Scaling In and Scaling Out

Background

Network Diagram

The Google Cloud Platform (GCPClosed Google® Cloud Platform is a suite of products and services that includes hosting, cloud computing, database services and more.) environment contains two Virtual Private Clouds (VPCs) - an External VPC and an Internal VPC - as shown in the diagram below.

An External Load Balancer directs incoming traffic to an Autoscaling Managed Instance Group (MIG) in the external VPC. CloudGuard Network Security Gateways in this group inspect the traffic. If allowed by policy, traffic is forwarded to an Internal Load Balancer. The Internal Load Balancer distributes traffic to servers in a more secure internal network.

CloudGuard Network Security Gateways are managed by the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. located in GCP or on-premises.

GCP Autoscale adjusts the number of CloudGuard Network Security Gateways in the MIG based on the traffic load.

It uses two main events:

  • Scale Out: Adds Security Gateways to the MIG when the traffic load increases.

  • Scale In: Removes Security Gateways from the MIG when the traffic load decreases.

Default Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. CPU thresholds to trigger autoscaling events:

  • Scale Out: Triggers at 80% CPU use (5-minute average).

  • Scale In: Triggers at 60% CPU use (5-minute average).

Scale Out

When a scale-out event triggers:

  1. GCP Autoscale launches new Security Gateways.

  2. New Security Gateways automatically run the First Time Configuration Wizard and reboot.

  3. The Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.:

    1. Detects new Security Gateway instances.

    2. Establishes a Secure Internal Communication (SICClosed Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.) channel with these Security Gateway instances.

    3. Installs a Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. on each new Security Gateway.

  4. External Load Balancer starts sending traffic to these new Security Gateways.

Note - For R81.10 and higher, Security Gateways automatically respond to health checks on port 8117 after CME configuration. New Security Gateways report their status and send logs to the Security Management Server.

Scale In

When a scale-in event triggers:

  1. GCP Autoscale marks one or more Security Gateways as candidates for termination.

  2. The External Load Balancer stops sending traffic to marked Security Gateways.

  3. GCP Autoscale terminates marked Security Gateways.

  4. The Security Management Server removes terminated Security Gateways from its database.

Important - Keep at least two Security Gateways (one in each Availability Zone) running for redundancy and availability.

Testing Scale-In and Scale-Out Processes

The initial solution deployment process includes these steps:

  1. When the Check Point CloudGuard Network for GCP Autoscaling MIG solution is deployed, it creates CloudGuard Network Security Gateways with the autoprov tool.

  2. Each new Security Gateway automatically runs the First Time Configuration Wizard. This usually takes 10 minutes to complete. Large Virtual Machines may require additional time.

  3. After configuration completes, the Security Management Server automatically installs the Security Policy on these Security Gateways.

  4. To verify deployment success, use SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to:

    • Confirm the Security Policy installation.

    • Verify log generation and transmission by Security Gateways.

Step

Description

1

Connect to the Security Gateway command line interface (CLI) over SSH.

2

Enter Expert mode.

3

Create a script to load the CPUs of CloudGuard Security Gateways at /var/tmp/simulate_cpu_load.sh:

[Expert@HostName:0]# vi /var/tmp/simulate_cpu_load.sh

#!/bin/bash

ncores="$(cat /proc/cpuinfo | grep vendor_id | wc -l)"

PIDS=()

for i in $(seq $ncores)

do

taskset ff dd if=/dev/zero of=/dev/null &

PIDS+=($!)

done

echo "Load started"

read -n1 -r -p "Press any key to stop the load..." key

kill ${PIDS[@] }

4

Set execute permissions to the script:

[Expert@HostName:0]# chmod u+x /var/tmp/simulate_cpu_load.sh

5

Execute the script to simulate high CPU load:

[Expert@HostName:0]# ./var/tmp/simulate_cpu_load.sh

6

Monitor CPU load in a separate terminal (it must be at a high level):

top

Note - After 10 minutes of high CPU load, a scale-out event triggers. GCP Autoscale provisions a new Security Gateway.

7

After the new Security Gateway is provisioned, press any key to stop the simulation script on the original Security Gateway.

8

Monitor CPU load in a separate terminal (it must return to normal levels):

top

Note - After 10 minutes of normal CPU load, a scale-in event triggers. The Security Management Server automatically removes the newly provisioned Security Gateway.