Solution ID sk109360
Product vSEC for Azure
Version R77.30
OS Gaia
Platform / Model Azure
Date Created 04-Jan-2016
Last Modified 21-Jun-2017
Solution
The following article describes a reference architecture of a Check Point Security Gateway protecting assets in an Azure virtual network.
Table of Contents
• Network Diagram
• Traffic Flow
• Management
• Deployment through the Azure portal
• Setting up the route tables of the Frontend and Backend gateway subnets
• Setting up backend subnets and their route tables
• Configuration
• Best Practices
• Licensing
• Known Limitations
• Additional Resources
• Related solutions
Network Diagram
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolution... 8/11/2017
Check Point Reference Architecture for Azure Page 2 of 16
This environment consists of 2 separate web applications. Each web application consists of:
• A separate public IP address through which the web application can be accessed
• A web server on a web tier subnet
• An application server on an application tier subnet
The Check Point Security Gateway:
• Performs Network Address Translation (NAT) to hide outgoing connections behind the gateway's address.
• Provides site to site VPN connectivity to on premise networks.
• Provides remote access VPN services to roaming users.
Public Addresses
• A public address directly associated with the Security Gateway's external interface. This address can be used to manage the gateway as well as for site to site VPN and remote access VPN.
• Two public IP addresses (WebApp1, WebApp2), one for each web application. These public addresses are associated with an Azure load balancer.
Traffic Flow
Traffic for WebApp1 is sent to the public IP address allocated for that web application:
• The Azure load balancer is set up with an inbound NAT rule that forwards all HTTP (port 80) traffic arriving at that public address to the Check Point gateway's external private address (10.0.1.10) on port 8081.
Traffic for WebApp2 is sent to the public IP address allocated for that web application:
• The Azure load balancer is set up with an inbound NAT rule that forwards all HTTP (port 80) traffic arriving at that public address to the Check Point gateway's external private address (10.0.1.10) on port 8082.
Traffic between the web and application tiers:
This traffic is routed through the Check Point gateway through the use of User Defined Routes (UDR). For more information on UDR, see the User Defined Routes and IP Forwarding article.
Traffic from the backend subnets to the Internet:
This traffic is routed through the Check Point gateway through the use of User Defined Routes (UDR). The Gateway uses NAT to hide this type of traffic behind its external private address (10.0.1.10). As the traffic leaves the virtual network, Azure replaces this private address with the gateway's public address.
Site-to-site VPN:
Encrypted IPsec traffic is sent to the gateway's public IP address. The gateway decrypts the traffic and sends it into the virtual network. Outgoing traffic that needs to be encrypted is routed to the Check Point gateway through the use of User Defined Routes (UDR). The gateway encrypts this traffic and sends it over a site to site VPN tunnel to a Check Point gateway on the perimeter of the on premise network.
Remote access traffic:
Remote access users connect to the Security Gateway using its public IP address. The gateway decrypts the traffic and sends it into the virtual network. Returning packets are routed back to the gateway through the use of User Defined Routes (UDR).
Management
The Security Gateway can be managed in several ways including:
The gateway can be managed by a Security Management server running R77 or higher.
Notes:
• This template can create a new virtual network or allow you to deploy into an existing virtual network
• The template does not create the Web and App subnets - you will need to add these subnets yourself.
• The template does not deploy any web or application VMs
• VMs launched in the backend subnets might require Internet access in order to finalize their provisioning. You should launch these VMs only after you have applied NAT hide rules on the gateway to support this type of connectivity.
• After you deploy the template, the gateway will automatically execute the Check Point First Time Configuration Wizard based on the parameters provided. Once the First Time Configuration Wizard completes, the gateway is expected to reboot.
Setting up the route tables of the Frontend and Backend gateway subnets
In this section we will ensure that the route tables associated with the gateway frontend and backend subnets are set up correctly.
You need to follow this section only if you have deployed the gateway into an existing virtual network. If you have opted to let the template create a new virtual network you should skip this step.
The route table associated with the frontend subnet should consist of the following routes:
- name: frontend-local
address-prefix: frontend-subnet-prefix (e.g. 10.0.1.0/24)
next-hop-type: Virtual network
- name: frontend-to-other-subnets
address-prefix: Virtual Network address prefix (e.g. 10.0.0.0/16)
next-hop-type: Virtual Appliance
next-hop-address: GATEWAY-EXTERNAL-ADDRESS (e.g. 10.0.1.10)
The route table associated with the gateway backend subnet should consist of the following routes:
- name: internal-default
address-prefix: 0.0.0.0/0
next-hop-type: Virtual Appliance
next-hop-address: GATEWAY-INTERNAL-ADDRESS (e.g. 10.0.2.10)
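An added example, not part of this SK, that audits the two route tables above: it reads route-table JSON in the shape returned by `az network route-table list -o json` (the ARM property names addressPrefix, nextHopType and nextHopIpAddress are assumed) and reports any expected route whose next hop is not the Security Gateway, which is the misconfiguration that lets traffic bypass it. The sample route tables are constructed, with a deliberately wrong default route on the gateway backend table.

```python
import ipaddress

# Constructed sample, shaped like `az network route-table list -o json` output
# (ARM property names addressPrefix / nextHopType / nextHopIpAddress assumed;
# the portal's "Virtual network" next hop is "VnetLocal" in ARM terms).
ROUTE_TABLES = [
    {"name": "frontend-rt", "routes": [
        {"name": "frontend-local", "addressPrefix": "10.0.1.0/24",
         "nextHopType": "VnetLocal"},
        {"name": "frontend-to-other-subnets", "addressPrefix": "10.0.0.0/16",
         "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.10"},
    ]},
    {"name": "gateway-backend-rt", "routes": [
        # Deliberately wrong: the default route goes straight to the Internet,
        # so backend traffic would never pass through the Security Gateway.
        {"name": "internal-default", "addressPrefix": "0.0.0.0/0",
         "nextHopType": "Internet"},
    ]},
]

# Expected routes from the article: (prefix, next hop type, next hop address).
EXPECTED = {
    "frontend-rt": [("10.0.0.0/16", "VirtualAppliance", "10.0.1.10")],
    "gateway-backend-rt": [("0.0.0.0/0", "VirtualAppliance", "10.0.2.10")],
}


def audit(route_tables, expected):
    """Compare route tables with the expected UDRs; return a list of findings."""
    findings = []
    by_name = {rt["name"]: rt["routes"] for rt in route_tables}
    for table, wanted in expected.items():
        routes = by_name.get(table)
        if routes is None:
            findings.append(f"{table}: route table missing")
            continue
        for prefix, hop_type, hop_ip in wanted:
            net = ipaddress.ip_network(prefix)
            # Match on the prefix rather than the route name, so a renamed
            # route is still checked and a duplicate prefix is checked twice.
            matches = [r for r in routes
                       if ipaddress.ip_network(r["addressPrefix"]) == net]
            if not matches:
                findings.append(f"{table}: no route for {prefix}")
            for r in matches:
                hop = f"{r['nextHopType']} {r.get('nextHopIpAddress', '')}".strip()
                if (r["nextHopType"], r.get("nextHopIpAddress")) != (hop_type, hop_ip):
                    findings.append(
                        f"{table}: {prefix} -> {hop}, expected {hop_type} {hop_ip}")
    return findings
```

Run `audit` against the real CLI output after deploying into an existing virtual network; an empty list means both gateway subnets steer traffic through the gateway as the article requires.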
For each such backend subnet, create an Azure routing table with the following user defined routes:
With reference to the diagram above, here is a routing table that can be used by the Web subnet:
Configuration
1. SSH into the gateway and add the following route:
Where:
◦ VIRTUAL-NETWORK-PREFIX is the prefix of the entire virtual network (e.g. 10.0.0.0/16)
◦ ETH1-ROUTER is the first unicast IP address on the subnet to which eth1 is connected (e.g. 10.0.2.1)
For example: clish -c 'set static-route 10.0.0.0/16 nexthop gateway address 10.0.2.1 on' -s
Note: If the virtual network is comprised of several non-contiguous address prefixes, repeat the above for each prefix.
2. If you have selected sshPublicKey as the authentication method and would like to use the Gaia WebUI, connect to the gateway using SSH and run the following commands:
clish
set user admin password
[enter the password x2]
save config
exit
3. Using the WebUI or SSH, review the configuration of all network interfaces.
9. Create a group with exclusion object to represent all VNET subnets with the exception of the Frontend subnet:
11. Locate and open the gateway object, click on the Topology tab.
Click on eth0.
The topology for the first interface (eth0) should be set to External:
Notes:
◦ Rule 1: Forwards all traffic arriving on the gateway on TCP port 8081 to Web1
◦ Rule 2: Forwards all traffic arriving on the gateway on TCP port 8082 to Web2
◦ Rule 3: Avoids NAT within the Virtual Network
◦ Rules 4-5 (Automatic): Hide outgoing traffic originating from the App-Tier
◦ Rules 6-7 (Automatic): Hide outgoing traffic originating from the Web-Tier
24. Set up any additional firewall rules, VPN and remote access configuration. Refer to the Best Practices section.
Best Practices: Site-to-Site VPN between Azure Check Point Gateway and Check Point (on premise) Gateway
Whenever setting up a Site-to-Site VPN between a Check Point (on premise) Security Gateway and a Check Point Gateway in an Azure cloud, check the following:
Assuming both gateways are managed by the same (on premise) Security Management Server:
1. There should be no need to set up NAT-T in order to make Site-to-Site VPN work in this deployment.
2. IKEv2 is not recommended, as there are issues (related with gateway behind NAT in cloud) for this deployment.
3. Configure the gateway object representing the Check Point Gateway in Azure cloud, as follows:
a. In IPv4 Address: Enter the Public IP address of the gateway (this is the Azure public IP that the Check Point Gateway is behind). If the device is a standalone, then use the private IP, otherwise internal communication will break.
b. In IPsec VPN, Link Selection: Select "Always use this IP address" and then "Main address".
The above two settings will ensure that the Security Management and (on premise) Security Gateways send traffic to the gateway in Azure cloud over its public IP address.
4. In the Link Selection settings of the same object, under Source IP address settings: Select 'Manual > Selected address from topology table:' and then select the private IP address of the external interface of the Check Point Gateway on the Azure side.
These settings will ensure that the Gateway in the Azure cloud sends encrypted traffic with the source address set to its private IP address.
This IP address is then translated by Azure to the public IP address before it reaches the (on premise) Security Gateway.
◦ A public IP address in Azure can be either dynamic or static. For the deployment being discussed here, only Static is supported.
◦ More importantly, a public IP address in Azure can be associated with one of two objects:
◾ A load balancer
◾ A network interface
The public IP address used for the VPN must therefore be:
◾ Static
◾ Associated directly with the network interface of the gateway only and not with a load balancer.
Other than that, the VPN setup is very much like any gateway behind Static NAT scenario.
Note: If this is a Cluster, refer to sk110194 - Deploying a Check Point Cluster in Microsoft Azure - VPN Configuration
Licensing
The Gateway can be licensed in two ways:
• Bring-Your-Own-License (BYOL)
• Pay-As-You-Go (PAYG) - The vSEC Gateway is pre-licensed. PAYG is only available in Standard Azure and is not available in Azure US Government.
Known Limitations
• QoS is currently not supported
• VSX is not supported
Additional Resources
For more videos, visit the Check Point Support YouTube channel.
Related solutions
• sk110993 - Securing ExpressRoute traffic in Microsoft Azure
• sk110194 - Deploying a Check Point Cluster in Microsoft Azure
• sk113583 - How to add a network interface to a Check Point Security Gateway in Azure
Applies To:
• This SK replaces sk109693