Additional Information

Using the Azure High Availability Daemon

The cluster solution in Azure uses the daemon to make API calls to Azure when a cluster failover takes place.

This daemon uses a configuration file $FWDIR/conf/azure-ha.json on each Cluster Member.

When you deploy the solution above from the template supplied, this file is created automatically.

The configuration file is in JSON format and contains these attributes:

Attribute name   Type     Value
debug            Boolean  true or false
subscriptionId   String   Subscription ID.
location         String   Resource group location.
environment      String   Name of the environment.
resourceGroup    String   Resource group name.
credentials      String   IAM. Indicates using automatic credentials on the Cluster Member Virtual Machine.
proxy            String   Name of the proxy.
virtualNetwork   String   Name of the Virtual Network.
clusterName      String   Name of the cluster.
templateName     String   Name of the template.
tenantId         String   ID of the tenant.

Note - If you use your own service principal, the credentials attribute contains:

  • Your Client-ID

  • Your Client-secret

  • Grant type client-credentials

  • Your Tenant ID

You can confirm that the daemon in charge of communicating with Azure runs on each Cluster Member.

From the Expert mode, run:

cpwd_admin list | grep -E "PID|AZURE_HAD"

The output should look like this example:

APP        PID    STAT  #START  START_TIME             MON  COMMAND
AZURE_HAD  3663   E     1       [12:58:48] 15/1/2016   N    python3 /opt/CPsuite-R81.20/fw1/scripts/azure_had.py

Notes:

  • The script appears in the output:

    • The STAT column should show E (executing)

    • The #START column should show 1 (the number of times this script was started by the Check Point WatchDog)

To troubleshoot issues related to this daemon, generate debug output. From the Expert mode, run:

  • To enable debug printouts:

    azure-ha-conf --debug --force

  • To disable debug printouts:

    azure-ha-conf --no-debug --force

The debug output is written to $FWDIR/log/azure_had.elg* files.

Using a Different Azure Cloud Environment

If you want to deploy your cluster in an environment other than the standard Azure environment, make sure to edit this file:

$FWDIR/conf/azure-ha.json

Example:

{
...
    "environment": "[Azure-cloud-environment]",
...
}

The Azure-Cloud-Environment has to be one of these:

  • Azure Cloud (the default global cloud environment)

  • Azure China Cloud

  • Azure US Government

  • Azure German Cloud

Procedure:

  1. From the Expert mode, run:

    azure-ha-conf --environment '<Azure-cloud-environment>' --force

  2. Make sure the file syntax is correct. From the Expert mode, run:

    python3 -m json.tool $FWDIR/conf/azure-ha.json

  3. Apply the changes. From the Expert mode, run:

    $FWDIR/scripts/azure_ha_cli.py reconf

    Note - If you deploy in the default global cloud environment, you can omit this attribute.

Important note about the service principal:

If you use any of these different environments, you have to create your own service principal. No default service principal is created.

Working with a Proxy

In some deployments, you can only access the Internet through a web proxy.

To allow the Cluster Member to make API calls to Azure through the proxy, edit the $FWDIR/conf/azure-ha.json file and add this attribute:

{
...
    "proxy": "http://[Proxy-Server]:[Proxy-Port]",
...
}

  • Proxy-Server is the host name or IP address of the web proxy server

  • Proxy-Port is the port on the proxy server

Note - The URL scheme has to be HTTP and not HTTPS.

Example:

{
...
    "proxy": "http://proxy.example.com:8080",
...
}

Procedure:

  1. Change the proxy settings. From the Expert mode, run:

    azure-ha-conf --proxy 'http://[Proxy-Server]:[Proxy-Port]' --force

  2. Make sure the file syntax is correct. From the Expert mode, run:

    python3 -m json.tool $FWDIR/conf/azure-ha.json

  3. Apply the changes. From the Expert mode, run:

    $FWDIR/scripts/azure_ha_cli.py reconf
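The syntax check in step 2 of the environment and proxy procedures above only tells you the file parses; the checker below, an added example and not Check Point code, also applies the constraints this guide states (known environment name, HTTP-only proxy URL, boolean debug, documented attributes present). The environment spellings are copied from the list in this guide, and the sample file is constructed; both are assumptions to align with your own azure-ha.json.

```python
import json
from urllib.parse import urlsplit

# Environment names as listed in the guide; the exact spelling stored by
# azure-ha-conf may differ (assumption), so align this set with your file.
ALLOWED_ENVIRONMENTS = {
    "Azure Cloud", "Azure China Cloud", "Azure US Government", "Azure German Cloud",
}
# Attributes the guide documents for $FWDIR/conf/azure-ha.json; 'environment'
# and 'proxy' are optional and 'debug' must be a JSON boolean.
DOCUMENTED_ATTRIBUTES = (
    "subscriptionId", "location", "resourceGroup", "credentials",
    "virtualNetwork", "clusterName", "templateName", "tenantId",
)

def check_azure_ha_config(text):
    """Return a list of problems found in azure-ha.json text (empty if OK)."""
    try:
        cfg = json.loads(text)  # same syntax check 'python3 -m json.tool' does
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]
    problems = [f"missing attribute: {a}" for a in DOCUMENTED_ATTRIBUTES if a not in cfg]
    if "debug" in cfg and not isinstance(cfg["debug"], bool):
        problems.append("debug must be true or false")
    env = cfg.get("environment")  # omitted means the default global cloud
    if env is not None and env not in ALLOWED_ENVIRONMENTS:
        problems.append(f"unknown environment: {env!r}")
    proxy = cfg.get("proxy")
    if proxy is not None:
        try:  # the daemon only accepts an HTTP (not HTTPS) proxy URL
            p = urlsplit(proxy)
            ok = p.scheme == "http" and bool(p.hostname) and p.port is not None
        except ValueError:  # unparsable host or port
            ok = False
        if not ok:
            problems.append("proxy must be http://<Proxy-Server>:<Proxy-Port>, not https")
    return problems
# Constructed sample in the shape the template writes (all values made up).
SAMPLE_CONFIG = """{
  "debug": false, "subscriptionId": "00000000-0000-0000-0000-000000000000",
  "location": "eastus", "environment": "Azure Cloud", "resourceGroup": "cp-ha-rg",
  "credentials": "IAM", "proxy": "http://proxy.example.com:8080",
  "virtualNetwork": "cp-vnet", "clusterName": "cp-cluster", "templateName": "ha",
  "tenantId": "00000000-0000-0000-0000-000000000000"
}"""
if __name__ == "__main__":
    print(check_azure_ha_config(SAMPLE_CONFIG) or "azure-ha.json looks valid")
```

Run it against the real file with `check_azure_ha_config(open(path).read())` before applying changes with `azure_ha_cli.py reconf`.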

Changing Template Components

The Check Point cluster's public IP address has to be in the same resource group as the Cluster Members.

These resources can be in any resource group:

  • Virtual Network

  • Network interfaces

  • Route tables

  • Storage account

Note - Make sure the resources Virtual Network and External Network Interfaces use the same automatic service principal with the same permissions.

Naming Constraints

Important - Do not change the name of any resource.

Cluster Member VM names must match the Cluster name with a suffix of '1' and '2'.

Example:

<member_name1>

<member_name2>

Network Interface names must match the Cluster Member VM names with a suffix of '-eth0' and '-eth1'.

Example:

<member_name1-eth0>

<member_name1-eth1>

<member_name2-eth0>

<member_name2-eth1>

The IP address of the cluster has to match the configuration file.

By default it should match the cluster name.
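The naming constraints above, turned into a check you can run against an inventory of the resource group's VM and NIC names (an added example, not Check Point code). The inventory below is constructed, and the comparison is exact and case-sensitive, which is an assumption.

```python
# Suffixes stated in the naming constraints above.
MEMBER_SUFFIXES = ("1", "2")
NIC_SUFFIXES = ("-eth0", "-eth1")

def expected_names(cluster_name):
    """Derive the VM and NIC names the daemon expects for cluster_name."""
    members = [cluster_name + s for s in MEMBER_SUFFIXES]
    nics = [m + s for m in members for s in NIC_SUFFIXES]
    return {"members": members, "nics": nics}

def check_naming(cluster_name, vm_names, nic_names):
    """Compare the names present in the resource group with the expected set.

    vm_names / nic_names are the names as they appear in Azure (for example
    copied from the portal). Comparison is exact and case-sensitive (assumption).
    Returns a list of problem strings; empty means the constraints hold.
    """
    want = expected_names(cluster_name)
    problems = [f"missing Cluster Member VM: {n}" for n in want["members"] if n not in vm_names]
    problems += [f"missing network interface: {n}" for n in want["nics"] if n not in nic_names]
    # Names that start with the cluster name but carry a wrong suffix are
    # flagged too, because the guide says resource names must not be changed.
    for n in vm_names:
        if n.startswith(cluster_name) and n not in want["members"]:
            problems.append(f"VM name does not match <cluster-name>1/2: {n}")
    for n in nic_names:
        if n.startswith(cluster_name) and n not in want["nics"]:
            problems.append(f"NIC name does not match <member-name>-eth0/-eth1: {n}")
    return problems

# Constructed inventory: the second member and one of its NICs were renamed.
CLUSTER = "cp-cluster"
VMS = ["cp-cluster1", "cp-cluster-b"]
NICS = ["cp-cluster1-eth0", "cp-cluster1-eth1", "cp-cluster2-eth0", "cp-cluster2-nic1"]

if __name__ == "__main__":
    for problem in check_naming(CLUSTER, VMS, NICS):
        print(problem)
```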

Permissions

It is possible to assign service principal permissions to specific Azure resources. See sk116585 for information on how to find the image version.

To allow the cluster to update the necessary Azure resources on failover, you must assign the service principal at least these roles on the resources in the list that follows, or on their related resource group:

Resource Type                                                      Role
Any public IP address attached to the External Load Balancer       Virtual Machine contributor
Public Load Balancer                                               Network contributor
CloudGuard Virtual Machines                                        Reader
Cluster public IP address                                          Network contributor
Public IP address of each Cluster Member                           Virtual Machine contributor
Virtual Network                                                    Virtual Machine contributor
The external network interfaces (eth0) used by the Cluster Member  Virtual Machine contributor

Creating Objects in SmartConsole

For more information, see the Check Point Security Management Administration Guide for your Management Server version.

Important - After you create an object, you must publish the session to save the changes in the management database.

To create a Host object:

  1. From the top right Objects Pane, click New > Host.

    The New Host window shows.

  2. In the Machine field, enter the private IP address of the machine.

To create a Network object:

  1. From the top right Objects Pane, click New > Network.

    The New Network window opens.

  2. Enter the Object Name (specifically the subnet name).

  3. Enter the Network address and Net mask.

To create a Service (port) object:

  1. From the top right Objects Pane, click New > More > Service.

  2. Select your TCP/UDP service.

  3. Enter the Object name.

  4. In the Enter Object Comment field, enter the port name.

  5. In the General field, select your Protocol.

  6. In the Match By field, select the Port number.

  7. Click OK.

To create a Network Group object:

  1. From the top right Objects Pane, click New > Network Group.

    The New Network Group window opens.

  2. Click + to select your internal subnets.

  3. Click OK.

Related Solutions