Using User Data to execute an initialization script when you launch your Check Point Security Gateway in AWS
It is now possible to create an initialization script that is executed the first time you launch your Check Point Security Gateway instance in AWS.
This initialization script can be used to set operating system configuration and to automate the Security Gateway's provisioning process.
It is assumed that the reader is familiar with general AWS concepts and services, such as EC2 and VPC.
When you launch an instance in AWS, you can optionally pass your own user data to it.
The Check Point Security Gateway treats this data as an initialization script.
This script can be used to modify operating system settings, as well as to replace the First Time Configuration Wizard configuration process.
Note: If no user data is supplied at boot time, the machine boots normally and you will need to complete its configuration manually.
- This feature is available starting in R77.10 take 37.
- Although user data is only accessible from the instance itself, AWS does not protect it cryptographically. Anyone who can access the instance can view it. You should not store sensitive data, such as passwords, as user data.
When the Check Point Security Gateway launches for the first time, it fetches the user data from AWS.
The Security Gateway saves the user data to a temporary script file and then executes it.
The output of the script is redirected to
Note: The script is only executed when the instance boots for the first time.
Create your own initialization script to be executed when the instance first launches.
You can use the following script as an example:
clish -c 'set user admin password-hash ADMIN-PASSWORD-HASH' -s
clish -c 'set interface eth1 ipv4-address INTERNAL-GATEWAY-ADDRESS mask-length INTERNAL-GATEWAYMASKLEN' -s
clish -c 'set interface eth1 state on' -s
clish -c 'set hostname HOSTNAME' -s
config_system -s 'install_security_gw=true&install_ppak=true&install_security_managment=false&ipstat_v6=off&ftw_sic_key=SIC_KEY'
shutdown -r now
Replace the placeholders in the script with your own values:
- ADMIN-PASSWORD-HASH - The hash of the OS admin user password, which you can copy from the /etc/shadow file on another system or generate with the following command:
openssl passwd -1 [PASSWORD]
- INTERNAL-GATEWAY-ADDRESS - The internal network IP address.
- INTERNAL-GATEWAYMASKLEN - The internal network mask length in bits.
- HOSTNAME - The host name.
- SIC_KEY - Secure Internal Communication key, a one-time key used to set up trust with the Security Management Server.
The script does the following:
- Sets the OS user 'admin' password
- Sets the IP address, network mask and state of interface eth1
- Uses the config_system utility to automate the First Time Configuration Wizard process
- Reboots the instance to complete the installation
Pass the script to AWS as user data when you launch the instance, as explained in http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html#configure_instance_details_step
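As an added example (not Check Point's own tooling), the following POSIX shell helper renders the initialization script shown above from its parameters and refuses input that should never reach user data: a plaintext admin password instead of a hash, a malformed IPv4 address, or an out-of-range mask length. The placeholder order and the crypt-style hash prefixes it accepts are assumptions of this example.

```shell
#!/bin/sh
# Added example: render the Check Point user-data script from parameters.
# Validation rules below are this example's assumptions, not Check Point's.

# Accept only a crypt(3)-style hash ($1$ from "openssl passwd -1", $5$ or $6$),
# never a plaintext password: user data is readable by anyone on the instance.
is_password_hash() {
    case "$1" in
        '$1$'*|'$5$'*|'$6$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dotted-quad IPv4 check: exactly four numeric octets, each 0-255.
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Mask length in bits must be an integer from 0 to 32.
is_mask_len() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ]
}

# render_userdata HASH ADDRESS MASKLEN HOSTNAME SICKEY
# Prints the script on stdout, or prints the reason on stderr and returns 1.
render_userdata() {
    is_password_hash "$1" || { echo "admin password must be a hash, not plaintext" >&2; return 1; }
    is_ipv4 "$2"          || { echo "bad internal gateway address: $2" >&2; return 1; }
    is_mask_len "$3"      || { echo "bad mask length: $3" >&2; return 1; }
    [ -n "$4" ] && [ -n "$5" ] || { echo "hostname and SIC key are required" >&2; return 1; }
    cat <<EOF
clish -c 'set user admin password-hash $1' -s
clish -c 'set interface eth1 ipv4-address $2 mask-length $3' -s
clish -c 'set interface eth1 state on' -s
clish -c 'set hostname $4' -s
config_system -s 'install_security_gw=true&install_ppak=true&install_security_managment=false&ipstat_v6=off&ftw_sic_key=$5'
shutdown -r now
EOF
}
```

Redirect the output of render_userdata to a file and pass that file as the instance's user data; the SIC key it embeds is one-time, so reset it after trust is established if the user data must remain readable on the instance.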
Additional Information and Resources:
You can obtain the contents of the user data file by running the following command on the Security Gateway:
[Expert@HostName]# $FWDIR/bin/curl_cli http://169.254.169.254/latest/user-data
The output of the script is saved to: