Check Point CloudGuard IaaS integration with AWS Traffic Mirroring
Solution

Overview

Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of Amazon EC2 instances. You can then send the traffic to out-of-band security and monitoring appliances. Read more about AWS Traffic Mirroring in the AWS documentation.

Check Point CloudGuard for AWS extends comprehensive enterprise-grade security, including zero-day threat protection, deep packet HTTPS inspection, intrusion prevention system (IPS), and complete application and identity awareness to the AWS Cloud. It protects assets in the cloud from attacks while enabling secure connectivity, and lets you enforce consistent security policies across your entire organization.

CloudGuard integration with AWS Traffic Mirroring automatically provides the Traffic Mirroring Findings generated by the CloudGuard Security Gateways protecting your AWS environment, allowing you to view and analyze them in CloudGuard Security Management.

Prerequisites

  • Make sure that the traffic mirror source and traffic mirror target are either:
      • In the same VPC, or
      • In different VPCs that are connected via VPC peering or a transit gateway.
  • Make sure that the traffic mirror source has a route table entry for the traffic mirror target.
  • Make sure that there are no security group rules or network ACL rules on the traffic mirror target that drop the mirrored traffic from the traffic mirror source.

Configuration

1. Follow steps 1-3 of the AWS Getting Started with Traffic Mirroring guide.

Note: Under Additional settings in step 3, for VNI, enter the VXLAN ID that you will use to enable the traffic mirror in the following steps.

2. Connect to the Security Gateway Server over SSH.

3. Log in to Expert mode.

4. Create a VXLAN interface (use the VXLAN ID selected in AWS in step 1):

    clish -c 'add vxlan id <VXLAN-ID> dev eth0 remote 1.1.1.1 local <ETH0-Local-Ip-Address> dstport 4789'

5. Create a bridge interface:

    clish -c 'add bridging group <Group-Number>'

    Replace <Group-Number> with any number.

6. Set the VXLAN and bridge interfaces up:

    clish -c 'set interface vxlan<VXLAN-ID> state on'

7. Add the VXLAN interface to the bridge:

    brctl addif br<Group-Number> vxlan<VXLAN-ID>

8. Enable hairpin mode on the VXLAN interface in the bridge:

    brctl hairpin br<Group-Number> vxlan<VXLAN-ID> on
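The two brctl commands above (addif and hairpin) are not saved by Gaia across a reboot (see the Notes below), so an operator typically has to re-run them from Expert mode after boot. The Bash script below is an added example, not code from the Check Point article: it validates the VNI range, parses `brctl show` to see whether the VXLAN interface is already a bridge member, and only then adds it, always re-applying hairpin mode. The function names, the argument layout and the sample `brctl show` text are assumptions constructed for this example.

```bash
#!/bin/bash
# Hypothetical helper (not Check Point code): re-applies the two brctl steps
# (addif + hairpin) that Gaia does not persist across reboots, idempotently.
# Intended to be run from Expert mode; all function names are assumptions.

# VXLAN Network Identifiers are 24-bit, so valid VNIs are 1..16777215.
valid_vni() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 16777215 ]
}

# Exit 0 if vxlan<ID> is already a member of br<GROUP>, else 1, given the text
# of `brctl show`: the first member is printed on the bridge's own line, any
# further members appear alone on continuation lines.
# $1 = brctl show output, $2 = bridge group number, $3 = VXLAN ID
vxlan_in_bridge() {
  printf '%s\n' "$1" | awk -v br="br$2" -v ifc="vxlan$3" '
    $1 ~ /^br[0-9]+$/ { cur = $1; if (cur == br && $NF == ifc) found = 1; next }
    NF == 1 && cur == br && $1 == ifc { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# Attach vxlan<ID> to br<GROUP> only if it is not already there, then enable
# hairpin mode (safe to repeat). Returns 2 on a bad VNI, 1 if brctl fails.
# $1 = bridge group number, $2 = VXLAN ID, $3 = current `brctl show` output
reattach_vxlan() {
  local group="$1" id="$2" show="$3"
  valid_vni "$id" || { echo "invalid VNI: $id" >&2; return 2; }
  if vxlan_in_bridge "$show" "$group" "$id"; then
    echo "vxlan$id is already a member of br$group"
  else
    brctl addif "br$group" "vxlan$id" || return 1
  fi
  brctl hairpin "br$group" "vxlan$id" on
}

# Constructed sample of `brctl show` output (not captured from a real gateway;
# real output separates the columns with tabs, which awk handles the same way).
SAMPLE_BRCTL_SHOW='bridge name     bridge id               STP enabled     interfaces
br1             8000.0242ac110002       no              eth1
                                                        vxlan100'

# Real use from Expert mode: reattach_vxlan <Group-Number> <VXLAN-ID> "$(brctl show)"
```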

Notes:

  • The two brctl commands (adding the VXLAN interface to the bridge and enabling hairpin mode) are not saved after a reboot.
  • There are Software Blades and deployments that are not supported by the traffic mirroring feature. Refer to the Limitations section of sk101670.
  • VXLAN support in Gaia is available from R81 and higher only.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
