Network

Follow this network diagram to configure your system. Make sure to replace the IP addresses in the sample environment with the IP addresses in your environment.

Network Diagram

See the routing tables below the diagram.

1

Example 1

Frontend

Web:443

Backend port

8081

2

Example 2

Frontend

App:80

Backend port

8083

3

Destination

Nexthop

 

10.0.0.0/16

None (Drop)

 

10.0.1.0/24

Virtual Network

4

Destination

Nexthop

 

0.0.0.0/0

None (Drop)

Routing Table for Web and App - User Defined Routes (UDR)

Web and App routing tables have the same Virtual Network address, but different subnet addresses.

5

Frontend

Nexthop

 

10.0.0.0/16 - Virtual Network address

10.0.2.4 -IP of the Internal Load Balancer

 

0.0.0.0/0

10.0.2.4 -IP of the Internal Load Balancer

 

10.0.3.0/24 (Web) - Subnet address

Virtual Network

6

Frontend

Nexthop

 

10.0.0.0/16 -Virtual Network address

10.0.2.4 -IP of the Internal Load Balancer

 

0.0.0.0/0

10.0.2.4 -IP of the Internal Load Balancer

 

10.0.4.0/24 (App) - Subnet address

Virtual Network

Diagram Components

The diagram shows:

  • Virtual Network in Azure that is divided into four subnets

    • Frontend

    • Backend

    • Web

    • App

  • On-premises network with these components

    • Security Gateway

    • Hosts

Check Point High Availability consists of two Cluster Members, Member 1 and Member 2. Each Cluster Member has two interfaces.

When the Cluster Members are in the same Availability Set, it guarantees that the two Cluster Members are in separate fault domains. For more information, see Manage the availability of Windows virtual machines in Azure.

In the diagram:

  • The cluster protects two web applications.

  • There is Site-to-Site VPN connectivity between the Cluster Members and on-premises Security Gateways.

Each web application has:

  • Public IP address

  • Web server

  • Application server

You must manually configure these components:

  • Backend hosts

  • Subnets

  • Routing tables for Web and App servers

Name

Attached to

Use

Cluster public address

The external interface of the Active Cluster Member.

VPN

Cluster private address

The external interface of the Active Cluster Member.

VPN

Member 1 public address

The external interface of Member 1.

  • External management of Member 1

  • Internet and Azure API access

Do not disable or delete this resource.

Member 2 public address

The external interface of Member 2.

  • External management of Member 2

  • Internet and Azure API access

Do not disable or delete this resource.

Web

Azure Load Balancer

Public service Web

App

Azure Load Balancer

Public service App

You cannot use these ports:

  • 80

  • 443

  • 444

  • 8082

  • 8880

  • 8117

Frontend IP address

Frontend TCP ports

Destination IP address

Destination port

Web

HTTPS

Active Cluster Member

8081

App

HTTP

Active Cluster Member

8083

Failover

  1. The Cluster Member that fails, immediately stops responding to the Load Balancer health probes.

  2. The Cluster Member that gets promoted to Active, starts responding to the Load Balancer health probes.

  3. The Azure External Load Balancer and Internal Load Balancer detect the new health status of each Cluster Member, and forward traffic to the healthy Cluster Member. For more information, see Azure Load Balancer health probes.

    This usually happens in less than 15 seconds based on the health probe Load Balancer configuration. This affects inbound and East-West traffic inspection.

  4. The Cluster Member that gets promoted to Active, uses the Azure API to associate itself with the cluster private and public IP addresses.

    This usually happens in less than 2 minutes. This affects VPN tunnel failover.

Use Case

Expected Failover Time

Comments

Site-to-Site VPN

Less than 2 minutes

Depends on the Azure API.

Inbound inspection through the External Load Balancer

Less than 15 seconds

Depends on the Load Balancer health probe.

Outbound inspection through the Internal Load Balancer

Less than 2 minutes

Depends on the Load Balancer health probe and Azure API.

East-West inspection through the Internal Load Balancer

Less than 15 seconds

Depends on the Load Balancer health probe.

Traffic Flows

If the Management Server is in the Virtual Network, make sure to have specific routes to allow traffic between the Management Server Virtual Machine and the Cluster Members.

Note - It is not possible to deploy other Virtual Machines in the Check Point solution subnets.

Inbound Traffic

There are two options for inbound traffic:

  1. Traffic travels into the External Load Balancer:

    1. Packet enters into the External Load Balancer via low port (80/443/etc.).

    2. The External Load Balancer forwards the packet to the Active Cluster Member and translates the port to the back-end high port (8081/4433/etc.).

    3. The Active Cluster Member inspects the packet and forwards it to the destination performing NAT translation back to the original low port.

  2. Traffic travels into the front-end network interface (VIP):

    1. Packet enters the front-end network interface (eth0) of the Active Cluster Member.

    2. The Active Cluster Member inspects the packet and forwards it to the destination.

  1. The traffic travels from the Web Server to the Internal Load Balancer.

  2. The Internal Load Balancer forwards it to the Active Cluster Member.

  3. The Active Cluster Member forwards it to the destination.

  1. Packet enters the frontend NIC of the Active Cluster Member.

  2. The Active Cluster Member decrypts the packet.

  3. The Active Cluster Member forwards the packet to its destination.

  1. Traffic travels to an Internal Load Balancer based on the UDR.

  2. The Internal Load Balancer forwards the traffic to the Active Cluster Member.

  3. The Active Cluster Member inspects the traffic and forwards it to the destination.

  1. Traffic travels from one of the internal servers to the Internal Load Balancer of the Check Point solution.

  2. The Internal Load Balancer forwards the traffic to the Active Cluster Member.

  3. The Active Cluster Member forwards the traffic to the destination.

The Internal Load Balancer deploys by default as part of the solution template and is automatically configured. It is configured to listen and forward any TCP or UDP traffic High Availability ports. It gets an automatically assigned name: backend-lb.

Azure sends probes from the source IP address 168.63.129.16 to TCP port 8117 to monitor the health of the Cluster Members.

Intra-Subnet Traffic

Traffic travels freely in the subnet without inspection.