CloudGuard Network for Microsoft Azure Stack
Solution

Table of Contents:

  1. Overview
  2. Prerequisites
  3. Network Diagram
  4. Management
  5. Deployment through the Azure Stack admin portal - using *.azpkg
  6. Setting up the route tables of the Frontend and Backend subnets
  7. Setting up backend subnets and their route tables
  8. Known Limitations and Issues
  9. Related documentation
  10. Related solutions
  11. Revision history

 

(1) Overview

Microsoft Azure Stack is an extension of Microsoft Azure, bringing the agility and fast-paced innovation of cloud computing to on-premises environments. Only Azure Stack lets you deliver Azure services from your organization's datacenter while balancing the right amount of flexibility and control for truly consistent hybrid cloud deployments.

Check Point vSEC for Microsoft Azure Stack extends advanced Threat Prevention security to protect customers' Azure Stack on-premises environments from malware and other sophisticated threats. As a Microsoft Azure Stack certified solution, vSEC enables you to easily and seamlessly secure your workloads, data and assets while providing secure connectivity across your cloud and on-premises environments.

This article will guide you in deploying a Check Point vSEC single Security Gateway or Check Point vSEC Standalone machine (Security Gateway and Security Management Server) in Microsoft Azure Stack.

 

(2) Prerequisites

It is assumed that the reader is familiar with the following topics:

Vendor Topic
Azure
Check Point

You should have installed and configured Azure PowerShell version 1.0 or higher.
For additional information on how to install it, refer to the Install PowerShell for Azure Stack article.

You should have installed and configured the Azure AD PowerShell module.
For additional information on how to install it, refer to the Azure Active Directory PowerShell 1.0 article.

 

(3) Network Diagram

Example Network Diagram:

In this architecture, the Azure Stack virtual network consists of four subnets:

  • A vSEC Security Gateway frontend subnet
  • A vSEC Security Gateway backend subnet
  • Two backend subnets:
    • A web tier subnet
    • An application tier subnet

This environment consists of two separate web applications. Each web application consists of:

  • A separate public IP address, through which the web application can be accessed
  • A web server on a web tier subnet
  • An application server on an application tier subnet

The vSEC Security Gateway for Azure Stack inspects:

  • Traffic arriving from the Internet to each of the web applications
  • Traffic between the web and application tiers
  • Traffic originating from the backend subnets to the Internet

 

(4) Management

The vSEC Security Gateway for Azure Stack can be managed in several ways, including:

  • A Standalone configuration, in which the vSEC Security Gateway machine also acts as its own Management Server
  • Centrally managed, where the Management Server is located on premises, outside the virtual network
  • Centrally managed, where the Management Server is located in the same virtual network (support for this scenario is planned)

The vSEC Security Gateway for Azure Stack can be managed by a Security Management Server running R80.10 or higher.

 

(5) Deployment through the Azure Stack admin portal - using *.azpkg

To deploy this solution through the Azure Stack portal, use the Check Point vSEC package:

  1. Execute the RegisterWithAzure.ps1 script, which lets you add images from Azure Marketplace Management to your on-premises environment.

  2. Download the Check Point vSEC image from the Marketplace Management:

    1. Search for either check point or vsec and click on the Check Point vSEC image link.

      Example:
    2. Click on the Download button at the bottom.

      Example:
    3. Download the Azure Gallery Package *.azpkg to the environment using the following command in the PowerShell CLI:

      Add-AzsGalleryItem -GalleryItemUri https://chkpazurestack.blob.core.windows.net/azpkg-single/checkpoint.vSEC.1.0.0.azpkg -VERBOSE

      1. Example output of the "Get-AzsGalleryItem | select name" command before adding the package:

      2. Example output of the above "Add-AzsGalleryItem ... checkpoint.vSEC.1.0.0.azpkg ..." command:

      3. Example output of the "Get-AzsGalleryItem | select name" command after adding the package:

    4. In the left tree, click More services, then open the Security + Identity menu; you should see Check Point vSEC Single Gateway.

      Example:

Notes about the Check Point vSEC *.azpkg package:

  • This package deploys a single Check Point vSEC Security Gateway with 2 network interfaces.
    After deployment, you should set up User Defined Routes (UDR) to route traffic through the vSEC Gateway.
    This package can also be used in a Standalone (Security Gateway and Security Management Server) configuration.

  • This package contains a template that can either create a new virtual network, or allow you to deploy into an existing virtual network.

  • This package does not create the Web and App subnets - you will need to add these subnets by yourself.

  • This template does not deploy any web or application VMs.

  • VMs launched in the backend subnets might require Internet access in order to finalize their provisioning.
    Launch these VMs only after you have applied NAT hide rules on the vSEC Security Gateway for Azure Stack to support this type of connectivity.

  • After you deploy the template, the vSEC Security Gateway for Azure Stack will automatically execute the Check Point First Time Configuration Wizard based on the provided parameters. Once the First Time Configuration Wizard completes, the vSEC Security Gateway for Azure Stack has to be rebooted.

 

(6) Setting up the route tables of the Frontend and Backend subnets

This section shows how to ensure that the route tables associated with the vSEC Security Gateway frontend and backend subnets are set up correctly.

Note: Follow this section only if you have deployed the vSEC Security Gateway into an existing virtual network. If you have opted to let the template create a new virtual network, then you should skip this step.

To set up a route table, open the "Route Tables" section of the Azure Stack portal (refer to Connect to Azure Stack and Using the administrator and user portals in Azure Stack).

For step by step instructions, refer to User-defined routes and IP forwarding.

The route table associated with the frontend subnet should consist of the following routes:

Note: This is an example of a route table taken from Azure Stack portal "Route Tables" menu.

-  name: frontend-local
   address-prefix: frontend-subnet-prefix #e.g., 10.0.1.0/24
   next-hop-type: Virtual network
-  name: frontend-to-other-subnets
   address-prefix: Virtual Network address prefix #e.g., 10.0.0.0/16
   next-hop-type: Virtual Appliance
   next-hop-address: GATEWAY-EXTERNAL-ADDRESS #e.g., 10.0.1.10

The route table associated with the vSEC Security Gateway backend subnet should consist of the following routes:

Note: This is an example of a route table taken from Azure Stack portal "Route Tables" menu.

-  name: internal-default
   address-prefix: 0.0.0.0/0
   next-hop-type: Virtual Appliance
   next-hop-address: GATEWAY-INTERNAL-ADDRESS #e.g., 10.0.2.10

 

(7) Setting up backend subnets and their route tables

Use either the Azure Stack portal or the CLI to add backend subnets (such as the Web and App subnets) to the virtual network.

For each such backend subnet, create an Azure routing table with the following User Defined Routes (UDR):

Note: This is an example of a route table taken from Azure Stack portal "Route Tables" menu.

-  name: SUBNET-NAME-local #e.g., web-local
   address-prefix: SUBNET-PREFIX #e.g., 10.0.3.0/24
   next-hop-type: Virtual network
-  name: SUBNET-NAME-to-other-subnets #e.g., web-to-other-subnets
   address-prefix: Virtual Network address prefix #e.g., 10.0.0.0/16
   next-hop-type: Virtual Appliance
   next-hop-address: GATEWAY-INTERNAL-ADDRESS #e.g., 10.0.2.10
-  name: SUBNET-NAME-default #e.g., web-default
   address-prefix: 0.0.0.0/0
   next-hop-type: Virtual Appliance
   next-hop-address: GATEWAY-INTERNAL-ADDRESS #e.g., 10.0.2.10

With reference to the example Network Diagram above, this is the example routing table that can be used by the Web subnet:

NAME                         ADDRESS PREFIX   NEXT HOP
web-subnet-local             10.0.3.0/24      Virtual network
web-subnet-to-other-subnets  10.0.0.0/16      10.0.2.10
web-subnet-default           0.0.0.0/0        10.0.2.10

Associate the newly created routing table with the subnet.
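The route tables of sections 6 and 7 can also be created from the Azure Stack PowerShell session the prerequisites ask for. The script below is an added example and is not part of this article or of the Check Point package; it assumes a session already signed in to the Azure Stack tenant endpoint, and the resource group, region, VNet name and subnet names/prefixes are assumptions that mirror the article's example addresses (10.0.0.0/16 VNet, gateway addresses 10.0.1.10 and 10.0.2.10). It builds all four tables, associates them with their subnets, and then audits the protected backend subnets so that none of them is left with a default route that bypasses the gateway.

```powershell
# Added example, not from the SK article: create the UDR tables from sections 6 and 7
# with the AzureRM cmdlets used on Azure Stack, attach them to their subnets, and
# verify that every protected backend subnet sends 0.0.0.0/0 through the gateway.
# All names and addresses below are assumptions based on the article's example values.

$ResourceGroup   = 'rg-vsec'       # assumed resource group
$Location        = 'local'         # assumed Azure Stack region name
$VNetName        = 'vsec-vnet'     # assumed VNet name
$VNetPrefix      = '10.0.0.0/16'
$GatewayExternal = '10.0.1.10'     # gateway interface on the frontend subnet
$GatewayInternal = '10.0.2.10'     # gateway interface on the backend subnet

# Subnet name -> prefix. 'frontend' and 'backend' are the gateway's own subnets;
# 'web' and 'app' are the protected backend subnets the administrator adds.
$Subnets = [ordered]@{
    'frontend' = '10.0.1.0/24'
    'backend'  = '10.0.2.0/24'
    'web'      = '10.0.3.0/24'
    'app'      = '10.0.4.0/24'
}

function New-VsecRouteTable {
    param([string]$SubnetName, [string]$SubnetPrefix)

    $routes = @()
    if ($SubnetName -eq 'backend') {
        # Gateway backend subnet (section 6): one default route to the internal address.
        $routes += New-AzureRmRouteConfig -Name 'internal-default' -AddressPrefix '0.0.0.0/0' `
            -NextHopType VirtualAppliance -NextHopIpAddress $GatewayInternal
    } else {
        # The frontend subnet hops via the external address, protected subnets via the internal one.
        $hop = if ($SubnetName -eq 'frontend') { $GatewayExternal } else { $GatewayInternal }
        # Keep intra-subnet traffic local; the portal's "Virtual network" next hop is VnetLocal here.
        $routes += New-AzureRmRouteConfig -Name "$SubnetName-local" -AddressPrefix $SubnetPrefix `
            -NextHopType VnetLocal
        # Traffic to any other subnet in the VNet goes through the gateway.
        $routes += New-AzureRmRouteConfig -Name "$SubnetName-to-other-subnets" -AddressPrefix $VNetPrefix `
            -NextHopType VirtualAppliance -NextHopIpAddress $hop
        if ($SubnetName -ne 'frontend') {
            # Protected backend subnets (section 7) also send Internet-bound traffic through the gateway.
            $routes += New-AzureRmRouteConfig -Name "$SubnetName-default" -AddressPrefix '0.0.0.0/0' `
                -NextHopType VirtualAppliance -NextHopIpAddress $GatewayInternal
        }
    }
    New-AzureRmRouteTable -Name "$SubnetName-rt" -ResourceGroupName $ResourceGroup `
        -Location $Location -Route $routes -Force
}

# Create each table and associate it with its subnet, then commit the VNet change.
$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
foreach ($name in $Subnets.Keys) {
    $rt = New-VsecRouteTable -SubnetName $name -SubnetPrefix $Subnets[$name]
    Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name `
        -AddressPrefix $Subnets[$name] -RouteTable $rt | Out-Null
}
$vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

# Audit: a protected subnet without a 0.0.0.0/0 route to the gateway's internal address
# reaches the Internet through the platform default route, uninspected.
function Test-VsecBackendRoutes {
    param($VirtualNetwork, [string[]]$ProtectedSubnets, [string]$GatewayIp)

    $problems = @()
    foreach ($s in $VirtualNetwork.Subnets | Where-Object { $ProtectedSubnets -contains $_.Name }) {
        if (-not $s.RouteTable) { $problems += "$($s.Name): no route table associated"; continue }
        $rtName = ($s.RouteTable.Id -split '/')[-1]
        $rt = Get-AzureRmRouteTable -Name $rtName -ResourceGroupName $ResourceGroup
        $default = $rt.Routes | Where-Object { $_.AddressPrefix -eq '0.0.0.0/0' }
        if (-not $default -or $default.NextHopType -ne 'VirtualAppliance' -or $default.NextHopIpAddress -ne $GatewayIp) {
            $problems += "$($s.Name): default route does not point at $GatewayIp"
        }
    }
    return $problems   # empty when every protected subnet is routed through the gateway
}

Test-VsecBackendRoutes -VirtualNetwork $vnet -ProtectedSubnets @('web', 'app') -GatewayIp $GatewayInternal
```

Run the audit again after adding any further backend subnet; an empty result means each protected subnet's default route points at the gateway's internal address, which is the condition for the section 3 inspection paths (tier-to-tier and backend-to-Internet) to actually pass through the vSEC Security Gateway.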

 

(8) Known Limitations and Issues

  • When entering a username in the deployment template, the username field is ignored and admin is used instead.
    This is by design.

(11) Revision history

Date Description
27 Sep 2017
  • First release of this article