Deployment Steps

Use the steps listed below to deploy your AWS Auto Scaling Group.

Step 1: Preparing Your AWS Account

To prepare your AWS account, do these steps:

  1. If you do not already have an AWS account, create one at AWS.

  2. Use the region selector in the navigation bar to choose the AWS region in which you want to deploy Check Point CloudGuard Auto Scaling on AWS.

  3. Create a key pair in your preferred region.

  4. If necessary, request a service limit increase for the AWS resources you are going to use.

You may need this if an existing deployment already uses the AWS resources below and this deployment would push you past the default limits.

The resources that may need a service limit increase are:

  • Number of On-demand EC2 instances.

  • Number of Elastic IP addresses.

  • Number of VPCs for each region.

  • Number of Network Load Balancers.

  • Number of Application Load Balancers.

By default, this Deployment guide uses c5.xlarge for the Security Gateways and m5.xlarge for the Security Management Server.

Step 2: Subscribing to Check Point CloudGuard Network

To subscribe to Check Point CloudGuard Network, do these steps:

  1. Log in to AWS Marketplace.

  2. Select one of these licensing options for Check Point CloudGuard Network Security Gateways:

  3. Select Continue to subscribe.

  4. Select Accept Terms to confirm that you accept the AWS Marketplace license agreement. After accepting the terms you can continue to Step 3: Deploy the Check Point Security Management Server (SMS).

    Note - Do this step one time for each account subscription.

  5. If you want to deploy a Check Point CloudGuard Security Management Server, repeat Steps 3 and 4 in this procedure and select one of these licensing options:

    Note - If you want to manage more than five Security Gateways, select the BYOL option to purchase a license. Contact Check Point Sales to purchase a license.

Note - In the deployment steps that follow, you are prompted for the licensing information for the Security Gateways and Security Management Server that you selected.

Step 3: Deploy the Check Point Security Management Server (SMS)

We recommend using Smart-1 Cloud (Check Point's management server as a Service) to manage the CloudGuard Network AWS Auto Scaling Group.

Refer to Quantum Smart-1 Cloud Administration Guide > Using the settings > Cloud Management Extension (CME) Configuration for step-by-step instructions for enabling CME in Smart-1 Cloud management.

Other available options to deploy the Check Point Security Management Server are:

  • Deploying a New Security Management Server with a Management CloudFormation Template

  • Using the Existing On-Premises Security Management Server or the Security Management Server in AWS

To configure the Security Management Server to automatically provision newly deployed CloudGuard Security Gateways, refer to sk130372 > Automatic Provisioning with Security Management Server.

Deploying a New Security Management Server with a Management CloudFormation Template

Deploy the Security Management Server separately as described in sk130372.

Then create an IAM role with the read-only (Describe) permissions listed in Using the Existing On-Premises Security Management Server or the Security Management Server in AWS, or deploy the IAM role with the template, and attach it to the Security Management Server.

Using the Existing On-Premises Security Management Server or the Security Management Server in AWS

In the AWS IAM console, grant the Security Management Server the permissions below. All of them are Describe (read-only) actions: the server only needs to discover the Auto Scaling group, its instances and the load balancers in front of them, and nothing in this policy lets it change AWS resources.

Required Permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSubnets",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetHealth"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
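The following Python is added here as a worked example; it is not Check Point code. It loads the policy above, confirms that every action it grants is a plain Describe call (so a later edit that slips in a wildcard or a Create/Modify action is caught before the role is created), and builds the EC2 trust policy for a Security Management Server that runs in AWS. The role name and the trust policy are assumptions. A role attached through an instance profile can only be used by an EC2 instance; an on-premises Security Management Server needs a separate credential that carries the same policy.

```python
"""Check the Security Management Server IAM policy before creating the role.

Added example, not Check Point code. POLICY is the document from this guide;
ROLE_NAME and the EC2 trust policy are assumptions for a management server
that runs in AWS. Nothing here calls AWS: the functions return the arguments
you would hand to boto3's iam.create_role and iam.put_role_policy.
"""
import json

POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSubnets",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetHealth"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
""")

ROLE_NAME = "CloudGuard-SMS-ReadOnly"   # assumed role name


def over_privileged_actions(policy):
    """Actions in Allow statements that are not plain Describe calls (wildcards included)."""
    found = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _service, _, verb = action.partition(":")
            if "*" in action or not verb.startswith("Describe"):
                found.append(action)
    return found


def ec2_trust_policy():
    """Trust policy that lets an EC2 instance assume the role through its instance profile."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def role_creation_calls(role_name=ROLE_NAME, policy=POLICY):
    """Arguments for iam.create_role and iam.put_role_policy; ValueError if the policy widened."""
    extra = over_privileged_actions(policy)
    if extra:
        raise ValueError(f"policy grants more than Describe access: {extra}")
    return {
        "create_role": {
            "RoleName": role_name,
            "AssumeRolePolicyDocument": json.dumps(ec2_trust_policy()),
        },
        "put_role_policy": {
            "RoleName": role_name,
            "PolicyName": f"{role_name}-policy",
            "PolicyDocument": json.dumps(policy),
        },
    }


if __name__ == "__main__":
    print(json.dumps(role_creation_calls(), indent=2))
```

Run the check in the pipeline that deploys the role; a non-empty result from over_privileged_actions() is the signal that someone has widened the policy beyond what automatic provisioning needs.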

Step 4: Creating an External Elastic Load Balancer

The external ELB will be set up to receive traffic from the Internet and forward it to the pool of CloudGuard Security Gateways.

It is assumed that an internal ELB with the following settings already exists:

  • The internal ELB is in front of a group of internal server instances.

  • The internal ELB is listening on a unique high port (e.g. 8081).

Notes -

  • Classic Load Balancer, Application Load Balancer and Network Load Balancer are supported.

  • These ports cannot be used: ports defined in sk52421 (Ports used by Check Point software), 32768 - 65535 as defined in sk162619 (FWD daemon listening on multiple random high ports), 444, 8082 and 8880. For more information about using ports 80 and 443, see "Using Standard Ports on the Internal ELB Listeners".

  • The Internal ELB name (as defined in AWS) must follow certain restrictions to ensure that the Security Gateway will be able to resolve it properly. For more details, refer to sk116653.

  • Do not add tags to the ELB with keys starting with x-chkp-.

Create an External ELB in your VPC with the following settings:

  • Listens on a public port (e.g. port 80).

  • Sends traffic to the high port (e.g. port 8081).

  • Deployed in the same subnets where you intend to deploy the CloudGuard Auto Scaling group.

  • Has a Security Group that allows traffic from any source to the public port.

  • Health checks should use the same high port (e.g. 8081).

Follow these steps to configure the Application Load Balancer:

  1. Log into the AWS Management Console.

  2. From the menu bar, select Load Balancers > click Create Load Balancer > select Application Load Balancer.

  3. Enter the Load Balancer name.

  4. Check Internet-facing.

  5. Enter the Load Balancer Port and Availability Zones.

  6. Configure the Security Settings.

  7. Configure the Security Groups.

  8. In Configure Routing, enter the port that the Load Balancer will route traffic to.

  9. For Target Group, select a target group or create a new one. Do not register any targets; they are registered at a later stage through the Auto Scaling group.

  10. Review the configuration.

  11. Click Create.

Content Based Routing:

Instead of deploying multiple internal ELBs to route traffic to multiple applications, you can use Content Based Routing with an Application Load Balancer. To do this, follow these steps:

  1. After deploying an Application Load Balancer, open the AWS Management Console.

  2. From the menu bar, click Load Balancers > select an Application Load Balancer > Listeners.

  3. Select the listener that routes the traffic to the applications.

  4. Click View/edit rules and select the plus icon.

  5. Click Insert Rule.

  6. Add the conditions and actions for your application.

  7. Click Save.

Note - Each listener on the Application Load Balancer has a default rule that you cannot remove and is applied to any traffic that does not match any other rule.

Content Based Policy

  1. Verify that Application Control is enabled on the Auto Scaling Security Gateways.

  2. In SmartConsole, from the Navigation Toolbar, select Security Policies.

  3. Select a policy tab such as Standard:

    1. In Access Control, right-click Policy and click Edit Policy.

    2. Select the plus icon on the Access Control pane and click New Layer.

    3. Enter a name for the new policy layer (e.g. Application Control Layer).

    4. Below Blades, select the checkbox Application & URL Filtering.

    5. Click OK.

  4. Select the newly created Access Control Policy Layer.

    For each application, configure an Access Control rule:

    1. Select the Add Rule Above icon.

    2. Configure the rule's Name, Source, Destination, Action, and Track.

    3. Below Services & Applications, select the plus icon and then select the asterisk icon.

    4. Select Custom Application/Site > Application/Site.

    5. Enter a name for the new application, e.g. "application1".

    6. Add the application URL to the list. Regular expressions are supported.

    7. Click OK.

  5. To apply the new rules to existing gateways (new gateways in the Auto Scaling group enforce the policy automatically), click Install Policy.

Follow these steps to configure the Network Load Balancer:

  1. Log into the AWS Management Console.

  2. From the main menu bar, select Load Balancers > click Create Load Balancer > select Network Load Balancer.

  3. Enter the Load Balancer name.

  4. Check "Internet-facing".

  5. Select your VPC and Availability Zones.

  6. In Listeners and routing enter the Load Balancer Port.

  7. For Default action, select a target group or create a new one. Do not register any targets; they are registered at a later stage through the Auto Scaling group.

  8. Review the configuration.

  9. Click Create load balancer.

Notes:

  • For each internal ELB listener, a Security Policy rule is created. By default, the rule's service is a plain TCP service. If the traffic is actually HTTP, HTTPS or SSL\TLS, we recommend changing the service to the HTTP, HTTPS or SSL\TLS service, so that the gateways apply protocol-aware inspection. To do this, tag the internal ELB with the ports of the associated listeners:

    • HTTP:

      • Tag Key: x-chkp-http-ports

      • Tag Value: a colon separated list of port numbers, e.g. 8081:8083:9081

    • HTTPS:

      • Tag Key: x-chkp-https-ports

      • Tag Value: a colon separated list of port numbers, e.g. 8443:8444:9444

    • SSL\TLS:

      • Tag Key: x-chkp-ssl-ports

      • Tag Value: a colon separated list of port numbers, e.g. 8443:8444:9443

        Notes:

        • To apply IPS Protection for the SSL\TLS protocol, enable the IPS Protections Software Blade on the gateways and configure the desired protections with SmartConsole (SSL\TLS IPS Protections are only supported on R80.20).

        • Traffic arriving at the gateways from Load Balancers that terminate connections, i.e. Application Load Balancer and Classic Load Balancer Layer 7, originates from the Load Balancers and is inspected as such (the original client IP is not the source address the gateway sees).

  • One of the Network Load Balancer key features is to preserve the origin's client IP address. Therefore, the automatically added rule allows traffic from Any source. To restrict the traffic that is received from the Network Load Balancer, you can add tags to the internal ELB that determine the allowed traffic by its source IP address.

    To allow traffic from specific IP addresses or networks according to their CIDRs:

    • Tag Key: x-chkp-source-cidrs

    • Tag Value: a list of white space separated network/mask, from which traffic is allowed, e.g. 1.0.0.0/8 192.168.0.0/16

    To allow traffic from a preconfigured SmartConsole object:

    • Tag Key: x-chkp-source-object

    • Tag Value: a single preconfigured SmartConsole object name, from which traffic is allowed, e.g. chkp-allowed-source

      Note: To avoid unexpected behavior, the name of the object must not match the CIDR format.

    Important - These tags can only be used with an External Network Load Balancer.

  • The source IP addresses of the clients are preserved and provided to the Check Point Security Gateway, and not to the internal application.

Note - For HTTPS protocol, you must configure the listeners with HTTPS protocol. In addition, the server's SSL Certificate must be provided. To enable inbound HTTPS Inspection on the Security Gateways, use the same server certificate on the Security Gateways. See "Enabling inbound HTTPS Inspection"

Using Standard Ports on the Internal ELB Listeners

If you set the internal ELB listeners to listen to protocol HTTP, HTTPS or SSL\TLS on their standard ports, i.e. port 80 for HTTP and port 443 for HTTPS or SSL\TLS, the CloudGuard Security Gateways will automatically expect to receive traffic from a custom high port. The default high ports are 9080 for port 80 and 9443 for port 443.

The NAT and Firewall rules will be automatically configured with the custom high port as the origin port and the standard port as the destination port.

To change the default high ports, or to configure multiple internal ELBs to listen to the standard ports, tag the internal ELB as follows:

Tag Key: x-chkp-forwarding

Tag Value: a space separated list of <PROTOCOL>-<ORIGIN-PORT>-<DESTINATION-PORT> items representing the desired forwarding rules.

Replace <PROTOCOL> with a protocol (TCP, HTTP, HTTPS, SSL, UDP or TCP_UDP), <ORIGIN-PORT> with the port that the external ELB forwards traffic to, and <DESTINATION-PORT> with the internal ELB listener port, e.g. "HTTP-9081-80 HTTPS-9444-443 TCP-9022-22 SSL-9444-443".

This modifies the created NAT and Firewall rules to the selected protocol, origin and destination port.

Notes -

  • Each internal ELB that listens to standard ports must be configured with a unique origin port.

  • The external ELB should forward traffic to the configured protocols and origin ports.

Step 5: Deploying the CloudGuard Auto Scaling Group

To launch the Auto Scaling group template, refer to sk111013.

It is assumed that the following is already created and configured:

  • A VPC with a minimum of two Availability Zones, each with a public and private subnet.

  • A workload of servers deployed in the private subnets (possibly part of its own Auto Scaling group).

  • An internal Elastic Load Balancer (ELB) that sends traffic to the workload of servers.

To deploy a web service secured by an Auto Scaling group of Check Point CloudGuard Security Gateways, and automatically complete this configuration, see the AWS Quick Start for Check Point CloudGuard Auto Scaling.

To launch the Transit Gateway template into your AWS account, click here.

  • Newly provisioned Security Gateways automatically receive the most recently published Security Policy. For existing Security Gateways to get the Security Policy after manual changes, you must manually install the policy on the existing Security Gateways.

  • Important - As scaling events occur, Security Gateway objects are automatically created and deleted. Therefore, do not use those objects explicitly in rules and do not manually edit them.

Parameters for Deploying a Security Gateway Auto Scaling into an Existing VPC

VPC Network Configuration:

Parameter Name      Default Value     Description
VPC                 Requires Input    The ID of your existing VPC.
Gateways subnets    Requires Input    The IDs of your existing subnets.

EC2 Instance Configuration:

Parameter Name               Default Value         Description
Gateway Name                 Check-Point-Gateway   The name tag of the Security Gateway instances (optional).
Gateways instance type       c5.xlarge             The instance type of the Security Gateways.
Key name                     Requires Input        The EC2 Key Pair that allows SSH access to the instances.
Root volume size (GB)        100
Enable volume encryption     True                  Encrypt the Auto Scaling instances' volumes with the default AWS KMS key.
Enable AWS Instance Connect  False                 Enable SSH connection over the AWS web console, see sk163494.

Auto Scaling Configuration:

Parameter Name               Default Value    Description
Minimum Gateway group size   2                The minimal number of gateways in the Auto Scaling group.
Maximum Gateway group size   10               The maximal number of gateways in the Auto Scaling group.
Email address                Optional         Notifications about scaling events are sent to this email address (optional).
Gateways target groups       Optional         A comma separated list (no spaces) of Target Group ARNs to associate with the Auto Scaling group (optional).

Check Point Settings:

Parameter Name               Default Value    Description
Gateways version & license   R81-BYOL         The license to use for the Security Gateways.
Admin shell                  /etc/cli.sh      Change the admin shell to enable advanced command line configuration.
Gateways Password hash       Optional         The administrator password hash (see below).
Gateways SIC key             Requires input   The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string of at least 8 alphanumeric characters.
Allow upload & download      True             Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point.
CloudWatch metrics           False            Report Check Point specific CloudWatch metrics.
Gateways bootstrap script    Optional         A script of semicolon (;) separated commands to run on the initial boot (optional).

Run this command to get the password hash:

openssl passwd -6 <PASSWORD>

Omit <PASSWORD> to be prompted for it, so that the clear-text password is not recorded in the shell history.

Automatic Provisioning with Security Management Server Settings:

Parameter Name           Default Value        Description
Gateways addresses       private              Determines whether the gateways are provisioned using their private or public address.
Management Server        management-server    The name that represents the Security Management Server in the automatic provisioning configuration.
Configuration template   ASG-configuration    The name of a gateway configuration template in the automatic provisioning configuration.

Proxy Configuration (optional):

Important - Creating the proxy Load Balancer is possible only from the CloudFormation template.

Parameter Name          Default Value    Description
Proxy type              none             Whether to create an ELB acting as an HTTP/HTTPS proxy for outbound traffic.
Proxy port              8080             The TCP port on which the proxy listens (default is 8080).
Allowed proxy clients   0.0.0.0/0        The CIDR range of the clients of the proxy. The default admits any client that can reach the proxy ELB; restrict it to the subnets that actually need outbound proxying.

Step 6: Post Deployment Configuration

Attaching the External Elastic Load Balancer to the CloudGuard Auto Scaling group

If you have a Target Group ARN in the CloudGuard Auto Scaling group CloudFormation template, then the Load Balancer is attached to your newly deployed CloudGuard Auto Scaling group and you can proceed to section Adding Tags to the Internal Elastic Load Balancer.

Otherwise, it is required to manually attach the external ELB to the CloudGuard Auto Scaling group.

If you created a Network Load Balancer, follow these steps to attach the external ELB to the CloudGuard Auto Scaling group:

  1. Open the Amazon EC2 console.

  2. From the main menu bar, select Target Groups.

  3. Select the target group.

  4. Set the target group's health check as described in Configuring Health check settings for Network Load Balancer's Target Group below.

  5. From the main menu bar, select Auto Scaling Groups.

  6. Select the CloudGuard Auto Scaling group and click Edit.

  7. In the Load Balancing section, select the checkbox next to Network Load Balancer target groups.

  8. Select the Target Group of your External Load Balancer from the list.

  9. Click Update.

Note - If the target groups of the external Network Load Balancer are not all configured with a TCP health check on port 8117, set their health checks to the traffic protocol and port instead.

If you created an Application Load Balancer, follow these steps to attach the external ELB to the CloudGuard Auto Scaling group:

  1. Open the Amazon EC2 console.

  2. From the main menu bar, select Target Groups.

  3. Select the target group.

  4. Set the target group’s health check for the traffic port.

  5. Open the Amazon EC2 console.

  6. From the main menu bar, select Auto Scaling Groups.

  7. Select the CloudGuard Auto Scaling group and click Edit.

  8. In the Load Balancing section, select the checkbox next to Application Load Balancer target groups.

  9. Select the Target Group of your External Load Balancer from the list.

  10. Click Update.

Configuring Health check settings for Network Load Balancer’s Target Group

  1. Open the Amazon EC2 console.

  2. From main menu bar, select Load Balancing > Target Groups.

  3. Select the applicable target group.

  4. Select the Health checks section and click Edit.

  5. Below the Health checks section, select TCP for Health check protocol.

  6. Click on Advanced health check settings.

  7. In the Health check port section, select Override and insert port 8117.

  8. Click Save changes.
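The audit below is an added example, not Check Point code. It applies the health check rules from this section (Network Load Balancer target groups probe TCP port 8117 or the traffic port; Application Load Balancer target groups probe the traffic port) to target group descriptions in the shape returned by boto3's elbv2.describe_target_groups, and for a failing target group returns the arguments you would pass to elbv2.modify_target_group. The sample target groups, their names and ARNs are constructed; nothing here calls AWS.

```python
"""Audit the health checks of the target groups behind the external ELB.

Added example, not Check Point code. TARGET_GROUPS is a constructed sample in
the shape of elbv2.describe_target_groups()["TargetGroups"]; replace it with
the real call. remediation() only builds modify_target_group arguments.
"""
GATEWAY_HEALTH_PORT = "8117"                       # the gateways answer TCP health probes here
NLB_PROTOCOLS = {"TCP", "UDP", "TCP_UDP", "TLS"}   # target group protocols that imply a Network LB


def audit_target_group(tg):
    """Return (ok, reason) for one target group description."""
    hc_proto, hc_port = tg["HealthCheckProtocol"], str(tg["HealthCheckPort"])
    if tg["Protocol"] in NLB_PROTOCOLS:
        if hc_proto == "TCP" and hc_port == GATEWAY_HEALTH_PORT:
            return True, "NLB target group probes the gateway health port 8117"
        if hc_port == "traffic-port":
            return True, "NLB target group probes the traffic port"
        return False, f"NLB target group probes {hc_proto}:{hc_port}; expected TCP:8117 or traffic-port"
    if hc_port == "traffic-port":
        return True, "ALB target group probes the traffic port"
    return False, f"ALB target group probes port {hc_port} instead of the traffic port"


def remediation(tg):
    """modify_target_group arguments that bring a failing target group in line (None if it passes)."""
    ok, _reason = audit_target_group(tg)
    if ok:
        return None
    args = {"TargetGroupArn": tg["TargetGroupArn"]}
    if tg["Protocol"] in NLB_PROTOCOLS:
        args.update(HealthCheckProtocol="TCP", HealthCheckPort=GATEWAY_HEALTH_PORT)
    else:
        args.update(HealthCheckPort="traffic-port")
    return args


def audit(target_groups):
    """Return {target group name: (ok, reason)} for every target group given."""
    return {tg["TargetGroupName"]: audit_target_group(tg) for tg in target_groups}


# Constructed sample: names, ARNs and settings are invented for the example.
_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/{}/0123456789abcdef"
TARGET_GROUPS = [
    {"TargetGroupName": "cg-nlb-tg", "TargetGroupArn": _ARN.format("cg-nlb-tg"),
     "Protocol": "TCP", "Port": 80, "HealthCheckProtocol": "TCP", "HealthCheckPort": "8117"},
    {"TargetGroupName": "cg-nlb-wrong", "TargetGroupArn": _ARN.format("cg-nlb-wrong"),
     "Protocol": "TCP", "Port": 443, "HealthCheckProtocol": "HTTP", "HealthCheckPort": "80"},
    {"TargetGroupName": "cg-alb-tg", "TargetGroupArn": _ARN.format("cg-alb-tg"),
     "Protocol": "HTTP", "Port": 8081, "HealthCheckProtocol": "HTTP", "HealthCheckPort": "traffic-port"},
]

if __name__ == "__main__":
    for name, (ok, reason) in audit(TARGET_GROUPS).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
    for tg in TARGET_GROUPS:
        if remediation(tg):
            print("fix:", remediation(tg))
```

A health check that probes the wrong port marks every gateway unhealthy, and the Auto Scaling group then keeps replacing healthy instances; running this audit after attaching the target group catches that before the first scaling event.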

Adding Tags to the Internal Elastic Load Balancer

For the Security Management Server to recognize your AWS tags, you must add them to the internal ELBs. The Security Management Server is then able to automatically provision the Security Gateways to forward traffic to these internal ELBs.

  1. Open the Amazon EC2 console.

  2. From main menu bar, select Load Balancers > select the internal ELB.

  3. From the Tags tab, add these tags:

    • Tag Key: x-chkp-management
      Tag Value: <MANAGEMENT-NAME>

    • Tag Key: x-chkp-template
      Tag Value: <TEMPLATE-NAME>

    • Tag Key: x-chkp-ignore-ports  (optional)
      Tag Value: <PORTS-LIST>

Where:

  • <MANAGEMENT-NAME> - Specifies the name of the Management Server. Use the same name you used when you executed the autoprov_cfg utility or when you deployed the CloudFormation template (the Management Server parameter, default management-server).

  • <TEMPLATE-NAME> - Specifies the name of the Auto Scaling group's configuration template. Use the same name you used when you executed the autoprov_cfg utility or when you deployed the CloudFormation template (the Configuration template parameter, default ASG-configuration).

Note -

  • The value of the optional tag x-chkp-ignore-ports must be a colon separated list of Load Balancer (frontend) ports that you choose to ignore. Traffic on these ports is not expected to go through the gateways in the Auto Scaling group; for example, these ports can serve traffic that arrives directly at the ELB from peered networks.

  • The internal ELB Security Group must allow, at minimum, the following traffic from the gateway's subnets:

    • All ICMP traffic

    • TCP/UDP traffic to the port to which the internal ELB is listening
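The validator below is an added example, not Check Point code. It checks, before you rely on automatic provisioning, the tag rules from this section and from the notes that follow the load balancer procedures: the required x-chkp-management and x-chkp-template tags, the reserved listener ports named in this guide (444, 8082, 8880 and 32768-65535; the sk52421 list is not reproduced and must be added for your release), the colon separated port lists (x-chkp-http-ports, x-chkp-https-ports, x-chkp-ssl-ports, x-chkp-ignore-ports), the <PROTOCOL>-<ORIGIN-PORT>-<DESTINATION-PORT> items of x-chkp-forwarding, the default high ports 9080 and 9443 for standard-port listeners, the uniqueness of origin ports across internal ELBs, and the source restriction tags, which need an external Network Load Balancer and an object name that does not look like a CIDR. InternalElb and the sample ELBs are constructed stand-ins for what you would read with elbv2.describe_listeners and elbv2.describe_tags.

```python
"""Validate the x-chkp-* tags on internal ELBs before relying on automatic provisioning.

Added example, not Check Point code. InternalElb is a constructed stand-in for
the listener and tag data returned by elbv2.describe_listeners and
elbv2.describe_tags; the rules below are the ones stated in this guide.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Listener ports this guide forbids. The ports in sk52421 are not reproduced
# here: add them to RESERVED_PORTS for your release.
RESERVED_PORTS = {444, 8082, 8880}
RESERVED_RANGE = range(32768, 65536)           # FWD random high ports (sk162619)
DEFAULT_ORIGIN = {80: 9080, 443: 9443}         # standard port -> default high port
PROTOCOLS = {"TCP", "HTTP", "HTTPS", "SSL", "UDP", "TCP_UDP"}
FORWARD_ITEM = re.compile(r"^([A-Z_]+)-(\d{1,5})-(\d{1,5})$")
REQUIRED_TAGS = ("x-chkp-management", "x-chkp-template")
PORT_LIST_TAGS = ("x-chkp-http-ports", "x-chkp-https-ports",
                  "x-chkp-ssl-ports", "x-chkp-ignore-ports")


@dataclass
class InternalElb:
    name: str
    listener_ports: set
    tags: dict = field(default_factory=dict)
    external_lb_type: str = "network"   # type of the external ELB in front of the gateways


def looks_like_cidr(text):
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False


def origin_ports(elb):
    """Map each listener port to the high port the gateways expect from the external ELB."""
    mapping = {p: DEFAULT_ORIGIN.get(p, p) for p in elb.listener_ports}
    for item in elb.tags.get("x-chkp-forwarding", "").split():
        m = FORWARD_ITEM.match(item)
        if m:
            mapping[int(m.group(3))] = int(m.group(2))
    return mapping


def check_elb(elb):
    """Return the problems found on one internal ELB (an empty list means it passed)."""
    problems = []
    for tag in REQUIRED_TAGS:
        if not elb.tags.get(tag):
            problems.append(f"{elb.name}: missing tag {tag}")
    for port in sorted(elb.listener_ports):
        if port in RESERVED_PORTS or port in RESERVED_RANGE:
            problems.append(f"{elb.name}: listener port {port} is reserved")
    for tag in PORT_LIST_TAGS:                    # colon separated port lists
        for item in elb.tags.get(tag, "").split(":"):
            if item and (not item.isdigit() or int(item) not in elb.listener_ports):
                problems.append(f"{elb.name}: {tag} entry {item!r} has no listener")
    for item in elb.tags.get("x-chkp-forwarding", "").split():
        m = FORWARD_ITEM.match(item)
        if not m or m.group(1) not in PROTOCOLS:
            problems.append(f"{elb.name}: bad x-chkp-forwarding item {item!r}")
        elif int(m.group(3)) not in elb.listener_ports:
            problems.append(f"{elb.name}: x-chkp-forwarding destination {m.group(3)} has no listener")
    # Source restriction tags are honoured only behind an external Network Load Balancer.
    source_tags = [t for t in ("x-chkp-source-cidrs", "x-chkp-source-object") if t in elb.tags]
    if source_tags and elb.external_lb_type != "network":
        problems.append(f"{elb.name}: {source_tags} need an external Network Load Balancer")
    for cidr in elb.tags.get("x-chkp-source-cidrs", "").split():
        if not looks_like_cidr(cidr):
            problems.append(f"{elb.name}: invalid CIDR {cidr!r} in x-chkp-source-cidrs")
    obj = elb.tags.get("x-chkp-source-object")
    if obj and looks_like_cidr(obj):
        problems.append(f"{elb.name}: x-chkp-source-object {obj!r} must not look like a CIDR")
    return problems


def check_fleet(elbs):
    """Per-ELB checks plus the cross-ELB rule: every origin (high) port must be unique."""
    problems = [p for elb in elbs for p in check_elb(elb)]
    owner = {}
    for elb in elbs:
        for origin in sorted(origin_ports(elb).values()):
            if origin in owner:
                problems.append(f"{elb.name}: origin port {origin} already used by {owner[origin]}")
            owner.setdefault(origin, elb.name)
    return problems


# Constructed sample: two well tagged ELBs and one that breaks several rules.
BASE_TAGS = {"x-chkp-management": "management-server", "x-chkp-template": "ASG-configuration"}
SAMPLE = [
    InternalElb("app-elb", {8081}, {**BASE_TAGS, "x-chkp-http-ports": "8081",
                                    "x-chkp-source-cidrs": "1.0.0.0/8 192.168.0.0/16"}),
    InternalElb("web-elb", {80, 443}, {**BASE_TAGS, "x-chkp-forwarding": "HTTP-9081-80 HTTPS-9444-443"}),
    InternalElb("bad-elb", {8082, 443}, {"x-chkp-management": "management-server",
                                        "x-chkp-forwarding": "FTP-9021-21",
                                        "x-chkp-source-object": "10.0.0.0/8"},
                external_lb_type="application"),
]

if __name__ == "__main__":
    for problem in check_fleet(SAMPLE):
        print(problem)
```

Run check_fleet() over every internal ELB the Security Management Server will discover, not one at a time: the origin-port uniqueness rule only shows up when two ELBs with standard-port listeners are compared, and a collision there silently routes one application's traffic to the other's NAT rule.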