topic Cloud Guard Azure Appliances & Express Route Guidance in Cloud Firewall

Cloud Guard Azure Appliances & Express Route Guidance

mr87 — Wed, 31 Aug 2022 00:55:29 GMT

Hi all. I am helping a customer on their journey migrating to Microsoft Azure. They currently are using (2) Cloud Guard Network Security appliances in Azure in a HA pair with a S2S VPN configuration connecting to on-premise Checkpoint NGFW 6400s. We're starting the process to identifying a ExpressRoute service provider, and will eventually be looking to go through the process of configuring the Azure ExpressRoute from their on-premise data center to Azure using the Check Point devices. I'm reaching out to see if there was any guidance or knowledge base to properly set this up with these devices. I did some searching and wasn't able to find anything.

Any guidance, input, or help would be greatly appreciated. Thanks!

Re: Cloud Guard Azure Appliances & Express Route Guidance

Nir_Shamir — Thu, 01 Sep 2022 05:23:39 GMT

Hi,

There is no official guide for this but with ExpressRoute you will connect the customer's Azure environment via ExpressRoute directly do his On-Premise Gateways on a new interface and then you can use Static-routes or BGP , which is the preferred way, to route the networks between them . the Azure Cluster is not needed in this configuration and you will just need to route the traffic coming from On-Premise to the Cluster using Azure UDRs.

Re: Cloud Guard Azure Appliances & Express Route Guidance

mr87 — Thu, 01 Sep 2022 11:16:38 GMT

Hi @Nir_Shamir. Thanks for your reply. This makes sense. They currently have a S2S VPN tunnel between on-premise and Azure. They are terminating their VPN directly on the Check Point appliances in Azure and are not using the Azure VPN Gateway to connect. As you stated, they will need to send all traffic from the on-premise Check Point firewalls to an ExpressRoute Virtual Network Gateway, and then route that traffic from the GatewaySubnet to the Check Point virtual appliances in Azure using UDRs.

Do you see any issues with the S2S VPN and ExpressRoute co-existing in this configuration?

Re: Cloud Guard Azure Appliances & Express Route Guidance

Nir_Shamir — Thu, 01 Sep 2022 11:37:41 GMT

If the VPN is Domain-Based then it will take precedence over the Routing. you will need to remove the VPN configuration on both sides before moving to the ExpressRoute.

If it's route-based (VTI) then we can play with the routing.

Re: Cloud Guard Azure Appliances & Express Route Guidance

mr87 — Thu, 01 Sep 2022 11:51:45 GMT

Thanks Nir! I'm not familiar with the Check Points. Is there a straight forward way to see if the VPN is Domain or VTI based? I was looking at this article - https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/Domain-Based-VPN.htm?tocpath=Domain%20Based%20VPN%7C_____0#Domain_Based_VPN but wasn't sure if there is a sure fire way to know or not. I'll have to ask the customer to check.

Re: Cloud Guard Azure Appliances & Express Route Guidance

Nir_Shamir — Thu, 01 Sep 2022 12:17:24 GMT

if it's route-based you will have under the networking topology of the GW/Cluster object in SmartConsole interfaces with names like vpntX.

also , if you have access to the GAIA WEBUI you will see under the interfaces , interfaces names like vpntX.

If you don't see them them it's Domain-Based.

Re: Cloud Guard Azure Appliances & Express Route Guidance

mr87 — Thu, 01 Sep 2022 12:20:07 GMT

Thanks Nir! Appreciate the quick responses.