Configuration Steps

Step 1 Create an Azure AD and Service Principal

With the Azure AD and Service Principal, the Check Point Security Management Server monitors the creation and status of the VMSS, so it can complete the provision of these gateways.

1. Connect to portal.azure.com.

2. Click Active Directory -> App registrations -> New registration.

3. Create new registration:

   1. Select a meaningful Name.

   2. Supported account types - Select Single tenant.

   3. Redirect URL - Select Web, and type https://localhost/vmss-name - instead of: vmss-name. It can be any name.

   4. Click Register.

   5. Open Certificates and secrets pane -> click New secret key.

   6. Add the duration for the key.

   7. Backup the key. You cannot look at the key later. Save it now.

After you create the application, write down these values, for "Configure the Check Point Security Management Server"

• Application ID

  client_id

• Key value

  client_secret

• Tenant ID

  tenant

• Directory ID

Note - We recommend that you set the key to never expire.

Step 2 Install the Check Point Security Management Server

These steps are required only if you do not have an installed Check Point Security Management Server.

If you already have the Check Point Security Management Server installed, skip to Step 3.

Step 3: (Optional) Deploy the Azure App Service Domain and Assign the Azure AD Application

This step is optional and is only required for Remote Access VPN configuration.

The App Service Domain (DNS Zone) is used to store the Record Set with the VMSS Instances' public IPs. Remote Access VPN clients run a DNS query to the Record Set FQDN to resolve the current active IP addresses and do a load-share mechanism on the resolved IP list.

Deploy the Azure App Service Domain from the Azure Portal.

Notes:

• Skip this step if you already have an existing Azure App Service Domain to use for the Remote Access solution.

• To use an existing domain name registrar, it must be delegated to the Azure DNS Zone. For more information, see the Microsoft Azure documentation.

Use these parameters when deploying a DNS Zone resource in Azure:

Parameter	Description
Search for domain	The domain name that you want to buy and validate its availability.
Subscription	The Azure subscription where the App Service Domain is deployed.
Resource group	The Azure Resource Group where the App Service Domain is deployed.
Contact information	The Domain registration information.
Privacy protection	Accept terms and purchase.

Step 4: Configure the Check Point Security Management Server

Do these steps to manage the Virtual Machine Scale Sets with the Check Point Security Management Server:

1. Downloading and Installing the Latest CME (Cloud Management Extension) Version of CME.

2. Configuring the Cloud Management Extension (CME) on the Security Management Server

3. Configure the Security Policy in SmartConsole.

   Important - The name of the policy has to match correctly the value that you configured in "Install the Check Point Security Management Server".

Note - By default, each Check Point Security Gateway and Security Management Server's Gaia Portal is accessible from the internet by browsing to http://<virtual-machine-public-ip>. Restriction of access to the Gaia Portal is possible by configuring a Network Security Group, or by configuring the Check Point Security Gateway and Management Server settings.

If Remote Access VPN is used, do these steps:

Remote Access – part 1

1. Configure the Management Server to centrally manage Endpoint Client's settings. Do steps 1-4 in sk55502 (Note - Skip step 5).

2. Edit the trac_client_1.ttm file on the Management Server:

   1. Connect to the command line on the Security Management Server / Multi-Domain Security Management Server.

   2. Log in to the Expert mode.

   3. On the Multi-Domain Server, switch to the context of the applicable Domain Management Server:

      mdsenv <Name or IP address of Domain Management Server>

   4. Edit the trac_client_1.ttm file:

      1. Run:

         vi $FWDIR/conf/trac_client_1.ttm

      2. Set the default value of the "automatic_mep_topology" attribute to false.

      3. To disable "SecondaryConnect", add this section in the file:

         :enable_secondary_connect ( :gateway ( :map ( :true (true) :false (false) :client_decide (client_decide) ) :default (false) ) )

Note - If this section already exists, change the "default" value to (false).

Remote Access – part 2

Do these steps in SmartConsole:

1. Open Global Properties.

2. Click the Remote Access tab.

3. Click Endpoint Connect.

4. Set the Connect Mode to Always Connected.

5. Set the Disconnect when connectivity to network is lost to yes.

6. Create a Network object to represent the VMSS Gateway's frontend subnet:

   Example: eth0: 10.10.1.1 -> Network: 10.10.1.0/24

   1. Select the Objects menu > New Network.

   2. Enter a descriptive name. For example, FrontEndNetwork.

   3. From the left tree, click General.

   4. Enter the applicable information.

   5. Click OK.

7. In Security Policies > Access Control, click NAT and add a Manual NAT rule to skip NAT for outbound traffic:

   Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services	Install On
   A Network Group object that represents the full external Gateway's address space	Any	Any	= Original	= Original	= Original	Policy Targets

Remote Access – part 3, Add "Server Authentication" to the Extended Key Usage (EKU) of the GW IKE Certificate

1. If the Management or Multi-Domain Management Server is deployed in Azure, add the security rule that allows TCP access to port 18265 for Management network interface to the network security group.

2. Set up the ICA Management Tool, see sk30501.

3. Access the ICA Management Tool, at this URL:

   https://<Management_Machine_IP_Address>:18265

4. Click Configure the CA.

5. Below the IKE Certificate extended key usage, select Server Authentication > click Apply.

6. Disable the ICA management tool. On the Management Server, in Expert mode run:

   cpca_client set_mgmt_tool off

7. If the Security Management Server or Multi-Domain Server is deployed in Azure, remove the security rule that allows TCP access to the port 18265 for Management network interface from the network security group.

Step 5: Deploy the Check Point VMSS and Assign the Azure AD Application

Deploy the CloudGuard Network Security - Firewall & Threat Prevention from the Azure Marketplace.

Contact Check Point Support or Check Point Local Office for the solution template to deploy a VMSS with Remote Access VPN.

Note - If Multi Region Remote Access VPN is used, do this step again to deploy VMSS in different regions.

• Use these parameters in the Basic section

  Parameter	Description
  Gateway scale set name	The name of the VMSS resource group.
  Credentials	The public key or username and password for SSH connections to the CloudGuard Network Security Gateway.
  Subscription	The Azure subscription, where the VMSS is deployed.
  Resource group	The Azure Resource Group, where the VMSS is deployed. Important - The Resource Group must be empty (must not contain any Azure resources), Note: Resource group name must not contain reserved words based on: sk40179.
  Location	The location - where the VMSS is deployed.

• Use these parameters in the Check Point VMSS settings section

  Parameter	Description
  Are you upgrading your CloudGuard VMSS solution?	Defines if this a new deployment, or function of this deployment is to upgrade an existing VMSS deployment. If this is an upgrade of the CloudGuard VMSS solution, select Yes. see Upgrading the CloudGuard VMSS Solution
  Initial number of Security Gateways	The minimum number of CloudGuard Network Security Gateways instances in the VMSS. We recommend a minimum of two.
  Maximum number of Security Gateways	The maximum number of CloudGuard Network Security Gateways instances in the VMSS.
  Management name	The name of the Security Management Server. Example: my-management See Configuring the Cloud Management Extension (CME) on the Security Management Server
  Configuration template name	The name of the configuration template from the CME service. Example: my-configuration-template
  Administrator email address	The email address of the Administrator responsible for scaling operations, such as the launch of a new gateway, or a gateway termination.
  Load Balancer deployment	Defines which Load Balancer to deploy: Standard (External & Internal inspection). External only (Inbound inspection only). Internal only (Outbound & East-West inspection only). For outbound inspection, it is mandatory to deploy an External Load Balancer and, or instance level public IP addresses.
  Deploy the Load Balancers with floating IP	If you select yes, each Load Balancer will be deployed with Floating IP enabled. Default value: no.
  Check Point CloudGuard External Load Balancer session persistence	The load balance distribution method for the External Load Balancer - Inbound. See Configure the distribution mode for Azure Load Balancer.
  Check Point CloudGuard Internal Load Balancer session persistence	The load balance distribution method for the Internal Load Balancer - Outbound and East-West. See Configure the distribution mode for Azure Load Balancer.
  Deploy the VMSS with instance level public IP address	If you select yes, each VMSS instance gets its own public IP address. The Security Management Server can use those IP addresses to manage from the external VNET. Default value: no. Important - The value you configure is irreversible. When the Remote Access VPN is used, you must manage VMSS with public IPs.
  Deploy the VMSS with Public IP Prefix	If you select yes, the VMSS will be deployed with a Public IP Prefix
  Create new or existing Public IP Prefix	If you select new, select the IPv4 prefix length Note: The VMSS will not be allowed to contain more instances then the prefix size
  Management interface and IP address	Select which IP address to use as the management interface for the VMSS: Backend NIC's private IP address. Frontend NIC's public IP address - only available if you deploy an Instance Level Public IP (ILPIP) address. Frontend NIC's private IP address. Private: Manage the Gateway VMSS with the private IP address of the instance. The Security Management Server must have access to the private IP addresses. For example, to be in the same/peered VNET. In case you use the frontend NIC, you must add a corresponding rule in the Frontend Route Table: Destination & Next Hop: <The private IP address of the Security Management Server>. Public: Manage the Gateway VMSS with the public IP address of the instance. Note: Support for private addresses is available with Add-On version 419 and above, and template version 20200303 and above.
  Number of Availability Zones to use	Defines the Azure Availability Zones for your VMSS: None - Do not use Azure Availability Zones. 1 - Use Azure zonal redundancy. 2 - Use Azure two-zones redundancy (zones [1, 2]) 3 - Use Azure three-zones redundancy (zones [1, 2, 3]) Notes: Only available if you deploy in a supported Azure location. Support for Azure Availability Zones is available with template version 20200303 and above.
  Remote Access VPN settings	If you select yes, the Remote Access VPN required Azure resources, Azure function with System Assigned Managed Identity are deployed and configured. Notes: Select yes only in case Remote Access VPN functionality is used. After the VMSS is successfully deployed, it is recommended to change the metrics used in the Scaling Policy to the CloudGuard Remote Access VPN > "IPsec number of VPN-1 RA peers". See Autoscale setting.
  DNS Resource Zone ID	Resource Id is the unique, permanent, identifier assigned to each Azure resource. The DNS Zone Resource in its related Properties tab.
  DNS Record Set Name	DNS Record that includes a maximum of 20 public IPs of VMSS instances. If a current Record Set is used, all its records are replaced with the VMSS instances' public IPs. If the Multi Region Remote Access VPN is used, then a different DNS Record Set name must be defined for each VMSS deployment.
  Enable CloudGuard metrics	Enables CloudGuard metrics to allow VMSS instances to send statuses and statistics to the Azure Monitor service. If the CloudGuard metrics are enabled in the VMSS deployment, then: System Assigned Managed Identity is created and the "Monitoring Metrics Publisher" role is assigned to the VMSS Resource Group. The CloudGuard metrics agent starts to send metrics each minute. The CloudGuard metrics are sent to the Azure Monitor resource immediately after the VMSS deployment is completed. To show CloudGuard, from the VMSS view -> click Monitoring -> Metrics -> Metric Namespace - "cloudguard".

• Use these parameters in the Network settings section

  Parameter	Description
  Network setting	A pre-existing Virtual Network and its subnets, or the name of a new Virtual Network and subnets, where the VMSS is deployed. Note: When you use a pre-existing subnet: Make sure no other Virtual Machines are deployed in those subnets Make sure to correctly define user defined routes (UDR) for each subnet (see the Network Diagram section). Make sure that an NSG is associated with the frontend subnet that allows all inbound and outbound TCP and UDP traffic.
  Network Security Group	The Network Security Group that you attach to the Vnet.

• Use these parameters in the Tags section

  Parameter	Description
  Name, Value	Azure tags to attach to the selected resources.

1. Assign the Azure Active Directory application as described in Add a minimum role of Reader to the VMSS and the VNET. See Assign application to role.

2. If you use Remote Access VPN, do these steps:

   1. Assign the Azure AD application as described in Step 1 Create an Azure AD and Service Principal. Add a minimum role of Reader to the VNET and the role of Contributor to the VMSS.

   2. Assign System Assigned Managed Identity application is created as part of the VMSS deployment. Add a minimum role of Contributor to the Resource Group of the App Service DNS (DNS Zone). The name of the System Assigned Managed Identity is equal to the VMSS Resource Group one.

For more about Managed identities, see the Azure documentation overview.

Notes:

• Newly provisioned Security Gateways automatically receive the latest published Security Policy. You have to install the policy on the existing Security Gateways to update their Security Policy.

• Auto Scaling Security Gateway objects are automatically created and deleted according to the current environment. Therefore, we do not recommend that you use specified objects in rules. In additions, we do not recommend that you manually edit those objects.

• In case of scale out event, the latest released Check Point image is used to deploy the new Virtual Machine.

• As part of Remote Access VPN deployment, the Azure function (or "Function App") is deployed. The Azure function is triggered in two minute intervals to get VMSS provisioned instances and add their public IPs to the DNS Zone Record Set.

• When you use the template version 20181017 or above:

  1. Fast Deployment Images (Blink) with a pre-installed Jumbo Hotfix Accumulator is used.

  2. In case of scale out event, the newer Virtual Machine uses the latest released Check Point image.

     For R80.10, the latest release image might include a newer Jumbo Hotfix Accumulator version.

  For more information, see these SK articles:

  • CloudGuard for Azure Latest Updates - see sk132192

  • Jumbo Hotfix Accumulator for R80.10 - see Jumbo Hotfix Accumulator for R80.10

  • Blink - Gaia Fast Deployment - see sk120193

• By default, each Check Point Security Gateway and Security Management Server's Gaia Portal is accessible from the internet at https://<virtual-machine-public-ip>. It is possible to control the access to the Gaia Portal. Configure a Network Security Group, or configure the Check Point Gateway and Management Server settings.

Step 10: (Optional) Set Up Traffic Manager External Endpoints

Note - For Remote Access VPN, Multi Region Configuration it is required.

Microsoft Azure Traffic Manager allows you to control how network traffic is distributed to VMSS that run in different regions.

When the Traffic Manager receives a DNS request, it selects an available endpoint in the closest region to return the DNS response.

To set up Traffic Manager External Endpoints:

Step	Instructions
1	From the Azure portal, navigate to the Traffic Manager profile created in the step 7.
2	In the Traffic Manager profile, select Configuration and enter this information in the required information: In the Protocol field, enter: HTTPS In the Port field, enter: 443
3	In the Traffic Manager profile, select Endpoints, click Add and enter this information in the required field: In the Type field, select External endpoint In the Name field, enter the Endpoint's name In the Fully-qualified domain name (FQDN) or IP field, enter a DNS Record Set FQDN that includes the VMSS Instances' public IP addresses. Note - DNS Record Set is used for one VMSS only. In the Location field, select the geographic location from which the DNS Record Set FQDN defined in previous step will be accessible. In the Health Checks field, select: Enable: We recommend selecting this option: Health Checks determine if to send traffic to the Endpoint. Always serve traffic: No Health Checks run. Traffic is always sent to the Endpoint.
4	After creating the Endpoint makes sure the Monitor Status is set to Online.
5	To create morel Endpoints with different DNS Record Sets, do steps 3 and 4 again.

Step 11: Set Up the External Load Balancer

By default, the template you deploy creates an external (Internet facing) Load Balancer that:

• Listens on TCP port 80 on the static public IP address of the External Load Balancer.

• Forwards the traffic it receives to the pool of Check Point CloudGuard Security Gateways on TCP port 8081.

• Uses TCP health probes on port 8117 to know the health of the Check Point CloudGuard Network Security Gateways.

Notes:

• You cannot use ports 80, 443, 444, 8082, 8117, and 8880 for forwarded traffic.

• In addition, you cannot use the ports defined in sk52421 (used by Check Point software), and 32768 – 65535 as defined in sk162619 (FWD daemon listening on multiple random high ports).

• Do not change the health probes.

• The Check Point VMSS Resource Group includes a Network Security Group (NSG). By default, the NSG allows all outbound and inbound traffic.

You can configure the Load Balancer to listen on more ports and/or on more public IP addresses. See Load balancing with Multiple front-ends.

For use cases, see these links:

• Configuring the Load Balancer to Listen on Additional Ports

• Configuring the Load Balancer to Listen on Additional Public IP Addresses

Step 12: Configure Inbound Protection

Note - If HTTPS Inspection is necessary, see Configuring HTTPS Inspection.

Step 13: Configure Outbound and East-West Protection

Configure UDR tables and NAT rules for Southbound-Northbound and East-West traffic protection. See the diagrams of the traffic flows.

You can configure the Check Point VMSS to examine Outbound and East-West traffic across internal subnets.

You can use this to examine and control traffic of different web clients such as

• Servers and containers that must have software and image updates from repositories located outside the Virtual Network.

• Virtual desktop environments that run in the Virtual Network and that access the Internet or each other.

• Servers that send traffic to each other.

To configure inspection of the traffic from servers in internal private subnets, you have to route traffic through the Check Point VMSS. Use the Check Point Internal Load Balancer as the Next hop in the private subnet UDR. The Internal Load Balancer then forwards all the traffic to one of the Check Point Security Gateways.

Note - The Internal Load Balancer deploys by default as part of the solution template and is automatically configured. It is configured to listen and forward all TCP or UDP traffic on HA Ports. The Internal Load Balancer gets an automatically assigned name backend-lb. Probes monitor the health of the Check Point VMSS on the TCP port 8117 from source IP address 168.63.129.16.

Configuring Protection for the VMSS VNET

Note - The Internal Load Balancer private IP address is static. To find it, browse into the Internal Load Balancer named backend-lb.

For more information, see User Defined Routes.

Configuring Protection for External VNETs

Limitations:

This section is only supported when:

• The template version is 20180711 or above.

• The applicable peered VNETs use private address spaces as defined in the RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

• Global VNET peering is not supported. See Azure requirements and constraints.

Do these steps below for inspection of traffic between a subnet in the peered VNET, and a subnet in the VMSS VNET, or a different peered VNET.

Use case:

Your hub-spoke network topology uses peered VNETs and you want the VMSS, as the hub, to examine the traffic.

Step 14: (Optional) Configure and Deploy the Remote Access VPN Client

This step is optional and is only required for Remote Access VPN configuration.

Download the Endpoint Security VPN standalone package, or the Endpoint Security Managed client package.

For information on the client deployment and distribution options:

• For a Standalone client, see the R81 Remote Access VPN Administration Guide > section Setting Up Remote Access Clients

• For the Endpoint Security Managed client, see the R80.40 Harmony Endpoint Security Server Administration Guide > section Deploying Endpoint Security Clients in this Guide.

• For more information, see the E80.72 and higher Remote Access Clients for Windows Administration Guide.

Notes:

• When you create the VPN site on the client, it is important to configure the site's DNS name in the Server address or name. This is for the client to resolve the IP list and do a load share on the resolved IP list.

• If Multi Region Remote Access VPN is used, it is required to configure a site's DNS name with a Traffic Manager Profile DNS name. The Traffic Manager Profile DNS name can be found in its Overview tab.

Best Practice - While the client moves between the site's Gateway (scale in and out events), we recommend to use the CAPI certificate for the user authentication method.