Support Center > Search Results > SecureKnowledge Details
Check Point Reference Architecture for Azure Technical Level
Solution

The following article describes a reference architecture of a Check Point Security Gateway protecting assets in an Azure virtual network.

Table of Contents

  • Network Diagram
  • Traffic Flow
  • Management
  • Deployment through the Azure portal
  • Setting up the route tables of the Frontend and Backend gateway subnets
  • Setting up backend subnets and their route tables
  • Setting up routes to the Internal subnets
  • Configuration in SmartDashboard/SmartConsole
    • R80.x
    • R77.30
  • Best Practices
  • Licensing
  • Known Limitations
  • Additional Resources
  • Related solutions
Click Here to Show the Entire Article

Network Diagram


In this architecture the Azure virtual network consists of 4 subnets:

  • A gateway frontend subnet - 10.0.1.0/24
  • A gateway backend subnet - 10.0.2.0/24
  • Two backend subnets:
    • A web tier subnet - 10.0.3.0/24
    • An application tier subnet - 10.0.4.0/24

    This environment consists of 2 separate web applications. Each web application consists of:

    • A separate public IP address through which the web application can be accessed
    • A web server on a web tier subnet - Web1, Web2
    • An application server on an application tier subnet - App1, App2


    The Security Gateway inspects:

    • Traffic arriving from the Internet to each of the web applications
    • Traffic between the web and application tiers
    • Traffic originating from the backend subnets to the Internet


    In addition Security Gateway provides the following services:

    • Performs Network Address Translation (NAT) to hide outgoing connections behind the gateway's address.
    • Provides site to site VPN connectivity to on-premises networks.
    • Provides remote access VPN services to roaming users.


    Public Addresses

    We have allocated 3 public addresses:

    • A public address directly associated with the Security Gateway's external interface. This address can be used to manage the gateway as well as for site to site VPN and remote access VPN.

    • Two public IP addresses (WebApp1, WebApp2), one for each web application. These public addresses are associated with an Azure load balancer.


    Traffic Flow

    FROM TO
    Traffic arriving from the Internet
    • Traffic for WebApp1 is sent to the public IP address allocated for that web application.
    • The Azure load balancer is set up with an inbound NAT rule that forwards all HTTP (port 80) traffic arriving at that public address to the Check Point gateway's external private address (10.0.1.10) on port 8081

    • Traffic for WebApp2 is sent to the public IP address allocated for that web application.
    • The Azure load balancer is set up with an inbound NAT rule that forwards all HTTP (port 80) traffic arriving at that public address to the Check Point gateway's external private address (10.0.1.10) on port 8083


    The Check Point Security Gateway uses NAT to:

    • Forward traffic arriving on TCP port 8081 to Web1 on port 80.
    • Forward traffic arriving on TCP port 8083 to Web2 on port 80.
    Traffic between the web and application tiers This traffic is routed through the Check Point gateway through the use of User Defined Routes (UDR). For more information on UDR, see the User Defined Routes and IP Forwarding article.
    Traffic from the backend subnets to the Internet

    This traffic is routed through the Check Point gateway through the use of User Defined Routes (UDR). The Gateway uses NAT to hide this type of traffic behind its external private address (10.0.1.10). As the traffic leaves the virtual network, Azure replaces this private address with the gateway's public address.

    Site-to-site VPN

    Encrypted IPsec traffic is sent to the gateway's public IP address. The gateway decrypts the traffic and sends it into the virtual network. Outgoing traffic that needs to be encrypted is routed to the Check Point gateway through the use of User Defined Routes (UDR). The gateway encrypts this traffic and sends it over a site to site VPN tunnel to a Check Point gateway on the perimeter of the on-premises network.

    Remote access traffic

    Remote access users connect to the Security Gateway using its public IP address. The gateway decrypts the traffic and sends it into the virtual network. Returning packets are routed back to the gateway through the use of User Defined Routes (UDR).

     

    Management

    The Security Gateway can be managed in several ways including:

    • A standalone configuration in which the gateway acts as its own management
    • Centrally managed where the management server is located on-premises outside the virtual network
    • Centrally managed where the management server is located in the same virtual network

     

    Deployment through the Azure portal

    To deploy this solution through the Azure portal use Standard Azure or Azure US Government.

    Notes:

    • This template can create a new virtual network or allow you to deploy into an existing virtual network
    • The template does not create the Web and App subnets - you will need to add these subnets yourself.
    • The template does not deploy any web or application VMs
    • VMs launched in the backend subnets might require Internet access in order to finalize their provisioning. You should launch these VMs only after you have applied NAT hide rules on the gateway to support this type of connectivity.
    • After you deploy the template, the gateway will automatically execute the Check Point First Time Configuration Wizard based on the parameters provided. Once the First Time Configuration Wizard completes, the gateway is expected to reboot
    • By default, every Check Point Security Gateway and Security Management Server's WebUI is accessible from the internet by browsing to http://<virtual-machine-public-IP>.
      Restricting access to the WebUI is possible by configuring a Network Security Group, or by configuring the Check Point Gateway and Management Server settings.

    Setting up the route tables of the Frontend and Backend gateway subnets

    In this section we will ensure that the route tables associated with the gateway frontend and backend subnets are set up correctly.

    You need to follow this section only if you have deployed the gateway into an existing virtual network. If you have opted to let the template create a new virtual network you should skip this step.

    The route table associated with the frontend subnet should consist of the following routes:

    -  name: frontend-local
       address-prefix: frontend-subnet-prefix (e.g. 10.0.1.0/24)
       next-hop-type: Virtual network
    -  name: frontend-to-other-subnets
       address-prefix: Virtual Network address prefix (e.g. 10.0.0.0/16)
       next-hop-type: Virtual Appliance
       next-hop-address: GATEWAY-EXTERNAL-ADDRESS (e.g. 10.0.1.10)
    


    The route table associated with the gateway backend subnet should consist of the following routes:

    -  name: internal-default
       address-prefix: 0.0.0.0/0
       next-hop-type: Virtual Appliance
       next-hop-address: GATEWAY-INTERNAL-ADDRESS (e.g. 10.0.2.10)

     

    Setting up backend subnets and their route tables

    Use the Azure portal or CLI to add backend subnets such as the Web and App subnets to the virtual network.

    For each such backend subnet, create an Azure routing table with the following user defined routes:

    -  name: SUBNET-NAME-local (e.g. web-local)
       address-prefix: SUBNET-PREFIX (e.g. 10.0.3.0/24)
       next-hop-type: Virtual network
    -  name: SUBNET-NAME-to-other-subnets (e.g. web-to-other-subnets)
       address-prefix: Virtual Network address prefix (e.g. 10.0.0.0/16)
       next-hop-type: Virtual Appliance
       next-hop-address: GATEWAY-INTERNAL-ADDRESS (e.g. 10.0.2.10)
    -  name: SUBNET-NAME-default (e.g. web-default)
       address-prefix: 0.0.0.0/0
       next-hop-type: Virtual Appliance
       next-hop-address: GATEWAY-INTERNAL-ADDRESS (e.g. 10.0.2.10)
    

    With reference to the diagram above, here is a routing table that can be used by the Web subnet:



    Associate the newly created routing table with the subnet.

     

    Setting up routes to the Internal subnets

    1. SSH into the gateway and add the following route:

      clish -c 'set static-route VIRTUAL-NETWORK-PREFIX nexthop gateway address ETH1-ROUTER on' -s

      Where:
      • VIRTUAL-NETWORK-PREFIX is the prefix of the entire virtual network (e.g. 10.0.0.0/16)
      • ETH1-ROUTER is the first unicast IP address on the subnet to which eth1 is connected (e.g. 10.0.2.1)

      For example: clish -c 'set static-route 10.0.0.0/16 nexthop gateway address 10.0.2.1 on' -s

      Note: If the virtual network is comprised of several non-contiguous address prefixes, repeat the above for each prefix.

    2. If you have selected sshPublicKey as the authentication method and would like to use the Gaia WebUI, connect to the gateway using SSH and run the following commands:
      clish
      set user admin password
      [enter the password x2]
      save config
      exit
    3. Using the WebUI or SSH, review the configuration of all network interfaces.

     

    Configuration in SmartDashboard/SmartConsole

    For R80.x

    Show / Hide this Section
    1. Connect to the Security Management server with SmartConsole.
      In Stand-Alone configuration, use the following credentials:
      User: admin
      Password: the adminPassword provided to the template

    2. Create an network object representing the VNET:



    3. Create a network group object containing the VNET network:



    4. Create a network object representing the frontend subnet:



    5. Create a network group object containing the Frontend subnet:



    6. Create a “Group with Exclusions…” object to represent all VNET subnets with the exception of the Frontend subnet:



    7. Name the object: VNET-internal
      Use the VNET-group and Frontend-group objects you created above, thus:



    8. Open the gateway object, click on the “Network Management” tab.
      Click on eth0.
      The topology for the first interface (eth0) should be set to External:



    9. Click on eth1
      Select the "This Network (Internal)" option
      Select Specific and choose the "VNET-internal" object:



    10. Create a network object representing the Web tier:



    11. Add Automatic Address Translation (hide)



    12. Create a network object representing the App tier:



    13. Add Automatic Address Translation (hide):



    14. Create a service object for WebApp1 on TCP:
      Protocol Type HTTP , port 8081:



    15. Create a service object for WebApp2 on TCP:
      Protocol HTTP, port 8083:



    16. Create a host object representing Web1:



    17. Create a host object representing Web2:



    18. Create the following NAT rules:

    Note: If the gateway object is configured with a public IP address, create a "host" network object with the gateway's private IP of the frontend subnet and use it in rules 1 and 2 instead of "Azure-gw".

    For R77.30

    Show / Hide this Section
    1. Connect to the Security Management server with SmartDashboard.
      In Stand-Alone configuration, use the following credentials:
      User: admin
      Password: the adminPassword provided to the template

    2. Create an object representing the VNET:



    3. Create a simple group object containing the VNET network:



    4. Create an object representing the frontend subnet:



    5. Create a simple group object containing the Frontend subnet:



    6. Create a group with exclusion object to represent all VNET subnets with the exception of the Frontend subnet:



    7. Name the object: VNET-internal
      Use the VNET-group and Frontend-group objects you created above, thus:



    8. Locate and open the gateway object, click on the Topology tab.
      Click on eth0.
      The topology for the first interface (eth0) should be set to External:



    9. Click on eth1
      Select Internal (leads to the local network)
      Select Specific and choose the VNET-internal object:



    10. Create an object representing the Web tier:



    11. Add Automatic Address Translation (hide)



    12. Create an object representing the App tier:



    13. Add Automatic Address Translation (hide):



    14. Create a service object for WebApp1 on TCP port 8081:



    15. Click Advanced and select Protocol Type HTTP:



    16. Create a service object for WebApp2 on TCP port 8083:



    17. Click Advanced and select Protocol Type HTTP:



    18. Create an object representing Web1:



    19. Create an object representing Web2:



    20. Create the following NAT rules:



      Notes:

      • If the gateway object is configured with a public IP address, create a “host” network object with the gateway’s private IP of the frontend subnet and use it in rules 1 and 2 instead of “Azure-gw”.
      • Rule 1: Forwards all traffic arriving on the gateway on TCP port 8081 to Web1
      • Rule 2: Forwards all traffic arriving on the gateway on TCP port 8083 to Web2
      • Rule 3: Avoids NAT within the Virtual Network
      • Rules 4-5 (Automatic): Hide outgoing traffic originating from the App-Tier
      • Rules 6-7 (Automatic): Hide outgoing traffic originating from the Web-Tier


    21. Set up any additional firewall rules, VPN and remote access configuration. Refer to the Best Practices section.

    22. Install the security policy

    Once the First Time Configuration Wizard completes, the gateway is expected to reboot.

     

    Best Practices: Site-to-Site VPN between Azure Check Point Gateway and Check Point (on-premises) Gateway

    Show / Hide this Section

    Whenever setting up a Site-to-Site VPN between a Check Point (on-premises) Security Gateway and a Check Point Gateway in an Azure cloud, check the following:

    Assuming both gateways are managed by the same (on-premises) Security Management Server:

      1. There should be no need to set up NAT-T in order to make Site-to-Site VPN work in this deployment.

      2. The gateway in Azure cloud is behind Static NAT.
    Procedure
    1. Configure the gateway object representing the Check Point Gateway in Azure cloud, as follows:

      1. In IPv4 Address: Enter the Public IP address of the gateway (this is the Azure public IP that the Check Point Gateway is behind). If the device is a standalone, then use the private IP otherwise internal communication will break.

      2. In IPsec VPN, Link Selection: Select "Always use this IP address" and then "Main address".

    2. The above two settings will ensure that the Security Management and (on-premises) Security Gateways send traffic to the gateway in Azure cloud over its public IP address.

    3. In the Link Selection settings of the same object, under Source IP address settings: Select 'Manual > Selected address from topology table:' and then select the private IP address of the external interface of the Check Point Gateway on the Azure side.


      These settings will ensure that the Gateway in the Azure cloud sends encrypted traffic with the source address set to its private IP address.
      This IP address is then translated by Azure to the public IP address before it reaches the (on-premises) Security Gateway.

      More information about the Azure side:

        • A public IP address in Azure can be either dynamic or static. For the deployment being discussed here, only Static is supported.

        • More importantly, a public IP address in Azure can be associated with one of two objects:

          • A load balancer
          • A network interface

        • Therefore, the gateway's public IP address should be:

          • Static
          • Associated directly with the network interface of the gateway only and not with load balancer.

     

    Licensing

    The Gateway can be licensed in two ways:

    • Bring-Your-Own-License (BYOL)

    • Pay-As-You-Go (PAYG) - The CloudGuard Gateway is pre-licensed. PAYG is only available in Standard Azure and is not available in Azure US Government.

      PAYG is only available in the following list of countries:

      Australia Czech Republic Hungary Malta Romania Taiwan
      Austria Denmark Ireland Netherlands Singapore United Kingdom
      Belgium Estonia Israel New Zealand Slovakia United States
      Bulgaria Finland Italy Norway Slovenia  
      Canada France Latvia Poland Spain  
      Croatia Germany Lithuania Portugal Sweden  
      Cyprus Greece Luxembourg Puerto Rico Switzerland  

     

    Known Limitations

    • QoS is currently not supported
    • VSX is not supported
    • Azure Linux extensions are not supported (including Azure Diagnostics, Custom Script, VM Access, VMSnapshotLinux)
    • Azure Site Recovery (DRaaS) is not supported
    • Azure Disk Encryption is not supported
    • Automatic updates of Azure Linux Agent are disabled and not supported
    • Azure Backup of Virtual Machines is not supported

     

    Additional Resources

     

    For more videos, visit the Check Point Support YouTube channel.

     

    Applies To:
    • This SK replaces sk109693

    Give us Feedback
    Please rate this document
    [1=Worst,5=Best]
    Comment