AWS

Overview

If you are deploying a CloudGuard WAF AppSec Gateway to protect an existing production website, we recommend you also read the HOW-TO guide for this particular deployment.

CloudGuard WAF can be deployed as either a single virtual machine or Auto-Scaling Group in AWS. It acts as a reverse proxy where before / after you can deploy AWS Load Balancers:

When deploying an auto-scaling group, the external load balancer is deployed automatically

Installation

Follow these steps to deploy CloudGuard WAF in AWS using a supplied CloudFormation Template:

Step 1: AWS Console Log in

Step 2: Activate CloudGuard WAF through the AWS Marketplace (Once per Region)

Search for CloudGuard WAF (or the previous name CloudGuard AppSec) in AWS Marketplace. During activation, a form with a field to select one of the AWS regions, is shown. Select the region in which you wish to deploy CloudGuard WAF's Gateway.

Step 3: Verify required permissions

Verify that you have the required IAM permissions:

IAM permissions

CloudFormation::DescribeStackEvents

CloudFormation::DescribeStacks

CloudFormation::ListStacks

CloudFormation::ListStackResources

CloudFormation::CreateStack

elasticloadbalancing::DescribeLoadBalancers

elasticloadbalancing::DescribeListeners

elasticloadbalancing::DescribeTargetGroups

elasticloadbalancing::CreateTargetGroup

elasticloadbalancing::CreateListener

elasticloadbalancing::CreateLoadBalancer

elasticloadbalancing::ModifyTargetGroupAttributes

elasticloadbalancing::ModifyLoadBalancerAttributes

SNS::CreateTopic

SNS::GetTopicAttributes

SNS::Subscribe

IAM::GetRolePolicy

IAM::PutRolePolicy

IAM::CreateInstanceProfile

IAM::CreateRole

IAM::AddRoleToInstanceProfile

EC2::DescribeInternetGateways

EC2::DescribeLaunchTemplates

EC2::DescribeLaunchTemplateVersions

EC2::DescribeKeyPairs

EC2::DescribeSecurityGroups

EC2::DescribeSubnets

EC2::DescribeVpcs

EC2::DescribeAccountAttributes

EC2::CreateTags

EC2::AuthorizeSecurityGroupIngress

EC2::CreateLaunchTemplate

EC2::CreateSecurityGroup

EC2::RunInstances

CloudWatch::PutMetricAlarm

Health::DescribeEventAggregates

If you want AutoScaling setup:

AutoScaling::UpdateAutoScalingGroup

AutoScaling::CreateAutoScalingGroup

AutoScaling::DescribeAutoScalingGroups

AutoScaling::DescribeScalingActivities

AutoScaling::PutScalingPolicy

AutoScaling::PutNotificationConfiguration

If you want to store certificates in AWS:

KMS::CreateGrant

KMS::DescribeKey

Step 4: Deployment using CloudFormation

Choose one of three deployment options :

CloudFormation Link

Single Gateway into new VPC

VPC Network Configuration

Availability Zone - The availability zone in which to deploy the instance.
VPC CIDR - If you launched the CloudFormation template to create a new VPC - The CIDR of the new VPC.
Public Subnet CIDR - The Public (Frontend) subnet of the CloudGuard WAF's Gateway.
Private Subnet CIDR - The Private (Backend) subnet of the CloudGuard WAF's Gateway.

EC2 Instance Configuration

Gateway Name - EC2 name.
Gateway Instance type - The machine size of the VM. Each machine size has its own compute price. See Amazon EC2 Instance Types.
- Minimum requirements: c5.large
Key name - The EC2 Key Pair you created for this region.
Auto Assign Public IP - If selected Yes, then the solution has a public IP address.
Enable AWS Instance Connect - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the AWS EC2 User Guide.

Check Point Settings

Gateway’s Password hash – The hashed password for the Gaia Administration Portal. User is set to ‘admin’. Use this command to create the hash: openssl passwd -1 <password>. It is also possible to create a password using the SHA512 algorithm as follows: openssl passwd -6 <password>.
Infinity Next Agent Token - The token copied from the profile.
Make sure you obtain the <token> from the Enforcement Profile page, Authentication section.
Fog Address (optional) - Not used in production installations. The production cloud address is determined automatically.

Advanced Settings

Gateway Hostname (Optional) - The Gaia Hostname.
Bootstrap Script (Optional)

The default Security Group associated to the created VPC is defined with these ports for Inbound traffic:

TCP Port 22 - for SSH.
TCP Port 443 - for HTTPS.
TCP Port 30443 - The CloudGuard WAF Gateway's Web UI.
TCP Port 80 - for HTTP.
To configure a single CloudGuard WAF gateway installation with SSL, refer to Infinity Next Deployment and Configuration.

CloudFormation Link

Single Gateway into existing VPC

VPC Network Configuration

VPC - Select an existing Virtual Private Network from your region.
Public Subnet CIDR - Select the Public (Frontend) subnet of the CloudGuard WAF's AppSec Gateway from the available list.
Private Subnet CIDR - Select the Private (Backend) subnet of the CloudGuard WAF's AppSec Gateway from the available list.
Internal route table (optional) - keep empty.

EC2 Instance Configuration

Gateway Name - EC2 name.
Gateway Instance type - The machine size of the VM. Each machine size has its own compute price. See Amazon EC2 Instance Types.
- Minimum requirements: c5.large
Key name - The EC2 Key Pair you created for this region.
Auto Assign Public IP - If selected Yes, then the solution has a public IP address.
Enable AWS Instance Connect - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the AWS EC2 User Guide.

Check Point Settings

Gateway’s Password hash – The hashed password for the Gaia Administration Portal. User is set to ‘admin’. Use this command to create the hash: openssl passwd -1 <password>.
Infinity Next Agent Token - The token copied from the profile.
Make sure you obtain the <token> from the Enforcement Profile page, Authentication section.
Fog Address (optional) - Not used in production installations. The production cloud address is determined automatically

Advanced Settings

Gateway Hostname (Optional) - The Gaia Hostname
Bootstrap Script (Optional)

A security group with the name suffix "*_PermissiveSecurityGroup" will be created and associated with the existing VPC. This security group is defined with these ports for Inbound traffic:

TCP Port 22 - for SSH.
TCP Port 443 - for HTTPS.
TCP Port 30443 - The CloudGuard WAF AppSec Gateway's Web UI.
TCP Port 80 - for HTTP.
To configure a single CloudGuard WAF AppSec gateway installation with SSL, refer to Infinity Next Deployment and Configuration.

CloudFormation Link

Auto Scaling Group into existing VPC

VPC Network Configuration

VPC - Select an existing Virtual Private Network from your region.
Gateways subnets – Select at least two subnets in your VPC.
The subnets must allow outbound traffic to the internet for communicating with CloudGuard WAF's Cloud.

EC2 Instance Details

Auto Scaling Group name - The name of the Auto Scaling Group. This name determines the VM's hostname prefix.
Gateway Instance type - The machine size of the VM. Each machine size has its own compute price. See Amazon EC2 Instance Types. Minimum requirements: c5.large
Volume encryption - EBS encryption of the instances volumes using AWS managed KMS key. Custom KMS keys are not supported. If regional encryption is used then both AWS managed and Custom KMS keys are supported.
Allow access from - Specifies the client IP addresses that can reach your instance. This IP address range must be in CIDR notation.
- To add IP addresses after the deployment:
  1. Go to your deployed Stack > Resources or go to Services > EC2 > Security Groups and select the relevant Security Group.
  2. Click Edit inbound rules.
  3. Below the Source field, enter a list of IP addresses.
Key name - The EC2 Key Pair you created for this region.
Enable EC2 Instance Connect - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the AWS EC2 User Guide.
Gateway’s Password hash (Optional) – This relates to Check Point Gaia administration portal. Read the next section for further explanation.

Gateway’s Password hash (Optional, appears in EC2 instance details section) – The hashed password for the Gaia Administration Portal. User is set to ‘admin’.
Use this command to create the hash:
openssl passwd -1 <password>.
Infinity Next Agent Token - The token copied from the profile.
Make sure you obtain the <token> from the Enforcement Profile page, Authentication section.
Fog Address (optional) - Not used in production installations. The production cloud address is determined automatically.
Specify an S3 bucket for scaling events - This option allows defining an S3 bucket (a new or existing one) which allows scaling events to occur without the need to connect to Check Point's cloud. It is recommended to use an S3 bucket so scaling events will be not be disrupted by temporary Internet connectivity issues, for example, as the new instance must get its software and policy.
Specify an S3 bucket name - If you selected "existing S3 bucket" or "new S3 bucket", you must specify the name of the S3 bucket here.

Auto Scaling Group Settings

Type of the Load Balancer - Choose whether you want to deploy a solution with network or application load balancer.

Note - For application load balancer, in order to configure the HTTP health checks the following settings must be added to the Infinity Next profile:

Key: agent.rpmanager.nginxIncludeLines

Value: server {listen 8117; return 200;}

Key: agent.config.orchestration.healthCheckProbe.enable

Scheme of the Load Balancer - Choose if the load balancer should be Internal or External.
Initial number of gateways – The initial number of EC2 instances that is deployed together with the Auto Scaling Group.
Maximum number of gateways – The maximum number of EC2 instances the Auto Scaling Group can scale to.
Bootstrap script (Optional) - An optional script to run on the initial boot.
Administrator email address (Optional) - An email address to notify users about scaling events.

Creating the stack in AWS takes about 6-8 minutes. When the CloudGuard WAF EC2 loads it will automatically connect to Check Point, register using the token you provided and fetch your policy. Then, either Store Certificates in AWS or Store Certificates on the Gateway. If successful, you will see a green notification bar in this portal with a message that your Agent/Gateway successfully connected.

Troubleshooting Tips

After launching the CloudFormation, you can monitor AWS resources creation progress in AWS console under the 'Resources' tab of the deployed parent and nested stacks. In any case of provisioning failure, the created resources will be deleted, and the reason of failure can be viewed under 'Events' tab of the failed stack.
Verify that you entered the correct Token taken from the profile page. Otherwise your AppSec Gateway will not be able to connect to Check Point cloud
Verify that the subnet where you deploy the AppSec Gateway have outbound internet connectivity
Verify that the chosen EC2 instance type is available in your region
Verify that you have sufficient IAM permissions as listed above to run the CloudFormation stack