Deploying a Quick Start Centralized GWLB Security VPC with Customer Web Services
This Quick Start provides step-by-step instructions for deploying a web service secured by a CloudGuard Network Security VPC with Gateway Load Balancer.
The Quick Start is for users who want to publish an automatically scaled and dynamically secured web service on AWS
Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services., configure content-level access policy, monitor incoming/outgoing/east-west requests to and from the service, apply intrusion prevention system (IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System).) protections for web servers, enforce geo-based policy, prevent malicious bots activity, and more.
The Quick Start Gateway Load Balancer deployment includes a Security VPC with a Gateway Load Balancer, an Auto Scaling Group of Security Gateways, a server VPC with Gateway Load Balancer Endpoints (1 per Availability Zone), an Application Load Balancer, and Services.
You can manage the CloudGuard Security Gateways with a preconfigured Check Point CloudGuard Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server., or an existing Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..
Architecture
The Quick Start Centralized GWLB solution deploys:
-
A new virtual private cloud (Security VPC) on AWS.
-
Into the new Security VPC: A Gateway Load Balancer, Check Point CloudGuard Network Security Gateway
Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. Auto Scaling Group, and a Security Management Server (optional). -
Servers VPC with service subnets and a Gateway Load Balancer endpoint (GWLBe) in each Availability Zone.
-
Connects the Gateway Load Balancer endpoints to the Gateway Load Balancer service.
-
Set routes in Servers VPC.
Step 1: Prepare your AWS Account
Before you begin, make sure to do these steps.
To prepare your AWS account:
-
If you do not have an AWS account, create one.
-
Use the region selector in the navigation bar to select the AWS region where you want to deploy Check Point CloudGuard Network Auto Scaling on AWS.
-
Create a key pair in your preferred region.
-
Request a service limit increase for the AWS resources you plan to use, if necessary.
By default, this Deployment Guide uses:
-
c5.xlarge instances for Security Gateways
-
m5.xlarge instances for the Security Management Server.
-
Minimum Permissions for Deployment
Configure the relevant IAM policy with the minimum permissions for a successful deployment, as shown below.
In the AWS VPC AWS Virtual Private Cloud. A private cloud that exists in the public cloud of Amazon. It is isolated from other Virtual Networks in the AWS cloud. Console, navigate to the IAM service, select the relevant IAM policy, copy the required permissions from this guide (see below) and paste them into the policy:
For GWLB in a new VPC
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Permissions",
"Effect": "Allow",
"Action": [
"SNS:CreateTopic",
"SNS:DeleteTopic",
"SNS:GetTopicAttributes",
"SNS:Subscribe",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeletePolicy",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribePolicies",
"autoscaling:DescribeScalingActivities",
"autoscaling:PutNotificationConfiguration",
"autoscaling:PutScalingPolicy",
"autoscaling:SetInstanceProtection",
"autoscaling:UpdateAutoScalingGroup",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:ListStackResources",
"cloudformation:ValidateTemplate",
"cloudwatch:DeleteAlarms",
"cloudwatch:PutMetricAlarm",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateInternetGateway",
"ec2:CreateLaunchTemplate",
"ec2:CreateLocalGatewayRouteTable",
"ec2:CreateNetworkInterface",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:CreateVpcEndpointServiceConfiguration",
"ec2:DeleteInternetGateway",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteVpc",
"ec2:DeleteVpcEndpointServiceConfigurations",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServicePermissions",
"ec2:DescribeVpcs",
"ec2:DetachInternetGateway",
"ec2:DetachNetworkInterface",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RunInstances",
"ec2:TerminateInstances",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:PutRolePolicy",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": "*"
},
{
"Sid": "IAMPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
}
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Permissions",
"Effect": "Allow",
"Action": [
"SNS:CreateTopic",
"SNS:DeleteTopic",
"SNS:GetTopicAttributes",
"SNS:Subscribe",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeletePolicy",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribePolicies",
"autoscaling:DescribeScalingActivities",
"autoscaling:PutNotificationConfiguration",
"autoscaling:PutScalingPolicy",
"autoscaling:SetInstanceProtection",
"autoscaling:UpdateAutoScalingGroup",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:ListStackResources",
"cloudformation:ValidateTemplate",
"cloudwatch:DeleteAlarms",
"cloudwatch:DescribeAlarms",
"cloudwatch:ListTagsForResource",
"cloudwatch:PutMetricAlarm",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateLaunchTemplate",
"ec2:CreateNetworkInterface",
"ec2:CreateRoute",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:CreateVpcEndpointServiceConfiguration",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVpcEndpointServiceConfigurations",
"ec2:DescribeAddresses",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServicePermissions",
"ec2:DescribeVpcs",
"ec2:DescribeRegions",
"ec2:DetachNetworkInterface",
"ec2:DisassociateAddress",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RunInstances",
"ec2:TerminateInstances",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:PutRolePolicy",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": "*"
},
{
"Sid": "IAMPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
}
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Permissions",
"Effect": "Allow",
"Action": [
"SNS:CreateTopic",
"SNS:DeleteTopic",
"SNS:GetTopicAttributes",
"SNS:Subscribe",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeletePolicy",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribePolicies",
"autoscaling:DescribeScalingActivities",
"autoscaling:PutNotificationConfiguration",
"autoscaling:PutScalingPolicy",
"autoscaling:SetInstanceProtection",
"autoscaling:UpdateAutoScalingGroup",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:ListStackResources",
"cloudformation:ValidateTemplate",
"cloudwatch:DeleteAlarms",
"cloudwatch:DescribeAlarms",
"cloudwatch:ListTagsForResource",
"cloudwatch:PutMetricAlarm",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateInternetGateway",
"ec2:CreateLaunchTemplate",
"ec2:CreateLocalGatewayRouteTable",
"ec2:CreateNatGateway",
"ec2:CreateNetworkInterface",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:CreateVpcEndpoint",
"ec2:CreateVpcEndpointServiceConfiguration",
"ec2:DeleteInternetGateway",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteVpc",
"ec2:DeleteVpcEndpointServiceConfigurations",
"ec2:DeleteVpcEndpoints",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePrefixLists",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServicePermissions",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcs",
"ec2:DetachInternetGateway",
"ec2:DetachNetworkInterface",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RunInstances",
"ec2:TerminateInstances",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:PutRolePolicy",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": "*"
},
{
"Sid": "IAMPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
}
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Permissions",
"Effect": "Allow",
"Action": [
"SNS:CreateTopic",
"SNS:DeleteTopic",
"SNS:GetTopicAttributes",
"SNS:Subscribe",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeletePolicy",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribePolicies",
"autoscaling:DescribeScalingActivities",
"autoscaling:PutNotificationConfiguration",
"autoscaling:PutScalingPolicy",
"autoscaling:SetInstanceProtection",
"autoscaling:UpdateAutoScalingGroup",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:ListStackResources",
"cloudformation:ValidateTemplate",
"cloudwatch:DeleteAlarms",
"cloudwatch:DescribeAlarms",
"cloudwatch:ListTagsForResource",
"cloudwatch:PutMetricAlarm",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AssociateRouteTable",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateLaunchTemplate",
"ec2:CreateNatGateway",
"ec2:CreateNetworkInterface",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpcEndpoint",
"ec2:CreateVpcEndpointServiceConfiguration",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteVpcEndpointServiceConfigurations",
"ec2:DeleteVpcEndpoints",
"ec2:DescribeAddresses",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePrefixLists",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServicePermissions",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcs",
"ec2:DescribeRegions",
"ec2:DetachNetworkInterface",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RunInstances",
"ec2:TerminateInstances",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:PutRolePolicy",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": "*"
},
{
"Sid": "IAMPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
}
}
]
}Step 2: Subscribe to Check Point CloudGuard Network
To deploy a CloudGuard Network Security for Gateway Load Balancer, do these steps:
-
Log in to the AWS Marketplace.
-
Search for "CloudGuard Network Security".
-
Select one of these licensing options for the CloudGuard Network Security for Gateway Load Balancer:
-
CloudGuard Network Security with Threat Prevention & SandBlast BYOL
-
CloudGuard Network Security Next-Gen Firewall with Threat Prevention
-
CloudGuard Network Security with Threat Prevention and SandBlast
Or one of these licensing options for a Check Point CloudGuard Security Management Server:
-
-
Select Continue to subscribe.
-
Select Accept Terms to confirm that you accept the AWS Marketplace license agreement.
Step 3: Deploy the Check Point Security Management Server
Use one of these options to deploy the Check Point Security Management Server:
Deploying a New Security Management Server with a Management CloudFormation Template
-
Deploy the Security Management Server separately as described in sk130372 > Installing Check Point Security Management Server section.
-
Create an IAM role with read and write permissions as described in the section below or deploy the IAM role and attach it to the Security Management Server that manages the Security Gateway Load Balancing Auto Scale solution.
Using the Existing On-Premises Security Management Server or the Security Management Server in AWS
In the AWS VPC Console, add the required permissions for the Security Management Server.
Permissions to add:
|
Service |
Action |
|---|---|
|
autoscaling |
DescribeAutoscalingGroups |
|
ec2 |
DescribeInstances |
|
|
DescribeNetworkInterfaces |
|
|
DescribeSubnets |
|
|
DescribeRegions |
|
elasticloadbalancing |
DescribeLoadBalancers |
|
|
DescribeTags |
|
|
DescribeListeners |
|
|
DescribeTargetGroups |
|
|
DescribeRules |
|
|
DescribeTargetHealth |
You can also copy and paste the text below to your existing Management Server's IAM permissions:
Management IAM Permissions:
"autoscaling:DescribeAutoScalingGroups",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSubnets",
"ec2:DescribeRegions",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetHealth"With the Solution CloudFormation Template, you can create a dedicated Security Management Server as part of the deployment.
Step 4: Deploy Quick Start GWLB Centralized Security VPC
There are two deployment options:
|
CloudFormation (CFT) Template |
Description |
|---|---|
|
Deploying Quick Start GWLB with new VPCs |
Creates a new VPC and deploys a Gateway Load Balancer, Check Point CloudGuard Security Gateway Auto Scaling Group, and an optional Security Management Server to the new VPC. |
|
Deploy Quick Start GWLB into existing VPCs |
Deploys a Gateway Load Balancer, Check Point CloudGuard Security Gateway Auto Scaling Group, and an optional Security Management Server to the existing VPC. |
Step 4.1: Launch the Quick start CloudFormation
Load the applicable CloudFormation Template URI in the AWS CloudFormation portal.
Steps 4.2: Configure the required parameters to specify the GWLB deployment details
Deploying Quick Start GWLB to a New VPC:
|
Parameter Name |
Default Value |
Description |
|---|---|---|
|
|
Requires input |
Select, at minimum, two Availability Zones (AZs) for the VPC subnets. |
|
|
2 |
Specify the number of AZs to use in the VPC. This must align with the number of AZs selected for the Availability Zones parameter. |
|
|
10.0.0.0/16 |
Configure the CIDR block for the VPC. |
|
|
10.0.10.0/24 |
A CIDR block for the public subnet 1 is located in the 1st Availability Zone. If you select to deploy a Security Management Server, it is deployed in this subnet. |
|
|
10.0.20.0/24 |
A CIDR block for the public subnet 2 located in the 2nd Availability Zone. |
|
|
10.0.30.0/24 |
A CIDR block for the public subnet 3 located in the 3rd Availability Zone. |
|
|
10.0.40.0/24 |
A CIDR block for the public subnet 4 located in the 4th Availability Zone. |
|
|
192.168.0.0/16 |
A CIDR block for the VPC. |
|
|
192.168.10.0/24 |
A CIDR block for the public subnet 1 located in the 1st Availability Zone. |
|
|
192.168.20.0/24 |
A CIDR block for the public subnet 2 located in the 2nd Availability Zone. |
|
|
192.168.30.0/24 |
A CIDR block for the public subnet 3 located in the 3rd Availability Zone. |
|
|
192.168.40.0/24 |
A CIDR block for the public subnet 4 located in the 4th Availability Zone. |
|
|
192.168.70.0/24 |
A CIDR block for the GWLBe subnet 1 located in Availability Zone 1. |
|
|
192.168.80.0/24 |
A CIDR block for the GWLBe subnet 2 located in Availability Zone 2. |
|
|
192.168.90.0/24 |
A CIDR block for the GWLBe subnet 3 located in Availability Zone 3. |
|
|
192.168.100.0/24 |
A CIDR block for the GWLBe subnet 4 located in Availability Zone 4. |
|
|
0.0.0.0/0 |
Inbound Subnet tagging for Inspection (Comma-delimited list of CIDR blocks for inspection). |
|
|
0.0.0.0/0 |
Outbound Subnet tagging for Inspection (Comma-delimited list of CIDR blocks for inspection). |
Deploy Quick Start GWLB into existing VPC’s:
|
Parameter Name |
Default Value |
Description |
|---|---|---|
|
|
2 |
Specify the number of AZs to use in the VPC. This must align with the number of AZs selected for the Availability Zones parameter. |
|
|
Requires input |
Specify the Security VPC ID. |
|
|
Requires input |
Specify the Subnets ID for the Gateway deployment. |
|
|
Requires input |
Specify the Servers VPC ID. |
|
|
Requires input |
Specify the Subnets ID for the Servers deployment. |
|
|
Requires input |
Specify the Subnets CIDR for the Servers deployment. |
|
|
Requires input |
Specify the Subnets ID for the GWLB endpoints deployment. |
|
|
Requires input |
Specify the Internet Gateway ID that is attached to the Servers VPC. |
General Settings:
|
Parameter Name |
Default Value |
Description |
|---|---|---|
|
|
Requires input |
Specify an EC2 key pair to enable SSH access to the instances created by this stack. |
|
|
True |
Enable or disable instance volume encryption with the default AWS Key Management Service (KMS) key. |
|
|
False |
Enable or disable establishing SSH connections through the AWS web console. |
|
|
False |
Enable or disable protection against accidental instance termination. |
|
|
True |
Enable or disable automatic download of Software Blade |
|
|
gwlb-management server |
Provide a name for the Security Management Server in the automatic provisioning configuration. |
|
|
gwlb-ASG-configuration |
Specify a name for a Security Gateway configuration template in the automatic provisioning configuration. |
|
|
Optional |
(Optional) Provide an email address to receive AWS notifications about scaling events. |
|
|
/etc/cli.sh |
Select the admin shell to enable advanced command line configuration for Security Gateways and Security Management Server. |
Gateway Load Balancer Configuration:
|
Parameter Name |
Default Value |
Description |
||
|---|---|---|---|---|
|
Gateway Load Balancer |
gwlb1 |
Provide a unique name for the Gateway Load Balancer. The name can have a maximum of 32 alphanumeric characters and hyphens.
|
||
|
|
tg1 |
Specify a unique name for the target group. The name can have a maximum of 32 alphanumeric characters and hyphens.
|
||
|
|
False |
Specify if requests from Service Consumers to create endpoints on your service require acceptance. The default value is set to False ("acceptance" is not required). |
||
|
|
True |
Enable or disable Cross-AZ Load Balancing.
|
Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration:
|
Parameter Name |
Default Value |
Description |
|---|---|---|
|
|
Check Point Gateway |
Provide a name tag for the Security Gateway instances. |
|
|
c5.xlarge |
Select the EC2 instance type for Security Gateways. |
|
|
2 |
Set the minimum number of Security Gateways in the Auto Scaling Group. |
|
|
10 |
Set the maximum number of Security Gateways in the Auto Scaling Group. |
|
|
R81.20-BYOL |
Select the version and license type for Security Gateways. |
|
|
Optional |
(Optional) Provide the admin user's password hash (use the command " |
|
|
Optional |
(Optional) Check Point recommends to set the admin user's password and maintenance-mode password for recovery purposes (use command |
|
|
Requires input |
Enter a SIC |
|
|
Private |
Select if provisioned Security Gateways use private or public addresses. |
|
|
False |
Enable or disable allocation of public IP addresses for Security Gateways. |
|
|
False |
Enable or disable support for IPv6 traffic inspection. |
|
|
False |
Enable or disable reporting of Check Point-specific CloudWatch metrics. |
|
|
Optional |
Provide an optional script with semicolon-separated commands to run on initial boot. |
|
|
Note - For more information on how to use Check Point metrics to trigger AWS Auto-Scaling events, refer to sk162592. |
Check Point CloudGuard Network Security Configuration:
|
Parameter Name |
Default Value |
Description |
|---|---|---|
|
|
True |
Specify False to use an existing Security Management Server, or True to deploy a new Security Management Server. If you select False, ignore the other parameters in this section. . |
|
|
m5.xlarge |
Select the EC2 instance type for the Security Management Server. |
|
|
R81.20-BYOL |
Select the version and license type for the Security Management Server. |
|
|
Optional |
(Optional) Provide the admin user's password hash (use the command " |
|
|
Optional |
(Optional) Check Point recommends to set the admin user's password and maintenance-mode password for recovery purposes (use the command |
|
|
Standard |
Specify the name of the Security Policy |
|
|
On |
Enable or disable the Intrusion Prevention System, Application Control |
|
|
Requires input |
Specify the network allowed to connect to the Security Management Server through web, SSH, and graphical clients.. |
|
|
Locally managed |
Select between local management or management over the Internet based on Security Gateway accessibility. If, at minimum, one of the Security Gateways that you want to manage is not directly accessed through its private IP address, select Over the internet. |
|
|
Requires input |
Specify the network allowed for communication of Security Gateways with the Security Management Server. |
|
|
Note - Interfaces of Auto Scaling Group instances are automatically configured with Internal Topology. This is not defined in SmartConsole |
|
|
Important - The External Load Balancer sends health probes to TCP port 8117 to determine the health of the CloudGuard Network Security Gateways, so port 8117 must be open on the Security Gateways |
Web Servers Auto Scaling Group Configuration:
|
Parameter Name |
Default Value |
Description |
|---|---|---|
|
|
Requires input |
Specify the Amazon Machine Image (AMI) ID of the preconfigured web server to deploy (for example: ami-0dc7dc63). |
|
|
HTTP |
Specify the protocol to use on the Application Load Balancer. If the Network Load Balancer was selected, this section is ignored. |
|
|
Optional |
(Optional) Specify the port for the external Load Balancer. Keep this field blank to use default ports: Port 80 for HTTP and port 443 for HTTPS. |
|
|
t3.micro |
Select the EC2 instance type for the web servers. |
|
Resources Tag Name |
Optional |
(Optional) Specify the name tag for the resources. |