Can anyone advise how we can build a vSEC CloudGuard using Terraform code?
Something that can map to the original ARM template as attached.
Based on Javier's link https://community.checkpoint.com/docs/DOC-3027
I managed to make some progress:
- bring up 2 vSEC gateways
- apply correct API
- test API
- register to MDM (manual step)
What is missing:
1. cluster VIP integration 'cluster-vip'
2. failover testing
Does anyone have any input?
Thanks for sharing Ranokarno, it looks promising. Feel free to share your code once you feel it is mature through the codepoint ;-) BTW, why didn't you try the VMSS setup directly instead of the cluster one?
My understanding is that VMSS relies on the Azure Load Balancer, which then defeats the purpose of the CloudGuard gateway identifying source/destination rules, especially since we are moving toward Identity Awareness with Azure Datacenter objects.
However, I am interested in how we can automate security gateway registration via the autoprov-cfg script without enabling VMSS.
The Azure LB does not source NAT, so the CG gateways do see the original source addresses.
Thanks for your advice Jonathan, I am currently testing it with dual-instance vSEC gateways and a load balancer.
I think this approach is much better than building a vSEC cluster.
It reduces the overhead of API requests, UDR changes, etc.