topic Re: Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode in Cloud Firewall

Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode

Abhishek_Singh1 — Thu, 15 Aug 2019 14:17:08 GMT

Hi guys ,

I am looking for a solution to implement Active-Active (Load sharing) clusterXL in Azure , but didn't find any templates . Does checkpoint Vsec in Azure doesnot support this by design , or , What changes it would require to support this config ?

Thanks!

Re: Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode

Chris_Atkinson — Sun, 19 Dec 2021 10:21:55 GMT

VMSS is typically the approach used for this in Azure, please see:
https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm

Re: Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode

PhoneBoy — Thu, 15 Aug 2019 18:50:34 GMT

The multicast traffic required for traditional ClusterXL (Load Sharing or otherwise) is not supported by public cloud providers.
However, you get "active active" deploying as a VMSS, which incorporates load balancers into the design.
It's not Clustering, which means the scalability is significantly better.

Re: Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode

Abhishek_Singh1 — Fri, 20 Sep 2019 06:39:09 GMT

Thanks @PhoneBoy , @Chris_Atkinson for your responses .

I am running a POC to implement the VMSS in Azure to utilize both the gateways .

I believe because of the dynamic nature of the Gateways being scaled out/in we cann't use the traditional Gateway object in the policy rules cells ( Source , destination , Install On) .

Refer attachment for reference on the existing policy .

Can you help me out what object I shall use in the standard policy of Firewall management , Stealth rule , MTA specific rules ?? -- Is it the dynamic "LocalGateway" object ?

Also how we manipulate the Gateway specific settings for the VMSS gateways , that we used to do using SMS - editing the GW object properties - like enabling MTA , configuring HTTPS inspection , etc ?? -- I mean do we need to change these properties for all the gateways being spinup during scale out event manually ? Or is there any setting approch in the auto-confi provision files to handle this ?

Regards,

Abhishek

Re: Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode

Tommy_Forrest — Fri, 20 Sep 2019 11:42:38 GMT

It's not a good idea to use the actual firewall object in your policy. That's because if Azure scales up or down (and especially down) the objects are no longer valid.

What I did (after setting the Min/Max/Def to 2/2/2) was create secondary FW objects and put those into the policy. The manager complains every push or FW modification because of duplicate objects. But it works.

If you have to host inbound traffic, you should be looking at those setup steps now too. It's an utter pain in the rear.

Probably the coolest thing I've seen is autoprovisioning doing its thing. Azure adds a firewall and autoprovisioning does the rest. Which is super cool, but I lost 2/3rds of the hair on my head getting it all going.

I still need to figure out how to modify autoprovisioning so that it will deploy all of our machine level settings (TZ/passwords/routes/usernames/etc).

Also, you don't need to define a gateway to "install on". That's done in your autoprov script and is taken care of for you automagically.

Re: Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode

Abhishek_Singh1 — Fri, 20 Sep 2019 14:15:03 GMT

@Tommy_Forrest - so you have created the secondary gateway object after spinning the firewalls from autoprovisioning...

Did you faced any issue with using the dynamic object - "LocalGatewayExternal" In policy rules as source / destination??

About inbound traffic, we have the usercase of using Checkpoint gateway as MTA, do you have any experience with this regard?? --- hence was my query second part... How we manipilate the gateway objects global properties - blades, https inspection, MTA, etc in gateways being spin-up by VMSS autoprovisioning template.

@PhoneBoy -- can you pls guide me here with any official recommendation(s) ?? Or, may be tag some more folks who have an prior experience with VMSS deployment

Re: Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode

PhoneBoy — Fri, 20 Sep 2019 14:26:47 GMT

The dynamic objects LocalGateway or LocalGatewayExternal can safely be used.
In the past (pre-R80.10), there was a performance penalty to use these objects (not SecureXL friendly) but that issue has since been resolved.
I would do this over using secondary firewall objects.

As for what blades are enabled as part of the provisioning process, that's actually controlled on the management server.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk130372

Re: Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode

Abhishek_Singh1 — Tue, 24 Sep 2019 11:23:05 GMT

Thanks @PhoneBoy .Do we have control on adding specific route, enabling MTA settings with custom specs?? May be in autoprovisioning file, or some sort of script.

Re: Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode

PhoneBoy — Tue, 24 Sep 2019 16:09:24 GMT

If it requires setting specific properties on the gateway object and they can be set via the API, there is a way to set those.
See the SK I specified previously.
Not sure you need to change routes on the AWS instance as that doesn't really have an effect, given the way VPCs work.
That said, the gateways are created using an autoprovision.json file that I assume you can modify to do what is required (the user-data section, I believe).

Re: Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode

Abhishek_Singh1 — Sun, 19 Dec 2021 10:21:29 GMT

Thanks @PhoneBoy for sharing the details . However , I dont see any management API command to manipulate the MTA config ( adding mail domain , next hop ) Refer the attachment - Desired setting for MTA.

Also , now I am a bit confused between CME (Cloud Management Extension ) and Autoprovision Add-On. There is a latest update on 23-Sep-2019 to the checkpoint official VMSS deployment guide and it talks about using the CME .

The CME has a limitation of not working in parallel with Autoprovision Add-On . Please refer the attachment -

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm

Do we have any guidelines what should be used and recommended between these two , whats the advantage/disadvantage of using these respectively ( CME Vs Autoprovision add-on ) .

Re: Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode

PhoneBoy — Thu, 26 Sep 2019 14:54:43 GMT

Based on the screenshot you provided, I assume these are modifications to the gateway object, some of which may not have a specific API exposed to modify.
They may be doable with Generic Objects, but recommend asking that specific question in the appropriate space: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/bd-p/codehub

My understanding is that CME supersedes the Autoprovision add-on.
The configuration steps are similar in either case.