Creating an MVE Integrated with Check Point
This topic describes how to create and configure a Megaport Virtual Edge (MVE) with Check Point.
Note
Check Point’s architecture is different from many other firewall vendors.
Check Point uses a central Security Management Server (Policy Server) to manage and configure its Security Gateways, including MVEs. The Security Management Server defines security policies and distributes them to gateways, which then enforce those policies.
Initial access and management
- Use vNIC 0 for initial communication with the device.
- Configure vNIC 0 as untagged to allow first-time administrative login.
- Check Point firewalls disable Internet Control Message Protocol (ICMP) by default. You cannot use ping or other ICMP-based tools to verify connectivity immediately after deployment.
- After the MVE is live, log in using SSH or HTTPS.
Policy and advanced configuration
- Use Check Point Smart Console for advanced configuration and policy management. You must fully configure the Smart Console before you can create or publish firewall policies.
- Deploy a Management Gateway (Security Management Server) to define and distribute firewall policies. You can deploy the Management Gateway in any CSP environment.
For information about automating Check Point CloudGuard deployments, see CloudGuard Network Security - How to configure cloud-init automation and How to provide user data in KVM with Configuration Drive.
Basic steps
This section summarizes the configuration steps using the Megaport Portal. Detailed procedures follow this basic step summary.
The basic steps are:
- Obtain a license from Check Point.
- Create the Check Point MVE in the Megaport Portal. Check Point’s architecture is different from many other firewall vendors as it uses a central Security Management Server (Policy Server) to manage and configure its Security Gateways.
- Ensure that the connection has been established on the Check Point portal.
Generating an SSH key pair
You connect your MVE through a public/private SSH key pair to establish a secure connection. The public SSH key allows you to use SSH to access the MVE.
Megaport supports the 2048-bit RSA key type.
To generate an SSH key pair (Linux/Mac OSX)
- Enter the SSH keygen command in the terminal.
ssh-keygen -f ~/.ssh/megaport-mve-instance-1-2048 -t rsa -b 2048
The key generator command creates an SSH key pair and adds two files to your ~/.ssh directory:
- megaport-mve-instance-1-2048 - contains the private key.
- megaport-mve-instance-1-2048.pub - contains the public key that is authorized to log in to the vendor account.
To generate an SSH key pair (Windows, using PuTTYgen)
- Open PuTTYgen.
- In the Key section, choose RSA 2048 bit and click Generate.
- Move your mouse randomly in the small screen to generate the key pairs.
- Enter a key comment to identify the key.
This is convenient when you use several SSH keys.
- Enter a Key passphrase, and re-enter to confirm.
The passphrase is used to protect your key. You will be asked for it when you connect via SSH.
- Click Save private key, choose a location, and click Save.
- Click Save public key, choose a location, and click Save.
You’ll copy and paste the contents of the public key file in the Megaport Portal later to distribute the public key to the MVE. Your private key will match the public key to grant access. Only a single private key has access to the MVE for SSH access.
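The following added example (not part of the original page, and not Megaport or Check Point code) reads a public key in either the one-line OpenSSH format that ssh-keygen writes or the RFC 4716 format that PuTTYgen's Save public key writes, and returns the key type and RSA modulus size so you can confirm the key is the 2048-bit RSA type before pasting it into the Portal. The function names are hypothetical, and the sample key is constructed with a dummy modulus.

```python
import base64

def wire_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        if len(blob) - pos < 4 + n:
            raise ValueError("truncated public key blob")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def key_blob(text):
    """Return (declared type or None, decoded blob) for either file format."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()] or [""]
    if "PRIVATE KEY" in lines[0] or lines[0].startswith("PuTTY-User-Key-File"):
        raise ValueError("private key file: paste only the public key")
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):  # RFC 4716 (PuTTYgen)
        body, continued = [], False
        for ln in lines[1:]:
            if continued or ":" in ln:  # header line or its continuation
                continued = ln.endswith("\\")
            elif not ln.startswith("----"):  # skip the END marker
                body.append(ln)
        return None, base64.b64decode("".join(body), validate=True)
    parts = lines[0].split()  # OpenSSH: "<type> <base64> [comment]"
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    return parts[0], base64.b64decode(parts[1], validate=True)

def inspect_public_key(text):
    """Return (key type, RSA modulus bits or None) read from the key blob."""
    declared, blob = key_blob(text)
    fields = wire_fields(blob)
    key_type = fields[0].decode("ascii") if fields else ""
    if declared not in (None, key_type):
        raise ValueError("declared type does not match key blob")
    if key_type != "ssh-rsa" or len(fields) != 3:
        return key_type, None
    return key_type, int.from_bytes(fields[2], "big").bit_length()

def constructed_key(bits):
    """Constructed sample blob with a dummy modulus; not a usable key."""
    def mpint(i):
        return i.to_bytes(i.bit_length() // 8 + 1, "big")
    parts = (b"ssh-rsa", mpint(65537), mpint((1 << (bits - 1)) | 1))
    raw = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return base64.b64encode(raw).decode()
```

For a key generated with either procedure above, inspect_public_key(open(path).read()) should return ("ssh-rsa", 2048).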
Creating an MVE in the Megaport Portal
When creating an MVE, select a location that supports the MVE and is in a compatible metro area for your network design. You can connect multiple locations to an individual MVE. For more information about location details, see Planning Your Deployment.
You can deploy multiple MVEs within the same metropolitan area for redundancy or capacity reasons.
To create an MVE
- In the Megaport Portal, go to the Services page.
- Click Create MVE.
- Select Check Point CloudGuard Network.
- Select the software version.
The MVE will be configured to be compatible with that version of Check Point CloudGuard.
- Click Next.
- Specify the MVE details:
- Location – Select the MVE location.
Select a location geographically close to your target branch and/or on-premises locations.
The country you choose must be a market in which you have already registered.
If you haven’t registered a billing market in the location where you will deploy the MVE, follow the procedure in Enabling Billing Markets.
You can use the Search field to find the Port name, Country, Metro City, or address of your destination Port. You can also filter by diversity zone.
- Diversity Zone – Select a diversity zone.
You can select either Red or Blue, or select Auto and have Megaport select the zone for you. The selected or allocated diversity zone will be displayed on the location details through the rest of the provisioning, and on the Summary page at the end.
For more information, see MVE Diversity.
- Size – Select a size from the list of available sizes. Available sizes are highlighted in green and labeled Available. The sizes support varying numbers of concurrent connections, and individual partner product metrics vary slightly.
Note
If the MVE size you want is not in the list, then there is not enough capacity at the selected location. You can either select another location with enough capacity or contact your Account Manager to discuss requirements.
- Minimum Term – Select No Minimum Term, 12 Months, 24 Months, or 36 Months. Longer terms result in a lower monthly rate. 12 Months is selected by default. Take note of the information on the screen to avoid early termination fees (ETF).
Enable the Minimum Term Renewal option for services with a 12, 24, or 36-month term to automatically renew the contract at the same discounted price and term length at the end of the contract. If you don’t renew the contract, at the end of the term, the contract will automatically roll over to a month-to-month contract for the following billing period, at the same price, without term discounts.
For more information, see MVE Pricing and Contract Terms.
- Click Next.
- Specify the Check Point CloudGuard-specific settings:
- Admin Password – Specify a temporary administrator password that you will use to access the virtual device. The password must be a minimum of 8 characters and include:
- 1 uppercase character (A-Z)
- 1 lowercase character (a-z)
- 1 number (0-9)
- 1 symbol
Store the admin password securely and do not share it with anyone. You can reset the admin password at the first login into the configured device.
Note
Megaport does not store customer passwords.
- SSH Key – Copy and paste the contents of your public SSH key here. You can find the public key in the megaport-mve-instance-1-2048.pub file generated earlier.
- Virtual Interfaces (vNICs) – Each Check Point MVE is configured with one vNIC named Data Plane. To change the name, type over the name text in the box. You can also change the vNIC name later, after the MVE has been deployed.
- Megaport Marketplace – By default, each service is private to your enterprise and consumes services from the Megaport network for your own internal company, team, and resources. When set to private, the service is not searchable in the Megaport Marketplace; however, others can still connect to you using a service key. Megaport Marketplace visibility is controlled on your Megaport Marketplace profile. For more information about how to make your service visible to the Megaport Marketplace, see Adding services to your profile.
- Click Next.
- Specify optional settings:
- MVE Name – Enter a name for the MVE that is easily identifiable, particularly if you plan on provisioning more than one. This name appears in the Megaport Portal.
The MVE name is auto-generated based on the location name and shown on the Summary page. You can override it by entering your own.
- Service Level Reference (optional) – Specify a unique identifying number for your Megaport service to be used for billing purposes, such as a cost center number, unique customer ID, or purchase order number. The service level reference number appears for each service under the Product section of the invoice. You can also edit this field for an existing service.
- Resource Tags – You can use resource tags to add your own reference metadata to a Megaport service.
To add a tag:
- Click Add Tags.
- Click Add New Tag.
- Enter details into the fields:
- Key – string maximum length 128. Valid values are a-z 0-9 _ : . / \ -
- Value – string maximum length 256. Valid values are a-z A-Z 0-9 _ : . @ / + \ - (space)
- Click Save.
If you already have resource tags for that service, you can manage them by clicking Manage Tags.
Warning
Never include sensitive information in a resource tag. Sensitive information includes commands that return existing tag definitions and information that will identify a person or company.
- Confirm the configuration and pricing on the Summary page.
The monthly rate is based on location and size.
- Click Add MVE.
You are prompted to create a Megaport Internet connection. A Megaport Internet connection provides connectivity and allows MVE to register and communicate with Check Point CloudGuard. The overlay network is created and maintained by Check Point CloudGuard to provide secure tunnels from the branch locations.
To create the Megaport Internet connection
- Click Create Megaport Internet to proceed (recommended), or click Not now to provision internet access at a later time.
Note
The MVE requires internet connectivity on the management plane virtual interface. You can either provision a Megaport Internet connection or configure a third-party internet connection using a private VXC. We strongly recommend that you create a Megaport Internet connection for the initial MVE startup and deployment to ensure that the MVE is provisioned and functioning correctly.
- Select the target Port (the internet router).
The B-End of a Megaport Internet connection can be anywhere that Megaport Internet is available.
You can use the Search field to find the Port name, Country, Metro City, or address of your destination Port. You can also filter by diversity zone.
- Click Next.
- Specify the connection details:
- Connection Name – The name of your Megaport Internet connection to be shown in the Megaport Portal.
- Service Level Reference (optional) – Specify a unique identifying number for your Megaport service to be used for billing purposes, such as a cost center number, unique customer ID, or purchase order number. The service level reference number appears for each service under the Product section of the invoice. You can also edit this field for an existing service.
Tip
Use the same Service Level Reference numbers for the Megaport Internet connection and MVE to help identify the matching pair in your invoice.
- Rate Limit – The speed of your connection in Mbps. The rate limit is configurable starting from 20 Mbps and can scale to several Gbps or more, in 1 Mbps increments. Available speed tiers might vary by location and service type. You can change the speed as needed after you create the Megaport Internet connection. Monthly billing details appear based on location and rate limit.
- VXC State – Select Enabled or Shut Down to define the initial state of the connection. For more information, see Shutting Down a VXC for Failover Testing.
Note
If you select Shut Down, traffic will not flow through this service and it will behave as if it was down on the Megaport network. Billing for this service will remain active and you will still be charged for this connection.
- Preferred A-End VLAN (optional) – Click Untag to remove VLAN tagging and allow first-time administrative login to the device.
- Minimum Term – Select No Minimum Term, 12 Months, 24 Months, or 36 Months. Longer terms result in a lower monthly rate. 12 Months is selected by default. Take note of the information on the screen to avoid early termination fees (ETF).
Enable the Minimum Term Renewal option for services with a 12, 24, or 36-month term to automatically renew the contract at the same discounted price and term length at the end of the contract. If you don’t renew the contract, at the end of the term, the contract will automatically roll over to a month-to-month contract for the following billing period, at the same price, without term discounts.
For more information, see Megaport Internet Pricing and Contract Terms and VXC, Megaport Internet, and IX Billing.
- Resource Tags – You can use resource tags to add your own reference metadata to a Megaport service.
To add a tag:
- Click Add Tags.
- Click Add New Tag.
- Enter details into the fields:
- Key – string maximum length 128. Valid values are a-z 0-9 _ : . / \ -
- Value – string maximum length 256. Valid values are a-z A-Z 0-9 _ : . @ / + \ - (space)
- Click Save.
If you already have resource tags for that service, you can manage them by clicking Manage Tags.
Warning
Never include sensitive information in a resource tag. Sensitive information includes commands that return existing tag definitions and information that will identify a person or company.
- Click Next to proceed to the connection detail summary.
- Click Add VXC to order the connection.
- Click Review Order in the Configured Services area.
- If you have a promotional code, click Add Promo Code, enter it, then click Add Code.
- Click Order Now.
Ordering MVE provisions the appliance and assigns IP addresses from the Megaport SDN. The MVE provisioning takes only a few minutes to complete. The provisioning process spins up a Check Point CloudGuard instance.
Next steps
Once the MVE is provisioned with an Active status, the next step is to connect a VXC to a Cloud Service Provider (CSP), a local port, or a third-party network. You can optionally connect a physical Port to the MVE through a private VXC or connect to a service provider in the Megaport Marketplace.
For more information, see Creating a VXC.