Advanced Configuration

Configuring the Security Management Server

Important - If you deploy a new Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. with the Transit Gateway template, all configuration is applied automatically. In such case, skip this entire section.

Use these instructions to configure the Transit service, which controls CloudGuard's integration to AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. Endpoints that seamlessly operate the AWS Transit Hub solution.

For examples of other configuration, see Examples of 'autoprov_cfg' Configuration.

Configuring the Auto_Provisioning Automation

There are two options to configure auto_provisioning for the first time on the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.:

Options	Description
Recommended	Configuration with the CloudGuard Auto Scaling Transit Gateway First Time Configuration Wizard
Advanced	Configuring the Security Management Server with the 'autoprov_cfg' Utility

Configuring the Security Management Server with the 'autoprov_cfg' Utility

Important - If you have an existing configuration for different CloudGuard solutions, make sure not to initialize your configuration. Add the Controller or Template for the Transit Gateway solution with the applicable configuration.

This utility configures the Check Point Security Management Server with all the settings needed for Transit:

1. Connect to the command line on the Check Point Security Management Server.

2. Log in to the Expert mode.

3. Run all the commands below.

   Commands and their description:

   • autoprov_cfg init AWS -mn "<MANAGEMENT-NAME>" -tn "<TEMPLATE-NAME>" -otp "<SIC-KEY>" -ver <recommended_version> -po "<POLICY-NAME>" -cn "<CONTROLLER-NAME>" -r "<REGIONS>" -iam

     Initializes configuration with IAM credentials.

     Options:

     • -mn - Specifies the name of the Security Management Server

     • -tn - Specifies the template name

     • -otp - Specifies the one-time SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. password

     • -ver - Specifies the Gateway version

     • -po - Specifies the name of the policy package

     • -cn - Specifies the name of the Controller

     • -r - Specifies the list of regions, separated by commas

     • -iam - Specifies to use IAM to connect to AWS

   • autoprov_cfg set controller AWS -cn "<CONTROLLER-NAME>" -sg -sv -com "<VPN-COMMUNITY-NAMES>" -sn "<SUBACCOUNT-NAME> -ssr <STS-ROLE-ARN>

     Sets Controller with the required attributes for transit.

     Options:

     • -sg - Specifies to scan gateways (enables CME)

     • -sv - Specifies to scan VPN (enables Transit)

     • -com - Specifies the list of VPN communities allowed to be used by this Controller

     • -sn - Specifies the custom name for your sub-account

     • -ssr - Specifies the STS role name of trustee (spoke account)

   • autoprov_cfg set template -tn "<TEMPLATE-NAME>" -vpn -vd "" -con "<VPN-COMMUNITY-NAME>" -dt TGW

     Sets template with the required attributes for transit.

     Options:

     • -vpn - Enables the IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. blade on gateways

     • -vd - Specifies the name of the VPN Domain object

     • -con - Specifies the name of the VPN Community

     • -dt - Specifies the deployment type

   • autoprov_cfg show all

     Shows all the used configurations.

     Run this command to confirm all the configurations are correct.

4. Run this command to test the configuration: service cme test

   Make sure there are no errors.

   If the test ends with any error, see the Troubleshooting section.

Examples of 'autoprov_cfg' Configuration

Learn how to use the autprov_cfg utility to configure different deployment scenarios.

Notes:

• The examples below apply only if you did not run the tgw-menu command. see Note - Steps 1-4 apply only if you did not run the tgw-menu command.

• The CloudGuard Auto Scale is always the primary account.

• In the examples below, replace the bolded variables, with values in your environment.

Configuring the VPN Community with the 'config-community.sh' Script

This script creates a VPN Community with all the settings needed for Transit:

1. Connect to the command line on the Check Point Security Management Server.

2. Log in to the Expert mode.

3. Run:

   /opt/CPcme/menu/additions/config-community.sh "<VPN-COMMUNITY-NAME>"

   Example:

   /opt/CPcme/menu/additions/config-community.sh "Transit-VPN-Community"

Configuring the Multi-Domain Server

To configure the Multi-Domain Server:

Note - Steps 1-4 apply only if you did not run the tgw-menu command.

1. Connect to the command line on the Check Point Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS..

2. Log in to the Expert mode.

3. Execute the autoprov-cfg utility on the Multi-Domain Server. See sk120992.

4. Execute the config-community.sh script on the Multi-Domain Server:

   /etc/fw/scripts/autoprovision/config-community.sh"<VPN-COMMUNITY-NAME>" "<DOMAIN_NAME>"

   Replace the "<DOMAIN_NAME>" with the name of your Domain.

5. Tag the Transit Gateway and its route tables on a Multi-Domain Server.

   On a Multi-Domain Server, you have to indicate the specific Domain, on which Transit has to manage the VPN connection to the spoke VPC.

   Therefore, the tag value structure for the spoke VPC also must have the Domain name.

   Tag Key: x-chkp-vpn

   Tag Value: <MANAGEMENT_NAME>/<DOMAIN_NAME>/<VPN_COMMUNITY_NAME>

   Where:

   • <MANAGEMENT_NAME> - Specifies the name of your Multi-Domain Server. Use the same name you used when you executed the autoprov_cfg command.

   • <DOMAIN_NAME> - Specifies the name of the Domain as defined in the SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

   • <VPN_COMMUNITY_NAME> - Specifies the name of your VPN Community. Use the same name you used when you created the VPN Community

Provisioning CloudGuard Gateways with Private IP addresses from an On-Premises Management Server

AWS Transit Gateway enables your on-premises Management Server to manage the CloudGuard Gateways that are assigned Private IP addresses. See the Architecture section.

Configuring Inbound Auto Scaling through a Transit Gateway

AWS Transit Gateway supports inbound traffic through CloudGuard Auto Scaling Group.

Follow these steps to configure the AWS Transit Gateway:

1. Configure Inbound Auto Scaling on Amazon side.

2. Configure Inbound Auto Scaling on Check Point side.

Configuring Inbound Auto Scaling on Amazon Side

To configure Inbound Auto Scaling on Amazon side:

1. Deploy the CloudGuard Auto Scaling Group in a dedicated VPC. See sk112575 - "Section (4) Configuration".

   Notes:

   • Place the Internal Load Balancer in the spokes VPC with the services you want to get.

   • Deploy the CloudGuard External Load Balancer using the public subnets. Configure the Attachment to the Transit Auto Scaling Group VPC: Create the Attachment to the ASG VPC.

2. Configure the Transit Gateway Attachment to the Transit Auto Scaling Group VPC:

   1. Create the Transit Gateway Attachment to the ASG VPC.

   2. Associate the ASG subnets to a route table.

      The route table must contain a default route to the Internet Gateway and specific routes for the spokes to the Transit Gateway.

      Route 1:

      Destination: <SPOKES_CIDR_INITIAL>

      Target: Transit Gateway ID

      Route 2:

      Destination: 0.0.0.0/0

      Target: Internet Gateway ID

3. In Amazon VPC console, go to the Transit Gateway Route Tables tab.

4. Configure an inbound checkpoint route table to associate the CloudGuard ASG VPC attachment:

   1. Create an inbound checkpoint route table.

   2. Associate the CloudGuard ASG VPC attachment to this route table.

   3. Propagate the route table to the applicable Spoke VPCs for inbound traffic.

      This creates a route from the CloudGuard ASG to the applicable Spoke VPCs.

5. Configure an inbound spokes route table to propagate the applicable Spoke VPCs to the ASG VPC attachment:

   1. Create an inbound spokes route table.

   2. Associate the spoke VPCs attachment to this route table.

   3. Propagate the route table to the ASG VPC attachment.

      This creates a route from the applicable Spoke VPCs to the CloudGuard ASG.

      Note - To support outbound traffic and East-West traffic for these Spoke VPCs, you must add the dedicated tag.

      Tag Key: x-chkp-vpn

      Tag Value: <MANAGEMENT-NAME>/<VPN-COMMUNITY-NAME>/propagate

      Where:

      • <MANAGEMENT-NAME> - Specifies the name of the Management Server. Use the same name you used when you executed the step - Configuring the Security Management Server with the 'autoprov_cfg' Utility.

      • <VPN-COMMUNITY-NAME> - Specifies the name of the VPN Community. Use the same name you used when you created the Configuring the VPN Community with the 'config-community.sh' Script.

      • propagate - Specifies that the auto provisioning service propagates dynamically the spokes to the CloudGuard Transit Gateway VPN tunnels in the route table.

   4. Associate the applicable Spoke VPCs to this route table.

Configuring Inbound Auto Scaling on Check Point Side

To configure Inbound Auto Scaling on the Check Point Side:

1. Connect the command line to the Management Server.

2. Log in to the Expert mode.

3. Use the autoprov_cfg CLI utility to add the "-slb" attribute to the main Controller:

   autoprov_cfg set controller AWS -cn "<CONTROLLER-NAME>" -slb

4. Use the autoprov_cfg CLI utilityto create an additional template for the Auto Scale:

   autoprov_cfg add template -tn "<NEW-TEMPLATE-NAME>" -otp "<SIC-KEY>" -ver <recommended_version> -po "<POLICY-NAME>"

Configuring Cross Account Spoke VPCs

To configure Cross Account spoke VPCs

1. When you create the AWS Transit Gateway, enable the Auto accept shared attachments.

   See Deploying the AWS Transit Gateway.

2. Follow the instructions in the AWS Documentation > Amazon VPC > Transit Gateways > Working with Transit Gateways > Transit Gateways - section Sharing a Transit Gateway.

3. Follow the instructions in the AWS Documentation > Amazon VPC > Transit Gateways > Working with Transit Gateways > Transit Gateways - section Accepting a Resource Share.

4. Attach all Spoke VPCs in each account to the Transit Gateway you just created. At this point, the attachment has a "pending acceptance" status.

5. In the main account, go to the Transit Gateway and accept all pending transactions.

6. Add a default route to the Transit Gateway in each Spoke VPC route table:

   Destination: 0.0.0.0/0

   Target: Transit Gateway ID

   Note - The route table must be the route table, in which the associated subnets are those attached to the Transit Gateway.

AWS Transit Gateway, Outbound Auto Scale, and Management in Cross-Accounts

If you want to update the Amazon Machine Image (AMI) or the Version of the Transit Gateway Auto Scaling Group, see sk112575.

Static Routes

Note - To add a CIDR, set the flat with the existing CIDRs as well.

Re-Advertising Spoke Routes

To activate the CloudGuard TGW gateway to Re-advertise the spoke route's CIDRs.

1. Connect to the command line on the Check Point Management Server.

2. Log in to the Expert mode.

3. Use the autoprov_cfg CLI utility to set the CIDR to be re-advertised by the Gateways.

   Run:

   autoprov_cfg set template -tn <TEMPLATE_NAME> -gsr <COMMA_SEPARATED_LIST_OF_CIDRS>

4. Test the configuration:

   1. In the AWS console, go the propagated tagged TGW route tables. The route tables show a route to each spoke CIDR added in the configuration.

   2. On of the provisioned Gateway, log in to Clish, and then run: show configuration routemaps

Important - Make sure that the maps were created (starting with spoke-)

Note - To add a CIDR, set the flag with the existing CIDRs as well.

Updating the Auto Scaling Group

Notes: Starting 01/01/2023 AWS no longer supports new instance types and features with launch configurations. If your Auto Scale Group uses Launch Configuration, we recommend replacing it with Launch Template. Refer to Replace launch configuration with launch template section. If you change the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. version, make sure you can use the existing Management Server with the newer Auto Scaling Group version you are deploying.

Updating AMI

• For Launch Template:

  1. Find the target AMI ID:

     1. Open AWS Marketplace and search for CloudGuard.

     2. Select the listing matching the one used to deploy the autoscaling group.

     3. Click Continue to subscribe.

     4. Click Continue to configuration.

     5. Select the target version and build (For example: R81.20-631.1427).

     6. Select the region of your autoscaling group.

     7. Copy the AMI ID.

  2. Update the autoscaling group launch template:

     1. Open the Amazon EC2 console.

     2. From the main menu bar select Launch Templates and select the launch template of the Auto Scaling Group.

     3. Click Actions > Modify template (Create new version).

     4. In Auto Scaling Guidance Check Provide guidance to help me set up a template that I can use with EC2 Auto Scaling.

     5. Go to Application and OS Images (Amazon machine image) and click Browse more AMIs.

        1. In the search box enter the AMI-ID (“ami-xxxxxxxxxxxxxxxxx”) copied in step #1.

        2. Click the Community AMIs tab.

        3. Click the Select button next to the AMI matching the AMI-ID you pasted in the search bar.

        4. If you get the alert: Some of your current settings will be changed or removed if you proceed, review the changes and Confirm if you agree.

     6. In Network settings section mark Select existing security group.

     7. Examine your configuration in all other sections and create the launch template version.

  3. From the Navigation Toolbar, select Auto Scaling Groups.

  4. Select the applicable Auto Scaling Group, click Edit.

  5. In the Launch Template section, select the new version and select Update.

  6. To apply this update, manually stop the Security Gateways one by one. The Auto Scaling Group deploys new Gateways with the updated AMI and not with the terminated gateways.

• For Launch Configuration:

  1. Open the Amazon EC2 console.

  2. From the Primary menu bar, select Launch Configurations and select the launch configuration of the Auto Scaling Group.

  3. Click Actions > Copy launch configuration.

  4. Go to Amazon machine image (AMI) and select the new AMI.

     Follow these steps to find the desired AMI id:

     1. Open the AWS Marketplace.

     2. Search for Check Point and click on the relevant product listing.

     3. Click Continue to Subscribe.

     4. Click Continue to Configuration.

     5. Select the relevant Software Version and Region.

     6. Copy the Ami Id.

  5. Examine your configuration in all other sections and create the launch configuration.

  6. From the Navigation Toolbar, select Auto Scaling Groups.

  7. Select the applicable Auto Scaling Group, click Edit.

  8. In the Launch Configuration section, select the newly created launch configuration, named the same as the previous configuration with Copy concatenated to it, and select Update.

  9. To apply this update, manually stop the Security Gateways one by one. The Auto Scaling Group deploys new Gateways with the updated AMI and not with the terminated gateways.

Notes - Avoid other configuration changes during the upgrade. To avoid downtime, make sure to terminate a Security Gateway only after a previous gateway has finished its initialization and replaced its predecessor. These updates necessitate additional actions: If you have changed the Security Gateways version, update the relevant Cloud Management Extension (CME) configuration template. Use this command: autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -ver <NEW-VERSION> Replace <CONFIGURATION-TEMPLATE-NAME> with the name of the relevant CME configuration template, such as 'my-configuration-template', and <NEW-VERSION> with the new version of the Gateways.

Replace launch configuration with launch template

1. Copy a launch configuration to a launch template:

   1. Open the Amazon EC2 console.

   2. In the navigation pane under Auto Scaling, select Launch Configurations.

   3. Select the launch configuration to copy and select Copy to launch template > Copy selected. It creates a new launch template with the same name and options as the selected launch configuration.

   4. For New launch template name, use the name of the launch configuration (the default) or enter a new name. The launch template names must be unique.

   5. Select Copy.

2. Replace the launch configuration for an Auto Scaling group:

   1. Open the Amazon EC2 console.

   2. In the navigation pane, select Auto Scaling Groups.

   3. Select the check box next to your Auto Scaling group.

      A pane opens at the bottom of the page with information about the selected group.

   4. On the Details tab, select Launch configuration, Edit.

   5. Select Switch to launch template.

   6. For Launch template, select your launch template.

   7. For Version, select the launch template version as necessary. After you create versions of a launch template, you can specify if the Auto Scaling group uses the default or the latest version of the launch template when scaling out.

   8. When complete, select Update.