Additional Information

Testing Scale In and Scale Out Events

Notes:

• When the VMSS deploys, new Check Point CloudGuard Network Security Security Gateways appear.

• When the CloudGuard Network Security Gateways are created, they execute the Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. First Time Configuration Wizard. This usually takes 10 minutes to complete, but if you have a large Virtual Machine, it can take longer.

• After the Gaia First Time Configuration Wizard completes, the Check Point Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. and automatically installs policy on the CloudGuard Network Security Gateways.

• Use SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to confirm the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. on the CloudGuard Network Security Gateways.

• Use SmartConsole to confirm the CloudGuard Network Security Security Gateways generate and send their logs.

Licensing

Because the number of gateways in VMSS can increase and decrease over time, we recommend that you use CloudGuard Network Security Gateways with the Pay As You Go (PAYG) license model.

For the list of countries, see sk109360.

You can use this solution template to launch BYOL gateways.

For more information about licensing, see the Check Point CloudGuard Controller Administration Guide for your Management Server version > Chapter vSEC Central Licensing.

Important - A VMSS can only use Security Gateways that have the same payment plan, either PAYG or BYOL.

IPS Geo Protection Based on X-Forwarded-For HTTP Header

The IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). Geo protection filters and logs traffic based on the country, from each it arrives. This protection is applied to both the source address of the connection, as well as to any IPv4 address present in an 'X-Forwarded-For' HTTP header.

Notes:

• The External Load Balancer does not hide the client's original IP address.

• If an HTTP request goes through multiple proxies or Load Balancers, the X-Forwarded-For HTTP header is expected to contain multiple IP addresses.

• All IPv4 addresses contained in the X-Forwarded-For HTTP header, are inspected by the IPS Geo protection.

• Any IPv6 address in the X-Forwarded-For HTTP header is ignored.

For more information, see sk115532 on IPS Geo protection based on X-Forwarded-For HTTP header.

Use Case 1

Use Case 2

User Defined Routes

If the Management Server is in the VNET, make sure to have specific routes to allow traffic between the Management Server Virtual Machine and the VMSS instances.

Autoscale setting

Azure Autoscale manages all scale in and scale out events. Go to the Azure portal for an overview of Azure AutoScale.

Azure Autoscale default settings:

1. Adds a Virtual Machine to the VMSS, if the average CPU usage across the VMSS (as reported by the Azure host) is above 80% for five consecutive 1-minute intervals.

2. Terminates a Virtual Machine, if the average CPU usage across the VMSS (as reported by the Azure host) is below 60% for five consecutive 1-minute intervals.

Note: After CloudGuard metrics is enabled, you can use it to trigger scale in and scale out events.

To configure CloudGuard metrics for the Azure Portal:

1. Go to the Azure Portal.

2. From the Azure portal, navigate to the VMSS Resource Group -> Virtual machine scale set resource > Scaling Policy tab.

3. In the current Scale Policy profile( the Default one), remove the current scale out, scale in rules. Click on the rules, select Delete.

4. Add a Scale Out rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.:

   • In the Time Aggregation field, select Average.

   • In the "Metric namespace field, select cloudguard.

   • In the Metric name field, select IPsec number of VPN-1 RA peers.

   • In the checkbox, select Enable metric divide by instance count.

   • In the Operator field, select Greater than.

   • In the Operation field, select Increase count by.

   • In the Instance count field, enter 1.

   • Click Update.

5. Add a Scale In rule:

   • In the Time Aggregation field, select Average.

   • In the Metric namespace field, select cloudguard.

   • In the Metric name field, select IPsec number of VPN-1 RA peers.

   • In the checkbox, select Enable metric divide by instance count.

   • In the Operator field, select Less than or equal to.

   • In the Operation field, select Decrease count by.

   • In the Instance count field, enter 1.

   • Click Update.

6. Save the updated Auto Scaling policy.

Azure sends an email alert and ensures that the number of Virtual Machines in the VMSS stay in the range between the minimum and maximum number of Virtual Machines, based on the template.

Make sure to confirm that the settings you need, appear on the primary Azure portal. If a setting is not available, use the CLI or the Azure Resource Manager to change it. See the Azure Resource Manager.

Configuring the Load Balancer to Listen on Additional Ports

Configuring the Load Balancer to Listen on Additional Public IP Addresses

You can configure the VMSS to secure multiple web applications, each with its own IP address.

Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal'

You must create these Dynamic Objects in SmartConsole:

• LocalGatewayExternal

• LocalGatewayInternal

Procedure:

1. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

2. Enter this exact name (case-sensitive, no spaces):
   

   LocalGatewayExternal

3. Click OK.

4. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

5. Enter this exact name (case-sensitive, no spaces):

   LocalGatewayInternal

6. Click OK.

7. Publish the SmartConsole session

Configuring HTTPS Inspection

Follow these steps to enable HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi..

Notes:

• If you have an outbound CA certificate you can skip these steps. Otherwise, create one in "Creating an Outbound Certificate."

• Only want inbound SSL inspection.

Creating an Outbound Certificate

Creating an HTTPS Inspection Rule to Inspect SSL Traffic

Downloading and Installing the Latest CME (Cloud Management Extension) Version

To download and install the CME (Cloud Management Extension) on the Management Server or Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., see sk157492.

Configuring the Cloud Management Extension (CME) on the Security Management Server

The instructions below contain information about how to configure a VMSS environment in CME. For more information about CME configurations, see the "Overview" section in the Cloud Management Extension Administration Guide.

Deploying a Security Management Server in Azure