Planning Your Check Point Deployment
This topic provides an overview of the provisioning process and describes deployment considerations for the Megaport Virtual Edge (MVE).
| You Provide | Megaport Provides |
|---|---|
| Internet connection from branch | Platform to host virtual security instances |
| Check Point CloudGuard deployed at branch | Complete connection from a branch to any destination on the Megaport network and interoperation with other Megaport products and services |
| Customer premises equipment (CPE) installed in branch | Megaport Internet connection to terminate the tunnel between MVE and CPE at branch via internet |
| Check Point CloudGuard software license to use on Megaport SDN | Access to the Megaport ecosystem |
Deployment considerations
This section provides an overview of the MVE deployment options and features.
Note
Check Point’s architecture is different from many other firewall vendors.
Check Point uses a central Security Management Server (Policy Server) to manage and configure its Security Gateways, including MVEs. The Security Management Server defines security policies and distributes them to gateways, which then enforce those policies.
Initial access and management
- Use vNIC 0 for initial communication with the device.
- Configure vNIC 0 as untagged to allow first-time administrative login.
- Check Point firewalls disable Internet Control Message Protocol (ICMP) by default. You cannot use ping or other ICMP-based tools to verify connectivity immediately after deployment.
- After the MVE is live, log in using SSH or HTTPS.
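Because ping is unavailable, a TCP connection attempt to the SSH and HTTPS ports is a practical way to confirm that vNIC 0 is reachable. The following is an added example, not Megaport or Check Point tooling; the function names are hypothetical, the ports assume the default SSH (22) and HTTPS (443) listeners, and the address is supplied on the command line.

```python
import socket
import sys

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt: 'open', 'refused' or 'no-response'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed, a service is listening
    except ConnectionRefusedError:
        return "refused"          # a reset came back: the path works, the port is closed
    except OSError:
        return "no-response"      # timeout, no route, or name lookup failure

def check_management(host, ports=(22, 443), timeout=3.0):
    """Probe the management ports; any answer at all shows the path is up."""
    states = {port: probe_tcp(host, port, timeout) for port in ports}
    return {
        "ports": states,
        "host_reachable": any(s != "no-response" for s in states.values()),
        "can_log_in": any(s == "open" for s in states.values()),
    }

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_mve.py <vNIC 0 address>")
    result = check_management(sys.argv[1])
    for port, state in result["ports"].items():
        print(f"tcp/{port}: {state}")
    sys.exit(0 if result["can_log_in"] else 1)
```

A `no-response` result on both ports points to routing, the untagged vNIC 0 setting, or an instance that is still booting, whereas `refused` means packets reach the device but the service is not yet listening.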
Policy and advanced configuration
- Use Check Point Smart Console for advanced configuration and policy management. You must fully configure the Smart Console before you can create or publish firewall policies.
- Deploy a Management Gateway (Security Management Server) to define and distribute firewall policies. You can deploy the Management Gateway in any CSP environment.
For information about automating Check Point CloudGuard deployments, see CloudGuard Network Security - How to configure cloud-init automation and How to provide user data in KVM with Configuration Drive.
Network and Security Vendors
MVE integrates with Check Point CloudGuard to deliver advanced threat prevention and secure, policy-based traffic routing between your network and cloud environments.
For more information about supported NFVs on the MVE platform, see the Megaport Virtual Edge (MVE) product page.
The MVE is an on-demand, vendor-neutral Network Function Virtualization (NFV) platform that provides virtual infrastructure for network services at the edge of Megaport’s global software-defined network (SDN). Network technologies such as SD-WAN and NGFW are hosted directly on Megaport’s global network via Megaport Virtual Edge.
MVE locations
For a list of global locations where you can connect to an MVE, see Megaport Virtual Edge Locations.
Sizing your MVE instance
The instance size determines the MVE capabilities, such as how many concurrent connections it can support.
When choosing an MVE instance size, keep in mind these items:
- Any increase in the network data stream load can degrade performance. For example, establishing secure tunnels with IPsec, adding traffic path steering, or using deep packet inspection (DPI) can affect the maximum throughput speed.
- Future plans to scale the network.
To check which MVE instance sizes are available for your deployment, use the Megaport Portal during the MVE setup process. Instance size availability depends on both the selected vendor and the deployment location, and might vary accordingly. The Megaport Portal displays the sizes that are available for your selected vendor and location.
To check the MVE instance sizes in the Megaport Portal
- In the Megaport Portal, go to the Services page.
- Click Create MVE.
- Select Check Point CloudGuard Network.
- Select the software version.
- Click Next.
- Select an MVE location.
  Select a location geographically close to your target branch and/or on-premises locations.
  You can use the Search field to find the Port name, Country, Metro City, or address of your destination Port. You can also filter by diversity zone.
- A list of available instance sizes appears based on the selected location. Available sizes are highlighted in green and labeled Available. The sizes support varying numbers of concurrent connections, and individual partner product metrics vary slightly.
Note
If the MVE size you want is not in the list, then there is not enough capacity at the selected location. You can either select another location with enough capacity or contact your Account Manager to discuss requirements.
What if I need more MVE capacity in the future?
To increase your MVE capacity, you have these options:
- You can provision another MVE instance, add it to your overlay network, and split the workload between the two MVEs.
- You can provision a larger MVE instance, add it to your overlay network, migrate connections from the old MVE to the new larger MVE, and then retire the old MVE.
You can adjust the Megaport Internet bandwidth at any time without having to tear down the virtual machine.
Security
MVE provides secure connectivity between your branch locations and cloud or data center destinations via the Megaport SDN. Check Point CloudGuard instances hosted on MVE inspect, secure, and control traffic across Megaport’s private network backbone. Traffic stays encrypted and policy-enforced from edge to destination.
Licensing
Before creating an MVE in the Megaport Portal, ensure that your user account has ordering permissions. For more information, see Creating an Account.
You also need a valid Check Point CloudGuard license. To obtain or manage a Check Point CloudGuard license, see the Check Point User Center.
VLAN tagging
Megaport uses Q-in-Q to differentiate VXCs and MVEs on a host hardware system. The tenant MVE receives untagged traffic for the internet-facing link, and single-tagged 802.1Q traffic for VXCs toward other destinations on the Megaport network (such as CSP on-ramps or other MVEs). For more information, see Configuring Q-in-Q.
802.1Q tunneling (also known as Q-in-Q or 802.1ad) is a technique used by OSI Layer 2 providers for customers. 802.1ad provides for both an inner and an outer tag whereby the outer (sometimes called S-tag for service provider) can be removed to expose the inner (C-tag or customer) tags that segment the data.
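The tag handling described above can be seen on constructed frames. This is an added example, not Megaport code: the MAC addresses and VLAN IDs 100 and 200 are constructed, and the outer tag is assumed to use the 802.1ad TPID 0x88A8.

```python
import struct

TPID_CTAG = 0x8100            # 802.1Q customer tag (C-tag)
TPID_STAG = 0x88A8            # 802.1ad service tag (S-tag), assumed for the outer tag
TAG_TPIDS = {TPID_CTAG, TPID_STAG}

def build_frame(tags, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet frame; tags = [(tpid, vid), ...], outermost first."""
    frame = bytes.fromhex("02000000000a") + bytes.fromhex("02000000000b")
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload

def parse_vlan_stack(frame):
    """Return (tags, ethertype); tags = [(tpid, pcp, vid), ...], outermost first."""
    offset, tags = 12, []                     # skip destination and source MAC
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated before EtherType")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in TAG_TPIDS:
            return tags, etype                # reached the real payload type
        if offset + 4 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((etype, tci >> 13, tci & 0x0FFF))
        offset += 4

def strip_outer_tag(frame):
    """Remove the outermost tag, exposing whatever tag (if any) sits beneath it."""
    tags, _ = parse_vlan_stack(frame)
    if not tags:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]

def tenant_view(host_frame):
    """Describe the frame as the tenant sees it once the S-tag is gone."""
    tags, _ = parse_vlan_stack(strip_outer_tag(host_frame))
    return "untagged" if not tags else f"802.1Q VLAN {tags[0][2]}"

if __name__ == "__main__":
    internet = build_frame([(TPID_STAG, 100)])                  # internet-facing link
    vxc = build_frame([(TPID_STAG, 100), (TPID_CTAG, 200)])     # VXC traffic
    print("internet link:", tenant_view(internet))
    print("VXC:", tenant_view(vxc))
```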
vNICs
One vNIC is supported for MVE integration with Check Point.