Configuring OCI Cluster in Check Point Security Management

CloudGuard Network Security Gateway

You can manage the Security Gateway in several different configurations:

  • Standalone - The Security Gateway handles its own management locally.

  • Centrally Managed (On-Premises) - The Security Gateway is managed by a Security Management Server located outside the cloud virtual network, on-premises.

  • Centrally Managed (Cloud) - The Security Gateway is managed by a Security Management Server located in the same cloud virtual network.

CloudGuard Cluster Configuration

  1. Use Check Point SmartConsole to connect to the Check Point Security Management Server.

  2. To create a new Check Point Cluster, in the Cluster menu, click the star icon and select Cluster...

  3. Select Wizard Mode.

  4. Enter a cluster object's name (for example, checkpoint-oci-cluster). In the Cluster IPv4 Address field, enter the public IP address (secondary public IP address of the primary vNIC) allocated to the Cluster and click Next.

    Note - To see the Cluster IP address in the OCI portal, select the CloudGuard active member's primary vNIC and then select the secondary Public IP address (secondary public IP address of the primary vNIC; primary vNIC is the first vNIC of the deployed instance).

    Sample cluster configuration (screenshot not reproduced here).

  5. Click Add to add Cluster members.

  6. Configure the Cluster members properties:

    1. In the Name field, enter the name of the first Cluster member (for example, member1).

    2. In the IPv4 Address field: if you manage the cluster from the same VCN, enter the member's primary private IP address of the primary vNIC. Otherwise, enter the member's primary public IP address of the primary vNIC.

    3. In the Activation Key field, enter the SIC (Secure Internal Communication) key you defined for the CloudGuard Cluster member in the First Time Configuration Wizard.

    4. In the Confirm Activation Key field, re-enter the key and click Initialize. The Trust State field must show: "Trust established."

    5. Click OK.

      Example (screenshot not reproduced here).

  7. Repeat steps 5-6 to add the second CloudGuard Cluster member. Click Next.

    Example (screenshot not reproduced here).

  8. In the new window, click Finish.

  9. Click Finish.

  10. Configure cluster interfaces:

    1. Click the cluster object checkpoint-oci-cluster.

    2. Click Network Management.

    3. Double-click eth0.

    4. Click General.

    5. Select Network Type "Cluster" and enter the member's secondary private IP address of the primary vNIC (definition of the first VIP).

    6. Click OK.

    7. In Network Management, double-click eth1.

    8. Click General.

    9. Select Network Type "Cluster + Sync" and enter the member's secondary private IP address of the secondary vNIC (definition of the second VIP).

    10. Click OK and exit the cluster object configurations dialog.

  11. Configure NAT rules to provide Internet connectivity to the internal subnet (publish services).

  12. Configure and install the security policy on the cluster.

  13. Set the perform_cluster_hide_fold attribute for the relevant cluster object on the Security Management Server to 0. Refer to sk170296 for details.

    Note - For new deployments, this step is optional.

Adding Additional Secondary IPs to OCI Cluster

If secondary IP addresses other than the primary Cluster IP address have to be attached to the active Cluster member:

  1. Attach all desired secondary IP addresses to the active Cluster member in the OCI console.

  2. Push the policy to the Security Gateways.
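The address mapping in steps 4, 6 and 10 above, and the requirement that the secondary IPs sit on the active member, are easy to get wrong when typing into the wizard. The following pre-flight planner is an added example (not Check Point code): it derives the SmartConsole field values from a description of the two OCI members and rejects inconsistent input; all member names, subnets and IP addresses in it are constructed.

```python
"""Pre-flight planner for the cluster object above (added example, not Check Point
code): maps OCI vNIC addresses onto the SmartConsole fields and checks them."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Vnic:
    subnet: str                    # OCI subnet CIDR of this vNIC
    primary_private: str
    secondary_private: str = None  # VIP for this interface (held by the active member)
    primary_public: str = None
    secondary_public: str = None   # on the primary vNIC: the Cluster IPv4 Address

@dataclass
class Member:
    name: str
    primary_vnic: Vnic             # eth0
    secondary_vnic: Vnic           # eth1
    is_active: bool = False

def plan_cluster(members, mgmt_in_same_vcn):
    """Return the values for steps 4, 6 and 10; raise on inconsistent input."""
    active = [m for m in members if m.is_active]
    if len(active) != 1:
        raise ValueError("secondary IPs must be attached to exactly one (active) member")
    act = active[0]
    plan = {
        "cluster_ipv4": act.primary_vnic.secondary_public,              # step 4
        # step 6.2: private IP when managed from the same VCN, else public IP
        "members": {m.name: (m.primary_vnic.primary_private if mgmt_in_same_vcn
                             else m.primary_vnic.primary_public) for m in members},
        "eth0_cluster_vip": act.primary_vnic.secondary_private,         # step 10.5
        "eth1_cluster_sync_vip": act.secondary_vnic.secondary_private,  # step 10.9
    }
    if plan["cluster_ipv4"] is None or None in plan["members"].values():
        raise ValueError("an address required for this management placement is missing")
    # Each VIP must be a secondary IP inside the subnet of the vNIC it is defined on.
    for key, vnic in (("eth0_cluster_vip", act.primary_vnic),
                      ("eth1_cluster_sync_vip", act.secondary_vnic)):
        if plan[key] is None or ip_address(plan[key]) not in ip_network(vnic.subnet):
            raise ValueError(f"{key} {plan[key]} is not a secondary IP in {vnic.subnet}")
    return plan

# Constructed sample (all addresses invented): member1 is active and holds the secondary IPs.
MEMBERS = [
    Member("member1", Vnic("10.0.1.0/24", "10.0.1.11", "10.0.1.100", "203.0.113.11", "203.0.113.100"),
           Vnic("10.0.2.0/24", "10.0.2.11", "10.0.2.100"), is_active=True),
    Member("member2", Vnic("10.0.1.0/24", "10.0.1.12", primary_public="203.0.113.12"),
           Vnic("10.0.2.0/24", "10.0.2.12")),
]
```

Run `plan_cluster(MEMBERS, mgmt_in_same_vcn=True)` for a management server in the same VCN and `False` for an on-premises one; the returned dictionary lists exactly what to enter in each dialog.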

Configure IPv6

To configure IPv6, refer to sk181535 - IPv6 support for CloudGuard Network Security in Oracle Cloud Infrastructure (OCI).