How to Install a Security Management Server with CloudGuard for AWS
CloudGuard Network for AWS
R80.20, R80.30, R80.40, R81, R81.10
Table of Contents:
Installing Check Point Security Management Server
Deploying a Security Management Server in AWS
Deploying a Security Management Server on-premises
Creating an AWS IAM User and IAM Role
AWS account authentication
Creating an AWS IAM User (for authentication using AWS IAM User)
Creating an AWS IAM Role (for authentication using AWS IAM role)
Creating AWS IAM policies
Attach the IAM policy to the IAM User or Role
Downloading and installing the latest CloudGuard Security Management Server add-on package
Automatic Provisioning with Security Management Server
Setting up Automatic Provisioning
Enabling and disabling Software Blades
Connecting with Additional AWS accounts
Provisioning using AWS controller
Automatic Provisioning in Multi-Domain Security Management Server environment
Advanced Automatic Provisioning configuration
Highly available Security Management Server
Exporting and importing Security Management Server database
On-premises Security Management Server in-place upgrade
Check Point Security Management Server that manages CloudGuard Security Gateways deployed in AWS includes unique and dedicated capabilities for key AWS features, such as the management of Security Gateways in Amazon EC2 Auto Scaling Group, AWS Transit Gateway and AWS Gateway Load Balancer.
A Transit Gateway functions as a regional virtual router for traffic that flows between your Virtual Private Clouds (VPC) and VPN connections. A Transit Gateway scales elastically based on the volume of network traffic. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router – each new connection is only made once. For more information about CloudGuard Transit Gateway Auto Scaling Group, see AWS Transit Gateway R80.10 and above Deployment Guide.
(2) Installing Check Point Security Management Server
CloudGuard Security Gateways deployed in AWS can be managed by a Security Management Server that is deployed either in AWS or on-premises.
To manage CloudGuard Security Gateways deployed in AWS:
The Management Server must be able to initiate connections to the CloudGuard Security Gateways.
The CloudGuard Security Gateways must be able to initiate connections to the Management Server (for example, to send logs).
The Security Management Server communicates with the Security Gateways over either private or public IP addresses.
Communication over private IP addresses is possible in one of these cases:
The Management Server is in the same VPC as the Security Gateways.
The Management Server is in another VPC that is peered with the VPC in which the Security Gateways are deployed.
The Management Server is in an on-premises network that has connectivity to the VPC in which the Security Gateways are deployed, over Direct Connect.
The Management Server is in an on-premises network that has connectivity to the VPC in which the Security Gateways are deployed, over a VPN connection.
The Management Server is in an on-premises network or a VPC that has connectivity to the VPC in which the Security Gateways are deployed, over AWS Transit Gateway.
In all other cases, the Security Management Server and Security Gateways have to communicate with each other with the use of public IP addresses, and the object that represents the Management Server in the SmartConsole must have the public IP address as its main address. If you deploy the Management Server in AWS using the CloudFormation template, you can do this by selecting Over the internet in the Gateways management field. Otherwise, do these steps:
Connect to the Management Server with SmartConsole.
Select Gateways & Servers.
Double-click on the object representing the Management Server.
Insert the Management Server's public IP address in the IP Address field.
To enable this Management Server to perform AWS API calls using an STS role, specify the STS roles to assume (a comma-separated list of ARNs, without spaces).
See sk122074 for more information on how to create IAM roles used by a management server, in the same or another AWS account as the managed resources.
Version & license: The version and license you have selected above.
Change the admin shell to enable advanced command line configuration.
To manage the environment's security, administrators can connect to the Management Server with SmartConsole clients and via the Gaia WebUI.
You can set the administrator password for the Management Server using this field. To protect the administrator password, you must provide the password's salted hash (MD5-based BSD password algorithm 1) instead of the password itself.
You can generate the password's salted hash with the following command:
openssl passwd -1 <PASSWORD>
Replace <PASSWORD> with the desired administrator password.
The Management host name.
Determines whether this is the primary Management Server.
This parameter is mandatory only if deploying a secondary Management Server, for high availability purposes. For more information, see section Highly available Security Management Server.
The secure internal communication (SIC) key creates trusted connections between Security Gateways, Management Servers, and other Check Point components.
Select a random string consisting of at least 8 alphanumeric characters and specify it in the SIC key parameter during deployment.
Allow upload & download: Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point.
Allow web, SSH, and graphical clients only from this network to communicate with the Management Server, in CIDR notation.
Select Over the internet if any of the gateways you wish to manage cannot be reached directly over their private IP address. Otherwise, select Locally managed.
The CIDR IP address range that is permitted to access the Management Server. Only gateways from this network can communicate with the Management Server.
Management bootstrap script: An optional script with semicolon (;) separated commands to run on the initial boot.
Primary NTP server: Optional primary NTP server.
Secondary NTP server: Optional secondary NTP server.
Note: When the management instance is started, it automatically runs its own First Time Configuration Wizard. This step can take up to 45 minutes to complete.
To check the Management Server's readiness, log in to Expert mode and run the following command:
When the Management Server is ready, the output of the command should include:
-------------------------------------------- Overall API Status: Started --------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections
Deploying a Security Management Server on-premises
In the AWS IAM portal, create an IAM policy that contains the required permissions. These permissions vary and depend on the solution being deployed.
In the AWS IAM portal, create a new IAM user.
You can name the user CheckPointManagement. Download and save the automatically generated Access Key and Secret Key. On the Permissions tab, select Attach Policy, and attach the newly created IAM policy.
Follow the standard procedure to install the Check Point Management Server on-premises.
Download and install the latest Cloud Management Extension (CME) version on the Security Management Server, as described in the section "Downloading and installing the latest Cloud Management Extension (CME) on a Security Management Server" below.
(3) Creating an AWS IAM User and IAM Role
Check Point Security Management Server with CME requires some permissions in your AWS account to manage CloudGuard resources deployed in AWS and, in some cases, make changes in the environment for the solutions to work correctly. These permissions can be different depending on the solution that is deployed.
(5) Automatic Provisioning with Security Management Server
The Security Management Server can be configured to automatically connect to your AWS environment and scan for newly deployed CloudGuard Security Gateways, create trusted connections with them, and to automatically provision them.
To connect to your AWS account and automatically provision Security Gateways deployed in it, the Security Management Server needs AWS specific information, such as credentials and regions. This information is associated with a controller in the automatic provisioning configuration.
To view the existing controllers used by the Management Server to connect to cloud environments, run the following command:
autoprov_cfg show controllers
To add a new AWS controller to an existing automatic provisioning configuration, run the following command:
Information required to automatically provision Security Gateways, such as what policy to install and which Software Blades to enable, is placed in a configuration template in the automatic provisioning configuration.
To view existing configuration templates that can be applied on Security Gateways, run the following command:
autoprov_cfg show templates
To add a new configuration template to an existing automatic provisioning configuration, run the following command:
This name is used to tag the Security Gateways, so they will be identified and automatically provisioned by this Management Server.
For example, 'my-management'.
Choose a name to represent the configuration template.
Information required to automatically provision Security Gateways, such as what policy to install and which Software Blades to enable, will be placed under this template name.
This name is used to tag Security Gateways as a reference to the relevant set of configurations to apply on them.
For example, 'my-configuration-template'.
Choose a random string consisting of at least 8 alphanumeric characters.
The Secure Internal Communication (SIC) key creates trusted connections between gateways, management servers and other Check Point components. Trust is required to install policies on gateways and to send logs between gateways and management servers.
This value is used when the Security Gateways are deployed, so make note of it.
This value will be obfuscated in the configuration.
The gateway version.
Specify the name of the policy to install on the Security Gateways.
The Standard policy is the default security policy defined in a newly deployed Security Management Server, and initially contains a default cleanup rule that drops all traffic.
If you intend to configure additional policy packages (for example, if you plan to manage the security of additional environments protected by Check Point's products) and want to install a different policy package on the Security Gateways, specify the name you want to give that policy package. Then, create and configure the policy by connecting to your Security Management Server with SmartConsole.
For example, 'Standard'.
Choose a name to represent the controller.
Information required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name.
When you change the credentials or their type, or change or add regions, this name is used to reference the controller you want to modify.
For example, 'AWS-Production'.
Specify a comma-separated list of AWS regions, in which the gateways are deployed.
For example: "us-east-1,eu-central-1,ap-southeast-1".
Specify one of the following options to provide the credentials the Management Server uses to connect to your AWS environment:
To specify credentials explicitly, use:
-ak <AWS-ACCESS-KEY> -sk <AWS-SECRET-KEY>
AWS-SECRET-KEY will be obfuscated in the configuration.
To specify a file that contains credentials in the following format:
Replace <CONFIGURATION-TEMPLATE-NAME> with the name of the configuration template you have chosen in the "Setting up Automatic Provisioning" section above (e.g., 'my-configuration-template'), and <FLAG> according to the following table:
The Security Management Server can be configured so that CloudGuard Security Gateways in one AWS account are automatically provisioned to route traffic to resources in a different AWS account. To achieve this, run this command:
autoprov_cfg set controller AWS -cn <CONTROLLER-NAME> <SUB-ACCOUNT>
The name of the existing AWS controller that contains information required to connect to the AWS environment in which the Security Gateways are deployed.
Choose a name to represent the sub-account:
The name must be unique in each AWS controller.
Specify one of the following as the credentials for the sub-account:
To assume an STS role, use:
See sk122074 for more information on how to create an IAM role used by a management server, in the same or another AWS account as the managed resources.
If you wish to use different credentials to assume the STS role, specify the STS role and the additional credentials (explicitly, or use "-siam" to use the Management Server's IAM role). Otherwise, the top-level credentials are used to assume the STS role.
To specify the sub-account credentials explicitly, use:
-sak <AWS-ACCESS-KEY> -ssk <AWS-SECRET-KEY>
AWS-SECRET-KEY will be obfuscated in the configuration.
To specify a file that contains the sub-account credentials in the following format:
Replace the <AWS-ACCESS-KEY> and <AWS-SECRET-KEY> with the AWS access and secret keys for the sub-account, respectively.
If you did not specify the STS role ARN when you deployed the Security Management Server in AWS as described in the Deploying a Security Management Server in AWS section, or if the Management Server is deployed elsewhere, you can grant a Security Management Server permissions to assume the STS role via one of the following options:
Create a new IAM role that contains these permissions to replace the one used by the management server, as described in sk122074 and attach it to your management server.
Create a new IAM policy that contains these permissions and attach it to the existing IAM role used by your management server, by following these steps:
Open the AWS console.
Select Create Policy.
In the Visual editor, fill in the following values:
Resources: click Add ARN and paste the STS role ARN
Choose Review policy, fill in a name and a description and choose Create policy.
In the Policies tab, select the newly created policy, click Policy Actions, click Attach and choose the IAM role that is used by your Management Server.
Add the above policy, inline, to the management server IAM role.
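The following Python is an added example, not Check Point's code: it takes the value of the Management Server's "STS roles to assume" parameter (a comma-separated list of role ARNs, no spaces), validates it before the stack is created, and emits the policy document that the steps above build in the visual editor, limited to the AssumeRole action on exactly those roles. The action name sts:AssumeRole and the account ids in the sample are assumptions and placeholders.

```python
"""Build a least-privilege IAM policy allowing a Security Management Server
to assume the STS roles listed in its deployment parameter."""
from __future__ import annotations

import json
import re

# IAM role ARN: arn:<partition>:iam::<12-digit account id>:role/<path and name>
_ROLE_ARN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:role/[\w+=,.@/-]+$")


def parse_sts_roles(param: str) -> list[str]:
    """Validate the 'STS roles to assume' value and return the role ARNs.

    Rejects spaces, empty entries, duplicates and non-role ARNs, so a typo is
    caught before deployment instead of at the first failed AWS API call."""
    if param != param.strip() or " " in param:
        raise ValueError("STS roles must be comma separated without spaces")
    arns = param.split(",")
    seen: set[str] = set()
    for arn in arns:
        if not _ROLE_ARN.match(arn):
            raise ValueError(f"not an IAM role ARN: {arn!r}")
        if arn in seen:
            raise ValueError(f"duplicate role ARN: {arn}")
        seen.add(arn)
    return arns


def assume_role_policy(param: str) -> dict:
    """Policy to attach (inline or as a managed policy) to the Management
    Server's own IAM role: only sts:AssumeRole (assumed action name), and only
    on the listed roles rather than a wildcard resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ManagementServerAssumeCloudGuardRoles",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": parse_sts_roles(param),
        }],
    }


if __name__ == "__main__":
    # Constructed sample: two roles in two accounts; the account ids are placeholders.
    sample = ("arn:aws:iam::111111111111:role/CheckPointManagement,"
              "arn:aws:iam::222222222222:role/CloudGuardManaged")
    print(json.dumps(assume_role_policy(sample), indent=2))
```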
Note: Provisioning gateways deployed in sub-accounts is not supported.
Any other attribute that can be set with the set-simple-gateway R80 Web API, as documented in the Management API Reference, can be set with this command:
autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -nk <PARAMETER-NAME> <PARAMETER-VALUE>
Replace <CONFIGURATION-TEMPLATE-NAME> with the name of the configuration template you have chosen in the "Setting up Automatic Provisioning" section (e.g., 'my-configuration-template'), <PARAMETER-NAME> with the parameter name from the Management API Reference and <PARAMETER-VALUE> with the desired value.
(6) Highly available Security Management Server
An additional, secondary Security Management Server can be deployed and configured as a standby Management Server to provide high availability in case of a failure or unexpected downtime. A secondary Management Server is currently supported with R80.30 and above.
A standby Management Server that is deployed in AWS should be deployed using the same CloudFormation template as described in the "Installing Check Point Security Management Server" section, specifying the following values during stack creation:
Select a random string consisting of at least 8 alphanumeric characters.
If the standby Management Server is deployed on-premises, install the add-on package as described in the "Downloading and installing the latest CloudGuard Security Management Server add-on package" section.
(7) Exporting and importing Security Management Server database
To export the database of a Security Management Server and import it to another server, see section Backing Up and Restoring in Installation and Upgrade Guide R81.10.
If the database consists of Security Gateways that are managed by their public IP address, make sure to create, in the source management server, a Check Point Security Management Server host object using the public IP address of the destination management server. Otherwise, create the object using the private IP address of the destination management server.
(8) On-premises Security Management Server in-place upgrade
To perform an in-place upgrade of an on-premises Security Management Server you must also install the latest add-on package, as described in the "Downloading and installing the latest CloudGuard Security Management Server add-on package" section.
In-place upgrades are not supported on Management Servers deployed in AWS. Instead, deploy a machine with the new version and import the previous configuration into it, as described in the "Exporting and importing Security Management Server database" section.
(9) Known Limitations
All GUI clients should be disconnected before taking a Management export.
While it is possible to back up a Security Management Server deployed on an AWS instance and restore it to the same instance, backing up a Management Server deployed on an AWS instance or on-premise and restoring it to another AWS instance is not supported.
By default, every Check Point Security Gateway and Security Management Server's WebUI is accessible from the internet by browsing to http://MANAGEMENT_PUBLIC_IP. Restricting access to the WebUI is possible by configuring a Network Security Group, or by configuring the Check Point Gateway and Management Server settings.