Note: Review SK113113 for Management and Gateway compatibility with the desired gateway version:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113113&partition=General&product=Multi-Domain
Procedure:
1. Accept the AWS Marketplace Terms & Conditions of the new Check Point version.
All Check Point AWS Marketplace offers: https://aws.amazon.com/marketplace/seller-profile?id=a979fc8a-dd48-42c8-84cc-63d5d50e3a2f
2. Open SK111013 to access the official Check Point CFTs.
3. Select the CFT "Security Gateway into existing VPC" for the needed version.
This launches the CFT in the AWS console. Fill in all the required CFT parameters and select the same public and private subnets as the ones used by the existing single gateway deployment. Once all the required parameters are filled in, accept the AWS terms and select Create Stack.
Note: You will experience connectivity loss from step 3.C (stopping the old gateway) until policy is installed on the new gateway in step 5. Schedule those tasks during a maintenance window.
Migrating the existing public IP to the new gateway:
A. Go to the AWS Management Console site of your account:
B. Go to EC2:
C. Stop the source instance (the gateway running the old version):
- In the navigation pane, choose Instances and select the instance.
- Choose Actions, choose Instance State, and then choose Stop. If Stop is disabled, the instance is already stopped.
- In the confirmation dialog box, choose Yes, Stop. It can take a few minutes for the instance to stop.
D. Disassociate the Elastic IP from the source instance. Note: from this point the old gateway is no longer reachable on that address, and the Management Server loses connectivity to the gateway until the address is attached to the new instance and SIC is re-established.
a. In the navigation pane, choose Elastic IPs.
b. Choose the Elastic IP address, choose Actions, and then choose Disassociate address.
E. Associate the EIP with the target:
a. Choose the address that you disassociated in the previous step. For Actions, choose Associate address.
b. Choose the new instance from Instance, select the private IP address that belongs to eth0 (the gateway also has an internal interface, eth1), and then choose Associate.
F. Connect to the target machine via SSH.
G. Log in to Clish in the target machine.
H. Remove the existing alias interface: delete interface eth0 alias eth0:1
I. Add a new alias with the migrated source EIP (the mask must be /32; replace source-public-ip with the Elastic IP address): add interface eth0 alias source-public-ip/32
J. Save your changes by running: save config
4. Update your existing route tables:
a. Ingress routing (route tables with an edge association to the Internet Gateway): update the route for each internal subnet CIDR of the VPC to target the ENI ID of eth0 of the newly provisioned single gateway.
b. Outbound inspection: update the route tables associated with the internal subnets so that their routes target the ENI ID of eth1 (the internal interface) of the newly deployed single gateway. The ENI IDs are listed on the instance's Networking tab in the EC2 console.
5. After the CFT deployment and the provisioning of the new single gateway instance have completed, log in to SmartConsole and update the existing object of the AWS single gateway running the previous version:
- Update the object with the new private IP or public IP of eth0 (depending on the management option).
- Reset SIC under the Communication tab.
- Get Interfaces with Topology under the Network Management tab.
- Publish the changes and install policy.
6. Test traffic and check the logs for successful inspection flows through the new gateway.
If traffic is not inspected as expected, verify the following:
- Route table subnet associations.
- Security group inbound and outbound rules of the newly deployed CloudGuard single gateway instance.
Note: The CFT creates a permissive security group by default. Some third-party posture management tools flag this and automatically delete rules that violate corporate posture policy, so check that the rules are still present.
7. Delete the CFT stack of the CloudGuard single gateway instance running the older version. Deleting the stack automatically removes the resources created for the old gateway.
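The AWS console steps 3.C to 3.E (stop the old gateway, move its Elastic IP to eth0 of the new one) and step 4 (re-point the route tables) can also be done with the AWS CLI, which is easier to repeat in a maintenance window. The script below is an added example and is not part of this SK or of the Check Point CFTs. It assumes the AWS CLI is installed and configured with EC2 permissions for the region, that eth0 is device index 0 and eth1 is device index 1 on the gateway, and that the internal subnets send their default route (0.0.0.0/0) through eth1; all instance, allocation and route-table IDs are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the Check Point SK: AWS CLI equivalent of steps 3.C-3.E
# (EIP migration) and step 4 (route table updates) of the single gateway upgrade.
# Assumptions: AWS CLI configured with EC2 rights; eth0 = device index 0 (external),
# eth1 = device index 1 (internal); internal subnets default-route via eth1.
# All IDs passed to these functions are caller-supplied placeholders.
set -eu

# Return the ENI ID attached at the given device index on an instance.
eni_for_device() {
  _instance="$1"; _index="$2"
  aws ec2 describe-instances --instance-ids "$_instance" \
    --query "Reservations[0].Instances[0].NetworkInterfaces[?Attachment.DeviceIndex==\`$_index\`].NetworkInterfaceId | [0]" \
    --output text
}

# Steps 3.C-3.E: stop the old gateway, detach its EIP, attach it to eth0 of the new one.
# Management connectivity over this address is lost from the disassociate call
# until SIC is re-established on the new gateway (step 5).
migrate_eip() {
  _old="$1"; _new="$2"; _alloc="$3"
  aws ec2 stop-instances --instance-ids "$_old" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$_old"
  _assoc=$(aws ec2 describe-addresses --allocation-ids "$_alloc" \
             --query 'Addresses[0].AssociationId' --output text)
  # "None" is what --output text prints when the EIP is already unassociated.
  if [ -n "$_assoc" ] && [ "$_assoc" != "None" ]; then
    aws ec2 disassociate-address --association-id "$_assoc"
  fi
  # The gateway has two ENIs, so associate by ENI (not by instance) to be sure
  # the address lands on eth0, matching the alias added in clish in step 3.I.
  _eni=$(eni_for_device "$_new" 0)
  aws ec2 associate-address --allocation-id "$_alloc" --network-interface-id "$_eni" \
    --query 'AssociationId' --output text
}

# Point one route at an ENI; create the route if the table does not have it yet.
point_route_to_eni() {
  _rtb="$1"; _cidr="$2"; _eni="$3"
  aws ec2 replace-route --route-table-id "$_rtb" --destination-cidr-block "$_cidr" \
      --network-interface-id "$_eni" >/dev/null 2>&1 \
  || aws ec2 create-route --route-table-id "$_rtb" --destination-cidr-block "$_cidr" \
      --network-interface-id "$_eni" >/dev/null
}

# Step 4. ingress_rtb: the route table edge-associated to the Internet Gateway.
# internal_cidrs: space-separated CIDRs of the internal subnets (routed to eth0).
# internal_rtbs: space-separated route tables of those subnets (default route to eth1).
update_routes() {
  _new="$1"; _ingress_rtb="$2"; _internal_cidrs="$3"; _internal_rtbs="$4"
  _ext_eni=$(eni_for_device "$_new" 0)
  _int_eni=$(eni_for_device "$_new" 1)
  for _cidr in $_internal_cidrs; do
    point_route_to_eni "$_ingress_rtb" "$_cidr" "$_ext_eni"
  done
  for _rtb in $_internal_rtbs; do
    point_route_to_eni "$_rtb" 0.0.0.0/0 "$_int_eni"
  done
}

# Usage (placeholder IDs; run inside the maintenance window):
#   migrate_eip i-0123oldgw i-0456newgw eipalloc-0abc
#   update_routes i-0456newgw rtb-ingress "10.0.1.0/24 10.0.2.0/24" "rtb-int-a rtb-int-b"
```

Run migrate_eip first and update_routes second, in the same order as the manual steps; the functions are idempotent, so re-running them after a partial failure is safe. Associating the EIP by network interface ID rather than by instance ID is deliberate: the gateway has both eth0 and eth1, and the address must land on eth0 to match the alias configured in clish.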
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.