Support Center > Search Results > SecureKnowledge Details
How To upgrade a CloudGuard Network single gateway for AWS Technical Level

Note: Review SK 113113 for Management & Gateway compatibility with the desired gateway version.


1.      Accept AWS Marketplace Terms & Conditions of the new Check Point version 

All Check Point AWS Marketplace offers:


2.      Open SK111013 – to access the official Check Point CFTs.


3.      Select CFT  “Security Gateway into existing VPC” for the needed version

It will automatically launch the CFT into AWS console. Fill in all the required CFT parameters and select the same public & private subnets as the ones used for existing single gateway deployment.  Once all the required parameters are filled, accept the AWS term and select Create Stack


Note: You will experience connectivity loss during steps 4&5 – schedule those tasks during maintenance window.  


Migrating existing public IP to a new gateway:

Show / Hide this section


4.      Update your existing Routing Table:

a.      For Ingress Routing i.e. (Route Tables with Edge Association of type IGW Internet Gateway), Update Ingress route table with route destination to your VPC Internal Subnets CIDR --> eni-ID of eth0 of the newly provisioned single gateway



b.      For Outbound Inspection needs, update rout tables associated to internal subnets to point to internal eni-id or eth1 of the newly deployed single gateway. You can obtain the eni-id from  instance metadata under the Networking Tab. 




5.      After successful CFT deployment + single gateway instance provisioning.

Log in to Smart Console & Update the existing object of AWS single gateway running previous version and perform below tasks. 

  1. Update object with new private IP or public IP of eth0 (depending on management option)

  2. Reset SIC under Communication Tab

  3. Get Interfaces with Topology under Network Management Tab

  4. Publish Changes & Install Policy. 




6.      Test traffic & check logs for successful inspection flows through the new gateways. 

If not successful, please verify the below for troubleshooting

-          Route table subnet association, 

-          Security Groups Inbound & Outbound Rules for newly deployed CloudGuard Single Gateway instance.  

Note: Our CFT creates a permissive security group by default which certain third party Posture Management tools may not like & automatically delete rules as it violates corporate posture best practices.  


7.      Delete the CFT stack of CloudGuard single gateway instance running older version. It will automatically remove resource created for single gateway of old version.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document