Deploying CloudGuard Network Cross AZ Cluster in AWS

Before you deploy the Cross AZ Cluster in AWS, it is necessary to prepare your AWS account and subscribe to a CloudGuard Network Security product.

After completing these two steps, decide if you deploy the CloudGuard Network Cross AZ Cluster in a new or existing VPC.

Deploy the Check Point Security Management Server and configure the CloudGuard Network Cross AZ Cluster in SmartConsole.

Examine and test your deployment.

Step 1: Prepare Your AWS Account

To prepare your AWS account, do these steps:

  1. If you do not already have an AWS account, create one at AWS.

  2. Use the region selector in the navigation bar to choose the AWS region where you want to deploy Check Point CloudGuard Cross AZ Cluster on AWS.

  3. Create a key pair in your preferred region.

  4. If necessary, request a service limit increase for the AWS resources you are going to use.

    You may have to do this if you have an existing deployment that already uses the AWS resources listed below and this deployment would exceed the default limit.

    The resources that may need a service limit increase are:

    • Number of On-demand EC2 instances.

    • Number of Elastic IP addresses.

    • Number of VPCs for each region.

    • Number of VPN connections for each region.

    • Number of Customer Gateways for each region.

    • Number of Virtual Private Gateways for each region.

    • VPN connections for each VPC.

By default, this Deployment guide uses c5.xlarge for the Security Gateways and m5.xlarge for the Security Management Server.

Step 2: Subscribe to Check Point CloudGuard Network Security

To subscribe to Check Point CloudGuard Network, do these steps:

  1. Log in to AWS Marketplace.

  2. Select one of these licensing options for Check Point CloudGuard Security Gateways:

  3. Select Continue to subscribe.

  4. Select Accept Terms to confirm that you accept the AWS Marketplace license agreement.

  5. If you want to deploy a Check Point CloudGuard Security Management Server, repeat Step 3 and Step 5 in this procedure and select one of these licensing options:

    • CloudGuard Network Security Management (BYOL)

    • CloudGuard Network Security Management (PAYG)

    Note - If you want to manage more than five Security Gateways, select the BYOL option to purchase a license. Contact Check Point Sales to purchase a license.

Note - In the deployment steps that follow, you are prompted for the licensing information for the Security Gateways and Security Management Server that you selected.

Step 3: Deploy the CloudGuard Cross AZ Cluster in AWS

This step details the necessary procedure for deploying the CloudGuard Cross AZ Cluster in AWS. To deploy the Transit Gateway High Availability (HA) in AWS, see Deploying CloudGuard Network Cross AZ Cluster Members without an Elastic IP.

Before you deploy CloudGuard Cross AZ Cluster in AWS, select a CloudFormation template for a new or an existing VPC. Then, follow the instructions in this section on how to deploy the AWS HA. Finally, examine and test the deployment. If you decide to deploy the Cross AZ Cluster without associating an Elastic IP with the Cluster Members, see Deploying CloudGuard Network Cross AZ Cluster Members without an Elastic IP.

Select one of the CloudFormation templates to launch the Cross AZ Cluster template into your AWS account:

CloudFormation Template | Description
Cross AZ cluster for a new VPC | This template deploys Check Point CloudGuard Network Security Cross AZ Cluster into a new VPC with public and private subnets in two different Availability Zones on AWS.
Cross AZ cluster for an existing VPC | Note: The existing VPC must have a public and a private subnet in two Availability Zones. This template deploys Check Point CloudGuard Network Security Cross AZ Cluster into an existing VPC with public and private subnets in two different Availability Zones in AWS.

Notes:

  • When you deploy this template, you do not need to run the Check Point First Time Configuration Wizard. The wizard is executed automatically. This causes a single, one-time reboot of the Cross AZ Cluster.

  • The CloudFormation template automatically creates an AWS routing table and associates it with the internal subnets from the two Availability Zones. The Cross AZ Cluster Active Member routes all traffic that goes outside the VPC.

Parameters for Deploying a Cross AZ Cluster in a New VPC

VPC Network Configuration:

Parameter Name | Default Value | Description
Availability Zones | Requires input | The specific Availability Zones that you want to use for the Cross AZ Cluster. This field shows the Availability Zones in your selected region. You must select two Availability Zones from this list. Your deployment preserves the logical order of your selections. Each member is deployed in a different Availability Zone.
VPC CIDR | 10.0.0.0/16 | The CIDR block used for the VPC.
Public Subnet 1 CIDR | 10.0.0.0/24 | CIDR block used for Public Subnet 1, located in the first Availability Zone.
Public Subnet 2 CIDR | 10.2.0.0/24 | CIDR block used for Public Subnet 2, located in the second Availability Zone.
Private Subnet 1 CIDR | 10.1.0.0/24 | CIDR block used for Private Subnet 1, located in the first Availability Zone.
Private Subnet 2 CIDR | 10.3.0.0/24 | CIDR block used for Private Subnet 2, located in the second Availability Zone.

EC2 Instance Configuration:

Parameter Name | Default Value | Description
Gateway name | Check-Point-Cluster | The name tag for the Cluster Member instances (the name ends with "Member-A" or "Member-B").
Security Gateways instance type | c5.xlarge | The EC2 instance type for the Cluster Member instances.
Key name | Requires input | The EC2 Key Pair that allows SSH access to the Cluster Member instances.
Allocate Elastic IPs | true | When the value is true, the Cross AZ Cluster members are deployed with Elastic IPs, in addition to the shared cluster Elastic IP. If the value is false, you must make sure the Cross AZ Cluster members can connect to a VPC endpoint; see Deploying CloudGuard Network Cross AZ Cluster Members without an Elastic IP.
Root volume size (GB) | 100 |
Volume encryption KMS key identifier | alias/aws/ebs | KMS or CMK key identifier. Use a key ID, alias or ARN. A key alias must be prefixed with 'alias/' (for example, for the KMS default alias 'aws/ebs', enter 'alias/aws/ebs').
Enable Instance Connect | false | When the value is true, AWS Instance Connect is enabled on the Cross AZ Cluster. You can open an SSH console to the instances over HTTPS through the AWS web console.
Existing IAM role name | Optional | A predefined IAM role to attach to the cluster profile.
Termination Protection | false | Prevents an instance from accidental termination. Note: once this attribute is true, terraform destroy does not work properly.

Check Point Settings:

Parameter Name | Default Value | Description
Version & license | R81.20-BYOL | The license to use for the Cross AZ Cluster members.
Admin shell | /etc/cli.sh | The default administrator shell to log into Gaia OS on your instance.
Password hash | Optional | The administrator password hash. Run this command to get the password hash: openssl passwd -6 <PASSWORD>
SIC key | Requires input | One-time activation key. Enter a string that contains from 8 to 127 alphanumeric characters.
Resources prefix tag | Optional | Name tag prefix of the resources.
Gateway Hostname | Optional | The host name is appended with -a or -b according to the Cluster Member.
Allow upload & download | true | Automatically download updates and share statistical data for product improvement purposes. Improve the product experience by sending data to Check Point.
CloudWatch metrics | Optional | Report Check Point specific CloudWatch metrics.
Bootstrap Script | Optional | An optional script with semicolon (;) separated commands to run on the initial boot.
Primary NTP server | 169.254.169.123 (Optional) | Option to enter a different NTP server.
Secondary NTP server | 0.pool.ntp.org (Optional) | Option to enter a different Secondary NTP server.

Quick Connect to Smart-1 Cloud:

Smart-1 Cloud (Check Point's management server as a Service) is a recommended option for managing CloudGuard Network Security gateways.

Parameter Name | Default Value | Description
Smart-1 Cloud Token for member A | Requires input | Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.
Smart-1 Cloud Token for member B | Requires input | Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.
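The parameter tables above state several constraints that are easy to get wrong in the CloudFormation console: the four subnet CIDRs must sit inside the VPC CIDR and must not overlap, the SIC key must be 8 to 127 alphanumeric characters, the KMS identifier must be a key ID, an 'alias/...' name or an ARN, and the password hash must come from openssl passwd -6. The following Python script is an added example, not part of the Check Point guide or of the CloudFormation template: it checks a parameter set offline before you paste it into the console. The parameter key names, the sample subnet values, the SIC key and the placeholder hash are all constructed for this example.

```python
import ipaddress
import re

# Constructed sample parameter set (not the guide's defaults): a /16 VPC with
# four /24 subnets that fit inside it, plus a hypothetical SIC key and a
# placeholder SHA-512 crypt hash of the form openssl passwd -6 produces.
SAMPLE_PARAMS = {
    "VpcCidr": "10.0.0.0/16",
    "PublicSubnet1Cidr": "10.0.0.0/24",
    "PublicSubnet2Cidr": "10.0.2.0/24",
    "PrivateSubnet1Cidr": "10.0.1.0/24",
    "PrivateSubnet2Cidr": "10.0.3.0/24",
    "AvailabilityZones": ["us-east-1a", "us-east-1b"],
    "VolumeEncryption": "alias/aws/ebs",
    "SICKey": "Activation12345",                    # hypothetical activation key
    "PasswordHash": "$6$examplesalt$" + "A" * 86,   # placeholder, not a real hash
}

SUBNET_KEYS = ("PublicSubnet1Cidr", "PublicSubnet2Cidr",
               "PrivateSubnet1Cidr", "PrivateSubnet2Cidr")
# SIC key: 8 to 127 alphanumeric characters, as the parameter table states.
SIC_KEY_RE = re.compile(r"^[A-Za-z0-9]{8,127}$")
# KMS identifier: key ID (UUID), 'alias/...' name, or a KMS ARN.
KMS_ID_RE = re.compile(
    r"^(alias/\S+|arn:aws:kms:\S+|"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def _parse_network(cidr, key, findings):
    """Return an ip_network, or None after recording why the CIDR is unusable."""
    try:
        # strict=True rejects CIDRs with host bits set, e.g. 10.0.0.5/24.
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        findings.append(f"{key} {cidr!r} is not a valid network CIDR ({exc})")
        return None


def validate_params(params):
    """Return a list of findings; an empty list means the parameters pass."""
    findings = []
    vpc = _parse_network(params["VpcCidr"], "VpcCidr", findings)
    subnets = {}
    for key in SUBNET_KEYS:
        net = _parse_network(params[key], key, findings)
        if net is None:
            continue
        subnets[key] = net
        if vpc is not None and not net.subnet_of(vpc):
            findings.append(f"{key} {net} is outside VpcCidr {vpc}")
    # Every subnet pair must be disjoint: two AZs times public/private.
    keys = list(subnets)
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                findings.append(f"{a} and {b} overlap")
    azs = params["AvailabilityZones"]
    if len(azs) != 2 or len(set(azs)) != 2:
        findings.append("AvailabilityZones must list exactly two distinct zones")
    if not SIC_KEY_RE.match(params["SICKey"]):
        findings.append("SICKey must be 8 to 127 alphanumeric characters")
    if not KMS_ID_RE.match(params["VolumeEncryption"]):
        findings.append("VolumeEncryption must be a key ID, an 'alias/...' name or a KMS ARN")
    pw_hash = params.get("PasswordHash")
    if pw_hash and not pw_hash.startswith("$6$"):
        findings.append("PasswordHash must be a SHA-512 crypt hash ($6$...) as produced by openssl passwd -6")
    return findings


if __name__ == "__main__":
    for finding in validate_params(SAMPLE_PARAMS) or ["all checks passed"]:
        print(finding)
```

The script only checks what the tables state; it does not confirm that the chosen Availability Zone names exist in the region or that the KMS key is usable by the account, both of which CloudFormation verifies at launch time.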

Parameters for Deploying a Cross AZ Cluster in an Existing VPC

VPC Network Configuration:

Parameter Name | Default Value | Description
VPC | Requires input | The ID of your existing VPC.
Public Subnet 1 | Requires input | Select a Public Subnet in the first Availability Zone of your VPC.
Public Subnet 2 | Requires input | Select a Public Subnet in the second Availability Zone of your VPC.
Private Subnet 1 | Requires input | Select a Private Subnet in the first Availability Zone of your VPC.
Private Subnet 2 | Requires input | Select a Private Subnet in the second Availability Zone of your VPC.
Internal route table | Optional | Sets a 0.0.0.0/0 route to the Active Cluster Member instance in this route table (for example, rtb-12a34567). The route table cannot have an existing 0.0.0.0/0 route. If empty, traffic is not routed through the Security Cluster, and the Route Table requires manual configuration.

EC2 Instance Configuration:

Parameter Name | Default Value | Description
Gateway name | Check-Point-Cluster | The name tag for the Cluster Member instances (the name ends with "Member-A" or "Member-B").
Security Gateways instance type | c5.xlarge | The EC2 instance type for the Cluster Member instances.
Key name | Requires input | The EC2 Key Pair that allows SSH access to the Cluster Member instances.
Allocate Elastic IPs | true | When the value is true, the Cross AZ Cluster members are deployed with Elastic IPs, in addition to the shared cluster Elastic IP. If the value is false, you must make sure the Cross AZ Cluster members can connect to a VPC endpoint; see Deploying CloudGuard Network Cross AZ Cluster Members without an Elastic IP.
Root volume size (GB) | 100 |
Volume encryption KMS key identifier | alias/aws/ebs | KMS or CMK key identifier. Use a key ID, alias or ARN. A key alias must be prefixed with 'alias/' (for example, for the KMS default alias 'aws/ebs', enter 'alias/aws/ebs').
Enable Instance Connect | false | When the value is true, AWS Instance Connect is enabled on the Cross AZ Cluster. You can open an SSH console to the instances over HTTPS through the AWS web console.
Existing IAM role name | Optional | A predefined IAM role to attach to the cluster profile.
Termination Protection | false | Prevents an instance from accidental termination. Note: once this attribute is true, terraform destroy does not work properly.

Check Point Settings:

Parameter Name | Default Value | Description
Version & license | R81.20-BYOL | The license to use for the Cross AZ Cluster members.
Admin shell | /etc/cli.sh | The default administrator shell to log into Gaia OS on your instance.
Password hash | Optional | The administrator password hash. Run this command to get the password hash: openssl passwd -6 <PASSWORD>
SIC key | Requires input | One-time activation key. Enter a string that contains from 8 to 127 alphanumeric characters.

Quick Connect to Smart-1 Cloud:

Smart-1 Cloud (Check Point's management server as a Service) is a recommended option for managing CloudGuard Network Security gateways.

Parameter Name | Default Value | Description
Smart-1 Cloud Token for member A | Requires input | Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.
Smart-1 Cloud Token for member B | Requires input | Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.

Advanced Settings:

Parameter Name | Default Value | Description
Resources prefix tag | Optional | Name tag prefix of the resources.
Gateway Hostname | Optional | The host name is appended with -a or -b according to the Cluster Member.
Allow upload & download | true | Automatically download updates and share statistical data for product improvement purposes. Improve the product experience by sending data to Check Point.
CloudWatch metrics | Optional | Report Check Point specific CloudWatch metrics.
Bootstrap Script | Optional | An optional script with semicolon (;) separated commands to run on the initial boot.
Primary NTP server | 169.254.169.123 (Optional) | Option to enter a different NTP server.
Secondary NTP server | 0.pool.ntp.org (Optional) | Option to enter a different Secondary NTP server.

Step 4: Deploy the Check Point Security Management Server

We recommend that you use Smart-1 Cloud (Check Point's management server as a Service) to manage CloudGuard Network Security gateways.

Refer to sk180501 for step-by-step instructions for connecting CloudGuard Network Public Cloud Gateways to Smart-1-Cloud management.

You can also use one of these options to deploy the Check Point Security Management Server.

  • Use the existing on-premises Security Management Server or existing Security Management Server in AWS.

    Note - The Security Management Server must be version R81.20 or higher.

    If the Security Management Server communicates over private IP addresses with the Cross AZ Cluster Members, make sure that the Security Management Server has a connection to the Security VPC in which they are deployed.

  • Deploy a new Security Management Server with the Management CloudFormation template (see sk130372).

    Note - For direct access to the Cross AZ Cluster, deploy the management in the same Security VPC where you deployed the Cross AZ Cluster in Step 4.

Step 5: Configure the CloudGuard Cross AZ Cluster in SmartConsole

To enforce a Security Policy, you must configure the CloudGuard Cross AZ Cluster on the Security Management Server with the Check Point SmartConsole application.

Configuring the Cluster Object

Important:

  • You can configure the Cross AZ Cluster only on a Management Server R81.20 (and higher) and only on a ClusterXL R81.20 (and higher).

  • Cluster Control Protocol (CCP) Encryption must be enabled, which is the default (see the ClusterXL Administration Guide for your version).

To configure the Cluster object:

  1. Use SmartConsole to connect to your Check Point Security Management Server.

  2. If the Security Management Server and the Cluster Members communicate over public IP addresses, make sure that the Security Management Server object is defined with the public IP address.

  3. (Optional) Edit the Security Management Server object and change the IP address to the public one.

    Important - If you change the primary IP address of the Security Management Server, you must issue and install the license(s) for the new IP address.

  4. In SmartConsole, at the top click > select Cluster.

  5. Click Classic Mode.

  6. Configure the cluster's general properties:

    1. In the Cluster Name field, enter a name for the cluster object (example: Cluster_HA).

    2. In the IPv4 Address, enter the Cluster's public IP.

      To get the IP address in AWS Console:

      Navigate to the CloudFormation service > click the Cross AZ Cluster stack > select the IP address with the key ClusterPublicAddress.

    3. If you use the IPsec VPN Software Blade, you must configure the VPN settings in the cluster object before you click OK.

      If you do not use this Software Blade, clear its check box.

  7. Configure the Cluster Members:

    Note - If you manage this cluster from Smart-1 Cloud, use the existing cluster member and start from step iv.

    1. In the Cluster's object left pane, click Cluster Members.

    2. Configure Member A:

      1. Click Add > New Cluster Member.

      2. In the Name field, enter the member's name (in our example: Member_A).

      3. In the IPv4 Address field, enter the member's IP address of its external interface (eth0).

        • If the Management Server connects to the Cross AZ Cluster Members over a private IP, enter the private IP of the interface.

        • If the Management Server connects to the Cross AZ Cluster Members over a public IP, enter the Elastic Primary IP of the interface. You can find it in the Cross AZ Cluster stack, the same as the Cluster Public IP.

      4. Click Communication.

      5. Enter the one-time activation key used in the Cross AZ Cluster CloudFormation Template.

      6. Click Initialize > Close > OK.

    3. Configure Member B:

      Note - If you manage this cluster from Smart-1 Cloud, use the existing cluster member and start from step iv.

      1. Click Add > New Cluster Member.

      2. In the Name field, enter a member's name (in our example: Member_B).

      3. In the IPv4 Address field, enter the member's IP address of its external interface (eth0).

        • If the Management Server connects to the Cross AZ Cluster Members over private IP, enter the private IP of the interface.

        • If the Management Server connects to the Cross AZ Cluster Members over public IP, enter the Elastic Primary IP of the interface. You can find it in the Cross AZ Cluster stack, the same as the Cluster Public IP.

      4. Click Communication.

      5. Enter the one-time activation key used in the Cross AZ Cluster CloudFormation Template.

      6. Click Initialize > Close > OK.

  8. Configure the ClusterXL mode:

    1. In the Cluster's object left tree, click ClusterXL and VRRP.

    2. Select High Availability.

    3. Select Use Geo Mode in a Cloud.

    4. Click OK. (It closes the Cluster object configuration).

  9. Open the Cluster object again to continue the configuration.

  10. Configure the Cluster's Topology:

    1. In the Cluster's object left tree, click Network Management.

    2. Click Get Interfaces > Get Interfaces with Topology > click Yes.

    3. Configure the eth0 interface:

      1. Select eth0.

      2. Click Edit.

      3. In the General section, in the Network Type field, select Private.

      4. In the Topology section, in the Anti-Spoofing section click Modify.

      5. Make sure the option Perform Anti-Spoofing based on interface topology is cleared.

      6. Click OK.

    4. Configure the eth1 interface:

      1. Select eth1.

      2. Click Edit.

      3. In the General section, in the Network Type field, select Sync.

      4. In the Topology section, in the Anti-Spoofing section click Modify.

      5. Make sure the option Perform Anti-Spoofing based on interface topology is cleared.

      6. Click OK.

    Note - This network is also used for State Synchronization.

  11. Add an alias interface to the Cluster members:

    1. In the Cluster's object left tree, click Network Management.

    2. At the top click Actions > New Interfaces.

    3. Configure Network properties: Enter a name for the interface (for example: Private VIP).

    4. Keep the Network Type as Private.

    5. Configure Member IP addresses: Enter secondary private IPv4 address of the external interface for each cluster member and click OK.

      To get the IP address in the AWS console:

      In AWS Console, select Cluster member > Navigate to the Networking tab.

    6. Change the interface topology to External: In the Topology section click Modify and select Override > Internet (External) and click OK. It is not necessary to make more changes.

  12. Click OK.

  13. Install the Access Control policy on the Cluster object.

Allowing Outbound Traffic

  1. Use SmartConsole to connect to your Check Point Security Management Server.

  2. Create a Network object for the Web Servers subnet:

    In the right navigation bar, click New > More > Network Object > Network.

  3. Configure the general properties:

    1. Enter a name for your network (example: Web_Network).

    2. In the IPv4 section, enter the Network Address and the Net mask of the Web Servers subnet.

  4. Create a NAT rule for the network to hide behind the Cluster Gateways:

    1. In the Network's object left tree, click NAT.

    2. Select Add automatic address translation rules.

    3. Leave the configuration as default:

      • Translation method: Hide

      • Hide behind the gateway

  5. Click OK.

  6. Install the Access Control policy on the Cluster object.

Configuring Inbound Protection

There are two options to configure inbound protection with the AWS Cross-AZ Cluster:

Check Point recommends using ingress topology for inbound traffic inspection whenever possible.

  1. Using ingress routing

    In AWS Console:

    1. Create a new routing table and associate it with the Internet Gateway as edge association.

      In the route table:

      • The target must be the Active Cluster Member's external ENI (Elastic Network Interface).

      • The destination must be the subnet that you want to protect.

      • Add a specific route for every subnet that you want to protect.

        Route example to Web Server subnet:

        Destination | Target | Status | Propagated
        172.31.7.0/24 | eni-xxxx | Active | No

      Note: Ingress routing only supports routes to existing subnets.

    2. Add a default route to the Active member's internal ENI to the route table of every subnet that you want to protect.

      1. Connect over SSH to each of the Cluster Members.

      2. Log in to Gaia Clish or Expert mode.

      3. Add this route:

        • In Gaia Clish, run these two commands:

          set static-route <Internal-Subnet-IP-address/Prefix> nexthop gateway address <eth1-AWS-VPC-router-IP-address> on

          save config

        • In Expert mode, run this command:

          clish -c 'set static-route <Internal-Subnet-IP-address/Prefix> nexthop gateway address <eth1-AWS-VPC-router-IP-address> on' -s

        For example:

        The internal subnet is 172.31.7.0/24 (Web Servers subnet) and the Cluster Members internal subnets are 172.31.5.0/24 for Member "A" and 172.31.6.0/24 for Member "B".

        The result is that Member A must have a static route for 172.31.7.0/24 through 172.31.5.1 (AWS VPC router IP), and Member B must have a static route for 172.31.7.0/24 through 172.31.6.1 (AWS VPC router IP).

        For more information regarding VPC Ingress Routing integration with CGI, see the Ingress Routing in sk166575.
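As an added example (not from the guide), the following Python script derives the per-member static routes from the subnet values in the worked example above. For each member it takes the VPC router address of that member's internal subnet (AWS reserves the first host address, network + 1, for the VPC router) and builds the Gaia Clish command for every protected subnet, in either the Clish form or the Expert-mode wrapper shown above. The member names and subnet values are the guide's example values, constructed here as inline data; the function names are this example's own.

```python
import ipaddress

# Constructed values, taken from the guide's worked example: the protected
# Web Servers subnet and each member's internal (eth1) subnet.
PROTECTED_SUBNETS = ["172.31.7.0/24"]
MEMBER_INTERNAL_SUBNETS = {
    "Member-A": "172.31.5.0/24",
    "Member-B": "172.31.6.0/24",
}


def vpc_router_ip(subnet_cidr):
    """AWS reserves the first host address of every subnet (network + 1)
    for the VPC router, so that is the next hop seen from eth1."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return str(net.network_address + 1)


def clish_static_route(destination, nexthop):
    """The Gaia Clish form of the static route shown in the guide."""
    return f"set static-route {destination} nexthop gateway address {nexthop} on"


def member_route_commands(member_subnet, protected_subnets, expert_mode=False):
    """Commands one member needs so traffic to each protected subnet leaves
    via the VPC router on that member's own internal subnet."""
    member_net = ipaddress.ip_network(member_subnet, strict=True)
    nexthop = vpc_router_ip(member_subnet)
    commands = []
    for dest in protected_subnets:
        dest_net = ipaddress.ip_network(dest, strict=True)
        # A route for the member's own subnet (or one overlapping it) would
        # shadow the connected route; refuse rather than emit it.
        if dest_net.overlaps(member_net):
            raise ValueError(f"{dest} overlaps the member's internal subnet {member_net}")
        route = clish_static_route(dest, nexthop)
        # In Expert mode the same Clish command is wrapped and saved with -s.
        commands.append(f"clish -c '{route}' -s" if expert_mode else route)
    if not expert_mode:
        commands.append("save config")
    return commands


def plan_routes(members, protected_subnets, expert_mode=False):
    """Map each member name to the command list to run on that member."""
    return {name: member_route_commands(subnet, protected_subnets, expert_mode)
            for name, subnet in members.items()}


if __name__ == "__main__":
    for member, cmds in plan_routes(MEMBER_INTERNAL_SUBNETS, PROTECTED_SUBNETS).items():
        print(f"# {member}")
        for cmd in cmds:
            print(cmd)
```

Run it once per change to the list of protected subnets and paste each member's block into that member's shell; keeping the two lists side by side makes it obvious when one member was updated and the other was not.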

  2. Using NAT on the Cluster

    Create a Dynamic Object named LocalgatewayAlias on both Cluster Members:

    1. Connect over SSH to each of the Cluster Members.

    2. Log in to Expert mode.

    3. Add Dynamic Object:

      dynamic_objects -n LocalgatewayAlias -r <eth0:1 (secondary)-interface-IP-address> <eth0:1 (secondary)-interface-IP-address> -a

      For example:

      dynamic_objects -n LocalgatewayAlias -r 172.31.3.40 172.31.3.40 -a

      Note - The first and second IP addresses in the command must be the same.

    4. Use SmartConsole to connect to your Check Point Security Management Server.

      Note - For information on dynamic IP configuration, refer to: skI1915 - Configuring Dynamic Objects.

    5. Create a Dynamic Object named LocalgatewayAlias:

      1. In the Object Browser, click on New > go to More menu > go to Network Object menu > click on Dynamic Object...

      2. Enter the name LocalgatewayAlias.

    6. Create a new Host object that represents the internal machine (for example, a Web Server).

    7. Create a new Service object with the internet-facing protocol and port of the internal machine:

      For example:

      1. From the Objects menu, select More object types > Service > New TCP.

      2. Enter a name. For example: http-8084

      3. In the Protocol field, select the protocol (HTTP).

      4. In the Port field, select Customize and enter the port number: 8084

      5. Click OK.

    8. Create a NAT rule for north-south inbound traffic.

      Notes:

      • This NAT rule matches any traffic that arrives at the CloudGuard Cluster on the applicable internal port.

      • This NAT rule translates the destination IP address to the IP address of the Web Servers.

      Create a NAT rule with these values:

      No | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On
      1 | All_Internet | LocalgatewayAlias | http-8084 | = Original | Web Server | http | Cluster object

Configuring VPN

For more information, see the Check Point Security Management Administration Guide for your Management Server version.

To configure a VPN:

  1. Verify in the Cluster's object left tree > Network Management that an alias interface is configured. If the alias interface is not configured, perform Configuring the Cluster Object > step 11.

  2. Create a Network Group object to represent the encryption domain of the Cross AZ Cluster:

    1. In SmartConsole, click Objects > Object Explorer.

    2. From the top toolbar, select New > Network Group.

    3. In the Enter Object Name field, enter a name.

    4. Click the '+' icon, and select the applicable network objects.

    5. Click OK.

    6. Close the Object Explorer.

  3. Edit the cluster object:

    1. From the left navigation panel, click Gateways & Servers.

    2. Double-click the cluster object.

  4. Configure your Network Group as the Encryption Domain:

    1. In the left tree, click Network Management > VPN Domain.

    2. Select User defined.

    3. In the right corner of this field, click the [...] button and select the Network Group object you created in Step 1.

  5. Select the VPN community:

    1. In the left tree, click IPsec VPN.

    2. In the section: This Security Gateway participates in the following VPN Communities, select the applicable VPN community.

  6. Configure the VPN Community settings:

    1. From the top, click the Objects menu > Object Explorer.

    2. In the left tree, clear all boxes except for VPN Communities.

    3. Double-click the VPN community in which this Cross AZ Cluster object participates.

    4. Configure the VPN Community to use Permanent Tunnels (recommended, not required):

      1. In the left tree, click Tunnel Management.

      2. Select Set Permanent Tunnels.

      3. Select the applicable option.

    5. Disable NAT in the VPN community:

      1. In the left tree, click Advanced.

      2. Select Disable NAT inside the VPN community.

      Note - Using NAT in the VPN community affects state synchronization, causing the cluster failover to be stateless. To make sure the cluster failover is stateful, you must disable NAT in the VPN community.

    6. Click OK to close the VPN Community properties window.

    7. Close the Object Explorer.

  7. Install the applicable Access Control Policy on the cluster object.

Configuring Remote Access VPN

Check Point's Remote Access VPN solutions let you create a VPN tunnel between a remote user and the internal network.

For more information, see the R81.20 Remote Access VPN Administration Guide.

Step 6: Review and Test the Deployment

Follow these steps to make sure that your configuration is correct and that all components are set up.

  1. Go to the AWS Web UI:

    1. In the VPC console, in the Route Tables, go to the Private Route table (these are the Private Subnets of the Security VPC).

    2. In the Routes tab, make sure there is a default route to the Active member's private interface (eth1).

  2. Connect to the command line on the two cluster members.

  3. Log in to the Expert mode.

  4. Run the cphaprob state command to validate that the Cross AZ Cluster operates correctly. The output of this command on both Cross AZ Cluster members must show the same information (except for the "(local)" string).

    Example:

    [Expert@HostName:0]# cphaprob state

    Cluster Mode:   High Availability (Active Up) with IGMP Membership

    Number      Unique Address   Assigned Load   State
    1 (local)   172.31.3.20      0%              Active
    2           172.31.4.20      100%            Standby

  5. Run the $FWDIR/scripts/aws_ha_test.py script and make sure that it ends successfully without errors.

  6. Simulate a cluster failover:

    On the Active cluster member, run in the Expert mode:

    clusterXL_admin down

    After two seconds, AWS WebUI > VPC Console > Route Tables must show that all route tables (that had a default route directed to the Active cluster member) point to the Standby cluster member.

    Notes:

    • To see the changes, update the data in the AWS WebUI.

    • It can take a few minutes until the failover completes and traffic passes through the new Active Member.

  7. Bring back the former Active cluster member:

    On the former Active cluster member, run in the Expert mode:

    clusterXL_admin up
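To make the checks in Step 6 repeatable, here is an added Python example (not part of the guide) that parses cphaprob state output captured from both members, confirms that the two views agree apart from the "(local)" marker and that exactly one member is Active, and, given output captured after clusterXL_admin down, confirms that the Active role moved to the other member. The three outputs embedded below are constructed samples modelled on the example in step 4; the column layout of a real Gaia build may differ, so adjust ROW_RE if a row does not parse.

```python
import re

# One row of the cluster state table: "<number> [(local)] <address> <load>% <state>".
ROW_RE = re.compile(
    r"^\s*(?P<number>\d+)\s*(?P<local>\(local\))?\s+"
    r"(?P<address>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<load>\d{1,3})%\s+(?P<state>[A-Za-z]+)\s*$"
)
MODE_RE = re.compile(r"^\s*Cluster Mode:\s*(?P<mode>.+?)\s*$")

# Constructed sample outputs modelled on the guide's example: what each
# member prints before the failover test, and what the former Active
# member prints after clusterXL_admin down.
MEMBER_A_OUTPUT = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number      Unique Address   Assigned Load   State
1 (local)   172.31.3.20      0%              Active
2           172.31.4.20      100%            Standby
"""
MEMBER_B_OUTPUT = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number      Unique Address   Assigned Load   State
1           172.31.3.20      0%              Active
2 (local)   172.31.4.20      100%            Standby
"""
MEMBER_A_AFTER_DOWN = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number      Unique Address   Assigned Load   State
1 (local)   172.31.3.20      0%              Down
2           172.31.4.20      100%            Active
"""


def parse_state(output):
    """Map member number -> {address, load, state, local} from cphaprob state output."""
    members = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            members[int(m["number"])] = {
                "address": m["address"],
                "load": int(m["load"]),
                "state": m["state"].lower(),
                "local": m["local"] is not None,
            }
    return members


def cluster_mode(output):
    """The 'Cluster Mode:' line, or None if it is missing."""
    for line in output.splitlines():
        m = MODE_RE.match(line)
        if m:
            return m["mode"]
    return None


def views_agree(output_a, output_b):
    """True when both members report the same mode and table, ignoring
    which row carries the '(local)' marker."""
    def strip_local(table):
        return {n: {k: v for k, v in row.items() if k != "local"}
                for n, row in table.items()}
    return (cluster_mode(output_a) == cluster_mode(output_b)
            and strip_local(parse_state(output_a)) == strip_local(parse_state(output_b)))


def active_member(output):
    """Number of the single Active member; raises if there is not exactly one."""
    actives = [n for n, row in parse_state(output).items() if row["state"] == "active"]
    if len(actives) != 1:
        raise ValueError(f"expected exactly one Active member, found {actives}")
    return actives[0]


def failover_completed(before, after):
    """True when the Active role moved to another member and the old one gave it up."""
    old, new = active_member(before), active_member(after)
    return old != new and parse_state(after)[old]["state"] != "active"


if __name__ == "__main__":
    print("views agree:", views_agree(MEMBER_A_OUTPUT, MEMBER_B_OUTPUT))
    print("active before:", active_member(MEMBER_A_OUTPUT))
    print("failover completed:", failover_completed(MEMBER_A_OUTPUT, MEMBER_A_AFTER_DOWN))
```

In practice you would capture the two outputs over SSH into files and feed their contents to views_agree; a False result at step 4 usually means the members see different cluster states, which is worth resolving before running the failover test, and active_member raising on zero or two Active rows catches a split-brain condition that a visual comparison can miss.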