Configure CloudGuard Network for GCP MIG

Prerequisites

Make sure these components are configured before proceeding:

  1. An external VPC with at minimum one public subnet. You can also create the external VPC during deployment.

  2. An internal VPC with at minimum one private subnet. You can also create the internal VPC during deployment.

  3. A Check Point Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. running R81 or higher.

  4. A group of applications or web servers deployed in the private subnet or in a subnet peered with the MIG backend subnet.

  5. For Marketplace deployments - a Google Cloud PlatformClosed Google® Cloud Platform is a suite of products and services that includes hosting, cloud computing, database services and more. Acronym: GCP. Service Account with the following permissions:

    • Compute Admin

    • Cloud Infrastructure Manager Agent

    • Service Account User

    • Infrastructure Manager Service Agent

    • Service Usage Admin

    • Service Usage Consumer

    You can also create the service account during the deployment.

    Note - CloudGuard Network Security Gateways can be deployed as IPv4-only or as dual-stack (IPv4/IPv6).

    Dual-stack deployment requires:

    • CME Take 320 and higher.

    • IPv6-enabled VPC/subnets and appropriate IPv6 firewall rules (these can also be created during deployment).

Step 1: Install the Check Point Security Management Server

We recommend you to use Smart-1 Cloud (Check Point's Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. as a Service) to manage CloudGuard Network Autoscaling Managed Instance Group (MIG).

Refer to Quantum Smart-1 Cloud Administration Guide > Using the settings > Cloud Management Extension (CME) Configuration for step-by-step instructions for enabling CME in Smart-1 Cloud.

Alternative deployment options for the Check Point Security Management Server include Google Cloud Platform, other cloud platforms, or on-premises.

To control the CloudGuard Security Gateways, make sure:

  • The Security Management Server can open connections to the CloudGuard Security Gateways.

  • The CloudGuard Security Gateways can open connections to the Security Management Server (for example, for sending logs).

The autoscaling CloudGuard Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. can be deployed with or without a public IP address.

Deployments without a public IP address must have one of these topologies:

  • Install the Security Management Server in the same internal VPC.

  • Install the Security Management Server in a VPC peered with the internal VPC.

  • Install the Security Management Server on-premises and connect it to the internal VPC over Cloud Interconnect.

  • Install the Security Management Server on-premises and connect it to the internal VPC over a Cloud VPN.

To deploy the Security Management Server in GCPClosed See 'Google Cloud Platform'., go to the Check Point CloudGuard Network Security NGFW and Threat Prevention (BYOL).

Notes:

Step 2: Configure the Check Point Management Server

Do these steps to manage MIG with the Check PointSecurity Management Server:

  1. Downloading and Installing the Latest CME Version.

  2. Configuring the CME on the Security Management Server

  3. Configure the Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

    Important - The policy name must be the same as the name you used when configured a GCP template in CME.

Step 3: Create a Google Cloud Platform (GCP) Service Account

The Check Point Security Management Server uses the GCP Service account to monitor the creation and status of the autoscaling Managed Instance Group. This lets the Security Management Server complete provisioning of these Security Gateways.

To create a GCP service account:

  1. Go to https://cloud.google.com/iam/docs/creating-managing-service-accounts.

    Use these parameters:

    Name: check-point-autoprovision

    Role: Compute Engine \ Compute Viewer

  2. Click Create Key > JSON (as the key type). A JSON file is downloaded to your computer.

    Note - This JSON file is later used as the credentials file in Step 2: Configure the Check Point Management Server.

Step 4: Deploy the Check Point Autoscaling Managed Instance Group

Deploy one of these Google Cloud Marketplace solutions:

  • The Check Point CloudGuard Network Security autoscaling with the Bring Your Own License (BYOL) licensing model,

    or

  • The Check Point CloudGuard Network Security autoscaling with the Pay as You Go (PAYG) licensing model.

Parameter

Description

Deployment Name

The name of the deployment. Deployment name must contain only lowercase characters, numbers, or dashes. It must start with a lowercase letter and cannot end with a dash.

Deployment Service Account

Select an existing service account with the required permissions (as explained in the prerequisites section) or create a new one.

Zone

The zone for deploying instances.

The zone determines available computing resources and where your data is stored and used. See GCP Regions and Zones documentation for more information.

Series

Select the desired machine series.

Machines Type

Select the desired machine configuration.

Target CPU usage

The GCP Autoscaler automatically scales out if the average CPU use exceeds this target.

Minimum number of instances

The minimum number of Security Gateways in the autoscaling MIG.

Maximum number of instances

The maximum number of Security Gateways in the autoscaling MIG.

Boot disk type

The type of disk used for deploying the instances (see Choose a disk type for more information).

Boot disk size in GB

The size of the disk used for deploying the instances. (see Choose a disk type for more information).

IP Stack Type

Select the IP mode for the Security Gateways: IPv4-only or Dual-stack (IPv4/IPv6).

External subnet CIDR

The MIG's Public IP address will be translated to a private address assigned to the Security Gateway in this external network.

Provide an RFC 1918 CIDR block in the ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. external subnet CIDR field or select a Network and a Subnetwork below the CIDR field. If a range is specified, a new VPC will be created and the deployment will ignore the selected network above.

Firewall

These GCP rules determine if ICMP / TCP / UDP / SCTP / ESP traffic is enabled by default for the provided IP CIDR sources.

Firewall (IPv6)

These GCP rules determine if ICMPv6 / TCP / UDP / SCTP / ESP traffic is enabled by default for the provided IPv6 sources.

VPC ULA

Optional IPv6 Unique Local Address (ULA) range used for internal IPv6 addressing in the VPC.

Internal subnet CIDR

Provide an RFC 1918 CIDR block in the Cluster external subnet CIDR field or select a Network and a Subnetwork below the CIDR field. If a range is specified, a new VPC will be created and the deployment will ignore the selected network above.

OS Version

The Check Point Security Gateway version to be deployed.

Management Interface

The MIG instance's network interface used to communicate with the Security Management Server. When eth0 is selected, communication is done using an ephemeral public IP alias. When eth1 is selected, communication is done using a static private IP address assigned to this interface. This configuration is recommended when the Security Management Server is deployed in internal subnets of the MIGVPC or in a peered VPC.

Security Management Server name

The name of the Security Management Server as it appears in the CME configuration file. Use the same name in the autoprovision configuration section Step 2: Configure the Check Point Management Server. For example, my-management.

Note - For CME Take 320 and higher, the name comparison is case-insensitive.

Configuration template name

The configuration template name as it appears in the CME configuration file. Use the same name in the autoprovision configuration section Step 2: Configure the Check Point Management Server. For example, my-configuration-template.

Public SSH key for the use ‘admin'

The SSH public key used for SSH authentication to the MIG instances. Leave it blank to use all project-wide pre-configured SSH keys.

SIC key

The Secure Internal Communication key that creates trusted connections between Check Point components. Trust is required to install policies on Security Gateways and to send logs between Security Gateways and Security Management Servers.

Admin shell

Change the admin shell to enable advanced command line configuration.

Allow download from/upload to Check Point

Do not select this checkbox if you do not want to automatically download Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. Contracts and other important data. Sending data to Check Point can improve your product experience.

Automatically generate an administrator password

To manage the environment's security, administrators can connect to the Management Server with SmartConsole clients and via the Gaia WebUI using this password.

For additional security, it is recommended to change the password after deployment.

Maintenance Mode password hash

Maintenance mode password hash (relevant only for R81.20 and higher versions). Generate a password hash with the command grub2-mkpasswd-pbkdf2 on Linux and paste it here.

Enable Stackdriver monitoring

Select this checkbox to enable Stackdriver Monitoring.

Automatically generate an administrator password

To manage the environment's security, administrators can connect to the Management Server with SmartConsole clients and via the Gaia WebUI using this password.

For additional security, it is recommended to change the password after deployment.

Notes:

  • New provisioned Security Gateways automatically receive the latest published Security Policy. Existing Security Gateways do not automatically receive additional policy installations after provisioning.

  • Autoscaling Security Gateways objects are created and deleted automatically based on environment needs. Do not use these objects explicitly in rules or edit them manually.

  • By default, the WebUI of each Check Point Security Gateway and Security Management Server is accessible online at http://<virtual-machine-public-ip>. To limit access to the WebUI, configure a Firewall Rule or adjust the Check Point Security Gateway and Security Management Server settings.

Step 5: Configure Load Balancers

Load Balancers are automatically deployed and configured as part of the CloudGuard Network Security for GCP MIG solution deployment with Terraform templates.

When the Managed Instance Group (MIG) is deployed in dual-stack (IPv4/IPv6) mode, the required Load Balancer components are automatically created and configured to support IPv4 and IPv6 traffic.

If you deploy the CloudGuard Network Security for GCP MIG solution from GCP Marketplace, you must create and configure Load Balancers manually as described below.

We recommend you to go through Google's Load Balancing documentation at: https://cloud.google.com/load-balancing/docs/network/.

The steps below are for TCP load balancers. HTTP(S) load balancers are also supported and can be used alternatively.

This section describes how to configure Load Balancer health probes for dual-stack (IPv4/IPv6) deployments.

In dual-stack deployments, Google Cloud Load Balancers use HTTPS health checks on port 443. For health checks to function correctly, Firewall rules, Security Policy rules, and NAT rules must allow traffic from Google Cloud health probe IP ranges.

Firewall and Security Policy Requirements

To allow health probe traffic, create ingress allow rules in the relevant VPC networks and configure the required objects and rules in SmartConsole.

Create a Network Group for Health Probes

  1. In SmartConsole, create a Network Group named: GCP_Health_Check_Probes.

  2. Add the following IP ranges to the group.

    IPv4 Probe Ranges:

    CIDR

    Netmask

    35.191.0.0

    255.255.0.0

    130.211.0.0

    255.255.252.0

    209.85.152.0

    255.255.252.0

    209.85.204.0

    255.255.252.0

    IPv6 Probe Ranges:

    • 2600:2d00:1:b029::/64

    • 2600:2d00:1:1::/64

    • 2600:1901:8001::/48

  3. Create Host objects for the External LB and Internal LB in SmartConsole.

    • Create a Host object that represents the External Load Balancer frontend and configure the IPv4 address and the IPv6 address.

    • Create a Host object that represents the Internal Load Balancer frontend and configure the IPv4 address and the IPv6 address.

Add Access Control Rules

Add the following Access Control rule on the CloudGuard Security Gateways:

Source

Destination

Services

Action

GCP_Health_Check_Probes

External LB

Internal LB

HTTPS

Accept

Configure NAT Rules for Health Probes

Configure NAT rules to ensure health probe traffic is forwarded correctly to the gateway interfaces.

Original Source

Original Destination

Original Services

Translated Source

Translated Destination

Translated Service

GCP_Health_Check_Probes

External LB

HTTPS

Original

LocalGatewayExternal

Original

GCP_Health_Check_Probes

Internal LB

HTTPS

Original

LocalGatewayInternal

Original

External Load Balancer

You must set up the External (Internet-facing) Load Balancer to receive TCP traffic and distribute it to the pool of Security Gateways.

To create the External Load Balancer, do these steps:

  1. Open the Load Balancing section in Google Cloud Console.

  2. To create a new Load Balancer, click Create.

  3. Select Type > Network Load Balancing. Click Next.

  4. Select Passthrough load balancer. Click Next.

  5. Select Public facing ("From Internet to my VMs"). Click Configure.

  6. For the Backend type, select Backend Service.

  7. Enter a name for the new External Load Balancer

    Example: "prod-ext-lb"

In the Backend configuration section:

  1. Select the region where you deployed the Security Gateways autoscaling MIG.

  2. Select the deployed Security Gateway's autoscaling Managed Instance Group (MIG) from the Instance group drop-down list.

  3. In Health check, click Create a new health check.

    1. Enter a name for the health check. For example, "cloudguard-gateways-healthcheck"

    2. For the Port number, enter 8117 (for dual-stack deployments, use port 443).

      Note - Other ports are not supported.

    3. In the Request path, enter a correct path. The application server listens for HTTP health check requests from this path.

    4. Click Save and continue.

    5. From Session affinity, select Client IP and protocol.

In the Frontend configuration section:

  1. Enter a name for the frontend.

    Example: "app1-ext-frontend"

  2. In IP, select a static public IP address or create a new one.

  3. In Port, select the port on which this frontend must listen.

  4. Click Review and finalize to review the Load Balancer configuration.

  5. To create the Load Balancer, click Ready.

Internal Load Balancer

The Internal Load Balancer (ILBClosed Internal Load Balancer, used to load balance traffic in a virtual network) lets you use a next hop that redirects packets to the Load Balancer's targets and then to the instances in the MIG. You can find the route configuration instructions below.

When Virtual Machine (VM) instances in your Virtual Private Cloud (VPC) network send traffic to the Internet, the traffic is routed through the load-balanced Security Gateway virtual appliances.

Note - Using an internal load balancer with a MIG as the backend is supported starting from R81.10.

To create the Internal Load Balancer, do these steps:

  1. Open the Load Balancing section in Google Cloud Console.

  2. To create a new Load Balancer, click Create.

  3. Select Type > Network Load Balancing. Click Next.

  4. Select Passthrough load balancer. Click Next.

  5. Select Internal ("Only between my VMs"). Click Configure.

  6. Enter a name for the new Internal Load Balancer.

    Example: "prod-int-lb"

In the Backend configuration section:

  1. Select the region where you deployed the Security Gateway's Auto Scaling MIG.

  2. From the Instance group list, select the deployed Security Gateway's Auto Scaling Managed Instance Group (MIG) and select the TCP/UDP protocol.

  3. In the Health check, click Create a new health check.

    1. Enter a name for the health check. For example, cloudguard-gateways-healthcheck.

    2. For the Port number, enter 8117 (for dual-stack deployments, use port 443).

      Note - Other ports are not supported.

    3. Click Save and continue.

In the Frontend configuration section:

  1. Enter a name for the frontend.

    Example: "app1-int-frontend"

  2. Select the MIG internal sub-network.

  3. Select the TCP/UDP protocol.

    Note - L3 protocols are not supported.

  4. In Internal IP, select an existing internal IP address or create a new one.

  5. Set the Port to All to make the ILB the internal network's next hop.

  6. Click Review to review the Load Balancer configuration.

  7. To create the Load Balancer, click Ready.

Step 6: Implement the Firewall and NAT Rules for inbound traffic

You must create Firewall and NAT rules to allow traffic to the published service or application. This traffic is then redirected to the Internal Load Balancer.

  • The autoscaling MIG deployed by the Google Cloud Marketplace template creates a network interface in the external and internal networks. Each Security Gateway in the autoscaling Managed Instance Group (MIG) has a dynamic object for each network interface. This allows for easier and clearer configuration of Firewall and NAT rules.

  • A dynamic object is a "logical" object where the IP address is resolved differently for each Security Gateway.

  • With a dynamic object for each network interface, you can describe Firewall and NAT rules. This dynamic object uses the network interface on which the Security Gateway sends or receives traffic without explicitly stating its IP address.

    These dynamic objects are created automatically on each Security Gateway in the autoscaling fleet:

    Network

    Interface

    Dynamic Object

    External

    eth0

    LocalGatewayExternal

    Internal

    eth1

    LocalGatewayInternal

How to create dynamic objects

Note - Dynamic objects on the Security Gateway are created automatically.

To create dynamic objects on the Security Management Server, do these steps:

  1. In SmartConsole, connect to the Security Management Server (also referred to as the Domain Management Server).

  2. Create a Dynamic Object named LocalGatewayExternal. For this, in the Object Browser, click New > More >Network Object > Dynamic object. A Dynamic Object window opens.

    Note - Skip this step if this Dynamic ObjectClosed Special object type, whose IP address is not known in advance. The Security Gateway resolves the IP address of this object in real time. already exists.

  3. Enter the name of the object. For example, LocalGatewayExternal.

  4. Click OK,

  5. Repeat Step 2 for LocalGatewayInternal.

How to create the External Load Balancer Host object

Note - Create a Host object for each Public IP address published on the External Load Balancer.

  1. In the Object Browser, click New > More > Network Object > Host. The Host window opens.

  2. Enter a descriptive name (for example, App1-ELB).

  3. Enter the External Load Balancer's public IP address.

    Example:

How to create the Internal Load Balancer Host object

Note - Create a Host object for each Internal Load Balancer.

  1. In the Object Browser, click New > More > Network Object > Host. The Host window opens.

  2. Enter a descriptive name (for example, App1-ILB).

  3. Enter the Internal Load Balancer's private IP address.

    Example:

How to create a new TCP service

Note - Create a new TCP service for each service port on which the External Load Balancer listens. Skip this step if you use a standard port (such as HTTP 80 or HTTPS 443) that already exists in the services list.

Note - The All_Internet object represents IPv4 Internet addresses only.

For dual-stack deployments, modify the All_Internet object to also include the full IPv6 address range (:: – ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff).

  1. In the Object Browser, click New > More > Service > TCP.

  2. Enter a descriptive name (for example, acme-54321).

  3. From the General > Protocol list, select the protocol.

  4. In the Match By > Port menu , select Customize.

  5. Enter the port number (for example, 54321).

Step 1: For each GCP forwarding rule, create a corresponding Firewall rule with these values:

Source:

Any (or any other applicable value)

Destination

The Public IP address on the External Load Balancer that will accept this traffic.
For example, App1-ElB.

Services:

The service on which the External Load Balancer is listening, for example, http.

Example:

Name

Source

Destination

Services &

Applications

Data

Action

Track

Allow

Appl

All_Internet

App1-ELB

http

*

Any

Accept

Log

Step 2: For each Load Balancer rule, create an applicable NAT rule with these values:

Rule

Value

Original Source

All_Internet (do not use "Any")

Original Destination

App1-ELB

Original Services

The service on which the ELB is listening on (HTTP).

Translated Source

LocalGatewayInternal- Right-click on the cell and set the NAT Method to Hide.

Host

The Host object representing the Internal Load Balancer.

Translated Service

HTTP (or any service representing the port on which the Internal Load Balancer is listening).

Example:

Original
Source

Original
Destination

Original
Services

Translated
Source

Translate
Destination

Translated
Service

All_Internet

App1 ELB

http

H LocalGatewayInternal

S App1 ILB

Original

Notes:

  • GCP TCP Load Balancers forward traffic to the CloudGuard Security Gateways without changing the destination address of the original request. The request's destination address remains the public IP address of the External Load Balancer.

  • If you have not created an outbound CA certificate, follow the instructions below to create one.

Important - You must have an Outbound CA certificate for an inbound SSL inspection use case.
How to set the HTTPS Inspection

  1. In SmartConsole, go to each Security Gateway object and click the HTTPS Inspection tab.

  2. Click Server Certificates > Create Certificate.

  3. Enter the required information and click OK.

  4. Create an HTTPS service similar to the HTTP service created in Step 6: Implement the Firewall and NAT Rules for inbound traffic (select port number 8443).

  5. In the Security policy, go to the HTTPS inspection table and add this rule:

    • Source: Any

    • Destination: Any (do not use the Internet object)

    • Service: Select the HTTPS service created in External Load Balancer

    • Action: Inspect

    • Certificate: The certificate you created in step 2.

  6. Save the changes. Click the diskette icon at the top or press CTRL+S.

To enable HTTPS Inspection (as explained in Enabling and Disabling Software Blades):

  1. Publish the changes in SmartConsole.

  2. Install the Security Policy on any existing CloudGuard Security Gateway.

Updating Auto Provisioning

To download and install the latest Auto ProvisioningClosed Check Point Software Blade on a Management Server that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: SmartProvisioning, SmartLSM, Large-Scale Management, LSM. version, follow the instructions in sk157492 for the latest Cloud Management Extension (CME) update.