ID Sharing on AutoScaling
Use case; since the VMSS setup on Azure allow to customers connect the On-Prem to cloud with Native VPN GW or Express Route and redirect the traffic to the VMSS members (Check Point Gateways), like the next diagram.
Now let's work on the need to use Identities on the rules and since this comes from the On-Prem, the identities will be based on AD, there is a good way to achieve this, in Check Point exist the ID-Sharing feature, where an On-Prem Check Point Gateway with connectivity to the AD can grab the Login events on the AD and create the list based on AD groups and share this to another GW, so the other GW don't need to reach the AD.
But this needs to be configured per GW basis, this in autoscaling scenarios need automation, the CME tool that handles the automation of the CG IaaS deployment also have the capability to customize based on scripts that can run on Management side or GW side.
So I created a bash script that allows to enable the identity sharing on each VMSS new deployed GW.
First we need to enable the capability to share identities on the On-Prem GW, this is done on the Gateway object under Identity Awareness menu.
Once we prepare this, we need to set up the CME based on CloudGuard Network for Azure VMSS R80.10 and Higher Administration Guide (This link was edited by Check Point on 19 Dec 2021)
Once all is done, we need to download the bash script and pass it to the management, the script is here Github, you can use curl_cli to do it.
curl_cli -k 'https://raw.githubusercontent.com/christiancastilloporras/Indentity-Sharing-with-CME----Check-Point/master/cme_identitysharing.bash' -O
and give it execution permissions.
Then on the CME need to add this file to the Management, make sure to put the correct path;
autoprov-cfg set management -cs 'path/to/script'
Then on the template need to call the Custom Parameter feature, this feature call the management script and pass params to the script, the script uses 5 parameters, the 1 and 2 are passed by the CME by default each time you call this feature ('add' or 'delete' as $1 and newly deployed GW Name as $2), then the script needs an action this should be "IDSHARING", needs the rulebase to install; this needs to be exactly the name of the Policy Package of the deployed Gateways and exactly the GW name where the VMSS will grab identities; all this will setup the next addition to the CME;
autoprov-cfg set template -tn "name-of-template" -cp 'IDSHARING rulebase gwname'
And now every newly deployed GW will have the identities and we can set up rules for the VMSS based on AD Groups.
Very nice input thx!
I was not aware that Identity Shareing isn't already useable by default for automatic deployed VMSS.
What will happen in the following case when I do not use an onPrem CP for Identity Shareing with the VMSS:
2 VMSS GWs (let us call them A and B) are always deployed and have their own DC to collect AD Idenitites. Something happens, for example very high load on the two GWs A and B and a third GW (C) will be deployed. And with the script it knows now where to get the Identities - good. But however, the load is still there, a fourth GW (D) will be deployed. Will GW C and D also share identities? And what happens the GWs A and B are under so much load that they cannot share the IDs to C and D?
I understand that Gaia Settings like add admin users and routes etc must be configured via script after the deployment. But i miss some automation and simplification in this process for the settings that are already done in the Management for the VMSS Gateways.
Is there somewhere a list available where I can see which features have to be configured via script after the deployment of a GW?
Would it be not easier to "copy" the same configuration in the Managemet of the always on VMSS GWs to newly deployed VMSS?