Deploying CloudGuard Network Cross AZ Cluster in AWS Transit Gateway

This section presents advanced use cases for CloudGuard Network Cross AZ ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. in AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services.. A typical Cross AZ Cluster use case is cross VPC, region, and account protection (see more use cases here). Use AWS attachment and inter-region peering to interconnect and protect an entire distributed environment with a central security solution. This solution is highly available and does not interfere with legitimate traffic.

Step 1: Prepare Your AWS Account

To prepare your AWS account, do these steps:

  1. If you do not already have an AWS account, create one at AWS.

  2. Use the region selector in the navigation bar to choose the AWS region where you want to deploy the Check Point CloudGuard Cross AZ Cluster.

  3. Create a key pair in your preferred region.

  4. If necessary, request a service limit increase for the AWS resources you are going to use.

    You may need to do this if you have an existing deployment that uses the AWS resources below and you may exceed the default limit with this deployment.

    The resources that may need a service limit increase are:

    • Number of On-demand EC2 instances

    • Number of Elastic IP addresses

    • Number of VPCs for each region

    • Number of VPN connections for each region

    • Number of Customers for each region

    • Number of virtual private gateways for each region

    • VPN connections for each VPC

By default, this Deployment guide uses c5.xlarge for the Security Gateways and m5.xlarge for the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

Deployment minimum permissions

For a successful deployment, the relevant IAM policy must have the minimum permissions set as configured below.

In the AWS VPCClosed AWS Virtual Private Cloud. A private cloud that exists in the public cloud of Amazon. It is isolated from other Virtual Networks in the AWS cloud. Console, navigate to the IAM service, select the relevant IAM policy, copy and paste this text:

Copy 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Permissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStackResources",
                "cloudformation:ValidateTemplate",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateInternetGateway",
                "ec2:CreateLocalGatewayRouteTable",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:DeleteVpc",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRegions",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:DescribeVpcs",
                "ec2:DetachInternetGateway",
                "ec2:DetachNetworkInterface",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:ReleaseAddress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}
Copy 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Permissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStackResources",
                "cloudformation:ValidateTemplate",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions",
                "ec2:DetachNetworkInterface",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ReleaseAddress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}

Step 2: Subscribe to Check PointCloudGuard Network Security

To subscribe to Check Point CloudGuard Network, do these steps:

  1. Log in to the AWS Marketplace.

  2. Search for "CloudGuard Network Security".

  3. Select one of these licensing options for Check Point CloudGuard Security Gateways:

    Or one of these licensing options for a Check Point CloudGuard Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.:

    Note - If you want to manage more than five Security Gateways, select the BYOL option and contact Check Point Sales to purchase a license.

  4. Select Continue to subscribe.

  5. Select Accept Terms to confirm that you accept the AWS Marketplace license agreement.

Note - In the deployment steps that follow, the system prompts for the licensing information for the Security Gateways and Security Management Server that you selected.

Step 3: Deploy the CloudGuard Network Cross AZ Cluster for Transit Gateway

Before you deploy the Cross AZ Cluster for AWS Transit Gateway:

  1. Select a CloudFormation template for a new or existing VPC.

  2. Follow the instructions in this section to deploy the AWS TGW HA.

  3. Examine and test the deployment.

Select one of the CloudFormation templates to start the Cross AZ Cluster for Transit Gateway template in your AWS account. Refer to sk111013 for more information.

Notes:

  • When you deploy the CloudFormation template, the Check Point First Time Configuration Wizard starts automatically. The wizard requires one reboot.

  • The CloudFormation template automatically creates an AWS routing table. The table is associated with the internal subnets from both Availability Zones. This action routes all traffic that goes outside the VPC through the Cross AZ Cluster Active Member.

  • The CloudFormation template automatically creates an AWS routing table. The table is associated with the TGW subnets from both Availability Zones. This action routes all traffic from the TGW attachments outside the subnet through the Cross AZ Cluster Active Member.

Parameters for Deploying a Cross AZ Cluster for TGW Cross AZ in a New VPC

VPC Network Configuration:

Parameter Name

Default Value

Description

Availability Zones

Input required

The Availability Zones for the Cross AZ Cluster.

This field shows the Availability Zones in your selected region. You must select two Availability Zones from this list. The system preserves the logical order of your selections. Each member is deployed in a different Availability Zone.

VPC CIDR

10.0.0.0/16

The CIDR block for the VPC

Public Subnet 1 CIDR

10.0.10.0/24

The CIDR block for the Public Subnet 1 in the first Availability Zone.

Public Subnet 2 CIDR

10.0.20.0/24

The CIDR block for the Public Subnet 2 in the second Availability Zone.

Private Subnet 1 CIDR

10.0.11.0/24

The CIDR block for the Private Subnet 1 in the first Availability Zone.

Private Subnet 2 CIDR

10.0.21.0/24

The CIDR block for the Private Subnet 2 in the second Availability Zone.

TGW Subnet 1 CIDR

10.0.12.0/24

The CIDR block for the TGW Subnet 1 (for the Security VPC TGW attachment) in the first Availability Zone.

TGW Subnet 2 CIDR

10.0.22.0/24

The CIDR block for the TGW Subnet 2 (for the Security VPC TGW attachment) in the second Availability Zone.

EC2 Instance Configuration

Parameter Name

Default Value

Description

Gateway Name

Check-Point-Cluster

The name tag for Cluster Members instances (the name ends with "member-A" or "member-B").

Security Gateways Instance type

c5.xlarge

The EC2 instance type for Cluster Members instances.

Key name

Input required

The EC2 Key Pair to allow SSH access to the Cluster Members instance.

Allocate Elastic IPs

True

When true, the system deploys Cross AZ Cluster members with Elastic IP addresses, in addition to the shared cluster Elastic IP address. When false, you must make sure Cross AZ Cluster members can connect to a VPC endpoint. For more information, see Deploying CloudGuard Network Cross AZ Cluster Members without an Elastic IP.

Root volume size (GB)

100

The size of the root volume in gigabytes.

Volume encryption KMS key identifier

alias/aws/ebs

The KMS or CMK key Identifier. Use key ID, alias, or ARN. Add the prefix 'alias/' to the key alias (for example, for KMS default alias 'aws/ebs', enter 'alias/aws/ebs').

Enable Instance Connect

False

When true, the system enables AWS Instance Connect on the Cross AZ Cluster. You can open an SSH console to the instances over HTTPS through the AWS web console.

Existing IAM role name

Optional

A predefined IAM role to attach to the cluster profile.

Termination Protection

False

Prevents accidental termination of an instance.

Note - When this value is true, the terraform destroy command will not work correctly.

Check Point Settings

Parameter Name

Default Value

Description

Version & license

"version"-"license"

The license for Cross AZ Cluster members. By default, "version" points to the current recommended version and "license" is set to NGTX.

Admin shell

/etc/cli.sh

The default administrator shell to log into the GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. OS on your instance.

Password hash

Optional

The administrator password hash.To get the password hash, run this command: openssl passwd -6 <PASSWORD>.

SIC key

Input required

A one-time activation key. Enter a string with 8 to 127 alphanumeric characters.

Advanced Settings

Parameter Name

Default Value

Description

Resources prefix tag

Optional

Specify the name tag prefix for the resources.

Gateway Hostname

Optional

Specify the host name. It will be appended with Cluster MemberClosed Security Gateway that is part of a cluster.-a/b correspondingly.

Allow upload & download

True

Automatically download updates and send statistical data to Check Point to improve the product experience.

CloudWatch metrics

Optional

Report Check Point-specific CloudWatch metrics.

Bootstrap Script

Optional

Specify an optional script with commands separated by semicolons (;) to run on the initial boot.

Primary NTP server

169.254.169.123 (Optional)

Specify a different Primary NTP server.

Secondary NTP server

0.pool.ntp.org (Optional)

Specify a different Secondary NTP server.

Parameters for Deploying a Cross AZ Cluster for TGW in an Existing VPC

VPC Network Configuration:

Parameter Name

Default Value

Description

VPC CIDR

Input required

Enter the ID of your existing VPC.

Public Subnet 1

Input required

Select a Public Subnet in the first Availability Zone of your VPC.

Public Subnet 2

Input required

Select a Public Subnet in the second Availability Zone of your VPC.

Private Subnet 1

Input required

Select a Private Subnet in the first Availability Zone of your VPC.

Private Subnet 2

Input required

Select a Private Subnet in the second Availability Zone of your VPC.

Transit Gateway

HA Subnet 1

Input required

Select a Transit Gateway Subnet in the first Availability Zone of your VPC. This subnet is used for the Security VPC TGW attachment.

Transit Gateway

HA Subnet 2

Input required

Select a Transit Gateway Subnet in the second Availability Zone of your VPC. This subnet is used for the Security VPC TGW attachment.

Internal route table

Optional

Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (for example, rtb-12a34567). The route table must not have an existing 0.0.0.0/0 route. If this field is empty, traffic will not be routed through the Security Cluster. This requires manual configuration in the Route Table.

EC2 Instance Configuration:

Parameter Name

Default Value

Description

Gateway Name

Check-Point-Cluster

The name tag for Cluster Members instances (the name ends with "member-A" or "member-B").

Security Gateways Instance type

c5.xlarge

The EC2 instance type for Cluster Members instances.

Key name

Input required

The EC2 Key Pair to allow SSH access to the Cluster Members instance.

Allocate Elastic IPs

True

When true, the system deploys Cross AZ Cluster members with Elastic IPs, in addition to the shared cluster Elastic IP. When false, you must make sure Cross AZ Cluster members can connect to a VPC endpoint. For more information, see Deploying CloudGuard Network Cross AZ Cluster Members without an Elastic IP.

Root volume size (GB)

100

The size of the root volume in gigabytes.

Volume encryption KMS key identifier

alias/aws/ebs

The KMS or CMK key Identifier. Use key ID, alias, or ARN. Add the prefix 'alias/' to the key alias (for example, for KMS default alias 'aws/ebs', enter 'alias/aws/ebs').

Enable Instance Connect

False

When true, the system enables AWS Instance Connect on the Cross AZ Cluster. You can open an SSH console to the instances over HTTPS through the AWS web console.

Existing IAM role name

Optional

A predefined IAM role to attach to the cluster profile.

Termination Protection

False

Prevents accidental termination of an instance.

Note - When this value is true, the terraform destroy command will not work correctly.

Check Point Settings:

Parameter Name

Default Value

Description

Version & license

"version"-"license"

The license for Cross AZ Cluster members. By default, "version" points to the current recommended version and "license" is set to NGTX.

Admin shell

/etc/cli.sh

The default administrator shell to log into the Gaia OS on your instance.

Password hash

Optional

The administrator password hash.To get the password hash, run this command: openssl passwd -6 <PASSWORD>.

SIC key

Input required

A one-time activation key. Enter a string with 8 to 127 alphanumeric characters.

Advanced Settings:

Parameter Name

Default Value

Description

Resources prefix tag

Optional

Specify the name tag prefix for the resources.

Gateway Hostname

Optional

Specify the host name. It will be appended with Cluster Member-a/b correspondingly.

Allow upload & download

True

Automatically download updates and send statistical data to Check Point to improve the product experience.

CloudWatch metrics

Optional

Report Check Point-specific CloudWatch metrics.

Bootstrap script

Optional

Specify an optional script with commands separated by semicolons (;) to run on the initial boot.

Primary NTP server

169.254.169.123 (Optional)

Specify a different Primary NTP server.

Secondary NTP server

0.pool.ntp.org (Optional)

Specify a different Secondary NTP server.

Step 4: Deploy the AWS Transit Gateway

Minimum Permissions for Deployment

Follow the AWS instructions to deploy Transit Gateways.

When you create the Transit Gateway, set these options in the Amazon VPC console:

  1. Disable the Default route table association.

  2. Disable the Default route table propagation.

  3. For cross-account spokes, enable the Auto accept shared attachments.

Note - If you did not disable the Default route table association and the Default route table propagation settings, you must remove the existing Transit Gateway and create a new one. If you do not remove the existing Transit Gateway, AWS connects all attachments to the Transit Gateway to the same default Transit Gateway route table. This causes traffic to move directly between spokes instead of flowing through the CloudGuard Security Gateways. To change this, move the association and propagation to the correct Transit Gateway route table.

Step 5: Configure the Cross AZ Cluster for Transit Gateway

Attaching Spoke VPCs to the Transit Gateway

To attach Spoke VPCs to the Transit Gateway:

  1. Create the Spoke VPCs and their subnets.

  2. Connect all Spoke VPCs to the Transit Gateway you created before.

  3. Add a default route to the Transit Gateway in each Spoke VPC route table:

    Destination: 0.0.0.0/0
    Target: Transit Gateway ID

Notes:

  • The route table must connect to the subnets that are attached to the Transit Gateway.

  • To remove a connection from a spoke, remove the VPC attachment from the Transit Gateway.

Attaching a Security VPC to the Transit Gateway

To route all traffic that enters the Transit Gateway (TGW) to the Security Gateways and send traffic from the Security Gateways to the correct destination, you must attach the Security VPC to the TGW.

To attach a Security VPC to the Transit Gateway:

  1. Connect the Security VPC (where the Cross AZ Cluster Members are deployed) to the Transit Gateway you created. Use dedicated TGW subnets in both Availability Zones for the VPC connection.

  2. Add a default route to the Transit Gateway in the public route table (which connects to the public subnets):

    The routing table must have a default route to the Internet Gateway and specific routes for the spokes to the Transit Gateway.

    Route 1:

    • Destination: <SPOKES_CIDR_INITIAL>

    • Target: Transit Gateway ID

    Route 2:

    • Destination: 0.0.0.0/0

    • Target: Internet Gateway ID

Configuring Transit Gateway Route Tables

To configure a Transit Gateway route table:

  1. In the Amazon VPC console, go to the Transit Gateway Route Tables tab.

  2. Set up a security VPC route table:

    1. Connect the Security VPC attachment.

    2. Propagate the route table to the spokes.

    This creates a route from each CloudGuard Transit Gateway member to all spoke VPCs.

  3. Set up a spokes VPC route table:

    1. Create a new spokes route table.

    2. Connect the spokes attachments to the route table.

    3. Create a static default route to the Security VPC attachment.

    This creates a default route from each spoke to the Security VPC attachment. The route goes to the Active Cross AZ Cluster member.

Step 6: Configure the CloudGuard Cross AZ Cluster for Transit Gateway in SmartConsole

To make the Security Gateways work as a synchronized Cross AZ Cluster and apply a security policyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. to the Cross AZ Cluster, you must set up the cluster object on the Security Management Server.

Configuring the Cluster Object

Follow Step 5: Configure the CloudGuard Cross AZ Cluster in SmartConsole.

Allowing Outbound Traffic

To allow Outbound Traffic for the Spoke VPCs:

  1. Use SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to connect to your Check Point Security Management Server.

  2. Create an Internal NetworkClosed Computers and resources protected by the Firewall and accessed by authenticated users. for the Spoke VPCs:

    1. In the right navigation bar, click new > Network.

    2. Configure the general properties:

      • Enter a name for your network (for example: internal_aws_networks).

      • In the IPv4 section, enter the Network Address and the Net mask of the Spoke VPCs.

  3. Create a NAT ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. for the network to hide behind the Cross AZ Cluster Gateways:

    1. In the Network’s object left tree, click NAT.

    2. Select Add automatic address translation rules.

    3. Keep the default configuration:

      • Translation method: Hide

      • Hide behind the gateway

    4. Click OK.

  4. Install the Access Control policy on the cluster object.

Note - These steps create a general internal network for the spoke VPCs. In some cases, you may need to create more internal networks. For example, if spoke 1 CIDR is 10.1.0.0/16 and spoke 2 CIDR is 169.168.0.0/16, you need two different network objects.

Configuring Inbound Protection

There are 2 options to configure inbound protection with AWS Cross-AZ Cluster for Transit Gateway:

Check Point recommends using ingress topology for inbound traffic inspection whenever possible.

  1. Using ingress routing

    In AWS Console:

    1. Create a new routing table and associate it with the Internet Gateway as edge association.

      In the route table:

      • The target must be the Active Cluster Member's external ENI (Elastic Network Interface).

      • The destination must be the subnet that you want to protect.

      • Add a specific route for every subnet that you want to protect.

        Route example to Web Server subnet:

        Destination

        Target

        Status

        Propagated

        172.31.7.0/24

        eni-xxxx

        Active

        No

      Note: Ingress routing only supports routes to existing subnets.

    2. Add a default route to the Active member's internal ENI to the route table of every subnet that you want to protect.

      1. Connect over SSH to each of the Cluster Members.

      2. Log in to Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., or Expert mode.

      3. Add this route:

        • In Gaia Clish, run these two commands:

          set static-route <Internal-Subnet-IP-address/Prefix> nexthop gateway address <eth1-AWS-VPC-router-IP-address> on

          save config

        • In Expert mode, run this command:

          clish -c 'set static-route <Internal-Subnet-IP-address/Prefix> nexthop gateway address <eth1-AWS-VPC-router-IP-address> on' -s

        For example:

        The internal subnet is 172.31.7.0/24 (Web Servers subnet) and the Cluster Members internal subnets are 172.31.5.0/24 for Member "A" and 172.31.6.0/24 for Member "B".

        The result is that Member A must have static route for 172.31.7.0/24 to go through 172.31.5.1 (AWS VPC router IP address) and Member B 172.31.7.0/24 to go through 172.31.6.1 (AWS VPC router IP address).

        For more information regarding VPC Ingress Routing integration with CGI, see the Ingress Routing in sk166575.

  2. Using NAT on the Cluster

    Create a Dynamic ObjectClosed Special object type, whose IP address is not known in advance. The Security Gateway resolves the IP address of this object in real time. named LocalgatewayAlias on both Cluster members:

    1. Connect over SSH to each of the Cluster Members.

    2. Log in to Expert mode.

    3. Add Dynamic Object:

      dynamic_objects -n LocalgatewayAlias -r < eth0:1 (secondary)-interface-IP-address> <eth0:1 (secondary)-interface-IP-address> -a

      For example:

      dynamic_objects -n LocalgatewayAlias -r 172.31.3.40 172.31.3.40 -a

      Note - The first and second IP addresses in the command must be the same.

    4. Use SmartConsole to connect to your Check Point Security Management Server.

    5. Create a Dynamic Object named LocalgatewayAlias:

      1. In the Object Browser, click on New > go to More menu > go to Network Object menu > click on Dynamic Object...

      2. Enter the name LocalgatewayAlias:

    6. Create a new Host object that represents internal machine (for example Web Server).

    7. Create a new Service object with internet facing protocol and port of the internal machine:

      For example:

      1. From the Objects menu, select More object types > Service > New TCP.

      2. Enter a name. For example: http-8084

      3. In the Protocol field, select the protocol (HTTP).

      4. In the Port field, select Customize and enter the port number: 8084

      5. Click OK.

    8. Create a NAT rule for north-south inbound traffic.

      Notes:

      • This NAT rule matches any traffic that arrives at the CloudGuard Cluster on the applicable internal port.

      • This NAT rule translates the destination IP address to the IP address of the Web Servers.

      Create a NAT rule with these values:

      No

      Original Source

      Original Destination

      Original Services

      Translated Source

      Translated Destination

      Translated Services

      Install On

      1

      All_Internet

      LocalgatewayAlias

      http-8084

      = Original

      Web Server

      http

      Cluster object

Configuring VPN

For more information, see the Check PointSecurity ManagementAdministration Guide for your Management Server version.

To configure a VPN:

  1. Verify in the Cluster's object left tree > Network Management that an alias interface is configured. If the alias interface is not configured, perform Deploying CloudGuard Network Cross AZ Cluster in AWS Transit Gateway > step 11.

  2. Create a Network Group object to represent the encryption domain of the Cross AZ Cluster:

    1. In SmartConsole, click Objects > Object Explorer.

    2. From the top toolbar, select New > Network Group.

    3. In the Enter Object Name field, enter a name.

    4. Click the '+' icon, and select the applicable network objects.

    5. Click OK.

    6. Close the Object Explorer.

  3. Edit the cluster object:

    1. From the left navigation panel, click Gateways & Servers.

    2. Double-click the cluster object.

  4. Configure your Network Group as the Encryption Domain:

    1. In the left tree, click Network Management > VPN Domain.

    2. Select User defined.

    3. In the right corner of this field, click the [...] button and select the Network Group object you created in Step 1.

  5. Select the VPN community:

    1. In the left tree, click IPsec VPN.

    2. In the section: This Security Gateway participates in the following VPN Communities, select the applicable VPN community.

  6. Configure the VPN Community settings:

    1. From the top, click the Objects menu > Object Explorer.

    2. In the left tree, clear all boxes except for VPN Communities.

    3. Double-click the VPN community in which this Cross AZ Cluster object participates.

    4. Configure the VPN Community to use Permanent Tunnels (recommended, not required):

      1. In the left tree, click Tunnel Management.

      2. Select Set Permanent Tunnels.

      3. Select the applicable option.

    5. Disable NAT in the VPN community:

      1. In the left tree, click Advanced.

      2. Select Disable NAT inside the VPN community.

        		3.

        Note - Using NAT in the VPN community affects the state sync, causing cluster failover to be stateless. To make sure the cluster failover is stateful, you must disable NAT in the VPN community.

    6. Click OK to close the VPN Community properties window.

    7. Close the Object Explorer.

  7. Install the applicable Access Control Policy on the cluster object.

Configuring Remote Access VPN

Check Point's Remote Access VPN solutions let you create a VPN tunnel between a remote user and the internal network.

For more information, see the R81.20 Remote Access VPN Administration Guide.

Step 7: Review and Test the Deployment

Follow these steps to examine the configuration and set up all the components:

  1. In AWS WebUI:

    1. In the VPC console, under Route Tables, go to the Private Route table (which is associated with the Private Subnets of the Security VPC).

    2. In the Routes table, make sure there is a default route to the Active member’s private interface (eth1).

    3. In the VPC console, under Route Tables, go to the TGW Route table (which is associated with the TGW attachment Subnets of the Security VPC).

    4. In the Routes table, make sure there is a default route to the Active member’s public interface (eth0).

  2. Log in to both members in the Expert mode:

    1. Run the cphaprob stat command to make sure that the Cross AZ Cluster works correctly. The output of the cphaprob stat command on both Cross AZ Cluster member must show the same information (except for the "(local)" string).

    2. Run the python3 $FWDIR/scripts/aws_ha_test.py command and make sure that it finishes successfully without errors.

  3. Simulate a Cross AZ Cluster failover:

    1. On the Active cluster member, run this command in Expert mode:

      clusterXL_admin down

    2. After two seconds, you should see in AWS WebUI > VPC Console > Route Tables that all route tables (that had a default route directed to the Active cluster member) point to the Standby cluster member.

    Notes:

    • To see the changes, update the data on the AWS WebUI.

    • It can take a few minutes until failover is fully configured to pass traffic through the Active cluster member.