Additional Information

Configuring Outbound Protection

There is an option to set up the CloudGuard Auto Scaling Group to inspect outbound HTTP/HTTPS traffic.

Administrators can use this to inspect and control traffic of various web clients such as:

Servers and containers that require software and image updates from repositories located outside the VPC.
Virtual Desktop environments that run inside the VPC and access the Internet.

In the diagram below, web clients in private subnets are configured to use an ELB as their HTTP/HTTPS proxy. This Proxy ELB is configured to forward TCP connections to the CloudGuard Auto Scaling Group.

Each Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. in the group is configured as an HTTP/HTTPS proxy that listens on the proxy port. The Security Gateway inspects the proxied HTTP/HTTPS connections, and can be used to log the URL.

Connections that arrive at the Security Gateways have a source IP address that belongs to the proxy ELB rather than the web client. Because the ELB acts as a TCP proxy, and not as an HTTP proxy, no "X-Forwarded-For" HTTP header is present to identify and log the original client. Instead, the ELB is set up by the CloudFormation template to add a Proxy Protocol header. This allows the Security Gateways to log the original client address.

Notes:

The proxy protocol is only supported in the context of HTTP/S connections as described here.

Currently, the original client's IP address can only be logged and cannot be used to enforce access rules in the security policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection..

For additional information, see AWS ELB proxy protocol.

In addition, you can set up the Security Gateways to do deep packet inspection of encrypted HTTPS traffic with the HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. feature. When this feature is enabled, the web clients must be set up to trust a CA certificate issued by the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. during the HTTPS Inspection configuration. See the "Creating an Outbound Certificate" section below.

Configuration steps:

Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. setup:

Important - It is necessary to allow access to the Security Gateways' proxy port only from the internal ELB. Specifically, if you want to prevent access from the Internet to these ports. Otherwise, malicious clients on the Internet can bounce off the Security Gateways to attack 3rd party servers.

The proxy ELB is normally deployed in the same subnets as the CloudGuard Auto Scaling Group.

Use the firewall rule base All rules configured in a given Security Policy. Synonym: Rulebase. to limit access to the HTTP/HTTPS proxy ports only from these subnets:

In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., create a network object for each subnet in which the Security Gateways are deployed.
Create a network group object that includes the VPC subnets from the previous step, for example, "GatewaysSubnets".

Create the following rules in the firewall security rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. base:

Source	Destination	VPN	Services & Applications	Action	Track	Install On
GatewaysSubnets	GatewaysSubnets	* Any	HTTP_and_HTTPS_proxy	Accept	Log	Policy Targets
* Any	GatewaysSubnets	* Any	HTTP_and_HTTPS_proxy	Drop	Log	Policy Targets

Note - This table regards the Application Load Balancer. If you are using Network Load Balancer, set the source from "GatewaysSubnets" to "WebserverSubnets."

Run the following command on the Security Management Server to add a proxy port:

autoprov_cfg set template -tn < TEMPLATE-NAME> -pp <PROXY-PORT>

Where:
- <TEMPLATE-NAME> - Specifies the name of the Auto scaling Group's template that you selected when setting up Automatic Provisioning Check Point Software Blade on a Management Server that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: SmartProvisioning, SmartLSM, Large-Scale Management, LSM..
- <PROXY-PORT > - Specifies the port on which the proxy would be listening.
If you want to use HTTPS Inspection, to enable it see Enabling and disabling Software Blades.

Web clients setup:

Use the AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. Management console to determine the DNS name of the proxy ELB. You should configure your web clients to use the proxy ELB as their HTTP/HTTPS proxy. Consult the documentation of your web clients in order to determine how to achieve this.

Notes:

While some applications might use the operating system proxy settings, other applications might have application specific proxy configuration.
Systems hosted in EC2 normally require that access to the metadata service on 169.254.169.254 is not directed through a proxy

If HTTPS Inspection is enabled on the Security Gateways, then you must also configure your web clients to trust the HTTPS Inspection certificate generated by the Security Management Server.

For instructions, see the web client documentation.

Note - While some applications might use a system wide certificate store to determine trust, other applications might have their own separate configuration.

Multiple external ELBs

If necessary, you can create additional external ELBs that forward traffic to the same pool of CloudGuard Security Gateways.

To do so, for each additional external ELB:

Create an additional internal ELB.
The external ELB must forwards traffic on the same port, on which the internal ELB is listening.
You must allocate unique TCP/UDP ports for each such pair (such as 8081, 8083, and other ports).

External ELB with multiple ports

If necessary, an external ELB can listen on multiple TCP/UDP ports (e.g. 80, 443). Traffic that arrives on these ports can be forwarded on either a single port or multiple ports.

Examples:

Listening on multiple ports, (e.g. 80, 443), forwarding on a single port (as in 8081).
Listening on multiple ports (e.g. 80, 443), forwarding on multiple ports (as in, 8081, 8443).

In both cases, there must be a corresponding internal ELB. The internal ELB must be listening on the same set of ports, to which the external ELB forwards its traffic.

Note - The ports used to forward traffic should be unique

Cross-Zone Load Balancing

ELB supports Cross Zone Load Balancing. With Application Load Balancer, this feature is enabled by default upon creation.

With Network Load Balancer, it is necessary to manually enable this feature, after the Load Balancer is created:

Open the Amazon EC2 console.
From the main menu bar Load Balancers.
Right click on the newly created Network Load Balancer > Edit attributes.
Select the checkbox next to Cross-Zone load balancing.
Click Save.

This step is required when one of the Load Balancers, internal or external, is deployed in more Availability Zones than its targets.

Removing an Elastic Load Balancer

To remove a Load Balancer:

Delete the Load Balancer entirely.

or
Remove the x-chkp tags from the Load Balancer.

Make sure to wait for the CME cycle to finish (30 seconds by default), before applying any other changes.

Multiple VPCs

If necessary, the CloudGuard Security Gateways and the internal servers can be placed in different VPC's.

To place them in different VPC's:

Put the internal ELB in the same VPC as the internal servers.
Make sure that the Security Gateways can resolve the hostname of the internal ELB.
Make sure that there is connectivity from the Security Gateways to the internal ELB by either using VPC peering, or through an Internet Gateway.

Enabling inbound HTTPS Inspection

Follow these steps to enable HTTPS Inspection:

Note - An outbound CA certificate is necessary for inbound SSL inspection. If you have an outbound CA certificate you can skip these steps. Otherwise, create one in "Creating an Outbound Certificate".

Creating an Outbound Certificate

To create an Outbound Certificate

In SmartConsole, from the left navigation panel, select Gateways & Servers.
Right click on one of the CloudGuard Autoscaling Gateways and click Edit.
From the left tree, select HTTPS Inspection.
In Step 1 click on Create to create new certificate, enter the required information and click OK.
In Step 2 you can export the newly created certificate for distributing the CA on client computers.
For more information click on Learn more.
Click OK.
From the left tree, select Security Policies > HTTPS Inspection > Policy.
Go to the Destination column, and edit the default rule.
Right-click Internet > Remove.
Any shows. This means that the inspection takes place with a single-interface gateway.
Publish the SmartConsole session.

Creating an HTTPS Inspection Rule to Inspect SSL Traffic

This procedure creates an HTTPS Inspection rule to inspect SSL traffic that belongs to a web application

Create a new HTTPS service:
1. In the Right Object Browser, click New > More > Service > TCP.
2. Enter service name, for example, https-8443.
3. For Protocol, select HTTPS.
4. For Port, select Customize and enter the port number.
Create an HTTPS Inspection rule to inspect SSL traffic belonging to this web application:
1. From the left tree, select Security Policies > HTTPS Inspection > Policy.
2. Add the following rule:
  - Source - Any
  - Destination - Any (do not use the Internet object)
  - Service - The HTTPS service you created
  - Action - Inspect
  - Certificate - The certificate you created
3. Publish the SmartConsole session
Enable the HTTPS Inspection blade as explained in sk130372 > Enabling and disabling Software Blades section.

Updating the Auto Scaling Group

Notes:

Starting January 01, 2023 AWS no longer supports new instance types and features with launch configurations.

If your Auto Scale Group uses Launch Configuration, we recommend replacing it with Launch Template. Refer to Replace launch configuration with launch template section.
If you change the Security Gateway version, make sure you can use the existing Management Server with the newer Auto Scaling Group version you are deploying.
For AWS Gateway Load Balancer Auto Scaling Group, refer to the procedure in CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group Deployment Guide > Additional Information > Updating the Auto Scaling Group.

Updating AMI

00:00: 00:05: This guide will walk you through the steps to update the image of an autoscaling group. 00:11: Step 1 find the target Ami ID 00:15: Open the AWS Marketplace and search for cloudguard Network. 00:20: Select the software subscription that was used to deploy the auto-scaling group. 00:26: On the software subscription page click continue to subscribe 00:31: Click continue to configuration 00:34: On configure this software page select the target software version 00:38: and build and select the region. 00:42: Copy the Ami ID 00:45: Step 2 update the auto scaling group launch template 00:50: Open the AWS console and navigate to the ec2. 00:55: On the left navigation bar click launch templates 01:00: Select the launch template of the autoscaling group. 01:04: On the actions drop-down menu select modify template create 01:08: new version. 01:11: The modified template page opens check the provide guidance to help 01:15: me set up a template that I can use with ec2 auto-scaling checkbox. 01:21: Scroll down to the application and Os image section and in the search 01:25: box paste the Ami ID you copied in Step 1. 01:31: The choose an Amazon machine image page opens. 01:33: Click the community Amis table. 01:38: Click the select button next to the Ami matching the Ami ID you 01:42: paste it in the search bar. 01:45: Review the changes in the alert window and click confirm changes. 01:50: On the network settings section click the select existing Security Group 01:54: option. 01:56: Examine the configuration in all other sections and create the launch template 02:00: version. 02:02: You receive a message confirming the update of the launch template. 02:06: Step 3 update the auto scaling group. 02:10: On the ec2 left navigation bar. 02:12: Click the auto scaling groups. 02:16: Select the applicable auto-scaling group 02:20: Click to edit the launch template settings. 02:24: In the launch template screen select the updated template. 02:29: Click update to update the auto scaling group. 02:33: To apply the update on the ec2 console navigate to instances. 02:39: Manually, stop the security gateways one by one the auto-scaling 02:43: group deploys new gateways with the updated Ami. 02:48: Thank you for watching. 02:51:

For Launch Template:
1. Find the target AMI ID:
  1. Open AWS Marketplace and search for CloudGuard.
  2. Select the listing matching the one used to deploy the autoscaling group.
  3. Click Continue to subscribe.
  4. Click Continue to configuration.
  5. Select the target version and build (For example: R81.20-631.1427).
  6. Select the region of your autoscaling group.
  7. Copy the AMI ID.
2. Update the autoscaling group launch template:
  1. Open the Amazon EC2 console.
  2. From the main menu bar select Launch Templates and select the launch template of the Auto Scaling Group.
  3. Click Actions > Modify template (Create new version).
  4. In Auto Scaling Guidance Check Provide guidance to help me set up a template that I can use with EC2 Auto Scaling.
  5. Go to Application and OS Images (Amazon machine image) and click Browse more AMIs.
    1. In the search box enter the AMI-ID (“ami-xxxxxxxxxxxxxxxxx”) copied in step #1.
    2. Click the Community AMIs tab.
    3. Click the Select button next to the AMI matching the AMI-ID you pasted in the search bar.
    4. If you get the alert: Some of your current settings will be changed or removed if you proceed, review the changes and Confirm if you agree.
  6. In Network settings section mark Select existing security group.
  7. Examine your configuration in all other sections and create the launch template version.
3. From the Navigation Toolbar, select Auto Scaling Groups.
4. Select the applicable Auto Scaling Group, click Edit.
5. In the Launch Template section, select the new version and select Update.
6. To apply this update, manually stop the Security Gateways one by one. The Auto Scaling Group deploys new Gateways with the updated AMI and not with the terminated gateways.
For Launch Configuration:
1. Open the Amazon EC2 console.
2. From the Primary menu bar, select Launch Configurations and select the launch configuration of the Auto Scaling Group.
3. Click Actions > Copy launch configuration.
4. Go to Amazon machine image (AMI) and select the new AMI.
  
  Follow these steps to find the desired AMI id:
  1. Open the AWS Marketplace.
  2. Search for Check Point and click on the relevant product listing.
  3. Click Continue to Subscribe.
  4. Click Continue to Configuration.
  5. Select the relevant Software Version and Region.
  6. Copy the Ami Id.
5. Examine your configuration in all other sections and create the launch configuration.
6. From the Navigation Toolbar, select Auto Scaling Groups.
7. Select the applicable Auto Scaling Group, click Edit.
8. In the Launch Configuration section, select the newly created launch configuration, named the same as the previous configuration with Copy concatenated to it, and select Update.
9. To apply this update, manually stop the Security Gateways one by one. The Auto Scaling Group deploys new Gateways with the updated AMI and not with the terminated gateways.

Notes:

Avoid other configuration changes during the upgrade.

To avoid downtime, make sure to terminate a Security Gateway only after a previous gateway has finished its initialization and replaced its predecessor.

These updates necessitate additional actions:

If you have changed the Security Gateways version, update the relevant Cloud Management Extension (CME) configuration template. Use this command:

autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -ver <NEW-VERSION>

Replace <CONFIGURATION-TEMPLATE-NAME> with the name of the relevant CME configuration template, such as 'my-configuration-template', and <NEW-VERSION> with the new version of the Gateways.

Replace launch configuration with launch template

Copy a launch configuration to a launch template:
1. Open the Amazon EC2 console.
2. On the navigation pane below Auto Scaling, select Launch Configurations.
3. Select the launch configuration you want to copy and select Copy to launch template > Copy selected. It creates a new launch template with the same name and options as your selected launch configuration.
4. For New launch template name, you can use the name of the launch configuration (the default) or enter a new name. Launch template names must be unique.
5. Select Copy.
Replace the launch configuration for an Auto Scaling Group:
1. Open the Amazon EC2 console, and select Auto Scaling Groups from the navigation pane.
2. Select the check box next to your Auto Scaling Group.
  
  A pane opens at the bottom of the page, showing information about the selected group.
3. On the Details tab, select Launch configuration, Edit.
4. Select Switch to launch template.
5. For Launch template, select your launch template.
6. For Version, select the launch template version, as needed. After you create versions of a launch template, you can select if the Auto Scaling Group uses the default or the latest version of the launch template when scaling out.
7. When you have finished, select Update.

IPS Geo Protection Based on "X-Forwarded-For" HTTP header

When the Check Point CloudGuard Auto Scaling Group is deployed behind a Load Balancer, you can log and control the country of origin of the clients as explained in sk115532 - IPS Geo protection based on "X-Forwarded-For" HTTP header in Check Point CloudGuard for AWS / CloudGuard for Azure.

Automatic Rule Placement

The Cloud Management Extension (CME) service creates automatic access (in the network layer) and NAT (in the NAT policy) rules for each Security Gateway for each internal ELB for each listener port. These rules are added at the top of the layers.

Sometimes it is preferable to add the rules in a specific place in the policy rather than at the top. To do this, create, a section for these rules in SmartConsole, and specifying the section name in the automatic provisioning configuration.

In SmartConsole, in the relevant Security Policy, create a new section:
1. Right click on a rule number, under which you wish to create the section.
2. Choose Create New Section Title and click Below.
3. Name the section. Make note of the name.

Use SSH to connect to the Security Management Server.
Log in to Expert mode.
Run the following command:

autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -secn <SECTION-NAME>

Replace <CONFIGURATION-TEMPLATE-NAME> with the name of the configuration template you selected when Setting up Automatic Provisioning, e.g. 'my-configuration-template'.

Replace <SECTION-NAME> with the name of the section you created in step 1.

If the section is specified in the configuration template, but it is not found in the rule base, the rules are added at the top by default.

For more information, see the Automatic Rule Placement section in the Cloud Management Extension Administration Guide.

Note - Changes such as moving the section in the Security Policy or changing the section name in the automatic provisioning configuration impact only newly provisioned Gateways. Rules for existing Gateways remain in place. If you want to apply these changes to all of the Security Gateways in the Auto Scaling Group, then terminate the old gateways and the Auto Scaling Group automatically create new gateways to take their place with the new configuration.