Configuring a High Availability Cluster in GCP

Prerequisites:

  1. Google Cloud Platform Service Account with the following permissions:

    • Compute Admin

    • Cloud Infrastructure Manager Agent

    • Service Account User

    • Infrastructure Manager Service Agent

    • Service Usage Admin

    • Service Usage Consumer

    You can also create the service account during the deployment.

    Note - This prerequisite is required only for Marketplace deployments.

Step 1: Enable Google Private Access to the Cluster Network

Note - If the VPC was created during deployment, you can skip this step.

To enable Google Private Access to the ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Network:

  1. From Cloud Platform, select VPC network > VPC networks.

  2. Select cluster-network / cluster network-subnet.

  3. Set Private Google access to On.

Step 2: Deploy a Template in GCP

Deploy this solution throughout the GCPClosed Google® Cloud Platform is a suite of products and services that includes hosting, cloud computing, database services and more. Portal:

  • Check Point CloudGuard High Availability PAYG (Pay as You Go)

Parameter

Description

Deployment name

The name of the deployment. Deployment name must contain only lowercase characters, numbers, or dashes. It must start with a lowercase letter and cannot end with a dash.

Deployment Service Account

Select an existing service account with the required permissions (as explained in the prerequisites section) or create a new one.

Machines type

The machine type for both Cluster Members.
Machines type determines the specification of your machines including memory, virtual cores, and persistent disk limits.

Boot disk type

The type of disk used for deploying the Cluster Members.

Boot disk size in GB

The size of the disk used for deploying the Cluster Members.

OS Version

The Check Point Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. version to deploy.

Deploy HA with public IPs

Clear this checkbox if you want to deploy the HA with private IP addresses only.

Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. address

The public address of your Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. in CIDR notation.

VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address.

For the Management Servers and Security Gateways compatibility, refer to sk113113.

For Management HA/Multi-Domain Security Management Server HA insert the primary address of the Management and follow the instructions in Manage the GCP HA with Management High Availability/Multi-Domain Security Management Server High Availability.

SICClosed Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. key

The Secure Internal Communication key that creates trusted connections between Check Point components. Trust is required to install policies on Security Gateways and to send logs between Security Gateways and Security Management Servers.

Automatically generate an administrator password

To manage the environment's security, administrators can connect to the Management Server with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. clients and via the GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. WebUI using this password.

For additional security, it is recommended to change the password after deployment.

Maintenance Mode password hash

Maintenance mode password hash (relevant only for R81.20 and higher versions). Generate a password hash with the command grub2-mkpasswd-pbkdf2 on Linux and paste it here.

Allow download from/upload to Check Point

Do not select this checkbox if you do not want to automatically download Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. Contracts and other important data. Sending data to Check Point can improve your product experience.

Admin shell

Change the admin shell to enable advanced command line configuration.

Public SSH key for the user 'admin'

The public SSH key used to connect to both Cluster Members with the user 'admin'.

Enable Stackdriver monitoring

Select this checkbox to enable Stackdriver Monitoring.

Member A Zone

The zone for deploying Member A.

The zone determines available computing resources and where your data is stored and used. See GCP Regions and Zones documentation for more information.

Member B Zone

The zone for deploying Member B. Must be in the same region as Member A's zone.

Smart-1 Cloud Token Member A

The token you generate in Smart-1 Cloud portal.

Smart-1 Cloud Token Member B

The token you generate in Smart-1 Cloud portal.

Cluster external subnet CIDR

The Cluster's Public IP address will be translated to a private address assigned to the ActiveClosed State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism. member in this external network.

Provide an RFC 1918 CIDR block in the Cluster external subnet CIDR field, or select a Network and a Subnetwork below the CIDR field. If a range is specified, a new VPC will be created, and the deployment will ignore the selected network above.

Note - Google Private Access must be enabled for this selected network.

Firewall

These GCP rules will determine if ICMP / TCP / UDP / SCTP / ESP traffic is enabled by default for the provided IP CIDR sources.

Management subnet CIDR

The Public IP address used to manage each member. It is translated to a private address in this external network.

Provide an RFC 1918 CIDR block in the Management external subnet CIDR field, or select a Network and a Subnetwork below the CIDR field.

If a range is specified, a new VPC will be created, and the deployment will ignore the selected network above.

Number of internal networks

This number will determine how many of the networks specified below this field will be used in this deployment.

Internal network(s)

Provide a RFC 1918 CIDR block in the internal subnet CIDR field, or select a Network and a Subnetwork below the CIDR field. If a range is specified, a new VPC will be created, and the deployment will ignore the selected network above.

Notes:

  • Smart-1 Cloud (Check Point’s Management Server as a Service) is a recommended option to start using CloudGuard Network Security Gateways.

  • Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.

Manage the GCP HA with Management High Availability/Multi-Domain Security Management Server High Availability

To manage the GCP HA with Management High AvailabilityClosed Deployment and configuration mode of two Check Point Management Servers, in which they automatically synchronize the management databases with each other. In this mode, one Management Server is Active, and the other is Standby. Acronyms: Management HA, MGMT HA./Multi-Domain Security Management Server High Availability you must set a static route to the Secondary Management IP address on both Cluster Members:

  1. Connect with SSH to each one of the Cluster members.

  2. From the Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., run the command:

    set static-route <SECONDARY_MANAGEMENT_IP> nexthop gateway address <MANAGEMENT_NETWORK_GATEWAY> on

    • SECONDARY_MANAGEMENT_IP - The public address of the secondary Management server using the CIDR notation (IPv4 Address / Mask Length).

    • MANAGEMENT_NETWORK_GATEWAY - The Management (nic1) subnet Gateway: In the GCP portal, go to VPC networks, select the Management VPC (nic1) > SUBNETS, and copy the value below Gateway.

  3. Run: save config

The deployment takes about five minutes. After the deployment is finished, information is displayed in the deployment details page, such as the Public IP addresses created and the network used for Primary Cluster Synchronization used later in this guide.

Components of the Check Point Solution

Important - No other Virtual Machines can be deployed in the solution's subnet.

  • Network interfaces can only be configured when instances are created.

  • By default, subnets/CIDR are automatically suggested. If you do not delete it, a new VPC network and a subnet within it, in the same region as the cluster members' Zones, is created.

  • If you want to use existing networks instead of specifying IP CIDR blocks, create them with a subnet in the same region as the cluster members Zones before starting this deployment. When deploying, delete the suggested subnet's address in "Cluster/Management/Internal subnet CIDR", and then select from the subnet CIDR in your existing VPC. If you specify both, then precedence is given to the CIDR field.

  • The Cluster Members each have a network interface in each of the subnetworks specified in this deployment. IP ranges of those subnets must not overlap.

  • The Security Cluster manipulates the routing in the networks you defined as internal in this deployment. The result is that all outbound traffic goes through the Cluster Member that is currently active.

  • It does not deploy any other Virtual Machines in the solution's frontend and backend subnets.

  • Virtual Machines that are launched in the backend subnets, may require Internet access to do final provisioning. Launch these Virtual Machines only after you have applied Hide NAT rules on the cluster object to support this type of connectivity.

  • The Check Point First Time Configuration Wizard automatically deploys after you have set up the cluster object. The cluster object is configured based on the applies parameters.

  • After the First Time Configuration Wizard completes, the Virtual Machines automatically reboot.

  • The member operating mode (A or B) is decided independently of the deployment or the order in which the members were added to the cluster. Instead, it is decided by Private IP addresses of their main network interface.

  • The cluster's secondary address is used for internet access to the member to which it is attached, while it is in standbyClosed State of a Cluster Member that is ready to be promoted to Active state (if the current Active Cluster Member fails). Applies only to ClusterXL High Availability Mode. mode, so that it will be able to receive important updates. The address is not used in the configuration of the cluster.

  • The Compute Engine default service account must exist and be enabled in the project.

Step 3 (Optional): Deploy the Cluster without a Public IP address

When you configure High Availability in GCP, you automatically receive Public IP addresses. Do this procedure to remove the Public IP addresses and configure your HA to work with Private IP addresses.

Note - For new deployments from the GCP Marketplace only, you can clear the Deploy HA with Public IPs checkbox and skip this procedure.

  • GCP HA deployment.

  • Important: Enable Google private access to the Cluster network.

  • Image build 991001558 and higher.

  1. Remove the Public IP addresses:

    1. Stop both Cluster members (from the GCP portal) and click Edit.

    2. Go to Network interfaces > select the Cluster's external interface > in External IPv4 address select None > Done.

    3. Repeat step b. for the Management's interface and save the changes.

    4. Go to IP addresses in the GCP portal, search the names of the Public IP addresses, and click on RELEASE STATIC ADDRESS at the top of the page.

      • <your-deployment-name>-primary-cluster-address

      • <your-deployment-name>-secondary-cluster-address

      • <your-deployment-name>-member-a-address

      • <your-deployment-name>-member-b-address

  2. Change the Cluster's Public IP addresses in the configuration file $FWDIR/conf/gcp-ha.json on the two Cluster members:

    1. Connect with SSH to each Cluster member.

    2. Edit the gcp-ha.json file with the command:

      # vi $FWDIR/conf/gcp-ha.json

    3. Change the values of public_ip and secondary_public_ip to no-public-ip, for example:

      {

          "debug": false,

          "public_ip": "no-public-ip",

          "secondary_public_ip": "no-public-ip",

          "dest_ranges": [

              "0.0.0.0/0"

          ]

      }

    4. Save the changes in the file and exit the editor.

  3. If the Security Management Server is in the same VPC as the Cluster members, add these NAT rules:

  4. Continue to the next step: Configure Cluster Objects in SmartConsole.

    • For the Cluster's IP address, use member's A Private IP address of the external interface (NIC 0).

    • Each Cluster member uses the Private IP address of the Management interface (NIC 1).

Notes:

Step 4: Configure Cluster Objects in SmartConsole

To configure objects in SmartConsole:

Step

Description

Note - If the Security Management Server is deployed in GCP and manages a Cluster Member in a different VPC, then modify the Security Management IP object in SmartConsole to be the Public IP address of the Management Server.
Click Publish to apply the change.

1

Click the Objects menu > New > More > Network Object > Gateways & Servers > Cluster > New Cluster.

2

Select Wizard Mode.

The Check Point Installed Gateway Cluster wizard window opens.

3

Enter a Cluster Name.

Example: checkpoint-cluster

4

In the Cluster IPv4 Address field, enter the cluster IP address (VIP). You can find the cluster IP address in the GCP portal:

  1. Browse to the VM instances page.

  2. Locate and select member a instance.

  3. From the Network interfaces section, copy the value of the External IP address for nic0 (the name ends with primary-cluster-address).

5

Click Next.

The Gateway Cluster Properties window opens.

6

Click Add new cluster member.

  1. In the Name field, enter the first Cluster Member's name. Example: member1

  2. In the IPv4 address field: Enter the Cluster Member's Public IP address from Management VPC (Member A external IP address and Member B external IP address are displayed on the deployment details page).

  3. In the Activation Key field, enter the SIC key (set up in GCP).

  4. In the Confirm Activation Key field, enter the SIC key again.

  5. Click Initialize. If the Activation Key is confirmed, the Trust State field shows Trust Established.

  6. Click OK.

7

Repeat the Step 7 to add the second Cluster Member.

8

Click Next.

The Cluster Topology window opens.

9

Select the subnetwork provided in the Management network field during the deployment as the Synchronization network.

10

Configure the other subnetworks as Private use for each member.

11

Complete the wizard, and then click Publish to save the settings.

12

Open the Cluster object.

13

Configure the ClusterXLClosed Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic. mode:

  1. In the Cluster's object left tree, click ClusterXL and VRRP.

  2. Select High Availability.

  3. In versions R81.20 and higher, select Use Geo Mode in a Cloud.

14

Click OK

15

Open the Cluster object.

16

In the Network management tab, disable Anti-Spoofing for all interfaces by editing those interfaces in the cluster object.

17

The IPsec VPNClosed Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. blade is automatically enabled. To use the VPN blade, see Step 9: Configure VPN. Otherwise, disable the VPN blade.

18

Click OK.

19

Install the applicable Access Control Policy on the cluster object.

A few minutes after the applicable Access Control Policy is installed, the following changes occur automatically in GCP:

  1. The following Public IP addresses for each Cluster Member in Cluster VPC will be attached:

    • Primary Public IP address.

    • Secondary Public IP address.

  2. In each of the internal VPC networks, a GCP Route routes all outbound traffic (0.0.0.0/0) to the Active member with high priority (1) and to the secondary member with lower priority (2).

Notes:

Step 5 (Optional): Configure External and Internal Load Balancers

You can add a Load Balancer to your CloudGuard Network for the GCP environment. After you complete this procedure, the Security Gateways start responding to GCP probes.

Note - This feature is only available to machines that run CloudGuard Network version R81.10 and higher.

  1. Create an instance group in GCP.

    1. In the GCP Portal, search for Instance groups.

    2. Click Create instance group > New unmanaged instance group.

    3. Select the region where the HA is deployed.

    4. Select the Cluster's external network.

    5. In VM instances, select both Cluster's members.

    6. Click Create.

    Note - If each Cluster Member is in a different zone, create one unmanaged instance group for each.

  2. Create an External Load Balancer in Google Cloud Console.

    1. Open the Load Balancing section in Google Cloud Console.

    2. Click Create.

    3. Select Type > Network Load Balancing. Click Next.

    4. Select Passthrough load balancer. Click Next.

    5. Select Public facing ("From internet to my VMs").

    6. Click Configure.

    Backend configuration

    1. Enter a name for the new External Load Balancer.

    2. Select the region where the Security Gateways High Availability Cluster was deployed.

    3. From the Instance group drop-downClosed State of a Cluster Member during a failure when one of the Critical Devices reports its state as "problem": In ClusterXL, applies to the state of the Security Gateway component; in 3rd-party / OPSEC cluster, applies to the state of the State Synchronization mechanism. A Cluster Member in this state does not process any traffic passing through cluster. list, select the deployed Security Gateways unmanaged instance group. (If you created two unmanaged instance groups, select both by adding another backend).

    4. In Health check, click Create a new health check:

      1. Enter a name for the health check. For example, "cloudguard-gateways-healthchecks".

      2. For Port number, enter 8117. (Other ports are not supported.)

      3. Click Save and continue.

    5. From Session affinity, select Client IP and protocol.

    Frontend configuration

    1. Enter a name for the frontend. For example, "app1-ext-frontend".

    2. In IP, select a static Public IP address or create a new one.

    3. In Port, select the port on which this frontend should listen.

    4. Click Review and finalize to review the External Load Balancer configuration.

    5. Click Create.

  3. Create an Internal Load Balancer in Google Cloud Console.

    1. Open the Load Balancing section in Google Cloud Console.

    2. Click Create.

    3. Select Type > Network Load Balancing. Click Next.

    4. Select Passthrough load balancer. Click Next.

    5. Select Internal ("Only between VMs").

    6. Click Configure.

    Backend configuration

    1. Enter a name for the new Internal Load Balancer.

    2. Select the region where the Security Gateways High Availability Cluster was deployed.

    3. Choose the internal network the Internal Load Balancer will be facing.

    4. From the Instance group drop-down list, select the deployed Security Gateways unmanaged instance group. (If you created two unmanaged instance groups, select both by adding another backend).

    5. In Health check, click Create a new health check (if you have already created one for the External Load Balancer, you can use it here as well):

      1. Enter a name for the health check. For example, "cloudguard-gateways-healthchecks".

      2. For Port number, enter 8117. (Other ports are not supported.)

      3. Click Save and continue.

    6. From Session affinity, select Client IP and protocol.

    Frontend configuration

    1. Enter a name for the frontend. For example, "app1-int-frontend".

    2. In IP, select a static internal IP address or create a new one.

    3. In Port, select All.

    4. Click Review and finalize to review the Internal Load Balancer configuration.

    5. Click Create.

  4. Create Firewall and NAT Rules to allow inbound traffic to the published service or application.

    The HA Cluster deployed using the Google Cloud Marketplace template creates a network interface in the external and internal networks. Each Security Gateway in the Cluster has a dynamic object for each network interface. This allows for easier and clearer configuration of Firewall and NAT rules.

    A dynamic object is a "logical" object where the IP address is resolved differently for each Security Gateway.

    With a dynamic object for each network interface, you can describe Firewall and NAT rules. This dynamic object uses the network interface on which the Security Gateway sends or receives traffic without explicitly stating its IP address.

    These dynamic objects are created automatically on each Security Gateway in the Cluster:

    Network

    Interface

    Dynamic Object

    External

    eth0

    LocalGatewayExternal

    Internal

    eth1

    LocalGatewayInternal

    How to create dynamic objects

    Note - Dynamic objects on the Security Gateway are created automatically.

    To create dynamic objects on the Security Management Server, do these steps:

    1. In SmartConsole, connect to the Security Management Server (or to the Domain Management Server in the Multi-Domain Security Management Server environment).

    2. Create a Dynamic ObjectClosed Special object type, whose IP address is not known in advance. The Security Gateway resolves the IP address of this object in real time. named LocalGatewayExternal. For this, in the Object Browser, click New > More > Network Object > Dynamic Object. A Dynamic Object window opens.

      Note - Skip this step if the corresponding Dynamic Object already exists.

    3. Enter the name of the object. For example, LocalGatewayExternal.

    4. Click OK.

    5. Repeat Step b for LocalGatewayInternal.

    How to create the External Load Balancer Host object

    Note - Create a Host object for each Public IP address published on the External Load Balancer.

    To create the External Load Balancer Host object, do these steps:

    1. In the Object Browser, click New > More > Network Object > Host.
      The Host window opens.

    2. Enter a descriptive name (for example, App1-ELB).

    3. Enter the External Load Balancer's Public IP address.

      Example:

    How to create the Internal Load Balancer Host object

    Note - Create a Host object for each Internal Load Balancer.

    To create the Internal Load Balancer Host object, do these steps:

    1. In the Object Browser, click New > More > Network Object > Host. The Host window opens.

    2. Enter a descriptive name (for example, App1-ILB).

    3. Enter the Internal Load Balancer's Private IP address.

      Example:

    Notes:

    • GCP TCP Load Balancers forward traffic to the CloudGuard Security Gateways without changing the destination address of the original request. The request's destination address remains the Public IP address of the External Load Balancer.

    • If you have not created an outbound CA certificate, follow the instructions below to create one.

    Important - You must have an Outbound CA certificate for an inbound SSL inspection use case.
    How to create a Firewall rule

    Do these steps:

    Step

    Description

    1

    For each GCP forwardingClosed Process of transferring of an incoming traffic from one Cluster Member to another Cluster Member for processing. There are two types of forwarding the incoming traffic between Cluster Members - Packet forwarding and Chain forwarding. For more information, see "Forwarding Layer in Cluster" and "ARP Forwarding". rule, create a corresponding Firewall rule with these values:

    Source:

    Any (or any other applicable value)

    Destination

    The Public IP address on the External Load Balancer that will accept this traffic.
    For example, App1-ElB.

    Services:

    The service on which the External Load Balancer is listening. For example, http.

    Example:

    Name

    Source

    Destination

    Services &

    Applications

    Data

    Action

    Track

    Allow

    Appl

    All_Internet

    App1-ELB

    http

    *

    Any

    Accept

    Log

    2

    For each Load Balancer rule, create an applicable NAT rule with these values:

    Rule

    Value

    Original Source

    All_Internet (do not use "Any")

    Original Destination

    App1-ELB

    Original Services

    The service on which the External Load Balancer is listening (HTTP).

    Translated Source

    LocalGatewayInternal- Right-click on the cell and set the NAT Method to Hide.

    Host

    The Host object representing the Internal Load Balancer.

    Translated Service

    HTTP (or any service representing the port on which the Internal Load Balancer is listening).

    Example:

    Original
    Source

    Original
    Destination

    Original
    Services

    Translated
    Source

    Translate
    Destination

    Translated
    Service

    All_Internet

    App1 ELB

    http

    H LocalGatewayInternal

    S App1 ILB

    Original

    How to set the HTTPS Inspection

    Do these steps:

    1. In SmartConsole, go to each Security Gateway object and click the HTTPS Inspection tab.

    2. Click Server Certificates > Create Certificate.

    3. Enter the required information and click OK.

    4. Create an HTTPS service similar to the HTTP service from the Create Firewall and NAT Rules to allow inbound traffic to the published service or application. section (select port number 8443).

    5. In the Security policy, go to the HTTPS inspection table and add this rule:

    6. Save the changes. Click the diskette icon at the top or press CTRL+S.

    7. Publish the changes in SmartConsole.

    8. Install the Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. on any existing CloudGuard Security Gateway.

  5. Configure a GCP route.

    For the traffic to pass through the Internal Load Balancer, add a route with priority 0 in the internal VPCs in GCP. For example:

  6. Configure subnets on the Security Management Server.

    1. On the Security Management Server, create a table of subnets that are transferred to the Security Gateways after policy installation.

    2. Add this section to the $FWDIR/conf/user.def.FW1 file on the Security Management Server:

      Copy 
      cloud_balancer_ips = {
                                      <35.191.0.1, 35.191.255.254>,
                                      <130.211.0.1, 130.211.3.254>,
                                      <209.85.152.1, 209.85.155.254>,
                                      <209.85.204.1, 209.85.207.254>
                                  };

      Important - For R82 Security Management Server, add the section above to these files:

      • $FWDIR/conf/user.def.FW1

      • $FWDIR/conf/user.def.R8120CMP

    3. Install the policy.

For more information on Google's Load Balancer, refer to: https://cloud.google.com/load-balancing/docs/network/.

Step 6: Enable Outbound Traffic

To enable outbound traffic:

  1. From SmartConsole, connect to the Security Management Server.

  2. Find the Security Cluster object in the Gateways & Servers tab.

  3. Select the NAT tab.

  4. Select the Hide internal networks behind the Gateway's external IP checkbox.

  5. Click OK.

  6. Install policy.

Note - NAT does not support connection synchronization during failover. If you configure the cluster to always hide the internal networks (by selecting to automatically add address translation rules - instead of the option described above) this prevents connection synchronization in additional use cases, such as East-West traffic between internal VPCs.

Step 7: Create Object LocalGatewayExternal in SmartConsole

In SmartConsole, create the Dynamic object called LocalGatewayExternal.

This object represents the Cluster Member's Private IP addresses.

Note - This Dynamic object step is used in Step 9: Configure VPN.

Step 8: Configure Inbound Protection (Without Load Balancers)

  • You need to configure Access Control and NAT rules for North-South inbound traffic.

  • You can configure the Cluster's External IP address to listen on the TCP port 443, and forward this traffic to the Active Cluster Member. The Active Cluster Member then inspects the traffic and forward it to the Application server on the TCP port 8084.

  • The Active Cluster Member uses NAT to forward traffic, that belongs to the two web applications, to the appropriate web server.

  • NAT rules are defined with the special Dynamic Object.

  • The Dynamic object LocalGatewayExternal represents the Private IP addresses of the external interface of Member 1 and Member 2.

  • For more information, see Step 4: Create Object LocalGatewayExternal in SmartConsole.

Step

Description

1

Connect with SmartConsole to your Security Management Server.

2

Create a host object to represent:

  • The specific host that you want to access through the Internet.

3

Create a new TCP service.

Do the following for each internal port, such as port 8081.

Do these steps:

  1. Click the Objects menu > More object types > Service > New TCP.

  2. Enter a descriptive name. For example: http-8081

  3. In the Protocol field, select the applicable protocol (such as HTTP or HTTPS).

  4. In the Port field, select Customize and enter the port number. For example: 8081

  5. Click OK.

Create a NAT rule with these values.

NAT Rule

Value

Rule No

1

Original Source

All_Internet (do not use *Any)

Original Destination

LocalGatewayExternal

Original Services

The service object that represents the internal port.

Translated Source

Original

Translated Destination

The Host object that represents your web server.

Translated Services

The service object that represents the port on which the Active member listens (for example, HTTP).

Install On

*Policy Targets

About this NAT rule:

  • Matches any traffic that arrives at the CloudGuard Security Gateway on the applicable internal port.

  • Translates the destination IP address to the IP address of the Web Servers.

Step 9: Configure VPN

For more information, see the Check Point Security Management Administration Guide for your Management Server version.

Step

Description

1

Create a Network Group object to represent the encryption domain of the cluster:

  1. In SmartConsole, click the Objects menu > Object Explorer.

  2. From the top toolbar, select New > Network Group.

  3. In the Enter Object Name field, enter the desired name.

  4. Click the + icon and select the applicable network objects.

  5. Click OK.

  6. Close the Object Explorer.

2

Edit the cluster object:

  1. In SmartConsole, from the left navigation panel, click Gateways & Servers.

  2. Double-click the cluster object.
    The Gateway Cluster Properties window opens.

3

Configure your Network Group as the encryption domain of the cluster object:

  1. In SmartConsole, from the left navigation panel, click Gateways & Servers.

  2. Double-click the cluster object.
    The Gateway Cluster Properties window shows.

  3. In the cluster object left tree, click Network Management > VPN Domain.

  4. Select Manually defined.

  5. In the right corner of this field, click the [...] button and select the Network Group object created in Step 1.

4

Configure the VPN community:

  1. In the cluster object left tree, click IPsec VPN.

  2. In the section This Security Gateway participates in the following VPN Communities, select the applicable VPN community.

5

Configure the outgoing VPN interface:

6

Configure the VPN Community to use Permanent Tunnels:

  1. In SmartConsole, click the Objects menu > Object Explorer.

  2. In the left tree, clear all checkboxes except for VPN Communities.

  3. Double-click the VPN community, in which this cluster object participates.
    The VPN Community windows opens.

  4. In the left tree, click Tunnel Management.

  5. Select Set Permanent Tunnels.

  6. Select the applicable option.

  7. To close the VPN Community properties window, click OK.

  8. Close the Object Explorer.

7

Install the applicable Access Control Policy on the cluster object.

Check Point's Remote Access VPN solutions let you create a VPN tunnel between a remote user and the internal network.

Remote Access VPN is supported with GCP HA in the version R81.20 and higher.

For more information, see the R82 Remote Access VPN Administration Guide.

Step 10: (Optional) Deploying an Additional HA Cluster in a Shared VPC

Important - Version B991001727 or higher is required for this deployment.


To verify your version number:

  1. SSH into your machine.

  2. Run cat /etc/cloud-version.

Step

Description

1

Locate the configuration file on each HA cluster member:

$FWDIR/conf/gcp-ha.json

2

Add the "shared_internal_vpc" parameter to the end of the configuration file and set it to true:

"shared_internal_vpc": true

3

Load the new configuration on each HA cluster member. Use this command:

kill -9 $(cpwd_admin getpid -name GCP_HAD)

Notes:

  • Configure different CIDR ranges in "dest_ranges" for each HA deployment. This prevents routing conflicts between clusters.

  • New route format: x-chkp-<deployment_name>vpc<vpc_index>-<dst_range>.