CP R77.30 Gateway For OpenStack AdminGuide
OpenStack
R77.30
Administration Guide
21 May 2015
Protected
© 2015 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the
latest functional improvements, stability fixes, security enhancements and protection against
new and evolving attacks.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:[email protected]?subject=Feedback on Security Gateway for
OpenStack R77.30 Administration Guide).
Revision History
Date Description
Configure the Gateway instance as a Security Gateway. You can then connect from a Security Management
Server that is not in the cloud, over the Internet, to the Security Gateway. Alternatively, configure the
Gateway as a Security Gateway and Security Management Server (a standalone deployment). You can
then connect from a SmartConsole over the Internet to the Security Management Server.
Security Gateway for OpenStack Administration Guide R77.30 | 6
The Check Point Security Gateway inspects all traffic to and from the Internet, and protects servers that are
connected to the "internal" network.
In this Section:
Creating a Security Group ........................................................................................ 7
Creating the Internal Network ................................................................................... 7
Creating the Internal Subnet ..................................................................................... 7
Creating the Internal Gateway Port........................................................................... 8
Allowing Traffic from the Internet through the Internal Gateway Port ....................... 8
Creating the External Gateway Port ......................................................................... 8
Allowing Traffic from the Internal Network through the External Gateway Port ....... 8
Adding a Route to the Internal Network .................................................................... 9
$ neutron security-group-create \
--description 'A permissive security group to be applied to the gateway' \
gateway-security-group
$ neutron security-group-rule-create \
--direction ingress \
--remote_ip_prefix 0.0.0.0/0 \
gateway-security-group
$ neutron subnet-create \
--name internal-subnet \
--allocation_pool start=INTERNAL-START,end=INTERNAL-END \
--gateway INTERNAL-GATEWAY-ADDRESS \
internal \
INTERNAL-SUBNET-CIDR
$ neutron port-create \
--name internal-gw-port \
--fixed-ip ip_address=INTERNAL-GATEWAY-ADDRESS \
--security-group gateway-security-group \
internal
$ neutron port-update \
internal-gw-port \
--allowed_address_pairs type=dict list=true mac_address=$int_port_mac,ip_address=0.0.0.0/0
$ neutron port-create \
--name external-gw-port \
--fixed-ip ip_address=EXTERNAL-GATEWAY-ADDRESS \
--security-group gateway-security-group \
external
$ neutron port-update \
external-gw-port \
--allowed_address_pairs type=dict list=true mac_address=$ext_port_mac,ip_address=INTERNAL-SUBNET-CIDR
$ neutron router-update \
router1 \
--routes type=dict list=true nexthop=EXTERNAL-GATEWAY-ADDRESS,destination=INTERNAL-SUBNET-CIDR
$ glance image-create \
--name Check-Point-R77.30-image \
--disk-format qcow2 \
--container-format bare \
--file Check_Point_R77.30_for_OpenStack.qcow2
$ cinder create \
--display-name R77.30-volume \
--image-id $image_id 50
Wait for the new volume to become available. Monitor the status of the volume in the Web UI, or by running
this command line:
$ nova boot \
--flavor 2048MiB-50GiB-1CPU \
--key-name KEY-NAME \
--image Check-Point-R77.30-image \
--block-device id=$volume_id,source=volume,dest=volume,size=50 \
--nic port-id=$external_gw_port_id \
--nic port-id=$internal_gw_port_id \
--config-drive=true \
R77.30-instance
2. Run the first time wizard. See Configuring the Check Point Gateway (on page 11).
(config_system -s 'install_security_gw=true&install_ppak=true&install_security_managment=true&install_mgmt_primary=true&install_mds_primary=false&mgmt_admin_name=MANAGEMENT-ADMIN-USERNAME&mgmt_admin_passwd=MANAGEMENT-ADMIN-PASSWORD&mgmt_gui_clients_radio=any&ipstat_v4=manually&ipaddr_v4=INTERNAL-GATEWAY-ADDRESS&masklen_v4=EXTERNAL-GATEWAY-MASKLEN&default_gw_v4=EXTERNAL-GATEWAY-ADDRESS&ipstat_v6=off' ; shutdown -r now &)
$ nova boot \
--flavor 2048MiB-50GiB-1CPU \
--key-name KEY-NAME \
--image Check-Point-R77.30-image \
--block-device id=$volume_id,source=volume,dest=volume,size=50 \
--nic port-id=$external_gw_port_id \
--nic port-id=$internal_gw_port_id \
--user-data USER-SCRIPT \
--config-drive=true \
R77.30-instance
Several minutes after you configure the Check Point gateway for the first time, you can use the Gaia WebUI
to configure your Gateway.
Note - The host IP address and the default route are set automatically. Do not change them.
Note - You can also automate the first time configuration. To do that, refer to sk69701
http://supportcontent.checkpoint.com/solutions?id=sk69701.
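To generate USER-SCRIPT rather than hand-edit the config_system one-liner, the following is an added example (not the guide's or Check Point's own code). It builds the `config_system -s` string from a dictionary in the parameter order the page uses and refuses values that would break the string: `&` or `=` would split the key=value list, a quote would end the shell argument, a newline would end the command. The page shows no escaping rule for `config_system -s`, so the code assumes there is none. The `#!/bin/bash` line and the sample addresses and credentials are assumptions made here, not values from the guide.

```python
import ipaddress

# Parameters in the order the page's one-liner uses them.
PARAM_ORDER = [
    "install_security_gw", "install_ppak", "install_security_managment",
    "install_mgmt_primary", "install_mds_primary", "mgmt_admin_name",
    "mgmt_admin_passwd", "mgmt_gui_clients_radio", "ipstat_v4",
    "ipaddr_v4", "masklen_v4", "default_gw_v4", "ipstat_v6",
]

# Characters that would split the key=value list, close the single-quoted
# shell argument or end the line. Assumption: config_system -s has no
# escaping mechanism, so such values are rejected rather than encoded.
FORBIDDEN_CHARS = set("&='\"\n\r")


def validate(params):
    """Raise ValueError on anything that would silently miscut the string."""
    unknown = sorted(set(params) - set(PARAM_ORDER))
    if unknown:
        raise ValueError("unknown config_system parameter(s): %s" % ", ".join(unknown))
    for key, value in params.items():
        bad = FORBIDDEN_CHARS & set(str(value))
        if bad:
            raise ValueError("%s contains forbidden character(s) %r" % (key, "".join(sorted(bad))))
        if key.startswith("install_") and value not in ("true", "false"):
            raise ValueError("%s must be 'true' or 'false'" % key)
    if params.get("ipstat_v4") == "manually":
        # IPv4Address raises a ValueError subclass on malformed or missing input
        for key in ("ipaddr_v4", "default_gw_v4"):
            ipaddress.IPv4Address(params.get(key, ""))
        if not 0 <= int(params.get("masklen_v4", "-1")) <= 32:
            raise ValueError("masklen_v4 must be between 0 and 32")
    if params.get("install_mgmt_primary") == "true" and params.get("install_security_managment") != "true":
        raise ValueError("install_mgmt_primary=true needs install_security_managment=true")


def build_config_system(params):
    """The config_system command in the shape the page uses, after validation."""
    validate(params)
    pairs = "&".join("%s=%s" % (key, params[key]) for key in PARAM_ORDER if key in params)
    return "config_system -s '%s'" % pairs


def build_user_data(params):
    """USER-SCRIPT body: the wizard, then the backgrounded reboot in a subshell
    exactly as the page writes it. The shebang line is an assumption."""
    return "#!/bin/bash\n(%s ; shutdown -r now &)\n" % build_config_system(params)


def rejects(params):
    """True if the parameter set is refused (used to show the failure mode)."""
    try:
        build_config_system(params)
    except ValueError:
        return True
    return False


# Constructed sample: a standalone deployment on one /24 (addresses are
# documentation-range placeholders, not values from the guide).
STANDALONE = {
    "install_security_gw": "true", "install_ppak": "true",
    "install_security_managment": "true", "install_mgmt_primary": "true",
    "install_mds_primary": "false",
    "mgmt_admin_name": "cpadmin", "mgmt_admin_passwd": "s3cr3t-Pass",
    "mgmt_gui_clients_radio": "any",   # as on the page: any address may run SmartConsole
    "ipstat_v4": "manually", "ipaddr_v4": "203.0.113.10", "masklen_v4": "24",
    "default_gw_v4": "203.0.113.1", "ipstat_v6": "off",
}

if __name__ == "__main__":
    print(build_user_data(STANDALONE))
    print("password with '&' rejected:", rejects(dict(STANDALONE, mgmt_admin_passwd="a&b")))
```

Write the returned text to a file and pass that file as USER-SCRIPT to `nova boot --user-data`; the admin password ends up in the config drive, so restrict who can read the instance metadata and rotate the password after the first login.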
$ neutron floatingip-create \
--port-id $external_gw_port_id \
public \
| awk '/ floating_ip_address /{print $4}'
Note - It can take a few minutes after the launch of an instance before the system log is available
on the OpenStack Console.
To get the SSH public key fingerprints of the Gateway from the OpenStack Console:
1. Open an SSH client.
2. Run:
$ nova console-log R77.30-instance | grep '^ec2:'
Note the fingerprint strings. One of these fingerprints will match the key fingerprint that is presented when
making an SSH connection to the Gateway for the first time.
To connect to the Gateway instance over ssh:
1. Run:
$ ssh admin@GATEWAY-FLOATING-IP
The address GATEWAY-FLOATING-IP is the public IP address that was associated with the Gateway in
Associating a Public Address with the Gateway Instance (on page 12).
2. Compare the fingerprint that the SSH client presents with the fingerprint strings from the console log.
Accept the key only if one of them matches; if none does, the key was not produced by the Gateway instance
you launched, so do not continue the connection.
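The comparison in step 2 can be done by a script instead of by eye. The following is an added example, not code from the guide or from Check Point: it takes the public key the Gateway presents (a line of `ssh-keyscan GATEWAY-FLOATING-IP` output or a known_hosts entry), computes the MD5 colon-hex and SHA256 base64 fingerprints the way OpenSSH does, and checks them against every fingerprint on the `ec2:` lines of `nova console-log`. The sample key and console lines are constructed, and the `ec2: <bits> <fingerprint> <comment> (<TYPE>)` line shape is an assumption, since the page shows only the `ec2:` prefix.

```python
import base64
import hashlib
import re
import struct

# Assumed shape of a fingerprint line in the console log (the guide shows only
# the "ec2:" prefix): bits, fingerprint, free-text comment, key type in
# parentheses, e.g.
#   ec2: 256 SHA256:xxxx  root@gw (ED25519)
#   ec2: 256 a1:b2:...:ff  root@gw (ED25519)
FP_LINE = re.compile(r"^ec2:\s+(?P<bits>\d+)\s+(?P<fp>\S+)\s+.*\((?P<type>[A-Z0-9]+)\)\s*$")

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-")


def parse_public_key(line):
    """Return (key_type, blob) from an OpenSSH public-key line.

    Accepts authorized_keys style ("ssh-ed25519 AAAA... comment") and
    ssh-keyscan style ("host ssh-ed25519 AAAA..."), where the first field is
    the host. ssh-keyscan's "# host:22 ..." comment lines are rejected.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("not a public-key line: %r" % line)
    fields = line.split()
    if not fields[0].startswith(KEY_TYPE_PREFIXES):
        fields = fields[1:]  # drop the leading hostname
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError("not a public-key line: %r" % line)
    return fields[0], base64.b64decode(fields[1])


def fingerprints(blob):
    """Both forms OpenSSH prints: MD5 as colon-separated hex, SHA256 as
    unpadded base64 with the "SHA256:" prefix. Both hash the raw key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": md5_fp, "sha256": "SHA256:" + sha}


def console_fingerprints(console_log):
    """Every fingerprint string found on an 'ec2:' fingerprint line."""
    found = set()
    for line in console_log.splitlines():
        m = FP_LINE.match(line)
        if m:
            found.add(m.group("fp"))
    return found


def host_key_matches_console(pubkey_line, console_log):
    """True only if the key presented over SSH is one the console log advertised."""
    _, blob = parse_public_key(pubkey_line)
    fps = fingerprints(blob)
    seen = console_fingerprints(console_log)
    return fps["md5"] in seen or fps["sha256"] in seen


# --- constructed sample data, not taken from a real Gateway -----------------

def _fake_ed25519_key(seed):
    """An ssh-ed25519 wire blob around 32 deterministic bytes. The bytes are
    not a real curve point; fingerprints only hash the encoded blob."""
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " admin@gw"


GATEWAY_KEY = _fake_ed25519_key(b"gateway")
ROGUE_KEY = _fake_ed25519_key(b"someone-in-the-middle")

# What `nova console-log R77.30-instance | grep '^ec2:'` might print for
# GATEWAY_KEY (constructed; a real log also carries RSA and ECDSA lines).
_gw_fps = fingerprints(parse_public_key(GATEWAY_KEY)[1])
SAMPLE_CONSOLE_LOG = "\n".join([
    "ec2: #############################################################",
    "ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----",
    "ec2: 256 %s  root@gw (ED25519)" % _gw_fps["md5"],
    "ec2: 256 %s  root@gw (ED25519)" % _gw_fps["sha256"],
    "ec2: -----END SSH HOST KEY FINGERPRINTS-----",
    "ec2: #############################################################",
])

if __name__ == "__main__":
    # In real use, pass a line of `ssh-keyscan GATEWAY-FLOATING-IP` output.
    print("gateway key trusted:", host_key_matches_console(GATEWAY_KEY, SAMPLE_CONSOLE_LOG))
    print("rogue key trusted:  ", host_key_matches_console(ROGUE_KEY, SAMPLE_CONSOLE_LOG))
```

Run the check before the first `ssh admin@GATEWAY-FLOATING-IP`, and only add the key to known_hosts when it returns True; the console log is fetched through the OpenStack API, so it is a second channel that an attacker on the path to the floating IP does not control.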