Deployment Steps

Use the steps listed below to deploy your AWS Auto Scaling Group.

Step 1: Preparing Your AWS Account

Video transcript - This guide walks you through deploying an Auto Scaling Group in AWS. Step 1: Preparing your AWS account. If you do not already have an AWS account, create one. Use the region selector in the AWS console navigation bar to select the AWS region where you want to deploy Check Point CloudGuard Auto Scaling. Click EC2. To create a key pair in your preferred region, in the navigation pane, under Network and Security, select Key Pairs. Select the option to create a new key pair. For Name, enter a descriptive name for the key pair. Select the key pair type. For Private key file format, select the format in which to save the private key. To add a tag to the public key, select Add tag, and enter the key and value for the tag. Create the key pair by clicking the "Create key pair" button. Note that this is the only chance for you to save the private key file. If you have an existing deployment that uses the AWS resources, you may need to request a service limit increase.

To prepare your AWS account, do these steps:

  1. If you do not already have an AWS account, create one at AWS.

  2. Use the region selector in the navigation bar to choose the AWS region where you want to deploy Check Point CloudGuard Auto Scaling on AWS.

  3. Create a key pair in your preferred region.

  4. If necessary, request a service limit increase for the AWS resources you are going to use.

You may have to do this if you have an existing deployment that uses the AWS resources below and this deployment may exceed the default limit.

The resources that may need a service limit increase are:

  • Number of On-demand EC2 instances.

  • Number of Elastic IP addresses.

  • Number of VPCs for each region.

  • Number of Network Load Balancers.

  • Number of Application Load Balancers.

By default, this Deployment guide uses c5.xlarge for the Security Gateways and m5.xlarge for the Security Management Server.

Deployment minimum permissions

For a successful deployment, the relevant IAM policy must have at least the permissions configured below.

In the AWS Console, navigate to the IAM service, select the relevant IAM policy and copy/paste this text:

Step 2: Subscribing to Check Point CloudGuard Network

To subscribe to Check Point CloudGuard Network, do these steps:

  1. Log in to AWS Marketplace.

  2. Select one of these licensing options for Check Point CloudGuard Network Security Gateways:

  3. Select Continue to subscribe.

  4. Select Accept Terms to confirm that you accept the AWS Marketplace license agreement. After accepting the terms, you can continue to Step 3: Deploy the Check Point Security Management Server (SMS).

    Note - Do this step one time for each account subscription.

  5. If you want to deploy a Check Point CloudGuard Security Management Server, repeat Steps 3 and 4 in this procedure and select one of these licensing options:

    Note - If you want to manage more than five Security Gateways, select the BYOL option to purchase a license. Contact Check Point Sales to purchase a license.

Note - In the deployment steps that follow, you are prompted for the licensing information for the Security Gateways and Security Management Server that you selected.

Step 3: Deploy the Check Point Security Management Server (SMS)

We recommend using Smart-1 Cloud (Check Point's Management Server as a Service) to manage the CloudGuard Network AWS Auto Scaling Group.

Refer to Quantum Smart-1 Cloud Administration Guide > Using the settings > Cloud Management Extension (CME) Configuration for step-by-step instructions for enabling CME in Smart-1 Cloud management.

Video transcript - In this guide, we walk you through the steps to enable the Cloud Management Extension in your Smart-1 Cloud account. On the Infinity Portal Smart-1 Cloud portal, go to Settings. Navigate to "CME Configuration". Click General Information. Click the Off button next to CME status to turn it on. Click Confirm. To add a new AWS account, click Accounts. Click New. The Add Account window opens. In the Vendor field, select AWS. Give the account a name. Enter the AWS Access Key ID. Enter the Secret Access Key. Click "Regions" and select a region. You can enter the STS Role ARN of a role to assume, the STS External ID and a list of VPN communities. To complete the new account creation, click "Add". The new account is added to your portal. To add a new Security Gateway configuration template, click "Gateway Configurations". Click the "New" button. The "Add Gateway Configuration" window opens. Give the gateway configuration a name. Enter the Security Gateway version. Select the related account for the Security Gateway configuration. Enter a one-time password. In Access Control, select the policy to install on the Security Gateway. Select the checkbox next to each Access Control and Threat Prevention blade you want to enable on the Security Gateway. To complete the configuration template creation wizard, click "Add". The new Security Gateway configuration template is added.

Other available options to deploy the Check Point Security Management Server are:

  • Deploying a New Security Management Server with a Management CloudFormation Template

  • Using the Existing On-Premises Security Management Server or the Security Management Server in AWS

To configure the Security Management Server to automatically provision newly deployed CloudGuard Security Gateways, refer to sk130372 > Automatic Provisioning with Security Management Server.

Deploying a New Security Management Server with a Management CloudFormation Template

Deploy the Security Management Server separately as described in sk130372.

Then, create an IAM role with the read/write permissions described in Using the Existing On-Premises Security Management Server or the Security Management Server in AWS, or deploy the IAM role with the template, and attach it to the Security Management Server.

Using the Existing On-Premises Security Management Server or the Security Management Server in AWS

In AWS VPC Console, configure the required permissions for the Security Management Server:

Required Permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSubnets",
        "ec2:DescribeRegions",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetHealth"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
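As an added example (not Check Point's code), a small Python check that compares a candidate IAM policy with the required actions listed above and reports both missing actions and wildcard or extra grants; the two sample policies are constructed here for illustration.

```python
# Added example (not Check Point's code): checks a candidate IAM policy
# document against the read-only actions this guide lists for the Security
# Management Server, so a broader policy is caught before it is attached.
import fnmatch
import json

# The actions from the "Required Permissions" document above.
REQUIRED_ACTIONS = {
    "autoscaling:DescribeAutoScalingGroups",
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSubnets",
    "ec2:DescribeRegions",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeTargetGroups",
    "elasticloadbalancing:DescribeRules",
    "elasticloadbalancing:DescribeTargetHealth",
}


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Collect the Action patterns of every Allow statement in a policy
    document given as JSON text or as an already-parsed dict (Deny ignored)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    actions = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions


def review_policy(policy):
    """Return (missing, excess): required actions that no Allow pattern
    covers, and Allow patterns that grant more than the required set
    (any wildcard pattern, or an explicit action not in the list)."""
    patterns = allowed_actions(policy)
    missing = {a for a in REQUIRED_ACTIONS
               if not any(fnmatch.fnmatchcase(a, p) for p in patterns)}
    excess = {p for p in patterns
              if "*" in p or "?" in p or p not in REQUIRED_ACTIONS}
    return missing, excess


# Constructed sample: the guide's minimal policy, with "*" resources as shown.
MINIMAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": sorted(REQUIRED_ACTIONS)}],
}

# Constructed sample of a policy that is both too broad and incomplete:
# "ec2:*" grants far more than the four Describe calls, and the
# autoscaling action is missing entirely.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:*", "elasticloadbalancing:Describe*"]}],
})
```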

Step 4: Creating an External Elastic Load Balancer

Set up an external ELB to receive traffic from the Internet and forward it to the pool of CloudGuard Security Gateways.

It is assumed that an internal ELB with these settings already exists:

  • The internal ELB is in front of a group of internal server instances.

  • The internal ELB is listening on a unique high port (for example, 8081).

Notes -

  • Application Load Balancer and Network Load Balancer are supported.

  • These ports cannot be used: ports defined in sk52421 (Ports used by Check Point software), 32768 – 65535 as defined in sk162619 (FWD daemon listening on multiple random high ports), 444, 8082 and 8880. For more information about using ports 80 and 443, see "Using Standard Ports on the Internal ELB Listeners".

  • The Internal ELB name (as defined in AWS) must follow certain restrictions to ensure that the Security Gateway can resolve it properly. For more details, refer to sk116653.

  • Do not add tags to the ELB with keys starting with x-chkp-.

Create an External ELB in your VPC with these settings:

  • Listens on a public port (for example, port 80).

  • Sends traffic to the high port (for example, port 8081).

  • Deployed in the same subnets where you intend to deploy the CloudGuard Auto Scaling group.

  • Has a Security Group that allows traffic from any source to the public port.

  • Health checks should use the same high port (e.g. 8081).

Video transcript - This guide walks you through the steps to create an Elastic Load Balancer in AWS. In your AWS console, go to the EC2 page and click Load Balancers. Click the arrow next to Create Load Balancer and select Create Application Load Balancer. In the Listeners and routing section, select the protocol and port (HTTP, port 80 in this example), then select a target group or create a new one. Select the applicable VPC. Click Next. Do not register targets on the Register targets page; this is configured at a later stage on the Auto Scaling group. Create the target group. Back on the load balancer creation page, click the refresh button and select the target group. Finally, review the configuration and click Create load balancer.

Follow these steps to configure the Application Load Balancer:

  1. Log into the AWS Management Console.

  2. From the menu bar, select Load Balancers > click Create Load Balancer > select Application Load Balancer.

  3. Enter the Load Balancer name.

  4. Select Internet-facing.

  5. On the Network Mapping section select the VPC to locate the ELB in.

  6. Select the Availability Zones for the ELB, and in each Availability Zone select the applicable external subnet.

  7. In the Security Groups section select at minimum one Security Group.

  8. In Listeners and routing section, enter the protocol and port that the Load Balancer will route traffic to.

  9. For Target Group, select a target group or create a new one. Do not register any targets. These are configured at a later step through the Auto Scaling group.

  10. Review the configuration.

  11. Click Create.

Content Based Routing:

Instead of deploying multiple internal ELBs to route traffic to multiple applications, you can use Content Based Routing with an Application Load Balancer. To do this, follow these steps:

  1. After deploying an Application Load Balancer, open the AWS Management Console.

  2. From the menu bar, click Load Balancers > select an Application Load Balancer > Listeners.

  3. Select the listener that routes the traffic to the applications.

  4. Click View/edit rules and select the plus icon.

  5. Click Insert Rule.

  6. Add the conditions and actions for your application.

  7. Click Save.

Note - Each listener on the Application Load Balancer has a default rule that you cannot remove and is applied to any traffic that does not match any other rule.

Content Based Policy

  1. Verify that the Application Control is enabled on the Auto Scaling Security Gateways.

  2. In SmartConsole, from the Navigation Toolbar, select Security Policies.

  3. Select a policy tab such as Standard.

    1. In the Access Control, right click on Policy and click Edit Policy.

    2. Select the plus icon on the Access Control pane and click New Layer.

    3. Enter a name for the new policy layer (e.g. Application Control Layer).

    4. Below Blades, select the checkbox Application & URL Filtering.

    5. Click OK.

  4. Select the newly created Access Control Policy Layer.

    For each application, it is necessary to configure an Access Control rule.

    1. Select the Add Rule Above icon.

    2. Configure the rule's Name, Source, Destination, Action, and Track.

    3. Below Services & Applications, select the plus icon and then select the asterisk icon.

    4. Select Custom Application/Site > Application/Site.

    5. Enter a name for the new application, e.g. "application1".

    6. Add the application URL to the list. Regular expressions are supported.

    7. Click OK.

  5. To apply the new rules to existing gateways (new gateways in the Auto Scaling group enforce the policy automatically), click Install Policy.

Follow these steps to configure the Network Load Balancer:

  1. Log into the AWS Management Console.

  2. From the main menu bar, select Load Balancers > click Create Load Balancer > select Network Load Balancer.

  3. Enter the Load Balancer name.

  4. Check "Internet-facing".

  5. Select your VPC and Availability Zones.

  6. In Listeners and routing enter the Load Balancer Port.

  7. For Default action, select a target group or create new one. Do not register any targets, these are configured at a later stage through the Auto Scaling group.

  8. Review the configuration.

  9. Click Create load balancer.

Notes:

  • For each internal ELB listener, a Security Policy rule is created. By default, the rule's service is a TCP service. If the traffic is actually HTTP, HTTPS or SSL\TLS, we recommend changing the service to the matching HTTP, HTTPS or SSL\TLS service. To do this, tag the internal ELB with the ports of the associated listeners:

    • HTTP:

      • Tag Key: x-chkp-http-ports

      • Tag Value: a colon separated list of port numbers, e.g. 8081:8083:9081

    • HTTPS:

      • Tag Key: x-chkp-https-ports

      • Tag Value: a colon separated list of port numbers, e.g. 8443:8444:9444

    • SSL\TLS:

      • Tag Key: x-chkp-ssl-ports

      • Tag Value: a colon separated list of port numbers, e.g. 8443:8444:9443

        Notes:

        • To apply IPS Protection for the SSL\TLS protocol, enable the IPS Protections Software Blade on the gateways and configure the desired protections with SmartConsole (SSL\TLS IPS Protections are only supported on R80.20).

        • Traffic arriving at the gateways from Load Balancers that terminate connections, i.e. Application Load Balancer and Classic Load Balancer at Layer 7, originates from the Load Balancers and is inspected as such.

  • One of the key features of the Network Load Balancer is that it preserves the client's original IP address. Therefore, the automatically added rule allows traffic from Any source. To restrict the traffic received from the Network Load Balancer, add tags to the internal ELB that define the allowed traffic by its source IP address.

    To allow traffic from specific IP addresses or networks according to their CIDRs:

    • Tag Key: x-chkp-source-cidrs

    • Tag Value: a list of white space separated network/mask, from which traffic is allowed, e.g. 1.0.0.0/8 192.168.0.0/16

      Example:

    To allow traffic from a pre-configured SmartConsole object:

    • Tag Key: x-chkp-source-object

    • Tag Value: a single pre-configured SmartConsole object name, from which traffic is allowed, e.g. chkp-allowed-source

      Note: To prevent unexpected behavior, the name of the object must not match the CIDR format.

      Example:

    Important - These tags can only be used with an External Network Load Balancer.

  • The source IP addresses of the clients are preserved and provided to the Check Point Security Gateway, and not to the internal application.

Note - For the HTTPS protocol, you must configure the listeners with the HTTPS protocol. In addition, the server's SSL certificate must be provided. To enable inbound HTTPS Inspection on the Security Gateways, use the same server certificate on the Security Gateways. See "Enabling inbound HTTPS Inspection".

Using Standard Ports on the Internal ELB Listeners

If you set the internal ELB listeners to listen on HTTP, HTTPS or SSL\TLS on their standard ports, i.e. port 80 for HTTP and port 443 for HTTPS or SSL\TLS, the CloudGuard Security Gateways automatically expect to receive that traffic on a custom high port. The default high ports are 9080 for port 80 and 9443 for port 443.

The NAT and Firewall rules will be automatically configured with the custom high port as the origin port and the standard port as the destination port.

To change the default high ports, or to configure multiple internal ELBs to listen to the standard ports, tag the internal ELB as follows:

Tag Key: x-chkp-forwarding

Tag Value: a space separated list of <PROTOCOL>-<ORIGIN-PORT>-<DESTINATION-PORT> items representing the desired forwarding rules.

Replace <PROTOCOL> with a protocol (TCP, HTTP, HTTPS, SSL, UDP or TCP_UDP), <ORIGIN-PORT> with the port that the external ELB forwards traffic to, and <DESTINATION-PORT> with the internal ELB listener port, e.g. "HTTP-9081-80 HTTPS-9444-443 TCP-9022-22 SSL-9444-443".

This modifies the created NAT and Firewall rules to the selected protocol, origin and destination port.

Notes -

  • Each internal ELB that listens to standard ports must be configured with a unique origin port.

  • The external ELB should forward traffic to the configured protocols and origin ports.

Step 5: Deploying the CloudGuard Auto Scaling Group

Video transcript - This video demonstrates how to deploy the Auto Scaling group template in AWS. First, make sure you have the prerequisites. Open sk111013 and go to CloudGuard Network for AWS Auto Scale Group. Click the Launch Stack button. The Quick create stack window opens. Give the stack a name. In the Parameters section, select the ID of your existing VPC. For Gateways subnets, select a minimum of two public subnets in the VPC. In the EC2 Instance Configuration, give the gateway a name. The default gateway instance type is c5.xlarge. Select a key pair for SSH access. You can keep the default settings of the other EC2 instance parameters. In the Auto Scaling Configuration section, configure the minimum and maximum number of members in the gateway group. The next two fields are optional: in Gateways target groups, you can enter a list of target groups to associate with the Auto Scaling group. In the Check Point Settings section, select the gateway version to install. Select the gateways' admin shell. Enter the gateways' password hash and maintenance password hash. Enter the gateways' SIC key. Select true for Allow upload & download and false for CloudWatch metrics. You can enter a gateway bootstrap script with semicolon-separated commands. In the Automatic Provisioning with Security Management Server Settings, select whether the gateways are provisioned with their private or public address. management-server is the name that represents the management server. ASG-configuration is the name of a gateway configuration template. Here you can create an ELB acting as an HTTP or HTTPS proxy for outbound traffic. In the Permissions section, you can select the IAM role to use. Accept the acknowledgment in the Capabilities notification and create the stack. The stack creation process can take several moments, after which you receive the CREATE_COMPLETE status message.

To launch the Auto Scale group template, refer to sk111013 > CloudGuard Network for AWS Auto Scale Group.

Prerequisites:

  • A VPC with a minimum of two Availability Zones, each with a public and private subnet.

  • A workload of servers deployed in the private subnets (possibly part of its own Auto Scaling group).

  • An internal Elastic Load Balancer (ELB) that sends traffic to the workload of servers.

To deploy a web service secured by an Auto Scaling group of Check Point CloudGuard Security Gateways, and automatically complete this configuration, see the AWS Quick Start for Check Point CloudGuard Auto Scaling.

To launch the Transit Gateway template into your AWS account, go to sk111013 > CloudGuard Network for AWS Auto Scale Group with Transit Gateway.

  • Newly provisioned Security Gateways automatically receive the most recently published Security Policy. For existing Security Gateways to get the Security Policy after manual changes, you must manually install the policy on the existing Security Gateways.

  • Important - As scaling events occur, Security Gateway objects are automatically created and deleted. Therefore, it is not recommended to use these objects explicitly in rules or to edit them manually.

Parameters for Deploying a Security Gateway Auto Scaling into an Existing VPC

VPC Network Configuration:

  • VPC
    Default value: Requires Input
    Description: The ID of your existing VPC.

  • Gateways subnets
    Default value: Requires Input
    Description: The IDs of your existing subnets.

EC2 Instance Configuration:

  • Gateway Name
    Default value: Check-Point-Gateway
    Description: The name tag of the Security Gateway instances (optional).

  • Gateways instance type
    Default value: c5.xlarge
    Description: The instance type of the Security Gateways.

  • Key name
    Default value: Requires Input
    Description: The EC2 Key Pair to allow SSH access to the instances.

  • Root volume size (GB)
    Default value: 100

  • Enable volume encryption
    Default value: True
    Description: Encrypt the Auto Scaling instances' volumes with the default AWS KMS key.

  • Enable AWS Instance Connect
    Default value: False
    Description: Enable SSH connection over the AWS web console, see sk163494.

  • Metadata HTTP token
    Default value: True
    Description: True deploys the instance with a metadata v2 token.

Auto Scaling Configuration:

  • Minimum Gateway group size
    Default value: 2
    Description: The minimum number of gateways in the Auto Scaling group.

  • Maximum Gateway group size
    Default value: 10
    Description: The maximum number of gateways in the Auto Scaling group.

  • Email address
    Default value: Optional
    Description: Notifications about scaling events are sent to this email address (optional).

  • Gateways target groups
    Default value: Optional
    Description: A list of Target Groups to associate with the Auto Scaling group (comma-separated list of ARNs, without spaces) (optional).

Check Point Settings:

  • Gateways version & license
    Default value: R81.20-BYOL
    Description: The license to use for the Security Gateways.

  • Admin shell
    Default value: /etc/cli.sh
    Description: Change the admin shell to enable advanced command line configuration.

  • Gateways Password hash
    Default value: Optional
    Description: The administrator password hash. Run this command to get the password hash:
    openssl passwd -6 <PASSWORD>

  • Gateways SIC key
    Default value: Requires input
    Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.

  • Allow upload & download
    Default value: True
    Description: Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point.

  • CloudWatch metrics
    Default value: False
    Description: Report Check Point specific CloudWatch metrics.

  • Gateways bootstrap script
    Default value: Optional
    Description: An optional script with semicolon (;) separated commands to run on the initial boot.

Automatic Provisioning with Security Management Server Settings:

  • Gateways addresses
    Default value: private
    Description: Determines whether the gateways are provisioned using their private or public address.

  • Management Server
    Default value: management-server
    Description: The name that represents the Security Management Server in the automatic provisioning configuration.

  • Configuration template
    Default value: ASG-configuration
    Description: The name of a gateway configuration template in the automatic provisioning configuration.

Proxy Configuration (optional):

Important - Creating the Proxy Load Balancer is possible only from the CloudFormation template.

  • Proxy type
    Default value: none
    Description: Whether to create an ELB acting as an HTTP/HTTPS proxy for outbound traffic.

  • Proxy port
    Default value: 8080
    Description: The TCP port on which the proxy listens (default is 8080).

  • Allowed proxy clients
    Default value: 0.0.0.0/0
    Description: The CIDR range of the clients of the proxy.

Step 6: Post Deployment Configuration

Attaching the External Elastic Load Balancer to the CloudGuard Auto Scaling group

If you have a Target Group ARN in the CloudGuard Auto Scaling group CloudFormation template, then the Load Balancer is attached to your newly deployed CloudGuard Auto Scaling group and you can proceed to section Adding Tags to the Internal Elastic Load Balancer.

Otherwise, it is required to manually attach the external ELB to the CloudGuard Auto Scaling group.

If you created a Network Load Balancer, follow these steps to attach the external ELB to the CloudGuard Auto Scaling group:

  1. Open the Amazon VPC console.

  2. From main menu bar, select Target Groups.

  3. Select the target group.

  4. Set the target group's health check (see "Configuring Health check settings for Network Load Balancer's Target Group" below).

  5. Open the Amazon EC2 console.

  6. From the main menu bar, select Auto Scaling Groups.

  7. Select the CloudGuard Auto Scaling group and click Edit.

  8. In the Load Balancing section, select the checkbox next to Network Load Balancer target groups.

  9. Select the Target Group of your External Load Balancer from the list.

  10. Click Update.

Note - If the health check configuration of any external Network Load Balancer target group is not set to protocol TCP and port 8117, set its health check to the traffic protocol and port.

If you created an Application Load Balancer, follow these steps to attach the external ELB to the CloudGuard Auto Scaling group:

  1. Open the Amazon VPC console.

  2. From the main menu bar, select Target Groups.

  3. Select the target group.

  4. Set the target group’s health check for the traffic port.

  5. Open the Amazon EC2 console.

  6. From the main menu bar, select Auto Scaling Groups.

  7. Select the CloudGuard Auto Scaling group and click Edit.

  8. In the Load Balancing section, select the checkbox next to Application Load Balancer target groups.

  9. Select the Target Group of your External Load Balancer from the list.

  10. Click Update.

Configuring Health check settings for Network Load Balancer’s Target Group

  1. Open the Amazon EC2 console.

  2. From main menu bar, select Load Balancing > Target Groups.

  3. Select the applicable target group.

  4. Select the Health checks section and click Edit.

  5. Below the Health checks section, select TCP for Health check protocol.

  6. Click on Advanced health check settings.

  7. In the Health check port section, select Override and insert port 8117.

  8. Click Save changes.

Adding Tags to the Internal Elastic Load Balancer

For the Security Management Server to recognize your AWS tags, you must add them to the internal ELBs. The Security Management Server is then able to automatically provision the Security Gateways to forward traffic to these internal ELBs.

  1. Open the Amazon EC2 console.

  2. From main menu bar, select Load Balancers > select the internal ELB.

  3. From the Tags tab, add these tags:

    • Tag Key: x-chkp-management
      Tag Value: <MANAGEMENT-NAME>

    • Tag Key: x-chkp-template
      Tag Value: <TEMPLATE-NAME>

    • Tag Key: x-chkp-ignore-ports  (optional)
      Tag Value: <PORTS-LIST>

Where:

  • <MANAGEMENT-NAME> - Specifies the name of the Management Server. Use the same name you used when you executed the autoprov_cfg utility or when you deployed the CloudFormation template.

  • <TEMPLATE-NAME> - Specifies the name of the Autoscaling group's template. Use the same name you used when you executed the autoprov_cfg utility or when you deployed the CloudFormation template.

Note -

  • The value for the optional tag x-chkp-ignore-ports must be a colon separated list of Load Balancer ports (frontend ports) that you choose to ignore. Traffic on these ports is not expected to go through the gateways in the Auto Scaling group. For example, these ports can serve traffic that arrives at the ELB directly from peered networks.

  • The internal ELB Security Group must allow, at minimum, the following traffic from the gateways' subnets:

    • All ICMP traffic

    • TCP/UDP traffic to the port to which the internal ELB is listening
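The x-chkp-* tags described in the Step 4 notes, in "Using Standard Ports on the Internal ELB Listeners" and in this section have a fixed format and port restrictions; the following added Python example (not Check Point's code) validates an internal ELB's tag set against those rules offline, on a constructed tag list in the shape boto3's elbv2 describe_tags returns, and also detects x-chkp-forwarding origin ports claimed by more than one internal ELB. The reserved-port list covers only the ports this guide spells out, not the full sk52421 list.

```python
# Added example (not Check Point's code): an offline sanity check of the
# x-chkp-* tags described in this guide, run on a tag list in the shape
# boto3's elbv2 describe_tags returns: [{"Key": ..., "Value": ...}].
import ipaddress

# Ports the guide says an internal ELB listener must not use. The sk52421
# list is not enumerated here; only the ports spelled out in the guide are.
RESERVED_PORTS = {444, 8082, 8880}
RANDOM_HIGH_PORTS = range(32768, 65536)  # FWD daemon range (sk162619)
FORWARDING_PROTOCOLS = {"TCP", "HTTP", "HTTPS", "SSL", "UDP", "TCP_UDP"}
COLON_PORT_TAGS = {"x-chkp-http-ports", "x-chkp-https-ports",
                   "x-chkp-ssl-ports", "x-chkp-ignore-ports"}
SOURCE_TAGS = ("x-chkp-source-cidrs", "x-chkp-source-object")


def _check_port(port_str, tag, errors):
    """Append an error if port_str is not a usable listener port."""
    if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
        errors.append(f"{tag}: '{port_str}' is not a valid port")
    elif int(port_str) in RESERVED_PORTS or int(port_str) in RANDOM_HIGH_PORTS:
        errors.append(f"{tag}: port {port_str} is reserved by Check Point")


def _is_cidr(value):
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def validate_internal_elb_tags(tags, external_lb_type="network"):
    """Return the problems found in one internal ELB's x-chkp-* tags.
    The source-restriction tags are only valid with an external Network LB."""
    errors = []
    kv = {t["Key"]: t["Value"] for t in tags if t["Key"].startswith("x-chkp-")}
    if "x-chkp-management" not in kv or "x-chkp-template" not in kv:
        errors.append("x-chkp-management and x-chkp-template are both required")
    for tag in COLON_PORT_TAGS & set(kv):  # colon separated port lists
        for item in kv[tag].split(":"):
            _check_port(item, tag, errors)
    for item in kv.get("x-chkp-forwarding", "").split():  # PROTO-ORIGIN-DEST
        parts = item.split("-")
        if len(parts) != 3 or parts[0] not in FORWARDING_PROTOCOLS:
            errors.append(f"x-chkp-forwarding: malformed item '{item}'")
            continue
        _check_port(parts[1], "x-chkp-forwarding", errors)
        _check_port(parts[2], "x-chkp-forwarding", errors)
    for tag in SOURCE_TAGS:
        if tag not in kv:
            continue
        if external_lb_type != "network":
            errors.append(f"{tag}: only supported with an external Network LB")
        elif tag == "x-chkp-source-cidrs":
            for net in kv[tag].split():
                if not _is_cidr(net):
                    errors.append(f"{tag}: '{net}' is not a network/mask")
        elif _is_cidr(kv[tag]):  # object name must not match the CIDR format
            errors.append(f"{tag}: object name '{kv[tag]}' matches CIDR format")
    return errors


def duplicate_origin_ports(elbs):
    """elbs: {elb_name: tags}. Return origin ports that more than one internal
    ELB claims via x-chkp-forwarding; the guide requires them to be unique."""
    claims = {}
    for name, tags in elbs.items():
        kv = {t["Key"]: t["Value"] for t in tags}
        for item in kv.get("x-chkp-forwarding", "").split():
            parts = item.split("-")
            if len(parts) == 3:
                claims.setdefault(parts[1], set()).add(name)
    return {port: sorted(names) for port, names in claims.items() if len(names) > 1}


# Constructed sample: a correctly tagged internal ELB, values taken from the guide.
SAMPLE_TAGS = [
    {"Key": "Name", "Value": "internal-web-elb"},
    {"Key": "x-chkp-management", "Value": "management-server"},
    {"Key": "x-chkp-template", "Value": "ASG-configuration"},
    {"Key": "x-chkp-http-ports", "Value": "8081:8083:9081"},
    {"Key": "x-chkp-forwarding", "Value": "HTTP-9081-80 HTTPS-9444-443 TCP-9022-22"},
    {"Key": "x-chkp-source-cidrs", "Value": "1.0.0.0/8 192.168.0.0/16"},
]
```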