Support Center > Search Results > SecureKnowledge Details
Using User Data to execute an initialization script when you launch your Check Point Security Gateway in AWS
Solution

Introduction:

It is now possible to create an initialization script that would be executed the first time you launch your Check Point Security Gateway instance in AWS.
This initialization script can be used to set operating system configuration and to automate the Security Gateway's provisioning process.

 

Prerequisites:

It is assumed that the reader is familiar with general AWS concepts and services, such as EC2 and VPC.

 

Overview:

When you launch an instance in AWS, you can optionally pass your own user data to it.

The Check Point Security Gateway treats this data as an initialization script.

This script can be used to modify operating system settings, as well as to replace the First Time Configuration Wizard configuration process.

Note: If no user data is supplied at boot time, the machine will boot normally and you would need to complete its configuration manually.

 

Known Limitations:

  • This feature is available starting in R77.10 take 37.

  • Although user data is only accessible from the instance itself, AWS does not protect it by cryptographic methods. Anyone, who can access the instance, can view it. You should not store sensitive data, such as passwords, as user data.

 

Configuration Flow:

When the Check Point Security Gateway launches for the first time, it fetches the user data from AWS.

The Security Gateway saves the user data to a temporary script file and then executes it.

The output of the script is redirected to /var/log/cloud-user-data file.

Note: The script would only be executed when the instance boots for the first time.

 

Setup

Create your own initialization script to be executed when the instance first launches.

You can use the following script as an example:

#!/bin/bash

clish -c 'set user admin password-hash ADMIN-PASSWORD-HASH' -s

clish -c 'set interface eth1 ipv4-address INTERNAL-GATEWAY-ADDRESS mask-length INTERNAL-GATEWAYMASKLEN' -s

clish -c 'set interface eth1 state on' -s

clish -c 'set hostname HOSTNAME' -s

config_system -s 'install_security_gw=true&install_ppak=true&install_security_managment=false&ipstat_v6=off&ftw_sic_key=SIC_KEY'

shutdown -r now

Where:

Variable Usage
ADMIN-PASSWORD-HASH

The hash of the OS admin user password, which you can copy from /etc/shadow file on another system or by using the following command:

openssl passwd -1 [PASSWORD]

INTERNAL-GATEWAY-ADDRESS The internal network IP address.
INTERNAL-GATEWAY-MASKLEN The internal network mask length in bits.
HOSTNAME The host name.
SIC_KEY Secure Internal communication key - a one-time key used to set up trust with Security Management Server.

This script:

  • Sets the OS user 'admin' password
  • Sets the IP address, network mask and state of interface eth1
  • Uses the config_system utility to automate the First Time Configuration Wizard process
  • Reboots the instance to complete the installation

Pass the script to AWS, when you launch the instance, as explained in http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html#configure_instance_details_step

 

Additional Information and Resources:

 

Troubleshooting:

You can obtain the contents of the user data file by running the following command on the Security Gateway:

[Expert@HostName]# $FWDIR/bin/curl_cli http://169.254.169.254/latest/user-data

The output of the script is saved to:

/var/log/cloud-user-data file

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment