Configuring OCI Cluster in Check Point Security Management
CloudGuard Network Security Gateway
You can manage the Security Gateway (the dedicated Check Point server that inspects traffic and enforces Security Policies for the connected network resources) in several different configurations:
- Standalone - The Security Gateway handles its own management locally.
- Centrally Managed (On-Premises) - The Security Gateway is managed by a Security Management Server located outside the cloud virtual network, on-premises.
- Centrally Managed (Cloud) - The Security Gateway is managed by a Security Management Server (Single-Domain or Multi-Domain) located in the same cloud virtual network.
CloudGuard Cluster Configuration
1. Use Check Point SmartConsole to connect to the Check Point Security Management Server.
2. To create a new Check Point Cluster (two or more Security Gateways that work together in a redundant High Availability or Load Sharing configuration), in the Cluster menu, click the star icon and select Cluster...
3. Select Wizard Mode.
4. Enter a name for the cluster object (for example, checkpoint-oci-cluster). In the Cluster IPv4 Address field, enter the public IP address allocated to the Cluster (the secondary public IP address of the primary vNIC) and click Next.
Note - To see the Cluster IP address in the OCI portal, select the CloudGuard active member's primary vNIC and then select its secondary Public IP address. The primary vNIC is the first vNIC of the deployed instance.
5. Click Add to add Cluster members.
6. Configure the Cluster member's properties:
- In the Name field, enter the name of the first Cluster member (for example, member1).
- In the IPv4 Address field: if you manage the cluster from the same VCN, enter the member's primary private IP address of the primary vNIC. Otherwise, enter the member's primary public IP address of the primary vNIC.
- In the Activation Key field, enter the SIC (Secure Internal Communication) key you defined for the CloudGuard Cluster member in the First Time Configuration Wizard.
- In the Confirm Activation Key field, re-enter the key and click Initialize. The Trust State field must show "Trust established".
- Click OK.
7. Repeat steps 5-6 to add the second CloudGuard Cluster member. Click Next.
8. In the new window, click Finish.
9. Configure the cluster interfaces:
- Click the cluster object checkpoint-oci-cluster.
- Click Network Management.
- Double-click eth0.
- Click General.
- Select Network Type "Cluster" and enter the member's secondary private IP address of the primary vNIC (this defines the first VIP).
- Click OK.
- In Network Management, double-click eth1.
- Click General.
- Select Network Type "Cluster + Sync" and enter the member's secondary private IP address of the secondary vNIC (this defines the second VIP).
- Click OK and exit the cluster object configuration dialog.
10. Configure NAT rules to provide Internet connectivity to the internal subnet (publish services).
11. Configure and install the Security Policy on the cluster.
12. Set the perform_cluster_hide_fold attribute for the relevant cluster object on the Security Management Server to 0. Refer to sk170296 for details.
Note - For new deployments, this step is optional.
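The cluster-object procedure above can also be prepared and checked outside SmartConsole. The script below is an added example, not Check Point's own code: it applies the address rules the steps state (public secondary IP as the cluster address, private primary IP or public primary IP per member depending on where the management server sits, eth0 as "Cluster" and eth1 as "Cluster + Sync" with secondary private IPs as VIPs) to a constructed plan, and emits the request body for the Management API command "add simple-cluster". All addresses, member names and SIC placeholders are constructed; the API command and field names ("ip-address", "interface-type", "members", "one-time-password", "cluster-mode") are assumed to match the release you run and should be checked against its API reference.

```python
"""Plan and validate a CloudGuard OCI cluster object before creating it.

Added example (not Check Point's own code). It applies the address rules from
the SmartConsole procedure and emits a body for the Management API command
"add simple-cluster". Field names are assumed; verify against your API reference.
"""
import ipaddress
import json

# Constructed sample values (not from the page).
CLUSTER_NAME = "checkpoint-oci-cluster"
CLUSTER_PUBLIC_VIP = "203.0.113.10"   # secondary public IP of the primary vNIC
MANAGED_FROM_SAME_VCN = True          # Security Management Server inside the VCN?

# Cluster interfaces as in step 9: eth0 = primary vNIC ("Cluster"),
# eth1 = secondary vNIC ("Cluster + Sync"); each VIP is a secondary private IP.
CLUSTER_INTERFACES = [
    {"name": "eth0", "vip": "10.0.1.100", "mask": "255.255.255.0", "type": "cluster"},
    {"name": "eth1", "vip": "10.0.2.100", "mask": "255.255.255.0", "type": "cluster + sync"},
]

# Per member: primary private/public IP of the primary vNIC, the primary
# private IP of each vNIC, and the SIC activation key (placeholder here).
MEMBERS = [
    {"name": "member1", "private_ip": "10.0.1.11", "public_ip": "203.0.113.11",
     "eth0": "10.0.1.11", "eth1": "10.0.2.11", "sic_key": "SIC-KEY-PLACEHOLDER-1"},
    {"name": "member2", "private_ip": "10.0.1.12", "public_ip": "203.0.113.12",
     "eth0": "10.0.1.12", "eth1": "10.0.2.12", "sic_key": "SIC-KEY-PLACEHOLDER-2"},
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_vcn_private(addr: str) -> bool:
    """OCI VCN addresses are RFC 1918; anything else is treated as public here."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def management_address(member: dict, same_vcn: bool) -> str:
    """Step 6 'IPv4 Address': private primary IP when managed from the same VCN,
    otherwise the member's public primary IP."""
    return member["private_ip"] if same_vcn else member["public_ip"]


def validate_plan(cluster_vip: str, interfaces: list, members: list) -> list:
    """Return a list of rule violations (an empty list means the plan is consistent)."""
    problems = []
    if is_vcn_private(cluster_vip):
        problems.append(f"cluster VIP {cluster_vip} must be the public secondary IP, not a VCN-private address")
    if len(members) < 2:
        problems.append("a cluster needs at least two members")
    if len({m["name"] for m in members}) != len(members):
        problems.append("member names must be unique")
    for iface in interfaces:
        name, vip = iface["name"], ipaddress.ip_address(iface["vip"])
        subnet = ipaddress.ip_network(f"{iface['vip']}/{iface['mask']}", strict=False)
        if not is_vcn_private(iface["vip"]):
            problems.append(f"{name}: VIP {vip} must be a secondary private IP")
        for m in members:
            addr = ipaddress.ip_address(m[name])
            if addr == vip:
                problems.append(f"{name}: {m['name']} uses the VIP {vip} as its own address")
            elif addr not in subnet:
                problems.append(f"{name}: {m['name']} address {addr} is outside {subnet}")
    return problems


def build_add_simple_cluster(cluster_name, cluster_vip, interfaces, members, same_vcn) -> dict:
    """Build the 'add simple-cluster' body (ClusterXL High Availability) or raise ValueError."""
    problems = validate_plan(cluster_vip, interfaces, members)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "name": cluster_name,
        "ip-address": cluster_vip,
        "cluster-mode": "cluster-xl-ha",
        "interfaces": [
            {"name": i["name"], "ip-address": i["vip"], "network-mask": i["mask"],
             "interface-type": i["type"]}
            for i in interfaces
        ],
        "members": [
            {"name": m["name"],
             "ip-address": management_address(m, same_vcn),
             "one-time-password": m["sic_key"],
             "interfaces": [
                 {"name": i["name"], "ip-address": m[i["name"]], "network-mask": i["mask"]}
                 for i in interfaces
             ]}
            for m in members
        ],
    }


if __name__ == "__main__":
    body = build_add_simple_cluster(CLUSTER_NAME, CLUSTER_PUBLIC_VIP, CLUSTER_INTERFACES,
                                    MEMBERS, MANAGED_FROM_SAME_VCN)
    print(json.dumps(body, indent=2))
```

The printed JSON is meant to be sent, after a login call, as the body of the add-simple-cluster request to the management server's web API (endpoint name assumed); the NAT rules, policy installation and the perform_cluster_hide_fold attribute from steps 10-12 are outside what this example covers. The validation deliberately fails closed: a VCN-private cluster address, a public VIP on eth0/eth1, a member address outside the VIP's subnet, or a member reusing the VIP all stop the body from being produced.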
Adding Additional Secondary IPs to OCI Cluster
If secondary IP addresses other than the primary Cluster IP address have to be attached to the active Cluster member:
1. Attach all desired secondary IP addresses to the active Cluster member in the OCI console.
2. Push the policy to the Security Gateways.
Configure IPv6
To configure IPv6, refer to sk181535 - Configuring IPv6 for CloudGuard Network Security in Oracle Cloud Infrastructure (OCI).