Cloud infrastructure segmentation with Check Point Next-Generation Firewall

Written by

Updated at November 22, 2024

Prepare your cloud
- Required paid resources
- Required quotas
Prepare the environment
Deploy your resources
Configure the firewall gateway
Test the solution
Requirements for production deployment
How to delete the resources you created

This guide describes how to deploy a secure network infrastructure based on Check Point Next-Generation Firewall solution. The infrastructure comprises three segments, each hosting an isolated set of resources grouped by function. For example, the dedicated DMZ segment is where public-facing services are placed and the MGMT segment hosts resources used to manage the cloud infrastructure. The segments communicate with each other via a virtual Check Point Next-Generation Firewall, which provides end-to-end protection and traffic control across the segments.

If you need to ensure NGFW fault tolerance and high availability of deployed applications, use this recommended solution.

The solution has the following basic segments (folders):

The public folder contains the internet-facing resources.
The mgmt folder is used to manage the cloud infrastructure and host internal resources. It includes VMs for infrastructure protection and network segmentation into security zones (fw), a VM of the centralized firewall management server (mgmt-server), and a VM with WireGuard VPN configured for secure access to the management segment over a VPN (jump-vm).
The dmz folder enables you to publish applications with public access from the internet.

For more information, see the project repository.

To deploy a secure network infrastructure based on Check Point Next-Generation Firewall:

If you no longer need the resources you created, delete them.

Next-Generation Firewall

Yandex Cloud Marketplace offers multiple NGFW solutions. This scenario uses the Check Point CloudGuard IaaS solution. Its features include:

Firewall, NAT, IPS, antivirus, and anti-bot protect services.
Application layer granular traffic control, session logging.
Centralized security management with Check Point Security Management.
This example uses the basic access control and NAT policies for the Check Point solution.

Yandex Cloud Marketplace offers PAYG and BYOL licensing for Check Point CloudGuard IaaS. This example uses the BYOL option with a 15-day trial:

NGFW VM Check Point CloudGuard IaaS - Firewall & Threat Prevention BYOL.
Management server VM Check Point CloudGuard IaaS - Security Management BYOL for NGFW management.

We recommend the following options for production use:

NGFW Check Point CloudGuard IaaS - Firewall & Threat Prevention PAYG.
You need a separate license for the Check Point CloudGuard IaaS - Security Management management server. Alternatively, you can use your on-premise management server.

Prepare your cloud

Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The infrastructure support cost includes:

Fee for continuously running VMs (see Yandex Compute Cloud pricing).
Fee for using public IP addresses and outgoing traffic (see Yandex Virtual Private Cloud pricing).

Required quotas

Warning

The tutorial involves deploying a resource-intensive infrastructure.

Make sure your cloud has sufficient quotas not being used by resources for other jobs.

Amount of resources used by the tutorial

Resource	Amount
Folders	3
Virtual machines	4
VM vCPUs	12
VM RAM	20 GB
Disks	4
SSD size	240 GB
HDD size	20 GB
Cloud networks	3
Subnets	3
Route tables	2
Security groups	5
Static public IP addresses	2
Static routes	3

Prepare the environment

The tutorial uses Windows software and the Windows Subsystem for Linux (WSL).
The infrastructure is deployed using Terraform.

Configure WSL

Check if WSL is installed on your PC. To do this, run the following command in the CLI terminal:
```
wsl -l
```
If WSL is installed, the terminal will display a list of available distributions, for example:
```
Windows Subsystem for Linux Distributions:
docker-desktop (Default)
docker-desktop-data
Ubuntu
```
If WSL is not installed, install it and repeat the previous step.
In addition, you can install on WSL a familiar Linux distribution, e.g., Ubuntu.
To make the installed distribution the default system, run:
```
wsl --setdefault ubuntu
```
To switch the terminal to the Linux subsystem operation mode, run:
```
wsl ~
```

Note

All the steps described below are completed in the Linux terminal.

Create a service account with the admin privileges for the cloud

Management console

CLI

API

In the management console, select the folder where you want to create a service account.
In the list of services, select Identity and Access Management.
Click Create service account.
Enter a name for the service account, e.g., sa-terraform.

The name format requirements are as follows:
- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
Click Create.
Assign the account the admin role:
1. On the management console home page, select the cloud.
2. Click the Access permissions tab.
3. Find the sa-terraform account in the list and click .
4. Click Edit roles.
5. Click Add role in the dialog box that opens and select the admin role.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

Create a service account:
```
yc iam service-account create --name sa-terraform
```
Where name is the service account name. The naming requirements are as follows:
- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
Result:
```
id: ajehr0to1g8bh0la8c8r
folder_id: b1gv87ssvu497lpgjh5o
created_at: "2024-01-04T09:03:11.665153755Z"
name: sa-terraform
```

Assign the account the admin role:

yc resource-manager cloud add-access-binding <cloud_ID> \
  --role admin \
  --subject serviceAccount:<service_account_ID>

Result:

done (1s)

To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.

To assign the service account a role for a cloud or folder, use the updateAccessBindings REST API method for the Cloud or Folder resource:

Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
Get the ID of the service accounts folder.
Get an IAM token required for authorization in the Yandex Cloud API.

Get a list of folder service accounts to find out their IDs:

export FOLDER_ID=b1gvmob95yys********
export IAM_TOKEN=CggaATEVAgA...
curl \
  --header "Authorization: Bearer ${IAM_TOKEN}" \
  "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"

Result:

{
 "serviceAccounts": [
  {
   "id": "ajebqtreob2d********",
   "folderId": "b1gvmob95yys********",
   "createdAt": "2018-10-18T13:42:40Z",
   "name": "my-robot",
   "description": "my description"
  }
 ]
}

Create the request body, e.g., in the body.json file. Set the action property to ADD and roleId to the appropriate role, such as editor, and specify the serviceAccount type and service account ID in the subject property:

body.json:

{
  "accessBindingDeltas": [{
    "action": "ADD",
    "accessBinding": {
      "roleId": "editor",
      "subject": {
        "id": "ajebqtreob2d********",
        "type": "serviceAccount"
      }
    }
  }]
}

Assign a role to a service account. For example, for a folder with the b1gvmob95yys******** ID:

export FOLDER_ID=b1gvmob95yys********
export IAM_TOKEN=CggaAT********
curl \
  --request POST \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer ${IAM_TOKEN}" \
  --data '@body.json' \
  "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"

Install the required utilities

Install Git using the following command:
```
sudo apt install git
```
Install Terraform:
1. Go to the root directory:
```
cd ~
```
2. Create a folder named terraform and open it:
```
mkdir terraform
cd terraform
```
3. Run the following command to download the terraform_1.3.9_linux_amd64.zip archive from the official website:
```
curl --location --remote-name https://hashicorp-releases.yandexcloud.net/terraform/1.3.9/terraform_1.3.9_linux_amd64.zip
```
4. Install the zip utility and unpack the ZIP archive:
```
apt install zip
unzip terraform_1.3.9_linux_amd64.zip
```
5. Add the path to the folder with the executable to the PATH variable:
```
export PATH=$PATH:~/terraform
```
6. Make sure that Terraform is installed by running this command:
```
terraform -help
```
Create a configuration file specifying the provider source for Terraform:
1. Create a file named .terraformrc using the native nano editor:
```
cd ~
nano .terraformrc
```
2. Add the following section to the file:
```
provider_installation {
  network_mirror {
    url = "https://terraform-mirror.yandexcloud.net/"
    include = ["registry.terraform.io/*/*"]
  }
  direct {
    exclude = ["registry.terraform.io/*/*"]
  }
}
```
  For more information about setting up mirrors, see the Terraform documentation.

Deploy your resources

Clone the GitHub repository and go to the yc-network-segmentation-with-checkpoint script folder:

git clone https://github.com/yandex-cloud-examples/yc-network-segmentation-with-checkpoint.git
cd yc-network-segmentation-with-checkpoint

Set up the CLI profile to run operations on behalf of the service account:
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
1. Create an authorized key for your service account and save the file:
  yc iam key create \ --service-account-id <service_account_ID> \ --folder-id <ID_of_folder_with_service_account> \ --output key.json
  Where:
  - service-account-id: Service account ID.
  - folder-id: ID of the folder in which the service account was created.
  - output: Name of the file with the authorized key.
  Result:
  id: aje8nn871qo4a8bbopvb service_account_id: ajehr0to1g8bh0la8c8r created_at: "2023-03-04T09:16:43.479156798Z" key_algorithm: RSA_2048
2. Create a CLI profile to run operations on behalf of the service account:
  yc config profile create sa-terraform
  Result:
  Profile 'sa-terraform' created and activated
3. Set the profile configuration:
  yc config set service-account-key key.json yc config set cloud-id <cloud_ID> yc config set folder-id <folder_ID>
  Where:
  - service-account-key: File with the service account authorized key.
  - cloud-id: Cloud ID.
  - folder-id: Folder ID.
4. Add the credentials to the environment variables:
  export YC_TOKEN=$(yc iam create-token) export YC_CLOUD_ID=$(yc config get cloud-id) export YC_FOLDER_ID=$(yc config get folder-id)
Get your PC's IP address:
```
curl 2ip.ru
```
Result:
```
192.240.24.87
```

Open the terraform.tfvars file in the nano editor to edit as follows:

The line with the cloud ID:
```
cloud_id = "<cloud_ID>"
```
The line with a list of allowed public IP addresses for jump-vm access:
```
trusted_ip_for_access_jump-vm = ["<PC_external_IP>/32"]
```

Description of variables in terraform.tfvars

Name name	Needs editing	Description	Type	Example
`cloud_id`	Yes	ID of your cloud in Yandex Cloud	`string`	`b1g8dn6s3v2eiid9dbci`
`az_name`	-	Yandex Cloud availability zone to host your resources	`string`	`ru-central1-d`
`security_segment_names`	-	List of segment names. The first segment is for management resources, the second for resources with public internet access, the third for a DMZ. If you need more segments, add them at the end of the list. When adding a segment, make sure to specify the subnet prefix in `subnet_prefix_list`.	`list(string)`	`["mgmt", "public", "dmz"]`
`subnet_prefix_list`	-	List of subnet prefixes as indicated in the `security_segment_names` list. Specify one prefix for each segment.	`list(string)`	`["192.168.1.0/24", "172.16.1.0/24", "10.160.1.0/24"]`
`public_app_port`	-	TCP port for a DMZ application open for outside internet connection	`number`	`80`
`internal_app_port`	-	Internal TCP port of a DMZ application to which the NGFW will direct traffic. You may specify the same port as public_app_port or a different one.	`number`	`8080`
`trusted_ip_for_access_jump-vm`	Yes	List of public IPs/subnets trusted to access the jump VM. Used in the incoming rule of the `jump-vm` security group.	`list(string)`	`["A.A.A.A/32", "B.B.B.0/24"]`
`jump_vm_admin_username`	-	Username for connecting to `jump-vm` over SSH	`string`	`admin`
`wg_port`	-	UDP port for incoming traffic as indicated in the `jump-vm` WireGuard settings	`number`	`51820`

Warning

We recommend specifying additional segments in advance if you may need them later on, since a cloud-based NGFW VM does not support adding new network interfaces after it is created.

Deploy the resources in the cloud using Terraform:
1. Initialize Terraform:
```
terraform init
```
2. Check the Terraform file configuration:
```
terraform validate
```
3. Check the list of cloud resources you are about to create:
```
terraform plan
```
4. Create resources:
```
terraform apply
```

After the terraform apply process is over, the command line will output a list of information on the deployed resources. Later on, you can view this information by running the terraform output command:

Viewing information on deployed resources

Name	Description	Sample value
`dmz-web-server_ip_address`	DMZ web server IP for publishing a test application from the DMZ segment. Used for configuring destination NAT on a firewall.	`10.160.1.100`
`fw-mgmt-server_ip_address`	Firewall management server IP	`192.168.1.100`
`fw_gaia_portal_mgmt-server_password`	Default password for the initial connection to the firewall management server IP over HTTPS	`admin`
`fw_mgmt_ip_address`	Firewall IP in the management network	`192.168.1.10`
`fw_public_ip_address`	Public firewall IP	`D.D.D.D`
`fw_sic-password`	One-time password for adding a firewall to the firewall management server	The `terraform output` command does not return this variable. To view its value run `terraform output fw_sic-password`.
`fw_smartconsole_mgmt-server_password`	Password for connecting to the firewall management server via Check Point's SmartConsole GUI application.	The `terraform output` command does not return this variable. To view its value run `terraform output fw_smartconsole_mgmt-server_password`.
`jump-vm_path_for_WireGuard_client_config`	Configuration file for enabling a secure WireGuard VPN connection to `jump-vm`	`./jump-vm-wg.conf`
`jump-vm_public_ip_address_jump-vm`	Jump VM public IP	`E.E.E.E`
`path_for_private_ssh_key`	File with a private key used to connect to VMs over SSH (jump VM, firewalls, management server, DMZ web server)	`./pt_key.pem`

Configure the firewall gateway

This guide describes how to configure firewalls with basic access control and NAT policies required for performance testing but insufficient for production deployment.

Learn more about Check Point capabilities and configuration with our free course, A Deep Dive into Network Security.

Connect to the control segment via a VPN

After deploying the infrastructure, the mgmt folder will contain a VM named jump-vm based on an Ubuntu image with the WireGuard VPN configured for a secure connection. Set up a VPN tunnel to jump-vm on your PC to access the mgmt, dmz, and public segment subnets.

To set up the VPN tunnel:

Get the username in the Linux subsystem:
```
whoami
```
Install WireGuard on your PC.
Open WireGuard and click Add Tunnel.
In the dialog box that opens, select the jump-vm-wg.conf file in the yc-network-segmentation-with-checkpoint folder.
To find the directory created in a Linux subsystem, e.g., Ubuntu, type the file path in the dialog box address bar:
```
\\wsl$\Ubuntu\home\<Ubuntu_user_name>\yc-network-segmentation-with-checkpoint
```
Where <Ubuntu_user_name> is the name of the current Linux distribution user.
Click Activate to activate the tunnel.
Check network connectivity with the management server via the WireGuard VPN tunnel by running the following command in the terminal:
```
ping 192.168.1.100
```
Warning

If the packets fail to reach the management server, make sure that the mgmt-jump-vm-sg security group rules for incoming traffic have your PC external IP address specified.

Run SmartConsole

To manage and set up the Check Point solution, install and run the SmartConsole GUI client:

Connect to the NGFW management server by opening https://192.168.1.100 in your browser.
Sign in using the admin username and the admin password.
In the Gaia Portal interface that opens, download the SmartConsole GUI client. To do this, click Manage Software Blades using SmartConsole. Download Now!.
Install SmartConsole on your PC.

Get the SmartConsole access password:

terraform output fw_smartconsole_mgmt-server_password

Open SmartConsole and sign in with the admin username, 192.168.1.100 management server IP address, and SmartConsole password.

Add the firewall gateway

Add the FW firewall gateway to the management server using the Wizard:

In the Objects drop-down list at the top left, select More object types → Network Object → Gateways and Servers → New Gateway....
Click Wizard Mode.
In the dialog box that opens, enter the following:
- Gateway name: FW
- Gateway platform: CloudGuard IaaS
- IPv4: 192.168.1.10
Click Next.
Get the firewall access password:
```
terraform output fw_sic-password
```
In the One-time password field, type the previously obtained password.
Click Next and Finish.

Configure the FW gateway network interfaces

Configure the eth0 network interface:

In the Gateways & Servers tab, open the FW gateway setup dialog. To to this, double-click on the added FW in the list.
In the Network Management tab, the Topology table, select the eth0 interface, click Edit and then click Modify... in the window that opens.
Under Security Zone, activate Specify Security Zone and select InternalZone.

In the same way, configure the eth1 and eth2 network interfaces:

For the eth1 interface, specify ExternalZone under Security Zone.
For the eth2 interface, in the Leads To section select Override and enable Interface leads to DMZ. Under Security Zone, set DMZZone.

Interface	IPv4 address/mask	Leads To	Security Zone	Anti Spoofing
eth0	192.168.1.10/24	This network (Internal)	InternalZone	Prevent and Log
eth1	172.16.1.10/24	Internet (External)	ExternalZone	Prevent and Log
eth2	10.160.1.10/24	This network, DMZ (Internal)	DMZZone	Prevent and Log

Create network objects

In the Objects drop-down list at the top left, select New Network... to create networks named mgmt, public, and dmz with the following data:

Name Network address Net mask

mgmt 192.168.1.0 255.255.255.0

public 172.16.1.0 255.255.255.0

dmz 10.160.1.0 255.255.255.0

For the DMZ network, set up Automatic Hide NAT to hide the addresses of internet-facing VMs hosted in the DMZ segment behind the IP address of the FW gateway in the public segment. To do this:
1. In the dmz network editing dialog box, go to the NAT tab.
2. Activate Add automatic address translation rules, select Hide from the drop-down list and enable Hide behind the gateway.
In the Objects drop-down list at the top left, select New Host... and create hosts named dmz-web-server and FW-public-IP with the following data:

Name IPv4 address

dmz-web-server 10.160.1.100

FW-public-IP 172.16.1.10
Select More object types → Service → New TCP... to create a TCP service for the application deployed in the DMZ segment and specify TCP_8080 as its name and 8080 as the port.

Name	Network address	Net mask
mgmt	192.168.1.0	255.255.255.0
public	172.16.1.0	255.255.255.0
dmz	10.160.1.0	255.255.255.0

Name	IPv4 address
dmz-web-server	10.160.1.100
FW-public-IP	172.16.1.10

Set security policy rules

To add a security rule:

In the Security policies tab, select Policy under Access Control.
In the rule table, right-click next to the New Rule option in the context menu and select Above or Below.
In a new line:
- In the Name column, enter Web-server port forwarding on FW.
- In the Destination column, select the FW-public-IP object.
- In the Services & Applications column, select the http object.
- In the Action column, select Accept.
- In the Track column, select Log.

In the same way, add the other basic rules from the table below to test the firewall policies, run NLB health checks, publish a test application from the DMZ segment, and test its fault tolerance.

No	Name	Source	Destination	VPN	Services & Applications	Action	Track	Install On
1	Web-server port forwarding on FW	Any	FW-public-IP	Any	http	Accept	Log	Policy Targets (All gateways)
2	FW management	mgmt	FW, mgmt-server	Any	https, ssh	Accept	Log	Policy Targets (All gateways)
3	Stealth	Any	FW, mgmt-server	Any	Any	Drop	Log	Policy Targets (All gateways)
4	mgmt to DMZ	mgmt	dmz	Any	Any	Accept	Log	Policy Targets (All gateways)
5	mgmt to public	mgmt	public	Any	Any	Accept	Log	Policy Targets (All gateways)
6	ping from dmz to internet	dmz	ExternalZone	Any	icmp-reguests (Group)	Accept	Log	Policy Targets (All gateways)
7	Cleanup rule	Any	Any	Any	Any	Drop	Log	Policy Targets (All gateways)

Description of Access Control - Policy rules

Number	Name	Description
1	Web-server port forwarding on FW	Allows external internet access to the IP address of a public segment firewall on TCP port 80
2	FW management	Allows access to firewalls and the firewall management server from the MGMT segment for management tasks
3	Stealth	Denies access to firewalls and the firewall management server from other segments
4	mgmt to DMZ	Allows access from the MGMT segment to DMZ for management tasks
5	mgmt to public	Allows access from MGMT to the public segment for management tasks
6	ping from dmz to internet	Allows outbound ICMP packets from the DMZ segment to the internet for performance testing
7	Cleanup rule	Denies access to other traffic

Set up a static NAT table

Destination NAT routes user requests to the application's web server in the DMZ segment.

It will translate the destination IP address to the web server IP and the destination port to TCP port 8080 in the headers of packets with user requests sent to a DMZ application.

To set up the NAT tables of the FW gateway:

Go to the NAT subsection of the Access Control section.
In the rule table menu and select Add rule to top.

In a new line:

In the Original Destination column, select the FW-public-IP object.
In the Original Services column, select the http object.
In the Translated Destination column, select the dmz-web-server object.
In the Translated Services column, select the TCP_8080 object.

The NAT table will display this rule:

No	Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services	Install On
1	Any	FW-public-IP	http	Original	dmz-web-server	TCP_8080	Policy Targets (All gateways)

Apply the security policy rules

Click Install Policy at the top left of the screen.
In the dialog box that opens, click Publish & Install.
In the next dialog, click Install and wait for the process to finish.

Test the solution

To find out the public IP address of the firewall, run the following command in the terminal:
```
terraform output fw_public_ip_address
```
Make sure the network infrastructure can be accessed from the outside by opening the following address in the browser:
```
http://<FW_public_IP_address>
```
If the system is accessible from the outside, you will see the Welcome to nginx! page.
Make sure the firewall security policy rules that allow traffic are active. To do this, go to your PC’s yc-network-segmentation-with-checkpoint directory and connect to the DMZ VM over SSH:
```
cd ~/yc-network-segmentation-with-checkpoint
ssh -i pt_key.pem admin@<internal_IP_address_of_VM_in_DMZ_segment>
```
To check that there is access from the VM in the DMZ segment to a public resource on the internet, run this command:
```
ping ya.ru
```
The command must run according to the ping from dmz to internet rule that allows traffic.
Make sure the security policy rules that prohibit traffic are applied.
To check that jump-vm in the mgmt segment cannot be accessed from the dmz segment, run this command:
```
ping 192.168.1.101
```
The command must fail according to the Cleanup rule that prohibits traffic.
In SmartConsole, open the LOGS & MONITOR section; in the Logs tab, find the entries made during testing to see which security rules and actions were applied to the traffic.

Requirements for production deployment

If you need to ensure NGFW fault tolerance and high availability of deployed applications, use this recommended solution.
Make sure to change the passwords sent in the check-init...yaml files via the metadata service:
- SIC password for connecting the firewall and the firewall management server.
- Check Point SmartConsole password.
- Admin user password for the firewall management server. You can change this password in Gaia Portal.
Save the pt_key.pem private SSH key to a secure location or recreate it separately from Terraform.
Delete the public IP address of the jump VM if you do not plan on using it.
If you plan to use the jump VM for connecting to the management segment with WireGuard VPN, change the WireGuard keys in the jump VM and admin workstation.
Set up access control and NAT policies for your installation in the Check Point NGFW.
In security groups within segments, set up the required rules for deployed applications.
Do not assign public IP addresses to the VMs in those segments where the Check Point NGFW routing tables are used. The only exception is the MGMT segment where routing tables do not use the 0.0.0.0/0 default route.
Select your preferred Check Point CloudGuard IaaS license and image (see Next-Generation Firewall).

How to delete the resources you created

To stop paying for the resources you created, run this command:

terraform destroy

Terraform will permanently delete all the resources: networks, subnets, VMs, folders, etc.

As the resources you created reside in folders, a faster way to delete all resources is to delete all the folders using the Yandex Cloud console and then delete the terraform.tfstate file from the yc-network-segmentation-with-checkpoint folder on your PC.

Cloud infrastructure segmentation with Check Point Next-Generation Firewall

Next-Generation FirewallNext-Generation Firewall

Prepare your cloudPrepare your cloud

Required paid resourcesRequired paid resources

Required quotasRequired quotas

Prepare the environmentPrepare the environment

Configure WSLConfigure WSL

Create a service account with the admin privileges for the cloudCreate a service account with the admin privileges for the cloud

Install the required utilitiesInstall the required utilities

Deploy your resourcesDeploy your resources

Configure the firewall gatewayConfigure the firewall gateway

Connect to the control segment via a VPNConnect to the control segment via a VPN

Run SmartConsoleRun SmartConsole

Add the firewall gatewayAdd the firewall gateway

Configure the FW gateway network interfacesConfigure the FW gateway network interfaces

Create network objectsCreate network objects

Set security policy rulesSet security policy rules

Set up a static NAT tableSet up a static NAT table

Apply the security policy rulesApply the security policy rules

Test the solutionTest the solution

Requirements for production deploymentRequirements for production deployment

How to delete the resources you createdHow to delete the resources you created

Was the article helpful?