Additional Information
Testing Scale In and Scale Out Events
Notes:
- When the VMSS deploys, new Check Point CloudGuard Network Security Gateways appear.
- When the CloudGuard Network Security Gateways are created, they execute the Gaia First Time Configuration Wizard. This usually takes 10 minutes to complete, but if you have a large Virtual Machine, it can take longer.
- After the Gaia First Time Configuration Wizard completes, the Check Point Security Management Server automatically installs policy on the CloudGuard Network Security Gateways.
- Use SmartConsole to confirm the Security Policy installed on the CloudGuard Network Security Gateways.
- Use SmartConsole to confirm that the CloudGuard Network Security Gateways generate and send their logs.
| Step | Description |
|---|---|
| 1 | Connect to the command line on the CloudGuard Network Security Gateways. |
| 2 | Log in to the Expert mode. |
| 3 | Download the script https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/common/simulate_cpu_load.sh |
| 4 | Copy the script to the Management Server with this name: |
| 5 | Assign the execute permission to the shell script: |
| 6 | Make sure there are no syntax mistakes in the shell script: |
| 7 | Execute the shell script to simulate a high CPU load: |
| 8 | In another command line shell, examine the current CPU load (it must be at a high level): |
| 9 | After 10 minutes, a scale-out event is triggered. This creates a newly provisioned CloudGuard Security Gateway. |
| 10 | After the new CloudGuard Security Gateways are provisioned, on the old CloudGuard Security Gateways press any key to stop the shell script. |
| 11 | On the old CloudGuard Security Gateways, in another command line shell, examine the current CPU load (it must go back to a normal level): |
| 12 | After approximately 10 minutes, a scale-in event is triggered. This deletes the new CloudGuard Security Gateway. |
Licensing
Because the number of gateways in VMSS can increase and decrease over time, we recommend that you use CloudGuard Network Security Gateways with the Pay As You Go (PAYG) license model.
For the list of countries, see sk109360.
You can use this solution template to launch BYOL gateways.
For more information about licensing, see the Check Point CloudGuard Controller Administration Guide for your Management Server version > Chapter vSEC Central Licensing.
Important - A VMSS can only use Security Gateways that have the same payment plan, either PAYG or BYOL.
IPS Geo Protection Based on X-Forwarded-For HTTP Header
The IPS Geo protection filters and logs traffic based on the country from which it arrives. This protection is applied both to the source address of the connection and to any IPv4 address present in an 'X-Forwarded-For' HTTP header.
Notes:
- The External Load Balancer does not hide the client's original IP address.
- If an HTTP request goes through multiple proxies or Load Balancers, the X-Forwarded-For HTTP header is expected to contain multiple IP addresses.
- All IPv4 addresses contained in the X-Forwarded-For HTTP header are inspected by the IPS Geo protection.
- Any IPv6 address in the X-Forwarded-For HTTP header is ignored.
For more information, see sk115532 on IPS Geo protection based on the X-Forwarded-For HTTP header.
Use Case 1
- A user is located in Dallas (USA), and the client opens a direct connection to the External Load Balancer.
- The Load Balancer forwards the connection to one of the Check Point CloudGuard Network Security Gateways and leaves the source IP address unchanged.
- The IPS Geo protection on the CloudGuard Security Gateway identifies the country of origin as the United States.
- The CloudGuard Security Gateway allows or drops the connection based on the policy.
Use Case 2
- UserA is located in Dallas (USA), and the client opens a direct connection to the External Load Balancer. The Load Balancer forwards UserA's connection to one of the Check Point CloudGuard Network Security Gateways and leaves UserA's source IP address unchanged. The IPS Geo protection on the CloudGuard Security Gateway identifies the country of origin as the United States for UserA's connection.
- UserB is also located in Dallas (USA), and the client uses a proxy server to connect to the External Load Balancer. The proxy adds an X-Forwarded-For HTTP header to UserB's connection with the IP address of UserB's client in Dallas. The Load Balancer forwards the connection to one of the Check Point CloudGuard Network Security Gateways. The IPS Geo protection on the CloudGuard Security Gateway identifies the country of origin as the United States for UserB's connection.
- The CloudGuard Security Gateway allows or drops the connections based on the policy.
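The notes and the two use cases above, as an added example that is not part of the Check Point documentation: a small Python model of how a gateway evaluates the connection source and then every IPv4 entry of X-Forwarded-For (IPv6 entries skipped) against a country list. The GEO_DB lookup table, the TEST-NET ranges used as placeholder client and proxy addresses, and the geo_decision function are constructed assumptions, not Check Point's data or API.

```python
import ipaddress

# Constructed lookup standing in for the gateway's geo database; TEST-NET ranges are
# used as placeholders (assumption, not Check Point's data).
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "US",   # stands in for the Dallas client range
    ipaddress.ip_network("198.51.100.0/24"): "DE",  # stands in for a proxy in another country
}


def country_of(ip):
    """Return the country code for an address, or None when it is not in GEO_DB."""
    for net, country in GEO_DB.items():
        if ip in net:  # version mismatch (IPv6 vs IPv4 network) simply yields False
            return country
    return None


def xff_ipv4_addresses(header_value):
    """Return every IPv4 address in an X-Forwarded-For value, in order.
    A request through several proxies carries several comma-separated entries;
    IPv6 entries and malformed tokens are skipped, as the documentation describes."""
    addresses = []
    for token in header_value.split(","):
        token = token.strip()
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue
        if addr.version == 4:
            addresses.append(addr)
    return addresses


def geo_decision(src_ip, xff_header, blocked_countries):
    """Evaluate the connection source first, then each IPv4 from X-Forwarded-For.
    Returns ('drop', ip, country) on the first blocked match, else ('accept', None, None)."""
    candidates = [ipaddress.ip_address(src_ip)]
    candidates += xff_ipv4_addresses(xff_header or "")
    for ip in candidates:
        country = country_of(ip)
        if country in blocked_countries:
            return ("drop", str(ip), country)
    return ("accept", None, None)


if __name__ == "__main__":
    # Use Case 2, UserB: proxy source address plus an XFF entry for the Dallas client.
    print(geo_decision("198.51.100.7", "203.0.113.25", {"US"}))
```

Because the proxy's own address is also inspected, a permitted client behind a proxy in a blocked country is still dropped on the source address, which is the behaviour to account for when writing the policy.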
User Defined Routes
If the Management Server is in the VNET, make sure to have specific routes to allow traffic between the Management Server Virtual Machine and the VMSS instances.
Autoscale setting
Azure Autoscale manages all scale in and scale out events. See the Azure portal for an overview of Azure Autoscale.
Azure Autoscale default settings:
- Adds a Virtual Machine to the VMSS if the average CPU usage across the VMSS (as reported by the Azure host) is above 80% for five consecutive 1-minute intervals.
- Terminates a Virtual Machine if the average CPU usage across the VMSS (as reported by the Azure host) is below 60% for five consecutive 1-minute intervals.
Note: After CloudGuard metrics are enabled, you can use them to trigger scale in and scale out events.
To configure CloudGuard metrics in the Azure Portal:
- Go to the Azure Portal.
- From the Azure portal, navigate to the VMSS Resource Group > Virtual machine scale set resource > Scaling Policy tab.
- In the current Scale Policy profile (the Default one), remove the current scale out and scale in rules: click the rules and select Delete.
- Add a Scale Out rule:
  - In the Time Aggregation field, select Average.
  - In the Metric namespace field, select cloudguard.
  - In the Metric name field, select IPsec number of VPN-1 RA peers.
  - Select the Enable metric divide by instance count checkbox.
  - In the Operator field, select Greater than.
  - In the Operation field, select Increase count by.
  - In the Instance count field, enter 1.
  - Click Update.
- Add a Scale In rule:
  - In the Time Aggregation field, select Average.
  - In the Metric namespace field, select cloudguard.
  - In the Metric name field, select IPsec number of VPN-1 RA peers.
  - Select the Enable metric divide by instance count checkbox.
  - In the Operator field, select Less than or equal to.
  - In the Operation field, select Decrease count by.
  - In the Instance count field, enter 1.
  - Click Update.
- Save the updated Auto Scaling policy.
Azure sends an email alert and ensures that the number of Virtual Machines in the VMSS stays in the range between the minimum and maximum number of Virtual Machines, based on the template.
Make sure to confirm that the settings you need appear in the primary Azure portal. If a setting is not available, use the CLI or Azure Resource Manager to change it. See the Azure Resource Manager.
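An added Python simulation (not Check Point's or Azure's code) of the evaluation logic described above: a rule fires only when all five consecutive 1-minute aggregates satisfy its operator, each action changes the count by one, and the count stays within the template's minimum and maximum. The (operator, threshold) rule tuples, the per_instance helper for the "divide by instance count" option, and the assumption that the sample window restarts after an action (approximating Azure's cooldown) are this example's own.

```python
WINDOW = 5  # five consecutive 1-minute intervals, the Azure default quoted on this page

# Rule tuples (operator, threshold); the page's defaults for host-reported CPU %.
DEFAULT_SCALE_OUT = (">", 80)
DEFAULT_SCALE_IN = ("<", 60)

_OPS = {
    ">": lambda v, t: v > t,
    ">=": lambda v, t: v >= t,
    "<": lambda v, t: v < t,
    "<=": lambda v, t: v <= t,
}


def rule_fires(samples, operator, threshold, window=WINDOW):
    """True only when the last `window` 1-minute aggregates all satisfy the rule.
    A single sample on the wrong side of the threshold keeps the rule from firing."""
    if len(samples) < window:
        return False
    return all(_OPS[operator](v, threshold) for v in samples[-window:])


def simulate(metric_per_minute, scale_out, scale_in, instance_min, instance_max, start):
    """Replay per-minute metric aggregates (averaged across the VMSS) through a scale-out
    rule and a scale-in rule, each adding or removing one instance, bounded by the
    template's minimum and maximum. Returns (final_count, [(minute, action), ...]).
    Assumption: the sample window restarts after an action, approximating cooldown."""
    count = start
    window = []
    actions = []
    for minute, value in enumerate(metric_per_minute, start=1):
        window.append(value)
        if rule_fires(window, *scale_out) and count < instance_max:
            count += 1
            actions.append((minute, "scale-out"))
            window.clear()
        elif rule_fires(window, *scale_in) and count > instance_min:
            count -= 1
            actions.append((minute, "scale-in"))
            window.clear()
    return count, actions


def per_instance(totals, instance_count):
    """'Enable metric divide by instance count': compare a cloudguard metric such as
    IPsec number of VPN-1 RA peers per gateway rather than as a VMSS total."""
    return [total / instance_count for total in totals]
```

Feeding a constructed CPU trace such as five minutes above 80% followed by five minutes below 60% through simulate shows one scale-out at minute 5 and one scale-in at minute 10, and a count already at the maximum never grows regardless of how hot the trace is.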
Configuring the Load Balancer to Listen on Additional Ports
| Step | Description |
|---|---|
| 1 | Go to the Azure portal. |
| 2 | Find the External Load Balancer. The Load Balancer is in your Resource Group. The Load Balancer name is |
| 3 | Configure a new Load Balancing Rule: |
Configuring the Load Balancer to Listen on Additional Public IP Addresses
You can configure the VMSS to secure multiple web applications, each with its own IP address.
| Step | Description |
|---|---|
| 1 | Go to the Azure portal. |
| 2 | Find the External Load Balancer. The Load Balancer is in your Resource Group. The Load Balancer name is |
| 3 | In the Azure portal, allocate a new public IP address. |
| 4 | Configure the Frontend IP pool. |
| 5 | Configure a new Load Balancing Rule: |
Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal'
You must create these Dynamic Objects in SmartConsole:
- LocalGatewayExternal
- LocalGatewayInternal
Procedure:
- Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.
- Enter this exact name (case-sensitive, no spaces): LocalGatewayExternal
- Click OK.
- Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.
- Enter this exact name (case-sensitive, no spaces): LocalGatewayInternal
- Click OK.
- Publish the SmartConsole session.
Configuring HTTPS Inspection
Follow these steps to enable HTTPS Inspection.
Notes:
- If you have an outbound CA certificate, you can skip these steps. Otherwise, create one in "Creating an Outbound Certificate."
- Only want inbound SSL inspection.
Creating an Outbound Certificate
| Step | Description |
|---|---|
| 1 | In SmartConsole, go to Policy > HTTPS policy. |
| 2 | Go to the Destination column, and edit the default rule to be Any. |
| 3 | Go to the Track column, and edit it to Log. |
| 4 | Go to Gateways and Servers. Open one of the VMSS instances you have. |
| 5 | Open HTTPS Inspection and click Create Certificate. |
| 6 | Enter the information and click OK. |
| 7 | Click Enable HTTPS Inspection. |
| 8 | Publish the SmartConsole session. |
| 9 | Install policy. |
Creating an HTTPS Inspection Rule to Inspect SSL Traffic
| Step | Description |
|---|---|
| 1 | In SmartConsole, from the left navigation panel, click Manage & Settings. |
| 2 | From the left tree, click Blades. |
| 3 | In the HTTPS Inspection section, click Configure in SmartConsole. |
| 4 | From the left tree, click Gateways. |
| 5 | At the bottom of the page, click Create Certificate. |
| 6 | Enter the information and click OK. |
| 7 | From the left tree, click Server Certificates. |
| 8 | Enter the information and click OK. |
| 9 | From the left tree, click Policy. |
| 10 | Add this rule: |
| 11 | Save the changes: click Menu > File > Save. |
| 12 | Close the SmartConsole. |
| 13 | Publish the SmartConsole session. |
Downloading and Installing the Latest CME (Cloud Management Extension) Version
To download and install the CME (Cloud Management Extension) on the Management Server or Multi-Domain Server, see sk157492.
Configuring the Cloud Management Extension (CME) on the Security Management Server
The instructions below contain information about how to configure a VMSS environment in CME. For more information about CME configurations, see the "Overview" section in the Cloud Management Extension Administration Guide.
| Step | Description |
|---|---|
| 1 | Connect to the command line on the Security Management Server. |
| 2 | Log in to the Expert mode. |
| 3 | Execute this command (see the explanation of parameters). Run: Example: |
| 4 | When this message shows, type yes and press Enter to apply the modifications: |
| 5 | Confirm the configuration. Every controller in the configuration has to have unique credentials. |
| 6 | Follow the instructions in the Enabling and Disabling Software Blades section in the Cloud Management Extension Administration Guide. |
Important - The exact values that you select must be typed exactly when you deploy the VMSS. Write them down and enter them correctly. Otherwise, the components cannot communicate with each other.
Deploying a Security Management Server in Azure
| Item | Description |
|---|---|
| 1 | From the Azure Marketplace, deploy this solution to create a Check Point Security Management Server: |
| 2 | Select the Check Point Security Management software plan. Important - It must be R81 or above. Use these parameters: |
| 3 | This template deploys the Management Server in the selected subnet. When the management instance starts, it automatically executes its own Gaia First Time Configuration Wizard. This can take up to 30 minutes. |
| 4 | Follow the instructions in Step 2, Install the Check Point Security Management Server. |