topic Re: Vsec Cluster in Azure ?? anyone know how to? in Cloud Firewall

Vsec Cluster in Azure ?? anyone know how to?

Edson_Adrian_Di — Tue, 24 Oct 2017 12:48:29 GMT

Hi CheckMates!,

I need to know is someone can help me or lead me in order to setup a HA cluster of checkpoint Vsec on Azure.

Following sk110194 doesn't mention nothing about the proper way to configure the cluster HA, just we need to work with Active directory and API. but , to be honest, i never worked before with active directory on azure and no API knowledge.

So , if someone can lead me some tip about how to deploy it? we already have all running but, to failover, have to be done manually changing the route tables to point the new active memeber.

Thanks for any help

Re: Vsec Cluster in Azure ?? anyone know how to?

PhoneBoy — Tue, 24 Oct 2017 14:16:53 GMT

For HA to work correctly in Azure, we must make calls to the Azure API.

The API calls allow us to monitor state and fail over the relevant routes when needed.

In order to call the API, you need credentials.

Those credentials need to be created and configured on the instances, as described in the SK.

Re: Vsec Cluster in Azure ?? anyone know how to?

Dmitry_Gorn — Wed, 25 Oct 2017 11:09:55 GMT

Hello,

My name is Dmitry and I'm from Check Point R&D.

It is possible to deploy a check point vSEC high availability cluster in MS Azure. The deployment and configuration process is described in sk110194 that you're referring to.

After deploying the vSEC Cluster from the Azure marketplace you should follow the steps in the article to create a service account and assign it to the cluster's resource group. No API knowledge is required in order to do that - this can be done via the azure portal.

It is then required to configure the high availability daemon on each cluster member (see the section "Deployment using a Solution Template" that covers the creation of a service account and the configuration of the HA daemon).

On failover, the HA daemon will make all the API calls automatically and reassign all routing tables accordingly.

Note that the cluster must be properly configured in SmartDashboard / SmartConsole and policy must be installed (see section "SmartDashboard Configuration" for instructions).

If you have specific comments on the SK please feel free share them with me. If you are having trouble configuring the cluster you may open a support ticket or contact your local SE.

Thanks,

Dmitry

Re: Vsec Cluster in Azure ?? anyone know how to?

Edson_Adrian_Di — Wed, 25 Oct 2017 19:49:27 GMT

Thanks for your detailed answer Dmitry,

Actually, we already have working the cluster in Azure following the sk110194 and this video which is really helpful: Checkpoint vSEC cluster Deployment in azure - YouTube

But now, we are stock because everything is ok for the incoming traffic, but outgoing, traffic generated from the lan of the checkpoint in azure doesn't work.....

Re: Vsec Cluster in Azure ?? anyone know how to?

PhoneBoy — Wed, 25 Oct 2017 21:48:18 GMT

Off the top of my head, I would troubleshoot each hop.

From host behind the vSEC Gateway, try to ping the vSEC Gateway.

Use tcpdump on the vSEC gateway to confirm traffic is being received on the expected interface.

If not you will need to review the User Defined Routes to ensure they are configured correctly.

Re: Vsec Cluster in Azure ?? anyone know how to?

Kurt_Abela — Thu, 26 Oct 2017 10:48:29 GMT

Hi,

i have followed sk110194 and applied the routing tables as explained in the article.

When i NAT behind the clustermember-frontend IP, outgoing internet access is fine. When I NAT behind the cluster virtual front-end IP, we have no internet access.

From fwmonitor we see that traffic is correctly being NAT-ted behind the cluster IP but we see no return traffic. Is there any further configuration we need to do in Azure routing tables for this to work?

Thanks,

Kurt

Re: Vsec Cluster in Azure ?? anyone know how to?

gyula_jona — Tue, 19 Dec 2017 03:05:56 GMT

Hi Kurt,

we had the same issue. To get outgoing azure traffic hide NATed by the cluster IP address, it should leave the gateway as hide NATed to its _private_ interface address, and Azure will translate the src address to the cluster IP.
This works fine until a failover, when the secondary still translates to the private address of the _primary_ gateway, as they have identical policies/config but interface addresses are different.

I am still trying to find an answer to a failover scenario and outgoing internet traffic.

Gyula

Re: Vsec Cluster in Azure ?? anyone know how to?

Kurt_Abela — Tue, 19 Dec 2017 07:33:20 GMT

Hi Gyula,

You need to set the external interface as Sync only not Cluster or Cluster + Sync. There is no need for a VIP to be defined. Gateways will then automatically NAT behind their respective Front End IPs.

You do not need to define a manual NAT rule to hide behind a specific IP, just auto hide NAT all subnet behind Gateway.

Kurt

Re: Vsec Cluster in Azure ?? anyone know how to?

Vladislav_Nedos — Tue, 02 Jan 2018 15:30:57 GMT

Hi All,

Can I ask what is the point to have a cluster in Azure?

There is no physical device that you would need to replace.

HA - takes a bit of time, within average environment almost the same time as to redeploy appliance.

Keep a live packages some time cause split brain, so you have an outage.

From my personal point of view it is quite a bad practice to try to replicated on-premise datacentre in the cloud, instead of using benefits that cloud introduce.

Re: Vsec Cluster in Azure ?? anyone know how to?

Kurt_Abela — Tue, 02 Jan 2018 15:59:10 GMT

Hi,

The gateways in the cluster are put into an availability-group. Although they are in the same Datacenter, they should be on different racks and hardware. This ensures that in case of any failures or maintenance the cluster will switch over onto the secondary gateway. This process takes around 4 minutes due to changes done automatically using APIs.

Re: Vsec Cluster in Azure ?? anyone know how to?

gyula_jona — Mon, 08 Jan 2018 22:35:28 GMT

Hi Kurt,

thanks for your share. Inherited the system as-is... no auto hide-nat enabled on Azure subnet objects, just a single NAT to the Cluster PIP, which was not working
On the other hand, due to Azur's fabric nature (heavily policy routing like UDRs) there is a heavy traffic arriving and leaving the same inside interface. This is the reason why I tried to do hide NAT explicitly/manually applied only traffic heading out to the Internet. I do not want to get the traffic (from subnets in Azure with auto hide-nat configured) NAT-ed when not going out to the internet, and the ingress/egress are inside.

Gyula

Re: Vsec Cluster in Azure ?? anyone know how to?

Gilad_Pomerantz — Mon, 21 May 2018 14:54:04 GMT

I have the same question as Vladislav Nedosekin‌

I have a ClouldGuard Cluster but had lots of problems when fail-over takes place, and it happens occasionally. Every few days/weeks randomly, fail-over takes place with no good reason out of the blue, and most of the time the whole API call process does not complete smooth, until manually using cluster_XL down/up command.

We decided to shutdown manually the secondary node for a while (we are few months in this state), and since then we have a stable environment, except one known in advance Microsoft maintenance activity.

I agree about availability-group, but I think we saved lots of money every month since then.

Re: Vsec Cluster in Azure ?? anyone know how to?

Nikhil_Deshmukh — Tue, 22 May 2018 06:51:28 GMT

Hi Edson Adrian Diaz Cuevas‌,

If u are still facing LAN outgoing traffic issue, please check on Network Interface of any LAN VM, the Effective Routes that are active to understand what routes are active.

Validate your HA related configuration is correct. (including API Credentials and Role being provided to respective Resource Group)

[Expert]# python -m json.tool $FWDIR/conf/azure-ha.json

Reconf the same

[Expert]# $FWDIR/scripts/azure_ha_cli.py reconf

Test the same

[Expert]# $FWDIR/scripts/azure_ha_test.py

Work on the errors found with test.

FACT: Highest Priority for User defined routes, the Express Route / On Premise Routes and Lastly System Defined Routes.

Re: Vsec Cluster in Azure ?? anyone know how to?

Gilad_Pomerantz — Tue, 22 May 2018 13:25:05 GMT

Hi,

Thanks for the information, I have already used the script long time ago:

# python -m json.tool $FWDIR/conf/azure-ha.json

And while the results were OK, we found later that the API user credentials where incorrect.

I'll go over the configuration again and see if it is mature enough to be stable as it should be.

Re: Vsec Cluster in Azure ?? anyone know how to?

Edson_Adrian_Di — Tue, 22 May 2018 20:27:22 GMT

Hi Nikhil

Issue was already solved. As kurt explained "

You do not need to define a manual NAT rule to hide behind a specific IP, just auto hide NAT all subnet behind Gateway.

This is not "clear" in the checkpoint Azure documentation.

Regards.

Re: Vsec Cluster in Azure ?? anyone know how to?

Kurt_Abela — Tue, 22 May 2018 21:28:25 GMT

We've had vSec cluster deployed for around 6 months now and I agree with you, there are a lot of issues when it comes to cluster and failover.

Whenever a change related to interfaces, static routes, dynamic routing or route redistribution is made on the gateways, the routing daemon crashes, causing a failover. Unlike on premise, a failover in Azure takes 5-6 minutes due to API calls so this effectively results in 6 minutes of downtime.

As a workaround, we always do a clusterXL_admin down on the standby member to avoid failover. We then perform the necessary changes and re enable cluster on the standby member.

Re: Vsec Cluster in Azure ?? anyone know how to?

PhoneBoy — Wed, 23 May 2018 04:46:14 GMT

Due to the nature of public cloud environments, we are reliant on things like the public cloud APIs to perform cluster failovers.

Obviously we can't control how long it takes for these API calls to complete.

That said, the experience is not currently optimal and we are looking for ways to improve it.

Re: Vsec Cluster in Azure ?? anyone know how to?

Sarath_M — Thu, 30 Aug 2018 06:34:01 GMT

Hi,

@Kurt Abela

What are the internal interfaces need to be set to? sync or cluster + sync.

Both interfaces set to sync.

"You do not need to define a manual NAT rule to hide behind a specific IP, just auto hide NAT all subnet behind Gateway."

I currently have 2 NAT rules in the below manner and failover works(UDR's change) but outgoing traffic still NAT's to GW1-IP.

Please let me know what am i missing?

Re: Vsec Cluster in Azure ?? anyone know how to?

Kurt_Abela — Thu, 30 Aug 2018 06:40:29 GMT

Hi Sarath M‌

External = Sync

Internal = cluster + Sync.

Do not use manual Hide-NAT rules. Use automatic NAT (object NAT) and choose hide behind gateway. This will ensure that during a fail over, traffic is NAT-ted behind the correct active gateway.

Re: Vsec Cluster in Azure ?? anyone know how to?

Sarath_M — Thu, 30 Aug 2018 06:50:43 GMT

Thank you.