Scale-In and Scale-Out Events in Cloud Firewall for OCI Instance Pools

Oracle Autoscale adjusts the number of Cloud Firewall Gateways in the Instance pool based on the traffic load.

It uses two main events:

  • Scale Out: Adds Cloud Firewall Gateways to the Instance pool when the traffic load increases.

  • Scale In: Removes Cloud Firewall Gateways from the Instance pool when the traffic load decreases.

To view or edit Oracle Autoscale settings, go to OCI Portal > Compute > Autoscaling Configurations.

Default Cloud Firewall Gateway CPU thresholds to trigger autoscaling events:

  • Scale Out: Triggers at 80% CPU use (5-minute average).

  • Scale In: Triggers at 60% CPU use (5-minute average).

Note - To use Cloud Firewall Metrics as triggers for scale-in and scale-out events, you need special permissions. For more information, see Adding proper permissions for metrics.

Scale Out

When a scale-out event triggers:

  1. Oracle Autoscale launches new Cloud Firewall Gateways.

  2. New Cloud Firewall Gateways automatically run the First Time Configuration Wizard and reboot.

  3. The Security Management Server:

    1. Detects new Cloud Firewall Gateway instances.

    2. Creates a Secure Internal Communication (SIC) channel with these Cloud Firewall Gateway instances.

    3. Installs a Security Policy on each new Cloud Firewall Gateway.

  4. The External Load Balancer starts sending traffic to these new Cloud Firewall Gateways.

Note - New Cloud Firewall Gateways report their status and send logs to the Security Management Server.

Scale In

When a scale-in event triggers:

  1. Oracle Autoscale marks one or more Cloud Firewall Gateways as candidates for termination.

  2. The External Load Balancer stops sending traffic to marked Cloud Firewall Gateways.

  3. Oracle Autoscale terminates marked Cloud Firewall Gateways.

  4. The Security Management Server removes terminated Cloud Firewall Gateways from its database.

Important - : Keep at least two Cloud Firewall Gateways (one in each Availability Zone) running for redundancy and availability.

Testing Scale-In and Scale-Out Processes

The initial solution deployment process includes these steps:

  1. When the Check Point Cloud Firewall for OCI Instance Pools solution is deployed, it creates Cloud Firewall Gateways.

  2. Each new Cloud Firewall Gateway automatically runs the First Time Configuration Wizard. This usually takes 10 minutes to complete. Large Virtual Machines may require additional time.

  3. After configuration completes, the Security Management Server automatically installs the Security Policy on these Cloud Firewall Gateways.

  4. To verify deployment success, use SmartConsole to:

    • Confirm the Security Policy installation.

    • Verify log generation and transmission by Cloud Firewall Gateways.

Step

Description

1

Connect to the Cloud Firewall Gateway command line interface (CLI) over SSH.

2

Enter Expert mode.

3

Download the CPU load simulation script (simulate_cpu_load.sh) from this link:

https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/common/simulate_cpu_load.sh

4

Place the script in the correct directory of the Cloud Firewall Gateway:

/var/tmp/simulate_cpu_load.sh

5

Set execute permissions to the script:

chmod u+x /var/tmp/simulate_cpu_load.sh

6

Validate script syntax:

sh -n /var/tmp/simulate_cpu_load.sh

7

Execute the script to simulate high CPU load:

./var/tmp/simulate_cpu_load.sh

8

In a separate terminal, monitor CPU load (it must be at a high level):

top

Note - After 10 minutes of high CPU load, a scale-out event triggers. Oracle Autoscale provisions a new Cloud Firewall Gateway.

9

After the new Cloud Firewall Gateway is provisioned, press any key to stop the simulation script on the original Cloud Firewall Gateway.

10

In a separate terminal, monitor CPU load (it must return to normal levels):

top

Note - After 10 minutes of normal CPU load, a scale-in event triggers. Security Management Server automatically removes the newly provisioned Cloud Firewall Gateway.