Additional Information

Updating the Auto Scaling Group

Notes: Starting 01/01/2023 AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. no longer supports new instance types and features with launch configurations. If your Auto Scale Group uses Launch Configuration, we recommend replacing it with Launch Template. Refer to Replace launch configuration with launch template section. If you change the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. version, make sure you can use the existing Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. with the newer Auto Scaling group version you are deploying.

Updating AMI

• For Launch Template:

  1. Find the target AMI ID:

     1. Open AWS Marketplace and search for:

        1. R81.20 and higher: CloudGuard Network Security with Threat Prevention.

        2. R80.40: CloudGuard Network Security for Gateway Load Balancer.

     2. Select the listing matching the one used to deploy the autoscaling group.

     3. Click Continue to subscribe.

     4. Click Continue to configuration.

     5. Select the target version and build (For example: R81.20-631.1427).

     6. Select the region of your autoscaling group.

     7. Copy the AMI ID.

  2. Update the autoscaling group launch template:

     1. Open the Amazon EC2 console.

     2. From the main menu bar select Launch Templates and select the launch template of the Auto Scaling Group.

     3. Click Actions > Modify template (Create new version).

     4. In Auto Scaling Guidance Check Provide guidance to help me set up a template that I can use with EC2 Auto Scaling.

     5. Go to Application and OS Images (Amazon machine image) and click Browse more AMIs.

        1. In the search box enter the AMI-ID (“ami-xxxxxxxxxxxxxxxxx”) copied in step #1.

        2. Click the Community AMIs tab.

        3. Click the Select button next to the AMI matching the AMI-ID you pasted in the search bar.

        4. If you get the alert: Some of your current settings will be changed or removed if you proceed, review the changes and Confirm if you agree.

     6. In Network settings section mark Select existing security group.

     7. Update from R80.40 to a higher version must include updating user data:

        1. Go to user data in Advanced details.

        2. Paste the syntax below and replace parameters values with the applicable ones. You can copy the parameters values from previous user data.

           Syntax to paste for Terraform Template

           Copy

           #cloud-config
           network:
           version: 1
           config:
           - type: bridge
           name: br0
           mtu: *eth0-mtu
           subnets:
           - address: *eth0-private
           type: static
           gateway: *default-gateway
           dns_nameservers:
           - *eth0-dns1
           bridge_interfaces:
           - eth0
           kernel_parameters:
           sim:
           - sim_geneve_enabled=1
           - sim_geneve_br_dev=br0
           fw:
           - fwtls_bridge_mode_inspection=1
           - fw_geneve_enabled=1
           bootcmd:
           - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local
           - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local
           runcmd:
           - |
           python3 /etc/cloud_config.py enableCloudWatch=\"PUT HERE true OR false\" sicKey=\"PUT HERE ONE TIME PASSWORD ENCODED TO BASE64\" installationType=\"autoscale\" osVersion=\"PUT HERE CHECK POINT VERSION\" allowUploadDownload=\"PUT HERE true OR false\" templateVersion=\"20221226\" templateName=\"autoscale_gwlb\" templateType=\"terraform\" shell=\"PUT HERE /etc/cli.sh OR /bin/bash OR /bin/csh OR /bin/tcsh\" enableInstanceConnect=\"PUT HERE true OR false\" passwordHash=\"PUT HASH PASSWORD ENCODED TO BASE64 OR KEEP IT EMPTY\" bootstrapScript64=\"\"

           Syntax to paste for Cloud Formation Template

           Copy

           #cloud-config
           network:
           version: 1
           config:
           - type: bridge
           name: br0
           mtu: *eth0-mtu
           subnets:
           - address: *eth0-private
           type: static
           gateway: *default-gateway
           dns_nameservers:
           - *eth0-dns1
           bridge_interfaces:
           - eth0
           kernel_parameters:
           sim:
           - sim_geneve_enabled=1
           - sim_geneve_br_dev=br0
           fw:
           - fwtls_bridge_mode_inspection=1
           - fw_geneve_enabled=1
           bootcmd:
           - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local
           - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local
           runcmd:
           - |
           set -e
           admin_shell=PUT HERE /etc/cli.sh OR /bin/bash OR /bin/csh OR /bin/tcsh ; allow_info=PUT HERE true OR false ; cw=PUT HERE true OR false ; eic=PUT HERE true OR false
           sic="$(echo PUT HERE ONE TIME PASSWORD ENCODED TO BASE64)"
           pwd_hash="$(echo PUT HERE PASSWORD HASH ENCODED TO BASE64 OR KEEP IT EMPTY)"
           bootstrap="$(echo )"
           version=PUT HERE CHECK POINT VERSION: R80.40/R81/R81.10/R81.20
           python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20230117\" templateName=\"autoscale_gwlb\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" bootstrapScript64=\"${bootstrap}\"

     8. Examine your configuration in all other sections and create the launch template version.

  3. From the Navigation Toolbar, select Auto Scaling Groups.

  4. Select the applicable Auto Scaling Group, click Edit.

  5. In the Launch Template section, select the new version and select Update.

  6. To apply this update, manually stop the Security Gateways one by one. The Auto Scaling Group deploys new Gateways with the updated AMI and not with the terminated gateways.

• For Launch Configuration:

  1. Open the Amazon EC2 console.

  2. From the main menu bar select Launch Configurations and select the launch configuration of the Auto Scaling Group.

  3. Click Actions > Copy launch configuration.

  4. Go to Amazon machine image (AMI) and select the new AMI.

     Follow these steps to find the desired AMI id:

     1. Open the AWS Marketplace.

     2. Search for

        • R81.20 and higher:

          CloudGuard Network Security with Threat Prevention.

        • R80.40

          CloudGuard Network Security for Gateway Load Balancer.

     3. Click on the relevant product listing.

     4. Click Continue to Subscribe.

     5. Click Continue to Configuration.

     6. Select the relevant Software Version and Region.

     7. Copy the Ami Id.

  5. Update from R80.40 to a higher version must include updating user data:

     Go to Additional configuration - optional, open Advanced details, in user data paste the syntax below and replace parameters values with the applicable ones. You can copy the parameters values from previous user data.

     Syntax to paste for Terraform Template

     Copy

     #cloud-config
     network:
       version: 1
       config:
       - type: bridge
         name: br0
         mtu: *eth0-mtu
         subnets:
           - address: *eth0-private
             type: static
             gateway: *default-gateway
             dns_nameservers:
             - *eth0-dns1
         bridge_interfaces:
           - eth0
     kernel_parameters:
       sim:
         - sim_geneve_enabled=1
         - sim_geneve_br_dev=br0
       fw:
      
         - fwtls_bridge_mode_inspection=1
         - fw_geneve_enabled=1
     bootcmd:
         - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local
         - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local
     runcmd:
       - |
         python3 /etc/cloud_config.py enableCloudWatch=\"PUT HERE true OR false\" sicKey=\"PUT HERE ONE TIME PASSWORD ENCODED TO BASE64\" installationType=\"autoscale\" osVersion=\"PUT HERE CHECK POINT VERSION\" allowUploadDownload=\"PUT HERE true OR false\" templateVersion=\"20221226\" templateName=\"autoscale_gwlb\" templateType=\"terraform\" shell=\"PUT HERE /etc/cli.sh OR /bin/bash OR /bin/csh OR /bin/tcsh\" enableInstanceConnect=\"PUT HERE true OR false\" passwordHash=\"PUT HASH PASSWORD ENCODED TO BASE64 OR KEEP IT EMPTY\" bootstrapScript64=\"\"

     Syntax to paste for Cloud Formation Template

     Copy

     #cloud-config
     network:
       version: 1
       config:
       - type: bridge
         name: br0
         mtu: *eth0-mtu
         subnets:
           - address: *eth0-private
             type: static
             gateway: *default-gateway
             dns_nameservers:
             - *eth0-dns1
         bridge_interfaces:
           - eth0
     kernel_parameters:
       sim:
         - sim_geneve_enabled=1
         - sim_geneve_br_dev=br0
       fw:
         - fwtls_bridge_mode_inspection=1
         - fw_geneve_enabled=1
     bootcmd:
       - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local
       - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local
     runcmd:
       - |
         set -e
         admin_shell=PUT HERE /etc/cli.sh OR /bin/bash OR /bin/csh OR /bin/tcsh ; allow_info=PUT HERE true OR false ; cw=PUT HERE true OR false ; eic=PUT HERE true OR false
         sic="$(echo PUT HERE ONE TIME PASSWORD ENCODED TO BASE64)"
         pwd_hash="$(echo PUT HERE PASSWORD HASH ENCODED TO BASE64 OR KEEP IT EMPTY)"
         bootstrap="$(echo )"
         version=PUT HERE CHECK POINT VERSION: R80.40/R81/R81.10/R81.20
         python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20230117\" templateName=\"autoscale_gwlb\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" bootstrapScript64=\"${bootstrap}\"
     

  6. Verify your configuration in all other sections and create the launch configuration.

  7. From the Navigation Toolbar, select Auto Scaling Groups.

  8. Select the applicable Auto Scaling Group and click Edit.

  9. In the Launch Configuration section, select the newly created launch configuration, named the same as the previous configuration with Copy concatenated to it, and select Update.

  10. To apply this update, manually stop the Security Gateways, one by one. The Auto Scaling group deploys new Gateways with the updated AMI and not with the terminated gateways.

Notes: Do not do any other configuration changes during the upgrade. To avoid downtime, make sure to stop a Security Gateway only after a previous gateway has finished its initialization and replaced its predecessor. These updates necessitate additional actions: If you have changed the Security Gateways version, update the relevant configuration template in the Auto Provisioning Check Point Software Blade on a Management Server that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: SmartProvisioning, SmartLSM, Large-Scale Management, LSM. configuration. Use this command: autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -ver <NEW-VERSION> Replace <CONFIGURATION-TEMPLATE-NAME> with the name of the configuration template you selected when Setting up Automatic Provisioning, such as 'my-configuration-template', and <NEW-VERSION> with the new version of the Gateways.

Replace launch configuration with launch template

1. Copy a launch configuration to a launch template:

   1. Open the Amazon EC2 console.

   2. On the navigation pane below Auto Scaling, select Launch Configurations.

   3. Select the launch configuration you want to copy and select Copy to launch template > Copy selected. It creates a new launch template with the same name and options as your selected launch configuration.

   4. For New launch template name, you can use the name of the launch configuration (the default) or enter a new name. Launch template names must be unique.

   5. Select Copy.

2. Replace the launch configuration for an Auto Scaling group:

   1. Open the Amazon EC2 console, and select Auto Scaling Groups from the navigation pane.

   2. Select the check box next to your Auto Scaling group.

      A pane opens at the bottom of the page, showing information about the selected group.

   3. On the Details tab, select Launch configuration, Edit.

   4. Select Switch to launch template.

   5. For Launch template, select your launch template.

   6. For Version, select the launch template version, as needed. After you create versions of a launch template, you can select if the Auto Scaling group uses the default or the latest version of the launch template when scaling out.

   7. When you have finished, select Update.