VSEC - Deployment guide
Hi All, I have a lot of experience deploying Checkpoint HA Clusters in traditional DCs but have recently been tasked with setting up Checkpoint VPN and Checkpoint Firewalls in an Azure environment. Is it similar to running cpconfig, setting up SIC, attaching the license, downloading policy, etc.? If not, is there a guide on how to do this using a Provider-1 environment and then setting up SIC with the Gateways?
Apologies, but I'm totally new to VSEC and wanted a brief explanation of how you do this. From what I see you manage the cluster objects in exactly the same way; can anyone help?
Many Thanks in advance
Alan
Alan,
Please check Deploying a Check Point Cluster in Microsoft Azure for details. I've done quite a few AWS vSEC deployments, but haven't got my hands on Azure yet.
Alan,
You can follow sk110194 to deploy a cluster in Azure.
The very short description:
- Define a vNet.
- Define a Frontend Subnet within the vNet.
- Define a Backend Subnet within the vNet.
- Deploy the CheckPoint vSec Cluster from the marketplace.
- Follow the steps to deploy. This will take about 10 minutes once you complete all the steps.
- Enable vSec on the management server via CLI. The command is: vsec on
- Create a new cluster object in your domain. Use the public IP created for the cluster as the cluster IP.
- Add each object to the cluster.
- Set both interfaces as sync only.
- You will need to create a service principal that has contributor rights.
- Run the command: azure-ha-conf --client-id (the client-id from the service principal) --client-secret (the key created when you created the service principal). This needs to be done on each firewall in the cluster.
- Run the command: $FWDIR/scripts/azure-ha-cli.py reconf. This also needs to be done on each firewall in the cluster.
- Install your vSec license in the domain where you are deploying vSec.
- Attach the license to the CMA.
- Go to the CLI of the management server and change to the domain environment: mdsenv domain-name-here
- Run the command: vsec-central-license
That is the very short version.
Hope that helps.
John,
can you expand on "Set both interfaces as sync only"?
Vladimir,
This is done under Network Management in the cluster object with SmartConsole. So the cluster, for the most part, is created just like any other cluster, except for the interfaces. You have options like Private, Cluster, Sync, and Cluster + Sync. Here we choose Sync, then use Azure route tables to direct traffic to the active firewall's interface. If the firewalls fail over, they will use the Python script to change the route table to point to the active firewall's interface. This used to take up to 3 minutes to complete; however, now I generally see times as quick as less than 1 second.
I hope that better explains.
Thanks.
Still hard to visualize: I am not getting which "both" interfaces you are referring to.
Since you've described FrontEnd and BackEnd vNets, I'd imagine each cluster member should have at least three interfaces, unless you are using Cluster + Sync, in which case it may be two.
I'll probably have to go through deployment myself in order to get a better feel for it.
Regards,
Vladimir
No, each cluster will have two interfaces by default. You will have eth0 and eth1. eth0 will be your frontend interface, which is just what Azure calls it, but it will set your default route to go out this interface. eth1 will be your backend interface. There is no VIP to define. So if your frontend subnet is 10.10.10.0/24, eth0 will get assigned 10.10.10.4 for firewall1 in the cluster and firewall2 will get 10.10.10.5. Your backend subnet must be different from your frontend subnet, so let's give it 10.10.20.0/24. eth1 will get 10.10.20.4 for firewall1 and firewall2 will get 10.10.20.5. There will also be a public IP set as an alias to firewall1 on eth0. You will set a route table to direct traffic from your other subnets to point to the active cluster member's eth1, so let's say 10.10.20.4. If you fail over the firewalls, the Python script on the other firewall will reach out to Azure and change the route table to point to 10.10.20.5. So as you can see there are no cluster interfaces in Azure. You just set both eth0 and eth1 to Sync.
I hope this better describes how it works.
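The failover behaviour described above, as an added illustration that is not part of this thread and not Check Point's azure-ha script: a pure-Python model of the route-table update, using the sample addresses from the post, plus a layout check for the caveat that the backend subnet must differ from the frontend subnet. The route names and the "VnetLocal" next hop are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    name: str
    eth0: str  # frontend address (Azure "frontend" subnet)
    eth1: str  # backend address, used as the route table next hop


def validate_layout(frontend_cidr, backend_cidr, members):
    """Return a list of problems; empty means the layout matches the description above."""
    fe = ipaddress.ip_network(frontend_cidr)
    be = ipaddress.ip_network(backend_cidr)
    problems = []
    if fe.overlaps(be):
        problems.append("frontend and backend subnets must not overlap")
    for m in members:
        if ipaddress.ip_address(m.eth0) not in fe:
            problems.append(f"{m.name}: eth0 {m.eth0} is not in frontend {fe}")
        if ipaddress.ip_address(m.eth1) not in be:
            problems.append(f"{m.name}: eth1 {m.eth1} is not in backend {be}")
    return problems


def failover_routes(routes, new_active, members):
    """Return a copy of the route table in which every route whose next hop was
    a cluster member's eth1 now points at the new active member's eth1.
    Routes with other next hops (for example VnetLocal) are left untouched."""
    member_hops = {m.eth1 for m in members}
    updated = []
    for route in routes:
        if route["next_hop"] in member_hops and route["next_hop"] != new_active.eth1:
            updated.append({**route, "next_hop": new_active.eth1})
        else:
            updated.append(dict(route))
    return updated


# Constructed sample matching the addresses used in the post above.
FW1 = Member("firewall1", "10.10.10.4", "10.10.20.4")
FW2 = Member("firewall2", "10.10.10.5", "10.10.20.5")
SAMPLE_ROUTES = [
    {"name": "default", "prefix": "0.0.0.0/0", "next_hop": "10.10.20.4"},
    {"name": "to-app-subnet", "prefix": "10.10.30.0/24", "next_hop": "10.10.20.4"},
    {"name": "local-vnet", "prefix": "10.10.0.0/16", "next_hop": "VnetLocal"},
]
```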
Many Thanks,
I shall have a look and let you know how I get on.
I'm sure there may be a few more questions due to my lack of knowledge of Azure at the moment, some terminology things like "Define Frontend subnet within vNet": is this done within Azure or on vSEC?
Thanks again in advance!
Alan
Alan,
Both are done in Azure. During the deployment of the firewall cluster you can create both a new vNet (Virtual Network) and the front end and back end subnets.
I hope that helps.
Deploying vSEC fw in Azure
https://community.checkpoint.com/docs/DOC-2650-day-1-03-vsec-training-azure-lab-ptkpdf
https://www.youtube.com/watch?v=nUyTWayUGHk
Deploying vSEC on AWS
https://community.checkpoint.com/docs/DOC-2661-day-2-04-vsec-training-aws-lab-ptkpdf
https://www.youtube.com/watch?v=1h2X_PwVXw0
Hi Alan Camelo,
For starters, you can visit
Microsoft Azure Documentation | Microsoft Docs, then move on to Check Point Reference Architecture for Azure (Single Gateway), then move to the cluster guide, Deploying a Check Point Cluster in Microsoft Azure.
As you move ahead you can refer to many other Related Solutions when you are stuck or can come back to CheckMates.