Additional Information
Deploying and configuring High-Availability Security Management Servers
Follow these steps:
- Deploy the Secondary Management Server.
  In the Azure portal, create a new instance for the Secondary Management Server. On the CloudGuard Advanced Settings tab, set the Installation type to Configure manually.
- Complete the First Time Configuration Wizard (FTW) on the Secondary Management Server.
  After the instance starts, connect to the Secondary Management Server using the Web UI and complete the First Time Configuration Wizard. In the Products section of the FTW, set the Security Management option to Secondary. This step registers the server as the Secondary Management Server in the HA pair.
- Add the Secondary Management Server in SmartConsole.
  After the FTW completes, log in to the Primary Management Server using SmartConsole and add the Secondary Management Server as a Check Point Host object.
  For that, on the Primary Management Server:
After you publish the changes, the HA status becomes visible in SmartConsole. The Secondary Management Server appears as synchronized with the Primary Management Server.
Using the Azure High Availability Daemon
The cluster solution in Azure uses the daemon to make API calls to Azure when a cluster failover takes place.
This daemon uses a configuration file, $FWDIR/conf/azure-ha.json, on each Cluster Member.
When you deploy the solution above from the supplied template, this file is created automatically.
The configuration file is in JSON format and contains these attributes:
Note - If you use your own service principal, the
You can confirm that the daemon in charge of communicating with Azure runs on each Cluster Member.
From the Expert mode, run:
The output should look like in this example:
Note - The script appears in the output:
To troubleshoot issues related to this daemon, generate debug output. From the Expert mode, run:
- To enable debug printouts:
  azure-ha-conf --debug --force
- To disable debug printouts:
  azure-ha-conf --no-debug --force
The debug output is written to the $FWDIR/log/azure_had.elg* files.
Using a Different Azure Cloud Environment
If you want to deploy your cluster in an environment other than the standard Azure environment, make sure to edit this file:
$FWDIR/conf/azure-ha.json
Example:
{
...
"environment": "[Azure-cloud-environment]",
...
}
The Azure-Cloud-Environment has to be one of these:
- Azure Cloud (the default global cloud environment)
- Azure China Cloud
- Azure US Government
Procedure:
- From the Expert mode, run:
  azure-ha-conf --environment '<Azure-cloud-environment>' --force
- Make sure the file syntax is correct. From the Expert mode, run:
  python3 -m json.tool $FWDIR/conf/azure-ha.json
- Apply the changes. From the Expert mode, run:
  $FWDIR/scripts/azure_ha_cli.py reconf
Note - If you deploy in the default global cloud environment, you can omit this attribute.
Important - If you use any of these different environments, you have to create your own service principal. No default service principal is created.
Working with a Proxy
In some deployments, you can only access the Internet through a web proxy.
To allow the Cluster Member to make API calls to Azure through the proxy, edit the $FWDIR/conf/azure-ha.json file and add this attribute:
{
...
"proxy": "http://[Proxy-Server]:[Proxy-Port]",
...
}
- Proxy-Server is the host name or IP address of the web proxy server
- Proxy-Port is the port on the proxy server
Note - The URL scheme has to be HTTP and not HTTPS.
Example:
{
...
"proxy": "http://proxy.example.com:8080",
...
}
Procedure:
- Change the proxy settings. From the Expert mode, run:
  azure-ha-conf --proxy 'http://[Proxy-Server]:[Proxy-Port]' --force
- Make sure the file syntax is correct. From the Expert mode, run:
  python3 -m json.tool $FWDIR/conf/azure-ha.json
- Apply the changes. From the Expert mode, run:
  $FWDIR/scripts/azure_ha_cli.py reconf
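The checks that the environment and proxy procedures above perform by hand (valid JSON as python3 -m json.tool reports it, a permitted environment value, and an http:// proxy URL with host and port) can be run together before azure_ha_cli.py reconf applies the file. The script below is an added example and is not Check Point's code: the identifiers in ALLOWED_ENVIRONMENTS are assumed Azure cloud names, because this page names the three environments only by display name, and the sample configuration at the bottom is constructed.

```python
import json
from urllib.parse import urlsplit

# Assumed identifiers for the three environments this page lists. The page gives
# display names only; these are the Azure CLI cloud names and are an assumption here.
ALLOWED_ENVIRONMENTS = {
    "AzureCloud",        # Azure Cloud (the default global cloud environment)
    "AzureChinaCloud",   # Azure China Cloud
    "AzureUSGovernment", # Azure US Government
}


def check_azure_ha_config(raw_text):
    """Return a list of findings for the text of $FWDIR/conf/azure-ha.json.

    An empty list means the file parses and the optional 'environment' and
    'proxy' attributes follow the rules described on this page.
    """
    findings = []
    try:
        cfg = json.loads(raw_text)
    except json.JSONDecodeError as exc:
        # Same class of failure that python3 -m json.tool reports; nothing else can be checked.
        return ["invalid JSON: %s" % exc]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]

    # 'environment' may be omitted (the default global cloud is used), but if present
    # it must be one of the supported clouds.
    env = cfg.get("environment")
    if env is not None and (not isinstance(env, str) or env not in ALLOWED_ENVIRONMENTS):
        findings.append("environment %r is not one of %s" % (env, sorted(ALLOWED_ENVIRONMENTS)))

    # 'proxy' may be omitted; if present the scheme must be http (not https) and the
    # URL must carry a host and a numeric port.
    proxy = cfg.get("proxy")
    if proxy is not None:
        if not isinstance(proxy, str):
            return findings + ["proxy must be a string URL"]
        parts = urlsplit(proxy)
        if parts.scheme != "http":
            findings.append("proxy scheme must be http, got %r" % parts.scheme)
        if not parts.hostname:
            findings.append("proxy URL has no host")
        try:
            port = parts.port
        except ValueError:  # non-numeric port, e.g. http://proxy:abc
            port = None
        if port is None:
            findings.append("proxy URL has no valid port")
    return findings


if __name__ == "__main__":
    # Constructed sample, not a real azure-ha.json from a deployment.
    sample = '{"environment": "AzureChinaCloud", "proxy": "https://proxy.example.com:8080"}'
    for finding in check_azure_ha_config(sample) or ["no findings"]:
        print(finding)
```

To check the live file, read $FWDIR/conf/azure-ha.json and pass its contents to check_azure_ha_config; the findings list is empty when the file is ready for azure_ha_cli.py reconf.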
Changing Template Components
The Check Point cluster's public IP address has to be in the same resource group as the Cluster Members.
These resources can be in any resource group:
- Virtual Network
- Network interfaces
- Route tables
- Storage account
Note - Make sure the resources Virtual Network and External Network Interfaces use the same automatic service principal with the same permissions.
Naming Constraints
Important - Do not change the name of any resource.
Cluster Members VM names must match the Cluster name with a suffix of '1' and '2'.
Example:
<member_name1>
<member_name2>
Network Interface names must match the Cluster Member VM names with a suffix of '-eth0' and '-eth1'.
Example:
<member_name1-eth0>
<member_name1-eth1>
<member_name2-eth0>
<member_name2-eth1>
The IP address of the cluster has to match the configuration file.
By default it should match the cluster name.
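The naming rules above can be verified before a failover test rather than discovered during one. The functions below are an added example, not Check Point's code: they derive the expected VM and network interface names from the cluster name exactly as the rules state, compare them with the names actually present (the lists passed in are constructed here; in practice they would come from an inventory of the resource group), and treat the cluster public IP name as the default case in which it matches the cluster name.

```python
def expected_resource_names(cluster_name):
    """Return the resource names the naming constraints require for a cluster.

    Cluster Member VMs are <cluster>1 and <cluster>2, each member has
    <member>-eth0 and <member>-eth1 interfaces, and by default the cluster
    public IP address carries the cluster name.
    """
    members = [cluster_name + "1", cluster_name + "2"]
    nics = [member + suffix for member in members for suffix in ("-eth0", "-eth1")]
    return {"vms": members, "nics": nics, "public_ip": cluster_name}


def check_resource_names(cluster_name, vm_names, nic_names, public_ip_name):
    """Compare actual resource names with the naming rules and return findings.

    Each finding names a missing required resource or an unexpected one
    (a renamed resource shows up as one missing plus one unexpected name).
    """
    expected = expected_resource_names(cluster_name)
    findings = []
    for kind, actual in (("vm", set(vm_names)), ("nic", set(nic_names))):
        wanted = set(expected[kind + "s"])
        for name in sorted(wanted - actual):
            findings.append("missing %s %r" % (kind, name))
        for name in sorted(actual - wanted):
            findings.append("unexpected %s %r (renamed resource?)" % (kind, name))
    if public_ip_name != expected["public_ip"]:
        findings.append("cluster public IP is named %r, expected %r; confirm it matches azure-ha.json"
                        % (public_ip_name, expected["public_ip"]))
    return findings


if __name__ == "__main__":
    # Constructed inventory: the second member VM was renamed with a hyphen.
    cluster = "cpcluster"
    vms = ["cpcluster1", "cpcluster-2"]
    nics = ["cpcluster1-eth0", "cpcluster1-eth1", "cpcluster2-eth0", "cpcluster2-eth1"]
    for finding in check_resource_names(cluster, vms, nics, "cpcluster") or ["names are consistent"]:
        print(finding)
```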
Permissions
It is possible to assign service principal permissions to specific Azure resources. See sk116585 for information on how to find the image version.
To allow the cluster to update the necessary Azure resources on failover, you must assign the service principal at least these roles on the resources in the list that follows, or on their related resource group:
| Resource Type | Role |
|---|---|
| Any public IP address attached to the External Load Balancer | Virtual Machine Contributor |
| Public Load Balancer | Network Contributor |
| Cloud Firewall Virtual Machines | Reader |
| Cluster public IP address | Network Contributor |
| Public IP address of each Cluster Member | Virtual Machine Contributor |
| Virtual Network | Virtual Machine Contributor |
| The external network interfaces ( | Virtual Machine Contributor |
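The table is easiest to enforce as data: the minimum role per resource type, checked against the role assignments the service principal actually holds, accepting an assignment either on the resource or on its resource group as the text allows. The code below is an added example and not Check Point's tooling; the short keys in REQUIRED_ROLES are labels chosen here (not Azure resource type names), the scope strings are a simplified model of Azure scopes, and the resources and assignments in the sample are constructed. Only an exact role match counts, so a broader role such as Contributor is reported and can be reviewed for least privilege.

```python
# Minimum role per resource type, taken from the table on this page.
# The keys are labels chosen for this example, not Azure resource type names.
REQUIRED_ROLES = {
    "external_lb_public_ip": "Virtual Machine Contributor",
    "public_load_balancer": "Network Contributor",
    "firewall_vm": "Reader",
    "cluster_public_ip": "Network Contributor",
    "member_public_ip": "Virtual Machine Contributor",
    "virtual_network": "Virtual Machine Contributor",
    "external_nic": "Virtual Machine Contributor",
}


def missing_role_assignments(principal, resources, assignments):
    """Return the resources on which 'principal' lacks its minimum role.

    resources:   iterable of (resource_type, resource_group, resource_name)
    assignments: iterable of (principal, role, scope), where scope is a
                 simplified model of an Azure scope: "<resource_group>" for a
                 group-level assignment or "<resource_group>/<resource_name>"
                 for a resource-level one. Either satisfies the requirement,
                 as the page allows assigning on the related resource group.
    Each missing entry is (resource_type, "<group>/<name>", required_role).
    Roles are matched exactly on purpose: a broader built-in role is reported
    so that it can be reviewed rather than silently accepted.
    """
    granted = {(role, scope) for who, role, scope in assignments if who == principal}
    missing = []
    for rtype, group, name in resources:
        role = REQUIRED_ROLES.get(rtype)
        if role is None:
            raise ValueError("unknown resource type %r" % rtype)
        resource_scope = "%s/%s" % (group, name)
        if (role, group) in granted or (role, resource_scope) in granted:
            continue
        missing.append((rtype, resource_scope, role))
    return missing


if __name__ == "__main__":
    # Constructed inventory and role assignments for a service principal "sp-ha".
    resources = [
        ("firewall_vm", "rg-fw", "cpcluster1"),
        ("firewall_vm", "rg-fw", "cpcluster2"),
        ("cluster_public_ip", "rg-fw", "cpcluster"),
        ("virtual_network", "rg-net", "vnet1"),
    ]
    assignments = [
        ("sp-ha", "Reader", "rg-fw"),                          # group scope covers both VMs
        ("sp-ha", "Network Contributor", "rg-fw/cpcluster"),   # resource scope on the cluster IP
        ("sp-ha", "Contributor", "rg-net"),                    # broader than required: reported
    ]
    for entry in missing_role_assignments("sp-ha", resources, assignments):
        print("missing: %s needs %s on %s" % (entry[0], entry[2], entry[1]))
```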
Creating Objects in SmartConsole
For more information, see the Check Point Security Management Administration Guide for your Security Management Server version.
Important - After you create an object, you must publish the session to save the changes in the management database.
To create a Host object:
- From the top right Objects Pane, click New > Host.
  The New Host window opens.
- In the Machine field, enter the private IP address of the machine.
To create a Network object:
- From the top right Objects Pane, click New > Network.
  The New Network window opens.
- Enter the Object Name (specifically the subnet name).
- Enter the Network address and Net mask.
To create a Service (port) object:
- From the top right Objects Pane, click New > More > Service.
- Select your TCP/UDP service.
- Enter the Object name.
- In the Enter Object Comment field, enter the port name.
- In the General field, select your Protocol.
- In the Match By field, select the Port number.
- Click OK.
To create a Network Group object:
- From the top right Objects Pane, click New > Network Group.
  The New Network Group window opens.
- Click + to select your internal subnets.
- Click OK.
SecureXL Traffic Acceleration
SecureXL traffic acceleration is supported for these versions:
- R81.10 Jumbo Hotfix Accumulator Take 177 and higher
- R81.20 Jumbo Hotfix Accumulator Take 99 and higher
- R82 Jumbo Hotfix Accumulator Take 25 and higher
Note - For lower versions, see sk172625.
Enabling SecureXL Traffic Acceleration
To enable SecureXL traffic acceleration on existing Cloud Firewall Gateways, follow these steps on both members of the High Availability cluster:
- Log in using SSH to the Cluster Member.
- Back up the current fwkern.conf file. For that, in Expert mode, run:
  cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}
- Open the configuration file for editing. For that, in Expert mode, run:
  vi $FWDIR/boot/modules/fwkern.conf
- Add the following line at the end of this file:
  accel_dnat_to_cluster=1
- Save and exit the file.
- Enable the parameter for the current session (no reboot required). In Expert mode, run:
  fw ctl set int accel_dnat_to_cluster 1
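Because the same fwkern.conf edit has to be made on both Cluster Members, it helps to make it repeatable: appending blindly leaves duplicate or conflicting lines if the file was already touched. The function below is an added example, not part of this page's procedure or of Check Point's tooling. It works on the file's text in memory (the backup with cp and the runtime fw ctl set from the steps above are still needed), appends the line when the parameter is absent as the steps instruct, rewrites it in place when it exists with another value, drops duplicate definitions, and ignores commented-out lines; the sample input is constructed.

```python
import re


def ensure_kernel_param(conf_text, name, value):
    """Return (new_text, changed) with 'name=value' present exactly once.

    - absent parameter: the line is appended at the end of the file
    - present with a different value: the existing line is rewritten in place
    - present more than once: later duplicates are dropped
    - commented-out lines ('#name=...') are left alone and do not count as set
    """
    pattern = re.compile(r"^\s*%s\s*=\s*(\S+)\s*$" % re.escape(name))
    wanted_line = "%s=%s" % (name, value)
    out = []
    found = False
    changed = False
    for line in conf_text.splitlines():
        match = pattern.match(line)
        if match and not found:
            found = True
            if match.group(1) != value:
                out.append(wanted_line)  # rewrite conflicting value in place
                changed = True
            else:
                out.append(line)
        elif match:
            changed = True  # duplicate definition: drop it
        else:
            out.append(line)
    if not found:
        out.append(wanted_line)  # the page's instruction: add the line at the end
        changed = True
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    # Constructed fwkern.conf content: a commented-out line and a conflicting value.
    current = "fwha_vmac_global_param_enabled=1\n#accel_dnat_to_cluster=1\naccel_dnat_to_cluster=0\n"
    new_text, changed = ensure_kernel_param(current, "accel_dnat_to_cluster", "1")
    print("changed" if changed else "already set")
    print(new_text, end="")
```

On a gateway the caller would read $FWDIR/boot/modules/fwkern.conf, write new_text back only when changed is True, and then run the fw ctl set command so the running kernel matches the persistent file.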
Monitoring SecureXL Traffic Acceleration
To monitor accelerated traffic and connections on the Cloud Firewall Gateways, use these commands:
- To view SecureXL statistics:
  fwaccel stats
- To view accelerated connections:
  fwaccel conns