Azure Virtual WAN
You can configure your Network Virtual Appliance (NVA) Security Gateways in the Security Management Server with CME. An NVA is a resource deployed in the Azure Virtual Hub that contains the Security Gateways and other networking infrastructure.
For more information, see the Azure Virtual WAN Deployment Guide > Deploying new CloudGuard Network Security NVA.
Configure the NVA
Configuring the NVA with CME API (recommended)
The Azure Virtual WAN NVA Provision API enables asynchronous provisioning of Azure Virtual WAN NVA Security Gateways on a Security Management Server, a Multi-Domain Security Management Server, or a Smart-1 Cloud Management Server.
Prerequisites:
- A Security Management Server or Multi-Domain Security Management Server with CME Take 288 and higher, with a valid license.
- An Azure account, configured in the CME configuration, with the Reader permission on the NVA's resource group.
API Documentation:
- SwaggerHub: Azure Virtual WAN
- Postman Collection: CME API Postman collection
To provision NVA Security Gateways with the CME API:
Send a POST request:
POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.1/azure/virtualWANs/accounts/<account_id>/resourceGroups/<nva_resource_group>/provision/<nva_name>
This asynchronous operation returns a request_id that you use to track progress.
Check progress with a separate GET request:
GET https://<Management_IP_address>/web_api/cme-api/status/<request_id>
Note - If a failure occurs, the response to this GET request includes the cause of the failure and the steps to resolve it. After you resolve the error, submit the POST request again to provision the NVA Security Gateways.
Required URL parameters (the placeholders in the request URL above):
Parameter Name | Description
---|---
account_id | The Azure account (as configured in CME) with the permissions to retrieve the NVA object from Azure.
nva_resource_group | The NVA resource group name.
nva_name | The NVA name.
Request body parameters (see the SwaggerHub documentation above for the exact field names):
- The SIC (Secure Internal Communication) key that the new gateways use to establish trust with the Security Management Server, base64-encoded. SIC is the certificate-based mechanism with which Check Point components authenticate each other over SSL.
- The name of an existing policy package to install on the Security Gateways.
- Enable/disable the Autonomous Threat Prevention blade.
- Enable/disable the Identity Awareness blade (enforces network access based on the identity of the user and the computer, not only on network location).
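As an added example (not Check Point's code and not taken from this page), the following Python client performs the provisioning flow described above: it builds the POST URL from the path placeholders, base64-encodes the SIC key as the page requires, sends the request, and polls the status URL until the request completes or fails. Assumptions: the JSON field names sic_key, policy, atp and identity_awareness (the page gives descriptions only; check the SwaggerHub schema), the status values "completed" and "failed", and that the endpoint is called inside a standard Management API session (login through /web_api/login, session id in the X-chkp-sid header). FakeTransport is a constructed stand-in so the flow can run offline.

```python
"""Provision an Azure Virtual WAN NVA through the CME API and poll the status
endpoint until the asynchronous request finishes. Added example; not Check
Point code. Field names and status vocabulary are ASSUMED (see lead-in)."""
import base64
import json
import ssl
import time
import urllib.request

API_VERSION = "v1.8"    # web_api version used in the page's URLs
CME_VERSION = "v1.2.1"  # cme-api version used in the page's URLs


class ProvisionError(RuntimeError):
    """Raised when the status endpoint reports that the request failed."""


def provision_url(mgmt_ip, account_id, resource_group, nva_name):
    return (f"https://{mgmt_ip}/web_api/{API_VERSION}/cme-api/{CME_VERSION}"
            f"/azure/virtualWANs/accounts/{account_id}"
            f"/resourceGroups/{resource_group}/provision/{nva_name}")


def status_url(mgmt_ip, request_id):
    return f"https://{mgmt_ip}/web_api/cme-api/status/{request_id}"


def provision_body(sic_key, policy, atp=True, identity_awareness=False):
    """Request body. The page says the SIC key is base64-encoded; the JSON
    field names are ASSUMED (the page lists descriptions only)."""
    return {
        "sic_key": base64.b64encode(sic_key.encode("utf-8")).decode("ascii"),
        "policy": policy,
        "atp": atp,
        "identity_awareness": identity_awareness,
    }


class HttpTransport:
    """Real transport: a Management API session (X-chkp-sid header) verified
    against a pinned CA bundle instead of disabling certificate checks."""

    def __init__(self, mgmt_ip, user, password, ca_file):
        self.ctx = ssl.create_default_context(cafile=ca_file)
        self.sid = None
        login = self.post(f"https://{mgmt_ip}/web_api/login",
                          {"user": user, "password": password})
        self.sid = login["sid"]

    def _call(self, method, url, body=None):
        data = json.dumps(body).encode("utf-8") if body is not None else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        if self.sid:
            req.add_header("X-chkp-sid", self.sid)
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def post(self, url, body):
        return self._call("POST", url, body)

    def get(self, url):
        return self._call("GET", url)


class FakeTransport:
    """Constructed stand-in that replays canned replies (offline use only)."""

    def __init__(self, post_response, get_responses):
        self.post_response = post_response
        self.get_responses = list(get_responses)
        self.posted = []
        self.get_calls = 0

    def post(self, url, body):
        self.posted.append((url, body))
        return self.post_response

    def get(self, url):
        self.get_calls += 1
        return self.get_responses.pop(0)


def provision_and_wait(transport, mgmt_ip, account_id, resource_group, nva_name,
                       body, poll_seconds=15, timeout_seconds=1800, sleep=time.sleep):
    """POST the provision request, then poll the status URL with the returned
    request_id. Status values 'completed' and 'failed' are ASSUMED."""
    resp = transport.post(provision_url(mgmt_ip, account_id, resource_group, nva_name), body)
    request_id = resp["request_id"]
    deadline = time.monotonic() + timeout_seconds
    while True:
        status = transport.get(status_url(mgmt_ip, request_id))
        state = str(status.get("status", "")).lower()
        if state == "completed":
            return status
        if state == "failed":
            # The page says a failed status carries the cause and the steps to
            # resolve it: surface the whole reply so the operator can fix and re-POST.
            raise ProvisionError(f"request {request_id} failed: {status}")
        if time.monotonic() > deadline:
            raise TimeoutError(f"request {request_id} still {state!r} after {timeout_seconds}s")
        sleep(poll_seconds)
```

HttpTransport takes the CA bundle that signed the management server's web certificate; disabling verification (a common shortcut with self-signed management certificates) would let anyone on the path capture the session id and the SIC key.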
Configuring the NVA with cme_menu
Requirements:
- A regular Security Management Server (not Smart-1 Cloud) or Multi-Domain Security Management Server with CME Take 261 and higher, with a valid license.
- CME Take 240 and higher installed on the Security Management Server.
- A service principal with the Reader role on the NVA's managed resource group.
To configure the NVA automatically:
- Connect to the command line interface on the Security Management Server.
- Log in to the Expert mode.
- Run the command:
cme_menu
- From the menu, select Azure (1) > vWAN (2) > Configure NVA gateways on management server (1).
- Enter the requested parameters.
You can see logs in the file: /var/log/CPcme/cme_menu.log.
- After you enter the parameters, the script starts to run. Wait for the script to complete.
To run the script manually:
- Connect to the command line interface on the Security Management Server.
- Log in to the Expert mode.
- Run the command:
python3 /opt/CPcme/features/vWAN/vWAN_automatic_script.py "tenant="<Active-Directory-Tenant-ID>"" "client_id="<Client-ID>"" "client_secret="<Client-Secret>"" "subscription="<Azure-Subscription>"" "managed_app_resource_group_name="<Managed-App-Resource-Group-Name>"" "nva_name="<NVA-name>"" "sic_key="<SIC-key>"" "policy="<Policy-Name>"" "atp="<True/False>""
For example:
python3 /opt/CPcme/features/vWAN/vWAN_automatic_script.py "tenant="7113cebb-911c-4122-aa5c-34db449380f7"" "client_id="82fb1445-f40e-46dc-9cd3-c065e14f132b"" "client_secret="xxx="" "subscription="98e34f37-ece4-4cdc-97dc-44a074f84aff"" "managed_app_resource_group_name="mrg-vwan-managed-app-12340424143321"" "nva_name="nvaGw"" "sic_key="SIC123456"" "policy="Standard""
- Wait for the script to complete.
The client secret and the SIC key are passed as command-line arguments, so they are written to the shell history and are visible to any user who can list processes on the server while the script runs. Clear them from the history afterwards, or use cme_menu, which prompts for the parameters instead.
Parameters for the NVA configuration (the script parameter is the key used on the command line; the menu prompt is the label cme_menu shows):
Script Parameter | Menu Prompt | Default Value | Description
---|---|---|---
tenant | TENANT ID | | The Azure Active Directory tenant ID.
client_id | CLIENT ID | | The service principal's client ID value.
client_secret | CLIENT SECRET | | The service principal's client secret value.
subscription | SUBSCRIPTION ID | | The Azure subscription ID.
managed_app_resource_group_name | MANAGED APP RESOURCE GROUP NAME | | The managed resource group name.
nva_name | NVA NAME | | The NVA name.
sic_key | SIC KEY | | The SIC key for the Security Management Server.
policy | POLICY NAME | | The name of an existing security policy to install on the Security Gateways.
atp | | True | Optional. Available in CME Take 239 and higher. Enable the Autonomous Threat Prevention blades.
Configure Ingress Rules for the NVA
Configuring ingress rules with CME API (recommended)
The Azure Virtual WAN NVA Ingress API enables asynchronous configuration of ingress rules. With this API you manage the Network Security Group and Load Balancer rules on the Azure side; you then add the corresponding NAT and access rules manually on the Security Management Server.
Requirements:
- A Security Management Server or Multi-Domain Security Management Server with CME Take 288 and higher, with a valid license.
- A CME account whose service principal has:
  - The Reader and Network Contributor roles on the NVA's managed resource group.
  - The Reader role on the relevant public IP addresses (or their resource group).
- An NVA configured on the Security Management Server.
- At least one public IP address attached to the NVA.
API Documentation:
- SwaggerHub: Azure Virtual WAN
- Postman Collection: CME API Postman collection
Adding Ingress Rules
To add ingress rules with the CME API:
Send a POST request:
POST https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.1/azure/virtualWANs/accounts/<account_id>/resourceGroups/<nva_resource_group>/inboundRules/<nva_name>
This asynchronous operation returns a request_id to track progress.
Note - Multiple rules can be added in one request; the request body carries a list of rules.
Check progress with a separate GET request:
GET https://<Management_IP_address>/web_api/cme-api/status/<request_id>
Note - If a failure occurs, the response to this GET request includes the cause of the failure and the steps to resolve it. After you resolve the error, submit the POST request again to create the ingress rules.
Required URL parameters (the placeholders in the request URL above):
Parameter Name | Description
---|---
account_id | The Azure account with sufficient permissions (as explained in the Requirements above).
nva_resource_group | The NVA resource group name.
nva_name | The NVA name.
Rule parameters (each rule in the request body; see the SwaggerHub documentation above for the exact field names):
- A unique rule identifier.
- The source: where the traffic comes from (IP address).
- lb_public_ips: the Load Balancer public IP addresses attached to the NVA on which the traffic is accepted.
- The ports to accept traffic on.
- The protocol: TCP or UDP.
Configure Access and NAT Rules
To enable ingress traffic, in addition to the rules on the Azure side that the CME API creates, you must manually add the corresponding access and NAT rules on the Security Management Server.
Access rule settings:
Source | Destination | VPN | Services & Applications | Action | Track | Install On
---|---|---|---|---|---|---
Matches the source value from the CME API request. | Matches the lb_public_ips value from the CME API request. | Any | Matches the ports and protocol from the CME API request. | Accept | Log | NVA Instances
NAT rule settings:
Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On
---|---|---|---|---|---|---
Matches the source value from the CME API request. | Matches the lb_public_ips value from the CME API request. | Matches the ports and protocol from the CME API request. | LocalGatewayInternal (NAT method: Hide) | The internal Application Gateway frontend private IP address. | A listener port and protocol. | NVA Instances
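The two tables above are written for SmartConsole. As an added example (not Check Point's code and not from this page), the following Python turns one CME ingress rule into the equivalent access rule and NAT rules as request bodies for the Management API commands add-access-rule, add-nat-rule and add-service-tcp/add-service-udp, so the "manual" step can be scripted. Assumptions: the ingress-rule field names other than lb_public_ips (id, source, ports, protocol); that the Management API is given object names, so the source, each public IP and the Application Gateway frontend already exist as host or network objects named after their addresses; and the Management API field names, which you should check against the API reference for your management version. SAMPLE_RULE is constructed for the test.

```python
"""Map one CME ingress rule to the access rule and NAT rules the page
specifies, as Management API request bodies. Added example; not Check Point
code. Object naming and API field names are ASSUMED (see lead-in)."""


def service_name(protocol, port):
    """Name of the service object for one port, e.g. ingress_tcp_443."""
    proto = str(protocol).lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"protocol must be TCP or UDP, got {protocol!r}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port!r}")
    return f"ingress_{proto}_{port}"


def service_payloads(protocol, ports):
    """Bodies for add-service-tcp / add-service-udp, one per port, so the
    access and NAT rules below can reference them by name."""
    command = f"add-service-{str(protocol).lower()}"
    return [{"command": command,
             "body": {"name": service_name(protocol, p), "port": str(int(p))}}
            for p in ports]


def access_rule_payload(rule, layer, section, install_on=("NVA Instances",)):
    """Body for add-access-rule matching the page's 'Access rule settings':
    source -> lb_public_ips on the rule's ports, Accept, Log, NVA Instances."""
    return {
        "layer": layer,
        "position": {"bottom": section},   # append inside the chosen section
        "name": f"vwan-ingress-{rule['id']}",
        "source": [rule["source"]],
        "destination": list(rule["lb_public_ips"]),
        "vpn": "Any",
        "service": [service_name(rule["protocol"], p) for p in rule["ports"]],
        "action": "Accept",
        "track": {"type": "Log"},
        "install-on": list(install_on),
    }


def nat_rule_payloads(rule, package, appgw_frontend_ip, listener_port,
                      listener_protocol="tcp", install_on=("NVA Instances",)):
    """Bodies for add-nat-rule, one per (public IP, port): hide the source
    behind LocalGatewayInternal and redirect to the internal Application
    Gateway frontend on its listener port, as in 'NAT rule settings'."""
    payloads = []
    for ip in rule["lb_public_ips"]:
        for port in rule["ports"]:
            payloads.append({
                "package": package,
                "position": "top",
                "name": f"vwan-ingress-{rule['id']}-{ip}-{port}",
                "original-source": rule["source"],
                "original-destination": ip,
                "original-service": service_name(rule["protocol"], port),
                "translated-source": "LocalGatewayInternal",
                "method": "hide",
                "translated-destination": appgw_frontend_ip,
                "translated-service": service_name(listener_protocol, listener_port),
                "install-on": list(install_on),
            })
    return payloads


# Constructed sample ingress rule (not from the page) used by the test.
SAMPLE_RULE = {
    "id": "web",
    "source": "198.51.100.0/24",      # must exist as a network object of this name
    "lb_public_ips": ["20.10.10.10"],  # must exist as a host object of this name
    "ports": [80, 443],
    "protocol": "TCP",
}
```

Send the service payloads first, then the access rule, then the NAT rules, and finish with publish and install-policy; nothing here is enforced until the package is installed on the NVA gateways.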
Modifying Ingress Rules
To modify ingress rules with the CME API:
Send the same POST request you used for adding new ingress rules.
Important - This overrides the existing rules. To add new rules without deleting the current ones, include all rules (current and new) in the request body.
Then update the access and NAT rules on the Security Management Server accordingly.
Deleting Ingress Rules
To delete ingress rules with the CME API:
Send a DELETE request:
DELETE https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.1/azure/virtualWANs/accounts/<account_id>/resourceGroups/<nva_resource_group>/inboundRules/<nva_name>
Important - This deletes all ingress rules associated with the NVA.
This asynchronous operation returns a request_id to track progress.
Viewing Ingress Rules
To view ingress rules with the CME API:
Send a GET request:
GET https://<Management_IP_address>/web_api/v1.8/cme-api/v1.2.1/azure/virtualWANs/accounts/<account_id>/resourceGroups/<nva_resource_group>/inboundRules/<nva_name>
This operation returns a list of ingress rules with their status.
System Limitations
- The CME API is not supported in the Azure Government and Azure China regions.
- Maximum 600 public IP addresses for load balancing per NVA.
- Maximum 300 ports per public IP address of a Load Balancer.
- Maximum 1,500 total ports across all NVA rules.
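Because the POST to inboundRules replaces the whole rule set (see "Modifying Ingress Rules"), a safe client reads the current rules back, merges the new ones in, checks the limits above, and only then posts. As an added example (not Check Point's code and not from this page), the following Python does that; it does not share code with the earlier examples. Assumptions: the rule field names other than lb_public_ips (id, source, ports, protocol); that GET inboundRules returns the rules under a "rules" key and POST takes the same shape; and how the limits are counted (distinct public IPs per NVA, distinct protocol/port pairs per IP, distinct IP/protocol/port triples in total). The HTTP calls are passed in as two functions so the flow runs offline; EXISTING and NEW in the test are constructed.

```python
"""Merge new ingress rules into the NVA's current rule set and validate the
page's documented limits before posting. Added example; not Check Point code.
Field names, response shape and limit counting are ASSUMED (see lead-in)."""

API_VERSION = "v1.8"
CME_VERSION = "v1.2.1"
MAX_PUBLIC_IPS_PER_NVA = 600    # page: System Limitations
MAX_PORTS_PER_PUBLIC_IP = 300
MAX_TOTAL_PORTS = 1500


def inbound_rules_url(mgmt_ip, account_id, resource_group, nva_name):
    return (f"https://{mgmt_ip}/web_api/{API_VERSION}/cme-api/{CME_VERSION}"
            f"/azure/virtualWANs/accounts/{account_id}"
            f"/resourceGroups/{resource_group}/inboundRules/{nva_name}")


def validate_rules(rules):
    """Raise ValueError on duplicate ids, bad protocol or port values, or any
    documented limit being exceeded. Returns (public_ip_count, total_ports)."""
    seen_ids = set()
    ports_by_ip = {}   # public IP -> set of (protocol, port)
    for r in rules:
        rid = r["id"]
        if rid in seen_ids:
            raise ValueError(f"duplicate rule id {rid!r}")
        seen_ids.add(rid)
        proto = str(r["protocol"]).upper()
        if proto not in ("TCP", "UDP"):
            raise ValueError(f"rule {rid!r}: protocol must be TCP or UDP")
        if not r["lb_public_ips"] or not r["ports"]:
            raise ValueError(f"rule {rid!r}: needs at least one public IP and one port")
        ports = set()
        for port in r["ports"]:
            port = int(port)
            if not 1 <= port <= 65535:
                raise ValueError(f"rule {rid!r}: port {port} out of range")
            ports.add((proto, port))
        for ip in r["lb_public_ips"]:
            ports_by_ip.setdefault(ip, set()).update(ports)
    if len(ports_by_ip) > MAX_PUBLIC_IPS_PER_NVA:
        raise ValueError(f"{len(ports_by_ip)} public IPs exceeds {MAX_PUBLIC_IPS_PER_NVA} per NVA")
    total = 0
    for ip, ports in ports_by_ip.items():
        if len(ports) > MAX_PORTS_PER_PUBLIC_IP:
            raise ValueError(f"{len(ports)} ports on {ip} exceeds {MAX_PORTS_PER_PUBLIC_IP}")
        total += len(ports)
    if total > MAX_TOTAL_PORTS:
        raise ValueError(f"{total} ports across all rules exceeds {MAX_TOTAL_PORTS}")
    return len(ports_by_ip), total


def merge_rules(existing, new):
    """POST replaces the whole set, so keep the current rules; a new rule with
    the same id replaces the old definition instead of duplicating it."""
    by_id = {r["id"]: r for r in existing}
    for r in new:
        by_id[r["id"]] = r
    return list(by_id.values())


def add_ingress_rules(get_json, post_json, mgmt_ip, account_id, resource_group,
                      nva_name, new_rules):
    """get_json(url) -> dict and post_json(url, body) -> dict perform the HTTP
    calls (for example a Management API session sending X-chkp-sid).
    Returns the request_id to poll on /web_api/cme-api/status/<request_id>."""
    url = inbound_rules_url(mgmt_ip, account_id, resource_group, nva_name)
    current = get_json(url).get("rules", [])
    merged = merge_rules(current, new_rules)
    validate_rules(merged)          # reject before anything reaches Azure
    return post_json(url, {"rules": merged})["request_id"]
```

Validating before the POST matters because the Azure-side change is asynchronous: a request that fails on a limit still has to be diagnosed through the status endpoint and re-sent, and a partially applied rule set leaves the NSG and Load Balancer out of step with the access and NAT rules on the management server.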
Configuring ingress rules with the ingress menu (Preview)
Ingress rules enable ingress traffic through the NVA. With the ingress menu you configure ingress rules on both the Azure side and the Security Management Server: the menu creates the NSG rules in Azure and the corresponding NAT and access rules on the Security Management Server.
Each generated NAT rule is placed in a dedicated NAT section called Automatic Generated Rules: vWAN, and each generated access rule is placed in the section of the access policy that you select.
Important - Do not change the generated NAT and access rules manually.
Requirements:
- A Security Management Server or Multi-Domain Security Management Server (not Smart-1 Cloud) with a valid license.
- NVA instances configured in SmartConsole with the {tags=vwan} comment.
- At least one public IP address attached to the NVA.
- CME Take 271 and higher installed on the Security Management Server.
- A CME account (controller) whose service principal is assigned:
  - The Reader and Network Contributor roles on the NVA's managed resource group.
  - The Reader role on the relevant public IP addresses (or their resource group).
- A terminal at least 150 columns wide and 40 lines high.
- A terminal emulator that supports line drawing. Confirmed terminals:
  - MobaXterm
  - Windows Command Line
  - Windows Terminal
  - SecureCRT
  - PuTTY (enable VT100 line drawing support)
Procedure:
- Connect to the command line interface on the Security Management Server.
- Log in to the Expert mode.
- Run the command:
cme_menu
- From the menu, select Azure (1) > vWAN (2) > Configure Ingress Rules (Preview) (5).
- Enter the requested parameters. After you enter the parameters, the ingress menu user interface starts.
Parameters for the ingress menu:
- The Azure account (CME controller) used to retrieve NVA data from the cloud.
- The domain name (Multi-Domain Security Management Server environments only).
- The policy package in which to create the ingress NAT and access rules.
- The section of the access policy in which to create and update the access rules.
- The NVA to configure with the ingress rules.
Using the Ingress User Interface
The ingress menu starts after you provide the initial parameters.
In this menu you create or edit the ingress rules. Changes are published, and the relevant policy package is installed, only when you press the Publish button.
Use the keyboard to navigate and control the menu; the mouse does not work in it.
Controls:
- Use the arrow keys to move between the buttons and inputs. The selected input or button is highlighted in yellow.
- Press Enter to select an element.
- When you select an input, its background changes to white and you can edit it. Some inputs accept only certain characters; for example, IP address inputs accept only characters that are valid in an IP address.
- To exit the menu, press Ctrl + C.
To add a rule:
- Select Add Rule and enter the relevant details.
- Select Add.
Note - When you create a new rule, you must add or discard it before you can navigate to a different rule.
To delete a rule:
Select an existing rule and press Delete.
To edit a rule:
- Select an existing rule.
- Navigate to the input you want to change.
- Press Enter and make the changes.
- Press Esc to deselect the input and save the value.
Note - Invalid values are marked in red, and you can deselect the rule only after you fix them.
To publish the changes and rules:
Press Publish to publish the changes. If there is a problem, it is shown in the message box and the details are written to the log.
After the publishing process completes successfully, press any key to exit the menu.
You can see logs in the file: /var/log/CPcme/cme_menu.log.