Introduction

Check Point Security Gateway Virtual Edition protects dynamic virtual environments and external networks from internal and external threats by securing virtual machines and applications. This solution uses proven Check Point security technologies: Software Blade architecture, Firewall with content inspection, IPS, central management, and more.

Security Gateway Virtual Edition has different operation modes. Find which is best for your environment and plan the installation accordingly.

  • Hypervisor Mode enforces VM security in the VMware Hypervisor with inter-VM traffic inspection, without virtual network topology changes.
  • Network Mode is deployed as a virtual network device to protect virtual networks and physical environments. You can configure it as a router or a bridge, with the same procedure as a physical gateway.

Important Notes:

  • This release supports only Network Mode on Gaia.
  • All references to ESX in this document also apply to ESXi unless noted otherwise.

Related Topics

Key Benefits

Basic Deployment with Network Mode

Network Mode Overview

Licensing Security Gateway Virtual Edition

ESX Host Security Considerations

Key Benefits

  • Operates as a layer-2 or layer-3 Security Gateway for virtual network environments.
  • Supports ClusterXL for High Availability and Load Sharing.
  • Enforces security with no downtime during and after VMware vMotion migration.
  • Supports vMotion of the Security Gateway Virtual Edition virtual machine.
  • Protects expanding virtual networks while reducing hardware investment, maintenance, energy, and site costs.
  • Optimizes performance for virtual environments.

Basic Deployment with Network Mode

In this basic Network Mode deployment, one VM has a standalone Security Management Server with a Security Gateway Virtual Edition to protect three networks. These networks connect using vSwitches.

Callout   Description
1         Physical Security Gateway
2         SmartDashboard and vSphere client
3         LAN
4         ESX host
5         Security Gateway Virtual Edition VM
6         Web Servers
7         Email Server
8         Database Servers
9         Physical switch
10        vSwitch

The Security Gateway Virtual Edition inspects all traffic between virtual networks. For example, Security Gateway Virtual Edition inspects traffic between the Web server and database server VMs.

Administrators manage network security using SmartDashboard, which connects to the Security Management Server VM.

Network Mode Overview

Network Mode secures virtual environments and perimeter networks by deploying the Security Gateway Virtual Edition as a virtual network device (layer 2 or layer 3). To use Network Mode, the network topology must include Explicit Routing or Layer-2 Bridging.

Licensing Security Gateway Virtual Edition

Each Security Gateway Virtual Edition instance requires its own license. You must purchase a license according to the number of physical cores on the local ESX host. Security Gateway Virtual Edition licenses are assigned to IP addresses.

Each Security Gateway and Security Management Server installed on a VM must have a license.

By default, Security Gateway Virtual Edition installs with a 15-day trial license.

ESX Host Security Considerations

We recommend that you read the VMware Best Practices - Security Hardening document for suggestions on how to secure your ESX host.

Check Point Best Practices:

  • Always use different, secured networks for the VMkernel and ESX service console/ESXi Host Management Network. This traffic is not automatically inspected by Security Gateway Virtual Edition. Configure Security Gateway Virtual Edition to protect the ESX host and VMkernel.
  • Grant users only the necessary privileges. For example, give only VMware security administrators access to the Security Gateway Virtual Edition.

    This recommendation applies to Check Point and VMware permissions. To learn more about VMware roles and permissions, see the best practices in the Managing VMware Virtual Center Roles and Permissions Guide.

 
©2013 Check Point Software Technologies Ltd. All rights reserved.