The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
How to Deploy a Check Point Cluster in AWS
CloudGuard Network for AWS
Platform / Model
This article will guide you in deploying a Check Point cluster in AWS.
Table of Contents:
Method of operations
Deploying a Check Point Cluster in AWS
Configuring a Check Point Cluster in SmartConsole
Validating your setup
Setting up a Site to Site VPN
Known Limitations and Issues
It is assumed that the reader is familiar with general AWS concepts and services such as:
EC2 (Elastic Compute Cloud)
VPC (Virtual Private Cloud)
IAM (Identity and Access Management)
As part of this article, it is necessary to create an IAM instance profile and later pass the role to the Check Point instances. To do this, you must have an AWS user account with IAM privileges.
Important Note - By default, every Check Point Security Gateway and Security Management Server's Gaia Portal is accessible from the internet by browsing to http://<virtual-machine-public-ip>. Restricting access to the Gaia Portal is possible by configuring a Network Security Group, or by configuring the Check Point Gateway and Management Server settings.
(2) Method of Operations
A Check Point cluster in a non-AWS environment uses multicast or broadcast to perform state synchronization and health checks across cluster members.
Since multicast and broadcast are not supported in VPC, the Check Point Cluster Members in AWS use unicast to communicate with each other.
In addition, in a regular ClusterXL in High Availability mode, Cluster Members use Gratuitous ARP Requests to announce the MAC Address of the Active member that is associated with the Virtual IP Address (during normal operations and when cluster failover occurs).
In contrast, in AWS this is implemented by making API calls to AWS.
When a cluster failover occurs, the Standby Cluster Member is promoted to Active and takes ownership of the cluster resources. As part of this process, this cluster member:
Moves all secondary private IP addresses from the failed cluster member to itself.
Changes the default route in all routing tables associated with internal networks to point to itself.
To automatically make API calls to AWS, the Cluster Members need to be provided with credentials. This is achieved using a standard AWS mechanism called IAM Roles.
Make sure to replace the IP addresses in the example environment to reflect your environment when you do the configuration steps listed here.
Note - Since the number of interfaces an instance can have is limited by AWS based on the instance type, we set up the internal network to function as a Cluster and as a Sync network [The smallest instance type supported by Check Point is m3.medium, which comes with 2 interfaces. All other supported instance types have 3 or more interfaces].
Cluster Virtual IP
Elastic IP address
Allocated by AWS
External private address
Internal private address
Also acts as a Sync network
(4) Deploying a Check Point Cluster in AWS
CloudFormation is an Amazon Web Services (AWS) service that enables modeling and the setup of resources inside AWS in an automated fashion.
To create the cluster, it is first necessary to subscribe to the Check Point Security Gateway solution on the AWS marketplace. Do this one time for each AWS account.
When you deploy this template, it is not necessary to run the Check Point First Time Configuration Wizard. Instead, the First Time Configuration Wizard is executed automatically, and the Cluster Members restart one time.
When you deploy the Check Point Cluster into an existing VPC using the Cloud Formation template, it automatically creates an AWS routing table, and associate the internal subnet to it. This is done to route all the traffic outside the subnet through the Check Point Cluster member.
After you create a Cloud Formation stack using the above template, configure the Check Point Cluster in SmartConsole.
If you have used the CloudFormation templates to deploy the Check Point Cluster in AWS, skip to Step (5) Configuring a Check Point Cluster in SmartConsole.
Create an IAM role
In this step, we create an IAM role and an Instance Profile. When you launch the Check Point Cluster Members, you would pass them this role. This allows the Cluster Members to automatically make changes in the VPC environment if a cluster failover occurs.
Note - Only privileged AWS users can create IAM roles.
Note - All subnets must reside in the same availability zone.
Create a route table and associate it with the external subnet, add a default route and point it to the Internet Gateway:
The Check Point Security Gateway can enforce a more sophisticated Security Policy, making the VPC security groups redundant. This procedure explains how to create a permissive VPC security group to prevent a possible conflict between the VPC security groups and the Check Point security policy.
To create a new security group:
Open the Security Groups menu.
Click Create Security Group.
In the Group name field, enter the group name - PermissiveSecGrp.
In the Description field, enter: Permissive Security Group.
In the VPC field, select the VPC.
Click Yes > select Create.
Create a new rule for this Security Group that accepts all traffic from any source address:
In the Security Groups list, select the new PermissiveSecGrp.
Go to the Inbound Rules tab.
Create a new rule that accepts all traffic from any source address.
If all tests were successful, the script should output:
All tests were successful!
Otherwise, an error message is displayed to help you troubleshoot the problem.
Repeat Steps A-C on the other Cluster Member.
(9) Known Limitations and Issues
Only two members per cluster are supported.
Running the Security Management Server on the Cluster Members is not supported.
Only High Availability mode (Active/Standby) is supported. Load Sharing modes are not supported.
Both Cluster Members must reside in the same Availability Zone.
Currently, it can take up to 40 seconds for a Cluster Member to take full ownership of a cluster during failover. This is due to the amount of time it takes AWS to move secondary private addresses from one member to another.
VRRP cluster is not supported.
A Check Point Security Gateway, running without the appropriate IAM role, cannot be joined to a cluster after it was created.