Workflow for Setting Up a High Availability Cluster in Azure Stack

Step 1: Download the Marketplace Template

To deploy this solution through the Azure Stack user portal, use the Check Point CloudGuard Network Security High Availability and Management packages.

Do these steps:

  1. Register Azure Stack with Azure. This lets you add images from Azure Marketplace Management to your on-premises environment. See Azure Stack Operator Azure-Stack Registration.

  2. Download the Check Point CloudGuard image from the Marketplace Management.

    1. Search for Check Point and click on the Check Point vSEC (now called CloudGuard) image link.

    1. Click Download.

  3. Download the Azure Gallery Package *.azpkg to the Azure Stack environment using the following command in the PowerShell CLI:

    No

    Description

    3.a

    Add endpoints for an instance of Azure Resource Manager by executing:

    Add-AzureRmEnvironment -Name AzureStackAdmin –ARMEndpoint https://adminmanagement.<REGION>.<DOMAIN>

    Notes:

    Replace <REGION> with your Azure Stack region.

    Replace <DOMAIN> with your Azure Stack domain.

    3.b

    Adds an Azure Resource Manager account to run cmdlets for the specified environment and tenant by default. This is done by executing:

    Add-AzureRmAccount -EnvironmentName "AzureStackAdmin" -TenantId <TENANT>

    Note:

    Replace <TENANT> with your tenant ID.

    3.c

    Gallery item

    • Add High Availability package gallery item:

      Add-AzsGalleryItem -GalleryItemUri https://chkpazurestack.blob.core.windows.net/azpkg-stack-ha/checkpoint.CloudGuard-stack-ha.1.0.0.azpkg -VERBOSE

    • Add Management package gallery item:

      Add-AzsGalleryItem -GalleryItemUri https://chkpazurestack.blob.core.windows.net/azpkg-stack-management/checkpoint.CloudGuard-stack-management.1.0.0.azpkg -VERBOSE

    3.d

    Make sure that the Marketplace items downloaded successfully:

    • For High Availability Gallery item, run:

      Get-AzsGalleryItem | select name

    • Detect High Availability package in the output list, run:

      checkpoint.CloudGuard-stack-ha.1.0.0.azpkgkg

    • Detect Management package in the output list, run:

      checkpoint.CloudGuard-stack-management.1.0.0.azpkg

    3.e

    Locate High Availability solution in your Azure Stack Admin portal:

    1. Click on create new resource.

    1. Confirm that HA Marketplace successfully downloaded.

Step 2: High Availability Deployment

Deploying with a Template in Azure

Deploy this solution through the Azure Stack User Portal.

Parameter

Description
Cluster object name

Name of the cluster object resource group.
Credentials

Public key or user name and password for SSH connections to the Cluster Members.
Subscription

Azure Stack subscription into which the cluster object is deployed
Resource group

Azure Stack resource group in which the cluster object is deployed
Location

Location in which the cluster object is deployed

License

Type of license:

  • Bring your own license (BYOL)

Virtual Machine size

Size of each Virtual Machine instance in the cluster object

SIC

SIC key to the Security Management Server

Network setting

  • Pre-existing Virtual Network and its subnets

  • Name of a new Virtual Network and subnets, into which the cluster object is deployed

Notes:

When you use pre-existing subnets, make sure that:

Components of the Check Point Solution

The Check Point deployed solution has these components:

  • Frontend subnet

  • Backend subnet

  • Two Virtual Machines configured as a Check Point cluster

  • Internal Load Balancer

  • External Load Balancer

  • Public IP address for each Cluster Member

Important - Other Virtual Machines cannot be deployed in the solution's subnet.

Notes about the template:

  • You can create a new Virtual Network, or deploy into an existing Virtual Network.

  • Web and App subnets are not deployed automatically.

  • It does not deploy any other Virtual Machines in the solution's frontend and backend subnets.

  • Virtual Machines that are launched in the backend subnets, may require Internet access to finalize provisioning. Launch these Virtual Machines only after you have applied Hide NAT rules on the cluster object to support this type of connectivity.

  • The Check Point First Time Configuration Wizard automatically deploys after you have set up the cluster object. The cluster object is configured based on the parameters that you applied.

  • After the First Time Configuration Wizard completes, the Virtual Machines automatically reboot.

Step 3: Configuring Cluster Objects in SmartConsole

Notes:

  • SmartConsole must be installed on the Windows VM host and not on your Azure Stack host.

  • Deploy your Windows VM host from the Azure Stack portal.

:

No

Description
1

Change the Management Object private IP address with its public address:

In Gateways & Servers:

  1. Select Management Server object.

  2. Change the private IP address with its public IP address.

  3. Click OK.

2

Click the Objects menu > More object types > Network Object > Gateways & Servers > Cluster > New Cluster.
3

Select Wizard Mode.
The Check Point Installed Gateway Cluster wizard window opens.
4

Enter a Cluster Name.

Example: checkpoint-cluster
5

In the Cluster IPv4 Address field, enter the public address of the External Load Balancer.

Note:

You can find the frontend-lb IP address in the Azure Stack portal by selecting the frontend-lb address IP address.
6

Click Next.
The Gateway Cluster Properties window opens.

7

Click Add, and then do these steps:

  1. In the Name field, enter the first Cluster Member's name.

    Example: member1

  1. In the IPv4 address field:
    Enter the Cluster Member's public IP address.

  2. In the Activation Key field, enter the SIC key set up in Azure.

  3. In the Confirm Activation Key field, enter the SIC key again.

  4. Click Initialize.
    If the Activation Key is confirmed, the Trust State field shows: Trust Established.

  5. Click OK.

8

Repeat Step 6 to add the second Cluster Member.

9

Click Next.
The Cluster Topology window opens.

10

Select Cluster Synchronization > Primary > Next.

11

Select Cluster Synchronization > Secondary > Next.

12

Select Edit Cluster's Properties > Finish.

13

Configure the interfaces eth0 and eth1.

  1. Select Network Management.

  2. Double-click the interface eth0.
    The Network eth0 window opens.

  3. From the General tab, in the Network type field, select Cluster.

  4. In the Virtual IPv4 field, enter a dummy VIP address ‘0.0.0.0’ and a dummy subnet mask ‘24’ – we use dummy values because the traffic is routed with the load balancer and not with a VIP.

  5. From the Network eth0 window, click Topology, and then disable the Anti-Spoofing.

  6. Click OK.

  7. Double-click the interface eth1.
    The Network eth1 window opens.

  8. From the General tab:

    In the Network type field, select Sync.

  9. From the Network eth1 window, click Topology and disable the Anti-Spoofing.

  10. Click OK.

  11. Select Advanced.

  12. Disable Extended Cluster Anti-Spoofing.

  13. Click OK.

14

Install the applicable Access Control policy on the cluster object.

Step 4: Configuring Cluster Members for Azure Stack Environment

No

Description
1

From Expert Mode, run this command on each Cluster Member:

# cpopenssl s_client -servername management.<REGION>.<DOMAIN> -connect management.<REGION>.<DOMAIN>:443 2>/dev/null </dev/null | cpopenssl x509 -outform DER | sha256sum | awk '{printf "export HTTPS_SERVER_FINGERPRINT=management.<REGION>.<DOMAIN>/sha256:%s\n", $1}'

Notes:

  • Replace <REGION> with your Azure Stack region.

  • Replace <DOMAIN> with your Azure Stack domain.
2

Write down the output from Step 1 (you need again for a different step).

export HTTPS_SERVER_FINGERPRINT=management.<REGION>.<DOMAIN>/sha256:<YOUR_FINGERPRINT>
3

In Expert mode, run this command on each Cluster Member:

# vi /opt/CPshared/5.0/tmp/.CPprofile.sh
4

Add the following parameters to the file:

AZURE_STACK='management.<REGION>.<DOMAIN>' ; export AZURE_STACK ; hash 1>/dev/null 2>&1
AZURE_REST_HTTPS=${FWDIR}/scripts/https.py ; export AZURE_REST_HTTPS ; hash 1>/dev/null 2>&1
HTTPS_SERVER_FINGERPRINT='management.<REGION>.<DOMAIN>/sha256:<YOUR_FINGERPRINT>'; export HTTPS_SERVER_FINGERPRINT ; hash 1>/dev/null 2>&1

Notes:

Replace <REGION> with your Azure Stack region.

Replace <DOMAIN> with your Azure Stack domain.

Replace <YOUR FINGERPRINT> with the fingerprint from step 2.
5

In Expert mode, run this command on each Cluster Member to reload the configuration:

reboot

6

Define your cluster environment on each Cluster Member:

In Expert mode, run:

# azure-ha-conf --region <REGION> --domain <DOMAIN> --force

Notes:

Replace <REGION> with your Azure Stack region.

Replace <DOMAIN> with your Azure Stack domain.

7

In Expert mode, run these commands on each Cluster Member:

    1. [Expert@HostName:0]# cpwd_admin list | grep -E "PID|AZURE_HAD"
    1. Kill PID

      Note - Replace the <PID> with process ID.

    2. Make sure the daemon has been reloaded by running:
      [Expert@HostName:0]# cpwd_admin list | grep -E "PID|AZURE_HAD"

Step 5 : Setting Credentials in Azure

Creating Your Own Service Principal

See How to Use the portal to create an Azure AD application and service principal that can access resources.

For Azure Stack Federation Services (AD FS) create service principal. see Create a service principal that uses client secret credentials.

Field

Parameter

Name

<Application_Name>

Example:

check-point-<cluster>

Supported
account types

Accounts in this organizational directory only (Microsoft)

Application type

Web

Sign-on URL

https://localhost/<Application_Name>

Example:

https:/localhost/check-point-<cluster>

After you create the application, write down these values:

  • ApplicationId

    client_id

    To create a new application secret:

    1. Select Certificates & secrets.

    2. Select Client secrets > New client secret.

    3. Enter a description of the secret, and a duration, click Add.
      We recommend to set the key to never expire.

    4. Important - After saving the client secret, the value of the client secret is displayed. Copy and save this value. Otherwise, you will not be able to retrieve the key later.

  • Key Value

    client_secret

Step

Description

1

To allow the cluster to update the necessary Azure resources on failover, the service principal must be assigned at least the following roles on these resources, or on their respective resource group:

Resource types:

  • Load Balancer Public IP addresses

  • External Load Balancer

  • CloudGuard Virtual Machines

  • Public cluster member's IP

  • Virtual Network

  • Any route table used by subnets in the VNET

  • The network interfaces used by the Cluster Member

2

Navigate to the relevant source.

Note - When deploying a cluster into an existing vNET, make sure to assign a Contributor role to it.

3

Click Access control (IAM) > Add.

4

Select Contributor role.

5

Select your AD application.

6

Click Save.

7

Set the client_id and client_secret on each of the Cluster Members. In Expert mode, run this command on each Cluster Member:

# azure-ha-conf --client-id '5c1896fe-26b6-4a5b-8c81-34ae07c09a24' --client-secret '2G6E_|]Y&|@Il(L}-O>g' --force

Example:

# azure-ha-conf --client-id '5c1896fe-26b6-4a5b-8c81-34ae07c09a24' --client-secret '2G6E_|]Y&|@Il(L}-O>g' --force

Note:

To avoid shell expansion, use single quotes.

8

Make sure the file syntax is correct.

In Expert mode, run this command on each Cluster Member:

# python -m json.tool $FWDIR/conf/azure-ha.json

9

Reload the cluster Azure configuration.

In Expert mode, run this command on each Cluster Member:

# $FWDIR/scripts/azure_ha_cli.py reconf

Step 6: Set up Internal Subnets and Route Tables Settings

You can use the Azure portal or the CLI to add internal subnets. This section describes how to add the Web and App subnets to a Virtual Network.

For each internal subnet, you must create an Azure Stack routing table with these UDRs:

#

Name

Address-prefix

Nexthop-type

Nexthop-address
1 <web-subnet>-local <10.0.4.0/24> Virtual Network --
2 web-subnet-to-app-subnet 10.0.5.0/24 Virtual Appliance IP of the Active Member Internal Private Address
3 web-subnet-default 0.0.0.0/0 Virtual Appliance IP of the Active Member Internal Private Address

#

Name

Address-prefix

Nexthop-type

Nexthop-address
1 <app-subnet>-local <10.0.5.0/24> Virtual Network --
2 app-subnet-to-web-subnets 10.0.4.0/24 Virtual Appliance IP of the Active Member Internal Private Address
3 app-subnet-default 0.0.0.0/0 Virtual Appliance IP of the Active Member Internal Private Address

  • If traffic inspection is required inside the Web/App subnets, then override Rule 1 in the route tables above, <web-subnet>-local, and <app-subnet>-local.

  • To achieve traffic inspection by the Active Cluster Member, add a route that forwards the traffic through the Active Cluster Member for each subnet in your vNET.

Important - Associate the newly created routing table with the subnet to which it belongs.

If the subnet houses the Security Management Server that manages the Cluster Member, add these routes in the example table below as well. This allows the Security Management Server to communicate directly with each Cluster Member - without passing through the Active Cluster Member.

Name

Address-prefix

Nexthop-type

Nexthop-address
Subnet-name- cluster_member1-management cluster_member1-internal-address/32 <10.0.2.10/32> Virtual appliance cluster_member1-internal address <10.0.2.10>
Subnet-name- cluster_member2-management cluster_member2-internal-address/32 <10.0.2.11/32> Virtual appliance cluster_member2-internal address <10.0.2.11>

Step 7: Setting Up Routes on Cluster Member to the Internal Subnets

No

Description
1 Connect with SSH to each of the Cluster Members.
2 Log in to Gaia Clish, or Expert mode.
3

Add this route:

  • In Gaia Clish, run these two commands:

    set static-route <Virtual-Network-IP-address/Prefix> nexthop gateway address <eth1-router-IP-address> on

    save config

  • In Expert mode, run this command:

    clish -c 'set static-route <Virtual-Network-IP-address/Prefix> nexthop gateway address <eth1-router-IP-address> on' -s

Notes:

  • Replace <Virtual-Network-IP-address/Prefix> with your internal Web server subnet.

  • Replace <eth1-router-IP-address> with the first address of the cluster backend subnet.

Example:

set static-route 10.0.0.0/16 nexthop gateway address 10.0.2.1 on

Parameter

Description
<Virtual-Network-IP-address/Prefix>

Specifies the prefix of the entire Virtual Network.

Example: 10.0.0.0/16
<eth1-router-IP-address>

Specifies the first unicast IP address on the subnet, to which the eth1 is connected.

Example: 10.0.2.1

Note - If the Virtual Network comprises several non-contiguous address prefixes, then repeat the command for each prefix.

Step 8: Configuring NAT Rules

Note - See Creating Objects in SmartConsole

In SmartConsole, create these NAT rules to provide Internet connectivity from the internal subnets.

No

Description
1
Original Source Virtual Network
Original Destination Virtual Network
Original Services *Any
Translated Source =Original
Translated Destination =Original
Translated Services =Original
Install On cluster object
Comments Avoid NAT in the Virtual Network
2
Original Source App-subnet
Original Destination App-subnet
Original Services *Any
Translated Source =Original
Translated Destination =Original
Translated Services =Original
Install On cluster object
3
Original Source App-subnet
Original Destination *Any
Original Services *Any
Translated Source App-subnet (hidden address)
Translated Destination =Original
Translated Services =Original
Install On cluster object
4
Original Source Web-subnet
Original Destination Web-subnet
Original Services *Any
Translated Source =Original
Translated Destination =Original
Translated Services =Original
Install On cluster object
5
Original Source

Web-subnet
Original Destination *Any
Original Services *Any
Translated Source Web-subnet (hidden address)
Translated Destination =Original
Translated Services =Original
Install On cluster object

  • Rule 1 - You have to define this NAT rule manually.

  • Rules 2 - 5 - SmartConsole creates these NAT rules automatically.

  • Traffic between the Web-subnet and the App-subnet is based on the UDR rules. Each subnet has its own routing table.

No

Description

1

Double-click the Web-subnet object.

The Web-subnet object window opens.

2

Select the NAT tab > Add automatic address translation rules.

3

In the Translation method field, select Hide > Hide Behind Gateway.

4

In the Install on Gateway field, select the cluster object.

5

Click OK.

This creates the automatic NAT rules.

6

Install the applicable Access Control policy on the cluster object.

Step 9: Setting Up the
External Load Balancer in Azure Stack

By default, the template you deploy creates an External Load Balancer, with the name frontend-lb, which faces the Internet.

The External Load Balancer sends health probes to TCP port 8081 to determine the health of the CloudGuard Network Security Security Gateways. You can create the load balancing rules in the Azure portal to allow incoming connections.

  • You cannot use these ports for forwarded traffic:

    • 80

    • 443

    • 444

    • 8082

    • 8080

    • 8117

  • The Load Balancer can be set to listen on other ports or on additional public IP addresses.

Configuring the Load Balancer in Azure Stack

You can configure the Load Balancer to listen on the TCP port 443, and forward this traffic to the Check Point CloudGuard Security Gateways on the TCP port 8081.

No

Description

1

Go to the Azure Stack User portal https://portal

Notes:

  • Replace the <REGION> with your Azure Stack region.

  • Replace <DOMAIN> with your Azure Stack domain

2

Find the External Load Balancer.

The Load Balancer is in your Resource Group.

The Load Balancer's name is frontend-Ib.

3

Configure the health probe:

  1. Click Health Probes, and then select Add.

  2. Give the health probe a name (such as health-app-1-tcp-8081).

  3. In Protocol, select TCP.

  4. From Port, select 8081.

  5. In the Interval, enter a health probe interval (for example, 5 seconds).

  6. In the Unhealthy threshold, enter a desired value (for example, 2).

  7. Click OK

4

Configure a new Load Balancing Rule:

  1. From the Load Balancing Rules, select Add.

  2. Give the rule a name. For example, cluster-app-1-tcp-443

  3. From the Frontend IP address field, select the pre-existing Frontend IP address.

  4. In the Protocol field, select TCP.

  5. From Port, select 443.

  6. In Backend port, select 8081.

  7. In Backend pool, select the pre-existing Cluster pool.

  8. In Health probe, select the health probe created in the previous step.

  9. Select the Session persistenceNone.

  10. Set the Idle timeout.

  11. In Floating IP, select Disabled.

  12. Click OK.

Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal'

You must create these Dynamic Objects in SmartConsole:

  • LocalGatewayExternal

  • LocalGatewayInternal

No

Description
1

Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.
2

Enter this name exactly as it appears below (case-sensitive, no spaces):

LocalGatewayExternal

3

Click OK.
4

Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.
5

Enter this name exactly as it appears below (case-sensitive, no spaces):

LocalGatewayInternal

6

Click OK.

7

Publish the session.

Configuring the Load Balancer to Listen on Additional Public IP Addresses and Ports

When using multiple web applications, each with its own public IP address, you need to configure the Load Balancer to listen on an additional public IP address on the TCP port 80. Forward this traffic to the Check Point CloudGuard Security Gateways on TCP port 8083.

No

Description
1

Go to the Azure Stack User portal https://portal.<REGION>.<DOMAIN>

Notes:

  • Replace <REGION> with your Azure Stack region.

  • Replace <DOMAIN> with your Azure Stack domain.

2

Find the External Load Balancer.

The Load Balancer is in the Resource Group.

The Load Balancer's name is frontend-lb.
3 In the Azure portal, allocate a new public IP address.
4

  1. Go to External Load Balancer (frontend-lb) > Frontend IP configuration.

  2. Click Add.

    (Add the new public IP address from step 3).

    1. Enter the Name.

    2. Select the IP address resource.

5

Configure the health probe:

  1. Click Health Probes, and then select Add.

  2. Give the health probe a name (such as health-app-2-tcp-8083).

  3. In Protocol, select TCP.

  4. From Port, select 8083.

  5. In Interval, enter a health probe interval (for example, 5 seconds).

  6. In Unhealthy threshold, enter a value (for example, 2).

  7. Click OK.
6

Configure a new Load Balancing Rule:

  1. From the Load Balancing Rules, select Add.

  2. Give the rule a name. For example: cluster-app-2-tcp-80

  3. From the Frontend IP address field, select the newly created Frontend IP address.

  4. In the Protocol field, select TCP.

  5. From Port, select 80.

  6. In Backend port, select 8083.

  7. In Backend pool, select the pre-existing Cluster Members pool.

  8. In Health probe, select the health probe.

  9. Select the Session persistence.

  10. Set the Idle timeout.

  11. In Floating IP, select Disabled > OK.

  12. Click OK.

Step 10: Configuring Inbound Protection

Configure Access Control and NAT rules for North-South inbound traffic.

No

Description
1

Connect with SmartConsole to your Security Management Server.
2

Create a host object to represent the specific host you want to access through the Internet.

Do these steps:

  1. Click the Objects menu > New Host.

  2. Enter a descriptive name. For example: web-app-1

  3. Enter the private IP address of the Internal Host.

  4. Click OK.
3

Create a new TCP service to represent the External Load Balancer configuration.

You have to do this for each internal port, such as port 8081.

Do these steps:

  1. Click the Objects menu > More object types > Service > New TCP.

  2. Enter a descriptive name. For example: https-8081

  3. In the Protocol field, select the applicable protocol (such as HTTP or HTTPS).

  4. In the Port field, select Customize and enter the port number. For example: 8081.

  5. Click OK.
4

Create a corresponding Access Control rule for each External Load Balancer with these values.

Rule

Rule No - 1

Name - Desired rule name

Source - *Any

Destination - LocalGatewayExternal

VPN - *Any

Services and Applications - The service object that represents the internal port

Data - *Any

Action - Accept

Track - Log

Install On - *Policy Targets

Note - Create only one LocalGatewayExternal object for each Security Management Server. (see Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal').
5

Create a NAT rule with these values for each Azure External Load Balancer:

Rule

Rule No - 1

Original Source - All_Internet (do not use *Any)

Original Destination - LocalGatewayExternal

Original Services - The service object that represents the internal port

Translated Source - LocalGatewayInternal - right-click on this cell and select the NAT method called Hide.

Translated Destination - The Host object that represents the Internal Web Server.

Translated Services - The service object that represents the port, on which the Web server listens (for example, http).

Install On - *Policy Targets

 

About this NAT rule:

  • Matches any traffic that arrives to the CloudGuard Security Gateway on the applicable internal port.

  • Translates the Source IP address to match the IP address of the CloudGuard Security Gateway that handles the connection ("eth1"). When you use this, the packets that return are routed to the correct CloudGuard Security Gateway.

  • Translates the destination IP address to the IP address of the Internal Web Server.

6

Publish the session.

7

Install the Access Control policy on the CloudGuard Security Gateways.