AWS

Overview

If you are deploying a CloudGuard WAF AppSec Gateway to protect an existing production website, we recommend you also read the .

CloudGuard WAF can be deployed as either a single virtual machine or Auto-Scaling Group in AWS. It acts as a reverse proxy where before / after you can deploy AWS Load Balancers:

When deploying an auto-scaling group, the external load balancer is deployed automatically

Installation

Follow these steps to deploy CloudGuard WAF in AWS using a supplied CloudFormation Template:

Step 1: AWS Console Log in

Step 2: Activate CloudGuard WAF through the AWS Marketplace (Once per Region)

Step 3: Verify required permissions

Verify that you have the required IAM permissions:

IAM permissions

CloudFormation::DescribeStackEvents

CloudFormation::DescribeStacks

CloudFormation::ListStacks

CloudFormation::ListStackResources

CloudFormation::CreateStack

elasticloadbalancing::DescribeLoadBalancers

elasticloadbalancing::DescribeListeners

elasticloadbalancing::DescribeTargetGroups

elasticloadbalancing::CreateTargetGroup

elasticloadbalancing::CreateListener

elasticloadbalancing::CreateLoadBalancer

elasticloadbalancing::ModifyTargetGroupAttributes

elasticloadbalancing::ModifyLoadBalancerAttributes

SNS::CreateTopic

SNS::GetTopicAttributes

SNS::Subscribe

IAM::GetRolePolicy

IAM::PutRolePolicy

IAM::CreateInstanceProfile

IAM::CreateRole

IAM::AddRoleToInstanceProfile

EC2::DescribeInternetGateways

EC2::DescribeLaunchTemplates

EC2::DescribeLaunchTemplateVersions

EC2::DescribeKeyPairs

EC2::DescribeSecurityGroups

EC2::DescribeSubnets

EC2::DescribeVpcs

EC2::DescribeAccountAttributes

EC2::CreateTags

EC2::AuthorizeSecurityGroupIngress

EC2::CreateLaunchTemplate

EC2::CreateSecurityGroup

EC2::RunInstances

CloudWatch::PutMetricAlarm

Health::DescribeEventAggregates

If you want AutoScaling setup:

AutoScaling::UpdateAutoScalingGroup

AutoScaling::CreateAutoScalingGroup

AutoScaling::DescribeAutoScalingGroups

AutoScaling::DescribeScalingActivities

AutoScaling::PutScalingPolicy

AutoScaling::PutNotificationConfiguration

If you want to store certificates in AWS:

KMS::CreateGrant

KMS::DescribeKey

Step 4: Deployment using CloudFormation

Choose one of three deployment options :

Choose the correct fulfillment option in the Marketplace offer:

VPC Network Configuration

Availability Zone - The availability zone in which to deploy the instance.
VPC CIDR - If you launched the CloudFormation template to create a new VPC - The CIDR of the new VPC.
Public Subnet CIDR - The Public (Frontend) subnet of the CloudGuard WAF's Gateway.
Private Subnet CIDR - The Private (Backend) subnet of the CloudGuard WAF's Gateway.

EC2 Instance Configuration

Gateway Name - EC2 name.
- Minimum requirements: c5.large
Key name - The EC2 Key Pair you created for this region.
Auto Assign Public IP - If selected Yes, then the solution has a public IP address.

Check Point Settings

Gateway’s Password hash – The hashed password for the Gaia Administration Portal. User is set to ‘admin’. Use this command to create the hash: openssl passwd -1 <password>. It is also possible to create a password using the SHA512 algorithm as follows: openssl passwd -6 <password>.
Infinity Next Agent Token - The token copied from the profile.
Fog Address (optional) - Not used in production installations. The production cloud address is determined automatically.

Advanced Settings

Gateway Hostname (Optional) - The Gaia Hostname.
Bootstrap Script (Optional)

The default Security Group associated to the created VPC is defined with these ports for Inbound traffic:

TCP Port 22 - for SSH.
TCP Port 443 - for HTTPS.
TCP Port 30443 - The CloudGuard WAF Gateway's Web UI.
TCP Port 80 - for HTTP.

Choose the correct fulfillment option in the Marketplace offer:

VPC Network Configuration

VPC - Select an existing Virtual Private Network from your region.
Public Subnet CIDR - Select the Public (Frontend) subnet of the CloudGuard WAF's AppSec Gateway from the available list.
Private Subnet CIDR - Select the Private (Backend) subnet of the CloudGuard WAF's AppSec Gateway from the available list.
Internal route table (optional) - keep empty.

EC2 Instance Configuration

Gateway Name - EC2 name.
- Minimum requirements: c5.large
Key name - The EC2 Key Pair you created for this region.
Auto Assign Public IP - If selected Yes, then the solution has a public IP address.

Check Point Settings

Gateway’s Password hash – The hashed password for the Gaia Administration Portal. User is set to ‘admin’. Use this command to create the hash: openssl passwd -1 <password>.
Infinity Next Agent Token - The token copied from the profile.
Fog Address (optional) - Not used in production installations. The production cloud address is determined automatically

Advanced Settings

Gateway Hostname (Optional) - The Gaia Hostname
Bootstrap Script (Optional)

A security group with the name suffix "*_PermissiveSecurityGroup" will be created and associated with the existing VPC. This security group is defined with these ports for Inbound traffic:

TCP Port 22 - for SSH.
TCP Port 443 - for HTTPS.
TCP Port 30443 - The CloudGuard WAF AppSec Gateway's Web UI.
TCP Port 80 - for HTTP.

Choose the correct fulfillment option in the Marketplace offer:

VPC Network Configuration

VPC - Select an existing Virtual Private Network from your region.
Gateways subnets – Select at least two subnets in your VPC.
The subnets must allow outbound traffic to the internet for communicating with CloudGuard WAF's Cloud.

EC2 Instance Details

Auto Scaling Group name - The name of the Auto Scaling Group. This name determines the VM's hostname prefix.
Volume encryption - EBS encryption of the instances volumes using AWS managed KMS key. Custom KMS keys are not supported. If regional encryption is used then both AWS managed and Custom KMS keys are supported.
Allow access from - Specifies the client IP addresses that can reach your instance. This IP address range must be in CIDR notation.
- To add IP addresses after the deployment:
  1. Go to your deployed Stack > Resources or go to Services > EC2 > Security Groups and select the relevant Security Group.
  2. Click Edit inbound rules.
  3. Below the Source field, enter a list of IP addresses.
Key name - The EC2 Key Pair you created for this region.
Gateway’s Password hash (Optional) – This relates to Check Point Gaia administration portal. Read the next section for further explanation.

Gateway’s Password hash (Optional, appears in EC2 instance details section) – The hashed password for the Gaia Administration Portal. User is set to ‘admin’.
Use this command to create the hash:
openssl passwd -1 <password>.
Infinity Next Agent Token - The token copied from the profile.
Fog Address (optional) - Not used in production installations. The production cloud address is determined automatically.
Specify an S3 bucket for scaling events - This option allows defining an S3 bucket (a new or existing one) which allows scaling events to occur without the need to connect to Check Point's cloud. It is recommended to use an S3 bucket so scaling events will be not be disrupted by temporary Internet connectivity issues, for example, as the new instance must get its software and policy.
Specify an S3 bucket name - If you selected "existing S3 bucket" or "new S3 bucket", you must specify the name of the S3 bucket here.

Auto Scaling Group Settings

Type of the Load Balancer - Choose whether you want to deploy a solution with network or application load balancer.

Note - For application load balancer, in order to configure the HTTP health checks the following settings must be added to the Infinity Next profile:

Key: agent.rpmanager.nginxIncludeLines

Value: server {listen 8117; return 200;}

Key: agent.config.orchestration.healthCheckProbe.enable

Scheme of the Load Balancer - Choose if the load balancer should be Internal or External.
Initial number of gateways – The initial number of EC2 instances that is deployed together with the Auto Scaling Group.
Maximum number of gateways – The maximum number of EC2 instances the Auto Scaling Group can scale to.
Bootstrap script (Optional) - An optional script to run on the initial boot.
Administrator email address (Optional) - An email address to notify users about scaling events.

Troubleshooting Tips

After launching the CloudFormation, you can monitor AWS resources creation progress in AWS console under the 'Resources' tab of the deployed parent and nested stacks. In any case of provisioning failure, the created resources will be deleted, and the reason of failure can be viewed under 'Events' tab of the failed stack.
Verify that you entered the correct Token taken from the profile page. Otherwise your AppSec Gateway will not be able to connect to Check Point cloud
Verify that the subnet where you deploy the AppSec Gateway have outbound internet connectivity
Verify that the chosen EC2 instance type is available in your region
Verify that you have sufficient IAM permissions as listed above to run the CloudFormation stack