Additional Information

Testing Scale In and Scale Out Events

Notes:

Licensing

Because the number of gateways in VMSS can increase and decrease over time, we recommend that you use CloudGuard Network Security Gateways with the Pay As You Go (PAYG) license model.

For the list of countries, see sk109360.

You can use this solution template to launch BYOL gateways.

For more information about licensing, see the Check Point CloudGuard Controller Administration Guide for your Management Server version > Chapter vSEC Central Licensing.

Important - A VMSS can only use Security Gateways that have the same payment plan, either PAYG or BYOL.

IPS Geo Protection Based on X-Forwarded-For HTTP Header

The IPS Geo protection filters and logs traffic based on the country from which it arrives. This protection is applied both to the source address of the connection and to any IPv4 address present in an 'X-Forwarded-For' HTTP header.

Notes:

  • The External Load Balancer does not hide the client's original IP address.

  • If an HTTP request goes through multiple proxies or Load Balancers, the X-Forwarded-For HTTP header is expected to contain multiple IP addresses.

  • All IPv4 addresses contained in the X-Forwarded-For HTTP header are inspected by the IPS Geo protection.

  • Any IPv6 address in the X-Forwarded-For HTTP header is ignored.

For more information, see sk115532 on IPS Geo protection based on X-Forwarded-For HTTP header.
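The following is an added example, not code from the page or from Check Point, that models the inspection scope described in the notes above: every IPv4 address in a multi-proxy X-Forwarded-For header is extracted and checked alongside the connection's source address, while IPv6 entries are skipped. The prefix-to-country table and the blocked-country set are constructed placeholders, not real GeoIP data.

```python
import ipaddress

# Constructed sample geo table (NOT real GeoIP data): prefix -> country code.
SAMPLE_GEO = {
    "203.0.113.0/24": "XA",
    "198.51.100.0/24": "XB",
    "192.0.2.0/24": "XC",
}
# Constructed policy: countries the Geo protection is configured to block.
BLOCKED_COUNTRIES = {"XB"}


def xff_ipv4_addresses(header_value):
    """Return every IPv4 address found in an X-Forwarded-For value, in order.

    A request that crossed several proxies or load balancers carries a
    comma-separated list. IPv6 entries and malformed tokens are skipped,
    matching the note that only IPv4 addresses in the header are inspected.
    """
    result = []
    for token in header_value.split(","):
        token = token.strip()
        if not token:
            continue
        # Strip an optional ":port" suffix from an IPv4 token; an IPv6 literal
        # has more than one colon and is left untouched (and then skipped).
        host = token.rsplit(":", 1)[0] if token.count(":") == 1 else token
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue
        if addr.version == 4:
            result.append(str(addr))
    return result


def country_of(ip):
    """Look up the constructed geo table; None when the address is unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in SAMPLE_GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None


def geo_decision(source_ip, xff_header):
    """Apply the protection to the connection source AND every IPv4 XFF entry.

    Returns the action plus the per-address country matches, so a log line
    can show which hop triggered the drop.
    """
    candidates = [source_ip] + xff_ipv4_addresses(xff_header)
    checked = [(ip, country_of(ip)) for ip in candidates]
    blocked = [(ip, cc) for ip, cc in checked if cc in BLOCKED_COUNTRIES]
    return {
        "action": "drop" if blocked else "accept",
        "checked": checked,
        "blocked_by": blocked,
    }


if __name__ == "__main__":
    # Constructed request: the load balancer forwarded the client address,
    # and an earlier proxy appended an IPv6 hop that must be ignored.
    print(geo_decision("192.0.2.10", "203.0.113.5, 2001:db8::1, 198.51.100.7"))
```

The point the example makes is that the External Load Balancer does not hide the client address, so the decision cannot rely on the connection source alone; a blocked country appearing anywhere in the header chain is enough to drop the request.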

Use Case 1

Use Case 2

User Defined Routes

| Route | Destination | Next hop | Route Purpose |
|---|---|---|---|
| East-West | Entire VNET | Virtual appliance - Internal Load Balancer's private IP address | Inspects all traffic that goes to other subnets in the VNET. Note: You can replace this one route for the entire VNET with multiple specific subnet routes. |
| Outbound | 0.0.0.0/0 | Virtual appliance - Internal Load Balancer's private IP address | Inspects outbound traffic. Note: A destination address that is not matched by any other route (such as Inbound) falls under this route and is therefore subject to inspection by the Check Point instances in the VNET. |
| Inbound | VMSS backend subnet | Virtual Network | Sends inbound reply traffic to the original CloudGuard Security Gateway instance to enable inspection. Note: This enables the inbound traffic to go back to the CloudGuard Security Gateway that is involved in the inspection. |
| Intra-subnet | Subnet itself | Virtual Network | Sends in-subnet traffic directly to its destination without inspection by a CloudGuard Security Gateway. There is no micro-segmentation. |

If the Management Server is in the VNET, make sure to have specific routes to allow traffic between the Management Server Virtual Machine and the VMSS instances.
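As an added illustration (not code from the page or from Check Point) of how the four routes above interact, the block below models an application subnet's route table and resolves destinations with longest-prefix match, the rule Azure applies when UDR prefixes overlap. It shows which flows are steered to the Internal Load Balancer for inspection and which bypass the gateways entirely (intra-subnet traffic, replies to the VMSS backend subnet). The VNET, subnet and load balancer addresses are constructed assumptions, as is the optional Management Server route added for the case described in the preceding sentence.

```python
import ipaddress

# Constructed addressing (assumptions, not values from the page).
VNET = ipaddress.ip_network("10.0.0.0/16")
BACKEND_SUBNET = ipaddress.ip_network("10.0.2.0/24")   # VMSS backend subnet
APP_SUBNET = ipaddress.ip_network("10.0.3.0/24")       # subnet that owns this route table
ILB_PRIVATE_IP = "10.0.2.4"                            # Internal Load Balancer front end
MGMT_SERVER_IP = "10.0.1.10/32"                        # hypothetical Management Server VM

# Route table for APP_SUBNET, mirroring the page's table:
# (name, destination prefix, next hop type, next hop address or None)
ROUTES = [
    ("East-West", VNET, "VirtualAppliance", ILB_PRIVATE_IP),
    ("Outbound", ipaddress.ip_network("0.0.0.0/0"), "VirtualAppliance", ILB_PRIVATE_IP),
    ("Inbound", BACKEND_SUBNET, "VirtualNetwork", None),
    ("Intra-subnet", APP_SUBNET, "VirtualNetwork", None),
]

# Variant for a VNET that also hosts the Management Server: a specific route
# lets Management Server <-> VMSS traffic bypass the load balancer (assumption).
ROUTES_WITH_MGMT = ROUTES + [
    ("Management", ipaddress.ip_network(MGMT_SERVER_IP), "VirtualNetwork", None),
]


def select_route(dst_ip, routes=ROUTES):
    """Pick the matching route with the longest prefix, as Azure does for UDRs."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if addr in r[1]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[1].prefixlen)


def is_inspected(dst_ip, routes=ROUTES):
    """True when the selected next hop is the virtual appliance (the ILB)."""
    route = select_route(dst_ip, routes)
    return route is not None and route[2] == "VirtualAppliance"


def coverage_report(dst_ips, routes=ROUTES):
    """Map each destination to (route name, inspected?) for a quick audit."""
    return {ip: (select_route(ip, routes)[0], is_inspected(ip, routes)) for ip in dst_ips}


if __name__ == "__main__":
    # Constructed destinations: same subnet, another subnet, the gateways, Internet.
    for ip, (name, inspected) in coverage_report(
        ["10.0.3.9", "10.0.5.9", "10.0.2.7", "203.0.113.1", "10.0.1.10"]).items():
        print(f"{ip:>14}  {name:<13} inspected={inspected}")
```

Running the audit over a workload's expected peers is a cheap way to confirm the "no micro-segmentation" caveat: two VMs in the same subnet reach each other on the Intra-subnet route and never touch a CloudGuard gateway, whereas cross-subnet and Internet-bound flows resolve to the East-West and Outbound routes and are inspected.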

Autoscale setting

Azure Autoscale manages all scale in and scale out events. Go to the Azure portal for an overview of Azure AutoScale.

Azure Autoscale default settings:

  1. Adds a Virtual Machine to the VMSS, if the average CPU usage across the VMSS (as reported by the Azure host) is above 80% for five consecutive 1-minute intervals.

  2. Terminates a Virtual Machine, if the average CPU usage across the VMSS (as reported by the Azure host) is below 60% for five consecutive 1-minute intervals.

Note: After CloudGuard metrics are enabled, you can use them to trigger scale in and scale out events.

To configure CloudGuard metrics for the Azure Portal:

  1. Go to the Azure Portal.

  2. From the Azure portal, navigate to the VMSS Resource Group > Virtual machine scale set resource > Scaling Policy tab.

  3. In the current Scale Policy profile (the Default one), remove the current scale out and scale in rules: click each rule and select Delete.

  4. Add a Scale Out rule:

    • In the Time Aggregation field, select Average.

    • In the Metric namespace field, select cloudguard.

    • In the Metric name field, select IPsec number of VPN-1 RA peers.

    • Select the Enable metric divide by instance count checkbox.

    • In the Operator field, select Greater than.

    • In the Operation field, select Increase count by.

    • In the Instance count field, enter 1.

    • Click Update.

  5. Add a Scale In rule:

    • In the Time Aggregation field, select Average.

    • In the Metric namespace field, select cloudguard.

    • In the Metric name field, select IPsec number of VPN-1 RA peers.

    • Select the Enable metric divide by instance count checkbox.

    • In the Operator field, select Less than or equal to.

    • In the Operation field, select Decrease count by.

    • In the Instance count field, enter 1.

    • Click Update.

  6. Save the updated Auto Scaling policy.

Azure sends an email alert and ensures that the number of Virtual Machines in the VMSS stays in the range between the minimum and maximum number of Virtual Machines defined in the template.

Make sure to confirm that the settings you need appear in the primary Azure portal. If a setting is not available there, use the CLI or Azure Resource Manager to change it. See the Azure Resource Manager documentation.

Configuring the Load Balancer to Listen on Additional Ports

Configuring the Load Balancer to Listen on Additional Public IP Addresses

You can configure the VMSS to secure multiple web applications, each with its own IP address.

Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal'

You must create these Dynamic Objects in SmartConsole:

  • LocalGatewayExternal

  • LocalGatewayInternal

Procedure:

  1. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

  2. Enter this exact name (case-sensitive, no spaces):

    LocalGatewayExternal

  3. Click OK.

  4. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

  5. Enter this exact name (case-sensitive, no spaces):

    LocalGatewayInternal

  6. Click OK.

  7. Publish the SmartConsole session.

Configuring HTTPS Inspection

Follow these steps to enable HTTPS Inspection.

Notes:

  • If you have an outbound CA certificate you can skip these steps. Otherwise, create one in "Creating an Outbound Certificate."

  • Only want inbound SSL inspection.

Creating an Outbound Certificate

Creating an HTTPS Inspection Rule to Inspect SSL Traffic

Downloading and Installing the Latest CME (Cloud Management Extension) Version

To download and install the CME (Cloud Management Extension) on the Management Server or Multi-Domain Server, see sk157492.

Configuring the Cloud Management Extension (CME) on the Security Management Server

The instructions below contain information about how to configure a VMSS environment in CME. For more information about CME configurations, see the "Overview" section in the Cloud Management Extension Administration Guide.

Deploying a Security Management Server in Azure