Integrating CloudGuard Network Security NVA with Azure Virtual WAN

Step 1: Deploy Azure Virtual WAN

  1. Log in to the Azure Portal, navigate to the Search resources bar, type Virtual WAN in the search box, and select Enter.

  2. Select Virtual WANs if needed and select + Create on the Virtual WANs page.

  3. Fill in the necessary fields on the Create WAN page > Basics tab. Keep the Type option as Standard. Click Next : Review + create >.

  4. When the validation passes, click Create to create the virtual WAN.

Step 2: Create an Azure Virtual WAN Hub

  1. Navigate to the virtual WAN you created. On the virtual WAN left pane, below Connectivity, select Hubs.

  2. On the Hubs page, select + New Hub to open the Create virtual hub page. Fill out the applicable fields:

    1. Region: Select the region where you want to deploy the virtual hub.

    2. Name: The name to assign to the virtual hub.

    3. Hub private address space: The hub’s address range in CIDR notation. The minimum address space is /24 to create a hub.

    4. Virtual hub capacity: Select from the drop-down. For more information, see Azure Virtual hub settings.

    5. Hub routing preference: Leave as default. For more information, see Azure Virtual hub routing preference.

  3. Once complete, select Review + create.

  4. After validation passes, select Create. (Note: Creating a new hub takes approximately 30 minutes).

  5. To validate that your Virtual Hub is successfully provisioned, navigate to your Virtual WAN below Connectivity > Hubs, and select the Hub you created.

  6. Check the Routing status; if it is still Provisioning, do not proceed.

    Once the Routing status states Provisioned, you can proceed to the next step.

Step 3: Deploy new CloudGuard Network Security NVA in the Virtual WAN Hub

  1. Navigate to your Azure Virtual WAN Hub > on the left tree, select Network Virtual Appliance.

  2. Click Create Network Virtual Appliance.

  3. From the Network Virtual Appliance drop-down box, select Check Point and click Create.

  4. On the pop-up, select Leave.

  5. Click Create on the CloudGuard Network Security for Azure Virtual WAN screen.

  6. On the Create CloudGuard Network Security for Azure Virtual WAN, provide this information:

    Basics page:

    Subscription: Azure subscription into which you deploy the NVA object. (NVA: Network Virtual Appliance, a resource deployed in Azure's Virtual Hub that includes Security Gateways and other networking infrastructure.)

    Resource group: Azure resource group into which you deploy the NVA object.

    Region: Region into which you deploy the NVA object.

    Application name: The name of the managed app that is displayed in the Resource Group.

    Managed Resource Group: The name of the Azure Managed Resource Group.

    Check Point NVA Gateways page:

    Virtual WAN Hub: Select the Virtual WAN Hub into which to deploy the CGNS NVA.

    NVA name: Name of the new NVA.

    Scale units: The scale unit determines the size and number of resources deployed. The higher the scale unit, the greater the amount of traffic that can be handled.

    BGP ASN: BGP autonomous system number (64512 to 65534, excluding 65515 and 65520). (ASN: Autonomous System Number, the number used for BGP.)

    SSH public key source: Select the SSH key source:

    • If you select to create a new key, enter a new name for the key.

    • If you select to use an existing key stored in Azure, select your key.

    • If you select to use a public key, enter the key in the text box.

    Key pair name: The name depends on the SSH key source.

    Check Point CloudGuard settings page:

    Check Point CloudGuard version: The CloudGuard Security Gateway version. (Security Gateway: dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.)

    License type: Type of license:

    • Pay As You Go (NGTP)

    • Pay As You Go (NGTX)

    Default shell for the admin user: Select the shell for the admin user.

    SIC key: SIC key to the Security Management Server. (SIC: Secure Internal Communication, the Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. Security Management Server: dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.)

    Bootstrap Script: Custom script that configures the NVA instance after deployment. You can find custom scripts here.

    Quick connect to Smart-1 Cloud: If you select yes (and provide tokens), the NVA Gateways deploy with a secured tunnel to the Security Management Server (Check Point Single-Domain Security Management Server or Multi-Domain Security Management Server).

    Smart-1 Cloud Token for instance x: The token you generate in the Smart-1 Cloud portal for Gateway instance number x (x from 1 to 5).

    Use public IP for ingress (public preview): Select yes to deploy the NVA with an attached public IP address that is used for ingress traffic.

    Create new public IP for ingress traffic: Select yes to create the public IP resource together with the NVA.

    Public IP resource ID: If you selected no in the previous field, enter the existing public IP resource ID here.

    Tags page:

    Tags: Azure tags (Name, Value) that you attach to the selected resources.

    Notes:

    • Smart-1 Cloud (Check Point's Management Server as a Service) is a recommended option to start using CloudGuard Network Security Gateways.

    • Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.

  7. On the Review + Create page, select the check box to agree to the terms and conditions and click Create.

  8. When the NVA creation completes, go to your Virtual WAN, navigate to the hub you selected in the deployment, select Network Virtual Appliance on the left tree, and make sure your new NVA is listed with a provisioning state of Succeeded (this can take some time).

  9. To see the public IP addresses of your CGNS NVA machines, click Click here below Instances info. Make a note of these IP addresses for later use.

Important - CloudGuard Network Security Gateways deployed in the Virtual WAN hub do not scale in or out in response to demand. If your throughput increases, you must deploy a new Managed Application that supports the required throughput and modify routing intent from old to new. Refer to Upgrade.

Step 4: Connect to Check Point Security Management Server or Quantum Smart-1 Cloud (Management-as-a-Service)

These steps are required only if you do not have an installed Check Point Security Management Server or a Quantum Smart-1 Cloud instance.

If you already have a Check Point Security Management Server installed or Quantum Smart-1 Cloud instance configured, skip to Step 5.

If this is your first Check Point deployment, note that the Quantum Smart-1 Cloud service is included with CloudGuard Network Security for Azure Virtual WAN when purchased with these bundles:

  • Full Package

  • Full Package Premium

Main benefits of utilizing Quantum Smart-1 Cloud:

  • Always the latest security management

    The newest features are automatically updated in a unified management platform.

  • Zero Maintenance

    No installation, no upgrade.

  • On-demand Expansion

    Seamlessly expand capacity by supporting additional Gateways and storage.

Quantum Smart-1 Cloud Setup Instructions

Note - You can set up Smart-1 Cloud before configuring the CloudGuard NVAs in Azure.

  1. Navigate to https://portal.checkpoint.com and click Don’t have an account? Register here.

  2. Fill in the Create Your Infinity Account form (required fields have a *) and click Next.

    When completed, you see an Account Created Successfully message and receive an email to the email address you provided to complete the registration.

  3. Log in to the Infinity Portal.

  4. Click the menu button in the top left corner and then Smart-1 Cloud below the Quantum column.

  5. Click the check box to accept the terms of service and click Try Now.

  6. Click Get Started.

  7. Configure the service and click Create.

    You are now ready to connect your CloudGuard Network Security NVA Gateways.

  8. Click +Add new Gateway below the Connect Gateways section.

  9. Click the large + sign. Repeat this step for each NVA Security Gateway.

  10. On the Register Security Gateway screen, give the first NVA Security Gateway a name and click Register (the name cannot include spaces or special characters). Repeat this step for each NVA Security Gateway.

    After you add your NVA Security Gateway objects, you see the state: Waiting for Connection.

  11. Click Connect Gateway. Repeat this step for each NVA Security Gateway.

  12. On the Instructions to Connect Gateway screen, click the Copy icon and then click Close.

  13. Log in to the relevant NVA Security Gateway's Gaia CLI and paste the command. (Gaia: Check Point security operating system that combines the strengths of both the SecurePlatform and IPSO operating systems.)

  14. The output must show successful connectivity to Smart-1 Cloud.

  15. On the Smart-1 Cloud portal, the Gateway(s) are in a Pending Trust (SIC) Establishment status.

You are ready to securely connect your NVA Security Gateways to Smart-1 Cloud, install the security policy (the collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection) on the Gateways, and collect logs and other telemetry information.

Configuration in SmartConsole

  1. Navigate back to the Infinity Portal's Welcome page and click Open Streamed SmartConsole.

    Note: Make sure pop-up blockers are disabled.

  2. A new tab opens. Click Gateways & Servers and double-click the first NVA Security Gateway to open its properties.

  3. Click Communication.

  4. In the One-time password field, enter the SIC key you provided during the initial NVA Security Gateway creation.

  5. Click Initialize. If successful, the Certificate state shows Trust established. Click OK.

  6. The Topology Results show. Click Close.

  7. Click Network Management, then double-click on eth0 (repeat for eth1). Then click Modify and clear the box next to Perform Anti-Spoofing based on interface topology. Click OK on the applicable dialog boxes.

  8. Click OK on the main properties screen when you complete both interfaces (eth0 and eth1).

  9. Repeat steps 2 to 8 for all remaining NVA Security gateways.

  10. Click Publish to commit the changes to Smart-1 Cloud.

  11. In the SmartConsole window, enter a Session name and Description and click Publish again. (SmartConsole: Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on.)

You are ready to create and install a security policy for your NVA Security Gateways. Refer to the Security Management Administration Guide for full guidance on creating a policy that fits your organization’s needs.

After you configure your policy, you can Install Policy. On the first policy installation, install only the Access Control policy. On the next installations, you can also include the Threat Prevention policy.

Congratulations! You have set up your CloudGuard Network Security NVA Gateways in Azure Virtual WAN.

After you set Routing Intent in your Hub, the Gateways start to inspect traffic.

Step 5: Configuring the NVA in the Security Management Server

Note - You can skip this step if you manage your Security Gateways from Smart-1 Cloud.

There are two options to configure the NVA, automatic and manual.

  • We recommend using the automatic configuration script.

    Procedure:

    1. Connect to the command line on the Security Management Server.

    2. Log in to the Expert mode.

    3. Run the command:

      cme_menu

    4. On the menu, select Azure (1) > vWAN (2) > Configure NVA gateways on management server (1).

    5. Enter the requested parameters.

    You can see logs in the file: /var/log/CPcme/cme_menu.log.

    For details regarding the automatic configuration option, refer to the instructions in the Cloud Management Extension R80.10 and Higher Administration Guide > Azure Virtual WAN.

  • For the manual option, on the Check Point Management Server:

    1. Open SmartConsole and create a new Security Gateway object for each one of the NVA instances.

    2. Give each Security Gateway the IP address of a Network Virtual Appliance in Step 3: Deploy new CloudGuard Network Security NVA in the Virtual WAN Hub, point 3.

    3. Disable anti-spoofing on the external (eth0) and the internal (eth1) interfaces on each Security Gateway.


    4. If VPN is enabled, enter the Gateway's external IP address in Statically NATed IP.

    5. Install the policy.

      Note - Be careful not to block Management or SSH access to the Gateways from the Internet because it is not possible to connect to the deployed Security Gateway instances with a serial console.

Step 6: Set Routing Intent and Routing Policies

Select your Virtual WAN > Select the applicable virtual hub > on the left tree, select Routing Intent and Routing Policies.

  • For Internet bound Traffic:
    In the Internet Traffic drop-down select Network Virtual Appliance, in the Next Hop Resource select the NVA you created and click Save.

  • For private traffic:
    In the Private Traffic drop-down select Network Virtual Appliance, in the Next Hop Resource select the NVA you created and click Save.

Note - To add prefixes for routing intent click on Additional prefixes.

Step 7: Configure NAT

For outbound traffic, the packets must be NATed behind the Security Gateway's IP address.

Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal'

For the manual NAT rules, you must create these Dynamic Objects in SmartConsole:

  • LocalGatewayExternal

  • LocalGatewayInternal

Procedure:

  1. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

  2. Enter this exact name (case-sensitive, no spaces):

    LocalGatewayExternal

  3. Click OK.

  4. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

  5. Enter this exact name (case-sensitive, no spaces):

    LocalGatewayInternal

  6. Click OK.

  7. Publish the SmartConsole session.

Note - The NVA instances IP addresses are automatically associated with the LocalGatewayInternal and LocalGatewayExternal objects.

Creating Manual NAT Rules

Add these two manual NAT rules to the Access Policy:

  1. No NAT for internal communication:

    | Source                  | Destination             | Port | Xlate Source | Xlate Destination | Xlate Port |
    | Internal Networks Group | Internal Networks Group | Any  | Original     | Original          | Original   |

  2. For Internet access, Hide NAT to the external interface:

    | Source                  | Destination  | Port | Xlate Source         | Xlate Destination | Xlate Port |
    | Internal Networks Group | All Internet | Any  | LocalGatewayExternal | Original          | Original   |

  3. Publish the SmartConsole session.
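The same Step 7 objects and NAT rules can be created through the Check Point Management Web API instead of by hand in SmartConsole. The script below is an added example, not code from the page or from Check Point; it assumes a policy package named "Standard", that the group "Internal Networks Group" and the object "All Internet" already exist, that translated fields omitted from add-nat-rule default to Original, and that the management server address and admin credentials are replaced with real values.

```python
# Added example: Step 7 via the Check Point Management Web API (assumptions in lead-in).
import json
import ssl
import urllib.request

# Exact, case-sensitive names from Step 7; the NVA IPs bind to these objects.
DYNAMIC_OBJECTS = ("LocalGatewayExternal", "LocalGatewayInternal")

def dynamic_object_calls():
    """One add-dynamic-object call per required object."""
    return [("add-dynamic-object", {"name": name}) for name in DYNAMIC_OBJECTS]

def nat_rule_calls(package="Standard", internal="Internal Networks Group"):
    """The two manual NAT rules of Step 7 as (command, payload) pairs, in order."""
    no_nat = {  # rule 1: internal-to-internal traffic keeps original addresses
        "package": package, "position": "top", "name": "No NAT internal",
        "original-source": internal, "original-destination": internal,
        "original-service": "Any",  # translated-* omitted: default Original (assumption)
    }
    hide = {  # rule 2: internet-bound traffic hidden behind the NVA external IP
        "package": package, "position": 2, "name": "Hide NAT to Internet",
        "original-source": internal, "original-destination": "All Internet",
        "original-service": "Any", "translated-source": "LocalGatewayExternal",
        "method": "hide",
    }
    return [("add-nat-rule", no_nat), ("add-nat-rule", hide)]

class MgmtApi:
    """Minimal Web API client: login, send calls with the session id, publish."""

    def __init__(self, url, user, password):
        self.url = url.rstrip("/") + "/web_api/"
        self.ctx = ssl.create_default_context()  # keep TLS verification on
        self.sid = None
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def call(self, command, payload):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        req = urllib.request.Request(self.url + command, headers=headers,
                                     data=json.dumps(payload).encode())
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def apply_step7(self):
        """Create objects and rules in order, then publish so they take effect."""
        for command, payload in dynamic_object_calls() + nat_rule_calls():
            self.call(command, payload)
        return self.call("publish", {})

if __name__ == "__main__":
    api = MgmtApi("https://MGMT_SERVER_PLACEHOLDER", "admin", "PASSWORD_PLACEHOLDER")
    print(api.apply_step7())
```

The rule order matters: the no-NAT rule is placed at the top so internal-to-internal traffic is matched before the hide rule.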

Step 8: Configuring Ingress traffic

Prerequisites:

  1. Generate a public IP address with the standard SKU (in the same region as the NVA in the Azure portal).

  2. A deployed NVA with attached public IP.

  3. NVA instances are configured in SmartConsole (see Step 5).

  4. See the cme_menu requirements in the Cloud Management Extension Administration Guide > Azure Virtual WAN.

  5. Gateway image version must be at least 8120.900631.1522 for R81.20 and 8110.900335.1522 for R81.10.

Configuring rule for ingress traffic:

To configure the ingress rules, use the cme_menu.

  1. Connect to the command line on the Security Management Server.

  2. Log in to the Expert mode.

  3. Run the command: cme_menu.

  4. Enter the requested parameters.

  5. Use the Ingress Menu to add, edit, and delete rules.

For details regarding the cme_menu, refer to the Cloud Management Extension Administration Guide > Azure Virtual WAN.

Attach additional existing public IP addresses to Network Virtual Appliance (NVA) SLB:

  1. Log in to Azure Portal.

  2. Enter your virtual WAN and navigate to your HUB.

  3. On the left tree, click on Network Virtual Appliance.

  4. Select the applicable NVA and, below NVA Configuration, click on Manage Configuration.

  5. On the left tree, click on Internet Inbound.

  6. Click on the Add button on the top left.

  7. Select the resource group where you created the public IP and the public IP address name and click Save.

  8. After the process is complete, make sure that the NVA provisioning state is Succeeded.