- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- Deploying Auto Scaling CloudGuard gateways in Azur...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Deploying Auto Scaling CloudGuard gateways in Azure using VM Scale Sets
Hi everyone,
This is a step by step guide I created on how to deploy CloudGuard (Vsec) virtual gateways in Azure using virtual machine scale sets in Microsoft Azure. Feel free to comment, leave feedback or contact me directly should you have questions.
For the full list of White Papers, go here.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great Work
Does the API need to be assigned the Role of Reader or Contributor?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both actually work, Reader Role is the minimal role for autoprovision to work.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Eugene,
I know that the ARM templates are available for the VM Scale Sets. But, is it possible to deploy the Gateway Scale Sets without the ARM template, say in Terraform? I know that the ARM template accepts parameters if this was done in a different way, is there a bootstrap file or something to pass along when creating the VM?
Thank you,
Oscar
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Oscar,
To my knowledge deploying VMSS can only be done using the ARM templates.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Eugene,
Thank you for your response; I'd love to eventually be able to do this in Terraform as we can pass parameters as well or use a user_data file to bootstrap the VM.
Thank again,
Oscar
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Updated Version 1, with changes
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Changes based on feedback received:
- Exercise 9: "LocalGatewayExternal" dynamic gateway object created applies for for Virtual machine types B2s and above (page 33), otherwise traditional dynamic gateway object "LocalGateway" applies.
Added how to configure "Hide NAT" rule in NAT policy (page 37)
- Exercise 10: Added comment on why auto-scaling of CloudGuard virtual gateways average 7-10 minutes despite tweaks in Azure Auto scaling parameters; Mostly due to First Time Wizard. New CloudGuard deployment templates including Blink in the roadmap (page 40)- Document to be updated as soon as images with improvements released.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Eugene Tcheby . I have what may be a silly question; but must ask. In this deployment where the Gateway is deployed as a Scale Set, what IP address does one use to create new NAT Rules or Policies? The Scale Set has multiple nodes, my understanding they are identical. But how is that tracked from a CheckPoint perspective when it comes to updating NAT Rules and Polices etc?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I found the answer to my own question. It looks like your guide, page 33 talks about a LocalGatewayExternal which handles this if I understand correctly.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Eugene, After I created the rule using dynamic object LocalGatewayExternal, I get bellow error when I try to view Logs. I am using VMSS 2 x D3v2 Gateway.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Omprakash,
Try running this command on any gateway of your scaleset:
# dynamic_object -l
and observe output as shown on page 34.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Eugene, I had tried the same, but sadly ssh connection to gateway not working from management server too. I have created the allow SSH rule (with ssh, icmp services) in Access Control Policy of Gateway (SmartConsole). I have tried with destinations LocalGatewayExternal and also with individual Gateway objects, but no luck.Do we need NSG for fronted subnet? not sure as the rules there are driven by Gateway policy rules itself. Also gateways and management server are in the same frontend subnet. I have followed the document for entire configuration. Everything seems ok, except this final configuration.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I manage to establish SSH connection to Gateway. The dynamic object name on both the gateways is "LocalGateway". Now it works as expected, I tried with HTTP and RDP services.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Eugene, Oscar Medina, creating this same setup with terraform should be a simple as a terraform template including the same load balancer components and the VMSS with the Check Point image. Note that the Check Point management server will be automatically registering the gateways populated by the VMSS so no need to code anything on that side. Let us know if you have issues terraforming this 😉
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks https://community.checkpoint.com/people/jhija3895aba2-c664-3ac5-9425-5b0626caeb0f I ended up using the Azure ARM Templates for our CheckPoint Gateway Scale Sets, but it is awesome to know I can do that, and I should have known that, since it is a matter of picking the image from the gallery and adding the bootstrap script.
I've got similar scenario for our Management Servers which I've deployed in HA mode (primary/secondary). I am using the ARM template and modified it to include adding both nodes into an Availability Set. Do you see anything wrong with doing so? I am just trying to use Azure native capabilities for redundancy...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not at all, any combination of Check Point HA capabilities with the cloud platform native HA is always recommended. Distributing across regions and combining on-prem mgmt. with cloud mgmt are also combinations we see in other organizations.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Javier Hijas . I was thinking it might be helpful to the community if I share the ARM Template that adds the Azure Availability Set. I'll setup a Github repository for it!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Eugene,
This is a very nice exercise that i will like to perform myself.
Although everything looks straightforward i have something to clear out.
Gateways from scale set - how we can ensure that they have the latest hotfix's included as the scaleset scales out? Is this something that concerns only the Cloud Provider, they should offer the latest images?
Thanks a lot again for this exercise which will help me a lot in mastering this solution.
br,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Bogdan,
When defining your scale set configuration and parameters, essentially what happens when scaling out - the additional virtual gateways being deployed are identical to the ones from your default set of Cloudguard virtual gateways. In short, should you update your original virtual gateways with the latest hotfix, auto scaling will inherit the same gateway configuration from your default virtual machines including latest hotfix if already installed
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have followed the guide, but I have problems with the NAT.
However, each gateway performs a Source NAT on the external IP. That means, the internal loadbalancer only gets packets from gateway's external IP.
That generate anti spoofing, when the internal LB / webserver is responding.
[Expert@vsecvmss000000:0]# dynamic_objects -l
object name : LocalGatewayExternal
range 0 : 10.1.0.6 10.1.0.6
object name : LocalGatewayInternal
range 0 : 10.1.50.5 10.1.50.5
Operation completed successfully
[Expert@vsecvmss000000:0]#
Please change the guide for the NAT section. The dynamic object has to be "LocalGatewayInternal".
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Carsten,
Thank you for your feedback, you are absolutely right.I will update the document to reflect the recent improvements. At the time I produced document was we solution template didn't support dynamic object "local Gateway Internal" (because it didn't exist) as translated source in NAT rules. Templates have since been updated to support it. Nevertheless, I will update this document to reflect latest improvements.
We now have official releases of the Virtual Machine Scale Sets admin guide.
URL to latest guide (updated February 11th 2019) ---> https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/html_frameset.htm
See pages 25-26 for inbound NAT rules configuration
Also to have the latest updates on Cloudguard Solutions see SK132552 ---> Check Point CloudGuard / vSEC solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, when we talk about template is it ARM template or we need to create a template to proceed further when we are talking about the autoprov-cfg.
""autoprov-cfg init Azure -mn "CPMgmt" -tn "template_name" ""
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This template object is a Check Point object that is part of autoprovision configuration. This template is a set of configuration for gateways (SIC password, Policy to push, blades to activate etc..). Autoprovision is using a controller (set of credential) to connect to the cloud API, then autoprovision discover new machine tag with Check Point tag and on this tag understand which template to apply..
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Eugene Tcheby What's the best way to make sure that during VMSS deployment, there will be certain static route entries added? Should it be via bootstrap file? Vnet where VMSS is deployed is connected via ExpressRoute and i need to make sure that set of static route entries is in place for new instances of VMSS.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Martin,
by default, the VMSS has one default route, pointing to Internet on eth0.
Eth1 - which is pointing to the backend - has all RfC1918 routes (10/8, 172.16/12, 192.168/16).
Additional setting should be handled with this script: GitHub - CheckPointSW/sddc, I had a similar question in this topic: https://community.checkpoint.com/docs/DOC-3107-custom-script-example-for-autoprovision-of-autoscale-...
Best Regards,
Carsten
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, will look on it.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The command autoprov-cfg -h is not available in R80.30 (management) Azure. If there an equivalent or how that can be enabled?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good question, I would also like to know how you can run autoprov-cfg in R80.30
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You'll need to install it. See the admin guide for more:
CloudGuard Network for Azure VMSS R80.10 and Higher Administration Guide
Specifically sk157492