Deploy a Web Server Part 2
Video Transcription

>> Welcome to the Check Point Jump Start training: how to deploy a CloudGuard network security and threat prevention product lab. Exercise 4, how to deploy a web server.

In the previous exercise, we created the third subnet, called Web-net, with a range of 10.0.2.0/24. We created a routing table called MyRouteTable. We added three routes to this route table, which all point to the CloudGuard gateway, the virtual appliance. We then associated this route table to the VNet subnet.

In this fourth exercise, we're going to deploy and install a web server on this subnet. Then we will configure a firewall policy and a NAT rule base to be able to communicate with this web server from the Internet. How do I create this Linux virtual machine? Let me show you how to do this. Let's get started.
Again, go to your Home menu. Select Create a resource in the marketplace. Search for BITNAMI NGINX. Here, we are looking for a simple and cheap Linux server to deploy in the Web-net subnet. We have a few choices. Let's select the first one. Select it, and then hit Create.

Again, we need to define a few parameters. Subscription is the same as always in my account. We will pick the first resource group. Machine name, let's call it Web-VM. Keep the East US region. We keep the image and image size as is. Let's change the authentication type to password. For the username, we'll use Webadmin, and now we'll use the same password as before and also confirm the password. Select Next for Disks. No need to change the disk sizes. Select Next for Networking. Here we will make a few changes. Let's select the Web-net subnet. This is where I want to place the virtual machine. For Public IP address we will select None. We don't want a public IP to be bound to the web server. You will see why later. Next, for Management we'll keep the defaults. Next for Advanced. Next for Tags. Next for Review and Create. We need to define an email and phone number. You can put whatever you like here. A real email, in my case, I will just add anything here to get past this stage. Let's hit Create.

It's now deploying. This can take a while. Deployment is in progress. Fast forward. A few minutes have elapsed, and the deployment is complete. Select Go To Resource; we have now created a web virtual machine. Notice the private IP of 10.0.2.4. We don't have a public IP address; that's because we selected None during the deployment.
The reason for that is that I want to use the firewall to protect this virtual machine. Let's scroll down to the effective routes. Notice we have five routes. Two are invalid routes. These are the system-defined routes. They are no longer valid because they have been superseded by the user-defined routes, the routes that we created. You see we have three user-defined routes. These are the routes from the routing table that we created earlier. This web server, or virtual machine, inherited these routes from the myVNet route table, because this virtual machine is part of the Web-net subnet that we associated to the myVNet route table. We have the default route, we have the inter-VNet route, and we have the micro-segmentation route. All these routes are pointing to the virtual appliance, the CloudGuard gateway at 10.0.1.4.

Now that we have the web virtual machine created with the proper routes, we want to create a policy and a rule to allow communication through the firewall to the web virtual machine. Again, let's open SmartConsole. Log in to the management station. I'm logging in from my office PC to the management station that is running in the Azure cloud, in my VNet virtual network in the frontend subnet. Now, I want to create firewall rules to allow traffic from the office to the web virtual machine on the Web-net subnet.
>> But first, let's disable anti-spoofing. Let's open the CloudGuard gateway. Select the Network Management tab, and edit the Eth0 interface by double-clicking it. Select the Modify tab and uncheck the Perform Anti-Spoofing checkbox. Select the OK button, and select OK again. Let's do the same thing for Eth1. Select Modify, and again uncheck the Perform Anti-Spoofing checkbox. In addition, we will select the Override button and then the Specific button. Now, select New Network. Let's call this network object All_myVNET. The network address is 10.0.0.0/16, which is a mask of 255.255.0.0. Select OK and OK again. One more OK and a final OK.

Select the Security Policy menu tab. Now we are going to add a rule above. Select the Add Rule Above tab. Let's call this rule Traffic to the webserver. We'll keep the source as Any; we will change the destination to a new host. Let's call this host CGIGW_frontend, with an IP address of 10.0.0.5. Remember, that's the firewall's IP address in the frontend subnet. This host object will represent traffic that is destined to the firewall frontend IP address. Select OK. We get a message warning that multiple hosts have the same IP address. That's fine; let's say Yes to approve. This is not a conflict, it is just a warning. Let's change the service to HTTP, the action to Accept, and track to Log.

Let's add another rule below this rule. This rule is going to allow SSH communication. Name it SSH to everywhere; source and destination are Any, the service is SSH, the action is Accept, and tracking is Log.
Now let's go to the NAT rule base. We are going to add NAT rules to allow communication to the web virtual machine. Select Add Rule to the Top. This is the default NAT rule; let's change it. We are going to make a few changes on the Original side of the NAT rule base. In Original Source, we are going to select the all-internet object. In Original Destination, we're going to add the CGIGW_frontend object that we created before. We're going to change the Original Service to HTTP. On the Translated side, the source is going to be Original, and the destination is going to be the web virtual machine. Let's create a new host object to represent the web server. Let's call it my web. The IP address is 10.0.2.4. Let's OK that. The Translated Service we will keep as Original. Basically, this is what we call a port mapping rule. All HTTP traffic that is destined to the firewall's IP address of 10.0.0.5 will be redirected, or NATed, to the destination of the web server, 10.0.2.4.

Let's go ahead and install this policy. Let's approve to publish and install. Let's now push the policy. Again, double-check that Threat Prevention is unchecked. Hit Install. Let's view the details. I always like to see the progress bar. Fifty-seven percent completed. Installation is in progress. Ninety-nine percent completed. We can ignore the anti-spoofing warnings because we purposely turned them off. This is more of a warning than an error. Installation has succeeded. Let's close this.
Now, we're going to test access to the web server. First, we need the IP address of the firewall. Select CGIGW. What is the public IP address? Let's copy that. Now we open a browser tab. Now we use HTTP, we don't use HTTPS. We only use HTTP; HTTPS is the firewall's Gaia page. HTTP traffic will be redirected to the web server: http://23.101.141.87. Bingo, congratulations, we have access to the web server.

Let's go back and take a look at the logs. Let's refresh and take a look at only today's logs. I'm looking for the service of HTTP. Here is one. Let's double-click it. Notice the service is HTTP, and the destination is the CGI gateway frontend, 10.0.0.5. On a NAT, xlate means the translated side. We see the destination of the my web object with an IP of 10.0.2.4.
This completes this exercise. Before exiting, let's recap once again. In exercise 4, we did a few things. We created a Linux web server and deployed it in the web network. After that, we created firewall policies and NAT rules to allow communication from the Internet to the web server. I then opened a browser from the office on HTTP and connected to the firewall public IP of 23.101.141.87. We then got redirected to the firewall private IP of 10.0.0.5. Then the firewall port mapped HTTP to the NATed IP of the web server, 10.0.2.4. This completes exercise 4.

In the next exercise, we are going to configure the management control and process to communicate to the Azure cloud with my VNet virtual network. I will see you there.