Cloud infrastructure segmentation with the Check Point next-generation firewall
In this tutorial, we will deploy a secure network infrastructure based on the Check Point next-generation firewall (NGFW). It will include three segments hosting resources grouped by function and isolated from each other. We will host public-facing applications in the dmz segment and cloud management resources in the mgmt segment. The segments will communicate through the Check Point NGFW.
To ensure NGFW fault tolerance and application high availability, use this recommended solution.
- public folder with internet-facing resources.
- mgmt folder with cloud management resources, including:
  - FW: protection and network segmentation VM.
  - mgmt-server: firewall management VM.
  - jump: WireGuard VPN VM providing secure access to the management segment.
- dmz folder with public-facing applications.
For more information, see the project repository.
To deploy a secure Check Point NGFW-based network infrastructure:
- Get your cloud ready.
- Prepare your environment.
- Deploy your resources.
- Set up your firewall gateway.
- Test the solution.
- Requirements for production deployment.
If you no longer need the resources you created, delete them.
Next-Generation Firewall
Among various Yandex Cloud Marketplace NGFW solutions we will choose Check Point CloudGuard IaaS. Its features include:
- Firewall, NAT, IPS, antivirus and anti-bot protection.
- Application layer granular traffic management, session logging.
- Centralized Check Point security management.
In our example, we will configure the Check Point firewall with basic access control and NAT policies.
Yandex Cloud Marketplace offers PAYG and BYOL licensing for Check Point CloudGuard IaaS. We will use BYOL with a 15-day trial:
- NGFW VM Check Point CloudGuard IaaS: Firewall & Threat Prevention BYOL.
- Management server VM Check Point CloudGuard IaaS: Security Management BYOL.
For production deployment, we recommend using the following options:
- NGFW Check Point CloudGuard IaaS: Firewall & Threat Prevention PAYG.
- Separate license for the Check Point CloudGuard IaaS: Security Management server. Alternatively, you can use your on-premise server.
Get your cloud ready
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost includes:
- Fee for continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for public IP addresses and outgoing traffic (see Yandex Virtual Private Cloud pricing).
Required quotas
Warning
In this tutorial, you will have to deploy a resource-intensive infrastructure.
Make sure your cloud has sufficient quotas that are not used by other projects.
Resources used by this tutorial
Resource | Amount |
---|---|
Folders | 3 |
Virtual machines | 4 |
VM vCPUs | 12 |
VM RAM | 20 GB |
Disks | 4 |
SSD size | 240 GB |
HDD size | 20 GB |
Cloud networks | 3 |
Subnets | 3 |
Route tables | 2 |
Security groups | 5 |
Static public IP addresses | 2 |
Static routes | 3 |
Set up your environment
In this tutorial, we will use Windows software and Windows Subsystem for Linux (WSL). We will also use Terraform.
Configure WSL
- Check whether WSL is installed on your PC by running this command in the CLI terminal:
  ```bash
  wsl -l
  ```
  If WSL is installed, the terminal will display the list of available distributions, for example:
  ```text
  Windows Subsystem for Linux Distributions:
  docker-desktop (Default)
  docker-desktop-data
  Ubuntu
  ```
- If WSL is not installed, install it and repeat the previous step.
- Additionally, you can install your preferred Linux distribution, e.g., Ubuntu, on top of WSL.
- To make it the default system, run this command:
  ```bash
  wsl --setdefault ubuntu
  ```
- To switch your terminal to Linux, run this command:
  ```bash
  wsl ~
  ```
Note
To perform the following steps, we use the Linux terminal.
Create a cloud administrator service account
Management console
- In the management console, select the folder where you want to create a service account.
- In the list of services, select Identity and Access Management.
- Click Create service account.
- Specify the service account name, e.g., sa-terraform. The name should meet the following requirements:
  - It must be 2 to 63 characters long.
  - It may contain lowercase Latin letters, numbers, and hyphens.
  - It must start with a letter and cannot end with a hyphen.
- Click Create.
- Assign the admin role to the account:
  - On the management console home page, select your cloud.
  - Click the Access permissions tab.
  - Find the sa-terraform account in the list and click the menu icon next to it.
  - Click Edit roles.
  - In the dialog that opens, click Add role and select the admin role.
CLI
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
- Create a service account:
  ```bash
  yc iam service-account create --name sa-terraform
  ```
  Where name is the service account name. The name should meet the following requirements:
  - It must be 2 to 63 characters long.
  - It may contain lowercase Latin letters, numbers, and hyphens.
  - It must start with a letter and cannot end with a hyphen.
  Result:
  ```text
  id: ajehr0to1g8b********
  folder_id: b1gv87ssvu49********
  created_at: "2024-01-04T09:03:11.665153755Z"
  name: sa-terraform
  ```
- Assign the admin role to the account:
  ```bash
  yc resource-manager cloud add-access-binding <cloud_ID> \
    --role admin \
    --subject serviceAccount:<service_account_ID>
  ```
  Result:
  ```text
  done (1s)
  ```
API
To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.
To assign the service account a role for a cloud or folder, use the updateAccessBindings REST API method for the Cloud or Folder resource:
- Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
- Get the ID of the service account's folder.
- Get an IAM token required for authorization in the Yandex Cloud API.
- Get a list of folder service accounts to find out their IDs:
  ```bash
  export FOLDER_ID=b1gvmob95yys********
  export IAM_TOKEN=CggaATEVAgA...
  curl \
    --header "Authorization: Bearer ${IAM_TOKEN}" \
    "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
  ```
  Result:
  ```json
  {
    "serviceAccounts": [
      {
        "id": "ajebqtreob2d********",
        "folderId": "b1gvmob95yys********",
        "createdAt": "2018-10-18T13:42:40Z",
        "name": "my-robot",
        "description": "my description"
      }
    ]
  }
  ```
- Create the request body, e.g., in the body.json file. Set the action property to ADD and roleId to the appropriate role, such as editor, and specify the serviceAccount type and service account ID in the subject property:
  body.json:
  ```json
  {
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "ajebqtreob2d********",
          "type": "serviceAccount"
        }
      }
    }]
  }
  ```
- Assign a role to a service account. For example, for a folder with the b1gvmob95yys******** ID:
  ```bash
  export FOLDER_ID=b1gvmob95yys********
  export IAM_TOKEN=CggaAT********
  curl \
    --request POST \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer ${IAM_TOKEN}" \
    --data '@body.json' \
    "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
  ```
Install the required tools
- Install Git using the following command:
  ```bash
  sudo apt install git
  ```
- Install Terraform:
  - Navigate to the home directory:
    ```bash
    cd ~
    ```
  - Create the terraform directory and open it:
    ```bash
    mkdir terraform
    cd terraform
    ```
  - Run the following command to download the terraform_1.3.9_linux_amd64.zip archive from the official website:
    ```bash
    curl --location --remote-name https://hashicorp-releases.yandexcloud.net/terraform/1.3.9/terraform_1.3.9_linux_amd64.zip
    ```
  - Install zip and unpack the ZIP archive:
    ```bash
    sudo apt install zip
    unzip terraform_1.3.9_linux_amd64.zip
    ```
  - Add the executable directory to your PATH:
    ```bash
    export PATH=$PATH:~/terraform
    ```
  - Make sure that Terraform is installed by running this command:
    ```bash
    terraform -help
    ```
- Create a configuration file specifying the Terraform provider source:
  - Create the .terraformrc file in nano:
    ```bash
    cd ~
    nano .terraformrc
    ```
  - Add the following section to the file:
    ```hcl
    provider_installation {
      network_mirror {
        url     = "https://terraform-mirror.yandexcloud.net/"
        include = ["registry.terraform.io/*/*"]
      }
      direct {
        exclude = ["registry.terraform.io/*/*"]
      }
    }
    ```
    For more information about mirror settings, see the relevant Terraform guides.
Deploy your resources
- Clone the GitHub repository and navigate to the yc-network-segmentation-with-checkpoint script directory:
  ```bash
  git clone https://github.com/yandex-cloud-examples/yc-network-segmentation-with-checkpoint.git
  cd yc-network-segmentation-with-checkpoint
  ```
- Set up a CLI profile to run operations on behalf of the service account:
  CLI
  If you do not have the Yandex Cloud CLI yet, install and initialize it.
  The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
  - Create an authorized key for your service account and save it to the file:
    ```bash
    yc iam key create \
      --service-account-id <service_account_ID> \
      --folder-id <ID_of_folder_with_service_account> \
      --output key.json
    ```
    Where:
    - service-account-id: Service account ID.
    - folder-id: ID of the folder where you created the service account.
    - output: Authorized key file name.
    Result:
    ```text
    id: aje8nn871qo4********
    service_account_id: ajehr0to1g8b********
    created_at: "2023-03-04T09:16:43.479156798Z"
    key_algorithm: RSA_2048
    ```
  - Create a CLI profile to run operations on behalf of the service account:
    ```bash
    yc config profile create sa-terraform
    ```
    Result:
    ```text
    Profile 'sa-terraform' created and activated
    ```
  - Configure the profile:
    ```bash
    yc config set service-account-key key.json
    yc config set cloud-id <cloud_ID>
    yc config set folder-id <folder_ID>
    ```
    Where key.json is the authorized key file you created, <cloud_ID> is your cloud ID, and <folder_ID> is the folder ID.
  - Export your credentials to environment variables:
    ```bash
    export YC_TOKEN=$(yc iam create-token)
    export YC_CLOUD_ID=$(yc config get cloud-id)
    export YC_FOLDER_ID=$(yc config get folder-id)
    ```
- Get your PC IP address:
  ```bash
  curl 2ip.ru
  ```
  Result:
  ```text
  192.240.24.87
  ```
- Open the terraform.tfvars file in nano and edit it as follows:
  - The cloud ID line:
    ```hcl
    cloud_id = "<cloud_ID>"
    ```
  - The jump-vm allowed public IP addresses:
    ```hcl
    trusted_ip_for_access_jump-vm = ["<PC_external_IP>/32"]
    ```
  terraform.tfvars variable description
  Parameter name | Needs editing | Description | Type | Example |
  ---|---|---|---|---|
  cloud_id | Yes | Your Yandex Cloud ID | string | b1g8dn6s3v2e******** |
  az_name | - | Availability zone of your Yandex Cloud resources | string | ru-central1-d |
  security_segment_names | - | Segment names. Specify three segments: for management resources, public-facing resources, and DMZ. If you need more segments, add them at the end of the list. When adding a segment, make sure to specify its subnet prefix in subnet_prefix_list. | list(string) | ["mgmt", "public", "dmz"] |
  subnet_prefix_list | - | Segment subnet prefixes. Specify one prefix for each segment from the security_segment_names list. | list(string) | ["192.168.1.0/24", "172.16.1.0/24", "10.160.1.0/24"] |
  public_app_port | - | DMZ application external TCP port | number | 80 |
  internal_app_port | - | DMZ application internal TCP port receiving traffic from the NGFW. The internal and external (public_app_port) TCP ports may be the same. | number | 8080 |
  trusted_ip_for_access_jump-vm | Yes | List of IP addresses allowed to access the jump VM according to its inbound traffic rules | list(string) | ["A.A.A.A/32", "B.B.B.0/24"] |
  jump_vm_admin_username | - | jump VM username for SSH connections | string | admin |
  wg_port | - | jump VM WireGuard inbound UDP port | number | 51820 |
  Warning
  If you think you may need additional segments later, add them now because you will not be able to add extra network interfaces to the NGFW VM once it is created.
- Deploy your cloud resources with Terraform:
  - Initialize Terraform:
    ```bash
    terraform init
    ```
  - Check the Terraform configuration:
    ```bash
    terraform validate
    ```
  - Preview the list of new cloud resources:
    ```bash
    terraform plan
    ```
  - Create resources:
    ```bash
    terraform apply
    ```
- Once the process is completed, you will see the list of created resources. You can also display this list with the terraform output command:
  List of deployed resources
  Name | Description | Value (example) |
  ---|---|---|
  dmz-web-server_ip_address | DMZ web server IP address. Used for testing the DMZ application and configuring destination NAT on the firewall. | 10.160.1.100 |
  fw-mgmt-server_ip_address | Firewall management server IP address | 192.168.1.100 |
  fw_gaia_portal_mgmt-server_password | Default password for the firewall management server Gaia Portal (HTTPS) | admin |
  fw_mgmt_ip_address | Management network firewall IP address | 192.168.1.10 |
  fw_public_ip_address | Public firewall IP address | D.D.D.D |
  fw_sic-password | OTP for adding a firewall to the firewall management server | Not shown by the terraform output command; run terraform output fw_sic-password to see it |
  fw_smartconsole_mgmt-server_password | Password for connecting to the firewall management server from the Check Point SmartConsole GUI | Not shown by the terraform output command; run terraform output fw_smartconsole_mgmt-server_password to see it |
  jump-vm_path_for_WireGuard_client_config | WireGuard VPN jump VM connection configuration file | ./jump-vm-wg.conf |
  jump-vm_public_ip_address_jump-vm | Jump VM public IP | E.E.E.E |
  path_for_private_ssh_key | SSH private key used to connect to the jump VM, firewall, management server, and DMZ web server | ./pt_key.pem |
Configure the firewall gateway
In this guide, you will configure a firewall with basic access control and NAT policies required for performance testing but insufficient for production use.
Learn more about Check Point features and configuration options with our free course, A Deep Dive into Network Security.
Connect to the control segment through a VPN
Once you have deployed the infrastructure, the mgmt folder will contain an Ubuntu jump-vm instance with a configured WireGuard VPN, so you can access the mgmt, dmz, and public segment subnets.
To set up a VPN tunnel:
- Get your Linux username:
  ```bash
  whoami
  ```
- Install WireGuard on your PC.
- Open WireGuard and click Add Tunnel.
- In the dialog that opens, select the jump-vm-wg.conf file in the yc-network-segmentation-with-checkpoint directory.
  To find a Linux, e.g., Ubuntu, directory, type the file path in the dialog address bar:
  ```text
  \\wsl$\Ubuntu\home\<Ubuntu_user_name>\yc-network-segmentation-with-checkpoint
  ```
  Where <Ubuntu_user_name> is the Linux username you got in the previous step.
- Click Activate to activate the tunnel.
- Check whether you can connect to the management server through the VPN tunnel by running this command in the terminal:
  ```bash
  ping 192.168.1.100
  ```
Warning
If ping fails, make sure the mgmt-jump-vm-sg security group inbound rules include your PC external IP address.
Run SmartConsole
To set up and manage the Check Point NGFW:
- Connect to the NGFW management server by opening https://192.168.1.100 in your browser.
- Sign in using admin as both username and password.
- You will enter Gaia Portal, where you can download the SmartConsole GUI client by clicking Manage Software Blades using SmartConsole. Download Now!.
- Install SmartConsole on your PC.
- Get the SmartConsole password:
  ```bash
  terraform output fw_smartconsole_mgmt-server_password
  ```
- Open SmartConsole and sign in as admin with the password you got in the previous step, specifying 192.168.1.100 as your management server IP address.
Add the firewall gateway
Use the wizard to add the FW firewall gateway to the management server:
- In the Objects top left drop-down list, select More object types → Network Object → Gateways and Servers → New Gateway....
- Click Wizard Mode.
- In the dialog that opens, specify the following settings:
  - Gateway name: FW
  - Gateway platform: CloudGuard IaaS
  - IPv4: 192.168.1.10
- Click Next.
- Get the firewall password:
  ```bash
  terraform output fw_sic-password
  ```
- Enter the password in the One-time password field.
- Click Next, and then Finish.
Configure the firewall gateway network interfaces
Configure the eth0 network interface:
- In the Gateways & Servers tab, open the firewall gateway setup dialog by double-clicking FW.
- In the Topology table on the Network Management tab, select the eth0 interface, click Edit, and then in the window that opens, click Modify....
- Under Security Zone, activate Specify Security Zone and select InternalZone.
In the same way, configure the eth1 and eth2 network interfaces:
- For the eth1 interface, specify ExternalZone under Security Zone.
- For the eth2 interface, select Override in the Leads To section and enable Interface leads to DMZ. Under Security Zone, specify DMZZone.
Interface | IPv4 address/mask | Leads To | Security Zone | Anti Spoofing |
---|---|---|---|---|
eth0 | 192.168.1.10/24 | This network (Internal) | InternalZone | Prevent and Log |
eth1 | 172.16.1.10/24 | Internet (External) | ExternalZone | Prevent and Log |
eth2 | 10.160.1.10/24 | This network, DMZ (Internal) | DMZZone | Prevent and Log |
Create network objects
- In the Objects top left drop-down list, select New Network... and create the mgmt, public, and dmz networks with the following settings:
  Name | Network address | Net mask |
  ---|---|---|
  mgmt | 192.168.1.0 | 255.255.255.0 |
  public | 172.16.1.0 | 255.255.255.0 |
  dmz | 10.160.1.0 | 255.255.255.0 |
  For the DMZ network, configure Automatic Hide NAT rules to hide the addresses of DMZ-hosted internet-facing VMs behind the firewall public IP address. To do this:
  - In the dmz network editing dialog, navigate to the NAT tab.
  - Activate Add automatic address translation rules, select Hide from the drop-down list, and enable Hide behind the gateway.
- In the Objects top left drop-down list, select New Host... and create the dmz-web-server and FW-public-IP hosts with the following settings:
  Name | IPv4 address |
  ---|---|
  dmz-web-server | 10.160.1.100 |
  FW-public-IP | 172.16.1.10 |
- Select More object types → Service → New TCP... and create a TCP service named TCP_8080 at port 8080 for the DMZ-hosted application.
Define security policy rules
To add a security rule:
- In the Security policies tab, under Access Control, select Policy.
- Right-click the rule table area and, in the context menu that opens, select Above or Below next to New Rule.
- In the new line that appears:
  - In the Name column, specify Web-server port forwarding on FW.
  - In the Destination column, select FW-public-IP.
  - In the Services & Applications column, select http.
  - In the Action column, select Accept.
  - In the Track column, select Log.
In the same way using the table below, add other rules allowing you to test firewall policies, run NLB health checks, publish a DMZ-hosted test application, and test its fault tolerance.
No | Name | Source | Destination | VPN | Services & Applications | Action | Track | Install On |
---|---|---|---|---|---|---|---|---|
1 | Web-server port forwarding on FW | Any | FW-public-IP | Any | http | Accept | Log | Policy Targets (All gateways) |
2 | FW management | mgmt | FW, mgmt-server | Any | https, ssh | Accept | Log | Policy Targets (All gateways) |
3 | Stealth | Any | FW, mgmt-server | Any | Any | Drop | Log | Policy Targets (All gateways) |
4 | mgmt to DMZ | mgmt | dmz | Any | Any | Accept | Log | Policy Targets (All gateways) |
5 | mgmt to public | mgmt | public | Any | Any | Accept | Log | Policy Targets (All gateways) |
6 | ping from dmz to internet | dmz | ExternalZone | Any | icmp-requests (Group) | Accept | Log | Policy Targets (All gateways) |
7 | Cleanup rule | Any | Any | Any | Any | Drop | Log | Policy Targets (All gateways) |
Access management policy rule description
Number | Name | Description |
---|---|---|
1 | Web-server port forwarding on FW | Allows internet access to the firewall TCP port 80 |
2 | FW management | Allows access to the firewall and the firewall management server from the mgmt segment |
3 | Stealth | Blocks access to the firewall and the firewall management server from other segments |
4 | mgmt to DMZ | Allows access to DMZ from the mgmt segment |
5 | mgmt to public | Allows access from the mgmt segment to the public segment |
6 | ping from dmz to internet | Allows outbound ICMP packets from the DMZ segment to the internet; the rule is used for performance testing |
7 | Cleanup rule | Blocks other network traffic |
Create a static NAT table
The destination NAT will route internet user requests to the DMZ-hosted web server.
It will translate packet headers, replacing the destination IP address and port number with the web server IP address and TCP port 8080, respectively.
To set up the firewall gateway NAT table:
- Navigate to the NAT section under Access Control.
- In the rule table menu, select Add rule to top.
- In the new line that appears:
  - In the Original Destination column, select FW-public-IP.
  - In the Original Services column, select http.
  - In the Translated Destination column, select dmz-web-server.
  - In the Translated Services column, select TCP_8080.
The new rule will appear in the NAT rule table:
No | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On |
---|---|---|---|---|---|---|---|
1 | Any | FW-public-IP | http | Original | dmz-web-server | TCP_8080 | Policy Targets (All gateways) |
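To see how the seven access rules and the destination NAT rule above interact, here is an added Python model (not part of the tutorial, the project repository or the Check Point software) that evaluates constructed sample flows against the rulebase in first-match order. It assumes the object addresses from the tables above, represents an ICMP echo request as ("icmp", 8), and uses 203.0.113.5 as a made-up internet client address; it also shows why rule 1 must sit above the Stealth rule.

```python
"""Model of the tutorial's Check Point access and NAT rulebase (first match wins)."""
import ipaddress

# Network, host and service objects as created in SmartConsole in this tutorial.
# The FW object is modelled by its three interface addresses (eth0/eth1/eth2).
NETWORKS = {
    "mgmt": ipaddress.ip_network("192.168.1.0/24"),
    "public": ipaddress.ip_network("172.16.1.0/24"),
    "dmz": ipaddress.ip_network("10.160.1.0/24"),
}
HOSTS = {
    "FW": {"192.168.1.10", "172.16.1.10", "10.160.1.10"},
    "mgmt-server": {"192.168.1.100"},
    "FW-public-IP": {"172.16.1.10"},
    "dmz-web-server": {"10.160.1.100"},
}
# Services as (protocol, port). ICMP echo request is modelled as ("icmp", 8):
# a simplification of the icmp-requests group, assumed for this example only.
SERVICES = {
    "http": ("tcp", 80), "https": ("tcp", 443), "ssh": ("tcp", 22),
    "TCP_8080": ("tcp", 8080), "icmp-requests": ("icmp", 8),
}
# Access control rules 1-7 from the tutorial: (No, Name, Source, Destination, Services, Action).
RULES = [
    (1, "Web-server port forwarding on FW", ["Any"], ["FW-public-IP"], ["http"], "Accept"),
    (2, "FW management", ["mgmt"], ["FW", "mgmt-server"], ["https", "ssh"], "Accept"),
    (3, "Stealth", ["Any"], ["FW", "mgmt-server"], ["Any"], "Drop"),
    (4, "mgmt to DMZ", ["mgmt"], ["dmz"], ["Any"], "Accept"),
    (5, "mgmt to public", ["mgmt"], ["public"], ["Any"], "Accept"),
    (6, "ping from dmz to internet", ["dmz"], ["ExternalZone"], ["icmp-requests"], "Accept"),
    (7, "Cleanup rule", ["Any"], ["Any"], ["Any"], "Drop"),
]
# Static destination NAT rule: (Original Destination, Original Service,
# Translated Destination, Translated Service).
NAT_RULES = [("FW-public-IP", "http", "dmz-web-server", "TCP_8080")]


def _addr_matches(obj, ip):
    """True if address ip belongs to the named network/host object or zone."""
    if obj == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    if obj == "ExternalZone":  # anything outside the three internal segments
        return not any(addr in net for net in NETWORKS.values())
    if obj in NETWORKS:
        return addr in NETWORKS[obj]
    return ip in HOSTS[obj]


def _service_matches(obj, proto, port):
    return obj == "Any" or SERVICES[obj] == (proto, port)


def evaluate(src, dst, proto, port, rules=RULES):
    """Return (rule number, action) of the first rule matching the original (pre-NAT) packet."""
    for no, _name, sources, destinations, services, action in rules:
        if (any(_addr_matches(s, src) for s in sources)
                and any(_addr_matches(d, dst) for d in destinations)
                and any(_service_matches(v, proto, port) for v in services)):
            return no, action
    raise RuntimeError("rulebase has no cleanup rule")


def apply_dnat(dst, proto, port):
    """Return the (destination IP, port) after the static destination NAT rule."""
    for orig_dst, orig_svc, new_dst, new_svc in NAT_RULES:
        if dst in HOSTS[orig_dst] and SERVICES[orig_svc] == (proto, port):
            return next(iter(HOSTS[new_dst])), SERVICES[new_svc][1]
    return dst, port


if __name__ == "__main__":
    # Constructed sample flows: internet client 203.0.113.5, jump VM 192.168.1.101.
    for flow in [("203.0.113.5", "172.16.1.10", "tcp", 80), ("10.160.1.100", "192.168.1.101", "icmp", 8),
                 ("10.160.1.100", "192.168.1.100", "tcp", 443), ("203.0.113.5", "172.16.1.10", "tcp", 443)]:
        no, action = evaluate(*flow)
        print(flow, "->", no, action, "DNAT:", apply_dnat(*flow[1:]) if action == "Accept" else "n/a")
```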
Apply the security policy rules
- Click Install Policy at the top left of the screen.
- In the dialog that opens, click Publish & Install.
- In the next dialog, click Install and wait for the process to complete.
Test the solution
- To get the firewall public IP address, run this command in the terminal:
  ```bash
  terraform output fw_public_ip_address
  ```
- Make sure you can access your network infrastructure from the internet by opening the following address in your browser:
  ```text
  http://<FW_public_IP_address>
  ```
  If your system is accessible from the internet, you will see the Welcome to nginx! page.
- Make sure the firewall rules allowing traffic are active by navigating to the yc-network-segmentation-with-checkpoint directory on your PC and connecting to the DMZ-hosted VM over SSH:
  ```bash
  cd ~/yc-network-segmentation-with-checkpoint
  ssh -i pt_key.pem admin@<internal_IP_address_of_VM_in_DMZ_segment>
  ```
- To check whether the DMZ-hosted VM has internet access, run this command:
  ```bash
  ping ya.ru
  ```
  The ping from dmz to internet rule should allow the command to run.
- Make sure the firewall traffic-blocking rules are active. To check that the jump VM in the mgmt segment is not accessible from DMZ, run this command:
  ```bash
  ping 192.168.1.101
  ```
  The Cleanup rule should block the command.
- In SmartConsole, navigate to the Logs tab of the LOGS & MONITOR section, find the entries made while you tested the firewall rules, and see which rules were applied.
Production deployment requirements
- To ensure NGFW fault tolerance and application high availability, use this recommended solution.
- Make sure to change the passwords transferred through the metadata service in the check-init...yaml files:
  - SIC password for connecting the firewall and the firewall management server.
  - Check Point SmartConsole password.
  - Firewall management server admin password. You can change this password in Gaia Portal.
- Save the pt_key.pem private SSH key to a secure location or recreate it without using Terraform.
- If you do not plan on using the jump VM further, delete its public IP address.
- If you plan to connect to the mgmt segment through the jump VM WireGuard VPN, change the WireGuard keys on the jump VM and your remote PC, e.g., admin workstation.
- Set up access control and NAT policies for your Check Point NGFW configuration.
- Set up security group rules for applications deployed in different segments.
- Do not assign public IP addresses to the VMs in the segments protected by the Check Point NGFW rules and routing, with the exception of the mgmt segment, where routing tables do not use the 0.0.0.0/0 default route.
- Select your preferred Check Point CloudGuard IaaS license and image (see Next-Generation Firewall).
How to delete the resources you created
To stop paying for the resources you created, run this command:
terraform destroy
Terraform will permanently delete all resources you created, including networks, subnets, VMs, folders, etc.
You can delete your resources faster by deleting all folders in the Yandex Cloud console and then deleting the terraform.tfstate file from the yc-network-segmentation-with-checkpoint folder on your PC.