Cloud Guard Azure Appliances & Express Route Guidance
Hi all. I am helping a customer on their journey migrating to Microsoft Azure. They currently are using (2) CloudGuard Network Security appliances in Azure in an HA pair with an S2S VPN configuration connecting to on-premises Check Point NGFW 6400s. We're starting the process of identifying an ExpressRoute service provider, and will eventually be looking to go through the process of configuring the Azure ExpressRoute from their on-premises data center to Azure using the Check Point devices. I'm reaching out to see if there is any guidance or knowledge base on how to properly set this up with these devices. I did some searching and wasn't able to find anything.
Any guidance, input, or help would be greatly appreciated. Thanks!
Labels: Routing, Site to Site VPN
Hi,
There is no official guide for this, but with ExpressRoute you will connect the customer's Azure environment via ExpressRoute directly to his on-premises gateways on a new interface, and then you can use static routes or BGP, which is the preferred way, to route the networks between them. The Azure cluster is not needed in this configuration, and you will just need to route the traffic coming from on-premises to the cluster using Azure UDRs.
Hi @Nir_Shamir. Thanks for your reply. This makes sense. They currently have an S2S VPN tunnel between on-premises and Azure. They are terminating their VPN directly on the Check Point appliances in Azure and are not using the Azure VPN Gateway to connect. As you stated, they will need to send all traffic from the on-premises Check Point firewalls to an ExpressRoute Virtual Network Gateway, and then route that traffic from the GatewaySubnet to the Check Point virtual appliances in Azure using UDRs.
Do you see any issues with the S2S VPN and ExpressRoute co-existing in this configuration?
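The GatewaySubnet-to-cluster routing described in the two posts above, written out as Azure CLI. This is an added example, not code from the thread or from Check Point: the resource group, VNet and subnet names, the 10.10.0.0/16 and 192.168.0.0/16 prefixes, and the next-hop address 10.0.1.4 (the cluster's internal VIP or internal load-balancer frontend, depending on how the CloudGuard HA pair was deployed) are all assumptions. The script only calls `az` when `APPLY=1` is set; the prefix guard runs regardless.

```shell
#!/bin/sh
# Added example (not from the thread): UDRs that send ExpressRoute traffic through the
# CloudGuard cluster instead of straight between GatewaySubnet and the workload subnets.
# Every name and address below is an assumption; override them via the environment.
set -eu

RG="${RG:-rg-hub}"                                  # assumed resource group
LOC="${LOC:-eastus}"                                # assumed region
VNET="${VNET:-vnet-hub}"                            # assumed hub VNet (GatewaySubnet + cluster)
CP_INTERNAL_IP="${CP_INTERNAL_IP:-10.0.1.4}"        # assumed cluster internal next hop (VIP / ILB)
SPOKE_PREFIX="${SPOKE_PREFIX:-10.10.0.0/16}"        # assumed Azure workload range
ONPREM_PREFIX="${ONPREM_PREFIX:-192.168.0.0/16}"    # assumed on-premises range behind the 6400s
WORKLOAD_SUBNET="${WORKLOAD_SUBNET:-snet-app}"      # assumed workload subnet in the hub VNet

# Azure does not support a default route (0.0.0.0/0) in a route table attached to
# GatewaySubnet, and the gateway stops working if one is applied. Accept only a
# specific CIDR prefix: returns 0 for an acceptable prefix, 1 otherwise.
gateway_subnet_route_ok() {
  case "$1" in
    0.0.0.0/0) return 1 ;;   # would black-hole the gateway subnet
    */*)       return 0 ;;   # looks like a CIDR prefix
    *)         return 1 ;;   # not CIDR at all
  esac
}

apply_udrs() {
  gateway_subnet_route_ok "$SPOKE_PREFIX" || {
    echo "refusing: $SPOKE_PREFIX is not a valid GatewaySubnet route" >&2
    return 1
  }

  # 1. GatewaySubnet: traffic arriving from on-premises over ExpressRoute for the
  #    workload range is handed to the cluster, not delivered directly.
  az network route-table create -g "$RG" -n rt-gatewaysubnet -l "$LOC" --output none
  az network route-table route create -g "$RG" --route-table-name rt-gatewaysubnet \
    -n to-workloads --address-prefix "$SPOKE_PREFIX" \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$CP_INTERNAL_IP" --output none
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
    --route-table rt-gatewaysubnet --output none

  # 2. Workload subnet: return traffic to on-premises also goes via the cluster. BGP route
  #    propagation is disabled so the on-premises prefixes learned through the ExpressRoute
  #    gateway cannot create a more specific system route that bypasses the firewall.
  az network route-table create -g "$RG" -n rt-workloads -l "$LOC" \
    --disable-bgp-route-propagation true --output none
  az network route-table route create -g "$RG" --route-table-name rt-workloads \
    -n to-onprem --address-prefix "$ONPREM_PREFIX" \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$CP_INTERNAL_IP" --output none
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$WORKLOAD_SUBNET" \
    --route-table rt-workloads --output none
}

# Only talk to Azure when explicitly asked, so the file is safe to source or dry-run.
if [ "${APPLY:-0}" = "1" ]; then
  apply_udrs
fi
```

Run it as `APPLY=1 sh udr.sh` once the ExpressRoute gateway is in place. Do not attach the `to-onprem` route to the subnet that holds the cluster's internal interface: the cluster must reach on-premises through the VNet's own gateway route, otherwise the packet loops back to the appliance. The cluster also needs its own static route for the on-premises prefix via the internal subnet's default gateway (in Gaia clish, assuming 10.0.1.1 is that gateway: `set static-route 192.168.0.0/16 nexthop gateway address 10.0.1.1 on`), and the S2S VPN handling that prefix has to be removed or re-routed first, as Nir describes below.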
If the VPN is Domain-Based, then it will take precedence over the routing. You will need to remove the VPN configuration on both sides before moving to the ExpressRoute.
If it's route-based (VTI), then we can play with the routing.
Thanks Nir! I'm not familiar with the Check Points. Is there a straightforward way to see if the VPN is Domain- or VTI-based? I was looking at this article - https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VP... but wasn't sure if there is a sure-fire way to know or not. I'll have to ask the customer to check.
Accepted Solution:
If it's route-based, you will have, under the networking topology of the GW/Cluster object in SmartConsole, interfaces with names like vpntX.
Also, if you have access to the Gaia WebUI, you will see under Interfaces interface names like vpntX.
If you don't see them, it's Domain-Based.
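The same check from the gateway's command line, for someone with expert-mode access, as an added example that is not part of the thread: it classifies the VPN by the presence of vpntN interfaces and then lists the routes that point into a VTI, which are the ones that have to be reworked when ExpressRoute takes over. The interface and route listings it parses are constructed samples (an assumption of what a two-VTI gateway looks like); `LIVE=1` runs the same checks against the real `ip` output instead.

```shell
#!/bin/sh
# Added example (not from the thread): route-based vs. domain-based check for a Gaia gateway.
set -eu

# Constructed sample of `ip -o link show` on a gateway with two VTIs (assumption, not real output).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
10: vpnt10@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1436 qdisc noqueue state UNKNOWN
11: vpnt11@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1436 qdisc noqueue state UNKNOWN'

# Constructed sample of `ip route` on the same gateway (assumption).
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.4
10.10.0.0/16 dev vpnt10 scope link
192.168.0.0/16 via 169.254.10.2 dev vpnt11'

# Reads `ip -o link show` output on stdin. Any vpntN interface means a VTI exists, which is
# what a route-based VPN is; with a domain-based VPN there is no such interface.
classify_vpn() {
  if grep -Eq '^[0-9]+: vpnt[0-9]+' ; then
    echo route-based
  else
    echo domain-based
  fi
}

# Reads `ip route` output on stdin and prints only the routes that use a VTI. These are the
# routes to move to the ExpressRoute path (or withdraw) before the tunnel is retired.
vti_routes() {
  grep -E 'dev vpnt[0-9]+' || true
}

if [ "${LIVE:-0}" = "1" ]; then
  # Expert mode on the gateway: use the real tables.
  ip -o link show | classify_vpn
  ip route | vti_routes
else
  printf '%s\n' "$SAMPLE_LINKS" | classify_vpn
  printf '%s\n' "$SAMPLE_ROUTES" | vti_routes
fi
```

On a cluster, run it on both members; in clish, `show interfaces` lists the same vpnt interfaces without leaving the restricted shell.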
Thanks Nir! Appreciate the quick responses.