Advanced Configuration

Configuring the Security Management Server

Important - If you deploy a new Management Server with the Transit Gateway template, all configuration is applied automatically. In that case, skip this entire section.

Follow the instructions below to configure the Transit service, which controls CloudGuard's integration with the AWS Endpoints that operate the AWS Transit Hub solution.

Examples of other configuration are in the Examples of 'autoprov_cfg' Configuration section.

Configuring the Auto_Provisioning Automation

There are two options to configure auto_provisioning for the first time on the Security Management Server:

  • Recommended - Configure the Security Management Server with the CloudGuard Auto Scaling Transit Gateway First Time Configuration Wizard

  • Advanced - Configure the Security Management Server with the autoprov_cfg utility

Configuring the Security Management Server with the 'autoprov_cfg' Utility

Important - If you have an existing configuration for different CloudGuard solutions, make sure not to initialize your configuration. Add the Controller or Template for the Transit Gateway solution with the applicable configuration.

This utility configures the Check Point Security Management Server with all the settings needed for Transit:

  1. Connect to the command line on the Check Point Security Management Server.

  2. Log in to the Expert mode.

  3. Run all the commands below.

    Commands and their descriptions:

    • autoprov_cfg init AWS -mn "<MANAGEMENT-NAME>" -tn "<TEMPLATE-NAME>" -otp "<SIC-KEY>" -ver R80.20 -po "<POLICY-NAME>" -cn "<CONTROLLER-NAME>" -r "<REGIONS>" -iam

      Initializes configuration with IAM credentials.

      Options:

      • -mn - Specifies the name of the Security Management Server

      • -tn - Specifies the template name

      • -otp - Specifies the one-time SIC password

      • -ver - Specifies the Gateway version

      • -po - Specifies the name of the policy package

      • -cn - Specifies the name of the Controller

      • -r - Specifies the list of regions, separated by commas

      • -iam - Specifies to use IAM to connect to AWS

    • autoprov_cfg set controller AWS -cn "<CONTROLLER-NAME>" -sg -sv -com "<VPN-COMMUNITY-NAMES>" -sn "<SUBACCOUNT-NAME>" -ssr "<STS-ROLE-ARN>"

      Sets Controller with the required attributes for transit.

      Options:

      • -sg - Specifies to scan gateways (enables CME)

      • -sv - Specifies to scan VPN (enables Transit)

      • -com - Specifies the list of VPN communities allowed to be used by this Controller

      • -sn - Specifies the custom name for your sub-account

      • -ssr - Specifies the STS role of the trustee (spoke account), given as a role ARN

    • autoprov_cfg set template -tn "<TEMPLATE-NAME>" -vpn -vd "" -con "<VPN-COMMUNITY-NAME>" -dt TGW

      Sets template with the required attributes for transit.

      Options:

      • -vpn - Enables the IPsec VPN blade on gateways

      • -vd - Specifies the name of the VPN Domain object

      • -con - Specifies the name of the VPN Community

      • -dt - Specifies the deployment type

    • autoprov_cfg show all

      Shows all the used configurations.

      Run this command to confirm all the configurations are correct.

    Run this command to test the configuration:

    service cme test

    Make sure there are no errors.

    If the test ends with any error, see the Troubleshooting section.

Examples of 'autoprov_cfg' Configuration

Learn how to use the autoprov_cfg CLI utility to configure different deployment scenarios.

Notes:

  • The examples below apply only if you did not run the tgw-menu command.

  • The CloudGuard Auto Scale is always the primary account.

  • In the examples below, replace the variables in angle brackets with values from your environment.

Configuring the VPN Community with the 'config-community.sh' Script

This script creates a VPN Community with all the settings needed for Transit:

  1. Connect to the command line on the Check Point Security Management Server.

  2. Log in to the Expert mode.

  3. Run:

    /opt/CPcme/menu/additions/config-community.sh "<VPN-COMMUNITY-NAME>"

    Example:

    /opt/CPcme/menu/additions/config-community.sh "Transit-VPN-Community"

Configuring the Multi-Domain Server

To configure the Multi-Domain Server:

Note - Steps 1-4 apply only if you did not run the tgw-menu command.

  1. Connect to the command line on the Check Point Multi-Domain Server.

  2. Log in to the Expert mode.

  3. Execute the autoprov_cfg utility on the Multi-Domain Server. See sk120992.

  4. Execute the config-community.sh script on the Multi-Domain Server:

    /etc/fw/scripts/autoprovision/config-community.sh "<VPN-COMMUNITY-NAME>" "<DOMAIN_NAME>"

    Replace the "<DOMAIN_NAME>" with the name of your Domain.

  5. Tag the Transit Gateway and its route tables on a Multi-Domain Server.

    On a Multi-Domain Server, you have to indicate the specific Domain on which Transit has to manage the VPN connection to the spoke VPC. Therefore, the tag value for the spoke VPC must also include the Domain name.

    Tag Key: x-chkp-vpn

    Tag Value: <MANAGEMENT_NAME>/<DOMAIN_NAME>/<VPN_COMMUNITY_NAME>

    Where:

    • <MANAGEMENT_NAME> - Specifies the name of your Multi-Domain Server. Use the same name you used when you executed the autoprov_cfg command.

    • <DOMAIN_NAME> - Specifies the name of the Domain as defined in the SmartConsole.

    • <VPN_COMMUNITY_NAME> - Specifies the name of your VPN Community. Use the same name you used when you created the VPN Community.

Provisioning CloudGuard Gateways with Private IP addresses from an On-Premises Management Server

AWS Transit Gateway enables your on-premises Management Server to manage the CloudGuard Gateways that are assigned Private IP addresses. See the Architecture section.

Follow these steps to configure the AWS Transit Gateway:

  1. In the Amazon VPC console, go to the Create Customer Gateway tab.

  2. Create a new Customer Gateway with the IP address of your Corporate Gateway.

  3. Create a VPN Attachment to the Transit Gateway, which you created in the section Deploying the AWS Transit Gateway of Step 4.

  4. In the Amazon VPC console, go to the Site-to-Site VPN connection tab.

    Make sure a VPN connection is created and established.

  5. Configure the Transit Gateway Attachment to the Transit Auto Scaling Group VPC:

    1. Create the Transit Gateway Attachment to a VPC.

    2. Add a route in the Transit ASG VPC route table:

      Destination: <MANAGEMENT_IP>

      Target: Transit Gateway ID

  6. In the Amazon VPC console, go to the Transit Gateway Route Tables tab.

  7. Configure a Corporate route table:

    1. Create a Corporate route table.

    2. Associate the Corporate Gateway VPN attachment to this route table.

    3. Propagate the route table to the Transit Gateway Auto Scale VPC attachment.

      This creates a route from the Corporate Gateway to the Transit Gateway Auto Scale VPC.

  8. Configure a Transit Auto Scaling route table:

    1. Create a Transit Auto Scaling route table.

    2. Associate the Transit Gateway Auto Scale VPC attachment to this route table.

    3. Propagate the route table to the Transit Gateway Corporate Gateway VPN attachment.

    4. Create a static route from the Transit Gateway Auto Scale VPC to the Management Server CIDR using the Corporate Gateway attachment.

Configuring Inbound Auto Scaling through a Transit Gateway

AWS Transit Gateway supports inbound traffic through the CloudGuard Auto Scaling Group.

Follow these steps to configure the AWS Transit Gateway:

  1. Configure Inbound Auto Scaling on the Amazon side.

  2. Configure Inbound Auto Scaling on the Check Point side.

Configuring Inbound Auto Scaling on the Amazon Side

To configure Inbound Auto Scaling on the Amazon side:

  1. Deploy the CloudGuard Auto Scaling Group in a dedicated VPC. See sk112575 - Section (4) Configuration.

    Notes:

    • Place the Internal Load Balancer in the spoke VPC that hosts the services you want to publish.

    • Deploy the External Load Balancer using the public subnets.

  2. Configure the Transit Gateway Attachment to the Transit Auto Scaling Group VPC:

    1. Create the Transit Gateway Attachment to the ASG VPC.

    2. Associate the ASG subnets to a route table.

      The route table must contain a default route to the Internet Gateway and specific routes for the spokes to the Transit Gateway.

      Route 1:

      Destination: <SPOKES_CIDR_INITIAL>

      Target: Transit Gateway ID

      Route 2:

      Destination: 0.0.0.0/0

      Target: Internet Gateway ID

  3. In the Amazon VPC console, go to the Transit Gateway Route Tables tab.

  4. Configure an inbound checkpoint route table to associate the CloudGuard ASG VPC attachment:

    1. Create an inbound checkpoint route table.

    2. Associate the CloudGuard ASG VPC attachment to this route table.

    3. Propagate the route table to the applicable Spoke VPCs for inbound traffic.

      This creates a route from the CloudGuard ASG to the applicable Spoke VPCs.

  5. Configure an inbound spokes route table to propagate the applicable Spoke VPCs to the ASG VPC attachment:

    1. Create an inbound spokes route table.

    2. Associate the spoke VPCs attachment to this route table.

    3. Propagate the route table to the ASG VPC attachment.

      This creates a route from the applicable Spoke VPCs to the CloudGuard ASG.

      Note - To support outbound traffic and East-West traffic for these Spoke VPCs, you must add the dedicated tag.

      Tag Key: x-chkp-vpn

      Tag Value: <MANAGEMENT-NAME>/<VPN-COMMUNITY-NAME>/propagate

      Where:

      • <MANAGEMENT-NAME> - Specifies the name of the Management Server. Use the same name you used when you executed the autoprov_cfg utility.

      • <VPN-COMMUNITY-NAME> - Specifies the name of the VPN Community. Use the same name you used when you created the VPN Community.

      • propagate - Specifies that the auto provisioning service dynamically propagates the spokes to the CloudGuard Transit Gateway VPN tunnels in the route table.

    4. Associate the applicable Spoke VPCs to this route table.
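As an added check, not part of this guide or of the CME tooling: a small Python parser and audit for the x-chkp-vpn tag value format described above (the Multi-Domain form with the Domain name, and the propagate form used for inbound spokes), run against constructed sample tags. Accepting the /propagate suffix on the Multi-Domain form, and the two-field form without the suffix for a single Security Management Server, are assumptions of this example.

```python
from dataclasses import dataclass

TAG_KEY = "x-chkp-vpn"

@dataclass(frozen=True)
class VpnTag:
    management: str
    community: str
    domain: str  # "" unless the tag targets a Multi-Domain Server
    propagate: bool

def parse_vpn_tag(value: str, multi_domain: bool) -> VpnTag:
    # Security Management Server: <MANAGEMENT-NAME>/<VPN-COMMUNITY-NAME>[/propagate]
    # Multi-Domain Server:        <MANAGEMENT_NAME>/<DOMAIN_NAME>/<VPN_COMMUNITY_NAME>
    # Assumption of this example: '/propagate' is also accepted on the Multi-Domain form.
    parts = value.split("/")
    propagate = parts[-1] == "propagate"
    parts = parts[:-1] if propagate else parts
    expected = 3 if multi_domain else 2
    if len(parts) != expected or not all(parts):
        raise ValueError(f"bad {TAG_KEY} value {value!r}: expected {expected} '/'-separated fields")
    management, community, domain = (parts[0], parts[2], parts[1]) if multi_domain else (parts[0], parts[1], "")
    return VpnTag(management, community, domain, propagate)

def audit_spoke_tags(vpc_tags, management_name, allowed_communities, multi_domain=False):
    # Returns {vpc_id: problem} for spokes whose tag the auto provisioning service will not honour.
    problems = {}
    for vpc_id, tags in vpc_tags.items():
        value = tags.get(TAG_KEY)
        if value is None:
            problems[vpc_id] = f"no {TAG_KEY} tag: spoke is not managed"
            continue
        try:
            tag = parse_vpn_tag(value, multi_domain)
        except ValueError as exc:
            problems[vpc_id] = str(exc)
            continue
        if tag.management != management_name:
            problems[vpc_id] = f"management {tag.management!r} differs from -mn {management_name!r}"
        elif tag.community not in allowed_communities:
            problems[vpc_id] = f"community {tag.community!r} is not in the controller -com list"
    return problems

# Constructed sample tags (not real AWS data): valid, wrong community, malformed, untagged.
SAMPLE_VPC_TAGS = {
    "vpc-spoke-a": {TAG_KEY: "mgmt-aws/Transit-VPN-Community/propagate"},
    "vpc-spoke-b": {TAG_KEY: "mgmt-aws/Other-Community"},
    "vpc-spoke-c": {TAG_KEY: "mgmt-aws//propagate"},
    "vpc-spoke-d": {"Name": "untagged-spoke"},
}
```

Feed it the tags from your own VPC inventory, with the -mn name and the -com list you passed to autoprov_cfg, to find spokes that will silently stay unmanaged.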

Configuring Inbound Auto Scaling on the Check Point Side

To configure Inbound Auto Scaling on the Check Point side:

  1. Connect to the command line on the Management Server.

  2. Log in to the Expert mode.

  3. Use the autoprov_cfg CLI utility to add the -slb attribute to the main Controller:

    autoprov_cfg set controller AWS -cn "<CONTROLLER-NAME>" -slb

  4. Use the autoprov_cfg CLI utility to create an additional template for the Auto Scale Gateway:

    autoprov_cfg add template -tn "<NEW-TEMPLATE-NAME>" -otp "<SIC-KEY>" -ver R80.20 -po "<POLICY-NAME>"

Cross-Account Spoke VPCs

To configure Cross-Account Spoke VPCs:

  1. When you create the AWS Transit Gateway, enable the Auto accept shared attachments. See the section Deploying the AWS Transit Gateway.

  2. Follow the instructions in the AWS Documentation > Amazon VPC > Transit Gateways > Working with Transit Gateways > Transit Gateways - section Sharing a Transit Gateway.

  3. Follow the instructions in the AWS Documentation > Amazon VPC > Transit Gateways > Working with Transit Gateways > Transit Gateways - section Accepting a Resource Share.

  4. Attach all Spoke VPCs in each account to the Transit Gateway you just created. At this point, the attachment has a "pending acceptance" status.

  5. In the main account, go to the Transit Gateway and accept all pending transactions.

  6. Add a default route to the Transit Gateway in each Spoke VPC route table:

    Destination: 0.0.0.0/0

    Target: Transit Gateway ID

    Note - Use the route table whose associated subnets are the ones attached to the Transit Gateway.

AWS Transit Gateway, Outbound Auto Scale, and Management in Cross-Accounts

You can create the Transit Gateway solution on multiple accounts in a number of ways:

  • The Transit Gateway and Auto Scaling Group can be in multiple accounts.

    Note - The Outbound Auto Scaling Group must be in the primary account.

  • You can do one of these:

    • Create a Management Server in the same account as the Auto Scaling Group and AWS Transit Gateway

    • Use an on-premises Management Server

  • Management Server account access for Transit Gateway and Auto Scaling Group is provided with one of these:

    • Access key and Secret key

    • STS role

    • IAM (in this case, the Management Server must be in the AWS cloud)

Notes:

Updating the AMI/Version of the Transit Gateway Auto Scaling Group

If you want to update the AMI or the Version of the Transit Gateway Auto Scaling group, refer to this link:

Static Routes

To create static routes on each Security Transit Gateway Auto Scaling Group gateway:

  1. Connect to the command line in the Management Server.

  2. Log in to Expert mode.

  3. Use the autoprov_cfg CLI utility to set the static routes that must be created on the Security Transit Gateway Auto Scaling Group's configuration template.

    Run autoprov_cfg:

    autoprov_cfg set template -tn <TEMPLATE_NAME> -gtr <COMMA_SEPARATED_LIST_OF_CIDRS>

  4. To test the configuration, log in to Clish, and then run (on one of the provisioned Gateways):

    show configuration static-route

    Make sure that the static routes were created.

Note - To add a CIDR, set the flag again with the existing CIDRs as well as the new one.

Re-Advertising Spoke Routes

To configure the CloudGuard TGW Gateways to re-advertise the CIDRs of the spoke routes:

  1. Connect to the command line on the Check Point Management Server.

  2. Log in to Expert Mode.

  3. Use the autoprov_cfg CLI utility to set the CIDR to be re-advertised by the Gateways.

    Run:

    autoprov_cfg set template -tn <TEMPLATE_NAME> -gsr <COMMA_SEPARATED_LIST_OF_CIDRS>

  4. To test the configuration:

    1. In the AWS console, go to the propagated tagged TGW route tables. The route tables show a route to each spoke CIDR added in the configuration.

    2. On one of the provisioned Gateways, log in to Clish, and then run:

      show configuration routemaps

      Make sure that the route maps were created (their names start with spoke-).

Note - To add a CIDR, set the flag with the existing CIDRs as well.
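Because -gtr and -gsr each take the complete list, a practitioner typically builds the new list from the currently configured CIDRs before running the command. The following Python helper is an added example, not part of this guide or of the autoprov_cfg utility; the template name and CIDRs are constructed values.

```python
import ipaddress
import shlex

def merge_cidrs(existing, new):
    # -gtr/-gsr replace the template's whole list, so the CIDRs already configured
    # (as shown by 'autoprov_cfg show all') must be passed again together with the new ones.
    # Invalid CIDRs raise ValueError; duplicates and CIDRs already covered are dropped.
    nets = []
    for cidr in list(existing) + list(new):
        net = ipaddress.ip_network(cidr, strict=True)  # strict: rejects host bits set, e.g. 10.1.2.3/24
        same_family = [n for n in nets if n.version == net.version]
        if any(net.subnet_of(n) for n in same_family):
            continue  # already covered by a configured CIDR
        # drop previously collected CIDRs that the new, wider one covers
        nets = [n for n in nets if n.version != net.version or not n.subnet_of(net)]
        nets.append(net)
    return [str(n) for n in nets]

def template_route_command(template, cidrs, flag):
    # Builds the autoprov_cfg command for -gtr (static routes) or -gsr (re-advertised spoke routes).
    if flag not in ("-gtr", "-gsr"):
        raise ValueError("flag must be -gtr or -gsr")
    if not cidrs:
        raise ValueError("empty CIDR list")
    return f"autoprov_cfg set template -tn {shlex.quote(template)} {flag} {shlex.quote(','.join(cidrs))}"

# Constructed example: one CIDR already configured, two to add (one of them already covered).
EXISTING = ["10.10.0.0/16"]
TO_ADD = ["10.20.0.0/16", "10.10.5.0/24"]
COMMAND = template_route_command("Transit-Template", merge_cidrs(EXISTING, TO_ADD), "-gtr")
```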


AWS Transit Gateway R80.10 and Above Deployment Guide