It is assumed that the reader is familiar with general AWS concepts and services such as:
EC2 (Elastic Compute Cloud)
VPC (Virtual Private Cloud)
IAM (Identity and Access Management)
As part of this article, it is necessary to create an IAM instance profile and later pass the role to the Check Point instances. To do this, you must have an AWS user account with IAM privileges.
Important Note - By default, every Check Point Security Gateway and Security Management Server's Gaia Portal is accessible from the internet by browsing to http://<virtual-machine-public-ip>. Restricting access to the Gaia Portal is possible by configuring a Network Security Group, or by configuring the Check Point Gateway and Management Server settings.
(2) Method of Operations
A Check Point cluster in a non-AWS environment uses multicast or broadcast to perform state synchronization and health checks across cluster members.
Since multicast and broadcast are not supported in VPC, the Check Point Cluster Members in AWS use unicast to communicate with each other.
In addition, in a regular ClusterXL in High Availability mode, Cluster Members use Gratuitous ARP Requests to announce the MAC Address of the Active member that is associated with the Virtual IP Address (during normal operations and when cluster failover occurs).
In contrast, in AWS this is implemented by making API calls to AWS.
When a cluster failover occurs, the Standby Cluster Member is promoted to Active and takes ownership of the cluster resources. As part of this process, this cluster member:
Moves all secondary private IP addresses from the failed cluster member to itself.
Changes the default route in all routing tables associated with internal networks to point to itself.
To automatically make API calls to AWS, the Cluster Members need to be provided with credentials. This is achieved using a standard AWS mechanism called IAM Roles.
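As an added illustration (not Check Point's aws_had.py and not code from this article), here are the two failover actions listed above written against the boto3 EC2 client method names describe_network_interfaces, assign_private_ip_addresses, describe_route_tables and replace_route. A constructed in-memory stand-in replaces the real client so the logic runs offline; the record shapes are simplified and the instance, ENI and route table IDs are invented, while the addresses are the ones from the example environment.

```python
class FakeEC2:
    """Constructed stand-in for boto3.client('ec2'): simplified in-memory ENI and route records."""
    def __init__(self, enis, route_tables):
        self.enis, self.route_tables = enis, route_tables
    def describe_network_interfaces(self, Filters):  # only the attachment.instance-id filter is used
        return {"NetworkInterfaces": [e for e in self.enis if e["InstanceId"] in Filters[0]["Values"]]}
    def assign_private_ip_addresses(self, NetworkInterfaceId, PrivateIpAddresses, AllowReassignment):
        assert AllowReassignment  # AWS will not move an IP that is still assigned elsewhere without it
        for e in self.enis:
            e["Ips"] = [ip for ip in e["Ips"] if ip not in PrivateIpAddresses]
        next(e for e in self.enis if e["Id"] == NetworkInterfaceId)["Ips"] += PrivateIpAddresses
    def describe_route_tables(self):
        return {"RouteTables": self.route_tables}
    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        rt = next(r for r in self.route_tables if r["RouteTableId"] == RouteTableId)
        rt["Routes"][DestinationCidrBlock] = NetworkInterfaceId

def take_ownership(ec2, failed_id, new_id):
    """The two actions the promoted member performs, in the order the article gives them.
    The instance role needs at least ec2:DescribeNetworkInterfaces, ec2:AssignPrivateIpAddresses,
    ec2:DescribeRouteTables and ec2:ReplaceRoute for these calls (least privilege, nothing wider)."""
    def enis(i):
        return ec2.describe_network_interfaces(
            Filters=[{"Name": "attachment.instance-id", "Values": [i]}])["NetworkInterfaces"]
    mine = {e["SubnetId"]: e["Id"] for e in enis(new_id)}            # new Active's ENI per subnet
    old = enis(failed_id)
    peer = {e["Id"]: mine[e["SubnetId"]] for e in old}                # failed ENI -> ENI in same subnet
    moved, repointed = {}, []
    for e in old:                                  # 1. move every secondary IP (Ips[0] is the primary)
        secondary = e["Ips"][1:]
        if secondary:
            ec2.assign_private_ip_addresses(NetworkInterfaceId=peer[e["Id"]],
                                            PrivateIpAddresses=secondary, AllowReassignment=True)
            moved[peer[e["Id"]]] = secondary
    for rt in ec2.describe_route_tables()["RouteTables"]:  # 2. repoint default routes that used it
        via = rt["Routes"].get("0.0.0.0/0")
        if via in peer:                            # the external table points at the IGW: untouched
            ec2.replace_route(RouteTableId=rt["RouteTableId"], DestinationCidrBlock="0.0.0.0/0",
                              NetworkInterfaceId=peer[via])
            repointed.append((rt["RouteTableId"], peer[via]))
    return moved, repointed

def demo():
    """Constructed environment: Member A (failed) holds both Cluster VIPs as secondary IPs."""
    ec2 = FakeEC2(
        [{"Id": "eni-a-ext", "InstanceId": "i-a", "SubnetId": "subnet-ext", "Ips": ["10.0.0.20", "10.0.0.10"]},
         {"Id": "eni-a-int", "InstanceId": "i-a", "SubnetId": "subnet-int", "Ips": ["10.0.1.20", "10.0.1.10"]},
         {"Id": "eni-b-ext", "InstanceId": "i-b", "SubnetId": "subnet-ext", "Ips": ["10.0.0.30"]},
         {"Id": "eni-b-int", "InstanceId": "i-b", "SubnetId": "subnet-int", "Ips": ["10.0.1.30"]}],
        [{"RouteTableId": "rtb-ext", "Routes": {"0.0.0.0/0": "igw-example"}},
         {"RouteTableId": "rtb-int", "Routes": {"0.0.0.0/0": "eni-a-int"}}])
    return take_ownership(ec2, "i-a", "i-b"), ec2
```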
When you perform the configuration steps listed here, replace the IP addresses of the example environment with those of your own environment.
Note - Since AWS limits the number of interfaces an instance can have according to the instance type, we set up the internal network to function both as the Cluster network and as the Sync network. (The smallest instance type supported by Check Point is m3.medium, which comes with 2 interfaces. All other supported instance types have 3 or more interfaces.)
Example environment:

                           Cluster Virtual IP   Member A        Member B        Comments
Elastic IP address         198.51.100.10        198.51.100.20   198.51.100.30   Allocated by AWS
External private address   10.0.0.10            10.0.0.20       10.0.0.30
Internal private address   10.0.1.10            10.0.1.20       10.0.1.30       Also acts as a Sync network
(4) Deploying a Check Point Cluster in AWS
CloudFormation is an Amazon Web Services (AWS) service that enables modeling and the setup of resources inside AWS in an automated fashion.
To create the cluster, it is first necessary to subscribe to the Check Point Security Gateway solution on the AWS marketplace. Do this one time for each AWS account.
When you deploy this template, it is not necessary to run the Check Point First Time Configuration Wizard. Instead, the First Time Configuration Wizard is executed automatically, and the Cluster Members restart one time.
When you deploy the Check Point Cluster into an existing VPC using the CloudFormation template, it automatically creates an AWS routing table and associates the internal subnet with it. This routes all traffic leaving the subnet through the Check Point Cluster Member.
After you create a CloudFormation stack from the above template, configure the Check Point Cluster in SmartConsole.
If you have used the CloudFormation templates to deploy the Check Point Cluster in AWS, skip to Step (5) Configuring a Check Point Cluster in SmartConsole.
Create an IAM role
In this step, we create an IAM role and an Instance Profile. When you launch the Check Point Cluster Members, you pass them this role. This allows the Cluster Members to automatically make changes in the VPC environment if a cluster failover occurs.
Note - Only privileged AWS users can create IAM roles.
Note - All subnets must reside in the same availability zone.
Create a route table and associate it with the external subnet. Add a default route and point it to the Internet Gateway.
The Check Point Security Gateway can enforce a more sophisticated Security Policy, making the VPC security groups redundant. This procedure explains how to create a permissive VPC security group to prevent a possible conflict between the VPC security groups and the Check Point security policy.
To create a new security group:
Open the Security Groups menu.
Click Create Security Group.
In the Group name field, enter the group name - PermissiveSecGrp.
In the Description field, enter: Permissive Security Group.
In the VPC field, select the VPC.
Click Yes > select Create.
Create a new rule for this Security Group that accepts all traffic from any source address:
In the Security Groups list, select the new PermissiveSecGrp.
Go to the Inbound Rules tab.
Create a new rule that accepts all traffic from any source address.
Refer to the Amazon EC2 User Guide to identify an appropriate instance type that can accommodate the number of interfaces and private addresses you require.
Use these settings:
In the Network field, select your VPC.
In the Subnet field, select your external subnet.
In the IAM role field, select the IAM role you created in the previous steps (refer to section "Create an IAM role" above).
Note - To assign the IAM role to the instance, it is necessary to have special IAM privileges.
In the Network interfaces section > Primary IP field, enter the member's external private IP address (in our example - 10.0.0.20).
Note - Do not add another interface at this point.
When prompted to select a Security Group, use the permissive group you created in the previous steps (refer to section "Create your VPC environment" above - "To create a new security group").
Launch the instance.
After the instance starts, go to EC2 / Network Interfaces / Create Network interface.
Enter the necessary information:
Description: "Internal interface"
Subnet: select the subnet 10.0.1.0/24 (in our example)
Private IP: 10.0.1.20 (in our example)
Security Group: select the permissive group created in the previous steps (refer to section "Create your VPC environment" above - "To create a new security group")
Attach the interface to the Cluster Member instance.
To add additional interfaces, repeat the above steps.
Right-click on each interface that you created and disable the source/destination check.
Allocate an elastic IP address, or select an available one.
Associate the elastic IP address with the external private IP address of the instance (in our example - 10.0.0.20). We use this IP address to manage the Cluster Member.
Connect with SmartConsole (R80 and higher) / SmartDashboard (R77.30) to Security Management Server / Domain Management Server.
In Network Objects view, right-click on Check Point > select Security Cluster > select Check Point Appliance/Open Server.
Click Wizard Mode.
Define the cluster's general properties:
In the Cluster Name field, enter the desired name for cluster object (in our example - Cluster1).
In the Cluster IPv4 Address field, enter the cluster's external private IP address (in our example - 10.0.0.10).
In the Choose the Cluster's Solution list, select Check Point ClusterXL and High Availability.
Click Next.
Define Cluster Members:
Member A:
Click Add > select New Cluster Member.
In the Name field, enter the desired member's name (in our example: Member_A).
In the IPv4 Address field, enter the member's Elastic IP address (in our example: 198.51.100.20).
In the Activation Key field, enter the activation key you created earlier (refer to section "Check Point First Time Configuration Wizard").
Click Initialize.
Member B:
Click Add > select New Cluster Member.
In the Name field, enter the desired member's name (in our example - Member_B).
In the IPv4 Address field, enter the member's Elastic IP address (in our example - 198.51.100.30).
In the Activation Key field, enter the activation key you created earlier (refer to section "Check Point First Time Configuration Wizard").
Click Initialize.
After adding both Cluster Members, click Next.
To start configuring the topology of the cluster, click Next.
Configure External Virtual IP address (in our example: 10.0.0.10 / 255.255.255.0).
Click Next.
Configure Internal Virtual IP address (in our example: 10.0.1.10 / 255.255.255.0).
Important - This network is also used for State Synchronization.
Click Next.
A warning appears that no synchronization network was defined.
Confirm that you want to continue by clicking Yes.
The Cluster definition wizard is now complete.
Select the checkbox Edit Cluster's Properties > click Finish.
The Cluster properties window opens.
Go to Topology pane > click Edit.
For the Internal network (in our example: 10.0.1.X), in the Network Objective field, select Cluster + 1st Sync.
Note -This network is also used for State Synchronization.
Verify the settings. Click OK to close the Topology window, then click OK to close the cluster object properties.
Install policy on this cluster.
(6) Validating the Setup
Use the cphaprob state command and the cphaprob -a if command on each Cluster Member to validate that the cluster is operating correctly.
The output of the cphaprob state command on both Cluster Members must show identical information (except for the "(local)" string).
Example:
[Expert@HostName:0]# cphaprob state
Cluster Mode: High Availability (Active Up) with IGMP Membership
Number Unique Address Assigned Load State
1 (local) 10.0.1.20 0% Active
2 10.0.1.30 100% Standby
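Added example (not part of the original article): a parser for the cphaprob state output shown above, with the check the article describes applied to the outputs collected from both members: they must agree except for the "(local)" marker, and a healthy High Availability pair has exactly one Active member. The sample outputs are constructed from the example addresses; the second pair is an invented split-brain case in which each member believes it is Active.

```python
import re

ROW = re.compile(r"^\s*(\d+)\s+(\(local\)\s+)?(\d+\.\d+\.\d+\.\d+)\s+(\d+)%\s+(\S+)")

def parse_cphaprob_state(output):
    """Return (cluster mode, {sync address: row}) from 'cphaprob state' output."""
    mode, members = None, {}
    for line in output.splitlines():
        m = ROW.match(line)
        if line.startswith("Cluster Mode:"):
            mode = line.split(":", 1)[1].strip()
        elif m:
            members[m.group(3)] = {"number": int(m.group(1)), "load": int(m.group(4)),
                                   "state": m.group(5), "local": m.group(2) is not None}
    return mode, members

def check_cluster(out_a, out_b):
    """Both outputs must be identical except for the '(local)' marker, and exactly one
    member may be Active. Returns (active_address or None, list of problems)."""
    (mode_a, mem_a), (mode_b, mem_b) = parse_cphaprob_state(out_a), parse_cphaprob_state(out_b)
    problems = []
    if mode_a != mode_b:
        problems.append(f"cluster mode differs: {mode_a!r} vs {mode_b!r}")
    def without_local(mem):
        return {ip: {k: v for k, v in row.items() if k != "local"} for ip, row in mem.items()}
    if without_local(mem_a) != without_local(mem_b):
        problems.append("members disagree about cluster state (possible split brain or lost sync)")
    local_a = [ip for ip, r in mem_a.items() if r["local"]]
    local_b = [ip for ip, r in mem_b.items() if r["local"]]
    if len(local_a) != 1 or len(local_b) != 1 or local_a == local_b:
        problems.append(f"unexpected (local) markers: {local_a} / {local_b}")
    active = [ip for ip, r in mem_a.items() if r["state"] == "Active"]
    if len(active) != 1:
        problems.append(f"expected exactly one Active member, found {active}")
    return (active[0] if len(active) == 1 else None), problems

# Constructed outputs: the article's example as seen from Member A, and the same table from Member B.
MEMBER_A = """Cluster Mode:   High Availability (Active Up) with IGMP Membership
Number     Unique Address  Assigned Load   State
1 (local)  10.0.1.20       0%              Active
2          10.0.1.30       100%            Standby
"""
MEMBER_B = """Cluster Mode:   High Availability (Active Up) with IGMP Membership
Number     Unique Address  Assigned Load   State
1          10.0.1.20       0%              Active
2 (local)  10.0.1.30       100%            Standby
"""
# Constructed failure case: each member believes it is Active and reports the other as Down.
SPLIT_A = "Cluster Mode: High Availability (Active Up)\n1 (local)  10.0.1.20  100%  Active\n2  10.0.1.30  0%  Down\n"
SPLIT_B = "Cluster Mode: High Availability (Active Up)\n1  10.0.1.20  0%  Down\n2 (local)  10.0.1.30  100%  Active\n"
```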
Simulate a cluster failover.
For example, shut down the internal interface of the Active Cluster Member.
After a few seconds, the second Cluster Member reports itself as the Active member.
Go to the AWS WebUI and confirm that:
All secondary private IP addresses that were assigned to the 1st member are now assigned to the 2nd member.
In all routing tables associated with internal subnets in the VPC, the default route is pointing to the internal interfaces of the member that has taken over.
Note - You might need to refresh the AWS WebUI to see the changes.
Verify that the Active Cluster Member is the instance that was deployed with the secondary private IP addresses.
Connect with SmartConsole (R80 and higher) / SmartDashboard (R77.30) to the Security Management Server / Domain Management Server that manages the peer Security Gateway:
Open the cluster object.
Open IPSec VPN > Link Selection.
Select Always use this IP address.
Select Statically NATed IP.
Enter the cluster's public IP address.
To close cluster object properties, click on OK.
Install the Security Policy on both the peer Security Gateway and the cluster.
Connect with SmartConsole (R80 and higher) / SmartDashboard (R77.30) to the Security Management Server / Domain Management Server that manages this cluster:
Open the cluster object.
Open IPSec VPN > Link Selection > click Source IP address settings.
Select Manual > Selected address from topology table.
Select the private IP address of the external interface of the cluster (in our example: 10.0.0.10).
To close cluster object properties, click OK.
Install the Security Policy on both the cluster and the peer Security Gateway.
(8) Troubleshooting
If you are experiencing issues:
Verify that the script in charge of communicating with AWS is running on each Cluster Member.
[Expert@HostName]# cpwd_admin list | grep -E "PID|AWS_HAD"
The output should have a line similar to:
APP PID STAT #START START_TIME MON COMMAND
AWS_HAD 3663 E 1 [12:58:48] 15/1/2015 N python /opt/CPsuite-R77/fw1/scripts/aws_had.py
Notes:
The script should appear in the output
The "STAT" column should show "E" (stands for "Executing")
The "#START" column should show "1" (how many times this script was started by the Check Point WatchDog)
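Added example (not from the article or from Check Point): a parser for the cpwd_admin list output above and the three checks the notes describe, run over the article's healthy line and a constructed line in which the script has been restarted by the WatchDog. The START_TIME column contains a space, which is why the row is not parsed by a fixed column count.

```python
def parse_cpwd_admin_list(output):
    """Parse 'cpwd_admin list' into {APP: row}. START_TIME is two tokens
    ('[12:58:48] 15/1/2015'), so the columns cannot be taken by position from a plain split()."""
    rows = {}
    for line in output.splitlines():
        t = line.split()
        if len(t) < 8 or t[0] == "APP":      # skip blank lines and the header
            continue
        rows[t[0]] = {"pid": int(t[1]), "stat": t[2], "starts": int(t[3]),
                      "start_time": f"{t[4]} {t[5]}", "mon": t[6], "command": " ".join(t[7:])}
    return rows

def check_aws_had(output):
    """The three checks the article lists for the AWS_HAD entry; returns findings (empty = healthy)."""
    row = parse_cpwd_admin_list(output).get("AWS_HAD")
    if row is None:
        return ["AWS_HAD is not registered with the WatchDog: the script is not running"]
    findings = []
    if row["stat"] != "E":
        findings.append(f"STAT is {row['stat']!r}, expected 'E' (Executing)")
    if row["starts"] != 1:
        findings.append(f"#START is {row['starts']}: the WatchDog has restarted the script")
    return findings

# The article's healthy output, and a constructed output in which the script keeps restarting.
HEALTHY = """APP        PID    STAT  #START  START_TIME             MON  COMMAND
AWS_HAD    3663   E     1       [12:58:48] 15/1/2015   N    python /opt/CPsuite-R77/fw1/scripts/aws_had.py
"""
RESTARTING = """APP        PID    STAT  #START  START_TIME             MON  COMMAND
AWS_HAD    4102   T     7       [13:05:12] 15/1/2015   N    python /opt/CPsuite-R77/fw1/scripts/aws_had.py
"""
```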
Enable debugging on each Cluster Member:
Note - It is necessary to use the full path of the scripts.
If all tests were successful, the script should output:
All tests were successful!
Otherwise, an error message is displayed to help you troubleshoot the problem.
Repeat Steps A-C on the other Cluster Member.
(9) Known Limitations and Issues
Only two members per cluster are supported.
Running the Security Management Server on the Cluster Members is not supported.
Only High Availability mode (Active/Standby) is supported. Load Sharing modes are not supported.
Both Cluster Members must reside in the same Availability Zone.
Currently, it can take up to 40 seconds for a Cluster Member to take full ownership of a cluster during failover. This is due to the amount of time it takes AWS to move secondary private addresses from one member to another.
VRRP cluster is not supported.
A Check Point Security Gateway that is running without the appropriate IAM role cannot be joined to a cluster after the instance was created; the role must be assigned when the instance is launched.