How to deploy a Check Point Security Gateway with a single interface in Microsoft Azure
Solution

This article has been deprecated because Check Point in Azure now has to be configured in a different way than described below.
Refer to sk109360 - Check Point Reference Architecture for Azure.


This article provides instructions on how to deploy Check Point Security Gateways with a single interface in Microsoft Azure.

The Check Point solution is offered through the Azure marketplace in two licensing models:

Bring Your Own License (BYOL)

This licensing model requires you to bring an Open Server license. The advantage of this model is that it allows you to select which software blades you want to use in the Microsoft Azure environment. The image comes with a 15-day evaluation license.


Pay As You Go (PAYG)

In this model the image supports the following software blades:

  • Firewall
  • IPS
  • VPN
  • Mobile Access Blade
  • Identity Awareness
  • Anti-Bot
  • Anti-Virus
  • Application Control / URL filtering

This image can be self-managed (i.e. Standalone) or centrally managed from your on-premises Security Management server. Using this image, you are also entitled to support. In this model, you pay an hourly fee based on the amount of time you have been using the image.


Creating a Microsoft Azure High Availability setup containing two Check Point Security Gateways

The solution contains:

  • Two Check Point Security Gateways
  • External Load Balancer
  • Internal Load Balancer
  • Web servers

    Note: ClusterXL is not used in this setup.

Before you start:

  • You should have an Azure subscription. If you do not have one, go to the Microsoft Azure page to obtain one.
  • You need the Azure PowerShell Windows PowerShell extensions, which can be downloaded from the Microsoft Azure Downloads page.

To provide fault tolerance, we will deploy the gateways in a Microsoft Azure availability set in a cloud service.
For a discussion of Azure availability sets, see the Manage the availability of virtual machines Microsoft page.

To manage the gateways, each of them will be allocated its own Instance-Level Public IP address (PIP).
In addition, we will set up an Azure Load Balancer with its own Virtual IP address (VIP) to provide access to our web application.
The Microsoft Azure Load Balancer will balance the incoming traffic between the Check Point gateways and will steer traffic away from a gateway that has failed or is taken down for maintenance.
Finally, to ensure that the gateways' internal IP addresses are not reassigned by Azure, we will set the gateways to use Static Internal IP addresses (DIP).

For more information, see:


Note: an alternative solution is to deploy a Check Point Security Gateway with multiple interfaces as described in sk106144.

A Security Gateway with multiple network interfaces:

  • Can act as a router between subnets.
  • Can inspect traffic arriving from the Internet into your virtual network in Azure, as well as traffic between subnets inside your virtual network.
  • In this deployment, redundancy is limited.


Procedure

Table of Contents

  • I. Create a Microsoft Azure Virtual Network
  • II. Create a Microsoft Azure cloud service
  • III. Launch two Check Point Security Gateways
  • IV. Finalize the gateways' configuration
  • V. Set up the gateway Security Policy on the Management side
  • VI. Configure the Azure Load Balancer
  • Forwarding traffic to Internal servers


I. Create a Microsoft Azure Virtual Network

  1. In the Azure portal, go to: NETWORK SERVICES > VIRTUAL NETWORK > CUSTOM CREATE

  2. Choose a Name (e.g. AppNet) and a Location (e.g. West US):

  3. Set up DNS if needed.

  4. Modify the subnet settings if needed.

II. Create a Microsoft Azure cloud service

  1. Create an Azure cloud service. We will use this cloud service later as a container for the availability set containing the gateways.

    From: New -> COMPUTE -> CLOUD SERVICE -> CUSTOM CREATE

  2. Enter URL (e.g. CheckPointGateways) and REGION (e.g. West US):

III. Launch two Check Point Security Gateways

  1. Go to the Azure marketplace and locate the Check Point Virtual Appliance.

  2. Click Create.

  3. Enter Host Name (e.g. CheckPointGW1).

  4. Enter User Name (e.g. notused)
    Note: the user name you enter here will be ignored. The credentials you supply will be associated with the user admin.

  5. Enter SSH Public Key.

  6. Select Pricing Tier (optional)

  7. Click OPTIONAL CONFIGURATION > Availability Set and create one.

  8. Click OPTIONAL CONFIGURATION > Network > Virtual Network > Use an existing virtual network and select the network you created previously:

  9. Click OPTIONAL CONFIGURATION > Network > IP ADDRESS

    For Valid IP address assignment select RESERVED
    For Instance IP address select ON
    For Use Static IP Address select STATIC
    For IP Address, enter an IP address from the Subnet CIDR block (e.g. 10.0.0.4)

  10. Launch the VM and repeat these steps to create a second gateway.
    Make sure you use the same Pricing Tier and Availability Set.


IV. Finalize the gateways' configuration

Note: It may take several minutes for the gateway to be fully provisioned.

  1. Use an SSH client to log in to the gateways as user ‘admin’. The gateway's IP address and host name can be found in the Azure portal.

    You should be able to verify the gateway’s SSH fingerprint through the Azure portal

  2. Set up an administrator password by entering:

    [Expert@CheckPointGW1:0]# clish
    CheckPointGW1> set user admin password
    New password: *******
    Verify new password: *******
    CheckPointGW1> save config
    CheckPointGW1> exit

  3. Use a browser to log in to: https://<gateways-host-name>

    To verify the gateway’s self-signed SSL certificate fingerprint, run the following command on the gateway:

    [Expert@CheckPointGW1:0]# cpopenssl x509 -in /web/conf/server.crt -fingerprint -noout

  4. With a browser, complete the first-time wizard. Click Next.

  5. Click Next

  6. Leave default values and click Next:

  7. Change the DNS settings or leave defaults and click Next 

  8. Set up NTP (recommended) or leave defaults. Click Next

  9. Leave defaults (Security Gateway or Security Management) and click Next

  10. Select which products you want installed (Security Gateway, Security Management or both). Make sure not to check "Unit is part of a cluster". Click Next.

  11. Leave defaults (No) and click Next

  12. Select a strong random string as an activation key and click Next. We will use it later to establish trust between the gateway and the Security Management.

  13. Click Finish

  14. The gateway will reboot.

  15. Repeat the above steps for the second gateway.
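Step 3 above tells you to read the certificate fingerprint with cpopenssl on the gateway; the script below is the client-side half of that check, added here as an example (it is not part of the original article). It connects to the gateway over HTTPS, reads the certificate that is actually presented, and compares its fingerprint with the value you copied from the gateway, refusing the connection on a mismatch. The host name and fingerprint at the bottom are placeholders.

```powershell
# Added example, not part of the original sk article. Host name and fingerprint
# at the bottom are placeholders to be replaced with the values from the Azure
# portal and from the cpopenssl output on the gateway.
function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # The gateway certificate is self-signed, so normal chain validation fails.
    # The callback accepts it only so that it can be read; trust is decided
    # afterwards by comparing its fingerprint with the out-of-band value.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Test-GatewayCertFingerprint {
    param([string]$HostName, [string]$ExpectedFingerprint)
    # cpopenssl prints e.g. "SHA1 Fingerprint=AB:CD:..."; keep only the hex digits
    $expected = ($ExpectedFingerprint -replace '^.*=', '' -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-PresentedCertificate -HostName $HostName
    if ($expected.Length -eq 64) {
        # 64 hex digits means a SHA-256 fingerprint (cpopenssl ... -sha256): hash the DER bytes
        $sha256 = [System.Security.Cryptography.SHA256]::Create()
        $presented = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
    } else {
        $presented = $cert.Thumbprint   # SHA-1 (cpopenssl's default), upper-case hex, no separators
    }
    if ($presented -eq $expected) {
        Write-Host "OK: $HostName presents the expected certificate ($presented)"
        return $true
    }
    Write-Warning "MISMATCH for ${HostName}: expected $expected, presented $presented. Do not log in."
    return $false
}

# Placeholder values (not real): the gateway host name shown in the Azure portal and
# the fingerprint line copied from cpopenssl on that gateway.
Test-GatewayCertFingerprint -HostName "<gateways-host-name>" `
    -ExpectedFingerprint "SHA1 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"
```

Run it from the workstation you will use for the first-time wizard, before entering the admin password in the browser.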


V. Set up the gateway Security Policy on the Management side

  1. Using the SmartDashboard, create a new Check Point Security Gateway object:

  2. Under Static IP address, enter the gateway’s public IP address.

  3. Under One-time password enter the activation key you selected in the first time wizard.  

  4. Go to the gateway's Topology tab and click GET.

  5. Since the gateway has a single interface, disable Anti-Spoofing. 

  6. Configure the Security policy and install it on both gateways. 


VI. Configure the Azure Load Balancer

Create a load-balanced endpoint for each service you want to offer over the Internet:

  1. In the Azure portal, click the first gateway.

  2. Go to EndPoints and click Add

  3. Select ADD A STAND-ALONE ENDPOINT

  4. Define: NAME, PROTOCOL, PUBLIC PORT and PRIVATE PORT.
    Select the CREATE A LOAD-BALANCED SET checkbox

  5. Fill in the load-balanced set parameters:

  6. In the Azure portal, go to the second Check Point gateway

  7. Go to EndPoints and click Add

  8. Select the ADD AN ENDPOINT TO AN EXISTING LOAD-BALANCED SET checkbox.
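The same load-balanced set can be created, and its membership checked, with the classic Azure PowerShell cmdlets listed under "Before you start". This is an added example and not code from the original article; the cloud service name, VM names, set name and probe settings are assumptions taken from the page's own examples.

```powershell
# Added example (not from the original sk article). Assumes the classic (Service
# Management) Azure PowerShell module and a session already opened with
# Add-AzureAccount / Select-AzureSubscription.
$serviceName = "CheckPointGateways"                 # cloud service from section II (assumed)
$gateways    = @("CheckPointGW1", "CheckPointGW2")  # VM names from section III (assumed)
$lbSetName   = "WebLB"                              # assumed load-balanced set name

# Add the HTTP endpoint to each gateway and put it in the same load-balanced set.
# The TCP probe is what lets the load balancer steer traffic away from a gateway
# that has failed or is taken down for maintenance (see the overview above).
foreach ($gw in $gateways) {
    Get-AzureVM -ServiceName $serviceName -Name $gw |
        Add-AzureEndpoint -Name "HTTP" -Protocol tcp -LocalPort 80 -PublicPort 80 `
            -LBSetName $lbSetName -ProbeProtocol tcp -ProbePort 80 |
        Update-AzureVM
}

# Verify: every gateway should show an endpoint that belongs to the set.
foreach ($gw in $gateways) {
    $members = Get-AzureVM -ServiceName $serviceName -Name $gw |
        Get-AzureEndpoint |
        Where-Object { $_.LBSetName -eq $lbSetName }
    if (-not $members) {
        Write-Warning "$gw has no endpoint in load-balanced set $lbSetName"
    } else {
        $members | Select-Object @{ n = "VM"; e = { $gw } }, Name, Protocol, Port, LocalPort, ProbePort
    }
}
```

The Security Policy installed on the gateways must also accept the probe connections on the private port (Azure health probes originate from the platform address 168.63.129.16); if the probe is dropped, the load balancer marks both gateways as unhealthy and the VIP stops answering.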

Forwarding traffic to Internal servers

There are several options for forwarding traffic to Internal servers:

  • Direct Forward to a single server
  • Using Check Point’s Logical Server feature
  • Using Azure’s Internal Load Balancers


Direct forward to a single server

  1. Create a simple Host Node object to represent your Internal server:

  2. Create simple Host Node objects to represent the private IP addresses of the two gateways:

  3. Create appropriate NAT Hide rules to forward incoming HTTP (or any other service) traffic to the internal server:

    Note: Use the All_Internet pre-defined address range in the Source column in order to avoid a policy verification error.

  4. Install the Security Policy 


Forward using a Logical Server

Create a simple group containing all of your internal web servers; you can name it “web_servers”.

  1. For each of your gateways, create a logical server object:

  2. In the IPv4 Address field, enter the internal IP address of your first gateway.
    In the Servers group, select the simple group you created above.

  3. Create a similar logical server object called “Internal_web2” that uses your second gateway's IP address and the same server group as before.

  4. In the Security Policy create the following rules: 

  5. Install the Security Policy. 


Forward Using Azure Internal Load Balancers

Traffic could be forwarded to an Azure Internal Load Balancer. Please refer to http://azure.microsoft.com/blog/2014/05/20/internal-load-balancing/

This solution is about products that are no longer supported, and it will not be updated.
