
CloudGuard Network Security Gateway (BYOL)

Jun 28, 2024
Get Interfaces > Get Interfaces With Topology.
If this warning appears: "Topology and Anti-Spoofing settings that are already defined will be overwritten. By results of this operation that contradict them, if any. Do you want to continue?" Click Yes.
From the Network eth1 window, click Topology and disable Anti-Spoofing.

6. Verify the settings:
   a. To close the window, click OK.
   b. Install policy on the gateway.

To Allow Outbound Traffic

1. Use SmartConsole to connect to your Check Point Security Management Server.
2. Create an Internal Network for the Security VPC: In the right navigation bar, click New > Network….
3. Define Network general properties:
   a. Enter a name for your network (such as Security_network).
   b. In the IPv4 section, insert the Network Address and the Net mask of the Security VPC.
4. Create a NAT rule for the network to hide behind the Security Gateways:
   a. In the Network's object left pane, click NAT.
   b. Check the box: Add automatic address translation rules.
   c. Leave the configuration as default:
      - Translation method: Hide
      - Hide behind the gateway
5. Verify the settings:
   a. To close the window, click OK.
   b. Install policy.

Step 7: Configure VPN

In SmartConsole, create a Network Group object to represent the encryption domain for the gateway. For more information, see the Check Point Security Management Administration Guide for your Management Server version.

1. Create a Network Group object to represent the encryption domain of the gateway:
   a. In SmartConsole, click the Objects menu > Object Explorer.
   b. From the top toolbar, click New > Network Group.
   c. In the Enter Object Name field, enter the desired name.
   d. Click the + icon and select the applicable network objects.
   e. Click OK.
   f. Close the Object Explorer.
2. Edit the Gateway object:
   a. In SmartConsole, from the left navigation panel, click Gateways & Servers.
   b. Double-click the Gateway object. The Gateway Properties window shows.
   c. On the General Properties pane, check the IPSec VPN box.
3. Define your Network Group as the encryption domain of the gateway object:
   a. In SmartConsole, from the left navigation panel, click Gateways & Servers.
   b. Double-click the Gateway object. The Gateway Properties window shows.
   c. In the gateway object left tree, click Network Management > VPN Domain.
   d. Select manually defined.
   e. In the right corner of this field, click the [...] button and select the Network Group object you created in Step 1.
4. Define the VPN community:
   a. In the gateway object left tree, click IPsec VPN.
   b. In the section This Security Gateway participates in the following VPN Communities, select the applicable VPN community.
5. Define the outgoing VPN interface:
   a. In the gateway object left tree, click IPsec VPN > Link Selection.
   b. In the IP Selection by Remote Peer section, select Always use this IP address > Statically NATed IP, and then enter the gateway public IP address.
   c. In the Outgoing Route Selection section:
      i. Click Source IP address settings.
      ii. Select Manual.
      iii. Choose Selected address from topology table.
      iv. Select the private internal object VIP address.
      v. Click OK.
   d. In the Tracking section, select the desired option.
   e. Click OK to close the Gateway Properties window.
6. Configure the VPN Community to use Permanent Tunnels:
   a. In SmartConsole, click the Objects menu > Object Explorer.
   b. In the left tree, clear all boxes except for VPN Communities.
   c. Double-click the VPN community in which this gateway object participates. The VPN Community window shows.
   d. In the left tree, click Tunnel Management.
   e. Select Set Permanent Tunnels.
   f. Select the applicable option.
   g. Click OK to close the VPN Community properties window.
   h. Close the Object Explorer.
7. Install the applicable Access Control Policy on the gateway object.

Testing and Troubleshooting Security Gateway

1. In the AliCloud ECS console, go to the instance and check that the system log finished successfully (the machine is ready to be logged in to).
   Expected output: 'This system is for authorized use only. login'
2. Connect via SSH using the configured SSH key / password.
   a. Check that the user-data script finished successfully by running in Expert mode: 'cat /var/log/alicloud-user-data.log'
      Expected output: 'Finished user data.'
   b. Check that both interfaces are configured correctly.
   c. In SmartConsole, check Device & License Information for problems.

Known Limitations

- Alibaba Disk Encryption is not supported.
- CloudGuard Controller is not supported for Alibaba cloud.
- Traffic travels freely in the subnet and security VPC without inspection.

Advanced threat prevention security for Alibaba and hybrid cloud environments, with Threat Extraction and Threat Emulation