Advanced Configuration

In This Section:

Deploying and Configuring the Check Point Security Management Server

Required Permissions for the Security Management Server

The Security Management Server must have these IAM permissions:

ec2:DescribeNetworkInterfaces
ec2:DescribeSubnets
ec2:DescribeInstances
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeTargetGroups
elasticloadbalancing:DescribeRules
elasticloadbalancing:DescribeTargetHealth
autoscaling:DescribeAutoScalingGroups
ec2:DescribeCustomerGateways
ec2:CreateCustomerGateway
ec2:DeleteCustomerGateway
ec2:DescribeRouteTables
ec2:EnableVgwRoutePropagation
ec2:DisableVgwRoutePropagation
ec2:DescribeVpnGateways
ec2:CreateVpnGateway
ec2:AttachVpnGateway
ec2:DetachVpnGateway
ec2:DeleteVpnGateway
ec2:DescribeVpnConnections
ec2:CreateVpnConnection
ec2:DeleteVpnConnection
cloudformation:DescribeStacks
cloudformation:DescribeStackResources
cloudformation:CreateStack (resource: arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*)
cloudformation:DeleteStack (resource: arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*)

Deploying the Security Management Server

If you have a Check Point Security Management Server on AWS already (version 317 or higher), or on-premises Check Point Security Management Server R80.10 with R80.10 Jumbo Hotfix Take 135 (or higher), you can use it to manage the Transit VPC Security Gateways.

Location of the Management Server	Instructions
Security Management Server in AWS	To deploy a new Security Management Server in AWS, see sk130372 > Section Installing the Check Point Security Management Server. Note - Make sure to select Create with read-write permissions in the IAM role dropdown field. This is required to include these permissions in the IAM policy of the IAM role attached to the Security Management Server.
Security Management Server on-premises	To deploy a new Security Management Server on-premises, or use an existing Security Management Server on-premises, see sk130372 > Section Deploying a Security Management Server on-premises.

Location of the
Management Server

Instructions

Security Management Server in AWS

To deploy a new Security Management Server in AWS, see sk130372 > Section Installing the Check Point Security Management Server.

Note - Make sure to select Create with read-write permissions in the IAM role dropdown field. This is required to include these permissions in the IAM policy of the IAM role attached to the Security Management Server.

Security Management Server on-premises

To deploy a new Security Management Server on-premises, or use an existing Security Management Server on-premises, see sk130372 > Section Deploying a Security Management Server on-premises.

Configuring the Security Management Server

In This Section:

Configuring the Security Management Server with the 'autoprov-cfg' Tool

Configuring the VPN Community with the 'config-community.sh' Script

Configuring the Access Control Policy

Follow the instructions below to configure the Transit service, which controls CloudGuard's integration to AWS Endpoints that seamlessly operate the AWS Transit Hub solution.

Examples of other configuration are in the Examples of autoprov-cfg Configurations section.

Configuring the Security Management Server with the 'autoprov-cfg' Tool

This tool configures the Check Point Security Management Server with all the settings needed for Transit:

Step	Description
1	Connect to the command line on the Check Point Security Management Server.
2	Log in to the Expert mode.
3	Run all the commands below. Commands and their description:
	`autoprov_cfg init AWS -mn "<`MANAGEMENT-NAME`>" -tn "<`TEMPLATE-NAME`>" -otp "<`SIC-KEY`>" -ver R80.10 -po "<`POLICY-NAME`>" -cn "<`CONTROLLER-NAME`>" -r "<`REGIONS`>" -iam` Initializes configuration with IAM credentials. Options: `-mn` - Specifies the name of the Security Management Server `-tn` - Specifies the template name `-otp` - Specifies the one-time SIC password `-ver` - Specifies the Gateway version `-po` - Specifies the name of the policy package `-cn` - Specifies the name of the Controller `-r` - Specifies the list of regions, separated by commas `-iam` - Specifies to use IAM to connect to AWS
	`autoprov_cfg set controller AWS -cn "<`CONTROLLER-NAME`>" -sg -sv -com "<`VPN-COMMUNITY-NAMES`>" -sn "<`SUBACCOUNT-NAME`>" -ssr "<`STS-ROLE-ARN`>"` Sets Controller with the required attributes for transit. Options: `-sg` - Specifies to scans gateways (enables Autoprovision) `-sv` - Specifies to scan VPN (enables Transit) `-com` - Specifies the list of VPN communities allowed to be used by this Controller `-sn` - Specifies the custom name for your sub-account `-ssr` - Specifies the STS role name of trustee (spoke account)
	`autoprov_cfg set template -tn "<`TEMPLATE-NAME`>" -vpn -vd "<`VPN-DOMAIN`>" -com "<`VPN-COMMUNITY-NAME`>"` Sets template with the required attributes for transit. Options: `-vpn` - Enables the IPsec VPN blade on gateways `-vd` - Specifies the name of the VPN Domain object `-com` - Specifies the name of the VPN Community
	`autoprov_cfg show all` Shows all the used configurations. Run this command to confirm all the configurations are correct.
4	Run this command to test the configuration: `service cme test` Make sure there are no errors. If the test ends with any error, see the Troubleshooting section.

Examples of 'autoprov_cfg' Configuration

Learn how to use the autoprov_cfg CLI tool to configure different deployment scenarios.

In the examples below, replace the bolded variables, with values in your environment.

Example 1 - Management, Transit, and spoke VPCs are all on the same account

Scanning the Transit and spoke account is authenticated using the management IAM role only.

Step	Syntax
1	`autoprov_cfg init AWS -mn "`my-mgmt`" -tn "`my-template`" -otp "`my-one-time-password`" -ver` R80.10 `-po "`my-policy`" -cn "`my-controller`" -r "`us-east-1`" -iam`
2	`autoprov_cfg set controller AWS -cn "`my-controller`" -sg -sv -com "`my-vpn-community`"`
3	`autoprov_cfg set template -tn "`my-template`" -vpn -vd "`my-vpm-domain`" -com "`my-vpn-community`"`

Example 2 - Management and Transit are on the same account, but the spoke VPC is on a different account

Add a sub-account to the Controller with an STS role on the spoke account for spoke scanning.

The Management IAM role scans the transit account.

Step	Syntax
1	`autoprov_cfg init AWS -mn "`my-mgmt`" -tn "`my-template`" -otp "`my-one-time-password`" -ver` R80.10 `-po "`my-policy`" -cn "`my-controller`" -r "`us-east-1`" -iam`
2	`autoprov_cfg set controller AWS -cn "`my-controller`" -sg -sv -com "`my-vpn-community`" -sn "`my-account`" -ssr "`arn:aws:iam::123456789012:role/SpokeAccountRole`"`
3	`autoprov_cfg set template -tn "`my-template`" -vpn -vd "`my-vpm-domain`" -com "`my-vpn-community`"`

Example 3 - Management, Transit, and spoke VPC are each on their own account, and trust is done with STS roles

Trust between the management and transit accounts is done with STS roles.

Add a sub-account to the Controller with an STS role on the spoke account to allow spoke scanning.

Add an STS role for the transit account on the Controller to scan gateways.

Step	Syntax
1	`autoprov_cfg init AWS -mn "`my-mgmt`" -tn "`my-template`" -otp "`my-one-time-password`" -ver` R80.10 `-po "`my-policy`" -cn "`my-controller`" -r "`us-east-1`" -iam`
2	`autoprov_cfg set controller AWS -cn "`my-controller`" -sg -sv -com "`my-vpn-community`" -ssr "`arn:aws:iam::210987654321:role/TransitAccountRole`" -sn "`my-account`" -ssr "`arn:aws:iam::123456789012:role/SpokeNameOne`"`
3	`autoprov_cfg set template -tn "`my-template`"`

Example 4 - Management, Transit, and spoke VPCs are each on their own account, and a user with programmatic access is set on the transit account

Management, Transit, and spoke VPCs are each on their own account. A user with programmatic access is set on the transit account.

Add a sub-account to the Controller with an STS role on the spoke account for spoke scanning.

Add an access key and a secret key of a user with programmatic access on the transit account on the Controller, to scan gateways.

Step	Syntax
1	`autoprov_cfg init AWS -mn "`my-mgmt`" -tn "`my-template`" -otp "`my-one-time-password`" -ver` R80.10 `-po "`my-policy`" -cn "`my-controller`" -r "`us-east-1`" -ak` AKIKBJKKGPVSLTTVCGFU `-sk` m97031r93aa7x6plnkdum97031r93aa7x6plnkdu
2	`autoprov_cfg set controller AWS -cn "`my-controller`" -sg -sv -com "`my-vpn-community`" -sn "`my-account`" -ssr "`arn:aws:iam::123456789012:role/SpokeNameOne`"`
3	`autoprov_cfg set template -tn "`my-template`" -vpn -vd "`my-vpm-domain`" -com "`my-vpn-community`"`

Configuring the VPN Community with the 'config-community.sh' Script

This script creates a VPN Community with all the settings needed for Transit:

Step

Description

Connect to the command line on the Check Point Security Management Server.

Run:

/opt/CPcme/menu/additions/config-community.sh "<VPN-COMMUNITY-NAME>"

Example:

/opt/CPcme/menu/additions/config-community.sh "Transit-VPN-Community"

Configuring the Access Control Policy

Step	Description
1	Connect with SmartConsole to your Check Point Security Management Server.
2	If the Security Management Server and the Security Gateway have to communicate through public IP addresses, make sure that the Security Management Server object is defined with the elastic IP address. Edit the Security Management Server object and change the IP address. Important - If you change the main IP address of the Security Management Server, you must issue and install the license(s) for the new IP address.
3	Create the Security Policy you want to install on the Transit Gateways. When you name the policy package, use the package name you set when you executed the `autoprov_cfg` utility.
4	We recommend you create an explicit VPN Directional rule in the Access Control Policy to allow the required services to work over the VPN tunnels:
4A	Enable the support for VPN directional rules: In SmartConsole, click Menu > Global properties. In the left tree, click VPN > Advanced. Select Enable VPN Directional Match in VPN Column. Click OK.
4B	Create an explicit VPN Directional rule: Source - Applicable Objects Destination - Applicable Objects VPN - All these: `Community -> Community` `Community -> Internal_clear` `Internal_clear -> Community` Services & Applications - Applicable Services Action - `Accept` Track - `None`, or `Log` Install On - Transit gateways
5	Install the Access Control Policy on the Transit gateways.

Configuring the Multi-Domain Server

Step	Description
1	Connect to the command line on the Check Point Multi-Domain Server.
2	Log in to the Expert mode.
3	Execute the `autoprov_cfg` tool on the Multi-Domain Server. See sk120992.
4	Execute the `config-community.sh` script on the Multi-Domain Server: `env MGMT_CLI_DOMAIN="<`DOMAIN_NAME`>" /etc/fw/scripts/autoprovision/config-community.sh "<`VPN-COMMUNITY-NAME`>" [<`SPOKE-ROUTES`> [<`EXPORT-ROUTES`>, <`EXPORT-ROUTES`> ...]]` Replace the "<DOMAIN_NAME`>"` with the name of your Domain.
5	Tag a spoke VPC on a Multi-Domain Server. On a Multi-Domain Server, you have to indicate the specific Domain, on which Transit has to manage the VPN connection to the spoke VPC. Therefore, the tag value structure for the spoke VPC also must have the Domain name. Tag key: `x-chkp-vpn` Tag value: `<`MANAGEMENT_NAME`>/<`DOMAIN_NAME`>/<`VPN_COMMUNITY_NAME`>` Where: <MANAGEMENT_NAME> - Specifies the name of your Multi-Domain Server. Use the same name you used when you executed the `autoprov_cfg` command. <DOMAIN_NAME> - Specifies the name of the Domain as defined in the SmartConsole. <VPN_COMMUNITY_NAME> - Specifies the name of your VPN Community. Use the same name you used when you created the VPN Community.