Configuration Steps

Step 1: Set up authentication using either Microsoft Entra ID (formerly Azure AD) or Azure IAM

Azure provides two options for managing access to resources. You can use either Microsoft Entra ID (formerly Azure AD) or Azure Identity and Access Management (IAM) to establish secure authentication.

To grant access using Azure IAM (starting from CME Take 297), go to Step 4.7.

To create a Microsoft Entra ID and Service Principal:

With the Microsoft Entra ID and Service Principal, the Check Point Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. monitors the creation and status of the VMSS, so it can complete the provision of these Security Gateways.

1. Connect to portal.azure.com.

2. Click Microsoft Entra ID.

3. Click +Add > App registration. The Register an application screen opens

4. Create new registration:

   1. Select a meaningful Name.

   2. Supported account types - Select Accounts in this organizational directory only (Single tenant).

   3. Redirect URL - Select Web, and type https://localhost/vmss-name - instead of vmss-name. It can be any name.

   4. Click Register. The new application is created.

   5. In the new application screen, on the left menu pane, click Manage > Certificates and secrets.

   6. In the Client Secrets tab, click + New Client Secret.

   7. Add the duration for the key.

   8. Click Add.

   9. Backup the key. You cannot look at the key later. Save it now.

After you create the application, write down these values to use in the "Configure the Check Point Security Management Server" step.

• Application ID

  client_id

• Key value

  client_secret

• Tenant ID

  directory (tenant) ID

Step 2: Install the Check Point Security Management Server

We recommend you to use Smart-1 Cloud (Check Point's Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. as a Service) to manage CloudGuard Network for Azure Virtual Machine Scale Sets (VMSS).

Refer to Quantum Smart-1 Cloud Administration Guide > Using the settings > Cloud Management Extension (CME) Configuration for step-by-step instructions for enabling CME in Smart-1 Cloud.

These steps are required only if you do not have an installed Check Point Security Management Server.

If you already have the Check Point Security Management Server installed, skip to Step 3.

Step 3: Configure the Check Point Security Management Server

Do these steps to manage the Virtual Machine Scale Sets with the Check Point Security Management Server:

1. Downloading and Installing the Latest CME Version.

2. Configuring the CME on the Security Management Server

3. Configure the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. in SmartConsole.

   Important - The policy name must be the same as the value you configured in Step 2.

Note - By default, each Check Point Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. and Security Management Server's Gaia Portal Web interface for the Check Point Gaia operating system. is accessible from the internet by browsing to http://<virtual-machine-public-ip>. Restriction of access to the Gaia Portal is possible by configuring a Network Security Group, or by configuring the Check Point Security Gateway and Management Server settings.

Step 4: Deploy the Check Point VMSS and assign the Microsoft Entra ID application

1. Deploy the CloudGuard Network Security - Firewall & Threat Prevention from the Azure Marketplace.

2. Click Get it Now.

3. In Software plan drop-down window, Select CloudGuard Scale Set and click Continue.

4. Click Create.

5. In the Create CloudGuard Scale Set screen that opens, fill in the parameters according to the tables below.

   • Use these parameters in the Basic section

     Parameter	Description
     Subscription	The Azure subscription, where the VMSS is deployed.
     Resource group	The Azure Resource Group, where the VMSS is deployed. Important - The Resource Group must be empty (must not contain any Azure resources). Note - Resource group name must not contain reserved words based on sk40179.
     Region	The region, where the VMSS is deployed.
     Gateway scale set name	The name of the VMSS resource group.
     Authentication type	The option to authenticate either with the public key or with a username and password when establishing SSH connections to the CloudGuard Network Security Gateway.

   • Use these parameters in the Check Point VMSS settings section

     Parameter	Description
     Are you upgrading your CloudGuard VMSS solution?	Defines if this a new deployment or an upgrade of the existing VMSS deployment. If this is an upgrade of the CloudGuard VMSS solution, select Yes and follow the VMSS Upgrade procedure.
     Initial number of Security Gateways	The minimum number of CloudGuard Network Security Gateway instances in the VMSS. We recommend a minimum of two.
     Maximum number of Security Gateways	The maximum number of CloudGuard Network Security Gateway instances in the VMSS.
     Management name	The name of the Security Management Server. Example: my-management See Configuring the CME on the Security Management Server
     Configuration template name	The name of the configuration template from the CME service. Example: my-configuration-template
     Administrator email address	The email address of the Administrator responsible for scaling operations, such as the launch of a new Security Gateway, or a Security Gateway termination.
     Load Balancer deployment	Defines which Load Balancer to deploy: Standard (External & Internal inspection). External only (Inbound inspection only). Internal only (Outbound & East-West inspection only). For outbound inspection, it is mandatory to deploy an External Load Balancer and instance-level public IP addresses.
     Deploy the Load Balancers with floating IP	If you select yes, each Load Balancer is deployed with Floating IP enabled. Default value: no.
     Check Point CloudGuard External Load Balancer session persistence	The load balancing distribution method for the External Load Balancer - Inbound. See Configure the distribution mode for Azure Load Balancer.
     Check Point CloudGuard Internal Load Balancer session persistence	The load balancing distribution method for the Internal Load Balancer - Outbound and East-West. See Configure the distribution mode for Azure Load Balancer.
     Deploy the VMSS with instance level public IP address	If you select yes, each VMSS instance gets its own public IP address. The Security Management Server can use those IP addresses to manage from the external VNET. Default value: no. Important - The value you configure is irreversible.
     Deploy the VMSS with Public IP Prefix	If you select yes, the VMSS is deployed with a Public IP Prefix.
     Create new or existing Public IP Prefix	If you select new, select the IPv4 prefix length. Note - The VMSS is not allowed to contain more instances than the prefix size.
     Management interface and IP address	Select which IP address to use as the management interface for the VMSS: Backend NIC's private IP address. Frontend NIC's public IP address - only available if you deploy an Instance Level Public IP (ILPIP) address. Frontend NIC's private IP address. Private: Manage the Gateway VMSS with the private IP address of the instance. The Security Management Server must have access to the private IP addresses. For example, to be in the same/peered VNET. In case you use the frontend NIC, you must add a corresponding rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. in the Frontend Route Table: Destination & Next Hop: <The private IP address of the Security Management Server>. Public: Manage the Gateway VMSS with the public IP address of the instance. Note - Support for private addresses is available with the Add-On version 419 and above, and the template version 20200303 and above.
     Number of Availability Zones to use	Defines the Azure Availability Zones for your VMSS: None - Do not use Azure Availability Zones. 1 - Use Azure zonal redundancy. 2 - Use Azure two-zones redundancy (zones [1, 2]) 3 - Use Azure three-zones redundancy (zones [1, 2, 3]) Notes: Only available if you deploy in a supported Azure location. Support for Azure Availability Zones is available with the template version 20200303 and above.
     DNS Resource Zone ID	Resource ID is the unique permanent identifier assigned to each Azure resource. ID of the DNS Zone Resource can be found in its related Properties tab.
     DNS Record Set Name	DNS Record that includes a maximum of 20 public IPs of VMSS instances. If a current Record Set is used, all its records are replaced with the VMSS instances' public IPs.
     Enable CloudGuard metrics	Enables CloudGuard metrics to allow VMSS instances to send statuses and statistics to the Azure Monitor service. If the CloudGuard metrics are enabled in the VMSS deployment, then: System Assigned Managed Identity is created and the "Monitoring Metrics Publisher" role is assigned to the VMSS Resource Group. The CloudGuard metrics agent starts to send metrics each minute. The CloudGuard metrics are sent to the Azure Monitor resource immediately after the VMSS deployment is completed. To show CloudGuard, from the VMSS view, click Monitoring > Metrics > Metric Namespace - "cloudguard".

   • Use these parameters in the Check Point CloudGuard Settings

     Parameter	Description
     Check Point CloudGuard version	Select the Check Point version you want to install.
     License type	Select the license type to use: Bring Your Own License Pay As You Go (NGTP) Pay As You Go (NGTX)
     Virtual Machine size	The VM size of the Security Gateway.
     Default shell for the admin user	Select the admin’s default shell.
     SIC key	Set the Secure Internal Communication one-time secret.
     Enable Maintenance Mode	A password hash to enable the VM maintenance mode.
     Maintenance Mode password hash	To get a hash string for a password, run this command in the Expert mode: grub2-mkpasswd-pbkdf2

   • Use these parameters in the Network settings section

     Parameter	Description
     Network setting	A pre-existing Virtual Network and its subnets, or the name of a new Virtual Network and subnets, where the VMSS is deployed. Note: When you use a pre-existing subnet: Make sure no other Virtual Machines are deployed in those subnets Make sure to correctly define user-defined routes (UDR) for each subnet (see the Network Diagram section). Make sure the NSG is associated with the frontend subnet that allows all inbound and outbound TCP and UDP traffic.
     Network Security Group	The Network Security Group that you attach to the VNet.

   • Use these parameters in the Tags section

     Parameter	Description
     Name, Value	Azure tags to attach to the selected resources.

6. Go to the Review+create tab, review the information, and click Create.

7. After the deployment is complete:

   If you choose to register the Microsoft Entra ID application, assign a role to the application as described in Register a Microsoft Entra app and create a service principal. Give the VMSS, VNET, and the Frontend Load Balancer a minimum role of Reader.

   Alternatively, you can grant access to Azure VMSS resources based on IAM role. See Step 5: (Optional): Grant access to Azure resources based on IAM role for instructions.

For more information on Managed identities, see the Azure documentation overview.

Notes: Newly provisioned Security Gateways automatically receive the latest published Security Policy. You have to install the policy on the existing Security Gateways to update their Security Policy. Auto-Scaling Security Gateway objects are automatically created and deleted according to the current environment. Therefore, we do not recommend that you use specified objects in rules. In additions, we do not recommend that you manually edit those objects. In the case of a scale-out event, the latest released Check Point image is used to deploy the new Virtual Machine. When you use the template version 20181017 or above: Fast Deployment Images (Blink) with a pre-installed Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. is used. In the case of a scale-out event, the newer Virtual Machine uses the latest released Check Point image. For more information, see these SK articles: CloudGuard for Azure Latest Updates - see sk132192. Blink - Gaia Fast Deployment - see sk120193.

Step 5: (Optional): Grant access to Azure resources based on IAM role

Prerequisite: The Security Management Server was configured to use the system-managed identity on Step 3.

To configure IAM and assign a role for managed identity:

1. Connect to portal.azure.com.

2. Go to the VMSS resource group.

3. Click Access control (IAM).

4. Click +Add > Add role assignment. The Role Assignment screen opens.

5. Choose the role definition (minimal permissions of "Reader" are required).

6. Click Next to choose members to assign access to.

7. Choose Managed identity.

8. Click Select members. Select Managed Identities screen opens.

9. Choose the Managed identity option and pick the Check Point Security Management Server VM.

10. Click Select > Review + assign.

11. Review the role and click Review + assign to grant access to the desired resource.

Step 6: (Optional): Deploy External Application Gateway

Prerequisites:

• A domain in your possession.

• A subnet that contains only the External Application Gateway in the VMSS's VNET.

To deploy an External Application Gateway:

From the Azure Portal, go to Application gateways > deploy a new Application Gateway.

To complete the HTTP settings creation, click Add.

To complete the Routing rule creation, click Add.

Review and create this Application Gateway.

Note - The Application Gateway deployment completes in about 20 minutes or less.

Important - The Health Probe checks the communication up to the application server. Hence, the Backend health tests pass only when the full solution is deployed and configured.

Edit the route table:

1. Add a route from the VMSS Frontends subnet to the Application Gateway subnet.

2. Go the external VMSS subnet by default named "VMSS-Frontend" > Routes > click Add.

   • Name: "To-external-application-gateway"

   • Address prefix: the address prefix of the external Application Gateway subnet

   • Next hop type: Virtual network

3. Click OK.

Add a static route for the VMSS instances:

1. Connect to the command line on the Security Management Server.

2. Log in to the Expert mode.

3. Download the static_route_config_sh script from this link.

4. Edit static_route_config_sh and enter the EXTERNAL_AGW_SUBNET_CIDR and EXTERNAL_VMSS_SUBNET_DEFAULT_GATEWAY values.

5. Copy the script to the Management Server, use this name:

   $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh

6. Assign the execute permission to the shell script, run:

   chmod u+x $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh

7. Make sure there are no syntax mistakes in the shell script, run:

   sh -n $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh

8. Configure CME and set the relevant template to use this script, run:

   autoprov_cfg set template –tn <CONFIGURATION-TEMPLATE-NAME> –cg $MDS_FWDIR/conf/static_route_config_<CONFIGURATION-TEMPLATE-NAME>.sh

Step 7: (Optional): Deploy Internal Application Gateway

Prerequisite - A subnet that can contain only Internal Application Gateway in the VMSS's VNET. This subnet is different from the one created in Step 6.

To deploy Internal Application Gateway:

From the Azure Portal, go to Application gateways > deploy a new Application Gateway.

To complete a Path-based routing rule, click Add. If necessary, you can create more Path-based rules.

Review and create this Application Gateway.

Note - The Application Gateway deployment completes in about 20 minutes.

Cleanup:

After the deployment of the Internal and External Application Gateways (steps 6 and 7), go to the VMSS resource group and delete the External Load Balancer object created automatically in step 4. The External Load Balancer is named by default: "frontend-lb".

Note - For outbound inspection, use the Internal Load Balancer.

Step 8: (Optional) Set Up Traffic Manager External Endpoints

Microsoft Azure Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. Traffic Manager allows you to control how network traffic is distributed to VMSS that run in different regions.

When the Traffic Manager receives a DNS request, it selects an available endpoint in the closest region to return the DNS response.

To set up Traffic Manager External Endpoints:

Step	Instructions
1	From the Azure portal, navigate to the Traffic Manager profile.
2	In the Traffic Manager profile, select Configuration and enter this information: In the Protocol field, enter: HTTPS. In the Port field, enter: 443.
3	In the Traffic Manager profile, select Endpoints, click Add, and enter this information: In the Type field, select External endpoint In the Name field, enter the Endpoint's name In the Fully-qualified domain name (FQDN) or IP field, enter a DNS Record Set FQDN that includes the VMSS Instances' public IP addresses. Note - DNS Record Set is used for one VMSS only. In the Location field, select the geographic location from which the DNS Record Set FQDN defined in previous step will be accessible. In the Health Checks field, select: Enable: We recommend selecting this option: Health Checks determine if to send traffic to the Endpoint. Always serve traffic: No Health Checks run. Traffic is always sent to the Endpoint.
4	After creating the Endpoint, make sure the Monitor Status is set to Online.
5	To create more Endpoints with different DNS Record Sets, do steps 3 and 4 again.

Step 9: Set Up the External Load Balancer

By default, the template you deploy creates an external (Internet-facing) Load Balancer that:

• Listens on TCP port 80 on the static public IP address of the External Load Balancer.

• Forwards the traffic it receives to the pool of CloudGuard Network Security Gateways on TCP port 8081.

• Uses TCP health probes on port 8117 to know the health of the CloudGuard Network Security Gateways.

Notes: You cannot use ports 80, 443, 444, 8082, 8117, and 8880 for forwarded traffic. In addition, you cannot use the ports defined in sk52421 (used by Check Point software), and 32768 – 65535 as defined in sk162619 (FWD daemon listening on multiple random high ports). Do not change the health probes. The Check Point VMSS Resource Group includes a Network Security Group (NSG). By default, the NSG allows all outbound and inbound traffic.

You can configure the Load Balancer to listen on more ports and/or on more public IP addresses. See Load balancing with Multiple front-ends.

For use cases, see these links:

• Configuring the Load Balancer to Listen on Additional Ports

• Configuring the Load Balancer to Listen on Additional Public IP Addresses

Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal'

You must also create these Dynamic Objects in SmartConsole:

• LocalGatewayExternal

• LocalGatewayInternal

Procedure:

1. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

2. Enter this exact name (case-sensitive, no spaces):
   

   LocalGatewayExternal

3. Click OK.

4. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

5. Enter this exact name (case-sensitive, no spaces):

   LocalGatewayInternal

6. Click OK.

7. Publish the SmartConsole session

Step 10: Configure Inbound Protection

Note - If HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. is necessary, see Configure HTTPS Inspection.

Step 11: Configure Outbound and East-West Protection

Configure UDR tables and NAT rules for Southbound-Northbound and East-West traffic protection.

You can configure the Check Point VMSS to examine Outbound and East-West traffic across internal subnets.

You can use this to examine and control traffic of different web clients, such as:

• Servers and containers that must have software and image updates from repositories located outside the Virtual Network.

• Virtual desktop environments that run in the Virtual Network and access the Internet or each other.

• Servers that send traffic to each other.

To configure inspection of the traffic from servers in internal private subnets, you have to route traffic through the Check Point VMSS. Use the Check Point Internal Load Balancer as the Next hop in the private subnet UDR. The Internal Load Balancer then forwards all the traffic to one of the Check Point Security Gateways.

Note - The Internal Load Balancer deploys by default as part of the solution template and is automatically configured. It is configured to listen and forward all TCP or UDP traffic on HA Ports. The Internal Load Balancer gets an automatically assigned name backend-lb. Probes monitor the health of the Check PointVMSS on the TCP port 8117 from the source IP address 168.63.129.16.

Configuring Protection for the VMSS VNET

Note - The Internal Load Balancer private IP address is static. To find it, browse into the Internal Load Balancer named backend-lb. For more information, see User Defined Routes.

Configuring Protection for External VNETs

Limitations:

This section is only supported when:

• The template version is 20180711 or above.

• The applicable peered VNETs use private address spaces as defined in the RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

• Global VNET peering is not supported. See Azure requirements and constraints.

Do the steps below for inspection of traffic between a subnet in the peered VNET and a subnet in the VMSS VNET, or a different peered VNET.

Use case:

Your hub-spoke network topology uses peered VNETs and you want the VMSS, as the hub, to examine the traffic.