Additional Information
Updating the Auto Scaling Group
Updating the Amazon Machine Image (AMI)
For Launch Template:
- Find the target AMI ID:
  - Open AWS Marketplace and search for:
    - R81.20 and higher: CloudGuard Network Security with Threat Prevention.
    - R80.40: CloudGuard Network Security for Gateway Load Balancer.
  - Select the listing matching the one used to deploy the autoscaling group.
  - Click Continue to subscribe.
  - Click Continue to configuration.
  - Select the target version and build (for example: R81.20-631.1427).
  - Select the region of your autoscaling group.
  - Copy the AMI ID.
- Update the autoscaling group launch template:
  - Open the Amazon EC2 console.
  - From the main menu bar, select Launch Templates. Then select the launch template of the Auto Scaling Group.
  - Click Actions > Modify template (Create new version).
  - In Auto Scaling Guidance, check Provide guidance to help me set up a template that I can use with EC2 Auto Scaling.
  - Go to Application and OS Images (Amazon machine image) and click Browse more AMIs.
    - In the search box, enter the AMI-ID (“ami-xxxxxxxxxxxxxxxxx”) copied in step 1.
    - Click the Community AMIs tab.
    - Click the Select button next to the AMI matching the AMI-ID you pasted in the search bar.
    - If you get the alert "Some of your current settings will be changed or removed if you proceed", review the changes and click Confirm if you agree.
  - In the Network settings section, mark Select existing security group.
  - An update from R80.40 to a higher version must include updating the user data:
    - Go to user data in Advanced details.
    - Paste the syntax below and replace the parameter values with the applicable ones. You can copy the parameter values from the previous user data.
      Note - The templates below are just examples. For the latest available templates for your solution, see sk125252.
Syntax to paste for Terraform Template:

#cloud-config
network:
  version: 1
  config:
    - type: bridge
      name: br0
      mtu: *eth0-mtu
      subnets:
        - address: *eth0-private
          type: static
          gateway: *default-gateway
          dns_nameservers:
            - *eth0-dns1
      bridge_interfaces:
        - eth0
kernel_parameters:
  sim:
    - sim_geneve_enabled=1
    - sim_geneve_br_dev=br0
  fw:
    - fwtls_bridge_mode_inspection=1
    - fw_geneve_enabled=1
bootcmd:
  - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local
  - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local
runcmd:
  - |
    python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20241027\" templateName=\"autoscale_gwlb\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"

Syntax to paste for Cloud Formation Template:

#cloud-config
network:
  version: 1
  config:
    - type: bridge
      name: br0
      mtu: *eth0-mtu
      subnets:
        - address: *eth0-private
          type: static
          gateway: *default-gateway
          dns_nameservers:
            - *eth0-dns1
      bridge_interfaces:
        - eth0
kernel_parameters:
  sim:
    - sim_geneve_enabled=1
    - sim_geneve_br_dev=br0
  fw:
    - fwtls_bridge_mode_inspection=1
    - fw_geneve_enabled=1
bootcmd:
  - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local
  - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local
runcmd:
  - |
    set -e
    admin_shell=PUT HERE /etc/cli.sh OR /bin/bash OR /bin/csh OR /bin/tcsh ; allow_info=PUT HERE true OR false ; cw=PUT HERE true OR false ; eic=PUT HERE true OR false
    sic="$(echo PUT HERE A BASE64-ENCODED ONE-TIME PASSWORD)"
    pwd_hash="$(echo PUT HERE A BASE64-ENCODED PASSWORD HASH OR KEEP IT EMPTY)"
    maintenance_pwd_hash="$(echo )"
    bootstrap="$(echo )"
    version=PUT HERE CHECK POINT VERSION: R81.20/R82
    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20241023\" templateName=\"autoscale_gwlb\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"

  - Examine your configuration in all other sections and create the launch template version.
- From the Navigation Toolbar, select Auto Scaling Groups.
- Select the applicable Auto Scaling Group and click Edit.
- In the Launch Template section, select the new version and select Update.
- To apply this update, manually stop the Security Gateways one by one. The Auto Scaling Group deploys new Security Gateways with the updated AMI to replace the terminated Security Gateways.

For Launch Configuration:
- Open the Amazon EC2 console.
- From the main menu bar, select Launch Configurations. Then select the launch configuration of the Auto Scaling Group.
- Click Actions > Copy launch configuration.
- Go to Amazon machine image (AMI) and select the new AMI. Follow these steps to find the desired AMI ID:
  - Open the AWS Marketplace.
  - Search for:
    - R81.20 and higher: CloudGuard Network Security with Threat Prevention.
    - R80.40: CloudGuard Network Security for Gateway Load Balancer.
  - Click on the relevant product listing.
  - Click Continue to Subscribe.
  - Click Continue to Configuration.
  - Select the relevant Software Version and Region.
  - Copy the AMI ID.
- An update from R80.40 to a higher version must include updating the user data: go to Additional configuration - optional, open Advanced details, and in user data paste the syntax below, replacing the parameter values with the applicable ones. You can copy the parameter values from the previous user data.
Syntax to paste for Terraform Template:

#cloud-config
network:
  version: 1
  config:
    - type: bridge
      name: br0
      mtu: *eth0-mtu
      subnets:
        - address: *eth0-private
          type: static
          gateway: *default-gateway
          dns_nameservers:
            - *eth0-dns1
      bridge_interfaces:
        - eth0
kernel_parameters:
  sim:
    - sim_geneve_enabled=1
    - sim_geneve_br_dev=br0
  fw:
    - fwtls_bridge_mode_inspection=1
    - fw_geneve_enabled=1
bootcmd:
  - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local
  - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local
runcmd:
  - |
    python3 /etc/cloud_config.py enableCloudWatch=\"PUT HERE true OR false\" sicKey=\"PUT HERE ONE TIME PASSWORD ENCODED TO BASE64\" installationType=\"autoscale\" osVersion=\"PUT HERE CHECK POINT VERSION\" allowUploadDownload=\"PUT HERE true OR false\" templateVersion=\"20221226\" templateName=\"autoscale_gwlb\" templateType=\"terraform\" shell=\"PUT HERE /etc/cli.sh OR /bin/bash OR /bin/csh OR /bin/tcsh\" enableInstanceConnect=\"PUT HERE true OR false\" passwordHash=\"PUT HASH PASSWORD ENCODED TO BASE64 OR KEEP IT EMPTY\" bootstrapScript64=\"\"

Syntax to paste for Cloud Formation Template:

#cloud-config
network:
  version: 1
  config:
    - type: bridge
      name: br0
      mtu: *eth0-mtu
      subnets:
        - address: *eth0-private
          type: static
          gateway: *default-gateway
          dns_nameservers:
            - *eth0-dns1
      bridge_interfaces:
        - eth0
kernel_parameters:
  sim:
    - sim_geneve_enabled=1
    - sim_geneve_br_dev=br0
  fw:
    - fwtls_bridge_mode_inspection=1
    - fw_geneve_enabled=1
bootcmd:
  - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local
  - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local
runcmd:
  - |
    set -e
    admin_shell=PUT HERE /etc/cli.sh OR /bin/bash OR /bin/csh OR /bin/tcsh ; allow_info=PUT HERE true OR false ; cw=PUT HERE true OR false ; eic=PUT HERE true OR false
    sic="$(echo PUT HERE ONE TIME PASSWORD ENCODED TO BASE64)"
    pwd_hash="$(echo PUT HERE PASSWORD HASH ENCODED TO BASE64 OR KEEP IT EMPTY)"
    bootstrap="$(echo )"
    version=PUT HERE CHECK POINT VERSION: R80.40/R81/R81.10/R81.20
    python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20230117\" templateName=\"autoscale_gwlb\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" bootstrapScript64=\"${bootstrap}\"

- Verify your configuration in all other sections and create the launch configuration.
- From the Navigation Toolbar, select Auto Scaling Groups.
- Select the applicable Auto Scaling Group and click Edit.
- In the Launch Configuration section, select the newly created launch configuration (it has the same name as the previous configuration with Copy appended) and select Update.
- To apply this update, manually stop the Security Gateways one by one. The Auto Scaling Group deploys new Security Gateways with the updated AMI to replace the terminated Security Gateways.
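
A check to run on the user data from either procedure above before pasting it, as an added example that is not Check Point's code: it flags leftover PUT HERE placeholders, missing kernel parameters from the templates, and a sicKey or passwordHash that is not base64. The function names and the constructed sample input are assumptions made for this example.

```python
import base64
import re

# Values copied from the templates on this page.
KERNEL_PARAMS = ("sim_geneve_enabled=1", "sim_geneve_br_dev=br0",
                 "fwtls_bridge_mode_inspection=1", "fw_geneve_enabled=1")
SHELLS = ("/etc/cli.sh", "/bin/bash", "/bin/csh", "/bin/tcsh")
ARG_RE = re.compile(r'(\w+)=\\"(.*?)\\"')  # matches key=\"value\"

def cloud_config_args(user_data):
    """Return the key=\\"value\\" arguments of the /etc/cloud_config.py call."""
    calls = [ln for ln in user_data.splitlines() if "/etc/cloud_config.py" in ln]
    return dict(ARG_RE.findall(calls[0])) if calls else {}

def is_base64(value):
    try:
        return bool(value) and bool(base64.b64decode(value, validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def lint_user_data(user_data):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not user_data.startswith("#cloud-config"):
        problems.append("first line is not #cloud-config")
    if "PUT HERE" in user_data or "PUT HASH" in user_data:
        problems.append("placeholder text left in user data")
    problems += ["missing " + p for p in KERNEL_PARAMS if p not in user_data]
    args = cloud_config_args(user_data)
    if not args:
        problems.append("no /etc/cloud_config.py arguments found")
    # Values still written as ${...} are filled in elsewhere; skip them.
    literal = {k: v for k, v in args.items() if not v.startswith("${")}
    if "sicKey" in literal and not is_base64(literal["sicKey"]):
        problems.append("sicKey is not base64")
    # The templates allow an empty passwordHash, so only check a set value.
    if literal.get("passwordHash") and not is_base64(literal["passwordHash"]):
        problems.append("passwordHash is not base64")
    if "shell" in literal and literal["shell"] not in SHELLS:
        problems.append("shell is not one of the listed shells")
    return problems

def sample_user_data(sic, shell="/etc/cli.sh"):
    """Constructed sample: the page's kernel settings and a filled-in call."""
    call = ('    python3 /etc/cloud_config.py enableCloudWatch=\\"false\\"'
            ' sicKey=\\"%s\\" shell=\\"%s\\" passwordHash=\\"\\"' % (sic, shell))
    head = ["#cloud-config", "kernel_parameters:"]
    head += ["  - " + p for p in KERNEL_PARAMS]
    return "\n".join(head + ["runcmd:", "  - |", call])
```

Pass the full user data text to lint_user_data before creating the launch template version or launch configuration. The sicKey value is only base64-encoded, so treat the user data text as a secret wherever it is stored.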
Replace the Launch Configuration with a Launch Template
- Copy a launch configuration to a launch template:
  - Open the Amazon EC2 console.
  - In the navigation pane under Auto Scaling, select Launch Configurations.
  - Select the launch configuration to copy and select Copy to launch template > Copy selected. This creates a new launch template with the same name and options as the selected launch configuration.
  - For New launch template name, use the name of the launch configuration (the default) or enter a new name. Launch template names must be unique.
  - Select Copy.
- Replace the launch configuration for an Auto Scaling group:
  - Open the Amazon EC2 console.
  - In the navigation pane, select Auto Scaling Groups.
  - Select the check box next to your Auto Scaling group. A pane opens at the bottom of the page with information about the selected group.
  - On the Details tab, select Launch configuration, Edit.
  - Select Switch to launch template.
  - For Launch template, select your launch template.
  - For Version, select the launch template version as necessary. After you create versions of a launch template, you can specify if the Auto Scaling group uses the default or the latest version of the launch template when scaling out.
  - When complete, select Update.