Security Management Server with CloudGuard for AWS
Solution

 

Table of Contents:

  1. Overview
  2. Installing Check Point Security Management Server
    • Deploying a Security Management Server in AWS
    • Deploying a Security Management Server on-premises
  3. Downloading and installing the latest CloudGuard Security Management Server add-on package
  4. Automatic Provisioning with Security Management Server
    • Setting up Automatic Provisioning
    • Enabling and disabling Software Blades
    • Connecting with Additional AWS accounts
    • Provisioning using AWS controller
    • Automatic Provisioning in Multi-Domain Security Management Server environment
    • Advanced Automatic Provisioning configuration
  5. Highly available Security Management Server
  6. Exporting and importing Security Management Server database
  7. On-premises Security Management Server in-place upgrade
  8. Known limitations

(1) Overview

A Check Point Security Management Server that manages CloudGuard Security Gateways deployed in AWS includes unique and dedicated capabilities for key AWS features, such as the management of Security Gateways in Amazon EC2 Auto Scaling groups and in an AWS Global Transit Network.

Amazon EC2 Auto Scaling is a service offered by Amazon Web Services (AWS) that helps customers automatically adjust their Amazon EC2 capacity according to the current load. For more information about Check Point Auto Scaling solution in AWS, see sk112575.

Amazon Global Transit VPC, also known as a hub-and-spoke network, is used to perform transitive routing between spoke networks through a central hub. For more information about Check Point CloudGuard Transit VPC solution, see Transit VPC for AWS Deployment Guide.

 

(2) Installing Check Point Security Management Server

CloudGuard Security Gateways deployed in AWS can be managed by a Security Management Server that can be deployed either in AWS or on-premises.

To manage CloudGuard Security Gateways deployed in AWS:

  • The Management Server must be able to initiate connections to the CloudGuard Security Gateways.
  • The CloudGuard Security Gateways should be able to initiate connections to the Management Server (for example, to send logs).

The Security Management Server can communicate with the Security Gateways over either private or public IP addresses.

Communication over private IP addresses is possible in one of the following cases:

  • The Management Server is in the same VPC as the Security Gateways.
  • The Management Server is in another VPC that is peered with the VPC in which the Security Gateways are deployed.
  • The Management Server is in an on-premises network that has connectivity to the VPC in which the Security Gateways are deployed, over Direct Connect.
  • The Management Server is in an on-premises network that has connectivity to the VPC in which the Security Gateways are deployed, over a VPN connection.
  • The Management Server is in an on-premises network or a VPC that has connectivity to the VPC in which the Security Gateways are deployed, over AWS Transit Gateway.

In all other cases, the Security Management Server and Security Gateways will have to communicate with each other using public IP addresses and the object that represents the Management Server in the SmartConsole must have the public IP address as its main address. If you deploy the Management Server in AWS using the CloudFormation template, you can achieve this by selecting Over the internet in the Gateways management field. Otherwise, follow these steps:

  1. Connect to the Management Server with SmartConsole.
  2. Select Gateways & Servers.
  3. Double-click the object representing the Management Server.
  4. Insert the Management Server's public IP address in the IP Address field.
  5. Publish changes.

 

Deploying a Security Management Server in AWS

To deploy a Security Management Server in AWS, select and subscribe to one of the following licensing options:

If you want to manage more than five Security Gateways, select the BYOL option and purchase a license. To purchase BYOL licenses, contact Check Point Sales.

Use the following CloudFormation template to deploy the Security Management Server:

The template accepts the following parameters:

VPC
  The ID of your existing VPC (e.g., vpc-0123456789abcdef0), into which to deploy the Management Server.

Subnet
  Select a preexisting subnet in the selected VPC.
  If you wish to access the Management Server from the Internet, make sure the subnet has a route to the Internet.

Name (optional)
  Specify a name for the Management Server as it will appear in the AWS EC2 console.
  This name is not used in the rest of the configuration.

Instance Type
  The EC2 instance type for the Management Server.
  m4 and t2 instance types are supported only with version R80.10, and m5 instance types are supported only with R80.20.

Key name
  A public/private key pair, which allows you to connect securely to your instance after it launches.
  When you created an AWS account, this is the key pair you created in your preferred region.

Allocate an Elastic IP
  Set this value to true to associate an Elastic IP with the Management Server and to access it from the Internet via a public IP address.

IAM role
  The IAM role to attach to the Management Server instance profile. The permissions required vary and depend on the solution being deployed.

Existing IAM role name
  If you have chosen to use an existing IAM role in the IAM role field, specify the role's name here.

STS roles
  To enable this Management Server to perform AWS API calls using an STS role, specify the STS roles to assume (a comma-separated list of ARNs, without spaces).
  See sk122074 for more information on how to create the IAM roles used by a Management Server, in the same or another AWS account as the managed resources.

Version & license
  The version and license you have selected above.

Admin Shell
  Change the admin shell to enable advanced command line configuration.

Password Hash (optional)
  To manage the environment's security, administrators connect to the Management Server with SmartConsole clients and via the Gaia WebUI.
  You can set the administrator password for the Management Server using this field. To protect the administrator password, you must provide the password's salted hash in the MD5-based BSD password algorithm 1 format instead of the password itself.
  You can generate the password's salted hash with the following command:

    openssl passwd -1 <PASSWORD>

  Replace <PASSWORD> with the desired administrator password.

SIC Key
  This parameter is mandatory only if you deploy a secondary Management Server for high availability purposes. For more information, see the section "Highly available Security Management Server" below.
  The Secure Internal Communication (SIC) key creates trusted connections between Security Gateways, Management Servers, and other Check Point components.
  Select a random string consisting of at least 8 alphanumeric characters and specify it in the SIC key parameter during deployment.

Administrator addresses
  Allow web, SSH, and graphical clients only from this network to communicate with the Management Server, in CIDR notation.

Gateways management
  Select Over the internet if any of the gateways you wish to manage are not directly accessible via their private IP address. Otherwise, select Locally managed.

Gateways addresses
  The CIDR IP address range that is permitted to access the Management Server. Only gateways from this network can communicate with the Management Server.
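The Password Hash parameter above takes the output of openssl passwd -1. The following Python is added here as a worked example (it is not part of this article or of Check Point's tooling): it reimplements that MD5-based BSD password scheme so you can produce the hash on a workstation that has no openssl, and check that a hash you are about to paste into the template really matches the intended password. The function names md5_crypt and verify and the sample password are the example's own.

```python
import hashlib
import secrets

# Alphabet and prefix of the MD5-based BSD password hash ($1$), the format
# that 'openssl passwd -1' writes and that the Password Hash parameter expects.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"


def _to64(value, count):
    """Encode 'count' 6-bit groups of 'value', least significant first (crypt's to64)."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password, salt=None):
    """Return the $1$<salt>$<hash> string for 'password'; a random 8-char salt if none is given."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    if not 1 <= len(salt) <= 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 characters from [./0-9A-Za-z]")
    pw, sb = password.encode("utf-8"), salt.encode("ascii")

    ctx = hashlib.md5(pw + MAGIC.encode("ascii") + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    # Feed the alternate digest once per password byte (in 16-byte slices).
    for done in range(0, len(pw), 16):
        ctx.update(alt[: min(16, len(pw) - done)])
    # For each bit of the password length: a NUL byte if set, the first password byte if clear.
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 strengthening rounds with the classic, deliberately irregular mixing schedule.
    for i in range(1000):
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"{MAGIC}{salt}${encoded}"


def verify(password, hashed):
    """Check a candidate password against a $1$ hash; the final compare is constant-time."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    try:
        recomputed = md5_crypt(password, parts[2])
    except ValueError:
        return False
    return secrets.compare_digest(recomputed, hashed)


if __name__ == "__main__":
    # Constructed example password; never reuse it for a real administrator.
    h = md5_crypt("Example-Admin-Pw-2024")
    print(h)                                   # $1$<8-char salt>$<22 chars>, 34 characters in total
    print(verify("Example-Admin-Pw-2024", h))  # True
```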


Note: When the management instance is started, it automatically executes its own First Time Configuration Wizard. It can take up to 45 minutes for this step to complete.

To check the Management Server's readiness, log in to the Expert mode and run the following command:

api status

When the Management Server is ready, the output of the command should include:

--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

 

Deploying a Security Management Server on-premises

  1. In the AWS IAM portal, create an IAM policy that contains the required permissions. These permissions vary and depend on the solution (Auto Scaling or Transit VPC) being deployed.

  2. In the AWS IAM portal, create a new IAM user:

    • You can name the user CheckPointManagement.
    • Download and save the automatically generated Access Key and Secret Key.
    • On the Permissions tab, select Attach Policy, and attach the newly created IAM policy.

  3. Follow the standard procedure to install the Check Point Management Server on-premises (refer to the R80.10 or the R80.20 documentation).

  4. Download and install the latest CloudGuard Security Management Server add-on package, as described in the section "Downloading and installing the latest CloudGuard Security Management Server add-on package" below.

 

(3) Downloading and installing the latest CloudGuard Security Management Server add-on package

To enable AWS dedicated capabilities on the Check Point Security Management Server, download and install the latest CloudGuard Security Management Server add-on package:

  1. Download the latest add-on package (R80.10 and above):

    https://s3.amazonaws.com/chkp-images/autoprovision-addon.tgz
  2. Transfer the downloaded TGZ package to the Management Server (into some directory, e.g., /some_path_to_addon/).

  3. Connect to the command line on the Management Server.

  4. Log in to Expert mode.

  5. If you are upgrading from an older add-on version, stop the autoprovision service:

    service autoprovision stop

  6. Unpack the add-on package to the root partition ("/"):

    cd /some_path_to_addon/
    tar zxfC autoprovision-addon.tgz /
    (mind the trailing '/')

  7. Register the new autoprovision service:

    chkconfig --add autoprovision
    service autoprovision start

Notes for Security Management Server R80 only: 

  • Make sure you are using image take 132 or higher. 
  • Latest CloudGuard Security Management Server R80 add-on version is 305 (available here).
  • Make sure to create the need_dbload file before you register the autoprovision service:

    touch $FWDIR/scripts/autoprovision/need_dbload

(4) Automatic Provisioning with Security Management Server

The Security Management Server can be configured to automatically connect to your AWS environment and scan for newly deployed CloudGuard Security Gateways, create trusted connections with them, and to automatically provision them.

Setting up Automatic Provisioning

To configure a Security Management Server to automatically provision CloudGuard Security Gateways newly deployed in AWS, follow these steps:

  1. Connect to the command line on the Management Server.
  2. Log in to the Expert mode.
  3. Run the following command to see the available options:

    autoprov-cfg -h

    Specific help documentation is available for each option you choose. For example, the following command displays the available initialization parameters for AWS and their meaning:

    autoprov-cfg init AWS -h

    If you receive the "autoprov-cfg: command not found" error, refer to the section "Downloading and installing the latest CloudGuard Security Management Server add-on package" above.

  4. Configure the automatic provisioning of CloudGuard Security Gateways (placeholders and their meanings are described in the table below):
    • Initialization

      To test if automatic provisioning has been initialized, run the following command:

      autoprov-cfg show all

      If it was not yet initialized, the following message will be displayed:

      configuration file was not initialized, please use init

      To configure automatic provisioning for the first time, initialize it with the following command:

      autoprov-cfg init AWS -mn <MANAGEMENT-NAME> -tn <CONFIGURATION-TEMPLATE-NAME> -otp <SIC-KEY> -ver <VERSION> -po <POLICY-NAME> -cn <CONTROLLER-NAME> -r <AWS-REGIONS> <CREDENTIALS>

    • Connecting to your AWS cloud environment

      To connect to your AWS account and automatically provision Security Gateways deployed in it, the Security Management Server needs AWS specific information, such as credentials and regions. This information is associated with a controller in the automatic provisioning configuration.

      To view the existing controllers used by the Management Server to connect to cloud environments, run the following command:

      autoprov-cfg show controllers

      To add a new AWS controller to an existing automatic provisioning configuration, run the following command:

      autoprov-cfg add controller AWS -cn <CONTROLLER-NAME> -r <AWS-REGIONS> <CREDENTIALS>

      Important: each controller in the configuration must have unique credentials.

    • CloudGuard Security Gateways configuration templates 

      Information required to automatically provision Security Gateways, such as what policy to install and which Software Blades to enable, is placed in a configuration template in the automatic provisioning configuration.

      To view existing configuration templates that can be applied on Security Gateways, run the following command:

      autoprov-cfg show templates

      To add a new configuration template to an existing automatic provisioning configuration, run the following command:

      autoprov-cfg add template -tn <CONFIGURATION-TEMPLATE-NAME> -otp <SIC-KEY> -ver <VERSION> -po <POLICY-NAME>

    Placeholders:

    <MANAGEMENT-NAME>
      Choose a name to represent the Management Server.
      This name is used to tag the Security Gateways, so they will be identified and automatically provisioned by this Management Server.
      For example, 'my-management'.

    <CONFIGURATION-TEMPLATE-NAME>
      Choose a name to represent the configuration template.
      Information required to automatically provision Security Gateways, such as what policy to install and which Software Blades to enable, will be placed under this template name.
      This name is used to tag Security Gateways as a reference to the relevant set of configurations to apply on them.
      For example, 'my-configuration-template'.

    <SIC-KEY>
      Choose a random string consisting of at least 8 alphanumeric characters.
      The Secure Internal Communication (SIC) key creates trusted connections between gateways, management servers and other Check Point components. Trust is required to install policies on gateways and to send logs between gateways and management servers.
      This value is used when the Security Gateways are deployed, so make a note of it.
      This value will be obfuscated in the configuration.

    <VERSION>
      The gateway version.

    <POLICY-NAME>
      Specify the name of the policy to install on the Security Gateways.
      The Standard policy is the default security policy defined in a newly deployed Security Management Server, and initially contains a default cleanup rule that drops all traffic.
      If you intend to configure additional policy packages (for example, if you plan to manage the security of additional environments protected by Check Point's products) and want to install a different policy package on the Security Gateways, specify the name you want to give that policy package. Then, create and configure the policy by connecting to your Security Management Server with SmartConsole.
      For example, 'Standard'.

    <CONTROLLER-NAME>
      Choose a name to represent the controller.
      Information required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name.
      When you change the credentials or their type, or change or add regions, this name is used to reference the controller in order to modify it.
      For example, 'AWS-Production'.

    <AWS-REGIONS>
      Specify a comma-separated list of the AWS regions in which the gateways are deployed.
      For example: "us-east-1,eu-central-1,ap-southeast-1".

    <CREDENTIALS>
      Specify one of the following options to provide the Management Server with credentials, so it will be able to connect to your AWS environment:

      • To specify credentials explicitly, use:

        -ak <AWS-ACCESS-KEY> -sk <AWS-SECRET-KEY>

        AWS-SECRET-KEY will be obfuscated in the configuration.

      • To specify a file that contains credentials in the following format:

        AWSAccessKeyId=<AWS-ACCESS-KEY>
        AWSSecretKey=<AWS-SECRET-KEY>

        use:

        -fi <FILE-PATH>

        Replace <AWS-ACCESS-KEY> and <AWS-SECRET-KEY> with the Access Key and Secret Key of the IAM user that the Management Server will use to make API calls to AWS.

      • If you deploy the Management Server in AWS and wish to use the Management Server's IAM profile, use:

        -iam

      To assume an STS role with any of the above options, add -sr <STS-ROLE-ARN>.


    Notes:
    • To verify the configuration and that the Security Management Server can connect to your AWS cloud environment, run the following command:

      service autoprovision test

    • To skip confirmation prompts and execute the commands immediately, and to restart the autoprovision service to apply the changes, add -f after autoprov-cfg. For example:

      autoprov-cfg -f add controller AWS -cn AWS-Production -r us-east-1,eu-central-1,ap-southeast-1 -iam
    • Values that replace the placeholders should be quoted as required by the shell used.

 

Enabling and disabling Software Blades

You can enable additional Software Blades, such as IPS, Application Control, URL Filtering, Identity Awareness (for CloudGuard Controller) and HTTPS Inspection, by running the following command:

autoprov-cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> <FLAG>

To disable a blade, delete it by running the following command:

autoprov-cfg delete template -tn <CONFIGURATION-TEMPLATE-NAME> <FLAG>

Replace <CONFIGURATION-TEMPLATE-NAME> with the name of the configuration template you chose in the "Setting up Automatic Provisioning" section above (e.g., 'my-configuration-template'), and <FLAG> according to the following table:

Blade                   Flag
HTTPS Inspection        -hi
Identity Awareness      -ia
Application Control     -appi
Intrusion Prevention    -ips
URL Filtering           -uf
Anti-Bot                -ab
Anti-Virus              -av

You can enable multiple blades with a single command, for example:

autoprov-cfg set template -tn my-configuration-template -ips -uf -hi

To enable or disable Software Blades on existing Security Gateways, follow these steps for each gateway:

  1. Open SmartConsole.
  2. Select the GATEWAYS & SERVERS tab.
  3. Double click on the Security Gateway object.
  4. Check to enable or uncheck to disable the desired blade.
  5. Click OK.
  6. Install Policy.


Connecting with Additional AWS accounts

The Security Management Server can be configured so that CloudGuard Security Gateways in one AWS account will be automatically provisioned to route traffic to resources in a different AWS account. To achieve this, run the following command:

autoprov-cfg set controller AWS -cn <CONTROLLER-NAME> <SUB-ACCOUNT>

Placeholders:

<CONTROLLER-NAME>
  The name of the existing AWS controller that contains the information required to connect to the AWS environment in which the Security Gateways are deployed.

<SUB-ACCOUNT>
  1. Choose a name to represent the sub-account:

    -sn <SUB-ACCOUNT-NAME>

    The name must be unique within each AWS controller.

  2. Specify one of the following as the credentials for the sub-account:

    1. To assume an STS role, use:

      -ssr <STS-ROLE-ARN>

      See sk122074 for more information on how to create an IAM role used by a Management Server, in the same or another AWS account as the managed resources.

      If you wish to use different credentials in order to assume the STS role, specify the STS role and additional credentials (explicit, or "-siam" to use the Management Server's IAM role). Otherwise, the top-level credentials will be used to assume the STS role.

    2. To specify the sub-account credentials explicitly, use:

      -sak <AWS-ACCESS-KEY> -ssk <AWS-SECRET-KEY>

      AWS-SECRET-KEY will be obfuscated in the configuration.

    3. To specify a file that contains the sub-account credentials in the following format:

      AWSAccessKeyId=<AWS-ACCESS-KEY>
      AWSSecretKey=<AWS-SECRET-KEY>

      use:

      -sfi <FILE-PATH>

      Replace <AWS-ACCESS-KEY> and <AWS-SECRET-KEY> with the AWS access and secret keys for the sub-account, respectively.
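The credentials file passed with -fi (top-level controller, "Setting up Automatic Provisioning" above) or -sfi (sub-account, above) has exactly the two-line format shown. The following Python is an added example, not part of this article or of Check Point's tooling: it parses that format strictly, rejecting the whitespace, quoting and missing-key mistakes that otherwise surface only as failed AWS API calls, and refuses a file that other local users can read (a check this example adds; the article does not state it). The sample uses the placeholder key pair from AWS documentation; the function names are the example's own.

```python
import os
import re
import stat

# The exact two keys of the file format accepted by 'autoprov-cfg ... -fi <FILE-PATH>'
# (top-level credentials) and '-sfi <FILE-PATH>' (sub-account credentials).
EXPECTED_KEYS = ("AWSAccessKeyId", "AWSSecretKey")
# Shape checks added in this example: IAM user access key IDs are 20 upper-case
# alphanumerics and secret keys are 40 base64-style characters.
ACCESS_KEY_RE = re.compile(r"^[A-Z0-9]{20}$")
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+]{40}$")


def parse_credentials_text(text):
    """Parse KEY=VALUE credential text; return (access_key, secret_key).

    Any deviation from the documented format raises ValueError with the line
    number instead of being silently repaired: a trailing space on the secret,
    for example, yields a key that fails every AWS request signature.
    """
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty credentials file")
    values = {}
    for lineno, line in enumerate(lines, 1):
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {line!r}")
        key, value = line.split("=", 1)
        if key not in EXPECTED_KEYS:
            raise ValueError(f"line {lineno}: unexpected key {key!r}")
        if key in values:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        if not value or value != value.strip():
            raise ValueError(f"line {lineno}: {key} is empty or has leading/trailing whitespace")
        if value[0] in "\"'" or value[-1] in "\"'":
            raise ValueError(f"line {lineno}: {key} must not be quoted")
        values[key] = value
    missing = [k for k in EXPECTED_KEYS if k not in values]
    if missing:
        raise ValueError("missing key(s): " + ", ".join(missing))
    access_key, secret_key = values["AWSAccessKeyId"], values["AWSSecretKey"]
    if not ACCESS_KEY_RE.match(access_key):
        raise ValueError("AWSAccessKeyId does not look like a 20-character IAM access key ID")
    if not SECRET_KEY_RE.match(secret_key):
        raise ValueError("AWSSecretKey does not look like a 40-character IAM secret key")
    return access_key, secret_key


def load_credentials_file(path):
    """Read and parse the file, refusing it if group/others can read the secret (this example's own check)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {mode:04o} is readable by group/others; use chmod 600")
    with open(path, encoding="ascii") as fh:
        return parse_credentials_text(fh.read())


# Constructed sample using the placeholder key pair from AWS documentation (not real credentials).
SAMPLE = (
    "AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE\n"
    "AWSSecretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
)

if __name__ == "__main__":
    print(parse_credentials_text(SAMPLE))
    try:
        parse_credentials_text(SAMPLE.replace("KEY\n", "KEY \n"))  # trailing space on the secret
    except ValueError as err:
        print("rejected:", err)
```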

 

If you did not specify the STS role ARN when you deployed the Security Management Server in AWS as described in the Deploying a Security Management Server in AWS section, or if the Management Server is deployed elsewhere, you can grant a Security Management Server permissions to assume the STS role via one of the following options:

  1. Create a new IAM role that contains these permissions to replace the one used by the Management Server, as described in sk122074, and attach it to your Management Server.
  2. Create a new IAM policy that contains these permissions and attach it to the existing IAM role used by your Management Server, by following these steps:
    1. Open the AWS console.
    2. Select IAM.
    3. Select Policies.
    4. Select Create Policy.
    5. In the Visual editor, fill in the following values:
      • Service: STS
      • Actions: AssumeRole
      • Resources: click Add ARN and paste the STS role ARN
    6. Choose Review policy, fill in a name and a description, and choose Create policy.
    7. In the Policies tab, select the newly created policy, click Policy Actions, click Attach, and choose the IAM role that is used by your Management Server.
  3. Add the above policy inline to the Management Server IAM role.
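The policy that the Visual editor steps above produce, and the comma-separated value the "STS roles" template parameter in "Deploying a Security Management Server in AWS" expects, are small enough to check mechanically. The following Python is an added example, not part of this article or of Check Point's tooling: it parses the STS roles value, builds the equivalent JSON policy document, and flags AssumeRole statements whose Resource is wider than specific role ARNs. The account id and role name are constructed placeholders; the real ARN is that of the role created per sk122074.

```python
import json
import re

# An IAM role ARN: arn:<partition>:iam::<12-digit account id>:role/<path and name>.
ROLE_ARN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:role/[\w+=,.@/-]+$")


def parse_sts_roles_parameter(value):
    """Parse the template's 'STS roles' field: comma-separated role ARNs, no spaces."""
    if value != value.strip() or " " in value:
        raise ValueError("the STS roles parameter must not contain spaces")
    arns = value.split(",") if value else []
    bad = [a for a in arns if not ROLE_ARN.match(a)]
    if bad:
        raise ValueError(f"not IAM role ARN(s): {bad}")
    if len(set(arns)) != len(arns):
        raise ValueError("duplicate role ARN in the STS roles parameter")
    return arns


def build_assume_role_policy(role_arns):
    """Build the document the Visual editor steps produce: Service STS, Action AssumeRole, named ARNs."""
    arns = list(role_arns)
    if not arns:
        raise ValueError("at least one STS role ARN is required")
    for arn in arns:
        if not ROLE_ARN.match(arn):
            raise ValueError(f"not an IAM role ARN: {arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": arns[0] if len(arns) == 1 else arns,
            }
        ],
    }


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_assume_role_policy(policy):
    """Return findings for Allow statements granting AssumeRole on anything but specific role ARNs."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        if "NotResource" in st:
            findings.append(f"statement {idx}: NotResource inverts the scope; list the role ARNs explicitly")
        for res in _as_list(st.get("Resource")):
            if not ROLE_ARN.match(res):
                findings.append(f"statement {idx}: AssumeRole allowed on '{res}' instead of a specific role ARN")
    return findings


if __name__ == "__main__":
    # Constructed account id and role name; replace them with the ARN of the role from sk122074.
    roles = parse_sts_roles_parameter("arn:aws:iam::123456789012:role/CheckPoint-Managed-Account")
    policy = build_assume_role_policy(roles)
    print(json.dumps(policy, indent=2))
    print(audit_assume_role_policy(policy))  # []
```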

Note: support for automatic provisioning for additional AWS accounts is only available on the latest CloudGuard Security Management Server add-on package.

 

Provisioning using AWS controller

By default, the AWS controller provisions gateways and load balancers.

To enable specific provisioning types, use the following command:

autoprov-cfg set controller AWS -cn <CONTROLLER-NAME> <FLAG>

Replace <CONTROLLER-NAME> with the controller name you chose in the "Setting up Automatic Provisioning" section (e.g., 'aws-controller'), and <FLAG> according to the following table:

Provisioning        Flag
Gateway             -sg
Load Balancer       -slb
VPN object          -sv

You can enable multiple provisioning types with a single command, for example:

autoprov-cfg set controller AWS -cn aws-controller -sg -slb -sv

 

Automatic Provisioning in Multi-Domain Security Management Server environment

To configure automatic provisioning in a Multi-Domain Security Management Server environment see sk120992.

The management of multi-domain environments is supported only on a Multi-Domain Management Server deployed on-premises.

 

Advanced Automatic Provisioning configuration

Any other attribute that can be set with the set-simple-gateway R80 Web API as documented in the Management API Reference, can be set using the following command:

autoprov-cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -nk <PARAMETER-NAME> <PARAMETER-VALUE>

Replace <CONFIGURATION-TEMPLATE-NAME> with the name of the configuration template you have chosen in the "Setting up Automatic Provisioning" section (e.g., 'my-configuration-template'), <PARAMETER-NAME> with the parameter name from the Management API Reference and <PARAMETER-VALUE> with the desired value.

 

(5) Highly available Security Management Server

An additional, secondary Security Management Server can be deployed and configured as a standby Management Server to provide high availability in case of a failure or of unexpected downtime. Secondary Management Server is currently supported only with R80.10.

  • A standby Management Server that is deployed in AWS should be deployed using the same CloudFormation template as described in the "Installing Check Point Security Management Server" section, specifying the following values during stack creation:

      Primary Management: select false.
      SIC Key: a random string consisting of at least 8 alphanumeric characters.

  • If the standby Management Server is deployed on-premises, install the add-on package as described in the "Downloading and installing the latest CloudGuard Security Management Server add-on package" section.

Then, configure the second machine as a secondary server, as described in the Security Management Server R80.10 Administration Guide, section "Management High Availability".

While the Secondary Management Server acts as a standby server, you should make sure that the auto provisioning script on it is not running by executing the following commands:

service autoprovision stop
chkconfig --del autoprovision

To switch the Management Servers' roles, run the following commands:

  • On the Management Server being promoted to the active role:

    chkconfig --add autoprovision
    service autoprovision start
  • On the Management Server being demoted to the standby role:

    service autoprovision stop
    chkconfig --del autoprovision

Then, promote the standby Management Server to active, as described in Security Management Server R80.10 Administration Guide, section Changing a Server to Active or Standby.

 

(6) Exporting and importing Security Management Server database

To export the database of a Security Management Server and import it to another server, see section Backing Up and Restoring in Installation and Upgrade Guide R80.10 or R80.20.

If the database consists of Security Gateways that are managed by their public IP address, make sure to create, in the source management server, a Check Point Security Management Server host object using the public IP address of the destination management server. Otherwise, create the object using the private IP address of the destination management server.

 

(7) On-premises Security Management Server in-place upgrade

To perform an in-place upgrade of an on-premises Security Management Server you must also install the latest add-on package, as described in the "Downloading and installing the latest CloudGuard Security Management Server add-on package" section.

In-place upgrades are not supported on Management Servers deployed in AWS. Instead, deploy a machine with the new version and import the previous configuration into it, as described in the "Exporting and importing Security Management Server database" section. 

 

(8) Known Limitations

  1. To perform a Gaia system backup, you must disconnect all SmartConsole and API clients and stop the CloudGuard services.

  2. While it is possible to back up a Security Management Server deployed on an AWS instance and restore it to the same instance, backing up a Management Server deployed on an AWS instance or on-premises and restoring it to another AWS instance is not supported.



