Deployment Steps for CloudGuard Network Geo Cluster in AWS

Before deploying Check Point's Security Geo Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. in AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services., you first need to prepare your AWS account and subscribe to Check Point 's CloudGuard Network Security.

After completing these two steps, decide if you need to deploy the Geo Cluster in a new or existing VPC.

Deploy the Check Point Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. and configure the Security CloudGuard Geo Cluster in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

Review and test your deployment.

Step 1: Prepare Your AWS Account

To prepare your AWS account, do these steps:

If you do not already have an AWS account, create one at AWS.
Use the region selector in the navigation bar to choose the AWS region where you want to deploy the Check Point CloudGuard Cross AZ Cluster.
Create a key pair in your preferred region.
If necessary, request a service limit increase for the AWS resources you are going to use.

You may need to do this if you have an existing deployment that uses the AWS resources below and you may exceed the default limit with this deployment.

The resources that may need a service limit increase are:
- Number of On-demand EC2 instances
- Number of Elastic IP addresses
- Number of VPCs for each region
- Number of VPN connections for each region
- Number of Customers for each region
- Number of virtual private gateways for each region
- VPN connections for each VPC

By default, this Deployment guide uses c5.xlarge for the Security Gateways and m5.xlarge for the Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

Deployment minimum permissions

For a successful deployment, the relevant IAM policy must have the minimum permissions set as configured below.

In the AWS VPC AWS Virtual Private Cloud. A private cloud that exists in the public cloud of Amazon. It is isolated from other Virtual Networks in the AWS cloud. Console, navigate to the IAM service, select the relevant IAM policy, copy and paste this text:

For Cross AZ Cluster in a new VPC

Copy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Permissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStackResources",
                "cloudformation:ValidateTemplate",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateInternetGateway",
                "ec2:CreateLocalGatewayRouteTable",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:DeleteVpc",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRegions",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:DescribeVpcs",
                "ec2:DetachInternetGateway",
                "ec2:DetachNetworkInterface",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:ReleaseAddress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyVersions",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}

For Cross AZ Cluster in an existing VPC

Copy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Permissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStackResources",
                "cloudformation:ValidateTemplate",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteRoute",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstances",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ec2:DetachNetworkInterface",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ReleaseAddress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyVersions",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}

Step 2: Subscribe to CloudGuard Network Security

To subscribe to Check Point CloudGuard Network, do these steps:

Log in to the AWS Marketplace.
Search for "CloudGuard Network Security".

Select one of these licensing options for Check Point CloudGuard Security Gateways:

Or one of these licensing options for a Check Point CloudGuard Security Management Server:

Note - If you want to manage more than five Security Gateways, select the BYOL option and contact Check Point Sales to purchase a license.

Select Continue to subscribe.
Select Accept Terms to confirm that you accept the AWS Marketplace license agreement.

Note - In the deployment steps that follow, you are prompted for the licensing information for the Security Gateways and Security Management Server that you selected.

Step 3: Deploy the Security CloudGuard Network Geo Cluster in AWS

This step details the necessary procedure for deploying the Security CloudGuard Network Geo Cluster in AWS. To deploy the Transit Gateway High Availability (HA) in AWS, see .Deployment Steps for Geo Cluster in AWS Transit Gateway High Availability.

Before you deploy Check Point's Security Geo Cluster in AWS's HA, select a CloudFormation template for either a new or existing VPC. Next, follow the instructions in this section on how to deploy the AWS HA. Finally, review and test the deployment. If you decide to deploy the Geo Cluster without association of Elastic IP to the Cluster Members, see Deploying Geo Cluster Members without an Elastic IP.

Select one of the CloudFormation templates to launch the Geo Cluster template in to your AWS account:

CloudFormation Template	Description	S3 Link
Geo cluster into a new VPC	This template deploys: Check Point CloudGuard Network Security Geo Cluster into a new VPC with public and private subnets in two different Availability Zones on AWS.	Geo cluster with new VPC
Geo cluster into an existing VPC Note: The existing VPC must have a public and a private subnet in two Availability Zones	This template deploys: Check Point CloudGuard Network Security Geo Cluster into an existing VPC with public and private subnets in two different Availability Zones in AWS	Geo cluster into existing VPC

CloudFormation Template

Description

S3 Link

Geo cluster into a new VPC

This template deploys:

Check Point CloudGuard Network Security
Geo Cluster into a new VPC with public and private subnets in two different Availability Zones on AWS.

Geo cluster with new VPC

Geo cluster into an existing VPC

Note:

The existing VPC must have a public and a private subnet in two Availability Zones

This template deploys:

Check Point CloudGuard Network Security Geo Cluster into an existing VPC with public and private subnets in two different Availability Zones in AWS

Geo cluster into existing VPC

Notes:

When you deploy this template, there is no need to run the Check Point First Time Configuration Wizard. Instead, the wizard is executed automatically. As a result, there is single, one time reboot of the Cluster Members.
The CloudFormation template automatically creates an AWS routing table, and associates the internal subnets from both Availability Zones to it. This is to route all traffic going outside the VPC by means of Check Point's Cluster Active Member.
After running the template, by default, the Active Member is Member "A".

Parameters for Deploying a Geo Cluster into a New VPC

Use these parameters for deploying a Geo Cluster in to a New VPC:

VPC Network Configuration

Parameter Name	Default Value	Description
`Availability Zones`	Requires input	The specific Availability Zones that you want to use for the Cluster Members. This field shows the Available Zones within your selected region. You must select two Availability Zones from this list. The logical order of your selections is preserved in your deployment. Each member will be deployed in a different Availability Zone.
`VPC CIDR`	`10.0.0.0/16`	The CIDR block used for the VPC.
`Public Subnet 1 CIDR`	`10.0.0.0/24`	CIDR block used for Public Subnet 1 located in the 1^st Availability Zone.
`Public Subnet 2 CIDR`	`10.2.0.0/24`	CIDR block for used Public Subnet 2 located in the 2^nd Availability Zone.
`Private Subnet 1 CIDR`	`10.1.0.0/24`	CIDR block used for Private Subnet 1 located in the 1^st Availability Zone.
`Private Subnet 2 CIDR`	`10.3.0.0/24`	CIDR block used for Private Subnet 2 located in the 2^nd Availability Zone.

EC2 Instance Configuration

Parameter Name	Default Value	Description
`Gateway name prefix`	Optional	Prefix for Cluster Members name tag (the name ends with "member A" or "member B").
`Instance type`	`c5.xlarge`	The EC2 instance type for the Security Gateways.
`Key name`	Requires input	A pair of public and private keys that lets you to connect securely to your instance - after it launches. When you created an AWS account, this is the key pair that you created in your preferred region.
`Allocate Elastic IPs for cluster members`	`true`	When the value is true, then the Cluster Member Security Gateway that is part of a cluster. is deployed with an Elastic IP. If the value is false, then make sure the Cluster Members can connect to an EC2 endpoint.
`Root volume size (GB)`	`100`
`Volume encryption KMS key indentifier`	`alias/aws/ebs`	KMS or CMK key Identifier
`Enable Instance Connect`	`false`	When the value is true, then the AWS Instance Connect is enabled on the Cluster Member, and allows for opening a SSH console to the instances over HTTPS by means of the AWS web console.

Check Point Settings

Parameter Name	Default Value	Description
`Version and license`	R80.40-PAYG-NGTP	The license used for the Security Gateways.
`Admin shell`	`/etc/cli.sh`	The default administrator shell for logging in to Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. OS on your instance.
`Password hash`	Optional	The administrator password hash. Run this command to get the password hash: `openss1 passwd -1 <PASSWORD>`
`SIC key`	Requires input	One-time activation key. Enter a string that contains 8-127 alphanumeric numbers.
`Resources prefix tag`	Optional	Name tag prefix of the resources
Gateway Hostname	Optional	Host name of the Gateway when you connect with SSH. The host name is appended with member-a/b accordingly
`Allow upload & download`	`true`	When true, the instance can automatically download the Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. contracts and other important data. Also, this improves product experience by sending data to Check Point. For more information on configuration, see sk111080.
`Bootstrap Script`	Optional	An optional script with semicolon (;) separated commands to run on the initial boot.
`Primary NTP server`	`169.254.169.123` (Optional)	Option to input a different NTP server.
`Secondary NTP server`	`0.pool.ntp.org` (Optional)	Option to input a different Secondary NTP server.

Quick Connect to Smart-1 Cloud:

Smart-1 Cloud (Check Point’s management server as a Service) is a recommended option to use CloudGuard Network Security Gateways.

Parameter Name	Default Value	Description
`Smart-1 Cloud Token for member A`	Requires input	Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.
`Smart-1 Cloud Token for member B`	Requires input	Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.

Parameters for Deploying a Geo Cluster into an Existing VPC

Use these parameters for deploying a Geo Cluster in an Existing VPC:

VPC Network Configuration

Parameter Name	Default Value	Description
`VPC`	Requires input	The ID of your existing VPC.
`Public Subnet 1`	Requires input	Select a Public Subnet in the first Availability Zone of your VPC.
`Public Subnet 2`	Requires input	Select a Public Subnet in the second Availability Zone of your VPC.
`Private Subnet 1`	Requires input	Select a Private Subnet in the first Availability Zone of your VPC.
`Private Subnet 2`	Requires input	Select a Private Subnet in the second Availability Zone of your VPC.
`Internal`

EC2 Instance Configuration

Parameter Name	Default Value	Description
`Members name prefix`	Optional	Prefix for Cluster Members name tag (name ends with either "member A" or "member B").
`Instance type`	`c5.xlarge`	The EC2 instance type for the Security Gateways.
`Key name`	Requires input	A pair of public and private keys that allows you to connect securely to your instance after it launches. This is the key pair you created (when you created an AWS account) in your preferred region.
`Existing IAM role name`	Optional	A predefined IAM role hat is attach to the instance profile. If the IAM role is not set to existing, it is ignored.
`Allocate Elastic IPs for cluster members`	`true`	When the value is true, then the Cluster Member is deployed with an Elastic IP. If the value is false, then see .
`Enable Instance Connect`	`false`	When the value is true, then the AWS Instance Connect is enabled on the Cluster Member, and allows for opening a SSH console to the instances over HTTPS by means of the AWS web console.

Check Point Settings

Parameter Name	Default Value	Description
`Version and license`	`R80.40-PAYG-NGTP`	The license used for the Security Gateways.
`Admin shell`	`/etc/cli.sh`	The default administrator shell for logging in to Gaia OS on your instance.
Password hash	Optional	The administrator password hash. Run this command to get the password hash: `open1 passwd -1 <PASSWORD>`
`SIC key`	Requires input	One-time activation key. Enter a string that contains 8-127 alphanumeric numbers.
`Allow upload & download`	`true`	When true, the instance can automatically download the Software Blade contracts and other important data. Also, this improves product experience by sending data to Check Point. For more information on configuration, see sk111080.
`Primary NTP server`	`169.254.169.123` (Optional)	Option to input a different NTP server.
`Secondary NTP server`	`0.pool.ntp.org` (Optional)	Option to input a different Secondary NTP server.

Quick Connect to Smart-1 Cloud:

Smart-1 Cloud (Check Point’s management server as a Service) is a recommended option to use CloudGuard Network Security Gateways.

Parameter Name	Default Value	Description
`Smart-1 Cloud Token for member A`	Requires input	Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.
`Smart-1 Cloud Token for member B`	Requires input	Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields.

Step 4: Deploy the Check Point Security Management Server

We recommend you to use Smart-1 Cloud (Check Point's management server as a Service) to manage CloudGuard Network Security gateways.

Refer to sk180501 for step-by-step instructions for connecting CloudGuard Network Public Cloud Gateways to Smart-1-Cloud management.

You can also use one of the options below to deploy the Check Point Security Management Server.

Use the existing on-premises Security Management Server, or existing Security Management Server in AWS.
Note - The Security Management Server must be R80.40 and higher.
If the Security Management Server is communicating over a private IP addresses with the CloudGuard Cluster Members, then make sure that the Security Management Server has connection to the Security VPC in which they are deployed (see sk130372).

Deploy a new Security Management Server with the Management CloudFormation template.
Note - For direct access to the CloudGuard Security Cluster, deploy the management in the same Security VPC in which you deployed the cluster in step 4.

Step 5: Configure the Security CloudGuard Geo Cluster in SmartConsole

To enforce a Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., the Security CloudGuard Geo Cluster must first be configured on the Security Management using Check Point's SmartConsole application.

Configuring the Cluster Object

Step	Description
1	Use SmartConsole to connect to your Check Point Security Management Server.
2	If the Security Management Server and the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. have to communicate through public IP addresses, make sure that the Security Management Server object is defined with the elastic IP address. Edit the Security Management Server object and change the IP address. Important - If you change the main IP address of the Security Management Server, you must issue and install the license(s) for the new IP address.
3	Create the Cluster Member: In SmartConsole, at the top click Cluster > Cluster... > Classic Mode.
4	Define the cluster's general properties: In the Cluster Name field, enter a name for the cluster object (as in "Cluster_HA"). In the IPv4 Address, enter a dummy IP address (such as `0.0.0.0`). Current limitation: The Geo Cluster does not work with the IPsec VPN, for that reason clear the IPsec VPN checkbox.
5	Define the Cluster Members: Select how you manage the cluster: From Smart-1 Cloud: Click Add > Existing Cluster Member and select the relevant cluster member from the list. Skip to step b.iii below. Otherwise, click Add > New Cluster Member. In the Cluster's object left pane, click Cluster Members. In the Name field, enter the member's name. In the IPv4 Address field, enter the member's IP address of its external interface (eth0). If the management connects to the Cluster Members over a private IP, enter the private IP of the interface. If the management connects to the Cluster Members over a public IP, enter the Elastic IP of the interface. Click Communication. Enter the one-time activation key used in the Geo Cluster CloudFormation Template. Click Initialize. Repeat this step for the second Cluster Member.
6	Change the Cluster mode to Active-Active: In the Cluster's object left pane, click ClusterXL and VRRP. Select Active-Active.
7	Get the Cluster's Topology: Note - Before you can retrieve the interfaces with their topology, you must click OK in the dialog box. In the Cluster's object left pane, click Network Management. Click Get Interfaces > Get Interfaces with Topology. Click eth0, in the Network Type select Cluster (the IPV must stay as `0.0.0.0`). From the Network eth0 window, click Topology and disable Anti-Spoofing. Click eth1, in the Network Type select Cluster and Sync (the IPV must stay as `0.0.0.0`). From the Network eth1 window, click Topology and disable Anti-Spoofing. Note - This network is also used for State Synchronization.
8	Verify the settings: To close the window, click OK. Install policy on the cluster.

Allowing Outbound Traffic

Step	Description
1	Use SmartConsole to connect to your Check Point Security Management Server.
2	Create an Internal Network Computers and resources protected by the Firewall and accessed by authenticated users. for the Security VPC: In the right navigation bar, click New > Network.
3	Define Network general properties: 1. Enter a name for your network (such as `Security_network`). 2. In the IPv4 section, enter the Network Address and the Net mask of the Security VPC.
4	Create a NAT rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. for the network to hide behind the Cluster Gateways: In the Network's object left pane, click NAT. Check the box: Add automatic address translation rules. Leave the configuration as default: Translation method: Hide Hide behind the gateway
5	Verify the settings: To close the window, click OK. Install policy.

Limitation:

During failover, outbound traffic that runs over protocols and save sessions must be restarted.

Step 6: Review and Test the Deployment

Use these steps to check for proper configuration and set up of all components.

Step Description

Go to the AWS WebUI:

In the VPC console, under Route Tables, go to the Private Route table (these are the Private Subnets of the Security VPC are associated with).
In the Routes tab, make sure there is a default route to the Active member's private interface (eth1).

Run cphaprob state to validate that the cluster is operating correctly.

Output of cphaprob state command on both cluster members must show identical information for Load State (“ACTIVE”).

Example:

[Expert@HostName:0]# cphaprob state

Cluster Mode: Active Active with IGMP Membership

Number       Unique Address   Assigned Load  State     Name
1 (local)    10.0.1.20        N/A            Active    Member-A
2            10.0.1.30        N/A            Active    Member-B

Run $FWDIR/scripts/aws_ha_test.py and make sure that it ends successfully without errors.

Simulate a cluster failover:

From the Active member, that is not on standby, run in the Expert mode:

clusterXL_admin down

After two seconds, you will see in AWS WebUI > VPC Console > Route Tables that all route tables (that had a default route directed to the Active Member) are now directed to the Standby Active member.

Notes:

To see the changes, refresh the AWS WebUI.
It can take a few minutes until failover is fully configured to pass traffic through the Active Member.

After you finish the test, it is necessary to bring the Down member back up, run in the Expert mode:

clusterXL_admin up