The Zone (e.g., us-central-1a), into which the CloudGuard IaaS Security Gateway is going to be deployed.
The Machine type (e.g., n1-standard-2).
The Network (e.g., web-application-network) and Subnetwork (e.g., security), into which to deploy the solution.
GCP firewall rules: Which protocols to allow in the GCP Network (VPC).
The type of External IP address (e.g. Static) of the primary network interface of the instance.
The Installation Type from the following list:
Gateway and Management (Standalone).
Select the number of network interfaces under the Additional Network Interfaces section. Note: You should select networks and sub-networks for all network interfaces even if they are not used. The unused network interfaces will be ignored and will not be deployed.
Once the instance starts, it will set itself up automatically based on the installation type you have selected.
The use of the Manual configuration installation type is discouraged as it will require you to manually perform additional steps, such as:
Set up Google Compute Engine firewall rules.
Run the first time wizard manually.
Tag the instance.
Advanced deployment options:
In addition to the above, you have the option of setting up the following advanced options:
The type of disk used by the Check Point instance
At least 100 GB
See Comment #1
Automatically generate an administrator password
See Comment #2
Allow download from/upload to Check Point
Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point.
Select the administrator default shell
Public SSH key for the user 'admin'
See Comment #3
An empty string, or at least 8 alphanumeric characters
See Comment #4
Allowed GUI clients
See Comment #5
The network, in which the managed Security Gateways reside
When installing a Security Management Server, this password could be used to connect to the Security Management Server using SmartConsole GUI clients.
Note this password will not work over SSH, as SSH password authentication is disabled by default.
By default, the instance will trust all instance level and project level public keys as explained here: https://cloud.google.com/compute/docs/instances/connecting-to-instance. To lock down access to the instance even further, you can enter here a specific SSH public key. If one is given, only the owner of the corresponding private key would be able to connect over SSH to the instance.
The Secure Internal Communication (SIC) Activation key needed to establish trust between the CloudGuard IaaS Security Gateway and its Security Management Server. If not provided and needed, then a key will be automatically generated.
Only used in Gateway and Management (Standalone) and Management only installations. Access to the Security Management Server over SSH, HTTPS and SmartConsole GUI clients would only be allowed from this address range.
Only used in Management only installations. Communication from gateways to this Management Server will only be allowed from this address range.
By default, every Check Point Security Gateway and Security Management Server's WebUI is accessible from the internet by browsing to http://<virtual-machine-public-ip>. Restricting access to the WebUI is possible by configuring a Firewall Rule, or by configuring the Check Point Gateway and Management Server settings.
Additional network interfaces: Google Compute Engine supports instances with multiple network interfaces, for more information how to configure CloudGuard for GCP with multiple interfaces refer to: sk121637
Click Deploy to start the deployment process. The deployment time will depend on installation type and is expected to complete in less than 10 minutes.
If a public address was not allocated, then the deployment will complete once the instance has started. Note that in such a case, you should wait a few more minutes until the first time wizard completes.
If a public address was allocated, then the deployment will be pending until the first time wizard has completed running, and the product is ready for use.
Once completed, you should be presented with a page similar to this:
Note that some variations on the below are possible depending on the deployment options you have selected.
The page will contain the following items:
External IP address
The CloudGuard IaaS instance public address.
Will only be presented, if External IP address of the primary (first) network interface was set to Static or Ephemeral.
Additional external IP addresses
List of additional external IP addresses.
Will only be presented if any of the additional External IP addresses was set to Static or Ephemeral.
A link to the instance in the Google Compute Engine console.
The zone, in which the instance was deployed.
Instance machine type
The instance machine type.
Use this username to connect to the instance using SSH and the Web portal. Also, if this instance acts as a Security Management Server, then use this username to connect using the SmartConsole GUI clients.
Admin password (Temporary)
An automatically randomly generated password.
Use this password to connect to the instance's web portal. Also, if this instance acts as a Security Management Server, then use this password to connect using the SmartConsole GUI clients. Note that this password will not work over SSH, as SSH password authentication is disabled by default. This field will only be presented, if Automatically generate an administrator password was selected. We recommend that you change this password. To change or set the SmartConsole GUI clients login password, connect over SSH to the instance and run the 'cpconfig' command. To change or set the Gaia Portal login password, connect over SSH to the instance and run the 'set user admin ...' Gaia Clish command.
Secure Internal Communication (SIC) one time secret
The one-time SIC key used to establish trust between the CloudGuard IaaS Security Gateway and its Security Management Server. Will only be presented, if this Security Gateway is managed by an external Security Management Server.
In addition to the Check Point instance, this template will perform the following:
Allocate a public address and associate it with the instance (unless None was requested).
Create the following Google Compute Engine firewall rules for each configured network interface:
For a Gateway only, or a Gateway and Management (Standalone) deployment:
A permissive Google Compute Engine firewall rule allowing all traffic. The rationale for this is that the instance already enforces a Check Point security policy, and there is no need for a second security mechanism.
For a Management only deployment:
A rule allowing connections from the Check Point CloudGuard IaaS Security Gateways to the Security Management Server.
A rule allowing connections over SSH / HTTPS, with SmartConsole GUI clients to the Security Management Server.
For a Manual configuration deployment, no firewall rules would be created.
Tag the instance:
For a Gateway only installation type, the following tag would be added:
For a Management only installation type, the following tag would be added:
For a Gateway and Management (Standalone) installation type, the following tags would be added:
You can connect to the Gaia Portal over HTTPS using a web browser.
The username is 'admin'.
If you have selected Automatically generate an administrator password, then use the Admin password (Temporary) shown at the end of the deployment.
If you have not selected Automatically generate an administrator password, then first you will need to connect over SSH to the machine and set the user 'admin' password.
When you connect to the Gaia Portal, you will be presented with an SSL warning similar to the following:
Your connection is not private NET::CERT_AUTHORITY_INVALID
This is due to the fact that the certificate presented by the Gaia Portal is self-signed.
You can validate the certificate by comparing its fingerprint to the fingerprint of the certificate found on the CloudGuard IaaS Gateway. To retrieve the CloudGuard IaaS Gateway's certificate fingerprint, connect to the CloudGuard IaaS Gateway over SSH and run the following command: [Expert@HostName:0]# cpopenssl x509 -in /web/conf/server.crt -fingerprint
Alternatively, you can install your own SSL certificate. Refer to the following articles:
If you have selected Automatically generate an administrator password, then use the Admin password (Temporary) shown at the end of the deployment.
If you have not selected Automatically generate an administrator password, then first you will need to connect over SSH to the machine and set the Security Management password (run the 'cpconfig' command and select the relevant option).
(6) Connecting the CloudGuard IaaS Security Gateway to its Management Server
CHECK_POINT_ADDRESS with the private IP address of the Check Point CloudGuard IaaS Security Gateway.
The first route will be applied to the Check Point CloudGuard IaaS Security Gateway because it has the checkpoint-gateway tag and because its priority value (100) has a higher precedence over the priority value of the second route (500).
The second route will be applied to all other instances sending their Internet bound traffic to the CloudGuard IaaS Security Gateway.
Note that by default, Google Compute Engine creates a default route with a priority value of 1000. The two routes above have therefore higher precedence over it and this third route can be deleted.
Check Point Firewall and NAT rules:
In R80.X SmartConsole / R77.X SmartDashboard, set up Network Address Translation (NAT) rules, so that Internet bound traffic, originating from the Web and Application subnets, is hidden behind the CloudGuard IaaS Security Gateway's public address.
Follow the instructions in this section, if you want to set up a VPN tunnel between the Check Point CloudGuard IaaS Security Gateway in Google Compute Engine and an on-premises Security Gateway.
In this section, we will setup the encryption domain of the CloudGuard IaaS Security Gateway. The encryption domain will consist of the Web and Application subnets.
Traffic from these subnets to the on-premises network will be routed to the CloudGuard IaaS Security Gateway using the Google Compute Engine route we have set up in the "Inspecting Internet bound traffic" section above.
For more information about defining VPN tunnels with Security Gateways on different sites and different servers, see the VPN Administration Guide (R77.X, R80, R80.10).
In this deployment, the company's on-premises Security Management Server centrally manages the CloudGuard IaaS Security Gateway at the company's local site and the CloudGuard IaaS Security Gateway protecting the company's private subnets in Google Compute Engine.
You can encrypt the data going between the company's on-premises and the company's private subnets in Google Compute Engine by creating a VPN tunnel.
Follow the instructions in this section, if you want traffic between subnets (e.g., between the Web subnet and the Application subnet) in Google Compute Engine to be inspected by the Check Point CloudGuard IaaS Security Gateway.
(9.A) Inspecting traffic between subnets from different VPCs
It is recommended to use Check Point CloudGuard Security Gateway with multiple network interfaces and inspect traffic between subnets from different VPCs. Follow the steps in section (7) Inspecting Internet bound traffic for each VPC in which the Check Point CloudGuard Security Gateway is deployed.
If the hosts you wish to protect are in a different subnet than the Check Point CloudGuard Security Gateway, for each such subnet follow these steps:
Connect to the Check Point CloudGuard Security Gateway via SSH, and create a static route using the following command: set static-route SUBNET-ADDRESS/SUBNET-MASK nexthop gateway address GCP-DEFAULT-GATEWAY on Where:
SUBNET-ADDRESS/SUBNET-MASK is the subnet address range (e.g. 10.1.2.0/24).
GCP-DEFAULT-GATEWAY is the GCP default gateway of the subnet in which the Check Point CloudGuard Security Gateway is deployed (e.g. 10.0.2.1).
For example:set static-route 10.1.2.0/24 nexthop gateway address 10.0.2.1 on
Make sure to run: save config, for the configuration to be saved after reboot.
Create a Network object as described in section (7) Inspecting Internet bound traffic sub section Check Point Firewall and NAT rules.
For each VPC that contains such subnets:
Create a Network Group object.
Name the object.
Add all the Network objects you have created that represent the subnets within the VPC.
Double-click the Check Point CloudGuard Security Gateway object.
In the left pane select Network Management.
Double-click the interface within the VPC.
Under General in the Topology section select Modify….
In section Leads To tick override.
Tick This Network (Internal).
In the drop-down list select the newly created Network Group object.
Select OK 3 time in order to save the configurations.
After adding all the VPCs and subnetworks, perform install policy in order to apply the configuration.
(9.B) Inspecting traffic between subnets within the same VPC
Ideally, we would like traffic between the Web and Application subnets to be sent through the Check Point CloudGuard IaaS Security Gateway using Google Compute Engine routes.
That being said, currently, Google Compute Engine routes can only be applied to traffic leaving the virtual network, but cannot be applied to traffic that remains inside the virtual network.
To work around this limitation, we will use NAT to force traffic between these subnets to pass through the Check Point CloudGuard IaaS Security Gateway.
To best explain the configuration steps, we will use the following example environment.
The Web Server (10.0.1.10) is configured to connect to a Shadow App Server, whose address (172.16.2.20) is in a Shadow Application subnet, which resides outside the virtual network.
The Web Server initiates a connection to that address.
Google Compute Engine routes send this connection to the Check Point CloudGuard IaaS Security Gateway.
The CloudGuard IaaS Security Gateway inspects the traffic and if allowed, translates the source and destination addresses.
The source address is translated to an address belonging to the Shadow Web Subnet (172.16.1.10), and the destination address is translated to the App Server address (10.0.2.20).
Make sure to replace the addresses to reflect your environment when you follow these steps:
Component / Range
Check Point CloudGuard IaaS Security Gateway private address
Shadow Addresses (*)
Shadow Web subnet
Shadow Application subnet
(*) NAT Shadow addresses must be outside the virtual network address space.
Add the following NAT rule to the Check Point NAT policy:
Note that this rule should be placed above the NAT rules created in the chapter "Inspecting Internet bound traffic" - section "Check Point Firewall and NAT rules" above.
Configure the Web servers to reach the Application servers through the Shadow Application addresses (172.16.2.0).
You would need to create a Google Compute Engine firewall rule to allow traffic from the Shadow Web subnet to the Application subnet.
For example, assuming the servers in the Web subnet need to open connections to servers in the Application subnet over TCP port 8080, the following Google Compute Engine firewall rule should be created:
You should review the Google Compute Engine firewall rules in your network to ensure that no other Google Compute Engine firewall rules allow direct access from the Web subnet to the Application subnet.
You can limit the scope of this firewall rule further by tagging your application instances and adding the same tag to the above Google Compute Engine firewall rules.
In this example, we assumed that the servers in the Web subnet need to initiate connections to the servers in the Application subnet. If connections need to also be initiated from the reverse direction, then repeat the steps above reversing the role of the Web and Application subnets.
Write down the private address of the internal load balancer you have created.
Use the following script to create the external load balancer and have it forward traffic on its external port (80) to the Check Point CloudGuard IaaS Security Gateway on an internal port (8081). Set the variables marked in red at the beginning of the script with the values that represent your environment.
In more detail, the script performs the following:
Creates an instance group.
Adds the Check Point CloudGuard IaaS Security Gateway into that group.
Assigns a named port to the Check Point instance group.
Creates a health check.
Creates a backend service that uses the named port group and the health check.
Adds the Check Point instance group to the backend service.
Creates a URL map that maps all requests by default to the backend service we created.
Creates a target HTTP proxy to route requests to your URL map.
Allocates a public address.
Creates a global forwarding rule to handle and route incoming requests.
If the installation type is Manual configuration, and you have manually configured the machine to be a Security Gateway or StandAlone, then run the following command to add Dynamic Object named "LocalGateway" with the IP range that contains only the IP address of the CloudGuard IaaS Gateway:
[Expert@HostName:0]# dynamic_objects -n LocalGateway -r <IP_ADDRESS> <IP_ADDRESS> -a
If needed, additional CloudGuard IaaS Security Gateways can be added to this setup in the same region.
Having more than one CloudGuard IaaS Security Gateway can provide a higher level of availability as well as load sharing.
In such a setup, for every connection, the external load balancer chooses a CloudGuard IaaS Security Gateway from the backend service and forwards the connection to that CloudGuard IaaS Security Gateway.
Note: There is no state synchronization between the different CloudGuard IaaS Security Gateways.
To add an additional CloudGuard IaaS Security Gateway to this environment:
Deploy a second CloudGuard IaaS Security Gateway.
Connect the second CloudGuard IaaS Security Gateway to the Security Management Server.
(12) A second CloudGuard IaaS Security Gateway in the same zone
Important: This article provides reference architecture only for the deployment of Check Point CloudGuard Security Gateways version R80.10 and higher. For information regarding deployment of Check Point CloudGuard Security Gateways version R77.30, contact Check Point Support.
QoS blade is not supported.
VSX mode is not supported.
For supported versions of Jumbo Hotfix Accumulator refer to sk109141.
The R77.30 Jumbo Hotfix Accumulator (all its Takes) is not supported on CloudGuard for Google Cloud Platform.