IPv6 Traffic Inspection Configuration for GWLB
The Centralized Gateway Load Balancer (GWLB) supports IPv6 traffic inspection with IPv4 Check Point Security Gateways over the GENEVE protocol.
Prerequisites:
To deploy the Gateway Load Balancer to a new VPC (via the CFT) or to an existing VPC and enable IPv6 traffic inspection, make sure that all resources support IPv6:
- The Security Gateway version must be R81.20 with Jumbo Hotfix Accumulator (JHF) Take 99 or higher.
- The Security VPC and its subnets must support IPv6 and have IPv6 CIDRs assigned (see Check if a VPC supports IPv6 and Check if a Subnet supports IPv6 for more information).
- The Endpoint Service and the Endpoint must have the "Supported IP address type" configured for both IPv4 and IPv6 (see Check if an Endpoint supports IPv6 and Check if the Endpoint Service supports IPv6 for more information).
- The Load Balancer IP address type must support Dual mode (dualstack) (see Check if a Load Balancer supports IPv6 for more information).
- Routes must be configured for the supported IPv6 CIDRs (see Check and configure IPv6 routes for more information).
- The Security Group must allow the IPv6 CIDRs (see Check if a Security Group supports IPv6 for more information).
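A pre-flight check for these prerequisites, as an added example and not Check Point's own tooling: it evaluates the JSON shapes that the AWS API returns for the VPC, subnets, Endpoint Service, Endpoint, GWLB, route tables and Security Group, using constructed sample data with placeholder resource IDs.

```python
# Added example (not Check Point's code): checks the GWLB IPv6 prerequisites on AWS describe-* responses.
def check_ipv6_prereqs(vpc, subnets, endpoint_service, endpoint, load_balancer,
                       route_tables, security_group):
    """Return a list of findings; an empty list means every prerequisite is met."""
    findings = []
    # VPC: an IPv6 CIDR must be associated, not merely requested or disassociated
    if not [a for a in vpc.get("Ipv6CidrBlockAssociationSet", [])
            if a.get("Ipv6CidrBlockState", {}).get("State") == "associated"]:
        findings.append(f"VPC {vpc['VpcId']}: no associated IPv6 CIDR")
    # Subnets: each Security / Servers subnet needs its own IPv6 CIDR
    for s in subnets:
        if not s.get("Ipv6CidrBlockAssociationSet"):
            findings.append(f"Subnet {s['SubnetId']}: no IPv6 CIDR")
    # Endpoint Service: Supported IP address types must include both ipv4 and ipv6
    types = set(endpoint_service.get("SupportedIpAddressTypes", []))
    if not {"ipv4", "ipv6"} <= types:
        findings.append(f"Endpoint Service {endpoint_service['ServiceId']}: "
                        f"supported IP types {sorted(types)}, need ipv4 and ipv6")
    # Endpoint and Load Balancer: IP address type must be dualstack
    if endpoint.get("IpAddressType") != "dualstack":
        findings.append(f"Endpoint {endpoint['VpcEndpointId']}: IP address type is not dualstack")
    if load_balancer.get("IpAddressType") != "dualstack":
        findings.append(f"Load Balancer {load_balancer['LoadBalancerName']}: IP address type is not dualstack")
    # Route tables: at least one route with an IPv6 destination
    for rt in route_tables:
        if not any("DestinationIpv6CidrBlock" in r for r in rt.get("Routes", [])):
            findings.append(f"Route table {rt['RouteTableId']}: no IPv6 routes")
    # Security Group: inbound and outbound rules must carry IPv6 ranges
    for direction, key in (("inbound", "IpPermissions"), ("outbound", "IpPermissionsEgress")):
        if not any(p.get("Ipv6Ranges") for p in security_group.get(key, [])):
            findings.append(f"Security Group {security_group['GroupId']}: no {direction} IPv6 rules")
    return findings

# Constructed sample (placeholder IDs): the GWLB is still ipv4-only and the
# Security Group has no outbound IPv6 rule, so two findings are expected.
SAMPLE = dict(
    vpc={"VpcId": "vpc-sec", "Ipv6CidrBlockAssociationSet": [
        {"Ipv6CidrBlock": "2001:db8:1::/56", "Ipv6CidrBlockState": {"State": "associated"}}]},
    subnets=[{"SubnetId": "subnet-gw-a",
              "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:1:1::/64"}]}],
    endpoint_service={"ServiceId": "vpce-svc-gwlb", "SupportedIpAddressTypes": ["ipv4", "ipv6"]},
    endpoint={"VpcEndpointId": "vpce-servers", "IpAddressType": "dualstack"},
    load_balancer={"LoadBalancerName": "gwlb-sec", "IpAddressType": "ipv4"},
    route_tables=[{"RouteTableId": "rtb-servers", "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0"}, {"DestinationIpv6CidrBlock": "::/0"}]}],
    security_group={"GroupId": "sg-gw",
                    "IpPermissions": [{"Ipv6Ranges": [{"CidrIpv6": "2001:db8:1::/56"}]}],
                    "IpPermissionsEgress": [{"IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
)
```

To run it against a real environment, pass the corresponding describe-* results (for example the first element of `describe_vpcs()['Vpcs']`) instead of SAMPLE.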
Configuring the IPv6 traffic inspection
To configure IPv6 traffic inspection in a new GWLB environment:
- Deploy the new Centralized GWLB Security VPC using the CloudFormation template (as described in Step 4: Deploy the Centralized Security VPC).
  Note - In the template, set the value of the "Add support for IPv6 traffic inspection" parameter to "true" (see Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration for details).
- After the deployment, set the GWLB Endpoint Service's Supported IP address type to IPv4 and IPv6 (see Configure IPv6 for the Endpoint Service for more information).
- Deploy Servers subnets with IPv6 support as needed (see Configure IPv6 for a Subnet for more information).
To configure IPv6 traffic inspection in an existing GWLB environment:
- Add IPv6 support to all AWS resources: first in the Security VPC, and then in the relevant Servers VPC (see Configure IPv6 for a VPC and Configure IPv6 for a Subnet for more information).
  Important - Check Point GWLB Security Gateways do not support IPv6 address assignment. If you assign an IPv6 address to the Security Gateway, your GWLB environment will stop working.
- Update the launch template (see Update the Launch Template for more information):
  - Change the image in the associated launch template.
  - Modify the user data to enable IPv6 in the First Time Configuration Wizard.
- Update the Launch Template version in the Auto Scaling Group (see Update the Launch Template version in the Auto Scaling Group for more information).
- Scale in and scale out the Auto Scaling Group to apply the changes to all Security Gateways in the group.
Important - Because of an AWS limitation, the Transit Gateway GWLB architecture does not support IPv6 traffic inspection.
Update Launch Templates

- Log in to the AWS Management Console. Make sure you are in the correct region where the Launch Template is deployed.
- Go to the EC2 section.
- In the navigation pane, select the Launch Templates section.
- Find the Launch Template you want to configure.
- Click Actions and select Modify template (Create new version).
- Change the Launch Template image: in the Launch template contents section, under Application and OS Images (Amazon Machine Image), select the correct image for the template.
- Change the Launch Template user data:
  - Go to the Advanced details section.
  - Add the user data script in the User data text box.
- Click Create template version to save the changes.

Update the Launch Template version in the Auto Scaling Group
- Log in to the AWS Console. Make sure you are in the correct region where the Auto Scaling group is deployed.
- Go to the EC2 section.
- In the navigation pane, select the Auto Scaling Groups section.
- Find the Auto Scaling group you want to configure.
- Under the Details tab, click Edit.
- In the Launch Template section, select the correct version number to use in the Auto Scaling group.
- Click Override launch template to save the changes.

User data script for the Launch Template (YAML aliases such as *eth0-mtu refer to anchors defined outside this fragment):
#cloud-config
network:
  version: 1
  config:
  - type: bridge
    name: br0
    mtu: *eth0-mtu
    subnets:
    - address: *eth0-private
      type: static
      gateway: *default-gateway
      dns_nameservers:
      - *eth0-dns1
    bridge_interfaces:
    - eth0
kernel_parameters:
  sim:
  - sim_geneve_enabled=1
  - sim_geneve_br_dev=br0
  fw:
  - fwtls_bridge_mode_inspection=1
  - fw_geneve_enabled=1
bootcmd:
- echo "brctl hairpin br0 eth0 on" >> /etc/rc.local
- echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local
- |
  # Enable IPv6 only if the IPv6 SIM kernel module exposes the sim_geneve_enabled parameter
  gparam_file_path="$(find $PPKDIR/boot/modules/ -regextype egrep -regex '.*(sim_kern_64_3_10_64_v6|sim_kern_64_v6)\.gparams')"
  if grep -q sim_geneve_enabled "$gparam_file_path" ; then
    cp /etc/basedb /etc/basedb.bak
    grep -vx "ipv6 t" /etc/basedb.bak | grep -vx "ipv6 f" > /etc/basedb
    echo "ipv6 t" >> /etc/basedb
    /etc/rc3.d/S07ipv6gen
    insmod -o ssm_api_v6 /etc/ssm_api_stubs/modules/ssm_api_kern_64_v6.o
  fi
runcmd:
- |
  python3 /etc/cloud_config.py enableCloudWatch=\"PUT HERE true OR false\" sicKey=\"PUT HERE ONE TIME PASSWORD ENCODED TO BASE64\" installationType=\"autoscale\" osVersion=\"PUT HERE CHECK POINT VERSION\" allowUploadDownload=\"PUT HERE true OR false\" templateVersion=\"20221226\" templateName=\"autoscale_gwlb\" templateType=\"terraform\" shell=\"PUT HERE /etc/cli.sh OR /bin/bash OR /bin/csh OR /bin/tcsh\" enableInstanceConnect=\"PUT HERE true OR false\" passwordHash=\"PUT HASH PASSWORD ENCODED TO BASE64 OR KEEP IT EMPTY\" bootstrapScript64=\"\"
Check and Configure IPv6 AWS resources

Change the AWS region
- Log in to the AWS Console.
- Locate the current region in the upper left corner of the navigation bar.
- Change the region by clicking the dropdown next to the region name and selecting your desired region.

Check if a VPC supports IPv6
- Log in to the AWS console. Make sure you are in the correct region where the VPC is deployed.
- Go to the VPC section.
- In the navigation pane, select the Your VPCs section.
- Find the VPC you want to check.
- Check if this VPC has an IPv6 CIDR (IPv6 pool) assigned.

Configure IPv6 for a VPC
- Log in to the AWS console. Make sure you are in the correct region where the VPC is deployed.
- Go to the VPC section.
- In the navigation pane, select the Your VPCs section.
- Find the VPC you want to configure.
- Click Actions and select Edit CIDRs.
- In the IPv6 CIDRs section, click Add new IPv6 CIDR, configure the IPv6 CIDR, and click Select CIDR.
- Click Close.

Check if a Subnet supports IPv6
- Log in to the AWS console. Make sure you are in the correct region where the Subnet is deployed.
- Go to the VPC section.
- In the navigation pane, select the Subnets section.
- Find the subnet you want to check.
- Check if this subnet has an IPv6 CIDR.

Configure IPv6 for a Subnet
- Log in to the AWS console. Make sure you are in the correct region where the Subnet is deployed.
- Go to the VPC section.
- In the navigation pane, select the Subnets section.
- Find the subnet you want to configure.
- Click Actions and select Edit IPv6 CIDRs.
- In the Subnet CIDR block section, click Add IPv6 CIDR, configure the CIDR block as needed, and click Save.

Check if the Endpoint Service supports IPv6
- Log in to the AWS console. Make sure you are in the correct region where the Endpoint Service is deployed.
- Go to the VPC section.
- In the navigation pane, select the Endpoint Services section.
- Find the Endpoint Service you want to check.
- Check if the Endpoint Service's Supported IP address types parameter is set to IPv4 and IPv6.

Configure IPv6 for the Endpoint Service
- Log in to the AWS console. Make sure you are in the correct region where the Endpoint Service is deployed.
- Make sure the VPC where the Endpoint Service is deployed supports IPv6.
- Go to the VPC section.
- In the navigation pane, select the Endpoint Services section.
- Find the Endpoint Service you want to configure.
- Click Actions and select Modify supported IP address types.
- In the Supported IP address types settings, select IPv6 and click Save changes.

Check if an Endpoint supports IPv6
- Log in to the AWS console. Make sure you are in the correct region where the Endpoint is deployed.
- Go to the VPC section.
- In the navigation pane, select the Endpoints section.
- Find the Endpoint you want to check.
- Check if the Endpoint's IP address type parameter is set to Dualstack.

Configure IPv6 for an Endpoint
- Log in to the AWS console. Make sure you are in the correct region where the Endpoint is deployed.
- Make sure the VPC and Subnet for this Endpoint support IPv6.
- Go to the VPC section.
- In the navigation pane, select the Endpoints section.
- Find the Endpoint you want to configure.
- Click Actions and select Modify endpoint settings.
- In the Modify IP address type settings, select Dualstack and click Save changes.

Check and configure IPv6 routes
- Log in to the AWS console. Make sure you are in the correct region where the Route Table is deployed.
- Make sure the VPC and Subnet support IPv6.
- Go to the VPC section.
- In the navigation pane, select the Subnets section.
- Select the public subnet. On the Route Table tab, select the Route Table you want to check or configure.
- On the details page for the route table, open the Routes tab to check if the needed IPv6 routes exist in the route table.
- To add routes:
  - On the Routes tab, click Edit routes.
  - Click Add route and add the needed routes for the IPv6 network.
  - Click Save changes.

Check if a Load Balancer supports IPv6
- Log in to the AWS Management Console. Make sure you are in the correct region where the Load Balancer is deployed.
- Go to the EC2 section.
- In the navigation pane, select the Load Balancers section.
- Find the Load Balancer you want to check.
- Check if the Load Balancer's IP address type parameter has the dualstack value.

Configure IPv6 for a Load Balancer
- Log in to the AWS console. Make sure you are in the correct region where the Load Balancer is deployed.
- Go to the EC2 section.
- In the navigation pane, select the Load Balancers section.
- Find the Load Balancer you want to configure.
- Click Actions and select Edit IP address type.
- For IP address type, select dualstack and click Save.

Check if a Security Group supports IPv6
- Log in to the AWS console. Make sure you are in the correct region where the Security Group is deployed.
- Go to the VPC section.
- In the navigation pane, select the Security Groups section.
- Select the Security Group tied to your resource.
- Open the Inbound rules and Outbound rules tabs to check if the Security Group has inbound and outbound rules for the IPv6 subnets.

Configure IPv6 for a Security Group
- Log in to the AWS Management Console. Make sure you are in the correct region where the Security Group is deployed.
- Go to the VPC section.
- In the navigation pane, select the Security Groups section.
- Select the Security Group you want to configure.
- To edit the Inbound rules:
  - Open the Inbound rules tab.
  - Click Edit inbound rules.
  - Add the rules to allow the IPv6 traffic.
  - Click Save rules to save the configuration.
- To edit the Outbound rules:
  - Open the Outbound rules tab.
  - Click Edit outbound rules.
  - Add the rules to allow the IPv6 traffic.
  - Click Save rules to save the configuration.