Deploy CloudGuard Gateway

Time
2 hours 22 minutes
Difficulty
Beginner
CEU/CPE
2
Video Transcription
00:05
>> Welcome to the Check Point jumpstart training.
00:05
How to deploy
00:05
a CloudGuard network security
00:05
and threat prevention product Lab.
00:05
Exercise 3, how to deploy a CloudGuard gateway.
00:05
In the previous exercise,
00:05
we deployed a CloudGuard management station
00:05
on our VNet and attached it to the frontend subnet.
00:05
In this third exercise,
00:05
we're going to deploy a CloudGuard gateway.
00:05
We are going to place it in
00:05
between the frontend and the backend subnet.
00:05
Meaning that it will have one NIC attached to
00:05
the frontend subnet and
00:05
another NIC attached to the backend subnet.
00:05
Finally, we're going to establish
00:05
SIC and then configure and push a policy.
00:05
Let's get started.
00:05
Again, connect to your Azure account,
00:05
go to the home menu and select Create a Resource.
00:05
This will take you to the Marketplace search bar.
00:05
Here we type Checkpoint.
00:05
We get a few firewalls that pop up,
00:05
but we want to install the CloudGuard, so select it.
00:05
Again, this is the same product as before
00:05
and we have three types of firewalls that we can deploy.
00:05
We have the Single Gateway,
00:05
we have the High Availability solution,
00:05
and we also have the highly
00:05
scalable CloudGuard Scale Set.
00:05
We're going to keep it simple in this lab.
00:05
Let's select the CloudGuard Single Gateway.
00:05
Click Create.
00:05
We need to add some basic configurations.
00:05
The Subscription, we'll keep the same.
00:05
For the Resource group, we need to
00:05
select an unused resource group.
00:05
The first two we have already used,
00:05
so we cannot use them.
00:05
We get an error that they are being used.
00:05
Let's select the third one in my list.
00:05
Again, depending on your account permissions,
00:05
you might need to create a completely new resource group.
00:05
We will keep the Region the same,
00:05
like always East US.
00:05
For the Virtual Machine Name,
00:05
I will use CPIGW.
00:05
Let's enter a password.
00:05
I will use the same password that I
00:05
used before on the management station.
00:05
This makes administering both machines easier.
00:05
Again, we have to meet
00:05
the same password restrictions just like before.
00:05
We need to confirm
00:05
the password and we need to be sure that they match.
00:05
Once again, we get a green icon so we're good to go.
00:05
Select Next to proceed
00:05
to configure the Check Point CloudGuard settings.
00:05
Again, we're going to select the R80.40 Gateway version.
00:05
One more time, select the Pay As You Go license.
00:05
We'll keep the default VM size.
00:05
Installation type is Gateway only.
00:05
Now we need to add the SIC key.
00:05
The SIC key is like a password,
00:05
that will be used to build trust
00:05
between the management station and the gateway.
00:05
It is used to build
00:05
a secure communication channel over an SSL link.
00:05
All internal communication will be
00:05
encrypted using this SSL link.
00:05
We need to confirm the SIC key.
00:05
Select Next to configure the network settings.
00:05
We'll add this gateway to my VNet, virtual network.
00:05
The gateway will need to be hooked up to two networks.
00:05
On the front side, we select
00:05
the Frontend subnet that we used
00:05
before, the 10.0.0.0/24.
00:05
On the backside,
00:05
we select the Backend subnet that
00:05
we created, the 10.0.1.0/24.
00:05
Finally, let's now select Review and Create.
00:05
The verification will verify that
00:05
all the information that we entered is correct.
00:05
Notice that it found an issue.
00:05
Let's take a look.
00:05
There is an asterisk on
00:05
the Check Point CloudGuard settings page.
00:05
Let's take a look there.
00:05
Found the problem. The SIC password did not match.
00:05
Let's fix and confirm that.
00:05
We get a green icon so we are good to go.
00:05
Let's Review and Create one more time.
00:05
Perfect. The verification is
00:05
complete and we're good to create. Hit Create.
00:05
It's now deploying a CloudGuard gateway.
00:05
This step can take a while.
00:05
For time constraints,
00:05
I will fast forward to the end of the completion stage.
00:05
A few minutes have
00:05
elapsed to complete the gateway deployment.
00:05
Let's select Go to resource.
00:05
Let's select the virtual machine resource,
00:05
the CGI gateway virtual machine.
00:05
Again, I want to check that IP address.
00:05
Just as before, we never specified an IP address.
00:05
The Azure software will add
00:05
a private IP address and a public IP address.
00:05
Let's select Copy public IP address.
00:05
Let's open a browser tab and connect to the gateway,
00:05
https://23.101.141.87.
00:05
Let's proceed to continue.
00:05
Nice. We get the GUI login page.
00:05
So far so good.
00:05
Let's log in.
00:05
Enter the username and password.
00:05
We're in. The gateway is up and running.
00:05
Let's once again take a look at
00:05
a few things while we are here.
00:05
Let's go to the network interfaces.
00:05
We have three IP addresses,
00:05
eth0 has a 10.0.0.5.
00:05
This is the second IP in the frontend subnet.
00:05
Remember that .4 is the management station IP,
00:05
so .5 is the next available IP address.
00:05
Then the Azure software also created an alias,
00:05
eth0:1 with a public IP of 23.101.141.87.
00:05
The third IP address is on eth1,
00:05
which is connected to the backend subnet 10.0.1.4.
00:05
Again, this is the first IP in the backend subnet.
00:05
Let's take a look at the routes.
00:05
We have again a default gateway of 10.0.0.1,
00:05
which is the implied gateway that Azure creates for us.
00:05
I will use this gateway as the path of
00:05
last resort. Everything looks good.
00:05
Let's move on to the next step.
00:05
We're going to establish SIC and push a policy.
00:05
Let's open the SmartConsole to the management station.
00:05
Connecting, initializing,
00:05
loading, launching, good.
00:05
We have SmartConsole access.
00:05
Let's select the Gateway and Server tab
00:05
and select the Create icon,
00:05
we'll create a new gateway.
00:05
Let's use the Wizard Mode,
00:05
but you can also use the Classic Mode, if you like.
00:05
We need to add a gateway name, CGIGW.
00:05
We need to select the gateway type.
00:05
In this case, it's
00:05
CloudGuard IaaS with IP address of 10.0.0.5,
00:05
which is the private IP on the frontend subnet.
00:05
This will be the IP address
00:05
that the management station will be
00:05
using to connect to
00:05
the gateway because they are on the same network.
00:05
Now, we need to enter the SIC activation key,
00:05
which is a SIC password that
00:05
we used during the deployment stage.
00:05
Hit Enter. Trust is established.
00:05
Since we got the pop up interface page,
00:05
uncheck the Edit Gateway properties box for now.
00:05
We will make changes later.
00:05
Select Finish. The gateway object is completed.
00:05
Now we'll need to create and push out a policy.
00:05
Select the Security policy tab.
00:05
We will just change
00:05
the cleanup rule to allow all traffic.
00:05
Change the Action to Accept and Track to Log.
00:05
Select Installation policy icon.
00:05
Confirm by selecting Publish and Install,
00:05
policy is being published.
00:05
Uncheck the Threat Prevention check mark.
00:05
We won't be configuring
00:05
threat prevention policy in this lab.
00:05
Then select Install.
00:05
Policy is now installing.
00:05
I like to view the details.
00:05
Policy installation is completed.
00:05
Let's close this box.
00:05
Let's go now to the Logs and Monitoring tab.
00:05
We want to check and
00:05
see if we have logging communication.
00:05
We have logs.
00:05
Notice that the logs' origin is from the gateway,
00:05
CGIGW.
00:05
We have success.
00:05
Before exiting this lab,
00:05
let's recap Exercise 3.
00:05
In this lab, we deployed an Azure CloudGuard gateway.
00:05
We deployed a gateway in between
00:05
our two subnets: the frontend and the backend.
00:05
In the frontend we received an IP address of
00:05
10.0.0.5/24 and in the backend subnet
00:05
we received an IP of 10.0.1.4/24.
00:05
The Azure software also provided us with
00:05
a public IP address of 23.101.141.87.
00:05
We then opened a SmartConsole to the management station.
00:05
We then established SIC
00:05
between the management station and
00:05
the gateway and we pushed a simple any, any, any policy.
00:05
That completes the end of Exercise 3.
00:05
In the next exercise,
00:05
we will deploy a web server.
00:05
I'll see you there.