This SK highlights Check Point's CloudGuard solutions for Oracle Cloud Infrastructure (OCI) as well as general guidance, best practices, and solutions to issues discovered in the field.

• Supported Versions: R80.20 | R80.30 | R80.40 | R81 | R81.10 recommended version)
• Supported Deployments:
  • Security Management Server
  • High Availability Cluster (CloudGuard Network for Oracle Cloud Getting Started Guide)
  • Hub & Spoke (sk176863)
  • Single Gateway
  • All-in-One (contact your SE for details) > not recommended for production use
  • Multi-Domain Management (contact your SE for details)
• Licensing: BYOL (all versions), PAYG (R80.40, R81, and R81.10 only)
• Definition of OCPU: Instance sizes: 1 OCPU is equivalent to 2 vCPUs. When you purchase a quantity, you must license according to the total amount of vCPUs.
  • Example: If you want to deploy a cluster with 2 OCPU instances you must purchase a quantity of 4 cores of CloudGuard.
• Cluster Note: Cluster members' system time needs to be within 5 minutes of the actual time to communicate with the OCI API properly.
• Interface MTU: All interfaces must have an MTU of 9000.
• VFIO/SRIOV(***Recommended for best network performance***): VFIO/SRIOV is supported on all supported shapes except Standard2.
• Standard2 Shapes: Supported
• E3.Flex Shapes: Supported(VFIO/SRIOV strongly recommended)
• E4.Flex Shapes: Supported(VFIO/SRIOV strongly recommended)
• Optimized3.Flex Shapes: Supported(VFIO/SRIOV strongly recommended)
• Enhanced DRG(Dynamic Routing Gateway): Supported
• Identity Policies: Ensure that Identity Policies cover all compartments that contain resources relevant to your Check Point installation.  (Ex. - VCN's associated with cluster IP moves due to failover events)
• Making use of DRGs and OCI Service Gateways: OCI service gateways are needed to provide access to the Oracle API Service for cluster operations when internet access is unavailable.  When used in conjunction with DRG's, the OCI Service Gateway route rule must be created in the DRG Route Table.

Performance

Test Coverage / Shape Size	2 OCPUs	4 OCPUs	8 OCPUs	16 OCPUs
Firewall only	2 Gbps	4 Gbps	8 Gbps	16 Gbps
Firewall + IPS	2 Gbps	4 Gbps	8 Gbps	16 Gbps
NGFW (Firewall + IPS + Application Control)	2 Gbps	4 Gbps	8 Gbps	16 Gbps
NGTP (NGFW + URL Filtering + Anti-Virus + Anti-Bot)	2 Gbps	4 Gbps	8 Gbps	16 Gbps

- Performance is limited by the amount of bandwidth allocated to each shape size
- Test environment utilized CloudGuard Network Security R80.40 and E3 shapes with VFIO/SRIOV network interfaces

Current Oracle Cloud Marketplace Listings (as of 10 December 2021)

BYOL Stacks (Terraform deployment templates)

• CloudGuard Security Management - Stack
• CloudGuard NextGen Firewall High Availability - Stack
  
• CloudGuard Next-Gen Firewall with Threat Prevention and SandBlast - Stack
  
• Github Repository for CloudGuard BYOL Stacks
  

BYOL (all versions supported)

• CloudGuard Next-Gen Firewall with Threat Prevention and SandBlast
• CloudGuard Security Management
  
  

PAYG (R80.40, R81, and R81.10 only)

• CloudGuard Security Management for up to 5 Gateways
• CloudGuard Security Management for up to 25 Gateways
• CloudGuard Next-Gen Firewall w/ Threat Prevention - 1 OCPU
• CloudGuard Next-Gen Firewall w/ Threat Prevention - 2 OCPUs
• CloudGuard Next-Gen Firewall w/ Threat Prevention - 4 OCPUs
• CloudGuard Next-Gen Firewall w/ Threat Prevention - 8 OCPUs
• CloudGuard Next-Gen Firewall w/ Threat Prevention and SandBlast - 1 OCPU
• CloudGuard Next-Gen Firewall w/ Threat Prevention and SandBlast - 2 OCPUs
• CloudGuard Next-Gen Firewall w/ Threat Prevention and SandBlast - 4 OCPUs
• CloudGuard Next-Gen Firewall w/ Threat Prevention and SandBlast - 8 OCPUs

Related Information:

• sk176863 - CloudGuard for Oracle Cloud Infrastructure (OCI) - Reference Architecture (Dynamic Routing Gateway method) ***RECOMMENDED***
  • Deep Dive YouTube video on deploying the Reference Architecture
  • Deep Dive Step-by-Step Lab Guide for the Reference Architecture
• sk170205 - CloudGuard for Oracle Cloud Infrastructure (OCI) - Reference Architecture(LPG method)
• CloudGuard Network for Oracle Cloud Getting Started Guide
• sk169814 - How to back up Security Gateways and Security Management Servers deployed in a Public Cloud (Azure, AWS, GCP, OCI)
• sk174257 - How to change shape (instance) size in CloudGuard for Oracle Cloud Infrastructure (OCI)
• sk179225 - Traffic does not pass through the Oracle OCI cluster after rebooting one of the cluster members

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.