Using User Data to execute an initialization script when you launch your Check Point Security Gateway in AWS

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk104080
Technical Level
Product	vSEC for AWS
Version	R77.10 (EOL), R77.30 (EOL)
OS	Gaia
Platform / Model	AWS
Date Created	01-Feb-2015
Last Modified	03-Sep-2017

Solution

Introduction:

It is now possible to create an initialization script that would be executed the first time you launch your Check Point Security Gateway instance in AWS.
This initialization script can be used to set operating system configuration and to automate the Security Gateway's provisioning process.

Prerequisites:

It is assumed that the reader is familiar with general AWS concepts and services, such as EC2 and VPC.

Overview:

When you launch an instance in AWS, you can optionally pass your own user data to it.

The Check Point Security Gateway treats this data as an initialization script.

This script can be used to modify operating system settings, as well as to replace the First Time Configuration Wizard configuration process.

Note: If no user data is supplied at boot time, the machine will boot normally and you would need to complete its configuration manually.

Known Limitations:

This feature is available starting in R77.10 take 37.
Although user data is only accessible from the instance itself, AWS does not protect it by cryptographic methods. Anyone, who can access the instance, can view it. You should not store sensitive data, such as passwords, as user data.

Configuration Flow:

When the Check Point Security Gateway launches for the first time, it fetches the user data from AWS.

The Security Gateway saves the user data to a temporary script file and then executes it.

The output of the script is redirected to /var/log/cloud-user-data file.

Note: The script would only be executed when the instance boots for the first time.

Setup

Create your own initialization script to be executed when the instance first launches.

You can use the following script as an example:

#!/bin/bash

clish -c 'set user admin password-hash ADMIN-PASSWORD-HASH' -s

clish -c 'set interface eth1 ipv4-address INTERNAL-GATEWAY-ADDRESS mask-length INTERNAL-GATEWAYMASKLEN' -s

clish -c 'set interface eth1 state on' -s

clish -c 'set hostname HOSTNAME' -s

config_system -s 'install_security_gw=true&install_ppak=true&install_security_managment=false&ipstat_v6=off&ftw_sic_key=SIC_KEY'

shutdown -r now

Where:

Variable	Usage
`ADMIN-PASSWORD-HASH`	The hash of the OS admin user password, which you can copy from /etc/shadow file on another system or by using the following command: openssl passwd -1 [PASSWORD]
`INTERNAL-GATEWAY-ADDRESS`	The internal network IP address.
`INTERNAL-GATEWAY-MASKLEN`	The internal network mask length in bits.
`HOSTNAME`	The host name.
`SIC_KEY`	Secure Internal communication key - a one-time key used to set up trust with Security Management Server.

This script:

Sets the OS user 'admin' password
Sets the IP address, network mask and state of interface eth1
Uses the config_system utility to automate the First Time Configuration Wizard process
Reboots the instance to complete the installation

Pass the script to AWS, when you launch the instance, as explained in http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html#configure_instance_details_step

Additional Information and Resources:

Troubleshooting:

You can obtain the contents of the user data file by running the following command on the Security Gateway:

[Expert@HostName]# $FWDIR/bin/curl_cli http://169.254.169.254/latest/user-data

The output of the script is saved to:

/var/log/cloud-user-data file

This solution is about products that are no longer supported and it will not be updated

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating