Follow the instructions below in order to deploy Check Point's CloudGuard Cluster solution in Oracle. Perform the steps from the Oracle portal using the preferred compartment. For more information, such as how to generate an SSH Key pair, instance creation, terms, and more, refer to the CloudGuard for Oracle Cloud Infrastructure Getting Started Guide.
1. Sign in to cloud tenant - your OCI tenant account.
2. Select the relevant CloudGuard listing from the Oracle Cloud Marketplace or upload the CloudGuard image to one of your storage accounts.
Skip step 3 if you are using a Marketplace listing.
3. Import the image into your custom images.
4. Create a VCN (for example, a VCN with CIDR Block 10.0.0.0/16).
5. Add two subnets to your VCN: one public subnet and one private subnet.
- Frontend public subnet (10.0.0.0/24)
- Backend private subnet (10.0.1.0/24)
Go to the VCN you created in the previous stage and add two subnets: public subnet (frontend) and private subnet (backend).
6. Create a public subnet: for example, frontend (CIDR Block 10.0.0.0/24).
7. Create a private subnet: for example, backend (CIDR Block 10.0.1.0/24).
Final VCN configuration with two subnets: frontend and backend.
8. Set the following Egress and Ingress Rules for your VCN.
VCN Full Configuration:
9. Create both CloudGuard cluster members.
Note: The "require an authorization header" option must be disabled in the advanced options during instance creation.
10. Attach the first instance Primary vNIC (at the member creation) to your frontend subnet.
11. Add an additional Secondary vNIC and attach it to the Private Subnet (backend) you created in the previous step.
Note: During the creation of instances, you can use a user-defined script that is executed at first boot. You can use this script to complete the FTW (when using a non-Blink image), to complete the configuration (when using a Blink image), or for any other purpose.
- All R80.30 and above Oracle Cloud images use Blink
12. Choose one of the members (only one) and add a new Secondary Private IP to the Primary vNIC.
13. Create a reserved Public IP and attach it to the Secondary Private IP you created in step 12. This will serve as the cluster IP (the first VIP, used for the VPN tunnel).
14. Create one more Secondary Private IP and attach it to the Secondary vNIC of the member chosen in step 12 (the secondary VIP, used for outbound traffic).
15. Add the following new routing tables to the Private Subnet (the backend subnet, which should be configured after adding the Additional Secondary vNIC) and the Public subnet, respectively. This rule redirects the traffic to the Secondary Private IP of the Secondary vNIC (traffic goes through the VIP).
Note: Instances are created with only one vNIC, which is called the Primary vNIC. After the instance creation, one more vNIC should be added to this vNIC, which is called the Secondary vNIC.
Note: The Primary vNIC should be connected/attached to the public subnet; the additional vNIC should be connected to the private subnet.
Note: It is very important that you edit both vNICs of each member and select the Skip Source/Destination Check check box.
16. Add the following Route Table to the Public Subnet (Frontend).
17. Create a Dynamic Group and include both members in this Dynamic Group (in this example, we will name it cp_cluster_group). You can create the rules which define the Dynamic Group by using the OCI Rule Builder: create two separate rules, one for each member. If you are not using the OCI Rule Builder, you can manually define a single rule to include both members, as appears below.
18. Create the policy and allow the defined Dynamic Group to use resources in the compartment to which it belongs.
19. Connect to both CloudGuard members using the Private Key that matches the Public Key you used when you created the instance (ssh -i privateKey admin@<cluster-member-public-ip>) and set the password by running the following commands:
> set user admin password
- enter your password <XXXXX> when prompted
> save config
20. Connect to the members using a web browser with the member public IP and complete the FTW.
User name: admin
21. Configure the CloudGuard members and Cluster in the Management SmartConsole (see below).
Note: To set an administrator password, you can SSH to each member as described above OR use the user-defined script when you create the instance. The script is launched at first boot.
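Before creating the route tables, VIPs and Dynamic Group, it helps to sanity-check the intended layout against the invariants the steps above rely on. The following is an added example, not Check Point's or Oracle's code: the member IPs, VIP addresses and OCIDs are constructed values, and the checks are the ones a practitioner would want to see hold (subnets inside the VCN and non-overlapping, primary vNIC in frontend and secondary vNIC in backend, Skip Source/Destination Check enabled on all four vNICs, both VIPs on a single member and inside the right subnet, backend route pointing at the backend VIP). It also builds the single Dynamic Group matching rule for step 17.

```python
import ipaddress

# Constructed layout matching the steps above; member IPs and VIPs are assumed values.
VCN = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {"frontend": ipaddress.ip_network("10.0.0.0/24"),   # public, primary vNICs
           "backend": ipaddress.ip_network("10.0.1.0/24")}    # private, secondary vNICs
MEMBERS = {
    "member-1": {"primary": {"subnet": "frontend", "ip": "10.0.0.10", "skip_src_dst": True},
                 "secondary": {"subnet": "backend", "ip": "10.0.1.10", "skip_src_dst": True}},
    "member-2": {"primary": {"subnet": "frontend", "ip": "10.0.0.11", "skip_src_dst": True},
                 "secondary": {"subnet": "backend", "ip": "10.0.1.11", "skip_src_dst": True}},
}
# Steps 12-14: both VIPs (secondary private IPs) live on exactly one member.
VIPS = {"owner": "member-1", "frontend": "10.0.0.20", "backend": "10.0.1.20"}
# Step 15: the backend route table must send traffic to the backend VIP.
BACKEND_ROUTE_TARGET = "10.0.1.20"

def check_layout(vcn, subnets, members, vips, backend_route_target):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    for name, net in subnets.items():
        if not net.subnet_of(vcn):
            problems.append(f"subnet {name} {net} is outside VCN {vcn}")
    if subnets["frontend"].overlaps(subnets["backend"]):
        problems.append("frontend and backend subnets overlap")
    used_ips = set()
    for m, vnics in members.items():
        for role, expected in (("primary", "frontend"), ("secondary", "backend")):
            v = vnics[role]
            if v["subnet"] != expected:
                problems.append(f"{m} {role} vNIC must be attached to {expected}")
            if ipaddress.ip_address(v["ip"]) not in subnets[v["subnet"]]:
                problems.append(f"{m} {role} IP {v['ip']} is not in {v['subnet']}")
            if not v["skip_src_dst"]:
                problems.append(f"{m} {role} vNIC: skip source/destination check is off")
            used_ips.add(v["ip"])
    if vips["owner"] not in members:
        problems.append(f"VIP owner {vips['owner']} is not a cluster member")
    for sub in ("frontend", "backend"):
        if ipaddress.ip_address(vips[sub]) not in subnets[sub]:
            problems.append(f"{sub} VIP {vips[sub]} is not in the {sub} subnet")
        if vips[sub] in used_ips:
            problems.append(f"{sub} VIP {vips[sub]} collides with a member IP")
    if backend_route_target != vips["backend"]:
        problems.append("backend route table must target the backend VIP")
    return problems

def dynamic_group_rule(instance_ocids):
    """Step 17: one matching rule covering both members (OCI 'Any {...}' syntax)."""
    return "Any {" + ", ".join(f"instance.id = '{o}'" for o in instance_ocids) + "}"
```

Run check_layout on your own values before step 15; any non-empty result points at a step that was skipped or misapplied.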