Deployment Steps

Use the steps listed below to deploy your AWS Transit Gateway.

Step 1: Preparing Your AWS Account

To prepare your AWS account, do the following:

  1. If you do not already have an AWS account, create one at AWS.

  2. Use the region selector in the navigation bar to choose the AWS Region where you want to deploy Check Point CloudGuard Transit Gateway Auto Scaling on AWS.

  3. Create a key pair in your preferred region.

  4. If necessary, request a service limit increase for the AWS resources you are going to use.

    You may have to do this if you already have a deployment that uses the AWS resources below, so that this deployment would exceed the default limit.

    The resources that may need a service limit increase are:

    • Number of On-demand EC2 instances.

    • Number of Elastic IP addresses.

    • Number of VPCs for each region.

    • Number of VPN connections for each region.

    • Number of Customer Gateways for each region.

    • Number of virtual private gateways for each region.

    • VPN connections for each VPC.

By default, this Deployment guide uses c5.xlarge for the Security Gateways and m5.xlarge for the Security Management Server.

Step 2: Subscribing to Check Point CloudGuard IaaS

To subscribe to Check Point CloudGuard IaaS, do the following:

  1. Log in to AWS Marketplace.

  2. Select one of these licensing options for Check Point CloudGuard Security Gateways:

  3. Select Continue to subscribe.

  4. Select Accept Terms to confirm that you accept the AWS Marketplace license agreement.

  5. If you want to deploy a Check Point CloudGuard Security Management Server, repeat steps 2 to 4 of this procedure and select one of these licensing options:
    • CloudGuard IaaS Security Management (BYOL)

    • CloudGuard IaaS Security Management for five Security Gateways (PAYG-MGMT5)

    Note - If you want to manage more than five Security Gateways, select the BYOL option and contact Check Point Sales to purchase a license.

Note - In the deployment steps that follow, you are prompted for the licensing information for the Security Gateways and Security Management Server that you selected.

Step 3: Deploying the Check Point Security Management Server

Using the Existing On-Premises Security Management Server or Security Management Server in AWS

Deploying a Dedicated Security Management Server as Part of the Security VPC among the CloudGuard Gateways

It is not necessary to configure the Check Point Security Management Server.

Skip to Step 5: Deploying Security Transit Gateway Auto Scaling Group.

Deploying a New Security Management Server with a Management CloudFormation Template

Deploy the Security Management Server separately as described in sk130372.

Note - Create an IAM role with the read-write permissions the Management Server needs to provision the Security Gateways. Scope the role to the permissions listed in sk130372 rather than attaching a broad administrative policy: the Management Server holds this role permanently, so it should be able to do only what the automation requires.

Step 4: Configuring the Check Point Security Management Server

To configure the Check Point Security Management Server, follow these steps:

  1. Configure the Auto-Provisioning Automation.

  2. (Optional) Enable the CloudGuard Controller.

  3. Configure the Access Control Policy.

Configuring the Auto-Provisioning Automation

There are two options to configure auto-provisioning for the first time on the Security Management Server:

Option: Recommended
Description: Configure the Security Management Server with the CloudGuard Auto Scaling Transit Gateway First Time Configuration Wizard

Option: Advanced
Description: Configure the Security Management Server with the autoprov_cfg utility

Configuration with the CloudGuard Auto Scaling Transit Gateway First Time Configuration Wizard

To configure using the CloudGuard Auto Scaling Transit Gateway First Time Configuration Wizard:

Important - This procedure removes all existing configuration. To preserve it, use the autoprov_cfg utility.

  1. Connect to the command line on the Check Point Security Management Server.

  2. Log in to the Expert mode.

  3. Run: tgw-menu

  4. Follow the First Time Configuration Wizard.

    Note - The tgw-menu supports multi-account configuration. For more information, see AWS Transit Gateway, Outbound Auto Scale and Management in Cross-Accounts.

  5. To test or change the existing configuration, use the autoprov_cfg utility.

Enabling the CloudGuard Controller

We recommend enabling the CloudGuard Controller to benefit from more CloudGuard features.

To use the CloudGuard Controller capabilities, you must install the required Jumbo Hotfix Accumulator. See the Known Limitation VSECC-784 in sk141173.

For more information, see the R80.20 CloudGuard Controller Administration Guide.

Configuring the Access Control Policy

Step 5: Deploying the Security Transit Gateway Auto Scaling Group

To deploy the Security Transit Gateway Auto Scaling Group, follow these steps:

  1. Deploy the AWS Transit Gateway.

  2. Deploy the Security Transit Gateway Auto Scaling Group.

Deploying the AWS Transit Gateway

Follow the AWS instructions to deploy Transit Gateways.

When you create the Transit Gateway, configure these settings in the Amazon VPC console:

  1. Disable the Default route table association.

  2. Disable the Default route table propagation.

  3. For cross-account spokes, enable the Auto accept shared attachments.

  4. Add this tag:

    Tag Key: x-chkp-vpn

    Tag Value: <MANAGEMENT-NAME>/<VPN-COMMUNITY-NAME>

    Where:

    • <MANAGEMENT-NAME> - Specifies the name of the Management Server. Use the same name you used when you executed the autoprov_cfg utility.

    • <VPN-COMMUNITY-NAME> - Specifies the name of the VPN Community. Use the same name you used when you created the VPN Community.

Note - If you did not disable the Default route table association and the Default route table propagation settings, delete the Transit Gateway and create a new one. If you keep the previous Transit Gateway, AWS associates and propagates every attachment to the same default Transit Gateway route table. As a result, traffic can flow directly between spokes without passing through the CloudGuard Gateways, so the spoke-to-spoke traffic is not inspected. To fix this on an existing Transit Gateway instead, move the association and propagation of each attachment to the correct Transit Gateway route table.
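The four settings above are easy to get wrong in the console and expensive to fix afterwards, so it is worth checking them before the Check Point automation starts. The following audit is an added example, not code from the guide or from Check Point; it works on the dictionary shape that boto3's ec2.describe_transit_gateways() returns, and the two sample Transit Gateways and their IDs below are constructed for the example (one created as the guide requires, one left at AWS defaults). The cross_account_spokes flag, the finding strings and the function names are this example's own.

```python
"""Audit Transit Gateway settings against the checklist in this guide.

Added example (not Check Point's or AWS's code). Operates on the dict
returned by boto3's ec2.describe_transit_gateways(); the SAMPLE_RESPONSE
below is constructed and its IDs are made up.
"""

REQUIRED_TAG_KEY = "x-chkp-vpn"


def parse_vpn_tag(value):
    """Split '<MANAGEMENT-NAME>/<VPN-COMMUNITY-NAME>'; return None if malformed."""
    parts = value.split("/")
    if len(parts) != 2 or not all(parts):
        return None
    return {"management": parts[0], "community": parts[1]}


def audit_transit_gateway(tgw, cross_account_spokes=False):
    """Return a list of findings; an empty list means the TGW matches the guide."""
    findings = []
    opts = tgw.get("Options", {})
    # Steps 1 and 2: both defaults must be disabled. Otherwise every attachment
    # lands in the default route table and spokes can reach each other directly,
    # bypassing the CloudGuard Gateways.
    if opts.get("DefaultRouteTableAssociation") != "disable":
        findings.append("DefaultRouteTableAssociation is not disabled")
    if opts.get("DefaultRouteTablePropagation") != "disable":
        findings.append("DefaultRouteTablePropagation is not disabled")
    # Step 3: only required when spoke VPCs live in other AWS accounts.
    if cross_account_spokes and opts.get("AutoAcceptSharedAttachments") != "enable":
        findings.append("AutoAcceptSharedAttachments is not enabled (cross-account spokes)")
    # Step 4: the tag the Check Point automation looks for, in the documented format.
    tags = {t["Key"]: t["Value"] for t in tgw.get("Tags", [])}
    if REQUIRED_TAG_KEY not in tags:
        findings.append(f"tag {REQUIRED_TAG_KEY} is missing")
    elif parse_vpn_tag(tags[REQUIRED_TAG_KEY]) is None:
        findings.append(
            f"tag {REQUIRED_TAG_KEY} must be <MANAGEMENT-NAME>/<VPN-COMMUNITY-NAME>, "
            f"got {tags[REQUIRED_TAG_KEY]!r}"
        )
    return findings


def audit_all(describe_response, cross_account_spokes=False):
    """Map TransitGatewayId -> findings for a describe_transit_gateways() response."""
    return {
        tgw["TransitGatewayId"]: audit_transit_gateway(tgw, cross_account_spokes)
        for tgw in describe_response["TransitGateways"]
    }


# Constructed sample: one TGW created as the guide says, one left at AWS defaults.
SAMPLE_RESPONSE = {
    "TransitGateways": [
        {
            "TransitGatewayId": "tgw-0aaa111122223333a",
            "State": "available",
            "Options": {
                "DefaultRouteTableAssociation": "disable",
                "DefaultRouteTablePropagation": "disable",
                "AutoAcceptSharedAttachments": "enable",
            },
            "Tags": [{"Key": "x-chkp-vpn", "Value": "management-server/tgw-community"}],
        },
        {
            "TransitGatewayId": "tgw-0bbb111122223333b",
            "State": "available",
            "Options": {
                "DefaultRouteTableAssociation": "enable",
                "DefaultRouteTablePropagation": "enable",
                "AutoAcceptSharedAttachments": "disable",
            },
            "Tags": [{"Key": "x-chkp-vpn", "Value": "management-server"}],
        },
    ]
}

if __name__ == "__main__":
    # To audit live resources: import boto3 and pass
    # boto3.client("ec2").describe_transit_gateways() to audit_all().
    for tgw_id, findings in audit_all(SAMPLE_RESPONSE, cross_account_spokes=True).items():
        print(tgw_id, "OK" if not findings else findings)
```

Run this before tagging the Transit Gateway for the first time; a Transit Gateway that fails the first two checks should be deleted and recreated, as the note above says, because the default association and propagation settings cannot be changed after creation.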

Deploying the Security Transit Gateway Auto Scaling Group

Select one of these templates to launch the Transit Gateway template into your AWS account:

CloudFormation Template: Transit Gateway into a new VPC
Description: This template deploys:

  • Check Point CloudGuard IaaS Transit Auto Scaling Group into a new VPC on AWS

  • Optional: Management Server

S3 Link: Link

CloudFormation Template: Transit Gateway into an existing VPC
Description: This template deploys:

  • Check Point CloudGuard IaaS Transit Auto Scaling Group into an existing VPC on AWS

  • Optional: Management Server

S3 Link: Link

After the Security Gateways are created, they are automatically added to the Management Server database. You can see them in SmartConsole.

Important - When creating a new Management Server, remember to:

  1. Use the latest CloudGuard Security Management Server add-on from sk130372.

  2. Use these values for the main parameters configured on the Management Server for tagging objects in AWS (with these values, the x-chkp-vpn tag on the Transit Gateway is management-server/tgw-community):

    Parameter: <VPN-COMMUNITY-NAME>
    Value: tgw-community

    Parameter: <MANAGEMENT-NAME>
    Value: management-server

Note - To review all configurations from the Management Server, run:

autoprov_cfg show all

Parameters for Deploying a Transit Gateway into a New VPC

 

Parameters for Deploying a Transit Gateway into an Existing VPC

 
 

Step 6: Configuring Security Transit Gateway Auto Scaling Group

Attaching Spoke VPCs to the Transit Gateway

To attach spokes VPCs to the Transit Gateway:

  1. Create the Spoke VPCs and their subnets.

  2. Attach all Spoke VPCs to the Transit Gateway you just created.

  3. Add a default route to the Transit Gateway in each Spoke VPC route table:

    Destination: 0.0.0.0/0

    Target: Transit Gateway ID

Notes:

  • Add the route to the route table that is associated with the subnets you attached to the Transit Gateway; a default route in any other route table of the VPC does not send the spoke traffic through the Transit Gateway.

  • To unlink a spoke, delete the VPC attachment from the Transit Gateway.
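Whether each spoke actually sends its traffic to the Transit Gateway depends on which route table governs the attached subnets, which the console does not show in one place. The following check is an added example, not code from the guide or from Check Point; it consumes the dictionary shapes returned by boto3's ec2.describe_transit_gateway_vpc_attachments() and ec2.describe_route_tables(), resolves each attached subnet to its explicit route table or, failing that, the VPC's main route table, and reports subnets whose route table has no active 0.0.0.0/0 route to the Transit Gateway. The sample attachments, route tables and IDs are constructed for the example.

```python
"""Verify that every subnet attached to the Transit Gateway from a spoke VPC
is governed by a route table whose default route targets that Transit Gateway.

Added example (not Check Point's or AWS's code). Consumes the dict shapes of
boto3's ec2.describe_transit_gateway_vpc_attachments() and
ec2.describe_route_tables(); the samples below are constructed with made-up IDs.
"""

TGW_ID = "tgw-0aaa111122223333a"


def route_table_for_subnet(route_tables, subnet_id, vpc_id):
    """Return the route table governing a subnet: its explicit association,
    or the VPC's main route table when it has none."""
    main = None
    for rt in route_tables:
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_default_route_to_tgw(route_table, tgw_id):
    """True if 0.0.0.0/0 targets the given Transit Gateway and the route is active."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("TransitGatewayId") == tgw_id
                and route.get("State", "active") == "active"):
            return True
    return False


def check_spoke_routes(attachments_response, route_tables_response, tgw_id):
    """Map attachment id -> list of attached subnets that lack the default route."""
    route_tables = route_tables_response["RouteTables"]
    result = {}
    for att in attachments_response["TransitGatewayVpcAttachments"]:
        if att["TransitGatewayId"] != tgw_id or att.get("State") != "available":
            continue
        missing = []
        for subnet_id in att["SubnetIds"]:
            rt = route_table_for_subnet(route_tables, subnet_id, att["VpcId"])
            if rt is None or not has_default_route_to_tgw(rt, tgw_id):
                missing.append(subnet_id)
        result[att["TransitGatewayAttachmentId"]] = missing
    return result


# Constructed sample: spoke A is correct; spoke B's subnet falls back to the
# main route table, whose default route still points at an internet gateway.
SAMPLE_ATTACHMENTS = {"TransitGatewayVpcAttachments": [
    {"TransitGatewayAttachmentId": "tgw-attach-0aaa", "TransitGatewayId": TGW_ID,
     "VpcId": "vpc-0spokea", "State": "available", "SubnetIds": ["subnet-0a1"]},
    {"TransitGatewayAttachmentId": "tgw-attach-0bbb", "TransitGatewayId": TGW_ID,
     "VpcId": "vpc-0spokeb", "State": "available", "SubnetIds": ["subnet-0b1"]},
]}
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0a", "VpcId": "vpc-0spokea",
     "Associations": [{"SubnetId": "subnet-0a1", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": TGW_ID, "State": "active"}]},
    {"RouteTableId": "rtb-0b", "VpcId": "vpc-0spokeb",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0b", "State": "active"}]},
]}

if __name__ == "__main__":
    # Live use: pass boto3.client("ec2").describe_transit_gateway_vpc_attachments()
    # and describe_route_tables() instead of the samples.
    for att_id, missing in check_spoke_routes(SAMPLE_ATTACHMENTS, SAMPLE_ROUTE_TABLES, TGW_ID).items():
        print(att_id, "OK" if not missing else f"no default route to TGW in: {missing}")
```

A subnet reported here still has a working internet path through whatever its route table points at, so the gap is silent: nothing breaks, the traffic simply never reaches the Security Gateways.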

Configuring Transit Gateway Route Tables

When the CloudGuard Transit Gateway provisioning starts, a VPN connection is created for each CloudGuard Security Gateway.

The automation performs these tasks:

  1. Creates a VPN connection with two tunnels.

  2. Creates an attachment to the Transit Gateway you tagged in the section Deploying the AWS Transit Gateway.

  3. Associates each VPN attachment with the checkpoint route table.

  4. Propagates each VPN attachment to the spokes route table.

Step 7: Reviewing and Testing the Deployment

If the setup was successful, you should see these components:

  1. In AWS Management Console:
    • Each Gateway has a VPN connection with two tunnels in the UP status.

    • Under the Transit Gateway Route tables:

      • In the spokes route table, the VPN attachments of all CloudGuard Security Gateways are propagated, so that the spoke VPCs are routed through the Security Gateways.

      • In the checkpoint route table, all CloudGuard Security Gateways VPN attachments are associated.

  2. In Check Point SmartConsole:
    • All the Check Point CloudGuard Security Gateways (you defined in the Auto Scaling Group in Amazon EC2 Console) are provisioned successfully.

    • On the Management Server, the command service cme test runs and ends without errors.

    • Check Point IPsec VPN Software Blade is enabled, on each Security Gateway.

    • Star VPN Community with both gateways, each configured as a Center Gateway.

    • Security Policy with a Directional VPN rule exists.

    • The Security Policy is installed successfully on the Security Gateways.
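The AWS-side items of this checklist can be verified from the API rather than by clicking through each VPN connection and route table. The following review is an added example, not code from the guide or from Check Point; it consumes the dictionary shapes returned by boto3's ec2.describe_vpn_connections(), ec2.get_transit_gateway_route_table_associations() (called for the checkpoint route table) and ec2.get_transit_gateway_route_table_propagations() (called for the spokes route table), and reports VPN connections with a tunnel that is not UP, VPN attachments not associated with the checkpoint route table, and VPN attachments not propagated into the spokes route table. The samples, IDs and the route-table names are constructed for the example; the SmartConsole items remain a manual check.

```python
"""Review the AWS side of Step 7: both tunnels UP on every Security Gateway
VPN connection, VPN attachments associated with the checkpoint route table,
and VPN attachments propagated to the spokes route table.

Added example (not Check Point's or AWS's code). Consumes the dict shapes of
boto3's ec2.describe_vpn_connections(),
ec2.get_transit_gateway_route_table_associations() and
ec2.get_transit_gateway_route_table_propagations(); samples are constructed.
"""

TGW_ID = "tgw-0aaa111122223333a"


def vpn_tunnel_status(vpn_response, tgw_id):
    """Map VPN connection id -> list of tunnel statuses for connections on tgw_id."""
    return {
        vpn["VpnConnectionId"]: [t.get("Status") for t in vpn.get("VgwTelemetry", [])]
        for vpn in vpn_response["VpnConnections"]
        if vpn.get("TransitGatewayId") == tgw_id and vpn.get("State") != "deleted"
    }


def tunnels_not_up(vpn_response, tgw_id):
    """VPN connections that do not have exactly two tunnels in the UP status."""
    return sorted(
        vpn_id for vpn_id, statuses in vpn_tunnel_status(vpn_response, tgw_id).items()
        if len(statuses) != 2 or any(s != "UP" for s in statuses)
    )


def missing_associations(assoc_response, vpn_ids):
    """VPN connections whose attachment is not associated with the route table."""
    associated = {a["ResourceId"] for a in assoc_response["Associations"]
                  if a.get("ResourceType") == "vpn" and a.get("State") == "associated"}
    return sorted(set(vpn_ids) - associated)


def missing_propagations(prop_response, vpn_ids):
    """VPN connections whose attachment is not propagated into the route table."""
    propagated = {p["ResourceId"] for p in prop_response["TransitGatewayRouteTablePropagations"]
                  if p.get("ResourceType") == "vpn" and p.get("State") == "enabled"}
    return sorted(set(vpn_ids) - propagated)


def review(vpn_response, checkpoint_associations, spokes_propagations, tgw_id):
    """Return a findings report; every list empty and at least one VPN means pass."""
    vpn_ids = sorted(vpn_tunnel_status(vpn_response, tgw_id))
    return {
        "vpn_connections": vpn_ids,
        "tunnels_not_up": tunnels_not_up(vpn_response, tgw_id),
        "not_associated_with_checkpoint": missing_associations(checkpoint_associations, vpn_ids),
        "not_propagated_to_spokes": missing_propagations(spokes_propagations, vpn_ids),
    }


def passed(report):
    return bool(report["vpn_connections"]) and not any(
        report[k] for k in ("tunnels_not_up", "not_associated_with_checkpoint", "not_propagated_to_spokes")
    )


# Constructed sample: gateway A is healthy; gateway B has one tunnel down and
# its attachment has not been propagated into the spokes route table.
SAMPLE_VPN = {"VpnConnections": [
    {"VpnConnectionId": "vpn-0a", "State": "available", "TransitGatewayId": TGW_ID,
     "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
                      {"OutsideIpAddress": "203.0.113.11", "Status": "UP"}]},
    {"VpnConnectionId": "vpn-0b", "State": "available", "TransitGatewayId": TGW_ID,
     "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.12", "Status": "UP"},
                      {"OutsideIpAddress": "203.0.113.13", "Status": "DOWN",
                       "StatusMessage": "IPSEC IS DOWN"}]},
]}
SAMPLE_CHECKPOINT_ASSOCIATIONS = {"Associations": [
    {"TransitGatewayAttachmentId": "tgw-attach-0vpna", "ResourceId": "vpn-0a",
     "ResourceType": "vpn", "State": "associated"},
    {"TransitGatewayAttachmentId": "tgw-attach-0vpnb", "ResourceId": "vpn-0b",
     "ResourceType": "vpn", "State": "associated"},
]}
SAMPLE_SPOKES_PROPAGATIONS = {"TransitGatewayRouteTablePropagations": [
    {"TransitGatewayAttachmentId": "tgw-attach-0vpna", "ResourceId": "vpn-0a",
     "ResourceType": "vpn", "State": "enabled"},
]}

if __name__ == "__main__":
    # Live use: ec2 = boto3.client("ec2"); pass ec2.describe_vpn_connections(),
    # ec2.get_transit_gateway_route_table_associations(TransitGatewayRouteTableId=<checkpoint>)
    # and ec2.get_transit_gateway_route_table_propagations(TransitGatewayRouteTableId=<spokes>).
    report = review(SAMPLE_VPN, SAMPLE_CHECKPOINT_ASSOCIATIONS, SAMPLE_SPOKES_PROPAGATIONS, TGW_ID)
    print("PASS" if passed(report) else "FAIL", report)
```

A gateway with one tunnel down still passes traffic over the other tunnel, so only the report, not user complaints, will tell you the deployment is running without redundancy.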

 

 

AWS Transit Gateway R80.10 and Above Deployment Guide