Deployment Steps

Use the steps listed below to deploy your AWS Security Cluster (two or more Security Gateways that work together in a redundant configuration - High Availability or Load Sharing).

Step 1: Prepare Your AWS Account

To prepare your AWS account, do these steps:

  1. If you do not already have an AWS account, create one at AWS.

  2. Use the region selector in the navigation bar to choose the AWS region where you want to deploy Check Point CloudGuard Auto Scaling on AWS.

  3. Create a key pair in your preferred region.

  4. If necessary, request a service limit increase for the AWS resources you are going to use.

    You may have to do this if you have an existing deployment that already uses the AWS resources below, so that this deployment would exceed the default limit.

    The resources that may need a service limit increase are:

    • Number of On-demand EC2 instances.

    • Number of Elastic IP addresses.

    • Number of VPCs for each region.

By default, this Deployment guide uses c5.xlarge for the Security Gateways.

Deployment minimum permissions

For a successful deployment, the relevant IAM policy must have at least the permissions configured below.

In the AWS VPC Console (AWS Virtual Private Cloud: a private cloud that exists in the public cloud of Amazon and is isolated from other Virtual Networks in the AWS cloud), navigate to the IAM service, select the relevant IAM policy, and copy/paste this text:

Step 2: Subscribing to Check Point CloudGuard Network

To subscribe to Check Point CloudGuard Network, do these steps:

  1. Log in to AWS Marketplace.

  2. Select one of these licensing options for Check Point CloudGuard Security Gateways:

    1. CloudGuard Network Security with Threat Prevention & Sandblast BYOL

    2. CloudGuard Network Security Next-Gen Firewall with Threat Prevention (PAYG-NGTP)

    3. CloudGuard Network Security with Threat Prevention and Sandblast (PAYG-NGTX)

  3. Select Continue to subscribe.

  4. To confirm that you accept the AWS Marketplace license agreement, select Accept Terms.

Step 3: Deploying the Check Point Security Cluster

Use one of these options to deploy the Check Point Security Cluster.

Manually Deploying a Check Point Cluster in AWS

If you have used the CloudFormation templates to deploy the Check Point Cluster in AWS, skip to Configuring a Check Point Cluster in SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on).

Create an IAM role

In this step, we create an IAM role and an Instance Profile. When you launch the Check Point Cluster Members, you pass them this role. It allows the Cluster Members to automatically change the VPC environment (route tables and secondary private IP addresses) when a cluster failover occurs.

Note - Only privileged AWS users can create IAM roles.

  1. Go to https://console.aws.amazon.com/iam/home#home

  2. Go to Policies > select Create policy

  3. Select JSON and paste the following policy (it allows access to all accounts and VPCs):

    Example of a JSON policy document

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2:DescribeRouteTables",
            "ec2:ReplaceRoute",
            "ec2:AssignPrivateIpAddresses",
            "ec2:DescribeNetworkInterfaces",
            "ec2:CreateRoute"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
  4. Go to Roles > select Create role.

  5. In Choose a use case, select EC2.

  6. In Attach permissions policies, locate and select the policy you created in the previous steps.

Creating the VPC Environment

These steps give a high-level description about how to create a VPC environment.

  1. Create a VPC.

  2. Create an Internet Gateway in the VPC.

  3. Create the external and internal subnets.

  4. Create a route table and associate it with the external subnet, then add a default route that points to the Internet Gateway.

The Check Point Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) can enforce a more sophisticated Security Policy (a collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection), making the VPC security groups redundant. This procedure explains how to create a permissive VPC security group to prevent a possible conflict between the VPC security groups and the Check Point Security Policy.

To create a new security group:

  1. Go to EC2.

  2. Select Security Groups in the left menu.

  3. Click Create Security Group.

    1. In the Group name field, enter the group name - PermissiveSecGrp.

    2. In the Description field, enter: Permissive Security Group.

    3. In the VPC field, select the VPC.

    4. Click Yes > select Create.

  4. Create a new rule (a set of traffic parameters and other conditions in a Rule Base that cause specified actions to be taken for a communication session) for this Security Group that accepts all traffic from any source address:

    1. In the Security Groups list, select the new PermissiveSecGrp.

    2. Go to the Inbound Rules tab > click Edit inbound rules.

    3. Create a new rule that accepts all traffic from any source address.

    4. Click Save Rules.

Launch the Cluster Members

Launch a Check Point CloudGuard Network Security instance from the AWS marketplace.

Use these settings:

  1. Choose an Instance Type: c5, c5n and m5 types are supported.

  2. In the Network field, select your VPC.

  3. In the Subnet field, select your external subnet.

  4. In the IAM role field, select the IAM role you created in the previous steps (refer to section "Create an IAM role" above).

    Note - To assign the IAM role to the instance, it is necessary to have special IAM privileges.

    For more information, see Granting Permission to Launch EC2 Instances with IAM Roles ("iam:PassRole" Permission).

  5. In the Network interfaces section > Primary IP field, enter the member's external private IP address (in our example - 10.0.0.20).

  6. When prompted to select a Security Group, use the permissive group you created in the previous steps (refer to section Creating the VPC Environment).

  7. Launch the instance.

  8. After the instance starts, go to EC2 > Network Interfaces > Create network interface.

  9. Enter the necessary information:

    • Description: "Internal interface"

    • Subnet: select the subnet 10.0.1.0/24 (in our example)

    • Private IP: 10.0.1.20 (in our example)

    • Security Group: select the permissive group created in the previous steps (refer to section Creating the VPC Environment above - "To create a new security group")
  10. Attach the interface to the Cluster Member instance (a Cluster Member is a Security Gateway that is part of a cluster).

  11. To add additional interfaces, repeat the above steps.

  12. Right-click each interface that you created and disable the source/destination check.

  13. Allocate an elastic IP address, or select an available one.

  14. Associate the elastic IP address with the external private IP address of the instance (in our example - 10.0.0.20). We use this IP address to manage the Cluster Member.

Check Point First Time Configuration Wizard

Do these steps from vSEC Gateway for Amazon Web Services Getting Started Guide, "Installing and Configuring the vSEC Gateway":

  1. Enter password for admin user.

  2. Enter an Activation Key (it is used later in SmartConsole to establish trust with the Cluster Member; see Step 5: Configuring a Check Point Cluster in SmartConsole).

  3. Select the checkbox Enable cluster membership for this gateway.

  4. Click Go.

Repeat the above steps to launch a second Cluster Member instance.

On Member A (but not on Member B):

  1. Add a secondary private IP address to the External interface.

  2. Assign another elastic IP address to the External interface (this IP address is used as the Cluster public IP address).

  3. Add a secondary private IP address to the internal interface.

Deploying Cluster CloudFormation Template

To launch the Security Cluster template into your AWS account, click here, and find Security Cluster.

Notes -

  • When you deploy this template, it is not necessary to run the Check Point First Time Configuration Wizard. Instead, the First Time Configuration Wizard is executed automatically, and the Cluster Members restart one time.

  • When you deploy the Check Point Cluster into an existing VPC using the CloudFormation template, it automatically creates an AWS route table and associates the internal subnet with it. This routes all traffic leaving the subnet through the Check Point Cluster member.

Parameters for Deploying a Security Cluster into a New VPC

VPC Network Configuration:

| Parameter Name | Default Value | Description |
|---|---|---|
| VPC CIDR | 10.0.0.0/16 | The CIDR block for the VPC. |
| Availability Zone | Requires input | The availability zone in which to deploy the cluster. |
| Public subnet CIDR | 10.0.10.0/24 | The external subnet of the cluster. The cluster's public IPs will be generated from this subnet. |
| Private subnet CIDR | 10.0.11.0/24 | The internal subnet of the cluster. The cluster's private IPs will be generated from this subnet. |

EC2 Instance Configuration:

| Parameter Name | Default Value | Description |
|---|---|---|
| Gateway Name | Check-Point-Cluster | The name tag of the Security Gateway instances (optional). |
| Security Gateways instance type | c5.xlarge | The instance type of the Security Gateway. |
| Key name | Requires input | The EC2 Key Pair to allow SSH access to the instance. |
| Allocate Elastic IPs | True | Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. |
| Root volume size (GB) | 100 | |
| Volume encryption KMS key identifier | alias/aws/ebs | KMS or CMK key identifier. Use a key ID, alias or ARN. A key alias must be prefixed with 'alias/' (e.g. for the KMS default alias 'aws/ebs', enter 'alias/aws/ebs'). |
| Enable AWS Instance Connect | False | Enable SSH connection over the AWS web console, see sk163494. |
| Existing IAM role name | Optional | A predefined IAM role to attach to the cluster profile. |

Check Point Settings:

| Parameter Name | Default Value | Description |
|---|---|---|
| Version & license | "version"-"license" | The license to use for the Security Gateways. By default, "version" points to the current recommended version and "license" is set to NGTX. |
| Admin shell | /etc/cli.sh | Change the admin shell to enable advanced command line configuration. |
| Password hash | Optional | The administrator password hash. Run this command to get the password hash: openssl passwd -6 <PASSWORD> |
| SIC key | Requires input | The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. |

Quick Connect to Smart-1 Cloud:

Smart-1 Cloud (Check Point's management server as a Service) is a recommended option to start using CloudGuard Network Security Gateways.

| Parameter Name | Default Value | Description |
|---|---|---|
| Smart-1 Cloud Token for member A | Requires input | Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields. |
| Smart-1 Cloud Token for member B | Requires input | Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields. |

Advanced Settings:

| Parameter Name | Default Value | Description |
|---|---|---|
| Resources prefix tag | Optional | Name tag prefix of the resources. |
| Gateway Hostname | Optional | The host name will be appended with member-a/b accordingly. |
| Allow upload & download | True | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point. |
| Bootstrap Script | Optional | An optional script with semicolon (;) separated commands to run on the initial boot. |
| Primary NTP server | 169.254.169.123 (Optional) | Option to input a different Primary NTP server. |
| Secondary NTP server | 0.pool.ntp.org (Optional) | Option to input a different Secondary NTP server. |

Parameters for Deploying a Security Cluster into an Existing VPC

VPC Network Configuration:

| Parameter Name | Default Value | Description |
|---|---|---|
| VPC | Requires input | The ID of your existing VPC. |
| Public subnet | Requires input | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet. |
| Private subnet | Requires input | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet. |
| Internal route table | Optional | Set the 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). The route table cannot have an existing 0.0.0.0/0 route. If empty, traffic will not be routed through the Security Cluster; this requires manual configuration of the route table. |

EC2 Instance Configuration:

| Parameter Name | Default Value | Description |
|---|---|---|
| Gateway Name | Check-Point-Cluster | The name tag of the Security Gateway instances (optional). |
| Security Gateways instance type | c5.xlarge | The instance type of the Security Gateway. |
| Key name | Requires input | The EC2 Key Pair to allow SSH access to the instance. |
| Allocate Elastic IPs | True | Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. |
| Root volume size (GB) | 100 | |
| Volume encryption KMS key identifier | alias/aws/ebs | KMS or CMK key identifier. Use a key ID, alias or ARN. A key alias must be prefixed with 'alias/' (e.g. for the KMS default alias 'aws/ebs', enter 'alias/aws/ebs'). |
| Enable AWS Instance Connect | False | Enable SSH connection over the AWS web console, see sk163494. |
| Existing IAM role name | Optional | A predefined IAM role to attach to the cluster profile. |

Check Point Settings:

| Parameter Name | Default Value | Description |
|---|---|---|
| Version & license | "version"-"license" | The license to use for the Security Gateways. By default, "version" points to the current recommended version and "license" is set to NGTX. |
| Admin shell | /etc/cli.sh | Change the admin shell to enable advanced command line configuration. |
| Password hash | Optional | The administrator password hash. Run this command to get the password hash: openssl passwd -6 <PASSWORD> |
| SIC key | Requires input | The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. |

Quick Connect to Smart-1 Cloud:

Smart-1 Cloud (Check Point's management server as a Service) is a recommended option to start using CloudGuard Network Security Gateways.

| Parameter Name | Default Value | Description |
|---|---|---|
| Smart-1 Cloud Token for member A | Requires input | Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields. |
| Smart-1 Cloud Token for member B | Requires input | Follow the instructions in sk180501 to create tokens for each member and paste them into the applicable fields. |

Advanced Settings:

| Parameter Name | Default Value | Description |
|---|---|---|
| Resources prefix tag | Optional | Name tag prefix of the resources. |
| Gateway Hostname | Optional | The host name will be appended with member-a/b accordingly. |
| Allow upload & download | True | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point. |
| Bootstrap Script | Optional | An optional script with semicolon (;) separated commands to run on the initial boot. |
| Primary NTP server | 169.254.169.123 (Optional) | Option to input a different Primary NTP server. |
| Secondary NTP server | 0.pool.ntp.org (Optional) | Option to input a different Secondary NTP server. |

Step 4: Deploy the Check Point Security Management Server

We recommend that you use Smart-1 Cloud (Check Point's management server as a Service) to manage CloudGuard Network Security Gateways.

Refer to sk180501 for step-by-step instructions for connecting CloudGuard Network Public Cloud Gateways to Smart-1 Cloud management.

You can also use one of these options to deploy the Check Point Security Management Server.

Step 5: Configuring a Check Point Cluster in SmartConsole

  1. Connect with SmartConsole to the Security Management Server / Domain Management Server.

  2. Click New > select Cluster.

  3. Click Wizard Mode.

  4. Define the cluster's general properties:

    1. In the Cluster Name field, enter the desired name for cluster object (in our example - Cluster1).

    2. In the Cluster IPv4 Address field, enter the cluster's external private IP address (in our example - 10.0.0.10).

    3. In the Choose the Cluster's Solution list, select Check Point ClusterXL and High Availability.

    4. Click Next.

  5. Define Cluster Members:

    1. Member A:

      1. Click Add > select New Cluster Member.

      2. In the Name field, enter the desired member's name (in our example: Member_A).

      3. In the IPv4 Address field, enter the member's Elastic IP address (in our example: 198.51.100.20).

      4. In the Activation Key field, enter the activation key you created earlier (refer to section "Check Point First Time Configuration Wizard").

      5. Click Initialize.

      6. Click OK.

    2. Member B:

      1. Click Add > select New Cluster Member.

      2. In the Name field, enter the desired member's name (in our example - Member_B).

      3. In the IPv4 Address field, enter the member's Elastic IP address (in our example - 198.51.100.30).

      4. In the Activation Key field, enter the activation key you created earlier (refer to section "Check Point First Time Configuration Wizard").

      5. Click Initialize.

      6. Click OK.

    3. After adding both Cluster Members, click Next.

  6. To start configuring the topology of the cluster, click Next.

  7. Configure the Internal Virtual IP address (in our example: 10.0.1.10 / 255.255.255.0).

  8. Click Next.

  9. Configure the External Virtual IP address (in our example:  10.0.0.10 / 255.255.255.0).

  10. Click Next.

    A warning appears that synchronization network was not defined.

    Click Yes.

  11. The Cluster definition wizard is now complete.

    Select the checkbox Edit Cluster's Properties > click Finish.

  12. Cluster properties window opens.

    Go to Network Management > double click This Network.

  13. Choose Cluster + Sync for Network Type.

  14. On each Network interface, click Edit and disable Anti-Spoofing.

  15. Verify the settings, then click OK to close the cluster object properties.

  16. In R82 and higher, after configuring the cluster object and cluster members, you must change the Hardware type of the Security Gateway objects that report to the Security Management Server.

    For that:

    1. In SmartConsole, double-click the cluster object to open its properties.

    2. On the General Properties page, in the Platform section, click Get.

      The value in the Hardware field must change from Open Server to CloudGuard IaaS.

    3. Click OK to save the changes and close cluster object properties.

    As a result, on the Summary tab of this cluster object, a CloudGuard Network logo with a green mark is displayed.

  17. Install policy on the cluster members.

Step 6: Configure NAT Rules

In SmartConsole, create the NAT rules below to provide Internet connectivity from the internal subnets:

| No. | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On | Comments |
|---|---|---|---|---|---|---|---|---|
| 1 | Virtual Private Cloud | Virtual Private Cloud | *Any | = Original | = Original | = Original | Cluster object | Avoid NAT in the Virtual Private Cloud |
| 2 | App-subnet | App-subnet | *Any | = Original | = Original | = Original | Cluster object | |
| 3 | App-subnet | *Any | *Any | App-subnet (hidden address) | = Original | = Original | Cluster object | |
| 4 | Web-subnet | Web-subnet | *Any | = Original | = Original | = Original | Cluster object | |
| 5 | Web-subnet | *Any | *Any | Web-subnet (hidden address) | = Original | = Original | Cluster object | |

Notes about NAT rules:

  • The Cluster IPs and Cluster member IPs must be excluded from the Original Source column of the NAT rules.

    The cluster members must have outbound traffic for updates and for communication with the management server (when managed using the members' public IPs).

    Including the Cluster IPs in the Original Source of a NAT rule causes all of their traffic to go through the active member, resulting in connectivity issues to the internet from the standby member.

  • Rule 1 - You have to define this NAT rule manually.

  • Rules 2 - 5 - SmartConsole creates these NAT rules automatically.

  • Traffic between the internal subnets is based on the route table rules.

For each internal subnet, create a network object:

  1. Double-click the Web-subnet object. The Web-subnet object window opens.

  2. Select the NAT tab > Add automatic address translation rules.

  3. In the Translation method field, select Hide > Hide Behind Gateway.

  4. In the Install on Gateway field, select the cluster object.

  5. Click OK. This creates the automatic NAT rules.

  6. Install the applicable Access Control Policy on the cluster object.

Step 7: Post Deployment - Add Route to Active Member

Create a route table and associate it with the internal subnet, then add a default route that points to the Active member's internal interface.

Step 8: Reviewing and Testing the Deployment

  1. Use the cphaprob state command and the cphaprob -a if command on each Cluster Member to validate that the cluster is operating correctly.

    The output of the cphaprob state command on both Cluster Members must show identical information (except the "(local)" string).

    Example:

    [Expert@HostName:0]# cphaprob state
    Cluster Mode:   High Availability (Active Up) with IGMP Membership
    Number     Unique Address  Assigned Load   State
    1 (local)  10.0.1.20       0%              Active
    2          10.0.1.30       100%            Standby
  2. Simulate a cluster failover.

    Examples:

    • Shut down the internal interface of the Active Cluster Member and run:

      clusterXL_admin down

    • Reboot the Active Cluster Member instance from the AWS console.

    After a few seconds, the second Cluster Member reports itself as the Active member.

    Go to the AWS Console and confirm that:

    • All secondary private IP addresses that were assigned to the 1st member are now assigned to the 2nd member.
    • In all routing tables associated with internal subnets in the VPC, the default route is pointing to the internal interfaces of the member that has taken over.

    Note - You might need to refresh the AWS Console to see the changes.

  3. Verify that the Active Cluster Member is the instance that was deployed with the secondary private IP addresses:

    1. Open the Amazon EC2 console.
    2. In the left navigation pane, select Instances.
    3. Select the Active Cluster Member.
    4. In the Description tab, verify that there are two private IP addresses in the Secondary private IPs field.
      If not, simulate a cluster failover as described in step 2.
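The AWS Console checks in steps 2 and 3 above can also be scripted. The following is an added example, not code from this guide or from Check Point: it runs offline against data shaped like the EC2 describe_route_tables and describe_network_interfaces responses, with instance and ENI IDs that are constructed placeholders, and it also includes the pre-deployment check that the template's Internal route table parameter requires (no existing 0.0.0.0/0 route).

```python
from typing import Dict, List, Optional

# Sample state, constructed to match the guide's addresses after member B has
# taken over: the internal VIP 10.0.1.10 and external VIP 10.0.0.10 are the
# secondary private IPs that must follow the Active member.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-internal", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-b-int"},
    ]},
]
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-a-ext", "Attachment": {"InstanceId": "i-member-a"},
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.0.20", "Primary": True}]},
    {"NetworkInterfaceId": "eni-a-int", "Attachment": {"InstanceId": "i-member-a"},
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.20", "Primary": True}]},
    {"NetworkInterfaceId": "eni-b-ext", "Attachment": {"InstanceId": "i-member-b"},
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.0.30", "Primary": True},
                            {"PrivateIpAddress": "10.0.0.10", "Primary": False}]},
    {"NetworkInterfaceId": "eni-b-int", "Attachment": {"InstanceId": "i-member-b"},
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.30", "Primary": True},
                            {"PrivateIpAddress": "10.0.1.10", "Primary": False}]},
]
CLUSTER_SECONDARY_IPS = ["10.0.0.10", "10.0.1.10"]


def default_route_target(route_table: Dict) -> Optional[str]:
    """Return the ENI that the table's 0.0.0.0/0 route points at, or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("NetworkInterfaceId")
    return None


def route_table_ready_for_template(route_table: Dict) -> bool:
    """Pre-deployment check: the template's 'Internal route table' parameter
    rejects a table that already carries a 0.0.0.0/0 route."""
    return default_route_target(route_table) is None


def owner_of_ip(enis: List[Dict], ip: str) -> Optional[str]:
    """Return the instance ID holding `ip` on any of its interfaces."""
    for eni in enis:
        for addr in eni.get("PrivateIpAddresses", []):
            if addr.get("PrivateIpAddress") == ip:
                return eni.get("Attachment", {}).get("InstanceId")
    return None


def verify_failover(route_tables: List[Dict], enis: List[Dict],
                    active_instance: str, active_internal_eni: str,
                    secondary_ips: List[str]) -> List[str]:
    """Return findings; an empty list means the takeover completed as expected:
    every internal route table defaults to the Active member's internal ENI and
    every cluster secondary IP sits on the Active member."""
    findings = []
    for rt in route_tables:
        target = default_route_target(rt)
        if target != active_internal_eni:
            findings.append(f"{rt['RouteTableId']}: default route -> {target}, "
                            f"expected {active_internal_eni}")
    for ip in secondary_ips:
        owner = owner_of_ip(enis, ip)
        if owner != active_instance:
            findings.append(f"{ip}: held by {owner}, expected {active_instance}")
    return findings


if __name__ == "__main__":
    # After failover to member B the sample state yields no findings.
    print(verify_failover(SAMPLE_ROUTE_TABLES, SAMPLE_ENIS,
                          "i-member-b", "eni-b-int", CLUSTER_SECONDARY_IPS))
```

To run it against a live account, feed the functions the "RouteTables" and "NetworkInterfaces" lists returned by the corresponding AWS CLI or boto3 calls in place of the sample data.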