Upgrading Cloud Firewall NVA for Azure Virtual WAN

Side-by-Side Upgrade

A Side-by-Side upgrade results in a new NVA (Network Virtual Appliance: a resource deployed in Azure's Virtual Hub that includes Security Gateways and other networking infrastructure) with new Cloud Firewall Gateways deployed.

The IP addresses of the new Cloud Firewall Gateways are different from the old Cloud Firewall Gateways' IP addresses.

Follow this procedure:

  1. Deploy a new NVA in the Virtual Hub (with a public IP address if you need ingress traffic).

    When performing an upgrade, select Yes for the "Are you upgrading your Cloud Firewall NVA deployment?" parameter.

    Refer to Step 4: Deploy new Cloud Firewall NVA in the Virtual WAN Hub for more information.

  2. Adjust custom configurations (if required).

  3. If Ingress traffic is configured:

    1. Delete the configured ingress rules using the CME API.

    2. Detach the public IP address from the old NVA SLB (Software Load Balancer, used to distribute tenant and tenant customer network traffic to virtual network resources; it enables multiple servers to host the same workload, providing high availability and scalability).

    3. Attach the public IP address to the new NVA.

    4. Establish the load balancing and NSG rules.

    5. Confirm that the NAT rules are correctly aligned.

  4. Install the policy on the new Cloud Firewall Gateways.

  5. Navigate to the Virtual Hub and select Routing Intent and Routing Policies.

  6. In Next Hop Resource, select the new NVA instead of the previous NVA.
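
A check for steps 5 and 6, added here as an example and not the vendor's or Microsoft's code: it flags any routing policy whose next hop is still the old NVA, or anything other than the new one, so traffic is not left bypassing the new Cloud Firewall Gateways. It assumes the routing intent has been exported as JSON in the shape of Azure's routingIntent resource (routingPolicies entries with name and nextHop); the function name, resource IDs and sample data are constructed.

```python
import json
import sys

# Constructed sample in the shape of an Azure routingIntent resource.
# Subscription, resource group and NVA names are placeholders.
BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
        "example-rg/providers/Microsoft.Network/networkVirtualAppliances/")
OLD_NVA = BASE + "cloudfw-nva-old"
NEW_NVA = BASE + "cloudfw-nva-new"
SAMPLE = {
    "name": "hub-routing-intent",
    "properties": {"routingPolicies": [
        {"name": "InternetTraffic", "destinations": ["Internet"],
         "nextHop": NEW_NVA},
        # Left behind on the old NVA, with different casing in the ID.
        {"name": "PrivateTraffic", "destinations": ["PrivateTraffic"],
         "nextHop": OLD_NVA.upper()},
    ]},
}


def stale_routing_policies(routing_intent, new_nva_id, old_nva_id):
    """Return (policy_name, problem) pairs for policies not on the new NVA."""
    # ARM nests fields under "properties"; some tooling flattens them.
    props = routing_intent.get("properties", routing_intent)
    policies = props.get("routingPolicies") or []
    if not policies:
        return [("<none>", "routing intent has no routing policies")]
    new_id = new_nva_id.rstrip("/").lower()
    old_id = old_nva_id.rstrip("/").lower()
    findings = []
    for policy in policies:
        name = policy.get("name", "<unnamed>")
        # Azure resource IDs are case-insensitive, so compare normalized.
        hop = (policy.get("nextHop") or "").rstrip("/").lower()
        if hop == old_id:
            findings.append((name, "still points at the old NVA"))
        elif hop != new_id:
            findings.append((name, "points at an unexpected next hop"))
    return findings


if __name__ == "__main__":
    # Usage: script.py <routing-intent.json> <new NVA id> <old NVA id>
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as fh:
            intent, new_id, old_id = json.load(fh), sys.argv[2], sys.argv[3]
    else:
        intent, new_id, old_id = SAMPLE, NEW_NVA, OLD_NVA
    for name, problem in stale_routing_policies(intent, new_id, old_id):
        print(f"{name}: {problem}")
```

An empty result means every routing policy in the exported routing intent references the new NVA.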