CP CloudGuard Network For Azure GWLB VMSS AdminGuide

The document is a deployment guide for Check Point CloudGuard Network for Azure Gateway Load Balancer Virtual Machine Scale Sets (GWLB VMSS), detailing prerequisites, configuration steps, and operational guidelines. It emphasizes the importance of using the latest software for security and functionality, and provides a comprehensive overview of the components, scaling events, and traffic flow within the Azure environment. Additionally, it includes a revision history and feedback section to improve documentation quality.

03 February 2025

CLOUDGUARD
NETWORK FOR AZURE
GATEWAY LOAD
BALANCER VIRTUAL

Deployment Guide

Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check
Point Certifications page.

Check Point CloudGuard Network for Azure Gateway Load Balancer Virtual
Machine Scale Sets (GWLB VMSS) Deployment Guide

Latest Version of this Document in English


Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.

CloudGuard Network for Azure Gateway Load Balancer Virtual Machine Scale Sets (GWLB VMSS) Deployment
Important Information

Revision History

| Date | Description |
|---|---|
| 21 May 2023 | Updated "Limitations" on page 27 |
| 10 May 2023 | Updated "Step 4: Deploy the Check Point VMSS and the Gateway Load Balancer and Assign the Microsoft Entra ID Application" on page 17 |
| 17 April 2023 | Removed Public Preview Disclaimer |
| 26 January 2023 | Improved formatting and document layout |
| 13 November 2022 | Replaced icons |
| 03 April 2022 | Updated "Step 5: Chaining external Load Balancers" on page 20; removed a limitation related to outbound traffic inspection |
| 03 January 2022 | Removed a limitation related to the Azure Preview Portal; removed a limitation related to when Implied Rules are disabled (starting from CME take 175) |
| 29 November 2021 | Added a known limitation when Implied Rules are disabled; added Microsoft Azure known limitations; added traffic flow animated GIF |
| 04 November 2021 | Added a new configuration step "Chaining external Load Balancers"; updated deployment instructions for Public Preview; updated "Step 3: Configure the Check Point Security Management Server" on page 16 |
| 02 November 2021 | First release of this document |

Table of Contents
Introduction to Gateway Load Balancer
Introduction to Virtual Machine Scale Sets (VMSS)
Prerequisites
Scale In and Scale Out Events
  Scale Out
Components of the Check Point Deployed Solution
Network-Diagram
Traffic flow explanation
Configurations Steps
  Step 1: Create a Microsoft Entra ID and Service Principal
  Step 2: Install the Check Point Security Management Server
    Deploying a Security Management Server in Azure
    Deploying a Security Management Server on-premises
  Step 3: Configure the Check Point Security Management Server
  Step 4: Deploy the Check Point VMSS and the Gateway Load Balancer and Assign the Microsoft Entra ID Application
  Step 5: Chaining external Load Balancers
  Step 6: Automatic Rule Placement (Optional)
CloudGuard Solution Upgrade
Deploying a Security Management Server in Azure
Limitations
Glossary

Introduction to Gateway Load Balancer
Gateway Load Balancer (LB) is a type of Load Balancer which enables high performance and
high availability scenarios for a network virtual appliance (NVA) like a next-generation firewall
or security gateway. It lets Azure customers deploy, scale, and manage NVAs quickly and
easily. Additionally, it enables transparent NVA insertion in a network path.
Gateway LB uses a technology called VXLAN, "a network virtualization technology that
attempts to address the scalability problems related to large cloud computing deployments" for
the communication between the Load Balancer and the cloud network security gateway.

A Standard Azure LB forwards the traffic through a VXLAN tunnel to the new Gateway LB.
Gateway LB encapsulates the traffic, so there is no change to the original traffic, and the
security gateway decapsulates it. As a result, the security gateway can see the original source
of the traffic. The source and destination operate without knowledge of having a Gateway LB in
the path - making service chaining a reality.
On the return traffic, the Standard LB removes the VXLAN encapsulation and forwards this as
usual.
The primary benefits of Gateway LB are the ease and speed of deployment, the cost efficiency while scaling NVAs up and down, improved network availability and flow symmetry, no need for complex and frequent manual route configurations, and destination applications that see the original source.

Introduction to Virtual Machine Scale Sets (VMSS)
Virtual Machine Scale Sets (VMSS) are an Azure compute resource you can use to deploy and manage sets of identical Virtual Machines (VMs). A Scale Set increases or decreases the number of Virtual Machines based on the current needs.
For example, multiple web servers serve a web application. The web servers are deployed
across multiple fault and update domains. A Load Balancer distributes network traffic across
this group of web servers as needed.
In the current cyber landscape, it is very important that you protect these environments from
attackers with a security solution that is as scalable as the resources it protects. As the number
of resources you protect scales up or down, the number of Security Gateways that provide
protection has to scale too.

Azure Auto Scale is set up to increase or decrease the number of Check Point CloudGuard
Network Security Gateways that protect your environment in the VMSS. A Check Point
Security Management Server manages these Check Point CloudGuard Security Gateways.
You can locate the Check Point Security Management Server in Azure, or on-premises.

Note - When you create a virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. It is also necessary to decide how your VMs are intended to be accessed on the VNet. It is important to plan before you create resources and to make sure you understand the limits of networking resources.

Prerequisites
Make sure you are familiar with these topics:

| Vendor | Topics |
|---|---|
| Microsoft Azure | VMSS; Autoscaling; Gateway Load Balancer; Identity and access management |
| Check Point | Check Point Security Management and Security Gateway R81.10 and Higher; Check Point with Azure; Check Point CME |

Scale In and Scale Out Events


Each VMSS must have Scale In and Scale Out events configured.
You can edit or see the configuration in Azure Portal > VMSS > Scaling.
Default triggers for the firewall VMSS:
- Scale Out on more than 80% CPU usage, for an average of five minutes.
- Scale In on less than 60% CPU usage, for an average of five minutes.

Scale Out
A scale out event occurs if the current load increases. When a scale out event is triggered:
- Azure Autoscale launches one or more new instances of the Check Point CloudGuard Network Security Gateways.
- The new instances of CloudGuard Network Security Gateways automatically run the Check Point First Time Configuration Wizard and then reboot.

During the scale-out, the Check Point Security Management Server detects that new instances of CloudGuard Network Security Gateways have launched. The Security Management Server waits until the CloudGuard Network Security Gateways finish deploying, and then the Security Management Server automatically:
- Initializes a Secure Internal Communication (SIC) channel with these CloudGuard Network Security Gateways.
- Adds 2 VXLAN Bridge Mode interfaces (internal and external).
- Creates automatic Access Rules to allow tunnel traffic between the Gateway Load Balancer and the CloudGuard Network Security Gateways:

| Source | Destination | Services & Applications | Action | Installed on |
|---|---|---|---|---|
| A host that represents the Gateway Load Balancer Frontend IP. | CloudGuard Network Security Gateway | UDP services with the VXLAN tunnel interfaces port numbers (internal & external). | Accept | Policy Targets |

  To control the location of the automatic Access rules, see section "Step 6: Automatic Rule Placement (Optional)" on page 21.
- Installs a Security Policy on these CloudGuard Network Security Gateways.

After a Security Policy installation, these CloudGuard Network Security Gateways start to
respond to health probes. The Load Balancer then starts to forward new connections to them.
The newly created CloudGuard Network Security Gateways report their status and send logs
to the Check Point Security Management Server.

Note -
- Newly provisioned Security Gateways automatically receive the latest published Security Policy. You have to install the policy on the existing Security Gateways to update their Security Policy.
- The system automatically creates and deletes Auto Scaling Security Gateway objects according to the current environment. Therefore, we do not recommend using specific objects in rules or manually editing those objects.
- By default, you can access each Check Point Security Gateway and Security Management Server's Gaia Portal from the Internet at https://<virtual-machine-public-ip>. It is possible to control the access to the Gaia Portal. Configure a Network Security Group, or configure the Check Point Gateway and Management Server settings.
- Updated Virtual Machines:
  1. In case of a scale out event, the system deploys a new virtual machine using the latest available Check Point image.
  2. The system uses Fast Deployment Images (Blink) with a pre-installed Jumbo Hotfix Accumulator.
  For more information, see these SK articles:
  - CloudGuard for Azure Latest Updates - see sk132192.
  - Blink - Gaia Fast Deployment - see sk120193.

Components of the Check Point Deployed Solution
The diagram below depicts an Azure Virtual Network (VNET) with the Check Point solution
deployed.
There is one user deployed VNET - Services VNET with its own external Standard Load
Balancer.

The Check Point deployed solution has these components:
- Security VNET
- Virtual Machine Scale Set (VMSS)
  The number of instances that you can deploy in the Cloud is dynamic.
- Gateway Load Balancer
- VMSS subnet
- Public IP address for each VMSS instance (optional)
- You cannot deploy other VMs in the VMSS subnet

Network-Diagram

Traffic flow explanation

Inbound:

1. The External Load Balancer redirects all packets to the Gateway Load Balancer. The VXLAN tunnel preserves the original source and destination addresses.
2. The Gateway Load Balancer sends the packet to the next healthy CloudGuard Gateway.
3. The CloudGuard Gateway decides whether to forward or drop the packet.
4. The External Gateway Load Balancer sends the inspected packet to the next VM in the Backend Pool.
5. The External Load Balancer redirects reply packets to the Gateway Load Balancer.
6. Symmetrical hashing returns the packet to the original CloudGuard Gateway to keep state.
7. The External Load Balancer sends the return packet to the original source address.

When inbound traffic arrives, the CloudGuard Gateway receives it as follows:

1. VXLAN tunneled traffic with:
   a. Source: The Gateway Load Balancer frontend IP.
   b. Service: UDP services with the VXLAN tunnel interfaces port numbers (internal & external).
   c. Destination: The VMSS instance.
2. Encapsulated traffic with:
   a. Source: Original source.
   b. Service: Original service.
   c. Destination: Original (The Frontend IP of the External Load Balancer).

Note - Traffic flow is the same for Load Balancing rule and Inbound NAT rules.

Outbound:

1. The External Load Balancer receives traffic from a Backend Pool VM. The External Load Balancer redirects all packets to the Gateway Load Balancer. The VXLAN tunnel preserves the original source and destination addresses.
2. The Gateway Load Balancer sends the packet to the next healthy CloudGuard Gateway.
3. The CloudGuard Gateway decides whether to forward or drop the packet.
4. The External Load Balancer sends the request packet to the original destination address.
5. The External Load Balancer redirects the reply packet to the Gateway Load Balancer.
6. Symmetrical hashing returns the packet to the original CloudGuard Gateway to keep state.
7. The External Gateway Load Balancer sends the inspected reply packet to the original source address, a Backend Pool VM.

When outbound traffic arrives, the CloudGuard Gateway receives it as follows:

1. VXLAN tunneled traffic with:
   a. Source: The Gateway Load Balancer frontend IP.
   b. Service: UDP services with the VXLAN tunnel interfaces port numbers (internal & external).
   c. Destination: The VMSS instance.
2. Encapsulated traffic with:
   a. Source: Original source (The Frontend IP of the External Load Balancer).
   b. Service: Original service.
   c. Destination: Original destination.
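
The two layers listed above can be seen by parsing a tunnel packet. The following is an added example, not code from this guide or from Check Point: it builds a constructed VXLAN packet, separates the outer tunnel header from the inner original packet, and rejects anything whose outer layer does not match what the automatic Access rule expects. The UDP ports and VNIs (10800/800 internal, 10801/801 external) are assumed from Azure's documented Gateway Load Balancer defaults, and all addresses and function names are made up for the illustration.

```python
import socket
import struct

# Assumptions (not stated in this guide): tunnel UDP ports and VNIs are
# Azure's documented Gateway Load Balancer defaults; all addresses are constructed.
TUNNELS = {10800: ("internal", 800), 10801: ("external", 801)}
GWLB_FRONTEND = "10.0.1.4"


def ipv4_packet(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_sample(outer_src, outer_dst, udp_dport, vni, inner_src, inner_dst, inner_dport):
    """Constructed sample: outer IPv4/UDP/VXLAN carrying Ethernet/IPv4/TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", 40000, inner_dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    frame = b"\x00" * 12 + b"\x08\x00" + ipv4_packet(inner_src, inner_dst, 6, tcp)
    vxlan = struct.pack("!II", 0x08 << 24, vni << 8)  # I flag set, 24-bit VNI
    udp = struct.pack("!HHHH", 49152, udp_dport, 8 + len(vxlan) + len(frame), 0)
    return ipv4_packet(outer_src, outer_dst, 17, udp + vxlan + frame)


def parse_ipv4(buf):
    """Return (src, dst, protocol, payload) or raise ValueError on malformed input."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    total = struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or total < ihl or total > len(buf):
        raise ValueError("inconsistent IPv4 lengths")
    return socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[9], buf[ihl:total]


def parse_tunnel_packet(pkt):
    """Split a packet into its outer tunnel tuple and inner original tuple."""
    o_src, o_dst, proto, udp = parse_ipv4(pkt)
    if proto != 17 or len(udp) < 16:
        raise ValueError("outer packet is not UDP with a VXLAN header")
    dport = struct.unpack("!H", udp[2:4])[0]
    flags, vni_word = struct.unpack("!II", udp[8:16])
    if not (flags >> 24) & 0x08:
        raise ValueError("VXLAN I flag not set")
    frame = udp[16:]
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("inner frame is not Ethernet/IPv4")
    i_src, i_dst, i_proto, l4 = parse_ipv4(frame[14:])
    has_port = i_proto in (6, 17) and len(l4) >= 4
    i_dport = struct.unpack("!H", l4[2:4])[0] if has_port else None
    return {"outer": (o_src, o_dst, dport, vni_word >> 8),
            "inner": (i_src, i_dst, i_proto, i_dport)}


def classify(pkt, gwlb_frontend=GWLB_FRONTEND, tunnels=TUNNELS):
    """Return (tunnel name, inner tuple); raise if the outer layer is unexpected."""
    info = parse_tunnel_packet(pkt)
    o_src, _, dport, vni = info["outer"]
    if o_src != gwlb_frontend:
        raise ValueError("outer source is not the Gateway Load Balancer frontend IP")
    if dport not in tunnels or tunnels[dport][1] != vni:
        raise ValueError("UDP port and VNI do not match a tunnel interface")
    return tunnels[dport][0], info["inner"]


# Constructed inbound sample: Internet client -> External Load Balancer frontend.
SAMPLE_INBOUND = build_sample("10.0.1.4", "10.0.1.10", 10801, 801,
                              "198.51.100.7", "203.0.113.20", 443)

if __name__ == "__main__":
    print(classify(SAMPLE_INBOUND))
```

The outer tuple is what the automatic Access rule matches; the inner tuple is what the Security Policy inspects, which is why the gateway still sees the original client address.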

Gateway Load Balancer Frontend Routing Table - User Defined Routes (UDR):

| Name | Destination | Nexthop |
|---|---|---|
| Local-Subnet | Gateway Load Balancer Frontend subnet | Virtual network |
| To-VNet | Gateway Load Balancer VNet: | None (drop) |

Configurations Steps
Step 1: Create a Microsoft Entra ID and Service Principal
With the Microsoft Entra ID (formerly Azure AD) and Service Principal, the Check Point Security Management Server monitors the creation and status of the VMSS, so it can complete the provisioning of these gateways.
From the Azure website, go to Create a Microsoft Entra application and service principal.

Use these parameters:

| Field | Parameter |
|---|---|
| Name | <Application_Name> (example: check-point-autoprovision) |
| Application Type | Web-App / API |
| Sign-on URL | https://localhost/<Application_Name> (example: https://localhost/check-point-autoprovision) |

After you create the application, write down these values (you use them later):
- Application ID
  client_id
- Key value
  client_secret
- Tenant ID
  tenant
- Directory ID

Note - We recommend that you set the key to never expire.

Step 2: Install the Check Point Security Management Server
These steps are required only if you do not have an installed Check Point Security
Management Server.
If you already have the Check Point Security Management Server installed, skip to Step 3.
Requirements for the Check Point Security Management Server:
- Must be Check Point R81.10 and Higher.
- Must start connections to the CloudGuard Network Security Gateways.

Requirements for CloudGuard Network Security Gateways:
- Must be Check Point R81.10 and Higher.
- Have to start connections to the Security Management Server. For example, to send logs.

Deploying a Security Management Server in Azure


Refer to: "Deploying a Security Management Server in Azure" on page 26

Deploying a Security Management Server on-premises


Follow the instructions in the Check Point Installation and Upgrade Guide for your
Management Server version.

Important - Must be Check Point R81.10 and higher.

Step 3: Configure the Check Point Security Management Server
Do these steps to manage the Virtual Machine Scale Sets with the Check Point Security
Management Server:
1. Download, install, and configure the latest Cloud Management Extension.
See Cloud Management Extension Administration Guide.

Note - Azure Gateway Load Balancer is supported starting from CME Take 168.

2. Configure the required Security Policy in SmartConsole.

Important - The name of the policy must exactly match the value that you configured in "Install the Check Point Security Management Server."

Note - By default, you can access each Check Point Security Gateway and Security Management Server's Gaia Portal from the Internet by browsing to http://<virtual-machine-public-ip>. You can restrict access to the Gaia Portal by configuring a Network Security Group, or by configuring the Check Point Security Gateway and Management Server settings.

Step 4: Deploy the Check Point VMSS and the Gateway Load Balancer and Assign the Microsoft Entra ID Application
From the Azure Marketplace, deploy the CloudGuard Network Security - Firewall & Threat
Prevention:
On Plan select CloudGuard Gateway Load Balancer and click Create.
- Use these parameters in the Basic section:

Parameter: Gateway scale set name
Description: The name of the VMSS resource group.

Parameter: Credentials
Description: The public key or username and password for SSH connections to the CloudGuard Network Gateway.

Parameter: Subscription
Description: The Azure subscription, where the VMSS is deployed.

Parameter: Resource group
Description: The Azure Resource Group, where the VMSS is deployed.
Important - The Resource Group must be empty (must not contain any Azure resources).
Note: Resource group name must not contain reserved words based on: sk40179.

Parameter: Location
Description: The location - where the VMSS is deployed.

- Use these parameters in the Check Point VMSS settings section:

Parameter: Are you upgrading your CloudGuard VMSS solution?
Description: Defines if this is a new deployment, or if the function of this deployment is to upgrade an existing VMSS deployment. If this is an upgrade of the CloudGuard VMSS solution, select Yes.
see

Parameter: Initial number of Security Gateways
Description: The minimum number of CloudGuard Network Gateways instances in the VMSS. We recommend a minimum of two.

Parameter: Maximum number of Security Gateways
Description: The maximum number of CloudGuard Network Gateways instances in the VMSS.

Parameter: Management name
Description: The name of the Security Management Server.
Example: my-management
See Cloud Management Extension Administration Guide.

Parameter: Configuration template name
Description: The name of the configuration template from the CME service.
Example: my-configuration-template

Parameter: Administrator email address
Description: The email address of the Administrator responsible for scaling operations, such as the launch of a new gateway, or a gateway termination.

Parameter: Check Point CloudGuard Gateway Load Balancer session persistence
Description: The load balance distribution method for the External Load Balancer - Inbound.
See Configure the distribution mode for Azure Load Balancer.

Parameter: Deploy the VMSS with instance level public IP address
Description: If you select yes, each VMSS instance gets its own public IP address. The Security Management Server can use those IP addresses to manage from the external VNET.
Default value: no.
Important - The value you configure is irreversible.

Parameter: Management interface and IP address
Description: Select which IP address to use as the management interface for the VMSS:
- NIC's private IP address.
- NIC's public IP address - only available if you deploy an Instance Level Public IP (ILPIP) address.
Private: Manage the Gateway VMSS with the private IP address of the instance. The Security Management Server must have access to the private IP addresses. For example, to be in the same/peered VNET. If you use the frontend NIC, you must add a corresponding rule in the Frontend Route Table: Destination & Next Hop: <The private IP address of the Security Management Server>.
Public: Manage the Gateway VMSS with the public IP address of the instance.

Parameter: Number of Availability Zones to use
Description: Defines the Azure Availability Zones for your VMSS:
- None - Do not use Azure Availability Zones.
- 1 - Use Azure zonal redundancy.
- 2 - Use Azure two-zones redundancy (zones [1, 2])
- 3 - Use Azure three-zones redundancy (zones [1, 2, 3])
Notes:
- Only available if you deploy in a supported Azure location.
- Support for Azure Availability Zones is available with template version 20200303 and above.

Parameter: Enable CloudGuard metrics
Description: Enables CloudGuard metrics to allow VMSS instances to send statuses and statistics to the Azure Monitor service. If the CloudGuard metrics are enabled in the VMSS deployment, then:
- A System Assigned Managed Identity is created and assigned the "Monitoring Metrics Publisher" role for the VMSS Resource Group.
- The CloudGuard metrics agent starts to send metrics each minute.
- The CloudGuard metrics are sent to the Azure Monitor resource immediately after the VMSS deployment is completed.
To show the CloudGuard metrics, from the VMSS view click Monitoring -> Metrics -> Metric Namespace -> "cloudguard".

- Use these parameters in the Network settings section:

Parameter: Network setting
Description: A pre-existing Virtual Network and subnets, or the name of a new Virtual Network and subnets, where the VMSS is deployed.
Note: When you use a pre-existing subnet:
- Make sure no other Virtual Machines are deployed in those subnets.
- Make sure to correctly configure user defined routes (UDR) for the subnet (see the "Scale In and Scale Out Events" on page 8).
- Make sure that an NSG is associated with the frontend subnet that allows all inbound and outbound TCP and UDP traffic.

Assign the Azure Active Directory application as described in Add a minimum role of Reader to
the VMSS and the VNET. See Assign application to role.
For more about Managed identities, see the Azure documentation overview.

Step 5: Chaining external Load Balancers


After steps 1-4 are finished, CME provisions the CloudGuard Network Security Gateways
(according to the "Initial number of Security Gateways" value in step 4). When the provisioning
process is finished, you can chain your application to the Gateway Load Balancer.
You can chain these Azure resources to a Gateway Load Balancer:
1. Standard Public Load Balancer frontend IP configuration

2. Standard Public IP configuration


To enforce inbound & outbound inspection it is necessary to make sure:

1. All traffic to/from your application is routed using the above resources.
2. Each of the above resources is chained to the Gateway Load Balancer.

Chaining a Standard Public Load Balancer (external):


1. From the Azure Portal, go to the Load Balancer you want to chain.
2. Click on Frontend IP Configuration.
3. In the Gateway Load Balancer section, select the Gateway Load Balancer created in
step 4.
4. Click Save.

Note - If the Load Balancer has more than one frontend IP Configuration (for example
one for inbound and one for outbound), make sure to chain all of them.

Chaining a Virtual Machine with Standard Public IP:


1. From the Azure Portal, go to the Public IP resource you want to chain.
2. Click on properties.
3. Click on the Network Interface below Associated to.
4. Click on IP configuration.
5. In the Gateway Load Balancer section, select the Gateway Load Balancer created in
step 4.
6. Click Save.
As your application is chained to the Gateway Load Balancer, all traffic to and from the
application is inspected first by the CloudGuard Network Security Gateways.
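
Because inspection depends on every frontend IP configuration and every public IP being chained, a periodic check of the resource definitions is useful. The following is an added example, not part of this guide or of Check Point tooling: it audits JSON shaped like the output of `az network lb show` and `az network nic show` and reports entries that are not chained to the expected Gateway Load Balancer frontend. The field names are an assumption about that output shape, and every resource ID and name in the sample is a constructed placeholder.

```python
# Constructed placeholder ID for the Gateway Load Balancer frontend created in step 4.
GWLB_FE = ("/subscriptions/SUB-ID/resourceGroups/rg-security/providers/"
           "Microsoft.Network/loadBalancers/frontend-lb/"
           "frontendIPConfigurations/gwlb-frontend")

# Constructed sample shaped like `az network lb show -o json` (assumed field names).
SAMPLE_LB = {
    "name": "app-lb",
    "frontendIPConfigurations": [
        {"name": "inbound-fe", "gatewayLoadBalancer": {"id": GWLB_FE}},
        # Second frontend used for outbound rules, left unchained by mistake.
        {"name": "outbound-fe", "gatewayLoadBalancer": None},
    ],
}

# Constructed sample shaped like a list of `az network nic show -o json` results.
SAMPLE_NICS = [
    {"name": "web1-nic", "ipConfigurations": [
        {"name": "ipconfig1",
         "publicIPAddress": {"id": "/placeholder/publicIPAddresses/web1-pip"},
         "gatewayLoadBalancer": None}]},
    {"name": "web2-nic", "ipConfigurations": [
        {"name": "ipconfig1", "publicIPAddress": None, "gatewayLoadBalancer": None}]},
    {"name": "jump-nic", "ipConfigurations": [
        {"name": "ipconfig1",
         "publicIPAddress": {"id": "/placeholder/publicIPAddresses/jump-pip"},
         "gatewayLoadBalancer": {"id": GWLB_FE.upper()}}]},
]


def chain_problem(config, expected_id):
    """Return None when the configuration is chained to expected_id, else a reason."""
    ref = (config.get("gatewayLoadBalancer") or {}).get("id")
    if not ref:
        return "not chained"
    # Azure resource IDs compare case-insensitively.
    if ref.lower() != expected_id.lower():
        return "chained to a different Gateway Load Balancer"
    return None


def audit_load_balancer(lb, expected_id):
    """Check every frontend IP configuration of a Standard Load Balancer."""
    findings = []
    for frontend in lb.get("frontendIPConfigurations") or []:
        reason = chain_problem(frontend, expected_id)
        if reason:
            findings.append((f"{lb['name']}/{frontend['name']}", reason))
    return findings


def audit_nics(nics, expected_id):
    """Check NIC IP configurations that carry a public IP address.

    IP configurations without a public IP are skipped: their traffic goes
    through the Load Balancer frontends, which audit_load_balancer() covers.
    """
    findings = []
    for nic in nics:
        for ipcfg in nic.get("ipConfigurations") or []:
            if not ipcfg.get("publicIPAddress"):
                continue
            reason = chain_problem(ipcfg, expected_id)
            if reason:
                findings.append((f"{nic['name']}/{ipcfg['name']}", reason))
    return findings


def audit(load_balancers, nics, expected_id):
    """Combined report for all application Load Balancers and NICs."""
    findings = []
    for lb in load_balancers:
        findings.extend(audit_load_balancer(lb, expected_id))
    findings.extend(audit_nics(nics, expected_id))
    return findings


if __name__ == "__main__":
    for resource, reason in audit([SAMPLE_LB], SAMPLE_NICS, GWLB_FE):
        print(f"{resource}: {reason}")
```

Any finding is a path on which traffic reaches or leaves the application without passing the CloudGuard Network Security Gateways.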

Load Balancer notes:


1. For Virtual Machines in a Load Balancer backend pool, outbound inspection is enforced
only if they do not have a Public IP associated with them.
2. Back end Pool Configuration - NIC (recommended by Azure).
3. Load Balancing Rules outbound source network address translation (SNAT) options:

| Option | Notes |
|---|---|
| (Recommended) Use outbound rules to provide backend pool members access to the Internet | Requires you to set an outbound rule. (Best practice). |
| Use implicit outbound rule. This is not recommended because it can cause SNAT port exhaustion | You use the frontend IP address of a load balancer for outbound and inbound and are more prone to connectivity failures from SNAT port exhaustion. |

Step 6: Automatic Rule Placement (Optional)


As a part of each CloudGuard Network Security Gateway provisioning process, the Security
Management Server creates automatic Access rules to allow tunnel traffic between the
Gateway Load Balancer and the CloudGuard Network Security Gateway. By default the
automatic Access rules are created at the top of the rulebase. Sometimes it is recommended
to add the rules in a specific place in the policy rather than at the top.
You can achieve this by creating a section for these rules in SmartConsole, and specifying the
section name in CME configuration. To do so, follow these steps:

1. In SmartConsole, in the applicable Security Policy, create a New Section:


a. To create a New Section, right-click below a rule number.
b. Select Create New Section, click Below.
c. Name the New Section and make sure to record the name.
2. Connect to command line on the Security Management Server.
3. Log in to the Expert mode.
4. Run this command:

autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -secn <SECTION-NAME>

5. Replace <CONFIGURATION-TEMPLATE-NAME> with the configuration template name used in "Step 4: Deploy the Check Point VMSS and the Gateway Load Balancer and Assign the Microsoft Entra ID Application" on page 17 (for example, my-configuration-template).
6. Replace <SECTION-NAME> with the name of the section created in step 1.
If the section is specified in the configuration template, but not found in the rule base, the rules
are added at the top by default.

Note - The changes above occur only for new VMSS instances. The existing rules
stay the same.

Change section name:

To change the section in which new automatic Access rules are added, run:

autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -secn <SECTION-NAME>

Remove section name:

To add the new automatic Access rules to the top of the rulebase, run:

autoprov_cfg delete template -tn <CONFIGURATION-TEMPLATE-NAME> -secn

CloudGuard Solution Upgrade


This section provides instructions for upgrading an already deployed CloudGuard Gateway
Load Balancer VMSS solution.
The upgrade procedure includes these steps:
1. Deploying a new version of the CloudGuard Gateway Load Balancer VMSS solution
alongside the older version (a side-by-side upgrade).
2. Reconfiguring Azure resources and Check Point configuration to use this new version of
the CloudGuard Gateway Load Balancer VMSS solution.
3. Deleting the older version of the CloudGuard Gateway Load Balancer VMSS solution.

Note:
- Do not upgrade the CloudGuard Gateway Load Balancer VMSS solution to get newer images of the same Check Point CloudGuard version. During each Scale Out operation, an instance with the latest available image for the current version deploys automatically.
- Make sure your current Security Management Server or Multi-Domain Security Management Server is compatible with the newer CloudGuard Gateway Load Balancer VMSS version you are deploying.

Terms:
- Source - The original template and solution (with the lower version)
- Target - The new template and solution (with the higher version)

To upgrade the CloudGuard Gateway Load Balancer VMSS solution:

Step Description

1 Log in to the Azure portal.

2 Open the resource group of the source CloudGuard Gateway Load


Balancer VMSS solution.

3 For the Gateway Load Balancer ("frontend-lb"):


1. Create an empty backend pool.
2. Get the new backend pool's resource ID and write it down for
future reference.
3. Add a new Frontend IP Configuration.

CloudGuard Network for Azure Gateway Load Balancer Virtual Machine Scale Sets (GWLB VMSS) Deployment
Configurations Steps

Step Description

4 Deploy a target CloudGuard Gateway Load Balancer VMSS solution


from the Azure Marketplace. To do this:
a. On the Basics tab, fill in the fields based on the Deployment
Guide.

b. On the Check Point VMSS settings tab:

i. Select "Yes" in "Are you upgrading your CloudGuard


VMSS solution?"

ii. Use the same Security Management Server name as for the
source CloudGuard Gateway Load Balancer VMSS solution.

iii. Use a different configuration template name than in the


source CloudGuard Gateway Load Balancer VMSS solution.

iv. Enter the saved resource ID (from Step 3).

v. Enter name of the related backend pool (from Step 3).

c. On the Check Point CloudGuard settings tab, fill in the fields


based on the Deployment Guide.

d. On the Network settings tab, use the same network settings


(VNET and subnets) as for the source CloudGuard Gateway Load
Balancer VMSS solution.

e. On the Tags tab, fill in the fields based on the Deployment Guide.

5 Add a new Load Balancing Rule:


1. Protocol: All, Frontend Port: 0, Backend Port: 0.
2. Backend Pool: The backend pool that you created in Step 3.
3. Frontend IP: The Frontend IP that you created in Step 3.
4. Associate with: The VMSS that you deployed in Step 4.


6 Configure the CME template.
For this, run:

    autoprov_cfg add template -tn "<Template-Name>" -otp "<SIC-key>" -ver <Version> -po "<Policy-Name>"

7 Wait for provisioning to complete and for the policy to install on the new
CloudGuard VMSS instances.

8 To use the new backend pools, change the Standard Load Balancer to
point to the new Frontend IP configuration.

9 Note - In this step, all open connections on the source CloudGuard Gateway Load Balancer VMSS are closed.

Shut down the source CloudGuard Gateway Load Balancer VMSS and make sure that traffic flows correctly.

10 Note - Before proceeding, make sure the target VMSS handles all traffic (inbound, outbound, East-West) as expected.

Delete the CME template of the source CloudGuard Gateway Load Balancer VMSS.
For this, run:

    autoprov_cfg delete template -tn "<Template-Name>"

11 Delete the corresponding VMSS resource.

Important - Do NOT delete the resource group of the source CloudGuard Gateway Load Balancer VMSS, as it can contain the VNET resource and Load Balancers currently in use.

12 Remove the backend pools referencing the source VMSS from the
Gateway Load Balancer.


Deploying a Security Management Server in Azure
To deploy a Security Management Server in Azure:
1. From the Azure Marketplace, deploy this solution to create a Check Point Security
Management Server:
Check Point Security Management Server.
2. Select the Check Point Security Management software plan.

Important - Must be Check Point R81.10 and higher.

Use these parameters:
- Server name - The name of the Security Management Server.
- Credentials - The SSH public key, or the SSH password to manage the server.
- Subscription - The Azure subscription, where you deploy the servers.
- Resource Group - The name of the Resource Group, where you deploy the server.
- Location - The Azure location, where you deploy the server.
- Network setting - A pre-existing Virtual Network and its subnets, or a name of a new Virtual Network and subnets, where you deploy the server.
- Virtual Machine size - The size of the Security Management Server Virtual Machine.
- Storage setting - The name of an existing or new storage account that the Security Management Server uses.
- Allowed GUI clients - IP addresses (in CIDR notation) of the allowed SmartConsole, Gaia Portal and SSH clients.
3. This template deploys the Management Server in the selected subnet.
When the management instance starts, it automatically executes its own Gaia First Time
Configuration Wizard.
This can take up to 30 minutes.
4. Follow the instructions in "Step 3: Configure the Check Point Security Management Server"
on page 16.


Limitations
1. This solution uses Bridge Mode on Gaia OS and its limitations apply. See sk101371 for
details.
2. This solution uses Virtual Extensible LAN (VXLAN) and its limitations apply. See
sk170014 for details.
3. Anti-Spoofing is disabled for the VMSS instance interfaces and you must not enable it.
4. All Load Balancing rules pointing to a specific VMSS must have the same Frontend IP
Configuration.
5. Changing the Gateway Load Balancer Tunnel Interfaces port or ID is not supported.

6. Creating a VMSS environment with a name for the Load Balancer that is different from
the default ("frontend-lb" or "backend-lb") is not supported.
7. For Gateway Load Balancer (Preview) limitations, see this Microsoft article.
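
One way to check a Gateway Load Balancer against Step 5 of the upgrade procedure and Limitations 4 and 6 before cutting traffic over, as an added example that is not part of the Check Point guide. It assumes the load balancer definition is JSON shaped like `az network lb show` output; every resource name and ID in the sample is constructed.

```python
"""Audit a Gateway Load Balancer definition against Step 5 and Limitations 4 and 6."""
import re
from collections import defaultdict

# Default Load Balancer names listed in Limitation 6.
SUPPORTED_LB_NAMES = {"frontend-lb", "backend-lb"}
# A VMSS NIC ipConfiguration ID embeds the scale set name (assumed ID layout).
VMSS_RE = re.compile(r"/virtualMachineScaleSets/([^/]+)/", re.IGNORECASE)


def last_segment(resource_id):
    """Return the final path segment of an Azure resource ID."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def pool_members(lb):
    """Map each backend pool name to the set of VMSS names with NICs in it."""
    members = {}
    for pool in lb.get("backendAddressPools", []):
        ids = (cfg.get("id", "") for cfg in pool.get("backendIPConfigurations") or [])
        members[pool["name"]] = {m.group(1) for m in map(VMSS_RE.search, ids) if m}
    return members


def audit_lb(lb):
    """Return a list of findings; an empty list means no deviation was found."""
    findings = []
    if lb.get("name") not in SUPPORTED_LB_NAMES:
        findings.append(f"lb '{lb.get('name')}': name differs from the supported defaults")
    members = pool_members(lb)
    frontends = defaultdict(set)  # VMSS name -> Frontend IP Configurations in use
    for rule in lb.get("loadBalancingRules", []):
        shape = (rule.get("protocol"), rule.get("frontendPort"), rule.get("backendPort"))
        if shape != ("All", 0, 0):  # Step 5: Protocol All, ports 0
            findings.append(
                f"rule '{rule['name']}': expected Protocol All, Frontend Port 0, Backend Port 0")
        pool = last_segment(rule["backendAddressPool"]["id"])
        frontend = last_segment(rule["frontendIPConfiguration"]["id"])
        vmss_names = members.get(pool, set())
        if not vmss_names:  # rule exists but no VMSS is associated with its pool
            findings.append(f"rule '{rule['name']}': backend pool '{pool}' has no VMSS instances")
        for vmss in vmss_names:
            frontends[vmss].add(frontend)
    for vmss in sorted(frontends):  # Limitation 4: one Frontend IP Configuration per VMSS
        if len(frontends[vmss]) > 1:
            used = ", ".join(sorted(frontends[vmss]))
            findings.append(f"vmss '{vmss}': rules use different Frontend IP Configurations: {used}")
    return findings


# ---- Constructed sample data (not taken from a real subscription) ----
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
LB_ID = RG + "/providers/Microsoft.Network/loadBalancers/frontend-lb"


def nic(vmss, index):
    """Build a constructed VMSS NIC ipConfiguration reference."""
    return {"id": f"{RG}/providers/Microsoft.Compute/virtualMachineScaleSets/{vmss}"
                  f"/virtualMachines/{index}/networkInterfaces/eth0/ipConfigurations/ipconfig1"}


def rule(name, pool, frontend, protocol="All", port=0):
    """Build a constructed load balancing rule."""
    return {"name": name, "protocol": protocol, "frontendPort": port, "backendPort": port,
            "backendAddressPool": {"id": f"{LB_ID}/backendAddressPools/{pool}"},
            "frontendIPConfiguration": {"id": f"{LB_ID}/frontendIPConfigurations/{frontend}"}}


def sample_lb(extra_rules=()):
    """Source and target VMSS side by side, as they are after Step 5."""
    return {
        "name": "frontend-lb",
        "backendAddressPools": [
            {"name": "pool-source", "backendIPConfigurations": [nic("vmss-source", 0)]},
            {"name": "pool-target",
             "backendIPConfigurations": [nic("vmss-target", 0), nic("vmss-target", 1)]},
        ],
        "loadBalancingRules": [
            rule("rule-source", "pool-source", "fe-source"),
            rule("rule-target", "pool-target", "fe-target"),
            *extra_rules,
        ],
    }


if __name__ == "__main__":
    stray = rule("rule-extra", "pool-target", "fe-source", protocol="Tcp", port=443)
    for finding in audit_lb(sample_lb([stray])):
        print(finding)
```

An empty-pool finding is expected between Step 11 and Step 12, when the source VMSS is already deleted but its backend pool has not yet been removed.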


Glossary
A

Anti-Bot
Check Point Software Blade on a Security Gateway that blocks botnet behavior and
communication to Command and Control (C&C) centers. Acronyms: AB, ABOT.

Anti-Spam
Check Point Software Blade on a Security Gateway that provides comprehensive
protection for email inspection. Synonym: Anti-Spam & Email Security. Acronyms: AS,
ASPAM.

Anti-Virus
Check Point Software Blade on a Security Gateway that uses real-time virus signatures
and anomaly-based protections from ThreatCloud to detect and block malware at the
Security Gateway before users are affected. Acronym: AV.

Application Control
Check Point Software Blade on a Security Gateway that allows granular control over
specific web-enabled applications by using deep packet inspection. Acronym: APPI.

ARM
Microsoft® Azure Resource Manager. Technology to administer assets using Resource
Group.

ASN
Autonomous System Number – Special number that is used for BGP.

Audit Log
Log that contains administrator actions on a Management Server (login and logout,
creation or modification of an object, installation of a policy, and so on).

Available Quota
The available license pool quota is the number of unallocated cores.


AWS
Amazon® Web Services. Public cloud platform that offers global compute, storage,
database, application and other cloud services.

AWS Region
In AWS, a geographic area to place resources. Each region has multiple, isolated
locations known as Availability Zones.

AWS VPC
AWS Virtual Private Cloud. A private cloud that exists in the public cloud of Amazon. It is
isolated from other Virtual Networks in the AWS cloud.

Bridge Mode
Security Gateway or Virtual System that works as a Layer 2 bridge device for easy
deployment in an existing topology.

Central License
A Central License is a CloudGuard Security Gateway license. It is deployed and
managed on the Security Management Server or Multi-Domain Server and distributed
from a license pool to all CloudGuard Security Gateways connected to corresponding
Management Servers.

Cisco ACI
Cisco® Application Centric Infrastructure. Comprehensive SDN architecture, policy-
based automation solution for increased scalability through a distributed enforcement
system with greater network visibility. Trademark of Cisco.

Cisco APIC
Cisco® Application Policy Infrastructure Controller. Automation and management point
for the Cisco ACI fabric. It centralizes access to fabric information, optimizes the
application lifecycle for scale and performance, and supports flexible application
provisioning across physical and virtual resources.


Cisco Contract
In Cisco ACI SDN, a policy between Endpoint Groups (EPGs), with one EPG providing
and one EPG consuming, to virtualize a physical network cable connection.

Cisco ISE
Cisco® Identity Services Engine. Provides highly secure network access to users and
devices to streamline security policy management and reduce operating costs.
Trademark of Cisco.

CK
Certificate Keys (CKs) of Central Licenses in the License Pool.

CloudGuard Controller
Provisions SDDC services as Virtual Data Centers that provide virtualized computer
networking, storage, and security.

CloudGuard Gateway
Check Point Virtual Security Gateway that protects dynamic virtual environments with
policy enforcement. CloudGuard Gateway inspects traffic between Virtual Machines to
enforce security, without changing the Virtual Network topology.

Cluster
Two or more Security Gateways that work together in a redundant configuration - High
Availability, or Load Sharing.

Cluster Member
Security Gateway that is part of a cluster.

Compliance
Check Point Software Blade on a Management Server to view and apply the Security
Best Practices to the managed Security Gateways. This Software Blade includes a
library of Check Point-defined Security Best Practices to use as a baseline for good
Security Gateway and Policy configuration.

Content Awareness
Check Point Software Blade on a Security Gateway that provides data visibility and
enforcement. Acronym: CTNT.


Cores Quota
The Central License Cores Quota is the number of virtual cores the license covers. This
number is specified when the license is purchased. The Central License can be used on
multiple Security Gateways up to the cores quota. The number of cores in a Security
Gateway determines how many cores that Security Gateway uses from the Central
License cores quota.

CoreXL
Performance-enhancing technology for Security Gateways on multi-core processing
platforms. Multiple Check Point Firewall instances are running in parallel on multiple
CPU cores.

CoreXL Firewall Instance
On a Security Gateway with CoreXL enabled, the Firewall kernel is copied multiple
times. Each replicated copy, or firewall instance, runs on one processing CPU core.
These firewall instances handle traffic at the same time, and each firewall instance is a
complete and independent firewall inspection kernel. Synonym: CoreXL FW Instance.

CoreXL SND
Secure Network Distributer. Part of CoreXL that is responsible for: Processing incoming
traffic from the network interfaces; Securely accelerating authorized packets (if
SecureXL is enabled); Distributing non-accelerated packets between Firewall kernel
instances (SND maintains global dispatching table, which maps connections that were
assigned to CoreXL Firewall instances). Traffic distribution between CoreXL Firewall
instances is statically based on Source IP addresses, Destination IP addresses, and the
IP 'Protocol' type. The CoreXL SND does not really "touch" packets. The decision to stick
to a particular FWK daemon is done at the first packet of connection on a very high level,
before anything else. Depending on the SecureXL settings, and in most of the cases, the
SecureXL can be offloading decryption calculations. However, in some other cases,
such as with Route-Based VPN, it is done by FWK daemon.

CPUSE
Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can
automatically update Check Point products for the Gaia OS, and the Gaia OS itself.

DAIP Gateway
Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway, on which the
IP address of the external interface is assigned dynamically by the ISP.


Data Center
Virtual centralized repository, or a group of physical networked hosts, Virtual Machines,
and datastores. They are collected in a group for secured remote storage, management,
and distribution of data.

Data Loss Prevention
Check Point Software Blade on a Security Gateway that detects and prevents the
unauthorized transmission of confidential information outside the organization. Acronym:
DLP.

Data Type
Classification of data in a Check Point Security Policy for the Content Awareness
Software Blade.

Default Pool
A pool created by the first Central License that is added with the Central License tool.
The pool type is defined based on the blades package of the first added Central License.
CloudGuard Security Gateways automatically receive licenses from that pool. When all
licenses in the Default License Pool are removed, a random pool is set as a default.
When there are multiple pools, the user can select the default license pool.

Distributed Deployment
Configuration in which the Check Point Security Gateway and the Security Management
Server products are installed on different computers.

Dynamic Object
Special object type, whose IP address is not known in advance. The Security Gateway
resolves the IP address of this object in real time.

Endpoint Policy Management
Check Point Software Blade on a Management Server to manage an on-premises
Harmony Endpoint Security environment.

Expert Mode
The name of the elevated command line shell that gives full system root permissions in
the Check Point Gaia operating system.


Gaia
Check Point security operating system that combines the strengths of both
SecurePlatform and IPSO operating systems.

Gaia Clish
The name of the default command line shell in Check Point Gaia operating system. This
is a restricted shell (role-based administration controls the number of commands
available in the shell).

Gaia Portal
Web interface for the Check Point Gaia operating system.

GCP
Google® Cloud Platform is a suite of products and services that includes hosting, cloud
computing, database services and more.

GCP Project
GCP Projects form the basis for creating, enabling, and using all Cloud Platform
services. This includes managing APIs, enabling billing, adding and removing
collaborators, and managing permissions for Cloud Platform resources.

GCP Regions and Zones
A region is a specific geographical location where you can run resources. Each region
has one or more zones.

GCP VPC Network
A Virtual Private Cloud is a global private isolated Virtual Network partition that provides
managed networking functionality for your GCP resources.

Generic Data Center
The Generic Data Center is an object that points to a JSON file on an external server that
contains the IP addresses that you want to access. This way, when the Generic Data
Center object is used in a policy, SmartConsole can retrieve the IP information from the
JSON file as necessary.


Hotfix
Software package installed on top of the current software version to fix a wrong or
undesired behavior, and to add a new behavior.

HTTPS Inspection
Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets
Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection.
Acronyms: HTTPSI, HTTPSi.

ICA
Internal Certificate Authority. A component on Check Point Management Server that
issues certificates for authentication.

Identity Awareness
Check Point Software Blade on a Security Gateway that enforces network access and
audits data based on network location, the identity of the user, and the identity of the
computer. Acronym: IDA.

Identity Logging
Check Point Software Blade on a Management Server to view Identity Logs from the
managed Security Gateways with enabled Identity Awareness Software Blade.

ILB
Internal Load Balancer, used to load balance traffic in a virtual network.

Internal Network
Computers and resources protected by the Firewall and accessed by authenticated
users.

IoT Cloud Adapter
IoT Cloud Adapters are connectors between IoT devices and cloud platforms. IoT
adapters deliver data from the device to the cloud platform that stores it.


IPS
Check Point Software Blade on a Security Gateway that inspects and analyzes packets
and data for numerous types of risks (Intrusion Prevention System).

IPsec VPN
Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and
Remote Access VPN access.

Jumbo Hotfix Accumulator
Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA.

Kerberos
An authentication server for Microsoft Windows Active Directory Federation Services
(ADFS).

Kubernetes
Kubernetes is a portable, extensible, open-source platform for managing containerized
workloads and services that facilitates both declarative configuration and automation.

License Pool
A License Pool is a group of CloudGuard Central Licenses with the same blades and
valid contracts. A Security Management Server or Multi-Domain Server can have
multiple license pools. Each pool is defined by:
- Pool Type
- Total Quota
- Available Quota
- Certificate Keys
- Subscribed Security Gateways

Log Server
Dedicated Check Point server that runs Check Point software to store and process logs.

Logging & Status
Check Point Software Blade on a Management Server to view Security Logs from the
managed Security Gateways.


Management Interface
(1) Interface on a Gaia Security Gateway or Cluster member, through which
Management Server connects to the Security Gateway or Cluster member. (2) Interface
on Gaia computer, through which users connect to Gaia Portal or CLI.

Management Server
Check Point Single-Domain Security Management Server or a Multi-Domain Security
Management Server.

Manual NAT Rules
Manual configuration of NAT rules by the administrator of the Check Point Management
Server.

Microsoft Azure
Collection of integrated cloud services that developers and IT professionals use to build,
deploy, and manage applications through a global network of data centers managed by
Microsoft®.

Mobile Access
Check Point Software Blade on a Security Gateway that provides a Remote Access VPN
access for managed and unmanaged clients. Acronym: MAB.

Multi-Domain Log Server
Dedicated Check Point server that runs Check Point software to store and process logs
in a Multi-Domain Security Management environment. The Multi-Domain Log Server
consists of Domain Log Servers that store and process logs from Security Gateways that
are managed by the corresponding Domain Management Servers. Acronym: MDLS.

Multi-Domain Server
Dedicated Check Point server that runs Check Point software to host virtual Security
Management Servers called Domain Management Servers. Synonym: Multi-Domain
Security Management Server. Acronym: MDS.


Network Object
Logical object that represents different parts of corporate topology - computers, IP
addresses, traffic protocols, and so on. Administrators use these objects in Security
Policies.

Network Policy Management
Check Point Software Blade on a Management Server to manage an on-premises
environment with Access Control and Threat Prevention policies.

Nuage
The Nuage Networks Virtualized Services Platform (VSP) is the industry-leading network
automation platform, enabling a complete range of SDN, SD-WAN, and cloud solutions.

Nutanix
Nutanix is a private and hybrid cloud software provider that offers software for
virtualization, Kubernetes, database-as-a-service, software-defined networking,
security, as well as software-defined storage for file, object, and block storage.

NVA
Network Virtual Appliance - A resource deployed in Azure's Virtual Hub that includes
Security Gateways and other networking infrastructure.

Open Server
Physical computer manufactured and distributed by a company, other than Check Point.

OpenStack
An open source cloud-computing infrastructure for service providers and enterprises. It
includes modules for administration, storage, networking and Virtual Machine
deployment and control.

Oracle Cloud
Oracle Cloud is a cloud computing service offered by Oracle Corporation. It provides
servers, storage, networks, applications, and services through a global network of
Oracle Corporation-managed data centers.


Private Network (L3)
A Layer 3 network that separates routing instances, and can be used as an administrator
separation.

Provisioning
Check Point Software Blade on a Management Server that manages large-scale
deployments of Check Point Security Gateways using configuration profiles. Synonyms:
SmartProvisioning, SmartLSM, Large-Scale Management, LSM.

QoS
Check Point Software Blade on a Security Gateway that provides policy-based traffic
bandwidth management to prioritize business-critical traffic and guarantee bandwidth
and control latency.

Resource Group for Microsoft Azure
Object used in ARM to monitor, control access, provision and manage billing for
collections of assets that are required to run an application, or used by a client or
company department.

Rule
Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause
specified actions to be taken for a communication session.

Rule Base
All rules configured in a given Security Policy. Synonym: Rulebase.

SD-WAN
Software Defined – Wide Area Network (WAN), more information on this solution:
https://www.checkpoint.com/cyber-hub/network-security/what-is-sd-wan/


SDDC
Software-Defined Data Center. Data Center infrastructure components that can be
provisioned, operated, and managed through an API for full automation.

SDN
Software-Defined Network. Virtualization of topology, traffic, and functionality.

SecureXL
Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that
passes through a Security Gateway.

Security Gateway
Dedicated Check Point server that runs Check Point software to inspect traffic and
enforce Security Policies for connected network resources.

Security Group for AWS
Acts as a virtual firewall that controls the traffic for one or more instances in AWS.
Security Groups are associated with network interfaces.

Security Group for VMware NSX
A collection of virtual objects that defines the Distributed Firewall protection policy in
VMware NSX.

Security Management Server
Dedicated Check Point server that runs Check Point software to manage the objects and
policies in a Check Point environment within a single management Domain. Synonym:
Single-Domain Security Management Server.

Security Policy
Collection of rules that control network traffic and enforce organization guidelines for
data protection and access to resources with packet inspection.

Service Graph
Ordered set of function nodes between terminals, which identifies network service
functions required by an application. Required for CloudGuard integration.

Service Manager
Component that manages the communication between Check Point products,
CloudGuard Controller and the VMware NSX, through the VMware REST API.


SIC
Secure Internal Communication. The Check Point proprietary mechanism with which
Check Point computers that run Check Point software authenticate each other over SSL,
for secure communication. This authentication is based on the certificates issued by the
ICA on a Check Point Management Server.

SLB
Software Load Balancer, used to distribute tenant and tenant customer network traffic to
virtual network resources. SLB enables multiple servers to host the same workload,
providing high availability and scalability.

SmartConsole
Check Point GUI application used to manage a Check Point environment - configure
Security Policies, configure devices, monitor products and events, install updates, and
so on.

SmartDashboard
Legacy Check Point GUI client used to create and manage the security settings in
versions R77.30 and lower. In versions R80.X and higher, it is still used to configure
specific legacy settings.

SmartProvisioning
Check Point Software Blade on a Management Server (the actual name is
"Provisioning") that manages large-scale deployments of Check Point Security
Gateways using configuration profiles. Synonyms: Large-Scale Management,
SmartLSM, LSM.

SmartUpdate
Legacy Check Point GUI client used to manage licenses and contracts in a Check Point
environment.

SNAT
Source Network Address Translation (Source NAT)

Software Blade
Specific security solution (module): (1) On a Security Gateway, each Software Blade
inspects specific characteristics of the traffic (2) On a Management Server, each
Software Blade enables different management capabilities.


Standalone
Configuration in which the Security Gateway and the Security Management Server
products are installed and configured on the same server.

Subscribed Security Gateways
All Security Gateways on the Management Server are subscribed to the Default License
Pool (unless configured differently) and get their licenses automatically. The user can
exclude each Security Gateway from the automatic license distribution.

Tenant for ACI
Group of users, to isolate access to resources in Cisco ACI. Also known as Project.

Threat Emulation
Check Point Software Blade on a Security Gateway that monitors the behavior of files in
a sandbox to determine whether or not they are malicious. Acronym: TE.

Threat Extraction
Check Point Software Blade on a Security Gateway that removes malicious content from
files. Acronym: TEX.

Total Quota
The total license pool quota is the sum of all Central Licenses' cores.

Updatable Object
Network object that represents an external service, such as Microsoft 365, AWS, Geo
locations, and more.

URL Filtering
Check Point Software Blade on a Security Gateway that allows granular control over
which web sites can be accessed by a given group of users, computers or networks.
Acronym: URLF.

User Directory
Check Point Software Blade on a Management Server that integrates LDAP and other
external user management servers with Check Point products and security solutions.


Virtual Network
Environment of logically connected Virtual Machines.

VMware ESXi
A VMware® physical hypervisor server that hosts one or more Virtual Machines and
other virtual objects. All references to ESX are also relevant for ESXi unless specifically
noted otherwise.

VMware NSX
VMware NSX is a network virtualization and security platform that enables the virtual
cloud network, a software-defined approach to networking that extends across data
centers, clouds, and application frameworks.

VMware NSX-T
VMware NSX-T is a network virtualization and security platform that builds security into
the network virtualization infrastructure.

VMware NSX Manager
Basic network and security functionality for virtual computer environments. A VMware®
product family for SDN of Virtual Machines on the cloud (previously known as vShield).

VMware vCenter
Centralized management tool for VMware® vSphere. It manages many ESX servers and
Virtual Machines from different ESX servers, from one console application.

VMware vSphere
VMware® cloud computing virtualization operating system. The vSphere Web Client is
the GUI to manage Virtual Machines and their objects.

vNIC
Virtual Network Interface Card. Software-based abstraction of a physical interface that
supplies network connectivity for Virtual Machines.

vsec_lic_cli
The Central License tool (vsec_lic_cli) runs on Management Servers and Multi-Domain
Servers. It deploys and manages licenses for all subscribed Security Gateways. The tool
can be used only in the Expert mode of the Management Server CLI.


vSwitch
A software abstraction of a physical Ethernet switch. It can connect to physical switches
through physical network adapters to join virtual networks with physical networks. It can
also be a Distributed Virtual Switch (dvSwitch), for definition and use on multiple ESXi
hosts.

VSX
Virtual System Extension. Check Point virtual networking solution, hosted on a computer
or cluster with virtual abstractions of Check Point Security Gateways and other network
devices. These Virtual Devices provide the same functionality as their physical
counterparts.

VSX Gateway
Physical server that hosts VSX virtual networks, including all Virtual Devices that provide
the functionality of physical network devices. It holds at least one Virtual System, which
is called VS0.

Zero Phishing
Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides
real-time phishing prevention based on URLs. Acronym: ZPH.
