word template - community.checkpoint.com€¦ · web viewhow to upgrade a cloudguard scaleset...

HOW TO UPGRADE A CLOUDGUARD SCALESET FROM R80.20--> R80.30 IN MICROSOFT AZURE: STEP-BY- STEP GUIDE

Version1.0: Date: Oct. 11th 2019Created by Eugene Tcheby – Cloud Security Architect Canada

DISCLAIMER: This guide is based on instructions from the VMSS for Azure R80.10 and above Administration Guide release of August 14th 2019. https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/html_frameset.htm?topic=documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/216060

This document assumes that user is familiar with Checkpoint autoprovision service, cloudguard controller, and Checkpoint VMSS solution template components (frontend + backend load balancers).

EXERCISE 1: Reviewing existing Cloudguard VMSS deployment in Azure & Pre-requisites.

R80.20 Checkpoint Management Server - Ensure Jumbo Hotfix Take 103 of Aug. 26th 2019 is installed to be able to manage R80.30

gateways. For more information see https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113113&partition=General&product=Security

- From your web browser, access the Management Server WebUI with its public or private IP address depending on your setup. Under Upgrades (CPUSE) --> Status and Actions --> Hotfixes, select the Jumbo Hotfix Take 103 --> Install Update.

©2019 Check Point Software Technologies Ltd. All rights reserved | P. 1

- Install Smart Console for R80.20 client Build 0067 or latest. - Review the existing VMSS template configuration of gateway autoprovision by running

autoprov-cfg show all from Management server.

The above parameters will be useful when creating autoprovisioning template for the newly deployed VMSS in R80.30 and also help delete the old configuration. I called the current template to manage my R80.20 gateways in the existing scaleset “VMSS_Template”. In purple, you can see the blades activated, policy name and gateway version, my SIC (obfuscated).


EXERCISE 2: Create 2 empty load balancer backend pools for the existing VMSS Frontend & Backend Azure load balancers

Log in the Azure portal --> Load Balancers --> Frontend-lb

Select “Backend pools”--> “+add”

Create the new empty backend pool. I called mine frontend-lb-pool-new. Feel free to follow your own naming convention


Copy the frontend-lb resource ID under the load balancer’s “properties” for a later use. This will be used as parameter in the ARM template of the new R80.30 Checkpoint VMSS deployment.

Repeat the same steps for the existing backend-lb-pool.


EXERCISE 3: DEPLOY CHECK POINT R80.30 VMSS IN AZURE.

From the Azure portal, type in key word “Cloudguard” in the search bar, and under Marketplace select “Cloudguard IaaS – Firewall & Threat Prevention”

Under Software Plan, click on the drop-down menu and select “Check Point Cloudguard IaaS Scale Set” --> Create

1- BASIC SETTINGS


Gateway Scaleset Name: NewVMSSAuthentication type: Pick between password and public key – (I chose password)Resource Group: RG_NewVMSS (create a new one)Location: Canada Central (select the region closest to your location, or to comply with)

2- CHECKPOINT VMSS SETTINGS

a- Are you upgrading your Cloudguard VMSS solution : YESb- Initial number of gateways : 2 - use similar configuration as the old VMSS.c- Maximum number of gateways : 2 – use similar configuration as old VMSS. d- Management Name : VMSSMgmt – use similar name as the one management server

managing the old VMSSe- Configuration Template Name : NewVMSS_Template (do not use same configuration

template name the old VMSS). f- Target Load Balancer Resource Group : RG_VMSS (enter the resource group name where

the frontend and backend load balancers for the existing VMSS reside)


g- Target External load balancer resource ID: paste resource ID from step 2 instructionsh- External Load Balancer New Backend Pool Name: frontend-lb-pool-newi- Target Internal load balancer resource ID: paste resource ID from step 2 instructionsj- Internal Load Balancer New Backend Pool Name: backend-lb-pool-new

k- Management Interface and IP address: frontend NIC’s private IP

NOTE: Select the frontend NIC private IP if you’re managing the VMSS using public IP. This will allow SIC to be established between Mgmt and VMSS gateways. Otherwise select other option “backend NIC’s private IP address” if managing gateways using private IP.

l- Management Server IP address: Enter the frontend private IP of Mgmt server

Leave everything else as is. This procedure will keep the existing load balancers (hence using the resource ID) and their public IP. This will prevent having to move the existing public IP to new VMSS resource group. Something that isn’t possible in Azure at the moment.


CLOUDGUARD SETTINGS

m- Check Point Cloudguard Version : R80.30 – Please note, at the time this document is being created; only BYOL licensing is available for R80.30 deployments. PAYG will become available in future release of our ARM template.

NETWORK SETTINGS

n- Virtual Network : VMSS_VNET – select same VNET where the old VMSS solution was deployed

o- VMSS Frontend Subnet : same frontend subnet as the old VMSS solutionp- VMSS Backend Subnet : same backend subnet as the old VMSS solution.

Review and make sure validation of template parameters is successful


Once the deployment of the new VMSS is completed; go under Dashboard --> Virtual Machine Scale Sets.

This concludes exercise 3.


EXERCISE 4: CONFIGURE THE NEW VMSS TEMPLATE CONFIGURATION ON MANAGEMENT SERVER

This setup will allow the autoprovision service of the management server to discover R80.30 gateways of the newly provisioned VMSS, establish SIC, push policy and enable all relevant software blades.

a. Download the CME (Cloud Management Extension) package as per SK157492. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk157492&partition=Advanced&product=CloudGuard

Make sure you select take 55 for R80.20 Management Server

b. Follow the below CPUSE offline installation instructions

Open your web browser and access the Management Server WebUI, using its public IP or private IP depending on your setup. Follow Upgrades (CPUSE) --> Status and Actions --> Import Package

Select the CME package from local device and click import


Once package is imported, from the dropdown select “Showing All Packages”, click on the CME package --> Install Update

The CME is a utility that runs on the Checkpoint Management Server, and is contains the newer version of autoprovision service 2.0 for all Checkpoint autoscaling solutions in the public cloud (Azure, AWS and GCP) but also features the automatic hotfix deployment for autoscaling solutions, among other features.

For more information, and useful CME commands follow the CME Admin Guide.https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CME/Content/Topics/Installing_and_Updating_CME.htm?tocpath=_____4#Installing_and_Updating_CME

CME debug and config file: -tail –f /var/log/CPcme/cme.log

c. SSH into the management Server

Run the command service cme status to make sure CME is running.


d. Add the new VMSS template configuration to the autoprovision service of the CME with the below command.

Where:-tn flag = template name matching the one that was entered while deploying the new VMSS-otp flag = SIC key to establish connectivity to the VMSS gateway. It should also match parameter that was entered while provisioning the new VMSS.

e. Enable similar software Blades on new VMSS than the ones on old VMSS template configuration.

f. Now that the VMSS has been deployed in Azure and the new template configuration is set on the Check Point Management Server, let’s see the magic happen :)

From the Management Server, tail –f /var/log/CPcme/cme.log to witnessg. Discovery of the new VMSS gateways

h. SIC establishment with new VMSS gateways

i. Push Policy and VMSS gateways configuration completion


EXERCISE 5: CHANGE EXTERNAL & INTERNAL LOAD BALANCER RULES BACKEND POOLIn this exercise we will change the frontend & backend load balancer pool with the newly created backend pool (which we created in exercise 1) with the 2 newly provisioned VMSS instances as target.

a. From the Azure Portal, select Load balancers --> frontend-lb/backend-lb --> load balancing rules

b. In the load balancing rules, switch the backend pool from the old pool which contains the old VMSS instance in R80.20 to the new Checkpoint VMSS instances in R80.30

c. Shut down the old VMSS instances from Azure portal --> Virtual Machine Scale Sets --> Select the old VMSS --> Stop


d. At this point the new VMSS instances should be handling traffic. You can test inbound traffic flow using the frontend load balancer public IP --> test server in the backend subnets.


e. If test is successful, you can now delete the old VMSS instancesNOTE: DO NOT delete the entire resource group where the old VMSS belonged, as it may still contain the VNET and load balancers which are still being used.

f. Delete old VMSS template configuration from Management Server

g. Delete the old backend pools for both frontend & backend load balancers.

Repeat the same steps for backend load balancer.

After cleaning up the old VMSS instances, load balancers backend pools and deleting old autoprovision template configuration, we should be left with and R80.20 Management + R80.30 gateways in SmartConsole.


This concludes the upgrade procedure from Checkpoint R80.20 VMSS--> R80.30 VMSS


word template - community.checkpoint.com€¦ · web viewhow to upgrade a cloudguard scaleset...

Documents