How to deploy a Check Point Security Gateway with multiple interfaces in Microsoft Azure
Solution

This article has been deprecated because Check Point in Azure now has to be configured in a different way than described below.
Refer to sk109360 - Check Point Reference Architecture for Azure.


This article describes how to deploy a Check Point Security Gateway with multiple interfaces in Microsoft Azure.

The Security Gateway is connected to 3 subnets (1 external and 2 internal), as outlined in the below diagram:

The Security Gateway will be able to:

  • Inspect traffic between internal subnets
  • Inspect traffic between the Internet and servers located in a backend network

 

An alternative solution is to deploy a Check Point Security Gateway with a single interface as described in sk102831.

A Security Gateway with a single network interface:

  • Can only receive traffic destined to it, which it then forwards using NAT (Network Address Translation) or as a proxy.
  • Can inspect traffic arriving from the Internet into your virtual network in Azure.
  • Achieves redundancy by deploying multiple gateways.


Table of Contents:

  • Prerequisites
  • Limitations
  • Conventions used in this document
  • Procedure

 

Prerequisites

  • You should have an Azure subscription. If you do not have one, go to the Microsoft Azure page to obtain one.
  • You need Microsoft Azure Powershell (May 2015 or newer) installed. If Azure Powershell is not installed or set up, refer to How to install and configure Azure PowerShell page.
  • Decide on the Azure location in which you want the Check Point Security Gateway to be deployed.
  • In your Azure subscription, you should have a storage account available in the Location in which you want the Check Point Security Gateway to be running.
  • You should have a basic understanding of Azure, specifically around networking, compute and storage.

 

Limitations

This solution relies on the following networking features introduced recently by Microsoft into Azure:


These features currently have a few limitations you should be aware of, specifically:

  • A virtual machine with multiple interfaces cannot have an instance level IP address (also known as ILPIP or PIP).
  • A virtual machine with multiple interfaces cannot have more than one Virtual IP address (also known as VIP).
  • A virtual machine with multiple interfaces can only be launched from CLI (Powershell) and cannot be launched from the Azure portal.
  • A virtual machine with multiple interfaces cannot be directly based on an Azure marketplace image.

Due to the Azure marketplace limitations, this configuration is only available using the Bring-Your-Own-License scheme.


Additional limitations:

  • Clustering is currently not supported.
  • Site-to-Site VPN is not supported.
  • DNS traffic to the default Azure DNS servers bypasses the Security Gateway. To work around this limitation, set up your virtual network to use external DNS servers.

 

Conventions used in this document

In this solution we assume that a virtual network with 3 subnets is already set up.

The properties of this virtual network are:

Name: MyVNet1

Address Space: 10.0.0.0/16

Location: North Central US

Subnets:
  • Frontend: 10.0.1.0/24
  • Backend2: 10.0.2.0/24
  • Backend3: 10.0.3.0/24


For more information on Virtual Networks in Azure, refer to Tutorial: Create a Cloud-Only Virtual Network in Azure.

Note: The above values are given for demonstration purposes only. You can change them to meet your needs.

 

Procedure

  1. Create an image of the Check Point Security Gateway under your Azure account
  2. Deploy a Virtual Machine based on the image
  3. Set up routes
  4. Configure the Virtual Machine (Security Gateway)

 

Create an image of the Check Point Security Gateway under your Azure account

In this section we will create an image of the Check Point Security Gateway under your Azure account.
This is required as an interim solution because running a virtual machine with multiple interfaces directly from an Azure marketplace image is currently not supported by Microsoft.

If you plan on running multiple Check Point virtual machines in the same location you only need to follow the instructions in this section once.

To achieve this goal, we will:

  • Create a new container under your storage account.

  • Copy the VHD of the Check Point image to this container.

  • Create an Image under your Azure subscription based on the VHD.

Note: it is assumed that you have configured Powershell to use a storage account available in the desired location:

  • Use Get-AzureSubscription to see your current storage account
  • Use Set-AzureSubscription to change your current storage account

 

Open an Azure Powershell console and enter the following commands:

$url = "[Use the URL given in sk110313]"
$subscription = get-AzureSubscription
$storageAccountName = $subscription.CurrentStorageAccountName
$containerName = "checkpoint-sg"
$vhd = "Check-Point-Security-Gateway-BYOL"
$imageName = "Check-Point-Security-Gateway"
# Create a new container to store the VHD of the Check Point image
#
New-AzureStorageContainer $containerName
$storageKey = Get-AzureStorageKey -StorageAccountName $storageAccountName
$destContext = New-AzureStorageContext `
 -StorageAccountName $storageAccountName `
 -StorageAccountKey $storageKey.Primary
# Copy the VHD of the Check Point image to the newly created container in your storage account
#
$blobCopyState = Start-AzureStorageBlobCopy `
 -AbsoluteUri $url `
 -DestContainer $containerName `
 -DestBlob $vhd `
 -DestContext $destContext

$blobCopyState | Get-AzureStorageBlobCopyState -WaitForComplete
# Create the image
#
Add-AzureVMImage `
	-ImageName $imageName `
	-MediaLocation ($blobCopyState.ICloudBlob.Container.Uri.AbsoluteUri + "/" + $vhd) `
	-OS Linux

 

Deploy a virtual machine based on the image

In this section we will run a virtual machine in the virtual network. The machine will be based on the image we created in the previous step. The machine will have 3 interfaces, one interface on each subnet.

Conventions used in this section:

Attribute     Value                                            Comment
Location      North Central US                                 The Azure location the machine will be launched in.
ServiceName   [TBD]                                            The name of the Azure service the machine will be part of. This name needs to be globally unique.
ImageName     Check-Point-Security-Gateway-BYOL-R77.10-44.07   The name given to the image in the previous section.
VMName        CP-SG                                            The name of the virtual machine.
VNetName      MyVNet1                                          The name of the virtual network.
Password      [TBD]                                            The password used to manage the Security Gateway.
InstanceSize  ExtraLarge                                       The instance size used to launch the Security Gateway virtual machine.
IsManagement  True                                             Whether the gateway also acts as a Security Management server.
IsGateway     True                                             Whether the machine acts as a Check Point Security Gateway.


In addition, the machine will be assigned the following addresses:

Subnet and routing table name   Security Gateway IP address
Frontend                        10.0.1.10
Backend2                        10.0.2.10
Backend3                        10.0.3.10

Note: The routing table names need to be unique under your Azure subscription.

# The following default values can be changed to accommodate your needs
#
$Location="North Central US"
$VNetName="MyVNet1"
$FrontendName="Frontend"
$Backend2Name="Backend2"
$Backend3Name="Backend3"
$ImageName="Check-Point-Security-Gateway" # Note: Must match the -ImageName given to Add-AzureVMImage in the previous section
$VMName="SecurityGateway"
$SGName="Allow-Internet-SG" # Note: This Security Group name needs to be unique under your Azure subscription
$InstanceSize="ExtraLarge" # Note: Consult the Azure documentation to see the maximum number of NICs supported by this instance size
$IsManagement=$true # Set this to $false if the machine is not expected to act as a management server
$IsGateway=$true # Set this to $false if the machine is not expected to act as a security gateway


# The following parameters must be set
#
$ServiceName="[TBD]" # Note: The service name needs to be globally unique
$Password="[TBD]"

New-AzureService -ServiceName $ServiceName -Location $Location
$VMConfig = New-AzureVMConfig -Name $VMName -InstanceSize $InstanceSize -ImageName $ImageName
Add-AzureProvisioningConfig -VM $VMConfig -Linux -LinuxUser admin -Password $Password -NoSSHEndpoint
Set-AzureSubnet -VM $VMConfig -SubnetNames $FrontendName
Set-AzureStaticVNetIP -VM $VMConfig -IPAddress "10.0.1.10"
Add-AzureNetworkInterfaceConfig -VM $VMConfig -Name "NIC2" -SubnetName $Backend2Name -StaticVNetIPAddress "10.0.2.10" 
Add-AzureNetworkInterfaceConfig -VM $VMConfig -Name "NIC3" -SubnetName $Backend3Name -StaticVNetIPAddress "10.0.3.10"
Add-AzureEndpoint -Name SSH -Protocol tcp -LocalPort 22 -PublicPort 22 -VM $VMConfig
Add-AzureEndpoint -Name HTTPS -Protocol tcp -LocalPort 443 -PublicPort 443 -VM $VMConfig

If ($IsManagement) {
	# If this Gateway is expected to act as a management server run the following command:
	Add-AzureEndpoint -Name SmartDashboard -Protocol tcp -LocalPort 18190 -PublicPort 18190 -VM $VMConfig
} 
If ($IsGateway -and -not $IsManagement) {
	# If this gateway is managed by an external SmartCenter run the following commands:
	Add-AzureEndpoint -Name Policy -Protocol tcp -LocalPort 18191 -PublicPort 18191 -VM $VMConfig
	Add-AzureEndpoint -Name AMON -Protocol tcp -LocalPort 18192 -PublicPort 18192 -VM $VMConfig
	Add-AzureEndpoint -Name ICA_PUSH -Protocol tcp -LocalPort 18211 -PublicPort 18211 -VM $VMConfig
}

# Launch the Virtual Machine
New-AzureVM -ServiceName $ServiceName -VNetName $VNetName -VMs $VMConfig -WaitForBoot
$VM=Get-AzureVM -ServiceName $ServiceName -Name $VMName
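The endpoints defined above publish SSH, HTTPS and (for a management server) the SmartDashboard port to every Internet source. As an added example that is not part of the original article, the following classic-mode endpoint ACL restricts those management endpoints to a single administrator source range; $AdminSubnet is an assumed placeholder, and $ServiceName, $VMName and $IsManagement are reused from the deployment script above.

```powershell
# Added example: restrict the gateway's management endpoints to an administrator source range.
# Reuses $ServiceName, $VMName and $IsManagement from the deployment script above.
$AdminSubnet = "203.0.113.0/24"   # Assumed placeholder: replace with the public range your administrators use

# Classic endpoint ACL: one Permit rule; any source not matching a Permit rule is denied
$Acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $Acl -Action Permit -RemoteSubnet $AdminSubnet -Order 100 -Description "Admin access only"

# Only the management-plane endpoints are restricted; the Policy/AMON/ICA_PUSH endpoints
# towards an external SmartCenter are left as defined above
$ManagementEndpoints = @("SSH", "HTTPS")
If ($IsManagement) { $ManagementEndpoints += "SmartDashboard" }

$VM = Get-AzureVM -ServiceName $ServiceName -Name $VMName
ForEach ($Name in $ManagementEndpoints) {
    $Ep = Get-AzureEndpoint -VM $VM -Name $Name
    # Re-apply the endpoint with its existing ports and attach the ACL ($Ep.Port is the public port)
    Set-AzureEndpoint -VM $VM -Name $Name -Protocol $Ep.Protocol -LocalPort $Ep.LocalPort -PublicPort $Ep.Port -ACL $Acl | Out-Null
}
$VM | Update-AzureVM

# Verify: each management endpoint should now report one ACL rule
# (assumption: the endpoint's Acl property exposes a Count of its rules)
Get-AzureEndpoint -VM (Get-AzureVM -ServiceName $ServiceName -Name $VMName) |
    Where-Object { $ManagementEndpoints -contains $_.Name } |
    Select-Object Name, Port, @{ Name = "AclRules"; Expression = { If ($_.Acl) { $_.Acl.Count } Else { 0 } } }
```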

 

Set up routes

In this section we will:

  1. Create 3 routing tables.
  2. Associate each routing table with one of the subnets.
  3. Set up routes so that traffic from the backend subnets goes through the Security Gateway.
  4. Set up routes so that traffic arriving on the frontend subnet can be forwarded to the backend servers through the Security Gateway.
  5. Enable IP Forwarding on the Security Gateway network interfaces.

# Set the route table of the Frontend network:
#
$FrontRT = New-AzureRouteTable -Name $FrontendName -Location $Location -Label "FrontendRoutingTable"
Set-AzureRoute -RouteTable $FrontRT -RouteName "Backend2" -AddressPrefix "10.0.2.0/24" -NextHopType "VirtualAppliance" -NextHopIpAddress "10.0.1.10"
Set-AzureRoute -RouteTable $FrontRT -RouteName "Backend3" -AddressPrefix "10.0.3.0/24" -NextHopType "VirtualAppliance" -NextHopIpAddress "10.0.1.10"
Set-AzureSubnetRouteTable -VirtualNetworkName $VNetName -SubnetName $FrontendName -RouteTableName $FrontendName
# Set the route table of the Backend2 network:
#
$Back2RT = New-AzureRouteTable -Name $Backend2Name -Location $Location -Label "Backend2-RoutingTable"
Set-AzureRoute -RouteTable $Back2RT -RouteName FrontendRoute -AddressPrefix 10.0.1.0/24 -NextHopType "VirtualAppliance" -NextHopIpAddress 10.0.2.10
Set-AzureRoute -RouteTable $Back2RT -RouteName Backend3 -AddressPrefix 10.0.3.0/24 -NextHopType "VirtualAppliance" -NextHopIpAddress 10.0.2.10
Set-AzureRoute -RouteTable $Back2RT -RouteName Default -AddressPrefix 0.0.0.0/0 -NextHopType "VirtualAppliance" -NextHopIpAddress 10.0.2.10
Set-AzureSubnetRouteTable -VirtualNetworkName $VNetName -SubnetName $Backend2Name -RouteTableName $Backend2Name
 
# Set the route table of the Backend3 network:
#
$Back3RT = New-AzureRouteTable -Name $Backend3Name -Location $Location -Label "Backend3-RoutingTable"
Set-AzureRoute -RouteTable $Back3RT -RouteName Frontend -AddressPrefix 10.0.1.0/24 -NextHopType VirtualAppliance -NextHopIpAddress 10.0.3.10
Set-AzureRoute -RouteTable $Back3RT -RouteName backend2 -AddressPrefix 10.0.2.0/24 -NextHopType VirtualAppliance -NextHopIpAddress 10.0.3.10
Set-AzureRoute -RouteTable $Back3RT -RouteName default -AddressPrefix 0.0.0.0/0 -NextHopType VirtualAppliance -NextHopIpAddress 10.0.3.10
Set-AzureSubnetRouteTable -VirtualNetworkName $VNetName -SubnetName $Backend3Name -RouteTableName $Backend3Name

# Enable IP Forwarding on the main NIC and secondary NICs:
#
Set-AzureIPForwarding -ServiceName $ServiceName -VM $VM -Enable
Set-AzureIPForwarding -ServiceName $ServiceName -VM $VM -NetworkInterfaceName NIC2 -Enable
Set-AzureIPForwarding -ServiceName $ServiceName -VM $VM -NetworkInterfaceName NIC3 -Enable
# Allow Internet traffic to the backend networks:
# This NSG rule permits all inbound traffic; the route tables above send that traffic
# through the Security Gateway, which is where the actual policy is enforced.
#
$SG = New-AzureNetworkSecurityGroup -Name $SGName -Location $Location
Set-AzureNetworkSecurityRule -NetworkSecurityGroup $SG `
	-Name AllowInternet -Type Inbound -Priority 100 -Action Allow `
	-SourceAddressPrefix * -SourcePortRange * `
	-DestinationAddressPrefix * -DestinationPortRange * -Protocol *
Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $VNetName -SubnetName $Backend2Name -Name $SGName
Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $VNetName -SubnetName $Backend3Name -Name $SGName
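A route with the wrong next hop, a table that was created but never associated with its subnet, or a NIC with IP forwarding still disabled all silently send traffic around the gateway instead of through it, so the result is worth checking. The following check is an added example, not from the original article; it reuses the variables defined above and assumes the Routes/NextHop property names of the classic Azure PowerShell route table object and the "Enabled"/"Disabled" string returned by Get-AzureIPForwarding.

```powershell
# Added example: confirm that each subnet's route table steers traffic through the Security Gateway
# interface on that subnet and that IP forwarding is enabled on every NIC.
# Reuses $VNetName, $FrontendName, $Backend2Name, $Backend3Name, $ServiceName and $VMName from above.
$Expected = @{
    $FrontendName = @{ NextHop = "10.0.1.10"; Prefixes = @("10.0.2.0/24", "10.0.3.0/24") }
    $Backend2Name = @{ NextHop = "10.0.2.10"; Prefixes = @("10.0.1.0/24", "10.0.3.0/24", "0.0.0.0/0") }
    $Backend3Name = @{ NextHop = "10.0.3.10"; Prefixes = @("10.0.1.0/24", "10.0.2.0/24", "0.0.0.0/0") }
}
$Problems = @()
ForEach ($Subnet in $Expected.Keys) {
    # The table must be associated with the subnet, not merely exist
    $Assoc = Get-AzureSubnetRouteTable -VirtualNetworkName $VNetName -SubnetName $Subnet
    If (-not $Assoc -or $Assoc.Name -ne $Subnet) { $Problems += "${Subnet}: route table not associated with the subnet" }
    # Assumption: Get-AzureRouteTable -Detailed exposes Routes with AddressPrefix and NextHop.Type/IpAddress
    $Routes = (Get-AzureRouteTable -Name $Subnet -Detailed).Routes
    ForEach ($Prefix in $Expected[$Subnet].Prefixes) {
        $Route = $Routes | Where-Object { $_.AddressPrefix -eq $Prefix }
        If (-not $Route) { $Problems += "${Subnet}: no route for $Prefix"; Continue }
        If ($Route.NextHop.Type -ne "VirtualAppliance" -or $Route.NextHop.IpAddress -ne $Expected[$Subnet].NextHop) {
            $Problems += "${Subnet}: $Prefix does not use gateway interface $($Expected[$Subnet].NextHop) as next hop"
        }
    }
}
# Azure drops packets forwarded by a NIC whose IP forwarding is off, so check the primary NIC and NIC2/NIC3
$VM = Get-AzureVM -ServiceName $ServiceName -Name $VMName
ForEach ($Nic in @($null, "NIC2", "NIC3")) {
    $Params = @{ ServiceName = $ServiceName; VM = $VM }
    If ($Nic) { $Params.NetworkInterfaceName = $Nic }
    # Assumption: Get-AzureIPForwarding returns the string "Enabled" or "Disabled"
    If ((Get-AzureIPForwarding @Params) -ne "Enabled") {
        $Problems += "IP forwarding is not enabled on " + $(If ($Nic) { $Nic } Else { "the primary NIC" })
    }
}
If ($Problems) { $Problems | ForEach-Object { Write-Warning $_ } } Else { Write-Output "Route tables and IP forwarding match the expected configuration." }
```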

 

Configure the Virtual Machine (Security Gateway)

Follow the standard procedure to set up and configure the Security Gateway.
Specifically:

  • Connect to the Security Gateway over SSH or HTTPS using the Virtual IP address (VIP) allocated by Azure.
  • Only the main interface (eth0) will be set. You need to use the Gaia CLI (CLISH) or WebUI to enable and set up the other network interfaces.
  • Use the Gaia WebUI or CLI (config_system) to complete the setup of the Security Gateway.
