Additional Information
Using the Azure High Availability Daemon
The cluster solution in Azure uses the Azure High Availability daemon to make API calls to Azure when a cluster failover takes place. (A cluster is two or more Security Gateways that work together in a redundant configuration, High Availability or Load Sharing.)
This daemon reads the configuration file $FWDIR/conf/azure-ha.json on each Cluster Member (a Security Gateway that is part of the cluster).
When you deploy the solution from the supplied template, this file is created automatically.
The configuration file is in JSON format and contains these attributes:
Note - If you use your own service principal, the credentials attribute contains:
- Your Client ID
- Your Client secret
- Grant type: client-credentials
- Your Tenant ID
You can confirm that the daemon that communicates with Azure runs on each Cluster Member.
From the Expert mode, run:
The output should look like this example:
Notes:
- The script appears in the output.
- The STAT column should show E (executing).
- The #START column should show 1 (the number of times the Check Point WatchDog started this script).
To troubleshoot issues related to this daemon, generate debug output. From the Expert mode, run:
- To enable debug printouts:
azure-ha-conf --debug --force
- To disable debug printouts:
azure-ha-conf --no-debug --force
The debug output is written to the $FWDIR/log/azure_had.elg* files.
Using a Different Azure Cloud Environment
If you deploy your cluster in an environment other than the standard global Azure environment, edit this file:
$FWDIR/conf/azure-ha.json
Example:
{
...
"environment": "[Azure-cloud-environment]",
...
}
The Azure-cloud-environment has to be one of these:
- Azure Cloud (the default global cloud environment)
- Azure China Cloud
- Azure US Government
- Azure German Cloud
Procedure:
- Set the environment. From the Expert mode, run:
azure-ha-conf --environment '<Azure-cloud-environment>' --force
- Make sure the file syntax is correct. From the Expert mode, run:
python3 -m json.tool $FWDIR/conf/azure-ha.json
- Apply the changes. From the Expert mode, run:
$FWDIR/scripts/azure_ha_cli.py reconf
Note - If you deploy in the default global cloud environment, you can omit this attribute.
Important note about the service principal:
If you use any of these other environments, you have to create your own service principal. No default service principal is created for them.
Working with a Proxy
In some deployments, you can only access the Internet through a web proxy.
To allow the Cluster Member to make API calls to Azure through the proxy, edit the $FWDIR/conf/azure-ha.json file and add this attribute:
{ ... "proxy": "http://[Proxy-Server]:[Proxy-Port]", ... }
- Proxy-Server is the host name or IP address of the web proxy server
- Proxy-Port is the port on the proxy server
Note - The URL scheme has to be HTTP and not HTTPS.
Example:
{ ... "proxy": "http://proxy.example.com:8080", ... }
Procedure:
- Change the proxy settings. From the Expert mode, run:
azure-ha-conf --proxy 'http://[Proxy-Server]:[Proxy-Port]' --force
- Make sure the file syntax is correct. From the Expert mode, run:
python3 -m json.tool $FWDIR/conf/azure-ha.json
- Apply the changes. From the Expert mode, run:
$FWDIR/scripts/azure_ha_cli.py reconf
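The two procedures above (changing the cloud environment and adding a proxy) only check that azure-ha.json is syntactically valid JSON. The script below is an added example, not Check Point code, that also checks the values the daemon depends on: the environment is one of the four listed, a non-global environment comes with your own service principal, the proxy uses the http scheme with a host and port, and the credentials attribute is complete. The attribute names "environment", "proxy" and "credentials" come from this page; the key names inside "credentials" (client_id, client_secret, grant_type, tenant) and the exact spelling the daemon stores for the environment are assumptions, so the comparison ignores spaces and case and you should compare the keys with the file the template generated. The sample configurations are constructed for the example.

```python
"""Sanity checks for $FWDIR/conf/azure-ha.json before running azure_ha_cli.py reconf.
Added example, not Check Point code. The key names inside "credentials"
(client_id, client_secret, grant_type, tenant) are an ASSUMPTION; compare them
with the file the template generated on your Cluster Member."""
import json
import sys
from urllib.parse import urlsplit

# Environments the page lists. The stored value may be written without spaces
# (e.g. "AzureChinaCloud"), so the comparison ignores spaces and case.
ALLOWED_ENVIRONMENTS = ("Azure Cloud", "Azure China Cloud",
                        "Azure US Government", "Azure German Cloud")
DEFAULT_ENVIRONMENT = "Azure Cloud"
CREDENTIAL_KEYS = ("client_id", "client_secret", "grant_type", "tenant")  # assumed names


def _norm(value: str) -> str:
    return "".join(str(value).split()).lower()


def _check_proxy(proxy: str) -> list[str]:
    problems = []
    try:
        parts = urlsplit(proxy)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError as exc:
        return [f"proxy URL is malformed: {exc}"]
    if parts.scheme != "http":     # the daemon requires http://, not https://
        problems.append(f"proxy scheme must be http, got {parts.scheme!r}")
    if not parts.hostname or port is None:
        problems.append("proxy must have the form http://<host>:<port>")
    return problems


def check_config(text: str) -> list[str]:
    """Return the problems found in the JSON text; an empty list means the file passed."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:      # same failure `python3 -m json.tool` reports
        return [f"invalid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]
    problems = []

    env = cfg.get("environment")             # absent means the default global cloud
    if env is not None:
        if _norm(env) not in {_norm(e) for e in ALLOWED_ENVIRONMENTS}:
            problems.append(f"unknown environment {env!r}")
        elif _norm(env) != _norm(DEFAULT_ENVIRONMENT) and "credentials" not in cfg:
            # Non-global clouds get no automatic service principal.
            problems.append("non-global environment needs your own service principal "
                            "in the credentials attribute")

    if "proxy" in cfg:
        problems += _check_proxy(str(cfg["proxy"]))

    creds = cfg.get("credentials")
    if creds is not None:
        if not isinstance(creds, dict):
            problems.append("credentials must be a JSON object")
        else:
            missing = [k for k in CREDENTIAL_KEYS if not creds.get(k)]
            if missing:
                problems.append("credentials missing " + ", ".join(missing))
            grant = creds.get("grant_type")
            if grant is not None and _norm(grant).replace("-", "_") != "client_credentials":
                problems.append(f"grant_type must be client-credentials, got {grant!r}")
    return problems


# Constructed sample files (not real deployments).
GOOD_CONFIG = """{
  "environment": "Azure China Cloud",
  "proxy": "http://proxy.example.com:8080",
  "credentials": {
    "client_id": "00000000-0000-0000-0000-000000000000",
    "client_secret": "<secret>",
    "grant_type": "client-credentials",
    "tenant": "11111111-1111-1111-1111-111111111111"
  }
}"""
BAD_CONFIG = '{"environment": "Azure Moon Cloud", "proxy": "https://proxy.example.com:8080"}'

if __name__ == "__main__":
    # Usage on a Cluster Member: python3 check_azure_ha.py $FWDIR/conf/azure-ha.json
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else BAD_CONFIG
    for problem in check_config(text):
        print("PROBLEM:", problem)
```

Run it against the real file before `azure_ha_cli.py reconf`; an empty result only means the file is consistent with the rules on this page, not that the credentials are valid, which is what the failover test and the azure_had.elg debug output tell you.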
Changing Template Components
The Check Point cluster's public IP address has to be in the same resource group as the Cluster Members.
These resources can be in any resource group:
- Virtual Network
- Network interfaces
- Route tables
- Storage account
Note - Make sure the resources Virtual Network and External Network Interfaces use the same automatic service principal with the same permissions.
Naming Constraints
Important - Do not change the name of any resource.
Cluster Member VM names must match the cluster name with a suffix of '1' and '2'.
Example:
<cluster_name>1
<cluster_name>2
Network Interface names must match the Cluster Member VM names with a suffix of '-eth0' and '-eth1'.
Example:
<cluster_name>1-eth0
<cluster_name>1-eth1
<cluster_name>2-eth0
<cluster_name>2-eth1
The cluster IP address has to match the configuration file. By default, it matches the cluster name.
Permissions
It is possible to assign service principal permissions to specific Azure resources. See sk116585 for information on how to find the image version.
To allow the cluster to update the necessary Azure resources on failover, you must assign the service principal at least these roles, either on the resources in the table that follows or on the resource group that contains them:

Resource Type | Role
---|---
Any public IP address attached to the External Load Balancer | Virtual Machine Contributor
Public Load Balancer | Network Contributor
CloudGuard Virtual Machines | Reader
Cluster public IP address | Network Contributor
Public IP address of each Cluster Member | Virtual Machine Contributor
Virtual Network | Virtual Machine Contributor
The external network interfaces ( | Virtual Machine Contributor
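The naming constraints and the role table above are easy to get wrong when you scope a service principal to individual resources instead of the whole resource group. The script below is an added example, not Check Point code, that runs both checks offline against an inventory you export: it derives the names the template requires from the cluster name and reports the ones missing, and it checks that every (resource, role) pair from the table is satisfied by an assignment at the resource itself or at a scope above it. The scope rule (an assignment applies to its scope and everything beneath it) is standard Azure RBAC; the resource IDs, the cluster name and the assignments are constructed for the example, with one NIC misnamed and Network Contributor deliberately scoped too narrowly so that both checks report something.

```python
"""Pre-flight checks for the template components of a CloudGuard cluster in Azure.
Added example, not Check Point code. Encodes the naming constraints and the role
table from the page; resource IDs, cluster name and assignments are constructed."""

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cp-rg"  # constructed
NET = f"{RG}/providers/Microsoft.Network"
COMPUTE = f"{RG}/providers/Microsoft.Compute"


def expected_names(cluster: str) -> dict[str, set[str]]:
    """Names the template requires: VMs <cluster>1/<cluster>2, NICs <vm>-eth0/<vm>-eth1,
    and, by default, a cluster public IP named like the cluster."""
    vms = {f"{cluster}1", f"{cluster}2"}
    nics = {f"{vm}-eth{n}" for vm in vms for n in (0, 1)}
    return {"virtualMachines": vms, "networkInterfaces": nics, "publicIPAddresses": {cluster}}


def type_and_name(resource_id: str) -> tuple[str, str]:
    """'/.../providers/Microsoft.Network/networkInterfaces/x' -> ('networkInterfaces', 'x')."""
    parts = resource_id.rstrip("/").split("/")
    return parts[-2], parts[-1]


def naming_problems(cluster: str, resource_ids: list[str]) -> dict[str, set[str]]:
    """Per resource type, the required names that are not present in resource_ids."""
    present: dict[str, set[str]] = {}
    for rid in resource_ids:
        rtype, name = type_and_name(rid)
        present.setdefault(rtype, set()).add(name)
    return {rtype: missing for rtype, names in expected_names(cluster).items()
            if (missing := names - present.get(rtype, set()))}


def covers(scope: str, resource_id: str) -> bool:
    """Azure RBAC: an assignment at `scope` applies to that scope and everything beneath it."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")


def uncovered(required: list[tuple[str, str]],
              assignments: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """(resource_id, role) pairs that no (scope, role) assignment of the principal satisfies."""
    return [(rid, role) for rid, role in required
            if not any(role.lower() == arole.lower() and covers(scope, rid)
                       for scope, arole in assignments)]


# Constructed inventory: one NIC was renamed, which breaks the naming constraint.
CLUSTER = "cpcluster"
RESOURCE_IDS = [
    f"{COMPUTE}/virtualMachines/cpcluster1", f"{COMPUTE}/virtualMachines/cpcluster2",
    f"{NET}/networkInterfaces/cpcluster1-eth0", f"{NET}/networkInterfaces/cpcluster1-eth1",
    f"{NET}/networkInterfaces/cpcluster2-external", f"{NET}/networkInterfaces/cpcluster2-eth1",
    f"{NET}/publicIPAddresses/cpcluster",
]

# Roles from the page's table, applied to the constructed resources.
VMC, NETC, READER = "Virtual Machine Contributor", "Network Contributor", "Reader"
REQUIRED = [
    (f"{NET}/publicIPAddresses/lb-pip", VMC),            # public IP on the external load balancer
    (f"{NET}/loadBalancers/frontend-lb", NETC),          # public load balancer
    (f"{COMPUTE}/virtualMachines/cpcluster1", READER),   # CloudGuard VMs
    (f"{COMPUTE}/virtualMachines/cpcluster2", READER),
    (f"{NET}/publicIPAddresses/cpcluster", NETC),        # cluster public IP
    (f"{NET}/publicIPAddresses/cpcluster1-pip", VMC),    # member public IPs
    (f"{NET}/publicIPAddresses/cpcluster2-pip", VMC),
    (f"{NET}/virtualNetworks/vnet", VMC),                # virtual network
    (f"{NET}/networkInterfaces/cpcluster1-eth0", VMC),   # external NICs
    (f"{NET}/networkInterfaces/cpcluster2-eth0", VMC),
]
# Constructed assignments: VM Contributor and Reader on the whole resource group, but
# Network Contributor scoped only to the cluster public IP, so the load balancer is missed.
ASSIGNMENTS = [(RG, VMC), (RG, READER), (f"{NET}/publicIPAddresses/cpcluster", NETC)]

if __name__ == "__main__":
    print("naming problems:", naming_problems(CLUSTER, RESOURCE_IDS))
    print("uncovered roles:", uncovered(REQUIRED, ASSIGNMENTS))
```

Feed the real inventory from `az resource list` and `az role assignment list --assignee <app-id>` into RESOURCE_IDS and ASSIGNMENTS to run the same checks on a deployment; an empty result from both functions is the state the template expects before the first failover test.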
Creating Objects in SmartConsole
For more information, see the Check Point Security Management Administration Guide for your Management Server version (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server).
Important - After you create an object, you must publish the session to save the changes in the management database.
To create a Host object:
- From the top right Objects Pane, click New > Host.
The New Host window opens.
- In the Machine field, enter the private IP address of the machine.
To create a Network object:
- From the top right Objects Pane, click New > Network.
The New Network window opens.
- Enter the Object Name (specifically, the subnet name).
- Enter the Network address and Net mask.
To create a Service (port) object:
- From the top right Objects Pane, click New > More > Service.
- Select your TCP/UDP service.
- Enter the Object name.
- In the Object Comment field, enter the port name.
- In the General section, select your Protocol.
- In the Match By field, select the Port number.
- Click OK.
To create a Network Group object:
- From the top right Objects Pane, click New > Network Group.
The New Network Group window opens.
- Click + to select your internal subnets.
- Click OK.