Scaling In and Scaling Out
GCP Autoscale adjusts the number of Cloud Firewall Gateways in the MIG (Managed Instance Group) based on the traffic load.
It uses two main events:
- Scale Out: Adds Cloud Firewall Gateways to the MIG when the traffic load increases.
- Scale In: Removes Cloud Firewall Gateways from the MIG when the traffic load decreases.
Default Cloud Firewall Gateway CPU thresholds that trigger autoscaling events:
- Scale Out: Triggers at 80% CPU use (5-minute average).
- Scale In: Triggers at 60% CPU use (5-minute average).
Scale Out
When a scale-out event triggers:
- GCP Autoscale launches new Cloud Firewall Gateways.
- New Cloud Firewall Gateways automatically run the First Time Configuration Wizard and reboot.
- The Cloud Management Extension (CME) on the Security Management Server:
  - Detects new Cloud Firewall Gateway instances.
  - Establishes a Secure Internal Communication (SIC) channel with these Cloud Firewall Gateway instances.
  - Installs a Security Policy on each new Cloud Firewall Gateway.
- The Internal Load Balancer starts sending traffic to these new Cloud Firewall Gateways.
Note - For R81.10 and higher, Cloud Firewall Gateways automatically respond to health checks on port 8117 after CME configuration. New Cloud Firewall Gateways report their status and send logs to the Security Management Server.
Scale In
When a scale-in event triggers:
- GCP Autoscale marks one or more Cloud Firewall Gateways as candidates for termination.
- The Internal Load Balancer stops sending traffic to the marked Cloud Firewall Gateways.
- GCP Autoscale terminates the marked Cloud Firewall Gateways.
- The Security Management Server removes the terminated Cloud Firewall Gateways from its database.
Important - Keep at least two Cloud Firewall Gateways (one in each Availability Zone) running for redundancy and availability.
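As an added illustration (not Check Point's code or documentation), the following Python model replays the scale-out and scale-in rules above (80% and 60% CPU, 5-minute average, a floor of two gateways) against a constructed per-minute CPU trace; the one-gateway-per-decision step, the absence of a provisioning delay and the instance cap are simplifying assumptions.

```python
from collections import deque
from statistics import mean

SCALE_OUT_CPU = 80.0   # percent, 5-minute average (page default)
SCALE_IN_CPU = 60.0    # percent, 5-minute average (page default)
WINDOW = 5             # minutes in the rolling average
MIN_GATEWAYS = 2       # one per Availability Zone, as the page requires
MAX_GATEWAYS = 10      # assumed cap for this model


def decide(avg_cpu, gateways, max_gateways=MAX_GATEWAYS):
    """Return 'scale_out', 'scale_in' or 'hold' for one evaluation.

    Between 60% and 80% nothing happens: that band is the hysteresis that
    keeps the group from flapping. Scale-in never goes below MIN_GATEWAYS.
    """
    if avg_cpu >= SCALE_OUT_CPU:
        return "scale_out" if gateways < max_gateways else "hold"
    if avg_cpu <= SCALE_IN_CPU and gateways > MIN_GATEWAYS:
        return "scale_in"
    return "hold"


def simulate(samples, gateways=MIN_GATEWAYS):
    """samples: per-minute MIG-wide average CPU percentages (constructed).

    Returns a list of (minute, rolling_avg, decision, gateways_after).
    The model does not wait the ~10 minutes a new gateway needs for the
    First Time Configuration Wizard, so real deployments also rely on the
    autoscaler's cool-down to avoid over-provisioning during that window.
    """
    window = deque(maxlen=WINDOW)
    history = []
    for minute, cpu in enumerate(samples, start=1):
        window.append(cpu)
        if len(window) < WINDOW:          # not enough data for a 5-min average
            history.append((minute, None, "warming_up", gateways))
            continue
        avg = round(mean(window), 1)
        decision = decide(avg, gateways)
        if decision == "scale_out":
            gateways += 1
        elif decision == "scale_in":
            gateways -= 1
        history.append((minute, avg, decision, gateways))
    return history


def run_example():
    # Constructed trace: a traffic spike followed by a return to idle.
    trace = [50, 55, 60, 70, 85, 90, 92, 88, 75, 65, 55, 50, 45, 40, 35, 30]
    return simulate(trace)
```

Minute 7 shows why the average matters: the instantaneous CPU is 92% but the 5-minute average is 79.4%, so no scale-out fires yet; at the end the group stays at two gateways even though CPU is 40%.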
Testing Scale-In and Scale-Out Processes
The initial solution deployment process includes these steps:
- After the Cloud Firewall for GCP Network Security Integration solution is deployed, it creates Cloud Firewall Gateways with the autoprovtool.
- Each new Cloud Firewall Gateway automatically runs the First Time Configuration Wizard. This usually takes 10 minutes to complete. Large Virtual Machines may require additional time.
- After configuration is completed, the Security Management Server automatically installs the Security Policy on these Cloud Firewall Gateways.
- To verify deployment success, use SmartConsole to:
  - Confirm the Security Policy installation.
  - Verify log generation and transmission by Cloud Firewall Gateways.
| Step | Description |
|---|---|
| 1 | Connect to the Cloud Firewall Gateway command line interface (CLI) over SSH. |
| 2 | Enter Expert mode. |
| 3 | Create a script to load the CPUs of Cloud Firewall Gateways at … Or download the script from the Check Point repository and put it to the … |
| 4 | Set execute permissions to the script: … |
| 5 | Execute the script to simulate a high CPU load: … |
| 6 | Monitor CPU load in a separate terminal (it must be at a high level): … |
| 7 | After the new Cloud Firewall Gateway is provisioned, press any key to stop the simulation script on the original Cloud Firewall Gateway. |
| 8 | Monitor CPU load in a separate terminal (it must return to normal levels): … |