Setting Up a Security Gateway in Alibaba Cloud

Step 1: Prepare Your Alibaba Account

To prepare your Alibaba Cloud account, do the following:

  1. If you do not already have an Alibaba Cloud account, create one at Alibaba Cloud Platform.

  2. Navigate to ECS console using the menu bar.

  3. In Network & Security, click SSH Key Pairs.

  4. Use the region selector in the navigation bar to choose the Alibaba Cloud region where you want to deploy Check Point Cloud Firewall GatewayClosed Check Point Virtual Security Gateway that protects dynamic virtual environments with policy enforcement. Cloud Firewall Gateway inspects traffic between Virtual Machines to enforce security, without changing the Virtual Network topology. .

  5. Create a key pair in your preferred region.

  6. If necessary, request a service limit increase for the Alibaba Cloud resources you are going to use.

    You may have to do this if you have an existing deployment that uses the Alibaba Cloud resources below, and you may exceed the default limit with this deployment.

    The resources that may need a service limit increase are:

    • Number of On-demand ECS instances.

    • Number of Elastic IP addresses.

    • Number of VPCs for each region.

    • Number of VPN connections for each region.

    • VPN connections for each VPC.

By default, this Deployment guide uses ec5.xlarge for the Cloud Firewall Gateways and ecs.hfg6.xlarge for the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

Step 2: Deploy with a Terraform template in Alibaba Cloud

Deploy this solution in the Alibaba Cloud Portal using Terraform.

Deploy the Cloud Firewall Gateway in Alibaba Cloud:

Use this Terraform Template: Check Point Cloud Firewall Gateway.

Deploy the Security Management Server:

Use one of the options below to deploy the Check Point Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

  1. Use the existing on-premises Security Management Server, or existing Security Management Server in Alibaba Cloud Platform.

    If the Security Management Server is communicating over a private IP addresses with the Cloud Firewall Gateway, then make sure that the Security Management Server has connection to the Security VPC where they are deployed.

  2. Deploy a new Security Management Server with the Management Terraform template: Check Point Security Management Server.

Note - For direct access to the Cloud Firewall Gateway, deploy the Security Management Serverin the same Security VPC where you deployed the Cloud Firewall Gateway.

To configure the Check Point Security Management Server, follow the steps in Security Management Administration Guide of your version.

Step 3: Configure Cloud Firewall Gateway in SmartConsole

To enforce a Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., the Cloud Firewall Gateway must first be configured on the Security Management Server using Check Point's SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

Configuring the Gateway Object

  1. Use SmartConsole to connect to your Check Point Security Management Server.

  2. If the Security Management Server and the Cloud Firewall Gateway have to communicate through public IP addresses, make sure that the Security Management Server object is defined with the elastic IP address.

    Edit the Security Management Server object and change the IP address.

    Important - If you change the main IP address of the Security Management Server, you must issue and install the license(s) for the new IP address.

  3. Create the Cloud Firewall Gateway:

    In the top of the SmartConsole, click https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Transit_Gateway_High_Availability/Content/Resources/Images/tgw_ha_star.png > More > Network Object > Gateway & Servers > Gateway > Classic Mode.

  4. Define the gateway's general properties:

    1. In the Gateway Name field, enter a name for the gateway object (as in "Alibaba_GW").

    2. In the IPv4 address field:

      If you manage the gateway from the same VPC, enter the Gateway private IP address. Otherwise, enter the Gateway public IP address.

    3. Click Communication.

    4. In the One-Time Password field, enter the SICClosed Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. key you set up in the Terraform Template.

    5. In the One-Time Password field, enter the SIC key again.

    6. Click Initialize.

      1. If the One-time password is confirmed, the Trust State field shows Trust Established.

    7. To close the Communication properties window, click Close.

      If the Activation Key is confirmed, the Trust State field shows Trust Established.

    8. Click OK.

  5. Click Network Management > Get Interfaces > Get Interfaces With Topology.

    If this warning appears:

    "Topology and Anti-Spoofing settings that are already defined will be overwritten. By results of this operation that contradict them, if any. Do you want to continue?"

    Click Yes.

    From the Network eth0 and eth1 window, click Topology and disable Anti-Spoofing.

  6. Verify the settings:

    1. To close the window, click OK.

    2. Install policy on the Cloud Firewall Gateway.

To Allow Outbound Traffic

  1. Use SmartConsole to connect to your Check Point Security Management Server.

  2. Create an Internal NetworkClosed Computers and resources protected by the Firewall and accessed by authenticated users. for the Security VPC:

    In the right navigation bar, click new > Network….

  3. Configure Network general properties:

    1. Enter a name for your network (such as Security_network).

    2. In the IPv4 section, insert the Network Address and the Net mask of the Security VPC

  4. Create a NAT ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. for the network to hide behind the Security Gateways:

    1. In the Network's object left pane, click NAT.

    2. Check the box: Add automatic address translation rules.

    3. Leave the configuration as default:

      • Translation method: Hide

      • Hide behind the gateway

  5. Verify the settings:

    1. To close the window, click OK.

    2. Install policy.

Step 4: Configure VPN

Step

Description

1

Create a Network Group object to represent the encryption domain for the Cloud Firewall Gateway:

  1. In SmartConsole, click the Objects menu > Object Explorer.

  2. From the top toolbar, select New > Network Group.

  3. In the Enter Object Name field, enter the desired name.

  4. Click the + icon and select the applicable network objects.

  5. Click OK.

  6. Close the Object Explorer.

2

Decide if you want to proceed with a default VPN Community or use any of your existing VPN Communities.

In the first case, just follow the steps below.

In the second case, make sure the VPN Community you plan to use is properly configured. For that:

  1. In SmartConsole, click the Objects menu >Object Explorer.

  2. In the left tree, clear all checkboxes except for VPN Communities.

  3. Double-click the VPN Community you plan to use with your clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.

    The VPN Community properties window opens.

  4. On the Gateways tab, make sure to enable Legacy mode in the Link Selection Mode section.

  5. Set Permanent Tunnels as described in step 6 below.

Note - To create a VPN Community, see the R82.10 Site to Site VPN Administration Guide.

3

Enable the VPN Blade and configure your Network Group as the encryption domain of the cluster object:

  1. In SmartConsole, from the left navigation panel, click Gateways & Servers.

  2. Double-click the Cloud Firewall Gateway object.

    The Gateway properties window opens.

  3. On the General Properties page, click the Network Security tab.

  4. Select IPsec VPN.

  5. In the cluster object left tree, click Network Management > VPN Domain.

  6. Select User defined.

  7. In the right corner of this field, click the [...] button and select the Network Group object created in Step 1.

4

Configure the VPN community:

  1. In the cluster object left tree, click IPsec VPN.

  2. In the section This Cloud Firewall Gateway participates in the following VPN Communities, select the VPN community. If you don't have any pre-configured VPN communities, select a default VPN community.

5

Configure the outgoing VPN interface:

  1. In the Cloud Firewall Gateway object left tree, click IPsec VPN > Link Selection.

  2. In the IP Selection by Remote Peer section, select Always use this IP address > Statically NATed IP, and then enter the gateway public IP address.

  3. In the Outgoing Route Selection section:

    1. Click Source IP address settings.

    2. Select Automatic (derived from the method of IP address selection by remote peer).

    3. Click OK.

  4. In the Tracking section, select the desired option.

  5. Click OK to close the Cloud Firewall Gateway properties window.

  6. Click Yes in the Check Point SmartDashboard pop-up window.

6

Configure the VPN Community to use Permanent Tunnels:

  1. In SmartConsole, click the Objects menu >Object Explorer.

  2. In the left tree, clear all checkboxes except for VPN Communities.

  3. Double-click the VPN community, in which this Cloud Firewall Gateway object participates.

    The VPN Community windows opens.

  4. In the left tree, click Tunnel Management.

  5. Select Set Permanent Tunnels.

  6. Select the applicable option.

  7. To close the VPN Community properties window, click OK.

  8. Close the Object Explorer.

7

Install the applicable Access Control Policy on the cluster object.

Testing and Troubleshooting

Cloud Firewall Gateway

  1. In AliCloud ECS console, go to the instance and check system log is finished successfully (machine is ready to be logged in):

    Expected output:

    This system is for authorized use only.
    login

  2. Connect VIA SSH using configured SSH key / Password

    1. Check user-data script finished successfully by running in Expert mode:

      cat /var/log/cloud_config.log

      Expected output:

      cloud_config finished successfully

    2. Check both interfaces are configured correctly.

    3. In the SmartConsole, check Device & License Information for problems.