CloudGuard for NSX-T: Service Insertion at the Edge & Service Chaining
Solution

Table of Contents:

  1. Introduction to CloudGuard for NSX-T
    • NSX-T Overview
    • Service Insertion at the Edge
    • Service Chaining
  2. Required Components for installation of CloudGuard Gateway for NSX-T on ESXi Server
  3. Logical Components
  4. Prerequisites
  5. Installation Instructions
    • NSX-T 2.5 - Service Chaining and Service Insertion at the Edge
    • NSX-T 2.4 - Service Chaining
    • NSX-T 2.3 - Service Insertion at the Edge
  6. Configuration
    • NSX-T 2.5 - Service Chaining and Service Insertion at the Edge
    • NSX-T 2.4 - Service Chaining
    • NSX-T 2.3 - Service Insertion at the Edge
  7. Documentation
  8. Known Limitations

(1) Introduction to CloudGuard for NSX-T

NSX-T Overview

In much the same way that server virtualization programmatically creates, snapshots, deletes, and restores software-based virtual machines (VMs), NSX-T network virtualization programmatically creates, snapshots, deletes, and restores software-based virtual networks.

With network virtualization, the functional equivalent of a network hypervisor reproduces the complete set of Layer 2 through Layer 7 networking services (for example, switching, routing, access control, firewalling, and QoS) in software. As a result, these services can be programmatically assembled in any arbitrary combination to produce unique, isolated virtual networks in a matter of seconds.

Service Insertion at the Edge

NSX-T Data Center, as a key networking platform, provides a rich set of capabilities that allow you to create network topologies that connect and secure application endpoints (VMs, containers, bare-metal servers). With this release, NSX can deploy your choice of partner security solutions at the edge of NSX-T network topologies, i.e., at the Tier-0 and Tier-1 routing boundaries. NSX-T Data Center onboards and catalogs the partner services, allowing the NSX Administrator to deploy and consume the cataloged services.

CloudGuard for NSX-T acts as a Security Gateway in a bridge mode that is invisible to Layer-3 traffic. When authorized traffic arrives, the Security Gateway passes it to the next interface through bridging. This creates a Layer-2 relationship between two or more interfaces. Traffic that enters one interface exits the other interface. Bridging lets the Security Gateway inspect and forward traffic without the original IP routing.

Service Chaining 

NSX-T Data Center 2.4 introduces a broad array of native security functionalities such as Layer 7 Application Identity, FQDN Whitelisting, and Identity Firewall, all of which allow more granular micro-segmentation. In addition to the native security controls delivered by the Distributed and Gateway Firewall, the NSX Service Insertion Framework allows various types of Partner Services (e.g., IDS/IPS, NGFW, and Network Monitoring solutions) to be inserted transparently into the data path and consumed from within NSX without making changes to the topology.

In NSX-T Data Center 2.4, Service Insertion now supports East-West Traffic (i.e., traffic between the VMs in the Data Center). All traffic between VMs in the Data Center can be redirected to a dynamic chain of partner services.

The East-West service plane provides its own forwarding mechanism. The forwarding mechanism allows policy-based redirection of traffic along chains of services. Forwarding along the service plane is entirely automated by the platform: failures are detected, existing/new flows are redirected as appropriate, flow pinning is performed to support stateful services, and multiple path selection policies are available to optimize for throughput/latency or density.

CloudGuard for NSX-T can leverage this service insertion to act as a Security Gateway in hairpin bridge mode, in which the Gateway can inspect all the traffic redirected to it by the forwarding mechanism; authorized traffic will be passed back to the bridge interface, allowing the forwarding mechanism to return the traffic to its original path. Bridging lets the Security Gateway inspect and return traffic without the original IP routing.

As of NSX-T 2.5, two modes of Partner SVM deployment are supported: clustered deployment, in which Service Virtual Machines are deployed on a dedicated vSphere (Service) Cluster, and host-based deployment, in which one Service Virtual Machine per service is deployed on each Compute Host in a particular cluster. In host-based mode, when a new compute host is added to the cluster, the appropriate SVMs are deployed on it automatically.


(2) Required Components for installation of CloudGuard Gateway for NSX-T on ESXi Server

  • Security Management Server / Multi-Domain Security Management Server: The Check Point Security Management Server is the basic infrastructure that manages Check Point Security Gateways.
  • SmartConsole: SmartConsole is the unified management application of Check Point R80.10 Security Management.
  • Service Registration Bundle: This package installs modules on the Check Point Security Management Server that are required by VMware NSX-T Manager in order to register a service.
  • CloudGuard for NSX-T OVF Template: This is the standard OVF template that deploys the Check Point Security Gateway as a Service VM.
  • VMware NSX-T Manager: NSX Manager is a virtual appliance that provides the Graphical User Interface (GUI) and the REST APIs for creating, configuring, and monitoring NSX-T components, such as logical switches and NSX Edge services gateways.
  • NSX Controller: NSX Controller, called Central Control Plane (CCP), is an advanced distributed state management system that controls virtual networks and overlay transport tunnels.
  • NSX Edge: NSX Edge provides routing services and connectivity to networks that are external to the NSX-T deployment.
  • File Server: A dedicated file server should be used to make the OVF bundle files reachable for the deployment of the CloudGuard Gateways.
  • CME Bundle: The CME (Cloud Management Extension) is a utility that runs on Check Point Security Management Servers and Multi-Domain Security Management Servers running Gaia OS. The utility integrates Check Point CloudGuard IaaS solutions with cloud platforms such as AWS (Amazon Web Services), Azure and GCP (Google Cloud Platform). CME can be installed on Management and Multi-Domain Management Servers deployed in cloud platforms or on-premise.


(3) Logical Components

  • Transport Zone: A transport zone is a logical construct that controls which hosts a logical switch can reach. It can span one or more host clusters. Transport zones dictate which hosts and, therefore, which VMs can participate in the use of a particular network.
  • Logical Router: An NSX-T Data Center logical router reproduces routing functionality in a virtual environment completely decoupled from the underlying hardware. The Tier-0 logical router provides an on-and-off gateway service between the logical and physical networks. The Tier-1 logical router must be connected to the Tier-0 logical router to get northbound physical router access. For more information about Logical Routers, refer to:


(4) Prerequisites

Supported versions of VMware's components

Component             | Service Chaining (E/W) | Service Insertion on the Edge (N/S)
NSX-T Manager         | 2.4.1, 2.5             | 2.3
vCenter/ESXi Server   | 6.5U2, 6.7             | 6.5, 6.7
ESXi Server           | 6.5U2, 6.7             | 6.5, 6.7

Refer to "CloudGuard for NSX-T Service Chaining" in the VMware Compatibility Guide for supported versions.

CloudGuard for NSX-T Service Insertion at the Edge requires the following VMware components:

  • NSX Edge
  • Tier-0/1 Logical Router

Refer to the VMware NSX-T Data Center Documentation for more information.



(5) Installation Instructions

NSX-T 2.5 - Service Chaining and Service Insertion at the Edge 


1. Install the R80.30 Security Management Server:

  1. Refer to sk144293: Check Point R80.30.
  2. Install R80.30 Security Management Server / Multi-Domain Security Management Server.
  3. Install R80.30 SmartConsole for R80.30 Security Management Server.
  4. Install the CloudGuard Registration Bundle on the Security Management Server.
  5. Install the CME Bundle on the Security Management Server.
  6. Install R80.30 CloudGuard for NSX-T OVF on a file server.
Packages:

  R80.30 CloudGuard for NSX-T Management Bundles
    • R80.30 CloudGuard for NSX-T Registration Bundle (TGZ)
    • Check Point R80.30 CME T67 Bundle (TGZ)
  R80.30 CloudGuard for NSX-T Service Chaining (East/West)
    • R80.30 CloudGuard for NSX-T (with Jumbo HFA Take 10) - OVF package (TGZ)
  R80.30 CloudGuard for NSX-T Service Insertion at the Edge (North/South)
    • R80.10 CloudGuard for NSX-T - OVF package (TGZ)

NSX-T 2.4 - Service Chaining 


1. Install the R80.30 Security Management Server:

  1. Refer to sk144293: Check Point R80.30.
  2. Install R80.30 Security Management Server / Multi-Domain Security Management Server.
  3. Install R80.30 SmartConsole for R80.30 Security Management Server.
  4. Download the CloudGuard Registration Bundle and copy it to the Security Management Server.
  5. Extract the TGZ file.
  6. Install R80.30 CloudGuard for NSX-T OVF on a file server.
Packages:

  • R80.30 CloudGuard for NSX-T - OVF package (TGZ)
  • R80.30 CloudGuard for NSX-T Registration Bundle (TGZ)

NSX-T 2.3 - Service Insertion at the Edge


1. Install the R80.10 Management Server:

  1. Refer to sk111841: Check Point R80.10.
  2. Install R80.10 Security Management Server / Multi-Domain Security Management Server.
  3. Install R80.10 SmartConsole for R80.10 Management Server.

2. Download the CloudGuard Registration Bundle and copy it to the Security Management Server.

3. Extract the TGZ file.

4. Install R80.10 CloudGuard for NSX-T OVF on a file server.

Packages:

  • R80.10 CloudGuard for NSX-T - OVF package (TGZ)
  • CloudGuard for NSX-T Registration Bundle (TGZ)



(6) Configuration

NSX-T 2.5 - Service Chaining and Service Insertion at the Edge 

  1. Add a New CME Controller using the CME menu
  2. Register a New Service using the CME menu
  3. Deploy a Check Point Service using the NSX-T Manager UI
  4. Enable the Redirection Rules
Refer to the Deployment Guide for detailed instructions.

NSX-T 2.4 - Service Chaining 


Add a New Controller

The Controller is the NSX-T Manager. Before you can create a new service, you need to add the Controller to your environment. To register a new Controller, do the following:

1. Log in to Expert mode and run the command 'python $MDS_FWDIR/scripts/autoprovision/cme_menu/cme_menu.py' to start the CME menu on the MDS or Security Management Server.

2. Choose VMware NSX-T → Manage NSX-T Manager → Add NSX-T Manager.

3. Enter the Host IP (the NSX-T Manager IP). The thumbprint of the server's certificate is then displayed; verify it against the value obtained from the NSX-T Manager itself before accepting it. To get the thumbprint from the NSX-T Manager CLI, log in as an administrator and run the 'get certificate api thumbprint' command.

4. Controller Name: Choose a name for your Controller. Each Controller must have a unique name.

5. Controller User Name: The user name for the NSX-T Manager login. The user name must contain only English characters, numbers, and an underscore (_).

6. Controller User Password: The password for the NSX-T Manager login. The password must:

  • Be at least 8 characters in length.
  • Contain both upper and lowercase alphabetic characters (e.g., A-Z, a-z).
  • Have at least one numerical character (e.g., 0-9).
  • Have at least one special character (e.g., ~!@#$%^&*()_-+=)

7. Choose a domain name if you are adding the Controller via MDS.
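Step 3 asks you to verify the NSX-T Manager thumbprint before the Controller is trusted. The following script is an added example, not part of this article or of the CME tooling: it fetches the certificate the NSX-T Manager presents, computes its SHA-256 thumbprint and compares it with the value copied from the 'get certificate api thumbprint' output, tolerating the colon, space and case differences between the CLI and openssl renderings. The Manager host name and the expected thumbprint in the usage section are placeholders.

```python
import hashlib
import re
import socket
import ssl
from typing import Tuple


def normalize_thumbprint(value: str) -> str:
    """Reduce any thumbprint spelling (colons, spaces, upper/lower case) to
    plain lowercase hex so two renderings of the same digest compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def sha256_thumbprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, rendered as
    colon-separated uppercase hex (the 'openssl x509 -fingerprint' layout)."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_cert_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Retrieve the leaf certificate presented by host:port.

    Chain validation is intentionally disabled: NSX-T Manager is commonly
    deployed with a self-signed certificate, and trust is established by
    pinning the thumbprint read from the Manager's own CLI, not by a CA.
    Only the TLS handshake is performed; no request is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def thumbprints_match(expected: str, actual: str) -> bool:
    """Compare two thumbprints after normalization. A value that is not a full
    SHA-256 digest (64 hex chars) never matches, so a truncated or placeholder
    'expected' value cannot accidentally approve a Manager."""
    exp, act = normalize_thumbprint(expected), normalize_thumbprint(actual)
    return len(exp) == 64 and exp == act


def verify_nsx_manager(host: str, expected_thumbprint: str) -> Tuple[bool, str]:
    """Fetch the live certificate and decide whether the Controller may be
    added. Returns (ok, observed_thumbprint) so a mismatch can be logged."""
    observed = sha256_thumbprint(fetch_server_cert_der(host))
    return thumbprints_match(expected_thumbprint, observed), observed


if __name__ == "__main__":
    # Placeholders (assumptions): your NSX-T Manager address and the output of
    # 'get certificate api thumbprint' on that Manager.
    NSX_MANAGER = "nsx-manager.example.invalid"
    EXPECTED = "<thumbprint from get certificate api thumbprint>"
    ok, seen = verify_nsx_manager(NSX_MANAGER, EXPECTED)
    print("thumbprint OK, safe to add the Controller" if ok
          else f"MISMATCH: Manager presented {seen}; do not add the Controller")
```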

Register a New Service:

After you create the Controller, you can register a new service.

1. Go to VMware NSX-T → Register New Service.

2. Go to Attachment Point - East-West or North-South.

  1. For East-West service, enter the URL path.
  2. For the OVF for North-South service:

i. Choose the Tier on which you want to deploy your service: Tier 0 or Tier 1.

ii. Choose Failure Policy.

iii. Enter the URL path for the OVF.

3. Select the Controller.

4. Enter and confirm the SIC one-time password for the Gateway that will be deployed in the NSX-T Manager web client.

5. The service is now available for deployment on the NSX-T Manager web client.

Deploy a Check Point Service:

1. Log in to the NSX-T manager web client.

2. Go to System → Service Deployments → Deployment.

3. Choose the service you created and click on Deploy Service.

4. Enter the Service Deployment Name.

5. Choose Compute Manager.

6. Choose the Cluster on which the service will be deployed.

7. Choose the Datastore.

8. Choose the Network. For Eth0, choose Network Type static IP pool only.

9. Choose service segment. Note that there is only one segment for each Transport Zone.

10. Choose Deployment Specification.

11. Choose Deployment Template CheckPoint_template. To change the SIC and the admin password given in the service registration, provide a new SIC in base64 and the admin password hash.

12. Choose the number of Gateways that will be deployed on the cluster. For NSX-T 2.4, you can deploy only one Gateway each time.

13. Click on Save. The service will now be deployed.

14. Go to the Service Instances tab, where you will see the status of the deployment. When the status is UP, you can activate the redirection rule (see below).

Enable Redirection Rules

In order for the traffic to be inspected by the deployed service (Check Point Gateway), you will need to enable the redirection rules after you successfully deploy a service in your environment.

1. Log in to the NSX-T manager web client.

2. Go to Security → Network Introspection (E-W) → Service Profile.

3. Choose the service for which you want to create the profile and click on Add Service Profile.

4. Enter the Service Profile Name.

5. Choose the vendor template. The vendor templates were created during the service registration and expose protection levels for the policies.

6. Click on the Service Chains tab and create a new service chain.

7. Enter the Service Chain name.

8. Choose a service segment.

9. Set Forward path. Choose the service profile you created before.

10. Choose Failure policy.

11. You can now define the redirection rule. Click on the Rules tab → Add Policy. A policy section is similar to a Security Policy. Each section belongs to a single Service Chain (however, multiple sections can belong to the same Service Chain). The rules in the section define which traffic is redirected to the chain and which is not.

12. Choose the service to which the policy will be redirected.

13. Add a new rule by clicking on the button on the left and choose Add Rule.

14. Choose a name for the rule.

15. Choose a traffic source. It can be NSgroups, VM, IP, and more.

16. Choose a traffic destination. It can be NSgroups, VM, IP, and more.

17. Choose what the policy will be applied to. It can be the DFW or any groups you created.

18. Make sure that the checkbox is green and click on Publish to apply the changes.

CME Service

The CME Service will automatically configure the new Gateway with the First Time Configuration Wizard, and create the Security Gateway on SmartConsole.

NSX-T 2.3 - Service Insertion at the Edge


You can set up service insertion to redirect north-south traffic at a Tier-0 router, or east-west traffic at a Tier-1 router to a VM. A service running in the VM can process the traffic and take appropriate actions.

You can read more about Service Insertion in the NSX-T Manager Administration Guide's Service Insertion section.

The following architectural diagram shows the flow of data with Service Insertion configured:

Setting up Service Insertion

1. From the Security Management Server:

  1. Register a service (see steps below). 

2. From the NSX-T Partner Services panel (see steps below):

  1. Deploy a service instance
  2. Configure traffic redirection

Register a Service

1. Connect to the Security Management Server.

2. Run 'python cloudguard_config.py'.

3. Choose Register Service.

4. Enter the NSX-T Manager network address.

5. Validate and approve the NSX-T Manager server certificate.

6. Enter the NSX-T Manager user name.

7. Enter the NSX-T Manager user password.

8. Enter the desired Tier (attachment point).

9. Enter the OVF file URL.

Deploy a Service Instance

1. From your browser, log in with administrator privileges to an NSX Manager at https://nsx-manager-ip-address.

2. Choose Partner Services from the navigation panel.

3. Click on Deploy.

4. Enter an instance name and, optionally, a description.

5. Click on the Partner Service field and choose Check Point CloudGuard for NSX-T service.

6. Choose the Deployment Specification esx-01a.corp.local

7. Choose a logical router. Only routers that do not have Service Insertion configured will be displayed.

8. Click on Next.

9. Click on the Compute Manager field and choose a compute manager.

10. Click on the Cluster field and choose a cluster.

11. Click on the Datastore field and choose a datastore.

12. Choose a Deployment Mode. At this point, only Standalone deployment is supported.

13. Choose a Failure Policy. The choices are Allow or Block. These options specify the default action when the Service VM is not functioning. Allow means the traffic will pass without inspection; Block means that all traffic will be dropped.

14. Enter the IP address of the VM.

15. Enter the default Gateway for the VM's IP address.

16. Enter the subnet mask for the VM's IP address.

17. Click on Next.

18. Click on Finish.

Configure the Service VMs

This procedure is relevant to NSX-T 2.3 only. From NSX-T 2.4, the Service VM will be configured automatically.

1. Connect to the service VM CLI and configure the default gateway by running 'set static-route default nexthop gateway address <default gateway IP> on'.

2. For each CloudGuard SVM, use your browser and log in to the Blink installation portal.

3. Fill in the Blink Installation page. Cluster membership is not supported at this point.

4. Click on Go!

5. Log into the service web-UI.

6. Go to Network Interfaces and edit the IP address of interface br0.

7. Enter the IPv4 address: 192.0.2.1

8. Enter the Subnet mask: 255.255.255.0

9. Go to Time and click on Set Time Zone to set the service time zone.

10. Log out.

Create a New CloudGuard for NSX-T Security Gateway on the Security Manager Server

This procedure is relevant to NSX-T 2.3 only. From NSX-T 2.4, the Security Gateway will be created automatically on the Security Management Server.

For more information refer to the Security Management R80.10 Administration Guide - Managing Gateways section.

To define a new Security Gateway object:

1. From the navigation toolbar, choose Gateways & Servers.

2. Click on New, and choose Gateway. The Check Point Security Gateway Creation window will open.

3. Click on Classic Mode. The Check Point Gateway's properties window will open and show the General Properties screen.

4. Enter the host Name and the IPv4 Address.

5. Click on Communication. The Trusted Communication window will open.

6. Choose a Platform.

7. In the Authentication section, enter and confirm a one-time password.

8. Click on Initialize to establish trusted communication with the Gateway. If trust fails to establish, click on OK to continue configuring the Gateway.

9. Click on OK.

10. The Get Topology Results window that now opens shows interfaces successfully configured on the Gateway.

11. Click on Close.

12. In the Platform section, choose the Hardware, the Version, and the OS. If trust is established between the server and the Gateway, click on Get to automatically retrieve the information from the Gateway.

13. Choose the Software Blades to enable on the Security Gateway. For some of the Software Blades, a first-time setup wizard will open. You can run the wizard now or later. For more on the setup wizards, refer to the relevant Administration Guide.

Configure Traffic Redirection

1. From your browser, log in with administrator privileges to NSX Manager at https://nsx-manager-ip-address.

2. Choose Partner Services from the navigation panel.

3. Click on Check Point's CloudGuard for NSX-T Service.

4. Click on the Traffic Redirection tab.

5. Add or remove sections and rules.

Note: To redirect the traffic to the service VM, you will need to add a rule to allow BFD-Single_hop traffic.



(7) Documentation
