Implementing a secure high-availability network infrastructure with a dedicated DMZ based on the Check Point NGFW

Written by
Yandex Cloud
Improved by
Danila N.
Updated at June 11, 2025
  • Next-Generation Firewall
  • Get your cloud ready
    • Required paid resources
    • Required quotas
  • Set up your environment
    • Configure WSL
    • Create a cloud administrator service account
    • Install the required tools
  • Deploy your resources
  • Set up firewall gateways
    • Connect to the management segment via a VPN
    • Run SmartConsole
    • Add firewall gateways
    • Configure the FW-A gateway network interfaces
    • Configure the FW-B gateway network interfaces
    • Create network objects
    • Set security policy rules
    • Set up a static NAT table
    • Apply the security policy rules
  • Enable the route switcher
  • Test the solution for performance and fault tolerance
    • Test the system
    • Testing fault tolerance
  • How to delete the resources you created

In this tutorial, we will deploy a high-availability, fault-tolerant network infrastructure with a dedicated DMZ segment and comprehensive protection based on the Check Point next-generation firewall.

The infrastructure elements reside in two availability zones; we will also group them by purpose, placing the groups into different folders. This solution enables you to publish web resources, e.g., front-end applications, in a DMZ while restricting their access to the internal network, so that a compromised public-facing host cannot reach the management, application, or database segments directly.

Our solution uses the following folders:

  • public that contains Application Load Balancer enabling public access to DMZ applications.
  • mgmt that contains the NGFW firewalls and related resources: the FW-A and FW-B firewall VMs, mgmt-server (the firewall management server VM), and jump-vm (the VM that terminates the VPN used to reach the protected segments).
  • dmz that contains publicly accessible applications.
  • app and database that contain application business logic; we will not use them in this tutorial.

For more information, see the project repository.

To deploy a secure high-availability network infrastructure with a dedicated DMZ based on the Check Point next-generation firewall:

  1. Get your cloud ready.
  2. Set up your environment.
  3. Deploy your resources.
  4. Set up firewall gateways.
  5. Enable the route switcher.
  6. Test the solution for performance and fault tolerance.

If you no longer need the resources you created, delete them.

Next-Generation Firewall

A next-generation firewall (NGFW) provides cloud network protection and segmentation, creating a dedicated DMZ for publicly accessible applications. Yandex Cloud Marketplace offers multiple NGFW solutions.

In this scenario, we will use the Check Point CloudGuard IaaS solution offering the following features:

  • Firewalling
  • NAT
  • Intrusion prevention
  • Antivirus
  • Bot protection
  • Application layer granular traffic control
  • Session logging
  • Centralized management with Check Point Security Management

In this tutorial, we will configure Check Point CloudGuard IaaS with basic access control and NAT policies.

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The infrastructure support cost includes:

  • Fee for continuously running VMs (see Yandex Compute Cloud pricing).
  • Fee for using Application Load Balancer (see Yandex Application Load Balancer pricing).
  • Fee for using Network Load Balancer (see Yandex Network Load Balancer pricing).
  • Fee for public IP addresses and outbound traffic (see Yandex Virtual Private Cloud pricing).
  • Fee for using functions (see Yandex Cloud Functions pricing).
  • Fee for using the Check Point NGFW.

Required quotas

Warning

In this tutorial, you will have to deploy a resource-intensive infrastructure.

Make sure your cloud has sufficient quotas that are not used by other projects.

Resources used by this tutorial
Resource Quantity
Folders 7
Instance groups 1
Virtual machines 6
VM vCPUs 18
VM RAM 30 GB
Disks 6
SSD size 360 GB
HDD size 30 GB
Cloud networks 7
Subnets 14
Route tables 4
Security groups 10
Static public IP addresses 2
Public IP addresses 2
Static routes 17
Buckets 1
Cloud functions 1
Cloud function triggers 1
Total RAM for all running functions 128 MB
Network load balancers (NLB) 2
NLB target groups 2
Application load balancers (ALB) 1
ALB backend groups 1
ALB target groups 1

Set up your environment

In this tutorial, we will use Windows software and Windows Subsystem for Linux (WSL).
To deploy the infrastructure, we will use Terraform.

Configure WSL

  1. Check whether WSL is installed on your PC. To do this, run the following command in Windows PowerShell or the command prompt:

    wsl -l
    

    If WSL is installed, the terminal will return a list of available distributions, such as the following:

    Windows Subsystem for Linux Distributions:
    docker-desktop (Default)
    docker-desktop-data
    Ubuntu
    
  2. If WSL is not installed, install it and repeat the previous step.

  3. Additionally, you can install your preferred Linux distribution, e.g., Ubuntu, in WSL.

  4. To set the installed distribution as default, run this command:

    wsl --setdefault ubuntu
    
  5. To switch your terminal to Linux, run this command:

    wsl ~
    

Note

We use the Linux terminal to perform the following steps.

Create a cloud administrator service account

Terraform will create folders, networks, VMs, and load balancers across the whole cloud, so the service account needs the admin role on the cloud, not on a single folder. Treat this account, and the authorized key you create for it in the next section, as a highly privileged secret.

Management console
  1. In the management console, select the folder where you want to create your service account.

  2. In the list of services, select Identity and Access Management.

  3. Click Create service account.

  4. Enter a name for the service account, e.g., sa-terraform.

    Follow these naming requirements:

    • It must be from 2 to 63 characters long.
    • It can only contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.

    Make sure the service account name is unique within your cloud.

  5. Click Create.

  6. Assign the admin role to the service account:

    1. On the management console home page, select your cloud.
    2. Navigate to the Access bindings tab.
    3. Click Configure access.
    4. In the window that opens, click Service accounts and select the sa-terraform service account.
    5. Click Add role and select the admin role.
    6. Click Save.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Create a service account:

    yc iam service-account create --name sa-terraform
    

    Where name is the service account name. It must meet the following requirements:

    • It must be from 2 to 63 characters long.
    • It can only contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.

    Result:

    id: ajehr0to1g8bh0la8c8r
    folder_id: b1gv87ssvu497lpgjh5o
    created_at: "2023-03-04T09:03:11.665153755Z"
    name: sa-terraform
    
  2. Assign the admin role to the account:

    yc resource-manager cloud add-access-binding <cloud_ID> \
      --role admin \
      --subject serviceAccount:<service_account_ID>
    

    Result:

    done (1s)
    

API

To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.

To assign the service account a role for a cloud or folder, use the updateAccessBindings REST API method for the Cloud or Folder resource:

  1. Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.

  2. Get the ID of the service accounts folder.

  3. Get an IAM token required for authorization in the Yandex Cloud API.

  4. Get a list of folder service accounts to find out their IDs:

    export FOLDER_ID=b1gvmob95yys********
    export IAM_TOKEN=CggaATEVAgA...
    curl \
      --header "Authorization: Bearer ${IAM_TOKEN}" \
      "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
    

    Result:

    {
     "serviceAccounts": [
      {
       "id": "ajebqtreob2d********",
       "folderId": "b1gvmob95yys********",
       "createdAt": "2018-10-18T13:42:40Z",
       "name": "my-robot",
       "description": "my description"
      }
     ]
    }
    
  5. Create the request body, e.g., in the body.json file. Set the action property to ADD and roleId to admin (the role this tutorial requires), and specify the serviceAccount type and the service account ID in the subject property:

    body.json:

    {
      "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
          "roleId": "admin",
          "subject": {
            "id": "ajebqtreob2d********",
            "type": "serviceAccount"
          }
        }
      }]
    }
    
  6. Assign the role on the cloud in which Terraform will create the folders (to limit the binding to a single folder instead, use the folders/<folder_ID>:updateAccessBindings path of the same API):

    export CLOUD_ID=<cloud_ID>
    export IAM_TOKEN=CggaAT********
    curl \
      --request POST \
      --header "Content-Type: application/json" \
      --header "Authorization: Bearer ${IAM_TOKEN}" \
      --data '@body.json' \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/${CLOUD_ID}:updateAccessBindings"
    

Install the required tools

  1. Install Git using the following command:

    sudo apt install git
    
  2. Install Terraform:

    1. Navigate to the root directory:

      cd ~
      
    2. Create the terraform directory and open it:

      mkdir terraform
      cd terraform
      
    3. Download the terraform_1.3.9_linux_amd64.zip file:

      curl \
        --location \
        --remote-name \
        https://hashicorp-releases.yandexcloud.net/terraform/1.3.9/terraform_1.3.9_linux_amd64.zip
      

      Before unpacking, compare the archive's SHA-256 digest (sha256sum terraform_1.3.9_linux_amd64.zip) with the entry in the terraform_1.3.9_SHA256SUMS file HashiCorp publishes for this release; a mirror is only as trustworthy as that check.

    4. Install unzip and unpack the ZIP archive (the unzip command comes from the unzip package, not from zip):

      sudo apt install unzip
      unzip terraform_1.3.9_linux_amd64.zip
      
    5. Add the path to the directory with the executable to the PATH variable. This applies to the current shell only; append the same line to ~/.bashrc to make it permanent:

      export PATH=$PATH:~/terraform
      
    6. Make sure Terraform is installed by running this command:

      terraform -help
      
  3. Create a configuration file specifying the Terraform provider source:

    1. Create the .terraformrc file in nano:

      cd ~
      nano .terraformrc
      
    2. Add the following section to the file:

      provider_installation {
        network_mirror {
          url = "https://terraform-mirror.yandexcloud.net/"
          include = ["registry.terraform.io/*/*"]
        }
        direct {
          exclude = ["registry.terraform.io/*/*"]
        }
      }
      

      For more information about mirror settings, see the relevant Terraform guides.
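Because the Terraform binary is fetched from a mirror rather than from HashiCorp directly, it is worth checking the archive against the SHA256SUMS file HashiCorp publishes for the release. The following Python script is an added example (not part of the tutorial or of HashiCorp's tooling) that parses that file format and compares digests; it assumes you downloaded terraform_1.3.9_SHA256SUMS from releases.hashicorp.com next to the archive, and its built-in self-check uses a constructed fake archive.

```python
"""Check a downloaded Terraform archive against HashiCorp's SHA256SUMS file.

Added example, not part of the tutorial or of HashiCorp's tooling. Assumes the
terraform_1.3.9_SHA256SUMS file for the same release was downloaded from
releases.hashicorp.com next to the archive.
"""
import hashlib
import sys


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def parse_sums(sums_text: str) -> dict:
    """Parse "<hex digest>  <file name>" lines into {file name: digest}.

    Blank or malformed lines are skipped; a leading '*' (binary-mode marker
    written by some sha256sum builds) is stripped from the file name.
    """
    expected = {}
    for line in sums_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_sha256(archive: bytes, sums_text: str, file_name: str) -> bool:
    """True only if file_name is listed and its published digest matches the archive."""
    expected = parse_sums(sums_text).get(file_name)
    return expected is not None and expected == sha256_hex(archive)


def verify_file(archive_path: str, sums_path: str) -> bool:
    """Same check for files on disk; the archive's base name is looked up in the sums file."""
    with open(archive_path, "rb") as f:
        data = f.read()
    with open(sums_path, encoding="utf-8") as f:
        sums = f.read()
    return verify_sha256(data, sums, archive_path.rsplit("/", 1)[-1])


# Constructed self-check data: a fake archive and a sums file that lists it.
SAMPLE_ARCHIVE = b"PK\x03\x04 this is a stand-in, not a real Terraform build"
SAMPLE_SUMS = (
    f"{sha256_hex(SAMPLE_ARCHIVE)}  terraform_1.3.9_linux_amd64.zip\n"
    f"{'0' * 64}  terraform_1.3.9_darwin_amd64.zip\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        ok = verify_file(sys.argv[1], sys.argv[2])
    else:
        ok = verify_sha256(SAMPLE_ARCHIVE, SAMPLE_SUMS, "terraform_1.3.9_linux_amd64.zip")
    print("OK: digest matches" if ok else "MISMATCH: do not unpack or run this archive")
    sys.exit(0 if ok else 1)
```

Run it as python3 verify_terraform.py terraform_1.3.9_linux_amd64.zip terraform_1.3.9_SHA256SUMS from the ~/terraform directory; a non-zero exit code means the archive should not be unpacked.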

Deploy your resources

  1. Clone the yandex-cloud-examples/yc-dmz-with-high-available-ngfw GitHub repository and navigate to the yc-dmz-with-high-available-ngfw directory:

    git clone https://github.com/yandex-cloud-examples/yc-dmz-with-high-available-ngfw.git
    cd yc-dmz-with-high-available-ngfw
    
  2. Set up the CLI profile to run operations under the service account:

    CLI

    If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

    By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

    1. Create an authorized key for your service account and save it to the file:

      yc iam key create \
        --service-account-id <service_account_ID> \
        --folder-id <ID_of_folder_with_service_account> \
        --output key.json
      

      Where:

      • service-account-id: Service account ID.
      • folder-id: Service account folder ID.
      • output: Authorized key file name.

      key.json grants cloud-wide admin rights to anyone who holds it: keep it out of version control (do not commit it together with the repository), restrict its permissions (chmod 600 key.json), and delete the key with yc iam key delete <key_ID> once you are done with the tutorial.

      Result:

      id: aje8nn871qo4********
      service_account_id: ajehr0to1g8b********
      created_at: "2023-03-04T09:16:43.479156798Z"
      key_algorithm: RSA_2048
      
    2. Create a CLI profile to run operations under the service account:

      yc config profile create sa-terraform
      

      Result:

      Profile 'sa-terraform' created and activated
      
    3. Configure the profile:

      yc config set service-account-key key.json
      yc config set cloud-id <cloud_ID>
      yc config set folder-id <folder_ID>
      

      Where:

      • service-account-key: Service account authorized key file.
      • cloud-id: Cloud ID.
      • folder-id: Folder ID.
    4. Add your credentials to the environment variables:

      export YC_TOKEN=$(yc iam create-token)
      export YC_CLOUD_ID=$(yc config get cloud-id)
      export YC_FOLDER_ID=$(yc config get folder-id)
      
  3. Get your PC IP address:

    curl 2ip.ru
    

    Result:

    192.2**.**.**
    
  4. Open the terraform.tfvars file in nano and edit the following:

    1. Cloud ID line:

      cloud_id = "<cloud_ID>"
      
    2. Line with a list of public IP addresses allowed to access jump-vm:

      trusted_ip_for_access_jump-vm = ["<PC_external_IP_address>/32"]
      
  5. Deploy your cloud resources with Terraform:

    1. Initialize Terraform:

      terraform init
      
    2. Check the Terraform file configuration:

      terraform validate
      
    3. Check the list of new cloud resources:

      terraform plan
      
    4. Create the resources:

      terraform apply
      

Set up firewall gateways

In this tutorial, we will configure the FW-A and FW-B firewalls with basic access control and NAT policies required to test performance and fault tolerance, but insufficient for the production environment.

Connect to the management segment via a VPN

After deploying the infrastructure, the mgmt folder will contain the jump-vm Ubuntu instance with the configured WireGuard VPN allowing secure connections. Set up a VPN tunnel between your PC and the mgmt, dmz, app, and database segment subnets through jump-vm.

To set up the VPN tunnel:

  1. Get your Linux username:

    whoami
    
  2. Install WireGuard on your PC.

  3. Open WireGuard and click Add Tunnel.

  4. In the dialog that opens, select the jump-vm-wg.conf file in the yc-dmz-with-high-available-ngfw directory.

    To open a directory that belongs to the WSL distribution (e.g., Ubuntu), type the following path in the dialog address bar:

    \\wsl$\Ubuntu\home\<Ubuntu_user_name>\yc-dmz-with-high-available-ngfw
    

    Where <Ubuntu_user_name> is your Linux username you got in the previous step.

  5. Click Activate to activate the tunnel.

  6. Check whether you can connect to the management server through the WireGuard VPN tunnel by running this command in the terminal:

    ping 192.168.1.100
    

    Warning

    If ping fails, make sure the mgmt-jump-vm-sg security group inbound rules include your PC external IP address.

Run SmartConsole

To set up and manage Check Point, install and run the SmartConsole GUI client:

  1. Connect to the NGFW management server by opening https://192.168.1.100 in your browser.

  2. Sign in using admin as both the username and the password.

  3. You will enter Gaia Portal where you can download the SmartConsole GUI client by clicking Manage Software Blades using SmartConsole. Download Now!.

  4. Install SmartConsole on your PC.

  5. Get a password to access SmartConsole by running this command in the terminal:

    terraform output fw_smartconsole_mgmt-server_password
    
  6. Open SmartConsole and sign in as admin with the password you got in the previous step, specifying 192.168.1.100 as your management server IP address.

Add firewall gateways

Use the wizard to add the FW-A firewall gateway to the management server:

  1. In the Objects drop-down list at the top left, select More object types → Network Object → Gateways and Servers → New Gateway....

  2. Click Wizard Mode.

  3. In the dialog that opens, specify the following:

    • Gateway name: FW-A
    • Gateway platform: CloudGuard IaaS
    • IPv4: 192.168.1.10
  4. Click Next.

  5. Get the firewall password by running this command in the terminal:

    terraform output fw_sic-password
    
  6. Enter this password in the One-time password field.

  7. Click Next, and then Finish.

Similarly, add the FW-B firewall gateway with the values below:

  • Gateway name: FW-B
  • IPv4: 192.168.2.10

Configure the FW-A gateway network interfaces

Configure the eth0 network interface:

  1. In the Gateways & Servers tab, open the FW-A gateway setup dialog.
  2. In the Topology table within the Network Management tab, select the eth0 interface and click Modify....
  3. Under Leads To, select Override.
  4. Next to Specific, hover over the FW-A-eth0 interface name and click the edit icon in the window that opens.
  5. In the dialog that opens, rename FW-A-eth0 to mgmt.
  6. Under Security Zone, enable Specify Security Zone and select InternalZone.

Similarly, configure the eth1, eth2, eth3, and eth4 network interfaces:

  1. For eth1, specify ExternalZone under Security Zone. Do not rename this interface.

  2. Rename the eth2 interface to dmz, enable Interface leads to DMZ, and specify DMZZone.

    Set up Automatic Hide NAT to hide the addresses of internet-facing VMs hosted in the DMZ segment. To do this:

    1. In the dmz interface edit dialog, click Net_10.160.1.0 and navigate to the NAT tab.
    2. Enable Add automatic address translation rules, select Hide from the drop-down list, and then enable Hide behind gateway.
    3. Repeat these steps for Net_10.160.2.0.
  3. Rename the eth3 interface to app and specify InternalZone.

  4. Rename the eth4 interface to database and specify InternalZone.

Configure the FW-B gateway network interfaces

Configure the FW-B gateway network interfaces the same way as you did for FW-A, but select the interface names you already created for FW-A (mgmt, dmz, app, database) from the list instead of typing new ones.

To select an already specified interface name:

  1. Under Leads To, select Override.
  2. Find the relevant name in the drop-down list next to Specific.

Warning

Typing the names again instead of selecting them creates duplicate network objects and causes a duplicate object name error when you set the security policies.

Create network objects

  1. In the Objects drop-down list at the top left, select New Network... and create the public - a and public - b networks with the following settings:

     Name       | Network address | Net mask
     public - a | 172.16.1.0      | 255.255.255.0
     public - b | 172.16.2.0      | 255.255.255.0

  2. Select New Network Group..., create the public group, and add the public - a and public - b networks to it.

  3. Select New Host... and create hosts with the following settings:

     Name           | IPv4 address
     dmz-web-server | 10.160.1.100
     FW-a-dmz-IP    | 10.160.1.10
     FW-a-public-IP | 172.16.1.10
     FW-b-dmz-IP    | 10.160.2.10
     FW-b-public-IP | 172.16.2.10

  4. Select More object types → Network Object → Service → New TCP... and create a TCP service for the DMZ application, specifying TCP_8080 as its name and 8080 as the port.

Set security policy rules

To add a security rule:

  1. In the Security policies tab, select Policy under Access Control.
  2. Right-click the rule table area and, in the context menu that opens, select Above or Below next to New Rule.
  3. In the new line that appears:
    • In the Name column, specify Web-server port forwarding on FW-a.
    • In the Source column, click + and select public.
    • In the Destination column, select FW-a-public-IP.
    • In the Services & Applications column, select TCP_8080.
    • In the Action column, select Accept.
    • In the Track column, select Log.
    • In the Install On column, select FW-a.

In the same way, add the other rules from the table below; these rules will allow you to test the firewall policies, pass NLB health checks, publish a test application from the DMZ segment, and run a fault tolerance test.

No | Name                               | Source | Destination                | VPN | Services & Applications | Action | Track | Install On
1  | Web-server port forwarding on FW-a | public | FW-a-public-IP             | Any | TCP_8080                | Accept | Log   | FW-a
2  | Web-server port forwarding on FW-b | public | FW-b-public-IP             | Any | TCP_8080                | Accept | Log   | FW-b
3  | FW management & NLB healthcheck    | mgmt   | FW-a, FW-b, mgmt-server    | Any | https, ssh              | Accept | Log   | Policy Targets (All gateways)
4  | Stealth                            | Any    | FW-a, FW-b, mgmt-server    | Any | Any                     | Drop   | Log   | Policy Targets (All gateways)
5  | mgmt to DMZ                        | mgmt   | dmz                        | Any | Any                     | Accept | Log   | Policy Targets (All gateways)
6  | mgmt to app                        | mgmt   | app                        | Any | Any                     | Accept | Log   | Policy Targets (All gateways)
7  | mgmt to database                   | mgmt   | database                   | Any | Any                     | Accept | Log   | Policy Targets (All gateways)
8  | ping from dmz to internet          | dmz    | ExternalZone               | Any | icmp-requests (Group)   | Accept | Log   | Policy Targets (All gateways)
9  | Cleanup rule                       | Any    | Any                        | Any | Any                     | Drop   | Log   | Policy Targets (All gateways)
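The table above is evaluated top-down and the first matching rule wins, with rules 1 and 2 installed on one gateway each. The following Python script is an added editorial example (it is not Check Point code, does not use the Management API, and is not part of the tutorial's repository) that models the objects from the previous section and these rules so you can predict which rule a flow hits on FW-A or FW-B before installing the policy. It assumes the mgmt object covers 192.168.1.0/24 and 192.168.2.0/24 (the page only lists individual hosts there), treats ExternalZone as any address outside mgmt and dmz, matches icmp-requests on any ICMP packet, and omits rules 6 and 7 because the app and database folders are not used in this tutorial.

```python
"""First-match evaluation of the tutorial's access-control rule table.

Added example; not Check Point code and not part of the tutorial's repository.
Assumptions not stated on the page: mgmt = 192.168.1.0/24 + 192.168.2.0/24,
ExternalZone = anything outside mgmt and dmz, icmp-requests = any ICMP packet,
rules 6 and 7 (app, database) omitted.
"""
import ipaddress
from typing import NamedTuple

ip = ipaddress.ip_address
net = ipaddress.ip_network

NETWORKS = {
    "public": [net("172.16.1.0/24"), net("172.16.2.0/24")],
    "mgmt": [net("192.168.1.0/24"), net("192.168.2.0/24")],   # assumption
    "dmz": [net("10.160.1.0/24"), net("10.160.2.0/24")],
}
# A gateway object matches every interface address of that gateway shown on the page.
HOSTS = {
    "FW-a": {ip("192.168.1.10"), ip("172.16.1.10"), ip("10.160.1.10")},
    "FW-b": {ip("192.168.2.10"), ip("172.16.2.10"), ip("10.160.2.10")},
    "mgmt-server": {ip("192.168.1.100")},
    "FW-a-public-IP": {ip("172.16.1.10")},
    "FW-b-public-IP": {ip("172.16.2.10")},
}
SERVICES = {
    "Any": lambda p: True,
    "TCP_8080": lambda p: p.proto == "tcp" and p.dport == 8080,
    "https": lambda p: p.proto == "tcp" and p.dport == 443,
    "ssh": lambda p: p.proto == "tcp" and p.dport == 22,
    "icmp-requests": lambda p: p.proto == "icmp",
}


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int = 0


class Rule(NamedTuple):
    no: int
    name: str
    src: tuple
    dst: tuple
    services: tuple
    action: str
    install_on: tuple   # ("All",) stands for Policy Targets (All gateways)


RULES = [
    Rule(1, "Web-server port forwarding on FW-a", ("public",), ("FW-a-public-IP",), ("TCP_8080",), "Accept", ("FW-a",)),
    Rule(2, "Web-server port forwarding on FW-b", ("public",), ("FW-b-public-IP",), ("TCP_8080",), "Accept", ("FW-b",)),
    Rule(3, "FW management & NLB healthcheck", ("mgmt",), ("FW-a", "FW-b", "mgmt-server"), ("https", "ssh"), "Accept", ("All",)),
    Rule(4, "Stealth", ("Any",), ("FW-a", "FW-b", "mgmt-server"), ("Any",), "Drop", ("All",)),
    Rule(5, "mgmt to DMZ", ("mgmt",), ("dmz",), ("Any",), "Accept", ("All",)),
    Rule(8, "ping from dmz to internet", ("dmz",), ("ExternalZone",), ("icmp-requests",), "Accept", ("All",)),
    Rule(9, "Cleanup rule", ("Any",), ("Any",), ("Any",), "Drop", ("All",)),
]


def member(addr: str, obj: str) -> bool:
    """Does address addr belong to the network object obj?"""
    a = ip(addr)
    if obj == "Any":
        return True
    if obj == "ExternalZone":
        return not (member(addr, "mgmt") or member(addr, "dmz"))
    if obj in HOSTS:
        return a in HOSTS[obj]
    return any(a in n for n in NETWORKS[obj])


def evaluate(pkt: Packet, gateway: str) -> Rule:
    """Return the first rule that matches pkt among the rules installed on gateway."""
    for rule in RULES:
        if rule.install_on != ("All",) and gateway not in rule.install_on:
            continue
        if not any(member(pkt.src, o) for o in rule.src):
            continue
        if not any(member(pkt.dst, o) for o in rule.dst):
            continue
        if not any(SERVICES[s](pkt) for s in rule.services):
            continue
        return rule
    raise RuntimeError("unreachable: the Cleanup rule matches everything")


if __name__ == "__main__":
    flows = [   # constructed sample flows
        ("ALB to the published app via FW-A", Packet("172.16.1.5", "172.16.1.10", "tcp", 8080), "FW-a"),
        ("SmartConsole to FW-A", Packet("192.168.1.100", "192.168.1.10", "tcp", 443), "FW-a"),
        ("DMZ VM tries SSH to FW-A", Packet("10.160.1.100", "192.168.1.10", "tcp", 22), "FW-a"),
        ("DMZ VM pings jump-vm", Packet("10.160.1.100", "192.168.1.101", "icmp"), "FW-a"),
        ("DMZ VM pings the internet", Packet("10.160.1.100", "203.0.113.9", "icmp"), "FW-a"),
    ]
    for label, pkt, gw in flows:
        r = evaluate(pkt, gw)
        print(f"{label:36s} -> rule {r.no} {r.name!r}: {r.action}")
```

Two results are worth noticing: the DMZ VM's ping to jump-vm (192.168.1.101) falls through to the Cleanup rule, which is exactly what the test at the end of this tutorial checks, and an ALB packet addressed to FW-a-public-IP that somehow arrived at FW-B would be dropped by the Stealth rule, because rule 1 is installed on FW-a only.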

Set up a static NAT table

Source NAT (the Hide translation behind the firewall's DMZ interface address) ensures that the web server's reply is addressed to the same firewall that forwarded the request, so return traffic never takes the other gateway, where no connection state exists for it. Destination NAT steers the request to the network load balancer in front of the group of application web servers.

The headers of packets arriving from Application Load Balancer with user requests to the DMZ application are rewritten as follows: the source IP becomes the address of the firewall's DMZ interface, and the destination IP becomes the address of the web servers' network load balancer (the dmz-web-server object).

To set up the FW-A gateway NAT table:

  1. Navigate to the NAT section under Access Control.
  2. Right-click the rule table area and, in the context menu that opens, select Above or Below next to New Rule.
  3. In the new line that appears:
    • In the Original Source column, click + and select public.
    • In the Original Destination column, select FW-a-public-IP.
    • In the Original Services column, select TCP_8080.
    • In the Translated Source column, select FW-a-dmz-IP.
    • In the Translated Destination column, select dmz-web-server.
    • In the Install On column, select FW-a.
  4. Make sure to change the NAT method for FW-a-dmz-IP by right-clicking FW-a-dmz-IP in the table and selecting NAT Method > Hide in the context menu.

In the same way, set up the FW-B gateway static NAT table based on the table below:

No | Original Source | Original Destination | Original Services | Translated Source  | Translated Destination | Translated Services | Install On
1  | public          | FW-a-public-IP       | TCP_8080          | FW-a-dmz-IP (Hide) | dmz-web-server         | Original            | FW-a
2  | public          | FW-b-public-IP       | TCP_8080          | FW-b-dmz-IP (Hide) | dmz-web-server         | Original            | FW-b
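To see why the Hide translation matters for fault tolerance, here is an added Python model (an editorial example, not Check Point's NAT implementation and not from the project repository) that applies the two NAT rules above to a request from the load balancer and then routes the web server's reply. The ALB backend address 172.16.1.5, the ephemeral ports, and the single "active firewall" value standing in for the dmz-rt default route are assumptions.

```python
"""Model of the two static NAT rules and of the return path of a DMZ reply.

Added example, not Check Point's NAT engine. Assumptions: ALB backend address
172.16.1.5, made-up ports, and the dmz-rt default route modelled as one
"active firewall" value (the route switcher moves it between FW-a and FW-b).
"""
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


class NatRule(NamedTuple):
    original_destination: str    # FW-x-public-IP, what the ALB targets
    translated_source: str       # FW-x-dmz-IP (Hide)
    translated_destination: str  # dmz-web-server
    install_on: str


NAT_RULES = [
    NatRule("172.16.1.10", "10.160.1.10", "10.160.1.100", "FW-a"),
    NatRule("172.16.2.10", "10.160.2.10", "10.160.1.100", "FW-b"),
]
PUBLIC = ("172.16.1.", "172.16.2.")                         # the "public" group
DMZ_ADDR = {"FW-a": "10.160.1.10", "FW-b": "10.160.2.10"}   # DMZ interface of each gateway


class Firewall:
    """One gateway with its own NAT table and its own connection table."""

    def __init__(self, name: str, hide_source: bool = True):
        self.name = name
        self.hide_source = hide_source
        self.connections = {}    # (address, port) the reply will target -> original Flow
        self.next_port = 20000

    def outbound(self, flow: Flow) -> Optional[Flow]:
        """Translate an ALB -> firewall request; returns the flow as the web server sees it."""
        for rule in NAT_RULES:
            if (rule.install_on == self.name and flow.dst == rule.original_destination
                    and flow.dport == 8080 and flow.src.startswith(PUBLIC)):
                if self.hide_source:
                    self.next_port += 1
                    new = Flow(rule.translated_source, self.next_port, rule.translated_destination, 8080)
                else:   # Translated Source = Original: only the destination changes
                    new = Flow(flow.src, flow.sport, rule.translated_destination, 8080)
                self.connections[(new.src, new.sport)] = flow
                return new
        return None     # no rule on this gateway: the packet is not translated

    def reply(self, flow: Flow) -> Optional[Flow]:
        """Reverse-translate a web server reply; None if this gateway holds no state for it."""
        orig = self.connections.get((flow.dst, flow.dport))
        if orig is None:
            return None
        return Flow(orig.dst, orig.dport, orig.src, orig.sport)


def round_trip(hide_source: bool, active_fw: str) -> Optional[Flow]:
    """Request enters through FW-a while dmz-rt points at active_fw; return the de-NATed reply."""
    fws = {n: Firewall(n, hide_source) for n in ("FW-a", "FW-b")}
    request = Flow("172.16.1.5", 51000, "172.16.1.10", 8080)          # ALB -> FW-a-public-IP
    inside = fws["FW-a"].outbound(request)
    server_reply = Flow(inside.dst, inside.dport, inside.src, inside.sport)
    # A reply to a firewall's own DMZ address goes straight to that firewall (same subnet);
    # any other destination follows the dmz-rt default route to the active firewall.
    target = next((n for n, a in DMZ_ADDR.items() if a == server_reply.dst), active_fw)
    return fws[target].reply(server_reply)


if __name__ == "__main__":
    for hide, active in ((True, "FW-b"), (False, "FW-b"), (False, "FW-a")):
        result = round_trip(hide, active)
        print(f"Hide={hide!s:5} dmz-rt -> {active}: "
              + (f"reply delivered as {result}" if result else "reply lost: no state on the other firewall"))
```

With Hide enabled the reply reaches the ALB no matter where dmz-rt currently points; without it, the reply follows the default route, and as soon as the route switcher has moved that route to the other gateway the connection is silently dropped.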

Apply the security policy rules

  1. Click Install Policy at the top left of the screen.
  2. In the dialog that opens, click Push & Install.
  3. In the next dialog, click Install and wait for the process to complete.

Enable the route switcher

After completing the NGFW setup, make sure FW-A and FW-B health checks return Healthy. To do this, in the Yandex Cloud management console, navigate to the mgmt folder, select Network Load Balancer, and go to the route-switcher-lb-... page. Expand the target group and check whether its resources are Healthy. If they are Unhealthy, make sure FW-A and FW-B are configured correctly and running.

Once the FW-A and FW-B status changes to Healthy, open the route-switcher.tf file and change the route-switcher start_module value to true. To enable the module, run these commands:

terraform plan
terraform apply

Within five minutes, the route-switcher module will start working, providing outbound traffic fault tolerance.

Test the solution for performance and fault tolerance

Test the system

  1. To get the load balancer public IP address, run this command in the terminal:

    terraform output fw-alb_public_ip_address
    
  2. Make sure your network infrastructure is accessible from outside by opening the following address in your browser:

    http://<ALB_load_balancer_public_IP_address>
    

    If your system is accessible from outside, you will see the Welcome to nginx! page.

  3. Make sure the firewall rules allowing traffic are active. To do this, navigate to the yc-dmz-with-high-available-ngfw folder on your PC and connect to a DMZ VM over SSH:

    cd ~/yc-dmz-with-high-available-ngfw
    ssh -i pt_key.pem admin@<VM_internal_IP_address_in_DMZ_segment>
    
  4. To check whether the DMZ-hosted VM has internet access, run this command:

    ping ya.ru
    

    The ping from dmz to internet rule should allow the command to run.

  5. Make sure the firewall traffic-blocking rules are active.

    In the same SSH session on the DMZ VM, try to reach jump-vm in the mgmt segment:

    ping 192.168.1.101
    

    The Cleanup rule should block the command, since no rule above it allows traffic from dmz to mgmt.

Testing fault tolerance

  1. Install httping for making HTTP requests on your PC:

    sudo apt-get install httping
    
  2. To get the load balancer public IP address, run this command in the terminal:

    terraform output fw-alb_public_ip_address
    
  3. Initiate DMZ application inbound traffic by making a request to the ALB public IP address:

    httping http://<ALB_load_balancer_public_IP_address>
    
  4. Open another terminal window and connect to a DMZ VM over SSH:

    ssh -i pt_key.pem admin@<VM_internal_IP_address_in_DMZ_segment>
    
  5. Set a password for the admin user:

    sudo passwd admin
    
  6. In the Yandex Cloud management console, change the settings of this VM:

    1. In the list of services, select Compute Cloud.
    2. In the left-hand panel, select Virtual machines.
    3. Open the actions menu next to the VM you need and select Edit.
    4. In the window that opens, under Additional, enable Access to serial console.
    5. Click Save changes.
  7. Connect to the VM serial console, enter the admin username and password you set earlier.

  8. Initiate outbound traffic from the DMZ VM to an internet resource by running ping:

    ping ya.ru
    
  9. Emulate the main firewall failure by stopping the FW-A VM in the mgmt folder of the Yandex Cloud management console.

  10. Monitor the loss of httping and ping packets. After FW-A fails, you may see a traffic loss for about one minute with the subsequent traffic recovery.

  11. Make sure the dmz-rt route table in the dmz folder uses the FW-B address as next hop.

  12. Emulate the main firewall recovery by running the FW-A VM in the Yandex Cloud management console.

  13. Monitor the loss of httping and ping packets. After FW-A recovers, you may see a traffic loss for about one minute with the subsequent traffic recovery.

  14. Make sure the dmz-rt route table in the dmz folder uses the FW-A address as next hop.
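Steps 10 and 13 ask you to watch httping and ping by eye, and steps 11 and 14 to look at dmz-rt in the console. The following Python script is an added example (not part of the tutorial's repository) that does both more precisely: measure_outage() drives a probe once per interval and reports every contiguous run of failures as a (start, duration) pair, and default_next_hop() reads the JSON that yc vpc route-table get dmz-rt --format json prints and tells you which firewall the default route points at. The static_routes, destination_prefix, and next_hop_address field names are assumed from that command's output, and the sample route table is constructed.

```python
"""Measure the failover outage window and read the active next hop of dmz-rt.

Added example, not part of the tutorial's repository. Field names of the
yc vpc route-table get --format json output are assumptions; the sample JSON
is constructed.
"""
import json
import sys
import time
import urllib.request
from typing import Callable, List, Tuple

FW_ADDRESS = {"FW-a": "10.160.1.10", "FW-b": "10.160.2.10"}   # DMZ interface addresses


def http_probe(url: str, timeout: float = 1.0) -> bool:
    """One HTTP GET; True on any non-5xx response, False on timeout or connection error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status < 500
    except Exception:
        return False


def measure_outage(probe: Callable[[], bool], samples: int, interval: float = 0.5,
                   clock: Callable[[], float] = time.monotonic,
                   sleep: Callable[[float], None] = time.sleep) -> List[Tuple[float, float]]:
    """Call probe() `samples` times; return [(start, duration_seconds)] per run of failures."""
    outages = []
    down_since = None
    for _ in range(samples):
        now = clock()
        if probe():
            if down_since is not None:          # service is back: close the outage
                outages.append((down_since, now - down_since))
                down_since = None
        elif down_since is None:                # first failure of a run
            down_since = now
        sleep(interval)
    if down_since is not None:                  # still failing when sampling stopped
        outages.append((down_since, clock() - down_since))
    return outages


def simulate(sequence, interval: float = 0.5) -> List[Tuple[float, float]]:
    """Replay recorded probe results against a synthetic clock (for demos and tests)."""
    t = [0.0]
    results = iter(sequence)
    return measure_outage(lambda: next(results), len(sequence), interval,
                          clock=lambda: t[0], sleep=lambda d: t.__setitem__(0, t[0] + d))


def default_next_hop(route_table_json: str) -> str:
    """Next hop of the 0.0.0.0/0 static route in `yc vpc route-table get --format json` output."""
    table = json.loads(route_table_json)
    for route in table.get("static_routes", []):
        if route.get("destination_prefix") == "0.0.0.0/0":
            return route["next_hop_address"]
    raise ValueError("route table has no default route")


def active_firewall(route_table_json: str) -> str:
    """Name of the firewall that dmz-rt currently sends DMZ traffic to."""
    hop = default_next_hop(route_table_json)
    for name, addr in FW_ADDRESS.items():
        if addr == hop:
            return name
    raise ValueError(f"default route points at {hop}, which is neither firewall")


# Constructed sample: dmz-rt after the route switcher has moved traffic to FW-B.
SAMPLE_DMZ_RT = json.dumps({
    "name": "dmz-rt",
    "static_routes": [{"destination_prefix": "0.0.0.0/0", "next_hop_address": "10.160.2.10"}],
})

if __name__ == "__main__":
    # Usage: python3 failover_watch.py http://<ALB_public_IP> [samples]
    # In another terminal: yc vpc route-table get dmz-rt --format json | python3 failover_watch.py -
    if sys.argv[1:] and sys.argv[1] == "-":
        print("dmz-rt default route currently points at", active_firewall(sys.stdin.read()))
    elif sys.argv[1:]:
        url, samples = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 600
        for start, duration in measure_outage(lambda: http_probe(url), samples):
            print(f"outage of {duration:.1f} s starting at t+{start:.1f} s")
    else:
        print("demo:", simulate([True, True, False, False, False, True, True]))
```

Run the probe loop with the ALB address before stopping FW-A in step 9; the printed durations are the figure to compare against the "about one minute" expectation, and the route-table reader replaces the console check in steps 11 and 14.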

How to delete the resources you created

To stop paying for the resources you created, run this command:

terraform destroy

Terraform will permanently delete all resources, such as networks, subnets, VMs, load balancers, folders, etc.

You can delete the resources faster by deleting all folders in the Yandex Cloud console and then deleting the terraform.tfstate file from the yc-dmz-with-high-available-ngfw directory on your PC.

© 2025 Yandex.Cloud LLC