Configuring the Google Cloud Platform

Prerequisites

Make sure these components are configured before proceeding:

  1. An external VPC with at minimum one public subnet. You can also create the external VPC during deployment.

  2. An internal VPC with at minimum one private subnet. You can also create the internal VPC during deployment.

  3. A Check Point Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. running R81 or higher.

  4. A group of applications or web servers deployed in the private subnet or in a subnet peered with the MIG backend subnet.

  5. For Marketplace deployments - a Google Cloud Platform Service Account with the following permissions:

    • Compute Admin

    • Cloud Infrastructure Manager Agent

    • Service Account User

    • Infrastructure Manager Service Agent

    • Service Usage Admin

    • Service Usage Consumer

    You can also create the service account during the deployment.

Configuration steps:

  1. Create a Google Cloud Platform Service Account.

  2. Configure the Check Point Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

  3. Deploy the Check Point autoscaling Managed Instance Group (MIG).

  4. Set up the External Load Balancer.

  5. Set up the Firewall and NAT Rules.

Installing a Check Point Management Server

We recommend using Smart-1 Cloud (Check Point's Management Server as a Service) to manage the CloudGuard Network Autoscaling Managed Instance Group (MIG).

For step-by-step instructions on enabling Cloud Management Extension (CME) in Smart-1 Cloud management, refer to Quantum Smart-1 Cloud Administration Guide > Using the settings > Cloud Management Extension (CME) Configuration.

Alternative deployment options for the Check Point Security Management Server include Google Cloud Platform, other cloud platforms, or on-premises.

To control the CloudGuard Security Gateways, make sure:

  • The Management Server can open connections to the CloudGuard Security Gateways.

  • The CloudGuard Security Gateways can open connections to the Management Server (for example, for sending logs).

The autoscaling CloudGuard Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. can be deployed with or without a public IP address.

Deployments without a public IP address must have one of these topologies:

  • Install the Security Management Server in the same internal VPC.

  • Install the Security Management Server in a VPC peered with the internal VPC.

  • Install the Security Management Server on-premises and connect it to the internal VPC over Cloud Interconnect.

  • Install the Security Management Server on-premises and connect it to the internal VPC over a Cloud VPN.

To deploy the Security Management Server in GCPClosed Google® Cloud Platform is a suite of products and services that includes hosting, cloud computing, database services and more., refer to the Check Point CloudGuard Network Security NGFW and Threat Prevention (BYOL).

Notes:

Creating a Google Cloud Platform (GCP) Service Account

The Check Point Security Management Server uses the GCP Service account to monitor the creation and status of the autoscaling Managed Instance Group. This lets the Security Management Server complete provisioning of these Security Gateways.

To create a GCP service account:

  1. Go to https://cloud.google.com/iam/docs/creating-managing-service-accounts.

    Use these parameters:

    Name

    check-point-autoprovision

    Role

    Compute Engine \ Compute Viewer

  2. Click Create Key > JSON (as the key type). A JSON file is downloaded to your computer.

    Note - This JSON file is later used as the credentials file in Configuring the Check Point Management Server.

Deploying the Check Point Autoscaling Managed Instance Group

Deploy one of these Google Cloud Marketplace solutions:

  • The Check Point CloudGuard Network Security autoscaling with the Bring Your Own License (BYOL) licensing model,

    or

  • The Check Point CloudGuard Network Security autoscaling with the Pay as You Go (PAYG) licensing model.

Parameter

Description

Deployment Name

The name of the deployment. Deployment name must contain only lowercase characters, numbers, or dashes. It must start with a lowercase letter and cannot end with a dash.

Deployment Service Account

Select an existing service account with the required permissions (as explained in the prerequisites section) or create a new one.

Zone

The zone for deploying instances.

The zone determines available computing resources and where your data is stored and used. See GCP Regions and Zones documentation for more information.

Series

Select the desired machine series.

Machines Type

Select the desired machine configuration.

Target CPU usage

The GCP Autoscaler automatically scales out if the average CPU use exceeds this target.

Minimum number of instances

The minimum number of Security Gateways in the autoscaling MIG.

Maximum number of instances

The maximum number of Security Gateways in the autoscaling MIG.

Boot disk type

The type of disk used for deploying the instances (see Choose a disk type for more information).

Boot disk size in GB

The size of the disk used for deploying the instances. (see Choose a disk type for more information).

External subnet CIDR

The MIG's Public IP address will be translated to a private address assigned to the Security Gateway in this external network.

Provide an RFC 1918 CIDR block in the ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. external subnet CIDR field or select a Network and a Subnetwork below the CIDR field. If a range is specified, a new VPC will be created and the deployment will ignore the selected network above.

Firewall

These GCP rules will determine if ICMP / TCP / UDP / SCTP / ESP traffic is enabled by default for the provided IP CIDR sources.

Internal subnet CIDR

Provide an RFC 1918 CIDR block in the Cluster external subnet CIDR field or select a Network and a Subnetwork below the CIDR field. If a range is specified, a new VPC will be created and the deployment will ignore the selected network above.

OS Version

The Check Point Security Gateway version to be deployed.

Management Interface

The MIG instance's network interface used to communicate with the Security Management Server. When eth0 is selected, communication is done using an ephemeral public IP alias. When eth1 is selected, communication is done using a static private IP address assigned to this interface. This configuration is recommended when the Security Management Server is deployed in internal subnets of the MIGVPC or in a peered VPC.

Security Management Server name

The name of the Security Management Server as it appears in the CME configuration file. Use the same name in the autoprovision configuration section Configuring the Check Point Management Server. For example, my-management.

Configuration template name

The configuration template name as it appears in the CME configuration file. Use the same name in the autoprovision configuration section Configuring the Check Point Management Server. For example, my-configuration-template.

Public SSH key for the use ‘admin'

The SSH public key used for SSH authentication to the MIG instances. Leave it blank to use all project-wide pre-configured SSH keys.

SIC key

The Secure Internal Communication key that creates trusted connections between Check Point components. Trust is required to install policies on Security Gateways and to send logs between Security Gateways and Security Management Servers.

Admin shell

Change the admin shell to enable advanced command line configuration.

Allow download from/upload to Check Point

Do not select this checkbox if you do not want to automatically download Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. Contracts and other important data. Sending data to Check Point can improve your product experience.

Automatically generate an administrator password

To manage the environment's security, administrators can connect to the Management Server with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. clients and via the GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. WebUI using this password.

For additional security, it is recommended to change the password after deployment.

Maintenance Mode password hash

Maintenance mode password hash (relevant only for R81.20 and higher versions). Generate a password hash with the command grub2-mkpasswd-pbkdf2 on Linux and paste it here.

Enable Stackdriver monitoring

Select this checkbox to enable Stackdriver Monitoring.

Automatically generate an administrator password

To manage the environment's security, administrators can connect to the Management Server with SmartConsole clients and via the Gaia WebUI using this password.

For additional security, it is recommended to change the password after deployment.

Notes:

Configuring Load Balancers

We recommend you to go through Google's Load Balancing documentation at: https://cloud.google.com/load-balancing/docs/network/.

The steps below are for TCP load balancers. Note that HTTP(S) load balancers are also supported and can be used alternatively.

External Load Balancer

You must set up the External (Internet-facing) Load Balancer to receive TCP traffic and distribute it to the pool of Check PointCloudGuardSecurity Gateways.

To create the External Load Balancer, do these steps:

  1. Open the Load Balancing section in Google Cloud Console.

  2. To create a new Load Balancer, click Create.

  3. Select Type > Network Load Balancing. Click Next.

  4. Select Passthrough load balancer. Click Next.

  5. Select Public facing ("From Internet to my VMs"). Click Configure.

  6. For the Backend type, select Backend Service.

  7. Enter a name for the new External Load Balancer

    Example:

    "prod-ext-lb"

In the Backend configuration section:

  1. Select the region where you deployed the Security Gateways autoscaling MIG.

  2. Select the deployed Security Gateway's autoscaling Managed Instance Group (MIG) from the Instance group drop-down list.

  3. In Health check, click Create a new health check.

    1. Enter a name for the health check. For example, "cloudguard-gateways-healthcheck"

    2. For the Port number, enter 8117.

      Note - Other ports are not supported.


    3. In the Request path, enter a correct path. The application server listens for HTTP health check requests from this path.

    4. Click Save and continue.

    5. From Session affinity, select Client IP and protocol.

In the Frontend configuration section:

  1. Enter a name for the frontend.

    Example:

    "app1-ext-frontend"

  2. In IP, select a static public IP address or create a new one.

  3. In Port, select the port on which this frontend must listen.

  4. Click Review and finalize to review the Load Balancer configuration.

  5. To create the Load Balancer, click Ready.

Internal Load Balancer

The Internal Load Balancer (ILBClosed Internal Load Balancer, used to load balance traffic in a virtual network) lets you use a next hop that redirects packets to the Load Balancer's targets and then to the instances in the MIG. You can find the route configuration instructions below.

When Virtual Machine (VM) instances in your Virtual Private Cloud (VPC) network send traffic to the Internet, the traffic is routed through the load-balanced Security Gateway virtual appliances.

Note - Using an internal load balancer with a MIG as the backend is supported starting from R81.10.

To create the Internal Load Balancer, do these steps:

  1. Open the Load Balancing section in Google Cloud Console.

  2. To create a new Load Balancer, click Create.

  3. Select Type > Network Load Balancing. Click Next.

  4. Select Passthrough load balancer. Click Next.

  5. Select Internal ("Only between my VMs"). Click Configure.

  6. Enter a name for the new Internal Load Balancer.

    Example:

    "prod-int-lb"

In the Backend configuration section:

  1. Select the region where you deployed the Security Gateway's Auto Scaling MIG.

  2. From the Instance group list, select the deployed Security Gateway's Auto Scaling Managed Instance Group (MIG) and select TCP/UDP protocol.

    Note - L3 protocols are not supported.

  3. In the Health check, click Create a new health check.

    1. Enter a name for the health check. For example, cloudguard-gateways-healthcheck.

    2. For the Port number, enter 8117.

      Note - Other ports are not supported.

    3. Click Save and continue.

In the Frontend configuration section:

  1. Enter a name for the frontend.

    Example:

    "app1-int-frontend"

  2. Select the MIG internal sub-network.

  3. In Internal IP, select an existing internal IP address or create a new one.

  4. Set the Port to All to make the ILB the internal network's next hop.

  5. Click Review to review the Load Balancer configuration.

  6. To create the Load Balancer, click Ready.

Implementing the Firewall and NAT Rules for inbound traffic

You must create Firewall and NAT rules to allow traffic to the published service or application. This traffic is then redirected to the Internal Load Balancer.

  • The autoscaling MIG deployed by the Google Cloud Marketplace template creates a network interface in the external and internal networks. Each Security Gateway in the autoscaling Managed Instance Group (MIG) has a dynamic object for each network interface. This allows for easier and clearer configuration of Firewall and NAT rules.

  • A dynamic object is a "logical" object where the IP address is resolved differently for each Security Gateway.

  • With a dynamic object for each network interface, you can describe Firewall and NAT rules. This dynamic object uses the network interface on which the Security Gateway sends or receives traffic without explicitly stating its IP address.

    These dynamic objects are created automatically on each Security Gateway in the autoscaling fleet:

    Network

    Interface

    Dynamic Object

    External

    eth0

    LocalGatewayExternal

    Internal

    eth1

    LocalGatewayInternal

How to create dynamic objects

Note - Dynamic objects on the Security Gateway are created automatically.

To create dynamic objects on the Security Management Server, do these steps:

  1. In SmartConsole, connect to the Security Management Server (also referred to as the Domain Management Server).

  2. Create a Dynamic Object named LocalGatewayExternal. For this, in the Object Browser, click New > More >Network Object > Dynamic object. A Dynamic Object window opens.

    Note - Skip this step if this Dynamic ObjectClosed Special object type, whose IP address is not known in advance. The Security Gateway resolves the IP address of this object in real time. already exists.

  3. Enter the name of the object. For example, LocalGatewayExternal.

  4. Click OK,

  5. Repeat Step 2 for LocalGatewayInternal.

How to create the External Load Balancer Host object

Note - Create a Host object for each Public IP address published on the External Load Balancer.

  1. In the Object Browser, click New > More > Network Object > Host. The Host window opens.

  2. Enter a descriptive name (for example, App1-ELB).

  3. Enter the External Load Balancer's public IP address.

    Example:

How to create the Internal Load Balancer Host object

Note - Create a Host object for each Internal Load Balancer.

  1. In the Object Browser, click New > More > Network Object > Host. The Host window opens.

  2. Enter a descriptive name (for example, App1-ILB).

  3. Enter the Internal Load Balancer's private IP address.

    Example:

How to create a new TCP service

Note - Create a new TCP service for each service port on which the External Load Balancer listens. Skip this step if you use a standard port (such as HTTP 80 or HTTPS 443) that already exists in the services list.

  1. In the Object Browser, click New > More > Service > TCP.

  2. Enter a descriptive name (for example, acme-54321).

  3. From the General > Protocol list, select the protocol.

  4. In the Match By > Port menu , select Customize.

  5. Enter the port number (for example, 54321).

Step

Description

1

For each GCP forwarding rule, create a corresponding Firewall rule with these values:

Source:

Any (or any other applicable value)

Destination

The Public IP address on the External Load Balancer that will accept this traffic.
For example, App1-ElB.

Services:

The service on which the External Load Balancer is listening, for example, http.

Example:

Name

Source

Destination

Services &

Applications

Data

Action

Track

Allow

Appl

All_Internet

App1-ELB

http

*

Any

Accept

Log

2

For each Load Balancer rule, create an applicable NAT rule with these values:

Rule

Value

Original Source

All_Internet (do not use "Any")

Original Destination

App1-ELB

Original Services

The service on which the ELB is listening on (HTTP).

Translated Source

LocalGatewayInternal- Right-click on the cell and set the NAT Method to Hide.

Host

The Host object representing the Internal Load Balancer.

Translated Service

HTTP (or any service representing the port on which the Internal Load Balancer is listening).

Example:

Original
Source

Original
Destination

Original
Services

Translated
Source

Translate
Destination

Translated
Service

All_Internet

App1 ELB

http

H LocalGatewayInternal

S App1 ILB

Original

Notes:

  • GCP TCP Load Balancers forward traffic to the CloudGuard Security Gateways without changing the destination address of the original request. The request's destination address remains the public IP address of the External Load Balancer.

  • If you have not created an outbound CA certificate, follow the instructions below to create one.

Important - You must have an Outbound CA certificate for an inbound SSL inspection use case.
How to set the HTTPS Inspection

  1. In SmartConsole, go to each Security Gateway object and click the HTTPS Inspection tab.

  2. Click Server Certificates > Create Certificate.

  3. Enter the required information and click OK.

  4. Create an HTTPS service similar to the HTTP service created in Implementing the Firewall and NAT Rules for inbound traffic (select port number 8443).

  5. In the Security policy, go to the HTTPS inspection table and add this rule:

    • Source: Any

    • Destination: Any (do not use the Internet object)

    • Service: Select the HTTPS service created in External Load Balancer

    • Action: Inspect

    • Certificate: The certificate you created in Step 2

  6. Save the changes. Click the diskette icon at the top or press CTRL+S.

To enable HTTPS Inspection (as explained in Enabling and Disabling Software Blades):

  1. Publish the changes in SmartConsole.

  2. Install the Security Policy on any existing CloudGuard Security Gateway.

Configuring the Check Point Management Server

Step

Description

1

Connect to the command line on the Management Server.

2

Log in to Expert mode.

3

 Install the latest CME version. See sk157492 for instructions on downloading and installing the latest CME version.

Note - Specific help documentation is available for each option you choose.

For example, this command displays the available initialization parameters for GCP and their meaning:

autoprov_cfg init GCP -h

4

Run this command:

autoprov_cfg init GCP -mn <MANAGEMENT-NAME> -tn <CONFIGURATION-TEMPLATE-NAME> -otp <SIC-KEY> -ver <VERSION> -po <POLICY-NAME> -cn <CONTROLLER-NAME> -proj <GCP-PROJECT> -cr <GCP-SERVICE-ACCOUNT-KEY-PATH>

Where:

Placeholder

Description

<MANAGEMENT-NAME>

Select a name for the Management Server. Use this name to deploy the autoscaling MIG. The Check Point Management Server uses this name to automatically identify and provision the MIG.

For example, 'my-management'.

Note - Use only lowercase letters, numbers, and dashes for this name, as specified in the documentation.

<CONFIGURATION-TEMPLATE-NAME>

Select a name for the configuration template. This template contains the configurations to automatically provision the Security Gateways in the autoscaling MIG. These configurations include the Policy to install and the Blades to enable.

Use this name when Deploying the Check Point Autoscaling Managed Instance Group . It refers to the set of configurations to apply to the group.

You can keep multiple configuration sets for different autoscaling Managed Instance Groups on this Security Management Server.

For example, 'my-configuration-template'.

Note - Use only lowercase letters, numbers, and dashes for this name, as specified in the documentation.

<SIC-KEY>

Create a Secure Internal Communication (SICClosed Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.) key with at minimum 8 alphanumeric characters. You need this key when you complete the MIG creation. The SIC key creates trusted connections between Security Gateways, the Security Management Server, and other Check Point components. This trust is necessary to install policies on Security Gateways and send logs between Security Gateways and Security Management Servers.

Write down this key and use it to create a trusted connection between this Security Management Server and Security Gateways in the autoscaling MIG.

Note - The system obfuscates this value in the configuration.

<VERSION>

Specify the Security Gateway version.

<POLICY-NAME>

Specify the name of the Policy to install on the Security Gateways in the autoscaling MIG. For example, 'Standard'

<CONTROLLER-NAME>

Select a name for the controller. This controller contains the configurations to connect to your Google Cloud Platform (GCP) environment, including the GCP project and Service account key.

With this Security Management Server, you can keep different types of controllers to automatically provision different cloud environments.

For example, 'GCP-Production'

<GCP-PROJECT>

Specify the ID of the GCP project where you deploy CloudGuard Security Gateways. For example, "ACME-Production".

<GCP-SERVICE-ACCOUNT-KEY>

Specify the full path to the GCP Service Account key file. Put this file in the $FWDIR/conf directory with admin-only read permissions.

For example, "$FWDIR/conf/ACME-Production13cebb.json"

Notes:

5

To apply the modifications, enter yes when prompted "Would you like to restart the service now?", and press Enter.

Note - In R81.10 and higher, you can configure CME with the CME API. For more information, see the Cloud Management Extension Administration Guide.

Updating Auto Provisioning

To download and install the latest Auto Provisioning version, follow the instructions in sk157492 for the latest Cloud Management Extension (CME) updates