AWS
Overview
CloudGuard WAF can be deployed in AWS either as a single virtual machine or as an Auto Scaling Group. It acts as a reverse proxy, and AWS Load Balancers can be deployed in front of it or behind it:
When deploying an Auto Scaling Group, the external load balancer is deployed automatically.
Installation
Follow these steps to deploy CloudGuard WAF in AWS using a supplied CloudFormation Template:
Step 1: AWS Console Log in
Log in to AWS Console and select the relevant region.
Step 2: Activate CloudGuard WAF through the AWS Marketplace (Once per Region)
Search for CloudGuard WAF in AWS Marketplace. During activation, a form is shown with a field for selecting one of the AWS regions. Select the region in which you wish to deploy the CloudGuard WAF Gateway.
Step 3: Verify required permissions
Verify that you have the required IAM permissions:
Step 4: Deployment using CloudFormation
Choose one of the three deployment options:

Choose the correct fulfillment option in the Marketplace offer:

VPC Network Configuration

Availability Zone - The availability zone in which to deploy the instance.
VPC CIDR - The CIDR of the new VPC (applies only if you launched the CloudFormation template that creates a new VPC).
Public Subnet CIDR - The Public (Frontend) subnet of the CloudGuard WAF's Gateway.
Private Subnet CIDR - The Private (Backend) subnet of the CloudGuard WAF's Gateway.
EC2 Instance Configuration

Gateway Name - EC2 name.
Gateway Instance type - The machine size of the VM. Each machine size has its own compute price. See Amazon EC2 Instance Types.
Minimum requirements: c5.large
Key name - The EC2 Key Pair you created for this region.
Auto Assign Public IP - If set to Yes, the instance is assigned a public IP address.
Enable AWS Instance Connect - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the AWS EC2 User Guide.
Check Point Settings

Gateway's Password hash - The hashed password for the Gaia Administration Portal. The user is set to 'admin'. Use this command to create the hash:
openssl passwd -1 <password>
It is also possible to create the hash using the SHA-512 algorithm as follows:
openssl passwd -6 <password>
Note that -1 produces an MD5-crypt hash, while -6 produces a SHA-512-crypt hash; the latter is the stronger choice.
Infinity Next Agent Token - The token copied from the profile.
Fog Address (optional) - Not used in production installations. The production cloud address is determined automatically.
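The following added example (not Check Point's code) builds the password hash value for the form with openssl and verifies it before it is pasted into CloudFormation, so that a typo does not lock you out of the Gaia portal. It assumes OpenSSL 1.1.1 or later, which is needed for the -6 option; the password is passed on stdin rather than as an argument so it does not appear in the process list.

```shell
#!/bin/sh
# Added example: generate and check the "Gateway's Password hash" value.
# Assumes OpenSSL 1.1.1+ (required for the -6 / SHA-512 crypt option).

# Print a SHA-512 crypt hash ($6$<salt>$<hash>) for the password in $1.
# openssl picks a random salt, so each call yields a different string.
make_gaia_hash() {
    printf '%s\n' "$1" | openssl passwd -6 -stdin
}

# Return 0 if the hash in $2 was derived from the password in $1.
# The salt is the third $-delimited field of the crypt string; re-hashing
# the password with that salt must reproduce the stored hash exactly.
verify_gaia_hash() {
    _pw=$1
    _hash=$2
    _salt=$(printf '%s' "$_hash" | cut -d'$' -f3)
    case "$_hash" in
        '$6$'*) _alg=-6 ;;   # SHA-512 crypt
        '$1$'*) _alg=-1 ;;   # MD5 crypt
        *) return 1 ;;       # not a format the Gaia form expects
    esac
    _recomputed=$(printf '%s\n' "$_pw" | openssl passwd "$_alg" -salt "$_salt" -stdin)
    [ "$_recomputed" = "$_hash" ]
}

# Return 0 only for SHA-512 crypt hashes; the MD5-crypt form produced by
# "openssl passwd -1" is accepted by the form but is the weaker choice.
is_sha512_hash() {
    case "$1" in
        '$6$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: h=$(make_gaia_hash 'S3cret-Example'); verify_gaia_hash 'S3cret-Example' "$h" && echo ok
```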
Advanced Settings

Gateway Hostname (Optional) - The Gaia Hostname.
Bootstrap Script (Optional)
The default Security Group associated with the created VPC allows inbound traffic on these ports:
TCP Port 22 - for SSH.
TCP Port 443 - for HTTPS.
TCP Port 30443 - The CloudGuard WAF Gateway's Web UI.
TCP Port 80 - for HTTP.
To configure a single CloudGuard WAF gateway installation with SSL, refer to Infinity Next Deployment and Configuration.
Step 5: SSL Certificates
Choose the desired SSL Certificates storage method:
Store Certificates in AWS
Store certificates on Gateway
Step 6: Launch the stack
To launch the Stack, select these two checkboxes:

When deploying a CloudGuard WAF Gateway without assets connected to the profile, the Gateway is deployed with the Orchestrator nano-service only.
In this case, the load balancer health check must be changed manually from port 5555 to port 8117.