Additional Information

Testing Scale In and Scale Out Events

Notes:

  • When the VMSS deploys, new Check Point CloudGuard Network Security Security Gateways appear.

  • When the CloudGuard Network Security Gateways are created, they execute the Gaia First Time Configuration Wizard. This usually takes 10 minutes to complete, but if you have a large Virtual Machine, it can take longer.

  • After the Gaia First Time Configuration Wizard completes, the Check Point Security Management Server automatically installs policy on the CloudGuard Network Security Gateways.

  • Use SmartConsole to confirm the Security Policy on the CloudGuard Network Security Gateways.

  • Use SmartConsole to confirm the CloudGuard Network Security Security Gateways generate and send their logs.

Licensing

Because the number of gateways in VMSS can increase and decrease over time, we recommend that you use CloudGuard Network Security Gateways with the Pay As You Go (PAYG) license model.

For the list of countries, see sk109360.

You can use this solution template to launch BYOL gateways.

For more information about licensing, see the Check Point CloudGuard Controller Administration Guide for your Management Server version > Chapter vSEC Central Licensing.

Important - A VMSS can only use Security Gateways that have the same payment plan, either PAYG or BYOL.

IPS Geo Protection Based on X-Forwarded-For HTTP Header

The IPS Geo protection filters and logs traffic based on the country from which it arrives. This protection is applied both to the source address of the connection and to any IPv4 address present in an 'X-Forwarded-For' HTTP header.

Notes:

  • The External Load Balancer does not hide the client's original IP address.

  • If an HTTP request goes through multiple proxies or Load Balancers, the X-Forwarded-For HTTP header is expected to contain multiple IP addresses.

  • All IPv4 addresses contained in the X-Forwarded-For HTTP header are inspected by the IPS Geo protection.

  • Any IPv6 address in the X-Forwarded-For HTTP header is ignored.

For more information, see sk115532 on IPS Geo protection based on X-Forwarded-For HTTP header.
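To make the notes above concrete, here is an added Python example (not Check Point code) that models which addresses the Geo protection evaluates for one request: the connection source plus every IPv4 entry of X-Forwarded-For, with IPv6 entries ignored. The country table, the blocked-country set and the skipping of non-address tokens are constructed assumptions for the illustration.

```python
import ipaddress

# Constructed sample country table (not real GeoIP data): documentation
# prefixes mapped to made-up two-letter country codes.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "AA",
    ipaddress.ip_network("203.0.113.0/24"): "BB",
    ipaddress.ip_network("192.0.2.0/24"): "CC",
}
# Constructed policy for this example: the Geo protection blocks country "BB".
BLOCKED_COUNTRIES = {"BB"}

def country_of(addr):
    """Look up the country for an IPv4 address; 'UNKNOWN' if not in the table."""
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "UNKNOWN"

def addresses_to_inspect(source_ip, xff_header):
    """Return the addresses Geo protection evaluates for one request: the
    connection source plus every IPv4 entry of X-Forwarded-For (the header
    may carry several, one per proxy or load balancer). IPv6 entries are
    ignored, as the notes state; skipping non-address tokens such as
    'unknown' is an assumption of this example."""
    tokens = [source_ip]
    if xff_header:
        tokens += [t.strip() for t in xff_header.split(",")]
    inspected = []
    for token in tokens:
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue
        if addr.version == 4:
            inspected.append(addr)
    return inspected

def geo_decision(source_ip, xff_header):
    """Return ('drop' or 'accept', [(address, country), ...]) for a request.
    In this model one blocked country among the inspected addresses is enough
    to drop, so a client behind a permitted proxy is still caught."""
    inspected = [(str(a), country_of(a))
                 for a in addresses_to_inspect(source_ip, xff_header)]
    verdict = "drop" if any(cc in BLOCKED_COUNTRIES for _, cc in inspected) else "accept"
    return verdict, inspected
```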

Use Case 1

Use Case 2

User Defined Routes

Each route is listed with its Destination, Nexthop, and Route Purpose.

East-West
  Destination: Entire VNET
  Nexthop: Virtual appliance - Internal Load Balancer's private IP address
  Route Purpose: Inspects all traffic that goes to other subnets in the VNET.
  Note: You can replace this one route for the entire VNET with multiple specific subnet routes.

Outbound
  Destination: 0.0.0.0/0
  Nexthop: Virtual appliance - Internal Load Balancer's private IP address
  Route Purpose: Inspects outbound traffic.
  Note: A destination address that is not matched by any other route (such as the inbound route) falls under this route and is therefore subject to inspection by the Check Point instances in the VNET.

Inbound
  Destination: VMSS backend subnet
  Nexthop: Virtual Network
  Route Purpose: Sends inbound reply traffic to the original CloudGuard Security Gateway instance to enable inspection.
  Note: This enables the inbound traffic to go back to the CloudGuard Security Gateway that is involved in the inspection.

Intra-subnet
  Destination: Subnet itself
  Nexthop: Virtual Network
  Route Purpose: Sends in-subnet traffic directly to its destination without inspection by a CloudGuard Security Gateway. There is no micro-segmentation.

If the Management Server is in the VNET, make sure to have specific routes to allow traffic between the Management Server Virtual Machine and the VMSS instances.
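As an added example, not part of the original guide, this Python snippet applies Azure's longest-prefix-match route selection to the four User Defined Routes above, so you can check which flows from a workload subnet are steered to the CloudGuard gateways and which bypass them. The VNET and subnet addressing, the Internal Load Balancer IP and the next hop type names (VirtualAppliance, VnetLocal) are assumptions.

```python
import ipaddress

# Constructed addressing for the illustration (not from the guide).
VNET = ipaddress.ip_network("10.0.0.0/16")
VMSS_BACKEND_SUBNET = ipaddress.ip_network("10.0.1.0/24")  # CloudGuard gateways
ILB_PRIVATE_IP = "10.0.1.100"                               # Internal Load Balancer

# Next hop type names as used by Azure route tables (assumed here):
# "VirtualAppliance" forwards to the given IP, "VnetLocal" is "Virtual Network".

def udr_for_subnet(workload_subnet):
    """Build the four routes from the table for one workload subnet's route
    table, as (name, prefix, next hop type, next hop address or None)."""
    subnet = ipaddress.ip_network(workload_subnet)
    return [
        ("East-West", VNET, "VirtualAppliance", ILB_PRIVATE_IP),
        ("Outbound", ipaddress.ip_network("0.0.0.0/0"), "VirtualAppliance", ILB_PRIVATE_IP),
        ("Inbound", VMSS_BACKEND_SUBNET, "VnetLocal", None),
        ("Intra-subnet", subnet, "VnetLocal", None),
    ]

def select_route(routes, destination):
    """Longest-prefix match over the route table, as Azure selects a route."""
    dst = ipaddress.ip_address(destination)
    best = None
    for route in routes:
        prefix = route[1]
        if dst in prefix and (best is None or prefix.prefixlen > best[1].prefixlen):
            best = route
    return best

def is_inspected(workload_subnet, destination):
    """True when traffic leaving workload_subnet toward destination is steered
    to the CloudGuard gateways (next hop is the Internal Load Balancer).
    Intra-subnet and reply traffic to the backend subnet stay VnetLocal."""
    route = select_route(udr_for_subnet(workload_subnet), destination)
    return route[2] == "VirtualAppliance"

if __name__ == "__main__":
    app = "10.0.2.0/24"  # constructed workload subnet
    for dst in ("10.0.2.9", "10.0.3.7", "203.0.113.5", "10.0.1.4"):
        name, prefix, hop_type, hop_ip = select_route(udr_for_subnet(app), dst)
        print(f"{dst:>13} -> {name:<12} via {hop_type} {hop_ip or ''} "
              f"inspected={is_inspected(app, dst)}")
```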

Autoscale setting

Azure Autoscale manages all scale in and scale out events. Go to the Azure portal for an overview of Azure Autoscale.

Azure Autoscale default settings:

  1. Adds a Virtual Machine to the VMSS, if the average CPU usage across the VMSS (as reported by the Azure host) is above 80% for five consecutive 1-minute intervals.

  2. Terminates a Virtual Machine, if the average CPU usage across the VMSS (as reported by the Azure host) is below 60% for five consecutive 1-minute intervals.

Note: After CloudGuard metrics are enabled, you can use them to trigger scale in and scale out events.

To configure CloudGuard metrics for the Azure Portal:

  1. Go to the Azure Portal.

  2. From the Azure portal, navigate to the VMSS Resource Group -> Virtual machine scale set resource > Scaling Policy tab.

  3. In the current Scale Policy profile (the Default one), remove the current scale out and scale in rules: click each rule and select Delete.

  4. Add a Scale Out rule:

    • In the Time Aggregation field, select Average.

    • In the Metric namespace field, select cloudguard.

    • In the Metric name field, select IPsec number of VPN-1 RA peers.

    • Select the Enable metric divide by instance count checkbox.

    • In the Operator field, select Greater than.

    • In the Operation field, select Increase count by.

    • In the Instance count field, enter 1.

    • Click Update.

  5. Add a Scale In rule:

    • In the Time Aggregation field, select Average.

    • In the Metric namespace field, select cloudguard.

    • In the Metric name field, select IPsec number of VPN-1 RA peers.

    • Select the Enable metric divide by instance count checkbox.

    • In the Operator field, select Less than or equal to.

    • In the Operation field, select Decrease count by.

    • In the Instance count field, enter 1.

    • Click Update.

  6. Save the updated Auto Scaling policy.

Azure sends an email alert and ensures that the number of Virtual Machines in the VMSS stays in the range between the minimum and maximum number of Virtual Machines defined by the template.

Make sure to confirm that the settings you need appear on the primary Azure portal. If a setting is not available, use the CLI or the Azure Resource Manager to change it. See the Azure Resource Manager.

Configuring the Load Balancer to Listen on Additional Ports

Configuring the Load Balancer to Listen on Additional Public IP Addresses

You can configure the VMSS to secure multiple web applications, each with its own IP address.

Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal'

You must create these Dynamic Objects in SmartConsole:

  • LocalGatewayExternal

  • LocalGatewayInternal

Procedure:

  1. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

  2. Enter this exact name (case-sensitive, no spaces):

    LocalGatewayExternal

  3. Click OK.

  4. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

  5. Enter this exact name (case-sensitive, no spaces):

    LocalGatewayInternal

  6. Click OK.

  7. Publish the SmartConsole session.

Configuring HTTPS Inspection

Follow these steps to enable HTTPS Inspection.

Notes:

  • If you have an outbound CA certificate you can skip these steps. Otherwise, create one in "Creating an Outbound Certificate."

  • Only want inbound SSL inspection.

Creating an Outbound Certificate

Creating an HTTPS Inspection Rule to Inspect SSL Traffic

Downloading and Installing the Latest CME (Cloud Management Extension) Version

To download and install the CME (Cloud Management Extension) on the Management Server or Multi-Domain Server, see sk157492.

Configuring the Cloud Management Extension (CME) on the Security Management Server

The instructions below contain information about how to configure a VMSS environment in CME. For more information about CME configurations, see the "Overview" section in the Cloud Management Extension R80.10 and Higher Administration Guide.

Deploying a Security Management Server in Azure

Upgrading the CloudGuard VMSS Solution

This section includes instructions and guidelines for upgrading an existing, deployed CloudGuard VMSS solution (for example, upgrade from R80.10 CloudGuard VMSS solution to R80.20 CloudGuard VMSS solution).

A VMSS solution is upgraded by deploying a new solution (side-by-side), reconfiguring the Azure resources and the Check Point configuration to use the new solution, and then deleting the old one.

Note:

  • It is not necessary to upgrade the VMSS solution in order to obtain newer images of the same Check Point version (for example, R80.10 or R80.20). On each Scale Out, an instance with the latest available image for the version is deployed automatically.

  • Make sure that your existing Management Server or Multi-Domain Server can be used with the newer VMSS version that you are deploying.