Oracle Cloud Infrastructure offers a native firewall capability: customers can create Security Lists with stateful rules that filter packets by source and destination IP address and by TCP and UDP port. Customers also have the option to install and deploy third-party firewall products to satisfy additional requirements:
- To comply with their existing or required InfoSec policy
- To leverage existing operational knowledge
- To add security features that are not available with Security Lists like IDS/IPS
In this blog we are featuring Check Point because many of our existing customers use Check Point firewall products on-premises and hold enterprise licenses that they can use on Oracle IaaS under the "bring your own license" (BYOL) scheme.
The Check Point CloudGuard family of security products can be deployed as virtual appliances to protect enterprise workloads running on cloud infrastructures (IaaS) or software services and applications (SaaS) against generation V cyberattacks. This post describes the general workflow and provides some associated steps for installing the Check Point CloudGuard IaaS virtual appliance on Oracle Cloud Infrastructure. For general guidance, see the How to Deploy a Virtual Firewall Appliance on Oracle Cloud Infrastructure blog post.
To perform the steps in this post, you must meet the following prerequisites:
- You have an Oracle Cloud Infrastructure tenancy.
- You need to have access to the Oracle Cloud Marketplace to download the Check Point CloudGuard IaaS Security Gateway.
- Optionally, you can store the image in your Object Storage (for example, in us-ashburn-1).
- You are familiar with the following Oracle Cloud Infrastructure terms: availability domain, bucket, compartment, image, instance, key pair, region, shape, tenancy, and VCN. For definitions, see the documentation glossary.
The example in this post uses the VM.Standard2.4 compute shape. For a list of Oracle Compute shapes and pricing information, see the Compute pricing page.
In this example, CloudGuard is deployed in a single gateway configuration, with three VNICs: one for the public internet facing traffic, the second for the DMZ, and the third for internal workloads. The internet and DMZ zones are on public subnets, and the internal zone is on a private subnet.
The following table lists the interface properties as shown in the architecture diagram:
Step 1: Create the VCN
Using the Oracle Cloud Infrastructure Console, create a virtual cloud network (VCN) and its associated resources for the CloudGuard security zones. The following images show examples of the resources in the console.
Security Lists with Ingress and Egress Rules
Step 2: Import the CloudGuard Image as a Custom Image
Import the image from Object Storage and create a custom image.
If you want to create the CloudGuard gateway in another region (for example, uk-london-1), you must first create a pre-authenticated request for the image object in Object Storage so that the image can be fetched from that region.
Then, create the custom image.
Step 3: Launch an Instance from the Custom Image
- Open the navigation menu. Under Core Infrastructure, go to Compute and click Custom Images.
- Find the custom image that you want to use.
- Click the Actions icon (three dots), and then click Launch Instance.
- Provide additional launch options as described in Creating an Instance.
Step 4: Add More VNICs (for the DMZ Security Zone)
You can create additional VNICs while the first instance is running. To complete the additional VNIC configuration, you must reboot the instance.
- Double-click the instance.
- In the left-side menu, click Attached VNICs.
- Click Create VNIC.
- Enter a name.
- For Virtual Cloud Network, select the VCN.
- For Subnet, select a private subnet.
- Select the Skip Source/Destination Check check box.
- Click Create VNIC.
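As an added example that is not part of the original post or of Check Point's own material, Steps 1, 3 and 4 expressed as Terraform for the OCI provider: a stateful security list for the internet-facing zone, the gateway instance, and a secondary VNIC with the source/destination check skipped. It assumes the VCN and the two subnets already exist and that `compartment_id`, `vcn_id`, `availability_domain`, `admin_cidr`, `cloudguard_image_id`, `external_subnet_id` and `internal_subnet_id` are supplied as variables.

```hcl
# Stateful security list for the internet-facing subnet: management HTTPS
# only from an administrative range in, any traffic out (assumed policy).
resource "oci_core_security_list" "external" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "external-zone"
  ingress_security_rules {
    protocol  = "6"             # TCP
    source    = var.admin_cidr  # assumed: your management source range
    stateless = false           # stateful, like the console Security List
    tcp_options {
      min = 443
      max = 443
    }
  }
  egress_security_rules {
    protocol    = "all"
    destination = "0.0.0.0/0"
  }
}

# The gateway instance (Step 3). Its primary VNIC is the internet-facing
# zone. The source/destination check must be skipped on every firewall
# VNIC, otherwise OCI drops the packets the gateway forwards on behalf of
# other hosts.
resource "oci_core_instance" "cloudguard" {
  availability_domain = var.availability_domain
  compartment_id      = var.compartment_id
  shape               = "VM.Standard2.4"
  display_name        = "cloudguard-gw"
  source_details {
    source_type = "image"
    source_id   = var.cloudguard_image_id  # custom image from Step 2
  }
  create_vnic_details {
    subnet_id              = var.external_subnet_id
    assign_public_ip       = true
    skip_source_dest_check = true
  }
}

# Secondary VNIC for the internal zone (Step 4); repeat for the DMZ zone.
resource "oci_core_vnic_attachment" "internal" {
  instance_id  = oci_core_instance.cloudguard.id
  display_name = "internal-zone"
  create_vnic_details {
    subnet_id              = var.internal_subnet_id  # private subnet
    assign_public_ip       = false
    skip_source_dest_check = true
  }
}
```

Terraform only attaches the VNIC on the OCI side; the reboot described above is still needed for Gaia to bring the new interface up.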
Step 5: Create a Serial Console Connection to the Running Instance
Create a serial console connection to the running instance by following the instructions at Instance Console Connections.
Step 6: Configure CloudGuard
Configure the gateway by using the Check Point Gaia Portal or the SmartConsole.
You can manage your Check Point Security Gateway in the following ways:
- Standalone configuration: CloudGuard acts as its own Security Management Server and Security Gateway
- Centrally managed: by a Security Management Server in the same virtual network or outside the gateway, for example:
  - On premises
  - From a different cloud, or from another Oracle Cloud Infrastructure VCN or region
  - From a different tenant in Oracle Cloud
Configure the Gateway from the Gaia Portal
- Open an SSH client and connect to the instance.
- Set the password for the administrator user: enter `set user admin password`.
- Enter the new password when prompted.
- Enter `save config`.
- Go to the Gaia Portal: `https://<IP_address>`
The First Time Configuration Wizard is displayed. Perform the following steps to configure your system. On the Installation Type page, you select the specific deployment for your system.
- On the Deployment Options page, select Setup, Install, or Recovery.
- On the Management Connection page, configure your system.
- On the Internet Connection page, configure the interface to connect to the internet.
- On the Device Information page, configure the DNS and proxy settings.
- On the Date and Time Settings page, set the time manually, or use the Network Time Protocol (NTP).
- On the Installation Type page, configure the system for your needs.
Configure the Gateway from the SmartConsole
- Open the SmartConsole and go to the Gateways & Servers view.
- Click the New icon and then select Gateway.
The Check Point Security Gateway Creation window is displayed.
- Select Wizard Mode.
- Enter values on the General Properties page.
- Initiate secure internal communications.
- Click Finish.
The Check Point Gateway General Properties window is displayed.
- Configure the gateway.
Refer to the Check Point CloudGuard documentation for the step-by-step configuration.
In the next blog post we will cover high availability options for CloudGuard on OCI in a multi-VCN configuration. Please stay tuned!