Deployment Steps

Use the steps listed below to deploy your AWS Transit Gateway.

Step 1: Preparing Your AWS Account

To prepare your AWS account, do these steps:

  1. If you do not already have an AWS account, create one at AWS.

  2. Use the region selector in the navigation bar to choose the AWS region where you want to deploy Check Point CloudGuard Cross AZ Cluster on AWS.

  3. Create a key pair in your preferred region.

  4. If necessary, request a service limit increase for the AWS resources you are going to use.

    You may have to do this if an existing deployment already uses the AWS resources listed below and this deployment would exceed the default limit.

    The resources that may need a service limit increase are:

    • Number of On-demand EC2 instances.

    • Number of Elastic IP addresses.

    • Number of VPCs for each region.

    • Number of VPN connections for each region.

    • Number of Customer Gateways for each region.

    • Number of Virtual Private Gateways for each region.

    • VPN connections for each VPC.

By default, this deployment guide uses c5.xlarge for the Security Gateways and m5.xlarge for the Security Management Server.

Deployment minimum permissions

For a successful deployment, the relevant IAM policy must include at least the permissions configured below.

In the AWS VPC Console, navigate to the IAM service, select the relevant IAM policy, and paste this text:

Step 2: Subscribing to Check Point CloudGuard Network

To subscribe to Check Point CloudGuard Network, do these steps:

  1. Log in to the AWS Marketplace.

  2. Search for "CloudGuard Network Security".

  3. Select one of these licensing options for Check Point CloudGuard Security Gateways:

    Or one of these licensing options for a Check Point CloudGuard Security Management Server:

    Note - If you want to manage more than five Security Gateways, select the BYOL option and contact Check Point Sales to purchase a license.

  4. Select Continue to subscribe.

  5. Select Accept Terms to confirm that you accept the AWS Marketplace license agreement.

Note - In the deployment steps that follow, the system prompts for the licensing information for the Security Gateways and Security Management Server that you selected.

Step 3: Deploying the Check Point Security Management Server

Use one of these options to deploy the Check Point Security Management Server.

Using the Existing On-Premises Security Management Server or the Security Management Server in AWS

In AWS VPC Console, configure the required permissions for the Security Management Server:


Required Permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeSecurityGroups",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetHealth",
        "autoscaling:DescribeAutoScalingGroups",
        "ec2:DescribeRegions",
        "ec2:DescribeCustomerGateways",
        "ec2:CreateCustomerGateway",
        "ec2:DeleteCustomerGateway",
        "ec2:DescribeRouteTables",
        "ec2:EnableVgwRoutePropagation",
        "ec2:DisableVgwRoutePropagation",
        "ec2:DescribeVpnGateways",
        "ec2:CreateVpnGateway",
        "ec2:AttachVpnGateway",
        "ec2:DetachVpnGateway",
        "ec2:DeleteVpnGateway",
        "ec2:DescribeVpnConnections",
        "ec2:CreateVpnConnection",
        "ec2:DeleteVpnConnection",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeTransitGatewayRouteTables",
        "ec2:DescribeTransitGatewayAttachments",
        "ec2:AssociateTransitGatewayRouteTable",
        "ec2:DisassociateTransitGatewayRouteTable",
        "ec2:EnableTransitGatewayRouteTablePropagation",
        "ec2:DisableTransitGatewayRouteTablePropagation",
        "ec2:GetTransitGatewayAttachmentPropagations",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackResources",
        "cloudformation:ListStacks"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*",
      "Effect": "Allow"
    }
  ]
}
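The policy above is deliberately narrow: almost everything is read-only, the few write calls the automation needs are granted on "*" only because AWS does not scope them any tighter, and stack creation/deletion is limited to the vpn-by-tag-- stack ARN pattern. The following Python script is an added example, not part of this guide or of Check Point's tooling; it audits a policy document you are about to attach and reports where it drifts from that shape (wildcard actions, write actions on "*" that the guide does not grant, unscoped stack permissions). The two sample policies embedded in it are constructed for the example.

```python
import json

# Resource pattern the guide uses to scope stack creation and deletion (from the policy above).
ALLOWED_STACK_ARN = "arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*"
SCOPED_ACTIONS = {"cloudformation:CreateStack", "cloudformation:DeleteStack"}

# Write actions the guide grants on Resource "*" (copied from the policy above).
# Any other non-read action on "*" is reported as unexpected.
WRITE_ON_ANY_RESOURCE = {
    "ec2:CreateCustomerGateway", "ec2:DeleteCustomerGateway",
    "ec2:EnableVgwRoutePropagation", "ec2:DisableVgwRoutePropagation",
    "ec2:CreateVpnGateway", "ec2:AttachVpnGateway",
    "ec2:DetachVpnGateway", "ec2:DeleteVpnGateway",
    "ec2:CreateVpnConnection", "ec2:DeleteVpnConnection",
    "ec2:AssociateTransitGatewayRouteTable", "ec2:DisassociateTransitGatewayRouteTable",
    "ec2:EnableTransitGatewayRouteTablePropagation",
    "ec2:DisableTransitGatewayRouteTablePropagation",
}

READ_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for Describe*/Get*/List* API calls, which cannot change state."""
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_PREFIXES)


def audit_policy(policy_json):
    """Return a list of findings; an empty list means the policy matches the guide's shape."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif action in SCOPED_ACTIONS and resources != [ALLOWED_STACK_ARN]:
                findings.append(f"statement {idx}: {action} is not limited to {ALLOWED_STACK_ARN}")
            elif (not is_read_only(action) and "*" in resources
                  and action not in WRITE_ON_ANY_RESOURCE):
                findings.append(f'statement {idx}: unexpected write action {action} on Resource "*"')
    return findings


# Constructed sample: an abbreviated policy with the same shape as the guide's.
GUIDE_SHAPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ec2:DescribeVpnConnections", "ec2:CreateVpnConnection",
                    "ec2:DeleteVpnConnection", "cloudformation:ListStacks"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["cloudformation:CreateStack", "cloudformation:DeleteStack"],
         "Resource": ALLOWED_STACK_ARN, "Effect": "Allow"},
    ],
})

# Constructed sample: a "just make it work" policy that grants far more than the automation needs.
OVERLY_BROAD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ec2:*", "ec2:TerminateInstances"], "Resource": "*", "Effect": "Allow"},
        {"Action": "cloudformation:CreateStack", "Resource": "*", "Effect": "Allow"},
    ],
})

if __name__ == "__main__":
    for name, doc in (("guide-shaped", GUIDE_SHAPED), ("overly-broad", OVERLY_BROAD)):
        print(name, "->", audit_policy(doc) or "no findings")
```

Run it against the JSON you actually paste into the IAM console; a clean run means the policy grants nothing beyond the list above, and each finding names the statement index to fix.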

Note - To deploy a new IAM role with read-write permissions, run this CloudFormation Template.

Deploying a Dedicated Security Management Server as Part of the Security VPC

The solution CloudFormation Template has the option to create a dedicated Security Management Server as part of the deployment.

Deploying a New Security Management Server with a Management CloudFormation Template

Deploy the Security Management Server separately as described in sk130372, in the section Installing Check Point Security Management Server.

Note - To deploy a new IAM role with read-write permissions, run this CloudFormation Template.

Step 4: Configuring the Check Point Security Management Server

To configure the Check Point Security Management Server, do these steps:

  1. Configuring the "Auto_Provisioning" Automation

  2. Optional: Enabling the CloudGuard Controller

  3. Configuring the Access Control Policy

Configuring the "Auto_Provisioning" Automation

There are two options to configure auto-provisioning for the first time on the Security Management Server:

Option       Description
Recommended  Configuration with the CloudGuard Auto Scaling Transit Gateway First Time Configuration Wizard
Advanced     Configuring the Security Management Server with the 'autoprov_cfg' Utility

Configuration with the CloudGuard Auto Scaling Transit Gateway First Time Configuration Wizard

To configure with the CloudGuard Auto Scaling Transit Gateway First Time Configuration Wizard:

Important - This procedure removes all existing configuration. To keep it, use the autoprov_cfg utility.

  1. Connect to the command line on the Check Point Security Management Server.

  2. Log in to the Expert mode.

  3. Run: tgw-menu

  4. Follow the First Time Configuration Wizard.

    Note - The tgw-menu supports multi-account configuration.

    For more information, see AWS Transit Gateway, Outbound Auto Scale, and Management in Cross-Accounts.

  5. To test or change the existing configuration, use the autoprov_cfg utility.

Enabling the CloudGuard Controller

We recommend that you enable the CloudGuard Controller to benefit from more CloudGuard features.

To use the CloudGuard Controller capabilities, you must install the required Jumbo Hotfix Accumulator. See the Known Limitation VSECC-784 in sk141173.

For more information, see the CloudGuard Controller Administration Guide.

Configuring the Access Control Policy

To configure the Access Control policy:

  1. Connect with SmartConsole to your Check Point Security Management Server.

  2. If the Security Management Server and the Security Gateway have to communicate through public IP addresses, make sure that the Security Management Server object is defined with the elastic IP address.

    Edit the Security Management Server object and change the IP address.

    Important - If you change the main IP address of the Security Management Server, you must issue and install the license(s) for the new IP address.

  3. Create the Security Policy you want to install on the Transit Gateways:

    1. In SmartConsole, click Menu > Manage policies and layers.

    2. From the left tree, click Policies.

    3. From the top toolbar, click New.

    4. Enter the policy package name.

      Important - Use the package name you set when you executed the autoprov_cfg utility.

    5. Select the Policy Types.

    6. Click OK.

    7. Click Close.

  4. Add the required explicit rules:

    1. In SmartConsole, from the left navigation panel, click Security Policies.

    2. At the top, click the plus sign to open the Manage Policies tab.

    3. Select the new policy package you created earlier.

    4-A. Add the applicable explicit Access Control rules.

    1. In the top left Access Control section, click Policy.

    2. Add the applicable rules.

    4-B. Add a Manual NAT rule that hides all internet sources behind the Auto Scale Group instances:

    1. Connect with SmartConsole to the Security Management Server / Domain Management Server.

    2. Create a Dynamic Object named LocalGateway.

      Note - Skip this step if a Dynamic Object by that name already exists.

      1. In the Object Browser, click New > More > Network Object > Dynamic Object.

      2. Enter the name LocalGateway.

    3. In the top left Access Control section, click NAT.

    4. From the top toolbar, click Add rule and select Add rule to bottom.

      Important - This rule must be the last rule in the NAT rule base.

    5. Configure this Manual NAT rule:

      • Original Source: Select the object called All Internet

      • Original Destination: *Any

      • Original Services: *Any

      • Translated Source: Select the object called LocalGateway

        Note - Make sure a red capital letter H appears between the object icon and the object name. Otherwise, right-click the object > NAT Method > Hide.

      • Translated Destination: =Original

      • Translated Services: =Original

      • Install On: Transit Gateways

  5. We recommend that you create an explicit VPN Directional rule in the Access Control Policy to allow the required services to work over the VPN tunnels:

    5-A. Enable the support for VPN directional rules:

    1. In SmartConsole, click Menu > Global properties.

    2. In the left tree, click VPN > Advanced.

    3. Select Enable VPN Directional Match in VPN Column.

    4. Click OK.

    5-B. Create an explicit VPN Directional cleanup rule:

    • Source: Applicable Objects

    • Destination: Applicable Objects

    • VPN: All these:

      Community -> Community

      Community -> External_clear

    • Track: None, or Log

    • Install On: Transit Gateways

Step 5: Deploying the Security Transit Gateway Auto Scaling Group

To deploy the Security Transit Gateway Auto Scaling Group, follow these steps:

  1. Deploying the AWS Transit Gateway

  2. Deploying the Security Transit Gateway Auto Scaling Group

Deploying the AWS Transit Gateway

Follow the AWS instructions to deploy Transit Gateways.

When you create the Transit Gateway, configure these settings in the Amazon VPC console:

  1. Disable the Default route table association.

  2. Disable the Default route table propagation.

  3. For cross-account spokes, enable the Auto accept shared attachments.

  4. Add this tag:

    Tag Key: x-chkp-vpn

    Tag Value: <MANAGEMENT-NAME>/<VPN-COMMUNITY-NAME>

    Where:

    • <MANAGEMENT-NAME> - Specifies the name of the Management Server. Use the same name you used when you executed the autoprov_cfg utility.

    • <VPN-COMMUNITY-NAME> - Specifies the name of the VPN Community. Use the same name you used when you created the VPN Community.

Note - If you did not disable the Default route table association and the Default route table propagation settings, delete the existing Transit Gateway and create a new one. If you keep the previous Transit Gateway, AWS associates and propagates all attachments to the same default Transit Gateway route table. As a result, traffic between spokes cannot be routed through the CloudGuard Gateways. To change this, move the association and propagation to the correct Transit Gateway route table.

Deploying the Security Transit Gateway Auto Scaling Group

To launch the Transit Gateway template into your AWS account, click here.

After the Security Gateways are created, they are automatically added to the Management Server database. You can see them in SmartConsole.

Important - When creating a new Management Server, remember to:

  1. Use the latest CloudGuard Security Management Server add-on from sk130372.

  2. Configure these main parameters on the Management Server for tagging objects in AWS:

    Parameter              Value
    <VPN-COMMUNITY-NAME>   tgw-community
    <MANAGEMENT-NAME>      management-server

Note - To review the complete configuration on the Management Server, run:

autoprov_cfg show all

Parameters for Deploying a Transit Gateway into a New VPC

Network Configuration:

Parameter Name: VPC CIDR
  Default Value: 10.0.0.0/16
  Description: The CIDR block for the VPC.

Parameter Name: Availability Zones
  Default Value: Requires Input
  Description: The specific Availability Zones you want to use for resource distribution. This field shows the available zones in your selected region. You must select at least two Availability Zones from this list. The logical order of your selections is preserved in your deployment.

Parameter Name: Number of Availability Zones
  Default Value: 2
  Description: Number of Availability Zones to use in the VPC.
  Important - This must align with your choices in the Availability Zones parameter.

Parameter Name: Public Subnet 1
  Default Value: 10.0.0.0/24
  Description: CIDR block for Public Subnet 1, located in the 1st Availability Zone. If you choose to deploy a Management Server, it is deployed in this subnet.

Parameter Name: Public Subnet 2
  Default Value: 10.0.2.0/24
  Description: CIDR block for Public Subnet 2, located in the 2nd Availability Zone.

Parameter Name: Public Subnet 3
  Default Value: 10.0.4.0/24
  Description: CIDR block for Public Subnet 3, located in the 3rd Availability Zone.

Parameter Name: Public Subnet 4
  Default Value: 10.0.6.0/24
  Description: CIDR block for Public Subnet 4, located in the 4th Availability Zone.

General Settings:

Parameter Name: Key name
  Default Value: Requires Input
  Description: A pair of public and private keys that allows you to connect safely to your instance after it launches. This is the key pair you created in your preferred region when you prepared your AWS account.

Parameter Name: Upload & download
  Default Value: Yes
  Description: When you select Yes, your instance can automatically download Software Blade contracts and other important data. This also improves product experience by sending data to Check Point. For information on configuration, see sk111080.

Check Point CloudGuard Network Security Gateway Auto Scaling Group Configuration:

Parameter Name: Name
  Default Value: Optional: Check Point Gateway
  Description: AWS name tag of the Security Gateways.

Parameter Name: Instance type
  Default Value: c5.xlarge
  Description: The EC2 instance type for the Security Gateways.

Parameter Name: Minimum group size
  Default Value: 2
  Description: The minimum number of Security Gateway instances in the Auto Scaling Group.

Parameter Name: Maximum group size
  Default Value: 5
  Description: The maximum number of Security Gateway instances in the Auto Scaling Group.

Parameter Name: Version & license
  Default Value: "version"-"license"
  Description: The license to use for the Security Gateways. By default, "version" points to the current recommended version and "license" is set to NGTX.

Parameter Name: Password hash
  Default Value: Optional
  Description: The administrator password hash. Run this command to get the password hash:
    openssl passwd -1 <PASSWORD>

Parameter Name: SIC key
  Default Value: Requires input
  Description: One-time activation key. Enter a string that contains 8 to 127 alphanumeric characters.

Parameter Name: BGP ASN
  Default Value: 65000
  Description: The organization's Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways.

Parameter Name: Email address
  Default Value: Optional
  Description: The email address to which notifications about scaling events are sent.

Check Point CloudGuard Network Management Server Configuration:

Parameter Name: Deploy management server
  Default Value: Yes
  Description:
    • Select Yes to deploy a new Management Server in the new VPC.
    • Select No to use an existing Management Server, or to deploy one later; the other parameters of this section are then ignored.

Parameter Name: Default VPN access
  Default Value: accept
  Description: Select accept to allow all traffic between the Spoke VPCs and from the Spoke VPCs to the Internet.

Parameter Name: Instance type
  Default Value: m5.xlarge
  Description: The EC2 instance type for the Management Server.

Parameter Name: Version & license
  Default Value: <recommended_version>-PAYG-MGMT
  Description: The license to use for the Management Server.

Parameter Name: Password hash
  Default Value: Optional
  Description: The administrator password hash. Run this command to get the password hash:
    openssl passwd -1 <PASSWORD>

Parameter Name: Default blades
  Default Value: On
  Description: Enables (On) or Disables (Off) these Software Blades:
  Note - You can manually enable or disable these and additional Software Blades later.

Parameter Name: Administrator addresses
  Default Value: 0.0.0.0/0
  Description: Specify the networks from which clients (SmartConsole, Gaia Portal, SSH) can connect to the Management Server. The default 0.0.0.0/0 allows connections from any address; narrow it to your administrator networks.

Parameter Name: Manage gateways
  Default Value: Locally managed
  Description: Select Over the internet if the Management Server is not able to connect to the Security Gateways through their private IP addresses, which Locally managed requires.

Parameter Name: Gateway addresses
  Default Value: 10.0.0.0/16
  Description: Only Security Gateways from this CIDR range of IP addresses are allowed to communicate with the Management Server.

Settings for Automatic Provisioning with Management Server:

Parameter Name: Gateway addresses
  Default Value: private
  Description: Determines whether the Security Gateways are provisioned with their private or public IP addresses.

Parameter Name: Management server
  Default Value: management-server
  Description: The name that represents the Management Server in the automatic provisioning configuration. When you use an existing Management Server, select the name you configured in the Configuring the Security Management Server with the 'autoprov_cfg' Utility section.

Parameter Name: Configuration template
  Default Value: TGW-ASG-configuration
  Description: The name of a Security Gateway configuration template in the automatic provisioning configuration. When you use an existing Management Server, select the name you configured in the Configuring the Security Management Server with the 'autoprov_cfg' Utility section.

Step 6: Configuring Security Transit Gateway Auto Scaling Group

To configure the Security Transit Gateway Auto Scaling Group, do these steps:

  1. Attaching Spoke VPCs to the Transit Gateway

  2. Configuring Transit Gateway Route Tables

Attaching Spoke VPCs to the Transit Gateway

To attach spoke VPCs to the Transit Gateway:

  1. Create the Spoke VPCs and their subnets.

  2. Attach all Spoke VPCs to the Transit Gateway you just created.

  3. Add a default route to the Transit Gateway in each Spoke VPC route table:

    Destination: 0.0.0.0/0

    Target: Transit Gateway ID

Notes:

  • The route table must be the one associated with the subnets that are attached to the Transit Gateway.

  • To unlink a spoke, delete the VPC attachment from the Transit Gateway.

Configuring Transit Gateway Route Tables

To configure Transit Gateway Route Tables:

  1. In Amazon VPC console, go to the Transit Gateway Route Tables tab.

  2. Configure a checkpoint route table:

    1. Create a new checkpoint route table.

      Later, the CloudGuard Transit Gateway VPN attachments are automatically associated with this route table.

    2. Add this tag:

      Tag Key: x-chkp-vpn

      Tag Value: <MANAGEMENT-NAME>/<VPN-COMMUNITY-NAME>/associate

      Where:

      • <MANAGEMENT-NAME> - Specifies the name of the Management Server. Use the same name you used when you executed the autoprov_cfg utility.

      • <VPN-COMMUNITY-NAME> - Specifies the name of the VPN Community. Use the same name you used when you created the VPN Community.

      • associate - Specifies that the auto provisioning service dynamically associates the CloudGuard Gateway VPN tunnels with the route table.

    3. Propagate the route table to your spokes.

      This creates a route from each CloudGuard Transit Gateway VPN attachment to all spoke VPCs.

      This lets the CloudGuard Transit Gateways route traffic to the Spoke VPCs over their VPN tunnels.

  3. Configure a spokes route table:

    1. Create a new spokes route table.

      Later, the spokes are automatically propagated to the CloudGuard Transit Gateway VPN attachments.

    2. Add this tag:

      Tag Key: x-chkp-vpn

      Tag Value: <MANAGEMENT-NAME>/<VPN-COMMUNITY-NAME>/propagate

      Where:

      • <MANAGEMENT-NAME> - Specifies the name of the Management Server. Use the same name you used when you executed the autoprov_cfg utility.

      • <VPN-COMMUNITY-NAME> - Specifies the name of the VPN Community. Use the same name you used when you created the VPN Community.

      • propagate - Specifies that the auto provisioning service dynamically propagates the spokes to the CloudGuard Transit Gateway VPN tunnels in the route table.

    3. Associate your spokes to the route table.

      This creates a default route to all VPN tunnels (which route by ECMP), and a specific route to each VPN attachment to respond to the requesting Transit Gateway.

      This lets the spoke VPCs route traffic through the CloudGuard Transit Gateway over their VPN attachments.

    When the CloudGuard Transit Gateway provisioning starts, a VPN tunnel is created for each Transit Gateway.

The automation performs these tasks:

  1. Creates a VPN connection with two tunnels.

  2. Creates an attachment to the Transit Gateway you tagged in the section Deploying the AWS Transit Gateway.

  3. Associates each VPN attachment with the checkpoint route table.

  4. Propagates each VPN attachment to the spokes route table.
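The automation keys everything off the x-chkp-vpn tag: the Transit Gateway carries <MANAGEMENT-NAME>/<VPN-COMMUNITY-NAME>, and each route table carries the same prefix plus /associate or /propagate (see the tagging in Deploying the AWS Transit Gateway and in Configuring Transit Gateway Route Tables). A typo in any of the three values silently leaves tunnels unassociated, so it pays to check the tags and the Transit Gateway options before the Auto Scaling Group launches. The Python script below is an added example, not part of this guide or of Check Point's automation; it parses the tag convention exactly as described above, checks that the two Default route table settings are disabled, and verifies that both a checkpoint (associate) and a spokes (propagate) route table exist for the configured names. The input dictionaries mirror the shape of describe-transit-gateways and describe-transit-gateway-route-tables output and are constructed for the example, as are all resource IDs.

```python
TAG_KEY = "x-chkp-vpn"
ROLES = ("associate", "propagate")


def parse_vpn_tag(value):
    """Split an x-chkp-vpn value into (management, community, role).

    role is None for the Transit Gateway tag (MGMT/COMMUNITY) and
    'associate' or 'propagate' for a route table tag (MGMT/COMMUNITY/role).
    """
    parts = value.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed {TAG_KEY} value {value!r}")
    role = parts[2] if len(parts) == 3 else None
    if role is not None and role not in ROLES:
        raise ValueError(f"unknown role {role!r} in {TAG_KEY} value {value!r}")
    return parts[0], parts[1], role


def _tag_value(resource, key):
    """Look up one tag in the Tags list that describe-* calls return."""
    for tag in resource.get("Tags", []):
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def audit_transit_gateway(tgw, route_tables, mgmt_name, community_name):
    """Return a list of findings; an empty list means tags and options match the guide."""
    findings = []
    options = tgw.get("Options", {})
    # Step 5 requires both default route table behaviours to be disabled.
    for option in ("DefaultRouteTableAssociation", "DefaultRouteTablePropagation"):
        if options.get(option) != "disable":
            findings.append(f"{option} is {options.get(option)!r}, must be 'disable'")
    # The Transit Gateway itself carries MGMT/COMMUNITY with no role suffix.
    tgw_tag = _tag_value(tgw, TAG_KEY)
    try:
        if tgw_tag is None:
            findings.append(f"Transit Gateway has no {TAG_KEY} tag")
        elif parse_vpn_tag(tgw_tag) != (mgmt_name, community_name, None):
            findings.append(f"Transit Gateway tag {tgw_tag!r} does not match {mgmt_name}/{community_name}")
    except ValueError as exc:
        findings.append(str(exc))
    # Route tables carry the same prefix plus /associate or /propagate.
    roles_seen = {}
    for table in route_tables:
        table_id = table.get("TransitGatewayRouteTableId", "?")
        tag = _tag_value(table, TAG_KEY)
        if tag is None:
            continue  # untagged route tables are not touched by the automation
        try:
            t_mgmt, t_community, role = parse_vpn_tag(tag)
        except ValueError as exc:
            findings.append(f"route table {table_id}: {exc}")
            continue
        if role is None or (t_mgmt, t_community) != (mgmt_name, community_name):
            findings.append(f"route table {table_id}: tag {tag!r} does not match "
                            f"{mgmt_name}/{community_name}/<associate|propagate>")
            continue
        roles_seen.setdefault(role, []).append(table_id)
    for role in ROLES:
        if role not in roles_seen:
            findings.append(f"no route table tagged {mgmt_name}/{community_name}/{role}")
    return findings


# Constructed sample: a Transit Gateway configured as Step 5 describes.
GOOD_TGW = {
    "TransitGatewayId": "tgw-0123456789abcdef0",
    "Options": {"DefaultRouteTableAssociation": "disable",
                "DefaultRouteTablePropagation": "disable",
                "AutoAcceptSharedAttachments": "enable"},
    "Tags": [{"Key": TAG_KEY, "Value": "management-server/tgw-community"}],
}
# Constructed sample: the checkpoint and spokes route tables from Step 6.
ROUTE_TABLES = [
    {"TransitGatewayRouteTableId": "tgw-rtb-0aaaaaaaaaaaaaaaa",
     "Tags": [{"Key": TAG_KEY, "Value": "management-server/tgw-community/associate"}]},
    {"TransitGatewayRouteTableId": "tgw-rtb-0bbbbbbbbbbbbbbbb",
     "Tags": [{"Key": TAG_KEY, "Value": "management-server/tgw-community/propagate"}]},
]
# Constructed sample: default association left enabled and a typo in the community name.
BAD_TGW = {
    "TransitGatewayId": "tgw-0fedcba9876543210",
    "Options": {"DefaultRouteTableAssociation": "enable",
                "DefaultRouteTablePropagation": "disable"},
    "Tags": [{"Key": TAG_KEY, "Value": "management-server/tgw-comunity"}],
}

if __name__ == "__main__":
    for label, tgw in (("good", GOOD_TGW), ("bad", BAD_TGW)):
        print(label, "->", audit_transit_gateway(tgw, ROUTE_TABLES, "management-server", "tgw-community") or "ok")
```

The names passed as mgmt_name and community_name should be the ones you gave to autoprov_cfg and to the VPN Community; feed the script the JSON from the two describe calls and it reports every mismatch before the automation has to discover it.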

Step 7: Reviewing and Testing the Deployment

If the setup was successful, you see these components:

  1. In AWS Management Console:

    • Each Gateway has a VPN connection with two tunnels in the UP status.

    • Under the Transit Gateway Route tables:

      • In the spokes route table, all spoke VPCs are propagated to the CloudGuard Security Gateways VPN attachments.

      • In the checkpoint route table, all CloudGuard Security Gateways VPN attachments are associated.

  2. In Check Point SmartConsole:

    • All the Check Point CloudGuard Security Gateways (you defined in the Auto Scaling Group in Amazon EC2 Console) are provisioned successfully.

    • On the Management Server, the command "service cme test" runs and ends without errors.

    • Check Point IPsec VPN Software Blade is enabled, on each Security Gateway.

    • Star VPN Community with both gateways, each configured as a Center Gateway.

    • Security Policy with a Directional VPN rule exists.

    • The Security Policy is installed successfully on the Security Gateways.
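The first AWS-side check above (each Gateway has a VPN connection with two tunnels in the UP status) is easy to automate from the output of aws ec2 describe-vpn-connections. The Python script below is an added example, not part of this guide or of the Check Point tooling; it walks the VpnConnections list, confirms each connection is available, attached to the expected Transit Gateway, and reports exactly two tunnels, and returns the connections that fail any of those checks together with the tunnel's StatusMessage. The sample data mirrors the real output structure but is constructed for the example (IDs and 203.0.113.0/24 addresses are placeholders).

```python
def audit_vpn_connections(vpn_connections, transit_gateway_id, expected_tunnels=2):
    """Return {VpnConnectionId: [issues]} for every connection that is not fully healthy.

    `vpn_connections` is the "VpnConnections" list returned by
    `aws ec2 describe-vpn-connections`; `VgwTelemetry` holds one entry per tunnel.
    """
    problems = {}
    for conn in vpn_connections:
        issues = []
        if conn.get("State") != "available":
            issues.append(f"connection state is {conn.get('State')!r}")
        if conn.get("TransitGatewayId") != transit_gateway_id:
            issues.append(f"attached to {conn.get('TransitGatewayId')!r}, not {transit_gateway_id}")
        telemetry = conn.get("VgwTelemetry", [])
        if len(telemetry) != expected_tunnels:
            issues.append(f"{len(telemetry)} tunnels reported, expected {expected_tunnels}")
        for tunnel in telemetry:
            if tunnel.get("Status") != "UP":
                issues.append(f"tunnel {tunnel.get('OutsideIpAddress')} is "
                              f"{tunnel.get('Status')}: {tunnel.get('StatusMessage', '')}")
        if issues:
            problems[conn["VpnConnectionId"]] = issues
    return problems


TGW_ID = "tgw-0123456789abcdef0"  # constructed placeholder

# Constructed sample: one healthy gateway and one gateway with a tunnel down.
SAMPLE_VPN_CONNECTIONS = [
    {
        "VpnConnectionId": "vpn-0aaaaaaaaaaaaaaaa",
        "State": "available",
        "TransitGatewayId": TGW_ID,
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
             "StatusMessage": "", "AcceptedRouteCount": 3},
            {"OutsideIpAddress": "203.0.113.11", "Status": "UP",
             "StatusMessage": "", "AcceptedRouteCount": 3},
        ],
    },
    {
        "VpnConnectionId": "vpn-0bbbbbbbbbbbbbbbb",
        "State": "available",
        "TransitGatewayId": TGW_ID,
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.20", "Status": "UP",
             "StatusMessage": "", "AcceptedRouteCount": 3},
            {"OutsideIpAddress": "203.0.113.21", "Status": "DOWN",
             "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
        ],
    },
]

if __name__ == "__main__":
    report = audit_vpn_connections(SAMPLE_VPN_CONNECTIONS, TGW_ID)
    if not report:
        print("all VPN connections healthy")
    for conn_id, issues in report.items():
        print(conn_id)
        for issue in issues:
            print("  -", issue)
```

Pair this with the SmartConsole checks and with "service cme test" on the Management Server; a tunnel that AWS reports as DOWN while the gateway is provisioned usually points at the VPN Community or the Directional VPN rule rather than at the AWS side.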

(Optional) Enable Transit Gateway Appliance Mode

The TGW Appliance Mode allows traffic inspection to happen in a different AZ from the one where the traffic is sourced or destined.

With the AWS Transit Gateway Appliance Mode, you can specify attachments that forward network flows out of the same AZ regardless of the flow's direction and of the Availability Zone in which it originated. The AWS Transit Gateway Appliance Mode ensures that network flows are symmetrically routed to the same AZ and network appliance. For more information on AWS Transit Gateway Appliance Mode, see this example: Appliance in a shared services VPC.

To set Transit Gateway Appliance Mode on the Security VPC attachment, use this AWS CLI command with the latest version of AWS CLI v2:

aws ec2 modify-transit-gateway-vpc-attachment --transit-gateway-attachment-id <tgw-attach-xyx> --options ApplianceModeSupport="enable"

Follow these steps to set Transit Gateway Appliance Mode on the Security VPC attachment from the AWS console:

  1. Log in to the AWS Management Console.

  2. From the primary menu bar, select VPC > Transit Gateway attachments > select the Security VPC attachment.

  3. Click Actions > Modify transit gateway attachment.

  4. Check Appliance Mode support.

  5. Click Modify transit gateway attachment.