Configure CloudGuard Network for OCI Instance Pools

Step 1: Prepare your OCI Account

The Check Point Security Management Server uses an API signing key to monitor Instance Pools and Security Gateway provisioning.

To set up user permissions:

  1. Create a permission group. For that:

    • In your OCI account, navigate to Identity & Security.

    • Under Identity, click Domains.

    • Select the target user domain.

    • On the left pane, click Groups.

    • Click Create Group to create a new group for autoscale permissions.

  2. Configure Security Policies. For that:

    • Navigate to Identity & Security > Policies.

    • Create a new policy for the previously created group (use the group name for <group_name>) with these permissions:

    Allow group <domain>/<group_name> to manage instance-family in compartment <compartment_name>

    Allow group <domain>/<group_name> to inspect vnic-attachments in compartment <compartment_name>

    Allow group <domain>/<group_name> to manage virtual-network-family in compartment <compartment_name>

    Allow group <domain>/<group_name> to inspect instance-pools in compartment <compartment_name>

  3. Assign target users to the created permission group. For that, go to the group and click Assign user to groups.

To generate an API Signing Key pair, refer to the OCI documentation for the most up-to-date instructions. After generating an API signing key, write down these values for the "Configure the Check Point Security Management Server" step:

  • User OCID

  • Tenancy OCID

  • Private API key.

To allow the Security Gateway to publish metrics to the Monitoring service, you must set up necessary permissions. For that:

  1. Create a Dynamic Group.

    • In your OCIaAccount, navigate to Identity & Security.

    • Under Identity, click Domains.

    • Click Create domain. For Domain type, select Free.

    • Click on the created domain. Under Identity domain, select Dynamic groups.

    • Click Create dynamic group. For the matching rules, select Match any rules defined below and add the following:

      Any {instance.compartment.id = '<compartment_name>'}

  2. Configure Security Policies. For that:

    • Navigate to Identity & Security/ > Policies.

    • Click Create Policy. For Policy Builder, press Show manual editor and add these permissions:

    allow dynamic-group <domain>/<dynamic_group> to use metrics in compartment <compartment_name>

Step 2: Install the Check Point Security Management Server

These steps are required only if you do not have an installed Check Point Security Management Server.

If you already have the Check Point Security Management Server installed, skip to Step 3.

Must start connections to the CloudGuard Network Security Gateways.

Must start connections to the Security Management Server. For example, to send logs.

From the OCI Marketplace, deploy the solution "CloudGuard Security Management".

Follow the instructions in the Check Point Installation and Upgrade Guide for your Management Server version.

Step 3: Configure the Check Point Security Management Server

Do these steps to manage Instance Pools with the Check Point Security Management Server:

  1. In SmartConsole, change the IP address of the Security Management Server object to be its public IP address.

  2. Downloading and Installing the Latest CME Version of CME.

  3. Configuring the CME on the Security Management Server

  4. Configure the Security Policy in SmartConsole.

Note - By default, each Check Point Security Gateway and Security Management Server's Gaia Portal is accessible from the internet by browsing to http://<virtual-machine-public-ip>. Restriction of access to the Gaia Portal is possible by configuring a Security List, or by configuring the Check Point Security Gateway and Management Server settings.

Step 4: Deploy the Check Point Instance Pool

To deploy the Check Point Instance Pool, do these steps:

  1. Find the stack by searching for "CloudGuard AutoScale - BYOL Stack" in the OCI marketplace, agree to the licensing terms, and click Launch Stack.

  2. Name your stack and add a description. Use the default Terraform version.

  3. Use these parameters in the Compute Configuration section:

    Parameter

    Description

    Compartment

    The OCI compartment where the Instance Pool is deployed.

    Minimum Instance Count in Pool

    The minimum number of CloudGuard Network Security Gateway instances in the Instance Pool.

    We recommend a minimum of two.

    Maximum Instance Count in Pool

    The maximum number of CloudGuard Network Security Gateway instances in the Instance Pool.

    Scale In CPU Threshold

    The CPU utilization threshold percentage to scale in.

    Scale Out CPU Threshold

    The CPU utilization threshold percentage to scale out.

  4. For the Network Configuration section, choose to either create a new VCN and subnets or use an existing one.

  5. Use these parameters in the Additional Configuration section:

    Parameter

    Description

    Name of the Existing Management with CME

    Must exactly match the management name configured in CME on the Security Management Server.

    Name of the Template for this stack.

    Must exactly match the configuration template name configured in CME on the Security Management Server.

    Management interface to use.

    Select which interface to use as the management interface for the Instance Pool:

    • eth0: frontend VNIC

    • eth1: backend VNIC

    Indicates if the management interface is using its public IP address or private IP address to connect.

    Public:

    Manage the Security Gateway Instance Pool with the public IP addresses of the instance.

    Private:

    Manage the Security Gateway Instance Pool with the private IP address of the instance. The Security Management Server must have access to the private IP addresses.

    Enable CloudGuard metrics

    Enable CloudGuard metrics to send statuses and statistics collected from instances to the OCI Monitor service.

    If the CloudGuard metrics are enabled:

    • The CloudGuard metrics agent starts to send metrics each minute.

    • The CloudGuard metrics are sent to the OCI Monitor resource immediately after the instance pool deployment is completed.

    Note - To allow the Security Gateway to publish metrics to the Monitoring service, you must set up necessary permissions. For that:

  6. After reviewing that everything is correct, click Create.

  7. The Stack Details page opens. Click Apply to start creation of the autoscale resources.

  8. The next screen shows the status updates as the deployment proceeds, allowing you to troubleshoot any problems if necessary.

The deployment includes a VCN and two subnets (if you decided not to use the existing subnets), two network Load Balancers, and an Instance Pool with the configured minimum number of Security Gateways.

After the deployment finishes successfully, it takes 1-3 minutes until the Security Management Server finishes the configuration. Autoscaling is ready when the health check of the Load Balancer passes (find it at OCI console > Compute > Instance Pools > Your Instance Pool Stack > Load Balancers > Health Check).

All resources can be deleted by clicking Destroy on the Stack Details page.

Step 5: Set Up the Load Balancers

By default, the stack you deploy creates an external and internal Load Balancer.

The External Load Balancer:

  • Listens on TCP port 80 on the static public IP address of the External Load Balancer.

  • Forwards the traffic it receives to the pool of Check Point CloudGuard Security Gateways on TCP port 8081.

  • Uses TCP health probes on port 8117 to know the health of the Check Point CloudGuard Network Security Gateways.

The Internal Load Balancer:

  • Listens and forwards all TCP or UDP traffic on all ports.

  • Uses TCP health probes on port 8117 to know the health of the Check Point CloudGuard Network Security Gateways.

Notes:

  • You cannot use ports 80, 443, 444, 8082, 8117, and 8880 for forwarded traffic.

  • In addition, you cannot use the ports defined in sk52421 (used by Check Point software), and 32768 – 65535 as defined in sk162619 (FWD daemon listening on multiple random high ports).

  • Do not change the health probes.

  • The Instance Pool deployment includes a default security list that allows all outbound and inbound traffic.

Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal'

You must also create these Dynamic Objects in SmartConsole:

  • LocalGatewayExternal

  • LocalGatewayInternal

Procedure:

  1. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

  2. Enter this exact name (case-sensitive, no spaces):

    LocalGatewayExternal

  3. Click OK.

  4. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

  5. Enter this exact name (case-sensitive, no spaces):

    LocalGatewayInternal

  6. Click OK.

  7. Publish the SmartConsole session

Step 6: Configure Inbound Protection

Step

Description

1

Connect with SmartConsole to your Security Management Server or Multi-Domain Server.

2

Create a host object to represent one of these:

  • The Application Load Balancer that is related to your backend Instance Pools.

  • The specific Application Host you want to access through the Internet.

You must do this for each Application Load Balancer you use to balance your servers.

Follow these steps:

    1. Click Objects menu > New Host.

    2. Enter a descriptive name. For example, application-load-balancer-app-1

    3. Enter the private IP address of the Application Load Balancer.

    4. Click OK.

3

Create a new TCP service to represent the internal port of the External Load Balancer or External Application Gateway configuration.

You must do this for each backend port, such as port 8081.

Do these steps:

    1. Click Objects menu > More object types > Service > New TCP.

    2. Enter a descriptive name. For example, http-8081.

    3. In the Protocol field, select the applicable protocol (such as HTTP or HTTPS).

    4. In the Port field, select Customize and enter the port number. For example, 8081.

    5. Click OK.

4

Create a corresponding Access Control rule for each External Load Balancer with these values:

No

Name

Source

Destination

VPN

Services & Applications

Action

Track

Install On

1

Descriptive name

Any

LocalGatewayExternal

Any

The service object that represents the internal port of the External Load Balancer

Accept

Log

Policy Targets

Note - Create only one LocalGatewayExternal object for each Security Management Server. See Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal'.

5

Create a NAT rule with these values for each Application Host or Application Load Balancer.

In the Translated Source column:

  1. Add the LocalGatewayInternal object.

  2. Right-click on the LocalGatewayInternal object > select NAT Method > click Hide.

No

Original Source

Original Destination

Original Services

Translated Source

Translated Destination

Translated Services

Install On

1

All_Internet

LocalGatewayExternal

The service object that represents the internal port of the External Load Balancer

LocalGatewayInternal

The Host object that represents the internal Application Host or Application Load Balancer

The service object that represents the port, on which the Internal Load Balancer or Application Host listens (for example, http)

Policy Targets

Note - Do not use *Any in the Original Source column.

 

This NAT rule:

  • Matches any traffic that arrives at the CloudGuard Security Gateway on the applicable backend port.

  • Translates the Source IP address to match the IP address of the CloudGuard Security Gateway that handles the connection ("eth1"). When you use this, the packets that return are routed to the correct CloudGuard Security Gateway.

  • Translates the destination IP address to the IP address of the Application Load Balancer or Application Host associated with the Web Servers.

6

Publish the session.

7

Install the Access Control Policy on the CloudGuard Security Gateways.

Step 7: Configure Outbound and East-West Protection

Configure UDR tables and NAT rules for Outbound and East-West traffic protection.

You can configure the Check Point Instance Pool to examine Outbound and East-West traffic across internal subnets.

To configure the traffic inspection from servers in internal private subnets, you must route traffic through the Check Point Instance Pool. Use the Check Point Internal Load Balancer as the Next hop in the private subnet UDR. The Internal Load Balancer then forwards all the traffic to one of the Check Point Security Gateways.

Configuring Outbound Protection

Step

Description

1

Connect with SmartConsole to your Security Management Server or Multi-Domain Server.

2

Create a Network object that represents the OCI VCN:

  1. Click Objects menu > New Network.

  2. Enter a descriptive name.

  3. From the left tree, click General.

    Enter the applicable information.

  4. From the left tree, click NAT.

    Select Add automatic address translation rules.

    This performs Static NAT for all outbound rules.

  5. Click OK.

3

In SmartConsole, from the left navigation panel, click Security Policies.

4

In the Access Control section, click NAT.

5

Make sure these Automatic NAT rules exist:

No

Original Source

Original Destination

Original Services

Translated Source

Translated Destination

Translated Services

Install On

2

AllVnet

AllVnet

Any

=Original

=Original

=Original

Policy Targets

3

AllVnet

Any

Any

HAllVnet

=Original

=Original

Policy Targets

6

In the Access Control section, click Policy.

7

Add this explicit Access Control rule:

Name

Source

Destination

VPN

Services & Applications

Action

Track

Install On

To Internet

AllVnet

All_Internet

Any

Any

Accept

Log

Policy Targets

8

In SmartConsole, install the Access Control Policy.

9

Connect to the OCI portal.

10

Add UDR rules with the Internal Load Balancer's private IP address as next hop.

NAME

ADDRESS PREFIX

NEXT HOP

to-internet

0.0.0.0/0

Private IP address of the Internal Load Balancer.

Configuring East-West Protection Between Internal Subnets.

Do these steps for each subnet:

Step

Description

1

Connect with SmartConsole to your Security Management Server or Multi-Domain Server.

2

Create a Network object:

  1. Click Objects menu > New Network.

  2. Enter a descriptive name (for example, "NetworkA").

  3. From the left tree, click General.

    Enter the applicable information.

  4. From the left tree, click NAT.

    Select Add automatic address translation rules.

    This performs Static NAT for all outbound rules.

  5. Click OK.

3

In SmartConsole, from the left navigation panel, click Security Policies.

4

In the Access Control section, click NAT.

5

Make sure these Automatic NAT rules exist:

No

Original Source

Original Destination

Original Services

Translated Source

Translated Destination

Translated Services

Install On

2

NetworkA

NetworkA

Any

= Original

= Original

= Original

Policy Targets

3

NetworkA

Any

Any

HNetworkA

= Original

= Original

Policy Targets

6

Create a Network Group object to represent the full internal address space:

  1. Click Objects menu > More object types > Network Object > Group > New Network Group.

  2. Enter a descriptive name. For example, AllInternalAddressSpace.

  3. Add the VCN's Network objects you created in Step 2.

  4. Click OK.

7

In the Access Control section, click NAT.

8

Add a Manual NAT rule to skip NAT for internal traffic between VCNs:

Original Source

Original Destination

Original Services

Translated Source

Translated Destination

Translated Services

Install On

Network Group object that represents the full internal address space (AllInternalAddressSpace)

Network Group object that represents the full internal address space (AllInternalAddressSpace)

Any

= Original

= Original

= Original

Policy Targets

9

In the Access Control section, click Policy.

10

Add this explicit Access Control rule to allow outbound access from the full internal address space to the Internet:

Name

Source

Destination

VPN

Services & Applications

Action

Track

Install On

To Internet

Network Group object that represents the full internal address space (AllInternalAddressSpace)

All_Internet

Any

Any

Accept

Log

Policy Targets

11

In SmartConsole, install the Access Control Policy.

12

Connect to the OCI portal.

13

Add UDR rules for each internal private subnet:

  1. Create the rule to 0.0.0.0/0, use the Internal Load Balancer’s private IP address as the next hop to monitor outbound traffic.

  2. Create the rule to a different internal private subnet, use the Internal Load Balancer’s private IP address as the next hop to monitor outbound traffic.

NAME

ADDRESS PREFIX

NEXT HOP

to-Internet

0.0.0.0/0

Private IP address of the Internal Load Balancer

to-internal-subnet

10.0.2.0/0

Private IP address of the Internal Load Balancer