The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
Check Point Reference Architecture for Azure
CloudGuard for Azure
R77.30, R80.10, R80.20, R80.30, R80.40
Platform / Model
The following article describes a reference architecture of a Check Point Security Gateway protecting assets in an Azure virtual network.
Table of Contents
Deployment through the Azure portal
Setting up the route tables of the Frontend and Backend gateway subnets
Setting up backend subnets and their route tables
Setting up routes to the Internal subnets
Configuration in SmartDashboard/SmartConsole
Click Here to Show the Entire Article
In this architecture the Azure virtual network consists of 4 subnets:
A gateway frontend subnet - 10.0.1.0/24
A gateway backend subnet - 10.0.2.0/24
Two backend subnets:
A web tier subnet - 10.0.3.0/24
An application tier subnet - 10.0.4.0/24
This environment consists of 2 separate web applications. Each web application consists of:
A separate public IP address through which the web application can be accessed
A web server on a web tier subnet - Web1, Web2
An application server on an application tier subnet - App1, App2
The Security Gateway inspects:
Traffic arriving from the Internet to each of the web applications
Traffic between the web and application tiers
Traffic originating from the backend subnets to the Internet
In addition Security Gateway provides the following services:
Performs Network Address Translation (NAT) to hide outgoing connections behind the gateway's address.
Provides site to site VPN connectivity to on-premises networks.
Provides remote access VPN services to roaming users.
We have allocated 3 public addresses:
A public address directly associated with the Security Gateway's external interface. This address can be used to manage the gateway as well as for site to site VPN and remote access VPN.
Two public IP addresses (WebApp1, WebApp2), one for each web application. These public addresses are associated with an Azure load balancer.
Traffic arriving from the Internet
Traffic for WebApp1 is sent to the public IP address allocated for that web application.
The Azure load balancer is set up with an inbound NAT rule that forwards all HTTP (port 80) traffic arriving at that public address to the Check Point gateway's external private address (10.0.1.10) on port 8081
Traffic for WebApp2 is sent to the public IP address allocated for that web application.
The Azure load balancer is set up with an inbound NAT rule that forwards all HTTP (port 80) traffic arriving at that public address to the Check Point gateway's external private address (10.0.1.10) on port 8083
The Check Point Security Gateway uses NAT to:
Forward traffic arriving on TCP port 8081 to Web1 on port 80.
Forward traffic arriving on TCP port 8083 to Web2 on port 80.
This traffic is routed through the Check Point gateway through the use of User Defined Routes (UDR). The Gateway uses NAT to hide this type of traffic behind its external private address (10.0.1.10). As the traffic leaves the virtual network, Azure replaces this private address with the gateway's public address.
Encrypted IPsec traffic is sent to the gateway's public IP address. The gateway decrypts the traffic and sends it into the virtual network. Outgoing traffic that needs to be encrypted is routed to the Check Point gateway through the use of User Defined Routes (UDR). The gateway encrypts this traffic and sends it over a site to site VPN tunnel to a Check Point gateway on the perimeter of the on-premises network.
Remote access traffic
Remote access users connect to the Security Gateway using its public IP address. The gateway decrypts the traffic and sends it into the virtual network. Returning packets are routed back to the gateway through the use of User Defined Routes (UDR).
The Security Gateway can be managed in several ways including:
A standalone configuration in which the gateway acts as its own management
Centrally managed where the management server is located on-premises outside the virtual network
Centrally managed where the management server is located in the same virtual network
This template can create a new virtual network or allow you to deploy into an existing virtual network
The template does not create the Web and App subnets - you will need to add these subnets yourself.
The template does not deploy any web or application VMs
VMs launched in the backend subnets might require Internet access in order to finalize their provisioning. You should launch these VMs only after you have applied NAT hide rules on the gateway to support this type of connectivity.
After you deploy the template, the gateway will automatically execute the Check Point First Time Configuration Wizard based on the parameters provided. Once the First Time Configuration Wizard completes, the gateway is expected to reboot
By default, every Check Point Security Gateway and Security Management Server's WebUI is accessible from the internet by browsing to http://<virtual-machine-public-IP>. Restricting access to the WebUI is possible by configuring a Network Security Group, or by configuring the Check Point Gateway and Management Server settings.
Setting up the route tables of the Frontend and Backend gateway subnets
In this section we will ensure that the route tables associated with the gateway frontend and backend subnets are set up correctly.
You need to follow this section only if you have deployed the gateway into an existing virtual network. If you have opted to let the template create a new virtual network you should skip this step.
The route table associated with the frontend subnet should consist of the following routes:
Connect to the Security Management server with SmartConsole. In Stand-Alone configuration, use the following credentials: User: admin Password: the adminPassword provided to the template
Create an network object representing the VNET:
Create a network group object containing the VNET network:
Create a network object representing the frontend subnet:
Create a network group object containing the Frontend subnet:
Create a “Group with Exclusions…” object to represent all VNET subnets with the exception of the Frontend subnet:
Name the object: VNET-internal Use the VNET-group and Frontend-group objects you created above, thus:
Open the gateway object, click on the “Network Management” tab. Click on eth0. The topology for the first interface (eth0) should be set to External:
Click on eth1 Select the "This Network (Internal)" option Select Specific and choose the "VNET-internal" object:
Create a network object representing the Web tier:
Add Automatic Address Translation (hide)
Create a network object representing the App tier:
Add Automatic Address Translation (hide):
Create a service object for WebApp1 on TCP: Protocol Type HTTP , port 8081:
Create a service object for WebApp2 on TCP: Protocol HTTP, port 8083:
Create a host object representing Web1:
Create a host object representing Web2:
Create the following NAT rules:
Note: If the gateway object is configured with a public IP address, create a "host" network object with the gateway's private IP of the frontend subnet and use it in rules 1 and 2 instead of "Azure-gw".
Whenever setting up a Site-to-Site VPN between a Check Point (on-premises) Security Gateway and a Check Point Gateway in an Azure cloud, check the following:
Assuming both gateways are managed by the same (on-premises) Security Management Server:
There should be no need to set up NAT-T in order to make Site-to-Site VPN work in this deployment. IKEv2 is not recommended, as there are issues (related with gateway behind NAT in cloud) for this deployment.
The gateway in Azure cloud is behind Static NAT.
Configure the gateway object representing the Check Point Gateway in Azure cloud, as follows:
In IPv4 Address: Enter the Public IP address of the gateway (this is the Azure public IP that the Check Point Gateway is behind). If the device is a standalone, then use the private IP otherwise internal communication will break.
In IPsec VPN, Link Selection: Select "Always use this IP address" and then "Main address".
The above two settings will ensure that the Security Management and (on-premises) Security Gateways send traffic to the gateway in Azure cloud over its public IP address.
In the Link Selection settings of the same object, under Source IP address settings: Select 'Manual > Selected address from topology table:' and then select the private IP address of the external interface of the Check Point Gateway on the Azure side.
These settings will ensure that the Gateway in the Azure cloud sends encrypted traffic with the source address set to its private IP address. This IP address is then translated by Azure to the public IP address before it reaches the (on-premises) Security Gateway.
More information about the Azure side:
A public IP address in Azure can be either dynamic or static. For the deployment being discussed here, only Static is supported.
More importantly, a public IP address in Azure can be associated with one of two objects:
A load balancer
A network interface
Therefore, the gateway's public IP address should be:
Associated directly with the network interface of the gateway only and not with load balancer.
The Gateway can be licensed in two ways:
Pay-As-You-Go (PAYG) - The CloudGuard Gateway is pre-licensed. PAYG is only available in Standard Azure and is not available in Azure US Government.
PAYG is only available in the following list of countries:
QoS is currently not supported
VSX is not supported
Azure Linux extensions are not supported (including Azure Diagnostics, Custom Script, VM Access, VMSnapshotLinux)
Azure Site Recovery (DRaaS) is not supported
Azure Disk Encryption is not supported
Automatic updates of Azure Linux Agent are disabled and not supported