Scale In and Scale Out Events
Each VMSS must have Scale In and Scale Out events configured.
You can edit or see the configuration in Azure Portal > VMSS > Scaling.
Default triggers for the firewall VMSS:
- Scale Out when CPU usage exceeds 80%, averaged over five minutes.
- Scale In when CPU usage drops below 60%, averaged over five minutes.
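The two default triggers above, written out as the body of an Azure autoscale setting, together with a model of one evaluation cycle. This is an added example, not Check Point's or Microsoft's code. The subscription, resource group, VMSS name, region and cooldown value are assumptions; the scale-in projection models Azure Autoscale's documented flapping avoidance (it estimates the average load after removing one instance and skips the scale-in if that would immediately trip the scale-out rule), which is an assumption about how closely this matches the service's behaviour. The minimum of two instances is a design choice so that one gateway keeps serving while another is being replaced.

```python
"""Autoscale rules for the CloudGuard firewall VMSS and a model of how they are evaluated.

Added example (not Check Point or Microsoft code). All resource names are hypothetical.
"""
import json

SCALE_OUT_CPU = 80.0   # page default: scale out above 80% average CPU
SCALE_IN_CPU = 60.0    # page default: scale in below 60% average CPU
WINDOW = "PT5M"        # five-minute average, as on the page
# Assumption: a new gateway spends several minutes in the First Time Configuration
# Wizard, reboot, SIC initialization and policy install before it serves traffic,
# so the cooldown is set to cover that interval rather than Azure's 5-minute default.
COOLDOWN = "PT10M"


def cpu_rule(operator: str, threshold: float, direction: str, vmss_id: str) -> dict:
    """One Microsoft.Insights/autoscalesettings rule on the 'Percentage CPU' metric."""
    return {
        "metricTrigger": {
            "metricName": "Percentage CPU",
            "metricResourceUri": vmss_id,
            "timeGrain": "PT1M",
            "statistic": "Average",
            "timeWindow": WINDOW,
            "timeAggregation": "Average",
            "operator": operator,
            "threshold": threshold,
        },
        "scaleAction": {
            "direction": direction,
            "type": "ChangeCount",
            "value": "1",
            "cooldown": COOLDOWN,
        },
    }


def autoscale_setting(vmss_id: str, minimum: int = 2, maximum: int = 10,
                      location: str = "eastus") -> dict:
    """Request body for PUT .../Microsoft.Insights/autoscalesettings/{name}?api-version=2015-04-01.

    The 'location' default is an assumption; it must match the VMSS region.
    """
    if minimum < 1 or maximum < minimum:
        raise ValueError("capacity bounds must satisfy 1 <= minimum <= maximum")
    return {
        "location": location,
        "properties": {
            "enabled": True,
            "targetResourceUri": vmss_id,
            "profiles": [{
                "name": "cpu-default",
                "capacity": {"minimum": str(minimum), "maximum": str(maximum),
                             "default": str(minimum)},
                "rules": [
                    cpu_rule("GreaterThan", SCALE_OUT_CPU, "Increase", vmss_id),
                    cpu_rule("LessThan", SCALE_IN_CPU, "Decrease", vmss_id),
                ],
            }],
        },
    }


def decide(instances: int, avg_cpu: float, minimum: int = 2, maximum: int = 10) -> str:
    """Model of one evaluation cycle: returns 'out', 'in' or 'hold'.

    Flapping check (assumed to match Azure's documented behaviour): before scaling in,
    the current total load is spread over one fewer instance; if that projected
    average would exceed the scale-out threshold, the scale-in is skipped.
    """
    if avg_cpu > SCALE_OUT_CPU:
        return "out" if instances < maximum else "hold"
    if avg_cpu < SCALE_IN_CPU and instances > minimum:
        projected = avg_cpu * instances / (instances - 1)
        return "hold" if projected > SCALE_OUT_CPU else "in"
    return "hold"


if __name__ == "__main__":
    vmss = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "cp-rg/providers/Microsoft.Compute/virtualMachineScaleSets/cp-fw-vmss")  # hypothetical
    print(json.dumps(autoscale_setting(vmss), indent=2))
    for n, cpu in [(2, 85.0), (3, 55.0), (4, 50.0)]:
        print(f"{n} instances at {cpu}% CPU -> {decide(n, cpu)}")
```

The (3, 55.0) case is the one to notice: the five-minute average is below the 60% scale-in trigger, but removing one of three gateways would push the projected average to 82.5%, above the scale-out trigger, so the set holds instead of oscillating between two and three gateways, each round of which would cost another First Time Configuration Wizard run, reboot, SIC initialization and policy install.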
Scale Out
A scale-out event occurs when the load rises above the Scale Out threshold. When a scale-out event is triggered:
- Azure Autoscale launches one or more new instances of the Check Point CloudGuard Network Security Gateway.
- The new CloudGuard Network Security Gateway instances automatically run the Check Point First Time Configuration Wizard and then reboot.
During the scale-out, the Check Point Security Management Server detects that new instances of CloudGuard Network Security Gateways have launched. The Security Management Server waits until the CloudGuard Network Security Gateways finish deploying, and then automatically:
- Initializes a Secure Internal Communication (SIC) channel with these CloudGuard Network Security Gateways. SIC authenticates the gateways to the Management Server over SSL using certificates issued by the Management Server's Internal Certificate Authority (ICA).
- Adds two VXLAN interfaces (internal and external).
- Creates automatic Access Rules to allow tunnel traffic between the Gateway Load Balancer and the CloudGuard Network Security Gateways:
  Source: a host object that represents the Gateway Load Balancer Frontend IP
  Destination: CloudGuard Network Security Gateway
  Services & Applications: UDP services with the VXLAN tunnel interface port numbers (internal and external)
  Action: Accept
  Installed on: Policy Targets
  To control the location of the automatic Access Rules, see section Step 6: Automatic Rule Placement (Optional).
- Installs a Security Policy on these CloudGuard Network Security Gateways.
After a Security Policy installation, these CloudGuard Network Security Gateways start to respond to health probes. The Load Balancer then starts to forward new connections to them. The newly created CloudGuard Network Security Gateways report their status and send logs to the Check Point Security Management Server.
Note - For more information, see the related SK articles.
Components of the Check Point Deployed Solution
The diagram below depicts an Azure Virtual Network (VNET) with the Check Point solution deployed.
There is one user-deployed VNET, the Services VNET, with its own external Standard Load Balancer.
The Check Point deployed solution has these components:
- Security VNET
- Virtual Machine Scale Set (VMSS). The number of instances deployed in the Cloud is dynamic.
- Gateway Load Balancer
- VMSS subnet. You cannot deploy other VMs in the VMSS subnet.
- Public IP address for each VMSS instance (optional)