topic Re: Checkpoint gateway failover with service principal in Cloud Firewall

Checkpoint gateway failover with service principal

snehams — Mon, 08 Feb 2021 11:54:15 GMT

Currently we have 2 checkpoint gateways R80.40 deployed on Azure. UDR changes during failover is happening automatically using Azure service principal.

UDR changes to current active firewall is taking least 15 mins and causing a huge downtime/outage.

Can we set the Front end LB ip and cluster VIP as the next hop is route table instead of using active firewall ip’s. We think the outage will be minimal with this.

Also need to understand what api's will be executed during failover?

Can you please confirm if this setup is possible. Also need some highlight on this approach.

Re: Checkpoint gateway failover with service principal

PhoneBoy — Sun, 19 Dec 2021 08:45:57 GMT

You can set up the firewall using a VMSS.

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm

Re: Checkpoint gateway failover with service principal

snehams — Wed, 10 Feb 2021 10:50:13 GMT

Hi,

We don't want to use VMSS, we have already deployed cloud guard high availability R 8.40 in azure. We want to utilize the same.

Can you please confirm what will be the next hop in route table. Is it backend ILB and Cluster VIP or is it gateway eth0 and eth1 interface IP?

Re: Checkpoint gateway failover with service principal

PhoneBoy — Wed, 10 Feb 2021 16:34:04 GMT

The HA works as you describe: by changing UDR routes.
The fact it can take some time for Azure to process the relevant API calls is one of the limitations of this approach.
The canonical (supported) approach to resolve this is to deploy with VMSS.

You might be able to change how the HA works by modifying the azure_ha_test.py script, but I assume this won't survive an upgrade...or be supported.

Re: Checkpoint gateway failover with service principal

snehams — Wed, 10 Feb 2021 16:46:15 GMT

Thank you for the explanation, One last question.

If I use backend ILB and Cluster VIP as a next hop in the azure route table, during failover will checkpoint API calls modify the next hop in the azure route table?

Re: Checkpoint gateway failover with service principal

PhoneBoy — Sun, 19 Dec 2021 09:14:25 GMT

Pretty sure it's supposed to go to the ILB.
Refer to the documentation: https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_Azure/Default.htm

Re: Checkpoint gateway failover with service principal

Matthias_Haas — Thu, 11 Feb 2021 14:04:09 GMT

with the latest HA template, I would expect no UDR modification at all. There should be a internal LB with a VIP. This VIP is the next hop for your UDRs and will not change. Only the Master/Active FW will answer the LB health checks, so the traffic is forwarded to the Master only. After failover, the Backup FW will answer the LB Health Checks and will get the traffic. This failover should happen within seconds.

On the external side, the Public/Private Cluster IP will move via Azure API calls from the Master to the Backup which could take a while

Re: Checkpoint gateway failover with service principal

snehams — Thu, 11 Feb 2021 14:52:28 GMT

Thanks for the solution. This was the exact answer I was looking for.

Re: Checkpoint gateway failover with service principal

Equipe_reseau — Wed, 24 Feb 2021 15:13:31 GMT

Hi,

Thanks for your answer. How many SPN we need in case we had two members ?

Thank you

Re: Checkpoint gateway failover with service principal

Matthias_Haas — Wed, 24 Feb 2021 16:42:37 GMT

You only need one SPN with contributor rights for the resource group, the cluster is deployed in. If, during deployment, you decide checkpoint to create the SPN, they will create two, one for each GW. See for example

CP_CloudGuard_IaaS_High_Availability_for_Azure_R80.10_and_Higher_Deployment_Guide.pdf