Additional Information
Testing Scale In and Scale Out Events
To test Scale In and scale-out events, simulate a high CPU load on the CloudGuard Network Security Gateways
|
Step |
Description |
|
|---|---|---|
|
1 |
Connect to the command line on the CloudGuard Network Security Gateways. |
|
|
2 |
Log in to the Expert mode. |
|
|
3 |
Download the https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/common/simulate_cpu_load.sh |
|
|
4 |
Copy the script to the Security Gateways with this name:
|
|
|
5 |
Assign the execute permission to the shell script:
|
|
|
6 |
Make sure there are no syntax mistakes in the shell script:
|
|
|
7 |
Execute the shell script to simulate a high CPU load:
|
|
|
8 |
In another command line shell, examine the current CPU load (must be at a high level):
|
|
|
9 |
After 10 minutes, a scale-out event is triggered. This provisions new Security Gateways. |
|
|
10 |
After the new Security Gateways are provisioned, on the old Security Gateways press any key to stop the shell script. |
|
|
11 |
On the old Security Gateways, in another command line shell, examine the current CPU load (must go back to a normal level):
|
|
|
12 |
After approximately 10 minutes, a scale-in event is triggered. This deletes the new Security Gateways. |
Licensing
Because the number of gateways in VMSS can increase and decrease over time, we recommend that you use CloudGuard Network Security Gateways with the Pay As You Go (PAYG) license model.
For the list of countries, see sk109360.
You can use this solution template to launch BYOL gateways.
For more information about licensing, see the Check Point CloudGuard Controller Administration Guide for your Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. version > Chapter vSEC Central Licensing.
Important - A VMSS can only use Security Gateways that have the same payment plan, either PAYG or BYOL.
IPS Geo Protection Based on X-Forwarded-For HTTP Header
The IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). Geo protection filters and logs traffic based on the country, from each it arrives. This protection is applied to both the source address of the connection, as well as to any IPv4 address present in an 'X-Forwarded-For' HTTP header.
Notes:
-
The External Load Balancer does not hide the client's original IP address.
-
If an HTTP request goes through multiple proxies or Load Balancers, the X-Forwarded-For HTTP header is expected to contain multiple IP addresses.
-
All IPv4 addresses contained in the X-Forwarded-For HTTP header, are inspected by the IPS Geo protection.
-
Any IPv6 address in the X-Forwarded-For HTTP header is ignored.
For more information, see sk115532 on IPS Geo protection based on X-Forwarded-For HTTP header.
Use Case 1
Single user
-
A user is located in Dallas (USA), and the client opens a direct connection to the External Load Balancer.
-
The Load Balancer forwards the connection to one of the Check Point CloudGuard Network Security Gateways and leaves the source IP address unchanged.
-
The IPS Geo protection on the CloudGuard Security Gateway
Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. identifies the country of origin as the United States. -
The CloudGuard Security Gateway allows or drops the connection based on the policy.
Use Case 2
Multiple users
-
A user is located in Dallas (USA), and the client opens a direct connection to the External Load Balancer.
The Load Balancer forwards the UserA's connection to one of the Check Point CloudGuard Network Security Gateways and leaves the UserA's source IP address unchanged.
The IPS Geo protection on the CloudGuard Security Gateway identifies the country of origin as the United States for the UserA's connection.
-
UserB is also located in Dallas (USA), and the client uses a proxy server to connect to the External Load Balancer.
The proxy adds an X-Forwarded-For HTTP header to the UserB's connection with the IP address of the UserB's client in Dallas.
The Load Balancer forwards the connection to one of the Check Point CloudGuard Network Security Gateways.
The IPS Geo protection on the CloudGuard Security Gateways identifies the country of origin as the United States for the UserB's connection.
-
The CloudGuard Security Gateway allows or drops the connections based on the policy.
User Defined Routes
|
Route |
Destination |
Nexthop |
Route Purpose |
|---|---|---|---|
|
East-West |
Entire VNET |
Virtual appliance - Internal Load Balancer's private IP address |
Inspects all traffic that goes to other subnets in the VNET. Note: You can replace this one route for the entire VNET with multiple specific subnet routes. |
|
Outbound |
0.0.0.0/0 |
Virtual appliance - Internal Load Balancer's private IP address |
Inspects outbound traffic. Note: The destination address has not been identified by any instance during any route (such as inbound). Therefore, it is subject to inspection by the Check Point instances in the VNET. |
|
Inbound |
VMSS backend subnet |
Virtual Network |
Sends inbound reply traffic to the original CloudGuard Security Gateway instance to enable inspection. Note: This enables the inbound traffic to go back to the CloudGuard Security Gateway that is involved in the inspection. |
|
Intra-subnet |
Subnet itself |
Virtual Network |
Sends in-subnet traffic directly to its destination without inspection by a CloudGuard Security Gateway. There is no micro-segmentation. |
If the Management Server is in the VNET, make sure to have specific routes to allow traffic between the Management Server Virtual Machine and the VMSS instances.
Autoscale setting
Azure Autoscale manages all scale in and scale out events. Go to the Azure portal for an overview of Azure AutoScale.
Azure Autoscale default settings:
-
Adds a Virtual Machine to the VMSS, if the average CPU usage across the VMSS (as reported by the Azure host) is above 80% for five consecutive 1-minute intervals.
-
Terminates a Virtual Machine, if the average CPU usage across the VMSS (as reported by the Azure host) is below 60% for five consecutive 1-minute intervals.
Note: After CloudGuard metrics is enabled, you can use it to trigger scale in and scale out events.
To configure CloudGuard metrics for the Azure Portal:
-
Go to the Azure Portal.
-
From the Azure portal, navigate to the VMSS Resource Group -> Virtual machine scale set resource > Scaling Policy tab.
-
In the current Scale Policy profile( the Default one), remove the current scale out, scale in rules. Click on the rules, select Delete.
-
-
In the Time Aggregation field, select Average.
-
In the "Metric namespace field, select cloudguard.
-
In the Metric name field, select IPsec number of VPN-1 RA peers.
-
In the checkbox, select Enable metric divide by instance count.
-
In the Operator field, select Greater than.
-
In the Operation field, select Increase count by.
-
In the Instance count field, enter 1.
-
Click Update.
-
-
Add a Scale In rule:
-
In the Time Aggregation field, select Average.
-
In the Metric namespace field, select cloudguard.
-
In the Metric name field, select IPsec number of VPN-1 RA peers.
-
In the checkbox, select Enable metric divide by instance count.
-
In the Operator field, select Less than or equal to.
-
In the Operation field, select Decrease count by.
-
In the Instance count field, enter 1.
-
Click Update.
-
-
Save the updated Auto Scaling policy.
Azure sends an email alert and ensures that the number of Virtual Machines in the VMSS stay in the range between the minimum and maximum number of Virtual Machines, based on the template.
Make sure to confirm that the settings you need, appear on the primary Azure portal. If a setting is not available, use the CLI or the Azure Resource Manager to change it. See the Azure Resource Manager.
Configuring the Load Balancer to Listen on Additional Ports
You can configure the Load Balancer to listen on the TCP port 443, and forward this traffic to the Check Point CloudGuard Security Gateways on the TCP port 8443
|
Step |
Description |
|
|---|---|---|
|
1 |
Go to the Azure portal. |
|
|
2 |
Find the External Load Balancer. The Load Balancer is in your Resource Group. The Load Balancer name is |
|
|
3 |
Configure a new Load Balancing Rule:
|
Configuring the Load Balancer to Listen on Additional Public IP Addresses
You can configure the VMSS to secure multiple web applications, each with its own IP address.
You can configure the Load Balancer to listen on a second public IP address on the TCP port 80, and forward this traffic to the Check Point CloudGuard Security Gateways on the TCP port 8083
|
Step |
Description |
|
|---|---|---|
|
1 |
Go to the Azure portal. |
|
|
2 |
Find the External Load Balancer. The Load Balancer is in your Resource Group. The Load Balancer name is |
|
|
3 |
In the Azure portal, allocate a new public IP address.
|
|
|
4 |
Configure the Frontend IP pool.
|
|
|
5 |
Configure a new Load Balancing Rule:
|
Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal'
You must create these Dynamic Objects in SmartConsole:
-
LocalGatewayExternal
-
LocalGatewayInternal
Procedure:
-
Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.
-
Enter this exact name (case-sensitive, no spaces):
LocalGatewayExternal
-
Click OK.
-
Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.
-
Enter this exact name (case-sensitive, no spaces):
LocalGatewayInternal
-
Click OK.
-
Publish the SmartConsole session
Configuring HTTPS Inspection
Follow these steps to enable HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi..
Notes:
-
If you have an outbound CA certificate you can skip these steps. Otherwise, create one in "Creating an Outbound Certificate."
-
Only want inbound SSL inspection.
Creating an Outbound Certificate
To create an Outbound Certificate
| Step | Description |
|---|---|
| 1 | In SmartConsole, go to Policy > HTTPs policy. |
| 2 |
Go to the Destination column, and edit the default rule to be Any. |
|
3 |
Go to the Track column, and edit to Log. |
|
4 |
Go to Gateways and Servers. Open one of the VMSS instances you have. |
|
5 |
Open HTTPs Inspection > Click Create Certificate. |
|
6 |
Enter the information and click OK. |
|
7 |
Click Enable HTTPs Inspection. |
|
8 |
Publish the SmartConsole session. |
|
9 |
Install policy. |
Creating an HTTPS Inspection Rule to Inspect SSL Traffic
This procedure creates an HTTPS Inspection rule to inspect SSL traffic that belongs to a web application
|
Step |
Description |
|---|---|
|
1 |
In SmartConsole, from the left navigation panel, click Manage & Settings. |
|
2 |
From the left tree, click Blades. |
|
3 |
In the HTTPS Inspection section, click Configure in SmartConsole. |
|
4 |
From the left tree, click Gateways. |
|
5 |
At the bottom of the page, click Create Certificate. |
|
6 |
Enter the information and click OK. |
|
7 |
From the left tree, click Server Certificates. |
|
8 |
Enter the information and click OK. |
|
9 |
From the left tree, click Policy. |
|
10 |
Add this rule:
|
|
11 |
Save the changes: Click Menu > File > Save. |
|
12 |
Close the SmartConsole. |
|
13 |
Publish the SmartConsole session |
Downloading and Installing the Latest CME (Cloud Management Extension) Version
To download and install the CME (Cloud Management Extension) on the Management Server or Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., see sk157492.
Configuring the Cloud Management Extension (CME) on the Security Management Server
The instructions below contain information about how to configure a VMSS environment in CME. For more information about CME configurations, see the "Overview" section in the Cloud Management Extension Administration Guide.
To configure the CME on the Security Management Server
|
Step |
Description |
||
|---|---|---|---|
|
1 |
Connect to the command line on the Security Management Server. |
||
|
2 |
Log in to the Expert mode. |
||
|
3 |
Execute this command (see the explanation of parameters): Run:
Example:
|
||
|
4 |
When this message shows, type yes and press Enter to apply the modifications:
|
||
|
5 |
Confirm the configuration:
Every controller in the configuration has to have unique credentials. |
||
|
6 |
Follow the instructions in the Enabling and Disabling Software Blades section in the Cloud Management Extension Administration Guide. |
Parameters
Important - The exact values that you select, must be typed exactly when you deploy the VMSS. Make sure to write them down and enter them correctly. Otherwise, the components cannot communicate with each other.
Deploying a Security Management Server in Azure
To deploy a Security Management Server in Azure
|
Item |
Description |
|---|---|
|
1 |
From the Azure Marketplace, deploy this solution to create a Check Point Security Management Server: |
|
2 |
Select the Check Point Security Management software plan. Important - It must be R81 and above. Use these parameters:
|
|
3 |
This template deploys the Management Server in the selected subnet. When the management instance starts, it automatically executes its own Gaia First Time Configuration Wizard. This can take up to 30 minutes. |
|
4 |
Do the instructions in Step 3: Configure the Check Point Security Management Server. |