Network

This section describes a reference architecture of a Check Point Security Gateway protecting assets in an Alibaba Cloud Platform.

Network Diagram

Follow this network diagram to configure your system. Make sure to replace the IP addresses in the sample environment with the IP addresses in your environment.

The end-to-end solution includes:

  • Security VPC with the CloudGuard Network Gateway.

The template can deploy the Gateway into an existing VPC, or create a new VPC and deploy the Gateway into it.

Routing Table for Web vSwitch:

  Destination      Next Hop    Type
  10.0.4.0/24      -           System
  10.0.2.0/24      -           System
  100.64.0.0/10    -           System
  0.0.0.0/0        Eth1        Custom

Routing Table for App vSwitch:

  Destination      Next Hop    Type
  10.0.3.0/24      -           System
  10.0.2.0/24      -           System
  100.64.0.0/10    -           System
  0.0.0.0/0        Eth1        Custom

Diagram Components

The diagram shows:

  • VPC in Alibaba Cloud that is divided into four vSwitches (subnets)

    • Frontend

    • Backend

    • Web

    • App

In the diagram:

  • The Security Gateway protects two vSwitches: Web and App.

The vSwitches have:

  • Web servers (vSwitch1)

  • Application server (vSwitch2)

Traffic Flows

Inbound Traffic

  • Traffic travels from an external source to the Security Gateway.

  • The Security Gateway inspects the traffic and forwards it to the destination.

Outbound Traffic

  1. Traffic travels from an internal source to the Security Gateway, as directed by the custom route table.

  2. The Security Gateway inspects the traffic and forwards it to the destination.

East-West Traffic

  1. Traffic travels from one of the internal sources to the Security Gateway.

  2. The Security Gateway forwards the traffic to the destination.

Intra-Subnet Traffic

Traffic between hosts in the same subnet stays within that subnet and the Security VPC and is not inspected by the Security Gateway.
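As an added example (not Check Point's or Alibaba Cloud's code), the following walks the two routing tables above through longest-prefix matching: it shows which destinations each vSwitch hands to the gateway on Eth1 for inspection, which system routes bypass it, and includes a check that the custom default route is still in place. The route entries are transcribed from the tables on this page; the sample destination addresses are constructed.

```python
import ipaddress

# Route tables transcribed from this page (constructed data, not read from an
# Alibaba Cloud API). Next hop "-" is a VPC system route that delivers the
# packet directly; "Eth1" is the Security Gateway's interface.
WEB_VSWITCH_ROUTES = [
    ("10.0.4.0/24", "-", "System"),
    ("10.0.2.0/24", "-", "System"),
    ("100.64.0.0/10", "-", "System"),
    ("0.0.0.0/0", "Eth1", "Custom"),
]
APP_VSWITCH_ROUTES = [
    ("10.0.3.0/24", "-", "System"),
    ("10.0.2.0/24", "-", "System"),
    ("100.64.0.0/10", "-", "System"),
    ("0.0.0.0/0", "Eth1", "Custom"),
]


def lookup(routes, dst):
    """Longest-prefix match: the route a VPC table selects for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, next_hop, kind in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, kind)
    return best


def inspected(routes, dst):
    """True when the selected route hands the packet to the gateway (Eth1)."""
    route = lookup(routes, dst)
    return route is not None and route[1] == "Eth1"


def bypass_prefixes(routes):
    """Prefixes the gateway never sees: every route not pointing at Eth1."""
    return [cidr for cidr, next_hop, _ in routes if next_hop != "Eth1"]


def default_route_ok(routes):
    """Audit check: 0.0.0.0/0 must be a Custom route via Eth1. If it is
    missing or repointed, outbound and east-west traffic skips inspection."""
    return any(cidr == "0.0.0.0/0" and nh == "Eth1" and kind == "Custom"
               for cidr, nh, kind in routes)


if __name__ == "__main__":
    for dst in ("10.0.3.10", "10.0.4.10", "203.0.113.5", "100.64.1.1"):
        print("Web vSwitch ->", dst, inspected(WEB_VSWITCH_ROUTES, dst))
    print("Web bypass prefixes:", bypass_prefixes(WEB_VSWITCH_ROUTES))
```

Running the script shows that from the Web vSwitch a destination in the other vSwitch's range is sent to Eth1 (the east-west flow above), while destinations covered by a system route never reach the gateway.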

In addition, Security Gateway provides these services:

  • Performs Network Address Translation (NAT) to hide outgoing connections behind the Security Gateway's address.

  • Provides site-to-site VPN connectivity to on-premises networks.

  • Provides Remote Access VPN services to roaming users.

A public address is directly associated with the Security Gateway's external interface. This address can be used to manage the Security Gateway, as well as for the Web applications, site-to-site VPN and Remote Access VPN.