CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Microsoft Azure CheckPoint virtual appliance

  1. #1 (joined 2010-09-19, 10 posts)

    Microsoft Azure CheckPoint virtual appliance

    Hi,

    Does the virtual appliance support the use of IPsec VPNs?

    I have tried setting one up using the same method I used with our production firewalls, but every time I try to establish the connection, the firewalls report IKE Phase 1 Payload malformed.

  2. #2 (joined 2005-08-14, Gig Harbor, WA, USA, 2,499 posts)

    Re: Microsoft Azure CheckPoint virtual appliance

    It's possible Azure is filtering IP Protocol 50 in which case a site-to-site VPN won't work.
    Even if you can get past that, you can't force the instances in Azure to route through the Check Point to reach the hosts on the other end of the VPN, so a site-to-site VPN wouldn't be terribly useful.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3 (joined 2015-03-26, 11 posts)

    Re: Microsoft Azure CheckPoint virtual appliance

    I can confirm IPsec VPN does work with this - we have this set up on our test Virtual Appliance with a VPN tunnel to our on-premise Check Point gateways.

    Make sure you open the ports (endpoints) within Azure. I found myself opening up all the well-known CP management ports within Azure, including tcp256 and udp500 for VPN iirc.

    Phoneboy is right though, once set up you can't do much with it. A current limitation of Azure.

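    The post above lists the ports it opened in Azure from memory. The following is an added example, not code from the thread, from Check Point or from Microsoft: a small evaluator for Azure Network Security Group rules (the Resource Manager model: rules evaluated in priority order, first match wins, implicit DenyAllInbound at the end) that checks whether a rule set admits the flows a Check Point gateway needs to terminate a site-to-site IPsec tunnel. The rule set, the peer address and the flow list (IKE on UDP 500, IKE NAT-T on UDP 4500, ESP, and TCP 256 as mentioned in the post) are constructed assumptions; replace `RULES` with the output of `az network nsg rule list` for a real NSG.

```python
"""Added example (not from the thread): check that an Azure NSG rule set admits
the flows a Check Point gateway needs for a site-to-site IPsec VPN.
Rules are evaluated lowest priority number first; the first match decides;
an unmatched inbound packet hits the implicit DenyAllInbound rule."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    protocol: str   # "Tcp", "Udp", "Esp", "Ah", "Icmp" or "*"
    source: str     # CIDR, or "*" for any source
    dest_port: str  # single port, "lo-hi" range, or "*" (required for ESP/AH)
    access: str     # "Allow" or "Deny"


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(spec, src_ip):
    if spec == "*":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, protocol, src_ip, dest_port=None):
    """Return (rule_name, access) for the first matching rule, else the
    implicit deny. dest_port is None for port-less protocols (ESP/AH)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if not _source_matches(r.source, src_ip):
            continue
        if dest_port is None:
            if r.dest_port != "*":      # a port-specific rule cannot match ESP/AH
                continue
        elif not _port_matches(r.dest_port, dest_port):
            continue
        return r.name, r.access
    return "DenyAllInbound", "Deny"


# Flows the gateway needs from its VPN peer (assumed list; TCP 256 and UDP 500
# are the ones named in the post, NAT-T and ESP are added here).
IPSEC_FLOWS = {
    "IKE":          ("Udp", 500),
    "IKE NAT-T":    ("Udp", 4500),
    "ESP":          ("Esp", None),
    "FW1 tcp/256":  ("Tcp", 256),
}


def check_vpn_flows(rules, peer_ip):
    """Map each required flow to True if the rule set allows it from peer_ip."""
    return {name: evaluate(rules, proto, peer_ip, port)[1] == "Allow"
            for name, (proto, port) in IPSEC_FLOWS.items()}


# Constructed sample: a peer gateway and a rule set that admits exactly its VPN traffic.
PEER = "203.0.113.10"
RULES = [
    Rule("allow-ike",  100, "Udp", "203.0.113.10/32", "500",  "Allow"),
    Rule("allow-natt", 110, "Udp", "203.0.113.10/32", "4500", "Allow"),
    Rule("allow-fw1",  120, "Tcp", "203.0.113.10/32", "256",  "Allow"),
    Rule("allow-esp",  130, "Esp", "203.0.113.10/32", "*",    "Allow"),
]

if __name__ == "__main__":
    for flow, ok in check_vpn_flows(RULES, PEER).items():
        print(f"{flow:12} {'allowed' if ok else 'BLOCKED'}")
    # A different source hits the implicit deny: the rules are peer-scoped.
    print(evaluate(RULES, "Udp", "198.51.100.5", 500))
```

    The useful failure mode to test is the ESP rule: IKE can complete over UDP 500/4500 while the tunnel still carries no traffic, because ESP (IP protocol 50) is a separate, port-less protocol that a port-based rule never matches.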
  4. #4 (joined 2005-08-14, Gig Harbor, WA, USA, 2,499 posts)

    Re: Microsoft Azure CheckPoint virtual appliance

    Microsoft just released some changes to the networking in Azure that might fix that :)
    Specifically they announced the ability to create user-defined routes: http://azure.microsoft.com/blog/2015...-hybrid-cloud/
    The technical documentation on User-Defined Routes and IP Forwarding is here: http://azure.microsoft.com/en-us/doc...-udr-overview/
    As these do not require any changes from the Check Point side to leverage, you should be able to use them immediately.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  5. #5 (joined 2015-03-26, 11 posts)

    Re: Microsoft Azure CheckPoint virtual appliance

    I've been testing this for a few days now, finally made some progress!

    Phoneboy, due to the changes that Microsoft made, this now seems to work as we would expect. We can route traffic from a VM via the Check Point Virtual Gateway and either out over the internet or over the VPN connection!

    The only issue I can now see is that the Check Point VM does not support multiple NICs - yet. I have raised this issue with CP support. However, it seems to work well for us as it is with just the one NIC.

  6. #6 (joined 2005-08-14, Gig Harbor, WA, USA, 2,499 posts)

    Re: Microsoft Azure CheckPoint virtual appliance

    From what I understand, our instances should work with multi-NIC just fine.
    However, Azure has some pretty significant limitations around multi-NIC, one of which is that you can't add the NICs after the fact, only when initially
    And, in practice, a single NIC will work just fine.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  7. #7 (joined 2010-08-06, UK (Surrey), 48 posts)

    Re: Microsoft Azure CheckPoint virtual appliance

    Hey All

    I've been testing this for a while now and there seem to be a number of limitations which make me wonder if we can realistically implement a tiered security infrastructure within Azure (as we would typically do on-premise/private cloud etc.)

    On-premise Security Management R77.20
    Azure CP VM R77.10

    * (as Phoneboy stated) you must build the multi-interface Check Point VM with a known number of interfaces, you cannot simply add an additional interface at a later stage - which means the prospect of having to re-image the VM if you want to add additional interfaces.

    * Assuming you have a VPN set up between on-premise and the Azure VPN Gateway (not the Check Point VM), User Defined Routing does not work for on-premise-to-Azure traffic flows. This is because the on-premise networks (through the VPN) bypass UDR, so you must remove the on-premise subnets from any UDR configuration, otherwise the Azure CP VM sees asymmetric flows and drops all the return traffic.

    * as yet I've still not found how we can have multiple Public IP addresses which can be used for DMZ-hosted web applications and services (as would typically be the case in the 'real world'). Azure only allows one Public IP for the CP VM, which means you end up with a sort of broadband-router-port-forwarding arrangement (with all the obvious limitations that ensue); if you allocate a Public IP to a VM (such as a web server) directly in Azure, then access from the internet bypasses the CP Firewall, which makes me think "what's the point?"

    * from a commercial perspective, both BYOL and PAYG are 'officially supported'; however in the UK, which is 100% channel model for Check Point, I cannot see how partners can work with PAYG. If the revenue is going direct to MS then how do partners make any money in the reseller capacity? Also, what are the support contract implications with PAYG? Do product Cert keys and valid support contract IDs appear in customer User Centres? I have asked these questions of CP UK, though the conclusion is that BYOL is the only approach which is 'understood'.

    My conclusion at this point (based on this and other Azure experience with F5 Networks BYOL VMs) is that Azure is not quite ready to support a multi-tiered security infrastructure, though that's just my opinion of course! Happy to be corrected if I'm missing something glaringly obvious!!

    regards

    -PG

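    The user-defined routes from posts #4 and #5 and the asymmetric-flow problem in the post above come down to how Azure picks an effective route for each leg of a session. The following is an added example, not code from the thread or from Microsoft: a small model of Azure route selection (longest prefix wins; on an equal prefix a user-defined route beats a system route) applied to a flow from an on-premises host to a backend VM. It reproduces the behaviour the post describes, in which the gateway subnet carrying inbound VPN traffic has no UDR applied while the backend subnet does, and shows why removing the on-premises prefix from the UDR restores symmetry. The addresses, VNet layout and route entries are constructed assumptions.

```python
"""Added example (not from the thread): model Azure effective-route selection
to show why a UDR entry for the on-premises prefix makes on-prem-to-Azure
flows asymmetric through the Check Point VM, and why dropping it fixes that."""
import ipaddress

# Assumed addressing for the illustration.
VNET        = "10.1.0.0/16"   # Azure VNet
ONPREM      = "10.0.0.0/16"   # on-premises range, learned via the Azure VPN gateway
CP_VM       = "10.1.0.4"      # Check Point gateway VM (IP forwarding enabled on its NIC)
BACKEND_VM  = "10.1.1.4"      # workload VM in the backend subnet
ONPREM_HOST = "10.0.0.5"

# A route is (prefix, next_hop, origin) with origin "System" or "UDR".
SYSTEM_ROUTES = [
    (VNET,        "VnetLocal",             "System"),
    (ONPREM,      "VirtualNetworkGateway", "System"),  # added by the site-to-site connection
    ("0.0.0.0/0", "Internet",              "System"),
]


def lookup(routes, dest):
    """Azure selection: longest prefix wins; on a tie a UDR beats a system route."""
    dest = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop, origin in routes:
        net = ipaddress.ip_network(prefix)
        if dest not in net:
            continue
        rank = (net.prefixlen, 1 if origin == "UDR" else 0)
        if best is None or rank > best[0]:
            best = (rank, next_hop)
    return best[1] if best else None


def analyse(backend_udr, src, dst):
    """Next hop of each leg of an on-prem (src) -> backend VM (dst) session.

    Forward leg: arrives through the gateway subnet, which in the post's setup
    has no UDR, so only system routes apply. Return leg: leaves the backend
    subnet, where the UDR is associated."""
    forward_hop = lookup(SYSTEM_ROUTES, dst)
    return_hop = lookup(SYSTEM_ROUTES + backend_udr, src)
    fwd_via_fw = forward_hop == CP_VM
    ret_via_fw = return_hop == CP_VM
    return {
        "forward": forward_hop,
        "return": return_hop,
        # A stateful gateway that sees only one direction of a session drops it.
        "asymmetric": fwd_via_fw != ret_via_fw,
    }


# UDR as first attempted: everything, including the on-prem prefix, via the Check Point VM.
UDR_BAD = [
    ("0.0.0.0/0", CP_VM, "UDR"),
    (ONPREM,      CP_VM, "UDR"),
]
# Fixed UDR: on-prem prefix removed, so the /16 system route via the VPN gateway
# out-ranks the UDR default route for return traffic.
UDR_FIXED = [
    ("0.0.0.0/0", CP_VM, "UDR"),
]

if __name__ == "__main__":
    for name, udr in (("bad", UDR_BAD), ("fixed", UDR_FIXED)):
        print(name, analyse(udr, ONPREM_HOST, BACKEND_VM))
    # Internet-bound traffic from the backend VM still goes through the gateway.
    print("internet next hop:", lookup(SYSTEM_ROUTES + UDR_FIXED, "198.51.100.7"))
```

    The model only covers the backend subnet's table; the Check Point VM's own subnet needs a table without the default route pointing at itself, or its outbound traffic loops.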
  8. #8 (joined 2005-08-14, Gig Harbor, WA, USA, 2,499 posts)

    Re: Microsoft Azure CheckPoint virtual appliance

    At the moment, I'm not aware of any way to have multiple IPs on an interface of an instance (public or otherwise).
    This is an Azure limitation.

    PAYG pricing for Azure (and AWS) includes EBS Standard support from Check Point directly.
    When you open a ticket with TAC you will need to provide your Azure account ID so they can verify you have an active PAYG instance on Azure.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  9. #9 (joined 2010-08-06, UK (Surrey), 48 posts)

    Re: Microsoft Azure CheckPoint virtual appliance

    Quote Originally Posted by PhoneBoy:
        ...
        PAYG pricing for Azure (and AWS) includes EBS Standard support from Check Point directly.
        When you open a ticket with TAC you will need to provide your Azure account ID so they can verify you have an active PAYG instance on Azure.

    That is no doubt true, but for a customer with their whole existing estate as CES Co-Standard/Co-Premium/Co-Elite, adding a few Azure systems as EBS Standard would undoubtedly throw up some support 'operational challenges' - plus I still can't see how incumbent Check Point channel partners would make any money from Azure PAYG subscriptions, though I would almost guarantee they'd be dragged into technical and account issues relating to the same ;-)

  10. #10 (joined 2016-02-28, 1 post)

    Re: Microsoft Azure CheckPoint virtual appliance

    We have provisioned a virtual appliance on Azure named checkpoint vsec, created a site-2-site VPN tunnel between on-prem and the virtual appliance using the checkpoint admin console on both, and set up a route table to forward the traffic for the backend subnet to the virtual appliance.

    We have a problem with bandwidth performance, getting 1.5 Mbps! The size of the VM is A1 (assume 100 Mbps bandwidth).

    Any thoughts on that?

    Thanks,
    yousef
