Deploying a Check Point Cluster in AWS (Amazon Web Services)
vSEC for AWS, CloudGuard for AWS
R77.30, R80.10, R80.20, R80.30, R80.40
Platform / Model
This article will guide you in deploying a Check Point cluster in AWS.
Table of Contents:
Known Limitations and Issues
Method of operations
Deploying a Check Point Cluster in AWS
Configuring a Check Point Cluster in SmartConsole
Validating your setup
Setting up a Site to Site VPN
(I) Known Limitations and Issues
Only two members per cluster are supported.
Running the Security Management Server on the cluster members is not supported.
Only High Availability mode (Active/Standby) is supported. Load Sharing modes are not supported.
Both cluster members must reside in the same availability zone.
Currently, it can take up to 40 seconds for a cluster member to take full ownership of a cluster during failover. This is due to the amount of time it takes AWS to move secondary private addresses from one member to another.
VRRP is not supported.
A Check Point Security Gateway running without the appropriate IAM role cannot be joined to a cluster after it was created.
It is assumed that the reader is familiar with general AWS concepts and services such as:
EC2 (Elastic Compute Cloud)
VPC (Virtual Private Cloud)
IAM (Identity and Access Management)
As part of this article, you will need to create an IAM instance profile and later pass the role to the Check Point instances. For that you will need an AWS user account with IAM privileges.
(III) Method of operations
A Check Point cluster in a non-AWS environment uses multicast or broadcast in order to perform state synchronization and health checks across cluster members.
Since multicast and broadcast are not supported in VPC, the Check Point cluster members in AWS communicate with each other using unicast.
In addition, in a regular ClusterXL deployment working in High Availability mode, cluster members use Gratuitous ARP Requests to announce the MAC address of the Active member that is associated with the Virtual IP address (both during normal operation and when a cluster failover occurs). In AWS, by contrast, this is implemented by making API calls to AWS.
When a cluster failover occurs, the Standby cluster member is promoted to Active and takes ownership of the cluster resources. As part of this process this member:
Moves all secondary private IP addresses from the failed cluster member to itself.
Changes the default route in all routing tables associated with internal networks to point to itself.
In order to be able to automatically make API calls to AWS, the cluster members need to be provided with credentials. This is achieved using a standard AWS mechanism called IAM Roles.
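The two failover actions described above, expressed as the EC2 API calls the promoted member has to make. This is an added illustration, not Check Point's own aws_ha code; take_over_cluster() expects a boto3-shaped EC2 client (an assumption), and FakeEC2 is a constructed in-memory stand-in so the block runs offline.

```python
# Added illustration of the two failover actions described above; not Check
# Point's own aws_ha code. take_over_cluster() expects a boto3-shaped EC2
# client (assumption); FakeEC2 is a constructed in-memory stand-in (runs offline).
DEFAULT = "0.0.0.0/0"

def take_over_cluster(ec2, vip_list, failed_eni, my_eni, vpc_id):
    """Promoted member: (1) pull the cluster's secondary private IPs onto its own
    interface, (2) repoint every default route in the VPC that still targets
    the failed member. Returns the IDs of the route tables that were changed."""
    # AllowReassignment is what lets an address still bound to the failed ENI move
    ec2.assign_private_ip_addresses(NetworkInterfaceId=my_eni,
                                    PrivateIpAddresses=vip_list, AllowReassignment=True)
    fixed = []
    rts = ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    for t in rts["RouteTables"]:
        for r in t["Routes"]:
            if r.get("DestinationCidrBlock") == DEFAULT and r.get("NetworkInterfaceId") == failed_eni:
                ec2.replace_route(RouteTableId=t["RouteTableId"],
                                  DestinationCidrBlock=DEFAULT, NetworkInterfaceId=my_eni)
                fixed.append(t["RouteTableId"])
    return fixed

class FakeEC2:  # constructed stand-in for the three EC2 calls used above
    def __init__(self, secondary_ips, tables):
        self.ips, self.tables = secondary_ips, tables  # eni -> set of secondary IPs
    def assign_private_ip_addresses(self, NetworkInterfaceId, PrivateIpAddresses, AllowReassignment):
        wanted = set(PrivateIpAddresses)
        for eni, ips in self.ips.items():
            if eni != NetworkInterfaceId and ips & wanted and not AllowReassignment:
                raise RuntimeError("InvalidParameterValue: address in use")  # real API refuses
            ips -= wanted
        self.ips[NetworkInterfaceId] |= wanted
    def describe_route_tables(self, Filters):
        return {"RouteTables": self.tables}
    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        t = next(t for t in self.tables if t["RouteTableId"] == RouteTableId)
        for r in t["Routes"]:
            if r.get("DestinationCidrBlock") == DestinationCidrBlock:
                r["NetworkInterfaceId"] = NetworkInterfaceId

def demo():
    """Constructed VPC: member A (eni-a) failed holding VIP 10.0.1.100; B (eni-b) takes over."""
    ec2 = FakeEC2({"eni-a": {"10.0.1.100"}, "eni-b": set()},
                  [{"RouteTableId": "rtb-internal", "Routes": [
                      {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                      {"DestinationCidrBlock": DEFAULT, "NetworkInterfaceId": "eni-a"}]}])
    fixed = take_over_cluster(ec2, ["10.0.1.100"], "eni-a", "eni-b", "vpc-example")
    return fixed, ec2
```

Against real AWS the same sequence is what takes up to 40 seconds, since the address move and route replacement are separate API calls that AWS applies asynchronously.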
To best explain the configuration steps, we will be using the following example environment.
Make sure to replace the IP addresses in the example environment to reflect your environment when you follow the configuration steps below.
Note: Since the number of interfaces an instance can have is limited by AWS based on the instance type, we will set up the internal network to function as a Cluster and as a Sync network [The smallest instance type supported by Check Point is m3.medium, which comes with 2 interfaces. All other supported instance types have 3 or more interfaces].
Cluster Virtual IP: Elastic IP address (allocated by AWS)
External private address
Internal private address (also acts as a Sync network)
(V) Deploying a Check Point Cluster in AWS
CloudFormation is an Amazon Web Services (AWS) service that enables modeling and setting up resources inside AWS in an automated fashion.
In order for the Cluster to be created, you first need to subscribe to the Check Point Security Gateway solution on the AWS marketplace. You only need to do this once per AWS account.
Then, you can use one of the two CloudFormation templates:
Creates a new VPC and deploys a Cluster into it.
Deploys a Cluster into an existing VPC.
When you deploy this template, there is no need to run the Check Point First Time Configuration Wizard. Instead, the First Time Configuration Wizard is executed automatically and, as part of that, the cluster members reboot once.
When deploying the Check Point Cluster into an existing VPC using the CloudFormation template, it automatically creates an AWS routing table and associates the internal subnet with it, in order to route all traffic leaving the subnet via the Check Point Cluster member.
After creating a CloudFormation stack using the above template, configure the Check Point Cluster in SmartConsole.
If you have used the CloudFormation templates to deploy the Check Point Cluster in AWS, skip to step (VI) Configuring a Check Point Cluster in SmartConsole.
Create an IAM role
In this step, we will create an IAM role and an Instance Profile. When you launch the Check Point cluster members, you pass them this role. This allows the cluster members to automatically make changes in the VPC environment if a cluster failover occurs.
Note: IAM roles can only be created by privileged AWS users.
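A check for the policy attached to that role, written as an added example and not taken from Check Point's templates or code. REQUIRED_ACTIONS is an assumption derived from the two failover operations this article describes (moving secondary private IPs and replacing default routes); the exact action set Check Point's templates grant is not given on this page.

```python
# Added example, not Check Point's own template or code: audit the IAM policy
# attached to the cluster members' role. REQUIRED_ACTIONS is an assumption derived
# from the two failover operations described in this article; the exact action
# set Check Point's CloudFormation templates grant is not on this page.
import fnmatch

REQUIRED_ACTIONS = {"ec2:AssignPrivateIpAddresses", "ec2:DescribeRouteTables",
                    "ec2:ReplaceRoute"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def audit_cluster_policy(policy):
    """Return (missing, findings): required actions not granted, and Allow
    statements broader than the failover needs (wildcards, non-EC2 services)."""
    granted, findings = set(), []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements cannot widen the grant
        for pat in _as_list(st.get("Action", [])):
            low = pat.lower()
            if "*" in pat:
                findings.append(f"statement {i}: wildcard action {pat!r}")
            elif not low.startswith("ec2:"):
                findings.append(f"statement {i}: {pat!r} is outside EC2, not needed for failover")
            # IAM matches action names case-insensitively, with '*' as the wildcard
            granted |= {a for a in REQUIRED_ACTIONS if fnmatch.fnmatchcase(a.lower(), low)}
    return sorted(REQUIRED_ACTIONS - granted), findings


# Constructed sample policies. Describe* actions have no resource-level scope,
# so "Resource": "*" is expected here; the audit looks at actions only.
MINIMAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}]}
PERMISSIVE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "s3:*"], "Resource": "*"}]}
INCOMPLETE_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["ec2:DescribeRouteTables", "ec2:ReplaceRoute"],
    "Resource": "*"}}
```

An incomplete policy is the failure mode the article warns about in the validation section: the members start normally but cannot move addresses or routes when a failover actually happens.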
Note: All subnets must reside in the same availability zone.
Create a route table and associate it with the external subnet - add a default route and point it to the Internet Gateway:
The Check Point Security Gateway can enforce a more sophisticated security policy, making the VPC security groups redundant. This procedure explains how to create a permissive VPC security group, in order to prevent a possible conflict between the VPC security groups and the Check Point security policy.
To create a new security group:
Open the Security Groups menu.
Click on Create Security Group.
In the Group name field, enter group name - PermissiveSecGrp.
In the Description field, enter - Permissive Security Group.
In the VPC field, select the VPC.
Click the Yes, Create button.
Create a new rule for this security group that accepts all traffic from any source address:
In the Security Groups list, select the new PermissiveSecGrp.
Go to the Inbound Rules tab.
Create a new rule that accepts all traffic from any source address.
Debug output will be written to: $FWDIR/log/aws_had.elg*
To disable debugging, run the following command on each cluster member: $FWDIR/Python/bin/python $FWDIR/scripts/aws_ha_cli.py restart
Make sure that you have set up your IAM roles as outlined in this article (refer to the section "Create an IAM role" above). Misconfigured IAM roles prevent the cluster members from communicating with AWS to make networking changes if a cluster member failure occurs.
In order to automatically make networking changes, the cluster members need to communicate with AWS. This is done over two types of connections:
If all tests were successful, the script should output: All tests were successful!
Otherwise, an error message is displayed that should help you troubleshoot the problem.
Repeat Steps A-C on the other cluster member.
By default, every Check Point Security Gateway and Security Management Server's WebUI is accessible from the internet by browsing to http://. Restricting access to the WebUI is possible by configuring a Network Security Group, or by configuring the Check Point Gateway and Management Server settings.