How to Deploy a Check Point Cluster in AWS
Solution

This article will guide you in deploying a Check Point cluster in AWS.

Table of Contents:

  1. Prerequisites
  2. Method of operations
  3. Example environment
  4. Deploying a Check Point Cluster in AWS
  5. Configuring a Check Point Cluster in SmartConsole
  6. Validating your setup
  7. Setting up a Site to Site VPN
  8. Troubleshooting
  9. Known Limitations and Issues
  10. Documentation

 

(1) Prerequisites

It is assumed that the reader is familiar with general AWS concepts and services such as:

  • EC2 (Elastic Compute Cloud)
  • VPC (Virtual Private Cloud)
  • IAM (Identity and Access Management)

As part of this article, it is necessary to create an IAM instance profile and later pass the role to the Check Point instances. To do this, you must have an AWS user account with IAM privileges.

 

(2) Method of Operations

A Check Point cluster in a non-AWS environment uses multicast or broadcast to perform state synchronization and health checks across cluster members.

Since multicast and broadcast are not supported in VPC, the Check Point Cluster Members in AWS use unicast to communicate with each other.

In addition, in a regular ClusterXL in High Availability mode, Cluster Members use Gratuitous ARP Requests to announce the MAC Address of the Active member that is associated with the Virtual IP Address (during normal operations and when cluster failover occurs).
In contrast, in AWS this is implemented by making API calls to AWS.

When a cluster failover occurs, the Standby Cluster Member is promoted to Active and takes ownership of the cluster resources. As part of this process this member:

  • Moves all secondary private IP addresses from the failed cluster member to itself.
  • Changes the default route in all routing tables associated with internal networks to point to itself.

To automatically make API calls to AWS, the Cluster Members need to be provided with credentials. This is achieved using a standard AWS mechanism called IAM Roles.
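The failover behaviour described above, modelled as an added example. This is not Check Point's aws_had.py and is not code from the article: it plans the two kinds of EC2 calls the newly Active member issues, AssignPrivateIpAddresses (taking over the secondary private addresses) and ReplaceRoute (repointing the default routes). The record layout, the instance and ENI names, and the `plan_failover`/`apply_plan` functions are assumptions made for the example; the parameter names handed to the client are the real boto3 EC2 client parameters. The sample data is constructed from the article's example environment.

```python
# Added example: a dry-run model of the two AWS changes the article says the
# newly Active member performs. This is NOT Check Point's aws_had.py; the
# record layout below is a simplified assumption, not the boto3 response schema.
# Sample data is constructed from the article's example environment.

ENIS = [  # one record per ENI: owning member, subnet, primary and secondary addresses
    {"id": "eni-a-ext", "instance": "member-a", "subnet": "subnet-ext",
     "primary_ip": "10.0.0.20", "secondary_ips": ["10.0.0.10"]},
    {"id": "eni-a-int", "instance": "member-a", "subnet": "subnet-int",
     "primary_ip": "10.0.1.20", "secondary_ips": ["10.0.1.10"]},
    {"id": "eni-b-ext", "instance": "member-b", "subnet": "subnet-ext",
     "primary_ip": "10.0.0.30", "secondary_ips": []},
    {"id": "eni-b-int", "instance": "member-b", "subnet": "subnet-int",
     "primary_ip": "10.0.1.30", "secondary_ips": []},
]

ROUTE_TABLES = [
    {"id": "rtb-internal", "routes": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "eni-a-int"}]},
    {"id": "rtb-external", "routes": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "igw-example"}]},
]

# boto3 EC2 client method for each EC2 API action (real boto3 method names).
BOTO3_METHOD = {
    "AssignPrivateIpAddresses": "assign_private_ip_addresses",
    "ReplaceRoute": "replace_route",
}


def plan_failover(enis, route_tables, failed, survivor):
    """Return the ordered list of (action, params) the survivor must issue.

    1. Every secondary private IP on the failed member's ENIs is reassigned to
       the survivor's ENI in the same subnet. AllowReassignment is required
       because the address is still bound to the failed member's ENI.
    2. Every 0.0.0.0/0 route that targets one of the failed member's ENIs is
       replaced to target the survivor's ENI in that subnet.
    """
    failed_by_subnet = {e["subnet"]: e for e in enis if e["instance"] == failed}
    survivor_by_subnet = {e["subnet"]: e for e in enis if e["instance"] == survivor}
    calls = []
    for subnet, old in failed_by_subnet.items():
        if subnet not in survivor_by_subnet:
            raise ValueError(f"{survivor} has no interface in {subnet}; cannot take over")
        if old["secondary_ips"]:
            calls.append(("AssignPrivateIpAddresses", {
                "NetworkInterfaceId": survivor_by_subnet[subnet]["id"],
                "PrivateIpAddresses": list(old["secondary_ips"]),
                "AllowReassignment": True}))
    eni_to_subnet = {e["id"]: e["subnet"] for e in failed_by_subnet.values()}
    for rtb in route_tables:
        for route in rtb["routes"]:
            if route["destination"] == "0.0.0.0/0" and route["target"] in eni_to_subnet:
                new_eni = survivor_by_subnet[eni_to_subnet[route["target"]]]["id"]
                calls.append(("ReplaceRoute", {
                    "RouteTableId": rtb["id"],
                    "DestinationCidrBlock": "0.0.0.0/0",
                    "NetworkInterfaceId": new_eni}))
    return calls


def apply_plan(calls, ec2):
    """Issue the planned calls through an EC2 client: boto3.client('ec2') or any
    object exposing the same method names. Returns the number of calls made."""
    for action, params in calls:
        getattr(ec2, BOTO3_METHOD[action])(**params)
    return len(calls)


if __name__ == "__main__":
    for action, params in plan_failover(ENIS, ROUTE_TABLES, "member-a", "member-b"):
        print(action, params)
```

Running the block prints the three calls a failover from Member A to Member B needs: one reassignment per ENI that carried a cluster address, and one route replacement for the internal route table; the external route table keeps its Internet Gateway default route and is left alone. This is why the IAM role in the next section needs exactly the Describe, AssignPrivateIpAddresses and ReplaceRoute/CreateRoute actions.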

More information on IAM roles is available in the AWS IAM documentation.

 

(3) Example environment

Make sure to replace the IP addresses in the example environment to reflect your environment when you do the configuration steps listed here.

Note - Since the number of interfaces an instance can have is limited by AWS based on the instance type, we set up the internal network to function as a Cluster and as a Sync network [The smallest instance type supported by Check Point is m3.medium, which comes with 2 interfaces. All other supported instance types have 3 or more interfaces].

                           Cluster Virtual IP   Member A        Member B        Comments
Elastic IP address         198.51.100.10        198.51.100.20   198.51.100.30   Allocated by AWS
External private address   10.0.0.10            10.0.0.20       10.0.0.30
Internal private address   10.0.1.10            10.0.1.20       10.0.1.30       Also acts as a Sync network

 

(4) Deploying a Check Point Cluster in AWS

CloudFormation is an Amazon Web Services (AWS) service that models and sets up resources inside AWS in an automated fashion.

To create the cluster, it is first necessary to subscribe to the Check Point Security Gateway solution on the AWS Marketplace. Do this one time for each AWS account.

To check if you are already subscribed:

  1. Log in to the AWS portal.

  2. After you have logged in, review your current subscriptions.

If you are not yet subscribed:

  1. Log in to the AWS portal.

  2. After you have logged in, select and subscribe to one of these licensing options for Check Point CloudGuard IaaS Next Gen Firewall:

    1. R77.30
    2. R80.10
    3. R80.20

Click here to deploy a CloudGuard Cluster.

Notes:

  • When you deploy this template, it is not necessary to run the Check Point First Time Configuration Wizard. Instead, the First Time Configuration Wizard is executed automatically, and the Cluster Members restart one time.
  • When you deploy the Check Point Cluster into an existing VPC using the CloudFormation template, it automatically creates an AWS routing table and associates the internal subnet with it. This is done to route all the traffic leaving the subnet through the Check Point Cluster member.

After you create a CloudFormation stack using the above template, configure the Check Point Cluster in SmartConsole.

Manually Deploying a Check Point Cluster in AWS



If you have used the CloudFormation templates to deploy the Check Point Cluster in AWS, skip to Step (5) Configuring a Check Point Cluster in SmartConsole.

 

Create an IAM role

In this step, we create an IAM role and an Instance Profile. When you launch the Check Point Cluster Members, you pass this role to them. This allows the Cluster Members to automatically make changes in the VPC environment if a cluster failover occurs.

Note - Only privileged AWS users can create IAM roles.

 

  1. Go to https://console.aws.amazon.com/iam/home#home

  2. Go to Policies > select Create Policy.
  3. Select Create Your own Policy.



  4. Enter the Policy Name (such as check-point-cluster).



  5. In the Policy Document, paste the following (to allow access to all accounts and VPCs):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ec2:DescribeRouteTables",
                    "ec2:ReplaceRoute",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:CreateRoute"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    
  6. Click Create Policy. Then go to Roles > select Create New Role.

  7. In Set Role Name, enter the desired name (such as check-point-cluster).

  8. In Select Role Type, select Amazon EC2.

  9. In Attach Policy, locate and select the policy you created in the previous steps.
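As an added check on the policy document before it is attached (not part of the article or of Check Point's tooling), the following validator parses a policy, confirms that the five actions listed above are allowed, and flags statements that are broader than the cluster needs. The required-action list is the article's. The set of actions treated as scopable to specific route tables and network interfaces is an assumption taken from the AWS service authorization reference (the two Describe* calls do not support resource-level permissions, so their Resource must stay "*"); `check_cluster_policy` and the sample policies are constructed for the example.

```python
import json
from fnmatch import fnmatchcase

# Added example, not Check Point tooling. Checks an IAM policy document against
# the actions the article requires for the cluster role.

# The five actions listed in the article's policy document.
REQUIRED_ACTIONS = {
    "ec2:DescribeRouteTables",
    "ec2:ReplaceRoute",
    "ec2:AssignPrivateIpAddresses",
    "ec2:DescribeNetworkInterfaces",
    "ec2:CreateRoute",
}

# Assumption (AWS service authorization reference): these actions accept
# route-table / network-interface ARNs as Resource, so "*" is broader than
# needed. The two Describe* actions only work with Resource "*".
SCOPABLE_ACTIONS = {"ec2:ReplaceRoute", "ec2:CreateRoute", "ec2:AssignPrivateIpAddresses"}

# The policy exactly as the article gives it (copied here for the example).
ARTICLE_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeRouteTables",
                "ec2:ReplaceRoute",
                "ec2:AssignPrivateIpAddresses",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateRoute"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}"""


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def _granted(required, allowed_patterns):
    """True if some allowed action pattern (e.g. 'ec2:*') matches the required action."""
    return any(fnmatchcase(required, pattern) for pattern in allowed_patterns)


def check_cluster_policy(document):
    """Return {'missing': [...], 'extra': [...], 'findings': [...]} for a policy
    given as a JSON string or an already-parsed dict."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")

    allowed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement never satisfies a requirement
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        allowed |= actions
        for action in sorted(actions):
            if "*" in action:
                findings.append(f"wildcard action {action!r} grants more than the cluster needs")
        scopable_here = {s for s in SCOPABLE_ACTIONS if _granted(s, actions)}
        if "*" in resources and scopable_here:
            findings.append("Resource '*' on " + ", ".join(sorted(scopable_here))
                            + " could be limited to this VPC's route tables and ENIs")

    missing = sorted(r for r in REQUIRED_ACTIONS if not _granted(r, allowed))
    extra = sorted(allowed - REQUIRED_ACTIONS)
    return {"missing": missing, "extra": extra, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(check_cluster_policy(ARTICLE_POLICY), indent=2))
```

On the article's policy the result has no missing and no extra actions and a single finding, the Resource "*" on the three mutating actions; whether to tighten that is a trade-off between least privilege and the article's "all accounts and VPCs" convenience. A policy written as ec2:* passes the missing-action check but is reported as a wildcard grant.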

 

Creating the VPC Environment

These steps give a high-level description about how to create a VPC environment. For more information, see the R77.30 vSEC Gateway for Amazon Web Services Getting Started Guide.

  1. Create a VPC.

  2. Create an Internet Gateway in the VPC.

  3. Create the external and internal subnets.

    Note: All subnets must reside in the same availability zone.

  4. Create a route table and associate it with the external subnet. Add a default route to it and point the route to the Internet Gateway.

The Check Point Security Gateway can enforce a more sophisticated Security Policy, making the VPC security groups redundant. This procedure explains how to create a permissive VPC security group to prevent a possible conflict between the VPC security groups and the Check Point security policy.

 To create a new security group:

    1. Open the Security Groups menu.

    2. Click Create Security Group.

      1. In the Group name field, enter the group name - PermissiveSecGrp.

      2. In the Description field, enter: Permissive Security Group.

      3. In the VPC field, select the VPC.

      4. Click Yes > select Create.




    3. Create a new rule for this Security Group that accepts all traffic from any source address:

    1. In the Security Groups list, select the new PermissiveSecGrp.

    2. Go to the Inbound Rules tab.

    3. Create a new rule that accepts all traffic from any source address.

    4. Click Save.


 

Launch the Cluster Members

Launch a Check Point instance from the AWS marketplace.

Refer to the Amazon EC2 User Guide to identify an appropriate instance type that can accommodate the number of interfaces and private addresses you require.

Use these settings:

  1. In the Network field, select your VPC.

  2. In the Subnet field, select your external subnet.

  3. In the IAM role field, select the IAM role you created in the previous steps (refer to section "Create an IAM role" above).

    Note - To assign the IAM role to the instance, it is necessary to have special IAM privileges.
    For more information, see Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission).

  4. In the Network interfaces section > Primary IP field, enter the member's external private IP address (in our example - 10.0.0.20).

    Note - Do not add another interface at this point.



  5. When prompted to select a Security Group, use the permissive group you created in the previous steps (refer to section "Creating the VPC Environment" above - "To create a new security group").

  6. Launch the instance.

  7. After the instance starts, go to EC2 / Network Interfaces / Create Network interface.

  8. Enter the necessary information:

    • Description: "Internal interface"

    • Subnet: select the subnet 10.0.1.0/24 (in our example)

    • Private IP: 10.0.1.20 (in our example)

    • Security Group: select the permissive group created in the previous steps (refer to section "Creating the VPC Environment" above - "To create a new security group")


  9. Attach the interface to the Cluster Member instance.

  10. To add additional interfaces, repeat the above steps.

  11. Right-click on all interfaces that you created and disable the source/destination check:



  12. Allocate an elastic IP address, or select an available one.

  13. Associate the elastic IP address with the external private IP address of the instance (in our example - 10.0.0.20). We use this IP address to manage the Cluster Member.

 

Check Point First Time Configuration Wizard

Do these steps from vSEC Gateway for Amazon Web Services Getting Started Guide, "Installing and Configuring the vSEC Gateway":

  1. Securely Accessing the Security Gateway
  2. Installing Check Point Software Blades

In the First Time Configuration Wizard, do these steps:

  1. Select the checkbox Security Gateway

  2. Clear the checkbox Security Management

  3. Select the checkbox Unit is a part of a cluster, and for the cluster type select ClusterXL.



  4. Click Next.

  5. Enter an Activation Key (it is used later in SmartDashboard to establish trust with the Cluster Member. See "(5) Configuring a Check Point Cluster in SmartConsole").



  6. After the wizard completes, let the Cluster Member restart.

  7. After the restart, connect to Gaia Portal on the Cluster Member.

  8. Configure the remaining network interfaces:

    1. Select the checkbox: Enable

    2. On IPv4 tab, configure IPv4 address using the private IP address of this interface (in our example - 10.0.1.20).

Repeat the above steps to launch a second Cluster Member instance.

On Member A (but not on Member B):

  1. Add a secondary private IP address to the External interface
  2. Assign another elastic IP address to the External interface (this IP address is used as the Cluster public IP address)
  3. Add a secondary private IP address to the Internal interface

For more information, see "Example environment".

 

(5) Configuring a Check Point Cluster in SmartConsole


 

  1. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  2. In Network Objects view, right-click on Check Point > select Security Cluster > select Check Point Appliance/Open Server.



  3. Click Wizard Mode.



  4. Define the cluster's general properties:

    1. In the Cluster Name field, enter the desired name for cluster object (in our example - Cluster1).

    2. In the Cluster IPv4 Address field, enter the cluster's external private IP address (in our example - 10.0.0.10).

    3. In the Choose the Cluster's Solution list, select Check Point ClusterXL and High Availability.

    4. Click Next.



  5. Define Cluster Members:

    1. Member A:

      1. Click Add > select New Cluster Member.

      2. In the Name field, enter the desired member's name (in our example: Member_A).

      3. In the IPv4 Address field, enter the member's Elastic IP address (in our example: 198.51.100.20).

      4. In the Activation Key field, enter the activation key you created earlier (refer to section "Check Point First Time Configuration Wizard").

      5. Click Initialize.



    2. Member B:

      1. Click Add > select New Cluster Member.

      2. In the Name field, enter the desired member's name (in our example - Member_B).

      3. In the IPv4 Address field, enter the member's Elastic IP address (in our example - 198.51.100.30).

      4. In the Activation Key field, enter the activation key you created earlier (refer to section "Check Point First Time Configuration Wizard").

      5. Click Initialize.



    3. After adding both Cluster Members, click Next.



  6. To start configuring the topology of the cluster, click Next.



  7. Configure External Virtual IP address (in our example: 10.0.0.10 / 255.255.255.0).



  8. Click Next.

  9. Configure Internal Virtual IP address (in our example: 10.0.1.10 / 255.255.255.0).

    Important - This network is also used for State Synchronization.



  10. Click Next.

  11. A warning appears that synchronization network was not defined.

    Confirm that you want to continue, click Yes.



  12. The Cluster definition wizard is now complete.

    Select the checkbox Edit Cluster's Properties > click Finish.



  13. Cluster properties window opens.

    Go to Topology pane > click Edit.



  14. For the Internal network (in our example: 10.0.1.X), in the Network Objective field, select Cluster + 1st Sync.

    Note - This network is also used for State Synchronization.



  15. Verify the settings. Click OK to close the Topology window, then click OK again to close the cluster object properties.

  16. Install policy on this cluster.

 

(6) Validating the Setup

 

  1. Use the cphaprob state command and the cphaprob -a if command on each Cluster Member to validate that the cluster is operating correctly.

    Output of the cphaprob state command on both Cluster Members must show identical information (except the "(local)" string).

    Example:

    [Expert@HostName:0]# cphaprob state

    Cluster Mode:   High Availability (Active Up) with IGMP Membership
    Number     Unique Address  Assigned Load   State
    1 (local)  10.0.1.20       0%              Active
    2          10.0.1.30       100%            Standby

  2. Simulate a cluster failover.

    For example, shut down the internal interface of the Active Cluster Member.

    After a few seconds, the second Cluster Member reports itself as the Active member.

    Go to the AWS WebUI and confirm that:

    • All secondary private IP addresses that were assigned to the 1st member are now assigned to 2nd member
    • In all routing tables associated with internal subnets in the VPC, the default route is pointing to the internal interfaces of the member that has taken over.

    Note - You might need to refresh the AWS WebUI to see the changes.

  3. Verify that the Active Cluster Member is the instance that was deployed with the secondary private IP addresses:

    1. Open the Amazon EC2 console.
    2. In the left navigation pane, select Instances.
    3. Select the Active Cluster Member.
    4. In the Description tab, verify that there are two private IP addresses in the Secondary private IPs field.
      If not, simulate a cluster failover as described in step 2.
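To make the comparison in step 1 mechanical, here is an added example (not Check Point tooling) that parses the cphaprob state output collected from both members and reports any disagreement, or any state other than one Active member plus one Standby member. The two healthy sample outputs are constructed after the article's example (Assigned Load values copied from it as-is), the split-brain sample is constructed for the example, and `parse_cphaprob_state`/`compare_cluster_views` are names chosen here.

```python
import re

# Added example, not Check Point tooling: compare 'cphaprob state' as seen
# from both Cluster Members. Sample outputs are constructed after the
# article's example.

MEMBER_A_VIEW = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership
Number     Unique Address  Assigned Load   State
1 (local)  10.0.1.20       0%              Active
2          10.0.1.30       100%            Standby
"""

MEMBER_B_VIEW = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership
Number     Unique Address  Assigned Load   State
1          10.0.1.20       0%              Active
2 (local)  10.0.1.30       100%            Standby
"""

# Constructed: what Member B might report if it lost sight of Member A and
# promoted itself while Member A still believes it is Active.
MEMBER_B_SPLIT = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership
Number     Unique Address  Assigned Load   State
1          10.0.1.20       0%              Down
2 (local)  10.0.1.30       100%            Active
"""

# One member row: number, optional "(local)", unique address, load, state.
_ROW = re.compile(r"^\s*(\d+)\s*(\(local\))?\s+(\S+)\s+(\d+%)\s+(\S+)\s*$")


def parse_cphaprob_state(text):
    """Parse 'cphaprob state' output into the cluster mode, the member table
    (number, address, load, state) and the number of the member marked (local)."""
    result = {"mode": None, "members": [], "local": None}
    for line in text.splitlines():
        if line.startswith("Cluster Mode:"):
            result["mode"] = line.split(":", 1)[1].strip()
            continue
        m = _ROW.match(line)
        if m:
            number = int(m.group(1))
            result["members"].append((number, m.group(3), m.group(4), m.group(5)))
            if m.group(2):
                result["local"] = number
    return result


def compare_cluster_views(text_a, text_b):
    """Return a list of problems. Empty means both members report the same mode
    and member table (ignoring '(local)'), each marks a different member as
    local, and exactly one member is Active with every other member in Standby."""
    a, b = parse_cphaprob_state(text_a), parse_cphaprob_state(text_b)
    problems = []
    if a["mode"] != b["mode"]:
        problems.append(f"cluster mode differs: {a['mode']!r} vs {b['mode']!r}")
    if a["members"] != b["members"]:
        problems.append("member tables differ: the members disagree about cluster state")
    if a["local"] is None or b["local"] is None or a["local"] == b["local"]:
        problems.append("each output must mark a different member as (local)")
    for view, parsed in (("A", a), ("B", b)):
        states = [m[3] for m in parsed["members"]]
        if states.count("Active") != 1:
            problems.append(f"view {view}: expected exactly one Active member, found {states.count('Active')}")
        if any(s not in ("Active", "Standby") for s in states):
            problems.append(f"view {view}: member state other than Active/Standby: {states}")
    return problems


if __name__ == "__main__":
    print(compare_cluster_views(MEMBER_A_VIEW, MEMBER_B_VIEW) or "cluster views agree")
    print(compare_cluster_views(MEMBER_A_VIEW, MEMBER_B_SPLIT))
```

Paste the real output of both members into the two strings, or read them from files, and an empty list is the pass condition the article describes; the split-brain sample shows the two findings you would get when the members stop agreeing, which is the case to look for right after the failover test in step 2.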

 

(7) Setting up a Site-to-Site VPN

To set up a Site-to-Site VPN between the cluster and another Check Point Security Gateway, see the R77.30 vSEC Gateway for Amazon Web Services Getting Started Guide, chapter 5 'Setting up a VPN tunnel'.

In addition:

  1. Connect with SmartDashboard to the Security Management Server / Domain Management Server that manages the peer Security Gateway:

    1. Open the cluster object.

    2. Open IPSec VPN > Link Selection.

    3. Select Always use this IP address.

    4. Select Statically NATed IP.

    5. Enter the cluster's public IP address.

    6. To close cluster object properties, click OK.

    7. Install the Security Policy on both the peer Security Gateway and the cluster.



  2. Connect with SmartDashboard to the Security Management Server / Domain Management Server that manages this cluster:

    1. Open the cluster object.

    2. Open IPSec VPN > Link Selection > click Source IP address settings...

    3. Select Manual > Selected address from topology table.

    4. Select the private IP address of the external interface of the cluster (in our example: 10.0.0.10).

    5. To close cluster object properties, click OK.

    6. Install the Security Policy on both the cluster and the peer Security Gateway.

 

(8) Troubleshooting

If you are experiencing issues:

  1. Verify that the script in charge of communicating with AWS is running on each Cluster Member.

    [Expert@HostName]# cpwd_admin list | grep -E "PID|AWS_HAD"

    The output should have a line similar to:

    APP        PID    STAT  #START  START_TIME             MON  COMMAND
    AWS_HAD    3663   E     1       [12:58:48] 15/1/2015   N    python /opt/CPsuite-R77/fw1/scripts/aws_had.py
    

    Notes:

    • The script should appear in the output
    • The "STAT" column should show "E" (stands for "Executing")
    • The "#START" column should show "1" (how many times this script was started by the Check Point WatchDog)


  2. Enable debugging on each Cluster Member:

    Note - It is necessary to use the full path of the scripts.

    [Expert@HostName]# $FWDIR/Python/bin/python $FWDIR/scripts/aws_ha_cli.py stop

    [Expert@HostName]# $FWDIR/Python/bin/python $FWDIR/scripts/aws_ha_cli.py --debug reconf

    Debug output is written to:
    $FWDIR/log/aws_had.elg*

    To disable debugging, you must run this command on each Cluster Member: "$FWDIR/Python/bin/python $FWDIR/scripts/aws_ha_cli.py restart"

  3. Make sure that you have set up your IAM roles as outlined in this article. See the "Create an IAM role" sub-section in "Manually Deploying a Check Point Cluster in AWS".
    Misconfigured IAM roles prevent the Cluster Members from communicating with AWS to make networking changes if a cluster member failure occurs.

  4. To automatically make networking changes, the Cluster Members need to communicate with AWS. This is done over two types of connections; see the connectivity checks in step 5 below, which test access to the AWS metadata service (HTTP) and to the AWS web service endpoint (TCP port 443).

    Make sure that the Security Policy installed on the Security Gateway allows this type of communication.

    Also, it is imperative that the system clock on the Cluster Members is set properly.

    • You should set up the Cluster Members to use NTP
    • Make sure that the Security Policy on the gateways allows the Cluster Members to initiate outbound NTP traffic (UDP/123) to your NTP servers.


  5. Check Point provides a script that can be used to verify and troubleshoot cluster configuration in AWS.

    This script verifies that:

    • A Primary DNS server is configured
    • DNS resolution works
    • Access from the cluster member to the AWS metadata service (HTTP to 169.254.169.254) is available
    • The instance is set up with an IAM role
    • IAM credentials are available
    • Access from the Cluster Member to the AWS web service endpoint (over TCP port 443) is available
    • The IAM credentials allow the instance to make API calls into AWS
    • The cluster is configured with at least one internal interface
    • For each Cluster Member interface there exists a corresponding AWS ENI sharing the same primary private address
    • All Cluster Member interfaces have the source/destination check disabled
    • The system clock matches the time reported by AWS

    Instructions:

      1. Verify the existence of $FWDIR/scripts/aws_ha_test.py.

      2. If the above file is not on the instance:

        1. Download the script file aws_ha_test.tar and transfer it to the Cluster Member.

        2. Connect to command line on Cluster Member.

        3. Unpack the script (extract the script into $FWDIR/scripts/ directory):

          [Expert@HostName]# tar -xvf aws_ha_test.tar

      3. Run the following commands to execute the script:

        [Expert@HostName]# cd $FWDIR/scripts/

        [Expert@HostName]# $FWDIR/Python/bin/python -m aws_ha_test

        If all tests were successful, the script should output:
        All tests were successful!

        Otherwise, an error message is displayed to help you troubleshoot the problem.

      4. Repeat steps 1 to 3 on the other Cluster Member.
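As an added example (not Check Point's aws_ha_test script), two of the checks from this section expressed in code: the cpwd_admin WatchDog check from step 1, and from step 5 the verification that each interface has a matching ENI with source/destination check disabled and that an internal interface exists. The cpwd_admin sample is the output shown in step 1; the Gaia interface table and the ENI records are constructed, with the ENI fields named after the NetworkInterfaceId, PrivateIpAddress and SourceDestCheck attributes EC2 returns (an assumption about how the caller flattens DescribeNetworkInterfaces). `check_aws_had` and `check_member_interfaces` are names chosen here.

```python
# Added example: two troubleshooting checks from this section, not Check
# Point's aws_ha_test script.

# 'cpwd_admin list | grep -E "PID|AWS_HAD"' output as shown in step 1.
CPWD_SAMPLE = """\
APP        PID    STAT  #START  START_TIME             MON  COMMAND
AWS_HAD    3663   E     1       [12:58:48] 15/1/2015   N    python /opt/CPsuite-R77/fw1/scripts/aws_had.py
"""


def check_aws_had(cpwd_list_output):
    """Check the AWS_HAD row of 'cpwd_admin list'. Returns a list of problems
    (empty when the script is executing and was started exactly once)."""
    for line in cpwd_list_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "AWS_HAD":
            problems = []
            stat, starts = fields[2], fields[3]
            if stat != "E":
                problems.append(f"AWS_HAD STAT is {stat!r}, expected 'E' (executing)")
            if starts != "1":
                problems.append(f"AWS_HAD #START is {starts}: the WatchDog has restarted it; "
                                "check $FWDIR/log/aws_had.elg*")
            return problems
    return ["AWS_HAD is not registered with the Check Point WatchDog"]


# Constructed sample: interfaces as configured in Gaia on Member A, and the
# ENI records an operator would pull from DescribeNetworkInterfaces
# (field names follow the EC2 attributes; the flattening is an assumption).
GAIA_INTERFACES = {"eth0": "10.0.0.20", "eth1": "10.0.1.20"}
ENI_RECORDS = [
    {"NetworkInterfaceId": "eni-a-ext", "PrivateIpAddress": "10.0.0.20", "SourceDestCheck": False},
    {"NetworkInterfaceId": "eni-a-int", "PrivateIpAddress": "10.0.1.20", "SourceDestCheck": False},
]


def check_member_interfaces(gaia_interfaces, eni_records):
    """Verify the interface conditions for one member: at least one internal
    interface, an ENI whose primary private address matches each Gaia
    interface, and source/destination check disabled on every such ENI."""
    problems = []
    if len(gaia_interfaces) < 2:
        problems.append("only one interface configured; the cluster needs an internal interface")
    by_ip = {e["PrivateIpAddress"]: e for e in eni_records}
    for name, ip in gaia_interfaces.items():
        eni = by_ip.get(ip)
        if eni is None:
            problems.append(f"{name} ({ip}) has no ENI with that primary private address")
        elif eni["SourceDestCheck"]:
            problems.append(f"{name} ({ip}) is {eni['NetworkInterfaceId']}, which still has "
                            "source/destination check enabled")
    return problems


if __name__ == "__main__":
    print(check_aws_had(CPWD_SAMPLE) or "AWS_HAD ok")
    print(check_member_interfaces(GAIA_INTERFACES, ENI_RECORDS) or "interfaces ok")
```

A #START value above 1 is the signal worth acting on: it means the WatchDog has already had to restart aws_had, so the debug log from step 2 is the next thing to read. An ENI with source/destination check still enabled will silently drop the traffic that the replaced default route sends through it, which is why the article has you disable it on every interface you create.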

     

(9) Known Limitations and Issues

  • Only two members per cluster are supported.

  • Running the Security Management Server on the Cluster Members is not supported.

  • Only High Availability mode (Active/Standby) is supported. Load Sharing modes are not supported.

  • Both Cluster Members must reside in the same Availability Zone.

  • Currently, it can take up to 40 seconds for a Cluster Member to take full ownership of a cluster during failover. This is due to the amount of time it takes AWS to move secondary private addresses from one member to another.

  • VRRP is not supported.

  • A Check Point Security Gateway running without the appropriate IAM role cannot be joined to a cluster after it was created.

(10) Documentation

Applies To:
  • By default, every Check Point Security Gateway and Security Management Server's WebUI is accessible from the internet by browsing to http://. Restricting access to the WebUI is possible by configuring a Network Security Group, or by configuring the Check Point Gateway and Management Server settings.
