Hi guys,
I am looking for a solution to implement Active-Active (Load Sharing) ClusterXL in Azure, but didn't find any templates. Does Check Point vSEC in Azure not support this by design, or what changes would it require to support this config?
Thanks!
VMSS is typically the approach used for this in Azure, please see:
https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm
Thanks @PhoneBoy, @Chris_Atkinson for your responses.
I am running a POC to implement VMSS in Azure to utilize both gateways.
I believe, because of the dynamic nature of the gateways being scaled out/in, we can't use the traditional gateway object in the policy rule cells (Source, Destination, Install On).
Refer to the attachment for reference on the existing policy.
Can you help me with which object I should use in the standard policy for firewall management, the stealth rule, and MTA-specific rules? Is it the dynamic "LocalGateway" object?
Also, how do we manipulate the gateway-specific settings for the VMSS gateways that we used to set via the SMS by editing the GW object properties, like enabling MTA, configuring HTTPS Inspection, etc.? I mean, do we need to change these properties manually for all the gateways being spun up during a scale-out event? Or is there a setting approach in the auto-provisioning config files to handle this?
Regards,
Abhishek
It's not a good idea to use the actual firewall object in your policy. That's because if Azure scales up or down (and especially down), the objects are no longer valid.
What I did (after setting the Min/Max/Def to 2/2/2) was create secondary FW objects and put those into the policy. The manager complains on every push or FW modification because of duplicate objects. But it works.
If you have to host inbound traffic, you should be looking at those setup steps now too. It's an utter pain in the rear.
Probably the coolest thing I've seen is autoprovisioning doing its thing. Azure adds a firewall and autoprovisioning does the rest. Which is super cool, but I lost 2/3rds of the hair on my head getting it all going.
I still need to figure out how to modify autoprovisioning so that it will deploy all of our machine-level settings (TZ/passwords/routes/usernames/etc.).
Also, you don't need to define a gateway to "install on". That's done in your autoprov script and is taken care of for you automagically.
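The point made in the reply above (per-instance gateway objects vanish on scale-in, so rule cells should carry a dynamic object or the default install target instead) can be checked mechanically. The following is an added example, not code from the thread or from Check Point: a small lint over a constructed rule export that flags every reference to a per-instance gateway object, and a simulated scale-in that shows those references turning stale. The rule set, the `vmss-fw-` naming prefix, the host object name and the assumption that the dynamic object is called `LocalGatewayExternal` are all illustrative; "Policy Targets" is the default Install On value in SmartConsole.

```python
"""Lint a policy export for references to per-instance VMSS gateway objects.

Added example for illustration only; the rules and object names below are
constructed and do not come from any real policy export.
"""
from dataclasses import dataclass

GATEWAY_CELLS = ("source", "destination", "install_on")
PLACEHOLDERS = {"Any", "Policy Targets"}  # cells that name no specific gateway


@dataclass(frozen=True)
class Rule:
    name: str
    source: tuple
    destination: tuple
    install_on: tuple


def check_rules(rules, live_instances, dynamic_object, instance_prefix="vmss-fw-"):
    """Classify every gateway reference found in the rule cells.

    Returns (stale, fragile):
      stale   - references to instance objects that no longer exist (scaled in)
      fragile - references to instance objects that exist now but will break
                on the next scale-in
    Each entry is (rule name, cell, object name, suggested replacement).
    Objects named by ``instance_prefix`` are assumed to be the per-instance
    gateway objects that autoprovisioning creates (assumption for this example).
    """
    stale, fragile = [], []
    for rule in rules:
        for cell in GATEWAY_CELLS:
            for obj in getattr(rule, cell):
                if obj in PLACEHOLDERS or obj == dynamic_object:
                    continue  # nothing instance-specific here
                if not obj.startswith(instance_prefix):
                    continue  # host/network object, not a gateway instance
                # Install On cannot hold a dynamic object; fall back to the default target.
                suggestion = "Policy Targets" if cell == "install_on" else dynamic_object
                entry = (rule.name, cell, obj, suggestion)
                (fragile if obj in live_instances else stale).append(entry)
    return stale, fragile


def scale_in(live_instances, removed):
    """Mimic Azure removing an instance; its SMS object disappears with it."""
    return frozenset(live_instances) - {removed}


# Constructed policy: the first two rules pin per-instance objects, the third
# is written the way the reply above recommends.
SAMPLE_RULES = (
    Rule("Stealth", ("Any",), ("vmss-fw-0", "vmss-fw-1"), ("vmss-fw-0", "vmss-fw-1")),
    Rule("MTA inbound", ("Any",), ("vmss-fw-0", "vmss-fw-1"), ("Policy Targets",)),
    Rule("Mgmt to GW", ("mgmt-server",), ("LocalGatewayExternal",), ("Policy Targets",)),
)


def demo():
    """Run the lint before and after a scale-in of one instance."""
    live = frozenset({"vmss-fw-0", "vmss-fw-1"})
    before = check_rules(SAMPLE_RULES, live, "LocalGatewayExternal")
    after = check_rules(SAMPLE_RULES, scale_in(live, "vmss-fw-1"), "LocalGatewayExternal")
    return before, after


if __name__ == "__main__":
    (stale0, fragile0), (stale1, fragile1) = demo()
    print(f"before scale-in: {len(stale0)} stale, {len(fragile0)} fragile references")
    print(f"after scale-in:  {len(stale1)} stale, {len(fragile1)} fragile references")
    for rule, cell, obj, fix in stale1:
        print(f"  rule '{rule}', cell {cell}: '{obj}' is gone; use '{fix}'")
```

Only the "Mgmt to GW" rule survives the simulated scale-in untouched; every cell that named `vmss-fw-1` becomes a dangling reference, which is the failure mode the reply describes when the manager objects are deleted with the instance.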
@Tommy_Forrest - so you created the secondary gateway objects after spinning up the firewalls from autoprovisioning...
Did you face any issue with using the dynamic object "LocalGatewayExternal" in policy rules as source/destination?
About inbound traffic, we have the use case of using the Check Point gateway as an MTA; do you have any experience in this regard? Hence the second part of my query: how do we manipulate the gateway objects' global properties (blades, HTTPS Inspection, MTA, etc.) in gateways being spun up by the VMSS autoprovisioning template?
@PhoneBoy, can you please guide me here with any official recommendation(s)? Or maybe tag some more folks who have prior experience with VMSS deployments.
Thanks @PhoneBoy. Do we have control over adding specific routes or enabling MTA settings with custom specs? Maybe in the autoprovisioning file, or some sort of script.
Thanks @PhoneBoy for sharing the details. However, I don't see any Management API command to manipulate the MTA config (adding a mail domain, next hop). Refer to the attachment - desired setting for MTA.
Also, now I am a bit confused between the CME (Cloud Management Extension) and the Autoprovision Add-On. There is a latest update on 23-Sep-2019 to the official Check Point VMSS deployment guide, and it talks about using the CME.
The CME has a limitation of not working in parallel with the Autoprovision Add-On. Please refer to the attachment -
https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm
Do we have any guidelines on which of these two should be used and is recommended, and what the advantages/disadvantages of each are (CME vs. Autoprovision Add-On)?