Eugene_Tcheby
Employee Alumnus

Deploying Auto Scaling CloudGuard gateways in Azure using VM Scale Sets

Hi everyone,

This is a step-by-step guide I created on how to deploy CloudGuard (vSEC) virtual gateways in Azure using virtual machine scale sets in Microsoft Azure. Feel free to comment, leave feedback or contact me directly should you have questions.
For the full list of White Papers, go here

31 Replies
Nikhil_Deshmukh
Contributor

Great work!

Does the API need to be assigned the Role of Reader or Contributor?

Eugene_Tcheby
Employee Alumnus

Both actually work; the Reader role is the minimal role for autoprovision to work.

Oscar_Medina1
Contributor

Hi Eugene,

I know that the ARM templates are available for the VM Scale Sets. But is it possible to deploy the Gateway Scale Sets without the ARM template, say in Terraform? I know that the ARM template accepts parameters; if this was done in a different way, is there a bootstrap file or something to pass along when creating the VM?

Thank you,
Oscar

Eugene_Tcheby
Employee Alumnus

Hi Oscar,

To my knowledge, deploying VMSS can only be done using the ARM templates.

Oscar_Medina1
Contributor

Hey Eugene,

Thank you for your response; I'd love to eventually be able to do this in Terraform as we can pass parameters as well or use a user_data file to bootstrap the VM.

Thanks again,
Oscar

Eugene_Tcheby
Employee Alumnus

Updated Version 1, with changes.

Eugene_Tcheby
Employee Alumnus

Changes based on feedback received:

- Exercise 9: The "LocalGatewayExternal" dynamic gateway object created applies for virtual machine types B2s and above (page 33); otherwise the traditional dynamic gateway object "LocalGateway" applies. Added how to configure the "Hide NAT" rule in the NAT policy (page 37).

- Exercise 10: Added a comment on why auto-scaling of CloudGuard virtual gateways averages 7-10 minutes despite tweaks in the Azure auto-scaling parameters (mostly due to the First Time Wizard). New CloudGuard deployment templates including Blink are in the roadmap (page 40); the document will be updated as soon as images with the improvements are released.

Oscar_Medina1
Contributor

Thanks Eugene Tcheby. I have what may be a silly question, but I must ask. In this deployment where the gateway is deployed as a Scale Set, what IP address does one use to create new NAT rules or policies? The Scale Set has multiple nodes; my understanding is that they are identical. But how is that tracked from a Check Point perspective when it comes to updating NAT rules and policies, etc.?

Oscar_Medina1
Contributor

I think I found the answer to my own question. It looks like page 33 of your guide talks about a LocalGatewayExternal object which handles this, if I understand correctly.

Omprakash_Kesar
Participant

Hi Eugene. After I created the rule using the dynamic object LocalGatewayExternal, I get the below error when I try to view logs. I am using VMSS with 2 x D3v2 gateways.

Eugene_Tcheby
Employee Alumnus

Hi Omprakash,

Try running this command on any gateway of your scale set:

# dynamic_objects -l

and observe the output as shown on page 34.

Omprakash_Kesar
Participant

Hi Eugene, I had tried the same, but sadly the SSH connection to the gateway is not working from the management server either. I have created the allow SSH rule (with ssh and icmp services) in the Access Control Policy of the gateway (SmartConsole). I have tried with destinations LocalGatewayExternal and also with individual gateway objects, but no luck. Do we need an NSG for the frontend subnet? Not sure, as the rules there are driven by the gateway policy rules themselves. Also, the gateways and the management server are in the same frontend subnet. I have followed the document for the entire configuration. Everything seems OK, except this final configuration.

Omprakash_Kesar
Participant

I managed to establish an SSH connection to the gateway. The dynamic object name on both gateways is "LocalGateway". Now it works as expected; I tried with HTTP and RDP services.

Javier_Hijas
Employee Alumnus

Eugene, Oscar Medina, creating this same setup with Terraform should be as simple as a Terraform template including the same load balancer components and the VMSS with the Check Point image. Note that the Check Point management server will automatically register the gateways populated by the VMSS, so there is no need to code anything on that side. Let us know if you have issues terraforming this 😉

Oscar_Medina1
Contributor

Thanks https://community.checkpoint.com/people/jhija3895aba2-c664-3ac5-9425-5b0626caeb0f. I ended up using the Azure ARM templates for our Check Point Gateway Scale Sets, but it is awesome to know I can do that, and I should have known that, since it is a matter of picking the image from the gallery and adding the bootstrap script.

I've got a similar scenario for our management servers, which I've deployed in HA mode (primary/secondary). I am using the ARM template and modified it to include adding both nodes into an Availability Set. Do you see anything wrong with doing so? I am just trying to use Azure native capabilities for redundancy...

Javier_Hijas
Employee Alumnus

Not at all; any combination of Check Point HA capabilities with the cloud platform's native HA is always recommended. Distributing across regions and combining on-prem management with cloud management are also combinations we see in other organizations.

Oscar_Medina1
Contributor

Thanks Javier Hijas. I was thinking it might be helpful to the community if I share the ARM template that adds the Azure Availability Set. I'll set up a GitHub repository for it!

Bogdan_Florin_D
Explorer

Hi Eugene,

This is a very nice exercise that I would like to perform myself.

Although everything looks straightforward, I have something to clear up.

Gateways from the scale set: how can we ensure that they have the latest hotfixes included as the scale set scales out? Is this something that concerns only the cloud provider, i.e. they should offer the latest images?

Thanks a lot again for this exercise, which will help me a lot in mastering this solution.

BR,

Eugene_Tcheby
Employee Alumnus

Hi Bogdan,

When defining your scale set configuration and parameters, essentially what happens when scaling out is that the additional virtual gateways being deployed are identical to the ones from your default set of CloudGuard virtual gateways. In short, should you update your original virtual gateways with the latest hotfix, auto scaling will inherit the same gateway configuration from your default virtual machines, including the latest hotfix if it is already installed.

Carsten_R
Contributor

Hi,

I have followed the guide, but I have problems with the NAT.

However, each gateway performs a source NAT on the external IP. That means the internal load balancer only gets packets from the gateway's external IP.

That generates anti-spoofing drops when the internal LB / web server is responding.

[Expert@vsecvmss000000:0]# dynamic_objects -l

object name : LocalGatewayExternal
range 0 : 10.1.0.6               10.1.0.6

object name : LocalGatewayInternal
range 0 : 10.1.50.5              10.1.50.5

Operation completed successfully
[Expert@vsecvmss000000:0]#

Please change the guide for the NAT section. The dynamic object has to be "LocalGatewayInternal".
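As an added example (not from the guide or from Check Point), a small Python parser for the `dynamic_objects -l` output quoted above, plus two checks: whether the objects the NAT section relies on exist at all, and which object's address sits in the backend subnet (assumed here to be 10.1.50.0/24, matching the sample range) and is therefore the right one to hide behind.

```python
import ipaddress
import re

# Constructed sample: the `dynamic_objects -l` output quoted in the post above.
# The addresses are that post's example values, not from a live deployment.
SAMPLE_OUTPUT = """\
object name : LocalGatewayExternal
range 0 : 10.1.0.6               10.1.0.6

object name : LocalGatewayInternal
range 0 : 10.1.50.5              10.1.50.5

Operation completed successfully
"""

_NAME_RE = re.compile(r"^object name\s*:\s*(\S+)")
_RANGE_RE = re.compile(r"^range\s+\d+\s*:\s*(\S+)\s+(\S+)")

def parse_dynamic_objects(text):
    """Map each dynamic object name to its list of (first_ip, last_ip) ranges."""
    objects = {}
    current = None
    for line in text.splitlines():
        m = _NAME_RE.match(line)
        if m:
            current = m.group(1)
            objects.setdefault(current, [])
            continue
        m = _RANGE_RE.match(line)
        if m and current is not None:
            objects[current].append((ipaddress.ip_address(m.group(1)),
                                     ipaddress.ip_address(m.group(2))))
    return objects

def missing_objects(objects, expected=("LocalGatewayExternal", "LocalGatewayInternal")):
    """Objects the NAT setup relies on that this gateway does not define
    (older templates exposed only a single "LocalGateway" object)."""
    return [name for name in expected if name not in objects]

def hide_nat_object(objects, backend_subnet):
    """Pick the object whose address lies in the backend (eth1) subnet given by
    the caller. Hiding behind it keeps the source seen by the internal load
    balancer inside the backend network, so replies pass anti-spoofing."""
    net = ipaddress.ip_network(backend_subnet)
    for name, ranges in objects.items():
        if ranges and all(lo in net and hi in net for lo, hi in ranges):
            return name
    return None
```

Run it against the output captured from each gateway in the scale set; an empty `missing_objects` result and `LocalGatewayInternal` from `hide_nat_object` confirm the NAT rule can use the internal object.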

Eugene_Tcheby
Employee Alumnus

Hi Carsten,

Thank you for your feedback; you are absolutely right. I will update the document to reflect the recent improvements. At the time I produced the document, the solution template didn't support the dynamic object "LocalGatewayInternal" (because it didn't exist) as the translated source in NAT rules. Templates have since been updated to support it. Nevertheless, I will update this document to reflect the latest improvements.

We now have official releases of the Virtual Machine Scale Sets admin guide.

URL to the latest guide (updated February 11th 2019) ---> https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/html_frameset.htm

See pages 25-26 for the inbound NAT rules configuration.

Also, to have the latest updates on CloudGuard solutions, see SK132552 ---> Check Point CloudGuard / vSEC solutions

ASHUTO_CHAUHAN
Participant

Hi, when we talk about the template, is it the ARM template, or do we need to create a template to proceed further when we are talking about autoprov-cfg?

autoprov-cfg init Azure -mn "CPMgmt" -tn "template_name"

Julien_Moreau
Employee Alumnus

This template object is a Check Point object that is part of the autoprovision configuration. The template is a set of configuration for gateways (SIC password, policy to push, blades to activate, etc.). Autoprovision uses a controller (a set of credentials) to connect to the cloud API; autoprovision then discovers new machines tagged with the Check Point tag and, from this tag, understands which template to apply.

Martin_Valenta
Advisor

Eugene Tcheby, what's the best way to make sure that during VMSS deployment certain static route entries are added? Should it be via a bootstrap file? The VNet where the VMSS is deployed is connected via ExpressRoute, and I need to make sure that a set of static route entries is in place for new instances of the VMSS.

Carsten_R
Contributor

Hi Martin,

By default, the VMSS has one default route, pointing to the Internet on eth0.

Eth1, which is pointing to the backend, has all RFC 1918 routes (10/8, 172.16/12, 192.168/16).

Additional settings should be handled with this script: GitHub - CheckPointSW/sddc. I had a similar question in this topic: https://community.checkpoint.com/docs/DOC-3107-custom-script-example-for-autoprovision-of-autoscale-...

Best Regards,

Carsten

Martin_Valenta
Advisor

Thanks, will look into it.

Edgar_Lun_Pum
Participant

The command autoprov-cfg -h is not available in R80.30 (management) on Azure. Is there an equivalent, or how can that be enabled?
RPdeBeer
Participant

Good question, I would also like to know how you can run autoprov-cfg in R80.30
