AWS
Last updated
Last updated
Overview
If you are deploying a CloudGuard WAF AppSec Gateway to protect an existing production website, we recommend you also read the HOW-TO guide for this particular deployment.
CloudGuard WAF can be deployed as either a single virtual machine or Auto-Scaling Group in AWS. It acts as a reverse proxy where before / after you can deploy AWS Load Balancers:
When deploying an auto-scaling group, the external load balancer is deployed automatically
Follow these steps to deploy CloudGuard WAF in AWS using a supplied CloudFormation Template:
Log in to AWS Console and select the relevant region.
Search for CloudGuard WAF (or the previous name CloudGuard AppSec) in AWS Marketplace. During activation, a form with a field to select one of the AWS regions, is shown. Select the region in which you wish to deploy CloudGuard WAF's Gateway.
Verify that you have the required IAM permissions:
Choose one of three deployment options :
VPC Network Configuration
Availability Zone - The availability zone in which to deploy the instance.
VPC CIDR - If you launched the CloudFormation template to create a new VPC - The CIDR of the new VPC.
Public Subnet CIDR - The Public (Frontend) subnet of the CloudGuard WAF's Gateway.
Private Subnet CIDR - The Private (Backend) subnet of the CloudGuard WAF's Gateway.
EC2 Instance Configuration
Gateway Name - EC2 name.
Gateway Instance type - The machine size of the VM. Each machine size has its own compute price. See Amazon EC2 Instance Types.
Minimum requirements: c5.large
Key name - The EC2 Key Pair you created for this region.
Auto Assign Public IP - If selected Yes, then the solution has a public IP address.
Enable AWS Instance Connect - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the AWS EC2 User Guide.
Check Point Settings
Gateway’s Password hash – The hashed password for the Gaia Administration Portal. User is set to ‘admin’.
Use this command to create the hash:
openssl passwd -1 <
password
>
.
It is also possible to create a password using the SHA512 algorithm as follows:
openssl passwd -6 <
password
>
.
Infinity Next Agent Token - The token copied from the profile.
Make sure you obtain the <token> from the Enforcement Profile page, Authentication section.
Fog Address (optional) - Not used in production installations. The production cloud address is determined automatically.
Advanced Settings
Gateway Hostname (Optional) - The Gaia Hostname.
Bootstrap Script (Optional)
The default Security Group associated to the created VPC is defined with these ports for Inbound traffic:
TCP Port 22 - for SSH.
TCP Port 443 - for HTTPS.
TCP Port 30443 - The CloudGuard WAF Gateway's Web UI.
TCP Port 80 - for HTTP.
To configure a single CloudGuard WAF gateway installation with SSL, refer to Infinity Next Deployment and Configuration.
Creating the stack in AWS takes about 6-8 minutes. When the CloudGuard WAF EC2 loads it will automatically connect to Check Point, register using the token you provided and fetch your policy. Then, either Store Certificates in AWS or Store Certificates on the Gateway. If successful, you will see a green notification bar in this portal with a message that your Agent/Gateway successfully connected.
Choose the desired SSL Certificates storage method:
To launch the Stack, select these two checkboxes:
When deploying CloudGuard WAF Gateway without assets connected to the profile, the Gateway will be deployed with the Orchestrator nano-service only.
In this case, a manual change in the LB health check configuration will need to be changed manually from port 5555 to port 8117.
Value: false