Workflow for Setting Up a High Availability Cluster in Alibaba Cloud Platform

Step 1: Deploy with a Terraform template in Alibaba Cloud

Deploy this solution in the Alibaba Cloud Portal using Terraform.

Deploy the Cloud Firewall Gateway Cluster in Alibaba Cloud

Use this Terraform Template: Check Point Cloud Firewall Gateway.

Deploy the Check Point Security Management Server

Use one of the options below to deploy the Check Point Security Management Server.

  1. Use the existing on-premises Security Management Server, or an existing Security Management Server in Alibaba Cloud Platform.

    If the Security Management Server communicates with the Cloud Firewall Gateway over private IP addresses, make sure that the Security Management Server has connectivity to the Security VPC in which the Cluster Members are deployed.

  2. Deploy a new Security Management Server with this Terraform template: Check Point Security Management Server.

Note - For direct access to the Cloud Firewall Gateway, deploy the Security Management Server in the same Security VPC where you deployed the Cloud Firewall Gateway Cluster.

To configure the Check Point Security Management Server, follow the steps in Security Management Administration Guide of your version.

At least five minutes are needed for the deployment. After the deployment is finished, information is displayed in the deployment terminal, such as the public IP addresses created and the network used for Primary Cluster Synchronization used later in this guide.

Important - No other ECS instances can be deployed in the solution's vSwitch.

Notes about the templates:

  • The template uses existing vSwitches. Create them in the same region and Zone as the Cluster Members before starting this deployment.

  • The Cluster Members each have a network interface in each of the vSwitches specified in this deployment. The IP ranges of those vSwitches must not overlap.

  • The Security Cluster manipulates the routing in the networks you defined as internal in this deployment. The result is that all outbound traffic goes through the Cluster Member that is currently active.

  • The template does not deploy any other ECS instances in the solution's frontend and backend subnets.

  • ECS instances that are launched in the backend vSwitches may require Internet access to complete their provisioning. Launch these ECS instances only after you have applied Hide NAT rules on the Cluster object to support this type of connectivity.

  • The Check Point First Time Configuration Wizard runs automatically after you have set up the Cluster object. The Cluster object is configured based on the applied parameters.

  • After the First Time Configuration Wizard completes, the ECS instances automatically reboot.

  • The member operating mode (A or B) is decided independently of the deployment or the order in which the members were added to the Cluster. Instead, it is decided by the private IP addresses of their main network interface.

  • The Cluster's secondary address is used for internet access to the member to which it is attached, while it is in standby mode, so that it will be able to receive important updates. The address is not used in the configuration of the Cluster.
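The notes above impose three checks on the vSwitch layout before the template is run: the vSwitches must be in the Cluster Members' Zone, their IP ranges must not overlap, and each member needs an interface in every vSwitch. The following Python script, added here as an illustration and not part of the template or Check Point's tooling, validates a planned layout offline; the vSwitch names, Zone and CIDR ranges in it are constructed sample values.

```python
import ipaddress

# Constructed sample plan (names, zone and CIDRs are illustrative, not values from the template).
PLANNED_VSWITCHES = [
    {"name": "frontend", "zone": "cn-hangzhou-h", "cidr": "10.0.1.0/24"},
    {"name": "sync", "zone": "cn-hangzhou-h", "cidr": "10.0.2.0/24"},
    {"name": "backend", "zone": "cn-hangzhou-h", "cidr": "10.0.3.0/24"},
]

# Constructed member interface plan: one interface address in each vSwitch per member.
PLANNED_MEMBERS = {
    "Member_A": ["10.0.1.10", "10.0.2.10", "10.0.3.10"],
    "Member_B": ["10.0.1.11", "10.0.2.11", "10.0.3.11"],
}


def find_overlaps(vswitches):
    """Return (name_a, name_b) pairs whose CIDR ranges overlap."""
    nets = [(v["name"], ipaddress.ip_network(v["cidr"], strict=True)) for v in vswitches]
    overlaps = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                overlaps.append((name_a, name_b))
    return overlaps


def find_zone_mismatches(vswitches, cluster_zone):
    """Return names of vSwitches that are not in the Cluster Members' Zone."""
    return [v["name"] for v in vswitches if v["zone"] != cluster_zone]


def find_interface_gaps(vswitches, members):
    """Return (member, vswitch) pairs where the member has no address inside that vSwitch."""
    gaps = []
    for member, addrs in members.items():
        ips = [ipaddress.ip_address(a) for a in addrs]
        for v in vswitches:
            net = ipaddress.ip_network(v["cidr"], strict=True)
            if not any(ip in net for ip in ips):
                gaps.append((member, v["name"]))
    return gaps


def validate_plan(vswitches, members, cluster_zone):
    """Collect every problem the deployment notes warn about; an empty list means the plan is clean."""
    problems = []
    for a, b in find_overlaps(vswitches):
        problems.append(f"vSwitch {a} overlaps vSwitch {b}")
    for name in find_zone_mismatches(vswitches, cluster_zone):
        problems.append(f"vSwitch {name} is outside Cluster zone {cluster_zone}")
    for member, name in find_interface_gaps(vswitches, members):
        problems.append(f"{member} has no interface in vSwitch {name}")
    return problems


if __name__ == "__main__":
    for line in validate_plan(PLANNED_VSWITCHES, PLANNED_MEMBERS, "cn-hangzhou-h") or ["plan is clean"]:
        print(line)
```

Run it against the planned values before applying the template; every line it prints corresponds to one of the notes above and should be fixed in the plan rather than after deployment.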

Step 2: Configure Cluster Objects in SmartConsole

To configure objects in SmartConsole:

  1. If the Security Management Server is deployed in Alibaba Cloud Platform and manages a Cluster Member in a different VPC, then modify the Security Management Server object in SmartConsole to have the public IP address.

    Click Publish to apply the change.

  2. Click the Objects menu > New > More > Network Object > Gateways & Servers > Cluster > New Cluster.

  3. Select Classic Mode.

    The Check Point Installed Gateway Cluster classic window opens.

  4. Define the Cluster's general properties:

    In the Cluster Name field, enter a name for the Cluster object (for example, Cluster_HA).

    In the IPv4 Address field, enter the Cluster IP address (VIP). You can find the Cluster IP address in the Alibaba Cloud Platform portal:

    1. Browse to the ECS page.

    2. Locate Member A under instances.

    3. Use the IP address property.

  5. Define the Cluster Members:

    1. In the Cluster's object left pane, click Cluster Members.

    2. Member A:

      1. Click Add > New Cluster Member.

      2. In the Name field, enter the member's name (in our example: Member_A).

      3. In the IPv4 Address field, enter the member's IP address of its management interface (eth1).

        • If the management connects to the Cluster Members over a private IP address, enter the private IP of the interface.

        • If the management connects to the Cluster Members over a public IP address, enter the Elastic IP address of the interface.

      4. Click Communication.

      5. Enter the one-time activation key used in the Terraform Template.

      6. Click Initialize.

    3. Member B:

      1. Click Add > New Cluster Member.

      2. In the Name field, enter a member's name (in our example: Member_B).

      3. In the IPv4 Address field, enter the member's IP address of its external interface (eth1).

        • If the management connects to the Cluster Members over a private IP address, enter the private IP of the interface.

        • If the management connects to the Cluster Members over a public IP address, enter the Elastic IP address of the interface.

      4. Click Communication.

      5. Enter the one-time activation key used in the Terraform Template.

      6. Click Initialize.

  6. Get the Cluster's Topology:

    1. In the Cluster's object left pane, click Network Management.

    2. Click Get Interfaces > Get Interfaces With Topology.

    3. Click eth0, in the Network Type select Private.

    4. From the Network eth0 window, click Topology and disable Anti-Spoofing.

    5. Click eth1, in the Network Type select Sync.

    6. From the Network eth1 window, click Topology and disable Anti-Spoofing.

    7. Click eth2, in the Network Type select Private.

    8. From the Network eth2 window, click Topology and disable Anti-Spoofing.

  7. The IPsec VPN blade is automatically enabled. To use the VPN blade, see Step 7: Configure VPN. Otherwise, disable the VPN blade.

  8. Verify the settings:

    1. To close the window, click OK.

    2. Install policy on the Cluster.

A few minutes after the applicable Access Control Policy is installed, these changes occur automatically in Alibaba Cloud Platform:

  • In each internal vSwitch, an Alibaba Cloud Platform Route routes all outbound traffic (0.0.0.0/0) to the Active member.


Step 3: Enable Outbound Traffic

To enable outbound traffic:

  1. From SmartConsole, connect to the Security Management Server.

  2. Find the Security Cluster object in the Gateways & Servers tab.

  3. Select the NAT tab.

  4. Check the Hide internal networks behind the Gateway's external IP check box.

  5. Click OK.

  6. Install policy.

Note - NAT does not support Connection synchronization during failover. If you configure the Cluster to always hide the internal networks (by selecting to automatically add address translation rules - instead of the option described above) this prevents connection synchronization in additional use cases, such as East-West traffic between internal VPCs.

Step 5: Create Object LocalGatewayExternal

In SmartConsole, create the Dynamic object called LocalGatewayExternal.

This object represents the private Cluster Member's IP addresses.

  1. Click Objects menu > More object types > Network Object > Dynamic Object > New Dynamic Object.

    Enter this exact name (case-sensitive, no spaces):

    LocalGatewayExternal

  2. Click OK.

  3. Publish the SmartConsole session.

Note - This Dynamic object step is used in Step 7: Configure VPN

Step 6: Configure Inbound Protection

Overview

  • You need to configure Access Control and NAT rules for North-South inbound traffic.

  • You can configure the Cluster's External IP to listen on TCP port 443 and forward this traffic to the Active Cluster Member. The Active Cluster Member then inspects the traffic and forwards it to the Application server on TCP port 8084.

  • The Active Cluster Member uses NAT to forward traffic that belongs to the two web applications, to the appropriate web server.

  • NAT rules are defined with the special Dynamic Object.

  • The Dynamic object LocalGatewayExternal represents the private IP addresses of the external interface of Member 1 and Member 2.

For more information, see Step 5: Create Object LocalGatewayExternal.

To configure Inbound Protection:

  1. Connect with SmartConsole to your Security Management Server.

  2. Create a host object to represent the specific host that you want to access through the Internet.

  3. Create a new TCP service.

    Do these steps for each internal port, such as port 8081:

    1. Click the Objects menu > More object types > Service > New TCP.

    2. Enter a descriptive name. For example: http-8081

    3. In the Protocol field, select the applicable protocol (such as HTTP or HTTPS).

    4. In the Port field, select Customize and enter the port number. For example: 8081

    5. Click OK.

Configure Access Control and NAT rules for North-South inbound traffic by using the following NAT rules:

Create a NAT rule with these values.

NAT Rule                Value
Rule No                 1
Original Source         All_Internet (do not use *Any)
Original Destination    LocalGatewayExternal
Original Services       The service object that represents the internal port
Translated Source       Original
Translated Destination  The Host object that represents your web server
Translated Services     The service object that represents the port on which the Active member listens (for example, HTTP)
Install On              *Policy Targets

About this NAT rule:

  • Matches any traffic that arrives at the Cloud Firewall Gateway on the applicable internal port.

  • Translates the destination IP address to the IP address of the Web Servers.
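To make the rule's matching and translation behaviour concrete, here is an added Python simulation of the inbound NAT rule from the table above, together with a lint check for the values the table requires. It is an illustration written for this page, not Check Point code and not how the Security Gateway implements NAT internally; the member addresses, web server address and port numbers are constructed sample values, and the Dynamic object is modelled as the set of both members' private external interface addresses, as the overview describes.

```python
from dataclasses import dataclass, replace

# Constructed values for this example; none come from a real deployment.
MEMBER_EXTERNAL_IPS = {"Member_A": "10.0.1.10", "Member_B": "10.0.1.11"}  # private external interface IPs
WEB_SERVER_HOST = "10.0.3.20"   # the Host object that represents the web server
INTERNAL_PORT = 8081            # service object http-8081 (Original Services)
LISTEN_PORT = 80                # service object HTTP (Translated Services)

# The rule as it appears in the table, one key per column.
NAT_RULE = {
    "Original Source": "All_Internet",
    "Original Destination": "LocalGatewayExternal",
    "Original Services": INTERNAL_PORT,
    "Translated Source": "Original",
    "Translated Destination": WEB_SERVER_HOST,
    "Translated Services": LISTEN_PORT,
    "Install On": "*Policy Targets",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def lint_nat_rule(rule):
    """Flag departures from the values the table requires; an empty list means the rule is as documented."""
    problems = []
    if rule.get("Original Source") != "All_Internet":
        problems.append("Original Source must be All_Internet, not *Any")
    if rule.get("Original Destination") != "LocalGatewayExternal":
        problems.append("Original Destination must be the Dynamic object LocalGatewayExternal")
    if rule.get("Translated Source") != "Original":
        problems.append("Translated Source must stay Original (destination NAT only)")
    return problems


def resolve_dynamic_object(name, member_external_ips):
    """Model LocalGatewayExternal as the private external interface addresses of both members."""
    if name != "LocalGatewayExternal":
        raise KeyError(name)
    return set(member_external_ips.values())


def apply_nat_rule(pkt, rule, member_external_ips):
    """Return the translated packet if the rule matches, otherwise the packet unchanged.

    Matching: destination is one of the Dynamic object's addresses and the port is the
    internal port. Translation: destination becomes the web server, service becomes the
    listening port, source stays as it was (Translated Source = Original).
    """
    targets = resolve_dynamic_object(rule["Original Destination"], member_external_ips)
    if pkt.dst in targets and pkt.dport == rule["Original Services"]:
        return replace(pkt, dst=rule["Translated Destination"], dport=rule["Translated Services"])
    return pkt


if __name__ == "__main__":
    print(lint_nat_rule(NAT_RULE) or "rule matches the table")
    # Constructed inbound packet from an Internet client to Member_A's external address.
    print(apply_nat_rule(Packet("203.0.113.7", "10.0.1.10", INTERNAL_PORT), NAT_RULE, MEMBER_EXTERNAL_IPS))
```

Because the rule is keyed on the Dynamic object rather than on one member's address, the same rule continues to match after a failover, which is the reason the table uses LocalGatewayExternal instead of a Host object for a single member.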

Step 7: Configure VPN