Deploying a Check Point Cluster in Oracle Cloud Infrastructure

Known Limitations

Method of Operation

In a traditional Check Point Cluster, Cluster members use multicast or broadcast for state synchronization and health checks. However, Oracle CloudClosed Oracle Cloud is a cloud computing service offered by Oracle Corporation. It provides servers, storage, networks, applications, and services through a global network of Oracle Corporation-managed data centers. Infrastructure (OCI) does not support multicast and broadcast, so Check Point Cluster members communicate over unicast.

Additionally, a regular ClusterXL in High Availability mode uses Gratuitous ARP to announce the Active member's MAC address associated with the Virtual IP during normal operation and failover. In contrast, OCI leverages API calls.

When an Active OCI Cluster member fails, the Standby member takes over by:

This process allows the new Active Cluster member to take ownership of the cluster resources without using Gratuitous ARP in the OCI environment.

Oracle API Authentication

For the Cluster members to make API calls to Oracle automatically, they must have permissions to perform those API calls within the target compartment. This is accomplished through Oracle Identity Manager.

Assuming that all resources are in the same compartment, set these permissions:

Allow group <your_group> to use instance-family in compartment <your_compartment>

Allow group <your_group> to use virtual-network-family in compartment <your_compartment>

Note - For domain-based dynamic groups, use this structure:


Allow dynamic-group <domain>/<dynamic_group> ...

This guide covers how to:

By following these steps, the correct Cluster members get the necessary privileges to make Oracle API calls for automating failover and other cluster operations.

Solution Topology

This sample environment is used to explain the configuration steps. When implementing these steps in your own environment, be sure to substitute the IP addresses used in the examples with the actual IP addresses relevant to your specific setup.

CloudGuard Cluster Deployment

The Check Point CloudGuard Cluster solution for Oracle can be deployed using either a predefined template or a manual setup process.

Deployment using a Template (Recommended)

Follow these instructions to deploy the Check Point CloudGuard Cluster solution using a template:

  1. From the Navigation Menu, go to Marketplace > All Applications.

  2. Search for CloudGuard High Availability - BYOL Stack.

  3. Click Launch Stack.

  4. Select deployment options:

    1. Select the compartment where to create the stack.

    2. Select the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. version you want to deploy.

    Click Next.

  5. Fill out the stack information page as needed.

    Click Next.

  6. Configure the variables as needed.

    Click Next.

  7. Review the stack information and click Create.

  8. Connect to the two CloudGuard cluster members with the private key that matches the public key provided in the stack:

    ssh -i privateKey admin@<cluster-member-public-ip>

  9. Set the administrator password.

    • If the password hash was not provided in the stack, run these commands at the Clish prompt:

      set user admin password

      [YOUR_PASSWORD]

      save config

      exit

    • If the password hash was provided in the stack, proceed to the next step using the password from the password hash.

  10. Use a web browser to connect to the cluster members using the member public IP address: https://<member_public_ip>.

    • User name: admin

    • Password: [Your configured password]

  11. Configure the CloudGuard members and cluster in the Management SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. (see Configuring OCI Cluster in Check Point Security Management for more information).

Manual Deployment

Follow these instructions to deploy the Check Point's CloudGuard Cluster solution in Oracle. Perform the steps from the Oracle portal in the preferred compartment(s).

  1. Sign in to your OCI tenant account.

  2. Select the relevant CloudGuard listing from the Oracle Cloud Marketplace.

  3. Create a new VCN or select an existing VCN (for example, VCN with CIDR Block 10.0.0.0/16).

  4. Add two subnets to your VCN: one public subnet and one private subnet.

    • Frontend public subnet (Ex. - 10.0.0.0/24)

    • Backend private subnet (Ex. - 10.0.1.0/24)

    Optional: You can place each subnet in its own independent VCN. In this scenario, the VCN CIDR contains only one subnet which is the entire VCN CIDR.

    Example: VCN defined as 10.1.0.0/24 has one subnet that also uses 10.1.0.0/24

  5. Create a public subnet: for example, Frontend (CIDR Block 10.0.0.0/24).

    Optional: The Frontend subnet can also be private. In this case, you must set the default route for the Frontend subnet to use a Target Type of Service Gateway and a Destination Service of All <Region> Oracle Services in Oracle Services Network for the API calls to succeed.

  6. Create a private subnet: for example, Backend (CIDR Block 10.0.1.0/24).

    Final VCN configuration with two subnets: Frontend and Backend.

  7. Configure your VCN's Security List to allow all traffic on all protocols. This lets Check Point control and monitor all traffic.

  8. Create both CloudGuard Cluster members.

    By default, the Primary vNIC on each instance is attached to the Frontend subnet.

  9. Add a Secondary vNIC to each Cluster member.

    Notes:

    • Connect the Primary vNIC to the Frontend subnet; Connect the Secondary vNIC to the Backend subnet.

    • You must ensure both vNICs of each Cluster member are configured with the check box for Skip source/destination check.

  10. Select one of the Cluster members and add a new Secondary Private IP address to the Primary vNIC.

  11. Create a reserve Public IP address and attach it to the Secondary Private IP address you created in step 10. This represents the cluster IP address.

  12. Create one more Secondary private IP and attach it to the member's Secondary vNIC of the slected member from step 10 (secondary VIP for outbound traffic).

  13. Add these new routing tables to the Private Subnet (the Backend subnet, that you configure after you add the Additional Secondary vNIC) and the Public subnet, respectively. This rule redirects the traffic to the Secondary Private IP address of the Secondary vNIC (traffic goes through the VIP).

  14. Add this Route Table to the Public Subnet (Frontend):

  15. Create a Dynamic Group and include the two Cluster members in this Dynamic Group (in this example, the group name is cp_cluster_group). To create the rules which define the Dynamic Group, use the OCI Rule Builder and create two different rules, one for each Cluster member. If you do not use the OCI Rule Builder, you can manually configure one rule to include the two Cluster members, as appears below.

  16. Create the policy and allow the defined Dynamic Group to use resources in the compartment where it belongs.

  17. Connect to the two CloudGuard Cluster members with the Private Key matched to the Public Key you used when you created the instance (ssh –i privateKey admin@<cluster-member-public-ip>). Run these commands in the Clish prompt to set the password:

    > set user admin password

    - insert your password <XXXXX>

    > save config

    > exit

  18. Use a web browser to connect to the Cluster members with the member public IP address. Enter the Blink wizard information to complete the configuration.

    https://<member_public_ip>

    User name : admin

    Password: XXXXX

  19. Configure the CloudGuard members and Cluster in the Management SmartConsole.

Best Practice - Apply the latest GA Jumbo Hotfix AccumulatorClosed Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. to each Cluster member.