Azure Virtual WAN

You can configure your Network Virtual Appliance (NVA) Security Gateways in the Security Management Server with CME.

For more information, see the Azure Virtual WAN Deployment Guide > Deploying new CloudGuard Network Security NVA.

Configure the NVA

Configuring the NVA with CME API (recommended)

The Azure Virtual WAN NVA Provision API enables asynchronous provisioning of Azure Virtual WAN NVA Security Gateways on a Check Point Security Management Server, Multi-Domain Security Management Server, or Smart-1 Cloud Management Server.

Prerequisites:

  • A Security Management Server or Multi-Domain Security Management Server with CME Take 288 or higher, with a valid license.

  • An Azure account, configured in CME, with the Reader role on the NVA's resource group.

API Documentation:

To provision NVA Security Gateways with the CME API:

Send a POST request:

POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.1/azure/virtualWANs/accounts/<account_id>/resourceGroups/<nva_resource_group>/provision/<nva_name>

This asynchronous operation returns a request_id to track progress.

You check progress using a separate GET request:

GET https://<Management_IP_address>/web_api/cme-api/status/<request_id>

Note - If a failure occurs, the response to this GET request includes the cause of the failure and steps to resolve the issue. After resolving the error, submit the POST request again to provision NVA Security Gateways.

Required URL parameters:

  • account_id - The name of the Azure account, as configured in CME, that has permission to retrieve the NVA object from Azure.

  • nva_resource_group - The NVA resource group name. To find it:

    1. In the Azure portal, go to your Virtual WAN resource.

    2. Enter the Hub.

    3. Enter the Network Virtual Appliance.

    4. Go to NVA configurations > Manage Configurations.

    5. Copy the Resource Group name value (for example: mrg-cp-vwan-****).

  • nva_name - The NVA name. To find it:

    1. In the Azure portal, go to your Virtual WAN resource.

    2. Enter the Hub.

    3. Enter the Network Virtual Appliance and copy the Check Point NVA name.

Request body parameters:

  • base64_sic_key - Base64-encoded SIC (Secure Internal Communication) key; the new Security Gateways use it to establish trust with the Security Management Server.

  • policy - The name of an existing policy package to install on the Security Gateways.

  • autonomous_threat_prevention - true to enable the Autonomous Threat Prevention blade, false to leave it disabled.

  • identity_awareness - true to enable the Identity Awareness blade, false to leave it disabled.

Examples:

POST request - provisioning:

URL: https://1.1.1.1/web_api/v1.8/cme-api/v1.2.1/azure/virtualWANs/accounts/myAzureAccount/resourceGroups/mrg-vwan-managed-app-preview-20241023102906/provision/myNVA

Body:

{
    "base64_sic_key": "MTIzNDU2Nzg=",
    "policy": "Standard",
    "autonomous_threat_prevention": true,
    "identity_awareness": true
}

Response:

{
    "result": {
        "request-id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
    },
    "error": {},
    "status-code": 200
}

GET request - tracking progress:

URL: https://1.1.1.1/web_api/v1.8/cme-api/status/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa

Response:

{
    "result": {
        "requestId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "requestStatus": "Success",
        "result": "Successfully provisioned Azure vWAN NVA myNVA gateways"
    },
    "error": {},
    "status-code": 200
}

Limitations:

  1. The CME API is not supported in Azure Government and Azure China regions.

  2. After you activate the Autonomous Threat Prevention and Identity Awareness blades with the CME API, you cannot deactivate them by running the API again with the value false.

  3. The combined length of the account_id, nva_resource_group and nva_name parameters must be less than 99 characters.
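The provisioning flow above (POST the request, then poll the status endpoint until it completes), as an added example that is not part of Check Point's documentation or code. It assumes the Management API login at /web_api/login with an "api-key" body and the X-chkp-sid session header, that the CME API endpoints on the management server accept that header, and that a failed request reports a requestStatus containing "fail" or "error" (the page documents only "Success"). The transport is injectable, so the demo runs offline against a constructed stand-in that replays the page's example responses; point it at https_transport to talk to a real server.

```python
"""Provision Azure Virtual WAN NVA Security Gateways through the CME API.

Added example; not Check Point's code. Assumes the Management API login
(POST /web_api/login with "api-key") and the X-chkp-sid session header.
"""
import base64
import json
import time
import urllib.request
from typing import Callable, Optional

MAX_PATH_PARAMS_LEN = 99   # documented: account_id + nva_resource_group + nva_name < 99 chars
TERMINAL_FAILURE_WORDS = ("fail", "error")   # assumption: failure status values contain one of these


def https_transport(method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
    """Send a JSON request over HTTPS and decode the JSON reply. Certificate verification
    stays on: add the management server's CA to the trust store rather than disabling it."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def provision_url(mgmt_ip: str, account_id: str, resource_group: str, nva_name: str) -> str:
    """Build the provision URL, refusing parameter sets the API would reject for length."""
    total = len(account_id) + len(resource_group) + len(nva_name)
    if total >= MAX_PATH_PARAMS_LEN:
        raise ValueError(f"URL parameters total {total} chars; must be below {MAX_PATH_PARAMS_LEN}")
    return (f"https://{mgmt_ip}/web_api/v1.8/cme-api/v1.2.1/azure/virtualWANs/accounts/"
            f"{account_id}/resourceGroups/{resource_group}/provision/{nva_name}")


def status_url(mgmt_ip: str, request_id: str) -> str:
    return f"https://{mgmt_ip}/web_api/v1.8/cme-api/status/{request_id}"


def provision_body(sic_key: str, policy: str, threat_prevention: bool = True,
                   identity_awareness: bool = True) -> dict:
    """Encode the one-time SIC key as base64, as the API expects ("12345678" -> "MTIzNDU2Nzg=")."""
    return {"base64_sic_key": base64.b64encode(sic_key.encode()).decode(),
            "policy": policy,
            "autonomous_threat_prevention": threat_prevention,
            "identity_awareness": identity_awareness}


def login(send: Callable, mgmt_ip: str, api_key: str) -> str:
    """Open a Management API session and return its sid."""
    resp = send("POST", f"https://{mgmt_ip}/web_api/login", {}, {"api-key": api_key})
    return resp["sid"]


def provision(send: Callable, mgmt_ip: str, sid: str, account_id: str, resource_group: str,
              nva_name: str, body: dict, poll_interval: float = 10, max_polls: int = 90) -> str:
    """POST the provision request, then poll the status endpoint until it finishes."""
    headers = {"X-chkp-sid": sid}
    resp = send("POST", provision_url(mgmt_ip, account_id, resource_group, nva_name), headers, body)
    if resp.get("status-code") != 200 or resp.get("error"):
        raise RuntimeError(f"provision request rejected: {resp.get('error')}")
    request_id = resp["result"]["request-id"]
    for _ in range(max_polls):
        status = send("GET", status_url(mgmt_ip, request_id), headers, None)["result"]
        state = str(status.get("requestStatus", ""))
        if state == "Success":
            return status["result"]
        if any(word in state.lower() for word in TERMINAL_FAILURE_WORDS):
            # The status body carries the cause and the remediation steps; surface them.
            raise RuntimeError(f"provisioning {state}: {status.get('result')}")
        time.sleep(poll_interval)
    raise TimeoutError(f"request {request_id} still running after {max_polls} polls")


def fake_transport(method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
    """Constructed stand-in for the management server; replays the page's example replies."""
    if url.endswith("/web_api/login"):
        return {"sid": "constructed-session-id"}
    assert headers.get("X-chkp-sid") == "constructed-session-id", "session header missing"
    if "/provision/" in url and method == "POST":
        assert body["base64_sic_key"] == "MTIzNDU2Nzg="
        return {"result": {"request-id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
                "error": {}, "status-code": 200}
    if "/cme-api/status/" in url and method == "GET":
        return {"result": {"requestId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
                           "requestStatus": "Success",
                           "result": "Successfully provisioned Azure vWAN NVA myNVA gateways"},
                "error": {}, "status-code": 200}
    raise ValueError(f"unexpected call {method} {url}")


def run_demo(send: Callable = fake_transport) -> str:
    """Log in, provision the page's example NVA, and return the final status text."""
    mgmt_ip = "1.1.1.1"
    sid = login(send, mgmt_ip, api_key="constructed-api-key")
    body = provision_body("12345678", "Standard")
    return provision(send, mgmt_ip, sid, "myAzureAccount",
                     "mrg-vwan-managed-app-preview-20241023102906", "myNVA", body, poll_interval=0)


if __name__ == "__main__":
    print(run_demo())
```

The SIC key is sent only once, inside the POST body over TLS; keep it out of shell history and logs, and treat the api-key with the same care as an administrator password.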

Configure Ingress Rules for the NVA

Configuring ingress rules with CME API (recommended)

The Azure Virtual WAN NVA Ingress API enables asynchronous configuration of ingress rules. The API creates and manages the Network Security Group and Load Balancer rules on the Azure side; the matching access and NAT rules on the Security Management Server you add manually (see Configure Access and NAT Rules below).

Requirements:

  • A Security Management Server or Multi-Domain Security Management Server with CME Take 288 or higher, with a valid license.

  • A CME account whose service principal has:

    • The Reader and Network Contributor roles on the NVA's managed resource group.

    • The Reader role on the relevant public IP addresses (or on their resource group).

  • An NVA configured on the Security Management Server.

  • At least one public IP address attached to the NVA.

API Documentation:

Adding Ingress Rules

To add ingress rules with the CME API:

Send a POST request:

POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.1/azure/virtualWANs/accounts/<account_id>/resourceGroups/<nva_resource_group>/inboundRules/<nva_name>

This asynchronous operation returns a request_id to track progress.

Note - You can add multiple rules in one request (see the example below).

You check progress using a separate GET request:

GET https://<Management_IP>/web_api/cme-api/status/<request_id>

Note - If a failure occurs, the response to this GET request includes the cause of the failure and steps to resolve the issue. After resolving the error, submit the POST request again to create the ingress rules.

Required URL parameters:

  • account_id - The Azure account, as configured in CME, with the permissions listed in Requirements above.

  • nva_resource_group - The NVA resource group name. To find it:

    1. In the Azure portal, go to your Virtual WAN resource.

    2. Enter the Hub.

    3. Enter the Network Virtual Appliance.

    4. Go to NVA configurations > Manage Configurations.

    5. Copy the Resource Group name value (for example: mrg-cp-vwan-****).

  • nva_name - The NVA name. To find it:

    1. In the Azure portal, go to your Virtual WAN resource.

    2. Enter the Hub.

    3. Enter the Network Virtual Appliance and copy the Check Point NVA name.

Rule parameters:

  • name - Unique rule identifier.

  • original_source - The source of the traffic (IP address).

  • lb_public_ips - Load Balancer public IP addresses attached to the NVA. To find them:

    1. In the Azure portal, go to your Virtual WAN resource.

    2. Enter the Hub.

    3. Enter the Network Virtual Appliance.

    4. Go to NVA configurations > Manage Configurations.

    5. In the tree at the left, click Internet Inbound.

    6. Copy the relevant IP addresses.

  • original_ports - Ports to accept traffic on; each entry is a single port or a range (for example, 80-85).

  • protocol - TCP or UDP.

Configure Access and NAT Rules

To enable ingress traffic, in addition to the Azure-side rules that the CME API creates, you must manually add the corresponding access rule and NAT rule on the Security Management Server.

Access rule settings:

  • Source - Matches the original_source parameter value from the CME API request.

  • Destination - Matches the lb_public_ips parameter value from the CME API request.

  • VPN - Any

  • Services & Applications - Matches the original_ports and protocol parameter values from the CME API request.

  • Action - Accept

  • Track - Log

  • Install On - NVA Instances

NAT rule settings:

  • Original Source - Matches the original_source parameter value from the CME API request.

  • Original Destination - Matches the lb_public_ips parameter value from the CME API request.

  • Original Services - Matches the original_ports and protocol parameter values from the CME API request.

  • Translated Source - LocalGatewayInternal (NAT method: Hide)

  • Translated Destination - The internal Application Gateway frontend private IP address.

  • Translated Services - A listener port and protocol.

  • Installed On - NVA Instances
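Deriving the access rule and NAT rules from an ingress rule, as an added example that is not Check Point's code. Instead of SmartConsole clicks it emits Management API request bodies: the command names add-host, add-service-tcp, add-service-udp, add-access-rule, add-nat-rule and publish are the Management API's, while the access layer name Network, the gateway group NVA Instances, the object name LocalGatewayInternal, the appgw-internal-frontend host, the policy package, the object naming scheme and the sample rule are assumptions for this deployment. Each (command, body) pair is sent as POST https://<Management_IP_address>/web_api/<command> with the X-chkp-sid header, in the order returned.

```python
"""Management API requests for the access rule and NAT rules that pair with a CME ingress rule.

Added example; not Check Point's code. Layer, group, object and package names are assumptions.
"""


def proto(rule: dict) -> str:
    return rule["protocol"].lower()          # "tcp" or "udp"


def svc_name(rule: dict, port: str) -> str:
    return f"{proto(rule)}_{port}"            # e.g. tcp_80-85 for a range entry


def object_requests(rule: dict) -> list:
    """Host and service objects both rules reference (create once, then reuse by name)."""
    reqs = [("add-host", {"name": f"src-{rule['original_source']}",
                          "ip-address": rule["original_source"]})]
    reqs += [("add-host", {"name": f"lb-{ip}", "ip-address": ip}) for ip in rule["lb_public_ips"]]
    # Each port entry ("443" or "80-85") becomes one service object with that port or range.
    reqs += [(f"add-service-{proto(rule)}", {"name": svc_name(rule, p), "port": p})
             for p in rule["original_ports"]]
    return reqs


def access_rule_request(rule: dict, layer: str = "Network") -> tuple:
    """Source, destination and service mirror the ingress rule; VPN stays at its default (Any)."""
    return ("add-access-rule", {
        "layer": layer, "position": "top", "name": f"ingress-{rule['name']}",
        "source": [f"src-{rule['original_source']}"],
        "destination": [f"lb-{ip}" for ip in rule["lb_public_ips"]],
        "service": [svc_name(rule, p) for p in rule["original_ports"]],
        "action": "Accept", "track": {"type": "Log"},
        "install-on": ["NVA Instances"]})


def nat_rule_requests(rule: dict, package: str, listener: str) -> list:
    """One hide-NAT rule per (public IP, port entry): the source is hidden behind
    LocalGatewayInternal, the destination rewritten to the internal Application Gateway
    frontend, and the service rewritten to its listener."""
    reqs = []
    for ip in rule["lb_public_ips"]:
        for p in rule["original_ports"]:
            reqs.append(("add-nat-rule", {
                "package": package, "position": "top",
                "original-source": f"src-{rule['original_source']}",
                "original-destination": f"lb-{ip}",
                "original-service": svc_name(rule, p),
                "translated-source": "LocalGatewayInternal",
                "translated-destination": "appgw-internal-frontend",
                "translated-service": listener,
                "method": "hide",
                "install-on": ["NVA Instances"]}))
    return reqs


def plan(rule: dict, package: str, appgw_ip: str, listener_port: int) -> list:
    """Ordered request list: objects, access rule, NAT rules, publish."""
    listener = f"{proto(rule)}_{listener_port}"
    reqs = object_requests(rule)
    reqs.append(("add-host", {"name": "appgw-internal-frontend", "ip-address": appgw_ip}))
    reqs.append((f"add-service-{proto(rule)}", {"name": listener, "port": str(listener_port)}))
    reqs.append(access_rule_request(rule))
    reqs += nat_rule_requests(rule, package, listener)
    reqs.append(("publish", {}))
    return reqs


# Constructed sample ingress rule (documentation address ranges, not a real deployment).
EXAMPLE_RULE = {"name": "Rule1", "original_source": "10.0.0.0",
                "lb_public_ips": ["203.0.113.10", "203.0.113.11"],
                "original_ports": ["80-85", "443"], "protocol": "TCP"}


if __name__ == "__main__":
    for command, body in plan(EXAMPLE_RULE, "Standard", "10.1.2.4", 8080):
        print(command, body)
```

Publish before installing the policy; the install itself is a separate install-policy call (or a SmartConsole action) on the NVA gateways.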

Modifying Ingress Rules

To modify ingress rules with the CME API:

Send the same POST request you used for adding new ingress rules.

Important - This request replaces all existing rules for the NVA. To add rules without deleting the current ones, include all rules (current and new) in the request body.

Update the access and NAT rules on the Security Management Server accordingly.

Deleting Ingress Rules

To delete ingress rules with the CME API:

Send a DELETE request:

DELETE https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.1/azure/virtualWANs/accounts/<account_id>/resourceGroups/<nva_resource_group>/inboundRules/<nva_name>

Important - This deletes all rules associated with the NVA.

This asynchronous operation returns a request_id to track progress.

Viewing Ingress Rules

To view ingress rules with the CME API:

Send a GET request:

GET https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.1/azure/virtualWANs/accounts/<account_id>/resourceGroups/<nva_resource_group>/inboundRules/<nva_name>

This operation returns a list of ingress rules with their status.

Examples:

POST request - adding rules:

URL: https://1.1.1.1/web_api/v1.8/cme-api/v1.2.1/azure/virtualWANs/accounts/myAzureAccount/resourceGroups/mrg-vwan-managed-app-preview-20241023102906/inboundRules/myNVA

Body:

{
    "rules": [
        {
            "name": "Rule1",
            "original_source": "10.0.0.0",
            "lb_public_ips": [
                "lb_public_ip_1",
                "lb_public_ip_2"
            ],
            "original_ports": [
                "80-85"
            ],
            "protocol": "TCP"
        }
    ]
}

Response:

{
    "result": {
        "request-id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
    },
    "error": {},
    "status-code": 200
}

GET request - tracking progress:

URL: https://1.1.1.1/web_api/v1.8/cme-api/status/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa

Response:

{
    "result": {
        "requestId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "requestStatus": "Success",
        "result": "Successfully added Azure vWAN ingress rules."
    },
    "error": {},
    "status-code": 200
}

GET request - viewing ingress rules:

URL: https://1.1.1.1/web_api/v1.8/cme-api/v1.2.1/azure/virtualWANs/accounts/myAzureAccount/resourceGroups/mrg-vwan-managed-app-preview-20241023102906/inboundRules/myNVA

Response:

{
    "result": {
        "rules": [
            {
                "lb_public_ips": [
                    "lb_public_ip_1",
                    "lb_public_ip_2"
                ],
                "name": "Rule1",
                "original_ports": [
                    "80-85"
                ],
                "original_source": "10.0.0.0",
                "protocol": "TCP"
            }
        ],
        "status": "Succeeded"
    },
    "error": {},
    "status-code": 200
}

Access rule and NAT rule for this example: configure them with the settings listed in Configure Access and NAT Rules above.

System Limitations

  • The CME API is not supported in Azure Government and Azure China regions.

  • Maximum 600 public IP addresses for load balancing per NVA.

  • Maximum 300 ports per Load Balancer public IP address.

  • Maximum 1,500 ports in total across all rules of an NVA.
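Adding ingress rules safely, given that the POST replaces the whole rule set and that the limits above apply, as an added example that is not Check Point's code. It reads the current rules with the GET endpoint, merges the new ones in, checks the limits locally (assumption: each public IP is charged the ports of every rule that names it, and overlapping ranges are counted twice, which is the conservative reading of the limits), and only then POSTs. It assumes the X-chkp-sid session header from a prior /web_api/login and port entries of the form "443" or "80-85". The transport is injectable; the demo uses a constructed stand-in that replays the page's example replies, and the returned request-id is tracked with GET /web_api/v1.8/cme-api/status/<request_id> as shown above.

```python
"""Add Azure Virtual WAN NVA ingress rules through the CME API without dropping existing rules.

Added example; not Check Point's code. Assumes the X-chkp-sid session header and
port entries of the form "443" or "80-85".
"""
from typing import Callable, Optional

MAX_PUBLIC_IPS_PER_NVA = 600
MAX_PORTS_PER_PUBLIC_IP = 300
MAX_TOTAL_PORTS = 1500
REQUEST_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"   # the page's example id, replayed by the fake server


def port_count(ports: list) -> int:
    """Number of ports covered by entries such as "443" or "80-85"."""
    total = 0
    for entry in ports:
        lo, _, hi = str(entry).partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 < lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port entry {entry!r}")
        total += hi_i - lo_i + 1
    return total


def validate_rules(rules: list) -> list:
    """Reject rule sets that the API would refuse; returns the rules unchanged."""
    names = [r["name"] for r in rules]
    if len(set(names)) != len(names):
        raise ValueError("rule names must be unique")
    if any(r["protocol"] not in ("TCP", "UDP") for r in rules):
        raise ValueError("protocol must be TCP or UDP")
    per_ip: dict = {}      # assumption: ports of every rule naming an IP count against that IP
    total = 0
    for r in rules:
        n = port_count(r["original_ports"])
        total += n
        for ip in r["lb_public_ips"]:
            per_ip[ip] = per_ip.get(ip, 0) + n
    if len(per_ip) > MAX_PUBLIC_IPS_PER_NVA:
        raise ValueError(f"{len(per_ip)} public IPs exceeds {MAX_PUBLIC_IPS_PER_NVA}")
    over = [ip for ip, n in per_ip.items() if n > MAX_PORTS_PER_PUBLIC_IP]
    if over:
        raise ValueError(f"more than {MAX_PORTS_PER_PUBLIC_IP} ports on {over}")
    if total > MAX_TOTAL_PORTS:
        raise ValueError(f"{total} ports across all rules exceeds {MAX_TOTAL_PORTS}")
    return rules


def inbound_rules_url(mgmt_ip: str, account_id: str, resource_group: str, nva_name: str) -> str:
    return (f"https://{mgmt_ip}/web_api/v1.8/cme-api/v1.2.1/azure/virtualWANs/accounts/"
            f"{account_id}/resourceGroups/{resource_group}/inboundRules/{nva_name}")


def merge_rules(existing: list, new: list) -> list:
    """POST replaces the whole rule set, so carry the current rules over.
    A new rule with an existing name replaces the old definition."""
    merged = {r["name"]: r for r in existing}
    merged.update({r["name"]: r for r in new})
    return list(merged.values())


def add_ingress_rules(send: Callable, mgmt_ip: str, sid: str, account_id: str,
                      resource_group: str, nva_name: str, new_rules: list) -> tuple:
    """GET the current rules, merge, validate, POST; returns (request-id, rules sent)."""
    headers = {"X-chkp-sid": sid}
    url = inbound_rules_url(mgmt_ip, account_id, resource_group, nva_name)
    current = send("GET", url, headers, None)["result"].get("rules", [])
    rules = validate_rules(merge_rules(current, new_rules))
    resp = send("POST", url, headers, {"rules": rules})
    if resp.get("status-code") != 200 or resp.get("error"):
        raise RuntimeError(f"ingress rule update rejected: {resp.get('error')}")
    return resp["result"]["request-id"], rules


def fake_transport(method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
    """Constructed stand-in for the management server; replays the page's example replies."""
    assert headers.get("X-chkp-sid") == "constructed-session-id", "session header missing"
    if method == "GET":
        return {"result": {"rules": [{"name": "Rule1", "original_source": "10.0.0.0",
                                      "lb_public_ips": ["lb_public_ip_1", "lb_public_ip_2"],
                                      "original_ports": ["80-85"], "protocol": "TCP"}],
                           "status": "Succeeded"}, "error": {}, "status-code": 200}
    validate_rules(body["rules"])   # the fake refuses what the real server would refuse
    return {"result": {"request-id": REQUEST_ID}, "error": {}, "status-code": 200}


def run_demo(send: Callable = fake_transport) -> tuple:
    """Add a UDP rule while keeping Rule1 from the page's example."""
    new_rule = {"name": "Rule2", "original_source": "198.51.100.7",
                "lb_public_ips": ["lb_public_ip_1"], "original_ports": ["53"], "protocol": "UDP"}
    return add_ingress_rules(send, "1.1.1.1", "constructed-session-id", "myAzureAccount",
                             "mrg-vwan-managed-app-preview-20241023102906", "myNVA", [new_rule])


if __name__ == "__main__":
    request_id, rules = run_demo()
    print(request_id, [r["name"] for r in rules])
```

Because the GET and POST are not one atomic step, run this from a single automation owner (or serialize it) so two concurrent updates cannot read the same rule set and overwrite each other's additions.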