Additional Information

IPS Geo Protection Based on X-Forwarded-For HTTP Header

The IPSClosed Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). Geo protection filters and logs traffic based on the country, from each it arrives. This protection is applied to both the source address of the connection, as well as to any IPv4 address present in an 'X-Forwarded-For' HTTP header.

Notes:

  • The External Load Balancer does not hide the client's original IP address.

  • If an HTTP request goes through multiple proxies or Load Balancers, the X-Forwarded-For HTTP header is expected to contain multiple IP addresses.

  • All IPv4 addresses contained in the X-Forwarded-For HTTP header, are inspected by the IPS Geo protection.

  • Any IPv6 address in the X-Forwarded-For HTTP header is ignored.

For more information, see sk115532 on IPS Geo protection based on X-Forwarded-For HTTP header.

Use Case 1

  1. A user is located in Dallas (USA), and the client opens a direct connection to the External Load Balancer.

  2. The Load Balancer forwards the connection to one of the Check Point CloudGuard Network Security Gateways and leaves the source IP address unchanged.

  3. The IPS Geo protection on the CloudGuard Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. identifies the country of origin as the United States.

  4. The CloudGuard Security Gateway allows or drops the connection based on the policy.

Use Case 2

  1. A user is located in Dallas (USA), and the client opens a direct connection to the External Load Balancer.

    The Load Balancer forwards the UserA's connection to one of the Check Point CloudGuard Network Security Gateways and leaves the UserA's source IP address unchanged.

    The IPS Geo protection on the CloudGuard Security Gateway identifies the country of origin as the United States for the UserA's connection.

  2. UserB is also located in Dallas (USA), and the client uses a proxy server to connect to the External Load Balancer.

    The proxy adds an X-Forwarded-For HTTP header to the UserB's connection with the IP address of the UserB's client in Dallas.

    The Load Balancer forwards the connection to one of the Check Point CloudGuard Network Security Gateways.

    The IPS Geo protection on the CloudGuard Security Gateways identifies the country of origin as the United States for the UserB's connection.

  3. The CloudGuard Security Gateway allows or drops the connections based on the policy.

User Defined Routes

Route

Destination

Nexthop

Route Purpose

East-West

Entire VNET

Virtual appliance -

Internal Load Balancer's private IP address

Inspects all traffic that goes to other subnets in the VNET.

Note:

You can replace this one route for the entire VNET with multiple specific subnet routes.

Outbound

0.0.0.0/0

Virtual appliance -

Internal Load Balancer's private IP address

Inspects outbound traffic.

Note:

The destination address has not been identified by any instance during any route (such as inbound). Therefore, it is subject to inspection by the Check Point instances in the VNET.

Inbound

VMSS backend subnet

Virtual NetworkClosed Environment of logically connected Virtual Machines.

Sends inbound reply traffic to the original CloudGuard Security Gateway instance to enable inspection.

Note:

This enables the inbound traffic to go back to the CloudGuard Security Gateway that is involved in the inspection.

Intra-subnet

Subnet itself

Virtual Network

Sends in-subnet traffic directly to its destination without inspection by a CloudGuard Security Gateway. There is no micro-segmentation.

If the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. is in the VNET, make sure to have specific routes to allow traffic between the Management Server Virtual Machine and the VMSS instances.

Configuring the Load Balancer to Listen on Additional Ports

Step

Description

1

Go to the Azure portal.

2

Find the External Load Balancer.

The Load Balancer is in your Resource Group.

The Load Balancer name is frontend-lb

3

Configure a new Load Balancing RuleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.:

  1. From the Load Balancing Rules> Add.

  2. Give the rule a name.

    Example:

    vmss-app-1-tcp-443

  3. In the Frontend IP address field, select the pre-existing Frontend IP address.

  4. In the Protocol field, select TCP.

  5. In the Port field, select 443.

  6. In the Backend port field, select a high port.

    NOTE - These ports cannot be used: Ports defined in sk52421 (ports used by Check Point software), 32768 – 65535 as defined in sk162619 (FWD daemon listening on multiple random high ports), 444, 8082, and 8880.

  7. In the Backend pool field, select the pre-existing VMSS pool.

  8. In the Health probe, select the health probe.

    This is the probe that was created by default by the template (TCP, port 8117).

  9. Select the Session persistence.

  10. Set the Idle timeout.

  11. In the Floating IP field, use the same value used in Deploy the Load Balancer with floating IP from step 5.

  12. Click Add.

Configuring the Load Balancer to Listen on Additional Public IP Addresses

You can configure the VMSS to secure multiple web applications, each with its own IP address.

Step

Description

1

Go to the Azure portal.

2

Find the External Load Balancer.

The Load Balancer is in your Resource Group.

The Load Balancer name is frontend-lb

3

In the Azure portal, allocate a new public IP address.

  1. In the pane Go to Public IP addresses > Click Create.

  2. Add name of the IP. (For example: name-public-https)

  3. Resource group - put group of the VMSS.

  4. Click Create.

4

Configure the Frontend IP pool.

  1. Go to the Load Balancer.

  2. Click Frontend IP configuration > Add.

  3. Give the IP pool a name.

    Example:

    vmss-app-2

  4. Select the public IP address you created in Step 3.

  5. Click OK.

5

Configure a new Load Balancing Rule:

  1. Click Load Balancing Rules > Add.

  2. Give the rule a name.

    Example,

    vmss-app-2-tcp-80

  3. In the Frontend IP address field, select the newly created Frontend IP address.

  4. In the Protocol field, select TCP.

  5. In the Port field, select 80.

  6. In the Backend port field, select 8083.

  7. In the Backend pool field, select the pre-existing VMSS pool.

  8. In the Health probe field, select the health probe.

    This is the probe that was created by default by the template (TCP, port 8117).

  9. Select the Session persistence.

  10. Set the Idle timeout.

  11. In the Floating IP field, use the same value used in Deploy the Load Balancer with floating IP from step 5.

  12. Click Add

Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal'

You must create these Dynamic Objects in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.:

  • LocalGatewayExternal

  • LocalGatewayInternal

Procedure:

  1. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

  2. Enter this exact name (case-sensitive, no spaces):

    LocalGatewayExternal

  3. Click OK.

  4. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

  5. Enter this exact name (case-sensitive, no spaces):

    LocalGatewayInternal

  6. Click OK.

  7. Publish the SmartConsole session

Configuring HTTPS Inspection

Follow these steps to enable HTTPS InspectionClosed Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi..

Notes:

  • If you have an outbound CA certificate you can skip these steps. Otherwise, create one in "Creating an Outbound Certificate."

  • Only want inbound SSL inspection.

Creating an Outbound Certificate

Step Description
1 In SmartConsole, go to Policy > HTTPs policy.
2

Go to the Destination column, and edit the default rule to be Any.

3

Go to the Track column, and edit to Log.

4

Go to Gateways and Servers.

Open one of the VMSS instances you have.

5

Open HTTPs Inspection > Click Create Certificate.

6

Enter the information and click OK.

7

Click Enable HTTPs Inspection.

8

Publish the SmartConsole session.

9

Install policy.

Creating an HTTPS Inspection Rule to Inspect SSL Traffic

Step

Description

1

In SmartConsole, from the left navigation panel, click Manage & Settings.

2

From the left tree, click Blades.

3

In the HTTPS Inspection section, click Configure in SmartConsole.

4

From the left tree, click Gateways.

5

At the bottom of the page, click Create Certificate.

6

Enter the information and click OK.

7

From the left tree, click Server Certificates.

8

Enter the information and click OK.

9

From the left tree, click Policy.

10

Add this rule:

  • Source - Any

  • Destination - Any (do not use the Internet object)

  • Service - The HTTPS service you created

  • Action - Inspect

  • Certificate - The certificate you created

11

Save the changes:

Click Menu > File > Save.

12

Close the SmartConsole.

13

Publish the SmartConsole session

Downloading and Installing the Latest CME (Cloud Management Extension) Version

To download and install the CME (Cloud Management Extension) on the Management Server or Multi-Domain ServerClosed Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., see sk157492.

Configuring the Cloud Management Extension (CME) on the Security Management Server

The instructions below contain information about how to configure a VMSS environment in CME. For more information about CME configurations, see the "Overview" section in the Cloud Management Extension Administration Guide.

Step

Description

1

Connect to the command line on the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

2

Log in to the Expert mode.

3

Execute this command (see the explanation of parameters):

Run:

autoprov_cfg init Azure -mn "<Management-Name>" -tn "<Configuration-Template-Name>" -otp "<SIC-key>" -ver <Version> -po "<Policy-Name>" -cn "<Controller-Name>" -sb "<Azure-Subscription>" -at "<Active-Directory-Tenant-ID>" -aci "<Client-ID>" -acs "<Client-Secret>"

Example:

autoprov_cfg init Azure -mn "my-management" -tn "my-configuration-template" -otp "MySICkey123" -ver R81.20 -po "Standard" -cn "Azure-Production" -sb "98e34f37-ece4-4cdc-97dc-44a074f84aff" -at "7113cebb-911c-4122-aa5c-34db449380f7" -aci "82fb1445-f40e-46dc-9cd3-c065e14f132b" -acs "xxx="

4

When this message shows, type yes and press Enter to apply the modifications:

Would you like to restart the service now?

5

Confirm the configuration:

service cme test

Every controller in the configuration has to have unique credentials.

6

Follow the instructions in the Enabling and Disabling Software Blades section in the Cloud Management Extension Administration Guide.

Important - The exact values that you select, must be typed exactly when you deploy the VMSS. Make sure to write them down and enter them correctly. Otherwise, the components cannot communicate with each other.

Parameter

Description

Example

"<Management-Name>"

Select a descriptive name.

When you deploy the Check PointVMSS with this name, the Check PointSecurity Management Server identifies and automatically provisions it.

"my-management"

"<Configuration-Template-Name>"

Configurations that automatically provision the Security Gateways in the VMSS are found in this template.

When you deploy the Check PointVMSS with this template name, it references the relevant set of configurations to apply to it.

Therefore, you can maintain multiple sets of configurations and associate them with different VMSS that are managed by the Security Management Server.

"my-configuration-template-for-x"

"<SIC-key>"

Select a random key that has at least 8 alphanumeric characters.

"MySICkey123"

<Version>

The Security Gateway version. One of these:

  • R81.20

  • R81.10

  • R81

R81.20

"<Policy-Name>"

The name of the policy to install.

The name of this policy has to be the exact same name of the policy in SmartConsole.

"Standard"

"<Controller-Name>"

Select a name that represents the controller.

The controller name includes configurations for your Azure environment, such as the subscription ID and application ID.

You can maintain different controllers to automatically provision different Cloud environments, with the Security Management Server.

"Azure-Production"

"<Azure-Subscription>"

The Azure subscription ID that deploys the CloudGuard Security Gateways.

"98e34f37-ece4-4cdc-97dc-44a074f84aff"

"<Active-Directory-Tenant-ID>"

The Azure directory tenant ID.

"7113cebb-911c-4122-aa5c-34db449380f7"

"<Client-ID>"

The application ID.

"82fb1445-f40e-46dc-9cd3-c065e14f132b"

"<Client-Secret>"

The application key.

Note - This value is not readable in the configuration.

 

Deploying a Security Management Server in Azure

Item

Description

1

From the Azure Marketplace, deploy this solution to create a Check Point Security Management Server:

Check Point Security Management Server.

2

Select the Check Point Security Management software plan.

Important - It must be R81 and above.

Use these parameters:

  • Server name - The name of the Security Management Server.

  • Credentials - The SSH public key, or the SSH password to manage the server.

  • Subscription - The Azure subscription, where the servers are deployed.

  • Resource Group - The name of the Resource Group, where the server is deployed.

  • Location - The Azure location, where the server is deployed.

  • Network setting - A pre-existing Virtual Network and its subnets, or a name of a new Virtual Network and subnets, where the server is deployed.

  • Virtual Machine size - The size of the Security Management Server Virtual Machine.

  • Storage setting - The name of an existing or new storage account that the Security Management Server uses.

  • Allowed GUI clients - IP addresses (in CIDR notation) of the allowed SmartConsole, GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Portal and SSH clients.

3

This template deploys the Management Server in the selected subnet.

When the management instance starts, it automatically executes its own Gaia First Time Configuration Wizard.

This can take up to 30 minutes.

4

Do the instructions in Step 3: Configure the Check Point Security Management Server.