Usage Metering

NVA Network Virtual Appliance - A resource deployed in Azure's Virtual Hub that includes Security Gateways and other networking infrastructure. Security Gateways have metering capability. Each Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. reports throughput usage to Azure, and Microsoft bills this usage.

Prerequisites

CPotelcol_AutoUpdate Take 74 installed on the Security Gateway (can be downloaded from here).

To find the current Take number, run on the Security Gateway: # cpinfo -y all | grep BUNDLE_CPOTELCOL_AUTOUPDATE
Internet Access for the Security Gateway and the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..
CME Take 255 or higher installed on the Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

To find the current Take number, run on Security Management Server: # cpinfo -y all | grep BUNDLE_CME_AUTOUPDATE
NVA Security Gateway objects in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. must have the {tags=vwan} in the Comment field, to enable cme_menu actions.

For Example:

Usage overview

Each Security Gateway in the NVA collects and reports usage data. You can view the usage on the Management Server with the cme_menu command.

With the menu, you can view or export a detailed view of the usages that are collected and reported on each NVA.

Note - Multi-Domain Security Management Server is not supported.

Export usage data

To export a detailed usage report to a CSV file, on the Management Server:

Enter the CME menu: cme_menu.
Navigate to Azure > vWAN > Export Metering Data.
Select a path to save the files or click enter to use the default path.
After it complete loading, select which NVA data to export.

The process exports the data as CSV files from the NVA Security Gateways into the selected location on the Management Server.

View usage overview

The cme_menu provides a terminal user interface to see the usage overview of an NVA.

To show the usage:

Enter the CME menu: cme_menu.
Navigate to Azure > vWAN > Show Metering Overview.
After it complete loading, select which NVA data to show (use the arrow keys & Enter to select).
Use the arrow keys to select between Total usage and a specific instance.
Click q or Esc to exit the menu.

Manual metering configuration

Note - In newly deployed NVAs, the metering capability works out of the box.

You can skip this section for R81.20 image build 991001433 and higher and R81.10 image build 991001435 and higher.

To find the image build, connect to your Security Gateway and run: # cat /etc/cloud-version

For example:

You can configure the metering solution on the Management Server after adding the Security Gateways to the SmartConsole, refer to: Step 6: Configure NVA Security Gateways on the Security Management Server or Quantum Smart-1 Cloud.

Prerequisites:

The managed app is deployed from the most recent marketplace offer. You can validate this by looking at the JSON view of the managed app. (Select the managed app resource in the portal > click JSON View on the top right).

In the plan property, the value must be "product": "azure-vwan". If there is a different value, you must deploy a new managed app.

For example:
{tags=vwan} in the Security Gateways object’s comment.

Refresh permissions before the next step; run this command in the Azure’s cloud shell:

az rest --method POST --uri "/subscriptions/<SUBSCIRPTION ID>/resourceGroups/<RG_NAME>/providers/Microsoft.Solutions/applications/<MANAGED APP>/refreshPermissions?api-version=2019-07-01&targetVersion=1.0.7"

Replace these variables:

<SUBSCRIPTION ID> with the subscription where the managed app is deployed.
<RG NAME> with the managed resource group name of the managed app.
<MANAGED APP> with the managed app name.

App registration with these permissions:
- Assign the app registration with Network Contributor role to the managed resource group of the managed app (The name is in Managed app > Managed resource group).
  
  You can find the managed resource group here:
- Assign the app registration with Managed Identity Contributor and Managed Identity Operator role to the Virtual WAN resource group.

The configuration assigns managed identity (if needed) to the NVA and deploys the user assigned identity in the Virtual WAN resource group.

To configure the NVA(s), enter expert mode on the Management Server:

Enter the CME menu: cme_menu.
Navigate to Azure > vWAN > Configure Metering for NVAs.
Enter the credentials of the app registration.

The process loads the available NVA's.
Navigate with the arrow keys and press enter to select the applicable NVA(s).
Wait for the process to complete. You can view information on errors in the /var/log/CPcme/cme_menu.log file.

Custom API for retrieving reported usage

You can invoke an API call from the Security Gateway to retrieve the usages that is sent.

For more information, refer to: Metered billing retrieve usage events.

Viewing Charges on Azure

There are two ways to view the charges from the metering functionality on Azure.

To view the charges with the cost management service, refer to: View and download your Azure usage and charges.
With the Cost analysis option on the applicable resource group/subscription:
1. In the Cost Analysis window, group the records by Resource and adjust the other filters as required.
2. Select the relevant Managed application and view the usage cost (the rows have unassigned attributes).