Deploying a Check Point Cluster in AWS (Amazon Web Services)

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk104418
Technical Level
Product	vSEC for AWS, CloudGuard for AWS
Version	R77.30, R80.10, R80.20, R80.30, R80.40
OS	Gaia
Platform / Model	AWS
Date Created	01-Feb-2015
Last Modified	11-Feb-2020

Solution

This article will guide you in deploying a Check Point cluster in AWS.

Table of Contents:

Known Limitations and Issues
Prerequisites
Method of operations
Example environment
Deploying a Check Point Cluster in AWS
Configuring a Check Point Cluster in SmartConsole
Validating your setup
Setting up a Site to Site VPN
Documentation
Troubleshooting

(I) Known Limitations and Issues

Only two members per cluster are supported.
Running the Security Management Server on the cluster members is not supported.
Only High Availability mode (Active/Standby) is supported. Load Sharing modes are not supported.
Both cluster members must reside in the same availability zone.
Currently, it can take up to 40 seconds for a cluster member to take full ownership of a cluster during failover. This is due to the amount of time it takes AWS to move secondary private addresses from one member to another.
VRRP is not supported.
A Check Point Security Gateway running without the appropriate IAM role, cannot be joined to a cluster after it was created.

(II) Prerequisites

It is assumed that the reader is familiar with general AWS concepts and services such as:

EC2 (Elastic Compute Cloud)
VPC (Virtual Private Cloud)
IAM (Identity and Access Management)

As part of this article, you would need to create an IAM instance profile and later pass the role to the Check Point instances. For that you would need an AWS user account with IAM privileges.

(III) Method of operations

A Check Point cluster in a non-AWS environment uses multicast or broadcast in order to perform state synchronization and health checks across cluster members.

Since multicast and broadcast are not supported in VPC, the Check Point cluster members in AWS communicate with each other using unicast.

In addition, in a regular ClusterXL working in High Availability mode, cluster members use Gratuitous ARP Requests to announce the MAC Address of the Active member that is associated with Virtual IP Address (during the normal operation and when cluster failover occurs).
In contrast, in AWS this is implemented by making API calls to AWS.

When a cluster failover occurs, the Standby cluster member is promoted to Active and takes ownership of the cluster resources. As part of this process this member:

Moves all secondary private IP addresses from the failed cluster member to itself.
Changes the default route in all routing tables associated with internal networks to point to itself.

In order to be able to automatically make API calls to AWS, the cluster members need to be provided with credentials. This is achieved using a standard AWS mechanism called IAM Roles.

More information on IAM roles can be found here:

(IV) Example environment

To best explain the configuration steps, we will be using the following example environment.

Make sure to replace the IP addresses in the example environment to reflect your environment when you follow the configuration steps below.

Note: Since the number of interfaces an instance can have is limited by AWS based on the instance type, we will set up the internal network to function as a Cluster and as a Sync network [The smallest instance type supported by Check Point is m3.medium, which comes with 2 interfaces. All other supported instance types have 3 or more interfaces].

	Cluster Virtual IP	Member A	Member B	Comments
Elastic IP address	198.51.100.10	198.51.100.20	198.51.100.30	Allocated by AWS
External private address	10.0.0.10	10.0.0.20	10.0.0.30
Internal private address	10.0.1.10	10.0.1.20	10.0.1.30	Also acts as a Sync network

(V) Deploying a Check Point Cluster in AWS

CloudFormation is an Amazon Web Services (AWS) service that enables modeling and setting up resources inside AWS in an automated fashion.

In order for the Cluster to be created, you first need to subscribe to the Check Point Security Gateway solution on the AWS marketplace. You only need to do this once per AWS account.

To check if you are already subscribed:

Log in to the AWS portal.
After you have logged in, review your current subscriptions.

If you are not yet subscribed:

Log in to the AWS portal.
After you have logged in, select and subscribe to one of the following licensing options for Check Point CloudGuard IaaS Next Gen Firewall:

Then, you can use one of the two CloudFormation templates:

Description	Download	Direct Launch
Creates a new VPC and deploys a Cluster into it.
Deploys a Cluster into an existing VPC.

Notes:

When you deploy this template, there is no need to run the Check Point First Time Configuration Wizard. Instead, the First Time Configuration Wizard would be executed automatically and as part of that, the cluster members would reboot once.

When deploying the Check Point Cluster into an existing VPC using the Cloud Formation template, it will automatically create an AWS routing table, and associate the internal subnet to it, in order to route all the traffic outside the subnet via Check Point Cluster member.

After creating a Cloud Formation stack using the above template, configure the Check Point Cluster in SmartConsole.

Show/Hide instructions to manually deploy a Check Point Cluster in AWS

If you have used the CloudFormation templates to deploy the Check Point Cluster in AWS, skip to step (VI) Configuring a Check Point Cluster in SmartConsole.

Create an IAM role

In this step, we will create an IAM role and an Instance Profile. When you launch the Check Point cluster members, you would pass them this role. This will allow the cluster members to automatically make changes in the VPC environment if a cluster failover should occur.

Note: IAM roles can only be created by privileged AWS users.

Go to https://console.aws.amazon.com/iam/home#home
Go to Policies
Select Create Policy
Select Create Your own Policy:
Enter the Policy Name (e.g., check-point-cluster):

In the Policy Document, paste the following (to allow access to all accounts and VPCs):

{
    "Version": "2012-10-17",
        "Statement": [
        {
            "Action": [
                "ec2:DescribeRouteTables",
                "ec2:ReplaceRoute",
                "ec2:AssignPrivateIpAddresses",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateRoute"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Click on Create Policy
Go to Roles
Select Create New Role
In the Set Role Name, enter the desired name (e.g., check-point-cluster):
In the Select Role Type, select Amazon EC2:
In Attach Policy, locate and select the policy you created in the previous steps:

Create your VPC environment

The following steps give a high level description on creating a VPC environment. For more details, refer to the R77.30 vSEC Gateway for Amazon Web Services Getting Started Guide.

Create a VPC.
Create an Internet Gateway in the VPC.
Create the external and internal subnets.
Note: All subnets must reside in the same availability zone.
Create a route table and associate it with the external subnet - add a default route and point it to the Internet Gateway:

The Check Point Security Gateway can enforce a more sophisticated security policy, making the VPC security groups redundant. This procedure explains how to create a permissive VPC security group, in order to prevent a possible conflict between the VPC security groups and the Check Point security policy.

To create a new security group:

Open the Security Groups menu.
Click on Create Security Group.
1. In the Group name field, enter group name - PermissiveSecGrp.
2. In the Description field, enter - Permissive Security Group.
3. In the VPC field, select the VPC.
4. Click on Yes, Create button.

Create a new rule for this security group that accepts all traffic from any source address:
1. In the Security Groups list, select the new PermissiveSecGrp.
2. Go to the Inbound Rules tab.
3. Create a new rule that accepts all traffic from any source address.
4. Click on Save button.

Launch the cluster members

Launch a Check Point instance from the AWS marketplace.

Refer to Amazon EC2User Guide to identify an appropriate instance type that can accommodate the number of interfaces and private addresses you require.

Use the following settings:

In the Network field, select your VPC.
In the Subnet field, select your external subnet.
In the IAM role field, select the IAM role you created in the previous steps (refer to section "Create an IAM role" above).
Note: In order to be able to assign the IAM role to the instance, you are required to have special IAM privileges.
For more information, refer to this blog:
Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission).
In the Network interfaces section - in the Primary IP field, enter the member's external private IP address (in our example - 10.0.0.20).

Note: Do not add another interface at this point.
When prompted to select a security group, use the permissive group you have created in the previous steps (refer to section "Create your VPC environment" above - "To create a new security group").
Launch the instance.
After the instance starts go to EC2 / Network Interfaces / Create Network interface.
Fill the following:
- Description: "Internal interface"
- Subnet: select the subnet 10.0.1.0/24 (in our example)
- Private IP: 10.0.1.20 (in our example)
- Security Group: select the permissive group created in the previous steps (refer to section "Create your VPC environment" above - "To create a new security group")
Attach the interface to the cluster member instance.
Repeat the above steps to add additional interfaces.
Right-click on all interfaces you have created and disable the source/destination check:
Allocate an elastic IP address or select an available one.
Associate the elastic IP address with the external private IP address of the instance (in our example - 10.0.0.20). We will use this IP address to manage the cluster member.

Check Point First Time Configuration Wizard

Follow these steps from vSEC Gateway for Amazon Web Services Getting Started Guide - Chapter 'Installing and Configuring the vSEC Gateway':

Securely Accessing the Security Gateway
Installing Check Point Software Blades

In the First Time Configuration Wizard, follow these steps:

Check the box Security Gateway
Clear the box Security Management
Check the box Unit is a part of a cluster, type and select ClusterXL
Click on Next button.
Enter an Activation Key (it will be used later in SmartDashboard to establish trust with the cluster member - refer to section "Configuration in SmartDashboard" below).
After the wizard completes, let the cluster member reboot.
After reboot, connect to Gaia Portal on the cluster member.
Configure the remaining network interfaces:
1. Check the box Enable
2. On IPv4 tab, configure IPv4 address using the private IP address of this interface (in our example - 10.0.1.20).

Repeat the above steps to launch a second cluster member instance.

On Member A (but not on Member B):

Add a secondary private IP address to the External interface
Assign another elastic IP address to the External interface (this IP address will be used as the Cluster public IP address)
Add a secondary private IP address to the Internal interface

Refer to section "Example environment" above.

(VI) Configuring a Check Point Cluster in SmartConsole

For more videos, visit the Check Point Support YouTube channel.

Connect with SmartDashboard to Security Management Server / Domain Management Server.
In Network Objects view, right-click on Check Point - select Security Cluster - select Check Point Appliance/Open Server...:
Click on Wizard Mode button:
Define cluster general properties:
1. In the Cluster Name field, enter the desired name for cluster object (in our example - Cluster1).
2. In the Cluster IPv4 Address field, enter the cluster's external private IP address (in our example - 10.0.0.10).
3. In the Choose the Cluster's Solution list, select Check Point ClusterXL and High Availability.
4. Click on Next button.
Define cluster members:
1. Member A:
  1. Click on Add... button - select New Cluster Member...
  2. In the Name field, enter the desired member's name (in our example - Member_A).
  3. In the IPv4 Address field, enter the member's Elastic IP address (in our example - 198.51.100.20).
  4. In the Activation Key field, enter the activation key you have created previously (refer to section "Check Point First Time Configuration Wizard" above).
  5. Click on Initialize button.
2. Member B:
  1. Click on Add... button - select New Cluster Member...
  2. In the Name field, enter the desired member's name (in our example - Member_B).
  3. In the IPv4 Address field, enter the member's Elastic IP address (in our example - 198.51.100.30).
  4. In the Activation Key field, enter the activation key you have created previously (refer to section "Check Point First Time Configuration Wizard" above).
  5. Click on Initialize button.
3. After adding both cluster members, click on Next button.
Click on Next button to start configuring the topology of the cluster:
Configure External Virtual IP address (in our example - 10.0.0.10 / 255.255.255.0):
Click on Next button.
Configure Internal Virtual IP address (in our example - 10.0.1.10 / 255.255.255.0):

Important Note: This network will also be used for State Synchronization.
Click on Next button.
A warning appears that synchronization network was not defined.

Confirm that you want to continue - click on Yes.
Cluster definition wizard is now complete.

Check the box Edit Cluster's Properties and click on Finish button:
Cluster properties window will open.

Go to Topology pane - click on Edit button:
For the Internal network (in our example - 10.0.1.X), in the Network Objective field, select Cluster + 1st Sync

Note: This network will also be used for State Synchronization.
Verify the settings - click on OK to close the window - click on OK to close cluster object properties.
Install policy on this cluster.

(VII) Validating your setup

Use the cphaprob state command and the cphaprob -a if command on each cluster member to validate that the cluster is operating correctly.

Output of cphaprob state command on both cluster member must show identical information (except the "(local)" string).

Example:

[Expert@HostName:0]# cphaprob state

Cluster Mode:   High Availability (Active Up) with IGMP Membership
Number     Unique Address  Assigned Load   State
1 (local)  10.0.1.20       0%              Active
2          10.0.1.30       100%            Standby

Simulate a cluster failover.

For example, shut down the internal interface of the Active cluster member.

After a few seconds, you should see that the 2nd cluster member reports itself as the Active member.

Go to the AWS WebUI and confirm that:
- All secondary private IP addresses that were assigned to the 1st member are now assigned to 2nd member
- In all routing tables associated with internal subnets in the VPC, the default route is pointing to the internal interfaces of the member that has taken over.
Note: You might need to refresh the AWS WebUI to see the changes.
Verify that the active cluster member is the instance that was deployed with the secondary private IP addresses:
1. Open the Amazon EC2 console.
2. In the left navigation pane, choose Instances.
3. Select the active cluster member.
4. In the Description tab, verify that there are two private IP addresses in the Secondary private IPs field.
  If not, simulate a cluster failover as described in step 2.

(VIII) Setting up a Site to Site VPN

To set up a Site to Site VPN between the cluster and another Check Point Security Gateway, refer to R77.30 vSEC Gateway for Amazon Web Services Getting Started Guide - Chapter 5 'Setting up a VPN tunnel'.

In addition:

Connect with SmartDashboard to the Security Management Server / Domain Management Server that manages the peer Security Gateway:
1. Open the cluster object.
2. Open IPSec VPN - go to Link Selection.
3. Select Always use this IP address.
4. Select Statically NATed IP.
5. Enter the cluster's public IP address.
6. Click on OK to close cluster object properties.
7. Install the security policy on both the peer Security Gateway and the cluster.
Connect with SmartDashboard to the Security Management Server / Domain Management Server that manages this cluster:
1. Open the cluster object.
2. Open IPSec VPN - go to Link Selection.
3. Click on Source IP address settings... button.
4. Select Manual.
5. Select Selected address from topology table.
6. Select the private IP address of the external interface of the cluster (in our example - 10.0.0.10).
7. Click on OK to close cluster object properties.
8. Install the security policy on both the cluster and the peer Security Gateway.

(IX) Documentation

vSEC Gateway for Amazon Web Services Getting Started Guide

(X) Troubleshooting

If you are experiencing issues:

Verify that the script in charge of communicating with AWS is running on each cluster member.

[Expert@HostName]# cpwd_admin list | grep -E "PID|AWS_HAD"

The output should have a line similar to:
```
APP        PID    STAT  #START  START_TIME             MON  COMMAND
AWS_HAD    3663   E     1       [12:58:48] 15/1/2015   N    python /opt/CPsuite-R77/fw1/scripts/aws_had.py
```
Notes:
- The script should appear in the output
- The "STAT" column should show "E" (stands for "Executing")
- The "#START" column should show "1" (how many times this script was started by the Check Point WatchDog)
Enable debugging on each cluster member:

Note: You need to use the full path of the scripts.
[Expert@HostName]# $FWDIR/Python/bin/python $FWDIR/scripts/aws_ha_cli.py stop

[Expert@HostName]# $FWDIR/Python/bin/python $FWDIR/scripts/aws_ha_cli.py --debug reconf

Debug output will be written to:
$FWDIR/log/aws_had.elg*

In order to disable debugging you should run the following command on each cluster member: $FWDIR/Python/bin/python $FWDIR/scripts/aws_ha_cli.py restart
Make sure that you have set up your IAM roles as outlined in this article (refer to section "Create an IAM role" above).
Misconfigured IAM roles would prevent the cluster members from communicating with AWS to make networking changes if a cluster member failure occurs.
In order to automatically make networking changes, the cluster members need to communicate with AWS. This is done over two types of connections:
- HTTP connection over TCP port 80 to 169.254.169.254 as described in:
  http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
- HTTPS connection over TCP port 443 to one of the AWS endpoints as described in:
  http://docs.aws.amazon.com/general/latest/gr/rande.html#vpc_region
Make sure that the Security Policy installed on the Security Gateway allows this type of communication.

Also, it is imperative that the system clock on the cluster members is set properly.
- You should set up the cluster members to use NTP
- Make sure that the security policy on the gateways allows the cluster members to initiate outbound NTP traffic (UDP/123) to your NTP servers.
Check Point provides a script that can be used to verify and troubleshoot cluster configuration in AWS.

This script verifies that:
- A Primary DNS server is configured
- DNS resolution works
- Access from the cluster member to the AWS metadata service (HTTP to 169.254.169.254) is available
- The instance is set up with a IAM role
- IAM credentials are available
- Access from the cluster member to the AWS web service endpoint (over TCP port 443) is available
- The IAM credentials allow the instance to make API calls into AWS
- The cluster is configured with at least one internal interface
- For each cluster member interface there exists a corresponding AWS ENI sharing the same primary private address
- All cluster member interfaces have the source/destination check disabled
- Compares the system clock to the time reported by AWS
Instructions:
1. Verify the existence of $FWDIR/scripts/aws_ha_test.py.
2. If the above file is not on the instance:
  1. Download the script file aws_ha_test.tar and transfer it to the cluster member.
  2. Connect to command line on cluster member.
  3. Unpack the script (extract the script into $FWDIR/scripts/ directory):
    
    [Expert@HostName]# tar -xvf aws_ha_test.tar
3. Run the following commands to execute the script:
  
  [Expert@HostName]# cd $FWDIR/scripts/
  
  [Expert@HostName]# $FWDIR/Python/bin/python -m aws_ha_test
  
  If all tests were successful, the script should output:
  All tests were successful!
  Otherwise, an error message is displayed that should help you troubleshoot the problem.
4. Repeat Steps A-C on the other cluster member.

Applies To:

By default, every Check Point Security Gateway and Security Management Server's WebUI is accessible from the internet by browsing to http://. Restricting access to the WebUI is possible by configuring a Network Security Group, or by configuring the Check Point Gateway and Management Server settings.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating