Contact UsGet started

Implementing a secure high-availability network infrastructure with a dedicated DMZ based on the Check Point NGFW

Written by
Improved by
Updated at February 27, 2025

Follow this tutorial to deploy a high-availability fail-safe network infrastructure with a dedicated DMZ segment and comprehensive protection based on the Check Point next-generation firewall.

The infrastructure elements reside in two availability zones; we will also group them by purpose, placing the groups into different folders. This solution enables you to publish web resources, e.g., front-end applications, in a DMZ, restricting access to the internal network and thus ensuring its extra security.

We will use the following folders:

  • The public folder contains Application Load Balancer enabling public access to DMZ applications.
  • The mgmt folder contains NGFW firewalls and other resources, including FW-A and FW-B firewall VMs, mgmt-server, which is a firewall management server VM, and jump-vm, a VM for accessing the VPN protected segment.
  • The dmz folder contains publicly accessible applications.
  • The app and database folders contain application business logic; we will not use them in this tutorial.

For more information, see the project repository.

To deploy a secure high-availability network infrastructure with a dedicated DMZ based on the Check Point next-generation firewall:

  1. Get your cloud ready.
  2. Prepare the environment.
  3. Deploy your resources.
  4. Set up firewall gateways.
  5. Enable the route-switcher module.
  6. Test the solution for performance and fault tolerance.

If you no longer need the resources you created, delete them.

Next-Generation Firewall

We will use a next generation firewall for cloud network protection and segmentation, creating a dedicated DMZ for publicly accessible applications. Yandex Cloud Marketplace offers multiple NGFW solutions.

In this scenario, we use the Check Point CloudGuard IaaS solution offering the following features:

  • Firewalling
  • NAT
  • Intrusion prevention
  • Antivirus
  • Bot protection
  • Application layer granular traffic control
  • Session logging
  • Centralized management with Check Point Security Management

In this tutorial, we will configure Check Point CloudGuard IaaS with basic access management and NAT policies.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The infrastructure support cost includes:

Required quotas

Warning

In this tutorial, you will have to deploy a resource-intensive infrastructure.

Make sure your cloud has sufficient quotas that are not used by other projects.

Resources used by this tutorial
Resource Amount
Folders 7
Instance groups 1
Virtual machines 6
VM vCPUs 18
VM RAM 30 GB
Disks 6
SSD size 360 GB
HDD size 30 GB
Cloud networks 7
Subnets 14
Route tables 4
Security groups 10
Static public IP addresses 2
Public IP addresses 2
Static routes 17
Buckets 1
Cloud functions 1
Cloud function triggers 1
Total RAM for all running functions 128 MB
Network load balancers (NLBs) 2
NLB target groups 2
Application load balancers (ALBs) 1
ALB backend groups 1
ALB target groups 1

Prepare the environment

In this tutorial, we will use Windows software and Windows Subsystem for Linux (WSL).
To deploy the infrastructure, we will use Terraform.

Configure WSL

  1. Check whether WSL is installed on your PC. To do this, run this command in the CLI terminal:

    wsl -l

    If WSL is installed, the terminal will display a list of available distributions, for example:

    Windows Subsystem for Linux Distributions:
docker-desktop (Default)
docker-desktop-data
Ubuntu

  2. If WSL is not installed, install it and repeat the previous step.

  3. Additionally, you can install your preferred Linux distribution, e.g., Ubuntu, on top of WSL.

  4. To set the installed distribution as default, run this command:

    wsl --setdefault ubuntu

  5. To switch the terminal to Linux, run:

    wsl ~

Note

Perform all steps below in the Linux terminal.

Create a cloud administrator service account

  1. In the management console, select the folder where you want to create your service account.

  2. In the list of services, select Identity and Access Management.

  3. Click Create service account.

  4. Specify the service account name, e.g., sa-terraform.

    The name should match the following format:

    • It must be 2 to 63 characters long.
    • It may contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.

    Make sure the service account name is unique within your cloud.

  5. Click Create.

  6. Assign the admin role to the service account.

    1. On the management console home page, select your cloud.
    2. Navigate to the Access bindings tab.
    3. Click Configure access.
    4. In the window that opens, click Service accounts and select the sa-terraform service account.
    5. Click Add role and select the admin role.
    6. Click Save.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.

  1. Create a service account:

    yc iam service-account create --name sa-terraform

    Where name is the service account name. The name should match the following format:

    • It must be 2 to 63 characters long.
    • It may contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.

    Result:

    id: ajehr0to1g8bh0la8c8r
folder_id: b1gv87ssvu497lpgjh5o
created_at: "2023-03-04T09:03:11.665153755Z"
name: sa-terraform

  2. Assign the admin role to the account:

    yc resource-manager cloud add-access-binding <cloud_ID> \
  --role admin \
  --subject serviceAccount:<service_account_ID>

    Result:

    done (1s)

To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.

To assign the service account a role for a cloud or folder, use the updateAccessBindings REST API method for the Cloud or Folder resource:

  1. Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.

  2. Get the ID of the service accounts folder.

  3. Get an IAM token required for authorization in the Yandex Cloud API.

  4. Get a list of folder service accounts to find out their IDs:

    export FOLDER_ID=b1gvmob95yys********
export IAM_TOKEN=CggaATEVAgA...
curl \
  --header "Authorization: Bearer ${IAM_TOKEN}" \
  "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"

    Result:

    {
 "serviceAccounts": [
  {
   "id": "ajebqtreob2d********",
   "folderId": "b1gvmob95yys********",
   "createdAt": "2018-10-18T13:42:40Z",
   "name": "my-robot",
   "description": "my description"
  }
 ]
}

  5. Create the request body, e.g., in the body.json file. Set the action property to ADD and roleId to the appropriate role, such as editor, and specify the serviceAccount type and service account ID in the subject property:

    body.json:

    {
  "accessBindingDeltas": [{
    "action": "ADD",
    "accessBinding": {
      "roleId": "editor",
      "subject": {
        "id": "ajebqtreob2d********",
        "type": "serviceAccount"
      }
    }
  }]
}

  6. Assign a role to a service account. For example, for a folder with the b1gvmob95yys******** ID:

    export FOLDER_ID=b1gvmob95yys********
export IAM_TOKEN=CggaAT********
curl \
  --request POST \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer ${IAM_TOKEN}" \
  --data '@body.json' \
  "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"

Install the required tools

  1. Install Git using the following command:

    sudo apt install git

  2. Install Terraform:

    1. Navigate to the root directory:

      cd ~

    2. Create the terraform directory and open it:

      mkdir terraform
cd terraform

    3. Download the terraform_1.3.9_linux_amd64.zip file:

      curl \
  --location \
  --remote-name \
  https://hashicorp-releases.yandexcloud.net/terraform/1.3.9/terraform_1.3.9_linux_amd64.zip

    4. Install zip and unpack the ZIP archive:

      apt install zip
unzip terraform_1.3.9_linux_amd64.zip

    5. Add the executable directory to your PATH:

      export PATH=$PATH:~/terraform

    6. Make sure Terraform is installed by running this command:

      terraform -help

  3. Create a configuration file specifying the Terraform provider source:

    1. Create the .terraformrc file in nano:

      cd ~
nano .terraformrc

    2. Add the following section to the file:

      provider_installation {
  network_mirror {
    url = "https://terraform-mirror.yandexcloud.net/"
    include = ["registry.terraform.io/*/*"]
  }
  direct {
    exclude = ["registry.terraform.io/*/*"]
  }
}

      For more information about mirror settings, see the Terraform documentation.

Deploy your resources

  1. Clone the yandex-cloud-examples/yc-dmz-with-high-available-ngfw GitHub repository and navigate to the yc-dmz-with-high-available-ngfw directory:

    git clone https://github.com/yandex-cloud-examples/yc-dmz-with-high-available-ngfw.git
cd yc-dmz-with-high-available-ngfw

  2. Set up the CLI profile to run operations on behalf of the service account:

    If you do not have the Yandex Cloud CLI yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.

    1. Create an authorized key for your service account and save it to the file:

      yc iam key create \
  --service-account-id <service_account_ID> \
  --folder-id <ID_of_folder_with_service_account> \
  --output key.json

      Where:

      • service-account-id: Service account ID.
      • folder-id: ID of the service account folder.
      • output: Authorized key file name.

      Result:

      id: aje8nn871qo4********
service_account_id: ajehr0to1g8b********
created_at: "2023-03-04T09:16:43.479156798Z"
key_algorithm: RSA_2048

    2. Create a CLI profile to run operations on behalf of the service account:

      yc config profile create sa-terraform

      Result:

      Profile 'sa-terraform' created and activated

    3. Configure the profile:

      yc config set service-account-key key.json
yc config set cloud-id <cloud_ID>
yc config set folder-id <folder_ID>

      Where:

      • service-account-key: Authorized key file name.
      • cloud-id: Cloud ID.
      • folder-id: Folder ID.

    4. Add your credentials to the environment variables:

      export YC_TOKEN=$(yc iam create-token)
export YC_CLOUD_ID=$(yc config get cloud-id)
export YC_FOLDER_ID=$(yc config get folder-id)

  3. Get your PC IP address:

    curl 2ip.ru

    Result:

    192.2**.**.**

  4. Open the terraform.tfvars file in nano and edit it as follows:

    1. The cloud ID line:

      cloud_id = "<cloud_ID>"

    2. The line with a list of allowed public IP addresses for jump-vm access:

      trusted_ip_for_access_jump-vm = ["<PC_external_IP_address>/32"]

  5. Deploy the resources in the cloud with Terraform:

    1. Initialize Terraform:

      terraform init

    2. Check the Terraform file configuration:

      terraform validate

    3. Check the list of cloud resources you want to create:

      terraform plan

    4. Create resources:

      terraform apply

Set up firewall gateways

In this tutorial, we will configure FW-A and FW-B firewalls with basic access management and NAT policies required to test performance and fault tolerance, but insufficient for the production environment.

Connect to the control segment via a VPN

After deploying the infrastructure, the mgmt folder will contain an Ubuntu jump-vm instance with a configured WireGuard VPN allowing secure connections. Set up a VPN tunnel between your PC and mgmt, dmz, app, and database segment subnets through jump-vm.

To set up the VPN tunnel:

  1. Get your Linux username:

    whoami

  2. Install WireGuard on your PC.

  3. Open WireGuard and click Add Tunnel.

  4. In the dialog that opens, select the jump-vm-wg.conf file in the yc-dmz-with-high-available-ngfw directory.

    To find a Linux, e.g., Ubuntu, directory, type the file path in the dialog address bar:

    \\wsl$\Ubuntu\home\<Ubuntu_user_name>\yc-dmz-with-high-available-ngfw

    Where <Ubuntu_user_name> is your Linux username you got in the previous step.

  5. Click Activate to activate the tunnel.

  6. Check whether you can connect to the management server via WireGuard VPN by running this command in the terminal:

    ping 192.168.1.100

    Warning

    If ping fails, make sure the mgmt-jump-vm-sg security group inbound rules include your PC external IP address.

Run SmartConsole

To set up and manage Check Point, install and run the SmartConsole GUI client:

  1. Connect to the NGFW management server by opening https://192.168.1.100 in your browser.

  2. Sign in using admin as both username and password.

  3. You will enter Gaia Portal where you can download the SmartConsole GUI client by clicking Manage Software Blades using SmartConsole. Download Now!.

  4. Install SmartConsole on your PC.

  5. Get a password to access SmartConsole by running this command in the terminal:

    terraform output fw_smartconsole_mgmt-server_password

  6. Open SmartConsole and sign in as admin with the password you got in the previous step, specifying 192.168.1.100 as your management server IP address.

Add firewall gateways

Use the wizard to add the FW-A firewall gateway to the management server:

  1. In the Objects drop-down list at the top left, select More object types → Network Object → Gateways and Servers → New Gateway....

  2. Click Wizard Mode.

  3. In the dialog that opens, specify the following:

    • Gateway name: FW-A
    • Gateway platform: CloudGuard IaaS
    • IPv4: 192.168.1.10

  4. Click Next.

  5. Get the firewall password by running this command in the terminal:

    terraform output fw_sic-password

  6. Enter the received password in the One-time password field.

  7. Click Next, and then Finish.

Similarly, add the FW-B firewall gateway with the values below:

  • Gateway name: FW-B
  • IPv4: 192.168.2.10

Configure the FW-A gateway network interfaces

Configure the eth0 network interface:

  1. In the Gateways & Servers tab, open the FW-A gateway setup dialog.
  2. In the Topology table within the Network Management tab, select the eth0 interface and click Modify....
  3. Under Leads To, select Override.
  4. Next to the Specific option, hover over the FW-A-eth0 interface name and click the edit icon in the window that opens.
  5. In the dialog that opens, rename FW-A-eth0 to mgmt.
  6. Under Security Zone, activate Specify Security Zone and select InternalZone.

Similarly, configure the eth1, eth2, eth3, and eth4 network interfaces:

  1. For the eth1 interface, select ExternalZone under Security Zone. Do not rename this interface.

  2. Rename the eth2 interface to dmz, enable Interface leads to DMZ, and specify DMZZone.

    Set up Automatic Hide NAT to hide the addresses of internet-facing VMs hosted in the DMZ segment. To do this:

    1. In the dmz interface edit dialog, click Net_10.160.1.0 and navigate to the NAT tab.
    2. Enable Add automatic address translation rules, select Hide from the drop-down list, and then enable Hide behind gateway.
    3. Repeat these steps for Net_10.160.2.0.

  3. Rename the eth3 interface to app and specify InternalZone.

  4. Rename the eth4 interface to database and specify InternalZone.

Configure the FW-B gateway network interfaces

Configure the FW-B gateway network interfaces the same way as you did for FW-A. Give the interfaces existing names from the list.

To select an already specified interface name:

  1. Under Leads To, select Override.
  2. Find the relevant name in the drop-down list next to the Specific option.

Warning

Renaming the interfaces the second time will cause the network object name replication error when setting security policies.

Create network objects

  1. In the Objects drop-down list at the top left, select New Network... and create public - a and public - b networks with the following parameters:

    Name Network address Net mask
    public - a 172.16.1.0 255.255.255.0
    public - b 172.16.2.0 255.255.255.0

  2. Select New Network Group..., create the public group, and add the public - a and public - b networks to it.

  3. Select New Host... and create hosts with the following parameters:

    Name IPv4 address
    dmz-web-server 10.160.1.100
    FW-a-dmz-IP 10.160.1.10
    FW-a-public-IP 172.16.1.10
    FW-b-dmz-IP 10.160.2.10
    FW-b-public-IP 172.16.2.10

  4. Select More object types → Network Object → Service → New TCP... and create a TCP service for the DMZ application, specifying its name: TCP_8080 and port: 8080.

Set security policy rules

To add a security rule:

  1. In the Security policies tab, select Policy under Access Control.
  2. Right-click the rule table area and, in the context menu that opens, select Above or Below next to New Rule.
  3. In the new line that appears:
    • In the Name column, specify Web-server port forwarding on FW-a.
    • In the Source column, click + and select public.
    • In the Destination column, select FW-a-public-IP.
    • In the Services & Applications column, select TCP_8080.
    • In the Action column, select Accept.
    • In the Track column, select Log.
    • In the Install On column, select FW-a.

In the same way, add other rules from the table below; these rules will allow you to test the firewall policies, pass NLB health checks, publish a test application from the DMZ segment, and run a fault tolerance test.

No Name Source Destination VPN Services & Applications Action Track Install On
1 Web-server port forwarding on FW-a public FW-a-public-IP Any TCP_8080 Accept Log FW-a
2 Web-server port forwarding on FW-b public FW-b-public-IP Any TCP_8080 Accept Log FW-b
3 FW management & NLB healthcheck mgmt FW-a, FW-b, mgmt-server Any https, ssh Accept Log Policy Targets (All gateways)
4 Stealth Any FW-a, FW-b, mgmt-server Any Any Drop Log Policy Targets (All gateways)
5 mgmt to DMZ mgmt dmz Any Any Accept Log Policy Targets (All gateways)
6 mgmt to app mgmt app Any Any Accept Log Policy Targets (All gateways)
7 mgmt to database mgmt database Any Any Accept Log Policy Targets (All gateways)
8 ping from dmz to internet dmz ExternalZone Any icmp-requests (Group) Accept Log Policy Targets (All gateways)
9 Cleanup rule Any Any Any Any Drop Log Policy Targets (All gateways)

Set up a static NAT table

Source NAT ensures that the return traffic of the user’s connection returns to the firewall. Destination NAT routes user requests to the network load balancer upstream of the group of application web servers.

Source IP and Destination IP headers of packets coming from Application Load Balancer to the DMZ application will be translated to the firewall IP and load balancer IP, respectively.

To set up the FW-A gateway NAT table:

  1. Navigate to the NAT section under Access Control.
  2. Right-click the rule table area and, in the context menu that opens, select Above or Below next to New Rule.
  3. In the new line that appears:
    • In the Original Source column, click + and select public.
    • In the Original Destination column, select FW-a-public-IP .
    • In the Original Services column, select TCP_8080.
    • In the Translated Source column, select FW-a-dmz-IP.
    • In the Translated Destination column, select dmz-web-server.
    • In the Install On column, select FW-a.
  4. Change the NAT method for FW-a-dmz-IP by right-clicking FW-a-dmz-IP in the table and selecting NAT Method > Hide from the context menu.

In the same way, set up the FW-B gateway static NAT table based on the table below:

No Original Source Original Destination Original Services Translated Source Translated Destination Translated Services Install On
1 public FW-a-public-IP TCP_8080 FW-a-dmz-IP (Hide) dmz-web-server Original FW-a
2 public FW-b-public-IP TCP_8080 FW-b-dmz-IP (Hide) dmz-web-server Original FW-b

Apply the security policy rules

  1. Click Install Policy at the top left of the screen.
  2. In the dialog that opens, click Push & Install.
  3. In the next dialog, click Install and wait for the process to complete.

Enable the route-switcher module

After completing the NGFW setup, make sure FW-A and FW-B health checks return Healthy. To do this, select Network Load Balancer in the mgmt folder of the Yandex Cloud management console and navigate to the route-switcher-lb-... network load balancer page. Expand the target group and check whether its resources are Healthy. If they are Unhealthy, make sure FW-A and FW-B are configured correctly and running.

Once the FW-A and FW-B status changes to Healthy, open the route-switcher.tf file and change the route-switcher start_module value to true. To enable the module, run these commands:

terraform plan
terraform apply

Within five minutes, the route-switcher module will start working, providing outbound traffic fault tolerance.

Test the solution for performance and fault tolerance

Test the system

  1. To get the load balancer IP address, run this command in the terminal:

    terraform output fw-alb_public_ip_address

  2. Make sure your network infrastructure is accessible from outside by opening the following address in your browser:

    http://<ALB_load_balancer_public_IP_address>

    If your system is accessible from outside, you will see the Welcome to nginx! page.

  3. Make sure the firewall rules allowing traffic are active. To do this, navigate to the yc-dmz-with-high-available-ngfw folder on your PC and connect to a DMZ VM over SSH:

    cd ~/yc-dmz-with-high-available-ngfw
ssh -i pt_key.pem admin@<VM_internal_IP_address_in_DMZ_segment>

  4. To check whether there is internet access on the DMZ VM, run this command:

    ping ya.ru

    The ping from dmz to internet rule should allow the command to run.

  5. Make sure the firewall traffic-blocking rules are active.

    To check that Jump VM in the mgmt segment cannot be accessed from the dmz segment, run this command:

    ping 192.168.1.101

    The Cleanup rule should block the command.

Testing fault tolerance

  1. Install the httping tool for making HTTP requests on your PC:

    sudo apt-get install httping

  2. To get the load balancer IP address, run this command in the terminal:

    terraform output fw-alb_public_ip_address

  3. Emulate the DMZ application inbound traffic by making a request to the ALB public IP address:

    httping http://<ALB_load_balancer_public_IP_address>

  4. Open another terminal window and connect to a DMZ VM over SSH:

    ssh -i pt_key.pem admin@<VM_internal_IP_address_in_DMZ_segment>

  5. Set admin password:

    sudo passwd admin

  6. In the Yandex Cloud management console, change the settings of this VM:

    1. In the list of services, select Compute Cloud.
    2. In the left-hand panel, select Virtual machines.
    3. Click next to the VM you need and select Edit.
    4. In the window that opens, under Additional, enable Access to serial console.
    5. Click Save changes.

  7. Connect to the VM serial console, enter the admin username and password you set earlier.

  8. Emulate the DMZ to internet outbound traffic by running ping on the DMZ VM:

    ping ya.ru

  9. Emulate the main firewall failure by stopping the FW-A VM in the mgmt folder of the Yandex Cloud management console.

  10. Monitor the loss of httping and ping packets. After FW-A fails, you may see a traffic loss for about one minute with the subsequent traffic recovery.

  11. Make sure the dmz-rt route table in the dmz folder uses the FW-B address as next hop.

  12. Emulate the main firewall recovery by running the FW-A VM in the Yandex Cloud management console.

  13. Monitor the loss of httping and ping packets. After FW-A is restored, you may see a traffic loss for about one minute with the subsequent traffic recovery.

  14. Make sure the dmz-rt route table in the dmz folder uses the FW-A address as next hop.

How to delete the resources you created

To stop paying for the resources you created, run this command:

terraform destroy

Terraform will permanently delete all resources, such as networks, subnets, VMs, load balancers, folders, etc.

You can delete the resources faster by deleting all folders in the Yandex Cloud console and then deleting the terraform.tfstate file from the yc-dmz-with-high-available-ngfw folder on your PC.

Previous
Building a CI/CD pipeline in GitLab using serverless products
Next
Cloud infrastructure segmentation with the Check Point next-generation firewall