Workflow for Setting Up a Security Gateway in Alibaba Cloud

Step 1: Preparing Your Alibaba Account

To prepare your Alibaba Cloud account, do the following:

  1. If you do not already have an Alibaba Cloud account, create one at Alibaba Cloud Platform.

  2. Navigate to the ECS console using the menu bar.

  3. In Network & Security, click SSH Key Pairs.

  4. Use the region selector in the navigation bar to choose the Alibaba Cloud region where you want to deploy the Check Point Cloud Firewall Gateway.

  5. Create an SSH key pair in that region.

  6. If necessary, request a service limit increase for the Alibaba Cloud resources you are going to use.

    You may have to do this if you already have deployments that use the Alibaba Cloud resources below and this deployment would push you over a default limit.

    The resources that may need a service limit increase are:

    • Number of On-demand ECS instances.

    • Number of Elastic IP addresses.

    • Number of VPCs for each region.

    • Number of VPN connections for each region.

    • VPN connections for each VPC.

By default, this deployment guide uses ec5.xlarge for the Security Gateways and ecs.hfg6.xlarge for the Security Management Server.

Step 2: Deploy with a Terraform template in Alibaba Cloud

How to run Terraform:

Notes -

  • Each module has its own README file that explains how to run the module and where to configure its parameters.

  • Parameters are configured in the module's terraform.tfvars file.

  1. Open the terraform.tfvars file and fill in all relevant input parameters.

    Some resources may have to be created manually in the Alibaba Cloud console beforehand (VPC, vSwitches, SSH key, etc.).

  2. Open a command line in the module's directory and initialize the module. Run:

    terraform init

  3. Review the plan that Terraform will execute:

    terraform plan

  4. Apply the module deployment plan (Terraform shows the plan again and prompts you to type 'yes' to continue). Run:

    terraform apply

    Note - The README may instruct you to run a different apply command (for example, in the gateway-master Terraform module).

  5. To delete the environment, destroy the module deployment:

    terraform destroy
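A scripted form of the Step 2 workflow, added here as an example (it is not part of the Check Point Terraform modules): it checks terraform.tfvars before anything is applied, then applies a saved plan file so that the plan you reviewed is the one that runs. The variable names in REQUIRED_VARS and the sample values are assumptions for illustration; the real names come from the module's README and variables.tf. The SIC key rule it enforces (alphanumeric, at least 8 characters) is the one Check Point's cloud templates apply.

```shell
#!/bin/sh
# Added example, not part of the Check Point Terraform modules: a pre-flight
# check on terraform.tfvars plus a plan-file based apply. The variable names in
# REQUIRED_VARS are assumptions for illustration; take the real names from the
# module's README and variables.tf.

REQUIRED_VARS="gateway_name gateway_instance_type key_name gateway_SICKey gateway_password_hash"

# tfvars_get KEY FILE: print the value of a simple `key = "value"` line.
# Maps, lists and heredocs are out of scope for this check.
tfvars_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 \
        | sed 's/^"//; s/"[[:space:]]*$//; s/[[:space:]]*$//'
}

# check_tfvars FILE: 0 when every required variable is set and the SIC key
# is alphanumeric and at least 8 characters long, else 1 (problems on stderr).
check_tfvars() {
    file=$1; rc=0
    [ -f "$file" ] || { echo "check_tfvars: $file not found" >&2; return 1; }
    for v in $REQUIRED_VARS; do
        if [ -z "$(tfvars_get "$v" "$file")" ]; then
            echo "check_tfvars: $v is missing or empty" >&2; rc=1
        fi
    done
    sic=$(tfvars_get gateway_SICKey "$file")
    case "$sic" in
        *[!A-Za-z0-9]*) echo "check_tfvars: SIC key must be alphanumeric" >&2; rc=1 ;;
    esac
    if [ "${#sic}" -lt 8 ]; then
        echo "check_tfvars: SIC key must be at least 8 characters" >&2; rc=1
    fi
    return $rc
}

# run_terraform VARFILE: init, write the plan to a file, apply that exact file.
# Applying the saved plan guarantees that what was reviewed is what runs; the
# plan file holds the variable values (SIC key included), so it is removed after.
run_terraform() {
    varfile=$1
    check_tfvars "$varfile" || return 1
    terraform init -input=false || return 1
    terraform plan -input=false -var-file="$varfile" -out=tfplan.bin || return 1
    terraform apply -input=false tfplan.bin
    rc=$?
    rm -f tfplan.bin
    return $rc
}

# Usage: sh preflight.sh terraform.tfvars   (without arguments only the usage is printed)
main() {
    if [ $# -lt 1 ]; then
        echo "usage: $0 <terraform.tfvars>" >&2
        return 0
    fi
    run_terraform "$1"
}
main "$@"
```

Saved plan files contain the variable values, including the SIC key, which is why the script deletes tfplan.bin after the apply; keep terraform.tfvars itself out of version control for the same reason.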

Step 3: Deploy the Cloud Firewall Gateway in Alibaba Cloud:

Terraform Template: Security Gateway into a new VPC

  Description: The template deploys a Cloud Firewall Gateway into a new VPC with public and private vSwitches.

  Link: Cloud Firewall Gateway for Alibaba cloud into a new VPC

Terraform Template: Security Gateway into an existing VPC

  Description: The template deploys a Cloud Firewall Gateway into an existing VPC with public and private vSwitches.

  Link: Cloud Firewall Gateway for Alibaba cloud into an existing VPC

Step 4: Deploying the Check Point Security Management Server

Use one of the options below to deploy the Check Point Security Management Server (a Single-Domain Security Management Server or a Multi-Domain Security Management Server).

  1. Use an existing on-premises Security Management Server, or an existing Security Management Server in Alibaba Cloud.

    If the Security Management Server communicates with the Cloud Firewall Gateway over private IP addresses, make sure that it has connectivity to the Security VPC where the gateway is deployed.

  2. Deploy a new Security Management Server with the Management Terraform template.

Terraform Template: Security Management Server into a new VPC

  Description: The template deploys a Check Point Security Management Server into a new VPC with a public vSwitch.

  Link: Creates a new VPC and deploys a Security Management Server into it.

Terraform Template: Security Management Server into an existing VPC

  Description: The template deploys a Check Point Security Management Server into an existing VPC with a public vSwitch.

  Link: Deploys a Security Management Server into an existing VPC.

Note - For direct access to the Cloud Firewall Gateway, deploy the Security Management Server in the same Security VPC where you deployed the Gateway in Step 3.

To configure the Check Point Security Management Server, follow the steps in R81 Quantum Security Management Administration Guide.

Step 5: Set Up Routes on Security Gateway to the Internal vSwitches

To set up routes on the Security Gateway to the internal vSwitches:

  1. Connect to the Security Gateway over SSH.

  2. Log in to Gaia Clish (the restricted default command line shell of the Gaia operating system) or Expert mode.

  3. Add a static route from the Security Gateway to the internal vSwitches through the router on the eth1 subnet, using these parameters:

Parameters:

  <vpc-IP-address/Prefix>

    The address prefix of the entire VPC. Example: 10.0.0.0/16

  <eth1-router-IP-address>

    The unicast IP address of the router on the subnet to which eth1 is connected. Example: 10.0.2.253

Note - If the VPC comprises several non-contiguous address prefixes, repeat the command for each prefix.
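The Clish commands for Step 5, generated for one or more VPC prefixes by an added example script (not part of the Check Point guide). The `set static-route <prefix> nexthop gateway address <ip> on` form is standard Gaia Clish syntax; the addresses in the example call at the bottom are constructed, and every input is validated before a line is printed so that a typo does not end up as a route.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: generate the Gaia Clish route
# commands for Step 5, one per VPC prefix, after validating every input. The
# command form is the standard Gaia static-route syntax; the addresses used
# in the example call below are constructed.

# valid_ipv4 A.B.C.D -> 0 for a well-formed dotted quad
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_cidr A.B.C.D/N -> 0 for a well-formed prefix with 0 <= N <= 32
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; len=${1##*/}
    valid_ipv4 "$ip" || return 1
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ]
}

# gen_static_routes NEXTHOP PREFIX [PREFIX...]: print one Clish command per
# prefix (the note above: repeat for each non-contiguous VPC prefix), then
# "save config" so the routes survive a reboot. Nothing is printed if any
# argument is malformed.
gen_static_routes() {
    nexthop=$1; shift
    valid_ipv4 "$nexthop" || { echo "bad next hop: $nexthop" >&2; return 1; }
    [ $# -ge 1 ] || { echo "no prefixes given" >&2; return 1; }
    for p in "$@"; do
        valid_cidr "$p" || { echo "bad prefix: $p" >&2; return 1; }
    done
    for p in "$@"; do
        echo "set static-route $p nexthop gateway address $nexthop on"
    done
    echo "save config"
}

# Example call (constructed): a VPC with two non-contiguous prefixes and the
# router of the eth1 subnet at 10.0.2.253
gen_static_routes 10.0.2.253 10.0.0.0/16 10.1.0.0/16
```

Paste the printed lines into Clish, or run each one from Expert mode with `clish -c "<line>"`.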

Step 6: Configure Cloud Firewall Gateway in SmartConsole

To enforce a Security Policy, the Cloud Firewall Gateway must first be configured on the Security Management Server using Check Point's SmartConsole.

Configuring the Gateway Object

  1. Use SmartConsole to connect to your Check Point Security Management Server.

  2. If the Security Management Server and the Security Gateway have to communicate through public IP addresses, make sure that the Security Management Server object is defined with its elastic IP address.

    Edit the Security Management Server object and change the IP address.

    Important - If you change the main IP address of the Security Management Server, you must issue and install the license(s) for the new IP address.

  3. Create the Security Gateway:

    At the top of SmartConsole, click the New object icon > More > Network Object > Gateways and Servers > Gateway > Classic Mode.

  4. Define the gateway's general properties:

    1. In the Gateway Name field, enter a name for the gateway object (for example, "Alibaba_GW").

    2. In the IPv4 address field:

      If you manage the gateway from the same VPC, enter the Gateway's private IP address. Otherwise, enter the Gateway's public IP address.

    3. Click Communication.

    4. In the One-Time Password field, enter the SIC (Secure Internal Communication) key you set in the Terraform template.

    5. In the Confirm One-Time Password field, enter the SIC key again.

    6. Click Initialize.

      If the one-time password is confirmed, the Trust State field shows Trust Established.

    7. Click Close to close the Communication properties window.

    8. Click OK.

  5. Click Network Management > Get Interfaces > Get Interfaces With Topology.

    If this warning appears:

    "Topology and Anti-Spoofing settings that are already defined will be overwritten by results of this operation that contradict them, if any. Do you want to continue?"

    Click Yes.

    In the Network Management view, open each of the interfaces eth0 and eth1, click Topology, and disable Anti-Spoofing on both.

  6. Verify the settings:

    1. To close the window, click OK.

    2. Install policy on the Security Gateway.

To Allow Outbound Traffic

  1. Use SmartConsole to connect to your Check Point Security Management Server.

  2. Create an Internal Network object for the Security VPC:

    In the Objects pane on the right, click New > Network.

  3. Configure Network general properties:

    1. Enter a name for your network (such as Security_network).

    2. In the IPv4 section, enter the Network Address and the Net mask of the Security VPC.

  4. Create a NAT rule so that the network hides behind the Security Gateway:

    1. In the Network's object left pane, click NAT.

    2. Check the box: Add automatic address translation rules.

    3. Leave the configuration as default:

      • Translation method: Hide

      • Hide behind the gateway

  5. Verify the settings:

    1. To close the window, click OK.

    2. Install policy.

  6. Add a custom route table for the internal vSwitch you created:

    1. In the Alibaba Cloud console, go to VPC > Route Tables > Create Route Table.

    2. Select the VPC of the relevant vSwitch.

    3. Enter a name and click OK.

    4. Select the route table you created > Custom Route > Add Route Entry.

    5. Set Destination CIDR Block to 0.0.0.0/0.

    6. Set the next hop type to ENI and select the Gateway's internal interface (eth1).

    7. On the Associated vSwitch tab, click Associate vSwitch and select that vSwitch.

    8. Click OK.
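The same route table change made through the Alibaba Cloud VPC API with the aliyun CLI, as an added example (not from the Check Point guide). The resource identifiers are constructed placeholders, REGION defaults to cn-hangzhou only for illustration, and the id prefix checks are the script's own guardrails rather than an API feature. With DRY_RUN=1 the script prints the API calls instead of making them, which is the form to review before touching a live VPC.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: the Alibaba Cloud VPC API calls
# behind the console steps for the egress route table, issued with the aliyun
# CLI. All identifiers (vpc-..., vsw-..., eni-...) are constructed placeholders.

REGION=${REGION:-cn-hangzhou}

# ali ACTION ARGS...: run one VPC API action; with DRY_RUN=1 print the command
# instead of executing it, so the change can be reviewed first.
ali() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "aliyun vpc $*"
    else
        aliyun vpc "$@"
    fi
}

# id_has_prefix ID PREFIX: reject the wrong kind of resource id (for example an
# instance id where an ENI id is expected). It cannot tell the gateway's public
# ENI from its internal one; take the ENI id from the instance's eth1.
id_has_prefix() {
    case "$1" in
        "$2"*) return 0 ;;
        *) echo "expected an id starting with $2, got $1" >&2; return 1 ;;
    esac
}

# create_route_table VPC NAME: create the table and print its RouteTableId
# (a fixed marker in dry-run, where no id exists yet).
create_route_table() {
    id_has_prefix "$1" vpc- || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        ali CreateRouteTable --RegionId "$REGION" --VpcId "$1" --RouteTableName "$2" >&2
        echo "vtb-dryrun"
    else
        ali CreateRouteTable --RegionId "$REGION" --VpcId "$1" --RouteTableName "$2" \
            | sed -n 's/.*"RouteTableId": *"\([^"]*\)".*/\1/p'
    fi
}

# default_route_via_eni RTB ENI: send every destination to the gateway's
# internal interface (eth1). The guide's model expects internal traffic to
# enter the gateway on eth1, so the ENI must be that interface's, not eth0's.
default_route_via_eni() {
    id_has_prefix "$1" vtb- || return 1
    id_has_prefix "$2" eni- || return 1
    ali CreateRouteEntry --RegionId "$REGION" --RouteTableId "$1" \
        --DestinationCidrBlock 0.0.0.0/0 --NextHopType NetworkInterface --NextHopId "$2"
}

# associate_vswitch RTB VSW: bind the table to the internal vSwitch
associate_vswitch() {
    id_has_prefix "$1" vtb- || return 1
    id_has_prefix "$2" vsw- || return 1
    ali AssociateRouteTable --RegionId "$REGION" --RouteTableId "$1" --VSwitchId "$2"
}

# show_route_table RTB: read the table back to confirm the entry and binding
show_route_table() {
    id_has_prefix "$1" vtb- || return 1
    ali DescribeRouteTables --RegionId "$REGION" --RouteTableId "$1"
}

# setup_egress VPC VSW ENI NAME: the whole procedure, in the console's order
setup_egress() {
    rtb=$(create_route_table "$1" "$4") || return 1
    default_route_via_eni "$rtb" "$3" || return 1
    associate_vswitch "$rtb" "$2" || return 1
    show_route_table "$rtb"
}

# Review first, then run for real:
#   DRY_RUN=1 sh egress-route.sh   (after uncommenting the call below)
# setup_egress vpc-abc123 vsw-def456 eni-789xyz cp-egress
```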

Step 7: Configure VPN

In SmartConsole, create a Network Group object to represent the encryption domain of the Security Gateway, then configure the gateway object and its VPN community as follows.

  1. Create the Network Group object for the encryption domain:

    1. In SmartConsole, click the Objects menu > Object Explorer.

    2. From the top toolbar, click New > Network Group.

    3. In the Enter Object Name field, enter the desired name.

    4. Click the + icon and select the applicable network objects.

    5. Click OK.

    6. Close the Object Explorer.

  2. Edit the Gateway object:

    1. In SmartConsole, from the left navigation panel, click Gateways & Servers.

    2. Double-click the Security Gateway object.

      The Gateway Properties window shows.

    3. On the General Properties pane, check the IPSec VPN box.

  3. Define your Network Group as the encryption domain of the Security Gateway object:

    1. In the same Gateway Properties window, in the left tree, click Network Management > VPN Domain.

    2. Select Manually defined.

    3. Click the [...] button on the right of this field and select the Network Group object you created in item 1.

  4. Define the VPN community:

    1. In the Security Gateway object left tree, click IPsec VPN.

    2. In the section This Security Gateway participates in the following VPN Communities, select the applicable VPN community.

  5. Define the outgoing VPN interface:

    1. In the Security Gateway object left tree, click IPsec VPN > Link Selection.

    2. In the IP Selection by Remote Peer section, select Always use this IP address > Statically NATed IP, and then enter the gateway public IP address.

    3. In the Outgoing Route Selection section:

      1. Click Source IP address settings.

      2. Select Automatic (derived from method of IP selection by remote peer).

      3. Click OK.

    4. In the Tracking section, select the desired option.

    5. Click OK to close the Security Gateway Properties window.

  6. Configure the VPN Community to use Permanent Tunnels:

    1. In SmartConsole, click the Objects menu > Object Explorer.

    2. In the left tree, clear all boxes except for VPN Communities.

    3. Double-click the VPN community, in which this gateway object participates.

      The VPN Community window shows.

    4. In the left tree, click Tunnel Management.

    5. Select Set Permanent Tunnels.

    6. Select the applicable option.

    7. Click OK to close the VPN Community properties window.

    8. Close the Object Explorer.

  7. Install the applicable Access Control Policy on the gateway object.

Testing and Troubleshooting

Security Gateway

  1. In the Alibaba Cloud ECS console, open the instance and check that the system log shows the boot has completed (the machine is ready to be logged in to):

    Expected output:

    This system is for authorized use only.
    login

  2. Connect over SSH using the configured SSH key or password.

    1. Check that the user-data script finished successfully by running, in Expert mode:

      cat /var/log/alicloud-user-data.log

      Expected output:

      Finished user data

    2. Check that both interfaces are configured correctly.

    3. In SmartConsole, check Device & License Information for problems.
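The checks in this section as a script, added as an example (not from the Check Point guide). Each check reads captured text, so it can be run on saved output, and check_gateway runs them against a live gateway over SSH. The host name, key path and the sample log and interface lines are constructed.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: scripted versions of the
# post-deployment checks above. The checks read captured text so they run
# offline; check_gateway feeds them from a live gateway over SSH.

# userdata_finished LOGFILE: 0 when the user-data script logged its completion
# line ("Finished user data") to /var/log/alicloud-user-data.log
userdata_finished() {
    grep -q 'Finished user data' "$1"
}

# interfaces_configured FILE: 0 when both eth0 and eth1 carry an IPv4 address.
# FILE holds the output of `ip -4 -o addr` taken in Expert mode; each line
# there looks like "2: eth0    inet 10.0.1.10/24 brd ... scope global eth0\ ..."
interfaces_configured() {
    rc=0
    for ifc in eth0 eth1; do
        if ! grep -Eq "^[0-9]+: ${ifc}[[:space:]]+inet [0-9.]+/[0-9]+ " "$1"; then
            echo "$ifc has no IPv4 address" >&2; rc=1
        fi
    done
    return $rc
}

# check_gateway HOST KEY: run both checks over SSH as the admin user. The
# admin shell must be /bin/bash (Expert mode) for plain commands to run; with
# the default Clish shell the commands are rejected. HOST and KEY are
# constructed placeholders supplied by the caller.
check_gateway() {
    host=$1; key=$2; tmp=$(mktemp)
    ssh -i "$key" -o BatchMode=yes "admin@$host" \
        'cat /var/log/alicloud-user-data.log' > "$tmp" && userdata_finished "$tmp" \
        || { echo "user-data script not finished on $host" >&2; rm -f "$tmp"; return 1; }
    ssh -i "$key" -o BatchMode=yes "admin@$host" 'ip -4 -o addr' > "$tmp" \
        && interfaces_configured "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: check_gateway 203.0.113.10 ~/.ssh/cp-keypair.pem
```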