11:15-12:00 Azure-Lab
12:00-13:00 Lunch
13:00-17:00 Azure-Lab
https://aka.ms/pciresponsibilitymatrix
[Diagram: Enterprise deployment managed from one console; application ("APP") workloads protected by the Check Point blades Application Control, Firewall, URL Filtering, Anti-Virus, IPS, Threat Emulation and Anti-Bot]
• Site-to-Site VPN
• SSL/Client VPN
[Diagram: VPC and customer datacenter (IoT sensor, Management Server) connected to several Azure VNets (10.0.0.0/16), each with an Internet gateway and some with an ExpressRoute gateway]
PROS
• Traditional design
• Can use “External” and “Internal” in threat policy
• No need to add NIC per subnet
[Diagram: VNets connected via ExpressRoute and vNET Peering]
• Deployment can be single/cluster
• Configure Check Point VPN to AWS VGW using BGP for redundancy
• Using firewall vendor’s centralized management solution for VPN
[Diagram: Production VPC and Staging VPC, each with firewalls (FW) in AZ1 and AZ2, joined in a full mesh VPN over the Internet WAN and managed centrally]
©2017 Check Point Software Technologies Ltd.
Clustering
• 2 members only and must be in same Availability Zone
• AWS API calls to move private IP addresses and change routing tables – requires IAM role
• Can take up to 40 sec
• Internal load balancer can be used for outgoing proxy
[Diagram: Instances in Private subnet 1 (Availability Zone 1) and Private Subnet 2 (Availability Zone 2)]
Pros
• Free
• Integrated with platform
• No infrastructure to manage
Cons
• Basic layer 4 packet filter/ACL
• Platform specific – no central management
• Basic management, reporting and visibility
Pros
• Can be more granular
• Scales with instances
• Minimal platform interaction
Cons
• Application dependencies
• Performance and management overhead
• Lack of separation of duties
• No access control
• Lack scalability
• Some platforms cannot install agent
WAF
• L7 protection
• Custom application protection
NGFW
• L4-L7 protection
• User access control
• VPN, Anti-Bot, Anti-malware
• Pay As You Go licensing embeds license in image
• Deploying via ISO and upload is not supported
• CloudFormation/ARM templates can be modified by end user
• AWS IAM and Azure Service Principal are used as authentication for cluster script to call cloud APIs
• vSEC Pay As You Go is a per-hour license
• Subnets cannot span across AWS Availability Zones
• System Routes in Azure cannot be modified
• Gateways and management in public cloud are 77.30 and above
• Open-Server licensing is not available for the vSEC gateway
• All blades are available in vSEC public cloud
• Standalone deployments are supported
• vSEC controller for Azure can use Azure Active Directory or Service Principal for authentication
• A Virtual Network/VPC can replicate on-premise network security design using subnets
• There is no layer 2 in the cloud – it is all layer 3 only
• There is only 1 CIDR per Azure virtual network
• You can configure NAT for VMs in AWS by adding public IPs to the external NIC
• Additional public IP addresses for Azure cluster are added on the load balancer
• There is no console access in public cloud
• vSEC controller is R80 management and above
• There is only 1 Internet Gateway per VPC in AWS
• You can use Powershell or Portal to deploy Azure gateways
• You cannot modify the local route in AWS VPC