Integrating CloudGuard Network Security NVA with Azure Virtual WAN
Step 1: Deploy Azure Virtual WAN
-
Log in to the Azure Portal, navigate to the Search resources bar, type Virtual WAN in the search box, and select Enter.
-
Select Virtual WANs if needed and select + Create on the Virtual WANs page.
-
Fill in the necessary fields on the Create WAN page > Basics tab. Keep the Type option as Standard. Click Next : Review + create >.
-
When the validation passes, click Create to create the virtual WAN.
Step 2: Create an Azure Virtual WAN Hub
-
Navigate to the virtual WAN you created. On the virtual WAN left pane, below Connectivity, select Hubs.
-
On the Hubs page, select + New Hub to open the Create virtual hub page. Fill out the applicable fields:
-
Region: Select the region where you want to deploy the virtual hub.
-
Name: The name to assign to the virtual hub.
-
Hub private address space: The hub’s address range in CIDR notation. The minimum address space is /24 to create a hub.
-
Virtual hub capacity: Select from the drop-down. For more information, see Azure Virtual hub settings.
-
Hub routing preference: Leave as default. For more information, see Azure Virtual hub routing preference.
-
-
Once complete, select Review + create.
-
After validation passes, select Create. (Note: Creating a new hub takes approximately 30 minutes).
-
To validate that your Virtual Hub is successfully provisioned, navigate to your Virtual WAN below Connectivity > Hubs, and select the Hub you created.
-
Check the Routing status; if it is still Provisioning, do not proceed.
Once the Routing status states Provisioned, you can proceed to the next step.
Step 3: Deploy new CloudGuard Network Security NVA in the Virtual WAN Hub
-
Navigate to your Azure Virtual WAN Hub > on the left tree, select Network Virtual Appliance.
-
Click Create Network Virtual Appliance
-
From the Network Virtual Appliance drop down box, select check point and click Create.
-
On the pop-up, select Leave.
-
Click Create on the CloudGuard Network Security for Azure Virtual WAN screen.
-
On the Create CloudGuard Network Security for Azure Virtual WAN, provide this information:
Basics page
Parameter
Description
Subscription
Azure subscription into which you deploy the NVA Network Virtual Appliance - A resource deployed in Azure's Virtual Hub that includes Security Gateways and other networking infrastructure. object.
Resource group
Azure resource group into which you deploy the NVA object.
Region
Region into which you deploy the NVA object.
Application name
The name of the managed app that is displayed in the Resource Group.
Managed Resource Group
The name of the Azure Managed Resource Group.
Check Point NVA Gateways page
Parameter
Description
Virtual WAN Hub
Select the Virtual WAN Hub to deploy the CGNS NVA in to.
NVA name
Name of the new NVA.
Scale units
The scale unit determines the size and number of resources deployed. The higher the scale unit, the greater the amount of traffic that can be handled.
BGP ASN Autonomous System Number – Special number that used for the BGP
BGP autonomous system number. (BGP ASN 64512 to 65534 excluding 65515, 65520)
SSH public key source
Select the SSH key source:
-
If you select to create a new key - enter a new name for the key.
-
If you select to use an existing key stored in Azure - select your key.
-
If you select to use a public key - enter the key to the text box.
Key pair name
The name depends on the SSH key source.
Check Point CloudGuard settings page
Parameter
Description
Check Point CloudGuard version
The CloudGuard Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. Version
License type
Type of license:
-
Security Enforcement (NGTP) - Check Point Security Gateways (NGTP package).
-
Full Package (NGTX + S1C) - Check Point Security Gateways (NGTX package, i.e. NGTP and Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. and Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE.) and Smart-1 Cloud Security Management.
-
Full Package Premium (NGTX + S1C++) - Check Point Security Gateways (NGTX package) and Smart-1 Cloud Security Management, Compliance Check Point Software Blade on a Management Server to view and apply the Security Best Practices to the managed Security Gateways. This Software Blade includes a library of Check Point-defined Security Best Practices to use as a baseline for good Security Gateway and Policy configuration., DLP and SmartEvent.
Default shell for the admin user
Select the shell for the admin user.
Bootstrap Script
Custom script that configures the NVA instance after deployment.
You can find custom scripts here.
Quick connect to Smart-1 Cloud
If you select yes (and provide tokens), the NVA Gateways deploy with a secured tunnel to the Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..
Smart-1 Cloud Token for instance x
The token you generate in Smart-1 Cloud portal for Gateway instance number x.
(x between 1 to 5).
Use public IP for ingress (public preview)
Select yes to deploy the NVA with attached public IP address that is used for ingress traffic.
Create new public IP for ingress traffic
Select yes to create the public IP resource with the NVA
Public IP resource ID
If you selected no in the previous section, enter the existing public IP resource ID here.
Tags
Parameter
Description
Tags
Azure tags (Name, Value) that you attach to the selected resources.
Notes:
-
Smart-1 Cloud (Check Point's Management Server as a Service) is a recommended option to start using CloudGuard Network Security Gateways.
-
Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.
-
-
On the Review + Create page, check the radio box to agree to the terms and conditions and click Create.
-
When the NVA creation completes, go to your Virtual WAN, navigate to the hub you selected in the deployment > on the left tree, select Network Virtual Appliance, and make sure you can see your new NVA and its provisioning state is Succeeded (it can take some time).
-
To see the public IP addresses of your CGNS NVA machines click on Click here below Instances info. (Make note of these IP addresses for future use).
|
Important - CloudGuard Network Security Gateways deployed in the Virtual WAN hub do not scale in or out in response to demand. If your throughput increases, you must deploy a new Managed Application that supports the required throughput and modify routing intent from old to new. Refer to Upgrade. |
Step 4: Connect to Check Point Security Management Server or Quantum Smart-1 Cloud (Management-as-a-Service)
These steps are required only if you do not have an installed Check Point Security Management Server or a Quantum Smart-1 Cloud instance.
If you already have a Check Point Security Management Server installed or Quantum Smart-1 Cloud instance configured, skip to Step 5.
If this is your first Check Point deployment, pay attention that the Quantum Smart-1 Cloud service is included with CloudGuard Network Security for Azure Virtual WAN when purchased with these bundles:
-
Full Package
-
Full Package Premium
Main benefits of utilizing Quantum Smart-1 Cloud:
-
Always the latest security management
The newest features are automatically updated in a unified management platform.
-
Zero Maintenance
No installation, no upgrade.
-
On-demand Expansion
Seamlessly expand capacity by supporting additional Gateways and storage.
Quantum Smart-1 Cloud Setup Instructions
|
Note - You can set up Smart-1 Cloud before configuring the CloudGuard NVAs in Azure. |
-
Navigate to https://portal.checkpoint.com and click Don’t have an account? Register here.
-
Fill in the Create Your Infinity Account form (required fields have a *) and click Next.
When completed, you see an Account Created Successfully message and receive an email to the email address you provided to complete the registration.
-
Log in to the Infinity Portal.
-
Click the menu button in the top left corner and then Smart-1 Cloud below the Quantum column.
-
Click the check box to accept the terms of service and click Try Now.
-
Click Get Started.
-
Configure the service and click Create.
You are now ready to connect your CloudGuard Network Security NVA Gateways.
-
Click +Add new Gateway below the Connect Gateways section.
-
Click the large + sign. Repeat this step for each NVA Security Gateway.
-
On the Register Security Gateway screen, give the first NVA Security Gateway a name and click Register (the name cannot include spaces or special characters). Repeat this step for each NVA Security Gateway.
After you add your NVA Security Gateway objects, you see the state: Waiting for Connection.
-
Click Connect Gateway. Repeat this step for each NVA Security Gateway.
-
On the Instructions to Connect Gateway screen, click the Copy icon and then click Close.
-
Log in to the relevant NVA Security Gateway’s Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. CLI and paste the command.
-
The output must show successful connectivity to Smart-1 Cloud, for example:
-
On the Smart-1 Cloud portal, the Gateway(s) are in a Pending Trust (SIC) Establishment status.
You are ready to securely connect your NVA Security Gateways to Smart-1 Cloud, install security policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. on the Gateways, and collect logs and other telemetry information.
Configuration in SmartConsole
-
Navigate back to the Infinity Portal's Welcome page and click Open Streamed SmartConsole.
Note: Make sure pop-up blockers are disabled.
-
A new tab opens. Click Gateways & Servers and double-click the first NVA Security Gateway to open its properties.
-
Click Communication.
-
In the One-time password field, enter the SIC key you provided during the initial NVA Security Gateway creation.
-
Click Initialize. If successful, the Certificate state shows Trust established. Click OK.
-
The Topology Results show. Click Close.
-
Click Network Management, then double-click on eth0 (repeat for eth1). Then click Modify and clear the box next to Perform Anti-Spoofing based on interface topology. Click OK on the applicable dialog boxes.
-
Click OK on the main properties screen when you complete both interfaces (eth0 and eth1).
-
Repeat steps 2 to 8 for all remaining NVA Security gateways.
-
Click Publish to commit the changes to Smart-1 Cloud.
-
In the SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. window, enter a Session name and Description and click Publish again.
You are ready to create and install a security policy for your NVA Security Gateways. Refer to the Security Management Administration Guide for full guidance on creating a policy that fits your organization’s needs.
After you configure your policy, you can Install Policy. On the first policy installation, install only the Access Control policy. On the next installations, you can also include the Threat Prevention policy.
Congratulations! You have set up your CloudGuard Network Security NVA Gateways in Azure Virtual WAN.
After you set Routing Intent in your Hub, the Gateways start to inspect traffic.
-
Supported on Security Management Server R81.10 version or higher.
-
The Security Management Server must communicate with the CloudGuard Network Security Gateways.
The Security Gateways must communicate with the Security Management Server. For example, to send logs.
Item |
Description |
---|---|
1 |
From the Azure Marketplace, deploy this solution to create a Check Point Security Management Server: |
2 |
Select the Check Point Security Management software plan. Important - It must be R80.40 and higher. Use these parameters:
|
3 |
This template deploys the Management Server in the selected subnet. When the management instance starts, it automatically executes its own Gaia First Time Configuration Wizard. This can take up to 30 minutes. |
Configure the Check Point Security Management Server
-
Download and Install the Latest CME (Cloud Management Extension) Version.
To download and install the CME (Cloud Management Extension) on the Management Server or Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., see sk157492.
-
Configure the Security Policy in SmartConsole.
Note - By default, each Check Point Security Gateway and Security Management Server's Gaia Portal Web interface for the Check Point Gaia operating system. is accessible from the internet by browsing to http://<virtual-machine-public-ip>. Restriction of access to the Gaia Portal is possible by configuring a Network Security Group, or by configuring the Check Point Security Gateway and Management Server settings.
Follow the instructions in the Check Point Installation and Upgrade Guide for your Management Server version.
Step 5: Configuring the NVA in the Security Management Server
|
Note - You can skip this step if you manage your Security Gateways from Smart-1 Cloud. |
There are two options to configure the NVA, automatic and manual.
-
We recommend to use the automatic configuration script.
Procedure:
-
Connect to the command line on the Security Management Server.
-
Log in to the Expert mode.
-
Run the command:
cme_menu
-
On the Menu select .Azure (1) > vWAN (2) > Configure NVA gateways on management server (1)
-
Enter the requested parameters.
You can see logs in the file: /var/log/CPcme/cme_menu.log.
For details regarding the automatic configuration option, refer to the instructions in the Cloud Management Extension R80.10 and Higher Administration Guide > Azure Virtual WAN.
-
-
In the manual option, on Check Point Management Server:
-
Open SmartConsole and create a new Security Gateway object for each one of the NVA instances.
-
Give each Security Gateway the IP address of a Network Virtual Appliance in Step 3: Deploy new CloudGuard Network Security NVA in the Virtual WAN Hub, point 3.
-
Disable anti-spoofing on the external (eth0) and the internal (eth1) interfaces on each Security Gateway.
-
If VPN is enabled, enter the Gateway's external IP address in Statically NATed IP.
-
Install the policy.
Note - Be careful not to block Management or SSH access to the Gateways from the Internet because it is not possible to connect to the deployed Security Gateway instances with a serial console.
-
Step 6: Set Routing Intent and Routing Policies
Select your Virtual WAN > Select the applicable virtual hub > on the left tree, select Routing Intent and Routing Policies.
-
For Internet bound Traffic:
In the Internet Traffic drop-down select Network Virtual Appliance, in the Next Hop Resource select the NVA you created and click Save. -
For private traffic:
In the Private Traffic drop-down select Network Virtual Appliance, in the Next Hop Resource select the NVA you created and click Save.
|
Note - To add prefixes for routing intent click on Additional prefixes. |
Step 7: Configure NAT
For outbound traffic, the packets should be NATTed behind the Security Gateway's IP address.
Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal'
For the manual NAT rules, you must create these Dynamic Objects in SmartConsole:
-
LocalGatewayExternal
-
LocalGatewayInternal
Procedure:
-
Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.
-
Enter this exact name (case-sensitive, no spaces):
LocalGatewayExternal
-
Click OK.
-
Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.
-
Enter this exact name (case-sensitive, no spaces):
LocalGatewayInternal
-
Click OK.
-
Publish the SmartConsole session.
|
Note - The NVA instances IP addresses are automatically associated with the LocalGatewayInternal and LocalGatewayExternal objects. |
Creating Manual NAT Rules
Add these two manual NAT rules to the Access Policy:
-
No NAT for internal communication:
Source
Destination
Port
Xlate Source
Xlate Destination
Xlate Port
Internal Networks Group
Internal Networks Group
Any
Original
Original
Original
-
For Internet access, Hide NAT to external interface:
Source
Destination
Port
Xlate Source
Xlate Destination
Xlate Port
Internal Networks Group
All Internet
Any
LocalGatewayExternal
Original
Original
-
Publish the SmartConsole session.
Step 8: Configuring Ingress traffic
Prerequisites:
-
Generate a public IP address with the standard SKU (in the same region as the NVA in the Azure portal).
-
A deployed NVA with attached public IP.
-
NVA instances are configured at Smart Console (See step 5).
-
See the cme_menu requirements in the Cloud Management Extension Administration Guide > Azure Virtual WAN.
-
Gateway image version must be at least 8120.900631.1522 for R81.20 and 8110.900335.1522 for R81.10.
Configuring rule for ingress traffic:
To configure the ingress rules, use the cme_menu.
-
Connect to the command line on the Security Management Server.
-
Log in to the Expert mode.
-
Run the command:
cme_menu
. -
Enter the requested parameters.
-
Use the Ingress Menu to add, edit, and delete rules.
For details regarding the cme_menu, refer to the Cloud Management Extension Administration Guide > Azure Virtual WAN.
Attach additional existing public IP addresses to Network Virtual Appliance (NVA) SLB:
-
Log in to Azure Portal.
-
Enter your virtual WAN and navigate to your HUB.
-
On the left tree, click on Network Virtual Appliance.
-
Select the applicable NVA and, below NVA Configuration, click on Manage Configuration.
-
On the left tree, click on Internet Inbound.
-
Click on the Add button on the top left.
-
Select the resource group where you created the public IP and the public IP address name and click Save.
-
After the process is complete, make sure that the NVA provisioning state is Succeeded.