Scale-In and Scale-Out Events in CloudGuard Network for OCI Instance Pools

Oracle Autoscale adjusts the number of CloudGuard Network Security Gateways in the Instance pool based on the traffic load.

It uses two main events:

  • Scale Out: Adds Security Gateways to the Instance pool when the traffic load increases.

  • Scale In: Removes Security Gateways from the Instance pool when the traffic load decreases.

To view or edit Oracle Autoscale settings, go to OCI Portal > Compute > Autoscaling Configurations.

Default Security Gateway CPU thresholds to trigger autoscaling events:

  • Scale Out: Triggers at 80% CPU use (5-minute average).

  • Scale In: Triggers at 60% CPU use (5-minute average).

Note - To use CloudGuard Metrics as triggers for scale-in and scale-out events, you need special permissions. For more information, see Adding proper permissions for metrics.

Scale Out

When a scale-out event triggers:

  1. Oracle Autoscale launches new Security Gateways.

  2. New Security Gateways automatically run the First Time Configuration Wizard and reboot.

  3. The Security Management Server:

    1. Detects new Security Gateway instances.

    2. Creates a Secure Internal Communication (SIC) channel with these Security Gateway instances.

    3. Installs a Security Policy on each new Security Gateway.

  4. The External Load Balancer starts sending traffic to these new Security Gateways.

Note - New Security Gateways report their status and send logs to the Security Management Server.

Scale In

When a scale-in event triggers:

  1. Oracle Autoscale marks one or more Security Gateways as candidates for termination.

  2. The External Load Balancer stops sending traffic to marked Security Gateways.

  3. Oracle Autoscale terminates marked Security Gateways.

  4. The Security Management Server removes terminated Security Gateways from its database.

Important - Keep at least two Security Gateways (one in each Availability Zone) running for redundancy and availability.
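
Added example (not part of the original Check Point documentation): a small audit that checks an exported autoscaling configuration against the default CPU thresholds and the two-gateway minimum described above. The JSON shape and kebab-case key names are assumed to match `oci autoscaling configuration get` output, and `sample_config` builds constructed sample data.

```python
MIN_GATEWAYS = 2  # from the page: keep at least two Security Gateways running


def sample_config(min_cap, scale_out_cpu, scale_in_cpu):
    """Constructed sample shaped like `oci autoscaling configuration get`
    output. The kebab-case key names are an assumption; adjust as needed."""
    def rule(step, operator, cpu):
        return {"action": {"type": "CHANGE_COUNT_BY", "value": step},
                "metric": {"metric-type": "CPU_UTILIZATION",
                           "threshold": {"operator": operator, "value": cpu}}}
    return {"data": {"policies": [{
        "policy-type": "threshold",
        "capacity": {"initial": 2, "max": 6, "min": min_cap},
        "rules": [rule(1, "GT", scale_out_cpu), rule(-1, "LT", scale_in_cpu)],
    }]}}


def audit_autoscaling(config):
    """Return findings (strings) for one autoscaling configuration."""
    findings = []
    for idx, policy in enumerate(config["data"]["policies"]):
        min_cap = policy.get("capacity", {}).get("min", 0)
        if min_cap < MIN_GATEWAYS:
            findings.append(f"policy {idx}: min capacity {min_cap} is below {MIN_GATEWAYS}")
        scale_out = scale_in = None
        for r in policy.get("rules", []):
            if r["metric"]["metric-type"] != "CPU_UTILIZATION":
                continue  # only the CPU triggers described on the page
            cpu, step = r["metric"]["threshold"]["value"], r["action"]["value"]
            if step > 0:
                scale_out = cpu
            elif step < 0:
                scale_in = cpu
        if scale_out is None or scale_in is None:
            findings.append(f"policy {idx}: missing CPU scale-out or scale-in rule")
        elif scale_in >= scale_out:
            # No gap between thresholds: the pool flaps, and each relaunched
            # gateway must redo first-time configuration, SIC and policy install.
            findings.append(f"policy {idx}: scale-in {scale_in}% >= scale-out {scale_out}%")
    return findings


if __name__ == "__main__":
    for label, cfg in (("defaults", sample_config(2, 80, 60)),
                       ("drifted", sample_config(1, 80, 85))):
        print(label, audit_autoscaling(cfg) or "OK")
```

An empty result means the configuration keeps the two-gateway floor and leaves a gap between the scale-in and scale-out thresholds.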

Testing Scale-In and Scale-Out Processes

The initial solution deployment process includes these steps:

  1. When the Check Point CloudGuard Network for OCI Instance Pools solution is deployed, it creates CloudGuard Network Security Gateways.

  2. Each new Security Gateway automatically runs the First Time Configuration Wizard. This usually takes 10 minutes to complete. Large Virtual Machines may require additional time.

  3. After configuration completes, the Security Management Server automatically installs the Security Policy on these Security Gateways.

  4. To verify deployment success, use SmartConsole to:

    • Confirm the Security Policy installation.

    • Verify log generation and transmission by Security Gateways.