Check Point CloudGuard IaaS - Azure

24 Launches
Solution Overview
Welcome to the WWT ATC Check Point CloudGuard IaaS - Azure on-demand environment. 
This lab allows you to gain hands-on experience with the Check Point CloudGuard IaaS - Azure solution. It can also be used for the testing and validation of tactical maneuvers, such as deployment strategies, rollout plans, and integrations.

Please find the Lab Guide at the bottom of this page for walk through and steps to complete this lab.

Welcome to Check Point CloudGuard for Microsoft Azure test drive!
Check Point CloudGuard test drive for Microsoft Azure enables customers to rapidly try out CloudGuard enterprise security gateway features deployed on a virtual instance inside a Microsoft Azure IaaS (Infrastructure as a Service) virtual cloud. This test drive will allow you to experience the capabilities of the CloudGuard gateway in action using a real web server app, simulated attack vectors, and verification of activity in event logs.

Why do I need CloudGuard for Azure when the cloud is already secure?
Check Point CloudGuard allows you to protect your apps and data deployed in Azure. As you may well know, when you deploy a server in Azure configured with a public facing IP (even a private IP with NAT allowing for Internet access), it is exposed to cyber-attacks from the Internet, just like any server deployed in an on-premise environment. Cloud providers provide cost efficient computing resources but only secure the infrastructure layer. Check Point CloudGuard allows you to secure the higher layers (network layer up to application layer) with advanced multi-layer security in order to gain visibility into traffic and threats as well as detect and prevent attacks inside and outside your cloud network and demonstrate compliance. Additionally, a perimeter-based security gateway approach makes it easier to protect multiple virtual machine instances (with unknown security posture, software, and patch levels) in a highly dynamic cloud environment where VMs are constantly spun up and removed. It is the customer’s responsibility to protect their data and apps in the cloud.

Additional Notes
Designed for the dynamic security requirements of cloud deployments, CloudGuard IaaS provides advanced threat protections to inspect traffic entering and leaving private subnets of customer VNETs. 

Fully integrated security features include: Firewall, IPS, Application Control, IPsec VPN, Antivirus, Anti-Bot and SandBlast sandboxing technology.  CloudGuard IaaS integrates with the Azure Security Center, providing the ability to rapidly provision CloudGuard IaaS security gateways in just a few clicks and allowing security alerts from CloudGuard IaaS to be viewed from the Security Center console.

CloudGuard IaaS provides consistent security policy management, enforcement and reporting.

Goals & Objectives

Activities included in this Test Drive
At the end of the test drive, you will have accomplished the following:
  • Remotely access and navigate the SmartConsole management user interface (UI) to
  • provision and monitor the CloudGuard security gateway
  • Enable internet/public facing app (web server) by provisioning a security policy and verify correct operation of the web server
  • Simulate an SQL attack, watch it succeed, and then block the attack by provisioning Intrusion Prevention (IPS) functionality and verify correct operation in the SmartEvent logs
  • Block all access to social networks (i.e. Facebook/LinkedIn/Twitter) by enabling Application and URL Filtering and verify correct operation using SmartEvent logs
  • If you wish to purchase and deploy CloudGuard for Azure immediately in either “PAY as you Go” (PAYG) or “Bring Your Own License” (BYOL) licensing model, please visit the CloudGuard listing on Azure Marketplace which contains ARM templates for rapid single click provisioning and deployment.

A reference architecture is available at:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&s olutionid=sk109360&partition=General&product=CloudGuard

Please note that Check Point CloudGuard is fully integrated with Azure Security Center as well, to automate and orchestrate the deployment. Follow the instructions below to begin your test drive. Enjoy your journey!

Hardware & Software

This test drive will have you working on securing a single tier app environment where tier one is a web server deployed inside Azure cloud behind the Azure load balancer. This simulates a real-world scenario where the web server hosts dynamic content from the cloud but needs to be secured with advance threat protection using a virtual enterprise security gateway.
In this scenario, all inbound/outbound (i.e. North/South) traffic to the web server is secured by the CloudGuard gateway.

You will access the environment using a WWT Windows-based jump host from which you can browse web consoles, open RDP/SSH sessions, etc.
This lab consists of the following hardware and software:

An Azure Virtual Network with the following subnets:
    • A Gateway external subnet (
    • A Gateway internal subnet (
    • A Web Server Subnet (internal1-subnet) (
    • A Windows Machine Subnet (external1subnet (

• Check Point CloudGuard IaaS - Azure Core Platform

Endpoint Devices (3)
  • A Linux machine
  • A Windows machine
  • A Check Point CloudGuard gateway

Client Devices
  • The Linux machine is pre-configured as a web server listening on TCP port 80.
  • The Windows machine is pre-installed with the Check Point SmartConsole (R80.10) Graphical User Interface clients.
  • The Check Point CloudGuard gateway has two interfaces attached to external and internal subnets.
  • The Windows machine is attached to external subnet.
  • The Web Server is attached to the web server subnet.
  • The CloudGuard external network interface has an extra public IP set up to receive HTTP traffic on a dedicated public address and forward it to through the Check Point CloudGuard security gateway to the web server.
  • The Check Point CloudGuard Security gateway is pre-configured with security and Network Address Translation (NAT) policies to receive and forward this traffic.

Components of Lab
This environment can be broken down into essentially three major components: (1) the WWT LAB jump box and the (2) Check Point CloudGuard IaaS – Azure environment.