ID

    client_id

  • Key value

    client_secret

  • Tenant ID

    directory (tenant) ID

Step 2: Install the Check Point Security Management Server

We recommend you to use Smart-1 Cloud (Check Point's Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. as a Service) to manage CloudGuard Network for Azure Virtual Machine Scale Sets (VMSS).

Refer to Quantum Smart-1 Cloud Administration Guide > Using the settings > Cloud Management Extension (CME) Configuration for step-by-step instructions for enabling CME in Smart-1 Cloud.

These steps are required only if you do not have an installed Check Point Security Management Server.

If you already have the Check Point Security Management Server installed, skip to Step 3.

Must start connections to the CloudGuard Network Security Gateways.

Must start connections to the Security Management Server. For example, to send logs.

Follow these steps:

Step

Description

1

From the Azure Marketplace, deploy this solution to create a Check Point Security Management Server:

Check Point Security Management Server.

2

Select the Check Point Security Management software plan.

Important - It must be R81 and higher.

Use these parameters:

3

This template deploys the Management Server in the selected subnet.

When the management instance starts, it automatically executes its own Gaia First Time Configuration Wizard.

This can take up to 30 minutes.

4

Do the instructions in Step 3: Configure the Check Point Security Management Server.

Follow the instructions in the Check Point Installation and Upgrade Guide for your Security Management Server version.

Step 3: Configure the Check Point Security Management Server

Do these steps to manage the Virtual Machine Scale Sets with the Check Point Security Management Server:

  1. Downloading and Installing the Latest CME Version.

  2. Configuring the CME on the Security Management Server

  3. Configure the Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. in SmartConsole.

    Important - The policy name must be the same as the value you configured in the CME Azure template.

Note - By default, you can access each Check Point Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. and Security Management Server's Gaia PortalClosed Web interface for the Check Point Gaia operating system. from the Internet by browsing to http://<virtual-machine-public-ip>. Restriction of access to the Gaia Portal is possible by configuring a Network Security Group, or by configuring the Check Point Security Gateway and Management Server settings.

Step 4: Deploy the Check Point VMSS and the Gateway Load Balancer and Assign the Microsoft Entra ID Application

  1. Deploy the CloudGuard Network Security - Firewall & Threat Prevention from the Azure Marketplace.

  2. Click Get it Now.

  3. In the Software plan drop-down window, select CloudGuard Gateway Load Balancer and click Continue.

  4. Click Create.

  5. Fill in the parameters according to the tables below.

    • Parameter

      Description

      Subscription

      The Azure subscription, where the VMSS is deployed.

      Resource group

      The Azure Resource Group, where the VMSS is deployed.

      Important - The Resource Group must be empty (must not contain any Azure resources).

      Note - Resource group name must not contain reserved words based on sk40179.

      Region

      The region, where the VMSS is deployed.

      Gateway scale set name

      The name of the VMSS resource group.

      Authentication type

      The option to authenticate either with the public key or with a username and password when establishing SSH connections to the CloudGuard NetworkSecurity Gateway.

    • Parameter

      Description

      Are you upgrading your CloudGuardVMSS solution?

      Defines if this a new deployment or an upgrade of the existing VMSS deployment.

      If this is an upgrade of the CloudGuardVMSS solution, select Yes and follow the VMSS Upgrade procedure.

      Initial number of Security Gateways

      The minimum number of CloudGuard NetworkSecurity Gateway instances in the VMSS.

      We recommend a minimum of two.

      Maximum number of Security Gateways

      The maximum number of CloudGuard NetworkSecurity Gateway instances in the VMSS.

      Management name

      The name of the Security Management Server.

      Important - You must specify the same name you used when configured CME on the Security Management Server.

      The default Security Management Server name is MGMT.

      See Configuring the CME on the Security Management Server

      Configuration template name

      The name of the configuration template.

      Important - You must specify the same name you used when configured a CME Azure template on the Security Management Server.

      Example:

      my-configuration-template

      Administrator email address

      The email address of the Administrator responsible for scaling operations, such as the launch of a new Security Gateway, or a Security Gateway termination.

      Load Balancer deployment

      Defines which Load Balancer to deploy:

      • Standard (External & Internal inspection).

      • External only (Inbound inspection only).

      • Internal only (Outbound & East-West inspection only). For outbound inspection, it is mandatory to deploy an External Load Balancer and instance-level public IP addresses.

      Deploy the Load Balancers with floating IP

      If you select yes, each Load Balancer is deployed with Floating IP enabled.

      Default value: no.

      Check PointCloudGuardExternal Load Balancer session persistence

      The load balancing distribution method for the External Load Balancer - Inbound.

      See Configure the distribution mode for AzureLoad Balancer.

      Check PointCloudGuardInternal Load Balancer session persistence

      The load balancing distribution method for the Internal Load Balancer - Outbound and East-West.

      See Configure the distribution mode for AzureLoad Balancer.

      Deploy the VMSS with instance level public IP address

      If you select yes, each VMSS instance gets its own public IP address.

      The Security Management Server can use those IP addresses to manage from the external VNET.

      Default value: no.

      Important - The value you configure is irreversible.

      Deploy the VMSS with Public IP Prefix

      If you select yes, the VMSS is deployed with a Public IP Prefix.

      Create new or existing Public IP Prefix

      If you select new, select the IPv4 prefix length.

      Note - The VMSS is not allowed to contain more instances than the prefix size.

      Management interface and IP address

      Select which IP address to use as the management interface for the VMSS:

      • Backend NIC's private IP address.

      • Frontend NIC's public IP address - only available if you deploy an Instance Level Public IP (ILPIP) address.

        Note - Select this option if you use Smart-1 Cloud to manage CloudGuard Network for Azure (VMSS).

      • Frontend NIC's private IP address.

      Private:

      Manage the GatewayVMSS with the private IP address of the instance. The Security Management Server must have access to the private IP addresses. For example, to be in the same/peered VNET.

      In case you use the frontend NIC, you must add a corresponding ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. in the Frontend Route Table: Destination & Next Hop: <The private IP address of the Security Management Server>.

      Public:

      Manage the GatewayVMSS with the public IP address of the instance.

      Note - Support for private addresses is available with the Add-On version 419 and above, and the template version 20200303 and above.

      Number of Availability Zones to use

      Defines the Azure Availability Zones for your VMSS:

      • None - Do not use Azure Availability Zones.

      • 1 - Use Azure zonal redundancy.

      • 2 - Use Azure two-zones redundancy (zones [1, 2])

      • 3 - Use Azure three-zones redundancy (zones [1, 2, 3])

      Notes:

      • Only available if you deploy in a supported Azure location.

      • Support for Azure Availability Zones is available with the template version 20200303 and above.

      DNS Resource Zone ID

      Resource ID is the unique permanent identifier assigned to each Azure resource. ID of the DNS Zone Resource can be found in its related Properties tab.

      DNS Record Set Name

      DNS Record that includes a maximum of 20 public IPs of VMSS instances. If a current Record Set is used, all its records are replaced with the VMSS instances' public IPs.

      Enable CloudGuard metrics

      Enables CloudGuard metrics to allow VMSS instances to send statuses and statistics to the Azure Monitor service.

      If the CloudGuard metrics are enabled in the VMSS deployment, then:

      • System Assigned Managed Identity is created and the "Monitoring Metrics Publisher" role is assigned to the VMSS Resource Group.

      • The CloudGuard metrics agent starts to send metrics each minute.

      • The CloudGuard metrics are sent to the Azure Monitor resource immediately after the VMSS deployment is completed.

      To show CloudGuard, from the VMSS view, click Monitoring > Metrics > Metric Namespace - "cloudguard".

    • Parameter

      Description

      Check Point CloudGuard version

      Select the Check Point version you want to install.

      License type

      Select the license type to use:

      • Bring Your Own License

      • Pay As You Go (NGTP)

      • Pay As You Go (NGTX)

      Virtual Machine size

      The VM size of the Security Gateway.

      Default shell for the admin user

      Select the admin’s default shell.

      SIC key

      Set the Secure Internal Communication one-time secret.

      Enable Maintenance Mode

      A password hash to enable the VM maintenance mode.

      Maintenance Mode password hash

      To get a hash string for a password, run this command in the Expert mode: grub2-mkpasswd-pbkdf2

    • Parameter

      Description

      Network setting

      A pre-existing Virtual Network and its subnets, or the name of a new Virtual Network and subnets, where the VMSS is deployed.

      Note:

      When you use a pre-existing subnet:

      • Make sure no other Virtual Machines are deployed in those subnets

      • Make sure to correctly define user-defined routes (UDR) for each subnet (see the Network Diagram section).

      • Make sure the NSG is associated with the frontend subnet that allows all inbound and outbound TCP and UDP traffic.

      Network Security Group

      The Network Security Group that you attach to the VNet.

    • Parameter

      Description

      Name, Value

      Azure tags to attach to the selected resources.

  6. Go to the Review+create tab, review the information, and click Create.

  7. After the deployment is complete:

    If you choose to register the Microsoft Entra ID application, assign a role to the application as described in Register a Microsoft Entra app and create a service principal. Give the VMSS, VNET, and the Frontend Load Balancer a minimum role of Reader.

    Alternatively, you can grant access to Azure VMSS resources based on IAM role. See Step 5: (Optional): Grant access to Azure resources based on IAM role for instructions.

For more information on Managed identities, see the Azure documentation overview.

Notes:

  • Newly provisioned Security Gateways automatically receive the latest published Security Policy. You have to install the policy on the existing Security Gateways to update their Security Policy.

  • Auto-Scaling Security Gateway objects are automatically created and deleted according to the current environment. Therefore, we do not recommend that you use specified objects in rules. In additions, we do not recommend that you manually edit those objects.

  • In the case of a scale-out event, the latest released Check Point image is used to deploy the new Virtual Machine.

  • During CloudGuard Network Security deployment in Azure, the system automatically creates a storage account with a name starting with "bootdiag" in the clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. resource group. This storage account enables serial console connections and provides access to boot logs for VMs. While you can safely modify the TLS version settings, deleting this storage account will result in the loss of serial console access and boot diagnostics services.

  • When you use the template version 20181017 or above:

      1. Fast Deployment Images (Blink) with a pre-installed Jumbo Hotfix AccumulatorClosed Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. is used.

      2. In the case of a scale-out event, the newer Virtual Machine uses the latest released Check Point image.

    For more information, see these SK articles:

    • CloudGuard for Azure Latest Updates - see sk132192.

    • Blink - Gaia Fast Deployment - see sk120193.

Step 5: (Optional): Grant access to Azure resources based on IAM role

Prerequisite: The Security Management Server was configured to use the system-managed identity on Step 3.

To configure IAM and assign a role for managed identity:

  1. Connect to portal.azure.com.

  2. Go to the VMSS resource group.

  3. Click Access control (IAM).

  4. Click +Add > Add role assignment. The Role Assignment screen opens.

  5. Choose the role definition (minimal permissions of "Reader" are required).

  6. Click Next to choose members to assign access to.

  7. Choose Managed identity.

  8. Click Select members. Select Managed Identities screen opens.

  9. Choose the Managed identity option and pick the Check Point Security Management Server VM.

  10. Click Select > Review + assign.

  11. Review the role and click Review + assign to grant access to the desired resource.

Step 6: Chaining external Load Balancers

After steps 1-5 are finished, CME provisions the CloudGuard Network Security Gateways (according to the "Initial number of Security Gateways" value in step 4). When the provisioning process is finished, you can chain your application to the Gateway Load Balancer.

You can chain these Azure resources to a Gateway Load Balancer:

  1. Standard Public Load Balancer frontend IP configuration

  2. Standard Public IP configuration

To enforce inbound & outbound inspection it is necessary to make sure:

  1. All traffic to/from your application is routed using the above resources.

  2. Each of the above resources is chained to the Gateway Load Balancer.

Chaining a Standard Pubic Load Balancer (external):

  1. From the Azure Portal, go to the Load Balancer you want to chain.

  2. Click on Frontend IP Configuration.

  3. In the Gateway Load Balancer section, select the Gateway Load Balancer created in step 4.

  4. Click Save.

Note - If the Load Balancer has more than one frontend IP Configuration (for example one for inbound and one for outbound), make sure to chain all of them.

Chaining a Virtual Machine with Standard Public IP:

  1. From the Azure Portal, go to the Public IP resource you want to chain.

  2. Click on properties.

  3. Click on the Network Interface below Associated to.

  4. Click on IP configuration.

  5. In the Gateway Load Balancer section, select the Gateway Load Balancer created in step 4.

  6. Click Save.

As your application is chained to the Gateway Load Balancer, all traffic to and from the application is inspected first by the CloudGuard Network Security Gateways.

Load Balancer notes:

  1. For Virtual Machines in a Load Balancer backend pool, outbound inspection is enforced only if they do not have a Public IP associated with them.

  2. Back end Pool Configuration - NIC (recommended by Azure).

  3. Load Balancing Rules outbound source network address translation (SNAT) options:

    Option Notes

    (Recommended) Use outbound rules to provide backend pool members access to the Internet

    Requires you to set an outbound rule. (Best practice).

    Use implicit outbound rule. This is not recommended because it can cause SNAT port exhaustion

    You use the frontend IP address of a load balancer for outbound and inbound and are more prone to connectivity failures from SNATClosed Source Network Address Translation (Source NAT). port exhaustion.

Step 7: Automatic Rule Placement (Optional)

As a part of each CloudGuard Network Security Gateway provisioning process, the Security Management Server creates automatic Access rules to allow tunnel traffic between the Gateway Load Balancer and the CloudGuard Network Security Gateway. By default the automatic Access rules are created at the top of the rulebase. Sometimes it is recommended to add the rules in a specific place in the policy rather than at the top.

You can achieve this by creating a section for these rules in SmartConsole, and specifying the section name in CME configuration. To do so, follow these steps:

  1. In SmartConsole, in the applicable Security Policy, create a New Section:

    1. To create a New Section, right-click below a rule number.

    1. Select Create New Section, click Below.

    1. Name the New Section and make sure to record the name.

  2. Connect to command line on the Security Management Server.

  3. Log in to the Expert mode.

  4. Run this command:

    autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -secn <SECTION-NAME>

  5. Replace <CONFIGURATION-TEMPLATE-NAME> with the name of the configuration template name used in Step 2: Install the Check Point Security Management Server (for example, my-configuration-template).

  6. Replace <SECTION-NAME> with the name of the section created in step 1.

If the section is specified in the configuration template, but not found in the rule baseClosed All rules configured in a given Security Policy. Synonym: Rulebase., the rules are added at the top by default.

Note - The changes above occur only for new VMSS instances. The existing rules stay the same.

Change section name:

To change the section in which new automatic Access rules are added, run:

autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -secn <SECTION-NAME>

Remove section name:

To add the new automatic Access rules to the top of the rulebase, run:

autoprov_cfg delete template -tn <CONFIGURATION-TEMPLATE-NAME> -secn