Workflow for Setting Up a Security Gateway in Alibaba Cloud

Step 1: Preparing Your Alibaba Account

To prepare your Alibaba Cloud account, do the following:

1. If you do not already have an Alibaba Cloud account, create one at Alibaba Cloud Platform.

2. Navigate to ECS console using the menu bar.

3. In Network & Security, click SSH Key Pairs.

4. Use the region selector in the navigation bar to choose the Alibaba Cloud region, where you want to deploy Check Point CloudGuard Network Security Gateway.

5. Create a key pair in your preferred region.

6. If necessary, request a service limit increase for the Alibaba Cloud resources you are going to use.

   You may have to do this, if you have an existing deployment that uses the Alibaba Cloud resources below, and you may exceed the default limit with this deployment.

   The resources that may need a service limit increase are:

   • Number of On-demand ECS instances.

   • Number of Elastic IP addresses.

   • Number of VPCs for each region.

   • Number of VPN connections for each region.

   • VPN connections for each VPC.

By default, this Deployment guide uses ec5.xlarge for the Security Gateways and ecs.hfg6.xlarge for the Security Management Server.

Step 2: Deploy with a Terraform template in Alibaba Cloud

How to run Terraform:

Notes - Each module has its own README file that explains how to run the module and where to configure the parameters Parameters are configured in the modules terraform.tfvars file

1. Open the terraform.tfvars file and fill all relevant input parameters.
   You may need to prepare some manual preparation in the Alibaba Cloud Console (VPC, vSwitches, SSH key etc.).

2. Open command line in the module's directory and Initialize the module. Run:

   terraform init

3. See the terraform plan to be executed:

   terraform plan

4. Apply - Execute the module deployment plan (shows the plan again and prompts the user to type 'yes' to continue with execution). Run:

   terraform apply

   Note - In the Readme there may be instructions to run a different apply command (e.g. in the gateway-master TF).

5. Destroy your module deployment (Delete environment):

   terraform destroy

Step 3: Deploy the CloudGuard Network Security Gateway in Alibaba Cloud:

Terraform Template	Description	Link
Security Gateway into a new VPC	The template deploys: Check Point CloudGuard Network Security Gateway into a new VPC with public and private vSwitches	CloudGuard Network Security Gateway for Alibaba cloud into a new VPC
Security Gateway into an existing VPC	The template deploys: Check Point CloudGuard Network Security Gateway into an existing VPC with public and private vSwitches	CloudGuard Network Security Gateway for Alibaba cloud into an existing VPC

Step 4: Deploying the Check Point Security Management Server

Use one of the options below to deploy the Check Point Security Management Server.

1. Use the existing on-premises Security Management Server, or existing Security Management Server in Alibaba Cloud Platform.

   If the Security Management Server is communicating over a private IP addresses with the CloudGuard Network Security Gateway, then make sure that the Security Management Server has connection to the Security VPC where they are deployed.

2. Deploy a new Security Management Server with the Management Terraform template.

Terraform Template	Description	Link
Security Management into a new VPC	The template deploys: Check Point CloudGuard Network Security Management into a new VPC with public VSwitch	Creates a new VPC and deploys a Management Gateway into it.
Security Management into an existing VPC	The template deploys: Check Point CloudGuard Network Security Management into an existing VPC with public and vSwitches	Deploys a Security Management into an existing VPC.

Note - For direct access to the CloudGuard Network Security Gateway, deploy the Management in the same Security VPC where you deployed the Gateway in step 3.

To configure the Check Point Security Management Server, follow the steps in R81 Quantum Security Management Administration Guide.

Step 5: Set Up Routes on Security Gateway to the Internal vSwitches

To set up route on the Security Gateway to the internal vSwitches:

1. Connect over SSH to the Security Gateway

2. Log in to Gaia Clish, or Expert mode.

3. Add this route:

   • In Gaia Clish, run these two commands:

     set static-route <VPC-IP-address/Prefix> nexthop gateway

     address <eth1-router-IP-address> on

     save config

   • In Expert mode, run this command:

     clish -c 'set static-route <VPC-IP-address/Prefix>

     nexthop gateway address <eth1-router-IP-address> on' -s

   Example:

   set static-route 10.0.0.0/16 nexthop gateway address 10.0.2.253 on
   

Parameters:

Parameter	Description
<vpc-IP-address/Prefix>	Specifies the prefix of the entire VPC. Example: 10.0.0.0/16
<eth1-router-IP-address>	Specifies the unicast IP address on the subnet, to which the eth1 is connected. Example: 10.0.2.253

Note - If the VPC comprises several non-contiguous address prefixes, repeat the command for each prefix.

Step 6: Configure CloudGuard Network Gateway in SmartConsole

To enforce a Security Policy, the CloudGuard Network Gateway must first be configured on the Security Management Server using Check Point's SmartConsole application.

Configuring the Gateway Object

1. Use SmartConsole to connect to your Check Point Security Management Server.

2. If the Security Management Server and the Security Gateway have to communicate through public IP addresses, make sure that the Security Management Server object is defined with the elastic IP address.

   Edit the Security Management Server object and change the IP address.

   Important - If you change the main IP address of the Security Management Server, you must issue and install the license(s) for the new IP address.

3. Create the Security Gateway:

   In the top of the SmartConsole, click > More > Network Object > Gateway And Servers > Gateway > Classic Mode.

4. Define the gateway's general properties:

   1. In the Gateway Name field, enter a name for the gateway object (as in "Alibaba_GW").

   2. In the IPv4 address field:
      If you manage the gateway from the same VPC, enter the Gateway private IP address. Otherwise, enter the Gateway public IP address.

   3. Click Communication.

   4. In the One-Time Password field, enter the SIC key you set up in the Terraform Template.

   5. In the One-Time Password field, enter the SIC key again.

   6. Click Initialize.

      1. If the One-time-password is confirmed, the Trust State field shows Trust Established.

   7. To close the Communication properties window, click Close.
      If the Activation Key is confirmed, the Trust State field shows Trust Established.

   8. Click OK.

5. Click Network Management > Get Interfaces > Get Interfaces With Topology.

   If this warning appears:

   "Topology and Anti-Spoofing settings that are already defined will be overwritten. By results of this operation that contradict them, if any. Do you want to continue?"

   Click Yes.

   From the Network eth0 and eth1 window, click Topology and disable Anti-Spoofing.

6. Verify the settings:

   1. To close the window, click OK.

   2. Install policy on the Security Gateway.

To Allow Outbound Traffic

1. Use SmartConsole to connect to your Check Point Security Management Server.

2. Create an Internal Network for the Security VPC:

   In the right navigation bar, click new > Network….

3. Configure Network general properties:

   1. Enter a name for your network (such as Security_network).

   2. In the IPv4 section, insert the Network Address and the Net mask of the Security VPC

4. Create a NAT rule for the network to hide behind the Security Gateways:

   1. In the Network's object left pane, click NAT.

   2. Check the box: Add automatic address translation rules.

   3. Leave the configuration as default:

      • Translation method: Hide

   • Hide behind the gateway

5. Verify the settings:

   1. To close the window, click OK.

   2. Install policy.

6. Add a custom route table for the new vSwitch you created:

   1. Go to AliCloud ECS console, Route tables > Create Route Table.

   2. Select the VPC of the relevant vSwitch

   3. Enter a name and click OK.

   4. Select the route table you created > Custom route > Add Route Entry.

   5. Set Destination CIDR to 0.0.0.0/0.

   6. Set the next hop to ENI > select the Gateway's internal interface (eth1).

   7. Go to Associated vSwitch tab > click Associated vSwitch > Select the peer vSwitch.

   8. Click OK.

Step 7: Configure VPN

In SmartConsole, create a Network Group object to represent the encryption domain for the Security Gateway.

For more information, see the R81 Quantum Security Management Administration Guide.

1. Create a Network Group object to represent the encryption domain of the gateway:

   1. In SmartConsole, click the Objects menu > Object Explorer.

   2. From the top toolbar, click New > Network Group.

   3. In the Enter Object Name field, enter the desired name.

   4. Click the + icon and select the applicable network objects.

   5. Click OK.

   6. Close the Object Explorer.

2. Edit the Gateway object:

   1. In SmartConsole, from the left navigation panel, click Gateways & Servers.

   2. Double-click the Gateway object.
      The Gateway Properties window shows.

   3. On the General Properties pane, check the IPSec VPN box.

3. Define your Network Group as the encryption domain of the gateway object:

   1. In SmartConsole, from the left navigation panel, click Gateways & Servers.

   2. Double-click the Gateway object.
      The Gateway Properties window shows.

   3. In the gateway object left tree, click Network Management > VPN Domain.

   4. Select manually defined.

   5. In the right corner of this field, click the [...] button and select the Network Group object you created in Step 1.

4. Define the VPN community:

   1. In the gateway object left tree, click IPsec VPN.

   2. In the section This Security Gateway participates in the following VPN Communities, select the applicable VPN community.

5. Define the outgoing VPN interface:

   1. In the Security Gateway object left tree, click IPsec VPN > Link Selection.

   2. In the IP Selection by Remote Peer section, select Always use this IP address > Statically NATed IP, and then enter the gateway public IP address.

   3. In the Outgoing Route Selection section:

      1. Click Source IP address settings.

      2. Select Automatic (derived from method of IP selection by remote peer).

      3. Click OK.

   4. In the Tracking section, select the desired option.

   5. Click OK to close the Gateway Properties window.

6. Configure the VPN Community to use Permanent Tunnels:

   1. In SmartConsole, click the Objects menu > Object Explorer.

   2. In the left tree, clear all boxes except for VPN Communities.

   3. Double-click the VPN community, in which this gateway object participates.
      The VPN Community window shows.

   4. In the left tree, click Tunnel Management.

   5. Select Set Permanent Tunnels.

   6. Select the applicable option.

   7. Click OK to close the VPN Community properties window.

   8. Close the Object Explorer.

7. Install the applicable Access Control Policy on the gateway object.

Testing and Troubleshooting

Security Gateway

1. In AliCloud ECS console. Go to the instance and check system log is finished successfully (machine is ready to be logged in):
   Expected output:

   ‘This system is for authorized use only.

login'
   

2. Connect VIA SSH using configured SSH key / Password

   1. Check user-data script finished successfully by running in Expert mode:

      cat /var/log/alicloud-user-data.log

      Expected output:

      Finished user data

   2. Check both interfaces are configured correctly.

   3. In the SmartConsole, check Device & License Information for problems.