Workflow for Setting Up a High Availability Cluster in Alibaba Cloud Platform

Step 1: Deploy a Template in Alibaba Cloud

Deploy this solution through the Alibaba Cloud Portal using Terraform:

  • Check Point CloudGuard High Availability BYOL (Bring Your Own License)

How to run Terraform:

  • Each module has its own README file that explains how to run the module and where to configure the parameters.

  • Parameters are configured in the module's terraform.tfvars file.

  • Open the terraform.tfvars file and fill in all relevant input parameters.
    Some manual preparation in the Alibaba Cloud Console (VPC, vSwitches, SSH key, etc.) may be required first.

  • Open a command line in the module's directory and initialize the module. Run:
    terraform init

  • Review the Terraform execution plan:
    terraform plan

  • Execute the module deployment plan (this shows the plan again and prompts you to type 'yes' to continue with the execution). Run:
    terraform apply

Notes

  • The README file may have instructions to run a different apply command (e.g. in the Cluster TF).

  • To delete the deployed solution, run the command: terraform destroy

At least five minutes are needed for the deployment. After the deployment finishes, information such as the public IP addresses that were created and the network used for Primary Cluster Synchronization (used later in this guide) is displayed in the deployment terminal.

Components of the Check Point Solution

The CloudGuard Network Security deployed solution has these components:

Important - No other ECS instances can be deployed in the solution's vSwitch.

Notes about the templates

  • Use existing vSwitches, created in the same region and zone as the Cluster Members, before starting this deployment.

  • The Cluster Members each have a network interface in each of the vSwitches specified in this deployment. The IP ranges of those vSwitches must not overlap.

  • The Security Cluster manipulates the routing in the networks you defined as internal in this deployment. The result is that all outbound traffic goes through the Cluster Member that is currently active.

  • The template does not deploy any other ECS instances in the solution's frontend and backend subnets.

  • ECS instances that are launched in the backend vSwitches may require Internet access to do their final provisioning. Launch these ECS instances only after you have applied Hide NAT rules on the Cluster object to support this type of connectivity.

  • The Check Point First Time Configuration Wizard runs automatically after you have set up the Cluster object. The Cluster object is configured based on the applied parameters.

  • After the First Time Configuration Wizard completes, the ECS instances automatically reboot.

  • The member operating mode (A or B) is decided independently of the deployment and of the order in which the members were added to the Cluster. Instead, it is decided by the private IP addresses of their main network interface.

  • The Cluster's secondary address gives the member to which it is attached internet access while that member is in standby mode, so that it can still receive important updates. This address is not used in the Cluster configuration.

Step 2: Configure Cluster Objects in SmartConsole

To configure objects in SmartConsole:

  1. If the Security Management Server is deployed in Alibaba Cloud Platform and manages a Cluster Member in a different VPC, then modify the Security Management IP object in SmartConsole to be the public IP of the Management Server.
    Click Publish to apply the change.

  2. Click the Objects menu > New > More > Network Object > Gateways & Servers > Cluster > New Cluster.

  3. Select Classic Mode.

    The Check Point Installed Gateway Cluster classic window opens.

  4. Define the Cluster's general properties:

    In the Cluster Name field, enter a name for the Cluster object (for example, "Cluster_HA").

    In the IPv4 Address field, enter the Cluster IP address (VIP). You can find the Cluster IP address in the Alibaba Cloud Platform portal:

    1. Browse to the ECS page.

    2. Locate Member A under instances.

    3. Use the IP address property.

  5. Define the Cluster Members:

    1. In the Cluster's object left pane, click Cluster Members.

    2. Select Member A:

      1. Click Add New Cluster Member….

      2. In the Name field, enter the member's name (in our example: Member_A).

      3. In the IPv4 Address field, enter the IP address of the member's management interface (eth1).

        • If the Management Server connects to the Cluster Members over a private IP, enter the private IP of the interface.

        • If the Management Server connects to the Cluster Members over a public IP, enter the Elastic IP of the interface.

      4. Click Communication….

      5. Enter the one-time activation key used in the Terraform template.

      6. Click Initialize.

    3. Select Member B:

      1. Click Add New Cluster Member….

      2. In the Name field, enter the member's name (in our example: Member_B).

      3. In the IPv4 Address field, enter the IP address of the member's external interface (eth1).

        • If the Management Server connects to the Cluster Members over a private IP, enter the private IP of the interface.

        • If the Management Server connects to the Cluster Members over a public IP, enter the Elastic IP of the interface.

      4. Click Communication….

      5. Enter the one-time activation key used in the Terraform template.

      6. Click Initialize.

  6. Get the Cluster's Topology:

    1. In the Cluster's object left pane, click Network Management.

    2. Click Get Interfaces > Get Interfaces With Topology.

    3. Click eth0. In the Network Type field, select Private.

    4. In the Network eth0 window, click Topology and disable Anti-Spoofing.

    5. Click eth1. In the Network Type field, select Sync.

    6. In the Network eth1 window, click Topology and disable Anti-Spoofing.

    7. Click eth2. In the Network Type field, select Private.

    8. In the Network eth2 window, click Topology and disable Anti-Spoofing.

  7. The IPsec VPN blade is automatically enabled. To use the VPN blade, see Step 7: Configure VPN. Otherwise, disable the VPN blade.

  8. Verify the settings:

    1. To close the window, click OK.

    2. Install policy on the Cluster.

A few minutes after the applicable Access Control Policy is installed, these changes occur automatically in Alibaba Cloud Platform:

  • In each internal vSwitch, an Alibaba Cloud Platform route sends all outbound traffic (0.0.0.0/0) to the Active member.

Notes -

  • For the failover process to function, each Cluster Member initiates outbound HTTP and HTTPS traffic which is allowed by the gateway's implied rules. Do not override these implied rules.

  • By default, every Check Point Security Gateway and Security Management Server's WebUI is accessible from the internet by browsing to Restricting access to the WebUI is possible by configuring a Security Group Rule, or by configuring the Check Point Gateway and Management Server settings.

  • When you delete the Standby member from SmartConsole, you must also delete it from the Alibaba Cloud portal. The termination is required to release the secondary public IP addresses.

Step 3: Set Up Routes on Cluster to the Internal vSwitches

To set up routes on each Cluster Member to the internal vSwitches:

  1. Connect over SSH to each Member.

  2. Log in to Gaia Clish or Expert mode.

  3. Add this route:

    • In Gaia Clish, run these two commands:

      set static-route <VPC-IP-address/Prefix> nexthop gateway address <eth2-router-IP-address> on

      save config

    • In Expert mode, run this command:

      clish -c 'set static-route <VPC-IP-address/Prefix> nexthop gateway address <eth2-router-IP-address> on' -s

    Example:

    set static-route 10.0.0.0/16 nexthop gateway address 10.0.2.253 on

Parameters:

  Parameter                   Description
  -------------------------   ---------------------------------------------------------------------------
  <VPC-IP-address/Prefix>     Specifies the prefix of the entire VPC. Example: 10.0.0.0/16
  <eth2-router-IP-address>    Specifies the unicast IP address on the subnet to which eth2 is connected. Example: 10.0.2.253

Note - If the VPC comprises several non-contiguous address prefixes, repeat the command for each prefix.
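The route commands above, applied for a VPC with one or more address prefixes, as an added shell script that is not part of the Check Point guide: it validates the next hop and every prefix before touching clish, and the DRY_RUN switch is an assumption that prints the commands instead of applying them.

```shell
#!/bin/bash
# Added example, not from the Check Point guide: apply the Step 3 static route from
# Expert mode for every VPC prefix, covering VPCs with several non-contiguous blocks.
# Assumes clish is on PATH (true on a Gaia member); DRY_RUN=1 prints instead of runs.

# Accept only a dotted-quad IPv4 address with four octets in 0-255.
valid_ipv4() {
  case "$1" in *[!0-9.]*|''|.*|*.|*..*) return 1 ;; esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Accept only <IPv4>/<0-32>.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  len=${1#*/}
  case "$len" in *[!0-9]*|'') return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  valid_ipv4 "${1%/*}"
}

# Print the Gaia Clish command for one prefix ($1) via the eth2 router ($2).
route_cmd() {
  printf 'set static-route %s nexthop gateway address %s on\n' "$1" "$2"
}

# $1 = eth2 router IP, remaining arguments = VPC prefixes. Everything is validated
# before anything runs, so a typo cannot leave a half-applied routing table.
apply_vpc_routes() {
  nexthop=$1; shift
  valid_ipv4 "$nexthop" || { echo "bad next hop: $nexthop" >&2; return 1; }
  [ $# -gt 0 ] || { echo "no VPC prefixes given" >&2; return 1; }
  for p in "$@"; do valid_cidr "$p" || { echo "bad prefix: $p" >&2; return 1; }; done
  for p in "$@"; do
    cmd=$(route_cmd "$p" "$nexthop")
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "$cmd"
    else
      clish -c "$cmd" -s || return 1   # -s saves the configuration
    fi
  done
}

# Entry point: ./add_vpc_routes.sh <eth2-router-IP> <prefix> [<prefix> ...]
if [ $# -gt 0 ]; then
  apply_vpc_routes "$@"
fi
```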

Step 4: Enable Outbound Traffic

  1. Enable outbound traffic:

    1. From SmartConsole, connect to the Security Management Server.

    2. Find the Security Cluster object in the Gateways & Servers tab.

    3. Select the NAT tab.

    4. Check the Hide internal networks behind the Gateway's external IP check box.

    5. Click OK.

    6. Install policy.

    Note - NAT does not support connection synchronization during failover. If you configure the Cluster to always hide the internal networks (by selecting to automatically add address translation rules instead of the option described above), this also prevents connection synchronization in additional use cases, such as East-West traffic between internal VPCs.

  2. Add a custom route table for the new vSwitch you created:

    1. Go to Alibaba Cloud ECS console, Route tables > Create Route Table.

    2. Select the VPC of the relevant vSwitch.

    3. Enter a name and click OK.

    4. Select the route table you created > Custom route > Add Route Entry.

    5. Set Destination CIDR to 0.0.0.0/0.

    6. Set the next hop to ENI > select your Gateway's internal interface (eth1).

    7. Go to Associated vSwitch tab > click Associated vSwitch > Select your peer vSwitch.

    8. Click OK.
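The route table, default route and vSwitch association from the steps above, created with the Alibaba Cloud CLI (aliyun) instead of the console, as an added example that is not from the guide; REGION, VPC_ID, BACKEND_VSWITCH_ID, GW_INTERNAL_ENI_ID and the DRY_RUN switch are assumed placeholders.

```shell
#!/bin/bash
# Added example, not from the Check Point guide: the route-table part of Step 4 done with
# the Alibaba Cloud CLI (aliyun) rather than the console. REGION, VPC_ID, BACKEND_VSWITCH_ID
# and GW_INTERNAL_ENI_ID (the gateway's internal interface, eth1) are placeholders you must
# set. DRY_RUN=1 prints the API calls; otherwise aliyun and jq must be installed and configured.

REGION=${REGION:-cn-PLACEHOLDER}
VPC_ID=${VPC_ID:-vpc-PLACEHOLDER}
BACKEND_VSWITCH_ID=${BACKEND_VSWITCH_ID:-vsw-PLACEHOLDER}
GW_INTERNAL_ENI_ID=${GW_INTERNAL_ENI_ID:-eni-PLACEHOLDER}

# Run one aliyun API call, or print it when DRY_RUN=1.
call() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "aliyun $*"; else aliyun "$@"; fi
}

# Create the custom route table in the vSwitch's VPC ($1 = route table name).
create_route_table() {
  call vpc CreateRouteTable --RegionId "$REGION" --VpcId "$VPC_ID" --RouteTableName "$1"
}

# Point 0.0.0.0/0 of route table $1 at the gateway's ENI. Next hop type NetworkInterface
# is the API form of the console's "ENI" choice; the Active member then inspects all egress.
add_default_route_via_gateway() {
  case "$GW_INTERNAL_ENI_ID" in eni-*) ;; *) echo "not an ENI id: $GW_INTERNAL_ENI_ID" >&2; return 1 ;; esac
  call vpc CreateRouteEntry --RegionId "$REGION" --RouteTableId "$1" \
       --DestinationCidrBlock 0.0.0.0/0 --NextHopType NetworkInterface \
       --NextHopId "$GW_INTERNAL_ENI_ID"
}

# Associate route table $1 with the backend vSwitch so its instances use it.
associate_backend_vswitch() {
  call vpc AssociateRouteTable --RegionId "$REGION" --RouteTableId "$1" \
       --VSwitchId "$BACKEND_VSWITCH_ID"
}

# Full sequence; the real CreateRouteTable response is JSON with a RouteTableId field.
setup_backend_route_table() {
  out=$(create_route_table "$1") || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$out"; rt=vtb-PLACEHOLDER
  else rt=$(printf '%s' "$out" | jq -r .RouteTableId) || return 1; fi
  add_default_route_via_gateway "$rt" && associate_backend_vswitch "$rt"
}

# Entry point: ./backend_route_table.sh --apply [route-table-name]
if [ "${1:-}" = "--apply" ]; then
  setup_backend_route_table "${2:-cloudguard-backend-rt}"
fi
```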

Step 5: Create Object LocalGatewayExternal

In SmartConsole, create the Dynamic object called LocalGatewayExternal.

This object represents the Cluster Members' private IP addresses.

  1. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

    Enter this exact name (case-sensitive, no spaces):

    LocalGatewayExternal

  2. Click OK.

  3. Publish the SmartConsole session.

Note - This Dynamic object step is used in Step 7: Configure VPN.

Step 6: Configure Inbound Protection

Overview

  • You need to configure Access Control and NAT rules for North-South inbound traffic.

  • You can configure the Cluster's External IP to listen on TCP port 443 and forward this traffic to the Active Cluster Member. The Active Cluster Member then inspects the traffic and forwards it to the Application server on TCP port 8084.

  • The Active Cluster Member uses NAT to forward traffic that belongs to the two web applications to the appropriate web server.

  • NAT rules are defined with the special Dynamic Object.

  • The Dynamic object LocalGatewayExternal represents the private IP addresses of the external interface of Member 1 and Member 2.

For more information, see Step 5: Create Object LocalGatewayExternal.

To configure Inbound Protection:

  1. Connect with SmartConsole to your Security Management Server.

  2. Create a host object to represent the specific host that you want to access through the Internet.

  3. Create a new TCP service.

    Do these steps for each internal port, such as port 8081:

    1. Click the Objects menu > More object types > Service > New TCP.

    2. Enter a descriptive name. For example: http-8081

    3. In the Protocol field, select the applicable protocol (such as HTTP or HTTPS).

    4. In the Port field, select Customize and enter the port number. For example: 8081

    5. Click OK.

Configure Access Control and NAT rules for North-South inbound traffic. Create a NAT rule with these values:

  NAT Rule                 Value
  ----------------------   ---------------------------------------------------------------------------------------
  Rule No                  1
  Original Source          All_Internet (do not use *Any)
  Original Destination     LocalGatewayExternal
  Original Services        The service object that represents the internal port
  Translated Source        Original
  Translated Destination   The Host object that represents your web server
  Translated Services      The service object that represents the port on which the Active member listens (for example, HTTP)
  Install On               *Policy Targets

About this NAT rule:

  • Matches any traffic that arrives at the CloudGuard Security Gateway on the applicable internal port.

  • Translates the destination IP address to the IP address of the Web Servers.
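Steps 5 and 6 together, driven by the Check Point Management API CLI (mgmt_cli) instead of SmartConsole, as an added example that is not from the guide; the package name Standard, the host web-server-1 at 10.0.3.10, port 8081 and the DRY_RUN switch are assumed sample values.

```shell
#!/bin/bash
# Added example, not from the Check Point guide: Step 5 (Dynamic Object) and Step 6
# (host, TCP service, inbound NAT rule) done with the Management API CLI, mgmt_cli,
# on the Security Management Server instead of SmartConsole. The package name
# "Standard", host "web-server-1" at 10.0.3.10 and port 8081 are constructed sample
# values. DRY_RUN=1 prints the mgmt_cli calls instead of running them.

SESSION_FILE=${SESSION_FILE:-/tmp/mgmt-session.txt}

# Run one mgmt_cli command within the saved session, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "mgmt_cli $*"; else mgmt_cli "$@" -s "$SESSION_FILE"; fi
}

# Step 5: the name must be exactly LocalGatewayExternal (case-sensitive, no spaces).
create_dynamic_object() {
  run add dynamic-object name LocalGatewayExternal
}

# Step 6: $1 = host object name, $2 = host IP, $3 = internal port, $4 = policy package.
create_inbound_nat() {
  host=$1; ip=$2; port=$3; pkg=$4
  case "$port" in *[!0-9]*|'') echo "invalid port: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
  run add host name "$host" ip-address "$ip" || return 1
  run add service-tcp name "http-$port" port "$port" || return 1
  # Original source is All_Internet, not Any. Translated source is omitted, which leaves
  # it at Original, and install-on is omitted, which leaves it at Policy Targets.
  run add nat-rule package "$pkg" position top \
      original-source All_Internet \
      original-destination LocalGatewayExternal \
      original-service "http-$port" \
      translated-destination "$host" \
      translated-service http
}

# Publish so the new objects and rule become visible to other sessions and to policy install.
publish_changes() {
  run publish
}

# Full sequence when run as ./inbound_nat.sh --apply (root login on the Management Server).
if [ "${1:-}" = "--apply" ]; then
  [ "${DRY_RUN:-0}" = 1 ] || mgmt_cli login -r true > "$SESSION_FILE" || exit 1
  create_dynamic_object && create_inbound_nat web-server-1 10.0.3.10 8081 Standard \
    && publish_changes
  [ "${DRY_RUN:-0}" = 1 ] || mgmt_cli logout -s "$SESSION_FILE"
fi
```

Install the Access Control Policy on the Cluster afterwards, as in the GUI procedure, for the rule to take effect.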

Step 7: Configure VPN

For more information, see the R81 Quantum Security Management Administration Guide.

To configure a VPN:

  1. Create a Network Group object to represent the encryption domain of the Cluster:

    1. In SmartConsole, click the Objects menu > Object Explorer.

    2. From the top toolbar, select New > Network Group.

    3. In the Enter Object Name field, enter the desired name.

    4. Click the + icon and select the applicable network objects.

    5. Click OK.

    6. Close the Object Explorer.

  2. Edit the Cluster object:

    1. In SmartConsole, from the left navigation panel, click Gateways & Servers.

    2. Double-click the Cluster object.
      The Gateway Cluster Properties window opens.

  3. Define your Network Group as the encryption domain of the Cluster object:

    1. In SmartConsole, from the left navigation panel, click Gateways & Servers.

    2. Double-click the Cluster object.
      The Gateway Cluster Properties window opens.

    3. In the Cluster object left tree, click Network Management > VPN Domain.

    4. Select Manually defined.

    5. In the right corner of this field, click the [...] button and select the Network Group object created in Step 1.

  4. Configure the VPN community:

    1. In the Cluster object left tree, click IPsec VPN.

    2. In the section This Security Gateway participates in the following VPN Communities, select the applicable VPN community.

  5. Configure Geo mode:

    1. Go to ClusterXL and VRRP > enable Use Geo mode in a cloud.

    2. Click OK to close the Gateway Cluster Properties window and save the changes.

  6. Configure the VPN Community to use Permanent Tunnels:

    1. In SmartConsole, click the Objects menu > Object Explorer.

    2. In the left tree, clear all boxes except for VPN Communities.

    3. Double-click the VPN community, in which this Cluster object participates.
      The VPN Community window opens.

    4. In the left tree, click Tunnel Management.

    5. Select Set Permanent Tunnels.

    6. Select the applicable option.

    7. To close the VPN Community properties window, click OK.

    8. Close the Object Explorer.

  7. Install the applicable Access Control Policy on the Cluster object.