
Deployment Steps

In This Section:

Step 1: Preparing Your AWS Account

Step 2: Subscribing to Check Point CloudGuard IaaS

Step 3: Deploying Security Transit VPC

Step 4: Reviewing and Testing the Deployment

Step 1: Preparing Your AWS Account

1. If you do not already have an AWS account, create one at AWS.

2. Use the region selector in the navigation bar to choose the AWS region where you want to deploy Check Point CloudGuard Auto Scaling on AWS.

3. Create a key pair in your preferred region.

4. If necessary, request a service limit increase for the AWS resources you are going to use.

   You may have to do this if you have an existing deployment that already uses the AWS resources below, because this deployment could push you past the default limit.

   The resources that may need a service limit increase are:

     • Number of On-demand EC2 instances.
     • Number of Elastic IP addresses.
     • Number of VPCs per region.
     • Number of VPN connections per region.
     • Number of virtual private gateways per region.
     • VPN connections per VPC.

   By default, this Deployment Guide uses c4.xlarge for the Security Gateways and m4.xlarge for the Security Management Server.

Step 2: Subscribing to Check Point CloudGuard IaaS

1. Log in to AWS Marketplace.

2. Select one of these licensing options for Check Point CloudGuard Security Gateways:

3. Select Continue to subscribe.

4. Select Accept Terms to confirm that you accept the AWS Marketplace license agreement.

5. If you want to deploy a Check Point CloudGuard Security Management Server, repeat Step 3 and Step 5 in this procedure and select one of these licensing options:

     • CloudGuard IaaS Security Management (BYOL)
     • CloudGuard IaaS Security Management for five Security Gateways (PAYG-MGMT5)

   Note - If you want to manage more than five Security Gateways, select the BYOL option to purchase a license. Contact Check Point Sales to purchase a license.

When you deploy the Transit VPC in the steps that follow, you are prompted for the licensing information for the Security Gateways and Security Management Server that you selected.

Step 3: Deploying Security Transit VPC

Select one of these options to launch the Transit VPC template into your AWS account:

  • Deploy Check Point CloudGuard IaaS Transit into a new VPC on AWS - CloudFormation template: New VPC; direct link: Launch new VPC.
  • Deploy Check Point CloudGuard IaaS Transit into an existing VPC on AWS - CloudFormation template: Existing VPC; direct link: Launch existing VPC.

Important - If you deploy Check Point CloudGuard IaaS Transit into an existing VPC, make sure that your VPC has:

Each deployment might take approximately 30 minutes to complete.

Parameters for Deploying Security Transit into a New VPC

General Settings:

VPC CIDR (default: 10.0.0.0/16)
  Specifies the CIDR block for the VPC.

Availability Zones (requires input)
  Specifies the Availability Zones you want to use for resource distribution.
  This field displays the available zones within your selected region. You must select two Availability Zones from this list. The logical order of your selections is preserved in your deployment.

Public Subnet 1 (default: 10.0.0.0/24)
  Specifies the CIDR block for the public (DMZ) subnet located in Availability Zone 1.

Public Subnet 2 (default: 10.0.2.0/24)
  Specifies the CIDR block for the public (DMZ) subnet located in Availability Zone 2.

Private Subnet 1 (default: 10.0.1.0/24)
  Specifies the CIDR block for the private subnet located in Availability Zone 1.

Private Subnet 2 (default: 10.0.3.0/24)
  Specifies the CIDR block for the private subnet located in Availability Zone 2.

Key name (requires input)
  Specifies the public/private key pair that allows you to connect securely to your instance after it launches.
  This is the key pair you created in your preferred region when you prepared your AWS account.

Transit tag (default: Transit)
  Specifies the tag that the Security Management Server uses to provision the Security Gateways automatically.
  Must contain up to 12 alphanumeric characters.
  Must be unique for each Quick Start deployment.

Allow upload and download (default: True)
  Specifies whether to automatically download the Software Blades contracts and other important data.
  Improves product experience by sending data to Check Point.

Configuration of Check Point CloudGuard IaaS Transit Gateways:

Instance type (default: c4.xlarge)
  Specifies the EC2 instance type for the Security Gateway.

BGP ASN (default: 65000)
  Specifies the organization's Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways.

License (default: R80.10-BYOL)
  Specifies the license to use for the Security Gateways.
  See Step 2 for the licensing options.
  You must have a subscription to the corresponding AMI in the AWS Marketplace.

Password hash (optional)
  Specifies the administrator password hash.
  Use this command to get the password hash:

  openssl passwd -1 <PASSWORD>

SIC key (requires input)
  Specifies the one-time Activation Key.
  Enter a string that consists of at least 8 alphanumeric characters.

Configuration of the Check Point CloudGuard IaaS Security Management Server:

Deploy management server (default: Yes)
  Configure "No" if you want:
    • To use an existing Security Management Server, or to deploy a Security Management Server later.
    • To ignore the other parameters of this section.

Default VPN access (default: Drop)
  If the Spoke VPCs are trusted, you can configure "Accept" to allow all traffic between the Spoke VPCs.

Instance type (default: m4.xlarge)
  Specifies the EC2 instance type of the Security Management Server.

License (default: R80.10-PAYG-MGMT5)
  Specifies the license to install on the Security Management Server.

Password hash (optional)
  Specifies the administrator password hash.
  Use this command to get the password hash:

  openssl passwd -1 <PASSWORD>

Default Blades (default: On)
  Configure "Off" if you want to disable the IPS, Application Control, Anti-Virus, and Anti-Bot Software Blades.
  After the deployment, you can manually enable and disable these and additional Software Blades.

Administrator addresses (requires input)
  Specifies the allowed IP addresses from which you can connect to the Security Management Server with HTTP, HTTPS, SSH, and GUI clients.

Gateways addresses (default: 10.0.0.0/16)
  Specifies the CIDR IP range that is permitted to access the Security Management Server.
  Only gateways with IP addresses from this network can communicate with the Security Management Server.

Parameters for Deploying Security Transit into an Existing VPC

General Settings:

VPC (requires input)
  Specifies the ID of your existing VPC.

Public Subnet 1 (requires input)
  Specifies the ID of an existing subnet inside the VPC for the first Security Gateway.

Public Subnet 2 (requires input)
  Specifies the ID of an existing subnet inside the VPC for the second Security Gateway.

Private Subnet 1 (requires input)
  Specifies the ID of an existing private subnet inside the VPC for the first Security Gateway.

Private Subnet 2 (requires input)
  Specifies the ID of an existing private subnet inside the VPC for the second Security Gateway.

Key name (requires input)
  Specifies the public/private key pair that allows you to connect securely to your instance after it launches.
  This is the key pair you created in your preferred region when you prepared your AWS account.

Transit tag (default: Transit)
  Specifies the tag that the Security Management Server uses to provision the Security Gateways automatically.
  Must contain up to 12 alphanumeric characters.
  Must be unique for each Quick Start deployment.

Allow upload and download (default: True)
  Specifies whether to automatically download the Software Blades contracts and other important data.
  Improves product experience by sending data to Check Point.

Configuration of Check Point CloudGuard IaaS Transit Gateways:

Instance type (default: c4.xlarge)
  Specifies the EC2 instance type for the Security Gateway.

BGP ASN (default: 65000)
  Specifies the organization's Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways.

License (default: R80.10-BYOL)
  Specifies the license to use for the Security Management Server.
  See Step 2 for the licensing options.
  You must have a subscription to the corresponding AMI in the AWS Marketplace.

Password hash (optional)
  Specifies the administrator password hash.
  Use this command to get the password hash:

  openssl passwd -1 <PASSWORD>

SIC key (requires input)
  Specifies the one-time Activation Key.
  Enter a string that consists of at least 8 alphanumeric characters.

Configuration of the Check Point CloudGuard IaaS Security Management Server:

Deploy management server (default: Yes)
  Configure "No" if you want:
    • To use an existing Security Management Server, or to deploy a Security Management Server later.
    • To ignore the other parameters of this section.

Default VPN access (default: Drop)
  If the Spoke VPCs are trusted, you can configure "Accept" to allow all traffic between the Spoke VPCs.

Instance type (default: m4.xlarge)
  Specifies the EC2 instance type of the Security Management Server.

License (default: R80.10-PAYG-MGMT5)
  Specifies the license to install on the Security Management Server.

Password hash (optional)
  Specifies the administrator password hash.
  Use this command to get the password hash:

  openssl passwd -1 <PASSWORD>

Default Blades (default: On)
  Configure "Off" if you want to disable the IPS, Application Control, Anti-Virus, and Anti-Bot Software Blades.
  After the deployment, you can manually enable and disable these and additional Software Blades.

Administrator addresses (requires input)
  Specifies the allowed IP addresses from which you can connect to the Security Management Server with HTTP, HTTPS, SSH, and GUI clients.

Gateways addresses (default: 10.0.0.0/16)
  Specifies the CIDR IP range that is permitted to access the Security Management Server.
  Only gateways with IP addresses from this network can communicate with the Security Management Server.
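The parameter tables for both the new-VPC and the existing-VPC deployments above state several constraints that the CloudFormation console does not enforce for you: subnets must fall inside the VPC CIDR, the Transit tag is limited to 12 alphanumeric characters, the SIC key needs at least 8 alphanumeric characters, and the password hash must be the output of "openssl passwd -1". The following pre-flight validator is an added example, not Check Point's or AWS's code. Its constructed sample uses the page's defaults plus made-up required inputs (the SIC key and an RFC 5737 documentation address for Administrator addresses). Three checks are this example's own assumptions rather than template rules: that the four subnets must not overlap each other, the warning when Administrator addresses is 0.0.0.0/0, and the warning when Gateways addresses does not cover the VPC CIDR. The hash_password_with_openssl helper assumes the real "openssl passwd -1 -stdin" option so the password is read from standard input instead of being placed on the command line, where shell history and process listings could capture it.

```python
"""Pre-flight checks for CloudGuard IaaS Transit template parameters.

Added example, not Check Point's or AWS's code. Encodes the constraints the
parameter tables state; the subnet non-overlap check, the 0.0.0.0/0 warning
and the Gateways-addresses coverage warning are this example's assumptions.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List, Optional

# Output shape of "openssl passwd -1": $1$<salt, 1-8 chars>$<22-char hash>.
MD5_CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
ALNUM_RE = re.compile(r"^[A-Za-z0-9]+$")
SUBNET_KEYS = ("Public Subnet 1", "Public Subnet 2", "Private Subnet 1", "Private Subnet 2")

# Constructed sample: the page's new-VPC defaults plus made-up required inputs.
SAMPLE_PARAMS = {
    "VPC CIDR": "10.0.0.0/16",
    "Public Subnet 1": "10.0.0.0/24",
    "Public Subnet 2": "10.0.2.0/24",
    "Private Subnet 1": "10.0.1.0/24",
    "Private Subnet 2": "10.0.3.0/24",
    "Transit tag": "Transit",
    "SIC key": "Activ8Key2024",                    # constructed one-time key
    "Password hash": "",                           # optional; empty means unset
    "Administrator addresses": "203.0.113.10/32",  # constructed, RFC 5737 range
    "Gateways addresses": "10.0.0.0/16",
}


def parse_cidr(name: str, value: str, errors: List[str]) -> Optional[ipaddress.IPv4Network]:
    """Parse a CIDR strictly (host bits must be zero); record an error on failure."""
    try:
        return ipaddress.IPv4Network(value, strict=True)
    except ValueError as exc:
        errors.append(f"{name}: {value!r} is not a valid CIDR ({exc})")
        return None


def validate(params: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]} for one parameter set."""
    errors: List[str] = []
    warnings: List[str] = []

    vpc = parse_cidr("VPC CIDR", params["VPC CIDR"], errors)
    subnets = []
    for key in SUBNET_KEYS:
        net = parse_cidr(key, params[key], errors)
        if net is None:
            continue
        if vpc is not None and not net.subnet_of(vpc):
            errors.append(f"{key}: {net} lies outside VPC CIDR {vpc}")
        subnets.append((key, net))
    # Assumption: the four subnets must not overlap one another.
    for i, (name_a, net_a) in enumerate(subnets):
        for name_b, net_b in subnets[i + 1:]:
            if net_a.overlaps(net_b):
                errors.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")

    tag = params["Transit tag"]
    if not (1 <= len(tag) <= 12 and ALNUM_RE.match(tag)):
        errors.append("Transit tag: must be 1-12 alphanumeric characters")

    sic = params["SIC key"]
    if not (len(sic) >= 8 and ALNUM_RE.match(sic)):
        errors.append("SIC key: must be at least 8 alphanumeric characters")

    pw_hash = params.get("Password hash", "")
    if pw_hash and not MD5_CRYPT_RE.match(pw_hash):
        errors.append("Password hash: expected the $1$salt$hash form from 'openssl passwd -1'")

    # Administrator addresses: one or more CIDRs, comma separated (assumed format).
    for item in params["Administrator addresses"].split(","):
        net = parse_cidr("Administrator addresses", item.strip(), errors)
        if net is not None and net.prefixlen == 0:   # assumption: warn on 0.0.0.0/0
            warnings.append("Administrator addresses: 0.0.0.0/0 exposes the management "
                            "server's HTTP/HTTPS/SSH/GUI ports to the whole internet")

    gw = parse_cidr("Gateways addresses", params["Gateways addresses"], errors)
    if gw is not None and vpc is not None and not vpc.subnet_of(gw):   # assumption
        warnings.append(f"Gateways addresses {gw} does not cover VPC CIDR {vpc}; "
                        "gateways outside it cannot reach the management server")
    return {"errors": errors, "warnings": warnings}


def hash_password_with_openssl(password: str) -> str:
    """Produce the hash the template expects, feeding the password on stdin
    ("openssl passwd -1 -stdin") so it never lands in shell history or ps output."""
    result = subprocess.run(["openssl", "passwd", "-1", "-stdin"], input=password + "\n",
                            capture_output=True, text=True, check=True)
    digest = result.stdout.strip()
    if not MD5_CRYPT_RE.match(digest):
        raise RuntimeError(f"unexpected openssl output: {digest!r}")
    return digest


if __name__ == "__main__":
    report = validate(SAMPLE_PARAMS)
    for level in ("errors", "warnings"):
        for msg in report[level]:
            print(f"{level[:-1].upper()}: {msg}")
    print("OK" if not report["errors"] else "fix the errors above before launching the stack")
```

Run validate() on the parameter set you intend to enter before launching either template; a failed strict CIDR parse (host bits set, such as 10.0.0.5/24) is reported as an error rather than silently normalised, since the console would reject it anyway after the stack has already started creating resources.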

Configuring the Environment after the Deployment

You can use these values displayed in the Outputs tab to configure the environment later:

SpokeTag
  Specifies the tag to put on the spoke VPC.

ManagementName
  Specifies the name that represents the Security Management Server.

CommunityName
  Specifies the name of the VPN Community created on the Security Management Server.

ConfigurationTemplateName
  Specifies the name that represents the configuration template.
  Configurations required to provision the Gateways automatically in the Auto Scaling Group are placed in this template name. For example, what Security Policy to install, which Software Blades to enable, and so on.

PublicAddressA
  Specifies the public IP address of the first gateway.

PublicAddressB
  Specifies the public IP address of the second gateway.

ManagementPublicAddress
  Specifies the public IP address of the Security Management Server.

ControllerName
  Specifies the name that represents the controller.
  Configurations required to connect to your AWS environment are placed in this controller template name. For example, credentials and regions.

Step 4: Reviewing and Testing the Deployment

Review the deployment in the AWS Management Console and in Check Point SmartConsole.

If the setup was successful, you should see these components: