is a fully managed service offering the same AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience.
Customers who require the latest in next-generation security features while using Outposts can now deploy Check Point's CloudGuard Network Security and/or CloudGuard Network Security Managers on AWS Outposts to complement their deployments in AWS regions or on-premises.
The solution brief below describes how to deploy Check Point CloudGuard on Outposts including a reference architecture and support information.
- You must accept the Software Terms of the relevant Check Point Product AMI in the AWS Marketplace at least once before you launch the CloudFormation templates. It is not required to actually launch the instance from the Marketplace, but the agreement must be accepted from this location.
- Some stacks may "roll back" automatically after 1 hour, with an "
WaitCondition timed out" error. If this happens, make sure that your Internet access is working, either through AWS Internet Gateway (IGW) assigned to the VPC, or via the Local Gateway on Outposts.
- On Outposts, you can deploy CloudGuard only in a standalone Gateway or Security Cluster Mode (auto scaling clusters are not supported).
- The CloudFormation template used in this guide can be customized to support customer managed keys, IAM roles/profiles/etc.
- Inter VPC communication within an Outpost must use VPC-peering and as such cannot support inspection by a CloudGuard Gateway
- The customer is responsible for deploying AWS Outposts and all underlying connectivity to the Internet and/or Local Network resources.
- The customer should create VPCs and Subnets before deploying CloudGuard and should use Check Point's CloudFormation Templates that “deploy into an existing VPC”.
- The customer must create (1) Public and (1) Private Subnet belonging to the Outpost for use by CloudGuard. Follow these AWS Outpost instructions.
Supported Use Cases
North/South (ingress/egress) next generation traffic inspection between subnets in an Outpost VPC and:
- Public Access to the Internet
- Private access to the local network connected to the Outpost
Deploy and configure CloudGuard in AWS Outposts
- Deploy a Single CloudGuard Gateway or CloudGuard Security Cluster using theCloudFormation templates available in sk111013.
- For a single CloudGuard Gateway use CFT # 2: “Deploys a Security Gateway into an existing VPC”.
- For a CloudGuard HA Security cluster, use CFT # 4: “Deploys a Cluster into an existing VPC”.
- Specify a stack name and parameters:
- VPC Network Configuration:
- Choose the VPC, Public (external) subnet, and Private (internal) subnet created in the prerequisites.
- Cluster deployment Only: Specify IP addresses for each Security Gateway, including cluster IP’s if you are deploying a Security Cluster
- EC2 Instance Configuration:
- Choose from the available instance types according to bandwidth and feature requirements.
- Check Point Recommends c5.xlarge
- Select an EC2 key pair to use for ssh access to the instance(s).
- SSH login uses the following username: admin instead of ec2-user
- Leave the root volume size.
- Specify the customer managed key for EBS volume encryption or leave as is for the default AWS key.
- c. Check Point Settings:
- Choose a version and license per your requirements.
- Check Point Recommends R80.40.
- Admin Shell: use the default /etc/cli.sh
- SIC Key: provide a OTP for SIC establishment with Check Point Manager.
- Provide a password for admin login to the Gateways.
- Allow automatic information sharing with Check Point License center to improve product experience.
- Specify NTP servers.
- Provide Automatic Provisioning with Security Management Server (SMS).
- Check the Capabilities to acknowledge creation of IAM resources with custom names and Auto Expand, and click Create Stack to deploy the Gateways.
- Cluster deployment only: Continue with CloudGuard Cluster configuration as outlined in sk104418.
Deploy Check Point Security Management Server (SMS) on Outposts
- Deploy a Security Management Server (SMS) or Multi-Domain SMS via the CloudFormation templates provided in sk111013.
- For an SMS Server, use template # 16: “Security Management Server” and refer to sk130372 for details.
- For Multi-Domain SMS, use template # 17: “Multi-Domain Security Management Server” and refer to sk143213 for details.
- Specify a stack name and Parameters and click Create Stack.
Support for Check Point CloudGuard Security Gateways or SMS on Outpost
For advanced scenarios beyond the solution described in this article, reach out to your AWS Solutions Architect/Partner Team, your Check Point Account Team, and/or contact Check Point Support
To get support for an existing Check Point Deployment on Outposts, open a Service Request