CP R80.10 and Above Virtual Machine Scale Sets (VMSS) For Microsoft Azure


05 February 2020

Virtual Machine Scale Sets (VMSS) for Microsoft Azure
R80.10 AND ABOVE
Administration Guide
[Classification: Protected]
Check Point Copyright Notice
© 2020 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed
under licensing restricting their use, copying, distribution, and decompilation. No part of this product or
related documentation may be reproduced in any form or by any means without prior written authorization
of Check Point. While every precaution has been taken in the preparation of this book, Check Point
assumes no responsibility for errors or omissions. This publication and features described herein are
subject to change without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)
(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the
latest functional improvements, stability fixes, security enhancements and protection
against new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page.

Latest Version of this Document
Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.

Revision History

Date - Description

05 February 2020 - Added Note: By default, every Check Point Security Gateway and Security Management Server's WebUI is accessible from the internet by browsing to http://<virtual-machine-public-ip>. Restricting access to the WebUI is possible by configuring a Network Security Group, or by configuring the Check Point Gateway and Management Server settings.

30 December 2020 - Updated steps 3, 4, and 5 (removed step 5 "Save the changes in the shell script and exit the Vi editor"; step 6 is now step 5, and so on) in "Testing scale-in and scale-out events" (on page 37) > "To test scale-in and scale-out events, simulate a high CPU load on the CloudGuard IaaS Security Gateways".

23 September 2020 - Updated the guide to reflect the release of the new CME (Cloud Management Extension) and the new CME Admin Guide.

14 August 2020 - Updated: "Upgrading the CloudGuard VMSS Solution" (on page 49), steps 3, 4, and 5.

17 April 2020 - Updated: "Licensing" (on page 38).

26 March 2020 - Updated: Downloading and Installing the Latest Auto Provisioning Version (now CME).

12 March 2020 - Updated:
- "Inbound Traffic" (on page 16)
- "Inbound Traffic Reply" (on page 16)
- "Outbound Traffic" (on page 17)
- "Outbound Traffic Reply" (on page 18)
- "East-West Outbound Traffic" (on page 19)
- "East-West Outbound Traffic Reply" (on page 20)
- "Step 4: Deploy the Check Point VMSS and Assign the Azure AD Application" (on page 24)
- Downloading and Installing the Latest Auto Provisioning Version (now CME)
- "Known Limitations" (on page 52)
  Removed these limitations:
  - Management High Availability deployment is not supported.
  - Multi-Domain Server and Multi-Domain Server High Availability are not supported.
  Added these limitations:
  - To manage R80.20 VMSS with an R80.10 Management Server, you must install R80.10 Jumbo Hotfix Accumulator (R80_10_jumbo_hf) Take 169 and above.
  - On a Multi-Domain Server, automatic provisioning works on the configured Domains sequentially (and not on all Domains in parallel).
  - Support for Multi-Domain Server and Management High Availability is available with Add-On version 419 and above.
Added:
- Managing VMSS with One Multi-Domain Server
- Managing VMSS with Management High Availability

11 February 2020 - Updated "Known Limitations" (on page 52): added information about the Instance Level Public IP (ILPIP) address.

14 January 2020 - Updated "Network Diagram" (on page 11).

06 January 2020 - First release of this document.

Table of Contents
Overview 8
Introduction to Virtual Machine Scale Sets (VMSS) 8
Prerequisites 8
Scale-In and Scale-Out Events 9
Scale-In 9
Scale-Out 9
Components of the Check Point Deployed Solution 10
Load Balancers 11
Network Diagram 11
Traffic Flows 16
Inbound Traffic 16
Inbound Traffic Reply 16
Outbound Traffic 17
Outbound Traffic Reply 18
East-West Outbound Traffic 19
East-West Outbound Traffic Reply 20
Intra-Subnet Traffic 21
Configuration Steps 22
Step 1 Create an Azure AD and Service Principal 22
Step 2 Install the Check Point Security Management Server 23
Step 3: Configure the Check Point Security Management Server 23
Step 4: Deploy the Check Point VMSS and Assign the Azure AD Application 24
Step 5: Set up the External Load Balancer 27
Step 6: Configure Inbound Protection 28
Step 7: Configure Outbound and East-West Protection 30
Configuring Protection for the VMSS VNET 31
Configuring Protection for External VNETs 33
Additional Information 37
Testing scale-in and scale-out events 37
Licensing 38

IPS Geo Protection Based on X-Forwarded-For HTTP Header 38
Use Case 1 39
Use Case 2 39
User Defined Routes 40
Autoscale setting 40
Configuring the Load Balancer to Listen on Additional Ports 41
Configuring the Load Balancer to Listen on Additional Public IP Addresses 42
Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal' 44
Configuring HTTPS Inspection 44
Creating an Outbound Certificate 44
Creating an HTTPS Inspection Rule to Inspect SSL Traffic 45
Downloading and Installing the Latest CME (Cloud Management Extension) Version 46
Configuring the CME (Cloud Management Extension) on the Security Management Server 46
Deploying a Security Management Server in Azure 49
Upgrading the CloudGuard VMSS Solution 49
Known Limitations 52

Overview
Use this guide to:
- Deploy a new Check Point VMSS [1] for Microsoft Azure.
- Configure an existing Check Point VMSS for Microsoft Azure, for templates 20180610 and above.
  You can locate the template version on each CloudGuard instance in this file:

  /etc/cloud-version

See sk115533:
- To configure an existing R80.10 VMSS for Microsoft Azure with a template version below 20180610
- To deploy or configure R77.30 VMSS for Microsoft Azure

Introduction to Virtual Machine Scale Sets (VMSS)
Virtual Machine Scale Sets (VMSS) are an Azure compute resource you can use to deploy and manage
sets of identical Virtual Machines (VMs). The scale sets increase or decrease the number of Virtual
Machines based on the current needs.
For example, multiple web servers serve a web application. The web servers are deployed across
multiple fault and update domains. A Load Balancer distributes network traffic across this group of web
servers as needed.
In the current cyber-landscape, it is critical that you protect these environments from attackers with a
security solution that is as scalable as the resources it protects. As the number of resources you protect
scales up or down, the number of Security Gateways that provide protection has to scale as well.
Azure Autoscale is set up to increase or decrease the number of Check Point CloudGuard IaaS Security
Gateways that protect your environment in the VMSS. A Check Point Security Management Server
manages these Check Point CloudGuard Security Gateways. The Check Point Security Management
Server can be located either in Azure or on-premises.
See the Azure documentation for information on configuring multiple Virtual Machines: Configure multiple
virtual machines in an availability set for redundancy.

Prerequisites
Make sure you are familiar with these topics:

[1] When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing
VNet. You also need to decide how your VMs are intended to be accessed on the VNet. It is important
to plan before creating resources and make sure that you understand the limits of networking resources.

Vendor - Topics

Microsoft Azure:
- VMSS
- Autoscaling
- Load Balancers
  - High Availability ports
- Identity and access management

Check Point:
- Check Point R80.10 and Above
- Check Point with Azure

Scale-In and Scale-Out Events
Each VMSS must define Scale-In and Scale-Out events.
You can edit or view the configuration in Azure Portal > VMSS > Scaling.
Default triggers for the firewall VMSS:
- Scale-out on more than 80% CPU usage, for an average of five minutes.
- Scale-in on less than 60% CPU usage, for an average of five minutes.
Note - For additional information, see "Autoscale setting" (on page 40).

Scale-In
A scale-in event occurs as a result of a decrease in the current load. When a scale-in event triggers, Azure
Autoscale designates one or more of the gateways as candidates for termination. The External Load
Balancer stops forwarding new connections to these gateways, and Autoscale terminates them. The Check
Point Security Management Server detects that these CloudGuard IaaS Security Gateways are stopped
and automatically deletes these gateways from its database.
Note - We recommend that you have at least two Security Gateways for redundancy and availability
purposes.

Scale-Out
A scale-out event occurs if the current load increases. When a scale-out event is triggered:
- Azure Autoscale launches one or more new instances of the Check Point CloudGuard IaaS Security
  Gateways.
- The new instances of CloudGuard IaaS Security Gateways automatically execute the Check Point
  First Time Configuration Wizard and then reboot.


During the scale-out, the Check Point Security Management Server detects that new instances of
CloudGuard IaaS Security Gateways have launched. The Security Management Server waits until the
CloudGuard IaaS Security Gateways finish deploying, and then the Security Management Server
automatically:
- Initializes a Secure Internal Communication (SIC) channel with these CloudGuard IaaS Security
  Gateways.
- Installs a Security Policy on these CloudGuard IaaS Security Gateways.
After a Security Policy is installed, these CloudGuard IaaS Security Gateways start to respond to health
probes. The Load Balancer then starts to forward new connections to them. The newly created
CloudGuard IaaS Security Gateways report their status and send logs to the Check Point Security
Management Server.
Notes:
1. In the case of a Scale-Out event, the latest available Check Point image is used to deploy the new Virtual
   Machine.
2. When you use template version 20181017 or above:
   a. Fast Deployment Images (Blink) with a pre-installed Jumbo Hotfix Accumulator are used.
   b. In the case of a Scale-Out event, the new Virtual Machine uses the latest available Check Point
      image. For R80.10, the latest available image might include a newer Jumbo Hotfix Accumulator
      version.
For more information:
- CloudGuard for Azure Latest Updates - see sk132192
- Jumbo Hotfix Accumulator for R80.10 - see sk116380
- Blink - Gaia Fast Deployment - see sk120193

Components of the Check Point Deployed Solution
The diagram below depicts an Azure Virtual Network (VNET) with the Check Point solution deployed.
There are two backend subnets - WebApp1 and WebApp2.
WebApp1 and WebApp2 are each a user-deployed backend subnet. Each has its own load-balanced web
server.
The Check Point deployed solution has these components:
- Frontend subnet
- Virtual Machine Scale Set (VMSS)
  The number of instances that you can deploy in the Cloud is dynamic.
- Internal Load Balancer
- Backend subnet
- External Load Balancer
- Public IP address for each VMSS instance (optional)
- You cannot deploy other VMs in the VMSS subnets.

Load Balancers
In the diagram below you can see Load Balancers at three levels.
These routes describe the flow of traffic through the Load Balancers:
- The Load Balancer at the first level is the External Load Balancer, where traffic comes in from the
  Internet.
- The Load Balancer at the second level is the Internal Load Balancer of the Check Point deployed
  solution.
- The Load Balancer at the third level (in this diagram there are two) is the Internal Load Balancer of
  the Web Servers.
Subnets with load balanced hosts (such as web servers) use the Load Balancers at the third level.

Load Balancer deployment options:
- Standard - Both Load Balancers (including the ELB public IP address).
- External Only - The Internal Load Balancer is not deployed.
- Internal Only - The External Load Balancer (including its public IP) is not deployed. For outbound
  inspection, it is mandatory to deploy an External Load Balancer and/or instance level public IP
  addresses.

Network Diagram
See the routing tables below the diagram.

[Network diagram - image not reproduced in this text version]

Note - WebAppA and WebAppB routing tables have the same VNET address, but different subnet
addresses.


(1) Load Balancing Rules of the External Load Balancer

Example 1: Frontend WebAppA:80 - Backend port 8081
Example 2: Frontend WebAppB:80 - Backend port 8083

(2) Frontend Routing Table - User Defined Routes (UDR)

Destination     Nexthop
10.0.0.0/16     None (Drop)
10.0.1.0/24     Virtual Network

(3) Backend Routing Table - User Defined Routes (UDR)

Destination     Nexthop
0.0.0.0/0       None (Drop)

(4) WebAppA - User Defined Routes (UDR)

Destination                            Nexthop
10.0.0.0/16 (VNET address)             10.0.2.4 (IP address of the Internal Load Balancer)
0.0.0.0/0                              10.0.2.4 (IP address of the Internal Load Balancer)
10.0.2.0/24                            Virtual Network
10.0.3.0/24 (WebApp1 subnet address)   Virtual Network

(5) WebAppB - User Defined Routes (UDR)

Destination                            Nexthop
10.0.0.0/16 (VNET address)             10.0.2.4 (IP address of the Internal Load Balancer)
0.0.0.0/0                              10.0.2.4 (IP address of the Internal Load Balancer)
10.0.2.0/24                            Virtual Network
10.0.4.0/24 (WebApp2 subnet address)   Virtual Network

(6) Hosts

WebAppA (subnet)   load balanced VMSS
WebAppB (subnet)   load balanced VMSS
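The routing tables above decide which flows are forced through the Check Point Internal Load Balancer and which are dropped. The following added example (not part of the guide) replays Azure's longest-prefix-match selection over those exact tables, and also shows the frontend-NIC management caveat from Step 4: without an extra route for the Security Management Server, its private address falls under the 10.0.0.0/16 drop. The 10.0.5.10 management address and the next-hop type of the added route are assumptions.

```python
from ipaddress import ip_address, ip_network

# Addressing as drawn in the guide's Network Diagram section: VNET 10.0.0.0/16,
# frontend subnet 10.0.1.0/24, backend subnet 10.0.2.0/24 with the Internal Load
# Balancer at 10.0.2.4, WebApp1 10.0.3.0/24, WebApp2 10.0.4.0/24.
ILB = "10.0.2.4"
DROP = "None (Drop)"
VNET = "Virtual Network"

ROUTE_TABLES = {
    "frontend": [("10.0.0.0/16", DROP), ("10.0.1.0/24", VNET)],
    "backend": [("0.0.0.0/0", DROP)],
    "webappA": [("10.0.0.0/16", ILB), ("0.0.0.0/0", ILB),
                ("10.0.2.0/24", VNET), ("10.0.3.0/24", VNET)],
    "webappB": [("10.0.0.0/16", ILB), ("0.0.0.0/0", ILB),
                ("10.0.2.0/24", VNET), ("10.0.4.0/24", VNET)],
}


def next_hop(table, destination):
    """Longest-prefix match over a UDR table, which is how Azure selects a route.
    Returns "System route" when no UDR matches (Azure then applies its own defaults)."""
    dst = ip_address(destination)
    best_net, best_hop = None, "System route"
    for prefix, hop in table:
        net = ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def with_management_route(table, mgmt_private_ip):
    """Step 4 caveat for frontend-NIC management: add a route whose Destination and
    Next Hop are the Security Management Server's private IP. Modelling the next hop
    as that IP (rather than a named hop type) is an assumption; the effect is that the
    /32 now beats the 10.0.0.0/16 drop."""
    return table + [(f"{mgmt_private_ip}/32", mgmt_private_ip)]


def audit_flows():
    """Spot-check that each table yields the flow the Traffic Flows section describes."""
    t = ROUTE_TABLES
    return {
        # WebApp1 host -> Internet: outbound inspection via the Internal Load Balancer
        "webappA_to_internet": next_hop(t["webappA"], "8.8.8.8"),
        # WebApp1 host -> WebApp2 host: east-west inspection via the Internal Load Balancer
        "webappA_to_webappB": next_hop(t["webappA"], "10.0.4.10"),
        # WebApp1 host -> WebApp1 host: intra-subnet, uninspected (the /24 wins over /16)
        "webappA_intra_subnet": next_hop(t["webappA"], "10.0.3.20"),
        # Frontend NIC -> another VNET subnet: dropped, so nothing bypasses the gateways
        "frontend_to_vnet": next_hop(t["frontend"], "10.0.3.20"),
        # Frontend NIC -> its own subnet: allowed (the /24 wins over /16)
        "frontend_intra_subnet": next_hop(t["frontend"], "10.0.1.7"),
    }


def management_reachability(mgmt_private_ip="10.0.5.10"):
    """Constructed management address: the frontend table before and after the
    required route, returned as a (before, after) pair of next hops."""
    before = next_hop(ROUTE_TABLES["frontend"], mgmt_private_ip)
    fixed = with_management_route(ROUTE_TABLES["frontend"], mgmt_private_ip)
    return before, next_hop(fixed, mgmt_private_ip)


if __name__ == "__main__":
    for name, hop in audit_flows().items():
        print(f"{name:24s} -> {hop}")
    print("management before/after:", management_reachability())
```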

Traffic Flows
Inbound Traffic
Inbound traffic flow:

1. The request traffic arrives from the Internet at the External Load Balancer in the Check Point
   deployed solution.
2. The External Load Balancer forwards the request traffic to a VMSS Gateway instance.
3. The VMSS Gateway instance:
   a. Inspects the request traffic.
   b. Performs Static NAT on the request traffic.
   c. Forwards the request traffic to the Application's Internal Load Balancer.
4. The Application's Internal Load Balancer forwards the request traffic to the Web Server Host.

Inbound Traffic Reply
Inbound traffic reply:

1. The reply traffic arrives from the Web Server Host at the original VMSS Gateway instance.
2. The VMSS Gateway instance:
   a. Inspects the reply traffic.
   b. Forwards the reply traffic to the External Load Balancer.
3. The External Load Balancer forwards the reply traffic to the destination on the Internet.

Outbound Traffic
Outbound traffic flow:

1. The request traffic arrives from the Web Server Host at the Internal Load Balancer in the Check
   Point deployed solution.
2. The Internal Load Balancer forwards the request traffic to a VMSS Gateway instance.
3. The VMSS Gateway instance:
   a. Inspects the request traffic.
   b. Performs Hide NAT on the request traffic.
   c. Forwards the request traffic to the External Load Balancer.
4. The External Load Balancer forwards the request traffic to the destination on the Internet.

Outbound Traffic Reply
Outbound traffic reply:

1. The reply traffic arrives from the Internet at the External Load Balancer in the Check Point
   deployed solution.
2. The External Load Balancer forwards the reply traffic to a Check Point Security Gateway
   instance (Active Cluster Member) in the VMSS.
3. The Check Point Security Gateway instance:
   a. Inspects the reply traffic.
   b. Forwards the reply traffic to the Internal Load Balancer in the Check Point
      deployed solution.

East-West Outbound Traffic
East-West outbound traffic flow:

1. The request traffic arrives from the Web Server Host 1 at the Internal Load Balancer in the
   Check Point deployed solution.
2. The Internal Load Balancer forwards the request traffic to a VMSS Gateway instance.
3. The VMSS Gateway instance:
   a. Inspects the request traffic.
   b. Forwards the request traffic to the corresponding Internal Load Balancer of the
      Web Server Host 2.
4. The Internal Load Balancer of the Web Server Host 2 forwards the request traffic to the
   destination Web Server Host 2.

East-West Outbound Traffic Reply
East-West outbound traffic reply:

1. The reply traffic arrives from the Web Server Host 2 at the Internal Load Balancer in the Check
   Point deployed solution.
2. The Internal Load Balancer forwards the reply traffic to the same VMSS Gateway instance that
   processed the request traffic from the Web Server Host 1 to the Web Server Host 2.
3. The Check Point Security Gateway instance:
   a. Inspects the reply traffic.
   b. Forwards the reply traffic to the corresponding Internal Load Balancer of the Web
      Server Host 1 in the Check Point deployed solution.

Intra-Subnet Traffic
Traffic travels freely in the subnet without inspection.

Configuration Steps
Step 1: Create an Azure AD and Service Principal
With the Azure AD and Service Principal, the Check Point Security Management Server monitors the
creation and state of the VMSS, so it can complete the provisioning of these gateways.
From the Azure website, go to Create an Azure Active Directory Application and Service Principal.
Use these parameters:

Field - Parameter

Name - Application_Name
Example: check-point-autoprovision

Application Type - Web-App / API

Sign-on URL - https://localhost/<Application_Name>
Example: https://localhost/check-point-autoprovision

After you create the application, write down these values, because you will use them in "Step 3:
Configure the Check Point Security Management Server" (on the next page):
- Application ID (client_id)
- Key value (client_secret)
- Tenant ID (tenant)
- Directory ID

Note - We recommend that you set the key to never expire.

Step 2: Install the Check Point Security Management Server
These steps are required only if you do not have an installed Check Point Security Management Server.
If you already have the Check Point Security Management Server installed, skip to Step 3.
Requirements for the Check Point Security Management Server:
- Must be Check Point R80.10 and Above.
- Must initiate connections to the CloudGuard IaaS Security Gateways.

Requirements for CloudGuard IaaS Security Gateways:
- Have to initiate connections to the Security Management Server. For example, to send logs.

Deploying a Security Management Server in Azure:
Follow the instructions in the "Deploying a Security Management Server in Azure" (on page 49) section.

Deploying a Security Management Server on-premises:
Follow the instructions in the Check Point Installation and Upgrade Guide for your Management Server
version (for example: R80.10, R80.20, R80.30).

Step 3: Configure the Check Point Security Management Server
Follow these steps to manage the Virtual Machine Scale Sets with the Check Point Security
Management Server:

1. Install CME. See "Downloading and Installing the Latest CME (Cloud Management Extension)
   Version" (on page 46).
2. Configure CME. See "Configuring the CME (Cloud Management Extension) on the Security
   Management Server" (on page 46).
3. Configure the Security Policy in SmartConsole.
   Important - The name of the policy has to match exactly the value that you
   configured in Step 2 above.

Note - By default, every Check Point Security Gateway and Security Management Server's WebUI is
accessible from the internet by browsing to http://<virtual-machine-public-ip>. Restricting access to the
WebUI is possible by configuring a Network Security Group, or by configuring the Check Point Gateway
and Management Server settings.

Step 4: Deploy the Check Point VMSS and Assign the Azure AD Application
Deploy the CloudGuard IaaS - Firewall and Threat Prevention from the Azure Marketplace.
- Use these parameters in the Basic section:

Parameter - Description

Gateway scale set name - The name of the VMSS resource group.

Credentials - The public key, or username and password, for SSH connections to the
CloudGuard IaaS Gateway.

Subscription - The Azure subscription where the VMSS is deployed.

Resource group - The Azure Resource Group where the VMSS is deployed.
Important - The Resource Group must be empty.

Location - The location where the VMSS is deployed.

- Use these parameters in the Check Point VMSS settings section:

Parameter - Description

Are you upgrading your CloudGuard VMSS solution? - Defines whether this is a new deployment, or
whether the purpose of this deployment is to upgrade an existing VMSS deployment. If upgrading
the CloudGuard VMSS solution, choose Yes.
See "Upgrading the CloudGuard VMSS Solution" (on page 49).

Initial number of Security Gateways - The minimum number of CloudGuard IaaS Gateway instances in
the VMSS. We recommend at least two.

Maximum number of Security Gateways - The maximum number of CloudGuard IaaS Gateway instances in
the VMSS.

Management name - The name of the Security Management Server.
Example: my-management
See "Configuring the CME (Cloud Management Extension) on the Security Management Server" (on page 46).

Configuration template name - The name of the configuration template from the CME service.
Example: my-configuration-template

Administrator email address - The email address of the Administrator responsible for scaling
operations, such as the launching of a new gateway, or a gateway termination.

Load Balancer deployment - Defines which Load Balancer to deploy:
  - Standard (External & Internal inspection).
  - External only (Inbound inspection only).
  - Internal only (Outbound & East-West inspection only). For outbound inspection, it is
    mandatory to deploy an External Load Balancer and/or instance level public IP addresses.

Check Point CloudGuard External Load Balancer session persistence - The load balancing
distribution method for the External Load Balancer (Inbound).
See Configure the distribution mode for Azure Load Balancer.

Check Point CloudGuard Internal Load Balancer session persistence - The load balancing
distribution method for the Internal Load Balancer (Outbound and East-West).
See Configure the distribution mode for Azure Load Balancer.

Deploy the VMSS with instance level public IP address - If you select yes, each VMSS instance gets
its own public IP address. The Security Management Server can use those IP addresses to manage
from the external VNET.
Default value: no.
Important - The value you configure is irreversible.

Management interface and IP address - Select which IP address to use as the management interface
for the VMSS:
  - Backend NIC's private IP address.
  - Frontend NIC's public IP address - only available if you deploy an Instance Level Public IP
    (ILPIP) address.
  - Frontend NIC's private IP address.
Private: Manage the Gateway VMSS with the private IP address of the instance. The Security
Management Server must have access to the private IP addresses (for example, by being in the
same or a peered VNET). If you use the frontend NIC, you must add a corresponding rule in the
Frontend Route Table: Destination & Next Hop: <The private IP address of the Security
Management Server>.
Public: Manage the Gateway VMSS with the public IP address of the instance.
Note: Support for private addresses is available with Add-On version 419 and above, and
template version 20200303 and above.

Number of Availability Zones to use - Defines the Azure Availability Zones for your VMSS:
  - None - Do not use Azure Availability Zones.
  - 1 - Use Azure zonal redundancy.
  - 2 - Use Azure two-zone redundancy (zones [1, 2]).
  - 3 - Use Azure three-zone redundancy (zones [1, 2, 3]).
Notes:
  - Only available if you deploy in a supported Azure location.
  - Support for Azure Availability Zones is available with template version 20200303 and above.

- Use these parameters in the Network settings section:

Parameter - Description

Network setting - A pre-existing Virtual Network and its subnets, or the name of a new Virtual
Network and subnets, where the VMSS is deployed.
Note: When you use a pre-existing subnet:
  - Make sure no other Virtual Machines are deployed in those subnets.
  - Make sure to correctly define user defined routes (UDR) for each subnet
    (see the "Network Diagram" (on page 11) section).

Assign the Azure Active Directory application as described in "Step 1: Create an Azure AD and
Service Principal" (on page 22). Add a minimum role of Reader to both the VMSS and the VNET. See
Assign application to role.
Notes:
- Newly provisioned Security Gateways automatically receive the latest published Security Policy. You
  have to install the policy on the existing Security Gateways to update their Security Policy.
- Auto Scaling Security Gateway objects are automatically created and deleted according to the
  current environment. Therefore, we do not recommend that you use specific gateway objects in rules. We
  also do not recommend that you manually edit those objects.
- In the case of a Scale-Out event, the latest available Check Point image is used to deploy the new Virtual
  Machine.
- When you use template version 20181017 or above:
  a. Fast Deployment Images (Blink) with a pre-installed Jumbo Hotfix Accumulator are used.
  b. In the case of a Scale-Out event, the new Virtual Machine uses the latest available Check
     Point image. For R80.10, the latest available image might include a newer Jumbo Hotfix
     Accumulator version.
  For more information:
  - CloudGuard for Azure Latest Updates - see sk132192
  - Jumbo Hotfix Accumulator for R80.10 - see sk116380
  - Blink - Gaia Fast Deployment - see sk120193
- By default, every Check Point Security Gateway and Security Management Server's WebUI is
  accessible from the internet by browsing to http://<virtual-machine-public-ip>. Restricting access to
  the WebUI is possible by configuring a Network Security Group, or by configuring the Check Point
  Gateway and Management Server settings.

Step 5: Set up the External Load Balancer
By default, the template you deploy creates an external (Internet facing) Load Balancer that:
- Listens on TCP port 80 on the static public IP address of the External Load Balancer.
- Forwards the traffic it receives to the pool of Check Point CloudGuard Security Gateways on TCP
  port 8081.
- Uses TCP health probes on port 8117 to determine the health of the Check Point CloudGuard IaaS
  Security Gateways.

Notes:
- You cannot use ports 80, 443, 444, 8082, 8117 and 8880 for forwarded traffic.
- Do not change the health probes.
- The Check Point VMSS Resource Group includes a Network Security Group (NSG). By default, the
  NSG allows all outbound and inbound traffic.

You can configure the Load Balancer to listen on additional ports and/or on additional public IP addresses.
See Load balancing with Multiple front-ends.
For use cases, see:
- "Configuring the Load Balancer to Listen on Additional Ports" (on page 41)
- "Configuring the Load Balancer to Listen on Additional Public IP Addresses" (on page 42)
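Before adding load-balancing rules, it pays to check a planned rule set against the constraints in Step 5 (reserved backend ports, untouched 8117 health probe) and to derive the per-port SmartConsole objects that Step 6 asks for (a TCP service such as http-8081, an Access Control rule to LocalGatewayExternal, and a NAT rule to the Internal Load Balancer host). This added Python example is not part of the guide; the rule set and the object-name convention are constructed for illustration, and the uniqueness check on backend ports is an assumption drawn from the NAT rule keying on the internal port.

```python
# Constraints stated in Step 5 of the guide.
RESERVED_BACKEND_PORTS = {80, 443, 444, 8082, 8117, 8880}  # cannot carry forwarded traffic
HEALTH_PROBE_PORT = 8117                                   # "Do not change the health probes"

# Constructed plan: the template's default rule (80 -> 8081) plus two additions of the kind
# the "additional ports" use case describes; the third one deliberately breaks the rules.
PLANNED_RULES = [
    {"name": "http-app1", "frontend_ip": "elb-pip-1", "frontend_port": 80,
     "backend_port": 8081, "protocol": "HTTP"},
    {"name": "http-app2", "frontend_ip": "elb-pip-1", "frontend_port": 8080,
     "backend_port": 8083, "protocol": "HTTP"},
    {"name": "bad-rule", "frontend_ip": "elb-pip-1", "frontend_port": 443,
     "backend_port": 443, "protocol": "HTTPS"},
]


def validate_lb_rules(rules, probe_port=HEALTH_PROBE_PORT):
    """Return a list of human-readable problems; an empty list means the plan is acceptable."""
    problems = []
    if probe_port != HEALTH_PROBE_PORT:
        problems.append(f"health probe moved to {probe_port}; the guide says not to change it")
    seen_frontends, seen_backends = set(), set()
    for r in rules:
        fe, be = r["frontend_port"], r["backend_port"]
        for label, port in (("frontend", fe), ("backend", be)):
            if not 1 <= port <= 65535:
                problems.append(f"{r['name']}: {label} port {port} is out of range")
        if be in RESERVED_BACKEND_PORTS:
            problems.append(f"{r['name']}: backend port {be} is reserved on the gateways")
        # Azure cannot have two rules on the same frontend IP:port.
        fe_key = (r["frontend_ip"], fe)
        if fe_key in seen_frontends:
            problems.append(f"{r['name']}: duplicate frontend {r['frontend_ip']}:{fe}")
        seen_frontends.add(fe_key)
        # Assumption: the gateway NAT rule matches on the internal port, so one backend
        # port can only map to one Internal Load Balancer.
        if be in seen_backends:
            problems.append(f"{r['name']}: backend port {be} is already used by another rule")
        seen_backends.add(be)
    return problems


def plan_gateway_objects(rule, ilb_host_name, ilb_listen_service="http"):
    """Derive the three SmartConsole objects Step 6 needs for one validated LB rule.
    Service naming follows the guide's example (http-8081); the rest mirrors the
    field values listed in Step 6, steps 3 to 5."""
    be = rule["backend_port"]
    service = f"{rule['protocol'].lower()}-{be}"
    return {
        "tcp_service": {"name": service, "protocol": rule["protocol"], "port": be},
        "access_rule": {"source": "*Any", "destination": "LocalGatewayExternal",
                        "service": service, "action": "Accept", "track": "Log",
                        "install_on": "*Policy Targets"},
        "nat_rule": {"original_source": "All_Internet",
                     "original_destination": "LocalGatewayExternal",
                     "original_service": service,
                     "translated_source": "LocalGatewayInternal (Hide)",
                     "translated_destination": ilb_host_name,
                     "translated_service": ilb_listen_service},
    }


def plan_all(rules, ilb_hosts):
    """Validate first; only an acceptable plan is turned into gateway objects.
    ilb_hosts maps rule name -> Host object name of that application's Internal Load Balancer."""
    problems = validate_lb_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    return {r["name"]: plan_gateway_objects(r, ilb_hosts[r["name"]]) for r in rules}


if __name__ == "__main__":
    for p in validate_lb_rules(PLANNED_RULES):
        print("problem:", p)
    good = plan_all(PLANNED_RULES[:2], {"http-app1": "internal-load-balancer-app-1",
                                        "http-app2": "internal-load-balancer-app-2"})
    print(good["http-app1"]["nat_rule"])
```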

Step 6: Configure Inbound Protection
Configure Access Control and NAT rules for Northbound-Southbound inbound traffic:

1. Connect with SmartConsole to your Security Management Server or Multi-Domain Server.

2. Create a host object to represent one of these:
   - The Internal Load Balancer that is related to your backend scale sets.
   - The specific host you want to access through the Internet.
   You have to do this for each Internal Load Balancer you use to balance your servers.
   Follow these steps:
   a. Click Objects menu > New Host.
   b. Enter a descriptive name. For example, internal-load-balancer-app-1.
   c. Enter the private IP address of the Internal Load Balancer.
   d. Click OK.

3. Create a new TCP service to represent the External Load Balancer configuration.
   You have to do this for each internal port, such as port 8081.
   Follow these steps:
   a. Click Objects menu > More object types > Service > New TCP.
   b. Enter a descriptive name. For example, http-8081.
   c. In the Protocol field, select the applicable protocol (such as HTTP or HTTPS).
   d. In the Port field, select Customize and enter the port number. For example, 8081.
   e. Click OK.

4. Create a corresponding Access Control rule for each External Load Balancer with these values:
   - Rule No - 1
   - Name - Desired rule name
   - Source - *Any
   - Destination - LocalGatewayExternal
   - VPN - *Any
   - Services and Applications - The service object that represents the internal port
   - Data - *Any
   - Action - Accept
   - Track - Log
   - Install On - *Policy Targets
   Note:
   Create only one LocalGatewayExternal object for each Security Management Server. See
   "Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal'" (on page 44).


5 Create a NAT rule with these values for each Azure External Load Balancer:
n Rule No - 1
n Original Source - All_Internet (do not use *Any)
n Original Destination - LocalGatewayExternal
n Original Services - The service object that represents the internal port
n Translated Source - LocalGatewayInternal - right-click on this cell and select
the NAT method called Hide
n Translated Destination - The Host object that represents the Internal Load Balancer
n Translated Services - The service object that represents the port, on which the
Internal Load Balancer listens (for example, http)
n Install On - *Policy Targets

This NAT rule:


n Matches any traffic that arrives at the CloudGuard Security Gateway on the
applicable internal port.
n Translates the Source IP address to match the IP address of the CloudGuard
Security Gateway that handles the connection ("eth1"). When you use this, the
packets that return are routed to the correct CloudGuard Security Gateway.
n Translates the destination IP address to the IP address of the Internal Load Balancer
associated with the Web Servers.

6 Publish the session.

7 Install the Access Control Policy on the CloudGuard Security Gateways.

Note - If you need HTTPS Inspection, see "Configuring HTTPS Inspection" (on page 44).
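The objects and rules of Step 6, expressed as Check Point Management API calls so the same inbound rule set can be reproduced per application. This is an added example, not part of this guide or of Check Point's tooling; it assumes the default access layer name "Network", the default policy package "Standard", and the naming convention internal-load-balancer-<app>, http-<port> and inbound-<app>.

```python
"""Plan the SmartConsole objects and rules of Step 6 as Check Point Management API
calls (add-host, add-service-tcp, add-access-rule, add-nat-rule) for one published
application. Added example: it builds request bodies only and never contacts a server."""
import ipaddress
import shlex

# Ports the guide says may not be used for forwarded traffic (Step 5 notes).
RESERVED_PORTS = frozenset({80, 443, 444, 8082, 8117, 8880})
# The Internal Load Balancer must sit in RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def plan_inbound_rules(app_name, internal_port, ilb_ip, ilb_service="http",
                       layer="Network", package="Standard"):
    """Return [(api_command, payload), ...] reproducing steps 2 to 5 of Step 6.

    app_name      label used to name the host, service and rules (assumed convention)
    internal_port backend port the External Load Balancer forwards to (e.g. 8081)
    ilb_ip        private IP of the Internal Load Balancer in front of the servers
    ilb_service   service object for the port the Internal Load Balancer listens on
    layer/package access layer and policy package names (assumed: the defaults)
    """
    if not 1 <= internal_port <= 65535:
        raise ValueError(f"invalid TCP port {internal_port}")
    if internal_port in RESERVED_PORTS:
        raise ValueError(f"port {internal_port} is reserved by the VMSS solution")
    ilb = ipaddress.IPv4Address(ilb_ip)
    if not any(ilb in net for net in RFC1918):
        raise ValueError(f"{ilb_ip} is not an RFC 1918 address; the ILB must be internal")

    host_name = f"internal-load-balancer-{app_name}"
    service_name = f"http-{internal_port}"
    return [
        # Step 2: host object for the Internal Load Balancer.
        ("add-host", {"name": host_name, "ip-address": str(ilb)}),
        # Step 3: TCP service for the internal port.
        ("add-service-tcp", {"name": service_name, "port": str(internal_port)}),
        # Step 4: Access Control rule Any -> LocalGatewayExternal on that service.
        ("add-access-rule", {
            "layer": layer, "position": "top", "name": f"inbound-{app_name}",
            "source": "Any", "destination": "LocalGatewayExternal",
            "service": service_name, "action": "Accept",
            "track": {"type": "Log"}}),
        # Step 5: Hide NAT behind LocalGatewayInternal, destination -> the ILB host.
        ("add-nat-rule", {
            "package": package, "position": "top",
            "original-source": "All_Internet",
            "original-destination": "LocalGatewayExternal",
            "original-service": service_name,
            "translated-source": "LocalGatewayInternal",
            "translated-destination": host_name,
            "translated-service": ilb_service,
            "method": "hide"}),
    ]


def _flatten(payload, prefix=""):
    """Turn nested keys into mgmt_cli dotted form, e.g. track.type Log."""
    for key, value in payload.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from _flatten(value, name + ".")
        else:
            yield name, str(value)


def to_mgmt_cli(plan):
    """Render the plan as mgmt_cli lines; the API command 'add-host' becomes 'add host'."""
    lines = []
    for command, payload in plan:
        verb, obj = command.split("-", 1)
        args = " ".join(f"{key} {shlex.quote(value)}" for key, value in _flatten(payload))
        lines.append(f"mgmt_cli {verb} {obj} {args}")
    return lines


if __name__ == "__main__":
    for line in to_mgmt_cli(plan_inbound_rules("app-1", 8081, "10.1.3.4")):
        print(line)
```

The rendered lines run in an authenticated mgmt_cli session on the Management Server, followed by mgmt_cli publish and a policy install.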

Step 7: Configure Outbound and East-West Protection
Configure UDR tables and NAT rules for Southbound-Northbound and East-West traffic protection. See
the diagrams of the traffic flows.
You can configure the Check Point VMSS to inspect Outbound and East-West traffic across internal
subnets.
You can use this to inspect and control traffic of various web clients such as:
n Servers and containers that require software and image updates from repositories located outside
the Virtual Network.
n Virtual desktop environments that run inside the Virtual Network and that access the Internet or each
other.
n Servers that send traffic to each other.

To configure inspection of the traffic from servers in internal private subnets, you have to route traffic
through the Check Point VMSS. Use the Check Point Internal Load Balancer as the Next hop in the private
subnet UDR. The Internal Load Balancer then forwards all the traffic to one of the Check Point Security
Gateways.
Note:
The Internal Load Balancer deploys by default as part of the solution template and is automatically
configured. It is configured to listen and forward all TCP or UDP traffic on HA Ports. The Internal Load
Balancer gets an automatically assigned name backend-lb. Probes monitor the health of the Check
Point VMSS on TCP port 8117 from source IP address 168.63.129.16.

Configuring Protection for the VMSS VNET


To configure the protection of the VMSS VNET:

Step Description

1 Connect with SmartConsole to your Security Management Server or Multi-Domain Server.

2 Create a Network object:

1. Click Objects menu > New Network .


2. Enter a descriptive name.
3. From the left tree, click General .
Enter the applicable information.
4. From the left tree, click NAT.
Select Add automatic address translation rules .
This performs Static NAT for all outbound rules.
5. Click OK.

3 In SmartConsole, from the left navigation panel, click Security Policies .

4 In the Access Control section, click NAT.


5 Make sure these Automatic NAT rules exist:


Rule No - 2
n Original Source - AllVnet
n Original Destination - AllVnet
n Original Services - *Any
n Translated Source - Original
n Translated Destination - Original
n Translated Services - Original
n Install On - *Policy Targets
Rule No - 3
n Original Source - AllVnet
n Original Destination - *Any
n Original Services - *Any
n Translated Source - AllVnet (Hiding Address)
n Translated Destination - Original
n Translated Services - Original
n Install On - *Policy Targets

6 In the Access Control section, click Policy .

7 Add this explicit Access Control rule:


n Name - To Internet
n Source - AllVnet
n Destination - All_Internet
n VPN - *Any
n Services and Applications - *Any
n Data - *Any
n Action - Accept
n Track - Log
n Install On - *Policy Targets

8 In SmartConsole, install the Access Control Policy.


9 Connect to the Azure portal.

10 Add UDR rules with the Internal Load Balancer private IP as next hop.
Do this for each internal private subnet.

1. Override the rule To-internet to use the Internal Load Balancer as the next hop.
2. Add a rule to the Security Gateways with the Virtual Network.
3. Add a rule to internal subnets with the Internal Load Balancer as the next hop.
4. Add a rule to the same subnet with the nexthop Virtual Network.

Example - UDR rules with the Internal Load Balancer private IP as next hop:

NAME ADDRESS PREFIX NEXT HOP

to-internal 10.1.0.0/16 10.1.2.4

to-internet 0.0.0.0/0 10.1.2.4

to-specific-gw 10.1.2.0/24 Virtual Network

intra-subnet 10.0.3.0/24 Virtual Network

Note:
The Internal Load Balancer private IP address is static. To find it, browse into the Internal Load Balancer
named backend-lb.

For more information, see "User Defined Routes" (on page 40)

Configuring Protection for External VNETs


Limitations:
This section is only supported when:
n The template version is 20180711 or above.
n The relevant peered VNETs use private address spaces as defined in RFC 1918 (10.0.0.0/8,
172.16.0.0/12, 192.168.0.0/16).
n Global VNET peering is not supported. See Azure requirements and constraints.

Follow the steps below to inspect traffic between a subnet inside the peered VNET, and a subnet inside the
VMSS VNET, or another peered VNET.
Use case:
Your hub-spoke network topology uses peered VNETs and you want the VMSS, as the hub, to inspect the
traffic.


Solution:
Perform these steps for each VNET:

Step Description

1 Connect with SmartConsole to your Security Management Server or Multi-Domain Server.

2 Create a Network object:

1. Click Objects menu > New Network .


2. Enter a descriptive name.
3. From the left tree, click General .
Enter the applicable information.
4. From the left tree, click NAT.
Select Add automatic address translation rules .
This performs Static NAT for all outbound rules.
5. Click OK.

3 In SmartConsole, from the left navigation panel, click Security Policies .

4 In the Access Control section, click NAT.

5 Make sure these Automatic NAT rules exist:


Rule No - 2
n Original Source - AllVnet
n Original Destination - AllVnet
n Original Services - *Any
n Translated Source - Original
n Translated Destination - Original
n Translated Services - Original
n Install On - *Policy Targets
Rule No - 3
n Original Source - AllVnet
n Original Destination - *Any
n Original Services - *Any
n Translated Source - AllVnet (Hiding Address)
n Translated Destination - Original
n Translated Services - Original
n Install On - *Policy Targets


6 Create a Network Group object to represent the entire internal address space:

1. Click Objects menu > More object types > Network Object > Group > New Network
Group.
2. Enter a descriptive name. For example, AllInternalAddressSpace
3. Add the VNET's Network objects that you created in Step 2 above.
4. Click OK.

7 In the Access Control section, click NAT.

8 Add a Manual NAT rule to skip NAT for internal traffic between VNETs:
n Original Source - Network Group object that represents the entire internal address space
n Original Destination - Network Group object that represents the entire internal address
space
n Original Services - *Any
n Translated Source - Original
n Translated Destination - Original
n Translated Services - Original
n Install On - *Policy Targets

9 In the Access Control section, click Policy .

10 Add this explicit Access Control rule to allow outbound access from the entire internal address
space to the Internet:
n Name - To Internet
n Source - Network Group object that represents the entire internal address space
n Destination - All_Internet
n VPN - *Any
n Services and Applications - *Any
n Data - *Any
n Action - Accept
n Track - Log
n Install On - *Policy Targets

11 In SmartConsole, install the Access Control Policy.


12 Connect to the Azure portal.

13 Override automatic UDR rules for each internal private subnet:


1. Override the rule to-internet to use the next hop as the Internal Load Balancer to monitor
outbound traffic.
2. Add a rule to the subnet's VNET to use the Internal Load Balancer as the next hop to
monitor traffic inside the current VNET.
3. Add a rule to the same subnet with the Virtual Network as the next hop to not monitor
intra-subnet traffic.
4. Add a rule to each of your internal subnets inside the VMSS VNET with the Internal Load
Balancer as the next hop to monitor traffic to internal subnets inside the VMSS VNET.
5. Add a rule to the other internal VNETs you have, to use the Internal Load Balancer as the
next hop to monitor cross-VNET traffic.

Notes:
n You have to define UDR routes from the internal subnet to all the internal subnets inside
the VMSS VNET, except for the VMSS subnets: frontend and backend.
n You do not have to add a rule to the Security Gateway backend subnet with Virtual
Network as the next hop.
n In Azure, if you use a hub-spoke with multiple VNETs peering, make sure to configure
Allow forwarded traffic. You do not have to connect the VNETs directly, if monitoring is
needed.

Example - Override automatic UDR rules for each internal private subnet:

NAME ADDRESS PREFIX NEXT HOP

to-Internet 0.0.0.0/0 10.1.2.4

to-internal-current-vnet 192.168.1.0/16 10.1.2.4

to-internal-current-subnet 192.168.3.0/24 Virtual Network

to-internal-subnet#1-in-VMSS-VNET 10.1.3.0/24 10.1.2.4

to-internal-subnet#2-in-VMSS-VNET 10.1.4.0/24 10.1.2.4

to-internal-specific-VNET#2 172.16.1.0 10.1.2.4
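A checker for a subnet's UDR table against the routing model used in "Configuring Protection for the VMSS VNET" and "Configuring Protection for External VNETs": outbound and cross-subnet traffic must resolve to the Internal Load Balancer, the subnet's own prefix must stay on the Virtual Network next hop, and the VMSS frontend and backend subnets must never resolve to the Internal Load Balancer. This is an added example, not Check Point tooling; it takes the guide's first UDR example as input and assumes that 10.1.2.0/24 in that example is the VMSS backend subnet.

```python
"""Validate one subnet's UDR table against the guide's routing model. Added example.
Azure selects the route with the longest matching prefix, which resolve() reproduces,
so a wide route via the Internal Load Balancer is fine as long as the more specific
Virtual Network routes for the VMSS subnets and the subnet itself are present."""
import ipaddress

VIRTUAL_NETWORK = "Virtual Network"


def parse_routes(rows):
    """rows: (name, address_prefix, next_hop) tuples as in the guide's tables."""
    routes = []
    for name, prefix, hop in rows:
        # Azure wants CIDR prefixes; strict=True rejects host bits such as 10.1.2.5/24.
        routes.append((name, ipaddress.ip_network(prefix, strict=True), hop))
    return routes


def resolve(routes, address):
    """Longest-prefix match for one address; None when no route covers it."""
    addr = ipaddress.ip_address(str(address))
    best = None
    for route in routes:
        if addr in route[1] and (best is None or route[1].prefixlen > best[1].prefixlen):
            best = route
    return best


def check_subnet_udr(subnet, rows, ilb_ip, vmss_subnets):
    """Return a list of findings for the UDR table attached to `subnet` (empty = OK).

    ilb_ip        static private IP of backend-lb, the Internal Load Balancer
    vmss_subnets  {"frontend": cidr, "backend": cidr} of the Check Point VMSS
    """
    subnet = ipaddress.ip_network(subnet)
    try:
        routes = parse_routes(rows)
    except ValueError as err:
        return [f"route table not valid: {err}"]
    findings = []

    # Outbound: 0.0.0.0/0 must point at the Internal Load Balancer.
    if not any(net.prefixlen == 0 and hop == ilb_ip for _, net, hop in routes):
        findings.append("no 0.0.0.0/0 route via the Internal Load Balancer: "
                        "outbound traffic would bypass the CloudGuard gateways")

    # Intra-subnet: the subnet's own prefix must stay on the Virtual Network next hop,
    # otherwise neighbours talk through the gateway (or a wider route hides them).
    own = resolve(routes, subnet.network_address + 1)
    if own is None or own[1] != subnet or own[2] != VIRTUAL_NETWORK:
        findings.append(f"intra-subnet route {subnet} with next hop {VIRTUAL_NETWORK!r} "
                        "is missing or shadowed")

    # VMSS subnets: a route that resolves them to the ILB would loop gateway traffic.
    for label, cidr in vmss_subnets.items():
        hit = resolve(routes, ipaddress.ip_network(cidr).network_address + 1)
        if hit is not None and hit[2] == ilb_ip:
            findings.append(f"VMSS {label} subnet {cidr} is routed through the Internal "
                            f"Load Balancer by route {hit[0]!r}")
    return findings


# The guide's first UDR example; 10.1.2.4 is backend-lb's private IP in that example.
GUIDE_EXAMPLE = [
    ("to-internal", "10.1.0.0/16", "10.1.2.4"),
    ("to-internet", "0.0.0.0/0", "10.1.2.4"),
    ("to-specific-gw", "10.1.2.0/24", VIRTUAL_NETWORK),
    ("intra-subnet", "10.0.3.0/24", VIRTUAL_NETWORK),
]
# Constructed counter-example: both Virtual Network routes were forgotten.
MISSING_VN_ROUTES = [r for r in GUIDE_EXAMPLE if r[2] != VIRTUAL_NETWORK]

if __name__ == "__main__":
    for table in (GUIDE_EXAMPLE, MISSING_VN_ROUTES):
        print(check_subnet_udr("10.0.3.0/24", table, "10.1.2.4",
                               {"backend": "10.1.2.0/24"}) or "OK")
```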


Additional Information
Testing scale-in and scale-out events
Notes:
n When the VMSS deploys, new Check Point CloudGuard IaaS Security Gateways appear.
n When the CloudGuard IaaS Security Gateways are created, they execute the Gaia First Time
Configuration Wizard. This usually takes 10 minutes to complete, but if you have a large Virtual
Machine, it can take longer.
n After the Gaia First Time Configuration Wizard completes, the Check Point Security Management
Server automatically installs policy on the CloudGuard IaaS Security Gateways.
n Use SmartConsole to confirm the Security Policy on the CloudGuard IaaS Security Gateways.
n Use SmartConsole to confirm the CloudGuard IaaS Security Gateways generate and send their
logs.

To test scale-in and scale-out events, simulate a high CPU load on the CloudGuard IaaS Security
Gateways:

Step Description

1 Connect to the command line on the CloudGuard IaaS Security Gateways.

2 Log in to the Expert mode.

3 Download the simulate_cpu_load.sh script from this link:

https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/common/simulat
e_cpu_load.sh

4 Copy the script to the Management Server as: /var/tmp/simulate_cpu_load.sh

5 Assign the execute permission to the shell script:

[Expert@HostName:0]# chmod u+x /var/tmp/simulate_cpu_load.sh

6 Make sure there are no syntax mistakes in the shell script:

[Expert@HostName:0]# sh -n /var/tmp/simulate_cpu_load.sh

7 Execute the shell script to simulate a high CPU load:

[Expert@HostName:0]# /var/tmp/simulate_cpu_load.sh


8 In another command line shell, examine the current CPU load (must be at a high level):

[Expert@HostName:0]# top

9 After 10 minutes, a scale-out event is triggered.


This creates a newly provisioned CloudGuard Security Gateway.

10 After the new CloudGuard Security Gateways are provisioned, on the old CloudGuard Security
Gateways press any key to stop the shell script.

11 On the old CloudGuard Security Gateways, in another command line shell, examine the current
CPU load (must go back to a normal level):

[Expert@HostName:0]# top

12 After approximately 10 minutes, a scale-in event is triggered.


This deletes the new CloudGuard Security Gateway.

Licensing
Because the number of gateways in VMSS can increase and decrease over time, we recommend that you
use CloudGuard IaaS Security Gateways with the Pay As You Go (PAYG) licensing model.
For the list of countries, see sk109360.
You can use this solution template to launch BYOL gateways.
For more information about licensing, see the Check Point CloudGuard Controller Administration Guide
for your Management Server version - Chapter vSEC Central Licensing (for example: R80.10, R80.20).
Important - A VMSS can only use Security Gateways that have the same payment plan, either PAYG or
BYOL.

IPS Geo Protection Based on X-Forwarded-For HTTP Header
The IPS Geo protection filters and logs traffic based on the country from which it arrives. This protection is
applied both to the source address of the connection and to any IPv4 address present in an 'X-
Forwarded-For' HTTP header.
Notes:
n The External Load Balancer does not hide the client's original IP address.
n If an HTTP request goes through multiple proxies or Load Balancers, the X-Forwarded-For HTTP
header is expected to contain multiple IP addresses.
n All IPv4 addresses contained in the X-Forwarded-For HTTP header, are inspected by the IPS Geo
protection.
n Any IPv6 address in the X-Forwarded-For HTTP header is ignored.
For more information, see sk115532 on IPS Geo protection based on X-Forwarded-For HTTP header.

Use Case 1
Single user:
1. A user is located in Dallas (USA), and the client opens a direct connection to the External Load
Balancer.
2. The Load Balancer forwards the connection to one of the Check Point CloudGuard IaaS Security
Gateways and leaves the source IP address unchanged.
3. The IPS Geo protection on the CloudGuard Security Gateway identifies the country of origin as the
United States.
4. The CloudGuard Security Gateway allows or drops the connection based on the policy.

Use Case 2
Multiple users:
1. A user is located in Dallas (USA), and the client opens a direct connection to the External Load
Balancer.
The Load Balancer forwards the UserA's connection to one of the Check Point CloudGuard IaaS
Security Gateways and leaves the UserA's source IP address unchanged.
The IPS Geo protection on the CloudGuard Security Gateway identifies the country of origin as the
United States for the UserA's connection.
2. UserB is also located in Dallas (USA), and the client uses a proxy server to connect to the External
Load Balancer.
The proxy adds an X-Forwarded-For HTTP header to the UserB's connection with the IP address of
the UserB's client in Dallas.
The Load Balancer forwards the connection to one of the Check Point CloudGuard IaaS Security
Gateways.
The IPS Geo protection on the CloudGuard Security Gateways identifies the country of origin as the
United States for the UserB's connection.
3. The CloudGuard Security Gateway allows or drops the connections based on the policy.
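The address set the IPS Geo protection evaluates in the two use cases above, worked through in code: the connection's source IP plus every IPv4 address in X-Forwarded-For (one header or several, comma separated), with IPv6 entries ignored. This is an added example, not Check Point code; the country table is constructed, and the "drop if any inspected address is in a blocked country" verdict is a simplification of the policy decision the guide leaves to the administrator.

```python
"""Which addresses the IPS Geo protection inspects for one HTTP request. Added example
with a constructed country table standing in for the gateway's geo database."""
import ipaddress

# Constructed lookup table (documentation ranges), not real geolocation data.
COUNTRY_BY_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "US",   # say, clients in Dallas
    ipaddress.ip_network("198.51.100.0/24"): "US",  # a proxy also in the USA
    ipaddress.ip_network("192.0.2.0/24"): "DE",     # a proxy abroad
}


def country_of(address):
    """Country code for an address, or None when the table does not cover it."""
    for prefix, country in COUNTRY_BY_PREFIX.items():
        if address in prefix:
            return country
    return None


def geo_inspected_addresses(source_ip, headers):
    """Return the ordered, de-duplicated list of addresses the protection inspects.

    headers: list of (name, value) pairs as received; header names are case-insensitive
    and X-Forwarded-For may appear more than once when several proxies are involved.
    """
    inspected = [ipaddress.ip_address(source_ip)]   # the connection's own source
    for name, value in headers:
        if name.lower() != "x-forwarded-for":
            continue
        for entry in value.split(","):
            entry = entry.strip()
            try:
                addr = ipaddress.ip_address(entry)
            except ValueError:
                continue   # not an IP literal (e.g. "unknown"): nothing to locate
            if addr.version != 4:
                continue   # IPv6 entries in X-Forwarded-For are ignored
            if addr not in inspected:
                inspected.append(addr)
    return inspected


def geo_verdict(source_ip, headers, blocked_countries):
    """'drop' when any inspected address lies in a blocked country, else 'accept'
    (simplified policy: the guide only says the gateway allows or drops per policy)."""
    countries = [country_of(addr) for addr in geo_inspected_addresses(source_ip, headers)]
    return "drop" if any(c in blocked_countries for c in countries) else "accept"


if __name__ == "__main__":
    # Use Case 2, UserB: proxy in front of the client, client address carried in XFF.
    request = [("Host", "app.example"), ("X-Forwarded-For", "203.0.113.10, 2001:db8::1")]
    print(geo_inspected_addresses("198.51.100.7", request))
    print(geo_verdict("198.51.100.7", request, {"DE"}))
```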


User Defined Routes


Route: East-West
Destination: Entire VNET
Nexthop: Virtual appliance - Internal Load Balancer's private IP address
Route Purpose: Inspects all traffic that goes to other subnets in the VNET.
Note: You can replace this one route for the entire VNET with multiple specific subnet routes.

Route: Outbound
Destination: 0.0.0.0/0
Nexthop: Virtual appliance - Internal Load Balancer's private IP address
Route Purpose: Inspects outbound traffic.
Note: The destination address has not been identified by any instance during any route (such as
inbound). Therefore, it is subject to inspection by the Check Point instances in the VNET.

Route: Inbound
Destination: VMSS backend subnet
Nexthop: Virtual Network
Route Purpose: Sends inbound reply traffic to the original CloudGuard Security Gateway instance to
enable inspection.
Note: This enables the inbound traffic to go back to the CloudGuard Security Gateway that is involved in
the inspection.

Route: Intra-subnet
Destination: Subnet itself
Nexthop: Virtual Network
Route Purpose: Sends in-subnet traffic directly to its destination without inspection by a CloudGuard
Security Gateway. There is no micro-segmentation.

If the Management Server is in the VNET, make sure to have specific routes to allow traffic between the
Management Server Virtual Machine and the VMSS instances.

Autoscale setting
Azure Autoscale manages all scale-in and scale-out events. Go to the Azure portal for an overview of
Azure AutoScale.
Azure Autoscale default settings:
1. Adds a Virtual Machine to the VMSS, if the average CPU usage across the VMSS (as reported by the
Azure host) is above 80% for five consecutive 1-minute intervals.
2. Terminates a Virtual Machine, if the average CPU usage across the VMSS (as reported by the Azure
host) is below 60% for five consecutive 1-minute intervals.
Azure sends an email alert and ensures that the number of Virtual Machines in the VMSS stays in the range
between the minimum and maximum number of Virtual Machines, based on the template.


Make sure to confirm that the settings you need appear on the main Azure portal. If a setting is not
available, use the CLI or the Azure Resource Manager to modify it. See the Azure Resource Manager.

Configuring the Load Balancer to Listen on Additional Ports
You can configure the Load Balancer to listen on the TCP port 443, and forward this traffic to the
Check Point CloudGuard Security Gateways on the TCP port 8443:

Step Description

1 Go to the Azure portal.

2 Find the External Load Balancer.


The Load Balancer is in your Resource Group.
The Load Balancer name is frontend-lb

3 Configure a new Load Balancing Rule:

1. From the Load Balancing Rules > Add.


2. Give the rule a name.
Example:

vmss-app-1-tcp-443

3. In the Frontend IP address field, select the pre-existing Frontend IP address.
4. In the Protocol field, select TCP.
5. In the Port field, select 443.
6. In the Backend port field, select 8443.
7. In the Backend pool field, select the pre-existing VMSS pool.
8. In the Health probe, select the health probe.
This is the probe that was created by default by the template (TCP, port
8117).
9. Select the Session persistence.
10. Set the Idle timeout.
11. In the Floating IP field, select Disabled.
12. Click OK.


Configuring the Load Balancer to Listen on Additional Public IP Addresses
You can configure the VMSS to secure multiple web applications, each with its own IP address.
You can configure the Load Balancer to listen on a second public IP address on the TCP port 80, and
forward this traffic to the Check Point CloudGuard Security Gateways on the TCP port 8083:

Step Description

1 Go to the Azure portal.

2 Find the External Load Balancer.


The Load Balancer is in your Resource Group.
The Load Balancer name is frontend-lb

3 In the Azure portal, allocate a new public IP address.


4 Configure the Frontend IP pool .


1. Go to the Load Balancer.
2. Click Frontend IP pool > Add.
3. Give the IP pool a name.
Example:

vsmm-app-2

4. Select the public IP address you created in Step 3.


5. Click OK.

5 Configure a new Load Balancing Rule:

1. Click Load Balancing Rules > Add.


2. Give the rule a name.
Example,

vmss-app-2-tcp-80

3. In the Frontend IP address field, select the newly created Frontend IP address.
4. In the Protocol field, select TCP.
5. In the Port field, select 80.
6. In the Backend port field, select 8083.
7. In the Backend pool field, select the pre-existing VMSS pool.
8. In the Health probe field, select the health probe.
This is the probe that was created by default by the template (TCP, port
8117).
9. Select the Session persistence.
10. Set the Idle timeout.
11. In the Floating IP field, select Disabled > OK.
12. Click OK.


Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal'
You must create these Dynamic Objects in SmartConsole:
n LocalGatewayExternal
n LocalGatewayInternal
Procedure:

Step Description

1 Click Objects menu > More object types > Network Object > Dynamic Object > New
Dynamic Object.

2 Enter this exact name (case-sensitive, no spaces):


LocalGatewayExternal

3 Click OK.

4 Click Objects menu > More object types > Network Object > Dynamic Object > New
Dynamic Object.

5 Enter this exact name (case-sensitive, no spaces):


LocalGatewayInternal

6 Click OK.

7 Publish the session.

Configuring HTTPS Inspection


Follow these steps to enable HTTPS Inspection.
Notes:
n If you have an outbound CA certificate you can skip these steps. Otherwise, create one below.
n only want inbound SSL inspection.

Creating an Outbound Certificate


To create an Outbound Certificate:


Step Description

1 In SmartConsole, from the left navigation panel, click Manage & Settings.

2 From the left tree, click Blades.

3 In the HTTPS Inspection section, click Configure in SmartDashboard.

4 From the left tree, click Gateways .

5 At the bottom of the page, click Create Certificate.

6 Enter the information and click OK.

7 From the left tree, click Policy .

8 Go to the Destination column, and edit the default rule.

9 Right-click Internet > Remove.


Any shows. This means that the inspection takes place with a single-interface gateway.

10 Save the changes:


Click Menu > File > Save.

11 Close the SmartDashboard.

12 In SmartConsole, publish the session.

Creating an HTTPS Inspection Rule to Inspect SSL Traffic


This procedure creates an HTTPS Inspection rule to inspect SSL traffic that belongs to a web
application:

Step Description

1 In SmartConsole, from the left navigation panel, click Manage & Settings.

2 From the left tree, click Blades .

3 In the HTTPS Inspection section, click Configure in SmartDashboard.

4 From the left tree, click Gateways .

5 At the bottom of the page, click Create Certificate.

6 Enter the information and click OK.

7 From the left tree, click Server Certificates .

8 Enter the information and click OK.


9 From the left tree, click Policy .

10 Add this rule:


n Source - Any
n Destination - Any (do not use the Internet object)
n Service - The HTTPS service you created
n Action - Inspect
n Certificate - The certificate you created

11 Save the changes:


Click Menu > File > Save.

12 Close the SmartDashboard.

13 In SmartConsole, publish the session.

Downloading and Installing the Latest CME (Cloud Management Extension) Version
To download and install the CME (Cloud Management Extension) on the Management Server or Multi-
Domain Server, see sk157492.

Configuring the CME (Cloud Management Extension) on the Security Management Server
The instructions below contain information about configuring a VMSS environment in CME. For more
information about CME configurations, see the CME R80.10 and Above Administration Guide.

To configure the CME on the Security Management Server:

Step Description

1 Connect to the command line on the Security Management Server.

2 Log in to Expert Mode.


3 Execute this command (see the explanation of parameters below):

autoprov_cfg init Azure -mn "<Management-Name>" -tn "<Configuration-Template-Name>" -otp "<SIC-key>" -ver <Version> -po "<Policy-Name>" -cn "<Controller-Name>" -sb "<Azure-Subscription>" -at "<Active-Directory-Tenant-ID>" -aci "<Client-ID>" -acs "<Client-Secret>"

Example:

autoprov_cfg init Azure -mn "my-management" -tn "my-configuration-template" -otp "MySICkey123" -ver R80.10 -po "Standard" -cn "Azure-Production" -sb "98e34f37-ece4-4cdc-97dc-44a074f84aff" -at "7113cebb-911c-4122-aa5c-34db449380f7" -aci "82fb1445-f40e-46dc-9cd3-c065e14f132b" -acs "xxx="

4 When this message shows, type yes and press Enter to apply the modifications:
Would you like to restart the autoprovision service now?

5 Confirm the configuration:

[Expert@HostName:0]# service cme test

Every controller in the configuration has to have unique credentials.

6 Follow the instructions in the Enabling and Disabling Software Blades section in CME R80.10
and Above Administration Guide.

Parameters:

"<Management-Name>"
Description: Select a descriptive name. When you deploy the Check Point VMSS with this name, the
Check Point Security Management Server identifies and automatically provisions it.
Example: "my-management"

"<Configuration-Template-Name>"
Description: Configurations that automatically provision the Security Gateways in the VMSS are found in
this template. When you deploy the Check Point VMSS with this template name, it references the
relevant set of configurations to apply to it. Therefore, you can maintain multiple sets of configurations
and associate them with different VMSS that are managed by the Security Management Server.
Example: "my-configuration-template-for-x"

"<SIC-key>"
Description: Select a random key that has at least 8 alphanumeric characters.
Example: "MySICkey123"

<Version>
Description: The Security Gateway version. One of these:
n R77.30
n R80.10
n R80.30
Example: R80.20

"<Policy-Name>"
Description: The name of the policy to install. The name of this policy has to be the exact same name of
the policy in SmartConsole.
Note - This solution only supports R80.10 and Above. For R77.30, see sk115533.
Example: "Standard"

"<Controller-Name>"
Description: Select a name that represents the controller. The controller name includes configurations
for your Azure environment, such as the subscription ID and application ID. You can maintain different
controllers to automatically provision different Cloud environments with the Security Management
Server.
Example: "Azure-Production"

"<Azure-Subscription>"
Description: The Azure subscription ID that deploys the CloudGuard Security Gateways.
Example: "98e34f37-ece4-4cdc-97dc-44a074f84aff"

"<Active-Directory-Tenant-ID>"
Description: The Azure directory tenant ID.
Example: "7113cebb-911c-4122-aa5c-34db449380f7"

"<Client-ID>"
Description: The application ID.
Example: "82fb1445-f40e-46dc-9cd3-c065e14f132b"

"<Client-Secret>"
Description: The application key.
Note - This value is not readable in the configuration.

Important:
The exact values that you select must be typed exactly when you deploy the VMSS. Make sure to write
them down and enter them correctly. Otherwise, the components cannot communicate with each other.


Deploying a Security Management Server in Azure
To deploy a Security Management Server in Azure:

Item Description

1 From the Azure marketplace, deploy this solution to create a Check Point Security Management
Server:
Check Point Security Management Server.

2 Select the Check Point Security Management software plan.


Important - It must be R80.10 and above. R77.30 is not supported.
Use these parameters:
n Server name - The name of the Security Management Server.
n Credentials - The SSH public key, or the SSH password to manage the server.
n Subscription - The Azure subscription, where the servers are deployed.
n Resource Group - The name of the Resource Group, where the server is deployed.
n Location - The Azure location, where the server is deployed.
n Network setting - A pre-existing Virtual Network and its subnets, or a name of a new
Virtual Network and subnets, where the server is deployed.
n Virtual Machine size - The size of the Security Management Server Virtual Machine.
n Storage setting - The name of an existing or new storage account that the Security
Management Server uses.
n Allowed GUI clients - IP addresses (in CIDR notation) of the allowed SmartConsole,
Gaia Portal and SSH clients.

3 This template deploys the Management Server in the selected subnet.


When the management instance starts, it automatically executes its own Gaia First Time
Configuration Wizard.
This can take up to 30 minutes.

4 Follow the instructions in "Step 3: Configure the Check Point Security Management Server" (on
page 23).

Upgrading the CloudGuard VMSS Solution


This section includes instructions and guidelines for upgrading an existing, deployed CloudGuard VMSS
solution (for example, upgrade from R80.10 CloudGuard VMSS solution to R80.20 CloudGuard VMSS
solution).


The method of upgrading a VMSS solution is by deploying a new solution (side-by-side), reconfiguring
Azure resources and Check Point configuration to use the new solution and then deleting the old one.
Note:
n It is not necessary to upgrade the VMSS solution in order to obtain newer images of the same Check
Point version (for example, R80.10, R80.20). On each scale-out, an instance with the latest available
image for the version is deployed automatically.
n Verify that your existing Management Server or Multi-Domain Server can be used with the newer
VMSS version that you are deploying.
To upgrade the CloudGuard VMSS solution:

Step Description

1 Log in to the Azure portal

2 Open the existing CloudGuard VMSS solution's resource group.

3 For the External Load Balancer (“frontend-lb”):


a. Create an empty backend pool.
b. Get the new backend pool’s resource ID. Make sure to save the ID for future reference.

4 For the Internal Load Balancer ("backend-lb"):


a. Create an empty backend pool.
b. Get the new backend pool’s resource ID. Make sure to save the ID for future reference.

5 Deploy a new CloudGuard VMSS solution from the Azure Marketplace: Under "CloudGuard
VMSS settings":

a. Choose "Yes" under "Are you upgrading your vmss version?"
b. Choose the same Management Server as in the existing CloudGuard VMSS solution.
c. Use a different configuration template name than in the existing CloudGuard VMSS
solution.
d. Choose the same Load Balancers deployment mode as in the existing CloudGuard
VMSS solution.
e. Fill out the saved resource IDs.
f. Fill out the names of the created backend pools.
g. Use the same network settings as in the existing CloudGuard VMSS solution.

6 Set the CME template according to the Cloud Management Extension (CME) admin guide.

Example:

autoprov_cfg add template -tn "<Template-Name>" -otp "<SIC-key>" -ver R80.20 -po "<policy-Name>"

In the following step, you will lose connection to the internet. Save and close all necessary items before proceeding to the next step.

7 Wait for provisioning to finish and for policy to install on the new CloudGuard VMSS instances.

8 To use the new backend pools, change the Load Balancing rules for both Load Balancers.


9 Shut down the old CloudGuard VMSS and verify traffic flows.

Note - At this point, the new VMSS is handling all the traffic in the environment (inbound,
outbound, E-W). Verify that all the traffic flows work as expected before proceeding.

10 Delete the old VMSS CME template according to the admin guide.
Example:

autoprov_cfg delete template -tn "<Template-Name>"

11 Delete the old VMSS resource.


Note – DO NOT DELETE THE OLD RESOURCE GROUP. It may contain the VNET resource and
the Load Balancers currently in use.

12 Delete the old backend pools (referencing the old VMSS) from both the ILB and the ELB.
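Steps 3 to 6 above hand three kinds of values to the Marketplace form and to CME: the two backend pool resource IDs (step 5e), the two pool names (step 5f), and a configuration template name that must not collide with the existing one (step 5c). Pasting the Load Balancer's own ID instead of the pool's, or naming a pool that the ID does not point at, is the usual way this procedure fails, and it is only discovered after the new VMSS has been provisioned. The following Python check, added here as an example and not part of the Check Point solution or its tooling, validates those values offline before anything is deployed. The ID shape it matches is the standard Azure Resource Manager form of a Load Balancer backend address pool; the subscription, resource group, pool and template names in the sample are constructed for illustration, and the case-insensitive comparison of ARM names is an assumption.

```python
import re

# Standard Azure Resource Manager ID of a Load Balancer backend address pool.
# Classic (ASM) resources do not have this shape, which also catches the
# "ARM deployments only" limitation.
POOL_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/loadBalancers/(?P<lb>[^/]+)"
    r"/backendAddressPools/(?P<pool>[^/]+)$",
    re.IGNORECASE,
)


def parse_pool_id(resource_id):
    """Split a backend pool resource ID into subscription, resource group,
    load balancer and pool name. Returns None if the string is something
    else, e.g. the load balancer's own ID or a frontend IP configuration."""
    m = POOL_ID_RE.match(resource_id.strip())
    return m.groupdict() if m else None


def check_upgrade_inputs(frontend_pool_id, frontend_pool_name,
                         backend_pool_id, backend_pool_name,
                         old_template, new_template):
    """Return a list of problems with the values destined for the
    'Are you upgrading your vmss version?' form (steps 5c, 5e, 5f) and for
    the CME template (step 6). An empty list means the inputs are consistent."""
    problems = []
    pools = {}
    for role, rid, name in (("frontend-lb", frontend_pool_id, frontend_pool_name),
                            ("backend-lb", backend_pool_id, backend_pool_name)):
        parts = parse_pool_id(rid)
        if parts is None:
            problems.append("%s: not a backendAddressPools resource ID" % role)
            continue
        # Step 5f: the pool name typed into the form must be the pool the ID names.
        # ARM names are compared case-insensitively here (assumption).
        if parts["pool"].lower() != name.strip().lower():
            problems.append("%s: form pool name %r does not match the ID's pool %r"
                            % (role, name, parts["pool"]))
        pools[role] = parts
    if len(pools) == 2:
        fe, be = pools["frontend-lb"], pools["backend-lb"]
        # One ID must belong to the external LB and the other to the internal LB.
        if fe["lb"].lower() == be["lb"].lower():
            problems.append("both IDs point at load balancer %r" % fe["lb"])
        # Both Load Balancers live in the existing solution's resource group (step 2).
        if (fe["sub"].lower(), fe["rg"].lower()) != (be["sub"].lower(), be["rg"].lower()):
            problems.append("pool IDs are in different subscriptions or resource groups")
    # Step 5c: a different template name, so the old template can be deleted
    # in step 10 without touching the new VMSS.
    if not new_template.strip():
        problems.append("new CME template name is empty")
    elif new_template.strip() == old_template.strip():
        problems.append("new CME template name %r equals the existing one" % new_template)
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real subscription.
    SUB = "00000000-0000-0000-0000-000000000000"
    RG = "cp-vmss-rg"
    fe_id = ("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network"
             "/loadBalancers/frontend-lb/backendAddressPools/frontend-pool-r8020" % (SUB, RG))
    be_id = ("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network"
             "/loadBalancers/backend-lb/backendAddressPools/backend-pool-r8020" % (SUB, RG))
    report = check_upgrade_inputs(fe_id, "frontend-pool-r8020",
                                  be_id, "backend-pool-r8020",
                                  "vmss-r8010", "vmss-r8020")
    for line in report or ["inputs are consistent"]:
        print(line)
```

Run it with the IDs saved in steps 3b and 4b before filling out the form; any line it prints is a value to correct before step 5, since the form itself does not cross-check the pool names against the IDs.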

Known Limitations
• Refer to sk109141 for more information on supported Jumbo Hotfixes.
• Refer to sk157492 for more information about CME limitations.
• To manage an R80.20 VMSS with an R80.10 Management Server, you must install the R80.10 Jumbo Hotfix Accumulator (R80.10_jumbo_hf) Take 169 or above.
• IPv6 is not supported.
• Only Azure Resource Manager (ARM) deployments are supported. Deployment in the Azure classic environment is not supported.
• Azure Load Balancers have limits, including a limit on the number of front-end IP addresses each Load Balancer supports. See the Microsoft documentation on Azure Networking Limits.
• VPN is not supported.
• East-West inspection between peered VNETs is supported only for RFC 1918 private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
• Anti-Spoofing on the internal NIC of the VMSS instances (eth1) is disabled by default and must not be enabled.
• Instance Level Public IP (ILPIP) address:
  Because of the Microsoft Azure design, if you deploy the Check Point Security Gateways with ILPIP addresses so that the VMSS instances are managed by their public IP addresses:
  1. Each instance is configured in Check Point SmartConsole with its original (first) ILPIP address.
  2. If a deployed Check Point Security Gateway is restarted, Microsoft Azure can release its ILPIP address and dynamically allocate a new one.
     In that case:
     - The Check Point Security Gateway still functions.
     - However, the Check Point Management Server can no longer communicate with the Check Point Security Gateway (this affects policy installation, receiving logs, and monitoring).
     Two options are available:
     - Delete the instance in the Azure portal and let Azure bring up a new one (which the Check Point Management Server then recognizes automatically).
     - Manually reset SIC:
       a. Reset SIC in SmartConsole and on the Check Point Security Gateway instance.
       b. In SmartConsole, manually change the IP address of the Check Point Security Gateway object to the new dynamically assigned IP address.
       c. In SmartConsole, manually initialize SIC.
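The RFC 1918 and IPv6 limitations above are easy to violate in a hub-and-spoke design where some spokes were addressed from public space, carrier-grade NAT space (100.64.0.0/10) or a prefix that merely looks private (172.32.0.0/16 is outside 172.16.0.0/12). The Python check below, added here as an example and not part of the Check Point solution, classifies every address prefix of the peered VNETs against those two limitations; the VNET names and prefixes are constructed sample data. It goes beyond the list above in one respect: it also flags a prefix that only partly overlaps RFC 1918 space (for example 172.0.0.0/8), which is neither fully private nor fully public and should be re-addressed before relying on East-West inspection.

```python
import ipaddress

# The three RFC 1918 ranges for which East-West inspection is supported.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ew_inspection_status(prefix):
    """Classify one VNET address prefix against the East-West limitation.

    'inspected'  IPv4 prefix fully inside one RFC 1918 range
    'partial'    IPv4 prefix that only partly overlaps RFC 1918 space
                 (for example 172.0.0.0/8); not covered by the stated support
    'public'     IPv4 prefix with no RFC 1918 overlap (includes 100.64.0.0/10)
    'ipv6'       IPv6 prefix; IPv6 is not supported by the solution
    'invalid'    not a CIDR prefix at all
    """
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return "invalid"
    if net.version == 6:
        return "ipv6"
    if any(net.subnet_of(r) for r in RFC1918):
        return "inspected"
    if any(net.overlaps(r) for r in RFC1918):
        return "partial"
    return "public"


def check_peered_vnets(vnets):
    """vnets: {vnet_name: [address prefixes]}.

    Returns {vnet_name: {prefix: status}} containing only the prefixes that
    are not fully inspected, so an empty result means every peered VNET is
    covered by East-West inspection."""
    findings = {}
    for name, prefixes in vnets.items():
        statuses = {p: ew_inspection_status(p) for p in prefixes}
        bad = {p: s for p, s in statuses.items() if s != "inspected"}
        if bad:
            findings[name] = bad
    return findings


if __name__ == "__main__":
    # Constructed sample hub-and-spoke layout, not from a real environment.
    sample = {
        "spoke-app": ["10.20.0.0/16"],
        "spoke-db": ["172.32.0.0/16"],          # looks private, is not RFC 1918
        "spoke-legacy": ["172.0.0.0/8"],        # straddles 172.16.0.0/12
        "spoke-v6": ["192.168.50.0/24", "fd00:1::/64"],
    }
    for vnet, bad in check_peered_vnets(sample).items():
        for prefix, status in bad.items():
            print("%-13s %-18s %s" % (vnet, prefix, status))
```

Feed it the address spaces of every VNET peered to the VMSS VNET (the values shown under each VNET's Address space in the Azure portal); only VNETs that come back empty can rely on the gateways for East-West inspection.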
