Aviatrix Transit FireNet allows third-party firewalls to be deployed into the Aviatrix transit architecture.
Transit FireNet works the same way as the Firewall Network: traffic in and out of the specified Spoke VNets is forwarded to the firewall instances for inspection or policy enforcement.
The diagram below shows the Aviatrix FireNet design for Azure. When a transit gateway is deployed with the FireNet option checked, the Aviatrix controller will:
- create the subnets
- create the UDRs (route tables)
- create an internal NLB
- configure the internal NLB (frontend, backend pool, health probe)
Aviatrix deploys and configures the Internal Load Balancers for a Firenet.
If you are new to Aviatrix and/or Aviatrix FireNet, there are a few posts where I talk about it:
Number of Interfaces
A Check Point CloudGuard Gateway instance has only two interfaces, as described below: eth0 is the frontend (WAN) interface in the public subnet and eth1 is the backend (LAN) interface in the dmz-firewall-lan subnet. There is no dedicated management interface.
Check Point Consumption Models
Check Point offers its NGFW in two consumption models:
- BYOL (Bring Your Own License): you run the CloudGuard software on Azure compute while using licenses purchased directly from Check Point. Azure charges only for the infrastructure, and you purchase and manage the licenses yourself.
You can obtain licenses for the BYOL model through any Check Point partner. After you purchase a license or obtain an evaluation license (90-day term), you receive a PDF with an activation code.
- PAYG (Pay as you Go): a usage-based, pay-per-use license billed through the Azure Marketplace together with the infrastructure.
CloudGuard Network Security NGFW is priced by the number of vCPU cores of the instance.
CloudGuard provides the following options to deploy directly from Azure Marketplace:
- Security Management
- High Availability
- Single Gateway
- Scale Set
- Multi-Domain Server
- Gateway Load Balancer (at this time in public preview)
Check Point Security Management
A CloudGuard Security Management server is required to manage one or more gateways. This solution template deploys a single Check Point Security Management Server with a single network interface.
If you deployed the VM with an SSH public key, set the management administrator password through the WebUI (Maintenance -> Management Administrator) or over SSH (cpconfig); SmartConsole authenticates with this password.
The ARM template needs to be filled with the proper information for the deployment:
Once it is provisioned, open a browser at the public IP assigned to the CloudGuard Management VM (because the management server is exposed on a public address, restrict its NSG to your administrative source addresses first):
From a machine running Windows, open the newly deployed CloudGuard Management in a browser:
Click the “Download Now!” button in the middle of the screen to get SmartConsole. Once the software is downloaded, install it:
Using the SmartConsole, access the CloudGuard Management:
CloudGuard Single Gateway
I’m going to deploy the gateway from the Azure Marketplace and associate it with Aviatrix FireNet later, using these subnets:
- frontend subnet = public
- backend subnet = dmz-firewall-lan
The same deployment can be done from the Aviatrix FireNet GUI (or with Terraform 🙂):
The Gaia web UI (Gaia Portal) is reachable in a browser:
The next step is to add the gateway to the management server:
Publish once the configuration is done:
Disable Anti-Spoofing on the eth1 (LAN) interface. Anti-spoofing drops packets whose source address does not belong to the topology defined behind the interface; eth1 receives traffic sourced from the spoke CIDRs, which the gateway knows nothing about, so either disable it (as done here) or define the spoke networks in the interface topology:
Security policy for health probes
Azure Load Balancer health probes are sourced from 168.63.129.16, so the gateway's access policy must accept traffic from that address; otherwise the NLB marks the gateway unhealthy:
Associate the new gateway with the FireNet:
Clicking “show” confirms whether the integration completed successfully:
Security Policy for East-West Inspection
To inspect traffic from spokes 30 and 40, add them to the Inspection Policy using the Policy sub-menu under the Firewall Network menu:
CloudGuard implicitly denies any traffic not explicitly allowed, so we need to create a security policy for the inter-VNet flows:
Security Policy for Internet Inspection
Besides configuring Aviatrix FireNet for centralized egress, the Check Point gateway also needs configuration: an access policy and NAT.
- Egress through Firewall is enabled under Firewall Network -> List -> Details:
Create a policy to allow egress traffic:
In SmartConsole, set up Network Address Translation (NAT) rules so that Internet-bound traffic is hidden behind the CloudGuard Gateway’s public address:
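The three SmartConsole steps above (the health-probe rule, the east-west allow rule, and the egress rule plus hide NAT) can also be driven through the Check Point Management API, which is useful when spokes are added to the FireNet regularly. The script below is an added example, not code from the original post nor from Check Point or Aviatrix. The management host, the gateway object name, the policy package and layer names, and the spoke CIDRs are hypothetical; the probe address 168.63.129.16 is the documented Azure health-probe source, and the probe service is assumed to be https and should be confirmed against the health probe the Aviatrix controller created on the NLB. The `RecordingTransport` lets the plan be reviewed offline before anything is sent to the management server.

```python
import json
import ssl
import urllib.request

AZURE_LB_PROBE = "168.63.129.16"  # Azure Load Balancer health-probe source address

# Hypothetical object names and addresses used by this example.
MGMT_HOST = "203.0.113.10"        # Security Management server
GATEWAY = "cg-single-gw"          # the CloudGuard Single Gateway object added in SmartConsole
LAYER = "Standard Network"        # access layer of the default "Standard" package
PACKAGE = "Standard"
SPOKE_CIDRS = {"spoke-30": "10.30.0.0/16", "spoke-40": "10.40.0.0/16"}  # constructed


def plan_calls(spokes=SPOKE_CIDRS, gateway=GATEWAY, layer=LAYER, package=PACKAGE):
    """Ordered (command, payload) pairs reproducing the SmartConsole work in the post.

    Every access rule is inserted at "top", so the last one added ends up first;
    appending them in reverse priority keeps the package's cleanup rule last.
    """
    calls = [("add-host", {"name": "azure-lb-probe", "ip-address": AZURE_LB_PROBE})]
    for name, cidr in spokes.items():
        net, bits = cidr.split("/")
        calls.append(("add-network", {"name": name, "subnet4": net, "mask-length4": int(bits)}))
    calls.append(("add-group", {"name": "spokes", "members": list(spokes)}))
    # Lowest priority: spoke egress to the Internet (tighten "service" in production).
    calls.append(("add-access-rule", {
        "layer": layer, "position": "top", "name": "Spoke egress",
        "source": "spokes", "destination": "Any", "service": "Any", "action": "Accept"}))
    # Then east-west between inspected spokes (CloudGuard drops anything not listed).
    calls.append(("add-access-rule", {
        "layer": layer, "position": "top", "name": "Spoke to spoke",
        "source": "spokes", "destination": "spokes", "service": "Any", "action": "Accept"}))
    # Highest priority: NLB health probes. Service assumed to be https; confirm the
    # port against the health probe the Aviatrix controller configured on the NLB.
    calls.append(("add-access-rule", {
        "layer": layer, "position": "top", "name": "Allow Azure LB health probes",
        "source": "azure-lb-probe", "destination": gateway, "service": "https", "action": "Accept"}))
    # Hide every spoke behind the gateway. If east-west traffic must keep its real
    # addresses, add a no-NAT rule (all translated fields left at Original) above this one.
    calls.append(("add-nat-rule", {
        "package": package, "position": "top", "original-source": "spokes",
        "original-destination": "Any", "translated-source": gateway, "method": "hide"}))
    return calls


class MgmtSession:
    """Minimal client for the Check Point Management API: POST https://<mgmt>/web_api/<command>."""

    def __init__(self, host, transport=None):
        self.base = f"https://{host}/web_api/"
        self.sid = None
        self.transport = transport or self._https_post

    @staticmethod
    def _https_post(url, headers, body):
        # The default context verifies the server certificate: import the management
        # server's CA first rather than disabling verification.
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
            return json.loads(resp.read())

    def call(self, command, payload):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid  # session id returned by login
        return self.transport(self.base + command, headers, json.dumps(payload).encode())

    def apply(self, calls, user, password):
        """login, run every call, publish; discard the session if anything fails."""
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
        try:
            for command, payload in calls:
                self.call(command, payload)
            return self.call("publish", {})
        except Exception:
            self.call("discard", {})  # leave no half-applied changes behind
            raise
        finally:
            self.call("logout", {})


class RecordingTransport:
    """Offline stand-in for the HTTPS transport: records calls and fakes a login sid."""

    def __init__(self):
        self.seen = []  # (command, X-chkp-sid header, payload)

    def __call__(self, url, headers, body):
        command = url.rsplit("/", 1)[1]
        self.seen.append((command, headers.get("X-chkp-sid"), json.loads(body)))
        return {"sid": "SID-1"} if command == "login" else {"task-id": "fake"}


if __name__ == "__main__":
    recorder = RecordingTransport()
    MgmtSession(MGMT_HOST, transport=recorder).apply(plan_calls(), "admin", "secret")
    for command, sid, payload in recorder.seen:
        print(f"{command:18} sid={sid} {json.dumps(payload)}")
```

`publish` only commits the objects to the database; as in the post, the policy still has to be installed on the gateway (the `install-policy` command with `policy-package` and `targets`, or Install Policy in SmartConsole) before the rules take effect.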
CloudGuard gateway logs:
Default subnets (Insane Mode enabled):
dmz-firewall route table:
- 10.255.160.132 is the IP of the NLB frontend
- a route pointing at it is created for each spoke attached to the transit
dmz-firewall-lan route table:
- 10.255.160.133 is the IP of the transit gateway's eth1 interface
- 10.255.160.68 is the IP of the transit gateway itself
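Because these UDRs are what forces spoke traffic through the NLB and the firewall, a route added or re-pointed by someone with write access to the transit VNet's route tables silently bypasses inspection. The checker below is an added example (not from the original post, Aviatrix or Check Point) that reads the `routes` array of `az network route-table show -o json` output and flags any spoke whose traffic would not reach the NLB, including a more-specific prefix that wins longest-prefix match. The NLB and transit gateway addresses are the ones listed above; the spoke CIDRs, the sample tables, and the rogue 10.255.160.200 next hop are constructed for the example.

```python
import ipaddress
import json
import sys

# Addresses from the post; spoke CIDRs are constructed for the example.
NLB_IP = "10.255.160.132"                                  # FireNet internal NLB frontend
TRANSIT_NEXT_HOPS = {"10.255.160.133", "10.255.160.68"}    # transit gw eth1 and transit gw
SPOKE_CIDRS = {"spoke-30": "10.30.0.0/16", "spoke-40": "10.40.0.0/16"}


def route_table(name, routes):
    """Build the subset of `az network route-table show -o json` these checks read (constructed)."""
    return {"name": name, "routes": [
        {"name": f"r{i}", "addressPrefix": prefix, "nextHopType": hop_type, "nextHopIpAddress": hop_ip}
        for i, (prefix, hop_type, hop_ip) in enumerate(routes)]}


# Constructed samples shaped like the controller-programmed tables.
DMZ_FIREWALL = route_table("dmz-firewall", [
    ("10.30.0.0/16", "VirtualAppliance", NLB_IP),
    ("10.40.0.0/16", "VirtualAppliance", NLB_IP),
])
DMZ_FIREWALL_LAN = route_table("dmz-firewall-lan", [
    ("10.30.0.0/16", "VirtualAppliance", "10.255.160.133"),
    ("10.40.0.0/16", "VirtualAppliance", "10.255.160.133"),
])
# Constructed drift: a /24 inside spoke-40 re-pointed at another appliance. Longest-prefix
# match sends that subnet's traffic around the FireNet firewall.
DMZ_FIREWALL_BYPASSED = route_table("dmz-firewall", [
    ("10.30.0.0/16", "VirtualAppliance", NLB_IP),
    ("10.40.0.0/16", "VirtualAppliance", NLB_IP),
    ("10.40.7.0/24", "VirtualAppliance", "10.255.160.200"),
])


def _via(route, allowed_ips):
    return route["nextHopType"] == "VirtualAppliance" and route.get("nextHopIpAddress") in allowed_ips


def spokes_not_via_nlb(rt, spokes=SPOKE_CIDRS, nlb_ip=NLB_IP):
    """{spoke: reason} for each spoke whose traffic would not all reach the NLB."""
    problems = {}
    for spoke, cidr in spokes.items():
        want = ipaddress.ip_network(cidr)
        covered = []  # routes equal to or more specific than the spoke CIDR
        for r in rt["routes"]:
            p = ipaddress.ip_network(r["addressPrefix"])
            if p.version == want.version and p.subnet_of(want):
                covered.append((p, r))
        if not any(p == want for p, _ in covered):
            problems[spoke] = "no route"
            continue
        bad = [f'{p} via {r["nextHopType"]}/{r.get("nextHopIpAddress")}'
               for p, r in covered if not _via(r, {nlb_ip})]
        if bad:
            problems[spoke] = "; ".join(bad)
    return problems


def routes_outside(rt, allowed_ips):
    """Routes whose next hop is not one of the expected appliances: each is an
    inspection bypass or a blackhole, whether from misconfiguration or tampering."""
    return [(r["addressPrefix"], r["nextHopType"], r.get("nextHopIpAddress"))
            for r in rt["routes"] if not _via(r, allowed_ips)]


if __name__ == "__main__":
    # Usage: az network route-table show -g <rg> -n dmz-firewall -o json > rt.json; python check.py rt.json
    tables = [json.load(open(sys.argv[1]))] if len(sys.argv) > 1 else [DMZ_FIREWALL, DMZ_FIREWALL_BYPASSED]
    for rt in tables:
        print(rt["name"], "spoke problems:", spokes_not_via_nlb(rt))
        print(rt["name"], "unexpected routes:", routes_outside(rt, {NLB_IP}))
```

Run it against the dmz-firewall-lan table with `TRANSIT_NEXT_HOPS` as the allowed set; the same two functions apply, only the expected next hops differ.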
Default security rules: